# Environment Configuration

All settings are configured in `backend/.env`. Copy `backend/.env.example` to `backend/.env` and fill in the values for the providers you want to use.

The backend must be restarted after any changes to `.env`.

---

## Cloudflare

| Variable | Required | Description |
|----------|----------|-------------|
| `CLOUDFLARE_API_TOKEN` | Yes | API token with Zone:Read and DNS:Edit permissions |

Create a token at **dash.cloudflare.com → My Profile → API Tokens → Create Token**. See `API-ACCESS.md` for the required permissions.

---

## Loopia

| Variable | Required | Description |
|----------|----------|-------------|
| `LOOPIA_USER` | Yes | API username in the format `youruser@loopiaapi` |
| `LOOPIA_PASSWORD` | Yes | API user password |

Create an API user at **customerzone.loopia.se → My Account → API Users**. See `API-ACCESS.md` for the required method groups.

---

## Pi-hole

| Variable | Required | Description |
|----------|----------|-------------|
| `PIHOLE_URL` | Yes | Base URL of the Pi-hole instance, e.g. `http://192.168.1.x` |
| `PIHOLE_PASSWORD` | Yes | Pi-hole web interface password |

Requires Pi-hole v6. Only A, AAAA, and CNAME records are supported. TTL is not configurable via the Pi-hole API.

---

## Azure DNS

| Variable | Required | Description |
|----------|----------|-------------|
| `AZURE_TENANT_ID` | Yes | Azure AD tenant ID |
| `AZURE_CLIENT_ID` | Yes | Service principal application (client) ID |
| `AZURE_CLIENT_SECRET` | Yes | Service principal client secret |
| `AZURE_SUBSCRIPTION_ID` | Yes | Azure subscription ID containing the DNS zones |

The service principal requires the **DNS Zone Contributor** role on the subscription or resource group. See `API-ACCESS.md` for setup instructions.

---

## cPanel

| Variable | Required | Description |
|----------|----------|-------------|
| `CPANEL_URL` | Yes | cPanel URL including port, e.g. `https://hostname:2083` |
| `CPANEL_USERNAME` | Yes | cPanel account username |
| `CPANEL_API_TOKEN` | Yes | API token created in cPanel → Security → Manage API Tokens |
| `CPANEL_INSECURE` | No | Set to `true` to disable SSL certificate verification. Use when cPanel uses a self-signed certificate. Defaults to `false`. |

The cPanel account must own the domains you want to manage. Uses the cPanel UAPI and API 2 (ZoneEdit module). See `API-ACCESS.md` for setup instructions.

---

## Authentication

| Variable | Required | Description |
|----------|----------|-------------|
| `JWT_SECRET` | Yes | A long random string used to sign login tokens. Generate one with: `node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"` |
| `JWT_EXPIRES_IN` | No | How long login sessions last. Defaults to `24h`. Accepts values like `12h`, `7d`. |

---

## General

| Variable | Required | Description |
|----------|----------|-------------|
| `DISABLED_PROVIDERS` | No | Comma-separated list of provider IDs to hide from the app without removing credentials. Valid values: `cloudflare`, `loopia`, `pihole`, `azure`, `cpanel`. Example: `DISABLED_PROVIDERS=loopia,cpanel` |
| `PORT` | No | Port the backend listens on. Defaults to `3001`. |
| `DB_PATH` | No | Path to the DNS record cache file. Defaults to `backend/dns-cache.json`. |
| `SETTINGS_PATH` | No | Path to the settings file. Defaults to `backend/settings.json`. |
| `USERS_PATH` | No | Path to the users file. Defaults to `backend/users.json`. |
| `AUDIT_PATH` | No | Path to the audit log file. Defaults to `backend/audit-log.json`. |

---

## Example

```env
# Cloudflare
CLOUDFLARE_API_TOKEN=your_token_here

# Loopia
LOOPIA_USER=youruser@loopiaapi
LOOPIA_PASSWORD=yourpassword

# Pi-hole (v6)
PIHOLE_URL=http://192.168.1.10
PIHOLE_PASSWORD=yourpassword

# Azure DNS
AZURE_TENANT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
AZURE_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
AZURE_CLIENT_SECRET=your_secret
AZURE_SUBSCRIPTION_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

# cPanel
CPANEL_URL=https://hostname:2083
CPANEL_USERNAME=myuser
CPANEL_API_TOKEN=your_token
CPANEL_INSECURE=false

# Auth
JWT_SECRET=your-long-random-secret-here
JWT_EXPIRES_IN=24h

# Disable specific providers
DISABLED_PROVIDERS=

PORT=3001
```
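A pre-start check for the settings documented above, written as an added example (not part of this project's code): it parses the text of a `.env` file and reports settings that weaken security or are inconsistent with the tables. The function names, the constructed sample, and the 64-character floor for `JWT_SECRET` (the length the documented generator command produces) are assumptions of this example.

```javascript
// Provider ids and their required variables, taken from the tables on this page.
const PROVIDERS = {
  cloudflare: ['CLOUDFLARE_API_TOKEN'],
  loopia: ['LOOPIA_USER', 'LOOPIA_PASSWORD'],
  pihole: ['PIHOLE_URL', 'PIHOLE_PASSWORD'],
  azure: ['AZURE_TENANT_ID', 'AZURE_CLIENT_ID', 'AZURE_CLIENT_SECRET', 'AZURE_SUBSCRIPTION_ID'],
  cpanel: ['CPANEL_URL', 'CPANEL_USERNAME', 'CPANEL_API_TOKEN'],
};

// Minimal KEY=VALUE parser: skips blank lines and # comments, strips one pair of quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 1) continue;
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, '$2');
  }
  return env;
}

// Returns one finding string per problem; an empty array means nothing was flagged.
function auditEnv(text) {
  const env = parseEnv(text);
  const findings = [];
  // Assumption: anything shorter than randomBytes(32).toString('hex') output is too weak.
  if ((env.JWT_SECRET || '').length < 64) findings.push('JWT_SECRET: missing or shorter than 64 characters');
  if ((env.CPANEL_INSECURE || '').toLowerCase() === 'true') findings.push('CPANEL_INSECURE: TLS certificate verification is disabled');
  if (/^http:\/\//i.test(env.PIHOLE_URL || '')) findings.push('PIHOLE_URL: plain HTTP, PIHOLE_PASSWORD crosses the network unencrypted');
  const disabled = (env.DISABLED_PROVIDERS || '').split(',').map((s) => s.trim()).filter(Boolean);
  for (const id of disabled) {
    if (!Object.keys(PROVIDERS).includes(id)) findings.push(`DISABLED_PROVIDERS: unknown provider id "${id}"`);
  }
  for (const [id, vars] of Object.entries(PROVIDERS)) {
    if (disabled.includes(id)) continue;
    const missing = vars.filter((v) => !env[v]);
    // A provider with no variables set is simply unused; a partial set is a mistake.
    if (missing.length > 0 && missing.length < vars.length) findings.push(`${id}: partially configured, missing ${missing.join(', ')}`);
  }
  return findings;
}

// Constructed sample input (not a real configuration).
const SAMPLE = ['CLOUDFLARE_API_TOKEN=constructed-token', 'PIHOLE_URL=http://192.168.1.10',
  'PIHOLE_PASSWORD=constructed', 'CPANEL_URL=https://hostname:2083', 'CPANEL_INSECURE=true',
  'JWT_SECRET=your-long-random-secret-here', 'DISABLED_PROVIDERS=loopia,route53'].join('\n');
console.log(auditEnv(SAMPLE).join('\n'));
```

To check a real file, pass its contents to `auditEnv` and fail the startup script when the returned array is not empty.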