Environment Variables

Manager Variables

Variable	Required	Description
BILBYCAST_JWT_SECRET	Yes	64-char hex string (32 bytes) for JWT signing
BILBYCAST_MASTER_KEY	Yes	64-char hex string (32 bytes) for envelope encryption at rest (derives per-domain KEKs via HKDF)
BILBYCAST_NEW_MASTER_KEY	No	New master key for rotate-master-key CLI command (rotation only)
BILBYCAST_TLS_CERT	Conditional	TLS certificate PEM path (file-based TLS mode)
BILBYCAST_TLS_KEY	Conditional	TLS private key PEM path (file-based TLS mode)
BILBYCAST_TLS_MODE	No	"direct" (default) or "behind_proxy"
BILBYCAST_ACME_ENABLED	No	Enable automatic Let’s Encrypt certificates (true/false)
BILBYCAST_ACME_DOMAIN	Conditional	Domain for ACME certificate (required if ACME enabled)
BILBYCAST_ACME_EMAIL	No	Contact email for Let’s Encrypt
BILBYCAST_ACME_HTTP_PORT	No	Port for HTTP-01 challenge (default: 80)
BILBYCAST_PORT	No	Override listen port (default: 8443)
BILBYCAST_LISTEN_ADDRS	No	Comma-separated bind addresses for the main HTTPS/WSS listener (default 0.0.0.0,[::] = dual-stack). Examples: 0.0.0.0 (v4 only), [::] (v6 only), 192.0.2.5,[2001:db8::5] (specific interfaces). Port still comes from BILBYCAST_PORT.
BILBYCAST_ACME_LISTEN_ADDRS	No	Comma-separated bind addresses for the ACME HTTP-01 challenge listener (default 0.0.0.0,[::]). Same shape as BILBYCAST_LISTEN_ADDRS; port from BILBYCAST_ACME_HTTP_PORT.
BILBYCAST_DATABASE_URL	No	Postgres DSN (default: postgres://bilbycast:bilbycast_dev@localhost:5433/bilbycast — points at the dev docker-compose cluster)

Edge and Relay Variables

Variable	Description
BILBYCAST_ALLOW_INSECURE	Set to "1" to allow accept_self_signed_cert in manager connection config. Safety guard against accidental use in production.
RUST_LOG	Log level control (e.g., bilbycast_edge=info, bilbycast_relay=debug)

Generating Secrets

# Generate JWT secret (64-char hex = 32 bytes)
openssl rand -hex 32

# Generate master key (64-char hex = 32 bytes)
openssl rand -hex 32

Both secrets are validated at startup — weak or short values are rejected.