Configuration

Copy .env.template to .env and set:

Required

| Variable | Description |
|---|---|
| REDIS_PASSWORD | Redis authentication password |
| RESULT_HMAC_KEY | HMAC-SHA256 key for result signing (auto-generated by install.sh via openssl rand -hex 32). Both dispatcher and bot fail hard at startup if missing. |

At least one interface must be configured:

| Variable | Interface | Description |
|---|---|---|
| TELEGRAM_BOT_TOKEN | Telegram | Telegram bot token |
| ALLOWED_CHATS | Telegram | Comma-separated Telegram chat IDs |
| DISCORD_BOT_TOKEN | Discord | Discord bot token |
| DISCORD_ALLOWED_USERS | Discord | Comma-separated Discord user IDs |
| SLACK_BOT_TOKEN | Slack | Slack bot token (xoxb-...) |
| SLACK_APP_TOKEN | Slack | Slack app token (xapp-...) |
| SLACK_ALLOWED_USERS | Slack | Comma-separated Slack user IDs |
| WEB_USERNAME / WEB_PASSWORD | Web | HTTP Basic Auth credentials (or WEB_USERS for multi-user) |
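
A preflight check for the required settings above, added here as an example and not part of the project's own code: it parses .env text and reports missing required variables, a RESULT_HMAC_KEY that does not have the shape of openssl rand -hex 32 output, and the absence of any configured interface. The function names, the rule for what counts as a configured interface, the allowlist warning, and the warnings for GATE_CHECK and WEB_SSL (both documented further down) are assumptions of this example.

```python
import re

# Per interface: variables that must all be set, then allowlists (any one). Assumed grouping.
INTERFACES = {
    "Telegram": (["TELEGRAM_BOT_TOKEN"], ["ALLOWED_CHATS"]),
    "Discord": (["DISCORD_BOT_TOKEN"], ["DISCORD_ALLOWED_USERS", "DISCORD_ALLOWED_ROLES"]),
    "Slack": (["SLACK_BOT_TOKEN", "SLACK_APP_TOKEN"], ["SLACK_ALLOWED_USERS"]),
}

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env

def check_env(text):
    """Return a list of findings; an empty list means the preflight passed."""
    env, findings = parse_env(text), []
    for var in ("REDIS_PASSWORD", "RESULT_HMAC_KEY"):
        if not env.get(var):
            findings.append(f"ERROR {var} is required")
    key = env.get("RESULT_HMAC_KEY", "")
    # openssl rand -hex 32 emits 32 random bytes as 64 hex characters.
    if key and not re.fullmatch(r"[0-9a-fA-F]{64}", key):
        findings.append("WARN RESULT_HMAC_KEY is not 64 hex characters")
    active = 0
    for name, (needed, allow) in INTERFACES.items():
        if all(env.get(v) for v in needed):
            active += 1
            if not any(env.get(v) for v in allow):
                findings.append(f"WARN {name} has tokens but no allowlist")
    if env.get("WEB_USERS") or (env.get("WEB_USERNAME") and env.get("WEB_PASSWORD")):
        active += 1
        if env.get("WEB_SSL", "true").lower() == "false":
            findings.append("WARN WEB_SSL=false exposes Basic Auth over plain HTTP")
    if active == 0:
        findings.append("ERROR no interface is configured")
    if env.get("GATE_CHECK", "true").lower() == "false":
        findings.append("WARN GATE_CHECK=false disables the gate check")
    return findings

# Constructed sample .env content (placeholder values, not real secrets).
SAMPLE = ("REDIS_PASSWORD=example\nRESULT_HMAC_KEY=changeme\n"
          "SLACK_BOT_TOKEN=xoxb-constructed\nGATE_CHECK=false\n")

if __name__ == "__main__":
    print("\n".join(check_env(SAMPLE)))
```

In the sample, Slack does not count as configured because SLACK_APP_TOKEN is missing, so the check reports that no interface is configured.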

Optional

| Variable | Default | Description |
|---|---|---|
| SSH_KEYS_DIR | ./ssh-keys | Path to SSH keys |
| LOG_LEVEL | INFO | Logging level (DEBUG/INFO/WARNING/ERROR) |
| MAX_CONCURRENT_TASKS | 3 | Max parallel task executions |
| TASK_TIMEOUT | 300 | Task timeout in seconds (.env.template ships 300; compose fallback is 600) |
| SESSION_TTL | 14400 | Session context window in seconds (4h) |
| HISTORY_TTL | 86400 | History retention in Redis (24h) |
| SUDO_COMMANDS | nmap,tcpdump,... | Comma-separated commands hcli can sudo (full paths resolved at startup) |
| GATE_CHECK | true | Asimov firewall Haiku gate check — independent model evaluates each command (adds ~2-3s per command). Set to false to disable. |
| GATE_MODEL | haiku | Model used by the Asimov firewall gatekeeper |
| BLOCKED_PATTERNS | | Pipe-separated denylist patterns (e.g. `\| bash\|base64 -d`) |
| BLOCKED_PATTERNS_FILE | /app/blocked-patterns.txt | Pattern file (~80 patterns, 12 categories). Override with your own for external CVE/signature feeds |
| CORE_BASE_IMAGE | debian:12-slim | Base image for the core container |
| ENV_TAG | | Multi-instance isolation tag. Appended to container names, network names, and hostnames (e.g., devh-cli-dev-core) |
| MAIN_MODEL | opus | Primary model for task execution |
| FAST_MODEL | haiku | Fast model for quick responses |
| CHAT_NAMES | | Comma-separated chat_id:name pairs for human-readable session chunk directories |

Monitor Stack

| Variable | Description |
|---|---|
| TIMESCALE_PASSWORD | TimescaleDB password (required for monitor profile) |
| TIMESCALE_URL | TimescaleDB connection URL (used by dispatcher and firewall for metrics writes) |
| GRAFANA_ADMIN_PASSWORD | Grafana admin login password |
| GRAFANA_INTERNAL_URL | Local Grafana base URL for inline graph rendering from telegram-bot |
| GRAFANA_URL | External Grafana instance URL |
| GRAFANA_API_TOKEN | Grafana API token (Viewer role recommended) |

Vector Memory

| Variable | Description |
|---|---|
| QDRANT_API_KEY | Qdrant authentication key |
| QDRANT_COLLECTION | Qdrant collection name (default: hcli_memory) |

Integrations

| Variable | Container | Description |
|---|---|---|
| NETBOX_URL | core | NetBox instance URL |
| NETBOX_API_TOKEN | core | NetBox API token |
| GRAFANA_URL | core, telegram-bot | Grafana instance URL |
| GRAFANA_API_TOKEN | core, telegram-bot | Grafana API token |
| GRAFANA_INTERNAL_URL | core, telegram-bot | Local Grafana URL for graph rendering |
| GRAFANA_ADMIN_PASSWORD | core, telegram-bot | Grafana admin password (basic auth for renderer) |
| EVE_NG_URL | core | EVE-NG REST API URL |
| EVE_NG_USERNAME | core | EVE-NG username |
| EVE_NG_PASSWORD | core | EVE-NG password |
| LAMBDAAPI | core | Lambda API endpoint URL |

Web UI

| Variable | Default | Description |
|---|---|---|
| WEB_PORT | 8443 | Port for the web UI |
| WEB_SSL | true | Enable HTTPS with auto-generated self-signed cert (place cert.pem/key.pem in ssl/ for custom certs) |
| WEB_USERS | | Multi-user mode: comma-separated name:password pairs (takes priority over WEB_USERNAME/WEB_PASSWORD) |

Discord

| Variable | Default | Description |
|---|---|---|
| DISCORD_ALLOWED_ROLES | | Comma-separated Discord role IDs (optional — users with any role are authorized) |
| DISCORD_GUILD_IDS | | Comma-separated guild IDs for instant slash command sync |
| DISCORD_CHAT_NAMES | | Comma-separated channel_id:name pairs |

Slack

| Variable | Description |
|---|---|
| SLACK_CHAT_NAMES | Comma-separated channel_id:name pairs |

Claude Code Authentication

Uses Claude Max/Pro subscription — no API costs. One-time setup:

```bash
docker compose run -it claude-code setup-token
# opens a URL — authenticate in browser, paste the key back
# token prints to screen, copy into CLAUDE_CODE_OAUTH_TOKEN in .env
```

| Variable | Description |
|---|---|
| CLAUDE_CODE_OAUTH_TOKEN | Claude Code OAuth token (from setup above) |
| ANTHROPIC_AUTH_TOKEN | Alternative: Anthropic auth token |
| ANTHROPIC_API_KEY | Alternative: Anthropic API key |
ANTHROPIC_BASE_URL Custom Anthropic API base URL