Configuration
All configuration is managed via environment variables in .env. Copy .env.example to .env and fill in values.
All values are read through src/core/config.py (pydantic-settings). Never read os.environ directly in business logic — add a field to Settings instead.
Required variables
| Variable | Description |
|---|---|
| SECRET_KEY | JWT signing secret — minimum 32 characters in production |
| ENCRYPTION_KEY | Fernet key for credential and TOTP secret encryption |
| POSTGRES_PASSWORD | PostgreSQL database password |
| REDIS_PASSWORD | Redis password |
Generate a Fernet key:
python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
Auth & security
| Variable | Default | Description |
|---|---|---|
| SECRET_KEY | — | JWT signing (≥32 chars in prod) |
| ENCRYPTION_KEY | — | Fernet key for secrets at rest |
| REQUIRE_INVITE | false | true = invite-only registration |
| ENVIRONMENT | production | development or production |
| CORS_ORIGINS | — | Comma-separated allowed origins |
Production mode rejects startup if SECRET_KEY is weak or uses the default placeholder.
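A preflight check along these lines can be run against a parsed .env before deployment. This is an added example, not the project's src/core/config.py: the placeholder strings, function names, and sample values are assumptions, and "weak" is taken to mean the 32-character minimum stated above.

```python
import base64
import binascii

# Assumed placeholder strings; the page does not say what the default is.
PLACEHOLDER_SECRETS = {"changeme", "change-me", "your-secret-key-here"}
REQUIRED = ("SECRET_KEY", "ENCRYPTION_KEY", "POSTGRES_PASSWORD", "REDIS_PASSWORD")
MIN_SECRET_LEN = 32  # from the page: minimum 32 characters in production

# Constructed sample values, not real secrets.
SAMPLE_FERNET_KEY = base64.urlsafe_b64encode(bytes(range(32))).decode()
SAMPLE_ENV = {
    "ENVIRONMENT": "production",
    "SECRET_KEY": "changeme",
    "ENCRYPTION_KEY": "not-a-fernet-key",
    "POSTGRES_PASSWORD": "pg-example-password",
    "REDIS_PASSWORD": "",
}


def is_fernet_key(value):
    """A Fernet key is 32 bytes, URL-safe base64 encoded (44 characters)."""
    try:
        raw = base64.urlsafe_b64decode(value.encode("ascii"))
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


def check_env(env):
    """Return a list of problems; an empty list means startup may proceed."""
    problems = [f"{name} is required but not set"
                for name in REQUIRED if not env.get(name, "").strip()]
    # ENVIRONMENT defaults to production, so an unset value gets the strict checks.
    production = env.get("ENVIRONMENT", "production").strip().lower() == "production"
    secret = env.get("SECRET_KEY", "")
    if production and secret.strip():
        if secret.strip().lower() in PLACEHOLDER_SECRETS:
            problems.append("SECRET_KEY uses a placeholder value")
        elif len(secret) < MIN_SECRET_LEN:
            problems.append(f"SECRET_KEY is shorter than {MIN_SECRET_LEN} characters")
    key = env.get("ENCRYPTION_KEY", "")
    if key.strip() and not is_fernet_key(key):
        problems.append("ENCRYPTION_KEY is not a valid Fernet key")
    return problems


if __name__ == "__main__":
    for problem in check_env(SAMPLE_ENV):
        print("refusing to start:", problem)
```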
Database
| Variable | Default | Description |
|---|---|---|
| POSTGRES_HOST | postgres | DB hostname (Docker service name) |
| POSTGRES_PORT | 5432 | DB port |
| POSTGRES_DB | nexora | Database name |
| POSTGRES_USER | nexora | Database user |
| POSTGRES_PASSWORD | — | Database password (required) |
Redis
| Variable | Default | Description |
|---|---|---|
| REDIS_HOST | redis | Redis hostname |
| REDIS_PORT | 6379 | Redis port |
| REDIS_PASSWORD | — | Redis password (required) |
LLM providers
Providers are configured per-organization in the UI (Settings → Providers). API keys are stored encrypted in the database using the ENCRYPTION_KEY.
The provider chain is tried in order; the first healthy provider handles the request.
Integrations
Telegram
| Variable | Description |
|---|---|
| TELEGRAM_BOT_TOKEN | Bot token from @BotFather |
GitHub App
| Variable | Description |
|---|---|
| GITHUB_APP_ID | GitHub App ID |
| GITHUB_APP_PRIVATE_KEY | PEM private key (base64 or raw) |
| GITHUB_APP_WEBHOOK_SECRET | Webhook signing secret |
GitLab OAuth
| Variable | Description |
|---|---|
| GITLAB_APP_ID | GitLab OAuth application ID |
| GITLAB_APP_SECRET | GitLab OAuth secret |
| GITLAB_REDIRECT_URI | OAuth callback URL |
Agent concurrency
| Variable | Default | Description |
|---|---|---|
| MAX_CONCURRENT_AGENTS | 2 | Max parallel sub-agents per worker |
| MAX_CONCURRENT_AGENTS_PER_ORG | 4 | Max parallel sub-agents per org (Redis-coordinated) |
| TASKS_PER_BATCH | 2 | Tasks dispatched per batch |
NexoraCloud billing (optional)
Set when deploying NexoraCloud (not needed for plain Nexora):
| Variable | Description |
|---|---|
| BILLING_WORKER_URL | URL of the billing worker (port 8001) |
| NEXORA_LICENSE_KEY | Inline JWT license (or use NEXORA_LICENSE_KEY_PATH) |
| NEXORA_LICENSE_KEY_PATH | Path to license.key file |
| NEXORA_LICENSE_PUBLIC_KEY_PATH | Path to license_public.pem |
| NEXORA_ADMIN_URL | https://nexora-gw.parendum.com |
Networking
| Variable | Default | Description |
|---|---|---|
| HTTP_PORT | 80 | nginx external port |