import { Callout } from ‘@astrojs/starlight/components’;
FourEyes is configured via environment variables (copy .env.example to .env).
Never commit real values — .env is gitignored.
| Variable | Default | Description |
|---|
FOUREYES_GRPC_ADDR | :8443 | Node mTLS gRPC (bidi stream); grpc-gateway reverse-proxies here. |
FOUREYES_HTTP_ADDR | :8444 | REST/gateway + embedded UI (HTTP). |
| Variable | Default | Description |
|---|
FOUREYES_STORAGE_MODE | embedded | embedded (SQLite/DuckDB) or scale (Postgres+ClickHouse, roadmap). |
FOUREYES_SQLITE_DSN | file:foureyes.db?cache=shared&... | Relational SQLite DSN (WAL + foreign keys on). |
FOUREYES_TS_BACKEND | sqlite | Time-series backend: sqlite (pure Go) or duckdb (CGO, -tags duckdb). |
FOUREYES_SQLITE_TS_DSN | foureyes-ts.db | Used when FOUREYES_TS_BACKEND=sqlite. |
FOUREYES_DUCKDB_DSN | foureyes-ts.duckdb | Used when FOUREYES_TS_BACKEND=duckdb. |
| Variable | Default | Description |
|---|
FOUREYES_CA_CERT | ./dev/ca.pem | CA certificate (PEM). |
FOUREYES_SERVER_CERT | ./dev/server.pem | Server certificate (PEM). |
FOUREYES_SERVER_KEY | ./dev/server-key.pem | Server private key (PEM). |
| Variable | Default | Description |
|---|
FOUREYES_ENROLL_TOKEN_TTL | 15m | Enrollment token lifetime. |
FOUREYES_AUTO_APPROVE | false | Dev convenience: auto-approve pending nodes. |
| Variable | Default | Description |
|---|
FOUREYES_FLUSH_INTERVAL | 2s | Result batch flush interval (1–5s). |
| Variable | Default | Description |
|---|
FOUREYES_LOG_LEVEL | info | Logging verbosity. |
| Variable | Default | Description |
|---|
FOUREYES_OTEL_ENDPOINT | (empty) | OTLP/gRPC target (e.g. localhost:4317). Empty = disabled. |
FOUREYES_OTEL_EXPORT_INTERVAL | 30s | Periodic push cadence. |
FOUREYES_OTEL_INSECURE | true | Plaintext gRPC (dev); set false for TLS. |
FOUREYES_OTEL_HEADERS | (empty) | k=v,k=v auth/tenant headers. |
| Variable | Default | Description |
|---|
FOUREYES_NODE_TOKEN | (empty) | Enrollment token used by the node to register. |
FOUREYES_BROWSER_BINARY | (empty) | Explicit Chromium path (else PATH, else download-on-demand). |
FOUREYES_BROWSER_DISABLE_DOWNLOAD | (empty) | Set to fail closed instead of fetching Chromium. |
FOUREYES_BROWSER_SHA256 | (empty) | Optional checksum for the fetched Chromium. |
Release signing is configured at **build** time, not runtime: the public key is
pinned into a node build, and only artifacts signed by the matching private key
are accepted. Downloaded release binaries ship without a pinned key, so node
self-update is disabled by default. See [Node self-update](/guides/self-update/).