Skip to content

Configuration

Sairo is configured entirely through environment variables. Pass them via -e flags in docker run, an .env file with Docker Compose, or Kubernetes secrets.

These variables connect Sairo to your S3-compatible storage backend.

VariableRequiredDefaultDescription
S3_ENDPOINTYesFull URL of your S3-compatible endpoint (e.g., https://s3.amazonaws.com).
S3_ACCESS_KEYYesS3 access key ID.
S3_SECRET_KEYYesS3 secret access key.
S3_REGIONNo(empty)S3 region. Required by some providers; can be left empty for MinIO.

These variables control login credentials and session behavior.

VariableRequiredDefaultDescription
AUTH_MODENolocalAuth mode: local (username/password) or s3 (authenticate with S3 access key/secret key directly).
ADMIN_USERNoadminUsername for the built-in admin account.
ADMIN_PASSNoAuto-generatedPassword for the admin account. If not set, a random password is generated and printed to stdout on first startup.
JWT_SECRETNoAuto-generatedSecret key used to sign JWT tokens. If not set, a random value is generated on startup. Set this explicitly in production so tokens survive container restarts.
SESSION_HOURSNo24Number of hours before a JWT token expires and the user must log in again.
SECURE_COOKIENotrueSet the Secure flag on authentication cookies. Must be true for HTTPS, false for HTTP.

These variables control how Sairo indexes your S3 objects.

VariableRequiredDefaultDescription
RECRAWL_INTERVALNo120Seconds between the end of one crawl and the start of the next. Increase this for large buckets to reduce S3 API calls.
DB_DIRNo/dataDirectory where per-bucket SQLite databases are stored. Mount a persistent volume here.

Enable LDAP authentication to let users log in with their directory credentials.

VariableRequiredDefaultDescription
LDAP_ENABLEDNofalseSet to true to enable LDAP authentication.
LDAP_SERVERIf LDAP enabledLDAP server URL (e.g., ldap://ldap.example.com or ldaps://ldap.example.com).
LDAP_BASE_DNIf LDAP enabledBase DN for user searches (e.g., dc=example,dc=com).
LDAP_USER_FILTERIf LDAP enabled(sAMAccountName={username})LDAP filter to find users. Use {username} as a placeholder.
LDAP_BIND_DNNoDN to bind with for searching (e.g., cn=readonly,dc=example,dc=com). If not set, anonymous bind is attempted.
LDAP_BIND_PASSWORDNoPassword for the bind DN.
LDAP_ADMIN_GROUPNoDN of the LDAP group whose members are granted the admin role (e.g., cn=admins,ou=groups,dc=example,dc=com).
LDAP_DEFAULT_ROLENoviewerRole assigned to LDAP users who are not in the admin group. One of admin or viewer.

Enable OAuth authentication with Google and/or GitHub.

VariableRequiredDefaultDescription
OAUTH_GOOGLE_CLIENT_IDFor Google OAuthGoogle OAuth 2.0 client ID.
OAUTH_GOOGLE_CLIENT_SECRETFor Google OAuthGoogle OAuth 2.0 client secret.
OAUTH_GITHUB_CLIENT_IDFor GitHub OAuthGitHub OAuth app client ID.
OAUTH_GITHUB_CLIENT_SECRETFor GitHub OAuthGitHub OAuth app client secret.
OAUTH_DEFAULT_ROLENoviewerRole assigned to new users who authenticate via OAuth. One of admin or viewer.
OAUTH_ALLOWED_DOMAINSNoComma-separated list of allowed email domains (e.g., example.com,company.com). If set, only users with matching email domains can log in.

Customize the Sairo UI appearance.

VariableRequiredDefaultDescription
APP_NAMENoSairoApplication name displayed in the UI header and login page.
PRIMARY_COLORNo#3b82f6Primary accent color for the UI (any valid CSS color, e.g., #1a73e8).
APP_LOGONoURL to a logo image displayed on the login page and sidebar.
LOGIN_MESSAGENoCustom message shown on the login page (e.g., "Sign in with your corporate account").
Terminal window
# S3 connection
S3_ENDPOINT=https://s3.us-east-1.amazonaws.com
S3_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
S3_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
S3_REGION=us-east-1
# Authentication
ADMIN_USER=admin
ADMIN_PASS=your-strong-password
JWT_SECRET=your-random-64-char-hex-string
SESSION_HOURS=24
SECURE_COOKIE=true
# Crawler
RECRAWL_INTERVAL=300
DB_DIR=/data
# Branding
APP_NAME=Acme Storage Browser
PRIMARY_COLOR=#0f62fe
LOGIN_MESSAGE=Internal use only. Sign in to continue.