Ballast is configured via environment variables. This reference covers all available settings.
Core Settings
| Variable | Required | Default | Description |
|---|---|---|---|
| ENVIRONMENT | No | local | Environment name (local, staging, production) |
| LOCAL_DEVELOPMENT | No | false | Enable development mode (skips email verification) |
| AUTH_ENABLED | No | true | Enable authentication (disable for testing) |
Database (PostgreSQL)
| Variable | Required | Default | Description |
|---|---|---|---|
| POSTGRES_HOST | Yes | - | PostgreSQL host |
| POSTGRES_PORT | Yes | 5432 | PostgreSQL port |
| POSTGRES_DB | Yes | ballast | Database name |
| POSTGRES_USER | Yes | - | Database user |
| POSTGRES_PASSWORD | Yes | - | Database password |
| POSTGRES_SSLMODE | No | disable | SSL mode (disable, require, verify-full) |
Vector Database (Qdrant)
| Variable | Required | Default | Description |
|---|---|---|---|
| QDRANT_HOST | Yes | - | Qdrant host |
| QDRANT_PORT | Yes | 6334 | Qdrant gRPC port |
| QDRANT_API_KEY | No | - | Qdrant API key (if secured) |
| QDRANT_USE_TLS | No | false | Enable TLS for Qdrant |
Cache (Redis)
| Variable | Required | Default | Description |
|---|---|---|---|
| REDIS_HOST | Yes | - | Redis host |
| REDIS_PORT | Yes | 6379 | Redis port |
| REDIS_PASSWORD | No | - | Redis password |
Background Jobs (Temporal)
| Variable | Required | Default | Description |
|---|---|---|---|
| TEMPORAL_HOST | Yes | - | Temporal server host |
| TEMPORAL_PORT | Yes | 7233 | Temporal server port |
| TEMPORAL_NAMESPACE | No | default | Temporal namespace |
| TEMPORAL_TASK_QUEUE | No | ballast-sync-queue | Task queue name |
| TEMPORAL_ENABLED | No | true | Enable Temporal integration |
Authentication
| Variable | Required | Default | Description |
|---|---|---|---|
| JWT_SECRET | Yes | - | Secret for signing JWT tokens |
| ENCRYPTION_KEY | Yes | - | Key for encrypting credentials (32 bytes, base64) |
| STATE_SECRET | Yes | - | Secret for OAuth state tokens |
AI Services
OpenAI (Required for embeddings)
| Variable | Required | Default | Description |
|---|---|---|---|
| OPENAI_API_KEY | Yes | - | OpenAI API key |
Anthropic (Optional, for AI features)
| Variable | Required | Default | Description |
|---|---|---|---|
| ANTHROPIC_API_KEY | No | - | Anthropic API key |
Cohere (Optional, for reranking)
| Variable | Required | Default | Description |
|---|---|---|---|
| COHERE_API_KEY | No | - | Cohere API key |
OAuth Providers
Configure OAuth credentials for each integration you want to enable:
Google Workspace
| Variable | Required | Description |
|---|---|---|
| GOOGLE_CLIENT_ID | For Google sources | Google OAuth client ID |
| GOOGLE_CLIENT_SECRET | For Google sources | Google OAuth client secret |
Microsoft 365
| Variable | Required | Description |
|---|---|---|
| MICROSOFT_CLIENT_ID | For Microsoft sources | Azure AD app client ID |
| MICROSOFT_CLIENT_SECRET | For Microsoft sources | Azure AD app client secret |
Slack
| Variable | Required | Description |
|---|---|---|
| SLACK_CLIENT_ID | For Slack source | Slack app client ID |
| SLACK_CLIENT_SECRET | For Slack source | Slack app client secret |
GitHub
| Variable | Required | Description |
|---|---|---|
| GITHUB_CLIENT_ID | For GitHub source | GitHub OAuth app client ID |
| GITHUB_CLIENT_SECRET | For GitHub source | GitHub OAuth app client secret |
Salesforce
| Variable | Required | Description |
|---|---|---|
| SALESFORCE_CLIENT_ID | For Salesforce source | Salesforce connected app client ID |
| SALESFORCE_CLIENT_SECRET | For Salesforce source | Salesforce connected app client secret |
Notion
| Variable | Required | Description |
|---|---|---|
| NOTION_CLIENT_ID | For Notion source | Notion integration client ID |
| NOTION_CLIENT_SECRET | For Notion source | Notion integration client secret |
Email (SMTP)
| Variable | Required | Default | Description |
|---|---|---|---|
| SMTP_HOST | For email | - | SMTP server host |
| SMTP_PORT | For email | 587 | SMTP server port |
| SMTP_USER | For email | - | SMTP username |
| SMTP_PASSWORD | For email | - | SMTP password |
| EMAIL_FROM_ADDRESS | For email | - | From email address |
| EMAIL_FROM_NAME | No | Ballast | From display name |
Alternative email provider:
| Variable | Required | Description |
|---|---|---|
| RESEND_API_KEY | Alternative to SMTP | Resend API key |
Billing (Optional)
| Variable | Required | Description |
|---|---|---|
| STRIPE_API_KEY | For billing | Stripe API key |
| STRIPE_WEBHOOK_SECRET | For billing | Stripe webhook signing secret |
URLs
| Variable | Required | Default | Description |
|---|---|---|---|
| FRONTEND_URL | Yes | - | Public URL for the web app |
| BACKEND_URL | No | Same as FRONTEND_URL | URL for API (if different) |
Initial Admin
| Variable | Required | Description |
|---|---|---|
| SUPERUSER_EMAIL | Recommended | Email for initial admin account |
| SUPERUSER_PASSWORD | Recommended | Password for initial admin account |
Example Configuration
Minimal production configuration:
ENVIRONMENT=production
JWT_SECRET=your-secure-random-string-at-least-32-chars
ENCRYPTION_KEY=base64-encoded-32-byte-key
STATE_SECRET=another-secure-random-string
POSTGRES_HOST=your-postgres-host
POSTGRES_PORT=5432
POSTGRES_DB=ballast
POSTGRES_USER=ballast
POSTGRES_PASSWORD=secure-password
POSTGRES_SSLMODE=require
QDRANT_HOST=your-qdrant-host
QDRANT_PORT=6334
QDRANT_USE_TLS=true
QDRANT_API_KEY=your-qdrant-api-key
REDIS_HOST=your-redis-host
REDIS_PORT=6379
REDIS_PASSWORD=redis-password
TEMPORAL_HOST=your-temporal-host
TEMPORAL_PORT=7233
OPENAI_API_KEY=sk-...
FRONTEND_URL=https://ballast.yourcompany.com
SUPERUSER_EMAIL=admin@yourcompany.com
SUPERUSER_PASSWORD=secure-initial-password
Generating Secrets
Generate a secure JWT secret:
openssl rand -base64 32
Generate an encryption key:
openssl rand -base64 32
Generate a state secret:
openssl rand -hex 32
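
A preflight check for the settings above, as an added example that is not part of Ballast: it flags production values that keep the insecure defaults listed in the tables, leave the example placeholders unchanged, or supply an ENCRYPTION_KEY that does not decode to 32 bytes. The 32-character JWT_SECRET minimum is taken from the example placeholder; the boolean parsing and the HTTPS check on FRONTEND_URL are assumptions, and the sample env is constructed.

```python
import base64
import binascii

# Constructed sample env with weak production values (not from the Ballast docs).
SAMPLE_ENV = """\
ENVIRONMENT=production
LOCAL_DEVELOPMENT=true
JWT_SECRET=short
ENCRYPTION_KEY=bm90LTMyLWJ5dGVz
STATE_SECRET=another-secure-random-string
POSTGRES_SSLMODE=disable
FRONTEND_URL=http://ballast.example.test
"""
# Placeholder values copied from the page's example configuration.
PLACEHOLDERS = {"your-secure-random-string-at-least-32-chars",
                "base64-encoded-32-byte-key", "another-secure-random-string"}

def parse_env(text):
    """Parse KEY=VALUE lines, ignoring blanks and # comments."""
    pairs = (l.partition("=") for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def decoded_len(b64):
    """Length of the base64-decoded value, or -1 if it is not valid base64."""
    try:
        return len(base64.b64decode(b64, validate=True))
    except (binascii.Error, ValueError):
        return -1

def audit(env):
    """Return the names of variables that weaken a production deployment."""
    if env.get("ENVIRONMENT", "local") != "production":
        return []
    # Assumption: booleans are the literal strings true/false, case-insensitive.
    on = lambda name, default: env.get(name, default).lower() == "true"
    weak = lambda name: not env.get(name) or env[name] in PLACEHOLDERS
    checks = [  # (variable, is_bad); defaults are those listed in the tables
        ("LOCAL_DEVELOPMENT", on("LOCAL_DEVELOPMENT", "false")),
        ("AUTH_ENABLED", not on("AUTH_ENABLED", "true")),
        ("POSTGRES_SSLMODE", env.get("POSTGRES_SSLMODE", "disable") == "disable"),
        ("QDRANT_USE_TLS", not on("QDRANT_USE_TLS", "false")),
        ("JWT_SECRET", weak("JWT_SECRET") or len(env["JWT_SECRET"]) < 32),
        ("ENCRYPTION_KEY", decoded_len(env.get("ENCRYPTION_KEY", "")) != 32),
        ("STATE_SECRET", weak("STATE_SECRET")),
        ("FRONTEND_URL", not env.get("FRONTEND_URL", "").startswith("https://")),
    ]
    return [name for name, bad in checks if bad]

if __name__ == "__main__":
    print(audit(parse_env(SAMPLE_ENV)))
```

Run it against the real env file in CI or at container start and fail the deploy when the returned list is non-empty.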