Environment Variables¶
Trunk8 uses environment variables for sensitive configuration that shouldn't be stored in files.
Available Environment Variables¶
TRUNK8_ADMIN_PASSWORD¶
Purpose: Sets the admin password for accessing protected features.
Default: admin (change this in production!)
Example:
TRUNK8_SECRET_KEY¶
Purpose: Secret key for Flask session encryption and security.
Default: Random value generated at runtime
Example:
Generate a secure key:
TRUNK8_PORT¶
Purpose: Sets the port number for the Flask development server.
Default: 5001
Example:
Note: This only affects the development server started with python run.py. For production deployments with Gunicorn, specify the port using Gunicorn's --bind option:
TRUNK8_LOG_LEVEL¶
Purpose: Controls the verbosity of application logging output.
Default: INFO
Valid Values: DEBUG, INFO, WARNING, ERROR, CRITICAL
Example:
# Set to DEBUG for detailed troubleshooting
export TRUNK8_LOG_LEVEL="DEBUG"
# Set to WARNING to only see warnings and errors
export TRUNK8_LOG_LEVEL="WARNING"
Description:
- DEBUG: Verbose logging including detailed operational info
- INFO: General information about application operation (default)
- WARNING: Warning messages and above
- ERROR: Error messages and above
- CRITICAL: Only critical errors
Log Format: YYYY-MM-DD HH:MM:SS - module - LEVEL - message
Setting Environment Variables¶
Method 1: Shell Export¶
Set temporarily in current shell:
Method 2: .env File¶
Create a .env file in project root:
# .env
TRUNK8_ADMIN_PASSWORD=secure-password
TRUNK8_SECRET_KEY=your-secret-key-here
TRUNK8_LOG_LEVEL=INFO
TRUNK8_PORT=5001
The application automatically loads this file using python-dotenv.
Method 3: System Environment¶
Add to shell profile (~/.bashrc, ~/.zshrc):
# Trunk8 Configuration
export TRUNK8_ADMIN_PASSWORD="secure-password"
export TRUNK8_SECRET_KEY="your-secret-key"
Reload profile:
Method 4: Docker¶
Pass to Docker container:
docker run -p 5001:5001 \
-e TRUNK8_ADMIN_PASSWORD="secure-password" \
-e TRUNK8_SECRET_KEY="secret-key" \
-e TRUNK8_LOG_LEVEL="INFO" \
-e TRUNK8_PORT="5001" \
trunk8
Using docker-compose:
version: '3'
services:
  trunk8:
    image: trunk8
    ports:
      - "${TRUNK8_PORT:-5001}:${TRUNK8_PORT:-5001}"
    environment:
      - TRUNK8_ADMIN_PASSWORD=${TRUNK8_ADMIN_PASSWORD}
      - TRUNK8_SECRET_KEY=${TRUNK8_SECRET_KEY}
      - TRUNK8_PORT=${TRUNK8_PORT:-5001}
Method 5: Systemd¶
For systemd services:
[Service]
Environment="TRUNK8_ADMIN_PASSWORD=secure-password"
Environment="TRUNK8_SECRET_KEY=secret-key"
Method 6: Supervisor¶
In supervisor config:
[program:trunk8]
environment=TRUNK8_ADMIN_PASSWORD="%(ENV_TRUNK8_ADMIN_PASSWORD)s",TRUNK8_SECRET_KEY="%(ENV_TRUNK8_SECRET_KEY)s"
Security Best Practices¶
Password Requirements¶
Create strong admin passwords:
- Minimum 12 characters
- Mix of upper/lowercase letters
- Include numbers and symbols
- Unique to Trunk8
Good Example:
Bad Examples:
- admin (default)
- password123
- trunk8
Secret Key Guidelines¶
The secret key should be:
- At least 32 characters
- Randomly generated
- Never shared or committed
- Unique per installation
Generate secure keys:
# Option 1: Hex string
python -c "import secrets; print(secrets.token_hex(32))"
# Option 2: URL-safe string
python -c "import secrets; print(secrets.token_urlsafe(32))"
# Option 3: UUID-based
python -c "import uuid; print(uuid.uuid4().hex + uuid.uuid4().hex)"
File Permissions¶
Protect .env files:
Git Security¶
Never commit sensitive data:
Add to .gitignore:
Verification¶
Check if Variables are Set¶
# Check specific variable
echo $TRUNK8_ADMIN_PASSWORD
# Check all Trunk8 variables
env | grep TRUNK8_
Test in Python¶
import os
password = os.getenv('TRUNK8_ADMIN_PASSWORD', 'not-set')
secret_key = os.getenv('TRUNK8_SECRET_KEY', 'not-set')
print(f"Password configured: {'Yes' if password != 'not-set' else 'No'}")
print(f"Secret key configured: {'Yes' if secret_key != 'not-set' else 'No'}")
Troubleshooting¶
Variables Not Loading¶
- Check spelling - Variable names are case-sensitive
- Verify .env location - Must be in project root
- Restart application - Changes require restart
- Check shell - Some shells need export prefix
Docker Issues¶
Variables not passing to container:
# Debug: Print environment in container
docker run --rm trunk8 env | grep TRUNK8_
# Fix: Use --env-file
docker run --env-file .env trunk8
Permission Denied¶
If .env can't be read:
Advanced Usage¶
Multiple Environments¶
Use different files per environment:
# Development
cp .env.development .env
# Staging
cp .env.staging .env
# Production
cp .env.production .env
Dynamic Values¶
Generate values at runtime:
Validation Script¶
Create check_env.py:
#!/usr/bin/env python3
import os
import sys

# Variables that must be present (and non-empty) before Trunk8 starts
required_vars = ['TRUNK8_ADMIN_PASSWORD', 'TRUNK8_SECRET_KEY']
missing = []
for var in required_vars:
    # os.getenv returns None when unset; an empty string also counts as missing
    if not os.getenv(var):
        missing.append(var)
if missing:
    print(f"Error: Missing environment variables: {', '.join(missing)}")
    sys.exit(1)
else:
    print("All required environment variables are set!")
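The script above only confirms that the variables exist. The following added example (not part of Trunk8 or its documentation) also checks the values against the Password Requirements, Secret Key Guidelines and File Permissions sections of this page. The function names, the KNOWN_WEAK list and the owner-only 600 mode are assumptions of this example.

```python
import os
import stat
import string

# Bad examples and placeholders taken from this page (the list is an assumption).
KNOWN_WEAK = {"admin", "password123", "trunk8", "secure-password"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def audit_password(pw):
    """Return problems with the admin password; an empty list means it passes."""
    if not pw:
        return ["unset: Trunk8 falls back to the default 'admin'"]
    problems = []
    if pw.lower() in KNOWN_WEAK:
        problems.append("default or documented placeholder value")
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not all(any(c in cls for c in pw) for cls in CLASSES):
        problems.append("needs upper, lower, digit and symbol")
    return problems

def audit_secret_key(key):
    """Return problems with the Flask secret key."""
    if not key:
        return ["unset: a new random key at each start invalidates sessions"]
    if len(key) < 32:
        return ["shorter than 32 characters"]
    return []

def audit_env_file(path):
    """Flag a .env file that group or other users can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"mode {mode:03o} lets group/others access it; use 600"]
    return []

def audit(env, env_file=".env"):
    """Map each item to its problems; secret values are never printed."""
    report = {"TRUNK8_ADMIN_PASSWORD": audit_password(env.get("TRUNK8_ADMIN_PASSWORD")),
              "TRUNK8_SECRET_KEY": audit_secret_key(env.get("TRUNK8_SECRET_KEY"))}
    if os.path.exists(env_file):
        report[env_file] = audit_env_file(env_file)
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit(os.environ).items():
        print(f"{name}: {'; '.join(found)}")
```

Run it from the project root before starting the application; it prints only the names of failing items and the reasons, never the secret values themselves.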
Security Checklist¶
- Changed default admin password
- Generated unique secret key
- Protected .env file permissions
- Added .env to .gitignore
- Documented variables for team
- Regular password rotation schedule
- Monitoring for exposed secrets
Next Steps¶
- Review Security Best Practices
- Configure Application Settings
- Set up Production Deployment
- Learn about Configuration Management