Configuration (.env)

PDNS Manager is configured from two sources: the .env file (boot-time config: DB, JWT, cookies, feature flags) and the admin panel itself (everything operational: PowerDNS servers, SMTP, captcha, welcome mail, branding). That split is intentional: things you may change at runtime don't require a container restart.

Database

Variable	Default	Purpose
`DB_ROOT_PASSWORD`	empty (required)	MariaDB root password. Set on first start.
`DB_NAME`	`dns_manager`	Schema name. Don't change post-install.
`DB_USER`	`dns_admin`	App user in the DB.
`DB_PASSWORD`	empty (required)	App user password. Auto-generated by setup.

Auth & cookies

Variable	Default	Purpose
`JWT_SECRET_KEY`	empty (required)	Signs session JWTs. Recommended: `openssl rand -hex 64`.
`JWT_ALGORITHM`	`HS256`	Asymmetric would be overkill for a self-signed session.
`JWT_EXPIRE_MINUTES`	`1440`	Session lifetime in the JWT. 24 hours.
`AUTH_COOKIE_NAME`	`dns_manager_token`	Cookie name. Deliberately not `session` so it's easy to find in DevTools.
`AUTH_COOKIE_SECURE`	`false`	Set to `true` once you have HTTPS in front – otherwise the browser doesn't send the cookie reliably.
`AUTH_COOKIE_SAMESITE`	`lax`	Safe and compatible. `strict` usually fine, `none` only for cross-site embeds.
`AUTH_COOKIE_MAX_AGE`	`2592000` (compose), `86400` (code)	Cookie lifetime in seconds. Compose sets 30 days, plain code default is 24 h.
`INITIAL_ADMIN_PASSWORD`	unset	If set, on first start a user `admin` is created with this password. Otherwise the backend generates a random one and stores it under `/app/.initial-admin-password`.
`ENABLE_REGISTRATION`	`false`	Allows public sign-up via `/register`. Default `true` during the wizard for first setup, please set back to `false` afterwards.

App / behaviour

Variable	Default	Purpose
`APP_NAME`	`PDNS Manager`	Display name (tab title, header). Also editable in the panel.
`DEFAULT_LANGUAGE`	`de` (compose)	UI language on first visit. Users can change later via dropdown.
`LOG_LEVEL`	`info`	Standard Python log level.
`LOG_FORMAT`	`text`	`text` for humans, `json` for log aggregators like Loki.
`INSTALL_PATH`	unset	Shown in the panel ("Updates come from …").
`ALLOWED_ORIGINS`	empty	CORS allow list (comma-separated URLs). Empty = same-origin only, fine for the built-in UI.
`DOCS_ENABLED`	`false`	Exposes Swagger under `/docs` + `/openapi.json`. Only on if you really need it.

PowerDNS

Variable	Default	Purpose
`PDNS_SERVERS`	empty	Comma-separated `name\|url\|api_key`. Not required – servers are usually added in the panel (cleaner because they go into the DB and stay editable).

Webhooks

Variable	Default	Purpose
`WEBHOOK_ALLOW_PRIVATE_URLS`	`false`	SSRF protection: localhost, RFC1918, link-local URLs are blocked. Set `true` only on fully internal networks.

Not in .env

Deliberately not in .env: SMTP, captcha, welcome mail, branding, ACME tokens. Those live in system_settings (DB) and are managed via the panel – see the feature pages:

Example: a fully-set production .env

# --- DB ---
DB_ROOT_PASSWORD=jfM3...random...vQ
DB_NAME=dns_manager
DB_USER=dns_admin
DB_PASSWORD=K8x...random...mz

# --- Auth ---
JWT_SECRET_KEY=58b6...128-hex-chars...
INITIAL_ADMIN_PASSWORD=                      # empty = auto-generated
ENABLE_REGISTRATION=false                    # disable after setup
AUTH_COOKIE_SECURE=true                      # because reverse proxy with HTTPS
AUTH_COOKIE_SAMESITE=lax
AUTH_COOKIE_MAX_AGE=2592000                  # 30 days

# --- App ---
APP_NAME=PDNS Manager
DEFAULT_LANGUAGE=en
LOG_LEVEL=info
LOG_FORMAT=text
ALLOWED_ORIGINS=
DOCS_ENABLED=false

# --- Webhooks ---
WEBHOOK_ALLOW_PRIVATE_URLS=false