romm/env.template at master · TechnicallyComputers/romm · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
ROMM_BASE_PATH=/path/to/romm_mock
ROMM_TMP_PATH=
KIOSK_MODE=false

# Netplay SFU (reverse-proxied by the RomM container)
# Preferred: SFU_HOST / SFU_PORT
# Backwards-compatible: EMULATORJS_SFU_HOST / EMULATORJS_SFU_PORT
SFU_HOST=localhost
SFU_PORT=3001

# EmulatorJS bundle: EJS_SFU_NETPLAY_ENABLED=false → OG EmulatorJS (cdn.emulatorjs.org, supports P2P netplay when config emulatorjs.netplay.enabled=true);
# EJS_SFU_NETPLAY_ENABLED=true → EmulatorJS-SFU (jsDelivr, SFU-based netplay). Overrides config.yml emulatorjs.netplay.ejs_sfu_enabled.
# EJS_SFU_NETPLAY_ENABLED=

# IGDB credentials
IGDB_CLIENT_ID=
IGDB_CLIENT_SECRET=

# Mobygames
MOBYGAMES_API_KEY=

# Screenscraper
SCREENSCRAPER_USER=
SCREENSCRAPER_PASSWORD=

# SteamGridDB
STEAMGRIDDB_API_KEY=

# RetroAchievements
RETROACHIEVEMENTS_API_KEY=

# Playmatch
PLAYMATCH_API_ENABLED=

# LaunchBox
LAUNCHBOX_API_ENABLED=

# Hasheous
HASHEOUS_API_ENABLED=

# Flashpoint Project
FLASHPOINT_API_ENABLED=

# HowLongToBeat
HLTB_API_ENABLED=

# TheGamesDB
TGDB_API_ENABLED=

# Database config
ROMM_DB_DRIVER=mariadb
DB_HOST=127.0.0.1
DB_PORT=3306
DB_NAME=romm
DB_USER=romm
DB_PASSWD=
DB_ROOT_PASSWD=

# Redis / Valkey config (used by RomM backend + workers)
#
# Netplay/SFU deployments no longer require SFU nodes to connect to Redis/Valkey.
# SFU nodes call RomM internal HTTP APIs for token verification and room metadata.
#
# If REDIS_HOST is empty and you're running the all-in-one container image, RomM
# starts an internal Valkey bound to 127.0.0.1 in protected mode and sets
# REDIS_PASSWORD to ROMM_AUTH_SECRET_KEY automatically.
REDIS_HOST=127.0.0.1
REDIS_PORT=6379
REDIS_USERNAME=
REDIS_PASSWORD=
REDIS_DB=0
REDIS_SSL=false

# Internal Valkey (only when running the all-in-one RomM container)
#
# By default, if REDIS_HOST is empty, the container starts an internal Valkey
# bound to 127.0.0.1 (loopback-only) in protected mode.
#
# To allow other containers (like EmulatorJS-SFU) to connect to RomM's internal
# Valkey over the Docker network, opt-in to exposing it AND enable ACL.
ROMM_INTERNAL_VALKEY_EXPOSE=false
ROMM_INTERNAL_VALKEY_ENABLE_ACL=
# Optional overrides
ROMM_INTERNAL_VALKEY_BIND=
ROMM_INTERNAL_VALKEY_PROTECTED_MODE=
ROMM_INTERNAL_VALKEY_DATA_DIR=/redis-data
ROMM_INTERNAL_VALKEY_ACL_FILE=

# ACL passwords (recommended for Netplay/SFU)
# - VALKEY_SFU_PASSWORD is the password for the SFU Redis user (usually `sfu`) and must be set.
# - VALKEY_ROMM_PASSWORD is optional. If omitted, RomM's internal Valkey ACL generation will
#   fall back to `ROMM_AUTH_SECRET_KEY` as the `romm` user's password.
#
# Security note: using the same value for JWT signing and Redis auth couples trust domains.
# For best security, use a dedicated Redis password and set it via REDIS_PASSWORD/VALKEY_ROMM_PASSWORD.
VALKEY_ROMM_PASSWORD=
VALKEY_SFU_PASSWORD=

# Authentik
POSTGRES_DB=authentik
POSTGRES_USER=authentik
POSTGRES_PASSWORD=authentik
AUTHENTIK_SECRET_KEY=
AUTHENTIK_BOOTSTRAP_PASSWORD=

# Authentication
ROMM_AUTH_SECRET_KEY=

# SFU internal API auth (recommended)
# Dedicated shared secret used by SFU nodes to call RomM internal SFU endpoints.
ROMM_SFU_INTERNAL_SECRET=
# Disable auth on download endpoint for 3rd party support
DISABLE_DOWNLOAD_ENDPOINT_AUTH=
# Disable CSRF protection for development and testing purposes
DISABLE_CSRF_PROTECTION=
# Disable username + passsword login when using OIDC login
DISABLE_USERPASS_LOGIN=
DISABLE_SETUP_WIZARD=
INVITE_TOKEN_EXPIRY_SECONDS=600

# OpenID Connect (Authentik, Authelia, etc.)
OIDC_ENABLED=
OIDC_AUTOLOGIN=
OIDC_PROVIDER=
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=
OIDC_REDIRECT_URI=
OIDC_SERVER_APPLICATION_URL=
OIDC_SERVER_METADATA_URL=
OIDC_CLAIM_ROLES=
OIDC_ROLE_VIEWER=
OIDC_ROLE_EDITOR=
OIDC_ROLE_ADMIN=
OIDC_TLS_CACERTFILE=
OIDC_USERNAME_ATTRIBUTE=preferred_username
OIDC_RP_INITIATED_LOGOUT=
OIDC_END_SESSION_ENDPOINT=

# Filesystem watcher (optional)
ENABLE_RESCAN_ON_FILESYSTEM_CHANGE=true
RESCAN_ON_FILESYSTEM_CHANGE_DELAY=5

# Tasks (optional)
TASK_TIMEOUT=300
TASK_RESULT_TTL=86400
SEVEN_ZIP_TIMEOUT=60
ENABLE_SCHEDULED_RESCAN=true
SCHEDULED_RESCAN_CRON=0 3 * * *
ENABLE_SCHEDULED_UPDATE_SWITCH_TITLEDB=true
SCHEDULED_UPDATE_SWITCH_TITLEDB_CRON=0 4 * * *
ENABLE_SCHEDULED_UPDATE_LAUNCHBOX_METADATA=true
SCHEDULED_UPDATE_LAUNCHBOX_METADATA_CRON=0 4 * * *
ENABLE_SCHEDULED_CONVERT_IMAGES_TO_WEBP=true
SCHEDULED_CONVERT_IMAGES_TO_WEBP_CRON=0 4 * * *
ENABLE_SCHEDULED_RETROACHIEVEMENTS_PROGRESS_SYNC=true
SCHEDULED_RETROACHIEVEMENTS_PROGRESS_SYNC_CRON=0 4 * * *
REFRESH_RETROACHIEVEMENTS_CACHE_DAYS=30

# In-browser emulation
DISABLE_EMULATOR_JS=false
DISABLE_RUFFLE_RS=false

# YouTube alternatives (Piped, Invidious, etc.)
YOUTUBE_BASE_URL=https://www.youtube.com

# Switch Tinfoil
TINFOIL_WELCOME_MESSAGE="RomM Switch Library"

# Logging
LOGLEVEL=DEBUG
FORCE_COLOR=
NO_COLOR=

# Web server (optional)
# Workers -> (2 × CPU cores) + 1
WEB_SERVER_CONCURRENCY=2
WEB_SERVER_TIMEOUT=300
WEB_SERVER_KEEPALIVE=2
WEB_SERVER_MAX_REQUESTS=1000
WEB_SERVER_MAX_REQUESTS_JITTER=100
WEB_SERVER_WORKER_CONNECTIONS=1000
WEB_SERVER_GUNICORN_WAIT_SECONDS=30
IPV4_ONLY=false

# Redis Workers
SCAN_TIMEOUT=
SCAN_WORKERS=

# Development only
DEV_MODE=true
DEV_HOST=127.0.0.1
DEV_PORT=5000
DEV_HTTPS=false
DEV_SQL_ECHO=false
SENTRY_DSN=