JournivJourniv
Configurations

Environment Variables

Complete reference of all environment variables available in Journiv.

Journiv uses environment variables for all configuration. This reference covers every available option.

Required Variables

These variables must be set for Journiv to run:

VariableDescriptionExample
SECRET_KEYSecret key for JWT token signing (minimum 32 characters)openssl rand -base64 32
DOMAIN_NAMEYour server IP address or domain name (supports ports and wildcards)192.168.1.1:8668, journiv.ts.net, or *.ts.net

Database Configuration

VariableDefaultDescription
DATABASE_URLsqlite:///./journiv.dbDatabase connection string
POSTGRES_HOST-PostgreSQL host (if not using DATABASE_URL)
POSTGRES_USER-PostgreSQL user
POSTGRES_PASSWORD-PostgreSQL password
POSTGRES_DB-PostgreSQL database name
POSTGRES_PORT5432PostgreSQL port

Database URL Formats:

  • SQLite: sqlite:///./journiv.db or sqlite:////absolute/path/to/journiv.db
  • PostgreSQL: postgresql://user:password@host:5432/journiv

Application Settings

VariableDefaultDescription
ENVIRONMENTdevelopmentEnvironment mode (development, production). In development, host validation is disabled (*).
DEBUGfalseEnable debug mode (shows detailed error pages)
LOG_LEVELINFOLogging level (DEBUG, INFO, WARNING, ERROR)
DOMAIN_SCHEMEhttpDomain scheme (http, https)
API_V1_PREFIX/api/v1API prefix (usually don't change)

Storage Configuration

Journiv uses /data as the default data directory (Docker) or the application directory (manual installation).

VariableDefaultDescription
MEDIA_ROOT/data/mediaDirectory for uploaded media files (images, attachments)
LOG_DIR/data/logsDirectory for application logs
EXPORT_DIR/data/exportsDirectory for exported data files
IMPORT_DIR/data/importsDirectory for imported data files
MAX_FILE_SIZE_MB50Maximum file upload size in MB
IMPORT_EXPORT_MAX_FILE_SIZE_MB500Maximum import/export file size in MB

Note: The SQLite database file (journiv.db) is stored at /data/journiv.db in Docker installations. For PostgreSQL, the database is managed separately.

Docker Volume Mounts

When using Docker, mount the /data directory to persist data:

Named volume (recommended):

-v app_data:/data

Bind mount (for easy file access):

-v /path/to/local/data:/data

Note: When using bind mounts, ensure permissions are set correctly. The container runs as a non-root user (UID 1000), so the mounted directory should be writable by that user.

Security Settings

VariableDefaultDescription
DISABLE_SIGNUPfalseDisable new user registration (blocks both email/password and OIDC signups, except first user bootstrap and existing users linking accounts)
ACCESS_TOKEN_EXPIRE_MINUTES15Access token expiry in minutes
REFRESH_TOKEN_EXPIRE_DAYS7Refresh token expiry in days
ADMIN_USER-Admin user email (for admin exports)
PASSWORD_MIN_LENGTH8Minimum password length

CORS Configuration

VariableDefaultDescription
ENABLE_CORSfalseEnable CORS (required for web app from different domain)
CORS_ORIGINSComma-separated list of allowed origins. Also expands the trusted host list for the application.http://host.vh.ts.net:8668,http://192.168.1.50:8668
CORS_CREDENTIALStrueAllow credentials in CORS requests

Example:

ENABLE_CORS=true
CORS_ORIGINS=https://journiv.example.com,https://app.journiv.example.com

OIDC/SSO Configuration

VariableDefaultDescription
OIDC_ENABLEDfalseEnable OIDC authentication
OIDC_ISSUER-OIDC provider issuer URL (e.g., https://keycloak.example.com/realms/journiv)
OIDC_CLIENT_ID-OIDC client ID
OIDC_CLIENT_SECRET-OIDC client secret
OIDC_REDIRECT_URI-OIDC redirect URI (usually https://your-domain.com/api/v1/auth/oidc/callback)
OIDC_SCOPESopenid email profileOIDC scopes (space-separated)
OIDC_AUTO_PROVISIONtrueAuto-create accounts on first OIDC login
REDIS_URL-Redis URL for OIDC state storage (required for OIDC)

Note: REDIS_URL is required when OIDC is enabled. Redis is used to store OIDC state during the authentication flow.

For complete OIDC setup instructions, including provider-specific configuration (Keycloak, Authentik, Authelia), see the OIDC/SSO Authentication guide.

Hostname & Domain Validation

Journiv uses the DOMAIN_NAME and CORS_ORIGINS to validate incoming requests and prevent HTTP Host header attacks.

Wildcard Support

If you want to support multiple subdomains or any address in your network (e.g., Tailscale), you can use a wildcard:

DOMAIN_NAME=*.ts.net

Important: If using a wildcard for DOMAIN_NAME, you must explicitly set OIDC_REDIRECT_URI to a concrete address (e.g., https://host.vh.ts.net:8668/api/v1/auth/oidc/callback) if OIDC is enabled.

Multiple Specific Hosts

To allow access via multiple specific hostnames (e.g., MagicDNS and a local IP), use CORS_ORIGINS:

ENABLE_CORS=true
CORS_ORIGINS=http://host.vh.ts.net:8668,http://192.168.1.50:8668

When ENABLE_CORS is active, Journiv automatically extracts hostnames from all origins in CORS_ORIGINS and adds them to its trusted hosts list.

Port Support

You can include the public port in DOMAIN_NAME (e.g., DOMAIN_NAME=host.vh.ts.net:8668). Journiv correctly handles this for both hostname validation and absolute URL generation.

Rate Limiting

VariableDefaultDescription
RATE_LIMIT_ENABLEDtrueEnable rate limiting
RATE_LIMIT_PER_MINUTE60Requests per minute per IP

External API Configuration

Weather Service (OpenWeather)

VariableDefaultDescription
OPEN_WEATHER_API_KEY_25-OpenWeather API 2.5 key for current weather data
OPEN_WEATHER_API_KEY_30-OpenWeather API 3.0 key for historical weather data (optional)

Weather Service Configuration:

  • Weather features are optional - if neither API key is configured, weather features will be disabled
  • Get your free API key at: https://openweathermap.org/api
  • When configured, users can fetch weather data for locations in their journal entries

API Key Options:

  • Only OPEN_WEATHER_API_KEY_25: Enables current weather for new entries (historical weather unavailable)
  • Only OPEN_WEATHER_API_KEY_30: Enables both current and historical weather (uses 3.0 API for all requests)
  • Both keys configured: Optimal setup - uses 2.5 API for current weather (more efficient) and 3.0 API for historical weather
  • Note: You can set the same API key for both 2.5 and 3.0 if you want to use the same API key for both.

Note: OpenWeather 3.0 API (Time Machine) is required to fetch weather for past entries. The free tier includes limited historical weather calls. For more details, see the Weather & Location guide.

Example Configurations

Minimal (SQLite)

SECRET_KEY=your-secret-key-here
DOMAIN_NAME=192.168.1.1

Production (PostgreSQL)

SECRET_KEY=your-secret-key-here
DOMAIN_NAME=journiv.example.com
DATABASE_URL=postgresql://journiv:password@localhost:5432/journiv
ENVIRONMENT=production
LOG_LEVEL=INFO
DEBUG=false
MAX_FILE_SIZE_MB=100
DISABLE_SIGNUP=false
OPEN_WEATHER_API_KEY_25=your-openweather-2-5-api-key-here
OPEN_WEATHER_API_KEY_30=your-openweather-3-0-api-key-here

Production with OIDC

SECRET_KEY=your-secret-key-here
DOMAIN_NAME=journiv.example.com
DATABASE_URL=postgresql://journiv:password@localhost:5432/journiv
ENVIRONMENT=production
LOG_LEVEL=INFO
DEBUG=false
OIDC_ENABLED=true
OIDC_ISSUER=https://keycloak.example.com/realms/journiv
OIDC_CLIENT_ID=journiv-client
OIDC_CLIENT_SECRET=your-client-secret
OIDC_REDIRECT_URI=https://journiv.example.com/api/v1/auth/oidc/callback
REDIS_URL=redis://redis:6379/0
DISABLE_SIGNUP=true

For complete OIDC setup instructions, see the OIDC/SSO Authentication guide.

Development

SECRET_KEY=dev-secret-key-change-in-production
DOMAIN_NAME=localhost
ENVIRONMENT=development
LOG_LEVEL=DEBUG
DEBUG=true

Environment Variable Priority

Environment variables are read in this order (later overrides earlier):

  1. System environment variables
  2. .env file (for manual installation)
  3. Docker Compose environment section
  4. Docker Compose env_file

Security Best Practices

  1. Never commit .env files - Add to .gitignore
  2. Use strong SECRET_KEY - Generate with openssl rand -base64 32
  3. Rotate secrets regularly - Especially in production
  4. Use different keys per environment - Don't reuse dev keys in production
  5. Store secrets securely - Use secret management tools in production
  6. Limit CORS origins - Only allow trusted domains
  7. Disable signups - Set DISABLE_SIGNUP=true to require admin-created accounts only (blocks OIDC auto-provisioning too)

Troubleshooting

Variable not taking effect

  • Check spelling (case-sensitive)
  • Restart container/service after changes
  • Verify variable is set: docker compose exec journiv env | grep VARIABLE_NAME

Database connection issues

  • Verify DATABASE_URL format is correct
  • Check PostgreSQL is accessible
  • Verify credentials are correct

Configuration

Configure your Journiv instance for optimal performance and security.

Database Setup

Configure SQLite or PostgreSQL for your Journiv instance.

On this page

Required VariablesDatabase ConfigurationApplication SettingsStorage ConfigurationDocker Volume MountsSecurity SettingsCORS ConfigurationOIDC/SSO ConfigurationHostname & Domain ValidationWildcard SupportMultiple Specific HostsPort SupportRate LimitingExternal API ConfigurationWeather Service (OpenWeather)Example ConfigurationsMinimal (SQLite)Production (PostgreSQL)Production with OIDCDevelopmentEnvironment Variable PrioritySecurity Best PracticesTroubleshootingVariable not taking effectDatabase connection issues