
Environment Variables

Complete reference for all Struxa panel environment variables.

All variables live in /opt/struxa/.env.prod. The installer generates this file automatically. It is chmod 600 — keep it secret and never commit it.

Required Variables

| Variable | Description |
| --- | --- |
| DATABASE_URL | MySQL connection string. Format: mysql://user:pass@host:3306/db |
| BETTER_AUTH_SECRET | 32+ byte random hex string. Signs session tokens. Never reuse across environments. |
| BETTER_AUTH_URL | Full public URL of the panel, e.g. https://panel.example.com. Used for CSRF validation and cookie binding. |
| CORS_ORIGIN | Allowed CORS origin. Set to the same value as BETTER_AUTH_URL. |
| APP_URL | Base URL of the application. Same as BETTER_AUTH_URL. |
| JWT_PRIVATE_KEY | Base64-encoded RSA 2048-bit private key. Signs tokens issued to Wings. |
| JWT_PUBLIC_KEY | Base64-encoded RSA 2048-bit public key. Verified by Wings to authenticate the panel. |
| DATABASE_ENCRYPTION_KEY | 64-character hex string (32 bytes). Encrypts sensitive columns at rest. |

MySQL Variables

| Variable | Description |
| --- | --- |
| MYSQL_ROOT_PASSWORD | Root password for the MySQL container |
| MYSQL_DATABASE | Database name (default: struxa) |
| MYSQL_USER | Database user (default: struxa) |
| MYSQL_PASSWORD | Database user password |

Optional Variables

| Variable | Description |
| --- | --- |
| TURNSTILE_SECRET_KEY | Cloudflare Turnstile secret key. Enables CAPTCHA on login and register if set. |
| NODE_ENV | development or production. Always production in Docker. |
| SKIP_ENV_VALIDATION | Set to 1 to skip startup env validation (not recommended). |

Docker Compose Variables

| Variable | Description |
| --- | --- |
| GITHUB_REPOSITORY_OWNER | GitHub org name for the image registry. Default: struxadotcloud. |
| IMAGE_TAG | Docker image tag to pull. Default: latest. Pin to a release tag for stability. |

Regenerating Secrets

# New Better Auth secret
openssl rand -hex 32

# New database encryption key (64 hex chars)
openssl rand -hex 32

# New RSA key pair (private temp directory instead of fixed /tmp paths)
tmp=$(mktemp -d)
openssl genrsa -out "$tmp/priv.pem" 2048
openssl rsa -in "$tmp/priv.pem" -pubout -out "$tmp/pub.pem"
base64 -w0 < "$tmp/priv.pem"   # → JWT_PRIVATE_KEY
base64 -w0 < "$tmp/pub.pem"    # → JWT_PUBLIC_KEY
rm -r "$tmp"

Rotating DATABASE_ENCRYPTION_KEY without a migration will make all existing encrypted data unreadable. Only rotate it on a fresh install or with a dedicated migration script.
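
A check of the formats documented on this page, useful after editing or regenerating values and before restarting the panel. This is an added example, not Struxa's own validation code: it assumes plain KEY=VALUE lines in the file, the function names are illustrative, and it inspects PEM labels only, not the RSA key size.

```python
# Added example: assumes plain KEY=VALUE lines; all function names are illustrative.
import base64, os, re, stat
HEX = re.compile(r"[0-9a-fA-F]+")

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def pem_label(b64):
    """Return the PEM label inside a base64-wrapped PEM, or None."""
    try:
        pem = base64.b64decode(b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    m = re.match(r"-----BEGIN ([A-Z ]+)-----", pem)
    return m.group(1) if m else None

def check_env(env, mode=None):
    """Return a list of findings; empty means every documented rule holds."""
    out = []
    if mode is not None and stat.S_IMODE(mode) & 0o077:
        out.append("file mode: group/other access, expected chmod 600")
    secret = env.get("BETTER_AUTH_SECRET", "")
    if not HEX.fullmatch(secret) or len(secret) < 64:  # 32 bytes = 64 hex chars
        out.append("BETTER_AUTH_SECRET: need 32+ bytes of hex")
    dek = env.get("DATABASE_ENCRYPTION_KEY", "")
    if not HEX.fullmatch(dek) or len(dek) != 64:
        out.append("DATABASE_ENCRYPTION_KEY: need exactly 64 hex chars")
    base = env.get("BETTER_AUTH_URL", "")
    for name in ("CORS_ORIGIN", "APP_URL"):
        if not base or env.get(name) != base:
            out.append(f"{name}: must equal BETTER_AUTH_URL")
    for name, kind in (("JWT_PRIVATE_KEY", "PRIVATE KEY"), ("JWT_PUBLIC_KEY", "PUBLIC KEY")):
        label = pem_label(env.get(name, ""))
        if label is None or not label.endswith(kind):  # also catches swapped keys
            out.append(f"{name}: not a base64-encoded PEM {kind}")
    if env.get("SKIP_ENV_VALIDATION") == "1":
        out.append("SKIP_ENV_VALIDATION=1: startup validation is disabled")
    return out

def check_file(path="/opt/struxa/.env.prod"):
    with open(path) as f:
        return check_env(parse_env(f.read()), os.stat(path).st_mode)
```

Call check_file() as a user that can read the file; each returned string names the variable that breaks a documented rule, without echoing its value.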
