Self-Hosting

Configuration

Complete reference for all environment variables and configuration options.

Server Settings

Core server configuration options.

Variable	Default	Description
`ENV`	`production`	Environment mode (development, staging, production)
`PORT`	`8080`	HTTP/WebSocket server port
`HOST`	`0.0.0.0`	Server host (0.0.0.0 = all interfaces)
`BASE_URL`*	`-`	Application base URL (e.g., https://kokomo.yourdomain.com)
`LOG_LEVEL`	`info`	Logging level (debug, info, warn, error)
`LOG_FILE`	`/var/log/kokomo/app.log`	Log file path
`LOG_JSON`	`true`	JSON format logging

Database (PostgreSQL)

PostgreSQL connection settings.

Variable	Default	Description
`DB_HOST`*	`localhost`	Database host (use 'postgres' for Docker)
`DB_PORT`	`5432`	Database port
`DB_USER`*	`kokomo`	Database username
`DB_PASSWORD`*	`-`	Database password
`DB_NAME`*	`kokomo`	Database name
`DB_SSLMODE`	`disable`	SSL mode (disable, require, verify-ca, verify-full)
`DB_MAX_CONNECTIONS`	`25`	Maximum connection pool size
`DB_MAX_IDLE_CONNECTIONS`	`5`	Maximum idle connections
`DB_MAX_LIFETIME_MINUTES`	`60`	Connection max lifetime

Connection URL format

# Can also use DATABASE_URL instead of individual vars
DATABASE_URL=postgres://kokomo:password@localhost:5432/kokomo?sslmode=disable

JWT Authentication

Token-based authentication settings.

Variable	Default	Description
`JWT_SECRET`*	`-`	Access token secret (min 32 chars)
`JWT_REFRESH_SECRET`*	`-`	Refresh token secret (different from JWT_SECRET)
`JWT_EXPIRATION_MINUTES`	`15`	Access token expiration (minutes)
`JWT_REFRESH_EXPIRATION_DAYS`	`7`	Refresh token expiration (days)

Generate JWT Secrets

# Generate 64-character hex secrets
openssl rand -hex 64

# Example output:
# a1b2c3d4e5f6...

File Storage

Configure local or S3-compatible storage.

Variable	Default	Description
`UPLOAD_DIR`	`/var/kokomo/uploads`	Upload directory path
`MAX_UPLOAD_SIZE_MB`	`50`	Max file upload size (MB)
`THUMBNAIL_DIR`	`thumbnails`	Thumbnail subdirectory
`ALLOWED_FILE_EXTENSIONS`	`jpg,jpeg,png,gif,pdf,doc,docx,mp4`	Allowed file extensions (comma-separated)

S3 Storage (Optional)

Variable	Default	Description
`USE_S3`	`false`	Enable S3 storage
`AWS_REGION`	`ap-northeast-2`	AWS region
`AWS_ACCESS_KEY_ID`	`-`	AWS access key
`AWS_SECRET_ACCESS_KEY`	`-`	AWS secret key
`S3_BUCKET`	`-`	S3 bucket name
`S3_ENDPOINT`	`-`	Custom endpoint (for MinIO, etc.)

Redis (Optional)

Caching and session storage settings.

Variable	Default	Description
`USE_REDIS`	`false`	Enable Redis caching
`REDIS_HOST`	`localhost`	Redis host (use 'redis' for Docker)
`REDIS_PORT`	`6379`	Redis port
`REDIS_PASSWORD`	`-`	Redis password (if set)
`REDIS_DB`	`0`	Redis database number

Redis URL format

# Can also use REDIS_URL
REDIS_URL=redis://localhost:6379
REDIS_URL=redis://:password@localhost:6379/0

CORS Settings

Cross-Origin Resource Sharing configuration.

Variable	Default	Description
`CORS_ALLOWED_ORIGINS`	`*`	Allowed origins (comma-separated, or * for all)
`CORS_ALLOWED_METHODS`	`GET,POST,PUT,DELETE,OPTIONS,PATCH`	Allowed HTTP methods
`CORS_ALLOWED_HEADERS`	`Origin,Content-Type,Accept,Authorization`	Allowed headers
`CORS_ALLOW_CREDENTIALS`	`true`	Allow credentials (cookies, auth headers)

Rate Limiting

DDoS protection and API rate limiting.

Variable	Default	Description
`RATE_LIMIT_ENABLED`	`true`	Enable rate limiting
`RATE_LIMIT_WINDOW_SECONDS`	`60`	Time window (seconds)
`RATE_LIMIT_MAX_REQUESTS`	`100`	Max requests per window

WebSocket

Real-time communication settings.

Variable	Default	Description
`WEBSOCKET_PATH`	`/ws`	WebSocket endpoint path
`WEBSOCKET_MAX_MESSAGE_SIZE`	`1048576`	Max message size (1MB)
`WEBSOCKET_READ_BUFFER_SIZE`	`1024`	Read buffer size
`WEBSOCKET_WRITE_BUFFER_SIZE`	`1024`	Write buffer size

Email (SMTP)

Configure email for invitations and notifications.

Variable	Default	Description
`SMTP_HOST`	`-`	SMTP server hostname
`SMTP_PORT`	`587`	SMTP port
`SMTP_USER`	`-`	SMTP username
`SMTP_PASSWORD`	`-`	SMTP password
`SMTP_FROM`	`-`	From address for emails

Example SMTP Configs

# Gmail
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USER=your-email@gmail.com
SMTP_PASSWORD=your-app-password

# AWS SES
SMTP_HOST=email-smtp.us-east-1.amazonaws.com
SMTP_PORT=587
SMTP_USER=your-ses-access-key
SMTP_PASSWORD=your-ses-secret-key

Security

Security and protection settings.

Variable	Default	Description
`FORCE_HTTPS`	`true`	Force HTTPS (recommended for production)
`TRUSTED_PROXIES`	`127.0.0.1,::1`	Trusted proxy IPs
`CSRF_ENABLED`	`true`	Enable CSRF protection
`CSRF_SECRET`	`-`	CSRF token secret

Monitoring

Health check and metrics endpoints.

Variable	Default	Description
`METRICS_ENABLED`	`true`	Enable Prometheus metrics
`METRICS_PATH`	`/metrics`	Metrics endpoint path
`HEALTH_CHECK_PATH`	`/health`	Health check endpoint

Complete Example

A production-ready configuration example.

.env

# ===================
# Kokomo Server Config
# ===================

# Server
ENV=production
PORT=8080
HOST=0.0.0.0
BASE_URL=https://kokomo.yourcompany.com

# Database (PostgreSQL)
DB_HOST=postgres
DB_PORT=5432
DB_USER=kokomo
DB_PASSWORD=your-secure-db-password-here
DB_NAME=kokomo
DB_SSLMODE=disable
DB_MAX_CONNECTIONS=25

# JWT Authentication
JWT_SECRET=your-64-character-random-hex-string-for-access-tokens
JWT_REFRESH_SECRET=another-64-character-random-hex-string-for-refresh
JWT_EXPIRATION_MINUTES=15
JWT_REFRESH_EXPIRATION_DAYS=7

# Redis
USE_REDIS=true
REDIS_HOST=redis
REDIS_PORT=6379

# File Storage
UPLOAD_DIR=/var/kokomo/uploads
MAX_UPLOAD_SIZE_MB=50
ALLOWED_FILE_EXTENSIONS=jpg,jpeg,png,gif,pdf,doc,docx,xls,xlsx,ppt,pptx,zip,mp4,mov

# CORS
CORS_ALLOWED_ORIGINS=https://kokomo.yourcompany.com,https://app.yourcompany.com

# Rate Limiting
RATE_LIMIT_ENABLED=true
RATE_LIMIT_WINDOW_SECONDS=60
RATE_LIMIT_MAX_REQUESTS=100

# Security
FORCE_HTTPS=true
CSRF_ENABLED=true
CSRF_SECRET=your-csrf-secret-here

# Email (optional)
SMTP_HOST=smtp.yourcompany.com
SMTP_PORT=587
SMTP_USER=kokomo@yourcompany.com
SMTP_PASSWORD=email-password
SMTP_FROM=Kokomo <kokomo@yourcompany.com>

# Logging
LOG_LEVEL=info
LOG_JSON=true

Installation Guide Database Setup