Configuration
Configure authentication, Tailscale, Hub, MCP tokens, and system settings
Environment Variables
All configuration is via environment variables or database-backed settings. Copy .env.example to .env and adjust.
Core Settings
| Variable | Default | Description |
|---|---|---|
| PW_POSTGRES_PASSWORD | — | Database password (required) |
| PW_POSTGRES_HOST | pw-db | Database host |
| PW_POSTGRES_PORT | 5432 | Database port |
| PW_POSTGRES_DB | podwarden | Database name |
| PW_API_PORT | 8000 | API port |
| PW_UI_PORT | 3000 | UI port |
Tailscale
| Variable | Description |
|---|---|
| PW_TAILSCALE_API_KEY | Tailscale API key for device discovery |
| PW_TAILSCALE_TAILNET | Your tailnet name |
| PW_HOST_TAG_FILTER | Only show hosts with this Tailscale tag |
Configure via Settings → Tailscale in the dashboard or via environment variables. Discovery tags filter which devices appear in PodWarden.
Authentication
PodWarden supports three auth modes, listed below in order of priority:
OIDC (Recommended)
| Variable | Description |
|---|---|
| PW_OIDC_ISSUER_URL | OIDC provider URL (e.g. Keycloak realm) |
| PW_OIDC_CLIENT_ID | OAuth client ID |
| PW_OIDC_CLIENT_SECRET | OAuth client secret |
| PW_OIDC_REDIRECT_URI | Callback URL |
The frontend initiates the PKCE flow with your configured provider. After login, the provider returns an authorization code that is exchanged for access and refresh tokens. The access token is sent as a Bearer token on API requests.
Any OpenID Connect provider works: Keycloak, Google, GitHub, Authentik, etc.
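The PKCE exchange described above, worked through in Python as an added example (this is not PodWarden's frontend code). It assumes the authorization and token endpoints have already been read from the provider's `/.well-known/openid-configuration` document, and the function names, the `state` handling and the scope string are the example's own choices. The `code_challenge` test value is the RFC 7636 Appendix B vector.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes: int = 32) -> str:
    """Random verifier: 32 bytes encode to 43 unreserved characters, the RFC minimum."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorization_endpoint: str, client_id: str, redirect_uri: str,
                            state: str, verifier: str, scope: str = "openid profile email") -> str:
    """Step 1: the frontend sends the user to the provider with the challenge, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,           # PW_OIDC_CLIENT_ID
        "redirect_uri": redirect_uri,     # PW_OIDC_REDIRECT_URI
        "scope": scope,
        "state": state,                   # random per-login value, checked on callback
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return authorization_endpoint + "?" + urlencode(params)


def check_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: validate the returned state and extract the authorization code."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def token_request_form(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Step 3: body of the POST to the token endpoint; the verifier proves the same client started the flow."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def bearer_header(access_token: str) -> dict:
    """Step 4: the access token goes on every API request as a Bearer token."""
    return {"Authorization": "Bearer " + access_token}


if __name__ == "__main__":
    # Constructed values; a real frontend takes these from the PW_OIDC_* settings.
    verifier = new_code_verifier()
    state = b64url(secrets.token_bytes(16))
    print(build_authorization_url("https://idp.example.com/auth", "podwarden-ui",
                                  "https://podwarden.example.com/callback", state, verifier))
```

Keeping the verifier in memory on the client and sending only its SHA-256 challenge means an intercepted authorization code cannot be redeemed without it, which is the whole point of PKCE for a browser-based client.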
Temporary Admin
| Variable | Description |
|---|---|
| PW_TEMP_ADMIN_USERNAME | Temporary admin username |
| PW_TEMP_ADMIN_PASSWORD | Temporary admin password |
Useful for initial setup. Creates a temporary admin account that bypasses OIDC. Remove these variables after creating permanent OIDC or local user accounts.
Local Users
Managed via Settings → Users. Create accounts with email, password, and role. No external identity provider required.
Roles:
- admin — Full access to all resources, settings, user management, secrets, token creation
- operator — Manage hosts, clusters, workloads, deployments, storage
- viewer — Read-only access to all resources
Registry
| Variable | Default | Description |
|---|---|---|
| PW_DEFAULT_REGISTRY | — | Default container registry URL |
| PW_DEFAULT_IMAGE_TAG | latest | Default image tag for deployments |
Set fleet-wide defaults for container image registry and tag. Individual stacks can override these.
SSH / Provisioning
| Variable | Description |
|---|---|
| PW_SSH_KEY_PATH | Path to SSH private key for host provisioning |
| PW_SSH_USER | SSH user for provisioning (default: root) |
PodWarden uses SSH to provision hosts via Ansible — installing Docker, k3s-agent, and GPU drivers. Generate SSH key pairs from Settings → Secrets → Generate SSH Key Pair or provide your own.
PodWarden Hub
| Variable | Description |
|---|---|
| PODWARDEN_HUB_URL | Hub URL (default: https://apps.podwarden.com) |
| PODWARDEN_HUB_API_KEY | Hub API key (starts with pwc_) |
Connect your PodWarden instance to PodWarden Hub for catalog access. See Connecting to Hub.
Database-Backed Settings
Some settings are stored in the database and configurable via the Settings page. These override environment variables when set.
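As an added illustration of the precedence just stated (a database-backed setting when set, otherwise the environment variable, otherwise the default from the Core Settings table), here is a small Python resolver. It is not PodWarden's own code: the minimal `.env` parser, the `ConfigError` class and the port range check are assumptions for the example, and the defaults are the ones in the table above.

```python
import re

# Defaults taken from the Core Settings table; PW_POSTGRES_PASSWORD has no default (required).
CORE_DEFAULTS = {
    "PW_POSTGRES_PASSWORD": None,
    "PW_POSTGRES_HOST": "pw-db",
    "PW_POSTGRES_PORT": "5432",
    "PW_POSTGRES_DB": "podwarden",
    "PW_API_PORT": "8000",
    "PW_UI_PORT": "3000",
}
REQUIRED = {"PW_POSTGRES_PASSWORD"}
PORT_SETTINGS = ("PW_POSTGRES_PORT", "PW_API_PORT", "PW_UI_PORT")


class ConfigError(ValueError):
    """Raised when the merged configuration is unusable."""


def parse_env_file(text: str) -> dict:
    """Minimal .env parser (assumed format): KEY=VALUE lines, '#' comments, optional quotes."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        if re.fullmatch(r"[A-Z_][A-Z0-9_]*", key):
            result[key] = value
    return result


def resolve(name: str, db_settings: dict, env: dict, defaults: dict = CORE_DEFAULTS):
    """Precedence: database-backed setting (if set) > environment variable > default."""
    db_value = db_settings.get(name)
    if db_value not in (None, ""):
        return str(db_value)
    env_value = env.get(name)
    if env_value not in (None, ""):
        return str(env_value)
    return defaults.get(name)


def load_core_config(db_settings: dict, env: dict) -> dict:
    """Merge all core settings, failing closed on missing required values or bad ports."""
    cfg = {}
    for name in CORE_DEFAULTS:
        value = resolve(name, db_settings, env)
        if value is None and name in REQUIRED:
            raise ConfigError(f"{name} is required but not set")
        cfg[name] = value
    for port in PORT_SETTINGS:
        if not (cfg[port].isdigit() and 1 <= int(cfg[port]) <= 65535):
            raise ConfigError(f"{port} must be a TCP port number, got {cfg[port]!r}")
    return cfg


if __name__ == "__main__":
    # Constructed .env content and a constructed database override.
    env = parse_env_file("PW_POSTGRES_PASSWORD='example-only'\nPW_API_PORT=8080\n")
    print(load_core_config({"PW_POSTGRES_HOST": "db.internal"}, env))
```

Empty strings are treated as unset at every layer, so an accidentally blank override in the database does not silently blank out a value the environment provides.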
SMTP
Configure email notifications under Settings → System Config → SMTP:
| Field | Description |
|---|---|
| Host | SMTP server hostname |
| Port | SMTP server port (587 for TLS) |
| Username | SMTP auth username |
| Password | SMTP auth password |
| From Address | Sender email address |
| TLS | Enable STARTTLS |
Click Test Email to send a test message and verify your configuration.
OIDC
Override OIDC environment variables from the UI under Settings → System Config → OIDC:
| Field | Description |
|---|---|
| Issuer URL | OIDC provider URL |
| Client ID | OAuth client ID |
| Client Secret | OAuth client secret |
| Redirect URI | Callback URL |
Click Test OIDC to verify the discovery endpoint responds correctly.
Hub Settings
Configure the PodWarden Hub connection under Settings → Hub:
| Field | Description |
|---|---|
| Hub URL | https://apps.podwarden.com |
| API Key | Your organization's Hub API key (pwc_...) |
Click Test Connection to verify the API key is valid and Hub is reachable. See Connecting to Hub for the full setup guide.
Tailscale Settings
Configure host discovery under Settings → Tailscale:
| Field | Description |
|---|---|
| API Key | Tailscale API key |
| Tailnet | Your tailnet name |
| Discovery Tags | Filter hosts by Tailscale tags |
The API key and tailnet are stored as encrypted app secrets.
Registry Settings
Configure fleet-wide defaults under Settings → Registry:
| Field | Description |
|---|---|
| Default Registry URL | Default container registry for all workloads |
| Default Image Tag | Default tag (e.g. latest, stable) |
MCP Tokens
Machine-readable API tokens for automation and integrations. Create and manage tokens under Settings → MCP Tokens.
Creating a Token
- Go to Settings → MCP Tokens
- Click Create Token
- Set a Name (descriptive label, e.g. "CI/CD Pipeline")
- Choose a Role — determines API access level:
  - admin — Full access to all resources
  - operator — Manage hosts, clusters, workloads, deployments, storage
  - viewer — Read-only access
- Set Expiry — 1 to 365 days, or no expiry
- Copy the token immediately — it starts with pwm_ and is shown only once
Using a Token
Include the token as a Bearer token in API requests:
```bash
curl -H "Authorization: Bearer pwm_a1b2c3d4e5f6..." \
  https://podwarden.example.com/api/v1/hosts
```
Token Management
- Revoke — Immediately invalidate a token
- Reissue — Generate a new key while keeping the same name and role
- Audit Log — Every API request made with the token is logged with method, path, and status code
View audit logs per token or across all tokens under Settings → MCP Tokens → Audit.
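An added example of what to do with those audit logs: a small Python review over per-request records that summarizes each token's activity and flags the two patterns worth a look, a token that keeps receiving 401 (expired or revoked but still wired into some script) and a token that repeatedly receives 403 (a caller trying operations beyond its role). This is not PodWarden code and the record shape is constructed: the page only states that method, path and status code are logged, so the `token` and `role` fields and the sample entries are assumptions.

```python
from collections import Counter, defaultdict

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample audit records (not real PodWarden log output).
SAMPLE_AUDIT = [
    {"token": "CI/CD Pipeline", "role": "operator", "method": "POST", "path": "/api/v1/deployments", "status": 201},
    {"token": "CI/CD Pipeline", "role": "operator", "method": "GET", "path": "/api/v1/hosts", "status": 200},
    {"token": "Monitoring", "role": "viewer", "method": "GET", "path": "/api/v1/clusters", "status": 200},
    {"token": "Monitoring", "role": "viewer", "method": "POST", "path": "/api/v1/workloads", "status": 403},
    {"token": "Monitoring", "role": "viewer", "method": "DELETE", "path": "/api/v1/hosts/3", "status": 403},
    {"token": "Old Script", "role": "admin", "method": "GET", "path": "/api/v1/hosts", "status": 401},
]


def summarize_by_token(entries):
    """Per-token counts of requests, write requests and status codes."""
    summary = defaultdict(lambda: {"requests": 0, "writes": 0, "status": Counter()})
    for e in entries:
        s = summary[e["token"]]
        s["requests"] += 1
        if e["method"].upper() in WRITE_METHODS:
            s["writes"] += 1
        s["status"][e["status"]] += 1
    return dict(summary)


def find_review_items(entries, forbidden_threshold=2):
    """Return (token, reason) pairs for tokens whose usage should be reviewed."""
    findings = []
    for token, s in summarize_by_token(entries).items():
        unauth = s["status"][401]
        if unauth:
            findings.append((token, f"{unauth} unauthenticated responses: token expired or revoked but still in use; fix or remove the caller"))
        forbidden = s["status"][403]
        if forbidden >= forbidden_threshold:
            findings.append((token, f"{forbidden} forbidden responses: caller attempting operations beyond its role"))
    # A viewer token that succeeds on a write would indicate a role enforcement problem, not a caller problem.
    for e in entries:
        if e.get("role") == "viewer" and e["method"].upper() in WRITE_METHODS and e["status"] < 400:
            findings.append((e["token"], f"viewer token succeeded on {e['method']} {e['path']}"))
    return sorted(findings)


if __name__ == "__main__":
    for token, reason in find_review_items(SAMPLE_AUDIT):
        print(f"{token}: {reason}")
```

Run it against an export of the audit view and the output is a short list of tokens to revoke or reissue, which is the action the Token Management section above provides.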
Use Cases
- CI/CD pipelines — Record deployments via POST /api/v1/deployments
- Monitoring — Read cluster status and workload health
- Automation scripts — Create/manage workloads programmatically
- MCP (Model Context Protocol) — Allow AI agents to interact with your fleet
Secrets
PodWarden provides encrypted secret storage. Manage secrets under Settings → Secrets.
Creating Secrets
- Go to Settings → Secrets
- Click Create Secret
- Enter a Key (unique identifier) and Value
- Save — the value is encrypted at rest
Secrets can be referenced by stacks via secret_refs and are injected as environment variables at deploy time.
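An added Python sketch of the deploy-time step described above, to show what a safe resolver of secret references looks like: it fails closed when a referenced secret does not exist, refuses malformed environment variable names, and never puts secret values into log output. This is not PodWarden's implementation; the page does not document the shape of `secret_refs`, so the mapping of environment variable name to secret key used here, the in-memory store and the placeholder values are all assumptions.

```python
import re

ENV_NAME = re.compile(r"[A-Z_][A-Z0-9_]*")


class MissingSecret(KeyError):
    """A stack references a secret key that does not exist in the store."""


# Constructed store: keys are the Key field from Settings → Secrets; values are placeholders
# standing in for what the encrypted store would return after decryption at deploy time.
SECRET_STORE = {
    "db-password": "PLACEHOLDER_DB_PASSWORD",
    "registry-token": "PLACEHOLDER_REGISTRY_TOKEN",
}

# Assumed secret_refs shape: environment variable name -> secret key.
STACK_SECRET_REFS = {
    "POSTGRES_PASSWORD": "db-password",
    "REGISTRY_TOKEN": "registry-token",
}


def resolve_secret_refs(secret_refs: dict, store: dict, base_env: dict = None) -> dict:
    """Build the environment for a deployment: base variables plus one per secret reference."""
    bad_names = [n for n in secret_refs if not ENV_NAME.fullmatch(n)]
    if bad_names:
        raise ValueError(f"invalid environment variable names in secret_refs: {bad_names}")
    # Check every reference before injecting anything, so a deployment never starts half-configured.
    missing = sorted(k for k in secret_refs.values() if k not in store)
    if missing:
        raise MissingSecret(f"referenced secrets not found: {missing}")
    env = dict(base_env or {})
    for env_name, key in secret_refs.items():
        env[env_name] = store[key]
    return env


def redact_for_log(env: dict, secret_refs: dict) -> dict:
    """Copy of the environment with secret-backed variables masked, for logs and UIs."""
    return {k: ("***" if k in secret_refs else v) for k, v in env.items()}


if __name__ == "__main__":
    env = resolve_secret_refs(STACK_SECRET_REFS, SECRET_STORE, {"APP_ENV": "prod"})
    print(redact_for_log(env, STACK_SECRET_REFS))
```

Only the key names (the identifiers chosen under Settings → Secrets) appear in error messages, so a failed deploy can be diagnosed without the values leaking into CI output.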
SSH Key Pairs
PodWarden can generate ed25519 SSH key pairs for host provisioning:
- Go to Settings → Secrets
- Click Generate SSH Key Pair
- Enter a name for the key pair
- PodWarden generates the keys and stores both the private and public key as secrets
View which key pairs are in use by provisioned hosts under SSH Key Pairs in Use.