Configuration Reference

Configuration Reference

All configuration is via environment variables. Most settings can also be changed at runtime through the web UI (Settings page), in which case the DB-stored value takes precedence over the env var after the first change.

Core

Variable	Default	Description
SENTINEL_DOCKER_SOCK	/var/run/docker.sock	Path to the Docker socket
SENTINEL_DB_PATH	/data/sentinel.db	Path to the BoltDB database file
SENTINEL_LOG_JSON	true	Output logs as JSON. Set false for human-readable text
SENTINEL_DEFAULT_POLICY	manual	Default update policy for containers without a sentinel.policy label. One of: auto, manual, pinned
SENTINEL_LATEST_AUTO_UPDATE	false	Auto-update containers using :latest tag regardless of default policy
SENTINEL_IMAGE_CLEANUP	true	Remove old images after successful updates
SENTINEL_IMAGE_BACKUP	false	Tag old images before removal for rollback recovery
SENTINEL_SHOW_STOPPED	false	Include stopped containers in the dashboard
SENTINEL_REMOVE_VOLUMES	false	Remove anonymous volumes when replacing containers
SENTINEL_DEPS	true	Dependency-aware updates (respects container links and depends_on ordering)
SENTINEL_HOST	(auto-detected)	Docker host IP or hostname, used for port links in the dashboard

Polling and Scheduling

Variable	Default	Description
SENTINEL_POLL_INTERVAL	6h	How often to scan for updates (Go duration: 30m, 1h, 6h)
SENTINEL_GRACE_PERIOD	30s	Wait time after starting a new container before health-checking
SENTINEL_SCHEDULE	(empty)	Global cron expression for scan scheduling (overrides poll interval when set)
SENTINEL_MAINTENANCE_WINDOW	(empty)	Time-range expression restricting when auto-updates can run (e.g. 02:00-06:00)
SENTINEL_SCAN_CONCURRENCY	1	Number of parallel registry checks per scan cycle (max 50)
SENTINEL_ROLLBACK_POLICY	(empty)	Policy applied to a container after automatic rollback. One of: manual, pinned, or empty (keep current)

Web Dashboard

Variable	Default	Description
SENTINEL_WEB_ENABLED	true	Enable the web dashboard and REST API
SENTINEL_WEB_PORT	8080	Port for the web server

Authentication

Variable	Default	Description
SENTINEL_AUTH_ENABLED	(nil; DB default: true)	Enable authentication. When unset, uses the DB-stored value (true on fresh installs)
SENTINEL_SESSION_EXPIRY	720h (30 days)	Session cookie lifetime
SENTINEL_COOKIE_SECURE	true	Set the Secure flag on session cookies. Disable if not using HTTPS

TLS

Variable	Default	Description
SENTINEL_TLS_CERT	(empty)	Path to TLS certificate PEM file
SENTINEL_TLS_KEY	(empty)	Path to TLS private key PEM file
SENTINEL_TLS_AUTO	false	Auto-generate a self-signed TLS certificate on startup

Both SENTINEL_TLS_CERT and SENTINEL_TLS_KEY must be set together, or both left empty. SENTINEL_TLS_AUTO is an alternative that generates a self-signed certificate without needing files.

WebAuthn (Passkeys)

Variable	Default	Description
SENTINEL_WEBAUTHN_RPID	(empty)	Relying Party ID, typically the hostname (e.g. sentinel.example.com). Required to enable passkeys
SENTINEL_WEBAUTHN_DISPLAY_NAME	Docker-Sentinel	Display name shown by authenticators during registration
SENTINEL_WEBAUTHN_ORIGINS	(empty)	Comma-separated list of allowed origins (e.g. https://sentinel.example.com). Required when RPID is set

All three variables must be configured to enable passkey authentication. SENTINEL_WEBAUTHN_RPID and SENTINEL_WEBAUTHN_ORIGINS must both be set or both empty.

Notifications

Variable	Default	Description
SENTINEL_GOTIFY_URL	(empty)	Gotify server URL (e.g. https://gotify.example.com)
SENTINEL_GOTIFY_TOKEN	(empty)	Gotify application token
SENTINEL_WEBHOOK_URL	(empty)	Webhook endpoint URL for JSON POST notifications
SENTINEL_WEBHOOK_HEADERS	(empty)	Extra headers for webhook requests, comma-separated Key:Value pairs

Additional notification providers (Slack, Discord, Ntfy, Telegram, Pushover, Email, MQTT, Apprise) are configured through the web UI Settings page rather than environment variables.

Cluster Mode

Variable	Default	Description
SENTINEL_MODE	(empty)	Node role: server or agent. Empty defaults to standalone server
SENTINEL_CLUSTER	false	Enable the gRPC cluster listener (server mode)
SENTINEL_CLUSTER_PORT	9443	gRPC port for cluster communication
SENTINEL_CLUSTER_DIR	/data/cluster	Directory for CA and node certificates (auto-generated mTLS)
SENTINEL_SERVER_ADDR	(empty)	Server gRPC address for agent enrolment (e.g. server-host:9443)
SENTINEL_ENROLL_TOKEN	(empty)	One-time token for agent enrolment (generated by the server)
SENTINEL_HOST_NAME	(empty)	Human-readable label for this node in the cluster dashboard
SENTINEL_GRACE_PERIOD_OFFLINE	30m	Time before an agent switches to autonomous mode when the server is unreachable

Integrations

Variable	Default	Description
SENTINEL_PORTAINER_URL	(empty)	Portainer API URL (e.g. https://portainer.example.com:9443)
SENTINEL_PORTAINER_TOKEN	(empty)	Portainer API token for container metadata enrichment
SENTINEL_NPM_URL	(empty)	Nginx Proxy Manager API URL
SENTINEL_NPM_EMAIL	(empty)	NPM login email
SENTINEL_NPM_PASSWORD	(empty)	NPM login password

Lifecycle Hooks

Variable	Default	Description
SENTINEL_HOOKS	false	Enable lifecycle hooks (pre/post-update scripts)
SENTINEL_HOOKS_WRITE_LABELS	false	Allow hooks to write Docker labels on containers

Metrics

Variable	Default	Description
SENTINEL_METRICS	false	Enable the Prometheus metrics endpoint (/metrics)
SENTINEL_METRICS_TEXTFILE	(empty)	Path for node_exporter textfile collector output (writes .prom file instead of serving HTTP)

Duration Format

Environment variables accepting durations use Go's time.Duration syntax:

Suffix	Meaning	Example
s	Seconds	30s
m	Minutes	5m
h	Hours	6h

Combine as needed: 1h30m, 2h45m30s.

See Also

• Docker Labels for per-container configuration via labels
• Installation for deployment options
• Notifications for detailed notification provider setup