All variables
| Variable | Required | Default | Description |
|---|---|---|---|
| REDIS_URL | Yes | — | Redis connection string, e.g. redis://localhost:6379. The server will not start without it. |
| PARMANA_API_KEY | Recommended | "" | Bearer token for API authentication. If empty, all requests are accepted without authentication; never leave it empty on a listener reachable from another host. |
| AUDIT_DATABASE_URL | Recommended | "" | PostgreSQL connection string. If empty, audit records are not stored. |
| PARMANA_SIGNING_PROVIDER | Yes | — | Signing key source: "env" or "disk". |
| PARMANA_SIGNING_PRIVATE_KEY | Conditional | — | PEM-encoded Ed25519 private key (PKCS#8, "BEGIN PRIVATE KEY"). Required when PARMANA_SIGNING_PROVIDER=env. |
| PARMANA_SIGNING_PUBLIC_KEY | Conditional | — | PEM-encoded Ed25519 public key (SPKI, "BEGIN PUBLIC KEY"). Required when PARMANA_SIGNING_PROVIDER=env. |
| PARMANA_SIGNING_PRIVATE_KEY_PATH | Conditional | — | Path to the PEM private key file. Required when PARMANA_SIGNING_PROVIDER=disk. |
| PARMANA_SIGNING_PUBLIC_KEY_PATH | Conditional | — | Path to the PEM public key file. Required when PARMANA_SIGNING_PROVIDER=disk. |
| PORT | No | 3000 | Server listen port. |
| HOST | No | 0.0.0.0 | Server bind address. Use 127.0.0.1 in production when Nginx on the same host terminates TLS and proxies to the server. Inside a container keep 0.0.0.0 (a container-local loopback is unreachable from the proxy) and limit exposure through the port mapping instead. |
| CORS_ORIGIN | No | http://localhost:8081 | Allowed CORS origin for browser requests. Set it to the exact scheme, host and port of the front end; the default only suits local development. |
| PARMANA_POLICIES_ROOT | No | /app/policies | Directory path for compiled policy bundles. |
| PARMANA_TRUST_ROOT | No | /app/trust/trust-root.json | Path to trust root metadata JSON. |
| PARMANA_TRUST_PUBLIC_KEY | No | /app/trust/root.pub | Path to the trust root PEM public key. |
| PARMANA_RELEASE_MANIFEST | No | /app/artifacts/release-manifest.json | Path to release manifest JSON. |
| PARMANA_RELEASE_SIGNATURE | No | /app/artifacts/release-manifest.sig | Path to the release manifest Ed25519 signature. |
Signing key — Option A (env)
Set key material directly in the environment. Suitable when the platform injects secrets as environment variables at deploy time (for example from a secrets manager). Bear in mind that environment variables are visible to anything that can inspect the process (docker inspect, /proc/<pid>/environ, crash reports), so prefer Option B where secrets are delivered as files.
PARMANA_SIGNING_PROVIDER=env
PARMANA_SIGNING_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIMqFRG...
-----END PRIVATE KEY-----"
PARMANA_SIGNING_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEA...
-----END PUBLIC KEY-----"
Never commit .env files containing private key material to version control. Use a secrets manager (AWS Secrets Manager, HashiCorp Vault) and inject the value at deploy time. Docker and Kubernetes secrets are mounted as files rather than environment variables, so they pair with Option B below.
Signing key — Option B (disk)
Load key files from the filesystem. Suitable when keys are delivered as files (Docker or Kubernetes secrets mounted under /run/secrets, or a secrets-manager agent writing to a tmpfs) or are protected by filesystem permissions.
PARMANA_SIGNING_PROVIDER=disk
PARMANA_SIGNING_PRIVATE_KEY_PATH=/secure/parmana/private.pem
PARMANA_SIGNING_PUBLIC_KEY_PATH=/secure/parmana/public.pem
Mount the key directory read-only in Docker, and keep the private key file owned by the service user with mode 0400 (or 0600) so no other user in the container can read it:
volumes:
- /path/to/keys:/secure/parmana:ro
Minimal working configuration
The minimum set required to start the server with full functionality (replace the placeholders; PARMANA_API_KEY should be a long random secret from a CSPRNG, not a memorable string):
REDIS_URL=redis://redis:6379
PARMANA_API_KEY=your-secret-key
AUDIT_DATABASE_URL=postgresql://Parmana:password@postgres:5432/Parmana_audit
PARMANA_SIGNING_PROVIDER=env
PARMANA_SIGNING_PRIVATE_KEY=<PEM private key>
PARMANA_SIGNING_PUBLIC_KEY=<PEM public key>
The remaining variables use defaults that work in the standard Docker setup.
Generating Ed25519 keys
# Generate a key pair (OpenSSL 1.1.1 or newer; earlier releases do not support Ed25519)
openssl genpkey -algorithm ed25519 -out private.pem
openssl pkey -in private.pem -pubout -out public.pem
# genpkey writes with the default umask; restrict the private key immediately
chmod 600 private.pem
Or using Node.js:
import crypto from "node:crypto";
import fs from "node:fs";
// PKCS#8 / SPKI PEM match the "BEGIN PRIVATE KEY" / "BEGIN PUBLIC KEY" blocks
// expected by PARMANA_SIGNING_PRIVATE_KEY and PARMANA_SIGNING_PUBLIC_KEY.
const { privateKey, publicKey } = crypto.generateKeyPairSync("ed25519", {
privateKeyEncoding: { type: "pkcs8", format: "pem" },
publicKeyEncoding: { type: "spki", format: "pem" },
});
// Create the private key file owner-only (0600); the default mode would
// typically leave it world-readable after umask.
fs.writeFileSync("private.pem", privateKey, { mode: 0o600 });
fs.writeFileSync("public.pem", publicKey);
Distribute public.pem to auditors and verifiers. Keep private.pem in a secrets manager.