[ REFERENCE / CONFIG ]
Configuration
Everything is in .env (created from .env.example on install; all keys are
documented there). The defaults run a complete local stack. The knobs you'll
touch most:
| Variable | Default | What it does |
|---|---|---|
PREVIEW_DOMAIN | localhost | domain preview URLs hang off |
HTTP_PORT | 80 | host port Traefik listens on |
SANDBOXD_DATA_DIR | /var/lib/sandboxed | where workspaces + state live |
SANDBOXD_API_BIND | 127.0.0.1:9090 | where the control-plane API is published |
SANDBOXD_API_AUTH_DISABLED | true | open API for local use; set false + tokens for prod |
Notes
HTTP_PORT— set to e.g.8088if port 80 is taken; preview URLs then include it (http://s-<id>-<port>.preview.localhost:8088).SANDBOXD_API_TOKENS— with auth enabled, setname:secretand sendAuthorization: Bearer secreton every API call.- Production switches —
PREVIEW_DOMAIN,PREVIEW_ENTRYPOINT=websecure,PREVIEW_TLS=truefor a public HTTPS deployment; see Production / TLS. SANDBOXD_SET_MEMORY_HIGH— opt-in softer cgroupmemory.highthrottle per sandbox (needs host cgroup access); the hard--memoryceiling is always on.SANDBOXD_USERNS—--userns=hostis set on the infra containers (and, by default, on sandboxes) so workspace ownership is deterministic whether or not the host daemon uses userns-remap. SetSANDBOXD_USERNS=empty to opt sandboxes back into the daemon default.
Apply changes with docker compose up -d.