Skip to content
paws

Configuration Reference

Both services are configured via environment variables. Set them in your shell, a .env file, or your Docker/Kubernetes manifests.

Control plane

Section titled “Control plane”

The control plane runs on any VPS. It serves the API, dashboard, and coordinates workers.

Core

Section titled “Core”
VariableDefaultDescription
PORT4000HTTP listen port
API_KEYpaws-dev-keyAPI key for authenticating requests
WORKER_URLStatic worker URL for dev/single-node (e.g., http://localhost:3000)
DASHBOARD_DIRPath to built dashboard assets (enables web UI)
DATA_DIR/var/lib/paws/dataPersistent data directory (daemon store)

OIDC authentication

Section titled “OIDC authentication”

Set all four to enable SSO login on the dashboard and API:

VariableDefaultDescription
OIDC_ISSUEROIDC issuer URL (e.g., https://fleet.example.com/dex)
OIDC_CLIENT_IDOIDC client ID
OIDC_CLIENT_SECRETOIDC client secret
AUTH_SECRETSecret for signing session cookies
OIDC_REDIRECT_URIhttp://localhost:{PORT}/auth/callbackOAuth callback URL
OIDC_AUTH_EXTERNAL_URLExternal-facing URL for auth redirects (if behind a proxy)

Autoscaler

Section titled “Autoscaler”
VariableDefaultDescription
AUTOSCALE_ENABLEDfalseEnable auto-scaling
AUTOSCALE_PROVIDERhetzner-cloudProvider for new workers (hetzner-cloud, aws-ec2)
AUTOSCALE_MIN_WORKERS1Minimum worker count
AUTOSCALE_MAX_WORKERS10Maximum worker count
AUTOSCALE_WORKER_PLANcx31Server type for new workers
AUTOSCALE_WORKER_REGIONfsn1Region for new workers
HCLOUD_TOKENHetzner Cloud API token (when provider is hetzner-cloud)
AWS_REGIONus-east-1AWS region (when provider is aws-ec2)
AWS_AMI_IDAMI ID for worker instances
AWS_ACCESS_KEY_IDAWS access key
AWS_SECRET_ACCESS_KEYAWS secret key

Worker

Section titled “Worker”

The worker runs on bare metal with /dev/kvm. It manages Firecracker VMs.

Core

Section titled “Core”
VariableDefaultDescription
PORT3000HTTP listen port
WORKER_NAMEworker-{pid}Unique name for this worker
MAX_CONCURRENT_VMS5Max concurrent VM sessions
MAX_QUEUE_SIZE10Max queued sessions
SNAPSHOT_DIR/var/lib/paws/snapshots/agent-latestDefault snapshot directory
SNAPSHOT_BASE_DIR/var/lib/paws/snapshotsBase directory for all snapshots
VM_BASE_DIR/var/lib/paws/vmsWorking directory for VM files
SSH_KEY_PATH/var/lib/paws/ssh/id_ed25519SSH private key for VM access

Call-home (control plane registration)

Section titled “Call-home (control plane registration)”
VariableDefaultDescription
GATEWAY_URLControl plane URL (e.g., https://fleet.example.com)
API_KEYAPI key to authenticate with control plane
WORKER_URLhttp://localhost:{PORT}URL the control plane should use to reach this worker

Snapshot sync (R2)

Section titled “Snapshot sync (R2)”
VariableDefaultDescription
SNAPSHOT_SYNC_ENABLEDfalseEnable snapshot sync from R2
R2_ENDPOINTCloudflare R2 endpoint URL
R2_ACCESS_KEY_IDR2 access key
R2_SECRET_ACCESS_KEYR2 secret key
R2_BUCKET_NAMER2 bucket name
SNAPSHOT_SYNC_INTERVAL_MS300000Sync poll interval in ms (default: 5 min)

Example .env file

Section titled “Example .env file”
Terminal window
# Control plane
PORT=4000
API_KEY=paws-your-secret-key
DASHBOARD_DIR=/opt/paws/dashboard/dist
DATA_DIR=/var/lib/paws/data


# OIDC (Dex)
OIDC_ISSUER=https://fleet.example.com/dex
OIDC_CLIENT_ID=paws
OIDC_CLIENT_SECRET=your-oidc-secret
AUTH_SECRET=your-session-secret
OIDC_REDIRECT_URI=https://fleet.example.com/auth/callback