Docs / Configuration

Configuration

All configurable environment variables live in .env at the project root. Services load it automatically at startup via python-dotenv; Docker Compose reads it the same way.

Quick start

cp .env.example .env
# Edit .env and fill in any required values

Never commit .env. It's in .gitignore. Only commit .env.example with placeholder values.

Precedence

Each service's run.py calls load_dotenv() against the project-root .env before applying its config.yaml defaults. Highest priority first:

Shell environment (already-exported vars)
.env file (loaded by python-dotenv)
config.yaml defaults

n8n automation (port 5679)

Variable	Required	Default	Description
`WYLDE_N8N_EMAIL`	No	`admin@wylde.local`	n8n admin login email.
`WYLDE_N8N_PASSWORD`	Yes	—	n8n admin password.
`WYLDE_N8N_API_KEY`	No	—	API key (preferred over password auth when set).
`WYLDE_N8N_BASIC_AUTH_PASSWORD`	No	—	HTTP basic-auth password for the n8n reverse-proxy layer.
`WYLDE_N8N_URL`	No	`http://127.0.0.1:5678`	URL n8n is reachable on.

Device gate / Fletch web auth (port 7000)

Variable	Required	Default	Description
`WYLDE_FLETCH_USER`	No	`admin`	Username for the Fletch web basic-auth layer.
`WYLDE_FLETCH_PASS`	Yes	—	Password for the Fletch web basic-auth layer.

Graph (wylde-graph, ports 7474 / 7687)

Variable	Required	Default	Description
`GRAPH_USER`	No	`neo4j`	Database username.
`GRAPH_PASSWORD`	No	—	Database password (required if auth enabled).
`GRAPH_BOLT_URL`	No	`bolt://127.0.0.1:7687`	Bolt connection URL.

WireGuard VPN (wylde-vpn — optional)

Variable	Required	Default	Description
`VPN_ENDPOINT`	Yes if VPN enabled	—	VPN server `host:port`.
`VPN_PEER_PUBKEY`	Yes if VPN enabled	—	WireGuard public key of the VPN server.
`VPN_PRIVATE_KEY`	No	auto-generated	WireGuard private key for this device.
`VPN_TUNNEL_ADDR`	No	`10.8.0.2/24`	Tunnel IP address for this device.
`VPN_DNS`	No	`1.1.1.1`	DNS server inside the VPN tunnel.
`VPN_ALLOWED_IPS`	No	`0.0.0.0/0, ::/0`	IP ranges routed through the VPN.

HashiCorp Vault (security-api, optional)

Only needed when SECRETS_PROVIDER=vault.

Variable	Required	Default	Description
`SECRETS_PROVIDER`	No	`file`	Backend: `file` or `vault`.
`VAULT_ADDR`	When vault	—	Vault server URL.
`VAULT_TOKEN`	When vault	—	Vault authentication token.
`VAULT_MOUNT_PATH`	No	`secret`	Vault KV mount path.
`VAULT_SECRET_PATH`	No	`app/prod`	Path within the mount for app secrets.
`VAULT_TIMEOUT`	No	`30`	Vault request timeout (seconds).
`VAULT_SSL_VERIFY`	No	`true`	Verify Vault TLS certificate.

Ollama (shared)

Variable	Required	Default	Description
`OLLAMA_URL`	No	`http://127.0.0.1:11434`	Ollama API base URL.

RAG (wylde-rag, port 8008)

Variable	Required	Default	Description
`EMBED_MODEL`	No	`nomic-embed-text`	Ollama model used for embeddings.
`EMBED_DIM`	No	`768`	Embedding vector dimension.
`EMBED_BATCH_SIZE`	No	`32`	Documents per embedding batch.

Captioner (wylde-caption, port 8015)

Variable	Required	Default	Description
`CAPTION_BACKEND`	No	`florence`	Captioning backend: `florence` or `qwen`.
`CAPTION_DEVICE`	No	`cuda`	Inference device (`cuda`, `cpu`).
`CAPTION_DTYPE`	No	`float16`	Torch dtype (`float16`, `bfloat16`, `float32`).

Trainer (wylde-trainer, port 8013)

Variable	Required	Default	Description
`DATASETS_DIR`	No	service default	Path to training dataset storage.
`CHECKPOINT_DIR`	No	service default	Path to model checkpoint output.

Discovery

Variable	Required	Default	Description
`WYLDE_DISCOVERY`	No	`mdns`	Discovery backend: `mdns`, `consul`, or `both`.
`WYLDE_TRANSPORT`	No	`pipe`	Call transport: `pipe` (default) or `http`.
`CONSUL_HTTP_ADDR`	No	`http://127.0.0.1:8500`	Consul agent HTTP address (only when Consul is in use).
`CONSUL_ADVERTISE_ADDRESS`	No	`host.docker.internal`	Address advertised from inside Docker.

Logging

Variable	Required	Default	Description
`LOG_LEVEL`	No	`INFO`	Global log level (`DEBUG`, `INFO`, `WARNING`, `ERROR`).