ServerBee Docs

ServerBee uses Figment for configuration loading, which supports layered configuration from multiple sources. This page provides a complete reference for every configuration option.

Configuration Loading Priority

Configuration values are merged in the following order. Later sources override earlier ones:

TOML file (system): /etc/serverbee/server.toml or /etc/serverbee/agent.toml
TOML file (local): server.toml or agent.toml in the working directory
Runtime environment variables: Prefixed with SERVERBEE_, using __ (double underscore) as the nested key separator

Environment Variable Mapping

Every TOML runtime configuration key maps directly to an environment variable. Replace dots with __ and prefix with SERVERBEE_:

Developer Workflow Env Vars

These variables are for local repo tooling and developer workflows. They are not Figment-backed runtime config for the ServerBee server or agent binaries.

Environment Variable	Used By	Description
`SERVERBEE_PROD_URL`	`make db-pull`, `make web-dev-prod`	Production base URL used by the database pull script and the frontend prod-proxy workflow
`SERVERBEE_PROD_API_KEY`	`make db-pull`	Admin-scoped API key for the production backup API. Do not reuse this for `make web-dev-prod`
`SERVERBEE_PROD_READONLY_API_KEY`	`make web-dev-prod`	Member-scoped API key injected by the frontend dev proxy for live production browsing
`ALLOW_WRITES`	`make web-dev-prod`	Local opt-in override. Set to `1` to disable the proxy's read-method-only block. When set, the UI banner changes from the normal read-only warning to a stronger write-enabled warning

These variables are intentionally scoped to local tooling. ALLOW_WRITES is not a server feature flag, it is an explicit local override for the frontend prod-proxy workflow only.

There is no admin username/password environment variable. On first start (when no users exist) the server auto-creates an admin account with a randomly generated password and prints it once to the server/container logs as a highlighted credentials banner. Capture it from the logs, then on first login you are required to change this password and may optionally choose a different username.

Environment Variable	Default	Description
`SERVERBEE_SERVER__LISTEN`	`0.0.0.0:9527`	Listen address and port

Common

Environment Variable	Default	Description
`SERVERBEE_SERVER__DATA_DIR`	`./data`	Data directory for database and backups
`SERVERBEE_AUTH__MAX_SERVERS`	`0`	Maximum servers allowed via enrollment (0 = no limit). Best-effort soft cap
`SERVERBEE_SERVER__TRUSTED_PROXIES`	private/loopback CIDRs	CIDR list of trusted reverse proxies. Defaults to RFC 1918 + loopback. Set to `[]` to disable
`SERVERBEE_SCHEDULER__TIMEZONE`	`UTC`	Timezone for daily traffic aggregation (e.g. `Asia/Shanghai`)
`SERVERBEE_FEATURE__CUSTOM_THEMES`	`true`	Set `feature.custom_themes` to false to disable user-defined themes. Custom refs are read-coerced to `preset:default`
`SERVERBEE_LOG__LEVEL`	`info`	Log level: `trace`, `debug`, `info`, `warn`, `error`
`SERVERBEE_LOG__FILE`	`""`	Log file path. Empty means stdout only

OAuth (Optional)

Environment Variable	Default	Description
`SERVERBEE_OAUTH__BASE_URL`	`""`	Public server URL for constructing OAuth callback URLs
`SERVERBEE_OAUTH__ALLOW_REGISTRATION`	`false`	Auto-create user accounts on first OAuth login
`SERVERBEE_OAUTH__GITHUB__CLIENT_ID`	--	GitHub OAuth App client ID
`SERVERBEE_OAUTH__GITHUB__CLIENT_SECRET`	--	GitHub OAuth App client secret
`SERVERBEE_OAUTH__GOOGLE__CLIENT_ID`	--	Google OAuth client ID
`SERVERBEE_OAUTH__GOOGLE__CLIENT_SECRET`	--	Google OAuth client secret
`SERVERBEE_OAUTH__OIDC__ISSUER_URL`	--	OIDC provider issuer URL
`SERVERBEE_OAUTH__OIDC__CLIENT_ID`	--	OIDC client ID
`SERVERBEE_OAUTH__OIDC__CLIENT_SECRET`	--	OIDC client secret
`SERVERBEE_OAUTH__OIDC__SCOPES`	`["openid", "email", "profile"]`	OAuth scopes to request

GeoIP (Optional)

Environment Variable	Default	Description
`SERVERBEE_GEOIP__MMDB_PATH`	`""`	Path to a MaxMind-compatible MMDB file. Non-empty path enables this custom GeoIP database; otherwise admins can download the DB-IP Lite database from Settings → GeoIP Database

Resend (Email Notifications)

Environment Variable	Default	Description
`SERVERBEE_RESEND__API_KEY`	`""`	Resend API key. Required for Email notifications. Sender domain must be verified at resend.com/domains

Data Retention (Tuning)

Environment Variable	Default	Description
`SERVERBEE_RETENTION__RECORDS_DAYS`	`7`	Raw metric records retention in days
`SERVERBEE_RETENTION__RECORDS_HOURLY_DAYS`	`90`	Hourly aggregated records retention in days
`SERVERBEE_RETENTION__GPU_RECORDS_DAYS`	`7`	GPU metric records retention in days
`SERVERBEE_RETENTION__PING_RECORDS_DAYS`	`7`	Ping probe records retention in days
`SERVERBEE_RETENTION__NETWORK_PROBE_DAYS`	`7`	Raw network probe records retention in days
`SERVERBEE_RETENTION__NETWORK_PROBE_HOURLY_DAYS`	`90`	Hourly network probe aggregates retention in days
`SERVERBEE_RETENTION__AUDIT_LOGS_DAYS`	`180`	Audit log retention in days
`SERVERBEE_RETENTION__TRAFFIC_HOURLY_DAYS`	`7`	Traffic hourly records retention in days
`SERVERBEE_RETENTION__TRAFFIC_DAILY_DAYS`	`400`	Traffic daily records retention in days
`SERVERBEE_RETENTION__TASK_RESULTS_DAYS`	`7`	Task results retention in days
`SERVERBEE_RETENTION__DOCKER_EVENTS_DAYS`	`7`	Docker event records retention in days
`SERVERBEE_RETENTION__SERVICE_MONITOR_DAYS`	`30`	Service monitor records retention in days

Mobile (Optional)

Environment Variable	Default	Description
`SERVERBEE_MOBILE__ACCESS_TTL`	`900`	Mobile access token lifetime in seconds (15 min)
`SERVERBEE_MOBILE__REFRESH_TTL`	`2592000`	Mobile refresh token lifetime in seconds (30 days)

Internal

The following variables have sensible defaults and rarely need modification. Only adjust when you have a specific requirement.

Environment Variable	Default	Description
`SERVERBEE_DATABASE__PATH`	`serverbee.db`	SQLite database file path (relative to data_dir)
`SERVERBEE_DATABASE__MAX_CONNECTIONS`	`10`	Maximum database connection pool size
`SERVERBEE_AUTH__SESSION_TTL`	`86400`	Session token TTL in seconds (default 24h)
`SERVERBEE_AUTH__SECURE_COOKIE`	`true`	Set the Secure flag on session cookies. Use `false` only when the browser accesses ServerBee over plain HTTP, such as direct IP quick-start installs
`SERVERBEE_RATE_LIMIT__LOGIN_MAX`	`5`	Max login attempts per IP within 15-minute window
`SERVERBEE_RATE_LIMIT__REGISTER_MAX`	`3`	Max agent registrations per IP within 15-minute window
`SERVERBEE_UPGRADE__RELEASE_BASE_URL`	`https://github.com/ZingerLittleBee/ServerBee/releases`	Base URL for agent upgrade release assets
`SERVERBEE_UPGRADE__LATEST_VERSION_URL`	`""`	Optional custom URL for latest version API. If empty, uses GitHub API
`SERVERBEE_FILE__MAX_UPLOAD_SIZE`	`104857600`	Maximum file upload size in bytes (default 100 MB)

Agent Environment Variables

Agent top-level keys use single underscore. Nested keys use __ (double underscore).

Quick Start

Environment Variable	Default	Description
`SERVERBEE_SERVER_URL`	-- (required)	Server HTTP base URL (e.g. `http://your-server:9527`). Agent appends API paths automatically
`SERVERBEE_ENROLLMENT_CODE`	`""`	One-time enrollment code minted by an admin in Settings. Single-use and short-lived (default 10 min). Only used when token is empty

Common

Environment Variable	Default	Description
`SERVERBEE_COLLECTOR__INTERVAL`	`3`	Metric report interval in seconds
`SERVERBEE_COLLECTOR__ENABLE_GPU`	`false`	Enable NVIDIA GPU monitoring (requires nvml)
`SERVERBEE_COLLECTOR__ENABLE_TEMPERATURE`	`true`	Enable CPU temperature monitoring
`SERVERBEE_FILE__ENABLED`	`false`	Enable file management on this agent
`SERVERBEE_FILE__ROOT_PATHS`	`[]`	Allowed root paths (comma-separated, e.g. `/home,/var/log`). Empty rejects all file operations
`SERVERBEE_IP_CHANGE__ENABLED`	`true`	Enable periodic IP change detection
`SERVERBEE_IP_CHANGE__CHECK_EXTERNAL_IP`	`false`	Also query an external URL to detect public/NAT IP changes
`SERVERBEE_LOG__LEVEL`	`info`	Log level: `trace`, `debug`, `info`, `warn`, `error`
`SERVERBEE_LOG__FILE`	`""`	Log file path. Empty means stdout only

Internal

The following variables have sensible defaults and rarely need modification. Only adjust when you have a specific requirement.

Environment Variable	Default	Description
`SERVERBEE_TOKEN`	auto-populated	Agent auth token. Auto-populated after registration, do not set manually
`SERVERBEE_FILE__MAX_FILE_SIZE`	`1073741824`	Max file size in bytes for read/download (default 1GB)
`SERVERBEE_FILE__DENY_PATTERNS`	`.key,.pem,...`	Glob patterns for files the agent refuses to access
`SERVERBEE_IP_CHANGE__EXTERNAL_IP_URL`	`https://api.ipify.org`	URL that returns the agent's external IP as plain text
`SERVERBEE_IP_CHANGE__INTERVAL_SECS`	`300`	IP check interval in seconds (default 5 minutes)

Upgrade (Agent)

Environment Variable	Default	Description
`SERVERBEE_UPGRADE__RELEASE_REPO_URL`	`https://github.com/ZingerLittleBee/ServerBee/releases`	Pinned release source base URL the Agent downloads upgrades from. Any HTTPS host mirroring the GitHub releases path layout `{base}/download/v{version}/{asset}` and `{base}/download/v{version}/checksums.txt` works. Compile-time default is overridable via the `SERVERBEE_RELEASE_REPO` build-time env
`SERVERBEE_UPGRADE__RELEASE_CERT_SPKI_SHA256`	`""`	Optional TLS certificate SPKI pin for the release host. 64 lowercase hex chars = SHA-256 of the leaf cert SubjectPublicKeyInfo DER. Empty = disabled. If set, the Agent additionally pins the leaf cert SPKI after standard chain validation. Invalid (non-64/non-hex) values are rejected at startup

Server Configuration (server.toml)

`[server]` -- Core Server Settings

Key	Type	Default	Description
`listen`	string	`"0.0.0.0:9527"`	IP address and port the server listens on
`data_dir`	string	`"./data"`	Directory for database files and other persistent data
`trusted_proxies`	string[]	private/loopback CIDRs	CIDR ranges of trusted reverse proxies. Defaults to RFC 1918 + loopback ranges. Set to `[]` to disable X-Forwarded-For extraction

`[database]` -- Database Settings

Key	Type	Default	Description
`path`	string	`"serverbee.db"`	Database filename (relative to `data_dir`)
`max_connections`	u32	`10`	Maximum number of connections in the SQLite pool

`[auth]` -- Authentication Settings

Key	Type	Default	Description
`session_ttl`	i64	`86400`	Session cookie lifetime in seconds (24 hours)
`max_servers`	u32	`0`	Maximum servers allowed via enrollment (0 = no limit). Best-effort soft cap
`secure_cookie`	bool	`true`	Set the `Secure` flag on session cookies. Use `false` only when the browser accesses ServerBee over plain HTTP

`[retention]` -- Data Retention

Key	Type	Default	Description
`records_days`	u32	`7`	Days to keep raw metric records
`records_hourly_days`	u32	`90`	Days to keep hourly aggregated records
`gpu_records_days`	u32	`7`	Days to keep per-GPU metric records
`ping_records_days`	u32	`7`	Days to keep ping probe records
`network_probe_days`	u32	`7`	Days to keep raw network probe records
`network_probe_hourly_days`	u32	`90`	Days to keep hourly aggregated network probe records
`audit_logs_days`	u32	`180`	Days to keep audit log entries
`traffic_hourly_days`	u32	`7`	Days to keep hourly traffic records
`traffic_daily_days`	u32	`400`	Days to keep daily traffic records
`task_results_days`	u32	`7`	Days to keep task execution results
`docker_events_days`	u32	`7`	Days to keep Docker event records
`service_monitor_days`	u32	`30`	Days to keep service monitor check records

Raw metric records are collected every 60 seconds and retained for 7 days by default. The hourly aggregator computes averages so you can keep long-term trends for 90 days without excessive storage. Adjust these values based on your disk space and monitoring needs.

`[scheduler]` -- Scheduler

Key	Type	Default	Description
`timezone`	string	`"UTC"`	Timezone for daily traffic aggregation and billing cycle computation. Use IANA timezone names (e.g. `Asia/Shanghai`, `US/Eastern`)

`[feature]` -- Feature Flags

Key	Type	Default	Description
`custom_themes`	bool	`true`	Disable user-defined themes when false. Custom refs are read-coerced to `preset:default`

`[rate_limit]` -- Rate Limiting

Key	Type	Default	Description
`login_max`	u32	`5`	Maximum login attempts per rate-limit window
`register_max`	u32	`3`	Maximum agent registration attempts per rate-limit window

`[log]` -- Logging

Key	Type	Default	Description
`level`	string	`"info"`	Log verbosity: `trace`, `debug`, `info`, `warn`, `error`
`file`	string	`""`	Path to log file. If empty, logs go to stdout only

The log level can also be set via the RUST_LOG environment variable, which takes precedence.

`[geoip]` -- GeoIP Lookup

Key	Type	Default	Description
`mmdb_path`	string	`""`	Path to a MaxMind-compatible MMDB file. Non-empty path enables this custom GeoIP database; if empty, the UI can download DB-IP Lite into the server data directory

`[resend]` -- Email Notifications

Key	Type	Default	Description
`api_key`	string	`""`	Resend API key (resend.com/api-keys). Required to use the Email notification channel. The `from` address on each email channel must belong to a domain verified at resend.com/domains

`[oauth]` -- OAuth / SSO

Key	Type	Default	Description
`base_url`	string	`""`	Public URL of your ServerBee instance (for callback URLs)
`allow_registration`	bool	`false`	Create new user accounts on first OAuth login

`[oauth.github]` -- GitHub OAuth

Key	Type	Default	Description
`client_id`	string	--	GitHub OAuth App client ID
`client_secret`	string	--	GitHub OAuth App client secret

`[oauth.google]` -- Google OAuth

Key	Type	Default	Description
`client_id`	string	--	Google OAuth client ID
`client_secret`	string	--	Google OAuth client secret

`[oauth.oidc]` -- OpenID Connect

Key	Type	Default	Description
`issuer_url`	string	--	OIDC issuer URL (e.g., `https://auth.example.com/realms/main`)
`client_id`	string	--	OIDC client ID
`client_secret`	string	--	OIDC client secret
`scopes`	string[]	`["openid", "email", "profile"]`	OAuth scopes to request

`[upgrade]` -- Agent Upgrade

Key	Type	Default	Description
`release_base_url`	string	`"https://github.com/ZingerLittleBee/ServerBee/releases"`	Base URL for agent upgrade release assets. The server appends `/download/v{version}/` to construct the asset download URL
`latest_version_url`	string	`""`	Optional custom URL for latest version API. If empty, the server queries GitHub API to determine the latest version. Use this to override with a custom version endpoint

`[file]` -- File Upload (Server-side)

Key	Type	Default	Description
`max_upload_size`	u64	`104857600`	Maximum file upload size in bytes (default 100 MB)

`[mobile]` -- Mobile Authentication

Key	Type	Default	Description
`access_ttl`	i64	`900`	Mobile access token lifetime in seconds (default 15 minutes)
`refresh_ttl`	i64	`2592000`	Mobile refresh token lifetime in seconds (default 30 days)

Agent Configuration (agent.toml)

Docker Agent: Mount the host's machine-id for correct fingerprint identification:
-v /etc/machine-id:/etc/machine-id:ro

Top-Level Options

Key	Type	Default	Description
`server_url`	string	required	URL of the ServerBee server (e.g., `http://10.0.0.1:9527`)
`token`	string	`""`	Agent authentication token (auto-populated after registration)
`enrollment_code`	string	`""`	One-time enrollment code from server Settings (used only when `token` is empty; consumed on first successful registration)

`[collector]` -- Metric Collection

Key	Type	Default	Description
`interval`	u32	`3`	Collection interval in seconds
`enable_gpu`	bool	`false`	Enable NVIDIA GPU monitoring (requires `nvidia-smi`)
`enable_temperature`	bool	`true`	Enable CPU temperature sensor monitoring

`[file]` -- File Management

Key	Type	Default	Description
`enabled`	bool	`false`	Enable file management capability. The server must also enable `CAP_FILE` for the agent
`root_paths`	string[]	`[]`	Restrict browsing to these directories. Empty array rejects all file operations
`max_file_size`	u64	`1073741824`	Maximum file size (bytes) for read and download operations (default 1 GB)
`deny_patterns`	string[]	`[".key", ".pem", "id_rsa", ".env", "shadow", "passwd"]`	Glob patterns for files the agent will refuse to access

`[ip_change]` -- IP Change Detection

Key	Type	Default	Description
`enabled`	bool	`true`	Enable periodic IP change detection. Agent enumerates NIC addresses and reports changes
`check_external_ip`	bool	`false`	Also query an external URL to detect public/NAT IP changes
`external_ip_url`	string	`"https://api.ipify.org"`	URL that returns the agent's external IP as plain text (used when `check_external_ip` is true)
`interval_secs`	u64	`300`	IP check interval in seconds (default 5 minutes)

`[log]` -- Logging

Key	Type	Default	Description
`level`	string	`"info"`	Log verbosity: `trace`, `debug`, `info`, `warn`, `error`
`file`	string	`""`	Path to log file. If empty, logs go to stdout only

`[upgrade]` -- Upgrade Source (Agent)

The agent downloads upgrades from a locally-pinned release source rather than trusting a URL from the server.

Key	Type	Default	Description
`release_repo_url`	string	`"https://github.com/ZingerLittleBee/ServerBee/releases"`	Base URL for agent upgrade release assets. Must replicate the GitHub releases directory layout: `{base}/download/v{version}/{asset}` for binaries and `{base}/download/v{version}/checksums.txt` for checksum verification. The compile-time default is overridable via the `SERVERBEE_RELEASE_REPO` build-time env var
`release_cert_spki_sha256`	string	`""`	Optional TLS SPKI pin for the release host. Set to 64 lowercase hex characters (SHA-256 of the leaf certificate's SubjectPublicKeyInfo DER encoding). Empty disables pinning. If set, the agent additionally validates the leaf cert SPKI after standard chain validation. Invalid format (non-64-char or non-hex) is rejected at startup

Configuration precedence (highest wins):

--release-repo CLI flag
SERVERBEE_UPGRADE__RELEASE_REPO_URL environment variable
/etc/serverbee/agent.toml or agent.toml [upgrade] section
Compile-time default (official GitHub releases URL)

The dashboard "latest version" check uses the Server-configured release source (upgrade.release_base_url / upgrade.latest_version_url). Those are separate Server-side settings used only for the dashboard's "latest version" lookup, and are distinct from the Agent's [upgrade] release_repo_url, which governs what the Agent actually downloads. For consistent upgrade behavior, point both the Server and the Agent at the same release repository unless you intentionally want them to track different sources.

How to obtain the SPKI pin for a release host certificate:

openssl x509 -in cert.pem -pubkey -noout \
  | openssl pkey -pubin -outform der \
  | openssl dgst -sha256 -r | awk '{print $1}'

Example: Minimal Server Configuration

[server]
data_dir = "./data"

Everything else uses sensible defaults. On first startup, ServerBee creates the admin user with a random password and prints it once in the server logs.

Example: Production Server Configuration

[server]
listen = "127.0.0.1:9527"
data_dir = "/var/lib/serverbee"

[auth]
secure_cookie = true

[retention]
records_days = 14
records_hourly_days = 180

[geoip]
mmdb_path = "/var/lib/serverbee/GeoLite2-City.mmdb"

[log]
level = "info"
file = "/var/log/serverbee/server.log"

[oauth]
base_url = "https://monitor.example.com"
allow_registration = false

[oauth.github]
client_id = "Iv1.abc123"
client_secret = "secret123"

Example: Minimal Agent Configuration

server_url = "http://your-server-ip:9527"
enrollment_code = "<one-time code from Settings>"

Example: Production Agent Configuration

server_url = "https://monitor.example.com"
token = "previously-obtained-token"

[collector]
interval = 3
enable_gpu = true
enable_temperature = true

[file]
enabled = true
root_paths = ["/home", "/var/log", "/etc"]
max_file_size = 1073741824
deny_patterns = ["*.key", "*.pem", "id_rsa*", ".env*", "shadow", "passwd"]

[ip_change]
enabled = true
check_external_ip = false

[log]
level = "info"
file = "/var/log/serverbee/agent.log"

Configuration Reference

On this page