contento
contento
Self-hosting

Environment Variables

All environment variables required to run Contento.

Copy .env.example to .env and fill in the values below.

Required

VariableDescription
DATABASE_URLPostgreSQL connection string. postgresql://user:pass@host:5432/contento
NEXTAUTH_SECRETRandom secret for NextAuth session signing. openssl rand -base64 32
AUTHENTIK_ISSUERAuthentik OIDC issuer URL. e.g. https://auth.example.com/application/o/contento/
AUTHENTIK_CLIENT_IDOAuth2 client ID registered in Authentik.
AUTHENTIK_CLIENT_SECRETOAuth2 client secret from Authentik.
IMGPROXY_KEY64-char hex key for imgproxy HMAC signing.
IMGPROXY_SALT64-char hex salt for imgproxy HMAC signing.

Generate imgproxy key/salt:

xxd -g 2 -l 64 -p /dev/urandom | tr -d '\n'

Run twice — once for key, once for salt.

Optional / defaults

VariableDefaultDescription
NEXTAUTH_URLhttp://localhost:3000Public URL of the Contento app. Set to your domain in production.
PUBLIC_URLhttp://localhost:3000Used when constructing delivery URLs in the sign/read API.
MINIO_ENDPOINThttp://minio:9000Internal MinIO endpoint (used server-side).
MINIO_PUBLIC_ENDPOINThttp://localhost:9000Public MinIO endpoint (used in presigned URLs returned to clients).
MINIO_ROOT_USERminioadminMinIO root username.
MINIO_ROOT_PASSWORDchangeme_minioMinIO root password. Change in production.
IMGPROXY_ENDPOINThttp://imgproxy:8080Internal imgproxy endpoint.

Production checklist

  • MINIO_ROOT_PASSWORD is changed from the default
  • NEXTAUTH_SECRET is a fresh random value (not reused from dev)
  • NEXTAUTH_URL and PUBLIC_URL are set to your public domain
  • MINIO_PUBLIC_ENDPOINT points to a publicly reachable MinIO URL (or CDN in front of it)
  • IMGPROXY_KEY and IMGPROXY_SALT are secret and not committed to version control

Docker Compose

Run Contento locally or in production with Docker Compose.

Migrations

How database migrations work in Contento.

On this page

RequiredOptional / defaultsProduction checklist