Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.dbdock.xyz/llms.txt

Use this file to discover all available pages before exploring further.

DBdock can be configured via dbdock.config.json, environment variables, or a mix of both. Secrets always live in environment variables — never in the config file.
Security-first. Passwords, API keys, webhooks, and encryption secrets must be set via environment variables. The config file is designed to be committed to your repository; the .env file is designed not to be.

Config file structure

dbdock.config.json has four top-level sections: 
{
  "database":  { /* connection details (no password) */ },
  "storage":   { /* storage provider config */ },
  "backup":    { /* format, compression, encryption, retention */ },
  "alerts":    { /* email & slack notifications */ }
}

Database

Set DBDOCK_DB_URL or DATABASE_URL to a full PostgreSQL URL. When present, it overrides anything in dbdock.config.json. 
DBDOCK_DB_URL=postgresql://user:password@host:5432/database
# or
DATABASE_URL=postgresql://user:password@host:5432/database

Option 2 — Config file with password in env

{
  "database": {
    "type": "postgres",
    "host": "localhost",
    "port": 5432,
    "username": "postgres",
    "database": "myapp"
  }
}
Password comes from DBDOCK_DB_PASSWORD.

Option 3 — .pgpass

For host-level credential isolation, use PostgreSQL’s .pgpass file: 
touch ~/.pgpass
chmod 600 ~/.pgpass
echo "localhost:5432:myapp:postgres:my-secure-password" >> ~/.pgpass
DBdock uses .pgpass automatically when present.

Storage

Pick one provider. Each has its own dedicated page with setup instructions:

Local

Filesystem storage for single-server setups.

AWS S3

S3 or any S3-compatible service.

Cloudflare R2

Zero-egress object storage.

Cloudinary

Media platform with generous free tier.

Backup

{
  "backup": {
    "format": "custom",
    "compression": {
      "enabled": true,
      "level": 6
    },
    "encryption": {
      "enabled": true
    },
    "retention": {
      "enabled": true,
      "maxBackups": 100,
      "maxAgeDays": 30,
      "minBackups": 5,
      "runAfterBackup": true
    }
  }
}
FieldTypeDefaultDescription
format'custom' | 'plain' | 'directory' | 'tar''custom'PostgreSQL backup format
compression.enabledbooleantrueApply zstd compression
compression.level0–116zstd compression level
encryption.enabledbooleantrueAES-256-GCM encryption
retention.enabledbooleantrueEnable automatic cleanup
retention.maxBackupsnumber100Cap total backup count
retention.maxAgeDaysnumber30Delete backups older than N days
retention.minBackupsnumber5Never delete below this count
retention.runAfterBackupbooleantrueRun cleanup after each backup
Encryption key is read from DBDOCK_ENCRYPTION_SECRET. Generate a key: 
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

Alerts

See the dedicated alert pages for setup:

Email

SMTP via Gmail, SendGrid, SES, Mailgun, or any provider.

Slack

Incoming webhooks.

Environment variables reference

DBdock reads from both .env and .env.local. .env.local takes priority.

Database

VariableDescription
DBDOCK_DB_URLFull PostgreSQL URL
DATABASE_URLSame as DBDOCK_DB_URL (alternative name)
DBDOCK_DB_PASSWORDPassword (when not using URL form)
DB_HOSTDatabase host
DB_PORTDatabase port
DB_USERDatabase user
DB_NAMEDatabase name

Storage

VariableDescription
STORAGE_PROVIDERlocal | s3 | r2 | cloudinary
STORAGE_BUCKETBucket/container name
STORAGE_LOCAL_PATHPath for local storage
DBDOCK_STORAGE_ACCESS_KEYS3/R2 access key
DBDOCK_STORAGE_SECRET_KEYS3/R2 secret key
DBDOCK_CLOUDINARY_API_KEYCloudinary API key
DBDOCK_CLOUDINARY_API_SECRETCloudinary API secret

Encryption

VariableDescription
DBDOCK_ENCRYPTION_SECRET64-char hex key
ENCRYPTION_ENABLEDtrue | false
ENCRYPTION_ITERATIONSPBKDF2 iterations (default 100000)

Alerts

VariableDescription
DBDOCK_SMTP_USERSMTP username
DBDOCK_SMTP_PASSSMTP password
DBDOCK_SLACK_WEBHOOKSlack incoming webhook URL
DBDOCK_CUSTOM_WEBHOOKCustom HTTP webhook URL

Runtime

VariableDescription
DBDOCK_CONFIG_PATHPath to dbdock.config.json (default: ./dbdock.config.json)
DBDOCK_STRICT_MODEtrue to refuse any secret read from the config file

Strict mode

Set DBDOCK_STRICT_MODE=true to enforce environment-only secrets. DBdock will refuse to load any configuration where a secret appears in the config file, preventing accidental commits. Recommended for CI and production.

Config migration

If you have secrets in dbdock.config.json from an older version: 
npx dbdock migrate-config
DBdock moves them to .env, cleans up the config file, and updates .gitignore. See migrate-config.