PasarGuard
Panel

Configuration

Configure PasarGuard Panel with environment variables and settings

Configuration Overview

PasarGuard Panel is configured through environment variables stored in the .env file located at /opt/pasarguard/.env.

Environment Variables

Admin Configuration

VariableTypeDefaultDescription
SUDO_USERNAMEstring-Superuser's username for initial admin account
SUDO_PASSWORDstring-Superuser's password for initial admin account

SUDO_USERNAME and SUDO_PASSWORD only work when DEBUG mode is enabled. For production, create the owner account from the dashboard setup form using pasarguard cli generate-temp-key.

Database Configuration

VariableTypeDefaultDescription
SQLALCHEMY_DATABASE_URLstring-Database connection string (SQLite, MySQL, MariaDB, PostgreSQL, TimescaleDB)

Database URL Examples:

# TimescaleDB/PostgreSQL (default)
SQLALCHEMY_DATABASE_URL = "postgresql+asyncpg://user:password@localhost/pasarguard"

# MySQL/MariaDB
SQLALCHEMY_DATABASE_URL = "mysql+asyncmy://user:password@localhost/pasarguard"

# SQLite 
SQLALCHEMY_DATABASE_URL = "sqlite+aiosqlite:////var/lib/pasarguard/db.sqlite3"

UVICORN Web Server

VariableTypeDefaultDescription
UVICORN_HOSTstring0.0.0.0Host address to bind the web server
UVICORN_PORTint8000Port number for the web server
UVICORN_UDSstring-Unix domain socket path; when set, Uvicorn binds to the socket instead of host/port
UVICORN_SSL_CERTFILEstring-Path to SSL certificate file
UVICORN_SSL_KEYFILEstring-Path to SSL private key file
UVICORN_SSL_CA_TYPEstringpublicCertificate authority type used for SSL validation
UVICORN_WORKERSint1Number of Uvicorn worker processes
UVICORN_LOOPstringautoUvicorn event loop setting
UVICORN_PROXY_HEADERSboolfalseTrust proxy headers such as forwarded client IPs
UVICORN_FORWARDED_ALLOW_IPSstring/list127.0.0.1Trusted proxy IPs for forwarded headers; use * only on trusted private networks

Example:

UVICORN_HOST = "0.0.0.0"
UVICORN_PORT = 8000
UVICORN_SSL_CERTFILE = "/var/lib/pasarguard/cert.pem"
UVICORN_SSL_KEYFILE = "/var/lib/pasarguard/key.pem"
UVICORN_PROXY_HEADERS = true
UVICORN_FORWARDED_ALLOW_IPS = "127.0.0.1"

Enable UVICORN_PROXY_HEADERS only when PasarGuard is behind a trusted reverse proxy. Do not use UVICORN_FORWARDED_ALLOW_IPS = "*" on an untrusted network.

Authentication & Security

VariableTypeDefaultDescription
JWT_ACCESS_TOKEN_EXPIRE_MINUTESint1440JWT token expiration time in minutes (default: 24 hours)

Example:

# Token expires after 24 hours
JWT_ACCESS_TOKEN_EXPIRE_MINUTES = 1440

# Token expires after 7 days
JWT_ACCESS_TOKEN_EXPIRE_MINUTES = 10080

Panel Settings

VariableTypeDefaultDescription
DOCSboolfalseEnable/disable API documentation endpoint
DEBUGboolfalseEnable debug mode for verbose logging
ROLEstringall-in-oneRuntime role: backend, node, scheduler, or all-in-one
DASHBOARD_PATHstring/dashboard/URL path where the dashboard is served
VITE_BASE_APIstring/API base URL used by the dashboard
ALLOWED_ORIGINSstring*Comma-separated CORS origins

Example:

DOCS = true
DEBUG = false

WireGuard

VariableTypeDefaultDescription
WIREGUARD_ENABLEDbooltrueEnable WireGuard peer allocation and WireGuard subscription output
WIREGUARD_GLOBAL_POOLCIDR10.0.0.0/8IPv4 pool used to auto-allocate WireGuard user peer IPs and validate manual peer IPs
WIREGUARD_RESERVEDCIDR list10.0.0.0/31Comma-separated IPv4 CIDR ranges that must never be allocated

Example:

# Disable WireGuard output and automatic peer allocation
WIREGUARD_ENABLED = false

# Custom allocation pool
WIREGUARD_GLOBAL_POOL = "10.66.0.0/16"
WIREGUARD_RESERVED = "10.66.0.0/31,10.66.0.10/32"

When WIREGUARD_ENABLED = false, WireGuard subscription output is skipped and automatic WireGuard peer IP allocation is disabled.

Usage Recording

VariableTypeDefaultDescription
DISABLE_RECORDING_NODE_USAGEboolfalseDisable recording node usage samples
ENABLE_RECORDING_NODES_STATSboolfalseEnable detailed node stats recording; only available for PostgreSQL/TimescaleDB
RESET_USER_USAGE_CLEAN_CHART_DATAboolfalseDelete user chart history when resetting user usage

Example:

DISABLE_RECORDING_NODE_USAGE = false
ENABLE_RECORDING_NODES_STATS = true
RESET_USER_USAGE_CLEAN_CHART_DATA = false

Complete Configuration Example

Production Setup

# Database (TimescaleDB recommended)
SQLALCHEMY_DATABASE_URL = "postgresql+asyncpg://pasarguard:password@localhost/pasarguard"

# Web Server
UVICORN_HOST = "0.0.0.0"
UVICORN_PORT = 8000
UVICORN_SSL_CERTFILE = "/var/lib/pasarguard/cert.pem"
UVICORN_SSL_KEYFILE = "/var/lib/pasarguard/key.pem"
UVICORN_PROXY_HEADERS = true
UVICORN_FORWARDED_ALLOW_IPS = "127.0.0.1"

# Security
JWT_ACCESS_TOKEN_EXPIRE_MINUTES = 1440

# Panel Settings
DOCS = false
DEBUG = false

# WireGuard
WIREGUARD_ENABLED = true
WIREGUARD_GLOBAL_POOL = "10.0.0.0/8"
WIREGUARD_RESERVED = "10.0.0.0/31"

Development/Testing Setup

# Debug admin configuration; only used when DEBUG = true
SUDO_USERNAME = "admin"
SUDO_PASSWORD = "admin123"

# Database (SQLite for testing)
SQLALCHEMY_DATABASE_URL = "sqlite+aiosqlite:////var/lib/pasarguard/db.sqlite3"

# Web Server
UVICORN_HOST = "127.0.0.1"
UVICORN_PORT = 8000

# Security
JWT_ACCESS_TOKEN_EXPIRE_MINUTES = 1440

# Panel Settings
DOCS = true
DEBUG = true

Configuration Management

View Current Configuration

cat /opt/pasarguard/.env

Edit Configuration

sudo nano /opt/pasarguard/.env

Apply Changes

After modifying configuration, restart the panel:

pasarguard restart

Verify Configuration

Check if the service is running correctly:

pasarguard status

View logs to troubleshoot issues:

pasarguard logs

Multi-Node Setup

To configure multiple nodes:

  1. Install and configure PasarGuard Node on each server (see Node Installation)

  2. Configure node API credentials on each node server

  3. Add nodes in the panel interface:

    • Navigate to the Nodes section in the dashboard
    • Click "Add Node"
    • Enter node connection details (address, port, API key, etc.)
    • Check the connection

Security Best Practices

Secure Database Credentials

Use strong passwords for database connections:

# Generate secure password
openssl rand -base64 32

Use SSL Certificates

Always use valid SSL certificates in production:

# Using Let's Encrypt
sudo certbot certonly --standalone -d your-domain.com

# Update .env
UVICORN_SSL_CERTFILE = "/etc/letsencrypt/live/your-domain.com/fullchain.pem"
UVICORN_SSL_KEYFILE = "/etc/letsencrypt/live/your-domain.com/privkey.pem"

Disable Debug Mode in Production

DEBUG = false
DOCS = false