All configuration uses the MPG_ prefix, loaded by Viper from environment variables or a .env file.
[!NOTE]
Both backends share many variable names (database, cache, logging, OTEL, rate limiting, encryption). Where the variable name is the same, it applies identically to both services unless noted.
Comma-separated CIDRs/IPs of trusted reverse proxies. Client-IP forwarding headers (X-Real-IP, X-Forwarded-For) are honoured only when the immediate peer matches one of these entries; otherwise the raw connection IP is used for rate limiting and session IP binding. Provider-agnostic — does not require Cloudflare. Set to your load balancer's CIDR(s) if you front the stack with an external proxy. Both backends.
MPG_INTERNAL_HEALTH_TOKEN
string
No
— (source-IP check only)
Shared secret required, in addition to the private/loopback source check, for the /internal/health deep endpoint. Behind a proxy the connection IP is the proxy, so this token is the real access gate. Set in production. Both backends.
MPG_IPN_ALLOW_PRIVATE_TARGETS
bool
No
false
Allow IPN webhook delivery to private/loopback/link-local targets (SSRF guard). Keep false in production. Main backend only.
Note: The bundled Caddy reverse proxy forwards an authoritative X-Real-IP derived
from its own trusted-proxy configuration, so the backends only need to trust the proxy hop
(MPG_SECURITY_TRUSTED_PROXIES defaults to the internal container networks). Cloudflare is
not required — any reverse proxy, or no proxy at all, is supported.
URL of the Gotenberg PDF service; deployment templates set this to the internal Gotenberg service.
MPG_MAIN_WORKER_TEMP_CACHE_DIR
string
No
OS temp dir + /pdf-cache
Local directory for temporary PDF caching (defaults to the host OS temp directory). In container deployments this is commonly set explicitly (e.g. /tmp/pdf-cache).
MPG_MAIN_WORKER_SERVICE_URL
string
No
—
Internal URL where the worker HTTP server is reachable (used by the main API to proxy PDF requests)
[!IMPORTANT]
Generate unique keys for each environment (development, staging, production). Never reuse keys across environments. Rotate keys if they are ever exposed.