Full List of Variables

Main environment variables

  • CLIENT_NAME — client login for Gramax Enterprise Server. Used for authentication in Docker Registry and when substituting values into configuration variables. Issued at purchase. Required. Example: gramax

  • GES_URL — URL where GES will be available. Required. Example: https://enterprise.gramax.local

  • AUTH_SERVICE_URL — URL where the auth service will be available. Example: https://ges.gram.ax/auth

  • DIAGRAM_RENDERER_SERVICE_URL — URL where the Diagram-renderer service will be available. Example: https://ges.gram.ax/diagram-renderer

  • ALLOWED_GRAMAX_URLS — URLs of Gramax instances (documentation portal, browser version, and GES), comma-separated. No trailing comma. Required. Example: https://some-instance.gram.ax,https://another-instance.gram.ax

  • LICENSE_KEY — license key for Gramax Enterprise Server. Issued at purchase. Required. Example: 765d562b9092eec3…

  • GIT_SERVER_TOKEN — access token for the Git server for reading/cloning repositories. Required. Example: glpat-...

  • GES_ADMIN_EMAILS — workspace owner emails, comma-separated. Written to config only on first startup. Required. Example: admin1@gramax.local,admin2@gramax.local

  • GIT_SERVER_URL — GitLab server address for external storage. Required. Example: https://gitlab.example.com

  • ENTERPRISE_STORAGE_TYPE — configuration storage type: gitlab or local. Required. Example: gitlab

  • ENTERPRISE_CONFIG_PATH — for ENTERPRISE_STORAGE_TYPE=local: path to the GES settings folder on the virtual machine. Required. Default: /app/config

  • GIT_PROJECT_PATH — for ENTERPRISE_STORAGE_TYPE=gitlab: path to the settings repository in GitLab, as group/repository-name. Must be created before initialization. Required. Example: dr/gramax-yaml-manager

  • GIT_PROJECT_BRANCH — branch of the GIT_PROJECT_PATH repository, if it differs from master. Default: master. Example: main

  • ENTERPRISE_SERVICE_ENCRYPTION_KEY — key for secure data transfer between services. Required. Example: 5caf59ed...cddb8489

  • COOKIE_SECRET — key for encrypting user secrets in cookies. Recommended: a 32-byte key (openssl rand -hex 32). Example: 397b6f3bf51a73b9...

For resource allocation and Ingress settings, see Helm chart system values.
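
A pre-deployment check for the main variables above, written for this page as an added example (it is not part of Gramax or its Helm chart). The function name check_main_env, the SAMPLE values, and the rule that ALLOWED_GRAMAX_URLS entries must be http(s) URLs are assumptions made here; the other rules restate the list above.

```python
import re
from urllib.parse import urlsplit

REQUIRED = ("CLIENT_NAME", "GES_URL", "ALLOWED_GRAMAX_URLS", "LICENSE_KEY",
            "GIT_SERVER_TOKEN", "GES_ADMIN_EMAILS", "GIT_SERVER_URL",
            "ENTERPRISE_STORAGE_TYPE", "ENTERPRISE_SERVICE_ENCRYPTION_KEY")

def check_main_env(env):
    """Return a list of problems; values of secrets are never echoed."""
    problems = [f"{name} is required" for name in REQUIRED if not env.get(name)]
    # Comma-separated list with no trailing comma; http(s)-only is an assumption.
    allowed = env.get("ALLOWED_GRAMAX_URLS", "")
    for item in allowed.split(",") if allowed else []:
        url = urlsplit(item)
        if item != item.strip() or url.scheme not in ("http", "https") or not url.netloc:
            problems.append(f"ALLOWED_GRAMAX_URLS has a bad entry: {item!r}")

    storage = env.get("ENTERPRISE_STORAGE_TYPE")
    if storage == "gitlab":
        # GIT_PROJECT_PATH is required for gitlab storage, as group/repository-name.
        if not re.fullmatch(r"[^/\s]+(/[^/\s]+)+", env.get("GIT_PROJECT_PATH", "")):
            problems.append("GIT_PROJECT_PATH must look like group/repository-name")
    elif storage and storage != "local":
        problems.append("ENTERPRISE_STORAGE_TYPE must be gitlab or local")
    # Recommended form: 32 random bytes as 64 hex characters.
    cookie = env.get("COOKIE_SECRET")
    if cookie is not None and not re.fullmatch(r"[0-9a-fA-F]{64}", cookie):
        problems.append("COOKIE_SECRET is not 64 hex characters (openssl rand -hex 32)")
    return problems

# Constructed sample environment; every value is a placeholder.
SAMPLE = {
    "CLIENT_NAME": "gramax",
    "GES_URL": "https://enterprise.gramax.local",
    "ALLOWED_GRAMAX_URLS": "https://some-instance.gram.ax,https://another-instance.gram.ax,",
    "LICENSE_KEY": "PLACEHOLDER",
    "GIT_SERVER_TOKEN": "PLACEHOLDER",
    "GES_ADMIN_EMAILS": "admin1@gramax.local",
    "GIT_SERVER_URL": "https://gitlab.example.com",
    "ENTERPRISE_STORAGE_TYPE": "gitlab",
    "GIT_PROJECT_PATH": "gramax-yaml-manager",
    "ENTERPRISE_SERVICE_ENCRYPTION_KEY": "PLACEHOLDER",
    "COOKIE_SECRET": "too-short",
}

if __name__ == "__main__":
    for problem in check_main_env(SAMPLE):
        print("FAIL:", problem)
```

Pass `dict(os.environ)` instead of SAMPLE to check the environment a container will actually start with.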

SSO sign-in

  • AUTH_METHOD — SSO authorization method. All parameters related to AUTH_METHOD are required. Options: azure, adfs, keycloak, openid, ldap, kerberos. Example: AUTH_METHOD=azure

  • CONNECTOR_TYPE — method for retrieving the user list. All parameters related to CONNECTOR_TYPE are required. Options: ldap, keycloak, scim. Example: CONNECTOR_TYPE=ldap

Authorization

For AUTH_METHOD = azure

  • AZURE_AUTHORIZATION_URL — authorization endpoint URL. Example: https://login.microsoftonline.com/HohLpGvI.../oauth2/v2.0/authorize

  • AZURE_TOKEN_URL — token endpoint URL. Example: https://login.microsoftonline.com/HohLpGvI.../oauth2/v2.0/token

  • AZURE_API_URL — API information endpoint URL. Example: https://graph.microsoft.com/v1.0

  • AZURE_CLIENT_ID — application ID in Azure. Example: 0FYSAWm1A-1x4k-e14H-0LHe-gf6qwElcYuz

  • AZURE_CLIENT_SECRET — application secret in Azure. Example: rY3yh*suIebMk^k0KGoi3azsIBP&FY@odQsgFVdc

For AUTH_METHOD = adfs

  • ADFS_CERT — certificate used for authentication in ADFS.

  • ADFS_ENTRYPOINT — authentication entry point. Example: https://adfs.gram.ax/adfs/ls/

  • ADFS_ISSUER — ADFS identifier. Example: https://adfs.gram.ax/

  • ADFS_CALLBACK_URL — callback URL after successful authentication. Example: https://app.gram.ax/auth/cb

For AUTH_METHOD = keycloak

  • KEYCLOAK_SERVER_URL — Keycloak server URL. Example: https://keycloak.gram.ax/auth/

  • KEYCLOAK_REALM — realm name in Keycloak. Example: gramax

  • KEYCLOAK_CLIENT_ID — Keycloak client ID.

  • KEYCLOAK_USE_ACCESS_TOKEN_INFO — whether to read user info from access_token. Example: KEYCLOAK_USE_ACCESS_TOKEN_INFO=true

For AUTH_METHOD = openid

  • OPEN_ID_SERVER_URL — OpenID server URL. Example: https://keycloak.gram.ax/auth/

  • OPEN_ID_REALM — realm name in OpenID. Example: gramax

  • OPEN_ID_CLIENT_ID — OpenID client ID.

  • OPEN_ID_CLIENT_SECRET — OpenID client secret.

For AUTH_METHOD = ldap

  • LDAP_URL — LDAP server URL. Example: ldap://ldap.example.com:389 or ldaps://ldap.example.com:636

  • LDAP_ADMIN_DN — DN of the administrative user with directory search permissions. Example: gramax@gramax.ru

  • LDAP_ADMIN_PASSWORD — password of the administrative user. Example: secretAdminPass

  • LDAP_USER_SEARCH_BASE — DN of the base user search point. Example: ou=users,dc=example,dc=com

  • LDAP_USERNAME_ATTRIBUTE — user attribute for search. Example: samaccountname, cn, mail

  • LDAP_USER_DN — DN of a specific user, if known directly. Example: OU=Enabled,OU=GRAMAX-USERS,DC=gramax,DC=local

  • LDAP_GROUP_SEARCH_BASE — DN of the base group search point. Example: ou=groups,dc=example,dc=com

  • LDAP_GROUP_CLASS — object class of the group entry. Example: groupOfNames

  • LDAP_GROUP_MEMBER_ATTRIBUTE — attribute in a group entry containing its members. Example: member

  • LDAP_GROUP_MEMBER_USER_ATTRIBUTE — user attribute matched with LDAP_GROUP_MEMBER_ATTRIBUTE. Example: dn

  • LDAP_ATTRIBUTES — comma-separated list of user attributes to return. If not specified, all are returned. Example: cn,sn,mail

For AUTH_METHOD = kerberos

  • KERBEROS_REALM — Kerberos realm (Active Directory domain). Must be in UPPERCASE. Example: COMPANY.LOCAL

  • KERBEROS_SERVICE_PRINCIPAL — Service Principal Name (SPN). Format: HTTP/hostname@REALM. Example: HTTP/gramax.company.local@COMPANY.LOCAL

  • KRB5_KTNAME — environment variable for the Kerberos library. Format: FILE:/path/to/keytab. Example: FILE:/opt/gramax/config/gramax.keytab

  • KERBEROS_REALM must exactly match the Active Directory domain in UPPERCASE

  • KERBEROS_SERVICE_PRINCIPAL must match the SPN registered in Active Directory

  • The path in KRB5_KTNAME must start with the FILE: prefix

  • The keytab file must have 600 permissions
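
The four Kerberos requirements above can be verified before the service starts. The following is an added example, not code from Gramax; check_kerberos_env is a hypothetical name, and comparing the realm part of the SPN with KERBEROS_REALM is an assumption drawn from the HTTP/hostname@REALM format. Whether the SPN is actually registered in Active Directory cannot be checked offline and is not covered.

```python
import os
import re
import stat

# Format from the list above: HTTP/hostname@REALM
SPN_RE = re.compile(r"^HTTP/(?P<host>[A-Za-z0-9.-]+)@(?P<realm>\S+)$")

def check_kerberos_env(env):
    """Return a list of problems found in the Kerberos variables of `env`."""
    problems = []
    realm = env.get("KERBEROS_REALM", "")
    spn = env.get("KERBEROS_SERVICE_PRINCIPAL", "")
    ktname = env.get("KRB5_KTNAME", "")

    if not realm or realm != realm.upper():
        problems.append("KERBEROS_REALM must be set and in UPPERCASE")

    match = SPN_RE.match(spn)
    if not match:
        problems.append("KERBEROS_SERVICE_PRINCIPAL must look like HTTP/hostname@REALM")
    elif match.group("realm") != realm:
        # Assumption: the realm part of the SPN is the realm in KERBEROS_REALM.
        problems.append("realm in KERBEROS_SERVICE_PRINCIPAL differs from KERBEROS_REALM")

    if not ktname.startswith("FILE:"):
        problems.append("KRB5_KTNAME must start with FILE:")
    else:
        path = ktname[len("FILE:"):]
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except OSError as exc:
            problems.append(f"keytab cannot be inspected: {exc.strerror}")
        else:
            # 600 = owner read/write only; any group/other bit exposes the key.
            if mode != 0o600:
                problems.append(f"keytab mode is {mode:03o}, expected 600")
    return problems

if __name__ == "__main__":
    import tempfile
    # Constructed sample: a throwaway file stands in for the keytab.
    with tempfile.NamedTemporaryFile(suffix=".keytab") as kt:
        os.chmod(kt.name, 0o644)
        sample = {"KERBEROS_REALM": "company.local",
                  "KERBEROS_SERVICE_PRINCIPAL": "HTTP/gramax.company.local@COMPANY.LOCAL",
                  "KRB5_KTNAME": "FILE:" + kt.name}
        for problem in check_kerberos_env(sample):
            print("FAIL:", problem)
```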

Get user list

For CONNECTOR_TYPE=ldap

  • LDAP_URL — LDAP server URL. Example: ldap://ldap.example.com:389 or ldaps://ldap.example.com:636

  • LDAP_ADMIN_DN — user DN with directory search permissions. Example: gramax@gramax.ru

  • LDAP_ADMIN_PASSWORD — password of the user specified in LDAP_ADMIN_DN. Example: secretAdminPass

  • LDAP_USER_SEARCH_BASE — DN of the base user search point. Example: ou=users,dc=example,dc=com

  • LDAP_GROUP_CLASS — LDAP object class used to search for groups. Example: group

  • LDAP_GROUP_SEARCH_BASE — DN of the base group search point. Example: ou=groups,dc=example,dc=com

  • LDAP_SEARCH_GROUP_LIMIT — maximum number of groups returned during LDAP search. Example: 15

For CONNECTOR_TYPE=keycloak

  • KEYCLOAK_SERVER_URL — Keycloak server URL. Example: https://keycloak.gram.ax/auth/

  • KEYCLOAK_REALM — realm name in Keycloak. Example: gramax

  • KEYCLOAK_API_TOKEN — access token.

For CONNECTOR_TYPE=scim

  • SCIM_SERVER_URL — SCIM server URL. Example: https://scim.gram.ax/auth/

  • SCIM_TOKEN — access token (used instead of SCIM_ADMIN_LOGIN + SCIM_ADMIN_PASSWORD).

  • SCIM_GET_USERS_FILTER — filter for user search. Default: userName co "${searchSubstring}"

  • SCIM_ADMIN_LOGIN — username for Basic authorization (instead of SCIM_TOKEN).

  • SCIM_ADMIN_PASSWORD — password for Basic authorization (instead of SCIM_TOKEN).

Logging

  • LOG_TYPE — log format: default or cef. Default: default

  • LOG_LEVEL — minimum logging level: debug, info, warn, error, fatal. Default: info

  • LOG_TRANSPORTER — log output channel: console or syslog. Default: console

  • LOG_SYSLOG_HOST — Syslog server host. Default: 127.0.0.1

  • LOG_SYSLOG_PORT — Syslog server port. Default: 514

  • LOG_SYSLOG_PROTOCOL — Syslog connection protocol (IPv4/IPv6 and TLS supported): udp4, tcp4, tls4, udp6, tcp6, tls6. Default: udp4

  • LOG_SYSLOG_APP_NAME — application name in Syslog messages. Default: gramax

See detailed logging setup in this guide.

Documentation portal settings

  • AUTO_PULL_TOKEN — user token for automatic synchronization. Example: glpat-3Ax2PoY1h75JqpXG3X-r

  • AUTO_PULL_INTERVAL — automatic synchronization interval in seconds. Default: 3 minutes. Example: 120

  • AUTO_PULL_USERNAME — when using login/password authentication: username (AUTO_PULL_TOKEN then contains the password). Example: autopull

  • DISABLE_SEO — disables automatic generation of sitemap.xml and robots.txt. If true, the portal is not indexed. Default: true

  • YANDEX_METRIC_COUNTER — Yandex Metrica counter ID.

  • AI_TOKEN — authorization token for the LLM service. Use the same value as AUTH__ADMIN__TOKEN.

  • AI_SERVER_URL — URL for accessing the LLM service. Default: {GES_URL}/ai

  • AI_INSTANCE_NAME — unique portal identifier. Allows one LLM service to work with multiple portals. Example: my-docs-portal

  • GES_REFRESH_INTERVAL — synchronization interval between the portal and GES settings, in seconds. Default: 600

HashiCorp Vault integration

  • VAULT_API_VERSION — Vault API version. Example: v1

  • VAULT_TOKEN — access token for Vault authentication. Example: s.NG8kghWwZVZHX1wGnGzY9k5u

  • VAULT_ENDPOINT — Vault server URL. Example: https://vault.gram.ax

  • VAULT_PATH — path to the secret in Vault. Example: secret/data/gramax/ldap

  • VAULT_MOUNT_PATH — mounted path for KV storage if it differs from secret. Example: secret

Data import from other systems

  • CONFLUENCE_CLIENT_ID — client ID for connecting to the Confluence API.

  • CONFLUENCE_CLIENT_SECRET — client secret for Confluence authorization.

  • CONFLUENCE_REDIRECT_URI — redirect URL for OAuth authorization with Confluence.

  • NOTION_CLIENT_ID — client ID for connecting to the Notion API.

  • NOTION_CLIENT_SECRET — client secret for Notion authorization.

  • NOTION_REDIRECT_URI — redirect URL for OAuth authorization with Notion.

AI features

  • VECTORDB__TYPE — vector database type. Default: qdrant

  • VECTORDB__HOST — address for connecting to the Qdrant database. Default: http://enteprise-gramax-qdrant for Helm chart.

  • EMBEDDING__TYPE — provider type for generating embeddings: openai (for OpenAI and compatible services) or ollama (for local Ollama). Example: EMBEDDING__TYPE=openai

  • EMBEDDING__MODEL — model name for embedding generation. Example: text-embedding-3-large, mxbai-embed-large

  • EMBEDDING__HOST — provider API server address (for OpenAI-compatible providers or remote Ollama). Example: https://api.deepseek.com/v1

  • EMBEDDING__APIKEY — API key for accessing the provider service.

  • EMBEDDING__SOCKSPROXYURL — SOCKS5 proxy address. Format: socks5://user:password@host:port. Example: socks5://proxy_user:proxy_pass@192.168.1.1:1080

  • EMBEDDING__QUERYTEMPLATE — query template for embeddings.

  • EMBEDDING__DOCUMENTTEMPLATE — document template for embeddings.

  • EMBEDDING__DIMENSIONS — vector dimension produced by the model. Example: 1536

  • FEATURE__SENDEMBEDDINGDIMENSIONS — flag for sending embedding dimensions.

  • CHAT__TYPE — provider type for chat. Value: openai.

  • CHAT__HOST — provider API server address. Example: https://api.deepseek.com/v1

  • CHAT__MODEL — model name for text generation. Example: gpt-4o

  • CHAT__APIKEY — API key for accessing the provider service.

  • CHAT__SOCKSPROXYURL — SOCKS5 proxy address. Format: socks5://user:password@host:port

  • AUTH__ADMIN__TOKEN — secret token for authorizing requests from Gramax to the LLM service.

Advanced settings for CORS and Logging are also available.

Metrics

  • BUGSNAG_API_KEY — API key for sending errors to Bugsnag. Example: 123abc456def789ghi012jkl345mno678

  • MATOMO_SITE_ID — site ID in Matomo. Example: 5

  • MATOMO_URL — Matomo instance URL. Example: https://matomo.gram.ax

  • MATOMO_CONTAINER_URL — Matomo Tag Manager container URL. Example: https://matomo.gram.ax/js/container_ABC.js

  • ELASTIC_SEARCH_API_URL — Elasticsearch server API URL. Example: https://es.gram.ax:9200

  • ELASTIC_SEARCH_INSTANCE_NAME — instance name or index in Elasticsearch. Example: gramax-logs

  • ELASTIC_SEARCH_USERNAME — username for Elasticsearch access. Example: elastic_user

  • ELASTIC_SEARCH_PASSWORD — user password for Elasticsearch access. Example: strongPassword123