# ─── Data Directory ────────────────────────────────────────────────────── # Root directory for SQLite database and image cache (default: ./data, Docker: /data) # DATA_DIR=./data # ─── TMDB (required) ─────────────────────────────────────────────────────── # API Read Access Token — get one at https://www.themoviedb.org/settings/api TMDB_API_READ_ACCESS_TOKEN= # Optional: override TMDB base URLs (advanced) # TMDB_API_BASE_URL=https://api.themoviedb.org/3 # TMDB_IMAGE_BASE_URL=https://image.tmdb.org/t/p # ─── Auth (required) ─────────────────────────────────────────────────────── # Random secret for session encryption (min 32 chars) # Generate one with `bunx @better-auth/cli secret` or `openssl rand -base64 32` BETTER_AUTH_SECRET= # Public URL of your instance, especially important if reverse proxy is used BETTER_AUTH_URL=http://localhost:3000 # ─── OIDC Authentication (optional) ──────────────────────────────────── # OIDC is enabled when OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, and OIDC_ISSUER_URL are all set. # Callback URL to configure in your IdP: ${BETTER_AUTH_URL}/api/auth/oauth2/callback/oidc # OIDC_CLIENT_ID= # OIDC_CLIENT_SECRET= # OIDC_ISSUER_URL= # e.g. https://authentik.example.com/application/o/sofa # OIDC_PROVIDER_NAME=SSO # Display name on login button (default: "SSO") # OIDC_AUTO_REGISTER=true # Auto-create users on first OIDC login (default: true) # DISABLE_PASSWORD_LOGIN=false # Set to "true" to hide email/password form when OIDC is configured # ─── Logging ────────────────────────────────────────────────────────── # Log verbosity: error, warn, info, debug (default: info) # LOG_LEVEL=info # ─── Update Checks ──────────────────────────────────────────────────── # Base URL for the public API used for update checks and other centralized features # PUBLIC_API_URL=https://public-api.sofa.watch # ─── Image Caching ───────────────────────────────────────────────────── # Set IMAGE_CACHE_ENABLED to "false" to use TMDB CDN directly (default: enabled) # IMAGE_CACHE_ENABLED=true