Skip to content

Configuration Reference

This page documents every environment variable in the MAGK platform's .env.template file. Variables are organized by the same sections found in the template.

To get started, copy the template and customize:

cp .env.template .env

For variables that require generated secrets, see the Installation Guide for generation commands.

Quick secret generation

Run bash config/scaling/generate-config.sh to auto-generate all required secrets at once.


Database

PostgreSQL connection credentials used by all platform services.

Variable Description Default Format Required
POSTGRES_DB PostgreSQL database name magk String Yes
POSTGRES_USER PostgreSQL username magk String Yes
POSTGRES_PASSWORD PostgreSQL password Generated: openssl rand -base64 24 Yes

Warning

POSTGRES_PASSWORD must be generated before first deployment. Never use the placeholder value in production.

Staging database name

For staging deployments, set POSTGRES_DB=magk_staging to isolate the staging database from production on the same host. Production uses the default magk.


Message Queue

RabbitMQ broker credentials for inter-service messaging and background jobs.

Variable Description Default Format Required
RABBITMQ_USER RabbitMQ username magk String Yes
RABBITMQ_PASSWORD RabbitMQ password Generated: openssl rand -base64 24 Yes
RABBITMQ_VHOST RabbitMQ virtual host magk String Yes

Domain & SSL

Public domain and Let's Encrypt certificate configuration. See the Installation Guide for full SSL/TLS setup details.

Variable Description Default Format Required
DOMAIN Public domain for the platform localhost Hostname (e.g., magktech.com) Yes
SSL_EMAIL Email for Let's Encrypt certificate notifications admin@magktech.com Email address Yes

Info

Set DOMAIN to your actual domain (e.g., magktech.com) for staging and production deployments. Traefik uses this value to request wildcard TLS certificates via the Route53 DNS challenge.


Authentication (Better Auth)

Session-based authentication configuration using Better Auth.

Variable Description Default Format Required
BETTER_AUTH_SECRET Secret key for signing session tokens Generated: openssl rand -hex 32 Yes
BETTER_AUTH_URL Base URL for auth callbacks https://${DOMAIN} URL Yes
BETTER_AUTH_TRUSTED_ORIGINS Additional trusted origins for CSRF validation (empty) Comma-separated URLs (e.g., http://localhost:3200) No

Tip

BETTER_AUTH_TRUSTED_ORIGINS is useful when accessing the platform through a port-mapped staging URL or an external domain that differs from DOMAIN.


Admin Account

Initial administrator account credentials used during first deployment. The deploy workflow seeds this account via the Better Auth sign-up endpoint.

Variable Description Default Format Required
ADMIN_USERNAME Admin display name administrator String Yes
ADMIN_PASSWORD Admin account password No default — deploy fails if unset Yes
ADMIN_EMAIL Admin account email admin@magktech.com Email address Yes

No default password

ADMIN_PASSWORD has no fallback value. If it is not set in the environment file, the deployment will fail explicitly rather than create an admin account with a known password. This is intentional fail-closed behavior to prevent insecure default credentials in staging and production.


LDAP

OpenLDAP directory service configuration for TAK client authentication and group management.

Variable Description Default Format Required
LDAP_ORGANISATION LDAP organization name MAGK String Yes
LDAP_DOMAIN LDAP domain magktech.com Domain name Yes
LDAP_ADMIN_PASSWORD LDAP administrator password Generated: openssl rand -base64 24 Yes
LDAP_CONFIG_PASSWORD LDAP configuration password Generated: openssl rand -base64 24 Yes
LDAP_BASE_DN LDAP base distinguished name dc=magktech,dc=com LDAP DN Yes
LDAP_ADMIN_DN LDAP admin distinguished name cn=admin,dc=magktech,dc=com LDAP DN Yes
LDAP_TLS Enable TLS for LDAP connections true true / false Yes

Note

Update LDAP_BASE_DN and LDAP_ADMIN_DN if you change LDAP_DOMAIN to match your domain's DN structure.


TAK Service

TAK protocol ports and database connection for the Python TAK microservice.

Variable Description Default Format Required
TAK_TCP_PORT TCP port for unencrypted CoT traffic 8087 Port number Yes
TAK_SSL_PORT SSL port for encrypted CoT traffic 8089 Port number Yes
TAK_SSL_ENABLED Enable SSL for TAK connections true true / false Yes
TAK_MARTI_PORT Marti API HTTPS port (mTLS via Nginx) 8443 Port number Yes
TAK_DATABASE_HOST Database hostname for TAK service postgresql Hostname Yes
TAK_DATABASE_PORT Database port for TAK service 5432 Port number Yes
TAK_DATABASE_NAME Database name for TAK service ${POSTGRES_DB} String (references POSTGRES_DB) Yes
TAK_DATABASE_USER Database username for TAK service ${POSTGRES_USER} String (references POSTGRES_USER) Yes
TAK_DATABASE_PASSWORD Database password for TAK service ${POSTGRES_PASSWORD} String (references POSTGRES_PASSWORD) Yes

Info

The TAK service shares the main MAGK database by default. The TAK_DATABASE_* variables reference the Database section values via shell variable expansion.


Meshtastic Mesh Radio

Optional Meshtastic mesh radio bridge. When configured, the TAK service polls a Meshtastic device for node positions and converts them to CoT events for display on the tactical map. Set either a serial port or TCP host to enable.

Variable Description Default Format Required
MESHTASTIC_SERIAL_PORT Serial port for Meshtastic device (empty) Device path (e.g., /dev/ttyUSB0) No
MESHTASTIC_TCP_HOST TCP hostname for Meshtastic device (empty) Hostname or IP No
MESHTASTIC_TCP_PORT TCP port for Meshtastic device 4403 Port number No
MESHTASTIC_RECONNECT_DELAY Seconds to wait before reconnecting after a connection loss 10 Positive integer (seconds) No

Tip

Set either MESHTASTIC_SERIAL_PORT (for USB-connected devices) or MESHTASTIC_TCP_HOST (for network-connected devices). Leave both empty to disable the Meshtastic bridge entirely.


Real-Time Services

WebSocket server and UDP gateway configuration for real-time communication.

Variable Description Default Format Required
WS_PORT WebSocket server port (dedicated HTTP server for WS upgrade handling) 3001 Port number Yes
NODE_UDP_ENABLED Enable the Node UDP Gateway for hardware node communication false true / false No
NODE_UDP_PORT UDP port for MAGK hardware nodes 5683 Port number No

Tip

Set NODE_UDP_ENABLED=true only if you are using MAGK hardware nodes (HaLow devices). The UDP gateway listens on port 5683 by default.


OAuth

Optional single sign-on providers. Leave blank to disable, or configure via the Admin Settings page at runtime.

Variable Description Default Format Required
GOOGLE_CLIENT_ID Google OAuth client ID (empty) String from Google Cloud Console No
GOOGLE_CLIENT_SECRET Google OAuth client secret (empty) String No
GITHUB_CLIENT_ID GitHub OAuth client ID (empty) String from GitHub Developer Settings No
GITHUB_CLIENT_SECRET GitHub OAuth client secret (empty) String No

OAuth redirect URIs

  • Google: https://yourdomain.com/api/auth/callback/google
  • GitHub: https://yourdomain.com/api/auth/callback/github

Replace yourdomain.com with your actual DOMAIN value.


Email / SMTP

Optional email delivery configuration. Works with any SMTP provider (AWS SES, SendGrid, Mailgun, etc.). Can also be configured via Admin Settings at runtime.

Variable Description Default Format Required
SMTP_HOST SMTP server hostname (empty) Hostname (e.g., email-smtp.us-east-1.amazonaws.com) No
SMTP_PORT SMTP server port 587 Port number No
SMTP_USER SMTP authentication username (empty) String No
SMTP_PASSWORD SMTP authentication password (empty) String No
SMTP_SECURE Use TLS for SMTP connection false true / false No
FROM_EMAIL Sender email address for outgoing mail noreply@magktech.com Email address No
FROM_NAME Sender display name for outgoing mail MAGK String No

AWS SES

For AWS SES, use host=email-smtp.<region>.amazonaws.com, port=587, and your SES SMTP credentials (not IAM access keys).


Monitoring

Grafana dashboard access credentials.

Variable Description Default Format Required
GRAFANA_ADMIN_PASSWORD Grafana admin user password Generated: openssl rand -base64 16 Yes

Media Streaming

MediaMTX configuration for RTSP/RTMP video streaming.

Variable Description Default Format Required
MTX_PROTOCOLS Allowed streaming protocols tcp Protocol name(s) No
MEDIAMTX_RTSP_PORT RTSP streaming port 8554 Port number No
MEDIAMTX_RTMP_PORT RTMP streaming port 1935 Port number No

Deployment

Environment type, log verbosity, and Docker Compose project isolation.

Variable Description Default Format Required
DEPLOYMENT_ENV Deployment environment identifier development development / staging / production Yes
LOG_LEVEL Minimum log severity for the ECS logging service INFO debug / info / warn / error / fatal (case-insensitive) Yes
COMPOSE_PROJECT_NAME Docker Compose project name for environment isolation magk String Yes

Environment isolation

COMPOSE_PROJECT_NAME prefixes all container names, volumes, and networks. Use different values to run multiple environments on the same host:

  • Local dev: magk (default)
  • Staging: magk-staging
  • Production: magk-prod

See the Installation Guide for more details on environment isolation.


Logging (ECS Logging Service)

Configuration for the structured logging service that persists logs to PostgreSQL.

Variable Description Default Format Required
LOG_RETENTION_DAYS Days to retain log entries before automatic trimming 2 Positive integer Yes
LOG_BATCH_SIZE Number of log entries to batch before flushing to PostgreSQL 100 Positive integer Yes
LOG_FLUSH_INTERVAL_MS Interval in milliseconds between automatic buffer flushes 2000 Positive integer (milliseconds) Yes

Security (Scanner Detector)

Automated scanner/bot detection and IP banning thresholds.

Variable Description Default Format Required
SCANNER_BAN_DURATION_MINUTES Duration in minutes to ban IPs that exceed the scanner threshold 30 Positive integer (minutes) Yes
SCANNER_THRESHOLD_HITS Number of scanner path hits before an IP is banned 5 Positive integer Yes
SCANNER_THRESHOLD_WINDOW_MINUTES Sliding window in minutes for counting scanner path hits per IP 10 Positive integer (minutes) Yes
MAX_REQUEST_BODY_BYTES Maximum allowed request body size in bytes 1048576 Positive integer (bytes; default is 1 MB) Yes

Staging Overrides

Port mappings and domain used with docker-compose.staging.yml. These allow staging to run alongside production on the same host with different ports.

Variable Description Default Format Required
STAGING_DOMAIN Staging environment domain staging.magktech.com Hostname Yes (staging)
STAGING_WEB_PORT Staging web application port 3200 Port number Yes (staging)
STAGING_TAK_TCP_PORT Staging TAK TCP CoT port (offset required — no SNI) 18087 Port number Yes (staging)
STAGING_TAK_SSL_PORT Staging TAK SSL CoT port (offset required — no SNI) 18089 Port number Yes (staging)
STAGING_HTTP_PORT Staging Traefik HTTP port 18080 Port number Yes (staging)
STAGING_HTTPS_PORT Staging Traefik HTTPS port 18443 Port number Yes (staging)
STAGING_LDAP_PORT Staging LDAP port 10389 Port number Yes (staging)
STAGING_RTSP_PORT Staging RTSP streaming port 18554 Port number Yes (staging)
STAGING_PROMETHEUS_PORT Staging Prometheus port 9190 Port number Yes (staging)
STAGING_GRAFANA_PORT Staging Grafana port 3101 Port number Yes (staging)

Traefik SNI Routing for Shared Ports

TAK ports 8443 (Marti API), 8446 (enrollment), and 64738 (Mumble TCP) use Traefik SNI routing and do not need staging port offsets — Traefik routes traffic based on the TLS Server Name Indication (SNI) header, so staging and production share these ports on the same host.

CoT streaming ports 8089 (SSL) and 8087 (TCP) still require offsets because ATAK does not send SNI headers on these connections. Mumble UDP also requires a direct port mapping via MUMBLE_EXTERNAL_PORT since UDP does not support SNI.

Info

Staging overrides use offset port numbers to avoid conflicts with production services running on the same host. See the Installation Guide for the full staging deployment workflow.


Production Overrides

Port mappings used with docker-compose.production.yml.

Variable Description Default Format Required
WEB_PORT Production web application port 3000 Port number Yes (production)
PROMETHEUS_PORT Production Prometheus port 9090 Port number Yes (production)
GRAFANA_PORT Production Grafana port 3001 Port number Yes (production)
LDAP_PORT Production LDAP port 389 Port number Yes (production)
LDAPS_PORT Production LDAPS (secure LDAP) port 636 Port number Yes (production)

Branding

UI branding variables that control the platform's display name and color scheme.

Variable Description Default Format Required
BRAND_NAME Platform display name MAGK String Yes
BRAND_TAGLINE Platform tagline Multipurpose Awareness and Group Kit String Yes
BRAND_COLOR_PRIMARY Primary brand color (deep navy) #1e3c72 Hex color code Yes
BRAND_COLOR_ACCENT Accent brand color (tactical orange) #ff6b35 Hex color code Yes

AI / LLM Provider

Configuration for the optional AI assistant feature. Supports LiteLLM (self-hosted proxy) or AWS Bedrock as the LLM backend.

Variable Description Default Format Required
MAGK_AI_PROVIDER LLM provider backend litellm litellm / bedrock No
MAGK_AI_ASSISTANT_ENABLED Enable the AI assistant in the sidebar false true / false No
LITELLM_MASTER_KEY LiteLLM proxy authentication key Generated: openssl rand -hex 32 No (required if provider is litellm)
LITELLM_LOG_LEVEL LiteLLM proxy log verbosity INFO DEBUG / INFO / WARNING / ERROR No

LiteLLM Version Security

LiteLLM version must be >=1.83.0. Versions 1.82.7 and 1.82.8 are compromised:

  • CVE-2024-6587: SSRF credential leakage
  • CVE-2025-0330: API key exposure in error responses
  • March 2026 supply chain attack on versions 1.82.7/1.82.8

Tip

Set MAGK_AI_ASSISTANT_ENABLED=true to show the AI Assistant in the sidebar for admin and organizer users. The assistant is hidden by default.


MCP Server (AI Assistant Tool Access)

Configuration for the MCP (Model Context Protocol) server that provides AI assistant tool access.

Variable Description Default Format Required
MCP_API_KEY API key for MCP server authentication Generated: openssl rand -hex 32, prefixed with mcp_ No

Tip

Generate the key with: echo "mcp_$(openssl rand -hex 32)"


Mumble Voice Communications

Optional Mumble voice server integration for event-based voice channels. When enabled, MAGK deploys a Mumble server (magk-mumble) and an Ice Admin Sidecar (magk-mumble-admin) that manages channels, ACLs, and LDAP authentication.

Variable Description Default Format Required
MUMBLE_HOST Mumble server hostname (Docker service name) magk-mumble Hostname No
MUMBLE_PORT Mumble protocol port for client connections 64738 Port number No
MUMBLE_SUPERUSER_PASSWORD SuperUser password for the Mumble server Generated: openssl rand -base64 24 When enabled
MUMBLE_ENABLED Enable Mumble voice communications integration false true / false No
MUMBLE_ICE_PORT ZeroC Ice RPC port for server administration 6502 Port number No
MUMBLE_LDAP_ENABLED Enable LDAP-based Mumble authentication via the Ice Admin Sidecar false true / false No
MUMBLE_ADMIN_API_PORT Internal HTTP API port for the Ice Admin Sidecar 6503 Port number No
MUMBLE_MONITORING_ENABLED Enable the optional Monitoring Bot for real-time channel/user state false true / false No
MUMBLE_EXTERNAL_PORT External Mumble port for TAK clients (defaults to MUMBLE_PORT) 64738 Port number No
MUMBLE_MEMBERSHIP_API_URL Internal API URL for membership lookups http://magk-web:3000/api/internal/mumble-groups URL No
MUMBLE_MEMBERSHIP_CACHE_TTL Cache duration in seconds for group memberships 60 Positive integer (seconds) No
MUMBLE_MEMBERSHIP_TIMEOUT HTTP timeout in seconds for membership lookups 2 Positive integer (seconds) No

Note

Set MUMBLE_ENABLED=true to add the Mumble server and admin sidecar to the Docker Compose stack. Channels are provisioned per-event during roster finalization. Players authenticate using LDAP credentials when MUMBLE_LDAP_ENABLED=true.

Mumble Port Routing

Mumble TCP connections use Traefik SNI routing (shared port with production/staging). Mumble UDP connections require a direct port mapping via MUMBLE_EXTERNAL_PORT since UDP does not support SNI.

EUD Emulator Fleet

Configuration for the 10-device ATAK emulator fleet managed by scripts/eud-fleet.sh. Only consulted by the fleet tooling — the rest of the MAGK platform ignores these variables. See EUD Emulator Fleet for the operator guide.

Variable Default Description
FLEET_SIZE 10 Number of EUDs to start when running eud-fleet.sh start with no index. Must match the services declared in compose/docker-compose.android-fleet.yml.
FLEET_BOOT_BATCH 3 Emulators are booted in batches of this size to avoid saturating KVM on shared hosts.
FLEET_CALLSIGN_PREFIX MAGK Callsign prefix. Each EUD is named <prefix>-NN (e.g. MAGK-01MAGK-10).
FLEET_BASE_EMAIL_USER ops Local part of the base email used to seed one MAGK user per EUD. Combined with FLEET_BASE_EMAIL_DOMAIN using the +eudN sub-addressing convention.
FLEET_BASE_EMAIL_DOMAIN magktech.com Domain part of the base email.
FLEET_USER_PASSWORD MagkEud2026! Shared password seeded into every MAGK user — rotate after real use.
FLEET_ATAK_SERVER tak-service CoT streaming hostname reachable from inside the Docker network.
FLEET_ATAK_SERVER_PORT 8089 CoT streaming SSL port.
FLEET_TAK_UPDATE_SERVER https://nginx:8443/api/packages TAK Update Server URL prefilled into each EUD's ATAK preferences.
FLEET_ENROLLMENT_URL https://nginx:8446 Certificate enrollment endpoint.
FLEET_ATAK_APK ATAK-5.7.0.4-cc9eab57-civSmall-release.apk Which ATAK core APK to sideload on each EUD. civSmall boots faster; use the full civ-release.apk for feature-parity testing.
FLEET_PLUGIN_SKIPLIST ATAK-Plugin-taktalk-1.0.0-…-civ-release.apk Space-separated APK filenames to skip during fleet provisioning even though they are still published to real EUDs by the TAK Update Server. Default excludes the oversized taktalk download.
FLEET_DEVICE_PROFILE Samsung Galaxy S10 Emulator device model, passed to budtmo/docker-android as its DEVICE env.

Note

Ten parallel emulators require roughly 20 vCPU and 30 GB RAM with /dev/kvm available on the host. Reduce FLEET_SIZE and FLEET_BOOT_BATCH to scale down on smaller hosts. The Appium-driven smoke tests assume at most four concurrent sessions (scripts/eud-fleet.sh probe --max-parallel N).

Elevation Service

Optional integration with an Open Topo Data instance. Used by the tactical map's elevation-profile tool to look up terrain altitudes along drawn routes.

Variable Default Description
MAGK_ELEVATION_API_URL http://opentopodata:5000 Base URL for the Open Topo Data elevation API. Leave the default if you ship the bundled opentopodata compose service; override to point at any compatible endpoint.

Feature Flags

Toggle in-development capabilities without redeploying compose changes.

Variable Default Description
MAGK_NATIVE_AUTHORING false Enables the native tactical authoring tools (Phase 1–5) when set to true. Leave disabled in production until Phase 5 ships.
MAGK_TAK_UI false Enables TAK-style UI components (toolbar, detail panel, map controls, radial menu, self-position readout) on tactical surfaces. Set to true to activate the TAK UI overhaul (Spec 27).

TAK UI OVERHAUL (Spec 27)

The MAGK_TAK_UI flag controls the TAK-style UI overhaul. When enabled, tactical surfaces (/admin/tactical, /map, /player/tactical) render TAK-native-style components:

  • TakToolbar — Compact icon-only toolbar matching ATAK's top bar
  • TakDetailPanel — Right-side sliding panel for item details, chat, and contacts
  • TakMapControls — Left-side compass, GPS lock, and zoom controls
  • SelfPositionReadout — Bottom-left position overlay (callsign, MGRS, altitude, speed)
  • RadialMenu — Circular context menu on feature right-click/long-press
  • Player WebTAK — Browser-based tactical surface at /player/tactical for players without ATAK/iTAK
Variable Default Description
MAGK_TAK_UI false Master toggle for the TAK UI overhaul. Set to true in production after validation.

ADS-B Pipeline

Activates ADSBCoTPipeline (apps/tak-service/tak/adsbxcot_pipeline.py) when at least one feed source is configured. Manned-aircraft transponder hits and any 1090 ES Remote ID drone broadcasts are converted into CoT events on the magk.cot exchange and rendered on every connected ATAK plus the MAGK web map.

Variable Default Description
ADSB_API_URL empty Hosted ADS-B feed (ADSBexchange-style endpoint). Leave blank when consuming from DUMP1090_URL instead.
ADSB_API_KEY empty Sent in the api-auth header when calling ADSB_API_URL.
DUMP1090_URL empty Local dump1090 receiver, e.g. http://dump1090.local:8080/data/aircraft.json.
SENSOR_POLL_INTERVAL 5 Seconds between polls of the configured feed source. Shared with the AIS pipeline.

Note

The pipeline emits a-n-A-C-F (neutral, air, civil, fixed-wing) by default. Drone Remote ID broadcasts that arrive over 1090 ES will be tagged with the same type — for dedicated Remote ID feeds (Bluetooth/WiFi), see the separate DRONECOT_FEED_URL.

APRS-IS Gateway

Activates APRSGateway (apps/tak-service/tak/aprs_gateway.py) when APRS_ENABLED=true. The gateway connects read-only to APRS-IS, parses position beacons from radios that uplink GPS via APRS, and republishes them as friendly-ground CoT on magk.cot. Operators carrying these radios appear on the MAGK map and inside every connected ATAK alongside other tactical icons.

Compatible radios include (but are not limited to):

  • BTECH UV-Pro — built-in APRS, plus the BTECH UV-Pro relay ATAK plugin for full CoT-over-RF bridging on the device side.
  • Anytone AT-D878 / AT-D578UV — DMR + APRS.
  • Baofeng DM-32 / DM-1701 — DMR with APRS gateway integrations.
  • Any other rig that beacons to APRS-IS.
Variable Default Description
APRS_ENABLED false Master switch for the gateway.
APRS_IS_HOST rotate.aprs2.net APRS-IS pool hostname.
APRS_IS_PORT 14580 TCP port for filtered server-side feeds.
APRS_CALLSIGN MAGK-RO Login callsign — use one you own with an SSID like -RO to identify the read-only client.
APRS_PASSCODE -1 APRS-IS passcode. -1 is the documented value for read-only access.
APRS_FILTER empty Server-side filter, e.g. r/45.5/-122.6/100 for a 100 km radius or b/W7AB-9/KK7CD-7 for a callsign list. Leave blank for the firehose (not recommended).
APRS_RECONNECT_DELAY 10 Seconds between reconnect attempts when the APRS-IS socket drops.

Note

The gateway is receive-only — MAGK does not transmit on RF, and the radio plugins themselves run on the EUD (Bluetooth/USB to the radio). The MAGK server side is purely the APRS-IS ingestion path; pair it with the BTECH UV-Pro relay plugin for full ATAK CoT-over-RF coverage.

CLOUDTAK PLAYER PORTAL (spec 29)

Embeds unmodified CloudTAK (AGPL-3.0) as the browser-based player tactical portal at map.<domain>. CloudTAK runs as a peer service communicating with MAGK via standard TAK protocols. No CloudTAK source code is incorporated into MAGK's bundle.

Operational documentation (deployment runbook, AGPL compliance) is maintained in .kiro/specs/29-cloudtak-player-portal/docs/.

Variable Default Description
MAGK_CLOUDTAK_VERSION v12.138.2 Pinned CloudTAK image tag. Never auto-upgrade; review CHANGELOG before bumping.
CLOUDTAK_SIGNING_SECRET JWT signing secret for CloudTAK sessions. Generate with openssl rand -base64 32.
CLOUDTAK_MINIO_USER cloudtakadmin MinIO access key for CloudTAK's object store.
CLOUDTAK_MINIO_PASSWORD MinIO secret key. Generate with openssl rand -base64 24.
CLOUDTAK_ASSET_BUCKET cloudtak S3 bucket name for CloudTAK assets (PMTiles, uploads, attachments).
CLOUDTAK_TAK_ADMIN_USERNAME administrator TAK Server admin username for CloudTAK's initial connection setup.
CLOUDTAK_TAK_ADMIN_PASSWORD TAK Server admin password. Used once during first PATCH /api/server.
CLOUDTAK_RETENTION_SCHEDULE 0 3 * * * Cron schedule for CloudTAK's data retention worker.
PRIMARY_DOMAIN magktech.com Base domain for CloudTAK subdomains (map.X, tiles.map.X, video.X).