Configuration
AI Admin Panel is configured through environment variables, Docker Compose files, and service-specific configuration. This page covers all configurable aspects of the system.
Environment Variables
The primary configuration file is /opt/aiadminpanel/.env. All variables are read at startup.
Core Settings
| Variable | Default | Description |
|---|---|---|
| PANEL_DOMAIN | (required) | Base domain for the panel |
| PANEL_PORT | 8080 | Internal HTTP port (Traefik proxies to this) |
| DATABASE_URL | (auto-generated) | PostgreSQL connection string |
| VALKEY_URL | valkey://valkey:6379 | Valkey connection string |
| LOG_LEVEL | info | Log level: debug, info, warn, error |
| ENVIRONMENT | production | Runtime environment: production, development |
Authentication (Keycloak)
| Variable | Default | Description |
|---|---|---|
| OIDC_ISSUER_URL | https://auth.{PANEL_DOMAIN}/realms/aiadminpanel | Keycloak realm URL |
| OIDC_CLIENT_ID | panel | OIDC client identifier |
| OIDC_CLIENT_SECRET | (auto-generated) | OIDC client secret |
| SESSION_SECRET | (auto-generated) | Cookie encryption key |
SSL and Traefik
| Variable | Default | Description |
|---|---|---|
| ACME_EMAIL | (required) | Email for Let's Encrypt notifications |
| ACME_STORAGE | /traefik/acme.json | Certificate storage path |
| ACME_CA_SERVER | https://acme-v02.api.letsencrypt.org/directory | ACME CA server URL |
Cloudflare DNS (Optional)
| Variable | Default | Description |
|---|---|---|
| CF_DNS_API_TOKEN | (empty) | Cloudflare API token with DNS edit permission |
| CF_ZONE_ID | (empty) | Cloudflare zone ID (auto-detected if token has zone read permission) |
| CF_PROXIED | false | Whether to enable Cloudflare proxy on created DNS records |
AI Provider (Optional)
| Variable | Default | Description |
|---|---|---|
| AI_PROVIDER | (empty) | AI provider: openai, litellm, ollama |
| AI_API_URL | (empty) | AI API endpoint URL |
| AI_API_KEY | (empty) | AI API key |
| AI_MODEL | (empty) | Model name for AI-powered deployments |
Notifications (Optional)
| Variable | Default | Description |
|---|---|---|
| SMTP_HOST | (empty) | SMTP server hostname |
| SMTP_PORT | 587 | SMTP server port |
| SMTP_USER | (empty) | SMTP username |
| SMTP_PASS | (empty) | SMTP password |
| SMTP_FROM | noreply@{PANEL_DOMAIN} | From address for email notifications |
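
A preflight check for the variables in the tables above, as an added example that is not part of AI Admin Panel. The function names, the owner-only file mode and the https-only rule for OIDC_ISSUER_URL are assumptions of this example; the required variables and allowed values come from the tables.

```shell
#!/bin/sh
# Added example (not project code): preflight check for /opt/aiadminpanel/.env.

# Print the value of KEY ($2) in FILE ($1); the last assignment wins.
env_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

findings=0
report() { printf 'FAIL: %s\n' "$1"; findings=$((findings + 1)); }

# Report KEY ($1) when VALUE ($2) is not in the space-separated list ($3).
check_enum() {
    for allowed in $3; do
        [ "$2" = "$allowed" ] && return 0
    done
    report "$1='$2' is not one of: $3"
}

check_env() {
    file=$1
    findings=0
    # The file holds OIDC_CLIENT_SECRET, SESSION_SECRET, CF_DNS_API_TOKEN,
    # AI_API_KEY and SMTP_PASS, so group and other should have no access bits.
    mode=$(ls -ld "$file" | cut -c5-10)
    [ "$mode" = "------" ] || report "$file is accessible beyond its owner ($mode)"
    # Variables the tables mark "(required)".
    for key in PANEL_DOMAIN ACME_EMAIL; do
        [ -n "$(env_get "$file" "$key")" ] || report "$key is required but empty"
    done
    # Enumerated values; an unset variable falls back to the documented default.
    value=$(env_get "$file" LOG_LEVEL)
    check_enum LOG_LEVEL "${value:-info}" "debug info warn error"
    value=$(env_get "$file" ENVIRONMENT)
    check_enum ENVIRONMENT "${value:-production}" "production development"
    value=$(env_get "$file" AI_PROVIDER)
    [ -z "$value" ] || check_enum AI_PROVIDER "$value" "openai litellm ollama"
    # Assumed policy (not from the page): an overridden issuer must use TLS.
    value=$(env_get "$file" OIDC_ISSUER_URL)
    case "$value" in ''|https://*) ;; *) report "OIDC_ISSUER_URL should use https://" ;; esac
    [ "$findings" -eq 0 ]
}

# Constructed sample file, not a real deployment.
sample=$(mktemp) && chmod 600 "$sample"
printf '%s\n' 'PANEL_DOMAIN=panel.example.com' 'ACME_EMAIL=' 'LOG_LEVEL=verbose' > "$sample"
check_env "$sample" || echo "$findings finding(s)"
rm -f "$sample"
```

`check_env` returns non-zero when it reports anything, so it can gate a restart of the panel.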
Docker Compose Structure
The production deployment uses two compose files:
docker-compose.infra.yml — Infrastructure Services
Manages the foundational services that the panel depends on:
```yaml
services:
  postgresql:
    image: postgres:16
    volumes:
      - pgdata:/var/lib/postgresql/data
    networks:
      - aiadminpanel
  valkey:
    image: valkey/valkey:8
    networks:
      - aiadminpanel
  traefik:
    image: traefik:v3.0
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik:/traefik
    networks:
      - aiadminpanel
  keycloak:
    image: quay.io/keycloak/keycloak:26.0
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.keycloak.rule=Host(`auth.${PANEL_DOMAIN}`)"
    networks:
      - aiadminpanel
```
docker-compose.yml — Panel Application
Manages the panel itself:
```yaml
services:
  panel:
    image: ghcr.io/aiadminpanel/panel:latest
    env_file: .env
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.panel.rule=Host(`${PANEL_DOMAIN}`)"
      - "traefik.http.routers.panel.tls.certresolver=letsencrypt"
    networks:
      - aiadminpanel
```
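
Both compose files mount the Docker socket, and the panel image is referenced by the `latest` tag. The following inventory script is an added example, not part of AI Admin Panel; `compose_audit` is a hypothetical helper that reads short-syntax volume entries like the ones above and lists each service that mounts the socket or uses an untagged or `latest` image.

```shell
#!/bin/sh
# Added example (not project code): inventory of Docker socket mounts and
# floating image tags in a Compose file. Handles short-syntax volumes only.
compose_audit() {
    awk '
        /^services:/ { in_services = 1; next }
        /^[^ #]/     { in_services = 0 }           # another top-level key
        !in_services { next }
        match($0, /^ +/) && NF == 1 && $1 ~ /^[A-Za-z0-9_.-]+:$/ {
            if (!depth) depth = RLENGTH             # indent of the first service
            if (RLENGTH == depth) { service = substr($1, 1, length($1) - 1); next }
        }
        $1 == "image:" {
            gsub(/"/, "", $2)
            tag = $2; sub(/^.*\//, "", tag)         # drop registry and namespace
            if ($2 !~ /@sha256:/ && (tag !~ /:/ || tag ~ /:latest$/))
                print service, "floating-tag", $2
        }
        /docker\.sock/ {
            print service, "docker.sock", ($0 ~ /:ro([,"]|[ \t]*$)/ ? "ro" : "rw")
        }
    ' "$1"
}

# Constructed sample that merges the traefik and panel services shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
services:
  traefik:
    image: traefik:v3.0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
  panel:
    image: ghcr.io/aiadminpanel/panel:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
EOF
compose_audit "$sample"
rm -f "$sample"
```

A `ro` result describes only the mount flag; it does not limit what the Docker API accepts over the socket, so every service listed should be treated as able to control the Docker daemon.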
Keycloak Configuration
Keycloak serves as the sole identity provider. The installer creates:
- Realm: `aiadminpanel`
- Client: `panel` (confidential, authorization code flow)
- Admin user: created with the email and password from install
Keycloak Admin Console
Access at https://auth.{PANEL_DOMAIN}/admin/ with the Keycloak admin credentials.
Custom Branding
The panel applies dark branding to the Keycloak login page automatically. To customize further, modify the theme in the Keycloak admin console under Realm Settings > Themes.
Adding Users
Users can be created through:
- The panel's customer management UI (creates Keycloak user automatically)
- The Keycloak admin console directly
- The Keycloak user self-registration flow (if enabled)
Roles
| Role | Permissions |
|---|---|
| admin | Full access to all resources and settings |
| operator | Manage services, deploy, view all customers |
| viewer | Read-only access to assigned resources |
Traefik SSL Setup
Traefik handles all SSL termination via Let's Encrypt. The static configuration lives at /opt/aiadminpanel/traefik/traefik.yml:
```yaml
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
certificatesResolvers:
  letsencrypt:
    acme:
      email: "${ACME_EMAIL}"
      storage: /traefik/acme.json
      httpChallenge:
        entryPoint: web
providers:
  docker:
    exposedByDefault: false
    network: aiadminpanel
```
Services get SSL automatically when deployed — no manual certificate management required.
Wildcard Certificates (Cloudflare DNS Challenge)
If CF_DNS_API_TOKEN is set, Traefik uses the Cloudflare DNS challenge for wildcard certificates:
```yaml
certificatesResolvers:
  letsencrypt:
    acme:
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
```
This issues a single *.panel.example.com certificate covering all services.
Cloudflare DNS Integration
When configured, the panel automatically creates DNS records for deployed services:
- Service deploys to `myapp.panel.example.com`
- Panel calls Cloudflare API to create an A record
- Traefik picks up the route and provisions SSL
- Service is accessible within seconds
Setting Up Cloudflare
- Go to your Cloudflare dashboard
- Create an API token with Zone:DNS:Edit permission for your domain
- Set `CF_DNS_API_TOKEN` in `/opt/aiadminpanel/.env`
- Restart the panel: `docker compose restart panel`
Without Cloudflare
If not using Cloudflare, you need a wildcard DNS record (*.panel.example.com) pointing to your server. Services will be accessible immediately after deploy since the wildcard catches all subdomains.