Configuration

Cetacean can be configured through CLI flags, environment variables, or a TOML config file. When the same setting is specified in multiple places, the precedence order is:
flag > env var > config file > default.

Sensitive settings (secrets, keys) also accept a _FILE suffix on their env var to read the secret from that file at startup. The _FILE variant has lower precedence than the direct env var.

General Settings

server.listen_addr

Address and port the HTTP server binds to. Use 0.0.0.0:9000 to listen on all interfaces, or 127.0.0.1:9000 to restrict to localhost.

Flag -listen Env var CETACEAN_LISTEN_ADDR Default :9000

server.base_path

URL prefix for hosting Cetacean under a sub-path behind a reverse proxy (e.g., /cetacean serves the dashboard at https://example.com/cetacean/). Leave unset when Cetacean owns the root path.

Flag -base-path Env var CETACEAN_BASE_PATH

docker.host

Docker Engine API endpoint. Supports Unix sockets (unix:///path), TCP (tcp://host:port), and SSH (ssh://user@host).

Flag -docker-host Env var CETACEAN_DOCKER_HOST Default unix:///var/run/docker.sock

prometheus.url

Base URL of a Prometheus server (e.g., http://prometheus:9090). When set, Cetacean proxies metric queries and enables resource usage charts, sizing recommendations, and the metrics stream. When unset, all metric-dependent features are disabled.

Flag -prometheus-url Env var CETACEAN_PROMETHEUS_URL

logging.level

Minimum log severity. One of debug, info, warn, or error.

Flag -log-level Env var CETACEAN_LOG_LEVEL Default info

logging.format

Log output format. json produces structured, machine-readable lines. text produces human-friendly console output.

Flag -log-format Env var CETACEAN_LOG_FORMAT Default json

server.pprof

Expose Go runtime profiling endpoints at /debug/pprof/. Useful for diagnosing CPU, memory, and goroutine issues in production. Should be disabled unless actively profiling.

Flag -pprof Env var CETACEAN_PPROF Default false

server.self_metrics

Expose a Prometheus-compatible metrics endpoint at /-/metrics with internal counters for SSE connections, cache operations, and HTTP request latency.

Flag -self-metrics Env var CETACEAN_SELF_METRICS Default true

server.recommendations

Enable the recommendation engine, which periodically analyzes swarm state and Prometheus metrics to surface suggestions (resource sizing, missing health checks, operational issues). See Recommendations for details.

Flag -recommendations Env var CETACEAN_RECOMMENDATIONS Default true

server.operations_level

Controls which write operations the dashboard exposes. 0 is fully read-only, 1 allows operational actions (scale, restart, rollback), 2 adds service configuration edits, and 3 enables destructive operations like node removal. See Operations Level for the full breakdown.

Flag -operations-level Env var CETACEAN_OPERATIONS_LEVEL Default 1

server.sse.batch_interval

How long the SSE broadcaster waits to batch multiple change events into a single push. Lower values reduce UI update latency; higher values reduce network overhead when many resources change at once. Accepts any Go duration string (e.g., 50ms, 1s).

Flag -sse-batch-interval Env var CETACEAN_SSE_BATCH_INTERVAL Default 100ms

server.cors.origins

Origins allowed to make cross-origin requests to the API. Comma-separated list of origins (e.g., https://admin.example.com) or * to allow all. When unset, CORS headers are not sent and cross-origin requests from browsers are blocked.

Flag -cors-origins Env var CETACEAN_CORS_ORIGINS

server.trusted_proxies

IP addresses or CIDR ranges of reverse proxies whose X-Forwarded-For headers should be trusted for determining the real client IP (e.g., 10.0.0.0/8,172.16.0.0/12). Required for header-based authentication. When unset, all requests are treated as direct connections.

Flag -trusted-proxies Env var CETACEAN_TRUSTED_PROXIES

storage.snapshot

Persist swarm state to disk after every sync. On restart, Cetacean loads the snapshot to serve data immediately while the live sync catches up, avoiding a blank dashboard during startup.

Flag -snapshot Env var CETACEAN_SNAPSHOT Default true

storage.data_dir

Directory where the snapshot file (snapshot.json) is stored. Must be writable by the Cetacean process. In Docker, mount this as a volume for persistence across container restarts.

Flag -data-dir Env var CETACEAN_DATA_DIR Default ./data

tls.cert

Path to the PEM-encoded server certificate for TLS termination. Must be paired with tls.key. Required for client certificate authentication (mTLS), optional otherwise.

Flag -tls-cert Env var CETACEAN_TLS_CERT

tls.key

Path to the PEM-encoded private key matching tls.cert.

Flag -tls-key Env var CETACEAN_TLS_KEY

config

Path to an optional TOML configuration file. All settings in this file can also be set via flags or environment variables. See Config File for the format.

Flag -config Env var CETACEAN_CONFIG

Note: TLS cert and key must be set together or not at all. Required for cert auth mode (mTLS), optional otherwise.

Authentication and Authorization Settings

auth.mode

Authentication provider to use. One of none (anonymous access), oidc (OpenID Connect), tailscale (Tailscale identity), cert (mTLS client certificates), or headers (trusted reverse proxy headers). Only one mode can be active at a time. See Authentication for detailed guides.

Flag -auth-mode Env var CETACEAN_AUTH_MODE Default none

OIDC

auth.oidc.issuer required

Base URL of the OpenID Connect identity provider (e.g., https://accounts.google.com or https://keycloak.example.com/realms/myorg). Must support OIDC Discovery at /.well-known/openid-configuration.

Flag -auth-oidc-issuer Env var CETACEAN_AUTH_OIDC_ISSUER

auth.oidc.client_id required

OAuth 2.0 client ID registered with the identity provider for Cetacean.

Flag -auth-oidc-client-id Env var CETACEAN_AUTH_OIDC_CLIENT_ID

auth.oidc.client_secret required

OAuth 2.0 client secret for the registered client. Use the _FILE suffix to read from a Docker secret or mounted file.

Flag -auth-oidc-client-secret Env var CETACEAN_AUTH_OIDC_CLIENT_SECRET

auth.oidc.redirect_url required

URL the identity provider redirects to after authentication (e.g., https://cetacean.example.com/auth/callback). Must use HTTPS in production; http://localhost and http://127.0.0.1 are allowed for local development.

Flag -auth-oidc-redirect-url Env var CETACEAN_AUTH_OIDC_REDIRECT_URL

auth.oidc.scopes

Comma-separated list of OAuth 2.0 scopes to request from the identity provider. The defaults provide user identity, display name, and email. Add provider-specific scopes here if you need additional claims (e.g., group membership).

Flag -auth-oidc-scopes Env var CETACEAN_AUTH_OIDC_SCOPES Default openid,profile,email

auth.oidc.session_key

Hex-encoded 32-byte HMAC key used to sign browser session cookies. When unset, a random key is generated at startup — restarting the process invalidates all sessions. Set a fixed value for session persistence across restarts. Generate one with openssl rand -hex 32.

Flag -auth-oidc-session-key Env var CETACEAN_AUTH_OIDC_SESSION_KEY Default random

Tailscale

auth.tailscale.mode

How Cetacean connects to Tailscale. local queries the host’s Tailscale daemon (requires Tailscale installed on the host). tsnet embeds a Tailscale node directly inside the process (no host-level Tailscale needed, ideal for containers). See Authentication — Tailscale for a detailed comparison.

Flag -auth-tailscale-mode Env var CETACEAN_AUTH_TAILSCALE_MODE Default local

auth.tailscale.authkey

Tailscale auth key for automatic node enrollment. Only required in tsnet mode. Generate one in the Tailscale admin console under Settings → Keys. Use the _FILE suffix to read from a Docker secret.

Flag -auth-tailscale-authkey Env var CETACEAN_AUTH_TAILSCALE_AUTHKEY

auth.tailscale.hostname

The hostname the embedded Tailscale node registers as on the tailnet (tsnet mode only). The dashboard will be accessible at http://cetacean.<tailnet-name>.ts.net.

Flag -auth-tailscale-hostname Env var CETACEAN_AUTH_TAILSCALE_HOSTNAME Default cetacean

auth.tailscale.state_dir

Directory for persisting tsnet node state (keys, registration). Mount this as a volume in Docker to avoid re-enrolling the node on every restart.

Flag -auth-tailscale-state-dir Env var CETACEAN_AUTH_TAILSCALE_STATE_DIR

auth.tailscale.capability

Tailscale ACL capability key used to map tailnet users to application groups (e.g., example.com/cap/cetacean). When set, Cetacean reads group grants from Tailscale’s CapMap and populates the identity’s groups array for authorization.

Flag -auth-tailscale-capability Env var CETACEAN_AUTH_TAILSCALE_CAPABILITY

Client Certificates

auth.cert.ca required

Path to a PEM-encoded CA certificate bundle. Client certificates must be signed by one of the CAs in this bundle to be accepted. Supports certificate chains and multiple CAs in a single file.

Flag -auth-cert-ca Env var CETACEAN_AUTH_CERT_CA

Note: Requires -tls-cert and -tls-key to be set (mTLS needs TLS termination at Cetacean).

Trusted Proxy Headers

auth.headers.subject required

Name of the HTTP header containing the authenticated user’s unique identifier (e.g., X-Remote-User). This becomes the subject in the identity and is used for authorization audience matching.

Flag -auth-headers-subject Env var CETACEAN_AUTH_HEADERS_SUBJECT

auth.headers.name

Name of the HTTP header containing the user’s display name (e.g., X-Remote-Name). Shown in the dashboard’s user badge.

Flag -auth-headers-name Env var CETACEAN_AUTH_HEADERS_NAME

auth.headers.email

Name of the HTTP header containing the user’s email address (e.g., X-Remote-Email). Used for authorization audience matching alongside the subject.

Flag -auth-headers-email Env var CETACEAN_AUTH_HEADERS_EMAIL

auth.headers.groups

Name of the HTTP header containing the user’s group memberships as a comma-separated list (e.g., X-Remote-Groups). Groups are used for authorization audience matching.

Flag -auth-headers-groups Env var CETACEAN_AUTH_HEADERS_GROUPS

auth.headers.secret_header

Name of an HTTP header that must carry a shared secret for the request to be accepted. Provides an additional layer of protection beyond IP-based server.trusted_proxies — the proxy must include this header with the correct value on every request.

Flag -auth-headers-secret-header Env var CETACEAN_AUTH_HEADERS_SECRET_HEADER

auth.headers.secret_value

The expected value of the shared secret header. Required when auth.headers.secret_header is set. Use the _FILE suffix to read from a Docker secret.

Flag -auth-headers-secret-value Env var CETACEAN_AUTH_HEADERS_SECRET_VALUE

auth.headers.trusted_proxies deprecated

Use server.trusted_proxies instead. This setting will be removed in v1.

Flag -auth-headers-trusted-proxies Env var CETACEAN_AUTH_HEADERS_TRUSTED_PROXIES

Note: trusted_proxies is always required. The shared secret is optional, additional protection.

See Authentication for detailed usage guides, flow diagrams, and deployment examples.

Config File

Pass a TOML file via -config or CETACEAN_CONFIG. Every field is optional — omitting a key uses the default.

cetacean -config /etc/cetacean/config.toml

See config.reference.toml for a complete reference with all options, defaults, and descriptions. Copy it as a starting point and uncomment what you need.

Subcommands

cetacean                  Start the server
cetacean healthcheck      Exit 0 if ready, 1 otherwise (for Docker HEALTHCHECK)

Snapshots

Cetacean saves all cached swarm state to ${data_dir}/snapshot.json after every sync. On startup, it loads the snapshot to serve stale-but-fast data while the live sync catches up. Writes are crash-safe.

Health Checks

Two meta endpoints, exempt from authentication and content negotiation:

Endpoint	Behavior	Use for
`GET /-/health`	Always 200 if the process is running	Uptime monitoring, restart policies
`GET /-/ready`	200 after the first Docker sync; 503 until then	Load balancers, `depends_on` gating

The binary includes a cetacean healthcheck subcommand (used by the built-in Docker HEALTHCHECK).

Operations Level

The operations_level setting controls which write operations are available. The default is 1. Requests above the configured level receive 403 Forbidden. Each level includes everything below it.

Operation	0 Read-only	1 Operational	2 Configuration	3 Impactful
Browse all resources	✔	✔	✔	✔
Scale, restart, rollback, update image	—	✔	✔	✔
Edit service definitions (env, resources, ports, placement, etc.)	—	—	✔	✔
Create/edit configs, secrets, plugins	—	—	✔	✔
Edit swarm settings (raft, orchestration, dispatcher)	—	—	✔	✔
Delete resources, change node availability/role	—	—	—	✔
Change service/endpoint mode, remove nodes/stacks	—	—	—	✔
Manage CA, encryption, rotate tokens, unlock swarm	—	—	—	✔

When combined with ACL, both checks must pass — operations level is the global ceiling, ACL controls per-user scope.

Profiling

When pprof is enabled, standard Go profiling endpoints are available at /debug/pprof/:

go tool pprof http://localhost:9000/debug/pprof/profile   # 30s CPU profile
go tool pprof http://localhost:9000/debug/pprof/heap       # heap snapshot

Edit this page on GitHub