Skip to content
🐋Cetacean

Configuration

Cetacean can be configured through CLI flags, environment variables, or a TOML config file. When the same setting is specified in multiple places, the precedence order is:
flag > env var > config file > default.

Sensitive settings (secrets, keys) also accept a _FILE suffix on their env var to read the secret from that file at startup. The _FILE variant has lower precedence than the direct env var.

General Settings

server.listen_addr

Address and port the HTTP server binds to. Use 0.0.0.0:9000 to listen on all interfaces, or 127.0.0.1:9000 to restrict to localhost.

Flag-listenEnv varCETACEAN_LISTEN_ADDRDefault:9000
server.base_path

URL prefix for hosting Cetacean under a sub-path behind a reverse proxy (e.g., /cetacean serves the dashboard at https://example.com/cetacean/). Leave unset when Cetacean owns the root path.

Flag-base-pathEnv varCETACEAN_BASE_PATH
docker.host

Docker Engine API endpoint. Supports Unix sockets (unix:///path), TCP (tcp://host:port), and SSH (ssh://user@host).

Flag-docker-hostEnv varCETACEAN_DOCKER_HOSTDefaultunix:///var/run/docker.sock
prometheus.url

Base URL of a Prometheus server (e.g., http://prometheus:9090). When set, Cetacean proxies metric queries and enables resource usage charts, sizing recommendations, and the metrics stream. When unset, all metric-dependent features are disabled.

Flag-prometheus-urlEnv varCETACEAN_PROMETHEUS_URL
logging.level

Minimum log severity. One of debug, info, warn, or error.

Flag-log-levelEnv varCETACEAN_LOG_LEVELDefaultinfo
logging.format

Log output format. json produces structured, machine-readable lines. text produces human-friendly console output.

Flag-log-formatEnv varCETACEAN_LOG_FORMATDefaultjson
server.pprof

Expose Go runtime profiling endpoints at /debug/pprof/. Useful for diagnosing CPU, memory, and goroutine issues in production. Should be disabled unless actively profiling.

Flag-pprofEnv varCETACEAN_PPROFDefaultfalse
server.self_metrics

Expose a Prometheus-compatible metrics endpoint at /-/metrics with internal counters for SSE connections, cache operations, and HTTP request latency.

Flag-self-metricsEnv varCETACEAN_SELF_METRICSDefaulttrue
server.recommendations

Enable the recommendation engine, which periodically analyzes swarm state and Prometheus metrics to surface suggestions (resource sizing, missing health checks, operational issues). See Recommendations for details.

Flag-recommendationsEnv varCETACEAN_RECOMMENDATIONSDefaulttrue
server.operations_level

Controls which write operations the dashboard exposes. 0 is fully read-only, 1 allows operational actions (scale, restart, rollback), 2 adds service configuration edits, and 3 enables destructive operations like node removal. See Operations Level for the full breakdown.

Flag-operations-levelEnv varCETACEAN_OPERATIONS_LEVELDefault1
server.sse.batch_interval

How long the SSE broadcaster waits to batch multiple change events into a single push. Lower values reduce UI update latency; higher values reduce network overhead when many resources change at once. Accepts any Go duration string (e.g., 50ms, 1s).

Flag-sse-batch-intervalEnv varCETACEAN_SSE_BATCH_INTERVALDefault100ms
server.cors.origins

Origins allowed to make cross-origin requests to the API. Comma-separated list of origins (e.g., https://admin.example.com) or * to allow all. When unset, CORS headers are not sent and cross-origin requests from browsers are blocked.

Flag-cors-originsEnv varCETACEAN_CORS_ORIGINS
server.trusted_proxies

IP addresses or CIDR ranges of reverse proxies whose X-Forwarded-For headers should be trusted for determining the real client IP (e.g., 10.0.0.0/8,172.16.0.0/12). Required for header-based authentication. When unset, all requests are treated as direct connections.

Flag-trusted-proxiesEnv varCETACEAN_TRUSTED_PROXIES
storage.snapshot

Persist swarm state to disk after every sync. On restart, Cetacean loads the snapshot to serve data immediately while the live sync catches up, avoiding a blank dashboard during startup.

Flag-snapshotEnv varCETACEAN_SNAPSHOTDefaulttrue
storage.data_dir

Directory where the snapshot file (snapshot.json) is stored. Must be writable by the Cetacean process. In Docker, mount this as a volume for persistence across container restarts.

Flag-data-dirEnv varCETACEAN_DATA_DIRDefault./data
tls.cert

Path to the PEM-encoded server certificate for TLS termination. Must be paired with tls.key. Required for client certificate authentication (mTLS), optional otherwise.

Flag-tls-certEnv varCETACEAN_TLS_CERT
tls.key

Path to the PEM-encoded private key matching tls.cert.

Flag-tls-keyEnv varCETACEAN_TLS_KEY
config

Path to an optional TOML configuration file. All settings in this file can also be set via flags or environment variables. See Config File for the format.

Flag-configEnv varCETACEAN_CONFIG

Note: TLS cert and key must be set together or not at all. Required for cert auth mode (mTLS), optional otherwise.

Authentication and Authorization Settings

auth.mode

Authentication provider to use. One of none (anonymous access), oidc (OpenID Connect), tailscale (Tailscale identity), cert (mTLS client certificates), or headers (trusted reverse proxy headers). Only one mode can be active at a time. See Authentication for detailed guides.

Flag-auth-modeEnv varCETACEAN_AUTH_MODEDefaultnone

OIDC

auth.oidc.issuerrequired

Base URL of the OpenID Connect identity provider (e.g., https://accounts.google.com or https://keycloak.example.com/realms/myorg). Must support OIDC Discovery at /.well-known/openid-configuration.

Flag-auth-oidc-issuerEnv varCETACEAN_AUTH_OIDC_ISSUER
auth.oidc.client_idrequired

OAuth 2.0 client ID registered with the identity provider for Cetacean.

Flag-auth-oidc-client-idEnv varCETACEAN_AUTH_OIDC_CLIENT_ID
auth.oidc.client_secretrequired

OAuth 2.0 client secret for the registered client. Use the _FILE suffix to read from a Docker secret or mounted file.

Flag-auth-oidc-client-secretEnv varCETACEAN_AUTH_OIDC_CLIENT_SECRET
auth.oidc.redirect_urlrequired

URL the identity provider redirects to after authentication (e.g., https://cetacean.example.com/auth/callback). Must use HTTPS in production; http://localhost and http://127.0.0.1 are allowed for local development.

Flag-auth-oidc-redirect-urlEnv varCETACEAN_AUTH_OIDC_REDIRECT_URL
auth.oidc.scopes

Comma-separated list of OAuth 2.0 scopes to request from the identity provider. The defaults provide user identity, display name, and email. Add provider-specific scopes here if you need additional claims (e.g., group membership).

Flag-auth-oidc-scopesEnv varCETACEAN_AUTH_OIDC_SCOPESDefaultopenid,profile,email
auth.oidc.session_key

Hex-encoded 32-byte HMAC key used to sign browser session cookies. When unset, a random key is generated at startup — restarting the process invalidates all sessions. Set a fixed value for session persistence across restarts. Generate one with openssl rand -hex 32.

Flag-auth-oidc-session-keyEnv varCETACEAN_AUTH_OIDC_SESSION_KEYDefaultrandom

Tailscale

auth.tailscale.mode

How Cetacean connects to Tailscale. local queries the host’s Tailscale daemon (requires Tailscale installed on the host). tsnet embeds a Tailscale node directly inside the process (no host-level Tailscale needed, ideal for containers). See Authentication — Tailscale for a detailed comparison.

Flag-auth-tailscale-modeEnv varCETACEAN_AUTH_TAILSCALE_MODEDefaultlocal
auth.tailscale.authkey

Tailscale auth key for automatic node enrollment. Only required in tsnet mode. Generate one in the Tailscale admin console under Settings → Keys. Use the _FILE suffix to read from a Docker secret.

Flag-auth-tailscale-authkeyEnv varCETACEAN_AUTH_TAILSCALE_AUTHKEY
auth.tailscale.hostname

The hostname the embedded Tailscale node registers as on the tailnet (tsnet mode only). The dashboard will be accessible at http://cetacean.<tailnet-name>.ts.net.

Flag-auth-tailscale-hostnameEnv varCETACEAN_AUTH_TAILSCALE_HOSTNAMEDefaultcetacean
auth.tailscale.state_dir

Directory for persisting tsnet node state (keys, registration). Mount this as a volume in Docker to avoid re-enrolling the node on every restart.

Flag-auth-tailscale-state-dirEnv varCETACEAN_AUTH_TAILSCALE_STATE_DIR
auth.tailscale.capability

Tailscale ACL capability key used to map tailnet users to application groups (e.g., example.com/cap/cetacean). When set, Cetacean reads group grants from Tailscale’s CapMap and populates the identity’s groups array for authorization.

Flag-auth-tailscale-capabilityEnv varCETACEAN_AUTH_TAILSCALE_CAPABILITY

Client Certificates

auth.cert.carequired

Path to a PEM-encoded CA certificate bundle. Client certificates must be signed by one of the CAs in this bundle to be accepted. Supports certificate chains and multiple CAs in a single file.

Flag-auth-cert-caEnv varCETACEAN_AUTH_CERT_CA

Note: Requires -tls-cert and -tls-key to be set (mTLS needs TLS termination at Cetacean).

Trusted Proxy Headers

auth.headers.subjectrequired

Name of the HTTP header containing the authenticated user’s unique identifier (e.g., X-Remote-User). This becomes the subject in the identity and is used for authorization audience matching.

Flag-auth-headers-subjectEnv varCETACEAN_AUTH_HEADERS_SUBJECT
auth.headers.name

Name of the HTTP header containing the user’s display name (e.g., X-Remote-Name). Shown in the dashboard’s user badge.

Flag-auth-headers-nameEnv varCETACEAN_AUTH_HEADERS_NAME
auth.headers.email

Name of the HTTP header containing the user’s email address (e.g., X-Remote-Email). Used for authorization audience matching alongside the subject.

Flag-auth-headers-emailEnv varCETACEAN_AUTH_HEADERS_EMAIL
auth.headers.groups

Name of the HTTP header containing the user’s group memberships as a comma-separated list (e.g., X-Remote-Groups). Groups are used for authorization audience matching.

Flag-auth-headers-groupsEnv varCETACEAN_AUTH_HEADERS_GROUPS
auth.headers.secret_header

Name of an HTTP header that must carry a shared secret for the request to be accepted. Provides an additional layer of protection beyond IP-based server.trusted_proxies — the proxy must include this header with the correct value on every request.

Flag-auth-headers-secret-headerEnv varCETACEAN_AUTH_HEADERS_SECRET_HEADER
auth.headers.secret_value

The expected value of the shared secret header. Required when auth.headers.secret_header is set. Use the _FILE suffix to read from a Docker secret.

Flag-auth-headers-secret-valueEnv varCETACEAN_AUTH_HEADERS_SECRET_VALUE
auth.headers.trusted_proxiesdeprecated

Use server.trusted_proxies instead. This setting will be removed in v1.

Flag-auth-headers-trusted-proxiesEnv varCETACEAN_AUTH_HEADERS_TRUSTED_PROXIES

Note: trusted_proxies is always required. The shared secret is optional, additional protection.

See Authentication for detailed usage guides, flow diagrams, and deployment examples.

Config File

Pass a TOML file via -config or CETACEAN_CONFIG. Every field is optional — omitting a key uses the default.

cetacean -config /etc/cetacean/config.toml

See config.reference.toml for a complete reference with all options, defaults, and descriptions. Copy it as a starting point and uncomment what you need.

Subcommands

cetacean                  Start the server
cetacean healthcheck      Exit 0 if ready, 1 otherwise (for Docker HEALTHCHECK)

Snapshots

Cetacean saves all cached swarm state to ${data_dir}/snapshot.json after every sync. On startup, it loads the snapshot to serve stale-but-fast data while the live sync catches up. Writes are crash-safe.

Health Checks

Two meta endpoints, exempt from authentication and content negotiation:

EndpointBehaviorUse for
GET /-/healthAlways 200 if the process is runningUptime monitoring, restart policies
GET /-/ready200 after the first Docker sync; 503 until thenLoad balancers, depends_on gating

The binary includes a cetacean healthcheck subcommand (used by the built-in Docker HEALTHCHECK).

Operations Level

The operations_level setting controls which write operations are available. The default is 1. Requests above the configured level receive 403 Forbidden. Each level includes everything below it.

Operation0 Read-only1 Operational2 Configuration3 Impactful
Browse all resources
Scale, restart, rollback, update image
Edit service definitions (env, resources, ports, placement, etc.)
Create/edit configs, secrets, plugins
Edit swarm settings (raft, orchestration, dispatcher)
Delete resources, change node availability/role
Change service/endpoint mode, remove nodes/stacks
Manage CA, encryption, rotate tokens, unlock swarm

When combined with ACL, both checks must pass — operations level is the global ceiling, ACL controls per-user scope.

Profiling

When pprof is enabled, standard Go profiling endpoints are available at /debug/pprof/:

go tool pprof http://localhost:9000/debug/pprof/profile   # 30s CPU profile
go tool pprof http://localhost:9000/debug/pprof/heap       # heap snapshot