Environment Variables
All secrets, connection strings, and runtime tuning go in environment variables. Nothing sensitive is committed to git. Each service has a .env.example in its repo root — copy to .env and fill in values.
Common / shared
| Variable | Required | Purpose |
|---|---|---|
| GORDON_DATABASE_URL | Yes | Bootstrap / superuser DSN. Used by gordon-migrate and dev scripts. |
| GORDON_BUS_NATS_URL | Yes | NATS JetStream endpoint. Example: nats://localhost:4222 |
| RUST_LOG | No | Tracing filter. Example: info,gordon=debug |
| RUST_BACKTRACE | No | Enable Rust backtraces. Set 1 in dev. |
gordon-data
Source file: gordon-data/.env.example
| Variable | Required | Purpose |
|---|---|---|
| DATABASE_URL | Yes | Postgres DSN for gordon_data_writer role |
| GORDON_DATA_BIND_ADDR | No | HTTP bind address. Default: 0.0.0.0:8081 |
| GORDON_DATA_LOG_LEVEL | No | Log filter. Default: info |
| GORDON_DATA_BINANCE_API_KEY | No | Read-only Binance key (raises rate limits, enables signed endpoints). Must NOT have withdrawal permission — startup probe aborts if enable_withdrawals=true. |
| GORDON_DATA_BINANCE_API_SECRET | No | Paired secret for the above |
| BINANCE_SPOT_REST_URL | No | Override Binance Spot REST URL. Default: https://api.binance.com |
| BINANCE_SPOT_WS_URL | No | Override Binance Spot WS URL. Default: wss://stream.binance.com:9443 |
| BINANCE_FUTURES_REST_URL | No | Override Binance Futures REST URL. Default: https://fapi.binance.com |
| BINANCE_FUTURES_WS_URL | No | Override Binance Futures WS URL. Default: wss://fstream.binance.com |
| GORDON_DATA_FRED_API_KEY | No | FRED API key. Optional at runtime; required for historical macro backfill CLI. |
| GORDON_DATA_BINANCE_SPOT_SYMBOLS | No | Comma-separated symbols for spot ingest. Example: BTCUSDT,ETHUSDT |
| GORDON_DATA_BINANCE_PERP_SYMBOLS | No | Comma-separated symbols for perp ingest. |
| GORDON_DATA_BINANCE_FUNDING_SYMBOLS | No | Comma-separated symbols for funding rate ingest. |
Read-only Binance keys only
gordon-data is the ONLY service that may hold Binance keys. They must be read-only (no trading, no withdrawal). The startup probe checks /sapi/v1/account/apiRestrictions and aborts if enable_withdrawals=true.
gordon-risk
Source file: gordon-risk/.env.example
| Variable | Required | Purpose |
|---|---|---|
| GORDON_RISK_DATABASE_URL | Yes | Postgres DSN for gordon_risk role |
| GORDON_RISK_BIND_ADDR | No | HTTP bind address. Default: 0.0.0.0:8082 |
| GORDON_RISK_LOG_LEVEL | No | Log filter. Default: info |
| GORDON_RISK_OPERATOR_TOKEN | Yes | Pre-shared token for protected endpoints (POST /emergency-flatten, POST /risk/resume, POST /bots/:id/pause). Fail-closed: returns 503 if unset. |
gordon-risk does NOT hold exchange keys. Trading keys live solely in gordon-executor.
gordon-manager
Source file: gordon-manager/.env.example, .env.dev.example
| Variable | Required | Purpose |
|---|---|---|
| GORDON_MANAGER__DATABASE_URL | Yes | Postgres DSN for gordon_manager role |
| GORDON_MANAGER__BIND_ADDR | No | HTTP bind address. Default: 0.0.0.0:8083 |
| GORDON_MANAGER_LOG_LEVEL | No | Log filter. Default: info |
| GORDON_MANAGER_OPERATOR_TOKEN | Yes | Primary operator token. Browser mutations use this via X-Operator-Token header. Fail-closed. |
| GORDON_MANAGER__RISK_SERVICE_URL | No | gordon-risk URL for BFF proxy. Example: http://gordon-risk:8082 |
| GORDON_MANAGER__DATA_SERVICE_URL | No | gordon-data URL for BFF reads. Example: http://gordon-data:8081 |
| GORDON_MANAGER__GORDON_RISK_OPERATOR_TOKEN | No | Forward token manager uses when proxying operator commands to gordon-risk. |
| GORDON_MANAGER__GORDON_ALERTMANAGER_URL | No | AlertManager URL for GET /bff/alerts/firing. Unset → handler returns 503. |
| GORDON_MANAGER__GORDON_PROMETHEUS_URL | No | Prometheus URL for GET /bff/bots/{bot_id}/metrics-summary. Unset → handler returns 503. |
| GORDON_MANAGER_DOCKER_SOCKET_PATH | No | docker-socket-proxy endpoint. Default: unix:///var/run/docker-socket-proxy/docker.sock |
gordon-bot
Source file: gordon-bot/.env.example
| Variable | Required | Purpose |
|---|---|---|
| GORDON_BOT_ID | Yes | UUIDv7 bot identifier. One unique value per container. |
| GORDON_BOT_DATABASE_URL | Yes | Postgres DSN for gordon_bot role |
| GORDON_DATA_BASE_URL | Yes | gordon-data REST base URL for warmup fallback. |
| GORDON_BUS_NATS_URL | Yes | NATS endpoint for live candle subscription. |
| GORDON_BOT_BIND_ADDR | No | HTTP bind address. Default: 0.0.0.0:8084 (container-internal) |
| GORDON_BOT_LOG_LEVEL | No | Log filter. Default: info |
| GORDON_BOT_STRATEGY | No | Strategy name from StrategyRegistry. Production: a named strategy. E2E: manual. |
| GORDON_BOT_CANDLE_SOURCE | No | data-ws (default) or scripted (e2e fixture replay). |
Banned exchange credentials
gordon-bot startup refuses to start if any of the following env vars are set. Exchange keys belong exclusively to gordon-executor.
BINANCE_API_KEY
BINANCE_API_SECRET
BINANCE_SECRET_KEY
BINANCE_TRADING_API_KEY
BINANCE_TRADING_SECRET_KEY
BINANCE_TESTNET_API_KEY
BINANCE_TESTNET_API_SECRET
BINANCE_TESTNET_SECRET
BINANCE_TESTNET_SECRET_KEY
gordon-executor
Source file: gordon-executor/.env.example, .env.executor.example
| Variable | Required | Purpose |
|---|---|---|
| GORDON_EXECUTOR_DATABASE_URL | Yes | Postgres DSN for gordon_executor role |
| GORDON_EXECUTOR_BIND_ADDR | No | HTTP bind address. Default: 0.0.0.0:8085 |
| GORDON_EXECUTOR_LOG_LEVEL | No | Log filter. Default: info |
| GORDON_EXECUTOR_OPERATOR_TOKEN | Yes | Operator token for POST /clear-quarantine, POST /flatten. Fail-closed. |
| GORDON_EXECUTOR_BREAK_GLASS_TOKEN | No | Break-glass emergency token. Loaded lazily. |
| BINANCE_TESTNET_API_KEY | Yes (testnet) | Trading-capable testnet key. Kept in .env.executor, not the global env. |
| BINANCE_TESTNET_API_SECRET | Yes (testnet) | Paired testnet secret. |
| BINANCE_API_KEY | Yes (prod) | Trading-capable production key. Distinct principal from gordon-data. |
| BINANCE_API_SECRET | Yes (prod) | Paired production secret. |
| BINANCE_TESTNET_REST_URL | No | Testnet REST URL. Default: https://testnet.binancefuture.com |
| BINANCE_TESTNET_WS_URL | No | Testnet WS URL. Default: wss://stream.binancefuture.com |
| GORDON_EXECUTOR_MAX_NOTIONAL_USD_TESTNET | No | Max notional per order on testnet. |
| GORDON_EXECUTOR_MAX_NOTIONAL_USD_PROD | No | Max notional per order on production. |
| GORDON_EXECUTOR_MAX_DAILY_NOTIONAL_USD_PER_BOT | No | Optional per-bot daily cap. Unset = warn-only mode. |
| GORDON_EXECUTOR_MAX_DAILY_NOTIONAL_USD_GLOBAL | No | Optional global daily cap. Unset = warn-only mode. |
Testnet keys must stay out of the global env
BINANCE_TESTNET_API_KEY and BINANCE_TESTNET_API_SECRET must be sourced only to the executor process. Putting them in the global env would trip gordon-bot's banned-credentials check at startup. Use .env.executor (separate file, loaded only by the executor process in Procfile.dev).
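The banned-credentials rule for gordon-bot and the .env.executor split can be checked as below. This is an added example, not code from the gordon repos: parse_dotenv, banned_credentials and bot_startup_check are hypothetical names, the sample files are constructed, and counting an empty value as "set" is an assumption.

```rust
use std::collections::BTreeMap;

/// Names gordon-bot refuses to start with (the list on this page).
const BANNED: [&str; 9] = [
    "BINANCE_API_KEY", "BINANCE_API_SECRET", "BINANCE_SECRET_KEY",
    "BINANCE_TRADING_API_KEY", "BINANCE_TRADING_SECRET_KEY",
    "BINANCE_TESTNET_API_KEY", "BINANCE_TESTNET_API_SECRET",
    "BINANCE_TESTNET_SECRET", "BINANCE_TESTNET_SECRET_KEY",
];

/// Minimal dotenv reader (hypothetical helper): KEY=VALUE, '#' comments, optional `export `.
fn parse_dotenv(text: &str) -> BTreeMap<String, String> {
    text.lines()
        .map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with('#'))
        .filter_map(|l| l.strip_prefix("export ").unwrap_or(l).split_once('='))
        .map(|(k, v)| (k.trim().to_string(), v.trim().trim_matches('"').to_string()))
        .collect()
}

/// Banned names present in `env`. Only names are returned, never values,
/// so the result is safe to log. Assumption: an empty value still counts as set.
fn banned_credentials(env: &BTreeMap<String, String>) -> Vec<&'static str> {
    BANNED.iter().copied().filter(|name| env.contains_key(*name)).collect()
}

/// Startup gate: Err means the process must exit before doing any work.
fn bot_startup_check(env: &BTreeMap<String, String>) -> Result<(), String> {
    let hits = banned_credentials(env);
    if hits.is_empty() {
        return Ok(());
    }
    Err(format!("refusing to start, exchange credentials in env: {}", hits.join(", ")))
}

// Constructed sample files; the key value is a placeholder, not a real credential.
const GLOBAL_ENV_BAD: &str =
    "GORDON_BUS_NATS_URL=nats://localhost:4222\nBINANCE_TESTNET_API_KEY=placeholder\n";
const GLOBAL_ENV_OK: &str =
    "# shared\nGORDON_BUS_NATS_URL=nats://localhost:4222\nRUST_LOG=info,gordon=debug\n";

fn main() {
    let cases = [("testnet key in global env", GLOBAL_ENV_BAD),
                 ("keys only in .env.executor", GLOBAL_ENV_OK)];
    for (label, text) in cases.iter() {
        println!("{}: {:?}", label, bot_startup_check(&parse_dotenv(text)));
    }
}
```

The same check run in CI against the shared .env.example catches a misplaced key before gordon-bot ever refuses to start.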
gordon-console
Source file: gordon-console/.env.example
| Variable | Required | Purpose |
|---|---|---|
| AUTH_SECRET | Yes | JWT cookie encryption key. Generate: openssl rand -base64 32 |
| AUTH_URL | Yes | Public origin for Auth.js callback URL. Example: https://gordon.lab |
| AUTH_TRUST_HOST | Yes | Trust X-Forwarded-* from nginx. Set true in production. |
| AUTH_KANIDM_ISSUER | Yes | Kanidm OIDC issuer URL. Example: https://auth.lepaux.com/oauth2/openid/gordon-console |
| AUTH_KANIDM_CLIENT_ID | Yes | Kanidm OIDC client id. |
| AUTH_KANIDM_CLIENT_SECRET | Yes | Kanidm OIDC client secret. Never in source. |
| GORDON_MANAGER_OPERATOR_TOKEN | Yes | Operator token injected as X-Operator-Token on every BFF mutation forwarded to gordon-manager. Never prefix with NEXT_PUBLIC_. |
| NEXT_PUBLIC_GORDON_MANAGER_URL | No | Browser-side manager URL. Example: http://localhost:8083 |
| NEXT_PUBLIC_GORDON_DATA_URL | No | Browser-side data URL. |
| NEXT_PUBLIC_GORDON_RISK_URL | No | Browser-side risk URL (read-only; writes go through manager BFF). |
| GORDON_MANAGER_WS_INTERNAL_URL | No | Internal WS URL for manager. Example: ws://gordon-manager:8083/ws |
| LOKI_URL | No | Loki URL for the log viewer panel. Blank disables the panel. |
| GORDON_CONSOLE_E2E_INJECT_HEADERS | No | Set true in e2e stack only — registers the Credentials auth provider. Must be false on srv-apps. |
| GORDON_CONSOLE_E2E_AUTH_TOKEN | No | E2e auth secret. E2e only. |
GORDON_CONSOLE_E2E_AUTH_TOKEN | No | E2e auth secret. E2e only. |
gordon-lab
Source file: gordon-lab/.env.example
| Variable | Required | Purpose |
|---|---|---|
| GORDON_DATABASE_URL | Yes | Read-only Postgres DSN using the gordon_lab_reader role. INSERTs are revoked at the DB layer — any write attempt fails with InsufficientPrivilege. |
| FRED_API_KEY | No | FRED API key for macro research scripts. |
Conventions
- .env files are gitignored across all repos. Never commit a populated .env.
- Each service's .env.example is the source of truth for that service's variables.
- Production values are managed via Ansible vault (homelab/ repo). Vault key names follow the pattern vault_gordon_<service>_<var>.
- Operator tokens must be 256-bit random hex secrets in production: openssl rand -hex 32.
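The fail-closed operator-token behaviour and the 256-bit hex rule combine into one gate, sketched here as an added example (not the services' own code). The 503-when-unset result and the X-Operator-Token header are from this page; the 401 on mismatch, treating a malformed configured token as unset, and all function names are assumptions.

```rust
/// Outcome of the operator-token gate, named after the HTTP status returned.
#[derive(Debug, PartialEq)]
enum Gate { Ok200, Unauthorized401, Unavailable503 }

/// True for exactly 64 hex digits, the shape `openssl rand -hex 32` produces.
fn is_256_bit_hex(token: &str) -> bool {
    token.len() == 64 && token.bytes().all(|b| b.is_ascii_hexdigit())
}

/// Byte comparison with no early exit on the first difference.
/// A production service would normally use a vetted crate such as `subtle`.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// `configured` is the env value (None when unset); `presented` is the
/// X-Operator-Token request header (None when absent).
fn operator_gate(configured: Option<&str>, presented: Option<&str>) -> Gate {
    // Fail closed: with no usable secret, nothing a caller sends can succeed.
    // This also stops an empty env value from matching an empty header.
    let secret = match configured {
        Some(s) if is_256_bit_hex(s) => s,
        _ => return Gate::Unavailable503,
    };
    match presented {
        Some(p) if constant_time_eq(p.as_bytes(), secret.as_bytes()) => Gate::Ok200,
        _ => Gate::Unauthorized401, // assumption: the page does not state this status
    }
}

fn main() {
    // Constructed sample token, not a real secret.
    let token = "0123456789abcdef".repeat(4);
    let t = token.as_str();
    println!("unset secret:   {:?}", operator_gate(None, Some(t)));
    println!("empty secret:   {:?}", operator_gate(Some(""), Some("")));
    println!("wrong header:   {:?}", operator_gate(Some(t), Some("wrong")));
    println!("matching token: {:?}", operator_gate(Some(t), Some(t)));
}
```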