Configuration Reference

Complete reference for all Labelgate configuration options.

Every config file key maps directly to an environment variable:

1. Replace dots (.) with underscores (_)
2. Uppercase all letters
3. Add the LABELGATE_ prefix

| Config File | Environment Variable |
| --- | --- |
| log_level | LABELGATE_LOG_LEVEL |
| docker.endpoint | LABELGATE_DOCKER_ENDPOINT |
| sync.remove_delay | LABELGATE_SYNC_REMOVE_DELAY |
| api.base_path | LABELGATE_API_BASE_PATH |

Environment variables always take priority over config file values.

| Environment Variable | Config File Path | Default | Description |
| --- | --- | --- | --- |
| LABELGATE_LABEL_PREFIX | label_prefix | labelgate | Label prefix for container labels |
| LABELGATE_LOG_LEVEL | log_level | info | Log level: debug, info, warn, error |
| LABELGATE_LOG_FORMAT | log_format | text | Log format: json, text |
| LABELGATE_MODE | mode | main | Run mode: main or agent |
| LABELGATE_DEFAULT_TUNNEL | default_tunnel | default | Default tunnel name |

| Environment Variable | Config File Path | Default | Description |
| --- | --- | --- | --- |
| LABELGATE_DOCKER_ENDPOINT | docker.endpoint | unix:///var/run/docker.sock | Docker daemon endpoint |
| LABELGATE_DOCKER_POLL_INTERVAL | docker.poll_interval | 2m | Fallback polling interval |
| LABELGATE_DOCKER_FILTER_LABEL | docker.filter_label | - | Only watch containers with this label |
| LABELGATE_DOCKER_SSH_KEY | docker.ssh.key | - | SSH private key path (for ssh:// endpoints) |
| LABELGATE_DOCKER_SSH_KEY_PASSPHRASE | docker.ssh.key_passphrase | - | SSH key passphrase |
| LABELGATE_DOCKER_SSH_KNOWN_HOSTS | docker.ssh.known_hosts | - | SSH known hosts file |
| LABELGATE_DOCKER_TLS_CA | docker.tls.ca | - | TLS CA certificate (for tcp:// with TLS) |
| LABELGATE_DOCKER_TLS_CERT | docker.tls.cert | - | TLS client certificate |
| LABELGATE_DOCKER_TLS_KEY | docker.tls.key | - | TLS client key |

| Environment Variable | Config File Path | Default | Description |
| --- | --- | --- | --- |
| LABELGATE_CLOUDFLARE_API_TOKEN | cloudflare.api_token | - | Default API token (required) |
| LABELGATE_CLOUDFLARE_ACCOUNT_ID | cloudflare.account_id | - | Cloudflare Account ID |
| LABELGATE_CLOUDFLARE_TUNNEL_ID | cloudflare.tunnel_id | - | Default Tunnel ID |

The TUNNEL_TOKEN used by cloudflared to establish the tunnel connection is not a Labelgate configuration. It is configured directly on the cloudflared service. See cloudflared Setup for details.
By default, Labelgate does not delete Cloudflare resources when a container stops. To enable deletion, set cleanup: "true" on each service label (see DNS Labels, Tunnel Labels). Resources are then scheduled for deletion after remove_delay.

| Environment Variable | Config File Path | Default | Description |
| --- | --- | --- | --- |
| LABELGATE_SYNC_INTERVAL | sync.interval | 1h | Periodic reconciliation interval |
| LABELGATE_SYNC_REMOVE_DELAY | sync.remove_delay | 30m | Delay before deleting resources when cleanup=true |
| LABELGATE_SYNC_ORPHAN_TTL | sync.orphan_ttl | 0 | Auto-remove DB records for orphaned resources (0 = never) |

| Environment Variable | Config File Path | Default | Description |
| --- | --- | --- | --- |
| LABELGATE_DB_PATH | db.path | /app/config/labelgate.db | SQLite database path |

| Environment Variable | Config File Path | Default | Description |
| --- | --- | --- | --- |
| LABELGATE_API_ENABLED | api.enabled | true | Enable HTTP API server |
| LABELGATE_API_ADDRESS | api.address | :8080 | Listen address |
| LABELGATE_API_BASE_PATH | api.base_path | /api | API base path |
| LABELGATE_API_TOKEN | api.token | - | Bearer token for API authentication (disabled if empty) |

| Environment Variable | Config File Path | Default | Description |
| --- | --- | --- | --- |
| LABELGATE_RETRY_ATTEMPTS | retry.attempts | 3 | Maximum retry attempts |
| LABELGATE_RETRY_DELAY | retry.delay | 1s | Initial retry delay |
| LABELGATE_RETRY_MAX_DELAY | retry.max_delay | 30s | Maximum retry delay |
| LABELGATE_RETRY_BACKOFF | retry.backoff | 2 | Retry backoff multiplier |

| Environment Variable | Config File Path | Default | Description |
| --- | --- | --- | --- |
| LABELGATE_AGENT_ENABLED | agent.enabled | false | Enable agent WebSocket server |
| LABELGATE_AGENT_LISTEN | agent.listen | :8081 | Agent server listen address |
| LABELGATE_AGENT_ACCEPT_TOKEN | agent.accept_token | - | Shared token to accept any agent |
| LABELGATE_AGENT_TLS_CA | agent.tls.ca | - | TLS CA certificate |
| LABELGATE_AGENT_TLS_CERT | agent.tls.cert | - | TLS certificate for agent server |
| LABELGATE_AGENT_TLS_KEY | agent.tls.key | - | TLS key for agent server |

| Environment Variable | Config File Path | Default | Description |
| --- | --- | --- | --- |
| LABELGATE_CONNECT_MODE | connect.mode | outbound | Connection mode: outbound or inbound |
| LABELGATE_CONNECT_ENDPOINT | connect.endpoint | - | Main instance WebSocket URL (outbound) |
| LABELGATE_CONNECT_LISTEN | connect.listen | - | Listen address (inbound) |
| LABELGATE_CONNECT_TOKEN | connect.token | - | Authentication token |
| LABELGATE_CONNECT_AGENT_ID | connect.agent_id | Auto from /etc/machine-id | Agent identifier |
| LABELGATE_CONNECT_HEARTBEAT_INTERVAL | connect.heartbeat_interval | 30s | Heartbeat interval |
| LABELGATE_CONNECT_TLS_CA | connect.tls.ca | - | TLS CA certificate |
| LABELGATE_CONNECT_TLS_CERT | connect.tls.cert | - | TLS client certificate |
| LABELGATE_CONNECT_TLS_KEY | connect.tls.key | - | TLS client key |

| Environment Variable | Config File Path | Default | Description |
| --- | --- | --- | --- |
| LABELGATE_CONFIG | - | - | Path to YAML config file |
| LABELGATE_SKIP_CREDENTIAL_VALIDATION | skip_credential_validation | false | Skip credential check on startup |

For managing multiple Cloudflare accounts or zones with different tokens, use a config file:

```yaml
cloudflare:
  api_token: your-default-token
  credentials:
    personal:
      api_token: your-personal-token
      zones:
        - example.com
        - "*.example.com"
    company:
      api_token: your-company-token
      zones:
        - company.io
        - company.com
  tunnels:
    secondary:
      account_id: your-account-id-2
      tunnel_id: your-tunnel-id-2
      credential: company
```

Secrets should still be passed via environment variables; see Hybrid Mode.

1. Container label specifies credential name (e.g., labelgate.dns.web.credential=company)
2. Automatic zone matching against configured zones patterns
3. Fall back to the default api_token

- Exact match: example.com matches example.com
- Wildcard match: *.example.com matches sub.example.com, api.example.com
- Parent domain match: example.com matches www.example.com (fallback)
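
The resolution order and zone-matching rules above, worked through in Python as an added example (not Labelgate's own code). It assumes the three match types take precedence in the order listed, that wildcard and parent matches apply at any subdomain depth, and that an unknown label credential is rejected; `resolve_credential`, `match_tier` and `TIERS` are hypothetical names.

```python
# Constructed config mirroring the page's sample (token values are placeholders).
CONFIG = {
    "api_token": "your-default-token",
    "credentials": {
        "personal": {"api_token": "your-personal-token",
                     "zones": ["example.com", "*.example.com"]},
        "company": {"api_token": "your-company-token",
                    "zones": ["company.io", "company.com"]},
    },
}
TIERS = ("exact", "wildcard", "parent")  # page order, assumed to be precedence


def match_tier(pattern, hostname):
    """Index into TIERS if pattern covers hostname, else None."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com": dot-anchored, excludes the apex
        return 1 if hostname.endswith(suffix) and len(hostname) > len(suffix) else None
    if hostname == pattern:
        return 0
    # Require the dot so "example.com" never covers "notexample.com".
    return 2 if hostname.endswith("." + pattern) else None


def resolve_credential(hostname, label_credential=None, config=CONFIG):
    """Return (credential_name, reason); "default" means the top-level api_token."""
    creds = config.get("credentials", {})
    if label_credential is not None:  # step 1: explicit container label
        if label_credential not in creds:
            # Assumption: fail closed rather than fall through to another token.
            raise KeyError(f"unknown credential {label_credential!r}")
        return label_credential, "label"
    best = None  # step 2: best zone match across all credentials
    for name, cred in creds.items():
        for pattern in cred.get("zones", []):
            tier = match_tier(pattern, hostname)
            if tier is not None and (best is None or tier < best[0]):
                best = (tier, name)
    if best is not None:
        return best[1], TIERS[best[0]]
    return "default", "fallback"  # step 3: default api_token
```

Running hostnames through this before deployment shows which token each record would be created with, which matters when the default token has broader scope than the per-zone ones.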

```yaml
label_prefix: labelgate
log_level: info
log_format: text
default_tunnel: default

docker:
  endpoint: unix:///var/run/docker.sock
  poll_interval: 2m

cloudflare:
  # Set via LABELGATE_CLOUDFLARE_API_TOKEN environment variable
  api_token: ""
  account_id: ""
  tunnel_id: ""

sync:
  interval: 1h
  remove_delay: 30m

db:
  path: /app/config/labelgate.db

retry:
  attempts: 3
  delay: 1s
  max_delay: 30s
  backoff: 2

api:
  enabled: true
  address: :8080
  base_path: /api
```
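
An added example, not part of Labelgate: a small lint that applies the key-to-variable rule and the environment-over-file priority from this reference, then flags the settings the tables describe as weakening authentication. `audit`, `effective`, `lookup`, `env_name` and the finding strings are hypothetical, and the input dict is constructed from the full example above.

```python
# Constructed input: the security-relevant parts of the page's full example as a
# parsed-YAML dict. Pass the process environment (a dict) as `env`.
FILE_CONFIG = {
    "cloudflare": {"api_token": "", "account_id": "", "tunnel_id": ""},
    "api": {"enabled": True, "address": ":8080", "base_path": "/api"},
}
# Keys the reference documents as tokens or passphrases.
SECRET_KEYS = ("cloudflare.api_token", "api.token", "agent.accept_token",
               "connect.token", "docker.ssh.key_passphrase")


def env_name(key):
    """Page rule: dots -> underscores, uppercase, LABELGATE_ prefix."""
    return "LABELGATE_" + key.replace(".", "_").upper()


def lookup(config, key):
    """Walk a dotted key through nested dicts; None if absent."""
    node = config
    for part in key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def effective(key, config, env, default=None):
    """Environment beats file, file beats default. Returns (value, source)."""
    if env_name(key) in env:
        return env[env_name(key)], "env"
    value = lookup(config, key)
    return (value, "file") if value is not None else (default, "default")


def audit(config, env):
    """Hypothetical lint: flag settings the reference marks as weakening auth."""
    findings = []
    enabled, _ = effective("api.enabled", config, env, True)
    token, _ = effective("api.token", config, env, "")
    if str(enabled).lower() == "true" and not token:
        findings.append("api.token empty: HTTP API authentication is disabled")
    skip, _ = effective("skip_credential_validation", config, env, False)
    if str(skip).lower() == "true":
        findings.append("skip_credential_validation: startup credential check is off")
    for key in SECRET_KEYS:
        value, source = effective(key, config, env)
        if value and source == "file":
            findings.append(f"{key}: secret in config file, use {env_name(key)}")
    return findings
```

Run against the full example with an empty environment, the lint reports the API as unauthenticated, because `api.enabled` defaults to true and no `api.token` is set.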