Configuration Guide¶

This guide covers all configuration options for PenLocal-AI.

Environment Variables¶

The .env file contains all secrets and configuration. It's automatically generated by the installer, but can be customized.

Database Configuration¶

Variable	Default	Description
`POSTGRES_USER`	Generated	PostgreSQL username
`POSTGRES_PASSWORD`	Generated	PostgreSQL password
`POSTGRES_DB`	`n8n`	Default database name

n8n Configuration¶

Variable	Default	Description
`N8N_ENCRYPTION_KEY`	Generated	Workflow encryption key
`N8N_USER_MANAGEMENT_JWT_SECRET`	Generated	JWT signing secret
`N8N_HOST`	`localhost`	Public hostname

Security Keys¶

Variable	Description
`VAULT_MASTER_KEY`	Fernet encryption key for credentials
`VAULT_API_KEY`	Credential vault API key
`MANAGER_BACKEND_MASTER_KEY`	n8n ↔ webapp authentication
`WEBAPP_SECRET_KEY`	Flask session encryption

Service API Keys¶

Variable	Description
`OLLAMA_API_KEY`	Bearer token for Ollama proxy
`QDRANT_API_KEY`	Qdrant authentication key
`MINIO_ROOT_USER`	MinIO admin username
`MINIO_ROOT_PASSWORD`	MinIO admin password

SSH Configuration¶

Variable	Description
`SSH_PASSPHRASE`	Passphrase for SSH keypair

Example .env File¶

# Database
POSTGRES_USER=penlocal_user
POSTGRES_PASSWORD=<generated-32-char>
POSTGRES_DB=n8n

# n8n
N8N_ENCRYPTION_KEY=<generated-32-char>
N8N_USER_MANAGEMENT_JWT_SECRET=<generated-64-char>
N8N_HOST=localhost

# Security Keys
VAULT_MASTER_KEY=<generated-32-char>
VAULT_API_KEY=<generated-32-char>
MANAGER_BACKEND_MASTER_KEY=<generated-32-char>
WEBAPP_SECRET_KEY=<generated-32-char>

# Service Keys
OLLAMA_API_KEY=<generated-32-char>
QDRANT_API_KEY=<generated-32-char>
MINIO_ROOT_USER=minioadmin
MINIO_ROOT_PASSWORD=<generated-32-char>

# SSH
SSH_PASSPHRASE=<generated-16-char>

Docker Compose Profiles¶

Select which services to run:

Profile	Services Included
(none)	Core services without Ollama
`cpu`	Core + Ollama (CPU mode)
`gpu-nvidia`	Core + Ollama (NVIDIA GPU)
`gpu-amd`	Core + Ollama (AMD GPU)

# Run without Ollama
docker compose up -d

# Run with NVIDIA GPU
docker compose --profile gpu-nvidia up -d

# Run with CPU Ollama
docker compose --profile cpu up -d

Admin Settings¶

Configurable via the webapp Admin panel:

Concurrency Settings¶

Setting	Default	Description
Max concurrent per Ollama	2	Parallel tasks per Ollama connection

Security Settings¶

Setting	Default	Description
Allow private IPs	No	SSRF protection toggle
Max upload size	50 MB	Maximum file upload size

User Settings¶

Setting	Description
MFA Required	Force MFA for specific users
Must Change Password	Force password change on next login

Ollama Connection Configuration¶

Add Ollama connections via Profile → Ollama Connections:

Local Ollama (Docker)¶

Field	Value
Name	Local GPU
URL	`https://ollama-proxy:11434`
API Key	Value of `OLLAMA_API_KEY` from `.env`

Remote Ollama¶

Field	Value
Name	Remote Server
URL	`https://your-server.com:11434`
API Key	Your remote API key

Mac Local (host.docker.internal)¶

Field	Value
Name	Mac Local
URL	`http://host.docker.internal:11434`
API Key	(none if no auth configured)

Qdrant Configuration¶

File: qdrant/config.yaml

service:
  enable_tls: true
  api_key: ${QDRANT_API_KEY}  # From environment

tls:
  cert: /qdrant/tls/qdrant.crt
  key: /qdrant/tls/qdrant.key

Nginx Configuration¶

Modify Timeouts¶

Edit nginx/*.conf files:

proxy_connect_timeout 600s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;

Modify Upload Limits¶

client_max_body_size 100M;  # Increase from 50M

Add Custom Headers¶

add_header X-Custom-Header "value";

SSL Certificate Configuration¶

Regenerate Certificates¶

# Remove existing certificates
rm -rf nginx/ssl/*.crt nginx/ssl/*.key

# Restart ssl-cert-generator
docker compose up ssl-cert-generator

Use Custom Certificates¶

Replace files in nginx/ssl/: - n8n.crt / n8n.key - webapp.crt / webapp.key - etc.

Update ca-bundle.crt if using custom CA.

Logging Configuration¶

View Logs¶

# All services
docker compose logs -f

# Specific service
docker compose logs -f pentest-webapp
docker compose logs -f n8n
docker compose logs -f ollama

Log Levels¶

n8n logs can be configured via environment:

environment:
  - N8N_LOG_LEVEL=debug  # info, warn, error, debug

Network Configuration¶

Change Subnets¶

Edit docker-compose.yml:

networks:
  internal-services:
    ipam:
      config:
        - subnet: 10.150.0.0/16

  kali-network:
    ipam:
      config:
        - subnet: 10.151.0.0/16

Change Port Bindings¶

services:
  n8n-proxy:
    ports:
      - "0.0.0.0:443:443"  # Expose to all interfaces
      # or
      - "192.168.1.100:443:443"  # Specific interface

Backup Configuration¶

Database Backup¶

# Backup PostgreSQL
docker compose exec postgres pg_dump -U $POSTGRES_USER pentest_db > backup.sql

# Restore
docker compose exec -T postgres psql -U $POSTGRES_USER pentest_db < backup.sql

Volume Backup¶

# Stop services first
docker compose down

# Backup volumes
docker run --rm -v pentest-agent_postgres_storage:/data -v $(pwd):/backup alpine \
  tar czf /backup/postgres_backup.tar.gz /data

# Repeat for other volumes

Full Backup Script¶

#!/bin/bash
BACKUP_DIR="./backups/$(date +%Y%m%d)"
mkdir -p $BACKUP_DIR

# Stop services
docker compose down

# Backup each volume
for vol in postgres_storage n8n_storage qdrant_storage; do
  docker run --rm \
    -v pentest-agent_${vol}:/data \
    -v ${BACKUP_DIR}:/backup \
    alpine tar czf /backup/${vol}.tar.gz /data
done

# Backup .env
cp .env ${BACKUP_DIR}/

# Restart
docker compose up -d