Configuration Reference
All configuration starts with environment variables. Many settings can also be changed at runtime via the admin panel — database overrides take precedence over env vars.
Run rstash env to generate a documented .env template:
rstash env > .envServer
| Variable | Default | Description |
|---|---|---|
RSTASH_ADDR | :8080 | Listen address (host:port) |
RSTASH_BASE_URL | http://localhost:8080 | Public-facing URL of the server |
RSTASH_LOG_LEVEL | info | Log level: debug, info, warn, error |
RSTASH_LOG_FILE | (none) | Path to log file (empty = stderr only) |
RSTASH_BASE_URL is important — it’s used in WebFinger responses and OAuth redirects. Set it to your actual public URL in production.
Database
| Variable | Default | Description |
|---|---|---|
RSTASH_DB | sqlite:rstash.db | Metadata database DSN |
RSTASH_BLOB | sqlite:rstash-blobs.db | Blob store DSN |
Both support these DSN prefixes:
sqlite:path— SQLite (default, no external dependencies)postgres:connection-string— PostgreSQLmysql:dsn— MySQL / MariaDBmssql:dsn— SQL Server
The blob store also supports:
fs:/path/to/directory— stores files on disk instead of in a databases3:bucket?region=us-east-1— S3-compatible object storage (AWS, DigitalOcean Spaces, MinIO, etc.)
TLS
| Variable | Default | Description |
|---|---|---|
RSTASH_TLS_MODE | (auto-detect) | TLS mode: off, manual, auto |
RSTASH_TLS_CERT | Path to TLS certificate file | |
RSTASH_TLS_KEY | Path to TLS private key file | |
RSTASH_TLS_CACHE | ./certs | Autocert certificate cache directory |
When RSTASH_TLS_MODE is empty, rstash auto-detects:
- If
RSTASH_TLS_CERTandRSTASH_TLS_KEYare set →manualmode - Otherwise → TLS disabled
Set RSTASH_TLS_MODE=auto for automatic HTTPS via Let’s Encrypt. Your RSTASH_BASE_URL must use a real domain and port 443 must be reachable.
Runtime Settings
The following settings have sensible defaults and can be changed at any time through the admin panel (Settings page). Changes take effect immediately without restarting the server.
- Registration mode —
closed(default),open, orapproval - Rate limiting — per-IP requests per second (default: 10 req/sec, burst 20)
- Storage quotas — off, global total (default: 50 GB), or per-user
- Max upload size — per-request limit (default: 50 MB)
- OAuth token lifetime — how long tokens last (default: 30 days)
- Refresh tokens — enabled/disabled and lifetime
- Metrics — public, admin-only, or off
- Legal pages — terms of service and privacy policy (built-in text, custom URL, or off)
- Blocked MIME types — content type filtering for uploads
- Public writes — whether unauthenticated writes to public paths are allowed
Example Production Config
export RSTASH_ADDR=":443"
export RSTASH_BASE_URL="https://storage.example.com"
export RSTASH_DB="postgres:host=localhost dbname=rstash sslmode=disable"
export RSTASH_BLOB="fs:/var/lib/rstash/blobs"
export RSTASH_TLS_MODE="auto"
rstash