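# ─────────────────────────────────────────────────────────────────────────────
# Environment settings for the IB Gateway container and the FastAPI application.
# Every credential below is a placeholder: replace it before first start, keep
# the filled-in copy out of version control, and make it readable only by the
# deploying user (for example chmod 600).
# Comments sit on their own lines because some env-file loaders treat text
# after a value as part of the value.
# ─────────────────────────────────────────────────────────────────────────────

# ─────────────────────────────────────────────────────────────────────────────
# IB Gateway (gnzsnz/ib-gateway:stable)
# ─────────────────────────────────────────────────────────────────────────────
# Brokerage login. Anyone who can read this file can log in to the account.
# NOTE(review): if the gateway image offers file-based secrets, prefer them
# over plain values here; check the image README.
TWS_USERID=your_ibkr_username
TWS_PASSWORD=your_ibkr_password
# paper | live
# Keep paper until the whole chain has been tested; IBKR_PORT below must match.
TRADING_MODE=paper
# Password for the gateway's VNC session, which shows the logged-in gateway GUI.
# Use a unique value and do not publish the VNC port beyond the trusted network.
VNC_SERVER_PASSWORD=your_vnc_password
# restart | exit
TWOFA_TIMEOUT_ACTION=restart
# The value contains a space; keep it on one line exactly in this form.
AUTO_RESTART_TIME=11:59 PM
RELOGIN_AFTER_2FA_TIMEOUT=yes
# e.g. America/New_York, Europe/London
TIME_ZONE=Europe/Istanbul

# ─────────────────────────────────────────────────────────────────────────────
# FastAPI Application
# ─────────────────────────────────────────────────────────────────────────────
# Docker service name; use 127.0.0.1 for local
IBKR_HOST=ib-gateway
# paper=4002, live=4001 (must agree with TRADING_MODE above)
IBKR_PORT=4002
IBKR_CLIENT_ID=1
# Generate with: openssl rand -hex 32
# /webhook is always public (see UI Authentication below), so this secret is
# presumably the only check on incoming webhook requests; confirm in the
# application code. The placeholder text is publicly known and must be replaced.
WEBHOOK_SECRET=change_this_to_a_strong_random_secret
DB_PATH=/app/trades.db

# ─────────────────────────────────────────────────────────────────────────────
# Risk Management
# ─────────────────────────────────────────────────────────────────────────────
# NOTE(review): units are not stated here; presumably account currency for the
# two monetary limits and a count for MAX_POSITIONS. Confirm before live use.
MAX_DAILY_LOSS=500.0
MAX_POSITIONS=5
MAX_ORDER_VALUE=10000.0

# ─────────────────────────────────────────────────────────────────────────────
# UI Authentication (HTTP Basic Auth — opt-in)
# Leave both unset to disable auth (trusted network / Tailscale only)
# Set both to enable auth on all UI pages (/, /scanner, /tradelog, /portfolio)
# /health and /webhook are always public regardless of this setting
#
# With auth disabled, anyone who can reach the host can open the UI pages.
# HTTP Basic credentials are sent with every request and are only
# base64-encoded, so enable this only behind HTTPS
# (TRAEFIK_ENTRYPOINT=websecure).
# ─────────────────────────────────────────────────────────────────────────────
# UI_USERNAME=admin
# UI_PASSWORD=change_this_strong_password

# ─────────────────────────────────────────────────────────────────────────────
# Traefik (external reverse proxy — must be running as a separate stack)
# ─────────────────────────────────────────────────────────────────────────────
# External Docker network Traefik is attached to
TRAEFIK_NETWORK=traefik-public
# Hostname Traefik routes on (your Tailscale FQDN)
TRAEFIK_HOST=ibkr.your-tailnet.ts.net
# Traefik entrypoint name (websecure=HTTPS, web=HTTP)
# web would carry UI credentials and webhook requests unencrypted.
TRAEFIK_ENTRYPOINT=websecure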