Configuration reference
Every Curiosity Workspace runtime knob is exposed as an environment variable with the MSK_ prefix. The same variables work whether you start the container with docker run -e ..., declare them in a docker-compose.yml, set them on a Kubernetes Pod spec, or pass them as --MSK_* command-line flags on a self-hosted binary.
This page lists the variables you'll set most often. Variables not listed here are either rarely needed or internal/experimental.
Treat secrets (MSK_ADMIN_PASSWORD, MSK_LICENSE, MSK_JWT_KEY, MSK_GRAPH_MASTER_KEY, certificate paths) as production credentials: store them in a secret manager, inject them at runtime, and never commit them to source.
Storage and persistence
| Variable | Purpose | Default | Notes |
|---|---|---|---|
| MSK_GRAPH_STORAGE | Path inside the container where the graph database lives | /data/curiosity (recommended) | Mount a persistent volume here. Without it, all data is lost on container restart. |
| MSK_GRAPH_TEMP_FOLDER | Scratch directory for parser/linker workloads | OS temp | Set to a fast local disk if you process many large files. |
| MSK_GRAPH_BACKUP_FOLDER | Where rolling backups are written | unset | Set this to enable scheduled snapshots. See Backup & restore. |
| MSK_GRAPH_JOURNAL_FOLDER | Transaction journal location | alongside MSK_GRAPH_STORAGE | Separate disk improves write throughput for write-heavy ingest. |
| MSK_GRAPH_MASTER_KEY | Master key for encrypted properties at rest | autogenerated on first boot | Provide explicitly in production and back it up — losing it means losing encrypted content. |
Networking and HTTPS
| Variable | Purpose | Default | Notes |
|---|---|---|---|
| MSK_PORT | HTTP listen port | 8080 | Override only if you can't expose 8080 in your platform. |
| MSK_SERVER_ADDRESS | Internal bind address | http://0.0.0.0:8080 | Rarely overridden — let the platform map ports instead. |
| MSK_PUBLIC_ADDRESS | Public-facing URL clients see (https://workspace.example.com) | empty | Set in any deployment behind a reverse proxy or load balancer so generated links use the right hostname. |
| MSK_CERT_FILE | Path to a TLS certificate (PEM) | unset | Set to terminate TLS inside the container; otherwise terminate TLS at a proxy. |
| MSK_CERT_FILE_PRIVATE_KEY | Path to the matching private key (PEM) | unset | Required if MSK_CERT_FILE is set. |
| MSK_USE_HSTS | Send Strict-Transport-Security headers | false | Enable in production. |
| MSK_REDIRECT_TO_HTTPS | Redirect plain HTTP to HTTPS | false | Enable when the container terminates TLS. |
| MSK_CORS | Comma-separated allowed origins | empty | Add origins for cross-domain custom interfaces. |
| MSK_HTTP_PROXY | Outbound HTTP proxy | unset | Set when the container needs to reach LLM providers through a corporate proxy. |
Identity and tokens
| Variable | Purpose | Default | Notes |
|---|---|---|---|
| MSK_ADMIN_USER | Username for the bootstrap admin account | admin | Customize on production deployments. |
| MSK_ADMIN_PASSWORD | Password for the bootstrap admin account | admin (replaces the default) | Always set this on first boot, even for local dev. Without it, the workspace ships with the well-known admin/admin pair. |
| MSK_ADMIN_EMAIL | Email of the bootstrap admin account | unset | Needed for password-recovery flows. |
| MSK_JWT_KEY | Signing key for issued JWT tokens (API, endpoint, session) | autogenerated on first boot | Provide explicitly in production. Rotating it invalidates outstanding tokens. |
| MSK_LICENSE | License token | unset | Required for licensed deployments. Available from your Curiosity account. |
Replication (read-only replicas)
| Variable | Purpose | Default | Notes |
|---|---|---|---|
| MSK_REPLICA | Switch the process into read-only replica mode | false | Set on replicas only. The primary does not need to be told replicas exist — it accepts registrations. |
| MSK_PRIMARY_ADDRESS | URL of the primary workspace the replica should follow | unset | Required when MSK_REPLICA=true. e.g. https://workspace-primary.example.com. |
| MSK_JWT_KEY | Shared signing key, must match the primary's value | autogenerated | Mandatory for replication — the primary uses it to authenticate the replica. |
See Read-only replicas for the full setup. Replicas also communicate with the primary over TCP 42999 (gRPC); open it on internal-only routes.
Observability
| Variable | Purpose | Default | Notes |
|---|---|---|---|
| MSK_LOG_PATH | Directory for application logs | container stdout | Mount a volume to keep logs after container restart. |
| MSK_LOG_LEVEL | Minimum log level | Information | Use Debug while diagnosing, but expect significant log volume. |
Common combinations
Local development (single-user, ephemeral)
```bash
docker run --name curiosity \
  -p 127.0.0.1:8080:8080 \
  -v ~/curiosity/storage:/data \
  -e MSK_GRAPH_STORAGE=/data/curiosity \
  -e MSK_ADMIN_PASSWORD="$(openssl rand -base64 24)" \
  curiosityai/curiosity:latest
```
Staging behind a reverse proxy (TLS at the proxy)
```bash
docker run --name curiosity \
  -p 8080:8080 \
  -v /srv/curiosity:/data \
  -e MSK_GRAPH_STORAGE=/data/curiosity \
  -e MSK_GRAPH_BACKUP_FOLDER=/data/backups \
  -e MSK_GRAPH_JOURNAL_FOLDER=/data/journal \
  -e MSK_PUBLIC_ADDRESS=https://workspace.staging.example.com \
  -e MSK_ADMIN_PASSWORD_FILE=/run/secrets/admin_password \
  -e MSK_JWT_KEY_FILE=/run/secrets/jwt_key \
  -e MSK_LICENSE_FILE=/run/secrets/license \
  curiosityai/curiosity:v1.42.0
```
Production (TLS terminated in-container)
```bash
docker run --name curiosity \
  -p 443:8080 \
  -v /srv/curiosity:/data \
  -v /etc/letsencrypt/live/example.com:/certs:ro \
  -e MSK_GRAPH_STORAGE=/data/curiosity \
  -e MSK_GRAPH_BACKUP_FOLDER=/data/backups \
  -e MSK_PUBLIC_ADDRESS=https://workspace.example.com \
  -e MSK_CERT_FILE=/certs/fullchain.pem \
  -e MSK_CERT_FILE_PRIVATE_KEY=/certs/privkey.pem \
  -e MSK_USE_HSTS=true \
  -e MSK_REDIRECT_TO_HTTPS=true \
  -e MSK_ADMIN_PASSWORD_FILE=/run/secrets/admin_password \
  -e MSK_JWT_KEY_FILE=/run/secrets/jwt_key \
  -e MSK_LICENSE_FILE=/run/secrets/license \
  curiosityai/curiosity:v1.42.0
```
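The requirements stated in the Notes columns on this page can be checked mechanically before a deployment. The following pre-flight audit is an added example, not Curiosity's own tooling; it assumes settings are kept in a `docker --env-file` style file, that booleans are written `true`/`false`, and that the `_FILE` forms apply only to the three variables the commands above use them with.

```python
# Added example (not Curiosity's code). *_FILE forms: only those used in the page's commands.
FILE_FORMS = {"MSK_ADMIN_PASSWORD", "MSK_JWT_KEY", "MSK_LICENSE"}

def parse_env(text):
    """Parse KEY=VALUE lines (docker --env-file style), skipping blanks and # comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def audit(env, production=True):
    """Return (variable, problem) pairs; at most one finding per variable."""
    found = {}
    def is_set(key):
        return bool(env.get(key)) or (key in FILE_FORMS and bool(env.get(key + "_FILE")))
    def on(key):  # assumption: booleans are written true/false
        return env.get(key, "").lower() == "true"
    if not is_set("MSK_ADMIN_PASSWORD") or env.get("MSK_ADMIN_PASSWORD") == "admin":
        found.setdefault("MSK_ADMIN_PASSWORD", "bootstrap account is the well-known admin/admin pair")
    if is_set("MSK_CERT_FILE") and not is_set("MSK_CERT_FILE_PRIVATE_KEY"):
        found.setdefault("MSK_CERT_FILE_PRIVATE_KEY", "required when MSK_CERT_FILE is set")
    if is_set("MSK_CERT_FILE") and not on("MSK_REDIRECT_TO_HTTPS"):
        found.setdefault("MSK_REDIRECT_TO_HTTPS", "enable when the container terminates TLS")
    if on("MSK_REPLICA") and not is_set("MSK_PRIMARY_ADDRESS"):
        found.setdefault("MSK_PRIMARY_ADDRESS", "required when MSK_REPLICA=true")
    if on("MSK_REPLICA") and not is_set("MSK_JWT_KEY"):
        found.setdefault("MSK_JWT_KEY", "replica needs the primary's signing key")
    if production:
        for key in ("MSK_JWT_KEY", "MSK_GRAPH_MASTER_KEY"):
            if not is_set(key):
                found.setdefault(key, "autogenerated on first boot; provide explicitly")
        if not on("MSK_USE_HSTS"):
            found.setdefault("MSK_USE_HSTS", "enable in production")
    return list(found.items())

# Constructed sample: a replica env file with several gaps.
SAMPLE = """\
MSK_GRAPH_STORAGE=/data/curiosity
MSK_REPLICA=true
MSK_CERT_FILE=/certs/fullchain.pem
MSK_ADMIN_PASSWORD=admin
"""

if __name__ == "__main__":
    for variable, problem in audit(parse_env(SAMPLE)):
        print(f"{variable}: {problem}")
```

Run against the settings in the production command above, the audit reports only MSK_GRAPH_MASTER_KEY, which that command leaves to be autogenerated.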
Where these variables come from
Most user-facing configuration that isn't security/runtime — supported languages, NLP pipelines, search indexes, embedding/LLM providers, SSO settings — lives inside the workspace database and is managed from the UI. The environment variables on this page only cover the runtime shell around that database.
For per-feature configuration:
- Workspace Configuration — overview of UI-managed settings.
- LLM Configuration — model provider keys, fallbacks, rate limits.
- SSO providers — identity provider integration.
For the platform-specific deployment patterns: