# Unraid MCP Server Configuration # ================================= # Core API Configuration (Required) # --------------------------------- UNRAID_API_URL=https://your-unraid-server-url/graphql UNRAID_API_KEY=your_unraid_api_key # MCP Server Settings # ------------------- # Default transport is stdio (for Claude Desktop / local use). # Docker Compose overrides this to streamable-http automatically. # Options: stdio (default), streamable-http, sse (deprecated) UNRAID_MCP_TRANSPORT=stdio UNRAID_MCP_HOST=0.0.0.0 UNRAID_MCP_PORT=6970 # Logging Configuration # --------------------- UNRAID_MCP_LOG_LEVEL=INFO # Options: DEBUG, INFO, WARNING, ERROR UNRAID_MCP_LOG_FILE=unraid-mcp.log # Log file name (saved to logs/ directory) # SSL/TLS Configuration # -------------------- # Set to 'false' or '0' to disable SSL verification (e.g., for self-signed certificates) # Set to 'true' or '1' to enable SSL verification (default) # Set to a file path to use a custom CA bundle UNRAID_VERIFY_SSL=true # Real-time Subscription Configuration # ------------------------------------ # Enable automatic subscription startup (true/false) UNRAID_AUTO_START_SUBSCRIPTIONS=true # Maximum WebSocket reconnection attempts (numeric) UNRAID_MAX_RECONNECT_ATTEMPTS=10 # Optional: Custom log file path for subscription auto-start diagnostics # Defaults to standard log if not specified # UNRAID_AUTOSTART_LOG_PATH=/custom/path/to/autostart.log # Credentials Directory Override (Optional) # ----------------------------------------- # Override the credentials directory (default: ~/.unraid-mcp/) # UNRAID_CREDENTIALS_DIR=/custom/path/to/credentials # Authentication # -------------- # This server has NO built-in authentication. # When running as HTTP (streamable-http transport), protect the endpoint with # an external OAuth gateway or identity-aware proxy: # # Reverse proxy with auth: nginx + OAuth2-proxy, Caddy + forward auth # Identity-aware proxy: Authelia, Authentik, Pomerium # Network isolation: bind to 127.0.0.1, use VPN/Tailscale for access # Firewall rules: restrict source IPs at the network layer # # stdio transport (default) is inherently local — no network exposure.