Skip to content

Configuration

Fabricator reads environment configuration at runtime. In a packaged native install, systemd loads /etc/fabricator/fabricator.env through EnvironmentFile=. In Docker, set the same values as environment: entries in docker-compose.yml; the image pins persistent paths onto /data.

Default native production file created by the installer:

# Fabricator environment configuration
HOST=0.0.0.0
PORT=5000
FLASK_ENV=production
SERVER_ROOT=/var/lib/fabricator/servers
SERVER_INDEX_FILE=/var/lib/fabricator/servers.json
PLAYIT_ENABLED=false
PLAYIT_BINARY_VERIFIED=true

Restart after editing:

Terminal window
sudo systemctl restart fabricator

For Docker, recreate the container after compose changes:

Terminal window
docker compose up -d
VariableDefaultDescription
HOSTdevelopment: 127.0.0.1; native packaged install and Docker: 0.0.0.0Bind address for the Flask server. In Docker, keep this at 0.0.0.0 and restrict the host-side port mapping instead.
PORT5000HTTP port for the dashboard and API.
FLASK_ENVdevelopment; packaged installs use productionControls production defaults.
SERVER_ROOTnative production: /var/lib/fabricator/servers; Docker: /data/servers; development: app data servers/Root directory for managed server instances.
SERVER_INDEX_FILEnative production: /var/lib/fabricator/servers.json; Docker: /data/servers.json; development: app data servers.jsonJSON index of configured servers.
JAVA_ROOTnative production: /var/lib/fabricator/java; Docker: /data/java; development: app data java/Directory for managed Java runtimes.
BACKUPS_DIRnative production: /var/lib/fabricator/backups; Docker: /data/backups; development: app data backups/Default backup directory.
CORS_ORIGINShttp://localhost:3000Comma-separated list of allowed browser origins for separate frontends. Wildcard * is rejected.
FABRICATOR_MAX_WORLD_UPLOAD_BYTES10737418240 (10 GiB)Max streamed upload size for Backups → Import world. Raise the reverse proxy body limit too if one sits in front.
PLAYIT_ENABLEDfalseStarts the shared playit.gg tunnel agent automatically when no dashboard-persisted state file exists. Prefer the dashboard toggle for normal use.
PLAYIT_BINARY_VERIFIEDinstaller-managedWhether the installer/update verified the pinned playit binaries. The UI surfaces a non-blocking warning when false.
PLAYIT_RUNTIME_DIRnative production: /var/lib/fabricator/playit; Docker: /data/playit; development: app data playit/Runtime directory for the playit secret, socket, PID file, logs, and enabled-state marker. Usually only changed for development/manual installs.
SECRET_KEYgenerated and persisted in auth.jsonOptional fixed Flask session signing key. Env value overrides the persisted key.
FABRICATOR_AUTH_PASSWORD_HASHunsetOptional env-managed operator password hash. When set, it skips setup mode and cannot be changed from the dashboard.
FABRICATOR_DISABLE_AUTHfalseExplicitly disables built-in auth. Use only behind a trusted reverse-proxy/VPN auth layer.
FABRICATOR_SESSION_COOKIE_SECUREfalseAdds the Secure flag to the session cookie. Enable when the public dashboard URL is HTTPS.
FABRICATOR_SKIP_JAVA_CHECKunset / falseDevelopment escape hatch to bypass Java version enforcement. Do not enable in production.
FABRICATOR_VERSIONlatest in installerInstaller target release tag.
FABRICATOR_REPOphilderks/FabricatorInstaller repository override.
FABRICATOR_SKIP_OS_PACKAGES0Internal update optimization used by tools/update.sh; valid only in update mode.

auth.json lives next to servers.json: /var/lib/fabricator/auth.json on native installs and /data/auth.json in Docker. It stores the generated session key and hashed operator password when those values are not env-managed. See Authentication for setup, reset, and disabling guidance.

CORS_ORIGINS must contain concrete HTTP(S) origins:

CORS_ORIGINS=http://localhost:3000,https://dashboard.example.com

CORS_ORIGINS=* is rejected because Fabricator exposes destructive endpoints such as start/stop, file writes, mod deletes, backups, imports, and uninstall/update workflows.

FABRICATOR_MAX_WORLD_UPLOAD_BYTES is enforced while the upload stream is written to disk, so an oversize archive is rejected before it lands fully on the host. If nginx, Caddy, Cloudflare, or another proxy sits in front, configure its request body limit as well or it may reject large worlds before Fabricator sees them.

The native installer creates /var/lib/fabricator/playit for the fabricator service user and installs pinned playit/playit-cli binaries into /usr/local/bin when the host architecture is supported. Docker stores the same runtime state in /data/playit.

The runtime directory stores the account secret, daemon socket, PID file, log file, and dashboard-persisted enabled state. Treat it as sensitive because the saved secret can authenticate the playit agent.

Use the playit.gg tunnels guide for dashboard setup and tunnel troubleshooting.

Server install paths are resolved inside SERVER_ROOT. Relative install paths are interpreted below the root. Attempts to escape the root are rejected by the backend.

Most game options are persisted in Fabricator’s server index and written into the instance’s server.properties. Settings are editable only while the server is stopped. See Server settings for the UI behavior and field groups.