> ## Documentation Index > Fetch the complete documentation index at: https://engineering.unkey.com/llms.txt > Use this file to discover all available pages before exploring further. # Configuration > Configuration model and required settings for the frontline service ## Configuration model Unkey services read configuration from a TOML file passed at startup. Environment variables can be referenced with `${VAR}` and are expanded before parsing. Defaults and validation run after parsing. The config schema maps to [`svc/frontline/config.go`](https://github.com/unkeyed/unkey/blob/main/svc/frontline/config.go). Minimal config example: ```toml theme={"theme":"kanagawa-wave"} http_port = 7070 https_port = 7443 region = "${UNKEY_REGION}.aws" instance_id = "${POD_NAME}" apex_domain = "${UNKEY_APEX_DOMAIN}" max_hops = 10 ctrl_addr = "${UNKEY_CTRL_ADDR}" prometheus_port = 9090 [database] primary = "${UNKEY_DATABASE_PRIMARY}" readonly_replica = "${UNKEY_DATABASE_REPLICA}" [vault] url = "${UNKEY_VAULT_URL}" token = "${UNKEY_VAULT_TOKEN}" [gossip] bind_addr = "0.0.0.0" lan_port = 7946 wan_port = 7947 secret_key = "${UNKEY_GOSSIP_SECRET_KEY}" ``` Instance identifier for logs and tracing. Plain-HTTP listener port. Serves ACME HTTP-01 challenges and 308-redirects everything else to https\://. HTTPS listener port. Terminates TLS and forwards customer traffic to the sentinel. Region label for routing. Apex domain for regional routing. Maximum number of routing hops. Control API address. Prometheus metrics port. Set to 0 to disable. TLS settings for HTTPS. Disable TLS when true. Path to TLS certificate. Path to TLS key. MySQL configuration. Primary DSN. Optional read replica DSN. Vault connection. Vault URL. Vault token. Gossip-based cache invalidation. Bind address. LAN port. WAN port. LAN seed addresses. WAN seed addresses. Secret key for gossip encryption. Tracing and logging configuration. Trace sampling rate. Log sampling rate. Slow log threshold. ## Environment variables The Helm chart provides these variables for the default config template: Region label. Apex domain for routing. Control API address. Vault URL. Vault token. MySQL primary DSN. MySQL read replica DSN. Gossip secret key. ## Example configuration ```toml theme={"theme":"kanagawa-wave"} http_port = 7070 https_port = 7443 region = "${UNKEY_REGION}.aws" instance_id = "${POD_NAME}" apex_domain = "${UNKEY_APEX_DOMAIN}" max_hops = 10 ctrl_addr = "${UNKEY_CTRL_ADDR}" prometheus_port = 9090 [database] primary = "${UNKEY_DATABASE_PRIMARY}" readonly_replica = "${UNKEY_DATABASE_REPLICA}" [vault] url = "${UNKEY_VAULT_URL}" token = "${UNKEY_VAULT_TOKEN}" [gossip] bind_addr = "0.0.0.0" lan_port = 7946 wan_port = 7947 secret_key = "${UNKEY_GOSSIP_SECRET_KEY}" [observability.tracing] sample_rate = 0.1 [observability.logging] sample_rate = 0.01 slow_threshold = "2s" ``` ## Related docs * [Overview](/architecture/services/frontline/overview)