Configuration
Drydock is configured via environment variables and Docker labels.
drydock is configured via Environment Variables and Docker labels.
Prefix convention
All environment variables use the DD_ prefix. All Docker labels use the dd. prefix.
| Context | Prefix | Example |
|---|---|---|
| Environment variables | DD_ | DD_SERVER_PORT |
| Docker labels | dd. | dd.watch |
| Secret files | DD_ + __FILE | DD_AUTH_BASIC_JOHN_HASH__FILE |
Please find below the documentation for each of them:
- Agents — distributed multi-host architecture
- Authentication
- Backup & Rollback — automatic image backup and one-click restore
- Container Actions — start, stop, restart, update, and delete
- Dashboard — widget layout, customization, and trigger aliases
- DNS — DNS result ordering for Alpine/musl compatibility
- Lifecycle Hooks — pre/post-update commands
- Logs
- Registries
- Self-Update — graceful drydock self-update
- Server
- Storage
- Timezone
- Triggers
- UI / Appearance — themes, icons, fonts, command palette, locale
- Update Bouncer — vulnerability scanning, signatures, and SBOM
- Watchers
- Webhooks — CI/CD integration
Diagnostics
Drydock includes a one-click diagnostic debug dump available in Config > Diagnostics or via the API at GET /api/v1/debug/dump. The dump collects a time-windowed snapshot of recent events, redacts all sensitive values (tokens, passwords, secrets), and downloads as a JSON attachment. Use the ?minutes=N query parameter to control how many minutes of event history to include (default 30).
See Diagnostic debug dump for the full API reference.
Complete example
services:
# Valid semver following by os name
vaultwarden:
image: vaultwarden/server:1.22.1-alpine
container_name: bitwarden
labels:
- 'dd.tag.include=^\d+\.\d+\.\d+-alpine$$'
- 'dd.link.template=https://github.com/dani-garcia/vaultwarden/releases/tag/$${major}.$${minor}.$${patch}'
# Valid semver following by an build number (linux server style)
duplicati:
image: linuxserver/duplicati:v2.0.6.3-2.0.6.3_beta_2021-06-17-ls104
container_name: duplicati
labels:
- 'dd.tag.include=^v\d+\.\d+\.\d+\.\d+-\d+\.\d+\.\d+\.\d+.*$$'
# Valid calver
homeassistant:
image: homeassistant/home-assistant:2021.7.1
container_name: homeassistant
labels:
- 'dd.tag.include=^\d+\.\d+\.\d+$$'
- 'dd.link.template=https://github.com/home-assistant/core/releases/tag/$${major}.$${minor}.$${patch}'
# Valid semver with a leading v
pihole:
image: pihole/pihole:v5.8.1
container_name: pihole
labels:
- 'dd.tag.include=^v\d+\.\d+\.\d+$$'
- 'dd.link.template=https://github.com/pi-hole/FTL/releases/tag/v$${major}.$${minor}.$${patch}'
# Mutable tag (latest) with digest tracking
pyload:
image: writl/pyload:latest
container_name: pyload
labels:
- 'dd.tag.include=latest'
- 'dd.watch.digest=true'
# drydock self tracking :)
drydock:
image: codeswhat/drydock:latest
container_name: drydock
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /opt/drydock/store:/store
# The image includes a built-in HEALTHCHECK — no override needed.
# If you need custom intervals, use the built-in binary:
healthcheck:
test: /bin/healthcheck ${DD_SERVER_PORT:-3000}
interval: 10s
timeout: 10s
retries: 3
start_period: 10s
labels:
- 'dd.tag.include=^latest$$'
- 'dd.link.template=https://github.com/orgs/CodesWhat/packages/container/package/drydock'Secret management
__FILE.For example, instead of providing the Basic auth details as
DD_AUTH_BASIC_JOHN_HASH=argon2id$65536$3$4$/Y21uoNfTJ/Bv+t7Msz6XABip7tBOI55ZgjeCXyhGc0=$MHhv8Tc/0TCnhAeoNQRHII3sbOLIQ+1lMlHk+Ifyv3IUAxT6NkVt+OXT03kJTn8JRzmD24L+qCjcqk2+Ad1dTw==You can create an external file with the appropriate permissions (let's say /tmp/john_hash) containing the secret value (argon2id$65536$3$4$/Y21uoNfTJ/Bv+t7Msz6XABip7tBOI55ZgjeCXyhGc0=$MHhv8Tc/0TCnhAeoNQRHII3sbOLIQ+1lMlHk+Ifyv3IUAxT6NkVt+OXT03kJTn8JRzmD24L+qCjcqk2+Ad1dTw==).
Then you need to reference this file by using the following env var
DD_AUTH_BASIC_JOHN_HASH__FILE=/tmp/john_hashDD_ env var (no restrictions).