[daemon]
[daemon] carries the small set of settings that apply to the daemon
as a whole rather than to any individual task or service. It is optional;
omit the section and the built-in defaults below take over.
The data directory and listen address are deliberately not in
TOML — they need to be settable before the config file is even read, so
they live on the CLI (or in your supervisor’s invocation of runwisp).
They’re documented here alongside the in-TOML keys because operators
think of them together.
[daemon]shutdown_timeout = "10s"| Key | Default | What it does |
|---|---|---|
shutdown_timeout | "10s" | Whole-daemon shutdown budget. After SIGTERM, the daemon SIGKILLs any in-flight runs that haven’t exited within this window so the process can actually exit. |
shutdown_timeout
Section titled “shutdown_timeout”shutdown_timeout is the whole-daemon budget. Each task and service
still gets its own graceful_stop
inside that cap. If any graceful_stop exceeds shutdown_timeout the
daemon emits a boot-time warning naming the offending task — the daemon
will SIGKILL the survivor before its per-task grace window completes.
Either raise shutdown_timeout, lower the per-task graceful_stop, or
accept that the task’s cleanup hook may be interrupted on daemon
shutdown.
CLI flags: data directory & listen address
Section titled “CLI flags: data directory & listen address”These three flags govern where state lives and where the HTTP/Web UI
listens. They apply to every runwisp subcommand (daemon, tui,
exec, …):
| Flag | Default | What it does |
|---|---|---|
--data | data | Directory for all persistent state — SQLite database, per-task logs, PID file, and the local Unix socket. |
--host | 127.0.0.1 | Bind address for the HTTP server. Use 0.0.0.0 to listen on every interface. |
--port | 9477 | TCP port for the HTTP server (REST API, SSE log stream, Web UI). |
runwisp daemon --data /var/lib/runwisp --host 0.0.0.0 --port 9477Picking --data once and using it consistently matters: the database
file (runwisp.db), the local Unix socket (runwisp.sock), and every
task’s log files all live under that directory. Moving it after the
fact is a directory move, not a configuration change.
The daemon does not persist the daemon password or the JWT signing
key. The password comes from RUNWISP_PASSWORD if set, otherwise a
fresh ephemeral one is generated every boot. The JWT key is derived
deterministically from the password — set RUNWISP_PASSWORD (e.g.
via a Docker secret or systemd LoadCredential=) to keep browser
sessions stable across daemon restarts. See Auth
for details.
Environment variables
Section titled “Environment variables”| Variable | What it does |
|---|---|
RUNWISP_PASSWORD | Sets the daemon password in memory. When unset, a fresh ephemeral password is minted every boot (and every session rotates with it). |
RUNWISP_TRUST_PROXY | Comma-separated CIDR list of reverse proxies whose X-Forwarded-* headers the daemon may honor. |
RUNWISP_CLOUD_TOKEN | Used by runwisp cloud to connect to a control plane. Ignored in standalone mode. |
Local Unix socket
Section titled “Local Unix socket”The daemon creates <datadir>/runwisp.sock on startup. Local CLI
commands and the TUI connect over this socket and do not require a
password — access is gated by the data dir’s 0700 mode, the
socket’s 0600 mode, and a SO_PEERCRED check at accept time. The
socket file is removed on graceful shutdown.
Where to next
Section titled “Where to next”[tasks.*]reference — per-taskgraceful_stop, which lives inside the daemon-wideshutdown_timeout.[storage]reference — the disk-usage safeguards that protect the data dir.