Configuration
All components configure from environment variables only. No secrets ship in images or composes — node secrets arrive as dstack sealed env (encrypted to the CVM at deploy time), and key material is never configuration at all: it is derived from the TEE seed at boot.
Sidecar (cluster-mesh-agent)

| Variable | Required | Default | Purpose |
|---|---|---|---|
| CHAIN_ID | yes | — | EVM chain id (8453 live). |
| RPC_URL | yes | — | EVM RPC endpoint (read path). |
| BUNDLER_URL | yes | — | EIP-4337 bundler RPC (may equal RPC_URL on Alchemy). |
| INDEXER_REGISTRY_ADDR | yes | — | Per-chain IndexerRegistry address. |
| GAS_POLICY_ID | no | "" | Alchemy Gas Manager policy for sponsored UserOps. |
| MEMBER_CONTRACT | no | unset | Explicit member address. Leave unset on dstack base KMS — the sidecar self-discovers its app id at runtime. |
| GATEWAY_DOMAIN | no | unset | dstack gateway base domain (live: dstack-base-prod5.phala.network). Peer ingresses resolve as <app_id>-<port>s.<domain>. Unset → registration-only mode (no mesh). |
| WG_TCP_PORT | no | 51900 | The wg-over-TCP ingress port (exposed through the gateway). |
| WG_LISTEN_PORT | no | 51821 | WireGuard's outer (kernel) listen port. Distinct from the in-mesh heartbeat port 51820. |
| DSTACK_SOCKET | no | /var/run/dstack.sock | dstack guest-agent socket (keys, quotes, identity). |
| AGENT_GRPC_SOCKET | no | /var/run/attestmesh/agent.sock | Application-facing gRPC unix socket. |
| HEALTH_HTTP_ADDR | no | 127.0.0.1:9090 | Health endpoint bind (use 0.0.0.0:9090 to expose via the gateway). |
| LOG_FORMAT / LOG_LEVEL | no | json / info | Tracing output. |

Container requirements: NET_ADMIN capability, /dev/net/tun, the dstack socket mounted, and ports 9090 + 51900 published.
Indexer (attestmesh-indexer)

| Variable | Required | Default | Purpose |
|---|---|---|---|
| CHAIN_ID | yes | — | Chain to watch (8453 live). |
| RPC_URL | yes | — | EVM RPC endpoint. |
| INDEXER_REGISTRY_ADDR | yes | — | Registry to self-check against. |
| CLUSTER_DIAMOND_FACTORY_ADDR | yes | — | Factory watched for cluster discovery. |
| INDEXER_START_BLOCK | no | 0 | Catch-up floor — set it. The factory's deploy block; 0 means a genesis scan, which on a mainnet effectively never finishes. deploy/indexer.sh computes it automatically (getCode binary search). Live: 46868742. |
| BLOCK_BATCH_SIZE | no | 200 | Blocks per eth_getLogs page (live runs 2000). |
| BLOCK_POLL_INTERVAL_MS | no | 2000 | Head-polling cadence. |
| INDEXER_CODE_ID | no | zero | Expected code id for the boot self-check (non-fatal mismatch). |
| INDEXER_GRPC_ADDR | no | 0.0.0.0:50051 | Subscription gRPC bind. |
| HEALTH_HTTP_ADDR | no | 0.0.0.0:9090 | Health/metrics bind. |
| STATE_DIR | no | /var/lib/attestmesh-indexer | Persistent cursor store (mount a volume). |
| DSTACK_SOCKET | no | /var/run/dstack.sock | TEE identity derivation. |
| LOG_FORMAT / LOG_LEVEL | no | json / info | Tracing output. |
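The deploy-block discovery that the INDEXER_START_BLOCK row attributes to deploy/indexer.sh (a getCode binary search), as an added Python example that is not the project's script: find_deploy_block binary-searches an injectable has_code(block) probe, rpc_has_code (an assumed helper) builds that probe over eth_getCode for a live endpoint, and the offline run uses a constructed fake chain.

```python
# Hypothetical helper, not the project's deploy/indexer.sh: locate a contract's
# deploy block with a binary search over eth_getCode. `has_code(block) -> bool`
# is injectable so the search runs against a live RPC or a constructed fake chain.
import json
import urllib.request
from typing import Callable, Optional


def rpc_has_code(rpc_url: str, address: str) -> Callable[[int], bool]:
    """Build a probe that asks a live JSON-RPC endpoint whether `address` has code."""
    def probe(block_number: int) -> bool:
        payload = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_getCode",
                              "params": [address, hex(block_number)]}).encode()
        req = urllib.request.Request(rpc_url, data=payload,
                                     headers={"content-type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp).get("result", "0x") not in ("0x", "", None)
    return probe


def find_deploy_block(has_code: Callable[[int], bool], head: int) -> Optional[int]:
    """First block at which the contract has code, or None if it has none at `head`.
    Valid only while code presence is monotonic (no SELFDESTRUCT); it then costs
    O(log head) probes instead of a genesis scan. None means wrong address, wrong
    chain, or not yet deployed: refuse to start rather than fall back to block 0.
    """
    if head < 0 or not has_code(head):
        return None
    lo, hi = 0, head  # invariant: has_code(hi) is True
    while lo < hi:
        mid = (lo + hi) // 2
        if has_code(mid):
            hi = mid
        else:
            lo = mid + 1
    return lo


# Constructed fake chain for the offline run: code first appears at this block.
FAKE_DEPLOY_BLOCK = 4_200_000
FAKE_HEAD = 5_000_000


def fake_has_code(block_number: int) -> bool:
    return block_number >= FAKE_DEPLOY_BLOCK


if __name__ == "__main__":
    print("INDEXER_START_BLOCK=%s" % find_deploy_block(fake_has_code, FAKE_HEAD))
```

Against a live chain, replace fake_has_code with rpc_has_code(RPC_URL, CLUSTER_DIAMOND_FACTORY_ADDR) and pass the current head from eth_blockNumber.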
Gas-sponsorship webhook
Configured via wrangler (vars + secrets):

| Variable | Purpose |
|---|---|
| EXPECTED_CHAIN_ID | 8453 live. |
| RPC_URL (secret) | For provenance verification calls. |
| ALCHEMY_WEBHOOK_TOKEN (secret) | Shared token the policy presents. |
| Factory / cluster addresses | The recognized deployment the worker validates against. |
Deploy-time inputs (deploy/env.sh)
The deploy routines load operator credentials from the environment — deployer key, RPC/bundler URLs, gas policy id, Phala API session, ghcr pull credentials, and Cloudflare tokens. See the repo's deploy/ README header comments; none of these ever reach a container image.