sure-aio

Docker app from JSONbored's Repository

Overview

Sure (formerly Maybe Finance) is a self-hosted personal finance app for budgeting, net worth tracking, and account aggregation.

All-In-One Unraid Edition
sure-aio packages the web app, worker, PostgreSQL, and Redis into one Unraid template with persistent appdata paths, so beginners can run Sure without deploying separate DB/cache containers.

Quick Install (Beginners)

  1. In Unraid, click Install for this template.
  2. Open an Unraid terminal and generate your secret: [code]openssl rand -hex 64[/code]
  3. Copy that value into [code]Secret Key Base[/code] ([code]SECRET_KEY_BASE[/code]) in the template form.
  4. Leave defaults in place for first boot, then click Apply.
  5. Wait for initialization to complete, then open [code]http://SERVER_IP:3000[/code] (or your mapped port).

Power Users (Advanced View)

  • Enable [code]Advanced View[/code] in the template to expose full runtime/env controls.
  • Override DB/Redis to external services if desired, or keep the AIO defaults.
  • Configure SMTP, reverse-proxy SSL behavior, OIDC/SSO, telemetry/APM, and API/provider keys (Plaid, Yahoo, Brandfetch, AI, etc.).
  • Keep defaults for easiest operation; only set overrides you actually need.

Data paths (default)

  • [code]/mnt/user/appdata/sure-aio/system[/code]
  • [code]/mnt/user/appdata/sure-aio/postgres[/code]
  • [code]/mnt/user/appdata/sure-aio/redis[/code]

Requirements

Generate and keep a strong SECRET_KEY_BASE before first boot, and back up Rails storage, PostgreSQL, and Redis appdata before upgrades. Use external PostgreSQL, Redis, storage, SMTP, or provider settings only when you intentionally move beyond the bundled AIO defaults.

Runtime arguments

Web UI
http://[IP]:[PORT:3000]
Network
bridge
Shell
sh
Privileged
false

Template configuration

Web UI Port (Port, tcp)

The main web interface port.

Target
3000
Default
3000
Value
3000
Secret Key Base (Variable)

Critical: Run 'openssl rand -hex 64' in your Unraid terminal and paste the resulting random hex string here.

Target
SECRET_KEY_BASE
[Internal] Self Hosted Mode (Variable)

Internal wrapper flag required for Sure self-hosted mode. Leave unchanged.

Target
SELF_HOSTED
Default
true
Value
true
[Internal] Legacy Self Hosting Alias (Variable)

Legacy upstream alias for self-hosted mode. Usually leave blank because SELF_HOSTED=true is already set by this wrapper.

Target
SELF_HOSTING_ENABLED
App Volumes - Rails Storage (Path, rw)

Internal rails file storage.

Target
/rails/storage
Default
/mnt/user/appdata/sure-aio/system
Value
/mnt/user/appdata/sure-aio/system
App Volumes - Postgres DB (Path, rw)

Internal PostgreSQL database storage mapped externally so you don't lose data.

Target
/var/lib/postgresql/data
Default
/mnt/user/appdata/sure-aio/postgres
Value
/mnt/user/appdata/sure-aio/postgres
App Volumes - Redis Cache (Path, rw)

Internal Redis memory cache.

Target
/var/lib/redis
Default
/mnt/user/appdata/sure-aio/redis
Value
/mnt/user/appdata/sure-aio/redis
[SSL] Custom CA Certificate Mount (Path, ro)

Optional host path to a PEM CA certificate file for trusting self-signed or internal HTTPS services. Leave blank unless you need private CA support.

Target
/certs/custom-ca.pem
App Domain (Variable)

The domain your Sure instance is hosted at (used for email links).

Target
APP_DOMAIN
App URL (Variable)

Optional full external base URL including scheme, such as 'https://finance.example.com'. Useful for advanced SSO flows that need an absolute callback or issuer URL.

Target
APP_URL
Onboarding State (Variable)

Controls user registration. Use 'open', 'closed', or 'invite_only'.

Target
ONBOARDING_STATE
Default
open
Value
open
Require Invite Code (Variable)

Optional global gate for account registration. Set to 'true' to require invite codes for sign-up.

Target
REQUIRE_INVITE_CODE
Require Email Confirmation (Variable)

Set to 'false' if you explicitly want to skip email confirmation for new accounts. Leave enabled for the safer default.

Target
REQUIRE_EMAIL_CONFIRMATION
Default
true
Value
true
Assume SSL (Variable)

Leave 'false' for direct LAN access. Set to 'true' only when Sure sits behind an SSL-terminating reverse proxy.

Target
RAILS_ASSUME_SSL
Default
false
Value
false
Force SSL Redirects (Variable)

Leave 'false' for the default Unraid install over plain HTTP. Set to 'true' only if you want direct HTTP requests redirected to HTTPS.

Target
RAILS_FORCE_SSL
Default
false
Value
false
[Proxy] Referrer Policy (Variable)

Browser Referrer-Policy header used by Rails origin checks. Keep 'strict-origin-when-cross-origin' for reverse proxies; avoid 'no-referrer' because it can make browsers send Origin: null and break login POSTs.

Target
SURE_REFERRER_POLICY
Default
strict-origin-when-cross-origin
Value
strict-origin-when-cross-origin
[Proxy] CSRF Origin Check (Variable)

Leave 'true' unless your reverse proxy, Cloudflare path, browser, or privacy middleware still forces login POSTs to send Origin: null. Set to 'false' only as an advanced compatibility escape hatch; Rails CSRF token validation remains enabled.

Target
SURE_CSRF_ORIGIN_CHECK
Default
true
Value
true
[SSL] Custom CA File (Variable)

Optional in-container path to a PEM CA certificate file. If you use the provided mount above, set this to '/certs/custom-ca.pem'.

Target
SSL_CA_FILE
[SSL] Override Global CA Bundle (Variable)

Optional full CA bundle path for advanced Ruby/OpenSSL trust overrides. Usually leave blank and use SSL_CA_FILE instead.

Target
SSL_CERT_FILE
[SSL] Verify Remote Certificates (Variable)

Leave 'true' for production. Set to 'false' only for temporary testing against broken or self-signed HTTPS endpoints.

Target
SSL_VERIFY
Default
true
Value
true
[SSL] Debug Logging (Variable)

Set to 'true' to log detailed outbound SSL trust and certificate diagnostics.

Target
SSL_DEBUG
Default
false
Value
false
[Legal] Privacy Policy URL (Variable)

Optional external privacy-policy URL shown by the app when provided.

Target
LEGAL_PRIVACY_URL
[Legal] Terms of Service URL (Variable)

Optional external terms-of-service URL shown by the app when provided.

Target
LEGAL_TERMS_URL
[External DB] DB Host Override (Variable)

Optional external PostgreSQL host or container name. Example: '192.168.1.50' or 'postgres-shared' on a custom Docker network.

Target
DB_HOST
[External DB] DB Port Override (Variable)

Optional external PostgreSQL port. Example: '5432'.

Target
DB_PORT
[External DB] DB Name Override (Variable)

Optional external PostgreSQL database name. Leave blank to keep Sure's normal default database name.

Target
POSTGRES_DB
[External DB] DB User Override (Variable)

Optional external PostgreSQL username. This user must already exist on your external database.

Target
POSTGRES_USER
[External DB] DB Password Override (Variable)

Optional password for the external PostgreSQL user above.

Target
POSTGRES_PASSWORD
[External DB] Redis URL Override (Variable)

Optional external Redis URL. Example: 'redis://192.168.1.50:6379/1' or 'redis://:password@redis-host:6379/1'.

Target
REDIS_URL
[External Redis] Sentinel Hosts (Variable)

Optional Redis Sentinel hosts, comma-separated like 'host1:26379,host2:26379'. Takes precedence over REDIS_URL when set.

Target
REDIS_SENTINEL_HOSTS
[External Redis] Sentinel Master (Variable)

Redis Sentinel master name.

Target
REDIS_SENTINEL_MASTER
Default
mymaster
Value
mymaster
[External Redis] Sentinel Username (Variable)

Redis Sentinel username if your Sentinel deployment requires authentication.

Target
REDIS_SENTINEL_USERNAME
Default
default
Value
default
[External Redis] Sentinel Password (Variable)

Redis password used for Sentinel-backed Redis deployments.

Target
REDIS_PASSWORD
[System] Product Name (Variable)

Custom product name in UI.

Target
PRODUCT_NAME
[System] Brand Name (Variable)

Custom brand name in UI.

Target
BRAND_NAME
[System] Default UI Layout (Variable)

Choose the initial layout for new sessions. Use 'dashboard' for the standard app or 'intro' for the intro-first experience.

Target
DEFAULT_UI_LAYOUT
Default
dashboard
Value
dashboard
[DB Encryption] Primary Key (Variable)

Optional explicit Rails encryption primary key. Leave blank unless you deliberately manage separate Active Record encryption keys outside SECRET_KEY_BASE.

Target
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
[DB Encryption] Deterministic Key (Variable)

Optional deterministic encryption key paired with the primary key above. Leave blank unless you already know your Rails encryption key material.

Target
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
[DB Encryption] Derivation Salt (Variable)

Optional key-derivation salt for Rails encryption. Leave blank unless you manage custom encryption keys yourself.

Target
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
[AI] OpenAI / Ollama Token (Variable)

OpenAI-compatible API key. Get OpenAI keys from platform.openai.com/api-keys. If using local Ollama, enter any non-empty placeholder such as 'ollama-local'.

Target
OPENAI_ACCESS_TOKEN
[AI] OpenAI URI Base (Variable)

Leave blank for official OpenAI. For local LLMs, enter your endpoint (e.g., 'http://ollama:11434/v1').

Target
OPENAI_URI_BASE
[AI] Model Name (Variable)

If using Ollama, you MUST define the model here (e.g., 'llama3.1:13b' or 'gemma2:7b').

Target
OPENAI_MODEL
[AI] Categorization Provider (Variable)

Optional provider override used only for transaction categorization. Example: 'openai' or 'ollama'. If blank, Sure uses its normal AI provider behavior.

Target
CATEGORIZATION_PROVIDER
[AI] Categorization Model (Variable)

Optional model override used only for categorization, such as 'gemma2:7b'.

Target
CATEGORIZATION_MODEL
[AI] Chat Provider (Variable)

Optional provider override used only for chat-assistant requests. Example: 'openai' or 'ollama'.

Target
CHAT_PROVIDER
[AI] Chat Model (Variable)

Optional model override used only for chat-assistant requests, such as 'gpt-4.1' or a local Ollama model.

Target
CHAT_MODEL
[AI] Request Timeout (Variable)

OpenAI-compatible request timeout in seconds. Raise this only if your provider or local LLM is slow to respond.

Target
OPENAI_REQUEST_TIMEOUT
Default
60
Value
60
[AI] JSON Mode Override (Variable)

Optional structured-output override. Valid values are '', 'strict', 'none', or 'json_object'. Set this only if you need to force Sure's OpenAI JSON behavior globally.

Target
LLM_JSON_MODE
[AI] Debug Logging (Variable)

Set to 'true' to enable verbose AI chat debugging in logs.

Target
AI_DEBUG_MODE
Default
false
Value
false
[AI] Enable PDF Processing (Variable)

Leave 'true' for OpenAI or vision-capable providers. Set to 'false' only for OpenAI-compatible endpoints that do not support PDF or vision input.

Target
OPENAI_SUPPORTS_PDF_PROCESSING
Default
true
Value
true
[AI] Supports Responses API (Variable)

Optional override for OpenAI-compatible endpoints. Use 'true' to force the Responses API or 'false' to force chat completions. Leave blank for upstream auto-detection.

Target
OPENAI_SUPPORTS_RESPONSES_ENDPOINT
[AI] Context Window (Variable)

Optional total LLM context window in tokens. Lower this for small local models or raise it for larger cloud models.

Target
LLM_CONTEXT_WINDOW
[AI] Max Response Tokens (Variable)

Optional tokens reserved for each model response. Leave blank for upstream defaults.

Target
LLM_MAX_RESPONSE_TOKENS
[AI] Max History Tokens (Variable)

Optional explicit chat history token budget. Leave blank so Sure derives it from context, response, and system-prompt reserves.

Target
LLM_MAX_HISTORY_TOKENS
[AI] System Prompt Reserve (Variable)

Optional tokens reserved for Sure's system prompt and instructions. Leave blank for upstream defaults.

Target
LLM_SYSTEM_PROMPT_RESERVE
[AI] Max Items Per Tool Call (Variable)

Optional maximum batch size for AI categorization and merchant-detection calls. Lower this for small local models.

Target
LLM_MAX_ITEMS_PER_CALL
[AI] Vector Store Provider (Variable)

Optional document-search backend. Leave blank for the default path. Set to 'pgvector' to use PostgreSQL-based vectors or 'qdrant' for an external Qdrant server.

Target
VECTOR_STORE_PROVIDER
[AI] Embedding Model (Variable)

Embedding model name used for document search. Example: 'nomic-embed-text'. This is required when you enable pgvector or qdrant-backed document search.

Target
EMBEDDING_MODEL
[AI] Embedding Dimensions (Variable)

Embedding width for the selected model. Must match the provider output.

Target
EMBEDDING_DIMENSIONS
Default
1024
Value
1024
[AI] Embedding URI Base (Variable)

Optional dedicated embeddings endpoint. Example: 'http://ollama:11434/v1'. If blank, Sure falls back to OPENAI_URI_BASE.

Target
EMBEDDING_URI_BASE
[AI] Embedding Access Token (Variable)

Optional dedicated embeddings token. If blank, Sure falls back to OPENAI_ACCESS_TOKEN.

Target
EMBEDDING_ACCESS_TOKEN
[AI] Qdrant URL (Variable)

Optional external Qdrant endpoint for vector storage. Example: 'http://192.168.1.50:6333'.

Target
QDRANT_URL
[AI] Qdrant API Key (Variable)

Optional Qdrant API key from your Qdrant Cloud or self-hosted auth configuration.

Target
QDRANT_API_KEY
[Ext. AI] Assistant Type (Variable)

Set to 'external' to route all chat to an external agent via MCP.

Target
ASSISTANT_TYPE
[Ext. AI] Assistant URL (Variable)

URL for the external agent (e.g. https://your-openclaw/v1/chat/completions).

Target
EXTERNAL_ASSISTANT_URL
[Ext. AI] Assistant Token (Variable)

Auth token expected by your external agent or gateway. Copy it from that service's dashboard or config.

Target
EXTERNAL_ASSISTANT_TOKEN
[Ext. AI] Agent ID (Variable)

Optional Agent ID for OpenClaw routing.

Target
EXTERNAL_ASSISTANT_AGENT_ID
[Ext. AI] Session Key (Variable)

Optional shared session key for remote agent conversation persistence. Leave blank so Sure-AIO derives isolated per-chat remote state.

Target
EXTERNAL_ASSISTANT_SESSION_KEY
[Ext. AI] Allowed Emails (Variable)

Optional comma-separated allowlist of users permitted to use the external assistant.

Target
EXTERNAL_ASSISTANT_ALLOWED_EMAILS
[Ext. AI] MCP User Email (Variable)

Required if using Ext. AI: Email of an existing Sure user.

Target
MCP_USER_EMAIL
[Ext. AI] MCP API Token (Variable)

Required if using Ext. AI: Bearer token for agent callbacks to /mcp. Generate one with 'openssl rand -hex 32' in the Unraid terminal.

Target
MCP_API_TOKEN
[Telemetry] PostHog Key (Variable)

PostHog project API key from your PostHog project settings.

Target
POSTHOG_KEY
[Telemetry] PostHog Host (Variable)

PostHog host URL. Example: 'https://us.i.posthog.com' or your self-hosted PostHog URL.

Target
POSTHOG_HOST
[Telemetry] Langfuse Host (Variable)

Langfuse base URL for LLM observability. Example: 'https://cloud.langfuse.com' or your self-hosted Langfuse URL.

Target
LANGFUSE_HOST
[Telemetry] Langfuse Region (Variable)

Optional Langfuse region shortcut like 'us' or 'eu'. Use this only if you are not setting a custom Langfuse Host URL.

Target
LANGFUSE_REGION
[Telemetry] Langfuse Public Key (Variable)

Langfuse public key from your project settings.

Target
LANGFUSE_PUBLIC_KEY
[Telemetry] Langfuse Secret Key (Variable)

Langfuse secret key from your project settings.

Target
LANGFUSE_SECRET_KEY
[Telemetry] Sentry DSN (Variable)

Optional Sentry DSN if you want upstream exception reporting enabled for this instance.

Target
SENTRY_DSN
[Telemetry] Skylight Enabled (Variable)

Set to 'true' only if you intentionally use Skylight's hosted APM service. Default is 'false' for AIO installs so no external Skylight setup is required.

Target
SKYLIGHT_ENABLED
Default
false
Value
false
[Telemetry] Skylight Auth Token (Variable)

Optional Skylight app authentication token. Only used when SKYLIGHT_ENABLED is true and you want to send APM data to your Skylight account.

Target
SKYLIGHT_AUTHENTICATION
[Telemetry] Logtail API Key (Variable)

Optional Better Stack / Logtail source token from your log source settings.

Target
LOGTAIL_API_KEY
[Telemetry] Logtail Ingest Host (Variable)

Optional Logtail ingest host used with LOGTAIL_API_KEY.

Target
LOGTAIL_INGESTING_HOST
[Telemetry] Rails Log Level (Variable)

Application log verbosity. Use 'info' for normal operation or 'debug' for deeper troubleshooting.

Target
RAILS_LOG_LEVEL
Default
info
Value
info
[Runtime] Rails/Sidekiq Thread Pool (Variable)

Optional worker thread count used by Puma, Sidekiq, and DB pool sizing. Leave blank for upstream default (3).

Target
RAILS_MAX_THREADS
[Runtime] Puma Worker Processes (Variable)

Optional Puma process count for the web service. Leave blank for upstream default (1).

Target
WEB_CONCURRENCY
[Runtime] Sidekiq Web Username (Variable)

Optional username for /sidekiq dashboard basic auth. Leave blank to keep upstream default username ('sure').

Target
SIDEKIQ_WEB_USERNAME
[Runtime] Sidekiq Web Password (Variable)

Optional password for /sidekiq dashboard basic auth. Leave blank to keep upstream default password ('sure').

Target
SIDEKIQ_WEB_PASSWORD
[Network] HTTPS Proxy (Variable)

Optional outbound HTTPS proxy URL (for advanced egress controls like Pipelock). Leave blank for normal direct outbound traffic.

Target
HTTPS_PROXY
[Network] HTTP Proxy (Variable)

Optional outbound HTTP proxy URL. Leave blank unless your network requires a proxy.

Target
HTTP_PROXY
[Network] No Proxy Hosts (Variable)

Optional comma-separated hosts/domains that should bypass HTTP(S) proxy routing.

Target
NO_PROXY
[API] Exchange Rate Provider (Variable)

Optional exchange-rate provider override. If left blank, Sure uses its normal default and UI selection behavior.

Target
EXCHANGE_RATE_PROVIDER
[API] Securities Provider (Variable)

Optional securities provider override. If left blank, Sure uses its normal default and UI selection behavior.

Target
SECURITIES_PROVIDER
[API] Securities Providers (Variable)

Optional comma-separated securities provider list. Example: 'yahoo_finance,binance_public,twelve_data'. Takes precedence over the single Securities Provider field when set.

Target
SECURITIES_PROVIDERS
[API] Brandfetch Client ID (Variable)

Brandfetch client ID from your Brandfetch application or dashboard if you want merchant and bank logos.

Target
BRAND_FETCH_CLIENT_ID
[API] Brandfetch High-Res Logos (Variable)

Optional env override for 120x120 Brandfetch logos. Set to 'true' to force high-res logos, 'false' to force standard size. Leave blank to keep the in-app toggle enabled.

Target
BRAND_FETCH_HIGH_RES_LOGOS
[API] Indexa API Token (Variable)

Optional global API token used by the Indexa Capital provider when account-level credentials are not configured.

Target
INDEXA_API_TOKEN
[API] Twelve Data Key (Variable)

Optional Twelve Data API key from twelvedata.com if you want exchange rates or securities from Twelve Data instead of Yahoo Finance.

Target
TWELVE_DATA_API_KEY
[API] Twelve Data URL Override (Variable)

Optional custom Twelve Data API base URL. Leave blank unless you are routing Twelve Data through a proxy or alternate endpoint.

Target
TWELVE_DATA_URL
[API] Twelve Data Min Request Interval (Variable)

Optional minimum spacing between Twelve Data requests in seconds. Leave blank for upstream pacing.

Target
TWELVE_DATA_MIN_REQUEST_INTERVAL
[API] Twelve Data Max Requests Per Minute (Variable)

Optional Twelve Data per-minute credit limit. Lower this if your plan is more restrictive than upstream defaults.

Target
TWELVE_DATA_MAX_REQUESTS_PER_MINUTE
[API] Tiingo API Key (Variable)

Optional Tiingo API key for securities pricing. Configure provider selection separately if you want Sure to use Tiingo.

Target
TIINGO_API_KEY
[API] Tiingo URL Override (Variable)

Optional custom Tiingo API base URL. Leave blank for normal public Tiingo access.

Target
TIINGO_URL
[API] Tiingo Max Requests Per Hour (Variable)

Optional Tiingo hourly request cap used by Sure's rate limiter. Leave blank for upstream defaults.

Target
TIINGO_MAX_REQUESTS_PER_HOUR
[API] EODHD API Key (Variable)

Optional EODHD API key for securities pricing, especially international ETF coverage. Configure provider selection separately if you want Sure to use EODHD.

Target
EODHD_API_KEY
[API] EODHD URL Override (Variable)

Optional custom EODHD API base URL. Leave blank for normal public EODHD access.

Target
EODHD_URL
[API] EODHD Max Requests Per Day (Variable)

Optional EODHD daily request cap used by Sure's rate limiter. Leave blank for upstream defaults.

Target
EODHD_MAX_REQUESTS_PER_DAY
[API] Alpha Vantage API Key (Variable)

Optional Alpha Vantage API key for securities pricing. Configure provider selection separately if you want Sure to use Alpha Vantage.

Target
ALPHA_VANTAGE_API_KEY
[API] Alpha Vantage URL Override (Variable)

Optional custom Alpha Vantage API base URL. Leave blank for normal public Alpha Vantage access.

Target
ALPHA_VANTAGE_URL
[API] Alpha Vantage Max Requests Per Day (Variable)

Optional Alpha Vantage daily request cap used by Sure's rate limiter. Leave blank for upstream defaults.

Target
ALPHA_VANTAGE_MAX_REQUESTS_PER_DAY
[API] MFAPI URL Override (Variable)

Optional custom MFAPI base URL for mutual-fund data. Leave blank for upstream defaults.

Target
MFAPI_URL
[API] Binance Public URL Override (Variable)

Optional custom Binance public market-data base URL. Leave blank for upstream defaults.

Target
BINANCE_PUBLIC_URL
[API] Binance Egress IP Hint (Variable)

Optional public egress IP shown in the Binance setup UI so users know which IP to allowlist.

Target
BINANCE_EGRESS_IP
[API] Yahoo Finance URL Override (Variable)

Optional custom Yahoo Finance API base URL. Leave blank for normal public Yahoo Finance access.

Target
YAHOO_FINANCE_URL
[API] Yahoo Finance Max Retries (Variable)

Maximum retry attempts for Yahoo Finance requests before Sure gives up.

Target
YAHOO_FINANCE_MAX_RETRIES
Default
5
Value
5
[API] Yahoo Finance Retry Interval (Variable)

Seconds to wait between Yahoo Finance retry attempts.

Target
YAHOO_FINANCE_RETRY_INTERVAL
Default
1.0
Value
1.0
[API] Yahoo Finance Min Request Interval (Variable)

Optional minimum spacing between Yahoo Finance requests in seconds. Leave blank to keep upstream defaults.

Target
YAHOO_FINANCE_MIN_REQUEST_INTERVAL
[Sync] Auto Sync Enabled (Variable)

Container-level override for Sure's scheduled sync job. Use '1' to keep it enabled or '0' to disable automatic syncs globally.

Target
AUTO_SYNC_ENABLED
Default
1
Value
1
[Sync] Auto Sync Time (Variable)

Daily auto-sync time in 24-hour HH:MM format.

Target
AUTO_SYNC_TIME
Default
02:22
Value
02:22
[Sync] Auto Sync Timezone (Variable)

Timezone used with AUTO_SYNC_TIME. Example: 'America/Denver'.

Target
AUTO_SYNC_TIMEZONE
Default
UTC
Value
UTC
[Sync] SimpleFIN Include Pending (Variable)

Set to '0' to exclude pending SimpleFIN transactions. If set here, upstream disables the corresponding Sync setting in the Sure UI.

Target
SIMPLEFIN_INCLUDE_PENDING
Default
1
Value
1
[Sync] SimpleFIN Raw Debug Logs (Variable)

Set to 'true' to log raw SimpleFIN payloads for debugging. This can expose sensitive data and create noisy logs.

Target
SIMPLEFIN_DEBUG_RAW
[Sync] SimpleFIN Credit Overpayment Heuristic (Variable)

Optional override for SimpleFIN liability overpayment detection. Set to 'false' to disable the heuristic globally.

Target
SIMPLEFIN_CC_OVERPAYMENT_HEURISTIC
[Sync] Plaid Include Pending (Variable)

Set to '0' to exclude pending Plaid transactions. If set here, upstream disables the corresponding Sync setting in the Sure UI.

Target
PLAID_INCLUDE_PENDING
Default
1
Value
1
[Sync] Lunchflow Include Pending (Variable)

Set to 'true' to include pending transactions in Lunchflow sync requests.

Target
LUNCHFLOW_INCLUDE_PENDING
[Sync] Lunchflow Raw Debug Logs (Variable)

Set to 'true' to log raw Lunchflow payloads for debugging. This can expose sensitive data and create noisy logs.

Target
LUNCHFLOW_DEBUG_RAW
[Auth] Local Login Enabled (Variable)

Set to 'false' to disable local email/password login and move users toward SSO-only auth.

Target
AUTH_LOCAL_LOGIN_ENABLED
Default
true
Value
true
[Auth] Local Admin Override (Variable)

If local login is disabled, set to 'true' to let super admins keep local login as an emergency backdoor.

Target
AUTH_LOCAL_ADMIN_OVERRIDE_ENABLED
Default
false
Value
false
[Auth] JIT SSO Mode (Variable)

SSO behavior for first-time users: 'create_and_link' creates accounts automatically, 'link_only' requires an existing user.

Target
AUTH_JIT_MODE
Default
create_and_link
Value
create_and_link
[Auth] Allowed OIDC Domains (Variable)

Optional comma-separated email domains allowed for JIT SSO account creation.

Target
ALLOWED_OIDC_DOMAINS
[Auth] Provider Source (Variable)

Leave blank for normal YAML/env-backed provider loading. Set to 'db' if you want upstream's database-backed SSO provider admin UI.

Target
AUTH_PROVIDERS_SOURCE
[Auth] OIDC Client ID (Variable)

OIDC client ID from your identity provider app registration, such as Authentik, Authelia, Keycloak, or Zitadel.

Target
OIDC_CLIENT_ID
[Auth] OIDC Client Secret (Variable)

OIDC client secret from the same identity provider app registration.

Target
OIDC_CLIENT_SECRET
[Auth] OIDC Issuer (Variable)

OIDC issuer URL. Example: 'https://auth.example.com/application/o/sure/' or your provider's issuer endpoint.

Target
OIDC_ISSUER
[Auth] OIDC Redirect URI (Variable)

OIDC redirect URI registered with your provider. Example: 'https://finance.example.com/auth/openid_connect/callback'.

Target
OIDC_REDIRECT_URI
[Auth] OIDC Button Label (Variable)

Optional custom sign-in button label for the default OIDC provider.

Target
OIDC_BUTTON_LABEL
[Auth] OIDC Button Icon (Variable)

Optional icon slug for the default OIDC sign-in button.

Target
OIDC_BUTTON_ICON
Default
key
Value
key
[Auth] Google OAuth Client ID (Variable)

Optional Google OAuth client ID from console.cloud.google.com if you want a dedicated Google sign-in provider.

Target
GOOGLE_OAUTH_CLIENT_ID
[Auth] Google OAuth Client Secret (Variable)

Optional Google OAuth client secret from the same Google OAuth app.

Target
GOOGLE_OAUTH_CLIENT_SECRET
[Auth] Google Button Label (Variable)

Optional custom label for the Google sign-in button.

Target
GOOGLE_BUTTON_LABEL
Default
Sign in with Google
Value
Sign in with Google
[Auth] Google Button Icon (Variable)

Optional icon slug for the Google sign-in button.

Target
GOOGLE_BUTTON_ICON
Default
google
Value
google
[Auth] GitHub OAuth Client ID (Variable)

Optional GitHub OAuth client ID from your GitHub OAuth App settings if you want a dedicated GitHub sign-in provider.

Target
GITHUB_CLIENT_ID
[Auth] GitHub OAuth Client Secret (Variable)

Optional GitHub OAuth client secret from the same GitHub OAuth App.

Target
GITHUB_CLIENT_SECRET
[Auth] GitHub Button Label (Variable)

Optional custom label for the GitHub sign-in button.

Target
GITHUB_BUTTON_LABEL
Default
Sign in with GitHub
Value
Sign in with GitHub
[Auth] GitHub Button Icon (Variable)

Optional icon slug for the GitHub sign-in button.

Target
GITHUB_BUTTON_ICON
Default
github
Value
github
[Auth:Keycloak] Client ID (Variable)

Optional named Keycloak OIDC provider client ID for upstream multi-provider auth.yml mode.

Target
OIDC_KEYCLOAK_CLIENT_ID
[Auth:Keycloak] Client Secret (Variable)

Optional named Keycloak OIDC provider client secret for upstream multi-provider auth.yml mode.

Target
OIDC_KEYCLOAK_CLIENT_SECRET
[Auth:Keycloak] Issuer (Variable)

Optional named Keycloak OIDC issuer URL for upstream multi-provider auth.yml mode.

Target
OIDC_KEYCLOAK_ISSUER
[Auth:Keycloak] Redirect URI (Variable)

Optional named Keycloak OIDC redirect URI for upstream multi-provider auth.yml mode.

Target
OIDC_KEYCLOAK_REDIRECT_URI
[Auth:Authentik] Client ID (Variable)

Optional named Authentik OIDC provider client ID for upstream multi-provider auth.yml mode.

Target
OIDC_AUTHENTIK_CLIENT_ID
[Auth:Authentik] Client Secret (Variable)

Optional named Authentik OIDC provider client secret for upstream multi-provider auth.yml mode.

Target
OIDC_AUTHENTIK_CLIENT_SECRET
[Auth:Authentik] Issuer (Variable)

Optional named Authentik OIDC issuer URL for upstream multi-provider auth.yml mode.

Target
OIDC_AUTHENTIK_ISSUER
[Auth:Authentik] Redirect URI (Variable)

Optional named Authentik OIDC redirect URI for upstream multi-provider auth.yml mode.

Target
OIDC_AUTHENTIK_REDIRECT_URI
[Storage] Provider Strategy (Variable)

Leave blank for internal disk storage. Change to 'amazon', 'cloudflare', 'generic_s3', or 'google' to move uploads out of the container.

Target
ACTIVE_STORAGE_SERVICE
[Storage:AWS] Access Key ID (Variable)

Amazon S3 access key ID from your AWS IAM user or access-key pair.

Target
S3_ACCESS_KEY_ID
[Storage:AWS] Secret Access Key (Variable)

Amazon S3 secret access key paired with the access key ID above.

Target
S3_SECRET_ACCESS_KEY
[Storage:AWS] Region (Variable)

Amazon S3 region. Defaults to us-east-1 if left blank.

Target
S3_REGION
[Storage:AWS] Bucket Name (Variable)

Amazon S3 bucket name.

Target
S3_BUCKET
[Storage:R2] Cloudflare Account ID (Variable)

Cloudflare account ID used to construct the R2 endpoint URL.

Target
CLOUDFLARE_ACCOUNT_ID
[Storage:R2] Access Key ID (Variable)

Cloudflare R2 access key ID from your R2 API token pair.

Target
CLOUDFLARE_ACCESS_KEY_ID
[Storage:R2] Secret Access Key (Variable)

Cloudflare R2 secret access key paired with the R2 access key ID above.

Target
CLOUDFLARE_SECRET_ACCESS_KEY
[Storage:R2] Bucket Name (Variable)

Cloudflare R2 bucket name.

Target
CLOUDFLARE_BUCKET
[Storage:Generic S3] Access Key ID (Variable)

Generic S3 or MinIO access key ID from your object-storage service.

Target
GENERIC_S3_ACCESS_KEY_ID
[Storage:Generic S3] Secret Access Key (Variable)

Generic S3 or MinIO secret access key paired with the access key ID above.

Target
GENERIC_S3_SECRET_ACCESS_KEY
[Storage:Generic S3] Region (Variable)

Generic S3 region value expected by your provider.

Target
GENERIC_S3_REGION
[Storage:Generic S3] Bucket Name (Variable)

Generic S3 or MinIO bucket name.

Target
GENERIC_S3_BUCKET
[Storage:Generic S3] Custom Endpoint (Variable)

Custom MinIO or S3-compatible endpoint URL.

Target
GENERIC_S3_ENDPOINT
[Storage:Generic S3] Force Path Style (Variable)

Set to 'true' for providers that require path-style S3 requests.

Target
GENERIC_S3_FORCE_PATH_STYLE
Default
false
Value
false
[Storage:GCS] Project (Variable)

Google Cloud project ID used by Active Storage when Provider Strategy is set to 'google'.

Target
GCS_PROJECT
[Storage:GCS] Bucket Name (Variable)

Google Cloud Storage bucket name used when Provider Strategy is set to 'google'.

Target
GCS_BUCKET
[Storage:GCS] Keyfile JSON (Variable)

Raw Google service-account JSON content. Preferred over a keyfile path when using GCS storage.

Target
GCS_KEYFILE_JSON
[Storage:GCS] Keyfile Path (Variable)

In-container path to a Google service-account JSON keyfile. Use only if you mount the file separately.

Target
GCS_KEYFILE
[Email] SMTP Address (Variable)

Hostname for your SMTP server. Example: 'smtp.mailgun.org', 'smtp.sendgrid.net', or your mail relay host.

Target
SMTP_ADDRESS
[Email] SMTP Port (Variable)

Port for your SMTP server. Common values: '465' for implicit TLS or '587' for STARTTLS.

Target
SMTP_PORT
Default
465
[Email] SMTP Username (Variable)

SMTP username from your mail provider or relay.

Target
SMTP_USERNAME
[Email] SMTP Password (Variable)

SMTP password or app password from your mail provider.

Target
SMTP_PASSWORD
[Email] SMTP TLS Enabled (Variable)

Leave 'true' for normal secure SMTP. Set to 'false' only if your mail relay expects plain SMTP without TLS.

Target
SMTP_TLS_ENABLED
Default
true
Value
true
[Email] SMTP TLS Skip Verify (Variable)

Leave 'false' for normal certificate validation. Set to 'true' only for a trusted private SMTP relay with broken TLS certificates.

Target
SMTP_TLS_SKIP_VERIFY
Default
false
Value
false
[Email] Sender Address (Variable)

The email address your app will send mail from (e.g., finance@mydomain.com).

Target
EMAIL_SENDER
[Plaid] Client ID (Variable)

Optional Plaid client ID if you want upstream Plaid account linking enabled.

Target
PLAID_CLIENT_ID
[Plaid] Secret (Variable)

Optional Plaid secret paired with the client ID above.

Target
PLAID_SECRET
[Plaid] Environment (Variable)

Optional Plaid environment such as 'sandbox' or 'production'.

Target
PLAID_ENV
[Plaid EU] Client ID (Variable)

Optional Plaid Europe client ID if you use the Plaid EU adapter.

Target
PLAID_EU_CLIENT_ID
[Plaid EU] Secret (Variable)

Optional Plaid Europe secret paired with the Plaid EU client ID above.

Target
PLAID_EU_SECRET
[Plaid EU] Environment (Variable)

Optional Plaid Europe environment such as 'sandbox' or 'production'.

Target
PLAID_EU_ENV
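
The field descriptions above say which values are safe defaults and which are temporary or advanced overrides. The script below is an added example, not part of sure-aio or Sure, that checks a KEY=VALUE dump of the container environment against that guidance. The dump format, the function names and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of sure-aio or Sure: audit a KEY=VALUE dump of the
# container environment against the template's own field guidance.
# Assumption: one VAR=value per line, for instance saved from
#   docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' <container>
# The dump holds live secrets; keep it out of shared folders and delete it after.

# Print the last value assigned to variable $1 in file $2 (empty if unset).
env_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Print a warning when variable $2 in file $1 equals $3 (case-insensitive).
flag_if() {
    val=$(env_get "$2" "$1" | tr '[:upper:]' '[:lower:]')
    if [ "$val" = "$3" ]; then
        echo "WARN $2=$3: $4"
    fi
}

# Print one finding per line for env file $1; prints nothing when all checks pass.
audit_sure_env() {
    f=$1

    # 'openssl rand -hex 64' emits exactly 128 lowercase hex characters.
    if ! env_get SECRET_KEY_BASE "$f" | grep -Eq '^[0-9a-f]{128}$'; then
        echo "FAIL SECRET_KEY_BASE: not the 128 hex chars that 'openssl rand -hex 64' produces"
    fi

    # Settings the template says to change only as temporary or advanced overrides.
    flag_if "$f" SSL_VERIFY false "outbound certificate verification is off"
    flag_if "$f" SMTP_TLS_ENABLED false "mail is sent over plain SMTP"
    flag_if "$f" SMTP_TLS_SKIP_VERIFY true "SMTP certificate validation is skipped"
    flag_if "$f" SURE_CSRF_ORIGIN_CHECK false "Origin check disabled; only CSRF tokens remain"
    flag_if "$f" REQUIRE_EMAIL_CONFIRMATION false "new accounts skip email confirmation"
    flag_if "$f" SIMPLEFIN_DEBUG_RAW true "raw SimpleFIN payloads are written to logs"
    flag_if "$f" LUNCHFLOW_DEBUG_RAW true "raw Lunchflow payloads are written to logs"

    # Blank keeps the upstream default password ('sure') on the /sidekiq dashboard.
    pw=$(env_get SIDEKIQ_WEB_PASSWORD "$f")
    if [ -z "$pw" ] || [ "$pw" = "sure" ]; then
        echo "WARN SIDEKIQ_WEB_PASSWORD: /sidekiq basic auth uses the upstream default password"
    fi

    # The template default for ONBOARDING_STATE is 'open'.
    state=$(env_get ONBOARDING_STATE "$f")
    if [ "${state:-open}" = "open" ] && [ "$(env_get REQUIRE_INVITE_CODE "$f")" != "true" ]; then
        echo "INFO ONBOARDING_STATE=open: registration is open with no invite-code gate"
    fi

    # External assistant mode requires both MCP settings.
    if [ "$(env_get ASSISTANT_TYPE "$f")" = "external" ]; then
        for v in MCP_USER_EMAIL MCP_API_TOKEN; do
            [ -n "$(env_get "$v" "$f")" ] || echo "FAIL $v: required when ASSISTANT_TYPE=external"
        done
    fi
}

# Constructed sample dump (not taken from a real install), written to file $1.
write_sample_env() {
    cat > "$1" <<'EOF'
SECRET_KEY_BASE=changeme
SELF_HOSTED=true
ONBOARDING_STATE=open
SSL_VERIFY=false
SMTP_TLS_SKIP_VERIFY=false
SIMPLEFIN_DEBUG_RAW=true
SIDEKIQ_WEB_PASSWORD=
ASSISTANT_TYPE=external
MCP_USER_EMAIL=admin@example.com
EOF
}

# Demo: audit the constructed sample and print its six findings.
sample=$(mktemp)
write_sample_env "$sample"
audit_sure_env "$sample"
rm -f "$sample"
```

The SECRET_KEY_BASE check only confirms the format that the Quick Install command produces; it does not measure how random the value is.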

Download Statistics

3,689
Total Downloads

Details

Repository
jsonbored/sure-aio:latest
Last Updated: 2026-05-26
First Seen: 2026-05-01
