Skip to main content

Nora environment variable reference

Complete reference for every environment variable Nora reads, grouped by category, with required flags, defaults, and configuration guidance.
Every Nora deployment is configured through environment variables. Start by copying .env.example to .env in your project root, then replace all <REPLACE_...> placeholders with real values before starting the stack. The sections below describe every variable Nora reads, grouped by function. Settings — the provider-keys surface that several environment variables ultimately drive
Generate cryptographic secrets with the following command. Never reuse secrets across deployments or commit them to version control.
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

Required

These variables must be set before the stack will start. Without them, JWTs cannot be signed, stored credentials cannot be encrypted, backup archives cannot be sealed, and Agent Hub source-catalog API keys cannot be hashed.
VariableRequiredDefaultDescription
JWT_SECRETYesSecret used to sign all JWTs. Minimum 32 characters. In production the backend refuses to boot when this is missing, too short, or looks like a placeholder (e.g. an unedited .env.example value). In development a generated secret is persisted in the database so sessions survive restarts.
ENCRYPTION_KEYYes32-byte hex key (64 hex characters) for AES-256-GCM encryption of stored provider keys, integration credentials, and other sensitive values. In production the backend refuses to boot when this is missing or invalid unless NORA_ALLOW_PLAINTEXT_SECRETS=true is set explicitly.
NORA_BACKUP_ENCRYPTION_KEYYes32-byte hex key for sealing managed backup archives. Required to create or restore backups. Do not rotate casually — archives encrypted with the previous key cannot be decrypted with a new one.
NORA_AGENT_HUB_API_KEY_HASH_SECRETYesHMAC secret for hashing Agent Hub source-catalog API keys at rest. setup.sh auto-generates this on first run; rotating it invalidates every issued Agent Hub key.
NORA_ALLOW_PLAINTEXT_SECRETSNofalseExplicit override to boot a production instance without a valid ENCRYPTION_KEY (credentials are then stored unencrypted). Only for throwaway/demo environments.

Bootstrap admin account

These two optional variables seed a first administrator account on the very first boot. They are ignored on subsequent starts once the account exists. Both must be set together — setting only one has no effect.
VariableRequiredDefaultDescription
DEFAULT_ADMIN_EMAILNoEmail address for the bootstrap admin account.
DEFAULT_ADMIN_PASSWORDNoPassword for the bootstrap admin account. Minimum 12 characters. No insecure defaults are accepted.
Do not set a weak or well-known password here. This account has full operator access from the moment the database is seeded.

Database

PostgreSQL connection settings. Defaults match the Docker Compose service name and port.
VariableRequiredDefaultDescription
DB_HOSTNopostgresPostgreSQL hostname. Compose users keep the default; external DBs override.
DB_PORTNo5432PostgreSQL port.
DB_USERNonoraDatabase role used by backend-api and worker-provisioner.
DB_PASSWORDYesPassword for the role above. For compose installs, keep this value aligned with the initialized Postgres volume; setup preserves it during reconfigure mode.
DB_NAMENonoraDatabase name.

Redis and queue

Redis backs BullMQ for deployment, ClawHub install, backup, and alert-delivery jobs.
VariableRequiredDefaultDescription
REDIS_HOSTNoredisRedis hostname.
REDIS_PORTNo6379Redis port.
REDIS_PASSWORDNoOptional Redis password. Set when Redis is exposed outside the compose network.
PORTNo4000Backend-api listen port inside the container.
BACKEND_API_PORTNo4100Host-only backend API port mapped to container PORT. Setup auto-picks another free port when 127.0.0.1:4100 is busy.
DEPLOYMENT_WORKER_CONCURRENCYNo6How many deployment jobs the provisioner worker runs in parallel. Higher values reduce queued time but increase image-pull and bootstrap pressure.
DEPLOYMENT_JOB_TIMEOUT_MSNo900000Timeout per deployment job, in milliseconds. Aliased by PROVISION_TIMEOUT_MS for legacy deployments.
CLAWHUB_INSTALL_TIMEOUT_MSNo300000Timeout per ClawHub skill install job, in milliseconds.
BACKUP_WORKER_CONCURRENCYNo2Backup worker concurrency.
NORA_BACKUP_JOB_TIMEOUT_MSNo1800000Backup job hard timeout. The backup worker enforces this via Promise.race because BullMQ v5 ignores defaultJobOptions.timeout.
NORA_BACKUP_SCHEDULE_POLL_MSNo60000How often the backup worker checks for due scheduled backups.
ALERT_DELIVERY_ATTEMPTSNo5Number of retry attempts for an alert webhook delivery before the worker records a terminal failure on the rule. Clamped to [1, 10].
ALERT_DELIVERY_WORKER_CONCURRENCYNo5Concurrency of the alert-deliveries worker.
WORKER_HEALTH_PORTNo4001Provisioner worker health-check port.
BACKUP_WORKER_HEALTH_PORTNo4002Backup worker health-check port.

Access and URL

These variables control which nginx configuration is mounted, the listening port, and the public-facing base URL.
VariableRequiredDefaultDescription
NGINX_CONFIG_FILENonginx.confNginx configuration to mount. Use nginx.conf for local-only mode and nginx.public.conf for public-domain mode.
NGINX_HTTP_PORTNo8080Host port mapped to the nginx HTTP listener. Use 8080 locally and 80 when deploying on a public domain. Setup auto-picks another free local port when 8080 is busy.
NEXTAUTH_URLNohttp://localhost:8080Canonical browser-facing URL of your Nora deployment. Set to your https:// origin when exposing on a domain.
NORA_PUBLIC_URLNoOptional explicit public origin used by emails, OAuth callbacks, and audit links when it differs from NEXTAUTH_URL.

OAuth

OAuth login is disabled by default. Set OAUTH_LOGIN_ENABLED=true and NEXT_PUBLIC_OAUTH_LOGIN_ENABLED=true along with provider credentials to enable it. Provider verification must be completed in the relevant developer consoles before these values take effect.
VariableRequiredDefaultDescription
OAUTH_LOGIN_ENABLEDNofalseSet to true to activate OAuth login on the backend.
NEXT_PUBLIC_OAUTH_LOGIN_ENABLEDNofalseSet to true to display OAuth login buttons in the frontends.
GOOGLE_CLIENT_IDNoOAuth 2.0 client ID from Google Cloud Console.
GOOGLE_CLIENT_SECRETNoOAuth 2.0 client secret from Google Cloud Console.
GITHUB_CLIENT_IDNoOAuth App client ID from GitHub Developer Settings.
GITHUB_CLIENT_SECRETNoOAuth App client secret from GitHub Developer Settings.
NEXTAUTH_SECRETNoSecret used by NextAuth.js for session encryption. Required when OAuth is enabled.

Public signup abuse protection

Signup remains public, but Nora can bound signup spikes with dedicated app-level rate limits and an optional bot challenge.
VariableRequiredDefaultDescription
SIGNUP_RATE_LIMIT_BURST_MAXNo5Maximum signup attempts per IP within the burst window.
SIGNUP_RATE_LIMIT_BURST_WINDOW_MSNo600000Burst signup window in milliseconds.
SIGNUP_RATE_LIMIT_DAILY_MAXNo20Maximum signup attempts per IP within the daily window.
SIGNUP_RATE_LIMIT_DAILY_WINDOW_MSNo86400000Sustained signup window in milliseconds.
SIGNUP_BOT_PROTECTION_PROVIDERNononeBackend signup challenge provider. One of none, turnstile, or recaptcha.
NEXT_PUBLIC_SIGNUP_BOT_PROTECTION_PROVIDERNononeFrontend signup challenge provider. Match the backend provider when challenge protection is used.
SIGNUP_TURNSTILE_SECRETNoCloudflare Turnstile secret key. Required when the signup provider is turnstile.
NEXT_PUBLIC_SIGNUP_TURNSTILE_SITE_KEYNoCloudflare Turnstile public site key rendered by the signup page.
SIGNUP_RECAPTCHA_SECRETNoGoogle reCAPTCHA secret key. Required when the signup provider is recaptcha.
NEXT_PUBLIC_SIGNUP_RECAPTCHA_SITE_KEYNoGoogle reCAPTCHA public site key rendered by the signup page.

Release tracking and upgrades

Drives the admin “release available” banner and the one-click upgrade runner. Setting NORA_GITHUB_REPO enables Nora to compare the running version against the latest published GitHub release.
VariableRequiredDefaultDescription
NORA_CURRENT_VERSIONNoCurrent running version, set by your deploy pipeline.
NORA_CURRENT_COMMITNoCommit SHA of the running build.
NORA_GITHUB_REPONosolomon2773/noraowner/repo used to query the GitHub Releases API.
NORA_GITHUB_TOKENNoOptional PAT to raise the GitHub API rate limit.
NORA_RELEASE_CACHE_TTL_MSNo300000How long to cache the latest-release lookup, in milliseconds.
NORA_LATEST_VERSIONNoManual override for the latest version. Skips the GitHub query when set.
NORA_LATEST_PUBLISHED_ATNoManual override for the latest release timestamp.
NORA_RELEASE_NOTES_URLNoURL displayed alongside the upgrade banner.
NORA_LATEST_SEVERITYNowarningSeverity of the upgrade banner. One of info, warning, critical.
NORA_UPGRADE_REQUIREDNofalseSet to true to display a hard-required upgrade banner.
NORA_AUTO_UPGRADE_ENABLEDNofalseOpt-in to one-click upgrades from Admin Settings.
NORA_HOST_REPO_DIRNoAbsolute Linux host path to this Nora checkout. Auto-filled by setup.sh.
NORA_UPGRADE_REPONohttps://github.com/solomon2773/nora.gitGit URL used by the upgrade runner.
NORA_UPGRADE_REFNomasterBranch or ref the upgrade runner pulls.
NORA_UPGRADE_RUNNER_IMAGENodocker:29-cliContainer image the upgrade runner executes inside.
NORA_UPGRADE_STATE_VOLUMENonora_upgrade_stateDocker volume that persists upgrade state between runs.
NORA_ENV_FILENo.envDeploy env file passed to Docker Compose during one-click upgrades.
NORA_UPGRADE_COMPOSE_FILESNoauto-detectedColon-separated compose file list used by the upgrade runner. Leave blank to reuse Docker Compose labels from the running backend container.
NORA_UPGRADE_PUBLIC_HEALTH_URLNoOptional public health URL checked after the stack rebuilds, for example https://stage.example.com/api/health.
NORA_UPGRADE_HEALTHCHECK_ATTEMPTSNo40Number of backend health attempts before a one-click upgrade is marked failed.
NORA_UPGRADE_HEALTHCHECK_INTERVAL_SECONDSNo3Seconds to wait between one-click upgrade health checks.
NORA_INSTALL_METHODNosourceInstall method shown in admin UI. One of source, docker_image, custom.
NORA_MANUAL_UPGRADE_COMMANDNo./setup.sh --updateCommand displayed when auto-upgrade is disabled.
NORA_MANUAL_UPGRADE_STEPSNoOptional override for the displayed manual-upgrade steps.

System banner

VariableRequiredDefaultDescription
NORA_SYSTEM_BANNER_ENABLEDNofalseMaster switch for the admin-configured banner shown across /app and /admin. Banner copy and severity are managed in Admin Settings.

Platform mode

VariableRequiredDefaultDescription
PLATFORM_MODENoselfhostedOperating mode. selfhosted uses operator-defined resource limits with no billing. paas enables Stripe billing and locks resources to subscription plan tiers. See Platform modes for full details.

Self-hosted resource limits

These variables are only read when PLATFORM_MODE=selfhosted. They define the maximum resources any single user can request when deploying an agent.
VariableRequiredDefaultDescription
MAX_VCPUNo16Maximum vCPUs a user may allocate to a single agent.
MAX_RAM_MBNo32768Maximum RAM in megabytes a user may allocate to a single agent.
MAX_DISK_GBNo500Maximum disk space in gigabytes a user may allocate to a single agent.
MAX_AGENTSNo50Maximum number of agents a single user may deploy.

Billing / Stripe

These variables are only read when PLATFORM_MODE=paas. See Platform modes for a full explanation of PaaS mode.
VariableRequiredDefaultDescription
BILLING_ENABLEDNofalseSet to true to enforce Stripe subscription limits. When false in PaaS mode, deployments are unlimited.
STRIPE_SECRET_KEYNoStripe secret key. Use sk_test_... for testing and sk_live_... for production.
STRIPE_WEBHOOK_SECRETNoStripe webhook signing secret (whsec_...) for verifying incoming webhook events.
STRIPE_PRICE_PRONoStripe Price ID (price_...) for the Pro subscription tier.
STRIPE_PRICE_ENTERPRISENoStripe Price ID (price_...) for the Enterprise subscription tier.

Runtime selection

Runtime selection is three-dimensional: runtime family × deploy target × sandbox profile. Each enabled-list variable accepts a comma-separated list. The first id in each list is the default for new deployments. See Provisioner backends for details.
VariableRequiredDefaultDescription
ENABLED_RUNTIME_FAMILIESNoopenclawRuntime families enabled. Supported ids: openclaw, hermes.
ENABLED_BACKENDSNodockerEnv-configured deploy targets enabled. Use docker for supported onboarding. proxmox is known but release-blocked. Kubernetes clusters are registered in Admin.
ENABLED_SANDBOX_PROFILESNostandardSandbox profiles enabled. Supported ids: standard, nemoclaw.

Kubernetes registry and Compose mount helpers

Nora no longer creates Kubernetes execution targets from .env labels. Register every Kubernetes cluster in Admin -> Kubernetes. Each enabled row becomes a concrete execution target such as k8s:aks-eastus2 and stores its provider, actual cluster name, kubeconfig, namespaces, exposure mode, Service annotations, load-balancer source ranges, and load-balancer class. docker-compose.kubernetes.yml only mounts a kubeconfig directory into the Nora containers. Put one or more kubeconfig files under NORA_KUBECONFIGS_DIR, then enter /kubeconfigs/<file> as each Admin Kubeconfig path. The Admin path must be the path visible inside backend-api and worker-provisioner, not the host path. For more than one cluster, put multiple kubeconfig files under NORA_KUBECONFIGS_DIR. The Kubernetes overlay mounts that directory at /kubeconfigs, so two AKS clusters can use Admin paths such as /kubeconfigs/aks-eastus2 and /kubeconfigs/aks-westus2 while both still run through docker-compose.kubernetes.yml.
VariableRequiredDefaultDescription
NORA_KUBECONFIGS_DIRNo./.secrets/kubeconfigsHost directory mounted at /kubeconfigs by the Kubernetes overlay for single- or multi-cluster setups.
CONTAINER_KUBECONFIG_PATHNo/tmp/nora-kind.container.kubeconfigKind smoke helper file; its parent directory is mounted as NORA_KUBECONFIGS_DIR.
Admin-registered encrypted kubeconfigs require ENCRYPTION_KEY because Nora stores pasted kubeconfig content encrypted at rest.

Gateway proxy SSRF guard

Defaults allow OpenClaw’s internal gateway port, Docker-published 19000-19999, and Kubernetes NodePort 30000-32767. Override only if you publish gateways on non-default ports or hosts.
VariableRequiredDefaultDescription
NORA_GATEWAY_PROXY_ALLOWED_PORTSNoComma-separated list of additional ports the gateway proxy may target.
NORA_GATEWAY_PROXY_ALLOWED_HOSTSNoComma-separated list of additional hostnames the gateway proxy may target.

Proxmox

Proxmox is planned but not supported in the current release. These values are retained for adapter development and future validation; setting them does not unblock Proxmox runtime deployment.
VariableRequiredDefaultDescription
PROXMOX_API_URLNoFull URL to the Proxmox API, for example https://proxmox.local:8006/api2/json.
PROXMOX_TOKEN_IDNoProxmox API token ID in user@pam!tokenname format.
PROXMOX_TOKEN_SECRETNoSecret associated with the Proxmox API token.
PROXMOX_NODENopveName of the Proxmox node where VMs are created.
PROXMOX_TEMPLATENolocal:vztmpl/ubuntu-22.04-standard_22.04-1_amd64.tar.zstDefault LXC template used for OpenClaw agents.
PROXMOX_HERMES_TEMPLATENoOverride template used when deploying Hermes agents on Proxmox.
PROXMOX_NEMOCLAW_TEMPLATENoOverride template used when deploying NemoClaw-sandboxed agents on Proxmox.
PROXMOX_ROOTFS_STORAGENolocal-lvmProxmox storage pool used for the rootfs disk.
PROXMOX_BRIDGENovmbr0Network bridge attached to created LXCs/VMs.
PROXMOX_SSH_HOSTNoSSH host used by Nora to run privileged commands on the Proxmox node.
PROXMOX_SSH_USERNorootSSH user.
PROXMOX_SSH_PRIVATE_KEY_PATHNoPath to the private key file mounted into backend-api / worker-provisioner.
PROXMOX_SSH_PASSWORDNoPassword fallback when key auth is not configured.

NemoClaw / NVIDIA

Read when ENABLED_SANDBOX_PROFILES includes nemoclaw.
VariableRequiredDefaultDescription
NVIDIA_API_KEYNoAPI key from build.nvidia.com for accessing NVIDIA-hosted Nemotron models.
NEMOCLAW_DEFAULT_MODELNonvidia/nemotron-3-super-120b-a12bDefault Nemotron model used by NemoClaw agents.
NEMOCLAW_SANDBOX_IMAGENonora-nemoclaw-agent:localContainer image for NemoClaw sandbox runtime. setup.sh builds this automatically when NemoClaw is enabled.

OpenClaw runtime

These variables tune the OpenClaw runtime image and gateway. Most operators leave them at their defaults; override when running a forked OpenClaw build or pinning to a specific image.
VariableRequiredDefaultDescription
OPENCLAW_DOCKER_IMAGENoOpenClaw defaultContainer image used for OpenClaw agents.
OPENCLAW_STANDARD_IMAGENoOpenClaw defaultImage used specifically for the standard sandbox profile.
OPENCLAW_GATEWAY_PORTNo18789Internal port the OpenClaw gateway listens on inside the agent container.
OPENCLAW_GATEWAY_TOKENNoauto-generated per agentStatic gateway token override. Most deployments rely on the per-agent token Nora issues.
OPENCLAW_DOCKER_PACKAGENoOpenClaw defaultOverride package name used when building images.
OPENCLAW_TSX_BINNoOpenClaw defaultPath to the tsx runner inside the OpenClaw image.
OPENCLAW_TSX_PACKAGENoOpenClaw defaultOverride tsx package name.
OPENCLAW_CLI_PATHNoOpenClaw defaultPath to the OpenClaw CLI inside the image.
OPENCLAW_DISABLE_BONJOURNofalseDisable Bonjour/mDNS inside OpenClaw containers when not needed.

Hermes runtime

VariableRequiredDefaultDescription
HERMES_DOCKER_IMAGENoHermes defaultContainer image used for Hermes agents when hermes is in ENABLED_RUNTIME_FAMILIES.

Agent Hub source catalog

Configure where Agent Hub fetches community templates from. Internal templates are seeded automatically.
VariableRequiredDefaultDescription
NORA_AGENT_HUB_URLNohttps://nora.solomontsao.comBase URL of the Agent Hub source catalog.
NORA_AGENT_HUB_API_KEYNoAPI key for the source catalog. Stored encrypted in Admin Settings; the env value bootstraps the first run.

Workspace invitations

VariableRequiredDefaultDescription
NORA_WORKSPACE_INVITE_SECRETNoSecret used to sign workspace invitation tokens. Falls back to JWT_SECRET when unset.

Integrations

VariableRequiredDefaultDescription
NORA_INTEGRATIONS_DIRNobackend-api/integrations-dataDirectory where integration runtime files are written before being mounted into agents.
NORA_INTEGRATIONS_CONFIGNoPath to a JSON file overriding the default integration catalog.

Managed backups

NORA_BACKUP_STORAGE selects the destination. Supported values: local (default volume), s3, r2, ssh. Leave the destination credentials empty to manage them through Admin Settings instead of .env.
VariableRequiredDefaultDescription
NORA_BACKUP_STORAGENolocalDestination type. One of local, s3, r2, ssh.
NORA_BACKUP_DIRNoOverride path for local destination. Defaults to the nora_backups Docker volume.
NORA_BACKUP_LIMIT_PER_AGENTNo10Maximum number of retained backups per agent.
NORA_BACKUP_STORAGE_MBNo51200Soft cap on total backup storage in megabytes.
NORA_BACKUP_RETENTION_DAYSNo30Number of days to retain expired backups before pruning.

S3-compatible

Use NORA_BACKUP_STORAGE=s3 for AWS S3 or any S3-compatible service. Set NORA_BACKUP_S3_ENDPOINT for non-AWS providers.
VariableRequiredDefaultDescription
NORA_BACKUP_S3_BUCKETNoS3 bucket name.
NORA_BACKUP_S3_REGIONNoAWS region or compatible region string.
NORA_BACKUP_S3_ENDPOINTNoCustom endpoint for non-AWS providers.
NORA_BACKUP_S3_ACCESS_KEY_IDNoAccess key.
NORA_BACKUP_S3_SECRET_ACCESS_KEYNoSecret access key.
NORA_BACKUP_S3_SESSION_TOKENNoOptional STS session token.

Cloudflare R2

Use NORA_BACKUP_STORAGE=r2. Set NORA_BACKUP_R2_ENDPOINT to your account endpoint, e.g. https://<account-id>.r2.cloudflarestorage.com.
VariableRequiredDefaultDescription
NORA_BACKUP_R2_BUCKETNoR2 bucket name.
NORA_BACKUP_R2_REGIONNoRegion.
NORA_BACKUP_R2_ENDPOINTNoAccount-specific R2 endpoint URL.
NORA_BACKUP_R2_ACCESS_KEY_IDNoR2 access key.
NORA_BACKUP_R2_SECRET_ACCESS_KEYNoR2 secret access key.
NORA_BACKUP_R2_SESSION_TOKENNoOptional session token.

SSH / SFTP

Use NORA_BACKUP_STORAGE=ssh.
VariableRequiredDefaultDescription
NORA_BACKUP_SSH_HOSTNoSSH host.
NORA_BACKUP_SSH_PORTNo22SSH port.
NORA_BACKUP_SSH_USERNAMENoSSH user.
NORA_BACKUP_SSH_REMOTE_PATHNoRemote path where backup archives are uploaded.
NORA_BACKUP_SSH_PRIVATE_KEYNoPEM-encoded private key for SSH auth.
NORA_BACKUP_SSH_PASSWORDNoPassword fallback when key auth is not configured.

Security

VariableRequiredDefaultDescription
CORS_ORIGINSNohttp://localhost:8080Comma-separated list of allowed CORS origins. Update to your public origin when Nora is exposed on a domain, for example https://app.example.com.

LLM key storage

VariableRequiredDefaultDescription
KEY_STORAGENodatabaseWhere LLM provider keys are stored. database encrypts and persists keys in PostgreSQL. env reads keys from environment variables instead.
MICROSOFT_FOUNDRY_API_KEYNoFoundry API key when using KEY_STORAGE=env or injecting provider credentials directly into a runtime.
MICROSOFT_FOUNDRY_BASE_URLNoPer-resource Foundry endpoint, for example https://<resource>.services.ai.azure.com/openai/v1/. Required for Microsoft Foundry runtime registration.
MICROSOFT_FOUNDRY_DEPLOYMENTNoExact Azure deployment name to use as the runtime model, for example gpt-5.5-1. Deployment names are operator-defined and must not be shortened to gpt-5.5.
MICROSOFT_FOUNDRY_API_VERSIONNoOptional Foundry API version for classic Azure OpenAI endpoint shapes. Leave empty when using the OpenAI v1 GA path.

TLS

Optional; only relevant when nginx terminates TLS directly inside the stack.
VariableRequiredDefaultDescription
TLS_CERT_PATHNoPath to the TLS certificate file on the host. Used when nginx is configured to terminate TLS.
TLS_KEY_PATHNoPath to the TLS private key file on the host.

Cost reporting

These optional rates drive the Cost dashboards. Nora estimates spend from token usage recorded by OpenClaw, Hermes, and future runtime chat paths.
VariableRequiredDefaultDescription
COST_PER_1K_TOKENSNo0.002Fallback LLM token cost when a per-model rate is unavailable or historical usage has no model data.
COST_MODEL_RATES_JSONNoJSON object mapping model ids or provider/model ids to token rates.
Example: 
COST_MODEL_RATES_JSON={"openai/gpt-5.5":{"input_per_1k":0.002,"output_per_1k":0.008},"claude-sonnet-4-5":{"input_per_1k":0.003,"output_per_1k":0.015},"flat-model":{"per_1k":0.004}}
Use input_per_1k and output_per_1k when Nora records prompt/completion token splits. Use per_1k for total-token-only pricing.

Legacy AWS backup variables

These variables are read by older platform-settings code paths for backward compatibility. New deployments should use the NORA_BACKUP_S3_* family above instead.
VariableRequiredDefaultDescription
AWS_S3_BUCKETNoLegacy S3 bucket alias for backups.
AWS_ACCESS_KEY_IDNoLegacy AWS access key ID.
AWS_SECRET_ACCESS_KEYNoLegacy AWS secret access key.