From 47321ea9ad7e9be948bbdad93d8ae63846eb4610 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 28 Jul 2025 12:34:38 -0700
Subject: [PATCH] Update readme: env

---
 README.md | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index bd1aaf3..69a4fa8 100644
--- a/README.md
+++ b/README.md
@@ -50,10 +50,36 @@ When Newt receives WireGuard control messages, it will use the information encod
         -   `interface` (optional): Name of the WireGuard interface. Default: newt
         -   `keep-interface` (optional): Keep the WireGuard interface. Default: false
 
+## Environment Variables
+
+All CLI arguments can be set using environment variables as an alternative to command line flags. Environment variables are particularly useful when running Newt in containerized environments.
+
+-   `PANGOLIN_ENDPOINT`: Endpoint of your pangolin server (equivalent to `--endpoint`)
+-   `NEWT_ID`: Newt ID generated by Pangolin (equivalent to `--id`)
+-   `NEWT_SECRET`: Newt secret for authentication (equivalent to `--secret`)
+-   `MTU`: MTU for the internal WG interface. Default: 1280 (equivalent to `--mtu`)
+-   `DNS`: DNS server to use to resolve the endpoint. Default: 8.8.8.8 (equivalent to `--dns`)
+-   `LOG_LEVEL`: Log level (DEBUG, INFO, WARN, ERROR, FATAL). Default: INFO (equivalent to `--log-level`)
+-   `DOCKER_SOCKET`: Path to Docker socket for container discovery (equivalent to `--docker-socket`)
+-   `PING_INTERVAL`: Interval for pinging the server. Default: 3s (equivalent to `--ping-interval`)
+-   `PING_TIMEOUT`: Timeout for each ping. Default: 5s (equivalent to `--ping-timeout`)
+-   `UPDOWN_SCRIPT`: Path to updown script for target add/remove events (equivalent to `--updown`)
+-   `TLS_CLIENT_CERT`: Path to client certificate for mTLS (equivalent to `--tls-client-cert`)
+-   `DOCKER_ENFORCE_NETWORK_VALIDATION`: Validate container targets are on same network. Default: false (equivalent to `--docker-enforce-network-validation`)
+-   `HEALTH_FILE`: Path to health file for connection monitoring (equivalent to `--health-file`)
+-   `ACCEPT_CLIENTS`: Enable WireGuard server mode. Default: false (equivalent to `--accept-clients`)
+-   `GENERATE_AND_SAVE_KEY_TO`: Path to save generated private key (equivalent to `--generateAndSaveKeyTo`)
+-   `USE_NATIVE_INTERFACE`: Use native WireGuard interface (Linux only). Default: false (equivalent to `--native`)
+-   `INTERFACE`: Name of the WireGuard interface. Default: newt (equivalent to `--interface`)
+-   `KEEP_INTERFACE`: Keep the WireGuard interface after shutdown. Default: false (equivalent to `--keep-interface`)
+-   `CONFIG_FILE`: Load the config json from this file instead of in the home folder.
+
+**Note**: When both environment variables and CLI arguments are provided, CLI arguments take precedence.
+
 -   Example:
 
 ```bash
-./newt \
+newt \
 --id 31frd0uzbjvp721 \
 --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 \
 --endpoint https://example.com
@@ -245,7 +271,7 @@ Newt supports mutual TLS (mTLS) authentication, if the server has been configure
 Examples:
 
 ```bash
-./newt \
+newt \
 --id 31frd0uzbjvp721 \
 --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 \
 --endpoint https://example.com \