Hey @shalak,
please take a look at this post, which should hopefully answer some questions regarding the Repository Server and password variables.
AFAICT the USER variable is never used. Maybe a copy & paste leftover.
Basic auth is only used for WebUI access. Clients don’t need to know this credentials when connected through Repository Server. You can omit this settings and disable the WebUI if you don’t plan on using it.
Persistent cache isn’t necessary but might be helpful when your server is connected to a slow storage backend (e.g. high latency SFTP).
Seems to be used for browsing mounted snapshots.
You can use the WebUI, but I prefer to use CLI. This command should create the repository and automatically use the KOPIA_PASSWORD from your docker-compose file as repository (master) password.
docker exec kopia kopia repo create filesystem --path=/repository
There is no need for 2 repositories as users can only see their own snapshots and policies when ACLs are enabled ( kopia server acl enable).
The server certificate fingerprint is printed to your console/logs when you start the server with the --tls-generate-cert parameter. Please see my post here for a mini-tutorial on this topic.