All configuration is via environment variables. The single source of truth for versions is `versions.nix`; run `just sync-versions` to regenerate `.env`.

| Variable | Default | Description |
| --- | --- | --- |
| POSTGRES_HOST | — | PostgreSQL host |
| POSTGRES_PORT | 5433 | PostgreSQL port |
| POSTGRES_USERNAME | — | PostgreSQL user |
| POSTGRES_PASSWORD | — | PostgreSQL password |
| POSTGRES_PATH | — | Database name |
| POSTGRES_READ_HOST | Same as write host | Read replica host |
| DB_POOL_MAX | 20 | Max connection pool size |
| DB_POOL_MIN | 2 | Min connection pool size |
| DB_CONNECT_TIMEOUT_SECS | 10 | Connection timeout |
| CLICKHOUSE_HOST | — | ClickHouse host |
| CLICKHOUSE_PORT | 8123 | ClickHouse HTTP port |

| Variable | Default | Description |
| --- | --- | --- |
| S3_ACCESS_KEY | — | Access key |
| S3_SECRET_KEY | — | Secret key |
| S3_ENDPOINT | — | Custom endpoint (for MinIO) |
| S3_REGION | — | AWS region |

Bucket names: syndb-mesh, syndb-swb, syndb-search, syndb-jobs. No underscores allowed in bucket names.

| Variable | Default | Description |
| --- | --- | --- |
| PASSLIB_SECRET | — | PASETO v4.local symmetric key (minimum 32 bytes) |
| SERVICE_SECRET | — | Service account registration secret |
| UI_BASE_URL | — | OAuth callback redirect base URL |
| ACCESS_TOKEN_LIFETIME | 900 (15 min) | Access token TTL in seconds |
| REFRESH_TOKEN_LIFETIME | 2592000 (30 days) | Refresh token TTL in seconds |

| Variable | Description |
| --- | --- |
| OA_GITHUB_ID, OA_GITHUB_SECRET | GitHub OAuth app credentials |
| OA_GOOGLE_ID, OA_GOOGLE_SECRET | Google OAuth credentials |
| OA_ORCID_ID, OA_ORCID_SECRET | ORCID OAuth credentials |
| OA_CILOGON_ID, OA_CILOGON_SECRET | CILogon OAuth credentials |
| OA_GITLAB_ID, OA_GITLAB_SECRET | GitLab OAuth credentials |
| OA_GITLAB_URL | Custom GitLab instance URL |
| OA_ORCID_SANDBOX | Use sandbox.orcid.org (false) |
| OA_CILOGON_SANDBOX | Use test.cilogon.org (false) |
| OAUTH_PROVIDER_BASE_URL | Override provider URLs (testing) |

| Variable | Default | Description |
| --- | --- | --- |
| FEDERATION_LISTEN_ADDR | OS-assigned | libp2p listen address |
| FEDERATION_ENABLE_MDNS | true | Enable mDNS LAN discovery |
| FEDERATION_HUB_MULTIADDRS | — | Comma-separated hub multiaddrs for WAN |
| FEDERATION_CLUSTER_NAME | — | Cluster identifier (required for node mode) |
| FEDERATION_CLUSTER_DESCRIPTION | — | Cluster description |
| FEDERATION_CLUSTER_INSTITUTION | — | Institution name |
| FEDERATION_PASSWORD | — | Shared federation secret |
| FEDERATION_CLUSTER_NATIVE_PORT | 9440 | ClickHouse native port for remote() |
| FEDERATION_NODE_FLIGHT_PORT | 50052 | Internal Flight gRPC port |
| FEDERATION_NODE_FLIGHT_ADVERTISE | localhost:50052 | Advertised Flight endpoint |
| FEDERATION_DELEGATION_TIMEOUT_SECS | 30 | Timeout for delegated requests |

| Variable | Default | Description |
| --- | --- | --- |
| DEV_MODE | false | Permissive CORS, data seeding |
| DEBUG | false | Verbose SQL logging |
| TESTING | false | Skip federation/job queue init |
| REQUEST_TIMEOUT_SECS | 60 | HTTP handler timeout |
| HTTP_CLIENT_TIMEOUT_SECS | 30 | Internal HTTP client timeout |
| UPLOAD_TIMEOUT | 21600 (6 hours) | Upload timeout |
| FLIGHT_PORT | 50051 | Arrow Flight server port |
| REQUIRE_AUTHENTICATION | true | Require auth for protected endpoints |

| Variable | Default | Description |
| --- | --- | --- |
| RATE_LIMIT_PER_SECOND | 100 | Sustained request rate per IP |
| RATE_LIMIT_BURST | 200 | Burst capacity per IP |

| Variable | Default | Description |
| --- | --- | --- |
| JOB_QUEUE_MAX_WORKERS | 4 | Max concurrent job workers |
| JOB_RESULT_TTL_HOURS | 24 | Result retention |
| JOB_MAX_RESULT_BYTES | 1073741824 (1 GB) | Max result size |

| Variable | Default | Description |
| --- | --- | --- |
| MEILISEARCH_HOST | — | Meilisearch host |
| MEILISEARCH_PORT | 7700 | Meilisearch port |
| MEILISEARCH_API_KEY | — | Meilisearch API key |
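
A preflight audit of a `.env` file against the security-relevant variables documented above, as an added example that is not part of the project's own code. The function names, the boolean spellings accepted, the byte-length measurement of `PASSLIB_SECRET` and the token-lifetime comparison are assumptions made here, and the sample input is constructed.

```python
"""Preflight audit of a .env file for the variables documented above (added example)."""

# Assumption: booleans are spelled true/false or 1/0; the service's own parser may differ.
TRUTHY = {"1", "true", "yes", "on"}

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments, stripping optional quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env

def audit(env):
    """Return (variable, finding) pairs for settings that weaken a deployment."""
    def flag(name, default):
        return env.get(name, default).lower() in TRUTHY
    findings = []
    # Assumption: key length is measured on the UTF-8 bytes of the raw value.
    if len(env.get("PASSLIB_SECRET", "").encode()) < 32:
        findings.append(("PASSLIB_SECRET", "shorter than the documented 32-byte minimum"))
    for name in ("SERVICE_SECRET", "POSTGRES_PASSWORD", "S3_SECRET_KEY"):
        if not env.get(name):
            findings.append((name, "no default is documented; value is empty or unset"))
    if flag("DEV_MODE", "false"):
        findings.append(("DEV_MODE", "enables permissive CORS and data seeding"))
    if flag("DEBUG", "false"):
        findings.append(("DEBUG", "enables verbose SQL logging"))
    if not flag("REQUIRE_AUTHENTICATION", "true"):
        findings.append(("REQUIRE_AUTHENTICATION", "auth is not required for protected endpoints"))
    # Sanity check added here, not a documented rule: access TTL should not outlive refresh TTL.
    access = int(env.get("ACCESS_TOKEN_LIFETIME", "900"))
    if access > int(env.get("REFRESH_TOKEN_LIFETIME", "2592000")):
        findings.append(("ACCESS_TOKEN_LIFETIME", "exceeds REFRESH_TOKEN_LIFETIME"))
    return findings

# Constructed sample input, not a real deployment.
SAMPLE = """
PASSLIB_SECRET="too-short"
SERVICE_SECRET=constructed-service-secret
POSTGRES_PASSWORD=constructed-db-password
S3_SECRET_KEY=
DEV_MODE=true
REQUIRE_AUTHENTICATION=false
"""

if __name__ == "__main__":
    for name, finding in audit(parse_env(SAMPLE)):
        print(f"{name}: {finding}")
```

Running it as a CI or container-entrypoint step lets a deployment fail before the service starts with a weak key or with development flags left on.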