Infrahub configuration
The Infrahub containers have a number of environment variables available at runtime to affect their behavior.
Here are a few common methods of setting configuration:
- Exporting in a shell, example: export INFRAHUB_ADDRESS="http://localhost:8000"
- Using a .env file
- Using a .toml configuration file (setting names use lowercase with underscores, e.g., address = "http://localhost:8000")
- Using direnv
note
infrahubctl has its own environment variables. See the infrahubctl documentation for more information.
Main
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_DOCS_INDEX_PATH | Full path of saved json containing pre-indexed documentation | string | /opt/infrahub/docs/build/search-index.json |
INFRAHUB_INTERNAL_ADDRESS | None | None | None |
INFRAHUB_ALLOW_ANONYMOUS_ACCESS | Indicates if the system allows anonymous read access | boolean | True |
INFRAHUB_ANONYMOUS_ACCESS_ROLE | Name of the role defining which permissions anonymous users have | string | Anonymous User |
INFRAHUB_TELEMETRY_OPTOUT | Disable anonymous usage reporting | boolean | False |
INFRAHUB_TELEMETRY_ENDPOINT | None | string | https://telemetry.opsmill.cloud/infrahub |
INFRAHUB_PERMISSION_BACKENDS | List of modules to handle permissions, they will be run in the given order | array[string] | ['infrahub.permissions.LocalPermissionBackend'] |
INFRAHUB_PUBLIC_URL | Define the public URL of Infrahub, might be required for OAuth2 and OIDC depending on your infrastructure. | None | None |
INFRAHUB_SCHEMA_STRICT_MODE | Enable strict schema validation. When set to False, human_friendly_id schema fields should not necessarily target a unique combination of peer attributes. | boolean | True |
INFRAHUB_DIFF_UPDATE_AFTER_MERGE | When enabled, diff updates are triggered for active branches after a branch merge. | boolean | True |
INFRAHUB_DELETE_BRANCH_AFTER_MERGE | When enabled, the Infrahub branch is automatically deleted after a successful merge. | boolean | False |
Api
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_API_CORS_ALLOW_ORIGINS | A list of origins that are authorized to make cross-site HTTP requests | array[string] | None |
INFRAHUB_API_CORS_ALLOW_METHODS | A list of HTTP verbs that are allowed for the actual request | array[string] | None |
INFRAHUB_API_CORS_ALLOW_HEADERS | The list of non-standard HTTP headers allowed in requests from the browser | array[string] | None |
INFRAHUB_API_CORS_ALLOW_CREDENTIALS | If True, cookies will be allowed to be included in cross-site HTTP requests | boolean | True |
Git
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_GIT_REPOSITORIES_DIRECTORY | None | string | repositories |
INFRAHUB_GIT_SYNC_INTERVAL | Time (in seconds) between git repositories synchronizations | integer | 10 |
INFRAHUB_GIT_APPEND_GIT_SUFFIX | Automatically append '.git' to HTTP URLs for these domains. | array[string] | None |
INFRAHUB_GIT_IMPORT_SYNC_BRANCH_NAMES | Names or regex of branches to be created in infrahub during import e.g. 'infrahub/.', 'release/.', '^branch-'. Note: other branches created with sync with git will be imported also | array[string] | None |
INFRAHUB_GIT_USER_NAME | User name of the git user. This will be used as the user name when Infrahub commits code to a repository | string | Infrahub |
INFRAHUB_GIT_USER_EMAIL | Email of the git user. This will be used as the user email when Infrahub commits code to a repository | string | infrahub@opsmill.com |
INFRAHUB_GIT_GLOBAL_CONFIG_FILE | The location of the git config file. This will be set as the system GIT_CONFIG_GLOBAL environment variable if the environment variable is not initially set | string | /opt/infrahub/.gitconfig |
INFRAHUB_GIT_USE_EXPLICIT_MERGE_COMMIT | Whether to allow explicit merge commits when infrahub merges branches | boolean | False |
INFRAHUB_GIT_DELETE_GIT_BRANCH_AFTER_MERGE | When enabled, the corresponding Git branch is deleted after the Infrahub branch is deleted. Requires delete_branch_after_merge to be enabled. | boolean | False |
Dev
The development settings are only relevant for local development.
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_DEV_FRONTEND_REDIRECT_SSO | Indicates if the frontend should be responsible for the SSO redirection | boolean | False |
INFRAHUB_DEV_ALLOW_ENTERPRISE_CONFIGURATION | Allow enterprise configuration in development mode, this will not enable the features just allow the configuration. | boolean | False |
INFRAHUB_DEV_GIT_CREDENTIAL_HELPER | Location of git credential helper | string | infrahub-git-credential |
Http
The HTTP settings control how Infrahub interacts with external HTTP servers. This can be things like webhooks and OAuth2 providers.
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_HTTP_TIMEOUT | Default connection timeout in seconds | integer | 10 |
INFRAHUB_HTTP_TLS_INSECURE | Indicates if Infrahub will validate server certificates or if the validation is ignored. | boolean | False |
INFRAHUB_HTTP_TLS_CA_BUNDLE | Custom CA bundle in PEM format. The value should either be the CA bundle as a string, alternatively as a file path. | None | None |
Database
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_DB_INFRAHUB_DB_TYPE | None | string (neo4j, memgraph) | neo4j |
INFRAHUB_DB_PROTOCOL | None | string | bolt |
INFRAHUB_DB_USERNAME | None | string | neo4j |
INFRAHUB_DB_PASSWORD | None | string | admin |
INFRAHUB_DB_ADDRESS | None | string | localhost |
INFRAHUB_DB_PORT | None | integer | 7687 |
INFRAHUB_DB_DATABASE | Name of the database | None | None |
INFRAHUB_DB_POLICY | Routing policy for database connections | None | None |
INFRAHUB_DB_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
INFRAHUB_DB_TLS_INSECURE | Indicates if TLS certificates are verified | boolean | False |
INFRAHUB_DB_TLS_CA_FILE | File path to CA cert or bundle in PEM format | None | None |
INFRAHUB_DB_QUERY_SIZE_LIMIT | The max number of records to fetch in a single query before performing internal pagination. | integer | 5000 |
INFRAHUB_DB_MAX_DEPTH_SEARCH_HIERARCHY | Maximum number of levels to search in a hierarchy. | integer | 5 |
INFRAHUB_DB_RETRY_LIMIT | Maximum number of times a transient issue in a transaction should be retried. | integer | 3 |
INFRAHUB_DB_RETRY_BASE_DELAY | Base delay in seconds for exponential backoff on transaction retries. | number | 0.1 |
INFRAHUB_DB_RETRY_MAX_DELAY | Maximum delay in seconds for exponential backoff on transaction retries. | number | 2.0 |
INFRAHUB_DB_RETRY_JITTER_MAX | Maximum jitter in seconds added to retry delay to avoid thundering herd. | number | 0.1 |
INFRAHUB_DB_MAX_CONCURRENT_QUERIES | Maximum number of concurrent queries that can run (0 means unlimited). | integer | 0 |
INFRAHUB_DB_MAX_CONCURRENT_QUERIES_DELAY | Delay to add when max_concurrent_queries is reached. | number | 0.01 |
Broker
Configuration settings for the message bus.
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_BROKER_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
INFRAHUB_BROKER_TLS_INSECURE | Indicates if TLS certificates are verified | boolean | False |
INFRAHUB_BROKER_TLS_CA_FILE | File path to CA cert or bundle in PEM format | None | None |
INFRAHUB_BROKER_USERNAME | None | string | infrahub |
INFRAHUB_BROKER_PASSWORD | None | string | infrahub |
INFRAHUB_BROKER_ADDRESS | None | string | localhost |
INFRAHUB_BROKER_PORT | Specified if running on a non default port. | None | None |
INFRAHUB_BROKER_RABBITMQ_HTTP_PORT | None | None | None |
INFRAHUB_BROKER_NAMESPACE | None | string | infrahub |
INFRAHUB_BROKER_MAXIMUM_MESSAGE_RETRIES | The maximum number of retries that are attempted for failed messages | integer | 10 |
INFRAHUB_BROKER_MAXIMUM_CONCURRENT_MESSAGES | The maximum number of concurrent messages fetched by each worker | integer | 2 |
INFRAHUB_BROKER_VIRTUALHOST | The virtual host to connect to | string | / |
INFRAHUB_BROKER_DRIVER | None | string (rabbitmq, nats) | rabbitmq |
Cache
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_CACHE_ADDRESS | None | string | localhost |
INFRAHUB_CACHE_PORT | Specified if running on a non default port (6379) | None | None |
INFRAHUB_CACHE_DATABASE | Id of the database to use | integer | 0 |
INFRAHUB_CACHE_DRIVER | None | string (redis, nats) | redis |
INFRAHUB_CACHE_USERNAME | None | string | |
INFRAHUB_CACHE_PASSWORD | None | string | |
INFRAHUB_CACHE_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
INFRAHUB_CACHE_TLS_INSECURE | Indicates if TLS certificates are verified | boolean | False |
INFRAHUB_CACHE_TLS_CA_FILE | File path to CA cert or bundle in PEM format | None | None |
INFRAHUB_CACHE_CLEAN_UP_DEADLOCKS_INTERVAL_MINS | Age threshold in minutes: locks older than this and owned by inactive workers are deleted by the cleanup task. | integer | 15 |
Workflow
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_WORKFLOW_ADDRESS | None | string | localhost |
INFRAHUB_WORKFLOW_PORT | Specified if running on a non default port. | None | None |
INFRAHUB_WORKFLOW_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
INFRAHUB_WORKFLOW_DRIVER | None | string (local, worker) | worker |
INFRAHUB_WORKFLOW_DEFAULT_WORKER_TYPE | None | string | infrahubasync |
INFRAHUB_WORKFLOW_EXTRA_LOGGERS | A list of additional loggers that will be captured during task execution. | array[string] | None |
INFRAHUB_WORKFLOW_EXTRA_LOG_LEVEL | Log level applied to all extra loggers. | string (CRITICAL, ERROR, WARNING, INFO, DEBUG) | INFO |
INFRAHUB_WORKFLOW_WORKER_POLLING_INTERVAL | Specify how often the worker should poll the server for tasks (sec) | integer | 2 |
INFRAHUB_WORKFLOW_FLOW_RUN_COUNT_CACHE_THRESHOLD | Threshold for caching flow run counts (0 to always cache, higher values to disable) | integer | 100000 |
Miscellaneous
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_MISC_PRINT_QUERY_DETAILS | None | boolean | False |
INFRAHUB_MISC_START_BACKGROUND_RUNNER | None | boolean | True |
INFRAHUB_MISC_MAXIMUM_VALIDATOR_EXECUTION_TIME | The maximum allowed time (in seconds) for a validator to run. | integer | 1800 |
INFRAHUB_MISC_RESPONSE_DELAY | Arbitrary delay to add when processing API requests. | integer | 0 |
Analytics
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_ANALYTICS_ENABLE | None | boolean | True |
INFRAHUB_ANALYTICS_ADDRESS | None | None | None |
INFRAHUB_ANALYTICS_API_KEY | None | None | None |
Initial
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_INITIAL_DEFAULT_BRANCH | Defines the name of the default branch within Infrahub, can only be set once during initialization of the system. | string | main |
INFRAHUB_INITIAL_ADMIN_TOKEN | An optional initial token for the admin account. | None | None |
INFRAHUB_INITIAL_ADMIN_PASSWORD | The initial password for the admin user | string | infrahub |
INFRAHUB_INITIAL_AGENT_TOKEN | An optional initial token for a git-agent account. | None | None |
INFRAHUB_INITIAL_AGENT_PASSWORD | An optional initial password for a git-agent account. | None | None |
Policy
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_POLICY_REQUIRED_PROPOSED_CHANGE_APPROVALS | Number of approvals required for proposed changes. (Enterprise only: not available in the community version.) | integer | 0 |
INFRAHUB_POLICY_REVOKE_PROPOSED_CHANGE_APPROVALS | Boolean indicating whether performing changes on a proposed change branch should revoke existing approvals. (Enterprise only: not available in the community version.) | boolean | False |
Security
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_SECURITY_ACCESS_TOKEN_LIFETIME | Lifetime of access token in seconds | integer | 3600 |
INFRAHUB_SECURITY_REFRESH_TOKEN_LIFETIME | Lifetime of refresh token in seconds | integer | 2592000 |
INFRAHUB_SECURITY_SECRET_KEY | The secret key used to validate authentication tokens | string | None |
INFRAHUB_SECURITY_OAUTH2_PROVIDERS | The selected OAuth2 providers | array[string] | None |
INFRAHUB_SECURITY_OAUTH2_PROVIDER_SETTINGS | None | object | Check nested parameters |
INFRAHUB_SECURITY_OIDC_PROVIDERS | The selected OIDC providers | array[string] | None |
INFRAHUB_SECURITY_OIDC_PROVIDER_SETTINGS | None | object | Check nested parameters |
INFRAHUB_SECURITY_RESTRICT_UNTRUSTED_JINJA2_FILTERS | Indicates if untrusted Jinja2 filters should be disallowed for computed attributes | boolean | True |
INFRAHUB_SECURITY_SSO_USER_DEFAULT_GROUP | Name of the group to which users authenticated via SSO will belong if not provided by identity provider | None | None |
INFRAHUB_SECURITY_AUTO_CREATE_GROUPS_FILTER | Regex(es) that decide which external identity-provider group claims become Infrahub groups. Accepts one regex or a list; the first matching pattern wins. Use a named capture group (?P<name>...) to set the group name; otherwise the full claim is used. Leave empty to disable auto-creation. | None | None |
INFRAHUB_SECURITY_AUTO_CREATE_GROUPS_MAX_PER_LOGIN | Maximum number of groups that can be auto-created during a single login. Once reached, further new groups are skipped (with a warning) but the login still succeeds. Adding the user to groups that already exist is not limited. | integer | 50 |
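
The rules described for INFRAHUB_SECURITY_AUTO_CREATE_GROUPS_FILTER and INFRAHUB_SECURITY_AUTO_CREATE_GROUPS_MAX_PER_LOGIN, modelled as an added example (this is not Infrahub's own code). The patterns, claims and function names are constructed for illustration, and the patterns are anchored with ^ and $ so the result does not depend on whether the matcher uses match or search semantics.

```python
import re

# Default of INFRAHUB_SECURITY_AUTO_CREATE_GROUPS_MAX_PER_LOGIN from the table.
MAX_PER_LOGIN = 50

# Constructed filter list: the first matching pattern wins.
FILTERS = [
    r"^infrahub-(?P<name>[a-z0-9-]+)$",  # named group "name" sets the group name
    r"^netops$",                         # no named group: the full claim is used
]


def group_name_for(claim, patterns):
    """Map one IdP group claim to a group name, or None if no pattern matches."""
    for pattern in patterns:
        match = re.search(pattern, claim)
        if match is None:
            continue
        if "name" in match.re.groupindex and match.group("name"):
            return match.group("name")
        return claim
    return None


def plan_login(claims, patterns, existing, max_new=MAX_PER_LOGIN):
    """Decide, for one login, which groups are joined, created or skipped.

    Claims that no pattern matches are left out of the plan; how Infrahub
    treats those is not stated on this page.
    """
    plan = {"join": [], "create": [], "skipped": []}
    seen = set()
    for claim in claims:
        name = group_name_for(claim, patterns)
        if name is None or name in seen:
            continue
        seen.add(name)
        if name in existing:
            plan["join"].append(name)       # existing groups are not limited
        elif len(plan["create"]) < max_new:
            plan["create"].append(name)
        else:
            plan["skipped"].append(name)    # cap reached: login still succeeds
    return plan


if __name__ == "__main__":
    claims = ["infrahub-admins", "netops", "hr-all", "infrahub-readers"]
    print(plan_login(claims, FILTERS, existing={"admins"}, max_new=1))
```

An unanchored pattern such as `infrahub-` would also accept a claim like `not-infrahub-admins` under search semantics, which is why the constructed patterns pin both ends.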
INFRAHUB_SECURITY_OAUTH2_PROVIDER_SETTINGS
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_OAUTH2_GOOGLE_ICON | None | string | mdi:google |
INFRAHUB_OAUTH2_GOOGLE_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OAUTH2_GOOGLE_PKCE_ENABLED | Enable PKCE (RFC 7636) with S256 method for authorization code flow | boolean | True |
INFRAHUB_OAUTH2_GOOGLE_GROUPS_CLAIM | Top-level key in the IdP claim payload from which the user's groups are read. Defaults to groups. Set per provider when your IdP emits group memberships under a different claim name (e.g., roles). | string | groups |
INFRAHUB_OAUTH2_GOOGLE_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OAUTH2_GOOGLE_CLIENT_SECRET | Client secret as defined in auth provider | None | None |
INFRAHUB_OAUTH2_GOOGLE_AUTHORIZATION_URL | None | string | https://accounts.google.com/o/oauth2/auth |
INFRAHUB_OAUTH2_GOOGLE_TOKEN_URL | None | string | https://oauth2.googleapis.com/token |
INFRAHUB_OAUTH2_GOOGLE_USERINFO_URL | None | string | https://www.googleapis.com/oauth2/v3/userinfo |
INFRAHUB_OAUTH2_GOOGLE_SCOPES | None | array[string] | None |
INFRAHUB_OAUTH2_GOOGLE_DISPLAY_LABEL | None | string | |
INFRAHUB_OAUTH2_GOOGLE_FETCH_GROUPS | Whether to use Cloud Identity API to fetch user groups. Note: requires additional scopes: https://www.googleapis.com/auth/cloud-identity.groups.readonly | boolean | False |
INFRAHUB_OAUTH2_GOOGLE_CLOUDIDENTITY_URL | Google Cloud endpoint for Cloud Identity. Using searchDirectGroups by default because it is available for the Free plan | string | https://cloudidentity.googleapis.com/v1/groups/-/memberships:searchDirectGroups |
INFRAHUB_OAUTH2_PROVIDER1_ICON | None | string | mdi:account-key |
INFRAHUB_OAUTH2_PROVIDER1_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OAUTH2_PROVIDER1_PKCE_ENABLED | Enable PKCE (RFC 7636) with S256 method for authorization code flow | boolean | True |
INFRAHUB_OAUTH2_PROVIDER1_GROUPS_CLAIM | Top-level key in the IdP claim payload from which the user's groups are read. Defaults to groups. Set per provider when your IdP emits group memberships under a different claim name (e.g., roles). | string | groups |
INFRAHUB_OAUTH2_PROVIDER1_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OAUTH2_PROVIDER1_CLIENT_SECRET | Client secret as defined in auth provider | None | None |
INFRAHUB_OAUTH2_PROVIDER1_AUTHORIZATION_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER1_TOKEN_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER1_USERINFO_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER1_SCOPES | None | array[string] | None |
INFRAHUB_OAUTH2_PROVIDER1_DISPLAY_LABEL | None | string | Single Sign on |
INFRAHUB_OAUTH2_PROVIDER2_ICON | None | string | mdi:account-key |
INFRAHUB_OAUTH2_PROVIDER2_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OAUTH2_PROVIDER2_PKCE_ENABLED | Enable PKCE (RFC 7636) with S256 method for authorization code flow | boolean | True |
INFRAHUB_OAUTH2_PROVIDER2_GROUPS_CLAIM | Top-level key in the IdP claim payload from which the user's groups are read. Defaults to groups. Set per provider when your IdP emits group memberships under a different claim name (e.g., roles). | string | groups |
INFRAHUB_OAUTH2_PROVIDER2_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OAUTH2_PROVIDER2_CLIENT_SECRET | Client secret as defined in auth provider | None | None |
INFRAHUB_OAUTH2_PROVIDER2_AUTHORIZATION_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER2_TOKEN_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER2_USERINFO_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER2_SCOPES | None | array[string] | None |
INFRAHUB_OAUTH2_PROVIDER2_DISPLAY_LABEL | None | string | Single Sign on |
INFRAHUB_SECURITY_OIDC_PROVIDER_SETTINGS
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_OIDC_GOOGLE_ICON | None | string | mdi:google |
INFRAHUB_OIDC_GOOGLE_DISPLAY_LABEL | None | string | |
INFRAHUB_OIDC_GOOGLE_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OIDC_GOOGLE_PKCE_ENABLED | Enable PKCE (RFC 7636) with S256 method for authorization code flow | boolean | True |
INFRAHUB_OIDC_GOOGLE_GROUPS_CLAIM | Top-level key in the IdP claim payload from which the user's groups are read. Defaults to groups. Set per provider when your IdP emits group memberships under a different claim name (e.g., roles). | string | groups |
INFRAHUB_OIDC_GOOGLE_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OIDC_GOOGLE_CLIENT_SECRET | Client secret as defined in auth provider | None | None |
INFRAHUB_OIDC_GOOGLE_DISCOVERY_URL | None | string | https://accounts.google.com/.well-known/openid-configuration |
INFRAHUB_OIDC_GOOGLE_SCOPES | None | array[string] | None |
INFRAHUB_OIDC_GOOGLE_FETCH_GROUPS | Whether to use Cloud Identity API to fetch user groups. Note: requires additional scope: https://www.googleapis.com/auth/cloud-identity.groups.readonly | boolean | False |
INFRAHUB_OIDC_GOOGLE_CLOUDIDENTITY_URL | Google Cloud endpoint for Cloud Identity. Using searchDirectGroups by default because it is available for the Free plan | string | https://cloudidentity.googleapis.com/v1/groups/-/memberships:searchDirectGroups |
INFRAHUB_OIDC_PROVIDER1_ICON | None | string | mdi:account-key |
INFRAHUB_OIDC_PROVIDER1_DISPLAY_LABEL | None | string | Single Sign on |
INFRAHUB_OIDC_PROVIDER1_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OIDC_PROVIDER1_PKCE_ENABLED | Enable PKCE (RFC 7636) with S256 method for authorization code flow | boolean | True |
INFRAHUB_OIDC_PROVIDER1_GROUPS_CLAIM | Top-level key in the IdP claim payload from which the user's groups are read. Defaults to groups. Set per provider when your IdP emits group memberships under a different claim name (e.g., roles). | string | groups |
INFRAHUB_OIDC_PROVIDER1_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OIDC_PROVIDER1_CLIENT_SECRET | Client secret as defined in auth provider | None | None |
INFRAHUB_OIDC_PROVIDER1_DISCOVERY_URL | The OIDC discovery URL xyz/.well-known/openid-configuration | string | None |
INFRAHUB_OIDC_PROVIDER1_SCOPES | None | array[string] | None |
INFRAHUB_OIDC_PROVIDER2_ICON | None | string | mdi:account-key |
INFRAHUB_OIDC_PROVIDER2_DISPLAY_LABEL | None | string | Single Sign on |
INFRAHUB_OIDC_PROVIDER2_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OIDC_PROVIDER2_PKCE_ENABLED | Enable PKCE (RFC 7636) with S256 method for authorization code flow | boolean | True |
INFRAHUB_OIDC_PROVIDER2_GROUPS_CLAIM | Top-level key in the IdP claim payload from which the user's groups are read. Defaults to groups. Set per provider when your IdP emits group memberships under a different claim name (e.g., roles). | string | groups |
INFRAHUB_OIDC_PROVIDER2_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OIDC_PROVIDER2_CLIENT_SECRET | Client secret as defined in auth provider | None | None |
INFRAHUB_OIDC_PROVIDER2_DISCOVERY_URL | The OIDC discovery URL xyz/.well-known/openid-configuration | string | None |
INFRAHUB_OIDC_PROVIDER2_SCOPES | None | array[string] | None |
Ldap
LDAP authentication configuration.
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_LDAP_ENABLED | Enable LDAP authentication on this deployment. When turned off, new LDAP sign-ins are refused; existing sessions are unaffected. | boolean | False |
INFRAHUB_LDAP_SERVERS | Comma-separated list of LDAP server URIs (e.g. ldaps://dc1.example.com:636,ldaps://dc2.example.com:636). Each entry is tried in declaration order, falling through to the next when one is unreachable, so list a primary first and any standby replicas after it for high availability. URIs must use the ldap or ldaps scheme. | array[string] | None |
INFRAHUB_LDAP_SERVICE_ACCOUNT_DN | Distinguished name of the directory account used to look up users before verifying their credentials. | None | None |
INFRAHUB_LDAP_SERVICE_ACCOUNT_PASSWORD | Password for the service account used during the user lookup. | None | None |
INFRAHUB_LDAP_USER_SEARCH_BASE | Distinguished name of the directory subtree where user entries are stored, e.g. OU=Users,DC=corp,DC=example,DC=com. | None | None |
INFRAHUB_LDAP_USER_SEARCH_FILTER | LDAP filter used to locate a user entry by their sign-in name. The {username} placeholder is substituted at sign-in time with the user-supplied login name and is safely escaped to prevent filter injection. If left empty, a default is generated from the configured username attribute (attribute_username), so changing the username attribute keeps the filter aligned automatically. | None | None |
INFRAHUB_LDAP_ATTRIBUTE_USERNAME | Name of the LDAP attribute that holds a user's sign-in name. Defaults to sAMAccountName (typical on Active Directory); uid is typical on OpenLDAP. | string | sAMAccountName |
INFRAHUB_LDAP_ATTRIBUTE_DISPLAY_NAME | Name of the LDAP attribute that holds a user's human-readable display name. | string | displayName |
INFRAHUB_LDAP_ATTRIBUTE_DISABLED | Name of an LDAP attribute that signals whether an account is disabled. Defaults to userAccountControl (Active Directory's mechanism). Leave empty for directories that do not expose an equivalent attribute; the disabled-account check is then skipped. | None | userAccountControl |
INFRAHUB_LDAP_ATTRIBUTE_DISABLED_BITMASK | When attribute_disabled is set, the integer value of that attribute is treated as a bitmask; the account is considered disabled if any of these bits are set. Default 0x2 matches Active Directory's standard 'account disabled' flag. | integer | 2 |
INFRAHUB_LDAP_GROUP_ENABLED | Enable directory group resolution. When turned off, users sign in successfully but receive no permissions until they are assigned to local groups manually. When turned on, group_base_dn must be set. | boolean | False |
INFRAHUB_LDAP_GROUP_BASE_DN | Distinguished name of the directory subtree where group entries are stored, e.g. OU=Groups,DC=corp,DC=example,DC=com. Required when group_enabled is true. | None | None |
INFRAHUB_LDAP_GROUP_FILTER | LDAP filter used to look up the groups a user belongs to. The {user_dn} placeholder is substituted with the user's distinguished name at sign-in time and is safely escaped to prevent filter injection. | string | (member={user_dn}) |
INFRAHUB_LDAP_GROUP_NAME_ATTRIBUTE | Name of the LDAP attribute on group entries that is read as the group's name. The value is matched against local group names to grant the user the matching permissions. | string | cn |
INFRAHUB_LDAP_GROUP_STRATEGY | How nested-group memberships are resolved. ad_in_chain uses Active Directory's transitive-membership search to retrieve all nested groups in a single query; it is the fastest option against AD. bfs walks group memberships level by level and works against any LDAP-compatible directory. | string (bfs, ad_in_chain) | bfs |
INFRAHUB_LDAP_GROUP_BFS_MAX_DEPTH | Maximum number of nesting levels to traverse when group_strategy is bfs. Has no effect for other strategies. Cycles in the group structure are detected automatically. Minimum value is 10. | integer | 16 |
INFRAHUB_LDAP_TLS_ENABLED | Use an encrypted connection to the LDAP server. Pair with ldaps:// server URIs, or set tls_starttls = true to upgrade plain ldap:// connections. | boolean | False |
INFRAHUB_LDAP_TLS_STARTTLS | Upgrade a plain ldap:// connection to TLS using STARTTLS instead of connecting via ldaps://. | boolean | False |
INFRAHUB_LDAP_TLS_CA_BUNDLE | PEM-encoded certificate authority bundle used to verify the LDAP server's TLS certificate. May be a path to a file or the PEM contents directly. Checked at startup. | None | None |
INFRAHUB_LDAP_TLS_INSECURE | Skip TLS certificate validation. Test and development environments only; never enable in production. | boolean | False |
INFRAHUB_LDAP_TLS_MINIMUM_VERSION | Minimum TLS protocol version accepted when connecting to an LDAP server. | string (TLSv1.2, TLSv1.3) | TLSv1.2 |
INFRAHUB_LDAP_PER_SERVER_TIMEOUT | Maximum time, in seconds, to wait for an LDAP server to respond before treating it as unreachable and trying the next configured server. | number | 10.0 |
INFRAHUB_LDAP_DISPLAY_LABEL | Text shown on the LDAP sign-in button on the login page. | string | Sign in with LDAP |
INFRAHUB_LDAP_ICON | Icon shown on the LDAP sign-in button on the login page. | string | mdi:account-key-outline |
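
What the placeholder escaping and the disabled-account bitmask in the table above amount to, as an added example (not Infrahub's own code). It uses RFC 4515 filter-value escaping; the function names, the `(attribute={username})` shape of the generated default filter, the treatment of a missing attribute as "not disabled" and the sample values are assumptions.

```python
# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a user-supplied string so it stays a literal in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(username, attribute="sAMAccountName", template=None):
    """Fill the {username} placeholder of the user search filter.

    With no template, a default is built from the username attribute
    (assumed shape: "(<attribute>={username})").
    """
    template = template or "(" + attribute + "={username})"
    return template.replace("{username}", escape_filter_value(username))


def group_filter(user_dn, template="(member={user_dn})"):
    """Fill the {user_dn} placeholder of the documented default group filter."""
    return template.replace("{user_dn}", escape_filter_value(user_dn))


def is_disabled(entry, attribute="userAccountControl", bitmask=0x2):
    """Apply the disabled-account check to one directory entry (a dict)."""
    if not attribute:
        return False              # empty attribute name: the check is skipped
    raw = entry.get(attribute)
    if raw is None:
        return False              # assumption: missing attribute = not disabled
    value = raw[0] if isinstance(raw, (list, tuple)) else raw
    return (int(value) & bitmask) != 0   # disabled if any masked bit is set


if __name__ == "__main__":
    # Constructed inputs.
    print(user_filter("jdoe)(objectClass=*"))
    print(group_filter(r"CN=Doe\, John (Ops),OU=Users,DC=corp,DC=example,DC=com"))
    print(is_disabled({"userAccountControl": ["514"]}))
```

The same escaping applies to the DN substituted into the group filter, because parentheses and backslashes are legal inside a distinguished name.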
Storage
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_STORAGE_DRIVER | None | string (local, s3) | local |
INFRAHUB_STORAGE_LOCAL | None | object | Check nested parameters |
INFRAHUB_STORAGE_S3 | None | object | Check nested parameters |
INFRAHUB_STORAGE_MAX_FILE_SIZE | Maximum file size in MB for file uploads | integer | 50 |
INFRAHUB_STORAGE_LOCAL
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_STORAGE_LOCAL_PATH | None | string | /opt/infrahub/storage |
INFRAHUB_STORAGE_S3
| Name | Description | Type | Default |
|---|---|---|---|
AWS_ACCESS_KEY_ID | None | string | |
AWS_SECRET_ACCESS_KEY | None | string | |
INFRAHUB_STORAGE_BUCKET_NAME | None | string | |
INFRAHUB_STORAGE_ENDPOINT_URL | None | string | |
INFRAHUB_STORAGE_USE_SSL | None | boolean | True |
INFRAHUB_STORAGE_DEFAULT_ACL | None | string | private |
INFRAHUB_STORAGE_QUERYSTRING_AUTH | None | boolean | False |
INFRAHUB_STORAGE_CUSTOM_DOMAIN | None | string | |
Trace
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_TRACE_ENABLE | None | boolean | False |
INFRAHUB_TRACE_INSECURE | Use insecure connection (HTTP) if True, otherwise use secure connection (HTTPS) | boolean | True |
INFRAHUB_TRACE_EXPORTER_TYPE | Type of exporter to be used for tracing | string (console, otlp) | console |
INFRAHUB_TRACE_EXPORTER_PROTOCOL | Protocol to be used for exporting traces | string (grpc, http/protobuf) | grpc |
INFRAHUB_TRACE_EXPORTER_ENDPOINT | OTLP endpoint for exporting traces | None | None |
Experimental features
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_EXPERIMENTAL_GRAPHQL_ENUMS | None | boolean | False |
INFRAHUB_EXPERIMENTAL_VALUE_DB_INDEX | None | boolean | False |
Log forwarding
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_LOG_FORWARDING_HOSTNAME | Hostname to use in syslog message headers. If not set, defaults to the system FQDN. | None | None |
INFRAHUB_LOG_FORWARDING_DESTINATION_NAMES | Comma-separated list of destination names to load from per-destination environment variables (e.g. INFRAHUB_LOG_FORWARDING_DESTINATION_PRIMARY_HOST where PRIMARY is the destination name). Names must match [a-z0-9_]+. Mutually exclusive with destinations. | array[string] | None |
INFRAHUB_LOG_FORWARDING_DESTINATIONS | List of log forwarding destinations. (Enterprise only: not available in the community version.) | array[object] | Check nested parameters |
INFRAHUB_LOG_FORWARDING_DESTINATIONS
| Name | Description | Type | Default |
|---|---|---|---|
NAME | Unique name for the destination, used in all observability output. | string | None |
TYPE | Destination type. | string (syslog) | syslog |
HOST | Destination host or IP address. | string | None |
PORT | Destination port number. Defaults to 6514 for TLS, 514 otherwise. | None | None |
PROTOCOL | Transport protocol (tcp or udp). | string (tcp, udp) | udp |
FORMAT | Syslog format standard. | string (rfc5424, rfc3164) | rfc5424 |
TCP_FRAMING | TCP framing method (newline or octet-counting). | string (newline, octet-counting) | newline |
TLS_ENABLED | Enable TLS encryption for TCP connections. | boolean | False |
TLS_CA_BUNDLE | Path or PEM string for CA bundle to validate syslog server certificate. | None | None |
QUEUE_SIZE | Maximum number of messages in the per-destination queue. | integer | 10000 |
MAX_RECONNECT_INTERVAL | Maximum reconnection backoff interval in seconds. | integer | 60 |
SHUTDOWN_DRAIN_TIMEOUT | Seconds to wait for queue drain on graceful shutdown. | integer | 10 |
FORWARD_APPLICATION_LOGS | Forward application log messages to this destination. | boolean | False |
MIN_LOG_SEVERITY | Minimum Python log severity to forward when application log forwarding is enabled. | string (CRITICAL, ERROR, WARNING, INFO, DEBUG) | WARNING |
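
Several defaults in the tables above are credentials or relaxed transport settings, so a deployment that sets nothing inherits them. The audit below is an added example, not part of Infrahub: it checks an environment mapping against those documented defaults. The accepted spellings of boolean values and the sample environment are assumptions.

```python
import os
from typing import NamedTuple


class Finding(NamedTuple):
    variable: str
    reason: str


# Assumption: these spellings count as true; check your deployment's parser.
TRUE_VALUES = {"1", "true", "yes", "on"}

# Credentials whose default value is printed in the tables on this page.
DEFAULT_SECRETS = {
    "INFRAHUB_DB_PASSWORD": "admin",
    "INFRAHUB_BROKER_PASSWORD": "infrahub",
    "INFRAHUB_INITIAL_ADMIN_PASSWORD": "infrahub",
}
# Switches that turn certificate validation off (default False).
TLS_INSECURE = [
    "INFRAHUB_HTTP_TLS_INSECURE", "INFRAHUB_DB_TLS_INSECURE",
    "INFRAHUB_BROKER_TLS_INSECURE", "INFRAHUB_CACHE_TLS_INSECURE",
    "INFRAHUB_LDAP_TLS_INSECURE",
]
# Backend connections whose TLS is off by default.
TLS_ENABLED = [
    "INFRAHUB_DB_TLS_ENABLED", "INFRAHUB_BROKER_TLS_ENABLED",
    "INFRAHUB_CACHE_TLS_ENABLED", "INFRAHUB_WORKFLOW_TLS_ENABLED",
]


def as_bool(env, name, default):
    raw = env.get(name, "").strip().lower()
    return default if raw == "" else raw in TRUE_VALUES


def audit(env):
    """Return findings for settings left at, or set to, a weak value."""
    out = []
    for name, default in DEFAULT_SECRETS.items():
        if env.get(name, default) == default:
            out.append(Finding(name, "unset or equal to the documented default"))
    for name in TLS_INSECURE:
        if as_bool(env, name, False):
            out.append(Finding(name, "certificate validation is disabled"))
    for name in TLS_ENABLED:
        if not as_bool(env, name, False):
            out.append(Finding(name, "connection is not using TLS"))
    if as_bool(env, "INFRAHUB_ALLOW_ANONYMOUS_ACCESS", True):
        out.append(Finding("INFRAHUB_ALLOW_ANONYMOUS_ACCESS",
                           "anonymous read access is allowed"))
    if as_bool(env, "INFRAHUB_LDAP_ENABLED", False):
        if not as_bool(env, "INFRAHUB_LDAP_TLS_ENABLED", False):
            out.append(Finding("INFRAHUB_LDAP_TLS_ENABLED",
                               "LDAP is enabled without TLS"))
        servers = env.get("INFRAHUB_LDAP_SERVERS", "").split(",")
        plain = any(s.strip().lower().startswith("ldap://") for s in servers)
        if plain and not as_bool(env, "INFRAHUB_LDAP_TLS_STARTTLS", False):
            out.append(Finding("INFRAHUB_LDAP_SERVERS",
                               "plain ldap:// URI without STARTTLS"))
    if (as_bool(env, "INFRAHUB_TRACE_ENABLE", False)
            and env.get("INFRAHUB_TRACE_EXPORTER_TYPE", "console") == "otlp"
            and as_bool(env, "INFRAHUB_TRACE_INSECURE", True)):
        out.append(Finding("INFRAHUB_TRACE_INSECURE",
                           "traces are exported over plain HTTP"))
    return out


# Constructed sample environment, not taken from a real deployment.
SAMPLE_ENV = {
    "INFRAHUB_DB_PASSWORD": "constructed-non-default-value",
    "INFRAHUB_DB_TLS_ENABLED": "true",
    "INFRAHUB_HTTP_TLS_INSECURE": "true",
    "INFRAHUB_LDAP_ENABLED": "true",
    "INFRAHUB_LDAP_TLS_ENABLED": "true",
    "INFRAHUB_LDAP_SERVERS": "ldaps://dc1.example.com:636,ldap://dc2.example.com:389",
}

if __name__ == "__main__":
    for finding in audit(os.environ):
        print(f"{finding.variable}: {finding.reason}")
```

Run as a script, it audits the current process environment; settings supplied through a .toml file are not read.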