Infrahub configuration
The Infrahub containers read a number of environment variables at runtime that affect their behavior.
Here are a few common methods of setting configuration:
- Exporting in a shell, example: `export INFRAHUB_ADDRESS="http://localhost:8000"`
- Using a `.env` file
- Using a `.toml` configuration file (setting names use lowercase with underscores, e.g., `address = "http://localhost:8000"`)
- Using direnv
Note: infrahubctl has its own environment variables. See the infrahubctl documentation for more information.
Main
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_DOCS_INDEX_PATH | Full path of saved json containing pre-indexed documentation | string | /opt/infrahub/docs/build/search-index.json |
INFRAHUB_INTERNAL_ADDRESS | None | None | None |
INFRAHUB_ALLOW_ANONYMOUS_ACCESS | Indicates if the system allows anonymous read access | boolean | True |
INFRAHUB_ANONYMOUS_ACCESS_ROLE | Name of the role defining which permissions anonymous users have | string | Anonymous User |
INFRAHUB_TELEMETRY_OPTOUT | Disable anonymous usage reporting | boolean | False |
INFRAHUB_TELEMETRY_ENDPOINT | None | string | https://telemetry.opsmill.cloud/infrahub |
INFRAHUB_PERMISSION_BACKENDS | List of modules to handle permissions, they will be run in the given order | array[string] | ['infrahub.permissions.LocalPermissionBackend'] |
INFRAHUB_PUBLIC_URL | Public URL of the Infrahub instance; may be required for OAuth2 and OIDC depending on your infrastructure. | None | None |
INFRAHUB_SCHEMA_STRICT_MODE | Enable strict schema validation. When set to False, human_friendly_id schema fields are not required to target a unique combination of peer attributes. | boolean | True |
INFRAHUB_DIFF_UPDATE_AFTER_MERGE | When enabled, diff updates are triggered for active branches after a branch merge. | boolean | True |
INFRAHUB_DELETE_BRANCH_AFTER_MERGE | When enabled, the Infrahub branch is automatically deleted after a successful merge. | boolean | False |
Api
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_API_CORS_ALLOW_ORIGINS | A list of origins that are authorized to make cross-site HTTP requests | array[string] | None |
INFRAHUB_API_CORS_ALLOW_METHODS | A list of HTTP verbs that are allowed for the actual request | array[string] | None |
INFRAHUB_API_CORS_ALLOW_HEADERS | The list of non-standard HTTP headers allowed in requests from the browser | array[string] | None |
INFRAHUB_API_CORS_ALLOW_CREDENTIALS | If True, cookies will be allowed to be included in cross-site HTTP requests | boolean | True |
Git
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_GIT_REPOSITORIES_DIRECTORY | None | string | repositories |
INFRAHUB_GIT_SYNC_INTERVAL | Time (in seconds) between git repositories synchronizations | integer | 10 |
INFRAHUB_GIT_APPEND_GIT_SUFFIX | Automatically append '.git' to HTTP URLs for these domains. | array[string] | None |
INFRAHUB_GIT_IMPORT_SYNC_BRANCH_NAMES | Names or regex of branches to be created in Infrahub during import e.g. 'infrahub/.', 'release/.', '^branch-'. Note: other branches created through sync with git will also be imported. | array[string] | None |
INFRAHUB_GIT_USER_NAME | User name of the git user. This will be used as the user name when Infrahub commits code to a repository | string | Infrahub |
INFRAHUB_GIT_USER_EMAIL | Email of the git user. This will be used as the user email when Infrahub commits code to a repository | string | infrahub@opsmill.com |
INFRAHUB_GIT_GLOBAL_CONFIG_FILE | The location of the git config file. This will be set as the system GIT_CONFIG_GLOBAL environment variable if the environment variable is not initially set | string | /opt/infrahub/.gitconfig |
INFRAHUB_GIT_USE_EXPLICIT_MERGE_COMMIT | Whether to allow explicit merge commits when infrahub merges branches | boolean | False |
INFRAHUB_GIT_DELETE_GIT_BRANCH_AFTER_MERGE | When enabled, the corresponding Git branch is deleted after the Infrahub branch is deleted. Requires delete_branch_after_merge to be enabled. | boolean | False |
Dev
The development settings are only relevant for local development.
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_DEV_FRONTEND_REDIRECT_SSO | Indicates if the frontend should be responsible for the SSO redirection | boolean | False |
INFRAHUB_DEV_ALLOW_ENTERPRISE_CONFIGURATION | Allow enterprise configuration in development mode. This does not enable the features; it only allows the configuration. | boolean | False |
INFRAHUB_DEV_GIT_CREDENTIAL_HELPER | Location of git credential helper | string | infrahub-git-credential |
Http
The HTTP settings control how Infrahub interacts with external HTTP servers. This can be things like webhooks and OAuth2 providers.
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_HTTP_TIMEOUT | Default connection timeout in seconds | integer | 10 |
INFRAHUB_HTTP_TLS_INSECURE | Indicates if Infrahub will validate server certificates or if the validation is ignored. | boolean | False |
INFRAHUB_HTTP_TLS_CA_BUNDLE | Custom CA bundle in PEM format. The value is either the CA bundle as a string or a file path. | None | None |
Database
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_DB_INFRAHUB_DB_TYPE | None | string (neo4j, memgraph) | neo4j |
INFRAHUB_DB_PROTOCOL | None | string | bolt |
INFRAHUB_DB_USERNAME | None | string | neo4j |
INFRAHUB_DB_PASSWORD | None | string | admin |
INFRAHUB_DB_ADDRESS | None | string | localhost |
INFRAHUB_DB_PORT | None | integer | 7687 |
INFRAHUB_DB_DATABASE | Name of the database | None | None |
INFRAHUB_DB_POLICY | Routing policy for database connections | None | None |
INFRAHUB_DB_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
INFRAHUB_DB_TLS_INSECURE | Indicates if TLS certificates are verified | boolean | False |
INFRAHUB_DB_TLS_CA_FILE | File path to CA cert or bundle in PEM format | None | None |
INFRAHUB_DB_QUERY_SIZE_LIMIT | The max number of records to fetch in a single query before performing internal pagination. | integer | 5000 |
INFRAHUB_DB_MAX_DEPTH_SEARCH_HIERARCHY | Maximum number of levels to search in a hierarchy. | integer | 5 |
INFRAHUB_DB_RETRY_LIMIT | Maximum number of times a transient issue in a transaction should be retried. | integer | 3 |
INFRAHUB_DB_RETRY_BASE_DELAY | Base delay in seconds for exponential backoff on transaction retries. | number | 0.1 |
INFRAHUB_DB_RETRY_MAX_DELAY | Maximum delay in seconds for exponential backoff on transaction retries. | number | 2.0 |
INFRAHUB_DB_RETRY_JITTER_MAX | Maximum jitter in seconds added to retry delay to avoid thundering herd. | number | 0.1 |
INFRAHUB_DB_MAX_CONCURRENT_QUERIES | Maximum number of concurrent queries that can run (0 means unlimited). | integer | 0 |
INFRAHUB_DB_MAX_CONCURRENT_QUERIES_DELAY | Delay to add when max_concurrent_queries is reached. | number | 0.01 |
Broker
Configuration settings for the message bus.
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_BROKER_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
INFRAHUB_BROKER_TLS_INSECURE | Indicates if TLS certificates are verified | boolean | False |
INFRAHUB_BROKER_TLS_CA_FILE | File path to CA cert or bundle in PEM format | None | None |
INFRAHUB_BROKER_USERNAME | None | string | infrahub |
INFRAHUB_BROKER_PASSWORD | None | string | infrahub |
INFRAHUB_BROKER_ADDRESS | None | string | localhost |
INFRAHUB_BROKER_PORT | Specified if running on a non default port. | None | None |
INFRAHUB_BROKER_RABBITMQ_HTTP_PORT | None | None | None |
INFRAHUB_BROKER_NAMESPACE | None | string | infrahub |
INFRAHUB_BROKER_MAXIMUM_MESSAGE_RETRIES | The maximum number of retries that are attempted for failed messages | integer | 10 |
INFRAHUB_BROKER_MAXIMUM_CONCURRENT_MESSAGES | The maximum number of concurrent messages fetched by each worker | integer | 2 |
INFRAHUB_BROKER_VIRTUALHOST | The virtual host to connect to | string | / |
INFRAHUB_BROKER_DRIVER | None | string (rabbitmq, nats) | rabbitmq |
Cache
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_CACHE_ADDRESS | None | string | localhost |
INFRAHUB_CACHE_PORT | Specified if running on a non default port (6379) | None | None |
INFRAHUB_CACHE_DATABASE | Id of the database to use | integer | 0 |
INFRAHUB_CACHE_DRIVER | None | string (redis, nats) | redis |
INFRAHUB_CACHE_USERNAME | None | string | |
INFRAHUB_CACHE_PASSWORD | None | string | |
INFRAHUB_CACHE_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
INFRAHUB_CACHE_TLS_INSECURE | Indicates if TLS certificates are verified | boolean | False |
INFRAHUB_CACHE_TLS_CA_FILE | File path to CA cert or bundle in PEM format | None | None |
INFRAHUB_CACHE_CLEAN_UP_DEADLOCKS_INTERVAL_MINS | Age threshold in minutes: locks older than this and owned by inactive workers are deleted by the cleanup task. | integer | 15 |
Workflow
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_WORKFLOW_ADDRESS | None | string | localhost |
INFRAHUB_WORKFLOW_PORT | Specified if running on a non default port. | None | None |
INFRAHUB_WORKFLOW_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
INFRAHUB_WORKFLOW_DRIVER | None | string (local, worker) | worker |
INFRAHUB_WORKFLOW_DEFAULT_WORKER_TYPE | None | string | infrahubasync |
INFRAHUB_WORKFLOW_EXTRA_LOGGERS | A list of additional loggers that will be captured during task execution. | array[string] | None |
INFRAHUB_WORKFLOW_EXTRA_LOG_LEVEL | Log level applied to all extra loggers. | string (CRITICAL, ERROR, WARNING, INFO, DEBUG) | INFO |
INFRAHUB_WORKFLOW_WORKER_POLLING_INTERVAL | Specify how often the worker should poll the server for tasks (sec) | integer | 2 |
INFRAHUB_WORKFLOW_FLOW_RUN_COUNT_CACHE_THRESHOLD | Threshold for caching flow run counts (0 to always cache, higher values to disable) | integer | 100000 |
Miscellaneous
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_MISC_PRINT_QUERY_DETAILS | None | boolean | False |
INFRAHUB_MISC_START_BACKGROUND_RUNNER | None | boolean | True |
INFRAHUB_MISC_MAXIMUM_VALIDATOR_EXECUTION_TIME | The maximum allowed time (in seconds) for a validator to run. | integer | 1800 |
INFRAHUB_MISC_RESPONSE_DELAY | Arbitrary delay to add when processing API requests. | integer | 0 |
Analytics
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_ANALYTICS_ENABLE | None | boolean | True |
INFRAHUB_ANALYTICS_ADDRESS | None | None | None |
INFRAHUB_ANALYTICS_API_KEY | None | None | None |
Initial
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_INITIAL_DEFAULT_BRANCH | Defines the name of the default branch within Infrahub, can only be set once during initialization of the system. | string | main |
INFRAHUB_INITIAL_ADMIN_TOKEN | An optional initial token for the admin account. | None | None |
INFRAHUB_INITIAL_ADMIN_PASSWORD | The initial password for the admin user | string | infrahub |
INFRAHUB_INITIAL_AGENT_TOKEN | An optional initial token for a git-agent account. | None | None |
INFRAHUB_INITIAL_AGENT_PASSWORD | An optional initial password for a git-agent account. | None | None |
Policy
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_POLICY_REQUIRED_PROPOSED_CHANGE_APPROVALS | Number of approvals required for proposed changes. (Enterprise only: not available in the community version.) | integer | 0 |
INFRAHUB_POLICY_REVOKE_PROPOSED_CHANGE_APPROVALS | Boolean indicating whether performing changes on a proposed change branch should revoke existing approvals. (Enterprise only: not available in the community version.) | boolean | False |
Security
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_SECURITY_ACCESS_TOKEN_LIFETIME | Lifetime of access token in seconds | integer | 3600 |
INFRAHUB_SECURITY_REFRESH_TOKEN_LIFETIME | Lifetime of refresh token in seconds | integer | 2592000 |
INFRAHUB_SECURITY_SECRET_KEY | The secret key used to validate authentication tokens | string | None |
INFRAHUB_SECURITY_OAUTH2_PROVIDERS | The selected OAuth2 providers | array[string] | None |
INFRAHUB_SECURITY_OAUTH2_PROVIDER_SETTINGS | None | object | Check nested parameters |
INFRAHUB_SECURITY_OIDC_PROVIDERS | The selected OIDC providers | array[string] | None |
INFRAHUB_SECURITY_OIDC_PROVIDER_SETTINGS | None | object | Check nested parameters |
INFRAHUB_SECURITY_RESTRICT_UNTRUSTED_JINJA2_FILTERS | Indicates if untrusted Jinja2 filters should be disallowed for computed attributes | boolean | True |
INFRAHUB_SECURITY_SSO_USER_DEFAULT_GROUP | Name of the group to which users authenticated via SSO will belong if not provided by identity provider | None | None |
INFRAHUB_SECURITY_AUTO_CREATE_GROUPS_FILTER | Regex(es) that decide which external identity-provider group claims become Infrahub groups. Accepts one regex or a list; the first matching pattern wins. Use a named capture group (?P<name>...) to set the group name; otherwise the full claim is used. Leave empty to disable auto-creation. | None | None |
INFRAHUB_SECURITY_AUTO_CREATE_GROUPS_MAX_PER_LOGIN | Maximum number of groups that can be auto-created during a single login. Once reached, further new groups are skipped (with a warning) but the login still succeeds. Adding the user to groups that already exist is not limited. | integer | 50 |
INFRAHUB_SECURITY_SSO_ACCOUNT_NAME_FALLBACK | When enabled, an SSO login that has no linked identity and matches an existing account by display name claims that account, as long as it has not already been linked to another identity. When disabled, such a login always provisions a separate account instead of reusing an existing one. | boolean | True |
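
The behavior described for INFRAHUB_SECURITY_AUTO_CREATE_GROUPS_FILTER and INFRAHUB_SECURITY_AUTO_CREATE_GROUPS_MAX_PER_LOGIN, written as a dry-run helper for checking candidate patterns against sample claims before deploying them. This is an added example, not Infrahub code; the function names, the sample claims and the use of `re.search` are assumptions.

```python
import re
from typing import Iterable, Optional

# Constructed sample data: group claims as an identity provider might send them.
SAMPLE_CLAIMS = [
    "infrahub-admins",
    "infrahub-readers",
    "infrahub-writers",
    "legacy-infrahub-admins-disabled",
    "netops",
    "hr-all",
]
LOOSE = [r"infrahub-(?P<name>[a-z]+)"]                  # unanchored pattern
STRICT = [r"^infrahub-(?P<name>[a-z]+)$", r"^netops$"]  # anchored, two patterns


def resolve_group_name(claim: str, patterns: Iterable[str]) -> Optional[str]:
    """Map one claim to a group name, or None when no pattern matches.

    Assumption: patterns are applied with re.search. Anchoring with ^...$
    makes the outcome independent of search/match/fullmatch semantics.
    """
    for pattern in patterns:  # the first matching pattern wins
        match = re.search(pattern, claim)
        if match is None:
            continue
        if "name" in match.re.groupindex and match.group("name"):
            return match.group("name")  # named capture group sets the name
        return claim  # no named group: the full claim is used
    return None


def plan_login(claims, patterns, existing, max_per_login=50):
    """Dry run of one login: groups joined, created, skipped and ignored."""
    plan = {"join": [], "create": [], "skipped": [], "ignored": []}
    seen = set()
    for claim in claims:
        # An empty filter disables auto-creation, so nothing resolves.
        name = resolve_group_name(claim, patterns) if patterns else None
        if name is None:
            plan["ignored"].append(claim)
            continue
        if name in seen:  # two claims resolving to one name count once
            continue
        seen.add(name)
        if name in existing:
            plan["join"].append(name)  # existing groups are not capped
        elif len(plan["create"]) < max_per_login:
            plan["create"].append(name)
        else:
            plan["skipped"].append(name)  # cap reached; login still succeeds
    return plan


if __name__ == "__main__":
    for label, patterns in (("loose", LOOSE), ("strict", STRICT)):
        print(label, plan_login(SAMPLE_CLAIMS, patterns, {"admins"}, 1))
```

With the unanchored pattern, the claim `legacy-infrahub-admins-disabled` resolves to the same group name as `infrahub-admins`; the anchored patterns ignore it.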
INFRAHUB_SECURITY_OAUTH2_PROVIDER_SETTINGS
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_OAUTH2_GOOGLE_ICON | None | string | mdi:google |
INFRAHUB_OAUTH2_GOOGLE_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OAUTH2_GOOGLE_PKCE_ENABLED | Enable PKCE (RFC 7636) with S256 method for authorization code flow | boolean | True |
INFRAHUB_OAUTH2_GOOGLE_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OAUTH2_GOOGLE_CLIENT_SECRET | Client secret as defined in auth provider | None | None |
INFRAHUB_OAUTH2_GOOGLE_AUTHORIZATION_URL | None | string | https://accounts.google.com/o/oauth2/auth |
INFRAHUB_OAUTH2_GOOGLE_TOKEN_URL | None | string | https://oauth2.googleapis.com/token |
INFRAHUB_OAUTH2_GOOGLE_USERINFO_URL | None | string | https://www.googleapis.com/oauth2/v3/userinfo |
INFRAHUB_OAUTH2_GOOGLE_SCOPES | None | array[string] | None |
INFRAHUB_OAUTH2_GOOGLE_DISPLAY_LABEL | None | string | |
INFRAHUB_OAUTH2_GOOGLE_FETCH_GROUPS | Whether to use Cloud Identity API to fetch user groups. Note: requires additional scope: https://www.googleapis.com/auth/cloud-identity.groups.readonly | boolean | False |
INFRAHUB_OAUTH2_GOOGLE_CLOUDIDENTITY_URL | Google Cloud endpoint for Cloud Identity. Using searchDirectGroups by default because it is available for the Free plan | string | https://cloudidentity.googleapis.com/v1/groups/-/memberships:searchDirectGroups |
INFRAHUB_OAUTH2_PROVIDER1_ICON | None | string | mdi:account-key |
INFRAHUB_OAUTH2_PROVIDER1_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OAUTH2_PROVIDER1_PKCE_ENABLED | Enable PKCE (RFC 7636) with S256 method for authorization code flow | boolean | True |
INFRAHUB_OAUTH2_PROVIDER1_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OAUTH2_PROVIDER1_CLIENT_SECRET | Client secret as defined in auth provider | None | None |
INFRAHUB_OAUTH2_PROVIDER1_AUTHORIZATION_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER1_TOKEN_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER1_USERINFO_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER1_SCOPES | None | array[string] | None |
INFRAHUB_OAUTH2_PROVIDER1_DISPLAY_LABEL | None | string | Single Sign on |
INFRAHUB_OAUTH2_PROVIDER2_ICON | None | string | mdi:account-key |
INFRAHUB_OAUTH2_PROVIDER2_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OAUTH2_PROVIDER2_PKCE_ENABLED | Enable PKCE (RFC 7636) with S256 method for authorization code flow | boolean | True |
INFRAHUB_OAUTH2_PROVIDER2_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OAUTH2_PROVIDER2_CLIENT_SECRET | Client secret as defined in auth provider | None | None |
INFRAHUB_OAUTH2_PROVIDER2_AUTHORIZATION_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER2_TOKEN_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER2_USERINFO_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER2_SCOPES | None | array[string] | None |
INFRAHUB_OAUTH2_PROVIDER2_DISPLAY_LABEL | None | string | Single Sign on |
INFRAHUB_SECURITY_OIDC_PROVIDER_SETTINGS
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_OIDC_GOOGLE_ICON | None | string | mdi:google |
INFRAHUB_OIDC_GOOGLE_DISPLAY_LABEL | None | string | |
INFRAHUB_OIDC_GOOGLE_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OIDC_GOOGLE_PKCE_ENABLED | Enable PKCE (RFC 7636) with S256 method for authorization code flow | boolean | True |
INFRAHUB_OIDC_GOOGLE_ID_TOKEN_VERIFY_SIGNATURE | Verify the cryptographic signature, audience and issuer of the OIDC id_token. | boolean | True |
INFRAHUB_OIDC_GOOGLE_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OIDC_GOOGLE_CLIENT_SECRET | Client secret as defined in auth provider | None | None |
INFRAHUB_OIDC_GOOGLE_DISCOVERY_URL | None | string | https://accounts.google.com/.well-known/openid-configuration |
INFRAHUB_OIDC_GOOGLE_SCOPES | None | array[string] | None |
INFRAHUB_OIDC_GOOGLE_FETCH_GROUPS | Whether to use Cloud Identity API to fetch user groups. Note: requires additional scope: https://www.googleapis.com/auth/cloud-identity.groups.readonly | boolean | False |
INFRAHUB_OIDC_GOOGLE_CLOUDIDENTITY_URL | Google Cloud endpoint for Cloud Identity. Using searchDirectGroups by default because it is available for the Free plan | string | https://cloudidentity.googleapis.com/v1/groups/-/memberships:searchDirectGroups |
INFRAHUB_OIDC_PROVIDER1_ICON | None | string | mdi:account-key |
INFRAHUB_OIDC_PROVIDER1_DISPLAY_LABEL | None | string | Single Sign on |
INFRAHUB_OIDC_PROVIDER1_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OIDC_PROVIDER1_PKCE_ENABLED | Enable PKCE (RFC 7636) with S256 method for authorization code flow | boolean | True |
INFRAHUB_OIDC_PROVIDER1_ID_TOKEN_VERIFY_SIGNATURE | Verify the cryptographic signature, audience and issuer of the OIDC id_token. | boolean | True |
INFRAHUB_OIDC_PROVIDER1_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OIDC_PROVIDER1_CLIENT_SECRET | Client secret as defined in auth provider | None | None |
INFRAHUB_OIDC_PROVIDER1_DISCOVERY_URL | The OIDC discovery URL xyz/.well-known/openid-configuration | string | None |
INFRAHUB_OIDC_PROVIDER1_SCOPES | None | array[string] | None |
INFRAHUB_OIDC_PROVIDER2_ICON | None | string | mdi:account-key |
INFRAHUB_OIDC_PROVIDER2_DISPLAY_LABEL | None | string | Single Sign on |
INFRAHUB_OIDC_PROVIDER2_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OIDC_PROVIDER2_PKCE_ENABLED | Enable PKCE (RFC 7636) with S256 method for authorization code flow | boolean | True |
INFRAHUB_OIDC_PROVIDER2_ID_TOKEN_VERIFY_SIGNATURE | Verify the cryptographic signature, audience and issuer of the OIDC id_token. | boolean | True |
INFRAHUB_OIDC_PROVIDER2_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OIDC_PROVIDER2_CLIENT_SECRET | Client secret as defined in auth provider | None | None |
INFRAHUB_OIDC_PROVIDER2_DISCOVERY_URL | The OIDC discovery URL xyz/.well-known/openid-configuration | string | None |
INFRAHUB_OIDC_PROVIDER2_SCOPES | None | array[string] | None |
Ldap
LDAP authentication configuration.
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_LDAP_ENABLED | Enable LDAP authentication on this deployment. When turned off, new LDAP sign-ins are refused; existing sessions are unaffected. | boolean | False |
INFRAHUB_LDAP_SERVERS | Comma-separated list of LDAP server URIs (e.g. ldaps://dc1.example.com:636,ldaps://dc2.example.com:636). Each entry is tried in declaration order, falling through to the next when one is unreachable, so list a primary first and any standby replicas after it for high availability. URIs must use the ldap or ldaps scheme. | array[string] | None |
INFRAHUB_LDAP_SERVICE_ACCOUNT_DN | Distinguished name of the directory account used to look up users before verifying their credentials. | None | None |
INFRAHUB_LDAP_SERVICE_ACCOUNT_PASSWORD | Password for the service account used during the user lookup. | None | None |
INFRAHUB_LDAP_USER_SEARCH_BASE | Distinguished name of the directory subtree where user entries are stored, e.g. OU=Users,DC=corp,DC=example,DC=com. | None | None |
INFRAHUB_LDAP_USER_SEARCH_FILTER | LDAP filter used to locate a user entry by their sign-in name. The {username} placeholder is substituted at sign-in time with the user-supplied login name and is safely escaped to prevent filter injection. If left empty, a default is generated from the configured username attribute (attribute_username), so changing the username attribute keeps the filter aligned automatically. | None | None |
INFRAHUB_LDAP_ATTRIBUTE_USERNAME | Name of the LDAP attribute that holds a user's sign-in name. Defaults to sAMAccountName (typical on Active Directory); uid is typical on OpenLDAP. | string | sAMAccountName |
INFRAHUB_LDAP_ATTRIBUTE_DISPLAY_NAME | Name of the LDAP attribute that holds a user's human-readable display name. | string | displayName |
INFRAHUB_LDAP_ATTRIBUTE_DISABLED | Name of an LDAP attribute that signals whether an account is disabled. Defaults to userAccountControl (Active Directory's mechanism). Leave empty for directories that do not expose an equivalent attribute; the disabled-account check is then skipped. | None | userAccountControl |
INFRAHUB_LDAP_ATTRIBUTE_DISABLED_BITMASK | When attribute_disabled is set, the integer value of that attribute is treated as a bitmask; the account is considered disabled if any of these bits are set. Default 0x2 matches Active Directory's standard 'account disabled' flag. | integer | 2 |
INFRAHUB_LDAP_GROUP_ENABLED | Enable directory group resolution. When turned off, users sign in successfully but receive no permissions until they are assigned to local groups manually. When turned on, group_base_dn must be set. | boolean | False |
INFRAHUB_LDAP_GROUP_BASE_DN | Distinguished name of the directory subtree where group entries are stored, e.g. OU=Groups,DC=corp,DC=example,DC=com. Required when group_enabled is true. | None | None |
INFRAHUB_LDAP_GROUP_FILTER | LDAP filter used to look up the groups a user belongs to. The {user_dn} placeholder is substituted with the user's distinguished name at sign-in time and is safely escaped to prevent filter injection. | string | (member={user_dn}) |
INFRAHUB_LDAP_GROUP_NAME_ATTRIBUTE | Name of the LDAP attribute on group entries that is read as the group's name. The value is matched against local group names to grant the user the matching permissions. | string | cn |
INFRAHUB_LDAP_GROUP_STRATEGY | How nested-group memberships are resolved. ad_in_chain uses Active Directory's transitive-membership search to retrieve all nested groups in a single query; it is the fastest option against AD. bfs walks group memberships level by level and works against any LDAP-compatible directory. | string (bfs, ad_in_chain) | bfs |
INFRAHUB_LDAP_GROUP_BFS_MAX_DEPTH | Maximum number of nesting levels to traverse when group_strategy is bfs. Has no effect for other strategies. Cycles in the group structure are detected automatically. Minimum value is 10. | integer | 16 |
INFRAHUB_LDAP_TLS_ENABLED | Use an encrypted connection to the LDAP server. Pair with ldaps:// server URIs, or set tls_starttls = true to upgrade plain ldap:// connections. | boolean | False |
INFRAHUB_LDAP_TLS_STARTTLS | Upgrade a plain ldap:// connection to TLS using STARTTLS instead of connecting via ldaps://. | boolean | False |
INFRAHUB_LDAP_TLS_CA_BUNDLE | PEM-encoded certificate authority bundle used to verify the LDAP server's TLS certificate. May be a path to a file or the PEM contents directly. Checked at startup. | None | None |
INFRAHUB_LDAP_TLS_INSECURE | Skip TLS certificate validation. Test and development environments only; never enable in production. | boolean | False |
INFRAHUB_LDAP_TLS_MINIMUM_VERSION | Minimum TLS protocol version accepted when connecting to an LDAP server. | string (TLSv1.2, TLSv1.3) | TLSv1.2 |
INFRAHUB_LDAP_PER_SERVER_TIMEOUT | Maximum time, in seconds, to wait for an LDAP server to respond before treating it as unreachable and trying the next configured server. | number | 10.0 |
INFRAHUB_LDAP_DISPLAY_LABEL | Text shown on the LDAP sign-in button on the login page. | string | Sign in with LDAP |
INFRAHUB_LDAP_ICON | Icon shown on the LDAP sign-in button on the login page. | string | mdi:account-key-outline |
Storage
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_STORAGE_DRIVER | None | string (local, s3) | local |
INFRAHUB_STORAGE_LOCAL | None | object | Check nested parameters |
INFRAHUB_STORAGE_S3 | None | object | Check nested parameters |
INFRAHUB_STORAGE_MAX_FILE_SIZE | Maximum file size in MB for file uploads | integer | 50 |
INFRAHUB_STORAGE_LOCAL
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_STORAGE_LOCAL_PATH | None | string | /opt/infrahub/storage |
INFRAHUB_STORAGE_S3
| Name | Description | Type | Default |
|---|---|---|---|
AWS_ACCESS_KEY_ID | None | string | |
AWS_SECRET_ACCESS_KEY | None | string | |
INFRAHUB_STORAGE_BUCKET_NAME | None | string | |
INFRAHUB_STORAGE_ENDPOINT_URL | None | string | |
INFRAHUB_STORAGE_USE_SSL | None | boolean | True |
INFRAHUB_STORAGE_DEFAULT_ACL | None | string | private |
INFRAHUB_STORAGE_QUERYSTRING_AUTH | None | boolean | False |
INFRAHUB_STORAGE_CUSTOM_DOMAIN | None | string | |
Trace
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_TRACE_ENABLE | None | boolean | False |
INFRAHUB_TRACE_INSECURE | Use insecure connection (HTTP) if True, otherwise use secure connection (HTTPS) | boolean | True |
INFRAHUB_TRACE_EXPORTER_TYPE | Type of exporter to be used for tracing | string (console, otlp) | console |
INFRAHUB_TRACE_EXPORTER_PROTOCOL | Protocol to be used for exporting traces | string (grpc, http/protobuf) | grpc |
INFRAHUB_TRACE_EXPORTER_ENDPOINT | OTLP endpoint for exporting traces | None | None |
Experimental features
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_EXPERIMENTAL_GRAPHQL_ENUMS | None | boolean | False |
INFRAHUB_EXPERIMENTAL_VALUE_DB_INDEX | None | boolean | False |
Log forwarding
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_LOG_FORWARDING_HOSTNAME | Hostname to use in syslog message headers. If not set, defaults to the system FQDN. | None | None |
INFRAHUB_LOG_FORWARDING_DESTINATION_NAMES | Comma-separated list of destination names to load from per-destination environment variables (e.g. INFRAHUB_LOG_FORWARDING_DESTINATION_PRIMARY_HOST where PRIMARY is the destination name). Names must match [a-z0-9_]+. Mutually exclusive with destinations. | array[string] | None |
INFRAHUB_LOG_FORWARDING_DESTINATIONS | List of log forwarding destinations. (Enterprise only: not available in the community version.) | array[object] | Check nested parameters |
INFRAHUB_LOG_FORWARDING_DESTINATIONS
| Name | Description | Type | Default |
|---|---|---|---|
NAME | Unique name for the destination, used in all observability output. | string | None |
TYPE | Destination type. | string (syslog) | syslog |
HOST | Destination host or IP address. | string | None |
PORT | Destination port number. Defaults to 6514 for TLS, 514 otherwise. | None | None |
PROTOCOL | Transport protocol (tcp or udp). | string (tcp, udp) | udp |
FORMAT | Syslog format standard. | string (rfc5424, rfc3164) | rfc5424 |
TCP_FRAMING | TCP framing method (newline or octet-counting). | string (newline, octet-counting) | newline |
TLS_ENABLED | Enable TLS encryption for TCP connections. | boolean | False |
TLS_CA_BUNDLE | Path or PEM string for CA bundle to validate syslog server certificate. | None | None |
QUEUE_SIZE | Maximum number of messages in the per-destination queue. | integer | 10000 |
MAX_RECONNECT_INTERVAL | Maximum reconnection backoff interval in seconds. | integer | 60 |
SHUTDOWN_DRAIN_TIMEOUT | Seconds to wait for queue drain on graceful shutdown. | integer | 10 |
FORWARD_APPLICATION_LOGS | Forward application log messages to this destination. | boolean | False |
MIN_LOG_SEVERITY | Minimum Python log severity to forward when application log forwarding is enabled. | string (CRITICAL, ERROR, WARNING, INFO, DEBUG) | WARNING |
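
Several defaults in the tables above are credentials or relaxed security settings (for example INFRAHUB_DB_PASSWORD, INFRAHUB_BROKER_PASSWORD, INFRAHUB_INITIAL_ADMIN_PASSWORD and INFRAHUB_ALLOW_ANONYMOUS_ACCESS). The following added example, which is not part of Infrahub, audits the contents of a `.env` file against those documented defaults; the function names, the findings wording and the sample file are assumptions made for illustration.

```python
import re

# Defaults copied from the tables on this page (only the settings audited here).
PAGE_DEFAULTS = {
    "INFRAHUB_DB_PASSWORD": "admin",
    "INFRAHUB_BROKER_PASSWORD": "infrahub",
    "INFRAHUB_INITIAL_ADMIN_PASSWORD": "infrahub",
    "INFRAHUB_ALLOW_ANONYMOUS_ACCESS": "True",
    "INFRAHUB_SECURITY_RESTRICT_UNTRUSTED_JINJA2_FILTERS": "True",
    "INFRAHUB_LDAP_ENABLED": "False",
    "INFRAHUB_LDAP_SERVERS": "",  # listed as None on the page
    "INFRAHUB_LDAP_TLS_STARTTLS": "False",
    "INFRAHUB_TRACE_ENABLE": "False",
    "INFRAHUB_TRACE_INSECURE": "True",
    "INFRAHUB_TRACE_EXPORTER_TYPE": "console",
}
DEFAULT_CREDENTIALS = (
    "INFRAHUB_DB_PASSWORD",
    "INFRAHUB_BROKER_PASSWORD",
    "INFRAHUB_INITIAL_ADMIN_PASSWORD",
)
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# Constructed sample .env content, not taken from a real deployment.
SAMPLE_ENV = """\
# constructed sample
export INFRAHUB_DB_PASSWORD="s3parate-db-secret"
INFRAHUB_BROKER_PASSWORD=infrahub
INFRAHUB_ALLOW_ANONYMOUS_ACCESS=false
INFRAHUB_HTTP_TLS_INSECURE=true
INFRAHUB_OIDC_PROVIDER1_ID_TOKEN_VERIFY_SIGNATURE=false
INFRAHUB_LDAP_ENABLED=true
INFRAHUB_LDAP_SERVERS=ldaps://dc1.example.com:636,ldap://dc2.example.com:389
"""


def parse_env(text):
    """Parse KEY=VALUE lines (optional 'export', quotes, full-line # comments)."""
    values = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        found = ENV_LINE.match(raw)
        if not found:
            continue
        key, value = found.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def is_true(value):
    return str(value).strip().lower() in {"1", "true", "yes", "on"}


def audit(env_text):
    """Return sorted (variable, finding) pairs for the effective settings."""
    explicit = parse_env(env_text)
    cfg = {**PAGE_DEFAULTS, **explicit}  # explicit values override defaults
    findings = []
    for key in DEFAULT_CREDENTIALS:
        if cfg[key] == PAGE_DEFAULTS[key]:
            findings.append((key, "documented default credential in use"))
    if is_true(cfg["INFRAHUB_ALLOW_ANONYMOUS_ACCESS"]):
        findings.append(("INFRAHUB_ALLOW_ANONYMOUS_ACCESS", "anonymous read access allowed"))
    jinja = "INFRAHUB_SECURITY_RESTRICT_UNTRUSTED_JINJA2_FILTERS"
    if not is_true(cfg[jinja]):
        findings.append((jinja, "untrusted Jinja2 filters allowed"))
    for key, value in explicit.items():
        # Assumption for DB/BROKER/CACHE: true skips certificate validation,
        # as the page states for the HTTP and LDAP settings.
        if key.endswith("_TLS_INSECURE") and is_true(value):
            findings.append((key, "TLS certificate validation skipped"))
        if key.endswith("_ID_TOKEN_VERIFY_SIGNATURE") and not is_true(value):
            findings.append((key, "id_token signature, audience, issuer not verified"))
        if key.endswith("_PKCE_ENABLED") and not is_true(value):
            findings.append((key, "PKCE disabled for authorization code flow"))
    if is_true(cfg["INFRAHUB_LDAP_ENABLED"]):
        servers = [s.strip() for s in cfg["INFRAHUB_LDAP_SERVERS"].split(",")]
        plain = [s for s in servers if s.lower().startswith("ldap://")]
        if plain and not is_true(cfg["INFRAHUB_LDAP_TLS_STARTTLS"]):
            findings.append(("INFRAHUB_LDAP_SERVERS", "ldap:// without STARTTLS: " + ",".join(plain)))
    if (is_true(cfg["INFRAHUB_TRACE_ENABLE"]) and is_true(cfg["INFRAHUB_TRACE_INSECURE"])
            and cfg["INFRAHUB_TRACE_EXPORTER_TYPE"] == "otlp"):
        findings.append(("INFRAHUB_TRACE_INSECURE", "traces exported over HTTP"))
    return sorted(findings)


if __name__ == "__main__":
    for variable, finding in audit(SAMPLE_ENV):
        print(f"{variable}: {finding}")
```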