Environment Variables

Configure Artifact Keeper using environment variables. This page provides a complete reference of all available configuration options.

Core Settings

Variable	Required	Default	Description
`PORT`	No	`8080`	HTTP server port
`HOST`	No	`0.0.0.0`	HTTP server bind address
`RUST_LOG`	No	`info`	Log level (trace, debug, info, warn, error)
`LOG_FORMAT`	No	`json`	Log format (json, pretty, compact)
`DEMO_MODE`	No	`false`	Enable demo mode (read-only)
`BASE_URL`	No	-	Public base URL (e.g., https://registry.example.com)

Database

Variable	Required	Default	Description
`DATABASE_URL`	Yes	-	PostgreSQL connection string (postgres://user:pass@host:port/db)
`DB_POOL_SIZE`	No	`20`	Maximum database connection pool size
`DB_TIMEOUT_SECONDS`	No	`30`	Database connection timeout
`DB_SSL_MODE`	No	`prefer`	PostgreSQL SSL mode (disable, allow, prefer, require)

Authentication

Variable	Required	Default	Description
`JWT_SECRET`	Yes	-	Secret key for signing JWT tokens (generate with `openssl rand -base64 64`)
`JWT_ACCESS_TOKEN_EXPIRY`	No	`900`	Access token expiration in seconds (15 minutes)
`JWT_REFRESH_TOKEN_EXPIRY`	No	`604800`	Refresh token expiration in seconds (7 days)
`ADMIN_USERNAME`	No	`admin`	Default admin username (first-time setup)
`ADMIN_PASSWORD`	No	`admin`	Default admin password (change on first login)
`REQUIRE_HTTPS`	No	`false`	Require HTTPS for all connections
`RATE_LIMIT_LOGIN`	No	`5`	Maximum login attempts
`RATE_LIMIT_WINDOW`	No	`300`	Rate limit window in seconds (5 minutes)

LDAP Integration

Variable	Required	Default	Description
`LDAP_URL`	No	-	LDAP server URL (e.g., ldap://ldap.example.com:389)
`LDAP_BASE_DN`	No	-	LDAP base DN (e.g., dc=example,dc=com)
`LDAP_BIND_DN`	No	-	LDAP bind DN for authentication
`LDAP_BIND_PASSWORD`	No	-	LDAP bind password
`LDAP_USER_FILTER`	No	`(uid={username})`	LDAP user search filter
`LDAP_SYNC_INTERVAL`	No	`3600`	LDAP sync interval in seconds (1 hour)
`LDAP_GROUP_FILTER`	No	-	LDAP group search filter
`LDAP_GROUP_BASE_DN`	No	-	LDAP group base DN
`LDAP_GROUP_ATTRIBUTE`	No	`cn`	LDAP group name attribute

OIDC/SSO Integration

Variable	Required	Default	Description
`OIDC_ISSUER`	No	-	OIDC provider issuer URL
`OIDC_CLIENT_ID`	No	-	OIDC client ID
`OIDC_CLIENT_SECRET`	No	-	OIDC client secret
`OIDC_REDIRECT_URI`	No	-	OIDC redirect URI
`OIDC_SCOPES`	No	`openid,email,profile`	OIDC scopes (comma-separated)
`OIDC_USERNAME_CLAIM`	No	`preferred_username`	OIDC claim for username
`OIDC_EMAIL_CLAIM`	No	`email`	OIDC claim for email
`OIDC_NAME_CLAIM`	No	`name`	OIDC claim for full name
`OIDC_GROUPS_CLAIM`	No	`groups`	OIDC claim for groups

Storage Backend

Variable	Required	Default	Description
`STORAGE_BACKEND`	No	`filesystem`	Storage backend type (filesystem, s3)
`STORAGE_PATH`	No	`/var/lib/artifact-keeper/artifacts`	Filesystem storage path
`STORAGE_DIRECT_IO`	No	`false`	Enable direct I/O for large files
`STORAGE_BUFFER_SIZE`	No	`1048576`	Buffer size in bytes (1 MB)

S3 Storage

Variable	Required	Default	Description
`S3_BUCKET`	No	-	S3 bucket name
`S3_REGION`	No	`us-east-1`	S3 region
`S3_ENDPOINT`	No	-	S3-compatible endpoint (for MinIO, DigitalOcean Spaces, etc.)
`S3_ACCESS_KEY_ID`	No	-	S3 access key ID
`S3_SECRET_ACCESS_KEY`	No	-	S3 secret access key
`S3_PATH_PREFIX`	No	-	Prefix for all S3 keys
`S3_FORCE_PATH_STYLE`	No	`false`	Use path-style addressing (required for MinIO)
`S3_MULTIPART_THRESHOLD`	No	`104857600`	Multipart upload threshold in bytes (100 MB)
`S3_MULTIPART_CHUNK_SIZE`	No	`10485760`	Multipart chunk size in bytes (10 MB)
`S3_MAX_CONNECTIONS`	No	`50`	Maximum S3 connections
`S3_USE_TRANSFER_ACCELERATION`	No	`false`	Enable S3 transfer acceleration (AWS only)

Backup

Variable	Required	Default	Description
`BACKUP_ENABLED`	No	`false`	Enable scheduled backups
`BACKUP_SCHEDULE`	No	`0 2 * * *`	Backup schedule (cron format)
`BACKUP_RETENTION_DAYS`	No	`30`	Backup retention in days
`BACKUP_PATH`	No	`/var/backups/artifact-keeper`	Backup storage path
`BACKUP_INCLUDE_ARTIFACTS`	No	`true`	Include artifacts in backups
`BACKUP_COMPRESSION`	No	`gzip`	Compression method (gzip, zstd, none)
`BACKUP_STORAGE`	No	`filesystem`	Backup storage backend (filesystem, s3)
`BACKUP_S3_BUCKET`	No	-	S3 bucket for backups
`BACKUP_S3_REGION`	No	`us-east-1`	S3 region for backups
`BACKUP_S3_PREFIX`	No	`backups/`	S3 prefix for backups
`BACKUP_ENCRYPTION`	No	`false`	Enable backup encryption
`BACKUP_ENCRYPTION_KEY`	No	-	Path to encryption key file
`BACKUP_TYPE`	No	`full`	Backup type (full, incremental)
`BACKUP_FULL_SCHEDULE`	No	`0 2 * * 0`	Full backup schedule (cron)
`BACKUP_INCREMENTAL_SCHEDULE`	No	`0 2 * * 1-6`	Incremental backup schedule (cron)
`BACKUP_RETENTION_DAILY`	No	`7`	Daily backups to keep
`BACKUP_RETENTION_WEEKLY`	No	`4`	Weekly backups to keep
`BACKUP_RETENTION_MONTHLY`	No	`12`	Monthly backups to keep

Garbage Collection

Variable	Required	Default	Description
`GC_ENABLED`	No	`false`	Enable automatic garbage collection
`GC_SCHEDULE`	No	`0 2 * * *`	GC schedule (cron format)
`GC_RETENTION_DAYS`	No	`90`	Keep artifacts for N days
`GC_DRY_RUN`	No	`false`	Dry run mode (log without deleting)

Edge Nodes

Variable	Required	Default	Description
`ROLE`	No	`primary`	Node role (primary, edge)
`EDGE_ENABLED`	No	`false`	Enable edge node support
`EDGE_SECRET_KEY`	No	-	Secret key for edge authentication
`EDGE_AUTO_REGISTER`	No	`true`	Allow automatic edge registration
`PRIMARY_URL`	No	-	Primary node URL (for edge nodes)
`EDGE_API_KEY`	No	-	API key for edge node (from primary)
`EDGE_REGION`	No	-	Edge node region identifier
`EDGE_CACHE_SIZE_MB`	No	`102400`	Edge cache size in MB (100 GB)
`EDGE_HEARTBEAT_INTERVAL`	No	`60`	Heartbeat interval in seconds
`EDGE_P2P_ENABLED`	No	`false`	Enable peer-to-peer transfers
`EDGE_P2P_MAX_PEERS`	No	`5`	Maximum P2P peers
`EDGE_REPLICATION_BANDWIDTH_MBPS`	No	-	Replication bandwidth limit
`EDGE_REPLICATION_SCHEDULE`	No	-	Replication schedule (cron)
`EDGE_MIN_ARTIFACT_SIZE_MB`	No	-	Minimum artifact size to replicate
`EDGE_SYNC_STRATEGY`	No	`lru`	Sync strategy (lru, all, popular)
`EDGE_MAX_ARTIFACT_AGE_DAYS`	No	-	Maximum artifact age to replicate
`EDGE_CACHE_HIGH_WATER_MARK`	No	`90`	Start eviction at N% capacity
`EDGE_EVICTION_POLICY`	No	`lru`	Eviction policy (lru, lfu, fifo)

Plugins

Variable	Required	Default	Description
`PLUGINS_ENABLED`	No	`false`	Enable plugin system
`PLUGINS_PATH`	No	`/var/lib/artifact-keeper/plugins`	Plugin storage path
`PLUGIN_MAX_MEMORY_MB`	No	`256`	Max memory per plugin (MB)
`PLUGIN_MAX_CPU_MS`	No	`5000`	Max CPU time per plugin (ms)
`PLUGIN_MAX_EXECUTION_TIME_MS`	No	`30000`	Max execution time per plugin (ms)
`PLUGIN_ALLOW_NETWORK`	No	`false`	Allow plugins network access
`PLUGIN_REQUIRE_SIGNATURE`	No	`false`	Require plugin signature verification
`PLUGIN_TRUSTED_KEYS`	No	-	Path to trusted signature keys
`PLUGIN_ALLOWED_SOURCES`	No	-	Allowed plugin sources (comma-separated)
`PLUGIN_LOG_LEVEL`	No	`info`	Plugin log level

Webhooks

Variable	Required	Default	Description
`WEBHOOKS_ENABLED`	No	`true`	Enable webhooks
`WEBHOOK_TIMEOUT_SECONDS`	No	`30`	Webhook delivery timeout
`WEBHOOK_MAX_RETRIES`	No	`5`	Maximum delivery retries
`WEBHOOK_RETRY_BACKOFF`	No	`exponential`	Retry backoff strategy (exponential, linear)
`WEBHOOK_CONCURRENCY`	No	`10`	Concurrent webhook deliveries
`WEBHOOK_QUEUE_SIZE`	No	`1000`	Webhook queue size
`WEBHOOK_RATE_LIMIT`	No	`100`	Max deliveries per minute per webhook

Security Scanning

Variable	Required	Default	Description
`TRIVY_ENABLED`	No	`false`	Enable Trivy security scanning
`TRIVY_URL`	No	`http://localhost:8090`	Trivy server URL
`TRIVY_TIMEOUT_SECONDS`	No	`300`	Trivy scan timeout (5 minutes)
`SCAN_ON_UPLOAD`	No	`false`	Automatically scan artifacts on upload
`BLOCK_VULNERABLE_UPLOADS`	No	`false`	Block uploads with critical vulnerabilities
`VULNERABILITY_SEVERITY_THRESHOLD`	No	`HIGH`	Severity threshold (CRITICAL, HIGH, MEDIUM, LOW)

Monitoring

Variable	Required	Default	Description
`METRICS_ENABLED`	No	`true`	Enable Prometheus metrics
`METRICS_PATH`	No	`/metrics`	Metrics endpoint path
`TRACING_ENABLED`	No	`false`	Enable distributed tracing
`TRACING_ENDPOINT`	No	-	Jaeger/OpenTelemetry endpoint
`AUDIT_LOG_ENABLED`	No	`true`	Enable audit logging
`AUDIT_LOG_PATH`	No	`/var/log/artifact-keeper/audit.log`	Audit log file path

Performance Tuning

Variable	Required	Default	Description
`WORKER_THREADS`	No	`4`	Number of worker threads
`MAX_UPLOAD_SIZE_MB`	No	`10240`	Maximum upload size (10 GB)
`MAX_CONCURRENT_UPLOADS`	No	`10`	Maximum concurrent uploads
`CHUNK_SIZE_MB`	No	`10`	Upload chunk size (MB)
`CACHE_ENABLED`	No	`true`	Enable metadata caching
`CACHE_TTL_SECONDS`	No	`3600`	Cache TTL (1 hour)
`CACHE_SIZE_MB`	No	`1024`	Cache size (1 GB)

Search

Variable	Required	Default	Description
`SEARCH_ENABLED`	No	`true`	Enable search functionality
`SEARCH_INDEX_PATH`	No	`/var/lib/artifact-keeper/search`	Search index path
`SEARCH_UPDATE_INTERVAL`	No	`60`	Index update interval (seconds)

CORS

Variable	Required	Default	Description
`CORS_ENABLED`	No	`true`	Enable CORS
`CORS_ALLOWED_ORIGINS`	No	`*`	Allowed origins (comma-separated)
`CORS_ALLOWED_METHODS`	No	`GET,POST,PUT,DELETE,OPTIONS`	Allowed methods
`CORS_ALLOWED_HEADERS`	No	`*`	Allowed headers
`CORS_MAX_AGE`	No	`3600`	Preflight cache duration (seconds)

PostgreSQL WAL Archiving

Variable	Required	Default	Description
`POSTGRES_WAL_ARCHIVING`	No	`false`	Enable WAL archiving for PITR
`POSTGRES_WAL_ARCHIVE_PATH`	No	`/var/lib/postgres/wal_archive`	WAL archive path
`POSTGRES_WAL_RETENTION_DAYS`	No	`7`	WAL retention in days

Development/Testing

Variable	Required	Default	Description
`DEV_MODE`	No	`false`	Enable development mode (hot reload, verbose logs)
`MOCK_LDAP`	No	`false`	Use mock LDAP for testing
`MOCK_OIDC`	No	`false`	Use mock OIDC for testing
`DISABLE_AUTH`	No	`false`	Disable authentication (testing only)

Example Configuration Files

Minimal Production

# Required
DATABASE_URL=postgres://registry:password@localhost:5432/artifact_registry
JWT_SECRET=generate-secure-secret-here

# Storage
STORAGE_BACKEND=filesystem
STORAGE_PATH=/var/lib/artifact-keeper/artifacts

# Recommended
RUST_LOG=info
BACKUP_ENABLED=true
BACKUP_SCHEDULE="0 2 * * *"

S3 Storage with Edge Nodes

# Database
DATABASE_URL=postgres://registry:password@localhost:5432/artifact_registry
JWT_SECRET=generate-secure-secret-here

# S3 Storage
STORAGE_BACKEND=s3
S3_BUCKET=artifact-keeper-prod
S3_REGION=us-east-1
S3_ACCESS_KEY_ID=your-access-key
S3_SECRET_ACCESS_KEY=your-secret-key

# Edge Nodes
ROLE=primary
EDGE_ENABLED=true
EDGE_SECRET_KEY=edge-secret-key

# Backups
BACKUP_ENABLED=true
BACKUP_STORAGE=s3
BACKUP_S3_BUCKET=artifact-keeper-backups

LDAP/OIDC Authentication

# Database & JWT
DATABASE_URL=postgres://registry:password@localhost:5432/artifact_registry
JWT_SECRET=generate-secure-secret-here

# LDAP
LDAP_URL=ldap://ldap.example.com:389
LDAP_BASE_DN=dc=example,dc=com
LDAP_BIND_DN=cn=admin,dc=example,dc=com
LDAP_BIND_PASSWORD=ldap-password

# OIDC
OIDC_ISSUER=https://accounts.google.com
OIDC_CLIENT_ID=your-client-id
OIDC_CLIENT_SECRET=your-client-secret
OIDC_REDIRECT_URI=https://registry.example.com/api/v1/auth/oidc/callback

High-Security Configuration

# Database & JWT
DATABASE_URL=postgres://registry:password@localhost:5432/artifact_registry
JWT_SECRET=generate-secure-secret-here
JWT_ACCESS_TOKEN_EXPIRY=300  # 5 minutes

# Security
REQUIRE_HTTPS=true
RATE_LIMIT_LOGIN=3
TRIVY_ENABLED=true
SCAN_ON_UPLOAD=true
BLOCK_VULNERABLE_UPLOADS=true
VULNERABILITY_SEVERITY_THRESHOLD=HIGH

# Backups
BACKUP_ENABLED=true
BACKUP_ENCRYPTION=true
BACKUP_ENCRYPTION_KEY=/etc/artifact-keeper/backup.key

# Audit
AUDIT_LOG_ENABLED=true

# Plugins
PLUGINS_ENABLED=true
PLUGIN_REQUIRE_SIGNATURE=true