Configuration - Infrahub

Learn more about Mintlify

Enter your email to receive updates about new features and product releases.

Infrahub is configured using environment variables. This page documents all available configuration options organized by category.

Configuration methods

Core settings

Main settings

Variable	Default	Description
`INFRAHUB_ADDRESS`	-	External address for the Infrahub API (used by workers)
`INFRAHUB_INTERNAL_ADDRESS`	-	Internal address for inter-service communication
`INFRAHUB_PUBLIC_URL`	-	Public URL for OAuth2/OIDC redirects
`INFRAHUB_PRODUCTION`	`false`	Enable production mode
`INFRAHUB_LOG_LEVEL`	-	Log level (DEBUG, INFO, WARNING, ERROR, CRITICAL)
`INFRAHUB_ALLOW_ANONYMOUS_ACCESS`	`true`	Allow anonymous read access
`INFRAHUB_ANONYMOUS_ACCESS_ROLE`	`Anonymous User`	Role name for anonymous users
`INFRAHUB_SCHEMA_STRICT_MODE`	`true`	Enable strict schema validation
`INFRAHUB_PERMISSION_BACKENDS`	`["infrahub.permissions.LocalPermissionBackend"]`	Permission backend modules

Initial setup

Variable	Default	Description
`INFRAHUB_INITIAL_DEFAULT_BRANCH`	`main`	Default branch name (set only once)
`INFRAHUB_INITIAL_ADMIN_TOKEN`	-	Initial admin API token
`INFRAHUB_INITIAL_ADMIN_PASSWORD`	`infrahub`	Initial admin password
`INFRAHUB_INITIAL_AGENT_TOKEN`	-	Initial git-agent API token
`INFRAHUB_INITIAL_AGENT_PASSWORD`	-	Initial git-agent password

Database configuration

Neo4j settings

Variable	Default	Description
`INFRAHUB_DB_TYPE`	`neo4j`	Database type (neo4j)
`INFRAHUB_DB_ADDRESS`	`localhost`	Database hostname or IP
`INFRAHUB_DB_PORT`	`7687`	Database port
`INFRAHUB_DB_PROTOCOL`	`bolt`	Connection protocol
`INFRAHUB_DB_USERNAME`	`neo4j`	Database username
`INFRAHUB_DB_PASSWORD`	`admin`	Database password
`INFRAHUB_DB_DATABASE`	-	Database name (default: neo4j)
`INFRAHUB_DB_POLICY`	-	Routing policy for cluster
`INFRAHUB_DB_TLS_ENABLED`	`false`	Enable TLS for database
`INFRAHUB_DB_TLS_INSECURE`	`false`	Skip TLS certificate verification
`INFRAHUB_DB_TLS_CA_FILE`	-	CA certificate file path
`INFRAHUB_DB_QUERY_SIZE_LIMIT`	`5000`	Max records per query
`INFRAHUB_DB_MAX_DEPTH_SEARCH_HIERARCHY`	`5`	Max hierarchy depth
`INFRAHUB_DB_RETRY_LIMIT`	`3`	Transaction retry limit
`INFRAHUB_DB_MAX_CONCURRENT_QUERIES`	`0`	Max concurrent queries (0 = unlimited)
`INFRAHUB_DB_MAX_CONCURRENT_QUERIES_DELAY`	`0.01`	Delay when limit reached (seconds)

Message broker configuration

RabbitMQ / NATS settings

Variable	Default	Description
`INFRAHUB_BROKER_DRIVER`	`rabbitmq`	Message broker driver (rabbitmq, nats)
`INFRAHUB_BROKER_ADDRESS`	`localhost`	Broker hostname or IP
`INFRAHUB_BROKER_PORT`	-	Broker port (5672 for RabbitMQ, 4222 for NATS)
`INFRAHUB_BROKER_USERNAME`	`infrahub`	Broker username
`INFRAHUB_BROKER_PASSWORD`	`infrahub`	Broker password
`INFRAHUB_BROKER_NAMESPACE`	`infrahub`	Broker namespace/prefix
`INFRAHUB_BROKER_VIRTUALHOST`	`/`	RabbitMQ virtual host
`INFRAHUB_BROKER_RABBITMQ_HTTP_PORT`	-	RabbitMQ management port
`INFRAHUB_BROKER_TLS_ENABLED`	`false`	Enable TLS
`INFRAHUB_BROKER_TLS_INSECURE`	`false`	Skip TLS verification
`INFRAHUB_BROKER_TLS_CA_FILE`	-	CA certificate path
`INFRAHUB_BROKER_MAXIMUM_MESSAGE_RETRIES`	`10`	Max retry attempts
`INFRAHUB_BROKER_MAXIMUM_CONCURRENT_MESSAGES`	`2`	Max concurrent messages per worker

Cache configuration

Redis / NATS settings

Variable	Default	Description
`INFRAHUB_CACHE_DRIVER`	`redis`	Cache driver (redis, nats)
`INFRAHUB_CACHE_ADDRESS`	`localhost`	Cache hostname or IP
`INFRAHUB_CACHE_PORT`	-	Cache port (6379 for Redis, 4222 for NATS)
`INFRAHUB_CACHE_DATABASE`	`0`	Redis database number (0-15)
`INFRAHUB_CACHE_USERNAME`	-	Cache username
`INFRAHUB_CACHE_PASSWORD`	-	Cache password
`INFRAHUB_CACHE_TLS_ENABLED`	`false`	Enable TLS
`INFRAHUB_CACHE_TLS_INSECURE`	`false`	Skip TLS verification
`INFRAHUB_CACHE_TLS_CA_FILE`	-	CA certificate path
`INFRAHUB_CACHE_CLEAN_UP_DEADLOCKS_INTERVAL_MINS`	`15`	Deadlock cleanup interval (minutes)

Workflow configuration

Prefect settings

Variable	Default	Description
`INFRAHUB_WORKFLOW_DRIVER`	`worker`	Workflow driver (worker, local)
`INFRAHUB_WORKFLOW_ADDRESS`	`localhost`	Prefect server address
`INFRAHUB_WORKFLOW_PORT`	-	Prefect server port
`INFRAHUB_WORKFLOW_TLS_ENABLED`	`false`	Enable TLS
`INFRAHUB_WORKFLOW_DEFAULT_WORKER_TYPE`	`infrahubasync`	Default worker type
`INFRAHUB_WORKFLOW_WORKER_POLLING_INTERVAL`	`2`	Worker polling interval (seconds)
`INFRAHUB_WORKFLOW_FLOW_RUN_COUNT_CACHE_THRESHOLD`	`100000`	Flow run count cache threshold
`INFRAHUB_WORKFLOW_EXTRA_LOGGERS`	-	Additional loggers to capture
`INFRAHUB_WORKFLOW_EXTRA_LOG_LEVEL`	`INFO`	Log level for extra loggers

Task manager database

Variable	Default	Description
`INFRAHUB_TASKMANAGER_DB_USER`	`postgres`	PostgreSQL username
`INFRAHUB_TASKMANAGER_DB_PASSWORD`	`postgres`	PostgreSQL password
`INFRAHUB_TASKMANAGER_DB_DATABASE`	`prefect`	PostgreSQL database name

Storage configuration

Storage driver settings

Variable	Default	Description
`INFRAHUB_STORAGE_DRIVER`	`local`	Storage driver (local, s3)
`INFRAHUB_STORAGE_LOCAL_PATH`	`/opt/infrahub/storage`	Local storage directory

S3 storage settings

Variable	Default	Description
`AWS_ACCESS_KEY_ID`	-	S3 access key
`AWS_SECRET_ACCESS_KEY`	-	S3 secret key
`AWS_S3_BUCKET_NAME`	-	S3 bucket name
`AWS_S3_ENDPOINT_URL`	-	S3 endpoint URL (for MinIO, etc.)
`AWS_S3_USE_SSL`	`true`	Use SSL for S3
`AWS_DEFAULT_ACL`	`private`	Default ACL for objects
`AWS_QUERYSTRING_AUTH`	`false`	Use query string authentication
`AWS_S3_CUSTOM_DOMAIN`	-	Custom domain for S3 URLs

Security configuration

Authentication settings

Variable	Default	Description
`INFRAHUB_SECURITY_SECRET_KEY`	(auto-generated)	Secret key for token signing
`INFRAHUB_SECURITY_ACCESS_TOKEN_LIFETIME`	`3600`	Access token lifetime (seconds)
`INFRAHUB_SECURITY_REFRESH_TOKEN_LIFETIME`	`2592000`	Refresh token lifetime (seconds)
`INFRAHUB_SECURITY_RESTRICT_UNTRUSTED_JINJA2_FILTERS`	`true`	Restrict Jinja2 filters

SSO configuration

Variable	Default	Description
`INFRAHUB_SECURITY_SSO_USER_DEFAULT_GROUP`	-	Default group for SSO users
`INFRAHUB_SECURITY_OAUTH2_PROVIDERS`	-	OAuth2 providers (JSON list)
`INFRAHUB_SECURITY_OIDC_PROVIDERS`	-	OIDC providers (JSON list)

OAuth2 provider configuration

Variable	Description
`INFRAHUB_OAUTH2_PROVIDER1_CLIENT_ID`	OAuth2 client ID
`INFRAHUB_OAUTH2_PROVIDER1_CLIENT_SECRET`	OAuth2 client secret
`INFRAHUB_OAUTH2_PROVIDER1_AUTHORIZATION_URL`	Authorization endpoint
`INFRAHUB_OAUTH2_PROVIDER1_TOKEN_URL`	Token endpoint
`INFRAHUB_OAUTH2_PROVIDER1_USERINFO_URL`	User info endpoint
`INFRAHUB_OAUTH2_PROVIDER1_DISPLAY_LABEL`	Display label for UI
`INFRAHUB_OAUTH2_PROVIDER1_ICON`	Icon name

OIDC provider configuration

Variable	Description
`INFRAHUB_OIDC_PROVIDER1_CLIENT_ID`	OIDC client ID
`INFRAHUB_OIDC_PROVIDER1_CLIENT_SECRET`	OIDC client secret
`INFRAHUB_OIDC_PROVIDER1_DISCOVERY_URL`	OIDC discovery URL
`INFRAHUB_OIDC_PROVIDER1_DISPLAY_LABEL`	Display label for UI
`INFRAHUB_OIDC_PROVIDER1_ICON`	Icon name

Git configuration

Variable	Default	Description
`INFRAHUB_GIT_REPOSITORIES_DIRECTORY`	`repositories`	Git repositories directory
`INFRAHUB_GIT_SYNC_INTERVAL`	`10`	Sync interval (seconds, deprecated)
`INFRAHUB_GIT_APPEND_GIT_SUFFIX`	`github.com, gitlab.com`	Auto-append .git for these domains
`INFRAHUB_GIT_IMPORT_SYNC_BRANCH_NAMES`	-	Branch name patterns to import
`INFRAHUB_GIT_USER_NAME`	`Infrahub`	Git commit author name
`INFRAHUB_GIT_USER_EMAIL`	`[email protected]`	Git commit author email
`INFRAHUB_GIT_GLOBAL_CONFIG_FILE`	`/opt/infrahub/.gitconfig`	Git config file path
`INFRAHUB_GIT_USE_EXPLICIT_MERGE_COMMIT`	`false`	Use explicit merge commits

API configuration

CORS settings

Variable	Default	Description
`INFRAHUB_API_CORS_ALLOW_ORIGINS`	-	Allowed CORS origins (JSON list)
`INFRAHUB_API_CORS_ALLOW_METHODS`	`["DELETE", "GET", "OPTIONS", "PATCH", "POST", "PUT"]`	Allowed HTTP methods
`INFRAHUB_API_CORS_ALLOW_HEADERS`	`["accept", "authorization", "content-type", "user-agent", "x-csrftoken", "x-requested-with"]`	Allowed headers
`INFRAHUB_API_CORS_ALLOW_CREDENTIALS`	`true`	Allow credentials

HTTP client configuration

Variable	Default	Description
`INFRAHUB_HTTP_TIMEOUT`	`10`	HTTP client timeout (seconds)
`INFRAHUB_HTTP_TLS_INSECURE`	`false`	Skip TLS verification
`INFRAHUB_HTTP_TLS_CA_BUNDLE`	-	CA bundle path or PEM string

Observability configuration

Telemetry settings

Variable	Default	Description
`INFRAHUB_TELEMETRY_OPTOUT`	`false`	Disable anonymous telemetry
`INFRAHUB_TELEMETRY_ENDPOINT`	`https://telemetry.opsmill.cloud/infrahub`	Telemetry endpoint
`INFRAHUB_TELEMETRY_INTERVAL`	-	Telemetry interval

Tracing settings

Variable	Default	Description
`INFRAHUB_TRACE_ENABLE`	`false`	Enable distributed tracing
`INFRAHUB_TRACE_EXPORTER_TYPE`	`console`	Exporter type (console, otlp)
`INFRAHUB_TRACE_EXPORTER_PROTOCOL`	`grpc`	Exporter protocol (grpc, http/protobuf)
`INFRAHUB_TRACE_EXPORTER_ENDPOINT`	-	OTLP exporter endpoint
`INFRAHUB_TRACE_INSECURE`	`true`	Use insecure connection
`OTEL_RESOURCE_ATTRIBUTES`	-	OpenTelemetry resource attributes

Logging settings

Variable	Default	Description
`INFRAHUB_LOGGING_REMOTE_ENABLE`	`false`	Enable remote logging
`INFRAHUB_LOGGING_REMOTE_FRONTEND_DSN`	-	Frontend logging DSN
`INFRAHUB_LOGGING_REMOTE_API_SERVER_DSN`	-	API server logging DSN
`INFRAHUB_LOGGING_REMOTE_GIT_AGENT_DSN`	-	Git agent logging DSN

Analytics settings

Variable	Default	Description
`INFRAHUB_ANALYTICS_ENABLE`	`true`	Enable analytics
`INFRAHUB_ANALYTICS_ADDRESS`	-	Analytics service address
`INFRAHUB_ANALYTICS_API_KEY`	-	Analytics API key

Miscellaneous settings

Variable	Default	Description
`INFRAHUB_MISC_PRINT_QUERY_DETAILS`	`false`	Print detailed query information
`INFRAHUB_MISC_START_BACKGROUND_RUNNER`	`true`	Start background task runner
`INFRAHUB_MISC_MAXIMUM_VALIDATOR_EXECUTION_TIME`	`1800`	Max validator execution time (seconds)
`INFRAHUB_MISC_RESPONSE_DELAY`	`0`	Artificial API response delay (seconds)
`INFRAHUB_DOCS_INDEX_PATH`	`/opt/infrahub/docs/build/search-index.json`	Documentation index path
`INFRAHUB_TIMEOUT`	-	General timeout setting

Policy settings

Variable	Default	Description
`INFRAHUB_POLICY_REQUIRED_PROPOSED_CHANGE_APPROVALS`	`0`	Required approvals for proposed changes (Enterprise)
`INFRAHUB_POLICY_REVOKE_PROPOSED_CHANGE_APPROVALS`	`false`	Revoke approvals on change (Enterprise)

Experimental features

Variable	Default	Description
`INFRAHUB_EXPERIMENTAL_GRAPHQL_ENUMS`	`false`	Enable GraphQL enums

Docker Compose deployment - Configure with Docker Compose
Kubernetes deployment - Configure with Helm
Security best practices - Secure your deployment
Storage configuration - Configure object storage

Kubernetes deployment

Backup and restore

⌘I

Build docs developers (and LLMs) love

Get started for free Talk to us