Skip to content
Sirveo Documentation

Configuration

Sirveo is configured via a configuration file, command-line options, or environment variables. If you have access to the binary, the CLI interface is well-documented. See:

$ sirveo --help
$ sirveo server --help

Care is taken that all settings have associated environment variables.

Precedence

When using multiple configuration methods, the following precedence applies:

  • CLI options (always wins)
  • Environment variables
  • Configuration file
  • Default values

EULA Acceptance

CLIEnvironment variableDefaultNote
--eula-acceptSIRVEO_EULA_ACCEPTnoRequires a yes value

The EULA is also available via the sirveo legal --eula command.

Logging

CLIEnvironment variableDefaultNote
--log-levelSIRVEO_LOG_LEVELINFO[TRACE, DEBUG, INFO, WARN, ERROR ]

Configuration File

CLIEnvironment variableDefaultNote
--config-fileSIRVEO_CONFIG_FILEn/aSee command $ sirveo default-config

To generate a default configuration file, use these commands:

Terminal window
sirveo generate-config > /etc/sirveo/config.json
sirveo generate-config --yml > /etc/sirveo/config.yml
sirveo default-config --help

License

CLIEnvironment variableDefaultNote
--licenseSIRVEO_LICENSEnone

See licensing for details.

Database

CLIEnvironment variableDefaultNote
--db-typeSIRVEO_DB_TYPEpostgresOnly postgres supported
--db-hostSIRVEO_DB_HOSTlocalhostDatabase host address
--db-portSIRVEO_DB_PORT5432Database host port
--db-nameSIRVEO_DB_NAMEsirveoDatabase name
--db-userSIRVEO_DB_USERadminDatabase username
--db-passwordSIRVEO_DB_PASSWORDchangemeDatabase password
--db-sslmodeSIRVEO_DB_SSLMODEprefer

The following options are supported by SIRVEO_DB_SSLMODE:

  • disable
  • allow
  • prefer
  • require
  • verify-ca
  • verify-full

Default System User

If enabled, and no user accounts exists on start-up, create a default user account on start-up with these credentials.

CLIEnvironment variableDefaultNote
--create-default-userSIRVEO_CREATE_DEFAULT_USERfalse
--default-usernameSIRVEO_DEFAULT_USERNAMEadmin
--default-passwordSIRVEO_DEFAULT_PASSWORDsirveoadmin

Networking

For separating the server’s admin and inbound ports, see network isolation.

HTTP

CLIEnvironment variableDefaultNote
--listen-address-adminSIRVEO_LISTEN_ADDRESS_ADMIN127.0.0.1:7001
--listen-address-inboundSIRVEO_LISTEN_ADDRESS_INBOUND127.0.0.1:7005
--enable-corsSIRVEO_ENABLE_CORSfalse

Sirveo serves it’s admin UI and API on port 7001 by default.

A second port (“inbound”) exposes only flow related features - without the admin UI - on port 7005 by default. This feature is to achieve network separation between public-facing flow/link/webhook URLs, and the administration UI, where/if desired.

To disable the inbound port, set SIRVEO_LISTEN_ADDRESS_INBOUND to an empty string.

If CORS is enabled, the HTTP servers for admin and inbound ports are permissive to CORS requests from browsers.

Client IP Headers

CLIEnvironment variableDefaultNote
--ip-header-admin stringSIRVEO_IP_HEADER_ADMINnone
--ip-header-inbound stringSIRVEO_IP_HEADER_INBOUNDnone

These settings determine how Sirveo obtains the client IP address of incoming HTTP requests. Resolving the correct client IP’s are important in two places:

  • Sirveo logs successful and failed authentications as system events, which contains the client IP address
  • Sirveo provides the client IP address to flows, via webhooks and links.

Sirveo is (usually) deployed behind a reverse proxy, in which case the remote IP address of incoming HTTP requests will be the IP of the reverse proxy itself. This is the “real” or “bare” TCP address.

The reverse proxy should be forwarding the upstream client IP address in an HTTP header; typically X-Forward-For, but sometimes provider-specific headers like Do-Connecting-Ip or CF-Connecting-IP. Since IP headers can be spoofed, Sirveo does not trust standard headers, and this behaviour must be explicitly configured, for both admin and inbound HTTP ports (if the latter is enabled).

This value of these settings should be the name of the HTTP request header that contains the upstream client IP address. If the header value contains multiple IP addresses, the left-most IP address is assumed to be the client IP address.

For example, if a Sirveo deployment is behind a reverse proxy or upstream load balance that is configured place the client IP address in a X-Real-Ip request header, and it forwards requests to Sirveo on the inbound port, configure:

SIRVEO_IP_HEADER_INBOUND="X-Real-Ip"

For webhooks and links, request headers are provided as part of flow input data, and can therefore be inspected in flows.

External Access

CLIEnvironment variableDefaultNote
--url-admin stringSIRVEO_URL_ADMINhttp://127.0.0.1:7001
--url-inbound string SIRVEO_URL_INBOUNDhttp://127.0.0.1:7005

Sirveo is typically run behind a reverse proxy, or within a container. These settings tell the server about it’s public/external URLs. The management UI obtains these settings via API, so that certain URLs may be displayed correctly.

For example, if Sirveo’s admin interface listens on 0.0.0.0:7001 inside a Docker container, but it is exposed at https://sirveo.mydomain.io, then you would use:

SIRVEO_LISTEN_ADDRESS_ADMIN="0.0.0.0:7001"
SIRVEO_URL_ADMIN="https://sirveo.mydomain.io"

API Authentication

SIRVEO_JWT_EXPIRY

CLI --jwt-expiry
Config file key jwt_expiry
Default 4h

Determines the expiry time of JWTs issued by the server’s API. Accepts values between 15m and 168h (7 days).

SIRVEO_JWT_SIGNING_SECRET

CLI --jwt-signing-secret
Config file key jwt_signing_secret
Default none

Configures the signing secret used to sign authentication tokens issued by the server’s API. JWTs are signed with HMAC using SHA-512.

If configured, it must contain a hex-encoded value that contains at least 32 bytes, or up to and including 64 bytes. You can generate an appropriate value with OpenSSL:

Terminal window
$ openssl rand -hex 64
6d0851c14b977213af9b3aca3b0795c4826ac5e5a3ad50429436943abbc...

If not provided, the server generates a random 64-byte value when it starts. This behaviour will invalidate any existing JWTs, and require users to re-authenticate on the UI. For this reason, it is usually preferable to configure this value.

Data Retention

SIRVEO_RETENTION_PERIOD_SCHEDULES

CLI --retention-period-schedules
Config file key retention_period_schedules
Default 24h

Completed schedule trigger data will be deleted after this period. Accepts durations like 30m (minutes) or 72h (hours). Setting value to empty string disables retention.

What is “completed” schedule trigger data? Schedule trigger entries which:

  • Was created with a schedule node in a flow (not user-defined, cron-based schedules)
  • Has executed their target flows (with or without errors)

If enabled (value is not ""), this cleanup process runs when the server synchronizes its internal scheduler, which happens at least every 5 minutes.

SIRVEO_RETENTION_PERIOD_EVENTS

CLI --retention-period-events
Config file key retention_period_events
Default 720h (30 days)

Event data will be deleted after this period. Accepts durations like 30m (minutes) or 72h (hours). Setting value to empty string disables retention.

Telemetry

The following settings are used to configure and enable telemetry to a custom destination;

Settingdefaultnote
SIRVEO_TELEMETRY_MODEdisabledaccepts disabled, custom, default, both
SIRVEO_TELEMETRY_URLnonethe destination URL. Required for custom and both
SIRVEO_TELEMTRY_AUTHnoneoptional value for bearer token authentication
SIRVEO_TELEMETRY_FREQUENCY8haccepts values between 1h and 24h
SIRVEO_TELEMETRY_IDENTIFIERnonean optional name for the server, for custom mode

Other

CLIEnvironment variableDefaultNote
--data-dirSIRVEO_DATA_DIRn/a*

* Data directory, which is unused at this time. Sirveo has no filesystem side-effects.