Environment variables
Every config knob the API binary reads from the environment. Names are stable across minor releases; renames trigger a one-cycle deprecation warning before the old name is removed.
Required
| Variable | Purpose |
|---|---|
| ORBITALREG_DATABASE_URL | Postgres DSN — postgres://user:pass@host:5432/dbname |
| ORBITALREG_REDIS_URL | Redis DSN — redis://host:6379/0 |
| ORBITALREG_S3_ENDPOINT | S3 endpoint — s3.amazonaws.com or minio.example.com:9000 |
| ORBITALREG_S3_BUCKET | Artifact bucket name |
| ORBITALREG_S3_ACCESS_KEY | Bucket access-key |
| ORBITALREG_S3_SECRET_KEY | Bucket secret-key |
| ORBITALREG_BIND_ADDR | Listen address — default :8080 |
Identity
| Variable | Purpose |
|---|---|
| ORBITALREG_SAML_METADATA_URL | IdP metadata for SAML auth |
| ORBITALREG_SAML_ENTITY_ID | This SP's entity-id |
| ORBITALREG_SAML_CALLBACK_URL | Public ACS URL |
| ORBITALREG_OIDC_ISSUER | OIDC issuer (alternative to SAML) |
| ORBITALREG_OIDC_CLIENT_ID | OIDC client-id |
| ORBITALREG_OIDC_CLIENT_SECRET | OIDC client-secret |
| ORBITALREG_LOCAL_AUTH_ENABLED | true to enable local-username password auth |
Branding
| Variable | Purpose |
|---|---|
| ORBITALREG_HELP_URL | Help-button target URL — empty hides the button |
| ORBITALREG_PUBLIC_URL | Canonical public URL (used in webhook payloads) |
Air-gapped knobs
Each integration's master toggle. The values are stored in the system_settings table; the env vars set the initial value at first boot only.
| Variable | Purpose |
|---|---|
| ORBITALREG_ALLOW_OUTBOUND_WEBHOOKS | Master toggle for webhook deliveries |
| ORBITALREG_ALLOW_OSV_LOOKUPS | OSV.dev advisory queries |
| ORBITALREG_ALLOW_SIGSTORE_REKOR | Sigstore Rekor transparency-log lookups |
| ORBITALREG_ALLOW_OTEL_EXPORT | OpenTelemetry exporter |
| ORBITALREG_ALLOW_SERVICE_PINGS | Telemetry / version-check pings |
Tracing
| Variable | Purpose |
|---|---|
| OTEL_EXPORTER_OTLP_ENDPOINT | OTLP collector endpoint |
| OTEL_EXPORTER_OTLP_PROTOCOL | http/protobuf or grpc |
| OTEL_SERVICE_NAME | Service name in spans (default orbitalreg-api) |
| OTEL_TRACES_SAMPLER | Sampler — default parentbased_traceidratio |
| OTEL_TRACES_SAMPLER_ARG | Sampler arg — default 0.1 (10% sample rate) |
| OTEL_INSTRUMENTATION_PGX | true to span pgx queries |
| OTEL_INSTRUMENTATION_S3 | true to span S3 calls |
Scanners
| Variable | Purpose |
|---|---|
| ORBITALREG_TRIVY_DB_URL | Trivy DB mirror URL (air-gap) |
| ORBITALREG_GRYPE_DB_URL | Grype DB mirror URL (air-gap) |
| ORBITALREG_SCAN_WORKERS | Worker pool size (default 4) |
| ORBITALREG_SCAN_QUEUE_DEPTH | Per-worker queue depth (default 100) |
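
An added example, not part of the project's own tooling: a preflight check for an air-gapped first boot, covering the master toggles under "Air-gapped knobs" and the scanner DB mirrors under "Scanners". It assumes the toggles accept true/false (the page shows only `true` for other booleans) and that the env file is plain KEY=VALUE lines; because the env vars only seed system_settings at first boot, it checks the initial values, not a running instance.

```shell
#!/bin/sh
# Added example (not project code). Assumptions: toggles take "true"/"false",
# and the deployment's env file is plain KEY=VALUE lines.

AIRGAP_TOGGLES="ORBITALREG_ALLOW_OUTBOUND_WEBHOOKS ORBITALREG_ALLOW_OSV_LOOKUPS
ORBITALREG_ALLOW_SIGSTORE_REKOR ORBITALREG_ALLOW_OTEL_EXPORT
ORBITALREG_ALLOW_SERVICE_PINGS"
AIRGAP_MIRRORS="ORBITALREG_TRIVY_DB_URL ORBITALREG_GRYPE_DB_URL"

# env_value FILE NAME: print the last value assigned to NAME, quotes stripped.
env_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# airgap_findings FILE: one line per finding; no output means the file is clean.
airgap_findings() {
    for name in $AIRGAP_TOGGLES; do
        value=$(env_value "$1" "$name")
        # Report anything but an explicit "false": the page does not state
        # what an unset toggle defaults to.
        [ "$value" = "false" ] || echo "NOT_DISABLED $name=${value:-<unset>}"
    done
    for name in $AIRGAP_MIRRORS; do
        # Assumption: an air-gapped install wants both scanner DB mirrors set.
        [ -n "$(env_value "$1" "$name")" ] || echo "NO_MIRROR $name"
    done
}

# Constructed sample: OSV lookups left on, service pings unset, no Grype mirror.
write_sample() {
    cat > "$1" <<'EOF'
ORBITALREG_ALLOW_OUTBOUND_WEBHOOKS=false
ORBITALREG_ALLOW_OSV_LOOKUPS=true
ORBITALREG_ALLOW_SIGSTORE_REKOR=false
ORBITALREG_ALLOW_OTEL_EXPORT="false"
ORBITALREG_TRIVY_DB_URL=https://mirror.internal.example/trivy-db
EOF
}

sample=$(mktemp)
write_sample "$sample"
airgap_findings "$sample"
rm -f "$sample"
```
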
Backups + storage
| Variable | Purpose |
|---|---|
| ORBITALREG_S3_DUAL_WRITE_ENABLED | Mirror writes to a second bucket |
| STORAGE_BACKUP_ENDPOINT | Replica S3 endpoint |
| STORAGE_BACKUP_BUCKET | Replica S3 bucket |
| STORAGE_BACKUP_ACCESS_KEY | Replica access-key |
| STORAGE_BACKUP_SECRET_KEY | Replica secret-key |
| ORBITALREG_BACKUP_VERIFICATION_CRON | Override the weekly verification schedule |
Limits
| Variable | Purpose |
|---|---|
| ORBITALREG_UPLOAD_MAX_BYTES | Per-request upload cap (default 5 GiB) |
| ORBITALREG_UPLOAD_TIMEOUT | Per-request upload timeout (default 30 m) |
| ORBITALREG_RATE_LIMIT_RPS | Per-token request rate limit (default 100) |
Build-time
Set via -ldflags at compile time, not env:
| Symbol | Purpose |
|---|---|
| main.Version | Surfaced via /api/admin/version and AdminOverview |
| main.BuildTime | RFC-3339 build timestamp |
The shipped Makefile targets (make api-build, make docker) inject both with sensible defaults from git describe.