Environment configuration reference

Available environment variables

Required

  • SECRET_KEY:

Database

  • DB_CONN_MAX_AGE: The lifetime of a database connection, as an integer of seconds. Use 0 to close database connections at the end of each request — Django’s historical behavior. This setting is ignored if connection pooling is used. Defaults to: 60.

  • DB_POOL_ENABLED: Whether to use connection pooling. Defaults to: False.

  • DB_POOL_MIN_SIZE: The minimum number of connection the pool will hold. The pool will actively try to create new connections if some are lost (closed, broken) and will try to never go below min_size. Defaults to: 4.

  • DB_POOL_MAX_SIZE: The maximum number of connections the pool will hold. If None, or equal to min_size, the pool will not grow or shrink. If larger than min_size, the pool can grow if more than min_size connections are requested at the same time and will shrink back after the extra connections have been unused for more than max_idle seconds. Defaults to: None.

  • DB_POOL_TIMEOUT: The default maximum time in seconds that a client can wait to receive a connection from the pool (using connection() or getconn()). Note that these methods allow to override the timeout default. Defaults to: 30.

  • DB_POOL_MAX_WAITING: Maximum number of requests that can be queued to the pool, after which new requests will fail, raising TooManyRequests. 0 means no queue limit. Defaults to: 0.

  • DB_POOL_MAX_LIFETIME: The maximum lifetime of a connection in the pool, in seconds. Connections used for longer get closed and replaced by a new one. The amount is reduced by a random 10% to avoid mass eviction. Defaults to: 3600.

  • DB_POOL_MAX_IDLE: Maximum time, in seconds, that a connection can stay unused in the pool before being closed, and the pool shrunk. This only happens to connections more than min_size, if max_size allowed the pool to grow. Defaults to: 600.

  • DB_POOL_RECONNECT_TIMEOUT: Maximum time, in seconds, the pool will try to create a connection. If a connection attempt fails, the pool will try to reconnect a few times, using an exponential backoff and some random factor to avoid mass attempts. If repeated attempts fail, after reconnect_timeout second the connection attempt is aborted and the reconnect_failed() callback invoked. Defaults to: 300.

  • DB_POOL_NUM_WORKERS: Number of background worker threads used to maintain the pool state. Background workers are used for example to create new connections and to clean up connections when they are returned to the pool. Defaults to: 3.

Logging

  • LOG_STDOUT: whether to log to stdout or not. Defaults to: True.

  • LOG_LEVEL: control the verbosity of logging output. Available values are CRITICAL, ERROR, WARNING, INFO and DEBUG. Defaults to: INFO.

  • LOG_QUERIES: enable (query) logging at the database backend level. Note that you must also set DEBUG=1, which should be done very sparingly!. Defaults to: False.

  • LOG_REQUESTS: enable logging of the outgoing requests. This must be enabled along with LOG_OUTGOING_REQUESTS_DB_SAVE to save outgoing request logs in the database. Defaults to: False.

  • LOG_FORMAT_CONSOLE: The format for the console logging handler, possible options: json, plain_console. Defaults to: json.

  • ENABLE_STRUCTLOG_REQUESTS: enable structured logging of requests. Defaults to: True.

  • LOG_OUTGOING_REQUESTS_EMIT_BODY: Whether or not outgoing request bodies should be logged. Defaults to: True.

  • LOG_OUTGOING_REQUESTS_DB_SAVE: Whether or not outgoing request logs should be saved to the database. Defaults to: False.

  • LOG_OUTGOING_REQUESTS_DB_SAVE_BODY: Whether or not outgoing request bodies should be saved to the database. Defaults to: True.

  • LOG_OUTGOING_REQUESTS_MAX_AGE: The amount of time after which request logs should be deleted from the database. Defaults to: 7.

Celery

  • CELERY_LOGLEVEL: control the verbosity of logging output for celery, independent of LOG_LEVEL. Available values are CRITICAL, ERROR, WARNING, INFO and DEBUG. Defaults to: INFO.

  • CELERY_RESULT_BACKEND: the URL of the backend/broker that will be used by Celery to send the notifications. Defaults to: redis://localhost:6379/1.

Cross-Origin-Resource-Sharing

  • CORS_ALLOW_ALL_ORIGINS: allow cross-domain access from any client. Defaults to: False.

  • CORS_ALLOWED_ORIGINS: explicitly list the allowed origins for cross-domain requests. Example: http://localhost:3000,https://some-app.gemeente.nl. Defaults to: [].

  • CORS_ALLOWED_ORIGIN_REGEXES: same as CORS_ALLOWED_ORIGINS, but supports regular expressions. Defaults to: [].

  • CORS_EXTRA_ALLOW_HEADERS: headers that are allowed to be sent as part of the cross-domain request. By default, Authorization, Accept-Crs and Content-Crs are already included. The value of this variable is added to these already included headers. Defaults to: [].

Elastic APM

  • ELASTIC_APM_SERVER_URL: URL where Elastic APM is hosted. Defaults to: None.

  • ELASTIC_APM_SERVICE_NAME: Name of the service for this application in Elastic APM. Defaults to openorganisatie - <environment>.

  • ELASTIC_APM_TRANSACTION_SAMPLE_RATE: By default, the agent will sample every transaction (e.g. request to your service). To reduce overhead and storage requirements, set the sample rate to a value between 0.0 and 1.0. Defaults to: 0.1.

Content Security Policy

  • CSP_EXTRA_DEFAULT_SRC: Extra default source URLs for CSP other than self. Used for img-src, style-src and script-src. Defaults to: [].

  • CSP_EXTRA_FORM_ACTION: Additional form-action sources. Defaults to: [].

  • CSP_FORM_ACTION: Override the default form-action sources. Defaults to: ['"\'self\'"'].

  • CSP_EXTRA_IMG_SRC: Extra img-src sources. Defaults to: [].

  • CSP_OBJECT_SRC: object-src sources. Defaults to: ['"\'none\'"'].

  • CSP_REPORT_URI: URI for CSP report-uri directive. Defaults to: None.

  • CSP_REPORT_PERCENTAGE: Fraction (between 0 and 1) of requests to include report-uri directive. Defaults to: 0.0.

Optional

  • SITE_ID: The database ID of the site object. You usually won’t have to touch this. Defaults to: 1.

  • DEBUG: Defaults to: False.

  • ALLOWED_HOSTS: Defaults to: (empty string).

  • USE_X_FORWARDED_HOST: Defaults to: False.

  • IS_HTTPS: Defaults to: False.

  • DB_NAME: Defaults to: openorganisatie.

  • DB_USER: Defaults to: openorganisatie.

  • DB_PASSWORD: Defaults to: openorganisatie.

  • DB_HOST: Defaults to: localhost.

  • DB_PORT: Defaults to: 5432.

  • CACHE_DEFAULT: Defaults to: localhost:6379/0.

  • CACHE_AXES: Defaults to: localhost:6379/0.

  • EMAIL_HOST: Defaults to: localhost.

  • EMAIL_PORT: Defaults to: 25.

  • EMAIL_HOST_USER: Defaults to: (empty string).

  • EMAIL_HOST_PASSWORD: Defaults to: (empty string).

  • EMAIL_USE_TLS: Defaults to: False.

  • DEFAULT_FROM_EMAIL: The default email address from which emails are sent. Defaults to: openorganisatie@example.com.

  • SESSION_COOKIE_AGE: For how long, in seconds, the session cookie will be valid. Defaults to: 1209600.

  • SESSION_COOKIE_SAMESITE: The value of the SameSite flag on the session cookie. This flag prevents the cookie from being sent in cross-site requests thus preventing CSRF attacks and making some methods of stealing session cookie impossible.Currently interferes with OIDC. Keep the value set at Lax if used. Defaults to: Lax.

  • CSRF_COOKIE_SAMESITE: The value of the SameSite flag on the CSRF cookie. This flag prevents the cookie from being sent in cross-site requests. Defaults to: Strict.

  • ENVIRONMENT: Defaults to: (empty string).

  • SUBPATH: Defaults to: None.

  • RELEASE: Defaults to: 7d0dded974ed7fcc0d039f01ef46c31671e21bbe.

  • NUM_PROXIES: the number of reverse proxies in front of the application, as an integer. This is used to determine the actual client IP adres. On Kubernetes with an ingress you typically want to set this to 2. Defaults to: 1.

  • CSRF_TRUSTED_ORIGINS: A list of trusted origins for unsafe requests (e.g. POST). Defaults to: [].

  • NOTIFICATIONS_DISABLED: Indicates whether or not notifications should be sent to the Notificaties API for operations on the API endpoints. Defaults to: True.

  • SITE_DOMAIN: Defines the primary domain where the application is hosted. Defaults to: (empty string).

  • SENTRY_DSN: Defaults to: None.

  • ELASTIC_APM_SECRET_TOKEN: Defaults to: default.

  • DISABLE_2FA: Defaults to: False.

  • DB_ENGINE: Defaults to: django.db.backends.postgresql.

  • SCIM_NETLOC: Defaults to: localhost:8000.

  • ENVIRONMENT_LABEL: Defaults to: development.

  • ENVIRONMENT_BACKGROUND_COLOR: Defaults to: orange.

  • ENVIRONMENT_FOREGROUND_COLOR: Defaults to: black.

  • SHOW_ENVIRONMENT: Defaults to: True.

Specifying the environment variables

There are two strategies to specify the environment variables:

  • provide them in a .env file

  • start the component processes (with uwsgi/gunicorn/celery) in a process manager that defines the environment variables

Providing a .env file

This is the most simple setup and easiest to debug. The .env file must be at the root of the project - i.e. on the same level as the src directory ( NOT in the src directory).

The syntax is key-value:

SOME_VAR=some_value
OTHER_VAR="quoted_value"

Provide the envvars via the process manager

If you use a process manager (such as supervisor/systemd), use their techniques to define the envvars. The component will pick them up out of the box.