# Configuration Reference Each service is configured via environment variables. Please see a GitHub readme section for each service for the full list of configuration options: ## Ingest HTTP port where Ingest will be available. Public url where ingest service is deployed and available from internet, usually it's load balancer or reverse proxy. E.g. https://data.jitsu.mycompany.com. Should contain protocol and port (if it's not default).

INGEST_REPOSITORY_URL is an URL of console's export endpoint that returns configuration of `streams-with-destinations` entities: https://$console-endpoint/api/admin/export/streams-with-destinations.

INGEST_REPOSITORY_AUTH_TOKEN is used to authorize request to console. It must start with service-admin-account: prefix. E.g.: service-admin-account:console-token

See also CONSOLE_AUTH_TOKENS of console configuration

 Period in seconds for refreshing configuration from console's INGEST_REPOSITORY_URL. List of Kafka brokers separated by comma. Each broker should be in format host:port. If SSL should be enabled for Kafka Skip SSL verification of kafka server certificate. Kafka authorization as JSON object. E.g.: {'{"mechanism": "SCRAM-SHA-256", "username": "user", "password": "password"}'}

INGEST_ROTOR_URL is an URL of the main endpoint of Rotor service.
Example: http://rotor:3401.
Required for running functions on device destinations

INGEST_ROTOR_AUTH_KEY is used to authorized HTTP-request to Rotor.
See ROTOR_AUTH_TOKENS, ROTOR_TOKEN_SECRET and ROTOR_RAW_AUTH_TOKENS in the Rotor section

ClickHouse host and port to store incoming events log. E.g.: clickhouse.example.com:9440 ClickHouse database to store incoming events log. ClickHouse username and password. Enable SSL for Clickhouse connection Format of application logs (that are written to stdout). Possible values: `text` or `json` Failover logger is used to store events that failed to be sent to Kafka. Default values: Controls how failover logger files stored on local disk. Default values: Allows to set S3 destination for failover logger files. ## Bulker See list of all options on [Bulker github](https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md) ## Rotor HTTP port where Rotor will be available.

ROTOR_AUTH_TOKENS is a list of hashed auth tokens that authorizes user in HTTP interface separated by comma. Each must have format: $salt.$hash where $salt should be random string. Hash is hex(sha512($token + $salt + ROTOR_TOKEN_SECRET).

To hash token, use following command in the root of this repository: pnpm install && ROTOR_TOKEN_SECRET=xxxx pnpm tool:hash $token

ROTOR_RAW_AUTH_TOKENS can be used instead of ROTOR_AUTH_TOKENS to provide a comma-separared list of raw takens instead of hases. It offers simplicity at cost of lower security.

REPOSITORY_BASE_URL is an URL of console's export endpoint that returns configuration of `streams-with-destinations` entities: https://$console-endpoint/api/admin/export.

REPOSITORY_AUTH_TOKEN is used to authorize request to console. It must start with service-admin-account: prefix. E.g.: service-admin-account:console-token

See also CONSOLE_AUTH_TOKENS of console configuration

 Period in seconds for refreshing configuration from console's export endpoint. ClickHouse host and port to store Events Log. E.g.: clickhouse.example.com:9440 Only HTTP(s) protocol is supported. ClickHouse database to store Events Log. ClickHouse username and password. Enable SSL for Clickhouse connection

BULKER_URL is an URL of Bulker service. Rotor will use it to send event intended to warehouse destinations

BULKER_AUTH_KEY is user to authentificated HTTP-request to Bulker. Should be one of{" "} BULKER_AUTH_KEYS you configured in Bulker

Used for Events Logs feature. List of Kafka brokers separated by comma. Each broker should be in format host:port. If SSL should be enabled for Kafka Custom CA certificate for verifying the Kafka server certificate. KAFKA_SSL_CA is a certificate in PEM format, KAFKA_SSL_CA_FILE is a path to the file with the certificate. Skip SSL verification of kafka server certificate. Kafka authorization as JSON object. E.g.: {'{"mechanism": "SCRAM-SHA-256", "username": "user", "password": "password"}'}

MongoDB is used for Functions Persistent Storage and Identity Stitching.

The value starts with mongodb:// and has the following format: mongodb://$user:$password@$host:$port/$database

To smoothly migrate from REDIS_URL you need to set REDIS_URL and MONGODB_URL at the same time. Rotor will look for records both in MongoDB and Redis, but new records will be added only to MongoDB. When you are sure that MongoDB is populated with enough data, you can remove REDIS_URL from the configuration.

Redis connection string. Always start with redis://: redis://$user:$password:localhost:6379.
Redis Sentinel Address: `sentinel1:26379,sentinel2:26379,sentinel3:26379`
Can be used for Functions Persistent Storage as alternative to MongoDB. Id of Bulker destination where Rotor will send event metrics.{" "} Only clickhouse destination is supported.{" "} If you don't want to send metrics, you can skip this option. Maximum number of retries for failed messages. Base value for exponential backoff for failed messages.{" "} For example, if MESSAGES_RETRY_COUNT is 3 and base is 10, then retry delays will be 10, 100, 1000 minutes Defines maximum possible retry delay in minutes. Default: 24 hours MaxMind database used for GeoIP enrichment.{" "} MaxMind database can be obtained from MaxMind servers using MAXMIND_LICENSE_KEY, from custom `MAXMIND_URL` or from S3 or compatible storage. Use localized geographic names.{" "} Supported locales Format of rotor application logs. Possible values: text or json ## Console HTTP port where Console will be available. This is a URL where Jitsu console will be publicly available, usually a load-balancer / reverse proxy address. E.g.: https://your-domain/

CONSOLE_AUTH_TOKENS is a list of hashed auth tokens that authorizes user in HTTP interface separated by comma. Each must have format: $salt.$hash where $salt should be random string. Hash is hex(sha512($token + $salt + CONSOLE_TOKEN_SECRET).

To hash token, use following command in the root of this repository: pnpm install && CONSOLE_TOKEN_SECRET=xxxx pnpm tool:hash $token

CONSOLE_RAW_AUTH_TOKENS can be used instead of CONSOLE_AUTH_TOKENS to provide a comma-separared list of raw takens instead of hases. It offers simplicity at cost of lower security.

PostgreSQL connection string. postgres://$user:$password@localhost:$port/database?sslmode=no-verify&schema=newjitsu

schema must be newjitsu, and sslmode must be no-verify

BULKER_URL is an url of Bulker service. Used for pulling event logs. E.g.: https://bulker.your-domain.com

BULKER_AUTH_KEY is used to authorized HTTP-request to Bulker. See BULKER_AUTH_TOKENS, BULKER_TOKEN_SECRET and BULKER_RAW_AUTH_TOKENS in Bulker configuration

ROTOR_URL is an url of the Rotor service. E.g.: http://rotor:3401

ROTOR_AUTH_KEY is used to authorized HTTP-request to Rotor. See ROTOR_AUTH_TOKENS, ROTOR_TOKEN_SECRET and ROTOR_RAW_AUTH_TOKENS in the Rotor section

To enable GitHub OAuth for Jitsu.

You'll need to create a GitHub OAuth application to get those values:

  1. Go to GitHub Developer settings » OAuth Apps » New OAuth App.
  2. Put any value to Application name.
  3. Set Homepage URL and Authorization callback URL with value of JITSU_PUBLIC_URL.
  4. Press Register application button.
  5. Press Generate a new client secret button.
  6. Copy Client ID and Client Secret values to .env file to GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET variables respectively.

To enable OpenID Connect based authentication for Jitsu.

Expected json object with the following properties: issuer (the issuer domain in valid URL format), clientId, and clientSecret

The well-known configuration endpoint for the provider is automatically set based on the issuer, and the default authorization request includes scopes for OpenID, email, and profile information.

Auth0 Example: {'{"issuer":"https://{yourDomain}.us.auth0.com/","clientId":"***","clientSecret":"***"}'}

 Url where Ingest service is publicly available. See INGEST_PUBLIC_URL param of `ingest` service for details. Whet set to true enables Connectors Syncs feature in Jitsu Console UI. Requires syncctl service Required if SYNCS_ENABLED=true. SYNCCTL_URL is an URL of the main endpoint of Syncctl service. SYNCCTL_AUTH_KEY is Syncctl service authentication key: one of SYNCCTL_AUTH_KEYS or SYNCCTL_RAW_AUTH_TOKENS configured in Syncctl For scheduling connectors syncs Google Cloud Scheduler is required. This is a Google Service Account Key in JSON format. If not set, you'll still be able to schedule syncs manually through Jitsu Console UI or via API. ClickHouse host and port where Events Log is stored. E.g.: clickhouse.example.com:9440 Only HTTP(s) protocol is supported. ClickHouse database to where Events Log is stored. ClickHouse cluster id to properly create replicate tables for Events Log. E.g.: jitsu_cluster ClickHouse username and password. Enable SSL for Clickhouse connection [//]: # () [//]: # () [//]: # ( Name of ClickHouse schema where Rotor service sends events metrics.) [//]: # () Email sending configuration:
SMTP_CONNECTION_STRING is a connection string to SMTP server in format: smtp://user:password@localhost:587
EMAIL_TRANSACTIONAL_SENDER is an email address that will be used as sender.
EMAIL_TRANSACTIONAL_REPLY_TO (optional) is an email address that will be used as Reply-To.
BCC_EMAIL (optional) is an email address where all emails will be sent as BCC. Format of console application logs. Possible values: text or json ## Syncctl HTTP port where Syncctl will be available.

A list of hashed auth tokens that authorizes user in HTTP interface separated by comma. Each must have format: $salt.$hash where $salt should be random string. Hash is hex(sha512($token + $salt + SYNCCTL_TOKEN_SECRET). $token must consist only of letters, digits, underscore and dash

SYNCCTL_RAW_AUTH_TOKENS can be used if you want to provide a comma-separared list of raw takens instead of hases. It offers simplicity at cost of lower security.

PostgreSQL connection string. postgres://$user:$password@localhost:$port/database?sslmode=no-verify&search_path=newjitsu. Should be the same as DATABASE_URL for console

search_path must be newjitsu, and sslmode must be no-verify

URL of the same PostgreSQL instance as it is reachable from kubernetes cluster. Required only if it is different from SYNCCTL_DATABASE_URL. E.g. if you use localhost in SYNCCTL_DATABASE_URL Path to kubernetes config file or kubernetes config in yaml format. If syncctl service itself runs in kubernetes cluster, you can skip this option or use local value. Name of kubernetes context if not the default one is used and name of kubernetes namespace where sync jobs will be created. Maximum time in hours that sync job can run. After that time sync job will be terminated. Format of syncctl application logs. Possible values: text or json ## Admin Admin service is used to perform maintenance tasks like reprocessing failover logger files. HTTP port where Ingest will be available. Public url where admin service is deployed and available from internet, usually it's load balancer or reverse proxy. E.g. https://data.jitsu.mycompany.com. Should contain protocol and port (if it's not default).

ADMIN_REPOSITORY_URL is an URL of console's export endpoint that returns configuration of `streams-with-destinations` entities: https://$console-endpoint/api/admin/export/streams-with-destinations.

ADMIN_REPOSITORY_AUTH_TOKEN is used to authorize request to console. It must start with service-admin-account: prefix. E.g.: service-admin-account:console-token

See also CONSOLE_AUTH_TOKENS of console configuration

 Period in seconds for refreshing configuration from console's ADMIN_REPOSITORY_URL. List of Kafka brokers separated by comma. Each broker should be in format host:port. If SSL should be enabled for Kafka Skip SSL verification of kafka server certificate. Kafka authorization as JSON object. E.g.: {'{"mechanism": "SCRAM-SHA-256", "username": "user", "password": "password"}'} Format of application logs (that are written to stdout). Possible values: `text` or `json`