Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Configuration reference

EHRbase-rs is configured entirely through EHRBASE_* environment variables, optionally backed by TOML files for values that do not fit cleanly in env (a Basic-auth user store, a full OIDC block, ABAC policies, and so on). This chapter is the complete reference: how configuration loads, the two naming conventions you must know, and a table per area listing every key with its type, default, and meaning. Everything here is drawn from the server’s own configuration code.

How configuration loads

There is no single global configuration object. The server is composed of independent modules, each of which loads its own settings from three layers, in increasing precedence:

  1. Built-in defaults (the values in the tables below),
  2. an optional TOML file for that module (pointed at by an EHRBASE_<AREA>_CONFIG variable), then
  3. EHRBASE_<AREA>_-prefixed environment variables, which win.

The development Compose stack, for example, points EHRBASE_REST_CONFIG at docker/ehrbase.dev.toml to supply the Basic-auth user store (which env cannot carry as a list), while everything else stays on defaults or env overrides.

Warning

Two naming conventions. Most modules use a double underscore (__) to separate nested fields — EHRBASE_REST_AUTH__ENABLED maps to auth.enabled. There are two exceptions:

  • Telemetry is flat: EHRBASE_OTEL_* and EHRBASE_LOG_* have no nesting.
  • Management uses a single underscore for its one nested group: EHRBASE_MANAGEMENT_ENDPOINTS_HEALTH, not __.

Getting the separator wrong is the most common configuration mistake.

Enum values are case-sensitive on the wire. Where a column lists enum{a,b,c}, use exactly those lowercase (or snake_case) tokens. Secret values (EHRBASE_SIGNING_KEY_PASSPHRASE, EHRBASE_REST_AUTH__OIDC__HMAC_SECRET, Basic-auth password hashes) are redacted from the management /env endpoint and from logs.

Server (REST)

Prefix EHRBASE_REST_, separator __, optional file EHRBASE_REST_CONFIG.

KeyTypeDefaultDescription
EHRBASE_REST_CONFIGpathnonePath to the REST TOML config file (loaded before env).
EHRBASE_REST_BINDsocket address0.0.0.0:8080Address the API listener binds.
EHRBASE_REST_BASE_PATHstring/ehrbase/rest/openehr/v1Base path all API routes hang off.
EHRBASE_REST_SWAGGER_UIbooleantrueServe Swagger UI + the OpenAPI JSON. Consider off in production.
EHRBASE_REST_CORS_PERMISSIVEbooleanfalseEnable a permissive (development) CORS policy.
EHRBASE_REST_ADMIN__ENABLEDbooleanfalseMount the ADMIN API group (routes 404 when off).
EHRBASE_REST_TERMINOLOGY__ENABLEDbooleanfalseMount the terminology extension API group.
EHRBASE_REST_EVENT_SUBSCRIPTION__ENABLEDbooleanfalseMount the event-subscription admin extension API.
EHRBASE_REST_FHIR__ENABLEDbooleanfalseMount the FHIR R4 inbound/façade routes.
EHRBASE_REST_TENANCY__ENABLEDbooleanfalseActivate multi-tenancy (tenant middleware + row-level scoping).
EHRBASE_REST_TENANCY__CLAIMstringtenantJWT-claim path carrying the tenant key.
EHRBASE_REST_TENANCY__HEADERstringnoneDev-only request-header tenant override. Leave unset in production — a client header must not select a tenant.

Authentication

Nested under EHRBASE_REST_AUTH__ (part of the REST config). The Basic-auth user store is a list and is realistically supplied via the mounted TOML file; the env forms are shown for completeness.

KeyTypeDefaultDescription
EHRBASE_REST_AUTH__ENABLEDbooleantrueMaster auth switch. false = all requests pass unauthenticated (development only).
EHRBASE_REST_AUTH__ADMIN_SCOPEstringnoneDeprecated back-compat scope→role alias; still consulted by the management admin gate.
EHRBASE_REST_AUTH__BASIC__USERSlist of {username, password_hash, roles}none (Basic off)Basic-auth user store. Passwords are Argon2 PHC hashes; per-user roles default to ["USER"]. Set via TOML.
EHRBASE_REST_AUTH__OIDC__ISSUERURLnone (bearer off)Expected token issuer (iss); also the OIDC discovery base.
EHRBASE_REST_AUTH__OIDC__AUDIENCESlist[] (not checked)Accepted aud values.
EHRBASE_REST_AUTH__OIDC__ALGORITHMSlist["RS256"]Accepted JWT signature algorithms.
EHRBASE_REST_AUTH__OIDC__HMAC_SECRETstring (secret)noneSymmetric HS256 secret (development/test). Prefer JWKS/discovery in production.
EHRBASE_REST_AUTH__OIDC__JWKS_JSONstring (JSON)noneStatic JWKS document; preferred over discovery when present.

Authorization (RBAC + ABAC)

Prefix EHRBASE_AUTHZ_, separator __, optional file EHRBASE_AUTHZ_CONFIG.

KeyTypeDefaultDescription
EHRBASE_AUTHZ_CONFIGpathnonePath to the authz TOML config file.
EHRBASE_AUTHZ_RBAC__ENABLEDbooleantrueCoarse role gate (active only when auth is enabled).
EHRBASE_AUTHZ_RBAC__ADMIN_ROLEstringADMINRole required for admin-class operations.
EHRBASE_AUTHZ_RBAC__USER_ROLEstringUSERBaseline clinical role.
EHRBASE_AUTHZ_RBAC__ROLE_CLAIMSlist["realm_access.roles","scope"]JWT claim paths mined for roles.
EHRBASE_AUTHZ_RBAC__MANAGEMENT_ACCESSenum{admin_only,private,public}admin_onlyAccess level for the management surface.
EHRBASE_AUTHZ_ABAC__ENABLEDbooleanfalseMaster ABAC (attribute-based) switch.
EHRBASE_AUTHZ_ABAC__ENGINEenum{cedar,remote}cedarPolicy engine: embedded Cedar or a remote decision point.
EHRBASE_AUTHZ_ABAC__ORGANIZATION_CLAIMstringorganization_idJWT claim carrying the caller’s organization.
EHRBASE_AUTHZ_ABAC__PATIENT_CLAIMstringpatient_idJWT claim carrying the patient id (blank disables the subject gate).
EHRBASE_AUTHZ_ABAC__CEDAR__POLICY_DIRpathnoneDirectory of *.cedar policy files (required for the cedar engine).
EHRBASE_AUTHZ_ABAC__CEDAR__RELOAD_SECSintegernoneOptional Cedar hot-reload interval (seconds).
EHRBASE_AUTHZ_ABAC__REMOTE__SERVERURLnoneRemote decision-point base URL (required for the remote engine).
EHRBASE_AUTHZ_ABAC__REMOTE__CONNECT_TIMEOUT_MSinteger (ms)2000Remote-PDP connect timeout.
EHRBASE_AUTHZ_ABAC__REMOTE__REQUEST_TIMEOUT_MSinteger (ms)5000Remote-PDP request timeout.

Database

Prefix EHRBASE_DB_, no nesting, environment-only (no config file).

KeyTypeDefaultDescription
EHRBASE_DB_URLURLnone (required)PostgreSQL connection URL, postgres://user:pass@host:port/db. DATABASE_URL is accepted as a fallback.
EHRBASE_DB_MAX_CONNECTIONSinteger10Upper bound of the connection pool.
EHRBASE_DB_MIN_CONNECTIONSinteger0Idle connections the pool keeps open.
EHRBASE_DB_ACQUIRE_TIMEOUT_SECSinteger (s)30Wait for a free connection before failing.

Note

EHRBASE_DB_NAME, EHRBASE_DB_USER, and EHRBASE_DB_PASSWORD are not read by the server — they configure the PostgreSQL init image. The server takes a single EHRBASE_DB_URL.

Telemetry and logging

Prefixes EHRBASE_OTEL_ and EHRBASE_LOG_. Flat (no __ nesting), environment-only.

KeyTypeDefaultDescription
EHRBASE_OTEL_OTLP_ENDPOINTURLnoneOTLP/gRPC collector endpoint. Unset = the OTel layer is not installed (zero overhead).
EHRBASE_OTEL_SERVICE_NAMEstringehrbaseservice.name resource attribute.
EHRBASE_OTEL_ENVIRONMENTstringdevdeployment.environment resource attribute.
EHRBASE_OTEL_TRACES_SAMPLE_RATIOfloat1.0Head-sampling ratio.
EHRBASE_OTEL_METRICS_PUSHbooleanfalseAlso push metrics over OTLP (alongside Prometheus pull).
EHRBASE_LOG_FORMATenum{auto,json,pretty}autoLog rendering. json for cluster log collectors; auto picks JSON when stdout is not a TTY.
EHRBASE_LOG_FILTERstringinfo,ehrbase=infoLog-filter directives (RUST_LOG is the fallback when unset).

Management surface

Prefix EHRBASE_MANAGEMENT_, single-underscore nesting for endpoints, optional file EHRBASE_MANAGEMENT_CONFIG. Off in the bare binary; the Helm chart turns it on for probes.

KeyTypeDefaultDescription
EHRBASE_MANAGEMENT_CONFIGpathnonePath to the management TOML config file.
EHRBASE_MANAGEMENT_ENABLEDbooleanfalseMaster switch; off = no management routes mounted.
EHRBASE_MANAGEMENT_BASE_PATHstring/managementBase path for the management endpoints.
EHRBASE_MANAGEMENT_PORTinteger (u16)noneServe management on its own listener/port instead of the main API listener.
EHRBASE_MANAGEMENT_ACCESS_DEFAULTenum{off,admin_only,private,public}admin_onlyGlobal default access level (a per-endpoint level wins).
EHRBASE_MANAGEMENT_PROBES_ENABLEDbooleanfalseMount the public /health/liveness + /health/readiness probes.
EHRBASE_MANAGEMENT_ENDPOINTS_HEALTHenum{off,admin_only,private,public}offAccess level of /management/health.
EHRBASE_MANAGEMENT_ENDPOINTS_INFOenum{off,admin_only,private,public}offAccess level of /management/info.
EHRBASE_MANAGEMENT_ENDPOINTS_METRICSenum{off,admin_only,private,public}offAccess level of /management/metrics.
EHRBASE_MANAGEMENT_ENDPOINTS_PROMETHEUSenum{off,admin_only,private,public}offAccess level of /management/prometheus.
EHRBASE_MANAGEMENT_ENDPOINTS_ENVenum{off,admin_only,private,public}offAccess level of /management/env (redacted config).
EHRBASE_MANAGEMENT_ENDPOINTS_LOGGERSenum{off,admin_only,private,public}offAccess level of /management/loggers (runtime log control).

Version signing

Prefix EHRBASE_SIGNING_, separator __, optional file EHRBASE_SIGNING_CONFIG. On by default in digest mode.

KeyTypeDefaultDescription
EHRBASE_SIGNING_CONFIGpathnonePath to the signing TOML config file.
EHRBASE_SIGNING_ENABLEDbooleantrueServer-side signing of committed versions.
EHRBASE_SIGNING_MODEenum{digest,pgp}digestSHA-256 integrity digest, or an OpenPGP detached signature.
EHRBASE_SIGNING_KEY_PATHpathnoneArmored RFC 4880 secret key (required for pgp).
EHRBASE_SIGNING_KEY_PASSPHRASEstring (secret)noneKey passphrase (kept in memory, never serialized).
EHRBASE_SIGNING_VERIFY_ON_READenum{off,warn,strict}offRead-time recompute-and-compare policy.

Warning

pgp mode fails closed at boot if the key is missing or unusable — the server will not start. Verify the key and passphrase before switching modes.

System log (ATNA auditing)

Prefix EHRBASE_ATNA_, separator __, optional file EHRBASE_ATNA_CONFIG. Off by default.

KeyTypeDefaultDescription
EHRBASE_ATNA_CONFIGpathnonePath to the ATNA TOML config file.
EHRBASE_ATNA_ENABLEDbooleanfalseMaster ATNA audit switch.
EHRBASE_ATNA_ENTERPRISE_SITE_IDstringnoneEnterprise/site id (AuditEnterpriseSiteID).
EHRBASE_ATNA_REPOSITORY_HOSTstringlocalhostAudit Record Repository (ARR) host.
EHRBASE_ATNA_REPOSITORY_PORTinteger (u16)514ARR port (514 UDP / 6514 TLS typical).
EHRBASE_ATNA_TRANSPORTenum{udp,tls}udpSyslog transport to the ARR. Use tls for PHI-adjacent audit.
EHRBASE_ATNA_SOURCE_IDstringehrbaseAudit source id.
EHRBASE_ATNA_VALUE_IF_MISSINGstringUNKNOWNFill value for empty mandatory fields.
EHRBASE_ATNA_SUPPRESS_LOGIN_EVENTSbooleantrueSkip auth/login activity events.
EHRBASE_ATNA_FAIL_MODEenum{open,closed}openOn undeliverable audit: succeed and meter (open) or reject with 503 (closed).
EHRBASE_ATNA_RESOLVE_SUBJECTbooleanfalseEnrich the patient participant via a subject lookup.
EHRBASE_ATNA_QUEUE_CAPACITYinteger1024Bounded audit queue capacity.
EHRBASE_ATNA_SERVER_HOSTstringnoneThis node’s advertised address (NetworkAccessPointID).
EHRBASE_ATNA_TLS_CA_PATHpathnonePEM CA file to trust for TLS transport.
EHRBASE_ATNA_TLS_IDENTITY_CERT_PATHpathnoneClient-certificate PEM for mutual TLS.
EHRBASE_ATNA_TLS_IDENTITY_KEY_PATHpathnoneClient-key PEM for mutual TLS.

Change events (AMQP outbox)

Prefix EHRBASE_EVENTS_, separator __, optional file EHRBASE_EVENTS_CONFIG. Off by default. Envelopes are PHI-free by design.

KeyTypeDefaultDescription
EHRBASE_EVENTS_CONFIGpathnonePath to the events TOML config file.
EHRBASE_EVENTS_ENABLEDbooleanfalseSpawn the outbox publisher.
EHRBASE_EVENTS_URLAMQP URLamqp://guest:guest@localhost:5672/%2fRabbitMQ broker URL.
EHRBASE_EVENTS_EXCHANGEstringehrbase.eventsTopic exchange for PHI-free event envelopes.
EHRBASE_EVENTS_TLSbooleanfalseUpgrade an amqp:// URL to amqps://.
EHRBASE_EVENTS_BATCH_SIZEinteger128Outbox rows drained per poll.
EHRBASE_EVENTS_POLL_INTERVAL_MSinteger (ms)1000Poll interval when the outbox is idle.
EHRBASE_EVENTS_RETENTION_DAYSinteger (days)7Published-row retention window.
EHRBASE_EVENTS_PRUNE_INTERVAL_SECSinteger (s)3600Retention-prune cadence.
EHRBASE_EVENTS_PUBLISH_MAX_RETRIESinteger3Per-row publish retries before backing off.

FHIR outbound emitter

Prefix EHRBASE_FHIR_OUTBOUND_, separator __, optional file EHRBASE_FHIR_OUTBOUND_CONFIG. Off by default.

KeyTypeDefaultDescription
EHRBASE_FHIR_OUTBOUND_CONFIGpathnonePath to the FHIR-outbound TOML config file.
EHRBASE_FHIR_OUTBOUND_ENABLEDbooleanfalseEnable the FHIR resource emitter.
EHRBASE_FHIR_OUTBOUND_URLAMQP URLamqp://guest:guest@localhost:5672/%2fBroker URL.
EHRBASE_FHIR_OUTBOUND_EXCHANGEstringehrbase.fhirTopic exchange (separate from events, for PHI isolation).
EHRBASE_FHIR_OUTBOUND_TLSbooleanfalseUpgrade an amqp:// URL to amqps://.
EHRBASE_FHIR_OUTBOUND_BATCH_SIZEinteger128Outbox rows scanned per poll.
EHRBASE_FHIR_OUTBOUND_POLL_INTERVAL_MSinteger (ms)1000Poll interval when idle.
EHRBASE_FHIR_OUTBOUND_PUBLISH_MAX_RETRIESinteger3Per-message publish retries before backing off.

Warning

This stream carries PHI — the mapped FHIR resource. It is a deliberately separate switch and exchange from the PHI-free change-event stream so broker access control can isolate it. Enable it only against a TLS, access-controlled broker.

S3 multimedia externalization

Prefix EHRBASE_MULTIMEDIA_, separator __, optional file EHRBASE_MULTIMEDIA_CONFIG. Off by default (blobs stay inline, byte-identical).

KeyTypeDefaultDescription
EHRBASE_MULTIMEDIA_CONFIGpathnonePath to the multimedia TOML config file.
EHRBASE_MULTIMEDIA_ENABLEDbooleanfalseExternalize large multimedia data to an object store.
EHRBASE_MULTIMEDIA_THRESHOLD_BYTESinteger (bytes)262144 (256 KiB)Decoded size strictly above which data is offloaded.
EHRBASE_MULTIMEDIA_ENDPOINTURLnoneS3-compatible endpoint. None = AWS default resolution.
EHRBASE_MULTIMEDIA_BUCKETstringopenehr-multimediaTarget bucket.
EHRBASE_MULTIMEDIA_REGIONstringus-east-1AWS region (required even for non-AWS endpoints).
EHRBASE_MULTIMEDIA_ACCESS_KEY_IDstringnoneS3 access key id (none + no secret = anonymous).
EHRBASE_MULTIMEDIA_SECRET_ACCESS_KEYstring (secret)noneS3 secret access key.
EHRBASE_MULTIMEDIA_ALLOW_HTTPbooleanfalseAllow plain-HTTP endpoints — development/test only.

External terminology validation

Prefix EHRBASE_VALIDATION_EXTERNAL_TERMINOLOGY_, separator __, optional file EHRBASE_VALIDATION_CONFIG. Off by default (the in-process openEHR bundle is used). Providers are a map keyed by a provider name (below shown as <NAME>, conventionally default).

KeyTypeDefaultDescription
EHRBASE_VALIDATION_CONFIGpathnonePath to the terminology-validation TOML config file.
EHRBASE_VALIDATION_EXTERNAL_TERMINOLOGY_ENABLEDbooleanfalseActivate external terminology validation.
EHRBASE_VALIDATION_EXTERNAL_TERMINOLOGY_FAIL_ON_ERRORbooleanfalseOn TS/connectivity error, reject (fail-closed) vs accept (fail-open).
EHRBASE_VALIDATION_EXTERNAL_TERMINOLOGY_PROVIDERS__<NAME>__TYPEenum{fhir}fhirProvider kind (FHIR R4).
EHRBASE_VALIDATION_EXTERNAL_TERMINOLOGY_PROVIDERS__<NAME>__URLURLnone (required)FHIR R4 base URL of the terminology server.
EHRBASE_VALIDATION_EXTERNAL_TERMINOLOGY_PROVIDERS__<NAME>__OPERATIONenum{validate_code,expand}validate_codeValue-set membership operation.
EHRBASE_VALIDATION_EXTERNAL_TERMINOLOGY_PROVIDERS__<NAME>__CONNECT_TIMEOUT_MSinteger (ms)2000Per-provider connect timeout.
EHRBASE_VALIDATION_EXTERNAL_TERMINOLOGY_PROVIDERS__<NAME>__REQUEST_TIMEOUT_MSinteger (ms)10000Per-provider request timeout.
EHRBASE_VALIDATION_EXTERNAL_TERMINOLOGY_PROVIDERS__<NAME>__OAUTH2_CLIENTstringnoneName of an OAuth2 client-credentials client for the provider.

Process / CLI

KeyTypeDefaultDescription
EHRBASE_HEALTHCHECK_URLURLhttp://127.0.0.1:8080/ehrbase/rest/statusTarget URL for the binary’s healthcheck subcommand (container HEALTHCHECK and Kubernetes exec probes).

What belongs in a mounted file

Env variables cannot carry lists or nested structures cleanly. Put these in the module’s TOML file (via EHRBASE_<AREA>_CONFIG, or the Helm chart’s config.files) instead:

  • the Basic-auth user store ([[auth.basic.users]]),
  • a full OIDC block with multiple audiences/algorithms,
  • RBAC role-claim lists and ABAC (Cedar) policies,
  • the external terminology provider map,
  • ATNA TLS certificate paths and the PGP signing key.

See docker/ehrbase.dev.toml in the repository for a worked example of the REST config file (bind address, CORS, admin, and the Basic-auth users).