Configuration Settings

Configuration can be done using a TOML configuration file, environment variables or secret files.

The configuration framework is based on the [pydantic settings](https://docs.pydantic.dev/latest/concepts/pydantic_settings/?query=Settings) package which provides strong validation for configuration data.

Environment variables

The mapping of configuration values follows the following pattern:

  • Environment variable names are case-insensitive.

  • Environment variables must be prefixed with CONF_

  • Nested settings are separated by __ (double underscore)

  • Lists and dictionaries are populated from the environment by treating the environment variable’s value as a JSON-encoded string.

Example:

Consider the following TOML configuration:

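# Example configuration; the environment-variable listing that follows sets the same values.
[logging]
level = "DEBUG"

[worker]
service_name = "MyService"
broker_host = "rabbitmq"
# Redis result backend as host:port/db. The key is `backend_host`
# (it maps to CONF_WORKER__BACKEND_HOST).
backend_host = "redis:6379/0"

[processing]
workdir = "/qgis-workdir"

[processing.plugins]
paths = ["/qgis-plugins"]

[processing.projects.search_paths]
'/' = "/qgis-projects"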

And the corresponding configuration using environment variables:

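# Scalar settings: CONF_ prefix, nested levels separated by a double underscore.
CONF_LOGGING__LEVEL=DEBUG
CONF_WORKER__SERVICE_NAME=MyService
CONF_WORKER__BROKER_HOST=rabbitmq
CONF_WORKER__BACKEND_HOST=redis:6379/0
CONF_PROCESSING__WORKDIR=/qgis-workdir
# Lists and dictionaries are passed as JSON-encoded strings.
CONF_PROCESSING__PLUGINS__PATHS='["/qgis-plugins"]'
CONF_PROCESSING__PROJECTS__SEARCH_PATHS='{"/":"/qgis-projects"}'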

Secret files

Instead of using exposed environment variables or configuration files, values may be stored in files that each contain a single value, where the name of the file is the name of the configuration setting.

A common use case is storing sensitive values in Docker encrypted secret files.

Configuration precedence

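A value set at a higher level overrides the lower ones, so a credential left in the configuration file or in the environment takes precedence over the one stored in a secret file. Configuration precedence is (by decreasing priority):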

  • Configuration file

  • Environment variables

  • Secret files

  • Default values

Worker configuration

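  # Reference listing of the worker settings.
  # Commented-out keys are unset and marked Optional or Required.
  [logging]
  level = "INFO"


  # Worker configuration
  #
  # Configure celery worker settings
  #
  [worker]
  #
  # Celery amqp broker host
  broker_host = "localhost"
  # NOTE(security): with TLS disabled, broker credentials and task messages
  # cross the network unencrypted; enable it unless the broker is only
  # reachable over a trusted private network.
  broker_use_tls = false
  #broker_user =   # Optional
  # NOTE(security): prefer supplying passwords through a secret file rather
  # than storing them in this file.
  #broker_password =   # Optional
  #
  # Celery redis backend host
  backend_host = "localhost:6379/0"
  # NOTE(security): same consideration as 'broker_use_tls'; job results and
  # the backend password travel over this connection.
  backend_use_tls = false
  #backend_password =   # Optional
  #
  # Task hard time limit in seconds.
  # The worker processing the task will be killed
  # and replaced with a new one when this is exceeded.
  task_time_limit = 3600
  #
  # Grace period to add to the 'task_time_limit'
  # value.
  # The SoftTimeLimitExceeded exception will be raised
  # when the 'task_time_limit' is exceeded.
  # NOTE(review): read together, these two descriptions put both the kill and
  # the SoftTimeLimitExceeded exception at 'task_time_limit'; presumably the
  # kill only happens once the grace period has also elapsed - confirm.
  task_time_grace_period = 60
  #
  # Time (in seconds) after which stored task tombstones will
  # be deleted
  result_expires = 86400
  #
  # Concurrency
  #
  # The number of concurrent worker processes executing tasks.
  #concurrency =   # Optional
  #
  # Processes life cycle
  #
  # Maximum number of tasks a pool worker process can execute
  # before it's replaced with a new one. Default is no limit.
  #max_tasks_per_child =   # Optional
  #
  # Maximum consumed memory
  #
  # Maximum amount of resident memory, in kilobytes,
  # that may be consumed by a worker before it will
  # be replaced by a new worker.
  #max_memory_per_child =   # Optional
  #
  # Autoscale
  #
  # Activate concurrency autoscaling
  #autoscale =   # Optional
  #
  # Name of the service
  #
  # Name used as location service name
  # for initializing Celery worker.
  #
  #service_name =   # Required
  #
  # Service short title
  title = ""
  #
  # Service description
  description = ""
  #
  # Cleanup interval
  #
  # Interval in seconds between two cleanups of expired jobs.
  # The minimum is 300s (5 min).
  #
  cleanup_interval = 3600
  #
  # Reload watch file
  #
  # The file to watch for reloading processing plugins.
  # When the modified time of the file is changed, processing
  # providers are reloaded.
  # The restart is graceful, all running jobs are terminated normally.
  #
  #reload_monitor =   # Optional

  #
  [worker.broker_tls]
  #
  # CA file
  #cafile =   # Optional
  #
  # TLS certificate
  #
  # Path to the TLS cert file
  #certfile =   # Optional
  #
  # TLS key file
  #
  # Path to the TLS key file
  # NOTE(security): the private key file should be readable only by the
  # account running the worker.
  #keyfile =   # Optional

  #
  [worker.backend_tls]
  #
  # CA file
  #cafile =   # Optional
  #
  # TLS certificate
  #
  # Path to the TLS cert file
  #certfile =   # Optional
  #
  # TLS key file
  #
  # Path to the TLS key file
  #keyfile =   # Optional

  #
  # NOTE(review): undocumented in this listing; presumably the key, certificate
  # and certificate store used for Celery message signing - confirm.
  [worker.security]
  #cert_store =   # Required
  #keyfile =   # Required
  #certfile =   # Required

  #
  [worker.scheduler]
  #
  # Enable scheduler
  #
  # Enable embedded scheduler.
  # Prefer scheduler as a service if more
  # than one worker node is used.
  enabled = false
  #
  # Max interval
  #
  # Max seconds to sleep between schedule iterations.
  #max_interval =   # Optional
  #
  # Scheduler database path
  #
  # Path to the schedule database.
  # Defaults to `celerybeat-schedule` (from Celery doc).
  #database =   # Optional

  #
  # Service related links
  #
  [[worker.links]]
  #rel =   # Optional
  #mime_type =   # Optional
  title = ""
  #description =   # Optional
  #length =   # Optional
  templated = false
  #hreflang =   # Optional
  #href =   # Required


  [processing]
  #
  # Working directory
  #
  # Parent working directory where processes are executed.
  # Each process will create a working directory for storing
  # result files and logs.
  #
  #workdir =   # Required
  #
  # Internal qgis providers exposed
  #
  # List of exposed QGIS processing internal providers.
  # NOTE: It is not recommended exposing all providers like
  # `qgis` or `native`, instead provide your own wrapping
  # algorithm, script or model.
  #
  exposed_providers = ["script","model"]
  #
  # Expose deprecated algorithms
  #
  # Expose algorithms which have the `Deprecated`
  # flag set.
  #
  expose_deprecated_algorithms = true
  #
  # Default vector file extension
  #
  # Define the default vector file extensions for vector destination
  # parameters. If not specified, then the QGIS default value is used.
  #
  default_vector_file_ext = "fgb"
  #
  # Default raster file extension
  #
  # Define the default raster file extensions for raster destination
  # parameters. If not specified, then the QGIS default value is used.
  #
  #default_raster_file_ext =   # Optional
  #
  # Force ellipsoid imposed by the source project
  #
  # Force the ellipsoid from the src project into the destination project.
  # This only applies if the src project has a valid CRS.
  #
  adjust_ellipsoid = false
  #
  # Set default CRS
  #
  # Set the CRS to use when no source map is specified.
  # For more details on supported formats see the GDAL method
  # 'GdalSpatialReference::SetFromUserInput()'
  #
  default_crs = "urn:ogc:def:crs:OGC:1.3:CRS84"
  #
  # Advertised services urls
  #
  # Url template used for OGC services references.
  advertised_services_url = "ows:$jobId/$name"
  #
  # Public download url
  #
  # Url template for downloading resources.
  # This is the public base url that will be seen in
  # referenced responses.
  # This url will need to be translated by the front end
  # executor to an effective download url.
  #
  store_url = "${public_url}/jobs/$jobId/files/$resource"
  #
  # Use destination input as sink
  #
  # Allow input values to be used as sink for destination layers.
  # This allows a value passed as input to be interpreted as a
  # path or uri sink definition. This enables passing any string
  # that QGIS may use as an input source, but without open options except for the
  # 'layername=<name>' option.
  #
  # NOTE: Running concurrent jobs with this option may result in unpredictable
  # behavior.
  #
  # For that reason it is considered as an UNSAFE OPTION and you should never enable
  # this option if you are exposing the service publicly.
  #
  # File path inputs prefixed with '/' will correspond to paths located in the root
  # directory specified by the `raw_destination_root_path` option.
  # Otherwise, they will be stored in the job folder.
  #
  raw_destination_input_sink = false
  #
  # Raw destination root path
  #
  # Specify the root directory for storing destination layers files when
  # the `raw_destination_input_sink` option is enabled.
  # If not specified, files will be stored in the job folder.
  #
  #raw_destination_root_path =   # Optional
  #
  # Project cache size
  #
  # The maximum number of projects in cache by process.
  max_cached_projects = 10
  #
  # Qgis settings
  #
  # Qgis settings override.
  # Use the syntax '<section>/<path>' for keys.
  # Note that values defined here will override those
  # from QGIS3.ini file.
  #
  qgis_settings = {}

  #
  # Projects configuration
  #
  # Projects and cache configuration
  #
  [processing.projects]
  #
  # Trust layer metadata
  #
  # Trust layer metadata.
  # Improves layer load time by skipping expensive checks
  # like primary key unicity, geometry type and
  # srid and by using estimated metadata on layer load.
  # Since QGIS 3.16
  #
  trust_layer_metadata = false
  #
  # Disable GetPrint requests
  #
  # Don't load print layouts.
  # Improves project read time if layouts are not required,
  # and allows projects to be safely read in background threads
  # (since print layouts are not thread safe).
  #
  disable_getprint = false
  #
  # Force read only mode
  #
  # Force layers to open in read only mode
  force_readonly_layers = true
  #
  # Ignore bad layers
  #
  # Allow projects to be loaded even if they contain
  # layers that cannot be loaded.
  # Note that the 'dont_resolve_layers' flag automatically triggers
  # this option.
  #
  ignore_bad_layers = false
  #
  # Disable OWS advertised urls
  #
  # Disable ows urls defined in projects.
  # This may be necessary because Qgis projects
  # urls override proxy urls.
  disable_advertised_urls = false
  #
  # Scheme mapping definitions
  #
  # Defines mapping between location base path and storage handler root url.
  # Resource path relative to location will be joined to the root url path.
  # In the case of Qgis storage, the handler is responsible for transforming
  # the result url into a comprehensive format for the corresponding
  # QgsProjectStorage implementation.
  # This is handled by the default storage implementation for Qgis native
  # project storage.
  # In case of custom QgsProjectStorage, if the scheme does not allow passing
  # project as path component, it is possible to specify a custom resolver function.
  #
  search_paths = {}
  #
  # Allow direct path resolution
  #
  # Allow direct path resolution if there is
  # no match in the search paths.
  # Uris are directly interpreted as valid Qgis project paths.
  # WARNING: allowing this may be a security vulnerability: a project
  # reference that matches no search path is then opened as given, so the set
  # of readable projects is no longer bounded by 'search_paths'.
  # Keep it disabled on publicly exposed services.
  #
  allow_direct_path_resolution = false

  #
  # Project storage Handler configurations
  #
  # Configure storage handlers.
  # The name will be used as scheme for project's search path
  # configuration.
  #
  #
  [processing.projects.handlers.'key']
  #handler =   # Required
  config = {}

  #
  # Plugin configuration
  #
  [processing.plugins]
  #
  # Plugin paths
  #
  # The list of search paths for plugins.
  # Qgis plugins found will be loaded according to
  # the 'install' list.
  # If the list is empty, the 'QGIS_PLUGINPATH'
  # variable will be checked.
  paths = []
  #
  # Installable plugins
  #
  # The list of installable plugins.
  # Note: if the plugin directory contains other plugins,
  # plugins not in the list will NOT be loaded!
  # The plugins will be installed at startup
  # if the 'install_mode' is set to 'auto'.
  # Note that an empty list means what it is:
  # i.e, *no* installed plugins.
  #install =   # Optional
  #
  # Plugin installation mode
  #
  # If set to 'auto', plugins installation
  # will be checked at startup. Otherwise,
  # installation will be done from already available
  # plugins.
  install_mode = "external"
  #
  # Enable processing scripts
  #
  # Enable publication of processing scripts
  # NOTE(security): QGIS processing scripts are Python code run by the worker;
  # restrict write access to the script and plugin locations to trusted
  # administrators.
  enable_scripts = true
  #
  # Extra builtins providers
  #
  # Load extra builtin processing providers
  # such as 'grass' and 'otb'.
  extra_builtin_providers = []
  #
  # Path to plugin manager executable
  #
  # The absolute path to the qgis-plugin-manager executable
  # that will be used for installing plugins in automatic mode.
  plugin_manager = "/usr/local/bin/qgis-plugin-manager"

  #
  # TLS Certificates
  #
  # TLS credentials to use for references inputs
  #
  [processing.certificats]
  #
  # CA file
  #cafile =   # Optional
  #
  # TLS certificate
  #
  # Path to the TLS cert file
  #certfile =   # Optional
  #
  # TLS key file
  #
  # Path to the TLS key file
  #keyfile =   # Optional

  #
  # Qgis network
  #
  [processing.network]
  #
  # Transfer timeout in ms
  #
  # Transfers are aborted if no bytes are transferred before
  # the timeout expires.
  # If set to 0, the timeout is disabled.
  # Default value is set to 10000 milliseconds.
  #
  transfer_timeout = 10000
  #
  # Trace network activity
  trace = false
  #
  # Global cache policy
  #
  # Set a global cache policy for all requests.
  # If set, this will override requests cache policy.
  #
  #cache_policy =   # Optional

  #
  # Domain policies
  #
  # Set per domain policy
  #
  [processing.network.domain_policy.'key']
  #
  # Cache load control
  #
  # Override QNetworkRequest::CacheLoadControl for request.
  #cache_policy =   # Optional
  #
  # Transfer timeout in ms
  #transfer_timeout =   # Optional


  # Configure storage for processing data
  [storage]
  #
  # Storage module
  #
  # The module implementing storage accesses for
  # job's files.
  #
  storage_class = "qjazz_processes.worker.storages.local.LocalStorage"
  config = {}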

Server configuration

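  # Reference listing of the server settings.
  # Commented-out keys are unset and marked Optional or Required.
  [logging]
  level = "INFO"


  # OAPI configuration
  [oapi]
  title = "Qjazz-Processes"
  description = "Publish Qgis processing algorithms as OGC api processes"


  # Configure access policy
  [access_policy]
  #
  # Access policy module
  #
  # The module implementing the access policy for
  # processes execution.
  #
  policy_class = "qjazz_processes.server.policies.DefaultAccessPolicy"
  config = {}


  # Defining a job realm allows filtering job requests by a token that is
  # set by the client when requesting task execution (see description below).
  #
  [job_realm]
  #
  # Enable job realm header
  #
  # When enabled, use the 'X-Job-Realm' http header
  # as a client identification token for retrieving jobs status and results.
  # NOTE(security): the token is chosen by the client and sent in a request
  # header, so it only protects job results if it is unguessable and the
  # connection is encrypted; nothing here describes it as a replacement for
  # authentication.
  #
  enabled = false
  #
  # Administrator realm jobs tokens
  #
  # Define catch all tokens for listing and retrieving status and results
  # for all jobs.
  # NOTE(security): each token grants access to every job; treat them as
  # secrets, use long random values and supply them through a secret file
  # rather than committing them in this file.
  #
  admin_tokens = []


  [http]
  #
  # Interfaces to listen to
  listen = ["127.0.0.1",9180]
  #
  # Use tls
  use_tls = false
  #
  # CORS origin
  #
  # Allows to specify origin for CORS. If set 'all' will set
  # Access-Control-Allow-Origin to '*'; 'same-origin' returns
  # the same value as the 'Origin' request header.
  # A url may be specified, restricting allowed origin to
  # this url.
  # NOTE(security): as described, 'same-origin' echoes whatever 'Origin' the
  # request carries, so neither it nor 'all' restricts the calling site; set
  # an explicit url when the API must only be used from a known front end.
  #
  cross_origin = "all"
  #
  # Service update interval
  #
  # Interval in seconds between update of available services
  update_interval = 30
  #
  # Backend request timeout
  timeout = 20
  #
  # Enable Web UI
  enable_ui = true

  #
  # TLS configuration
  #
  [http.tls]
  #
  # CA file
  #cafile =   # Optional
  #
  # TLS certificate
  #
  # Path to the TLS cert file
  #certfile =   # Optional
  #
  # TLS key file
  #
  # Path to the TLS key file
  # NOTE(security): the private key file should be readable only by the
  # account running the server.
  #keyfile =   # Optional

  #
  [http.proxy]
  #
  # Enabled Forwarded headers
  #
  # Enable proxy headers resolution.
  # Include support for 'Forwarded' headers
  # and 'X-Forwarded' headers if allow_x_headers is
  # enabled.
  # NOTE(security): these headers are client-controlled unless a reverse proxy
  # overwrites them; enable this only when the server is reachable exclusively
  # through such a proxy.
  #
  enable = false
  #
  # Support for 'X-Forwarded' headers
  allow_x_headers = false


  [executor]
  #
  # Message expiration timeout
  #
  # The amount of time an execution message
  # can wait on queue before being processed
  # with asynchronous response.
  #
  message_expiration_timeout = 600

  #
  [executor.celery]
  #
  # Celery amqp broker host
  broker_host = "localhost"
  # NOTE(security): with TLS disabled, broker credentials and task messages
  # cross the network unencrypted; enable it unless the broker is only
  # reachable over a trusted private network.
  broker_use_tls = false
  #broker_user =   # Optional
  # NOTE(security): prefer supplying passwords through a secret file rather
  # than storing them in this file.
  #broker_password =   # Optional
  #
  # Celery redis backend host
  backend_host = "localhost:6379/0"
  # NOTE(security): same consideration as 'broker_use_tls'; job results and
  # the backend password travel over this connection.
  backend_use_tls = false
  #backend_password =   # Optional
  #
  # Task hard time limit in seconds.
  # The worker processing the task will be killed
  # and replaced with a new one when this is exceeded.
  task_time_limit = 3600
  #
  # Grace period to add to the 'task_time_limit'
  # value.
  # The SoftTimeLimitExceeded exception will be raised
  # when the 'task_time_limit' is exceeded.
  # NOTE(review): read together, these two descriptions put both the kill and
  # the SoftTimeLimitExceeded exception at 'task_time_limit'; presumably the
  # kill only happens once the grace period has also elapsed - confirm.
  task_time_grace_period = 60
  #
  # Time (in seconds) after which stored task tombstones will
  # be deleted
  result_expires = 86400
  #
  # Concurrency
  #
  # The number of concurrent worker processes executing tasks.
  #concurrency =   # Optional
  #
  # Processes life cycle
  #
  # Maximum number of tasks a pool worker process can execute
  # before it's replaced with a new one. Default is no limit.
  #max_tasks_per_child =   # Optional
  #
  # Maximum consumed memory
  #
  # Maximum amount of resident memory, in kilobytes,
  # that may be consumed by a worker before it will
  # be replaced by a new worker.
  #max_memory_per_child =   # Optional
  #
  # Autoscale
  #
  # Activate concurrency autoscaling
  #autoscale =   # Optional

  #
  [executor.celery.broker_tls]
  #
  # CA file
  #cafile =   # Optional
  #
  # TLS certificate
  #
  # Path to the TLS cert file
  #certfile =   # Optional
  #
  # TLS key file
  #
  # Path to the TLS key file
  #keyfile =   # Optional

  #
  [executor.celery.backend_tls]
  #
  # CA file
  #cafile =   # Optional
  #
  # TLS certificate
  #
  # Path to the TLS cert file
  #certfile =   # Optional
  #
  # TLS key file
  #
  # Path to the TLS key file
  #keyfile =   # Optional

  #
  # NOTE(review): undocumented in this listing; presumably the key, certificate
  # and certificate store used for Celery message signing - confirm.
  [executor.celery.security]
  #cert_store =   # Required
  #keyfile =   # Required
  #certfile =   # Required

  #
  [executor.celery.scheduler]
  #
  # Enable scheduler
  #
  # Enable embedded scheduler.
  # Prefer scheduler as a service if more
  # than one worker node is used.
  enabled = false
  #
  # Max interval
  #
  # Max seconds to sleep between schedule iterations.
  #max_interval =   # Optional
  #
  # Scheduler database path
  #
  # Path to the schedule database.
  # Defaults to `celerybeat-schedule` (from Celery doc).
  #database =   # Optional


  # The storage configuration is used for configuring the
  # connections to storage backends used by workers.
  #
  [storage]
  #
  # Allow insecure downloads
  #
  # If set to false, only TLS encrypted downloads are allowed
  # NOTE(security): the value shown permits unencrypted downloads of job
  # files; set it to false wherever the storage connection leaves a trusted
  # network.
  allow_insecure_connection = true
  #
  # Download chunksize
  chunksize = 65536
  #
  # Download url expiration
  #
  # Download url expiration in seconds
  download_url_expiration = 3600

  #
  # TLS certificates
  #
  # Certificates required for TLS downloads connections
  #
  [storage.tls]
  #
  # CA file
  #cafile =   # Optional
  #
  # TLS certificate
  #
  # Path to the TLS cert file
  #certfile =   # Optional
  #
  # TLS key file
  #
  # Path to the TLS key file
  #keyfile =   # Optional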