Are you an LLM? Read llms.txt for a summary of the docs, or llms-full.txt for the full context.
Skip to content

Configuration

This page is the canonical reference for runtime environment variables and flag-to-env precedence for orlojd, orlojworker, and orlojctl.

See also CLI reference for exhaustive flag definitions.

Precedence

  1. CLI flags
  2. Environment variable fallback
  3. Code defaults

Example:

  • --task-execution-mode overrides ORLOJ_TASK_EXECUTION_MODE.
  • If neither is set, code defaults apply.

Runtime Environment Matrix

VariableUsed ByFlag OverridesPurpose / Conditions
ORLOJ_POSTGRES_DSNorlojd, orlojworker--postgres-dsnPostgres DSN when --storage-backend=postgres.
ORLOJ_TASK_EXECUTION_MODEorlojd, orlojworker--task-execution-modeTask execution mode: sequential or message-driven.
ORLOJ_EMBEDDED_WORKER_MAX_CONCURRENT_TASKSorlojd--embedded-worker-max-concurrent-tasksEmbedded worker default concurrency.
ORLOJ_TASK_WORKER_REGIONorlojd--task-worker-regionRegion for embedded worker registration.
ORLOJ_WORKER_HEALTHZ_ADDRorlojworker--healthz-addrOptional worker liveness endpoint bind address.
ORLOJ_MODEL_SECRET_ENV_PREFIXorlojd, orlojworker--model-secret-env-prefixEnv prefix for model endpoint secretRef lookups.
ORLOJ_TOOL_ISOLATION_BACKENDorlojd, orlojworker--tool-isolation-backendContainer isolation backend: none or container. WASM tools run independently.
ORLOJ_TOOL_CONTAINER_RUNTIMEorlojd, orlojworker--tool-container-runtimeContainer runtime binary for tool isolation.
ORLOJ_TOOL_CONTAINER_IMAGEorlojd, orlojworker--tool-container-imageContainer image used by isolated tool execution.
ORLOJ_TOOL_CONTAINER_NETWORKorlojd, orlojworker--tool-container-networkContainer network mode for isolated tools.
ORLOJ_TOOL_CONTAINER_MEMORYorlojd, orlojworker--tool-container-memoryContainer memory limit for isolated tools.
ORLOJ_TOOL_CONTAINER_CPUSorlojd, orlojworker--tool-container-cpusContainer CPU limit for isolated tools.
ORLOJ_TOOL_CONTAINER_PIDS_LIMITorlojworker--tool-container-pids-limitContainer PID limit for isolated tools.
ORLOJ_TOOL_CONTAINER_USERorlojd, orlojworker--tool-container-userContainer user/group for isolated tools.
ORLOJ_TOOL_SECRET_ENV_PREFIXorlojd, orlojworker--tool-secret-env-prefixEnv prefix for tool secretRef lookups.
ORLOJ_TOOL_WASM_MODULEorlojd, orlojworker--tool-wasm-moduleDefault WASM module path (per-tool spec.wasm.module takes precedence).
ORLOJ_TOOL_WASM_ENTRYPOINTorlojd, orlojworker--tool-wasm-entrypointDefault WASM entrypoint function name.
ORLOJ_TOOL_WASM_MEMORY_BYTESorlojd, orlojworker--tool-wasm-memory-bytesDefault max memory bytes for WASM runtime.
ORLOJ_TOOL_WASM_FUELorlojd, orlojworker--tool-wasm-fuelDefault WASM execution fuel limit.
ORLOJ_TOOL_WASM_WASIorlojd, orlojworker--tool-wasm-wasiDefault: enable WASI host functions for WASM tools.
ORLOJ_TOOL_WASM_CACHE_DIRorlojd, orlojworker--tool-wasm-cache-dirDisk cache directory for remote WASM modules (HTTPS/OCI). Default: ~/.orloj/wasm-cache.
ORLOJ_EVENT_BUS_BACKENDorlojd--event-bus-backendControl-plane event bus backend: memory or nats.
ORLOJ_NATS_URLorlojd, orlojworker--nats-url (server), --agent-message-nats-url (runtime bus)Base NATS URL; also fallback for runtime message bus URL.
ORLOJ_NATS_SUBJECT_PREFIXorlojd--nats-subject-prefixSubject prefix used for control-plane NATS event bus.
ORLOJ_AGENT_MESSAGE_BUS_BACKENDorlojd, orlojworker--agent-message-bus-backendRuntime message bus backend: none, memory, nats-jetstream.
ORLOJ_AGENT_MESSAGE_NATS_URLorlojd, orlojworker--agent-message-nats-urlNATS URL used when runtime bus backend is nats-jetstream.
ORLOJ_AGENT_MESSAGE_SUBJECT_PREFIXorlojd, orlojworker--agent-message-subject-prefixSubject prefix for runtime agent messages.
ORLOJ_AGENT_MESSAGE_STREAMorlojd, orlojworker--agent-message-stream-nameJetStream stream name for runtime agent messages.
ORLOJ_AGENT_MESSAGE_CONSUMEorlojworker--agent-message-consumeEnables worker-side runtime inbox consumers.
ORLOJ_AGENT_MESSAGE_CONSUMER_NAMESPACEorlojworker--agent-message-consumer-namespaceOptional namespace filter for runtime inbox consumers.
ORLOJ_API_TOKENorlojd, orlojctl, orloj-alertcheck--api-key (server), --api-token (client/checker)Bearer token fallback for API auth.
ORLOJ_API_TOKENSorlojdnoneMulti-token auth map (name:token:role entries; legacy token:role supported).
ORLOJ_UI_PATHorlojd--ui-pathBase URL path for the web console (default /).
ORLOJ_AUTH_MODEorlojd--auth-modeAPI auth mode (off, native, sso; sso unavailable in this distribution).
ORLOJ_AUTH_SESSION_TTLorlojd--auth-session-ttlSession TTL for native auth mode.
ORLOJ_AUTH_RESET_ADMIN_USERNAMEorlojd--auth-reset-admin-usernameOne-shot local admin reset username.
ORLOJ_AUTH_RESET_ADMIN_PASSWORDorlojd--auth-reset-admin-passwordOne-shot local admin reset password and exit.
ORLOJ_SETUP_TOKENorlojdnoneProtects /v1/auth/setup; required request value for initial setup when set.
ORLOJ_SECRET_ENCRYPTION_KEYorlojd, orlojworker--secret-encryption-keyAES key for encrypting Secret resource data at rest. On orlojd, it also wraps the stored SealedSecret private key.
ORLOJ_SECRET_<name>orlojd, orlojworker--model-secret-env-prefix, --tool-secret-env-prefixDynamic secret lookup fallback for secretRef resolution.
ORLOJ_SERVERorlojctl--serverDefault API base URL after ORLOJCTL_SERVER.
ORLOJCTL_SERVERorlojctl--serverHighest-precedence env default API base URL.
ORLOJCTL_API_TOKENorlojctl--api-tokenBearer token for CLI API calls.
OTEL_EXPORTER_OTLP_ENDPOINTorlojd, orlojworkernoneOTLP gRPC endpoint for OpenTelemetry traces. Empty disables export.
OTEL_EXPORTER_OTLP_INSECUREorlojd, orlojworkernoneSet true for non-TLS OTLP in development.
ORLOJ_LOG_LEVELorlojd, orlojworker--log-level, --debugMinimum log level: debug, info (default), warn, or error. --debug is equivalent to --log-level=debug and takes precedence.
ORLOJ_LOG_FORMATorlojd, orlojworkernoneLog format: json (default) or text.

Server and Worker Flags

Use CLI reference as the exhaustive list for all flags and defaults.

Quick grouping:

  • Server (orlojd): auth, storage, embedded worker, control-plane event bus, runtime message bus, model secret resolution, tool isolation.
  • Worker (orlojworker): identity/capacity, storage, runtime inbox consumers, model secret resolution, tool isolation.

Web Console Path

By default, orlojd serves the built-in web console at the root path (/). The REST API lives under /v1/..., /healthz, and /metrics, so there is no collision.

To mount the console at a subpath instead (useful when multiple services share a single reverse proxy hostname):

# Serve the console at https://tools.example.com/orloj/
orlojd --ui-path=/orloj/
# or
ORLOJ_UI_PATH=/orloj/ orlojd
SettingConsole URLAPI URL
--ui-path=/ (default)https://example.com/https://example.com/v1/...
--ui-path=/console/https://example.com/console/https://example.com/v1/...
--ui-path=/orloj/https://tools.example.com/orloj/https://tools.example.com/v1/...

The value is normalized to always have a leading and trailing /. Client-side routes (e.g. /tasks/my-task) are served via SPA fallback so browser refreshes work at any depth.

When using a custom DNS (e.g. console.example.com), you typically do not need to set ORLOJ_UI_PATH — the default / means the console is at https://console.example.com/. Point your DNS and reverse proxy at orlojd and everything works.

Secret Resolution

Model endpoints and tools resolve secretRef values in this order:

  1. Secret resources in the control-plane store.
  2. Environment variables with configurable prefixes (ORLOJ_SECRET_<name> by default).

Encryption at Rest

Set --secret-encryption-key (or ORLOJ_SECRET_ENCRYPTION_KEY) on every process sharing the same backing store.

  • Use one consistent key for all orlojd/orlojworker processes against the same database.
  • On orlojd, the same key also protects the persisted SealedSecret private key.
  • Rotating keys requires a migration procedure (see security/upgrade runbooks).

Postgres Tuning

Connection Pool (main store)

The main Postgres pool is configured via CLI flags:

FlagDefaultDescription
--postgres-max-open-conns20Maximum open connections
--postgres-max-idle-conns10Maximum idle connections kept warm
--postgres-conn-max-lifetime30mMaximum lifetime of a connection before recycling

Idle connections are evicted after 5 minutes to reduce stale TCP connection risk behind firewalls/load balancers.

Connection Pool (pgvector memory backend)

The pgvector backend uses a separate pgxpool created from the Memory resource spec.endpoint DSN. Tune it with DSN params:

postgres://user:pass@host:5432/db?pool_max_conns=10&pool_min_conns=2&pool_max_conn_idle_time=5m&pool_health_check_period=1m
ParameterDefaultDescription
pool_max_connsmax(4, NumCPU)Maximum pool size
pool_min_conns0Minimum warm connections
pool_max_conn_lifetime1hRecycle connections after this duration
pool_max_conn_idle_time30mClose idle connections after this duration
pool_health_check_period1mHow often to ping idle connections

Statement Timeout

Neither the main store nor pgvector backend sets statement_timeout by default. Add it via DSN options:

# Main store (30-second statement timeout)
--postgres-dsn="postgres://user:pass@host:5432/db?options=-c%20statement_timeout%3D30000"
 
# pgvector memory endpoint
postgres://user:pass@host:5432/db?options=-c%20statement_timeout%3D30000&pool_max_conns=10

Recommended Production Baseline

  • orlojd: --storage-backend=postgres, --task-execution-mode=message-driven, --agent-message-bus-backend=nats-jetstream
  • orlojworker: --storage-backend=postgres, --task-execution-mode=message-driven, --agent-message-consume
  • Enable --secret-encryption-key on all processes when using Secret resources
  • Configure model/tool credentials via ORLOJ_SECRET_<name> or external secret management
  • Set OTEL_EXPORTER_OTLP_ENDPOINT for distributed tracing
  • See Observability for tracing, metrics, and logs setup

Verification

curl -s http://127.0.0.1:8080/healthz | jq .
go run ./cmd/orlojctl get workers
go run ./cmd/orlojctl get tasks