Swiss AI-Hub

English

Deutsch

English

Deutsch

Appearance

Environment Variables

This page lists every environment variable read by the Swiss AI Hub deployment, organized by role. It is auto-generated from the Pydantic settings classes in packages/*/swiss_ai_hub/**/*settings.py and the docker-compose templates. Do not edit by hand — run make generate-env-docs to refresh.

Variables fall into three roles:

  • Compose-required — referenced as ${VAR} in docker-compose.yml. Must be set in .env because the project's compose templates do not provide fallback defaults.
  • App-required — read as a required field by a Pydantic BaseSettings class. The application refuses to start if unset.
  • Optional — has a default in code. Set in .env only to override the default.

The deployment has a base variant (CPU) plus pure-extension variants (GPU). The first section below lists every variable required by the base; subsequent sections list only the extra variables each extension introduces on top of the base.

Variables for the base deployment (CPU)

Required by docker-compose interpolation

These variables are referenced as ${VAR} (without a ${VAR:-default} fallback) somewhere in docker-compose.yml. Compose-parse will fail or render empty values if .env does not define them. The Consumer column shows the Pydantic settings field that reads the variable when our Python code consumes it; otherwise it points at the config file that embeds it (Keycloak realm import, identity-provider config, etc.) or — if neither — is left empty. The Service(s) column lists the compose service(s) whose environment: block receives the variable.

VariableConsumerService(s)Description
ACME_EMAILtraefik
ADMIN_EMAILopen-webui
ADMIN_PASSWORD_HASHtraefik
AIHUB_CREATE_DEFAULT_BUCKETSAIHubSettings.CREATE_DEFAULT_BUCKETSapi, seaweedfs-initCreates default knowledge buckets and namespaces
AIHUB_DEFAULT_BUCKET_NAMEAIHubSettings.DEFAULT_BUCKET_NAMEapi, default_rag_pipeline, seaweedfs-initName of the default knowledge bucket
AIHUB_DEFAULT_NAMESPACE_NAMEAIHubSettings.DEFAULT_NAMESPACE_NAMEapiName of the default namespace
AIHUB_SHARED_BUCKET_NAMEAIHubSettings.SHARED_BUCKET_NAMEapi, seaweedfs-init, shared_rag_pipelineName of the shared knowledge bucket
AIHUB_SHARED_NAMESPACE_NAMEAIHubSettings.SHARED_NAMESPACE_NAMEapiName of the shared namespace
AIHUB_STARTUP_TENANT_ACCESS_RULESStartupTenantSettings.ACCESS_RULESapiComma-separated access rules for the startup tenant. Use 'aihub.admin.>' for unrestricted access to all platform features.
AIHUB_STARTUP_TENANT_DESCRIPTIONStartupTenantSettings.DESCRIPTIONapiDescription of the startup tenant.
AIHUB_STARTUP_TENANT_IDStartupTenantSettings.IDapi, keycloakUnique identifier for the startup tenant. Also used as the Keycloak group name.
AIHUB_STARTUP_TENANT_NAMEStartupTenantSettings.NAMEapiDisplay name of the startup tenant.
AIHUB_USER_SIGNUP_FIRST_ADMIN_USER_ROLESUserSignupSettings.FIRST_ADMIN_USER_ROLESapiComma-separated list of roles assigned to the very first user. This user is typically the initial platform administrator.
AIHUB_USER_SIGNUP_REGULAR_USER_ROLESUserSignupSettings.REGULAR_USER_ROLESapiComma-separated list of roles assigned to regular users (not the first user). These users typically have standard platform access.
AIHUB_VERSIONAIHubSettings.VERSIONapi, bot, default_rag_pipeline, expert_asking_agent, expert_rag_agent, few_shot_agent, llm_wrapping_agent, namespace_selection_agent, rag_agent, retrieval_agent, shared_rag_pipeline, sysadmin-apiVersion of the app
AUTH_OPEN_WEBUI_SIGNING_SECRETAuthSettings.OPEN_WEBUI_SIGNING_SECRETapi, open-webui, sysadmin-apiOpenWebUI signing secret
BACKUP_MINIMUM_KEEPBackupSettings.MINIMUM_KEEPbackup-code
BACKUP_POSTGRES_SUBPROCESS_TIMEOUT_SECONDSBackupSettings.POSTGRES_SUBPROCESS_TIMEOUT_SECONDSbackup-code
BACKUP_RETENTION_DAYSBackupSettings.RETENTION_DAYSbackup-code
BACKUP_S3_BUCKETBackupSettings.S3_BUCKETbackup-code
DAGSTER_CLEANUP_BATCH_LIMITbackup-code
DAGSTER_DBbackup-code
DAGSTER_DEBUG_LOG_RETENTION_DAYSbackup-code
DAGSTER_INFO_LOG_RETENTION_DAYSbackup-code
DAGSTER_UNIMPORTANT_EVENT_RETENTION_DAYSbackup-code
DAGSTER_WARNING_LOG_RETENTION_DAYSbackup-code
DOMAINkeycloak-realm.jsonapi, bot, default_rag_pipeline, expert_asking_agent, expert_rag_agent, few_shot_agent, keycloak, langfuse-web, litellm, llm_wrapping_agent, namespace_selection_agent, oauth2proxy-attu, oauth2proxy-backup, oauth2proxy-dagster, oauth2proxy-seaweed, open-webui, rag_agent, retrieval_agent, seaweedfs-s3, shared_rag_pipeline, sysadmin-api, sysadmin-web, traefik, web
ENVapi, open-webui, sysadmin-api
ETCD_TOKENetcd, etcd-init, milvus-standalone, seaweedfs-filer
EXPERT_ASKING_CHANNEL_TYPEexpert_asking_agent
GEMINI_API_KEYlitellm
HUGGINGFACE_API_KEYlitellm, vllm, vllm-bge-m3, vllm-bge-reranker
JUPYTER_TOKENapi, jupyter, open-webui
KEYCLOAK_ADMIN_PASSWORDkeycloak
KEYCLOAK_ADMIN_USERkeycloak
KEYCLOAK_API_SERVICE_CLIENT_SECRETKeycloakSettings.API_SERVICE_CLIENT_SECRETapi, bot, keycloak, sysadmin-apiClient secret for the API service account
KEYCLOAK_AZURE_CLIENT_IDkeycloak-identity-providers.jsonkeycloak
KEYCLOAK_AZURE_CLIENT_SECRETkeycloak-identity-providers.jsonkeycloak
KEYCLOAK_AZURE_TENANT_IDkeycloak-identity-providers.jsonkeycloak
KEYCLOAK_OAUTH2_PROXY_ATTU_SECRETkeycloak-realm.jsonkeycloak, oauth2proxy-attu
KEYCLOAK_OAUTH2_PROXY_BACKUP_SECRETkeycloak-realm.jsonoauth2proxy-backup
KEYCLOAK_OAUTH2_PROXY_DAGSTER_SECRETkeycloak-realm.jsonkeycloak, oauth2proxy-dagster
KEYCLOAK_OAUTH2_PROXY_DATALAKE_SECRETkeycloak-realm.jsonkeycloak, oauth2proxy-seaweed
KEYCLOAK_OPENWEBUI_CLIENT_SECRETkeycloak-realm.jsonkeycloak, open-webui
KEYCLOAK_SHOW_KEYCLOAK_LOGINKeycloakSettings.SHOW_KEYCLOAK_LOGINapi, sysadmin-apiShow a direct Keycloak login button alongside federated IDPs
LANGFUSE_ALLOWED_ORGANIZATION_CREATORSlangfuse-web
LANGFUSE_CLICKHOUSE_PASSWORDbackup-code, clickhouse, langfuse-web, langfuse-worker
LANGFUSE_ENCRYPTION_KEYlangfuse-web, langfuse-worker
LANGFUSE_INIT_USER_EMAILlangfuse-web
LANGFUSE_INIT_USER_PASSWORDlangfuse-web
LANGFUSE_KEYCLOAK_CLIENT_SECRETkeycloak, langfuse-web
LANGFUSE_NEXTAUTH_SECRETlangfuse-web
LANGFUSE_PUBLIC_KEYLangfuseSettings.PUBLIC_KEYapi, langfuse-web, otel-collectorLangfuse public API key
LANGFUSE_SALTlangfuse-web, langfuse-worker
LANGFUSE_SECRET_KEYLangfuseSettings.SECRET_KEYapi, langfuse-web, otel-collectorLangfuse secret API key
LITELLM_MASTER_KEYlitellm-config.ymlapi, default_rag_pipeline, expert_asking_agent, expert_rag_agent, few_shot_agent, litellm, llm_wrapping_agent, mineru-api, namespace_selection_agent, rag_agent, retrieval_agent, shared_rag_pipeline
LITELLM_UI_PASSWORDlitellm
LITELLM_UI_USERNAMElitellm
LOCAL_LLM_TOKENlitellm-config.ymllitellm, vllm, vllm-bge-m3, vllm-bge-reranker
LOG_LEVELLogSettings.LEVELapi, bot, dagster-daemon, dagster-webserver, default_rag_pipeline, expert_asking_agent, expert_rag_agent, few_shot_agent, llm_wrapping_agent, namespace_selection_agent, open-webui, rag_agent, retrieval_agent, shared_rag_pipeline, sysadmin-api, traefikLogging level
MAINTENANCE_DISABLEDbackup-code
MEM0_EMBEDDING_MODEL_NAMEMem0Settings.EMBEDDING_MODEL_NAMEapi, bot, llm_wrapping_agent, rag_agent, shared_rag_pipelineName of the embedding model to use
MEM0_LLM_NAMEMem0Settings.LLM_NAMEapi, bot, llm_wrapping_agent, rag_agent, shared_rag_pipelineName of the LLM to use
MEM0_RERANKING_MODEL_NAMEMem0Settings.RERANKING_MODEL_NAMEapi, bot, llm_wrapping_agent, rag_agent, shared_rag_pipelineName of the embedding model to use
MILVUS_DIMENSIONMilvusSettings.DIMENSIONapi, default_rag_pipeline, expert_asking_agent, expert_rag_agent, few_shot_agent, llm_wrapping_agent, namespace_selection_agent, rag_agent, retrieval_agent, shared_rag_pipelineDimension of the embedding vector
MILVUS_ROOT_PASSWORDMilvusSettings.ROOT_PASSWORDapi, attu, backup-code, default_rag_pipeline, expert_asking_agent, expert_rag_agent, few_shot_agent, llm_wrapping_agent, milvus-standalone, namespace_selection_agent, open-webui, rag_agent, retrieval_agent, shared_rag_pipelineRoot password for Milvus authentication. If not set, no auth is used. Username is always 'root'.
MINERU_API_MAX_CONCURRENT_REQUESTSmineru-api
MINERU_API_TIMEOUTMineruSettings.API_TIMEOUTapi, default_rag_pipeline, shared_rag_pipelineTimeout for MinerU API calls in seconds
MINERU_FORMULA_ENABLEMineruSettings.FORMULA_ENABLEapi, default_rag_pipeline, shared_rag_pipelineEnable formula/equation parsing
MINERU_TABLE_ENABLEMineruSettings.TABLE_ENABLEapi, default_rag_pipeline, shared_rag_pipelineEnable table detection and parsing
MINERU_VLM_NAMEMineruSettings.VLM_NAMEapi, default_rag_pipeline, mineru-api, shared_rag_pipelineLiteLLM model alias for MinerU VLM
MONGO_PASSWORDapi, backup-code, bot, default_rag_pipeline, expert_asking_agent, expert_rag_agent, ferretdb, few_shot_agent, llm_wrapping_agent, namespace_selection_agent, postgres-ferretdb, rag_agent, retrieval_agent, shared_rag_pipeline, sysadmin-api
MONGO_USERNAMEapi, backup-code, bot, default_rag_pipeline, expert_asking_agent, expert_rag_agent, ferretdb, few_shot_agent, llm_wrapping_agent, namespace_selection_agent, postgres-ferretdb, rag_agent, retrieval_agent, shared_rag_pipeline, sysadmin-api
NATS_TOKENNatsSettings.TOKENapi, backup-code, bot, default_rag_pipeline, expert_asking_agent, expert_rag_agent, few_shot_agent, llm_wrapping_agent, namespace_selection_agent, nats, rag_agent, retrieval_agent, shared_rag_pipeline, sysadmin-apiAuthentication token for NATS server. If not set, no auth is used.
NEO4J_PASSWORDNeo4jSettings.PASSWORDapi, bot, llm_wrapping_agent, neo4j, rag_agent, shared_rag_pipelinePassword for Neo4j DB Server
NEO4J_USERNAMENeo4jSettings.USERNAMEapi, bot, llm_wrapping_agent, neo4j, rag_agent, shared_rag_pipelineUsername for Neo4j DB Server
NOTIFICATION_URLSNotificationSettings.URLSdefault_rag_pipeline, shared_rag_pipelineApprise notification URIs (comma-separated). Examples: 'slack://TokenA/TokenB/TokenC/#alerts', 'mailto://user:pw@smtp.example.com', 'discord://webhook_id/webhook_token'. See https://github.com/caronc/apprise for the full list.
OAUTH_ADMIN_ROLES_OPENWEBUIopen-webui
OAUTH_ALLOWED_GROUPS_ATTUoauth2proxy-attu
OAUTH_ALLOWED_GROUPS_BACKUPoauth2proxy-backup
OAUTH_ALLOWED_GROUPS_DAGSTERoauth2proxy-dagster
OAUTH_ALLOWED_GROUPS_SEAWEEDFSoauth2proxy-seaweed
OAUTH_CLIENT_IDapi, bot, open-webui, sysadmin-api, sysadmin-web, web
OAUTH_CLIENT_SECRETapi, bot, open-webui, sysadmin-api
OAUTH_COOKIE_SECRET_ATTUoauth2proxy-attu
OAUTH_COOKIE_SECRET_BACKUPoauth2proxy-backup
OAUTH_COOKIE_SECRET_DAGSTERoauth2proxy-dagster
OAUTH_COOKIE_SECRET_SEAWEEDFSoauth2proxy-seaweed
OAUTH_CUSTOM_SIGN_IN_LOGOoauth2proxy-attu, oauth2proxy-backup, oauth2proxy-dagster, oauth2proxy-seaweed
OAUTH_TENANT_IDapi, sysadmin-api
OPENWEBUI_SCIM_TOKENOpenWebuiSettings.SCIM_TOKENapi, open-webui, sysadmin-apiSCIM 2.0 bearer token for group and user provisioning
OPENWEBUI_SECRET_KEYOpenWebuiSettings.SECRET_KEYapi, open-webui, sysadmin-apiOpenWebUI WEBUI_SECRET_KEY for JWT signing
OPENWEBUI_SERVICE_ACCOUNT_IDOpenWebuiSettings.SERVICE_ACCOUNT_IDapi, openwebui-init, sysadmin-apiUUID of the AI-Hub service account in OpenWebUI's database
OPENWEBUI_WEBHOOK_SECRETOpenWebuiSettings.WEBHOOK_SECRETapi, open-webui, sysadmin-apiShared secret for authenticating OpenWebUI webhook calls
OTEL_CLOUD_ENDPOINTotel-config.ymlotel-collector
OTEL_CLOUD_HEADERSotel-config.ymlotel-collector
OTEL_ENABLEDOpenTelemetrySettings.ENABLEDapi, expert_asking_agent, expert_rag_agent, few_shot_agent, llm_wrapping_agent, namespace_selection_agent, rag_agent, retrieval_agent, sysadmin-apiEnable/disable OpenTelemetry tracing entirely
POSTGRES_PASSWORDopenwebui-init-openwebui.shbackup-code, dagster-daemon, dagster-webserver, default_rag_pipeline, keycloak, langfuse-web, langfuse-worker, litellm, open-webui, openwebui-init, pgbouncer, postgres, postgres-ferretdb, shared_rag_pipeline
POSTGRES_PORTopenwebui-init-openwebui.shbackup-code, openwebui-init
POSTGRES_USERopenwebui-init-openwebui.shbackup-code, dagster-daemon, dagster-webserver, default_rag_pipeline, keycloak, langfuse-web, langfuse-worker, litellm, open-webui, openwebui-init, pgbouncer, postgres, postgres-ferretdb, shared_rag_pipeline
RCLONE_RC_PASSRcloneSettings.RC_PASSrcloneRC API password for authentication.
RCLONE_RC_USERRcloneSettings.RC_USERrcloneRC API username for authentication.
REDIS_TOKENRedisSettings.TOKENapi, backup-code, expert_asking_agent, expert_rag_agent, few_shot_agent, langfuse-web, langfuse-worker, litellm, llm_wrapping_agent, namespace_selection_agent, open-webui, rag_agent, retrieval_agent, sysadmin-api, valkeyAuthentication token for Redis server. If not set, no auth is used.
S3_STORAGE_ACCESS_KEYS3StorageSettings.ACCESS_KEYapi, backup-code, clickhouse, default_rag_pipeline, expert_rag_agent, langfuse-web, langfuse-worker, milvus-standalone, open-webui, rag_agent, retrieval_agent, seaweedfs-init, seaweedfs-s3, shared_rag_pipelineThe access key for the s3 endpoint.
S3_STORAGE_SECRET_KEYS3StorageSettings.SECRET_KEYapi, backup-code, clickhouse, default_rag_pipeline, expert_rag_agent, langfuse-web, langfuse-worker, milvus-standalone, open-webui, rag_agent, retrieval_agent, seaweedfs-init, seaweedfs-s3, shared_rag_pipelineThe secret key for the s3 endpoint.
SEARXNG_SECRET_KEYsearxng
SEAWEEDFS_TOKENseaweedfs-filer, seaweedfs-master, seaweedfs-s3, seaweedfs-volume
SLACK_CHANNEL_IDexpert_asking_agent
SLACK_SERVICE_URLexpert_asking_agent
SUPERUSER_EMAILSuperuserSettings.EMAILapi, keycloak, sysadmin-apiKeycloak email used to look up the superuser.
SUPERUSER_FIRSTNAMEkeycloak-realm.jsonkeycloak
SUPERUSER_LASTNAMEkeycloak-realm.jsonkeycloak
SUPERUSER_PASSWORDkeycloak-realm.jsonkeycloak
SUPERUSER_ROLES_JSONSuperuserSettings.ROLES_JSONapi, keycloak, sysadmin-apiJSON array of realm roles assigned to the superuser, shared verbatim with the Keycloak realm import via the same environment variable. Must include AIHubSysAdmin.
SUPERUSER_TOKENSuperuserSettings.TOKENapi, open-webui, sysadmin-apiStatic bearer token for machine-to-machine API calls. Must start with 'sk-'.
SUPERUSER_USERNAMESuperuserSettings.USERNAMEapi, keycloak, sysadmin-apiKeycloak username of the seeded superuser.
SWISS_LLM_CLOUD_API_BASE_URLlitellm-config.ymllitellm
SWISS_LLM_CLOUD_API_KEYlitellm-config.ymllitellm
SWISS_LLM_CLOUD_EMBEDDING_API_BASE_URLlitellm-config.ymllitellm
SWISS_LLM_CLOUD_EMBEDDING_API_KEYlitellm-config.ymllitellm
SWISS_LLM_CLOUD_OCR_API_BASE_URLlitellm-config.ymllitellm
SWISS_LLM_CLOUD_OCR_API_KEYlitellm-config.ymllitellm
SWISS_LLM_CLOUD_RERANKING_API_BASE_URLlitellm-config.ymllitellm
SWISS_LLM_CLOUD_RERANKING_API_KEYlitellm-config.ymllitellm
SWISS_LLM_CLOUD_WHISPER_API_BASE_URLlitellm-config.ymllitellm
SWISS_LLM_CLOUD_WHISPER_API_KEYlitellm-config.ymllitellm
TEAMS_BOT_IDexpert_asking_agent
TEAMS_CHANNEL_IDexpert_asking_agent
TEAMS_TENANT_IDexpert_asking_agent

Required by SDK settings classes (not used by the default deployment)

These variables are declared as required fields on a Pydantic BaseSettings class and are not consumed by any service in the default docker-compose stack. The empty Service(s) column reflects this: no container in the default deployment loads the settings class. They become operationally required only when a custom agent, pipeline, or other extension is added to docker-compose that activates the corresponding SDK functionality (e.g. the SharePoint connector or Azure Document Intelligence loader). Until then, leaving the placeholders unchanged is fine — Pydantic only validates the class when something instantiates it.

VariableConsumerService(s)Description
AZURE_DATA_LAKE_CONNECTION_STRINGAzureDataLakeSettings.CONNECTION_STRINGAzure Data Lake connection string for explicit authentication. Recommended over implicit authentication.
AZURE_DOCUMENT_INTELLIGENCE_API_KEYAzureDocumentIntelligenceSettings.API_KEYAPI key for Document Intelligence
AZURE_DOCUMENT_INTELLIGENCE_ENDPOINTAzureDocumentIntelligenceSettings.ENDPOINT
SHAREPOINT_CLIENT_IDSharePointSettings.CLIENT_IDThe application (client) ID.
SHAREPOINT_CLIENT_SECRETSharePointSettings.CLIENT_SECRETThe client secret for authentication.
SHAREPOINT_SITE_URLSharePointSettings.SITE_URLThe SharePoint site URL.
SHAREPOINT_TENANT_IDSharePointSettings.TENANT_IDThe Azure AD tenant ID.

Optional: override platform defaults

These variables have sensible defaults (or are supplied to containers by docker-compose) and do not need to be set in .env. Add them only to override the default. Vars marked (supplied by compose) are required by the application but get their value injected through docker-compose.yml, so setting them in .env has no effect.

VariableConsumerDefaultService(s)Description
AIHUB_API_DEBUG_MODEAIHubSettings.API_DEBUG_MODEFalseDebug mode for development
AIHUB_CREATE_DEFAULT_ROLESAIHubSettings.CREATE_DEFAULT_ROLESTrueapi, sysadmin-apiCreates default roles like AI-Hub Admin and AI-Hub User
AIHUB_FRONTEND_ORIGINAIHubSettings.FRONTEND_ORIGIN(supplied by compose)api, bot, default_rag_pipeline, expert_asking_agent, expert_rag_agent, few_shot_agent, llm_wrapping_agent, namespace_selection_agent, rag_agent, retrieval_agent, shared_rag_pipeline, sysadmin-apiComma separated list of origins to allow CORS
AIHUB_MONGO_MAIN_DB_NAMEAIHubSettings.MONGO_MAIN_DB_NAME'aihub'Name of mongodb database that will be used to store data
AIHUB_OPENAI_API_BASE_URLAIHubSettings.OPENAI_API_BASE_URL'http://api:8000/api/v1/active/openai'apiBase URL of AI-Hub's OpenAI-compatible endpoint, used for Langfuse LLM connection
AUTH_ENABLE_API_ACCESSAuthSettings.ENABLE_API_ACCESSTrueapi, sysadmin-apiEnable API access
AZURE_DOCUMENT_INTELLIGENCE_API_VERSIONAzureDocumentIntelligenceSettings.API_VERSION'2024-11-30'
AZURE_DOCUMENT_INTELLIGENCE_EXTENSIONSAzureDocumentIntelligenceSettings.EXTENSIONS['pdf', 'docx', 'xlsx', 'pptx', 'html']Supported file extensions for document processing
BACKUP_AWS_ENDPOINT_URLBackupSettings.AWS_ENDPOINT_URL'http://seaweedfs-s3:9000'backup-code
BACKUP_CLICKHOUSE_HOSTBackupSettings.CLICKHOUSE_HOST'clickhouse'backup-code
BACKUP_CLICKHOUSE_PORTBackupSettings.CLICKHOUSE_PORT8123
BACKUP_CLICKHOUSE_USERBackupSettings.CLICKHOUSE_USER'clickhouse'backup-code
BACKUP_DAGSTER_CLEANUP_BATCH_LIMITBackupSettings.DAGSTER_CLEANUP_BATCH_LIMIT1000000backup-code
BACKUP_DAGSTER_DBBackupSettings.DAGSTER_DB'dagster'backup-code
BACKUP_DAGSTER_DEBUG_LOG_RETENTION_DAYSBackupSettings.DAGSTER_DEBUG_LOG_RETENTION_DAYS7backup-code
BACKUP_DAGSTER_INFO_LOG_RETENTION_DAYSBackupSettings.DAGSTER_INFO_LOG_RETENTION_DAYS60backup-code
BACKUP_DAGSTER_UNIMPORTANT_EVENT_RETENTION_DAYSBackupSettings.DAGSTER_UNIMPORTANT_EVENT_RETENTION_DAYS30backup-code
BACKUP_DAGSTER_WARNING_LOG_RETENTION_DAYSBackupSettings.DAGSTER_WARNING_LOG_RETENTION_DAYS60backup-code
BACKUP_LANGFUSE_CLICKHOUSE_PASSWORDBackupSettings.LANGFUSE_CLICKHOUSE_PASSWORD(supplied by compose)backup-code
BACKUP_MAINTENANCE_DISABLEDBackupSettings.MAINTENANCE_DISABLEDFalsebackup-code
BACKUP_MILVUS_HOSTBackupSettings.MILVUS_HOST'milvus-standalone'backup-code
BACKUP_MILVUS_PORTBackupSettings.MILVUS_PORT19530backup-code
BACKUP_MILVUS_ROOT_PASSWORDBackupSettings.MILVUS_ROOT_PASSWORD(supplied by compose)backup-code
BACKUP_MONGO_PASSWORDBackupSettings.MONGO_PASSWORD(supplied by compose)backup-code
BACKUP_MONGO_USERNAMEBackupSettings.MONGO_USERNAME'admin'backup-code
BACKUP_NATS_TOKENBackupSettings.NATS_TOKEN(supplied by compose)backup-code
BACKUP_NATS_URLBackupSettings.NATS_URL'nats://nats:4222'backup-code
BACKUP_NEO4J_CONTAINERBackupSettings.NEO4J_CONTAINER'neo4j'backup-code
BACKUP_POSTGRES_FERRETDB_HOSTBackupSettings.POSTGRES_FERRETDB_HOST'postgres-ferretdb'backup-code
BACKUP_POSTGRES_HOSTBackupSettings.POSTGRES_HOST'postgres'backup-code
BACKUP_POSTGRES_PASSWORDBackupSettings.POSTGRES_PASSWORD(supplied by compose)backup-code
BACKUP_POSTGRES_PORTBackupSettings.POSTGRES_PORT5432backup-code
BACKUP_POSTGRES_USERBackupSettings.POSTGRES_USER'admin'backup-code
BACKUP_REDIS_TOKENBackupSettings.REDIS_TOKEN(supplied by compose)backup-code
BACKUP_S3_STORAGE_ACCESS_KEYBackupSettings.S3_STORAGE_ACCESS_KEY'admin'backup-code
BACKUP_S3_STORAGE_SECRET_KEYBackupSettings.S3_STORAGE_SECRET_KEY(supplied by compose)backup-code
BACKUP_VALKEY_CONTAINERBackupSettings.VALKEY_CONTAINER'valkey'backup-code
BACKUP_VALKEY_HOSTBackupSettings.VALKEY_HOST'valkey'
BACKUP_VALKEY_PORTBackupSettings.VALKEY_PORT6379
KEYCLOAK_API_SERVICE_CLIENT_IDKeycloakSettings.API_SERVICE_CLIENT_ID'aihub-api-service'Client ID for the API service account
KEYCLOAK_EXTERNAL_URLKeycloakSettings.EXTERNAL_URLNoneapi, bot, sysadmin-apiKeycloak external URL as seen by browsers, used for issuer validation
KEYCLOAK_REALMKeycloakSettings.REALM'aihub'api, bot, sysadmin-apiKeycloak realm name
KEYCLOAK_URLKeycloakSettings.URL(supplied by compose)api, bot, sysadmin-apiKeycloak internal URL for direct access (e.g., http://keycloak:8080)
LANGFUSE_BASE_URLLangfuseSettings.BASE_URL(supplied by compose)apiLangfuse server base URL
LANGFUSE_PROJECT_IDLangfuseSettings.PROJECT_IDNoneapiLangfuse project ID for constructing dataset URLs
LANGFUSE_PUBLIC_URLLangfuseSettings.PUBLIC_URLNoneapiPublic-facing Langfuse URL for browser links (e.g. https://langfuse.example.com)
LANGFUSE_TIMEOUTLangfuseSettings.TIMEOUT60Timeout in seconds for Langfuse API requests
LITE_LLM_PROXY_API_KEYLiteLLMProxySettings.API_KEYNoneapi, default_rag_pipeline, expert_asking_agent, expert_rag_agent, few_shot_agent, llm_wrapping_agent, namespace_selection_agent, rag_agent, retrieval_agent, shared_rag_pipelineAPI key for authentication. If not provided, other authentication methods will be used.
LITE_LLM_PROXY_BASE_URLLiteLLMProxySettings.BASE_URL(supplied by compose)api, default_rag_pipeline, expert_asking_agent, expert_rag_agent, few_shot_agent, llm_wrapping_agent, namespace_selection_agent, rag_agent, retrieval_agent, shared_rag_pipelineThe base URL of the model.
LITE_LLM_PROXY_USER_BUDGET_DURATIONLiteLLMProxySettings.USER_BUDGET_DURATIONNoneBudget is reset at the end of specified duration. If not set, budget is never reset. You can set duration as seconds ("30s"), minutes ("30m"), hours ("30h"), days ("30d"), months ("1mo").
LITE_LLM_PROXY_USER_MAX_BUDGETLiteLLMProxySettings.USER_MAX_BUDGETNoneBudget available to a user in one period
LITE_LLM_PROXY_USER_MAX_PARALLEL_REQUESTSLiteLLMProxySettings.USER_MAX_PARALLEL_REQUESTSNoneRate limit a user based on the number of parallel requests. Raises 429 error, if user's parallel requests > x.
LITE_LLM_PROXY_USER_RPM_LIMITLiteLLMProxySettings.USER_RPM_LIMITNoneSpecify rpm limit for a given user (Requests per minute)
LITE_LLM_PROXY_USER_SOFT_BUDGETLiteLLMProxySettings.USER_SOFT_BUDGETNoneGet alerts when user crosses given budget, doesn't block requests.
LITE_LLM_PROXY_USER_TPM_LIMITLiteLLMProxySettings.USER_TPM_LIMITNoneSpecify tpm limit for a given user (Tokens per minute)
MEM0_SUPPORT_VISIONMem0Settings.SUPPORT_VISIONTrueWhether to support vision
MEM0_VISION_DETAILMem0Settings.VISION_DETAIL'auto'Vision details
MEMORY_DEFAULT_TENANT_IDMemorySettings.DEFAULT_TENANT_ID'AIHub'Default tenant ID for memory scoping
MEMORY_DEFAULT_TENANT_NAMESPACEMemorySettings.DEFAULT_TENANT_NAMESPACENoneDefault tenant namespace for department-level scoping
MILVUS_URLMilvusSettings.URL(supplied by compose)api, attu, default_rag_pipeline, expert_asking_agent, expert_rag_agent, few_shot_agent, llm_wrapping_agent, namespace_selection_agent, rag_agent, retrieval_agent, shared_rag_pipelineConnection URL for Milvus DB Server
MINERU_API_BASE_URLMineruSettings.API_BASE_URL'http://mineru-api:8000'api, default_rag_pipeline, shared_rag_pipelineMinerU API endpoint URL
MINERU_EXTENSIONSMineruSettings.EXTENSIONS['pdf', 'png', 'jpeg', 'jp2', 'webp', 'gif', 'bmp', 'jpg', 'tiff']File extensions supported by MinerU
MINERU_VLM_SERVER_API_KEYMineruSettings.VLM_SERVER_API_KEYSecretStr('')api, default_rag_pipeline, shared_rag_pipelineLiteLLM API key for VLM requests
MINERU_VLM_SERVER_URLMineruSettings.VLM_SERVER_URL'http://litellm:4000'api, default_rag_pipeline, shared_rag_pipelineLiteLLM proxy URL for VLM routing
MONGO_CONNECTION_STRINGMongoSettings.CONNECTION_STRING(supplied by compose)api, bot, default_rag_pipeline, expert_asking_agent, expert_rag_agent, few_shot_agent, llm_wrapping_agent, namespace_selection_agent, rag_agent, retrieval_agent, shared_rag_pipeline, sysadmin-apiOverwrite the MongoDB connection string
NATS_ENDPOINTNatsSettings.ENDPOINT(supplied by compose)api, bot, default_rag_pipeline, expert_asking_agent, expert_rag_agent, few_shot_agent, llm_wrapping_agent, namespace_selection_agent, rag_agent, retrieval_agent, shared_rag_pipeline, sysadmin-apiConnection endpoint for NATS messaging system
NEO4J_URLNeo4jSettings.URL(supplied by compose)api, bot, llm_wrapping_agent, rag_agent, shared_rag_pipelineConnection URL for Neo4j DB Server
NOTIFICATION_DAGSTER_UI_BASE_URLNotificationSettings.DAGSTER_UI_BASE_URLNonedefault_rag_pipeline, shared_rag_pipelineBase URL of the Dagster UI used to build deep links in notification bodies (e.g. 'https://dagster.example.com').
NOTIFICATION_MIN_INTERVAL_SECONDSNotificationSettings.MIN_INTERVAL_SECONDS30default_rag_pipeline, shared_rag_pipelineMinimum interval between sensor ticks in seconds.
NOTIFICATION_TITLE_PREFIXNotificationSettings.TITLE_PREFIX'Swiss AI Hub Pipeline'default_rag_pipeline, shared_rag_pipelinePrefix prepended to the notification title.
OPENWEBUI_BASE_URLOpenWebuiSettings.BASE_URL(supplied by compose)api, sysadmin-apiOpenWebUI server base URL
OTEL_EXPORTER_OTLP_ENDPOINTOpenTelemetrySettings.EXPORTER_OTLP_ENDPOINTNoneapi, expert_asking_agent, expert_rag_agent, few_shot_agent, litellm, llm_wrapping_agent, namespace_selection_agent, open-webui, rag_agent, retrieval_agent, sysadmin-apiOTLP exporter endpoint URL
OTEL_EXPORTER_OTLP_INSECUREOpenTelemetrySettings.EXPORTER_OTLP_INSECURETrueopen-webuiUse insecure connection (no TLS) for gRPC
OTEL_EXPORTER_OTLP_PROTOCOLOpenTelemetrySettings.EXPORTER_OTLP_PROTOCOL'grpc'api, expert_asking_agent, expert_rag_agent, few_shot_agent, litellm, llm_wrapping_agent, namespace_selection_agent, open-webui, rag_agent, retrieval_agent, sysadmin-apiOTLP protocol
OTEL_RESOURCE_SERVICE_NAMEOpenTelemetrySettings.RESOURCE_SERVICE_NAMENoneapi, expert_asking_agent, expert_rag_agent, few_shot_agent, llm_wrapping_agent, namespace_selection_agent, rag_agent, retrieval_agent, sysadmin-apiResource service name
OTEL_RESOURCE_SERVICE_NAMESPACEOpenTelemetrySettings.RESOURCE_SERVICE_NAMESPACENoneapi, expert_asking_agent, expert_rag_agent, few_shot_agent, llm_wrapping_agent, namespace_selection_agent, rag_agent, retrieval_agent, sysadmin-apiResource service namespace
OTEL_RESOURCE_SERVICE_VERSIONOpenTelemetrySettings.RESOURCE_SERVICE_VERSIONNoneapi, expert_asking_agent, expert_rag_agent, few_shot_agent, llm_wrapping_agent, namespace_selection_agent, rag_agent, retrieval_agent, sysadmin-apiResource service version
PARSING_PASSTHROUGH_EXTENSIONSParsingSettings.PASSTHROUGH_EXTENSIONS[]File extensions that return empty content instead of 400 (e.g. for agent-only processing). Set via env as JSON array: PARSING_PASSTHROUGH_EXTENSIONS='["zip","wav"]'
RCLONE_URLRcloneSettings.URL'http://rclone:5572'Rclone RC API URL (e.g., http://rclone:5572).
REDIS_URLRedisSettings.URL(supplied by compose)api, expert_asking_agent, expert_rag_agent, few_shot_agent, llm_wrapping_agent, namespace_selection_agent, open-webui, rag_agent, retrieval_agent, sysadmin-apiConnection URL for Redis server (without token)
S3_STORAGE_ENDPOINTS3StorageSettings.ENDPOINT(supplied by compose)api, default_rag_pipeline, expert_rag_agent, rag_agent, retrieval_agent, shared_rag_pipelineThe s3 endpoint from either aws or minio.
S3_STORAGE_PUBLIC_ENDPOINTS3StorageSettings.PUBLIC_ENDPOINTNoneapi, default_rag_pipeline, expert_rag_agent, rag_agent, retrieval_agent, shared_rag_pipelineThe publicly accessible s3 endpoint for presigned URLs. If not set, falls back to ENDPOINT. Use this when internal and external endpoints differ (e.g., Docker internal vs Traefik-routed external).
S3_STORAGE_REGIONS3StorageSettings.REGION'us-east-1'The region for the s3 endpoint. For minio, value does not matter
S3_STORAGE_URL_SIGNING_SECRETS3StorageSettings.URL_SIGNING_SECRET(supplied by compose)api, default_rag_pipeline, expert_rag_agent, rag_agent, retrieval_agent, shared_rag_pipelineA secret key used for signing and verifying temporary anonymous access URLs.
USAGE_LIMIT_WARNING_THRESHOLD_PERCENTUsageLimitSettings.WARNING_THRESHOLD_PERCENT80Usage percentage at which warning headers are emitted

Additional variables for GPU deployments

The GPU variant currently does not introduce any operator-controlled variables beyond the base set above.

Built with ❤️ in Switzerland 🇨🇭

Copyright © 2025-bbv Software Services AG.