This page provides a comprehensive reference for all configuration options used in Chronoverse deployment.

Environment Variables

Global Settings

These environment variables are common across multiple services:
| Variable | Description | Default | Required |
| --- | --- | --- | --- |
| ENV | Environment mode | development or production | Yes |
| OTEL_EXPORTER_OTLP_ENDPOINT | OpenTelemetry collector endpoint | http://lgtm:4317 | Yes |
| OTEL_EXPORTER_OTLP_PROTOCOL | OTLP protocol | grpc | Yes |

PostgreSQL Configuration

Service: postgres, users-service, workflows-service, jobs-service, notifications-service, analytics-service, scheduling-worker, analytics-processor
| Variable | Description | Default |
| --- | --- | --- |
| POSTGRES_HOST | PostgreSQL hostname | postgres |
| POSTGRES_USER | Database user | primary |
| POSTGRES_PASSWORD | Database password | chronoverse |
| POSTGRES_DB | Database name | chronoverse |
| POSTGRES_TLS_ENABLED | Enable TLS | true |
| POSTGRES_TLS_CA_FILE | CA certificate path | certs/ca/ca.crt |
| POSTGRES_TLS_CERT_FILE | Client certificate path | certs/clients/client.crt |
| POSTGRES_TLS_KEY_FILE | Client key path | certs/clients/client.key |
| POSTGRES_MIN_CONNS | Minimum connection pool size | 2 |

Change POSTGRES_PASSWORD before production deployment!

ClickHouse Configuration

Service: clickhouse, jobs-service, workflow-worker, joblogs-processor
| Variable | Description | Default |
| --- | --- | --- |
| CLICKHOUSE_HOSTS | ClickHouse host:port | clickhouse:9440 |
| CLICKHOUSE_USERNAME | ClickHouse user | chronoverse-client |
| CLICKHOUSE_PASSWORD | ClickHouse password | chronoverse |
| CLICKHOUSE_TLS_ENABLED | Enable TLS | true |
| CLICKHOUSE_TLS_CA_FILE | CA certificate path | certs/ca/ca.crt |
| CLICKHOUSE_TLS_CERT_FILE | Client certificate path | certs/clients/client.crt |
| CLICKHOUSE_TLS_KEY_FILE | Client key path | certs/clients/client.key |

Change CLICKHOUSE_PASSWORD before production deployment!

Redis Configuration

Service: redis, users-service, workflows-service, jobs-service, server, workflow-worker, execution-worker, joblogs-processor
| Variable | Description | Default |
| --- | --- | --- |
| REDIS_HOST | Redis hostname | redis |
| REDIS_TLS_ENABLED | Enable TLS | true |
| REDIS_TLS_CA_FILE | CA certificate path | certs/ca/ca.crt |
| REDIS_TLS_CERT_FILE | Client certificate path | certs/clients/client.crt |
| REDIS_TLS_KEY_FILE | Client key path | certs/clients/client.key |

Kafka Configuration

Service: kafka, workflows-service, scheduling-worker, workflow-worker, execution-worker, joblogs-processor, analytics-processor
| Variable | Description | Default |
| --- | --- | --- |
| KAFKA_BROKERS | Kafka broker addresses | kafka:9094 |
| KAFKA_TLS_ENABLED | Enable TLS | true |
| KAFKA_TLS_CA_FILE | CA certificate path | certs/ca/ca.crt |
| KAFKA_TLS_CERT_FILE | Client certificate path | certs/clients/client.crt |
| KAFKA_TLS_KEY_FILE | Client key path | certs/clients/client.key |
| KAFKA_CONSUMER_GROUP | Consumer group ID | Service-specific |

Kafka Broker Settings

| Variable | Description | Default |
| --- | --- | --- |
| KAFKA_KRAFT_MODE | Enable KRaft mode | true |
| KAFKA_NODE_ID | Node ID | 1 |
| KAFKA_PROCESS_ROLES | Process roles | controller,broker |
| KAFKA_LISTENERS | Listener endpoints | SSL://kafka:9094,CONTROLLER://kafka:9093 |
| KAFKA_SSL_CLIENT_AUTH | Client authentication | required |
| KAFKA_LOG_RETENTION_HOURS | Log retention | 168 (7 days) |
| CLUSTER_ID | Cluster identifier | EDofQNqcSCa63isOyHHO9g |

Meilisearch Configuration

Service: meilisearch, jobs-service, joblogs-processor
| Variable | Description | Default |
| --- | --- | --- |
| MEILI_MASTER_KEY | Master API key | (See below) |
| MEILI_SSL_AUTH_PATH | CA certificate path | /certs/ca/ca.crt |
| MEILI_SSL_CERT_PATH | Server certificate path | /certs/meilisearch/meilisearch.crt |
| MEILI_SSL_KEY_PATH | Server key path | /certs/meilisearch/meilisearch.key |
| MEILISEARCH_URI | Service URI | https://meilisearch:7700 |
| MEILISEARCH_TLS_ENABLED | Enable TLS | true |
| MEILISEARCH_TLS_CA_FILE | CA certificate path | certs/ca/ca.crt |
| MEILISEARCH_TLS_CERT_FILE | Client certificate path | certs/clients/client.crt |
| MEILISEARCH_TLS_KEY_FILE | Client key path | certs/clients/client.key |

Default Master Key: 35b09c3c7b1001ed1fbed7db29a155d0201ab22d527b41bfba9003da7bb3b404
Generate a new key for production:
openssl rand -hex 32
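
As an added example (not part of the Chronoverse project), the script below audits an env file for the default PostgreSQL, ClickHouse and Meilisearch secrets documented on this page and for any `*_TLS_ENABLED` flag that is not `true`. The function name `audit_env` and the sample input are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit an env file against the defaults documented on this page.
# audit_env and the sample file are hypothetical, not part of Chronoverse.

# Documented default secrets that must not reach production.
DEFAULT_SECRETS='POSTGRES_PASSWORD=chronoverse
CLICKHOUSE_PASSWORD=chronoverse
MEILI_MASTER_KEY=35b09c3c7b1001ed1fbed7db29a155d0201ab22d527b41bfba9003da7bb3b404'

# audit_env FILE: prints one finding per line; exit status = number of findings.
audit_env() {
  local file findings line key value
  file=$1; findings=0
  while IFS= read -r line || [ -n "$line" ]; do
    # Only KEY=VALUE lines are checked; comments and blanks are skipped.
    case $line in '#'*) continue ;; *=*) ;; *) continue ;; esac
    key=${line%%=*}
    value=${line#*=}
    # Strip one pair of surrounding quotes, which env files often carry.
    value=${value#\"}; value=${value%\"}
    value=${value#\'}; value=${value%\'}
    if printf '%s\n' "$DEFAULT_SECRETS" | grep -qxF -- "$key=$value"; then
      echo "DEFAULT  $key still has the documented default value"
      findings=$((findings + 1))
    fi
    case $key in
      *_PASSWORD|MEILI_MASTER_KEY)
        if [ -z "$value" ]; then
          echo "EMPTY    $key is set but empty"
          findings=$((findings + 1))
        fi ;;
      *_TLS_ENABLED)
        if [ "$value" != "true" ]; then
          echo "NO-TLS   $key=$value (documented default is true)"
          findings=$((findings + 1))
        fi ;;
    esac
  done < "$file"
  return "$findings"
}

# Constructed sample input, so the script runs stand-alone.
sample=$(mktemp)
printf '%s\n' 'ENV=production' 'POSTGRES_PASSWORD=chronoverse' \
  'REDIS_TLS_ENABLED=false' 'KAFKA_TLS_ENABLED=true' > "$sample"
audit_env "$sample" || echo "findings: $?"
rm -f "$sample"
```

A non-zero exit status makes the function usable as a gate in a deployment pipeline before `docker compose up`.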

gRPC Service Configuration

All gRPC services share this configuration pattern:
| Variable | Description | Service-Specific Port |
| --- | --- | --- |
| GRPC_PORT | gRPC server port | See table below |
| GRPC_TLS_ENABLED | Enable TLS | true |
| GRPC_TLS_CA_FILE | CA certificate path | certs/ca/ca.crt |
| GRPC_TLS_CERT_FILE | Server certificate path | certs/{service}/{service}.crt |
| GRPC_TLS_KEY_FILE | Server key path | certs/{service}/{service}.key |

gRPC Service Ports

| Service | Port | Environment Variable |
| --- | --- | --- |
| users-service | 50051 | GRPC_PORT=50051 |
| workflows-service | 50052 | GRPC_PORT=50052 |
| jobs-service | 50053 | GRPC_PORT=50053 |
| notifications-service | 50054 | GRPC_PORT=50054 |
| analytics-service | 50055 | GRPC_PORT=50055 |

Service-to-Service Communication

Service: server, workflow-worker, execution-worker, notifications-service

Each service that calls other gRPC services needs these variables:
# Example: server service connecting to users-service
USERS_SERVICE_HOST=users-service
USERS_SERVICE_PORT=50051
USERS_SERVICE_TLS_ENABLED=true
USERS_SERVICE_TLS_CA_FILE=certs/ca/ca.crt

# Client certificates for mTLS
CLIENT_TLS_CERT_FILE=certs/clients/client.crt
CLIENT_TLS_KEY_FILE=certs/clients/client.key

Server Configuration

Service: server
| Variable | Description | Default (Dev) | Default (Prod) |
| --- | --- | --- | --- |
| SERVER_HOST | Bind address | 0.0.0.0 | 0.0.0.0 |
| SERVER_ALLOWED_ORIGINS | CORS origins | (not set) | http://0.0.0.0:80, |

Dashboard Configuration

Service: dashboard (development only)
| Variable | Description | Default |
| --- | --- | --- |
| NEXT_PUBLIC_API_URL | API endpoint | http://localhost:8080 |

Worker Configuration

Service: workflow-worker, execution-worker
| Variable | Description | Default |
| --- | --- | --- |
| DOCKER_HOST | Docker daemon address | tcp://docker-proxy:2375 |

Port Mappings

Development Environment

All services expose ports in development:
postgres:       5432:5432
clickhouse:     9440:9440
redis:          6379:6379
meilisearch:    7700:7700
kafka:          9094:9094, 9093:9093

Production Environment

Only nginx is exposed in production:
nginx:  80:80    # HTTP entry point
lgtm:   3000:3000  # Grafana (internal)
All other services communicate internally on the chronoverse network.

Volume Mounts

Persistent Data Volumes

| Volume | Mount Point | Purpose |
| --- | --- | --- |
| postgres | /var/lib/postgresql | PostgreSQL data |
| clickhouse | /var/lib/clickhouse | ClickHouse data |
| redis | /data | Redis persistence |
| meilisearch | /meili_data | Meilisearch indices |
| kafka | /var/lib/kafka/data | Kafka logs |
| lgtm | /data | Grafana/LGTM data |
| otel-lgtm | /otel-lgtm | OTLP collector data |

Certificate Mounts

All services mount certificates:
volumes:
  - ./certs:/certs:ro  # Read-only
The init-certs service mounts read-write:
volumes:
  - ./certs:/certs:rw  # Read-write for generation

Configuration Mounts

# PostgreSQL configuration
postgres:
  volumes:
    - ./certs/postgres/config:/etc/postgresql

# ClickHouse configuration
clickhouse:
  volumes:
    - ./certs/clickhouse/config:/etc/clickhouse-server/conf.d:ro
    - ./certs/clickhouse/clients/config.xml:/etc/clickhouse-client/config.xml:ro

Health Check Configuration

PostgreSQL Health Check

healthcheck:
  test: |
    psql 'host=0.0.0.0 user=primary dbname=postgres 
         sslmode=verify-full sslrootcert=/certs/ca/ca.crt 
         sslcert=/certs/clients/client.crt 
         sslkey=/certs/clients/client.key' -c 'SELECT 1;'
  interval: 10s
  timeout: 5s
  retries: 5
  start_period: 5s

ClickHouse Health Check

healthcheck:
  test: |
    clickhouse-client --secure --host=localhost --port=9440 \
                      --user=chronoverse-client --password=chronoverse \
                      --query 'SELECT 1'
  interval: 10s
  timeout: 5s
  retries: 10
  start_period: 5s

Redis Health Check

healthcheck:
  test: |
    redis-cli --tls --cert /certs/clients/client.crt \
              --key /certs/clients/client.key \
              --cacert /certs/ca/ca.crt -p 6379 ping | grep PONG
  interval: 10s
  timeout: 5s
  retries: 10
  start_period: 5s

gRPC Service Health Check

healthcheck:
  test: |
    if [ "$$GRPC_TLS_ENABLED" = "true" ]; then
      /bin/grpc-health-probe -addr=localhost:50051 \
        -connect-timeout 250ms -rpc-timeout 250ms \
        -tls -tls-ca-cert certs/ca/ca.crt \
        -tls-client-cert certs/users-service/users-service.crt \
        -tls-client-key certs/users-service/users-service.key \
        -tls-server-name=users-service \
        -rpc-header=Audience:grpc_probe \
        -rpc-header=Role:admin
    fi
  interval: 10s
  timeout: 5s
  retries: 5
  start_period: 30s

Certificate Structure

The init-certs service generates the following certificate structure:
certs/
├── auth.ed              # ED25519 private key for JWT
├── auth.ed.pub          # ED25519 public key
├── ca/
│   ├── ca.crt          # Root CA certificate
│   └── ca.key          # Root CA key
├── clients/
│   ├── client.crt      # Client certificate for mTLS
│   └── client.key      # Client private key
├── postgres/
│   ├── postgres.crt    # PostgreSQL server certificate
│   ├── postgres.key    # PostgreSQL server key
│   └── config/
│       ├── postgresql.conf
│       └── pg_hba.conf
├── clickhouse/
│   ├── clickhouse.crt  # ClickHouse server certificate
│   ├── clickhouse.key  # ClickHouse server key
│   ├── config/
│   │   ├── tls.xml     # TLS configuration
│   │   └── users.xml   # User configuration
│   └── clients/
│       ├── client.crt  # ClickHouse client certificate
│       ├── client.key  # ClickHouse client key
│       └── config.xml  # Client configuration
├── redis/
│   ├── redis.crt       # Redis server certificate
│   └── redis.key       # Redis server key
├── kafka/
│   ├── kafka.crt       # Kafka certificate
│   ├── kafka.key       # Kafka key
│   ├── kafka.keystore.jks
│   ├── kafka.truststore.jks
│   └── *_creds.txt     # Keystore passwords
├── meilisearch/
│   ├── meilisearch.crt # Meilisearch certificate
│   └── meilisearch.key # Meilisearch key
└── [service-name]/
    ├── [service].crt   # Service-specific certificate
    └── [service].key   # Service-specific key

Docker Compose Profiles

Development Build Arguments

build:
  context: .
  dockerfile: Dockerfile
  args:
    - VERSION=v0.0.1
    - NAME=users-service
    - PRIVATE_KEY_PATH=certs/auth.ed
    - PUBLIC_KEY_PATH=certs/auth.ed.pub

Production Images

image: ghcr.io/hitesh22rana/chronoverse/users-service:latest

Resource Limits (Production)

YAML Anchors

x-limits:
  database-limits: &database-limits
    deploy:
      resources:
        limits:
          cpus: "1"
          memory: 1G
        reservations:
          cpus: "0.5"
          memory: 512M

  services-limit: &services-limit
    deploy:
      resources:
        limits:
          cpus: "0.25"
          memory: 256M
        reservations:
          cpus: "0.1"
          memory: 128M

  low-resources-workers-limit: &low-resources-workers-limit
    deploy:
      replicas: 2
      resources:
        limits:
          cpus: "0.5"
          memory: 2G
        reservations:
          cpus: "0.25"
          memory: 1G

  high-resources-workers-limit: &high-resources-workers-limit
    deploy:
      replicas: 2
      resources:
        limits:
          cpus: "2"
          memory: 4G
        reservations:
          cpus: "1"
          memory: 2G

Usage

services:
  postgres:
    <<: *database-limits
    # ... rest of config

  users-service:
    <<: *services-limit
    # ... rest of config

  execution-worker:
    <<: *high-resources-workers-limit
    # ... rest of config

Network Configuration

networks:
  chronoverse:
    name: chronoverse
    driver: bridge
All services connect to the chronoverse bridge network for isolated communication.
