General Configuration#
BaSyx Go components use a shared configuration model from internal/common. Configuration can be provided through a YAML file and overridden with environment variables.
Configuration Source Precedence#
The shared configuration loader applies the following precedence:
Environment variables
YAML configuration file
Built-in defaults
Environment variables override YAML values. Nested keys use underscore notation, for example server.port becomes SERVER_PORT.
Common Configuration Sections#
These sections are part of the shared configuration model. Components ignore settings that are not relevant to their feature set.
server#
Key |
Default |
Purpose |
|---|---|---|
|
|
Host used for the HTTP server and generated Swagger server URL. |
|
|
HTTP server port. |
|
|
Base path for API, Swagger, and health endpoints. |
|
|
Enables descriptor persistence caches where supported. |
|
|
Semantic verification mode: |
|
|
Enables the |
postgres#
Key |
Default |
Purpose |
|---|---|---|
|
|
Complete PostgreSQL connection string. When non-empty, it replaces the individual connection fields listed below. |
|
|
PostgreSQL host. |
|
|
PostgreSQL port. |
|
|
Database user. |
|
|
Database password. |
|
|
Database name. |
|
|
PostgreSQL TLS verification mode: |
|
|
Path to the client certificate used for certificate-based PostgreSQL authentication. |
|
|
Path to the private key belonging to |
|
|
Path to the root CA certificate used to verify the PostgreSQL server certificate. |
|
|
Connection timeout in seconds. Must not be negative; |
|
|
PostgreSQL |
|
|
Fallback application name used when no primary application name is supplied. |
|
|
PostgreSQL schema search path for new sessions. |
|
|
Additional PostgreSQL server startup options. |
|
|
PostgreSQL session time zone. |
|
|
Maximum number of open DB connections. |
|
|
Maximum number of idle DB connections. |
|
|
Maximum DB connection lifetime in minutes. |
When postgres.dsn is non-empty, do not explicitly configure host, port, user, password, dbname, TLS, timeout, application-name, search-path, options, or time-zone fields in YAML or environment variables. The service rejects this ambiguous combination. Connection-pool settings can still be used with a DSN.
The DSN and database credentials are sensitive and should normally be supplied through a secret rather than committed to YAML.
cors#
Key |
Default |
Purpose |
|---|---|---|
|
|
Allowed CORS origins. |
|
|
Allowed HTTP methods. |
|
|
Allowed request headers. |
|
|
Enables credentialed CORS requests. |
oidc and abac#
Key |
Default |
Purpose |
|---|---|---|
|
|
JSON trustlist of accepted OIDC providers. |
|
|
Enables OIDC authentication and ABAC authorization middleware. |
|
|
ABAC access-rules model. |
|
|
Controls startup import of |
|
|
Optional database namespace for stored ABAC policies. An empty value uses the service’s built-in scope. |
|
|
Enables the protected API for managing the active ABAC policy at runtime. |
If abac.enabled is false, the shared security setup is skipped. If it is true, the trustlist is required. policyFileImport determines whether the policy file is loaded on every start, only if the database has no active policy, or never. policyScope controls the database-backed ABAC policy namespace; use different scopes to isolate deployments that share a database, and share a scope only when services should intentionally use the same active policy.
When set, policyScope is trimmed, must not exceed 255 characters, and may contain ASCII letters, digits, _, -, ., and :.
OIDC trustlist provider fields#
The source also defines the following provider fields for entries read from the JSON file at oidc.trustlistPath. They are not additional keys in the main YAML oidc section.
Field |
Purpose |
|---|---|
|
OIDC issuer URL whose tokens are accepted. |
|
Optional required token audience. Audience validation is skipped when this is empty. |
|
Scopes that an accepted token must provide. |
|
Optional non-standard OpenID Provider discovery URL. |
|
Optional JSON pointers identifying claims from which OAuth scopes are read. |
|
Optional rules that map provider-specific claims into canonical BaSyx claims. |
Each claimMappings entry contains:
Field |
Purpose |
|---|---|
|
Target claim name without the |
|
Mapping mode: |
|
Provider claim paths used as mapping inputs. |
general#
Key |
Default |
Purpose |
|---|---|---|
|
|
Allows implicit casts in ABAC/query expression evaluation. |
|
|
Enables descriptor query debug output. |
|
|
Enables discovery-specific descriptor behavior; some services set this internally. |
|
|
Enables custom claim/header middleware where supported. |
|
|
Accepts singular |
|
|
Enables AAS repository to AAS registry synchronization. |
|
|
Enables Submodel repository to Submodel registry synchronization. |
|
|
Public base URL used to generate synchronized registry endpoint descriptors. Multiple URLs can be comma-separated. |
|
|
Allows trusted reverse proxies to supply the public request scheme, host, and client information through |
|
|
CIDR allowlist of proxy source addresses whose forwarded headers may be trusted. |
|
|
Maximum upload size for repository/environment upload endpoints. |
|
|
AAS Environment startup import sources. Supports files or folders with |
|
|
Maximum row count per generated bulk SQL statement. Must be greater than |
When registry synchronization is enabled, general.externalUrl must be set to at least one absolute URL with scheme and host.
jws and swagger#
Key |
Default |
Purpose |
|---|---|---|
|
|
RSA private key used by Submodel Repository and AAS Environment signing use cases. |
|
|
PEM-encoded X.509 certificate chain included as the JWS |
|
|
Enables Swagger UI and OpenAPI specification endpoints. |
|
|
Contact name injected into OpenAPI/Swagger docs. |
|
|
Contact email injected into OpenAPI/Swagger docs. |
|
|
Contact URL injected into OpenAPI/Swagger docs. |
history#
History settings control API history, audit metadata, and optional external evidence storage. A component must implement history handling for these settings to have a runtime effect.
Key |
Default |
Purpose |
|---|---|---|
|
|
History mode: |
|
|
Requested database-history retention. Only |
|
|
Number of history rows between full snapshots. Must be at least |
|
|
Immutability mode: |
|
|
Identity detail stored with audit entries: |
|
|
External integrity-anchor backend. Only |
external_anchor cannot currently be used: it requires a non-none integrity-anchor provider, while no such provider is implemented yet.
history.evidence#
Evidence storage writes WORM-compatible history artifacts to object storage.
Key |
Default |
Purpose |
|---|---|---|
|
|
Enables external evidence artifact writing. Requires |
|
|
Evidence backend. Accepted values are |
|
|
S3 bucket that receives evidence artifacts. Required when evidence is enabled. |
|
|
Object-key prefix used inside the bucket. |
|
|
S3 region. Required when evidence is enabled. |
|
|
Optional custom S3-compatible endpoint, for example a MinIO endpoint. |
|
|
Optional explicit S3 access-key ID. Configure it together with |
|
|
Optional explicit S3 secret access key. Configure it together with |
|
|
Uses path-style S3 addressing instead of virtual-hosted bucket addressing. Often needed for local S3-compatible services. |
|
|
S3 Object Lock mode: |
|
|
Object-lock retention period. Must be at least |
|
|
Timeout for writing an evidence artifact. Must be at least |
|
|
Private key used to sign evidence manifests. If empty, |
|
|
Public key used for evidence-signature verification. |
|
|
Requires signing material. At least a signing private key, the JWS fallback key, or a public key must be configured. |
Credentials are sensitive. Prefer secret-backed environment variables or mounted secret files over committing them to YAML.
eventing#
The eventing configuration is reserved for future publishing and outbox support.
Key |
Default |
Purpose |
|---|---|---|
|
|
Requests event publishing. Currently rejected because event publishing is not implemented. |
|
|
Reserved event serialization format. |
|
|
Reserved list of event sink destinations. A non-empty list is currently rejected. |
|
|
Requests transactional outbox processing. Currently rejected. |
|
|
Reserved prefix for generated event topics. |
Keep enabled and outboxEnabled set to false and sinks empty until eventing support is implemented.
Example YAML#
server:
host: 0.0.0.0
port: 5004
contextPath: ""
cacheEnabled: false
strictVerification: permissive
verificationEndpointAvailable: true
postgres:
dsn: ""
host: db
port: 5432
dbname: basyxTestDB
user: admin
password: admin123
sslmode: disable
sslcert: ""
sslkey: ""
sslrootcert: ""
connectTimeoutSeconds: 0
applicationName: ""
fallbackApplicationName: ""
searchPath: ""
options: ""
timezone: ""
maxOpenConnections: 50
maxIdleConnections: 50
connMaxLifetimeMinutes: 5
cors:
allowedOrigins: []
allowedMethods: [GET, POST, PUT, PATCH, DELETE, OPTIONS]
allowedHeaders: []
allowCredentials: false
oidc:
trustlistPath: "config/trustlist.json"
abac:
enabled: false
modelPath: "config/access_rules/access-rules.json"
policyFileImport: ""
policyScope: ""
managementApi:
enabled: false
general:
enableImplicitCasts: true
enableDescriptorDebug: false
discoveryIntegration: false
enableCustomMiddlewareHeaderInjection: false
supportsSingularSupplementalSemanticId: false
aasRegistryIntegration: false
submodelRegistryIntegration: false
externalUrl: ""
trustProxyHeaders: false
trustedProxyCIDRs: []
uploadMaxSizeBytes: 134217728
aasPreconfigPaths: []
bulkBatchLimit: 1000
jws:
privateKeyPath: ""
certificateChainPath: ""
swagger:
enabled: true
contactName: "Eclipse BaSyx"
contactEmail: "basyx-dev@eclipse.org"
contactUrl: "https://basyx.org"
history:
mode: off
retentionDays: 0
fullSnapshotInterval: 1
immutability: none
auditIdentityMode: none
evidence:
enabled: false
provider: none
bucket: ""
prefix: basyx-history-evidence
region: us-east-1
endpoint: ""
accessKeyId: ""
secretAccessKey: ""
pathStyle: false
retentionMode: ""
retentionDays: 0
writeTimeoutSeconds: 10
signing:
privateKeyPath: ""
publicKeyPath: ""
required: false
integrityAnchor:
provider: none
eventing:
enabled: false
format: cloudevents
sinks: []
outboxEnabled: false
topicPrefix: basyx
Environment Variables#
For regular settings, use the uppercase YAML path with dots replaced by underscores:
SERVER_PORT=5004
SERVER_CONTEXTPATH=/api
SERVER_STRICTVERIFICATION=permissive
POSTGRES_HOST=db
POSTGRES_PORT=5432
POSTGRES_USER=admin
POSTGRES_PASSWORD=admin123
POSTGRES_DBNAME=basyxTestDB
POSTGRES_SSLMODE=disable
POSTGRES_CONNECTTIMEOUTSECONDS=10
ABAC_ENABLED=false
ABAC_POLICYFILEIMPORT=if_missing
ABAC_POLICY_SCOPE=aasregistryservice
ABAC_MANAGEMENTAPI_ENABLED=false
OIDC_TRUSTLISTPATH=config/trustlist.json
GENERAL_EXTERNALURL=https://example.org/aas
GENERAL_TRUSTPROXYHEADERS=false
GENERAL_UPLOADMAXSIZEBYTES=134217728
GENERAL_BULK_BATCH_LIMIT=1000
SWAGGER_ENABLED=true
GENERAL_AAS_PRECONFIG_PATHS is parsed as a comma-separated list and overrides general.aasPreconfigPaths:
GENERAL_AAS_PRECONFIG_PATHS=file:/data/example.aasx,/data/preconfigured-aas
The following explicit aliases are also supported:
YAML setting |
Environment variable |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The explicit aliases are applied after normal environment-variable decoding and therefore take precedence when both forms are set.
To use a complete PostgreSQL DSN, set only POSTGRES_DSN for the connection details. Do not also set individual connection variables such as POSTGRES_HOST or POSTGRES_SSLMODE:
POSTGRES_DSN=postgres://admin:secret@db:5432/basyx?sslmode=require
POSTGRES_MAXOPENCONNECTIONS=50
POSTGRES_MAXIDLECONNECTIONS=50
Security Files#
The shared configuration may reference these security-sensitive files:
oidc.trustlistPathabac.modelPathjws.privateKeyPathjws.certificateChainPathhistory.evidence.signing.privateKeyPathhistory.evidence.signing.publicKeyPathpostgres.sslcertpostgres.sslkeypostgres.sslrootcert
In containers, paths are resolved inside the container filesystem. Mount the files or their parent directory and point the YAML value or environment variable to the mounted path.
Notes#
The BaSyx Configuration Service mainly uses the
postgressection.Repository and environment services use
general.uploadMaxSizeBytesfor upload limits.AAS Environment additionally supports
general.aasPreconfigPaths.AAS Repository, Submodel Repository, and AAS Environment use the registry synchronization settings when enabled.