Configuration
This page lists commonly used flags and environment variables for the server, workers, and CLI. Values can be set via CLI flags or environment variables; environment variables are shown in ALL_CAPS.
Server (lyftdata run server)
LyftData serves HTTPS by default (self-signed if you do not provide TLS material). Most production deployments configure a trusted certificate or terminate TLS behind a reverse proxy—see Networking & TLS.
| Setting | Flag | Env | Default | Notes |
|---|---|---|---|---|
| Bind address | --bind-address | LYFTDATA_BIND_ADDRESS | 127.0.0.1:3000 | Use 0.0.0.0:3000 to accept remote connections. |
| Disable TLS | --disable-tls | — | off | Serve HTTP only (use behind a TLS-terminating reverse proxy, or for local-only eval). |
| TLS certificate | --tls-cert | LYFTDATA_TLS_CERT | — | Requires --tls-key. |
| TLS private key | --tls-key | LYFTDATA_TLS_KEY | — | Requires --tls-cert. |
| Staging directory | --staging-dir | LYFTDATA_STAGING_DIR | OS default | Recommended for services; stores control-plane state and logs. |
| Accept EULA non-interactively | — | LYFTDATA_LICENSE_EULA_ACCEPT | — | Set to yes, true, or 1 on first run to avoid prompts in automation. |
| Admin bootstrap password | --admin-init-password | LYFTDATA_ADMIN_INIT_PASSWORD | unset | If unset, the server enters Initial Setup Required and writes <staging-dir>/bootstrap/initial-admin.url. On a local TTY the ready splash may also show the full setup URL. |
| Retention (days) | --db-retention-days | LYFTDATA_LOG_RETENTION_DAYS | 30 | Cleanup applies when retention or disk thresholds are reached. |
| Disk usage threshold (%) | --disk-usage-max-percentage | LYFTDATA_DB_DISK_USE_MAX_PERCENT | 80 | Cleanup attempts begin when disk usage exceeds the threshold. |
| Bootstrap license | --bootstrap-license | LYFTDATA_LICENSE | unset | Apply a license non-interactively at startup (automation/scripted installs). |
For the full server flag catalog, see lyftdata run server --help.
Worker (lyftdata-worker)
External workers connect to the server using LYFTDATA_URL and authenticate using either a pre-issued API key or auto-enrollment. The worker binary defaults to http://localhost:3000, but most deployments should set an explicit https://... server URL.
| Setting | Flag | Env | Default | Notes |
|---|---|---|---|---|
| Server URL | --url | LYFTDATA_URL | http://localhost:3000 | Worker default is http://localhost:3000 for local compatibility. In most setups set https://…; use http://… only when the server runs with --disable-tls. |
| Worker ID | --worker-id | LYFTDATA_WORKER_ID | unset | If unset, the worker can persist identity locally after enrollment. |
| Worker API key | --worker-api-key | LYFTDATA_WORKER_API_KEY | unset | Required for pre-issued auth; keep it secret. |
| Auto-enrollment key | --auto-enrollment-key | LYFTDATA_AUTO_ENROLLMENT_KEY | unset | Alternative to pre-issued API keys; use only on trusted networks. |
| Worker name | --worker-name | LYFTDATA_WORKER_NAME | unset | Human-friendly label for dashboards. |
| Jobs directory | --worker-jobs-dir | LYFTDATA_JOBS_DIR | OS default | Recommended for services; stores cached job configs and local state. |
| Startup state reset | --reset-state | — | unset | One-time troubleshooting reset mode: auth, repair, or full. |
| Insecure TLS (evaluation only) | --tls-insecure | LYFTDATA_TLS_INSECURE | off | Accept self-signed certificates until you install a trusted certificate. |
For the full worker flag catalog, see lyftdata-worker --help.
Master keys (secrets encryption)
LyftData uses master keys to encrypt sensitive state at rest (for example: Variables, credentials, and worker settings). On developer desktops, you can often use the OS keyring. In headless environments (servers, CI, Docker), keyring calls may fail (commonly with DBus/Secret Service errors), so configure env-backed keys explicitly.
Generate 32 random bytes (64 hex chars) for each key:
```
openssl rand -hex 32
```

| Purpose | Env | Used by | Notes |
|---|---|---|---|
| Variables encryption | LYFTDATA_VARIABLES_MASTER_KEY_SOURCE + LYFTDATA_VARIABLES_MASTER_KEY | server | Set *_SOURCE=env in headless environments to avoid keyring/DBus issues. |
| Credential manager encryption | LYFTDATA_CREDENTIAL_MANAGER_MASTER_KEY_SOURCE + LYFTDATA_CREDENTIAL_MANAGER_MASTER_KEY | server | Required when the credential manager feature is enabled (default in release builds). |
| Worker settings / credential transport | LYFTDATA_SETTINGS_MASTER_KEY_SOURCE + LYFTDATA_SETTINGS_MASTER_KEY | built-in worker + external workers | Required in headless environments because the built-in worker runs inside the server process. |
- Master keys can be provided as 64-character hex or base64-encoded 32 bytes.
- Keep these values secret and do not bake them into container images.
- For Docker/Compose examples wiring these variables, see Docker and Docker Compose.
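
One way to provision the three master keys for a headless host, as an added example that is not LyftData's own tooling: it generates each key, writes the `*_SOURCE=env` pairs to an owner-only env file, and checks that file before the service starts. The function names and the file path in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not LyftData tooling. The env file path is an assumption.

# 32 random bytes as 64 hex chars, as `openssl rand -hex 32` produces.
gen_master_key() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32
  else
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
  fi
}

# Accept the two documented formats: 64 hex chars, or base64 of 32 bytes
# (43 base64 characters plus one '=' of padding).
valid_master_key() {
  if printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{64}$'; then return 0; fi
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$' || return 1
  [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)" -eq 32 ]
}

# Write all three key pairs to an owner-only (0600) env file.
# Refuses to overwrite so existing keys are never silently replaced.
write_master_key_env() {
  if [ -e "$1" ]; then echo "refusing to overwrite $1" >&2; return 1; fi
  ( umask 077
    for name in VARIABLES CREDENTIAL_MANAGER SETTINGS; do
      key=$(gen_master_key)
      valid_master_key "$key" || exit 1
      printf 'LYFTDATA_%s_MASTER_KEY_SOURCE=env\n' "$name"
      printf 'LYFTDATA_%s_MASTER_KEY=%s\n' "$name" "$key"
    done > "$1" )
}

# Pre-start check: file is not group/world accessible and every key parses.
check_master_key_env() {
  if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
    echo "$1: accessible by group or others" >&2; return 1
  fi
  for name in VARIABLES CREDENTIAL_MANAGER SETTINGS; do
    grep -qx "LYFTDATA_${name}_MASTER_KEY_SOURCE=env" "$1" || return 1
    key=$(sed -n "s/^LYFTDATA_${name}_MASTER_KEY=//p" "$1")
    valid_master_key "$key" || { echo "$1: bad $name key" >&2; return 1; }
  done
}

# Usage (path is hypothetical):
#   write_master_key_env /etc/lyftdata/master-keys.env
#   check_master_key_env /etc/lyftdata/master-keys.env
```

Point your service manager's environment-file setting at the resulting file rather than copying the values into unit files or images.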
Notes
- Prefer setting secrets via environment files managed by your service manager.
- Keep ports firewalled to trusted networks; see Security hardening.
- For troubleshooting and quick checks, see Troubleshooting.