Version: 24.2

Configuration overview

Nextflow Tower Enterprise is now Seqera Platform Enterprise. Existing configuration parameters, configuration files, and API endpoints that include Tower currently remain unchanged.

Set Seqera configuration values using environment variables, a tower.yml configuration file, or individual values stored in AWS Parameter Store. Sensitive values such as database passwords should be stored securely (e.g., as SecureString type parameters in AWS Parameter Store).

Declare environment variables in a tower.env file. For example:

TOWER_CONTACT_EMAIL=hello@foo.com
TOWER_SMTP_HOST=your.smtphost.com

See the Environment variables option in each section below.

Configuration values not supported in tower.yml or AWS Parameter Store

Due to the order of operations when deploying Seqera Enterprise, some configuration values can only be retrieved from environment variables (tower.env). The following configuration values are not supported for tower.yml or AWS Parameter Store configuration and must be set as environment variables:

Environment variable

Description

Value

TOWER_DB_USER

The user account to access your database. If you are using an external database, you must create this user manually. For installation in a new environment, this value must be set as an environment variable.

Default: tower

TOWER_DB_PASSWORD

The user password to access your database. If you are using an external database, you must create this password manually. For installation in a new environment, this value must be set as an environment variable.

Default: tower

TOWER_DB_URL

The URL to access your database. For installation in a new environment, this value must be set as an environment variable. See the 24.1 release notes for information about the DB URL format.

Example: jdbc:mysql://db:3306/tower?permitMysqlScheme=true

TOWER_APP_NAME

Application name. To run multiple instances of the same Seqera account, each instance must have a unique name, e.g., tower-dev and tower-prod. Can also be set in tower.yml with tower.appName.

Default: tower

TOWER_ENABLE_AWS_SES

Set true to enable AWS Simple Email Service for sending Seqera emails instead of SMTP.

Default: false

TOWER_ENABLE_PLATFORMS

A comma-separated list of execution backends to enable. At least one is required.

altair-platform,awsbatch-platform,azbatch-platform,eks-platform,googlebatch-platform,gke-platform,k8s-platform,local-platform,lsf-platform,moab-platform,slurm-platform

TOWER_ENABLE_UNSAFE_MODE

Set to true to allow HTTP connections to Seqera. HTTP must not be used in production deployments. HTTPS is used by default from version 22.1.x.

Default: false

Basic configuration

Basic configuration options such as the Seqera instance server URL, application name, and license key.

Environment variable

Description

Value

TOWER_SERVER_URL

Your Seqera instance hostname, IP address, DNS name, or full reverse proxy path where the application is exposed. The https:// protocol is required for instances that use an SSL certificate. As of version 22.1, HTTPS is used by default. To use HTTP, set TOWER_ENABLE_UNSAFE_MODE=true.

Default: http://localhost:8000

TOWER_LICENSE

Your Seqera Enterprise license key (required). Contact us to obtain your license key. The key is base64-encoded by Seqera — paste this value exactly as received.

DT8G5F3...BBV90OW

TOWER_APP_NAME

Application name. To run multiple instances of the same Seqera account, each instance must have a unique name, e.g., tower-dev and tower-prod.

Default: tower

TOWER_CONFIG_FILE

Custom path for the tower.yml file.

path/to/tower/config

TOWER_LANDING_URL

Custom landing page for the application (requires version 21.10.1 or later). This value doesn't change the TOWER_SERVER_URL used for inbound Seqera connections.

https://your.custom.landing.example.net

TOWER_CRON_SERVER_PORT

Define the HTTP port used by the Seqera cron service (requires version 21.06.1 or later).

8080

TOWER_ROOT_USERS

Grant users access to the application admin panel.

user1@your-company.com,user2@your-company.com

TOWER_CONTACT_EMAIL

Your Seqera system administrator contact email.

seqera@your-company.com

TOWER_AUTH_DISABLE_EMAIL

Set to true to disable the email login. Ensure that you've configured an alternative authentication provider first.

Default: false

TOWER_USER_WORKSPACE_ENABLED

Enable or disable user private workspaces (requires version 22.1.0 or later).

Default: true

Seqera and Redis databases

Configuration values that control Seqera's interaction with databases and Redis instances. TOWER_DB_USER, TOWER_DB_PASSWORD, and TOWER_DB_URL must be specified using environment variables during initial Seqera Enterprise deployment in a new environment. A new installation will fail if DB values are only defined in tower.yml or the AWS Parameter Store. Once the database has been created, these values can be added to tower.yml or AWS Parameter Store entries and removed from your environment variables.

From Seqera Enterprise version 24.2:

  • Redis version 6.2 or greater is required.
  • Redis version 7 is officially supported.

Follow your cloud provider specifications to upgrade your instance.

If you use a database other than the provided db container, you must create a user and database schema manually.

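-- Create the Seqera schema with the required character set and collation
CREATE DATABASE tower;
ALTER DATABASE tower CHARACTER SET utf8 COLLATE utf8_bin;

-- Create the application user; replace <password> with your own value
CREATE USER 'tower' IDENTIFIED BY '<password>';
GRANT ALL PRIVILEGES ON tower.* TO 'tower'@'%';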

Managed Redis services

Seqera supports managed Redis services such as Amazon ElastiCache, Azure Cache for Redis, or Google Memorystore.

When using a managed Redis service, you must specify the service IP address or DNS name for the TOWER_REDIS_URL as described in the following sections.

  • Use a single-node cluster, as multi-node clusters are not supported
  • Use an instance with at least 6GB capacity (cache.m4.large or greater)
  • Specify your private ElastiCache instance in the Seqera environment variables:
TOWER_REDIS_URL=redis://<redis private IP>:6379

Database and Redis manual configuration

If the DB username and password variables are left empty when using Docker Compose, default tower database values are applied automatically. With Kubernetes and custom DB deployments, tower values are not pre-filled.

We recommend using managed cloud database services for production deployments.

Environment variable

Description

Value

TOWER_DB_USER

The user account to access your database. If you are using an external database, you must create this user manually.

Default: tower

TOWER_DB_PASSWORD

The user password to access your database. If you are using an external database, you must create this password manually.

Default: tower

TOWER_DB_URL

The URL to access your database.

Example: jdbc:mysql://db:3306/tower

TOWER_DB_MIN_POOL_SIZE

Minimum database connection pool size.

Default: 5

TOWER_DB_MAX_POOL_SIZE

Maximum database connection pool size.

Default: 10

TOWER_DB_MAX_LIFETIME

Maximum lifespan of database connections, in milliseconds.

Default: 1800000

TOWER_REDIS_URL

The URL to access your Seqera Redis instance.

Example: redis://redis:6379

TOWER_REDIS_PASSWORD

The password of your Seqera Redis instance.

Opt-in Seqera features

Configuration values that enable opt-in Seqera features per instance or workspace.

Core features

Environment variable

Description

Value

TOWER_ENABLE_WAVE

Enable Seqera integration with Wave containers.

Default: false

WAVE_SERVER_URL

Define the Wave containers service endpoint URL.

Example: https://wave.seqera.io

TOWER_ENABLE_AWS_SSM

Enable Seqera configuration value retrieval from AWS Parameter Store.

Default: false

TOWER_ENABLE_AWS_SES

Use AWS Simple Email Service (SES) to send Seqera emails instead of SMTP.

Default: false

TOWER_ALLOW_NEXTFLOW_LOGS

Allow log and report files from Nextflow CLI runs (-with-tower) to be accessible in the Seqera UI. Run output files must be accessible to your Seqera workspace primary compute environment.

Default: false

TOWER_STEPPED_LAUNCH_FORM_ALLOWED_WORKSPACES

Enable the stepped launch form in the workspaces specified. Set empty (TOWER_STEPPED_LAUNCH_FORM_ALLOWED_WORKSPACES=) to enable the new launch form in all workspaces, or provide a comma-separated list of workspace IDs to enable the form per workspace.

Example: 976xxxxxxxx604,402xxxxxxxx677

Data features

Configuration values used by Seqera for Data Explorer.

Environment variable

Description

Value

TOWER_DATA_EXPLORER_ENABLED

Enable Data Explorer in all workspaces. To mount data inside a data studio, you must enable Data Explorer.

Default: false

TOWER_DATA_EXPLORER_CLOUD_DISABLED_WORKSPACES

Disable Data Explorer automatic cloud bucket retrieval per workspace.

Example: <workspace-id1>,<workspace-id2>

TOWER_DATA_EXPLORER_CREDENTIALS_TTL

Data Explorer interval to fetch credentials from cloud providers for new buckets.

Default: 20m

TOWER_DATA_EXPLORER_LINK_STORE_TTL

Data Explorer cloud bucket cache duration.

Default: 30m

TOWER_DATA_EXPLORER_MAX_RETRIES

The number of retries Data Explorer will attempt to fetch cloud buckets in the event of temporary errors.

Default: 3

TOWER_CONTENT_MAX_FILE_SIZE

Data Explorer download file size limit. Increasing this value may degrade performance.

Default: 25MB

TOWER_DATA_STUDIO_CONNECT_URL

The URL of the Data Studios connect proxy. The connect proxy is used internally by Seqera Platform. See Data Studios deployment.

Example: https://connect.example.com/

TOWER_OIDC_REGISTRATION_INITIAL_ACCESS_TOKEN

An access token used to register new clients in Seqera Platform. Any alphanumeric value is allowed. See Data Studios deployment.

d5XDoRzHpWo1c............mDnfBpB

TOWER_OIDC_PEM_PATH

The file path to a PEM certificate used to sign the OIDC tokens for the OpenID connect provider. See Data Studios deployment.

Example: /data-studios-rsa.pem

Cryptographic options

Configuration values used by Seqera to encrypt your data.

Do not modify your crypto secret key between starts. Changing this value will prevent the decryption of existing data.

Environment variable

Description

Value

TOWER_CRYPTO_SECRETKEY

The secret key used to encrypt user credentials (required).

Random string of alphanumeric characters.

TOWER_JWT_SECRET

The secret used to generate the login JWT token (required).

Random string of 35 characters or more.

Compute environments

Configuration values to enable computing platforms and customize Batch Forge resource naming.

Environment variable

Description

Value

TOWER_ENABLE_PLATFORMS

Comma-separated list of the execution backends to enable. At least one is required.

altair-platform,awsbatch-platform,azbatch-platform,eks-platform,googlebatch-platform,gke-platform,k8s-platform,local-platform,lsf-platform,moab-platform,slurm-platform

MICRONAUT_ENVIRONMENTS

Configuration values to control the behavior of the Seqera cron and backend containers. Do not edit these values.

Backend configuration: prod, redis, ha
Cron configuration: prod, redis, cron

TOWER_FORGE_PREFIX

Override the default TowerForge prefix, appended to AWS resources created by Batch Forge, with a custom value.

Default: TowerForge

Git integration

Seqera Platform has built-in support for public and private Git repositories. Create Git provider credentials to allow Seqera to interact with the following services:

Credentials configured in your SCM providers list override Git credentials in your (organization or personal) workspace.

Public Git repositories can be accessed without authentication, but are often subject to throttling. We recommend always adding Git credentials to your Seqera workspace, regardless of the repository type you use.

Credentials and other secrets must not be hard-coded in environment variables in production environments. Credentials added using the application UI are SHA256-encrypted before secure storage and not exposed by any Seqera API.

Environment variable

Description

TOWER_SCM_PROVIDERS_GITHUB_USER

Your GitHub username.

TOWER_SCM_PROVIDERS_GITHUB_PASSWORD

Your GitHub (classic or fine-grained) access token.

TOWER_SCM_PROVIDERS_GITLAB_USER

Your GitLab username.

TOWER_SCM_PROVIDERS_GITLAB_PASSWORD

Your GitLab (Personal, Group, or Project) access token.

TOWER_SCM_PROVIDERS_GITLAB_TOKEN

Your GitLab (Personal, Group, or Project) access token.

TOWER_SCM_PROVIDERS_BITBUCKET_USER

Your BitBucket username.

TOWER_SCM_PROVIDERS_BITBUCKET_PASSWORD

Your BitBucket App password.

TOWER_SCM_PROVIDERS_GITEA_USER

Your Gitea username.

TOWER_SCM_PROVIDERS_GITEA_PASSWORD

Your Gitea token.

TOWER_SCM_PROVIDERS_AZUREREPOS_USER

Your Azure DevOps repository username.

TOWER_SCM_PROVIDERS_AZUREREPOS_TOKEN

Your Azure DevOps repository personal access token.

Local repositories

Seqera Enterprise can connect to workflows stored in local Git repositories. To do so, volume mount your local repository folder in your Seqera backend container. Then, update your tower.yml:

tower:
  pipeline:
    allow-local-repos:
      - /path/to/repo

Mail server

Configure values for SMTP email service integration. Production SMTP hosts must use a TLS-protected connection. See SSL/TLS.

AWS deployments also support Amazon Simple Email Service (SES).

SMTP service integration

To use an SMTP gateway for mail service, set SMTP user and password values to null.

Your organization's email security policy may prevent the TOWER_CONTACT_EMAIL address from receiving Seqera emails. If this occurs after successful SMTP configuration, you may need to configure SPF, DKIM, and DMARC records for your domain. Contact your IT support staff for further assistance.

Environment variable

Description

Value

TOWER_SMTP_USER

Your email service user.

Example: user

TOWER_SMTP_PASSWORD

Your email service password.

TOWER_SMTP_HOST

Your email service host name, excluding protocol.

Example: email-smtp.eu-west-1.amazonaws.com

TOWER_SMTP_PORT

Your email service port. Most cloud services block port 25 by default.

Default: 587

TOWER_CONTACT_EMAIL

The email address used to send Seqera emails.

Example: seqera@your-company.com

TOWER_SMTP_AUTH

Use SMTP authentication when calling your email service endpoint.

Default: true

TOWER_SMTP_STARTTLS_ENABLED

Switch the connection to a TLS-protected connection before issuing login commands. Must be true for production SMTP hosts.

Recommended: true

TOWER_SMTP_STARTTLS_REQUIRED

Require the use of the STARTTLS command. Must be true for production SMTP hosts.

Recommended: true

TOWER_ENABLE_AWS_SES

Use AWS SES (Simple Email Service) to send Seqera emails, instead of SMTP.

Default: false

AWS SES integration

In AWS deployments, you can use AWS Simple Email Service (SES) instead of traditional SMTP for sending Seqera platform emails.

Simple Email Service (SES) is only supported in Seqera deployments on AWS.

To configure AWS SES as your Seqera email service:

  1. Set TOWER_ENABLE_AWS_SES=true in your environment variables.
  2. Specify the email address used to send Seqera emails with one of the following:
    • the TOWER_CONTACT_EMAIL environment variable
    • a mail.from entry in tower.yml
    • a /config/<application_name>/mail/from AWS Parameter Store entry
  3. The AWS SES service must run in the same region as your Seqera instance.
  4. The Seqera IAM role must include the ses:SendRawEmail permission.

Nextflow launch container

Do not replace the Seqera-provided default image unless absolutely necessary.

Environment variable

Description

Value

TOWER_LAUNCH_CONTAINER

The container image to run the Nextflow execution. This setting overrides the launch container selection for all organizations and workspaces in your account.

Example: quay.io/seqeralabs/nf-launcher:j17-23.04.3

Seqera API

Enable the API endpoints to host the Seqera Enterprise OpenAPI specification and use the tw CLI. Set custom API rate limits and timeouts.

To configure API rate limit environment variables, you must add ratelim to the MICRONAUT_ENVIRONMENTS. Without ratelim being set, the rate limit configuration variables below are ignored.

Environment variable

Description

Value

TOWER_ENABLE_OPENAPI

Enable the OpenAPI documentation endpoint, e.g., cloud.seqera.io/openapi/index.html.

Default: true

TOWER_RATELIMIT_PERIOD

Specify the maximum number of HTTP requests that can be made during the TOWER_RATELIMIT_REFRESH period.

Default: 20

TOWER_RATELIMIT_REFRESH

API rate limit refresh period.

Default: 1s

TOWER_RATELIMIT_TIMEOUT

The waiting period before rejecting requests over the TOWER_RATELIMIT_PERIOD limit during the refresh period.

Default: 500ms

Custom navigation menu

Modify your Seqera instance's navigation menu options.

tower:
  navbar:
    menus:
      - label: "My Community"
        url: "https://host.com/foo"
      - label: "My Pipelines"
        url: "https://other.com/bar"

Logging

Logging-related configuration values to aid troubleshooting. See Audit logs for more information on application event logging.

Environment variable

Description

Value

TOWER_CRON_AUDIT_LOG_CLEAN_UP_TIME_OFFSET

Application event audit log retention period. Logged events older than this period are deleted. Value includes units (30d, 24h, 60m, etc.).

Default: 365d

TOWER_LOG_APPENDER

The output format of Platform logs.

Options: STDOUT, JSON

TOWER_LOG_LEVEL

Platform backend logging detail level.

Options: TRACE, DEBUG, INFO, WARN, ERROR

TOWER_SECURITY_LOGLEVEL

Platform authentication logging detail level.

Options: TRACE, DEBUG, INFO, WARN, ERROR

TOWER_LOG_DIR

Base directory to store Platform logs.

TOWER_LOG_PATTERN

The logging format emitted to STDOUT. See here for a reference of the full logback pattern syntax.

%d{MMM-dd HH:mm:ss.SSS} [%t] %X{ip:--} %-5level %logger{36} - %msg%n} # Default logging pattern shown

TOWER_LOG_MAX_HISTORY

The maximum number of backend log files retained by the system.

TOWER_LOG_MAX_SIZE

The maximum file size of the Platform backend log file. When this limit is reached, a new log file is created.

LOGGER_LEVELS_IO_SEQERA_TOWER_AGENT

Tower Agent logging detail level.

Options: TRACE, DEBUG, INFO, WARN, ERROR

TOWER_AGENT_HEARTBEAT

Tower Agent polling interval.

Example: 10s

TOWER_SSH_LOGLEVEL

Event logging detail level for the SSH connection library used by Seqera.

Options: TRACE, DEBUG, INFO, WARN, ERROR

TOWER_ALLOW_NEXTFLOW_LOGS

Set true to allow Seqera to retrieve logs and reports for runs launched with Nextflow CLI.

Default: false
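
The production requirements stated across this page (no unsafe HTTP mode, a non-default database password, a JWT secret of 35 characters or more, an alphanumeric crypto key, STARTTLS on SMTP, no hard-coded Git credentials) can be checked before deployment. The following Python script is an added example, not Seqera code. It assumes tower.env is the only configuration source, and the function names (parse_env, is_true, lint) and sample values are constructed for illustration.

```python
import re

# Constructed sample tower.env for illustration; every value is a placeholder.
SAMPLE_ENV = """\
TOWER_SERVER_URL=http://seqera.example.net
TOWER_ENABLE_UNSAFE_MODE=true
TOWER_DB_PASSWORD=tower
TOWER_JWT_SECRET=too-short
TOWER_CRYPTO_SECRETKEY=Zx81kQ0pLm47TyU2
TOWER_SMTP_HOST=smtp.example.net
TOWER_SMTP_STARTTLS_ENABLED=true
TOWER_SCM_PROVIDERS_GITHUB_PASSWORD=placeholder-token
"""

def parse_env(text):
    """Parse KEY=VALUE lines; skip blank lines and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def is_true(env, key):
    return env.get(key, "false").lower() == "true"

def lint(env):
    """Return [(variable, finding)] for settings this page marks unfit for production."""
    # Assumption: values absent from env are not supplied via tower.yml or Parameter Store.
    out = []
    if is_true(env, "TOWER_ENABLE_UNSAFE_MODE"):
        out.append(("TOWER_ENABLE_UNSAFE_MODE", "HTTP connections allowed"))
    if env.get("TOWER_SERVER_URL", "").lower().startswith("http://"):
        out.append(("TOWER_SERVER_URL", "not an https:// URL"))
    if env.get("TOWER_DB_PASSWORD", "") in ("", "tower"):
        out.append(("TOWER_DB_PASSWORD", "empty or documented default"))
    if len(env.get("TOWER_JWT_SECRET", "")) < 35:
        out.append(("TOWER_JWT_SECRET", "missing or shorter than 35 characters"))
    if not env.get("TOWER_CRYPTO_SECRETKEY", "").isalnum():  # empty string fails too
        out.append(("TOWER_CRYPTO_SECRETKEY", "missing or not alphanumeric"))
    if env.get("TOWER_SMTP_HOST") and not is_true(env, "TOWER_ENABLE_AWS_SES"):
        for var in ("TOWER_SMTP_STARTTLS_ENABLED", "TOWER_SMTP_STARTTLS_REQUIRED"):
            if not is_true(env, var):
                out.append((var, "must be true for production SMTP hosts"))
    for var, value in env.items():
        if re.fullmatch(r"TOWER_SCM_PROVIDERS_\w+_(PASSWORD|TOKEN)", var) and value:
            out.append((var, "Git credential hard-coded in environment"))
    return out

if __name__ == "__main__":
    for var, finding in lint(parse_env(SAMPLE_ENV)):
        print(f"{var}: {finding}")
```
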