Configuration overview
Nextflow Tower Enterprise is now Seqera Platform Enterprise. Existing configuration parameters, configuration files, and API endpoints that include Tower currently remain unchanged.
Set Seqera configuration values using environment variables, a tower.yml configuration file, or individual values stored in AWS Parameter Store. Sensitive values such as database passwords should be stored securely (e.g., as SecureString type parameters in AWS Parameter Store).
- Environment variables
- tower.yml
- AWS Parameter Store
Declare environment variables in a tower.env file. For example:
TOWER_CONTACT_EMAIL=hello@foo.com
TOWER_SMTP_HOST=your.smtphost.com
See the Environment variables option in each section below.
Declare YAML configuration values in a tower.yml file. For example:
mail:
  from: "hello@foo.com"
  smtp:
    host: "your.smtphost.com"
See the tower.yml option in each section below. YAML configuration keys on this page are listed in "dot" notation, i.e., the SMTP host value in the snippet above is represented as mail.smtp.host in the tables that follow.
Don't declare duplicate keys in your tower.yml configuration file. Platform will only enforce the last instance of configuration keys that are defined more than once, for example:
# This block will not be enforced due to the duplicate `tower` key below
tower:
  trustedEmails:
    - user@example.com
# This block will be enforced because it's defined last
tower:
  auth:
    oidc:
      - "*@foo.com"
AWS Parameter Store configuration is only supported for AWS deployments.
Create parameters in the AWS Parameter Store individually, using the format /config/<application_name>/<cfg_path> : <cfg_value>. For example:
/config/tower-app/mail.smtp.user : <your_username>
/config/tower-app/mail.smtp.password : <your_password>
The default application name is tower-app. To deploy multiple instances from the same Seqera Enterprise account, set a custom application name for each instance with the micronaut.application.name value in your tower.yml configuration file.
Sensitive values (such as database passwords) should be SecureString type parameters. See AWS Parameter Store for detailed instructions.
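The dot notation, the last-definition-wins behaviour for duplicate tower.yml keys, and the /config/<application_name>/<cfg_path> format described above can be checked together before deployment. The following Python is an added example, not Seqera code: it reads block-style YAML only (no flow syntax, inline comments or multi-line scalars), and the function names, the sample file and the name-based SecureString heuristic are assumptions.

```python
import re
KEY_RE = re.compile(r"^([A-Za-z0-9_.\-]+):(?:\s+(.*))?$")
# Assumption: a name-based heuristic for which values count as secrets.
SENSITIVE_RE = re.compile(r"password|secret|token", re.IGNORECASE)

# Constructed sample that combines the snippets shown on this page.
SAMPLE_TOWER_YML = """\
# This block will not be enforced due to the duplicate `tower` key below
tower:
  trustedEmails:
    - user@example.com
# This block will be enforced because it's defined last
tower:
  auth:
    oidc:
      - "*@foo.com"
mail:
  from: "hello@foo.com"
  smtp:
    host: "your.smtphost.com"
    password: "<your_password>"
"""

def _join(names):
    """Join path parts in dot notation; list indexes attach as [n]."""
    path = ""
    for name in names:
        path += name if name.startswith("[") else ("." if path else "") + name
    return path

def _under(path, paths):
    return [p for p in paths if p.startswith((path + ".", path + "["))]

def scan_tower_yml(text):
    """Return (effective values by dotted path, keys defined more than once)."""
    stack, seen, counts, effective, duplicates = [], set(), {}, {}, []

    def open_key(indent, key, value):
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = _join([s[1] for s in stack] + [key])
        if path in seen:  # redefinition: the earlier block is silently dropped
            if path not in duplicates:
                duplicates.append(path)
            for old in _under(path, effective) + [path]:
                effective.pop(old, None)
            seen.difference_update(_under(path, seen))
        seen.add(path)
        counts[path] = 0
        stack.append((indent, key, False))
        if value:
            effective[path] = value.strip("\"'")

    for raw in text.splitlines():
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if body.startswith("- "):
            while stack and (stack[-1][0] > indent or (stack[-1][0] == indent and stack[-1][2])):
                stack.pop()
            parent = _join([s[1] for s in stack])
            stack.append((indent, "[%d]" % counts.get(parent, 0), True))
            counts[parent] = counts.get(parent, 0) + 1
            item = KEY_RE.match(body[2:].strip())
            if item:  # "- label: x" opens a mapping inside the list item
                open_key(indent + 2, item.group(1), item.group(2))
            else:
                effective[_join([s[1] for s in stack])] = body[2:].strip().strip("\"'")
        else:
            pair = KEY_RE.match(body)
            if pair:
                open_key(indent, pair.group(1), pair.group(2))
    return effective, duplicates

def parameter_store_entries(effective, app_name="tower-app"):
    """Map scalar dotted keys to (/config/<app>/<cfg_path>, type, value)."""
    entries = []
    for path, value in effective.items():
        if "[" in path:  # list values: this page gives no Parameter Store format
            continue
        kind = "SecureString" if SENSITIVE_RE.search(path) else "String"
        entries.append(("/config/%s/%s" % (app_name, path), kind, value))
    return entries
```

On the sample, scan_tower_yml reports tower as a duplicate and the trustedEmails entry is absent from the effective values, which is the silent loss the warning above describes.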
Configuration values not supported in tower.yml or AWS Parameter Store
Due to the order of operations when deploying Seqera Enterprise, some configuration values can only be retrieved from environment variables (tower.env). The following configuration values are not supported for tower.yml or AWS Parameter Store configuration and must be set as environment variables:
- Environment variables
Environment variable | Description | Value |
---|---|---|
| The user account to access your database. If you are using an external database, you must create this user manually. For installation in a new environment, this value must be set as an environment variable. | Default: |
| The user password to access your database. If you are using an external database, you must create this password manually. For installation in a new environment, this value must be set as an environment variable. | Default: |
| The URL to access your database. For installation in a new environment, this value must be set as an environment variable. See the 24.1 release notes for information about the DB URL format. | Example: |
| Application name. To run multiple instances of the same Seqera account, each instance must have a unique name, e.g., | Default: |
| Set | Default: |
| A comma-separated list of execution backends to enable. At least one is required. | |
| Set to | Default: |
Basic configuration
Basic configuration options such as the Seqera instance server URL, application name, and license key.
- Environment variables
- tower.yml
- AWS Parameter Store
Environment variable | Description | Value |
---|---|---|
| Your Seqera instance hostname, IP address, DNS name, or full reverse proxy path where the application is exposed. The | Default: |
| Your Seqera Enterprise license key (required). Contact us to obtain your license key. The key is base64-encoded by Seqera — paste this value exactly as received. | |
| Application name. To run multiple instances of the same Seqera account, each instance must have a unique name, e.g., | Default: |
| Custom path for the | |
| Custom landing page for the application (requires version 21.10.1 or later). This value doesn't change the | |
| Define the HTTP port used by the Seqera cron service (requires version 21.06.1 or later). | |
| Grant users access to the application admin panel. | |
| Your Seqera system administrator contact email. | |
| Set to | Default: |
| Enable or disable user private workspaces (requires version 22.1.0 or later). | Default: |
YAML configuration keys in this table are listed in "dot" notation, i.e., a nested value:
...
mail:
  smtp:
    host: "your.smtphost.com"
...
is represented as mail.smtp.host.
tower.yml | Description | Value |
---|---|---|
| Your Seqera instance hostname, IP address, DNS name, or full reverse proxy path where the application is exposed. The | Default: |
| Your Seqera Enterprise license key (required). Contact us to obtain your license key. The key is base64-encoded by Seqera — paste this value exactly as received. | |
| Application name. To run multiple instances of the same Seqera account, each instance must have a unique name, e.g., | Default: |
| Custom landing page for the application (requires version 21.10.1 or later). This value doesn't change the | |
| Define the HTTP port used by the Seqera cron service (requires version 21.06.1 or later). | |
| Grant users access to the application admin panel. | |
| Your Seqera system administrator contact email. | |
| Set to | Default: |
| Enable or disable user private workspaces (requires version 22.1.0 or later). | Default: |
AWS Parameter Store configuration is only supported for AWS deployments.
Replace {prefix} in each configuration path with /config/<application_name>, where application_name is tower or your custom application name. See AWS Parameter Store.
AWS Parameter Store | Description | Value |
---|---|---|
| Your Seqera instance hostname, IP address, DNS name, or full reverse proxy path where the application is exposed. The | Default: |
| Your Seqera Enterprise license key (required). Contact us to obtain your license key. The key is base64-encoded by Seqera — paste this value exactly as received. | |
| Custom landing page for the application (requires version 21.10.1 or later). This value doesn't change the | |
| Define the HTTP port used by the Seqera cron service (requires version 21.06.1 or later). | |
| Grant users access to the application admin panel. | |
| Your Seqera system administrator contact email. | |
| Set to | Default: |
| Enable or disable user private workspaces (requires version 22.1.0 or later). | Default: |
Seqera and Redis databases
Configuration values that control Seqera's interaction with databases and Redis instances. TOWER_DB_USER, TOWER_DB_PASSWORD, and TOWER_DB_URL must be specified using environment variables during initial Seqera Enterprise deployment in a new environment. A new installation will fail if DB values are only defined in tower.yml or the AWS Parameter Store. Once the database has been created, these values can be added to tower.yml or AWS Parameter Store entries and removed from your environment variables.
From Seqera Enterprise version 24.2:
- Redis version 6.2 or greater is required.
- Redis version 7 is officially supported.
Follow your cloud provider specifications to upgrade your instance.
If you use a database other than the provided db container, you must create a user and database schema manually.
- MySQL DB schema creation
- MariaDB schema creation
CREATE DATABASE tower;
ALTER DATABASE tower CHARACTER SET utf8 COLLATE utf8_bin;
CREATE USER 'tower' IDENTIFIED BY <password>;
GRANT ALL PRIVILEGES ON tower.* TO tower@'%' ;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER on tower.* TO tower@'%';
Managed Redis services
Seqera supports managed Redis services such as Amazon ElastiCache, Azure Cache for Redis, or Google Memorystore.
When using a managed Redis service, you must specify the service IP address or DNS name for the TOWER_REDIS_URL as described in the following sections.
AWS ElastiCache
- Use a single-node cluster, as multi-node clusters are not supported
- Use an instance with at least 6GB capacity (cache.m4.large or greater)
- Specify your private ElastiCache instance in the Seqera environment variables:
  TOWER_REDIS_URL=redis://<redis private IP>:6379
Azure Cache for Redis
- Use a single-node cluster, as multi-node clusters are not supported
- Use an instance with at least 6GB capacity (C3 or greater)
- Specify your private Azure Cache for Redis instance in the Seqera environment variables:
  TOWER_REDIS_URL=redis://<redis private IP>:6379
Google Memorystore
- Use a single-node cluster, as multi-node clusters are not supported
- Use an instance with at least 6GB capacity (M2 or greater)
- Specify your private Memorystore instance in the Seqera environment variables:
  TOWER_REDIS_URL=redis://<redis private IP>:6379
Self-hosted Redis
If you run the Redis service as a container in your Docker or Kubernetes installation, specify the service name as part of the TOWER_REDIS_URL:
TOWER_REDIS_URL=redis://redis:6379
Database and Redis manual configuration
If the DB username and password variables are left empty when using Docker Compose, default tower database values are applied automatically. With Kubernetes and custom DB deployments, tower values are not pre-filled.
We recommend using managed cloud database services for production deployments.
- Environment variables
- tower.yml
- AWS Parameter Store
Environment variable | Description | Value |
---|---|---|
| The user account to access your database. If you are using an external database, you must create this user manually. | Default: |
| The user password to access your database. If you are using an external database, you must create this password manually. | Default: |
| The URL to access your database. | Example: |
| Minimum database connection pool size. | Default: |
| Maximum database connection pool size. | Default: |
| Maximum lifespan of database connections, in milliseconds. | Default: |
| The URL to access your Seqera Redis instance. | Example: |
| The password of your Seqera Redis instance. |
TOWER_DB_USER, TOWER_DB_PASSWORD, and TOWER_DB_URL must be specified using environment variables during initial Seqera Enterprise deployment in a new environment.
tower.yml | Description | Value |
---|---|---|
| The user account to access your database. If you are using an external database, you must create this user manually. For installation in a new environment, this value must be set as an environment variable. | Default: |
| The user password to access your database. If you are using an external database, you must create this password manually. For installation in a new environment, this value must be set as an environment variable. | Default: |
| The URL to access your database. For installation in a new environment, this value must be set as an environment variable. | Example: |
| Minimum database connection pool size. | Default: |
| Maximum database connection pool size. | Default: |
| Maximum lifespan of database connections, in milliseconds. | Default: |
| The URL to access your Seqera Redis instance. | Example: |
| The password of your Seqera Redis instance. |
AWS Parameter Store configuration is only supported for AWS deployments.
TOWER_DB_USER, TOWER_DB_PASSWORD, and TOWER_DB_URL must be specified using environment variables during initial Seqera Enterprise deployment in a new environment.
Replace {prefix} in each configuration path with /config/<application_name>, where application_name is tower or your custom application name. See AWS Parameter Store.
AWS Parameter Store | Description | Value |
---|---|---|
| The user account to access your database. If you are using an external database, you must create this user manually. For installation in a new environment, this value must be set as an environment variable. | Default: |
| The user password to access your database. If you are using an external database, you must create this password manually. For installation in a new environment, this value must be set as an environment variable. | Default: |
| The URL to access your database. For installation in a new environment, this value must be set as an environment variable. | |
| Minimum database connection pool size. | Default: |
| Maximum database connection pool size. | Default: |
| Maximum lifespan of database connections, in milliseconds. | Default: |
| The URL to access your Seqera Redis instance. | Example: |
| The password of your Seqera Redis instance. |
Opt-in Seqera features
Configuration values that enable opt-in Seqera features per instance or workspace.
Core features
- Environment variables
Environment variable | Description | Value |
---|---|---|
| Enable Seqera integration with Wave containers. | Default: |
| Define the Wave containers service endpoint URL. | Example: |
| Enable Seqera configuration value retrieval from AWS Parameter Store. | Default: |
| Use AWS Simple Email Service (SES) to send Seqera emails instead of SMTP. | Default: |
| Allow log and report files from Nextflow CLI runs ( | Default: |
| Disable the stepped launch form in the workspaces specified. Omit or set empty ( | Default: Enabled for all workspaces |
Data features
Configuration values used by Seqera for Data Explorer.
- Environment variables
- tower.yml
Environment variable | Description | Value |
---|---|---|
| Enable Data Explorer in all workspaces. To mount data inside a data studio, you must enable Data Explorer. | Default: |
| Disable Data Explorer automatic cloud bucket retrieval per workspace. | Example: |
| Data Explorer interval to fetch credentials from cloud providers for new buckets. | Default: |
| Data Explorer cloud bucket cache duration. | Default: |
| The number of retries Data Explorer will attempt to fetch cloud buckets in the event of temporary errors. | Default: |
| Data Explorer download file size limit. Increasing this value may degrade performance. | Default: |
| The URL of the Data Studios connect proxy. The connect proxy is used internally by Seqera Platform. See Data Studios deployment. | Example: |
| An access token used to register new clients in Seqera Platform. Any alphanumeric value is allowed. See Data Studios deployment. | d5XDoRzHpWo1c............mDnfBpB |
| The file path to a PEM certificate used to sign the OIDC tokens for the OpenID connect provider. See Data Studios deployment. | Example: |
tower.yml | Description | Value |
---|---|---|
| You can set the downloadable file size limit for Data Explorer and workflow reports. Increasing this value may degrade Platform performance. The supported suffixes are | Default: |
| You can set the maximum number of items listed in Data Explorer. Increasing this value may degrade Platform performance. | Default: |
Cryptographic options
Configuration values used by Seqera to encrypt your data.
Do not modify your crypto secret key between starts. Changing this value will prevent the decryption of existing data.
- Environment variables
- tower.yml
- AWS Parameter Store
Environment variable | Description | Value |
---|---|---|
| The secret key used to encrypt user credentials (required). | Random string of alphanumeric characters. |
| The secret used to generate the login JWT token (required). | Random string of 35 characters or more. |
tower.yml | Description | Value |
---|---|---|
| The secret key used to encrypt user credentials (required). | Random string of alphanumeric characters. |
| The secret used to generate the login JWT token (required). | Random string of 35 characters or more. |
| The secret used to generate the login refresh token (required). | Random string of 35 characters or more. |
AWS Parameter Store configuration is only supported for AWS deployments.
Replace {prefix} in each configuration path with /config/<application_name>, where application_name is tower or your custom application name. See AWS Parameter Store.
AWS Parameter Store | Description | Value |
---|---|---|
| The secret key used to encrypt user credentials (required). | Random string of alphanumeric characters. |
| The secret used to generate the login JWT token (required). | Random string of 35 characters or more. |
| The secret used to generate the login refresh token (required). | Random string of 35 characters or more. |
Compute environments
Configuration values to enable computing platforms and customize Batch Forge resource naming.
- Environment variables
Environment variable | Description | Value |
---|---|---|
| Comma-separated list of the execution backends to enable. At least one is required. | |
| Configuration values to control the behavior of the Seqera | Backend configuration: |
| Override the default | Default: |
Git integration
Seqera Platform has built-in support for public and private Git repositories. Create Git provider credentials to allow Seqera to interact with the following services:
Credentials configured in your SCM providers list override Git credentials in your (organization or personal) workspace.
Public Git repositories can be accessed without authentication, but are often subject to throttling. We recommend always adding Git credentials to your Seqera workspace, regardless of the repository type you use.
- Environment variables
- tower.yml
- AWS Parameter Store
Credentials and other secrets must not be hard-coded in environment variables in production environments. Credentials added using the application UI are SHA256-encrypted before secure storage and not exposed by any Seqera API.
Environment variable | Description |
---|---|
| Your GitHub username. |
| Your GitHub (classic or fine-grained) access token. |
| Your GitLab username. |
| Your GitLab (Personal, Group, or Project) access token. |
| Your GitLab (Personal, Group, or Project) access token. |
| Your BitBucket username. |
| Your BitBucket App password. |
| Your Gitea username. |
| Your Gitea token. |
| Your Azure DevOps repository username. |
| Your Azure DevOps repository personal access token. |
Credentials and other secrets must not be stored in plain text in production environments. Credentials added using the application UI are SHA256-encrypted before secure storage and not exposed by any Seqera API.
tower.yml | Description |
---|---|
| Your GitHub username. |
| Your GitHub (classic or fine-grained) access token. |
| Your GitLab username. |
| Your GitLab (Personal, Group, or Project) access token. |
| Your GitLab (Personal, Group, or Project) access token. |
| Your BitBucket username. |
| Your BitBucket App password. |
| Your Gitea username. |
| Your Gitea token. |
| Your Azure DevOps repository username. |
| Your Azure DevOps repository personal access token. |
AWS Parameter Store configuration is only supported for AWS deployments.
Replace {prefix} in each configuration path with /config/<application_name>, where application_name is tower or your custom application name. See AWS Parameter Store.
AWS Parameter Store | Description |
---|---|
| Your GitHub username. |
| Your GitHub (classic or fine-grained) access token. |
| Your GitLab username. |
| Your GitLab (Personal, Group, or Project) access token. |
| Your GitLab (Personal, Group, or Project) access token. |
| Your BitBucket username. |
| Your BitBucket App password. |
| Your Gitea username. |
| Your Gitea token. |
| Your Azure DevOps repository username. |
| Your Azure DevOps repository personal access token. |
Local repositories
Seqera Enterprise can connect to workflows stored in local Git repositories. To do so, volume mount your local repository folder in your Seqera backend container. Then, update your tower.yml:
tower:
  pipeline:
    allow-local-repos:
      - /path/to/repo
Mail server
Configure values for SMTP email service integration. Production SMTP hosts must use a TLS-protected connection. See SSL/TLS.
AWS deployments also support Amazon Simple Email Service (SES).
SMTP service integration
To use an SMTP gateway for mail service, set SMTP user and password values to null.
Your organization's email security policy may prevent the TOWER_CONTACT_EMAIL address from receiving Seqera emails. If this occurs after successful SMTP configuration, you may need to configure spf, dkim, and dmarc records for your domain. Contact your IT support staff for further assistance.
- Environment variables
- tower.yml
- AWS Parameter Store
Environment variable | Description | Value |
---|---|---|
| Your email service user. | Example: |
| Your email service password. | |
| Your email service host name, excluding protocol. | Example: |
| Your email service port. Most cloud services block port 25 by default. | Default: |
| The email address used to send Seqera emails. | Example: |
| Use SMTP authentication when calling your email service endpoint. | Default: |
| Switch the connection to a TLS-protected connection before issuing login commands. Must be | Recommended: |
| Require the use of the STARTTLS command. Must be | Recommended: |
| Use AWS SES (Simple Email Service) to send Seqera emails, instead of SMTP. | Default: |
tower.yml | Description | Value |
---|---|---|
| Your email service user. | Example: |
| Your email service password. | |
| Your email service host name, excluding protocol. | Example: |
| Your email service port. Most cloud services block port 25 by default. | Default: |
| The email address used to send Seqera emails. | Example: |
| Use SMTP authentication when calling your email service endpoint. | Default: |
| Switch the connection to a TLS-protected connection before issuing login commands. Must be | Recommended: |
| Require the use of the STARTTLS command. Must be | Recommended: |
AWS Parameter Store configuration is only supported for AWS deployments.
Replace {prefix} in each configuration path with /config/<application_name>, where application_name is tower or your custom application name. See AWS Parameter Store.
AWS Parameter Store | Description | Value |
---|---|---|
| Your email service user. | Example: |
| Your email service password. | |
| Your email service host name, excluding protocol. | Example: |
| Your email service port. Most cloud services block port 25 by default. | Default: |
| The email address used to send Seqera emails. | Example: |
| Use SMTP authentication when calling your email service endpoint. | Default: |
| Switch the connection to a TLS-protected connection before issuing login commands. Must be | Recommended: |
| Require the use of the STARTTLS command. Must be | Recommended: |
AWS SES integration
In AWS deployments, you can use AWS Simple Email Service (SES) instead of traditional SMTP for sending Seqera platform emails.
Simple Email Service (SES) is only supported in Seqera deployments on AWS.
To configure AWS SES as your Seqera email service:
- Set TOWER_ENABLE_AWS_SES=true in your environment variables.
- Specify the email address used to send Seqera emails with one of the following:
  - the TOWER_CONTACT_EMAIL environment variable
  - a mail.from entry in tower.yml
  - a /config/<application_name>/mail/from AWS Parameter Store entry
- The AWS SES service must run in the same region as your Seqera instance.
- The Seqera IAM role must include the ses:SendRawEmail permission.
Nextflow launch container
Do not replace the Seqera-provided default image unless absolutely necessary.
- Environment variables
Environment Variable | Description | Value |
---|---|---|
TOWER_LAUNCH_CONTAINER | The container image to run the Nextflow execution. This setting overrides the launch container selection for all organizations and workspaces in your account. | Example: quay.io/seqeralabs/nf-launcher:j17-23.04.3 |
Seqera API
Enable the API endpoints to host the Seqera Enterprise OpenAPI specification and use the tw CLI. Set custom API rate limits and timeouts.
To configure API rate limit environment variables, you must add ratelim to the MICRONAUT_ENVIRONMENTS environment variable. If ratelim is not set, the rate limit configuration variables below are ignored.
- Environment variables
Environment variable | Description | Value |
---|---|---|
TOWER_ENABLE_OPENAPI | Enable the OpenAPI documentation endpoint, e.g., cloud.seqera.io/openapi/index.html. | Default: true |
TOWER_RATELIMIT_PERIOD | Specify the maximum number of HTTP requests that can be made during the TOWER_RATELIMIT_REFRESH period. | Default: 20 |
TOWER_RATELIMIT_REFRESH | API rate limit refresh period. | Default: 1s |
TOWER_RATELIMIT_TIMEOUT | The waiting period before rejecting requests over the TOWER_RATELIMIT_PERIOD limit during the refresh period. | Default: 500ms |
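Rate limit variables that are set without ratelim in MICRONAUT_ENVIRONMENTS are ignored silently, and the secret requirements under Cryptographic options are just as easy to miss, so both are worth checking against tower.env before deployment. This Python is an added example, not Seqera code; the variable names TOWER_JWT_SECRET and TOWER_CRYPTO_SECRETKEY, the rule labels and the sample file are assumptions.

```python
import re

RATELIMIT_VARS = ("TOWER_RATELIMIT_PERIOD", "TOWER_RATELIMIT_REFRESH",
                  "TOWER_RATELIMIT_TIMEOUT")
# Assumed variable names: the secret rows in this page's tables show no names.
JWT_SECRET_VAR = "TOWER_JWT_SECRET"
CRYPTO_SECRET_VAR = "TOWER_CRYPTO_SECRETKEY"

# Constructed sample tower.env; every value is made up for the example.
SAMPLE_ENV = """\
# Rate limits are set, but the ratelim environment is not enabled.
MICRONAUT_ENVIRONMENTS=prod,redis
TOWER_RATELIMIT_PERIOD=20
TOWER_RATELIMIT_REFRESH=1s
TOWER_JWT_SECRET="tooShortSecret123"
TOWER_CRYPTO_SECRETKEY=abc123DEF456ghi789
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # drop one pair of matching quotes
        env[key.strip()] = value
    return env

def lint_tower_env(text):
    """Return (rule, detail) findings; details never include secret values."""
    env = parse_env(text)
    findings = []
    active = {p.strip() for p in env.get("MICRONAUT_ENVIRONMENTS", "").split(",")}
    ignored = [name for name in RATELIMIT_VARS if name in env]
    if ignored and "ratelim" not in active:
        findings.append(("ratelim-not-enabled", "ignored: " + ", ".join(ignored)))
    jwt_secret = env.get(JWT_SECRET_VAR, "")
    if len(jwt_secret) < 35:  # the page asks for 35 characters or more
        findings.append(("jwt-secret-short",
                         "%d characters, need 35 or more" % len(jwt_secret)))
    if not re.fullmatch(r"[A-Za-z0-9]+", env.get(CRYPTO_SECRET_VAR, "")):
        findings.append(("crypto-secret-format", "missing or not alphanumeric"))
    return findings
```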
Custom navigation menu
Modify your Seqera instance's navigation menu options.
- tower.yml
tower:
  navbar:
    menus:
      - label: "My Community"
        url: "https://host.com/foo"
      - label: "My Pipelines"
        url: "https://other.com/bar"
Logging
Logging-related configuration values to aid troubleshooting. See Audit logs for more information on application event logging.
- Environment variables
- tower.yml
Environment variable | Description | Value |
---|---|---|
| Application event audit log retention period. Logged events older than this period are deleted. Value includes units ( | Default: |
| The output format of Platform logs. | Options: |
| Platform backend logging detail level. | Options: |
| Platform authentication logging detail level. | Options: |
| Base directory to store Platform logs. | |
| The logging format emitted to STDOUT. See here for a reference of the full logback pattern syntax. | |
| The maximum number of backend log files retained by the system. | |
| The maximum file size of the Platform backend log file. When this limit is reached, a new log file is created. | |
| Tower Agent logging detail level. | Options: |
| Tower Agent polling interval. | Example: |
| Event logging detail level for the SSH connection library used by Seqera. | Options: |
| Set | Default: |
Set the logging detail level for various Seqera services. Logs for particular services may be requested by support to assist with troubleshooting an issue. Set the logging configuration parameter in your Seqera YAML configuration before attempting to reproduce your issue. The example below sets the detail level for application and database logging:
logger is a root-level object in the tower.yml configuration file, i.e., it is not nested under tower.
logger:
  levels:
    org.hibernate.SQL: DEBUG
    org.hibernate.type: TRACE
    io.seqera.tower: TRACE