Skip to main content
Variables marked as Required must be set for the service to function. Optional variables have sensible defaults.

​
OpenTaco/Statesman (State Backend)

The state backend service manages Terraform state storage and querying.

​
Server Configuration

​
OPENTACO_PORT
string
default:"8080"
HTTP server port
​
OPENTACO_HOST
string
default:"0.0.0.0"
HTTP server bind address
​
OPENTACO_LOG_LEVEL
string
default:"info"
Logging level: debug, info, warn, or error
​
OPENTACO_ENABLE_INTERNAL_ENDPOINTS
boolean
default:"false"
Enable internal management endpoints

​
Storage Backend

​
OPENTACO_STORAGE
string
default:"memory"
State file storage type. Options: memory (non-persistent) or s3
Required when OPENTACO_STORAGE=s3
​
OPENTACO_S3_BUCKET
string
required
S3 bucket name for state storage
​
OPENTACO_S3_REGION
string
required
AWS region for S3 bucket
​
OPENTACO_S3_PREFIX
string
Key prefix for state files in S3
​
AWS_ACCESS_KEY_ID
string
AWS access key (or use IAM role)
​
AWS_SECRET_ACCESS_KEY
string
AWS secret key (or use IAM role)
​
AWS_REGION
string
AWS region (alternative to S3_REGION)
​
AWS_ENDPOINT
string
Custom S3-compatible endpoint URL
​
AWS_SDK_LOAD_CONFIG
boolean
Load AWS config from default locations

​
Query Backend

​
OPENTACO_QUERY_BACKEND
string
default:"sqlite"
Database type for state queries. Options: sqlite, postgres, mysql, mssql
Used when OPENTACO_QUERY_BACKEND=sqlite
​
OPENTACO_SQLITE_DB_PATH
string
default:"./data/taco.db"
SQLite database file path
​
OPENTACO_SQLITE_CACHE
string
default:"shared"
SQLite cache mode
​
OPENTACO_SQLITE_BUSY_TIMEOUT
string
default:"5s"
Busy timeout duration
​
OPENTACO_SQLITE_MAX_OPEN_CONNS
number
default:"25"
Maximum open connections
​
OPENTACO_SQLITE_MAX_IDLE_CONNS
number
default:"10"
Maximum idle connections
​
OPENTACO_SQLITE_CONN_MAX_LIFETIME
string
default:"300s"
Connection max lifetime
​
OPENTACO_SQLITE_CONN_MAX_IDLE_TIME
string
default:"600s"
Connection max idle time
​
OPENTACO_SQLITE_PRAGMA_JOURNAL_MODE
string
default:"WAL"
SQLite journal mode
​
OPENTACO_SQLITE_PRAGMA_FOREIGN_KEYS
string
default:"ON"
Foreign keys enforcement
​
OPENTACO_SQLITE_PRAGMA_BUSY_TIMEOUT
number
default:"5000"
Busy timeout in milliseconds
Used when OPENTACO_QUERY_BACKEND=postgres
​
OPENTACO_POSTGRES_HOST
string
default:"localhost"
required
PostgreSQL server host
​
OPENTACO_POSTGRES_PORT
number
default:"5432"
PostgreSQL server port
​
OPENTACO_POSTGRES_USER
string
default:"postgres"
required
Database username
​
OPENTACO_POSTGRES_PASSWORD
string
required
Database password
​
OPENTACO_POSTGRES_DBNAME
string
default:"taco"
Database name
​
OPENTACO_POSTGRES_SSLMODE
string
default:"disable"
SSL mode: disable, require, verify-ca, or verify-full
​
OPENTACO_POSTGRES_MAX_OPEN_CONNS
number
default:"25"
Maximum open connections
​
OPENTACO_POSTGRES_MAX_IDLE_CONNS
number
default:"10"
Maximum idle connections
​
OPENTACO_POSTGRES_CONN_MAX_LIFETIME
string
default:"300s"
Connection max lifetime
​
OPENTACO_POSTGRES_CONN_MAX_IDLE_TIME
string
default:"600s"
Connection max idle time
Used when OPENTACO_QUERY_BACKEND=mysql
​
OPENTACO_MYSQL_HOST
string
default:"localhost"
required
MySQL server host
​
OPENTACO_MYSQL_PORT
number
default:"3306"
MySQL server port
​
OPENTACO_MYSQL_USER
string
default:"root"
required
Database username
​
OPENTACO_MYSQL_PASSWORD
string
required
Database password
​
OPENTACO_MYSQL_DBNAME
string
default:"taco"
Database name
​
OPENTACO_MYSQL_CHARSET
string
default:"utf8mb4"
Character set
​
OPENTACO_MYSQL_MAX_OPEN_CONNS
number
default:"25"
Maximum open connections
​
OPENTACO_MYSQL_MAX_IDLE_CONNS
number
default:"10"
Maximum idle connections
​
OPENTACO_MYSQL_CONN_MAX_LIFETIME
string
default:"300s"
Connection max lifetime
​
OPENTACO_MYSQL_CONN_MAX_IDLE_TIME
string
default:"600s"
Connection max idle time
Used when OPENTACO_QUERY_BACKEND=mssql
​
OPENTACO_MSSQL_HOST
string
default:"localhost"
required
MSSQL server host
​
OPENTACO_MSSQL_PORT
number
default:"1433"
MSSQL server port
​
OPENTACO_MSSQL_USER
string
required
Database username
​
OPENTACO_MSSQL_PASSWORD
string
required
Database password
​
OPENTACO_MSSQL_DBNAME
string
default:"taco"
Database name

​
Authentication

​
OPENTACO_AUTH_DISABLE
boolean
default:"false"
Disable authentication (not recommended for production)
​
OPENTACO_AUTH_ISSUER
string
OIDC issuer URL
​
OPENTACO_AUTH_CLIENT_ID
string
OIDC client ID
​
OPENTACO_AUTH_CLIENT_SECRET
string
OIDC client secret
​
OPENTACO_AUTH_AUTH_URL
string
OIDC authorization URL
​
OPENTACO_AUTH_TOKEN_URL
string
OIDC token URL
​
OPENTACO_AUTH_DEV_SKIP_VERIFY
boolean
default:"false"
Skip OIDC verification (development only)
​
OPENTACO_OAUTH_STATE_KEY
string
32+ character encryption key for OAuth state (required for PKCE flow)
​
OPENTACO_TOKENS_KID
string
default:"k1"
JWT Key ID
​
OPENTACO_TOKENS_PRIVATE_KEY_PEM_PATH
string
Path to Ed25519 private key PEM file for signing JWTs
​
OPENTACO_TOKENS_ACCESS_TTL
string
default:"1h"
Access token lifetime
​
OPENTACO_TOKENS_REFRESH_TTL
string
default:"720h"
Refresh token lifetime (30 days)
​
OPENTACO_PUBLIC_BASE_URL
string
Public base URL for JWT issuer claim

​
Sandbox Execution

​
OPENTACO_SANDBOX_PROVIDER
string
default:"none"
Sandbox provider for remote execution. Options: e2b or none
Required when OPENTACO_SANDBOX_PROVIDER=e2b
​
OPENTACO_E2B_SIDECAR_URL
string
required
E2B sidecar service URL (e.g., http://sidecar:9100)
​
OPENTACO_E2B_POLL_INTERVAL
string
default:"5s"
Polling interval for sandbox status
​
OPENTACO_E2B_POLL_TIMEOUT
string
default:"30m"
Maximum time to poll for results
​
OPENTACO_E2B_HTTP_TIMEOUT
string
default:"60s"
HTTP request timeout for E2B API

​
Database

​
DATABASE_URL
string
required
PostgreSQL connection string (e.g., postgres://user:password@host:5432/dbname?sslmode=disable)

​
GitHub App Integration

​
GITHUB_APP_ID
string
required
GitHub App ID from app settings
​
GITHUB_APP_CLIENT_ID
string
required
GitHub App client ID
​
GITHUB_APP_CLIENT_SECRET
string
required
GitHub App client secret
​
GITHUB_APP_PRIVATE_KEY_BASE64
string
required
Base64-encoded GitHub App private key
​
GITHUB_APP_PRIVATE_KEY
string
Raw GitHub App private key (alternative to BASE64 version)
​
GITHUB_WEBHOOK_SECRET
string
required
Webhook secret for verifying GitHub webhook signatures
​
GITHUB_ORG
string
Restrict to specific GitHub organization
​
GITHUB_PAT_TOKEN
string
GitHub Personal Access Token (for additional API access)

​
Sandbox Sidecar (E2B)

Provides sandboxed execution environment for Terraform operations.
​
PORT
number
default:"9100"
HTTP server port
​
SANDBOX_RUNNER
string
required
Must be set to e2b
​
E2B_API_KEY
string
required
E2B API key for authentication
​
E2B_BAREBONES_TEMPLATE_ID
string
required
E2B template ID for runtime environment

​
UI/Frontend Service

Web interface for OpenTaco.

​
WorkOS Authentication

​
WORKOS_CLIENT_ID
string
required
WorkOS client ID
​
WORKOS_API_KEY
string
required
WorkOS API key
​
WORKOS_REDIRECT_URI
string
required
OAuth redirect URI (e.g., http://localhost:3000/api/auth/callback)
​
WORKOS_COOKIE_PASSWORD
string
required
Cookie encryption password (minimum 32 characters)
​
WORKOS_WEBHOOK_SECRET
string
WorkOS webhook secret for verification

​
Database Services

​
PostgreSQL

When using the bundled PostgreSQL container:
​
POSTGRES_USER
string
default:"digger"
Database username
​
POSTGRES_PASSWORD
string
required
Database password
​
POSTGRES_DB
string
default:"digger"
Database name

​
See Also