Configuration overview

note

Nextflow Tower Enterprise is now Seqera Platform Enterprise. Existing configuration parameters, configuration files, and API endpoints that include Tower currently remain unchanged.

Set Seqera configuration values using environment variables, a tower.yml configuration file, or individual values stored in AWS Parameter Store. Sensitive values such as database passwords should be stored securely (e.g., as SecureString type parameters in AWS Parameter Store).

Environment variables

Declare environment variables in a tower.env file. For example:

TOWER_CONTACT_EMAIL=hello@foo.com
TOWER_SMTP_HOST=your.smtphost.com

See the Environment variables option in each section below.

tower.yml

Declare YAML configuration values in a tower.yml file. For example:

mail:
    from: "hello@foo.com"
    smtp:
        host: "your.smtphost.com"

See the tower.yml option in each section below. YAML configuration keys on this page are listed in "dot" notation, i.e., the SMTP host value in the snippet above is represented as mail.smtp.host in the tables that follow.

Don't declare duplicate keys in your tower.yml configuration file. Platform will only enforce the last instance of configuration keys that are defined more than once, for example:

# This block will not be enforced due to the duplicate `tower` key below
tower:
    trustedEmails:
        - user@example.com

# This block will be enforced because it's defined last
tower:
    auth:
        oidc:
            - "*@foo.com"

AWS Parameter Store

AWS Parameter Store configuration is only supported for AWS deployments.

Create parameters in the AWS Parameter Store individually, using the format /config/<application_name>/<cfg_path> : <cfg_value>. For example:

/config/tower-app/mail.smtp.user : <your_username>
/config/tower-app/mail.smtp.password : <your_password>

caution

The default application name is tower-app. To deploy multiple instances from the same Seqera Enterprise account, set a custom application name for each instance with the micronaut.application.name value in your tower.yml configuration file.

Sensitive values (such as database passwords) should be SecureString type parameters. See AWS Parameter Store for detailed instructions.

Configuration values not supported in tower.yml or AWS Parameter Store

Due to the order of operations when deploying Seqera Enterprise, some configuration values can only be retrieved from environment variables (tower.env). The following configuration values are not supported for tower.yml or AWS Parameter Store configuration and must be set as environment variables:

Environment variables

Environment variable	Description	Value
TOWER_DB_USER	The user account to access your database. If you are using an external database, you must create this user manually. For installation in a new environment, this value must be set as an environment variable.	Default: tower
TOWER_DB_PASSWORD	The user password to access your database. If you are using an external database, you must create this password manually. For installation in a new environment, this value must be set as an environment variable.	Default: tower
TOWER_DB_URL	The URL to access your database. For installation in a new environment, this value must be set as an environment variable. See the 24.1 release notes for information about the DB URL format.	Example: jdbc:mysql://db:3306/tower?permitMysqlScheme=true
TOWER_APP_NAME	Application name. To run multiple instances of the same Seqera account, each instance must have a unique name, e.g., tower-dev and tower-prod. Can also be set in tower.yml with tower.appName.	Default: tower
TOWER_ENABLE_AWS_SES	Set true to enable AWS Simple Email Service for sending Seqera emails instead of SMTP.	Default: false
TOWER_ENABLE_PLATFORMS	A comma-separated list of execution backends to enable. At least one is required.	altair-platform,awsbatch-platform,awscloud-platform,azbatch-platform,eks-platform,googlebatch-platform,googlecloud-platform,gke-platform,k8s-platform,local-platform,lsf-platform,moab-platform,slurm-platform
TOWER_ENABLE_UNSAFE_MODE	Set to true to allow HTTP connections to Seqera. HTTP must not be used in production deployments. HTTPS is used by default from version 22.1.x.	Default: false

Basic configuration

Basic configuration options such as the Seqera instance server URL, application name, and license key.

Environment variables

Environment variable	Description	Value
TOWER_SERVER_URL	Your Seqera instance hostname, IP address, DNS name, or full reverse proxy path where the application is exposed. The https:// protocol is required for instances that use an SSL certificate. As of version 22.1, HTTPS is used by default. To use HTTP, set TOWER_ENABLE_UNSAFE_MODE=true.	Default: http://localhost:8000
TOWER_LICENSE	Your Seqera Enterprise license key (required). Contact us to obtain your license key. The key is base64-encoded by Seqera — paste this value exactly as received.	DT8G5F3...BBV90OW
TOWER_APP_NAME	Application name. To run multiple instances of the same Seqera account, each instance must have a unique name, e.g., tower-dev and tower-prod.	Default: tower
TOWER_CONFIG_FILE	Custom path for the tower.yml file.	path/to/tower/config
TOWER_LANDING_URL	Custom landing page for the application (requires version 21.10.1 or later). This value doesn't change the TOWER_SERVER_URL used for inbound Seqera connections.	https://your.custom.landing.example.net
TOWER_BACKEND_SERVER_PORT	Define the HTTP port used by the Seqera backend service (requires version 25.3 or later).	8080
TOWER_CRON_SERVER_PORT	Define the HTTP port used by the Seqera cron service (requires version 21.06.1 or later).	8080
TOWER_ROOT_USERS	Grant users access to the application admin panel.	user1@your-company.com,user2@your-company.com
TOWER_CONTACT_EMAIL	Your Seqera system administrator contact email.	seqera@your-company.com
TOWER_AUTH_DISABLE_EMAIL	Set to true to disable the email login. Ensure that you've configured an alternative authentication provider first.	Default: false
TOWER_USER_WORKSPACE_ENABLED	Enable or disable user private workspaces (requires version 22.1.0 or later).	Default: true

tower.yml

YAML configuration keys in this table are listed in "dot" notation, i.e., a nested value:

...
mail:
  smtp:
    host: "your.smtphost.com"
...

is represented as mail.smtp.host.

tower.yml	Description	Value
tower.serverUrl	Your Seqera instance hostname, IP address, DNS name, or full reverse proxy path where the application is exposed. The https:// protocol is required for instances that use an SSL certificate. As of version 22.1, HTTPS is used by default. To use HTTP, set TOWER_ENABLE_UNSAFE_MODE=true.	Default: http://localhost:8000
tower.license	Your Seqera Enterprise license key (required). Contact us to obtain your license key. The key is base64-encoded by Seqera — paste this value exactly as received.	DT8G5F3...BBV90OW
tower.appName	Application name. To run multiple instances of the same Seqera account, each instance must have a unique name, e.g., tower-dev and tower-prod.	Default: tower
tower.landingUrl	Custom landing page for the application (requires version 21.10.1 or later). This value doesn't change the TOWER_SERVER_URL used for inbound Seqera connections.	https://your.custom.landing.example.net
micronaut.server.port	Define the HTTP port used by the Seqera cron service (requires version 21.06.1 or later).	8080
tower.admin.root-users	Grant users access to the application admin panel.	user1@your-company.com,user2@your-company.com
tower.contactEmail	Your Seqera system administrator contact email.	tower@your-company.com
tower.auth.disable-email	Set to true to disable the email login. Ensure that you've configured an alternative authentication provider first.	Default: false
tower.admin.user-workspace-enabled	Enable or disable user private workspaces (requires version 22.1.0 or later).	Default: true

AWS Parameter Store

AWS Parameter Store configuration is only supported for AWS deployments.

Replace {prefix} in each configuration path with /config/<application_name>, where application_name is tower or your custom application name. See AWS Parameter Store.

AWS Parameter Store	Description	Value
{prefix}/tower/serverUrl	Your Seqera instance hostname, IP address, DNS name, or full reverse proxy path where the application is exposed. The https:// protocol is required for instances that use an SSL certificate. As of version 22.1, HTTPS is used by default. To use HTTP, set TOWER_ENABLE_UNSAFE_MODE=true.	Default: http://localhost:8000
{prefix}/tower/license	Your Seqera Enterprise license key (required). Contact us to obtain your license key. The key is base64-encoded by Seqera — paste this value exactly as received.	DT8G5F3...BBV90OW
{prefix}/tower/landingUrl	Custom landing page for the application (requires version 21.10.1 or later). This value doesn't change the TOWER_SERVER_URL used for inbound Seqera connections.	https://your.custom.landing.example.net
{prefix}/micronaut/server/port	Define the HTTP port used by the Seqera cron service (requires version 21.06.1 or later).	8080
{prefix}/tower/admin/root-users	Grant users access to the application admin panel.	user1@your-company.com,user2@your-company.com
{prefix}/tower/contactEmail	Your Seqera system administrator contact email.	tower@your-company.com
{prefix}/tower/auth/disable-email	Set to true to disable the email login. Ensure that you've configured an alternative authentication provider first.	Default: false
{prefix}/tower/admin/user-workspace-enabled	Enable or disable user private workspaces (requires version 22.1.0 or later).	Default: true

Seqera and Redis databases

Configuration values that control Seqera's interaction with databases and Redis instances. TOWER_DB_USER, TOWER_DB_PASSWORD, and TOWER_DB_URL must be specified using environment variables during initial Seqera Enterprise deployment in a new environment. A new installation will fail if DB values are only defined in tower.yml or the AWS Parameter Store. Once the database has been created, these values can be added to tower.yml or AWS Parameter Store entries and removed from your environment variables.

note

Database version requirements:

From Seqera Enterprise version 23.4:

• MySQL 8 is the officially supported and tested database version.
• MySQL versions 5.6 and 5.7 are no longer supported.

From Seqera Enterprise version 24.2:

• Redis version 6.2 or greater is required.
• Redis version 7 is officially supported.

Follow your cloud provider specifications to upgrade your instance.

If you use a database other than the provided db container, you must create a user and database schema manually.

MySQL DB schema creation

CREATE DATABASE tower;
ALTER DATABASE tower CHARACTER SET utf8 COLLATE utf8_bin;

CREATE USER 'tower' IDENTIFIED BY <password>;
GRANT ALL PRIVILEGES ON tower.* TO tower@'%' ;

MariaDB schema creation

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER on tower.* TO tower@'%';

Managed Redis services

Seqera supports managed Redis services such as Amazon ElastiCache, Azure Cache for Redis, or Google Memorystore.

When using a managed Redis service, you must specify the service IP address or DNS name for the TOWER_REDIS_URL as described in the following sections.

AWS ElastiCache

• Use a single-node cluster, as multi-node clusters are not supported
• Use an instance with at least 6 GB capacity (cache.m4.large or greater)
• Specify your private ElastiCache instance in the Seqera environment variables:

TOWER_REDIS_URL=redis://<redis private IP>:6379

Azure Cache for Redis

• Use a single-node cluster, as multi-node clusters are not supported
• Use an instance with at least 6 GB capacity (C3 or greater)
• Specify your private Azure Cache for Redis instance in the Seqera environment variables:

TOWER_REDIS_URL=redis://<redis private IP>:6379

Google Memorystore

• Use a single-node cluster, as multi-node clusters are not supported
• Use an instance with at least 6 GB capacity (M2 or greater)
• Specify your private Memorystore instance in the Seqera environment variables:

TOWER_REDIS_URL=redis://<redis private IP>:6379

Self-hosted Redis

If you run the Redis service as a container in your Docker or Kubernetes installation, specify the service name as part of the TOWER_REDIS_URL:

TOWER_REDIS_URL=redis://redis:6379

Database and Redis manual configuration

If the DB username and password variables are left empty when using Docker Compose, default tower database values are applied automatically. With Kubernetes and custom DB deployments, tower values are not pre-filled.

note

We recommend using managed cloud database services for production deployments.

Environment variables

Environment variable	Description	Value
TOWER_DB_USER	The user account to access your database. If you are using an external database, you must create this user manually.	Default: tower
TOWER_DB_PASSWORD	The user password to access your database. If you are using an external database, you must create this password manually.	Default: tower
TOWER_DB_URL	The URL to access your database.	Example: jdbc:mysql://db:3306/tower?permitMysqlScheme=true
TOWER_DB_MIN_POOL_SIZE	Minimum database connection pool size.	Default: 5
TOWER_DB_MAX_POOL_SIZE	Maximum database connection pool size.	Default: 10
TOWER_DB_MAX_LIFETIME	Maximum lifespan of database connections, in milliseconds.	Default: 1800000
TOWER_REDIS_URL	The URL to access your Seqera Redis instance.	Example: redis://redis:6379
TOWER_REDIS_PASSWORD	The password of your Seqera Redis instance.

tower.yml

TOWER_DB_USER, TOWER_DB_PASSWORD, and TOWER_DB_URL must be specified using environment variables during initial Seqera Enterprise deployment in a new environment.

YAML configuration keys in this table are listed in "dot" notation, i.e., a nested value:

...
mail:
  smtp:
    host: "your.smtphost.com"
...

is represented as mail.smtp.host.

tower.yml	Description	Value
datasources.default.username	The user account to access your database. If you are using an external database, you must create this user manually. For installation in a new environment, this value must be set as an environment variable.	Default: tower
datasources.default.password	The user password to access your database. If you are using an external database, you must create this password manually. For installation in a new environment, this value must be set as an environment variable.	Default: tower
datasources.default.url	The URL to access your database. For installation in a new environment, this value must be set as an environment variable.	Example: jdbc:mysql://db:3306/tower?permitMysqlScheme=true
datasources.default.minPoolSize	Minimum database connection pool size.	Default: 5
datasources.default.maxPoolSize	Maximum database connection pool size.	Default: 10
datasources.default.maxLifetime	Maximum lifespan of database connections, in milliseconds.	Default: 1800000
redisson.uri	The URL to access your Seqera Redis instance.	Example: redis://redis:6379
redisson.password	The password of your Seqera Redis instance.

AWS Parameter Store

AWS Parameter Store configuration is only supported for AWS deployments.

TOWER_DB_USER, TOWER_DB_PASSWORD, and TOWER_DB_URL must be specified using environment variables during initial Seqera Enterprise deployment in a new environment.

Replace {prefix} in each configuration path with /config/<application_name>, where application_name is tower or your custom application name. See AWS Parameter Store.

AWS Parameter Store	Description	Value
{prefix}/datasources/default/username	The user account to access your database. If you are using an external database, you must create this user manually. For installation in a new environment, this value must be set as an environment variable.	Default: tower
{prefix}/datasources/default/password	The user password to access your database. If you are using an external database, you must create this password manually. For installation in a new environment, this value must be set as an environment variable.	Default: tower
{prefix}/datasources/default/url	The URL to access your database. For installation in a new environment, this value must be set as an environment variable.	jdbc:mysql://db:3306/tower?permitMysqlScheme=true
{prefix}/datasources/default/minPoolSize	Minimum database connection pool size.	Default: 5
{prefix}/datasources/default/maxPoolSize	Maximum database connection pool size.	Default: 10
{prefix}/datasources/default/maxLifetime	Maximum lifespan of database connections, in milliseconds.	Default: 1800000
{prefix}/redisson/uri	The URL to access your Seqera Redis instance.	Example: redis://redis:6379
{prefix}/redisson/password	The password of your Seqera Redis instance.

Opt-in Seqera features

Configuration values that enable opt-in Seqera features per instance or workspace.

Core features

Environment variables

Environment variable	Description	Value
TOWER_ENABLE_WAVE	Enable Seqera integration with Wave containers.	Default: false
WAVE_SERVER_URL	Define the Wave containers service endpoint URL.	Example: https://wave.seqera.io
TOWER_ENABLE_AWS_SSM	Enable Seqera configuration value retrieval from AWS Parameter Store.	Default: false
TOWER_ENABLE_AWS_SES	Use AWS Simple Email Service (SES) to send Seqera emails instead of SMTP.	Default: false
TOWER_ALLOW_NEXTFLOW_LOGS	Allow log and report files from Nextflow CLI runs (-with-tower) to be accessible in the Seqera UI. Run output files must be accessible to your Seqera workspace primary compute environment.	Default: false
TOWER_STEPPED_LAUNCH_FORM_ALLOWED_WORKSPACES	Disable the stepped launch form in the workspaces specified. Omit or set empty (TOWER_STEPPED_LAUNCH_FORM_ALLOWED_WORKSPACES=) to enable the new launch form in all workspaces, or provide a comma-separated list of workspace IDs to enable the form per workspace.	Default: Enabled for all workspaces
TOWER_PIPELINE_VERSIONING_ALLOWED_WORKSPACES	Enable pipeline versioning in the workspaces specified. Accepts a comma-separated list of workspace IDs.	Default: Disabled for all workspaces

Data features

Configuration values used by Seqera for Datasets, Data Explorer, Data Lineage, and Studios.

Environment variables

Environment variable	Description	Value
TOWER_DATA_EXPLORER_ENABLED	Enable Data Explorer in all workspaces. To mount data inside a Studio, you must enable Data Explorer.	Default: true
TOWER_DATA_EXPLORER_CLOUD_DISABLED_WORKSPACES	Disable Data Explorer automatic cloud bucket retrieval per workspace.	Example: <workspace-id1>,<workspace-id2>
TOWER_DATA_EXPLORER_LINK_STORE_TTL	Data Explorer cloud bucket cache duration.	Default: 30m
TOWER_DATA_EXPLORER_LINK_STORE_BACKOFF	The amount of time that elapses after an error, before a retry attempt is made.	Default: 10m
TOWER_DATA_EXPLORER_MAX_RETRIES	The number of retries Data Explorer will attempt to fetch cloud buckets in the event of temporary errors.	Default: 3
TOWER_DATA_EXPLORER_LINK_STORE_RETRY_AFTER	The period of time that retry attempts will be made even when max retries has been exceeded.	Default: 1d
TOWER_CONTENT_MAX_FILE_SIZE	Data Explorer download file size limit. Increasing this value may degrade performance.	Default: 25MB
TOWER_DATA_DATASETS_LIST_MAX_ALLOWED	Maximum and default number of items returned in a single page when listing datasets.	Default: 100
TOWER_DATA_DATASET_VERSIONS_LIST_MAX_ALLOWED	Maximum and default number of items returned in a single page when listing dataset versions.	Default: 100
TOWER_DATA_STUDIO_CONNECT_URL	The URL of the Studios connect proxy. The connect proxy is used internally by Seqera Platform. See Studios deployment.	Example: https://connect.example.com/
TOWER_DATA_STUDIO_WAVE_CUSTOM_IMAGE_REPOSITORY	The custom image repository for Wave containers. Ignored if custom image registry is not present.	Default: data-studios/<tool>
TOWER_DATA_STUDIO_WAVE_CUSTOM_IMAGE_NAME_STRATEGY	The custom image name strategy for Wave containers. See the Wave documentation for available options.	Default: tagPrefix
TOWER_DATA_STUDIO_WAVE_CUSTOM_IMAGE_REGISTRY	The custom image registry for Wave containers, used as the destination for Studio images that are customized with a conda environment. When left null, defers to whatever Wave has configured as the default.	Default: null
TOWER_OIDC_REGISTRATION_INITIAL_ACCESS_TOKEN	An access token used to register new clients in Seqera Platform. Any alphanumeric value is allowed. See Studios deployment. Requires the OIDC provider to be configured. See Cryptographic options.	d5XDoRzHpWo1c............mDnfBp
TOWER_DATA_STUDIO_ENABLE_PATH_ROUTING	Add this variable and set it to true to configure Studios requests to use path-based routing and a single, fixed domain for Studio sessions. See Studios deployment.	Default: null
TOWER_OIDC_PEM_PATH	The file path to a PEM certificate used to sign the OIDC tokens for the OpenID connect provider. See Studios deployment.	Example: /data-studios-rsa.pem
TOWER_DATA_STUDIO_SSH_ALLOWED_WORKSPACES	Add this variable to enable SSH connection functionality in Studios. Set to comma-separated workspace IDs to enable for specific workspaces, an empty string ("") to enable for all workspaces, or null to disable for all workspaces. See Studios deployment for configuration details.	Default: null
TOWER_SSH_KEYS_MANAGEMENT_ENABLED	Enable SSH key management for Studios SSH connection functionality.	Default: false
TOWER_SSH_KEYS_SUPPORTED_TYPES	Comma-separated list of supported SSH public key types for user SSH key registration.	Default: ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
TOWER_DATA_STUDIO_CONNECT_SSH_KEY_FINGERPRINT	SSH key fingerprint. This allows only SSH connections that have been authenticated with Seqera to connect to the server and is recommended for production environments. To generate the fingerprint, use ssh-keygen -lf <path-to-ssh-key>. See Studios deployment.	Example: SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s
TOWER_DATA_STUDIO_CONNECT_SSH_PORT	Connection string display purposes.	Default: 22
TOWER_DATA_STUDIO_CONNECT_SSH_ADDRESS	This is set only if the SSH server runs on a different domain to the Connect proxy.	Example: ssh.example.com
TOWER_DATA_STUDIO_ALLOWED_WORKSPACES	Control which workspaces have Studios enabled. Leave unset (default) to enable Studios in all workspaces, set to an empty string to disable Studios for all workspaces, or provide a comma-separated list of workspace IDs to enable Studios only in those workspaces.	Default: Enabled for all workspaces
TOWER_DATA_STUDIO_DEFAULT_LIFESPAN	Default lifespan in hours for Studios when no workspace-specific settings are configured.	Default: 8
TOWER_DATA_STUDIO_PRIVATE_STUDIO_BY_DEFAULT	Default privacy setting for Studios when no workspace-specific or Studio-specific settings are configured. Set to true to make Studios private by default; the default value (false) makes Studios collaborative unless overridden on creation.	Default: false
TOWER_DATA_STUDIO_LIST_MAX_ALLOWED	Maximum and default number of items returned in a single page when listing Studios.	Default: 100
TOWER_DATA_STUDIO_FEATURE_MANIFEST_URL	The manifest URL used for feature version compatibility checks of Studio clients.	Example: https://example.com/manifest.json
TOWER_DATA_STUDIO_CONNECT_IFRAME_ALLOWED_WORKSPACES	Control which workspaces have the Studio iframe in Connect enabled. Set to null (undefined) to disable for all workspaces, set to an empty string to enable for all workspaces, or provide a comma-separated list of workspace IDs to enable per workspace.	Default: null
TOWER_DATA_STUDIO_WAVE_STATUS_CHECK_INITIAL_DELAY	Initial delay before the job that checks Wave build status for Studios in building status runs for the first time.	Default: 5s
TOWER_DATA_STUDIO_WAVE_STATUS_CHECK_RATE	Fixed rate at which Wave build status is checked for Studios in building status.	Default: 30s
TOWER_DATA_STUDIO_WAVE_DISALLOWED_REGISTRIES	Comma-separated list of registry URLs that are not allowed as build destinations for dockerfile-based Studio images. Registries in this list won't be used for pushing dockerfile builds.	Default: community.wave.seqera.io
TOWER_STUDIO_METRICS_ENABLED_WORKSPACES	Control which workspaces have Studio startup metrics collection enabled. Set to null (undefined) to disable for all workspaces, set to an empty string to enable for all workspaces, or provide a comma-separated list of workspace IDs to enable per workspace.	Default: null
TOWER_STUDIO_METRICS_RETENTION_DAYS	Number of days to retain Studio startup metrics in the database before automatic deletion. Metrics older than this threshold are deleted by a daily scheduled job.	Default: 90
TOWER_LINEAGE_ALLOWED_WORKSPACES	Enable date lineage. Set to null (undefined) to disable for all workspaces, set to an empty string to enable for all workspaces, or provide a comma-separated list of workspace IDs to enable per workspace.	Default: null

tower.yml

tower.yml	Description	Value
tower.content.max-file-size	You can set the downloadable file size limit for Data Explorer and workflow reports. Increasing this value may degrade Platform performance. The supported suffixes are GB, MB, and KB.	Default: 25MB
tower.data.data-link-items.tree-list.max-allowed	You can set the maximum number of items listed in Data Explorer. Increasing this value may degrade Platform performance.	Default: 1000

Cryptographic options

Configuration values used by Seqera to encrypt your data.

caution

Do not modify your crypto secret key between starts. Changing this value will prevent the decryption of existing data.

Environment variables

Environment variable	Description	Value
TOWER_CRYPTO_SECRETKEY	The secret key used to encrypt credentials and secrets (required).	Random string of alphanumeric characters.
TOWER_OIDC_PEM_PATH	The file path to a PEM certificate used to sign tokens for Seqera Platform's built-in OIDC provider. This is required for Studios and for Google Cloud Batch Workload Identity Federation.	Example: /oidc.rsa.pem
TOWER_JWT_SECRET	The secret used to generate the login JWT token (required).	Random string of 35 characters or more.
TOWER_SECRET_ROTATION_ENABLED	Enable (true) or disable (false) rotation of the encryption key used to encrypt credentials and secrets in your Platform database.	Default: false
TOWER_SECRET_ROTATION_PREVIOUS_KEY	Used to store the value of the key used to encrypt existing credentials and secrets (TOWER_CRYPTO_SECRETKEY value before rotation), to keep cryptographic features enabled while rotation is in progress. Requires TOWER_SECRET_ROTATION_ENABLED=true.	Your existing TOWER_CRYPTO_SECRETKEY before rotation.
TOWER_SECRET_ROTATION_CHUNK_SIZE	The number of records to extract in chunks until all secrets and credentials are processed. Requires TOWER_SECRET_ROTATION_ENABLED=true.	Default: 50

tower.yml

YAML configuration keys in this table are listed in "dot" notation, i.e., a nested value:

...
mail:
  smtp:
    host: "your.smtphost.com"
...

is represented as mail.smtp.host.

tower.yml	Description	Value
tower.crypto.secretKey	The secret key used to encrypt user credentials (required).	Random string of alphanumeric characters.
micronaut.security.token.jwt.signatures.secret.generator.secret	The secret used to generate the login JWT token (required).	Random string of 35 characters or more.
micronaut.security.token.jwt.generator.refresh-token.secret	The secret used to generate the login refresh token (required).	Random string of 35 characters or more.
tower.secret-rotation.enabled	Enable (true) or disable (false) rotation of the encryption key used to encrypt credentials and secrets in your Platform database.	Default: false
tower.secret-rotation.previous-key	Used to store the value of the key used to encrypt existing credentials and secrets (tower.crypto.secretKey value before rotation), to keep cryptographic features enabled while rotation is in progress. Requires tower.secret-rotation.enabled=true.	Your existing tower.crypto.secretKey before rotation.
tower.secret-rotation.chunk-size	The number of records to extract in chunks until all secrets and credentials are processed. Requires tower.secret.rotation.enabled=true.	Default: 50

AWS Parameter Store

AWS Parameter Store configuration is only supported for AWS deployments.

Replace {prefix} in each configuration path with /config/<application_name>, where application_name is tower or your custom application name. See AWS Parameter Store.

AWS Parameter Store	Description	Value
{prefix}/tower/crypto/secretKey	The secret key used to encrypt user credentials (required).	Random string of alphanumeric characters.
{prefix}/micronaut/security/token/jwt/signatures/secret/generator/secret	The secret used to generate the login JWT token (required).	Random string of 35 characters or more.
{prefix}/micronaut/security/token/jwt/generator/refresh-token/secret	The secret used to generate the login refresh token (required).	Random string of 35 characters or more.
{prefix}/tower/secret-rotation/enabled	Enable (true) or disable (false) rotation of the encryption key used to encrypt credentials and secrets in your Platform database.	Default: false
{prefix}/tower/secret-rotation/previous-key	Used to store the value of the key used to encrypt existing credentials and secrets ({prefix}/tower/crypto/secretKey value before rotation), to keep cryptographic features enabled while rotation is in progress. Requires {prefix}/tower/secret-rotation/enabled=true.	Your existing /tower/crypto/secretKey before rotation.
{prefix}/tower/secret-rotation/chunk-size	The number of records to extract in chunks until all secrets and credentials are processed. Requires /tower/secret-rotation/enabled=true.	Default: 50

Secret key rotation

Rotate the key used to encrypt the credentials and secrets stored in your Platform database. Encryption key rotation is a security best practice and should be performed at an interval specified by your organization's security requirements, or in the event of a suspected compromise of your secret key.

Enable rotation by setting the following configuration values:

Environment variables

• TOWER_SECRET_ROTATION_ENABLED=true
• TOWER_SECRET_ROTATION_PREVIOUS_KEY=<EXISTING_TOWER_CRYPTO_SECRET_KEY_VALUE>
• TOWER_CRYPTO_SECRETKEY=<NEW_SECRET_KEY_VALUE>

tower.yml

• tower.secret.rotation.enabled: true
• tower.secret.rotation.previous-key: <EXISTING_tower.crypto.secretKey_VALUE>
• tower.crypto.secretKey: <NEW_SECRET_KEY_VALUE>

AWS Parameter Store

• /tower/secret-rotation/enabled: true
• /tower/secret-rotation/previous-key: <EXISTING_/tower/crypto/secretKey_VALUE>
• /tower/crypto/secretKey: <NEW_SECRET_KEY_VALUE>

With rotation enabled and the previous and new key values set, secret key rotation will run as part of the Platform cron service during application startup. Normal application startup is not affected by this process, and Platform is fully operational while the credentials and secrets in your database are being encrypted using your new secret key.

warning

• To prevent data loss, perform a backup of your Platform database and securely back up your current crypto secret key before enabling and performing key rotation.
• All backend pods or containers for your Enterprise deployment must contain the same previous and new secret key values in their Platform config and must be in a ready/running state before starting the Platform cron service.

The Admin panel Encryption tab displays the status of completed or errored encryption tasks.

Compute environments

Configuration values to enable computing platforms and customize Batch Forge resource naming.

Environment variables

Environment variable	Description	Value
TOWER_ENABLE_PLATFORMS	Comma-separated list of the execution backends to enable. At least one is required.	altair-platform,awsbatch-platform,awscloud-platform,azbatch-platform,eks-platform,googlebatch-platform,googlecloud-platform,gke-platform,k8s-platform,local-platform,lsf-platform,moab-platform,slurm-platform
MICRONAUT_ENVIRONMENTS	Configuration values to control the behavior of the Seqera cron and backend containers. Do not edit these values	Backend configuration: prod, redis, ha Cron configuration: prod, redis, cron
TOWER_FORGE_PREFIX	Override the default TowerForge prefix, appended to AWS resources created by Batch Forge, with a custom value.	Default: TowerForge
TOWER_ALLOW_INSTANCE_CREDENTIALS	Enable legacy role-based AWS credentials. When true, users provide an IAM role ARN only when creating AWS credentials. Access keys, secret keys, and External ID are not used.	Default: false

Compute environment cleanup

A scheduled cron job can transition compute environments that are stuck in CREATING or DELETING states into terminal states (ERRORED or INVALID). The cleanup job is disabled by default.

Environment variables

Environment variable	Description	Value
TOWER_COMPUTE_ENV_CLEANUP_ENABLED	Enable the compute environment cleanup cron job, which transitions compute environments stuck in CREATING to ERRORED, and those stuck in DELETING to INVALID. Only organization-scoped compute environments are processed; user-scoped ones are excluded.	Default: false
TOWER_COMPUTE_ENV_CLEANUP_DELAY	Stagger between consecutive batch start times. Batch i is scheduled to start i × time-offset seconds after the job tick.	Default: 1m
TOWER_COMPUTE_ENV_CLEANUP_INTERVAL	Interval at which the compute environment cleanup cron job runs.	Default: 1h
TOWER_COMPUTE_ENV_CLEANUP_BATCH_SIZE	Number of organizations processed per batch in the compute environment cleanup job.	Default: 10
TOWER_COMPUTE_ENV_CLEANUP_TIME_OFFSET	Delay between consecutive batch tasks in the compute environment cleanup job.	Default: 60s
TOWER_COMPUTE_ENV_CLEANUP_STUCK_CREATING_TIMEOUT	Time after which a compute environment stuck in the CREATING state is transitioned to ERRORED.	Default: 1h
TOWER_COMPUTE_ENV_CLEANUP_STUCK_DELETING_TIMEOUT	Time after which a compute environment stuck in the DELETING state is transitioned to INVALID.	Default: 1h

Git integration

Seqera Platform has built-in support for public and private Git repositories. Create Git provider credentials to allow Seqera to interact with the following services:

• GitHub
• BitBucket
• GitLab
• Gitea
• Azure Repos

caution

Credentials configured in your SCM providers list override Git credentials in your (organization or personal) workspace.

Public Git repositories can be accessed without authentication, but are often subject to throttling. We recommend always adding Git credentials to your Seqera workspace, regardless of the repository type you use.

Environment variables

Credentials and other secrets must not be hard-coded in environment variables in production environments. Credentials added using the application UI are SHA256-encrypted before secure storage and not exposed by any Seqera API.

Environment variable	Description
TOWER_SCM_PROVIDERS_GITHUB_USER	Your GitHub username.
TOWER_SCM_PROVIDERS_GITHUB_PASSWORD	Your GitHub (classic or fine-grained) access token.
TOWER_SCM_PROVIDERS_GITLAB_USER	Your GitLab username.
TOWER_SCM_PROVIDERS_GITLAB_PASSWORD	Your GitLab (Personal, Group, or Project) access token.
TOWER_SCM_PROVIDERS_GITLAB_TOKEN	Your GitLab (Personal, Group, or Project) access token.
TOWER_SCM_PROVIDERS_BITBUCKET_USER	Your BitBucket username.
TOWER_SCM_PROVIDERS_BITBUCKET_PASSWORD	Your BitBucket App password.
TOWER_SCM_PROVIDERS_GITEA_USER	Your Gitea username.
TOWER_SCM_PROVIDERS_GITEA_PASSWORD	Your Gitea token.
TOWER_SCM_PROVIDERS_AZUREREPOS_USER	Your Azure DevOps repository username.
TOWER_SCM_PROVIDERS_AZUREREPOS_TOKEN	Your Azure DevOps repository personal access token.

tower.yml

Credentials and other secrets must not be stored in plain text in production environments. Credentials added using the application UI are SHA256-encrypted before secure storage and not exposed by any Seqera API.

YAML configuration keys in this table are listed in "dot" notation, i.e., a nested value:

...
mail:
  smtp:
    host: "your.smtphost.com"
...

is represented as mail.smtp.host.

tower.yml	Description
tower.scm.provider.github.user	Your GitHub username.
tower.scm.provider.github.password	Your GitHub (classic or fine-grained) access token.
tower.scm.provider.gitlab.user	Your GitLab username.
tower.scm.provider.gitlab.password	Your GitLab (Personal, Group, or Project) access token.
tower.scm.provider.gitlab.token	Your GitLab (Personal, Group, or Project) access token.
tower.scm.provider.bitbucket.user	Your BitBucket username.
tower.scm.provider.bitbucket.password	Your BitBucket App password.
tower.scm.provider.gitea.user	Your Gitea username.
tower.scm.provider.gitea.password	Your Gitea token.
tower.scm.provider.azurerepos.user	Your Azure DevOps repository username.
tower.scm.provider.azurerepos.token	Your Azure DevOps repository personal access token.

AWS Parameter Store

AWS Parameter Store configuration is only supported for AWS deployments.

Replace {prefix} in each configuration path with /config/<application_name>, where application_name is tower or your custom application name. See AWS Parameter Store.

AWS Parameter Store	Description
{prefix}/tower/scm/provider/github/user	Your GitHub username.
{prefix}/tower/scm/provider/github/password	Your GitHub (classic or fine-grained) access token.
{prefix}/tower/scm/provider/gitlab/user	Your GitLab username.
{prefix}/tower/scm/provider/gitlab/password	Your GitLab (Personal, Group, or Project) access token.
{prefix}/tower/scm/provider/gitlab/token	Your GitLab (Personal, Group, or Project) access token.
{prefix}/tower/scm/provider/bitbucket/user	Your BitBucket username.
{prefix}/tower/scm/provider/bitbucket/password	Your BitBucket App password.
{prefix}/tower/scm/provider/gitea/user	Your Gitea username.
{prefix}/tower/scm/provider/gitea/password	Your Gitea token.
{prefix}/tower/scm/provider/azurerepos/user	Your Azure DevOps repository username.
{prefix}/tower/scm/provider/azurerepos/token	Your Azure DevOps repository personal access token.

Local repositories

Seqera Enterprise can connect to workflows stored in local Git repositories. To do so, volume mount your local repository folder in your Seqera backend container. Then, update your tower.yml:

tower:
  pipeline:
    allow-local-repos:
      - /path/to/repo

Mail server

Configure values for SMTP email service integration. Production SMTP hosts must use a TLS-protected connection. See SSL/TLS.

AWS deployments also support Amazon Simple Email Service (SES).

SMTP service integration

To use an SMTP gateway for mail service, set SMTP user and password values to null.

caution

Your organization's email security policy may prevent the TOWER_CONTACT_EMAIL address from receiving Seqera emails. If this occurs after successful SMTP configuration, you may need to configure spf, dkim, and dmarc records for your domain. Contact your IT support staff for further assistance.

Environment variables

Environment variable	Description	Value
TOWER_SMTP_USER	Your email service user.	Example: user
TOWER_SMTP_PASSWORD	Your email service password.
TOWER_SMTP_HOST	Your email service host name, excluding protocol.	Example: email-smtp.eu-west-1.amazonaws.com
TOWER_SMTP_PORT	Your email service port. Most cloud services block port 25 by default.	Default: 587
TOWER_CONTACT_EMAIL	The email address used to send Seqera emails.	Example: seqera@your-company.com
TOWER_SMTP_AUTH	Use SMTP authentication when calling your email service endpoint.	Default: true
TOWER_SMTP_STARTTLS_ENABLED	Switch the connection to a TLS-protected connection before issuing login commands. Must be true for production SMTP hosts.	Recommended: true
TOWER_SMTP_STARTTLS_REQUIRED	Require the use of the STARTTLS command. Must be true for production SMTP hosts.	Recommended: true
TOWER_ENABLE_AWS_SES	Use AWS SES (Simple Email Service) to use Seqera emails, instead of SMTP.	Default: false

tower.yml

YAML configuration keys in this table are listed in "dot" notation, i.e., a nested value:

...
mail:
  smtp:
    host: "your.smtphost.com"
...

is represented as mail.smtp.host.

tower.yml	Description	Value
mail.smtp.user	Your email service user.	Example: user
mail.smtp.password	Your email service password.
mail.smtp.host	Your email service host name, excluding protocol.	Example: email-smtp.eu-west-1.amazonaws.com
mail.smtp.port	Your email service port. Most cloud services block port 25 by default.	Default: 587
mail.from	The email address used to send Seqera emails.	Example: Seqera@your-company.com
mail.smtp.auth	Use SMTP authentication when calling your email service endpoint.	Default: true
mail.smtp.starttls.enable	Switch the connection to a TLS-protected connection before issuing login commands. Must be true for production SMTP hosts.	Recommended: true
mail.smtp.starttls.required	Require the use of the STARTTLS command. Must be true for production SMTP hosts.	Recommended: true

AWS Parameter Store

AWS Parameter Store configuration is only supported for AWS deployments.

Replace {prefix} in each configuration path with /config/<application_name>, where application_name is tower or your custom application name. See AWS Parameter Store.

AWS Parameter Store	Description	Value
{prefix}/mail/smtp/user	Your email service user.	Example: user
{prefix}/mail/smtp/password	Your email service password.
{prefix}/mail/smtp/host	Your email service host name, excluding protocol.	Example: email-smtp.eu-west-1.amazonaws.com
{prefix}/mail/smtp/port	Your email service port. Most cloud services block port 25 by default.	Default: 587
{prefix}/mail/from	The email address used to send Seqera emails.	Example: seqera@your-company.com
{prefix}/mail/smtp/auth	Use SMTP authentication when calling your email service endpoint.	Default: true
{prefix}/mail/smtp/starttls/enable	Switch the connection to a TLS-protected connection before issuing login commands. Must be true for production SMTP hosts.	Recommended: true
{prefix}/mail/smtp/starttls/required	Require the use of the STARTTLS command. Must be true for production SMTP hosts.	Recommended: true

AWS SES integration

In AWS deployments, you can use AWS Simple Email Service (SES) instead of traditional SMTP for sending Seqera platform emails.

note

Simple Email Service (SES) is only supported in Seqera deployments on AWS.

To configure AWS SES as your Seqera email service:

1. Set TOWER_ENABLE_AWS_SES=true in your environment variables.
2. Specify the email address used to send Seqera emails with one of the following:
   • the TOWER_CONTACT_EMAIL environment variable
   • a mail.from entry in tower.yml
   • a /config/<application_name>/mail/from AWS Parameter Store entry
3. The AWS SES service must run in the same region as your Seqera instance.
4. The Seqera IAM role must include the ses:SendRawEmail permission.

Nextflow launch container

caution

Do not replace the Seqera-provided default image unless absolutely necessary.

Environment variables

Environment Variable	Description	Value
TOWER_LAUNCH_CONTAINER	The container image to run the Nextflow execution. This setting overrides the launch container selection for all organizations and workspaces in your account.	Example: quay.io/seqeralabs/nf-launcher:j17-23.04.3

Seqera API

Enable the API endpoints to host the Seqera Enterprise OpenAPI specification and use the tw CLI. Set custom API rate limits and timeouts.

note

To configure API rate limit environment variables, you must add ratelim to the MICRONAUT_ENVIRONMENTS. Without ratelim being set, the rate limit configuration variables below are ignored.

Environment variables

Environment variable	Description	Value
TOWER_ENABLE_OPENAPI	Enable the OpenAPI documentation endpoint, e.g., cloud.seqera.io/openapi/index.html.	Default: false
TOWER_RATELIMIT_PERIOD	Specify the maximum number of HTTP requests that can be made during the TOWER_RATELIMIT_REFRESH period.	Default: 20
TOWER_RATELIMIT_REFRESH	API rate limit refresh period.	Default: 1s
TOWER_RATELIMIT_TIMEOUT	The waiting period before rejecting requests over the TOWER_RATELIMIT_PERIOD limit during the refresh period.	Default: 500ms

Custom navigation menu

Modify your Seqera instance's navigation menu options.

tower.yml

tower:
    navbar:
    menus:
        - label: "My Community"
        url: "https://host.com/foo"
        - label: "My Pipelines"
        url: "https://other.com/bar"

Logging

Logging-related configuration values to aid troubleshooting. See Audit logs for more information on application event logging. In 26.1, use TOWER_AUDIT_LOG_V2_WRITE_MODE to control whether audit events are written to the v2 schema, or to both the legacy and the v2 schema. Use TOWER_CRON_AUDIT_LOG_CLEAN_UP_ENABLED to disable automatic audit log deletion, and restart Platform after changing audit log settings.

Environment variables

Environment variable	Description	Value
TOWER_CRON_AUDIT_LOG_CLEAN_UP_ENABLED	Set false to disable automatic deletion of audit log records. In 26.1, this applies to both the legacy table and the new table. Restart Platform after changing this value.	Default: true
TOWER_CRON_AUDIT_LOG_CLEAN_UP_TIME_OFFSET	Application event audit log retention period. When cleanup is enabled, audit log records older than this period are celeted from both v1 and v2 audit log tables. Value includes units (30d, 24h, 60m, etc.). Value: "Default: 365d"
TOWER_AUDIT_LOG_V2_WRITE_MODE	Determines which audit log tables receive new write operations. Use dual to write to both legacy and v2 tables during the 26.1 migration period, or v2 for the new table only.	Options: dual, v2. Default: dual
TOWER_AUDIT_LOG_V2_CSV_EXPORT_MAX_LOGS	Maximum number of audit log v2 records allowed in a single CSV export.	Default: 500000
TOWER_LOG_APPENDER	The output format of Platform logs.	Options: STDOUT, JSON
TOWER_LOG_LEVEL	Platform backend logging detail level.	Options: TRACE, DEBUG, INFO, WARN, ERROR
TOWER_SECURITY_LOGLEVEL	Platform authentication logging detail level.	Options: TRACE, DEBUG, INFO, WARN, ERROR
TOWER_LOG_DIR	Base directory to store Platform logs.	Default: /. (deployment root directory)
TOWER_LOG_PATTERN	The logging format emitted to STDOUT. See here for a reference of the full logback pattern syntax.	%d{MMM-dd HH:mm:ss.SSS} [%t] %X{ip:--} %-5level %logger{36} - %msg%n} # Default logging pattern shown
TOWER_LOG_MAX_HISTORY	The maximum number of backend log files retained by the system.	Default: 10 (days)
TOWER_LOG_MAX_SIZE	The maximum file size of the Platform backend log file. When this limit is reached, a new log file is created.	Default: 200MB
LOGGER_LEVELS_IO_SEQERA_TOWER_AGENT	Tower Agent logging detail level.	Options: TRACE, DEBUG, INFO, WARN, ERROR
TOWER_AGENT_HEARTBEAT	Tower Agent polling interval.	Example: 10s
TOWER_SSH_LOGLEVEL	Event logging detail level for the SSH connection library used by Seqera.	Options: TRACE, DEBUG, INFO, WARN, ERROR
TOWER_ALLOW_NEXTFLOW_LOGS	Set true to allow Seqera to retrieve logs and reports for runs launched with Nextflow CLI.	Default: false

tower.yml

Set the logging detail level for various Seqera services. Logs for particular services may be requested by support to assist with troubleshooting an issue. Set the logging configuration parameter in your Seqera YAML configuration before attempting to reproduce your issue. The example below sets the detail level for application and database logging:

logger is a root-level object in the tower.yml configuration file, i.e., it is not nested under tower.

logger:
  levels:
    org.hibernate.SQL: DEBUG
    org.hibernate.type: TRACE
    io.seqera.tower: TRACE

Audit log v2

Configuration values for the v2 audit log subsystem and the audit log cleanup cron job. The v2 audit log adds support for pre/post change state capture and CSV export limits, and runs alongside the existing v1 table when TOWER_AUDIT_LOG_V2_WRITE_MODE is set to dual.

Environment variables

Environment variable	Description	Value
TOWER_AUDIT_LOG_V2_WRITE_MODE	Determine which audit log tables receive write operations. Accepted values are v1 (legacy table only), v2 (v2 table only), or dual (both tables simultaneously).	Default: dual
TOWER_AUDIT_LOG_V2_CSV_EXPORT_MAX_LOGS	Maximum number of records allowed in a single audit log CSV export.	Default: 500000
TOWER_AUDIT_LOG_V2_PRE_POST_CHANGE_ENABLED	Enable capturing pre- and post-change state images for audit log target resources in air-gapped Enterprise deployments. In deployments that are not air-gapped this is enabled through License Manager.	Default: false
TOWER_CRON_AUDIT_LOG_CLEAN_UP_ENABLED	Enable the audit log cleanup cron job.	Default: true
TOWER_CRON_AUDIT_LOG_CLEAN_UP_INTERVAL	Interval at which the audit log cleanup cron job runs.	Default: 5m
TOWER_CRON_AUDIT_LOG_CLEAN_UP_DELAY	Initial delay before the audit log cleanup cron job starts after application startup.	Default: 10s
TOWER_CRON_AUDIT_LOG_CLEAN_UP_CHUNK_SIZE	Maximum number of audit log records deleted per cleanup run.	Default: 1000