Overview

Configuration Reference

Format: HOCON (Human-Optimized Config Object Notation)

Settings are resolved in this order (highest to lowest):

• CLI flags (-r, --readonly, --config, etc.)
• System properties (-Dkey=value or -DKEY=VALUE)
• SCRIBE_* env vars (SCRIBE_LDAP_URL, SCRIBE_DATABASE_PASSWORD, etc.)
• Standard env vars (OTEL_*, POSTGRES_*, etc. where supported)
• This config file (values defined below)
• Built-in defaults

SCRIBE_* variables follow the config path with dots → underscores. Some frequently-tuned settings have shorter aliases.

The ${?VAR} syntax substitutes VAR if defined, otherwise keeps the previous value. When multiple assignments exist, the last one wins.

When ${?VAR} is used WITHOUT a preceding default, the key is undefined if VAR is not set. This allows runtime overrides to fill in values.

When a concrete default precedes ${?VAR}, that default “pins” the value:

key = "default"        # Key is always defined
key = ${?SCRIBE_KEY}   # Only overrides if SCRIBE_KEY is set

With -Dconfig.override_with_env_vars=true, any config key can be overridden using CONFIG_FORCE_* environment variables:

• CONFIG_FORCE_a_b__c___d → config key a.b-c_d
• Name mangling: _ → ., __ → -, ___ → _

The application searches for the config file in order:

• CLI: --config /path/to/identity-scribe.conf
• System property: -Dconfig.file=...
• Env var: SCRIBE_CONFIG_FILE (preferred)
• Env var: CONFIG_FILE (fallback)
• CWD: identity-scribe.conf
• CWD: config/identity-scribe.conf
• Next to binary: ./identity-scribe.conf
• Next to binary: ./config/identity-scribe.conf

Some sections support automatic inheritance:

• http {} → http.sockets.<name> {}
• ssl {} → ldap.ssl {}, http.ssl {}

For inheritable sections, just override what differs:

http.sockets.internal {
  port = 9001
  concurrency-limit.max-limit = 50
}

• Global
• App
• License
• Database
• Ldap
• Transcribes
• Indices
• Channels
• Monitoring
• Site
• Http
• Ssl
• Openapi
• Retry
• Log