Nuts node config

The Nuts node can be configured using a YAML configuration file, environment variables and commandline params.

The parameters follow the following convention: $ nuts --parameter X is equal to $ NUTS_PARAMETER=X nuts is equal to parameter: X in a yaml file.

Or for this piece of yaml

nested:
    parameter: X

is equal to $ nuts --nested.parameter X is equal to $ NUTS_NESTED_PARAMETER=X nuts

Config parameters for engines are prepended by the engine.ConfigKey by default (configurable):

engine:
    nested:
        parameter: X

is equal to $ nuts --engine.nested.parameter X is equal to $ NUTS_ENGINE_NESTED_PARAMETER=X nuts

While most options are a single value, some are represented as a list (indicated with the square brackets in the table below). To provide multiple values through flags or environment variables you can separate them with a comma (,).

Ordering

Command line parameters have the highest priority, then environment variables, then parameters from the configfile and lastly defaults. The location of the configfile is determined by the environment variable NUTS_CONFIGFILE or the commandline parameter --configfile. If both are missing the default location ./nuts.yaml is used.

Server options

The following options can be configured on the server:

Key

Default

Description

configfile

nuts.yaml

Nuts config file

datadir

./data

Directory where the node stores its files.

loggerformat

text

Log format (text, json)

strictmode

false

When set, insecure settings are forbidden.

verbosity

info

Log level (trace, debug, info, warn, error)

http.default.address

:1323

Address and port the server will be listening to

http.default.cors.origin

[]

When set, enables CORS from the specified origins for the on default HTTP interface.

Auth

auth.clockskew

5000

Allowed JWT Clock skew in milliseconds

auth.contractvalidators

[irma,uzi,dummy]

sets the different contract validators to use

auth.http.timeout

30

HTTP timeout (in seconds) used by the Auth API HTTP client

auth.irma.autoupdateschemas

true

set if you want automatically update the IRMA schemas every 60 minutes.

auth.irma.schememanager

pbdf

IRMA schemeManager to use for attributes. Can be either ‘pbdf’ or ‘irma-demo’.

auth.publicurl

public URL which can be reached by a users IRMA client, this should include the scheme and domain: https://example.com. Additional paths should only be added if some sort of url-rewriting is done in a reverse-proxy.

Crypto

crypto.storage

fs

Storage to use, ‘fs’ for file system, vaultkv for Vault KV store, default: fs.

crypto.vault.address

The Vault address. If set it overwrites the VAULT_ADDR env var.

crypto.vault.pathprefix

kv

The Vault path prefix. default: kv.

crypto.vault.token

The Vault token. If set it overwrites the VAULT_TOKEN env var.

Event manager

events.nats.hostname

localhost

Hostname for the NATS server

events.nats.port

4222

Port where the NATS server listens on

events.nats.storagedir

Directory where file-backed streams are stored in the NATS server

events.nats.timeout

30

Timeout for NATS server operations

JDONLD

jsonld.contexts.localmapping

[https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson]

This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist.

jsonld.contexts.remoteallowlist

[https://schema.org,https://www.w3.org/2018/credentials/v1,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json]

In strict mode, fetching external JSON-LD contexts is not allowed except for context-URLs listed here.

Network

network.bootstrapnodes

[]

List of bootstrap nodes (<host>:<port>) which the node initially connect to.

network.certfile

PEM file containing the server certificate for the gRPC server. Required when enableTLS is true.

network.certkeyfile

PEM file containing the private key of the server certificate. Required when network.enabletls is true.

network.disablenodeauthentication

false

Disable node DID authentication using client certificate, causing all node DIDs to be accepted. Unsafe option, only intended for workshops/demo purposes. Not allowed in strict-mode.

network.enablediscovery

true

Whether to enable automatic connecting to other nodes.

network.enabletls

true

Whether to enable TLS for incoming and outgoing gRPC connections. When certfile or certkeyfile is specified it defaults to true, otherwise false.

network.grpcaddr

:5555

Local address for gRPC to listen on. If empty the gRPC server won’t be started and other nodes will not be able to connect to this node (outbound connections can still be made).

network.nodedid

Specifies the DID of the organization that operates this node, typically a vendor for EPD software. It is used to identify the node on the network. If the DID document does not exist of is deactivated, the node will not start.

network.protocols

[]

Specifies the list of network protocols to enable on the server. They are specified by version (1, 2). If not set, all protocols are enabled.

network.truststorefile

PEM file containing the trusted CA certificates for authenticating remote gRPC servers.

network.v1.advertdiagnosticsinterval

5000

Interval (in milliseconds) that specifies how often the node should broadcast its diagnostic information to other nodes (specify 0 to disable).

network.v1.adverthashesinterval

2000

Interval (in milliseconds) that specifies how often the node should broadcast its last hashes to other nodes.

network.v1.collectmissingpayloadsinterval

60000

Interval (in milliseconds) that specifies how often the node should check for missing payloads and broadcast its peers for it (specify 0 to disable). This check might be heavy on larger DAGs so make sure not to run it too often.

network.v2.diagnosticsinterval

5000

Interval (in milliseconds) that specifies how often the node should broadcast its diagnostic information to other nodes (specify 0 to disable).

network.v2.gossipinterval

5000

Interval (in milliseconds) that specifies how often the node should gossip its new hashes to other nodes.

VCR

vcr.overrideissueallpublic

true

Overrides the “Public” property of a credential when issuing credentials: if set to true, all issued credentials are published as public credentials, regardless of whether they’re actually marked as public.

This table is automatically generated using the configuration flags in the core and engines. When they’re changed the options table must be regenerated using the Makefile:

$ make update-docs