Customize deployment
Environment variables
This is a reference to all environment variables that can be used to configure a Lightdash deployment.
| Variable | Description | Required? | Default |
|---|---|---|---|
PGHOST | Hostname of postgres server to store Lightdash data | ||
PGPORT | Port of postgres server to store Lightdash data | ||
PGUSER | Username of postgres user to access postgres server to store Lightdash data | ||
PGPASSWORD | Password for PGUSER | ||
PGDATABASE | Database name inside postgres server to store Lightdash data | ||
PGCONNECTIONURI | Connection URI for postgres server to store Lightdash data in the format postgresql://user:password@host:port/db?params. This is an alternative to providing the previous PG variables. | ||
LIGHTDASH_SECRET | Secret key used to secure various tokens in Lightdash. This must be fixed between deployments. If the secret changes, you won’t have access to Lightdash data. | ||
SECURE_COOKIES | Only allows cookies to be stored over a https connection. We use cookies to keep you logged in. This is recommended to be set to true in production. | false | |
COOKIES_MAX_AGE_HOURS | How many hours a user session exists before the user is automatically signed out. For example if 24, then the user will be automatically after 24 hours of inactivity. | ||
TRUST_PROXY | This tells the Lightdash server that it can trust the X-Forwarded-Proto header it receives in requests. This is useful if you use SECURE_COOKIES=true behind a HTTPS terminated proxy that you can trust. | false | |
SITE_URL | Site url where Lightdash is being hosted. It should include the protocol. E.g https://lightdash.mycompany.com | http://localhost:8080 | |
INTERNAL_LIGHTDASH_HOST | Internal Lightdash host for the Headless browser to send requests when your Lightdash instance is not accessible from the Internet. Needs to support https if SECURE_COOKIES=true | Same as SITE_URL | |
STATIC_IP | Server static IP so users can add the IP to their warehouse allow-list. | http://localhost:8080 | |
LIGHTDASH_QUERY_MAX_LIMIT | Query max rows limit | 5000 | |
SCHEDULER_ENABLED | Enables/Disables the scheduler worker that triggers the scheduled deliveries. | true | |
SCHEDULER_CONCURRENCY | How many scheduled delivery jobs can be processed concurrently. | 3 | |
SCHEDULER_JOB_TIMEOUT | After how many milliseconds the job should be timeout so the scheduler worker can pick other jobs. | 600000 (10 minutes) | |
LIGHTDASH_CSV_CELLS_LIMIT | Max cells on CSV file exports | 100000 | |
LIGHTDASH_CHART_VERSION_HISTORY_DAYS_LIMIT | Configure how far back the chart versions history goes in days | 3 | |
LIGHTDASH_PIVOT_TABLE_MAX_COLUMN_LIMIT | Configure maximum number of columns in pivot table | 60 | |
GROUPS_ENABLED | Enables/Disables groups functionality | false | |
AUTH_ENABLE_OIDC_LINKING | Enables/Disables linking the new OIDC(aka SSO) identity to an existing user if they already have another OIDC with the same email | false | |
CUSTOM_VISUALIZATIONS_ENABLED | Enables/Disables custom chart functionality | false | |
LIGHTDASH_MAX_PAYLOAD | Maximum HTTP request body size | 5mb | |
LIGHTDASH_LICENSE_KEY | License key for Lightdash Enterprise Edition. Talk to us about Lightdash Enterprise Edition | ||
HEADLESS_BROWSER_HOST | Hostname for the headless browser | — | |
HEADLESS_BROWSER_PORT | Port for the headless browser | 3001 | |
ALLOW_MULTIPLE_ORGS | If set to true, new users registering on Lightdash will have their own organization, separated from others | false |
Lightdash also accepts all standard postgres environment variables
SMTP
This is a reference to all the SMTP environment variables that can be used to configure a Lightdash email client.
| Variable | Description | Required? | Default |
|---|---|---|---|
EMAIL_SMTP_HOST | Hostname of email server | ||
EMAIL_SMTP_PORT | Port of email server | 587 | |
EMAIL_SMTP_SECURE | Secure connection | true | |
EMAIL_SMTP_USER | Auth user | ||
EMAIL_SMTP_PASSWORD | Auth password | [1] | |
EMAIL_SMTP_ACCESS_TOKEN | Auth access token for Oauth2 authentication | [1] | |
EMAIL_SMTP_ALLOW_INVALID_CERT | Allow connection to TLS server with self-signed or invalid TLS certificate | false | |
EMAIL_SMTP_SENDER_EMAIL | The email address that sends emails | ||
EMAIL_SMTP_SENDER_NAME | The name of the email address that sends emails | Lightdash |
[1] EMAIL_SMTP_PASSWORD or EMAIL_SMTP_ACCESS_TOKEN needs to be provided
SSO
These variables enable you to control Single Sign On (SSO) functionality.
| Variable | Description | Required? | Default |
|---|---|---|---|
AUTH_DISABLE_PASSWORD_AUTHENTICATION | If “true” disables signing in with plain passwords | false | |
AUTH_ENABLE_GROUP_SYNC | If “true” enables assigning SSO groups to Lightdash groups | false | |
AUTH_GOOGLE_OAUTH2_CLIENT_ID | Required for Google SSO | ||
AUTH_GOOGLE_OAUTH2_CLIENT_SECRET | Required for Google SSO | ||
AUTH_OKTA_OAUTH_CLIENT_ID | Required for Okta SSO | ||
AUTH_OKTA_OAUTH_CLIENT_SECRET | Required for Okta SSO | ||
AUTH_OKTA_OAUTH_ISSUER | Required for Okta SSO | ||
AUTH_OKTA_DOMAIN | Required for Okta SSO | ||
AUTH_OKTA_AUTHORIZATION_SERVER_ID | Optional for Okta SSO with a custom authorization server | ||
AUTH_OKTA_EXTRA_SCOPES | Optional for Okta SSO scopes (e.g. groups) without a custom authorization server | ||
AUTH_ONE_LOGIN_OAUTH_CLIENT_ID | Required for One Login SSO | ||
AUTH_ONE_LOGIN_OAUTH_CLIENT_SECRET | Required for One Login SSO | ||
AUTH_ONE_LOGIN_OAUTH_ISSUER | Required for One Login SSO | ||
AUTH_AZURE_AD_OAUTH_CLIENT_ID | Required for Azure AD | ||
AUTH_AZURE_AD_OAUTH_CLIENT_SECRET | Required for Azure AD | ||
AUTH_AZURE_AD_OAUTH_TENANT_ID | Required for Azure AD | ||
AUTH_AZURE_AD_OIDC_METADATA_ENDPOINT | Optional for Azure AD | ||
AUTH_AZURE_AD_X509_CERT_PATH | Optional for Azure AD | ||
AUTH_AZURE_AD_X509_CERT | Optional for Azure AD | ||
AUTH_AZURE_AD_PRIVATE_KEY_PATH | Optional for Azure AD | ||
AUTH_AZURE_AD_PRIVATE_KEY | Optional for Azure AD |
S3
These variables allow you to configure S3 Object Storage.
| Variable | Description | Required? | Default |
|---|---|---|---|
S3_ENDPOINT | S3 endpoint for storing cached results | ||
S3_BUCKET | Name of the S3 bucket for storing files | ||
S3_REGION | Region where the S3 bucket is located | ||
S3_ACCESS_KEY | Access key for authenticating with the S3 bucket | ||
S3_SECRET_KEY | Secret key for authenticating with the S3 bucket | ||
S3_EXPIRATION_TIME | Expiration time for scheduled deliveries files | 259200 (3d) | |
S3_FORCE_PATH_STYLE | Force path style addressing, needed for MinIO setup e.g. http://your.s3.domain/BUCKET/KEY instead of http://BUCKET.your.s3.domain/KEY | false |
Cache
| Variable | Description | Required? | Default |
|---|---|---|---|
RESULTS_CACHE_ENABLED | Enables caching for chart results | false | |
AUTOCOMPLETE_CACHE_ENABLED | Enables caching for filter autocomplete results | false | |
RESULTS_CACHE_S3_BUCKET | Name of the S3 bucket used for caching query results | S3_BUCKET | |
RESULTS_CACHE_S3_REGION | Region where the S3 bucket is located | S3_REGION | |
RESULTS_CACHE_S3_ACCESS_KEY | Access key for authenticating with the S3 bucket | S3_ACCESS_KEY | |
RESULTS_CACHE_S3_SECRET_KEY | Secret key for authenticating with the S3 bucket | S3_SECRET_KEY | |
CACHE_STALE_TIME_SECONDS | Defines how long cached results remain valid before being considered stale | 86400 (24h) |
Note that you will need an Enterprise License Key for this functionality.
Logging
| Variable | Description | Required? | Default |
|---|---|---|---|
LIGHTDASH_LOG_LEVEL | The minimum level of log messages to display | INFO | |
LIGHTDASH_LOG_FORMAT | The format of log messages | pretty | |
| LIGHTDASH_LOG_OUTPUTS | The outputs to send log messages to | console | |
LIGHTDASH_LOG_CONSOLE_LEVEL | The minimum level of log messages to display on the console | LIGHTDASH_LOG_LEVEL | |
LIGHTDASH_LOG_CONSOLE_FORMAT | The format of log messages on the console | LIGHTDASH_LOG_FORMAT | |
LIGHTDASH_LOG_FILE_LEVEL | The minimum level of log messages to write to the log file | LIGHTDASH_LOG_LEVEL | |
LIGHTDASH_LOG_FILE_FORMAT | The format of log messages in the log file | LIGHTDASH_LOG_FORMAT | |
LIGHTDASH_LOG_FILE_PATH | The path to the log file | ./logs/all.log |
Prometheus
| Variable | Description | Required? | Default |
|---|---|---|---|
LIGHTDASH_PROMETHEUS_ENABLED | Enables/Disables Prometheus metrics endpoint | false | |
LIGHTDASH_PROMETHEUS_PORT | Port for Prometheus metrics endpoint | 9090 | |
LIGHTDASH_PROMETHEUS_PATH | Path for Prometheus metrics endpoint | /metrics | |
LIGHTDASH_PROMETHEUS_PREFIX | Prefix for metric names. | ||
LIGHTDASH_GC_DURATION_BUCKETS | Buckets for duration histogram in seconds. | 0.001, 0.01, 0.1, 1, 2, 5 | |
LIGHTDASH_EVENT_LOOP_MONITORING_PRECISION | Precision for event loop monitoring in milliseconds. Must be greater than zero. | 10 | |
LIGHTDASH_PROMETHEUS_LABELS | Labels to add to all metrics. Must be valid JSON |
Security
| Variable | Description | Required? | Default |
|---|---|---|---|
LIGHTDASH_CSP_REPORT_ONLY | Enables Content Security Policy (CSP) reporting only mode. This is recommended to be set to false in production. | true | |
LIGHTDASH_CSP_ALLOWED_DOMAINS | List of domains that are allowed to load resources from. Values must be separated by commas. | ||
LIGHTDASH_CSP_REPORT_URI | URI to send CSP violation reports to. |
Analytics & Event Tracking
| Variable | Description | Required? | Default |
|---|---|---|---|
RUDDERSTACK_WRITE_KEY | RudderStack key used to track events (by default Lightdash’s key is used) | ||
RUDDERSTACK_DATA_PLANE_URL | RudderStack data plane URL to which events are tracked (by default Lightdash’s data plane is used) | ||
RUDDERSTACK_ANALYTICS_DISABLED | Set to true to disable RudderStack analytics | ||
POSTHOG_PROJECT_API_KEY | API key for Posthog (by default Lightdash’s key is used) | ||
POSTHOG_FE_API_HOST | Hostname for Posthog’s front-end API | ||
POSTHOG_BE_API_HOST | Hostname for Posthog’s back-end API |
AI Analyst
These variables enable you to configure the AI Analyst functionality. Note that you will need an Enterprise Licence Key for this functionality.
| Variable | Description | Required? | Default |
|---|---|---|---|
OPENAI_API_KEY | Required for AI Analyst | ||
OPENAI_MODEL_NAME | Required for AI Analyst | ||
OPENAI_EMBEDDING_MODEL_NAME | Required for AI Analyst | ||
AI_COPILOT_ENABLED | Required for AI Analyst | ||
AI_COPILOT_EMBEDDING_SEARCH_ENABLED | Required for AI Analyst | ||
LANGCHAIN_TRACING_V2 | Required for AI Analyst | ||
LANGCHAIN_ENDPOINT | Required for AI Analyst | ||
LANGCHAIN_API_KEY | Required for AI Analyst | ||
LANGCHAIN_PROJECT | Required for AI Analyst |
Slack Integration
These variables enable you to configure the Slack integration.
| Variable | Description | Required? | Default |
|---|---|---|---|
SLACK_SIGNING_SECRET | Required for Slack integration | ||
SLACK_CLIENT_ID | Required for Slack integration | ||
SLACK_CLIENT_SECRET | Required for Slack integration | ||
SLACK_STATE_SECRET | Required for Slack integration |
GitHub Integration
These variables enable you to configure Github integrations
| Variable | Description | Required? | Default |
|---|---|---|---|
GITHUB_PRIVATE_KEY | GitHub private key for GitHub App authentication | ||
GITHUB_APP_ID | GitHub Application ID | ||
GITHUB_CLIENT_ID | GitHub OAuth client ID | ||
GITHUB_CLIENT_SECRET | GitHub OAuth client secret | ||
GITHUB_APP_NAME | Name of the GitHub App | ||
GITHUB_REDIRECT_DOMAIN | Domain for GitHub OAuth redirection |
Organization appearance
These variables allow you to customize the default appearance settings for your Lightdash instance’s organizations. This color palette will be set for all organizations in your instance. You can’t choose another one while these env vars are set.
| Variable | Description | Required? | Default |
|---|---|---|---|
OVERRIDE_COLOR_PALETTE_NAME | Name of the default color palette | ||
OVERRIDE_COLOR_PALETTE_COLORS | Comma-separated list of hex color codes for the default color palette (must be 20 colors) |
Initialize instance
When a new Lightdash instance is created, and there are no orgs and projects. You can initialize a new org and project using ENV variables to simplify the deployment process.
Currently we only support Databricks project types and Github dbt configuration.
| Variable | Description | Required? | Default |
|---|---|---|---|
LD_SETUP_ADMIN_NAME | Name of the admin user for initial setup | Admin User | |
LD_SETUP_ADMIN_EMAIL | Email of the admin user for initial setup | ||
LD_SETUP_ORGANIZATION_EMAIL_DOMAIN | Email domain for the organization whitelisting | ||
LD_SETUP_ORGANIZATION_DEFAULT_ROLE | Default role for new organization members | viewer | |
LD_SETUP_ORGANIZATION_NAME | Name of the organization | ||
LD_SETUP_ADMIN_API_KEY | API key for the admin user | ||
LD_SETUP_API_KEY_EXPIRATION | Number of days until API key expires (0 for no expiration) | 30 | |
LD_SETUP_PROJECT_NAME | Name of the project | ||
LD_SETUP_PROJECT_CATALOG | Catalog name for Databricks project | ||
LD_SETUP_PROJECT_SCHEMA | Schema/database name for the project | ||
LD_SETUP_PROJECT_HOST | Hostname for the Databricks server | ||
LD_SETUP_PROJECT_HTTP_PATH | HTTP path for Databricks connection | ||
LD_SETUP_PROJECT_PAT | Personal access token for Databricks | ||
LD_SETUP_START_OF_WEEK | Day to use as start of week | SUNDAY | |
LD_SETUP_PROJECT_COMPUTE | JSON string with Databricks compute configuration like {"name": "string", "httpPath": "string"} | ||
LD_SETUP_DBT_VERSION | Version of dbt to use (eg: v1.8) | latest | |
LD_SETUP_GITHUB_PAT | GitHub personal access token | ||
LD_SETUP_GITHUB_REPOSITORY | GitHub repository for dbt project | ||
LD_SETUP_GITHUB_BRANCH | GitHub branch for dbt project | ||
LD_SETUP_GITHUB_PATH | Subdirectory path within GitHub repository | / |
In order to login as the admin user using SSO, you must enable the following ENV variable too:
This will alow you to link your SSO account with the email provided without using an invitation code.
This email will be trusted, and any user with an OIDC account with that email will access the admin user.