Deploying Backend

MongoDB configs

This section defines the data storage settings for the instance. Most options are straightforward. The MaxJobs setting specifies the maximum number of concurrent connections used during intensive database operations, such as data ingestion. Regular, lightweight operations are not limited by this setting.

If you're running in a cluster mode, keep in mind that MaxJobs refers to the number of connections EACH instance will maintain - not the total across the entire cluster. Be sure to scale this setting appropriately.

For example, if MaxJobs is set to 10, a single instance will hold open up to 10 connections during intensive operations like data ingestion, until the task completes. Other quick tasks (such as typical CRUD operations) are not limited by this setting and may use additional connections. This means the total number of connections can exceed 10, but only 10 will be dedicated to heavy operations.

In a cluster with three instances, each maintaining 10 ingestion connections, the total number of concurrent connections across the cluster would be 30.

Redis configs

Redis configuration is simple, with only the host and port to be set. As of now no authentication or ACL is supported. If the redis server is a cluster, set the Cluster to true.

Keycloak configs

The primary OIDC provider for CV3 must be a Keycloak server, rather than a different OIDC provider. This is because CV3 relies not only on standard OIDC flows for user authentication, but also on Keycloak-specific configurations and features to manage users and access tokens.

The configuration includes all required information to connect to the Keycloak server. It also specifies the backend service URL and a list of all supported redirect URIs. Note that the client secret is not stored in the configuration file - it is securely managed within HashiCorp Vault.

Vault configs

Within a single HashiCorp Vault server, multiple secret engines can exist, and several applications may share the same engine. For CV3, two specific secret engines are required:

• A transit engine, used to store user keys and handle encryption/decryption of data payloads.

• A KV (Key-Value) engine, used to store other secrets such as the Keycloak client secret.

The TransitPath defines the path to the transit engine, while KV2Path defines the path to the KV engine. The KV2Prefix is the prefix applied to all keys stored in the KV engine.

It’s recommended to isolate access between different applications using Vault by applying Vault policies to distinct path prefixes.

CORS configs

The only setting that typically needs to be updated in the CORS configuration is the AllowedOrigin header. Once the external URLs are finalised, this should be set to the origin(s) where the frontend is hosted. Avoid changing the other headers unless you have a specific reason to extend the allowed methods or headers. Do not remove any existing headers, as this may prevent the backend from functioning correctly when accessed via a web browser.

Metrics configs

The CV3 backend includes built-in support for Prometheus metrics collection, exporting several application-level metrics. These do not conflict with or duplicate metrics from other sources, such as MongoDB exporters. When enabled, metrics will be collected and made available at the specified sub-path. If the Key parameter is set, access to the metrics endpoint will require an Authorization header containing the API key. Prometheus can be configured to use bearer authentication to scrape this endpoint.

Email configs

This configuration is essential, as the CV3 backend relies on email to notify admins about important events - such as access requests or critical issues like database inconsistencies. Most hosting environments include a built-in SMTP server; if not, it's recommended to use a third-party service that supports SMTP delivery. If this configuration is missing or misconfigured, CV3 will be unable to send alerts or deliver user credentials. As a result, key features such as BEACON endpoints, Nexus mode, and access request handling may fail silently.

Legacy configs

This section controls legacy features for compatibility with Cafe Variome V2 (CV2) instances. Nexus mode refers to the functionality previously known as Cafe Variome Net - a centralised network server that facilitates federation between CV2 nodes. When Nexus mode is enabled, this CV3 instance can act as the net server for CV2 instances, allowing admins to manage them via the Nexus page.

The access token field is used for a service account and requires a recent version of the CV2 codebase. It secures communication between CV2 and CV3. The Query option determines whether CV2 instances are allowed to send queries to this CV3 instance:

• When Query is set to true, the CV3 instance will appear as an installation named nexus in the CV2 networks and will accept incoming queries from CV2 nodes. However, it will not federate these queries outward, as the access control models differ between CV2 and CV3.

• When Query is set to false, CV2 instances cannot query this CV3 instance. However, CV3 will still be able to query CV2 instances automatically, if Nexus mode is enabled.

Logging configs

This configures the logging behaviour of the CV3 server. It sets the log level for the Quart application, which controls how application-level logs are captured. Note that this does not affect the ASGI server used to run the app - you’ll need to configure that separately depending on which ASGI server you're using. If desired, logs can also be forwarded to external systems using SplunkHEC or Loki, enabling integration with log analysis tools for real-time processing and monitoring.

CV3’s built-in file logger supports automatic log rotation. When a log file exceeds the limit set by MaxBytes, it is rotated, and a new log file is started. The number of archived log files kept is defined by BackupCount. Once this limit is reached, the oldest log file is deleted, helping prevent excessive disk usage over time.