Configuration reference
NuGetKeep is configured through environment variables (and a writable /data volume).
The most common settings:
| Variable | Meaning |
|---|---|
| `NUGETKEEP_BOOTSTRAP_APIKEY` | Pins the first admin API key (else generated & logged once). |
| `NUGETKEEP_DB_PROVIDER` | Database provider: Sqlite (default) or Postgres. See Choosing a database. |
| `NUGETKEEP_DB_CONNECTION` | The connection string — SQLite file form, or Npgsql keyword form (Host=…;Database=…;Username=…;Password=…) for Postgres. Required when the provider is Postgres. |
| `NUGETKEEP_STORAGE_PROVIDER` | Package blob storage: FileSystem (default), S3 (any S3-compatible store), or AzureBlob. See Choosing package storage. |
| `NUGETKEEP_S3_ENDPOINT` | Custom S3-compatible endpoint URL (MinIO, R2, …). Empty means real AWS S3, addressed by NUGETKEEP_S3_REGION. |
| `NUGETKEEP_S3_BUCKET` | The S3 bucket for package blobs. Required when the provider is S3. |
| `NUGETKEEP_S3_ACCESS_KEY` / `_SECRET_KEY` | Static S3 credentials. Leave empty on AWS to use the IAM role / default credential chain. |
| `NUGETKEEP_AZURE_BLOB_CONNECTION` | Azure Storage connection string. Required when the provider is AzureBlob. |
| `NUGETKEEP_AZURE_BLOB_CONTAINER` | The Azure Blob container (default nugetkeep). |
| `NUGETKEEP_OIDC_AUTHORITY` | OIDC issuer URL. Set with CLIENT_ID to enable SSO. |
| `NUGETKEEP_OIDC_CLIENT_ID` / `_CLIENT_SECRET` | OIDC client credentials. |
| `NUGETKEEP_BOOTSTRAP_ADMINS` | Comma-list of emails/subjects auto-granted Admin on first login. |
| `NUGETKEEP_LICENSE_KEY` | Enterprise license JWT (see Licensing). |
| `NuGetKeep__MaxPackageSizeBytes` | Max .nupkg push size (default 256 MB). |
| `NUGETKEEP_DOWNLOAD_FLUSH_INTERVAL` | How often buffered download counts are written to the database — plain seconds or a TimeSpan like 00:00:30 (default 30 seconds). |
| `NUGETKEEP_METRICS_ENABLED` | Exposes the Prometheus scrape endpoint at /metrics (default true). Set false to disable. |
Roles: Reader (browse), Publisher (package:push, package:unlist), Admin
(everything, incl. user & key management). NuGetKeep’s database is the source of truth for a
user’s role; the IdP only authenticates. See Identity & SSO.
Notation: keys like `NuGetKeep:LicensePath` are ASP.NET Core configuration keys. In an environment variable they use a double underscore — `NuGetKeep__LicensePath`. The database and storage settings also have section forms (`Persistence__Provider`, `Storage__Provider`, `Storage__S3__Bucket`, …); the flat `NUGETKEEP_DB_*` / `NUGETKEEP_STORAGE_*` / `NUGETKEEP_S3_*` / `NUGETKEEP_AZURE_BLOB_*` variables take precedence when both are set.
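As an added example (not part of NuGetKeep or its documentation), this Python preflight check applies the "required when" rules from the table and the precedence note above to a set of environment variables. The flat-to-section pairings are assumed from the variable names, empty values are treated as unset, provider names are compared case-insensitively, and the function names and finding codes are hypothetical.

```python
import os

# Flat variable -> section form (pairing assumed from the names on the page).
SECTION_FORMS = {
    "NUGETKEEP_DB_PROVIDER": "Persistence__Provider",
    "NUGETKEEP_STORAGE_PROVIDER": "Storage__Provider",
    "NUGETKEEP_S3_BUCKET": "Storage__S3__Bucket",
}

def effective(env, flat):
    """Value in effect: the flat variable wins over its section form."""
    return env.get(flat) or env.get(SECTION_FORMS[flat], "")

def check(env):
    """Return (code, message) findings. Empty values count as unset (assumption)."""
    out = []
    for flat, section in SECTION_FORMS.items():
        if env.get(flat) and env.get(section) and env[flat] != env[section]:
            out.append(("shadowed", f"{section} is ignored, {flat} takes precedence"))
    db = (effective(env, "NUGETKEEP_DB_PROVIDER") or "Sqlite").lower()
    if db == "postgres" and not env.get("NUGETKEEP_DB_CONNECTION"):
        out.append(("db-connection", "Postgres requires NUGETKEEP_DB_CONNECTION"))
    storage = (effective(env, "NUGETKEEP_STORAGE_PROVIDER") or "FileSystem").lower()
    if storage == "s3":
        if not effective(env, "NUGETKEEP_S3_BUCKET"):
            out.append(("s3-bucket", "S3 requires NUGETKEEP_S3_BUCKET"))
        access, secret = (bool(env.get("NUGETKEEP_S3_" + k)) for k in ("ACCESS_KEY", "SECRET_KEY"))
        if access != secret:
            out.append(("s3-half-credentials", "set both static S3 keys or neither"))
        elif access and not env.get("NUGETKEEP_S3_ENDPOINT"):
            out.append(("s3-static-on-aws", "static keys on real AWS S3; empty keys use the IAM role"))
    if storage == "azureblob" and not env.get("NUGETKEEP_AZURE_BLOB_CONNECTION"):
        out.append(("azure-connection", "AzureBlob requires NUGETKEEP_AZURE_BLOB_CONNECTION"))
    if bool(env.get("NUGETKEEP_OIDC_AUTHORITY")) != bool(env.get("NUGETKEEP_OIDC_CLIENT_ID")):
        out.append(("oidc-incomplete", "SSO needs OIDC_AUTHORITY and OIDC_CLIENT_ID together"))
    if env.get("NUGETKEEP_METRICS_ENABLED", "true").lower() != "false":
        out.append(("metrics-anonymous", "/metrics is enabled and served anonymously"))
    return out

# Constructed sample environment, not taken from a real deployment.
SAMPLE = {
    "NUGETKEEP_DB_PROVIDER": "Postgres", "Persistence__Provider": "Sqlite",
    "NUGETKEEP_STORAGE_PROVIDER": "S3", "NUGETKEEP_S3_ACCESS_KEY": "EXAMPLE-ACCESS-KEY",
    "NUGETKEEP_OIDC_AUTHORITY": "https://idp.example.com",
}

if __name__ == "__main__":
    for code, message in check(os.environ):  # run inside the container's environment
        print(f"{code}: {message}")
```

Only the three section forms named on this page are recognised, so a setting supplied through any other section form is reported as missing.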
Monitoring
NuGetKeep ships Kubernetes-style health probes (/health/live, /health/ready) and an
OpenTelemetry-powered Prometheus scrape endpoint at /metrics — anonymous, on by default,
disabled with NUGETKEEP_METRICS_ENABLED=false. The scrape includes ASP.NET Core request
metrics, .NET runtime metrics, and NuGetKeep’s own counters, labelled by feed (never by
package, so cardinality stays bounded):
- `nugetkeep_packages_pushed_total` — versions successfully pushed
- `nugetkeep_packages_quarantined_total` — pushes quarantined by the supply-chain gate
- `nugetkeep_packages_released_total` — versions released from quarantine
- `nugetkeep_package_downloads_total` — successful `.nupkg` downloads
A minimal Prometheus scrape config:
```yaml
scrape_configs:
  - job_name: nugetkeep
    static_configs:
      - targets: ["nugetkeep.example.com:8080"]
```