/root/.barracuda.cnf reference

/root/.barracuda.cnf is the master host-level BOA configuration file. Every variable here applies system-wide — it affects every Octopus instance on the host unless overridden per-instance in octopus.cnf.

The functional defaults live in BOA source at lib/settings/barracuda.sh.cnf, which BOA sources on every barracuda pass. That file is authoritative for every variable name, default, and the condition under which each default applies. This page is the topical guide by family.

Two categories

Install-time-only — set once at initial install, NOT overridden on barracuda upgrade. Examples: _EASY_HOSTNAME, _MY_OWNIP, _THIS_DB_HOST. Changing these after install requires manual care.

Upgrade-honoured — re-read on every barracuda upgrade. Most operational variables fall here. Override is straightforward: edit the file, run barracuda up-lts.

Variable families

Host identity (install-time-only)

_EASY_HOSTNAME       FQDN, DNS-wildcard-enabled hostname (default placeholder
                       "wildcard-enabled-hostname")
_EASY_SETUP          PUBLIC (default) | LOCAL — install mode selector
_LOCAL_NETWORK_HN    Hostname for localhost mode (default empty)
_LOCAL_NETWORK_IP    Web server IP for localhost mode (default empty)
_MY_FRONT            Ægir frontend web address (default empty = use FQDN)
_MY_HOSTN            Server FQDN hostname (default empty = auto-detect)
_MY_OWNIP            Web server IP (default empty = auto-detect)
_SMTP_RELAY_HOST     SMTP relay host, no auth (default empty)
_SMTP_RELAY_TEST     YES (default) / NO — skip SMTP availability tests
_THIS_DB_HOST        localhost (default) | FQDN | literal name (→ remote-DB mode)

_THIS_DB_HOST is sensitive: localhost/FQDN are keywords, but any literal hostname switches on the experimental Remote DB Server Mode.

Operator identity + behaviour

_MY_EMAIL            System-admin email (default "notify@omega8.cc") —
                       install/upgrade notifications
_AUTOPILOT           YES / NO (default NO) — answer Y to every prompt (silent mode)
_DEBUG_MODE          YES / NO (default NO) — verbose Drush backend report
_DL_MODE             BATCH (default) | GIT | OLD — installer source preference
_INCIDENT_REPORT     OFF | ALL | MINI (default) | CRIT — monitor incident
                       notification depth (legacy NO→OFF, YES→MINI)
_XTRAS_LIST          Optional add-on packages (default empty) — see XTRAS list page

_XTRAS_LIST is the master add-on selector; its tokens and install modes are documented on _XTRAS_LIST & install modes.

CPU + load thresholds

_CPU_CRIT_RATIO      Per-core max 1-min load before killing PHP/Drush/Wget/Curl
                       (default 6.1)
_CPU_MAX_RATIO       Per-core max load before disabling Nginx (default 4.1)
_CPU_TASK_RATIO      Per-core max load to launch the task queue (default 3.1)
_CPU_SPIDER_RATIO    Per-core max load before blocking spiders (default 2.1)

These thresholds drive the host-level load-shedding in the monitor agent — see Monitoring & self-healing.

Database (Percona)

_DB_SERVER             Percona (default) | MySQL Server (from Trixie)
_DB_SERIES             5.7 (default) | 8.0 | 8.4
_DB_BINARY_LOG         YES / NO (default NO — disabled so CiviCRM tasks work;
                         ignored when _CUSTOM_CONFIG_SQL=YES)
_CUSTOM_COLLATION_SQL  Server-level collation override (default empty → the DB
                         server's utf8mb4_unicode_ci is used)
_SQL_LOW_MAX_TTL       Max TTL (seconds) per "problematic user" mysql process
                         listed in /etc/boa/.sql.problematic.users.cnf — the live
                         reader checks /etc/boa, this marker is in the migrated set
                         (default 60)
_SQL_MAX_TTL           Max TTL per user mysql process (default 3600; auto-lowered
                         to 1800 or 300 depending on .high_load.cnf / .big_db.cnf)
_USE_MYSQLTUNER        YES / NO (default NO) — use MySQLTuner to size limits

Full DB topic → Database.

Install behaviour

_DNS_SETUP_TEST      YES (default) / NO — skip DNS testing
_EXTRA_PACKAGES      Extra apt packages to install (default empty)
_FORCE_GIT_MIRROR    "" (default) | github | gitlab — pin a preferred git mirror
_LOCAL_DEBIAN_MIRROR Force non-default Debian mirror (default empty)
_LOCAL_DEVUAN_MIRROR Force non-default Devuan mirror (default empty)
_NEWRELIC_KEY        New Relic license (default empty; presence enables agent)
_MAGICK_FROM_SOURCES YES / NO (default NO) — build ImageMagick from source (webp)
_ENABLE_GOACCESS     YES / NO (default NO) — generate stats with GoAccess

Nginx DoS protection

_NGINX_DOS_LINES        access.log lines to check (default 1999)
_NGINX_DOS_LIMIT        Per-IP page-views limit out of the last 1999; on hit the
                          IP is denied for 1 h via /etc/csf/csf.deny (default 399)
_NGINX_DOS_MODE         1 | 2 — DoS-counter algorithm (default 2; mode 1 adds an
                          extra +5 to the per-IP counter for POST to /user
                          (register/pass/login) or /node/add, and +5 for GET to
                          /node/add or /search)
_NGINX_DOS_LOG          SILENT (default) | NORMAL | VERBOSE — detector verbosity
_NGINX_DOS_IGNORE       Regex; a matching access.log line is ignored
                          (default "doccomment")

autoupboa normalises _NGINX_DOS_LIMIT back to the current default of 399 on each pass (it hard-sets the line to 399).

scan_nginx IDS knobs

These tune the scan_nginx.sh intrusion-detection scoring. The script defines its own defaults and also reads /root/.barracuda.cnf, so they are overridable here; autoupboa seeds the increment knobs into the .cnf on upgrade. Full explanation on the Abuse guard topic.

_NGINX_DOS_DIV_INC_NR           Divisor used to derive the per-request increment
                                  from _NGINX_DOS_LIMIT (default 40 in scan_nginx.sh)
_NGINX_DOS_INC_MIN              Floor for the computed increment; scan_nginx.sh
                                  re-defaults an invalid value to 3 (default 3)
_NGINX_DOS_IGNORE_PATHS         Space-separated webhook/API endpoints exempt from
                                  IDS banning. Ships defaults
                                  (/shopify/webhook /quickbooks/webhook
                                  /stripe/webhook /paypal/webhook /github/webhook
                                  /gitlab/webhook /graphql /public-api /oauth2).
                                  Setting here REPLACES the default list.
_NGINX_PHP_PROBE_WEIGHT         Webshell *.php-probe fast-ban weight
                                  (default _NGINX_DOS_LIMIT / 3)
_NGINX_PATH_FLOOD_IP_THRESHOLD  Distinct IPs hitting one path prefix (200 and 444
                                  responses) in the scan window before a path
                                  flood is declared (default 30; declaration alone
                                  never bans — a per-IP gate decides who is blocked)
_NGINX_DOS_STOP      SQL-injection-keyword regex matched by scan_nginx.sh against
                       each access.log line; on match it adds a full
                       _NGINX_DOS_LIMIT to the per-IP counter (an immediate ban),
                       not the small per-request increment. Default catches
                       blind-timing and encoded SQLi probes
                       (`WAITFOR.DELAY|DECLARE.*@x|/**/|%27.*%29.*%3B|0x[0-9a-f]{6}`).

Full Nginx topic → Nginx internals.

PHP version management

_PHP_MULTI_INSTALL   Space-separated PHP versions to install (default "8.3 8.4 8.5")
_PHP_SINGLE_INSTALL  Single version; if set, overrides _PHP_MULTI_INSTALL,
                       _PHP_FPM_VERSION, _PHP_CLI_VERSION (default empty)
_PHP_CLI_VERSION     Default PHP-CLI version (default 8.4)
_PHP_FPM_VERSION     Default PHP-FPM version (default 8.4)
_PHP_FPM_DENY        Per-host disable_functions list; empty denies only `passthru`,
                       a non-empty value REPLACES that default (default empty)

Full PHP-FPM topic → PHP-FPM & performance.

Nginx + PHP build options

_NGINX_EXTRA_CONF    Custom configure-flags appended to Nginx build (default empty)
_NGINX_FORWARD_SECRECY  YES (default) / NO — PFS support (also forces OpenSSL+cURL)
_NGINX_HEADERS       YES / NO (default NO) — install Headers More module
_NGINX_LDAP          YES / NO (default NO) — install LDAP support
_NGINX_NAXSI         YES / NO (default NO) — install NAXSI WAF (experimental)
_NGINX_SPDY          YES (default) / NO — SPDY (also forces OpenSSL+cURL)
_NGINX_WORKERS       AUTO (default) | <integer> — override worker_processes
_PHP_EXTRA_CONF      Custom configure-flags appended to PHP build (default empty)
_PHP_FPM_WORKERS     AUTO (default) | <integer> — override pm.max_children
_PHP_IONCUBE         YES / NO (default NO) — install ionCube loader for all PHP
_PHP_MONGODB         YES / NO (default NO) — build MongoDB driver for all PHP
                       (equivalent to the MNG xtras token)

_PHP_GEOS is not a current control variable — the GEOS extension (php-geos 1.0.0) is built unconditionally for every PHP version except 5.6, and the old _PHP_GEOS=YES gate is read nowhere in the live code.

ICU / intl pin (_ICU_FORCE_VRN)

Off by default — the template ships no value; the var is read from /root/.barracuda.cnf by system.sh.inc. Advanced; for single-tenant dedicated boxes only. When set (dashed form, e.g. 73-1), BOA builds/links ICU at this version on all PHP versions and rebuilds the PHP intl extension against it, via apply / precheck / retire phases. It is a holding pattern to keep a legacy Drupal 7 site running after a system ICU bump without forcing a client codebase upgrade. Unset = per-OS default, no behaviour change. The pin is global per box, has a shelf life, and is NOT auto-carried on migration. Full procedure → OS lifecycle.

Auto-upgrade scheduling

These variables are not read by barracuda itself — they are consumed by autoupboa, which renders the /etc/crontab auto-upgrade lines. On a hosted BOA system autoupboa overrides them with fixed values, so they apply only on self-managed hosts.

_AUTO_VER            lts | pro | dev — release tier; maps to barracuda/octopus
                       up-<tier>. When empty, defaults to the build tier (${_tRee})
_AUTO_PHP            php-min | php-all | php-max — which PHP versions the
                       auto-upgrade rebuilds (otherwise no php argument is added)
_AUTO_UP_WEEKLY      Weekday (1-7) for the weekly system-only upgrade
_AUTO_UP_MONTH       Month (1-12) for the one-time full upgrade
_AUTO_UP_DAY         Day (1-31) for the one-time full upgrade
_AUTO_UP_HOUR        Hour (0-23) for the barracuda upgrade (default 0 when the
                       weekly/month/day trio is set)
_AUTO_UP_MINUTE      Minute (0-59) for the barracuda upgrade (default 15)
_AUTO_OCT_UP_HOUR    Hour for the octopus upgrade (default 1)
_AUTO_OCT_UP_MINUTE  Minute for the octopus upgrade (default 15)

The weekly system upgrade is scheduled only when _AUTO_UP_WEEKLY, _AUTO_UP_MONTH, and _AUTO_UP_DAY are all set; the hour/minute defaults above fill in only then.

Redis / Valkey (cache backend)

_REDIS_LISTEN_MODE     SOCKET (default, recommended) | PORT | remote IP
_REDIS_MAJOR_RELEASE   5 | 6 | 7 (default 7)
_VALKEY_LISTEN_MODE    SOCKET (default, recommended) | PORT | remote IP
_VALKEY_MAJOR_RELEASE  7 | 8 | 9 (default 9)

A non-default IP in either *_LISTEN_MODE switches all instances to a remote cache server and permanently disables the local one.

Runtime defaults applied by BOA (not operator variables): the cache instance runs as a cache, not a datastore. Persistence is disabled — no RDB snapshots (save "") — and the eviction policy is maxmemory-policy volatile-lfu. BOA enforces both on Valkey (/etc/valkey/valkey.conf) and Redis (/etc/redis/redis.conf) on each upgrade pass, restarting the service only when a value changed. To keep BOA from re-writing either file, set _CUSTOM_CONFIG_VALKEY=YES / _CUSTOM_CONFIG_REDIS=YES (below).

SSH

_SSH_ARMOUR        YES / NO (default NO) — stricter OpenSSH hardening (needs
                     _SSH_FROM_SOURCES=YES)
_SSH_FROM_SOURCES  YES (default) / NO — build OpenSSH from source (Debian only)
_SSH_PORT          22 (default) or any other valid port (also rewrites CSF)

Security + maintenance

_SKYNET_MODE             ON (default) / OFF — gates autoupboa self-update
_PERMISSIONS_FIX         YES (default) / NO — daily site file-permission re-fix
_MODULES_FIX             YES (default) / NO — the modules enable/disable enforcement
_MODULES_SKIP            Modules never auto-disabled (default empty; safelist)
_CLEAR_BOOST             YES (default) / NO — clear boost caches daily
_STRICT_BIN_PERMISSIONS  YES (default) / NO — aggressively protect /usr/local/bin
                           and other root-group binaries
_STRONG_PASSWORDS        YES (=64, default) | NO (=32) | integer 32-128
_RESERVED_RAM            MB reserved for non-BOA apps when sizing memory (default 0;
                           if unset BOA auto-reserves 1/4 of RAM)
_SPEED_VALID_MAX         Speed Booster max cache TTL in seconds (default 3600)

The _MODULES_* variables feed the enforcement detailed on the Drupal module support matrix.

Nightly maintenance (owl.sh)

_NIGHT_PARALLEL      YES / NO (default NO) — process Octopus accounts in
                       parallel during the nightly owl.sh run instead of serially
_NIGHT_MAX_PARALLEL  Max accounts processed concurrently when _NIGHT_PARALLEL=YES
                       (default empty = CPU core count; a non-numeric value is
                       sanitised to 1)
_LE_CLIENT_NOTIFY    YES (default) / NO — client-facing Let's Encrypt
                       renewal-failure notices from the nightly per-account run

With _NIGHT_PARALLEL=YES, each parallel launch waits for both a free slot and load headroom under the per-core ceiling _CPU_TASK_RATIO (owl.sh compares the current load against _O_LOAD_MAX = _CPU_TASK_RATIO × 100) — designed to wait for an overloaded account rather than skip it — and each account logs to its own file.

_LE_CLIENT_NOTIFY gates the notices sent to the affected account's client when a site's certificate renewal fails, throttled to once per 7 days per failing site. Only the value NO disables (case-insensitive, quotes/whitespace stripped — any other value including empty leaves notices ON); a per-account _LE_CLIENT_NOTIFY line in /root/.<user>.octopus.cnf overrides the global for that account.

These three, plus _CLEAR_BOOST above, are persistent cnf lines (post-5.10.3): written into a fresh /root/.barracuda.cnf at install and appended with their defaults on upgrade when the line is absent, so existing servers pick up no-op default lines automatically. The nightly run itself is documented on Nightly owl run.

Files-symlinking nightly automation

_AUTOSYMLINK_NIGHTLY      YES / NO (default NO) — nightly
                            `updatesymlinks --auto-fix` run
_ORPHAN_FILES_REPORT      YES / NO (default NO) — read-only daily orphaned-files
                            report emailed to _MY_EMAIL, only when orphaned
                            static/files entries are found
_AUTOSYMLINK_PAUSE_GRACE  Seconds updatesymlinks holds after pausing the Aegir
                            task queue before draining in-flight provision tasks
                            (runtime default 240; 0 = skip the wait)

The auto-fix run converts not-yet-symlinked site files/private dirs into the per-account static store and self-heals partly-symlinked sites. It is served by the root cron line 47 0-5,22,23 * * * — retried hourly through the night, scheduled clear of the 6-hourly duplicity backups; the first unblocked hour does the work and stamps the night done. The run is skipped while backups, provision tasks, or high load are active. The orphan report rides the same cron line and never converts or deletes; with only _ORPHAN_FILES_REPORT set, the run does the report alone.

Unlike the two toggles, _AUTOSYMLINK_PAUSE_GRACE is NOT persisted or templated anywhere — add the line to /root/.barracuda.cnf manually to override (updatesymlinks sources that file).

Seeding rule: on hosts whose hostname ends in .aegir.cc (the omega8.cc-hosted fleet) BOTH toggles are seeded to YES — but only when the line is not already present in the cnf, so an operator-set NO sticks and is never forced back. The switch keys on the hostname only, never on /root/.host8.cnf, so remotely-managed boxes are not swept in. Both toggles are persistent: written at install and appended with defaults on upgrade when absent. Mode semantics → Nightly automation and Configuration.

Nightly ghost-cleanup flags (dry-run by default)

Seven persistent host-wide flags, all default NO = detect-and-log only (dry-run). YES lets the nightly run move the item aside reversibly — the nightly cleanup itself never deletes anything.

_SHARED_CODEBASES_CLEANUP  Move unused legacy D6/D7 shared codebases under
                             /data/all into a codebases-cleanup backup dir
                             (/var/backups/codebases-cleanup, or
                             /data/disk/codebases-cleanup when /data/all is a
                             symlink)
_GHOST_CODEBASES_CLEANUP   Move orphaned trees under distro/ with no detectable
                             Drupal docroot at root or web/, docroot/, html/
                             into /var/backups/ghost-codebases-cleanup
_GHOST_PLATFORMS_CLEANUP   Move ghost/empty platform Drush aliases into the
                             undo/ dir
_GHOST_VHOSTS_CLEANUP      Move nginx vhosts with no matching site alias into
                             undo/
_GHOST_SITES_CLEANUP       Move a ghost site registration — alias + vhost —
                             whose site dir is gone
_GHOST_SITE_FILES_CLEANUP  ALSO move that ghost site's leftover files directory
                             (kept separate and default NO because it touches
                             data)
_GHOST_ALIASES_CLEANUP     Move stale per-site alias copies in the
                             limited-shell FTPS user tree

Caveat: on omega8.cc-hosted systems the moved-aside codebases-cleanup dir is pruned after 7 days, so recover promptly there; elsewhere pruning is manual.

The last five have per-account overrides in /root/.<user>.octopus.cnf; the first two are system-wide only. All seven are seeded idempotently into the live cnf on install and upgrade without clobbering operator-set values. Detection logic and safeguards — the always-on _provision_running interlock, consecutive-run confirmation, dry-run log line format — live on Ghost cleanup.

Custom-config protection flags

Tell the BOA upgrade tooling not to overwrite the named service's config when the operator has made manual edits. Set to YES after customising the config; all default to NO.

_CUSTOM_CONFIG_CSF       YES / NO — protect custom CSF config
_CUSTOM_CONFIG_LSHELL    YES / NO — protect custom Limited Shell config
_CUSTOM_CONFIG_VALKEY    YES / NO — protect custom Valkey config
_CUSTOM_CONFIG_REDIS     YES / NO — protect custom Redis config
_CUSTOM_CONFIG_SQL       YES / NO — protect custom SQL config (also makes
                           _DB_BINARY_LOG a no-op)

Force-reinstall flags

One-shot flags that force the named subsystem to reinstall from scratch on next barracuda upgrade. All default to NO.

_NGX_FORCE_REINSTALL     YES / NO — reinstall Nginx
_PHP_FORCE_REINSTALL     YES / NO — reinstall all PHP versions
_SQL_FORCE_REINSTALL     YES / NO — reinstall Percona / MySQL
_SSL_FORCE_REINSTALL     YES / NO — reinstall OpenSSL/cURL; when YES it also
                           forces _NGX_FORCE_REINSTALL, _PHP_FORCE_REINSTALL and
                           OpenSSH (sets them to YES internally; the same
                           cascade fires for _FULL_FORCE_REINSTALL=YES)
_FULL_FORCE_REINSTALL    YES / NO — reinstall everything from sources

All force-reinstall flags are transient one-shots at the file level: the config-cleanup pass scrubs EVERY *_FORCE_REINSTALL line — _NGX, _PHP, _SQL, _SSL, _SSH, _GIT and _FULL — from the live /root/.barracuda.cnf during each run (the values already sourced into memory still act during that run). Set the line to YES, run barracuda, and the flag is consumed and the line removed — it never persists across runs, which is why the cnf writers deliberately never persist any *_FORCE_REINSTALL line. _SSH_FORCE_REINSTALL is honoured and scrubbed the same way even though the settings template lists only _NGX/_PHP/_SQL/_SSL/_FULL; _GIT_FORCE_REINSTALL (reinstall Git tooling) is normally only added programmatically, so you do not set it by hand.

Aegir / system upgrade scope

_AEGIR_UPGRADE_ONLY   YES / NO (default NO) — run only the Ægir-side upgrade steps
_SYSTEM_UP_ONLY       YES / NO (default NO) — run only the system-side upgrade steps

Internal OS-version transition markers

Set by hand (or by the OS-upgrade tooling) to trigger a major dist-upgrade between release codenames; all default to NO. Flip exactly one to YES for the intended jump.

_JESSIE_TO_STRETCH       _STRETCH_TO_BUSTER       _BUSTER_TO_BULLSEYE
_BULLSEYE_TO_BOOKWORM    _BOOKWORM_TO_TRIXIE
_JESSIE_TO_BEOWULF       _STRETCH_TO_BEOWULF      _BUSTER_TO_BEOWULF
_BEOWULF_TO_CHIMAERA     _BULLSEYE_TO_CHIMAERA
_CHIMAERA_TO_DAEDALUS    _BOOKWORM_TO_DAEDALUS
_DAEDALUS_TO_EXCALIBUR   _TRIXIE_TO_EXCALIBUR

See OS lifecycle for the OS-upgrade lifecycle these markers drive.

Editing tips

  1. Make a backup before editing:
    cp /root/.barracuda.cnf /root/.barracuda.cnf.bak
  2. Variables are bash assignments — no quotes on simple values unless they contain whitespace.
  3. Lines starting with # are comments.
  4. Variables take effect on the next barracuda upgrade (or immediately for the few read by per-minute cron tasks).
  5. CLI arguments to barracuda up-lts override the config file — useful for one-off changes.

Related