provisioning/schemas/platform/defaults/common/external-services-defaults.ncl

# External Services Default Configuration
# Per-deployment-mode defaults for database, OCI registry, Git sources, and cache

let es_schema = import "../../common/external-services.ncl" in

{
  # Solo/Development Mode: No external infrastructure
  # - Filesystem storage for orchestrator
  # - Local filesystem for extensions (no OCI)
  # - Local directory cache
  solo | es_schema.ExternalServicesConfig = {
    database = {
      backend = "filesystem",
      path = "~/.provisioning/data/orchestrator",
      retry = true,
    },
    # Solo mode doesn't configure OCI registries or Git sources
    # Extensions are discovered and loaded from local filesystem
    oci_registries = [],
    git_sources = [],
    extension_path = {
      path = "~/.provisioning/extensions",
      writable = true,
    },
    cache = {
      mode = "local",
      path = "~/.provisioning/oci-cache",
    },
  },

  # Multiuser/Team Mode: Local Docker services
  # - SurrealDB server running in local Docker
  # - Zot OCI registry in local Docker
  # - Forgejo Git source in local Docker
  # - Local directory cache
  multiuser | es_schema.ExternalServicesConfig = {
    database = {
      backend = "surrealdb_server",
      connection_string = "ws://localhost:8000",
      namespace = "provisioning",
      database = "main",
      credentials = {
        username = "root",
        password = "root",
      },
      retry = true,
    },
    oci_registries = [
      {
        id = "local-zot",
        registry = "localhost:5000",
        namespace = "provisioning",
        verify_ssl = false,
      },
    ],
    git_sources = [
      {
        id = "local-forgejo",
        provider = "forgejo",
        url = "http://localhost:3000",
        organization = "provisioning",
        token_path = "~/.provisioning/secrets/forgejo-token.txt",
        verify_ssl = false,
      },
    ],
    cache = {
      mode = "local",
      path = "~/.provisioning/oci-cache",
    },
  },

  # CI/CD Mode: Containerized, temporary infrastructure
  # - SurrealDB server (temporary)
  # - Zot OCI registry (temporary)
  # - Forgejo Git source (temporary or external)
  # - Local cache for CI runners
  cicd | es_schema.ExternalServicesConfig = {
    database = {
      backend = "surrealdb_server",
      connection_string = "ws://localhost:8000",
      namespace = "provisioning",
      database = "cicd",
      credentials = {
        username = "cicd",
        password = "cicd_temp",
      },
      retry = true,
    },
    oci_registries = [
      {
        id = "ci-zot",
        registry = "localhost:5000",
        namespace = "provisioning/ci",
        verify_ssl = false,
      },
    ],
    git_sources = [
      {
        id = "ci-forgejo",
        provider = "forgejo",
        url = "http://localhost:3000",
        organization = "provisioning-ci",
        token_path = "/tmp/forgejo-token.txt",
        verify_ssl = false,
      },
    ],
    cache = {
      mode = "local",
      path = "/tmp/provisioning-cache",
    },
  },

  # Enterprise/Production Mode: Remote, high-availability services
  # - SurrealDB cluster (remote, replicated)
  # - Zot OCI registry with failover
  # - Forgejo + GitHub for source diversity
  # - Redis for distributed cache
  # NOTE: These are placeholder values. Users MUST override with actual infrastructure.
  enterprise | es_schema.ExternalServicesConfig = {
    database = {
      backend = "surrealdb_server",
      connection_string = "ws://surrealdb-primary.internal:8000",
      namespace = "provisioning",
      database = "production",
      credentials = {
        username = "provisioning",
        password = "REPLACE_WITH_SECRET_FROM_VAULT",
      },
      retry = true,
      max_retries = "5",
    },
    oci_registries = [
      {
        id = "primary-zot",
        registry = "zot-primary.internal:5000",
        namespace = "provisioning/extensions",
        verify_ssl = true,
      },
      {
        id = "secondary-harbor",
        registry = "harbor-backup.internal:443",
        namespace = "provisioning",
        auth_token_path = "/etc/secrets/harbor-token.txt",
        verify_ssl = true,
      },
    ],
    git_sources = [
      {
        id = "primary-forgejo",
        provider = "forgejo",
        url = "https://forge.internal:3000",
        organization = "provisioning",
        token_path = "/etc/secrets/forgejo-token.txt",
        verify_ssl = true,
      },
      {
        id = "company-github",
        provider = "github",
        organization = "company-provisioning",
        token_path = "/etc/secrets/github-token.txt",
        verify_ssl = true,
      },
    ],
    cache = {
      mode = "remote",
      url = "redis://redis-primary.internal:6379",
    },
  },
}
docs: update README and CHANGELOG for nickel branch (2026-05-12) 2026-05-12 02:23:01 +01:00			`# External Services Default Configuration`
			`# Per-deployment-mode defaults for database, OCI registry, Git sources, and cache`

			`let es_schema = import "../../common/external-services.ncl" in`

			`{`
			`# Solo/Development Mode: No external infrastructure`
			`# - Filesystem storage for orchestrator`
			`# - Local filesystem for extensions (no OCI)`
			`# - Local directory cache`
			`solo \| es_schema.ExternalServicesConfig = {`
			`database = {`
			`backend = "filesystem",`
			`path = "~/.provisioning/data/orchestrator",`
			`retry = true,`
			`},`
			`# Solo mode doesn't configure OCI registries or Git sources`
			`# Extensions are discovered and loaded from local filesystem`
			`oci_registries = [],`
			`git_sources = [],`
			`extension_path = {`
			`path = "~/.provisioning/extensions",`
			`writable = true,`
			`},`
			`cache = {`
			`mode = "local",`
			`path = "~/.provisioning/oci-cache",`
			`},`
			`},`

			`# Multiuser/Team Mode: Local Docker services`
			`# - SurrealDB server running in local Docker`
			`# - Zot OCI registry in local Docker`
			`# - Forgejo Git source in local Docker`
			`# - Local directory cache`
			`multiuser \| es_schema.ExternalServicesConfig = {`
			`database = {`
			`backend = "surrealdb_server",`
			`connection_string = "ws://localhost:8000",`
			`namespace = "provisioning",`
			`database = "main",`
			`credentials = {`
			`username = "root",`
			`password = "root",`
			`},`
			`retry = true,`
			`},`
			`oci_registries = [`
			`{`
			`id = "local-zot",`
			`registry = "localhost:5000",`
			`namespace = "provisioning",`
			`verify_ssl = false,`
			`},`
			`],`
			`git_sources = [`
			`{`
			`id = "local-forgejo",`
			`provider = "forgejo",`
			`url = "http://localhost:3000",`
			`organization = "provisioning",`
			`token_path = "~/.provisioning/secrets/forgejo-token.txt",`
			`verify_ssl = false,`
			`},`
			`],`
			`cache = {`
			`mode = "local",`
			`path = "~/.provisioning/oci-cache",`
			`},`
			`},`

			`# CI/CD Mode: Containerized, temporary infrastructure`
			`# - SurrealDB server (temporary)`
			`# - Zot OCI registry (temporary)`
			`# - Forgejo Git source (temporary or external)`
			`# - Local cache for CI runners`
			`cicd \| es_schema.ExternalServicesConfig = {`
			`database = {`
			`backend = "surrealdb_server",`
			`connection_string = "ws://localhost:8000",`
			`namespace = "provisioning",`
			`database = "cicd",`
			`credentials = {`
			`username = "cicd",`
			`password = "cicd_temp",`
			`},`
			`retry = true,`
			`},`
			`oci_registries = [`
			`{`
			`id = "ci-zot",`
			`registry = "localhost:5000",`
			`namespace = "provisioning/ci",`
			`verify_ssl = false,`
			`},`
			`],`
			`git_sources = [`
			`{`
			`id = "ci-forgejo",`
			`provider = "forgejo",`
			`url = "http://localhost:3000",`
			`organization = "provisioning-ci",`
			`token_path = "/tmp/forgejo-token.txt",`
			`verify_ssl = false,`
			`},`
			`],`
			`cache = {`
			`mode = "local",`
			`path = "/tmp/provisioning-cache",`
			`},`
			`},`

			`# Enterprise/Production Mode: Remote, high-availability services`
			`# - SurrealDB cluster (remote, replicated)`
			`# - Zot OCI registry with failover`
			`# - Forgejo + GitHub for source diversity`
			`# - Redis for distributed cache`
			`# NOTE: These are placeholder values. Users MUST override with actual infrastructure.`
			`enterprise \| es_schema.ExternalServicesConfig = {`
			`database = {`
			`backend = "surrealdb_server",`
			`connection_string = "ws://surrealdb-primary.internal:8000",`
			`namespace = "provisioning",`
			`database = "production",`
			`credentials = {`
			`username = "provisioning",`
			`password = "REPLACE_WITH_SECRET_FROM_VAULT",`
			`},`
			`retry = true,`
			`max_retries = "5",`
			`},`
			`oci_registries = [`
			`{`
			`id = "primary-zot",`
			`registry = "zot-primary.internal:5000",`
			`namespace = "provisioning/extensions",`
			`verify_ssl = true,`
			`},`
			`{`
			`id = "secondary-harbor",`
			`registry = "harbor-backup.internal:443",`
			`namespace = "provisioning",`
			`auth_token_path = "/etc/secrets/harbor-token.txt",`
			`verify_ssl = true,`
			`},`
			`],`
			`git_sources = [`
			`{`
			`id = "primary-forgejo",`
			`provider = "forgejo",`
			`url = "https://forge.internal:3000",`
			`organization = "provisioning",`
			`token_path = "/etc/secrets/forgejo-token.txt",`
			`verify_ssl = true,`
			`},`
			`{`
			`id = "company-github",`
			`provider = "github",`
			`organization = "company-provisioning",`
			`token_path = "/etc/secrets/github-token.txt",`
			`verify_ssl = true,`
			`},`
			`],`
			`cache = {`
			`mode = "remote",`
			`url = "redis://redis-primary.internal:6379",`
			`},`
			`},`
			`}`