
# Vault Service Schema
# Secrets management and encryption configuration
let constraints = import "schemas/platform/common/constraints.ncl" in
let docker_build_schema = import "schemas/platform/docker-build.ncl" in
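# `one_of field allowed` builds a contract that accepts exactly one of the
# strings in `allowed`. `field` is the configuration key named in the error
# message. The five enumerated-string contracts below were previously five
# copies of the same custom contract; sharing one definition keeps the
# accepted set and the "Valid values" list in the message from drifting apart.
let one_of = fun field allowed =>
  std.contract.custom (
    fun _label =>
      fun value =>
        # Rendered from `allowed` so the message always lists the real accepted set.
        let choices = std.string.join " | " allowed in
        if !(std.is_string value) then
          # A non-string value (e.g. a Number) would otherwise fail inside the
          # "%{value}" interpolation with a type error instead of reporting a
          # contract violation; reject it explicitly with the same shape of message.
          'Error {
            message = "Invalid %{field}: expected a String.\nValid values: %{choices}"
          }
        else if std.array.any (fun x => x == value) allowed then
          'Ok value
        else
          'Error {
            message = "Invalid %{field} '%{value}'.\nValid values: %{choices}"
          }
  )
in
# Storage backends the service can persist to (used by both `storage.backend`
# and `vault.storage_backend` below).
let VaultStorage =
  one_of "storage_backend" ["surrealdb", "etcd", "postgresql", "filesystem"]
in
# How the service is deployed.
let DeploymentMode = one_of "deployment_mode" ["local", "docker", "kubernetes"] in
# Log verbosity levels.
let LogLevel = one_of "log level" ["debug", "info", "warn", "error"] in
# High-availability topology.
let HAMode = one_of "HA mode" ["active-passive", "active-active"] in
# Accepted ciphers. All three are AEAD modes, so whichever is chosen the
# payload is authenticated as well as encrypted.
let EncryptionAlgorithm =
  one_of "encryption_algorithm" ["aes-256-gcm", "aes-128-gcm", "chacha20-poly1305"]
in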
{
  # Schema for the vault-service configuration. Every top-level section is
  # optional; inside a section, fields without `optional` or `default` are
  # required once that section is present.
  VaultServiceConfig = {
    # Server configuration (port must be >= 9000 for vault-service)
    # Only `port` carries a range contract (`constraints.port_high`); the other
    # numeric fields accept any Number here.
    server | {
      host | String,
      port | Number | constraints.port_high,
      workers | Number | optional,
      keep_alive | Number | optional,
      max_connections | Number | optional,
    } | optional,
    # Storage backend configuration
    # `encryption_key_path` is a filesystem path, not key material, so the key
    # itself never appears in this config.
    storage | {
      backend | VaultStorage,
      path | String | optional,
      encryption_key_path | String | optional,
    } | optional,
    # Vault-specific settings
    vault | {
      server_url | String,
      # Same `VaultStorage` contract as `storage.backend`, but this one has a
      # default; the two fields are independent and can disagree.
      storage_backend
        | doc "Storage Backend for Vault"
        | VaultStorage
        | default = "filesystem",
      deployment_mode | DeploymentMode | optional,
      # Presumably the token used to authenticate to Vault — confirm with the
      # consumer. It is stored as a plain String, so a rendered config holding
      # it has to be handled as sensitive (restricted permissions, not committed).
      auth_token | String | optional,
      # NOTE(review): defaults look like the Vault transit secrets engine mount
      # and key name — confirm against the service code.
      mount_point | String | default = "transit",
      key_name | String | default = "provisioning-master",
      # NOTE(review): TLS certificate verification is *off* by default. Any
      # deployment that reaches Vault over a network should set this to true
      # (with `tls_ca_cert` for a private CA); the default is left unchanged
      # here only so existing configs keep validating.
      tls_verify | Bool | default = false,
      tls_ca_cert | String | optional,
    } | optional,
    # High Availability configuration
    ha | {
      enabled | Bool | default = false,
      mode | HAMode | optional,
    } | optional,
    # Security configuration
    # `key_rotation_days` has no lower bound contract; 0 or negative values
    # are accepted by this schema as written.
    security | {
      encryption_algorithm | EncryptionAlgorithm | optional,
      key_rotation_days | Number | optional,
    } | optional,
    # Monitoring and logging
    monitoring | {
      enabled | Bool | default = false,
      metrics_interval | Number | optional,
    } | optional,
    logging | {
      level | LogLevel | default = "info",
      format | String | optional,
    } | optional,
    # Docker build configuration
    # Delegated to the shared docker-build schema imported at the top of the file.
    build | docker_build_schema.DockerBuildConfig | optional,
  },
}