provisioning/schemas/platform/templates/configs/control-center-config.toml.ncl

# Control Center Service Configuration - TOML Export
# Generates TOML configuration for Control Center service
# Supports 4 deployment modes: solo, multiuser, cicd, enterprise
#
# Usage:
#   nickel export --format toml control-center-config.toml.ncl > control-center.toml

{
  # Server Configuration
  server = {
    host = "0.0.0.0",
    port = 8080,
    workers = 4,
    keep_alive = 75,
    max_connections = 512,
  },

  # Database Configuration
  database = {
    # Mode-specific overrides:
    # - solo: "rocksdb"
    # - multiuser: "postgres"
    # - cicd: "rocksdb" (in-memory)
    # - enterprise: "postgres_ha"
    backend = "rocksdb",

    # RocksDB configuration (solo, cicd modes)
    rocksdb = {
      path = "/var/lib/provisioning/control-center/db",
      cache_size = "256MB",
      max_open_files = 1000,
      compression = "snappy",
    },

    # PostgreSQL configuration (multiuser, enterprise modes)
    # postgres = {
    #   host = "localhost",
    #   port = 5432,
    #   database = "provisioning",
    #   user = "provisioning",
    #   password = "${DB_PASSWORD}",
    #   ssl_mode = "require",
    #   pool = {
    #     min_size = 5,
    #     max_size = 20,
    #     idle_timeout = 300,
    #   },
    # },
  },

  # Authentication Configuration
  auth = {
    enabled = true,

    # JWT configuration
    jwt = {
      issuer = "provisioning.local",
      audience = "control-center",
      secret = "${JWT_SECRET}",
      algorithm = "HS256",
      expiration = 3600,  # seconds (1 hour)
      refresh_token_expiration = 604800,  # seconds (7 days)
    },

    # OAUTH2 configuration (optional)
    oauth2 = {
      enabled = false,
      # provider = "google",
      # client_id = "${OAUTH_CLIENT_ID}",
      # client_secret = "${OAUTH_CLIENT_SECRET}",
    },

    # LDAP configuration (optional)
    ldap = {
      enabled = false,
      # server_url = "ldap://localhost:389",
      # bind_dn = "cn=admin,dc=example,dc=com",
      # bind_password = "${LDAP_PASSWORD}",
    },
  },

  # RBAC (Role-Based Access Control)
  rbac = {
    enabled = true,

    # Default roles
    default_role = "viewer",

    # Roles definition
    roles = {
      admin = {
        description = "Administrator with full access",
        permissions = ["*"],
      },
      operator = {
        description = "Operator managing orchestrator",
        permissions = [
          "orchestrator.view",
          "orchestrator.execute",
          "orchestrator.manage",
        ],
      },
      viewer = {
        description = "Read-only access",
        permissions = [
          "orchestrator.view",
          "policies.view",
        ],
      },
    },

    # Permission mapping
    permissions = {
      "orchestrator.view" = "List and view orchestrator workflows",
      "orchestrator.execute" = "Execute and manage tasks",
      "orchestrator.manage" = "Configure orchestrator settings",
      "policies.view" = "View security policies",
      "policies.manage" = "Edit security policies",
      "users.manage" = "Manage users and roles",
      "audit.view" = "View audit logs",
    },
  },

  # Multi-Factor Authentication (MFA)
  mfa = {
    # Mode-specific overrides:
    # - solo: false
    # - multiuser: false
    # - cicd: false
    # - enterprise: true
    required = false,

    # MFA methods
    methods = ["totp", "email"],

    # TOTP configuration
    totp = {
      enabled = true,
      issuer = "Provisioning",
      algorithm = "SHA1",
      digits = 6,
      period = 30,
    },

    # Email OTP configuration
    email = {
      enabled = true,
      expiration = 300,  # seconds (5 minutes)
    },
  },

  # Policies and Compliance
  policies = {
    # Password policy
    password = {
      min_length = 12,
      require_uppercase = true,
      require_lowercase = true,
      require_digits = true,
      require_special_chars = true,
      expiration_days = 90,
      history_count = 5,  # Cannot reuse last N passwords
    },

    # Session policy
    session = {
      max_duration = 86400,     # seconds (24 hours)
      idle_timeout = 1800,      # seconds (30 minutes)
      max_concurrent = 5,       # Max concurrent sessions per user
    },

    # Audit policy
    audit = {
      enabled = true,
      log_all_api_calls = true,
      log_user_actions = true,
      log_rbac_changes = true,
      retention_days = 90,
    },

    # Compliance
    compliance = {
      # SOC2 compliance
      soc2 = {
        enabled = false,
        log_all_access = false,
        require_mfa = false,
      },

      # HIPAA compliance
      hipaa = {
        enabled = false,
        encryption_required = true,
        audit_required = true,
      },
    },
  },

  # Rate Limiting
  rate_limit = {
    enabled = true,
    global = {
      requests_per_second = 1000,
      burst_size = 100,
    },
    per_user = {
      requests_per_second = 100,
      burst_size = 20,
    },
  },

  # CORS Configuration
  cors = {
    enabled = true,
    allowed_origins = ["https://localhost:3000", "https://control-center.example.com"],
    allowed_methods = ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
    allowed_headers = ["Content-Type", "Authorization"],
    expose_headers = ["X-Request-ID", "X-Total-Count"],
    max_age = 86400,
  },

  # TLS/SSL Configuration
  tls = {
    enabled = false,  # Typically behind reverse proxy
    cert_path = "/etc/provisioning/certs/cert.pem",
    key_path = "/etc/provisioning/certs/key.pem",
    min_version = "TLSv1.2",
  },

  # Monitoring and Observability
  monitoring = {
    enabled = true,

    # Metrics
    metrics = {
      enabled = true,
      interval = 30,  # seconds
      export_format = "prometheus",
    },

    # Health checks
    health_check = {
      enabled = true,
      interval = 30,
      timeout = 10,
    },

    # Tracing
    tracing = {
      enabled = false,
      sample_rate = 0.1,
    },
  },

  # Logging Configuration
  logging = {
    level = "info",
    format = "json",
    outputs = [
      {
        destination = "stdout",
        level = "info",
      },
      {
        destination = "file",
        path = "/var/log/provisioning/control-center/control-center.log",
        level = "debug",
        rotation = {
          max_size = "100MB",
          max_backups = 10,
          max_age = 30,
        },
      },
    ],
  },

  # Integration with Orchestrator
  orchestrator = {
    url = "http://orchestrator:9090",
    timeout = 30,  # seconds
    retry = {
      max_attempts = 3,
      initial_backoff = 100,
      max_backoff = 30000,
    },
  },

  # Feature Flags
  features = {
    enable_audit_logging = true,
    enable_policy_enforcement = true,
    enable_experimental_ui = false,
  },
}
chore: complete nickel migration and consolidate legacy configs - Remove KCL ecosystem (~220 files deleted) - Migrate all infrastructure to Nickel schema system - Consolidate documentation: legacy docs → provisioning/docs/src/ - Add CI/CD workflows (.github/) and Rust build config (.cargo/) - Update core system for Nickel schema parsing - Update README.md and CHANGES.md for v5.0.0 release - Fix pre-commit hooks: end-of-file, trailing-whitespace - Breaking changes: KCL workspaces require migration - Migration bridge available in docs/src/development/ 2026-01-08 09:55:37 +00:00			`# Control Center Service Configuration - TOML Export`
			`# Generates TOML configuration for Control Center service`
			`# Supports 4 deployment modes: solo, multiuser, cicd, enterprise`
			`#`
			`# Usage:`
			`# nickel export --format toml control-center-config.toml.ncl > control-center.toml`

			`{`
			`# Server Configuration`
			`server = {`
			`host = "0.0.0.0",`
			`port = 8080,`
			`workers = 4,`
			`keep_alive = 75,`
			`max_connections = 512,`
			`},`

			`# Database Configuration`
			`database = {`
			`# Mode-specific overrides:`
			`# - solo: "rocksdb"`
			`# - multiuser: "postgres"`
			`# - cicd: "rocksdb" (in-memory)`
			`# - enterprise: "postgres_ha"`
			`backend = "rocksdb",`

			`# RocksDB configuration (solo, cicd modes)`
			`rocksdb = {`
			`path = "/var/lib/provisioning/control-center/db",`
			`cache_size = "256MB",`
			`max_open_files = 1000,`
			`compression = "snappy",`
			`},`

			`# PostgreSQL configuration (multiuser, enterprise modes)`
			`# postgres = {`
			`# host = "localhost",`
			`# port = 5432,`
			`# database = "provisioning",`
			`# user = "provisioning",`
			`# password = "${DB_PASSWORD}",`
			`# ssl_mode = "require",`
			`# pool = {`
			`# min_size = 5,`
			`# max_size = 20,`
			`# idle_timeout = 300,`
			`# },`
			`# },`
			`},`

			`# Authentication Configuration`
			`auth = {`
			`enabled = true,`

			`# JWT configuration`
			`jwt = {`
			`issuer = "provisioning.local",`
			`audience = "control-center",`
			`secret = "${JWT_SECRET}",`
			`algorithm = "HS256",`
			`expiration = 3600, # seconds (1 hour)`
			`refresh_token_expiration = 604800, # seconds (7 days)`
			`},`

			`# OAUTH2 configuration (optional)`
			`oauth2 = {`
			`enabled = false,`
			`# provider = "google",`
			`# client_id = "${OAUTH_CLIENT_ID}",`
			`# client_secret = "${OAUTH_CLIENT_SECRET}",`
			`},`

			`# LDAP configuration (optional)`
			`ldap = {`
			`enabled = false,`
			`# server_url = "ldap://localhost:389",`
			`# bind_dn = "cn=admin,dc=example,dc=com",`
			`# bind_password = "${LDAP_PASSWORD}",`
			`},`
			`},`

			`# RBAC (Role-Based Access Control)`
			`rbac = {`
			`enabled = true,`

			`# Default roles`
			`default_role = "viewer",`

			`# Roles definition`
			`roles = {`
			`admin = {`
			`description = "Administrator with full access",`
			`permissions = ["*"],`
			`},`
			`operator = {`
			`description = "Operator managing orchestrator",`
			`permissions = [`
			`"orchestrator.view",`
			`"orchestrator.execute",`
			`"orchestrator.manage",`
			`],`
			`},`
			`viewer = {`
			`description = "Read-only access",`
			`permissions = [`
			`"orchestrator.view",`
			`"policies.view",`
			`],`
			`},`
			`},`

			`# Permission mapping`
			`permissions = {`
			`"orchestrator.view" = "List and view orchestrator workflows",`
			`"orchestrator.execute" = "Execute and manage tasks",`
			`"orchestrator.manage" = "Configure orchestrator settings",`
			`"policies.view" = "View security policies",`
			`"policies.manage" = "Edit security policies",`
			`"users.manage" = "Manage users and roles",`
			`"audit.view" = "View audit logs",`
			`},`
			`},`

			`# Multi-Factor Authentication (MFA)`
			`mfa = {`
			`# Mode-specific overrides:`
			`# - solo: false`
			`# - multiuser: false`
			`# - cicd: false`
			`# - enterprise: true`
			`required = false,`

			`# MFA methods`
			`methods = ["totp", "email"],`

			`# TOTP configuration`
			`totp = {`
			`enabled = true,`
			`issuer = "Provisioning",`
			`algorithm = "SHA1",`
			`digits = 6,`
			`period = 30,`
			`},`

			`# Email OTP configuration`
			`email = {`
			`enabled = true,`
			`expiration = 300, # seconds (5 minutes)`
			`},`
			`},`

			`# Policies and Compliance`
			`policies = {`
			`# Password policy`
			`password = {`
			`min_length = 12,`
			`require_uppercase = true,`
			`require_lowercase = true,`
			`require_digits = true,`
			`require_special_chars = true,`
			`expiration_days = 90,`
			`history_count = 5, # Cannot reuse last N passwords`
			`},`

			`# Session policy`
			`session = {`
			`max_duration = 86400, # seconds (24 hours)`
			`idle_timeout = 1800, # seconds (30 minutes)`
			`max_concurrent = 5, # Max concurrent sessions per user`
			`},`

			`# Audit policy`
			`audit = {`
			`enabled = true,`
			`log_all_api_calls = true,`
			`log_user_actions = true,`
			`log_rbac_changes = true,`
			`retention_days = 90,`
			`},`

			`# Compliance`
			`compliance = {`
			`# SOC2 compliance`
			`soc2 = {`
			`enabled = false,`
			`log_all_access = false,`
			`require_mfa = false,`
			`},`

			`# HIPAA compliance`
			`hipaa = {`
			`enabled = false,`
			`encryption_required = true,`
			`audit_required = true,`
			`},`
			`},`
			`},`

			`# Rate Limiting`
			`rate_limit = {`
			`enabled = true,`
			`global = {`
			`requests_per_second = 1000,`
			`burst_size = 100,`
			`},`
			`per_user = {`
			`requests_per_second = 100,`
			`burst_size = 20,`
			`},`
			`},`

			`# CORS Configuration`
			`cors = {`
			`enabled = true,`
			`allowed_origins = ["https://localhost:3000", "https://control-center.example.com"],`
			`allowed_methods = ["GET", "POST", "PUT", "DELETE", "OPTIONS"],`
			`allowed_headers = ["Content-Type", "Authorization"],`
			`expose_headers = ["X-Request-ID", "X-Total-Count"],`
			`max_age = 86400,`
			`},`

			`# TLS/SSL Configuration`
			`tls = {`
			`enabled = false, # Typically behind reverse proxy`
			`cert_path = "/etc/provisioning/certs/cert.pem",`
			`key_path = "/etc/provisioning/certs/key.pem",`
			`min_version = "TLSv1.2",`
			`},`

			`# Monitoring and Observability`
			`monitoring = {`
			`enabled = true,`

			`# Metrics`
			`metrics = {`
			`enabled = true,`
			`interval = 30, # seconds`
			`export_format = "prometheus",`
			`},`

			`# Health checks`
			`health_check = {`
			`enabled = true,`
			`interval = 30,`
			`timeout = 10,`
			`},`

			`# Tracing`
			`tracing = {`
			`enabled = false,`
			`sample_rate = 0.1,`
			`},`
			`},`

			`# Logging Configuration`
			`logging = {`
			`level = "info",`
			`format = "json",`
			`outputs = [`
			`{`
			`destination = "stdout",`
			`level = "info",`
			`},`
			`{`
			`destination = "file",`
			`path = "/var/log/provisioning/control-center/control-center.log",`
			`level = "debug",`
			`rotation = {`
			`max_size = "100MB",`
			`max_backups = 10,`
			`max_age = 30,`
			`},`
			`},`
			`],`
			`},`

			`# Integration with Orchestrator`
			`orchestrator = {`
			`url = "http://orchestrator:9090",`
			`timeout = 30, # seconds`
			`retry = {`
			`max_attempts = 3,`
			`initial_backoff = 100,`
			`max_backoff = 30000,`
			`},`
			`},`

			`# Feature Flags`
			`features = {`
			`enable_audit_logging = true,`
			`enable_policy_enforcement = true,`
			`enable_experimental_ui = false,`
			`},`
			`}`