provisioning/docs/src/infrastructure/configuration-system.md

214 lines
5 KiB
Markdown
Raw Normal View History

2026-01-17 03:58:28 +00:00
# Configuration System
2026-01-14 04:53:21 +00:00
2026-01-17 03:58:28 +00:00
The Provisioning platform uses a hierarchical configuration system with Nickel as the source of
truth for infrastructure definitions and TOML/YAML for application settings.
2026-01-14 04:53:21 +00:00
2026-01-17 03:58:28 +00:00
## Configuration Hierarchy
2026-01-14 04:53:21 +00:00
2026-01-17 03:58:28 +00:00
Configuration is loaded in order of precedence (highest to lowest):
```plaintext
1. Runtime Arguments - CLI flags (--config, --workspace, etc.)
2. Environment Variables - PROVISIONING_* environment variables
3. User Configuration - ~/.config/provisioning/user_config.yaml
4. Infrastructure Config - Nickel schemas in workspace/provisioning
5. System Defaults - provisioning/config/config.defaults.toml
```
Later sources override earlier ones, allowing flexible configuration management across environments.
2026-01-14 04:53:21 +00:00
## Configuration Files
2026-01-17 03:58:28 +00:00
### System Defaults
Located at `provisioning/config/config.defaults.toml`:
```toml
[general]
log_level = "info"
workspace_root = "./workspaces"
[providers]
default_provider = "local"
[orchestrator]
max_parallel_tasks = 4
checkpoint_enabled = true
```
### User Configuration
Located at `~/.config/provisioning/user_config.yaml`:
```yaml
general:
preferred_editor: nvim
default_workspace: production
providers:
upcloud:
default_zone: fi-hel1
aws:
default_region: eu-west-1
```
### Workspace Configuration
Nickel-based infrastructure configuration in workspace directories:
```plaintext
workspace/
├── config/
│ ├── main.ncl # Workspace configuration
│ ├── providers.ncl # Provider definitions
│ └── variables.ncl # Workspace variables
├── infra/
│ └── servers.ncl # Infrastructure definitions
└── .workspace/
└── metadata.toml # Workspace metadata
```
## Environment Variables
All configuration can be overridden via environment variables:
```bash
export PROVISIONING_LOG_LEVEL=debug
export PROVISIONING_WORKSPACE=production
export PROVISIONING_PROVIDER=upcloud
export PROVISIONING_DRY_RUN=true
```
Variable naming: `PROVISIONING_<SECTION>_<KEY>` (uppercase with underscores).
## Configuration Accessors
The platform provides 476+ configuration accessors for programmatic access:
```nushell
# Get configuration value
provisioning config get general.log_level
# Set configuration value (workspace-scoped)
provisioning config set providers.default_provider upcloud
# List all configuration
provisioning config list
# Validate configuration
provisioning config validate
```
## Profiles
Configuration supports profiles for different environments:
```toml
[profiles.development]
log_level = "debug"
dry_run = true
[profiles.production]
log_level = "warn"
dry_run = false
checkpoint_enabled = true
```
Activate profile:
```bash
provisioning --profile production deploy
```
## Inheritance and Overrides
Workspace configurations inherit from system defaults:
```nickel
# workspace/config/main.ncl
let parent = import "../../provisioning/schemas/defaults.ncl" in
parent & {
# Override specific values
general.log_level = "debug",
providers.default_provider = "aws",
}
```
## Secrets Management
Sensitive configuration is encrypted using SOPS/Age:
```bash
# Encrypt configuration
sops --encrypt --age <public-key> secrets.yaml > secrets.enc.yaml
# Decrypt and use
provisioning deploy --secrets secrets.enc.yaml
```
Integration with SecretumVault for enterprise secrets management (see [Secrets Management](../security/secrets-management.md)).
## Configuration Validation
All Nickel-based configuration is validated before use:
```bash
# Validate workspace configuration
provisioning config validate
# Check schema compliance
nickel export --format json workspace/config/main.ncl
```
Type-safety is mandatory - invalid configuration is rejected at load time.
## Best Practices
1. **Use Nickel for infrastructure** - Type-safe, validated infrastructure definitions
2. **Use TOML for application settings** - Simple key-value configuration
3. **Encrypt secrets** - Never commit unencrypted credentials
4. **Document overrides** - Comment why values differ from defaults
5. **Validate before deploy** - Always run `config validate` before deployment
6. **Version control** - Track configuration changes in Git
7. **Profile separation** - Isolate development/staging/production configs
## Troubleshooting
2026-01-14 04:53:21 +00:00
2026-01-17 03:58:28 +00:00
### Configuration Not Loading
2026-01-14 04:53:21 +00:00
2026-01-17 03:58:28 +00:00
Check precedence order:
2026-01-14 04:53:21 +00:00
2026-01-17 03:58:28 +00:00
```bash
# Show effective configuration
provisioning config show --debug
2026-01-14 04:53:21 +00:00
2026-01-17 03:58:28 +00:00
# Trace configuration loading
PROVISIONING_LOG_LEVEL=trace provisioning config list
```
2026-01-14 04:53:21 +00:00
2026-01-17 03:58:28 +00:00
### Schema Validation Failures
2026-01-14 04:53:21 +00:00
2026-01-17 03:58:28 +00:00
```bash
# Check Nickel syntax
nickel typecheck workspace/config/main.ncl
2026-01-14 04:53:21 +00:00
2026-01-17 03:58:28 +00:00
# Export and inspect
nickel export workspace/config/main.ncl
```
2026-01-14 04:53:21 +00:00
2026-01-17 03:58:28 +00:00
### Environment Variable Issues
2026-01-14 04:53:21 +00:00
2026-01-17 03:58:28 +00:00
```bash
# List all PROVISIONING_* variables
env | grep PROVISIONING_
2026-01-14 04:53:21 +00:00
2026-01-17 03:58:28 +00:00
# Clear all provisioning env vars
unset $(env | grep PROVISIONING_ | cut -d= -f1 | xargs)
```
2026-01-14 04:53:21 +00:00
2026-01-17 03:58:28 +00:00
## References
2026-01-14 04:53:21 +00:00
2026-01-17 03:58:28 +00:00
- [Nickel Guide](nickel-guide.md) - Infrastructure configuration
- [Schemas Reference](schemas-reference.md) - Schema structure
- [Secrets Management](../security/secrets-management.md) - SecretumVault integration