2026-01-17 03:58:28 +00:00
|
|
|
# Configuration System
|
2026-01-14 04:53:21 +00:00
|
|
|
|
2026-01-17 03:58:28 +00:00
|
|
|
The Provisioning platform uses a hierarchical configuration system with Nickel as the source of
|
|
|
|
|
truth for infrastructure definitions and TOML/YAML for application settings.
|
2026-01-14 04:53:21 +00:00
|
|
|
|
2026-01-17 03:58:28 +00:00
|
|
|
## Configuration Hierarchy
|
2026-01-14 04:53:21 +00:00
|
|
|
|
2026-01-17 03:58:28 +00:00
|
|
|
Configuration is loaded in order of precedence (highest to lowest):
|
|
|
|
|
|
|
|
|
|
```plaintext
|
|
|
|
|
1. Runtime Arguments - CLI flags (--config, --workspace, etc.)
|
|
|
|
|
2. Environment Variables - PROVISIONING_* environment variables
|
|
|
|
|
3. User Configuration - ~/.config/provisioning/user_config.yaml
|
|
|
|
|
4. Infrastructure Config - Nickel schemas in workspace/provisioning
|
|
|
|
|
5. System Defaults - provisioning/config/config.defaults.toml
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Later sources override earlier ones, allowing flexible configuration management across environments.
|
2026-01-14 04:53:21 +00:00
|
|
|
|
|
|
|
|
## Configuration Files
|
|
|
|
|
|
2026-01-17 03:58:28 +00:00
|
|
|
### System Defaults
|
|
|
|
|
|
|
|
|
|
Located at `provisioning/config/config.defaults.toml`:
|
|
|
|
|
|
|
|
|
|
```toml
|
|
|
|
|
[general]
|
|
|
|
|
log_level = "info"
|
|
|
|
|
workspace_root = "./workspaces"
|
|
|
|
|
|
|
|
|
|
[providers]
|
|
|
|
|
default_provider = "local"
|
|
|
|
|
|
|
|
|
|
[orchestrator]
|
|
|
|
|
max_parallel_tasks = 4
|
|
|
|
|
checkpoint_enabled = true
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### User Configuration
|
|
|
|
|
|
|
|
|
|
Located at `~/.config/provisioning/user_config.yaml`:
|
|
|
|
|
|
|
|
|
|
```yaml
|
|
|
|
|
general:
|
|
|
|
|
preferred_editor: nvim
|
|
|
|
|
default_workspace: production
|
|
|
|
|
|
|
|
|
|
providers:
|
|
|
|
|
upcloud:
|
|
|
|
|
default_zone: fi-hel1
|
|
|
|
|
aws:
|
|
|
|
|
default_region: eu-west-1
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Workspace Configuration
|
|
|
|
|
|
|
|
|
|
Nickel-based infrastructure configuration in workspace directories:
|
|
|
|
|
|
|
|
|
|
```plaintext
|
|
|
|
|
workspace/
|
|
|
|
|
├── config/
|
|
|
|
|
│ ├── main.ncl # Workspace configuration
|
|
|
|
|
│ ├── providers.ncl # Provider definitions
|
|
|
|
|
│ └── variables.ncl # Workspace variables
|
|
|
|
|
├── infra/
|
|
|
|
|
│ └── servers.ncl # Infrastructure definitions
|
|
|
|
|
└── .workspace/
|
|
|
|
|
└── metadata.toml # Workspace metadata
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Environment Variables
|
|
|
|
|
|
|
|
|
|
All configuration can be overridden via environment variables:
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
export PROVISIONING_LOG_LEVEL=debug
|
|
|
|
|
export PROVISIONING_WORKSPACE=production
|
|
|
|
|
export PROVISIONING_PROVIDER=upcloud
|
|
|
|
|
export PROVISIONING_DRY_RUN=true
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Variable naming: `PROVISIONING_<SECTION>_<KEY>` (uppercase with underscores).
|
|
|
|
|
|
|
|
|
|
## Configuration Accessors
|
|
|
|
|
|
|
|
|
|
The platform provides 476+ configuration accessors for programmatic access:
|
|
|
|
|
|
|
|
|
|
```nushell
|
|
|
|
|
# Get configuration value
|
|
|
|
|
provisioning config get general.log_level
|
|
|
|
|
|
|
|
|
|
# Set configuration value (workspace-scoped)
|
|
|
|
|
provisioning config set providers.default_provider upcloud
|
|
|
|
|
|
|
|
|
|
# List all configuration
|
|
|
|
|
provisioning config list
|
|
|
|
|
|
|
|
|
|
# Validate configuration
|
|
|
|
|
provisioning config validate
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Profiles
|
|
|
|
|
|
|
|
|
|
Configuration supports profiles for different environments:
|
|
|
|
|
|
|
|
|
|
```toml
|
|
|
|
|
[profiles.development]
|
|
|
|
|
log_level = "debug"
|
|
|
|
|
dry_run = true
|
|
|
|
|
|
|
|
|
|
[profiles.production]
|
|
|
|
|
log_level = "warn"
|
|
|
|
|
dry_run = false
|
|
|
|
|
checkpoint_enabled = true
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Activate profile:
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
provisioning --profile production deploy
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Inheritance and Overrides
|
|
|
|
|
|
|
|
|
|
Workspace configurations inherit from system defaults:
|
|
|
|
|
|
|
|
|
|
```nickel
|
|
|
|
|
# workspace/config/main.ncl
|
|
|
|
|
let parent = import "../../provisioning/schemas/defaults.ncl" in
|
|
|
|
|
parent & {
|
|
|
|
|
# Override specific values
|
|
|
|
|
general.log_level = "debug",
|
|
|
|
|
providers.default_provider = "aws",
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Secrets Management
|
|
|
|
|
|
|
|
|
|
Sensitive configuration is encrypted using SOPS/Age:
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
# Encrypt configuration
|
|
|
|
|
sops --encrypt --age <public-key> secrets.yaml > secrets.enc.yaml
|
|
|
|
|
|
|
|
|
|
# Decrypt and use
|
|
|
|
|
provisioning deploy --secrets secrets.enc.yaml
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Integration with SecretumVault for enterprise secrets management (see [Secrets Management](../security/secrets-management.md)).
|
|
|
|
|
|
|
|
|
|
## Configuration Validation
|
|
|
|
|
|
|
|
|
|
All Nickel-based configuration is validated before use:
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
# Validate workspace configuration
|
|
|
|
|
provisioning config validate
|
|
|
|
|
|
|
|
|
|
# Check schema compliance
|
|
|
|
|
nickel export --format json workspace/config/main.ncl
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Type-safety is mandatory - invalid configuration is rejected at load time.
|
|
|
|
|
|
|
|
|
|
## Best Practices
|
|
|
|
|
|
|
|
|
|
1. **Use Nickel for infrastructure** - Type-safe, validated infrastructure definitions
|
|
|
|
|
2. **Use TOML for application settings** - Simple key-value configuration
|
|
|
|
|
3. **Encrypt secrets** - Never commit unencrypted credentials
|
|
|
|
|
4. **Document overrides** - Comment why values differ from defaults
|
|
|
|
|
5. **Validate before deploy** - Always run `config validate` before deployment
|
|
|
|
|
6. **Version control** - Track configuration changes in Git
|
|
|
|
|
7. **Profile separation** - Isolate development/staging/production configs
|
|
|
|
|
|
|
|
|
|
## Troubleshooting
|
2026-01-14 04:53:21 +00:00
|
|
|
|
2026-01-17 03:58:28 +00:00
|
|
|
### Configuration Not Loading
|
2026-01-14 04:53:21 +00:00
|
|
|
|
2026-01-17 03:58:28 +00:00
|
|
|
Check precedence order:
|
2026-01-14 04:53:21 +00:00
|
|
|
|
2026-01-17 03:58:28 +00:00
|
|
|
```bash
|
|
|
|
|
# Show effective configuration
|
|
|
|
|
provisioning config show --debug
|
2026-01-14 04:53:21 +00:00
|
|
|
|
2026-01-17 03:58:28 +00:00
|
|
|
# Trace configuration loading
|
|
|
|
|
PROVISIONING_LOG_LEVEL=trace provisioning config list
|
|
|
|
|
```
|
2026-01-14 04:53:21 +00:00
|
|
|
|
2026-01-17 03:58:28 +00:00
|
|
|
### Schema Validation Failures
|
2026-01-14 04:53:21 +00:00
|
|
|
|
2026-01-17 03:58:28 +00:00
|
|
|
```bash
|
|
|
|
|
# Check Nickel syntax
|
|
|
|
|
nickel typecheck workspace/config/main.ncl
|
2026-01-14 04:53:21 +00:00
|
|
|
|
2026-01-17 03:58:28 +00:00
|
|
|
# Export and inspect
|
|
|
|
|
nickel export workspace/config/main.ncl
|
|
|
|
|
```
|
2026-01-14 04:53:21 +00:00
|
|
|
|
2026-01-17 03:58:28 +00:00
|
|
|
### Environment Variable Issues
|
2026-01-14 04:53:21 +00:00
|
|
|
|
2026-01-17 03:58:28 +00:00
|
|
|
```bash
|
|
|
|
|
# List all PROVISIONING_* variables
|
|
|
|
|
env | grep PROVISIONING_
|
2026-01-14 04:53:21 +00:00
|
|
|
|
2026-01-17 03:58:28 +00:00
|
|
|
# Clear all provisioning env vars
|
|
|
|
|
unset $(env | grep PROVISIONING_ | cut -d= -f1 | xargs)
|
|
|
|
|
```
|
2026-01-14 04:53:21 +00:00
|
|
|
|
2026-01-17 03:58:28 +00:00
|
|
|
## References
|
2026-01-14 04:53:21 +00:00
|
|
|
|
2026-01-17 03:58:28 +00:00
|
|
|
- [Nickel Guide](nickel-guide.md) - Infrastructure configuration
|
|
|
|
|
- [Schemas Reference](schemas-reference.md) - Schema structure
|
|
|
|
|
- [Secrets Management](../security/secrets-management.md) - SecretumVault integration
|