diff --git a/assets/provisioning.svg b/assets/provisioning.svg new file mode 100644 index 0000000..0323a9b --- /dev/null +++ b/assets/provisioning.svg @@ -0,0 +1,241 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/assets/provisioning_img.svg b/assets/provisioning_img.svg new file mode 100644 index 0000000..d8320ac --- /dev/null +++ b/assets/provisioning_img.svg @@ -0,0 +1,161 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/assets/provisioning_v.svg b/assets/provisioning_v.svg new file mode 100644 index 0000000..f701b3e --- /dev/null +++ b/assets/provisioning_v.svg @@ -0,0 +1,243 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/assets/web/README.md b/assets/web/README.md new file mode 100644 index 0000000..42f4dab --- /dev/null +++ b/assets/web/README.md 
@@ -0,0 +1,217 @@ +# Provisioning Web Assets + +Web-based landing page and static content for Provisioning. + +## Directory Structure + +```text +assets/web/ +├── src/ +│ ├── index.html # Source HTML (readable, 38.3KB) +│ └── architecture-diagram.html # Architecture diagram (readable, 28.1KB) +├── index.html # Minified landing page (19.8KB) +├── architecture-diagram.html # Minified architecture (21.3KB) +├── provisioning.svg # Logo (12KB) +├── logo-text.svg # Logo text (14KB) +├── minify.sh # Minification script +└── README.md # This file +``` + +## Files + +### `src/index.html` - Source Version + +- **Purpose**: Development and maintenance +- **Size**: 38.1KB (uncompressed) +- **Content**: + - Full formatting and indentation + - Inline CSS and JavaScript + - Bilingual (English/Spanish) content + - Language-aware dynamic switching + - Core capabilities showcase + - Technology stack display + - 13 Platform services showcase + +**Use for:** +- Editing content +- Understanding structure +- Version control +- Making translations updates + +### `index.html` - Production Version + +- **Purpose**: Served to browsers (fast loading) +- **Size**: 19.8KB (48% compression) +- **Optimizations**: + - Removed all comments + - Compressed CSS (removed spaces, combined rules) + - Minified JavaScript (single line) + - Removed whitespace between tags + - Preserved all functionality + +**Use for:** +- Production web server +- CDN distribution +- Browser caching +- Fast load times + +### `architecture-diagram.html` - Architecture Visualization + +- **Purpose**: Interactive system architecture diagram +- **Size**: 28.1KB source → 21.3KB minified (24% compression) +- **Content**: + - Visual representation of Provisioning platform + - Component relationships and data flows + - Interactive SVG diagram + - Dark theme with animations + +**Use for:** +- Understanding system design +- Architecture documentation +- Technical presentations +- Linked from landing page via "🏗️ ARCH" button + +## 
How to Use + +### Development + +Edit `src/index.html`: + +```bash +# Edit source file +nano provisioning/assets/web/src/index.html + +# Regenerate minified version (script below) +``` + +### Update Minified Versions + +When you update any source file in `src/`, regenerate all minified versions: + +```bash +# Minify both index.html and architecture-diagram.html +./provisioning/assets/web/minify.sh +``` + +This script automatically: +- Minifies `src/index.html` → `index.html` +- Minifies `src/architecture-diagram.html` → `architecture-diagram.html` +- Shows compression statistics for each file +- Validates that source files exist before processing +- Stops on any errors + +### Deployment + +Serve `index.html` from your web server: + +```bash + +# Using Rust +cargo install static-web-server +static-web-server -d provisioning/assets/web/ + +# Using Python +python3 -m http.server --directory provisioning/assets/web + +# Using Node.js +npx http-server provisioning/assets/web + +# Using nginx +# Point root to provisioning/assets/web/ +# Serve index.html as default +``` + +## Features + +✅ **Responsive Design** +- Mobile-first approach +- Flexbox layouts +- Media queries for mobile + +✅ **Performance** +- Inline CSS (no separate requests) +- Inline JavaScript (no blocking external scripts) +- Minimal dependencies (no frameworks) +- 19.6KB minified size + +✅ **Bilingual** +- English and Spanish +- LocalStorage persistence +- Data attributes for translations +- Dynamic language switching + +✅ **Modern CSS** +- CSS Gradients +- Animations (fadeInUp) +- Hover effects +- Grid layouts + +✅ **Styling** +- Provisioning color scheme +- Gradient backgrounds +- Monospace font (JetBrains Mono) +- Smooth transitions + +## Content Sections + +1. **Hero** - Title, tagline, logo (provisioning.svg + logo-text.svg) +2. **Core Capabilities** - 4 key capabilities +3. **How It Works** - Feature overview +4. **Technology Stack** - Tech badges +5. 
**Platform Services** - 13 core services: + - Orchestrator (Workflow engine) + - ControlCenter (CEDAR + AUTH) + - ControlCenter-UI (Dashboard interface) + - Installer (TUI + CLI + Unattended) + - MCP-Server (RAG + AI services) + - API-Gateway (REST routing) + - OCI-Registry (Extension distribution) + - Extension-Registry (Extension catalog) + - SecretumVault (PQC vault) + - TypeDialog (Type-safe config) + - Daemon-CLI (Service management) + - Monitoring (Prometheus + Grafana) + - CoreDNS (Service discovery) +6. **CTA** - Call-to-action button +7. **Footer** - Credits and links + +## Translations + +All text content is bilingual. Edit data attributes in `src/index.html`: + +```html + +Hello +``` + +The JavaScript automatically updates based on selected language. + +## Maintenance + +- Source edits go in `src/index.html` +- Regenerate `index.html` when source changes +- Both files are versioned in git +- Keep them in sync + +## Git Workflow + +```bash +# Edit source +git add provisioning/assets/web/src/index.html +git add provisioning/assets/web/index.html +git commit -m "Update landing page content" +git push +``` + +## Compression Statistics + +|File|Source|Minified|Compression|Saved| +|---|---|---|---|---| +|`index.html`|38.3KB|19.8KB|48%|18.5KB| +|`architecture-diagram.html`|28.1KB|21.3KB|24%|6.8KB| +|**TOTAL**|**66.4KB**|**41.1KB**|**38%**|**25.3KB**| + +--- + +**Last Updated**: 2026-02-10 +**Version**: 1.0.0 (matches Provisioning v3.5.0) diff --git a/assets/web/_index.html b/assets/web/_index.html new file mode 100644 index 0000000..c313b92 --- /dev/null +++ b/assets/web/_index.html @@ -0,0 +1,1394 @@ + + + + + + + Provisioning + + + + + +
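Review bot: the Deployment section in `README.md` serves `provisioning/assets/web/` itself as the web root (`static-web-server -d provisioning/assets/web/`, `python3 -m http.server --directory provisioning/assets/web`, the nginx note), which also publishes `src/`, `minify.sh`, `_index.html` and this README; either serve from a directory that contains only `index.html`, `architecture-diagram.html` and the SVGs, or add deny rules for `src/`, `*.sh` and `*.md` in the nginx config. Several statements also disagree with what the same commit ships: the 13 "Platform Services" listed here (Installer, API-Gateway, OCI-Registry, TypeDialog, Monitoring, CoreDNS) are not the 13 the landing page renders (AI-Service, Detector, Machines, Observability, Backup, Encrypt); "Validates that source files exist before processing" and "Stops on any errors" overstate `minify.sh`, which prints "Skipping" and returns 0 on a missing source; the Directory Structure omits `_index.html`, `arch-diag.svg`, `arch-diag-v2.svg`, `provisioning_full_logo.svg` and `provisioning_img.svg`; the sizes differ within the file (38.3KB vs 38.1KB for `src/index.html`, 19.8KB vs 19.6KB minified); the Git Workflow stages only `index.html` although the script also regenerates `architecture-diagram.html`; and "matches Provisioning v3.5.0" conflicts with the "v3.0.11" stamp in both architecture SVGs. Since the pages rely on inline CSS and JavaScript, add a sentence that a strict Content-Security-Policy will need nonces or hashes (or `'unsafe-inline'`) for them.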
+ +
+ + + + + 🏗️ ARCHITECTURE + +
+ +
+
+ +
+ Provisioning Logo +
+
+ Provisioning +
+

Provision at Scale

+

+ Infrastructure Orchestration +

+

+ Declarative infrastructure + + management with Nickel schemas, Nushell orchestration, + and Rust executables. Type-safe configuration, automated + validation, and cloud-native deployment across + Kubernetes, Docker, and custom platforms. + +
100% infrastructure as code. + +

+
+ +
+

+ Core Capabilities +

+
+
+
01
+

+ Type-Safe Configuration +

+

+ Nickel provides formal type checking, automated + validation, and recursive merging for infrastructure + definitions. Eliminate configuration drift and + parsing errors. +

+
+
+
02
+

+ Intelligent Orchestration +

+

+ Nushell scripts orchestrate complex deployment + workflows with structured data pipelines, state + management, and error recovery. Built-in type system + prevents runtime failures. +

+
+
+
03
+

+ Multi-Platform Support +

+

+ Deploy to Kubernetes, Docker Compose, local VMs, and + custom infrastructure. Unified interface with + platform-specific overrides and workspace isolation. +

+
+
+
04
+

+ Version Control Ready +

+

+ All infrastructure lives in Git. Configuration + schemas, Nickel modules, and Nushell scripts are + versionable, reviewable, and rollbackable. +

+
+
+
+ +
+

+ How It Works +

+
+
+
📝
+

+ Define with Nickel +

+

+ Write declarative infrastructure schemas with full + type safety. Nickel's lazy evaluation and recursive + merging enable powerful abstractions and + configuration composition. +

+ → Easy config via TypeDialog +
+
+
🔄
+

+ Orchestrate with Nushell +

+

+ Structured data pipelines, type-safe operations, and + stateful workflows. Nushell eliminates shell script + fragility while maintaining scripting simplicity. +

+ → Nushell plugins added +
+
+
+

+ Execute with Rust +

+

+ Performance-critical operations backed by Rust. + Zero-cost abstractions, memory safety, and fearless + concurrency for infrastructure tooling. +

+
+
+
📡
+

+ Coordinate via NATS JetStream +

+

+ Persistent event bus for decoupled service + coordination. Services exchange lease_id, task_id, + and status events — credentials never traverse the + bus. Auditable, replay-capable, at-least-once + delivery. +

+
+
+
🔐
+

+ Secure end-to-end +

+

+ Cedar policy-as-code for authorization, JWT sessions + managed exclusively by ControlCenter, and + post-quantum cryptography via SecretumVault. + Credentials never leave the vault — services operate + on lease references only. +

+ → SecretumVault repo +
+
+
🧩
+

+ Extend via OCI Registry +

+

+ Distribute custom providers, task services, and + cluster definitions as OCI artifacts. The Extension + Registry catalogs and versions capabilities + independently — swap or compose providers without + touching core platform code. +

+ → Provisioning Extensions +
+
+
🎛️
+

+ Platform CLI & External Services +

+

+ 8 platform subcommands (list, status, health, check, + config, connections, init, start) with declarative + external service management. Validates SurrealDB, OCI + registries (Zot/Harbor), Git sources (Forgejo/Gitea), + and cache before startup. +

+
+
+
📌
+

+ Centralized Version Management +

+

+ All tool and provider versions defined in Nickel + schemas. Generates bash-compatible exports via + ‘provisioning setup versions’. Automatic + provider discovery, shell script integration, and + single source of truth for Nushell, Nickel, SOPS, + Age, AWS CLI, and all providers. +

+
+
+
+ +
+

+ SOLID Architecture Boundaries +

+
+
+
🎯
+

+ Provider APIs — Orchestrator only +

+

+ All hcloud, AWS, and provider SDK calls are isolated + to the Orchestrator crate. Every other service routes + through the Orchestrator HTTP API. SSH operations + share this same boundary. +

+
+
+
🔐
+

+ Auth decisions — ControlCenter only +

+

+ JWT validation and Cedar policy evaluation happen + exclusively in ControlCenter. Other services receive + a UserContext via middleware — no service re-validates + tokens or evaluates policies directly. +

+
+
+
🔑
+

+ Secrets — Vault Service API only +

+

+ Credentials are never stored in NATS messages or + environment variables. Services hold a lease_id and + retrieve actual secrets via HTTPS to the Vault + Service. The bus carries references, not values. +

+
+
+
+ +
+

+ System Architecture +

+ +
+ +
+

+ Technology Stack +

+
+ Nickel + Nushell 0.110 + Rust + NATS JetStream + SurrealDB + Cedar + Leptos WASM + Kubernetes + Docker Compose + SOPS 3.10 + Age 1.2 + Git +
+
+ +
+

+ Platform Services (13) +

+
+
+ OrchestratorProvider APIs + SSH boundary +
+
+ ControlCenterCedar auth boundary +
+
+ ControlCenter-UILeptos WASM dashboard +
+
+ MCP-ServerRAG + AI tools +
+
+ AI-ServiceLLM inference layer +
+
+ Extension-RegistryExtension catalog +
+
+ SecretumVaultPQC secrets API +
+
+ DetectorEvent detection +
+
+ Daemon-CLIService lifecycle +
+
+ MachinesMachine management +
+
+ ObservabilityPrometheus metrics +
+
+ BackupState backup +
+
+ EncryptKey operations +
+
+
+ +
+

+ Ready for infrastructure automation? +

+

+ Built with Nickel & Nushell | Type-Safe | Open Source +

+ Explore Git Repo → +
+ + +
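Review bot: `_index.html` looks like a stale pre-build copy of `src/index.html`: it lacks the "Typed DAG Execution" and "Ontological Self-Governance" cards that both `src/index.html` and the minified `index.html` carry, it is referenced by neither the README nor `minify.sh`, and because it sits in the served directory it is reachable at `/_index.html` with out-of-date content. Drop it from the commit, or if it must stay, move it under `src/` and document in the README what it is for.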
+ + + + diff --git a/assets/web/arch-diag-v2.svg b/assets/web/arch-diag-v2.svg new file mode 100644 index 0000000..4eb7b37 --- /dev/null +++ b/assets/web/arch-diag-v2.svg 
@@ -0,0 +1,700 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CONTROL PLANE ARCHITECTURE + + + + + + + + + $ + CLI + provisioning + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Events Stream + NATS JetStream + :4222 + + + + + + + + + + + + + + + Orchestrator + :9011 + + + + Task State Machine • Provider API • SSH + + Webhooks • Rollback • Audit Collector + + + + + + + + + + Configuration + Nickel • ∞ TypeDialog + + + + + + + + + + Control Center + :9012 + + + + Cedar Policies • JWT • Sessions + + WebSocket • RBAC • Solo: auto-session + + + + + + + + + + + Extensions Registry + :8084 + + + + Git • OCI • LRU + + Providers • Taskservs • vault:// creds + + + + + + + + + + 🧠 + AI • MCP + :9082 + + + + RAG Engine • MCP Server • Tools + + Embeddings • Model Routing • KGraph + + + + + + + + + + 🛡 + Vault Service + :9094 + + + + Lease Lifecycle • Key Management + + SOPS • Age • Secrets never in NATS + + + + + + + + + + + + + + + + + + + + + + + + + + + + HTTPS + + + + + HTTPS + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + DATA PERSISTENCE + Solo: RocksDB • Multi: WebSocket + + + + orchestrator + + + vault + + + control_center + + + audit + + + workspace + + + Nickel config + + + + + + + + SOLID ENFORCEMENT LAYERS + + + Compile-time + + Dev-time + + Pre-commit + + CI/CD + + Runtime + + Audit + + + Providers APIs or CLI: Orchestrator only | SSH: 
Orchestrator + Machines | Auth: Control Center only | Secrets: Vault Service API only + + + + + + + + SERVICES + Orchestrator + Control Center + Vault Service + Extension Registry + AI • MCP + + INFRASTRUCTURE + + NATS Orbital Ring + + + + OCI registry + + Token and Auth + + SecretumVault + + Nickel + + + + SurrealDB + + CONNECTIONS + + + Encrypted + + I/O and Defs + + DBs data + + Secure access + + Events Stream + + MODES + + SOLO + RocksDB + local NATS + auto-session + + MULTI + WebSocket DB + NATS cluster + JWT+Cedar + + ENT + Enterprise + + + + + + + + Production + Hetzner • AWS + + + Staging + K8s cluster + + + Dev + Solo mode + + + Edge + On-prem • IoT + + + Custom + GitOps • Webhook + + + + v3.0.11 • ∞ Architecture + diff --git a/assets/web/arch-diag.svg b/assets/web/arch-diag.svg new file mode 100644 index 0000000..0534eb2 --- /dev/null +++ b/assets/web/arch-diag.svg 
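Review bot: `arch-diag-v2.svg` hard-codes the control-plane port map (`:4222`, `:9011`, `:9012`, `:8084`, `:9082`, `:9094`) and "Solo: auto-session" into a public landing asset; make that a deliberate decision, since it is the kind of detail that drifts from the real deployment and is read literally by anyone enumerating the services. The footer "v3.0.11 • ∞ Architecture" also disagrees with the README's "matches Provisioning v3.5.0"; either drop the version from the SVG or generate it from the same source the README uses.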
@@ -0,0 +1,584 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + INFRASTRUCTURE PROVISIONING SYSTEM + TECHNICAL ARCHITECTURE + + + + + + + + + + + + + + + + + + + + + + + + Provisioning + Core + + + + + CLI + + + Libs + + + Plugins + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 🔧 + + Configuration Layer + + + + Nickel Schemas + + + Validation Engine + + + Type check + + + Constraints + + + Merge + + + + + + VALID + + + + + + + + + + + + + + + + + + + + Control Center + + + + Dashboard + + + Monitoring + + + Alerts + + + Registry + + + Authorizations + + + + + LIVE + + + + + + + + + + + + + + + + + + + + + + ⚙️ + + Extension Ecosystem + + + + + + AWS + EC2 · S3 · RDS + Lambda · VPC + + + + Hetzner + VM · Blob · SQL + Functions · VNet + + + + Kubernetes + Deployments · Services · ConfigMaps · Ingress + + + + Plugin Registry · Provider SDK · Custom Providers + + + + + + + + + + OUTPUT + + + + + + + + + + + + + + + + + + + + + + + + Orchestration Engine + + + + + Batch Workflows + DAG · Parallel + + + + Execution + Plan · Apply + + + + State Management + Locking · Drift Detection · Rollback + + + + + + + + + + + + + + + done + + + + + + + + + + + + + + + + + + + + ⌨️ + + INPUT + $ provision deploy + + + + + CLI → + + + + + + + + + + + + + + + + + + + + 📁 + + Workspace Runtime + + + + Context Mgmt + + + Multi-Env + + + Isolation Boundary + + + + + + + + + + + + + + + + + + + 🛡️ + + Vault Service + PQC + + + + Secrets + + + Encryption + + + SOPS · Age · Key Rotation + + + + + + + + + + + + + + + + + + + + + 🧠 + + AI · RAG · MCP + + + + RAG Engine + + + MCP Server + + + Embeddings · Knowledge · Tools + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Production + us-east-1 · 3 replicas + + + + + Staging + eu-west-1 · 1 replica + + + + + Dev Cluster + k8s · minikube + + + + + Edge / 
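Review bot: in `arch-diag.svg` the "Hetzner" provider box reads "VM · Blob · SQL / Functions · VNet", which are Azure service names (Blob Storage, Azure SQL, Azure Functions, VNet), not Hetzner ones; this looks like a copy from an Azure box and should be corrected or the box relabelled. The footer "v3.0.11 · Architecture" has the same mismatch with the README's v3.5.0 as the v2 diagram, and with both `arch-diag.svg` and `arch-diag-v2.svg` added, neither the README structure nor the page text says which one is in use; remove the superseded one.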
Custom + IoT · on-prem + + + + + + + + + + DATA FLOWS + + + User input + + + Config validation + + + Task orchestration + + + Cloud output + + + PLATFORM + + + Control center + + + Vault service + + + AI · RAG · MCP + + + + + + + + + + + + + + + + + + + + v3.0.11 · Architecture + + + + + diff --git a/assets/web/architecture-diagram.html b/assets/web/architecture-diagram.html new file mode 100644 index 0000000..e5f8281 --- /dev/null +++ b/assets/web/architecture-diagram.html @@ -0,0 +1 @@ +Infrastructure Provisioning System — Architecture
Provisioning Architecture - Dark Mode
\ No newline at end of file diff --git a/assets/web/index.html b/assets/web/index.html new file mode 100644 index 0000000..0830029 --- /dev/null +++ b/assets/web/index.html @@ -0,0 +1 @@ + Provisioning
🏗️ ARCHITECTURE
Provisioning

Provision at Scale

Infrastructure Orchestration

Declarative infrastructure management with Nickel schemas, Nushell orchestration, and Rust executables. Type-safe configuration, automated validation, and cloud-native deployment across Kubernetes, Docker, and custom platforms.
100% infrastructure as code.

Core Capabilities

01

Type-Safe Configuration

Nickel provides formal type checking, automated validation, and recursive merging for infrastructure definitions. Eliminate configuration drift and parsing errors.

02

Intelligent Orchestration

Nushell scripts orchestrate complex deployment workflows with structured data pipelines, state management, and error recovery. Built-in type system prevents runtime failures.

03

Multi-Platform Support

Deploy to Kubernetes, Docker Compose, local VMs, and custom infrastructure. Unified interface with platform-specific overrides and workspace isolation.

04

Version Control Ready

All infrastructure lives in Git. Configuration schemas, Nickel modules, and Nushell scripts are versionable, reviewable, and rollbackable.

How It Works

📝

Define with Nickel

Write declarative infrastructure schemas with full type safety. Nickel's lazy evaluation and recursive merging enable powerful abstractions and configuration composition.

→ Easy config via TypeDialog
🔄

Orchestrate with Nushell

Structured data pipelines, type-safe operations, and stateful workflows. Nushell eliminates shell script fragility while maintaining scripting simplicity.

→ Nushell plugins added

Execute with Rust

Performance-critical operations backed by Rust. Zero-cost abstractions, memory safety, and fearless concurrency for infrastructure tooling.

📡

Coordinate via NATS JetStream

Persistent event bus for decoupled service coordination. Services exchange lease_id, task_id, and status events — credentials never traverse the bus. Auditable, replay-capable, at-least-once delivery.

🔐

Secure end-to-end

Cedar policy-as-code for authorization, JWT sessions managed exclusively by ControlCenter, and post-quantum cryptography via SecretumVault. Credentials never leave the vault — services operate on lease references only.

→ SecretumVault repo
🧩

Extend via OCI Registry

Distribute custom providers, task services, and cluster definitions as OCI artifacts. The Extension Registry catalogs and versions capabilities independently — swap or compose providers without touching core platform code.

→ Provisioning Extensions
🎛️

Platform CLI & External Services

8 platform subcommands (list, status, health, check, config, connections, init, start) with declarative external service management. Validates SurrealDB, OCI registries (Zot/Harbor), Git sources (Forgejo/Gitea), and cache before startup.

📌

Centralized Version Management

All tool and provider versions defined in Nickel schemas. Generates bash-compatible exports via ‘provisioning setup versions’. Automatic provider discovery, shell script integration, and single source of truth for Nushell, Nickel, SOPS, Age, AWS CLI, and all providers.

🔀

Typed DAG Execution

Workspace taskserv pipelines declared as typed Nickel DAGs — referential integrity validated at schema time. Formula::into_workflow converts to WorkflowDefinition consumed by the existing DependencyGraph with max_parallel_tasks dispatch. Parallelism and on_error semantics are declarative, not implicit.

🧭

Ontological Self-Governance

.ontology/core.ncl declares architectural nodes, invariants, and artifact paths. The on+re protocol runs governance modes (assess, audit, coverage, validate-formula) that detect MISSING artifacts and STALE node claims — keeping declared architecture in sync with the codebase at scan time.

SOLID Architecture Boundaries

🎯

Provider APIs — Orchestrator only

All hcloud, AWS, and provider SDK calls are isolated to the Orchestrator crate. Every other service routes through the Orchestrator HTTP API. SSH operations share this same boundary.

🔐

Auth decisions — ControlCenter only

JWT validation and Cedar policy evaluation happen exclusively in ControlCenter. Other services receive a UserContext via middleware — no service re-validates tokens or evaluates policies directly.

🔑

Secrets — Vault Service API only

Credentials are never stored in NATS messages or environment variables. Services hold a lease_id and retrieve actual secrets via HTTPS to the Vault Service. The bus carries references, not values.

System Architecture

Technology Stack

NickelNushell 0.110RustNATS JetStreamSurrealDBCedarLeptos WASMKubernetesDocker ComposeSOPS 3.10Age 1.2Git

Platform Services (13)

OrchestratorProvider APIs + SSH boundary
ControlCenterCedar auth boundary
ControlCenter-UILeptos WASM dashboard
MCP-ServerRAG + AI tools
AI-ServiceLLM inference layer
Extension-RegistryExtension catalog
SecretumVaultPQC secrets API
DetectorEvent detection
Daemon-CLIService lifecycle
MachinesMachine management
ObservabilityPrometheus metrics
BackupState backup
EncryptKey operations

Ready for infrastructure automation?

Built with Nickel & Nushell | Type-Safe | Open Source

Explore Git Repo →
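Review bot: the minified `index.html` is a generated artifact committed beside its source, and the README relies on contributors to "keep them in sync" by hand; add a CI step that runs `./minify.sh` and then fails on `git diff --exit-code assets/web/index.html assets/web/architecture-diagram.html`, otherwise the next edit to `src/index.html` ships stale copy. Also end the file with a newline so the diff stops carrying `\ No newline at end of file`.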
\ No newline at end of file diff --git a/assets/web/logo-text.svg b/assets/web/logo-text.svg new file mode 100644 index 0000000..bef17d6 --- /dev/null +++ b/assets/web/logo-text.svg @@ -0,0 +1,149 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/assets/web/minify.sh b/assets/web/minify.sh new file mode 100755 index 0000000..2493039 --- /dev/null +++ b/assets/web/minify.sh 
@@ -0,0 +1,97 @@ +#!/bin/bash +# Minify HTML files from src/ to production versions +# Usage: ./minify.sh +# Processes: index.html and architecture-diagram.html + +set -e + +SCRIPT_DIR="$(dirname "$0")" +FILES=("index" "architecture-diagram") + +minify_file() { + local basename=$1 + local src_file="${SCRIPT_DIR}/src/${basename}.html" + local out_file="${SCRIPT_DIR}/${basename}.html" + local temp_file="${out_file}.tmp" + + if [ ! -f "$src_file" ]; then + echo "⚠️ Skipping $basename: source file not found: $src_file" + return 0 + fi + + echo "🔨 Minifying $basename.html..." + echo " Input: $src_file" + echo " Output: $out_file" + + perl -e " +use strict; +use warnings; + +open(my \$fh, '<', '$src_file') or die \$!; +my \$content = do { local \$/; <\$fh> }; +close(\$fh); + +# Remove HTML comments +\$content =~ s///gs; + +# Compress CSS (remove spaces and comments) +\$content =~ s/(]*>)(.*?)(<\/style>)/ + my \$before = \$1; + my \$style = \$2; + my \$after = \$3; + \$style =~ s{\/\*.*?\*\/}{}gs; + \$style =~ s{\s+}{ }gs; + \$style =~ s{\s*([{}:;,>+~])\s*}{\$1}gs; + \$before . \$style . \$after; +/gies; + +# Compress JavaScript (remove comments and extra spaces) +\$content =~ s/(]*>)(.*?)(<\/script>)/ + my \$before = \$1; + my \$script = \$2; + my \$after = \$3; + \$script =~ s{\/\/.*\$}{}gm; + \$script =~ s{\s+}{ }gs; + \$script =~ s{\s*([{}();,])\s*}{\$1}gs; + \$before . \$script . 
\$after; +/gies; + +# Remove whitespace between tags +\$content =~ s/>\s+', '$temp_file') or die \$!; +print \$out \$content; +close(\$out); +" || { + echo "❌ Minification failed for $basename" + rm -f "$temp_file" + return 1 + } + + mv "$temp_file" "$out_file" + + # Show statistics + original=$(wc -c < "$src_file") + minified=$(wc -c < "$out_file") + saved=$((original - minified)) + percent=$((saved * 100 / original)) + + echo " ✅ $basename.html minified" + printf " Original: %6d bytes | Minified: %6d bytes | Saved: %d%% (%d bytes)\n" "$original" "$minified" "$percent" "$saved" + echo "" +} + +echo "🔨 Minifying HTML files..." +echo "" + +for file in "${FILES[@]}"; do + minify_file "$file" || exit 1 +done + +echo "✅ All HTML files minified and ready for production" diff --git a/assets/web/provisioning.svg b/assets/web/provisioning.svg new file mode 100644 index 0000000..0323a9b --- /dev/null +++ b/assets/web/provisioning.svg @@ -0,0 +1,241 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/assets/web/provisioning_full_logo.svg b/assets/web/provisioning_full_logo.svg new file mode 100644 index 0000000..f701b3e --- /dev/null +++ b/assets/web/provisioning_full_logo.svg 
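Review bot: in `minify.sh`, `$src_file` and `$temp_file` are expanded by bash straight into the Perl source (`open(my \$fh, '<', '$src_file') or die \$!;`), so a checkout path containing a single quote or backslash either breaks the program or is evaluated as Perl; pass the paths as arguments instead (`perl -e '...' -- "$src_file" "$temp_file"` with `my ($src, $dst) = @ARGV;`) and single-quote the Perl so the `\$` escaping goes away. The JavaScript pass `\$script =~ s{\/\/.*\$}{}gm;` deletes from any `//` to end of line, including inside string and regex literals (`'https://...'`), and the following `\s+` collapse plus `\s*([{}();,])\s*` stripping joins newline-separated statements, so any statement that relies on automatic semicolon insertion breaks; the CSS pass `\s*([{}:;,>+~])\s*` removes the spaces around `+`, which turns a `calc(100% + 1rem)` into invalid CSS. Either narrow the rules or use an established minifier such as html-minifier-terser. The `return 0` after "Skipping $basename: source file not found" contradicts the README's "Stops on any errors"; make it `return 1`. Minor: `percent=$((saved * 100 / original))` divides by zero on an empty source file.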
@@ -0,0 +1,243 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/assets/web/provisioning_img.svg b/assets/web/provisioning_img.svg new file mode 100644 index 0000000..d8320ac --- /dev/null +++ b/assets/web/provisioning_img.svg @@ -0,0 +1,161 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/assets/web/src/architecture-diagram.html b/assets/web/src/architecture-diagram.html new file mode 100644 index 0000000..d56bd6d --- /dev/null +++ b/assets/web/src/architecture-diagram.html @@ -0,0 +1,361 @@ + + + + + + Infrastructure Provisioning System — Architecture + + + + + +
+ Provisioning Architecture - Dark Mode + + +
+ + + + diff --git a/assets/web/src/index.html b/assets/web/src/index.html new file mode 100644 index 0000000..356f95d --- /dev/null +++ b/assets/web/src/index.html @@ -0,0 +1,1437 @@ + + + + + + + Provisioning + + + + + +
+ +
+ + + + + 🏗️ ARCHITECTURE + +
+ +
+
+ +
+ Provisioning +
+

Provision at Scale

+

+ Infrastructure Orchestration +

+

+ Declarative infrastructure + + management with Nickel schemas, Nushell orchestration, + and Rust executables. Type-safe configuration, automated + validation, and cloud-native deployment across + Kubernetes, Docker, and custom platforms. + +
100% infrastructure as code. + +

+
+ +
+

+ Core Capabilities +

+
+
+
01
+

+ Type-Safe Configuration +

+

+ Nickel provides formal type checking, automated + validation, and recursive merging for infrastructure + definitions. Eliminate configuration drift and + parsing errors. +

+
+
+
02
+

+ Intelligent Orchestration +

+

+ Nushell scripts orchestrate complex deployment + workflows with structured data pipelines, state + management, and error recovery. Built-in type system + prevents runtime failures. +

+
+
+
03
+

+ Multi-Platform Support +

+

+ Deploy to Kubernetes, Docker Compose, local VMs, and + custom infrastructure. Unified interface with + platform-specific overrides and workspace isolation. +

+
+
+
04
+

+ Version Control Ready +

+

+ All infrastructure lives in Git. Configuration + schemas, Nickel modules, and Nushell scripts are + versionable, reviewable, and rollbackable. +

+
+
+
+ +
+

+ How It Works +

+
+
+
📝
+

+ Define with Nickel +

+

+ Write declarative infrastructure schemas with full + type safety. Nickel's lazy evaluation and recursive + merging enable powerful abstractions and + configuration composition. +

+ → Easy config via TypeDialog +
+
+
🔄
+

+ Orchestrate with Nushell +

+

+ Structured data pipelines, type-safe operations, and + stateful workflows. Nushell eliminates shell script + fragility while maintaining scripting simplicity. +

+ → Nushell plugins added +
+
+
+

+ Execute with Rust +

+

+ Performance-critical operations backed by Rust. + Zero-cost abstractions, memory safety, and fearless + concurrency for infrastructure tooling. +

+
+
+
📡
+

+ Coordinate via NATS JetStream +

+

+ Persistent event bus for decoupled service + coordination. Services exchange lease_id, task_id, + and status events — credentials never traverse the + bus. Auditable, replay-capable, at-least-once + delivery. +

+
+
+
🔐
+

+ Secure end-to-end +

+

+ Cedar policy-as-code for authorization, JWT sessions + managed exclusively by ControlCenter, and + post-quantum cryptography via SecretumVault. + Credentials never leave the vault — services operate + on lease references only. +

+ → SecretumVault repo +
+
+
🧩
+

+ Extend via OCI Registry +

+

+ Distribute custom providers, task services, and + cluster definitions as OCI artifacts. The Extension + Registry catalogs and versions capabilities + independently — swap or compose providers without + touching core platform code. +

+ → Provisioning Extensions +
+
+
🎛️
+

+ Platform CLI & External Services +

+

+ 8 platform subcommands (list, status, health, check, + config, connections, init, start) with declarative + external service management. Validates SurrealDB, OCI + registries (Zot/Harbor), Git sources (Forgejo/Gitea), + and cache before startup. +

+
+
+
📌
+

+ Centralized Version Management +

+

+ All tool and provider versions defined in Nickel + schemas. Generates bash-compatible exports via + ‘provisioning setup versions’. Automatic + provider discovery, shell script integration, and + single source of truth for Nushell, Nickel, SOPS, + Age, AWS CLI, and all providers. +

+
+
+
🔀
+

+ Typed DAG Execution +

+

+ Workspace taskserv pipelines declared as typed Nickel + DAGs — referential integrity validated at schema time. + Formula::into_workflow converts to WorkflowDefinition + consumed by the existing DependencyGraph with + max_parallel_tasks dispatch. Parallelism and on_error + semantics are declarative, not implicit. +

+
+
+
🧭
+

+ Ontological Self-Governance +

+

+ .ontology/core.ncl declares architectural nodes, + invariants, and artifact paths. The on+re protocol + runs governance modes (assess, audit, coverage, + validate-formula) that detect MISSING artifacts and + STALE node claims — keeping declared architecture in + sync with the codebase at scan time. +

+
+
+
+ +
+

+ SOLID Architecture Boundaries +

+
+
+
🎯
+

+ Provider APIs — Orchestrator only +

+

+ All hcloud, AWS, and provider SDK calls are isolated + to the Orchestrator crate. Every other service routes + through the Orchestrator HTTP API. SSH operations + share this same boundary. +

+
+
+
🔐
+

+ Auth decisions — ControlCenter only +

+

+ JWT validation and Cedar policy evaluation happen + exclusively in ControlCenter. Other services receive + a UserContext via middleware — no service re-validates + tokens or evaluates policies directly. +

+
+
+
🔑
+

+ Secrets — Vault Service API only +

+

+ Credentials are never stored in NATS messages or + environment variables. Services hold a lease_id and + retrieve actual secrets via HTTPS to the Vault + Service. The bus carries references, not values. +

+
+
+
+ +
+

+ System Architecture +

+ +
+ +
+

+ Technology Stack +

+
+ Nickel + Nushell 0.110 + Rust + NATS JetStream + SurrealDB + Cedar + Leptos WASM + Kubernetes + Docker Compose + SOPS 3.10 + Age 1.2 + Git +
+
+ +
+

+ Platform Services (13) +

+
+
+ OrchestratorProvider APIs + SSH boundary +
+
+ ControlCenterCedar auth boundary +
+
+ ControlCenter-UILeptos WASM dashboard +
+
+ MCP-ServerRAG + AI tools +
+
+ AI-ServiceLLM inference layer +
+
+ Extension-RegistryExtension catalog +
+
+ SecretumVaultPQC secrets API +
+
+ DetectorEvent detection +
+
+ Daemon-CLIService lifecycle +
+
+ MachinesMachine management +
+
+ ObservabilityPrometheus metrics +
+
+ BackupState backup +
+
+ EncryptKey operations +
+
+
+ +
+

+ Ready for infrastructure automation? +

+

+ Built with Nickel & Nushell | Type-Safe | Open Source +

+ Explore Git Repo → +
+ +
+

+ Provisioning v3.0.11 +

+

+ Infrastructure orchestration made elegant and type-safe ✨ +

+

+ Configuration as Code | Multi-Platform | Cloud-Native | Ontological Governance +

+
+
+ + + + diff --git a/assets/web/w-arch-diag-v2.svg b/assets/web/w-arch-diag-v2.svg new file mode 100644 index 0000000..4291305 --- /dev/null +++ b/assets/web/w-arch-diag-v2.svg 
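Review bot: in the landing-page HTML hunk above, the "Secure end-to-end" card states "Credentials never leave the vault — services operate on lease references only", but the "Secrets — Vault Service API only" card says services "retrieve actual secrets via HTTPS to the Vault Service", so secret values do leave the vault and reach the calling service. Reword the first card to match the second, e.g. "Credentials never traverse the bus or environment; services hold a lease_id and resolve it over HTTPS at use time", so both cards describe the same boundary. Secondary point: the "Coordinate via NATS JetStream" card advertises "at-least-once delivery" without saying that consumers of task_id/status events must therefore be idempotent, which is worth one clause since the same bus is described as the audit/replay record; and the command in the "Centralized Version Management" card is wrapped in typographic quotes (‘provisioning setup versions’) where the page otherwise renders identifiers as code.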
@@ -0,0 +1,703 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CONTROL PLANE ARCHITECTURE + + + + + + + + + $ + CLI + provisioning + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Events Stream + NATS JetStream + :4222 + + + + + + + + + + + + + + + Orchestrator + :9011 + + + + Task State Machine • Provider API • SSH + + Webhooks • Rollback • Audit Collector + + + + + + + + + + Configuration + Nickel • ∞ TypeDialog + + + + + + + + + + Control Center + :9012 + + + + Cedar Policies • JWT • Sessions + + WebSocket • RBAC • Solo: auto-session + + + + + + + + + + + Extensions Registry + :8084 + + + + Git • OCI • LRU + + Providers • Taskservs • vault:// creds + + + + + + + + + + 🧠 + AI • MCP + :9082 + + + + RAG Engine • MCP Server • Tools + + Embeddings • Model Routing • KGraph + + + + + + + + + + 🛡 + Vault Service + :9094 + + + + Lease Lifecycle • Key Management + + SOPS • Age • Secrets never in NATS + + + + + + + + + + + + + + + + + + + + + + + + + + + + HTTPS + + + + + HTTPS + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + DATA PERSISTENCE + Solo: RocksDB • Multi: WebSocket + + + + orchestrator + + + vault + + + control_center + + + audit + + + workspace + + + Nickel config + + + + + + + + SOLID ENFORCEMENT LAYERS + + + Compile-time + + Dev-time + + Pre-commit + + CI/CD + + Runtime + + Audit + + + Providers APIs or CLI: Orchestrator only | 
SSH: Orchestrator + Machines | Auth: Control Center only | Secrets: Vault Service API only + + + + + + + + SERVICES + Orchestrator + Control Center + Vault Service + Extension Registry + AI • MCP + + INFRASTRUCTURE + + NATS Orbital Ring + + + + OCI registry + + Token and Auth + + SecretumVault + + Nickel + + + + SurrealDB + + CONNECTIONS + + + Encrypted + + I/O and Defs + + DBs data + + Secure access + + Events Stream + + MODES + + SOLO + RocksDB + local NATS + auto-session + + MULTI + WebSocket DB + NATS cluster + JWT+Cedar + + ENT + Enterprise + + + + + + + + Production + Hetzner • AWS + + + Staging + K8s cluster + + + Dev + Solo mode + + + Edge + On-prem • IoT + + + Custom + GitOps • Webhook + + + + v3.0.11 • ∞ Architecture + diff --git a/assets/web/w-arch-diag.svg b/assets/web/w-arch-diag.svg new file mode 100644 index 0000000..d386e1c --- /dev/null +++ b/assets/web/w-arch-diag.svg 
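Review bot: in the w-arch-diag-v2.svg hunk, the SOLID ENFORCEMENT LAYERS footer reads "SSH: Orchestrator + Machines", which contradicts the landing page in the same change: the "Provider APIs — Orchestrator only" card says "SSH operations share this same boundary" and the Platform Services list labels Orchestrator as "Provider APIs + SSH boundary". Pick one: either the Machines service really opens SSH sessions, in which case the HTML cards should name it as a second SSH principal, or it does not and the diagram footer should read "SSH: Orchestrator only". A boundary diagram and the prose that cites it should not disagree on who holds SSH access.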
@@ -0,0 +1,584 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + INFRASTRUCTURE PROVISIONING SYSTEM + TECHNICAL ARCHITECTURE + + + + + + + + + + + + + + + + + + + + + + + + Provisioning + Core + + + + + CLI + + + Libs + + + Plugins + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 🔧 + + Configuration Layer + + + + Nickel Schemas + + + Validation Engine + + + Type check + + + Constraints + + + Merge + + + + + + VALID + + + + + + + + + + + + + + + + + + + + Control Center + + + + Dashboard + + + Monitoring + + + Alerts + + + Registry + + + Authorizations + + + + + LIVE + + + + + + + + + + + + + + + + + + + + + + ⚙️ + + Extension Ecosystem + + + + + + AWS + EC2 · S3 · RDS + Lambda · VPC + + + + Hetzner + VM · Blob · SQL + Functions · VNet + + + + Kubernetes + Deployments · Services · ConfigMaps · Ingress + + + + Plugin Registry · Provider SDK · Custom Providers + + + + + + + + + + OUTPUT + + + + + + + + + + + + + + + + + + + + + + + + Orchestration Engine + + + + + Batch Workflows + DAG · Parallel + + + + Execution + Plan · Apply + + + + State Management + Locking · Drift Detection · Rollback + + + + + + + + + + + + + + + done + + + + + + + + + + + + + + + + + + + + ⌨️ + + INPUT + $ provision deploy + + + + + CLI → + + + + + + + + + + + + + + + + + + + + 📁 + + Workspace Runtime + + + + Context Mgmt + + + Multi-Env + + + Isolation Boundary + + + + + + + + + + + + + + + + + + + 🛡️ + + Vault Service + PQC + + + + Secrets + + + Encryption + + + SOPS · Age · Key Rotation + + + + + + + + + + + + + + + + + + + + + 🧠 + + AI · RAG · MCP + + + + RAG Engine + + + MCP Server + + + Embeddings · Knowledge · Tools + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Production + us-east-1 · 3 replicas + + + + + Staging + eu-west-1 · 1 replica + + + + + Dev Cluster + k8s · minikube + + + + + Edge / 
Custom + IoT · on-prem + + + + + + + + + + DATA FLOWS + + + User input + + + Config validation + + + Task orchestration + + + Cloud output + + + PLATFORM + + + Control center + + + Vault service + + + AI · RAG · MCP + + + + + + + + + + + + + + + + + + + + v3.0.11 · Architecture + + + + +
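Review bot: in the w-arch-diag.svg hunk, the Hetzner box of the Extension Ecosystem lists "VM · Blob · SQL / Functions · VNet"; Blob, Functions and VNet are Azure product names, not Hetzner Cloud offerings, so this looks like a copy of a template entry. Replace with Hetzner's own primitives (Cloud Servers, Volumes, Networks, Load Balancers, Object Storage) or relabel the box, so the extension diagram does not advertise provider capabilities the Hetzner provider cannot expose. Minor: this diagram places Production in "us-east-1 · 3 replicas" while w-arch-diag-v2.svg in the same change labels Production as "Hetzner • AWS"; aligning the two avoids readers inferring different deployment targets from the two pictures.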