# Example: Control Center Configuration - MultiUser Mode (Team Collaboration)
#
# This example shows a control center setup for team collaboration with:
# - PostgreSQL for persistent storage
# - RBAC for team access control
# - JWT authentication for API access
# - Team-friendly security (no MFA required, shared workspace)
# - Moderate monitoring for team operations
#
# Usage:
#   nickel export --format toml control-center-multiuser.ncl > control-center.multiuser.toml
#   CONTROL_CENTER_CONFIG=control-center.multiuser.toml cargo run --bin control-center
#
# Security notes for this profile (details at the relevant keys below):
# - The service itself listens in plaintext on every interface (tls.enabled = false,
#   server.host = "0.0.0.0"); it is only safe behind a TLS-terminating reverse proxy
#   whose upstream port is not reachable directly.
# - Secrets are referenced as "${VAR}" literals. Nickel's own interpolation syntax is
#   "%{...}", so these strings are exported verbatim and must be expanded by the
#   control-center at load time -- confirm that expansion happens; a missed expansion
#   would otherwise make the literal text the credential.
# - JWT_SECRET (HS256) can mint a token for any role, including admin; treat it with
#   the same care as DB_PASSWORD.

{
  # Server Configuration: Team-friendly
  server = {
    # Listen on all interfaces. Combined with tls.enabled = false below this exposes a
    # plaintext API to anything that can reach the pod/host; restrict reachability
    # (NetworkPolicy, or bind to the proxy-facing interface only) in real deployments.
    host = "0.0.0.0",
    port = 8080,
    workers = 4,
    # Presumably seconds (HTTP keep-alive) -- unit not stated by the config schema.
    keep_alive = 75,
    # Moderate connections for team; also caps how many sockets one client burst can hold.
    max_connections = 256,
  },

  # Database: PostgreSQL for persistent storage
  database = {
    backend = "postgres",
    postgres = {
      host = "postgres.provisioning.svc.cluster.local",
      port = 5432,
      database = "provisioning",
      user = "provisioning",
      # From environment -- see the header note: this is a literal string until the
      # control-center substitutes DB_PASSWORD at load time.
      password = "${DB_PASSWORD}",
      # "require" encrypts the connection but, with libpq semantics, does not verify the
      # server certificate, so an in-cluster MITM is not detected. Prefer "verify-full"
      # once the cluster CA is available to the control-center -- confirm how this
      # backend interprets ssl_mode before changing it.
      ssl_mode = "require",
      pool = {
        min_size = 5,
        max_size = 20,
        # Seconds before an idle pooled connection is closed (assumed unit).
        idle_timeout = 300,
      },
    },
  },

  # Authentication: JWT for API access
  auth = {
    enabled = true,
    jwt = {
      issuer = "provisioning.team",
      audience = "control-center",
      # From environment (literal until expanded, see header). HS256 is a shared-secret
      # MAC: RFC 7518 section 3.2 requires a key at least as long as the hash output
      # (32 random bytes for HS256); anything shorter makes tokens brute-forceable.
      secret = "${JWT_SECRET}",
      # NOTE(review): confirm the verifier pins this algorithm from config and rejects
      # tokens whose header claims a different alg (including "none").
      algorithm = "HS256",
      # 8 hours for team workday. Access tokens cannot be revoked before expiry unless
      # the server keeps a revocation list -- verify before relying on "logout".
      expiration = 28800,
      # 30 days. Long-lived refresh tokens should be stored hashed server-side and
      # rotated on use; not visible from this file whether that is the case.
      refresh_token_expiration = 2592000,
    },
    # OAuth2: Optional Google/GitHub integration
    oauth2 = {
      enabled = false,
      # provider = "github",
      # client_id = "${OAUTH_CLIENT_ID}",
      # client_secret = "${OAUTH_CLIENT_SECRET}",
    },
    # LDAP: Optional for enterprise LDAP
    ldap = {
      enabled = false,
      # If enabled, use ldaps:// (or StartTLS) rather than plain ldap://; with a
      # cleartext bind the bind_password and user passwords cross the wire unencrypted.
      # server_url = "ldap://ldap.example.com:389",
      # bind_dn = "cn=provisioning,dc=example,dc=com",
      # bind_password = "${LDAP_PASSWORD}",
    },
  },

  # RBAC: Team-based access control
  rbac = {
    enabled = true,
    # Least-privilege default: a newly created or unmapped user gets read-only access.
    default_role = "viewer",
    roles = {
      admin = {
        description = "Team lead with full access",
        # "*" is the only grant of policies.manage, users.manage and audit.view in this
        # profile, so only admins can edit policies, manage users or read audit logs.
        permissions = ["*"],
      },
      operator = {
        description = "Team member managing orchestrator",
        permissions = [
          "orchestrator.view",
          "orchestrator.execute",
          "orchestrator.manage",
          "policies.view",
        ],
      },
      # Currently identical to viewer; kept as a separate role so it can diverge later.
      developer = {
        description = "Developer with read-only access",
        permissions = [
          "orchestrator.view",
          "policies.view",
        ],
      },
      viewer = {
        description = "Read-only access for all team members",
        permissions = [
          "orchestrator.view",
          "policies.view",
        ],
      },
    },
    # Permission catalogue (name -> human description).
    permissions = {
      "orchestrator.view" = "List and view orchestrator workflows",
      "orchestrator.execute" = "Execute and manage tasks",
      "orchestrator.manage" = "Configure orchestrator settings",
      "policies.view" = "View security policies",
      "policies.manage" = "Edit security policies",
      "users.manage" = "Manage team users and roles",
      "audit.view" = "View audit logs",
    },
  },

  # MFA: Not required for team (optional per user)
  mfa = {
    required = false,
    # Email OTP is the weaker of the two factors (phishable, only as strong as the
    # mailbox); prefer TOTP where users can enrol it.
    methods = ["totp", "email"],
    totp = {
      enabled = true,
      issuer = "Provisioning Team",
      # SHA1/6 digits/30 s is the RFC 6238 default that authenticator apps support.
      algorithm = "SHA1",
      digits = 6,
      period = 30,
    },
    email = {
      enabled = true,
      # Seconds an emailed code stays valid (assumed unit).
      expiration = 300,
    },
  },

  # Policies: Team-appropriate security
  policies = {
    password = {
      min_length = 12,
      require_uppercase = true,
      require_lowercase = true,
      require_digits = true,
      # Relax for team usability
      require_special_chars = false,
      # Forced 90-day rotation. Current NIST SP 800-63B guidance is to rotate only on
      # evidence of compromise; consider 0/disabled if the schema allows it.
      expiration_days = 90,
      history_count = 3,
    },
    session = {
      # 8 hours (workday); kept equal to auth.jwt.expiration -- change both together.
      max_duration = 28800,
      # 1 hour
      idle_timeout = 3600,
      # Allow multiple sessions per user
      max_concurrent = 3,
    },
    audit = {
      enabled = true,
      # NOTE(review): confirm the audit logger redacts Authorization headers, passwords
      # and MFA codes from request records before they reach the log file.
      log_all_api_calls = true,
      log_user_actions = true,
      log_rbac_changes = true,
      # Days of audit history kept; 90 is below what SOC2/HIPAA regimes typically
      # expect, consistent with both being disabled below.
      retention_days = 90,
    },
    compliance = {
      soc2 = {
        enabled = false,
      },
      hipaa = {
        enabled = false,
      },
    },
  },

  # Rate Limiting: Reasonable for team use
  rate_limit = {
    enabled = true,
    # burst_size is smaller than requests_per_second in both scopes; whether "burst"
    # is a bucket capacity or an extra allowance depends on the limiter -- verify the
    # intended shape against the implementation.
    global = {
      requests_per_second = 1000,
      burst_size = 100,
    },
    per_user = {
      requests_per_second = 100,
      burst_size = 20,
    },
  },

  # CORS: Team-friendly
  cors = {
    enabled = true,
    allowed_origins = [
      # Local development. In a shared team deployment this lets any page served from a
      # developer's local port call the API cross-origin; consider keeping it only in the
      # development profile.
      "https://localhost:3000",
      # Team domain
      "https://control-center.example.com",
      # Orchestrator domain
      "https://orchestrator.example.com",
    ],
    allowed_methods = ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
    allowed_headers = ["Content-Type", "Authorization"],
    expose_headers = ["X-Request-ID", "X-Total-Count"],
    # Seconds a preflight result may be cached by the browser.
    max_age = 86400,
  },

  # TLS: Optional (usually behind reverse proxy)
  tls = {
    # Use reverse proxy in production. With this off, bearer tokens travel in clear
    # between the proxy and this service; the proxy->service hop must be on a trusted
    # network (or a mesh providing mTLS) and port 8080 must not be reachable directly.
    enabled = false,
  },

  # Monitoring: Team operations
  monitoring = {
    enabled = true,
    metrics = {
      enabled = true,
      # Seconds between metric collections (assumed unit).
      interval = 30,
      export_format = "prometheus",
    },
    health_check = {
      enabled = true,
      interval = 30,
      timeout = 10,
    },
    tracing = {
      enabled = false,
      sample_rate = 0.1,
    },
  },

  # Logging: Team operations
  logging = {
    level = "info",
    format = "json",
    outputs = [
      {
        destination = "stdout",
        level = "warn",
      },
      {
        destination = "file",
        # Audit/API records land here; the file should be owned by the service user and
        # not group/world readable (permissions are not set by this config).
        path = "/var/log/provisioning/control-center/control-center.log",
        level = "info",
        rotation = {
          max_size = "200MB",
          max_backups = 15,
          # Days (assumed unit)
          max_age = 30,
        },
      },
    ],
  },

  # Orchestrator Integration
  orchestrator = {
    # Plain http to the in-cluster orchestrator: calls (and any credentials they carry)
    # are unencrypted on that hop. Acceptable only on a trusted network or under a
    # service mesh; otherwise switch to https once the orchestrator serves TLS.
    url = "http://orchestrator:9090",
    # Seconds (assumed unit)
    timeout = 30,
    retry = {
      max_attempts = 3,
      # Milliseconds (assumed from the 100 / 30000 values)
      initial_backoff = 100,
      max_backoff = 30000,
    },
  },

  # Features: Team-ready
  features = {
    enable_audit_logging = true,
    enable_policy_enforcement = true,
    enable_experimental_ui = false,
  },
}