# Control Center Service Configuration - TOML Export
# Generates TOML configuration for Control Center service
# Supports 4 deployment modes: solo, multiuser, cicd, enterprise
#
# Usage:
#   nickel export --format toml control-center-config.toml.ncl > control-center.toml
#
# NOTE(review): the "${...}" placeholders in this file are plain string
# literals to Nickel (its own interpolation syntax is "%{...}"), so they are
# written to the exported TOML verbatim. Presumably the service substitutes
# them from the environment at load time — confirm against the loader. The
# "Mode-specific overrides" comments describe values set elsewhere per mode;
# nothing in this file applies them.
{
  # HTTP listener. "0.0.0.0" binds every interface; whether the listener
  # itself is plaintext depends on the `tls` section below.
  server = {
    host = "0.0.0.0",
    port = 8080,
    workers = 4,
    keep_alive = 75,
    max_connections = 512,
  },

  # Storage backend selection plus per-backend settings.
  database = {
    # Mode-specific overrides:
    # - solo: "rocksdb"
    # - multiuser: "postgres"
    # - cicd: "rocksdb" (in-memory)
    # - enterprise: "postgres_ha"
    backend = "rocksdb",

    # RocksDB settings (used by the solo and cicd modes).
    rocksdb = {
      path = "/var/lib/provisioning/control-center/db",
      cache_size = "256MB",
      max_open_files = 1000,
      compression = "snappy",
    },

    # PostgreSQL settings (multiuser, enterprise modes). Left as a template;
    # the credential is meant to arrive as a placeholder, not a literal value.
    # postgres = {
    #   host = "localhost",
    #   port = 5432,
    #   database = "provisioning",
    #   user = "provisioning",
    #   password = "${DB_PASSWORD}",
    #   ssl_mode = "require",
    #   pool = {
    #     min_size = 5,
    #     max_size = 20,
    #     idle_timeout = 300,
    #   },
    # },
  },

  # Authentication providers.
  auth = {
    enabled = true,

    # JWT settings. HS256 is a symmetric HMAC scheme, so `secret` is shared by
    # whoever issues and whoever verifies tokens.
    jwt = {
      issuer = "provisioning.local",
      audience = "control-center",
      secret = "${JWT_SECRET}",
      algorithm = "HS256",
      expiration = 3600, # seconds (1 hour)
      refresh_token_expiration = 604800, # seconds (7 days)
    },

    # OAuth2 provider (optional, off by default).
    oauth2 = {
      enabled = false,
      # provider = "google",
      # client_id = "${OAUTH_CLIENT_ID}",
      # client_secret = "${OAUTH_CLIENT_SECRET}",
    },

    # LDAP bind (optional, off by default).
    ldap = {
      enabled = false,
      # server_url = "ldap://localhost:389",
      # bind_dn = "cn=admin,dc=example,dc=com",
      # bind_password = "${LDAP_PASSWORD}",
    },
  },

  # Role-Based Access Control.
  rbac = {
    enabled = true,

    # Role assigned when none is given explicitly.
    default_role = "viewer",

    # Role definitions. `admin` carries the wildcard and therefore every
    # permission listed under `permissions`, present or future.
    roles = {
      admin = {
        description = "Administrator with full access",
        permissions = ["*"],
      },
      operator = {
        description = "Operator managing orchestrator",
        permissions = [
          "orchestrator.view",
          "orchestrator.execute",
          "orchestrator.manage",
        ],
      },
      viewer = {
        description = "Read-only access",
        permissions = [
          "orchestrator.view",
          "policies.view",
        ],
      },
    },

    # Human-readable description of each permission name.
    permissions = {
      "orchestrator.view" = "List and view orchestrator workflows",
      "orchestrator.execute" = "Execute and manage tasks",
      "orchestrator.manage" = "Configure orchestrator settings",
      "policies.view" = "View security policies",
      "policies.manage" = "Edit security policies",
      "users.manage" = "Manage users and roles",
      "audit.view" = "View audit logs",
    },
  },

  # Multi-Factor Authentication.
  mfa = {
    # Mode-specific overrides:
    # - solo: false
    # - multiuser: false
    # - cicd: false
    # - enterprise: true
    required = false,

    # Methods offered to users.
    methods = ["totp", "email"],

    # TOTP settings (SHA1 / 6 digits / 30 s is the RFC 6238 default profile).
    totp = {
      enabled = true,
      issuer = "Provisioning",
      algorithm = "SHA1",
      digits = 6,
      period = 30,
    },

    # One-time code delivered by email.
    email = {
      enabled = true,
      expiration = 300, # seconds (5 minutes)
    },
  },

  # Security policies and compliance toggles.
  policies = {
    # Password requirements.
    password = {
      min_length = 12,
      require_uppercase = true,
      require_lowercase = true,
      require_digits = true,
      require_special_chars = true,
      expiration_days = 90,
      history_count = 5, # Cannot reuse last N passwords
    },

    # Session lifetime limits.
    session = {
      max_duration = 86400, # seconds (24 hours)
      idle_timeout = 1800, # seconds (30 minutes)
      max_concurrent = 5, # Max concurrent sessions per user
    },

    # Audit trail.
    audit = {
      enabled = true,
      log_all_api_calls = true,
      log_user_actions = true,
      log_rbac_changes = true,
      retention_days = 90,
    },

    # Compliance profiles, all off by default.
    compliance = {
      # SOC2
      soc2 = {
        enabled = false,
        log_all_access = false,
        require_mfa = false,
      },
      # HIPAA
      hipaa = {
        enabled = false,
        encryption_required = true,
        audit_required = true,
      },
    },
  },

  # Request rate limits, global and per user.
  rate_limit = {
    enabled = true,
    global = {
      requests_per_second = 1000,
      burst_size = 100,
    },
    per_user = {
      requests_per_second = 100,
      burst_size = 20,
    },
  },

  # CORS. NOTE(review): "https://localhost:3000" looks like a development
  # origin and no mode override for `cors` is mentioned in this file; confirm
  # it is not carried into the multiuser/enterprise exports.
  cors = {
    enabled = true,
    allowed_origins = ["https://localhost:3000", "https://control-center.example.com"],
    allowed_methods = ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
    allowed_headers = ["Content-Type", "Authorization"],
    expose_headers = ["X-Request-ID", "X-Total-Count"],
    max_age = 86400,
  },

  # TLS on the listener itself. Disabled here, so the `server` listener is
  # plaintext and TLS termination is expected at the reverse proxy in front.
  tls = {
    enabled = false, # Typically behind reverse proxy
    cert_path = "/etc/provisioning/certs/cert.pem",
    key_path = "/etc/provisioning/certs/key.pem",
    min_version = "TLSv1.2",
  },

  # Monitoring and observability.
  monitoring = {
    enabled = true,

    # Metrics export.
    metrics = {
      enabled = true,
      interval = 30, # seconds
      export_format = "prometheus",
    },

    # Liveness/readiness probing.
    health_check = {
      enabled = true,
      interval = 30,
      timeout = 10,
    },

    # Distributed tracing (sampled).
    tracing = {
      enabled = false,
      sample_rate = 0.1,
    },
  },

  # Logging. Two sinks: stdout at info, a rotated file at debug.
  logging = {
    level = "info",
    format = "json",
    outputs = [
      {
        destination = "stdout",
        level = "info",
      },
      {
        destination = "file",
        path = "/var/log/provisioning/control-center/control-center.log",
        level = "debug",
        rotation = {
          max_size = "100MB",
          max_backups = 10,
          max_age = 30,
        },
      },
    ],
  },

  # Orchestrator client. `url` is plain http; presumably an internal
  # service-mesh address — confirm it is not reachable from outside.
  orchestrator = {
    url = "http://orchestrator:9090",
    timeout = 30, # seconds
    retry = {
      max_attempts = 3,
      initial_backoff = 100,
      max_backoff = 30000,
    },
  },

  # Feature flags.
  features = {
    enable_audit_logging = true,
    enable_policy_enforcement = true,
    enable_experimental_ui = false,
  },
}