Jesús Pérez 44648e3206
chore: complete nickel migration and consolidate legacy configs
- Remove KCL ecosystem (~220 files deleted)
- Migrate all infrastructure to Nickel schema system
- Consolidate documentation: legacy docs → provisioning/docs/src/
- Add CI/CD workflows (.github/) and Rust build config (.cargo/)
- Update core system for Nickel schema parsing
- Update README.md and CHANGES.md for v5.0.0 release
- Fix pre-commit hooks: end-of-file, trailing-whitespace
- Breaking changes: KCL workspaces require migration
- Migration bridge available in docs/src/development/
2026-01-08 09:55:37 +00:00


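# Infrastructure - Nginx Schema
# Defines type-safe Nginx configuration generation
# Validates upstreams, locations, rate limiting, and TLS settings
#
# Layout of this record:
#   * `Port`, `NonEmptyArray`, `UpstreamServer` .. `NginxConfig` are record
#     contracts: a value must satisfy them before it is rendered to nginx.conf.
#   * `platformServicePresets`, `soloNginxPreset`, `enterpriseNginxPreset` are
#     ready-made values; the two full presets are checked against `NginxConfig`
#     so that a schema regression is caught when this file is evaluated.
# The renderer that turns these records into nginx directives is not part of
# this file. Nothing here quotes or escapes strings, so values such as
# `proxy_pass`, `key` or `ciphers` are emitted verbatim by the consumer.
{
  # TCP port: an integer in 1..65535. Nginx refuses anything else at start-up;
  # rejecting it here gives the error at schema-check time instead.
  Port = std.contract.from_predicate (fun p =>
    std.is_number p && std.number.is_integer p && p >= 1 && p <= 65535),

  # Array holding at least one element. An `upstream` block without a single
  # `server` directive is a configuration error in nginx.
  NonEmptyArray = std.contract.from_predicate (fun a =>
    std.is_array a && std.array.length a > 0),

  # One backend behind an upstream pool (`server` directive).
  UpstreamServer = {
    # host:port or unix socket, exactly as nginx's `server` directive takes it.
    address | String,
    # Relative share of traffic; nginx requires a positive integer.
    weight | std.number.PosNat | default = 1,
    # Failed attempts within `fail_timeout` before the backend is marked down;
    # 0 disables the accounting.
    max_fails | std.number.Nat | default = 3,
    # nginx duration string, e.g. "10s".
    fail_timeout | String | default = "10s",
  },

  # Upstream pool (`upstream <name> { ... }`).
  Upstream = {
    # Referenced from `Location.proxy_pass` as `http://<name>`; keep it a valid
    # nginx identifier and spell it identically across presets.
    name | String,
    servers | NonEmptyArray | Array UpstreamServer,
    # Idle keepalive connections cached per worker towards this pool.
    keepalive | std.number.Nat | default = 32,
    least_conn | Bool | default = false,
  },

  # `limit_req_zone` definition.
  RateLimitZone = {
    name | String,
    # nginx variable the limit is keyed on. Note that behind a load balancer
    # the direct peer is the balancer, so "$binary_remote_addr" would then
    # throttle the balancer rather than individual clients.
    key | String,
    # Shared-memory size of the zone, e.g. "10m".
    size | String | default = "10m",
    # Rate in nginx syntax, e.g. "10r/s" or "5r/m".
    rate | String,
  },

  # TLS settings of a server block.
  TLSConfig = {
    enabled | Bool | default = false,
    # nginx needs both paths when `enabled = true`. The schema cannot express
    # that conditional requirement, so a missing path only surfaces when nginx
    # loads the rendered configuration.
    cert_path | String | optional,
    key_path | String | optional,
    # Values are passed through to `ssl_protocols`; not validated here.
    protocols | Array String | default = ["TLSv1.2", "TLSv1.3"],
    # OpenSSL cipher string. The default drops anonymous and MD5 suites but
    # still permits RSA key exchange (no forward secrecy) and CBC/SHA-1 suites
    # under TLSv1.2; public services should override it with an ECDHE/AEAD-only
    # list. TLSv1.3 cipher suites are not governed by this directive.
    ciphers | String | default = "HIGH:!aNULL:!MD5",
  },

  # Response security headers. An unset field emits no header at all, so the
  # defaults provide no hardening by themselves.
  SecurityHeaders = {
    strict_transport_security | String | optional,
    content_security_policy | String | optional,
    x_frame_options | String | optional,
    x_content_type_options | String | optional,
  },

  # `location` block.
  Location = {
    path | String,
    # Target URL, typically "http://<Upstream.name>".
    proxy_pass | String | optional,
    # Extra `proxy_set_header` directives, header name -> value.
    proxy_set_header | {_ | String} | default = {},
    # Rate in nginx syntax (see `RateLimitZone.rate`). How it is tied to a
    # zone is decided by the renderer, not by this schema.
    rate_limit | String | optional,
    # HTTP basic auth; `user_file` is the htpasswd file when enabled.
    auth | {
      enabled | Bool | default = false,
      user_file | String | optional,
    } | default = {enabled = false},
    # CORS headers. What the renderer emits when `enabled = true` but
    # `allowed_origins` is unset is not defined here; do not rely on an
    # implicit wildcard for authenticated endpoints.
    cors | {
      enabled | Bool | default = false,
      allowed_origins | Array String | optional,
      allowed_methods | Array String | optional,
    } | default = {enabled = false},
    # `rewrite <pattern> <replacement> [flags]`; all parts optional.
    rewrite | {
      pattern | String | optional,
      replacement | String | optional,
      flags | String | optional,
    } | default = {},
  },

  # `server` block.
  ServerBlock = {
    # Port to `listen` on. Pair 443 with `tls.enabled = true`; a TLS listener
    # on 80 serves HTTPS where clients expect plain HTTP.
    listen_port | Port | default = 80,
    server_names | Array String,
    tls | TLSConfig | default = {enabled = false},
    security_headers | SecurityHeaders | default = {},
    # Per-server override of `NginxConfig.client_max_body_size`.
    client_max_body_size | String | default = "1m",
    proxy_read_timeout | String | default = "60s",
    proxy_connect_timeout | String | default = "60s",
    gzip_enabled | Bool | default = true,
    locations | Array Location,
    # Name of a `RateLimitZone`; not set by any preset in this file.
    rate_limit_zone | String | optional,
  },

  # Top-level nginx.conf.
  NginxConfig = {
    # System user the worker processes run as.
    user | String | default = "nginx",
    # nginx's `auto` keyword is not representable; give an explicit count.
    worker_processes | std.number.PosNat | default = 4,
    worker_connections | std.number.PosNat | default = 1024,
    keepalive_timeout | String | default = "65s",
    sendfile | Bool | default = true,
    tcp_nopush | Bool | default = true,
    tcp_nodelay | Bool | default = true,
    types_hash_max_size | std.number.PosNat | default = 2048,
    # Global upload limit; individual server blocks may lower or raise it.
    client_max_body_size | String | default = "20m",
    upstreams | Array Upstream,
    rate_limit_zones | Array RateLimitZone | default = [],
    servers | Array ServerBlock,
  },

  # Platform service presets: name, port and per-service rate for each
  # platform component. Their shape matches none of the contracts above, so
  # they are presumably read directly by the renderer rather than validated.
  platformServicePresets = {
    orchestrator = {
      name = "orchestrator",
      listen_port = 8080,
      rate_limit = "10r/s",
    },
    control_center = {
      name = "control-center",
      listen_port = 8081,
      rate_limit = "5r/s",
    },
    extension_registry = {
      name = "extension-registry",
      listen_port = 8082,
      rate_limit = "20r/s",
    },
    api_server = {
      name = "api-server",
      listen_port = 8083,
      rate_limit = "100r/s",
    },
    mcp_server = {
      name = "mcp-server",
      listen_port = 8084,
      rate_limit = "50r/s",
    },
  },

  # Solo mode preset: single worker, two local backends, plain HTTP on
  # loopback only. Checked against `NginxConfig` so defaults are filled in.
  soloNginxPreset | NginxConfig = {
    user = "nginx",
    worker_processes = 1,
    worker_connections = 512,
    upstreams = [
      {
        name = "orchestrator",
        servers = [{address = "127.0.0.1:8080"}],
      },
      {
        name = "control-center",
        servers = [{address = "127.0.0.1:8081"}],
      },
    ],
    rate_limit_zones = [
      {
        name = "api_limit",
        key = "$binary_remote_addr",
        rate = "10r/s",
      },
    ],
    servers = [
      {
        listen_port = 80,
        server_names = ["localhost", "127.0.0.1"],
        locations = [
          {
            path = "/api/orchestrator",
            proxy_pass = "http://orchestrator",
            rate_limit = "10r/s",
          },
          {
            path = "/api/control-center",
            proxy_pass = "http://control-center",
            rate_limit = "5r/s",
          },
        ],
      },
    ],
  },

  # Enterprise mode preset: replicated backends, TLS with HSTS/CSP headers,
  # separate API and login rate-limit zones.
  enterpriseNginxPreset | NginxConfig = {
    user = "nginx",
    worker_processes = 8,
    worker_connections = 2048,
    client_max_body_size = "100m",
    upstreams = [
      {
        name = "orchestrator",
        servers = [
          {address = "orchestrator-1:8080", weight = 1},
          {address = "orchestrator-2:8080", weight = 1},
          {address = "orchestrator-3:8080", weight = 1},
        ],
        least_conn = true,
      },
      {
        # Spelled with a hyphen like the solo preset and
        # `platformServicePresets.control_center.name`, so the same
        # `proxy_pass = "http://control-center"` works in both modes.
        name = "control-center",
        servers = [
          {address = "control-center-1:8081", weight = 1},
          {address = "control-center-2:8081", weight = 1},
        ],
      },
    ],
    rate_limit_zones = [
      {
        name = "api_limit",
        key = "$binary_remote_addr",
        rate = "100r/s",
        size = "50m",
      },
      {
        # Login attempts are throttled far below the API rate.
        name = "login_limit",
        key = "$binary_remote_addr",
        rate = "5r/m",
        size = "10m",
      },
    ],
    servers = [
      {
        # TLS is enabled below, so listen on the HTTPS port rather than 80.
        # No plain-HTTP redirect server block is defined in this preset.
        listen_port = 443,
        server_names = ["api.example.com"],
        tls = {
          enabled = true,
          cert_path = "/etc/nginx/certs/api.crt",
          key_path = "/etc/nginx/certs/api.key",
          protocols = ["TLSv1.2", "TLSv1.3"],
        },
        security_headers = {
          strict_transport_security = "max-age=31536000; includeSubDomains",
          content_security_policy = "default-src 'self'",
          x_frame_options = "DENY",
        },
        locations = [
          {
            path = "/api/",
            proxy_pass = "http://orchestrator",
            rate_limit = "100r/s",
          },
        ],
      },
    ],
  },
}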