44648e3206
- Remove KCL ecosystem (~220 files deleted) - Migrate all infrastructure to Nickel schema system - Consolidate documentation: legacy docs → provisioning/docs/src/ - Add CI/CD workflows (.github/) and Rust build config (.cargo/) - Update core system for Nickel schema parsing - Update README.md and CHANGES.md for v5.0.0 release - Fix pre-commit hooks: end-of-file, trailing-whitespace - Breaking changes: KCL workspaces require migration - Migration bridge available in docs/src/development/
Service Configuration Templates
Nickel-based configuration templates that export to TOML format for provisioning platform services.
Overview
This directory contains Nickel templates that generate TOML configuration files for the provisioning platform services:
- orchestrator-config.toml.ncl - Workflow engine configuration
- control-center-config.toml.ncl - Policy and RBAC management configuration
- mcp-server-config.toml.ncl - Model Context Protocol server configuration
These templates support all four deployment modes:
- solo: Single developer, minimal configuration
- multiuser: Team collaboration with full features
- cicd: CI/CD pipelines with ephemeral configuration
- enterprise: Production with advanced security and monitoring
Templates
orchestrator-config.toml.ncl
Orchestrator workflow engine configuration with sections for:
- Workspace: Workspace name, path, and multi-workspace support
- Server: HTTP server configuration (host, port, workers)
- Storage: Backend selection (filesystem, SurrealDB embedded, SurrealDB server)
- Queue: Task concurrency, retries, timeouts, deadletter queue
- Batch: Parallel limits, operation timeouts, checkpointing, rollback
- Monitoring: Metrics collection, health checks, resource tracking
- Logging: Log levels, outputs, rotation
- Security: JWT auth, CORS, TLS, rate limiting
- Extensions: Auto-loading from OCI registry
- Database: Connection pooling for non-filesystem storage
- Features: Feature flags for experimental functionality
Key Parameters:
max_concurrent_tasks: 1-100 (constrained)batch.parallel_limit: 1-50 (constrained)- Storage backend: filesystem, surrealdb_server, surrealdb_cluster
- Logging format: json or text
control-center-config.toml.ncl
Control Center policy and RBAC management configuration with sections for:
- Server: HTTP server configuration
- Database: Backend selection (RocksDB, PostgreSQL, PostgreSQL HA)
- Auth: JWT, OAUTH2, LDAP authentication methods
- RBAC: Role-based access control with roles and permissions
- MFA: Multi-factor authentication (TOTP, Email OTP)
- Policies: Password policy, session policy, audit, compliance
- Rate Limiting: Global and per-user rate limits
- CORS: Cross-origin resource sharing configuration
- TLS: SSL/TLS configuration
- Monitoring: Metrics, health checks, tracing
- Logging: Log outputs and rotation
- Orchestrator Integration: Connection to orchestrator service
- Features: Feature flags
Key Parameters:
database.backend: rocksdb, postgres, postgres_hamfa.required: false for solo/multiuser, true for enterprisepolicies.password.min_length: 12policies.compliance: SOC2, HIPAA support
mcp-server-config.toml.ncl
Model Context Protocol server configuration for AI/LLM integration with sections for:
- Server: HTTP/Stdio protocol configuration
- Capabilities: Tools, resources, prompts, sampling
- Tools: Tool categories and configurations (orchestrator, provisioning, workspace)
- Resources: File system, database, external API resources
- Prompts: System prompts and user prompt configuration
- Integration: Orchestrator, Control Center, Claude API integration
- Security: Authentication, authorization, rate limiting, input validation
- Monitoring: Metrics, health checks, audit logging
- Logging: Log outputs and configuration
- Features: Feature flags
- Performance: Thread pools, timeouts, caching
Key Parameters:
server.protocol: stdio (process-based) or http (network-based)capabilities.tools.enabled: true/falsecapabilities.resources.max_size: 1GB defaultintegration.claude.model: claude-3-opus (latest)
Usage
Exporting to TOML
Each template exports to TOML format:
# Export orchestrator configuration
nickel export --format toml orchestrator-config.toml.ncl > orchestrator.toml
# Export control-center configuration
nickel export --format toml control-center-config.toml.ncl > control-center.toml
# Export MCP server configuration
nickel export --format toml mcp-server-config.toml.ncl > mcp-server.toml
Mode-Specific Configuration
Override configuration values based on deployment mode using environment variables or configuration layering:
# Export solo mode configuration
ORCHESTRATOR_MODE=solo nickel export --format toml orchestrator-config.toml.ncl > orchestrator.solo.toml
# Export enterprise mode with full features
ORCHESTRATOR_MODE=enterprise nickel export --format toml orchestrator-config.toml.ncl > orchestrator.enterprise.toml
Integration with Rust Services
Rust services load TOML configuration in this order (high to low priority):
- Environment Variables -
ORCHESTRATOR_*,CONTROL_CENTER_*,MCP_* - User Configuration -
~/.config/provisioning/user_config.toml - Mode-Specific Config -
provisioning/platform/config/{service}.{mode}.toml - Default Configuration -
provisioning/platform/config/{service}.defaults.toml
Example loading in Rust:
use config::{Config, ConfigError, File};
pub fn load_config(mode: &str) -> Result<OrchestratorConfig, ConfigError> {
let config_path = format!("provisioning/platform/config/orchestrator.{}.toml", mode);
Config::builder()
.add_source(File::with_name("provisioning/platform/config/orchestrator.defaults"))
.add_source(File::with_name(&config_path).required(false))
.add_source(config::Environment::with_prefix("ORCHESTRATOR"))
.build()?
.try_deserialize()
}
Configuration Sections
Server Configuration (All Services)
[server]
host = "0.0.0.0"
port = 9090
workers = 4
keep_alive = 75
max_connections = 512
Database Configuration (Control Center)
RocksDB (solo, cicd modes):
[database]
backend = "rocksdb"
[database.rocksdb]
path = "/var/lib/provisioning/control-center/db"
cache_size = "256MB"
max_open_files = 1000
compression = "snappy"
PostgreSQL (multiuser, enterprise modes):
[database]
backend = "postgres"
[database.postgres]
host = "postgres.provisioning.svc.cluster.local"
port = 5432
database = "provisioning"
user = "provisioning"
password = "${DB_PASSWORD}"
ssl_mode = "require"
Storage Configuration (Orchestrator)
Filesystem (solo, cicd modes):
[storage]
backend = "filesystem"
path = "/var/lib/provisioning/orchestrator/data"
SurrealDB Server (multiuser mode):
[storage]
backend = "surrealdb_server"
surrealdb_url = "surrealdb://surrealdb:8000"
surrealdb_namespace = "provisioning"
surrealdb_database = "orchestrator"
SurrealDB Cluster (enterprise mode):
[storage]
backend = "surrealdb_cluster"
surrealdb_url = "surrealdb://surrealdb-cluster.provisioning.svc.cluster.local:8000"
surrealdb_namespace = "provisioning"
surrealdb_database = "orchestrator"
RBAC Configuration (Control Center)
[rbac]
enabled = true
default_role = "viewer"
[rbac.roles.admin]
description = "Administrator with full access"
permissions = ["*"]
[rbac.roles.operator]
description = "Operator managing orchestrator"
permissions = ["orchestrator.view", "orchestrator.execute"]
Queue Configuration (Orchestrator)
[queue]
max_concurrent_tasks = 50
retry_attempts = 3
retry_delay = 5000
task_timeout = 3600000
[queue.deadletter_queue]
enabled = true
max_messages = 1000
retention_period = 86400
Logging Configuration (All Services)
[logging]
level = "info"
format = "json"
[[logging.outputs]]
destination = "stdout"
level = "info"
[[logging.outputs]]
destination = "file"
path = "/var/log/provisioning/orchestrator/orchestrator.log"
level = "debug"
[logging.outputs.rotation]
max_size = "100MB"
max_backups = 10
max_age = 30
Monitoring Configuration (All Services)
[monitoring]
enabled = true
[monitoring.metrics]
enabled = true
interval = 30
export_format = "prometheus"
[monitoring.health_check]
enabled = true
interval = 30
timeout = 10
Security Configuration (All Services)
[security.auth]
enabled = true
method = "jwt"
jwt_secret = "${JWT_SECRET}"
jwt_issuer = "provisioning.local"
jwt_audience = "orchestrator"
token_expiration = 3600
[security.cors]
enabled = true
allowed_origins = ["https://control-center:8080"]
allowed_methods = ["GET", "POST", "PUT", "DELETE"]
[security.rate_limit]
enabled = true
requests_per_second = 1000
burst_size = 100
Environment Variables
All sensitive values should be provided via environment variables:
# Secrets
export JWT_SECRET="your-jwt-secret-here"
export DB_PASSWORD="your-database-password"
export ORCHESTRATOR_TOKEN="your-orchestrator-token"
export CONTROL_CENTER_TOKEN="your-control-center-token"
export CLAUDE_API_KEY="your-claude-api-key"
# Service URLs (if different from defaults)
export ORCHESTRATOR_URL="http://orchestrator:9090"
export CONTROL_CENTER_URL="http://control-center:8080"
# Mode selection
export PROVISIONING_MODE="enterprise"
Mode-Specific Overrides
Solo Mode
- Minimal resources: 2 CPU, 4GB RAM
- Filesystem storage for orchestrator
- RocksDB for control-center
- No MFA required
- Single replica deployments
- Logging: info level
MultiUser Mode
- Moderate resources: 4 CPU, 8GB RAM
- SurrealDB server for orchestrator
- PostgreSQL for control-center
- RBAC enabled
- 1 replica per service
- Logging: debug level
CI/CD Mode
- Stateless configuration
- Ephemeral storage (no persistence)
- API-driven (minimal UI)
- No MFA required
- 1 replica per service
- Logging: warn level (minimal)
Enterprise Mode
- High resources: 16+ CPU, 32+ GB RAM
- SurrealDB cluster for orchestrator HA
- PostgreSQL HA for control-center
- Full RBAC and MFA required
- 3+ replicas per service
- Full monitoring and audit logging
- Logging: info level with detailed audit
Validation
Validate configuration before using:
# Type check with Nickel
nickel typecheck orchestrator-config.toml.ncl
# Export and validate TOML syntax
nickel export --format toml orchestrator-config.toml.ncl | toml-cli validate -