jesus/provisioning

Jesús Pérez b7d8c123e1

fix(docs): markdown code fence violations and add production patterns

2026-01-14 03:16:00 +00:00

11 KiB

Raw Blame History

Service Configuration Templates\n\nNickel-based configuration templates that export to TOML format for provisioning platform services.\n\n## Overview\n\nThis directory contains Nickel templates that generate TOML configuration files for the provisioning platform services:\n\n- orchestrator-config.toml.ncl - Workflow engine configuration\n- control-center-config.toml.ncl - Policy and RBAC management configuration\n- mcp-server-config.toml.ncl - Model Context Protocol server configuration\n\nThese templates support all four deployment modes:\n\n- solo: Single developer, minimal configuration\n- multiuser: Team collaboration with full features\n- cicd: CI/CD pipelines with ephemeral configuration\n- enterprise: Production with advanced security and monitoring\n\n## Templates\n\n### orchestrator-config.toml.ncl\n\nOrchestrator workflow engine configuration with sections for:\n\n- Workspace: Workspace name, path, and multi-workspace support\n- Server: HTTP server configuration (host, port, workers)\n- Storage: Backend selection (filesystem, SurrealDB embedded, SurrealDB server)\n- Queue: Task concurrency, retries, timeouts, deadletter queue\n- Batch: Parallel limits, operation timeouts, checkpointing, rollback\n- Monitoring: Metrics collection, health checks, resource tracking\n- Logging: Log levels, outputs, rotation\n- Security: JWT auth, CORS, TLS, rate limiting\n- Extensions: Auto-loading from OCI registry\n- Database: Connection pooling for non-filesystem storage\n- Features: Feature flags for experimental functionality\n\nKey Parameters:\n- `max_concurrent_tasks`: 1-100 (constrained)\n- `batch.parallel_limit`: 1-50 (constrained)\n- Storage backend: filesystem, surrealdb_server, surrealdb_cluster\n- Logging format: json or text\n\n### control-center-config.toml.ncl\n\nControl Center policy and RBAC management configuration with sections for:\n\n- Server: HTTP server configuration\n- Database: Backend selection (RocksDB, PostgreSQL, PostgreSQL HA)\n- Auth: JWT, OAUTH2, LDAP authentication methods\n- RBAC: Role-based access control with roles and permissions\n- MFA: Multi-factor authentication (TOTP, Email OTP)\n- Policies: Password policy, session policy, audit, compliance\n- Rate Limiting: Global and per-user rate limits\n- CORS: Cross-origin resource sharing configuration\n- TLS: SSL/TLS configuration\n- Monitoring: Metrics, health checks, tracing\n- Logging: Log outputs and rotation\n- Orchestrator Integration: Connection to orchestrator service\n- Features: Feature flags\n\nKey Parameters:\n- `database.backend`: rocksdb, postgres, postgres_ha\n- `mfa.required`: false for solo/multiuser, true for enterprise\n- `policies.password.min_length`: 12\n- `policies.compliance`: SOC2, HIPAA support\n\n### mcp-server-config.toml.ncl\n\nModel Context Protocol server configuration for AI/LLM integration with sections for:\n\n- Server: HTTP/Stdio protocol configuration\n- Capabilities: Tools, resources, prompts, sampling\n- Tools: Tool categories and configurations (orchestrator, provisioning, workspace)\n- Resources: File system, database, external API resources\n- Prompts: System prompts and user prompt configuration\n- Integration: Orchestrator, Control Center, Claude API integration\n- Security: Authentication, authorization, rate limiting, input validation\n- Monitoring: Metrics, health checks, audit logging\n- Logging: Log outputs and configuration\n- Features: Feature flags\n- Performance: Thread pools, timeouts, caching\n\nKey Parameters:\n- `server.protocol`: stdio (process-based) or http (network-based)\n- `capabilities.tools.enabled`: true/false\n- `capabilities.resources.max_size`: 1GB default\n- `integration.claude.model`: claude-3-opus (latest)\n\n## Usage\n\n### Exporting to TOML\n\nEach template exports to TOML format:\n\n`\n# Export orchestrator configuration\nnickel export --format toml orchestrator-config.toml.ncl > orchestrator.toml\n\n# Export control-center configuration\nnickel export --format toml control-center-config.toml.ncl > control-center.toml\n\n# Export MCP server configuration\nnickel export --format toml mcp-server-config.toml.ncl > mcp-server.toml\n`\n\n### Mode-Specific Configuration\n\nOverride configuration values based on deployment mode using environment variables or configuration layering:\n\n`\n# Export solo mode configuration\nORCHESTRATOR_MODE=solo nickel export --format toml orchestrator-config.toml.ncl > orchestrator.solo.toml\n\n# Export enterprise mode with full features\nORCHESTRATOR_MODE=enterprise nickel export --format toml orchestrator-config.toml.ncl > orchestrator.enterprise.toml\n`\n\n### Integration with Rust Services\n\nRust services load TOML configuration in this order (high to low priority):\n\n1. Environment Variables - `ORCHESTRATOR_`, `CONTROL_CENTER_`, `MCP_`\n2. User Configuration - `~/.config/provisioning/user_config.toml`\n3. Mode-Specific Config - `provisioning/platform/config/{service}.{mode}.toml`\n4. Default Configuration - `provisioning/platform/config/{service}.defaults.toml`\n\nExample loading in Rust:\n\n\nuse config::{Config, ConfigError, File};\n\npub fn load_config(mode: &str) -> Result<OrchestratorConfig, ConfigError> {\n let config_path = format!("provisioning/platform/config/orchestrator.{}.toml", mode);\n\n Config::builder()\n .add_source(File::with_name("provisioning/platform/config/orchestrator.defaults"))\n .add_source(File::with_name(&config_path).required(false))\n .add_source(config::Environment::with_prefix("ORCHESTRATOR"))\n .build()?\n .try_deserialize()\n}\n\n\n## Configuration Sections\n\n### Server Configuration (All Services)\n\n`\n[server]\nhost = "0.0.0.0"\nport = 9090\nworkers = 4\nkeep_alive = 75\nmax_connections = 512\n`\n\n### Database Configuration (Control Center)\n\nRocksDB (solo, cicd modes):\n\n`\n[database]\nbackend = "rocksdb"\n\n[database.rocksdb]\npath = "/var/lib/provisioning/control-center/db"\ncache_size = "256MB"\nmax_open_files = 1000\ncompression = "snappy"\n`\n\nPostgreSQL (multiuser, enterprise modes):\n\n`\n[database]\nbackend = "postgres"\n\n[database.postgres]\nhost = "postgres.provisioning.svc.cluster.local"\nport = 5432\ndatabase = "provisioning"\nuser = "provisioning"\npassword = "${DB_PASSWORD}"\nssl_mode = "require"\n`\n\n### Storage Configuration (Orchestrator)\n\nFilesystem (solo, cicd modes):\n\n`\n[storage]\nbackend = "filesystem"\npath = "/var/lib/provisioning/orchestrator/data"\n`\n\nSurrealDB Server (multiuser mode):\n\n`\n[storage]\nbackend = "surrealdb_server"\nsurrealdb_url = "surrealdb://surrealdb:8000"\nsurrealdb_namespace = "provisioning"\nsurrealdb_database = "orchestrator"\n`\n\nSurrealDB Cluster (enterprise mode):\n\n`\n[storage]\nbackend = "surrealdb_cluster"\nsurrealdb_url = "surrealdb://surrealdb-cluster.provisioning.svc.cluster.local:8000"\nsurrealdb_namespace = "provisioning"\nsurrealdb_database = "orchestrator"\n`\n\n### RBAC Configuration (Control Center)\n\n`\n[rbac]\nenabled = true\ndefault_role = "viewer"\n\n[rbac.roles.admin]\ndescription = "Administrator with full access"\npermissions = [""]\n\n[rbac.roles.operator]\ndescription = "Operator managing orchestrator"\npermissions = ["orchestrator.view", "orchestrator.execute"]\n`\n\n### Queue Configuration (Orchestrator)\n\n`\n[queue]\nmax_concurrent_tasks = 50\nretry_attempts = 3\nretry_delay = 5000\ntask_timeout = 3600000\n\n[queue.deadletter_queue]\nenabled = true\nmax_messages = 1000\nretention_period = 86400\n`\n\n### Logging Configuration (All Services)\n\n`\n[logging]\nlevel = "info"\nformat = "json"\n\n[[logging.outputs]]\ndestination = "stdout"\nlevel = "info"\n\n[[logging.outputs]]\ndestination = "file"\npath = "/var/log/provisioning/orchestrator/orchestrator.log"\nlevel = "debug"\n\n[logging.outputs.rotation]\nmax_size = "100MB"\nmax_backups = 10\nmax_age = 30\n`\n\n### Monitoring Configuration (All Services)\n\n`\n[monitoring]\nenabled = true\n\n[monitoring.metrics]\nenabled = true\ninterval = 30\nexport_format = "prometheus"\n\n[monitoring.health_check]\nenabled = true\ninterval = 30\ntimeout = 10\n`\n\n### Security Configuration (All Services)\n\n`\n[security.auth]\nenabled = true\nmethod = "jwt"\njwt_secret = "${JWT_SECRET}"\njwt_issuer = "provisioning.local"\njwt_audience = "orchestrator"\ntoken_expiration = 3600\n\n[security.cors]\nenabled = true\nallowed_origins = ["https://control-center:8080"]\nallowed_methods = ["GET", "POST", "PUT", "DELETE"]\n\n[security.rate_limit]\nenabled = true\nrequests_per_second = 1000\nburst_size = 100\n`\n\n## Environment Variables\n\nAll sensitive values should be provided via environment variables:\n\n`\n# Secrets\nexport JWT_SECRET="your-jwt-secret-here"\nexport DB_PASSWORD="your-database-password"\nexport ORCHESTRATOR_TOKEN="your-orchestrator-token"\nexport CONTROL_CENTER_TOKEN="your-control-center-token"\nexport CLAUDE_API_KEY="your-claude-api-key"\n\n# Service URLs (if different from defaults)\nexport ORCHESTRATOR_URL="http://orchestrator:9090"\nexport CONTROL_CENTER_URL="http://control-center:8080"\n\n# Mode selection\nexport PROVISIONING_MODE="enterprise"\n`\n\n## Mode-Specific Overrides\n\n### Solo Mode\n- Minimal resources: 2 CPU, 4GB RAM\n- Filesystem storage for orchestrator\n- RocksDB for control-center\n- No MFA required\n- Single replica deployments\n- Logging: info level\n\n### MultiUser Mode\n- Moderate resources: 4 CPU, 8GB RAM\n- SurrealDB server for orchestrator\n- PostgreSQL for control-center\n- RBAC enabled\n- 1 replica per service\n- Logging: debug level\n\n### CI/CD Mode\n- Stateless configuration\n- Ephemeral storage (no persistence)\n- API-driven (minimal UI)\n- No MFA required\n- 1 replica per service\n- Logging: warn level (minimal)\n\n### Enterprise Mode\n- High resources: 16+ CPU, 32+ GB RAM\n- SurrealDB cluster for orchestrator HA\n- PostgreSQL HA for control-center\n- Full RBAC and MFA required\n- 3+ replicas per service\n- Full monitoring and audit logging\n- Logging: info level with detailed audit\n\n## Validation\n\nValidate configuration before using:\n\n`\n# Type check with Nickel\nnickel typecheck orchestrator-config.toml.ncl\n\n# Export and validate TOML syntax\nnickel export --format toml orchestrator-config.toml.ncl | toml-cli validate -\n`\n\n## References\n\n- Orchestrator Configuration Schema\n- Control Center Configuration Schema\n- MCP Server Configuration Schema\n- Nickel Language\n- TOML Format