provisioning/schemas/infrastructure/README.md

# Infrastructure Schemas

This directory contains Nickel type-safe schemas for infrastructure configuration generation.

## Overview

These schemas provide type contracts and validation for multi-format infrastructure configuration generation:

- **Docker Compose** (`docker-compose.ncl`) - Container orchestration via Docker Compose
- **Kubernetes** (`kubernetes.ncl`) - Kubernetes manifest generation (Deployments, Services, ConfigMaps)
- **Nginx** (`nginx.ncl`) - Reverse proxy and load balancer configuration
- **Prometheus** (`prometheus.ncl`) - Metrics collection and monitoring
- **Systemd** (`systemd.ncl`) - System service units for standalone deployments
- **OCI Registry** (`oci-registry.ncl`) - Container registry backend configuration (Zot, Distribution, Harbor)

## Key Features

### 1. Mode-Based Presets

Each schema includes presets for different deployment modes:

- **solo**: Single-node deployments (minimal resources)
- **multiuser**: Staging/small production (2 replicas, HA)
- **enterprise**: Large-scale production (3+ replicas, distributed storage)
- **cicd**: CI/CD pipeline deployments

### 2. Type Safety

```bash
# All fields are strongly typed with validation
ResourceLimits = {
  cpus | String,               # Type: string
  memory | String,
},

# Enum validation
ServiceType = [| 'ClusterIP, 'NodePort, 'LoadBalancer |],

# Numeric range validation
Port = Number | {
  predicate = fun n => n > 0 && n < 65536,
}
```

### 3. Export Formats

Schemas export to multiple formats:

```bash
# Export as YAML (K8s, Docker Compose)
nickel export --format yaml provisioning/schemas/infrastructure/kubernetes.ncl

# Export as JSON (OCI Registry, Prometheus configs)
nickel export --format json provisioning/schemas/infrastructure/oci-registry.ncl

# Export as TOML (systemd, Nginx)
nickel export --format toml provisioning/schemas/infrastructure/systemd.ncl
```

## Single Source of Truth Pattern

Define service configuration once, generate multiple infrastructure outputs:

```toml
orchestrator.ncl (Platform Service Schema)
    ↓
Infrastructure Schemas (Docker, Kubernetes, Nginx, etc.)
    ↓
[Multiple Outputs]
├─→ docker-compose.yaml
├─→ kubernetes/deployment.yaml
├─→ nginx.conf
├─→ prometheus.yml
└─→ systemd/orchestrator.service
```

### Example: Service Port Definition

```bash
# Platform service schema (provisioning/schemas/platform/schemas/orchestrator.ncl)
server = {
  port | Number,  # Define port once
}

# Used in Docker Compose
docker-compose = {
  services.orchestrator = {
    ports = ["%{orchestrator.server.port}:8080"],
  }
}

# Used in Kubernetes
kubernetes = {
  containers.ports = [{
    containerPort = orchestrator.server.port,
  }]
}

# Used in Nginx
nginx = {
  upstreams.orchestrator.servers = [{
    address = "orchestrator:%{orchestrator.server.port}",
  }]
}
```

**Benefit**: Change port in one place, all infrastructure configs update automatically.

## Validation Before Deployment

```bash
# Type check schema
nickel typecheck provisioning/schemas/infrastructure/docker-compose.ncl

# Validate export
nickel export --format json provisioning/schemas/infrastructure/kubernetes.ncl 
  | jq .  # Validate JSON structure

# Check generated YAML
nickel export --format yaml provisioning/schemas/infrastructure/kubernetes.ncl 
  | kubectl apply --dry-run=client -f -
```

## File Structure

```bash
infrastructure/
├── README.md                        # This file
├── docker-compose.ncl               # Docker Compose schema (232 lines)
├── kubernetes.ncl                   # Kubernetes manifests (376 lines)
├── nginx.ncl                        # Nginx configuration (233 lines)
├── prometheus.ncl                   # Prometheus configuration (280 lines)
├── systemd.ncl                      # Systemd service units (235 lines)
└── oci-registry.ncl                 # OCI Registry configuration (221 lines)
```

**Total**: 1,577 lines of type-safe infrastructure schemas

## Usage Patterns

### 1. Generate Solo Mode Infrastructure

```bash
# Export docker-compose for solo deployment
nickel export --format yaml provisioning/schemas/infrastructure/docker-compose.ncl 
  | tee provisioning/platform/infrastructure/docker/docker-compose.solo.yaml

# Validate with Docker
docker-compose -f docker-compose.solo.yaml config --quiet
```

### 2. Generate Enterprise HA Kubernetes

```yaml
# Export Kubernetes manifests
nickel export --format yaml provisioning/schemas/infrastructure/kubernetes.ncl 
  > provisioning/platform/infrastructure/kubernetes/deployment.yaml

# Validate and apply
kubectl apply --dry-run=client -f deployment.yaml
kubectl apply -f deployment.yaml
```

### 3. Generate Monitoring Stack

```bash
# Prometheus configuration
nickel export --format yaml provisioning/schemas/infrastructure/prometheus.ncl 
  > provisioning/platform/infrastructure/prometheus/prometheus.yml

# Validate Prometheus config
promtool check config provisioning/platform/infrastructure/prometheus/prometheus.yml
```

### 4. Auto-Generate Infrastructure from Service Schemas

```bash
# Composition function: generate Docker Compose from service port
let service = import "../platform/schemas/orchestrator.ncl" in
{
  services.orchestrator = {
    image = "provisioning/orchestrator:latest",
    ports = ["%{service.server.port}:8080"],
    deploy.resources.limits = service.deploy.resources.limits,
  }
}
```

## Documentation

### Inline Schema Documentation

Each schema field includes inline documentation (via `| doc`):

```bash
field | Type | doc "description" | default = value
```

**Important**: With Nickel, `| doc` must come BEFORE `| default`:

```nickel
✅ CORRECT:   cpus | String | doc "CPU limit" | default = "2.0"
❌ INCORRECT: cpus | String | default = "2.0" | doc "CPU limit"
```

For details, see `.claude/guidelines/nickel.md`

## Validation Rules

### Docker Compose

- ✅ Valid service names, port ranges
- ✅ Resource limits: CPU and memory strings
- ✅ Health check configuration
- ✅ Environment variables typed as strings

### Kubernetes

- ✅ Valid API versions (apps/v1, v1)
- ✅ Container resource requests/limits
- ✅ Valid restart policies (Always, OnFailure, Never)
- ✅ Port ranges (1-65535)

### Nginx

- ✅ Upstream server addresses
- ✅ Rate limiting zones and rules
- ✅ TLS configuration validation
- ✅ Security headers structure

### Prometheus

- ✅ Scrape job configuration
- ✅ Alert manager targets
- ✅ Scrape intervals (duration format)
- ✅ Relabel configuration

### Systemd

- ✅ Unit dependencies (after, requires, wants)
- ✅ Resource limits (CPU quota, memory)
- ✅ Restart policies
- ✅ Service types (simple, forking, oneshot, etc.)

### OCI Registry

- ✅ Registry backends (Zot, Distribution, Harbor)
- ✅ Storage backend selection (filesystem, S3, Azure)
- ✅ Authentication methods (none, basic, bearer, OIDC)
- ✅ Access control policies

## Deployment Examples

Two comprehensive infrastructure examples are provided demonstrating solo and enterprise configurations:

### Solo Deployment Example

**File**: `examples-solo-deployment.ncl`

Minimal single-node setup for development/testing:

```bash
# Exports 4 infrastructure components
docker_compose_services  # 5 services: orchestrator, control-center, coredns, kms, oci_registry
nginx_config             # Simple upstream routing to localhost services
prometheus_config        # 4 scrape jobs for basic monitoring
oci_registry_config      # Zot backend with filesystem storage
```

**Resource Allocation**:
- Orchestrator: 1.0 CPU, 1024M RAM
- Control Center: 0.5 CPU, 512M RAM
- Other services: 0.25-0.5 CPU, 256-512M RAM

**Export to JSON**:

```bash
nickel export --format json provisioning/schemas/infrastructure/examples-solo-deployment.ncl
# Output: 198 lines of configuration
```

### Enterprise Deployment Example

**File**: `examples-enterprise-deployment.ncl`

High-availability production-grade deployment:

```bash
# Exports 4 infrastructure components (HA versions)
docker_compose_services  # 6 services with 3 replicas for HA
nginx_config             # Multiple upstreams with rate limiting and failover
prometheus_config        # 7 scrape jobs with remote storage
oci_registry_config      # Harbor backend with S3 replication
```

**Resource Allocation**:
- Orchestrator: 4.0 CPU, 4096M RAM (3 replicas)
- Control Center: 2.0 CPU, 2048M RAM (HA)
- Services scale appropriately for production load

**Export to JSON**:

```bash
nickel export --format json provisioning/schemas/infrastructure/examples-enterprise-deployment.ncl
# Output: 313 lines of configuration
```

### Example Comparison

| Aspect | Solo | Enterprise |
| -------- | ------ | ----------- |
| **Services** | 5 | 6 |
| **Orchestrator CPU** | 1.0 | 4.0 |
| **Orchestrator Memory** | 1024M | 4096M |
| **Prometheus Jobs** | 4 | 7 |
| **Registry Backend** | Zot | Harbor |
| **Use Case** | Dev/Testing | Production |
| **JSON Size** | 198 lines | 313 lines |

### Validation Results

Both examples have been tested and validated:

✅ **Solo Deployment** (`examples-solo-deployment.ncl`):
- Type-checks without errors
- Exports to valid JSON (198 lines)
- All resource limits validated
- Port range validation: 8080, 9090, 5432, 53
- JSON structure: docker_compose_services, nginx_config, prometheus_config, oci_registry_config

✅ **Enterprise Deployment** (`examples-enterprise-deployment.ncl`):
- Type-checks without errors
- Exports to valid JSON (313 lines)
- HA configuration with 3 replicas
- Enhanced monitoring: 7 vs 4 scrape jobs
- Distributed storage backend (Harbor vs Zot)
- Full JSON structure validated with jq

## Automation Scripts

Generate all infrastructure configs in one command:

```toml
# Generate all formats for all modes
provisioning/platform/scripts/generate-infrastructure-configs.nu

# Generate specific mode/format
provisioning/platform/scripts/generate-infrastructure-configs.nu --mode solo --format yaml

# Specify output directory
provisioning/platform/scripts/generate-infrastructure-configs.nu --output-dir /tmp/infra
```

See `provisioning/platform/scripts/generate-infrastructure-configs.nu` for implementation details.

## Validation and Testing

### Test Generated Configs

```toml
# Export solo deployment
nickel export --format json provisioning/schemas/infrastructure/examples-solo-deployment.ncl 
  > solo-infra.json

# Validate JSON structure
jq . solo-infra.json

# Inspect specific component (Docker Compose services)
jq '.docker_compose_services | keys' solo-infra.json

# Check resource allocation
jq '.docker_compose_services.orchestrator.deploy.resources.limits' solo-infra.json
```

### Validate with Docker/Kubectl

```bash
# Export and validate Docker Compose
nickel export --format yaml examples-solo-deployment.ncl 
  | docker-compose config --quiet

# Validate Kubernetes (if applicable)
nickel export --format yaml examples-enterprise-deployment.ncl 
  | kubectl apply --dry-run=client -f -

# Validate Prometheus config
nickel export --format yaml prometheus.ncl 
  | promtool check config -
```

## Integration with ConfigLoader

Infrastructure schemas are independent from platform config schemas:

- **Platform configs** → Service-specific settings (port, timeouts, auth)
- **Infrastructure schemas** → Deployment-specific settings (replicas, resources, networking)

ConfigLoader automatically loads platform configs. Infrastructure configs are generated separately and deployed via infrastructure tools:

```toml
Platform Schema (Nickel)
    ↓ nickel export → TOML
    ↓ ConfigLoader → Service reads config

Infrastructure Schema (Nickel)
    ↓ nickel export → YAML/JSON
    ↓ Docker/Kubernetes/Nginx CLI
```

## Next Steps

1. **Use these schemas** in your infrastructure-as-code pipeline
2. **Generate configs** with the automation script
3. **Validate** before deployment using format-specific tools
4. **Maintain single source of truth** by updating schemas, not generated files

---

**Version**: 1.1.0 (Infrastructure Examples & Validation Added)
**Total Schemas**: 6 core files, 1,577 lines
**Deployment Examples**: 2 files, 54 lines (solo + enterprise)
**Validated**: All schemas and examples pass type-checking and export validation
**Last Updated**: 2025-01-06
**Nickel Version**: Latest