provisioning/schemas/deployment/modes/base/defaults.ncl

# Modes Base Defaults
# Default values for common mode configurations

{
  # Common authentication defaults
  no_auth = {
    auth_type = 'none,
    ssh_key_storage = 'local,
  },

  token_auth = {
    auth_type = 'token,
    token_config = {
      token_path = "~/.provisioning/tokens/auth",
      token_format = 'jwt,
      expiry_seconds = 86400,
      refresh_enabled = true,
    },
    ssh_key_storage = 'local,
  },

  mtls_auth = {
    auth_type = 'mtls,
    mtls_config = {
      client_cert_path = "/etc/provisioning/certs/client.crt",
      client_key_path = "/etc/provisioning/certs/client.key",
      ca_cert_path = "/etc/provisioning/certs/ca.crt",
      verify_server = true,
    },
    ssh_key_storage = 'kms,
  },

  # Common workspace policies
  no_locking = {
    locking = 'disabled,
    git_integration = 'optional,
    isolation = 'none,
  },

  user_locking = {
    locking = 'enabled,
    lock_provider = 'gitea,
    git_integration = 'required,
    isolation = 'user,
    max_workspaces_per_user = 5,
  },

  strict_locking = {
    locking = 'required,
    lock_provider = 'etcd,
    git_integration = 'required,
    isolation = 'strict,
    max_workspaces_per_user = 3,
  },

  # Common security configs
  minimal_security = {
    encryption_at_rest = false,
    encryption_in_transit = false,
    secret_provider = {
      provider = "sops",
    },
    dns_modification = 'none,
    audit_logging = false,
    network_isolation = false,
  },

  standard_security = {
    encryption_at_rest = false,
    encryption_in_transit = true,
    secret_provider = {
      provider = "sops",
    },
    dns_modification = 'coredns,
    audit_logging = true,
    audit_log_path = "/var/log/provisioning/audit.log",
    network_isolation = false,
  },

  strict_security = {
    encryption_at_rest = true,
    encryption_in_transit = true,
    secret_provider = {
      provider = "vault",
    },
    dns_modification = 'system,
    audit_logging = true,
    audit_log_path = "/var/log/provisioning/enterprise-audit.log",
    network_isolation = true,
  },

  # Common extension configs
  local_extensions = {
    source = 'local,
    local_path = "./provisioning/extensions",
    allow_mixed = true,
  },

  oci_extensions = {
    source = 'oci,
    oci_registry = {
      enabled = true,
      endpoint = "harbor.company.local",
      namespace = "provisioning-extensions",
      auth_token_path = "~/.provisioning/tokens/oci",
      tls_enabled = true,
      verify_ssl = true,
      cache_dir = "~/.provisioning/oci-cache",
    },
  },

  # Common resource limits
  dev_limits = {
    max_servers_per_user = 10,
    max_cpu_cores_per_user = 32,
    max_memory_gb_per_user = 128,
    max_storage_gb_per_user = 500,
  },

  prod_limits = {
    max_servers_per_user = 20,
    max_cpu_cores_per_user = 64,
    max_memory_gb_per_user = 256,
    max_storage_gb_per_user = 1000,
    max_total_servers = 500,
    max_total_cpu_cores = 2000,
    max_total_memory_gb = 8192,
  },
}