# Service Configuration Templates

Nickel-based configuration templates that export to TOML format for provisioning platform services.

## Overview

This directory contains Nickel templates that generate TOML configuration files for the provisioning platform services:

- **orchestrator-config.toml.ncl** - Workflow engine configuration
- **control-center-config.toml.ncl** - Policy and RBAC management configuration
- **mcp-server-config.toml.ncl** - Model Context Protocol server configuration

These templates support all four deployment modes:

- **solo**: Single developer, minimal configuration
- **multiuser**: Team collaboration with full features
- **cicd**: CI/CD pipelines with ephemeral configuration
- **enterprise**: Production with advanced security and monitoring

## Templates

### orchestrator-config.toml.ncl

Orchestrator workflow engine configuration with sections for:

- **Workspace**: Workspace name, path, and multi-workspace support
- **Server**: HTTP server configuration (host, port, workers)
- **Storage**: Backend selection (filesystem, SurrealDB embedded, SurrealDB server)
- **Queue**: Task concurrency, retries, timeouts, dead-letter queue
- **Batch**: Parallel limits, operation timeouts, checkpointing, rollback
- **Monitoring**: Metrics collection, health checks, resource tracking
- **Logging**: Log levels, outputs, rotation
- **Security**: JWT auth, CORS, TLS, rate limiting
- **Extensions**: Auto-loading from OCI registry
- **Database**: Connection pooling for non-filesystem storage
- **Features**: Feature flags for experimental functionality

**Key Parameters**:

- `max_concurrent_tasks`: 1-100 (constrained)
- `batch.parallel_limit`: 1-50 (constrained)
- Storage backend: filesystem, surrealdb_server, surrealdb_cluster
- Logging format: json or text

### control-center-config.toml.ncl

Control Center policy and RBAC management configuration with sections for:

- **Server**: HTTP server configuration
- **Database**: Backend selection (RocksDB, PostgreSQL, PostgreSQL HA)
- **Auth**: JWT, OAuth2, LDAP authentication methods
- **RBAC**: Role-based access control with roles and permissions
- **MFA**: Multi-factor authentication (TOTP, Email OTP)
- **Policies**: Password policy, session policy, audit, compliance
- **Rate Limiting**: Global and per-user rate limits
- **CORS**: Cross-origin resource sharing configuration
- **TLS**: SSL/TLS configuration
- **Monitoring**: Metrics, health checks, tracing
- **Logging**: Log outputs and rotation
- **Orchestrator Integration**: Connection to orchestrator service
- **Features**: Feature flags

**Key Parameters**:

- `database.backend`: rocksdb, postgres, postgres_ha
- `mfa.required`: false for solo/multiuser, true for enterprise
- `policies.password.min_length`: 12
- `policies.compliance`: SOC2, HIPAA support

### mcp-server-config.toml.ncl

Model Context Protocol server configuration for AI/LLM integration with sections for:

- **Server**: HTTP/Stdio protocol configuration
- **Capabilities**: Tools, resources, prompts, sampling
- **Tools**: Tool categories and configurations (orchestrator, provisioning, workspace)
- **Resources**: File system, database, external API resources
- **Prompts**: System prompts and user prompt configuration
- **Integration**: Orchestrator, Control Center, Claude API integration
- **Security**: Authentication, authorization, rate limiting, input validation
- **Monitoring**: Metrics, health checks, audit logging
- **Logging**: Log outputs and configuration
- **Features**: Feature flags
- **Performance**: Thread pools, timeouts, caching

**Key Parameters**:

- `server.protocol`: stdio (process-based) or http (network-based)
- `capabilities.tools.enabled`: true/false
- `capabilities.resources.max_size`: 1GB default
- `integration.claude.model`: claude-3-opus (latest)

## Usage

### Exporting to TOML

Each template exports to TOML format:

```bash
# Export orchestrator configuration
nickel export --format toml orchestrator-config.toml.ncl > orchestrator.toml

# Export control-center configuration
nickel export --format toml control-center-config.toml.ncl > control-center.toml

# Export MCP server configuration
nickel export --format toml mcp-server-config.toml.ncl > mcp-server.toml
```

### Mode-Specific Configuration

Override configuration values based on deployment mode using environment variables or configuration layering:

```bash
# Export solo mode configuration
ORCHESTRATOR_MODE=solo nickel export --format toml orchestrator-config.toml.ncl > orchestrator.solo.toml

# Export enterprise mode with full features
ORCHESTRATOR_MODE=enterprise nickel export --format toml orchestrator-config.toml.ncl > orchestrator.enterprise.toml
```

### Integration with Rust Services

Rust services load TOML configuration in this order (high to low priority):

1. **Environment Variables** - `ORCHESTRATOR_*`, `CONTROL_CENTER_*`, `MCP_*`
2. **User Configuration** - `~/.config/provisioning/user_config.toml`
3. **Mode-Specific Config** - `provisioning/platform/config/{service}.{mode}.toml`
4. **Default Configuration** - `provisioning/platform/config/{service}.defaults.toml`

Example loading in Rust (using the `config` and `serde` crates; the structs mirror the `[server]` section shown below):

```rust
use config::{Config, ConfigError, Environment, File};
use serde::Deserialize;

// Typed view of the exported TOML; extend it with one struct per section.
#[derive(Debug, Deserialize)]
pub struct ServerConfig {
    pub host: String,
    pub port: u16,
    pub workers: usize,
}
#[derive(Debug, Deserialize)]
pub struct OrchestratorConfig {
    pub server: ServerConfig,
}

pub fn load_config(mode: &str) -> Result<OrchestratorConfig, ConfigError> {
    let config_path = format!("provisioning/platform/config/orchestrator.{}.toml", mode);
    // Later sources override earlier ones (defaults < mode file < ORCHESTRATOR_* env); the user config layer is added the same way.
    Config::builder()
        .add_source(File::with_name("provisioning/platform/config/orchestrator.defaults"))
        .add_source(File::with_name(&config_path).required(false))
        .add_source(Environment::with_prefix("ORCHESTRATOR"))
        .build()?
        .try_deserialize()
}
```

## Configuration Sections

### Server Configuration (All Services)

```toml
[server]
host = "0.0.0.0"
port = 9090
workers = 4
keep_alive = 75
max_connections = 512
```

### Database Configuration (Control Center)

**RocksDB** (solo, cicd modes):

```toml
[database]
backend = "rocksdb"

[database.rocksdb]
path = "/var/lib/provisioning/control-center/db"
cache_size = "256MB"
max_open_files = 1000
compression = "snappy"
```

**PostgreSQL** (multiuser, enterprise modes):

```toml
[database]
backend = "postgres"

[database.postgres]
host = "postgres.provisioning.svc.cluster.local"
port = 5432
database = "provisioning"
user = "provisioning"
password = "${DB_PASSWORD}"
ssl_mode = "require"
```

### Storage Configuration (Orchestrator)

**Filesystem** (solo, cicd modes):

```toml
[storage]
backend = "filesystem"
path = "/var/lib/provisioning/orchestrator/data"
```

**SurrealDB Server** (multiuser mode):

```toml
[storage]
backend = "surrealdb_server"
surrealdb_url = "surrealdb://surrealdb:8000"
surrealdb_namespace = "provisioning"
surrealdb_database = "orchestrator"
```

**SurrealDB Cluster** (enterprise mode):

```toml
[storage]
backend = "surrealdb_cluster"
surrealdb_url = "surrealdb://surrealdb-cluster.provisioning.svc.cluster.local:8000"
surrealdb_namespace = "provisioning"
surrealdb_database = "orchestrator"
```

### RBAC Configuration (Control Center)

```toml
[rbac]
enabled = true
default_role = "viewer"

[rbac.roles.admin]
description = "Administrator with full access"
permissions = ["*"]

[rbac.roles.operator]
description = "Operator managing orchestrator"
permissions = ["orchestrator.view", "orchestrator.execute"]
```

### Queue Configuration (Orchestrator)

```toml
[queue]
max_concurrent_tasks = 50
retry_attempts = 3
retry_delay = 5000
task_timeout = 3600000

[queue.deadletter_queue]
enabled = true
max_messages = 1000
retention_period = 86400
```

### Logging Configuration (All Services)

```toml
[logging]
level = "info"
format = "json"

[[logging.outputs]]
destination = "stdout"
level = "info"

[[logging.outputs]]
destination = "file"
path = "/var/log/provisioning/orchestrator/orchestrator.log"
level = "debug"

[logging.outputs.rotation]
max_size = "100MB"
max_backups = 10
max_age = 30
```

### Monitoring Configuration (All Services)

```toml
[monitoring]
enabled = true

[monitoring.metrics]
enabled = true
interval = 30
export_format = "prometheus"

[monitoring.health_check]
enabled = true
interval = 30
timeout = 10
```

### Security Configuration (All Services)

```toml
[security.auth]
enabled = true
method = "jwt"
jwt_secret = "${JWT_SECRET}"
jwt_issuer = "provisioning.local"
jwt_audience = "orchestrator"
token_expiration = 3600

[security.cors]
enabled = true
allowed_origins = ["https://control-center:8080"]
allowed_methods = ["GET", "POST", "PUT", "DELETE"]

[security.rate_limit]
enabled = true
requests_per_second = 1000
burst_size = 100
```

## Environment Variables

All sensitive values should be provided via environment variables:

```bash
# Secrets
export JWT_SECRET="your-jwt-secret-here"
export DB_PASSWORD="your-database-password"
export ORCHESTRATOR_TOKEN="your-orchestrator-token"
export CONTROL_CENTER_TOKEN="your-control-center-token"
export CLAUDE_API_KEY="your-claude-api-key"

# Service URLs (if different from defaults)
export ORCHESTRATOR_URL="http://orchestrator:9090"
export CONTROL_CENTER_URL="http://control-center:8080"

# Mode selection
export PROVISIONING_MODE="enterprise"
```

## Mode-Specific Overrides

### Solo Mode

- Minimal resources: 2 CPU, 4GB RAM
- Filesystem storage for orchestrator
- RocksDB for control-center
- No MFA required
- Single replica deployments
- Logging: info level

### MultiUser Mode

- Moderate resources: 4 CPU, 8GB RAM
- SurrealDB server for orchestrator
- PostgreSQL for control-center
- RBAC enabled
- 1 replica per service
- Logging: debug level

### CI/CD Mode

- Stateless configuration
- Ephemeral storage (no persistence)
- API-driven (minimal UI)
- No MFA required
- 1 replica per service
- Logging: warn level (minimal)

### Enterprise Mode

- High resources: 16+ CPU, 32+ GB RAM
- SurrealDB cluster for orchestrator HA
- PostgreSQL HA for control-center
- Full RBAC and MFA required
- 3+ replicas per service
- Full monitoring and audit logging
- Logging: info level with detailed audit

## Validation

Validate configuration before use:

```bash
# Type check with Nickel
nickel typecheck orchestrator-config.toml.ncl

# Export and validate TOML syntax
nickel export --format toml orchestrator-config.toml.ncl | toml-cli validate -
```

## References

- [Orchestrator Configuration Schema](../../schemas/orchestrator.ncl)
- [Control Center Configuration Schema](../../schemas/control-center.ncl)
- [MCP Server Configuration Schema](../../schemas/mcp-server.ncl)
- [Nickel Language](https://nickel-lang.org/)
- [TOML Format](https://toml.io/)
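## Policy Check Example

The Validation section above covers syntax only. The following is an added example (not part of this repository) of a stand-alone script that checks an exported TOML against the security invariants this README states: secrets must be `${VAR}` references rather than literals, `mfa.required` must be true in enterprise mode, `policies.password.min_length` is 12, and the constrained orchestrator ranges hold. The sample TOML is constructed for the example; the key paths are the ones documented above.

```python
try:
    import tomllib  # stdlib on Python 3.11+
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib

# Constructed sample of a control-center export with two deliberate faults: a literal DB password and MFA off.
SAMPLE_TOML = """
[database.postgres]
password = "hunter2"
[security.auth]
enabled = true
jwt_secret = "${JWT_SECRET}"
[mfa]
required = false
[policies.password]
min_length = 12
"""

def lookup(cfg, dotted):
    """Return the value at a dotted key path, or None when absent."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def check_config(cfg, mode):
    """Return findings for cfg under deployment mode; an empty list means it passes."""
    findings = []
    # Secrets must be ${VAR} references resolved from the environment, never literals.
    for key in ("security.auth.jwt_secret", "database.postgres.password"):
        val = lookup(cfg, key)
        if isinstance(val, str) and not (val.startswith("${") and val.endswith("}")):
            findings.append(f"{key}: literal secret; use ${{VAR}} and set it in the environment")
    if mode == "enterprise" and lookup(cfg, "mfa.required") is not True:
        findings.append("mfa.required must be true in enterprise mode")
    min_len = lookup(cfg, "policies.password.min_length")
    if min_len is not None and min_len < 12:
        findings.append(f"policies.password.min_length is {min_len}; policy requires 12")
    # Constrained orchestrator parameters from the documented ranges.
    for key, lo, hi in (("queue.max_concurrent_tasks", 1, 100), ("batch.parallel_limit", 1, 50)):
        val = lookup(cfg, key)
        if val is not None and not lo <= val <= hi:
            findings.append(f"{key}={val} is outside the allowed range {lo}-{hi}")
    return findings

def check_toml_text(text, mode):
    """Parse an exported TOML document and run the mode checks on it."""
    return check_config(tomllib.loads(text), mode)
```

Run it on `nickel export --format toml ... | python check.py` output in CI, failing the pipeline when the findings list is non-empty.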