provisioning/schemas/platform/examples/control-center-multiuser.ncl
# Example: Control Center Configuration - MultiUser Mode (Team Collaboration)
#
# This example shows a control center setup for team collaboration with:
# - PostgreSQL for persistent storage
# - RBAC for team access control
# - JWT authentication for API access
# - Team-friendly security (MFA optional per user, shared workspace)
# - Moderate monitoring for team operations
#
# Security posture of this profile (read before deploying as-is):
# - `server.host` is 0.0.0.0 while `tls.enabled` is false, so the listener is
#   plaintext on every interface. A TLS-terminating reverse proxy MUST front
#   port 8080, or bearer tokens and credentials cross the network in the clear.
# - `auth.mfa.required` is false; only the password policy protects accounts.
# - `cors.allowed_origins` still contains a localhost development origin.
# - `${...}` placeholders are literal strings here (Nickel interpolation is
#   `%{...}`); they are presumably expanded from the environment by the
#   control-center binary at load time - confirm before relying on it. Never
#   replace them with real secrets in a committed config.
#
# Usage:
# nickel export --format toml control-center-multiuser.ncl > control-center.multiuser.toml
# CONTROL_CENTER_CONFIG=control-center.multiuser.toml cargo run --bin control-center
{
# Server Configuration: Team-friendly
server = {
host = "0.0.0.0", # Listen on all interfaces. Combined with tls.enabled = false below this is a plaintext listener; bind to loopback / the pod network if the reverse proxy is co-located.
port = 8080,
workers = 4,
keep_alive = 75,
max_connections = 256, # Moderate connections for team
},
# Database: PostgreSQL for persistent storage
database = {
backend = "postgres",
postgres = {
host = "postgres.provisioning.svc.cluster.local",
port = 5432,
database = "provisioning",
user = "provisioning",
password = "${DB_PASSWORD}", # From environment. Literal placeholder (not Nickel interpolation); keep it a placeholder in version control.
ssl_mode = "require", # If this follows libpq semantics, "require" encrypts but does not verify the server certificate; prefer "verify-full" with a CA bundle where the cluster issues certs.
pool = {
min_size = 5,
max_size = 20,
idle_timeout = 300,
},
},
},
# Authentication: JWT for API access
auth = {
enabled = true,
jwt = {
issuer = "provisioning.team",
audience = "control-center",
secret = "${JWT_SECRET}", # From environment. HS256 is symmetric: anyone holding this value can mint valid tokens. Use a high-entropy random value (>= 32 bytes) and rotate it on suspected exposure.
algorithm = "HS256", # Symmetric HMAC. Every service that must verify tokens needs the same secret; switch to an asymmetric algorithm if verification is ever delegated to other components.
expiration = 28800, # 8 hours for team workday; matches policies.session.max_duration below - keep the two in sync.
refresh_token_expiration = 2592000, # 30 days. A stolen refresh token is usable for a month unless revocation exists server-side - confirm the control-center supports revocation before relying on this lifetime.
},
# OAuth2: Optional Google/GitHub integration
oauth2 = {
enabled = false,
# provider = "github",
# client_id = "${OAUTH_CLIENT_ID}",
# client_secret = "${OAUTH_CLIENT_SECRET}",
},
# LDAP: Optional for enterprise LDAP
# NOTE(review): the template below uses ldap:// on 389, i.e. plaintext. If this
# is ever enabled, use ldaps:// (636) or StartTLS so the bind password and user
# credentials are not sent in the clear.
ldap = {
enabled = false,
# server_url = "ldap://ldap.example.com:389",
# bind_dn = "cn=provisioning,dc=example,dc=com",
# bind_password = "${LDAP_PASSWORD}",
},
},
# RBAC: Team-based access control
# New users land in "viewer" (read-only). Only "admin" can reach
# policies.manage, users.manage and audit.view - via the "*" wildcard; no
# named role grants them explicitly.
rbac = {
enabled = true,
default_role = "viewer",
roles = {
admin = {
description = "Team lead with full access",
permissions = ["*"], # Wildcard: every permission in the catalog below, including users.manage and policies.manage.
},
operator = {
description = "Team member managing orchestrator",
permissions = [
"orchestrator.view",
"orchestrator.execute",
"orchestrator.manage",
"policies.view",
],
},
# Currently identical to "viewer"; kept as a separate role so developer
# permissions can be widened later without touching every team member.
developer = {
description = "Developer with read-only access",
permissions = [
"orchestrator.view",
"policies.view",
],
},
viewer = {
description = "Read-only access for all team members",
permissions = [
"orchestrator.view",
"policies.view",
],
},
},
# Permission catalog: the set of strings a role may reference.
permissions = {
"orchestrator.view" = "List and view orchestrator workflows",
"orchestrator.execute" = "Execute and manage tasks",
"orchestrator.manage" = "Configure orchestrator settings",
"policies.view" = "View security policies",
"policies.manage" = "Edit security policies",
"users.manage" = "Manage team users and roles",
"audit.view" = "View audit logs",
},
},
# MFA: Not required for team (optional per user)
# With required = false a compromised password alone grants access; consider
# requiring MFA at least for accounts holding the "admin" role.
mfa = {
required = false,
methods = ["totp", "email"], # Email codes are the weaker factor (mailbox compromise == factor compromise).
totp = {
enabled = true,
issuer = "Provisioning Team",
algorithm = "SHA1", # HMAC algorithm for TOTP (RFC 6238 default, widest authenticator-app support) - this is not a password hash.
digits = 6,
period = 30,
},
email = {
enabled = true,
expiration = 300, # Code validity in seconds (5 minutes).
},
},
# Policies: Team-appropriate security
policies = {
password = {
min_length = 12,
require_uppercase = true,
require_lowercase = true,
require_digits = true,
require_special_chars = false, # Relax for team usability
expiration_days = 90,
history_count = 3,
},
session = {
max_duration = 28800, # 8 hours (workday); equals auth.jwt.expiration above.
idle_timeout = 3600, # 1 hour
max_concurrent = 3, # Allow multiple sessions per user
},
audit = {
enabled = true,
log_all_api_calls = true, # Full API audit trail. Confirm the control-center redacts Authorization headers and request bodies before this is pointed at shared log storage.
log_user_actions = true,
log_rbac_changes = true,
retention_days = 90,
},
compliance = {
soc2 = {
enabled = false,
},
hipaa = {
enabled = false,
},
},
},
# Rate Limiting: Reasonable for team use
# NOTE(review): burst_size is smaller than requests_per_second in both
# buckets; whether that is meaningful depends on the limiter's semantics -
# verify against the control-center implementation.
rate_limit = {
enabled = true,
global = {
requests_per_second = 1000,
burst_size = 100,
},
per_user = {
requests_per_second = 100,
burst_size = 20,
},
},
# CORS: Team-friendly
cors = {
enabled = true,
allowed_origins = [
"https://localhost:3000", # Local development - remove from any deployed copy; it lets any page served on a developer's localhost:3000 call the API.
"https://control-center.example.com", # Team domain
"https://orchestrator.example.com", # Orchestrator domain
],
allowed_methods = ["GET", "POST", "PUT", "DELETE", "OPTIONS"], # State-changing verbs are allowed cross-origin; the origin allow-list is the only browser-side guard.
allowed_headers = ["Content-Type", "Authorization"],
expose_headers = ["X-Request-ID", "X-Total-Count"],
max_age = 86400, # Preflight cache, 24 hours.
},
# TLS: Optional (usually behind reverse proxy)
tls = {
enabled = false, # Use reverse proxy in production. Without a TLS-terminating proxy in front of server.port, JWTs travel in plaintext.
},
# Monitoring: Team operations
monitoring = {
enabled = true,
metrics = {
enabled = true,
interval = 30,
export_format = "prometheus",
},
health_check = {
enabled = true,
interval = 30,
timeout = 10,
},
tracing = {
enabled = false,
sample_rate = 0.1,
},
},
# Logging: Team operations
logging = {
level = "info",
format = "json",
outputs = [
{
destination = "stdout",
level = "warn",
},
{
destination = "file",
path = "/var/log/provisioning/control-center/control-center.log", # Audit data lands here; restrict directory permissions to the service user.
level = "info",
rotation = {
max_size = "200MB",
max_backups = 15,
max_age = 30,
},
},
],
},
# Orchestrator Integration
orchestrator = {
url = "http://orchestrator:9090", # Plaintext HTTP to the orchestrator. Acceptable only on a trusted cluster network or under a service mesh providing mTLS - confirm which applies.
timeout = 30,
retry = {
max_attempts = 3,
initial_backoff = 100,
max_backoff = 30000,
},
},
# Features: Team-ready
features = {
enable_audit_logging = true,
enable_policy_enforcement = true,
enable_experimental_ui = false,
},
}