- Remove KCL ecosystem (~220 files deleted) - Migrate all infrastructure to Nickel schema system - Consolidate documentation: legacy docs → provisioning/docs/src/ - Add CI/CD workflows (.github/) and Rust build config (.cargo/) - Update core system for Nickel schema parsing - Update README.md and CHANGES.md for v5.0.0 release - Fix pre-commit hooks: end-of-file, trailing-whitespace - Breaking changes: KCL workspaces require migration - Migration bridge available in docs/src/development/
# Control Center Service Configuration - TOML Export
#
# Generates TOML configuration for Control Center service
# Supports 4 deployment modes: solo, multiuser, cicd, enterprise
#
# Usage:
#   nickel export --format toml control-center-config.toml.ncl > control-center.toml
#
# NOTE(review): Nickel string interpolation is "%{...}", not "${...}", so every
# "${VAR}" value below reaches the exported TOML as literal text. Presumably the
# Control Center service expands these from its environment at load time —
# confirm, and confirm it refuses to start when a required variable (JWT_SECRET
# at minimum) is unset rather than running with the placeholder string.
#
# The "Mode-specific overrides" comments record what each deployment mode is
# expected to set; nothing in this file applies them, so the exported TOML
# always carries the literal defaults written here.

{
  # Server Configuration
  server = {
    # 0.0.0.0 binds every interface. tls.enabled is false below, so unless a
    # TLS-terminating reverse proxy fronts this port the API is served in
    # plaintext on all interfaces. Restrict host or enable tls when the
    # process is reachable directly.
    host = "0.0.0.0",
    port = 8080,
    workers = 4,
    keep_alive = 75,          # unit not stated; presumably seconds — confirm
    max_connections = 512,
  },

  # Database Configuration
  database = {
    # Mode-specific overrides:
    # - solo: "rocksdb"
    # - multiuser: "postgres"
    # - cicd: "rocksdb" (in-memory)
    # - enterprise: "postgres_ha"
    backend = "rocksdb",

    # RocksDB configuration (solo, cicd modes)
    rocksdb = {
      # Local on-disk state; restrict filesystem permissions on this path to
      # the service account — the user, session and audit data live here.
      path = "/var/lib/provisioning/control-center/db",
      cache_size = "256MB",
      max_open_files = 1000,
      compression = "snappy",
    },

    # PostgreSQL configuration (multiuser, enterprise modes)
    # Left commented out; when enabled, keep ssl_mode = "require" (or
    # stricter) so credentials and data do not cross the network in clear.
    # postgres = {
    #   host = "localhost",
    #   port = 5432,
    #   database = "provisioning",
    #   user = "provisioning",
    #   password = "${DB_PASSWORD}",
    #   ssl_mode = "require",
    #   pool = {
    #     min_size = 5,
    #     max_size = 20,
    #     idle_timeout = 300,
    #   },
    # },
  },

  # Authentication Configuration
  auth = {
    enabled = true,

    # JWT configuration
    jwt = {
      issuer = "provisioning.local",
      audience = "control-center",
      # Placeholder expanded outside Nickel (see header note). HS256 is a
      # symmetric HMAC: every component that verifies these tokens holds the
      # same secret, so it must be long, random and never committed.
      secret = "${JWT_SECRET}",
      algorithm = "HS256",
      expiration = 3600, # seconds (1 hour)
      refresh_token_expiration = 604800, # seconds (7 days)
    },

    # OAUTH2 configuration (optional)
    oauth2 = {
      enabled = false,
      # provider = "google",
      # client_id = "${OAUTH_CLIENT_ID}",
      # client_secret = "${OAUTH_CLIENT_SECRET}",
    },

    # LDAP configuration (optional)
    # The commented example uses plain ldap://; prefer ldaps:// or StartTLS
    # when this is enabled so the bind password is not sent in clear.
    ldap = {
      enabled = false,
      # server_url = "ldap://localhost:389",
      # bind_dn = "cn=admin,dc=example,dc=com",
      # bind_password = "${LDAP_PASSWORD}",
    },
  },

  # RBAC (Role-Based Access Control)
  rbac = {
    enabled = true,

    # Default roles
    # Role granted when none is assigned explicitly; "viewer" is the
    # least-privileged role defined below (least privilege by default).
    default_role = "viewer",

    # Roles definition
    roles = {
      admin = {
        description = "Administrator with full access",
        # Wildcard: matches every key in the permissions map, including
        # users.manage and policies.manage, which no other role carries.
        permissions = ["*"],
      },
      operator = {
        description = "Operator managing orchestrator",
        permissions = [
          "orchestrator.view",
          "orchestrator.execute",
          "orchestrator.manage",
        ],
      },
      viewer = {
        description = "Read-only access",
        permissions = [
          "orchestrator.view",
          "policies.view",
        ],
      },
    },

    # Permission mapping
    # Human-readable description per permission key. policies.manage,
    # users.manage and audit.view are only reachable through admin's "*";
    # assign them explicitly if a narrower role should hold them.
    permissions = {
      "orchestrator.view" = "List and view orchestrator workflows",
      "orchestrator.execute" = "Execute and manage tasks",
      "orchestrator.manage" = "Configure orchestrator settings",
      "policies.view" = "View security policies",
      "policies.manage" = "Edit security policies",
      "users.manage" = "Manage users and roles",
      "audit.view" = "View audit logs",
    },
  },

  # Multi-Factor Authentication (MFA)
  mfa = {
    # Mode-specific overrides:
    # - solo: false
    # - multiuser: false
    # - cicd: false
    # - enterprise: true
    # Exported value is false; this file does not apply the overrides above.
    required = false,

    # MFA methods
    methods = ["totp", "email"],

    # TOTP configuration
    totp = {
      enabled = true,
      issuer = "Provisioning",
      # SHA1 / 6 digits / 30 s are the RFC 6238 defaults that authenticator
      # apps expect; SHA1 inside HMAC-TOTP is not a known weakness here.
      algorithm = "SHA1",
      digits = 6,
      period = 30,
    },

    # Email OTP configuration
    email = {
      enabled = true,
      expiration = 300, # seconds (5 minutes)
    },
  },

  # Policies and Compliance
  policies = {
    # Password policy
    password = {
      min_length = 12,
      require_uppercase = true,
      require_lowercase = true,
      require_digits = true,
      require_special_chars = true,
      # NOTE(review): forced periodic rotation is discouraged by current
      # guidance (e.g. NIST SP 800-63B) unless compromise is suspected;
      # keep only if a compliance regime requires it.
      expiration_days = 90,
      history_count = 5, # Cannot reuse last N passwords
    },

    # Session policy
    session = {
      max_duration = 86400, # seconds (24 hours)
      idle_timeout = 1800, # seconds (30 minutes)
      max_concurrent = 5, # Max concurrent sessions per user
    },

    # Audit policy
    audit = {
      enabled = true,
      log_all_api_calls = true,
      log_user_actions = true,
      log_rbac_changes = true,
      retention_days = 90,
    },

    # Compliance
    compliance = {
      # SOC2 compliance
      soc2 = {
        enabled = false,
        log_all_access = false,
        require_mfa = false,
      },

      # HIPAA compliance
      hipaa = {
        enabled = false,
        encryption_required = true,
        audit_required = true,
      },
    },
  },

  # Rate Limiting
  rate_limit = {
    enabled = true,
    global = {
      requests_per_second = 1000,
      # burst_size is smaller than the per-second rate here and below;
      # semantics of burst_size relative to requests_per_second are not
      # stated in this file — confirm against the limiter implementation.
      burst_size = 100,
    },
    per_user = {
      requests_per_second = 100,
      burst_size = 20,
    },
  },

  # CORS Configuration
  cors = {
    enabled = true,
    # https://localhost:3000 looks like a development origin; consider
    # dropping it from production exports so only the real UI origin is
    # allowed to make credentialed cross-origin calls.
    allowed_origins = ["https://localhost:3000", "https://control-center.example.com"],
    allowed_methods = ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
    allowed_headers = ["Content-Type", "Authorization"],
    expose_headers = ["X-Request-ID", "X-Total-Count"],
    max_age = 86400, # seconds a browser may cache the preflight response
  },

  # TLS/SSL Configuration
  tls = {
    # See server.host: with this off, the listener is plaintext.
    enabled = false, # Typically behind reverse proxy
    cert_path = "/etc/provisioning/certs/cert.pem",
    # Private key; keep readable only by the service account.
    key_path = "/etc/provisioning/certs/key.pem",
    min_version = "TLSv1.2",
  },

  # Monitoring and Observability
  monitoring = {
    enabled = true,

    # Metrics
    metrics = {
      enabled = true,
      interval = 30, # seconds
      export_format = "prometheus",
    },

    # Health checks
    health_check = {
      enabled = true,
      interval = 30,      # unit not stated; presumably seconds — confirm
      timeout = 10,       # unit not stated; presumably seconds — confirm
    },

    # Tracing
    tracing = {
      enabled = false,
      sample_rate = 0.1,  # fraction of requests traced (0.0–1.0)
    },
  },

  # Logging Configuration
  logging = {
    level = "info",
    format = "json",
    outputs = [
      {
        destination = "stdout",
        level = "info",
      },
      {
        destination = "file",
        path = "/var/log/provisioning/control-center/control-center.log",
        # File sink runs at debug while stdout stays at info. Whether debug
        # output can include tokens or credentials is not visible here —
        # confirm before enabling on a shared host, and restrict the file's
        # permissions to the service account.
        level = "debug",
        rotation = {
          max_size = "100MB",
          max_backups = 10,
          max_age = 30,     # unit not stated; presumably days — confirm
        },
      },
    ],
  },

  # Integration with Orchestrator
  orchestrator = {
    # Plain http to an internal hostname; assumes a trusted network segment
    # between the two services. Switch to https if that does not hold.
    url = "http://orchestrator:9090",
    timeout = 30, # seconds
    retry = {
      max_attempts = 3,
      # Backoff units are not stated; presumably milliseconds — confirm.
      initial_backoff = 100,
      max_backoff = 30000,
    },
  },

  # Feature Flags
  features = {
    enable_audit_logging = true,
    enable_policy_enforcement = true,
    enable_experimental_ui = false,
  },
}