
Configuration

Configuration File

The controlplane uses a YAML configuration file (config.yaml) to specify connection details and defaults.

Full Configuration Reference

# Schema reference: every value below is a type placeholder (bool, int, string,
# []string, duration), not a literal setting.
# Secret-bearing fields: auth.admin_key, auth.oidc_client_secret,
# auth.jwt_secret, every `token`, every `client_key` path, and store.postgres_dsn.
debug: bool              # Enable debug mode (default: false)

api:
  # 0.0.0.0 listens on every interface; narrow it when the API should not be
  # reachable from other hosts.
  host: string          # Server host (default: 0.0.0.0)
  port: int             # Server port (default: 8080)
  # List only the exact origins that need browser access to the API; the entry
  # shown is a local development origin.
  cors_origins:         # CORS allowed origins
    - http://localhost:5173
  rate_limit:
    global_per_ip: int  # Requests per minute per IP (default: 500)
    tenant_per_min: int # Requests per minute per tenant (default: 120)

auth:
  # "none" is labelled "Development" on this page; presumably callers are not
  # authenticated in that mode -- confirm before exposing the API.
  mode: string          # Auth mode: "none" | "apikey" | "oidc"
  # Grants platform-wide operations, so treat it as the most sensitive value in
  # this file: long, random, and injected at deploy time rather than committed.
  admin_key: string     # Admin API key for platform-wide operations
  # API key auth options:
  api_key_header: string # Header name for API key (default: X-API-Key)
  # OIDC auth options:
  oidc_issuer: string
  oidc_audience: string
  oidc_client_id: string
  oidc_client_secret: string
  oidc_scopes:
    - openid
    - profile
    - email
  # JWT options:
  # HS256 is a symmetric HMAC: whoever can read this value can also forge
  # tokens. Use a long random secret and keep it out of version control.
  jwt_secret: string    # Secret for signing JWT tokens (HS256)

store:
  backend: string       # State store backend: "memory" | "consul" | "etcd" | "postgres"
  consul:               # Consul KV backend config
    address: string
    token: string
    datacenter: string
    prefix: string      # KV prefix (default: nomad-paas)
  etcd:
    etcd_addrs: []string
    etcd_prefix: string # (default: /nomad-paas)
  # Connection strings commonly embed a password; handle this as a secret.
  postgres_dsn: string  # PostgreSQL connection string
  status_cache_ttl: duration # Cache TTL (default: 10s)

nomad:
  default_strategy: string # Scheduling strategy: "primary" | "round-robin" | "least-loaded"
  clusters:
    - name: string
      address: string
      token: string
      region: string
      cloud: string     # "aws" | "gcp" | "azure" | "bare-metal"
      datacenters: []string
      primary: bool
      tls:
        ca_cert: string
        client_cert: string
        client_key: string
        server_name: string
        # NOTE(review): `insecure` is not described on this page; presumably it
        # disables certificate verification -- confirm, and keep it false
        # outside development. The same applies to consul.tls and vault.tls.
        insecure: bool

consul:
  address: string
  token: string
  datacenter: string
  namespace: string    # Consul admin namespace
  tls:
    ca_cert: string
    client_cert: string
    client_key: string
    server_name: string
    insecure: bool

vault:
  address: string
  token: string
  namespace: string
  default_auth_path: string # Kubernetes auth path (default: auth/kubernetes)
  # NOTE(review): vault has both skip_verify and tls.insecure; this page does
  # not say how the two interact -- confirm which one takes effect.
  skip_verify: bool  # Skip TLS verification (dev only)
  tls:
    ca_cert: string
    client_cert: string
    client_key: string
    server_name: string
    insecure: bool

traefik:
  dynamic_config_dir: string    # Traefik dynamic config directory
  default_cert_resolver: string  # Cert resolver (default: letsencrypt)
  entry_point_https: string      # (default: websecure)
  entry_point_http: string      # (default: web)

metrics:
  enabled: bool
  namespace: string    # Prometheus metric prefix (default: nomadpaas)

Authentication Modes

None (Development)

# Development only. Presumably no caller authentication is enforced in this
# mode (confirm against the controlplane), so keep the API off shared networks.
auth:
  mode: none
  admin_key: ""       # No admin key in dev mode

API Key Auth

# API key mode: clients send their tenant key in the header named below.
auth:
  mode: apikey
  api_key_header: X-API-Key
  # Placeholders: replace both with long random values and inject them through
  # ${VAR} references, as the Production profile on this page does, instead of
  # committing them. jwt_secret signs HS256 tokens, so reading it allows forgery.
  admin_key: your-admin-secret
  jwt_secret: your-jwt-secret

Clients authenticate using the X-API-Key header with their tenant API key.

OIDC Auth

# OIDC mode: identity comes from the issuer below.
auth:
  mode: oidc
  # Use an https issuer URL.
  oidc_issuer: https://auth.example.com
  # NOTE(review): presumably checked against the token's audience claim --
  # confirm, and use a value specific to this deployment.
  oidc_audience: controlplane
  oidc_client_id: controlplane
  # Placeholder: inject via a ${VAR} reference, as the Production profile does.
  oidc_client_secret: your-client-secret
  oidc_scopes:
    - openid
    - profile
    - email
  # Placeholders: both are secrets. jwt_secret signs HS256 tokens, so anyone who
  # can read it can forge them; admin_key grants platform-wide operations.
  jwt_secret: your-jwt-secret
  admin_key: your-admin-secret

Environment Variables

Configuration can also be provided via environment variables using the NPAAS_ prefix:

Variable Description
NPAAS_API_HOST Server host
NPAAS_API_PORT Server port
NPAAS_AUTH_MODE Auth mode
NPAAS_STORE_BACKEND State store backend
NPAAS_STORE_CONSUL_ADDRESS Consul address
NPAAS_STORE_CONSUL_TOKEN Consul token
NPAAS_NOMAD_ADDRESS Nomad address
NPAAS_NOMAD_CLUSTERS_0_TOKEN Nomad cluster token
NPAAS_CONSUL_ADDRESS Consul address
NPAAS_CONSUL_TOKEN Consul token
NPAAS_VAULT_ADDRESS Vault address
NPAAS_VAULT_TOKEN Vault token

Profiles

Development

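# Development profile: single-machine defaults with authentication off.
# Do not reuse on a shared or internet-reachable host.
debug: true

api:
  # Loopback only: auth.mode is "none" below, so listening on 0.0.0.0 would
  # offer an unauthenticated control-plane API to every reachable network.
  # Every other endpoint in this profile is already on 127.0.0.1. If the API
  # must be reached from another container or VM, widen this deliberately and
  # restrict access at the network layer.
  host: 127.0.0.1
  port: 8080

auth:
  mode: none

store:
  backend: consul
  consul:
    address: 127.0.0.1:8500
    # Empty token: presumably assumes ACLs are disabled on the local Consul
    # agent -- confirm. The same applies to the Nomad and Consul tokens below.
    token: ""
    datacenter: dc1
    prefix: nomad-paas

nomad:
  default_strategy: primary
  clusters:
    - name: local
      address: http://127.0.0.1:4646
      token: ""
      # NOTE(review): "local" is not among the cloud values listed in the
      # reference ("aws" | "gcp" | "azure" | "bare-metal") -- confirm it is accepted.
      cloud: local
      region: local
      datacenters: [dc1]
      primary: true

consul:
  address: 127.0.0.1:8500
  token: ""
  datacenter: dc1

vault:
  address: http://127.0.0.1:8200
  # Documented as "dev only"; never carry this into another profile.
  skip_verify: true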

Production

# Production profile: every secret is a ${VAR} reference instead of a literal.
# NOTE(review): confirm the loader fails on an unset variable rather than
# substituting an empty string; an empty admin_key or jwt_secret would be unsafe.
debug: false

api:
  # Listens on every interface; limit reachability with firewall rules or by
  # placing the API behind a reverse proxy.
  host: 0.0.0.0
  port: 8080
  # Placeholder: list only the exact https origins that need browser access.
  cors_origins:
    - https://yourdomain.com

auth:
  mode: oidc
  oidc_issuer: https://auth.example.com
  oidc_audience: controlplane
  oidc_client_id: controlplane
  oidc_client_secret: ${OIDC_CLIENT_SECRET}
  # Signs HS256 tokens: anyone who can read it can forge them. Long and random.
  jwt_secret: ${JWT_SECRET}
  # Grants platform-wide operations; restrict who can read the environment.
  admin_key: ${ADMIN_KEY}

store:
  backend: consul
  consul:
    address: https://consul.example.com:8500
    token: ${CONSUL_TOKEN}
    datacenter: dc1
    prefix: nomad-paas
    # NOTE(review): the reference on this page lists no `tls` key under
    # store.consul -- confirm this block is honored, otherwise the CA pin and
    # `insecure: false` here have no effect.
    tls:
      ca_cert: /etc/nomad-paas/consul-ca.pem
      insecure: false

nomad:
  default_strategy: primary
  clusters:
    - name: production
      address: https://nomad.example.com:4646
      token: ${NOMAD_TOKEN}
      region: us-east-1
      cloud: aws
      datacenters: [us-east-1a, us-east-1b]
      primary: true
      # Only the CA is set; add client_cert / client_key if the cluster
      # requires mutual TLS. `insecure` is omitted and its default is not
      # stated on this page.
      tls:
        ca_cert: /etc/nomad-paas/nomad-ca.pem

# NOTE(review): https address with no tls block; presumably the system trust
# store is used -- confirm, or pin ca_cert as the store.consul block does.
consul:
  address: https://consul.example.com:8500
  token: ${CONSUL_TOKEN}
  datacenter: dc1

vault:
  address: https://vault.example.com:8200
  # Static token: scope its policy to what the controlplane needs and rotate it.
  # skip_verify is omitted here; its default is not stated on this page.
  token: ${VAULT_TOKEN}
  namespace: admin/nomad-paas

metrics:
  enabled: true
  namespace: nomadpaas