Why Vigo

Simplicity, security, reliability, scalability, and price — where Vigo is different from every other configuration management system.

Releasing soon: Vigo is in alpha and closing in on its first stable release. Expect breaking changes between releases until then — we're looking for testing partners with meaningful fleets across diverse architectures.

One resource. One file.

Create a user with passwordless sudo and an SSH key — a task every team does. In Vigo it's a single resource in a single file, with SSH keys, sudo, and secrets built in.

Vigo — 1 file, 1 resource
configcrates/os-users.vgo
name: os-users

resources:
  - name: alice
    type: user
    username: alice
    comment: Alice Nguyen
    shell: /bin/bash
    groups: sudo, adm
    state: present
    password: secret:vigo/os-users/alice
    sudo_nopasswd: true
    authorized_keys: |
      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJqR... alice@laptop

📄 Simplicity

One server at any scale

No compile masters, no worker pools, no database clusters, no load balancers. One process, one SQLite file, one config directory. The architecture does not change whether you manage 10 nodes or 100,000.

~8 MiB static agent binary

No Ruby, no Python, no JVM, no package manager ecosystem on managed nodes. Copy the binary, run it. Zero runtime dependencies.

One config format, one config path

There is exactly one way to configure Vigo: edit YAML files and publish. No API writes, no database config, no UI mutations. One source of truth, one format, one tool.

No DSL

The configuration language is YAML. Go templates appear only inside content: attributes. No custom language to learn, no compiler, no parser quirks.

Bootstrap is one command

curl | sudo sh downloads the binary, generates TLS certificates, registers with the server, installs the service, and verifies connectivity. Under management in 30 seconds.

Seven OS families from one codebase

Linux, macOS, FreeBSD, OpenBSD, NetBSD, illumos, and Windows. Write type: service and it dispatches to systemd, launchctl, rc.d, rcctl, SMF, or sc.exe.

Conditional resources without an if DSL

when: "os_family('debian')" on any resource or configcrate. Boolean logic, builtins like has_command, arch, version_ge. Server evaluates what it can, passes the rest to the agent. No DSL, no plugins.

Visibility — trace any decision back to its source

One command — vigocli config trace danlap — shows the complete resolution chain for any node. Every configcrate, variable, dependency, compliance tag, waiver, and conditional traced to the exact file that defined it.

[Screenshot: Vigo config trace showing the directory inheritance tree with path and configcrate resolution for danlap]
Path inheritance — the directory tree that contributes to this node's config, from fleet root down to the leaf entry file.

[Screenshot: configcrate inheritance showing per-level configcrate lists and role expansion for danlap]
Configcrate inheritance — which configcrates and roles came from which file, with role expansion showing the configcrates each role contributes.

[Screenshot: variable inheritance chain showing per-level vars with override markers and final resolution sources]
Variable inheritance — vars defined at each directory level, override markers where a child shadows a parent, and the final resolution showing where each var's value came from.

[Screenshot: dependency inheritance showing depends_on, notify, and subscribes edges between resources]
Dependency inheritance — the full DAG of depends_on, notify, and subscribes edges. Resources execute in topological order; notify triggers re-application when a dependency changes.

[Screenshot: conditional inheritance showing server-side and agent-side when expressions with template variable resolution]
Conditional inheritance — every when: expression with its evaluation side. Server-side conditions (like changed) are resolved before dispatch; agent-side conditions (like os_family and hour_range) run on the managed node. Template variables are resolved and shown beneath the original expression.

[Screenshot: compliance inheritance mapping configcrates to framework controls across CIS, HIPAA, NIST, PCI DSS, SOC 2, ISO 27001, and HITRUST]
Compliance inheritance — every configcrate's compliance tags mapped to framework controls. Seven frameworks, from CIS benchmarks to HIPAA and PCI DSS, traced to the configcrate that enforces them.

[Screenshot: waiver inheritance showing approved compliance control exemptions with approver and source file]
Waivers inheritance — approved exemptions for specific compliance controls. Each waiver records who approved it, why, and which file defined it. Waivers inherit through the directory chain.

🔒 Security

Per-request ED25519 signatures

Every agent request is individually signed and verified against stored public keys. Not just TLS — actual cryptographic proof of identity on every API call. Replay and impersonation require the private key, not just a valid certificate.
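What "signed and verified on every call" looks like in practice, as an added illustration written for this page rather than Vigo's own code: the agent signs a canonical digest of the request (node id, method, path, timestamp, body hash) with its ED25519 private key, and the server verifies against the public key it stored at enrollment and rejects anything outside a freshness window. The SignedRequest shape, the field list, the node id "danlap" and the 30-second window are assumptions for the example; the page only states that requests are individually signed and that the hot path includes a timestamp check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// SignedRequest is a hypothetical wire shape for one agent request. Vigo's
// real request format is not shown on the page; this is an assumption.
type SignedRequest struct {
	NodeID    string // selects which stored public key the server checks against
	Method    string
	Path      string
	Timestamp int64 // unix seconds; bounded so a captured request cannot be replayed later
	Body      []byte
	Signature []byte
}

// canonical builds the exact bytes that get signed. Every field the server
// acts on is included, so none can be altered without re-signing.
func canonical(r *SignedRequest) []byte {
	bodyHash := sha256.Sum256(r.Body)
	return []byte(strings.Join([]string{
		r.NodeID, r.Method, r.Path,
		strconv.FormatInt(r.Timestamp, 10),
		hex.EncodeToString(bodyHash[:]),
	}, "\n"))
}

// Sign is the agent side: attach a signature over the canonical bytes.
func Sign(priv ed25519.PrivateKey, r *SignedRequest) {
	r.Signature = ed25519.Sign(priv, canonical(r))
}

// Verifier is the server side: stored public keys per node, a clock, and the
// maximum clock skew / replay window it tolerates.
type Verifier struct {
	Keys   map[string]ed25519.PublicKey
	Now    func() time.Time
	MaxAge time.Duration
}

var (
	ErrUnknownNode  = errors.New("unknown node id")
	ErrStale        = errors.New("timestamp outside allowed window")
	ErrBadSignature = errors.New("signature does not verify")
)

// Verify proves identity on every call: a key must be on file for the node,
// the timestamp must be fresh, and the signature must match the canonical bytes.
func (v *Verifier) Verify(r *SignedRequest) error {
	pub, ok := v.Keys[r.NodeID]
	if !ok {
		return ErrUnknownNode
	}
	age := v.Now().Sub(time.Unix(r.Timestamp, 0))
	if age > v.MaxAge || age < -v.MaxAge {
		return ErrStale
	}
	if !ed25519.Verify(pub, canonical(r), r.Signature) {
		return ErrBadSignature
	}
	return nil
}

// DemoSignatures runs the good path plus the two failure modes that matter:
// a body altered in transit, and the same request replayed five minutes later.
func DemoSignatures() (okErr, tamperErr, replayErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed fixed clock
	v := &Verifier{
		Keys:   map[string]ed25519.PublicKey{"danlap": pub}, // stored at enrollment
		Now:    func() time.Time { return now },
		MaxAge: 30 * time.Second,
	}

	req := &SignedRequest{NodeID: "danlap", Method: "POST", Path: "/v1/checkin",
		Timestamp: now.Unix(), Body: []byte(`{"traits":{"arch":"amd64"}}`)} // constructed body
	Sign(priv, req)
	okErr = v.Verify(req)

	tampered := *req
	tampered.Body = []byte(`{"traits":{"arch":"arm64"}}`) // modified after signing
	tamperErr = v.Verify(&tampered)

	replayed := *req
	now = now.Add(5 * time.Minute) // the verifier's clock moves on; the capture does not
	replayErr = v.Verify(&replayed)
	return okErr, tamperErr, replayErr
}

func main() {
	okErr, tamperErr, replayErr := DemoSignatures()
	fmt.Println("valid:", okErr, "| tampered:", tamperErr, "| replayed:", replayErr)
}
```

The point of the canonical form is that the signature covers the body hash and the timestamp, so holding a valid TLS client certificate, or a captured request, is not enough to submit a different body or to resubmit the same one later; only the private key can produce a fresh valid signature.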

Secrets are never materialized

The secret: prefix resolves at config load through a pluggable provider and is stripped before transmission. Secrets never appear in YAML files, environment variables, logs, database rows, gRPC payloads, or run result reports.

No plaintext mode

mTLS is the only transport. There is no --no-ssl flag, no plaintext fallback, no "development mode" that skips encryption. The insecure path does not exist in the codebase.

One-time enrollment tokens

Tokens are bcrypt-hashed at rest and bound to hostname glob patterns. A token that matches *.web.prod cannot enroll a machine named db01.staging. Used once, then permanently invalidated.
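The three properties above (hashed at rest, hostname-glob bound, single use) fit in a small store, shown here as an added example that is not Vigo's code. The store keeps only a digest of the token, matches the hostname against the pattern with path.Match, and consumes the token under a lock so two concurrent enrollments cannot both succeed. One deliberate substitution: bcrypt lives in golang.org/x/crypto, outside the standard library, so this example hashes a 32-byte random token with SHA-256 instead; for a high-entropy random token a one-way hash is what protects the database copy, while bcrypt's cost factor adds margin against guessing if tokens were ever low-entropy. The token id, the error names, and the hostnames are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"path"
	"sync"
)

// enrollmentToken is what sits at rest: a digest, a hostname glob, and a
// used flag. The token secret itself is handed to the operator once and
// never stored.
type enrollmentToken struct {
	hash     [32]byte
	pattern  string // e.g. "*.web.prod"
	consumed bool
}

// TokenStore is an in-memory stand-in for the server's token table.
type TokenStore struct {
	mu     sync.Mutex
	tokens map[string]*enrollmentToken // keyed by token id
}

func NewTokenStore() *TokenStore {
	return &TokenStore{tokens: map[string]*enrollmentToken{}}
}

var (
	ErrNoSuchToken   = errors.New("no such token")
	ErrTokenConsumed = errors.New("token already used")
	ErrBadSecret     = errors.New("token secret mismatch")
	ErrHostMismatch  = errors.New("hostname not permitted by token pattern")
)

func randomString(n int) (string, error) {
	raw := make([]byte, n)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// Issue mints a token bound to a hostname glob and returns the secret exactly
// once; only its SHA-256 (bcrypt stand-in, see lead-in) is retained.
func (s *TokenStore) Issue(pattern string) (id, secret string, err error) {
	if _, err := path.Match(pattern, ""); err != nil { // reject malformed globs early
		return "", "", err
	}
	if id, err = randomString(8); err != nil {
		return "", "", err
	}
	if secret, err = randomString(32); err != nil {
		return "", "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[id] = &enrollmentToken{hash: sha256.Sum256([]byte(secret)), pattern: pattern}
	return id, secret, nil
}

// Redeem performs the enrollment check. The lock makes "check consumed, then
// mark consumed" atomic, which is what makes the token genuinely one-time.
func (s *TokenStore) Redeem(id, secret, hostname string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	tok, ok := s.tokens[id]
	if !ok {
		return ErrNoSuchToken
	}
	if tok.consumed {
		return ErrTokenConsumed
	}
	got := sha256.Sum256([]byte(secret))
	if subtle.ConstantTimeCompare(got[:], tok.hash[:]) != 1 {
		return ErrBadSecret
	}
	if matched, _ := path.Match(tok.pattern, hostname); !matched {
		return ErrHostMismatch // e.g. *.web.prod does not admit db01.staging
	}
	tok.consumed = true // permanently invalidated on first successful use
	return nil
}

// DemoTokens walks the page's scenario: wrong host, wrong secret, correct
// use, then a second attempt with the same token.
func DemoTokens() []error {
	s := NewTokenStore()
	id, secret, err := s.Issue("*.web.prod")
	if err != nil {
		panic(err)
	}
	return []error{
		s.Redeem(id, secret, "db01.staging"),            // ErrHostMismatch
		s.Redeem(id, "not-the-secret", "web01.web.prod"), // ErrBadSecret
		s.Redeem(id, secret, "web01.web.prod"),           // nil: enrolled
		s.Redeem(id, secret, "web02.web.prod"),           // ErrTokenConsumed
	}
}

func main() {
	for i, err := range DemoTokens() {
		fmt.Printf("attempt %d: %v\n", i+1, err)
	}
}
```

Only a successful redemption marks the token consumed here; a wrong-host or wrong-secret attempt is refused without burning the token, which keeps an attacker who knows only the id from denying service to the legitimate enrollee. Whether a failed attempt should instead invalidate the token (and alert) is a policy choice worth logging either way.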

Self-protection guardrails

The validation pipeline blocks any resource that targets the agent binary, server binary, config directory, or service unit. Even --dangerous mode cannot bypass these checks. The system cannot be used to break itself.

Verified agent binary

The agent binary is distributed with ED25519 signatures and SHA-256 checksums, verified at bootstrap. Binary hardening includes PIE, full RELRO, stack protectors, stripped symbols, and LTO.

⚡ Reliability

Idempotency enforced at publish time

Most CM tools treat idempotency as a discipline the operator has to maintain. Vigo makes it a publish-time invariant: config publish validates idempotency alongside syntax, so non-idempotent config fails at publish instead of landing on the fleet. It holds because every executor is check-before-act — file: compares a SHA-256, package: checks the installed version, service: checks is-active/is-enabled before doing anything. Re-evaluating a resource 86,400 times a day at a 1-second cadence makes zero changes and zero audit noise until something actually drifts.
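A check-before-act executor is what makes the "zero changes, zero audit noise" claim hold, and the file: case is the simplest to show. The following is an added example written for this page, not Vigo's executor: it compares the SHA-256 of the current file against the desired content and the file mode against the desired mode, writes only on a mismatch, and reports whether anything changed. The FileResource and Result types, the reason strings, and the temp-file scenario are assumptions for the example.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// FileResource models the desired state of a file: resource (assumed shape).
type FileResource struct {
	Path    string
	Content []byte
	Mode    os.FileMode
}

// Result is what a run report would carry for one resource.
type Result struct {
	Changed bool
	Reason  string
}

// write replaces the content and then sets the mode explicitly, because
// os.WriteFile only applies the mode when it creates the file.
func (r FileResource) write() error {
	if err := os.WriteFile(r.Path, r.Content, r.Mode); err != nil {
		return err
	}
	return os.Chmod(r.Path, r.Mode)
}

// Apply is check-before-act: hash the current file, compare against the
// desired hash, compare the mode, and touch the disk only when they differ.
// Re-running it against a file already in sync reports Changed=false.
func (r FileResource) Apply() (Result, error) {
	want := sha256.Sum256(r.Content)
	cur, err := os.ReadFile(r.Path)
	if errors.Is(err, os.ErrNotExist) {
		if err := r.write(); err != nil {
			return Result{}, err
		}
		return Result{Changed: true, Reason: "created"}, nil
	}
	if err != nil {
		return Result{}, err
	}
	if sha256.Sum256(cur) != want {
		if err := r.write(); err != nil {
			return Result{}, err
		}
		return Result{Changed: true, Reason: "content drift"}, nil
	}
	info, err := os.Stat(r.Path)
	if err != nil {
		return Result{}, err
	}
	if info.Mode().Perm() != r.Mode.Perm() {
		if err := os.Chmod(r.Path, r.Mode); err != nil {
			return Result{}, err
		}
		return Result{Changed: true, Reason: "mode drift"}, nil
	}
	return Result{Changed: false, Reason: "in sync"}, nil
}

// DemoFileApply applies the same resource five times in a temp directory,
// injecting content drift and mode drift between runs, and returns the
// per-run results: created, in sync, content drift, mode drift, in sync.
func DemoFileApply() ([]Result, error) {
	dir, err := os.MkdirTemp("", "cm-idempotent-")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	res := FileResource{Path: filepath.Join(dir, "motd"), Content: []byte("managed file\n"), Mode: 0o644}

	steps := []func() error{
		func() error { return nil }, // fresh: expect "created"
		func() error { return nil }, // nothing changed: expect "in sync"
		func() error { return os.WriteFile(res.Path, []byte("edited by hand\n"), 0o644) }, // content drift
		func() error { return os.Chmod(res.Path, 0o600) },                                  // mode drift
		func() error { return nil }, // back in sync
	}
	var out []Result
	for _, step := range steps {
		if err := step(); err != nil {
			return nil, err
		}
		r, err := res.Apply()
		if err != nil {
			return nil, err
		}
		out = append(out, r)
	}
	return out, nil
}

func main() {
	out, err := DemoFileApply()
	if err != nil {
		panic(err)
	}
	for i, r := range out {
		fmt.Printf("run %d: changed=%v (%s)\n", i+1, r.Changed, r.Reason)
	}
}
```

The same pattern carries over to the other executors the paragraph names: package: compares the installed version before calling the package manager, service: checks is-active and is-enabled before starting or enabling. The property a publish-time idempotency check can enforce is that every executor has a pure comparison step it can report from without acting.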

Signed policy bundles with offline convergence

The server signs bundles with ED25519. The agent verifies, caches in LMDB, and continues converging indefinitely if the server disappears. Pending results queue and drain on reconnect.

Adaptive stream promotion

Agents default to lightweight stateless polling. Persistent streams are promoted only when the server has work to dispatch, then released. Idle agents consume zero stream resources.

Evaluation resilience

A template render error or a when: parse error in one resource skips that resource and continues with the rest of the convergence run. A single bad resource does not abort the entire policy.

Zero database operations on the hot path

The FleetIndex is a fully in-memory index with async dirty-set flushing. An agent check-in — lookup, policy compilation, and response — touches zero database queries.

The agent never exits on transient failures

Server unreachable, TLS handshake failure, malformed response, policy evaluation crash — all handled with backoff and retry. The agent binary, once started, runs until explicitly stopped.

Reload with graceful fallback

Config publish validates, syncs, and reloads. If the new config fails validation, the server keeps the previous working config. No downtime, no partial state.

Browser and CLI remote access (Scrier)

SSH terminals, RDP desktops, and live session shadowing from the web UI — or vigocli scrier ssh from your terminal over the same tunnel. No VPN, no bastion, no port forwarding. Tunnels through the agent's existing mTLS connection. Ephemeral keys per session. Shadow/assist mode lets help desk see and control a user's live desktop with consent.

Observe mode for safe migration

Run Vigo alongside existing CM. Agents report what they would change without applying anything. Cut over when confident. Per-node or fleet-wide.

📈 Scalability

Tens of thousands of envoys per server

On a single 8 vCPU / 32 GB machine, measured live — ~7,450 envoys at the one-second default, ~30,000 at a relaxed cadence. You set the cadence; capacity scales linearly with cores and RAM. No compile masters, no worker pools, no database clusters. See the analysis →

Microsecond hot path

The per-check-in hot work is a ~53 µs ED25519 signature verify (benchmarked); the timestamp check, index lookup, and hash compare are each sub-microsecond. No catalog compilation, no Ruby interpretation, zero database queries on the hot path — which is why a one-second cadence binds on CPU first, and a relaxed one on memory.

Linear, measured memory cost

~220 KB per connected envoy for the held stream, ~623 KB all-in once its inventory is cached — measured live, dead-linear with RAM. Small fleets run comfortably on a Raspberry Pi.

No external database

SQLite in WAL mode. No PostgreSQL cluster to provision, tune, backup, upgrade, or keep alive at 3 AM. The database is a single file you can copy with cp.

Delta streaming protocol

After the initial check-in, agents send only what changed — traits deltas, run completions, heartbeats. No redundant full-state transfers on every cycle.

Peer federation (spanner) for multi-region

When one server is not enough, spanner fans out enrollment, queries, and tasks across write-equal peer servers. Each peer manages its own partition of the fleet and aggregates results from the others. No shared database.

💰 Price

Free for 100 nodes. No time limit.*

No credit card, no feature gates. Every capability — orchestration, workflows, queries, native integrations, compliance export, AI assistant — is included at every tier.

No enterprise-only features

There is no "Enterprise Edition" with critical features held back. RBAC, OIDC, API tokens, compliance export, spanner — all included. The free tier is the full product.

Infrastructure cost: near zero

One process, one SQLite file, ~6 GB RAM at 10,000 envoys. No PostgreSQL cluster, no Redis, no message queue, no compile master fleet. The server that runs your monitoring can run Vigo too.

No per-node agent licensing

The agent binary is freely distributable. You pay for the server-side node count, not per agent install. Decommission and re-enroll without license churn.

Simple per-node pricing

$144/node/year at 101 nodes, dropping to $96/node/year at scale. Volume discounts are automatic. No sales calls required until 5,000+ nodes.

Lowest total cost of ownership

License is the only meaningful cost. No compile masters, no PostgreSQL DBA, no dedicated CM engineers — the server that runs your monitoring can run Vigo too.

See how it compares

A detailed comparison against the established configuration management tools, and guides for moving over.

* Free tier is provided AS IS with no support obligation. See Commercial Terms.