Vigo Documentation

Vigo is a distributed state enforcement engine for servers and network devices. Agents on managed nodes (envoys) pull desired state from a central server, apply idempotent changes, and report results back. 72 built-in resource types across 8 platforms. No DSL — plain YAML.

Full documentation is available inside the Vigo server web UI. The pages below are the public subset — concepts, getting started, compliance frameworks, executor reference, and examples.

Getting Started

• What is Vigo — Architecture, design principles, how it works
• Technical Comparison — Detailed comparison with Puppet, Ansible, Chef, Salt, CFEngine
• Installation — Docker setup, first boot
• Server Configuration — Full server.yaml reference
• Bootstrap — Agent enrollment on all platforms
• Quickstart — 10-minute first-envoy walkthrough
• First Module — Write your first .vgo module
• Core Use Cases — Configuration management, security, network, DR/IR, observability
• Performance: 1-Minute — Baseline projections
• Performance: 30-Second — Recommended for responsive fleets
• Performance: 15-Second — Near-real-time state enforcement

Concepts

• Architecture — Three binaries, ports, data flows
• Check-in Lifecycle — Pull loop, fingerprint, delta transfer
• Convergence Walkthrough — End-to-end with timing and traffic
• Compiled Promises — Bundle signing, TTL, offline convergence
• Config Format — Modules, roles, envoys, vars
• Resource DAG — depends_on, notify, subscribes
• Resource Language — foreach, case/match, conditional_block, defaults
• When Expressions — Boolean logic and builtin functions
• Templates — Go templates in content: attributes
• Secrets — Two backends and the secret: prefix
• Composition Patterns — Five layers of config reuse
• Multi-Axis Configuration — Per-environment overrides for multi-site fleets
• Compliance — Per-resource to fleet-wide status
• Observe Mode — Global and per-entry drift-only mode
• Guardrails — Self-protection for agent and server paths
• Module Retraction — Auto-undo when modules are removed
• Multi-Client Environments — MSP pattern: clients x environments
• Network Devices — Gateway proxy architecture
• Spanner — Hub-spoke multi-server topology
• Swarm — Peer-to-peer content distribution
• Vigosync — Per-user file sync across machines
• Custom Executors — JSON stdin/stdout protocol
• Custom Traits — Custom trait collector scripts

Compliance Frameworks

• HIPAA Checklist — 164.312 requirement mapping
• HITRUST CSF — 31 control references across 8 domains
• SOC 2 — 32 Trust Services Criteria across 5 categories
• PCI DSS v4.0 — 42 requirements + enforcement modules
• CIS Benchmarks — Ubuntu, RHEL, Windows Level 1 modules
• NIST 800-53 — 41 Federal/FedRAMP controls
• ISO 27001 — 33 Annex A controls
• GDPR — 13 EU data protection articles
• NERC CIP — 18 energy sector requirements
• Cyber Essentials Plus — UK government certification
• IEC 62443 — Industrial cybersecurity
• Compliance Reporting — JSON, HTML, and OSCAL output
• Security Scanning — CVE scanning, hardening audits, rootkit detection
• Remediation Workflow — Automated drift detection, fix, verification

Reference

• Executors — 72 built-in resource types across all platforms
• Supported Platforms — Linux, macOS, FreeBSD, OpenBSD, NetBSD, illumos, Windows, network devices

Security

• Self-Protection Guardrails — Blocked commands, protected paths, enforcement layers

Examples

• Nginx Module — Full nginx walkthrough
• Multi-Environment — Production/staging with environment_overrides
• Docker Stack — Container management
• Security Hardening — Firewall, fail2ban, SSH, sudo
• Monitoring Stack — Prometheus, node_exporter, Grafana
• Database Cluster — PostgreSQL with vars_from
• Kubernetes Nodes — OS-level k8s node config