Vigo Documentation

Vigo is a Distributed State Enforcement Engine for servers and network devices. Agents on managed nodes (envoys) pull desired state from a central server, apply idempotent changes, and report results back. 69 resource types — 68 built-in across 7 operating systems (16 of them SSH-based network-device executors for Cisco, Arista, and Juniper) plus a user-supplied custom executor. No DSL — plain YAML.

The pages below mirror the documentation that ships inside the Vigo server. The documentation license stays inside the authenticated product.

Tutorials

The guided golden path, start to finish:

Stand Up the Server — Get vigosrv running
Enroll Your First Envoy — Bring a node under management
Your First Configcrate — Declare and apply desired state
Your First Compliance Report — Score the fleet against a framework

Getting Started

What is Vigo — Architecture, design principles, how it works
Quickstart — Server up → enroll → configcrate → publish → verify
Install — Docker setup, first boot
Enroll an Envoy — Agent enrollment on all platforms
Write Your First Configcrate — Author your first .vgo configcrate
Publish Config — Validate, sync, reload
Technical Comparison — Head-to-head with Puppet, Ansible, Chef, Salt, CFEngine
Performance & Sizing — How many envoys one server holds, measured live
Glossary — Terminology reference

Concepts

Understanding-oriented explainers:

Architecture — Server, envoys, and the pull-based control loop
Convergence vs Compliance — Enforcing state vs scoring it
The Swarm — Peer-to-peer mTLS fabric across the fleet
Puddle Identity — Per-user identity primitive
Security Model — Trust boundaries, mTLS, outbound-only agents
Secrets — How secrets are stored, delivered, and held in memory
Scrier — Browser-based SSH, RDP, and Shadow
Spanner Federation — Peer-equal multi-server scale-out
High Availability — Failure modes and resilience
Compliance Model — Frameworks, controls, and coverage
Configcrates — The unit of configuration

Configcrates & Configuration

Composition Patterns — Five layers of config reuse
Configcrate Language — Configcrates, roles, envoys, vars, templates

How-To Guides

Subsystems

Swarm — Peer-to-peer content distribution
Puddle — Per-user identity primitive
Gitback — Personal git mirroring over the swarm
Lockbox — Per-user encrypted P2P directory sync
Longdrawer — Per-user LAN file sync
Curator — Content-addressed P2P artifact registry
Poolq — Ordered append-only log for the fleet
Scrier — Browser-based SSH, RDP, and Shadow
Spanner — Peer-equal multi-server federation
Network Devices — Cisco, Arista, Juniper over SSH

Operations

Authentication — Basic auth, OIDC, localhost trust
Monitoring — Prometheus, Grafana, metrics
Loki Integration — Ship logs to Loki
Log Correlation — Trace-id propagation across runs
Local Package Mirrors — In-fleet package hosting
Harden Envoy Secret Memory — Host hardening for envoy secret memory
Backup & Recovery — Litestream replication, snapshots
Disaster Recovery — Failure scenarios with runbooks
Compliance Reporting — JSON, HTML, OSCAL output
Troubleshoot — Common issues and diagnostics

Migrating

Migration Guides — From Puppet, Ansible, Chef, Salt, and CFEngine

Reference

Server YAML — Complete server.yaml reference
API Reference — gRPC and REST APIs
Compliance Matrix — Framework-to-control mapping
Admin CLI (vigocli) — vigocli admin commands
Resource Types — 69 resource types: 68 built-in (16 network-device executors) plus a custom executor
Trait Collectors — 50 system fact collectors

Examples

Nginx Configcrate — Full nginx walkthrough
Multi-Environment — Production/staging with environment_overrides
Multi-Cloud — Config patterns for AWS/GCP/Azure mix
Docker Stack — Container management
Security Hardening — Firewall, fail2ban, SSH, sudo
Monitoring Stack — Prometheus, node_exporter, Grafana
Database Cluster — PostgreSQL with vars_from
Kubernetes Nodes — OS-level k8s node config
Disk Hygiene — Trim, SMART, log rotation
Brown Noise — Continuous background convergence demo