Registry
Describe the desired state of a single-server production environment in strict YAML.
The registry is the declarative source of truth. SQLite is local state and indexing only; services, ports, domains, volumes, snapshots, and backup policy remain YAML-owned.
Default structure
/srv/server-registry/
├── services.yml
├── ports.yml
├── domains.yml
├── volumes.yml
├── snapshots.yml
├── backups.yml
├── policies.yml
├── approvals/
├── plans/
└── history/Validate the registry
opsctl registry validate --json
opsctl doctor --jsonregistry validate checks schemas and references. doctor adds policy analysis for port conflicts, production snapshot coverage, public database ports, and other operational risks.
Service declarations
A service record should make these facts explicit:
- Stable ID and environment.
- Deployment kind, such as systemd, Compose, or static files.
- Project path and health checks.
- Ownership of ports, domains, and volumes.
- Whether a
before_deploybackup gate applies.
Start from observations
opsctl scan --json
opsctl registry drift list --json
opsctl registry drift explain <drift-id> --jsonObserved state is not automatically source of truth. You may adopt clearly owned resources or record expiring ignores for accepted drift; both should leave audit evidence.
Change discipline
- Generate or review a draft.
- Run strict validation.
- Confirm the diff contains only the intended resources.
- Retain a snapshot and rollback plan for production mutations.
Never promote an entire scan into production truth. Unknown ownership, shared volumes, and public ports require human judgment.