Configuration reference
Reference for Arctic CLI and compose configuration files
CLI configuration
The Arctic CLI stores connection details in a configuration file.
File location
Default: ~/.config/arctic/config.yaml
Override with the --config flag or ARCTIC_CONFIG environment variable.
Configuration format
Groups peers by cluster with shared credentials and global preferences:
current_cluster: 01HABCDEF456...
clusters:
01HABCDEF456...:
cluster_id: 01HABCDEF456...
customer_id: cust_xyz789...
client_id: cl_01HXYZ...
client_secret: sec_abc123...
peers:
- url: http://192.168.1.10:8080
peer_id: 01HXYZABC123...
name: agent-a
- url: http://192.168.1.20:8080
peer_id: 01HXYZDEF789...
name: agent-b
default_peer: 01HXYZABC123...
name: Production
preferences:
cache_ttl: 3600 # Cache TTL in seconds (default: 3600)
auto_failover: false # Reserved for future useCluster object
| Field | Type | Description |
|---|---|---|
cluster_id | string | Cluster identifier (ULID) |
customer_id | string | Customer identifier from license |
client_id | string | OAuth client ID for cluster auth |
client_secret | string | OAuth client secret |
peers | array | List of peers in this cluster |
default_peer | string | Default peer ID for commands |
name | string | Optional human-readable name |
description | string | Optional description |
Peer object
| Field | Type | Description |
|---|---|---|
url | string | Agent API URL |
peer_id | string | Peer identifier (ULID) |
name | string | Optional human-readable name |
Preferences
Global CLI preferences that apply to all commands:
| Field | Type | Description | Default |
|---|---|---|---|
output_format | string | Default output format: table, json, yaml | table |
color | boolean | Enable colored terminal output | true |
timeout | integer | Default request timeout in seconds | 30 |
cache_ttl | integer | Completion cache TTL in seconds | 3600 |
auto_failover | boolean | Auto-failover to backup peers (reserved) | false |
Preference details:
- output_format: Sets the default output format for all commands. Can be overridden with
--outputflag. - color: Controls whether CLI output uses ANSI colors. Automatically disabled when
NO_COLORenvironment variable is set. - timeout: Default HTTP request timeout for API calls. Can be overridden with
--timeoutflag. - cache_ttl: Time-to-live for the completion cache in seconds. Cache is considered stale after this duration.
- auto_failover: Reserved for future peer failover feature. Currently not implemented.
Managing configuration
View current context:
arctic config currentSwitch context:
arctic config use-cluster ProductionList all contexts:
arctic config listView full config:
arctic config viewSecurity considerations
The config file contains credentials. Protect it:
chmod 600 ~/.config/arctic/config.yamlConsider using environment variables for CI/CD:
export ARCTIC_URL="http://agent:8080"
export ARCTIC_TOKEN="eyJ..."
arctic peers listCompose configuration
The compose configuration file defines the desired state of an Arctic cluster in YAML format. This section documents the complete schema, field definitions, and validation rules.
File format
Configuration files use YAML format with schema version v1. The file can be named anything, but cluster.yaml is the convention.
Configuration schema
Root structure
| Field | Type | Required | Description |
|---|---|---|---|
version | string | Yes | Schema version (must be v1) |
license | string | No | Relative path to license file from config location |
peers | array | Yes | List of peer configurations |
services | array | No | List of service configurations |
Peer configuration
| Field | Type | Required | Description |
|---|---|---|---|
name | string | Yes | Unique human-readable identifier for this peer |
address | string | Yes | Network address in host:port format |
Notes:
- Peers cannot be deleted via compose. Removing a peer from the configuration file will not remove it from the cluster. Use
arctic peers deleteto remove peers. - Peer names are used as references in service configurations.
Service configuration
| Field | Type | Required | Description |
|---|---|---|---|
name | string | Yes | Unique human-readable identifier for this service |
source_peer | string | Yes | Name of the source peer (must exist in peers list) |
target_peer | string | Yes | Name of the target peer (must exist in peers list) |
transport_type | string | Yes | Transport protocol: tcp or kcp |
fully_transparent | bool | No | Enable fully transparent proxying mode (default: false) |
interface | object | No | MACVLAN interface configuration |
qos | object | No | Quality of service settings |
routes | array | No | Routing rules for this service |
Notes:
- A service must have either
interface(withenabled: true) orroutesdefined. source_peerandtarget_peermust be different peers.
Interface configuration
| Field | Type | Required | Description |
|---|---|---|---|
enabled | bool | Yes | Enable MACVLAN interface creation for this service |
ipv4 | string | No | Desired IPv4 address in CIDR notation (e.g., 10.0.0.1/24) |
Notes:
- If
ipv4is omitted, the address is assigned via DHCP. - IPv4 cannot be
0.0.0.0/0(broadcast address). - IPv4 addresses must be unique per source peer across services.
QoS configuration
| Field | Type | Required | Description |
|---|---|---|---|
bandwidth_limit_mbps | uint64 | No | Maximum bandwidth in Mbps (0 = unlimited) |
Notes:
- QoS is recommended for KCP transport to prevent bandwidth saturation.
Route configuration
| Field | Type | Required | Description |
|---|---|---|---|
source_cidr | string | Conditional | Source network in CIDR notation |
dest_cidr | string | Conditional | Destination network in CIDR notation |
priority | uint64 | Yes | Route evaluation order (lower value = higher priority) |
Notes:
- At least one of
source_cidrordest_cidrmust be specified. - Cannot have both
source_cidranddest_cidrset to0.0.0.0/0. - Priorities must be unique within a service.
- Routes cannot conflict with another service on the same source peer (same source and dest CIDRs).
Validation rules
Errors
Errors must be fixed before the configuration can be applied.
| Field | Rule | Description |
|---|---|---|
version | required | Version field is required |
version | supported | Must be v1 |
peers | required | At least one peer is required |
peers[N].name | required | Peer name is required |
peers[N].name | unique | Peer names must be unique |
peers[N].address | required | Peer address is required |
peers[N].address | unique | Peer addresses must be unique |
services[N].name | required | Service name is required |
services[N].name | unique | Service names must be unique |
services[N].source_peer | required | Source peer is required |
services[N].source_peer | reference | Must exist in peers list |
services[N].target_peer | required | Target peer is required |
services[N].target_peer | reference | Must exist in peers list |
services[N] | different-peers | Source and target peers must be different |
services[N] | has-routing | Must have interface (enabled) or routes defined |
services[N].transport_type | required | Transport type is required |
services[N].transport_type | valid | Must be tcp or kcp |
services[N].interface.ipv4 | valid-cidr | Must be valid CIDR notation |
services[N].interface.ipv4 | not-broadcast | Cannot be 0.0.0.0/0 |
services[N].interface.ipv4 | unique-per-peer | No duplicate IPv4 for same source peer |
services[N].routes[M] | has-cidr | At least source_cidr or dest_cidr required |
services[N].routes[M].source_cidr | valid-cidr | Must be valid CIDR notation |
services[N].routes[M].dest_cidr | valid-cidr | Must be valid CIDR notation |
services[N].routes[M] | not-full-broadcast | Cannot have both CIDRs as 0.0.0.0/0 |
services[N].routes[M].priority | unique | Priorities must be unique within service |
services[N].routes[M] | no-conflicts | Route cannot conflict with another service on same source peer |
Warnings
Warnings are advisory and do not prevent configuration from being applied. Use --strict to treat warnings as errors.
| Rule | Field | Description |
|---|---|---|
missing-port | peers[N].address | Peer address missing port (typically :8080) |
interface-and-routes | services[N] | Service has both interface and routes (typically use one or the other) |
Canonical key ordering
The arctic compose fmt command reorders keys to a canonical order for consistency:
Root level: version, license, peers, services
Peer: name, address
Service: name, source_peer, target_peer, transport_type, fully_transparent, interface, qos, routes
Interface: enabled, ipv4
QoS: bandwidth_limit_mbps
Route: source_cidr, dest_cidr, priority
Examples
Minimal configuration
version: v1
peers:
- name: peer-1
address: 192.168.1.10:8080
- name: peer-2
address: 192.168.1.20:8080
services:
- name: tunnel-1-to-2
source_peer: peer-1
target_peer: peer-2
transport_type: tcp
routes:
- dest_cidr: 10.0.0.0/8
priority: 100Full configuration
version: v1
license: ./license.jwt
peers:
- name: datacenter-west
address: 10.0.1.10:8080
- name: datacenter-east
address: 10.0.2.10:8080
services:
# West to East tunnel
- name: west-to-east
source_peer: datacenter-west
target_peer: datacenter-east
transport_type: tcp
fully_transparent: true
interface:
enabled: true
ipv4: 10.100.0.1/24
qos:
bandwidth_limit_mbps: 100
routes:
- source_cidr: 0.0.0.0/0
dest_cidr: 10.0.2.0/24
priority: 100
- source_cidr: 192.168.0.0/16
dest_cidr: 172.16.0.0/12
priority: 200
# East to West tunnel (bidirectional)
- name: east-to-west
source_peer: datacenter-east
target_peer: datacenter-west
transport_type: tcp
fully_transparent: true
interface:
enabled: true
ipv4: 10.100.0.2/24
qos:
bandwidth_limit_mbps: 100
routes:
- source_cidr: 0.0.0.0/0
dest_cidr: 10.0.1.0/24
priority: 100KCP transport with QoS
version: v1
peers:
- name: site-a
address: 192.168.1.10:8080
- name: site-b
address: 192.168.2.10:8080
services:
- name: kcp-tunnel
source_peer: site-a
target_peer: site-b
transport_type: kcp
qos:
bandwidth_limit_mbps: 50 # Recommended for KCP
routes:
- dest_cidr: 10.20.0.0/16
priority: 100