One Writable Source of Truth, With a Code Default as Fallback

When configuration needs to be shared across several machines, resist the urge to sync a file around the fleet. File sync is fragile: it couples unrelated systems, invites race conditions, and fails in confusing ways when one node is unreachable. Instead, pick a single service that owns the writable config and let every other node fetch it at load time and on periodic refresh.

The key to making this safe is a layered fallback. Bake a sensible default directly into the code, then merge the fetched config over that default. When the source service is down, behavior simply equals the code default — no crash, no regression, no scramble. Availability of the config service becomes an optimization, not a hard dependency.

A related habit pays off here: decouple “forward” from “process.” A headless node may need to hand work off to another machine without doing the work itself locally. If a single flag suppresses both behaviors, you can’t express that. Split the concerns so each path can be enabled independently — the more orthogonal your switches, the more configurations you can support without new mechanisms.