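# mc-proxy configuration for rift.
#
# Fronts metacrypt, mcr, and sgard containers:
#   :443  → metacrypt-web, mcr-web (L7, TLS termination + re-encrypt)
#   :8443 → metacrypt API, mcr API (L4 passthrough, SNI-multiplexed)
#   :9443 → metacrypt gRPC, mcr gRPC, sgardd (L4 passthrough, SNI-multiplexed)
#
# Copy to /srv/mc-proxy/mc-proxy.toml on rift before starting.

[database]
path = "/srv/mc-proxy/mc-proxy.db"

# :443 — L7 TLS-terminating routes to web UIs.
# NOTE(review): the listener addresses carry no host part, so they presumably
# bind every interface on rift — confirm that exposure is intended.
[[listeners]]
addr = ":443"

[[listeners.routes]]
hostname = "metacrypt.svc.mcp.metacircular.net"
backend = "127.0.0.1:18080"
mode = "l7"
tls_cert = "/srv/mc-proxy/certs/metacrypt-svc.pem"
# Private key for the certificate above: keep it readable only by the account
# that runs mc-proxy.
tls_key = "/srv/mc-proxy/certs/metacrypt-svc.key"
# Re-encrypt towards the backend. NOTE(review): this file does not show whether
# the backend certificate is verified — confirm.
backend_tls = true

[[listeners.routes]]
hostname = "mcr.svc.mcp.metacircular.net"
backend = "127.0.0.1:28080"
mode = "l7"
tls_cert = "/srv/mc-proxy/certs/mcr-svc.pem"
# Private key: same file-permission care as the metacrypt key.
tls_key = "/srv/mc-proxy/certs/mcr-svc.key"
backend_tls = true

# :8443 — L4 passthrough, SNI-multiplexed: metacrypt API + mcr API.
# These routes set no mode and no certificate. As L4 passthrough, the TLS
# session is expected to end at the backend, so any certificate and client
# authentication checks are the backend's job, not the proxy's.
[[listeners]]
addr = ":8443"

[[listeners.routes]]
hostname = "metacrypt.svc.mcp.metacircular.net"
backend = "127.0.0.1:18443"

[[listeners.routes]]
hostname = "mcr.svc.mcp.metacircular.net"
backend = "127.0.0.1:28443"

# :9443 — L4 passthrough, SNI-multiplexed: metacrypt gRPC + mcr gRPC + sgardd.
[[listeners]]
addr = ":9443"

[[listeners.routes]]
hostname = "metacrypt.svc.mcp.metacircular.net"
backend = "127.0.0.1:19443"

[[listeners.routes]]
hostname = "mcr.svc.mcp.metacircular.net"
backend = "127.0.0.1:29443"

[[listeners.routes]]
hostname = "sgard.svc.mcp.metacircular.net"
backend = "127.0.0.1:19473"

# gRPC admin API — Unix socket, secured by file permissions.
# Nothing in this file sets the socket's owner or mode, so check on rift that
# the socket and /srv/mc-proxy are accessible only to the intended admin
# account.
[grpc]
addr = "/srv/mc-proxy/mc-proxy.sock"

# Firewall — no GeoIP on local network, basic rate limiting.
# All three block lists are empty, so the rate limit is the only filter
# configured here.
# NOTE(review): presumably rate_limit counts connections per rate_window per
# client address — confirm the unit and scope.
[firewall]
blocked_ips = []
blocked_cidrs = []
blocked_countries = []
rate_limit = 100
rate_window = "1m"

# Prometheus metrics — loopback only, for node-local MCP scraping.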
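[metrics]
# Loopback bind: the endpoint is reachable only from this host. No
# authentication setting for it appears in this file, so keep it off
# routable interfaces.
addr = "127.0.0.1:9091"
path = "/metrics"

# NOTE(review): presumably connect_timeout bounds the dial to a backend and
# idle_timeout bounds how long a silent connection is kept open — confirm
# against the mc-proxy documentation.
[proxy]
connect_timeout = "5s"
idle_timeout = "300s"
shutdown_timeout = "30s"

[log]
level = "info"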