# mc-proxy configuration
#
# This file seeds the database on first run. After that, the database is
# the source of truth — listener, route, and firewall fields here are ignored.

# Database. Required.
[database]
path = "/srv/mc-proxy/mc-proxy.db"

# Listeners. Each listener binds a TCP port and has its own route table.
[[listeners]]
addr = ":443"

  [[listeners.routes]]
  hostname = "metacrypt.metacircular.net"
  backend  = "127.0.0.1:18443"

  [[listeners.routes]]
  hostname = "mcias.metacircular.net"
  backend  = "127.0.0.1:28443"

[[listeners]]
addr = ":8443"

  [[listeners.routes]]
  hostname = "metacrypt.metacircular.net"
  backend  = "127.0.0.1:18443"

[[listeners]]
addr = ":9443"

  [[listeners.routes]]
  hostname = "mcias.metacircular.net"
  backend  = "127.0.0.1:28443"

# gRPC admin API. Optional — omit or leave addr empty to disable.
# Unix socket, secured by file permissions (no TLS needed).
[grpc]
addr = "/srv/mc-proxy/mc-proxy.sock"

# Firewall. Global blocklist, evaluated before routing. Default allow.
[firewall]
geoip_db          = "/srv/mc-proxy/GeoLite2-Country.mmdb"
blocked_ips       = []
blocked_cidrs     = []
blocked_countries = ["KP", "CN", "IN", "IL"]
rate_limit        = 100       # max connections per source IP per window (0 = disabled)
rate_window       = "1m"      # sliding window duration (required if rate_limit > 0)

# Prometheus metrics. Optional — omit or leave addr empty to disable.
[metrics]
addr = "127.0.0.1:9090"
path = "/metrics"

# Proxy behavior.
[proxy]
connect_timeout  = "5s"
idle_timeout     = "300s"
shutdown_timeout = "30s"

# Logging.
[log]
level = "info"