# mc-proxy configuration for the host "rift".
#
# This instance fronts the metacrypt containers on three listener ports:
#   :443   -> metacrypt-web   (L7: TLS terminated here, then re-encrypted)
#   :8443  -> metacrypt API   (L4 passthrough)
#   :9443  -> metacrypt gRPC  (L4 passthrough)
#
# Install as /srv/mc-proxy/mc-proxy.toml on rift before starting the proxy.

[database]
path = "/srv/mc-proxy/mc-proxy.db"

# Listener 1 of 3 — :443, the only L7 route. The proxy terminates TLS for the
# metacrypt web UI, so this is the one route that needs certificate and key
# material on the proxy host.
# The listener address carries no host part; presumably that binds every
# interface — confirm this matches the intended exposure.
[[listeners]]
addr = ":443"

[[listeners.routes]]
hostname = "metacrypt.svc.mcp.metacircular.net"
backend = "127.0.0.1:18080"
mode = "l7"
tls_cert = "/srv/mc-proxy/certs/metacrypt-svc.pem"
# Private key for the certificate above. Nothing in this file restricts access
# to it; keep it readable only by the account mc-proxy runs as.
tls_key = "/srv/mc-proxy/certs/metacrypt-svc.key"
# Re-encrypt the hop to the backend.
# NOTE(review): whether the backend certificate is verified is not visible
# here — confirm against the mc-proxy documentation.
backend_tls = true

# Listener 2 of 3 — :8443, passthrough to the metacrypt API. The backend
# already serves TLS itself, so no certificate or key is configured here.
# `mode` is omitted; presumably L4 is the default — confirm.
[[listeners]]
addr = ":8443"

[[listeners.routes]]
hostname = "metacrypt.svc.mcp.metacircular.net"
backend = "127.0.0.1:18443"

# Listener 3 of 3 — :9443, passthrough to metacrypt gRPC. Same shape as the
# :8443 listener: the backend already serves TLS and `mode` is omitted.
[[listeners]]
addr = ":9443"

[[listeners.routes]]
hostname = "metacrypt.svc.mcp.metacircular.net"
backend = "127.0.0.1:19443"

# gRPC admin API, exposed on a Unix socket rather than a TCP port. Access
# control rests on file permissions alone.
# NOTE(review): no key in this file sets the socket's mode or owner — check
# both on the socket and on /srv/mc-proxy after startup.
[grpc]
addr = "/srv/mc-proxy/mc-proxy.sock"

# Firewall. GeoIP is not used on the local network, so every block list is
# empty and basic rate limiting is the only active control.
# rate_limit applies per rate_window; presumably it is counted per client
# address — confirm.
[firewall]
blocked_ips = []
blocked_cidrs = []
blocked_countries = []
rate_limit = 100
rate_window = "1m"

# Prometheus metrics, bound to loopback only so that just the node-local MCP
# scraper can reach them.
[metrics]
addr = "127.0.0.1:9090"
path = "/metrics"

[proxy]
connect_timeout = "5s"
idle_timeout = "300s"
shutdown_timeout = "30s"

[log]
level = "info"