feat: integrate config system into relay main.go

Add support for loading configuration from YAML file via -config flag.
Wire up auth, rate limiting, and metrics interceptors based on config.

Changes:
- Add -config flag to relay command
- Use config types directly in auth package (AuthOperationConfig)
- Add conversion methods: RateLimitConfig.ToRateLimiter(), MetricsConfig.ToMetrics()
- Add Metrics.Serve() method for prometheus HTTP endpoint
- Update main.go to initialize interceptors from config
- Fix type naming: OperationAuthConfig -> AuthOperationConfig for consistency

Config now supports complete relay setup including auth read/write
allowlists, rate limiting, and prometheus metrics.

1 files changed, 75 insertions, 28 deletions

diff --git a/cmd/relay/main.go b/cmd/relay/main.go
index 3a1eeef..209d758 100644
--- a/cmd/relay/main.go
+++ b/cmd/relay/main.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+        "context"
         "flag"
         "log"
         "net"
@@ -9,8 +10,6 @@ import (
         "os/signal"
         "syscall"
 
-        "context"
-
         "connectrpc.com/connect"
         "golang.org/x/net/http2"
         "golang.org/x/net/http2/h2c"
@@ -18,23 +17,27 @@ import (
 
         pb "northwest.io/muxstr/api/nostr/v1"
         "northwest.io/muxstr/api/nostr/v1/nostrv1connect"
+        "northwest.io/muxstr/internal/auth"
+        "northwest.io/muxstr/internal/config"
         connecthandler "northwest.io/muxstr/internal/handler/connect"
         grpchandler "northwest.io/muxstr/internal/handler/grpc"
         wshandler "northwest.io/muxstr/internal/handler/websocket"
+        "northwest.io/muxstr/internal/metrics"
+        "northwest.io/muxstr/internal/ratelimit"
         "northwest.io/muxstr/internal/storage"
         "northwest.io/muxstr/internal/subscription"
 )
 
 func main() {
-        var (
-                grpcAddr  = flag.String("grpc-addr", ":50051", "gRPC server address")
-                wsAddr    = flag.String("ws-addr", ":8080", "WebSocket server address")
-                dbPath    = flag.String("db", "relay.db", "SQLite database path")
-                publicURL = flag.String("public-url", "", "Public URL for relay (e.g., nostr-grpc.x.bdw.to)")
-        )
+        configFile := flag.String("config", "", "Path to config file (optional)")
         flag.Parse()
 
-        store, err := storage.New(*dbPath)
+        cfg, err := config.Load(*configFile)
+        if err != nil {
+                log.Fatalf("failed to load config: %v", err)
+        }
+
+        store, err := storage.New(cfg.Database.Path)
         if err != nil {
                 log.Fatalf("failed to create storage: %v", err)
         }
@@ -51,42 +54,86 @@ func main() {
         path, handler := nostrv1connect.NewNostrRelayHandler(connectHandler, connect.WithInterceptors())
         mux.Handle(path, handler)
 
+        var serverOpts []grpc.ServerOption
+
+        if cfg.Auth.Read.Enabled || cfg.Auth.Write.Enabled {
+                authOpts := &auth.InterceptorOptions{
+                        Read:            cfg.Auth.Read,
+                        Write:           cfg.Auth.Write,
+                        TimestampWindow: cfg.Auth.TimestampWindow,
+                        SkipMethods:     cfg.Auth.SkipMethods,
+                }
+                serverOpts = append(serverOpts,
+                        grpc.UnaryInterceptor(auth.NostrUnaryInterceptor(authOpts)),
+                        grpc.StreamInterceptor(auth.NostrStreamInterceptor(authOpts)),
+                )
+        }
+
+        if cfg.RateLimit.Enabled {
+                limiter := ratelimit.New(cfg.RateLimit.ToRateLimiter())
+                serverOpts = append(serverOpts,
+                        grpc.ChainUnaryInterceptor(ratelimit.UnaryInterceptor(limiter)),
+                        grpc.ChainStreamInterceptor(ratelimit.StreamInterceptor(limiter)),
+                )
+        }
+
+        var m *metrics.Metrics
+        if cfg.Metrics.Enabled {
+                m = metrics.New(cfg.Metrics.ToMetrics())
+                serverOpts = append(serverOpts,
+                        grpc.ChainUnaryInterceptor(metrics.UnaryServerInterceptor(m)),
+                        grpc.ChainStreamInterceptor(metrics.StreamServerInterceptor(m)),
+                )
+
+                go func() {
+                        log.Printf("Metrics server listening on %s%s", cfg.Metrics.Addr, cfg.Metrics.Path)
+                        if err := m.Serve(cfg.Metrics.Addr, cfg.Metrics.Path); err != nil {
+                                log.Printf("Metrics server failed: %v", err)
+                        }
+                }()
+        }
+
         wsHandler := wshandler.NewHandler(store, subManager)
 
-        // Set public URLs for index page
         var grpcDisplay, httpDisplay, wsDisplay string
-        if *publicURL != "" {
-                // Use public URLs when behind reverse proxy (port 443)
-                grpcDisplay = *publicURL + ":443"
-                httpDisplay = "https://" + *publicURL
-                wsDisplay = "wss://" + *publicURL
+        if cfg.Server.PublicURL != "" {
+                grpcDisplay = cfg.Server.PublicURL + ":443"
+                httpDisplay = "https://" + cfg.Server.PublicURL
+                wsDisplay = "wss://" + cfg.Server.PublicURL
         } else {
-                // Use local addresses for development
-                grpcDisplay = *grpcAddr
-                httpDisplay = "http://" + *wsAddr
-                wsDisplay = "ws://" + *wsAddr
+                grpcDisplay = cfg.Server.GrpcAddr
+                httpDisplay = "http://" + cfg.Server.HttpAddr
+                wsDisplay = "ws://" + cfg.Server.HttpAddr
         }
         wsHandler.SetIndexData(grpcDisplay, httpDisplay, wsDisplay)
         mux.Handle("/", wsHandler)
 
-        grpcLis, err := net.Listen("tcp", *grpcAddr)
+        grpcLis, err := net.Listen("tcp", cfg.Server.GrpcAddr)
         if err != nil {
                 log.Fatalf("failed to listen on gRPC port: %v", err)
         }
 
-        grpcServer := grpc.NewServer()
+        grpcServer := grpc.NewServer(serverOpts...)
         pb.RegisterNostrRelayServer(grpcServer, grpcHandler)
 
         httpServer := &http.Server{
-                Addr:    *wsAddr,
-                Handler: h2c.NewHandler(mux, &http2.Server{}),
+                Addr:         cfg.Server.HttpAddr,
+                Handler:      h2c.NewHandler(mux, &http2.Server{}),
+                ReadTimeout:  cfg.Server.ReadTimeout,
+                WriteTimeout: cfg.Server.WriteTimeout,
         }
 
-        log.Printf("gRPC server listening on %s", *grpcAddr)
-        log.Printf("HTTP server listening on %s", *wsAddr)
-        log.Printf("  - Connect (gRPC-Web) at %s/nostr.v1.NostrRelay/*", *wsAddr)
-        log.Printf("  - WebSocket (Nostr) at %s/", *wsAddr)
-        log.Printf("Database: %s", *dbPath)
+        log.Printf("gRPC server listening on %s", cfg.Server.GrpcAddr)
+        log.Printf("HTTP server listening on %s", cfg.Server.HttpAddr)
+        log.Printf("  - Connect (gRPC-Web) at %s/nostr.v1.NostrRelay/*", cfg.Server.HttpAddr)
+        log.Printf("  - WebSocket (Nostr) at %s/", cfg.Server.HttpAddr)
+        log.Printf("Database: %s", cfg.Database.Path)
+        if cfg.Auth.Read.Enabled || cfg.Auth.Write.Enabled {
+                log.Printf("Auth: enabled (read=%v write=%v)", cfg.Auth.Read.Enabled, cfg.Auth.Write.Enabled)
+        }
+        if cfg.RateLimit.Enabled {
+                log.Printf("Rate limiting: enabled")
+        }
 
         sigChan := make(chan os.Signal, 1)
         signal.Notify(sigChan, os.Interrupt, syscall.SIGTERM)