1 files changed, 440 insertions, 0 deletions
diff --git a/internal/config/README.md b/internal/config/README.md
new file mode 100644
index 0000000..87d6fa1
--- /dev/null
+++ b/internal/config/README.md
@@ -0,0 +1,440 @@
+# Configuration
+This package provides configuration management for the relay with support for YAML files and environment variable overrides.
+## Overview
+Configuration can be loaded from:
+1. **YAML file** - Primary configuration source
+2. **Environment variables** - Override file values
+3. **Defaults** - Sensible defaults if not specified
+## Usage
+### Load from File
+```go
+import "northwest.io/muxstr/internal/config"
+// Load configuration
+cfg, err := config.Load("config.yaml")
+if err != nil {
+    log.Fatal(err)
+}
+// Use configuration
+fmt.Printf("gRPC listening on %s\n", cfg.Server.GrpcAddr)
+```
+### Load with Environment Overrides
+```bash
+# Set environment variables
+export MUXSTR_SERVER_GRPC_ADDR=":50051"
+export MUXSTR_AUTH_REQUIRED=true
+export MUXSTR_RATE_LIMIT_DEFAULT_RPS=100
+# Run relay
+./relay -config config.yaml
+```
+Environment variables use the format: `MUXSTR_<SECTION>_<KEY>`
+### Use Defaults
+```go
+// Get default configuration
+cfg := config.Default()
+```
+## Configuration File Format
+### Complete Example
+```yaml
+# Server configuration
+server:
+  # gRPC server address
+  grpc_addr: ":50051"
+  # HTTP server address (for Connect and WebSocket)
+  http_addr: ":8080"
+  # Public URL for reverse proxy deployments (optional)
+  # Example: "relay.example.com"
+  public_url: ""
+  # Read timeout for requests (optional)
+  read_timeout: "30s"
+  # Write timeout for responses (optional)
+  write_timeout: "30s"
+# Database configuration
+database:
+  # Path to SQLite database file
+  path: "relay.db"
+  # Maximum number of open connections
+  max_connections: 10
+  # Connection max lifetime
+  max_lifetime: "1h"
+# Authentication configuration
+auth:
+  # Enable authentication
+  enabled: false
+  # Require authentication for all requests
+  # If false, authentication is optional (pubkey available if provided)
+  required: false
+  # Timestamp window in seconds for replay protection
+  timestamp_window: 60
+  # Allowed pubkeys (optional, whitelist)
+  # If empty, all valid signatures are accepted
+  allowed_pubkeys: []
+  # Skip authentication for these methods
+  skip_methods:
+    - "/grpc.health.v1.Health/Check"
+# Rate limiting configuration
+rate_limit:
+  # Enable rate limiting
+  enabled: false
+  # Default rate limit (requests per second)
+  default_rps: 10
+  # Default burst size (token bucket capacity)
+  default_burst: 20
+  # Rate limit for unauthenticated users (per IP)
+  ip_rps: 5
+  ip_burst: 10
+  # Method-specific limits
+  methods:
+    "/nostr.v1.NostrRelay/PublishEvent":
+      rps: 2
+      burst: 5
+    "/nostr.v1.NostrRelay/Subscribe":
+      rps: 1
+      burst: 3
+  # User-specific limits (VIP/premium users)
+  users:
+    "vip-pubkey-here":
+      rps: 100
+      burst: 200
+  # Skip rate limiting for these methods
+  skip_methods:
+    - "/grpc.health.v1.Health/Check"
+  # Skip rate limiting for these pubkeys (admins)
+  skip_users: []
+  # Cleanup interval for idle limiters
+  cleanup_interval: "5m"
+  # Max idle time before limiter is removed
+  max_idle_time: "10m"
+# Metrics configuration
+metrics:
+  # Enable Prometheus metrics
+  enabled: true
+  # Metrics HTTP server address
+  addr: ":9090"
+  # Metrics path
+  path: "/metrics"
+  # Namespace for metrics
+  namespace: "muxstr"
+  # Subsystem for metrics
+  subsystem: "relay"
+# Logging configuration
+logging:
+  # Log level: debug, info, warn, error
+  level: "info"
+  # Log format: json, text
+  format: "json"
+  # Output: stdout, stderr, or file path
+  output: "stdout"
+# Storage configuration
+storage:
+  # Enable automatic compaction
+  auto_compact: true
+  # Compact interval
+  compact_interval: "24h"
+  # Maximum event age (0 = unlimited)
+  max_event_age: "0"
+```
+### Minimal Example
+```yaml
+server:
+  grpc_addr: ":50051"
+  http_addr: ":8080"
+database:
+  path: "relay.db"
+metrics:
+  enabled: true
+  addr: ":9090"
+```
+## Environment Variables
+All configuration values can be overridden with environment variables using the pattern:
+```
+MUXSTR_<SECTION>_<SUBSECTION>_<KEY>=value
+```
+Examples:
+| Config Path | Environment Variable |
+|-------------|---------------------|
+| `server.grpc_addr` | `MUXSTR_SERVER_GRPC_ADDR` |
+| `database.path` | `MUXSTR_DATABASE_PATH` |
+| `auth.required` | `MUXSTR_AUTH_REQUIRED` |
+| `rate_limit.default_rps` | `MUXSTR_RATE_LIMIT_DEFAULT_RPS` |
+| `metrics.enabled` | `MUXSTR_METRICS_ENABLED` |
+Complex types:
+```bash
+# Lists (comma-separated)
+export MUXSTR_AUTH_ALLOWED_PUBKEYS="pubkey1,pubkey2,pubkey3"
+# Durations
+export MUXSTR_SERVER_READ_TIMEOUT="30s"
+export MUXSTR_DATABASE_MAX_LIFETIME="1h"
+# Booleans
+export MUXSTR_AUTH_ENABLED=true
+export MUXSTR_METRICS_ENABLED=false
+```
+## Validation
+Configuration is validated on load:
+```go
+cfg, err := config.Load("config.yaml")
+if err != nil {
+    // Validation errors include detailed messages
+    log.Fatalf("Invalid configuration: %v", err)
+}
+```
+Validation checks:
+- Required fields are present
+- Addresses are valid (host:port format)
+- File paths are accessible
+- Numeric values are in valid ranges
+- Durations are parseable
+## Default Values
+If not specified, the following defaults are used:
+```go
+Server:
+  GrpcAddr: ":50051"
+  HttpAddr: ":8080"
+  ReadTimeout: 30s
+  WriteTimeout: 30s
+Database:
+  Path: "relay.db"
+  MaxConnections: 10
+  MaxLifetime: 1h
+Auth:
+  Enabled: false
+  Required: false
+  TimestampWindow: 60
+RateLimit:
+  Enabled: false
+  DefaultRPS: 10
+  DefaultBurst: 20
+  IPRPS: 5
+  IPBurst: 10
+  CleanupInterval: 5m
+  MaxIdleTime: 10m
+Metrics:
+  Enabled: true
+  Addr: ":9090"
+  Path: "/metrics"
+  Namespace: "muxstr"
+  Subsystem: "relay"
+Logging:
+  Level: "info"
+  Format: "json"
+  Output: "stdout"
+```
+## Configuration Precedence
+Values are loaded in this order (later overrides earlier):
+1. **Defaults** - Built-in default values
+2. **Config file** - Values from YAML file
+3. **Environment variables** - OS environment overrides
+Example:
+```yaml
+# config.yaml
+server:
+  grpc_addr: ":50051"
+```
+```bash
+# Environment override
+export MUXSTR_SERVER_GRPC_ADDR=":9000"
+# Result: gRPC listens on :9000 (env var wins)
+```
+## Reloading Configuration
+Configuration can be reloaded without restart (future feature):
+```go
+// Watch for changes
+watcher, err := config.Watch("config.yaml")
+if err != nil {
+    log.Fatal(err)
+}
+for cfg := range watcher.Updates {
+    // Apply new configuration
+    updateServer(cfg)
+}
+```
+## Best Practices
+1. **Use config files for static settings**: Server addresses, paths, etc.
+2. **Use env vars for deployment-specific settings**: Secrets, environment-specific URLs
+3. **Keep secrets out of config files**: Use env vars or secret management
+4. **Version control your config**: Check in config.yaml (without secrets)
+5. **Document custom settings**: Add comments to config.yaml
+6. **Validate in CI**: Run `relay -config config.yaml -validate` in CI pipeline
+7. **Use different configs per environment**: `config.dev.yaml`, `config.prod.yaml`
+## Example Configurations
+### Development
+```yaml
+server:
+  grpc_addr: ":50051"
+  http_addr: ":8080"
+database:
+  path: "relay-dev.db"
+auth:
+  enabled: false
+rate_limit:
+  enabled: false
+metrics:
+  enabled: true
+  addr: ":9090"
+logging:
+  level: "debug"
+  format: "text"
+```
+### Production
+```yaml
+server:
+  grpc_addr: ":50051"
+  http_addr: ":8080"
+  public_url: "relay.example.com"
+  read_timeout: "30s"
+  write_timeout: "30s"
+database:
+  path: "/var/lib/muxstr/relay.db"
+  max_connections: 50
+auth:
+  enabled: true
+  required: false
+  timestamp_window: 60
+rate_limit:
+  enabled: true
+  default_rps: 10
+  default_burst: 20
+  methods:
+    "/nostr.v1.NostrRelay/PublishEvent":
+      rps: 2
+      burst: 5
+metrics:
+  enabled: true
+  addr: ":9090"
+logging:
+  level: "info"
+  format: "json"
+  output: "/var/log/muxstr/relay.log"
+```
+### High-Performance
+```yaml
+server:
+  grpc_addr: ":50051"
+  http_addr: ":8080"
+database:
+  path: "/mnt/fast-ssd/relay.db"
+  max_connections: 100
+  max_lifetime: "30m"
+auth:
+  enabled: true
+  required: true
+  timestamp_window: 30
+rate_limit:
+  enabled: true
+  default_rps: 100
+  default_burst: 200
+metrics:
+  enabled: true
+  addr: ":9090"
+logging:
+  level: "warn"
+  format: "json"
+```

diff --git a/internal/config/README.md b/internal/config/README.md new file mode 100644 index 0000000..87d6fa1 --- /dev/null +++ b/internal/config/README.md
@@ -0,0 +1,440 @@
	1	# Configuration
	2
	3	This package provides configuration management for the relay with support for YAML files and environment variable overrides.
	4
	5	## Overview
	6
	7	Configuration can be loaded from:
	8	1. YAML file - Primary configuration source
	9	2. Environment variables - Override file values
	10	3. Defaults - Sensible defaults if not specified
	11
	12	## Usage
	13
	14	### Load from File
	15
	16	```go
	17	import "northwest.io/muxstr/internal/config"
	18
	19	// Load configuration
	20	cfg, err := config.Load("config.yaml")
	21	if err != nil {
	22	log.Fatal(err)
	23	}
	24
	25	// Use configuration
	26	fmt.Printf("gRPC listening on %s\n", cfg.Server.GrpcAddr)
	27	```
	28
	29	### Load with Environment Overrides
	30
	31	```bash
	32	# Set environment variables
	33	export MUXSTR_SERVER_GRPC_ADDR=":50051"
	34	export MUXSTR_AUTH_REQUIRED=true
	35	export MUXSTR_RATE_LIMIT_DEFAULT_RPS=100
	36
	37	# Run relay
	38	./relay -config config.yaml
	39	```
	40
	41	Environment variables use the format: `MUXSTR_<SECTION>_<KEY>`
	42
	43	### Use Defaults
	44
	45	```go
	46	// Get default configuration
	47	cfg := config.Default()
	48	```
	49
	50	## Configuration File Format
	51
	52	### Complete Example
	53
	54	```yaml
	55	# Server configuration
	56	server:
	57	# gRPC server address
	58	grpc_addr: ":50051"
	59
	60	# HTTP server address (for Connect and WebSocket)
	61	http_addr: ":8080"
	62
	63	# Public URL for reverse proxy deployments (optional)
	64	# Example: "relay.example.com"
	65	public_url: ""
	66
	67	# Read timeout for requests (optional)
	68	read_timeout: "30s"
	69
	70	# Write timeout for responses (optional)
	71	write_timeout: "30s"
	72
	73	# Database configuration
	74	database:
	75	# Path to SQLite database file
	76	path: "relay.db"
	77
	78	# Maximum number of open connections
	79	max_connections: 10
	80
	81	# Connection max lifetime
	82	max_lifetime: "1h"
	83
	84	# Authentication configuration
	85	auth:
	86	# Enable authentication
	87	enabled: false
	88
	89	# Require authentication for all requests
	90	# If false, authentication is optional (pubkey available if provided)
	91	required: false
	92
	93	# Timestamp window in seconds for replay protection
	94	timestamp_window: 60
	95
	96	# Allowed pubkeys (optional, whitelist)
	97	# If empty, all valid signatures are accepted
	98	allowed_pubkeys: []
	99
	100	# Skip authentication for these methods
	101	skip_methods:
	102	- "/grpc.health.v1.Health/Check"
	103
	104	# Rate limiting configuration
	105	rate_limit:
	106	# Enable rate limiting
	107	enabled: false
	108
	109	# Default rate limit (requests per second)
	110	default_rps: 10
	111
	112	# Default burst size (token bucket capacity)
	113	default_burst: 20
	114
	115	# Rate limit for unauthenticated users (per IP)
	116	ip_rps: 5
	117	ip_burst: 10
	118
	119	# Method-specific limits
	120	methods:
	121	"/nostr.v1.NostrRelay/PublishEvent":
	122	rps: 2
	123	burst: 5
	124	"/nostr.v1.NostrRelay/Subscribe":
	125	rps: 1
	126	burst: 3
	127
	128	# User-specific limits (VIP/premium users)
	129	users:
	130	"vip-pubkey-here":
	131	rps: 100
	132	burst: 200
	133
	134	# Skip rate limiting for these methods
	135	skip_methods:
	136	- "/grpc.health.v1.Health/Check"
	137
	138	# Skip rate limiting for these pubkeys (admins)
	139	skip_users: []
	140
	141	# Cleanup interval for idle limiters
	142	cleanup_interval: "5m"
	143
	144	# Max idle time before limiter is removed
	145	max_idle_time: "10m"
	146
	147	# Metrics configuration
	148	metrics:
	149	# Enable Prometheus metrics
	150	enabled: true
	151
	152	# Metrics HTTP server address
	153	addr: ":9090"
	154
	155	# Metrics path
	156	path: "/metrics"
	157
	158	# Namespace for metrics
	159	namespace: "muxstr"
	160
	161	# Subsystem for metrics
	162	subsystem: "relay"
	163
	164	# Logging configuration
	165	logging:
	166	# Log level: debug, info, warn, error
	167	level: "info"
	168
	169	# Log format: json, text
	170	format: "json"
	171
	172	# Output: stdout, stderr, or file path
	173	output: "stdout"
	174
	175	# Storage configuration
	176	storage:
	177	# Enable automatic compaction
	178	auto_compact: true
	179
	180	# Compact interval
	181	compact_interval: "24h"
	182
	183	# Maximum event age (0 = unlimited)
	184	max_event_age: "0"
	185	```
	186
	187	### Minimal Example
	188
	189	```yaml
	190	server:
	191	grpc_addr: ":50051"
	192	http_addr: ":8080"
	193
	194	database:
	195	path: "relay.db"
	196
	197	metrics:
	198	enabled: true
	199	addr: ":9090"
	200	```
	201
	202	## Environment Variables
	203
	204	All configuration values can be overridden with environment variables using the pattern:
	205
	206	```
	207	MUXSTR_<SECTION>_<SUBSECTION>_<KEY>=value
	208	```
	209
	210	Examples:
	211
	212	\| Config Path \| Environment Variable \|
	213	\|-------------\|---------------------\|
	214	\| `server.grpc_addr` \| `MUXSTR_SERVER_GRPC_ADDR` \|
	215	\| `database.path` \| `MUXSTR_DATABASE_PATH` \|
	216	\| `auth.required` \| `MUXSTR_AUTH_REQUIRED` \|
	217	\| `rate_limit.default_rps` \| `MUXSTR_RATE_LIMIT_DEFAULT_RPS` \|
	218	\| `metrics.enabled` \| `MUXSTR_METRICS_ENABLED` \|
	219
	220	Complex types:
	221
	222	```bash
	223	# Lists (comma-separated)
	224	export MUXSTR_AUTH_ALLOWED_PUBKEYS="pubkey1,pubkey2,pubkey3"
	225
	226	# Durations
	227	export MUXSTR_SERVER_READ_TIMEOUT="30s"
	228	export MUXSTR_DATABASE_MAX_LIFETIME="1h"
	229
	230	# Booleans
	231	export MUXSTR_AUTH_ENABLED=true
	232	export MUXSTR_METRICS_ENABLED=false
	233	```
	234
	235	## Validation
	236
	237	Configuration is validated on load:
	238
	239	```go
	240	cfg, err := config.Load("config.yaml")
	241	if err != nil {
	242	// Validation errors include detailed messages
	243	log.Fatalf("Invalid configuration: %v", err)
	244	}
	245	```
	246
	247	Validation checks:
	248	- Required fields are present
	249	- Addresses are valid (host:port format)
	250	- File paths are accessible
	251	- Numeric values are in valid ranges
	252	- Durations are parseable
	253
	254	## Default Values
	255
	256	If not specified, the following defaults are used:
	257
	258	```go
	259	Server:
	260	GrpcAddr: ":50051"
	261	HttpAddr: ":8080"
	262	ReadTimeout: 30s
	263	WriteTimeout: 30s
	264
	265	Database:
	266	Path: "relay.db"
	267	MaxConnections: 10
	268	MaxLifetime: 1h
	269
	270	Auth:
	271	Enabled: false
	272	Required: false
	273	TimestampWindow: 60
	274
	275	RateLimit:
	276	Enabled: false
	277	DefaultRPS: 10
	278	DefaultBurst: 20
	279	IPRPS: 5
	280	IPBurst: 10
	281	CleanupInterval: 5m
	282	MaxIdleTime: 10m
	283
	284	Metrics:
	285	Enabled: true
	286	Addr: ":9090"
	287	Path: "/metrics"
	288	Namespace: "muxstr"
	289	Subsystem: "relay"
	290
	291	Logging:
	292	Level: "info"
	293	Format: "json"
	294	Output: "stdout"
	295	```
	296
	297	## Configuration Precedence
	298
	299	Values are loaded in this order (later overrides earlier):
	300
	301	1. Defaults - Built-in default values
	302	2. Config file - Values from YAML file
	303	3. Environment variables - OS environment overrides
	304
	305	Example:
	306	```yaml
	307	# config.yaml
	308	server:
	309	grpc_addr: ":50051"
	310	```
	311
	312	```bash
	313	# Environment override
	314	export MUXSTR_SERVER_GRPC_ADDR=":9000"
	315
	316	# Result: gRPC listens on :9000 (env var wins)
	317	```
	318
	319	## Reloading Configuration
	320
	321	Configuration can be reloaded without restart (future feature):
	322
	323	```go
	324	// Watch for changes
	325	watcher, err := config.Watch("config.yaml")
	326	if err != nil {
	327	log.Fatal(err)
	328	}
	329
	330	for cfg := range watcher.Updates {
	331	// Apply new configuration
	332	updateServer(cfg)
	333	}
	334	```
	335
	336	## Best Practices
	337
	338	1. Use config files for static settings: Server addresses, paths, etc.
	339	2. Use env vars for deployment-specific settings: Secrets, environment-specific URLs
	340	3. Keep secrets out of config files: Use env vars or secret management
	341	4. Version control your config: Check in config.yaml (without secrets)
	342	5. Document custom settings: Add comments to config.yaml
	343	6. Validate in CI: Run `relay -config config.yaml -validate` in CI pipeline
	344	7. Use different configs per environment: `config.dev.yaml`, `config.prod.yaml`
	345
	346	## Example Configurations
	347
	348	### Development
	349
	350	```yaml
	351	server:
	352	grpc_addr: ":50051"
	353	http_addr: ":8080"
	354
	355	database:
	356	path: "relay-dev.db"
	357
	358	auth:
	359	enabled: false
	360
	361	rate_limit:
	362	enabled: false
	363
	364	metrics:
	365	enabled: true
	366	addr: ":9090"
	367
	368	logging:
	369	level: "debug"
	370	format: "text"
	371	```
	372
	373	### Production
	374
	375	```yaml
	376	server:
	377	grpc_addr: ":50051"
	378	http_addr: ":8080"
	379	public_url: "relay.example.com"
	380	read_timeout: "30s"
	381	write_timeout: "30s"
	382
	383	database:
	384	path: "/var/lib/muxstr/relay.db"
	385	max_connections: 50
	386
	387	auth:
	388	enabled: true
	389	required: false
	390	timestamp_window: 60
	391
	392	rate_limit:
	393	enabled: true
	394	default_rps: 10
	395	default_burst: 20
	396	methods:
	397	"/nostr.v1.NostrRelay/PublishEvent":
	398	rps: 2
	399	burst: 5
	400
	401	metrics:
	402	enabled: true
	403	addr: ":9090"
	404
	405	logging:
	406	level: "info"
	407	format: "json"
	408	output: "/var/log/muxstr/relay.log"
	409	```
	410
	411	### High-Performance
	412
	413	```yaml
	414	server:
	415	grpc_addr: ":50051"
	416	http_addr: ":8080"
	417
	418	database:
	419	path: "/mnt/fast-ssd/relay.db"
	420	max_connections: 100
	421	max_lifetime: "30m"
	422
	423	auth:
	424	enabled: true
	425	required: true
	426	timestamp_window: 30
	427
	428	rate_limit:
	429	enabled: true
	430	default_rps: 100
	431	default_burst: 200
	432
	433	metrics:
	434	enabled: true
	435	addr: ":9090"
	436
	437	logging:
	438	level: "warn"
	439	format: "json"
	440	```