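# The address which the proxy can be reached at.
listenaddr: "localhost:8081"

# The root path of static content to serve upon receiving a request the proxy
# cannot handle.
staticroot: "./static"

# Should the static file server be enabled that serves files from the directory
# specified in `staticroot`?
servestatic: false

# The log level that should be used for the proxy.
#
# Valid options include: trace, debug, info, warn, error, critical, off.
debuglevel: "debug"

# Custom path to a config file.
configfile: "/path/to/your/aperture.yaml"

# Directory to place all of aperture's files in.
basedir: "/path/to/.aperture"

# Whether the proxy should create a valid certificate through Let's Encrypt for
# the fully qualified domain name given in `servername`.
autocert: false
servername: "aperture.example.com"

# Whether to listen on an insecure connection, disabling TLS for incoming
# connections.
insecure: false

# If TLS is terminated by a load balancer/ingress in front of aperture, make
# sure the load balancer's ALPN policy includes "h2". On AWS NLB, the default
# ALPN policy "None" does not negotiate ALPN and gRPC clients may fail with
# "missing selected ALPN property". With TCP passthrough, aperture negotiates
# ALPN directly.

# Whether we should verify the invoice status strictly or not. If set to true,
# then this requires all invoices to be read from disk at start up.
strictverify: false

# The number of invoices to fetch in a single request when interacting with LND.
invoicebatchsize: 100000

# The port on which the pprof profile will be served. If no port is provided,
# the profile will not be served. The profiler exposes runtime internals, so
# keep this port reachable from trusted networks only.
profile: 9999

# The maximum amount of time a connection may be idle before being closed.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
idletimeout: 2m

# The maximum amount of time to wait for a request to be fully read.
readtimeout: 15s

# The maximum amount of time to wait for a response to be fully written.
writetimeout: 30s

# Interval at which WebSocket-level pings are sent to connected clients. This
# keeps LNC connections alive through intermediary proxies and load balancers
# that may drop idle WebSocket connections. Set to 0 to disable.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
wspinginterval: 30s

# Duration to wait for a WebSocket pong response after sending a ping. If no
# pong is received within this duration, the connection is considered dead.
# Must be strictly less than wspinginterval.
wspongwait: 15s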
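# Settings for the lnd node used to generate payment requests. All of these
# options are required. The keys below must be indented under `authenticator`;
# at column 0 they would be read as unrelated top-level settings.
authenticator:
  ## Common fields.
  # The chain network the lnd is active on.
  network: "simnet"
  # Set to true to disable any auth. Intended for local testing only.
  disable: false

  ## Direct LND connection fields.
  # The host:port which lnd's RPC can be reached at.
  lndhost: "localhost:10009"
  # The path to lnd's TLS certificate.
  tlspath: "/path/to/lnd/tls.cert"
  # The path to lnd's macaroon directory.
  macdir: "/path/to/lnd/data/chain/bitcoin/simnet"

  ## LNC connection fields.
  # The LNC connection passphrase.
  # NOTE: The passphrase generates a secret for authenticating the LNC
  # connection. Once a passphrase has been utilized for a connection, it
  # cannot be reused in a different server/database.
  passphrase: "your pairing phrase"
  # The host:port of the mailbox server to be used.
  mailboxaddress: "mailbox.terminal.lightning.today:443"
  # Set to true to skip verification of the mailbox server's tls cert. Leave
  # false outside of development: skipping verification lets anyone on the
  # path impersonate the mailbox server.
  devserver: false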
# Enable the Payment HTTP Authentication Scheme (MPP) alongside L402.
# When enabled, 402 responses include both L402 and Payment challenges.
# enablempp: true
# Realm string used in MPP challenge headers. Defaults to the server's
# listen address.
# mpprealm: "api.example.com"
# Enable MPP session intent for prepaid sessions with deposit, bearer,
# top-up, and close operations. Requires enablempp to be true.
# enablesessions: true
# Number of service units per session deposit. Determines the deposit
# invoice amount as (service price * multiplier). Default: 20.
# sessiondepositmultiplier: 20
# Session idle timeout in seconds. Default: 300 (5 minutes).
# sessionidletimeout: 300
# Admin API configuration. Provides gRPC/REST endpoints for managing services,
# transactions, and tokens at runtime. Disabled by default.
# admin:
#   enabled: true
#   macaroonpath: "/path/to/aperture/data/admin.macaroon"
#   corsorigin:
#     - "https://dashboard.example.com"
# IP addresses that are denied access to the proxy.
blocklist:
  - "1.1.1.1"
  - "1.0.0.1"
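# The selected database backend. The current default backend is "sqlite".
# Aperture also has support for postgres and etcd.
dbbackend: "sqlite"

# Settings for the sqlite process which the proxy will use to reliably store and
# retrieve token information.
sqlite:
  # The full path to the database.
  dbfile: "/path/to/.aperture/aperture.db"
  # Skip applying migrations on startup.
  skipmigrations: false

# Settings for the postgres instance which the proxy will use to reliably store
# and retrieve token information.
postgres:
  # Connection parameters. The user and password below are placeholders;
  # real credentials belong outside of version control.
  host: "localhost"
  port: 5432
  user: "user"
  password: "password"
  dbname: "aperture"
  # Max open connections to keep alive to the database server.
  maxconnections: 25
  # Whether to require using SSL (mode: require) when connecting to the
  # server. Note the mixed-case key name; keep it as written.
  requireSSL: true
  # Skip applying migrations on startup.
  skipmigrations: false

# Settings for the etcd instance which the proxy will use to reliably store and
# retrieve token information.
etcd:
  # The client host:port which the etcd instance can be reached at.
  host: "localhost:2379"
  # If authentication is enabled, the user and password required to access the
  # etcd instance. The values below are placeholders.
  user: "user"
  password: "password"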
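# List of services that should be reachable behind the proxy. Requests will be
# matched to the services in order, picking the first that satisfies hostregexp
# and (if set) pathregexp. So order is important!
#
# Use single quotes for regular expressions with special characters in them to
# avoid YAML parsing errors!
services:
  # The identifying name of the service. This will also be used to identify
  # which capabilities caveat (if any) corresponds to the service.
  - name: "service1"
    # The regular expression used to match the service host. Note that an
    # unescaped `.` matches any character; use `\.` to match a literal dot.
    hostregexp: '^service1.com$'
    # The regular expression used to match the path of the URL.
    pathregexp: '^/.*$'
    # The host:port which the service can be reached at.
    address: "127.0.0.1:10009"
    # The HTTP protocol that should be used to connect to the service. Valid
    # options include: http, https.
    protocol: "https"
    # Payment auth scheme for this service. Valid values: "l402" (default),
    # "mpp" (Payment HTTP Auth only), or "l402+mpp" (both schemes).
    # authscheme: "l402"
    # Header fields to always pass to the service. Replace the placeholder
    # value with a real credential; do not commit secrets to version control.
    # headers:
    #   Authorization: "Bearer <your-api-key>"
    # Rewrite options allow prepending an absolute path prefix to every
    # request before it is forwarded to the backend.
    # rewrite:
    #   prefix: "/path/to/api"
    # If required, a path to the service's TLS certificate to successfully
    # establish a secure connection.
    tlscertpath: "path-to-optional-tls-cert/tls.cert"
    # A comma-delimited list of capabilities that will be granted for tokens of
    # the service at the base tier.
    capabilities: "add,subtract"
    # The set of constraints that are applied to tokens of the service at the
    # base tier.
    constraints:
      # This is just an example of how aperture could be extended
      # but would not have any effect without additional support added.
      "valid_until": 1682483169
    # a caveat will be added that expires the L402 after this many seconds,
    # 31557600 = 1 year.
    timeout: 31557600
    # The L402 value in satoshis for the service. It is ignored if
    # dynamicprice.enabled is set to true.
    price: 0
    # A list of regular expressions for path that are free of charge.
    authwhitelistpaths:
      - '^/freebieservice.*$'
    # A list of regular expressions for path that will skip invoice creation,
    # but still try to do the l402 authentication. This is useful for streaming
    # services, as they are not supported to be the initial request to receive
    # a L402.
    authskipinvoicecreationpaths:
      - '^/streamingservice.*$'
    # Optional per-endpoint rate limits using a token bucket algorithm.
    # Rate limiting is applied per L402 token ID (or IP address for
    # unauthenticated requests). All matching rules are evaluated; if any
    # rule denies the request, it is rejected.
    ratelimits:
      # Rate limit for general API endpoints.
      - pathregexp: '^/looprpc.SwapServer/LoopOutTerms.*$'
        # Number of requests allowed per time window. Must be provided and
        # positive.
        requests: 5
        # Time window duration (e.g., 1s, 1m, 1h). Must be provided and
        # positive.
        per: 1s
        # Maximum burst capacity. Must be positive if provided.
        burst: 100
      # Stricter rate limit for quote endpoints.
      - pathregexp: '^/looprpc.SwapServer/LoopOutQuote.*$'
        requests: 2
        per: 1s
        burst: 2
    # Options to use for connection to the price serving gRPC server.
    dynamicprice:
      # Whether or not a gRPC server is available to query price data from. If
      # this option is set to true then the 'price' option is ignored.
      enabled: true
      # The address of the gRPC pricer server.
      grpcaddress: "127.0.0.1:10010"
      # Set to true to disable TLS for communications with the gRPC server.
      insecure: false
      # The path to the pricer server's tls.cert. If the 'insecure' option is
      # set to true then this path must be set.
      # NOTE(review): the sentence above reads inverted (a certificate is only
      # used when TLS is on); confirm against the pricer client which setting
      # actually requires the path.
      tlscertpath: "path-to-pricer-server-tls-cert/tls.cert"

  # Minimal service definitions; only the matching, routing and constraint
  # fields are given here.
  - name: "service2"
    hostregexp: "service2.com:8083"
    pathregexp: '^/.*$'
    address: "123.456.789:8082"
    protocol: "https"
    constraints:
      "valid_until": "2020-01-01"
    price: 1

  - name: "service3"
    hostregexp: "service3.com:8083"
    pathregexp: '^/.*$'
    address: "123.456.789:8082"
    protocol: "https"
    constraints:
      "valid_until": "2020-01-01"
    dynamicprice:
      # Was misspelled `enbled`, which would have been silently ignored and
      # left dynamic pricing disabled for this service.
      enabled: true
      grpcaddress: "123.456.789:8083"
      insecure: false
      tlscertpath: "path-to-pricer-server-tls-cert/tls.cert"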
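# Settings for a Tor instance to allow requests over Tor as onion services.
# Configuring Tor is optional.
tor:
  # The host:port which Tor's control can be reached at.
  control: "localhost:9051"
  # The internal port we should listen on for client requests over Tor. Note
  # that this port should not be exposed to the outside world, it is only
  # intended to be reached by clients through the onion service.
  listenport: 8082
  # The port through which the onion services to be created can be reached at.
  virtualport: 8082
  # Whether a v3 onion service should be created to handle requests.
  v3: false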
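# Enable the Lightning Node Connect hashmail server, allowing up to 1k messages
# per burst and a new message every 20 milliseconds.
hashmail:
  enabled: true
  messagerate: 20ms
  messageburstallowance: 1000
  # The time after the last activity that a mailbox should be removed.
  # Set to -1s to disable. Valid time units are "ns", "us", "ms", "s", "m", "h".
  staletimeout: -1s # Example: 5m for 5 minutes, or -1s to disable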
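# Enable the prometheus metrics exporter so that a prometheus server can scrape
# the metrics.
prometheus:
  enabled: true
  # Bind address of the metrics endpoint; bound to localhost in this sample.
  listenaddr: "localhost:9000"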
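# Console and file logger settings.
logging:
  console:
    style: true
    disable: false
    # Quoted so that YAML 1.1 parsers do not read `off` as the boolean false.
    callsite: "off"
    notimestamps: true
    # Log level for console output.
    # Valid options include: trace, debug, info, warn, error, critical, off.
    level: "info"
  file:
    disable: false
    callsite: "long"
    # Log level for file output.
    # Valid options include: trace, debug, info, warn, error, critical, off.
    level: "info"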