21e8f7490c
Reverts the NUMA_DATA_DIR env var added in the previous commit and replaces it with a [server] data_dir TOML field. Numa already has a well-developed config system; adding a parallel env-var mechanism for a single knob was wrong. The principle: TOML is for application behavior configuration. Env vars are for bootstrap values (HOME, SUDO_USER to discover paths before config loads) and standard ecosystem conventions (RUST_LOG). data_dir is neither — it's an app knob, so it belongs in the TOML. Changes: - lib.rs::data_dir() reverts to the platform-specific fallback only - config.rs adds `data_dir: Option<PathBuf>` to ServerConfig - main.rs resolves config.server.data_dir with fallback to numa::data_dir() and passes it to build_tls_config, then stores the resolved path on ctx.data_dir for downstream consumers - tls.rs::build_tls_config takes `data_dir: &Path` as an explicit parameter instead of calling crate::data_dir() behind the caller's back. regenerate_tls and dot.rs self_signed_tls now pass &ctx.data_dir, honoring whatever path the config resolved to - tests/integration.sh Suite 6 uses `data_dir = "$NUMA_DATA"` in its test TOML instead of the NUMA_DATA_DIR env var prefix - numa.toml gains a commented-out data_dir example No behavior change for existing production deployments (the default path is unchanged). Test harness is now fully config-driven, and containerized deploys can override data_dir via mount+config without needing env var injection. 127/127 unit tests pass, Suite 6 passes end-to-end. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
104 lines
4.0 KiB
TOML
104 lines
4.0 KiB
TOML
[server]
|
|
bind_addr = "0.0.0.0:53"
|
|
api_port = 5380
|
|
# api_bind_addr = "127.0.0.1" # default; set to "0.0.0.0" for LAN dashboard access
|
|
# data_dir = "/usr/local/var/numa" # where numa stores TLS CA and cert material
|
|
# (default: /usr/local/var/numa on unix,
|
|
# %PROGRAMDATA%\numa on windows). Override for
|
|
# containerized deploys or tests that can't
|
|
# write to the system path.
|
|
|
|
# [upstream]
|
|
# mode = "forward" # "forward" (default) — relay to upstream
|
|
# # "recursive" — resolve from root hints (no address needed)
|
|
# address = "https://dns.quad9.net/dns-query" # DNS-over-HTTPS (encrypted)
|
|
# address = "https://cloudflare-dns.com/dns-query" # Cloudflare DoH
|
|
# address = "9.9.9.9" # plain UDP
|
|
# port = 53 # only for forward mode, plain UDP
|
|
# timeout_ms = 3000
|
|
# root_hints = [ # only used in recursive mode
|
|
# "198.41.0.4", # a.root-servers.net (Verisign)
|
|
# "199.9.14.201", # b.root-servers.net (USC-ISI)
|
|
# "192.33.4.12", # c.root-servers.net (Cogent)
|
|
# "199.7.91.13", # d.root-servers.net (UMD)
|
|
# "192.203.230.10", # e.root-servers.net (NASA)
|
|
# "192.5.5.241", # f.root-servers.net (ISC)
|
|
# "192.112.36.4", # g.root-servers.net (US DoD)
|
|
# "198.97.190.53", # h.root-servers.net (US Army)
|
|
# "192.36.148.17", # i.root-servers.net (Netnod)
|
|
# "192.58.128.30", # j.root-servers.net (Verisign)
|
|
# "193.0.14.129", # k.root-servers.net (RIPE NCC)
|
|
# "199.7.83.42", # l.root-servers.net (ICANN)
|
|
# "202.12.27.33", # m.root-servers.net (WIDE)
|
|
# ]
|
|
# prime_tlds = [ # TLDs to pre-warm on startup (recursive mode)
|
|
# "com", "net", "org", "info", # gTLDs
|
|
# "io", "dev", "app", "xyz", "me",
|
|
# "eu", "uk", "de", "fr", "nl", # EU + European ccTLDs
|
|
# "it", "es", "pl", "se", "no",
|
|
# "dk", "fi", "at", "be", "ie",
|
|
# "pt", "cz", "ro", "gr", "hu",
|
|
# "bg", "hr", "sk", "si", "lt",
|
|
# "lv", "ee", "ch", "is",
|
|
# "co", "br", "au", "ca", "jp", # other major ccTLDs
|
|
# ]
|
|
|
|
# [blocking]
|
|
# enabled = true # set to false to disable ad blocking
|
|
# refresh_hours = 24
|
|
# lists = ["https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/hosts/pro.txt"]
|
|
# allowlist = ["example.com"] # domains to never block
|
|
|
|
[cache]
|
|
max_entries = 10000
|
|
min_ttl = 60
|
|
max_ttl = 86400
|
|
|
|
[proxy]
|
|
enabled = true
|
|
port = 80
|
|
tls_port = 443
|
|
tld = "numa"
|
|
# bind_addr = "127.0.0.1" # default; set to "0.0.0.0" for LAN access to .numa services
|
|
|
|
# Pre-configured services (numa.numa is always added automatically)
|
|
# [[services]]
|
|
# name = "frontend"
|
|
# target_port = 5173
|
|
#
|
|
# [[services]]
|
|
# name = "api"
|
|
# target_port = 8000
|
|
|
|
# Example zone records:
|
|
# [[zones]]
|
|
# domain = "dimescu.ro"
|
|
# record_type = "A"
|
|
# value = "3.120.139.105"
|
|
# ttl = 30
|
|
|
|
# [[zones]]
|
|
# domain = "test.local"
|
|
# record_type = "A"
|
|
# value = "127.0.0.1"
|
|
# ttl = 60
|
|
|
|
# DNSSEC signature validation (requires mode = "recursive")
|
|
# [dnssec]
|
|
# enabled = false # opt-in: verify chain of trust from root KSK
|
|
# strict = false # true = SERVFAIL on bogus signatures
|
|
|
|
# DNS-over-TLS listener (RFC 7858) — encrypted DNS on port 853
|
|
# [dot]
|
|
# enabled = false # opt-in: accept DoT queries
|
|
# port = 853 # standard DoT port
|
|
# bind_addr = "0.0.0.0" # IPv4 or IPv6; unspecified binds all interfaces
|
|
# cert_path = "/etc/numa/dot.crt" # PEM cert; omit to use self-signed (proxy CA if available)
|
|
# key_path = "/etc/numa/dot.key" # PEM private key; must be set together with cert_path
|
|
|
|
# LAN service discovery via mDNS (disabled by default — no network traffic unless enabled)
|
|
# [lan]
|
|
# enabled = true # discover other Numa instances via mDNS (_numa._tcp.local)
|
|
# broadcast_interval_secs = 30
|
|
# peer_timeout_secs = 90
|