numa/numa.toml

[server]
bind_addr = "0.0.0.0:53"
api_port = 5380
# api_bind_addr = "127.0.0.1"  # default; set to "0.0.0.0" for LAN dashboard access
# data_dir = "/var/lib/numa"  # where numa stores TLS CA and cert material
                              # Defaults: /var/lib/numa on linux (FHS),
                              # /usr/local/var/numa on macos (homebrew prefix),
                              # %PROGRAMDATA%\numa on windows. Override for
                              # containerized deploys or tests that can't
                              # write to the system path.

# [upstream]
# mode = "forward"                              # "forward" (default) — relay to upstream
#                                               # "recursive" — resolve from root hints (no address needed)
# address = "9.9.9.9"                           # single upstream (plain UDP)
# address = ["192.168.1.1", "9.9.9.9:5353"]    # multiple upstreams — SRTT picks fastest
# address = "https://dns.quad9.net/dns-query"   # DNS-over-HTTPS (encrypted)
# fallback = ["8.8.8.8", "1.1.1.1"]            # tried only when all primaries fail
# port = 53                                     # default port for addresses without :port
# timeout_ms = 3000
# root_hints = [                                # only used in recursive mode
#     "198.41.0.4",      # a.root-servers.net (Verisign)
#     "199.9.14.201",    # b.root-servers.net (USC-ISI)
#     "192.33.4.12",     # c.root-servers.net (Cogent)
#     "199.7.91.13",     # d.root-servers.net (UMD)
#     "192.203.230.10",  # e.root-servers.net (NASA)
#     "192.5.5.241",     # f.root-servers.net (ISC)
#     "192.112.36.4",    # g.root-servers.net (US DoD)
#     "198.97.190.53",   # h.root-servers.net (US Army)
#     "192.36.148.17",   # i.root-servers.net (Netnod)
#     "192.58.128.30",   # j.root-servers.net (Verisign)
#     "193.0.14.129",    # k.root-servers.net (RIPE NCC)
#     "199.7.83.42",     # l.root-servers.net (ICANN)
#     "202.12.27.33",    # m.root-servers.net (WIDE)
# ]
# prime_tlds = [                                # TLDs to pre-warm on startup (recursive mode)
#     "com", "net", "org", "info",              # gTLDs
#     "io", "dev", "app", "xyz", "me",
#     "eu", "uk", "de", "fr", "nl",             # EU + European ccTLDs
#     "it", "es", "pl", "se", "no",
#     "dk", "fi", "at", "be", "ie",
#     "pt", "cz", "ro", "gr", "hu",
#     "bg", "hr", "sk", "si", "lt",
#     "lv", "ee", "ch", "is",
#     "co", "br", "au", "ca", "jp",             # other major ccTLDs
# ]

# [blocking]
# enabled = true               # set to false to disable ad blocking
# refresh_hours = 24
# lists = ["https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/hosts/pro.txt"]
# allowlist = ["example.com"]  # domains to never block

[cache]
max_entries = 10000
min_ttl = 60
max_ttl = 86400
# warm = ["google.com", "github.com"]  # resolve at startup, refresh before TTL expiry

[proxy]
enabled = true
port = 80
tls_port = 443
tld = "numa"
# bind_addr = "127.0.0.1"  # default; set to "0.0.0.0" for LAN access to .numa services

# Pre-configured services (numa.numa is always added automatically)
# [[services]]
# name = "frontend"
# target_port = 5173
#
# [[services]]
# name = "api"
# target_port = 8000

# Example zone records:
# [[zones]]
# domain = "dimescu.ro"
# record_type = "A"
# value = "3.120.139.105"
# ttl = 30

# [[zones]]
# domain = "test.local"
# record_type = "A"
# value = "127.0.0.1"
# ttl = 60

# DNSSEC signature validation (requires mode = "recursive")
# [dnssec]
# enabled = false             # opt-in: verify chain of trust from root KSK
# strict = false              # true = SERVFAIL on bogus signatures

# DNS-over-TLS listener (RFC 7858) — encrypted DNS on port 853
# [dot]
# enabled = false             # opt-in: accept DoT queries
# port = 853                  # standard DoT port
# bind_addr = "0.0.0.0"       # IPv4 or IPv6; unspecified binds all interfaces
# cert_path = "/etc/numa/dot.crt"  # PEM cert; omit to use self-signed (proxy CA if available)
# key_path = "/etc/numa/dot.key"   # PEM private key; must be set together with cert_path

# LAN service discovery via mDNS (disabled by default — no network traffic unless enabled)
# [lan]
# enabled = true              # discover other Numa instances via mDNS (_numa._tcp.local)
# broadcast_interval_secs = 30
# peer_timeout_secs = 90

# Mobile API — persistent HTTP listener serving read-only routes
# (/health, /ca.pem, /mobileconfig, /ca.mobileconfig) on a LAN-reachable
# port. Consumed by the iOS/Android companion apps for discovery and
# profile fetching, and by `numa setup-phone` for QR-based onboarding.
#
# Opt-in because the listener binds to the LAN by default. None of the
# exposed routes are cryptographically sensitive (no private keys, no
# state mutations, all idempotent GETs), but enabling it does add a new
# listener to any device on the LAN that scans port 8765.
#
# Safe for home LANs. Think twice before enabling on untrusted LANs
# (office Wi-Fi, coffee shops, etc.) — an attacker on the same network
# could run a competing Numa instance that shadows yours via mDNS and
# trick companion apps into installing their profile instead of yours.
[mobile]
enabled = true                # opt-in to the mobile API listener
# port = 8765                 # default; matches Discovery.swift defaultAPIPort
# bind_addr = "0.0.0.0"       # default; set to "127.0.0.1" for localhost-only