proxy-config.example.yaml

# Example configuration for the ethpandaops proxy server.
# The proxy holds datasource credentials and proxies requests from sandbox containers.
#
# Usage:
#   Local dev:  panda proxy -c proxy-config.yaml
#   Production: Deploy as a K8s service
#
# The MCP server connects to this proxy via its 'proxy.url' config.

server:
  # Address to listen on
  listen_addr: ":18081"

  # HTTP timeouts
  read_timeout: 30s
  write_timeout: 5m
  idle_timeout: 60s

auth:
  # Authentication mode:
  # - "none": No authentication (for local development only - DEFAULT)
  # - "oauth": Embedded GitHub-backed OAuth issuer hosted by panda-proxy
  # - "oidc": External OpenID Connect issuer (Dex, authentik, Keycloak, ...)
  mode: none  # Use 'oauth' or 'oidc' for hosted remote access

  # External URL used for OAuth metadata, callbacks, and token validation.
  # Required when mode is "oauth" or "oidc".
  # issuer_url: "https://proxy.example.com"

  # OIDC client identifier expected in bearer token audiences.
  # Required when mode is "oidc".
  # client_id: "panda-proxy"

  # GitHub OAuth app config (required when mode is "oauth")
  # github:
  #   client_id: "${GITHUB_CLIENT_ID}"
  #   client_secret: "${GITHUB_CLIENT_SECRET}"

  # Limit remote access to selected GitHub orgs
  # allowed_orgs:
  #   - ethpandaops
  #   - sigp

  # Proxy-issued bearer token signing key
  # tokens:
  #   secret_key: "${PROXY_TOKEN_SECRET}"

  # Proxy-issued token lifetimes
  # access_token_ttl: 1h
  # refresh_token_ttl: 720h

  # Customize the OAuth callback success page shown in the browser.
  # Rules are evaluated in order; the first match wins.
  # success_page:
  #   rules:
  #     - match:
  #         orgs: ["ethpandaops"]
  #         users: ["samcm", "mattevans"]
  #       media:
  #         type: ascii
  #         ascii_art_base64: "base64-encoded-art-here"
  #       tagline: "Enjoy debugging your devnet champ"
  #     - match:
  #         orgs: ["ethpandaops"]
  #       media:
  #         type: gif
  #         url: "https://example.com/cool.gif"
  #       tagline: "Enjoy debugging your devnet champ"
  #   default:
  #     tagline: "You can close this window and return to your terminal."

# ClickHouse clusters
clickhouse:
  - name: xatu
    description: "Main Xatu ClickHouse cluster"
    host: "${CLICKHOUSE_HOST}"
    port: 8443
    database: default
    username: "${CLICKHOUSE_USERNAME}"
    password: "${CLICKHOUSE_PASSWORD}"
    secure: true
    skip_verify: false
    timeout: 300
    # Restrict access to members of specific GitHub orgs.
    # Omit or leave empty to allow all authenticated users.
    # allowed_orgs:
    #   - ethpandaops

# Prometheus instances
prometheus:
  - name: primary
    description: "Primary Prometheus instance"
    url: "${PROMETHEUS_URL}"
    username: "${PROMETHEUS_USERNAME}"
    password: "${PROMETHEUS_PASSWORD}"
    # allowed_orgs:
    #   - ethpandaops

# Loki instances
loki:
  - name: primary
    description: "Primary Loki instance"
    url: "${LOKI_URL}"
    username: "${LOKI_USERNAME}"
    password: "${LOKI_PASSWORD}"
    # allowed_orgs:
    #   - ethpandaops

# Ethereum node API access (beacon and execution nodes)
# Single credential pair for all bn-*.srv.*.ethpandaops.io and rpc-*.srv.*.ethpandaops.io endpoints
# ethnode:
#   username: "${ETHPANDAOPS_ETHNODE_USERNAME}"
#   password: "${ETHPANDAOPS_ETHNODE_PASSWORD}"
#   allowed_orgs:
#     - ethpandaops

# Embedding API (optional — enables remote embedding for semantic search)
# embedding:
#   api_key: "${OPENROUTER_API_KEY}"
#   model: "openai/text-embedding-3-small"
#   cache:
#     backend: memory  # or "redis"
#     # redis_url: "redis://localhost:6379"

# Rate limiting
rate_limiting:
  enabled: true
  requests_per_minute: 60
  burst_size: 10

# Audit logging
audit:
  enabled: true

# Prometheus metrics
metrics:
  enabled: true
  listen_addr: "127.0.0.1:9090"
  port: 9090