pkg-proxy/config.example.yaml
Andrew Nesbitt 1ad182782d
Add storage.direct_serve_base_url to override presigned URL host
When the proxy reaches storage at an internal address (127.0.0.1, a
Docker service name) the presigned URLs it generates point there too,
which is useless to external clients. This adds an optional base URL
that replaces the scheme and host of signed URLs before they're returned,
keeping the signed path and query intact.
2026-04-27 12:14:37 +01:00


# Proxy server configuration
# Copy to config.yaml and modify as needed

# Server listen address
# NOTE(review): the example value has no host part, which usually means
# "listen on every interface" - confirm for this proxy. Use an explicit host
# (constructed sample: "127.0.0.1:8080") when only local clients or a
# fronting reverse proxy should be able to connect.
listen: ":8080"

# Public URL where this proxy is accessible
# Used for rewriting package metadata URLs
# The example value is plain HTTP on localhost. Because this URL is written
# into the metadata that clients then follow, use an https:// URL for any
# deployment that is reachable beyond the local machine.
base_url: "http://localhost:8080"
# Artifact storage configuration
storage:
  # Storage backend URL
  # Supported schemes:
  #   - file:///path/to/dir - Local filesystem (default)
  #   - s3://bucket-name - Amazon S3
  #   - s3://bucket?endpoint=http://localhost:9000 - S3-compatible (MinIO)
  #
  # For S3, configure credentials via environment variables:
  #   AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION
  # Keeping the credentials in the environment keeps them out of this file.
  # The MinIO example endpoint is plain HTTP on localhost; use an https://
  # endpoint when the storage service is on another host.
  url: ""

  # Local filesystem path (used when url is empty)
  # Deprecated: Use url with file:// scheme instead
  path: "./cache/artifacts"

  # Maximum cache size (e.g., "10GB", "500MB")
  # When exceeded, least recently used artifacts are evicted
  # Empty or "0" means unlimited
  max_size: ""

  # Redirect cached artifact downloads to presigned storage URLs (HTTP 302)
  # instead of streaming through the proxy. Only effective for S3 and Azure.
  # Leave disabled if clients reach the proxy through an authenticating gateway,
  # since presigned URLs bypass it.
  # A presigned URL works for anyone who holds it until it expires, so it
  # should be handled like a short-lived credential (see direct_serve_ttl).
  direct_serve: false

  # How long presigned URLs remain valid (e.g. "5m", "1h"). Default: "15m".
  # Shorter values narrow the window in which a leaked or logged URL can be
  # replayed; pick the smallest TTL that still lets large downloads start.
  direct_serve_ttl: "15m"

  # Public base URL to substitute into presigned URLs. Set this when the
  # proxy reaches storage at an internal address (127.0.0.1, a Docker
  # service name) but clients must use a public hostname. Only scheme and
  # host are used; the signed path and query are preserved. For S3/MinIO
  # the reverse proxy at this address must forward requests with the
  # internal Host header or the SigV4 signature will not validate.
  # The signature travels in the query string, so this should be an https://
  # URL, and the reverse proxy's access logs will contain signed URLs.
  # direct_serve_base_url: "https://minio.example.com"
# Database configuration
database:
  # Database driver: "sqlite" (default) or "postgres"
  driver: "sqlite"

  # SQLite database file path (used when driver is "sqlite")
  path: "./cache/proxy.db"

  # PostgreSQL connection URL (used when driver is "postgres")
  # Example: "postgres://user:password@localhost:5432/proxy?sslmode=disable"
  # The example disables TLS (sslmode=disable), which is only reasonable for
  # a database on the same host; for a remote server use a verifying mode
  # such as sslmode=verify-full.
  # The URL carries the database password, so once it is filled in treat
  # config.yaml as a secret: restrict file permissions and keep it out of
  # version control.
  # NOTE(review): whether ${VAR_NAME} expansion applies to this field is not
  # shown here - confirm before relying on it.
  url: ""
# Logging configuration
log:
  # Minimum log level: "debug", "info", "warn", "error"
  # NOTE(review): before enabling "debug" in production, confirm that it does
  # not log upstream Authorization headers or presigned storage URLs.
  level: "info"

  # Log format: "text" or "json"
  format: "text"
# Upstream registry URLs and authentication
upstream:
  # npm registry URL
  npm: "https://registry.npmjs.org"

  # Cargo sparse index URL
  cargo: "https://index.crates.io"

  # Cargo crate download URL
  cargo_download: "https://static.crates.io/crates"

  # Authentication for upstream registries
  # Keys are URL prefixes matched against request URLs.
  # Values can reference environment variables using ${VAR_NAME} syntax.
  # Prefer ${VAR_NAME} references over literal tokens so this file never
  # holds a credential, and only use https:// prefixes so the credential is
  # not sent in cleartext.
  # NOTE(review): if matching is a plain string prefix, a key with no
  # trailing slash would also match a different host that merely starts with
  # the same characters (constructed sample:
  # "https://registry.npmjs.org.example.net") and the credential would be
  # sent there. Confirm the proxy matches on a host boundary, or end each
  # key with "/".
  #
  # Supported auth types:
  #   - bearer: Authorization header with Bearer token
  #   - basic: Authorization header with Basic auth (username:password)
  #   - header: Custom header name and value
  auth:
    # Example: npm with bearer token
    # "https://registry.npmjs.org":
    #   type: bearer
    #   token: "${NPM_TOKEN}"

    # Example: GitHub npm registry
    # "https://npm.pkg.github.com":
    #   type: bearer
    #   token: "${GITHUB_TOKEN}"

    # Example: PyPI with basic auth
    # "https://pypi.org":
    #   type: basic
    #   username: "__token__"
    #   password: "${PYPI_TOKEN}"

    # Example: Custom header for private registry
    # "https://maven.mycompany.com":
    #   type: header
    #   header_name: "X-Auth-Token"
    #   header_value: "${MAVEN_TOKEN}"
# Version cooldown configuration
# Hides package versions published too recently, giving the community time
# to spot malicious releases before they're pulled into projects.
# Supported durations: "7d" (days), "48h" (hours), "30m" (minutes), "0" (disabled)
# Every key below is commented out, so this example file sets no cooldown.
# NOTE(review): what the proxy does when none is set is not shown here;
# uncomment "default" to make the intended window explicit.
cooldown:
  # Global default cooldown for all ecosystems
  # default: "3d"

  # Per-ecosystem overrides
  # ecosystems:
  #   npm: "7d"
  #   cargo: "0"

  # Per-package overrides (keyed by PURL)
  # A "0" override removes the protection for that ecosystem or package
  # entirely, so keep such entries few and reviewed.
  # packages:
  #   "pkg:npm/lodash": "0"
  #   "pkg:npm/@babel/core": "14d"