Checkpoint/config/checkpoint.toml

# =============================================================================
# CHECKPOINT SECURITY CONFIGURATION
# =============================================================================
# This configuration controls the checkpoint security middleware that protects
# your services with proof-of-work challenges and token-based authentication.
# =============================================================================

# -----------------------------------------------------------------------------
# CORE SETTINGS
# -----------------------------------------------------------------------------
[Core]
# Enable or disable the checkpoint system entirely
Enabled = true

# Cookie name for storing checkpoint tokens
CookieName = "checkpoint_token"

# Cookie domain (empty = host-only cookie for localhost)
# Set to ".yourdomain.com" for all subdomains
CookieDomain = ""

# Enable URL path sanitization to prevent path traversal attacks
SanitizeURLs = true

# -----------------------------------------------------------------------------
# PROOF OF WORK SETTINGS
# -----------------------------------------------------------------------------
[ProofOfWork]
# Number of leading zeros required in the SHA-256 hash
Difficulty = 4

# Random salt length in bytes
SaltLength = 16

# Time allowed to solve a challenge before it expires
ChallengeExpiration = "3m"

# Maximum attempts per IP address per hour
MaxAttemptsPerHour = 10

# -----------------------------------------------------------------------------
# PROOF OF SPACE-TIME SETTINGS (Optional additional verification)
# -----------------------------------------------------------------------------
[ProofOfSpaceTime]
# Enable consistency checks for PoS-Time verification
Enabled = true

# Maximum allowed ratio between slowest and fastest PoS runs
ConsistencyRatio = 1.35

# -----------------------------------------------------------------------------
# TOKEN SETTINGS
# -----------------------------------------------------------------------------
[Token]
# How long tokens remain valid
Expiration = "24h"

# Maximum age for used nonces before cleanup
MaxNonceAge = "24h"

# -----------------------------------------------------------------------------
# STORAGE PATHS
# -----------------------------------------------------------------------------
[Storage]
# HMAC secret storage location
SecretPath = "./data/checkpoint_secret.json"

# Token database directory
TokenDBPath = "./db/tokenstore"

# Interstitial page templates (in order of preference)
InterstitialTemplates = [
  "/pages/interstitial/page.html",
  "/pages/ipfilter/default.html"
]

# -----------------------------------------------------------------------------
# EXCLUSION RULES
# -----------------------------------------------------------------------------
# Define which requests should bypass the checkpoint system.
# Each rule can specify:
#   - Path (required): URL path or prefix to match
#   - Hosts (optional): Specific hostnames this rule applies to
#   - UserAgents (optional): User-Agent patterns to match
# -----------------------------------------------------------------------------

[[Exclusion]]
# Skip checkpoint for all API endpoints (required for Immich and similar apps)
Path = "/api"
Hosts = ["gallery.caileb.com"]  # Optional: only for specific hosts

[[Exclusion]]
# Allows Git pushes w/ ForgeJo
Path = "/info/refs"
Hosts = ["git.caileb.com"]

# -----------------------------------------------------------------------------
# BYPASS KEYS
# -----------------------------------------------------------------------------
# Special keys that can bypass the checkpoint when provided

[[BypassKeys]]
# Query parameter bypass
Type = "query"
Key = "bypass_key"
Value = "your-secret-key-here"
Hosts = ["music.caileb.com"]  # Optional: restrict to specific hosts

[[BypassKeys]]
# Header bypass
Type = "header"
Key = "X-Bypass-Token"
Value = "another-secret-key"
# Hosts = []  # If empty or omitted, applies to all hosts