config

func AddToPermanentBlacklist ¶

func AddToPermanentBlacklist(pubkey string) error

func AddToTemporaryBlacklist ¶

func AddToTemporaryBlacklist(pubkey string, blacklistConfig cfgType.BlacklistConfig) error

Adds a pubkey to the temporary blacklist

func CheckAndMigrateConfig ¶ added in v0.5.0

func CheckAndMigrateConfig(filename string) error

CheckAndMigrateConfig reads the raw YAML file and checks for outdated config formats (e.g., the old mongodb section from before the nostrdb migration). It prints warnings to stderr since this runs before loggers are initialized.

func CheckBlacklistCached ¶

func CheckBlacklistCached(pubkey, eventContent string) (bool, string)

CheckBlacklistCached uses cached pubkey lists and respects enabled state for validation

func CheckWhitelistCached ¶

func CheckWhitelistCached(evt nostr.Event) (bool, string)

CheckWhitelistCached uses cached pubkey lists and respects enabled state for validation

func ClearTemporaryBans ¶

func ClearTemporaryBans()

func ConfigPath ¶ added in v0.5.0

func ConfigPath(filename string) string

ConfigPath returns the full path for a file within the data directory.

func EnsureAllConfigFiles ¶ added in v0.4.1

func EnsureAllConfigFiles() error

EnsureAllConfigFiles creates all default config files from embedded examples if they don't exist. Files are created in the resolved data directory.

func FetchGroupedMuteListPubkeys ¶ added in v0.4.1

func FetchGroupedMuteListPubkeys(authors []string) (map[string][]string, error)

FetchGroupedMuteListPubkeys returns public `p`-tag pubkeys from each configured author's NIP-51 mute list events, grouped by author pubkey.

For each author, the fetch path is:

1. Look up the author's NIP-65 mailbox list (kind:10002) via the client library's connected index relays.
2. Target their outbox relays (write + both). If none are published or reachable, fall back to the relay's configured default client relays.
3. Subscribe for kinds 10000 and 30000 from that author.
4. Keep only the latest event per (kind, d-tag) — replaceable/addressable semantics — and for kind 30000 require `d:"mute"` (filtered here because the client library's Filter type does not currently serialize NIP-01 `#<tag>` tag filters in the REQ wire format).
5. Extract public `p`-tag pubkeys from the winning events.

Encrypted `.content` entries (NIP-44 primarily, NIP-04 fallback per NIP-51) are not decrypted by the relay — only public tag entries are applied.

func GetBlacklistConfig ¶

func GetBlacklistConfig() *cfgType.BlacklistConfig

GetBlacklistConfig returns the blacklist configuration.

func GetConfig ¶

func GetConfig() *cfgType.ServerConfig

GetConfig returns the server configuration.

func GetDataDir ¶ added in v0.5.0

func GetDataDir() string

GetDataDir returns the resolved data directory path.

func GetTemporaryBlacklist ¶

func GetTemporaryBlacklist() []map[string]interface{}

GetTemporaryBlacklist fetches all currently active temporary bans

func GetWhitelistConfig ¶

func GetWhitelistConfig() *cfgType.WhitelistConfig

GetWhitelistConfig returns the whitelist configuration.

func InitializePubkeyCache ¶

func InitializePubkeyCache()

InitializePubkeyCache starts the cache system with initial refresh and background updates

func IsIPBlocked ¶ added in v0.5.4

func IsIPBlocked(ip string) (bool, string)

IsIPBlocked returns (true, reason) if the given IP string matches any permanent CIDR or has an active temp ban. The reason is suitable for log attribution.

func IsKindWhitelisted ¶

func IsKindWhitelisted(kind int) bool

Check if a kind is whitelisted

func IsPubKeyWhitelistedCached ¶

func IsPubKeyWhitelistedCached(pubKey string, skipEnabledCheck bool) bool

IsPubKeyWhitelistedCached for purging operations - always uses cache regardless of enabled state

func LoadBlacklistConfig ¶

func LoadBlacklistConfig(filename string) (*cfgType.BlacklistConfig, error)

LoadBlacklistConfig loads the blacklist configuration from blacklist.yml.

func LoadConfig ¶

func LoadConfig(filename string) (*cfgType.ServerConfig, error)

Update your LoadConfig function to call this:

func LoadIPBlocklist ¶ added in v0.5.4

func LoadIPBlocklist(cfg cfgType.BlacklistConfig)

LoadIPBlocklist initialises the in-memory permanent prefix list from the admin-curated config and the on-disk sidecar. Safe to call multiple times — subsequent calls replace the in-memory state. Should be called once at startup, after SetDataDir.

func LoadWhitelistConfig ¶

func LoadWhitelistConfig(filename string) (*cfgType.WhitelistConfig, error)

LoadWhitelistConfig loads the whitelist configuration from whitelist.yml.

func ParsePermanentIPPrefixes ¶ added in v0.5.4

func ParsePermanentIPPrefixes(entries []string) []netip.Prefix

ParsePermanentIPPrefixes converts a slice of strings (CIDRs or bare IPs) into netip.Prefix values. Invalid entries are skipped with a WARN log. A bare IP becomes a /32 (IPv4) or /128 (IPv6) prefix.

func RecordIPRateViolation ¶ added in v0.5.4

func RecordIPRateViolation(ip string, cfg cfgType.BlacklistConfig)

RecordIPRateViolation is the auto-escalation hook. The connection rate limiter calls this on every per-IP rate-limit rejection. Behaviour depends on cfg.IPRateViolationThreshold and IPMaxTempBans: when violations cross the threshold a temp ban is issued; once temp bans for that IP exceed the max, the IP is promoted to permanent and persisted to the sidecar.

All thresholds <= 0 disable the corresponding stage. With everything at 0 this function is a no-op and the IP escalation pipeline is off.

func ResetBlacklistConfig ¶

func ResetBlacklistConfig()

ResetBlacklistConfig clears the existing blacklist configuration.

func ResetConfig ¶

func ResetConfig()

ResetConfig clears the existing server configuration.

func ResetIPBlocklistForTest ¶ added in v0.5.4

func ResetIPBlocklistForTest()

ResetIPBlocklistForTest clears all in-memory IP-blocklist state. Tests only — production code paths use LoadIPBlocklist.

func ResetWhitelistConfig ¶

func ResetWhitelistConfig()

ResetWhitelistConfig clears the existing whitelist configuration.

func SetDataDir ¶ added in v0.5.0

func SetDataDir(dir string)

SetDataDir sets the resolved data directory path for the application.

func SetEmbeddedExamples ¶ added in v0.4.1

func SetEmbeddedExamples(fs embed.FS)

SetEmbeddedExamples sets the embedded filesystem from main package

func SetRateLimit ¶

func SetRateLimit(cfg *cfgType.ServerConfig)

SetRateLimit stores the rate limit configuration for later per-client use.

func SetResourceLimit ¶

func SetResourceLimit(cfg *cfgType.ResourceLimits)

func SetSizeLimit ¶

func SetSizeLimit(cfg *cfgType.ServerConfig)

func SizeLimit ¶

func SizeLimit(sl *SizeLimiter)

func StartIPBlocklistSweeper ¶ added in v0.5.4

func StartIPBlocklistSweeper()

StartIPBlocklistSweeper kicks off the background goroutine that expires temp bans every minute. Idempotent at the call site only — don't call this more than once.

func SweepExpiredIPTempBans ¶ added in v0.5.4

func SweepExpiredIPTempBans()

SweepExpiredIPTempBans removes temp ban entries past their unbanTime. Caller is expected to schedule this periodically; see StartIPBlocklistSweeper for the canonical loop.

func ValidateAndApplyDefaults ¶ added in v0.5.0

func ValidateAndApplyDefaults(cfg *cfgType.ServerConfig) (warnings []string, err error)

ValidateAndApplyDefaults checks the config for zero-valued fields and applies sensible defaults. It returns a list of warnings for each default applied and an error if the config is truly broken.

func WatchConfigFile ¶

func WatchConfigFile(filePath string, restartChan chan<- struct{})