···8989 address = mkOption {
9090 type = types.str;
9191 default = "ip:127.0.0.1:6314";
9292+ description = ''
9393+ Address to bind the server to.
9494+9595+ Use the 'ip:' prefix for an IP address (e.g. 'ip:127.0.0.1:6314'), or on
9696+ UNIX systems, the 'unix:' prefix for a UNIX socket path
9797+ (e.g. 'unix:/run/porxie.sock').
9898+ '';
9299 };
9310094101 authToken = mkOption {
95102 type = types.nullOr types.str;
96103 default = null;
104104+ description = ''
105105+ Bearer token for authenticating admin requests.
106106+107107+ When unset, all authenticated endpoints will reject requests with HTTP 401.
108108+ Should be set via {option}`environmentFiles` rather than directly.
109109+ '';
97110 };
98111 };
99112···101114 allowedMimetypes = mkOption {
102115 type = types.listOf types.str;
103116 default = [ "image/*" ];
117117+ description = ''
118118+ Blob mimetypes that can be served.
119119+120120+ Validation is done loosely via content inference. Further validation can be
121121+ done by a layer above this proxy, such as an image transformation service.
122122+ When inference fails, the blob's type falls back to
123123+ `application/octet-stream`. When that type is allowed, blobs failing
124124+ inference can still be served.
125125+ '';
104126 };
105127106128 maxSize = mkOption {
107129 type = types.str;
108130 default = "50mb";
131131+ description = ''
132132+ Maximum blob size that can be fetched and served.
133133+134134+ Blobs that exceed this limit will return HTTP 413. Setting this too high can
135135+ exhaust process or system memory. The minimum value is 512kb.
136136+ '';
109137 };
110138111139 cacheHeader = mkOption {
112140 type = types.str;
113141 default = "public, max-age=604800, must-revalidate, immutable";
142142+ description = ''
143143+ The Cache-Control header value to send alongside blob responses.
144144+145145+ This does not affect internal cache lifetimes, only how downstream clients
146146+ such as CDNs and browsers are instructed to cache responses. Intermediary
147147+ caches may need to be cleared manually for changes to take effect quickly.
148148+ '';
114149 };
115150116151 processingTimeout = mkOption {
117152 type = types.str;
118153 default = "1m";
154154+ description = ''
155155+ Maximum duration a blob can be processed by this server before aborting.
156156+ '';
119157 };
120158121159 httpTimeout = mkOption {
122160 type = types.str;
123161 default = "30s";
162162+ description = ''
163163+ Maximum duration before blob fetch requests are timed out.
164164+ '';
124165 };
125166126167 httpConnectTimeout = mkOption {
127168 type = types.str;
128169 default = "10s";
170170+ description = ''
171171+ Maximum duration before an attempted connection to a blob upstream is aborted.
172172+173173+ This value should be lower than {option}`settings.blob.httpTimeout`.
174174+ '';
129175 };
130176 };
131177···133179 plcUrl = mkOption {
134180 type = types.str;
135181 default = "https://plc.directory";
182182+ description = ''
183183+ URL of the PLC instance used for `did:plc` lookups.
184184+185185+ Can typically be left as default unless using a custom or local development
186186+ setup.
187187+ '';
136188 };
137189138190 httpTimeout = mkOption {
139191 type = types.str;
140192 default = "10s";
193193+ description = ''
194194+ Maximum duration before identity resolution requests are timed out.
195195+ '';
141196 };
142197143198 httpConnectTimeout = mkOption {
144199 type = types.str;
145200 default = "8s";
201201+ description = ''
202202+ Maximum duration before a connection attempt to an identity upstream is aborted.
203203+204204+ This value should be lower than {option}`settings.identity.httpTimeout`.
205205+ '';
146206 };
147207 };
148208···150210 allocation = mkOption {
151211 type = types.str;
152212 default = "512mb";
213213+ description = ''
214214+ Total memory allocation for the internal cache.
215215+216216+ Blobs are cached using an LFU policy. The most frequently requested blobs
217217+ are kept longest when the cache approaches its limit.
218218+219219+ For production deployments, a CDN or caching layer in front of this server
220220+ is recommended for lower latency and better global availability.
221221+222222+ Setting this too high can exhaust process or system memory. The minimum
223223+ value is 8mb.
224224+ '';
153225 };
154226155227 blobTti = mkOption {
156228 type = types.str;
157229 default = "7days";
230230+ description = ''
231231+ How long blobs can be idle in the cache before expiring.
232232+ '';
158233 };
159234160235 ownershipTtl = mkOption {
161236 type = types.str;
162237 default = "1day";
238238+ description = ''
239239+ How long blob ownership can be cached before expiring.
240240+ '';
163241 };
164242165243 policyTtl = mkOption {
166244 type = types.str;
167245 default = "1h";
246246+ description = ''
247247+ How long policy decisions can be cached before expiring.
248248+ '';
249249+ };
250250+251251+ identityTtl = mkOption {
252252+ type = types.str;
253253+ default = "1h";
254254+ description = ''
255255+ How long identity lookups (DID resolution, etc) can be cached before expiring.
256256+ '';
168257 };
169258 };
170259···172261 url = mkOption {
173262 type = types.nullOr types.str;
174263 default = null;
264264+ description = ''
265265+ Policy service URL that DID+CID pairs will be checked against.
266266+267267+ Requests are sent as HTTP GET <url>/<did>/<cid>.
268268+269269+ The service is expected to return HTTP 200 (OK) if permitted or HTTP 410
270270+ (GONE) if restricted.
271271+ '';
175272 };
176273177274 requestHeaders = mkOption {
178275 type = types.listOf types.str;
179276 default = [];
277277+ description = ''
278278+ Headers sent alongside all requests to the policy service.
279279+280280+ Each header must be in the format "Name: value". When setting via
281281+ environment variable, headers are pipe-separated (|).
282282+283283+ Should be set via {option}`environmentFiles` for sensitive values such as
284284+ API keys.
285285+ '';
180286 };
181287182288 failOpen = mkOption {
183289 type = types.bool;
184290 default = false;
291291+ description = ''
292292+ Allow requests to proceed if the policy service is unavailable or returns
293293+ an unexpected status code.
294294+295295+ Warning: enabling this means restricted blobs may be served when the
296296+ policy service is unreachable.
297297+ '';
185298 };
186299187300 httpTimeout = mkOption {
188301 type = types.str;
189302 default = "30s";
303303+ description = ''
304304+ Maximum duration before policy service requests are timed out.
305305+ '';
190306 };
191307192308 httpConnectTimeout = mkOption {
193309 type = types.str;
194310 default = "10s";
311311+ description = ''
312312+ Maximum duration before an attempted connection to the policy service is aborted.
313313+314314+ This value should be lower than {option}`settings.policy.httpTimeout`.
315315+ '';
195316 };
196317 };
197318 };
···236357 PORXIE_CACHE_BLOB_TTI = cfg.settings.cache.blobTti;
237358 PORXIE_CACHE_OWNERSHIP_TTL = cfg.settings.cache.ownershipTtl;
238359 PORXIE_CACHE_POLICY_TTL = cfg.settings.cache.policyTtl;
360360+ PORXIE_CACHE_IDENTITY_TTL = cfg.settings.cache.identityTtl;
239361 PORXIE_POLICY_URL = cfg.settings.policy.url;
240362 PORXIE_POLICY_REQUEST_HEADERS = if cfg.settings.policy.requestHeaders != [] then lib.concatStringsSep "|" cfg.settings.policy.requestHeaders else null;
241363 PORXIE_POLICY_FAIL_OPEN = if cfg.settings.policy.failOpen then "true" else null;