-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Initial commit (forced pushed a few times to get the basics worked ou…
…t without a ton of commits)
- Loading branch information
0 parents
commit 7bb77ac
Showing
80 changed files
with
13,498 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
/Dockerfile | ||
/LICENSE | ||
/README.md | ||
/.github |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
{ | ||
"$schema": "https://docs.renovatebot.com/renovate-schema.json", | ||
"extends": [ | ||
"config:base", | ||
"docker:enableMajor", | ||
"default:automergeDigest" | ||
], | ||
"packageRules": [ | ||
{ | ||
"matchDatasources": ["docker"], | ||
"matchPackageNames": ["ubuntu"], | ||
"matchUpdateTypes": ["minor", "patch", "pin", "digest"], | ||
"automerge": true | ||
} | ||
] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
name: Docker | ||
|
||
# This all came from github. I wrote none of it, but I did remove some bits that didn't work. | ||
|
||
on: | ||
push: | ||
branches: [ "main" ] | ||
# Publish semver tags as releases. | ||
tags: [ 'v*.*.*' ] | ||
pull_request: | ||
branches: [ "main" ] | ||
|
||
env: | ||
# Use docker.io for Docker Hub if empty | ||
REGISTRY: ghcr.io | ||
# github.repository as <account>/<repo> | ||
IMAGE_NAME: ${{ github.repository }} | ||
|
||
jobs: | ||
build: | ||
|
||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
packages: write | ||
# This is used to complete the identity challenge | ||
# with sigstore/fulcio when running outside of PRs. | ||
id-token: write | ||
|
||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@v4 | ||
with: | ||
# we need the whole thing so we can count commits. | ||
fetch-depth: '0' | ||
|
||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@v3 | ||
with: | ||
platforms: 'arm64' | ||
|
||
# Workaround: https://github.com/docker/build-push-action/issues/461 | ||
- name: Setup Docker buildx | ||
uses: docker/setup-buildx-action@v3 | ||
|
||
# Login against a Docker registry except on PR | ||
# https://github.com/docker/login-action | ||
- name: Log into registry ${{ env.REGISTRY }} | ||
if: github.event_name != 'pull_request' | ||
uses: docker/login-action@v3 | ||
with: | ||
registry: ${{ env.REGISTRY }} | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
# Extract metadata (tags, labels) for Docker | ||
# https://github.com/docker/metadata-action | ||
- name: Extract Docker metadata | ||
id: meta | ||
uses: docker/metadata-action@v5 | ||
with: | ||
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | ||
|
||
- name: More Docker metadata | ||
run: | | ||
echo BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:00Z) >> $GITHUB_ENV | ||
echo COMMITS=$(git rev-list --count --all || echo 0) >> $GITHUB_ENV | ||
# Build and push Docker image with Buildx (don't push on PR) | ||
# https://github.com/docker/build-push-action | ||
- name: Build and push Docker image | ||
id: build-and-push | ||
uses: docker/build-push-action@v5 | ||
with: | ||
context: . | ||
platforms: linux/amd64,linux/arm64 | ||
push: ${{ github.event_name != 'pull_request' }} | ||
tags: ${{ steps.meta.outputs.tags }} | ||
labels: ${{ steps.meta.outputs.labels }} | ||
cache-from: type=gha | ||
cache-to: type=gha,mode=max |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
/.vscode/* |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
# syntax=docker/dockerfile:1 | ||
|
||
FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.18 | ||
|
||
# install packages | ||
RUN \ | ||
if [ -z ${NGINX_VERSION+x} ]; then \ | ||
NGINX_VERSION=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \ | ||
&& awk '/^P:nginx$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \ | ||
fi && \ | ||
|
||
apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community \ | ||
php82-pecl-mcrypt && \ | ||
echo "**** configure php-fpm to pass env vars ****" && \ | ||
sed -E -i 's/^;?clear_env ?=.*$/clear_env = no/g' /etc/php82/php-fpm.d/www.conf && \ | ||
grep -qxF 'clear_env = no' /etc/php82/php-fpm.d/www.conf || echo 'clear_env = no' >> /etc/php82/php-fpm.d/www.conf && \ | ||
echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" >> /etc/php82/php-fpm.conf | ||
|
||
# add local files | ||
COPY root/ / | ||
|
||
# ports and volumes | ||
EXPOSE 80 443 | ||
|
||
VOLUME /config |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,108 @@ | ||
![Logo](root/app/www/public/images/logo-64.png) | ||
|
||
# Starr Proxy | ||
|
||
## Note! | ||
|
||
This is still very much in development (mainly the templates) and being tested. There will be force pushes until the "base" code is stable and then a normal commit process will start. | ||
|
||
## Purpose | ||
|
||
Provide access scoped apikeys & stop letting every 3rd party app and script have full access to your starr instance(s)! | ||
|
||
Some apps only need one or two endpoints but have full access/control over everything, needlessly. | ||
|
||
Access logs per app are generated so you can see everytime the app hits the proxy, allowed and rejected requests, etc | ||
|
||
## App templates | ||
|
||
There are some pre-built templates than enable just the api access the app actually needs so they are quick and easy to setup. More will be added in time for the common 3rd party apps. | ||
|
||
## Automation | ||
|
||
When the app is first opened, it checks for a `key` file in `/config` and if it is not present, it creates it with a 32 char apikey. Since automation will not open the UI this file will need to be created automatically as well. Create `/config/key` and add a 32 character key to it. | ||
|
||
All internal api requests will authenticate with either: | ||
|
||
``` | ||
Header: "X-Api-Key: <starrproxy-apikey>" | ||
Parameter: "?apikey=<starrproxy-apikey>" | ||
``` | ||
|
||
If you need to auto add starr apps and 3rd party apps you can do that via the api endpoint `/api/addstarr`. Send a curl `post` request to the starr proxy url with the json header and the payload below | ||
|
||
``` json | ||
{ | ||
"name": "notifiarr", | ||
"starr": "radarr", | ||
"url": "http://<starr-ip>:<starr-port>", | ||
"apikey": "<starr-apikey>", | ||
"template": "notifiarr" | ||
} | ||
``` | ||
|
||
The `template` variable is not required but if you do not use an existing template then the app will have no starr api access initially. | ||
|
||
An example curl would be: | ||
|
||
``` bash | ||
curl -i -H "Content-Type:application/json" -d "{\"name\":\"notifiarr\",\"starr\":\"radarr\",\"url\":\"http://<starr-ip>:<starr-port>\",\"apikey\":\"<starr-apikey>\",\"template\":\"notifiarr\"}" "http://10.1.0.128:9090/api/addstarr?apikey=<starrproxy-apikey>" | ||
``` | ||
|
||
Responses will be `json` | ||
|
||
Success: | ||
|
||
``` json | ||
{ | ||
"proxied-scope": "notifiarr's template access (25 endpoints)", | ||
"proxied-url": "http://10.1.0.128:9090", | ||
"proxied-key": "c54696c9a238336712454dc7aa088190" | ||
} | ||
``` | ||
|
||
Errors: | ||
|
||
``` json | ||
{ | ||
"error": "Starr Proxy: no apikey provided" | ||
"error": "Starr Proxy: provided apikey is not valid for internal api access" | ||
"error": "Starr Proxy: missing required fields for addstarr endpoint. Optional: template | Required: name, starr, url, apikey" | ||
"error": "Starr Proxy: invalid internal api route" | ||
"error": "Starr Proxy: provided apikey is not valid or has no access" | ||
"error": "Starr Proxy: name field is required, should be the name of the 3rd party app/script" | ||
"error": "Starr Proxy: url field is required, should be the local url to the starr app" | ||
"error": "Starr Proxy: apikey field is required, should be the apikey to the starr app" | ||
"error": "Starr Proxy: starr field is required, should be one of: lidarr, radarr, readarr, sonarr, whisparr" | ||
"error": "Starr Proxy: starr field is not valid, should be one of: lidarr, radarr, readarr, sonarr, whisparr" | ||
"error": "Starr Proxy: could not connect to the starr app (radarr)" | ||
"error": "Starr Proxy: requested template (fake-template) does not exist for radarr, provide a valid template or leave it blank" | ||
} | ||
``` | ||
|
||
## Compose example | ||
|
||
``` yaml | ||
services: | ||
starrproxy: | ||
container_name: starrproxy | ||
image: ghcr.io/notifiarr/starrproxy:main | ||
restart: unless-stopped | ||
ports: | ||
- 9090:80/tcp | ||
environment: | ||
- TZ=America/New_York | ||
volumes: | ||
- /volume1/data/docker/starrproxy/config:/config | ||
|
||
``` | ||
|
||
## Screenshots | ||
|
||
When viewing the access log for an allowed app, the bottom contains all the endpoints referenced in the log and if the app has access or not. Clicking the red x allows access. | ||
|
||
![Usage](root/app/www/public/images/screenshots/endpointUsage.png) | ||
|
||
Easily view apps, what they access, etc | ||
|
||
![Apps](root/app/www/public/images/screenshots/apps.png) |
Oops, something went wrong.