Initial commit (forced pushed a few times to get the basics worked out without a ton of commits)
austinwbest committed Oct 20, 2024
0 parents commit c357cfd
Showing 80 changed files with 13,471 additions and 0 deletions.
4 changes: 4 additions & 0 deletions .dockerignore
@@ -0,0 +1,4 @@
/Dockerfile
/LICENSE
/README.md
/.github
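Review bot: `.git` is missing from this ignore list, so the whole repository history is shipped to the daemon as build context; with `fetch-depth: '0'` in the workflow checkout that is the full history on every CI build. Since the Dockerfile only does `COPY root/ /`, nothing under `.git` is needed, so add `/.git` here.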
16 changes: 16 additions & 0 deletions .github/renovate.json
@@ -0,0 +1,16 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base",
"docker:enableMajor",
"default:automergeDigest"
],
"packageRules": [
{
"matchDatasources": ["docker"],
"matchPackageNames": ["ubuntu"],
"matchUpdateTypes": ["minor", "patch", "pin", "digest"],
"automerge": true
}
]
}
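Review bot: the `packageRules` entry only matches `"matchPackageNames": ["ubuntu"]`, but the Dockerfile's base image is `ghcr.io/linuxserver/baseimage-alpine-nginx:3.18`, so this rule never applies and the base image tag gets no explicit update policy. Either point the match at the linuxserver image or drop the rule; note that `default:automergeDigest` already automerges digest updates for every docker dependency regardless of this rule.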
81 changes: 81 additions & 0 deletions .github/workflows/docker-publish.yml
@@ -0,0 +1,81 @@
name: Docker

# This all came from github. I wrote none of it, but I did remove some bits that didn't work.

on:
push:
branches: [ "main" ]
# Publish semver tags as releases.
tags: [ 'v*.*.*' ]
pull_request:
branches: [ "main" ]

env:
# Use docker.io for Docker Hub if empty
REGISTRY: ghcr.io
# github.repository as <account>/<repo>
IMAGE_NAME: ${{ github.repository }}

jobs:
build:

runs-on: ubuntu-latest
permissions:
contents: read
packages: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
# we need the whole thing so we can count commits.
fetch-depth: '0'

- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: 'arm64'

# Workaround: https://github.com/docker/build-push-action/issues/461
- name: Setup Docker buildx
uses: docker/setup-buildx-action@v3

# Login against a Docker registry except on PR
# https://github.com/docker/login-action
- name: Log into registry ${{ env.REGISTRY }}
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

- name: More Docker metadata
run: |
echo BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:00Z) >> $GITHUB_ENV
echo COMMITS=$(git rev-list --count --all || echo 0) >> $GITHUB_ENV
# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
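Review bot: the `More Docker metadata` step writes `BUILD_DATE` and `COMMITS` to `$GITHUB_ENV`, but the `Build and push Docker image` step has no `build-args:` input and the Dockerfile declares no matching `ARG`, so neither value ever reaches the image; add `build-args: |` with `BUILD_DATE=${{ env.BUILD_DATE }}` and `COMMITS=${{ env.COMMITS }}` plus `ARG` lines in the Dockerfile, or drop the step together with the `fetch-depth: '0'` it exists for. Separately, `id-token: write` is granted for a sigstore/fulcio identity challenge, but no signing step survived the trimming mentioned in the header comment, so that permission can be removed to keep the job token minimal.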
1 change: 1 addition & 0 deletions .gitignore
@@ -0,0 +1 @@
/.vscode/*
25 changes: 25 additions & 0 deletions Dockerfile
@@ -0,0 +1,25 @@
# syntax=docker/dockerfile:1

FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.18

# install packages
RUN \
if [ -z ${NGINX_VERSION+x} ]; then \
NGINX_VERSION=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \
&& awk '/^P:nginx$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \
fi && \

apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community \
php82-pecl-mcrypt && \
echo "**** configure php-fpm to pass env vars ****" && \
sed -E -i 's/^;?clear_env ?=.*$/clear_env = no/g' /etc/php82/php-fpm.d/www.conf && \
grep -qxF 'clear_env = no' /etc/php82/php-fpm.d/www.conf || echo 'clear_env = no' >> /etc/php82/php-fpm.d/www.conf && \
echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" >> /etc/php82/php-fpm.conf

# add local files
COPY root/ /

# ports and volumes
EXPOSE 80 443

VOLUME /config
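Review bot: `clear_env = no` exports every environment variable of the container into each php-fpm worker, so anything passed via `environment:` in compose (tokens, keys, credentials) becomes readable from PHP; prefer keeping the default and listing only the variables the app needs with explicit `env[NAME] = $NAME` lines, as is already done for `PATH` in `php-fpm.conf`. The `NGINX_VERSION` block is also dead code: the value computed from APKINDEX is never used by the following `apk add`, and the tarball extracted into `/tmp` is left in the layer. Lastly, `php82-pecl-mcrypt` is pulled from `edge/community` onto a 3.18 base, which mixes repositories; a comment explaining why that extension is required would help, since mcrypt is unmaintained.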
106 changes: 106 additions & 0 deletions README.md
@@ -0,0 +1,106 @@
![Logo](root/app/www/public/images/logo-64.png)

# Starr Proxy

## Purpose

Provide access scoped apikeys & stop letting every 3rd party app and script have full access to your starr instance(s)!

Some apps only need one or two endpoints but have full access/control over everything, needlessly.

Access logs per app are generated so you can see everytime the app hits the proxy, allowed and rejected requests, etc

## App templates

There are some pre-built templates than enable just the api access the app actually needs so they are quick and easy to setup. More will be added in time for the common 3rd party apps.

## Automation

When the app is first opened, it checks for a `key` file in `/config` and if it is not present, it creates it with a 32 char apikey. Since automation will not open the UI this file will need to be created automatically as well. Create `/config/key` and add a 32 character key to it.

All internal api requests will authenticate with either:

```
Header: "X-Api-Key: <starrproxy-apikey>"
Parameter: "?apikey=<starrproxy-apikey>"
```

If you need to auto add starr apps and 3rd party apps you can do that via the api endpoint `/api/addstarr`. Send a curl `post` request to the starr proxy url with the json header and the payload below

``` json
{
"name": "notifiarr",
"starr": "radarr",
"url": "http://<starr-ip>:<starr-port>",
"apikey": "<starr-apikey>",
"template": "notifiarr"
}
```

The `template` variable is not required but if you do not use an existing template then the app will have no starr api access initially.

An example curl would be:

``` bash
curl -i -H "Content-Type:application/json" -d "{\"name\":\"notifiarr\",\"starr\":\"radarr\",\"url\":\"http://<starr-ip>:<starr-port>\",\"apikey\":\"<starr-apikey>\",\"template\":\"notifiarr\"}" "http://10.1.0.128:9090/api/addstarr?apikey=<starrproxy-apikey>"
```

Responses will be `json`

Success:

``` bash
{
"proxied-scope": "notifiarr's template access (25 endpoints)",
"proxied-url": "http://10.1.0.128:9090",
"proxied-key": "c54696c9a238336712454dc7aa088190"
}
```

Errors:

``` bash
{
"error": "Starr Proxy: no apikey provided"
"error": "Starr Proxy: provided apikey is not valid for internal api access"
"error": "Starr Proxy: missing required fields for addstarr endpoint. Optional: template | Required: name, starr, url, apikey"
"error": "Starr Proxy: invalid internal api route"
"error": "Starr Proxy: provided apikey is not valid or has no access"
"error": "Starr Proxy: name field is required, should be the name of the 3rd party app/script"
"error": "Starr Proxy: url field is required, should be the local url to the starr app"
"error": "Starr Proxy: apikey field is required, should be the apikey to the starr app"
"error": "Starr Proxy: starr field is required, should be one of: lidarr, radarr, readarr, sonarr, whisparr"
"error": "Starr Proxy: starr field is not valid, should be one of: lidarr, radarr, readarr, sonarr, whisparr"
"error": "Starr Proxy: could not connect to the starr app (radarr)"
"error": "Starr Proxy: requested template (fake-template) does not exist for radarr, provide a valid template or leave it blank"
"error": "Starr Proxy: provided apikey is missing access to /api/v3/movie"
"error": "Starr Proxy: provided apikey is missing access to /api/v3/movie using the post method"
}
```

## Compose example

``` yaml
services:
starrproxy:
container_name: starrproxy
image: ghcr.io/notifiarr/starrproxy:main
restart: unless-stopped
ports:
- 9090:80/tcp
environment:
- TZ=America/New_York
volumes:
- /volume1/data/docker/starrproxy/config:/config

```

## Screenshots

When viewing the access log for an allowed app, the bottom contains all the endpoints referenced in the log and if the app has access or not. Clicking the red x allows access.

![Usage](root/app/www/public/images/screenshots/endpointUsage.png)

Easily view apps, what they access, etc

![Apps](root/app/www/public/images/screenshots/apps.png)
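Review bot: the `Errors:` block is not valid JSON: it repeats the `error` key and has no separators between entries, so anyone copying it into a parser gets a failure; present it as a list of the possible `error` strings, one per line, and tag the success and error fences `json` rather than `bash`. Also, the curl example authenticates with `?apikey=<starrproxy-apikey>` in the URL, which ends up in nginx access logs, shell history and any intermediate proxy; since the header form is documented just above, use `-H "X-Api-Key: <starrproxy-apikey>"` in the example and describe the query parameter as the fallback.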