88316e7017
Gives the daemon a public HTTPS hostname (`https://<random>.trycloudflare.com`)
so the in-browser player on torrentclaw.com plays cross-network without
Tailscale or port forwarding — the mixed-content block that was breaking
HTTPS-page → HTTP-daemon fetches is gone. Bytes proxy through CloudFlare,
never through TorrentClaw infra (preserves the aggregator legal posture).
New surface:
• `internal/funnel/` package: subprocess wrapper + auto-download for
cloudflared. Linux amd64/arm64/armhf/386 fetched from GitHub releases
on first run, validated by ELF magic + size sanity, O_EXCL partial
write so concurrent daemons don't clobber each other.
• `unarr funnel on/off/status` cobra command (sibling of `unarr vpn`).
• Daemon supervisor goroutine keeps cloudflared up across crashes + CF's
~6h Quick Tunnel rotation. Exponential backoff (2 s → 5 min). On exit
the reported URL is cleared so the web stops handing out a dead host.
• Wire: agent registers/syncs a FunnelURL field; web prefers it over
Tailscale/LAN for in-browser playback (HlsStreamPlayer + Stremio
addon).
Default ON for fresh installs (NAS/Docker get it without terminal-in);
existing configs that pre-date the feature stay off until the operator
opts in with `unarr funnel on`.
Docker image now bundles cloudflared (built per TARGETARCH via buildx).
Also fixed: libx264 'frame MB size > level limit' on anamorphic >16:9
sources. The level we hint to libx264 was derived from height alone,
which busted on 720p cinemascope (1728×720 = 4860 MBs > level 3.1's
3600). Bumped each tier: 720p → 4.0, 1080p → 4.1.
Version: 0.9.4 → 0.9.5.
61 lines
2 KiB
Docker
61 lines
2 KiB
Docker
# ---- Build stage ----
|
|
FROM golang:1.25-alpine AS builder
|
|
|
|
RUN apk add --no-cache git ca-certificates
|
|
|
|
WORKDIR /src
|
|
|
|
# Copy go.mod/go.sum first for layer caching
|
|
COPY go.mod go.sum ./
|
|
RUN go mod download
|
|
|
|
# Copy source
|
|
COPY . .
|
|
|
|
ARG VERSION=dev
|
|
RUN CGO_ENABLED=0 go build -ldflags="-s -w -X github.com/torrentclaw/unarr/internal/cmd.Version=${VERSION}" -trimpath -o /unarr ./cmd/unarr/
|
|
|
|
# ---- Runtime stage ----
|
|
FROM alpine:3.22
|
|
|
|
# Use Alpine's native musl ffmpeg + ffprobe instead of the johnvansickle /
|
|
# BtbN static glibc builds — those need a glibc shim on Alpine and the
|
|
# vector-math symbols the GPL builds reference are not satisfiable by
|
|
# gcompat. Alpine ships ffmpeg ~7.x which is fine for the HLS transcoding
|
|
# pipeline (libx264 + libfdk-aac alternatives included).
|
|
RUN apk upgrade --no-cache && \
|
|
apk add --no-cache ca-certificates tzdata ffmpeg wget
|
|
|
|
# Bundle cloudflared so `unarr funnel on` (default: on, see config defaults)
|
|
# Just Works on a headless container with no first-run network round-trip.
|
|
# TARGETARCH is set automatically by Docker buildx during cross-builds.
|
|
ARG TARGETARCH=amd64
|
|
RUN case "$TARGETARCH" in \
|
|
amd64) CF_ARCH=amd64 ;; \
|
|
arm64) CF_ARCH=arm64 ;; \
|
|
arm) CF_ARCH=armhf ;; \
|
|
*) echo "unsupported TARGETARCH=$TARGETARCH" >&2; exit 1 ;; \
|
|
esac && \
|
|
wget -qO /usr/local/bin/cloudflared "https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-$CF_ARCH" && \
|
|
chmod +x /usr/local/bin/cloudflared
|
|
|
|
# Non-root user (UID 1000 matches typical host user for volume permissions)
|
|
RUN addgroup -g 1000 unarr && adduser -u 1000 -G unarr -D -h /home/unarr unarr
|
|
|
|
# Default directories
|
|
RUN mkdir -p /config /downloads /data && \
|
|
chown -R unarr:unarr /config /downloads /data
|
|
|
|
USER unarr
|
|
|
|
COPY --from=builder /unarr /usr/local/bin/unarr
|
|
|
|
# Environment: point config/data to container paths
|
|
ENV UNARR_CONFIG_DIR=/config
|
|
ENV UNARR_DOWNLOAD_DIR=/downloads
|
|
ENV XDG_DATA_HOME=/data
|
|
|
|
VOLUME ["/config", "/downloads", "/data"]
|
|
|
|
ENTRYPOINT ["unarr"]
|
|
CMD ["start"]
|