App Submission: Phantombot #1608

Draft
wants to merge 11 commits into base: master
Empty file added phantombot/data/.gitkeep
Empty file.
14 changes: 14 additions & 0 deletions phantombot/docker-compose.yml
@@ -0,0 +1,14 @@
services:
Contributor

Umbrel's app proxy service should be added here as the first service, which can then point to the phantombot_server_1 container and default port 25000. That way you can remove the port mapping in your server service and then PhantomBot will be running behind our transparent proxy and inherit the security properties of our umbrel auth:

firefox example to follow

services:
  app_proxy:
    environment:
      APP_HOST: firefox_server_1
      APP_PORT: 3000

  • By default, we only let requests through the proxy if the user already has a valid auth cookie from the Umbrel homescreen. So if the PhantomBot dashboard has no auth of its own, it will still be protected by ours. This gives a good UX because there's zero friction for Umbrel users... they can just access the dashboard without re-entering any credentials if they are already logged in to their Umbrel.
  • It also has the benefit of inheriting other security properties of Umbrel auth, such as 2FA if they have it enabled on their Umbrel. They would then get 2FA security for all apps behind the auth proxy too.
  • And then if you need to allow external connections to PhantomBot running on port 25000 (e.g., not to the UI but to the api or something), you can whitelist certain routes, so that the web UI is protected by auth, but something like /api/* isn't:

e.g., adding this env var to the proxy container

PROXY_AUTH_WHITELIST: "/api/*"
  • You can also disable the auth portion of the app proxy container entirely with this env var:
PROXY_AUTH_ADD: "false"

server:
image: ghcr.io/phantombot/phantombot:3.14.1.0@sha256:dbec9818e40f967ac5aee3abcac5a1857481cbbe6b35400f9a2fa8f1dc638df0
user: 0:900
Contributor

If possible, we want to avoid running services as root. I haven't looked at the phantombot Dockerfile to see how they build the image so we might be stuck with this. But we should check if it is possible to run this non-root as the umbrel user (1000:1000).

restart: on-failure
volumes:
- ${APP_DATA_DIR}/data:/opt/PhantomBot_data
ports:

Check notice on line 8 in phantombot/docker-compose.yml

GitHub Actions / Lint apps

External port mapping "${APP_PHANTOM_SERVER_PORT}:${APP_PHANTOM_SERVER_PORT}"

Port mappings may be unnecessary for the app to function correctly. Docker's internal DNS resolves container names to IP addresses within the same network. External access to the web interface is handled by the app_proxy container. Port mappings are only needed if external access is required to a port not proxied by the app_proxy, or if an app needs to expose multiple ports for its functionality (e.g., DHCP, DNS, P2P, etc.).
- "${APP_PHANTOM_SERVER_PORT}:${APP_PHANTOM_SERVER_PORT}"
Contributor

@nmfretz nmfretz Oct 28, 2024

This ports section can be removed entirely once the app proxy service is added

environment:
PHANTOMBOT_USEHTTPS: "true"
Contributor

I haven't tested this submission yet, but I'd imagine this forces the user to use https, so they'd click the app and go to https://umbrel.local:25000, is that right? If so they'll be met with the big scary insecure warning that we shouldn't be teaching the average umbrel user to just click through.

We can set this to false, so the user is accessing over http on their local network.

PHANTOMBOT_PANELUSER: umbrel
PHANTOMBOT_PANELPASSWORD: $APP_PASSWORD
PHANTOMBOT_BASEPORT: $APP_PHANTOM_SERVER_PORT
Contributor

@nmfretz nmfretz Oct 28, 2024

if this is the default port that phantombot runs on, then this can be removed entirely #1608 (comment)
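
Review bot: The `ports:` entry and the panel credentials in `environment:` should change together. While `"${APP_PHANTOM_SERVER_PORT}:${APP_PHANTOM_SERVER_PORT}"` is published on the host, `PHANTOMBOT_PANELUSER` and `PHANTOMBOT_PANELPASSWORD` are the only check in front of the dashboard, so remove the mapping in the same commit that adds `app_proxy` rather than as a follow-up. Minor style point in the same block: `$APP_PASSWORD` and `$APP_PHANTOM_SERVER_PORT` are unbraced while the volume and port lines use `${...}`; use one form throughout.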

1 change: 1 addition & 0 deletions phantombot/exports.sh
@@ -0,0 +1 @@
export APP_PHANTOM_SERVER_PORT="25000"
Contributor

If this is the default port, then this entire exports.sh should be removed for simplicity
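
Review bot: `APP_PHANTOM_SERVER_PORT` duplicates a value that umbrel-app.yml also hard-codes as `port: 25000` and in its description URLs, so changing the export alone would leave the manifest pointing at the old port. If the variable is kept, add a comment here saying the manifest must be updated with it; otherwise drop the file and use the default.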

36 changes: 36 additions & 0 deletions phantombot/umbrel-app.yml
@@ -0,0 +1,36 @@
manifestVersion: 1.1
id: phantombot
category: social
name: PhantomBot
version: "3.14.1.0"
tagline: PhantomBot is a Twitch chat bot powered by Java
icon: ""
Contributor

This entire icon line can be removed. We'll host the icon here: https://github.com/getumbrel/umbrel-apps-gallery

And the icon rendering logic in umbrelOS will grab the correct icon.

gallery: []
description: >-
PhantomBot is an actively developed open source interactive Twitch bot with a vibrant community that provides entertainment and moderation for your channel,
allowing you to focus on what matters the most to you - your game and your viewers.


🛠️ Set-Up Instructions
Required! If you don't perform the initial setup, you will encounter an error when connecting to the control panel!

1. Connect Your Twitch Account
Using the instructions on the page https://umbrel.local:25000/oauth/, create oauth app and connect your Twitch account.

2. Fill Chanel Configuration Fields
Complete the channel and owner fields on the configuration page https://umbrel.local:25000/setup/.

3. Log In
Done! You can log in to the control panel at https://umbrel.local:25000/panel/login using the default credentials.
Comment on lines +14 to +24
Contributor

Awesome work adding these!

If users can navigate to these links by clicking things within the UI, then I would suggest making these instructions more generic. For example, telling the user to "navigate to the oauth settings" instead of providing a specific link.

My reasoning here is that:

  1. These links may change in future app updates and it will be difficult to remember to update the app description

  2. It's possible that the user accesses their umbrel at a different hostname than umbrel.local. For example, they may access their umbrel via local IP address, or by Tailscale, or if they have multiple Umbrel devices they may be using umbrel-2.local

releaseNotes: ""
developer: PhantomBot
website: https://phantombot.dev
dependencies: []
repo: https://github.com/phantombot/PhantomBot
support: https://discord.com/invite/YKvMd78
port: 25000
path: ""
defaultUsername: "umbrel"
deterministicPassword: true
submitter: kriakiku
submission: https://github.com/getumbrel/umbrel-apps/pull/1608
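
Review bot: In the `description:` set-up steps, step 2 reads "Fill Chanel Configuration Fields"; that should be "Channel". The three step URLs also hard-code `https://` and `:25000`, so they stop matching the deployment if `PHANTOMBOT_USEHTTPS` is set to "false" or the port mapping is removed in favour of `app_proxy`. Step 3 says "default credentials" without naming them; refer to `defaultUsername: "umbrel"` and the deterministic app password so the user knows which login is meant.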