unarr/Dockerfile

# ---- Build stage ----
FROM golang:1.25-alpine AS builder

RUN apk add --no-cache git ca-certificates

WORKDIR /src

# Copy go.mod/go.sum first for layer caching
COPY go.mod go.sum ./
RUN go mod download

# Copy source
COPY . .

ARG VERSION=dev
RUN CGO_ENABLED=0 go build -ldflags="-s -w -X github.com/torrentclaw/unarr/internal/cmd.Version=${VERSION}" -trimpath -o /unarr ./cmd/unarr/

# ---- Runtime stage ----
FROM alpine:3.22

# Use Alpine's native musl ffmpeg + ffprobe instead of the johnvansickle /
# BtbN static glibc builds — those need a glibc shim on Alpine and the
# vector-math symbols the GPL builds reference are not satisfiable by
# gcompat. Alpine ships ffmpeg ~7.x which is fine for the HLS transcoding
# pipeline (libx264 + libfdk-aac alternatives included).
RUN apk upgrade --no-cache && \
    apk add --no-cache ca-certificates tzdata ffmpeg wget

# Bundle cloudflared so `unarr funnel on` (default: on, see config defaults)
# Just Works on a headless container with no first-run network round-trip.
# TARGETARCH is set automatically by Docker buildx during cross-builds.
ARG TARGETARCH=amd64
RUN case "$TARGETARCH" in \
      amd64) CF_ARCH=amd64 ;; \
      arm64) CF_ARCH=arm64 ;; \
      arm)   CF_ARCH=armhf ;; \
      *)     echo "unsupported TARGETARCH=$TARGETARCH" >&2; exit 1 ;; \
    esac && \
    wget -qO /usr/local/bin/cloudflared "https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-$CF_ARCH" && \
    chmod +x /usr/local/bin/cloudflared

# Non-root user (UID 1000 matches typical host user for volume permissions)
RUN addgroup -g 1000 unarr && adduser -u 1000 -G unarr -D -h /home/unarr unarr

# Default directories
RUN mkdir -p /config /downloads /data && \
    chown -R unarr:unarr /config /downloads /data

USER unarr

COPY --from=builder /unarr /usr/local/bin/unarr

# Environment: point config/data to container paths
ENV UNARR_CONFIG_DIR=/config
ENV UNARR_DOWNLOAD_DIR=/downloads
ENV XDG_DATA_HOME=/data

VOLUME ["/config", "/downloads", "/data"]

ENTRYPOINT ["unarr"]
CMD ["start"]
feat: initial commit — unarr CLI Search, inspect, stream, and download torrents from the terminal. Replaces the entire *arr stack with a single binary. 2026-03-28 11:29:42 +01:00			`# ---- Build stage ----`
fix(docker): simplify Dockerfile for CI builds (no local go-client) 2026-03-30 14:30:20 +02:00			`FROM golang:1.25-alpine AS builder`
feat: initial commit — unarr CLI Search, inspect, stream, and download torrents from the terminal. Replaces the entire *arr stack with a single binary. 2026-03-28 11:29:42 +01:00
			`RUN apk add --no-cache git ca-certificates`

fix(docker): simplify Dockerfile for CI builds (no local go-client) 2026-03-30 14:30:20 +02:00			`WORKDIR /src`
feat: initial commit — unarr CLI Search, inspect, stream, and download torrents from the terminal. Replaces the entire *arr stack with a single binary. 2026-03-28 11:29:42 +01:00
			`# Copy go.mod/go.sum first for layer caching`
fix(docker): simplify Dockerfile for CI builds (no local go-client) 2026-03-30 14:30:20 +02:00			`COPY go.mod go.sum ./`
feat: initial commit — unarr CLI Search, inspect, stream, and download torrents from the terminal. Replaces the entire *arr stack with a single binary. 2026-03-28 11:29:42 +01:00			`RUN go mod download`

fix(docker): simplify Dockerfile for CI builds (no local go-client) 2026-03-30 14:30:20 +02:00			`# Copy source`
			`COPY . .`
feat: initial commit — unarr CLI Search, inspect, stream, and download torrents from the terminal. Replaces the entire *arr stack with a single binary. 2026-03-28 11:29:42 +01:00
fix(docker): simplify Dockerfile for CI builds (no local go-client) 2026-03-30 14:30:20 +02:00			`ARG VERSION=dev`
			`RUN CGO_ENABLED=0 go build -ldflags="-s -w -X github.com/torrentclaw/unarr/internal/cmd.Version=${VERSION}" -trimpath -o /unarr ./cmd/unarr/`
feat: initial commit — unarr CLI Search, inspect, stream, and download torrents from the terminal. Replaces the entire *arr stack with a single binary. 2026-03-28 11:29:42 +01:00
			`# ---- Runtime stage ----`
chore(deps): bump Alpine 3.21→3.22, update CI actions and linter - Dockerfile: alpine 3.21 → 3.22 (fewer CVEs per Docker Scout) - release.yml: actions/checkout v4→v6, setup-go v5→v6, setup-buildx v3→v4 - ci.yml: golangci-lint v2.11.3 → v2.11.4 - DOCKERHUB.md: update Alpine version reference 2026-03-31 11:39:45 +02:00			`FROM alpine:3.22`
feat: initial commit — unarr CLI Search, inspect, stream, and download torrents from the terminal. Replaces the entire *arr stack with a single binary. 2026-03-28 11:29:42 +01:00
feat(release): bundle ffmpeg + ffprobe in tarballs and Docker image Operators no longer have to install ffmpeg manually. Both the release tarballs (5 platforms × 2 binaries) and the Docker image now ship a working ffmpeg + ffprobe pair adjacent to the unarr binary; ResolveFFmpeg / ResolveFFprobe pick them up via the "adjacent to executable" branch with zero configuration. Tarball bundle (scripts/download-ffmpeg-static.sh + .goreleaser.yml): - ffbinaries.com (johnvansickle / Zeranoe-style static GPL builds) for linux-amd64, linux-arm64, darwin-amd64, windows-amd64 - evermeet.cx universal Mach-O for darwin-arm64 (ffbinaries lacks it) - BtbN/FFmpeg-Builds for windows-arm64 (ffbinaries lacks it) - Idempotent fetch with curl --retry 5 so transient github.com SSL errors don't fail the goreleaser before-hook - New `before.hooks` runs the script automatically per release; archive files glob `dist-ffbinaries/{{ .Os }}-{{ .Arch }}/*` + strip_parent - Migrated to non-deprecated `formats: [tar.gz]` / `formats: [zip]` - Verified via `goreleaser release --snapshot --clean --skip=publish` — 6 archives all carry ffmpeg + ffprobe (~60-130MB each) Docker image (Dockerfile): - Replaced the failing BtbN static glibc binaries with Alpine's native musl `apk add ffmpeg`. The static GPL builds need glibc + libmvec / libgcc_s; gcompat alone is not enough (vector-math symbols unresolved). Alpine ships ffmpeg 6.1.2 which is fine for the WebRTC transcoder. - Image size 174MB, built + ffmpeg/ffprobe/unarr smoke OK. Targets the v0.8 unarr release (per user direction — new feature, not a patch). dist-ffbinaries/ added to .gitignore. 2026-05-06 11:26:01 +02:00			`# Use Alpine's native musl ffmpeg + ffprobe instead of the johnvansickle /`
			`# BtbN static glibc builds — those need a glibc shim on Alpine and the`
			`# vector-math symbols the GPL builds reference are not satisfiable by`
feat(funnel): cloudflare quick tunnel embedded subprocess (0.9.5) Gives the daemon a public HTTPS hostname (`https://<random>.trycloudflare.com`) so the in-browser player on torrentclaw.com plays cross-network without Tailscale or port forwarding — the mixed-content block that was breaking HTTPS-page → HTTP-daemon fetches is gone. Bytes proxy through CloudFlare, never through TorrentClaw infra (preserves the aggregator legal posture). New surface: • `internal/funnel/` package: subprocess wrapper + auto-download for cloudflared. Linux amd64/arm64/armhf/386 fetched from GitHub releases on first run, validated by ELF magic + size sanity, O_EXCL partial write so concurrent daemons don't clobber each other. • `unarr funnel on/off/status` cobra command (sibling of `unarr vpn`). • Daemon supervisor goroutine keeps cloudflared up across crashes + CF's ~6h Quick Tunnel rotation. Exponential backoff (2 s → 5 min). On exit the reported URL is cleared so the web stops handing out a dead host. • Wire: agent registers/syncs a FunnelURL field; web prefers it over Tailscale/LAN for in-browser playback (HlsStreamPlayer + Stremio addon). Default ON for fresh installs (NAS/Docker get it without terminal-in); existing configs that pre-date the feature stay off until the operator opts in with `unarr funnel on`. Docker image now bundles cloudflared (built per TARGETARCH via buildx). Also fixed: libx264 'frame MB size > level limit' on anamorphic >16:9 sources. The level we hint to libx264 was derived from height alone, which busted on 720p cinemascope (1728×720 = 4860 MBs > level 3.1's 3600). Bumped each tier: 720p → 4.0, 1080p → 4.1. Version: 0.9.4 → 0.9.5. 2026-05-26 20:39:57 +02:00			`# gcompat. Alpine ships ffmpeg ~7.x which is fine for the HLS transcoding`
			`# pipeline (libx264 + libfdk-aac alternatives included).`
fix(docker): upgrade alpine packages to patch CVE-2025-60876 and CVE-2026-27171 2026-03-31 10:20:30 +02:00			`RUN apk upgrade --no-cache && \`
feat(funnel): cloudflare quick tunnel embedded subprocess (0.9.5) Gives the daemon a public HTTPS hostname (`https://<random>.trycloudflare.com`) so the in-browser player on torrentclaw.com plays cross-network without Tailscale or port forwarding — the mixed-content block that was breaking HTTPS-page → HTTP-daemon fetches is gone. Bytes proxy through CloudFlare, never through TorrentClaw infra (preserves the aggregator legal posture). New surface: • `internal/funnel/` package: subprocess wrapper + auto-download for cloudflared. Linux amd64/arm64/armhf/386 fetched from GitHub releases on first run, validated by ELF magic + size sanity, O_EXCL partial write so concurrent daemons don't clobber each other. • `unarr funnel on/off/status` cobra command (sibling of `unarr vpn`). • Daemon supervisor goroutine keeps cloudflared up across crashes + CF's ~6h Quick Tunnel rotation. Exponential backoff (2 s → 5 min). On exit the reported URL is cleared so the web stops handing out a dead host. • Wire: agent registers/syncs a FunnelURL field; web prefers it over Tailscale/LAN for in-browser playback (HlsStreamPlayer + Stremio addon). Default ON for fresh installs (NAS/Docker get it without terminal-in); existing configs that pre-date the feature stay off until the operator opts in with `unarr funnel on`. Docker image now bundles cloudflared (built per TARGETARCH via buildx). Also fixed: libx264 'frame MB size > level limit' on anamorphic >16:9 sources. The level we hint to libx264 was derived from height alone, which busted on 720p cinemascope (1728×720 = 4860 MBs > level 3.1's 3600). Bumped each tier: 720p → 4.0, 1080p → 4.1. Version: 0.9.4 → 0.9.5. 2026-05-26 20:39:57 +02:00			`apk add --no-cache ca-certificates tzdata ffmpeg wget`

			# Bundle cloudflared so `unarr funnel on` (default: on, see config defaults)
			`# Just Works on a headless container with no first-run network round-trip.`
			`# TARGETARCH is set automatically by Docker buildx during cross-builds.`
			`ARG TARGETARCH=amd64`
			`RUN case "$TARGETARCH" in \`
			`amd64) CF_ARCH=amd64 ;; \`
			`arm64) CF_ARCH=arm64 ;; \`
			`arm) CF_ARCH=armhf ;; \`
			`*) echo "unsupported TARGETARCH=$TARGETARCH" >&2; exit 1 ;; \`
			`esac && \`
			`wget -qO /usr/local/bin/cloudflared "https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-$CF_ARCH" && \`
			`chmod +x /usr/local/bin/cloudflared`
feat: initial commit — unarr CLI Search, inspect, stream, and download torrents from the terminal. Replaces the entire *arr stack with a single binary. 2026-03-28 11:29:42 +01:00
			`# Non-root user (UID 1000 matches typical host user for volume permissions)`
			`RUN addgroup -g 1000 unarr && adduser -u 1000 -G unarr -D -h /home/unarr unarr`

			`# Default directories`
			`RUN mkdir -p /config /downloads /data && \`
			`chown -R unarr:unarr /config /downloads /data`

			`USER unarr`

			`COPY --from=builder /unarr /usr/local/bin/unarr`

			`# Environment: point config/data to container paths`
			`ENV UNARR_CONFIG_DIR=/config`
			`ENV UNARR_DOWNLOAD_DIR=/downloads`
			`ENV XDG_DATA_HOME=/data`

			`VOLUME ["/config", "/downloads", "/data"]`

			`ENTRYPOINT ["unarr"]`
			`CMD ["start"]`