unarr/Dockerfile

# ---- Build stage ----
# Pin the builder to the host's native arch and cross-compile (CGO is off, so
# Go cross-compiles trivially). During multi-arch buildx this keeps `go build`
# at native speed instead of compiling under QEMU emulation for the foreign arch.
FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS builder

RUN apk add --no-cache git ca-certificates

WORKDIR /src

# Copy go.mod/go.sum first for layer caching
COPY go.mod go.sum ./
RUN go mod download

# Copy source
COPY . .

ARG VERSION=dev
ARG TARGETOS
ARG TARGETARCH
RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -ldflags="-s -w -X github.com/torrentclaw/unarr/internal/cmd.Version=${VERSION}" -trimpath -o /unarr ./cmd/unarr/

# ---- Runtime stage ----
# glibc base (not Alpine/musl). NVIDIA's userspace — nvidia-smi and the
# libnvidia-encode / libcuda libs that `--gpus all` injects, plus the static
# BtbN ffmpeg that links nvenc — are all glibc ELF. On musl they fail with
# "no such file or directory" (missing glibc loader), so HW transcode is
# impossible on Alpine. bookworm-slim is the smallest base that runs the full
# NVIDIA stack while still falling back to software libx264 when no GPU is
# passed in.
FROM debian:bookworm-slim

# par2  → repair corrupted Usenet segments (without it a single bad segment
#         silently corrupts the output).
# 7z    → archive extractor for RAR/7z-packed downloads (p7zip-full also reads
#         RAR5, so unrar — unavailable as a free Debian package — isn't needed).
# tzdata/ca-certificates → TLS + correct local time for schedules/logs.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
      ca-certificates tzdata wget xz-utils par2 p7zip-full && \
    rm -rf /var/lib/apt/lists/*

# TARGETARCH is set automatically by Docker buildx during cross-builds.
ARG TARGETARCH=amd64

# Static GPL ffmpeg + ffprobe with nvenc compiled in (BtbN builds). nvenc is
# linked but the actual libnvidia-encode.so is dlopen'd at runtime from the
# host driver that `--gpus all` exposes — so the same binary does HW transcode
# when a GPU is present and falls back to libx264 when it isn't. Placed in
# /usr/local/bin so ResolveFFmpeg picks them up off PATH ahead of any distro
# ffmpeg. arm64 has no nvenc but the build still serves software transcode.
RUN case "$TARGETARCH" in \
      amd64) FF_ARCH=linux64 ;; \
      arm64) FF_ARCH=linuxarm64 ;; \
      *)     echo "unsupported TARGETARCH=$TARGETARCH" >&2; exit 1 ;; \
    esac && \
    wget -4 --tries=3 --timeout=30 -qO /tmp/ffmpeg.tar.xz "https://github.com/BtbN/FFmpeg-Builds/releases/download/latest/ffmpeg-master-latest-${FF_ARCH}-gpl.tar.xz" && \
    mkdir -p /tmp/ff && tar -xJf /tmp/ffmpeg.tar.xz -C /tmp/ff --strip-components=1 && \
    cp /tmp/ff/bin/ffmpeg /tmp/ff/bin/ffprobe /usr/local/bin/ && \
    chmod +x /usr/local/bin/ffmpeg /usr/local/bin/ffprobe && \
    rm -rf /tmp/ffmpeg.tar.xz /tmp/ff

# Bundle cloudflared so `unarr funnel on` (default: on, see config defaults)
# Just Works on a headless container with no first-run network round-trip.
RUN case "$TARGETARCH" in \
      amd64) CF_ARCH=amd64 ;; \
      arm64) CF_ARCH=arm64 ;; \
      arm)   CF_ARCH=armhf ;; \
      *)     echo "unsupported TARGETARCH=$TARGETARCH" >&2; exit 1 ;; \
    esac && \
    wget -4 --tries=3 --timeout=30 -qO /usr/local/bin/cloudflared "https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-$CF_ARCH" && \
    chmod +x /usr/local/bin/cloudflared

# Non-root user (UID 1000 matches typical host user for volume permissions)
RUN groupadd -g 1000 unarr && useradd -u 1000 -g 1000 -m -d /home/unarr unarr

# Default directories
RUN mkdir -p /config /downloads /data && \
    chown -R unarr:unarr /config /downloads /data

USER unarr

COPY --from=builder /unarr /usr/local/bin/unarr

# Environment: point config/data to container paths
ENV UNARR_CONFIG_DIR=/config
ENV UNARR_DOWNLOAD_DIR=/downloads
ENV XDG_DATA_HOME=/data

# NVIDIA passthrough defaults. `--gpus all` alone only grants the "utility" +
# "compute" capabilities; nvenc needs "video". Baking these here means a plain
# `docker run --gpus all` (or the compose device reservation) lights up HW
# transcode with zero extra flags. Harmless when no GPU is attached.
ENV NVIDIA_VISIBLE_DEVICES=all
ENV NVIDIA_DRIVER_CAPABILITIES=video,compute,utility

VOLUME ["/config", "/downloads", "/data"]

ENTRYPOINT ["unarr"]
CMD ["start"]
feat: initial commit — unarr CLI Search, inspect, stream, and download torrents from the terminal. Replaces the entire *arr stack with a single binary. 2026-03-28 11:29:42 +01:00			`# ---- Build stage ----`
feat(docker): glibc base with nvenc ffmpeg + par2/7z extractors Alpine/musl can't run NVIDIA's glibc userspace (nvidia-smi, libnvidia-encode, the static nvenc ffmpeg), so HW transcode was impossible — every 4K/anamorphic HLS encode fell back to software or failed. Switch the runtime stage to debian:bookworm-slim + a static BtbN ffmpeg built with nvenc, add par2 (Usenet segment repair) + 7z (RAR/7z extraction), and set NVIDIA_DRIVER_CAPABILITIES=video,compute,utility so a plain --gpus all (or the compose device reservation) lights up nvenc with no extra flags. Falls back to libx264 automatically when no GPU is attached. Build stage cross-compiles (--platform=BUILDPLATFORM) so multi-arch stays fast; downloads forced over IPv4. 2026-06-01 19:36:41 +02:00			`# Pin the builder to the host's native arch and cross-compile (CGO is off, so`
			# Go cross-compiles trivially). During multi-arch buildx this keeps `go build`
			`# at native speed instead of compiling under QEMU emulation for the foreign arch.`
			`FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS builder`
feat: initial commit — unarr CLI Search, inspect, stream, and download torrents from the terminal. Replaces the entire *arr stack with a single binary. 2026-03-28 11:29:42 +01:00
			`RUN apk add --no-cache git ca-certificates`

fix(docker): simplify Dockerfile for CI builds (no local go-client) 2026-03-30 14:30:20 +02:00			`WORKDIR /src`
feat: initial commit — unarr CLI Search, inspect, stream, and download torrents from the terminal. Replaces the entire *arr stack with a single binary. 2026-03-28 11:29:42 +01:00
			`# Copy go.mod/go.sum first for layer caching`
fix(docker): simplify Dockerfile for CI builds (no local go-client) 2026-03-30 14:30:20 +02:00			`COPY go.mod go.sum ./`
feat: initial commit — unarr CLI Search, inspect, stream, and download torrents from the terminal. Replaces the entire *arr stack with a single binary. 2026-03-28 11:29:42 +01:00			`RUN go mod download`

fix(docker): simplify Dockerfile for CI builds (no local go-client) 2026-03-30 14:30:20 +02:00			`# Copy source`
			`COPY . .`
feat: initial commit — unarr CLI Search, inspect, stream, and download torrents from the terminal. Replaces the entire *arr stack with a single binary. 2026-03-28 11:29:42 +01:00
fix(docker): simplify Dockerfile for CI builds (no local go-client) 2026-03-30 14:30:20 +02:00			`ARG VERSION=dev`
feat(docker): glibc base with nvenc ffmpeg + par2/7z extractors Alpine/musl can't run NVIDIA's glibc userspace (nvidia-smi, libnvidia-encode, the static nvenc ffmpeg), so HW transcode was impossible — every 4K/anamorphic HLS encode fell back to software or failed. Switch the runtime stage to debian:bookworm-slim + a static BtbN ffmpeg built with nvenc, add par2 (Usenet segment repair) + 7z (RAR/7z extraction), and set NVIDIA_DRIVER_CAPABILITIES=video,compute,utility so a plain --gpus all (or the compose device reservation) lights up nvenc with no extra flags. Falls back to libx264 automatically when no GPU is attached. Build stage cross-compiles (--platform=BUILDPLATFORM) so multi-arch stays fast; downloads forced over IPv4. 2026-06-01 19:36:41 +02:00			`ARG TARGETOS`
			`ARG TARGETARCH`
			`RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -ldflags="-s -w -X github.com/torrentclaw/unarr/internal/cmd.Version=${VERSION}" -trimpath -o /unarr ./cmd/unarr/`
feat: initial commit — unarr CLI Search, inspect, stream, and download torrents from the terminal. Replaces the entire *arr stack with a single binary. 2026-03-28 11:29:42 +01:00
			`# ---- Runtime stage ----`
feat(docker): glibc base with nvenc ffmpeg + par2/7z extractors Alpine/musl can't run NVIDIA's glibc userspace (nvidia-smi, libnvidia-encode, the static nvenc ffmpeg), so HW transcode was impossible — every 4K/anamorphic HLS encode fell back to software or failed. Switch the runtime stage to debian:bookworm-slim + a static BtbN ffmpeg built with nvenc, add par2 (Usenet segment repair) + 7z (RAR/7z extraction), and set NVIDIA_DRIVER_CAPABILITIES=video,compute,utility so a plain --gpus all (or the compose device reservation) lights up nvenc with no extra flags. Falls back to libx264 automatically when no GPU is attached. Build stage cross-compiles (--platform=BUILDPLATFORM) so multi-arch stays fast; downloads forced over IPv4. 2026-06-01 19:36:41 +02:00			`# glibc base (not Alpine/musl). NVIDIA's userspace — nvidia-smi and the`
			# libnvidia-encode / libcuda libs that `--gpus all` injects, plus the static
			`# BtbN ffmpeg that links nvenc — are all glibc ELF. On musl they fail with`
			`# "no such file or directory" (missing glibc loader), so HW transcode is`
			`# impossible on Alpine. bookworm-slim is the smallest base that runs the full`
			`# NVIDIA stack while still falling back to software libx264 when no GPU is`
			`# passed in.`
			`FROM debian:bookworm-slim`
feat: initial commit — unarr CLI Search, inspect, stream, and download torrents from the terminal. Replaces the entire *arr stack with a single binary. 2026-03-28 11:29:42 +01:00
feat(docker): glibc base with nvenc ffmpeg + par2/7z extractors Alpine/musl can't run NVIDIA's glibc userspace (nvidia-smi, libnvidia-encode, the static nvenc ffmpeg), so HW transcode was impossible — every 4K/anamorphic HLS encode fell back to software or failed. Switch the runtime stage to debian:bookworm-slim + a static BtbN ffmpeg built with nvenc, add par2 (Usenet segment repair) + 7z (RAR/7z extraction), and set NVIDIA_DRIVER_CAPABILITIES=video,compute,utility so a plain --gpus all (or the compose device reservation) lights up nvenc with no extra flags. Falls back to libx264 automatically when no GPU is attached. Build stage cross-compiles (--platform=BUILDPLATFORM) so multi-arch stays fast; downloads forced over IPv4. 2026-06-01 19:36:41 +02:00			`# par2 → repair corrupted Usenet segments (without it a single bad segment`
			`# silently corrupts the output).`
			`# 7z → archive extractor for RAR/7z-packed downloads (p7zip-full also reads`
			`# RAR5, so unrar — unavailable as a free Debian package — isn't needed).`
			`# tzdata/ca-certificates → TLS + correct local time for schedules/logs.`
			`RUN apt-get update && \`
			`apt-get install -y --no-install-recommends \`
			`ca-certificates tzdata wget xz-utils par2 p7zip-full && \`
			`rm -rf /var/lib/apt/lists/*`
feat(funnel): cloudflare quick tunnel embedded subprocess (0.9.5) Gives the daemon a public HTTPS hostname (`https://<random>.trycloudflare.com`) so the in-browser player on torrentclaw.com plays cross-network without Tailscale or port forwarding — the mixed-content block that was breaking HTTPS-page → HTTP-daemon fetches is gone. Bytes proxy through CloudFlare, never through TorrentClaw infra (preserves the aggregator legal posture). New surface: • `internal/funnel/` package: subprocess wrapper + auto-download for cloudflared. Linux amd64/arm64/armhf/386 fetched from GitHub releases on first run, validated by ELF magic + size sanity, O_EXCL partial write so concurrent daemons don't clobber each other. • `unarr funnel on/off/status` cobra command (sibling of `unarr vpn`). • Daemon supervisor goroutine keeps cloudflared up across crashes + CF's ~6h Quick Tunnel rotation. Exponential backoff (2 s → 5 min). On exit the reported URL is cleared so the web stops handing out a dead host. • Wire: agent registers/syncs a FunnelURL field; web prefers it over Tailscale/LAN for in-browser playback (HlsStreamPlayer + Stremio addon). Default ON for fresh installs (NAS/Docker get it without terminal-in); existing configs that pre-date the feature stay off until the operator opts in with `unarr funnel on`. Docker image now bundles cloudflared (built per TARGETARCH via buildx). Also fixed: libx264 'frame MB size > level limit' on anamorphic >16:9 sources. The level we hint to libx264 was derived from height alone, which busted on 720p cinemascope (1728×720 = 4860 MBs > level 3.1's 3600). Bumped each tier: 720p → 4.0, 1080p → 4.1. Version: 0.9.4 → 0.9.5. 2026-05-26 20:39:57 +02:00
			`# TARGETARCH is set automatically by Docker buildx during cross-builds.`
			`ARG TARGETARCH=amd64`
feat(docker): glibc base with nvenc ffmpeg + par2/7z extractors Alpine/musl can't run NVIDIA's glibc userspace (nvidia-smi, libnvidia-encode, the static nvenc ffmpeg), so HW transcode was impossible — every 4K/anamorphic HLS encode fell back to software or failed. Switch the runtime stage to debian:bookworm-slim + a static BtbN ffmpeg built with nvenc, add par2 (Usenet segment repair) + 7z (RAR/7z extraction), and set NVIDIA_DRIVER_CAPABILITIES=video,compute,utility so a plain --gpus all (or the compose device reservation) lights up nvenc with no extra flags. Falls back to libx264 automatically when no GPU is attached. Build stage cross-compiles (--platform=BUILDPLATFORM) so multi-arch stays fast; downloads forced over IPv4. 2026-06-01 19:36:41 +02:00
			`# Static GPL ffmpeg + ffprobe with nvenc compiled in (BtbN builds). nvenc is`
			`# linked but the actual libnvidia-encode.so is dlopen'd at runtime from the`
			# host driver that `--gpus all` exposes — so the same binary does HW transcode
			`# when a GPU is present and falls back to libx264 when it isn't. Placed in`
			`# /usr/local/bin so ResolveFFmpeg picks them up off PATH ahead of any distro`
			`# ffmpeg. arm64 has no nvenc but the build still serves software transcode.`
			`RUN case "$TARGETARCH" in \`
			`amd64) FF_ARCH=linux64 ;; \`
			`arm64) FF_ARCH=linuxarm64 ;; \`
			`*) echo "unsupported TARGETARCH=$TARGETARCH" >&2; exit 1 ;; \`
			`esac && \`
			`wget -4 --tries=3 --timeout=30 -qO /tmp/ffmpeg.tar.xz "https://github.com/BtbN/FFmpeg-Builds/releases/download/latest/ffmpeg-master-latest-${FF_ARCH}-gpl.tar.xz" && \`
			`mkdir -p /tmp/ff && tar -xJf /tmp/ffmpeg.tar.xz -C /tmp/ff --strip-components=1 && \`
			`cp /tmp/ff/bin/ffmpeg /tmp/ff/bin/ffprobe /usr/local/bin/ && \`
			`chmod +x /usr/local/bin/ffmpeg /usr/local/bin/ffprobe && \`
			`rm -rf /tmp/ffmpeg.tar.xz /tmp/ff`

			# Bundle cloudflared so `unarr funnel on` (default: on, see config defaults)
			`# Just Works on a headless container with no first-run network round-trip.`
feat(funnel): cloudflare quick tunnel embedded subprocess (0.9.5) Gives the daemon a public HTTPS hostname (`https://<random>.trycloudflare.com`) so the in-browser player on torrentclaw.com plays cross-network without Tailscale or port forwarding — the mixed-content block that was breaking HTTPS-page → HTTP-daemon fetches is gone. Bytes proxy through CloudFlare, never through TorrentClaw infra (preserves the aggregator legal posture). New surface: • `internal/funnel/` package: subprocess wrapper + auto-download for cloudflared. Linux amd64/arm64/armhf/386 fetched from GitHub releases on first run, validated by ELF magic + size sanity, O_EXCL partial write so concurrent daemons don't clobber each other. • `unarr funnel on/off/status` cobra command (sibling of `unarr vpn`). • Daemon supervisor goroutine keeps cloudflared up across crashes + CF's ~6h Quick Tunnel rotation. Exponential backoff (2 s → 5 min). On exit the reported URL is cleared so the web stops handing out a dead host. • Wire: agent registers/syncs a FunnelURL field; web prefers it over Tailscale/LAN for in-browser playback (HlsStreamPlayer + Stremio addon). Default ON for fresh installs (NAS/Docker get it without terminal-in); existing configs that pre-date the feature stay off until the operator opts in with `unarr funnel on`. Docker image now bundles cloudflared (built per TARGETARCH via buildx). Also fixed: libx264 'frame MB size > level limit' on anamorphic >16:9 sources. The level we hint to libx264 was derived from height alone, which busted on 720p cinemascope (1728×720 = 4860 MBs > level 3.1's 3600). Bumped each tier: 720p → 4.0, 1080p → 4.1. Version: 0.9.4 → 0.9.5. 2026-05-26 20:39:57 +02:00			`RUN case "$TARGETARCH" in \`
			`amd64) CF_ARCH=amd64 ;; \`
			`arm64) CF_ARCH=arm64 ;; \`
			`arm) CF_ARCH=armhf ;; \`
			`*) echo "unsupported TARGETARCH=$TARGETARCH" >&2; exit 1 ;; \`
			`esac && \`
feat(docker): glibc base with nvenc ffmpeg + par2/7z extractors Alpine/musl can't run NVIDIA's glibc userspace (nvidia-smi, libnvidia-encode, the static nvenc ffmpeg), so HW transcode was impossible — every 4K/anamorphic HLS encode fell back to software or failed. Switch the runtime stage to debian:bookworm-slim + a static BtbN ffmpeg built with nvenc, add par2 (Usenet segment repair) + 7z (RAR/7z extraction), and set NVIDIA_DRIVER_CAPABILITIES=video,compute,utility so a plain --gpus all (or the compose device reservation) lights up nvenc with no extra flags. Falls back to libx264 automatically when no GPU is attached. Build stage cross-compiles (--platform=BUILDPLATFORM) so multi-arch stays fast; downloads forced over IPv4. 2026-06-01 19:36:41 +02:00			`wget -4 --tries=3 --timeout=30 -qO /usr/local/bin/cloudflared "https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-$CF_ARCH" && \`
feat(funnel): cloudflare quick tunnel embedded subprocess (0.9.5) Gives the daemon a public HTTPS hostname (`https://<random>.trycloudflare.com`) so the in-browser player on torrentclaw.com plays cross-network without Tailscale or port forwarding — the mixed-content block that was breaking HTTPS-page → HTTP-daemon fetches is gone. Bytes proxy through CloudFlare, never through TorrentClaw infra (preserves the aggregator legal posture). New surface: • `internal/funnel/` package: subprocess wrapper + auto-download for cloudflared. Linux amd64/arm64/armhf/386 fetched from GitHub releases on first run, validated by ELF magic + size sanity, O_EXCL partial write so concurrent daemons don't clobber each other. • `unarr funnel on/off/status` cobra command (sibling of `unarr vpn`). • Daemon supervisor goroutine keeps cloudflared up across crashes + CF's ~6h Quick Tunnel rotation. Exponential backoff (2 s → 5 min). On exit the reported URL is cleared so the web stops handing out a dead host. • Wire: agent registers/syncs a FunnelURL field; web prefers it over Tailscale/LAN for in-browser playback (HlsStreamPlayer + Stremio addon). Default ON for fresh installs (NAS/Docker get it without terminal-in); existing configs that pre-date the feature stay off until the operator opts in with `unarr funnel on`. Docker image now bundles cloudflared (built per TARGETARCH via buildx). Also fixed: libx264 'frame MB size > level limit' on anamorphic >16:9 sources. The level we hint to libx264 was derived from height alone, which busted on 720p cinemascope (1728×720 = 4860 MBs > level 3.1's 3600). Bumped each tier: 720p → 4.0, 1080p → 4.1. Version: 0.9.4 → 0.9.5. 2026-05-26 20:39:57 +02:00			`chmod +x /usr/local/bin/cloudflared`
feat: initial commit — unarr CLI Search, inspect, stream, and download torrents from the terminal. Replaces the entire *arr stack with a single binary. 2026-03-28 11:29:42 +01:00
			`# Non-root user (UID 1000 matches typical host user for volume permissions)`
feat(docker): glibc base with nvenc ffmpeg + par2/7z extractors Alpine/musl can't run NVIDIA's glibc userspace (nvidia-smi, libnvidia-encode, the static nvenc ffmpeg), so HW transcode was impossible — every 4K/anamorphic HLS encode fell back to software or failed. Switch the runtime stage to debian:bookworm-slim + a static BtbN ffmpeg built with nvenc, add par2 (Usenet segment repair) + 7z (RAR/7z extraction), and set NVIDIA_DRIVER_CAPABILITIES=video,compute,utility so a plain --gpus all (or the compose device reservation) lights up nvenc with no extra flags. Falls back to libx264 automatically when no GPU is attached. Build stage cross-compiles (--platform=BUILDPLATFORM) so multi-arch stays fast; downloads forced over IPv4. 2026-06-01 19:36:41 +02:00			`RUN groupadd -g 1000 unarr && useradd -u 1000 -g 1000 -m -d /home/unarr unarr`
feat: initial commit — unarr CLI Search, inspect, stream, and download torrents from the terminal. Replaces the entire *arr stack with a single binary. 2026-03-28 11:29:42 +01:00
			`# Default directories`
			`RUN mkdir -p /config /downloads /data && \`
			`chown -R unarr:unarr /config /downloads /data`

			`USER unarr`

			`COPY --from=builder /unarr /usr/local/bin/unarr`

			`# Environment: point config/data to container paths`
			`ENV UNARR_CONFIG_DIR=/config`
			`ENV UNARR_DOWNLOAD_DIR=/downloads`
			`ENV XDG_DATA_HOME=/data`

feat(docker): glibc base with nvenc ffmpeg + par2/7z extractors Alpine/musl can't run NVIDIA's glibc userspace (nvidia-smi, libnvidia-encode, the static nvenc ffmpeg), so HW transcode was impossible — every 4K/anamorphic HLS encode fell back to software or failed. Switch the runtime stage to debian:bookworm-slim + a static BtbN ffmpeg built with nvenc, add par2 (Usenet segment repair) + 7z (RAR/7z extraction), and set NVIDIA_DRIVER_CAPABILITIES=video,compute,utility so a plain --gpus all (or the compose device reservation) lights up nvenc with no extra flags. Falls back to libx264 automatically when no GPU is attached. Build stage cross-compiles (--platform=BUILDPLATFORM) so multi-arch stays fast; downloads forced over IPv4. 2026-06-01 19:36:41 +02:00			# NVIDIA passthrough defaults. `--gpus all` alone only grants the "utility" +
			`# "compute" capabilities; nvenc needs "video". Baking these here means a plain`
			# `docker run --gpus all` (or the compose device reservation) lights up HW
			`# transcode with zero extra flags. Harmless when no GPU is attached.`
			`ENV NVIDIA_VISIBLE_DEVICES=all`
			`ENV NVIDIA_DRIVER_CAPABILITIES=video,compute,utility`

feat: initial commit — unarr CLI Search, inspect, stream, and download torrents from the terminal. Replaces the entire *arr stack with a single binary. 2026-03-28 11:29:42 +01:00			`VOLUME ["/config", "/downloads", "/data"]`

			`ENTRYPOINT ["unarr"]`
			`CMD ["start"]`