diff --git a/.gitignore b/.gitignore index 4a230d2..6e83934 100644 --- a/.gitignore +++ b/.gitignore @@ -57,4 +57,9 @@ temp/ *.tmp # Docker -.dockerignore \ No newline at end of file +.dockerignore + +# Local development files (not for public repo) +*.local +CODE_STRUCTURE.local +RESTART_SUMMARY.md \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index 19cda6e..3c527b1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file. ## [Unreleased] - v0.6.0 ### Added +- **🔐 Secure Configuration System**: Two-file configuration with automatic API key masking + - **Main `.env`**: Paths and preferences (safe to share for debugging) + - **Separate `.env.secrets`**: API keys and passwords (never committed to git) + - **Automatic Loading**: Both files loaded at startup with python-dotenv + - **Log Security**: API keys automatically masked in all log output + - **Git Protection**: Updated .gitignore prevents accidental commits of sensitive data - **🎯 Configurable Release Date Priority System**: Revolutionary smart fallback for manual imports - **Configurable Priority Order**: `RELEASE_DATE_PRIORITY=digital,physical,theatrical` (customizable) - **Digital Releases**: VOD/streaming dates (Netflix, iTunes, etc.) - TMDB type 4 @@ -30,15 +36,20 @@ All notable changes to this project will be documented in this file. - OMDb API for DVD/digital release dates - Jellyseerr integration for additional digital release data - **Deployment Documentation**: - - `DEPLOYMENT.md` - Complete Docker deployment guide + - `SETUP.md` - Secure configuration setup guide + - `DEPLOYMENT.md` - Complete Docker deployment guide - `TESTING.md` - Testing strategy and troubleshooting - - `.env.template` - Comprehensive configuration template - - `docker-compose.yml` - Production-ready deployment + - `.env.template` - Clean main configuration template + - `.env.secrets.template` - Secure secrets configuration template + - `docker-compose.yml` - Production-ready deployment with volume mounts ### Changed -- **Configuration Management**: Removed hardcoded paths, fully environment variable driven +- **Configuration Management**: Secure two-file system replaces single .env approach + - **Separated Concerns**: Main config (.env) vs sensitive data (.env.secrets) + - **Enhanced Security**: API key masking and git protection built-in + - **Docker Integration**: Updated docker-compose.yml with proper volume mounts - **Movie Priority Logic**: Enhanced `import_then_digital` to intelligently handle file date fallbacks -- **README.md**: Complete rewrite with all API endpoints, curl examples, and response formats +- **README.md**: Complete rewrite with secure configuration examples and curl commands ### Fixed - **Manual Import Handling**: Movies manually imported to Radarr now use digital release dates instead of file modification dates diff --git a/README.md b/README.md index 563d203..ed9f1c0 100644 --- a/README.md +++ b/README.md @@ -50,27 +50,87 @@ It integrates with **Sonarr** and **Radarr**, listens for import/rename/upgrade --- -## 🚀 Quick Start (Docker) +## 🚀 Quick Start (Docker Compose) +```bash +# 1. Copy configuration templates +cp .env.template .env +cp .env.secrets.template .env.secrets + +# 2. Edit your configuration files +# .env - paths and preferences (safe to share) +# .env.secrets - API keys and passwords (never commit) + +# 3. Start NFOGuard +docker-compose up -d +``` + +**Docker Compose (Recommended)**: +```yaml +version: '3.8' +services: + nfoguard: + image: ghcr.io/your-org/nfoguard:latest + container_name: nfoguard + ports: + - "8080:8080" + volumes: + - /mnt/unionfs/Media:/media:rw + - ./data:/app/data + - ./.env:/app/.env:ro # Main configuration + - ./.env.secrets:/app/.env.secrets:ro # Secure API keys + restart: unless-stopped +``` + +**Docker Run (Alternative)**: ```bash docker run -d \ --name=NFOGuard \ -p 8080:8080 \ -v /mnt/unionfs/Media:/media:rw \ -v /opt/NFOGuard/data:/app/data \ - -e TV_PATHS="/media/TV/tv,/media/TV/tv6" \ - -e MOVIE_PATHS="/media/Movies/movies,/media/Movies/movies6" \ + -v /opt/NFOGuard/.env:/app/.env:ro \ + -v /opt/NFOGuard/.env.secrets:/app/.env.secrets:ro \ ghcr.io/your-org/NFOGuard:latest -⚙️ Environment Variables -Variable Default Description -TV_PATHS /media/tv,/media/tv6 Comma-separated list of TV root paths -MOVIE_PATHS /media/movies,/media/movies6 Comma-separated list of Movie root paths -DB_PATH /app/data/media_dates.db Path to SQLite database -MANAGE_NFO true Write/update NFO files -FIX_DIR_MTIMES true Sync directory/file mtimes to import date -LOCK_METADATA true Add in NFOs -BATCH_DELAY 5.0 Delay before processing batched events -DEBUG false Enable verbose logging +``` + +## 🔧 Configuration Files + +NFOGuard uses a **secure two-file configuration system**: + +### **`.env` - Main Configuration** (safe to share) +```bash +# Media paths +MOVIE_PATHS=/media/Movies/movies,/media/Movies/movies6 +TV_PATHS=/media/TV/tv,/media/TV/tv6 + +# Release date priority (digital, physical, theatrical) +RELEASE_DATE_PRIORITY=digital,physical,theatrical +PREFER_RELEASE_DATES_OVER_FILE_DATES=true +ALLOW_FILE_DATE_FALLBACK=false + +# Database connection +RADARR_DB_HOST=radarr-postgres +RADARR_DB_PORT=5432 +RADARR_DB_NAME=radarr +RADARR_DB_USER=postgres +``` + +### **`.env.secrets` - Sensitive Data** (never commit) +```bash +# Database password +RADARR_DB_PASSWORD=your_actual_password + +# API keys +TMDB_API_KEY=your_tmdb_api_key +RADARR_API_KEY=your_radarr_api_key +SONARR_API_KEY=your_sonarr_api_key +``` + +**Security Features**: +- 🔐 **API key masking** in logs automatically +- 🚫 **Git protection** - secrets never committed +- 🛠️ **Easy debugging** - main .env safe to share 🔌 API Endpoints diff --git a/docker-compose.example.yml b/docker-compose.example.yml index 1573cd3..69165c8 100644 --- a/docker-compose.example.yml +++ b/docker-compose.example.yml @@ -1,8 +1,10 @@ +version: '3.8' + services: - NFOguard: + nfoguard: # image: ghcr.io/sbcrumb/nfoguard:latest # Use this once package is public build: . # Temporary local build - container_name: NFOguard + container_name: nfoguard restart: unless-stopped user: "1000:1000" networks: @@ -10,11 +12,21 @@ services: ports: - "8085:8080" volumes: + # Media directory - /mnt/unionfs/Media/:/media:rw + + # NFOGuard data directory for database and logs - ./data:/app/data:rw - - ./.env:/app/.env:ro - env_file: - - .env + + # Configuration files (SECURE TWO-FILE SYSTEM) + - ./.env:/app/.env:ro # Main config (safe to share) + - ./.env.secrets:/app/.env.secrets:ro # API keys & passwords (never commit) + + # Optional: Can use env_file for simple setups, but file mounting is more secure + # env_file: + # - .env + # - .env.secrets + healthcheck: test: ["CMD", "curl", "-f", "http://localhost:8080/health"] interval: 30s