285 lines
9.9 KiB
Python
285 lines
9.9 KiB
Python
"""Homelab Butler – Unified API proxy for Pfannkuchen homelab.
|
||
Reads credentials from Vaultwarden (Bitwarden CLI) on startup, caches locally."""
|
||
|
||
import os, json, asyncio, subprocess, logging
|
||
import httpx
|
||
from fastapi import FastAPI, Request, HTTPException, Depends
|
||
from fastapi.responses import JSONResponse
|
||
from contextlib import asynccontextmanager
|
||
|
||
log = logging.getLogger("butler")
|
||
VAULT_REFRESH_MINUTES = int(os.environ.get("VAULT_REFRESH_MINUTES", "30"))
|
||
|
||
API_DIR = os.environ.get("API_KEY_DIR", "/data/api")
|
||
BUTLER_TOKEN = os.environ.get("BUTLER_TOKEN", "")
|
||
BW_PASSWORD = os.environ.get("BW_PASSWORD", "")
|
||
VAULT_CACHE_DIR = os.environ.get("VAULT_CACHE_DIR", "/data/vault-cache")
|
||
|
||
# --- Vault sync ---
|
||
|
||
_vault_cache: dict[str, str] = {}
|
||
|
||
# Mapping: vault item name -> local file name
|
||
VAULT_TO_FILE = {
|
||
"HA_TOKEN": "homeassistent",
|
||
"N8N_API_KEY": "n8n",
|
||
"OUTLINE_API_KEY": "outline",
|
||
"HETZNER_DNS_TOKEN": "hetzner-dns",
|
||
"TG_HARALD_TOKEN": "tg-harald",
|
||
"TG_SASCHA_CHAT": "tg-sascha-chat",
|
||
"SEERR_URL": None, # skip URL-only items
|
||
}
|
||
|
||
def _sync_vault():
|
||
"""Pull all items from Vaultwarden via bw CLI and cache them."""
|
||
global _vault_cache
|
||
if not BW_PASSWORD:
|
||
log.info("No BW_PASSWORD set, skipping vault sync")
|
||
return False
|
||
try:
|
||
env = {**os.environ, "BW_PASSWORD": BW_PASSWORD}
|
||
session = subprocess.run(
|
||
["bw", "unlock", "--passwordenv", "BW_PASSWORD", "--raw"],
|
||
capture_output=True, text=True, env=env, timeout=30
|
||
).stdout.strip()
|
||
if not session:
|
||
log.warning("Vault unlock failed")
|
||
return False
|
||
subprocess.run(["bw", "sync", "--session", session],
|
||
capture_output=True, env=env, timeout=30)
|
||
result = subprocess.run(
|
||
["bw", "list", "items", "--session", session],
|
||
capture_output=True, text=True, env=env, timeout=30
|
||
)
|
||
items = json.loads(result.stdout)
|
||
new_cache = {}
|
||
for item in items:
|
||
name = item.get("name", "")
|
||
notes = item.get("notes") or ""
|
||
if name and notes:
|
||
new_cache[name] = notes.strip()
|
||
_vault_cache = new_cache
|
||
# Write to disk as cache (fallback if vault unreachable later)
|
||
os.makedirs(VAULT_CACHE_DIR, exist_ok=True)
|
||
for name, value in new_cache.items():
|
||
safe = name.lower().replace(" ", "-")
|
||
with open(f"{VAULT_CACHE_DIR}/{safe}", "w") as f:
|
||
f.write(value)
|
||
log.info(f"Vault sync: {len(new_cache)} items cached")
|
||
return True
|
||
except Exception as e:
|
||
log.warning(f"Vault sync failed: {e}")
|
||
return False
|
||
|
||
def _load_disk_cache():
|
||
"""Load cached vault items from disk (fallback)."""
|
||
global _vault_cache
|
||
cache_dir = VAULT_CACHE_DIR
|
||
if not os.path.isdir(cache_dir):
|
||
return
|
||
for f in os.listdir(cache_dir):
|
||
path = os.path.join(cache_dir, f)
|
||
if os.path.isfile(path):
|
||
_vault_cache[f] = open(path).read().strip()
|
||
log.info(f"Loaded {len(_vault_cache)} items from disk cache")
|
||
|
||
async def _periodic_vault_sync():
|
||
while True:
|
||
await asyncio.sleep(VAULT_REFRESH_MINUTES * 60)
|
||
log.info("Periodic vault refresh...")
|
||
_sync_vault()
|
||
|
||
@asynccontextmanager
|
||
async def lifespan(app: FastAPI):
|
||
# Startup: try vault sync in background, use file fallback immediately
|
||
_load_disk_cache()
|
||
loop = asyncio.get_event_loop()
|
||
loop.run_in_executor(None, _sync_vault) # non-blocking
|
||
task = asyncio.create_task(_periodic_vault_sync())
|
||
yield
|
||
task.cancel()
|
||
|
||
app = FastAPI(title="Homelab Butler", version="2.0.0", lifespan=lifespan)
|
||
|
||
# --- Credential reading (vault-first, file-fallback) ---
|
||
|
||
def _read(name):
|
||
"""Read a credential: vault cache first, then flat file."""
|
||
# Check vault cache by exact name
|
||
if name in _vault_cache:
|
||
return _vault_cache[name]
|
||
# Check vault cache by uppercase convention
|
||
upper = name.upper().replace("-", "_")
|
||
if upper in _vault_cache:
|
||
return _vault_cache[upper]
|
||
# Fallback to flat file
|
||
try:
|
||
return open(f"{API_DIR}/{name}").read().strip()
|
||
except FileNotFoundError:
|
||
return None
|
||
|
||
def _parse_kv(name):
|
||
raw = _read(name)
|
||
if not raw:
|
||
return {}
|
||
d = {}
|
||
for line in raw.splitlines():
|
||
if ":" in line:
|
||
k, v = line.split(":", 1)
|
||
d[k.strip().lower()] = v.strip()
|
||
return d
|
||
|
||
def _parse_url_key(name):
|
||
raw = _read(name)
|
||
if not raw:
|
||
return None, None
|
||
lines = [l.strip() for l in raw.splitlines() if l.strip()]
|
||
return (lines[0] if lines else None, lines[1] if len(lines) > 1 else None)
|
||
|
||
# --- Vault-aware credential getters ---
|
||
|
||
def _get_seerr_key():
|
||
return _read("seer") or _vault_cache.get("SEERR_API_KEY", "")
|
||
|
||
def _get_sonarr_key(variant=""):
|
||
if variant == "1080p":
|
||
return _read("sonarr1080p") or _vault_cache.get("SONARR_FHD_KEY", "")
|
||
return _read("sonarr") or _vault_cache.get("SONARR_UHD_KEY", "")
|
||
|
||
def _get_radarr_key(variant=""):
|
||
if variant == "1080p":
|
||
return _read("radarr1080p") or _vault_cache.get("RADARR_FHD_KEY", "")
|
||
return _read("radarr") or _vault_cache.get("RADARR_UHD_KEY", "")
|
||
|
||
# --- Service configs ---
|
||
|
||
SERVICES = {
|
||
"dockhand": {"url": "http://10.4.1.116:3000", "auth": "session"},
|
||
"sonarr": {"url": "http://10.2.1.100:8989", "auth": "apikey", "key_file": "sonarr"},
|
||
"sonarr1080p": {"url": None, "auth": "apikey_urlfile", "key_file": "sonarr1080p"},
|
||
"radarr": {"url": "http://10.2.1.100:7878", "auth": "apikey", "key_file": "radarr"},
|
||
"radarr1080p": {"url": None, "auth": "apikey_urlfile", "key_file": "radarr1080p"},
|
||
"seerr": {"url": "http://10.2.1.100:5055", "auth": "apikey", "key_file": "seer"},
|
||
"outline": {"url": "http://10.1.1.100:3000", "auth": "bearer", "key_file": "outline",
|
||
"vault_key": "OUTLINE_API_KEY"},
|
||
"n8n": {"url": "http://10.4.1.113:5678", "auth": "n8n", "key_file": "n8n",
|
||
"vault_key": "N8N_API_KEY"},
|
||
"proxmox": {"url": "https://10.5.85.11:8006", "auth": "proxmox"},
|
||
"homeassistant": {"url": "http://10.10.1.20:8123", "auth": "bearer", "key_file": "homeassistent",
|
||
"vault_key": "HA_TOKEN"},
|
||
"grafana": {"url": "http://10.1.1.111:3000", "auth": "bearer", "key_file": "grafana"},
|
||
"uptime": {"url": "http://159.69.245.190:3001", "auth": "bearer", "key_file": "uptime"},
|
||
}
|
||
|
||
# --- Dockhand session cache ---
|
||
|
||
_dockhand_cookie = None
|
||
|
||
async def _dockhand_login(client):
|
||
global _dockhand_cookie
|
||
pw = _read("dockhand")
|
||
r = await client.post(
|
||
f"{SERVICES['dockhand']['url']}/api/auth/login",
|
||
json={"username": "admin", "password": pw or ""},
|
||
)
|
||
if r.status_code == 200:
|
||
_dockhand_cookie = dict(r.cookies)
|
||
return _dockhand_cookie
|
||
|
||
# --- Auth ---
|
||
|
||
def _verify(request: Request):
|
||
if not BUTLER_TOKEN:
|
||
return
|
||
auth = request.headers.get("authorization", "")
|
||
if auth != f"Bearer {BUTLER_TOKEN}":
|
||
raise HTTPException(401, "Invalid token")
|
||
|
||
def _get_key(cfg):
|
||
"""Get API key from vault (preferred) or file (fallback)."""
|
||
vault_key = cfg.get("vault_key")
|
||
if vault_key and vault_key in _vault_cache:
|
||
return _vault_cache[vault_key]
|
||
return _read(cfg.get("key_file", ""))
|
||
|
||
# --- Routes ---
|
||
|
||
@app.get("/")
|
||
async def root():
|
||
return {
|
||
"service": "homelab-butler", "version": "2.0.0",
|
||
"services": list(SERVICES.keys()),
|
||
"vault_items": len(_vault_cache),
|
||
}
|
||
|
||
@app.get("/health")
|
||
async def health():
|
||
return {"status": "ok", "vault_items": len(_vault_cache)}
|
||
|
||
@app.post("/vault/refresh")
|
||
async def vault_refresh(_=Depends(_verify)):
|
||
ok = _sync_vault()
|
||
return {"refreshed": ok, "items": len(_vault_cache)}
|
||
|
||
@app.api_route("/{service}/{path:path}", methods=["GET", "POST", "PUT", "DELETE", "PATCH"])
|
||
async def proxy(service: str, path: str, request: Request, _=Depends(_verify)):
|
||
cfg = SERVICES.get(service)
|
||
if not cfg:
|
||
raise HTTPException(404, f"Unknown service: {service}. Available: {list(SERVICES.keys())}")
|
||
|
||
base_url = cfg["url"]
|
||
auth_type = cfg["auth"]
|
||
headers = dict(request.headers)
|
||
cookies = {}
|
||
|
||
for h in ["host", "content-length", "transfer-encoding", "authorization"]:
|
||
headers.pop(h, None)
|
||
|
||
if auth_type == "apikey":
|
||
headers["X-Api-Key"] = _get_key(cfg) or ""
|
||
|
||
elif auth_type == "apikey_urlfile":
|
||
url, key = _parse_url_key(cfg["key_file"])
|
||
base_url = url.rstrip("/") if url else ""
|
||
headers["X-Api-Key"] = key or ""
|
||
|
||
elif auth_type == "bearer":
|
||
headers["Authorization"] = f"Bearer {_get_key(cfg)}"
|
||
|
||
elif auth_type == "n8n":
|
||
headers["X-N8N-API-KEY"] = _get_key(cfg) or ""
|
||
|
||
elif auth_type == "proxmox":
|
||
pv = _parse_kv("proxmox")
|
||
headers["Authorization"] = f"PVEAPIToken={pv.get('tokenid', '')}={pv.get('secret', '')}"
|
||
|
||
elif auth_type == "session":
|
||
global _dockhand_cookie
|
||
if not _dockhand_cookie:
|
||
async with httpx.AsyncClient(verify=False) as c:
|
||
await _dockhand_login(c)
|
||
cookies = _dockhand_cookie or {}
|
||
|
||
target = f"{base_url}/{path}"
|
||
body = await request.body()
|
||
|
||
async with httpx.AsyncClient(verify=False, timeout=30.0) as client:
|
||
resp = await client.request(
|
||
method=request.method, url=target,
|
||
headers=headers, cookies=cookies, content=body,
|
||
)
|
||
if auth_type == "session" and resp.status_code == 401:
|
||
_dockhand_cookie = None
|
||
await _dockhand_login(client)
|
||
cookies = _dockhand_cookie or {}
|
||
resp = await client.request(
|
||
method=request.method, url=target,
|
||
headers=headers, cookies=cookies, content=body,
|
||
)
|
||
|
||
try:
|
||
data = resp.json()
|
||
except Exception:
|
||
data = resp.text
|
||
|
||
return JSONResponse(content=data, status_code=resp.status_code)
|