diff --git a/.github/workflows/create-docusaurus-pr.yml b/.github/workflows/create-docusaurus-pr.yml deleted file mode 100644 index 88359a60b..000000000 --- a/.github/workflows/create-docusaurus-pr.yml +++ /dev/null @@ -1,82 +0,0 @@ -name: Update API Documentation -on: - push: - branches: - - main - paths: - - 'api/docs/**' - workflow_dispatch: - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -# Add permissions for GITHUB_TOKEN -permissions: - contents: write - pull-requests: write -jobs: - create-docs-pr: - runs-on: ubuntu-latest - steps: - - name: Checkout source repository - uses: actions/checkout@v5 - with: - path: source-repo - - - name: Checkout docs repository - uses: actions/checkout@v5 - with: - repository: unraid/docs - path: docs-repo - token: ${{ secrets.DOCS_PAT_UNRAID_BOT }} - - - name: Copy and process docs - run: | - if [ ! -d "source-repo/api/docs" ]; then - echo "Source directory does not exist!" - exit 1 - fi - - # Remove old API docs but preserve other folders - rm -rf docs-repo/docs/API/ - mkdir -p docs-repo/docs/API - - # Copy all markdown files and maintain directory structure - cp -r source-repo/api/docs/public/. docs-repo/docs/API/ - - # Copy images to Docusaurus static directory - mkdir -p docs-repo/static/img/api - - # Copy images from public/images if they exist - if [ -d "source-repo/api/docs/public/images" ]; then - cp -r source-repo/api/docs/public/images/. docs-repo/static/img/api/ - fi - - # Also copy any images from the parent docs/images directory - if [ -d "source-repo/api/docs/images" ]; then - cp -r source-repo/api/docs/images/. docs-repo/static/img/api/ - fi - - # Update image paths in markdown files - # Replace relative image paths with absolute paths pointing to /img/api/ - find docs-repo/docs/API -name "*.md" -type f -exec sed -i 's|!\[\([^]]*\)\](\./images/\([^)]*\))|![\1](/img/api/\2)|g' {} \; - find docs-repo/docs/API -name "*.md" -type f -exec sed -i 's|!\[\([^]]*\)\](images/\([^)]*\))|![\1](/img/api/\2)|g' {} \; - find docs-repo/docs/API -name "*.md" -type f -exec sed -i 's|!\[\([^]]*\)\](../images/\([^)]*\))|![\1](/img/api/\2)|g' {} \; - - name: Create Pull Request - uses: peter-evans/create-pull-request@v7 - with: - token: ${{ secrets.DOCS_PAT_UNRAID_BOT }} - path: docs-repo - commit-message: 'docs: update API documentation' - title: 'Update API Documentation' - body: | - This PR updates the API documentation based on changes from the main repository. - - Changes were automatically generated from api/docs/* directory. - - @coderabbitai ignore - reviewers: ljm42, elibosley - branch: update-api-docs - base: main - delete-branch: true diff --git a/api/docs/public/_category_.json b/api/docs/public/_category_.json deleted file mode 100644 index 1e4ded6ca..000000000 --- a/api/docs/public/_category_.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "label": "Unraid API", - "position": 4 -} \ No newline at end of file diff --git a/api/docs/public/api-key-app-developer-authorization-flow.md b/api/docs/public/api-key-app-developer-authorization-flow.md deleted file mode 100644 index 5ba049651..000000000 --- a/api/docs/public/api-key-app-developer-authorization-flow.md +++ /dev/null @@ -1,100 +0,0 @@ -# API Key Authorization Flow - -This document describes the self-service API key creation flow for third-party applications. - -## Overview - -Applications can request API access to an Unraid server by redirecting users to a special authorization page where users can review requested permissions and create an API key with one click. - -## Flow - -1. **Application initiates request**: The app redirects the user to: - - ``` - https://[unraid-server]/ApiKeyAuthorize?name=MyApp&scopes=docker:read,vm:*&redirect_uri=https://myapp.com/callback&state=abc123 - ``` - -2. **User authentication**: If not already logged in, the user is redirected to login first (standard Unraid auth) - -3. **Consent screen**: User sees: - - Application name and description - - Requested permissions (with checkboxes to approve/deny specific scopes) - - API key name field (pre-filled) - - Authorize & Cancel buttons - -4. **API key creation**: Upon authorization: - - API key is created with approved scopes - - Key is displayed to the user - - If `redirect_uri` is provided, user is redirected back with the key - -5. **Callback**: App receives the API key: - ``` - https://myapp.com/callback?api_key=xxx&state=abc123 - ``` - -## Query Parameters - -- `name` (required): Name of the requesting application -- `description` (optional): Description of the application -- `scopes` (required): Comma-separated list of requested scopes -- `redirect_uri` (optional): URL to redirect after authorization -- `state` (optional): Opaque value for maintaining state - -## Scope Format - -Scopes follow the pattern: `resource:action` - -### Examples: - -- `docker:read` - Read access to Docker -- `vm:*` - Full access to VMs -- `system:update` - Update access to system -- `role:viewer` - Viewer role access -- `role:admin` - Admin role access - -### Available Resources: - -- `docker`, `vm`, `system`, `share`, `user`, `network`, `disk`, etc. - -### Available Actions: - -- `create`, `read`, `update`, `delete` or `*` for all - -## Security Considerations - -1. **HTTPS required**: Redirect URIs must use HTTPS (except localhost for development) -2. **User consent**: Users explicitly approve each permission -3. **Session-based**: Uses existing Unraid authentication session -4. **One-time display**: API keys are shown once and must be saved securely - -## Example Integration - -```javascript -// JavaScript example -const unraidServer = 'tower.local'; -const appName = 'My Docker Manager'; -const scopes = 'docker:*,system:read'; -const redirectUri = 'https://myapp.com/unraid/callback'; -const state = generateRandomState(); - -// Store state for verification -sessionStorage.setItem('oauth_state', state); - -// Redirect user to authorization page -window.location.href = - `https://${unraidServer}/ApiKeyAuthorize?` + - `name=${encodeURIComponent(appName)}&` + - `scopes=${encodeURIComponent(scopes)}&` + - `redirect_uri=${encodeURIComponent(redirectUri)}&` + - `state=${encodeURIComponent(state)}`; - -// Handle callback -const urlParams = new URLSearchParams(window.location.search); -const apiKey = urlParams.get('api_key'); -const returnedState = urlParams.get('state'); - -if (returnedState === sessionStorage.getItem('oauth_state')) { - // Save API key securely - saveApiKey(apiKey); -} -``` diff --git a/api/docs/public/cli.md b/api/docs/public/cli.md deleted file mode 100644 index 27d33c432..000000000 --- a/api/docs/public/cli.md +++ /dev/null @@ -1,210 +0,0 @@ ---- -title: CLI Reference -description: Complete reference for all Unraid API CLI commands -sidebar_position: 4 ---- - -# CLI Commands - -:::info[Command Structure] -All commands follow the pattern: `unraid-api [options]` -::: - -## 🚀 Service Management - -### Start - -```bash -unraid-api start [--log-level ] -``` - -Starts the Unraid API service. - -Options: - -- `--log-level`: Set logging level (trace|debug|info|warn|error|fatal) - -Alternative: You can also set the log level using the `LOG_LEVEL` environment variable: - -```bash -LOG_LEVEL=trace unraid-api start -``` - -### Stop - -```bash -unraid-api stop [--delete] -``` - -Stops the Unraid API service. - -- `--delete`: Optional. Delete the PM2 home directory - -### Restart - -```bash -unraid-api restart [--log-level ] -``` - -Restarts the Unraid API service. - -Options: - -- `--log-level`: Set logging level (trace|debug|info|warn|error|fatal) - -Alternative: You can also set the log level using the `LOG_LEVEL` environment variable: - -```bash -LOG_LEVEL=trace unraid-api restart -``` - -### Logs - -```bash -unraid-api logs [-l ] -``` - -View the API logs. - -- `-l, --lines`: Optional. Number of lines to tail (default: 100) - -## ⚙️ Configuration Commands - -### Config - -```bash -unraid-api config -``` - -Displays current configuration values. - -### Switch Environment - -```bash -unraid-api switch-env [-e ] -``` - -Switch between production and staging environments. - -- `-e, --environment`: Optional. Target environment (production|staging) - -### Developer Mode - -:::tip Web GUI Management -You can also manage developer options through the web interface at **Settings** → **Management Access** → **Developer Options** -::: - -```bash -unraid-api developer # Interactive prompt for tools -unraid-api developer --sandbox true # Enable GraphQL sandbox -unraid-api developer --sandbox false # Disable GraphQL sandbox -unraid-api developer --enable-modal # Enable modal testing tool -unraid-api developer --disable-modal # Disable modal testing tool -``` - -Configure developer features for the API: - -- **GraphQL Sandbox**: Enable/disable Apollo GraphQL sandbox at `/graphql` -- **Modal Testing Tool**: Enable/disable UI modal testing in the Unraid menu - -## API Key Management - -:::tip Web GUI Management -You can also manage API keys through the web interface at **Settings** → **Management Access** → **API Keys** -::: - -### API Key Commands - -```bash -unraid-api apikey [options] -``` - -Create and manage API keys via CLI. - -Options: - -- `--name `: Name of the key -- `--create`: Create a new key -- `-r, --roles `: Comma-separated list of roles -- `-p, --permissions `: Comma-separated list of permissions -- `-d, --description `: Description for the key - -## SSO (Single Sign-On) Management - -:::info OIDC Configuration -For OIDC/SSO provider configuration, see the web interface at **Settings** → **Management Access** → **API** → **OIDC** or refer to the [OIDC Provider Setup](./oidc-provider-setup.md) guide. -::: - -### SSO Base Command - -```bash -unraid-api sso -``` - -#### Add SSO User - -```bash -unraid-api sso add-user -# or -unraid-api sso add -# or -unraid-api sso a -``` - -Add a new user for SSO authentication. - -#### Remove SSO User - -```bash -unraid-api sso remove-user -# or -unraid-api sso remove -# or -unraid-api sso r -``` - -Remove a user (or all users) from SSO. - -#### List SSO Users - -```bash -unraid-api sso list-users -# or -unraid-api sso list -# or -unraid-api sso l -``` - -List all configured SSO users. - -#### Validate SSO Token - -```bash -unraid-api sso validate-token -# or -unraid-api sso validate -# or -unraid-api sso v -``` - -Validates an SSO token and returns its status. - -## Report Generation - -### Generate Report - -```bash -unraid-api report [-r] [-j] -``` - -Generate a system report. - -- `-r, --raw`: Display raw command output -- `-j, --json`: Display output in JSON format - -## Notes - -1. Most commands require appropriate permissions to modify system state -2. Some commands require the API to be running or stopped -3. Store API keys securely as they provide system access -4. SSO configuration changes may require a service restart diff --git a/api/docs/public/how-to-use-the-api.md b/api/docs/public/how-to-use-the-api.md deleted file mode 100644 index 794b2fb49..000000000 --- a/api/docs/public/how-to-use-the-api.md +++ /dev/null @@ -1,255 +0,0 @@ ---- -title: Using the Unraid API -description: Learn how to interact with your Unraid server through the GraphQL API -sidebar_position: 2 ---- - -# Using the Unraid API - -:::tip[Quick Start] -The Unraid API provides a powerful GraphQL interface for managing your server. This guide covers authentication, common queries, and best practices. -::: - -The Unraid API provides a GraphQL interface that allows you to interact with your Unraid server. This guide will help you get started with exploring and using the API. - -## 🎮 Enabling the GraphQL Sandbox - -### Web GUI Method (Recommended) - -:::info[Preferred Method] -Using the Web GUI is the easiest way to enable the GraphQL sandbox. -::: - -1. Navigate to **Settings** → **Management Access** → **Developer Options** -2. Enable the **GraphQL Sandbox** toggle -3. Access the GraphQL playground by navigating to: - - ```txt - http://YOUR_SERVER_IP/graphql - ``` - -### CLI Method - -Alternatively, you can enable developer mode using the CLI: - -```bash -unraid-api developer --sandbox true -``` - -Or use the interactive mode: - -```bash -unraid-api developer -``` - -## 🔑 Authentication - -:::warning[Required for Most Operations] -Most queries and mutations require authentication. Always include appropriate credentials in your requests. -::: - -You can authenticate using: - -1. **API Keys** - For programmatic access -2. **Cookies** - Automatic when signed into the WebGUI -3. **SSO/OIDC** - When configured with external providers - -### Managing API Keys - - - - -Navigate to **Settings** → **Management Access** → **API Keys** in your Unraid web interface to: - -- View existing API keys -- Create new API keys -- Manage permissions and roles -- Revoke or regenerate keys - - - - -You can also use the CLI to create an API key: - -```bash -unraid-api apikey --create -``` - -Follow the prompts to set: - -- Name -- Description -- Roles -- Permissions - - - - -### Using API Keys - -The generated API key should be included in your GraphQL requests as a header: - -```json -{ - "x-api-key": "YOUR_API_KEY" -} -``` - -## 📊 Available Schemas - -The API provides access to various aspects of your Unraid server: - -### System Information - -- Query system details including CPU, memory, and OS information -- Monitor system status and health -- Access baseboard and hardware information - -### Array Management - -- Query array status and configuration -- Manage array operations (start/stop) -- Monitor disk status and health -- Perform parity checks - -### Docker Management - -- List and manage Docker containers -- Monitor container status -- Manage Docker networks - -### Remote Access - -- Configure and manage remote access settings -- Handle SSO configuration -- Manage allowed origins - -### 💻 Example Queries - -#### Check System Status - -```graphql -query { - info { - os { - platform - distro - release - uptime - } - cpu { - manufacturer - brand - cores - threads - } - } -} -``` - -#### Monitor Array Status - -```graphql -query { - array { - state - capacity { - disks { - free - used - total - } - } - disks { - name - size - status - temp - } - } -} -``` - -#### List Docker Containers - -```graphql -query { - dockerContainers { - id - names - state - status - autoStart - } -} -``` - -## 🏗️ Schema Types - -The API includes several core types: - -### Base Types - -- `Node`: Interface for objects with unique IDs - please see [Object Identification](https://graphql.org/learn/global-object-identification/) -- `JSON`: For complex JSON data -- `DateTime`: For timestamp values -- `Long`: For 64-bit integers - -### Resource Types - -- `Array`: Array and disk management -- `Docker`: Container and network management -- `Info`: System information -- `Config`: Server configuration -- `Connect`: Remote access settings - -### Role-Based Access - -Available roles: - -- `admin`: Full access -- `connect`: Remote access features -- `guest`: Limited read access - -## ✨ Best Practices - -:::tip[Pro Tips] -1. Use the Apollo Sandbox to explore the schema and test queries -2. Start with small queries and gradually add fields as needed -3. Monitor your query complexity to maintain performance -4. Use appropriate roles and permissions for your API keys -5. Keep your API keys secure and rotate them periodically -::: - -## ⏱️ Rate Limiting - -:::caution[Rate Limits] -The API implements rate limiting to prevent abuse. Ensure your applications handle rate limit responses appropriately. -::: - -## 🚨 Error Handling - -The API returns standard GraphQL errors in the following format: - -```json -{ - "errors": [ - { - "message": "Error description", - "locations": [...], - "path": [...] - } - ] -} -``` - -## 📚 Additional Resources - -:::info[Learn More] -- Use the Apollo Sandbox's schema explorer to browse all available types and fields -- Check the documentation tab in Apollo Sandbox for detailed field descriptions -- Monitor the API's health using `unraid-api status` -- Generate reports using `unraid-api report` for troubleshooting - -For more information about specific commands and configuration options, refer to the [CLI documentation](/cli) or run `unraid-api --help`. -::: diff --git a/api/docs/public/images/advanced-rules.png b/api/docs/public/images/advanced-rules.png deleted file mode 100644 index dd60e6dc0..000000000 Binary files a/api/docs/public/images/advanced-rules.png and /dev/null differ diff --git a/api/docs/public/images/button-customization.png b/api/docs/public/images/button-customization.png deleted file mode 100644 index 516cd0c3c..000000000 Binary files a/api/docs/public/images/button-customization.png and /dev/null differ diff --git a/api/docs/public/images/configured-provider.png b/api/docs/public/images/configured-provider.png deleted file mode 100644 index c3026af92..000000000 Binary files a/api/docs/public/images/configured-provider.png and /dev/null differ diff --git a/api/docs/public/images/default-unraid-provider.png b/api/docs/public/images/default-unraid-provider.png deleted file mode 100644 index 8d1f3227d..000000000 Binary files a/api/docs/public/images/default-unraid-provider.png and /dev/null differ diff --git a/api/docs/public/images/sso-with-options.png b/api/docs/public/images/sso-with-options.png deleted file mode 100644 index 2206d8b85..000000000 Binary files a/api/docs/public/images/sso-with-options.png and /dev/null differ diff --git a/api/docs/public/index.md b/api/docs/public/index.md deleted file mode 100644 index 32dcda209..000000000 --- a/api/docs/public/index.md +++ /dev/null @@ -1,94 +0,0 @@ ---- -title: Welcome to Unraid API -description: The official GraphQL API for Unraid Server management and automation -sidebar_position: 1 ---- - -# Welcome to Unraid API - -:::tip[What's New] -Starting with Unraid OS v7.2, the API comes built into the operating system - no plugin installation required! -::: - -The Unraid API provides a GraphQL interface for programmatic interaction with your Unraid server. It enables automation, monitoring, and integration capabilities. - -## 📦 Availability - -### ✨ Native Integration (Unraid OS v7.2+) - -Starting with Unraid OS v7.2, the API is integrated directly into the operating system: - -- No plugin installation required -- Automatically available on system startup -- Deep system integration -- Access through **Settings** → **Management Access** → **API** - -### 🔌 Plugin Installation (Pre-7.2 and Advanced Users) - -For Unraid versions prior to v7.2 or to access newer API features: - -1. Install the Unraid Connect Plugin from Community Apps -2. [Configure the plugin](./how-to-use-the-api.md#enabling-the-graphql-sandbox) -3. Access API functionality through the [GraphQL Sandbox](./how-to-use-the-api.md) - -:::info Important Notes -- The Unraid Connect plugin provides the API for pre-7.2 versions -- You do NOT need to sign in to Unraid Connect to use the API locally -- Installing the plugin on 7.2+ gives you access to newer API features before they're included in OS releases -::: - -## 📚 Documentation Sections - - - - Complete reference for all CLI commands - - - Learn how to interact with the GraphQL API - - - Configure SSO authentication providers - - - See what's coming next - - - - -## 🌟 Key Features - -:::info[Core Capabilities] -The API provides: - -- **GraphQL Interface**: Modern, flexible API with strong typing -- **Authentication**: Multiple methods including API keys, session cookies, and SSO/OIDC -- **Comprehensive Coverage**: Access to system information, array management, and Docker operations -- **Developer Tools**: Built-in GraphQL sandbox configurable via web interface or CLI -- **Role-Based Access**: Granular permission control -- **Web Management**: Manage API keys and settings through the web interface -::: - -## 🚀 Get Started - - - - -1. The API is already installed and running -2. Access settings at **Settings** → **Management Access** → **API** -3. Enable the GraphQL Sandbox for development -4. Create your first API key -5. Start making GraphQL queries! - - - - -1. Install the Unraid Connect plugin from Community Apps -2. No Unraid Connect login required for local API access -3. Configure the plugin settings -4. Enable the GraphQL Sandbox -5. Start exploring the API! - - - - -For detailed usage instructions, see the [CLI Commands](./cli) reference. diff --git a/api/docs/public/moved-to-docs-repo.md b/api/docs/public/moved-to-docs-repo.md new file mode 100644 index 000000000..d7830fb49 --- /dev/null +++ b/api/docs/public/moved-to-docs-repo.md @@ -0,0 +1 @@ +# All Content Here has been permanently moved to [Unraid Docs](https://github.com/unraid/docs) diff --git a/api/docs/public/oidc-provider-setup.md b/api/docs/public/oidc-provider-setup.md deleted file mode 100644 index f28e183dc..000000000 --- a/api/docs/public/oidc-provider-setup.md +++ /dev/null @@ -1,420 +0,0 @@ ---- -title: OIDC Provider Setup -description: Configure OIDC (OpenID Connect) providers for SSO authentication in Unraid API -sidebar_position: 3 ---- - -# OIDC Provider Setup - -:::info[What is OIDC?] -OpenID Connect (OIDC) is an authentication protocol that allows users to sign in using their existing accounts from providers like Google, Microsoft, or your corporate identity provider. It enables Single Sign-On (SSO) for seamless and secure authentication. -::: - -This guide walks you through configuring OIDC (OpenID Connect) providers for SSO authentication in the Unraid API using the web interface. - -## 🚀 Quick Start - -
-Getting to OIDC Settings - -1. Navigate to your Unraid server's web interface -2. Go to **Settings** → **Management Access** → **API** → **OIDC** -3. You'll see tabs for different providers - click the **+** button to add a new provider - -
- -### OIDC Providers Interface Overview - -![Login Page with SSO Options](./images/sso-with-options.png) -*Login page showing traditional login form with SSO options - "Login With Unraid.net" and "Sign in with Google" buttons* - -The interface includes: - -- **Provider tabs**: Each configured provider (Unraid.net, Google, etc.) appears as a tab -- **Add Provider button**: Click the **+** button to add new providers -- **Authorization Mode dropdown**: Toggle between "simple" and "advanced" modes -- **Simple Authorization section**: Configure allowed email domains and specific addresses -- **Add Item buttons**: Click to add multiple authorization rules - -## Understanding Authorization Modes - -The interface provides two authorization modes: - -### Simple Mode (Recommended) - -Simple mode is the easiest way to configure authorization. You can: - -- Allow specific email domains (e.g., @company.com) -- Allow specific email addresses -- Configure who can access your Unraid server with minimal setup - -**When to use Simple Mode:** - -- You want to allow all users from your company domain -- You have a small list of specific users -- You're new to OIDC configuration - -
-Advanced Mode - -Advanced mode provides granular control using claim-based rules. You can: - -- Create complex authorization rules based on JWT claims -- Use operators like equals, contains, endsWith, startsWith -- Combine multiple conditions with OR/AND logic -- Choose whether ANY rule must pass (OR mode) or ALL rules must pass (AND mode) - -**When to use Advanced Mode:** - -- You need to check group memberships -- You want to verify multiple claims (e.g., email domain AND verified status) -- You have complex authorization requirements -- You need fine-grained control over how rules are evaluated - -
- -## Authorization Rules - -![Authorization Rules Configuration](./images/advanced-rules.png) -*Advanced authorization rules showing JWT claim configuration with email endsWith operator for domain-based access control* - -### Simple Mode Examples - -#### Allow Company Domain - -In Simple Authorization: - -- **Allowed Email Domains**: Enter `company.com` -- This allows anyone with @company.com email - -#### Allow Specific Users - -- **Specific Email Addresses**: Add individual emails -- Click **Add Item** to add multiple addresses - -
-Advanced Mode Examples - -#### Authorization Rule Mode - -When using multiple rules, you can choose how they're evaluated: - -- **OR Mode** (default): User is authorized if ANY rule passes -- **AND Mode**: User is authorized only if ALL rules pass - -#### Email Domain with Verification (AND Mode) - -To require both email domain AND verification: - -1. Set **Authorization Rule Mode** to `AND` -2. Add two rules: - - Rule 1: - - **Claim**: `email` - - **Operator**: `endsWith` - - **Value**: `@company.com` - - Rule 2: - - **Claim**: `email_verified` - - **Operator**: `equals` - - **Value**: `true` - -This ensures users must have both a company email AND a verified email address. - -#### Group-Based Access (OR Mode) - -To allow access to multiple groups: - -1. Set **Authorization Rule Mode** to `OR` (default) -2. Add rules for each group: - - **Claim**: `groups` - - **Operator**: `contains` - - **Value**: `admins` - - Or add another rule: - - **Claim**: `groups` - - **Operator**: `contains` - - **Value**: `developers` - -Users in either `admins` OR `developers` group will be authorized. - -#### Multiple Domains - -- **Claim**: `email` -- **Operator**: `endsWith` -- **Values**: Add multiple domains (e.g., `company.com`, `subsidiary.com`) - -#### Complex Authorization (AND Mode) - -For strict security requiring multiple conditions: - -1. Set **Authorization Rule Mode** to `AND` -2. Add multiple rules that ALL must pass: - - Email must be from company domain - - Email must be verified - - User must be in specific group - - Account must have 2FA enabled (if claim available) - -
- -
-Configuration Interface Details - -### Provider Tabs - -- Each configured provider appears as a tab at the top -- Click a tab to switch between provider configurations -- The **+** button on the right adds a new provider - -### Authorization Mode Dropdown - -- **simple**: Best for email-based authorization (recommended for most users) -- **advanced**: For complex claim-based rules using JWT claims - -### Simple Authorization Fields - -When "simple" mode is selected, you'll see: - -- **Allowed Email Domains**: Enter domains without @ (e.g., `company.com`) - - Helper text: "Users with emails ending in these domains can login" -- **Specific Email Addresses**: Add individual email addresses - - Helper text: "Only these exact email addresses can login" -- **Add Item** buttons to add multiple entries - -### Advanced Authorization Fields - -When "advanced" mode is selected, you'll see: - -- **Authorization Rule Mode**: Choose `OR` (any rule passes) or `AND` (all rules must pass) -- **Authorization Rules**: Add multiple claim-based rules -- **For each rule**: - - **Claim**: The JWT claim to check - - **Operator**: How to compare (equals, contains, endsWith, startsWith) - - **Value**: What to match against - -### Additional Interface Elements - -- **Enable Developer Sandbox**: Toggle to enable GraphQL sandbox at `/graphql` -- The interface uses a dark theme for better visibility -- Field validation indicators help ensure correct configuration - -
- -### Required Redirect URI - -:::caution[Important Configuration] -All providers must be configured with this exact redirect URI format: -::: - -```bash -http://YOUR_UNRAID_IP/graphql/api/auth/oidc/callback -``` - -:::tip -Replace `YOUR_UNRAID_IP` with your actual server IP address (e.g., `192.168.1.100` or `tower.local`). -::: - -### Issuer URL Format - -The **Issuer URL** field accepts both formats, but **base URL is strongly recommended** for security: - -- **Base URL** (recommended): `https://accounts.google.com` -- **Full discovery URL**: `https://accounts.google.com/.well-known/openid-configuration` - -**⚠️ Security Note**: Always use the base URL format when possible. The system automatically appends `/.well-known/openid-configuration` for OIDC discovery. Using the full discovery URL directly disables important issuer validation checks and is not recommended by the OpenID Connect specification. - -**Examples of correct base URLs:** -- Google: `https://accounts.google.com` -- Microsoft/Azure: `https://login.microsoftonline.com/YOUR_TENANT_ID/v2.0` -- Keycloak: `https://keycloak.example.com/realms/YOUR_REALM` -- Authelia: `https://auth.yourdomain.com` - -## ✅ Testing Your Configuration - -![Login Page with SSO Buttons](./images/sso-with-options.png) -*Unraid login page displaying both traditional username/password authentication and SSO options with customized provider buttons* - -1. Save your provider configuration -2. Log out (if logged in) -3. Navigate to the login page -4. Your configured provider button should appear -5. Click to test the login flow - -## 🔧 Troubleshooting - -### Common Issues - -#### "Provider not found" error - -- Ensure the Issuer URL is correct -- Check that the provider supports OIDC discovery (/.well-known/openid-configuration) - -#### "Authorization failed" - -- In Simple Mode: Check email domains are entered correctly (without @) -- In Advanced Mode: - - Verify claim names match exactly what your provider sends - - Check if Authorization Rule Mode is set correctly (OR vs AND) - - Ensure all required claims are present in the token -- Enable debug logging to see actual claims and rule evaluation - -#### "Invalid redirect URI" - -- Ensure the redirect URI in your provider matches exactly -- Include the correct port if using a non-standard configuration -- Verify the redirect URI protocol matches your server's configuration (HTTP or HTTPS) - -#### Cannot see login button - -- Check that at least one authorization rule is configured -- Verify the provider is enabled/saved - -### Debug Mode - -To troubleshoot issues: - -1. Enable debug logging: - -```bash -LOG_LEVEL=debug unraid-api start --debug -``` - -2. Check logs for: - -- Received claims from provider -- Authorization rule evaluation -- Token validation errors - -## 🔐 Security Best Practices - -1. **Use Simple Mode for authorization** - Prevents overly accepting configurations and reduces misconfiguration risks -2. **Be specific with authorization** - Don't use overly broad rules -3. **Rotate secrets regularly** - Update client secrets periodically -4. **Test thoroughly** - Verify only intended users can access - -## 💡 Need Help? - -- Check provider's OIDC documentation -- Review Unraid API logs for detailed error messages -- Ensure your provider supports standard OIDC discovery -- Verify network connectivity between Unraid and provider - -## 🏢 Provider-Specific Setup - -### Unraid.net Provider - -The Unraid.net provider is built-in and pre-configured. You only need to configure authorization rules in the interface. - -**Configuration:** - -- **Issuer URL**: Pre-configured (built-in provider) -- **Client ID/Secret**: Pre-configured (built-in provider) -- **Redirect URI**: `http://YOUR_UNRAID_IP/graphql/api/auth/oidc/callback` - -:::tip[Redirect URI Protocol] -**Match the protocol to your server setup:** Use `http://` if accessing your Unraid server without SSL/TLS (typical for local network access). Use `https://` if you've configured SSL/TLS on your server. Some OIDC providers (like Google) require HTTPS and won't accept HTTP redirect URIs. -::: - -Configure authorization rules using Simple Mode (allowed email domains/addresses) or Advanced Mode for complex requirements. - -### Google - -
-📋 Setup Steps - -Set up OAuth 2.0 credentials in [Google Cloud Console](https://console.cloud.google.com/): - -1. Go to **APIs & Services** → **Credentials** -2. Click **Create Credentials** → **OAuth client ID** -3. Choose **Web application** as the application type -4. Add your redirect URI to **Authorized redirect URIs** -5. Configure the OAuth consent screen if prompted - -
- -**Configuration:** - -- **Issuer URL**: `https://accounts.google.com` -- **Client ID/Secret**: From your OAuth 2.0 client credentials -- **Required Scopes**: `openid`, `profile`, `email` -- **Redirect URI**: `http://YOUR_UNRAID_IP/graphql/api/auth/oidc/callback` - -:::warning[Google Domain Requirements] -**Google requires valid domain names for OAuth redirect URIs.** Local IP addresses and `.local` domains are not accepted. To use Google OAuth with your Unraid server, you'll need: - -- **Option 1: Reverse Proxy** - Set up a reverse proxy (like NGINX Proxy Manager or Traefik) with a valid domain name pointing to your Unraid API -- **Option 2: Tailscale** - Use Tailscale to get a valid `*.ts.net` domain that Google will accept -- **Option 3: Dynamic DNS** - Use a DDNS service to get a public domain name for your server - -Remember to update your redirect URI in both Google Cloud Console and your Unraid OIDC configuration to use the valid domain. -::: - -For Google Workspace domains, use Advanced Mode with the `hd` claim to restrict access to your organization's domain. - -### Authelia - -Configure OIDC client in your Authelia `configuration.yml` with client ID `unraid-api` and generate a hashed secret using the Authelia hash-password command. - -**Configuration:** - -- **Issuer URL**: `https://auth.yourdomain.com` -- **Client ID**: `unraid-api` (or as configured in Authelia) -- **Client Secret**: Your unhashed secret -- **Required Scopes**: `openid`, `profile`, `email`, `groups` -- **Redirect URI**: `http://YOUR_UNRAID_IP/graphql/api/auth/oidc/callback` - -Use Advanced Mode with `groups` claim for group-based authorization. - -### Microsoft/Azure AD - -Register a new app in [Azure Portal](https://portal.azure.com/) under Azure Active Directory → App registrations. Note the Application ID, create a client secret, and note your tenant ID. - -**Configuration:** - -- **Issuer URL**: `https://login.microsoftonline.com/YOUR_TENANT_ID/v2.0` -- **Client ID**: Your Application (client) ID -- **Client Secret**: Generated client secret -- **Required Scopes**: `openid`, `profile`, `email` -- **Redirect URI**: `http://YOUR_UNRAID_IP/graphql/api/auth/oidc/callback` - -Authorization rules can be configured in the interface using email domains or advanced claims. - -### Keycloak - -Create a new confidential client in Keycloak Admin Console with `openid-connect` protocol and copy the client secret from the Credentials tab. - -**Configuration:** - -- **Issuer URL**: `https://keycloak.example.com/realms/YOUR_REALM` -- **Client ID**: `unraid-api` (or as configured in Keycloak) -- **Client Secret**: From Keycloak Credentials tab -- **Required Scopes**: `openid`, `profile`, `email` -- **Redirect URI**: `http://YOUR_UNRAID_IP/graphql/api/auth/oidc/callback` - -For role-based authorization, use Advanced Mode with `realm_access.roles` or `resource_access` claims. - -### Authentik - -Create a new OAuth2/OpenID Provider in Authentik, then create an Application and link it to the provider. - -**Configuration:** - -- **Issuer URL**: `https://authentik.example.com/application/o//` -- **Client ID**: From Authentik provider configuration -- **Client Secret**: From Authentik provider configuration -- **Required Scopes**: `openid`, `profile`, `email` -- **Redirect URI**: `http://YOUR_UNRAID_IP/graphql/api/auth/oidc/callback` - -Authorization rules can be configured in the interface. - -### Okta - -Create a new OIDC Web Application in Okta Admin Console and assign appropriate users or groups. - -**Configuration:** - -- **Issuer URL**: `https://YOUR_DOMAIN.okta.com` -- **Client ID**: From Okta application configuration -- **Client Secret**: From Okta application configuration -- **Required Scopes**: `openid`, `profile`, `email` -- **Redirect URI**: `http://YOUR_UNRAID_IP/graphql/api/auth/oidc/callback` - -Authorization rules can be configured in the interface using email domains or advanced claims. diff --git a/api/docs/public/programmatic-api-key-management.md b/api/docs/public/programmatic-api-key-management.md deleted file mode 100644 index d306e9759..000000000 --- a/api/docs/public/programmatic-api-key-management.md +++ /dev/null @@ -1,252 +0,0 @@ ---- -title: Programmatic API Key Management -description: Create, use, and delete API keys programmatically for automated workflows -sidebar_position: 4 ---- - -# Programmatic API Key Management - -This guide explains how to create, use, and delete API keys programmatically using the Unraid API CLI, enabling automated workflows and scripts. - -## Overview - -The `unraid-api apikey` command supports both interactive and non-interactive modes, making it suitable for: - -- Automated deployment scripts -- CI/CD pipelines -- Temporary access provisioning -- Infrastructure as code workflows - -:::tip[Quick Start] -Jump to the [Complete Workflow Example](#complete-workflow-example) to see everything in action. -::: - -## Creating API Keys Programmatically - -### Basic Creation with JSON Output - -Use the `--json` flag to get machine-readable output: - -```bash -unraid-api apikey --create --name "workflow key" --roles ADMIN --json -``` - -**Output:** - -```json -{ - "key": "your-generated-api-key-here", - "name": "workflow key", - "id": "generated-uuid" -} -``` - -### Advanced Creation with Permissions - -```bash -unraid-api apikey --create \ - --name "limited access key" \ - --permissions "DOCKER:READ_ANY,ARRAY:READ_ANY" \ - --description "Read-only access for monitoring" \ - --json -``` - -### Handling Existing Keys - -If a key with the same name exists, use `--overwrite`: - -```bash -unraid-api apikey --create --name "existing key" --roles ADMIN --overwrite --json -``` - -:::warning[Key Replacement] -The `--overwrite` flag will permanently replace the existing key. The old key will be immediately invalidated. -::: - -## Deleting API Keys Programmatically - -### Non-Interactive Deletion - -Delete a key by name without prompts: - -```bash -unraid-api apikey --delete --name "workflow key" -``` - -**Output:** - -``` -Successfully deleted 1 API key -``` - -### JSON Output for Deletion - -Use `--json` flag for machine-readable delete confirmation: - -```bash -unraid-api apikey --delete --name "workflow key" --json -``` - -**Success Output:** - -```json -{ - "deleted": 1, - "keys": [ - { - "id": "generated-uuid", - "name": "workflow key" - } - ] -} -``` - -**Error Output:** - -```json -{ - "deleted": 0, - "error": "No API key found with name: nonexistent key" -} -``` - -### Error Handling - -When the specified key doesn't exist: - -```bash -unraid-api apikey --delete --name "nonexistent key" -# Output: No API keys found to delete -``` - -**JSON Error Output:** - -```json -{ - "deleted": 0, - "message": "No API keys found to delete" -} -``` - -## Complete Workflow Example - -Here's a complete example for temporary access provisioning: - -```bash -#!/bin/bash -set -e - -# 1. Create temporary API key -echo "Creating temporary API key..." -KEY_DATA=$(unraid-api apikey --create \ - --name "temp deployment key" \ - --roles ADMIN \ - --description "Temporary key for deployment $(date)" \ - --json) - -# 2. Extract the API key -API_KEY=$(echo "$KEY_DATA" | jq -r '.key') -echo "API key created successfully" - -# 3. Use the key for operations -echo "Configuring services..." -curl -H "Authorization: Bearer $API_KEY" \ - -H "Content-Type: application/json" \ - -d '{"provider": "azure", "clientId": "your-client-id"}' \ - http://localhost:3001/graphql - -# 4. Clean up (always runs, even on error) -trap 'echo "Cleaning up..."; unraid-api apikey --delete --name "temp deployment key"' EXIT - -echo "Deployment completed successfully" -``` - -## Command Reference - -### Create Command Options - -| Flag | Description | Example | -| ----------------------- | ----------------------- | --------------------------------- | -| `--name ` | Key name (required) | `--name "my key"` | -| `--roles ` | Comma-separated roles | `--roles ADMIN,VIEWER` | -| `--permissions ` | Resource:action pairs | `--permissions "DOCKER:READ_ANY"` | -| `--description ` | Key description | `--description "CI/CD key"` | -| `--overwrite` | Replace existing key | `--overwrite` | -| `--json` | Machine-readable output | `--json` | - -### Available Roles - -- `ADMIN` - Full system access -- `CONNECT` - Unraid Connect features -- `VIEWER` - Read-only access -- `GUEST` - Limited access - -### Available Resources and Actions - -**Resources:** `ACTIVATION_CODE`, `API_KEY`, `ARRAY`, `CLOUD`, `CONFIG`, `CONNECT`, `CONNECT__REMOTE_ACCESS`, `CUSTOMIZATIONS`, `DASHBOARD`, `DISK`, `DISPLAY`, `DOCKER`, `FLASH`, `INFO`, `LOGS`, `ME`, `NETWORK`, `NOTIFICATIONS`, `ONLINE`, `OS`, `OWNER`, `PERMISSION`, `REGISTRATION`, `SERVERS`, `SERVICES`, `SHARE`, `VARS`, `VMS`, `WELCOME` - -**Actions:** `CREATE_ANY`, `CREATE_OWN`, `READ_ANY`, `READ_OWN`, `UPDATE_ANY`, `UPDATE_OWN`, `DELETE_ANY`, `DELETE_OWN` - -### Delete Command Options - -| Flag | Description | Example | -| --------------- | ------------------------ | ----------------- | -| `--delete` | Enable delete mode | `--delete` | -| `--name ` | Key to delete (optional) | `--name "my key"` | - -**Note:** If `--name` is omitted, the command runs interactively. - -## Best Practices - -:::info[Security Best Practices] -**Minimal Permissions** - -- Use specific permissions instead of ADMIN role when possible -- Example: `--permissions "DOCKER:READ_ANY"` instead of `--roles ADMIN` - -**Key Lifecycle Management** - -- Always clean up temporary keys after use -- Store API keys securely (environment variables, secrets management) -- Use descriptive names and descriptions for audit trails - ::: - -### Error Handling - -- Check exit codes (`$?`) after each command -- Use `set -e` in bash scripts to fail fast -- Implement proper cleanup with `trap` - -### Key Naming - -- Use descriptive names that include purpose and date -- Names must contain only letters, numbers, and spaces -- Unicode letters are supported - -## Troubleshooting - -### Common Issues - -:::note[Common Error Messages] - -**"API key name must contain only letters, numbers, and spaces"** - -- **Solution:** Remove special characters like hyphens, underscores, or symbols - -**"API key with name 'x' already exists"** - -- **Solution:** Use `--overwrite` flag or choose a different name - -**"Please add at least one role or permission to the key"** - -- **Solution:** Specify either `--roles` or `--permissions` (or both) - -::: - -### Debug Mode - -For troubleshooting, run with debug logging: - -```bash -LOG_LEVEL=debug unraid-api apikey --create --name "debug key" --roles ADMIN -``` diff --git a/api/docs/public/upcoming-features.md b/api/docs/public/upcoming-features.md deleted file mode 100644 index eb9949e86..000000000 --- a/api/docs/public/upcoming-features.md +++ /dev/null @@ -1,172 +0,0 @@ ---- -title: Roadmap & Features -description: Current status and upcoming features for the Unraid API -sidebar_position: 10 ---- - -# Roadmap & Features - -:::info Development Status -This roadmap outlines completed and planned features for the Unraid API. Features and timelines may change based on development priorities and community feedback. -::: - -## Feature Status Legend - -| Status | Description | -|--------|-------------| -| ✅ **Done** | Feature is complete and available | -| 🚧 **In Progress** | Currently under active development | -| 📅 **Planned** | Scheduled for future development | -| 💡 **Under Consideration** | Being evaluated for future inclusion | - -## Core Infrastructure - -### Completed Features ✅ - -| Feature | Available Since | -|---------|-----------------| -| **API Development Environment Improvements** | v4.0.0 | -| **Include API in Unraid OS** | Unraid v7.2-beta.1 | -| **Separate API from Connect Plugin** | Unraid v7.2-beta.1 | - -### Upcoming Features 📅 - -| Feature | Target Timeline | -|---------|-----------------| -| **Make API Open Source** | Q1 2025 | -| **Developer Tools for Plugins** | Q2 2025 | - -## Security & Authentication - -### Completed Features ✅ - -| Feature | Available Since | -|---------|-----------------| -| **Permissions System Rewrite** | v4.0.0 | -| **OIDC/SSO Support** | Unraid v7.2-beta.1 | - -### In Development 🚧 - -- **User Interface Component Library** - Enhanced security components for the UI - -## User Interface Improvements - -### Planned Features 📅 - -| Feature | Target Timeline | Description | -|---------|-----------------|-------------| -| **New Settings Pages** | Q2 2025 | Modernized settings interface with improved UX | -| **Custom Theme Creator** | Q2-Q3 2025 | Allow users to create and share custom themes | -| **New Connect Settings Interface** | Q1 2025 | Redesigned Unraid Connect configuration | - -## Array Management - -### Completed Features ✅ - -| Feature | Available Since | -|---------|-----------------| -| **Array Status Monitoring** | v4.0.0 | - -### Planned Features 📅 - -| Feature | Target Timeline | Description | -|---------|-----------------|-------------| -| **Storage Pool Creation Interface** | Q2 2025 | Simplified pool creation workflow | -| **Storage Pool Status Interface** | Q2 2025 | Real-time pool health monitoring | - -## Docker Integration - -### Completed Features ✅ - -| Feature | Available Since | -|---------|-----------------| -| **Docker Container Status Monitoring** | v4.0.0 | - -### Planned Features 📅 - -| Feature | Target Timeline | Description | -|---------|-----------------|-------------| -| **New Docker Status Interface Design** | Q3 2025 | Modern container management UI | -| **New Docker Status Interface** | Q3 2025 | Implementation of new design | -| **Docker Container Setup Interface** | Q3 2025 | Streamlined container deployment | -| **Docker Compose Support** | TBD | Native docker-compose.yml support | - -## Share Management - -### Completed Features ✅ - -| Feature | Available Since | -|---------|-----------------| -| **Array/Cache Share Status Monitoring** | v4.0.0 | - -### Under Consideration 💡 - -- **Storage Share Creation & Settings** - Enhanced share configuration options -- **Storage Share Management Interface** - Unified share management dashboard - -## Plugin System - -### Planned Features 📅 - -| Feature | Target Timeline | Description | -|---------|-----------------|-------------| -| **New Plugins Interface** | Q3 2025 | Redesigned plugin management UI | -| **Plugin Management Interface** | TBD | Advanced plugin configuration | -| **Plugin Development Tools** | TBD | SDK and tooling for developers | - -## Notifications - -### Completed Features ✅ - -| Feature | Available Since | -|---------|-----------------| -| **Notifications System** | v4.0.0 | -| **Notifications Interface** | v4.0.0 | - ---- - -## Recent Releases - -:::info Full Release History -For a complete list of all releases, changelogs, and download links, visit the [Unraid API GitHub Releases](https://github.com/unraid/api/releases) page. -::: - -### Unraid v7.2-beta.1 Highlights - -- 🎉 **API included in Unraid OS** - Native integration -- 🔐 **OIDC/SSO Support** - Enterprise authentication -- 📦 **Standalone API** - Separated from Connect plugin - -### v4.0.0 Highlights - -- 🛡️ **Permissions System Rewrite** - Enhanced security -- 📊 **Comprehensive Monitoring** - Array, Docker, and Share status -- 🔔 **Notifications System** - Real-time alerts and notifications -- 🛠️ **Developer Environment** - Improved development tools - -## Community Feedback - -:::tip Have a Feature Request? -We value community input! Please submit feature requests and feedback through: - -- [Unraid Forums](https://forums.unraid.net) -- [GitHub Issues](https://github.com/unraid/api/issues) - API is open source! - -::: - -## Version Support - -| Unraid Version | API Version | Support Status | -|----------------|-------------|----------------| -| Unraid v7.2-beta.1+ | Latest | ✅ Active | -| 7.0 - 7.1.x | v4.x via Plugin | ⚠️ Limited | -| 6.12.x | v4.x via Plugin | ⚠️ Limited | -| < 6.12 | Not Supported | ❌ EOL | - -:::warning Legacy Support -Versions prior to Unraid 7.2 require the API to be installed through the Unraid Connect plugin. Some features may not be available on older versions. -::: - -:::tip Pre-release Versions -You can always install the Unraid Connect plugin to access pre-release versions of the API and get early access to new features before they're included in Unraid OS releases. -:::