mirror of
https://github.com/jmagar/unraid-mcp.git
synced 2026-03-23 12:39:24 -07:00
Security:
- Remove /mnt/ from _ALLOWED_LOG_PREFIXES to prevent Unraid share exposure
- Add early .. detection for disk/logs and live/log_tail path validation
- Add /boot/ prefix restriction for flash_backup source_path
- Use hmac.compare_digest for timing-safe API key verification in server.py
- Gate include_traceback on DEBUG log level (no tracebacks in production)

Correctness:
- Re-raise CredentialsNotConfiguredError in health check instead of swallowing
- Fix ups_device query (remove non-existent nominalPower/currentPower fields)

Best practices (BP-01, BP-05, BP-06):
- Add # noqa: ASYNC109 to timeout params in _handle_live and unraid()
- Fix start_array* → start_array in docstring (not in ARRAY_DESTRUCTIVE)
- Remove from __future__ import annotations from snapshot.py
- Replace import-time UNRAID_API_KEY/URL bindings with _settings.ATTR pattern in manager.py, snapshot.py, utils.py, diagnostics.py — fixes stale binding after apply_runtime_config() post-elicitation (BP-05)

CI/CD:
- Add .github/workflows/ci.yml (5-job pipeline: lint, typecheck, test, version-sync, audit)
- Add fail_under = 80 to [tool.coverage.report]
- Add version sync check to scripts/validate-marketplace.sh

Documentation:
- Sync plugin.json version 1.1.1 → 1.1.2 with pyproject.toml
- Update CLAUDE.md: 3 tools, system domain count 18, scripts comment fix
- Update README.md: 3 tools, security notes
- Update docs/AUTHENTICATION.md: H1 title fix
- Add UNRAID_CREDENTIALS_DIR to .env.example

Bump: 1.1.1 → 1.1.2

Co-Authored-By: Claude <noreply@anthropic.com>
81 lines
3.1 KiB
Plaintext
# Unraid MCP Server Configuration
# =================================

# Core API Configuration (Required)
# ---------------------------------
UNRAID_API_URL=https://your-unraid-server-url/graphql
UNRAID_API_KEY=your_unraid_api_key

# MCP Server Settings
# -------------------
UNRAID_MCP_TRANSPORT=streamable-http # Options: streamable-http (recommended), sse (deprecated), stdio
UNRAID_MCP_HOST=0.0.0.0
UNRAID_MCP_PORT=6970

# Logging Configuration
# ---------------------
UNRAID_MCP_LOG_LEVEL=INFO # Options: DEBUG, INFO, WARNING, ERROR
UNRAID_MCP_LOG_FILE=unraid-mcp.log # Log file name (saved to logs/ directory)

# SSL/TLS Configuration
# --------------------
# Set to 'false' or '0' to disable SSL verification (e.g., for self-signed certificates)
# Set to 'true' or '1' to enable SSL verification (default)
# Set to a file path to use a custom CA bundle
UNRAID_VERIFY_SSL=true

# Real-time Subscription Configuration
# ------------------------------------
# Enable automatic subscription startup (true/false)
UNRAID_AUTO_START_SUBSCRIPTIONS=true

# Maximum WebSocket reconnection attempts (numeric)
UNRAID_MAX_RECONNECT_ATTEMPTS=10

# Optional: Custom log file path for subscription auto-start diagnostics
# Defaults to standard log if not specified
# UNRAID_AUTOSTART_LOG_PATH=/custom/path/to/autostart.log

# Credentials Directory Override (Optional)
# -----------------------------------------
# Override the credentials directory (default: ~/.unraid-mcp/)
# UNRAID_CREDENTIALS_DIR=/custom/path/to/credentials

# Google OAuth Protection (Optional)
# -----------------------------------
# Protects the MCP HTTP server — clients must authenticate with Google before calling tools.
# Requires streamable-http or sse transport (not stdio).
#
# Setup:
# 1. Google Cloud Console → APIs & Services → Credentials
# 2. Create OAuth 2.0 Client ID (Web application)
# 3. Authorized redirect URIs: <UNRAID_MCP_BASE_URL>/auth/callback
# 4. Copy Client ID and Client Secret below
#
# UNRAID_MCP_BASE_URL: Public URL clients use to reach THIS server (for redirect URIs).
# Examples:
# http://10.1.0.2:6970 (LAN)
# http://100.x.x.x:6970 (Tailscale)
# https://mcp.yourdomain.com (reverse proxy)
#
# UNRAID_MCP_JWT_SIGNING_KEY: Stable secret for signing FastMCP JWT tokens.
# Generate once: python3 -c "import secrets; print(secrets.token_hex(32))"
# NEVER change after first use — all client sessions will be invalidated.
#
# Leave GOOGLE_CLIENT_ID empty to disable OAuth (server runs unprotected).
# GOOGLE_CLIENT_ID=
# GOOGLE_CLIENT_SECRET=
# UNRAID_MCP_BASE_URL=http://10.1.0.2:6970
# UNRAID_MCP_JWT_SIGNING_KEY=<generate with command above>

# API Key Authentication (Optional)
# -----------------------------------
# Alternative to Google OAuth — clients present this key as a bearer token:
# Authorization: Bearer <UNRAID_MCP_API_KEY>
#
# Can be the same value as UNRAID_API_KEY (reuse your Unraid key), or a
# separate dedicated secret. Set both GOOGLE_CLIENT_ID and UNRAID_MCP_API_KEY
# to accept either auth method (MultiAuth).
#
# Leave empty to disable API key auth.
# UNRAID_MCP_API_KEY=
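
A pre-deployment check for the settings documented in this file, added here as an example (it is not part of the unraid-mcp repository). The function names, finding labels and the assumed default transport are this example's own; the rules follow the comments in the file above, and the key-reuse finding is the example's own policy, since the file permits reuse.

```python
# Added example: audit an unraid-mcp style .env for risky combinations.
# Finding labels are hypothetical; they are not emitted by the project itself.

def parse_env(text):
    """Return {KEY: value} for uncommented KEY=value lines, dropping inline comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.split(" #", 1)[0].strip()
    return env

def audit(env):
    """Return a list of finding labels for the parsed settings."""
    findings = []
    # Assumption: an unset transport behaves like the recommended streamable-http.
    transport = env.get("UNRAID_MCP_TRANSPORT", "streamable-http")
    oauth = bool(env.get("GOOGLE_CLIENT_ID"))
    api_key = bool(env.get("UNRAID_MCP_API_KEY"))
    # 'false' or '0' disables certificate verification; any other value is
    # either an enable flag or a CA bundle path.
    if env.get("UNRAID_VERIFY_SSL", "true").lower() in ("false", "0"):
        findings.append("tls-verify-disabled")
    # With neither OAuth nor an API key, an HTTP transport runs unprotected.
    if transport != "stdio" and not (oauth or api_key):
        findings.append("http-unauthenticated")
        if env.get("UNRAID_MCP_HOST") == "0.0.0.0":
            findings.append("unauthenticated-on-all-interfaces")
    if oauth and transport == "stdio":
        findings.append("oauth-needs-http-transport")
    if oauth and not env.get("UNRAID_MCP_JWT_SIGNING_KEY"):
        findings.append("oauth-without-jwt-signing-key")
    # Policy of this example only: prefer a dedicated MCP secret.
    if api_key and env["UNRAID_MCP_API_KEY"] == env.get("UNRAID_API_KEY"):
        findings.append("mcp-key-reuses-unraid-key")
    return findings

# Constructed sample input, modelled on the template above.
SAMPLE = """\
UNRAID_API_KEY=your_unraid_api_key
UNRAID_MCP_TRANSPORT=streamable-http # Options: streamable-http, sse, stdio
UNRAID_MCP_HOST=0.0.0.0
UNRAID_VERIFY_SSL=false
# GOOGLE_CLIENT_ID=
# UNRAID_MCP_API_KEY=
"""

if __name__ == "__main__":
    print("\n".join(audit(parse_env(SAMPLE))))
```

A secret whose value itself contains " #" would be truncated by the inline-comment handling in parse_env.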