App Submission: Phantombot

[kriakiku]

App Submission

App name

Phantombot

Disclamer

• The service is required to run over HTTPS; otherwise, users won’t be able to connect their Twitch accounts. As a result, the proxy_server is not included in the docker-compose.
• I had to retain the root user, as the application fails to start otherwise.

256x256 SVG icon

https://svgshare.com/i/1BJ0.svg

Gallery images

1.png:

1.png (original):

2.png:

3.png:

4.png:

5.png:

I have tested my app on:

• umbrelOS on a Raspberry Pi
• umbrelOS on an Umbrel Home
• umbrelOS on Linux VM

[kriakiku]

Custom AppStore: https://github.com/kriakiku/umbrel-app-store

[github-actions]

🎉   Linting finished with no errors or warnings   🎉

Thank you for your submission! This is an automated linter that checks for common issues in pull requests to the Umbrel App Store.

Please review the linting results below and make any necessary changes to your submission.

Linting Results

Severity	File	Description
ℹ️	phantombot/docker-compose.yml	External port mapping "${APP_PHANTOM_SERVER_PORT}:${APP_PHANTOM_SERVER_PORT}": Port mappings may be unnecessary for the app to function correctly. Docker's internal DNS resolves container names to IP addresses within the same network. External access to the web interface is handled by the app_proxy container. Port mappings are only needed if external access is required to a port not proxied by the app_proxy, or if an app needs to expose multiple ports for its functionality (e.g., DHCP, DNS, P2P, etc.).

Legend

Symbol	Description
❌	Error: This must be resolved before this PR can be merged.
⚠️	Warning: This is highly encouraged to be resolved, but is not strictly mandatory.
ℹ️	Info: This is just for your information.

[kriakiku]

@nmfretz Hi! Is there anything else required from me for the approval of this merge request?

[kriakiku]

[nmfretz]

Thanks for submitting PhantomBot @kriakiku. This looks like a fantastic addition!

Really sorry for the delay in reviewing this. I'll try and be more prompt in follow-ups here, but sometimes I'll have my focus elsewhere.

I've left a review below. Once addressed I can give the app a test. Let me know if anything is confusing or if I've misunderstood something and I can take another look.

[nmfretz]

Umbrel's app proxy service should be added here as the first service, which can then point to the phantombot_server_1 container and default port 25000. That way you can remove the port mapping in your server service and then PhantomBot will running behind our transparent proxy and inherit the security properties of our umbrel auth:

firefox example to follow

umbrel-apps/firefox/docker-compose.yml

Lines 3 to 7 in 2dbb418

	services:
	app_proxy:
	environment:
	APP_HOST: firefox_server_1
	APP_PORT: 3000

• By default, we only let requests through the proxy if the user already has a valid auth cookie from the Umbrel homescreen. So if the PhantomBot dashboard has no auth of its own, it will still be protected by ours. This gives a good UX because there's zero friction for Umbrel users... they can just access the dashboard without re-entering any credentials if they are already logged in to their Umbrel.
• It also has the benefit of inheriting other security properties of Umbrel auth, such as 2FA if they have it enabled on their Umbrel. They would then get 2FA security for all apps behind the auth proxy too.
• And then if you need to allow external connections to PhantomBot running on port 25000 (e.g., not to the UI but to the api or something), you can whitelist certain routes, so that the web UI is protected by auth, but something like /api/* isn't:

e.g., adding this env var to the proxy container

PROXY_AUTH_WHITELIST: "/api/*"

• You can also disable the auth portion of the app proxy container entirely with this env var:

PROXY_AUTH_ADD: "false"

[nmfretz]

If possible, we want to avoid running services as root. I haven't looked at the phantombot Dockerfile to see how they build the image so we might be stuck with this. But we should check if it is possible to run this non-root as the umbrel user (1000:1000).

[nmfretz]

This ports section can be removed entirely once the app proxy service is added

[nmfretz]

I haven't tested this submission yet, but I'd imagine this forces user to use https, so they'd click the app and go to https://umbrel.local:25000, is that right? If so they'll be met with the big scary insecure warning that we shouldn't be teaching the average umbrel user to just click through.

We can set this to false, so the user is accessing over http on their local network.

[nmfretz]

if this is the default port that phantombot runs on, then this can be removed entirely #1608 (comment)

[nmfretz]

If this is the default port, then this entire exports.sh should be removed for simplicity

[nmfretz]

This entire icon line can be removed. We'll host the icon here: https://github.com/getumbrel/umbrel-apps-gallery

And the icon rendering logic in umbrelOS will grab the correct icon.

[nmfretz]

Awesome work adding these!

If users can navigate to these links by clicking things within the UI, then I would suggest making these instructions more generic. For example, telling the user to "navigate to the oauth settings" instead of providing a specific link.

My reasoning here is that:

1. These links may change in future app updates and it will be difficult to remember to update the app description

2. It's possible that the user accesses their umbrel at a different hostname than umbrel.local. For example, they may access their umbrel via local IP address, or by Tailscale, or if they have multiple Umbrel devices they may be using umbrel-2.local

[kriakiku]

Hey! I’ll try to make the changes in the coming days.

[nmfretz]

Converting to draft for now to keep things organized. @kriakiku ping me as soon as you're ready for me to test!