2026-04-07 23:24:30 +02:00
app.py first commit 2026-04-07 23:24:30 +02:00
Caddyfile first commit 2026-04-07 23:24:30 +02:00
docker-compose.yml first commit 2026-04-07 23:24:30 +02:00
Dockerfile first commit 2026-04-07 23:24:30 +02:00
README.md first commit 2026-04-07 23:24:30 +02:00
requirements.txt first commit 2026-04-07 23:24:30 +02:00

Icarus Server Restarter

A minimal, password-protected web UI that lets non-technical users restart an Icarus dedicated game server running in Docker — without SSH access or any command-line knowledge.

Overview

The restarter runs as a companion Docker container alongside the game server. It exposes a single web page with a password prompt and a Restart Server button. Under the hood it talks to the Docker daemon via the mounted socket to restart the target container.

A Caddy reverse proxy container handles automatic HTTPS via Let's Encrypt.

Features

  • Single-purpose UI — one button, no clutter.
  • Password protection — session-based login via a shared password.
  • Automatic HTTPS — Caddy obtains and renews TLS certificates.
  • Cooldown guard — prevents accidental rapid restarts (default: 30 s).
  • Live status indicator — shows whether the game server container is running or stopped.
  • Production-ready — served by Gunicorn, minimal attack surface.

Project Structure

.
├── docker-compose.yml      # Game server + restarter + Caddy
├── Caddyfile               # Caddy reverse proxy configuration
└── icarus-restarter/
    ├── app.py              # Flask application
    ├── Dockerfile          # Container build instructions
    └── requirements.txt    # Python dependencies

Quick Start

1. Place files

Put the icarus-restarter/ directory, Caddyfile, and docker-compose.yml in the same folder:

~/icarus/
├── docker-compose.yml
├── Caddyfile
└── icarus-restarter/
    ├── app.py
    ├── Dockerfile
    └── requirements.txt

2. Configure your domain

Edit Caddyfile and replace icarus.example.com with your actual domain or subdomain. Ensure the DNS A record points to your server's public IP.

3. Configure environment variables

Edit the restarter service in docker-compose.yml:

Variable          Description                                       Default
UI_PASSWORD       Password your group enters on the web page        changeme
CONTAINER_NAME    Name of the game server container to restart      icarus-styx
COOLDOWN_SECONDS  Minimum seconds between restarts                  30
SECRET_KEY        Flask session signing key (use a random string)   auto-generated

Generate a random secret key:

python3 -c "import secrets; print(secrets.token_urlsafe(32))"

4. Start everything

docker-compose up -d --build

Caddy will automatically obtain a TLS certificate. The restarter UI is then available at https://icarus.example.com.

5. Firewall

Only the game ports and HTTP/HTTPS need to be open:

# Example with ufw
sudo ufw allow 80/tcp    # Caddy (ACME challenges + redirect)
sudo ufw allow 443/tcp   # Caddy (HTTPS)
sudo ufw allow 17778/udp # Icarus game
sudo ufw allow 27016/udp # Icarus query

Port 8080 is only exposed internally between containers and should not be opened on the firewall.

How It Works

  1. A user visits https://icarus.example.com and enters the shared password.
  2. The Flask app validates the password and creates a session cookie.
  3. The user sees the container status and a Restart Server button.
  4. Clicking the button sends a POST to /api/restart.
  5. The app calls container.restart() via the Docker SDK.
  6. A 30-second cooldown prevents repeated restarts.
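
The gate behind steps 2 to 6, as an added example that is not the project's app.py: a constant-time shared-password check and a race-free cooldown placed in front of the restart call. The names RestartGate, restart_fn and demo, and the HTTP status codes, are assumptions made for illustration; restart_fn stands in for container.restart().

```python
import hmac
import threading
import time


class RestartGate:
    """Shared-password check plus cooldown in front of a restart action."""

    def __init__(self, password, restart_fn, cooldown_seconds=30, clock=time.monotonic):
        if not password or password == "changeme":
            raise ValueError("set UI_PASSWORD to a non-default value")
        self._password = password.encode()
        self._restart_fn = restart_fn  # stands in for container.restart()
        self._cooldown = cooldown_seconds
        self._clock = clock
        self._lock = threading.Lock()
        self._last = None  # clock value of the last accepted restart

    def check_password(self, candidate):
        # compare_digest avoids the content-dependent early exit of ==
        return hmac.compare_digest(candidate.encode(), self._password)

    def restart(self, authenticated):
        """Return (http_status, message) for a POST to /api/restart."""
        if not authenticated:
            return 401, "login required"
        with self._lock:  # two simultaneous clicks must not both pass
            now = self._clock()
            if self._last is not None and now - self._last < self._cooldown:
                return 429, "cooldown active"
            self._last = now  # claim the slot before the slow Docker call
        try:
            self._restart_fn()
        except Exception:
            return 502, "restart failed"  # cooldown stays, so a failing daemon is not hammered
        return 200, "restarting"


def demo():
    """Constructed run: fake clock, and a counter instead of a Docker call."""
    now, calls = [1000.0], []
    gate = RestartGate("correct horse", lambda: calls.append(1), 30, lambda: now[0])
    ok = gate.check_password("correct horse")
    statuses = [gate.restart(gate.check_password("wrong"))[0], gate.restart(ok)[0]]
    now[0] += 10
    statuses.append(gate.restart(ok)[0])  # 10 s later: still cooling down
    now[0] += 20
    statuses.append(gate.restart(ok)[0])  # 30 s later: allowed again
    return statuses, len(calls)
```

The cooldown state here lives in one process. Gunicorn workers are separate processes, so with more than one worker each keeps its own timer unless the timestamp is moved to shared storage.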

Security Considerations

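  • Docker socket — The socket is mounted read-only (:ro). The app only calls restart on a single named container. However, read-only Docker socket access still grants significant privileges: the :ro flag protects the socket file, not the Docker API behind it, so any code running in the restarter container can send the daemon any API request, not just restart. The container should not be exposed without TLS and a strong password.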
  • Password storage — The password is stored in plain text in the compose environment. For higher security, use Docker secrets or a .env file with restricted permissions.
  • Session secret — Set SECRET_KEY to a strong random value. If left unset, a random key is generated at startup, which means sessions are invalidated on every container restart.
  • IP restriction — The Caddyfile includes a commented-out example for restricting access to specific IP ranges. Uncomment and adjust if your group has static IPs.

Troubleshooting

Container not found
Verify CONTAINER_NAME matches the container_name in your game server service definition. Run docker ps to confirm.
Permission denied on Docker socket
The restarter container needs access to /var/run/docker.sock. The default setup mounts it read-only, which is sufficient for restart operations.
Caddy not issuing certificates
Ensure ports 80 and 443 are open and the DNS A record is correct. Check logs with docker logs icarus-caddy.

License

Do whatever you want with it.