# DIUN Webhook Dashboard

A Go web app that receives [DIUN](https://crazymax.dev/diun/) webhook events and shows image updates in a modern dashboard. Events are persisted to SQLite so they survive restarts.

- Receives DIUN webhooks at `POST /webhook`
- Serves a React SPA dashboard at `/`
- REST API for updates, tags, and acknowledgements
- Persistent storage via SQLite (`diun.db`)
- Tag/group system to organize images
- Dismiss (acknowledge) updates you've reviewed
- Optional webhook authentication via `WEBHOOK_SECRET`

## Quick Start

### Docker Compose (recommended)

```bash
# Pulls from Gitea registry, persists DB to a named volume
docker compose up -d
# open http://localhost:8080
```

### Standalone Docker

```bash
docker build -t diun-webhook-dashboard .
docker run --rm -p 8080:8080 -v diun-data:/data \
  -e DB_PATH=/data/diun.db \
  diun-webhook-dashboard
```

### From Source

```bash
cd frontend && bun install && bun run build && cd ..
go run ./cmd/diunwebhook/
```

See [CONTRIBUTING.md](CONTRIBUTING.md) for full development setup, testing, and build instructions.

## Configuration

### Environment Variables

| Variable | Default | Description |
|----------|---------|-------------|
| `PORT` | `8080` | HTTP listen port |
| `DB_PATH` | `./diun.db` | Path to the SQLite database file |
| `WEBHOOK_SECRET` | *(unset)* | When set, `POST /webhook` requires a matching `Authorization` header. When unset, the webhook is open (a warning is logged at startup). |

### Webhook Authentication

Set `WEBHOOK_SECRET` to protect the webhook endpoint with token authentication:

```bash
# Via environment variable
WEBHOOK_SECRET=your-secret-token-here docker compose up -d

# Or in a .env file alongside compose.yml
echo 'WEBHOOK_SECRET=your-secret-token-here' > .env
docker compose up -d
```

When set, every `POST /webhook` must include an `Authorization` header whose value matches `WEBHOOK_SECRET` exactly.

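
One way to enforce the exact-match `Authorization` check described above, as an added example rather than this project's own handler; the names `requireSecret`, `accept` and `probe` and the 401 response are assumptions. It compares SHA-256 digests in constant time and shows that a `Bearer`-prefixed value is rejected, since the header must equal the secret exactly.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireSecret (hypothetical name) rejects requests whose Authorization
// header differs from secret. An empty secret leaves the endpoint open.
func requireSecret(secret string, next http.Handler) http.Handler {
	if secret == "" {
		return next
	}
	want := sha256.Sum256([]byte(secret))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Hashing both sides yields equal-length inputs, so timing reveals
		// neither the secret's length nor how many leading bytes matched.
		got := sha256.Sum256([]byte(r.Header.Get("Authorization")))
		if subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized) // assumed status
			return
		}
		next.ServeHTTP(w, r)
	})
}

// accept stands in for the real webhook handler.
var accept = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
	w.WriteHeader(http.StatusOK)
})

// probe posts a constructed DIUN payload and returns the HTTP status code.
func probe(h http.Handler, auth string) int {
	body := `{"image":"library/nginx","tag":"1.27.0","status":"new","time":"2026-02-23T16:00:00Z"}`
	req := httptest.NewRequest(http.MethodPost, "/webhook", strings.NewReader(body))
	req.Header.Set("Authorization", auth)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	guarded := requireSecret("your-secret-token-here", accept)
	fmt.Println(probe(guarded, "your-secret-token-here"), probe(guarded, "Bearer your-secret-token-here"), probe(guarded, ""))
}
```
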
### DIUN Configuration

Configure DIUN to send webhooks to this app:

```yaml
notif:
  webhook:
    enable: true
    endpoint: http://your-host-or-ip:8080/webhook
    headers:
      authorization: "your-secret-token-here"
```

Or via environment variable: `DIUN_NOTIF_WEBHOOK_HEADERS_AUTHORIZATION=your-secret-token-here`

Expected JSON payload:

```json
{
  "image": "library/nginx",
  "tag": "1.27.0",
  "status": "new",
  "time": "2026-02-23T16:00:00Z"
}
```

## API Reference

| Method | Endpoint | Description |
|--------|----------|-------------|
| `POST` | `/webhook` | Accept a DIUN event JSON body |
| `GET` | `/api/updates` | Return all events (keyed by image) with tag and acknowledged state |
| `PATCH` | `/api/updates/{image}` | Mark an event as acknowledged (dismiss) |
| `GET` | `/api/tags` | List all tags |
| `POST` | `/api/tags` | Create a new tag |
| `DELETE` | `/api/tags/{id}` | Delete a tag (cascades to assignments) |
| `PUT` | `/api/tag-assignments` | Assign an image to a tag |
| `DELETE` | `/api/tag-assignments` | Unassign an image from its tag |

## Production Notes

- **Reverse proxy:** Ensure the app is reachable at `/webhook` from DIUN. Forward traffic to port `8080` (or your configured `PORT`).
- **Database persistence:** Data is stored in `diun.db` by default. Set `DB_PATH` to a persistent location (e.g. `DB_PATH=/data/diun.db`). The deploy compose file uses a named volume at `/data`.
- **Webhook security:** Set `WEBHOOK_SECRET` if the webhook endpoint is exposed publicly.

## Contributing

See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, testing, project structure, and CI/CD details.

## License

MIT — see [LICENSE](LICENSE).