Add steam headless apps with security docs and verification guide

Apps/steam-moonlight/docker-compose.yaml

@@ -0,0 +1,131 @@
+name: steam-moonlight
+
+x-steam-common: &steam-common
+  image: josh5/steam-headless:debian-0.2.0@sha256:540366bee31297c5679a5006a84dbca039ca62aaab695852b51b5f62dffd2c14
+  restart: unless-stopped
+  shm_size: ${SHM_SIZE:-2G}
+  environment:
+    TZ: ${TZ}
+    PUID: ${PUID}
+    PGID: ${PGID}
+    UMASK: ${UMASK:-000}
+    USER_PASSWORD: ${USER_PASSWORD:-change-me}
+    MODE: ${MODE:-primary}
+    WEB_UI_MODE: ${WEB_UI_MODE:-vnc}
+    PORT_NOVNC_WEB: ${STEAM_WEB_PORT:-8083}
+    ENABLE_STEAM: ${ENABLE_STEAM:-true}
+    STEAM_ARGS: ${STEAM_ARGS:--silent}
+    ENABLE_SUNSHINE: ${ENABLE_SUNSHINE:-false}
+    SUNSHINE_USER: ${SUNSHINE_USER:-admin}
+    SUNSHINE_PASS: ${SUNSHINE_PASS:-change-me}
+
+services:
+  steam:
+    <<: *steam-common
+    container_name: steam-moonlight
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    ports:
+      - target: 8083
+        published: ${STEAM_WEB_PORT:-8083}
+        protocol: tcp
+    volumes:
+      - type: bind
+        source: /DATA/AppData/$AppID/home
+        target: /home/default
+      - type: bind
+        source: /DATA/AppData/$AppID/games
+        target: /mnt/games
+    x-casaos:
+      envs:
+        - container: TZ
+          description:
+            en_us: Timezone, for example Europe/Stockholm
+        - container: PUID
+          description:
+            en_us: User ID for filesystem permissions
+        - container: PGID
+          description:
+            en_us: Group ID for filesystem permissions
+        - container: STEAM_WEB_PORT
+          description:
+            en_us: Browser desktop port
+      ports:
+        - container: "8083"
+          description:
+            en_us: Steam desktop over web browser
+      volumes:
+        - container: /home/default
+          description:
+            en_us: Persistent user home and runtime state
+        - container: /mnt/games
+          description:
+            en_us: Persistent Steam game library
+
+  steam-moonlight:
+    <<: *steam-common
+    container_name: steam-moonlight-profile
+    profiles: ["moonlight"]
+    network_mode: host
+    ipc: host
+    security_opt:
+      - seccomp:unconfined
+      - apparmor:unconfined
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_ADMIN
+      - SYS_ADMIN
+      - SYS_NICE
+    devices:
+      - /dev/fuse
+      - /dev/uinput
+      - ${GPU_CARD_DEVICE:-/dev/dri/card0}
+      - ${GPU_RENDER_DEVICE:-/dev/dri/renderD128}
+    device_cgroup_rules:
+      - 'c 13:* rmw'
+    environment:
+      TZ: ${TZ}
+      PUID: ${PUID}
+      PGID: ${PGID}
+      UMASK: ${UMASK:-000}
+      USER_PASSWORD: ${USER_PASSWORD:-change-me}
+      MODE: ${MODE:-primary}
+      WEB_UI_MODE: ${WEB_UI_MODE:-vnc}
+      PORT_NOVNC_WEB: ${STEAM_WEB_PORT:-8083}
+      ENABLE_STEAM: ${ENABLE_STEAM:-true}
+      STEAM_ARGS: ${STEAM_ARGS:--silent}
+      ENABLE_SUNSHINE: "true"
+      SUNSHINE_USER: ${SUNSHINE_USER:-admin}
+      SUNSHINE_PASS: ${SUNSHINE_PASS:-change-me}
+    volumes:
+      - type: bind
+        source: /DATA/AppData/$AppID/moonlight-home
+        target: /home/default
+      - type: bind
+        source: /DATA/AppData/$AppID/moonlight-games
+        target: /mnt/games
+
+x-casaos:
+  architectures:
+    - amd64
+  main: steam
+  category: Games
+  author: Zima Apps Team
+  developer: Steam-Headless community
+  icon: https://cdn.simpleicons.org/steam
+  tagline:
+    en_us: Steam web desktop with optional Moonlight profile
+  description:
+    en_us: >-
+      Browser-first Steam container with an explicit moonlight profile for higher
+      compatibility and controller support. The moonlight profile is opt-in and
+      carries additional security risk.
+  title:
+    en_us: Steam Moonlight (Scaffold)
+  index: /
+  port_map: ${STEAM_WEB_PORT:-8083}
+  scheme: http