Docker Compose for creating an IBKR Dashboard which includes risk data and current positions across all accessible accounts.
Consists of four containers:
- ibeam - A headless API Gateway enabling authentication to the Interactive Brokers Web API, with some modifications for inter-pod discovery
  - Created by Voyz with modifications made by me for service discovery across external containers
- ibkr-api-parser - Parses the IBKR API and returns pre-formatted HTML and a downloadable CSV on a recurring interval
- ibkr-dashboard-nginx - An nginx web server for displaying the `ibkr-api-parser` generated pre-formatted HTML, enabled with TLS and Basic Authentication by default.
- ibkr-push-gdrive - Pushes the updated and downloadable dashboard CSV data into Google Drive as a Google Sheet on a recurring interval, updating the existing file once created
The containers are made public within Docker Hub
- Python3
- Python3 pip
- Apache Utilities Package for Basic Authentication
- Docker Engine
- Google Account and target Google Drive Folder ID
  - Embedded within the browser's URL when at the target folder, usually after the `/folder/` string.

- Install `requirements.txt` by executing `pip3 install -r requirements.txt` within the git folder
- Generate Encrypted IBKR Password and Key Pair
- Docker Compose Environment Files
- nginx Config file
- Google Cloud OAuth with enabled APIs
  - And the subsequent `client_secrets.json` containing the `client_secret` and `client_id` for use by the pydrive.auth library.
- Google App Password for authenticating to GMail's SMTP server with TLS to enable email alerts. This is optional and requires omitting keys within the environment files as detailed below. OAuth is not used here as alerting would not work for broken tokens/authentication.
Encrypt your IBKR password and store the encrypted password and key within `env.list.ibeam` when creating the Docker Compose Environment Files.

Security Recommendation: It is recommended to first create an additional read-only user with a strong password. Additional IP restriction is also recommended if feasible. Refer to the official Interactive Brokers documentation here.

- Create a file named `gen_key_pw.py`
- Add the following to the file, replacing `'password'` with your IBKR password (this file is part of `.gitignore`):

  ```python
  from cryptography.fernet import Fernet

  key = Fernet.generate_key()        # new random Fernet key
  f = Fernet(key)
  password = f.encrypt(b'password')  # replace 'password' with your IBKR password
  # Both values print as Python bytes literals (b'...')
  print(f'PASSWORD={password}, KEY={key}')
  ```
- Execute the file via the command `python3 gen_key_pw.py`. Make note of the printed encrypted password and key, excluding the `b` in front of each string.
- Remove the password from the `gen_key_pw.py` file
Create the following Docker Compose environment files at the root of the git repo.

- `env.list.gdrive`

  ```
  PYTHONUNBUFFERED=1
  folderId=Google_Drive_Folder_ID
  refreshPushSeconds=60
  csvFileName=IBKR_Data
  gmailAppPassword=encrypted_password
  gmailAppPasswordKey=encryption_key
  gmailUserName=gmailuser@gmail.com
  gmailRecipient=gmailrecipient@gmail.com
  ```
  - `PYTHONUNBUFFERED` should be specified as is to enable docker/container output logging.
  - `refreshPushSeconds` may be set to the desired CSV push interval for data overwrite in Google Drive. Defaults to 60 when omitted.
  - `csvFileName` (optional) the file name of the downloadable CSV. When specified, it must match the value within the `env.list.parser` env file. Defaults to `IBKR_Data`.
  - `gmailAppPassword` use Google Accounts to generate an app password for GMail TLS SMTP Authentication. Encrypt the app password using `gen_key_pw.py`. Optional; if omitted, alert emails will be disabled.
  - `gmailAppPasswordKey` the app password encryption key, generated from the same output as the `gmailAppPassword` using `gen_key_pw.py`. Required when specifying `gmailAppPassword`.
    - Note that a plain text password may be used as a value for `gmailAppPassword` with the `gmailAppPasswordKey` key and value omitted; this is not recommended, however.
  - `gmailUserName` the GMail user sending the email and authenticating to GMail. Required when specifying `gmailAppPassword`.
  - `gmailRecipient` the recipient of the emails. Required when specifying `gmailAppPassword`.

- `env.list.ibeam`

  ```
  IBEAM_ACCOUNT=ibkr_username
  IBEAM_PASSWORD=encrypted_password
  IBEAM_KEY=encryption_key
  ```
  - Input your IBKR Username and Password into `gen_key_pw.py`, then execute the script to generate the required input data.
    - Note that a plain text password may be used as a value for `IBEAM_PASSWORD` with the `IBEAM_KEY` key and value omitted; this is not recommended, however.

- `env.list.parser`

  ```
  PYTHONUNBUFFERED=1
  sleepTimeSeconds=60
  csvFileName=IBKR_Data
  ```
  - `PYTHONUNBUFFERED` should be specified as is to enable docker/container output logging.
  - `sleepTimeSeconds` may be set to the desired API parser re-run interval. Defaults to 60 when omitted.
    - The pre-formatted HTML refresh interval will always be set to 5 seconds longer than this value.
  - `csvFileName` (optional) the file name of the downloadable CSV. When specified, it must match the value within the `env.list.gdrive` env file. Defaults to `IBKR_Data` when omitted.
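
The rules stated for the three env files, and the instruction to drop the `b` prefix from the `gen_key_pw.py` output, can be checked before starting the stack. The following is an added example, not part of this project's code: the function names and finding messages are assumptions made for illustration, while the variable names and defaults are the ones documented above. The format checks rely on Fernet's encoding (tokens begin with `gAAAAA`, keys are 44 URL-safe base64 characters).

```python
import re

# Fernet tokens are URL-safe base64 and start with version byte 0x80 ("gAAAAA").
TOKEN_RE = re.compile(r"^gAAAAA[A-Za-z0-9_-]+={0,2}$")
# A Fernet key is 32 bytes, URL-safe base64 encoded: 43 characters plus "=".
KEY_RE = re.compile(r"^[A-Za-z0-9_-]{43}=$")
# Python bytes repr pasted verbatim from the print() output, e.g. b'gAAAAA...'.
BYTES_REPR_RE = re.compile(r"""^b(['"]).*\1$""")

def parse_env(text):
    """Parse env-file text (KEY=VALUE lines, '#' comments) into a dict."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            env[name.strip()] = value.strip()
    return env

def check_secret(env, pw_name, key_name, findings):
    """Check one encrypted-password/key pair; append problems to findings."""
    pw, key = env.get(pw_name), env.get(key_name)
    wrapped = [n for n, v in ((pw_name, pw), (key_name, key))
               if v and BYTES_REPR_RE.match(v)]
    findings += [f"{n}: remove the b'...' wrapper" for n in wrapped]
    if pw and not key:
        findings.append(f"{pw_name}: plain-text password ({key_name} omitted)")
    elif pw and key and not wrapped:
        if not TOKEN_RE.match(pw):
            findings.append(f"{pw_name}: not a Fernet token")
        if not KEY_RE.match(key):
            findings.append(f"{key_name}: not a 44-character Fernet key")

def check_env_files(gdrive_text, ibeam_text, parser_text):
    """Return findings for the three env files; an empty list means consistent."""
    gdrive, ibeam, parser = map(parse_env, (gdrive_text, ibeam_text, parser_text))
    findings = []
    check_secret(ibeam, "IBEAM_PASSWORD", "IBEAM_KEY", findings)
    check_secret(gdrive, "gmailAppPassword", "gmailAppPasswordKey", findings)
    if gdrive.get("gmailAppPassword"):
        for name in ("gmailUserName", "gmailRecipient"):
            if not gdrive.get(name):
                findings.append(f"{name}: required when gmailAppPassword is set")
    if gdrive.get("csvFileName", "IBKR_Data") != parser.get("csvFileName", "IBKR_Data"):
        findings.append("csvFileName: env.list.gdrive and env.list.parser differ")
    return findings

if __name__ == "__main__":
    # Constructed sample: values pasted with the b'...' prefix left in place.
    ibeam = "IBEAM_ACCOUNT=ibkr_username\nIBEAM_PASSWORD=b'gAAAAABexample'\nIBEAM_KEY=b'key'\n"
    for finding in check_env_files("csvFileName=IBKR_Data\n", ibeam, "csvFileName=Other\n"):
        print(finding)
```
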
The nginx config file provides customizable authentication settings, ports, TLS certificates, error and default web pages.

- default.conf
  - Global config - TLS, port, server name, and TLS cert settings

    ```nginx
    listen 8443 ssl;
    listen [::]:8443 ssl;
    server_name ibkr-dash.example.com;
    ssl_certificate /usr/src/app/server.crt;
    ssl_certificate_key /usr/src/app/server.key;
    ```
  - option details:
    - listen: must match the port specified within the `docker-compose.yml`. Remove the `ssl` option to disable TLS
    - server_name: the full DNS name of the web server address. May be set to `localhost`
    - ssl_certificate: certificate file which is first copied from the root folder `./server.crt`
    - ssl_certificate_key: certificate private key which is first copied from the root folder `./server.key`
  - Local config - basic auth and default webpage settings

    ```nginx
    location / {
        root /usr/src/app/webserver/static;
        index index.html;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        include /etc/nginx/mime.types;
    }
    ```
  - option details:
    - root: location where the static webpages are served from
    - index: default webpage filename (`index.html`)
    - auth_basic: leave as `"Restricted"` to enable the password auth challenge
    - auth_basic_user_file: location of the `.htpasswd` which houses the authorized users and accompanying encrypted passwords. The file is generated upon running `run.sh` the first time and placed in the root folder, adding the initial authorized user.
Enable Google Cloud OAuth flow by creating a project in Google Console, enabling the Google Drive APIs, then downloading the OAuth `client_secrets.json` for OAuth command authorization flow for container permissions to Google Drive.