From 05b4a6add787f23612c70b334d37f336bd2e2921 Mon Sep 17 00:00:00 2001 From: Alexandre Date: Sun, 21 Apr 2024 11:22:39 +0200 Subject: [PATCH] New connection!mode option https://github.com/alexbelgium/hassio-addons/security/advisories/GHSA-qv4x-8hwg-7cqj --- radarr/CHANGELOG.md | 1 + radarr/README.md | 1 + radarr/config.json | 11 ++-- .../etc/cont-init.d/32-nginx_ingress.sh | 59 +++++++++++------- readarr/CHANGELOG.md | 1 + readarr/README.md | 1 + readarr/config.json | 8 ++- .../etc/cont-init.d/32-nginx_ingress.sh | 60 ++++++++++++------- sonarr/CHANGELOG.md | 1 + sonarr/README.md | 1 + sonarr/config.json | 10 ++-- .../etc/cont-init.d/32-nginx_ingress.sh | 59 +++++++++++------- 12 files changed, 136 insertions(+), 77 deletions(-) diff --git a/radarr/CHANGELOG.md b/radarr/CHANGELOG.md index 1d022bcd9..ca95f617f 100644 --- a/radarr/CHANGELOG.md +++ b/radarr/CHANGELOG.md @@ -1,3 +1,4 @@ +- BREAKING CHANGE : ingress_disabled option removed. Instead, a new option connection_mode is added. It has 3 modes : ingress_noauth (default, disables authentification to allow a seamless ingress integration), noingress_auth (disables ingress to allow a simpler external url, enables authentification), ingress_auth (enables both ingress and authentification). Thanks @Ni3kjm ! ## 5.4.6.8723 (20-04-2024) - Update to latest version from linuxserver/docker-radarr (changelog : https://github.com/linuxserver/docker-radarr/releases) diff --git a/radarr/README.md b/radarr/README.md index c57728fd7..2809699d3 100644 --- a/radarr/README.md +++ b/radarr/README.md @@ -57,6 +57,7 @@ localdisks: sda1 #put the hardware name of your drive to mount separated by comm networkdisks: "//SERVER/SHARE" # optional, list of smb servers to mount, separated by commas cifsusername: "username" # optional, smb username, same for all smb shares cifspassword: "password" # optional, smb password +connection_mode: ingress_noauth (default, disables authentification to allow a seamless ingress integration), noingress_auth (disables ingress to allow a simpler external url, enables authentification), ingress_auth (enables both ingress and authentification) ``` ## Support diff --git a/radarr/config.json b/radarr/config.json index e7939d45d..203874d33 100644 --- a/radarr/config.json +++ b/radarr/config.json @@ -82,7 +82,9 @@ "name": "Radarr", "options": { "PGID": 0, - "PUID": 0 + "PUID": 0, + "connection_mode": "ingress_noauth" + }, "panel_icon": "mdi:movie-outline", "ports": { @@ -102,13 +104,12 @@ "cifsdomain": "str?", "cifspassword": "str?", "cifsusername": "str?", - "ingress_disabled": "bool?", + "connection_mode": "list(ingress_noauth,noingress_auth,ingress_auth)", "localdisks": "str?", - "networkdisks": "str?", - "smbv1": "bool?" + "networkdisks": "str?" }, "slug": "radarr_nas", "udev": true, "url": "https://github.com/alexbelgium/hassio-addons/tree/master/radarr", - "version": "5.4.6.8723" + "version": "5.4.6.8723-2" } diff --git a/radarr/rootfs/etc/cont-init.d/32-nginx_ingress.sh b/radarr/rootfs/etc/cont-init.d/32-nginx_ingress.sh index fa2665278..b10f65505 100755 --- a/radarr/rootfs/etc/cont-init.d/32-nginx_ingress.sh +++ b/radarr/rootfs/etc/cont-init.d/32-nginx_ingress.sh @@ -24,25 +24,42 @@ slug=radarr CONFIG_LOCATION=/config/addons_config/"$slug"/config.xml if [ -f "$CONFIG_LOCATION" ]; then - # Set UrlBase - if ! bashio::config.true "ingress_disabled"; then - bashio::log.warning "---------------------------" - bashio::log.warning "Ingress is enabled, authentification will be disabled and should be managed through HA itself. If you need authentification, please disable ingress in addon options" - bashio::log.warning "---------------------------" - # Define UrlBase - sed -i "/UrlBase/d" "$CONFIG_LOCATION" - sed -i "2a $slug<\/UrlBase>" "$CONFIG_LOCATION" - # Disable local auth - sed -i "/AuthenticationType/d" "$CONFIG_LOCATION" - sed -i "2a DisabledForLocalAddresses" "$CONFIG_LOCATION" - # Disable local auth - sed -i "/AuthenticationMethod/d" "$CONFIG_LOCATION" - sed -i "2a external" "$CONFIG_LOCATION" - else - bashio::log.warning "---------------------------" - bashio::log.info "Disabling ingress and enabling authentification" - bashio::log.warning "---------------------------" - sed -i "/UrlBase/d" "$CONFIG_LOCATION" - sed -i "/external/d" "$CONFIG_LOCATION" - fi + + # Define addon mode + connection_mode="$(bashio::config "connection_mode")" + bashio::log.green "---------------------------" + bashio::log.green "Connection_mode is $connection_mode" + bashio::log.green "---------------------------" + case connectionmode in + # Ingress mode, authentification is disabled + ingress_noauth) + bashio::log.green "Ingress is enabled, authentification is disabled" + bashio::log.yellow "WARNING : Make sure that the port is not exposed externally by your router to avoid a security risk !" + # Define UrlBase + sed -i "/UrlBase/d" "$CONFIG_LOCATION" + sed -i "2a $slug<\/UrlBase>" "$CONFIG_LOCATION" + # Disable local auth + sed -i "/AuthenticationType/d" "$CONFIG_LOCATION" + sed -i "2a DisabledForLocalAddresses" "$CONFIG_LOCATION" + # Disable local auth + sed -i "/AuthenticationMethod/d" "$CONFIG_LOCATION" + sed -i "2a external" "$CONFIG_LOCATION" + ;; + # Ingress mode, with authentification + ingress_auth) + bashio::log.green "Ingress is enabled, and external authentification is enabled" + # Define UrlBase + sed -i "/UrlBase/d" "$CONFIG_LOCATION" + sed -i "2a $slug<\/UrlBase>" "$CONFIG_LOCATION" + sed -i "/external/d" "$CONFIG_LOCATION" + ;; + # No ingress mode, with authentification + noingress_auth) + bashio::log.green "Disabling ingress and enabling authentification" + bashio::log.yellow "WARNING : Ingress is disabled so the app won't be available from HA itself !" + sed -i "/UrlBase/d" "$CONFIG_LOCATION" + sed -i "/external/d" "$CONFIG_LOCATION" + ;; + esac + fi diff --git a/readarr/CHANGELOG.md b/readarr/CHANGELOG.md index 8a8463be7..170de531a 100644 --- a/readarr/CHANGELOG.md +++ b/readarr/CHANGELOG.md @@ -1,3 +1,4 @@ +- BREAKING CHANGE : ingress_disabled option removed. Instead, a new option connection_mode is added. It has 3 modes : ingress_noauth (default, disables authentification to allow a seamless ingress integration), noingress_auth (disables ingress to allow a simpler external url, enables authentification), ingress_auth (enables both ingress and authentification). Thanks @Ni3kjm ! ## 0.3.24.2509 (20-04-2024) - Update to latest version from linuxserver/docker-readarr (changelog : https://github.com/linuxserver/docker-readarr/releases) diff --git a/readarr/README.md b/readarr/README.md index fc278bce3..e2cc9a141 100644 --- a/readarr/README.md +++ b/readarr/README.md @@ -61,6 +61,7 @@ localdisks: sda1 #put the hardware name of your drive to mount separated by comm networkdisks: "//SERVER/SHARE" # optional, list of smb servers to mount, separated by commas cifsusername: "username" # optional, smb username, same for all smb shares cifspassword: "password" # optional, smb password +connection_mode: ingress_noauth (default, disables authentification to allow a seamless ingress integration), noingress_auth (disables ingress to allow a simpler external url, enables authentification), ingress_auth (enables both ingress and authentification) ``` ### Within readarr itself diff --git a/readarr/config.json b/readarr/config.json index 9f361490d..b761f5616 100644 --- a/readarr/config.json +++ b/readarr/config.json @@ -81,7 +81,9 @@ "options": { "CONFIG_LOCATION": "/config/addons_config/readarr", "PGID": 0, - "PUID": 0 + "PUID": 0, + "connection_mode": "ingress_noauth" + }, "panel_icon": "mdi:download-circle", "ports": { @@ -102,12 +104,12 @@ "cifsdomain": "str?", "cifspassword": "str?", "cifsusername": "str?", - "ingress_disabled": "bool?", + "connection_mode": "list(ingress_noauth,noingress_auth,ingress_auth)", "localdisks": "str?", "networkdisks": "str?" }, "slug": "readarr_nas", "udev": true, "url": "https://github.com/alexbelgium/hassio-addons/tree/master/readarr", - "version": "0.3.24.2509" + "version": "0.3.24.2509-2" } diff --git a/readarr/rootfs/etc/cont-init.d/32-nginx_ingress.sh b/readarr/rootfs/etc/cont-init.d/32-nginx_ingress.sh index 90887928a..7efb51463 100755 --- a/readarr/rootfs/etc/cont-init.d/32-nginx_ingress.sh +++ b/readarr/rootfs/etc/cont-init.d/32-nginx_ingress.sh @@ -24,26 +24,42 @@ slug=readarr CONFIG_LOCATION=/config/addons_config/"$slug"/config.xml if [ -f "$CONFIG_LOCATION" ]; then - # Set UrlBase - if ! bashio::config.true "ingress_disabled"; then - bashio::log.warning "---------------------------" - bashio::log.warning "Ingress is enabled, authentification will be disabled and should be managed through HA itself. If you need authentification, please disable ingress in addon options" - bashio::log.warning "---------------------------" - # Define UrlBase - sed -i "/UrlBase/d" "$CONFIG_LOCATION" - sed -i "2a $slug<\/UrlBase>" "$CONFIG_LOCATION" - # Disable local auth - sed -i "/AuthenticationType/d" "$CONFIG_LOCATION" - sed -i "2a DisabledForLocalAddresses" "$CONFIG_LOCATION" - # Disable local auth - # sed -i "/AuthenticationMethod/d" "$CONFIG_LOCATION" - # sed -i "2a external" "$CONFIG_LOCATION" - else - bashio::log.warning "---------------------------" - bashio::log.info "Disabling ingress and enabling authentification" - bashio::log.warning "---------------------------" - sed -i "/UrlBase/d" "$CONFIG_LOCATION" - sed -i "/external/d" "$CONFIG_LOCATION" - # sed -i "/external/d" "$CONFIG_LOCATION" - fi + + # Define addon mode + connection_mode="$(bashio::config "connection_mode")" + bashio::log.green "---------------------------" + bashio::log.green "Connection_mode is $connection_mode" + bashio::log.green "---------------------------" + case connectionmode in + # Ingress mode, authentification is disabled + ingress_noauth) + bashio::log.green "Ingress is enabled, authentification is disabled" + bashio::log.yellow "WARNING : Make sure that the port is not exposed externally by your router to avoid a security risk !" + # Define UrlBase + sed -i "/UrlBase/d" "$CONFIG_LOCATION" + sed -i "2a $slug<\/UrlBase>" "$CONFIG_LOCATION" + # Disable local auth + sed -i "/AuthenticationType/d" "$CONFIG_LOCATION" + sed -i "2a DisabledForLocalAddresses" "$CONFIG_LOCATION" + # Disable local auth + sed -i "/AuthenticationMethod/d" "$CONFIG_LOCATION" + sed -i "2a external" "$CONFIG_LOCATION" + ;; + # Ingress mode, with authentification + ingress_auth) + bashio::log.green "Ingress is enabled, and external authentification is enabled" + # Define UrlBase + sed -i "/UrlBase/d" "$CONFIG_LOCATION" + sed -i "2a $slug<\/UrlBase>" "$CONFIG_LOCATION" + sed -i "/external/d" "$CONFIG_LOCATION" + ;; + # No ingress mode, with authentification + noingress_auth) + bashio::log.green "Disabling ingress and enabling authentification" + bashio::log.yellow "WARNING : Ingress is disabled so the app won't be available from HA itself !" + sed -i "/UrlBase/d" "$CONFIG_LOCATION" + sed -i "/external/d" "$CONFIG_LOCATION" + ;; + esac + fi diff --git a/sonarr/CHANGELOG.md b/sonarr/CHANGELOG.md index 008d01c7f..7c7170eea 100644 --- a/sonarr/CHANGELOG.md +++ b/sonarr/CHANGELOG.md @@ -1,3 +1,4 @@ +- BREAKING CHANGE : ingress_disabled option removed. Instead, a new option connection_mode is added. It has 3 modes : ingress_noauth (default, disables authentification to allow a seamless ingress integration), noingress_auth (disables ingress to allow a simpler external url, enables authentification), ingress_auth (enables both ingress and authentification). Thanks @Ni3kjm ! ## 4.0.4.1515 (20-04-2024) - Update to latest version from linuxserver/docker-sonarr (changelog : https://github.com/linuxserver/docker-sonarr/releases) diff --git a/sonarr/README.md b/sonarr/README.md index 9f21214d0..6b375777b 100644 --- a/sonarr/README.md +++ b/sonarr/README.md @@ -58,6 +58,7 @@ localdisks: sda1 #put the hardware name of your drive to mount separated by comm networkdisks: "//SERVER/SHARE" # optional, list of smb servers to mount, separated by commas cifsusername: "username" # optional, smb username, same for all smb shares cifspassword: "password" # optional, smb password +connection_mode: ingress_noauth (default, disables authentification to allow a seamless ingress integration), noingress_auth (disables ingress to allow a simpler external url, enables authentification), ingress_auth (enables both ingress and authentification) ``` ## Support diff --git a/sonarr/config.json b/sonarr/config.json index c00e27782..9eddb2a82 100644 --- a/sonarr/config.json +++ b/sonarr/config.json @@ -82,7 +82,8 @@ "name": "Sonarr", "options": { "PGID": 0, - "PUID": 0 + "PUID": 0, + "connection_mode": "ingress_noauth" }, "panel_icon": "mdi:television-classic", "ports": { @@ -102,13 +103,12 @@ "cifsdomain": "str?", "cifspassword": "str?", "cifsusername": "str?", - "ingress_disabled": "bool?", + "connection_mode": "list(ingress_noauth,noingress_auth,ingress_auth)", "localdisks": "str?", - "networkdisks": "str?", - "smbv1": "bool?" + "networkdisks": "str?" }, "slug": "sonarr_nas", "udev": true, "url": "https://github.com/alexbelgium/hassio-addons/tree/master/sonarr", - "version": "4.0.4.1515" + "version": "4.0.4.1515-2" } diff --git a/sonarr/rootfs/etc/cont-init.d/32-nginx_ingress.sh b/sonarr/rootfs/etc/cont-init.d/32-nginx_ingress.sh index b9ed14e86..5567a8922 100755 --- a/sonarr/rootfs/etc/cont-init.d/32-nginx_ingress.sh +++ b/sonarr/rootfs/etc/cont-init.d/32-nginx_ingress.sh @@ -24,25 +24,42 @@ slug=sonarr CONFIG_LOCATION=/config/addons_config/"$slug"/config.xml if [ -f "$CONFIG_LOCATION" ]; then - # Set UrlBase - if ! bashio::config.true "ingress_disabled"; then - bashio::log.warning "---------------------------" - bashio::log.warning "Ingress is enabled, authentification will be disabled and should be managed through HA itself. If you need authentification, please disable ingress in addon options" - bashio::log.warning "---------------------------" - # Define UrlBase - sed -i "/UrlBase/d" "$CONFIG_LOCATION" - sed -i "2a $slug<\/UrlBase>" "$CONFIG_LOCATION" - # Disable local auth - sed -i "/AuthenticationType/d" "$CONFIG_LOCATION" - sed -i "2a DisabledForLocalAddresses" "$CONFIG_LOCATION" - # Disable local auth - sed -i "/AuthenticationMethod/d" "$CONFIG_LOCATION" - sed -i "2a external" "$CONFIG_LOCATION" - else - bashio::log.warning "---------------------------" - bashio::log.info "Disabling ingress and enabling authentification" - bashio::log.warning "---------------------------" - sed -i "/UrlBase/d" "$CONFIG_LOCATION" - sed -i "/external/d" "$CONFIG_LOCATION" - fi + + # Define addon mode + connection_mode="$(bashio::config "connection_mode")" + bashio::log.green "---------------------------" + bashio::log.green "Connection_mode is $connection_mode" + bashio::log.green "---------------------------" + case connectionmode in + # Ingress mode, authentification is disabled + ingress_noauth) + bashio::log.green "Ingress is enabled, authentification is disabled" + bashio::log.yellow "WARNING : Make sure that the port is not exposed externally by your router to avoid a security risk !" + # Define UrlBase + sed -i "/UrlBase/d" "$CONFIG_LOCATION" + sed -i "2a $slug<\/UrlBase>" "$CONFIG_LOCATION" + # Disable local auth + sed -i "/AuthenticationType/d" "$CONFIG_LOCATION" + sed -i "2a DisabledForLocalAddresses" "$CONFIG_LOCATION" + # Disable local auth + sed -i "/AuthenticationMethod/d" "$CONFIG_LOCATION" + sed -i "2a external" "$CONFIG_LOCATION" + ;; + # Ingress mode, with authentification + ingress_auth) + bashio::log.green "Ingress is enabled, and external authentification is enabled" + # Define UrlBase + sed -i "/UrlBase/d" "$CONFIG_LOCATION" + sed -i "2a $slug<\/UrlBase>" "$CONFIG_LOCATION" + sed -i "/external/d" "$CONFIG_LOCATION" + ;; + # No ingress mode, with authentification + noingress_auth) + bashio::log.green "Disabling ingress and enabling authentification" + bashio::log.yellow "WARNING : Ingress is disabled so the app won't be available from HA itself !" + sed -i "/UrlBase/d" "$CONFIG_LOCATION" + sed -i "/external/d" "$CONFIG_LOCATION" + ;; + esac + fi