From 1ebaf6e0118fd0f5b2c1f19e03dfec99af421ef0 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 16 Mar 2026 15:04:32 -0400 Subject: [PATCH] Update with proper configuration --- netalertx/apparmor.txt | 46 ++----------------- netalertx/config.yaml | 38 +++++---------- .../rootfs/etc/cont-init.d/91-configure.sh | 13 ++++-- netalertx/rootfs/etc/cont-init.d/99-run.sh | 2 +- 4 files changed, 25 insertions(+), 74 deletions(-) diff --git a/netalertx/apparmor.txt b/netalertx/apparmor.txt index f6d83b215..c025dcf76 100644 --- a/netalertx/apparmor.txt +++ b/netalertx/apparmor.txt @@ -7,31 +7,15 @@ profile netalertx_addon flags=(attach_disconnected,mediate_deleted) { file, signal, mount, - umount, remount, - network udp, - network tcp, - network dgram, - network stream, - network inet, - network inet6, - network netlink raw, - network unix dgram, + umount, + network, + ptrace, - capability setgid, - capability setuid, - capability sys_admin, - capability dac_read_search, - # capability dac_override, - # capability sys_rawio, - -# S6-Overlay /init ix, /run/{s6,s6-rc*,service}/** ix, /package/** ix, /command/** ix, - /run/{,**} rwk, - /dev/tty rw, /bin/** ix, /usr/bin/** ix, /usr/lib/bashio/** ix, @@ -40,27 +24,5 @@ profile netalertx_addon flags=(attach_disconnected,mediate_deleted) { /etc/services.d/** rwix, /etc/cont-init.d/** rwix, /etc/cont-finish.d/** rwix, - /init rix, - /var/run/** mrwkl, - /var/run/ mrwkl, - /dev/i2c-1 mrwkl, - # Files required - /dev/fuse mrwkl, - /dev/sda1 mrwkl, - /dev/sdb1 mrwkl, - /dev/nvme0 mrwkl, - /dev/nvme1 mrwkl, - /dev/mmcblk0p1 mrwkl, - /dev/* mrwkl, - /tmp/** mrkwl, - - # Data access - /data/** rw, - - # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container - ptrace (trace,read) peer=docker-default, - - # docker daemon confinement requires explict allow rule for signal - signal (receive) set=(kill,term) peer=/usr/bin/docker, - } + 
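Review bot: The bare `ptrace,` and `network,` rules added in the first hunk allow every ptrace permission against any peer and every socket family and type, which is wider than what they replace (`ptrace (trace,read) peer=docker-default,` and the explicit udp/tcp/inet/inet6/netlink/unix list). Since config.yaml runs this add-on with host networking, I would keep the scoped form `ptrace (trace,read) peer=docker-default,` and list only the socket families the scanner needs, with a comment for each one added. All `capability` rules are removed as well; unless a capability rule exists above line 7 of the profile (outside the hunk), the NET_ADMIN/NET_RAW privileges requested in config.yaml may be denied by the profile, so this is worth confirming. In the second hunk the closing `}` is on the removed side and the only added line visible is empty, so please check that the profile block is still terminated.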
diff --git a/netalertx/config.yaml b/netalertx/config.yaml index a9915e7a8..587e3f27f 100644 --- a/netalertx/config.yaml +++ b/netalertx/config.yaml @@ -1,48 +1,34 @@ arch: - aarch64 - amd64 -description: "\U0001F5A7\U0001F50D WIFI / LAN scanner, intruder, and presence detector" -environment: - PGID: "20211" - PORT: "20211" - PUID: "20211" - TZ: Europe/Berlin - NETALERTX_DATA: /config - NETALERTX_CONFIG: /config/config - NETALERTX_DB: /config/db - TMP_DIR: /tmp/tmp - NETALERTX_CONFIG_FILE: /config/config/app.conf - NETALERTX_DB_FILE: /config/db/app.db +description: "\U0001F5A7\U0001F50D Centralized network visibility and continuous asset discovery." hassio_api: true host_network: true image: ghcr.io/alexbelgium/netalertx-{arch} ingress: true -ingress_port: 0 +ingress_port: 20211 ingress_stream: true init: false map: - - addon_config:rw - - media:rw - - share:rw - - ssl + - config:rw name: NetAlertX -options: - env_vars: [] panel_icon: mdi:wifi-check ports: 20211/tcp: 20211 20212/tcp: 20212 ports_description: - 20211/tcp: WebUI port - 20212/tcp: GraphQL port + 20211/tcp: NetAlertX WebUI port + 20212/tcp: GraphQL & MCP port privileged: - NET_ADMIN - NET_RAW +environment: + PUID: "20211" + PGID: "20211" + TZ: Atlantic/Reykjavik + # Home assistant grants excessive priviliges and does not support application integrity + SKIP_STARTUP_CHECKS: excessive capabilities.sh,appliance integrity.sh schema: - env_vars: - - name: match(^[A-Za-z0-9_]+$) - value: str? - APP_CONF_OVERRIDE: str? TZ: str? services: - mqtt:want @@ -50,4 +36,4 @@ slug: netalertx tmpfs: true udev: true url: https://github.com/alexbelgium/hassio-addons -version: "26.2.6-4" +version: "26.3.16-1" diff --git a/netalertx/rootfs/etc/cont-init.d/91-configure.sh b/netalertx/rootfs/etc/cont-init.d/91-configure.sh index f4840cdfa..d5f7626c4 100755 --- a/netalertx/rootfs/etc/cont-init.d/91-configure.sh +++ b/netalertx/rootfs/etc/cont-init.d/91-configure.sh 
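Review bot: `map:` now lists `config:rw` in place of `addon_config:rw`; in the Supervisor add-on schema `config` is the Home Assistant configuration directory, so the add-on gains read-write access to all of it, and 91-configure.sh then creates and recursively chowns `/config/db` and `/config/config` inside it. If only add-on-private storage is needed, keep `- addon_config:rw`. Separately, `SKIP_STARTUP_CHECKS` disables two upstream startup checks and the comment above it does not say that they are being turned off; I would reword it to `# Home Assistant grants excessive privileges and does not support application integrity, so these two upstream checks are skipped` (this also fixes the spelling "priviliges"). The old `environment:` block set `TMP_DIR` and the `NETALERTX_*` paths, which are now left to the fallbacks in 91-configure.sh, so the two files should be reviewed together.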
@@ -6,12 +6,11 @@ set -e # Update structure # #################### -APP_UID=20211 # 1. Fix the directories -for folder in /tmp/run/tmp /tmp/api /tmp/log /tmp/run /tmp/nginx/active-config "$TMP_DIR" "$NETALERTX_DATA" "$NETALERTX_DB" "$NETALERTX_CONFIG"; do +for folder in /tmp/run/tmp /tmp/api /tmp/log /tmp/run /tmp/nginx/active-config "${TMP_DIR:-/tmp}" "${NETALERTX_DATA:-/data}" "${NETALERTX_DB:-/data/db}" "${NETALERTX_CONFIG:-/data/config}"; do mkdir -p "$folder" - chown -R $APP_UID:$APP_UID "$folder" + chown -R ${PUID}:${PGID} "$folder" chmod -R 755 "$folder" done @@ -22,13 +21,17 @@ chmod 666 /dev/stdout /dev/stderr # 3. Pre-create and chown log files touch /tmp/log/app.php_errors.log /tmp/log/cron.log /tmp/log/stdout.log /tmp/log/stderr.log -chown $APP_UID:$APP_UID /tmp/log/*.log +chown ${PUID}:${PGID} /tmp/log/*.log # 4. Create Symlinks for item in db config; do + # ADD THESE TWO LINES: Ensure the target exists and is owned by 20211 + mkdir -p "/config/$item" + chown -R ${PUID}:${PGID} "/config/$item" + rm -rf "/data/$item" ln -sf "/config/$item" "/data/$item" - chown -R $APP_UID:$APP_UID "/data/$item" + chown -R ${PUID}:${PGID} "/data/$item" chmod -R 755 "/data/$item" done diff --git a/netalertx/rootfs/etc/cont-init.d/99-run.sh b/netalertx/rootfs/etc/cont-init.d/99-run.sh index 1675ed83e..1d3c36d8b 100755 --- a/netalertx/rootfs/etc/cont-init.d/99-run.sh +++ b/netalertx/rootfs/etc/cont-init.d/99-run.sh @@ -3,4 +3,4 @@ set -e bashio::log.info "Starting upstream app" -gosu netalertx /entrypoint.sh +/root-entrypoint.sh
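Review bot: `chown -R ${PUID}:${PGID} "$folder"` expands two unquoted variables that have no fallback, unlike the `${VAR:-default}` form used for the folder list on the line above; if either is unset the argument becomes `:` and, depending on the chown implementation, ownership is left unchanged or the script aborts under `set -e`. I would write `chown -R "${PUID:-20211}:${PGID:-20211}" "$folder"`, and the same for the chown calls in steps 3 and 4 of the next hunk. config.yaml no longer sets `TMP_DIR`, so the `${TMP_DIR:-/tmp}` fallback makes this loop run `chown -R` and `chmod -R 755` over all of `/tmp`, replacing the usual world-writable sticky mode on that directory; `${TMP_DIR:-/tmp/tmp}` would match the value that was removed. The script continues outside the hunk.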
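Review bot: The added comment `# ADD THESE TWO LINES: Ensure the target exists and is owned by 20211` reads as a pasted instruction and names a fixed uid while the code below uses `${PUID}:${PGID}`; I would replace it with `# Ensure the symlink target exists and is owned by the app user before linking`. A second comment line noting that `/config` is the directory mapped by `map:` in config.yaml would help, because `rm -rf "/data/$item"` followed by `ln -sf` appears to leave that mapped directory as the only location of the database and settings.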
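Review bot: Replacing `gosu netalertx /entrypoint.sh` with `/root-entrypoint.sh` in 99-run.sh removes the only privilege drop visible in this script, so the app is launched as root and any switch to `PUID`/`PGID` has to happen inside that entrypoint, which is not shown here. I would add a comment stating the expectation, e.g. `# root-entrypoint.sh starts as root and is expected to drop to PUID:PGID itself`. Because the same commit skips the upstream capability check and widens the AppArmor profile, the PR should record the effective uid of the running service once it has been confirmed.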