Merge pull request #1020 from blowk/master

SSL option for Tandoor Recipes

tandoor_recipes/CHANGELOG.md

@@ -1,3 +1,5 @@
+## 1.5.6-test_ssl (14-10-2023)
+- Test if ssl is working
 
 ## 1.5.6 (02-09-2023)
 - Update to latest version from TandoorRecipes/recipes

tandoor_recipes/README.md

@@ -35,6 +35,9 @@ Required :
     "PORT": 9928 # By default, the webui is available on http://HAurl:9928. If you ever need to change the port, you should never do it within the app, but only through this option
     "Environment": 0|1 # 1 is debug mode, 0 is normal mode. You should run in normal mode unless actively developing.
 Optional :
+    "ssl" : "true|false", # Set ssl 
+    "certfile" : "fullchain.pem", # Name of your ssl files located in /ssl
+    "keyfile" : "privkey.pem", # Name of your ssl files located in /ssl
     "POSTGRES_HOST": "str?", # Needed for postgresql_external
     "POSTGRES_PORT": "str?", # Needed for postgresql_external
     "POSTGRES_USER": "str?", # Needed for postgresql_external

tandoor_recipes/config.json

@@ -62,6 +62,7 @@
     "DB_ENGINE": "django.db.backends.sqlite3",
     "DISABLE_INGRESS": "true",
     "POSTGRES_DB": "/config/addons_config/tandoor_recipes/recipes.db",
+    "TANDOOR_PORT": "8081",
     "TRUSTED_PROXIES": "**"
   },
   "image": "ghcr.io/alexbelgium/tandoor_recipes-{arch}",
@@ -76,7 +77,10 @@
     "DB_TYPE": "sqlite",
     "DEBUG": "0",
     "SECRET_KEY": "YOUR_SECRET_KEY",
-    "externalfiles_folder": "/config/addons_config/tandoor_recipes/externalfiles"
+    "externalfiles_folder": "/config/addons_config/tandoor_recipes/externalfiles",
+    "ssl" : "true",
+    "certfile" : "fullchain.pem",
+    "keyfile" : "privkey.pem"
   },
   "panel_icon": "mdi:silverware-fork-knife",
   "panel_title": "Tandoor Recipes",
@@ -96,7 +100,10 @@
     "POSTGRES_PORT": "str?",
     "POSTGRES_USER": "str?",
     "SECRET_KEY": "str",
-    "externalfiles_folder": "str?"
+    "externalfiles_folder": "str?",
+    "ssl" : "bool",
+    "certfile" : "str?",
+    "keyfile" : "str?"
   },
   "services": [
     "mysql:want"
@@ -104,5 +111,6 @@
   "slug": "tandoor_recipes",
   "udev": true,
   "url": "https://github.com/alexbelgium/hassio-addons",
-  "version": "1.5.6"
+  "version": "1.5.6-test_ssl",
+  "webui": "[PROTO:ssl]://[HOST]:[PORT:8080]"
 }

tandoor_recipes/rootfs/etc/cont-init.d/32-ingress.sh

@@ -1,22 +0,0 @@
-#!/usr/bin/bashio
-# shellcheck shell=bash
-set -e
-
-if [[ -n "${DISABLE_INGRESS}" ]]; then
-    bashio::log.info "Ingress disabled"
-    sed -i "/nginx/d" /etc/cont-init.d/99-run.sh
-    exit 0
-fi
-
-#################
-# NGINX SETTING #
-#################
-declare ingress_interface
-declare ingress_port
-
-ingress_port="$(bashio::addon.ingress_port)"
-ingress_interface="$(bashio::addon.ip_address)"
-ingress_entry=$(bashio::addon.ingress_entry)
-sed -i "s/%%port%%/${ingress_port}/g" /etc/nginx/servers/ingress.conf
-sed -i "s/%%interface%%/${ingress_interface}/g" /etc/nginx/servers/ingress.conf
-sed -i "s|%%ingress_entry%%|${ingress_entry}|g" /etc/nginx/servers/ingress.conf

tandoor_recipes/rootfs/etc/cont-init.d/32-nginx.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/bashio
+# shellcheck shell=bash
+set -e
+
+if bashio::config.true 'ssl'; then
+
+    # Validate ssl
+    bashio::config.require.ssl
+
+    # Adapt nginx template
+    certfile=$(bashio::config 'certfile')
+    keyfile=$(bashio::config 'keyfile')
+    sed -i "s|%%certfile%%|${certfile}|g" /etc/nginx/servers/ssl.conf
+    sed -i "s|%%keyfile%%|${keyfile}|g" /etc/nginx/servers/ssl.conf
+    sed -i "s|8080;|8080 ssl;|g" /etc/nginx/servers/ssl.conf
+
+else
+
+    sed -i "/ssl/d" /etc/nginx/servers/ssl.conf
+
+fi

tandoor_recipes/rootfs/etc/nginx/servers/ssl.conf

@@ -0,0 +1,22 @@
+server {
+
+    listen 8080;
+
+    include /etc/nginx/includes/server_params.conf;
+    include /etc/nginx/includes/proxy_params.conf;
+
+    ssl_certificate /ssl/%%certfile%%;
+    ssl_certificate_key /ssl/%%keyfile%%;
+
+    location / {
+      # Proxy pass
+      proxy_pass http://127.0.0.1:8081;
+
+      # Next three lines allow websockets
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+
+      }
+
+}