ente: disable per-account storage limit by default (NO_STORAGE_LIMIT)

Ente's --no-limit is only available per-user via the interactive admin CLI,
so to make unlimited storage the default for all current and future accounts
the add-on now reconciles the museum subscriptions table directly (the method
documented by the Ente maintainers): every account is granted 100 TB of
storage and ~100 years of validity, matching what
`ente admin update-subscription --no-limit` writes.

- New NO_STORAGE_LIMIT option (default true); set false to keep Ente's limits
- Background reconcile re-applies every 60s so newly registered users are
  covered; storage and expiry are updated independently and tolerate errors
  so a transient DB hiccup or schema change can't break startup
- Document the option and the full port list in the README

https://claude.ai/code/session_01MaLKhb2CJiF9Fb3Dyr585r

README.md

@@ -321,7 +321,7 @@ If you want to do add the repository manually, please follow the procedure highl
 ![aarch64][aarch64-badge]
 ![amd64][amd64-badge]
 
-✓ ![image](https://api.iconify.design/mdi/file-search.svg) [FileBrowser Quantum](filebrowser_quantum/) : FileBrowser Quantum provides a modern, responsive file manager with multi-source support, advanced authentication options, and realtime indexing for your Home Assistant files.
+✓ ![image](https://api.iconify.design/mdi/file-search.svg) [FileBrowser Quantum](filebrowser_quantum/) : FileBrowser Quantum provides a modern, responsive file manager with multi-source support, advanced authentication options, and realtime indexing for your Home Assistant files
 
   ![Version](https://img.shields.io/badge/dynamic/yaml?label=Version&query=%24.version&url=https%3A%2F%2Fraw.githubusercontent.com%2Falexbelgium%2Fhassio-addons%2Fmaster%2Ffilebrowser_quantum%2Fconfig.yaml)
 ![Update](https://img.shields.io/badge/dynamic/json?label=Updated&query=%24.last_update&url=https%3A%2F%2Fraw.githubusercontent.com%2Falexbelgium%2Fhassio-addons%2Fmaster%2Ffilebrowser_quantum%2Fupdater.json)

birdnet-go/CHANGELOG.md

@@ -1,3 +1,5 @@
+## nightly-20260601-2 (03-06-2026)
+- Minor bugs fixed
 ## nightly-20260601 (2026-06-01)
 - Update to latest version from tphakala/birdnet-go (changelog : https://github.com/tphakala/birdnet-go/releases)
 ## nightly-20260524 (2026-05-30)

birdnet-go/config.yaml

@@ -126,4 +126,4 @@ slug: birdnet-go
 udev: true
 url: https://github.com/alexbelgium/hassio-addons/tree/master/birdnet-go
 usb: true
-version: "nightly-20260601"
+version: "nightly-20260601-2"

birdnet-go/rootfs/etc/cont-init.d/99-run.sh

@@ -38,7 +38,7 @@ fi
 
 bashio::log.info "Starting app..."
 # shellcheck disable=SC2086
-/usr/bin/entrypoint.sh birdnet-go realtime &
+/usr/bin/entrypoint.sh /usr/bin/startup-wrapper.sh birdnet-go realtime &
 true
 
 # Wait for app to become available to start nginx

ente/CHANGELOG.md

@@ -1,3 +1,31 @@
+## 4.4.22-7 (04-06-2026)
+- Disable the per-account storage limit by default via the new NO_STORAGE_LIMIT
+  option (default true). Grants every account 100 TB and ~100 years validity,
+  equivalent to `ente admin update-subscription --no-limit`. Set to false to
+  keep Ente's default storage limits.
+## 4.4.22-6 (04-06-2026)
+- Fix SIGPIPE (exit 141) on startup: tr piped to head -c against /dev/urandom
+  now suppresses the expected SIGPIPE under set -o pipefail
+## 4.4.22-5 (04-06-2026)
+- Fix AppArmor profile name (was copied from qbittorrent, could collide with that add-on)
+- Expose Accounts (3001), Auth (3003) and Cast (3004) ports so the login/2FA web apps are reachable
+- Default external Postgres port to 5432 when DB_PORT is left blank
+- Write the correct DB host/port to museum.yaml when using an external database
+- Exclude minio-data and postgres folders from Home Assistant backups
+## 4.4.22-4 (04-06-2026)
+- Minor bugs fixed
+## 4.4.22-3 (04-06-2026)
+- Remove DISABLE_WEB_UI option, web UI is now always enabled
+- Make MinIO internal-only (127.0.0.1) since museum proxies S3 operations
+- Fix web UI API origin: use ENTE_ENDPOINT_URL so browsers can reach the API
+- Hardcode MinIO credentials internally (no longer user-configurable)
+- Remove dead options: MINIO_DATA_LOCATION, MINIO_ROOT_USER, MINIO_ROOT_PASSWORD
+
+## 4.4.22-2 (04-06-2026)
+- Minor bugs fixed
+
+## 4.4.23 (2026-06-03)
+- Fix nginx rewrite loop on /index.html causing 500 Internal Server Error in Web UI
 
 ## 4.4.22 (2026-05-16)
 - Update to latest version from ente-io/ente (changelog : https://github.com/ente-io/ente/releases)

ente/Dockerfile

@@ -6,7 +6,7 @@
 ########################################################
 # 0) Build the ente-web static front-end (multi-stage) #
 ########################################################
-FROM node:22-bookworm-slim AS web-builder
+FROM node:24 AS web-builder
 
 # Build-time selector; set `--build-arg ENTE_WEB_TAG=vX.Y.Z` if you want a specific release
 ARG ENTE_WEB_TAG=main
@@ -15,7 +15,7 @@ ENV RUSTUP_HOME=/usr/local/rustup \
     CARGO_HOME=/usr/local/cargo \
     PATH=/usr/local/cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
-# Tools needed to build (git, rust, wasm-pack, yarn classic)
+# Tools needed to build (git, rust for ente-wasm)
 RUN set -eux; \
     apt-get update; \
     apt-get install -y --no-install-recommends \
@@ -23,17 +23,10 @@ RUN set -eux; \
       curl \
       ca-certificates \
       build-essential \
-      pkg-config \
-      python3 \
     ; \
     rm -rf /var/lib/apt/lists/*; \
     \
-    curl -sSf https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain stable; \
+    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --target wasm32-unknown-unknown
-    rustup target add wasm32-unknown-unknown; \
-    \
-    corepack enable; \
-    corepack prepare yarn@1.22.22 --activate; \
-    npm install -g wasm-pack@0.13.1
 
 # Pull the web source
 WORKDIR /src
@@ -41,16 +34,20 @@ RUN git clone --depth 1 --branch "${ENTE_WEB_TAG}" https://github.com/ente-io/en
 
 # Build web workspace (lives in ./web)
 WORKDIR /src/web
-ENV NEXT_PUBLIC_ENTE_ENDPOINT=ENTE_API_ORIGIN_PLACEHOLDER \
+ENV NEXT_PUBLIC_ENTE_ENDPOINT=ENTE_API_ORIGIN_PLACEHOLDER
-    NEXT_PUBLIC_ENTE_ALBUMS_ENDPOINT=ENTE_ALBUMS_ORIGIN_PLACEHOLDER
+ENV NEXT_PUBLIC_ENTE_ALBUMS_ENDPOINT=ENTE_ALBUMS_ORIGIN_PLACEHOLDER
 
-RUN set -eux; \
+RUN npm ci
-    yarn config set network-timeout 900000 -g; \
+RUN npm run build:photos
-    yarn install --frozen-lockfile; \
+RUN npm run build:albums
-    yarn build:photos; \
+RUN npm run build:accounts
-    yarn build:accounts; \
+RUN npm run build:auth
-    yarn build:auth; \
+RUN npm run build:cast
-    yarn build:cast
+RUN npm run build:share
+RUN npm run build:embed
+RUN npm run build:paste
+RUN npm run build:locker
+RUN npm run build:memories
 
 #################
 # 1) Base image #
@@ -94,9 +91,15 @@ RUN apk add --no-cache nginx
 
 # Static files built in the previous stage
 COPY --from=web-builder /src/web/apps/photos/out    /www/photos
+COPY --from=web-builder /src/web/apps/albums/out    /www/albums
 COPY --from=web-builder /src/web/apps/accounts/out  /www/accounts
 COPY --from=web-builder /src/web/apps/auth/out      /www/auth
 COPY --from=web-builder /src/web/apps/cast/out      /www/cast
+COPY --from=web-builder /src/web/apps/share/out     /www/share
+COPY --from=web-builder /src/web/apps/embed/out     /www/embed
+COPY --from=web-builder /src/web/apps/paste/out     /www/paste
+COPY --from=web-builder /src/web/apps/locker/out    /www/locker
+COPY --from=web-builder /src/web/apps/memories/out  /www/memories
 
 ############################
 # 3) Install add-on helpers #
@@ -151,4 +154,4 @@ LABEL \
 #################
 # 6) Finish line
 #################
-EXPOSE 3000 3001 3002 3003 3004
+EXPOSE 3000 3001 3002 3003 3004 3005 3006 3007 3008 3009

ente/README.md

@@ -53,12 +53,9 @@ Webui can be found at <http://homeassistant:PORT>.
 
 | Option | Type | Default | Description |
 |--------|------|---------|-------------|
-| `ENTE_ENDPOINT_URL` | str | `http://homeassistant.local:8280` | The URL where Ente API will be accessible |
+| `ENTE_ENDPOINT_URL` | str | `http://homeassistant.local:8280` | The URL where Ente API will be accessible (used by web UI) |
-| `MINIO_ROOT_USER` | str | `minioadmin` | MinIO root username |
-| `MINIO_ROOT_PASSWORD` | str | `minioadmin` | MinIO root password |
-| `MINIO_DATA_LOCATION` | str | `/config/minio-data` | Path where MinIO stores data |
 | `DB_PASSWORD` | str | `ente` | Database password for internal PostgreSQL |
-| `DISABLE_WEB_UI` | bool | `true` | Disable the web UI (use mobile/desktop apps) |
+| `NO_STORAGE_LIMIT` | bool | `true` | Remove the per-account storage limit (grants every account 100 TB and ~100 years validity, equivalent to `ente admin update-subscription --no-limit`). Set to `false` to keep the default Ente storage limits. |
 | `USE_EXTERNAL_DB` | bool | `false` | Use external PostgreSQL database |
 | `TZ` | str | `Europe/Paris` | Timezone setting |
 
@@ -77,11 +74,7 @@ If you want to use an external PostgreSQL database, set `USE_EXTERNAL_DB: true`
 
 ```yaml
 ENTE_ENDPOINT_URL: "http://homeassistant.local:8280"
-MINIO_ROOT_USER: "myuser"
-MINIO_ROOT_PASSWORD: "mypassword"
-MINIO_DATA_LOCATION: "/config/ente-storage"
 DB_PASSWORD: "securepassword"
-DISABLE_WEB_UI: false
 TZ: "America/New_York"
 ```
 
@@ -137,11 +130,21 @@ After starting the addon for the first time:
 
 ## Ports
 
-The addon exposes three ports:
+The addon exposes the following ports:
 
-- **8300** (3000/tcp): Ente web UI (if enabled)
+- **8300** (3000/tcp): Ente web UI
+- **8301** (3001/tcp): Ente Accounts
+- **8302** (3002/tcp): Ente Albums
+- **8303** (3003/tcp): Ente Auth
+- **8304** (3004/tcp): Ente Cast
+- **8305** (3005/tcp): Ente Share
+- **8306** (3006/tcp): Ente Embed
+- **8307** (3007/tcp): Ente Paste
+- **8308** (3008/tcp): Ente Locker
+- **8309** (3009/tcp): Ente Memories
 - **8280** (8080/tcp): Ente API server (museum) - Main endpoint for apps
-- **8320** (3200/tcp): MinIO S3 endpoint (for storage backend)
+
+MinIO S3 is internal-only (127.0.0.1:3200) and not exposed externally since museum proxies all S3 operations.
 
 ## Data Storage
 

ente/apparmor.txt

@@ -1,6 +1,6 @@
 #include <tunables/global>
 
-profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) {
+profile ente_addon flags=(attach_disconnected,mediate_deleted) {
   #include <abstractions/base>
 
   capability chown,
@@ -43,7 +43,6 @@ profile db21ed7f_qbittorrent flags=(attach_disconnected,mediate_deleted) {
   /init rix,
   /var/run/** mrwkl,
   /var/run/ mrwkl,
-  /dev/i2c-1 mrwkl,
   # Files required
   /dev/fuse mrwkl,
   /dev/sda1 mrwkl,

ente/build.json

@@ -1,6 +1,6 @@
 {
   "build_from": {
-    "aarch64": "ghcr.io/ente-io/server:latest",
+    "aarch64": "ghcr.io/ente-io/server:927c6a316f181c7901446311f0085593b346b336",
-    "amd64": "ghcr.io/ente-io/server:latest"
+    "amd64": "ghcr.io/ente-io/server:927c6a316f181c7901446311f0085593b346b336"
   }
 }

ente/config.yaml

@@ -1,6 +1,9 @@
 arch:
   - aarch64
   - amd64
+backup_exclude:
+  - "**/minio-data/**"
+  - "**/postgres/**"
 description:
   Self-hosted, end-to-end-encrypted photo & video storage (Ente server
   + MinIO)
@@ -78,20 +81,33 @@ name: Ente
 options:
   env_vars: []
   DB_PASSWORD: ente
-  DISABLE_WEB_UI: true
   ENTE_ENDPOINT_URL: http://homeassistant.local:8280
-  MINIO_DATA_LOCATION: /config/minio-data
+  NO_STORAGE_LIMIT: true
-  MINIO_ROOT_PASSWORD: minioadmin
-  MINIO_ROOT_USER: minioadmin
   TZ: Europe/Paris
   USE_EXTERNAL_DB: false
 ports:
   3000/tcp: 8300
-  3200/tcp: 8320
+  3001/tcp: 8301
+  3002/tcp: 8302
+  3003/tcp: 8303
+  3004/tcp: 8304
+  3005/tcp: 8305
+  3006/tcp: 8306
+  3007/tcp: 8307
+  3008/tcp: 8308
+  3009/tcp: 8309
   8080/tcp: 8280
 ports_description:
   3000/tcp: Ente web UI
-  3200/tcp: MinIO S3 endpoint
+  3001/tcp: Ente Accounts
+  3002/tcp: Ente Albums
+  3003/tcp: Ente Auth
+  3004/tcp: Ente Cast
+  3005/tcp: Ente Share
+  3006/tcp: Ente Embed
+  3007/tcp: Ente Paste
+  3008/tcp: Ente Locker
+  3009/tcp: Ente Memories
   8080/tcp: Ente API (museum)
 privileged:
   - SYS_ADMIN
@@ -105,11 +121,8 @@ schema:
   DB_PASSWORD: str
   DB_PORT: int?
   DB_USERNAME: str?
-  DISABLE_WEB_UI: bool?
   ENTE_ENDPOINT_URL: str
-  MINIO_DATA_LOCATION: str
+  NO_STORAGE_LIMIT: bool?
-  MINIO_ROOT_PASSWORD: str
-  MINIO_ROOT_USER: str
   TZ: str?
   USE_EXTERNAL_DB: bool?
   cifsdomain: str?
@@ -120,6 +133,6 @@ schema:
 slug: ente
 udev: true
 url: https://github.com/alexbelgium/hassio-addons
-version: "4.4.22"
+version: "4.4.22-7"
 video: true
 webui: http://[HOST]:[PORT:3000]

ente/rootfs/etc/cont-init.d/99-run.sh

@@ -2,14 +2,32 @@
 # shellcheck shell=bash
 set -euo pipefail
 
-MINIO_USER="$(bashio::config 'MINIO_ROOT_USER')"
+# Internal MinIO credentials (not user-configurable; MinIO is 127.0.0.1 only)
-MINIO_PASS="$(bashio::config 'MINIO_ROOT_PASSWORD')"
+MINIO_CRED_FILE="/config/minio-creds"
+if [ -f "$MINIO_CRED_FILE" ]; then
+    # Reuse persisted credentials across restarts
+    MINIO_USER="$(sed -n '1p' "$MINIO_CRED_FILE")"
+    MINIO_PASS="$(sed -n '2p' "$MINIO_CRED_FILE")"
+    # Regenerate if file is corrupted
+    if [ -z "$MINIO_USER" ] || [ -z "$MINIO_PASS" ]; then
+        MINIO_USER="minio_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 8 || true)"
+        MINIO_PASS="$(head -c 24 /dev/urandom | base64 | tr -d '\n')"
+        printf '%s\n%s\n' "$MINIO_USER" "$MINIO_PASS" > "$MINIO_CRED_FILE"
+        chmod 600 "$MINIO_CRED_FILE"
+    fi
+else
+    # Generate random credentials on first run
+    MINIO_USER="minio_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 8 || true)"
+    MINIO_PASS="$(head -c 24 /dev/urandom | base64 | tr -d '\n')"
+    printf '%s\n%s\n' "$MINIO_USER" "$MINIO_PASS" > "$MINIO_CRED_FILE"
+    chmod 600 "$MINIO_CRED_FILE"
+fi
 S3_BUCKET="b2-eu-cen"
 
 export ENTE_S3_ARE_LOCAL_BUCKETS=true
 export ENTE_S3_B2_EU_CEN_KEY="$MINIO_USER"
 export ENTE_S3_B2_EU_CEN_SECRET="$MINIO_PASS"
-export ENTE_S3_B2_EU_CEN_ENDPOINT="http://192.168.178.23:$(bashio::addon.port "3200")"
+export ENTE_S3_B2_EU_CEN_ENDPOINT="http://127.0.0.1:3200"
 export ENTE_S3_B2_EU_CEN_REGION=eu-central-2
 export ENTE_S3_B2_EU_CEN_BUCKET="$S3_BUCKET"
 
@@ -33,6 +51,8 @@ DB_PASS="$(bashio::config 'DB_PASSWORD' || echo ente)"
 # External DB opts (may be blank)
 DB_HOST_EXT="$(bashio::config 'DB_HOSTNAME' || echo '')"
 DB_PORT_EXT="$(bashio::config 'DB_PORT' || echo '')"
+# Default external Postgres port when unset
+[ -z "$DB_PORT_EXT" ] && DB_PORT_EXT=5432
 
 USE_EXTERNAL_DB=false
 if bashio::config.true 'USE_EXTERNAL_DB'; then
@@ -42,9 +62,11 @@ else
     bashio::log.info "Using internal Postgres."
 fi
 
-DISABLE_WEB_UI=false
+# Disable per-account storage limits by default (mirrors `ente admin
-if bashio::config.true 'DISABLE_WEB_UI'; then
+# update-subscription --no-limit`). Set NO_STORAGE_LIMIT=false to keep limits.
-    DISABLE_WEB_UI=true
+NO_STORAGE_LIMIT=true
+if bashio::config.false 'NO_STORAGE_LIMIT'; then
+    NO_STORAGE_LIMIT=false
 fi
 
 # Active DB connection target (may be overridden below)
@@ -95,8 +117,8 @@ jwt:
   secret: $(_rand_b64url 32)
 
 db:
-  host:     ${DB_HOST_INTERNAL}
+  host:     ${DB_HOST}
-  port:     ${DB_PORT_INTERNAL}
+  port:     ${DB_PORT}
   name:     ${DB_NAME}
   user:     ${DB_USER}
   password: ${DB_PASS}
@@ -186,9 +208,11 @@ bootstrap_internal_db() {
 # MinIO
 ############################################
 start_minio() {
-    bashio::log.info "Starting MinIO (:3200)..."
+    bashio::log.info "Starting MinIO (127.0.0.1:3200)..."
     mkdir -p /config/minio-data
-    "$MINIO_BIN" server /config/minio-data --address ":3200" &
+    export MINIO_ROOT_USER="$MINIO_USER"
+    export MINIO_ROOT_PASSWORD="$MINIO_PASS"
+    "$MINIO_BIN" server /config/minio-data --address "127.0.0.1:3200" --console-address "127.0.0.1:9001" &
     MINIO_PID=$!
 }
 
@@ -206,13 +230,10 @@ wait_minio_ready_and_bucket() {
 # Web (static nginx bundle)
 ############################################
 start_web() {
-    if $DISABLE_WEB_UI; then
+    ENTE_API_ORIGIN="$(bashio::config 'ENTE_ENDPOINT_URL')"
-        bashio::log.info "Web UI disabled."
+    # Derive albums origin from the same host as the API endpoint, mapped to port 8302
-        return 0
+    ENTE_ALBUMS_HOST="$(echo "$ENTE_API_ORIGIN" | sed -E 's#(https?://[^:/]+).*#\1#')"
-    fi
+    ENTE_ALBUMS_ORIGIN="${ENTE_ALBUMS_HOST}:8302"
-
-    ENTE_API_ORIGIN=http://localhost:8080
-    ENTE_ALBUMS_ORIGIN=http://localhost:3002
     export ENTE_API_ORIGIN ENTE_ALBUMS_ORIGIN
 
     # Running ente-web-prepare
@@ -222,14 +243,53 @@ start_web() {
 
     mkdir -p /run/nginx /var/log/nginx
 
-    # Set nginx
+    # Set nginx (idempotent: only move if .bak still exists)
-    mv /etc/nginx/http.d/web.bak /etc/nginx/http.d/web.conf
+    if [ -f /etc/nginx/http.d/web.bak ]; then
+        mv /etc/nginx/http.d/web.bak /etc/nginx/http.d/web.conf
+    fi
 
-    bashio::log.info "Starting Ente web (nginx, ports 3000‑3004)..."
+    bashio::log.info "Starting Ente web (nginx, ports 3000‑3009)..."
-    exec nginx -g 'daemon off;' &
+    nginx -g 'daemon off;' &
     WEB_PID=$!
 }
 
+############################################
+# Storage limit (no-limit) reconcile
+############################################
+# Equivalent of `ente admin update-subscription --no-limit`: grant every
+# account 100 TB of storage and ~100 years of validity. The Ente CLI only
+# supports this per-user and interactively, so to make it the default for all
+# current and future accounts we reconcile the museum `subscriptions` table
+# directly (the method documented by the Ente maintainers). Runs in the
+# background and re-applies periodically so newly registered users are covered.
+NO_LIMIT_STORAGE_BYTES=109951162777600 # 100 * 1024^4 (100 TiB)
+NO_LIMIT_EXPIRY_SQL="(extract(epoch from now() + interval '100 years') * 1000000)::bigint"
+
+reconcile_no_limit() {
+    export PGPASSWORD="$DB_PASS"
+    while true; do
+        # Storage is the limit that actually enforces quota; apply it first and
+        # independently so a schema change to other columns can't block it.
+        psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" \
+            -c "UPDATE subscriptions SET storage = ${NO_LIMIT_STORAGE_BYTES} WHERE storage < ${NO_LIMIT_STORAGE_BYTES};" \
+            > /dev/null 2>&1 || true
+        psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" \
+            -c "UPDATE subscriptions SET expiry_time = ${NO_LIMIT_EXPIRY_SQL} WHERE expiry_time < ${NO_LIMIT_EXPIRY_SQL};" \
+            > /dev/null 2>&1 || true
+        sleep 60
+    done
+}
+
+start_no_limit_reconcile() {
+    if ! $NO_STORAGE_LIMIT; then
+        bashio::log.info "NO_STORAGE_LIMIT disabled; per-account storage limits stay in effect."
+        return 0
+    fi
+    bashio::log.info "NO_STORAGE_LIMIT enabled; granting unlimited storage to all accounts."
+    reconcile_no_limit &
+    NO_LIMIT_PID=$!
+}
+
 ############################################
 # Museum (API)
 ############################################
@@ -280,5 +340,7 @@ wait_minio_ready_and_bucket
 
 start_web
 
+start_no_limit_reconcile
+
 # Foreground — keeps container alive
 start_museum_foreground

ente/rootfs/etc/nginx/http.d/web.bak

@@ -1,20 +1,40 @@
 server {
     listen 3000; root /www/photos;
-    location / { try_files \$uri \$uri.html /index.html; }
+    location / { try_files $uri $uri.html /index.html =404; }
 }
 server {
     listen 3001; root /www/accounts;
-    location / { try_files \$uri \$uri.html /index.html; }
+    location / { try_files $uri $uri.html /index.html =404; }
 }
 server {
-    listen 3002; root /www/photos;
+    listen 3002; root /www/albums;
-    location / { try_files \$uri \$uri.html /index.html; }
+    location / { try_files $uri $uri.html /index.html =404; }
 }
 server {
     listen 3003; root /www/auth;
-    location / { try_files \$uri \$uri.html /index.html; }
+    location / { try_files $uri $uri.html /index.html =404; }
 }
 server {
     listen 3004; root /www/cast;
-    location / { try_files \$uri \$uri.html /index.html; }
+    location / { try_files $uri $uri.html /index.html =404; }
+}
+server {
+    listen 3005; root /www/share;
+    location / { try_files $uri $uri.html /index.html =404; }
+}
+server {
+    listen 3006; root /www/embed;
+    location / { try_files $uri $uri.html /index.html =404; }
+}
+server {
+    listen 3007; root /www/paste;
+    location / { try_files $uri $uri.html /index.html =404; }
+}
+server {
+    listen 3008; root /www/locker;
+    location / { try_files $uri $uri.html /index.html =404; }
+}
+server {
+    listen 3009; root /www/memories;
+    location / { try_files $uri $uri.html /index.html =404; }
 }

filebrowser_quantum/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.3.3-8 (2026-06-03)
+- Add `default_user_scope` option: sets the FileBrowser source path and default user scope (must be an existing absolute directory path, defaults to `/`)
+
+- Allow config persistence
 
 ## 1.3.3 (2026-05-19)
 - Update to latest version from gtsteffaniak/filebrowser (changelog : https://github.com/gtsteffaniak/filebrowser/releases)

filebrowser_quantum/Dockerfile

@@ -52,7 +52,7 @@ RUN chmod 744 /ha_automodules.sh && /ha_automodules.sh "$MODULES" && rm /ha_auto
 # Manual apps
 ENV PACKAGES="bind-tools \
     nginx \
-    python3"
+    python3 yq"
 
 # Automatic apps & bashio
 COPY ha_autoapps.sh /ha_autoapps.sh
@@ -71,7 +71,8 @@ RUN chmod 777 /ha_entrypoint.sh
 COPY bashio-standalone.sh /usr/local/lib/bashio-standalone.sh
 RUN chmod 0755 /usr/local/lib/bashio-standalone.sh
 
-RUN sed -i "s|/command/with-contenv|/usr/bin/env|g" "/ha_entrypoint.sh"
+RUN sed -i "s|/command/with-contenv|/usr/bin/env|g" "/ha_entrypoint.sh" && \
+    [[ -f /etc/cont-init.d/01-config_yaml.sh ]] && rm -r /etc/cont-init.d/01-config_yaml.sh
 
 VOLUME [ "/data" ]
 WORKDIR /
@@ -114,27 +115,4 @@ LABEL \
 # 6 Healthcheck #
 #################
 
-# Avoid spamming logs
+# Upstream
-# hadolint ignore=SC2016
-RUN \
-    # Handle Apache configuration
-    if [ -d /etc/apache2/sites-available ]; then \
-        for file in /etc/apache2/sites-*/*.conf; do \
-            sed -i '/<VirtualHost/a \ \n    # Match requests with the custom User-Agent "HealthCheck" \n    SetEnvIf User-Agent "HealthCheck" dontlog \n    # Exclude matching requests from access logs \n    CustomLog ${APACHE_LOG_DIR}/access.log combined env=!dontlog' "$file"; \
-        done; \
-    fi && \
-    \
-    # Handle Nginx configuration
-    if [ -f /etc/nginx/nginx.conf ]; then \
-        awk '/http \{/{print; print "map $http_user_agent $dontlog {\n  default 0;\n  \"~*HealthCheck\" 1;\n}\naccess_log /var/log/nginx/access.log combined if=$dontlog;"; next}1' /etc/nginx/nginx.conf > /etc/nginx/nginx.conf.new && \
-        mv /etc/nginx/nginx.conf.new /etc/nginx/nginx.conf; \
-    fi
-
-ENV HEALTH_PORT="8080" \
-    HEALTH_URL=""
-HEALTHCHECK \
-    --interval=5s \
-    --retries=5 \
-    --start-period=30s \
-    --timeout=25s \
-    CMD curl -A "HealthCheck: Docker/1.0" -s -f "http://127.0.0.1:${HEALTH_PORT}${HEALTH_URL}" &>/dev/null || curl -k --fail "https://127.0.0.1:${HEALTH_PORT}${HEALTH_URL}" &>/dev/null || exit 1

filebrowser_quantum/README.md

@@ -1,9 +1,7 @@
 # Home assistant add-on: FileBrowser Quantum
 
 
-I maintain this and other Home Assistant add-ons in my free time: keeping up with upstream changes, HA changes, and testing on real hardware takes a lot of time (and some money). I use around 5-10 of my >110 addons so regularly I install test machines (and purchase some test services such as vpn) that I don't use myself to troubleshoot and improve the addons
+I maintain this and other Home Assistant add-ons in my free time: keeping up with upstream changes, HA changes, and testing on real hardware takes a lot of time (and some money). I use around 5-10 hours a week for this. If this add-on saves you time or makes your setup easier, I would be very grateful for your support!
-
-If this add-on saves you time or makes your setup easier, I would be very grateful for your support!
 
 [![Buy me a coffee][donation-badge]](https://www.buymeacoffee.com/alexbelgium)
 [![Donate via PayPal][paypal-badge]](https://www.paypal.com/donate/?hosted_button_id=DZFULJZTP3UQA)
@@ -29,7 +27,7 @@ _Thanks to everyone having starred my repo! To star it click on the image below,
 
 ## About
 
-FileBrowser Quantum is a modern, responsive, multi-source file manager with realtime indexing, advanced sharing, and expanded authentication options (password, proxy, OIDC, or no-auth). It is a major fork of the original Filebrowser project, designed for faster browsing and richer previews.
+FileBrowser Quantum is a modern, responsive, multi-source file manager with realtime indexing, advanced sharing, and expanded authentication options (password, proxy, OIDC, or no-auth). It is a maintained fork of the original FileBrowser project.
 
 This addon is based on the [docker image](https://hub.docker.com/r/gtstef/filebrowser) from the FileBrowser Quantum project.
 
@@ -61,6 +59,7 @@ The web UI can be found at `<your-ip>:8071` or through the Home Assistant sideba
 | Option | Type | Default | Description |
 |--------|------|---------|-------------|
 | `auth_method` | list | `password` | Authentication method (`password`, `noauth`, `proxy`, `oidc`) |
+| `default_user_scope` | str | `/` | The root filesystem path used as the FileBrowser source and as the default scope for all users. Must be an existing absolute directory path (e.g. `/share`, `/media`). |
 | `localdisks` | str | _(optional)_ | Local drives to mount (e.g., `sda1,sdb1,MYNAS`) |
 | `networkdisks` | str | _(optional)_ | SMB shares to mount (e.g., `//SERVER/SHARE`) |
 | `cifsusername` | str | _(optional)_ | SMB username for network shares |
@@ -89,7 +88,7 @@ This addon supports mounting both local drives and remote SMB shares:
 This addon supports custom scripts and environment variables through the `addon_config` mapping:
 
 - **Custom scripts**: See [Running Custom Scripts in Addons](https://github.com/alexbelgium/hassio-addons/wiki/Running-custom-scripts-in-Addons)
-- **env_vars option**: Use the add-on `env_vars` option to pass extra environment variables (uppercase or lowercase names). See https://github.com/alexbelgium/hassio-addons/wiki/Add-Environment-variables-to-your-Addon-2 for details.
+- **env_vars option**: Use the add-on `env_vars` option to pass extra environment variables (uppercase or lowercase names). See https://github.com/alexbelgium/hassio-addons/wiki/Add-Environment-variables-to-add-ons
 
 ## Support
 
@@ -99,4 +98,3 @@ Create an issue on GitHub, or ask on the [Home Assistant Community thread](https
 [aarch64-shield]: https://img.shields.io/badge/aarch64-yes-green.svg
 [amd64-shield]: https://img.shields.io/badge/amd64-yes-green.svg
 [armv7-shield]: https://img.shields.io/badge/armv7-yes-green.svg
-

filebrowser_quantum/config.yaml

@@ -4,7 +4,7 @@ arch:
 description:
   FileBrowser Quantum provides a modern, responsive file manager with multi-source
   support, advanced authentication options, and realtime indexing for your Home
-  Assistant files.
+  Assistant files
 devices:
   - /dev/dri
   - /dev/dri/card0
@@ -73,6 +73,8 @@ devices:
   - /dev/md3
 environment:
   FB_BASEURL: /filebrowser_quantum
+  FILEBROWSER_CONFIG: "/config/config.yaml"
+  FILEBROWSER_DATABASE: "/config/database.db"
   PGID: "0"
   PUID: "0"
 image: ghcr.io/alexbelgium/filebrowser_quantum-{arch}
@@ -92,6 +94,7 @@ name: FileBrowser Quantum
 options:
   env_vars: []
   auth_method: noauth
+  default_user_scope: "/"
 panel_admin: false
 panel_icon: mdi:file-search
 privileged:
@@ -102,6 +105,7 @@ schema:
     - name: match(^[A-Za-z0-9_]+$)
       value: str?
   auth_method: list(password|noauth|proxy|oidc)
+  default_user_scope: str
   cifsdomain: str?
   cifspassword: str?
   cifsusername: str?
@@ -110,4 +114,4 @@ schema:
 slug: filebrowser_quantum
 udev: true
 url: https://github.com/alexbelgium/hassio-addons
-version: "1.3.3"
+version: "1.3.3-8"

filebrowser_quantum/rootfs/etc/cont-init.d/20-folders.sh

@@ -1,63 +0,0 @@
-#!/usr/bin/with-contenv bashio
-# shellcheck shell=bash
-set -e
-
-####################
-# Migrate database #
-####################
-
-if [ -f /homeassistant/addons_config/filebrowser_quantum/filebrowser_quantum.db ]; then
-    echo "Moving database from legacy addons_config location to /config"
-    cp -rnf /homeassistant/addons_config/filebrowser_quantum/* /config/
-    rm -r /homeassistant/addons_config/filebrowser_quantum
-fi
-
-if [ ! -f /config/filebrowser_quantum.db ] && [ -d /addon_configs ]; then
-    shopt -s nullglob
-    for addon_config_dir in /addon_configs/*_filebrowser_quantum; do
-        if [ -f "$addon_config_dir/filebrowser_quantum.db" ]; then
-            echo "Moving database from addon_configs location to /config"
-            cp -rnf "$addon_config_dir"/. /config/
-            break
-        fi
-    done
-    shopt -u nullglob
-fi
-
-######################
-# Link addon folders #
-######################
-
-# Clean symlinks
-find /config -maxdepth 1 -type l -delete
-if [ -d /homeassistant/addons_config ]; then
-    find /homeassistant/addons_config -maxdepth 1 -type l -delete
-fi
-# Remove erroneous folders
-if [ -d /homeassistant ]; then
-    if [ -d /config/addons_config ]; then
-        rm -r /config/addons_config
-    fi
-    if [ -d /config/addon_configs ]; then
-        rm -r /config/addon_configs
-    fi
-    if [ -d /config/addons_autoscripts ]; then
-        rm -r /config/addons_autoscripts
-    fi
-fi
-
-# Create symlinks with legacy folders
-addon_configs_symlink_dir=""
-if [ -d /homeassistant/addons_config ]; then
-    ln -s /homeassistant/addons_config /config
-    addon_configs_symlink_dir="/config/addons_config"
-elif [ -d /addon_configs ]; then
-    mkdir -p /config/addon_configs
-    addon_configs_symlink_dir="/config/addon_configs"
-fi
-if [ -n "$addon_configs_symlink_dir" ] && [ -d /addon_configs ]; then
-    find /addon_configs/ -maxdepth 1 -mindepth 1 -type d -not -name "*filebrowser_quantum*" -exec ln -s {} "$addon_configs_symlink_dir"/ \;
-fi
-if [ -d /homeassistant/addons_autoscripts ]; then
-    ln -s /homeassistant/addons_autoscripts /config
-fi

filebrowser_quantum/rootfs/etc/cont-init.d/99-run.sh

@@ -65,163 +65,80 @@ mkdir -p /var/log/nginx && touch /var/log/nginx/error.log
 # FILEBROWSER CONFIGURATION #
 ############################
 
-CONFIG_PATH="/config/filebrowser_quantum.yaml"
 mkdir -p /config /cache
 
-export FILEBROWSER_CONFIG="${CONFIG_PATH}"
+# Copy default config if not existing
+if [ ! -f "$FILEBROWSER_CONFIG" ]; then
+    cp /home/filebrowser/data/config.yaml "$FILEBROWSER_CONFIG"
+fi
 
-python3 - <<'PY'
+bashio::log.info "Updating FileBrowser config..."
-import json
-import os
 
-options_path = "/data/options.json"
+# --- Server (hardcoded values) ---
-config_path = os.environ["FILEBROWSER_CONFIG"]
+bashio::log.info "... set server"
+yq e -i ".server.port = 8080"            "$FILEBROWSER_CONFIG"
+yq e -i ".server.listen = \"0.0.0.0\""  "$FILEBROWSER_CONFIG"
+yq e -i ".server.database = \"/config/database.db\"" "$FILEBROWSER_CONFIG"
+yq e -i ".server.cacheDir = \"/cache\""  "$FILEBROWSER_CONFIG"
 
-with open(options_path, "r", encoding="utf-8") as f:
+# --- Default user scope / source path ---
-    options = json.load(f)
+bashio::log.info "... set default user scope"
+DEFAULT_USER_SCOPE=$(bashio::config 'default_user_scope' '/')
 
-base_url = options.get("base_url") or os.environ.get("FB_BASEURL") or "/"
+# Validate: must start with /
+if [[ "$DEFAULT_USER_SCOPE" != /* ]]; then
+    bashio::log.fatal "default_user_scope '${DEFAULT_USER_SCOPE}' is not a valid absolute path (must start with /). Stopping."
+    exit 1
+fi
 
-def bool_or_none(value):
+# Validate: path must exist
-    return value if isinstance(value, bool) else None
+if [ ! -d "$DEFAULT_USER_SCOPE" ]; then
+    bashio::log.fatal "default_user_scope '${DEFAULT_USER_SCOPE}' does not exist or is not a directory. Stopping."
+    exit 1
+fi
 
-sources = []
+bashio::log.info "... set source path and defaultUserScope to ${DEFAULT_USER_SCOPE}"
-for source in options.get("sources") or [{"path": "/", "name": "Root", "default_enabled": True}]:
+yq e -i ".server.sources[0].path = \"${DEFAULT_USER_SCOPE}\""  "$FILEBROWSER_CONFIG"
-    entry = {"path": source.get("path", "/")}
+yq e -i ".server.sources[0].name = \"Default\""                "$FILEBROWSER_CONFIG"
-    if source.get("name"):
+yq e -i ".server.sources[0].config.defaultUserScope = \"${DEFAULT_USER_SCOPE}\"" "$FILEBROWSER_CONFIG"
-        entry["name"] = source["name"]
 
-    source_config = {}
+# --- Base URL (from env or config) ---
-    config_mappings = {
+bashio::log.info "... set base URL to allow ingress"
-        "default_enabled": "defaultEnabled",
+BASE_URL=$(bashio::config 'base_url' "${FB_BASEURL:-/}")
-        "default_user_scope": "defaultUserScope",
+yq e -i ".server.baseURL = \"${BASE_URL}\"" "$FILEBROWSER_CONFIG"
-        "create_user_dir": "createUserDir",
-        "disable_indexing": "disableIndexing",
-        "deny_by_default": "denyByDefault",
-        "private": "private",
-        "indexing_interval_minutes": "indexingIntervalMinutes",
-    }
-    for option_key, config_key in config_mappings.items():
-        if option_key in source and source[option_key] not in (None, ""):
-            value = source[option_key]
-            if option_key == "indexing_interval_minutes" and not value:
-                continue
-            source_config[config_key] = value
 
-    conditionals = {}
+# --- Auth method ---
-    if "ignore_hidden" in source:
+AUTH_METHOD=$(bashio::config 'auth_method' 'password')
-        value = bool_or_none(source.get("ignore_hidden"))
+bashio::log.info "... authentication method set to $AUTH_METHOD"
-        if value is not None:
+case "$AUTH_METHOD" in
-            conditionals["ignoreHidden"] = value
+    noauth)
-    if "ignore_zero_size_folders" in source:
+        yq e -i ".auth.methods.noauth = true"            "$FILEBROWSER_CONFIG"
-        value = bool_or_none(source.get("ignore_zero_size_folders"))
+        yq e -i ".auth.methods.password.enabled = false" "$FILEBROWSER_CONFIG"
-        if value is not None:
+        yq e -i ".auth.methods.proxy.enabled = false"    "$FILEBROWSER_CONFIG"
-            conditionals["ignoreZeroSizeFolders"] = value
+        yq e -i ".auth.methods.oidc.enabled = false"     "$FILEBROWSER_CONFIG"
-    if conditionals:
+        ;;
-        source_config["conditionals"] = conditionals
+    password)
-
+        yq e -i ".auth.methods.noauth = false"           "$FILEBROWSER_CONFIG"
-    if source_config:
+        yq e -i ".auth.methods.password.enabled = true"  "$FILEBROWSER_CONFIG"
-        entry["config"] = source_config
+        yq e -i ".auth.methods.proxy.enabled = false"    "$FILEBROWSER_CONFIG"
-    sources.append(entry)
+        yq e -i ".auth.methods.oidc.enabled = false"     "$FILEBROWSER_CONFIG"
-
+        ;;
-server = {
+    proxy)
-    "port": 8080,
+        yq e -i ".auth.methods.noauth = false"           "$FILEBROWSER_CONFIG"
-    "listen": "0.0.0.0",
+        yq e -i ".auth.methods.password.enabled = false" "$FILEBROWSER_CONFIG"
-    "baseURL": base_url,
+        yq e -i ".auth.methods.proxy.enabled = true"     "$FILEBROWSER_CONFIG"
-    "logging": [
+        yq e -i ".auth.methods.oidc.enabled = false"     "$FILEBROWSER_CONFIG"
-        {
+        ;;
-            "levels": options.get("log_levels", "info|warning|error"),
+    oidc)
-        }
+        yq e -i ".auth.methods.noauth = false"           "$FILEBROWSER_CONFIG"
-    ],
+        yq e -i ".auth.methods.password.enabled = false" "$FILEBROWSER_CONFIG"
-    "database": "/config/filebrowser_quantum.db",
+        yq e -i ".auth.methods.proxy.enabled = false"    "$FILEBROWSER_CONFIG"
-    "cacheDir": "/cache",
+        yq e -i ".auth.methods.oidc.enabled = true"      "$FILEBROWSER_CONFIG"
-    "cacheDirCleanup": options.get("cache_dir_cleanup", True),
+        ;;
-    "disablePreviews": options.get("disable_previews", False),
+    *)
-    "disablePreviewResize": options.get("disable_preview_resize", False),
+        bashio::log.fatal "Unknown auth_method: $AUTH_METHOD"
-    "disableTypeDetectionByHeader": options.get("disable_type_detection_by_header", False),
+        ;;
-    "disableUpdateCheck": options.get("disable_update_check", False),
+esac
-    "sources": sources,
-}
-
-if options.get("external_url"):
-    server["externalUrl"] = options["external_url"]
-if options.get("internal_url"):
-    server["internalUrl"] = options["internal_url"]
-if options.get("max_archive_size_gb"):
-    server["maxArchiveSize"] = options["max_archive_size_gb"]
-
-certfile = os.environ.get("CERTFILE")
-keyfile = os.environ.get("KEYFILE")
-if certfile and keyfile:
-    server["tlsCert"] = certfile
-    server["tlsKey"] = keyfile
-
-auth_method = options.get("auth_method", "password")
-
-password_config = {
-    "enabled": auth_method == "password",
-    "minLength": options.get("password_min_length", 5),
-    "signup": options.get("password_signup", False),
-    "enforcedOtp": options.get("password_enforced_otp", False),
-}
-
-proxy_config = {
-    "enabled": auth_method == "proxy",
-}
-if options.get("proxy_auth_header"):
-    proxy_config["header"] = options["proxy_auth_header"]
-proxy_config["createUser"] = options.get("proxy_auth_create_user", False)
-if options.get("proxy_auth_logout_redirect_url"):
-    proxy_config["logoutRedirectUrl"] = options["proxy_auth_logout_redirect_url"]
-
-oidc_config = {
-    "enabled": auth_method == "oidc",
-}
-if options.get("oidc_client_id"):
-    oidc_config["clientId"] = options["oidc_client_id"]
-if options.get("oidc_client_secret"):
-    oidc_config["clientSecret"] = options["oidc_client_secret"]
-if options.get("oidc_issuer_url"):
-    oidc_config["issuerUrl"] = options["oidc_issuer_url"]
-if options.get("oidc_scopes"):
-    oidc_config["scopes"] = options["oidc_scopes"]
-if options.get("oidc_user_identifier"):
-    oidc_config["userIdentifier"] = options["oidc_user_identifier"]
-if options.get("oidc_admin_group"):
-    oidc_config["adminGroup"] = options["oidc_admin_group"]
-if options.get("oidc_groups_claim"):
-    oidc_config["groupsClaim"] = options["oidc_groups_claim"]
-if options.get("oidc_logout_redirect_url"):
-    oidc_config["logoutRedirectUrl"] = options["oidc_logout_redirect_url"]
-oidc_config["createUser"] = options.get("oidc_create_user", False)
-oidc_config["disableVerifyTLS"] = options.get("oidc_disable_verify_tls", False)
-
-auth = {
-    "tokenExpirationHours": options.get("token_expiration_hours", 2),
-    "adminUsername": options.get("admin_username", "admin"),
-    "adminPassword": options.get("admin_password", "admin"),
-    "methods": {
-        "noauth": auth_method == "noauth",
-        "password": password_config,
-        "proxy": proxy_config,
-        "oidc": oidc_config,
-    },
-}
-
-frontend = {
-    "name": "FileBrowser Quantum",
-}
-
-config = {
-    "server": server,
-    "auth": auth,
-    "frontend": frontend,
-}
-
-with open(config_path, "w", encoding="utf-8") as f:
-    json.dump(config, f, indent=2)
-    f.write("\n")
-PY
 
 ######################
 # LAUNCH FILEBROWSER #

filebrowser_quantum/rootfs/etc/nginx/servers/health.conf

@@ -0,0 +1,8 @@
+server {
+    listen 127.0.0.1:3001;
+    access_log off;
+
+    location /health {
+        return 200 'OK';
+    }
+}