fix(fireflyiii): respect user-configured DB credentials when using mariadb_addon

When DB_CONNECTION is set to mariadb_addon, the script now checks if the user
has explicitly configured DB_USERNAME, DB_PASSWORD, or DB_DATABASE in addon
options. If set, those values are used instead of the MariaDB addon service
discovery credentials. This fixes authentication failures when the service
account doesn't have proper access.

Fixes: Firefly III access denied for user 'service' issue

Agent-Logs-Url: https://github.com/alexbelgium/hassio-addons/sessions/7cacda5b-d03e-47c5-b4fc-4cfb4ef2a3dc

Co-authored-by: alexbelgium <44178713+alexbelgium@users.noreply.github.com>

README.md

@@ -112,13 +112,12 @@ If you want to do add the repository manually, please follow the procedure highl
 ![smb][smb-badge]
 ![localdisks][localdisks-badge]
 
-✓ ![image](https://api.iconify.design/mdi/subtitles-outline.svg) [Bazarr NAS](bazarr/) : Companion application to Sonarr and Radarr to download subtitles
+✓  [Bazarr NAS](bazarr/) : Companion application to Sonarr and Radarr to download subtitles
 
   ![Version](https://img.shields.io/badge/dynamic/yaml?label=Version&query=%24.version&url=https%3A%2F%2Fraw.githubusercontent.com%2Falexbelgium%2Fhassio-addons%2Fmaster%2Fbazarr%2Fconfig.yaml)
 ![Update](https://img.shields.io/badge/dynamic/json?label=Updated&query=%24.last_update&url=https%3A%2F%2Fraw.githubusercontent.com%2Falexbelgium%2Fhassio-addons%2Fmaster%2Fbazarr%2Fupdater.json)
 ![aarch64][aarch64-badge]
 ![amd64][amd64-badge]
-![ingress][ingress-badge]
 ![smb][smb-badge]
 ![localdisks][localdisks-badge]
 

bazarr/CHANGELOG.md

@@ -1,8 +1,4 @@
 
-## 1.5.6-3 (2026-04-20)
-- Add Ingress support with nginx reverse proxy for sidebar integration
-- Add connection_mode option (ingress_noauth/noingress_auth/ingress_auth)
-
 ## 1.5.6 (2026-02-28)
 - Update to latest version from linuxserver/docker-bazarr (changelog : https://github.com/linuxserver/docker-bazarr/releases)
 

bazarr/Dockerfile

@@ -47,14 +47,14 @@ RUN if [ ! -f /bin/sh ] && [ -f /usr/bin/sh ]; then ln -s /usr/bin/sh /bin/sh; f
     if [ ! -f /bin/bash ] && [ -f /usr/bin/bash ]; then ln -s /usr/bin/bash /bin/bash; fi
 
 # Modules
-ARG MODULES="00-banner.sh 01-custom_script.sh 90-disable_ingress.sh 00-local_mounts.sh 00-smb_mounts.sh"
+ARG MODULES="00-banner.sh 01-custom_script.sh 00-local_mounts.sh 00-smb_mounts.sh"
 
 # Automatic modules download
 COPY ha_automodules.sh /ha_automodules.sh
 RUN chmod 744 /ha_automodules.sh && /ha_automodules.sh "$MODULES" && rm /ha_automodules.sh
 
 # Manual apps
-ENV PACKAGES="nginx"
+ENV PACKAGES=""
 
 # Automatic apps & bashio
 COPY ha_autoapps.sh /ha_autoapps.sh

bazarr/README.md

@@ -48,26 +48,18 @@ Configurations can be done through the app webUI, except for the following optio
 | `PGID` | int | `0` | Group ID for file permissions |
 | `PUID` | int | `0` | User ID for file permissions |
 | `TZ` | str | | Timezone (e.g., `Europe/London`) |
-| `connection_mode` | list | `ingress_noauth` | Connection mode (ingress_noauth/noingress_auth/ingress_auth) |
 | `localdisks` | str | | Local drives to mount (e.g., `sda1,sdb1,MYNAS`) |
 | `networkdisks` | str | | SMB shares to mount (e.g., `//SERVER/SHARE`) |
 | `cifsusername` | str | | SMB username for network shares |
 | `cifspassword` | str | | SMB password for network shares |
 | `cifsdomain` | str | | SMB domain for network shares |
 
-### Connection Modes
-
-- `ingress_noauth` - Default, disables authentication for seamless ingress integration
-- `noingress_auth` - Disables ingress for external URL, enables authentication
-- `ingress_auth` - Enables both ingress and authentication
-
 ### Example Configuration
 
 ```yaml
 PGID: 0
 PUID: 0
 TZ: "Europe/London"
-connection_mode: "ingress_noauth"
 localdisks: "sda1,sdb1"
 networkdisks: "//192.168.1.100/media,//nas.local/subtitles"
 cifsusername: "mediauser"

bazarr/config.yaml

@@ -72,8 +72,6 @@ environment:
   PGID: "0"
   PUID: "0"
 image: ghcr.io/alexbelgium/bazarr-{arch}
-ingress: true
-ingress_entry: bazarr
 init: false
 map:
   - addon_config:rw
@@ -86,9 +84,6 @@ options:
   env_vars: []
   PGID: 0
   PUID: 0
-  connection_mode: ingress_noauth
-panel_admin: false
-panel_icon: mdi:subtitles-outline
 ports:
   6767/tcp: 6767
 ports_description:
@@ -106,11 +101,10 @@ schema:
   cifsdomain: str?
   cifspassword: str?
   cifsusername: str?
-  connection_mode: list(ingress_noauth|noingress_auth|ingress_auth)
   localdisks: str?
   networkdisks: str?
 slug: bazarr_nas
 udev: true
 url: https://github.com/alexbelgium/hassio-addons/tree/master/bazarr
-version: "1.5.6-3"
+version: "1.5.6"
 webui: "[PROTO:ssl]://[HOST]:[PORT:6767]"

bazarr/rootfs/etc/cont-init.d/32-nginx_ingress.sh

@@ -1,61 +0,0 @@
-#!/usr/bin/with-contenv bashio
-# shellcheck shell=bash
-set -e
-
-#################
-# NGINX SETTING #
-#################
-declare ingress_interface
-declare ingress_port
-
-ingress_port=$(bashio::addon.ingress_port)
-ingress_interface=$(bashio::addon.ip_address)
-ingress_entry=$(bashio::addon.ingress_entry)
-sed -i "s/%%port%%/${ingress_port}/g" /etc/nginx/servers/ingress.conf
-sed -i "s/%%interface%%/${ingress_interface}/g" /etc/nginx/servers/ingress.conf
-sed -i "s|%%ingress_entry%%|${ingress_entry}|g" /etc/nginx/servers/ingress.conf
-
-##################
-# CONFIG SETTING #
-##################
-
-# Values
-slug=bazarr
-CONFIG_LOCATION=/config/config/config.yaml
-
-if [ -f "$CONFIG_LOCATION" ]; then
-
-    # Define addon mode
-    connection_mode="$(bashio::config "connection_mode")"
-    bashio::log.green "---------------------------"
-    bashio::log.green "Connection_mode is $connection_mode"
-    bashio::log.green "---------------------------"
-    case "$connection_mode" in
-        # Ingress mode, authentication is disabled
-        ingress_noauth)
-            bashio::log.green "Ingress is enabled, authentication is disabled"
-            bashio::log.yellow "WARNING : Make sure that the port is not exposed externally by your router to avoid a security risk !"
-            # Set base_url
-            sed -i "s/  base_url:.*/  base_url: $slug/" "$CONFIG_LOCATION"
-            # Disable auth
-            sed -i '/^auth:/,/^[^ ]/{ s/  type:.*/  type: null/ }' "$CONFIG_LOCATION"
-            ;;
-        # Ingress mode, with authentication
-        ingress_auth)
-            bashio::log.green "Ingress is enabled, and external authentication is enabled"
-            # Set base_url
-            sed -i "s/  base_url:.*/  base_url: $slug/" "$CONFIG_LOCATION"
-            # Enable Bazarr auth when leaving ingress_noauth
-            sed -i '/^auth:/,/^[^ ]/{ s/  type:.*/  type: form/ }' "$CONFIG_LOCATION"
-            ;;
-        # No ingress mode, with authentication
-        noingress_auth)
-            bashio::log.green "Disabling ingress and enabling authentication"
-            bashio::log.yellow "WARNING : Ingress is disabled so the app won't be available from HA itself !"
-            sed -i "s/  base_url:.*/  base_url: ''/" "$CONFIG_LOCATION"
-            # Enable Bazarr auth when leaving ingress_noauth
-            sed -i '/^auth:/,/^[^ ]/{ s/  type:.*/  type: form/ }' "$CONFIG_LOCATION"
-            ;;
-    esac
-
-fi

bazarr/rootfs/etc/nginx/includes/mime.types

@@ -1,96 +0,0 @@
-types {
-    text/html                                        html htm shtml;
-    text/css                                         css;
-    text/xml                                         xml;
-    image/gif                                        gif;
-    image/jpeg                                       jpeg jpg;
-    application/javascript                           js;
-    application/atom+xml                             atom;
-    application/rss+xml                              rss;
-
-    text/mathml                                      mml;
-    text/plain                                       txt;
-    text/vnd.sun.j2me.app-descriptor                 jad;
-    text/vnd.wap.wml                                 wml;
-    text/x-component                                 htc;
-
-    image/png                                        png;
-    image/svg+xml                                    svg svgz;
-    image/tiff                                       tif tiff;
-    image/vnd.wap.wbmp                               wbmp;
-    image/webp                                       webp;
-    image/x-icon                                     ico;
-    image/x-jng                                      jng;
-    image/x-ms-bmp                                   bmp;
-
-    font/woff                                        woff;
-    font/woff2                                       woff2;
-
-    application/java-archive                         jar war ear;
-    application/json                                 json;
-    application/mac-binhex40                         hqx;
-    application/msword                               doc;
-    application/pdf                                  pdf;
-    application/postscript                           ps eps ai;
-    application/rtf                                  rtf;
-    application/vnd.apple.mpegurl                    m3u8;
-    application/vnd.google-earth.kml+xml             kml;
-    application/vnd.google-earth.kmz                 kmz;
-    application/vnd.ms-excel                         xls;
-    application/vnd.ms-fontobject                    eot;
-    application/vnd.ms-powerpoint                    ppt;
-    application/vnd.oasis.opendocument.graphics      odg;
-    application/vnd.oasis.opendocument.presentation  odp;
-    application/vnd.oasis.opendocument.spreadsheet   ods;
-    application/vnd.oasis.opendocument.text          odt;
-    application/vnd.openxmlformats-officedocument.presentationml.presentation
-                                                     pptx;
-    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
-                                                     xlsx;
-    application/vnd.openxmlformats-officedocument.wordprocessingml.document
-                                                     docx;
-    application/vnd.wap.wmlc                         wmlc;
-    application/x-7z-compressed                      7z;
-    application/x-cocoa                              cco;
-    application/x-java-archive-diff                  jardiff;
-    application/x-java-jnlp-file                     jnlp;
-    application/x-makeself                           run;
-    application/x-perl                               pl pm;
-    application/x-pilot                              prc pdb;
-    application/x-rar-compressed                     rar;
-    application/x-redhat-package-manager             rpm;
-    application/x-sea                                sea;
-    application/x-shockwave-flash                    swf;
-    application/x-stuffit                            sit;
-    application/x-tcl                                tcl tk;
-    application/x-x509-ca-cert                       der pem crt;
-    application/x-xpinstall                          xpi;
-    application/xhtml+xml                            xhtml;
-    application/xspf+xml                             xspf;
-    application/zip                                  zip;
-
-    application/octet-stream                         bin exe dll;
-    application/octet-stream                         deb;
-    application/octet-stream                         dmg;
-    application/octet-stream                         iso img;
-    application/octet-stream                         msi msp msm;
-
-    audio/midi                                       mid midi kar;
-    audio/mpeg                                       mp3;
-    audio/ogg                                        ogg;
-    audio/x-m4a                                      m4a;
-    audio/x-realaudio                                ra;
-
-    video/3gpp                                       3gpp 3gp;
-    video/mp2t                                       ts;
-    video/mp4                                        mp4;
-    video/mpeg                                       mpeg mpg;
-    video/quicktime                                  mov;
-    video/webm                                       webm;
-    video/x-flv                                      flv;
-    video/x-m4v                                      m4v;
-    video/x-mng                                      mng;
-    video/x-ms-asf                                   asx asf;
-    video/x-ms-wmv                                   wmv;
-    video/x-msvideo                                  avi;
-}

bazarr/rootfs/etc/nginx/includes/proxy_params.conf

@@ -1,16 +0,0 @@
-proxy_http_version          1.1;
-proxy_ignore_client_abort   off;
-proxy_read_timeout          86400s;
-proxy_redirect              off;
-proxy_send_timeout          86400s;
-proxy_max_temp_file_size    0;
-
-proxy_hide_header X-Frame-Options;
-proxy_set_header Accept-Encoding "";
-proxy_set_header Connection $connection_upgrade;
-proxy_set_header Upgrade $http_upgrade;
-proxy_set_header Host $http_host;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $scheme;
-proxy_set_header X-NginX-Proxy true;
-proxy_set_header X-Real-IP $remote_addr; 

bazarr/rootfs/etc/nginx/includes/resolver.conf

@@ -1 +0,0 @@
-resolver 127.0.0.11 ipv6=off;

bazarr/rootfs/etc/nginx/includes/server_params.conf

@@ -1,5 +0,0 @@
-server_name     $hostname;
-
-add_header X-Content-Type-Options nosniff;
-add_header X-XSS-Protection "1; mode=block";
-add_header X-Robots-Tag none;

bazarr/rootfs/etc/nginx/includes/ssl_params.conf

@@ -1,9 +0,0 @@
-ssl_protocols TLSv1.2;
-ssl_prefer_server_ciphers on;
-ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
-ssl_ecdh_curve secp384r1;
-ssl_session_timeout  10m;
-ssl_session_cache shared:SSL:10m;
-ssl_session_tickets off;
-ssl_stapling on;
-ssl_stapling_verify on;

bazarr/rootfs/etc/nginx/includes/upstream.conf

@@ -1,3 +0,0 @@
-upstream backend {
-    server 127.0.0.1:8080;
-}

bazarr/rootfs/etc/nginx/nginx.conf

@@ -1,57 +0,0 @@
-
-# Run nginx in foreground.
-daemon off;
-
-# This is run inside Docker.
-user root;
-
-# Pid storage location.
-pid /var/run/nginx.pid;
-
-# Set number of worker processes.
-worker_processes 1;
-
-# Enables the use of JIT for regular expressions to speed-up their processing.
-pcre_jit on;
-
-# Write error log to Hass.io add-on log.
-error_log /proc/1/fd/1 error;
-
-# Load allowed environment vars
-env HASSIO_TOKEN;
-
-# Load dynamic modules.
-include /etc/nginx/modules/*.conf;
-
-# Max num of simultaneous connections by a worker process.
-events {
-    worker_connections 512;
-}
-
-http {
-    include /etc/nginx/includes/mime.types;
-
-    log_format hassio '[$time_local] $status '
-                        '$http_x_forwarded_for($remote_addr) '
-                        '$request ($http_user_agent)';
-
-    access_log              /proc/1/fd/1 hassio;
-    client_max_body_size    4G;
-    default_type            application/octet-stream;
-    gzip                    on;
-    keepalive_timeout       65;
-    sendfile                on;
-    server_tokens           off;
-    tcp_nodelay             on;
-    tcp_nopush              on;
-
-    map $http_upgrade $connection_upgrade {
-        default upgrade;
-        ''      close;
-    }
-
-    include /etc/nginx/includes/resolver.conf;
-    include /etc/nginx/includes/upstream.conf;
-
-    include /etc/nginx/servers/*.conf;
-} 

bazarr/rootfs/etc/nginx/servers/ingress.conf

@@ -1,29 +0,0 @@
-server {
-    listen %%interface%%:%%port%% default_server;
-
-    #include /etc/nginx/includes/server_params.conf;
-    #include /etc/nginx/includes/proxy_params.conf;
-
-    client_max_body_size 0;
-
-   location / {
-       add_header Access-Control-Allow-Origin *;
-       proxy_connect_timeout 30m;
-       proxy_send_timeout 30m;
-       proxy_read_timeout 30m;
-       proxy_pass         http://127.0.0.1:6767;
-
-       # Allow websocket
-       proxy_http_version 1.1;
-       proxy_set_header Upgrade $http_upgrade;
-       proxy_set_header Connection $http_connection;
-       #auth_basic off;
-
-       # Correct base_url
-       proxy_set_header Accept-Encoding "";
-       sub_filter_once off;
-       sub_filter_types *;
-       sub_filter /bazarr %%ingress_entry%%/bazarr;
-  }
-
-}

bazarr/rootfs/etc/services.d/nginx/finish

@@ -1,8 +0,0 @@
-#!/usr/bin/execlineb -S0
-# ==============================================================================
-# Take down the S6 supervision tree when Nginx fails
-# ==============================================================================
-if { s6-test ${1} -ne 0 }
-if { s6-test ${1} -ne 256 }
-
-s6-svscanctl -t /var/run/s6/services

bazarr/rootfs/etc/services.d/nginx/run

@@ -1,28 +0,0 @@
-#!/usr/bin/with-contenv bashio
-# shellcheck shell=bash
-set -e
-# ==============================================================================
-
-# Set variables
-slug=bazarr
-port=6767
-CONFIG_LOCATION=/config/config/config.yaml
-
-# Wait for bazarr to become available
-bashio::net.wait_for "$port" localhost 900
-
-# Set base_url
-if [ -f "$CONFIG_LOCATION" ]; then
-    if ! bashio::config.true "ingress_disabled"; then
-        if ! bashio::config.has_value "connection_mode" || [ "$(bashio::config 'connection_mode')" != "noingress_auth" ]; then
-            if ! grep -q "base_url.*$slug" "$CONFIG_LOCATION"; then
-                bashio::log.warning "BaseUrl not set properly, restarting"
-                sed -i "s/  base_url:.*/  base_url: $slug/" "$CONFIG_LOCATION"
-                bashio::addon.restart
-            fi
-        fi
-    fi
-fi
-
-bashio::log.info "Starting NGinx..."
-exec nginx

fireflyiii/CHANGELOG.md

@@ -1,6 +1,7 @@
 
 ## 6.5.9 (2026-03-28)
 - Update to latest version from firefly-iii/firefly-iii (changelog : https://github.com/firefly-iii/firefly-iii/releases)
+- Fix: mariadb_addon now respects user-configured DB_USERNAME, DB_PASSWORD, and DB_DATABASE options instead of always using service discovery credentials
 
 ## 6.5.6 (2026-03-21)
 - Update to latest version from firefly-iii/firefly-iii (changelog : https://github.com/firefly-iii/firefly-iii/releases)

fireflyiii/README.md

@@ -51,9 +51,9 @@ Configurations can be done through the app webUI, except for the following optio
 | `DB_CONNECTION` | list | `sqlite_internal` | Database type (sqlite_internal/mariadb_addon/mysql/pgsql) |
 | `DB_HOST` | str | | Database host (for external databases) |
 | `DB_PORT` | str | | Database port (for external databases) |
-| `DB_DATABASE` | str | | Database name (for external databases) |
+| `DB_DATABASE` | str | | Database name (defaults to `firefly` for mariadb_addon) |
-| `DB_USERNAME` | str | | Database username (for external databases) |
+| `DB_USERNAME` | str | | Database username (overrides MariaDB addon service discovery if set) |
-| `DB_PASSWORD` | str | | Database password (for external databases) |
+| `DB_PASSWORD` | str | | Database password (overrides MariaDB addon service discovery if set) |
 | `Updates` | list | | Automatic update schedule (hourly/daily/weekly) |
 | `silent` | bool | `true` | Silent mode - set to false for debug info |
 

fireflyiii/rootfs/etc/cont-init.d/99-run.sh

@@ -90,9 +90,26 @@ case $(bashio::config 'DB_CONNECTION') in
         DB_CONNECTION=mysql
         DB_HOST=$(bashio::services "mysql" "host")
         DB_PORT=$(bashio::services "mysql" "port")
-        DB_DATABASE=firefly
+
-        DB_USERNAME=$(bashio::services "mysql" "username")
+        # Use user-configured database name if provided, otherwise default to 'firefly'
-        DB_PASSWORD=$(bashio::services "mysql" "password")
+        if bashio::config.has_value "DB_DATABASE"; then
+            DB_DATABASE=$(bashio::config "DB_DATABASE")
+        else
+            DB_DATABASE=firefly
+        fi
+
+        # Use user-configured credentials if provided, otherwise use service discovery
+        if bashio::config.has_value "DB_USERNAME"; then
+            DB_USERNAME=$(bashio::config "DB_USERNAME")
+        else
+            DB_USERNAME=$(bashio::services "mysql" "username")
+        fi
+        if bashio::config.has_value "DB_PASSWORD"; then
+            DB_PASSWORD=$(bashio::config "DB_PASSWORD")
+        else
+            DB_PASSWORD=$(bashio::services "mysql" "password")
+        fi
+
         export DB_CONNECTION
         export DB_HOST && bashio::log.blue "DB_HOST=$DB_HOST"
         export DB_PORT && bashio::log.blue "DB_PORT=$DB_PORT"
@@ -110,7 +127,7 @@ case $(bashio::config 'DB_CONNECTION') in
             --skip-ssl \
             -u "${DB_USERNAME}" -p"${DB_PASSWORD}" \
             -h "${DB_HOST}" -P "${DB_PORT}" \
-            -e "CREATE DATABASE IF NOT EXISTS \`firefly\`;"
+            -e "CREATE DATABASE IF NOT EXISTS \`${DB_DATABASE}\`;"
         ;;
 
         # Use remote