Added ingress support (#7)

* Added ingress support

* Removed entry because it is not used and Added manifest.json

* Added default start screen

.gitlab-ci.yml

@@ -10,6 +10,6 @@ variables:
   ADDON_ARMHF: "false"
   ADDON_AARCH64: "false"
 
-  ADDON_AMD64_BASE: "hassioaddons/ubuntu-base-amd64:3.0.0"
+  ADDON_AMD64_BASE: "hassioaddons/ubuntu-base-amd64:3.1.0"
-  ADDON_ARMV7_BASE: "hassioaddons/ubuntu-base-armv7:3.0.0"
+  ADDON_ARMV7_BASE: "hassioaddons/ubuntu-base-armv7:3.1.0"
-  ADDON_I386_BASE: "hassioaddons/ubuntu-base-i386:3.0.0"
+  ADDON_I386_BASE: "hassioaddons/ubuntu-base-i386:3.1.0"

mopidy/Dockerfile

@@ -1,4 +1,4 @@
-ARG BUILD_FROM=hassioaddons/ubuntu-base:3.0.0
+ARG BUILD_FROM=hassioaddons/ubuntu-base:3.1.0
 # hadolint ignore=DL3006
 FROM ${BUILD_FROM}
 
@@ -68,9 +68,13 @@ RUN \
     \
     && find /tmp/ -mindepth 1  -delete \
     && rm -fr \
+        /etc/nginx \
         /var/{cache,log}/* \
         /var/lib/apt/lists/* \
-        /root/.cache
+        /root/.cache \
+    \
+    && mkdir -p /var/log/nginx \
+    && touch /var/log/nginx/error.log
 
 # Copy root filesystem
 COPY rootfs /

mopidy/build.json

@@ -1,8 +1,8 @@
 {
     "build_from": {
-        "amd64": "hassioaddons/ubuntu-base-amd64:3.0.0",
+        "amd64": "hassioaddons/ubuntu-base-amd64:3.1.0",
-        "armv7": "hassioaddons/ubuntu-base-armv7:3.0.0",
+        "armv7": "hassioaddons/ubuntu-base-armv7:3.1.0",
-        "i386": "hassioaddons/ubuntu-base-i386:3.0.0"
+        "i386": "hassioaddons/ubuntu-base-i386:3.1.0"
     },
     "args": {}
 }

mopidy/config.json

@@ -2,9 +2,12 @@
   "name": "Mopidy",
   "version": "dev",
   "slug": "mopidy",
+  "panel_icon": "mdi:music-circle",
   "description": "Mopidy is an extensible music server",
   "url": "https://github.com/hassio-addons/addon-mopidy",
-  "webui": "http://[HOST]:[PORT:6680]/iris/",
+  "webui": "http://[HOST]:[PORT:80]/iris/",
+  "ingress": true,
+  "ingress_port": 1337,
   "startup": "application",
   "arch": [
     "amd64",
@@ -15,12 +18,16 @@
   "hassio_api": true,
   "auth_api": true,
   "hassio_role": "default",
-  "host_network": false,
   "audio": true,
   "ports": {
-    "55555/udp": 5555,
     "6600/tcp": 6600,
-    "6680/tcp": 6680
+    "5555/udp": 5555,
+    "80/tcp": null
+  },
+  "ports_description": {
+    "6600/tcp": "Mopidy",
+    "5555/udp": "Autoaudiosink",
+    "80/tcp": "Web interface (Not required for Hass.io Ingress)"
   },
   "map": [
     "config",

mopidy/rootfs/etc/cont-init.d/10-requirements.sh

@@ -1,7 +0,0 @@
-#!/usr/bin/with-contenv bashio
-# ==============================================================================
-# Community Hass.io Add-ons: Mopidy
-# This files check if all user configuration requirements are met
-# ==============================================================================
-bashio::config.require.ssl
-

mopidy/rootfs/etc/cont-init.d/11-nginx.sh

@@ -1,18 +1,37 @@
 #!/usr/bin/with-contenv bashio
 # ==============================================================================
-# Community Hass.io Add-ons: Mopidy
+# Community Hass.io Add-ons: InfluxDB
-# Configures NGINX for use with code-server
+# Configures NGINX for use with the Chronograf
 # ==============================================================================
+declare port
 declare certfile
+declare ingress_interface
+declare ingress_port
+declare ingress_entry
 declare keyfile
 
-mkdir -p /var/log/nginx
+port=$(bashio::addon.port 80)
+ingress_entry=$(bashio::addon.ingress_entry)
+if bashio::var.has_value "${port}"; then
+    bashio::config.require.ssl
 
-if bashio::config.true 'ssl'; then
+    if bashio::config.true 'ssl'; then
-    certfile=$(bashio::config 'certfile')
+        certfile=$(bashio::config 'certfile')
-    keyfile=$(bashio::config 'keyfile')
+        keyfile=$(bashio::config 'keyfile')
 
-    sed -i "s/%%certfile%%/${certfile}/g" /etc/nginx/nginx-ssl.conf
+        mv /etc/nginx/servers/direct-ssl.disabled /etc/nginx/servers/direct.conf
-    sed -i "s/%%keyfile%%/${keyfile}/g" /etc/nginx/nginx-ssl.conf
+        sed -i "s/%%certfile%%/${certfile}/g" /etc/nginx/servers/direct.conf
+        sed -i "s/%%keyfile%%/${keyfile}/g" /etc/nginx/servers/direct.conf
+
+    else
+        mv /etc/nginx/servers/direct.disabled /etc/nginx/servers/direct.conf
+    fi
+
+    sed -i "s#%%ingress_entry%%#${ingress_entry}#g" /etc/nginx/servers/direct.conf
 fi
 
+ingress_port=$(bashio::addon.ingress_port)
+ingress_interface=$(bashio::addon.ip_address)
+sed -i "s/%%port%%/${ingress_port}/g" /etc/nginx/servers/ingress.conf
+sed -i "s/%%interface%%/${ingress_interface}/g" /etc/nginx/servers/ingress.conf
+sed -i "s#%%ingress_entry%%#${ingress_entry}#g" /etc/nginx/servers/ingress.conf

mopidy/rootfs/etc/nginx/includes/mime.types

@@ -0,0 +1,96 @@
+types {
+    text/html                                        html htm shtml;
+    text/css                                         css;
+    text/xml                                         xml;
+    image/gif                                        gif;
+    image/jpeg                                       jpeg jpg;
+    application/javascript                           js;
+    application/atom+xml                             atom;
+    application/rss+xml                              rss;
+
+    text/mathml                                      mml;
+    text/plain                                       txt;
+    text/vnd.sun.j2me.app-descriptor                 jad;
+    text/vnd.wap.wml                                 wml;
+    text/x-component                                 htc;
+
+    image/png                                        png;
+    image/svg+xml                                    svg svgz;
+    image/tiff                                       tif tiff;
+    image/vnd.wap.wbmp                               wbmp;
+    image/webp                                       webp;
+    image/x-icon                                     ico;
+    image/x-jng                                      jng;
+    image/x-ms-bmp                                   bmp;
+
+    font/woff                                        woff;
+    font/woff2                                       woff2;
+
+    application/java-archive                         jar war ear;
+    application/json                                 json;
+    application/mac-binhex40                         hqx;
+    application/msword                               doc;
+    application/pdf                                  pdf;
+    application/postscript                           ps eps ai;
+    application/rtf                                  rtf;
+    application/vnd.apple.mpegurl                    m3u8;
+    application/vnd.google-earth.kml+xml             kml;
+    application/vnd.google-earth.kmz                 kmz;
+    application/vnd.ms-excel                         xls;
+    application/vnd.ms-fontobject                    eot;
+    application/vnd.ms-powerpoint                    ppt;
+    application/vnd.oasis.opendocument.graphics      odg;
+    application/vnd.oasis.opendocument.presentation  odp;
+    application/vnd.oasis.opendocument.spreadsheet   ods;
+    application/vnd.oasis.opendocument.text          odt;
+    application/vnd.openxmlformats-officedocument.presentationml.presentation
+                                                     pptx;
+    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+                                                     xlsx;
+    application/vnd.openxmlformats-officedocument.wordprocessingml.document
+                                                     docx;
+    application/vnd.wap.wmlc                         wmlc;
+    application/x-7z-compressed                      7z;
+    application/x-cocoa                              cco;
+    application/x-java-archive-diff                  jardiff;
+    application/x-java-jnlp-file                     jnlp;
+    application/x-makeself                           run;
+    application/x-perl                               pl pm;
+    application/x-pilot                              prc pdb;
+    application/x-rar-compressed                     rar;
+    application/x-redhat-package-manager             rpm;
+    application/x-sea                                sea;
+    application/x-shockwave-flash                    swf;
+    application/x-stuffit                            sit;
+    application/x-tcl                                tcl tk;
+    application/x-x509-ca-cert                       der pem crt;
+    application/x-xpinstall                          xpi;
+    application/xhtml+xml                            xhtml;
+    application/xspf+xml                             xspf;
+    application/zip                                  zip;
+
+    application/octet-stream                         bin exe dll;
+    application/octet-stream                         deb;
+    application/octet-stream                         dmg;
+    application/octet-stream                         iso img;
+    application/octet-stream                         msi msp msm;
+
+    audio/midi                                       mid midi kar;
+    audio/mpeg                                       mp3;
+    audio/ogg                                        ogg;
+    audio/x-m4a                                      m4a;
+    audio/x-realaudio                                ra;
+
+    video/3gpp                                       3gpp 3gp;
+    video/mp2t                                       ts;
+    video/mp4                                        mp4;
+    video/mpeg                                       mpeg mpg;
+    video/quicktime                                  mov;
+    video/webm                                       webm;
+    video/x-flv                                      flv;
+    video/x-m4v                                      m4v;
+    video/x-mng                                      mng;
+    video/x-ms-asf                                   asx asf;
+    video/x-ms-wmv                                   wmv;
+    video/x-msvideo                                  avi;
+}

mopidy/rootfs/etc/nginx/includes/proxy_params.conf

@@ -0,0 +1,15 @@
+proxy_http_version          1.1;
+proxy_ignore_client_abort   off;
+proxy_read_timeout          86400s;
+proxy_redirect              off;
+proxy_send_timeout          86400s;
+proxy_max_temp_file_size    0;
+
+proxy_set_header Accept-Encoding "";
+proxy_set_header Connection $connection_upgrade;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-NginX-Proxy true;
+proxy_set_header X-Real-IP $remote_addr;

mopidy/rootfs/etc/nginx/includes/resolver.conf

@@ -0,0 +1 @@
+resolver 172.30.32.2;

mopidy/rootfs/etc/nginx/includes/server_params.conf

@@ -0,0 +1,6 @@
+root            /dev/null;
+server_name     $hostname;
+
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Robots-Tag none;

mopidy/rootfs/etc/nginx/includes/ssl_params.conf

@@ -0,0 +1,9 @@
+ssl_protocols TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
+ssl_ecdh_curve secp384r1;
+ssl_session_timeout  10m;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;

mopidy/rootfs/etc/nginx/includes/upstream.conf

@@ -0,0 +1,3 @@
+upstream backend {
+    server 127.0.0.1:4478;
+}

mopidy/rootfs/etc/nginx/lua/ha-auth.lua

@@ -0,0 +1,83 @@
+local http = require "resty.http"
+local auths = ngx.shared.auths
+
+function authenticate()
+
+    --- Test Authentication header is set and with a value
+    local header = ngx.req.get_headers()['Authorization']
+    if header == nil or header:find(" ") == nil then
+        return false
+    end
+
+    local divider = header:find(' ')
+    if header:sub(0, divider-1) ~= 'Basic' then
+       return false
+    end
+
+    local auth = ngx.decode_base64(header:sub(divider+1))
+    if auth == nil or auth:find(':') == nil then
+        return false
+    end
+
+    divider = auth:find(':')
+    local username = auth:sub(0, divider-1)
+    local password = auth:sub(divider+1)
+
+    --- Check if authentication is cached
+    if auths:get(username) == password then
+        ngx.log(ngx.DEBUG, "Authenticated user against Home Assistant (cache).")
+        return true
+    end
+
+    --- HTTP request against Hassio API
+    local httpc = http.new()
+    local res, err = httpc:request_uri("http://hassio/auth", {
+        method = "POST",
+        body = ngx.encode_args({["username"]=username, ["password"]=password}),
+        headers = {
+            ["Content-Type"] = "application/x-www-form-urlencoded",
+            ["X-HASSIO-KEY"] = os.getenv("HASSIO_TOKEN"),
+        },
+        keepalive_timeout = 60,
+        keepalive_pool = 10
+    })
+
+    --- Error during API request
+    if err then
+        ngx.log(ngx.WARN, "Error during Hassio user authentication.", err)
+        return false
+    end
+
+    --- No result? Something went wrong...
+    if not res then
+        ngx.log(ngx.WARN, "Error during Hassio user authentication.")
+        return false
+    end
+
+    --- Valid response, the username/password is valid
+    if res.status == 200 then
+        ngx.log(ngx.INFO, "Authenticated user against Home Assistant.")
+        auths:set(username, password, 60)
+        return true
+    end
+
+    --- Whatever the response is, it is invalid
+    ngx.log(ngx.WARN, "Authentication against Home Assistant failed!")
+    return false
+end
+
+-- Only authenticate if its not disabled
+if not os.getenv('DISABLE_HA_AUTHENTICATION') then
+
+    --- Try to authenticate against HA
+    local authenticated = authenticate()
+
+    --- If authentication failed, throw a basic auth
+    if not authenticated then
+       ngx.header.content_type = 'text/plain'
+       ngx.header.www_authenticate = 'Basic realm="Home Assistant"'
+       ngx.status = ngx.HTTP_UNAUTHORIZED
+       ngx.say('401 Access Denied')
+       ngx.exit(ngx.HTTP_UNAUTHORIZED)
+    end
+end

mopidy/rootfs/etc/nginx/modules/ndk_http.conf

@@ -0,0 +1 @@
+load_module "/usr/lib/nginx/modules/ndk_http_module.so";

mopidy/rootfs/etc/nginx/modules/ngx_http_lua.conf

@@ -0,0 +1 @@
+load_module "/usr/lib/nginx/modules/ngx_http_lua_module.so";

mopidy/rootfs/etc/nginx/nginx-ssl.conf

@@ -1,72 +0,0 @@
-worker_processes  1;
-pid /var/run/nginx.pid;
-error_log stderr;
-env HASSIO_TOKEN;
-env DISABLE_HA_AUTHENTICATION;
-load_module "/usr/lib/nginx/modules/ndk_http_module.so";
-load_module "/usr/lib/nginx/modules/ngx_http_lua_module.so";
-
-events {
-    worker_connections  1024;
-}
-
-http {
-    access_log         stdout;
-    include            mime.types;
-    default_type       application/octet-stream;
-    sendfile           on;
-    keepalive_timeout  65;
-    lua_shared_dict    auths 16k;
-    resolver           127.0.0.11;
-
-    upstream mopidy {
-        ip_hash;
-        server 127.0.0.1:4478;
-    }
-
-    map $http_upgrade $connection_upgrade {
-        default upgrade;
-        ''      close;
-    }
-
-    server {
-        server_name hassio.local;
-        listen 6680 default_server ssl;
-        root /dev/null;
-
-        ssl_certificate /ssl/%%certfile%%;
-        ssl_certificate_key /ssl/%%keyfile%%;
-        ssl_protocols TLSv1.2;
-        ssl_prefer_server_ciphers on;
-        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
-        ssl_ecdh_curve secp384r1;
-        ssl_session_timeout  10m;
-        ssl_session_cache shared:SSL:10m;
-        ssl_session_tickets off;
-        ssl_stapling on;
-        ssl_stapling_verify on;
-
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1; mode=block";
-        add_header X-Robots-Tag none;
-
-        location / {
-            access_by_lua_file /etc/nginx/ha-auth.lua;
-
-            proxy_redirect off;
-            proxy_pass http://mopidy;
-
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection $connection_upgrade;
-            proxy_set_header Authorization "";
-
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-            proxy_set_header Host $http_host;
-            proxy_set_header X-NginX-Proxy true;
-        }
-    }
-}
-

mopidy/rootfs/etc/nginx/nginx.conf

@@ -1,58 +1,58 @@
-worker_processes  1;
+# Run nginx in foreground.
+daemon off;
+
+# This is run inside Docker.
+user root;
+
+# Pid storage location.
 pid /var/run/nginx.pid;
-error_log stderr;
+
+# Set number of worker processes.
+worker_processes 1;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Write error log to Hass.io add-on log.
+error_log /proc/1/fd/1 error;
+
+# Load allowed environment vars
 env HASSIO_TOKEN;
 env DISABLE_HA_AUTHENTICATION;
-load_module "/usr/lib/nginx/modules/ndk_http_module.so";
-load_module "/usr/lib/nginx/modules/ngx_http_lua_module.so";
 
+# Load dynamic modules.
+include /etc/nginx/modules/*.conf;
+
+# Max num of simultaneous connections by a worker process.
 events {
-    worker_connections  1024;
+    worker_connections 512;
 }
 
 http {
-    access_log         stdout;
+    include /etc/nginx/includes/mime.types;
-    include            mime.types;
-    default_type       application/octet-stream;
-    sendfile           on;
-    keepalive_timeout  65;
-    lua_shared_dict    auths 16k;
-    resolver           127.0.0.11;
 
-    upstream mopidy {
+    log_format hassio '[$time_local] $status '
-        ip_hash;
+                        '$http_x_forwarded_for($remote_addr) '
-        server 127.0.0.1:4478;
+                        '$request ($http_user_agent)';
-    }
+
+    access_log              /proc/1/fd/1 hassio;
+    client_max_body_size    4G;
+    default_type            application/octet-stream;
+    gzip                    on;
+    keepalive_timeout       65;
+    lua_shared_dict         auths 16k;
+    sendfile                on;
+    server_tokens           off;
+    tcp_nodelay             on;
+    tcp_nopush              on;
 
     map $http_upgrade $connection_upgrade {
         default upgrade;
         ''      close;
     }
 
-    server {
+    include /etc/nginx/includes/resolver.conf;
-        server_name hassio.local;
+    include /etc/nginx/includes/upstream.conf;
-        listen 6680 default_server;
-        root /dev/null;
 
-        location / {
+    include /etc/nginx/servers/*.conf;
-            access_by_lua_file /etc/nginx/ha-auth.lua;
-
-            proxy_redirect off;
-            proxy_pass http://mopidy;
-
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection $connection_upgrade;
-            proxy_set_header Authorization "";
-
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-            proxy_set_header Host $http_host;
-            proxy_set_header X-NginX-Proxy true;
-            proxy_read_timeout 86400s;
-            proxy_send_timeout 86400s;
-        }
-    }
 }
-

mopidy/rootfs/etc/nginx/servers/direct-ssl.disabled

@@ -0,0 +1,16 @@
+server {
+    listen %%port%% default_server ssl http2;
+
+    include /etc/nginx/includes/server_params.conf;
+    include /etc/nginx/includes/ssl_params.conf;
+    include /etc/nginx/includes/proxy_params.conf;
+
+    ssl on;
+    ssl_certificate /ssl/%%certfile%%;
+    ssl_certificate_key /ssl/%%keyfile%%;
+
+    location / {
+        access_by_lua_file /etc/nginx/lua/ha-auth.lua;
+        proxy_pass http://backend/;
+    }
+}

mopidy/rootfs/etc/nginx/servers/direct.disabled

@@ -0,0 +1,11 @@
+server {
+    listen %%port%% default_server;
+
+    include /etc/nginx/includes/server_params.conf;
+    include /etc/nginx/includes/proxy_params.conf;
+
+    location / {
+        access_by_lua_file /etc/nginx/lua/ha-auth.lua;
+        proxy_pass http://backend/;
+    }
+}

mopidy/rootfs/etc/nginx/servers/ingress.conf

@@ -0,0 +1,19 @@
+server {
+    listen %%interface%%:%%port%% default_server;
+
+    include /etc/nginx/includes/server_params.conf;
+    include /etc/nginx/includes/proxy_params.conf;
+
+    location / {
+        allow   172.30.32.2;
+        deny    all;
+
+        proxy_pass http://backend/;
+        sub_filter_once off;
+        sub_filter_types *;
+        sub_filter '/iris/'  '%%ingress_entry%%/iris/';
+        sub_filter '/mopidy/ws' '%%ingress_entry%%/mopidy/ws';
+        sub_filter 'href="manifest.json">' 'href="manifest.json" crossorigin="use-credentials">';
+        sub_filter 'document.body.appendChild(js);' 'document.body.appendChild(js); (function() { var wait=function(){let t=document.querySelector(".sidebar__menu__item");t?t.click():setTimeout(function(){wait()},100)};wait(); })();';
+    }
+}

mopidy/rootfs/etc/services.d/nginx/run

@@ -6,11 +6,7 @@
 declare -a options
 
 # Wait for Mopidy to become available
-s6-svwait -u -t 5000 /var/run/s6/services/mopidy
+bashio::net.wait_for 4478
-timeout 15 \
-    bash -c \
-        'until echo > /dev/tcp/localhost/4478 ; do sleep 0.5; done' \
-            > /dev/null 2>&1
 
 bashio::log.info "Starting NGinx..."
 
@@ -19,10 +15,4 @@ if bashio::config.true 'leave_front_door_open'; then
     export DISABLE_HA_AUTHENTICATION=true
 fi
 
-options+=(-g "daemon off;")
-
-if bashio::config.true 'ssl'; then
-    options+=(-c /etc/nginx/nginx-ssl.conf)
-fi
-
 exec nginx "${options[@]}"