Add Baikal

baikal/Dockerfile

@@ -0,0 +1,73 @@
+ARG BUILD_FROM
+# hadolint ignore=DL3006
+FROM ${BUILD_FROM}
+
+# Set shell
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+ENV VERSION 0.9.3
+
+# Setup base
+# hadolint ignore=DL3003
+RUN \
+    apk add --no-cache \
+        nginx=1.22.1-r0 \
+        php8-curl=8.0.26-r0 \
+        php8-fpm=8.0.26-r0 \
+        php8-mbstring=8.0.26-r0 \
+        php8-xml=8.0.26-r0 \
+        php8=8.0.26-r0 \
+		php8-sqlite3=8.0.26-r0 \
+		php8-pdo=8.0.26-r0 \
+		php8-pdo_mysql=8.0.26-r0 \
+		php8-pdo_sqlite=8.0.26-r0 \
+		php8-session=8.0.26-r0 \
+		php8-dom=8.0.26-r0 \
+		php8-xmlreader=8.0.26-r0 \
+		php8-xmlwriter=8.0.26-r0 \
+    \
+    && curl -Ls "https://github.com/sabre-io/Baikal/releases/download/$VERSION/baikal-$VERSION.zip" -o baikal-$VERSION.zip \
+        && unzip -q baikal-$VERSION.zip -d /var/www/ \
+		&& rm baikal-$VERSION.zip \
+    \
+	&& rm -f -r \
+        /tmp/* \
+        /etc/nginx 
+
+# Copy root filesystem
+COPY rootfs /
+
+# Corrects permissions for s6 v3
+RUN if [ -d /etc/cont-init.d ]; then chmod -R 755 /etc/cont-init.d; fi && \
+    if [ -d /etc/services.d ]; then chmod -R 755 /etc/services.d; fi
+
+WORKDIR "/data"
+
+# Build arguments
+ARG BUILD_ARCH
+ARG BUILD_DATE
+ARG BUILD_DESCRIPTION
+ARG BUILD_NAME
+ARG BUILD_REF
+ARG BUILD_REPOSITORY
+ARG BUILD_VERSION
+
+# Labels
+LABEL \
+    io.hass.name="${BUILD_NAME}" \
+    io.hass.description="${BUILD_DESCRIPTION}" \
+    io.hass.arch="${BUILD_ARCH}" \
+    io.hass.type="addon" \
+    io.hass.version=${BUILD_VERSION} \
+    maintainer="Franck Nijhof <frenck@addons.community>" \
+    org.opencontainers.image.title="${BUILD_NAME}" \
+    org.opencontainers.image.description="${BUILD_DESCRIPTION}" \
+    org.opencontainers.image.vendor="Home Assistant Community Add-ons" \
+    org.opencontainers.image.authors="Franck Nijhof <frenck@addons.community>" \
+    org.opencontainers.image.licenses="MIT" \
+    org.opencontainers.image.url="https://addons.community" \
+    org.opencontainers.image.source="https://github.com/${BUILD_REPOSITORY}" \
+    org.opencontainers.image.documentation="https://github.com/${BUILD_REPOSITORY}/blob/main/README.md" \
+    org.opencontainers.image.created=${BUILD_DATE} \
+    org.opencontainers.image.revision=${BUILD_REF} \
+    org.opencontainers.image.version=${BUILD_VERSION}

baikal/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Cyrill Kulka
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

baikal/apparmor.txt

@@ -0,0 +1,66 @@
+
+#include <tunables/global>
+
+profile baikal_addon flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+
+  capability,
+  file,
+  signal,
+  mount,
+  umount,
+  remount,
+  network udp,
+  network tcp,
+  network dgram,
+  network stream,
+  network inet,
+  network inet6,
+  network netlink raw,
+  network unix dgram,
+
+  capability setgid,
+  capability setuid,
+  capability sys_admin,
+  capability dac_read_search,
+  # capability dac_override,
+  # capability sys_rawio,
+
+# S6-Overlay
+  /init ix,
+  /run/{s6,s6-rc*,service}/** ix,
+  /package/** ix,
+  /command/** ix,
+  /run/{,**} rwk,
+  /dev/tty rw,
+  /bin/** ix,
+  /usr/bin/** ix,
+  /usr/lib/bashio/** ix,
+  /etc/s6/** rix,
+  /run/s6/** rix,
+  /etc/services.d/** rwix,
+  /etc/cont-init.d/** rwix,
+  /etc/cont-finish.d/** rwix,
+  /init rix,
+  /var/run/** mrwkl,
+  /var/run/ mrwkl,
+  /dev/i2c-1 mrwkl,
+  # Files required
+  /dev/sda1 mrwkl,
+  /dev/sdb1 mrwkl,
+  /dev/nvme0 mrwkl,
+  /dev/nvme1 mrwkl,
+  /dev/mmcblk0p1 mrwkl,
+  /dev/* mrwkl,
+  /tmp/** mrkwl,
+
+  # Data access
+  /data/** rw,
+
+  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+  ptrace (trace,read) peer=docker-default,
+
+  # docker daemon confinement requires explict allow rule for signal
+  signal (receive) set=(kill,term) peer=/usr/bin/docker,
+
+}

baikal/build.json

@@ -0,0 +1,9 @@
+{
+  "build_from": {
+    "armhf" : "ghcr.io/hassio-addons/base:12.2.6",
+    "armv7": "ghcr.io/hassio-addons/base:12.2.6",
+    "aarch64": "ghcr.io/hassio-addons/base:12.2.6",
+    "amd64" : "ghcr.io/hassio-addons/base:12.2.6",
+    "i386" : "ghcr.io/hassio-addons/base:12.2.6"
+  }
+}

baikal/config.json

@@ -0,0 +1,36 @@
+{
+    "name": "Baikal",
+    "slug": "baikal",
+    "version": "0.9.3",
+    "description": "Baikal is a Cal and CardDAV server, based on sabre/dav, that includes an administrative interface for easy management.",
+    "url": "https://github.com/d-two/hassio-addons",
+    "startup": "application",
+	"init": false,
+	"webui": "[PROTO:ssl]://[HOST]:[PORT:80]",
+    "arch": [
+        "aarch64",
+        "amd64",
+        "armhf"
+    ],
+    "boot": "auto",
+    "map": [
+        "config:rw",
+		"ssl:ro"
+    ],
+	"ports": {
+	  "80/tcp": 8013
+    },
+    "ports_description": {
+	  "80/tcp": "Web UI port"
+    },
+	"options": {
+        "ssl": false,
+        "certfile": "fullchain.pem",
+        "keyfile": "privkey.pem"
+    },
+    "schema": {
+        "ssl": "bool",
+        "certfile": "match(^[^/].*)",
+        "keyfile": "match(^[^/].*)"
+    }
+}

baikal/rootfs/etc/cont-init.d/baikal.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Copy data
+cp -rnf /var/www/baikal/* /data/
+
+# Fix permissions
+chown -R nginx:nginx /data
+

baikal/rootfs/etc/cont-init.d/nginx.sh

@@ -0,0 +1,26 @@
+#!/command/with-contenv bashio
+# ==============================================================================
+# Home Assistant Community Add-on: Baikal
+# Configures NGINX for use with the Chronograf
+# ==============================================================================
+declare port
+declare certfile
+declare keyfile
+
+port=$(bashio::addon.port 80)
+if bashio::var.has_value "${port}"; then
+    bashio::config.require.ssl
+
+    if bashio::config.true 'ssl'; then
+        certfile=$(bashio::config 'certfile')
+        keyfile=$(bashio::config 'keyfile')
+
+        mv /etc/nginx/servers/direct-ssl.disabled /etc/nginx/servers/direct.conf
+        sed -i "s#%%certfile%%#${certfile}#g" /etc/nginx/servers/direct.conf
+        sed -i "s#%%keyfile%%#${keyfile}#g" /etc/nginx/servers/direct.conf
+
+    else
+        mv /etc/nginx/servers/direct.disabled /etc/nginx/servers/direct.conf
+    fi
+fi
+

baikal/rootfs/etc/nginx/includes/fastcgi_params.conf

@@ -0,0 +1,24 @@
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;

baikal/rootfs/etc/nginx/includes/mime.types

@@ -0,0 +1,96 @@
+types {
+    text/html                                        html htm shtml;
+    text/css                                         css;
+    text/xml                                         xml;
+    image/gif                                        gif;
+    image/jpeg                                       jpeg jpg;
+    application/javascript                           js;
+    application/atom+xml                             atom;
+    application/rss+xml                              rss;
+
+    text/mathml                                      mml;
+    text/plain                                       txt;
+    text/vnd.sun.j2me.app-descriptor                 jad;
+    text/vnd.wap.wml                                 wml;
+    text/x-component                                 htc;
+
+    image/png                                        png;
+    image/svg+xml                                    svg svgz;
+    image/tiff                                       tif tiff;
+    image/vnd.wap.wbmp                               wbmp;
+    image/webp                                       webp;
+    image/x-icon                                     ico;
+    image/x-jng                                      jng;
+    image/x-ms-bmp                                   bmp;
+
+    font/woff                                        woff;
+    font/woff2                                       woff2;
+
+    application/java-archive                         jar war ear;
+    application/json                                 json;
+    application/mac-binhex40                         hqx;
+    application/msword                               doc;
+    application/pdf                                  pdf;
+    application/postscript                           ps eps ai;
+    application/rtf                                  rtf;
+    application/vnd.apple.mpegurl                    m3u8;
+    application/vnd.google-earth.kml+xml             kml;
+    application/vnd.google-earth.kmz                 kmz;
+    application/vnd.ms-excel                         xls;
+    application/vnd.ms-fontobject                    eot;
+    application/vnd.ms-powerpoint                    ppt;
+    application/vnd.oasis.opendocument.graphics      odg;
+    application/vnd.oasis.opendocument.presentation  odp;
+    application/vnd.oasis.opendocument.spreadsheet   ods;
+    application/vnd.oasis.opendocument.text          odt;
+    application/vnd.openxmlformats-officedocument.presentationml.presentation
+                                                     pptx;
+    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+                                                     xlsx;
+    application/vnd.openxmlformats-officedocument.wordprocessingml.document
+                                                     docx;
+    application/vnd.wap.wmlc                         wmlc;
+    application/x-7z-compressed                      7z;
+    application/x-cocoa                              cco;
+    application/x-java-archive-diff                  jardiff;
+    application/x-java-jnlp-file                     jnlp;
+    application/x-makeself                           run;
+    application/x-perl                               pl pm;
+    application/x-pilot                              prc pdb;
+    application/x-rar-compressed                     rar;
+    application/x-redhat-package-manager             rpm;
+    application/x-sea                                sea;
+    application/x-shockwave-flash                    swf;
+    application/x-stuffit                            sit;
+    application/x-tcl                                tcl tk;
+    application/x-x509-ca-cert                       der pem crt;
+    application/x-xpinstall                          xpi;
+    application/xhtml+xml                            xhtml;
+    application/xspf+xml                             xspf;
+    application/zip                                  zip;
+
+    application/octet-stream                         bin exe dll;
+    application/octet-stream                         deb;
+    application/octet-stream                         dmg;
+    application/octet-stream                         iso img;
+    application/octet-stream                         msi msp msm;
+
+    audio/midi                                       mid midi kar;
+    audio/mpeg                                       mp3;
+    audio/ogg                                        ogg;
+    audio/x-m4a                                      m4a;
+    audio/x-realaudio                                ra;
+
+    video/3gpp                                       3gpp 3gp;
+    video/mp2t                                       ts;
+    video/mp4                                        mp4;
+    video/mpeg                                       mpeg mpg;
+    video/quicktime                                  mov;
+    video/webm                                       webm;
+    video/x-flv                                      flv;
+    video/x-m4v                                      m4v;
+    video/x-mng                                      mng;
+    video/x-ms-asf                                   asx asf;
+    video/x-ms-wmv                                   wmv;
+    video/x-msvideo                                  avi;
+}

baikal/rootfs/etc/nginx/includes/server_params.conf

@@ -0,0 +1,21 @@
+server_name     $hostname;
+root            /data/html;
+index           index.php;
+
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Robots-Tag none;
+
+client_max_body_size 64M;
+
+location / {
+    try_files $uri $uri/ /index.php?$query_string;
+}
+
+location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
+    expires 365d;
+}
+
+location ~ /\.ht {
+    deny all;
+}

baikal/rootfs/etc/nginx/includes/ssl_params.conf

@@ -0,0 +1,8 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_session_timeout  10m;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;

baikal/rootfs/etc/nginx/nginx.conf

@@ -0,0 +1,46 @@
+# Run nginx in foreground.
+daemon off;
+
+# This is run inside Docker.
+user root;
+
+# Pid storage location.
+pid /var/run/nginx.pid;
+
+# Set number of worker processes.
+worker_processes 1;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Write error log to the add-on log.
+error_log /proc/1/fd/1 error;
+
+# Load dynamic modules.
+include /etc/nginx/modules/*.conf;
+
+# Max num of simultaneous connections by a worker process.
+events {
+    worker_connections 512;
+}
+
+http {
+    include /etc/nginx/includes/mime.types;
+
+    access_log              off;
+    client_max_body_size    4G;
+    default_type            application/octet-stream;
+    gzip                    on;
+    keepalive_timeout       65;
+    sendfile                on;
+    server_tokens           off;
+    tcp_nodelay             on;
+    tcp_nopush              on;
+
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
+    }
+
+    include /etc/nginx/servers/*.conf;
+}

baikal/rootfs/etc/nginx/servers/direct-ssl.disabled

@@ -0,0 +1,37 @@
+server {
+  listen 80 ssl http2;
+  listen [::]:80 ssl http2;
+  server_name _;
+
+  include /etc/nginx/includes/server_params.conf;
+  include /etc/nginx/includes/ssl_params.conf;
+  
+  rewrite ^/.well-known/caldav /dav.php redirect;
+  rewrite ^/.well-known/carddav /dav.php redirect;
+
+  ssl_certificate /ssl/%%certfile%%;
+  ssl_certificate_key /ssl/%%keyfile%%;
+	
+  charset utf-8;
+
+  location ~ /(\.ht|Core|Specific) {
+    deny all;
+    return 404;
+  }
+
+  # Pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+  location ~ ^(.+\.php)(.*)$ {
+    fastcgi_pass 127.0.0.1:9001;	
+    try_files $fastcgi_script_name =404;    
+    fastcgi_split_path_info  ^(.+\.php)(.*)$;
+	fastcgi_index index.php;
+    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+    fastcgi_param  PATH_INFO        $fastcgi_path_info;
+	include /etc/nginx/includes/fastcgi_params.conf;
+  }
+
+  # Deny access to Apache httpd .htaccess files, see https://github.com/JsBergbau/BaikalAnleitung#webserver-konfiguration
+  location ~ /.ht {
+    deny all;
+  }
+}

baikal/rootfs/etc/nginx/servers/direct.disabled

@@ -0,0 +1,33 @@
+server {
+  listen 80;
+  listen [::]:80;
+  server_name _;
+
+  include /etc/nginx/includes/server_params.conf;
+
+  rewrite ^/.well-known/caldav /dav.php redirect;
+  rewrite ^/.well-known/carddav /dav.php redirect;
+
+  charset utf-8;
+
+  location ~ /(\.ht|Core|Specific) {
+    deny all;
+    return 404;
+  }
+
+  # Pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+  location ~ ^(.+\.php)(.*)$ {
+    fastcgi_pass 127.0.0.1:9001;	
+    try_files $fastcgi_script_name =404;    
+    fastcgi_split_path_info  ^(.+\.php)(.*)$;
+	fastcgi_index index.php;
+    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+    fastcgi_param  PATH_INFO        $fastcgi_path_info;
+	include /etc/nginx/includes/fastcgi_params.conf;
+  }
+
+  # Deny access to Apache httpd .htaccess files, see https://github.com/JsBergbau/BaikalAnleitung#webserver-konfiguration
+  location ~ /.ht {
+    deny all;
+  }
+}

baikal/rootfs/etc/php8/php-fpm.d/www.conf

@@ -0,0 +1,11 @@
+[ingress]
+user = nginx
+group = nginx
+listen = 127.0.0.1:9001
+pm = dynamic
+pm.max_children = 10
+pm.start_servers = 3
+pm.min_spare_servers = 2
+pm.max_spare_servers = 5
+pm.max_requests = 1024
+clear_env = no

baikal/rootfs/etc/services.d/nginx/finish

@@ -0,0 +1,11 @@
+#!/command/with-contenv bashio
+# ==============================================================================
+# Home Assistant Community Add-on: phpMyAdmin
+# Take down the S6 supervision tree when Nginx fails
+# ==============================================================================
+if [[ "${1}" -ne 0 ]] && [[ "${1}" -ne 256 ]]; then
+  bashio::log.warning "NGinx crashed, halting add-on"
+  /run/s6/basedir/bin/halt
+fi
+
+bashio::log.info "NGinx stoped, restarting..."

baikal/rootfs/etc/services.d/nginx/run

@@ -0,0 +1,12 @@
+#!/command/with-contenv bashio
+# ==============================================================================
+# Home Assistant Community Add-on: phpMyAdmin
+# Runs the Nginx daemon
+# ==============================================================================
+
+# Wait for PHP-FPM to become available
+bashio::net.wait_for 9001
+
+bashio::log.info "Starting NGinx...."
+
+exec nginx

baikal/rootfs/etc/services.d/php-fpm/finish

@@ -0,0 +1,11 @@
+#!/command/with-contenv bashio
+# ==============================================================================
+# Home Assistant Community Add-on: phpMyAdmin
+# Take down the S6 supervision tree when PHP FPM fails
+# ==============================================================================
+if [[ "${1}" -ne 0 ]] && [[ "${1}" -ne 256 ]]; then
+  bashio::log.warning "php-fpm crashed, halting add-on"
+  /run/s6/basedir/bin/halt
+fi
+
+bashio::log.info "php-fpm stoped, restarting..."

baikal/rootfs/etc/services.d/php-fpm/run

@@ -0,0 +1,8 @@
+#!/command/with-contenv bashio
+# ==============================================================================
+# Home Assistant Community Add-on: phpMyAdmin
+# Runs the PHP-FPM daemon
+# ==============================================================================
+bashio::log.info "Starting PHP-FPM..."
+
+exec php-fpm8 --nodaemonize