From e7d377dd5b23634ab56402c341569234c15c6399 Mon Sep 17 00:00:00 2001 From: Rich Braun Date: Thu, 12 Feb 2026 20:24:55 -0800 Subject: [PATCH 1/3] SYS-674 helm chart updates for auth protection of mythtv-backend --- images/mythtv-backend/README.md | 14 +++------ images/mythtv-backend/helm/values.yaml | 42 +++++++++----------------- 2 files changed, 18 insertions(+), 38 deletions(-) diff --git a/images/mythtv-backend/README.md b/images/mythtv-backend/README.md index fe256383..3ee38ae8 100644 --- a/images/mythtv-backend/README.md +++ b/images/mythtv-backend/README.md 
@@ -7,18 +7,15 @@ The MythTV backend built under Ubuntu noble (24.04). This image must be run in network_mode:host in order to communicate with HD Homerun tuners; assign a new IP address and hostname for this application, and define it as a secondary IP address on your Docker host's primary interface. -For configuration, see the example docker-compose.yml (for swarm or standalone docker) or [helm](https://github.com/instantlinux/docker-tools/blob/main/images/helm) or kubernetes.yaml to run on bare-metal Kubernetes. Set environment variables and secrets as defined here, and customize volume mounts as desired. This repo has complete instructions for -[building a kubernetes cluster](https://github.com/instantlinux/docker-tools/blob/main/k8s/README.md) where you can launch with [helm](https://github.com/instantlinux/docker-tools/tree/main/images/mythtv-backend/helm) or [kubernetes.yaml](https://github.com/instantlinux/docker-tools/blob/main/images/mythtv-backend/kubernetes.yaml) using _make_ and customizing [Makefile.vars](https://github.com/instantlinux/docker-tools/blob/main/k8s/Makefile.vars) after cloning this repo: +For configuration, see the example docker-compose.yml (for swarm or standalone docker) or [helm](https://github.com/instantlinux/docker-tools/blob/main/images/helm). Set variables and secrets as defined here, and customize volume mounts as desired. 
This repo has complete instructions for +[building a kubernetes cluster](https://github.com/instantlinux/docker-tools/blob/main/k8s/README.md) where you can launch with [helm](https://github.com/instantlinux/docker-tools/tree/main/images/mythtv-backend/helm) using _make_ and customizing [Makefile.vars](https://github.com/instantlinux/docker-tools/blob/main/k8s/Makefile.vars) after cloning this repo: ~~~ git clone https://github.com/instantlinux/docker-tools.git cd docker-tools/k8s make mythtv-backend ~~~ -If you have two Kubernetes nodes set up, run the kubernetes-ha.yaml to set up data sync between two identical drives across the nodes, and define a floating IP address. One copy of mythbackend will be running on one of the nodes at any given time, providing a simple high-availability configuration. See more details in the Makefile in k8s directory. The kubernetes.yaml sample provided here can also set up the mythweb virtual-host https://mythweb.yourdomain.com so you can schedule recordings when you're not home; create an htpasswd file with name _auth_ and then: -~~~ -kubectl create secret generic mythweb-auth --from-file=auth -~~~ +If you have two Kubernetes nodes set up, run the kubernetes-ha.yaml to set up data sync between two identical drives across the nodes, and define a floating IP address. One copy of mythbackend will be running on one of the nodes at any given time, providing a simple high-availability configuration. See more details in the Makefile in k8s directory. The kubernetes.yaml sample provided here can also set up the mythweb virtual-host https://mythweb.yourdomain.com so you can schedule recordings when you're not home. You can also run this image directly (without compose or kubernetes) using environment variables and secrets files. 
@@ -43,7 +40,6 @@ Starting with v34, mythtv-setup is accessed via :6544/setupwizard. Use t ### Variables Variable | Default | Description -------- | ------- | ----------- -APACHE_LOG_DIR | /var/log/apache2 | Apache logs DBNAME | mythtv | Database name DBSERVER | db00 | Database server hostname LANG | en_US.UTF-8 | @@ -69,11 +65,10 @@ Note that the [Kodi](https://kodi.tv/download/) frontend also provides limited s ### Volumes -Optionally, mount these path names to persistent storage: +Optionally, mount this path name to persistent storage: Path | Description ---- | ----------- -/var/log/apache2 | Apache logs /etc/ssh | Host keys and configs for ssh ### Secrets @@ -84,7 +79,6 @@ Secret | Description ------ | ----------- mythtv-db-password | Password of MythTV db user mythtv-user-password | Hashed password of MythTV ssh user -mythweb-auth | htpasswd for mythweb user(s) under k8s ### Upgrade Notes diff --git a/images/mythtv-backend/helm/values.yaml b/images/mythtv-backend/helm/values.yaml index 59fa8754..fd6450ae 100644 --- a/images/mythtv-backend/helm/values.yaml +++ b/images/mythtv-backend/helm/values.yaml 
@@ -85,40 +85,26 @@ autoscaling: enabled: false authelia: + # To override, use tlsHostname at top level fqdn: authtotp.example.com ip: 10.101.1.5 + path: /Myth/LoginUser ingress: # This ingress exposes your MythTV schedule and operational controls to - # the public Internet. - # TODO: change default back to true once the setup wizard screens - # are secured by the authentication framework. + # the public Internet. Set up the admin user before enabling. enabled: false - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/auth-type: basic - nginx.ingress.kubernetes.io/auth-secret: mythweb-auth - hosts: - - host: mythweb.example.com - paths: - - path: / - pathType: Prefix - tls: - - secretName: tls-mythtv-backend - hosts: - - mythweb.example.com ingressTOTP: - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - kubernetes.io/ingress.class: nginx - hosts: - - host: mythweb.example.com - paths: - - path: /settings - pathType: Prefix - tls: - - secretName: tls-mythtv-backend - hosts: [ mythweb.example.com ] + # Enable this ingress for TOTP if you have Authelia installed, + # along with an external DNS name. + # TODO: this helm chart does trigger TOTP, but Authelia's login + # splash page doesn't come up. The http-post operation to + # /Myth/LoginUser fails to redirect. But you can manually + # bring it up (e.g. https://authtotp.example.com) and authenticate + # there, then come back to the MythTV dashboard's login link. + # Fixing that is a low-priority, as ingress-nginx is deprecated + # and there may be an easier way to implement TOTP under envoy + # gateway. + enabled: false # Subchart data-sync, maintains persistent data across nodes data-sync: From ad5c70df6331eb0e9db976b75bf98677b9ca7ff6 Mon Sep 17 00:00:00 2001 
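Review bot: The new `ingress:` block keeps only `enabled: false` and a comment, while the removed lines carried the nginx basic-auth annotations (`auth-type: basic`, `auth-secret: mythweb-auth`), so an operator who flips `enabled: true` now fronts the backend with no authentication layer at all unless MythTV's own authentication has already been switched on. The comment should state that explicitly rather than just "Set up the admin user before enabling", e.g. `# No basic-auth annotation is applied any more: before enabling, create the admin user and turn on "Authentication Required for All IP Addresses" in MythTV, otherwise the setup wizard on :6544 is reachable without credentials.` Where the hosts and TLS secret for this ingress now come from is not visible in the hunk; the comment above `fqdn` mentions a top-level `tlsHostname`, presumably consumed by the chartlib templates, and a one-line pointer on `ingress:` naming that value would save the next reader the search. Given the `ingressTOTP:` TODO says the Authelia redirect does not work yet, `enabled: false` on both ingresses reads as the right default, but the comment should say it is deliberate rather than a leftover.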
From: Rich Braun Date: Thu, 12 Feb 2026 21:16:24 -0800 Subject: [PATCH 2/3] SYS-674 wip --- images/mythtv-backend/README.md | 6 ++++-- images/mythtv-backend/helm/values.yaml | 3 ++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/images/mythtv-backend/README.md b/images/mythtv-backend/README.md index 3ee38ae8..1793aa82 100644 --- a/images/mythtv-backend/README.md +++ b/images/mythtv-backend/README.md 
@@ -82,11 +82,13 @@ mythtv-user-password | Hashed password of MythTV ssh user ### Upgrade Notes -(This section applies only if you're running version 30, from 2020 or earlier.) +When upgrading to 36.0, the setup wizard is served on port 6544 without any auth protection. In upstream [MythTV issue #1077](https://github.com/MythTV/mythtv/issues/1077), I asked for a way to protect this sensitive management console in order to schedule recordings while away from home. As of Feb 2026, the [documentation](https://wiki.mythtv.org/wiki/Web_Application#API_and_Web_App_Authentication) states that upon this upgrade, it "comes with the admin user preinstalled". I couldn't login, but I could invoke _Settings -> Users -> New User_ to add the user `admin` with a password of my own choosing, and could then use admin to activate _Authentication Required for All IP Addresses_ user setting. + +(Below may apply only if you're running version 30, from 2020 or earlier.) You probably need to configure XMLTV in place of the old mythfilldatabase method used to fetch listings from [Schedules Direct](https://www.schedulesdirect.org/). See the documentation [Setup Video Sources](https://www.mythtv.org/wiki/Setup_Video_Sources). This image includes the required packages but does not automate setup. 
It's beyond scope of this document to describe the process fully but here are some of the required steps: -* Go into setupwizard, find your video source(s) and change the listings grabber to the new Schedules Direct xmltv setting for your location; make note of the video source name you're using and set a variable FILENAME to match +* Go into dashboard setup wizard, find your video source(s) and change the listings grabber to the new Schedules Direct xmltv setting for your location; make note of the video source name you're using and set a variable FILENAME to match * Invoke a channel-scan * Have your Schedules Direct username and password ready and invoke from a command shell inside the container: ``` diff --git a/images/mythtv-backend/helm/values.yaml b/images/mythtv-backend/helm/values.yaml index fd6450ae..05cfa1a5 100644 --- a/images/mythtv-backend/helm/values.yaml +++ b/images/mythtv-backend/helm/values.yaml @@ -91,7 +91,8 @@ authelia: path: /Myth/LoginUser ingress: # This ingress exposes your MythTV schedule and operational controls to - # the public Internet. Set up the admin user before enabling. + # the public Internet. Set up the admin user before enabling. See + # https://github.com/instantlinux/docker-tools/blob/main/images/mythtv-backend/README.md#upgrade-notes enabled: false ingressTOTP: # Enable this ingress for TOTP if you have Authelia installed, From e4d0386e34c8ca805d08e3a3def56ef815bfe6ab Mon Sep 17 00:00:00 2001 From: Rich Braun Date: Thu, 12 Feb 2026 21:28:46 -0800 Subject: [PATCH 3/3] SYS-674 wip --- images/mythtv-backend/helm/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/images/mythtv-backend/helm/Chart.yaml b/images/mythtv-backend/helm/Chart.yaml index 0fec45de..a82697a4 100644 --- a/images/mythtv-backend/helm/Chart.yaml +++ b/images/mythtv-backend/helm/Chart.yaml 
@@ -6,7 +6,7 @@ sources: - https://github.com/instantlinux/docker-tools - https://github.com/mythtv/mythtv type: application -version: 0.1.18 +version: 0.1.19 appVersion: "36.0-fixes.202602111500.0bcc85b590" dependencies: - name: chartlib