From 4d85255ce086773c4cd787198e06a2217c184f6d Mon Sep 17 00:00:00 2001
From: Seungmin Kim <8457324+ehfd@users.noreply.github.com>
Date: Wed, 26 Jun 2024 00:50:39 +0900
Subject: [PATCH] Fix KasmVNC

---
 Dockerfile                      |  2 +-
 README.md                       |  2 +-
 egl.yml                         |  4 ++--
 kasmvnc-entrypoint.sh           | 37 +++++++++++++++++++++++++++++----
 selkies-gstreamer-entrypoint.sh | 25 ----------------------
 supervisord.conf                |  4 ++--
 6 files changed, 39 insertions(+), 35 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 9c7c84e..79c79a0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -265,7 +265,7 @@ ENV DISPLAY_REFRESH=60
 ENV DISPLAY_DPI=96
 ENV DISPLAY_CDEPTH=24
 ENV VGL_DISPLAY=egl
-ENV KASMVNC_VIEWONLY=false
+ENV KASMVNC_ENABLE=false
 ENV SELKIES_ENCODER=nvh264enc
 ENV SELKIES_ENABLE_RESIZE=false
 ENV SELKIES_ENABLE_BASIC_AUTH=true
diff --git a/README.md b/README.md
index 9145efd..5f324dd 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ Wine, Winetricks, Lutris, and PlayOnLinux are bundled by default. Comment out th
 
 There are two web interfaces that can be chosen in this container, the first being the default [selkies-gstreamer](https://github.com/selkies-project/selkies-gstreamer) WebRTC HTML5 interface (requires a TURN server or host networking), and the second being the fallback [KasmVNC](https://github.com/kasmtech/KasmVNC) WebSocket HTML5 interface. While the KasmVNC interface does not support audio forwarding and remote cursors for gaming, it can be useful for troubleshooting the selkies-gstreamer WebRTC interface or using this container with low bandwidth environments.
 
-The KasmVNC interface is located in the `/vnc` path, where the environment variable `KASMVNC_VIEWONLY` can be set to `true` to disallow controlling the KasmVNC interface and only view the share screen.
+The KasmVNC interface can be enabled by setting `KASMVNC_ENABLE` to `true`. When using the KasmVNC interface, all environment variables related to the selkies-gstreamer WebRTC interface are ignored, with the exception of `SELKIES_BASIC_AUTH_PASSWORD`. As with the selkies-gstreamer WebRTC interface, the KasmVNC interface password will be set to `SELKIES_BASIC_AUTH_PASSWORD`, and uses `PASSWD` by default if not set.
 
 The container requires host NVIDIA GPU driver versions of at least **450.80.02** and preferably **470.42.01**, with the [NVIDIA Container Toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/install-guide.html) to be also configured on the host for allocating GPUs. All Maxwell or later generation GPUs in the consumer, professional, or datacenter lineups will not have significant issues running this container, although the selkies-gstreamer high-performance NVENC backend may not be available (see the next paragraph). Kepler GPUs are untested and likely does not support the NVENC backend, but can be mostly functional using fallback software acceleration.
 
diff --git a/egl.yml b/egl.yml
index 9dc3c5a..b0033d4 100644
--- a/egl.yml
+++ b/egl.yml
@@ -45,8 +45,8 @@ spec:
 #            secretKeyRef:
 #              name: my-pass
 #              key: my-pass
-        # Uncomment to make KasmVNC available only for screen viewing without desktop control
-#        - name: KASMVNC_VIEWONLY
+        # Uncomment to enable KasmVNC instead of Selkies-GStreamer, `SELKIES_BASIC_AUTH_PASSWORD` is used for authentication with KasmVNC, defaulting to `PASSWD` if not provided
+#        - name: KASMVNC_ENABLE
 #          value: "true"
         ###
         # Selkies-GStreamer parameters, for additional configurations see `selkies-gstreamer --help`
diff --git a/kasmvnc-entrypoint.sh b/kasmvnc-entrypoint.sh
index d5ecd92..b9b6356 100644
--- a/kasmvnc-entrypoint.sh
+++ b/kasmvnc-entrypoint.sh
@@ -6,9 +6,6 @@
 
 set -e
 
-# Set password for basic authentication
-if [ "$(echo ${SELKIES_ENABLE_BASIC_AUTH} | tr '[:upper:]' '[:lower:]')" = "true" ] && [ -z "${SELKIES_BASIC_AUTH_PASSWORD}" ]; then export SELKIES_BASIC_AUTH_PASSWORD="${PASSWD}"; fi
-
 # Set default display
 export DISPLAY="${DISPLAY:-:0}"
 # PipeWire-Pulse server socket path
@@ -18,6 +15,39 @@ export PIPEWIRE_RUNTIME_DIR="${PIPEWIRE_RUNTIME_DIR:-${XDG_RUNTIME_DIR:-/tmp}}"
 export PULSE_RUNTIME_PATH="${PULSE_RUNTIME_PATH:-${XDG_RUNTIME_DIR:-/tmp}/pulse}"
 export PULSE_SERVER="${PULSE_SERVER:-unix:${PULSE_RUNTIME_PATH:-${XDG_RUNTIME_DIR:-/tmp}/pulse}/native}"
 
+# Configure NGINX
+if [ "$(echo ${SELKIES_ENABLE_BASIC_AUTH} | tr '[:upper:]' '[:lower:]')" != "false" ]; then htpasswd -bcm "${XDG_RUNTIME_DIR}/.htpasswd" "${SELKIES_BASIC_AUTH_USER:-${USER}}" "${SELKIES_BASIC_AUTH_PASSWORD:-${PASSWD}}"; fi
+echo "# Selkies KasmVNC NGINX Configuration
+server {
+    access_log /dev/stdout;
+    error_log /dev/stderr;
+    listen 8080 $(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "ssl"; fi);
+    listen [::]:8080 $(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "ssl"; fi);
+    ssl_certificate ${SELKIES_HTTPS_CERT-/etc/ssl/certs/ssl-cert-snakeoil.pem};
+    ssl_certificate_key ${SELKIES_HTTPS_KEY-/etc/ssl/private/ssl-cert-snakeoil.key};
+    $(if [ \"$(echo ${SELKIES_ENABLE_BASIC_AUTH} | tr '[:upper:]' '[:lower:]')\" != \"false\" ]; then echo "auth_basic \"Selkies\";"; echo -n "    auth_basic_user_file ${XDG_RUNTIME_DIR}/.htpasswd;"; fi)
+
+    location / {
+        proxy_set_header        Upgrade \$http_upgrade;
+        proxy_set_header        Connection \"upgrade\";
+
+        proxy_set_header        Host \$host;
+        proxy_set_header        X-Real-IP 127.0.0.1;
+        proxy_set_header        X-Forwarded-For 127.0.0.1;
+        proxy_set_header        X-Forwarded-Proto \$scheme;
+
+        proxy_http_version      1.1;
+        proxy_read_timeout      3600s;
+        proxy_send_timeout      3600s;
+        proxy_connect_timeout   3600s;
+        proxy_buffering         off;
+
+        client_max_body_size    10M;
+
+        proxy_pass http$(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "s"; fi)://localhost:8082;
+    }
+}" | tee /etc/nginx/sites-available/default > /dev/null
+
 # Configure KasmVNC
 export KASM_DISPLAY=":50"
 yq -i "
@@ -36,7 +66,6 @@ if [ -n "${SELKIES_HTTPS_CERT}" ]; then yq -i ".network.ssl.pem_certificate = \"
 if [ -n "${SELKIES_HTTPS_KEY}" ]; then yq -i ".network.ssl.pem_key = \"${SELKIES_HTTPS_KEY-/etc/ssl/private/ssl-cert-snakeoil.key}\"" /etc/kasmvnc/kasmvnc.yaml; fi
 
 if [ "$(echo ${SELKIES_ENABLE_RESIZE} | tr '[:upper:]' '[:lower:]')" = "true" ]; then export KASM_PROXY_FLAG="${KASM_PROXY_FLAG} -r"; fi
-if [ "$(echo ${KASMVNC_VIEWONLY} | tr '[:upper:]' '[:lower:]')" = "true" ]; then export KASM_FLAG="${KASM_FLAG} -AcceptPointerEvents=0 -AcceptKeyEvents=0 -AcceptSetDesktopSize=0"; fi
 
 mkdir -pm700 ~/.vnc
 (echo "${SELKIES_BASIC_AUTH_PASSWORD:-${PASSWD}}"; echo "${SELKIES_BASIC_AUTH_PASSWORD:-${PASSWD}}";) | kasmvncpasswd -u "${SELKIES_BASIC_AUTH_USER:-${USER}}" -ow ~/.kasmpasswd
diff --git a/selkies-gstreamer-entrypoint.sh b/selkies-gstreamer-entrypoint.sh
index 121f5ce..438f4fe 100755
--- a/selkies-gstreamer-entrypoint.sh
+++ b/selkies-gstreamer-entrypoint.sh
@@ -6,9 +6,6 @@
 
 set -e
 
-# Set password for basic authentication
-if [ "$(echo ${SELKIES_ENABLE_BASIC_AUTH} | tr '[:upper:]' '[:lower:]')" = "true" ] && [ -z "${SELKIES_BASIC_AUTH_PASSWORD}" ]; then export SELKIES_BASIC_AUTH_PASSWORD="${PASSWD}"; fi
-
 # Set default display
 export DISPLAY="${DISPLAY:-:0}"
 # PipeWire-Pulse server socket path
@@ -111,28 +108,6 @@ server {
         proxy_pass http$(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "s"; fi)://localhost:9081;
     }
 
-    location /vnc {
-        rewrite ^/vnc(.*)\$ \$1?\$args break;
-
-        proxy_set_header        Upgrade \$http_upgrade;
-        proxy_set_header        Connection \"upgrade\";
-
-        proxy_set_header        Host \$host;
-        proxy_set_header        X-Real-IP 127.0.0.1;
-        proxy_set_header        X-Forwarded-For 127.0.0.1;
-        proxy_set_header        X-Forwarded-Proto \$scheme;
-
-        proxy_http_version      1.1;
-        proxy_read_timeout      3600s;
-        proxy_send_timeout      3600s;
-        proxy_connect_timeout   3600s;
-        proxy_buffering         off;
-
-        client_max_body_size    10M;
-
-        proxy_pass http$(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "s"; fi)://localhost:8082;
-    }
-
     error_page 500 502 503 504 /50x.html;
     location = /50x.html {
         root /opt/gst-web/;
diff --git a/supervisord.conf b/supervisord.conf
index 7dadd78..f89e63a 100644
--- a/supervisord.conf
+++ b/supervisord.conf
@@ -38,7 +38,7 @@ autorestart=true
 priority=1
 
 [program:selkies-gstreamer]
-command=bash -c "/etc/selkies-gstreamer-entrypoint.sh"
+command=bash -c "if [ $(echo %(ENV_KASMVNC_ENABLE)s | tr '[:upper:]' '[:lower:]') != true ]; then /etc/selkies-gstreamer-entrypoint.sh; else sleep infinity; fi"
 stdout_logfile=/tmp/selkies-gstreamer-entrypoint.log
 stdout_logfile_maxbytes=5MB
 stdout_logfile_backups=0
@@ -50,7 +50,7 @@ autorestart=true
 priority=20
 
 [program:kasmvnc]
-command=bash -c "/etc/kasmvnc-entrypoint.sh"
+command=bash -c "if [ $(echo %(ENV_KASMVNC_ENABLE)s | tr '[:upper:]' '[:lower:]') = true ]; then /etc/kasmvnc-entrypoint.sh; else sleep infinity; fi"
 stdout_logfile=/tmp/kasmvnc-entrypoint.log
 stdout_logfile_maxbytes=5MB
 stdout_logfile_backups=0