refactor(config): disperse Features section into category Advanced groups

The Features section was a grab-bag of ~27 toggles, most of which are
either category-specific (firewall, SSL, Docker network, SSH hardening)
or install-time choices that brick the box if flipped on a live
install (the WebUI / config / CLI / Docker requirements). One page
made auditing easier but flattened the risk hierarchy.

Reorganised so each toggle lives where it conceptually belongs, and
the dangerous install-time set is double-gated:

  network_docker     (Advanced)  DOCKER_NETWORK, DOCKER_NETWORK_PRUNE,
                                  DOCKER_SWITCHER
  network_firewall   (Advanced)  UFW, UFWD, WHITELIST_PORT_UPDATER  [new]
  network_domains    (field-Adv) SSLCERTS
  security_ssh       (Advanced)  SSHKEY_DOWNLOADER, SSH_DISABLE_PASSWORDS,
                                  BCRYPT_SAVE, GLUETUN_FOR_ALL          [new]
  general_terminal   (Advanced)  CRONTAB, CONFIGS_CHECK,
                                  CONFIGS_AUTO_UPDATE, CONFIGS_AUTO_DELETE,
                                  MISSING_IPS, CONTINUE_PROMPT,
                                  SUGGEST_INSTALLS, SUGGEST_METRICS
  general_install    (Adv+DEV)   CONFIG, COMMAND, WEBUI, WEBUI_SERVICE,
                                  DATABASE, PASSWORDS, DOCKER_CE,
                                  DOCKER_COMPOSE

The install-time eight are marked **ADVANCED** **DEV** — invisible
unless Developer Mode is on AND "Show Advanced Options" is expanded.
Each field's description was updated to note "Disabling on an existing
install will brick the system" / "install-time choice only" so a user
who does get to the toggle understands the gun before pulling the
trigger.

Other cleanup that fell out:
- Removed `configs/features/` directory entirely.
- Added the two new subcategories to SUBCATEGORY_ORDER in
  network/.category and security/.category.
- Dropped the `category === 'features'` Danger Zone header special-case
  in config-manager.js and its .danger-zone-section--header-only CSS
  variant (sole user).
- Trimmed an obsolete "Edit the features config" notice in
  check_requirements.sh.

Signed-off-by: librelad <librelad@digitalangels.vip>
librelad 2026-05-27 14:39:58 +01:00
parent eac81abdbc
commit 8a3bf505c3
15 changed files with 35 additions and 74 deletions


@ -1,5 +0,0 @@
TITLE=Features
DESCRIPTION=Toggle system components and features
ICON=features
ORDER=5
SUBCATEGORY_ORDER=features_core,features_security,features_terminal


@ -1,18 +0,0 @@
# ================================================================================
# Core Features - Essential LibrePortal functionality and core services
# ================================================================================
CFG_REQUIREMENT_CONFIG=true # Configuration Management - Enable configuration management system for LibrePortal settings
CFG_REQUIREMENT_COMMAND=true # Command Line Tool - Install the libreportal command line tool for system management
CFG_REQUIREMENT_WEBUI=true # Web Interface - Install and manage the LibrePortal web based management interface
CFG_REQUIREMENT_WEBUI_SERVICE=true # Web Task Service - Install the task management systemd service for the web interface
CFG_REQUIREMENT_DATABASE=true # Database Support - Install and configure database support for application data storage
CFG_REQUIREMENT_PASSWORDS=true # Password Management - Enable password generation and management features
CFG_REQUIREMENT_DOCKER_CE=true # Docker CE - Install Docker Community Edition instead of the default Docker version
CFG_REQUIREMENT_DOCKER_COMPOSE=true # Docker Compose - Install Docker Compose for multi container application management
CFG_REQUIREMENT_DOCKER_NETWORK=true # Docker Network - Create and manage Docker network for container communication
CFG_REQUIREMENT_UFW=true # Firewall Protection - Install and configure the Uncomplicated Firewall for system security
CFG_REQUIREMENT_UFWD=true # Docker Firewall - Install UFW Docker for container aware firewall management which is rooted Docker specific
CFG_REQUIREMENT_SSLCERTS=true # SSL Certificates - Generate and manage SSL certificates for secure HTTPS connections
CFG_REQUIREMENT_CRONTAB=true # Scheduled Tasks - Setup scheduled tasks and automated maintenance jobs
CFG_REQUIREMENT_WHITELIST_PORT_UPDATER=true # Auto Port Management - Automatically update port whitelist when applications are installed or removed
CFG_REQUIREMENT_BCRYPT_SAVE=true # Password Encryption - Encrypt saved passwords using bcrypt for enhanced security


@ -1,7 +0,0 @@
# ================================================================================
# Security and Authentication - SSH access and security configuration
# ================================================================================
CFG_REQUIREMENT_SSHKEY_DOWNLOADER=false # SSH Key Downloader - Enable SSH key download functionality for remote access
CFG_REQUIREMENT_SSH_DISABLE_PASSWORDS=false # SSH Password Disable - Disable password authentication for SSH requiring key based access only
CFG_REQUIREMENT_GLUETUN_FOR_ALL=false # Gluetun For All Apps - Allow routing through Gluetun VPN for every app (default: only curated categories)


@ -1,12 +0,0 @@
# ================================================================================
# Terminal Only - Advanced terminal based features and utilities **ADVANCED**
# ================================================================================
CFG_REQUIREMENT_SUGGEST_INSTALLS=false # Install Suggestions - Enable application suggestions and recommendations during installation
CFG_REQUIREMENT_SUGGEST_METRICS=true # Metrics Suggestions - Offer Prometheus and Grafana during first install (requires Install Suggestions enabled)
CFG_REQUIREMENT_CONTINUE_PROMPT=false # Continue Prompts - Show continue prompts during installation for user confirmation
CFG_REQUIREMENT_CONFIGS_CHECK=true # Config Validation - Validate configuration files on startup for errors and consistency
CFG_REQUIREMENT_CONFIGS_AUTO_UPDATE=true # Auto Config Updates - Add new config options from the template (non-interactive)
CFG_REQUIREMENT_CONFIGS_AUTO_DELETE=true # Auto Config Deletes - Remove config options no longer present in the template
CFG_REQUIREMENT_MISSING_IPS=false # IP Configuration Check - Check for and alert about missing IP configurations
CFG_REQUIREMENT_DOCKER_NETWORK_PRUNE=true # Docker Network Cleanup - Enable automatic cleanup of unused Docker networks
CFG_REQUIREMENT_DOCKER_SWITCHER=true # Docker Switcher - Install Docker version switching utility for managing multiple Docker versions


@ -10,3 +10,11 @@ CFG_GIT_USER=changeme # Git Username - Git us
CFG_GIT_KEY=changeme # Git Access Key - SSH key or API key for Git repository access CFG_GIT_KEY=changeme # Git Access Key - SSH key or API key for Git repository access
CFG_GIT_UPDATES=true # Auto Check Updates - Check for updates automatically CFG_GIT_UPDATES=true # Auto Check Updates - Check for updates automatically
CFG_GIT_AUTO_UPDATES=true # Auto Apply Updates - Automatically apply updates when available CFG_GIT_AUTO_UPDATES=true # Auto Apply Updates - Automatically apply updates when available
CFG_REQUIREMENT_CONFIG=true # Configuration Management - Install the configuration management system. Disabling this on an existing install will brick the system. **ADVANCED** **DEV**
CFG_REQUIREMENT_COMMAND=true # Command Line Tool - Install the libreportal command line tool. Disabling this on an existing install will brick the system. **ADVANCED** **DEV**
CFG_REQUIREMENT_WEBUI=true # Web Interface - Install the LibrePortal WebUI. Disabling this on an existing install will brick the system. **ADVANCED** **DEV**
CFG_REQUIREMENT_WEBUI_SERVICE=true # Web Task Service - Install the task-processor systemd service that backs the WebUI. Disabling this on an existing install will brick the system. **ADVANCED** **DEV**
CFG_REQUIREMENT_DATABASE=true # Database Support - Install and configure database support for application data storage. Install-time choice only — flipping post-install will not retrofit. **ADVANCED** **DEV**
CFG_REQUIREMENT_PASSWORDS=true # Password Management - Enable password generation and management features. Install-time choice only. **ADVANCED** **DEV**
CFG_REQUIREMENT_DOCKER_CE=true # Docker CE - Install Docker Community Edition instead of the distro default. Install-time choice only — flipping post-install does not swap Docker. **ADVANCED** **DEV**
CFG_REQUIREMENT_DOCKER_COMPOSE=true # Docker Compose - Install Docker Compose for multi-container application management. Install-time choice only. **ADVANCED** **DEV**
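Review bot: The `**ADVANCED** **DEV**` markers on these eight added lines only hide the fields in the WebUI, so the "will brick the system" protection is a visibility gate rather than an enforcement. Nothing visible in this commit stops a true-to-false change made by editing the file directly, or through the save path if that path does not re-check the markers. It would be worth having the config writer refuse these keys, or require explicit confirmation, once an install exists. The wording is also uneven: `CFG_REQUIREMENT_PASSWORDS` and `CFG_REQUIREMENT_DOCKER_COMPOSE` end at "Install-time choice only." without saying what flipping them later does, unlike the DATABASE and DOCKER_CE lines.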


@ -7,3 +7,11 @@ CFG_GENERATED_PASS_LENGTH=14 # Password Length - Len
CFG_GENERATED_USER_LENGTH=8 # Username Length - Length for auto generated usernames CFG_GENERATED_USER_LENGTH=8 # Username Length - Length for auto generated usernames
CFG_UFW_LOGGING=off # Firewall Logging - UFW firewall logging level [off|low|medium|high|full] CFG_UFW_LOGGING=off # Firewall Logging - UFW firewall logging level [off|low|medium|high|full]
CFG_TEXT_EDITOR=nano # Text Editor - Default text editor for system operations [nano|vim] CFG_TEXT_EDITOR=nano # Text Editor - Default text editor for system operations [nano|vim]
CFG_REQUIREMENT_CRONTAB=true # Scheduled Tasks - Install scheduled tasks and automated maintenance jobs
CFG_REQUIREMENT_CONFIGS_CHECK=true # Config Validation - Validate configuration files on startup for errors and consistency
CFG_REQUIREMENT_CONFIGS_AUTO_UPDATE=true # Auto Config Updates - Add new config options from the template (non-interactive)
CFG_REQUIREMENT_CONFIGS_AUTO_DELETE=true # Auto Config Deletes - Remove config options no longer present in the template
CFG_REQUIREMENT_MISSING_IPS=false # IP Configuration Check - Check for and alert about missing IP configurations
CFG_REQUIREMENT_CONTINUE_PROMPT=false # Continue Prompts - Show continue prompts during installation for user confirmation
CFG_REQUIREMENT_SUGGEST_INSTALLS=false # Install Suggestions - Enable application suggestions and recommendations during installation
CFG_REQUIREMENT_SUGGEST_METRICS=true # Metrics Suggestions - Offer Prometheus and Grafana during first install (requires Install Suggestions enabled)
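Review bot: None of the eight added lines carries an `**ADVANCED**` marker, although the commit message lists this group as Advanced; the section header is outside the hunk, so confirm the marker sits there, otherwise `CFG_REQUIREMENT_CONFIGS_AUTO_DELETE` and the rest are shown to every user. The context line `CFG_UFW_LOGGING` also stays in this file while the other UFW toggles move to the new firewall group, which splits firewall settings across two pages. Moving it alongside `CFG_REQUIREMENT_UFW` would keep the firewall audit surface in one place.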


@ -2,4 +2,4 @@ TITLE=Network
DESCRIPTION=Network configuration and domain management DESCRIPTION=Network configuration and domain management
ICON=network ICON=network
ORDER=4 ORDER=4
SUBCATEGORY_ORDER=network_domains,network_whitelist,network_dns,network_docker,network_rootless,network_ports,network_headscale SUBCATEGORY_ORDER=network_domains,network_whitelist,network_firewall,network_dns,network_docker,network_rootless,network_ports,network_headscale


@ -5,3 +5,6 @@
CFG_NETWORK_NAME=vpn # Network Name - Docker network name for container communication CFG_NETWORK_NAME=vpn # Network Name - Docker network name for container communication
CFG_NETWORK_SUBNET=10.100.0.0/16 # Network Subnet - Subnet range for Docker network CFG_NETWORK_SUBNET=10.100.0.0/16 # Network Subnet - Subnet range for Docker network
CFG_NETWORK_MTU=1500 # Network MTU - Maximum transmission unit for network packets CFG_NETWORK_MTU=1500 # Network MTU - Maximum transmission unit for network packets
CFG_REQUIREMENT_DOCKER_NETWORK=true # Docker Network - Create and manage the Docker network for container communication
CFG_REQUIREMENT_DOCKER_NETWORK_PRUNE=true # Network Cleanup - Automatically prune unused Docker networks
CFG_REQUIREMENT_DOCKER_SWITCHER=true # Docker Switcher - Install the Docker version switching utility


@ -10,3 +10,4 @@ CFG_DOMAIN_6= # Domain 6 - Domain slo
CFG_DOMAIN_7= # Domain 7 - Domain slot 7 for a Traefik CFG_DOMAIN_7= # Domain 7 - Domain slot 7 for a Traefik
CFG_DOMAIN_8= # Domain 8 - Domain slot 8 for a Traefik CFG_DOMAIN_8= # Domain 8 - Domain slot 8 for a Traefik
CFG_DOMAIN_9= # Domain 9 - Domain slot 9 for a Traefik CFG_DOMAIN_9= # Domain 9 - Domain slot 9 for a Traefik
CFG_REQUIREMENT_SSLCERTS=true # SSL Certificates - Generate and manage SSL certificates for secure HTTPS connections **ADVANCED**


@ -0,0 +1,6 @@
# ================================================================================
# Firewall - Host firewall and port-whitelist automation **ADVANCED**
# ================================================================================
CFG_REQUIREMENT_UFW=true # Firewall Protection - Install and configure the Uncomplicated Firewall (UFW) for system security
CFG_REQUIREMENT_UFWD=true # Docker Firewall - Install UFW-Docker for container-aware firewall management (rooted Docker only)
CFG_REQUIREMENT_WHITELIST_PORT_UPDATER=true # Auto Port Whitelisting - Update the port whitelist automatically when applications are installed or removed
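Review bot: The descriptions for `CFG_REQUIREMENT_UFW` and `CFG_REQUIREMENT_UFWD` do not say what setting them to false does on a host where the firewall is already installed, that is, whether UFW is disabled or removed, or whether the toggle only matters at install time like the general_install set. The UFWD line should also state the consequence of turning it off while UFW stays on: Docker publishes container ports through its own iptables rules, so without UFW-Docker those ports are typically reachable regardless of UFW rules. Suggested wording: `# Docker Firewall - Install UFW-Docker so UFW rules also apply to published container ports (rooted Docker only); without it, published ports bypass UFW`.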


@ -2,4 +2,4 @@ TITLE=Security
DESCRIPTION=Intrusion prevention, bouncers, and host firewall configuration DESCRIPTION=Intrusion prevention, bouncers, and host firewall configuration
ICON=security ICON=security
ORDER=5 ORDER=5
SUBCATEGORY_ORDER=security_logins SUBCATEGORY_ORDER=security_logins,security_ssh


@ -0,0 +1,7 @@
# ================================================================================
# SSH & Access Hardening - Secure remote access and auth-storage toggles **ADVANCED**
# ================================================================================
CFG_REQUIREMENT_SSHKEY_DOWNLOADER=false # SSH Key Downloader - Enable SSH key download functionality for remote access
CFG_REQUIREMENT_SSH_DISABLE_PASSWORDS=false # Disable SSH Passwords - Disable password authentication for SSH (requires key-based access only)
CFG_REQUIREMENT_BCRYPT_SAVE=true # Password Encryption - Encrypt saved passwords using bcrypt for enhanced security
CFG_REQUIREMENT_GLUETUN_FOR_ALL=false # Gluetun For All Apps - Allow routing through Gluetun VPN for every app (default: only curated categories)
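Review bot: `CFG_REQUIREMENT_BCRYPT_SAVE` is described as "Encrypt saved passwords using bcrypt", but bcrypt is a one-way password hash rather than encryption, and the line does not say how passwords are stored when the toggle is false. If false means unhashed storage, say so on the line, e.g. `# Password Hashing - Store saved passwords as bcrypt hashes; when disabled, passwords are saved unhashed`. `CFG_REQUIREMENT_SSH_DISABLE_PASSWORDS` would likewise benefit from a lockout caveat such as "confirm a working SSH key is installed before enabling". `CFG_REQUIREMENT_GLUETUN_FOR_ALL` is VPN routing rather than SSH or auth storage, so the section header does not describe it.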


@ -47,22 +47,6 @@
font-style: italic; font-style: italic;
} }
/* Header-only variant used as a page-level banner (e.g. config?=features).
Without inner content below the header, the header's bottom margin
is wasted whitespace, and the section needs its own bottom margin
to separate from whatever follows. */
.danger-zone-section--header-only {
margin-bottom: 24px;
}
.danger-zone-section--header-only .danger-zone-header {
margin-bottom: 0;
}
.danger-zone-section--header-only .danger-zone-header p {
margin-top: 4px;
}
/* Inline variant — same recipe as .danger-zone-section, smaller padding. */ /* Inline variant — same recipe as .danger-zone-section, smaller padding. */
.danger-zone-banner { .danger-zone-banner {
background: rgba(var(--status-danger-rgb), 0.10); background: rgba(var(--status-danger-rgb), 0.10);


@ -176,19 +176,6 @@ if (typeof window.ConfigManager === 'undefined') {
var formHTML = ''; var formHTML = '';
var self = this; // Preserve 'this' context var self = this; // Preserve 'this' context
// Features page is system-level — add a Danger Zone header at the
// top so it's visually obvious before the user touches anything.
// Reuses the same `.danger-zone-section` / `.danger-zone-header`
// styling used elsewhere, but without the advanced/unused toggle
// tickboxes that live inside the normal danger zone — this is just
// the heading.
if (category === 'features') {
formHTML += '<div class="danger-zone-section danger-zone-section--header-only"><div class="danger-zone-header"><h3>⚠️ Danger Zone</h3><p>These options are for advanced users and may affect system stability</p></div></div>';
// Divider below the features Danger Zone banner, separating it from
// the feature fields — same rule used elsewhere in the config form.
formHTML += '<div class="config-divider"></div>';
}
//console.log('ConfigManager: About to process configData entries:', Object.keys(configData)); //console.log('ConfigManager: About to process configData entries:', Object.keys(configData));
// Filter subcategories by type // Filter subcategories by type


@ -4,7 +4,6 @@ checkRequirements()
{ {
isHeader "Checking Requirements" isHeader "Checking Requirements"
isNotice "Requirements are about to be installed." isNotice "Requirements are about to be installed."
isNotice "Edit the features config if you want to disable anything."
echo "" echo ""
checkRootRequirement; checkRootRequirement;