From d2595c3ef652e92da43a443e24a7b57c0636565b Mon Sep 17 00:00:00 2001 From: librelad Date: Mon, 25 May 2026 23:52:53 +0100 Subject: [PATCH] refactor(apps): per-app compose-tag hooks (remove the central App-Specific ladder) docker_config_setup_data.sh's "App Specific" if/elif ladder (pihole, nextcloud, searxng, speedtest, vaultwarden, wireguard, gluetun) becomes a generic hook dispatch: an app needing computed (non-CFG) compose tags ships containers//scripts/_compose_tags.sh defining appSetupComposeTags_ (live-sourced by the container scan, called with the compose path; reads host_setup/public_ip_v4/CFG_* from scope). Same declare -F pattern as the tool / update-specifics / webui-refresh hooks. - 7 per-app hook files added; central ladder replaced by the dispatch. - The generic gluetun network-mode block stays (any app may route through gluetun); tagsProcessorGluetunForwardedPorts stays central (hook + network-mode both use it). - Regenerate arrays (hooks live under containers/, not arrayed). Verified with stubs: each hook emits exactly the tags the old branch did (pihole REV_SERVER, nextcloud trusted-domains, gluetun VPN set + forwarded ports, etc.); apps without a hook are a clean no-op. Co-Authored-By: Claude Opus 4.7 
Signed-off-by: librelad
---
.../gluetun/scripts/gluetun_compose_tags.sh | 16 ++++++
.../scripts/nextcloud_compose_tags.sh | 9 +++
.../pihole/scripts/pihole_compose_tags.sh | 16 ++++++
.../searxng/scripts/searxng_compose_tags.sh | 7 +++
.../scripts/speedtest_compose_tags.sh | 7 +++
.../scripts/vaultwarden_compose_tags.sh | 8 +++
.../scripts/wireguard_compose_tags.sh | 9 +++
.../config/docker/docker_config_setup_data.sh | 57 ++++---------------
8 files changed, 82 insertions(+), 47 deletions(-)
create mode 100644 containers/gluetun/scripts/gluetun_compose_tags.sh
create mode 100644 containers/nextcloud/scripts/nextcloud_compose_tags.sh
create mode 100644 containers/pihole/scripts/pihole_compose_tags.sh
create mode 100644 containers/searxng/scripts/searxng_compose_tags.sh
create mode 100644 containers/speedtest/scripts/speedtest_compose_tags.sh
create mode 100644 containers/vaultwarden/scripts/vaultwarden_compose_tags.sh
create mode 100644 containers/wireguard/scripts/wireguard_compose_tags.sh
diff --git a/containers/gluetun/scripts/gluetun_compose_tags.sh b/containers/gluetun/scripts/gluetun_compose_tags.sh
new file mode 100644
index 0000000..9447e71
--- /dev/null
+++ b/containers/gluetun/scripts/gluetun_compose_tags.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# App-specific compose tags for Gluetun (VPN gateway) + its forwarded-port wiring.
+appSetupComposeTags_gluetun() {
+ local full_file_path="$1"
+ tagsManagerUpdateUniversalTag "$full_file_path" "GLUETUN_VPN_SERVICE_PROVIDER_TAG" "$CFG_GLUETUN_VPN_SERVICE_PROVIDER"
+ tagsManagerUpdateUniversalTag "$full_file_path" "GLUETUN_VPN_TYPE_TAG" "$CFG_GLUETUN_VPN_TYPE"
+ tagsManagerUpdateUniversalTag "$full_file_path" "GLUETUN_VPN_COUNTRIES_TAG" "$CFG_GLUETUN_VPN_COUNTRIES"
+ tagsManagerUpdateUniversalTag "$full_file_path" "GLUETUN_OPENVPN_USER_TAG" "$CFG_GLUETUN_OPENVPN_USER"
+ tagsManagerUpdateUniversalTag "$full_file_path" "GLUETUN_OPENVPN_PASSWORD_TAG" "$CFG_GLUETUN_OPENVPN_PASSWORD"
+ tagsManagerUpdateUniversalTag "$full_file_path" "GLUETUN_WIREGUARD_PRIVATE_KEY_TAG" "$CFG_GLUETUN_WIREGUARD_PRIVATE_KEY"
+ tagsManagerUpdateUniversalTag "$full_file_path" "GLUETUN_WIREGUARD_ADDRESSES_TAG" "$CFG_GLUETUN_WIREGUARD_ADDRESSES"
+ tagsManagerUpdateUniversalTag "$full_file_path" "GLUETUN_HEALTH_TARGETS_TAG" "${CFG_GLUETUN_HEALTH_TARGETS:-mullvad.net:443,eff.org:443}"
+ tagsManagerUpdateUniversalTag "$full_file_path" "GLUETUN_HEALTH_ICMP_IPS_TAG" "${CFG_GLUETUN_HEALTH_ICMP_IPS:-9.9.9.9}"
+ tagsProcessorGluetunForwardedPorts
+}
diff --git a/containers/nextcloud/scripts/nextcloud_compose_tags.sh b/containers/nextcloud/scripts/nextcloud_compose_tags.sh
new file mode 100644
index 0000000..914e189
--- /dev/null
+++ b/containers/nextcloud/scripts/nextcloud_compose_tags.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# App-specific compose tags for Nextcloud. host_setup + public_ip_v4 come from the
+# caller's scope (variables_init_app). One value so the compose carries a single
+# #LIBREPORTAL annotation per line; empty fields are filtered by Nextcloud's entrypoint.
+appSetupComposeTags_nextcloud() {
+ local full_file_path="$1"
+ tagsManagerUpdateUniversalTag "$full_file_path" "NEXTCLOUD_TRUSTED_DOMAINS_TAG" "$host_setup $public_ip_v4 localhost 127.0.0.1"
+}
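Review bot: `appSetupComposeTags_gluetun` writes `$CFG_GLUETUN_OPENVPN_PASSWORD` and `$CFG_GLUETUN_WIREGUARD_PRIVATE_KEY` into the compose file at `$full_file_path` as plain values, and nothing in the hook says how that file is protected. tagsManagerUpdateUniversalTag is defined outside this patch, so whether the generated file ends up owner-only is not visible here; if it does not, the VPN credentials are readable by anyone who can read the compose file. I would add a comment above the function such as `# Writes VPN credentials into the compose file; it must stay owner-readable only (0600).` and confirm the mode where the file is created. Separately, `tagsProcessorGluetunForwardedPorts` is called without `$full_file_path`, so it presumably depends on caller-scope variables; a one-line comment naming them would make that dependency explicit.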
diff --git a/containers/pihole/scripts/pihole_compose_tags.sh b/containers/pihole/scripts/pihole_compose_tags.sh
new file mode 100644
index 0000000..cbc9291
--- /dev/null
+++ b/containers/pihole/scripts/pihole_compose_tags.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# App-specific compose tags for Pi-hole — dispatched by dockerConfigSetupFileWithData
+# (containers//scripts/_compose_tags.sh defining appSetupComposeTags_;
+# $1 = the compose file path). The CFG_* tags are filled generically; only the
+# computed REV_SERVER values need this handler.
+appSetupComposeTags_pihole() {
+ local full_file_path="$1"
+ local default_gateway network_cidr
+ default_gateway=$(ip route | grep default | awk '{print $3}' | head -1)
+ [[ -z "$default_gateway" ]] && default_gateway="192.168.1.1"
+ network_cidr=$(ip route | grep -v default | grep -E "192\.168|10\.|172\." | awk '{print $1}' | head -1)
+ [[ -z "$network_cidr" ]] && network_cidr="192.168.0.0/16"
+ tagsManagerUpdateUniversalTag "$full_file_path" "PIHOLE_REV_SERVER_TARGET_TAG" "$default_gateway"
+ tagsManagerUpdateUniversalTag "$full_file_path" "PIHOLE_REV_SERVER_CIDR_TAG" "$network_cidr"
+}
diff --git a/containers/searxng/scripts/searxng_compose_tags.sh b/containers/searxng/scripts/searxng_compose_tags.sh
new file mode 100644
index 0000000..ffbb11e
--- /dev/null
+++ b/containers/searxng/scripts/searxng_compose_tags.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# App-specific compose tags for SearXNG.
+appSetupComposeTags_searxng() {
+ local full_file_path="$1"
+ tagsManagerUpdateUniversalTag "$full_file_path" "SEARXNG_THEME_TAG" "$CFG_SEARXNG_THEME"
+}
diff --git a/containers/speedtest/scripts/speedtest_compose_tags.sh b/containers/speedtest/scripts/speedtest_compose_tags.sh
new file mode 100644
index 0000000..0b3ffa4
--- /dev/null
+++ b/containers/speedtest/scripts/speedtest_compose_tags.sh
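Review bot: The `network_cidr` pipeline in `appSetupComposeTags_pihole` can pick the wrong network: `grep -E "192\.168|10\.|172\."` is unanchored (it also matches `110.` or any 172.x route), and it takes the first hit from `ip route`, which on a Docker host may be a bridge network such as 172.17.0.0/16 rather than the LAN. Pi-hole would then forward reverse lookups for the wrong range. Restricting the lookup to the default route's interface and anchoring the pattern is safer, e.g. `grep -E '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'`. The gateway line also assumes `default via <ip>`; for a `default dev <if>` route field 3 is an interface name, so `ip -4 route show default | awk '$2=="via"{print $3; exit}'` is more robust. The logic is carried over from the removed branch, and both fallbacks (192.168.1.1, 192.168.0.0/16) are applied silently; a log line when they are used would make a wrong forwarding target easier to spot.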
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# App-specific compose tags for Speedtest Tracker.
+appSetupComposeTags_speedtest() {
+ local full_file_path="$1"
+ tagsProcessorSpeedtestPass "$full_file_path" "$CFG_SPEEDTEST_PASSWORD_ENABLED" "$CFG_SPEEDTEST_PASSWORD"
+}
diff --git a/containers/vaultwarden/scripts/vaultwarden_compose_tags.sh b/containers/vaultwarden/scripts/vaultwarden_compose_tags.sh
new file mode 100644
index 0000000..b3f86cf
--- /dev/null
+++ b/containers/vaultwarden/scripts/vaultwarden_compose_tags.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# App-specific compose tags for Vaultwarden.
+appSetupComposeTags_vaultwarden() {
+ local full_file_path="$1"
+ tagsManagerUpdateUniversalTag "$full_file_path" "VAULTWARDEN_ADMIN_TOKEN_TAG" "$CFG_VAULTWARDEN_ADMIN_TOKEN"
+ tagsManagerUpdateUniversalTag "$full_file_path" "VAULTWARDEN_SIGNUPS_ALLOWED_TAG" "$CFG_VAULTWARDEN_SIGNUPS_ALLOWED"
+}
diff --git a/containers/wireguard/scripts/wireguard_compose_tags.sh b/containers/wireguard/scripts/wireguard_compose_tags.sh
new file mode 100644
index 0000000..744f01c
--- /dev/null
+++ b/containers/wireguard/scripts/wireguard_compose_tags.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# App-specific compose tags for WireGuard (wg-easy) — bcrypt the admin password.
+appSetupComposeTags_wireguard() {
+ local full_file_path="$1"
+ local bcrypt_hash
+ bcrypt_hash=$(hashPassword "$CFG_WIREGUARD_PASSWORD")
+ tagsManagerUpdateUniversalTag "$full_file_path" "WIREGUARD_PASSWORD_TAG" "$bcrypt_hash"
+}
diff --git a/scripts/config/docker/docker_config_setup_data.sh b/scripts/config/docker/docker_config_setup_data.sh
index 09f31ee..732a93f 100755
--- a/scripts/config/docker/docker_config_setup_data.sh
+++ b/scripts/config/docker/docker_config_setup_data.sh
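Review bot: `appSetupComposeTags_vaultwarden` writes `$CFG_VAULTWARDEN_ADMIN_TOKEN` into the compose file exactly as configured, while the WireGuard hook in this same patch hashes its secret before writing it. Vaultwarden accepts an Argon2 PHC string for ADMIN_TOKEN, so the hook could require or generate one instead of storing a plaintext admin token. If a hash is used, its `$` characters must reach Compose as `$$`; whether tagsManagerUpdateUniversalTag escapes them is not visible in this patch. At minimum I would add the comment `# ADMIN_TOKEN is written as-is; prefer an Argon2 PHC string, with $ escaped as $$ for Compose.`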
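Review bot: The result of `hashPassword` is not checked in `appSetupComposeTags_wireguard`, so a failed or empty hash is still written to `WIREGUARD_PASSWORD_TAG` and the hook returns success. Depending on how wg-easy treats an empty hash, that may leave the admin UI either unusable or without a password. A guard such as `bcrypt_hash=$(hashPassword "$CFG_WIREGUARD_PASSWORD") || return 1` followed by `[[ -n "$bcrypt_hash" ]] || return 1` would stop the tag being written in that case. A bcrypt string also contains `$`, which Compose interpolates unless doubled; hashPassword and the tag manager are outside this patch, so confirm that one of them escapes it.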
@@ -104,54 +104,17 @@ dockerConfigSetupFileWithData() tagsManagerUpdateUniversalTag "$full_file_path" "MAIL_FROM_TAG" "$CFG_MAIL_FROM" ############################################### - # App Specific + # App Specific (per-app hook) ############################################### - if [[ "$app_name" == "pihole" ]]; then - # PIHOLE_ADMIN_PASSWORD_TAG / PIHOLE_WEB_THEME_TAG are filled by the - # generic tagsProcessorAppConfigValues (CFG_PIHOLE_ADMIN_PASSWORD / - # CFG_PIHOLE_WEB_THEME). Only the computed REV_SERVER tags below - # need an app-specific handler. - local default_gateway - local network_cidr - default_gateway=$(ip route | grep default | awk '{print $3}' | head -1) - if [[ -z "$default_gateway" ]]; then - default_gateway="192.168.1.1" # Fallback - fi - network_cidr=$(ip route | grep -v default | grep -E "192\.168|10\.|172\." | awk '{print $1}' | head -1) - if [[ -z "$network_cidr" ]]; then - network_cidr="192.168.0.0/16" # Fallback - fi - tagsManagerUpdateUniversalTag "$full_file_path" "PIHOLE_REV_SERVER_TARGET_TAG" "$default_gateway" - tagsManagerUpdateUniversalTag "$full_file_path" "PIHOLE_REV_SERVER_CIDR_TAG" "$network_cidr" - elif [[ "$app_name" == "nextcloud" ]]; then - # Space-separated trusted-domains list. Built as one value so the - # compose carries one #LIBREPORTAL annotation per line — multiple - # annotations on a single line confuse the tag manager's - # placeholder-capture step. Empty fields (e.g. host_setup when - # no domain is configured) are filtered by Nextcloud's entrypoint. 
- tagsManagerUpdateUniversalTag "$full_file_path" "NEXTCLOUD_TRUSTED_DOMAINS_TAG" "$host_setup $public_ip_v4 localhost 127.0.0.1" - elif [[ "$app_name" == "searxng" ]]; then - tagsManagerUpdateUniversalTag "$full_file_path" "SEARXNG_THEME_TAG" "$CFG_SEARXNG_THEME" - elif [[ "$app_name" == "speedtest" ]]; then - tagsProcessorSpeedtestPass "$full_file_path" "$CFG_SPEEDTEST_PASSWORD_ENABLED" "$CFG_SPEEDTEST_PASSWORD" - elif [[ "$app_name" == "vaultwarden" ]]; then - tagsManagerUpdateUniversalTag "$full_file_path" "VAULTWARDEN_ADMIN_TOKEN_TAG" "$CFG_VAULTWARDEN_ADMIN_TOKEN" - tagsManagerUpdateUniversalTag "$full_file_path" "VAULTWARDEN_SIGNUPS_ALLOWED_TAG" "$CFG_VAULTWARDEN_SIGNUPS_ALLOWED" - elif [[ "$app_name" == "wireguard" ]]; then - local bcrypt_hash - bcrypt_hash=$(hashPassword "$CFG_WIREGUARD_PASSWORD") - tagsManagerUpdateUniversalTag "$full_file_path" "WIREGUARD_PASSWORD_TAG" "$bcrypt_hash" - elif [[ "$app_name" == "gluetun" ]]; then - tagsManagerUpdateUniversalTag "$full_file_path" "GLUETUN_VPN_SERVICE_PROVIDER_TAG" "$CFG_GLUETUN_VPN_SERVICE_PROVIDER" - tagsManagerUpdateUniversalTag "$full_file_path" "GLUETUN_VPN_TYPE_TAG" "$CFG_GLUETUN_VPN_TYPE" - tagsManagerUpdateUniversalTag "$full_file_path" "GLUETUN_VPN_COUNTRIES_TAG" "$CFG_GLUETUN_VPN_COUNTRIES" - tagsManagerUpdateUniversalTag "$full_file_path" "GLUETUN_OPENVPN_USER_TAG" "$CFG_GLUETUN_OPENVPN_USER" - tagsManagerUpdateUniversalTag "$full_file_path" "GLUETUN_OPENVPN_PASSWORD_TAG" "$CFG_GLUETUN_OPENVPN_PASSWORD" - tagsManagerUpdateUniversalTag "$full_file_path" "GLUETUN_WIREGUARD_PRIVATE_KEY_TAG" "$CFG_GLUETUN_WIREGUARD_PRIVATE_KEY" - tagsManagerUpdateUniversalTag "$full_file_path" "GLUETUN_WIREGUARD_ADDRESSES_TAG" "$CFG_GLUETUN_WIREGUARD_ADDRESSES" - tagsManagerUpdateUniversalTag "$full_file_path" "GLUETUN_HEALTH_TARGETS_TAG" "${CFG_GLUETUN_HEALTH_TARGETS:-mullvad.net:443,eff.org:443}" - tagsManagerUpdateUniversalTag "$full_file_path" "GLUETUN_HEALTH_ICMP_IPS_TAG" "${CFG_GLUETUN_HEALTH_ICMP_IPS:-9.9.9.9}" 
- tagsProcessorGluetunForwardedPorts + # An app needing computed (non-CFG) compose tags ships + # containers//scripts/_compose_tags.sh defining + # appSetupComposeTags_ (live-sourced by the container scan; called + # with the compose path, reads host_setup/public_ip_v4/CFG_* from scope). + # Plain CFG__ values are already filled by + # tagsProcessorAppConfigValues above, so most apps need no hook. + local _tags_hook="appSetupComposeTags_${app_name}" + if declare -F "$_tags_hook" >/dev/null 2>&1; then + "$_tags_hook" "$full_file_path" fi ###############################################
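Review bot: The dispatch `"$_tags_hook" "$full_file_path"` ignores the hook's exit status, so a hook that fails part-way (for example the WireGuard hook if hashing fails) leaves placeholders unfilled while dockerConfigSetupFileWithData carries on. Consider `"$_tags_hook" "$full_file_path" || return 1`, or at least a logged warning. The comment block could also state the trust assumption: every `containers/*/scripts/*_compose_tags.sh` is sourced and run with the installer's privileges, so those directories must not be writable by less-privileged users. Note too that `$app_name` is used verbatim in the function name, so an app whose hook author spelled the suffix differently (say `-` versus `_`) is silently skipped rather than reported. The enclosing function starts and ends outside this hunk.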