LibrePortal/scripts/network/traefik/traefik_port_middlewares.sh
librelad 196b8e1dc8 refactor(traefik): per-app middleware hooks + moneyapp placeholder icon
Last app-specific bits out of central infra (from the per-app audit):

- traefik middleware: replace the hardcoded onlyoffice/owncloud exclude-list +
  onlyoffice-headers special-case (in traefik_middlewares.sh AND
  traefik_port_middlewares.sh) with two per-app hooks an app ships in
  containers/<app>/scripts/<app>_traefik.sh:
    appTraefikSkipsDefaultMiddleware_<app>  (marker: opt out of default@file)
    appTraefikExtraMiddlewares_<app>        (echo extra middleware entries)
  onlyoffice defines both; owncloud defines the skip marker. Two narrow hooks
  (not one clever one) so behavior — incl. the different onlyoffice-headers
  ordering between the two files — is preserved exactly. Verified with stubs:
  identical middleware strings across normal/onlyoffice/owncloud × authelia/wl.

- moneyapp: add a placeholder icon (geometric banknote SVG, 512x512) so it no
  longer falls back to default.svg in the WebUI.

Central traefik/compose code is now app-agnostic.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-26 01:07:14 +01:00

83 lines
3.4 KiB
Bash

#!/bin/bash
# Per-port Traefik middleware writer.
#
# The legacy traefikSetupLabelsMiddlewares + MIDDLEWARE_TAG path treats login
# protection as a whole-app flag, which falls apart for apps that expose
# multiple HTTP routes (one needs auth, another doesn't) and for the Traefik
# dashboard which routes to api@internal rather than a container port.
#
# This processor walks the parsed port arrays from initializeAppVariables and
# stamps a separate MIDDLEWARE_TAG_<i> per port that has traefik=true. The
# per-port login_required column controls whether protectionAuth@file is
# included.
#
# Auth precedence: when Authelia is enabled and installed, it takes the auth
# slot and basic-auth (protectionAuth) is skipped — chaining both means the
# user gets two login prompts back-to-back, which is bad UX, not extra
# security. IP whitelist + auth still compose normally (network filter +
# identity check are layered concerns).
tagsProcessorPortMiddlewares()
{
local file="$1"
local app_name="$2"
if [[ -z "$file" || -z "$app_name" ]]; then
return 0
fi
# Apps opt out of the default middleware chain via a per-app hook
# (containers/<app>/scripts/<app>_traefik.sh defines
# appTraefikSkipsDefaultMiddleware_<app>) — e.g. onlyoffice / owncloud, which
# do their own routing.
local include_default="true"
declare -F "appTraefikSkipsDefaultMiddleware_${app_name}" >/dev/null 2>&1 && include_default="false"
local count=${#port_service_names[@]}
local i=0
while [[ $i -lt $count ]]; do
local idx=$((i + 1))
local p_traefik="${port_traefik_managed[$i]}"
local p_login="${port_login_requireds[$i]}"
if [[ "$p_traefik" == "true" ]]; then
local mw=()
[[ "$include_default" == "true" ]] && mw+=("default@file")
[[ "$whitelist" == "true" ]] && mw+=("global-ipwhitelist@file")
# Authelia precedence: if authelia is on AND installed, it owns
# the auth slot. protectionAuth is dropped even when login=true.
if [[ "$authelia_setup" == "true" ]] \
&& [[ $(dockerCheckAppInstalled "authelia" "docker") == "installed" ]]; then
mw+=("authelia@docker")
elif [[ "$p_login" == "true" ]]; then
mw+=("protectionAuth@file")
fi
# CrowdSec bouncer: HTTP-layer ban filter in front of every public
# route. Auto-attached when CrowdSec is installed on the host AND
# the global toggle is not "false". Per-app opt-out:
# CFG_<APP>_CROWDSEC_DISABLE=true.
local app_crowdsec_disable_var="CFG_${app_name^^}_CROWDSEC_DISABLE"
if [[ "${CFG_CROWDSEC_BOUNCER:-true}" == "true" ]] \
&& [[ "${!app_crowdsec_disable_var:-false}" != "true" ]] \
&& command -v cscli >/dev/null 2>&1; then
mw+=("crowdsec-bouncer@file")
fi
# App-specific extras (e.g. onlyoffice-headers) via the per-app hook.
if declare -F "appTraefikExtraMiddlewares_${app_name}" >/dev/null 2>&1; then
local _mw
while IFS= read -r _mw; do
[[ -n "$_mw" ]] && mw+=("$_mw")
done < <("appTraefikExtraMiddlewares_${app_name}")
fi
local joined; joined=$(IFS=,; echo "${mw[*]}")
tagsManagerUpdateUniversalTag "$file" "MIDDLEWARE_TAG_${idx}" "$joined"
fi
((i++))
done
}