Last app-specific bits out of central infra (from the per-app audit):
- traefik middleware: replace the hardcoded onlyoffice/owncloud exclude-list +
onlyoffice-headers special-case (in traefik_middlewares.sh AND
traefik_port_middlewares.sh) with two per-app hooks an app ships in
containers/<app>/scripts/<app>_traefik.sh:
appTraefikSkipsDefaultMiddleware_<app> (marker: opt out of default@file)
appTraefikExtraMiddlewares_<app> (echo extra middleware entries)
onlyoffice defines both; owncloud defines the skip marker. Two narrow hooks
(not one clever one) so behavior — incl. the different onlyoffice-headers
ordering between the two files — is preserved exactly. Verified with stubs:
identical middleware strings across normal/onlyoffice/owncloud × authelia/wl.
- moneyapp: add a placeholder icon (geometric banknote SVG, 512x512) so it no
longer falls back to default.svg in the WebUI.
Central traefik/compose code is now app-agnostic.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
83 lines
3.4 KiB
Bash
83 lines
3.4 KiB
Bash
#!/bin/bash
|
|
|
|
# Per-port Traefik middleware writer.
|
|
#
|
|
# The legacy traefikSetupLabelsMiddlewares + MIDDLEWARE_TAG path treats login
|
|
# protection as a whole-app flag, which falls apart for apps that expose
|
|
# multiple HTTP routes (one needs auth, another doesn't) and for the Traefik
|
|
# dashboard which routes to api@internal rather than a container port.
|
|
#
|
|
# This processor walks the parsed port arrays from initializeAppVariables and
|
|
# stamps a separate MIDDLEWARE_TAG_<i> per port that has traefik=true. The
|
|
# per-port login_required column controls whether protectionAuth@file is
|
|
# included.
|
|
#
|
|
# Auth precedence: when Authelia is enabled and installed, it takes the auth
|
|
# slot and basic-auth (protectionAuth) is skipped — chaining both means the
|
|
# user gets two login prompts back-to-back, which is bad UX, not extra
|
|
# security. IP whitelist + auth still compose normally (network filter +
|
|
# identity check are layered concerns).
|
|
tagsProcessorPortMiddlewares()
|
|
{
|
|
local file="$1"
|
|
local app_name="$2"
|
|
|
|
if [[ -z "$file" || -z "$app_name" ]]; then
|
|
return 0
|
|
fi
|
|
|
|
# Apps opt out of the default middleware chain via a per-app hook
|
|
# (containers/<app>/scripts/<app>_traefik.sh defines
|
|
# appTraefikSkipsDefaultMiddleware_<app>) — e.g. onlyoffice / owncloud, which
|
|
# do their own routing.
|
|
local include_default="true"
|
|
declare -F "appTraefikSkipsDefaultMiddleware_${app_name}" >/dev/null 2>&1 && include_default="false"
|
|
|
|
local count=${#port_service_names[@]}
|
|
local i=0
|
|
while [[ $i -lt $count ]]; do
|
|
local idx=$((i + 1))
|
|
local p_traefik="${port_traefik_managed[$i]}"
|
|
local p_login="${port_login_requireds[$i]}"
|
|
|
|
if [[ "$p_traefik" == "true" ]]; then
|
|
local mw=()
|
|
[[ "$include_default" == "true" ]] && mw+=("default@file")
|
|
[[ "$whitelist" == "true" ]] && mw+=("global-ipwhitelist@file")
|
|
|
|
# Authelia precedence: if authelia is on AND installed, it owns
|
|
# the auth slot. protectionAuth is dropped even when login=true.
|
|
if [[ "$authelia_setup" == "true" ]] \
|
|
&& [[ $(dockerCheckAppInstalled "authelia" "docker") == "installed" ]]; then
|
|
mw+=("authelia@docker")
|
|
elif [[ "$p_login" == "true" ]]; then
|
|
mw+=("protectionAuth@file")
|
|
fi
|
|
|
|
# CrowdSec bouncer: HTTP-layer ban filter in front of every public
|
|
# route. Auto-attached when CrowdSec is installed on the host AND
|
|
# the global toggle is not "false". Per-app opt-out:
|
|
# CFG_<APP>_CROWDSEC_DISABLE=true.
|
|
local app_crowdsec_disable_var="CFG_${app_name^^}_CROWDSEC_DISABLE"
|
|
if [[ "${CFG_CROWDSEC_BOUNCER:-true}" == "true" ]] \
|
|
&& [[ "${!app_crowdsec_disable_var:-false}" != "true" ]] \
|
|
&& command -v cscli >/dev/null 2>&1; then
|
|
mw+=("crowdsec-bouncer@file")
|
|
fi
|
|
|
|
# App-specific extras (e.g. onlyoffice-headers) via the per-app hook.
|
|
if declare -F "appTraefikExtraMiddlewares_${app_name}" >/dev/null 2>&1; then
|
|
local _mw
|
|
while IFS= read -r _mw; do
|
|
[[ -n "$_mw" ]] && mw+=("$_mw")
|
|
done < <("appTraefikExtraMiddlewares_${app_name}")
|
|
fi
|
|
|
|
local joined; joined=$(IFS=,; echo "${mw[*]}")
|
|
tagsManagerUpdateUniversalTag "$file" "MIDDLEWARE_TAG_${idx}" "$joined"
|
|
fi
|
|
|
|
((i++))
|
|
done
|
|
}
|