initial env var ingestion for rev proxy configs

2026-03-28 08:56:32 +09:00 · 2025-09-02 15:16:05 -04:00
parent fb4ba0deb0
commit 5942cc2253
8 changed files with 584 additions and 0 deletions
--- a/root/app/config-generator/generate_configs.py
+++ b/root/app/config-generator/generate_configs.py
@@ -0,0 +1,153 @@
+import os
+import json
+import subprocess
+from jinja2 import Environment, FileSystemLoader
+
+# --- Configuration ---
+TEMPLATE_DIR = '/app/config-generator/templates'
+PROXY_OUTPUT_DIR = '/config/nginx/proxy-confs'
+DEFAULT_CONF_OUTPUT = '/config/nginx/site-confs/default.conf'
+HTPASSWD_FILE = '/config/nginx/.htpasswd'
+# ---------------------
+
+def process_service_config(service_name, service_config_json, global_auth_provider, auth_exclude_list):
+    """Processes a single service configuration, including auth logic."""
+    service_config = json.loads(service_config_json)
+    
+    # The default service doesn't have a subdomain name in the traditional sense
+    if service_name.lower() == 'default':
+        # We still need a target container name, let the user define it or raise an error
+        if 'name' not in service_config:
+             raise ValueError("PROXY_CONFIG_DEFAULT must contain a 'name' key specifying the target container name.")
+    else:
+        service_config['name'] = service_name
+
+    # --- Authentication Logic ---
+    auth_provider = 'none' # Default
+    # 1. Per-service override
+    if 'auth' in service_config:
+        auth_provider = service_config['auth']
+        print(f"    - Found per-service auth override: '{auth_provider}'")
+    # 2. Global provider check
+    elif global_auth_provider and service_name not in auth_exclude_list:
+        auth_provider = global_auth_provider
+        print(f"    - Applying global auth provider: '{auth_provider}'")
+    # 3. Otherwise, no auth
+    else:
+        if service_name in auth_exclude_list:
+                print(f"    - Service is in global exclude list. No auth.")
+        else:
+                print(f"    - No auth provider specified.")
+
+    service_config['auth_provider'] = auth_provider
+    return service_config
+
+def generate_configs():
+    """
+    Generates Nginx config files from PROXY_CONFIG environment variables and a Jinja2 template.
+    """
+    print("--- Starting Nginx Config Generation from Environment Variables ---")
+
+    # Ensure output directories exist
+    os.makedirs(PROXY_OUTPUT_DIR, exist_ok=True)
+    os.makedirs(os.path.dirname(DEFAULT_CONF_OUTPUT), exist_ok=True)
+    print(f"Output directories are ready.")
+
+    # Get global auth settings from environment variables
+    global_auth_provider = os.environ.get('PROXY_AUTH_PROVIDER')
+    auth_exclude_list = os.environ.get('PROXY_AUTH_EXCLUDE', '').split(',')
+    auth_exclude_list = [name.strip() for name in auth_exclude_list if name.strip()]
+
+    # Get basic auth credentials
+    basic_auth_user = os.environ.get('PROXY_AUTH_BASIC_USER')
+    basic_auth_pass = os.environ.get('PROXY_AUTH_BASIC_PASS')
+    basic_auth_configured = False
+
+    print(f"Global Auth Provider: {global_auth_provider}")
+    print(f"Auth Exclude List: {auth_exclude_list}")
+
+    # Collect and process service configurations
+    subdomain_services = []
+    default_service = None
+
+    for key, value in os.environ.items():
+        if key.startswith('PROXY_CONFIG_'):
+            service_name = key.replace('PROXY_CONFIG_', '').lower()
+            print(f"  Processing service: {service_name}")
+            print(value)
+            try:
+                service_config = process_service_config(service_name, value, global_auth_provider, auth_exclude_list)
+
+                # Handle Basic Auth File Creation
+                if service_config['auth_provider'] == 'basic' and not basic_auth_configured:
+                    if basic_auth_user and basic_auth_pass:
+                        print(f"    - Configuring Basic Auth with user '{basic_auth_user}'.")
+                        try:
+                            os.makedirs(os.path.dirname(HTPASSWD_FILE), exist_ok=True)
+                            command = ['htpasswd', '-bc', HTPASSWD_FILE, basic_auth_user, basic_auth_pass]
+                            subprocess.run(command, check=True, capture_output=True, text=True)
+                            print(f"    - Successfully created '{HTPASSWD_FILE}'.")
+                            basic_auth_configured = True
+                        except subprocess.CalledProcessError as e:
+                            print(f"    [!!] ERROR: 'htpasswd' command failed: {e.stderr}. Basic auth will not be enabled.")
+                            service_config['auth_provider'] = 'none'
+                        except FileNotFoundError:
+                            print(f"    [!!] ERROR: 'htpasswd' command not found. Basic auth will not be enabled.")
+                            service_config['auth_provider'] = 'none'
+                    else:
+                        print(f"    [!!] WARNING: 'auth: basic' is set, but PROXY_AUTH_BASIC_USER or PROXY_AUTH_BASIC_PASS is missing. Skipping auth.")
+                        service_config['auth_provider'] = 'none'
+                
+                if service_name == 'default':
+                    default_service = service_config
+                else:
+                    subdomain_services.append(service_config)
+
+            except (json.JSONDecodeError, ValueError) as e:
+                print(f"  [!!] ERROR: Could not parse or validate config for {service_name}: {e}. Skipping.")
+            except Exception as e:
+                print(f"  [!!] ERROR: An unexpected error occurred processing {service_name}: {e}. Skipping.")
+
+    # Set up Jinja2 environment
+    try:
+        env = Environment(loader=FileSystemLoader(TEMPLATE_DIR), trim_blocks=True, lstrip_blocks=True)
+        proxy_template = env.get_template('proxy.conf.j2')
+        default_template = env.get_template('default.conf.j2')
+        print("\nJinja2 templates loaded successfully.")
+    except Exception as e:
+        print(f"ERROR: Failed to load Jinja2 templates from '{TEMPLATE_DIR}': {e}. Exiting.")
+        return
+
+    # Generate default site config if specified
+    if default_service:
+        print("\n--- Generating Default Site Config ---")
+        try:
+            rendered_content = default_template.render(item=default_service)
+            with open(DEFAULT_CONF_OUTPUT, 'w') as f:
+                f.write(rendered_content)
+            print(f"  [OK] Generated {os.path.basename(DEFAULT_CONF_OUTPUT)}")
+        except Exception as e:
+            print(f"  [!!] ERROR: Failed to render or write default config: {e}")
+    else:
+        print("\n--- PROXY_CONFIG_DEFAULT not set, default site config will not be generated. ---")
+
+
+    # Generate subdomain proxy configs
+    print("\n--- Generating Subdomain Proxy Configs ---")
+    if not subdomain_services:
+        print("No subdomain services found to configure.")
+    for service in subdomain_services:
+        filename = f"{service['name']}.subdomain.conf"
+        output_path = os.path.join(PROXY_OUTPUT_DIR, filename)
+        try:
+            rendered_content = proxy_template.render(item=service)
+            with open(output_path, 'w') as f:
+                f.write(rendered_content)
+            print(f"  [OK] Generated {filename}")
+        except Exception as e:
+            print(f"  [!!] ERROR: Failed to render or write config for {service['name']}: {e}")
+
+    print("\n--- Generation Complete ---")
+
+if __name__ == "__main__":
+    generate_configs()
--- a/root/app/config-generator/templates/default.conf.j2
+++ b/root/app/config-generator/templates/default.conf.j2
@@ -0,0 +1,103 @@
+## Version 2025/08/28
+# THIS FILE IS AUTO-GENERATED BY THE CONTAINER. DO NOT EDIT.
+#
+# This is the default server block, handling requests to the root domain.
+
+# redirect all traffic to https
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# main server block
+server {
+    listen 443 ssl default_server;
+{% if item.quic %}
+    listen 443 quic reuseport default_server;
+{% else %}
+#    listen 443 quic reuseport default_server;
+{% endif %}
+    listen [::]:443 ssl default_server;
+{% if item.quic %}
+    listen [::]:443 quic reuseport default_server;
+{% else %}
+#    listen [::]:443 quic reuseport default_server;
+{% endif %}
+
+    server_name _;
+
+    include /config/nginx/ssl.conf;
+
+    client_max_body_size {{ item.client_max_body_size | default('0') }};
+{% if item.proxy_redirect_off %}
+    proxy_redirect off;
+{% endif %}
+{% if item.buffering_off %}
+    proxy_buffering off;
+{% endif %}
+
+{% if item.auth_provider and item.auth_provider not in ['none', 'basic'] %}
+    # enable for {{ item.auth_provider }}
+    include /config/nginx/{{ item.auth_provider }}-server.conf;
+{% endif %}
+
+    location / {
+{% if item.auth_provider == 'basic' %}
+        # enable for basic auth
+        auth_basic "Restricted";
+        auth_basic_user_file /config/nginx/.htpasswd;
+{% elif item.auth_provider and item.auth_provider != 'none' %}
+        # enable for {{ item.auth_provider }}
+        include /config/nginx/{{ item.auth_provider }}-location.conf;
+{% else %}
+        # No authentication enabled for this service.
+{% endif %}
+
+        include /config/nginx/proxy.conf;
+        include /config/nginx/resolver.conf;
+        set $upstream_app {{ item.name }};
+        set $upstream_port {{ item.port }};
+        set $upstream_proto {% if item.https %}https{% else %}http{% endif %};
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+{% if item.proxy_set_headers %}
+{% for header in item.proxy_set_headers %}
+        proxy_set_header {{ header.key }} {{ header.value }};
+{% endfor %}
+{% endif %}
+{% if item.custom_directives %}
+{% for directive in item.custom_directives %}
+        {{ directive }};
+{% endfor %}
+{% endif %}
+    }
+
+{% if item.extra_locations %}
+{% for loc in item.extra_locations %}
+    location {{ loc.path }} {
+        include /config/nginx/proxy.conf;
+        include /config/nginx/resolver.conf;
+        set $upstream_app {{ loc.app | default(item.name) }};
+        set $upstream_port {{ loc.port | default(item.port) }};
+        set $upstream_proto {% if loc.https %}https{% elif item.https and loc.https is not defined %}https{% else %}http{% endif %};
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port{% if loc.proxy_pass_path %}{{ loc.proxy_pass_path }}{% endif %};
+{% if loc.proxy_set_headers %}
+{% for header in loc.proxy_set_headers %}
+        proxy_set_header {{ header.key }} {{ header.value }};
+{% endfor %}
+{% endif %}
+{% if loc.custom_directives %}
+{% for directive in loc.custom_directives %}
+        {{ directive }};
+{% endfor %}
+{% endif %}
+    }
+{% endfor %}
+{% endif %}
+}
+
+# enable subdomain method reverse proxy confs
+include /config/nginx/proxy-confs/*.conf;
--- a/root/app/config-generator/templates/proxy.conf.j2
+++ b/root/app/config-generator/templates/proxy.conf.j2
@@ -0,0 +1,141 @@
+## Version 2025/08/28
+# THIS FILE IS AUTO-GENERATED BY THE CONTAINER. DO NOT EDIT.
+#
+# make sure that your {{ item.name }} container is named {{ item.name }}
+# make sure that your dns has a cname set for {{ item.name }}
+
+server {
+    listen 443 ssl;
+{% if item.quic %}
+    listen 443 quic reuseport;
+{% else %}
+#    listen 443 quic reuseport;
+{% endif %}
+    listen [::]:443 ssl;
+{% if item.quic %}
+    listen [::]:443 quic reuseport;
+{% else %}
+#    listen [::]:443 quic reuseport;
+{% endif %}
+
+    server_name {{ item.name }}.*;
+
+    include /config/nginx/ssl.conf;
+
+    client_max_body_size {{ item.client_max_body_size | default('0') }};
+{% if item.proxy_redirect_off %}
+    proxy_redirect off;
+{% endif %}
+{% if item.buffering_off %}
+    proxy_buffering off;
+{% endif %}
+
+{% if item.auth_provider and item.auth_provider not in ['none', 'basic'] %}
+    # enable for {{ item.auth_provider }}
+    include /config/nginx/{{ item.auth_provider }}-server.conf;
+{% endif %}
+
+    location / {
+{% if item.auth_provider == 'basic' %}
+        # enable for basic auth
+        auth_basic "Restricted";
+        auth_basic_user_file /config/nginx/.htpasswd;
+{% elif item.auth_provider and item.auth_provider != 'none' %}
+        # enable for {{ item.auth_provider }}
+        include /config/nginx/{{ item.auth_provider }}-location.conf;
+{% else %}
+        # No authentication enabled for this service.
+{% endif %}
+
+        include /config/nginx/proxy.conf;
+        include /config/nginx/resolver.conf;
+        set $upstream_app {{ item.name }};
+        set $upstream_port {{ item.port }};
+        set $upstream_proto {% if item.https %}https{% else %}http{% endif %};
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+{% if item.hide_xframe %}
+        proxy_hide_header X-Frame-Options;
+{% endif %}
+{% if item.iframe_friendly %}
+        # Uncomment to allow loading in an iframe (i.e. Organizr)
+        #proxy_hide_header X-Frame-Options;
+{% endif %}
+{% if item.hide_x_forwarded_port %}
+        # Hide proxy port to prevent CSRF errors
+        proxy_hide_header X-Forwarded-Port;
+{% endif %}
+{% if item.set_x_scheme %}
+        proxy_set_header X-Scheme https;
+{% endif %}
+{% if item.websockets %}
+        proxy_buffering off;
+        proxy_socket_keepalive on;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
+        proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
+        proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;
+{% endif %}
+{% if item.proxy_pass_headers %}
+{% for header in item.proxy_pass_headers %}
+        proxy_pass_header {{ header }};
+{% endfor %}
+{% endif %}
+{% if item.proxy_set_headers %}
+{% for header in item.proxy_set_headers %}
+        proxy_set_header {{ header.key }} {{ header.value }};
+{% endfor %}
+{% endif %}
+{% if item.proxy_hide_headers %}
+{% for header in item.proxy_hide_headers %}
+        proxy_hide_header {{ header }};
+{% endfor %}
+{% endif %}
+{% if item.add_headers %}
+{% for header in item.add_headers %}
+        add_header {{ header.key }} "{{ header.value }}";
+{% endfor %}
+{% endif %}
+{% if item.custom_directives %}
+{% for directive in item.custom_directives %}
+        {{ directive }};
+{% endfor %}
+{% endif %}
+    }
+{% if item.api %}
+    location ~ (?:/{{ item.name }})?/api {
+        include /config/nginx/proxy.conf;
+        include /config/nginx/resolver.conf;
+        set $upstream_app {{ item.name }};
+        set $upstream_port {{ item.port }};
+        set $upstream_proto {% if item.https %}https{% else %}http{% endif %};
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+    }
+{% endif %}
+{% if item.extra_locations %}
+{% for loc in item.extra_locations %}
+    location ~ (?:/{{ item.name }})?{{ loc.path }} {
+        include /config/nginx/proxy.conf;
+        include /config/nginx/resolver.conf;
+        set $upstream_app {{ loc.app | default(item.name) }};
+        set $upstream_port {{ loc.port | default(item.port) }};
+        set $upstream_proto {% if loc.https %}https{% elif item.https and loc.https is not defined %}https{% else %}http{% endif %};
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port{% if loc.proxy_pass_path %}{{ loc.proxy_pass_path }}{% endif %};
+{% if loc.proxy_set_headers %}
+{% for header in loc.proxy_set_headers %}
+        proxy_set_header {{ header.key }} {{ header.value }};
+{% endfor %}
+{% endif %}
+{% if loc.proxy_hide_headers %}
+{% for header in loc.proxy_hide_headers %}
+        proxy_hide_header {{ header }};
+{% endfor %}
+{% endif %}
+{% if loc.custom_directives %}
+{% for directive in loc.custom_directives %}
+        {{ directive }};
+{% endfor %}
+{% endif %}
+    }
+{% endfor %}
+{% endif %}
+}
--- a/root/etc/s6-overlay/s6-rc.d/init-swag-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-swag-config/run
@@ -42,3 +42,20 @@ fi
 if [[ ! -f /config/nginx/ldap-server.conf ]]; then
    cp /defaults/nginx/ldap-server.conf.sample /config/nginx/ldap-server.conf
 fi
+
+# check if any PROXY_CONFIG environment variables are set
+if env | grep -q "^PROXY_CONFIG_"; then
+    echo "INFO: Found PROXY_CONFIG environment variables. Generating Nginx configs from environment..."
+    # clean the target directory to ensure a fresh start
+    echo "INFO: Cleaning /config/nginx/proxy-confs/ of existing files..."
+    rm -f /config/nginx/proxy-confs/*
+    # run the Python generator script
+    echo "INFO: Running python config generator..."
+    if ! python3 /app/config-generator/generate_configs.py; then
+        echo "ERROR: The python config generator script failed. Please check the logs above. Container will not start."
+        exit 1
+    fi
+    echo "INFO: Config generation complete."
+else
+    echo "INFO: No PROXY_CONFIG variables found. User is expected to manage /config/nginx/proxy-confs/ manually."
+fi