feat: Add nginx configuration rendering and HTTPS proxy support

- Introduced a new script `render_nginx.py` to generate nginx configuration and landing page HTML from templates based on environment variables.
- Updated `run.sh` to handle new access modes and configure HTTPS proxy settings for the gateway.
- Implemented TLS certificate generation for the built-in HTTPS proxy in `lan_https` mode.
- Enhanced disk usage reporting in the landing page.
- Updated translations for various languages to include new configuration options for access modes and authentication modes.
This commit is contained in:
techartdev
2026-02-23 10:07:25 +02:00
parent 9d0332a36a
commit 22c7d8ff4f
16 changed files with 1321 additions and 178 deletions
+22 -8
View File
@@ -66,23 +66,34 @@ options:
# - loopback: bind to 127.0.0.1 only (local access only, most secure)
# - lan: bind to all interfaces (accessible from local network)
# - tailnet: bind to Tailscale IP only (accessible only via Tailscale — recommended for remote access)
# - auto: prefer loopback; use tailnet if Tailscale is available
# Default is loopback for security.
gateway_bind_mode: loopback
# Gateway port to listen on
gateway_port: 18789
# Access mode preset — simplifies secure access configuration.
# custom: use individual gateway_bind_mode / auth_mode settings (backward compatible)
# local_only: loopback + token auth (Ingress / terminal only, most secure)
# lan_https: Built-in HTTPS reverse proxy for LAN access (recommended for phones/tablets)
# lan_reverse_proxy: LAN bind + trusted-proxy for an external reverse proxy (NPM, Caddy, …)
# tailnet_https: Tailscale interface bind + token auth
access_mode: custom
# Gateway authentication mode:
# - token: standard token auth (default)
# - trusted-proxy: trust auth headers from configured reverse proxies
gateway_auth_mode: token
# Comma-separated trusted proxy IP/CIDR list for trusted-proxy mode.
# Example: "127.0.0.1,192.168.88.0/24"
gateway_trusted_proxies: ""
# Enable OpenAI-compatible Chat Completions API endpoint
# When enabled, OpenClaw can be used as a conversation agent in HA Assist pipeline
# via Extended OpenAI Conversation (HACS) or any OpenAI-compatible client
enable_openai_api: false
# Allow insecure HTTP authentication (required for HTTP gateway access on LAN)
# WARNING: Only enable if you're using HTTP (not HTTPS) for gateway_public_url
# Default is false for security.
allow_insecure_auth: false
# Force IPv4-first DNS result ordering for Node fetch/network calls.
# Useful on networks where IPv6 resolution exists but IPv6 egress is broken
# (can affect Telegram API polling in some HAOS/VM setups).
@@ -104,8 +115,11 @@ schema:
clean_session_locks_on_start: bool?
clean_session_locks_on_exit: bool?
gateway_mode: list(local|remote)?
gateway_bind_mode: list(auto|loopback|lan|tailnet)?
gateway_bind_mode: list(loopback|lan|tailnet)?
gateway_port: int(1,65535)?
access_mode: list(custom|local_only|lan_https|lan_reverse_proxy|tailnet_https)?
gateway_auth_mode: list(token|trusted-proxy)?
gateway_trusted_proxies: str?
enable_openai_api: bool?
allow_insecure_auth: bool?
force_ipv4_dns: bool?