HA add-on: support telegram allowlist (skip pairing)

This commit is contained in:
TheLast
2026-01-27 21:10:32 +02:00
parent caf6681e6a
commit 8a32e304c9
2 changed files with 25 additions and 2 deletions
+4
View File
@@ -16,6 +16,9 @@ map:
options: options:
telegram_bot_token: "" telegram_bot_token: ""
timezone: "Europe/Sofia" timezone: "Europe/Sofia"
# Optional: lock DMs to specific Telegram user ids (comma-separated).
# If set, add-on will use dmPolicy=allowlist and allowFrom=<ids>.
telegram_allow_from: ""
homeassistant_token: "" homeassistant_token: ""
mikrotik_host: "192.168.88.1" mikrotik_host: "192.168.88.1"
mikrotik_ssh_user: "papur" mikrotik_ssh_user: "papur"
@@ -23,6 +26,7 @@ options:
schema: schema:
telegram_bot_token: str telegram_bot_token: str
timezone: str timezone: str
telegram_allow_from: str?
homeassistant_token: str? homeassistant_token: str?
mikrotik_host: str mikrotik_host: str
mikrotik_ssh_user: str mikrotik_ssh_user: str
+21 -2
View File
@@ -11,6 +11,7 @@ fi
BOT_TOKEN=$(jq -r '.telegram_bot_token // empty' "$OPTIONS_FILE") BOT_TOKEN=$(jq -r '.telegram_bot_token // empty' "$OPTIONS_FILE")
TZNAME=$(jq -r '.timezone // "Europe/Sofia"' "$OPTIONS_FILE") TZNAME=$(jq -r '.timezone // "Europe/Sofia"' "$OPTIONS_FILE")
ALLOW_FROM_RAW=$(jq -r '.telegram_allow_from // empty' "$OPTIONS_FILE")
HA_TOKEN=$(jq -r '.homeassistant_token // empty' "$OPTIONS_FILE") HA_TOKEN=$(jq -r '.homeassistant_token // empty' "$OPTIONS_FILE")
MT_HOST=$(jq -r '.mikrotik_host // "192.168.88.1"' "$OPTIONS_FILE") MT_HOST=$(jq -r '.mikrotik_host // "192.168.88.1"' "$OPTIONS_FILE")
MT_USER=$(jq -r '.mikrotik_ssh_user // "papur"' "$OPTIONS_FILE") MT_USER=$(jq -r '.mikrotik_ssh_user // "papur"' "$OPTIONS_FILE")
@@ -35,8 +36,23 @@ if [ -n "$HA_TOKEN" ]; then
printf '%s' "$HA_TOKEN" > /data/secrets/homeassistant.token printf '%s' "$HA_TOKEN" > /data/secrets/homeassistant.token
fi fi
# Decide Telegram DM access policy.
# If telegram_allow_from is set (comma-separated user ids), we use allowlist mode.
DM_POLICY="pairing"
ALLOW_FROM_JSON=""
if [ -n "$ALLOW_FROM_RAW" ]; then
DM_POLICY="allowlist"
# convert "1,2, 3" -> ["1","2","3"]
ALLOW_FROM_JSON=$(python3 - <<'PY'
import os,json
raw=os.environ.get('ALLOW_FROM_RAW','')
ids=[s.strip() for s in raw.split(',') if s.strip()]
print(json.dumps(ids))
PY
)
fi
# Write Clawdbot gateway config (JSON5) into the expected location. # Write Clawdbot gateway config (JSON5) into the expected location.
# Use pairing for DMs by default; no hardcoded chat allowlist needed.
cat > /data/.clawdbot/clawdbot.json <<EOF cat > /data/.clawdbot/clawdbot.json <<EOF
{ {
gateway: { mode: "local" }, gateway: { mode: "local" },
@@ -52,12 +68,15 @@ cat > /data/.clawdbot/clawdbot.json <<EOF
telegram: { telegram: {
enabled: true, enabled: true,
botToken: "${BOT_TOKEN}", botToken: "${BOT_TOKEN}",
dmPolicy: "pairing" dmPolicy: "${DM_POLICY}"${ALLOW_FROM_RAW:+,
allowFrom: ${ALLOW_FROM_JSON}}
} }
} }
} }
EOF EOF
echo "Telegram dmPolicy=${DM_POLICY}${ALLOW_FROM_RAW:+ (allowFrom=${ALLOW_FROM_RAW})}"
# Connectivity sanity checks (do NOT print the token) # Connectivity sanity checks (do NOT print the token)
echo "Sanity check: DNS + Telegram API reachability" echo "Sanity check: DNS + Telegram API reachability"
if curl -fsS --max-time 10 https://api.telegram.org/ >/dev/null; then if curl -fsS --max-time 10 https://api.telegram.org/ >/dev/null; then