Refactor gateway config and token management in run.sh
Refactor gateway configuration generation and improve token handling.
This commit is contained in:
+45
-46
@@ -131,53 +131,46 @@ if [ "$GW_BIND" = "lan" ] && [ -z "$GW_TOKEN" ]; then
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Build auth JSON: prefer fixed token (required for ingress proxy to work reliably)
|
GW_AUTH_BLOCK="auth: { mode: \"token\", token: \"${GW_TOKEN}\" }"
|
||||||
AUTH_TOKEN="$GW_TOKEN"
|
if [ -z "$GW_TOKEN" ]; then
|
||||||
|
# Let doctor generate one (loopback-only is still protected by local access)
|
||||||
# Write Clawdbot gateway config (strict JSON) into the expected location.
|
GW_AUTH_BLOCK="auth: { mode: \"token\" }"
|
||||||
# Use jq (available in the image) to avoid JSON5 syntax.
|
|
||||||
if [ -n "${ALLOW_FROM_JSON:-}" ]; then
|
|
||||||
ALLOW_FROM_ARG="--argjson allowFrom ${ALLOW_FROM_JSON}"
|
|
||||||
else
|
|
||||||
ALLOW_FROM_ARG=""
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# shellcheck disable=SC2086
|
# Write Clawdbot gateway config (JSON5) into the expected location.
|
||||||
jq -n \
|
cat > /config/.clawdbot/clawdbot.json <<EOF
|
||||||
--arg modelPrimary "$MODEL_PRIMARY" \
|
{
|
||||||
--arg botToken "$BOT_TOKEN" \
|
discovery: { wideArea: { enabled: false } },
|
||||||
--arg dmPolicy "$DM_POLICY" \
|
|
||||||
--arg bind "$GW_BIND" \
|
|
||||||
--argjson port "$GW_PORT" \
|
|
||||||
--arg token "$AUTH_TOKEN" \
|
|
||||||
$ALLOW_FROM_ARG \
|
|
||||||
'
|
|
||||||
def maybeAllowFrom: if (has("allowFrom") and (.allowFrom|type=="array") and (.allowFrom|length>0)) then {allowFrom: .allowFrom} else {} end;
|
|
||||||
def maybeToken: if (.token|length)>0 then {auth:{mode:"token", token:.token}} else {auth:{mode:"token"}} end;
|
|
||||||
|
|
||||||
{
|
gateway: {
|
||||||
|
mode: "local",
|
||||||
|
bind: "${GW_BIND}",
|
||||||
|
port: ${GW_PORT},
|
||||||
|
controlUi: { allowInsecureAuth: true },
|
||||||
|
${GW_AUTH_BLOCK}
|
||||||
|
},
|
||||||
agents: {
|
agents: {
|
||||||
defaults: {
|
defaults: {
|
||||||
model: {primary: $modelPrimary},
|
|
||||||
models: {($modelPrimary): {}},
|
|
||||||
workspace: "/config/clawd",
|
workspace: "/config/clawd",
|
||||||
maxConcurrent: 4,
|
model: { primary: "${MODEL_PRIMARY}" },
|
||||||
subagents: {maxConcurrent: 8}
|
models: {
|
||||||
},
|
"${MODEL_PRIMARY}": {}
|
||||||
list: [{id:"main"}]
|
|
||||||
},
|
|
||||||
commands: {native:"auto", nativeSkills:"auto"},
|
|
||||||
channels: {
|
|
||||||
telegram: (
|
|
||||||
{enabled:true, botToken:$botToken, dmPolicy:$dmPolicy} + maybeAllowFrom
|
|
||||||
)
|
|
||||||
},
|
|
||||||
gateway: (
|
|
||||||
{mode:"local", bind:$bind, port:$port, controlUi:{allowInsecureAuth:true}} + maybeToken
|
|
||||||
),
|
|
||||||
discovery: {wideArea:{enabled:false}}
|
|
||||||
}
|
}
|
||||||
' > /config/.clawdbot/clawdbot.json
|
},
|
||||||
|
list: [
|
||||||
|
{ id: "main" }
|
||||||
|
]
|
||||||
|
},
|
||||||
|
channels: {
|
||||||
|
telegram: {
|
||||||
|
enabled: true,
|
||||||
|
botToken: "${BOT_TOKEN}",
|
||||||
|
dmPolicy: "${DM_POLICY}"${ALLOW_FROM_RAW:+,
|
||||||
|
allowFrom: ${ALLOW_FROM_JSON}}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
|
||||||
echo "Model primary=${MODEL_PRIMARY}"
|
echo "Model primary=${MODEL_PRIMARY}"
|
||||||
echo "Gateway bind=${GW_BIND} port=${GW_PORT} token=${GW_TOKEN:+(set)}${GW_TOKEN:-(auto)}"
|
echo "Gateway bind=${GW_BIND} port=${GW_PORT} token=${GW_TOKEN:+(set)}${GW_TOKEN:-(auto)}"
|
||||||
@@ -286,12 +279,18 @@ fi
|
|||||||
# Render nginx config from template with the gateway token.
|
# Render nginx config from template with the gateway token.
|
||||||
# NOTE: This intentionally exposes the token in the browser URL via a redirect.
|
# NOTE: This intentionally exposes the token in the browser URL via a redirect.
|
||||||
# This matches Clawdbot Control UI's current expectations.
|
# This matches Clawdbot Control UI's current expectations.
|
||||||
if [ -z "$GW_TOKEN" ]; then
|
GW_TOKEN="$GW_TOKEN" python3 - <<'PY'
|
||||||
echo "WARN: gateway_token is empty; ingress UI will redirect with an empty token and Control UI will not authenticate."
|
import os
|
||||||
fi
|
from pathlib import Path
|
||||||
# Escape token for sed replacement
|
|
||||||
ESC_TOKEN=$(printf '%s' "$GW_TOKEN" | sed -e 's/[\\&|]/\\\\&/g')
|
tpl = Path('/etc/nginx/nginx.conf.tpl').read_text()
|
||||||
sed -e "s|__GATEWAY_TOKEN__|${ESC_TOKEN}|g" /etc/nginx/nginx.conf.tpl > /etc/nginx/nginx.conf
|
token = os.environ.get('GW_TOKEN','')
|
||||||
|
if not token:
|
||||||
|
print('WARN: gateway_token is empty; ingress UI will redirect with an empty token and Control UI will not authenticate.')
|
||||||
|
|
||||||
|
conf = tpl.replace('__GATEWAY_TOKEN__', token)
|
||||||
|
Path('/etc/nginx/nginx.conf').write_text(conf)
|
||||||
|
PY
|
||||||
|
|
||||||
echo "Starting ingress proxy (nginx) on :8099 ..."
|
echo "Starting ingress proxy (nginx) on :8099 ..."
|
||||||
nginx -g 'daemon off;' &
|
nginx -g 'daemon off;' &
|
||||||
|
|||||||
Reference in New Issue
Block a user