Refactor gateway config and token management in run.sh

Refactor gateway configuration generation and improve token handling.
This commit is contained in:
TechArtDev
2026-01-29 18:41:35 +02:00
committed by GitHub
parent 6bebc0de82
commit 9b072e8b5a
+47 -48
View File
@@ -131,53 +131,46 @@ if [ "$GW_BIND" = "lan" ] && [ -z "$GW_TOKEN" ]; then
exit 1 exit 1
fi fi
# Build auth JSON: prefer fixed token (required for ingress proxy to work reliably) GW_AUTH_BLOCK="auth: { mode: \"token\", token: \"${GW_TOKEN}\" }"
AUTH_TOKEN="$GW_TOKEN" if [ -z "$GW_TOKEN" ]; then
# Let doctor generate one (loopback-only is still protected by local access)
# Write Clawdbot gateway config (strict JSON) into the expected location. GW_AUTH_BLOCK="auth: { mode: \"token\" }"
# Use jq (available in the image) to avoid JSON5 syntax.
if [ -n "${ALLOW_FROM_JSON:-}" ]; then
ALLOW_FROM_ARG="--argjson allowFrom ${ALLOW_FROM_JSON}"
else
ALLOW_FROM_ARG=""
fi fi
# shellcheck disable=SC2086 # Write Clawdbot gateway config (JSON5) into the expected location.
jq -n \ cat > /config/.clawdbot/clawdbot.json <<EOF
--arg modelPrimary "$MODEL_PRIMARY" \ {
--arg botToken "$BOT_TOKEN" \ discovery: { wideArea: { enabled: false } },
--arg dmPolicy "$DM_POLICY" \
--arg bind "$GW_BIND" \
--argjson port "$GW_PORT" \
--arg token "$AUTH_TOKEN" \
$ALLOW_FROM_ARG \
'
def maybeAllowFrom: if (has("allowFrom") and (.allowFrom|type=="array") and (.allowFrom|length>0)) then {allowFrom: .allowFrom} else {} end;
def maybeToken: if (.token|length)>0 then {auth:{mode:"token", token:.token}} else {auth:{mode:"token"}} end;
{ gateway: {
agents: { mode: "local",
defaults: { bind: "${GW_BIND}",
model: {primary: $modelPrimary}, port: ${GW_PORT},
models: {($modelPrimary): {}}, controlUi: { allowInsecureAuth: true },
workspace: "/config/clawd", ${GW_AUTH_BLOCK}
maxConcurrent: 4, },
subagents: {maxConcurrent: 8} agents: {
}, defaults: {
list: [{id:"main"}] workspace: "/config/clawd",
model: { primary: "${MODEL_PRIMARY}" },
models: {
"${MODEL_PRIMARY}": {}
}
}, },
commands: {native:"auto", nativeSkills:"auto"}, list: [
channels: { { id: "main" }
telegram: ( ]
{enabled:true, botToken:$botToken, dmPolicy:$dmPolicy} + maybeAllowFrom },
) channels: {
}, telegram: {
gateway: ( enabled: true,
{mode:"local", bind:$bind, port:$port, controlUi:{allowInsecureAuth:true}} + maybeToken botToken: "${BOT_TOKEN}",
), dmPolicy: "${DM_POLICY}"${ALLOW_FROM_RAW:+,
discovery: {wideArea:{enabled:false}} allowFrom: ${ALLOW_FROM_JSON}}
}
} }
' > /config/.clawdbot/clawdbot.json }
EOF
echo "Model primary=${MODEL_PRIMARY}" echo "Model primary=${MODEL_PRIMARY}"
echo "Gateway bind=${GW_BIND} port=${GW_PORT} token=${GW_TOKEN:+(set)}${GW_TOKEN:-(auto)}" echo "Gateway bind=${GW_BIND} port=${GW_PORT} token=${GW_TOKEN:+(set)}${GW_TOKEN:-(auto)}"
@@ -286,12 +279,18 @@ fi
# Render nginx config from template with the gateway token. # Render nginx config from template with the gateway token.
# NOTE: This intentionally exposes the token in the browser URL via a redirect. # NOTE: This intentionally exposes the token in the browser URL via a redirect.
# This matches Clawdbot Control UI's current expectations. # This matches Clawdbot Control UI's current expectations.
if [ -z "$GW_TOKEN" ]; then GW_TOKEN="$GW_TOKEN" python3 - <<'PY'
echo "WARN: gateway_token is empty; ingress UI will redirect with an empty token and Control UI will not authenticate." import os
fi from pathlib import Path
# Escape token for sed replacement
ESC_TOKEN=$(printf '%s' "$GW_TOKEN" | sed -e 's/[\\&|]/\\\\&/g') tpl = Path('/etc/nginx/nginx.conf.tpl').read_text()
sed -e "s|__GATEWAY_TOKEN__|${ESC_TOKEN}|g" /etc/nginx/nginx.conf.tpl > /etc/nginx/nginx.conf token = os.environ.get('GW_TOKEN','')
if not token:
print('WARN: gateway_token is empty; ingress UI will redirect with an empty token and Control UI will not authenticate.')
conf = tpl.replace('__GATEWAY_TOKEN__', token)
Path('/etc/nginx/nginx.conf').write_text(conf)
PY
echo "Starting ingress proxy (nginx) on :8099 ..." echo "Starting ingress proxy (nginx) on :8099 ..."
nginx -g 'daemon off;' & nginx -g 'daemon off;' &