From f1f780f5a3da0bf979fb25d599a53251b00f11a4 Mon Sep 17 00:00:00 2001
From: Donavan Fritz
Date: Fri, 12 Jun 2026 13:01:05 +0000
Subject: [PATCH] feat: optional site.yaml 'middlewares' list appended to Ingress middleware annotation

Lets a site opt into extra file-provider middlewares (e.g. authentik-forwardauth to auth-gate a site). Backward-compatible: absent/empty key renders the exact previous annotation.
---
 README.md | 5 +++++
 scripts/deploy.py | 1 +
 scripts/utils.py | 5 +++++
 templates/ingress.yaml.j2 | 2 +-
 4 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 08acaac..6873418 100644
--- a/README.md
+++ b/README.md
@@ -48,6 +48,11 @@ type: static # static | hugo | mkdocs
 # # so they're both un-uploaded AND un-deleted. Use this
 # # for large assets managed out-of-band via aws-cli
 # # (e.g. media files updated more often than the site code).
+# middlewares: # extra Traefik FILE-PROVIDER middleware names appended to the
+# - authentik-forwardauth # Ingress annotation (after https-redirect,retry-upstream).
+# # The middleware must already exist in the traefik-dynamic
+# # ConfigMap. Use authentik-forwardauth to auth-gate a site
+# # (also requires an Authentik proxy provider + app for the host).
 ```
 
 `.gitea/workflows/publish.yaml`:
diff --git a/scripts/deploy.py b/scripts/deploy.py
index 5b1aade..7b6cbc7 100644
--- a/scripts/deploy.py
+++ b/scripts/deploy.py
@@ -126,6 +126,7 @@ def render_site_manifests(site_name, action_dir, app_dir, manifests_dir, cfg):
 "domain": cfg["domain"],
 "aliases": cfg["aliases"],
 "namespace": NAMESPACE,
+ "middlewares": cfg["middlewares"],
 }
 
 render_templates(action_dir, template_vars, app_dir, manifests_dir)
diff --git a/scripts/utils.py b/scripts/utils.py
index 561e5d8..d61a36b 100644
--- a/scripts/utils.py
+++ b/scripts/utils.py
@@ -87,6 +87,10 @@ def parse_site_yaml(site_dir):
 if not isinstance(excludes, list) or any(not isinstance(p, str) for p in excludes):
 die("excludes must be a list of string patterns")
 
+ middlewares = cfg.get("middlewares") or []
+ if not isinstance(middlewares, list) or any(not isinstance(m, str) for m in middlewares):
+ die("middlewares must be a list of Traefik file-provider middleware names")
+
 site = {
 "domain": cfg["domain"],
 "type": site_type,
@@ -95,6 +99,7 @@ def parse_site_yaml(site_dir):
 "content_dir": cfg.get("content_dir", ""),
 "tidy": cfg.get("tidy", True),
 "excludes": excludes,
+ "middlewares": middlewares,
 }
 
 print("Site config:")
diff --git a/templates/ingress.yaml.j2 b/templates/ingress.yaml.j2
index 5d47238..e8b56c4 100644
--- a/templates/ingress.yaml.j2
+++ b/templates/ingress.yaml.j2
@@ -5,7 +5,7 @@ metadata:
 namespace: {{ namespace }}
 {%- if site_type != "docker" %}
 annotations:
- traefik.ingress.kubernetes.io/router.middlewares: https-redirect@file,retry-upstream@file
+ traefik.ingress.kubernetes.io/router.middlewares: https-redirect@file,retry-upstream@file{% for m in middlewares %},{{ m }}@file{% endfor %}
 {%- endif %}
 spec:
 ingressClassName: traefik
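Review bot: In scripts/utils.py (first hunk), the new `middlewares` check in parse_site_yaml accepts any string, and templates/ingress.yaml.j2 then writes each entry unquoted into the annotation value as `{{ m }}@file`. An entry containing a comma, `@`, whitespace, `#` or a newline would change which middlewares or providers the router references or alter the rendered YAML, and an empty string renders `,@file`. site.yaml appears to come from the site repository rather than from the deploy tooling, so I would restrict names to a conservative pattern, e.g. `any(not isinstance(m, str) or not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9_-]*", m) for m in middlewares)`, adjusting the character set to the names actually defined in the traefik-dynamic ConfigMap. This needs `re` imported in utils.py if it is not already; parse_site_yaml starts and ends outside the hunk.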
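Review bot: In templates/ingress.yaml.j2 the changed annotation line sits inside `{%- if site_type != "docker" %}`, so for a docker-type site a configured `middlewares` list is dropped without any message. If a site owner lists authentik-forwardauth expecting an auth gate, that site would be published without it, unless docker sites receive their middlewares somewhere not visible in this patch. I would fail closed in parse_site_yaml with `if site_type == "docker" and middlewares: die("middlewares is not supported for type: docker")`, or render the annotation for docker sites as well. The template continues outside the hunk.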