Preserve YAML list indentation when appending

Add logic to preserve and match existing YAML list indentation when appending entries. Introduce appendToYAMLList helper in whitelist handler and use it to append CrowdSec whitelist items instead of hardcoding 4-space indentation. Change Traefik append calls to pass list items as "- <value>" and update Client.AppendLineToFileInContainer to insert after the last "- " item in a YAML block, detect existing indentation, and apply it to the inserted line. Also update the function comment to reflect the new behavior.

Author: hhftechnology

internal/api/handlers/whitelist.go

@@ -15,6 +15,36 @@ import (
 	"github.com/gin-gonic/gin"
 )
 
+// appendToYAMLList appends a new list item under a YAML section key, using the
+// same indentation as existing list items in that block. Falls back to 4-space
+// indent if the block has no existing items.
+func appendToYAMLList(content, sectionKey, value string) string {
+	lines := strings.Split(strings.TrimSpace(content), "\n")
+	detectedIndent := "    " // default 4 spaces
+	sectionIndent := -1
+	for _, line := range lines {
+		trimmed := strings.TrimLeft(line, " \t")
+		if strings.HasPrefix(trimmed, sectionKey) {
+			sectionIndent = len(line) - len(trimmed)
+			continue
+		}
+		if sectionIndent < 0 {
+			continue
+		}
+		if trimmed == "" {
+			continue
+		}
+		lineIndent := len(line) - len(trimmed)
+		if lineIndent <= sectionIndent {
+			break
+		}
+		if strings.HasPrefix(trimmed, "- ") || trimmed == "-" {
+			detectedIndent = line[:lineIndent]
+		}
+	}
+	return strings.TrimSpace(content) + "\n" + detectedIndent + "- " + value + "\n"
+}
+
 // =============================================================================
 // 3. WHITELIST MANAGEMENT
 // =============================================================================
@@ -134,8 +164,8 @@ whitelist:
     - %s
 `, req.IP)
 			} else {
-				// Append to existing whitelist
-				whitelistContent = strings.TrimSpace(currentWL) + fmt.Sprintf("\n    - %s\n", req.IP)
+				// Append to existing whitelist, matching its existing indentation
+				whitelistContent = appendToYAMLList(currentWL, "ip:", req.IP)
 			}
 
 			err = dockerClient.WriteFileToContainer(cfg.CrowdsecContainerName, cfg.CrowdSecWhitelistPath, []byte(whitelistContent))
@@ -156,7 +186,7 @@ whitelist:
 
 		if req.AddToTraefik {
 			// Update Traefik dynamic config
-			err := dockerClient.AppendLineToFileInContainer(cfg.TraefikContainerName, cfg.TraefikDynamicConfig, "sourceRange:", "        - "+req.IP)
+			err := dockerClient.AppendLineToFileInContainer(cfg.TraefikContainerName, cfg.TraefikDynamicConfig, "sourceRange:", "- "+req.IP)
 			if err != nil {
 				errMsg := fmt.Sprintf("Failed to add IP to Traefik whitelist: %v", err)
 				logger.Error(errMsg, "error", err)
@@ -231,7 +261,7 @@ whitelist:
 		}
 
 		if req.AddToTraefik {
-			err := dockerClient.AppendLineToFileInContainer(cfg.TraefikContainerName, cfg.TraefikDynamicConfig, "sourceRange:", "        - "+req.CIDR)
+			err := dockerClient.AppendLineToFileInContainer(cfg.TraefikContainerName, cfg.TraefikDynamicConfig, "sourceRange:", "- "+req.CIDR)
 			if err != nil {
 				errMsg := fmt.Sprintf("Failed to add CIDR to Traefik whitelist: %v", err)
 				logger.Error(errMsg, "error", err)

internal/api/handlers/whitelist_ops.go

@@ -116,7 +116,7 @@ func AddToTraefikWhitelist(dockerClient *docker.Client, cfg *config.Config) gin.
 
 		logger.Info("Adding to Traefik whitelist", "ip", req.IP)
 
-		err := dockerClient.AppendLineToFileInContainer(cfg.TraefikContainerName, cfg.TraefikDynamicConfig, "sourceRange:", "        - "+req.IP)
+		err := dockerClient.AppendLineToFileInContainer(cfg.TraefikContainerName, cfg.TraefikDynamicConfig, "sourceRange:", "- "+req.IP)
 		if err != nil {
 			c.JSON(http.StatusInternalServerError, models.Response{
 				Success: false,
@@ -272,7 +272,7 @@ whitelist:
 		}
 
 		// Add to Traefik
-		if err := dockerClient.AppendLineToFileInContainer(cfg.TraefikContainerName, cfg.TraefikDynamicConfig, "sourceRange:", "        - "+ip); err == nil {
+		if err := dockerClient.AppendLineToFileInContainer(cfg.TraefikContainerName, cfg.TraefikDynamicConfig, "sourceRange:", "- "+ip); err == nil {
 			results["traefik"] = true
 		}
 

internal/docker/client.go

@@ -364,29 +364,70 @@ func (c *Client) ReadFileFromContainer(containerName, filePath string) (string,
 }
 
 // AppendLineToFileInContainer reads a file from a container, appends a line
-// after the first occurrence of `afterLine`, and writes it back. Uses the
-// Docker copy API so no shell interpolation occurs.
+// after the last list item in the block started by `afterLine`, and writes it
+// back. Uses the Docker copy API so no shell interpolation occurs.
+//
+// For YAML list blocks (e.g. sourceRange:), the new entry is inserted after the
+// last existing "- " item in the block so that indentation stays consistent.
 func (c *Client) AppendLineToFileInContainer(containerName, filePath, afterLine, newLine string) error {
 	content, err := c.ReadFileFromContainer(containerName, filePath)
 	if err != nil {
 		return fmt.Errorf("failed to read file: %w", err)
 	}
 
 	lines := strings.Split(content, "\n")
-	var result []string
-	inserted := false
-	for _, line := range lines {
-		result = append(result, line)
-		if !inserted && strings.Contains(line, afterLine) {
-			result = append(result, newLine)
-			inserted = true
+
+	// Find the index of the section header.
+	sectionIdx := -1
+	for i, line := range lines {
+		if strings.Contains(line, afterLine) {
+			sectionIdx = i
+			break
 		}
 	}
-
-	if !inserted {
+	if sectionIdx == -1 {
 		return fmt.Errorf("pattern %q not found in %s", afterLine, filePath)
 	}
 
+	// Scan forward to find the last list item ("- ") in this block.
+	// A line that is non-empty, not a list item, and has less or equal
+	// indentation than the section header signals the end of the block.
+	// The indentation of the first found list item is captured so the new
+	// entry can match it exactly, regardless of what the caller passes.
+	sectionIndent := len(lines[sectionIdx]) - len(strings.TrimLeft(lines[sectionIdx], " \t"))
+	lastListIdx := sectionIdx // insert right after header if no items found
+	detectedIndent := ""
+	for i := sectionIdx + 1; i < len(lines); i++ {
+		trimmed := strings.TrimLeft(lines[i], " \t")
+		if trimmed == "" {
+			continue
+		}
+		lineIndent := len(lines[i]) - len(trimmed)
+		if lineIndent <= sectionIndent {
+			// Left the block.
+			break
+		}
+		if strings.HasPrefix(trimmed, "- ") || trimmed == "-" {
+			lastListIdx = i
+			if detectedIndent == "" {
+				detectedIndent = lines[i][:lineIndent]
+			}
+		}
+	}
+
+	// Apply detected indentation so the new entry always matches existing items.
+	// If the block has no existing items, use newLine verbatim.
+	insertLine := newLine
+	if detectedIndent != "" {
+		insertLine = detectedIndent + strings.TrimLeft(newLine, " \t")
+	}
+
+	// Insert after the last list item (or after the header if none exist).
+	result := make([]string, 0, len(lines)+1)
+	result = append(result, lines[:lastListIdx+1]...)
+	result = append(result, insertLine)
+	result = append(result, lines[lastListIdx+1:]...)
+
 	return c.WriteFileToContainer(containerName, filePath, []byte(strings.Join(result, "\n")))
 }
 

web/src/pages/Dashboard.tsx

@@ -293,16 +293,9 @@ export default function Dashboard() {
     <div className="space-y-6">
       <PageHeader
         title="Dashboard"
-        description="System overview, activity, and key metrics"
+        description="System overview, activity, key metrics and threat posture"
         actions={<span className="text-xs text-muted-foreground">{lastUpdatedLabel}</span>}
       />
-      <div>
-        <h1 className="text-3xl font-bold">Dashboard</h1>
-        <p className="text-muted-foreground mt-1">
-          System overview and threat posture
-        </p>
-      </div>
-
       {/* Connection error banner */}
       {isError && (
         <Alert variant="destructive">

web/src/pages/Whitelist.tsx

@@ -154,18 +154,25 @@ export default function Whitelist() {
   const ipError = useMemo(() => validateIP(manualIP), [manualIP])
   const cidrError = useMemo(() => validateCIDR(cidr), [cidr])
 
-  // Check for duplicates
+  // Check for duplicates — only true when the value already exists in every
+  // selected destination. If a toggle is off, that destination is ignored.
   const isIPDuplicate = useMemo(() => {
     if (!manualIP || !whitelistData) return false
-    const allIPs = [...(whitelistData.crowdsec || []), ...(whitelistData.traefik || [])]
-    return allIPs.includes(manualIP)
-  }, [manualIP, whitelistData])
+    const inCrowdSec = (whitelistData.crowdsec || []).includes(manualIP)
+    const inTraefik = (whitelistData.traefik || []).includes(manualIP)
+    const crowdSecSatisfied = !addToCrowdSec || inCrowdSec
+    const traefikSatisfied = !addToTraefik || inTraefik
+    return crowdSecSatisfied && traefikSatisfied
+  }, [manualIP, whitelistData, addToCrowdSec, addToTraefik])
 
   const isCIDRDuplicate = useMemo(() => {
     if (!cidr || !whitelistData) return false
-    const allIPs = [...(whitelistData.crowdsec || []), ...(whitelistData.traefik || [])]
-    return allIPs.includes(cidr)
-  }, [cidr, whitelistData])
+    const inCrowdSec = (whitelistData.crowdsec || []).includes(cidr)
+    const inTraefik = (whitelistData.traefik || []).includes(cidr)
+    const crowdSecSatisfied = !addToCrowdSec || inCrowdSec
+    const traefikSatisfied = !addToTraefik || inTraefik
+    return crowdSecSatisfied && traefikSatisfied
+  }, [cidr, whitelistData, addToCrowdSec, addToTraefik])
 
   const handleWhitelistManual = (e: React.FormEvent) => {
     e.preventDefault()