From 13b660d6068607219088b431cce119f6454a9803 Mon Sep 17 00:00:00 2001
From: Brian Munro
Date: Thu, 25 Jan 2024 12:23:49 +0200
Subject: [PATCH] Added Crowdsec Bouncer 1.0.1.

---
Dockerfile | 11 +++++
.../99_crowdsec-openresty-bouncer.sh | 33 +++++++++++++++
src/cs-openresty-bouncer/build.sh | 40 +++++++++++++++++++
src/openresty/build.sh | 4 +-
4 files changed, 87 insertions(+), 1 deletion(-)
create mode 100755 rootfs/etc/cont-init.d/99_crowdsec-openresty-bouncer.sh
create mode 100755 src/cs-openresty-bouncer/build.sh

diff --git a/Dockerfile b/Dockerfile
index f177e36..ddbf5bc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,6 +9,7 @@ ARG DOCKER_IMAGE_VERSION=
 
 # Define software versions.
 ARG OPENRESTY_VERSION=1.19.9.1
+ARG CROWDSEC_OPENRESTY_BOUNCER_VERSION=1.0.1
 ARG NGINX_PROXY_MANAGER_VERSION=2.10.4
 ARG NGINX_HTTP_GEOIP2_MODULE_VERSION=3.3
 ARG LIBMAXMINDDB_VERSION=1.5.0
@@ -16,6 +17,7 @@ ARG BCRYPT_TOOL_VERSION=1.1.2
 
 # Define software download URLs.
 ARG OPENRESTY_URL=https://openresty.org/download/openresty-${OPENRESTY_VERSION}.tar.gz
+ARG CROWDSEC_OPENRESTY_BOUNCER_URL=https://github.com/crowdsecurity/cs-openresty-bouncer/releases/download/v${CROWDSEC_OPENRESTY_BOUNCER_VERSION}/crowdsec-openresty-bouncer.tgz
 ARG NGINX_PROXY_MANAGER_URL=https://github.com/jc21/nginx-proxy-manager/archive/v${NGINX_PROXY_MANAGER_VERSION}.tar.gz
 ARG NGINX_HTTP_GEOIP2_MODULE_URL=https://github.com/leev/ngx_http_geoip2_module/archive/${NGINX_HTTP_GEOIP2_MODULE_VERSION}.tar.gz
 ARG LIBMAXMINDDB_URL=https://github.com/maxmind/libmaxminddb/releases/download/${LIBMAXMINDDB_VERSION}/libmaxminddb-${LIBMAXMINDDB_VERSION}.tar.gz
@@ -78,6 +80,14 @@ RUN \
 find /tmp/certbot-install/usr/lib/python3.10/site-packages -type f -name "*.exe" -delete && \
 find /tmp/certbot-install/usr/lib/python3.10/site-packages -type d -name tests -print0 | xargs -0 rm -r
 
+# Build cs-openresty-boucner.
+FROM alpine:3.16 AS cs-openresty-bouncer
+ARG TARGETPLATFORM
+ARG CROWDSEC_OPENRESTY_BOUNCER_URL
+COPY --from=xx / /
+COPY src/cs-openresty-bouncer /build
+RUN /build/build.sh "$CROWDSEC_OPENRESTY_BOUNCER_URL"
+
 # Pull base image.
 FROM jlesage/baseimage:alpine-3.16-v3.5.2
 
@@ -117,6 +127,7 @@ COPY --from=nginx /tmp/openresty-install/ /
 COPY --from=npm /tmp/nginx-proxy-manager-install/ /
 COPY --from=bcrypt-tool /tmp/go/bin/bcrypt-tool /usr/bin/
 COPY --from=certbot /tmp/certbot-install/ /
+COPY --from=cs-openresty-bouncer /tmp/crowdsec-openresty-bouncer-install/ /
 
 # Set internal environment variables.
 RUN \
diff --git a/rootfs/etc/cont-init.d/99_crowdsec-openresty-bouncer.sh b/rootfs/etc/cont-init.d/99_crowdsec-openresty-bouncer.sh
new file mode 100755
index 0000000..a43a661
--- /dev/null
+++ b/rootfs/etc/cont-init.d/99_crowdsec-openresty-bouncer.sh
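Review bot: The stage comment `# Build cs-openresty-boucner.` misspells the stage name declared on the very next line; change it to `# Build cs-openresty-bouncer.`. `ARG TARGETPLATFORM` is declared in the new stage but nothing in the hunk reads it — build.sh is invoked with only the URL — so either drop it or, if it is there for the `xx` helpers copied in by `COPY --from=xx / /`, say so with a comment such as `# TARGETPLATFORM is consumed by the xx cross-build helpers, not by build.sh`.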
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+set -e # Exit immediately if a command exits with a non-zero status.
+
+mkdir -p /config/crowdsec/templates
+echo "Deploy Crowdsec Openresty Bouncer.."
+sed -i 's|/defaults/crowdsec|/config/crowdsec|' /etc/nginx/conf.d/crowdsec_openresty.conf
+
+if [ -f /data/crowdsec/crowdsec-openresty-bouncer.conf ]; then
+ echo "Patch crowdsec-openresty-bouncer.conf .."
+ sed "s/=.*//g" /config/crowdsec/crowdsec-openresty-bouncer.conf > /tmp/crowdsec.conf.raw
+ sed "s/=.*//g" /defaults/crowdsec/crowdsec-openresty-bouncer.conf > /tmp/crowdsec-openresty-bouncer.conf.raw
+ if grep -vf /tmp/crowdsec.conf.raw /tmp/crowdsec-openresty-bouncer.conf.raw ; then
+ grep -vf /tmp/crowdsec.conf.raw /tmp/crowdsec-openresty-bouncer.conf.raw > /tmp/config.newvals
+ cp /config/crowdsec/crowdsec-openresty-bouncer.conf /config/crowdsec/crowdsec-openresty-bouncer.conf.bak
+ grep -f /tmp/config.newvals /defaults/crowdsec/crowdsec-openresty-bouncer.conf >> /config/crowdsec/crowdsec-openresty-bouncer.conf
+ fi
+else
+ echo "Deploy new crowdsec-openresty-bouncer.conf .."
+ cp /defaults/crowdsec/crowdsec-openresty-bouncer.conf /config/crowdsec/crowdsec-openresty-bouncer.conf
+fi
+#Make sure the config location is where we get the config from instead of /default/
+sed -i 's|/defaults/crowdsec|/config/crowdsec|' /config/crowdsec/crowdsec-openresty-bouncer.conf
+echo "Deploy Crowdsec Templates .."
+#Make sure we only copy files that don't exist in /data/crowdsec.
+cd /defaults/crowdsec/templates/
+for file in *.html
+do
+ if [ ! -e "/config/crowdsec/templates/${file}" ]
+ then
+ cp -r "/defaults/crowdsec/templates/${file}" "/config/crowdsec/templates/"
+ fi
+done
diff --git a/src/cs-openresty-bouncer/build.sh b/src/cs-openresty-bouncer/build.sh
new file mode 100755
index 0000000..d4a7d95
--- /dev/null
+++ b/src/cs-openresty-bouncer/build.sh
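Review bot: The existence test `if [ -f /data/crowdsec/crowdsec-openresty-bouncer.conf ]; then` looks under `/data` while every other line in the script reads and writes `/config/crowdsec/…`, so unless a `/data/crowdsec` copy happens to exist the `else` branch runs on every container start and `cp /defaults/crowdsec/crowdsec-openresty-bouncer.conf /config/crowdsec/…` overwrites the user's existing config — and whatever credentials it holds — with the defaults. The check should be `if [ -f /config/crowdsec/crowdsec-openresty-bouncer.conf ]; then`, and the later comment `#Make sure we only copy files that don't exist in /data/crowdsec.` should name `/config/crowdsec` for the same reason. The merge step also writes fixed names under `/tmp` (`/tmp/crowdsec.conf.raw`, `/tmp/crowdsec-openresty-bouncer.conf.raw`, `/tmp/config.newvals`) that are never removed; creating them with `mktemp` and removing them from a `trap … EXIT` keeps scratch files out of a shared directory. Note too that `grep -f` treats each extracted key name as a regular expression rather than a literal, so `grep -Ff` is the safer form for matching config keys.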
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -e # Exit immediately if a command exits with a non-zero status.
+set -u # Treat unset variables as an error.
+
+log() {
+ echo ">>> $*"
+}
+
+CROWDSEC_OPENRESTY_BOUNCER_URL="${1:-}"
+
+ROOTFS=/tmp/crowdsec-openresty-bouncer-install
+
+if [ -z "$CROWDSEC_OPENRESTY_BOUNCER_URL" ]; then
+ log "ERROR: bcrypt tool version missing."
+ exit 1
+fi
+
+#
+# Install required packages.
+#
+
+apk --no-cache add \
+ build-base \
+ gettext \
+ curl \
+ bash \
+
+#
+# Build.
+#
+
+log "Downloading Crowdsec Openresty Bouncer package..."
+mkdir /tmp/crowdsec-openresty-bouncer
+curl -# -L "${CROWDSEC_OPENRESTY_BOUNCER_URL}" | tar xz --strip 1 -C /tmp/crowdsec-openresty-bouncer
+log "Deploy Crowdsec Openresty Bouncer..."
+cd /tmp/crowdsec-openresty-bouncer
+bash ./install.sh --NGINX_CONF_DIR=${ROOTFS}/etc/nginx/conf.d --LIB_PATH=${ROOTFS}/var/lib/nginx/lualib --CONFIG_PATH=${ROOTFS}/defaults/crowdsec/ --DATA_PATH=${ROOTFS}/defaults/crowdsec/ --SSL_CERTS_PATH=/etc/ssl/certs/ca-cert-GTS_Root_R1.pem --docker
+sed -i 's|/tmp/crowdsec-openresty-bouncer-install||g' ${ROOTFS}/etc/nginx/conf.d/crowdsec_openresty.conf
+sed -i 's|ENABLED=.*|ENABLED=false|' ${ROOTFS}/defaults/crowdsec/crowdsec-openresty-bouncer.conf
diff --git a/src/openresty/build.sh b/src/openresty/build.sh
index 155806f..4fa5463 100755
--- a/src/openresty/build.sh
+++ b/src/openresty/build.sh
@@ -180,6 +180,9 @@ make -C /tmp/openresty -j$(nproc)
 log "Installing OpenResty..."
 make DESTDIR=/tmp/openresty-install -C /tmp/openresty install
 
+#Install lua-resty-http required for Crowdsec OpenResty Bouncer
+/tmp/openresty-install/var/lib/nginx/bin/opm --install-dir="/tmp/openresty-install/var/lib/nginx/site/" get pintsized/lua-resty-http
+
 rm -r \
 /tmp/openresty-install/etc/nginx/*.default \
 /tmp/openresty-install/var/lib/nginx/bin/opm \
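Review bot: `curl -# -L "${CROWDSEC_OPENRESTY_BOUNCER_URL}" | tar xz …` unpacks the release tarball into the image with no integrity check, so the build trusts whatever the URL in the `CROWDSEC_OPENRESTY_BOUNCER_URL` build ARG serves, and because `/bin/sh` has no `pipefail` here a failed `curl` is also not caught by `set -e`; download to a file, verify it against a pinned SHA-256 and only then extract (sketch below — the digest is a placeholder to fill in from the release). The usage error is a copy-paste leftover: `log "ERROR: bcrypt tool version missing."` should read `log "ERROR: Crowdsec Openresty Bouncer URL missing."`. In the `apk --no-cache add` call the final `bash \` leaves a continuation backslash before a blank line; drop the backslash so the argument list ends explicitly.
```sh
log "Downloading Crowdsec Openresty Bouncer package..."
mkdir /tmp/crowdsec-openresty-bouncer
curl -# -L -o /tmp/crowdsec-openresty-bouncer.tgz "${CROWDSEC_OPENRESTY_BOUNCER_URL}"
# <EXPECTED_SHA256> is a placeholder: pin the published digest of the release tarball here.
echo "<EXPECTED_SHA256>  /tmp/crowdsec-openresty-bouncer.tgz" | sha256sum -c -
tar xzf /tmp/crowdsec-openresty-bouncer.tgz --strip 1 -C /tmp/crowdsec-openresty-bouncer
# … unchanged: install.sh invocation and the two sed fix-ups …
```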
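Review bot: `opm … get pintsized/lua-resty-http` installs whatever version the opm registry publishes at build time, so the image is not reproducible and a new upstream release changes the build silently; pin the version in the package spec (opm accepts a version constraint on the package argument) and note the pinned version alongside the other version ARGs in the Dockerfile. The comment above it is missing its space and does not say why the module is fetched at this point, e.g. `# Install lua-resty-http into the site dir; the CrowdSec OpenResty bouncer requires it at runtime.` Since the `rm -r` list that follows this hunk used to remove `var/lib/nginx/site` and that deletion is dropped further down in the same file, a short comment there saying the directory is now kept for this module would help the next reader.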
@@ -189,5 +192,4 @@ rm -r \
 /tmp/openresty-install/var/lib/nginx/bin/md2pod.pl \
 /tmp/openresty-install/var/lib/nginx/pod \
 /tmp/openresty-install/var/lib/nginx/resty.index \
- /tmp/openresty-install/var/lib/nginx/site \
 /tmp/openresty-install/var/run \