diff --git a/.github/workflows/BuildImage.yml b/.github/workflows/BuildImage.yml index bc152658..dc1a5f9e 100644 --- a/.github/workflows/BuildImage.yml +++ b/.github/workflows/BuildImage.yml @@ -1,12 +1,21 @@ name: Build Image -on: [push, pull_request_target, workflow_dispatch] +on: + push: + pull_request_target: + workflow_dispatch: + inputs: + mod_version: + type: string + required: false env: GITHUB_REPO: "linuxserver/docker-mods" #don't modify ENDPOINT: "linuxserver/mods" #don't modify BASEIMAGE: "swag" #replace MODNAME: "crowdsec" #replace + MOD_VERSION: ${{ inputs.mod_version }} #don't modify + MULTI_ARCH: "false" #set to false if not needed jobs: set-vars: @@ -19,15 +28,23 @@ jobs: echo "ENDPOINT=${{ env.ENDPOINT }}" >> $GITHUB_OUTPUT echo "BASEIMAGE=${{ env.BASEIMAGE }}" >> $GITHUB_OUTPUT echo "MODNAME=${{ env.MODNAME }}" >> $GITHUB_OUTPUT - # **** If the mod needs to be versioned, set the versioning logic below. Otherwise leave as is. **** - MOD_VERSION="" + echo "MULTI_ARCH=${{ env.MULTI_ARCH }}" >> $GITHUB_OUTPUT + if [[ -z "${{ env.MOD_VERSION }}" ]]; then + # **** If the mod needs to be versioned, set the versioning logic below. Otherwise leave as is. **** + MOD_VERSION=$(curl -sX GET "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" | jq -r '.tag_name') + else + MOD_VERSION=${{ env.MOD_VERSION }} + echo "MOD_VERSION_OVERRIDE=true" >> $GITHUB_OUTPUT + fi echo "MOD_VERSION=${MOD_VERSION}" >> $GITHUB_OUTPUT outputs: GITHUB_REPO: ${{ steps.outputs.outputs.GITHUB_REPO }} ENDPOINT: ${{ steps.outputs.outputs.ENDPOINT }} BASEIMAGE: ${{ steps.outputs.outputs.BASEIMAGE }} MODNAME: ${{ steps.outputs.outputs.MODNAME }} + MULTI_ARCH: ${{ steps.outputs.outputs.MULTI_ARCH }} MOD_VERSION: ${{ steps.outputs.outputs.MOD_VERSION }} + MOD_VERSION_OVERRIDE: ${{ steps.outputs.outputs.MOD_VERSION_OVERRIDE }} build: uses: linuxserver/github-workflows/.github/workflows/docker-mod-builder.yml@v1 
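Review bot: In the set-vars run script (second hunk), `${{ env.MOD_VERSION }}` is expanded into the shell text before bash runs, so whatever is typed into the `mod_version` dispatch input declared in the first hunk becomes part of the script rather than a value. The workflow-level `env:` block already exports `MOD_VERSION` to the step, so the test can read the shell variable instead, `if [[ -z "${MOD_VERSION}" ]]; then`, and the `MOD_VERSION=${{ env.MOD_VERSION }}` line in the else branch can be dropped. The fallback lookup also has no failure check: `jq -r '.tag_name'` prints `null` when the API response carries no tag (for example when the unauthenticated request is rate-limited), and that string is then written to `$GITHUB_OUTPUT` as the version. A guard such as `[[ -n "${MOD_VERSION}" && "${MOD_VERSION}" != "null" ]] || exit 1` before the final echo would stop the build. The run block starts above this hunk.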
@@ -42,4 +59,6 @@ jobs: ENDPOINT: ${{ needs.set-vars.outputs.ENDPOINT }} BASEIMAGE: ${{ needs.set-vars.outputs.BASEIMAGE }} MODNAME: ${{ needs.set-vars.outputs.MODNAME }} + MULTI_ARCH: ${{ needs.set-vars.outputs.MULTI_ARCH }} MOD_VERSION: ${{ needs.set-vars.outputs.MOD_VERSION }} + MOD_VERSION_OVERRIDE: ${{ needs.set-vars.outputs.MOD_VERSION_OVERRIDE }} diff --git a/Dockerfile b/Dockerfile index 17029766..dabf6534 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,32 @@ # syntax=docker/dockerfile:1 +FROM ghcr.io/linuxserver/baseimage-alpine:3.20 AS buildstage + +ARG MOD_VERSION + +RUN \ + mkdir -p /root-layer && \ + if [ -z "${MOD_VERSION}" ]; then \ + MOD_VERSION=$(curl -sX GET "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" \ + | jq -r '.tag_name'); \ + fi && \ + if [ -z ${MOD_VERSION+x} ]; then \ + echo "**** Could not fetch current bouncer version from Github ****" \ + exit 1; \ + fi && \ + curl -sLo \ + /root-layer/crowdsec-nginx-bouncer.tgz -L \ + "https://github.com/crowdsecurity/cs-nginx-bouncer/releases/download/${MOD_VERSION}/crowdsec-nginx-bouncer.tgz" && \ + if ! tar -tzf /root-layer/crowdsec-nginx-bouncer.tgz >/dev/null 2>&1; then \ + echo "**** Invalid tarball, could not download crowdsec bouncer ****" \ + exit 1; \ + fi + +COPY root/ /root-layer/ + FROM scratch LABEL maintainer="thespad" -# copy local files -COPY root/ / +# Add files from buildstage +COPY --from=buildstage /root-layer/ / diff --git a/README.md b/README.md index cc84ba38..e23b8d02 100644 --- a/README.md +++ b/README.md 
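Review bot: Neither failure branch in the buildstage `RUN` actually stops the build: the line continuation after each `echo "…" \` joins `exit 1` onto the echo as extra arguments, so the message is printed with "exit 1" appended and the chain carries on. The version check has a second problem: `[ -z ${MOD_VERSION+x} ]` only asks whether the variable is set, which it always is after the assignment above, and `jq -r` prints `null` for a missing `tag_name`, so the fence below tests for an empty or `null` value instead. Adding `-f` to curl makes an HTTP error fail the step instead of saving the error body. Note also that `tar -tzf` only shows the file is a readable archive, not that it is the intended release; comparing it with a SHA-256 pinned in the repository would give the bundled tarball an integrity check.

```dockerfile
  # … unchanged: mkdir and latest-release lookup …
  if [ -z "${MOD_VERSION}" ] || [ "${MOD_VERSION}" = "null" ]; then \
    echo "**** Could not fetch current bouncer version from Github ****"; \
    exit 1; \
  fi && \
  curl -fsSLo \
  # … unchanged: output path and release URL …
  if ! tar -tzf /root-layer/crowdsec-nginx-bouncer.tgz >/dev/null 2>&1; then \
    echo "**** Invalid tarball, could not download crowdsec bouncer ****"; \
    exit 1; \
  fi
```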
@@ -32,7 +32,6 @@ Set the following environment variables on your SWAG container. | `CROWDSEC_SITE_KEY` | **Optional** | CAPTCHA Site Key | | `CROWDSEC_SECRET_KEY` | **Optional** | CAPTCHA Secret Key | | `CROWDSEC_CAPTCHA_PROVIDER` | **Optional** | CAPTCHA Provider (currently supported providers are `recaptcha`, `hcaptcha`, `turnstile`), requires bouncer v1.0.5 or newer. | -| `CROWDSEC_VERSION` | **Optional** | Specify a version of the bouncer to install instead of using the latest release, for example `v1.0.0`. Must be a valid [release tag](https://github.com/crowdsecurity/cs-nginx-bouncer/tags). **Does not support versions older than v1.0.0**. | | `CROWDSEC_F2B_DISABLE` | **Optional** | Set to `true` to disable swag's built-in fail2ban service if you don't need it | | `CROWDSEC_MODE` | **Optional** | Set to `live` (immediate update) or `stream` to update requests every CROWDSEC_UPDATE_FREQUENCY seconds. Defaults to `live` | | `CROWDSEC_UPDATE_FREQUENCY` | **Optional** | Set update frequency for use with `stream` mode. Defaults to `10`. | @@ -73,6 +72,7 @@ e.g. `resolver 127.0.0.11 valid=30s ipv6=off;` ## Versions +* **11.09.24:** - Move versioning to mod tags. Bundle tarball at build time. * **05.06.24:** - Add lua-resty-string. * **06.02.24:** - Add AppSec support. * **29.03.23:** - Support multiple captcha providers from upstream. diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run index 35fa918e..9c61ad46 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run +++ b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run 
@@ -5,10 +5,9 @@ CONFIG_PATH="/config/crowdsec/" LIB_PATH="/usr/local/lua/crowdsec/" DATA_PATH="/var/lib/crowdsec/lua/" -if [[ ${DOCKER_MODS_DEBUG_CURL,,} = "true" ]]; then - CURL_NOISE_LEVEL="-v" -else - CURL_NOISE_LEVEL="--silent" +if [[ ! -e "/crowdsec-nginx-bouncer.tgz" ]]; then + # Crowdsec bouncer already configured + exit 0 fi echo "**** Configuring CrowdSec nginx Bouncer ****" @@ -28,29 +27,11 @@ echo "\ lua-sec \ nginx-mod-http-lua" >> /mod-repo-packages-to-install.list -# Download nginx bouncer -if [[ -z ${CROWDSEC_VERSION+x} ]]; then \ - CROWDSEC_VERSION=$(curl -s "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" | awk '/tag_name/{print $4;exit}' FS='[""]'); -fi - -if [[ -z ${CROWDSEC_VERSION+x} ]]; then \ - echo "**** Could not fetch current bouncer version from Github ****" - exit 1 -fi - -curl "${CURL_NOISE_LEVEL}" -Lo \ - /tmp/crowdsec.tar.gz -L \ - "https://github.com/crowdsecurity/cs-nginx-bouncer/releases/download/${CROWDSEC_VERSION}/crowdsec-nginx-bouncer.tgz" - +# Extract nginx bouncer mkdir -p /tmp/crowdsec -if ! tar -tzf /tmp/crowdsec.tar.gz >/dev/null 2>&1; then - echo "**** Invalid tarball, could not download crowdsec bouncer ****" - exit 1 -fi - tar xf \ - /tmp/crowdsec.tar.gz -C \ + /crowdsec-nginx-bouncer.tgz -C \ /tmp/crowdsec --strip-components=1 mkdir -p "${CONFIG_PATH}" 
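Review bot: The `tar xf /crowdsec-nginx-bouncer.tgz -C /tmp/crowdsec --strip-components=1` call in the second hunk of this file is now the only place the archive is touched at container start, and its exit status is not checked here, the runtime `tar -tzf` test having been removed. If extraction fails, the lines that follow would operate on an empty `/tmp/crowdsec`, and the proxy could come up without a working bouncer; whether the script runs under `set -e` is not visible in the hunk. Wrapping the call as `if ! tar xf … ; then echo "**** Could not extract crowdsec bouncer ****"; exit 1; fi` keeps the failure loud. The script continues outside the hunk.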
@@ -97,20 +78,35 @@ if ! grep -q '[^#]include /etc/nginx/http.d/\*.conf;' '/config/nginx/nginx.conf' else # Warn about missing http.d include echo " - ******************************************************************** - * Warning: Your nginx.conf is missing required settings * - * Please add: * - * include /etc/nginx/http.d/*.conf; * - * to the http{} block and restart the container. * - * * - * The CrowdSec bouncer will not function until this is done. * - ********************************************************************" + ┌──────────────────────────────────────────────────────────────────┐ + │ Warning: Your nginx.conf is missing required settings │ + │ Please add: │ + │ include /etc/nginx/http.d/*.conf; │ + │ to the http{} block and restart the container. │ + │ │ + │ The CrowdSec bouncer will not function until this is done. │ + └──────────────────────────────────────────────────────────────────┘ + " fi fi # Clean up rm -rf \ /tmp/crowdsec \ - /tmp/crowdsec.tar.gz + /crowdsec-nginx-bouncer.tgz + +if [[ -n ${CROWDSEC_VERSION} ]]; then + echo " + ┌─────────────────────────────────────────────────────────────────────────┐ + │ !! ATTENTION !! │ + │ │ + │ This mod will ignore the │ + │ CROWDSEC_VERSION environment variable │ + │ │ + │ Versioning is now handled by mod tags │ + │ See https://hub.docker.com/r/linuxserver/mods/tags?name=swag-crowdsec-v │ + │ For a list of all available tags │ + └─────────────────────────────────────────────────────────────────────────┘" +fi echo "**** Successfully configured CrowdSec nginx Bouncer ${CROWDSEC_VERSION} ****"
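Review bot: The final context line still prints `${CROWDSEC_VERSION}` in the success message, right after the new notice says that variable is ignored, so a user who sets it sees a log line claiming that version was configured when the bundled tarball is what was installed. Dropping the variable, `echo "**** Successfully configured CrowdSec nginx Bouncer ****"`, avoids the misleading record. The new test `[[ -n ${CROWDSEC_VERSION} ]]` would also abort under `set -u` when the variable is unset; `${CROWDSEC_VERSION:-}` is safe either way, though whether the script enables nounset is not visible here.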