linuxserver · thespad · Sep 11, 2024 · Sep 11, 2024 · Sep 11, 2024 · Sep 11, 2024
diff --git a/.github/workflows/BuildImage.yml b/.github/workflows/BuildImage.yml
@@ -1,12 +1,21 @@
 name: Build Image
 
-on: [push, pull_request_target, workflow_dispatch]
+on:
+  push:
+  pull_request_target:
+  workflow_dispatch:
+    inputs:
+      mod_version:
+        type: string
+        required: false
 
 env:
   GITHUB_REPO: "linuxserver/docker-mods" #don't modify
   ENDPOINT: "linuxserver/mods" #don't modify
   BASEIMAGE: "swag" #replace
   MODNAME: "crowdsec" #replace
+  MOD_VERSION: ${{ inputs.mod_version }} #don't modify
+  MULTI_ARCH: "false" #set to false if not needed
 
 jobs:
   set-vars:
@@ -19,15 +28,23 @@ jobs:
           echo "ENDPOINT=${{ env.ENDPOINT }}" >> $GITHUB_OUTPUT
           echo "BASEIMAGE=${{ env.BASEIMAGE }}" >> $GITHUB_OUTPUT
           echo "MODNAME=${{ env.MODNAME }}" >> $GITHUB_OUTPUT
-          # **** If the mod needs to be versioned, set the versioning logic below. Otherwise leave as is. ****
-          MOD_VERSION=""
+          echo "MULTI_ARCH=${{ env.MULTI_ARCH }}" >> $GITHUB_OUTPUT
+          if [[ -z "${{ env.MOD_VERSION }}" ]]; then
+            # **** If the mod needs to be versioned, set the versioning logic below. Otherwise leave as is. ****
+            MOD_VERSION=$(curl -sX GET "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" | jq -r '.tag_name')
+          else
+            MOD_VERSION=${{ env.MOD_VERSION }}
+            echo "MOD_VERSION_OVERRIDE=true" >> $GITHUB_OUTPUT
+          fi
           echo "MOD_VERSION=${MOD_VERSION}" >> $GITHUB_OUTPUT
     outputs:
       GITHUB_REPO: ${{ steps.outputs.outputs.GITHUB_REPO }}
       ENDPOINT: ${{ steps.outputs.outputs.ENDPOINT }}
       BASEIMAGE: ${{ steps.outputs.outputs.BASEIMAGE }}
       MODNAME: ${{ steps.outputs.outputs.MODNAME }}
+      MULTI_ARCH: ${{ steps.outputs.outputs.MULTI_ARCH }}
       MOD_VERSION: ${{ steps.outputs.outputs.MOD_VERSION }}
+      MOD_VERSION_OVERRIDE: ${{ steps.outputs.outputs.MOD_VERSION_OVERRIDE }}
 
   build:
     uses: linuxserver/github-workflows/.github/workflows/docker-mod-builder.yml@v1
@@ -42,4 +59,6 @@ jobs:
       ENDPOINT: ${{ needs.set-vars.outputs.ENDPOINT }}
       BASEIMAGE: ${{ needs.set-vars.outputs.BASEIMAGE }}
       MODNAME: ${{ needs.set-vars.outputs.MODNAME }}
+      MULTI_ARCH: ${{ needs.set-vars.outputs.MULTI_ARCH }}
       MOD_VERSION: ${{ needs.set-vars.outputs.MOD_VERSION }}
+      MOD_VERSION_OVERRIDE: ${{ needs.set-vars.outputs.MOD_VERSION_OVERRIDE }}
diff --git a/Dockerfile b/Dockerfile
@@ -1,8 +1,32 @@
 # syntax=docker/dockerfile:1
 
+FROM ghcr.io/linuxserver/baseimage-alpine:3.20 AS buildstage
+
+ARG MOD_VERSION
+
+RUN \
+  mkdir -p /root-layer && \
+  if [[ -z "${MOD_VERSION}" ]]; then \
+    MOD_VERSION=$(curl -sX GET "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" \
+    | jq -r '.tag_name'); \
+  fi && \
+  if [[ -z ${MOD_VERSION+x} ]]; then \
+    echo "**** Could not fetch current bouncer version from Github ****" \
+    exit 1; \
+  fi && \
+  curl -sLo \
+    /root-layer/crowdsec-nginx-bouncer.tgz -L \
+    "https://github.com/crowdsecurity/cs-nginx-bouncer/releases/download/${MOD_VERSION}/crowdsec-nginx-bouncer.tgz" && \
+  if ! tar -tzf /root-layer/crowdsec-nginx-bouncer.tgz >/dev/null 2>&1; then \
+    echo "**** Invalid tarball, could not download crowdsec bouncer ****" \
+    exit 1; \
+  fi
+
+COPY root/ /root-layer/
+
 FROM scratch
 
 LABEL maintainer="thespad"
 
-# copy local files
-COPY root/ /
+# Add files from buildstage
+COPY --from=buildstage /root-layer/ /
diff --git a/README.md b/README.md
@@ -32,7 +32,6 @@ Set the following environment variables on your SWAG container.
 | `CROWDSEC_SITE_KEY` | **Optional** | CAPTCHA Site Key |
 | `CROWDSEC_SECRET_KEY` | **Optional** | CAPTCHA Secret Key |
 | `CROWDSEC_CAPTCHA_PROVIDER` | **Optional** | CAPTCHA Provider (currently supported providers are `recaptcha`, `hcaptcha`, `turnstile`), requires bouncer v1.0.5 or newer. |
-| `CROWDSEC_VERSION` | **Optional** | Specify a version of the bouncer to install instead of using the latest release, for example `v1.0.0`. Must be a valid [release tag](https://github.com/crowdsecurity/cs-nginx-bouncer/tags). **Does not support versions older than v1.0.0**. |
 | `CROWDSEC_F2B_DISABLE` | **Optional** | Set to `true` to disable swag's built-in fail2ban service if you don't need it |
 | `CROWDSEC_MODE` | **Optional** | Set to `live` (immediate update) or `stream` to update requests every CROWDSEC_UPDATE_FREQUENCY seconds. Defaults to `live` |
 | `CROWDSEC_UPDATE_FREQUENCY` | **Optional** | Set update frequency for use with `stream` mode. Defaults to `10`. |
@@ -73,6 +72,7 @@ e.g. `resolver  127.0.0.11 valid=30s ipv6=off;`
 
 ## Versions
 
+* **11.09.24:** - Move versioning to mod tags. Bundle tarball at build time.
 * **05.06.24:** - Add lua-resty-string.
 * **06.02.24:** - Add AppSec support.
 * **29.03.23:** - Support multiple captcha providers from upstream.

diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run
@@ -5,10 +5,9 @@ CONFIG_PATH="/config/crowdsec/"
 LIB_PATH="/usr/local/lua/crowdsec/"
 DATA_PATH="/var/lib/crowdsec/lua/"
 
-if [[ ${DOCKER_MODS_DEBUG_CURL,,} = "true" ]]; then
-  CURL_NOISE_LEVEL="-v"
-else
-  CURL_NOISE_LEVEL="--silent"
+if [[ ! -e "/crowdsec-nginx-bouncer.tgz" ]]; then
+    # Crowdsec bouncer already configured
+    exit 0
 fi
 
 echo "**** Configuring CrowdSec nginx Bouncer ****"
@@ -28,29 +27,11 @@ echo "\
     lua-sec \
     nginx-mod-http-lua" >> /mod-repo-packages-to-install.list
 
-# Download nginx bouncer
-if [[ -z ${CROWDSEC_VERSION+x} ]]; then \
-    CROWDSEC_VERSION=$(curl -s "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" | awk '/tag_name/{print $4;exit}' FS='[""]');
-fi
-
-if [[ -z ${CROWDSEC_VERSION+x} ]]; then \
-    echo "**** Could not fetch current bouncer version from Github ****"
-    exit 1
-fi
-
-curl "${CURL_NOISE_LEVEL}" -Lo \
-    /tmp/crowdsec.tar.gz -L \
-    "https://github.com/crowdsecurity/cs-nginx-bouncer/releases/download/${CROWDSEC_VERSION}/crowdsec-nginx-bouncer.tgz"
-
+# Extract nginx bouncer
 mkdir -p /tmp/crowdsec
 
-if ! tar -tzf /tmp/crowdsec.tar.gz >/dev/null 2>&1; then
-    echo "**** Invalid tarball, could not download crowdsec bouncer ****"
-    exit 1
-fi
-
 tar xf \
-    /tmp/crowdsec.tar.gz -C \
+    /crowdsec-nginx-bouncer.tgz -C \
     /tmp/crowdsec --strip-components=1
 
 mkdir -p "${CONFIG_PATH}"
@@ -97,20 +78,35 @@ if ! grep -q '[^#]include /etc/nginx/http.d/\*.conf;' '/config/nginx/nginx.conf'
     else
         # Warn about missing http.d include
         echo "
-        ********************************************************************
-        *    Warning: Your nginx.conf is missing required settings         *
-        *    Please add:                                                   *
-        *        include /etc/nginx/http.d/*.conf;                         *
-        *    to the http{} block and restart the container.                *
-        *                                                                  *
-        *    The CrowdSec bouncer will not function until this is done.    *
-        ********************************************************************"
+        ┌──────────────────────────────────────────────────────────────────┐
+        │    Warning: Your nginx.conf is missing required settings         │
+        │    Please add:                                                   │
+        │        include /etc/nginx/http.d/*.conf;                         │
+        │    to the http{} block and restart the container.                │
+        │                                                                  │
+        │    The CrowdSec bouncer will not function until this is done.    │
+        └──────────────────────────────────────────────────────────────────┘
+        "
     fi
 fi
 
 # Clean up
 rm -rf \
     /tmp/crowdsec \
-    /tmp/crowdsec.tar.gz
+    /crowdsec-nginx-bouncer.tgz
+
+if [[ -n ${CROWDSEC_VERSION} ]]; then
+    echo "
+    ┌─────────────────────────────────────────────────────────────────────────┐
+    │                             !! ATTENTION !!                             │
+    │                                                                         │
+    │                        This mod will ignore the                         │
+    │                  CROWDSEC_VERSION environment variable                  │
+    │                                                                         │
+    │                  Versioning is now handled by mod tags                  │
+    │ See https://hub.docker.com/r/linuxserver/mods/tags?name=swag-crowdsec-v │
+    │                     For a list of all available tags                    │
+    └─────────────────────────────────────────────────────────────────────────┘"
+fi
 
 echo "**** Successfully configured CrowdSec nginx Bouncer ${CROWDSEC_VERSION} ****"