diff --git a/.github/workflows/BuildImage.yml b/.github/workflows/BuildImage.yml
index 518b0d8..ae4e146 100644
--- a/.github/workflows/BuildImage.yml
+++ b/.github/workflows/BuildImage.yml
@@ -3,9 +3,9 @@ name: Build Image
 on: [push, pull_request, workflow_dispatch]
 env:
- ENDPOINT: "linuxserver/mods" #don't modify
- BASEIMAGE: "replace_baseimage" #replace
- MODNAME: "replace_modname" #replace
+ ENDPOINT: "linuxserver/mods"
+ BASEIMAGE: "swag"
+ MODNAME: "auto-proxy"
 jobs:
 build:
diff --git a/Dockerfile b/Dockerfile
index 4ece5e8..fca6f93 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM scratch
-LABEL maintainer="username"
+LABEL maintainer="aptalca"
 # copy local files
 COPY root/ /
diff --git a/Dockerfile.complex b/Dockerfile.complex
deleted file mode 100644
index db4598e..0000000
--- a/Dockerfile.complex
+++ /dev/null
@@ -1,23 +0,0 @@
-## Buildstage ##
-FROM ghcr.io/linuxserver/baseimage-alpine:3.12 as buildstage
-
-RUN \
- echo "**** install packages ****" && \
- apk add --no-cache \
- curl && \
- echo "**** grab rclone ****" && \
- mkdir -p /root-layer && \
- curl -o \
- /root-layer/rclone.deb -L \
- "https://downloads.rclone.org/v1.47.0/rclone-v1.47.0-linux-amd64.deb"
-
-# copy local files
-COPY root/ /root-layer/
-
-## Single layer deployed image ##
-FROM scratch
-
-LABEL maintainer="username"
-
-# Add files from buildstage
-COPY --from=buildstage /root-layer/ /
diff --git a/README.md b/README.md
index 5636dec..fb526fb 100644
--- a/README.md
+++ b/README.md
@@ -1,17 +1,37 @@
-# Rsync - Docker mod for openssh-server
+# Auto-proxy - Docker mod for SWAG
-This mod adds rsync to openssh-server, to be installed/updated during container start.
+This mod gives SWAG the ability to auto-detect running containers via labels and automatically enable reverse proxy for them.
-In openssh-server docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:openssh-server-rsync`
+## Requirements:
+- This mod needs the `universal-docker` mod installed and set up with either mapping `docker.sock` or setting the environment variable `DOCKER_HOST=remoteaddress`.
+- Other containers to be auto-detected and reverse proxied should be in the same [user defined bridge network](https://docs.linuxserver.io/general/swag#docker-networking) as SWAG.
+- Containers to be auto-detected and reverse proxied must have a label `swag=enable` at a minimum.
+- To benefit from curated preset proxy confs we provide, the container name must match the container names that are suggested in our readme examples (ie. `radarr` and not `Radarr-4K`).
-If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:openssh-server-rsync|linuxserver/mods:openssh-server-mod2`
+## Labels:
+- `swag=enable` - required for auto-detection
+- `swag_port=80` - *optional* - overrides *internal* exposed port
+- `swag_proto=http` - *optional* - overrides internal proto (defaults to http)
+- `swag_url=containername.domain.com` - *optional* - overrides *server_name* (defaults to `containername.*`)
+- `swag_auth=authelia` - *optional* - enables auth methods (options are `authelia`, `ldap` and `http` for basic http auth)
+- `swag_auth_bypass=/api,/othersubfolder` - *optional* - bypasses auth for selected subfolders. Comma separated, no spaces.
-# Mod creation instructions
-* Fork the repo, create a new branch based on the branch `template`.
-* Edit the `Dockerfile` for the mod. `Dockerfile.complex` is only an example and included for reference; it should be deleted when done.
-* Inspect the `root` folder contents. Edit, add and remove as necessary.
-* Edit this readme with pertinent info, delete these instructions.
-* Finally edit the `.github/workflows/BuildImage.yml`. Customize the build branch, and the vars for `BASEIMAGE` and `MODNAME`.
-* Ask the team to create a new branch named `-`. Baseimage should be the name of the image the mod will be applied to. The new branch will be based on the `template` branch.
-* Submit PR against the branch created by the team.
+In SWAG docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:universal-docker|linuxserver/mods:swag-auto-proxy` and either add a volume mapping for `/var/run/docker.sock:/var/run/docker.sock:ro`, or set an environment var `DOCKER_HOST=remoteaddress`.
+
+## Security Consideration:
+Mapping the `docker.sock`, especially in a publicly accessible container is a security liability. Since this mod only needs read-only access to the docker api, the recommended method is to proxy the `docker.sock` via a solution like [tecnativa/docker-socket-proxy](https://hub.docker.com/r/tecnativa/docker-socket-proxy), limit the access, and set `DOCKER_HOST=` to point to the proxy address.
+
+Here's a sample compose yaml snippet for tecnativa/docker-socket-proxy:
+```yaml
+ dockerproxy:
+ image: ghcr.io/tecnativa/docker-socket-proxy:latest
+ container_name: dockerproxy
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ restart: unless-stopped
+ environment:
+ - CONTAINERS=1
+ - POST=0
+```
+Then the env var in SWAG can be set as `DOCKER_HOST=dockerproxy`. This will allow docker cli in SWAG to be able to retrieve info on other containers, but it won't be allowed to spin up new containers.
diff --git a/root/app/auto-proxy.sh b/root/app/auto-proxy.sh
new file mode 100755
index 0000000..24f2b2f
--- /dev/null
+++ b/root/app/auto-proxy.sh
@@ -0,0 +1,145 @@
+#!/usr/bin/with-contenv bash
+
+AUTO_GEN=""
+# figure out which containers to generate confs for or which confs to remove
+if [ ! -f /auto-proxy/enabled_containers ]; then
+ docker ps --filter "label=swag=enable" --format "{{.Names}}" > /auto-proxy/enabled_containers
+ AUTO_GEN=$(cat /auto-proxy/enabled_containers)
+else
+ ENABLED_CONTAINERS=$(docker ps --filter "label=swag=enable" --format "{{.Names}}")
+ for CONTAINER in ${ENABLED_CONTAINERS}; do
+ if [ ! -f "/auto-proxy/${CONTAINER}.conf" ]; then
+ echo "**** New container ${CONTAINER} detected, will generate new conf. ****"
+ AUTO_GEN="${CONTAINER} ${AUTO_GEN}"
+ else
+ INSPECTION=$(docker inspect ${CONTAINER})
+ for VAR in swag_port swag_proto swag_url swag_auth swag_auth_bypass; do
+ VAR_VALUE=$(echo ${INSPECTION} | jq -r ".[0].Config.Labels[\"${VAR}\"]")
+ if [ "${VAR_VALUE}" == "null" ]; then
+ VAR_VALUE=""
+ fi
+ if ! grep -q "${VAR}=\"${VAR_VALUE}\"" "/auto-proxy/${CONTAINER}.conf"; then
+ AUTO_GEN="${CONTAINER} ${AUTO_GEN}"
+ echo "**** Labels for ${CONTAINER} changed, will generate new conf. ****"
+ break
+ fi
+ done
+ fi
+ done
+ EXISTING_CONFS=$(cat /auto-proxy/enabled_containers)
+ for CONTAINER in $EXISTING_CONFS; do
+ if ! grep -q "${CONTAINER}" <<< "${ENABLED_CONTAINERS}"; then
+ echo "**** Removing conf for ${CONTAINER} ****"
+ rm -rf "/auto-proxy/${CONTAINER}.conf" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ REMOVED_CONTAINERS="true"
+ fi
+ done
+ echo "${ENABLED_CONTAINERS}" > /auto-proxy/enabled_containers
+fi
+
+for CONTAINER in ${AUTO_GEN}; do
+ INSPECTION=$(docker inspect ${CONTAINER})
+ rm -rf "/auto-proxy/${CONTAINER}.conf"
+ for VAR in swag_port swag_proto swag_url swag_auth swag_auth_bypass; do
+ VAR_VALUE=$(echo ${INSPECTION} | jq -r ".[0].Config.Labels[\"${VAR}\"]")
+ if [ "${VAR_VALUE}" == "null" ]; then
+ VAR_VALUE=""
+ fi
+ echo "${VAR}=\"${VAR_VALUE}\"" >> "/auto-proxy/${CONTAINER}.conf"
+ done
+ . /auto-proxy/${CONTAINER}.conf
+ if [ -f "/config/nginx/proxy-confs/${CONTAINER}.subdomain.conf.sample" ]; then
+ cp "/config/nginx/proxy-confs/${CONTAINER}.subdomain.conf.sample" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ echo "**** Using preset proxy conf for ${CONTAINER} ****"
+ if [ -n "${swag_auth_bypass}" ]; then
+ echo "**** Swag auth bypass is auto managed via preset confs and cannot be overridden via env vars ****"
+ fi
+ if [ -n "${swag_port}" ]; then
+ sed -i "s|set \$upstream_port .*|set \$upstream_port ${swag_port};|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ echo "**** Overriding port for ${CONTAINER} ****"
+ fi
+ if [ -n "${swag_proto}" ]; then
+ sed -i "s|set \$upstream_proto .*|set \$upstream_proto ${swag_proto};|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ echo "**** Overriding proto for ${CONTAINER} ****"
+ fi
+ if [ -n "${swag_url}" ]; then
+ sed -i "s|server_name .*|server_name ${swag_url};|" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ echo "**** Overriding url for ${CONTAINER} ****"
+ fi
+ if [ "${swag_auth}" == "authelia" ]; then
+ sed -i "s|#include /config/nginx/authelia|include /config/nginx/authelia|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ echo "**** Enabling Authelia for ${CONTAINER} ****"
+ elif [ "${swag_auth}" == "http" ]; then
+ sed -i "s|#auth_basic|auth_basic|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ echo "**** Enabling basic http auth for ${CONTAINER} ****"
+ elif [ "${swag_auth}" == "ldap" ]; then
+ sed -i "s|#include /config/nginx/ldap.conf;|include /config/nginx/ldap.conf;|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ sed -i "s|#auth_request /auth;|auth_request /auth;|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ sed -i "s|#error_page 401 =200 /ldaplogin;|error_page 401 =200 /ldaplogin;|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ echo "**** Enabling basic http auth for ${CONTAINER} ****"
+ fi
+ else
+ echo "**** No preset proxy conf found for ${CONTAINER}, generating from scratch ****"
+ cp "/config/nginx/proxy-confs/_template.subdomain.conf.sample" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ if [ -n "${swag_auth_bypass}" ]; then
+ sed -i 's|^}$||' "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ for location in $(echo ${swag_auth_bypass} | tr "," " "); do
+ cat <> "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+
+ location ~ ${location} {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set \$upstream_app ;
+ set \$upstream_port ;
+ set \$upstream_proto ;
+ proxy_pass \$upstream_proto://\$upstream_app:\$upstream_port;
+
+ }
+
+DUDE
+ done
+ echo "}" >> "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ fi
+ sed -i "s||${CONTAINER}|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ if [ -z "${swag_port}" ]; then
+ swag_port=$(docker inspect ${CONTAINER} | jq -r '.[0].NetworkSettings.Ports | keys[0]' | sed 's|/.*||')
+ if [ "${swag_port}" == "null" ]; then
+ echo "**** No exposed ports found for ${CONTAINER}. Setting reverse proxy port to 80. ****"
+ swag_port="80"
+ fi
+ fi
+ sed -i "s|set \$upstream_port .*|set \$upstream_port ${swag_port};|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ echo "**** Setting port ${swag_port} for ${CONTAINER} ****"
+ if [ -z "${swag_proto}" ]; then
+ swag_proto="http"
+ fi
+ sed -i "s|set \$upstream_proto .*|set \$upstream_proto ${swag_proto};|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ echo "**** Setting proto ${swag_proto} for ${CONTAINER} ****"
+ if [ -z "${swag_url}" ]; then
+ swag_url="${CONTAINER}.*"
+ fi
+ sed -i "s|server_name .*|server_name ${swag_url};|" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ echo "**** Setting url ${swag_url} for ${CONTAINER} ****"
+ if [ "${swag_auth}" == "authelia" ]; then
+ sed -i "s|#include /config/nginx/authelia|include /config/nginx/authelia|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ echo "**** Enabling Authelia for ${CONTAINER} ****"
+ elif [ "${swag_auth}" == "http" ]; then
+ sed -i "s|#auth_basic|auth_basic|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ echo "**** Enabling basic http auth for ${CONTAINER} ****"
+ elif [ "${swag_auth}" == "ldap" ]; then
+ sed -i "s|#include /config/nginx/ldap.conf;|include /config/nginx/ldap.conf;|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ sed -i "s|#auth_request /auth;|auth_request /auth;|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ sed -i "s|#error_page 401 =200 /ldaplogin;|error_page 401 =200 /ldaplogin;|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
+ echo "**** Enabling basic http auth for ${CONTAINER} ****"
+ fi
+ fi
+done
+
+if ([ -n "${AUTO_GEN}" ] || [ "${REMOVED_CONTAINERS}" == "true" ]) && ps aux | grep [n]ginx: > /dev/null; then
+ if /usr/sbin/nginx -c /config/nginx/nginx.conf -t; then
+ echo "**** Changes to nginx config are valid, reloading nginx ****"
+ /usr/sbin/nginx -c /config/nginx/nginx.conf -s reload
+ else
+ echo "**** Changes to nginx config are not valid, skipping nginx reload. Please double check the config including the auto-proxy confs. ****"
+ fi
+fi
diff --git a/root/defaults/auto-proxy-readme b/root/defaults/auto-proxy-readme
new file mode 100644
index 0000000..aba23dc
--- /dev/null
+++ b/root/defaults/auto-proxy-readme
@@ -0,0 +1,2 @@
+The files named "auto-proxy-.subdomain.conf" are managed by the SWAG-auto-proxy mod.
+*** Do not manually modify those files ***
\ No newline at end of file
diff --git a/root/etc/cont-finish.d/98-auto-proxy b/root/etc/cont-finish.d/98-auto-proxy
new file mode 100644
index 0000000..b0241f7
--- /dev/null
+++ b/root/etc/cont-finish.d/98-auto-proxy
@@ -0,0 +1,4 @@
+#!/usr/bin/with-contenv bash
+
+sed -i '/\/app\/auto-proxy.sh/d' /config/crontabs/root
+rm -rf /config/nginx/proxy-confs/auto-proxy*.conf
diff --git a/root/etc/cont-init.d/98-auto-proxy b/root/etc/cont-init.d/98-auto-proxy
new file mode 100644
index 0000000..1b5d12b
--- /dev/null
+++ b/root/etc/cont-init.d/98-auto-proxy
@@ -0,0 +1,18 @@
+#!/usr/bin/with-contenv bash
+
+if [ ! -f /usr/local/bin/docker ]; then
+ echo "**** Docker mod not installed, skipping SWAG auto-proxy ****"
+ exit 0
+fi
+
+rm -rf /config/nginx/proxy-confs/auto-proxy*.conf
+cp /defaults/auto-proxy-readme /config/nginx/proxy-confs/auto-proxy-readme
+rm -rf /auto-proxy
+mkdir /auto-proxy
+
+if ! grep -q "/app/auto-proxy.sh" /config/crontabs/root; then
+ echo "* * * * * /app/auto-proxy.sh" >> /config/crontabs/root
+ cp /config/crontabs/root /etc/crontabs/root
+fi
+
+/app/auto-proxy.sh
diff --git a/root/etc/cont-init.d/98-vpn-config b/root/etc/cont-init.d/98-vpn-config
deleted file mode 100644
index a5f9127..0000000
--- a/root/etc/cont-init.d/98-vpn-config
+++ /dev/null
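Review bot: Label values are written to `/auto-proxy/${CONTAINER}.conf` as `VAR="value"` and then executed with `. /auto-proxy/${CONTAINER}.conf`, so any container on the host whose `swag_url` (or another `swag_*` label) contains `"` followed by `;`, or a `$(...)` substitution, runs arbitrary commands as root inside the publicly exposed SWAG container; the same unvalidated values are also spliced into the nginx conf through `sed` expressions that use `|` as delimiter, where a `|`, `&`, `;` or newline in a label corrupts or extends the generated conf. Anyone able to set labels already has some Docker API access, but the README pitches this mod for a read-only socket-proxy setup, and that boundary is crossed here. Assign the values with `printf -v` instead of sourcing the file, and reject anything outside the hostname/port/scheme/path character set before it reaches `sed` or the conf, as below. Separately, the removal check `grep -q "${CONTAINER}" <<< "${ENABLED_CONTAINERS}"` is a substring match, so a stopped container `app` is never cleaned up while `app2` is running; use `grep -qx "${CONTAINER}"`. The `cat <> ...` heredoc line appears garbled in this rendering, so its exact form could not be checked.
```shell
# … unchanged: container discovery / change detection loop …
for CONTAINER in ${AUTO_GEN}; do
    INSPECTION=$(docker inspect "${CONTAINER}")
    rm -rf "/auto-proxy/${CONTAINER}.conf"
    for VAR in swag_port swag_proto swag_url swag_auth swag_auth_bypass; do
        VAR_VALUE=$(echo "${INSPECTION}" | jq -r ".[0].Config.Labels[\"${VAR}\"]")
        if [ "${VAR_VALUE}" == "null" ]; then
            VAR_VALUE=""
        fi
        # values end up inside nginx directives and sed expressions: accept only
        # hostname / port / scheme / path characters, drop anything else
        if ! [[ "${VAR_VALUE}" =~ ^[A-Za-z0-9._~/,*-]*$ ]]; then
            echo "**** Ignoring label ${VAR} on ${CONTAINER}: unexpected characters ****"
            VAR_VALUE=""
        fi
        echo "${VAR}=\"${VAR_VALUE}\"" >> "/auto-proxy/${CONTAINER}.conf"
        # assign directly; the conf file is only a change-detection record, never sourced
        printf -v "${VAR}" '%s' "${VAR_VALUE}"
    done
    # … unchanged: preset / _template conf generation …
done
```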
@@ -1,27 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-# Determine if setup is needed
-if [ ! -f /usr/local/lib/python***/dist-packages/sshuttle ] && \
-[ -f /usr/bin/apt ]; then
- ## Ubuntu
- apt-get update
- apt-get install --no-install-recommends -y \
- iptables \
- openssh-client \
- python3 \
- python3-pip
- pip3 install sshuttle
-fi
-if [ ! -f /usr/lib/python***/site-packages/sshuttle ] && \
-[ -f /sbin/apk ]; then
- # Alpine
- apk add --no-cache \
- iptables \
- openssh \
- py3-pip \
- python3
- pip3 install sshuttle
-fi
-
-chown -R root:root /root
-chmod -R 600 /root/.ssh
diff --git a/root/etc/services.d/sshvpn/run b/root/etc/services.d/sshvpn/run
deleted file mode 100644
index 7d49e79..0000000
--- a/root/etc/services.d/sshvpn/run
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-sshuttle --dns --remote root@${HOST}:${PORT} 0/0 -x 172.17.0.0/16