Publish swag-crowdsec mod (#315)

.github/workflows/BuildImage.yml

@@ -4,8 +4,8 @@ on: [push, pull_request, workflow_dispatch]
 
 env:
   ENDPOINT: "linuxserver/mods" #don't modify
-  BASEIMAGE: "replace_baseimage" #replace
-  MODNAME: "replace_modname" #replace
+  BASEIMAGE: "swag" #replace
+  MODNAME: "crowdsec" #replace
 
 jobs:
   build:

Dockerfile

@@ -1,6 +1,6 @@
 FROM scratch
 
-LABEL maintainer="username"
+LABEL maintainer="thespad"
 
 # copy local files
 COPY root/ /

Dockerfile.complex

@@ -1,23 +0,0 @@
-## Buildstage ##
-FROM ghcr.io/linuxserver/baseimage-alpine:3.12 as buildstage
-
-RUN \
- echo "**** install packages ****" && \
- apk add --no-cache \
-	curl && \
- echo "**** grab rclone ****" && \
- mkdir -p /root-layer && \
- curl -o \
-	/root-layer/rclone.deb -L \
-	"https://downloads.rclone.org/v1.47.0/rclone-v1.47.0-linux-amd64.deb"
-
-# copy local files
-COPY root/ /root-layer/
-
-## Single layer deployed image ##
-FROM scratch
-
-LABEL maintainer="username"
-
-# Add files from buildstage
-COPY --from=buildstage /root-layer/ /

README.md

@@ -1,25 +1,28 @@
-# Rsync - Docker mod for openssh-server
+# CrowdSec - Docker mod for SWAG
 
-This mod adds rsync to openssh-server, to be installed/updated during container start.
+This mod adds the [CrowdSec](https://crowdsec.net) [nginx bouncer](https://github.com/crowdsecurity/cs-nginx-bouncer/) to SWAG, to be installed/updated during container start.
 
-In openssh-server docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:openssh-server-rsync`
+In SWAG docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:swag-crowdsec`
 
-If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:openssh-server-rsync|linuxserver/mods:openssh-server-mod2`
+If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:swag-crowdsec|linuxserver/mods:swag-dbip`
 
-# Mod creation instructions
+## Mod usage instructions
 
-* Fork the repo, create a new branch based on the branch `template`.
-* Edit the `Dockerfile` for the mod. `Dockerfile.complex` is only an example and included for reference; it should be deleted when done.
-* Inspect the `root` folder contents. Edit, add and remove as necessary.
-* Edit this readme with pertinent info, delete these instructions.
-* Finally edit the `.github/workflows/BuildImage.yml`. Customize the build branch, and the vars for `BASEIMAGE` and `MODNAME`.
-* Ask the team to create a new branch named `<baseimagename>-<modname>`. Baseimage should be the name of the image the mod will be applied to. The new branch will be based on the `template` branch.
-* Submit PR against the branch created by the team.
+If running CrowdSec in a container it must be on a common docker network with SWAG.
 
+Generate an API key for the bouncer with `cscli bouncers add bouncer-swag` or `docker exec -t crowdsec cscli bouncers add bouncer-swag`, if you're running CrowdSec in a container.
 
-## Tips and tricks
+Make a note of the API key as you can't retrieve it later without removing and re-adding the bouncer.
 
-* To decrease startup times when multiple mods are used, we have consolidated `apt-get update` down to one file. As seen in the [nodejs mod](https://github.com/linuxserver/docker-mods/tree/code-server-nodejs/root/etc/cont-init.d)
-* Some images has helpers built in, these images are currently:
-    * [Openvscode-server](https://github.com/linuxserver/docker-openvscode-server/pull/10/files)
-    * [Code-server](https://github.com/linuxserver/docker-code-server/pull/95)
+Set the following environment variables on your SWAG container.
+
+| | | |
+| --- | --- | --- |
+| `CROWDSEC_API_KEY` | **Required** | Your bouncer API key |
+| `CROWDSEC_LAPI_URL` | **Required** | Your local CrowdSec API endpoint, for example `http://crowdsec:8080` |
+| `CROWDSEC_SITE_KEY` | **Optional** | reCAPTCHA v2 Site Key |
+| `CROWDSEC_SECRET_KEY` | **Optional** | reCAPTCHA v2 Secret Key |
+| `CROWDSEC_VERSION` | **Optional** | Specify a version of the bouncer to install instead of using the latest release, for example `v1.0.0`. Must be a valid [release tag](https://github.com/crowdsecurity/cs-nginx-bouncer/tags). **Does not support versions older than v1.0.0**.
+| | | |
+
+The variables need to remain in place while you are using the mod. If you remove **required** variables the bouncer will be disabled the next time you recreate the container, if you remove **optional** variables the associated features will be disabled the next time you recreate the container.

root/etc/cont-init.d/98-crowdsec

@@ -0,0 +1,68 @@
+#!/usr/bin/with-contenv bash
+
+CONFIG_PATH="/config/crowdsec/"
+LIB_PATH="/usr/local/lua/crowdsec/"
+DATA_PATH="/var/lib/crowdsec/lua/"
+
+echo "**** Configuring CrowdSec nginx Bouncer ****"
+
+# If API keys are missing, disable mod and exit
+if [[ -z $CROWDSEC_API_KEY ]] || [[ -z $CROWDSEC_LAPI_URL ]]; then
+    echo "**** Missing API key or CrowdSec LAPI URL, cannot configure bouncer ****"
+    exit 1
+fi
+
+apk add -U --upgrade --no-cache \
+    gettext \
+    lua5.1 \
+    lua5.1-cjson \
+    lua-resty-http \
+    lua-sec \
+    nginx-mod-http-lua
+
+# Download nginx bouncer
+if [ -z ${CROWDSEC_VERSION+x} ]; then \
+    CROWDSEC_VERSION=$(curl -sX GET "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" | awk '/tag_name/{print $4;exit}' FS='[""]');
+fi
+
+curl -so \
+    /tmp/crowdsec.tar.gz -L \
+    "https://github.com/crowdsecurity/cs-nginx-bouncer/releases/download/${CROWDSEC_VERSION}/crowdsec-nginx-bouncer.tgz"
+
+mkdir -p /tmp/crowdsec
+
+tar xf \
+    /tmp/crowdsec.tar.gz -C \
+    /tmp/crowdsec --strip-components=1
+
+# Inject API keys into config file
+mkdir -p "${CONFIG_PATH}"
+API_KEY=${CROWDSEC_API_KEY} CROWDSEC_LAPI_URL=${CROWDSEC_LAPI_URL} envsubst < /tmp/crowdsec/lua-mod/config_example.conf > "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
+
+# Change config path
+sed -i "s|/etc/crowdsec/bouncers/|${CONFIG_PATH}|" /tmp/crowdsec/nginx/crowdsec_nginx.conf
+
+# Copy files
+mkdir -p ${DATA_PATH}/templates/
+cp -r /tmp/crowdsec/lua-mod/templates/* ${DATA_PATH}/templates/
+
+mkdir -p ${LIB_PATH}plugins/crowdsec
+cp -r /tmp/crowdsec/lua-mod/lib/* ${LIB_PATH}
+
+cp /tmp/crowdsec/nginx/crowdsec_nginx.conf /etc/nginx/http.d
+
+# Sed in ReCaptcha keys
+sed -ir "s|SECRET_KEY=.*$|SECRET_KEY=${CROWDSEC_SECRET_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
+sed -ir "s|SITE_KEY=.*$|SITE_KEY=${CROWDSEC_SITE_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
+
+# Sed in crowdsec include
+if grep -q '#include /etc/nginx/http.d/\*.conf;' '/config/nginx/nginx.conf'; then
+    sed -i 's|#include /etc/nginx/http.d/\*.conf;|include /etc/nginx/http.d/\*.conf;|' /config/nginx/nginx.conf
+fi
+
+# Clean up
+rm -rf \
+    /tmp/crowdsec \
+    /tmp/crowdsec.tar.gz
+
+echo "**** Successfully configured CrowdSec nginx Bouncer ${CROWDSEC_VERSION} ****"

root/etc/cont-init.d/98-vpn-config

@@ -1,27 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-# Determine if setup is needed
-if [ ! -f /usr/local/lib/python***/dist-packages/sshuttle ] && \
-[ -f /usr/bin/apt ]; then
-  ## Ubuntu
-  apt-get update
-  apt-get install --no-install-recommends -y \
-    iptables \
-    openssh-client \
-    python3 \
-    python3-pip 
-  pip3 install sshuttle
-fi
-if [ ! -f /usr/lib/python***/site-packages/sshuttle ] && \
-[ -f /sbin/apk ]; then
-  # Alpine
-  apk add --no-cache \
-    iptables \
-    openssh \
-    py3-pip \
-    python3 
-  pip3 install sshuttle
-fi
-
-chown -R root:root /root
-chmod -R 600 /root/.ssh

root/etc/services.d/sshvpn/run

@@ -1,3 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-sshuttle --dns --remote root@${HOST}:${PORT} 0/0 -x 172.17.0.0/16