diff --git a/.github/workflows/BuildImage.yml b/.github/workflows/BuildImage.yml
index 518b0d8..5b957cb 100644
--- a/.github/workflows/BuildImage.yml
+++ b/.github/workflows/BuildImage.yml
@@ -4,8 +4,8 @@ on: [push, pull_request, workflow_dispatch]
 env:
 ENDPOINT: "linuxserver/mods" #don't modify
- BASEIMAGE: "replace_baseimage" #replace
- MODNAME: "replace_modname" #replace
+ BASEIMAGE: "swag" #replace
+ MODNAME: "crowdsec" #replace
 jobs:
 build:
diff --git a/Dockerfile b/Dockerfile
index 4ece5e8..2a0c3cb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM scratch
-LABEL maintainer="username"
+LABEL maintainer="thespad"
 # copy local files
 COPY root/ /
diff --git a/Dockerfile.complex b/Dockerfile.complex
deleted file mode 100644
index db4598e..0000000
--- a/Dockerfile.complex
+++ /dev/null
@@ -1,23 +0,0 @@
-## Buildstage ##
-FROM ghcr.io/linuxserver/baseimage-alpine:3.12 as buildstage
-
-RUN \
- echo "**** install packages ****" && \
- apk add --no-cache \
- curl && \
- echo "**** grab rclone ****" && \
- mkdir -p /root-layer && \
- curl -o \
- /root-layer/rclone.deb -L \
- "https://downloads.rclone.org/v1.47.0/rclone-v1.47.0-linux-amd64.deb"
-
-# copy local files
-COPY root/ /root-layer/
-
-## Single layer deployed image ##
-FROM scratch
-
-LABEL maintainer="username"
-
-# Add files from buildstage
-COPY --from=buildstage /root-layer/ /
diff --git a/README.md b/README.md
index 761c799..6c2af22 100644
--- a/README.md
+++ b/README.md
@@ -1,25 +1,28 @@
-# Rsync - Docker mod for openssh-server
+# CrowdSec - Docker mod for SWAG
-This mod adds rsync to openssh-server, to be installed/updated during container start.
+This mod adds the [CrowdSec](https://crowdsec.net) [nginx bouncer](https://github.com/crowdsecurity/cs-nginx-bouncer/) to SWAG, to be installed/updated during container start.
-In openssh-server docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:openssh-server-rsync`
+In SWAG docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:swag-crowdsec`
-If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:openssh-server-rsync|linuxserver/mods:openssh-server-mod2`
+If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:swag-crowdsec|linuxserver/mods:swag-dbip`
-# Mod creation instructions
+## Mod usage instructions
-* Fork the repo, create a new branch based on the branch `template`.
-* Edit the `Dockerfile` for the mod. `Dockerfile.complex` is only an example and included for reference; it should be deleted when done.
-* Inspect the `root` folder contents. Edit, add and remove as necessary.
-* Edit this readme with pertinent info, delete these instructions.
-* Finally edit the `.github/workflows/BuildImage.yml`. Customize the build branch, and the vars for `BASEIMAGE` and `MODNAME`.
-* Ask the team to create a new branch named `-`. Baseimage should be the name of the image the mod will be applied to. The new branch will be based on the `template` branch.
-* Submit PR against the branch created by the team.
+If running CrowdSec in a container it must be on a common docker network with SWAG.
+Generate an API key for the bouncer with `cscli bouncers add bouncer-swag` or `docker exec -t crowdsec cscli bouncers add bouncer-swag`, if you're running CrowdSec in a container.
-## Tips and tricks
+Make a note of the API key as you can't retrieve it later without removing and re-adding the bouncer.
-* To decrease startup times when multiple mods are used, we have consolidated `apt-get update` down to one file. As seen in the [nodejs mod](https://github.com/linuxserver/docker-mods/tree/code-server-nodejs/root/etc/cont-init.d)
-* Some images has helpers built in, these images are currently:
- * [Openvscode-server](https://github.com/linuxserver/docker-openvscode-server/pull/10/files)
- * [Code-server](https://github.com/linuxserver/docker-code-server/pull/95)
+Set the following environment variables on your SWAG container.
+
+| | | |
+| --- | --- | --- |
+| `CROWDSEC_API_KEY` | **Required** | Your bouncer API key |
+| `CROWDSEC_LAPI_URL` | **Required** | Your local CrowdSec API endpoint, for example `http://crowdsec:8080` |
+| `CROWDSEC_SITE_KEY` | **Optional** | reCAPTCHA v2 Site Key |
+| `CROWDSEC_SECRET_KEY` | **Optional** | reCAPTCHA v2 Secret Key |
+| `CROWDSEC_VERSION` | **Optional** | Specify a version of the bouncer to install instead of using the latest release, for example `v1.0.0`. Must be a valid [release tag](https://github.com/crowdsecurity/cs-nginx-bouncer/tags). **Does not support versions older than v1.0.0**.
+| | | |
+
+The variables need to remain in place while you are using the mod. If you remove **required** variables the bouncer will be disabled the next time you recreate the container, if you remove **optional** variables the associated features will be disabled the next time you recreate the container.
diff --git a/root/etc/cont-init.d/98-crowdsec b/root/etc/cont-init.d/98-crowdsec
new file mode 100644
index 0000000..44191f3
--- /dev/null
+++ b/root/etc/cont-init.d/98-crowdsec
@@ -0,0 +1,68 @@
+#!/usr/bin/with-contenv bash
+
+CONFIG_PATH="/config/crowdsec/"
+LIB_PATH="/usr/local/lua/crowdsec/"
+DATA_PATH="/var/lib/crowdsec/lua/"
+
+echo "**** Configuring CrowdSec nginx Bouncer ****"
+
+# If API keys are missing, disable mod and exit
+if [[ -z $CROWDSEC_API_KEY ]] || [[ -z $CROWDSEC_LAPI_URL ]]; then
+ echo "**** Missing API key or CrowdSec LAPI URL, cannot configure bouncer ****"
+ exit 1
+fi
+
+apk add -U --upgrade --no-cache \
+ gettext \
+ lua5.1 \
+ lua5.1-cjson \
+ lua-resty-http \
+ lua-sec \
+ nginx-mod-http-lua
+
+# Download nginx bouncer
+if [ -z ${CROWDSEC_VERSION+x} ]; then \
+ CROWDSEC_VERSION=$(curl -sX GET "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" | awk '/tag_name/{print $4;exit}' FS='[""]');
+fi
+
+curl -so \
+ /tmp/crowdsec.tar.gz -L \
+ "https://github.com/crowdsecurity/cs-nginx-bouncer/releases/download/${CROWDSEC_VERSION}/crowdsec-nginx-bouncer.tgz"
+
+mkdir -p /tmp/crowdsec
+
+tar xf \
+ /tmp/crowdsec.tar.gz -C \
+ /tmp/crowdsec --strip-components=1
+
+# Inject API keys into config file
+mkdir -p "${CONFIG_PATH}"
+API_KEY=${CROWDSEC_API_KEY} CROWDSEC_LAPI_URL=${CROWDSEC_LAPI_URL} envsubst < /tmp/crowdsec/lua-mod/config_example.conf > "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
+
+# Change config path
+sed -i "s|/etc/crowdsec/bouncers/|${CONFIG_PATH}|" /tmp/crowdsec/nginx/crowdsec_nginx.conf
+
+# Copy files
+mkdir -p ${DATA_PATH}/templates/
+cp -r /tmp/crowdsec/lua-mod/templates/* ${DATA_PATH}/templates/
+
+mkdir -p ${LIB_PATH}plugins/crowdsec
+cp -r /tmp/crowdsec/lua-mod/lib/* ${LIB_PATH}
+
+cp /tmp/crowdsec/nginx/crowdsec_nginx.conf /etc/nginx/http.d
+
+# Sed in ReCaptcha keys
+sed -ir "s|SECRET_KEY=.*$|SECRET_KEY=${CROWDSEC_SECRET_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
+sed -ir "s|SITE_KEY=.*$|SITE_KEY=${CROWDSEC_SITE_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
+
+# Sed in crowdsec include
+if grep -q '#include /etc/nginx/http.d/\*.conf;' '/config/nginx/nginx.conf'; then
+ sed -i 's|#include /etc/nginx/http.d/\*.conf;|include /etc/nginx/http.d/\*.conf;|' /config/nginx/nginx.conf
+fi
+
+# Clean up
+rm -rf \
+ /tmp/crowdsec \
+ /tmp/crowdsec.tar.gz
+
+echo "**** Successfully configured CrowdSec nginx Bouncer ${CROWDSEC_VERSION} ****"
diff --git a/root/etc/cont-init.d/98-vpn-config b/root/etc/cont-init.d/98-vpn-config
deleted file mode 100644
index a5f9127..0000000
--- a/root/etc/cont-init.d/98-vpn-config
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-# Determine if setup is needed
-if [ ! -f /usr/local/lib/python***/dist-packages/sshuttle ] && \
-[ -f /usr/bin/apt ]; then
- ## Ubuntu
- apt-get update
- apt-get install --no-install-recommends -y \
- iptables \
- openssh-client \
- python3 \
- python3-pip
- pip3 install sshuttle
-fi
-if [ ! -f /usr/lib/python***/site-packages/sshuttle ] && \
-[ -f /sbin/apk ]; then
- # Alpine
- apk add --no-cache \
- iptables \
- openssh \
- py3-pip \
- python3
- pip3 install sshuttle
-fi
-
-chown -R root:root /root
-chmod -R 600 /root/.ssh
diff --git a/root/etc/services.d/sshvpn/run b/root/etc/services.d/sshvpn/run
deleted file mode 100644
index 7d49e79..0000000
--- a/root/etc/services.d/sshvpn/run
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-sshuttle --dns --remote root@${HOST}:${PORT} 0/0 -x 172.17.0.0/16
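Review bot: `sed -ir` on the two ReCaptcha lines is read as `-i` with backup suffix `r` rather than `-i -r`, so every container start leaves a `crowdsec-nginx-bouncer.confr` copy of the config, including the API key that `envsubst` injected, next to the live file in the persisted `${CONFIG_PATH}`; drop the `r` on both lines, e.g. `sed -i "s|SECRET_KEY=.*$|SECRET_KEY=${CROWDSEC_SECRET_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"` (the BRE works without `-r`). Separately, the script has no `set -e` and the release download is `curl -so ... -L` without `-f`, so a failed fetch (for instance an empty `CROWDSEC_VERSION` when the GitHub API lookup yields no `tag_name`) writes the error response to `/tmp/crowdsec.tar.gz`, `tar xf` fails, and the script still copies `crowdsec_nginx.conf`, enables the `http.d` include in `nginx.conf` and prints the success message. Consider `curl -sfo` and stopping when extraction fails, e.g. `tar xf /tmp/crowdsec.tar.gz -C /tmp/crowdsec --strip-components=1 || { echo "**** Failed to fetch bouncer ${CROWDSEC_VERSION} ****"; exit 1; }`, so nginx is not left pointing at a half-installed bouncer.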