universal: cloudflared mod initial release

.github/workflows/BuildImage.yml

@@ -4,8 +4,8 @@ on: [push, pull_request, workflow_dispatch]
 
 env:
   ENDPOINT: "linuxserver/mods" #don't modify
-  BASEIMAGE: "swag" #replace
-  MODNAME: "ioncube" #replace
+  BASEIMAGE: "universal" #replace
+  MODNAME: "cloudflared" #replace
 
 jobs:
   build:

Dockerfile

@@ -1,6 +1,34 @@
+# Build container
+FROM golang:alpine AS buildstage
+
+RUN mkdir /cloudflared
+WORKDIR /src
+
+RUN apk --no-cache add git build-base curl jq
+
+ENV GO111MODULE=on \
+    CGO_ENABLED=0
+
+RUN curl -s https://api.github.com/repos/cloudflare/cloudflared/releases/latest \
+  | jq -rc ".tag_name" \
+  | xargs -I TAG sh -c 'git -c advice.detachedHead=false clone https://github.com/cloudflare/cloudflared --depth=1 --branch TAG .'
+
+RUN GOOS=linux GOARCH=amd64 make cloudflared
+RUN mv cloudflared /cloudflared/cloudflared-amd64
+
+RUN GOOS=linux GOARCH=arm64 make cloudflared
+RUN mv cloudflared /cloudflared/cloudflared-arm64
+
+RUN GOOS=linux GOARCH=arm make cloudflared
+RUN mv cloudflared /cloudflared/cloudflared-armhf
+
+# Runtime container
 FROM scratch
+WORKDIR /
 
 LABEL maintainer="Spunkie"
 
+# copy cloudflared bins
+COPY --from=buildstage /cloudflared /cloudflared
 # copy local files
 COPY root/ /

README.md

@@ -1,7 +1,73 @@
-# Ioncube Loader - Docker mod for SWAG/nginx
+# Cloudflared - Universal docker mod
 
-This mod adds Ioncube loader to SWAG/nginx, to be installed/updated during container start.
+In docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:universal-cloudflared`
 
-In SWAG/nginx docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:swag-ioncube`
+If no additional parameters are supplied this mod builds `cloudflared` from [source](https://github.com/cloudflare/cloudflared) using the [latest release tag](https://github.com/cloudflare/cloudflared/releases/latest) and adds it to [any LSIO docker image](https://fleet.linuxserver.io/).
 
-If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:swag-ioncube|linuxserver/mods:swag-auto-reload`
+If all additional parameters are supplied this docker mod will also create/configure/route/enable a cloudflare tunnel via `cloudflared` and the cloudflare v4 API.
+
+## Usage
+
+Here an example snippet to help you get started using this docker mod.
+
+### docker-compose ([recommended](https://docs.linuxserver.io/general/docker-compose))
+
+```yaml
+  swag:
+    image: ghcr.io/linuxserver/swag
+    container_name: swag
+    cap_add:
+      - NET_ADMIN
+    environment:
+      PUID: 1000
+      PGID: 1000
+      TZ: Europe/London
+      URL: yourdomain.url
+      SUBDOMAINS: test,gitlab,gitlab-ssh,
+      VALIDATION: dns
+      DNSPLUGIN: cloudflare #optional
+      ONLY_SUBDOMAINS: true #optional
+      EMAIL: #optional
+      EXTRA_DOMAINS: #optional
+      STAGING: false #optional
+      DOCKER_MODS: linuxserver/mods:universal-cloudflared
+      CF_ZONE_ID: #optional
+      CF_ACCOUNT_ID: #optional
+      CF_API_TOKEN: #optional
+      CF_TUNNEL_NAME: example #optional
+      CF_TUNNEL_PASSWORD: pleasedontusethisexamplepassword #optional
+      CF_TUNNEL_CONFIG: | #optional
+        ingress:
+          - hostname: test.yourdomain.url
+            service: hello_world
+          - hostname: gitlab.yourdomain.url
+            service: https://localhost:443
+          - hostname: gitlab-ssh.yourdomain.url
+            service: ssh://localhost:22
+          - service: http_status:404
+    volumes:
+      - /path/to/appdata/config:/config
+    ports:
+      - 443:443
+      # - 80:80 #optional
+    restart: unless-stopped
+```
+
+## Parameters
+
+Container images/mods are configured using parameters passed at runtime (such as those above).
+
+| Parameter | Function | Notes |
+| :----: | --- | --- |
+| `DOCKER_MODS` | Enabled this docker mod with `linuxserver/mods:universal-cloudflared` | If adding multiple mods, enter them in an array separated by `\|`, such as `DOCKER_MODS: linuxserver/mods:universal-cloudflared\|linuxserver/mods:universal-mod2` |
+
+### Optional tunnel parameters 
+
+| Parameter | Function | Notes |
+| :----: | --- | --- |
+| `CF_ZONE_ID` | Cloudflare zone ID |   |
+| `CF_ACCOUNT_ID` | Cloudflare account ID |   |
+| `CF_API_TOKEN` | Cloudflare API token | Must have the `Account.Argo Tunnel:Edit` and `Zone.DNS:Edit` permissions. |
+| `CF_TUNNEL_NAME` | Cloudflare tunnel name |   |
+| `CF_TUNNEL_PASSWORD` | Cloudflare tunnel password | 32 char minimum |
+| `CF_TUNNEL_CONFIG` | Cloudflare tunnel config, please refer to cloudflares official tunnel docs. | Do not add `tunnel`/`credentials-file` headers, these are handled automatically. |

root/etc/cont-init.d/98-cloudflared-config

@@ -0,0 +1,195 @@
+#!/usr/bin/with-contenv bash
+
+echo "**** Cloudflared setup script init... ****"
+
+echo "**** Checking cloudflared setup script requirements... ****"
+ARCH="$(command arch)"
+if [ "${ARCH}" = "x86_64" ]; then 
+  ARCH="amd64"
+elif [ "${ARCH}" = "aarch64" ]; then 
+  ARCH="arm64" 
+elif [ "${ARCH}" = "armv7l" ]; then 
+  ARCH="armhf" 
+else
+  echo "**** Unsupported Linux architecture ${ARCH} found, exiting... ****"
+  exit 1
+fi
+echo "**** Linux architecture found: ${ARCH} ****"
+
+UBUNTU=false
+ALPINE=false
+if [ -f /usr/bin/apt ]; then
+  UBUNTU=true
+  echo "**** Linux distro found: ubuntu ****"
+elif [ -f /sbin/apk ]; then
+  ALPINE=true
+  echo "**** Linux distro found: alpine ****"
+else
+  echo "**** Unknown Linux distro, exiting... ****"
+  exit 1
+fi
+
+echo "**** Checking for cloudflared setup script dependencies... ****"
+YQARCH="${ARCH}"
+if [ "${YQ_ARCH}" = "armhf" ]; then 
+  YQARCH="arm" 
+fi
+echo "**** Temporarily installing /tmp/yq... ****"
+curl -sLo /tmp/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${YQARCH}
+chmod +x /tmp/yq
+
+declare -A CLEANUP=( [curl]=false [jq]=false )
+for PKG in "${!CLEANUP[@]}"; do
+  if [ -x "$(command -v ${PKG})" ]; then
+    echo "**** ${PKG} already installed, skipping... ****"
+  else
+    CLEANUP[$PKG]=true
+    echo "**** Temporarily installing ${PKG}... ****"
+    if $ALPINE; then
+      apk add --no-cache ${PKG}
+    elif $UBUNTU; then
+      apt-get -qqy install --no-install-recommends ${PKG}
+    fi
+  fi
+done
+
+echo "**** Installing cloudflared...****"
+if [ -d "/cloudflared/" ]; then
+  echo "**** Moving /cloudflared/cloudflared-${ARCH} to /usr/local/bin/cloudflared... ****"
+  mv /cloudflared/cloudflared-${ARCH} /usr/local/bin/cloudflared
+
+  echo "**** Deleting tmp /cloudflared dir... ****"
+  rm -rf /cloudflared 
+
+  echo "**** Cloudflared installed ****"
+elif [ -x "$(command -v cloudflared)" ]; then
+  echo "**** Cloudflared already installed, skipping... ****"
+else
+  echo "**** Cloudflared missing, exiting... ****"
+  exit 1
+fi
+cloudflared -v
+
+echo "**** Checking for optional cloudflare tunnel parameters... ****"
+if [[ ${#CF_ACCOUNT_ID} -gt 0 ]] && [[ ${#CF_API_TOKEN} -gt 0 ]] && [[ ${#CF_TUNNEL_NAME} -gt 0 ]]; then
+  if [[ ${#CF_TUNNEL_PASSWORD} -le 32 ]]; then
+    echo "**** Cloudflare tunnel password must be at least 32 characters long, exiting... ****"
+    exit 1 
+  else
+    echo "**** Cloudflare tunnel parameters found, starting cloudflare tunnel setup... ****"
+    echo "**** Creating cloudflare tunnel(${CF_TUNNEL_NAME}) via API... ****"
+
+    CF_TUNNEL_SECRET="$(command echo ${CF_TUNNEL_PASSWORD} | base64)"
+    JSON_RESULT=$(curl -sX \
+      POST "https://api.cloudflare.com/client/v4/accounts/${CF_ACCOUNT_ID}/tunnels" \
+        -H "Authorization: Bearer ${CF_API_TOKEN}" \
+        -H "Content-Type: application/json" \
+        --data "{\"name\":\"${CF_TUNNEL_NAME}\",\"tunnel_secret\":\"${CF_TUNNEL_SECRET}\"}")
+    echo ${JSON_RESULT} | jq
+
+    JSON_CODE_VALUE=$(echo ${JSON_RESULT} | jq -rc ".code")
+    if [[ ${JSON_CODE_VALUE} -eq 1013 ]]; then
+      echo "**** You already have a cloudflare tunnel named ${CF_TUNNEL_NAME} ****"
+    
+      echo "**** Searching existing cloudflare tunnels via API... ****"
+      JSON_RESULT=$(curl -sX \
+        GET "https://api.cloudflare.com/client/v4/accounts/${CF_ACCOUNT_ID}/tunnels?name=${CF_TUNNEL_NAME}&is_deleted=false" \
+          -H "Authorization: Bearer ${CF_API_TOKEN}" \
+          -H "Content-Type: application/json")
+      echo ${JSON_RESULT} | jq
+
+      echo "**** Fetching existing cloudflare tunnel(${CF_TUNNEL_NAME}) via API... ****"
+      CF_TUNNEL_ID=$(echo ${JSON_RESULT} | jq -rc ".[].id")
+      JSON_RESULT=$(curl -sX \
+        GET "https://api.cloudflare.com/client/v4/accounts/${CF_ACCOUNT_ID}/tunnels/${CF_TUNNEL_ID}?" \
+          -H "Authorization: Bearer ${CF_API_TOKEN}" \
+          -H "Content-Type: application/json")
+
+      JSON_RESULT=$(echo ${JSON_RESULT} | jq -rc ". + {\"credentials_file\": {\"AccountTag\": \"${CF_ACCOUNT_ID}\",\"TunnelID\": \"${CF_TUNNEL_ID}\",\"TunnelName\": \"${CF_TUNNEL_NAME}\",\"TunnelSecret\": \"${CF_TUNNEL_SECRET}\"}}")
+      echo ${JSON_RESULT} | jq
+    fi
+
+    CF_TUNNEL_ID=$(echo ${JSON_RESULT} | jq -rc ".id")
+    CREDENTIALS_FILE=$(echo ${JSON_RESULT} | jq -rc ".credentials_file")
+    echo "**** Saving cloudflare tunnel(${CF_TUNNEL_NAME}) credentials json... ****"
+    if [ ! -d "/etc/cloudflared/" ]; then
+      mkdir -p "/etc/cloudflared";
+    fi
+    printf "${CREDENTIALS_FILE}" > "/etc/cloudflared/${CF_TUNNEL_ID}.json"
+    echo ${JSON_RESULT} | jq -r ".credentials_file"
+    echo "**** Cloudflare tunnel(${CF_TUNNEL_NAME}) credentials saved to /etc/cloudflared/${CF_TUNNEL_ID}.json ****"
+
+    echo "**** Generating config.yml for cloudflare tunnel(${CF_TUNNEL_NAME})... ****"
+    printf "tunnel: ${CF_TUNNEL_ID}\n" > "/etc/cloudflared/config.yml"
+    printf "credentials-file: /etc/cloudflared/${CF_TUNNEL_ID}.json\n" >> "/etc/cloudflared/config.yml"
+    printf "no-autoupdate: true\n\n" >> "/etc/cloudflared/config.yml"
+    printf "${CF_TUNNEL_CONFIG}" >> "/etc/cloudflared/config.yml"
+    /tmp/yq e /etc/cloudflared/config.yml
+    echo "**** Config for cloudflare tunnel(${CF_TUNNEL_NAME}) saved to /etc/cloudflared/config.yml ****"
+
+    echo "**** Validating cloudflared tunnel rules... ****"
+    cloudflared tunnel ingress validate
+
+    echo "**** Updating cloudflare zone... ****"
+    for HOSTNAME in $(/tmp/yq e ".ingress.[].hostname" /etc/cloudflared/config.yml); do
+      if [ ! "${HOSTNAME}" = "null" ]; then
+        echo "**** Searching zone for hostname(${HOSTNAME}) via API... ****"
+        JSON_RESULT=$(curl -sX \
+          GET "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records?name=${HOSTNAME}&type=CNAME&match=all" \
+            -H "Authorization: Bearer ${CF_API_TOKEN}" \
+            -H "Content-Type: application/json")
+
+        COUNT=$(echo ${JSON_RESULT} | jq -rc ".result_info.count")
+        if [[ ${COUNT} -eq 0 ]]; then
+          echo "**** Creating new CNAME for hostname(${HOSTNAME}) via API... ****"
+          JSON_RESULT=$(curl -sX \
+            POST "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records" \
+              -H "Authorization: Bearer ${CF_API_TOKEN}" \
+              -H "Content-Type: application/json" \
+              --data "{\"type\":\"CNAME\",\"name\":\"${HOSTNAME}\",\"content\":\"${CF_TUNNEL_ID}.cfargotunnel.com\",\"ttl\":1,\"proxied\":true}")
+          echo ${JSON_RESULT} | jq
+        else
+          echo "**** Updating existing CNAME for hostname(${HOSTNAME}) via API... ****"
+          RECORD_ID=$(echo ${JSON_RESULT} | jq -rc ".result[].id")
+          JSON_RESULT=$(curl -sX \
+            PUT "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records/${RECORD_ID}" \
+              -H "Authorization: Bearer ${CF_API_TOKEN}" \
+              -H "Content-Type: application/json" \
+              --data "{\"type\":\"CNAME\",\"name\":\"${HOSTNAME}\",\"content\":\"${CF_TUNNEL_ID}.cfargotunnel.com\",\"ttl\":1,\"proxied\":true}")
+          echo ${JSON_RESULT} | jq
+        fi
+      fi
+    done
+
+    echo "**** Installing cloudflared service... ****"
+    cloudflared service install
+    
+    echo "**** Enabling cloudflared service... ****"
+    if $ALPINE; then
+      rc-service cloudflared start
+    elif $UBUNTU; then
+      systemctl start cloudflared
+    fi
+  fi
+else
+  echo "**** Optional parameters blank or missing, skipped cloudflare tunnel setup ****"
+fi
+
+echo "**** Cleaning up cloudflared setup script dependencies if required... ****"
+for PKG in "${!CLEANUP[@]}"; do
+  if [ "${CLEANUP[$PKG]}" = true ]; then
+    CLEANUP[$PKG]=false
+    echo "**** Uninstalling ${PKG}... ****"
+    if $ALPINE; then
+      apk del ${PKG}
+    elif $UBUNTU; then
+      apt-get -qqy remove ${PKG}
+      apt-get -qqy autoremove
+    fi
+  fi
+done
+
+echo "**** Uninstalling /tmp/yq... ****"
+rm /tmp/yq
+
+echo "**** Cloudflared setup script done, exiting... ****"

root/etc/cont-init.d/98-ioncube-config

@@ -1,42 +0,0 @@
-#!/usr/bin/with-contenv bash
-echo "**** Installing Ioncube Loader ****"
-
-if php -m | grep -iq "ioncube"; then
-  echo "**** Ioncube Loader already installed, exiting... ****"
-  exit 0
-else
-  ARCH="$(command arch)"
-  if [ "${ARCH}" = "x86_64" ]; then 
-    ARCH="x86-64"
-    echo "**** Linux architecture found: x86-64 ****"
-  elif [ "${ARCH}" = "aarch64" ]; then 
-    ARCH="aarch64" 
-    echo "**** Linux architecture found: arm64 ****"
-  elif [ "${ARCH}" = "armv7l" ]; then 
-    ARCH="armv7l" 
-    echo "**** Linux architecture found: armhf ****"
-  else
-    echo "**** Unsupported Linux architecture ${ARCH} found, exiting... ****"
-    exit 1
-  fi
-
-  PHP_MAJOR_VERSION="$(command php -r 'echo PHP_MAJOR_VERSION;')"
-  PHP_MINOR_VERSION="$(command php -r 'echo PHP_MINOR_VERSION;')"
-  echo "**** PHP Version found: ${PHP_MAJOR_VERSION}.${PHP_MINOR_VERSION}.x ****"
-
-  echo "**** Downloading Ioncube Loader... ****"
-  wget https://downloads.ioncube.com/loader_downloads/ioncube_loaders_lin_${ARCH}.tar.gz -P /tmp/
-  echo "**** Ioncube Loader downloaded: ioncube_loaders_lin_${ARCH}.tar.gz ****"
-
-  echo "**** Extracting Ioncube Loader... ****"
-  tar -C /tmp -xzvf /tmp/ioncube_loaders_lin_${ARCH}.tar.gz \
-    && mkdir -p /usr/local/ioncube && cp /tmp/ioncube/*.so /usr/local/ioncube \
-    && rm /tmp/ioncube_loaders_lin_${ARCH}.tar.gz && rm -rf /tmp/ioncube
-  echo "**** Ioncube Loader extracted: /usr/local/ioncube ****"
-
-  echo "zend_extension = /usr/local/ioncube/ioncube_loader_lin_${PHP_MAJOR_VERSION}.${PHP_MINOR_VERSION}.so" \
-    > /etc/php${PHP_MAJOR_VERSION}/conf.d/00-ioncube.ini
-  echo "**** Ioncube Loader PHP extension enabled: ioncube_loader_lin_${PHP_MAJOR_VERSION}.${PHP_MINOR_VERSION}.so ****"
-
-  echo "**** Ioncube Loader Installed ****"
-fi