From c19a9679452bcfee2b6999d63780cad58bd0b2b6 Mon Sep 17 00:00:00 2001
From: aptalca <541623+aptalca@users.noreply.github.com>
Date: Thu, 18 May 2023 15:30:37 -0400
Subject: [PATCH] universal-cloudflared update/add workflows
---
.github/workflows/BuildImage.yml | 91 +++++--------
.github/workflows/call_issue_pr_tracker.yml | 16 +++
.github/workflows/permissions.yml | 10 ++
Dockerfile | 8 +-
root/etc/cont-init.d/95-apt-get | 5 -
root/etc/cont-init.d/98-cloudflared-config | 142 --------------------
root/etc/services.d/cloudflared/run | 3 -
7 files changed, 63 insertions(+), 212 deletions(-)
create mode 100644 .github/workflows/call_issue_pr_tracker.yml
create mode 100644 .github/workflows/permissions.yml
delete mode 100644 root/etc/cont-init.d/95-apt-get
delete mode 100644 root/etc/cont-init.d/98-cloudflared-config
delete mode 100755 root/etc/services.d/cloudflared/run
diff --git a/.github/workflows/BuildImage.yml b/.github/workflows/BuildImage.yml
index 86f1e6f..aba919b 100644
--- a/.github/workflows/BuildImage.yml
+++ b/.github/workflows/BuildImage.yml
@@ -1,72 +1,45 @@ name: Build Image -on: [push, pull_request, workflow_dispatch] +on: [push, pull_request_target, workflow_dispatch] env: + GITHUB_REPO: "linuxserver/docker-mods" #don't modify ENDPOINT: "linuxserver/mods" #don't modify BASEIMAGE: "universal" #replace MODNAME: "cloudflared" #replace jobs: - build: + set-vars: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3.1.0 - - - name: Build image + - name: Set Vars + id: outputs run: | - CLOUDFLARED_TAG=$(curl -s https://api.github.com/repos/cloudflare/cloudflared/releases/latest | jq -rc ".tag_name") - echo "CLOUDFLARED_TAG=${CLOUDFLARED_TAG}" >> $GITHUB_ENV - docker build --no-cache --build-arg CLOUDFLARED_TAG=${CLOUDFLARED_TAG} -t ${{ github.sha }} . + echo "GITHUB_REPO=${{ env.GITHUB_REPO }}" >> $GITHUB_OUTPUT + echo "ENDPOINT=${{ env.ENDPOINT }}" >> $GITHUB_OUTPUT + echo "BASEIMAGE=${{ env.BASEIMAGE }}" >> $GITHUB_OUTPUT + echo "MODNAME=${{ env.MODNAME }}" >> $GITHUB_OUTPUT + # **** If the mod needs to be versioned, set the versioning logic below. Otherwise leave as is. 
**** + MOD_VERSION=$(curl -s https://api.github.com/repos/cloudflare/cloudflared/releases/latest | jq -rc ".tag_name") + echo "MOD_VERSION=${MOD_VERSION}" >> $GITHUB_OUTPUT + outputs: + GITHUB_REPO: ${{ steps.outputs.outputs.GITHUB_REPO }} + ENDPOINT: ${{ steps.outputs.outputs.ENDPOINT }} + BASEIMAGE: ${{ steps.outputs.outputs.BASEIMAGE }} + MODNAME: ${{ steps.outputs.outputs.MODNAME }} + MOD_VERSION: ${{ steps.outputs.outputs.MOD_VERSION }} - - name: Tag image - if: ${{ github.ref == format('refs/heads/{0}-{1}', env.BASEIMAGE, env.MODNAME) }} - run: | - docker tag ${{ github.sha }} ${ENDPOINT}:${BASEIMAGE}-${MODNAME} - docker tag ${{ github.sha }} ${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${CLOUDFLARED_TAG} - docker tag ${{ github.sha }} ${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${CLOUDFLARED_TAG}-${{ github.sha }} - docker tag ${{ github.sha }} ${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${{ github.sha }} - docker tag ${{ github.sha }} ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME} - docker tag ${{ github.sha }} ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${CLOUDFLARED_TAG} - docker tag ${{ github.sha }} ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${CLOUDFLARED_TAG}-${{ github.sha }} - docker tag ${{ github.sha }} ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${{ github.sha }} - - - name: Credential check - if: ${{ github.ref == format('refs/heads/{0}-{1}', env.BASEIMAGE, env.MODNAME) }} - run: | - echo "CR_USER=${{ secrets.CR_USER }}" >> $GITHUB_ENV - echo "CR_PAT=${{ secrets.CR_PAT }}" >> $GITHUB_ENV - echo "DOCKERUSER=${{ secrets.DOCKERUSER }}" >> $GITHUB_ENV - echo "DOCKERPASS=${{ secrets.DOCKERPASS }}" >> $GITHUB_ENV - if [[ "${{ secrets.CR_USER }}" == "" && "${{ secrets.CR_PAT }}" == "" && "${{ secrets.DOCKERUSER }}" == "" && "${{ secrets.DOCKERPASS }}" == "" ]]; then - echo "::error::Push credential secrets missing." - echo "::error::You must set either CR_USER & CR_PAT or DOCKERUSER & DOCKERPASS as secrets in your repo settings." 
- echo "::error::See https://github.com/linuxserver/docker-mods/blob/master/README.md for more information/instructions." - exit 1 - fi - - - name: Login to GitHub Container Registry - if: ${{ github.ref == format('refs/heads/{0}-{1}', env.BASEIMAGE, env.MODNAME) && env.CR_USER && env.CR_PAT }} - run: | - echo "${{ secrets.CR_PAT }}" | docker login ghcr.io -u ${{ secrets.CR_USER }} --password-stdin - - - name: Push tags to GitHub Container Registry - if: ${{ github.ref == format('refs/heads/{0}-{1}', env.BASEIMAGE, env.MODNAME) && env.CR_USER && env.CR_PAT }} - run: | - docker push ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${{ github.sha }} - docker push ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${CLOUDFLARED_TAG}-${{ github.sha }} - docker push ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${CLOUDFLARED_TAG} - docker push ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME} - - - name: Login to DockerHub - if: ${{ github.ref == format('refs/heads/{0}-{1}', env.BASEIMAGE, env.MODNAME) && env.DOCKERUSER && env.DOCKERPASS }} - run: | - echo ${{ secrets.DOCKERPASS }} | docker login -u ${{ secrets.DOCKERUSER }} --password-stdin - - - name: Push tags to DockerHub - if: ${{ github.ref == format('refs/heads/{0}-{1}', env.BASEIMAGE, env.MODNAME) && env.DOCKERUSER && env.DOCKERPASS }} - run: | - docker push ${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${{ github.sha }} - docker push ${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${CLOUDFLARED_TAG}-${{ github.sha }} - docker push ${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${CLOUDFLARED_TAG} - docker push ${ENDPOINT}:${BASEIMAGE}-${MODNAME} + build: + uses: linuxserver/github-workflows/.github/workflows/docker-mod-builder.yml@v1 + needs: set-vars + secrets: + CR_USER: ${{ secrets.CR_USER }} + CR_PAT: ${{ secrets.CR_PAT }} + DOCKERUSER: ${{ secrets.DOCKERUSER }} + DOCKERPASS: ${{ secrets.DOCKERPASS }} + with: + GITHUB_REPO: ${{ needs.set-vars.outputs.GITHUB_REPO }} + ENDPOINT: ${{ needs.set-vars.outputs.ENDPOINT }} + BASEIMAGE: ${{ 
needs.set-vars.outputs.BASEIMAGE }} + MODNAME: ${{ needs.set-vars.outputs.MODNAME }} + MOD_VERSION: ${{ needs.set-vars.outputs.MOD_VERSION }} diff --git a/.github/workflows/call_issue_pr_tracker.yml b/.github/workflows/call_issue_pr_tracker.yml new file mode 100644 index 0000000..2c30784 --- /dev/null +++ b/.github/workflows/call_issue_pr_tracker.yml @@ -0,0 +1,16 @@ +name: Issue & PR Tracker + +on: + issues: + types: [opened,reopened,labeled,unlabeled,closed] + pull_request_target: + types: [opened,reopened,review_requested,review_request_removed,labeled,unlabeled,closed] + pull_request_review: + types: [submitted,edited,dismissed] + +jobs: + manage-project: + permissions: + issues: write + uses: linuxserver/github-workflows/.github/workflows/issue-pr-tracker.yml@v1 + secrets: inherit diff --git a/.github/workflows/permissions.yml b/.github/workflows/permissions.yml new file mode 100644 index 0000000..1447bc5 --- /dev/null +++ b/.github/workflows/permissions.yml @@ -0,0 +1,10 @@ +name: Permission check +on: + pull_request_target: + paths: + - '**/run' + - '**/finish' + - '**/check' +jobs: + permission_check: + uses: linuxserver/github-workflows/.github/workflows/init-svc-executable-permissions.yml@v1 diff --git a/Dockerfile b/Dockerfile index 79664ee..8bba533 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,9 @@ +# syntax=docker/dockerfile:1 + # Build container FROM ghcr.io/linuxserver/baseimage-alpine:3.17 AS buildstage -ARG CLOUDFLARED_TAG +ARG MOD_VERSION RUN mkdir -p /root-layer/cloudflared WORKDIR /src 
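Review bot: Registry credentials are now in scope for runs started by fork pull requests: the `on:` line switches to `pull_request_target`, which runs in the base repository's context, and the `build` job passes `CR_USER`, `CR_PAT`, `DOCKERUSER` and `DOCKERPASS` to the reusable builder on every run. The removed inline steps gated each login and push on `github.ref` matching the mod branch, but under `pull_request_target` `github.ref` is the base branch, so a ref-only gate inside docker-mod-builder.yml would no longer separate pull requests from pushes. That workflow is not part of this patch, so confirm it also checks `github.event_name` and never builds pull-request head code while the secrets are available. No `permissions:` key is declared here or in permissions.yml, so GITHUB_TOKEN takes the repository default; a top-level `permissions:` block with `contents: read`, extended only by what the called workflow documents, would bound it. The `@v1` ref is a movable tag, so pinning it as `uses: linuxserver/github-workflows/.github/workflows/docker-mod-builder.yml@<full-commit-sha>` (and likewise in call_issue_pr_tracker.yml and permissions.yml) keeps a retag from changing the code that receives these credentials.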
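Review bot: `secrets: inherit` in the `manage-project` job hands every secret this repository can see, including the registry credentials BuildImage.yml uses, to issue-pr-tracker.yml on events such as `issues` and `pull_request_target` that anyone able to open an issue or pull request can trigger. The job already narrows GITHUB_TOKEN to `issues: write`, and the same least-privilege approach fits the secrets: replace `inherit` with an explicit `secrets:` mapping that names only what the tracker consumes. Which secret that is cannot be seen from this patch, so the name has to come from the called workflow's `workflow_call` declaration.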
@@ -16,12 +18,12 @@ ENV GO111MODULE=on \ CGO_ENABLED=0 RUN \ - if [ -z "${CLOUDFLARED_TAG}" ]; then \ + if [ -z "${MOD_VERSION}" ]; then \ curl -s https://api.github.com/repos/cloudflare/cloudflared/releases/latest \ | jq -rc ".tag_name" \ | xargs -I TAG sh -c 'git -c advice.detachedHead=false clone https://github.com/cloudflare/cloudflared --depth=1 --branch TAG .'; \ else \ - git -c advice.detachedHead=false clone https://github.com/cloudflare/cloudflared --depth=1 --branch ${CLOUDFLARED_TAG} .; \ + git -c advice.detachedHead=false clone https://github.com/cloudflare/cloudflared --depth=1 --branch ${MOD_VERSION} .; \ fi RUN GOOS=linux GOARCH=amd64 make cloudflared diff --git a/root/etc/cont-init.d/95-apt-get b/root/etc/cont-init.d/95-apt-get deleted file mode 100644 index 4797eca..0000000 --- a/root/etc/cont-init.d/95-apt-get +++ /dev/null @@ -1,5 +0,0 @@ -#!/usr/bin/with-contenv bash - -if [ -f /usr/bin/apt ]; then - apt-get update -fi \ No newline at end of file diff --git a/root/etc/cont-init.d/98-cloudflared-config b/root/etc/cont-init.d/98-cloudflared-config deleted file mode 100644 index bc36274..0000000 --- a/root/etc/cont-init.d/98-cloudflared-config +++ /dev/null 
@@ -1,142 +0,0 @@ -#!/usr/bin/with-contenv bash - -echo "**** Cloudflared setup script init... ****" - -echo "**** Checking cloudflared setup script requirements... ****" -ARCH="$(command arch)" -if [ "${ARCH}" = "x86_64" ]; then - ARCH="amd64" -elif [ "${ARCH}" = "aarch64" ]; then - ARCH="arm64" -elif [ "${ARCH}" = "armv7l" ]; then - ARCH="armhf" -else - echo "**** Unsupported Linux architecture ${ARCH} found, exiting... ****" - exit 1 -fi -echo "**** Linux architecture found: ${ARCH} ****" - -echo "**** Checking for cloudflared setup script dependencies... ****" -YQARCH="${ARCH}" -if [ "${YQ_ARCH}" = "armhf" ]; then - YQARCH="arm" -fi -echo "**** Temporarily installing /tmp/yq... ****" -curl -sLo /tmp/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${YQARCH} -chmod +x /tmp/yq - -echo "**** Installing cloudflared...****" -if [ -d "/cloudflared/" ]; then - echo "**** Moving /cloudflared/cloudflared-${ARCH} to /usr/local/bin/cloudflared... ****" - mv /cloudflared/cloudflared-${ARCH} /usr/local/bin/cloudflared - - echo "**** Deleting tmp /cloudflared dir... ****" - rm -rf /cloudflared - - echo "**** Cloudflared installed ****" -elif [ -x "$(command -v cloudflared)" ]; then - echo "**** Cloudflared already installed, skipping... ****" -else - echo "**** Cloudflared missing, exiting... ****" - exit 1 -fi -cloudflared -v - -echo "**** Checking for cloudflare tunnel parameters... ****" -if [[ ${#CF_ZONE_ID} -gt 0 ]] && [[ ${#CF_ACCOUNT_ID} -gt 0 ]] && [[ ${#CF_API_TOKEN} -gt 0 ]] && [[ ${#CF_TUNNEL_NAME} -gt 0 ]] && [[ ${#CF_TUNNEL_CONFIG} -gt 0 ]]; then - if [[ ${#CF_TUNNEL_PASSWORD} -lt 32 ]]; then - echo "**** Cloudflare tunnel password must be at least 32 characters long, exiting... ****" - rm -rf /etc/services.d/cloudflared - exit 1 - else - echo "**** Cloudflare tunnel parameters found, starting cloudflare tunnel setup... ****" - echo "**** Creating cloudflare tunnel (${CF_TUNNEL_NAME}) via API... 
****" - - CF_TUNNEL_SECRET="$(command echo ${CF_TUNNEL_PASSWORD} | base64 -w 0)" - JSON_RESULT=$(curl -sX \ - POST "https://api.cloudflare.com/client/v4/accounts/${CF_ACCOUNT_ID}/tunnels" \ - -H "Authorization: Bearer ${CF_API_TOKEN}" \ - -H "Content-Type: application/json" \ - --data "{\"name\":\"${CF_TUNNEL_NAME}\",\"tunnel_secret\":\"${CF_TUNNEL_SECRET}\"}") - echo ${JSON_RESULT} | jq - - JSON_CODE_VALUE=$(echo ${JSON_RESULT} | jq -rc ".code // .errors[].code") - if [[ ${JSON_CODE_VALUE} -eq 1013 ]]; then - echo "**** You already have a cloudflare tunnel named ${CF_TUNNEL_NAME} ****" - - echo "**** Searching existing cloudflare tunnels via API... ****" - JSON_RESULT=$(curl -sX \ - GET "https://api.cloudflare.com/client/v4/accounts/${CF_ACCOUNT_ID}/tunnels?name=${CF_TUNNEL_NAME}&is_deleted=false" \ - -H "Authorization: Bearer ${CF_API_TOKEN}" \ - -H "Content-Type: application/json") - echo ${JSON_RESULT} | jq - - echo "**** Fetching existing cloudflare tunnel (${CF_TUNNEL_NAME}) via API... ****" - CF_TUNNEL_ID=$(echo ${JSON_RESULT} | jq -rc ".[].id? // .result[].id") - JSON_RESULT=$(curl -sX \ - GET "https://api.cloudflare.com/client/v4/accounts/${CF_ACCOUNT_ID}/tunnels/${CF_TUNNEL_ID}?" \ - -H "Authorization: Bearer ${CF_API_TOKEN}" \ - -H "Content-Type: application/json") - - JSON_RESULT=$(echo ${JSON_RESULT} | jq -rc ". |= .+ {\"credentials_file\": {\"AccountTag\": \"${CF_ACCOUNT_ID}\",\"TunnelID\": \"${CF_TUNNEL_ID}\",\"TunnelName\": \"${CF_TUNNEL_NAME}\",\"TunnelSecret\": \"${CF_TUNNEL_SECRET}\"}}") - echo ${JSON_RESULT} | jq - fi - - CF_TUNNEL_ID=$(echo ${JSON_RESULT} | jq -rc ".id // .result.id") - CREDENTIALS_FILE=$(echo ${JSON_RESULT} | jq -rc ".credentials_file // .result.credentials_file") - echo "**** Saving cloudflare tunnel (${CF_TUNNEL_NAME}) credentials json... ****" - if [ ! 
-d "/etc/cloudflared/" ]; then - mkdir -p "/etc/cloudflared"; - fi - printf "${CREDENTIALS_FILE}" > "/etc/cloudflared/${CF_TUNNEL_ID}.json" - echo ${JSON_RESULT} | jq -r ".result.credentials_file" - echo "**** Cloudflare tunnel (${CF_TUNNEL_NAME}) credentials saved to /etc/cloudflared/${CF_TUNNEL_ID}.json ****" - - echo "**** Generating config.yml for cloudflare tunnel (${CF_TUNNEL_NAME})... ****" - printf "tunnel: ${CF_TUNNEL_ID}\n" > "/etc/cloudflared/config.yml" - printf "credentials-file: /etc/cloudflared/${CF_TUNNEL_ID}.json\n" >> "/etc/cloudflared/config.yml" - printf "no-autoupdate: true\n\n" >> "/etc/cloudflared/config.yml" - printf "${CF_TUNNEL_CONFIG}" >> "/etc/cloudflared/config.yml" - /tmp/yq e /etc/cloudflared/config.yml - echo "**** Config for cloudflare tunnel (${CF_TUNNEL_NAME}) saved to /etc/cloudflared/config.yml ****" - - echo "**** Validating cloudflared tunnel rules... ****" - cloudflared tunnel ingress validate - - echo "**** Updating cloudflare zone... ****" - for HOSTNAME in $(/tmp/yq e ".ingress.[].hostname" /etc/cloudflared/config.yml); do - if [ ! "${HOSTNAME}" = "null" ]; then - echo "**** Searching zone for hostname (${HOSTNAME}) via API... ****" - JSON_RESULT=$(curl -sX \ - GET "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records?name=${HOSTNAME}&type=CNAME&match=all" \ - -H "Authorization: Bearer ${CF_API_TOKEN}" \ - -H "Content-Type: application/json") - - COUNT=$(echo ${JSON_RESULT} | jq -rc ".result_info.count") - if [[ ${COUNT} -eq 0 ]]; then - echo "**** Creating new CNAME for hostname (${HOSTNAME}) via API... 
****" - JSON_RESULT=$(curl -sX \ - POST "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records" \ - -H "Authorization: Bearer ${CF_API_TOKEN}" \ - -H "Content-Type: application/json" \ - --data "{\"type\":\"CNAME\",\"name\":\"${HOSTNAME}\",\"content\":\"${CF_TUNNEL_ID}.cfargotunnel.com\",\"ttl\":1,\"proxied\":true}") - echo ${JSON_RESULT} | jq - else - echo "**** Updating existing CNAME for hostname (${HOSTNAME}) via API... ****" - RECORD_ID=$(echo ${JSON_RESULT} | jq -rc ".result[].id") - JSON_RESULT=$(curl -sX \ - PUT "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records/${RECORD_ID}" \ - -H "Authorization: Bearer ${CF_API_TOKEN}" \ - -H "Content-Type: application/json" \ - --data "{\"type\":\"CNAME\",\"name\":\"${HOSTNAME}\",\"content\":\"${CF_TUNNEL_ID}.cfargotunnel.com\",\"ttl\":1,\"proxied\":true}") - echo ${JSON_RESULT} | jq - fi - fi - done - fi -else - echo "**** Cloudflare parameters blank or missing, skipped cloudflare tunnel setup ****" - rm -rf /etc/services.d/cloudflared -fi - -echo "**** Cloudflared setup script done, exiting... ****" diff --git a/root/etc/services.d/cloudflared/run b/root/etc/services.d/cloudflared/run deleted file mode 100755 index b1813de..0000000 --- a/root/etc/services.d/cloudflared/run +++ /dev/null @@ -1,3 +0,0 @@ -#!/usr/bin/with-contenv bash - -exec s6-setuidgid abc cloudflared tunnel --no-autoupdate --config /etc/cloudflared/config.yml run \ No newline at end of file