diff --git a/.github/workflows/BuildImage.yml b/.github/workflows/BuildImage.yml
index 518b0d8..ad9e2e1 100644
--- a/.github/workflows/BuildImage.yml
+++ b/.github/workflows/BuildImage.yml
@@ -3,9 +3,9 @@ name: Build Image
 on: [push, pull_request, workflow_dispatch]
 env:
- ENDPOINT: "linuxserver/mods" #don't modify
- BASEIMAGE: "replace_baseimage" #replace
- MODNAME: "replace_modname" #replace
+ ENDPOINT: "linuxserver/mods"
+ BASEIMAGE: "swag"
+ MODNAME: "maxmind"
 jobs:
 build:
diff --git a/Dockerfile b/Dockerfile
index 4ece5e8..ae5c3e5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM scratch
-LABEL maintainer="username"
+LABEL maintainer="quietsy"
 # copy local files
 COPY root/ /
diff --git a/Dockerfile.complex b/Dockerfile.complex
deleted file mode 100644
index db4598e..0000000
--- a/Dockerfile.complex
+++ /dev/null
@@ -1,23 +0,0 @@
-## Buildstage ##
-FROM ghcr.io/linuxserver/baseimage-alpine:3.12 as buildstage
-
-RUN \
- echo "**** install packages ****" && \
- apk add --no-cache \
- curl && \
- echo "**** grab rclone ****" && \
- mkdir -p /root-layer && \
- curl -o \
- /root-layer/rclone.deb -L \
- "https://downloads.rclone.org/v1.47.0/rclone-v1.47.0-linux-amd64.deb"
-
-# copy local files
-COPY root/ /root-layer/
-
-## Single layer deployed image ##
-FROM scratch
-
-LABEL maintainer="username"
-
-# Add files from buildstage
-COPY --from=buildstage /root-layer/ /
diff --git a/README.md b/README.md
index 5636dec..277e990 100644
--- a/README.md
+++ b/README.md
@@ -1,17 +1,49 @@
-# Rsync - Docker mod for openssh-server
+# Maxmind Docker mod for Nginx based images
-This mod adds rsync to openssh-server, to be installed/updated during container start.
+This mod adds the maxmind database to nginx using the license key defined in the environment variable.
-In openssh-server docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:openssh-server-rsync`
+This mod downloads the `GeoLite2-City.mmdb` database under `/config/geoip2db`, the database is updated weekly.
-If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:openssh-server-rsync|linuxserver/mods:openssh-server-mod2`
+**This mod should not be enabled together with the swag-dbip mod.**
-# Mod creation instructions
+Follow these steps to enable the maxmind mod:
-* Fork the repo, create a new branch based on the branch `template`.
-* Edit the `Dockerfile` for the mod. `Dockerfile.complex` is only an example and included for reference; it should be deleted when done.
-* Inspect the `root` folder contents. Edit, add and remove as necessary.
-* Edit this readme with pertinent info, delete these instructions.
-* Finally edit the `.github/workflows/BuildImage.yml`. Customize the build branch, and the vars for `BASEIMAGE` and `MODNAME`.
-* Ask the team to create a new branch named `-`. Baseimage should be the name of the image the mod will be applied to. The new branch will be based on the `template` branch.
-* Submit PR against the branch created by the team.
+1. Acquire a maxmind license here: https://www.maxmind.com/en/geolite2/signup
+2. In the container's docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:swag-maxmind`
+
+ If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:swag-maxmind|linuxserver/mods:swag-mod2`
+3. In the container's docker arguments, set an environment variable `MAXMINDDB_LICENSE_KEY=` with your license key.
+4. Add the following line to `/config/nginx/nginx.conf` under the `http` section:
+
+ ```nginx
+ include /config/nginx/maxmind.conf;
+ ```
+5. Edit `/config/nginx/maxmind.conf` and add countries to the blocklist / whitelist according to the comments, for example:
+
+ ```nginx
+   map $geoip2_data_country_iso_code $geo-whitelist {
+     default no;
+     UK yes;
+   }
+
+   map $geoip2_data_country_iso_code $geo-blacklist {
+     default yes;
+     US no;
+   }
+ ```
+6. Use the definitions in the following way:
+ ```nginx
+   server {
+   listen 443 ssl;
+   listen [::]:443 ssl;
+
+   server_name some-app.*;
+   include /config/nginx/ssl.conf;
+   client_max_body_size 0;
+
+   if ($lan-ip = yes) { set $geo-whitelist yes; }
+   if ($geo-whitelist = no) { return 404; }
+
+   location / {
+ ```
+7. Recreate the container to apply the changes.
diff --git a/root/defaults/maxmind.conf b/root/defaults/maxmind.conf
new file mode 100644
index 0000000..f41526c
--- /dev/null
+++ b/root/defaults/maxmind.conf
@@ -0,0 +1,34 @@
+geoip2 /config/geoip2db/GeoLite2-City.mmdb {
+  auto_reload 1w;
+  $geoip2_data_city_name city names en;
+  $geoip2_data_postal_code postal code;
+  $geoip2_data_latitude location latitude;
+  $geoip2_data_longitude location longitude;
+  $geoip2_data_state_name subdivisions 0 names en;
+  $geoip2_data_state_code subdivisions 0 iso_code;
+  $geoip2_data_continent_code continent code;
+  $geoip2_data_country_iso_code country iso_code;
+}
+
+# Country Codes: https://en.wikipedia.org/wiki/ISO_3166-2
+
+map $geoip2_data_country_iso_code $geo-whitelist {
+  default yes;
+  # Example for whitelisting a country, comment out 'default yes;' above and uncomment 'default no;' and the whitelisted country below
+  # default no;
+  # UK yes;
+}
+
+map $geoip2_data_country_iso_code $geo-blacklist {
+  default yes;
+  # Example for blacklisting a country, uncomment the blacklisted country below
+  # UK no;
+  }
+
+geo $lan-ip {
+  default no;
+  10.0.0.0/8 yes;
+  172.16.0.0/12 yes;
+  192.168.0.0/16 yes;
+  127.0.0.1 yes;
+}
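Review bot: The `geo $lan-ip` block and the `geoip2` block both classify `$remote_addr` (the default source address for both directives), so when the container sits behind another proxy every request carries the proxy's address, and because `172.16.0.0/12` also covers the range Docker's default bridge typically uses, a request forwarded from another container on the same host would be treated as LAN and skip the country rules entirely. The file gives no hint of this, and it is the assumption an operator is most likely to get wrong. I would add above `geo $lan-ip {`: `# NOTE: geo and geoip2 evaluate $remote_addr by default; behind an upstream proxy (or another container, which Docker's default bridge places in 172.16.0.0/12) the real-IP configuration must be applied first, otherwise every request is classified as LAN and bypasses the country rules.` Separately, the closing `+  }` of the `$geo-blacklist` map is indented unlike the other two blocks, and `default yes;` in a map named blacklist reads as "allowed", so a one-line comment such as `# yes = allowed, no = blocked` above each map would make the polarity explicit.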
diff --git a/root/etc/cont-init.d/98-maxmind b/root/etc/cont-init.d/98-maxmind
new file mode 100644
index 0000000..aab5db6
--- /dev/null
+++ b/root/etc/cont-init.d/98-maxmind
@@ -0,0 +1,27 @@
+#!/usr/bin/with-contenv bash
+
+echo "Applying the maxmind mod..."
+
+# create GeoIP2 folder symlink
+[[ -d /var/lib/libmaxminddb ]] && [[ ! -L /var/lib/libmaxminddb ]] && \
+  rm -rf /var/lib/libmaxminddb
+[[ ! -d /var/lib/libmaxminddb ]] && \
+  ln -s /config/geoip2db /var/lib/libmaxminddb
+# check GeoIP2 database
+if [ -n "$MAXMINDDB_LICENSE_KEY" ]; then
+  sed -i "s|.*MAXMINDDB_LICENSE_KEY.*|MAXMINDDB_LICENSE_KEY=\"${MAXMINDDB_LICENSE_KEY}\"|g" /etc/libmaxminddb.cron.conf
+  if [ ! -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then
+    echo "Downloading GeoIP2 City database."
+    /etc/periodic/weekly/libmaxminddb
+  fi
+elif [ -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then
+  echo -e "Currently using the user provided GeoLite2-City.mmdb.\nIf you want to enable weekly auto-updates of the database, retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
+else
+  echo -e "Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
+fi
+
+if [ ! -f /config/nginx/maxmind.conf ]; then
+  cp /defaults/maxmind.conf /config/nginx/maxmind.conf
+fi
+
+echo "Applied the maxmind mod"
diff --git a/root/etc/cont-init.d/98-vpn-config b/root/etc/cont-init.d/98-vpn-config
deleted file mode 100644
index a5f9127..0000000
--- a/root/etc/cont-init.d/98-vpn-config
+++ /dev/null
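Review bot: The `sed -i` on `/etc/libmaxminddb.cron.conf` interpolates `$MAXMINDDB_LICENSE_KEY` straight into the replacement text, so a value containing `|` (the chosen delimiter), `&` or `\` is written incorrectly or aborts the substitution, and because the script has no `set -e` the following `/etc/periodic/weekly/libmaxminddb` run and the closing "Applied the maxmind mod" proceed as if the key had been configured. The same silent path is taken if the base image does not ship `/etc/libmaxminddb.cron.conf` or the weekly script at all; nothing here checks for either. I would escape the key before substitution and guard on the config file's presence, as below. Less urgent, the `rm -rf /var/lib/libmaxminddb` at the top discards any pre-existing non-symlink directory at that path, which may hold a user-placed database, without a log line saying so.
```bash
if [ -n "$MAXMINDDB_LICENSE_KEY" ]; then
  if [ ! -f /etc/libmaxminddb.cron.conf ]; then
    echo "libmaxminddb cron config not found, cannot configure weekly database updates."
  else
    # escape sed replacement metacharacters (\, &) and the | delimiter so the key is written verbatim
    escaped_key=$(printf '%s' "$MAXMINDDB_LICENSE_KEY" | sed 's/[\\&|]/\\&/g')
    sed -i "s|.*MAXMINDDB_LICENSE_KEY.*|MAXMINDDB_LICENSE_KEY=\"${escaped_key}\"|g" /etc/libmaxminddb.cron.conf
  fi
  # … unchanged: download of GeoLite2-City.mmdb when it is missing …
```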
@@ -1,27 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-# Determine if setup is needed
-if [ ! -f /usr/local/lib/python***/dist-packages/sshuttle ] && \
-[ -f /usr/bin/apt ]; then
-  ## Ubuntu
-  apt-get update
-  apt-get install --no-install-recommends -y \
-    iptables \
-    openssh-client \
-    python3 \
-    python3-pip
-  pip3 install sshuttle
-fi
-if [ ! -f /usr/lib/python***/site-packages/sshuttle ] && \
-[ -f /sbin/apk ]; then
-  # Alpine
-  apk add --no-cache \
-    iptables \
-    openssh \
-    py3-pip \
-    python3
-  pip3 install sshuttle
-fi
-
-chown -R root:root /root
-chmod -R 600 /root/.ssh
diff --git a/root/etc/services.d/sshvpn/run b/root/etc/services.d/sshvpn/run
deleted file mode 100644
index 7d49e79..0000000
--- a/root/etc/services.d/sshvpn/run
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-sshuttle --dns --remote root@${HOST}:${PORT} 0/0 -x 172.17.0.0/16