Merge pull request #954 from linuxserver/swag-crowdsec-bundle

2026-03-23 00:05:28 +08:00 · 2024-09-11 20:27:37 +01:00 · 2024-09-11 20:27:37 +01:00 · f45c53b14f
commit f45c53b14f
parent df09bd2160 f8f7401a61
4 changed files with 78 additions and 39 deletions
--- a/.github/workflows/BuildImage.yml
+++ b/.github/workflows/BuildImage.yml
@ -1,12 +1,21 @@
 name: Build Image

-on: [push, pull_request_target, workflow_dispatch]
+on:
+  push:
+  pull_request_target:
+  workflow_dispatch:
+    inputs:
+      mod_version:
+        type: string
+        required: false

 env:
  GITHUB_REPO: "linuxserver/docker-mods" #don't modify
  ENDPOINT: "linuxserver/mods" #don't modify
  BASEIMAGE: "swag" #replace
  MODNAME: "crowdsec" #replace
+  MOD_VERSION: ${{ inputs.mod_version }} #don't modify
+  MULTI_ARCH: "false" #set to false if not needed

 jobs:
  set-vars:
@ -19,15 +28,23 @@ jobs:
          echo "ENDPOINT=${{ env.ENDPOINT }}" >> $GITHUB_OUTPUT
          echo "BASEIMAGE=${{ env.BASEIMAGE }}" >> $GITHUB_OUTPUT
          echo "MODNAME=${{ env.MODNAME }}" >> $GITHUB_OUTPUT
-          # **** If the mod needs to be versioned, set the versioning logic below. Otherwise leave as is. ****
-          MOD_VERSION=""
+          echo "MULTI_ARCH=${{ env.MULTI_ARCH }}" >> $GITHUB_OUTPUT
+          if [[ -z "${{ env.MOD_VERSION }}" ]]; then
+            # **** If the mod needs to be versioned, set the versioning logic below. Otherwise leave as is. ****
+            MOD_VERSION=$(curl -sX GET "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" | jq -r '.tag_name')
+          else
+            MOD_VERSION=${{ env.MOD_VERSION }}
+            echo "MOD_VERSION_OVERRIDE=true" >> $GITHUB_OUTPUT
+          fi
          echo "MOD_VERSION=${MOD_VERSION}" >> $GITHUB_OUTPUT
    outputs:
      GITHUB_REPO: ${{ steps.outputs.outputs.GITHUB_REPO }}
      ENDPOINT: ${{ steps.outputs.outputs.ENDPOINT }}
      BASEIMAGE: ${{ steps.outputs.outputs.BASEIMAGE }}
      MODNAME: ${{ steps.outputs.outputs.MODNAME }}
+      MULTI_ARCH: ${{ steps.outputs.outputs.MULTI_ARCH }}
      MOD_VERSION: ${{ steps.outputs.outputs.MOD_VERSION }}
+      MOD_VERSION_OVERRIDE: ${{ steps.outputs.outputs.MOD_VERSION_OVERRIDE }}

  build:
    uses: linuxserver/github-workflows/.github/workflows/docker-mod-builder.yml@v1
@ -42,4 +59,6 @@ jobs:
      ENDPOINT: ${{ needs.set-vars.outputs.ENDPOINT }}
      BASEIMAGE: ${{ needs.set-vars.outputs.BASEIMAGE }}
      MODNAME: ${{ needs.set-vars.outputs.MODNAME }}
+      MULTI_ARCH: ${{ needs.set-vars.outputs.MULTI_ARCH }}
      MOD_VERSION: ${{ needs.set-vars.outputs.MOD_VERSION }}
+      MOD_VERSION_OVERRIDE: ${{ needs.set-vars.outputs.MOD_VERSION_OVERRIDE }}
--- a/28
+++ b/28
@ -1,8 +1,32 @@
 # syntax=docker/dockerfile:1

+FROM ghcr.io/linuxserver/baseimage-alpine:3.20 AS buildstage
+
+ARG MOD_VERSION
+
+RUN \
+  mkdir -p /root-layer && \
+  if [ -z "${MOD_VERSION}" ]; then \
+    MOD_VERSION=$(curl -sX GET "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" \
+    | jq -r '.tag_name'); \
+  fi && \
+  if [ -z ${MOD_VERSION+x} ]; then \
+    echo "**** Could not fetch current bouncer version from Github ****" \
+    exit 1; \
+  fi && \
+  curl -sLo \
+    /root-layer/crowdsec-nginx-bouncer.tgz -L \
+    "https://github.com/crowdsecurity/cs-nginx-bouncer/releases/download/${MOD_VERSION}/crowdsec-nginx-bouncer.tgz" && \
+  if ! tar -tzf /root-layer/crowdsec-nginx-bouncer.tgz >/dev/null 2>&1; then \
+    echo "**** Invalid tarball, could not download crowdsec bouncer ****" \
+    exit 1; \
+  fi
+
+COPY root/ /root-layer/
+
 FROM scratch

 LABEL maintainer="thespad"

-# copy local files
-COPY root/ /
+# Add files from buildstage
+COPY --from=buildstage /root-layer/ /
--- a/README.md
+++ b/README.md
@ -32,7 +32,6 @@ Set the following environment variables on your SWAG container.
 | `CROWDSEC_SITE_KEY` | **Optional** | CAPTCHA Site Key |
 | `CROWDSEC_SECRET_KEY` | **Optional** | CAPTCHA Secret Key |
 | `CROWDSEC_CAPTCHA_PROVIDER` | **Optional** | CAPTCHA Provider (currently supported providers are `recaptcha`, `hcaptcha`, `turnstile`), requires bouncer v1.0.5 or newer. |
-| `CROWDSEC_VERSION` | **Optional** | Specify a version of the bouncer to install instead of using the latest release, for example `v1.0.0`. Must be a valid [release tag](https://github.com/crowdsecurity/cs-nginx-bouncer/tags). **Does not support versions older than v1.0.0**. |
 | `CROWDSEC_F2B_DISABLE` | **Optional** | Set to `true` to disable swag's built-in fail2ban service if you don't need it |
 | `CROWDSEC_MODE` | **Optional** | Set to `live` (immediate update) or `stream` to update requests every CROWDSEC_UPDATE_FREQUENCY seconds. Defaults to `live` |
 | `CROWDSEC_UPDATE_FREQUENCY` | **Optional** | Set update frequency for use with `stream` mode. Defaults to `10`. |
@ -73,6 +72,7 @@ e.g. `resolver  127.0.0.11 valid=30s ipv6=off;`

 ## Versions

+* **11.09.24:** - Move versioning to mod tags. Bundle tarball at build time.
 * **05.06.24:** - Add lua-resty-string.
 * **06.02.24:** - Add AppSec support.
 * **29.03.23:** - Support multiple captcha providers from upstream.
--- a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run
@ -5,10 +5,9 @@ CONFIG_PATH="/config/crowdsec/"
 LIB_PATH="/usr/local/lua/crowdsec/"
 DATA_PATH="/var/lib/crowdsec/lua/"

-if [[ ${DOCKER_MODS_DEBUG_CURL,,} = "true" ]]; then
-  CURL_NOISE_LEVEL="-v"
-else
-  CURL_NOISE_LEVEL="--silent"
+if [[ ! -e "/crowdsec-nginx-bouncer.tgz" ]]; then
+    # Crowdsec bouncer already configured
+    exit 0
 fi

 echo "**** Configuring CrowdSec nginx Bouncer ****"
@ -28,29 +27,11 @@ echo "\
    lua-sec \
    nginx-mod-http-lua" >> /mod-repo-packages-to-install.list

-# Download nginx bouncer
-if [[ -z ${CROWDSEC_VERSION+x} ]]; then \
-    CROWDSEC_VERSION=$(curl -s "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" | awk '/tag_name/{print $4;exit}' FS='[""]');
-fi
-
-if [[ -z ${CROWDSEC_VERSION+x} ]]; then \
-    echo "**** Could not fetch current bouncer version from Github ****"
-    exit 1
-fi
-
-curl "${CURL_NOISE_LEVEL}" -Lo \
-    /tmp/crowdsec.tar.gz -L \
-    "https://github.com/crowdsecurity/cs-nginx-bouncer/releases/download/${CROWDSEC_VERSION}/crowdsec-nginx-bouncer.tgz"
-
+# Extract nginx bouncer
 mkdir -p /tmp/crowdsec

-if ! tar -tzf /tmp/crowdsec.tar.gz >/dev/null 2>&1; then
-    echo "**** Invalid tarball, could not download crowdsec bouncer ****"
-    exit 1
-fi
-
 tar xf \
-    /tmp/crowdsec.tar.gz -C \
+    /crowdsec-nginx-bouncer.tgz -C \
    /tmp/crowdsec --strip-components=1

 mkdir -p "${CONFIG_PATH}"
@ -97,20 +78,35 @@ if ! grep -q '[^#]include /etc/nginx/http.d/\*.conf;' '/config/nginx/nginx.conf'
    else
        # Warn about missing http.d include
        echo "
-        ********************************************************************
-        *    Warning: Your nginx.conf is missing required settings         *
-        *    Please add:                                                   *
-        *        include /etc/nginx/http.d/*.conf;                         *
-        *    to the http{} block and restart the container.                *
-        *                                                                  *
-        *    The CrowdSec bouncer will not function until this is done.    *
-        ********************************************************************"
+        ┌──────────────────────────────────────────────────────────────────┐
+        │    Warning: Your nginx.conf is missing required settings         │
+        │    Please add:                                                   │
+        │        include /etc/nginx/http.d/*.conf;                         │
+        │    to the http{} block and restart the container.                │
+        │                                                                  │
+        │    The CrowdSec bouncer will not function until this is done.    │
+        └──────────────────────────────────────────────────────────────────┘
+        "
    fi
 fi

 # Clean up
 rm -rf \
    /tmp/crowdsec \
-    /tmp/crowdsec.tar.gz
+    /crowdsec-nginx-bouncer.tgz
+
+if [[ -n ${CROWDSEC_VERSION} ]]; then
+    echo "
+    ┌─────────────────────────────────────────────────────────────────────────┐
+    │                             !! ATTENTION !!                             │
+    │                                                                         │
+    │                        This mod will ignore the                         │
+    │                  CROWDSEC_VERSION environment variable                  │
+    │                                                                         │
+    │                  Versioning is now handled by mod tags                  │
+    │ See https://hub.docker.com/r/linuxserver/mods/tags?name=swag-crowdsec-v │
+    │                     For a list of all available tags                    │
+    └─────────────────────────────────────────────────────────────────────────┘"
+fi

 echo "**** Successfully configured CrowdSec nginx Bouncer ${CROWDSEC_VERSION} ****"