From 9f1f5909ea9f624cda405e3b2aa8c2b5fc41b8b5 Mon Sep 17 00:00:00 2001 From: thespad Date: Wed, 11 Sep 2024 18:23:53 +0100 Subject: [PATCH 1/4] Bundle bouncer at build time, add versioning, update docs --- .github/workflows/BuildImage.yml | 27 ++++++-- Dockerfile | 28 ++++++++- README.md | 2 +- .../s6-rc.d/init-mod-swag-crowdsec/run | 61 ++++++++----------- 4 files changed, 76 insertions(+), 42 deletions(-) diff --git a/.github/workflows/BuildImage.yml b/.github/workflows/BuildImage.yml index bc15265..9e1ede9 100644 --- a/.github/workflows/BuildImage.yml +++ b/.github/workflows/BuildImage.yml @@ -1,12 +1,21 @@ name: Build Image -on: [push, pull_request_target, workflow_dispatch] +on: + push: + pull_request_target: + workflow_dispatch: + inputs: + mod_version: + type: string + required: false env: GITHUB_REPO: "linuxserver/docker-mods" #don't modify ENDPOINT: "linuxserver/mods" #don't modify BASEIMAGE: "swag" #replace MODNAME: "crowdsec" #replace + MOD_VERSION: ${{ inputs.mod_version }} #don't modify + MULTI_ARCH: "false" #set to false if not needed jobs: set-vars: 
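Review bot: The new `mod_version` dispatch input has no `description:`, yet its value becomes the cs-nginx-bouncer release tag baked into the image, so whoever dispatches the workflow gets no hint in the UI about the expected format. Add `description: "cs-nginx-bouncer release tag to bundle (e.g. v1.0.5); leave empty to use the latest release"` under `mod_version:`. The input is only consumed by the set-vars step further down, outside this hunk.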
@@ -19,18 +28,26 @@ jobs: echo "ENDPOINT=${{ env.ENDPOINT }}" >> $GITHUB_OUTPUT echo "BASEIMAGE=${{ env.BASEIMAGE }}" >> $GITHUB_OUTPUT echo "MODNAME=${{ env.MODNAME }}" >> $GITHUB_OUTPUT - # **** If the mod needs to be versioned, set the versioning logic below. Otherwise leave as is. **** - MOD_VERSION="" + echo "MULTI_ARCH=${{ env.MULTI_ARCH }}" >> $GITHUB_OUTPUT + if [[ -z "${{ env.MOD_VERSION }}" ]]; then + # **** If the mod needs to be versioned, set the versioning logic below. Otherwise leave as is. **** + MOD_VERSION=$(curl -sX GET "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" | jq -r '.tag_name') + else + MOD_VERSION=${{ env.MOD_VERSION }} + echo "MOD_VERSION_OVERRIDE=true" >> $GITHUB_OUTPUT + fi echo "MOD_VERSION=${MOD_VERSION}" >> $GITHUB_OUTPUT outputs: GITHUB_REPO: ${{ steps.outputs.outputs.GITHUB_REPO }} ENDPOINT: ${{ steps.outputs.outputs.ENDPOINT }} BASEIMAGE: ${{ steps.outputs.outputs.BASEIMAGE }} MODNAME: ${{ steps.outputs.outputs.MODNAME }} + MULTI_ARCH: ${{ steps.outputs.outputs.MULTI_ARCH }} MOD_VERSION: ${{ steps.outputs.outputs.MOD_VERSION }} + MOD_VERSION_OVERRIDE: ${{ steps.outputs.outputs.MOD_VERSION_OVERRIDE }} build: - uses: linuxserver/github-workflows/.github/workflows/docker-mod-builder.yml@v1 + uses: linuxserver/github-workflows/.github/workflows/docker-mod-builder.yml@v2 needs: set-vars secrets: CR_USER: ${{ secrets.CR_USER }} @@ -42,4 +59,6 @@ jobs: ENDPOINT: ${{ needs.set-vars.outputs.ENDPOINT }} BASEIMAGE: ${{ needs.set-vars.outputs.BASEIMAGE }} MODNAME: ${{ needs.set-vars.outputs.MODNAME }} + MULTI_ARCH: ${{ needs.set-vars.outputs.MULTI_ARCH }} MOD_VERSION: ${{ needs.set-vars.outputs.MOD_VERSION }} + MOD_VERSION_OVERRIDE: ${{ needs.set-vars.outputs.MOD_VERSION_OVERRIDE }} diff --git a/Dockerfile b/Dockerfile index 1702976..a883e78 100644 --- a/Dockerfile +++ b/Dockerfile 
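Review bot: The set-vars step splices the dispatch input into the shell script as text, `if [[ -z "${{ env.MOD_VERSION }}" ]]` and `MOD_VERSION=${{ env.MOD_VERSION }}`; the value can only be supplied by someone allowed to dispatch the workflow, so exposure is limited, but since `MOD_VERSION` is already a workflow-level env var the conventional form is to read it as a shell variable, `if [[ -z "$MOD_VERSION" ]]; then`, and drop the `MOD_VERSION=${{ … }}` assignment entirely. Separately, `curl -sX GET … | jq -r '.tag_name'` prints the literal `null` when the API responds without a tag_name (an unauthenticated rate-limit answer, for instance), and `null` is non-empty, so it would be forwarded to the build as the version and also bypass the Dockerfile's own lookup; `curl -fsS … | jq -r '.tag_name // empty'` plus a fatal check on an empty result closes that. The third hunk of this file only forwards the new outputs and needs nothing.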
@@ -1,8 +1,32 @@ # syntax=docker/dockerfile:1 +FROM ghcr.io/linuxserver/baseimage-alpine:3.20 AS buildstage + +ARG MOD_VERSION + +RUN \ + mkdir -p /root-layer && \ + if [[ -z "${MOD_VERSION}" ]]; then \ + MOD_VERSION=$(curl -sX GET "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" \ + | jq -r '.tag_name'); \ + fi && \ + if [[ -z ${MOD_VERSION+x} ]]; then \ + echo "**** Could not fetch current bouncer version from Github ****" \ + exit 1; \ + fi && \ + curl -sLo \ + /root-layer/crowdsec-nginx-bouncer.tgz -L \ + "https://github.com/crowdsecurity/cs-nginx-bouncer/releases/download/${MOD_VERSION}/crowdsec-nginx-bouncer.tgz" && \ + if ! tar -tzf /root-layer/crowdsec-nginx-bouncer.tgz >/dev/null 2>&1; then \ + echo "**** Invalid tarball, could not download crowdsec bouncer ****" \ + exit 1; \ + fi + +COPY root/ /root-layer/ + FROM scratch LABEL maintainer="thespad" -# copy local files -COPY root/ / +# Add files from buildstage +COPY --from=buildstage /root-layer/ / diff --git a/README.md b/README.md index cc84ba3..e23b8d0 100644 --- a/README.md +++ b/README.md 
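Review bot: Neither guard in the new RUN can actually fail the build: the `\` after each `echo "…"` line is a Dockerfile continuation, so the parser joins `exit 1` onto the echo as extra arguments (the message is printed with "exit 1" appended and the chain carries on), and `-z ${MOD_VERSION+x}` only tests whether the variable is set, which is always true once the assignment has run, so an empty value or the `null` that `jq -r` prints for a missing tag_name flows straight into the download URL. Terminate each echo with `;` before the continuation, test the value rather than its set-ness, and pass `-f` to both curl calls so an HTTP error produces an empty value instead of an error body sitting where the tarball should be; the rewrite below already uses `[ ]` as the fourth patch in this series does. Beyond this hunk, a release tag is a mutable pointer, so the bundled tarball is only reproducible if a digest is pinned alongside MOD_VERSION — worth deciding, since the image now carries the artifact rather than fetching it at first start.
```dockerfile
RUN \
  mkdir -p /root-layer && \
  if [ -z "${MOD_VERSION}" ]; then \
    MOD_VERSION=$(curl -fsS "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" \
      | jq -r '.tag_name // empty'); \
  fi && \
  if [ -z "${MOD_VERSION}" ]; then \
    echo "**** Could not fetch current bouncer version from Github ****"; \
    exit 1; \
  fi && \
  curl -fsSL -o \
    /root-layer/crowdsec-nginx-bouncer.tgz \
    "https://github.com/crowdsecurity/cs-nginx-bouncer/releases/download/${MOD_VERSION}/crowdsec-nginx-bouncer.tgz" && \
  if ! tar -tzf /root-layer/crowdsec-nginx-bouncer.tgz >/dev/null 2>&1; then \
    echo "**** Invalid tarball, could not download crowdsec bouncer ****"; \
    exit 1; \
  fi
```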
@@ -32,7 +32,6 @@ Set the following environment variables on your SWAG container. | `CROWDSEC_SITE_KEY` | **Optional** | CAPTCHA Site Key | | `CROWDSEC_SECRET_KEY` | **Optional** | CAPTCHA Secret Key | | `CROWDSEC_CAPTCHA_PROVIDER` | **Optional** | CAPTCHA Provider (currently supported providers are `recaptcha`, `hcaptcha`, `turnstile`), requires bouncer v1.0.5 or newer. | -| `CROWDSEC_VERSION` | **Optional** | Specify a version of the bouncer to install instead of using the latest release, for example `v1.0.0`. Must be a valid [release tag](https://github.com/crowdsecurity/cs-nginx-bouncer/tags). **Does not support versions older than v1.0.0**. | | `CROWDSEC_F2B_DISABLE` | **Optional** | Set to `true` to disable swag's built-in fail2ban service if you don't need it | | `CROWDSEC_MODE` | **Optional** | Set to `live` (immediate update) or `stream` to update requests every CROWDSEC_UPDATE_FREQUENCY seconds. Defaults to `live` | | `CROWDSEC_UPDATE_FREQUENCY` | **Optional** | Set update frequency for use with `stream` mode. Defaults to `10`. | @@ -73,6 +72,7 @@ e.g. `resolver 127.0.0.11 valid=30s ipv6=off;` ## Versions +* **11.09.24:** - Move versioning to mod tags. Bundle tarball at build time. * **05.06.24:** - Add lua-resty-string. * **06.02.24:** - Add AppSec support. * **29.03.23:** - Support multiple captcha providers from upstream. diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run index 35fa918..5109556 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run +++ b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run @@ -5,12 +5,6 @@ CONFIG_PATH="/config/crowdsec/" LIB_PATH="/usr/local/lua/crowdsec/" DATA_PATH="/var/lib/crowdsec/lua/" -if [[ ${DOCKER_MODS_DEBUG_CURL,,} = "true" ]]; then - CURL_NOISE_LEVEL="-v" -else - CURL_NOISE_LEVEL="--silent" -fi - echo "**** Configuring CrowdSec nginx Bouncer ****" # If API keys are missing, disable mod and exit 
@@ -28,29 +22,11 @@ echo "\ lua-sec \ nginx-mod-http-lua" >> /mod-repo-packages-to-install.list -# Download nginx bouncer -if [[ -z ${CROWDSEC_VERSION+x} ]]; then \ - CROWDSEC_VERSION=$(curl -s "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" | awk '/tag_name/{print $4;exit}' FS='[""]'); -fi - -if [[ -z ${CROWDSEC_VERSION+x} ]]; then \ - echo "**** Could not fetch current bouncer version from Github ****" - exit 1 -fi - -curl "${CURL_NOISE_LEVEL}" -Lo \ - /tmp/crowdsec.tar.gz -L \ - "https://github.com/crowdsecurity/cs-nginx-bouncer/releases/download/${CROWDSEC_VERSION}/crowdsec-nginx-bouncer.tgz" - +# Extract nginx bouncer mkdir -p /tmp/crowdsec -if ! tar -tzf /tmp/crowdsec.tar.gz >/dev/null 2>&1; then - echo "**** Invalid tarball, could not download crowdsec bouncer ****" - exit 1 -fi - tar xf \ - /tmp/crowdsec.tar.gz -C \ + /crowdsec-nginx-bouncer.tgz -C \ /tmp/crowdsec --strip-components=1 mkdir -p "${CONFIG_PATH}" 
@@ -97,20 +73,35 @@ if ! grep -q '[^#]include /etc/nginx/http.d/\*.conf;' '/config/nginx/nginx.conf' else # Warn about missing http.d include echo " - ******************************************************************** - * Warning: Your nginx.conf is missing required settings * - * Please add: * - * include /etc/nginx/http.d/*.conf; * - * to the http{} block and restart the container. * - * * - * The CrowdSec bouncer will not function until this is done. * - ********************************************************************" + ┌──────────────────────────────────────────────────────────────────┐ + │ Warning: Your nginx.conf is missing required settings │ + │ Please add: │ + │ include /etc/nginx/http.d/*.conf; │ + │ to the http{} block and restart the container. │ + │ │ + │ The CrowdSec bouncer will not function until this is done. │ + └──────────────────────────────────────────────────────────────────┘ + " fi fi # Clean up rm -rf \ /tmp/crowdsec \ - /tmp/crowdsec.tar.gz + /crowdsec-nginx-bouncer.tgz + +if [[ -n ${CROWDSEC_VERSION} ]]; then + echo " + ┌─────────────────────────────────────────────────────────────────────────┐ + │ !! ATTENTION !! │ + │ │ + │ This mod will ignore the │ + │ CROWDSEC_VERSION environment variable │ + │ │ + │ Versioning is now handled by mod tags │ + │ See https://hub.docker.com/r/linuxserver/mods/tags?name=swag-crowdsec-v │ + │ For a list of all available tags │ + └─────────────────────────────────────────────────────────────────────────┘" +fi echo "**** Successfully configured CrowdSec nginx Bouncer ${CROWDSEC_VERSION} ****" From b18f1cc120445518966c57cee8e66dd67ddff50c Mon Sep 17 00:00:00 2001 From: thespad Date: Wed, 11 Sep 2024 19:25:38 +0100 Subject: [PATCH 2/4] Update workflow version --- .github/workflows/BuildImage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/BuildImage.yml b/.github/workflows/BuildImage.yml index 9e1ede9..dc1a5f9 100644 --- a/.github/workflows/BuildImage.yml 
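Review bot: The closing status line, `echo "**** Successfully configured CrowdSec nginx Bouncer ${CROWDSEC_VERSION} ****"`, still interpolates the very variable the new ATTENTION box says is ignored, so a user who sets CROWDSEC_VERSION=v1.0.0 is told that v1.0.0 was configured while the release bundled in the image tag was actually installed. Drop the variable from that line, `echo "**** Successfully configured CrowdSec nginx Bouncer ****"`, or print the version only if the build stage records it somewhere the script can read at runtime. The if/else around the http.d include check begins outside this hunk.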
+++ b/.github/workflows/BuildImage.yml @@ -47,7 +47,7 @@ jobs: MOD_VERSION_OVERRIDE: ${{ steps.outputs.outputs.MOD_VERSION_OVERRIDE }} build: - uses: linuxserver/github-workflows/.github/workflows/docker-mod-builder.yml@v2 + uses: linuxserver/github-workflows/.github/workflows/docker-mod-builder.yml@v1 needs: set-vars secrets: CR_USER: ${{ secrets.CR_USER }} From 3fe3f420f697801701bb681455d930e665c8a93c Mon Sep 17 00:00:00 2001 From: thespad Date: Wed, 11 Sep 2024 19:59:09 +0100 Subject: [PATCH 3/4] Don't run through mod setup on restart --- root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run index 5109556..9c61ad4 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run +++ b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run @@ -5,6 +5,11 @@ CONFIG_PATH="/config/crowdsec/" LIB_PATH="/usr/local/lua/crowdsec/" DATA_PATH="/var/lib/crowdsec/lua/" +if [[ ! -e "/crowdsec-nginx-bouncer.tgz" ]]; then + # Crowdsec bouncer already configured + exit 0 +fi + echo "**** Configuring CrowdSec nginx Bouncer ****" # If API keys are missing, disable mod and exit From f8f7401a61403ef6cc666d694b94c75cb51e9aae Mon Sep 17 00:00:00 2001 From: thespad Date: Wed, 11 Sep 2024 20:08:06 +0100 Subject: [PATCH 4/4] Fix comparison --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index a883e78..dabf653 100644 --- a/Dockerfile +++ b/Dockerfile 
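Review bot: The new early return `exit 0` when `/crowdsec-nginx-bouncer.tgz` is absent is silent, and the comment `# Crowdsec bouncer already configured` does not say why the file's absence means that: the tarball is removed by the clean-up at the end of this same script, so its absence only proves a previous start reached that point. A log line before the exit, `echo "**** CrowdSec nginx Bouncer already configured, skipping setup ****"`, lets an operator tell "skipped" from "never ran", and a comment such as `# The bundled tarball is deleted at the end of a successful run; its absence means setup already completed in this container` states the contract. If any later step renders CROWDSEC_* environment variables into config (I cannot see that part of the script from here), this guard also means such changes are not applied on restart until the container is recreated, which the README would then need to say.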
@@ -6,11 +6,11 @@ ARG MOD_VERSION RUN \ mkdir -p /root-layer && \ - if [[ -z "${MOD_VERSION}" ]]; then \ + if [ -z "${MOD_VERSION}" ]; then \ MOD_VERSION=$(curl -sX GET "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" \ | jq -r '.tag_name'); \ fi && \ - if [[ -z ${MOD_VERSION+x} ]]; then \ + if [ -z ${MOD_VERSION+x} ]; then \ echo "**** Could not fetch current bouncer version from Github ****" \ exit 1; \ fi && \