Merge pull request #678 from linuxserver/swag-crowdsec-update

swag-crowdsec update/add workflows

.github/workflows/BuildImage.yml

@@ -1,62 +1,45 @@
 name: Build Image
 
-on: [push, pull_request, workflow_dispatch]
+on: [push, pull_request_target, workflow_dispatch]
 
 env:
+  GITHUB_REPO: "linuxserver/docker-mods" #don't modify
   ENDPOINT: "linuxserver/mods" #don't modify
   BASEIMAGE: "swag" #replace
   MODNAME: "crowdsec" #replace
 
 jobs:
-  build:
+  set-vars:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-
-      - name: Build image
+      - name: Set Vars
+        id: outputs
         run: |
-          docker build --no-cache -t ${{ github.sha }} .
+          echo "GITHUB_REPO=${{ env.GITHUB_REPO }}" >> $GITHUB_OUTPUT
+          echo "ENDPOINT=${{ env.ENDPOINT }}" >> $GITHUB_OUTPUT
+          echo "BASEIMAGE=${{ env.BASEIMAGE }}" >> $GITHUB_OUTPUT
+          echo "MODNAME=${{ env.MODNAME }}" >> $GITHUB_OUTPUT
+          # **** If the mod needs to be versioned, set the versioning logic below. Otherwise leave as is. ****
+          MOD_VERSION=""
+          echo "MOD_VERSION=${MOD_VERSION}" >> $GITHUB_OUTPUT
+    outputs:
+      GITHUB_REPO: ${{ steps.outputs.outputs.GITHUB_REPO }}
+      ENDPOINT: ${{ steps.outputs.outputs.ENDPOINT }}
+      BASEIMAGE: ${{ steps.outputs.outputs.BASEIMAGE }}
+      MODNAME: ${{ steps.outputs.outputs.MODNAME }}
+      MOD_VERSION: ${{ steps.outputs.outputs.MOD_VERSION }}
 
-      - name: Tag image
-        if: ${{ github.ref == format('refs/heads/{0}-{1}', env.BASEIMAGE, env.MODNAME) }}
-        run: |
-          docker tag ${{ github.sha }} ${ENDPOINT}:${BASEIMAGE}-${MODNAME}
-          docker tag ${{ github.sha }} ${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${{ github.sha }}
-          docker tag ${{ github.sha }} ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME}
-          docker tag ${{ github.sha }} ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${{ github.sha }}
-
-      - name: Credential check
-        if: ${{ github.ref == format('refs/heads/{0}-{1}', env.BASEIMAGE, env.MODNAME) }}
-        run: |
-          echo "CR_USER=${{ secrets.CR_USER }}" >> $GITHUB_ENV
-          echo "CR_PAT=${{ secrets.CR_PAT }}" >> $GITHUB_ENV
-          echo "DOCKERUSER=${{ secrets.DOCKERUSER }}" >> $GITHUB_ENV
-          echo "DOCKERPASS=${{ secrets.DOCKERPASS }}" >> $GITHUB_ENV
-          if [[ "${{ secrets.CR_USER }}" == "" && "${{ secrets.CR_PAT }}" == "" && "${{ secrets.DOCKERUSER }}" == "" && "${{ secrets.DOCKERPASS }}" == "" ]]; then
-            echo "::error::Push credential secrets missing."
-            echo "::error::You must set either CR_USER & CR_PAT or DOCKERUSER & DOCKERPASS as secrets in your repo settings."
-            echo "::error::See https://github.com/linuxserver/docker-mods/blob/master/README.md for more information/instructions."
-            exit 1
-          fi
-
-      - name: Login to GitHub Container Registry
-        if: ${{ github.ref == format('refs/heads/{0}-{1}', env.BASEIMAGE, env.MODNAME) && env.CR_USER && env.CR_PAT }}
-        run: |
-          echo "${{ secrets.CR_PAT }}" | docker login ghcr.io -u ${{ secrets.CR_USER }} --password-stdin
-
-      - name: Push tags to GitHub Container Registry
-        if: ${{ github.ref == format('refs/heads/{0}-{1}', env.BASEIMAGE, env.MODNAME) && env.CR_USER && env.CR_PAT }}
-        run: |
-          docker push ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${{ github.sha }}
-          docker push ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME}
-
-      - name: Login to DockerHub
-        if: ${{ github.ref == format('refs/heads/{0}-{1}', env.BASEIMAGE, env.MODNAME) && env.DOCKERUSER && env.DOCKERPASS }}
-        run: |
-          echo ${{ secrets.DOCKERPASS }} | docker login -u ${{ secrets.DOCKERUSER }} --password-stdin
-
-      - name: Push tags to DockerHub
-        if: ${{ github.ref == format('refs/heads/{0}-{1}', env.BASEIMAGE, env.MODNAME) && env.DOCKERUSER && env.DOCKERPASS }}
-        run: |
-          docker push ${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${{ github.sha }}
-          docker push ${ENDPOINT}:${BASEIMAGE}-${MODNAME}
+  build:
+    uses: linuxserver/github-workflows/.github/workflows/docker-mod-builder.yml@v1
+    needs: set-vars
+    secrets:
+      CR_USER: ${{ secrets.CR_USER }}
+      CR_PAT: ${{ secrets.CR_PAT }}
+      DOCKERUSER: ${{ secrets.DOCKERUSER }}
+      DOCKERPASS: ${{ secrets.DOCKERPASS }}
+    with:
+      GITHUB_REPO: ${{ needs.set-vars.outputs.GITHUB_REPO }}
+      ENDPOINT: ${{ needs.set-vars.outputs.ENDPOINT }}
+      BASEIMAGE: ${{ needs.set-vars.outputs.BASEIMAGE }}
+      MODNAME: ${{ needs.set-vars.outputs.MODNAME }}
+      MOD_VERSION: ${{ needs.set-vars.outputs.MOD_VERSION }}

.github/workflows/call_issue_pr_tracker.yml

@@ -0,0 +1,16 @@
+name: Issue & PR Tracker
+
+on:
+  issues:
+    types: [opened,reopened,labeled,unlabeled,closed]
+  pull_request_target:
+    types: [opened,reopened,review_requested,review_request_removed,labeled,unlabeled,closed]
+  pull_request_review:
+    types: [submitted,edited,dismissed]
+
+jobs:
+  manage-project:
+    permissions:
+      issues: write
+    uses: linuxserver/github-workflows/.github/workflows/issue-pr-tracker.yml@v1
+    secrets: inherit

.github/workflows/permissions.yml

@@ -0,0 +1,10 @@
+name: Permission check
+on:
+  pull_request_target:
+    paths:
+      - '**/run'
+      - '**/finish'
+      - '**/check'
+jobs:
+  permission_check:
+    uses: linuxserver/github-workflows/.github/workflows/init-svc-executable-permissions.yml@v1

Dockerfile

@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+
 FROM scratch
 
 LABEL maintainer="thespad"

root/etc/cont-init.d/98-crowdsec

@@ -1,105 +0,0 @@
-#!/usr/bin/with-contenv bash
-# shellcheck shell=bash
-
-CONFIG_PATH="/config/crowdsec/"
-LIB_PATH="/usr/local/lua/crowdsec/"
-DATA_PATH="/var/lib/crowdsec/lua/"
-
-echo "**** Configuring CrowdSec nginx Bouncer ****"
-
-# If API keys are missing, disable mod and exit
-if [[ -z $CROWDSEC_API_KEY ]] || [[ -z $CROWDSEC_LAPI_URL ]]; then
-    echo "**** Missing API key or CrowdSec LAPI URL, cannot configure bouncer ****"
-    exit 1
-fi
-
-apk add -U --upgrade --no-cache \
-    gettext \
-    lua5.1 \
-    lua5.1-cjson \
-    lua-resty-http \
-    lua-sec \
-    nginx-mod-http-lua
-
-# Download nginx bouncer
-if [[ -z ${CROWDSEC_VERSION+x} ]]; then \
-    CROWDSEC_VERSION=$(curl -sX GET "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" | awk '/tag_name/{print $4;exit}' FS='[""]');
-fi
-
-curl -so \
-    /tmp/crowdsec.tar.gz -L \
-    "https://github.com/crowdsecurity/cs-nginx-bouncer/releases/download/${CROWDSEC_VERSION}/crowdsec-nginx-bouncer.tgz"
-
-mkdir -p /tmp/crowdsec
-
-if ! tar -tzf /tmp/crowdsec.tar.gz >/dev/null 2>&1; then
-    echo "**** Invalid tarball, could not download crowdsec bouncer ****"
-    exit 1
-fi
-
-tar xf \
-    /tmp/crowdsec.tar.gz -C \
-    /tmp/crowdsec --strip-components=1
-
-mkdir -p "${CONFIG_PATH}"
-if [[ ! -f "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" ]]; then \
-    cp /tmp/crowdsec/lua-mod/config_example.conf "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
-fi
-
-# Inject API keys into config file
-sed -i -r "s|API_KEY=.*$|API_KEY=${CROWDSEC_API_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
-sed -i -r "s|API_URL=.*$|API_URL=${CROWDSEC_LAPI_URL}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
-
-# Sed in ReCaptcha settings
-sed -i -r "s|SECRET_KEY=.*$|SECRET_KEY=${CROWDSEC_SECRET_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
-sed -i -r "s|SITE_KEY=.*$|SITE_KEY=${CROWDSEC_SITE_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
-sed -i -r "s|CAPTCHA_PROVIDER=.*$|CAPTCHA_PROVIDER=${CROWDSEC_CAPTCHA_PROVIDER}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
-
-# Sed in CROWDSEC_MODE and UPDATE_FREQUENCY, if defined in the env, defaults to live and 10s
-sed -i -r "s|MODE=.*$|MODE=${CROWDSEC_MODE:-live}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
-sed -i -r "s|UPDATE_FREQUENCY=.*$|UPDATE_FREQUENCY=${CROWDSEC_UPDATE_FREQUENCY:-10}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
-
-# Change config path
-sed -i "s|/etc/crowdsec/bouncers/|${CONFIG_PATH}|" /tmp/crowdsec/nginx/crowdsec_nginx.conf
-
-# Copy files
-mkdir -p ${DATA_PATH}/templates/
-cp -r /tmp/crowdsec/lua-mod/templates/* ${DATA_PATH}/templates/
-
-mkdir -p ${LIB_PATH}plugins/crowdsec
-cp -r /tmp/crowdsec/lua-mod/lib/* ${LIB_PATH}
-
-cp /tmp/crowdsec/nginx/crowdsec_nginx.conf /etc/nginx/http.d
-
-# Sed in crowdsec include
-if ! grep -q '[^#]include /etc/nginx/http.d/\*.conf;' '/config/nginx/nginx.conf' && ! grep -q '[^#]include /etc/nginx/conf.d/\*.conf;' '/config/nginx/nginx.conf'; then
-    if grep -q '#include /etc/nginx/http.d/\*.conf;' '/config/nginx/nginx.conf'; then
-        # Enable http.d include
-        sed -i 's|#include /etc/nginx/http.d/\*.conf;|include /etc/nginx/http.d/\*.conf;|' /config/nginx/nginx.conf
-    else
-        # Warn about missing http.d include
-        echo "
-        ********************************************************************
-        *    Warning: Your nginx.conf is missing required settings         *
-        *    Please add:                                                   *
-        *        include /etc/nginx/http.d/*.conf;                         *
-        *    to the http{} block and restart the container.                *
-        *                                                                  *
-        *    The CrowdSec bouncer will not function until this is done.    *
-        ********************************************************************"
-    fi
-fi
-
-# Clean up
-rm -rf \
-    /tmp/crowdsec \
-    /tmp/crowdsec.tar.gz
-
-# Disable f2b if requested
-if [[ $CROWDSEC_F2B_DISABLE == "true" ]]; then
-    echo "**** Disabling fail2ban Service ****"
-    touch /etc/services.d/fail2ban/down
-    rm -rf /etc/logrotate.d/fail2ban
-fi
-
-echo "**** Successfully configured CrowdSec nginx Bouncer ${CROWDSEC_VERSION} ****"