Merge pull request #204 from Spunkie/universal-cloudflared

universal: cloudflared mod initial release
2026-06-17 22:03:32 -04:00 · 2021-05-28 23:48:35 -04:00
parent d1dc6e5858 6d20aac42f
commit 10ca5fc025
8 changed files with 299 additions and 71 deletions
@@ -4,8 +4,8 @@ on: [push, pull_request, workflow_dispatch]

 env:
  ENDPOINT: "linuxserver/mods" #don't modify
-  BASEIMAGE: "replace_baseimage" #replace
-  MODNAME: "replace_modname" #replace
+  BASEIMAGE: "universal" #replace
+  MODNAME: "cloudflared" #replace

 jobs:
  build:
@@ -15,14 +15,20 @@ jobs:

      - name: Build image
        run: |
-          docker build --no-cache -t ${{ github.sha }} .
+          CLOUDFLARED_TAG=$(curl -s https://api.github.com/repos/cloudflare/cloudflared/releases/latest | jq -rc ".tag_name")
+          echo "CLOUDFLARED_TAG=${CLOUDFLARED_TAG}" >> $GITHUB_ENV
+          docker build --no-cache --build-arg CLOUDFLARED_TAG=${CLOUDFLARED_TAG} -t ${{ github.sha }} .

      - name: Tag image
        if: ${{ github.ref == format('refs/heads/{0}-{1}', env.BASEIMAGE, env.MODNAME) }}
        run: |
          docker tag ${{ github.sha }} ${ENDPOINT}:${BASEIMAGE}-${MODNAME}
+          docker tag ${{ github.sha }} ${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${CLOUDFLARED_TAG}
+          docker tag ${{ github.sha }} ${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${CLOUDFLARED_TAG}-${{ github.sha }}
          docker tag ${{ github.sha }} ${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${{ github.sha }}
          docker tag ${{ github.sha }} ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME}
+          docker tag ${{ github.sha }} ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${CLOUDFLARED_TAG}
+          docker tag ${{ github.sha }} ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${CLOUDFLARED_TAG}-${{ github.sha }}
          docker tag ${{ github.sha }} ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${{ github.sha }}

      - name: Credential check
@@ -48,6 +54,8 @@ jobs:
        if: ${{ github.ref == format('refs/heads/{0}-{1}', env.BASEIMAGE, env.MODNAME) && env.CR_USER && env.CR_PAT }}
        run: |
          docker push ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${{ github.sha }}
+          docker push ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${CLOUDFLARED_TAG}-${{ github.sha }}
+          docker push ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${CLOUDFLARED_TAG}
          docker push ghcr.io/${ENDPOINT}:${BASEIMAGE}-${MODNAME}

      - name: Login to DockerHub
@@ -59,4 +67,6 @@ jobs:
        if: ${{ github.ref == format('refs/heads/{0}-{1}', env.BASEIMAGE, env.MODNAME) && env.DOCKERUSER && env.DOCKERPASS }}
        run: |
          docker push ${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${{ github.sha }}
+          docker push ${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${CLOUDFLARED_TAG}-${{ github.sha }}
+          docker push ${ENDPOINT}:${BASEIMAGE}-${MODNAME}-${CLOUDFLARED_TAG}
          docker push ${ENDPOINT}:${BASEIMAGE}-${MODNAME}
@@ -1,6 +1,40 @@
+# Build container
+FROM golang:alpine AS buildstage
+
+ARG CLOUDFLARED_TAG
+
+RUN mkdir -p /root-layer/cloudflared
+WORKDIR /src
+
+RUN apk --no-cache add git build-base curl jq
+
+ENV GO111MODULE=on \
+    CGO_ENABLED=0
+
+RUN \
+  if [ -z "${CLOUDFLARED_TAG}" ]; then \
+    curl -s https://api.github.com/repos/cloudflare/cloudflared/releases/latest \
+      | jq -rc ".tag_name" \
+      | xargs -I TAG sh -c 'git -c advice.detachedHead=false clone https://github.com/cloudflare/cloudflared --depth=1 --branch TAG .'; \
+  else \
+    git -c advice.detachedHead=false clone https://github.com/cloudflare/cloudflared --depth=1 --branch ${CLOUDFLARED_TAG} .; \
+  fi
+
+RUN GOOS=linux GOARCH=amd64 make cloudflared
+RUN mv cloudflared /root-layer/cloudflared/cloudflared-amd64
+
+RUN GOOS=linux GOARCH=arm64 make cloudflared
+RUN mv cloudflared /root-layer/cloudflared/cloudflared-arm64
+
+RUN GOOS=linux GOARCH=arm make cloudflared
+RUN mv cloudflared /root-layer/cloudflared/cloudflared-armhf
+
+COPY root/ /root-layer/
+
+## Single layer deployed image ##
 FROM scratch

-LABEL maintainer="username"
+LABEL maintainer="Spunkie"

-# copy local files
-COPY root/ /
+# Add files from buildstage
+COPY --from=buildstage /root-layer/ /
@@ -1,23 +0,0 @@
-## Buildstage ##
-FROM ghcr.io/linuxserver/baseimage-alpine:3.12 as buildstage
-
-RUN \
- echo "**** install packages ****" && \
- apk add --no-cache \
-	curl && \
- echo "**** grab rclone ****" && \
- mkdir -p /root-layer && \
- curl -o \
-	/root-layer/rclone.deb -L \
-	"https://downloads.rclone.org/v1.47.0/rclone-v1.47.0-linux-amd64.deb"
-
-# copy local files
-COPY root/ /root-layer/
-
-## Single layer deployed image ##
-FROM scratch
-
-LABEL maintainer="username"
-
-# Add files from buildstage
-COPY --from=buildstage /root-layer/ /
@@ -1,17 +1,66 @@
-# Rsync - Docker mod for openssh-server
+# Cloudflared - Universal docker mod

-This mod adds rsync to openssh-server, to be installed/updated during container start.
+In docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:universal-cloudflared`

-In openssh-server docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:openssh-server-rsync`
+If no additional parameters are supplied this mod adds [`cloudflared`](https://github.com/cloudflare/cloudflared) using the [latest release tag](https://github.com/cloudflare/cloudflared/releases/latest) to any [LSIO docker image](https://fleet.linuxserver.io/), to be installed/updated during container start.

-If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:openssh-server-rsync|linuxserver/mods:openssh-server-mod2`
+If all additional parameters are supplied this docker mod will also create/configure/route/enable a cloudflare tunnel via `cloudflared` and the cloudflare v4 API.

-# Mod creation instructions
+## Usage

-* Fork the repo, create a new branch based on the branch `template`.
-* Edit the `Dockerfile` for the mod. `Dockerfile.complex` is only an example and included for reference; it should be deleted when done.
-* Inspect the `root` folder contents. Edit, add and remove as necessary.
-* Edit this readme with pertinent info, delete these instructions.
-* Finally edit the `.github/workflows/BuildImage.yml`. Customize the build branch, and the vars for `BASEIMAGE` and `MODNAME`.
-* Ask the team to create a new branch named `<baseimagename>-<modname>`. Baseimage should be the name of the image the mod will be applied to. The new branch will be based on the `template` branch.
-* Submit PR against the branch created by the team.
+Here an example snippet to help you get started using this docker mod.
+
+### docker-compose ([recommended](https://docs.linuxserver.io/general/docker-compose))
+
+```yaml
+  swag:
+    image: ghcr.io/linuxserver/swag
+    container_name: swag
+    cap_add:
+      - NET_ADMIN
+    environment:
+      PUID: 1000
+      PGID: 1000
+      TZ: Europe/London
+      URL: yourdomain.url
+      SUBDOMAINS: test,
+      VALIDATION: dns
+      DNSPLUGIN: cloudflare #optional
+      ONLY_SUBDOMAINS: true #optional
+      EMAIL: #optional
+      EXTRA_DOMAINS: #optional
+      STAGING: false #optional
+      DOCKER_MODS: linuxserver/mods:universal-cloudflared
+      CF_ZONE_ID: #optional
+      CF_ACCOUNT_ID: #optional
+      CF_API_TOKEN: #optional
+      CF_TUNNEL_NAME: example #optional
+      CF_TUNNEL_PASSWORD: pleasedontusethisexamplepassword #optional
+      CF_TUNNEL_CONFIG: | #optional
+        ingress:
+          - hostname: test.yourdomain.url
+            service: hello_world
+          - service: http_status:404
+    volumes:
+      - /path/to/appdata/config:/config
+    restart: unless-stopped
+```
+
+## Parameters
+
+Container images/mods are configured using parameters passed at runtime (such as those above).
+
+| Parameter | Function | Notes |
+| :----: | --- | --- |
+| `DOCKER_MODS` | Enabled this docker mod with `linuxserver/mods:universal-cloudflared` | If adding multiple mods, enter them in an array separated by `\|`, such as `DOCKER_MODS: linuxserver/mods:universal-cloudflared\|linuxserver/mods:universal-mod2` |
+
+### Optional tunnel parameters 
+
+| Parameter | Function | Notes |
+| :----: | --- | --- |
+| `CF_ZONE_ID` | Cloudflare zone ID |   |
+| `CF_ACCOUNT_ID` | Cloudflare account ID |   |
+| `CF_API_TOKEN` | Cloudflare API token | Must have the `Account.Argo Tunnel:Edit` and `Zone.DNS:Edit` permissions. |
+| `CF_TUNNEL_NAME` | Cloudflare tunnel name |   |
+| `CF_TUNNEL_PASSWORD` | Cloudflare tunnel password | 32 char minimum |
+| `CF_TUNNEL_CONFIG` | Cloudflare tunnel config, please refer to cloudflares official tunnel docs. | Do not add `tunnel`/`credentials-file` headers, these are handled automatically. |
@@ -0,0 +1,185 @@
+#!/usr/bin/with-contenv bash
+
+echo "**** Cloudflared setup script init... ****"
+
+echo "**** Checking cloudflared setup script requirements... ****"
+ARCH="$(command arch)"
+if [ "${ARCH}" = "x86_64" ]; then 
+  ARCH="amd64"
+elif [ "${ARCH}" = "aarch64" ]; then 
+  ARCH="arm64" 
+elif [ "${ARCH}" = "armv7l" ]; then 
+  ARCH="armhf" 
+else
+  echo "**** Unsupported Linux architecture ${ARCH} found, exiting... ****"
+  exit 1
+fi
+echo "**** Linux architecture found: ${ARCH} ****"
+
+UBUNTU=false
+ALPINE=false
+if [ -f /usr/bin/apt ]; then
+  UBUNTU=true
+  echo "**** Linux distro found: ubuntu ****"
+elif [ -f /sbin/apk ]; then
+  ALPINE=true
+  echo "**** Linux distro found: alpine ****"
+else
+  echo "**** Unknown Linux distro, exiting... ****"
+  exit 1
+fi
+
+echo "**** Checking for cloudflared setup script dependencies... ****"
+YQARCH="${ARCH}"
+if [ "${YQ_ARCH}" = "armhf" ]; then 
+  YQARCH="arm" 
+fi
+echo "**** Temporarily installing /tmp/yq... ****"
+curl -sLo /tmp/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${YQARCH}
+chmod +x /tmp/yq
+
+declare -A CLEANUP=( [curl]=false [jq]=false )
+for PKG in "${!CLEANUP[@]}"; do
+  if [ -x "$(command -v ${PKG})" ]; then
+    echo "**** ${PKG} already installed, skipping... ****"
+  else
+    CLEANUP[$PKG]=true
+    echo "**** Temporarily installing ${PKG}... ****"
+    if $ALPINE; then
+      apk add --no-cache ${PKG}
+    elif $UBUNTU; then
+      apt-get -qqy install --no-install-recommends ${PKG}
+    fi
+  fi
+done
+
+echo "**** Installing cloudflared...****"
+if [ -d "/cloudflared/" ]; then
+  echo "**** Moving /cloudflared/cloudflared-${ARCH} to /usr/local/bin/cloudflared... ****"
+  mv /cloudflared/cloudflared-${ARCH} /usr/local/bin/cloudflared
+
+  echo "**** Deleting tmp /cloudflared dir... ****"
+  rm -rf /cloudflared 
+
+  echo "**** Cloudflared installed ****"
+elif [ -x "$(command -v cloudflared)" ]; then
+  echo "**** Cloudflared already installed, skipping... ****"
+else
+  echo "**** Cloudflared missing, exiting... ****"
+  exit 1
+fi
+cloudflared -v
+
+echo "**** Checking for optional cloudflare tunnel parameters... ****"
+if [[ ${#CF_ACCOUNT_ID} -gt 0 ]] && [[ ${#CF_API_TOKEN} -gt 0 ]] && [[ ${#CF_TUNNEL_NAME} -gt 0 ]]; then
+  if [[ ${#CF_TUNNEL_PASSWORD} -le 32 ]]; then
+    echo "**** Cloudflare tunnel password must be at least 32 characters long, exiting... ****"
+    exit 1 
+  else
+    echo "**** Cloudflare tunnel parameters found, starting cloudflare tunnel setup... ****"
+    echo "**** Creating cloudflare tunnel(${CF_TUNNEL_NAME}) via API... ****"
+
+    CF_TUNNEL_SECRET="$(command echo ${CF_TUNNEL_PASSWORD} | base64)"
+    JSON_RESULT=$(curl -sX \
+      POST "https://api.cloudflare.com/client/v4/accounts/${CF_ACCOUNT_ID}/tunnels" \
+        -H "Authorization: Bearer ${CF_API_TOKEN}" \
+        -H "Content-Type: application/json" \
+        --data "{\"name\":\"${CF_TUNNEL_NAME}\",\"tunnel_secret\":\"${CF_TUNNEL_SECRET}\"}")
+    echo ${JSON_RESULT} | jq
+
+    JSON_CODE_VALUE=$(echo ${JSON_RESULT} | jq -rc ".code")
+    if [[ ${JSON_CODE_VALUE} -eq 1013 ]]; then
+      echo "**** You already have a cloudflare tunnel named ${CF_TUNNEL_NAME} ****"
+    
+      echo "**** Searching existing cloudflare tunnels via API... ****"
+      JSON_RESULT=$(curl -sX \
+        GET "https://api.cloudflare.com/client/v4/accounts/${CF_ACCOUNT_ID}/tunnels?name=${CF_TUNNEL_NAME}&is_deleted=false" \
+          -H "Authorization: Bearer ${CF_API_TOKEN}" \
+          -H "Content-Type: application/json")
+      echo ${JSON_RESULT} | jq
+
+      echo "**** Fetching existing cloudflare tunnel(${CF_TUNNEL_NAME}) via API... ****"
+      CF_TUNNEL_ID=$(echo ${JSON_RESULT} | jq -rc ".[].id")
+      JSON_RESULT=$(curl -sX \
+        GET "https://api.cloudflare.com/client/v4/accounts/${CF_ACCOUNT_ID}/tunnels/${CF_TUNNEL_ID}?" \
+          -H "Authorization: Bearer ${CF_API_TOKEN}" \
+          -H "Content-Type: application/json")
+
+      JSON_RESULT=$(echo ${JSON_RESULT} | jq -rc ". + {\"credentials_file\": {\"AccountTag\": \"${CF_ACCOUNT_ID}\",\"TunnelID\": \"${CF_TUNNEL_ID}\",\"TunnelName\": \"${CF_TUNNEL_NAME}\",\"TunnelSecret\": \"${CF_TUNNEL_SECRET}\"}}")
+      echo ${JSON_RESULT} | jq
+    fi
+
+    CF_TUNNEL_ID=$(echo ${JSON_RESULT} | jq -rc ".id")
+    CREDENTIALS_FILE=$(echo ${JSON_RESULT} | jq -rc ".credentials_file")
+    echo "**** Saving cloudflare tunnel(${CF_TUNNEL_NAME}) credentials json... ****"
+    if [ ! -d "/etc/cloudflared/" ]; then
+      mkdir -p "/etc/cloudflared";
+    fi
+    printf "${CREDENTIALS_FILE}" > "/etc/cloudflared/${CF_TUNNEL_ID}.json"
+    echo ${JSON_RESULT} | jq -r ".credentials_file"
+    echo "**** Cloudflare tunnel(${CF_TUNNEL_NAME}) credentials saved to /etc/cloudflared/${CF_TUNNEL_ID}.json ****"
+
+    echo "**** Generating config.yml for cloudflare tunnel(${CF_TUNNEL_NAME})... ****"
+    printf "tunnel: ${CF_TUNNEL_ID}\n" > "/etc/cloudflared/config.yml"
+    printf "credentials-file: /etc/cloudflared/${CF_TUNNEL_ID}.json\n" >> "/etc/cloudflared/config.yml"
+    printf "no-autoupdate: true\n\n" >> "/etc/cloudflared/config.yml"
+    printf "${CF_TUNNEL_CONFIG}" >> "/etc/cloudflared/config.yml"
+    /tmp/yq e /etc/cloudflared/config.yml
+    echo "**** Config for cloudflare tunnel(${CF_TUNNEL_NAME}) saved to /etc/cloudflared/config.yml ****"
+
+    echo "**** Validating cloudflared tunnel rules... ****"
+    cloudflared tunnel ingress validate
+
+    echo "**** Updating cloudflare zone... ****"
+    for HOSTNAME in $(/tmp/yq e ".ingress.[].hostname" /etc/cloudflared/config.yml); do
+      if [ ! "${HOSTNAME}" = "null" ]; then
+        echo "**** Searching zone for hostname(${HOSTNAME}) via API... ****"
+        JSON_RESULT=$(curl -sX \
+          GET "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records?name=${HOSTNAME}&type=CNAME&match=all" \
+            -H "Authorization: Bearer ${CF_API_TOKEN}" \
+            -H "Content-Type: application/json")
+
+        COUNT=$(echo ${JSON_RESULT} | jq -rc ".result_info.count")
+        if [[ ${COUNT} -eq 0 ]]; then
+          echo "**** Creating new CNAME for hostname(${HOSTNAME}) via API... ****"
+          JSON_RESULT=$(curl -sX \
+            POST "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records" \
+              -H "Authorization: Bearer ${CF_API_TOKEN}" \
+              -H "Content-Type: application/json" \
+              --data "{\"type\":\"CNAME\",\"name\":\"${HOSTNAME}\",\"content\":\"${CF_TUNNEL_ID}.cfargotunnel.com\",\"ttl\":1,\"proxied\":true}")
+          echo ${JSON_RESULT} | jq
+        else
+          echo "**** Updating existing CNAME for hostname(${HOSTNAME}) via API... ****"
+          RECORD_ID=$(echo ${JSON_RESULT} | jq -rc ".result[].id")
+          JSON_RESULT=$(curl -sX \
+            PUT "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records/${RECORD_ID}" \
+              -H "Authorization: Bearer ${CF_API_TOKEN}" \
+              -H "Content-Type: application/json" \
+              --data "{\"type\":\"CNAME\",\"name\":\"${HOSTNAME}\",\"content\":\"${CF_TUNNEL_ID}.cfargotunnel.com\",\"ttl\":1,\"proxied\":true}")
+          echo ${JSON_RESULT} | jq
+        fi
+      fi
+    done
+  fi
+else
+  echo "**** Optional parameters blank or missing, skipped cloudflare tunnel setup ****"
+fi
+
+echo "**** Cleaning up cloudflared setup script dependencies if required... ****"
+for PKG in "${!CLEANUP[@]}"; do
+  if [ "${CLEANUP[$PKG]}" = true ]; then
+    CLEANUP[$PKG]=false
+    echo "**** Uninstalling ${PKG}... ****"
+    if $ALPINE; then
+      apk del ${PKG}
+    elif $UBUNTU; then
+      apt-get -qqy remove ${PKG}
+      apt-get -qqy autoremove
+    fi
+  fi
+done
+
+echo "**** Uninstalling /tmp/yq... ****"
+rm /tmp/yq
+
+echo "**** Cloudflared setup script done, exiting... ****"
@@ -1,27 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-# Determine if setup is needed
-if [ ! -f /usr/local/lib/python***/dist-packages/sshuttle ] && \
-[ -f /usr/bin/apt ]; then
-  ## Ubuntu
-  apt-get update
-  apt-get install --no-install-recommends -y \
-    iptables \
-    openssh-client \
-    python3 \
-    python3-pip 
-  pip3 install sshuttle
-fi
-if [ ! -f /usr/lib/python***/site-packages/sshuttle ] && \
-[ -f /sbin/apk ]; then
-  # Alpine
-  apk add --no-cache \
-    iptables \
-    openssh \
-    py3-pip \
-    python3 
-  pip3 install sshuttle
-fi
-
-chown -R root:root /root
-chmod -R 600 /root/.ssh
@@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv bash
+
+exec s6-setuidgid abc cloudflared tunnel --no-autoupdate --config /etc/cloudflared/config.yml run
@@ -1,3 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-sshuttle --dns --remote root@${HOST}:${PORT} 0/0 -x 172.17.0.0/16