From 259d7d70b88b90eded483e519e4541494870cfd7 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Fri, 29 Jul 2022 16:20:20 +0100
Subject: [PATCH 1/4] Support universal package install
---
.../dependencies.d/init-mods | 0
.../s6-rc.d/init-mod-swag-crowdsec/run | 88 +++++++++++++++++++
.../s6-rc.d/init-mod-swag-crowdsec/type | 1 +
.../s6-rc.d/init-mod-swag-crowdsec/up | 1 +
.../dependencies.d/init-mod-swag-crowdsec | 0
5 files changed, 90 insertions(+)
create mode 100644 root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/dependencies.d/init-mods
create mode 100755 root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run
create mode 100644 root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/type
create mode 100644 root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/up
create mode 100644 root/etc/s6-overlay/s6-rc.d/init-mods-package-install/dependencies.d/init-mod-swag-crowdsec
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/dependencies.d/init-mods b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/dependencies.d/init-mods
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run
new file mode 100755
index 0000000..f88ceba
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run
@@ -0,0 +1,88 @@
+#!/usr/bin/with-contenv bash
+
+CONFIG_PATH="/config/crowdsec/"
+LIB_PATH="/usr/local/lua/crowdsec/"
+DATA_PATH="/var/lib/crowdsec/lua/"
+
+echo "**** Configuring CrowdSec nginx Bouncer ****"
+
+# If API keys are missing, disable mod and exit
+if [[ -z $CROWDSEC_API_KEY ]] || [[ -z $CROWDSEC_LAPI_URL ]]; then
+ echo "**** Missing API key or CrowdSec LAPI URL, cannot configure bouncer ****"
+ exit 1
+fi
+
+echo "\
+ gettext \
+ lua5.1 \
+ lua5.1-cjson \
+ lua-resty-http \
+ lua-sec \
+ nginx-mod-http-lua" >> /mod-repo-packages-to-install.list
+
+# Download nginx bouncer
+if [ -z ${CROWDSEC_VERSION+x} ]; then \
+ CROWDSEC_VERSION=$(curl -sX GET "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" | awk '/tag_name/{print $4;exit}' FS='[""]');
+fi
+
+curl -so \
+ /tmp/crowdsec.tar.gz -L \
+ "https://github.com/crowdsecurity/cs-nginx-bouncer/releases/download/${CROWDSEC_VERSION}/crowdsec-nginx-bouncer.tgz"
+
+mkdir -p /tmp/crowdsec
+
+tar xf \
+ /tmp/crowdsec.tar.gz -C \
+ /tmp/crowdsec --strip-components=1
+
+# Inject API keys into config file
+mkdir -p "${CONFIG_PATH}"
+API_KEY=${CROWDSEC_API_KEY} CROWDSEC_LAPI_URL=${CROWDSEC_LAPI_URL} envsubst < /tmp/crowdsec/lua-mod/config_example.conf > "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
+
+# Change config path
+sed -i "s|/etc/crowdsec/bouncers/|${CONFIG_PATH}|" /tmp/crowdsec/nginx/crowdsec_nginx.conf
+
+# Copy files
+mkdir -p ${DATA_PATH}/templates/
+cp -r /tmp/crowdsec/lua-mod/templates/* ${DATA_PATH}/templates/
+
+mkdir -p ${LIB_PATH}plugins/crowdsec
+cp -r /tmp/crowdsec/lua-mod/lib/* ${LIB_PATH}
+
+cp /tmp/crowdsec/nginx/crowdsec_nginx.conf /etc/nginx/http.d
+
+# Sed in ReCaptcha keys
+sed -i -r "s|SECRET_KEY=.*$|SECRET_KEY=${CROWDSEC_SECRET_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
+sed -i -r "s|SITE_KEY=.*$|SITE_KEY=${CROWDSEC_SITE_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
+
+# Sed in crowdsec include
+if ! grep -q '[^#]include /etc/nginx/http.d/\*.conf;' '/config/nginx/nginx.conf' && ! grep -q '[^#]include /etc/nginx/conf.d/\*.conf;' '/config/nginx/nginx.conf'; then
+ if grep -q '#include /etc/nginx/http.d/\*.conf;' '/config/nginx/nginx.conf'; then
+ # Enable http.d include
+ sed -i 's|#include /etc/nginx/http.d/\*.conf;|include /etc/nginx/http.d/\*.conf;|' /config/nginx/nginx.conf
+ else
+ # Warn about missing http.d include
+ echo "
+ ********************************************************************
+ * Warning: Your nginx.conf is missing required settings *
+ * Please add: *
+ * include /etc/nginx/http.d/*.conf; *
+ * to the http{} block and restart the container. *
+ * *
+ * The CrowdSec bouncer will not function until this is done. *
+ ********************************************************************"
+ fi
+fi
+
+# Clean up
+rm -rf \
+ /tmp/crowdsec \
+ /tmp/crowdsec.tar.gz
+
+# Disable f2b if requested
+if [[ $CROWDSEC_F2B_DISABLE == "true" ]]; then
+ echo "**** Disabling fail2ban Service ****"
+ touch /etc/services.d/fail2ban/down
+fi
+
+echo "**** Successfully configured CrowdSec nginx Bouncer ${CROWDSEC_VERSION} ****"
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/type b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/type
new file mode 100644
index 0000000..bdd22a1
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/type
@@ -0,0 +1 @@
+oneshot
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/up b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/up
new file mode 100644
index 0000000..ed2c4e1
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/up
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/dependencies.d/init-mod-swag-crowdsec b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/dependencies.d/init-mod-swag-crowdsec
new file mode 100644
index 0000000..e69de29
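Review bot: The release tarball written to `/tmp/crowdsec.tar.gz` is unpacked and its Lua and nginx files are copied into `${LIB_PATH}` and `/etc/nginx/http.d` with no integrity check, and when `CROWDSEC_VERSION` is unset the tag is resolved from `releases/latest` at start-up, so nginx ends up loading whatever that URL serves on the day the container starts. Both `curl` calls use `-s` without `-f` and nothing tests the exit status of `curl` or `tar`, so an HTTP error body or an empty tag carries on through `envsubst` and `cp` to the final "Successfully configured" message. I would add `-f` to both `curl` invocations, append `|| exit 1` to the download and to `tar xf`, and compare the archive with a pinned digest for the chosen version (for example with `sha256sum -c`) before extracting. The `${DATA_PATH}` and `${LIB_PATH}` expansions in the `mkdir`/`cp` lines, and `${CROWDSEC_VERSION+x}` in the `[ -z … ]` test, are also unquoted.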
From 40c642530b23ac9ff11a2f74836788aad41a819d Mon Sep 17 00:00:00 2001 From: TheSpad Date: Fri, 29 Jul 2022 16:23:30 +0100 Subject: [PATCH 2/4] Add to user bundle --- .../dependencies.d/init-mods-swag-crowdsec} | 0 .../dependencies.d/init-mods} | 0 .../{init-mod-swag-crowdsec => init-mods-swag-crowdsec}/run | 0 .../{init-mod-swag-crowdsec => init-mods-swag-crowdsec}/type | 0 .../{init-mod-swag-crowdsec => init-mods-swag-crowdsec}/up | 0 .../s6-overlay/s6-rc.d/user/contents.d/init-mods-swag-crowdsec | 0 6 files changed, 0 insertions(+), 0 deletions(-) rename root/etc/s6-overlay/s6-rc.d/{init-mod-swag-crowdsec/dependencies.d/init-mods => init-mods-package-install/dependencies.d/init-mods-swag-crowdsec} (100%) rename root/etc/s6-overlay/s6-rc.d/{init-mods-package-install/dependencies.d/init-mod-swag-crowdsec => init-mods-swag-crowdsec/dependencies.d/init-mods} (100%) rename root/etc/s6-overlay/s6-rc.d/{init-mod-swag-crowdsec => init-mods-swag-crowdsec}/run (100%) rename root/etc/s6-overlay/s6-rc.d/{init-mod-swag-crowdsec => init-mods-swag-crowdsec}/type (100%) rename root/etc/s6-overlay/s6-rc.d/{init-mod-swag-crowdsec => init-mods-swag-crowdsec}/up (100%) create mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mods-swag-crowdsec diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/dependencies.d/init-mods b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/dependencies.d/init-mods-swag-crowdsec similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/dependencies.d/init-mods rename to root/etc/s6-overlay/s6-rc.d/init-mods-package-install/dependencies.d/init-mods-swag-crowdsec 
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/dependencies.d/init-mod-swag-crowdsec b/root/etc/s6-overlay/s6-rc.d/init-mods-swag-crowdsec/dependencies.d/init-mods similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-mods-package-install/dependencies.d/init-mod-swag-crowdsec rename to root/etc/s6-overlay/s6-rc.d/init-mods-swag-crowdsec/dependencies.d/init-mods diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run b/root/etc/s6-overlay/s6-rc.d/init-mods-swag-crowdsec/run similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run rename to root/etc/s6-overlay/s6-rc.d/init-mods-swag-crowdsec/run diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/type b/root/etc/s6-overlay/s6-rc.d/init-mods-swag-crowdsec/type similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/type rename to root/etc/s6-overlay/s6-rc.d/init-mods-swag-crowdsec/type diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/up b/root/etc/s6-overlay/s6-rc.d/init-mods-swag-crowdsec/up similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/up rename to root/etc/s6-overlay/s6-rc.d/init-mods-swag-crowdsec/up diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mods-swag-crowdsec b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mods-swag-crowdsec new file mode 100644 index 0000000..e69de29 From d559049f4569dcbd3c4b86c9099a8a8896d08e33 Mon Sep 17 00:00:00 2001 
From: TheSpad Date: Mon, 1 Aug 2022 14:58:28 +0100 Subject: [PATCH 3/4] Fix mod/mods naming --- .../dependencies.d/init-mods | 0 .../{init-mods-swag-crowdsec => init-mod-swag-crowdsec}/run | 0 .../{init-mods-swag-crowdsec => init-mod-swag-crowdsec}/type | 0 .../{init-mods-swag-crowdsec => init-mod-swag-crowdsec}/up | 0 .../dependencies.d/init-mod-swag-crowdsec} | 0 .../dependencies.d/init-mod-swag-crowdsec} | 0 .../etc/s6-overlay/s6-rc.d/user/contents.d/init-mod-swag-crowdsec | 0 7 files changed, 0 insertions(+), 0 deletions(-) rename root/etc/s6-overlay/s6-rc.d/{init-mods-swag-crowdsec => init-mod-swag-crowdsec}/dependencies.d/init-mods (100%) rename root/etc/s6-overlay/s6-rc.d/{init-mods-swag-crowdsec => init-mod-swag-crowdsec}/run (100%) rename root/etc/s6-overlay/s6-rc.d/{init-mods-swag-crowdsec => init-mod-swag-crowdsec}/type (100%) rename root/etc/s6-overlay/s6-rc.d/{init-mods-swag-crowdsec => init-mod-swag-crowdsec}/up (100%) rename root/etc/s6-overlay/s6-rc.d/{init-mods-package-install/dependencies.d/init-mods-swag-crowdsec => init-mods-end/dependencies.d/init-mod-swag-crowdsec} (100%) rename root/etc/s6-overlay/s6-rc.d/{user/contents.d/init-mods-swag-crowdsec => init-mods-package-install/dependencies.d/init-mod-swag-crowdsec} (100%) create mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mod-swag-crowdsec diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-swag-crowdsec/dependencies.d/init-mods b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/dependencies.d/init-mods similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-mods-swag-crowdsec/dependencies.d/init-mods rename to root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/dependencies.d/init-mods diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-swag-crowdsec/run b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-mods-swag-crowdsec/run rename to root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run 
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-swag-crowdsec/type b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/type similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-mods-swag-crowdsec/type rename to root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/type diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-swag-crowdsec/up b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/up similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-mods-swag-crowdsec/up rename to root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/up diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/dependencies.d/init-mods-swag-crowdsec b/root/etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/init-mod-swag-crowdsec similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-mods-package-install/dependencies.d/init-mods-swag-crowdsec rename to root/etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/init-mod-swag-crowdsec diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mods-swag-crowdsec b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/dependencies.d/init-mod-swag-crowdsec similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mods-swag-crowdsec rename to root/etc/s6-overlay/s6-rc.d/init-mods-package-install/dependencies.d/init-mod-swag-crowdsec diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mod-swag-crowdsec b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mod-swag-crowdsec new file mode 100644 index 0000000..e69de29 From dc03c94f88fcd659031ce3c9cc804b92976f90d8 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Sun, 21 Aug 2022 20:25:49 +0100 Subject: [PATCH 4/4] Persist user changes to crowdsec conf --- root/etc/cont-init.d/98-crowdsec | 17 +++++++++++------ .../s6-rc.d/init-mod-swag-crowdsec/run | 17 +++++++++++------ 2 files changed, 22 insertions(+), 12 deletions(-) 
diff --git a/root/etc/cont-init.d/98-crowdsec b/root/etc/cont-init.d/98-crowdsec index 45ccda3..17e0083 100644 --- a/root/etc/cont-init.d/98-crowdsec +++ b/root/etc/cont-init.d/98-crowdsec @@ -35,9 +35,18 @@ tar xf \ /tmp/crowdsec.tar.gz -C \ /tmp/crowdsec --strip-components=1 -# Inject API keys into config file mkdir -p "${CONFIG_PATH}" -API_KEY=${CROWDSEC_API_KEY} CROWDSEC_LAPI_URL=${CROWDSEC_LAPI_URL} envsubst < /tmp/crowdsec/lua-mod/config_example.conf > "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" +if [ ! -f "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" ]; then \ + cp /tmp/crowdsec/lua-mod/config_example.conf "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" +fi + +# Inject API keys into config file +sed -i -r "s|API_KEY=.*$|API_KEY=${CROWDSEC_API_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" +sed -i -r "s|API_URL=.*$|API_URL=${CROWDSEC_LAPI_URL}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" + +# Sed in ReCaptcha keys +sed -i -r "s|SECRET_KEY=.*$|SECRET_KEY=${CROWDSEC_SECRET_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" +sed -i -r "s|SITE_KEY=.*$|SITE_KEY=${CROWDSEC_SITE_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" # Change config path sed -i "s|/etc/crowdsec/bouncers/|${CONFIG_PATH}|" /tmp/crowdsec/nginx/crowdsec_nginx.conf @@ -51,10 +60,6 @@ cp -r /tmp/crowdsec/lua-mod/lib/* ${LIB_PATH} cp /tmp/crowdsec/nginx/crowdsec_nginx.conf /etc/nginx/http.d -# Sed in ReCaptcha keys -sed -i -r "s|SECRET_KEY=.*$|SECRET_KEY=${CROWDSEC_SECRET_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" -sed -i -r "s|SITE_KEY=.*$|SITE_KEY=${CROWDSEC_SITE_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" - # Sed in crowdsec include if ! grep -q '[^#]include /etc/nginx/http.d/\*.conf;' '/config/nginx/nginx.conf' && ! grep -q '[^#]include /etc/nginx/conf.d/\*.conf;' '/config/nginx/nginx.conf'; then if grep -q '#include /etc/nginx/http.d/\*.conf;' '/config/nginx/nginx.conf'; then 
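Review bot: The `sed` lines added after the `cp` paste `${CROWDSEC_API_KEY}`, `${CROWDSEC_LAPI_URL}`, `${CROWDSEC_SECRET_KEY}` and `${CROWDSEC_SITE_KEY}` unescaped into the replacement side of `s|…|…|`, so a value containing `|`, `&` or a backslash either breaks the expression or is silently rewritten, leaving the bouncer with a wrong key or LAPI URL. They also run on every start, so an unset `CROWDSEC_SECRET_KEY` or `CROWDSEC_SITE_KEY` blanks a value the user stored in the now-persisted file, which works against the stated aim of the commit. I would escape each value first, e.g. `lapi_url=$(printf '%s' "$CROWDSEC_LAPI_URL" | sed 's/[&|\\]/\\&/g')`, guard the ReCaptcha lines with `[[ -n $CROWDSEC_SECRET_KEY ]] &&`, and anchor the patterns as `^API_KEY=` since the unanchored form would also match inside a comment or a longer key name. The same hunk is applied to `init-mod-swag-crowdsec/run` and needs the same change.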
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run index f88ceba..656415a 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run +++ b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run @@ -35,9 +35,18 @@ tar xf \ /tmp/crowdsec.tar.gz -C \ /tmp/crowdsec --strip-components=1 -# Inject API keys into config file mkdir -p "${CONFIG_PATH}" -API_KEY=${CROWDSEC_API_KEY} CROWDSEC_LAPI_URL=${CROWDSEC_LAPI_URL} envsubst < /tmp/crowdsec/lua-mod/config_example.conf > "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" +if [ ! -f "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" ]; then \ + cp /tmp/crowdsec/lua-mod/config_example.conf "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" +fi + +# Inject API keys into config file +sed -i -r "s|API_KEY=.*$|API_KEY=${CROWDSEC_API_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" +sed -i -r "s|API_URL=.*$|API_URL=${CROWDSEC_LAPI_URL}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" + +# Sed in ReCaptcha keys +sed -i -r "s|SECRET_KEY=.*$|SECRET_KEY=${CROWDSEC_SECRET_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" +sed -i -r "s|SITE_KEY=.*$|SITE_KEY=${CROWDSEC_SITE_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" # Change config path sed -i "s|/etc/crowdsec/bouncers/|${CONFIG_PATH}|" /tmp/crowdsec/nginx/crowdsec_nginx.conf @@ -51,10 +60,6 @@ cp -r /tmp/crowdsec/lua-mod/lib/* ${LIB_PATH} cp /tmp/crowdsec/nginx/crowdsec_nginx.conf /etc/nginx/http.d -# Sed in ReCaptcha keys -sed -i -r "s|SECRET_KEY=.*$|SECRET_KEY=${CROWDSEC_SECRET_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" -sed -i -r "s|SITE_KEY=.*$|SITE_KEY=${CROWDSEC_SITE_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" - # Sed in crowdsec include if ! grep -q '[^#]include /etc/nginx/http.d/\*.conf;' '/config/nginx/nginx.conf' && ! grep -q '[^#]include /etc/nginx/conf.d/\*.conf;' '/config/nginx/nginx.conf'; then if grep -q '#include /etc/nginx/http.d/\*.conf;' '/config/nginx/nginx.conf'; then