Merge pull request #954 from linuxserver/swag-crowdsec-bundle

This commit is contained in:
Adam
2024-09-11 20:27:37 +01:00
committed by GitHub
4 changed files with 78 additions and 39 deletions
+22 -3
View File
@@ -1,12 +1,21 @@
name: Build Image name: Build Image
on: [push, pull_request_target, workflow_dispatch] on:
push:
pull_request_target:
workflow_dispatch:
inputs:
mod_version:
type: string
required: false
env: env:
GITHUB_REPO: "linuxserver/docker-mods" #don't modify GITHUB_REPO: "linuxserver/docker-mods" #don't modify
ENDPOINT: "linuxserver/mods" #don't modify ENDPOINT: "linuxserver/mods" #don't modify
BASEIMAGE: "swag" #replace BASEIMAGE: "swag" #replace
MODNAME: "crowdsec" #replace MODNAME: "crowdsec" #replace
MOD_VERSION: ${{ inputs.mod_version }} #don't modify
MULTI_ARCH: "false" #set to false if not needed
jobs: jobs:
set-vars: set-vars:
@@ -19,15 +28,23 @@ jobs:
echo "ENDPOINT=${{ env.ENDPOINT }}" >> $GITHUB_OUTPUT echo "ENDPOINT=${{ env.ENDPOINT }}" >> $GITHUB_OUTPUT
echo "BASEIMAGE=${{ env.BASEIMAGE }}" >> $GITHUB_OUTPUT echo "BASEIMAGE=${{ env.BASEIMAGE }}" >> $GITHUB_OUTPUT
echo "MODNAME=${{ env.MODNAME }}" >> $GITHUB_OUTPUT echo "MODNAME=${{ env.MODNAME }}" >> $GITHUB_OUTPUT
# **** If the mod needs to be versioned, set the versioning logic below. Otherwise leave as is. **** echo "MULTI_ARCH=${{ env.MULTI_ARCH }}" >> $GITHUB_OUTPUT
MOD_VERSION="" if [[ -z "${{ env.MOD_VERSION }}" ]]; then
# **** If the mod needs to be versioned, set the versioning logic below. Otherwise leave as is. ****
MOD_VERSION=$(curl -sX GET "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" | jq -r '.tag_name')
else
MOD_VERSION=${{ env.MOD_VERSION }}
echo "MOD_VERSION_OVERRIDE=true" >> $GITHUB_OUTPUT
fi
echo "MOD_VERSION=${MOD_VERSION}" >> $GITHUB_OUTPUT echo "MOD_VERSION=${MOD_VERSION}" >> $GITHUB_OUTPUT
outputs: outputs:
GITHUB_REPO: ${{ steps.outputs.outputs.GITHUB_REPO }} GITHUB_REPO: ${{ steps.outputs.outputs.GITHUB_REPO }}
ENDPOINT: ${{ steps.outputs.outputs.ENDPOINT }} ENDPOINT: ${{ steps.outputs.outputs.ENDPOINT }}
BASEIMAGE: ${{ steps.outputs.outputs.BASEIMAGE }} BASEIMAGE: ${{ steps.outputs.outputs.BASEIMAGE }}
MODNAME: ${{ steps.outputs.outputs.MODNAME }} MODNAME: ${{ steps.outputs.outputs.MODNAME }}
MULTI_ARCH: ${{ steps.outputs.outputs.MULTI_ARCH }}
MOD_VERSION: ${{ steps.outputs.outputs.MOD_VERSION }} MOD_VERSION: ${{ steps.outputs.outputs.MOD_VERSION }}
MOD_VERSION_OVERRIDE: ${{ steps.outputs.outputs.MOD_VERSION_OVERRIDE }}
build: build:
uses: linuxserver/github-workflows/.github/workflows/docker-mod-builder.yml@v1 uses: linuxserver/github-workflows/.github/workflows/docker-mod-builder.yml@v1
@@ -42,4 +59,6 @@ jobs:
ENDPOINT: ${{ needs.set-vars.outputs.ENDPOINT }} ENDPOINT: ${{ needs.set-vars.outputs.ENDPOINT }}
BASEIMAGE: ${{ needs.set-vars.outputs.BASEIMAGE }} BASEIMAGE: ${{ needs.set-vars.outputs.BASEIMAGE }}
MODNAME: ${{ needs.set-vars.outputs.MODNAME }} MODNAME: ${{ needs.set-vars.outputs.MODNAME }}
MULTI_ARCH: ${{ needs.set-vars.outputs.MULTI_ARCH }}
MOD_VERSION: ${{ needs.set-vars.outputs.MOD_VERSION }} MOD_VERSION: ${{ needs.set-vars.outputs.MOD_VERSION }}
MOD_VERSION_OVERRIDE: ${{ needs.set-vars.outputs.MOD_VERSION_OVERRIDE }}
+26 -2
View File
@@ -1,8 +1,32 @@
# syntax=docker/dockerfile:1 # syntax=docker/dockerfile:1
FROM ghcr.io/linuxserver/baseimage-alpine:3.20 AS buildstage
ARG MOD_VERSION
RUN \
mkdir -p /root-layer && \
if [ -z "${MOD_VERSION}" ]; then \
MOD_VERSION=$(curl -sX GET "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" \
| jq -r '.tag_name'); \
fi && \
if [ -z ${MOD_VERSION+x} ]; then \
echo "**** Could not fetch current bouncer version from Github ****" \
exit 1; \
fi && \
curl -sLo \
/root-layer/crowdsec-nginx-bouncer.tgz -L \
"https://github.com/crowdsecurity/cs-nginx-bouncer/releases/download/${MOD_VERSION}/crowdsec-nginx-bouncer.tgz" && \
if ! tar -tzf /root-layer/crowdsec-nginx-bouncer.tgz >/dev/null 2>&1; then \
echo "**** Invalid tarball, could not download crowdsec bouncer ****" \
exit 1; \
fi
COPY root/ /root-layer/
FROM scratch FROM scratch
LABEL maintainer="thespad" LABEL maintainer="thespad"
# copy local files # Add files from buildstage
COPY root/ / COPY --from=buildstage /root-layer/ /
+1 -1
View File
@@ -32,7 +32,6 @@ Set the following environment variables on your SWAG container.
| `CROWDSEC_SITE_KEY` | **Optional** | CAPTCHA Site Key | | `CROWDSEC_SITE_KEY` | **Optional** | CAPTCHA Site Key |
| `CROWDSEC_SECRET_KEY` | **Optional** | CAPTCHA Secret Key | | `CROWDSEC_SECRET_KEY` | **Optional** | CAPTCHA Secret Key |
| `CROWDSEC_CAPTCHA_PROVIDER` | **Optional** | CAPTCHA Provider (currently supported providers are `recaptcha`, `hcaptcha`, `turnstile`), requires bouncer v1.0.5 or newer. | | `CROWDSEC_CAPTCHA_PROVIDER` | **Optional** | CAPTCHA Provider (currently supported providers are `recaptcha`, `hcaptcha`, `turnstile`), requires bouncer v1.0.5 or newer. |
| `CROWDSEC_VERSION` | **Optional** | Specify a version of the bouncer to install instead of using the latest release, for example `v1.0.0`. Must be a valid [release tag](https://github.com/crowdsecurity/cs-nginx-bouncer/tags). **Does not support versions older than v1.0.0**. |
| `CROWDSEC_F2B_DISABLE` | **Optional** | Set to `true` to disable swag's built-in fail2ban service if you don't need it | | `CROWDSEC_F2B_DISABLE` | **Optional** | Set to `true` to disable swag's built-in fail2ban service if you don't need it |
| `CROWDSEC_MODE` | **Optional** | Set to `live` (immediate update) or `stream` to update requests every CROWDSEC_UPDATE_FREQUENCY seconds. Defaults to `live` | | `CROWDSEC_MODE` | **Optional** | Set to `live` (immediate update) or `stream` to update requests every CROWDSEC_UPDATE_FREQUENCY seconds. Defaults to `live` |
| `CROWDSEC_UPDATE_FREQUENCY` | **Optional** | Set update frequency for use with `stream` mode. Defaults to `10`. | | `CROWDSEC_UPDATE_FREQUENCY` | **Optional** | Set update frequency for use with `stream` mode. Defaults to `10`. |
@@ -73,6 +72,7 @@ e.g. `resolver 127.0.0.11 valid=30s ipv6=off;`
## Versions ## Versions
* **11.09.24:** - Move versioning to mod tags. Bundle tarball at build time.
* **05.06.24:** - Add lua-resty-string. * **05.06.24:** - Add lua-resty-string.
* **06.02.24:** - Add AppSec support. * **06.02.24:** - Add AppSec support.
* **29.03.23:** - Support multiple captcha providers from upstream. * **29.03.23:** - Support multiple captcha providers from upstream.
@@ -5,10 +5,9 @@ CONFIG_PATH="/config/crowdsec/"
LIB_PATH="/usr/local/lua/crowdsec/" LIB_PATH="/usr/local/lua/crowdsec/"
DATA_PATH="/var/lib/crowdsec/lua/" DATA_PATH="/var/lib/crowdsec/lua/"
if [[ ${DOCKER_MODS_DEBUG_CURL,,} = "true" ]]; then if [[ ! -e "/crowdsec-nginx-bouncer.tgz" ]]; then
CURL_NOISE_LEVEL="-v" # Crowdsec bouncer already configured
else exit 0
CURL_NOISE_LEVEL="--silent"
fi fi
echo "**** Configuring CrowdSec nginx Bouncer ****" echo "**** Configuring CrowdSec nginx Bouncer ****"
@@ -28,29 +27,11 @@ echo "\
lua-sec \ lua-sec \
nginx-mod-http-lua" >> /mod-repo-packages-to-install.list nginx-mod-http-lua" >> /mod-repo-packages-to-install.list
# Download nginx bouncer # Extract nginx bouncer
if [[ -z ${CROWDSEC_VERSION+x} ]]; then \
CROWDSEC_VERSION=$(curl -s "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" | awk '/tag_name/{print $4;exit}' FS='[""]');
fi
if [[ -z ${CROWDSEC_VERSION+x} ]]; then \
echo "**** Could not fetch current bouncer version from Github ****"
exit 1
fi
curl "${CURL_NOISE_LEVEL}" -Lo \
/tmp/crowdsec.tar.gz -L \
"https://github.com/crowdsecurity/cs-nginx-bouncer/releases/download/${CROWDSEC_VERSION}/crowdsec-nginx-bouncer.tgz"
mkdir -p /tmp/crowdsec mkdir -p /tmp/crowdsec
if ! tar -tzf /tmp/crowdsec.tar.gz >/dev/null 2>&1; then
echo "**** Invalid tarball, could not download crowdsec bouncer ****"
exit 1
fi
tar xf \ tar xf \
/tmp/crowdsec.tar.gz -C \ /crowdsec-nginx-bouncer.tgz -C \
/tmp/crowdsec --strip-components=1 /tmp/crowdsec --strip-components=1
mkdir -p "${CONFIG_PATH}" mkdir -p "${CONFIG_PATH}"
@@ -97,20 +78,35 @@ if ! grep -q '[^#]include /etc/nginx/http.d/\*.conf;' '/config/nginx/nginx.conf'
else else
# Warn about missing http.d include # Warn about missing http.d include
echo " echo "
******************************************************************** ┌──────────────────────────────────────────────────────────────────┐
* Warning: Your nginx.conf is missing required settings * Warning: Your nginx.conf is missing required settings
* Please add: * Please add:
* include /etc/nginx/http.d/*.conf; * include /etc/nginx/http.d/*.conf;
* to the http{} block and restart the container. * to the http{} block and restart the container.
* * │ │
* The CrowdSec bouncer will not function until this is done. * The CrowdSec bouncer will not function until this is done.
********************************************************************" └──────────────────────────────────────────────────────────────────┘
"
fi fi
fi fi
# Clean up # Clean up
rm -rf \ rm -rf \
/tmp/crowdsec \ /tmp/crowdsec \
/tmp/crowdsec.tar.gz /crowdsec-nginx-bouncer.tgz
if [[ -n ${CROWDSEC_VERSION} ]]; then
echo "
┌─────────────────────────────────────────────────────────────────────────┐
│ !! ATTENTION !! │
│ │
│ This mod will ignore the │
│ CROWDSEC_VERSION environment variable │
│ │
│ Versioning is now handled by mod tags │
│ See https://hub.docker.com/r/linuxserver/mods/tags?name=swag-crowdsec-v │
│ For a list of all available tags │
└─────────────────────────────────────────────────────────────────────────┘"
fi
echo "**** Successfully configured CrowdSec nginx Bouncer ${CROWDSEC_VERSION} ****" echo "**** Successfully configured CrowdSec nginx Bouncer ${CROWDSEC_VERSION} ****"