Infra-Mirrors/docker-swag
1
0
Fork 0
mirror of https://github.com/linuxserver/docker-swag.git synced 2025-02-25 17:01:13 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #526 from linuxserver/3.21

Browse Source
This commit is contained in:
Adam 2025-01-03 15:54:39 +00:00 committed by GitHub
commit d376c95088
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
15 changed files with 83 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Dockerfile
View File

@ -1,6 +1,6 @@
# syntax=docker/dockerfile:1 # syntax=docker/dockerfile:1
FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.20 FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.21
# set version label # set version label
ARG BUILD_DATE ARG BUILD_DATE
@ -88,7 +88,7 @@ RUN \
pip install -U --no-cache-dir \ pip install -U --no-cache-dir \
pip \ pip \
wheel && \ wheel && \
pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.20/ \ pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.21/ \
certbot==${CERTBOT_VERSION} \ certbot==${CERTBOT_VERSION} \
certbot-dns-acmedns \ certbot-dns-acmedns \
certbot-dns-aliyun \ certbot-dns-aliyun \
@ -150,9 +150,9 @@ RUN \
rm -f /etc/nginx/conf.d/stream.conf && \ rm -f /etc/nginx/conf.d/stream.conf && \
echo "**** correct ip6tables legacy issue ****" && \ echo "**** correct ip6tables legacy issue ****" && \
rm \ rm \
/sbin/ip6tables && \ /usr/sbin/ip6tables && \
ln -s \ ln -s \
/sbin/ip6tables-nft /sbin/ip6tables && \ /usr/sbin/ip6tables-nft /usr/sbin/ip6tables && \
echo "**** remove unnecessary fail2ban filters ****" && \ echo "**** remove unnecessary fail2ban filters ****" && \
rm \ rm \
/etc/fail2ban/jail.d/alpine-ssh.conf && \ /etc/fail2ban/jail.d/alpine-ssh.conf && \

8
Dockerfile.aarch64
View File

@ -1,6 +1,6 @@
# syntax=docker/dockerfile:1 # syntax=docker/dockerfile:1
FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.20 FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.21
# set version label # set version label
ARG BUILD_DATE ARG BUILD_DATE
@ -88,7 +88,7 @@ RUN \
pip install -U --no-cache-dir \ pip install -U --no-cache-dir \
pip \ pip \
wheel && \ wheel && \
pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.20/ \ pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.21/ \
certbot==${CERTBOT_VERSION} \ certbot==${CERTBOT_VERSION} \
certbot-dns-acmedns \ certbot-dns-acmedns \
certbot-dns-aliyun \ certbot-dns-aliyun \
@ -150,9 +150,9 @@ RUN \
rm -f /etc/nginx/conf.d/stream.conf && \ rm -f /etc/nginx/conf.d/stream.conf && \
echo "**** correct ip6tables legacy issue ****" && \ echo "**** correct ip6tables legacy issue ****" && \
rm \ rm \
/sbin/ip6tables && \ /usr/sbin/ip6tables && \
ln -s \ ln -s \
/sbin/ip6tables-nft /sbin/ip6tables && \ /usr/sbin/ip6tables-nft /usr/sbin/ip6tables && \
echo "**** remove unnecessary fail2ban filters ****" && \ echo "**** remove unnecessary fail2ban filters ****" && \
rm \ rm \
/etc/fail2ban/jail.d/alpine-ssh.conf && \ /etc/fail2ban/jail.d/alpine-ssh.conf && \

14
README.md
View File

@ -149,6 +149,15 @@ This will *ask* Google et al not to index and list your site. Be careful with th
Please follow the instructions [on this blog post](https://www.linuxserver.io/blog/2020-08-21-introducing-swag#migrate). Please follow the instructions [on this blog post](https://www.linuxserver.io/blog/2020-08-21-introducing-swag#migrate).
## Read-Only Operation
This image can be run with a read-only container filesystem. For details please [read the docs](https://docs.linuxserver.io/misc/read-only/).
### Caveats
* `/tmp` must be mounted to tmpfs
* fail2ban will not be available
## Usage ## Usage
To help you get started creating a container from this image you can either use docker-compose or the docker cli. To help you get started creating a container from this image you can either use docker-compose or the docker cli.
@ -180,6 +189,7 @@ services:
- ONLY_SUBDOMAINS=false #optional - ONLY_SUBDOMAINS=false #optional
- EXTRA_DOMAINS= #optional - EXTRA_DOMAINS= #optional
- STAGING=false #optional - STAGING=false #optional
- DISABLE_F2B= #optional
volumes: volumes:
- /path/to/swag/config:/config - /path/to/swag/config:/config
ports: ports:
@ -207,6 +217,7 @@ docker run -d \
-e ONLY_SUBDOMAINS=false `#optional` \ -e ONLY_SUBDOMAINS=false `#optional` \
-e EXTRA_DOMAINS= `#optional` \ -e EXTRA_DOMAINS= `#optional` \
-e STAGING=false `#optional` \ -e STAGING=false `#optional` \
-e DISABLE_F2B= `#optional` \
-p 443:443 \ -p 443:443 \
-p 80:80 `#optional` \ -p 80:80 `#optional` \
-v /path/to/swag/config:/config \ -v /path/to/swag/config:/config \
@ -235,7 +246,9 @@ Containers are configured using parameters passed at runtime (such as those abov
| `-e ONLY_SUBDOMAINS=false` | If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true` | | `-e ONLY_SUBDOMAINS=false` | If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true` |
| `-e EXTRA_DOMAINS=` | Additional fully qualified domain names (comma separated, no spaces) ie. `example.net,subdomain.example.net,*.example.org` | | `-e EXTRA_DOMAINS=` | Additional fully qualified domain names (comma separated, no spaces) ie. `example.net,subdomain.example.net,*.example.org` |
| `-e STAGING=false` | Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes. | | `-e STAGING=false` | Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes. |
| `-e DISABLE_F2B=` | Set to `true` to disable the Fail2ban service in the container, if you're already running it elsewhere or using a different IPS. |
| `-v /config` | Persistent config files | | `-v /config` | Persistent config files |
| `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). |
| `--cap-add=NET_ADMIN` | Required for fail2Ban to be able to modify iptables rules. | | `--cap-add=NET_ADMIN` | Required for fail2Ban to be able to modify iptables rules. |
### Portainer notice ### Portainer notice
@ -404,6 +417,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
## Versions ## Versions
* **17.12.24:** - Rebase to Alpine 3.21.
* **21.10.24:** - Fix naming issue with Dynu plugin. If you are using Dynu, please make sure your credentials are set in /config/dns-conf/dynu.ini and your DNSPLUGIN variable is set to dynu (not dynudns). * **21.10.24:** - Fix naming issue with Dynu plugin. If you are using Dynu, please make sure your credentials are set in /config/dns-conf/dynu.ini and your DNSPLUGIN variable is set to dynu (not dynudns).
* **30.08.24:** - Fix zerossl cert revocation. * **30.08.24:** - Fix zerossl cert revocation.
* **24.07.14:** - Rebase to Alpine 3.20. Remove deprecated Google Domains certbot plugin. Existing users should update their nginx confs to avoid http2 deprecation warnings. * **24.07.14:** - Rebase to Alpine 3.20. Remove deprecated Google Domains certbot plugin. Existing users should update their nginx confs to avoid http2 deprecation warnings.

6
readme-vars.yml
View File

@ -37,9 +37,14 @@ opt_param_env_vars:
- {env_var: "ONLY_SUBDOMAINS", env_value: "false", desc: "If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true`"} - {env_var: "ONLY_SUBDOMAINS", env_value: "false", desc: "If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true`"}
- {env_var: "EXTRA_DOMAINS", env_value: "", desc: "Additional fully qualified domain names (comma separated, no spaces) ie. `example.net,subdomain.example.net,*.example.org`"} - {env_var: "EXTRA_DOMAINS", env_value: "", desc: "Additional fully qualified domain names (comma separated, no spaces) ie. `example.net,subdomain.example.net,*.example.org`"}
- {env_var: "STAGING", env_value: "false", desc: "Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes."} - {env_var: "STAGING", env_value: "false", desc: "Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes."}
- {env_var: "DISABLE_F2B", env_value: "", desc: "Set to `true` to disable the Fail2ban service in the container, if you're already running it elsewhere or using a different IPS."}
opt_param_usage_include_ports: true opt_param_usage_include_ports: true
opt_param_ports: opt_param_ports:
- {external_port: "80", internal_port: "80", port_desc: "HTTP port (required for HTTP validation and HTTP -> HTTPS redirect)"} - {external_port: "80", internal_port: "80", port_desc: "HTTP port (required for HTTP validation and HTTP -> HTTPS redirect)"}
readonly_supported: true
readonly_message: |
* `/tmp` must be mounted to tmpfs
* fail2ban will not be available
# application setup block # application setup block
app_setup_block_enabled: true app_setup_block_enabled: true
app_setup_block: | app_setup_block: |
@ -200,6 +205,7 @@ init_diagram: |
"swag:latest" <- Base Images "swag:latest" <- Base Images
# changelog # changelog
changelogs: changelogs:
- {date: "17.12.24:", desc: "Rebase to Alpine 3.21."}
- {date: "21.10.24:", desc: "Fix naming issue with Dynu plugin. If you are using Dynu, please make sure your credentials are set in /config/dns-conf/dynu.ini and your DNSPLUGIN variable is set to dynu (not dynudns)."} - {date: "21.10.24:", desc: "Fix naming issue with Dynu plugin. If you are using Dynu, please make sure your credentials are set in /config/dns-conf/dynu.ini and your DNSPLUGIN variable is set to dynu (not dynudns)."}
- {date: "30.08.24:", desc: "Fix zerossl cert revocation."} - {date: "30.08.24:", desc: "Fix zerossl cert revocation."}
- {date: "24.07.14:", desc: "Rebase to Alpine 3.20. Remove deprecated Google Domains certbot plugin. Existing users should update their nginx confs to avoid http2 deprecation warnings."} - {date: "24.07.14:", desc: "Rebase to Alpine 3.20. Remove deprecated Google Domains certbot plugin. Existing users should update their nginx confs to avoid http2 deprecation warnings."}

2
root/app/le-renew.sh
View File

@ -6,4 +6,4 @@ echo
echo "<------------------------------------------------->" echo "<------------------------------------------------->"
echo "cronjob running on $(date)" echo "cronjob running on $(date)"
echo "Running certbot renew" echo "Running certbot renew"
certbot renew --non-interactive certbot renew --non-interactive --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini

0
root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default Normal file → Executable file
View File

0
root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx Normal file → Executable file
View File

0
root/defaults/etc/letsencrypt/renewal-hooks/pre/10-nginx Normal file → Executable file
View File

4
root/defaults/nginx/site-confs/default.conf.sample
View File

@ -1,4 +1,4 @@
## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample ## Version 2024/12/17 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
# redirect all traffic to https # redirect all traffic to https
server { server {
@ -80,5 +80,3 @@ server {
# enable subdomain method reverse proxy confs # enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf; include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

2
root/etc/crontabs/root
View File

@ -5,4 +5,4 @@
0 3 * * 6 run-parts /etc/periodic/weekly 0 3 * * 6 run-parts /etc/periodic/weekly
0 5 1 * * run-parts /etc/periodic/monthly 0 5 1 * * run-parts /etc/periodic/monthly
8 2 * * * /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1 8 2 * * * /app/le-renew.sh >> /config/log/letsencrypt/renewal.log 2>&1

25
root/etc/s6-overlay/s6-rc.d/init-certbot-config/run
View File

@ -38,12 +38,6 @@ if [[ "${VALIDATION}" = "dns" ]] && ! echo "${CERTBOT_DNS_AUTHENTICATORS}" | gre
sleep infinity sleep infinity
fi fi
# set owner of certbot's CONFIG_DIR, WORK_DIR, and LOGS_DIR to abc
lsiown -R abc:abc \
/etc/letsencrypt \
/var/lib/letsencrypt \
/var/log/letsencrypt
# set_ini_value logic: # set_ini_value logic:
# - if the name is not found in the file, append the name=value to the end of the file # - if the name is not found in the file, append the name=value to the end of the file
# - if the name is found in the file, replace the value # - if the name is found in the file, replace the value
@ -67,7 +61,6 @@ cp -n /defaults/dns-conf/* /config/dns-conf/ 2> >(grep -v 'cp: not replacing')
lsiown -R abc:abc /config/dns-conf lsiown -R abc:abc /config/dns-conf
# copy default renewal hooks # copy default renewal hooks
chmod -R +x /defaults/etc/letsencrypt/renewal-hooks
cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/ 2> >(grep -v 'cp: not replacing') cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/ 2> >(grep -v 'cp: not replacing')
lsiown -R abc:abc /config/etc/letsencrypt/renewal-hooks lsiown -R abc:abc /config/etc/letsencrypt/renewal-hooks
@ -169,14 +162,14 @@ fi
rm -rf /config/keys/letsencrypt rm -rf /config/keys/letsencrypt
if [[ "${ONLY_SUBDOMAINS}" = "true" ]] && [[ ! "${SUBDOMAINS}" = "wildcard" ]]; then if [[ "${ONLY_SUBDOMAINS}" = "true" ]] && [[ ! "${SUBDOMAINS}" = "wildcard" ]]; then
DOMAIN="$(echo "${SUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${URL}" DOMAIN="$(echo "${SUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${URL}"
ln -s ../etc/letsencrypt/live/"${DOMAIN}" /config/keys/letsencrypt ln -s /config/etc/letsencrypt/live/"${DOMAIN}" /config/keys/letsencrypt
else else
ln -s ../etc/letsencrypt/live/"${URL}" /config/keys/letsencrypt ln -s /config/etc/letsencrypt/live/"${URL}" /config/keys/letsencrypt
fi fi
# cleanup unused csr and keys folders # cleanup unused csr and keys folders
rm -rf /etc/letsencrypt/csr rm -rf /config/etc/letsencrypt/csr
rm -rf /etc/letsencrypt/keys rm -rf /config/etc/letsencrypt/keys
# checking for changes in cert variables, revoking certs if necessary # checking for changes in cert variables, revoking certs if necessary
if [[ ! "${URL}" = "${ORIGURL}" ]] || if [[ ! "${URL}" = "${ORIGURL}" ]] ||
@ -197,9 +190,9 @@ if [[ ! "${URL}" = "${ORIGURL}" ]] ||
REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory") REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
fi fi
if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --key-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/privkey.pem --server "${REV_ACMESERVER[@]}" || true certbot revoke --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --key-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/privkey.pem --server "${REV_ACMESERVER[@]}" || true
else else
certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true certbot revoke --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
fi fi
rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal} rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
fi fi
@ -212,9 +205,9 @@ if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "l
echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking." echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory") REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true certbot revoke --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true
else else
certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true certbot revoke --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
fi fi
rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal} rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
fi fi
@ -347,7 +340,7 @@ if [[ ! -f "/config/keys/letsencrypt/fullchain.pem" ]]; then
set_ini_value "eab-hmac-key" "${ZEROSSL_EAB_HMAC_KEY}" /config/etc/letsencrypt/cli.ini set_ini_value "eab-hmac-key" "${ZEROSSL_EAB_HMAC_KEY}" /config/etc/letsencrypt/cli.ini
fi fi
echo "Generating new certificate" echo "Generating new certificate"
certbot certonly --non-interactive --renew-by-default certbot certonly --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --renew-by-default
if [[ ! -d /config/keys/letsencrypt ]]; then if [[ ! -d /config/keys/letsencrypt ]]; then
if [[ "${VALIDATION}" = "dns" ]]; then if [[ "${VALIDATION}" = "dns" ]]; then
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the ${DNSCREDENTIALFILE} file." echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the ${DNSCREDENTIALFILE} file."

56
root/etc/s6-overlay/s6-rc.d/init-fail2ban-config/run
View File

@ -1,38 +1,40 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# shellcheck shell=bash # shellcheck shell=bash
if ! iptables -L &> /dev/null; then if [[ -z ${LSIO_READ_ONLY_FS} ]] && [[ -z ${LSIO_NON_ROOT_USER} ]] && [[ "${DISABLE_F2B,,}" != "true" ]]; then
ln -sf /sbin/xtables-legacy-multi /sbin/iptables if ! iptables -L &> /dev/null; then
ln -sf /sbin/xtables-legacy-multi /sbin/iptables-save ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/iptables
ln -sf /sbin/xtables-legacy-multi /sbin/iptables-restore ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/iptables-save
ln -sf /sbin/xtables-legacy-multi /sbin/ip6tables ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/iptables-restore
ln -sf /sbin/xtables-legacy-multi /sbin/ip6tables-save ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/ip6tables
ln -sf /sbin/xtables-legacy-multi /sbin/ip6tables-restore ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/ip6tables-save
fi ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/ip6tables-restore
fi
# copy/update the fail2ban config defaults to/in /config # copy/update the fail2ban config defaults to/in /config
cp -R /defaults/fail2ban/filter.d /config/fail2ban/ cp -R /defaults/fail2ban/filter.d /config/fail2ban/
cp -R /defaults/fail2ban/action.d /config/fail2ban/ cp -R /defaults/fail2ban/action.d /config/fail2ban/
# if jail.local is missing in /config, copy default # if jail.local is missing in /config, copy default
if [[ ! -f /config/fail2ban/jail.local ]]; then if [[ ! -f /config/fail2ban/jail.local ]]; then
cp /defaults/fail2ban/jail.local /config/fail2ban/jail.local cp /defaults/fail2ban/jail.local /config/fail2ban/jail.local
fi fi
# Replace fail2ban config with user config # Replace fail2ban config with user config
if [[ -d /etc/fail2ban/filter.d ]]; then if [[ -d /etc/fail2ban/filter.d ]]; then
rm -rf /etc/fail2ban/filter.d rm -rf /etc/fail2ban/filter.d
fi fi
if [[ -d /etc/fail2ban/action.d ]]; then if [[ -d /etc/fail2ban/action.d ]]; then
rm -rf /etc/fail2ban/action.d rm -rf /etc/fail2ban/action.d
fi fi
cp -R /config/fail2ban/filter.d /etc/fail2ban/ cp -R /config/fail2ban/filter.d /etc/fail2ban/
cp -R /config/fail2ban/action.d /etc/fail2ban/ cp -R /config/fail2ban/action.d /etc/fail2ban/
cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/ cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/
cp /config/fail2ban/jail.local /etc/fail2ban/jail.local cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
# logfiles needed by fail2ban # logfiles needed by fail2ban
if [[ ! -f /config/log/nginx/error.log ]]; then if [[ ! -f /config/log/nginx/error.log ]]; then
touch /config/log/nginx/error.log touch /config/log/nginx/error.log
fi fi
if [[ ! -f /config/log/nginx/access.log ]]; then if [[ ! -f /config/log/nginx/access.log ]]; then
touch /config/log/nginx/access.log touch /config/log/nginx/access.log
fi
fi fi

1
root/etc/s6-overlay/s6-rc.d/init-permissions-config/run
View File

@ -4,7 +4,6 @@
# permissions # permissions
lsiown -R abc:abc \ lsiown -R abc:abc \
/config /config
chmod -R 0644 /etc/logrotate.d
chmod -R +r /config/log chmod -R +r /config/log
# Workaround for systems with chmod errors # Workaround for systems with chmod errors

6
root/etc/s6-overlay/s6-rc.d/init-swag-folders/run
View File

@ -7,6 +7,6 @@ mkdir -p \
/config/etc/letsencrypt/renewal-hooks \ /config/etc/letsencrypt/renewal-hooks \
/config/log/{fail2ban,letsencrypt,nginx} \ /config/log/{fail2ban,letsencrypt,nginx} \
/config/nginx/proxy-confs \ /config/nginx/proxy-confs \
/run/fail2ban /run/fail2ban \
rm -rf /etc/letsencrypt /tmp/letsencrypt
ln -s /config/etc/letsencrypt /etc/letsencrypt

6
root/etc/s6-overlay/s6-rc.d/svc-fail2ban/run
View File

@ -1,5 +1,9 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# shellcheck shell=bash # shellcheck shell=bash
exec \ if [[ -z ${LSIO_READ_ONLY_FS} ]] && [[ -z ${LSIO_NON_ROOT_USER} ]] && [[ "${DISABLE_F2B,,}" != "true" ]]; then
exec \
fail2ban-client -x -f start fail2ban-client -x -f start
else
sleep infinity
fi