Merge pull request #569 from linuxserver/swag-crowdsec-v3init

thespad · web-flow · commit 3892ce009cfe · 2023-01-28T16:54:03.000Z
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,20 @@
+# This file is globally distributed to all container image projects from
+# https://github.com/linuxserver/docker-jenkins-builder/blob/master/.editorconfig
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+end_of_line = lf
+insert_final_newline = true
+# trim_trailing_whitespace may cause unintended issues and should not be globally set true
+trim_trailing_whitespace = false
+
+[{Dockerfile*,**.yml}]
+indent_style = space
+indent_size = 2
+
+[{**.sh,root/etc/cont-init.d/**,root/etc/services.d/**}]
+indent_style = space
+indent_size = 4
diff --git a/README.md b/README.md
@@ -31,6 +31,8 @@ Set the following environment variables on your SWAG container.
 | `CROWDSEC_SECRET_KEY` | **Optional** | reCAPTCHA v2 Secret Key |
 | `CROWDSEC_VERSION` | **Optional** | Specify a version of the bouncer to install instead of using the latest release, for example `v1.0.0`. Must be a valid [release tag](https://github.com/crowdsecurity/cs-nginx-bouncer/tags). **Does not support versions older than v1.0.0**.
 | `CROWDSEC_F2B_DISABLE` | **Optional** | Set to `true` to disable swag's built-in fail2ban service if you don't need it |
+| `CROWDSEC_MODE` | **Optional** | Set to `live` (immediate update) or `stream` to update requests every CROWDSEC_UPDATE_FREQUENCY seconds. Defaults to `live` |
+| `CROWDSEC_UPDATE_FREQUENCY` | **Optional** | Set update frequency for use with `stream` mode. Defaults to `10`. |
 | | | |
 
 The variables need to remain in place while you are using the mod. If you remove **required** variables the bouncer will be disabled the next time you recreate the container, if you remove **optional** variables the associated features will be disabled the next time you recreate the container.
@@ -40,3 +42,9 @@ The variables need to remain in place while you are using the mod. If you remove
 If you're using the reCAPTCHA capability and you're running in an IPv4-only environment then you need to edit your `/config/nginx/resolver.conf` and add `ipv6=off` to the end of the `resolver` statement otherwise the bouncer will attempt to contact the reCAPTCHA endpoint over IPv6 and fail.
 
 e.g. `resolver  127.0.0.11 valid=30s ipv6=off;`
+
+## Versions
+
+* **28.01.23:** - Support mode selection, handle s6v3 init.
+* **25.08.22:** - Make hybrid mod.
+* **14.03.22:** - Initial Release.
diff --git a/root/etc/cont-init.d/98-crowdsec b/root/etc/cont-init.d/98-crowdsec
@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 CONFIG_PATH="/config/crowdsec/"
 LIB_PATH="/usr/local/lua/crowdsec/"
@@ -21,7 +22,7 @@ apk add -U --upgrade --no-cache \
     nginx-mod-http-lua
 
 # Download nginx bouncer
-if [ -z ${CROWDSEC_VERSION+x} ]; then \
+if [[ -z ${CROWDSEC_VERSION+x} ]]; then \
     CROWDSEC_VERSION=$(curl -sX GET "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" | awk '/tag_name/{print $4;exit}' FS='[""]');
 fi
 
@@ -36,7 +37,7 @@ tar xf \
     /tmp/crowdsec --strip-components=1
 
 mkdir -p "${CONFIG_PATH}"
-if [ ! -f "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" ]; then \
+if [[ ! -f "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" ]]; then \
     cp /tmp/crowdsec/lua-mod/config_example.conf "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
 fi
 
@@ -48,6 +49,10 @@ sed -i -r "s|API_URL=.*$|API_URL=${CROWDSEC_LAPI_URL}|" "${CONFIG_PATH}crowdsec-
 sed -i -r "s|SECRET_KEY=.*$|SECRET_KEY=${CROWDSEC_SECRET_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
 sed -i -r "s|SITE_KEY=.*$|SITE_KEY=${CROWDSEC_SITE_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
 
+# Sed in CROWDSEC_MODE and UPDATE_FREQUENCY, if defined in the env, defaults to live and 10s
+sed -i -r "s|MODE=.*$|MODE=${CROWDSEC_MODE:-live}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
+sed -i -r "s|UPDATE_FREQUENCY=.*$|UPDATE_FREQUENCY=${CROWDSEC_UPDATE_FREQUENCY:-10}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
+
 # Change config path
 sed -i "s|/etc/crowdsec/bouncers/|${CONFIG_PATH}|" /tmp/crowdsec/nginx/crowdsec_nginx.conf
 
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec-f2b/dependencies.d/legacy-services b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec-f2b/dependencies.d/legacy-services
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec-f2b/run b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec-f2b/run
@@ -0,0 +1,8 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+# Disable f2b if requested
+if [[ ${CROWDSEC_F2B_DISABLE,,} == "true" ]]; then
+    echo "**** Disabling fail2ban Service ****"
+    s6-svc -d /run/service/svc-fail2ban
+fi
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec-f2b/type b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec-f2b/type
@@ -0,0 +1 @@
+oneshot
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec-f2b/up b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec-f2b/up
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec-f2b/run
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec/run
@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 CONFIG_PATH="/config/crowdsec/"
 LIB_PATH="/usr/local/lua/crowdsec/"
@@ -21,7 +22,7 @@ echo "\
     nginx-mod-http-lua" >> /mod-repo-packages-to-install.list
 
 # Download nginx bouncer
-if [ -z ${CROWDSEC_VERSION+x} ]; then \
+if [[ -z ${CROWDSEC_VERSION+x} ]]; then \
     CROWDSEC_VERSION=$(curl -sX GET "https://api.github.com/repos/crowdsecurity/cs-nginx-bouncer/releases/latest" | awk '/tag_name/{print $4;exit}' FS='[""]');
 fi
 
@@ -36,7 +37,7 @@ tar xf \
     /tmp/crowdsec --strip-components=1
 
 mkdir -p "${CONFIG_PATH}"
-if [ ! -f "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" ]; then \
+if [[ ! -f "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" ]]; then \
     cp /tmp/crowdsec/lua-mod/config_example.conf "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
 fi
 
@@ -48,6 +49,10 @@ sed -i -r "s|API_URL=.*$|API_URL=${CROWDSEC_LAPI_URL}|" "${CONFIG_PATH}crowdsec-
 sed -i -r "s|SECRET_KEY=.*$|SECRET_KEY=${CROWDSEC_SECRET_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
 sed -i -r "s|SITE_KEY=.*$|SITE_KEY=${CROWDSEC_SITE_KEY}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
 
+# Sed in CROWDSEC_MODE and UPDATE_FREQUENCY, if defined in the env, defaults to live and 10s
+sed -i -r "s|MODE=.*$|MODE=${CROWDSEC_MODE:-live}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
+sed -i -r "s|UPDATE_FREQUENCY=.*$|UPDATE_FREQUENCY=${CROWDSEC_UPDATE_FREQUENCY:-10}|" "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"
+
 # Change config path
 sed -i "s|/etc/crowdsec/bouncers/|${CONFIG_PATH}|" /tmp/crowdsec/nginx/crowdsec_nginx.conf
 
@@ -84,10 +89,4 @@ rm -rf \
     /tmp/crowdsec \
     /tmp/crowdsec.tar.gz
 
-# Disable f2b if requested
-if [[ $CROWDSEC_F2B_DISABLE == "true" ]]; then
-    echo "**** Disabling fail2ban Service ****"
-    touch /etc/services.d/fail2ban/down
-fi
-
 echo "**** Successfully configured CrowdSec nginx Bouncer ${CROWDSEC_VERSION} ****"
diff --git a/root/etc/s6-overlay/s6-rc.d/user2/contents.d/init-mod-swag-crowdsec-f2b b/root/etc/s6-overlay/s6-rc.d/user2/contents.d/init-mod-swag-crowdsec-f2b

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+/etc/s6-overlay/s6-rc.d/init-mod-swag-crowdsec-f2b/run`