├── .dockerignore
├── .editorconfig
├── .gitattributes
├── .github
├── CONTRIBUTING.md
├── FUNDING.yml
├── ISSUE_TEMPLATE
│ ├── config.yml
│ ├── issue.bug.yml
│ └── issue.feature.yml
├── PULL_REQUEST_TEMPLATE.md
└── workflows
│ ├── call_issue_pr_tracker.yml
│ ├── call_issues_cron.yml
│ ├── external_trigger.yml
│ ├── external_trigger_scheduler.yml
│ ├── greetings.yml
│ ├── package_trigger_scheduler.yml
│ └── permissions.yml
├── .gitignore
├── Dockerfile
├── Dockerfile.aarch64
├── Jenkinsfile
├── LICENSE
├── README.md
├── jenkins-vars.yml
├── package_versions.txt
├── readme-vars.yml
└── root
├── app
└── le-renew.sh
├── defaults
├── dns-conf
│ ├── acmedns-registration.json
│ ├── acmedns.ini
│ ├── aliyun.ini
│ ├── azure.ini
│ ├── bunny.ini
│ ├── cloudflare.ini
│ ├── cpanel.ini
│ ├── desec.ini
│ ├── digitalocean.ini
│ ├── directadmin.ini
│ ├── dnsimple.ini
│ ├── dnsmadeeasy.ini
│ ├── dnspod.ini
│ ├── do.ini
│ ├── domeneshop.ini
│ ├── dreamhost.ini
│ ├── duckdns.ini
│ ├── dynu.ini
│ ├── freedns.ini
│ ├── gandi.ini
│ ├── gehirn.ini
│ ├── glesys.ini
│ ├── godaddy.ini
│ ├── google.json
│ ├── he.ini
│ ├── hetzner.ini
│ ├── infomaniak.ini
│ ├── inwx.ini
│ ├── ionos.ini
│ ├── linode.ini
│ ├── loopia.ini
│ ├── luadns.ini
│ ├── namecheap.ini
│ ├── netcup.ini
│ ├── njalla.ini
│ ├── nsone.ini
│ ├── ovh.ini
│ ├── porkbun.ini
│ ├── rfc2136.ini
│ ├── route53.ini
│ ├── sakuracloud.ini
│ ├── standalone.ini
│ ├── transip.ini
│ └── vultr.ini
├── etc
│ └── letsencrypt
│ │ └── renewal-hooks
│ │ ├── deploy
│ │ └── 10-default
│ │ ├── post
│ │ └── 10-nginx
│ │ └── pre
│ │ └── 10-nginx
├── fail2ban
│ ├── fail2ban.local
│ ├── filter.d
│ │ ├── nginx-badbots.conf
│ │ ├── nginx-deny.conf
│ │ └── nginx-unauthorized.conf
│ └── jail.local
├── nginx
│ ├── authelia-location.conf.sample
│ ├── authelia-server.conf.sample
│ ├── authentik-location.conf.sample
│ ├── authentik-server.conf.sample
│ ├── ldap-location.conf.sample
│ ├── ldap-server.conf.sample
│ ├── proxy.conf.sample
│ ├── site-confs
│ │ └── default.conf.sample
│ ├── tinyauth-location.conf.sample
│ └── tinyauth-server.conf.sample
└── www
│ └── index.html
├── donate.txt
├── etc
├── crontabs
│ └── root
├── logrotate.d
│ ├── fail2ban
│ └── lerotate
└── s6-overlay
│ └── s6-rc.d
│ ├── init-certbot-config
│ ├── dependencies.d
│ │ └── init-swag-config
│ ├── run
│ ├── type
│ └── up
│ ├── init-config-end
│ └── dependencies.d
│ │ └── init-outdated-config
│ ├── init-fail2ban-config
│ ├── dependencies.d
│ │ └── init-swag-samples
│ ├── run
│ ├── type
│ └── up
│ ├── init-outdated-config
│ ├── dependencies.d
│ │ └── init-renew
│ ├── run
│ ├── type
│ └── up
│ ├── init-permissions-config
│ ├── dependencies.d
│ │ └── init-certbot-config
│ ├── run
│ ├── type
│ └── up
│ ├── init-renew
│ ├── dependencies.d
│ │ └── init-permissions-config
│ ├── run
│ ├── type
│ └── up
│ ├── init-require-url
│ ├── dependencies.d
│ │ └── init-config
│ ├── run
│ ├── type
│ └── up
│ ├── init-swag-config
│ ├── dependencies.d
│ │ └── init-fail2ban-config
│ ├── run
│ ├── type
│ └── up
│ ├── init-swag-folders
│ ├── dependencies.d
│ │ └── init-require-url
│ ├── run
│ ├── type
│ └── up
│ ├── init-swag-samples
│ ├── dependencies.d
│ │ └── init-swag-folders
│ ├── run
│ ├── type
│ └── up
│ ├── svc-fail2ban
│ ├── dependencies.d
│ │ └── init-services
│ ├── run
│ └── type
│ ├── svc-swag-auto-reload
│ ├── dependencies.d
│ │ └── init-services
│ ├── run
│ └── type
│ └── user
│ └── contents.d
│ ├── init-certbot-config
│ ├── init-fail2ban-config
│ ├── init-outdated-config
│ ├── init-permissions-config
│ ├── init-renew
│ ├── init-require-url
│ ├── init-swag-config
│ ├── init-swag-folders
│ ├── init-swag-samples
│ ├── svc-fail2ban
│ └── svc-swag-auto-reload
└── migrations
└── 02-swag-old-certbot-paths
/.dockerignore:
--------------------------------------------------------------------------------
1 | .git
2 | .gitignore
3 | .github
4 | .gitattributes
5 | READMETEMPLATE.md
6 |
--------------------------------------------------------------------------------
/.editorconfig:
--------------------------------------------------------------------------------
1 | # This file is globally distributed to all container image projects from
2 | # https://github.com/linuxserver/docker-jenkins-builder/blob/master/.editorconfig
3 |
4 | # top-most EditorConfig file
5 | root = true
6 |
7 | # Unix-style newlines with a newline ending every file
8 | [*]
9 | end_of_line = lf
10 | insert_final_newline = true
11 | # trim_trailing_whitespace may cause unintended issues and should not be globally set true
12 | trim_trailing_whitespace = false
13 |
14 | [{Dockerfile*,**.yml}]
15 | indent_style = space
16 | indent_size = 2
17 |
18 | [{**.sh,root/etc/s6-overlay/s6-rc.d/**,root/etc/cont-init.d/**,root/etc/services.d/**}]
19 | indent_style = space
20 | indent_size = 4
21 |
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 |
4 | # Custom for Visual Studio
5 | *.cs diff=csharp
6 |
7 | # Standard to msysgit
8 | *.doc diff=astextplain
9 | *.DOC diff=astextplain
10 | *.docx diff=astextplain
11 | *.DOCX diff=astextplain
12 | *.dot diff=astextplain
13 | *.DOT diff=astextplain
14 | *.pdf diff=astextplain
15 | *.PDF diff=astextplain
16 | *.rtf diff=astextplain
17 | *.RTF diff=astextplain
18 |
--------------------------------------------------------------------------------
/.github/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Contributing to swag
2 |
3 | ## Gotchas
4 |
5 | * While contributing make sure to make all your changes before creating a Pull Request, as our pipeline builds each commit after the PR is open.
6 | * Read, and fill the Pull Request template
7 | * If this is a fix for a typo (in code, documentation, or the README) please file an issue and let us sort it out. We do not need a PR
8 | * If the PR is addressing an existing issue include, closes #\<issue number>, in the body of the PR commit message
9 | * If you want to discuss changes, you can also bring it up in [#dev-talk](https://discordapp.com/channels/354974912613449730/757585807061155840) in our [Discord server](https://linuxserver.io/discord)
10 |
11 | ## Common files
12 |
13 | | File | Use case |
14 | | :----: | --- |
15 | | `Dockerfile` | Dockerfile used to build amd64 images |
16 | | `Dockerfile.aarch64` | Dockerfile used to build 64bit ARM architectures |
17 | | `Dockerfile.armhf` | Dockerfile used to build 32bit ARM architectures |
18 | | `Jenkinsfile` | This file is a product of our builder and should not be edited directly. This is used to build the image |
19 | | `jenkins-vars.yml` | This file is used to generate the `Jenkinsfile` mentioned above, it only affects the build-process |
20 | | `package_versions.txt` | This file is generated as a part of the build-process and should not be edited directly. It lists all the installed packages and their versions |
21 | | `README.md` | This file is a product of our builder and should not be edited directly. This displays the readme for the repository and image registries |
22 | | `readme-vars.yml` | This file is used to generate the `README.md` |
23 |
24 | ## Readme
25 |
26 | If you would like to change our readme, please __**do not**__ directly edit the readme, as it is auto-generated on each commit.
27 | Instead edit the [readme-vars.yml](https://github.com/linuxserver/docker-swag/edit/master/readme-vars.yml).
28 |
29 | These variables are used in a template for our [Jenkins Builder](https://github.com/linuxserver/docker-jenkins-builder) as part of an ansible play.
30 | Most of these variables are also carried over to [docs.linuxserver.io](https://docs.linuxserver.io/images/docker-swag)
31 |
32 | ### Fixing typos or clarify the text in the readme
33 |
34 | There are variables for multiple parts of the readme, the most common ones are:
35 |
36 | | Variable | Description |
37 | | :----: | --- |
38 | | `project_blurb` | This is the short excerpt shown above the project logo. |
39 | | `app_setup_block` | This is the text that shows up under "Application Setup" if enabled |
40 |
41 | ### Parameters
42 |
43 | The compose and run examples are also generated from these variables.
44 |
45 | We have a [reference file](https://github.com/linuxserver/docker-jenkins-builder/blob/master/vars/_container-vars-blank) in our Jenkins Builder.
46 |
47 | These are prefixed with `param_` for required parameters, or `opt_param` for optional parameters, except for `cap_add`.
48 | Remember to enable param, if currently disabled. This differs between parameters, and can be seen in the reference file.
49 |
50 | Devices, environment variables, ports and volumes expects its variables in a certain way.
51 |
52 | ### Devices
53 |
54 | ```yml
55 | param_devices:
56 | - { device_path: "/dev/dri", device_host_path: "/dev/dri", desc: "For hardware transcoding" }
57 | opt_param_devices:
58 | - { device_path: "/dev/dri", device_host_path: "/dev/dri", desc: "For hardware transcoding" }
59 | ```
60 |
61 | ### Environment variables
62 |
63 | ```yml
64 | param_env_vars:
65 | - { env_var: "TZ", env_value: "Europe/London", desc: "Specify a timezone to use EG Europe/London." }
66 | opt_param_env_vars:
67 | - { env_var: "VERSION", env_value: "latest", desc: "Supported values are LATEST, PLEXPASS or a specific version number." }
68 | ```
69 |
70 | ### Ports
71 |
72 | ```yml
73 | param_ports:
74 | - { external_port: "80", internal_port: "80", port_desc: "Application WebUI" }
75 | opt_param_ports:
76 | - { external_port: "80", internal_port: "80", port_desc: "Application WebUI" }
77 | ```
78 |
79 | ### Volumes
80 |
81 | ```yml
82 | param_volumes:
83 | - { vol_path: "/config", vol_host_path: "</path/to/appdata/config>", desc: "Configuration files." }
84 | opt_param_volumes:
85 | - { vol_path: "/config", vol_host_path: "</path/to/appdata/config>", desc: "Configuration files." }
86 | ```
87 |
88 | ### Testing template changes
89 |
90 | After you make any changes to the templates, you can use our [Jenkins Builder](https://github.com/linuxserver/docker-jenkins-builder) to have the files updated from the modified templates. Please use the command found under `Running Locally` [on this page](https://github.com/linuxserver/docker-jenkins-builder/blob/master/README.md) to generate them prior to submitting a PR.
91 |
92 | ## Dockerfiles
93 |
94 | We use multiple Dockerfiles in our repos, this is because sometimes some CPU architectures needs different packages to work.
95 | If you are proposing additional packages to be added, ensure that you added the packages to all the Dockerfiles in alphabetical order.
96 |
97 | ### Testing your changes
98 |
99 | ```bash
100 | git clone https://github.com/linuxserver/docker-swag.git
101 | cd docker-swag
102 | docker build \
103 | --no-cache \
104 | --pull \
105 | -t linuxserver/swag:latest .
106 | ```
107 |
108 | The ARM variants can be built on x86_64 hardware and vice versa using `lscr.io/linuxserver/qemu-static`
109 |
110 | ```bash
111 | docker run --rm --privileged lscr.io/linuxserver/qemu-static --reset
112 | ```
113 |
114 | Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64`.
115 |
116 | ## Update the changelog
117 |
118 | If you are modifying the Dockerfiles or any of the startup scripts in [root](https://github.com/linuxserver/docker-swag/tree/master/root), add an entry to the changelog
119 |
120 | ```yml
121 | changelogs:
122 | - { date: "DD.MM.YY:", desc: "Added some love to templates" }
123 | ```
124 |
--------------------------------------------------------------------------------
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | github: linuxserver
2 | open_collective: linuxserver
3 | custom: ["https://supporters.eff.org/donate/support-work-on-certbot",]
4 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/config.yml:
--------------------------------------------------------------------------------
1 | blank_issues_enabled: false
2 | contact_links:
3 | - name: Discord chat support
4 | url: https://linuxserver.io/discord
5 | about: Realtime support / chat with the community and the team.
6 |
7 | - name: Discourse discussion forum
8 | url: https://discourse.linuxserver.io
9 | about: Post on our community forum.
10 |
11 | - name: Documentation
12 | url: https://docs.linuxserver.io/images/docker-swag
13 | about: Documentation - information about all of our containers.
14 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/issue.bug.yml:
--------------------------------------------------------------------------------
1 | # Based on the issue template
2 | name: Bug report
3 | description: Create a report to help us improve
4 | title: "[BUG] <title>"
5 | labels: [Bug]
6 | body:
7 | - type: checkboxes
8 | attributes:
9 | label: Is there an existing issue for this?
10 | description: Please search to see if an issue already exists for the bug you encountered.
11 | options:
12 | - label: I have searched the existing issues
13 | required: true
14 | - type: textarea
15 | attributes:
16 | label: Current Behavior
17 | description: Tell us what happens instead of the expected behavior.
18 | validations:
19 | required: true
20 | - type: textarea
21 | attributes:
22 | label: Expected Behavior
23 | description: Tell us what should happen.
24 | validations:
25 | required: false
26 | - type: textarea
27 | attributes:
28 | label: Steps To Reproduce
29 | description: Steps to reproduce the behavior.
30 | placeholder: |
31 | 1. In this environment...
32 | 2. With this config...
33 | 3. Run '...'
34 | 4. See error...
35 | validations:
36 | required: true
37 | - type: textarea
38 | attributes:
39 | label: Environment
40 | description: |
41 | examples:
42 | - **OS**: Ubuntu 20.04
43 | - **How docker service was installed**: distro's packagemanager
44 | value: |
45 | - OS:
46 | - How docker service was installed:
47 | render: markdown
48 | validations:
49 | required: false
50 | - type: dropdown
51 | attributes:
52 | label: CPU architecture
53 | options:
54 | - x86-64
55 | - arm64
56 | validations:
57 | required: true
58 | - type: textarea
59 | attributes:
60 | label: Docker creation
61 | description: |
62 | Command used to create docker container
63 | Provide your docker create/run command or compose yaml snippet, or a screenshot of settings if using a gui to create the container
64 | render: bash
65 | validations:
66 | required: true
67 | - type: textarea
68 | attributes:
69 | description: |
70 | Provide a full docker log, output of "docker logs swag"
71 | label: Container logs
72 | placeholder: |
73 | Output of `docker logs swag`
74 | render: bash
75 | validations:
76 | required: true
77 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/issue.feature.yml:
--------------------------------------------------------------------------------
1 | # Based on the issue template
2 | name: Feature request
3 | description: Suggest an idea for this project
4 | title: "[FEAT] <title>"
5 | labels: [enhancement]
6 | body:
7 | - type: checkboxes
8 | attributes:
9 | label: Is this a new feature request?
10 | description: Please search to see if a feature request already exists.
11 | options:
12 | - label: I have searched the existing issues
13 | required: true
14 | - type: textarea
15 | attributes:
16 | label: Wanted change
17 | description: Tell us what you want to happen.
18 | validations:
19 | required: true
20 | - type: textarea
21 | attributes:
22 | label: Reason for change
23 | description: Justify your request, why do you want it, what is the benefit.
24 | validations:
25 | required: true
26 | - type: textarea
27 | attributes:
28 | label: Proposed code change
29 | description: Do you have a potential code change in mind?
30 | validations:
31 | required: false
32 |
--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
1 | <!--- Provide a general summary of your changes in the Title above -->
2 |
3 | [linuxserverurl]: https://linuxserver.io
4 | [][linuxserverurl]
5 |
6 |
7 | <!--- Before submitting a pull request please check the following -->
8 |
9 | <!--- If this is a fix for a typo (in code, documentation, or the README) please file an issue and let us sort it out. We do not need a PR -->
10 | <!--- Ask yourself if this modification is something the whole userbase will benefit from, if this is a specific change for corner case functionality or plugins please look at making a Docker Mod or local script https://blog.linuxserver.io/2019/09/14/customizing-our-containers/ -->
11 | <!--- That if the PR is addressing an existing issue include, closes #<issue number> , in the body of the PR commit message -->
12 | <!--- You have included links to any files / patches etc your PR may be using in the body of the PR commit message -->
13 | <!--- We maintain a changelog of major revisions to the container at the end of readme-vars.yml in the root of this repository, please add your changes there if appropriate -->
14 |
15 |
16 | <!--- Coding guidelines: -->
17 | <!--- 1. Installed packages in the Dockerfiles should be in alphabetical order -->
18 | <!--- 2. Changes to Dockerfile should be replicated in Dockerfile.armhf and Dockerfile.aarch64 if applicable -->
19 | <!--- 3. Indentation style (tabs vs 4 spaces vs 1 space) should match the rest of the document -->
20 | <!--- 4. Readme is auto generated from readme-vars.yml, make your changes there -->
21 |
22 | ------------------------------
23 |
24 | - [ ] I have read the [contributing](https://github.com/linuxserver/docker-swag/blob/master/.github/CONTRIBUTING.md) guideline and understand that I have made the correct modifications
25 |
26 | ------------------------------
27 |
28 | <!--- We welcome all PR’s though this doesn’t guarantee it will be accepted. -->
29 |
30 | ## Description:
31 | <!--- Describe your changes in detail -->
32 |
33 | ## Benefits of this PR and context:
34 | <!--- Please explain why we should accept this PR. If this fixes an outstanding bug, please reference the issue # -->
35 |
36 | ## How Has This Been Tested?
37 | <!--- Please describe in detail how you tested your changes. -->
38 | <!--- Include details of your testing environment, and the tests you ran to -->
39 | <!--- see how your change affects other areas of the code, etc. -->
40 |
41 |
42 | ## Source / References:
43 | <!--- Please include any forum posts/github links relevant to the PR -->
44 |
--------------------------------------------------------------------------------
/.github/workflows/call_issue_pr_tracker.yml:
--------------------------------------------------------------------------------
1 | name: Issue & PR Tracker
2 |
3 | on:
4 | issues:
5 | types: [opened,reopened,labeled,unlabeled,closed]
6 | pull_request_target:
7 | types: [opened,reopened,review_requested,review_request_removed,labeled,unlabeled,closed]
8 | pull_request_review:
9 | types: [submitted,edited,dismissed]
10 |
11 | permissions:
12 | contents: read
13 |
14 | jobs:
15 | manage-project:
16 | permissions:
17 | issues: write
18 | uses: linuxserver/github-workflows/.github/workflows/issue-pr-tracker.yml@v1
19 | secrets: inherit
20 |
--------------------------------------------------------------------------------
/.github/workflows/call_issues_cron.yml:
--------------------------------------------------------------------------------
1 | name: Mark stale issues and pull requests
2 | on:
3 | schedule:
4 | - cron: '35 15 * * *'
5 | workflow_dispatch:
6 |
7 | permissions:
8 | contents: read
9 |
10 | jobs:
11 | stale:
12 | permissions:
13 | issues: write
14 | pull-requests: write
15 | uses: linuxserver/github-workflows/.github/workflows/issues-cron.yml@v1
16 | secrets: inherit
17 |
--------------------------------------------------------------------------------
/.github/workflows/external_trigger.yml:
--------------------------------------------------------------------------------
1 | name: External Trigger Main
2 |
3 | on:
4 | workflow_dispatch:
5 |
6 | permissions:
7 | contents: read
8 |
9 | jobs:
10 | external-trigger-master:
11 | runs-on: ubuntu-latest
12 | steps:
13 | - uses: actions/checkout@v4.1.1
14 |
15 | - name: External Trigger
16 | if: github.ref == 'refs/heads/master'
17 | env:
18 | SKIP_EXTERNAL_TRIGGER: ${{ vars.SKIP_EXTERNAL_TRIGGER }}
19 | run: |
20 | printf "# External trigger for docker-swag\n\n" >> $GITHUB_STEP_SUMMARY
21 | if grep -q "^swag_master_" <<< "${SKIP_EXTERNAL_TRIGGER}"; then
22 | echo "> [!NOTE]" >> $GITHUB_STEP_SUMMARY
23 | echo "> Github organizational variable \`SKIP_EXTERNAL_TRIGGER\` contains \`swag_master_\`; will skip trigger if version matches." >> $GITHUB_STEP_SUMMARY
24 | elif grep -q "^swag_master" <<< "${SKIP_EXTERNAL_TRIGGER}"; then
25 | echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
26 | echo "> Github organizational variable \`SKIP_EXTERNAL_TRIGGER\` contains \`swag_master\`; skipping trigger." >> $GITHUB_STEP_SUMMARY
27 | exit 0
28 | fi
29 | echo "> [!NOTE]" >> $GITHUB_STEP_SUMMARY
30 | echo "> External trigger running off of master branch. To disable this trigger, add \`swag_master\` into the Github organizational variable \`SKIP_EXTERNAL_TRIGGER\`." >> $GITHUB_STEP_SUMMARY
31 | printf "\n## Retrieving external version\n\n" >> $GITHUB_STEP_SUMMARY
32 | EXT_RELEASE=$(curl -sL "https://pypi.python.org/pypi/certbot/json" |jq -r '. | .info.version')
33 | echo "Type is \`pip_version\`" >> $GITHUB_STEP_SUMMARY
34 | if grep -q "^swag_master_${EXT_RELEASE}" <<< "${SKIP_EXTERNAL_TRIGGER}"; then
35 | echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
36 | echo "> Github organizational variable \`SKIP_EXTERNAL_TRIGGER\` matches current external release; skipping trigger." >> $GITHUB_STEP_SUMMARY
37 | exit 0
38 | fi
39 | if [ -z "${EXT_RELEASE}" ] || [ "${EXT_RELEASE}" == "null" ]; then
40 | echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
41 | echo "> Can't retrieve external version, exiting" >> $GITHUB_STEP_SUMMARY
42 | FAILURE_REASON="Can't retrieve external version for swag branch master"
43 | GHA_TRIGGER_URL="https://github.com/linuxserver/docker-swag/actions/runs/${{ github.run_id }}"
44 | curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 16711680,
45 | "description": "**Trigger Failed** \n**Reason:** '"${FAILURE_REASON}"' \n**Trigger URL:** '"${GHA_TRIGGER_URL}"' \n"}],
46 | "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
47 | exit 1
48 | fi
49 | EXT_RELEASE_SANITIZED=$(echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g')
50 | echo "Sanitized external version: \`${EXT_RELEASE_SANITIZED}\`" >> $GITHUB_STEP_SUMMARY
51 | echo "Retrieving last pushed version" >> $GITHUB_STEP_SUMMARY
52 | image="linuxserver/swag"
53 | tag="latest"
54 | token=$(curl -sX GET \
55 | "https://ghcr.io/token?scope=repository%3Alinuxserver%2Fswag%3Apull" \
56 | | jq -r '.token')
57 | multidigest=$(curl -s \
58 | --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
59 | --header "Accept: application/vnd.oci.image.index.v1+json" \
60 | --header "Authorization: Bearer ${token}" \
61 | "https://ghcr.io/v2/${image}/manifests/${tag}")
62 | if jq -e '.layers // empty' <<< "${multidigest}" >/dev/null 2>&1; then
63 | # If there's a layer element it's a single-arch manifest so just get that digest
64 | digest=$(jq -r '.config.digest' <<< "${multidigest}")
65 | else
66 | # Otherwise it's multi-arch or has manifest annotations
67 | if jq -e '.manifests[]?.annotations // empty' <<< "${multidigest}" >/dev/null 2>&1; then
68 | # Check for manifest annotations and delete if found
69 | multidigest=$(jq 'del(.manifests[] | select(.annotations))' <<< "${multidigest}")
70 | fi
71 | if [[ $(jq '.manifests | length' <<< "${multidigest}") -gt 1 ]]; then
72 | # If there's still more than one digest, it's multi-arch
73 | multidigest=$(jq -r ".manifests[] | select(.platform.architecture == \"amd64\").digest?" <<< "${multidigest}")
74 | else
75 | # Otherwise it's single arch
76 | multidigest=$(jq -r ".manifests[].digest?" <<< "${multidigest}")
77 | fi
78 | if digest=$(curl -s \
79 | --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
80 | --header "Accept: application/vnd.oci.image.manifest.v1+json" \
81 | --header "Authorization: Bearer ${token}" \
82 | "https://ghcr.io/v2/${image}/manifests/${multidigest}"); then
83 | digest=$(jq -r '.config.digest' <<< "${digest}");
84 | fi
85 | fi
86 | image_info=$(curl -sL \
87 | --header "Authorization: Bearer ${token}" \
88 | "https://ghcr.io/v2/${image}/blobs/${digest}")
89 | if [[ $(echo $image_info | jq -r '.container_config') == "null" ]]; then
90 | image_info=$(echo $image_info | jq -r '.config')
91 | else
92 | image_info=$(echo $image_info | jq -r '.container_config')
93 | fi
94 | IMAGE_RELEASE=$(echo ${image_info} | jq -r '.Labels.build_version' | awk '{print $3}')
95 | IMAGE_VERSION=$(echo ${IMAGE_RELEASE} | awk -F'-ls' '{print $1}')
96 | if [ -z "${IMAGE_VERSION}" ]; then
97 | echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
98 | echo "Can't retrieve last pushed version, exiting" >> $GITHUB_STEP_SUMMARY
99 | FAILURE_REASON="Can't retrieve last pushed version for swag tag latest"
100 | curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 16711680,
101 | "description": "**Trigger Failed** \n**Reason:** '"${FAILURE_REASON}"' \n"}],
102 | "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
103 | exit 1
104 | fi
105 | echo "Last pushed version: \`${IMAGE_VERSION}\`" >> $GITHUB_STEP_SUMMARY
106 | if [ "${EXT_RELEASE_SANITIZED}" == "${IMAGE_VERSION}" ]; then
107 | echo "Sanitized version \`${EXT_RELEASE_SANITIZED}\` already pushed, exiting" >> $GITHUB_STEP_SUMMARY
108 | exit 0
109 | elif [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then
110 | echo "New version \`${EXT_RELEASE}\` found; but there already seems to be an active build on Jenkins; exiting" >> $GITHUB_STEP_SUMMARY
111 | exit 0
112 | else
113 | if [[ "${artifacts_found}" == "false" ]]; then
114 | echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
115 | echo "> New version detected, but not all artifacts are published yet; skipping trigger" >> $GITHUB_STEP_SUMMARY
116 | FAILURE_REASON="New version ${EXT_RELEASE} for swag tag latest is detected, however not all artifacts are uploaded to upstream release yet. Will try again later."
117 | curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903,
118 | "description": "**Trigger Failed** \n**Reason:** '"${FAILURE_REASON}"' \n"}],
119 | "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
120 | else
121 | printf "\n## Trigger new build\n\n" >> $GITHUB_STEP_SUMMARY
122 | echo "New sanitized version \`${EXT_RELEASE_SANITIZED}\` found; old version was \`${IMAGE_VERSION}\`. Triggering new build" >> $GITHUB_STEP_SUMMARY
123 | if [[ "${artifacts_found}" == "true" ]]; then
124 | echo "All artifacts seem to be uploaded." >> $GITHUB_STEP_SUMMARY
125 | fi
126 | response=$(curl -iX POST \
127 | https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/buildWithParameters?PACKAGE_CHECK=false \
128 | --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|")
129 | echo "Jenkins [job queue url](${response%#39;\r'})" >> $GITHUB_STEP_SUMMARY
130 | echo "Sleeping 10 seconds until job starts" >> $GITHUB_STEP_SUMMARY
131 | sleep 10
132 | buildurl=$(curl -s "${response%#39;\r'}api/json" | jq -r '.executable.url')
133 | buildurl="${buildurl%#39;\r'}"
134 | echo "Jenkins job [build url](${buildurl})" >> $GITHUB_STEP_SUMMARY
135 | echo "Attempting to change the Jenkins job description" >> $GITHUB_STEP_SUMMARY
136 | curl -iX POST \
137 | "${buildurl}submitDescription" \
138 | --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \
139 | --data-urlencode "description=GHA external trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
140 | --data-urlencode "Submit=Submit"
141 | echo "**** Notifying Discord ****"
142 | TRIGGER_REASON="A version change was detected for swag tag latest. Old version:${IMAGE_VERSION} New version:${EXT_RELEASE_SANITIZED}"
143 | curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903,
144 | "description": "**Build Triggered** \n**Reason:** '"${TRIGGER_REASON}"' \n**Build URL:** '"${buildurl}display/redirect"' \n"}],
145 | "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
146 | fi
147 | fi
148 |
--------------------------------------------------------------------------------
/.github/workflows/external_trigger_scheduler.yml:
--------------------------------------------------------------------------------
1 | name: External Trigger Scheduler
2 |
3 | on:
4 | schedule:
5 | - cron: '2 * * * *'
6 | workflow_dispatch:
7 |
8 | permissions:
9 | contents: read
10 |
11 | jobs:
12 | external-trigger-scheduler:
13 | runs-on: ubuntu-latest
14 | steps:
15 | - uses: actions/checkout@v4.1.1
16 | with:
17 | fetch-depth: '0'
18 |
19 | - name: External Trigger Scheduler
20 | run: |
21 | printf "# External trigger scheduler for docker-swag\n\n" >> $GITHUB_STEP_SUMMARY
22 | printf "Found the branches:\n\n%s\n" "$(git for-each-ref --format='- %(refname:lstrip=3)' refs/remotes)" >> $GITHUB_STEP_SUMMARY
23 | for br in $(git for-each-ref --format='%(refname:lstrip=3)' refs/remotes)
24 | do
25 | if [[ "${br}" == "HEAD" ]]; then
26 | printf "\nSkipping %s.\n" ${br} >> $GITHUB_STEP_SUMMARY
27 | continue
28 | fi
29 | printf "\n## Evaluating \`%s\`\n\n" ${br} >> $GITHUB_STEP_SUMMARY
30 | ls_jenkins_vars=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/jenkins-vars.yml)
31 | ls_branch=$(echo "${ls_jenkins_vars}" | yq -r '.ls_branch')
32 | ls_trigger=$(echo "${ls_jenkins_vars}" | yq -r '.external_type')
33 | if [[ "${br}" == "${ls_branch}" ]] && [[ "${ls_trigger}" != "os" ]]; then
34 | echo "Branch appears to be live and trigger is not os; checking workflow." >> $GITHUB_STEP_SUMMARY
35 | if curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/.github/workflows/external_trigger.yml > /dev/null 2>&1; then
36 | echo "Triggering external trigger workflow for branch." >> $GITHUB_STEP_SUMMARY
37 | curl -iX POST \
38 | -H "Authorization: token ${{ secrets.CR_PAT }}" \
39 | -H "Accept: application/vnd.github.v3+json" \
40 | -d "{\"ref\":\"refs/heads/${br}\"}" \
41 | https://api.github.com/repos/linuxserver/docker-swag/actions/workflows/external_trigger.yml/dispatches
42 | else
43 | echo "Skipping branch due to no external trigger workflow present." >> $GITHUB_STEP_SUMMARY
44 | fi
45 | else
46 | echo "Skipping branch due to being detected as dev branch or having no external version." >> $GITHUB_STEP_SUMMARY
47 | fi
48 | done
49 |
--------------------------------------------------------------------------------
/.github/workflows/greetings.yml:
--------------------------------------------------------------------------------
1 | name: Greetings
2 |
3 | on: [pull_request_target, issues]
4 |
5 | permissions:
6 | contents: read
7 |
8 | jobs:
9 | greeting:
10 | permissions:
11 | issues: write
12 | pull-requests: write
13 | runs-on: ubuntu-latest
14 | steps:
15 | - uses: actions/first-interaction@v1
16 | with:
17 | issue-message: 'Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.'
18 | pr-message: 'Thanks for opening this pull request! Be sure to follow the [pull request template](https://github.com/linuxserver/docker-swag/blob/master/.github/PULL_REQUEST_TEMPLATE.md)!'
19 | repo-token: ${{ secrets.GITHUB_TOKEN }}
20 |
--------------------------------------------------------------------------------
/.github/workflows/package_trigger_scheduler.yml:
--------------------------------------------------------------------------------
1 | name: Package Trigger Scheduler
2 |
3 | on:
4 | schedule:
5 | - cron: '1 3 * * 6'
6 | workflow_dispatch:
7 |
8 | permissions:
9 | contents: read
10 |
11 | jobs:
12 | package-trigger-scheduler:
13 | runs-on: ubuntu-latest
14 | steps:
15 | - uses: actions/checkout@v4.1.1
16 | with:
17 | fetch-depth: '0'
18 |
19 | - name: Package Trigger Scheduler
20 | env:
21 | SKIP_PACKAGE_TRIGGER: ${{ vars.SKIP_PACKAGE_TRIGGER }}
22 | run: |
23 | printf "# Package trigger scheduler for docker-swag\n\n" >> $GITHUB_STEP_SUMMARY
24 | printf "Found the branches:\n\n%s\n" "$(git for-each-ref --format='- %(refname:lstrip=3)' refs/remotes)" >> $GITHUB_STEP_SUMMARY
25 | for br in $(git for-each-ref --format='%(refname:lstrip=3)' refs/remotes)
26 | do
27 | if [[ "${br}" == "HEAD" ]]; then
28 | printf "\nSkipping %s.\n" ${br} >> $GITHUB_STEP_SUMMARY
29 | continue
30 | fi
31 | printf "\n## Evaluating \`%s\`\n\n" ${br} >> $GITHUB_STEP_SUMMARY
32 | JENKINS_VARS=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/jenkins-vars.yml)
33 | if ! curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/Jenkinsfile >/dev/null 2>&1; then
34 | echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
35 | echo "> No Jenkinsfile found. Branch is either deprecated or is an early dev branch." >> $GITHUB_STEP_SUMMARY
36 | skipped_branches="${skipped_branches}${br} "
37 | elif [[ "${br}" == $(yq -r '.ls_branch' <<< "${JENKINS_VARS}") ]]; then
38 | echo "Branch appears to be live; checking workflow." >> $GITHUB_STEP_SUMMARY
39 | README_VARS=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/readme-vars.yml)
40 | if [[ $(yq -r '.project_deprecation_status' <<< "${README_VARS}") == "true" ]]; then
41 | echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
42 | echo "> Branch appears to be deprecated; skipping trigger." >> $GITHUB_STEP_SUMMARY
43 | skipped_branches="${skipped_branches}${br} "
44 | elif [[ $(yq -r '.skip_package_check' <<< "${JENKINS_VARS}") == "true" ]]; then
45 | echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
46 | echo "> Skipping branch ${br} due to \`skip_package_check\` being set in \`jenkins-vars.yml\`." >> $GITHUB_STEP_SUMMARY
47 | skipped_branches="${skipped_branches}${br} "
48 | elif grep -q "^swag_${br}" <<< "${SKIP_PACKAGE_TRIGGER}"; then
49 | echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
50 | echo "> Github organizational variable \`SKIP_PACKAGE_TRIGGER\` contains \`swag_${br}\`; skipping trigger." >> $GITHUB_STEP_SUMMARY
51 | skipped_branches="${skipped_branches}${br} "
52 | elif [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/${br}/lastBuild/api/json | jq -r '.building' 2>/dev/null) == "true" ]; then
53 | echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
54 | echo "> There already seems to be an active build on Jenkins; skipping package trigger for ${br}" >> $GITHUB_STEP_SUMMARY
55 | skipped_branches="${skipped_branches}${br} "
56 | else
57 | echo "> [!NOTE]" >> $GITHUB_STEP_SUMMARY
58 | echo "> Triggering package trigger for branch ${br}" >> $GITHUB_STEP_SUMMARY
59 | printf "> To disable, add \`swag_%s\` into the Github organizational variable \`SKIP_PACKAGE_TRIGGER\`.\n\n" "${br}" >> $GITHUB_STEP_SUMMARY
60 | triggered_branches="${triggered_branches}${br} "
61 | response=$(curl -iX POST \
62 | https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/${br}/buildWithParameters?PACKAGE_CHECK=true \
63 | --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|")
64 | if [[ -z "${response}" ]]; then
65 | echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
66 | echo "> Jenkins build could not be triggered. Skipping branch."
67 | continue
68 | fi
69 | echo "Jenkins [job queue url](${response%#39;\r'})" >> $GITHUB_STEP_SUMMARY
70 | echo "Sleeping 10 seconds until job starts" >> $GITHUB_STEP_SUMMARY
71 | sleep 10
72 | buildurl=$(curl -s "${response%#39;\r'}api/json" | jq -r '.executable.url')
73 | buildurl="${buildurl%#39;\r'}"
74 | echo "Jenkins job [build url](${buildurl})" >> $GITHUB_STEP_SUMMARY
75 | echo "Attempting to change the Jenkins job description" >> $GITHUB_STEP_SUMMARY
76 | if ! curl -ifX POST \
77 | "${buildurl}submitDescription" \
78 | --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \
79 | --data-urlencode "description=GHA package trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
80 | --data-urlencode "Submit=Submit"; then
81 | echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
82 | echo "> Unable to change the Jenkins job description."
83 | fi
84 | sleep 20
85 | fi
86 | else
87 | echo "Skipping branch ${br} due to being detected as dev branch." >> $GITHUB_STEP_SUMMARY
88 | fi
89 | done
90 | if [[ -n "${triggered_branches}" ]] || [[ -n "${skipped_branches}" ]]; then
91 | if [[ -n "${triggered_branches}" ]]; then
92 | NOTIFY_BRANCHES="**Triggered:** ${triggered_branches} \n"
93 | NOTIFY_BUILD_URL="**Build URL:** https://ci.linuxserver.io/blue/organizations/jenkins/Docker-Pipeline-Builders%2Fdocker-swag/activity/ \n"
94 | echo "**** Package check build(s) triggered for branch(es): ${triggered_branches} ****"
95 | fi
96 | if [[ -n "${skipped_branches}" ]]; then
97 | NOTIFY_BRANCHES="${NOTIFY_BRANCHES}**Skipped:** ${skipped_branches} \n"
98 | fi
99 | echo "**** Notifying Discord ****"
100 | curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903,
101 | "description": "**Package Check Build(s) for swag** \n'"${NOTIFY_BRANCHES}"''"${NOTIFY_BUILD_URL}"'"}],
102 | "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
103 | fi
104 |
--------------------------------------------------------------------------------
/.github/workflows/permissions.yml:
--------------------------------------------------------------------------------
1 | name: Permission check
2 | on:
3 | pull_request_target:
4 | paths:
5 | - '**/run'
6 | - '**/finish'
7 | - '**/check'
8 | - 'root/migrations/*'
9 |
10 | jobs:
11 | permission_check:
12 | uses: linuxserver/github-workflows/.github/workflows/init-svc-executable-permissions.yml@v1
13 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .idea
2 | .jenkins-external
3 |
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
1 | # syntax=docker/dockerfile:1
2 |
3 | FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.21
4 |
5 | # set version label
6 | ARG BUILD_DATE
7 | ARG VERSION
8 | ARG CERTBOT_VERSION
9 | LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
10 | LABEL maintainer="nemchik"
11 |
12 | # environment settings
13 | ENV DHLEVEL=2048 \
14 | ONLY_SUBDOMAINS=false \
15 | AWS_CONFIG_FILE=/config/dns-conf/route53.ini \
16 | S6_BEHAVIOUR_IF_STAGE2_FAILS=2
17 |
18 | RUN \
19 | echo "**** install build packages ****" && \
20 | apk add --no-cache --virtual=build-dependencies \
21 | build-base \
22 | cargo \
23 | libffi-dev \
24 | libxml2-dev \
25 | libxslt-dev \
26 | openssl-dev \
27 | python3-dev && \
28 | echo "**** install runtime packages ****" && \
29 | apk add --no-cache \
30 | fail2ban \
31 | gnupg \
32 | inotify-tools \
33 | iptables-legacy \
34 | memcached \
35 | nginx-mod-http-brotli \
36 | nginx-mod-http-dav-ext \
37 | nginx-mod-http-echo \
38 | nginx-mod-http-fancyindex \
39 | nginx-mod-http-geoip2 \
40 | nginx-mod-http-headers-more \
41 | nginx-mod-http-image-filter \
42 | nginx-mod-http-perl \
43 | nginx-mod-http-redis2 \
44 | nginx-mod-http-set-misc \
45 | nginx-mod-http-upload-progress \
46 | nginx-mod-http-xslt-filter \
47 | nginx-mod-mail \
48 | nginx-mod-rtmp \
49 | nginx-mod-stream \
50 | nginx-mod-stream-geoip2 \
51 | nginx-vim \
52 | php83-bcmath \
53 | php83-bz2 \
54 | php83-dom \
55 | php83-exif \
56 | php83-ftp \
57 | php83-gd \
58 | php83-gmp \
59 | php83-imap \
60 | php83-intl \
61 | php83-ldap \
62 | php83-mysqli \
63 | php83-mysqlnd \
64 | php83-opcache \
65 | php83-pdo_mysql \
66 | php83-pdo_odbc \
67 | php83-pdo_pgsql \
68 | php83-pdo_sqlite \
69 | php83-pear \
70 | php83-pecl-apcu \
71 | php83-pecl-mcrypt \
72 | php83-pecl-memcached \
73 | php83-pecl-redis \
74 | php83-pgsql \
75 | php83-posix \
76 | php83-soap \
77 | php83-sockets \
78 | php83-sodium \
79 | php83-sqlite3 \
80 | php83-tokenizer \
81 | php83-xmlreader \
82 | php83-xsl \
83 | whois && \
84 | echo "**** install certbot plugins ****" && \
85 | if [ -z ${CERTBOT_VERSION+x} ]; then \
86 | CERTBOT_VERSION=$(curl -sL https://pypi.python.org/pypi/certbot/json |jq -r '. | .info.version'); \
87 | fi && \
88 | python3 -m venv /lsiopy && \
89 | pip install -U --no-cache-dir \
90 | pip \
91 | wheel && \
92 | pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.21/ \
93 | certbot==${CERTBOT_VERSION} \
94 | certbot-dns-acmedns \
95 | certbot-dns-aliyun \
96 | certbot-dns-azure \
97 | certbot-dns-bunny \
98 | certbot-dns-cloudflare \
99 | certbot-dns-cpanel \
100 | certbot-dns-desec \
101 | certbot-dns-digitalocean \
102 | certbot-dns-directadmin \
103 | certbot-dns-dnsimple \
104 | certbot-dns-dnsmadeeasy \
105 | certbot-dns-dnspod \
106 | certbot-dns-do \
107 | certbot-dns-domeneshop \
108 | certbot-dns-dreamhost \
109 | certbot-dns-duckdns \
110 | certbot-dns-dynudns \
111 | certbot-dns-freedns \
112 | certbot-dns-gehirn \
113 | certbot-dns-glesys \
114 | certbot-dns-godaddy \
115 | certbot-dns-google \
116 | certbot-dns-he \
117 | certbot-dns-hetzner \
118 | certbot-dns-infomaniak \
119 | certbot-dns-inwx \
120 | certbot-dns-ionos \
121 | certbot-dns-linode \
122 | certbot-dns-loopia \
123 | certbot-dns-luadns \
124 | certbot-dns-namecheap \
125 | certbot-dns-netcup \
126 | certbot-dns-njalla \
127 | certbot-dns-nsone \
128 | certbot-dns-ovh \
129 | certbot-dns-porkbun \
130 | certbot-dns-rfc2136 \
131 | certbot-dns-route53 \
132 | certbot-dns-sakuracloud \
133 | certbot-dns-standalone \
134 | certbot-dns-transip \
135 | certbot-dns-vultr \
136 | certbot-plugin-gandi \
137 | cryptography \
138 | future \
139 | requests && \
140 | echo "**** enable OCSP stapling from base ****" && \
141 | sed -i \
142 | 's|#ssl_stapling on;|ssl_stapling on;|' \
143 | /defaults/nginx/ssl.conf.sample && \
144 | sed -i \
145 | 's|#ssl_stapling_verify on;|ssl_stapling_verify on;|' \
146 | /defaults/nginx/ssl.conf.sample && \
147 | sed -i \
148 | 's|#ssl_trusted_certificate /config/keys/cert.crt;|ssl_trusted_certificate /config/keys/cert.crt;|' \
149 | /defaults/nginx/ssl.conf.sample && \
150 | echo "**** remove stream.conf ****" && \
151 | rm -f /etc/nginx/conf.d/stream.conf && \
152 | echo "**** correct ip6tables legacy issue ****" && \
153 | rm \
154 | /usr/sbin/ip6tables && \
155 | ln -s \
156 | /usr/sbin/ip6tables-nft /usr/sbin/ip6tables && \
157 | echo "**** remove unnecessary fail2ban filters ****" && \
158 | rm \
159 | /etc/fail2ban/jail.d/alpine-ssh.conf && \
160 | echo "**** copy fail2ban default action and filter to /defaults ****" && \
161 | mkdir -p /defaults/fail2ban && \
162 | mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
163 | mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
164 | echo "**** define allowipv6 to silence warning ****" && \
165 | sed -i 's/#allowipv6 = auto/allowipv6 = auto/g' /etc/fail2ban/fail2ban.conf && \
166 | echo "**** copy proxy confs to /defaults ****" && \
167 | mkdir -p \
168 | /defaults/nginx/proxy-confs && \
169 | curl -o \
170 | /tmp/proxy-confs.tar.gz -L \
171 | "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
172 | tar xf \
173 | /tmp/proxy-confs.tar.gz -C \
174 | /defaults/nginx/proxy-confs --strip-components=1 --exclude=linux*/.editorconfig --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
175 | printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
176 | echo "**** cleanup ****" && \
177 | apk del --purge \
178 | build-dependencies && \
179 | rm -rf \
180 | /tmp/* \
181 | $HOME/.cache \
182 | $HOME/.cargo
183 |
184 | # copy local files
185 | COPY root/ /
186 |
187 | # ports and volumes
188 | EXPOSE 80 443
189 | VOLUME /config
190 |
--------------------------------------------------------------------------------
/Dockerfile.aarch64:
--------------------------------------------------------------------------------
1 | # syntax=docker/dockerfile:1
2 |
3 | FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.21
4 |
5 | # set version label
6 | ARG BUILD_DATE
7 | ARG VERSION
8 | ARG CERTBOT_VERSION
9 | LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
10 | LABEL maintainer="nemchik"
11 |
12 | # environment settings
13 | ENV DHLEVEL=2048 \
14 | ONLY_SUBDOMAINS=false \
15 | AWS_CONFIG_FILE=/config/dns-conf/route53.ini \
16 | S6_BEHAVIOUR_IF_STAGE2_FAILS=2
17 |
18 | RUN \
19 | echo "**** install build packages ****" && \
20 | apk add --no-cache --virtual=build-dependencies \
21 | build-base \
22 | cargo \
23 | libffi-dev \
24 | libxml2-dev \
25 | libxslt-dev \
26 | openssl-dev \
27 | python3-dev && \
28 | echo "**** install runtime packages ****" && \
29 | apk add --no-cache \
30 | fail2ban \
31 | gnupg \
32 | inotify-tools \
33 | iptables-legacy \
34 | memcached \
35 | nginx-mod-http-brotli \
36 | nginx-mod-http-dav-ext \
37 | nginx-mod-http-echo \
38 | nginx-mod-http-fancyindex \
39 | nginx-mod-http-geoip2 \
40 | nginx-mod-http-headers-more \
41 | nginx-mod-http-image-filter \
42 | nginx-mod-http-perl \
43 | nginx-mod-http-redis2 \
44 | nginx-mod-http-set-misc \
45 | nginx-mod-http-upload-progress \
46 | nginx-mod-http-xslt-filter \
47 | nginx-mod-mail \
48 | nginx-mod-rtmp \
49 | nginx-mod-stream \
50 | nginx-mod-stream-geoip2 \
51 | nginx-vim \
52 | php83-bcmath \
53 | php83-bz2 \
54 | php83-dom \
55 | php83-exif \
56 | php83-ftp \
57 | php83-gd \
58 | php83-gmp \
59 | php83-imap \
60 | php83-intl \
61 | php83-ldap \
62 | php83-mysqli \
63 | php83-mysqlnd \
64 | php83-opcache \
65 | php83-pdo_mysql \
66 | php83-pdo_odbc \
67 | php83-pdo_pgsql \
68 | php83-pdo_sqlite \
69 | php83-pear \
70 | php83-pecl-apcu \
71 | php83-pecl-mcrypt \
72 | php83-pecl-memcached \
73 | php83-pecl-redis \
74 | php83-pgsql \
75 | php83-posix \
76 | php83-soap \
77 | php83-sockets \
78 | php83-sodium \
79 | php83-sqlite3 \
80 | php83-tokenizer \
81 | php83-xmlreader \
82 | php83-xsl \
83 | whois && \
84 | echo "**** install certbot plugins ****" && \
85 | if [ -z ${CERTBOT_VERSION+x} ]; then \
86 | CERTBOT_VERSION=$(curl -sL https://pypi.python.org/pypi/certbot/json |jq -r '. | .info.version'); \
87 | fi && \
88 | python3 -m venv /lsiopy && \
89 | pip install -U --no-cache-dir \
90 | pip \
91 | wheel && \
92 | pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.21/ \
93 | certbot==${CERTBOT_VERSION} \
94 | certbot-dns-acmedns \
95 | certbot-dns-aliyun \
96 | certbot-dns-azure \
97 | certbot-dns-bunny \
98 | certbot-dns-cloudflare \
99 | certbot-dns-cpanel \
100 | certbot-dns-desec \
101 | certbot-dns-digitalocean \
102 | certbot-dns-directadmin \
103 | certbot-dns-dnsimple \
104 | certbot-dns-dnsmadeeasy \
105 | certbot-dns-dnspod \
106 | certbot-dns-do \
107 | certbot-dns-domeneshop \
108 | certbot-dns-dreamhost \
109 | certbot-dns-duckdns \
110 | certbot-dns-dynudns \
111 | certbot-dns-freedns \
112 | certbot-dns-gehirn \
113 | certbot-dns-glesys \
114 | certbot-dns-godaddy \
115 | certbot-dns-google \
116 | certbot-dns-he \
117 | certbot-dns-hetzner \
118 | certbot-dns-infomaniak \
119 | certbot-dns-inwx \
120 | certbot-dns-ionos \
121 | certbot-dns-linode \
122 | certbot-dns-loopia \
123 | certbot-dns-luadns \
124 | certbot-dns-namecheap \
125 | certbot-dns-netcup \
126 | certbot-dns-njalla \
127 | certbot-dns-nsone \
128 | certbot-dns-ovh \
129 | certbot-dns-porkbun \
130 | certbot-dns-rfc2136 \
131 | certbot-dns-route53 \
132 | certbot-dns-sakuracloud \
133 | certbot-dns-standalone \
134 | certbot-dns-transip \
135 | certbot-dns-vultr \
136 | certbot-plugin-gandi \
137 | cryptography \
138 | future \
139 | requests && \
140 | echo "**** enable OCSP stapling from base ****" && \
141 | sed -i \
142 | 's|#ssl_stapling on;|ssl_stapling on;|' \
143 | /defaults/nginx/ssl.conf.sample && \
144 | sed -i \
145 | 's|#ssl_stapling_verify on;|ssl_stapling_verify on;|' \
146 | /defaults/nginx/ssl.conf.sample && \
147 | sed -i \
148 | 's|#ssl_trusted_certificate /config/keys/cert.crt;|ssl_trusted_certificate /config/keys/cert.crt;|' \
149 | /defaults/nginx/ssl.conf.sample && \
150 | echo "**** remove stream.conf ****" && \
151 | rm -f /etc/nginx/conf.d/stream.conf && \
152 | echo "**** correct ip6tables legacy issue ****" && \
153 | rm \
154 | /usr/sbin/ip6tables && \
155 | ln -s \
156 | /usr/sbin/ip6tables-nft /usr/sbin/ip6tables && \
157 | echo "**** remove unnecessary fail2ban filters ****" && \
158 | rm \
159 | /etc/fail2ban/jail.d/alpine-ssh.conf && \
160 | echo "**** copy fail2ban default action and filter to /defaults ****" && \
161 | mkdir -p /defaults/fail2ban && \
162 | mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
163 | mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
164 | echo "**** define allowipv6 to silence warning ****" && \
165 | sed -i 's/#allowipv6 = auto/allowipv6 = auto/g' /etc/fail2ban/fail2ban.conf && \
166 | echo "**** copy proxy confs to /defaults ****" && \
167 | mkdir -p \
168 | /defaults/nginx/proxy-confs && \
169 | curl -o \
170 | /tmp/proxy-confs.tar.gz -L \
171 | "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
172 | tar xf \
173 | /tmp/proxy-confs.tar.gz -C \
174 | /defaults/nginx/proxy-confs --strip-components=1 --exclude=linux*/.editorconfig --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
175 | printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
176 | echo "**** cleanup ****" && \
177 | apk del --purge \
178 | build-dependencies && \
179 | rm -rf \
180 | /tmp/* \
181 | $HOME/.cache \
182 | $HOME/.cargo
183 |
184 | # copy local files
185 | COPY root/ /
186 |
187 | # ports and volumes
188 | EXPOSE 80 443
189 | VOLUME /config
190 |
--------------------------------------------------------------------------------
/jenkins-vars.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | # jenkins variables
4 | project_name: docker-swag
5 | external_type: pip_version
6 | release_type: stable
7 | release_tag: latest
8 | ls_branch: master
9 | repo_vars:
10 | - EXT_PIP = 'certbot'
11 | - BUILD_VERSION_ARG = 'CERTBOT_VERSION'
12 | - LS_USER = 'linuxserver'
13 | - LS_REPO = 'docker-swag'
14 | - CONTAINER_NAME = 'swag'
15 | - DOCKERHUB_IMAGE = 'linuxserver/swag'
16 | - DEV_DOCKERHUB_IMAGE = 'lsiodev/swag'
17 | - PR_DOCKERHUB_IMAGE = 'lspipepr/swag'
18 | - DIST_IMAGE = 'alpine'
19 | - MULTIARCH='true'
20 | - CI='false'
21 | - CI_WEB='false'
22 | - CI_PORT='80'
23 | - CI_SSL='false'
24 | - CI_DELAY='30'
25 | - CI_DOCKERENV=''
26 | - CI_AUTH=''
27 | - CI_WEBPATH=''
28 | sponsor_links:
29 | - { name: "Certbot", url: "https://supporters.eff.org/donate/support-work-on-certbot" }
30 |
--------------------------------------------------------------------------------
/package_versions.txt:
--------------------------------------------------------------------------------
1 | NAME VERSION TYPE
2 | Simple Launcher 1.1.0.14 binary (+5 duplicates)
3 | acl-libs 2.3.2-r1 apk
4 | acme 4.1.1 python
5 | alpine-baselayout 3.6.8-r1 apk
6 | alpine-baselayout-data 3.6.8-r1 apk
7 | alpine-keys 2.5-r0 apk
8 | alpine-release 3.21.3-r0 apk
9 | aom-libs 3.11.0-r0 apk
10 | apache2-utils 2.4.62-r0 apk
11 | apk-tools 2.14.6-r3 apk
12 | apr 1.7.5-r0 apk
13 | apr-util 1.6.3-r1 apk
14 | argon2-libs 20190702-r5 apk
15 | attrs 25.3.0 python
16 | autocommand 2.2.2 python
17 | azure-common 1.1.28 python
18 | azure-core 1.35.0 python
19 | azure-identity 1.23.0 python
20 | azure-mgmt-core 1.6.0 python
21 | azure-mgmt-dns 8.2.0 python
22 | backports-tarfile 1.2.0 python
23 | bash 5.2.37-r0 apk
24 | beautifulsoup4 4.13.4 python
25 | boto3 1.39.4 python
26 | botocore 1.39.4 python
27 | brotli-libs 1.1.0-r2 apk
28 | bs4 0.0.2 python
29 | busybox 1.37.0-r12 apk
30 | busybox-binsh 1.37.0-r12 apk
31 | c-ares 1.34.5-r0 apk
32 | c-client 2007f-r15 apk
33 | ca-certificates 20241121-r1 apk
34 | ca-certificates-bundle 20241121-r1 apk
35 | cachetools 5.5.2 python
36 | catatonit 0.2.0-r0 apk
37 | certbot 4.1.1 python
38 | certbot-dns-acmedns 0.1.0 python
39 | certbot-dns-aliyun 2.0.0 python
40 | certbot-dns-azure 1.5.0 python
41 | certbot-dns-bunny 3.0.0 python
42 | certbot-dns-cloudflare 4.1.1 python
43 | certbot-dns-cpanel 0.4.0 python
44 | certbot-dns-desec 1.2.1 python
45 | certbot-dns-digitalocean 4.1.1 python
46 | certbot-dns-directadmin 1.0.15 python
47 | certbot-dns-dnsimple 4.1.1 python
48 | certbot-dns-dnsmadeeasy 4.1.1 python
49 | certbot-dns-dnspod 0.1.0 python
50 | certbot-dns-do 0.31.0 python
51 | certbot-dns-domeneshop 0.2.9 python
52 | certbot-dns-dreamhost 1.0 python
53 | certbot-dns-duckdns 1.6 python
54 | certbot-dns-dynudns 0.0.6 python
55 | certbot-dns-freedns 0.2.0 python
56 | certbot-dns-gehirn 4.1.1 python
57 | certbot-dns-glesys 2.1.0 python
58 | certbot-dns-godaddy 2.8.0 python
59 | certbot-dns-google 4.1.1 python
60 | certbot-dns-he 1.0.0 python
61 | certbot-dns-hetzner 2.0.1 python
62 | certbot-dns-infomaniak 0.2.3 python
63 | certbot-dns-inwx 3.0.3 python
64 | certbot-dns-ionos 2024.11.9 python
65 | certbot-dns-linode 4.1.1 python
66 | certbot-dns-loopia 1.0.1 python
67 | certbot-dns-luadns 4.1.1 python
68 | certbot-dns-namecheap 1.0.0 python
69 | certbot-dns-netcup 1.4.4 python
70 | certbot-dns-njalla 2.0.2 python
71 | certbot-dns-nsone 4.1.1 python
72 | certbot-dns-ovh 4.1.1 python
73 | certbot-dns-porkbun 0.10.1 python
74 | certbot-dns-rfc2136 4.1.1 python
75 | certbot-dns-route53 4.1.1 python
76 | certbot-dns-sakuracloud 4.1.1 python
77 | certbot-dns-standalone 1.2.1 python
78 | certbot-dns-transip 0.5.2 python
79 | certbot-dns-vultr 1.1.0 python
80 | certbot-plugin-gandi 1.5.0 python
81 | certifi 2025.7.9 python
82 | cffi 1.17.1 python
83 | charset-normalizer 3.4.2 python
84 | cli UNKNOWN binary
85 | cli-32 UNKNOWN binary
86 | cli-64 UNKNOWN binary
87 | cli-arm64 UNKNOWN binary
88 | cloudflare 2.19.4 python
89 | composer 2.8.10 binary
90 | configargparse 1.7.1 python
91 | configobj 5.0.9 python
92 | coreutils 9.5-r2 apk
93 | coreutils-env 9.5-r2 apk
94 | coreutils-fmt 9.5-r2 apk
95 | coreutils-sha512sum 9.5-r2 apk
96 | cryptography 45.0.5 python
97 | curl 8.12.1-r1 apk
98 | distro 1.9.0 python
99 | dns-lexicon 3.21.1 python
100 | dnslib 0.9.26 python
101 | dnspython 2.7.0 python
102 | domeneshop 0.4.4 python
103 | fail2ban 1.1.0 python
104 | fail2ban 1.1.0-r2 apk
105 | fail2ban-pyc 1.1.0-r2 apk
106 | filelock 3.18.0 python
107 | findutils 4.10.0-r0 apk
108 | fontconfig 2.15.0-r1 apk
109 | freetype 2.13.3-r0 apk
110 | future 1.0.0 python
111 | gdbm 1.24-r0 apk
112 | git 2.47.3-r0 apk
113 | git-init-template 2.47.3-r0 apk
114 | git-perl 2.47.3-r0 apk
115 | gmp 6.3.0-r2 apk
116 | gnupg 2.4.7-r0 apk
117 | gnupg-dirmngr 2.4.7-r0 apk
118 | gnupg-gpgconf 2.4.7-r0 apk
119 | gnupg-keyboxd 2.4.7-r0 apk
120 | gnupg-utils 2.4.7-r0 apk
121 | gnupg-wks-client 2.4.7-r0 apk
122 | gnutls 3.8.8-r0 apk
123 | google-api-core 2.25.1 python
124 | google-api-python-client 2.176.0 python
125 | google-auth 2.40.3 python
126 | google-auth-httplib2 0.2.0 python
127 | googleapis-common-protos 1.70.0 python
128 | gpg 2.4.7-r0 apk
129 | gpg-agent 2.4.7-r0 apk
130 | gpg-wks-server 2.4.7-r0 apk
131 | gpgsm 2.4.7-r0 apk
132 | gpgv 2.4.7-r0 apk
133 | gui UNKNOWN binary
134 | gui-32 UNKNOWN binary
135 | gui-64 UNKNOWN binary
136 | gui-arm64 UNKNOWN binary
137 | httplib2 0.22.0 python
138 | icu-data-en 74.2-r1 apk
139 | icu-libs 74.2-r1 apk
140 | idna 3.10 python
141 | importlib-metadata 8.0.0 python
142 | inflect 7.3.1 python
143 | inotify-tools 4.23.9.0-r0 apk
144 | inotify-tools-libs 4.23.9.0-r0 apk
145 | inwx-domrobot 3.2.0 python
146 | iptables 1.8.11-r1 apk
147 | iptables-legacy 1.8.11-r1 apk
148 | isodate 0.7.2 python
149 | jaraco-collections 5.1.0 python
150 | jaraco-context 5.3.0 python
151 | jaraco-functools 4.0.1 python
152 | jaraco-text 3.12.1 python
153 | jinja2 3.1.6 python
154 | jmespath 1.0.1 python
155 | josepy 2.1.0 python
156 | jq 1.7.1-r0 apk
157 | jsonlines 4.0.0 python
158 | jsonpickle 4.1.1 python
159 | libassuan 2.5.7-r0 apk
160 | libattr 2.5.2-r2 apk
161 | libavif 1.0.4-r0 apk
162 | libbsd 0.12.2-r0 apk
163 | libbz2 1.0.8-r6 apk
164 | libcrypto3 3.3.4-r0 apk
165 | libcurl 8.12.1-r1 apk
166 | libdav1d 1.5.0-r0 apk
167 | libedit 20240808.3.1-r0 apk
168 | libevent 2.1.12-r7 apk
169 | libexpat 2.7.0-r0 apk
170 | libffi 3.4.7-r0 apk
171 | libgcc 14.2.0-r4 apk
172 | libgcrypt 1.10.3-r1 apk
173 | libgd 2.3.3-r9 apk
174 | libgpg-error 1.51-r0 apk
175 | libice 1.1.1-r6 apk
176 | libidn2 2.3.7-r0 apk
177 | libintl 0.22.5-r0 apk
178 | libip4tc 1.8.11-r1 apk
179 | libip6tc 1.8.11-r1 apk
180 | libjpeg-turbo 3.0.4-r0 apk
181 | libksba 1.6.7-r0 apk
182 | libldap 2.6.8-r0 apk
183 | libmaxminddb-libs 1.9.1-r0 apk
184 | libmcrypt 2.5.8-r10 apk
185 | libmd 1.1.0-r0 apk
186 | libmemcached-libs 1.1.4-r1 apk
187 | libmnl 1.0.5-r2 apk
188 | libncursesw 6.5_p20241006-r3 apk
189 | libnftnl 1.2.8-r0 apk
190 | libpanelw 6.5_p20241006-r3 apk
191 | libpng 1.6.47-r0 apk
192 | libpq 17.5-r0 apk
193 | libproc2 4.0.4-r2 apk
194 | libpsl 0.21.5-r3 apk
195 | libsasl 2.1.28-r8 apk
196 | libseccomp 2.5.5-r1 apk
197 | libsharpyuv 1.4.0-r0 apk
198 | libsm 1.2.4-r4 apk
199 | libsodium 1.0.20-r0 apk
200 | libssl3 3.3.4-r0 apk
201 | libstdc++ 14.2.0-r4 apk
202 | libtasn1 4.20.0-r0 apk
203 | libunistring 1.2-r0 apk
204 | libuuid 2.40.4-r1 apk
205 | libwebp 1.4.0-r0 apk
206 | libx11 1.8.10-r0 apk
207 | libxau 1.0.11-r4 apk
208 | libxcb 1.16.1-r0 apk
209 | libxdmcp 1.1.5-r1 apk
210 | libxext 1.3.6-r2 apk
211 | libxml2 2.13.4-r6 apk
212 | libxpm 3.5.17-r0 apk
213 | libxslt 1.1.42-r2 apk
214 | libxt 1.3.1-r0 apk
215 | libxtables 1.8.11-r1 apk
216 | libzip 1.11.2-r0 apk
217 | linux-pam 1.6.1-r1 apk
218 | logrotate 3.21.0-r1 apk
219 | loopialib 0.2.0 python
220 | lxml 6.0.0 python
221 | lz4-libs 1.10.0-r0 apk
222 | markupsafe 3.0.2 python
223 | memcached 1.6.32-r0 apk
224 | mock 5.2.0 python
225 | more-itertools 10.3.0 python
226 | mpdecimal 4.0.0-r0 apk
227 | msal 1.32.3 python
228 | msal-extensions 1.3.1 python
229 | musl 1.2.5-r9 apk
230 | musl-utils 1.2.5-r9 apk
231 | my-test-package 1.0 python
232 | nano 8.2-r0 apk
233 | ncurses-terminfo-base 6.5_p20241006-r3 apk
234 | netcat-openbsd 1.226.1.1-r0 apk
235 | nettle 3.10-r1 apk
236 | nghttp2-libs 1.64.0-r0 apk
237 | nginx 1.26.3-r0 apk
238 | nginx-mod-devel-kit 1.26.3-r0 apk
239 | nginx-mod-http-brotli 1.26.3-r0 apk
240 | nginx-mod-http-dav-ext 1.26.3-r0 apk
241 | nginx-mod-http-echo 1.26.3-r0 apk
242 | nginx-mod-http-fancyindex 1.26.3-r0 apk
243 | nginx-mod-http-geoip2 1.26.3-r0 apk
244 | nginx-mod-http-headers-more 1.26.3-r0 apk
245 | nginx-mod-http-image-filter 1.26.3-r0 apk
246 | nginx-mod-http-perl 1.26.3-r0 apk
247 | nginx-mod-http-redis2 1.26.3-r0 apk
248 | nginx-mod-http-set-misc 1.26.3-r0 apk
249 | nginx-mod-http-upload-progress 1.26.3-r0 apk
250 | nginx-mod-http-xslt-filter 1.26.3-r0 apk
251 | nginx-mod-mail 1.26.3-r0 apk
252 | nginx-mod-rtmp 1.26.3-r0 apk
253 | nginx-mod-stream 1.26.3-r0 apk
254 | nginx-mod-stream-geoip2 1.26.3-r0 apk
255 | nginx-vim 1.26.3-r0 apk
256 | npth 1.6-r4 apk
257 | oniguruma 6.9.9-r0 apk
258 | openssl 3.3.4-r0 apk
259 | p11-kit 0.25.5-r2 apk
260 | packaging 24.2 python
261 | parsedatetime 2.6 python
262 | pcre 8.45-r3 apk
263 | pcre2 10.43-r0 apk
264 | perl 5.40.1-r1 apk
265 | perl-error 0.17029-r2 apk
266 | perl-git 2.47.3-r0 apk
267 | php83 8.3.19-r0 apk
268 | php83-bcmath 8.3.19-r0 apk
269 | php83-bz2 8.3.19-r0 apk
270 | php83-common 8.3.19-r0 apk
271 | php83-ctype 8.3.19-r0 apk
272 | php83-curl 8.3.19-r0 apk
273 | php83-dom 8.3.19-r0 apk
274 | php83-exif 8.3.19-r0 apk
275 | php83-fileinfo 8.3.19-r0 apk
276 | php83-fpm 8.3.19-r0 apk
277 | php83-ftp 8.3.19-r0 apk
278 | php83-gd 8.3.19-r0 apk
279 | php83-gmp 8.3.19-r0 apk
280 | php83-iconv 8.3.19-r0 apk
281 | php83-imap 8.3.19-r0 apk
282 | php83-intl 8.3.19-r0 apk
283 | php83-ldap 8.3.19-r0 apk
284 | php83-mbstring 8.3.19-r0 apk
285 | php83-mysqli 8.3.19-r0 apk
286 | php83-mysqlnd 8.3.19-r0 apk
287 | php83-opcache 8.3.19-r0 apk
288 | php83-openssl 8.3.19-r0 apk
289 | php83-pdo 8.3.19-r0 apk
290 | php83-pdo_mysql 8.3.19-r0 apk
291 | php83-pdo_odbc 8.3.19-r0 apk
292 | php83-pdo_pgsql 8.3.19-r0 apk
293 | php83-pdo_sqlite 8.3.19-r0 apk
294 | php83-pear 8.3.19-r0 apk
295 | php83-pecl-apcu 5.1.24-r0 apk
296 | php83-pecl-igbinary 3.2.16-r0 apk
297 | php83-pecl-mcrypt 1.0.7-r0 apk
298 | php83-pecl-memcached 3.3.0-r0 apk
299 | php83-pecl-msgpack 3.0.0-r0 apk
300 | php83-pecl-redis 6.2.0-r0 apk
301 | php83-pgsql 8.3.19-r0 apk
302 | php83-phar 8.3.19-r0 apk
303 | php83-posix 8.3.19-r0 apk
304 | php83-session 8.3.19-r0 apk
305 | php83-simplexml 8.3.19-r0 apk
306 | php83-soap 8.3.19-r0 apk
307 | php83-sockets 8.3.19-r0 apk
308 | php83-sodium 8.3.19-r0 apk
309 | php83-sqlite3 8.3.19-r0 apk
310 | php83-tokenizer 8.3.19-r0 apk
311 | php83-xml 8.3.19-r0 apk
312 | php83-xmlreader 8.3.19-r0 apk
313 | php83-xmlwriter 8.3.19-r0 apk
314 | php83-xsl 8.3.19-r0 apk
315 | php83-zip 8.3.19-r0 apk
316 | pinentry 1.3.1-r0 apk
317 | pip 25.1.1 python
318 | pkb-client 2.2.0 python
319 | platformdirs 4.2.2 python
320 | popt 1.19-r4 apk
321 | procps-ng 4.0.4-r2 apk
322 | proto-plus 1.26.1 python
323 | protobuf 6.31.1 python
324 | pyacmedns 0.4 python
325 | pyasn1 0.6.1 python
326 | pyasn1-modules 0.4.2 python
327 | pyc 3.12.11-r0 apk
328 | pycparser 2.22 python
329 | pyjwt 2.10.1 python
330 | pynamecheap 0.0.3 python
331 | pyopenssl 25.1.0 python
332 | pyotp 2.9.0 python
333 | pyparsing 3.2.3 python
334 | pyrfc3339 2.0.1 python
335 | python-dateutil 2.9.0.post0 python
336 | python-digitalocean 1.17.0 python
337 | python-transip 0.6.0 python
338 | python3 3.12.11-r0 apk
339 | python3-pyc 3.12.11-r0 apk
340 | python3-pycache-pyc0 3.12.11-r0 apk
341 | pytz 2025.2 python
342 | pyyaml 6.0.2 python
343 | readline 8.2.13-r0 apk
344 | requests 2.32.4 python
345 | requests-file 2.1.0 python
346 | requests-mock 1.12.1 python
347 | rsa 4.9.1 python
348 | s3transfer 0.13.0 python
349 | scanelf 1.3.8-r1 apk
350 | setuptools 80.9.0 python
351 | shadow 4.16.0-r1 apk
352 | six 1.17.0 python
353 | skalibs-libs 2.14.3.0-r0 apk
354 | soupsieve 2.7 python
355 | sqlite-libs 3.48.0-r2 apk
356 | ssl_client 1.37.0-r12 apk
357 | tiff 4.7.0-r0 apk
358 | tldextract 5.3.0 python
359 | tomli 2.0.1 python
360 | typeguard 4.3.0 python
361 | typing-extensions 4.12.2 python
362 | typing-extensions 4.14.1 python
363 | tzdata 2025b-r0 apk
364 | unixodbc 2.3.12-r0 apk
365 | uritemplate 4.2.0 python
366 | urllib3 2.5.0 python
367 | utmps-libs 0.1.2.3-r2 apk
368 | wheel 0.45.1 python (+1 duplicate)
369 | whois 5.5.23-r0 apk
370 | xz-libs 5.6.3-r1 apk
371 | zipp 3.19.2 python
372 | zlib 1.3.1-r2 apk
373 | zope-interface 7.2 python
374 | zstd-libs 1.5.6-r2 apk
375 |
--------------------------------------------------------------------------------
/readme-vars.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | # project information
4 | project_name: swag
5 | project_url: "https://linuxserver.io"
6 | project_logo: "https://github.com/linuxserver/docker-templates/raw/master/linuxserver.io/img/swag.gif"
7 | project_blurb: "SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention."
8 | project_lsio_github_repo_url: "https://github.com/linuxserver/docker-{{ project_name }}"
9 | project_categories: "Reverse Proxy"
10 | # supported architectures
11 | available_architectures:
12 | - {arch: "{{ arch_x86_64 }}", tag: "amd64-latest"}
13 | - {arch: "{{ arch_arm64 }}", tag: "arm64v8-latest"}
14 | # container parameters
15 | common_param_env_vars_enabled: true
16 | param_container_name: "{{ project_name }}"
17 | param_usage_include_env: true
18 | param_env_vars:
19 | - {env_var: "URL", env_value: "example.com", desc: "Top url you have control over (e.g. `example.com` if you own it, or `customsubdomain.example.com` if dynamic dns)."}
20 | - {env_var: "VALIDATION", env_value: "http", desc: "Certbot validation method to use, options are `http` or `dns` (`dns` method also requires `DNSPLUGIN` variable set).", env_options: ["http", "dns"]}
21 | param_usage_include_vols: true
22 | param_volumes:
23 | - {vol_path: "/config", vol_host_path: "/path/to/{{ project_name }}/config", desc: "Persistent config files"}
24 | param_usage_include_ports: true
25 | param_ports:
26 | - {external_port: "443", internal_port: "443", port_desc: "HTTPS port"}
27 | cap_add_param: true
28 | cap_add_param_vars:
29 | - {cap_add_var: "NET_ADMIN", desc: "Required for fail2Ban to be able to modify iptables rules."}
30 | # optional container parameters
31 | opt_param_usage_include_env: true
32 | opt_param_env_vars:
33 | - {env_var: "SUBDOMAINS", env_value: "www,", desc: "Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this *exactly* to `wildcard` (wildcard cert is available via `dns` validation only)"}
34 | - {env_var: "CERTPROVIDER", env_value: "", desc: "Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt."}
35 | - {env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `bunny`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `dreamhost`, `duckdns`, `dynu`, `freedns`, `gandi`, `gehirn`, `glesys`, `godaddy`, `google`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `namecheap`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`."}
36 | - {env_var: "PROPAGATION", env_value: "", desc: "Optionally override (in seconds) the default propagation time for the dns plugins."}
37 | - {env_var: "EMAIL", env_value: "", desc: "Optional e-mail address used for cert expiration notifications (Required for ZeroSSL)."}
38 | - {env_var: "ONLY_SUBDOMAINS", env_value: "false", desc: "If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true`"}
39 | - {env_var: "EXTRA_DOMAINS", env_value: "", desc: "Additional fully qualified domain names (comma separated, no spaces) ie. `example.net,subdomain.example.net,*.example.org`"}
40 | - {env_var: "STAGING", env_value: "false", desc: "Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes."}
41 | - {env_var: "DISABLE_F2B", env_value: "", desc: "Set to `true` to disable the Fail2ban service in the container, if you're already running it elsewhere or using a different IPS."}
42 | - {env_var: "SWAG_AUTORELOAD", env_value: "", desc: "Set to `true` to enable automatic reloading of confs on change without stopping/restarting nginx. Your filesystem must support inotify. This functionality was previously offered [via mod](https://github.com/linuxserver/docker-mods/tree/swag-auto-reload)."}
43 | - {env_var: "SWAG_AUTORELOAD_WATCHLIST", env_value: "", desc: "A [pipe](https://en.wikipedia.org/wiki/Vertical_bar)-separated list of additional folders for auto reload to watch in addition to `/config/nginx`"}
44 | opt_param_usage_include_ports: true
45 | opt_param_ports:
46 | - {external_port: "80", internal_port: "80", port_desc: "HTTP port (required for HTTP validation and HTTP -> HTTPS redirect)"}
47 | readonly_supported: true
48 | readonly_message: |
49 | * `/tmp` must be mounted to tmpfs
50 | * fail2ban will not be available
51 | # application setup block
52 | app_setup_block_enabled: true
53 | app_setup_block: |
54 | ### Validation and initial setup
55 |
56 | * Before running this container, make sure that the url and subdomains are properly forwarded to this container's host, and that port 443 (and/or 80) is not being used by another service on the host (NAS gui, another webserver, etc.).
57 | * If you need a dynamic dns provider, you can use the free provider duckdns.org where the `URL` will be `yoursubdomain.duckdns.org` and the `SUBDOMAINS` can be `www,ftp,cloud` with http validation, or `wildcard` with dns validation. You can use our [duckdns image](https://hub.docker.com/r/linuxserver/duckdns/) to update your IP on duckdns.org.
58 | * For `http` validation, port 80 on the internet side of the router should be forwarded to this container's port 80
59 | * For `dns` validation, make sure to enter your credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`
60 | * Cloudflare provides free accounts for managing dns and is very easy to use with this image. Make sure that it is set up for "dns only" instead of "dns + proxy"
61 | * Google dns plugin is meant to be used with "Google Cloud DNS", a paid enterprise product, and not for "Google Domains DNS"
62 | * DuckDNS only supports two types of DNS validated certificates (not both at the same time):
63 | 1. Certs that only cover your main subdomain (ie. `yoursubdomain.duckdns.org`, leave the `SUBDOMAINS` variable empty)
64 | 2. Certs that cover sub-subdomains of your main subdomain (ie. `*.yoursubdomain.duckdns.org`, set the `SUBDOMAINS` variable to `wildcard`)
65 | * `--cap-add=NET_ADMIN` is required for fail2ban to modify iptables
66 | * After setup, navigate to `https://example.com` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default.conf`).
67 | * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
68 |
69 | ### Certbot Plugins
70 |
71 | SWAG includes many Certbot plugins out of the box, but not all plugins can be included.
72 | If you need a plugin that is not included, the quickest way to have the plugin available is to use our [Universal Package Install Docker Mod](https://github.com/linuxserver/docker-mods/tree/universal-package-install).
73 |
74 | Set the following environment variables on your container:
75 |
76 | ```yaml
77 | DOCKER_MODS=linuxserver/mods:universal-package-install
78 | INSTALL_PIP_PACKAGES=certbot-dns-<plugin>
79 | ```
80 |
81 | Set the required credentials (usually found in the plugin documentation) in `/config/dns-conf/<plugin>.ini`.
82 | It is recommended to attempt obtaining a certificate with `STAGING=true` first to make sure the plugin is working as expected.
83 |
84 | ### Security and password protection
85 |
86 | * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
87 | * Per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919), the container is shipping [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) as the `dhparams.pem`.
88 | * If you'd like to password protect your sites, you can use htpasswd. Run the following command on your host to generate the htpasswd file `docker exec -it swag htpasswd -c /config/nginx/.htpasswd <username>`
89 | * You can add multiple user:pass to `.htpasswd`. For the first user, use the above command, for others, use the above command without the `-c` flag, as it will force deletion of the existing `.htpasswd` and creation of a new one
90 | * You can also use ldap auth for security and access control. A sample, user configurable ldap.conf is provided, and it requires the separate image [linuxserver/ldap-auth](https://hub.docker.com/r/linuxserver/ldap-auth/) to communicate with an ldap server.
91 |
92 | ### Site config and reverse proxy
93 |
94 | * The default site config resides at `/config/nginx/site-confs/default.conf`. Feel free to modify this file, and you can add other conf files to this directory. However, if you delete the `default` file, a new default will be created on container start.
95 | * Preset reverse proxy config files are added for popular apps. See the `README.md` file under `/config/nginx/proxy_confs` for instructions on how to enable them. The preset confs reside in and get imported from [this repo](https://github.com/linuxserver/reverse-proxy-confs).
96 | * If you wish to hide your site from search engine crawlers, you may find it useful to add this configuration line to your site config, within the server block, above the line where ssl.conf is included
97 | `add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";`
98 | This will *ask* Google et al not to index and list your site. Be careful with this, as you will eventually be de-listed if you leave this line in on a site you wish to be present on search engines
99 | * If you wish to redirect http to https, you must expose port 80
100 |
101 | ### Using certs in other containers
102 |
103 | * This container includes auto-generated pfx and private-fullchain-bundle pem certs that are needed by other apps like Emby and Znc.
104 | * To use these certs in other containers, do either of the following:
105 | 1. *(Easier)* Mount the container's config folder in other containers (ie. `-v /path-to-swag-config:/swag-ssl`) and in the other containers, use the cert location `/swag-ssl/keys/letsencrypt/`
106 | 2. *(More secure)* Mount the SWAG folder `etc` that resides under `/config` in other containers (ie. `-v /path-to-swag-config/etc:/swag-ssl`) and in the other containers, use the cert location `/swag-ssl/letsencrypt/live/<your.domain.url>/` (This is more secure because the first method shares the entire SWAG config folder with other containers, including the www files, whereas the second method only shares the ssl certs)
107 | * These certs include:
108 | 1. `cert.pem`, `chain.pem`, `fullchain.pem` and `privkey.pem`, which are generated by Certbot and used by nginx and various other apps
109 | 2. `privkey.pfx`, a format supported by Microsoft and commonly used by dotnet apps such as Emby Server (no password)
110 | 3. `priv-fullchain-bundle.pem`, a pem cert that bundles the private key and the fullchain, used by apps like ZNC
111 |
112 | ### Using fail2ban
113 |
114 | * This container includes fail2ban set up with 5 jails by default:
115 | 1. nginx-http-auth
116 | 2. nginx-badbots
117 | 3. nginx-botsearch
118 | 4. nginx-deny
119 | 5. nginx-unauthorized
120 | * To enable or disable other jails, modify the file `/config/fail2ban/jail.local`
121 | * To modify filters and actions, instead of editing the `.conf` files, create `.local` files with the same name and edit those because .conf files get overwritten when the actions and filters are updated. `.local` files will append whatever's in the `.conf` files (ie. `nginx-http-auth.conf` --> `nginx-http-auth.local`)
122 | * You can check which jails are active via `docker exec -it swag fail2ban-client status`
123 | * You can check the status of a specific jail via `docker exec -it swag fail2ban-client status <jail name>`
124 | * You can unban an IP via `docker exec -it swag fail2ban-client set <jail name> unbanip <IP>`
125 | * A list of commands for fail2ban-client can be found [here](https://manpages.ubuntu.com/manpages/noble/man1/fail2ban-client.1.html)
126 |
127 | ### Updating configs
128 |
129 | * This container creates a number of configs for nginx, proxy samples, etc.
130 | * Config updates are noted in the changelog but not automatically applied to your files.
131 | * If you have modified a file with noted changes in the changelog:
132 | 1. Keep your existing configs as is (not broken, don't fix)
133 | 2. Review our repository commits and apply the new changes yourself
134 | 3. Delete the modified config file with listed updates, restart the container, reapply your changes
135 | * If you have NOT modified a file with noted changes in the changelog:
136 | 1. Delete the config file with listed updates, restart the container
137 | * Proxy sample updates are not listed in the changelog. See the changes here: [https://github.com/linuxserver/reverse-proxy-confs/commits/master](https://github.com/linuxserver/reverse-proxy-confs/commits/master)
138 | * Proxy sample files WILL be updated, however your renamed (enabled) proxy files will not.
139 | * You can check the new sample and adjust your active config as needed.
140 |
141 | ### Migration from the old `linuxserver/letsencrypt` image
142 |
143 | Please follow the instructions [on this blog post](https://www.linuxserver.io/blog/2020-08-21-introducing-swag#migrate).
144 | # init diagram
145 | init_diagram: |
146 | "swag:latest": {
147 | docker-mods
148 | base {
149 | fix-attr +\nlegacy cont-init
150 | }
151 | docker-mods -> base
152 | legacy-services
153 | custom services
154 | init-services -> legacy-services
155 | init-services -> custom services
156 | custom services -> legacy-services
157 | legacy-services -> ci-service-check
158 | init-migrations -> init-adduser
159 | init-swag-config -> init-certbot-config
160 | init-nginx-end -> init-config
161 | init-os-end -> init-config
162 | init-config -> init-config-end
163 | init-crontab-config -> init-config-end
164 | init-outdated-config -> init-config-end
165 | init-config -> init-crontab-config
166 | init-mods-end -> init-custom-files
167 | init-adduser -> init-device-perms
168 | base -> init-envfile
169 | init-swag-samples -> init-fail2ban-config
170 | init-os-end -> init-folders
171 | init-php -> init-keygen
172 | base -> init-migrations
173 | init-config-end -> init-mods
174 | init-mods-package-install -> init-mods-end
175 | init-mods -> init-mods-package-install
176 | init-samples -> init-nginx
177 | init-version-checks -> init-nginx-end
178 | init-adduser -> init-os-end
179 | init-device-perms -> init-os-end
180 | init-envfile -> init-os-end
181 | init-renew -> init-outdated-config
182 | init-keygen -> init-permissions
183 | init-certbot-config -> init-permissions-config
184 | init-nginx -> init-php
185 | init-permissions-config -> init-renew
186 | init-config -> init-require-url
187 | init-folders -> init-samples
188 | init-custom-files -> init-services
189 | init-fail2ban-config -> init-swag-config
190 | init-require-url -> init-swag-folders
191 | init-swag-folders -> init-swag-samples
192 | init-permissions -> init-version-checks
193 | init-services -> svc-cron
194 | svc-cron -> legacy-services
195 | init-services -> svc-fail2ban
196 | svc-fail2ban -> legacy-services
197 | init-services -> svc-nginx
198 | svc-nginx -> legacy-services
199 | init-services -> svc-php-fpm
200 | svc-php-fpm -> legacy-services
201 | init-services -> svc-swag-auto-reload
202 | svc-swag-auto-reload -> legacy-services
203 | }
204 | Base Images: {
205 | "baseimage-alpine-nginx:3.21" <- "baseimage-alpine:3.21"
206 | }
207 | "swag:latest" <- Base Images
208 | # changelog
209 | changelogs:
210 | - {date: "05.05.25:", desc: "Disable Certbot's built in log rotation."}
211 | - {date: "19.01.25:", desc: "Add [Auto Reload](https://github.com/linuxserver/docker-mods/tree/swag-auto-reload) functionality to SWAG."}
212 | - {date: "17.12.24:", desc: "Rebase to Alpine 3.21."}
213 | - {date: "21.10.24:", desc: "Fix naming issue with Dynu plugin. If you are using Dynu, please make sure your credentials are set in /config/dns-conf/dynu.ini and your DNSPLUGIN variable is set to dynu (not dynudns)."}
214 | - {date: "30.08.24:", desc: "Fix zerossl cert revocation."}
215 | - {date: "24.07.14:", desc: "Rebase to Alpine 3.20. Remove deprecated Google Domains certbot plugin. Existing users should update their nginx confs to avoid http2 deprecation warnings."}
216 | - {date: "01.07.24:", desc: "Fall back to iptables-legacy if iptables doesn't work."}
217 | - {date: "23.03.24:", desc: "Fix perms on the generated `priv-fullchain-bundle.pem`."}
218 | - {date: "14.03.24:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-location.conf, authelia-server.conf - Update Authelia conf samples with support for 4.38."}
219 | - {date: "11.03.24:", desc: "Restore support for DynuDNS using `certbot-dns-dynudns`."}
220 | - {date: "06.03.24:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) site-confs/default.conf - Cleanup default site conf."}
221 | - {date: "04.03.24:", desc: "Remove `stream.conf` inside the container to allow users to include their own block in `nginx.conf`."}
222 | - {date: "23.01.24:", desc: "Rebase to Alpine 3.19 with php 8.3, add root periodic crontabs for logrotate."}
223 | - {date: "01.01.24:", desc: "Add GleSYS DNS plugin."}
224 | - {date: "11.12.23:", desc: "Deprecate certbot-dns-dynu to resolve dependency conflicts with other plugins."}
225 | - {date: "30.11.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) site-confs/default.conf - Fix index.php being downloaded on 404."}
226 | - {date: "23.11.23:", desc: "Run certbot as root to allow fix http validation."}
227 | - {date: "01.10.23:", desc: "Fix \"unrecognized arguments\" issue in DirectAdmin DNS plugin."}
228 | - {date: "28.08.23:", desc: "Add Namecheap DNS plugin."}
229 | - {date: "12.08.23:", desc: "Add FreeDNS plugin. Detect certbot DNS authenticators using CLI."}
230 | - {date: "07.08.23:", desc: "Add Bunny DNS Configuration."}
231 | - {date: "27.07.23:", desc: "Added support for dreamhost validation."}
232 | - {date: "25.05.23:", desc: "Rebase to Alpine 3.18, deprecate armhf."}
233 | - {date: "27.04.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-location.conf, authelia-server.conf, authentik-location.conf, authentik-server.conf - Simplify auth configs and fix Set-Cookie header bug."}
234 | - {date: "13.04.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, authelia-location.conf, authentik-location.conf, and site-confs/default.conf - Move ssl.conf include to default.conf. Remove Authorization headers in authelia. Sort proxy_set_header in authelia and authentik."}
235 | - {date: "25.03.23:", desc: "Fix renewal post hook."}
236 | - {date: "10.03.23:", desc: "Cleanup unused csr and keys folders. See [certbot 2.3.0 release notes](https://github.com/certbot/certbot/releases/tag/v2.3.0)."}
237 | - {date: "09.03.23:", desc: "Add Google Domains DNS support, `google-domains`."}
238 | - {date: "02.03.23:", desc: "Set permissions on crontabs during init."}
239 | - {date: "09.02.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf, authelia-location.conf and authelia-server.conf - Add Authentik configs, update Authelia configs."}
240 | - {date: "06.02.23:", desc: "Add porkbun support back in."}
241 | - {date: "21.01.23:", desc: "Unpin certbot version (allow certbot 2.x). !!BREAKING CHANGE!! We are temporarily removing the certbot porkbun plugin until a new version is released that is compatible with certbot 2.x."}
242 | - {date: "20.01.23:", desc: "Rebase to alpine 3.17 with php8.1."}
243 | - {date: "16.01.23:", desc: "Remove nchan module because it keeps causing crashes."}
244 | - {date: "08.12.22:", desc: "Revamp certbot init."}
245 | - {date: "03.12.22:", desc: "Remove defunct cloudxns plugin."}
246 | - {date: "22.11.22:", desc: "Pin acme to the same version as certbot."}
247 | - {date: "22.11.22:", desc: "Pin certbot to 1.32.0 until plugin compatibility improves."}
248 | - {date: "05.11.22:", desc: "Update acmedns plugin handling."}
249 | - {date: "06.10.22:", desc: "Switch to certbot-dns-duckdns. Update cpanel and gandi dns plugin handling. Minor adjustments to init logic."}
250 | - {date: "05.10.22:", desc: "Use certbot file hooks instead of command line hooks"}
251 | - {date: "04.10.22:", desc: "Add godaddy and porkbun dns plugins."}
252 | - {date: "03.10.22:", desc: "Add default_server back to default site conf's https listen."}
253 | - {date: "22.09.22:", desc: "Added support for DO DNS validation."}
254 | - {date: "22.09.22:", desc: "Added certbot-dns-acmedns for DNS01 validation."}
255 | - {date: "20.08.22:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf - Rebasing to alpine 3.15 with php8. Restructure nginx configs ([see changes announcement](https://info.linuxserver.io/issues/2022-08-20-nginx-base))."}
256 | - {date: "10.08.22:", desc: "Added support for Dynu DNS validation."}
257 | - {date: "18.05.22:", desc: "Added support for Azure DNS validation."}
258 | - {date: "09.04.22:", desc: "Added certbot-dns-loopia for DNS01 validation."}
259 | - {date: "05.04.22:", desc: "Added support for standalone DNS validation."}
260 | - {date: "28.03.22:", desc: "created a logfile for fail2ban nginx-unauthorized in /etc/cont-init.d/50-config"}
261 | - {date: "09.01.22:", desc: "Added a fail2ban jail for nginx unauthorized"}
262 | - {date: "21.12.21:", desc: "Fixed issue with iptables not working as expected"}
263 | - {date: "30.11.21:", desc: "Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind)"}
264 | - {date: "22.11.21:", desc: "Added support for Infomaniak DNS for certificate generation."}
265 | - {date: "20.11.21:", desc: "Added support for dnspod validation."}
266 | - {date: "15.11.21:", desc: "Added support for deSEC DNS for wildcard certificate generation."}
267 | - {date: "26.10.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf - Mitigate <https://httpoxy.org/> vulnerabilities. Ref: <https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx#Defeating-the-Attack-using-NGINX-and-NGINX-Plus>"}
268 | - {date: "23.10.21:", desc: "Fix Hurricane Electric (HE) DNS validation."}
269 | - {date: "12.10.21:", desc: "Fix deprecated LE root cert check to fix failures when using `STAGING=true`, and failures in revoking."}
270 | - {date: "06.10.21:", desc: "Added support for Hurricane Electric (HE) DNS validation. Added lxml build deps."}
271 | - {date: "01.10.21:", desc: "Check if the cert uses the old LE root cert, revoke and regenerate if necessary. [Here's more info](https://twitter.com/letsencrypt/status/1443621997288767491) on LE root cert expiration"}
272 | - {date: "19.09.21:", desc: "Add an optional header to opt out of Google FLoC in `ssl.conf`."}
273 | - {date: "17.09.21:", desc: "Mark `SUBDOMAINS` var as optional."}
274 | - {date: "01.08.21:", desc: "Add support for ionos dns validation."}
275 | - {date: "15.07.21:", desc: "Fix libmaxminddb issue due to upstream change."}
276 | - {date: "07.07.21:", desc: "Rebase to alpine 3.14."}
277 | - {date: "24.06.21:", desc: "Update default nginx conf folder."}
278 | - {date: "28.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf - Use `resolver.conf` and patch for `CVE-2021-32637`."}
279 | - {date: "20.05.21:", desc: "Modify resolver.conf generation to detect and ignore ipv6."}
280 | - {date: "14.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later."}
281 | - {date: "21.04.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method."}
282 | - {date: "12.04.21:", desc: "Add php7-gmp and php7-pecl-mailparse."}
283 | - {date: "12.04.21:", desc: "Add support for vultr dns validation."}
284 | - {date: "14.03.21:", desc: "Add support for directadmin dns validation."}
285 | - {date: "12.02.21:", desc: "Clean up rust/cargo cache, which ballooned the image size in the last couple of builds."}
286 | - {date: "10.02.21:", desc: "Fix aliyun, domeneshop, inwx and transip dns confs for existing users."}
287 | - {date: "09.02.21:", desc: "Rebasing to alpine 3.13. Add nginx mods brotli and dav-ext. Remove nginx mods lua and lua-upstream (due to regression over the last couple of years)."}
288 | - {date: "26.01.21:", desc: "Add support for hetzner dns validation."}
289 | - {date: "20.01.21:", desc: "Add check for ZeroSSL EAB retrieval."}
290 | - {date: "08.01.21:", desc: "Add support for getting certs from [ZeroSSL](https://zerossl.com/) via optional `CERTPROVIDER` env var. Update aliyun, domeneshop, inwx and transip dns plugins with the new plugin names. Hide `donoteditthisfile.conf` because users were editing it despite its name. Suppress harmless error when no proxy confs are enabled."}
291 | - {date: "03.01.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) /config/nginx/site-confs/default.conf - Add helper pages to aid troubleshooting"}
292 | - {date: "10.12.20:", desc: "Add support for njalla dns validation"}
293 | - {date: "09.12.20:", desc: "Check for template/conf updates and notify in the log. Add support for gehirn and sakuracloud dns validation."}
294 | - {date: "01.11.20:", desc: "Add support for netcup dns validation"}
295 | - {date: "29.10.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) ssl.conf - Add frame-ancestors to Content-Security-Policy."}
296 | - {date: "04.10.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, proxy.conf, and ssl.conf - Minor cleanups and reordering."}
297 | - {date: "20.09.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf - Added geoip2 configs. Added MAXMINDDB_LICENSE_KEY variable to readme."}
298 | - {date: "08.09.20:", desc: "Add php7-xsl."}
299 | - {date: "01.09.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, proxy.conf, and various proxy samples - Global websockets across all configs."}
300 | - {date: "03.08.20:", desc: "Initial release."}
301 |
--------------------------------------------------------------------------------
/root/app/le-renew.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | # shellcheck shell=bash
3 |
4 | echo "<------------------------------------------------->"
5 | echo
6 | echo "<------------------------------------------------->"
7 | echo "cronjob running on $(date)"
8 | echo "Running certbot renew"
9 | certbot renew --non-interactive --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini
10 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/acmedns-registration.json:
--------------------------------------------------------------------------------
1 | {
2 | "yourdomain.com": {
3 | "username":"yourusername",
4 | "password":"yourpassword",
5 | "fulldomain":"<guid>.acme.yourdomain.com",
6 | "subdomain":"<guid>",
7 | "allowfrom":[]
8 | }
9 | }
10 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/acmedns.ini:
--------------------------------------------------------------------------------
1 | # See https://pypi.org/project/certbot-dns-acmedns/
2 | # https://github.com/joohoi/acme-dns
3 | #
4 | dns_acmedns_api_url = http://your-acme-dns-server.example.com/
5 | dns_acmedns_registration_file = /config/dns-conf/acmedns-registration.json
6 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/aliyun.ini:
--------------------------------------------------------------------------------
1 | # Obtain Aliyun RAM AccessKey
2 | # https://ram.console.aliyun.com/
3 | # And ensure your RAM account has AliyunDNSFullAccess permission.
4 |
5 | dns_aliyun_access_key = 12345678
6 | dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef
7 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/azure.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://certbot-dns-azure.readthedocs.io/en/latest/
2 | # Replace with your values
3 | # dns_azure_environment can be one of the following: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud
4 | # Service Principal with Client Secret
5 | dns_azure_sp_client_id = 912ce44a-0156-4669-ae22-c16a17d34ca5
6 | dns_azure_sp_client_secret = E-xqXU83Y-jzTI6xe9fs2YC~mck3ZzUih9
7 | dns_azure_tenant_id = ed1090f3-ab18-4b12-816c-599af8a88cf7
8 | dns_azure_environment = "AzurePublicCloud"
9 | dns_azure_zone1 = example.com:/subscriptions/c135abce-d87d-48df-936c-15596c6968a5/resourceGroups/dns1
10 |
11 |
12 | # Service Prinicipal with Certificate
13 | #dns_azure_sp_client_id = 912ce44a-0156-4669-ae22-c16a17d34ca5
14 | #dns_azure_sp_certificate_path = /path/to/certificate.pem
15 | #dns_azure_tenant_id = ed1090f3-ab18-4b12-816c-599af8a88cf7
16 | #dns_azure_environment = "AzurePublicCloud"
17 | #dns_azure_zone1 = example.com:/subscriptions/c135abce-d87d-48df-936c-15596c6968a5/resourceGroups/dns1
18 |
19 | # Azure Managed Identity
20 | #dns_azure_msi_client_id = 912ce44a-0156-4669-ae22-c16a17d34ca5
21 | #dns_azure_zone1 = example.com:/subscriptions/c135abce-d87d-48df-936c-15596c6968a5/resourceGroups/dns1
22 |
23 | # System Assigned Azure Managed Identity
24 | #dns_azure_msi_system_assigned = true
25 | #dns_azure_environment = "AzurePublicCloud"
26 | #dns_azure_zone1 = example.com:/subscriptions/c135abce-d87d-48df-936c-15596c6968a5/resourceGroups/dns1
27 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/bunny.ini:
--------------------------------------------------------------------------------
1 | # Bunny API token used by Certbot
2 | dns_bunny_api_key = a65e8ebd-45ab-44d2-a542-40d4d009e3bf
--------------------------------------------------------------------------------
/root/defaults/dns-conf/cloudflare.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudflare/certbot_dns_cloudflare/__init__.py#L20
2 | # Replace with your values
3 |
4 | # With global api key:
5 | dns_cloudflare_email = cloudflare@example.com
6 | dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567
7 |
8 | # With token (comment out both lines above and uncomment below):
9 | #dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
10 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/cpanel.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/badjware/certbot-dns-cpanel#credentials
2 | # The url cPanel url
3 | # include the scheme and the port number (usually 2083 for https)
4 | cpanel_url = https://cpanel.exemple.com:2083
5 |
6 | # The cPanel username
7 | cpanel_username = user
8 |
9 | # The cPanel password
10 | cpanel_password = hunter2
11 |
12 | # The cPanel API Token
13 | cpanel_token = EUTQ793EY7MIRX4EMXXXXXXXXXXOX4JF
14 |
15 | # You only need to configure API Token or Password. If you supply both, the API Token will be used
16 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/desec.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://pypi.org/project/certbot-dns-desec/
2 | # Replace with your Desec V1 API Token
3 | dns_desec_token=YOUR_TOKEN_HERE
4 | dns_desec_endpoint=https://desec.io/api/v1/
5 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/digitalocean.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-digitalocean/certbot_dns_digitalocean/__init__.py#L21
2 | # Replace with your value
3 | dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff
4 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/directadmin.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/cybercinch/certbot-dns-directadmin/blob/master/certbot_dns_directadmin/__init__.py
2 |
3 | # It is recommended to create a login key in the DirectAdmin control panel to be used as value for directadmin_password.
4 | # Instructions on how to create such key can be found at https://help.directadmin.com/item.php?id=523.
5 | #
6 | # Make sure to grant the following permissions:
7 | # - CMD_API_LOGIN_TEST
8 | # - CMD_API_DNS_CONTROL
9 | # - CMD_API_SHOW_DOMAINS
10 | #
11 | # Username and password can also be used in case your DirectAdmin instance has no support for login keys.
12 |
13 | # The DirectAdmin Server url
14 | # include the scheme and the port number (Normally 2222)
15 | dns_directadmin_url = https://my.directadminserver.com:2222
16 |
17 | # The DirectAdmin username
18 | dns_directadmin_username = username
19 |
20 | # The DirectAdmin password
21 | dns_directadmin_password = aSuperStrongPassword
22 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/dnsimple.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-dnsimple/certbot_dns_dnsimple/__init__.py#L20
2 | # Replace with your value
3 | dns_dnsimple_token = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
4 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/dnsmadeeasy.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-dnsmadeeasy/certbot_dns_dnsmadeeasy/__init__.py#L20
2 | # Replace with your values
3 | dns_dnsmadeeasy_api_key = 1c1a3c91-4770-4ce7-96f4-54c0eb0e457a
4 | dns_dnsmadeeasy_secret_key = c9b5625f-9834-4ff8-baba-4ed5f32cae55
5 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/dnspod.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/SkyLothar/certbot-dns-dnspod#create-a-credentials-file
2 | # Obtain your own DNSPod API token at DNSPod console: https://console.dnspod.cn/account/token/token
3 | # Replace with your own email, id and token
4 | dns_dnspod_email = "me@example.com"
5 | dns_dnspod_api_token = "12345,1234567890abcdef1234567890abcdef"
6 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/do.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/georgeto/certbot-dns-do/blob/master/certbot_dns_do/__init__.py#L32
2 | # Replace with your values
3 | dns_do_api_token = YOUR_DO_LETSENCRYPT_API_KEY
4 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/domeneshop.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/domeneshop/certbot-dns-domeneshop#credentials
2 | # Replace with your values
3 | dns_domeneshop_client_token=1234567890abcdef
4 | dns_domeneshop_client_secret=1234567890abcdefghijklmnopqrstuvxyz1234567890abcdefghijklmnopqrs
5 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/dreamhost.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/goncalo-leal/certbot-dns-dreamhost#usage
2 | # Replace with your values
3 | dns_dreamhost_baseurl = "https://api.dreamhost.com/"
4 | dns_dreamhost_api_key = "<api_key>"
--------------------------------------------------------------------------------
/root/defaults/dns-conf/duckdns.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/infinityofspace/certbot_dns_duckdns#credentials-file-or-cli-parameters
2 | # Replace with your API token from your duckdns account.
3 | dns_duckdns_token=<your-duckdns-token>
4 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/dynu.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/DustyRah/certbot-dns-dynudns
2 | # Replace with your API token from your dynudns account.
3 | dns_dynu_auth_token = AbCbASsd!@34
4 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/freedns.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/schleuss/certbot_dns_freedns#credentials
2 | # Replace with your values
3 | dns_freedns_username = myremoteuser
4 | dns_freedns_password = verysecureremoteuserpassword
5 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/gandi.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/obynio/certbot-plugin-gandi#usage
2 | # Replace with your value
3 | # live dns v5 api key
4 | dns_gandi_api_key=APIKEY
5 |
6 | # optional organization id, remove it if not used
7 | #dns_gandi_sharing_id=SHARINGID
8 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/gehirn.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://certbot-dns-gehirn.readthedocs.io/en/stable/
2 | # Replace with your values
3 | dns_gehirn_api_token = 00000000-0000-0000-0000-000000000000
4 | dns_gehirn_api_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
5 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/glesys.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/runfalk/certbot-dns-glesys#usage
2 |
3 | # GleSYS API credentials used by Certbot
4 | dns_glesys_user = CL00000
5 | dns_glesys_password = apikeygoeshere
6 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/godaddy.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/miigotu/certbot-dns-godaddy
2 | # Replace with your values
3 | dns_godaddy_secret = 0123456789abcdef0123456789abcdef01234567
4 | dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123
5 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/google.json:
--------------------------------------------------------------------------------
1 | {
2 | "instructions": "https://github.com/certbot/certbot/blob/master/certbot-dns-google/certbot_dns_google/__init__.py",
3 | "_comment": "Replace with your values",
4 | "type": "service_account",
5 | "rest": "..."
6 | }
7 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/he.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/TSaaristo/certbot-dns-he#example-usage
2 | # Replace with your values
3 | dns_he_user = Me
4 | dns_he_pass = my HE password
5 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/hetzner.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/ctrlaltcoop/certbot-dns-hetzner
2 | # Replace with your values
3 | dns_hetzner_api_token = nohnah4zoo9Kiejee9aGh0thoopee2sa
4 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/infomaniak.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/Infomaniak/certbot-dns-infomaniak#via-ini-file
2 | # Replace with your values
3 | dns_infomaniak_token = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
4 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/inwx.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/oGGy990/certbot-dns-inwx
2 | # Replace with your values
3 | dns_inwx_url = https://api.domrobot.com/xmlrpc/
4 | dns_inwx_username = your_username
5 | dns_inwx_password = your_password
6 | dns_inwx_shared_secret = your_shared_secret optional
7 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/ionos.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/helgeerbe/certbot-dns-ionos
2 | # Replace with your values
3 | dns_ionos_prefix = myapikeyprefix
4 | dns_ionos_secret = verysecureapikeysecret
5 | dns_ionos_endpoint = https://api.hosting.ionos.com
6 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/linode.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-linode/certbot_dns_linode/__init__.py#L25
2 | # Replace with your values
3 | dns_linode_key = 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ64
4 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/loopia.ini:
--------------------------------------------------------------------------------
1 | # Replace with your values
2 | dns_loopia_user = user@loopiaapi
3 | dns_loopia_password = passwordgoeshere
4 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/luadns.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-luadns/certbot_dns_luadns/__init__.py#L20
2 | # Replace with your values
3 | dns_luadns_email = user@example.com
4 | dns_luadns_token = 0123456789abcdef0123456789abcdef
5 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/namecheap.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/knoxell/certbot-dns-namecheap#credentials
2 | # Namecheap API credentials used by Certbot
3 | dns_namecheap_username=my-username
4 | dns_namecheap_api_key=my-api-key
5 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/netcup.ini:
--------------------------------------------------------------------------------
1 | # Recommended PROPAGATION value in environment for netcup is 900
2 |
3 | dns_netcup_customer_id = 123456
4 | dns_netcup_api_key = 0123456789abcdef0123456789abcdef01234567
5 | dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123
6 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/njalla.ini:
--------------------------------------------------------------------------------
1 | # Generate your API token here: https://njal.la/settings/api/
2 | dns_njalla_token=0000000000000000000000000000000000000000
3 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/nsone.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-nsone/certbot_dns_nsone/__init__.py#L20
2 | # Replace with your value
3 | dns_nsone_api_key = MDAwMDAwMDAwMDAwMDAw
4 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/ovh.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-ovh/certbot_dns_ovh/__init__.py#L20
2 | # Replace with your values
3 | dns_ovh_endpoint = ovh-eu
4 | dns_ovh_application_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
5 | dns_ovh_application_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
6 | dns_ovh_consumer_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
7 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/porkbun.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/infinityofspace/certbot_dns_porkbun
2 | # Replace with your values
3 | dns_porkbun_key=<your-porkbun-api-key>
4 | dns_porkbun_secret=<your-porkbun-api-secret>
5 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/rfc2136.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py#L20
2 | # Replace with your values
3 | # Target DNS server
4 | dns_rfc2136_server = 192.0.2.1
5 | # TSIG key name
6 | dns_rfc2136_name = keyname.
7 | # TSIG key secret
8 | dns_rfc2136_secret = 4q4wM/2I180UXoMyN4INVhJNi8V9BCV+jMw2mXgZw/CSuxUT8C7NKKFs \
9 | AmKd7ak51vWKgSl12ib86oQRPkpDjg==
10 | # TSIG key algorithm
11 | dns_rfc2136_algorithm = HMAC-SHA512
12 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/route53.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-route53/certbot_dns_route53/__init__.py#L18
2 | # Replace with your values
3 | [default]
4 | ; aws_access_key_id=AKIAIOSFODNN7EXAMPLE
5 | ; aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
6 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/sakuracloud.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://certbot-dns-sakuracloud.readthedocs.io/en/stable/
2 | # Replace with your values
3 | dns_sakuracloud_api_token = 00000000-0000-0000-0000-000000000000
4 | dns_sakuracloud_api_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
5 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/standalone.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/siilike/certbot-dns-standalone/blob/master/README.rst
2 | # Make sure to expose UDP port 53 from your swag container:
3 | # - for docker cli, add argument: `-p 53:53/udp`
4 | # - for docker-compose, add the following line under ports: `- 53:53/udp`
5 | # This file does not need to be changed:
6 | # - no credentials are required
7 | # - it's not used and only for informational purpose
8 | # - prepare the correct DNS records as described in the plugin instructions instead
9 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/transip.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://readthedocs.org/projects/certbot-dns-transip/
2 | #
3 | # This DNS plugin can be used to generate SSL wildcard certificates via TransIP DNS TXT records
4 | #
5 | # Login with your TransIP account and go to My Account | API:
6 | # 1. API-settings: On
7 | #
8 | # 2. IP-address/ranges whitelist: Add a new authorized IP address (Swag Docker) to use the API
9 | #
10 | # 3. Generate a new Key Pair and copy the private key to a new transip.key file in the format:
11 | # -----BEGIN PRIVATE KEY-----
12 | # ...
13 | # -----END PRIVATE KEY-----
14 | #
15 | # 4. Convert the key to an RSA key with command:
16 | # openssl rsa -in transip.key -out /config/dns-conf/transip-rsa.key
17 | #
18 | # 5. Set permission
19 | # chmod 600 /config/dns-conf/transip-rsa.key
20 | #
21 | # 6. Replace <transip_username> below with your TransIP username
22 | #
23 | # 7. Create wildcard certificate with Swag environment variables:
24 | # SUBDOMAINS=wildcard
25 | # VALIDATION=dns
26 | # DNSPLUGIN=transip
27 |
28 | dns_transip_username = <transip_username>
29 | dns_transip_key_file = /config/dns-conf/transip-rsa.key
30 |
31 |
--------------------------------------------------------------------------------
/root/defaults/dns-conf/vultr.ini:
--------------------------------------------------------------------------------
1 | # Instructions: https://github.com/lezgomatt/certbot-dns-vultr
2 | # Replace with your vultr Personal Access Token (see https://www.vultr.com/docs/how-to-setup-dynamic-dns).
3 | dns_vultr_key = YOUR_VULTR_API_KEY
4 |
--------------------------------------------------------------------------------
/root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | # shellcheck shell=bash
3 |
4 | cd /config/keys/letsencrypt || exit 1
5 | openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
6 | sleep 1
7 | cat {privkey,fullchain}.pem >priv-fullchain-bundle.pem
8 | chmod 600 priv-fullchain-bundle.pem
9 | chown -R abc:abc /config/etc/letsencrypt
10 |
--------------------------------------------------------------------------------
/root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | # shellcheck shell=bash
3 |
4 | # shellcheck source=/dev/null
5 | . /config/.donoteditthisfile.conf
6 |
7 | if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then
8 | if pgrep -f "s6-supervise svc-nginx" >/dev/null; then
9 | s6-svc -u /run/service/svc-nginx
10 | fi
11 | else
12 | if pgrep -f "nginx:" >/dev/null; then
13 | s6-svc -h /run/service/svc-nginx
14 | fi
15 | fi
16 |
--------------------------------------------------------------------------------
/root/defaults/etc/letsencrypt/renewal-hooks/pre/10-nginx:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | # shellcheck shell=bash
3 |
4 | # shellcheck source=/dev/null
5 | . /config/.donoteditthisfile.conf
6 |
7 | if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then
8 | if pgrep -f "nginx:" >/dev/null; then
9 | s6-svc -d /run/service/svc-nginx
10 | fi
11 | fi
12 |
--------------------------------------------------------------------------------
/root/defaults/fail2ban/fail2ban.local:
--------------------------------------------------------------------------------
1 | [Definition]
2 |
3 | logtarget = /config/log/fail2ban/fail2ban.log
4 | dbfile = /config/fail2ban/fail2ban.sqlite3
5 |
--------------------------------------------------------------------------------
/root/defaults/fail2ban/filter.d/nginx-badbots.conf:
--------------------------------------------------------------------------------
1 | # Fail2Ban configuration file
2 | #
3 | # Regexp to catch known spambots and software alike. Please verify
4 | # that it is your intent to block IPs which were driven by
5 | # above mentioned bots.
6 |
7 |
8 | [Definition]
9 |
10 | badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
11 | badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
12 |
13 | failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
14 |
15 | ignoreregex =
16 |
17 | # DEV Notes:
18 | # List of bad bots fetched from http://www.user-agents.org
19 | # Generated on Thu Nov 7 14:23:35 PST 2013 by files/gen_badbots.
20 | #
21 | # Author: Yaroslav Halchenko
22 |
--------------------------------------------------------------------------------
/root/defaults/fail2ban/filter.d/nginx-deny.conf:
--------------------------------------------------------------------------------
1 | # fail2ban filter configuration for nginx
2 |
3 |
4 | [Definition]
5 |
6 |
7 | failregex = ^ \[error\] \d+#\d+: \*\d+ (access forbidden by rule), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP\/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
8 |
9 | ignoreregex =
10 |
11 | datepattern = {^LN-BEG}
12 |
13 | # DEV NOTES:
14 | #
15 | # Author: notdriz
16 |
--------------------------------------------------------------------------------
/root/defaults/fail2ban/filter.d/nginx-unauthorized.conf:
--------------------------------------------------------------------------------
1 | # A fail2ban filter for unauthorized log messages
2 |
3 | [Definition]
4 |
5 | failregex = ^<HOST>.*"(GET|POST|HEAD).*" (401) .*$
6 |
--------------------------------------------------------------------------------
/root/defaults/fail2ban/jail.local:
--------------------------------------------------------------------------------
1 | ## Version 2022/08/20 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/fail2ban/jail.local
2 | # This is the custom version of the jail.conf for fail2ban
3 | # Feel free to modify this and add additional filters
4 | # Then you can drop the new filter conf files into the fail2ban-filters
5 | # folder and restart the container
6 |
7 | [DEFAULT]
8 | # Prevents banning LAN subnets
9 | ignoreip = 10.0.0.0/8
10 | 192.168.0.0/16
11 | 172.16.0.0/12
12 |
13 | # Changes the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports".
14 | banaction = iptables-allports
15 |
16 | # "bantime" is the number of seconds that a host is banned.
17 | bantime = 600
18 |
19 | # A host is banned if it has generated "maxretry" during the last "findtime"
20 | # seconds.
21 | findtime = 600
22 |
23 | # "maxretry" is the number of failures before a host get banned.
24 | maxretry = 5
25 |
26 |
27 | [ssh]
28 | enabled = false
29 |
30 | [nginx-http-auth]
31 | enabled = true
32 | filter = nginx-http-auth
33 | port = http,https
34 | logpath = /config/log/nginx/error.log
35 |
36 | [nginx-badbots]
37 | enabled = true
38 | port = http,https
39 | filter = nginx-badbots
40 | logpath = /config/log/nginx/access.log
41 | maxretry = 2
42 |
43 | [nginx-botsearch]
44 | enabled = true
45 | port = http,https
46 | filter = nginx-botsearch
47 | logpath = /config/log/nginx/access.log
48 |
49 | [nginx-deny]
50 | enabled = true
51 | port = http,https
52 | filter = nginx-deny
53 | logpath = /config/log/nginx/error.log
54 |
55 | [nginx-unauthorized]
56 | enabled = true
57 | port = http,https
58 | filter = nginx-unauthorized
59 | logpath = /config/log/nginx/access.log
60 |
--------------------------------------------------------------------------------
/root/defaults/nginx/authelia-location.conf.sample:
--------------------------------------------------------------------------------
1 | ## Version 2025/03/25 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample
2 | # Make sure that your authelia container is in the same user defined bridge network and is named authelia
3 | # Rename /config/nginx/proxy-confs/authelia.subdomain.conf.sample to /config/nginx/proxy-confs/authelia.subdomain.conf
4 |
5 | ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource
6 | auth_request /authelia/api/authz/auth-request;
7 |
8 | ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal
9 | error_page 401 = @authelia_proxy_signin;
10 |
11 | ## Translate the user information response headers from the auth subrequest into variables
12 | auth_request_set $email $upstream_http_remote_email;
13 | auth_request_set $groups $upstream_http_remote_groups;
14 | auth_request_set $name $upstream_http_remote_name;
15 | auth_request_set $user $upstream_http_remote_user;
16 |
17 | ## Inject the user information into the request made to the actual upstream
18 | proxy_set_header Remote-Email $email;
19 | proxy_set_header Remote-Groups $groups;
20 | proxy_set_header Remote-Name $name;
21 | proxy_set_header Remote-User $user;
22 |
23 | ## Translate the Set-Cookie response header from the auth subrequest into a variable
24 | auth_request_set $set_cookie $upstream_http_set_cookie;
25 |
26 | ## Translate the Location response header from the auth subrequest into a variable
27 | auth_request_set $signin_url $upstream_http_location;
28 |
--------------------------------------------------------------------------------
/root/defaults/nginx/authelia-server.conf.sample:
--------------------------------------------------------------------------------
1 | ## Version 2025/03/25 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample
2 | # Make sure that your authelia container is in the same user defined bridge network and is named authelia
3 | # Rename /config/nginx/proxy-confs/authelia.subdomain.conf.sample to /config/nginx/proxy-confs/authelia.subdomain.conf
4 |
5 | # location for authelia auth requests
6 | location = /authelia/api/authz/auth-request {
7 | internal;
8 |
9 | include /config/nginx/proxy.conf;
10 | include /config/nginx/resolver.conf;
11 | set $upstream_authelia authelia;
12 | proxy_pass http://$upstream_authelia:9091/api/authz/auth-request;
13 |
14 | ## Include the Set-Cookie header if present
15 | auth_request_set $set_cookie $upstream_http_set_cookie;
16 | add_header Set-Cookie $set_cookie;
17 |
18 | proxy_pass_request_body off;
19 | proxy_set_header Content-Length "";
20 | }
21 |
22 | # virtual location for authelia 401 redirects
23 | location @authelia_proxy_signin {
24 | internal;
25 |
26 | ## Include the Set-Cookie header if present
27 | auth_request_set $set_cookie $upstream_http_set_cookie;
28 | add_header Set-Cookie $set_cookie;
29 |
30 | ## Set the $target_url variable based on the original request
31 | set_escape_uri $target_url $scheme://$http_host$request_uri;
32 |
33 | ## Translate the Location response header from the auth subrequest into a variable
34 | auth_request_set $signin_url $upstream_http_location;
35 |
36 | ## Redirect to login
37 | return 302 $signin_url;
38 | }
39 |
--------------------------------------------------------------------------------
/root/defaults/nginx/authentik-location.conf.sample:
--------------------------------------------------------------------------------
1 | ## Version 2023/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-location.conf.sample
2 | # Make sure that your authentik container is in the same user defined bridge network and is named authentik-server
3 | # Rename /config/nginx/proxy-confs/authentik.subdomain.conf.sample to /config/nginx/proxy-confs/authentik.subdomain.conf
4 |
5 | ## Send a subrequest to Authentik to verify if the user is authenticated and has permission to access the resource
6 | auth_request /outpost.goauthentik.io/auth/nginx;
7 |
8 | ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal
9 | error_page 401 = @goauthentik_proxy_signin;
10 |
11 | ## Translate the user information response headers from the auth subrequest into variables
12 | auth_request_set $authentik_email $upstream_http_x_authentik_email;
13 | auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
14 | auth_request_set $authentik_name $upstream_http_x_authentik_name;
15 | auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
16 | auth_request_set $authentik_username $upstream_http_x_authentik_username;
17 |
18 | ## Inject the user information into the request made to the actual upstream
19 | proxy_set_header X-authentik-email $authentik_email;
20 | proxy_set_header X-authentik-groups $authentik_groups;
21 | proxy_set_header X-authentik-name $authentik_name;
22 | proxy_set_header X-authentik-uid $authentik_uid;
23 | proxy_set_header X-authentik-username $authentik_username;
24 |
25 | ## Translate the Set-Cookie response header from the auth subrequest into a variable
26 | auth_request_set $set_cookie $upstream_http_set_cookie;
27 |
--------------------------------------------------------------------------------
/root/defaults/nginx/authentik-server.conf.sample:
--------------------------------------------------------------------------------
1 | ## Version 2025/03/25 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-server.conf.sample
2 | # Make sure that your authentik container is in the same user defined bridge network and is named authentik-server
3 | # Rename /config/nginx/proxy-confs/authentik.subdomain.conf.sample to /config/nginx/proxy-confs/authentik.subdomain.conf
4 |
5 | # location for authentik subfolder requests
6 | location ^~ /outpost.goauthentik.io {
7 | auth_request off; # requests to this subfolder must be accessible without authentication
8 |
9 | include /config/nginx/proxy.conf;
10 | include /config/nginx/resolver.conf;
11 | set $upstream_authentik authentik-server;
12 | proxy_pass http://$upstream_authentik:9000;
13 | }
14 |
15 | # location for authentik auth requests
16 | location = /outpost.goauthentik.io/auth/nginx {
17 | internal;
18 |
19 | include /config/nginx/proxy.conf;
20 | include /config/nginx/resolver.conf;
21 | set $upstream_authentik authentik-server;
22 | proxy_pass http://$upstream_authentik:9000/outpost.goauthentik.io/auth/nginx;
23 |
24 | ## Include the Set-Cookie header if present
25 | auth_request_set $set_cookie $upstream_http_set_cookie;
26 | add_header Set-Cookie $set_cookie;
27 |
28 | proxy_pass_request_body off;
29 | proxy_set_header Content-Length "";
30 | }
31 |
32 | # virtual location for authentik 401 redirects
33 | location @goauthentik_proxy_signin {
34 | internal;
35 |
36 | ## Include the Set-Cookie header if present
37 | auth_request_set $set_cookie $upstream_http_set_cookie;
38 | add_header Set-Cookie $set_cookie;
39 |
40 | ## Set the $target_url variable based on the original request
41 | set_escape_uri $target_url $scheme://$http_host$request_uri;
42 |
43 | ## Set the $signin_url variable
44 | set $signin_url https://$http_host/outpost.goauthentik.io/start?rd=$target_url;
45 |
46 | ## Redirect to login
47 | return 302 $signin_url;
48 | }
49 |
--------------------------------------------------------------------------------
/root/defaults/nginx/ldap-location.conf.sample:
--------------------------------------------------------------------------------
1 | ## Version 2022/08/20 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/ldap-location.conf.sample
2 |
3 | auth_request /auth;
4 | error_page 401 =200 /ldaplogin;
5 |
--------------------------------------------------------------------------------
/root/defaults/nginx/ldap-server.conf.sample:
--------------------------------------------------------------------------------
1 | ## Version 2022/08/20 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/ldap-server.conf.sample
2 | ## this conf is meant to be used in conjunction with our ldap-auth image: https://github.com/linuxserver/docker-ldap-auth
3 | ## see the heimdall example in the default site config for info on enabling ldap auth
4 | ## for further instructions on this conf, see https://github.com/nginxinc/nginx-ldap-auth
5 |
6 | location /ldaplogin {
7 |
8 | set $upstream_auth_app ldap-auth;
9 | set $upstream_auth_port 9000;
10 | set $upstream_auth_proto http;
11 | proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;
12 | proxy_set_header X-Target $request_uri;
13 | }
14 |
15 | location = /auth {
16 |
17 | set $upstream_auth_app ldap-auth;
18 | set $upstream_auth_port 8888;
19 | set $upstream_auth_proto http;
20 | proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;
21 |
22 | proxy_pass_request_body off;
23 | proxy_set_header Content-Length "";
24 |
25 | #Before enabling the below caching options, make sure you have the line "proxy_cache_path cache/ keys_zone=auth_cache:10m;" at the bottom your default site config
26 | #proxy_cache auth_cache;
27 | #proxy_cache_valid 200 10m;
28 | #proxy_cache_key "$http_authorization$cookie_nginxauth";
29 |
30 | # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
31 | # communicates with a LDAP server, passing in the following
32 | # parameters to specify which user account to authenticate. To
33 | # eliminate the need to modify the Python code, this file contains
34 | # 'proxy_set_header' directives that set the values of the
35 | # parameters. Set or change them as instructed in the comments.
36 | #
37 | # Parameter Proxy header
38 | # ----------- ----------------
39 | # url X-Ldap-URL
40 | # starttls X-Ldap-Starttls
41 | # basedn X-Ldap-BaseDN
42 | # binddn X-Ldap-BindDN
43 | # bindpasswd X-Ldap-BindPass
44 | # cookiename X-CookieName
45 | # realm X-Ldap-Realm
46 | # template X-Ldap-Template
47 | # (Required) Set the URL and port for connecting to the LDAP server,
48 | # by replacing 'example.com'.
49 | # Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
50 | proxy_set_header X-Ldap-URL "ldap://example.com";
51 |
52 | # (Optional) Establish a TLS-enabled LDAP session after binding to the
53 | # LDAP server.
54 | # This is the 'proper' way to establish encrypted TLS connections, see
55 | # http://www.openldap.org/faq/data/cache/185.html
56 | #proxy_set_header X-Ldap-Starttls "true";
57 |
58 | # (Required) Set the Base DN, by replacing the value enclosed in
59 | # double quotes.
60 | proxy_set_header X-Ldap-BaseDN "cn=Users,dc=test,dc=local";
61 |
62 | # (Required) Set the Bind DN, by replacing the value enclosed in
63 | # double quotes.
64 | # If AD, use "root@test.local"
65 | proxy_set_header X-Ldap-BindDN "cn=root,dc=test,dc=local";
66 |
67 | # (Required) Set the Bind password, by replacing 'secret'.
68 | proxy_set_header X-Ldap-BindPass "secret";
69 |
70 | # (Required) The following directives set the cookie name and pass
71 | # it, respectively. They are required for cookie-based
72 | # authentication. Comment them out if using HTTP basic
73 | # authentication.
74 | proxy_set_header X-CookieName "nginxauth";
75 | proxy_set_header Cookie nginxauth=$cookie_nginxauth;
76 |
77 | # (Required if using Microsoft Active Directory as the LDAP server)
78 | # Set the LDAP template by uncommenting the following directive.
79 | #proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
80 |
81 | # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
82 | # template by uncommenting the following directive and replacing
83 | # '(cn=%(username)s)' which is the default set in
84 | # nginx-ldap-auth-daemon.py.
85 | #proxy_set_header X-Ldap-Template "(cn=%(username)s)";
86 | # (Optional) Set the realm name, by uncommenting the following
87 | # directive and replacing 'Restricted' which is the default set
88 | # in nginx-ldap-auth-daemon.py.
89 | #proxy_set_header X-Ldap-Realm "Restricted";
90 | }
91 |
--------------------------------------------------------------------------------
/root/defaults/nginx/proxy.conf.sample:
--------------------------------------------------------------------------------
1 | ## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample
2 |
3 | # Timeout if the real server is dead
4 | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
5 |
6 | # Proxy Connection Settings
7 | proxy_buffers 32 4k;
8 | proxy_connect_timeout 240;
9 | proxy_headers_hash_bucket_size 128;
10 | proxy_headers_hash_max_size 1024;
11 | proxy_http_version 1.1;
12 | proxy_read_timeout 240;
13 | proxy_redirect http:// $scheme://;
14 | proxy_send_timeout 240;
15 |
16 | # Proxy Cache and Cookie Settings
17 | proxy_cache_bypass $cookie_session;
18 | #proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
19 | proxy_no_cache $cookie_session;
20 |
21 | # Proxy Header Settings
22 | proxy_set_header Connection $connection_upgrade;
23 | proxy_set_header Early-Data $ssl_early_data;
24 | proxy_set_header Host $host;
25 | proxy_set_header Proxy "";
26 | proxy_set_header Upgrade $http_upgrade;
27 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
28 | proxy_set_header X-Forwarded-Host $host;
29 | proxy_set_header X-Forwarded-Method $request_method;
30 | proxy_set_header X-Forwarded-Port $server_port;
31 | proxy_set_header X-Forwarded-Proto $scheme;
32 | proxy_set_header X-Forwarded-Server $host;
33 | proxy_set_header X-Forwarded-Ssl on;
34 | proxy_set_header X-Forwarded-Uri $request_uri;
35 | proxy_set_header X-Original-Method $request_method;
36 | proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
37 | proxy_set_header X-Real-IP $remote_addr;
38 |
--------------------------------------------------------------------------------
/root/defaults/nginx/site-confs/default.conf.sample:
--------------------------------------------------------------------------------
1 | ## Version 2024/12/17 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
2 |
3 | # redirect all traffic to https
4 | server {
5 | listen 80 default_server;
6 | listen [::]:80 default_server;
7 |
8 | location / {
9 | return 301 https://$host$request_uri;
10 | }
11 | }
12 |
13 | # main server block
14 | server {
15 | listen 443 ssl default_server;
16 | listen [::]:443 ssl default_server;
17 |
18 | server_name _;
19 |
20 | include /config/nginx/ssl.conf;
21 |
22 | root /config/www;
23 | index index.html index.htm index.php;
24 |
25 | # enable subfolder method reverse proxy confs
26 | include /config/nginx/proxy-confs/*.subfolder.conf;
27 |
28 | # enable for ldap auth (requires ldap-location.conf in the location block)
29 | #include /config/nginx/ldap-server.conf;
30 |
31 | # enable for Authelia (requires authelia-location.conf in the location block)
32 | #include /config/nginx/authelia-server.conf;
33 |
34 | # enable for Authentik (requires authentik-location.conf in the location block)
35 | #include /config/nginx/authentik-server.conf;
36 |
37 | location / {
38 | # enable for basic auth
39 | #auth_basic "Restricted";
40 | #auth_basic_user_file /config/nginx/.htpasswd;
41 |
42 | # enable for ldap auth (requires ldap-server.conf in the server block)
43 | #include /config/nginx/ldap-location.conf;
44 |
45 | # enable for Authelia (requires authelia-server.conf in the server block)
46 | #include /config/nginx/authelia-location.conf;
47 |
48 | # enable for Authentik (requires authentik-server.conf in the server block)
49 | #include /config/nginx/authentik-location.conf;
50 |
51 | try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
52 | }
53 |
54 | location ~ ^(.+\.php)(.*)$ {
55 | # enable the next two lines for http auth
56 | #auth_basic "Restricted";
57 | #auth_basic_user_file /config/nginx/.htpasswd;
58 |
59 | # enable for ldap auth (requires ldap-server.conf in the server block)
60 | #include /config/nginx/ldap-location.conf;
61 |
62 | # enable for Authelia (requires authelia-server.conf in the server block)
63 | #include /config/nginx/authelia-location.conf;
64 |
65 | # enable for Authentik (requires authentik-server.conf in the server block)
66 | #include /config/nginx/authentik-location.conf;
67 |
68 | fastcgi_split_path_info ^(.+\.php)(.*)$;
69 | if (!-f $document_root$fastcgi_script_name) { return 404; }
70 | fastcgi_pass 127.0.0.1:9000;
71 | fastcgi_index index.php;
72 | include /etc/nginx/fastcgi_params;
73 | }
74 |
75 | # deny access to .htaccess/.htpasswd files
76 | location ~ /\.ht {
77 | deny all;
78 | }
79 | }
80 |
81 | # enable subdomain method reverse proxy confs
82 | include /config/nginx/proxy-confs/*.subdomain.conf;
83 |
--------------------------------------------------------------------------------
/root/defaults/nginx/tinyauth-location.conf.sample:
--------------------------------------------------------------------------------
1 | ## Version 2025/06/08 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/tinyauth-location.conf.sample
2 | # Make sure that your tinyauth container is in the same user defined bridge network and is named tinyauth
3 | # Rename /config/nginx/proxy-confs/tinyauth.subdomain.conf.sample to /config/nginx/proxy-confs/tinyauth.subdomain.conf
4 |
5 | ## Send a subrequest to tinyauth to verify if the user is authenticated and has permission to access the resource
6 | auth_request /tinyauth;
7 |
8 | ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal
9 | error_page 401 = @tinyauth_login;
10 |
--------------------------------------------------------------------------------
/root/defaults/nginx/tinyauth-server.conf.sample:
--------------------------------------------------------------------------------
1 | ## Version 2025/06/08 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/tinyauth-server.conf.sample
2 | # Make sure that your tinyauth container is in the same user defined bridge network and is named tinyauth
3 | # Rename /config/nginx/proxy-confs/tinyauth.subdomain.conf.sample to /config/nginx/proxy-confs/tinyauth.subdomain.conf
4 |
5 | # location for tinyauth auth requests
6 | location /tinyauth {
7 | internal;
8 |
9 | include /config/nginx/proxy.conf;
10 | include /config/nginx/resolver.conf;
11 | set $upstream_tinyauth tinyauth;
12 | proxy_pass http://$upstream_tinyauth:3000/api/auth/nginx;
13 |
14 | proxy_set_header x-forwarded-proto $scheme;
15 | proxy_set_header x-forwarded-host $http_host;
16 | proxy_set_header x-forwarded-uri $request_uri;
17 | }
18 |
19 | # virtual location for tinyauth 401 redirects
20 | location @tinyauth_login {
21 | internal;
22 |
23 | ## Set the $target_url variable based on the original request
24 | set_escape_uri $target_url $scheme://$http_host$request_uri;
25 |
26 | ## Set the $signin_url variable
27 | set $domain $host;
28 | if ($host ~* "^[^.]+\.([^.]+\..+)quot;) {
29 | set $domain $1;
30 | }
31 | set $signin_url https://tinyauth.$domain/login?redirect_uri=$target_url;
32 |
33 | ## Redirect to login
34 | return 302 $signin_url;
35 | }
36 |
--------------------------------------------------------------------------------
/root/defaults/www/index.html:
--------------------------------------------------------------------------------
1 | <html>
2 | <head>
3 | <title>Welcome to your SWAG instance</title>
4 | <style>
5 | body{
6 | font-family: Helvetica, Arial, sans-serif;
7 | }
8 | .message{
9 | width:440px;
10 | padding:20px 40px;
11 | margin:0 auto;
12 | background-color:#f9f9f9;
13 | border:1px solid #ddd;
14 | color: #1e3d62;
15 | }
16 | center{
17 | margin:40px 0;
18 | }
19 | h1{
20 | font-size: 18px;
21 | line-height: 26px;
22 | }
23 | p{
24 | font-size: 12px;
25 | }
26 | a{
27 | color: rgb(207, 48, 139);
28 | }
29 | </style>
30 | </head>
31 | <body>
32 | <div class="message">
33 | <h1>Welcome to your <a target="_blank" href="https://github.com/linuxserver/docker-swag">SWAG</a> instance</h1>
34 | <p>A webserver and reverse proxy solution brought to you by <a target="_blank" href="https://www.linuxserver.io/">linuxserver.io</a> with php support and a built-in Certbot client.</p>
35 | <p>We have an article on how to use swag here: <a target="_blank" href="https://docs.linuxserver.io/general/swag">docs.linuxserver.io</a></p>
36 | <p>For help and support, please visit: <a target="_blank" href="https://www.linuxserver.io/support">linuxserver.io/support</a></p>
37 | </div>
38 | </body>
39 | </html>
40 |
--------------------------------------------------------------------------------
/root/donate.txt:
--------------------------------------------------------------------------------
1 | Certbot: https://supporters.eff.org/donate/support-work-on-certbot
2 |
--------------------------------------------------------------------------------
/root/etc/crontabs/root:
--------------------------------------------------------------------------------
1 | # min hour day month weekday command
2 | */15 * * * * run-parts /etc/periodic/15min
3 | 0 * * * * run-parts /etc/periodic/hourly
4 | 0 2 * * * run-parts /etc/periodic/daily
5 | 0 3 * * 6 run-parts /etc/periodic/weekly
6 | 0 5 1 * * run-parts /etc/periodic/monthly
7 |
8 | 8 2 * * * /app/le-renew.sh >> /config/log/letsencrypt/renewal.log 2>&1
9 |
--------------------------------------------------------------------------------
/root/etc/logrotate.d/fail2ban:
--------------------------------------------------------------------------------
1 | /config/log/fail2ban/fail2ban.log {
2 | weekly
3 | rotate 7
4 | missingok
5 | compress
6 | delaycompress
7 | nodateext
8 | postrotate
9 | /usr/bin/fail2ban-client flushlogs 1>/dev/null || true
10 | endscript
11 | su abc abc
12 | }
13 |
--------------------------------------------------------------------------------
/root/etc/logrotate.d/lerotate:
--------------------------------------------------------------------------------
1 | /config/log/letsencrypt/*.log {
2 | weekly
3 | rotate 52
4 | compress
5 | delaycompress
6 | nodateext
7 | missingok
8 | notifempty
9 | sharedscripts
10 | su abc abc
11 | }
12 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-certbot-config/dependencies.d/init-swag-config:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/init-certbot-config/dependencies.d/init-swag-config
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | # shellcheck shell=bash
3 |
4 | # Display variables for troubleshooting
5 | echo -e "Variables set:\\n\
6 | PUID=${PUID}\\n\
7 | PGID=${PGID}\\n\
8 | TZ=${TZ}\\n\
9 | URL=${URL}\\n\
10 | SUBDOMAINS=${SUBDOMAINS}\\n\
11 | EXTRA_DOMAINS=${EXTRA_DOMAINS}\\n\
12 | ONLY_SUBDOMAINS=${ONLY_SUBDOMAINS}\\n\
13 | VALIDATION=${VALIDATION}\\n\
14 | CERTPROVIDER=${CERTPROVIDER}\\n\
15 | DNSPLUGIN=${DNSPLUGIN}\\n\
16 | EMAIL=${EMAIL}\\n\
17 | STAGING=${STAGING}\\n"
18 |
19 | # Sanitize variables
20 | SANED_VARS=(DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER)
21 | for i in "${SANED_VARS[@]}"; do
22 | export echo "${i}"="${!i//\"/}"
23 | export echo "${i}"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
24 | done
25 |
26 | # Check for and install requested DNS plugins
27 | if grep -q "universal-package-install" <<< "${DOCKER_MODS}" && grep -q "certbot-dns" <<< "${INSTALL_PIP_PACKAGES}"; then
28 | echo "**** Installing requested dns plugins ****"
29 | /etc/s6-overlay/s6-rc.d/init-mod-universal-package-install-add-package/run
30 | /etc/s6-overlay/s6-rc.d/init-mods-package-install/run
31 | fi
32 |
33 | # check to make sure DNSPLUGIN is selected if dns validation is used
34 | CERTBOT_DNS_AUTHENTICATORS=$(certbot plugins --authenticators 2>/dev/null | sed -e 's/^Entry point: EntryPoint(name='\''cpanel'\''/Entry point: EntryPoint(name='\''dns-cpanel'\''/' -e '/EntryPoint(name='\''dns-/!d' -e 's/^Entry point: EntryPoint(name='\''dns-\([^ ]*\)'\'',/\1/' | sort)
35 | if [[ "${VALIDATION}" = "dns" ]] && ! echo "${CERTBOT_DNS_AUTHENTICATORS}" | grep -q "${DNSPLUGIN}"; then
36 | echo "Please set the DNSPLUGIN variable to one of the following:"
37 | echo "${CERTBOT_DNS_AUTHENTICATORS}"
38 | sleep infinity
39 | fi
40 |
41 | # set_ini_value logic:
42 | # - if the name is not found in the file, append the name=value to the end of the file
43 | # - if the name is found in the file, replace the value
44 | # - if the name is found in the file but commented out, uncomment the line and replace the value
45 | # call set_ini_value with parameters: $1=name $2=value $3=file
46 | function set_ini_value() {
47 | name=${1//\//\\/}
48 | value=${2//\//\\/}
49 | sed -i \
50 | -e '/^#\?\(\s*'"${name}"'\s*=\s*\).*/{s//\1'"${value}"'/;:a;n;ba;q}' \
51 | -e '$a'"${name}"'='"${value}" "${3}"
52 | }
53 |
54 | # ensure config files exist and has at least one value set (set_ini_value does not work on empty files)
55 | touch /config/etc/letsencrypt/cli.ini
56 | lsiown abc:abc /config/etc/letsencrypt/cli.ini
57 | grep -qF 'agree-tos' /config/etc/letsencrypt/cli.ini || echo 'agree-tos=true' >>/config/etc/letsencrypt/cli.ini
58 |
59 | # Check for broken dns credentials value in cli.ini and remove
60 | sed -i '/dns--credentials/d' /config/etc/letsencrypt/cli.ini
61 |
62 | # Disable Certbot's built in log rotation
63 | set_ini_value "max-log-backups" "0" /config/etc/letsencrypt/cli.ini
64 |
65 | # copy dns default configs
66 | cp -n /defaults/dns-conf/* /config/dns-conf/ 2> >(grep -v 'cp: not replacing')
67 | lsiown -R abc:abc /config/dns-conf
68 |
69 | # copy default renewal hooks
70 | cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/ 2> >(grep -v 'cp: not replacing')
71 | lsiown -R abc:abc /config/etc/letsencrypt/renewal-hooks
72 |
73 | # replace nginx service location in renewal hooks
74 | find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|/run/service/nginx|/run/service/svc-nginx|g' {} \;
75 | find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|/var/run/s6/services/nginx|/run/service/svc-nginx|g' {} \;
76 | find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|s6-supervise nginx|s6-supervise svc-nginx|g' {} \;
77 |
78 | # create original config file if it doesn't exist, move non-hidden legacy file to hidden
79 | if [[ -f "/config/donoteditthisfile.conf" ]]; then
80 | mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
81 | fi
82 | if [[ ! -f "/config/.donoteditthisfile.conf" ]]; then
83 | echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
84 | echo "Created .donoteditthisfile.conf"
85 | fi
86 |
87 | # load original config settings
88 | # shellcheck source=/dev/null
89 | . /config/.donoteditthisfile.conf
90 |
91 | # setting ORIGDOMAIN for use in revoke sections
92 | if [[ "${ORIGONLY_SUBDOMAINS}" = "true" ]] && [[ ! "${ORIGSUBDOMAINS}" = "wildcard" ]]; then
93 | ORIGDOMAIN="$(echo "${ORIGSUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
94 | else
95 | ORIGDOMAIN="${ORIGURL}"
96 | fi
97 |
98 | # update plugin names in dns conf inis
99 | sed -i 's|^certbot[-_]dns[-_]aliyun:||g' /config/dns-conf/aliyun.ini
100 | sed -i 's|^certbot[-_]dns[-_]cpanel:||g' /config/dns-conf/cpanel.ini
101 | sed -i 's|^dns[-_]cpanel[-_]|cpanel_|g' /config/dns-conf/cpanel.ini
102 | sed -i 's|^directadmin[-_]|dns_directadmin_|g' /config/dns-conf/directadmin.ini
103 | sed -i 's|^certbot[-_]dns[-_]domeneshop:||g' /config/dns-conf/domeneshop.ini
104 | sed -i 's|^certbot[-_]plugin[-_]gandi:dns[-_]|dns_gandi_|g' /config/dns-conf/gandi.ini
105 | sed -i 's|^certbot[-_]dns[-_]inwx:||g' /config/dns-conf/inwx.ini
106 | sed -i 's|^certbot[-_]dns[-_]transip:||g' /config/dns-conf/transip.ini
107 |
108 | # update plugin names in renewal conf
109 | if [[ -f "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf" ]] && [[ "${ORIGVALIDATION}" = "dns" ]]; then
110 | if [[ "${ORIGDNSPLUGIN}" =~ ^(aliyun)$ ]]; then
111 | sed -i 's|^authenticator = certbot[-_]dns[-_]aliyun:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
112 | sed -i 's|^certbot[-_]dns[-_]aliyun:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
113 | fi
114 | if [[ "${ORIGDNSPLUGIN}" =~ ^(cpanel)$ ]]; then
115 | sed -i 's|^authenticator = certbot[-_]dns[-_]cpanel:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
116 | sed -i 's|^certbot[-_]dns[-_]cpanel:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
117 | sed -i 's|^authenticator = dns[-_]cpanel|authenticator = cpanel|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
118 | sed -i 's|^dns[-_]cpanel[-_]|cpanel_|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
119 | fi
120 | if [[ "${ORIGDNSPLUGIN}" =~ ^(directadmin)$ ]]; then
121 | sed -i 's|^authenticator = directadmin|authenticator = dns-directadmin|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
122 | sed -i 's|^directadmin[-_]|dns_directadmin_|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
123 | fi
124 | if [[ "${ORIGDNSPLUGIN}" =~ ^(domeneshop)$ ]]; then
125 | sed -i 's|^authenticator = certbot[-_]dns[-_]domeneshop:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
126 | sed -i 's|^certbot[-_]dns[-_]domeneshop:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
127 | fi
128 | if [[ "${ORIGDNSPLUGIN}" =~ ^(gandi)$ ]]; then
129 | sed -i 's|^authenticator = certbot[-_]plugin[-_]gandi:dns|authenticator = dns-gandi|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
130 | sed -i 's|^certbot[-_]plugin[-_]gandi:dns[-_]|dns_gandi_|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
131 | fi
132 | if [[ "${ORIGDNSPLUGIN}" =~ ^(inwx)$ ]]; then
133 | sed -i 's|^authenticator = certbot[-_]dns[-_]inwx:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
134 | sed -i 's|^certbot[-_]dns[-_]inwx:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
135 | fi
136 | if [[ "${ORIGDNSPLUGIN}" =~ ^(transip)$ ]]; then
137 | sed -i 's|^authenticator = certbot[-_]dns[-_]transip:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
138 | sed -i 's|^certbot[-_]dns[-_]transip:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
139 | fi
140 | fi
141 |
142 | # set default validation to http
143 | if [[ -z "${VALIDATION}" ]]; then
144 | VALIDATION="http"
145 | echo "VALIDATION parameter not set; setting it to http"
146 | fi
147 |
148 | # set duckdns validation to dns
149 | if [[ "${VALIDATION}" = "duckdns" ]]; then
150 | VALIDATION="dns"
151 | DNSPLUGIN="duckdns"
152 | if [[ -n "${DUCKDNSTOKEN}" ]] && ! grep -q "dns_duckdns_token=${DUCKDNSTOKEN}quot; /config/dns-conf/duckdns.ini; then
153 | sed -i "s|^dns_duckdns_token=.*|dns_duckdns_token=${DUCKDNSTOKEN}|g" /config/dns-conf/duckdns.ini
154 | fi
155 | fi
156 | if [[ "${VALIDATION}" = "dns" ]] && [[ "${DNSPLUGIN}" = "duckdns" ]]; then
157 | if [[ "${SUBDOMAINS}" = "wildcard" ]]; then
158 | echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
159 | export ONLY_SUBDOMAINS=true
160 | else
161 | echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org"
162 | export SUBDOMAINS=""
163 | fi
164 | export EXTRA_DOMAINS=""
165 | fi
166 |
167 | # setting the symlink for key location
168 | rm -rf /config/keys/letsencrypt
169 | if [[ "${ONLY_SUBDOMAINS}" = "true" ]] && [[ ! "${SUBDOMAINS}" = "wildcard" ]]; then
170 | DOMAIN="$(echo "${SUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${URL}"
171 | ln -s /config/etc/letsencrypt/live/"${DOMAIN}" /config/keys/letsencrypt
172 | else
173 | ln -s /config/etc/letsencrypt/live/"${URL}" /config/keys/letsencrypt
174 | fi
175 |
176 | # cleanup unused csr and keys folders
177 | rm -rf /config/etc/letsencrypt/csr
178 | rm -rf /config/etc/letsencrypt/keys
179 |
180 | # checking for changes in cert variables, revoking certs if necessary
181 | if [[ ! "${URL}" = "${ORIGURL}" ]] ||
182 | [[ ! "${SUBDOMAINS}" = "${ORIGSUBDOMAINS}" ]] ||
183 | [[ ! "${ONLY_SUBDOMAINS}" = "${ORIGONLY_SUBDOMAINS}" ]] ||
184 | [[ ! "${EXTRA_DOMAINS}" = "${ORIGEXTRA_DOMAINS}" ]] ||
185 | [[ ! "${VALIDATION}" = "${ORIGVALIDATION}" ]] ||
186 | [[ ! "${DNSPLUGIN}" = "${ORIGDNSPLUGIN}" ]] ||
187 | [[ ! "${PROPAGATION}" = "${ORIGPROPAGATION}" ]] ||
188 | [[ ! "${STAGING}" = "${ORIGSTAGING}" ]] ||
189 | [[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]]; then
190 | echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
191 | if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]]; then
192 | REV_ACMESERVER=("https://acme.zerossl.com/v2/DV90")
193 | elif [[ "${ORIGSTAGING}" = "true" ]]; then
194 | REV_ACMESERVER=("https://acme-staging-v02.api.letsencrypt.org/directory")
195 | else
196 | REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
197 | fi
198 | if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
199 | certbot revoke --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --key-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/privkey.pem --server "${REV_ACMESERVER[@]}" || true
200 | else
201 | certbot revoke --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
202 | fi
203 | rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
204 | fi
205 |
206 | # saving new variables
207 | echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
208 |
209 | # Check if the cert is using the old LE root cert, revoke and regen if necessary
210 | if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "letsencrypt" ]] || [[ "${CERTPROVIDER}" == "" ]]; } && [[ "${STAGING}" != "true" ]] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
211 | echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
212 | REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
213 | if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
214 | certbot revoke --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true
215 | else
216 | certbot revoke --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
217 | fi
218 | rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
219 | fi
220 |
221 | # if zerossl is selected or staging is set to true, use the relevant server
222 | if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ "${STAGING}" = "true" ]]; then
223 | echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
224 | fi
225 | if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then
226 | echo "ZeroSSL is selected as the cert provider, registering cert with ${EMAIL}"
227 | ACMESERVER="https://acme.zerossl.com/v2/DV90"
228 | elif [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -z "${EMAIL}" ]]; then
229 | echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable"
230 | sleep infinity
231 | elif [[ "${STAGING}" = "true" ]]; then
232 | echo "NOTICE: Staging is active"
233 | echo "Using Let's Encrypt as the cert provider"
234 | ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
235 | else
236 | echo "Using Let's Encrypt as the cert provider"
237 | ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
238 | fi
239 |
240 | set_ini_value "server" "${ACMESERVER}" /config/etc/letsencrypt/cli.ini
241 |
242 | # figuring out domain only vs domain & subdomains vs subdomains only
243 | DOMAINS_ARRAY=()
244 | if [[ -z "${SUBDOMAINS}" ]] || [[ "${ONLY_SUBDOMAINS}" != true ]]; then
245 | DOMAINS_ARRAY+=("${URL}")
246 | fi
247 | if [[ -n "${SUBDOMAINS}" ]]; then
248 | echo "SUBDOMAINS entered, processing"
249 | SUBDOMAINS_ARRAY=()
250 | if [[ "${SUBDOMAINS}" = "wildcard" ]]; then
251 | SUBDOMAINS_ARRAY+=("*.${URL}")
252 | echo "Wildcard cert for ${URL} will be requested"
253 | else
254 | for job in $(echo "${SUBDOMAINS}" | tr "," " "); do
255 | SUBDOMAINS_ARRAY+=("${job}.${URL}")
256 | done
257 | echo "Sub-domains processed are: $(echo "${SUBDOMAINS_ARRAY[*]}" | tr " " ",")"
258 | fi
259 | DOMAINS_ARRAY+=("${SUBDOMAINS_ARRAY[@]}")
260 | fi
261 |
262 | # add extra domains
263 | if [[ -n "${EXTRA_DOMAINS}" ]]; then
264 | echo "EXTRA_DOMAINS entered, processing"
265 | EXTRA_DOMAINS_ARRAY=()
266 | for job in $(echo "${EXTRA_DOMAINS}" | tr "," " "); do
267 | EXTRA_DOMAINS_ARRAY+=("${job}")
268 | done
269 | echo "Extra domains processed are: $(echo "${EXTRA_DOMAINS_ARRAY[*]}" | tr " " ",")"
270 | DOMAINS_ARRAY+=("${EXTRA_DOMAINS_ARRAY[@]}")
271 | fi
272 |
273 | # setting domains in cli.ini
274 | set_ini_value "domains" "$(echo "${DOMAINS_ARRAY[*]}" | tr " " ",")" /config/etc/letsencrypt/cli.ini
275 |
276 | # figuring out whether to use e-mail and which
277 | if [[ ${EMAIL} == *@* ]]; then
278 | echo "E-mail address entered: ${EMAIL}"
279 | set_ini_value "email" "${EMAIL}" /config/etc/letsencrypt/cli.ini
280 | set_ini_value "no-eff-email" "true" /config/etc/letsencrypt/cli.ini
281 | set_ini_value "register-unsafely-without-email" "false" /config/etc/letsencrypt/cli.ini
282 | else
283 | echo "No e-mail address entered or address invalid"
284 | set_ini_value "register-unsafely-without-email" "true" /config/etc/letsencrypt/cli.ini
285 | fi
286 |
287 | # alter extension for error message
288 | if [[ "${DNSPLUGIN}" = "google" ]]; then
289 | DNSCREDENTIALFILE="/config/dns-conf/${DNSPLUGIN}.json"
290 | else
291 | DNSCREDENTIALFILE="/config/dns-conf/${DNSPLUGIN}.ini"
292 | fi
293 |
294 | # setting the validation method to use
295 | if [[ "${VALIDATION}" = "dns" ]]; then
296 | set_ini_value "preferred-challenges" "dns" /config/etc/letsencrypt/cli.ini
297 | set_ini_value "authenticator" "dns-${DNSPLUGIN}" /config/etc/letsencrypt/cli.ini
298 | set_ini_value "dns-${DNSPLUGIN}-credentials" "${DNSCREDENTIALFILE}" /config/etc/letsencrypt/cli.ini
299 | if [[ -n "${PROPAGATION}" ]]; then set_ini_value "dns-${DNSPLUGIN}-propagation-seconds" "${PROPAGATION}" /config/etc/letsencrypt/cli.ini; fi
300 |
301 | # plugins that don't support setting credentials file
302 | if [[ "${DNSPLUGIN}" =~ ^(route53|standalone)$ ]]; then
303 | sed -i "/^dns-${DNSPLUGIN}-credentials\b/d" /config/etc/letsencrypt/cli.ini
304 | fi
305 | # plugins that don't support setting propagation
306 | if [[ "${DNSPLUGIN}" =~ ^(azure|gandi|route53|standalone)$ ]]; then
307 | if [[ -n "${PROPAGATION}" ]]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi
308 | sed -i "/^dns-${DNSPLUGIN}-propagation-seconds\b/d" /config/etc/letsencrypt/cli.ini
309 | fi
310 | # plugins that use old parameter naming convention
311 | if [[ "${DNSPLUGIN}" =~ ^(cpanel)$ ]]; then
312 | sed -i "/^dns-${DNSPLUGIN}-credentials\b/d" /config/etc/letsencrypt/cli.ini
313 | sed -i "/^dns-${DNSPLUGIN}-propagation-seconds\b/d" /config/etc/letsencrypt/cli.ini
314 | set_ini_value "authenticator" "${DNSPLUGIN}" /config/etc/letsencrypt/cli.ini
315 | set_ini_value "${DNSPLUGIN}-credentials" "${DNSCREDENTIALFILE}" /config/etc/letsencrypt/cli.ini
316 | if [[ -n "${PROPAGATION}" ]]; then set_ini_value "${DNSPLUGIN}-propagation-seconds" "${PROPAGATION}" /config/etc/letsencrypt/cli.ini; fi
317 | fi
318 | # don't restore txt records when using DuckDNS plugin
319 | if [[ "${DNSPLUGIN}" =~ ^(duckdns)$ ]]; then
320 | set_ini_value "dns-${DNSPLUGIN}-no-txt-restore" "true" /config/etc/letsencrypt/cli.ini
321 | fi
322 |
323 | echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
324 | elif [[ "${VALIDATION}" = "tls-sni" ]]; then
325 | set_ini_value "preferred-challenges" "http" /config/etc/letsencrypt/cli.ini
326 | set_ini_value "authenticator" "standalone" /config/etc/letsencrypt/cli.ini
327 | echo "*****tls-sni validation has been deprecated, attempting http validation instead"
328 | else
329 | set_ini_value "preferred-challenges" "http" /config/etc/letsencrypt/cli.ini
330 | set_ini_value "authenticator" "standalone" /config/etc/letsencrypt/cli.ini
331 | echo "http validation is selected"
332 | fi
333 |
334 | # generating certs if necessary
335 | if [[ ! -f "/config/keys/letsencrypt/fullchain.pem" ]]; then
336 | if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then
337 | echo "Retrieving EAB from ZeroSSL"
338 | EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${EMAIL}")
339 | ZEROSSL_EAB_KID=$(echo "${EAB_CREDS}" | jq .eab_kid)
340 | ZEROSSL_EAB_HMAC_KEY=$(echo "${EAB_CREDS}" | jq .eab_hmac_key)
341 | if [[ -z "${ZEROSSL_EAB_KID}" ]] || [[ -z "${ZEROSSL_EAB_HMAC_KEY}" ]]; then
342 | echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
343 | sleep infinity
344 | fi
345 | set_ini_value "eab-kid" "${ZEROSSL_EAB_KID}" /config/etc/letsencrypt/cli.ini
346 | set_ini_value "eab-hmac-key" "${ZEROSSL_EAB_HMAC_KEY}" /config/etc/letsencrypt/cli.ini
347 | fi
348 | echo "Generating new certificate"
349 | certbot certonly --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --renew-by-default
350 | if [[ ! -d /config/keys/letsencrypt ]]; then
351 | if [[ "${VALIDATION}" = "dns" ]]; then
352 | echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the ${DNSCREDENTIALFILE} file."
353 | else
354 | echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
355 | fi
356 | sleep infinity
357 | fi
358 | run-parts /config/etc/letsencrypt/renewal-hooks/deploy/
359 | echo "New certificate generated; starting nginx"
360 | else
361 | echo "Certificate exists; parameters unchanged; starting nginx"
362 | fi
363 |
364 | # if certbot generated key exists, remove self-signed cert and replace it with symlink to live cert
365 | if [[ -d /config/keys/letsencrypt ]]; then
366 | rm -rf /config/keys/cert.crt
367 | ln -s ./letsencrypt/fullchain.pem /config/keys/cert.crt
368 | rm -rf /config/keys/cert.key
369 | ln -s ./letsencrypt/privkey.pem /config/keys/cert.key
370 | fi
371 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-certbot-config/type:
--------------------------------------------------------------------------------
1 | oneshot
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-certbot-config/up:
--------------------------------------------------------------------------------
1 | /etc/s6-overlay/s6-rc.d/init-certbot-config/run
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-config-end/dependencies.d/init-outdated-config:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/init-config-end/dependencies.d/init-outdated-config
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-fail2ban-config/dependencies.d/init-swag-samples:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/init-fail2ban-config/dependencies.d/init-swag-samples
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-fail2ban-config/run:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | # shellcheck shell=bash
3 |
4 | if [[ -z ${LSIO_READ_ONLY_FS} ]] && [[ -z ${LSIO_NON_ROOT_USER} ]] && [[ "${DISABLE_F2B,,}" != "true" ]]; then
5 | if ! iptables -L &> /dev/null; then
6 | ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/iptables
7 | ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/iptables-save
8 | ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/iptables-restore
9 | ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/ip6tables
10 | ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/ip6tables-save
11 | ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/ip6tables-restore
12 | fi
13 |
14 | # copy/update the fail2ban config defaults to/in /config
15 | cp -R /defaults/fail2ban/filter.d /config/fail2ban/
16 | cp -R /defaults/fail2ban/action.d /config/fail2ban/
17 | # if jail.local is missing in /config, copy default
18 | if [[ ! -f /config/fail2ban/jail.local ]]; then
19 | cp /defaults/fail2ban/jail.local /config/fail2ban/jail.local
20 | fi
21 | # Replace fail2ban config with user config
22 | if [[ -d /etc/fail2ban/filter.d ]]; then
23 | rm -rf /etc/fail2ban/filter.d
24 | fi
25 | if [[ -d /etc/fail2ban/action.d ]]; then
26 | rm -rf /etc/fail2ban/action.d
27 | fi
28 | cp -R /config/fail2ban/filter.d /etc/fail2ban/
29 | cp -R /config/fail2ban/action.d /etc/fail2ban/
30 | cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/
31 | cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
32 |
33 | # logfiles needed by fail2ban
34 | if [[ ! -f /config/log/nginx/error.log ]]; then
35 | touch /config/log/nginx/error.log
36 | fi
37 | if [[ ! -f /config/log/nginx/access.log ]]; then
38 | touch /config/log/nginx/access.log
39 | fi
40 | fi
41 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-fail2ban-config/type:
--------------------------------------------------------------------------------
1 | oneshot
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-fail2ban-config/up:
--------------------------------------------------------------------------------
1 | /etc/s6-overlay/s6-rc.d/init-fail2ban-config/run
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-outdated-config/dependencies.d/init-renew:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/init-outdated-config/dependencies.d/init-renew
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-outdated-config/run:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | # shellcheck shell=bash
3 |
4 | if [[ -f /config/nginx/geoip2.conf ]]; then
5 | echo "/config/nginx/geoip2.conf exists.
6 | Please migrate to https://github.com/linuxserver/docker-mods/tree/swag-maxmind"
7 | fi
8 | if [[ -f /config/nginx/ldap.conf ]]; then
9 | echo "/config/nginx/ldap.conf exists.
10 | Please apply any customizations to /config/nginx/ldap-server.conf
11 | Ensure your configs are updated and remove /config/nginx/ldap.conf
12 | If you do not use this config, simply remove it."
13 | fi
14 | if grep -qrle ' /etc/letsencrypt' /config/nginx; then
15 | echo " The following nginx confs are using certificates from the obsolete location
16 | /etc/letsencrypt and should be updated to point to /config/etc/letsencrypt
17 | "
18 | echo -n " " && grep -rle ' /etc/letsencrypt' /config/nginx
19 | fi
20 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-outdated-config/type:
--------------------------------------------------------------------------------
1 | oneshot
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-outdated-config/up:
--------------------------------------------------------------------------------
1 | /etc/s6-overlay/s6-rc.d/init-outdated-config/run
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-permissions-config/dependencies.d/init-certbot-config:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/init-permissions-config/dependencies.d/init-certbot-config
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-permissions-config/run:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | # shellcheck shell=bash
3 |
4 | # permissions
5 | find /config/log ! -path '/config/log/logrotate.status' -exec chmod +r {} \+
6 |
7 | lsiown -R abc:abc \
8 | /config
9 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-permissions-config/type:
--------------------------------------------------------------------------------
1 | oneshot
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-permissions-config/up:
--------------------------------------------------------------------------------
1 | /etc/s6-overlay/s6-rc.d/init-permissions-config/run
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-renew/dependencies.d/init-permissions-config:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/init-renew/dependencies.d/init-permissions-config
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-renew/run:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | # shellcheck shell=bash
3 |
4 | # Check if the cert is expired or expires within a day, if so, renew
5 | if openssl x509 -in /config/keys/letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then
6 | echo "The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am)."
7 | else
8 | echo "The cert is either expired or it expires within the next day. Attempting to renew. This could take up to 10 minutes."
9 | /app/le-renew.sh
10 | sleep 1
11 | fi
12 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-renew/type:
--------------------------------------------------------------------------------
1 | oneshot
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-renew/up:
--------------------------------------------------------------------------------
1 | /etc/s6-overlay/s6-rc.d/init-renew/run
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-require-url/dependencies.d/init-config:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/init-require-url/dependencies.d/init-config
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-require-url/run:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | # shellcheck shell=bash
3 |
4 | # check to make sure that the required variables are set
5 | if [[ -z "${URL}" ]]; then
6 | echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details."
7 | sleep infinity
8 | fi
9 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-require-url/type:
--------------------------------------------------------------------------------
1 | oneshot
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-require-url/up:
--------------------------------------------------------------------------------
1 | /etc/s6-overlay/s6-rc.d/init-require-url/run
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-swag-config/dependencies.d/init-fail2ban-config:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/init-swag-config/dependencies.d/init-fail2ban-config
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-swag-config/run:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | # shellcheck shell=bash
3 |
4 | # copy default config files if they don't exist
5 | if [[ ! -f /config/nginx/proxy.conf ]]; then
6 | cp /defaults/nginx/proxy.conf.sample /config/nginx/proxy.conf
7 | fi
8 |
9 | # copy authelia config files if they don't exist
10 | if [[ ! -f /config/nginx/authelia-location.conf ]]; then
11 | cp /defaults/nginx/authelia-location.conf.sample /config/nginx/authelia-location.conf
12 | fi
13 | if [[ ! -f /config/nginx/authelia-server.conf ]]; then
14 | cp /defaults/nginx/authelia-server.conf.sample /config/nginx/authelia-server.conf
15 | fi
16 |
17 | # copy authentik config files if they don't exist
18 | if [[ ! -f /config/nginx/authentik-location.conf ]]; then
19 | cp /defaults/nginx/authentik-location.conf.sample /config/nginx/authentik-location.conf
20 | fi
21 | if [[ ! -f /config/nginx/authentik-server.conf ]]; then
22 | cp /defaults/nginx/authentik-server.conf.sample /config/nginx/authentik-server.conf
23 | fi
24 |
25 | # copy tinyauth config files if they don't exist
26 | if [[ ! -f /config/nginx/tinyauth-location.conf ]]; then
27 | cp /defaults/nginx/tinyauth-location.conf.sample /config/nginx/tinyauth-location.conf
28 | fi
29 | if [[ ! -f /config/nginx/tinyauth-server.conf ]]; then
30 | cp /defaults/nginx/tinyauth-server.conf.sample /config/nginx/tinyauth-server.conf
31 | fi
32 |
33 | # copy old ldap config file to new location
34 | if [[ -f /config/nginx/ldap.conf ]] && [[ ! -f /config/nginx/ldap-server.conf ]]; then
35 | cp /config/nginx/ldap.conf /config/nginx/ldap-server.conf
36 | fi
37 |
38 | # copy ldap config files if they don't exist
39 | if [[ ! -f /config/nginx/ldap-location.conf ]]; then
40 | cp /defaults/nginx/ldap-location.conf.sample /config/nginx/ldap-location.conf
41 | fi
42 | if [[ ! -f /config/nginx/ldap-server.conf ]]; then
43 | cp /defaults/nginx/ldap-server.conf.sample /config/nginx/ldap-server.conf
44 | fi
45 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-swag-config/type:
--------------------------------------------------------------------------------
1 | oneshot
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-swag-config/up:
--------------------------------------------------------------------------------
1 | /etc/s6-overlay/s6-rc.d/init-swag-config/run
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-swag-folders/dependencies.d/init-require-url:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/init-swag-folders/dependencies.d/init-require-url
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-swag-folders/run:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | # shellcheck shell=bash
3 |
4 | # make our folders and links
5 | mkdir -p \
6 | /config/{fail2ban,dns-conf} \
7 | /config/etc/letsencrypt/renewal-hooks \
8 | /config/log/{fail2ban,letsencrypt,nginx} \
9 | /config/nginx/proxy-confs \
10 | /run/fail2ban \
11 | /tmp/letsencrypt
12 |
13 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-swag-folders/type:
--------------------------------------------------------------------------------
1 | oneshot
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-swag-folders/up:
--------------------------------------------------------------------------------
1 | /etc/s6-overlay/s6-rc.d/init-swag-folders/run
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-swag-samples/dependencies.d/init-swag-folders:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/init-swag-samples/dependencies.d/init-swag-folders
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-swag-samples/run:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | # shellcheck shell=bash
3 |
4 | # samples are removed on init by the nginx base
5 |
6 | # copy new samples
7 | if [[ -d /defaults/nginx/proxy-confs/ ]]; then
8 | find /defaults/nginx/proxy-confs/ \
9 | -maxdepth 1 \
10 | -name "*.conf.sample" \
11 | -type f \
12 | -exec cp "{}" /config/nginx/proxy-confs/ \;
13 | fi
14 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-swag-samples/type:
--------------------------------------------------------------------------------
1 | oneshot
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/init-swag-samples/up:
--------------------------------------------------------------------------------
1 | /etc/s6-overlay/s6-rc.d/init-swag-samples/run
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/svc-fail2ban/dependencies.d/init-services:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/svc-fail2ban/dependencies.d/init-services
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/svc-fail2ban/run:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | # shellcheck shell=bash
3 |
4 | if [[ -z ${LSIO_READ_ONLY_FS} ]] && [[ -z ${LSIO_NON_ROOT_USER} ]] && [[ "${DISABLE_F2B,,}" != "true" ]]; then
5 | exec \
6 | fail2ban-client -x -f start
7 | else
8 | sleep infinity
9 | fi
10 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/svc-fail2ban/type:
--------------------------------------------------------------------------------
1 | longrun
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/dependencies.d/init-services:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/dependencies.d/init-services
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | # shellcheck shell=bash
3 |
4 | if [[ ${SWAG_AUTORELOAD,,} == "true" ]]; then
5 | if [[ -f "/etc/s6-overlay/s6-rc.d/svc-mod-swag-auto-reload/run" ]]; then
6 | echo "ERROR: Legacy SWAG Auto Reload Mod detected, to use the built-in Auto Reload functionality please remove it from your container config."
7 | sleep infinity
8 | else
9 | echo "Auto-reload: Watching the following folders for changes to .conf files:"
10 | echo "/config/nginx"
11 | ACTIVE_WATCH=("/config/nginx")
12 | for i in $(echo "${SWAG_AUTORELOAD_WATCHLIST}" | tr "|" " "); do
13 | if [ -f "${i}" ] || [ -d "${i}" ]; then
14 | echo "${i}"
15 | ACTIVE_WATCH+=("${i}")
16 | fi
17 | done
18 |
19 | function wait_for_changes {
20 | inotifywait -rq \
21 | --event modify,move,create,delete \
22 | --includei '\.conf#39; \
23 | "${ACTIVE_WATCH[@]}"
24 | }
25 |
26 | while wait_for_changes; do
27 | NGINX_CONF=()
28 | if ! grep -q "/config/nginx/nginx.conf" /etc/nginx/nginx.conf; then
29 | NGINX_CONF=("-c" "/config/nginx/nginx.conf")
30 | fi
31 | if /usr/sbin/nginx "${NGINX_CONF[@]}" -t; then
32 | echo "Changes to nginx config detected and the changes are valid, reloading nginx"
33 | /usr/sbin/nginx "${NGINX_CONF[@]}" -s reload
34 | else
35 | echo "Changes to nginx config detected but the changes are not valid, skipping nginx reload. Please fix your config."
36 | fi
37 | done
38 | fi
39 | else
40 | sleep infinity
41 | fi
42 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/type:
--------------------------------------------------------------------------------
1 | longrun
2 |
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-certbot-config:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-certbot-config
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-fail2ban-config:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-fail2ban-config
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-outdated-config:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-outdated-config
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-permissions-config:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-permissions-config
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-renew:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-renew
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-require-url:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-require-url
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-swag-config:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-swag-config
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-swag-folders:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-swag-folders
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-swag-samples:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-swag-samples
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-fail2ban:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-fail2ban
--------------------------------------------------------------------------------
/root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-swag-auto-reload:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linuxserver/docker-swag/bb78c0f50ed98657280a0166296f8b78c6fdcf29/root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-swag-auto-reload
--------------------------------------------------------------------------------
/root/migrations/02-swag-old-certbot-paths:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | # shellcheck shell=bash
3 |
4 | # Migrate existing renewal confs with old paths from /etc/letsencrypt to /config/etc/letsencrypt
5 | if ls /config/etc/letsencrypt/renewal/*.conf >/dev/null 2>&1; then
6 | sed -i 's| /etc/letsencrypt| /config/etc/letsencrypt|' /config/etc/letsencrypt/renewal/*.conf
7 | fi
8 |
--------------------------------------------------------------------------------