diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..a92f7df --- /dev/null +++ b/.editorconfig @@ -0,0 +1,20 @@ +# This file is globally distributed to all container image projects from +# https://github.com/linuxserver/docker-jenkins-builder/blob/master/.editorconfig + +# top-most EditorConfig file +root = true + +# Unix-style newlines with a newline ending every file +[*] +end_of_line = lf +insert_final_newline = true +# trim_trailing_whitespace may cause unintended issues and should not be globally set true +trim_trailing_whitespace = false + +[{Dockerfile*,**.yml}] +indent_style = space +indent_size = 2 + +[{**.sh,root/etc/cont-init.d/**,root/etc/services.d/**}] +indent_style = space +indent_size = 4 diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md new file mode 100644 index 0000000..ced3683 --- /dev/null +++ b/.github/CONTRIBUTING.md @@ -0,0 +1,123 @@ +# Contributing to fail2ban + +## Gotchas + +* While contributing make sure to make all your changes before creating a Pull Request, as our pipeline builds each commit after the PR is open. +* Read, and fill the Pull Request template + * If this is a fix for a typo (in code, documentation, or the README) please file an issue and let us sort it out. We do not need a PR + * If the PR is addressing an existing issue include, closes #\, in the body of the PR commit message +* If you want to discuss changes, you can also bring it up in [#dev-talk](https://discordapp.com/channels/354974912613449730/757585807061155840) in our [Discord server](https://discord.gg/YWrKVTn) + +## Common files + +| File | Use case | +| :----: | --- | +| `Dockerfile` | Dockerfile used to build amd64 images | +| `Dockerfile.aarch64` | Dockerfile used to build 64bit ARM architectures | +| `Dockerfile.armhf` | Dockerfile used to build 32bit ARM architectures | +| `Jenkinsfile` | This file is a product of our builder and should not be edited directly. This is used to build the image | +| `jenkins-vars.yml` | This file is used to generate the `Jenkinsfile` mentioned above, it only affects the build-process | +| `package_versions.txt` | This file is generated as a part of the build-process and should not be edited directly. It lists all the installed packages and their versions | +| `README.md` | This file is a product of our builder and should not be edited directly. This displays the readme for the repository and image registries | +| `readme-vars.yml` | This file is used to generate the `README.md` | + +## Readme + +If you would like to change our readme, please __**do not**__ directly edit the readme, as it is auto-generated on each commit. +Instead edit the [readme-vars.yml](https://github.com/linuxserver/docker-fail2ban/edit/master/readme-vars.yml). + +These variables are used in a template for our [Jenkins Builder](https://github.com/linuxserver/docker-jenkins-builder) as part of an ansible play. +Most of these variables are also carried over to [docs.linuxserver.io](https://docs.linuxserver.io/images/docker-fail2ban) + +### Fixing typos or clarify the text in the readme + +There are variables for multiple parts of the readme, the most common ones are: + +| Variable | Description | +| :----: | --- | +| `project_blurb` | This is the short excerpt shown above the project logo. | +| `app_setup_block` | This is the text that shows up under "Application Setup" if enabled | + +### Parameters + +The compose and run examples are also generated from these variables. + +We have a [reference file](https://github.com/linuxserver/docker-jenkins-builder/blob/master/vars/_container-vars-blank) in our Jenkins Builder. + +These are prefixed with `param_` for required parameters, or `opt_param` for optional parameters, except for `cap_add`. +Remember to enable param, if currently disabled. This differs between parameters, and can be seen in the reference file. + +Devices, environment variables, ports and volumes expects its variables in a certain way. + +### Devices + +```yml +param_devices: + - { device_path: "/dev/dri", device_host_path: "/dev/dri", desc: "For hardware transcoding" } +opt_param_devices: + - { device_path: "/dev/dri", device_host_path: "/dev/dri", desc: "For hardware transcoding" } +``` + +### Environment variables + +```yml +param_env_vars: + - { env_var: "TZ", env_value: "Europe/London", desc: "Specify a timezone to use EG Europe/London." } +opt_param_env_vars: + - { env_var: "VERSION", env_value: "latest", desc: "Supported values are LATEST, PLEXPASS or a specific version number." } +``` + +### Ports + +```yml +param_ports: + - { external_port: "80", internal_port: "80", port_desc: "Application WebUI" } +opt_param_ports: + - { external_port: "80", internal_port: "80", port_desc: "Application WebUI" } +``` + +### Volumes + +```yml +param_volumes: + - { vol_path: "/config", vol_host_path: "", desc: "Configuration files." } +opt_param_volumes: + - { vol_path: "/config", vol_host_path: "", desc: "Configuration files." } +``` + +### Testing template changes + +After you make any changes to the templates, you can use our [Jenkins Builder](https://github.com/linuxserver/docker-jenkins-builder) to have the files updated from the modified templates. Please use the command found under `Running Locally` [on this page](https://github.com/linuxserver/docker-jenkins-builder/blob/master/README.md) to generate them prior to submitting a PR. + +## Dockerfiles + +We use multiple Dockerfiles in our repos, this is because sometimes some CPU architectures needs different packages to work. +If you are proposing additional packages to be added, ensure that you added the packages to all the Dockerfiles in alphabetical order. + +### Testing your changes + +```bash +git clone https://github.com/linuxserver/docker-fail2ban.git +cd docker-fail2ban +docker build \ + --no-cache \ + --pull \ + -t linuxserver/fail2ban:latest . +``` + +The ARM variants can be built on x86_64 hardware using `multiarch/qemu-user-static` + +```bash +docker run --rm --privileged multiarch/qemu-user-static:register --reset +``` + +Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64`. + +## Update the changelog + +If you are modifying the Dockerfiles or any of the startup scripts in [root](https://github.com/linuxserver/docker-fail2ban/tree/master/root), add an entry to the changelog + +```yml +changelogs: + - { date: "DD.MM.YY:", desc: "Added some love to templates" } +``` diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 0000000..7eaac77 --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1,2 @@ +github: linuxserver +open_collective: linuxserver diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index fa12fe6..77dc35e 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -9,5 +9,5 @@ contact_links: about: Post on our community forum. - name: Documentation - url: https://docs.linuxserver.io/images/fail2ban + url: https://docs.linuxserver.io/images/docker-fail2ban about: Documentation - information about all of our containers. diff --git a/.github/ISSUE_TEMPLATE/issue.bug.md b/.github/ISSUE_TEMPLATE/issue.bug.md index cab32e5..ae12ac1 100644 --- a/.github/ISSUE_TEMPLATE/issue.bug.md +++ b/.github/ISSUE_TEMPLATE/issue.bug.md @@ -4,7 +4,7 @@ about: Create a report to help us improve --- [linuxserverurl]: https://linuxserver.io -[![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/lsio-labs-wide.png)](https://linuxserver.io) +[![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)][linuxserverurl] @@ -37,4 +37,4 @@ about: Create a report to help us improve ## Docker logs - + diff --git a/.github/ISSUE_TEMPLATE/issue.feature.md b/.github/ISSUE_TEMPLATE/issue.feature.md index a45ce2f..20a91fd 100644 --- a/.github/ISSUE_TEMPLATE/issue.feature.md +++ b/.github/ISSUE_TEMPLATE/issue.feature.md @@ -4,7 +4,7 @@ about: Suggest an idea for this project --- [linuxserverurl]: https://linuxserver.io -[![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/lsio-labs-wide.png)](https://linuxserver.io) +[![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)][linuxserverurl] diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 4855152..6870f1f 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -1,7 +1,8 @@ [linuxserverurl]: https://linuxserver.io -[![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/lsio-labs-wide.png)](https://linuxserver.io) +[![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)][linuxserverurl] + @@ -11,6 +12,7 @@ + @@ -19,7 +21,7 @@ ------------------------------ - - [ ] I have read the [contributing](https://github.com/linuxserver-labs/docker-fail2ban/blob/main/.github/CONTRIBUTING.md) guideline and understand that I have made the correct modifications + - [ ] I have read the [contributing](https://github.com/linuxserver/docker-fail2ban/blob/master/.github/CONTRIBUTING.md) guideline and understand that I have made the correct modifications ------------------------------ @@ -36,5 +38,6 @@ + ## Source / References: diff --git a/.github/workflows/call-baseimage-update.yml b/.github/workflows/call-baseimage-update.yml index 989a208..5092e32 100644 --- a/.github/workflows/call-baseimage-update.yml +++ b/.github/workflows/call-baseimage-update.yml @@ -10,7 +10,7 @@ jobs: with: repo_owner: ${{ github.repository_owner }} baseimage: "alpine" - basebranch: "3.14" + basebranch: "3.16" app_name: "fail2ban" secrets: repo_release_token: ${{ secrets.repo_release_token }} diff --git a/.github/workflows/call-build-image.yml b/.github/workflows/call-build-image.yml index 5d14eda..1d0db2f 100644 --- a/.github/workflows/call-build-image.yml +++ b/.github/workflows/call-build-image.yml @@ -13,7 +13,7 @@ jobs: app_name: fail2ban release_type: alpine release_name: fail2Ban - release_url: "v3.14/main" + release_url: "v3.16/main" target-arch: "all" secrets: scarf_token: ${{ secrets.SCARF_TOKEN }} diff --git a/.github/workflows/call-check-and-release.yml b/.github/workflows/call-check-and-release.yml index 44be589..e94c210 100644 --- a/.github/workflows/call-check-and-release.yml +++ b/.github/workflows/call-check-and-release.yml @@ -12,7 +12,7 @@ jobs: repo_owner: ${{ github.repository_owner }} app_name: "fail2ban" release_type: "alpine" - release_url: "v3.14/main" + release_url: "v3.16/main" release_name: "fail2ban" branch: "master" secrets: diff --git a/.github/workflows/external_trigger.yml b/.github/workflows/external_trigger.yml new file mode 100644 index 0000000..6a16b12 --- /dev/null +++ b/.github/workflows/external_trigger.yml @@ -0,0 +1,93 @@ +name: External Trigger Main + +on: + workflow_dispatch: + +jobs: + external-trigger-master: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2.3.3 + + - name: External Trigger + if: github.ref == 'refs/heads/master' + run: | + if [ -n "${{ secrets.PAUSE_EXTERNAL_TRIGGER_FAIL2BAN_MASTER }}" ]; then + echo "**** Github secret PAUSE_EXTERNAL_TRIGGER_FAIL2BAN_MASTER is set; skipping trigger. ****" + exit 0 + fi + echo "**** External trigger running off of master branch. To disable this trigger, set a Github secret named \"PAUSE_EXTERNAL_TRIGGER_FAIL2BAN_MASTER\". ****" + echo "**** Retrieving external version ****" + EXT_RELEASE=$(curl -sL "http://nl.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \ + && awk '/^P:'"fail2ban"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://') + if [ -z "${EXT_RELEASE}" ] || [ "${EXT_RELEASE}" == "null" ]; then + echo "**** Can't retrieve external version, exiting ****" + FAILURE_REASON="Can't retrieve external version for fail2ban branch master" + GHA_TRIGGER_URL="https://github.com/linuxserver/docker-fail2ban/actions/runs/${{ github.run_id }}" + curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 16711680, + "description": "**Trigger Failed** \n**Reason:** '"${FAILURE_REASON}"' \n**Trigger URL:** '"${GHA_TRIGGER_URL}"' \n"}], + "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }} + exit 1 + fi + EXT_RELEASE=$(echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g') + echo "**** External version: ${EXT_RELEASE} ****" + echo "**** Retrieving last pushed version ****" + image="linuxserver/fail2ban" + tag="latest" + token=$(curl -sX GET \ + "https://ghcr.io/token?scope=repository%3Alinuxserver%2Ffail2ban%3Apull" \ + | jq -r '.token') + multidigest=$(curl -s \ + --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \ + --header "Authorization: Bearer ${token}" \ + "https://ghcr.io/v2/${image}/manifests/${tag}" \ + | jq -r 'first(.manifests[].digest)') + digest=$(curl -s \ + --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \ + --header "Authorization: Bearer ${token}" \ + "https://ghcr.io/v2/${image}/manifests/${multidigest}" \ + | jq -r '.config.digest') + image_info=$(curl -sL \ + --header "Authorization: Bearer ${token}" \ + "https://ghcr.io/v2/${image}/blobs/${digest}" \ + | jq -r '.container_config') + IMAGE_RELEASE=$(echo ${image_info} | jq -r '.Labels.build_version' | awk '{print $3}') + IMAGE_VERSION=$(echo ${IMAGE_RELEASE} | awk -F'-ls' '{print $1}') + if [ -z "${IMAGE_VERSION}" ]; then + echo "**** Can't retrieve last pushed version, exiting ****" + FAILURE_REASON="Can't retrieve last pushed version for fail2ban tag latest" + curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 16711680, + "description": "**Trigger Failed** \n**Reason:** '"${FAILURE_REASON}"' \n"}], + "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }} + exit 1 + fi + echo "**** Last pushed version: ${IMAGE_VERSION} ****" + if [ "${EXT_RELEASE}" == "${IMAGE_VERSION}" ]; then + echo "**** Version ${EXT_RELEASE} already pushed, exiting ****" + exit 0 + elif [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-fail2ban/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then + echo "**** New version ${EXT_RELEASE} found; but there already seems to be an active build on Jenkins; exiting ****" + exit 0 + else + echo "**** New version ${EXT_RELEASE} found; old version was ${IMAGE_VERSION}. Triggering new build ****" + response=$(curl -iX POST \ + https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-fail2ban/job/master/buildWithParameters?PACKAGE_CHECK=false \ + --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|") + echo "**** Jenkins job queue url: ${response%$'\r'} ****" + echo "**** Sleeping 10 seconds until job starts ****" + sleep 10 + buildurl=$(curl -s "${response%$'\r'}api/json" | jq -r '.executable.url') + buildurl="${buildurl%$'\r'}" + echo "**** Jenkins job build url: ${buildurl} ****" + echo "**** Attempting to change the Jenkins job description ****" + curl -iX POST \ + "${buildurl}submitDescription" \ + --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \ + --data-urlencode "description=GHA external trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \ + --data-urlencode "Submit=Submit" + echo "**** Notifying Discord ****" + TRIGGER_REASON="A version change was detected for fail2ban tag latest. Old version:${IMAGE_VERSION} New version:${EXT_RELEASE}" + curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903, + "description": "**Build Triggered** \n**Reason:** '"${TRIGGER_REASON}"' \n**Build URL:** '"${buildurl}display/redirect"' \n"}], + "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }} + fi diff --git a/.github/workflows/external_trigger_scheduler.yml b/.github/workflows/external_trigger_scheduler.yml new file mode 100644 index 0000000..d111ab2 --- /dev/null +++ b/.github/workflows/external_trigger_scheduler.yml @@ -0,0 +1,43 @@ +name: External Trigger Scheduler + +on: + schedule: + - cron: '02 * * * *' + workflow_dispatch: + +jobs: + external-trigger-scheduler: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2.3.3 + with: + fetch-depth: '0' + + - name: External Trigger Scheduler + run: | + echo "**** Branches found: ****" + git for-each-ref --format='%(refname:short)' refs/remotes + echo "**** Pulling the yq docker image ****" + docker pull ghcr.io/linuxserver/yq + for br in $(git for-each-ref --format='%(refname:short)' refs/remotes) + do + br=$(echo "$br" | sed 's|origin/||g') + echo "**** Evaluating branch ${br} ****" + ls_branch=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-fail2ban/${br}/jenkins-vars.yml \ + | docker run --rm -i --entrypoint yq ghcr.io/linuxserver/yq -r .ls_branch) + if [ "$br" == "$ls_branch" ]; then + echo "**** Branch ${br} appears to be live; checking workflow. ****" + if curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-fail2ban/${br}/.github/workflows/external_trigger.yml > /dev/null 2>&1; then + echo "**** Workflow exists. Triggering external trigger workflow for branch ${br} ****." + curl -iX POST \ + -H "Authorization: token ${{ secrets.CR_PAT }}" \ + -H "Accept: application/vnd.github.v3+json" \ + -d "{\"ref\":\"refs/heads/${br}\"}" \ + https://api.github.com/repos/linuxserver/docker-fail2ban/actions/workflows/external_trigger.yml/dispatches + else + echo "**** Workflow doesn't exist; skipping trigger. ****" + fi + else + echo "**** ${br} appears to be a dev branch; skipping trigger. ****" + fi + done diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml index 31152c8..70ba8da 100644 --- a/.github/workflows/greetings.yml +++ b/.github/workflows/greetings.yml @@ -8,6 +8,6 @@ jobs: steps: - uses: actions/first-interaction@v1 with: - issue-message: 'Thanks for opening your first issue here! Be sure to follow the [bug](https://github.com/linuxserver-labs/docker-your_spotify/blob/main/.github/ISSUE_TEMPLATE/issue.bug.md) or [feature](https://github.com/linuxserver-labs/docker-your_spotify/blob/main/.github/ISSUE_TEMPLATE/issue.feature.md) issue templates!' - pr-message: 'Thanks for opening this pull request! Be sure to follow the [pull request template](https://github.com/linuxserver-labs/docker-your_spotify/blob/main/.github/PULL_REQUEST_TEMPLATE.md)!' + issue-message: 'Thanks for opening your first issue here! Be sure to follow the [bug](https://github.com/linuxserver/docker-fail2ban/blob/master/.github/ISSUE_TEMPLATE/issue.bug.md) or [feature](https://github.com/linuxserver/docker-fail2ban/blob/master/.github/ISSUE_TEMPLATE/issue.feature.md) issue templates!' + pr-message: 'Thanks for opening this pull request! Be sure to follow the [pull request template](https://github.com/linuxserver/docker-fail2ban/blob/master/.github/PULL_REQUEST_TEMPLATE.md)!' repo-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/package_trigger.yml b/.github/workflows/package_trigger.yml new file mode 100644 index 0000000..31123a9 --- /dev/null +++ b/.github/workflows/package_trigger.yml @@ -0,0 +1,38 @@ +name: Package Trigger Main + +on: + workflow_dispatch: + +jobs: + package-trigger-master: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2.3.3 + + - name: Package Trigger + if: github.ref == 'refs/heads/master' + run: | + if [ -n "${{ secrets.PAUSE_PACKAGE_TRIGGER_FAIL2BAN_MASTER }}" ]; then + echo "**** Github secret PAUSE_PACKAGE_TRIGGER_FAIL2BAN_MASTER is set; skipping trigger. ****" + exit 0 + fi + if [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-fail2ban/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then + echo "**** There already seems to be an active build on Jenkins; skipping package trigger ****" + exit 0 + fi + echo "**** Package trigger running off of master branch. To disable, set a Github secret named \"PAUSE_PACKAGE_TRIGGER_FAIL2BAN_MASTER\". ****" + response=$(curl -iX POST \ + https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-fail2ban/job/master/buildWithParameters?PACKAGE_CHECK=true \ + --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|") + echo "**** Jenkins job queue url: ${response%$'\r'} ****" + echo "**** Sleeping 10 seconds until job starts ****" + sleep 10 + buildurl=$(curl -s "${response%$'\r'}api/json" | jq -r '.executable.url') + buildurl="${buildurl%$'\r'}" + echo "**** Jenkins job build url: ${buildurl} ****" + echo "**** Attempting to change the Jenkins job description ****" + curl -iX POST \ + "${buildurl}submitDescription" \ + --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \ + --data-urlencode "description=GHA package trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \ + --data-urlencode "Submit=Submit" diff --git a/.github/workflows/package_trigger_scheduler.yml b/.github/workflows/package_trigger_scheduler.yml new file mode 100644 index 0000000..af73d9d --- /dev/null +++ b/.github/workflows/package_trigger_scheduler.yml @@ -0,0 +1,50 @@ +name: Package Trigger Scheduler + +on: + schedule: + - cron: '32 11 * * 2' + workflow_dispatch: + +jobs: + package-trigger-scheduler: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2.3.3 + with: + fetch-depth: '0' + + - name: Package Trigger Scheduler + run: | + echo "**** Branches found: ****" + git for-each-ref --format='%(refname:short)' refs/remotes + echo "**** Pulling the yq docker image ****" + docker pull ghcr.io/linuxserver/yq + for br in $(git for-each-ref --format='%(refname:short)' refs/remotes) + do + br=$(echo "$br" | sed 's|origin/||g') + echo "**** Evaluating branch ${br} ****" + ls_branch=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-fail2ban/${br}/jenkins-vars.yml \ + | docker run --rm -i --entrypoint yq ghcr.io/linuxserver/yq -r .ls_branch) + if [ "${br}" == "${ls_branch}" ]; then + echo "**** Branch ${br} appears to be live; checking workflow. ****" + if curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-fail2ban/${br}/.github/workflows/package_trigger.yml > /dev/null 2>&1; then + echo "**** Workflow exists. Triggering package trigger workflow for branch ${br}. ****" + triggered_branches="${triggered_branches}${br} " + curl -iX POST \ + -H "Authorization: token ${{ secrets.CR_PAT }}" \ + -H "Accept: application/vnd.github.v3+json" \ + -d "{\"ref\":\"refs/heads/${br}\"}" \ + https://api.github.com/repos/linuxserver/docker-fail2ban/actions/workflows/package_trigger.yml/dispatches + sleep 30 + else + echo "**** Workflow doesn't exist; skipping trigger. ****" + fi + else + echo "**** ${br} appears to be a dev branch; skipping trigger. ****" + fi + done + echo "**** Package check build(s) triggered for branch(es): ${triggered_branches} ****" + echo "**** Notifying Discord ****" + curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903, + "description": "**Package Check Build(s) Triggered for fail2ban** \n**Branch(es):** '"${triggered_branches}"' \n**Build URL:** '"https://ci.linuxserver.io/blue/organizations/jenkins/Docker-Pipeline-Builders%2Fdocker-fail2ban/activity/"' \n"}], + "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }} diff --git a/.gitignore b/.gitignore index 96374c4..be9245a 100644 --- a/.gitignore +++ b/.gitignore @@ -41,3 +41,6 @@ $RECYCLE.BIN/ Network Trash Folder Temporary Items .apdisk + +.history/ +.jenkins-external diff --git a/Dockerfile b/Dockerfile index a5232c5..6a622f7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,10 +1,10 @@ -FROM ghcr.io/linuxserver/baseimage-alpine:3.14 +FROM ghcr.io/linuxserver/baseimage-alpine:3.16 # set version label ARG BUILD_DATE ARG VERSION LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}" -LABEL maintainer="nomandera" +LABEL maintainer="nomandera,nemchik" # environment settings ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2 @@ -14,8 +14,15 @@ RUN \ apk add --no-cache --upgrade \ curl \ fail2ban \ - fail2ban-doc - + fail2ban-doc \ + jq && \ + echo "**** cleanup ****" && \ + rm -rf \ + /root/.cache \ + /tmp/* # add local files COPY root/ / + +# ports and volumes +VOLUME /config diff --git a/Jenkinsfile b/Jenkinsfile new file mode 100644 index 0000000..e871fe2 --- /dev/null +++ b/Jenkinsfile @@ -0,0 +1,999 @@ +pipeline { + agent { + label 'X86-64-MULTI' + } + options { + buildDiscarder(logRotator(numToKeepStr: '10', daysToKeepStr: '60')) + parallelsAlwaysFailFast() + } + // Input to determine if this is a package check + parameters { + string(defaultValue: 'false', description: 'package check run', name: 'PACKAGE_CHECK') + } + // Configuration for the variables used for this specific repo + environment { + BUILDS_DISCORD=credentials('build_webhook_url') + GITHUB_TOKEN=credentials('498b4638-2d02-4ce5-832d-8a57d01d97ab') + GITLAB_TOKEN=credentials('b6f0f1dd-6952-4cf6-95d1-9c06380283f0') + GITLAB_NAMESPACE=credentials('gitlab-namespace-id') + SCARF_TOKEN=credentials('scarf_api_key') + BUILD_VERSION_ARG = 'FAIL2BAN_VERSION' + LS_USER = 'linuxserver' + LS_REPO = 'docker-fail2ban' + CONTAINER_NAME = 'fail2ban' + DOCKERHUB_IMAGE = 'linuxserver/fail2ban' + DEV_DOCKERHUB_IMAGE = 'lsiodev/fail2ban' + PR_DOCKERHUB_IMAGE = 'lspipepr/fail2ban' + DIST_IMAGE = 'alpine' + DIST_TAG = '3.16' + DIST_REPO = 'http://nl.alpinelinux.org/alpine/v3.16/main/' + DIST_REPO_PACKAGES = 'fail2ban' + MULTIARCH='true' + CI='true' + CI_WEB='false' + CI_PORT='' + CI_SSL='false' + CI_DELAY='120' + CI_DOCKERENV='TZ=US/Pacific' + CI_AUTH='user:password' + CI_WEBPATH='' + } + stages { + // Setup all the basic environment variables needed for the build + stage("Set ENV Variables base"){ + steps{ + script{ + env.EXIT_STATUS = '' + env.LS_RELEASE = sh( + script: '''docker run --rm ghcr.io/linuxserver/alexeiled-skopeo sh -c 'skopeo inspect docker://docker.io/'${DOCKERHUB_IMAGE}':latest 2>/dev/null' | jq -r '.Labels.build_version' | awk '{print $3}' | grep '\\-ls' || : ''', + returnStdout: true).trim() + env.LS_RELEASE_NOTES = sh( + script: '''cat readme-vars.yml | awk -F \\" '/date: "[0-9][0-9].[0-9][0-9].[0-9][0-9]:/ {print $4;exit;}' | sed -E ':a;N;$!ba;s/\\r{0,1}\\n/\\\\n/g' ''', + returnStdout: true).trim() + env.GITHUB_DATE = sh( + script: '''date '+%Y-%m-%dT%H:%M:%S%:z' ''', + returnStdout: true).trim() + env.COMMIT_SHA = sh( + script: '''git rev-parse HEAD''', + returnStdout: true).trim() + env.CODE_URL = 'https://github.com/' + env.LS_USER + '/' + env.LS_REPO + '/commit/' + env.GIT_COMMIT + env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.DOCKERHUB_IMAGE + '/tags/' + env.PULL_REQUEST = env.CHANGE_ID + env.TEMPLATED_FILES = 'Jenkinsfile README.md LICENSE .editorconfig ./.github/CONTRIBUTING.md ./.github/FUNDING.yml ./.github/ISSUE_TEMPLATE/config.yml ./.github/ISSUE_TEMPLATE/issue.bug.md ./.github/ISSUE_TEMPLATE/issue.feature.md ./.github/PULL_REQUEST_TEMPLATE.md ./.github/workflows/external_trigger_scheduler.yml ./.github/workflows/greetings.yml ./.github/workflows/package_trigger_scheduler.yml ./.github/workflows/stale.yml ./.github/workflows/external_trigger.yml ./.github/workflows/package_trigger.yml' + } + script{ + env.LS_RELEASE_NUMBER = sh( + script: '''echo ${LS_RELEASE} |sed 's/^.*-ls//g' ''', + returnStdout: true).trim() + } + script{ + env.LS_TAG_NUMBER = sh( + script: '''#! /bin/bash + tagsha=$(git rev-list -n 1 ${LS_RELEASE} 2>/dev/null) + if [ "${tagsha}" == "${COMMIT_SHA}" ]; then + echo ${LS_RELEASE_NUMBER} + elif [ -z "${GIT_COMMIT}" ]; then + echo ${LS_RELEASE_NUMBER} + else + echo $((${LS_RELEASE_NUMBER} + 1)) + fi''', + returnStdout: true).trim() + } + } + } + /* ####################### + Package Version Tagging + ####################### */ + // Grab the current package versions in Git to determine package tag + stage("Set Package tag"){ + steps{ + script{ + env.PACKAGE_TAG = sh( + script: '''#!/bin/bash + if [ -e package_versions.txt ] ; then + cat package_versions.txt | md5sum | cut -c1-8 + else + echo none + fi''', + returnStdout: true).trim() + } + } + } + /* ######################## + External Release Tagging + ######################## */ + // If this is an alpine repo change for external version determine an md5 from the version string + stage("Set tag Alpine Repo"){ + steps{ + script{ + env.EXT_RELEASE = sh( + script: '''curl -sL "${DIST_REPO}x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \ + && awk '/^P:'"${DIST_REPO_PACKAGES}"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://' ''', + returnStdout: true).trim() + env.RELEASE_LINK = 'alpine_repo' + } + } + } + // Sanitize the release tag and strip illegal docker or github characters + stage("Sanitize tag"){ + steps{ + script{ + env.EXT_RELEASE_CLEAN = sh( + script: '''echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g' ''', + returnStdout: true).trim() + + def semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)\.(\d+)/ + if (semver.find()) { + env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${semver[0][3]}" + } else { + semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)(?:\.(\d+))?(.*)/ + if (semver.find()) { + if (semver[0][3]) { + env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${semver[0][3]}" + } else if (!semver[0][3] && !semver[0][4]) { + env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${(new Date()).format('YYYYMMdd')}" + } + } + } + + if (env.SEMVER != null) { + if (BRANCH_NAME != "master" && BRANCH_NAME != "main") { + env.SEMVER = "${env.SEMVER}-${BRANCH_NAME}" + } + println("SEMVER: ${env.SEMVER}") + } else { + println("No SEMVER detected") + } + + } + } + } + // If this is a master build use live docker endpoints + stage("Set ENV live build"){ + when { + branch "master" + environment name: 'CHANGE_ID', value: '' + } + steps { + script{ + env.IMAGE = env.DOCKERHUB_IMAGE + env.GITHUBIMAGE = 'ghcr.io/' + env.LS_USER + '/' + env.CONTAINER_NAME + env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/' + env.CONTAINER_NAME + env.QUAYIMAGE = 'quay.io/linuxserver.io/' + env.CONTAINER_NAME + if (env.MULTIARCH == 'true') { + env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + } else { + env.CI_TAGS = env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + } + env.VERSION_TAG = env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + env.META_TAG = env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + env.EXT_RELEASE_TAG = 'version-' + env.EXT_RELEASE_CLEAN + } + } + } + // If this is a dev build use dev docker endpoints + stage("Set ENV dev build"){ + when { + not {branch "master"} + environment name: 'CHANGE_ID', value: '' + } + steps { + script{ + env.IMAGE = env.DEV_DOCKERHUB_IMAGE + env.GITHUBIMAGE = 'ghcr.io/' + env.LS_USER + '/lsiodev-' + env.CONTAINER_NAME + env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/lsiodev-' + env.CONTAINER_NAME + env.QUAYIMAGE = 'quay.io/linuxserver.io/lsiodev-' + env.CONTAINER_NAME + if (env.MULTIARCH == 'true') { + env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + } else { + env.CI_TAGS = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + } + env.VERSION_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + env.META_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + env.EXT_RELEASE_TAG = 'version-' + env.EXT_RELEASE_CLEAN + env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.DEV_DOCKERHUB_IMAGE + '/tags/' + } + } + } + // If this is a pull request build use dev docker endpoints + stage("Set ENV PR build"){ + when { + not {environment name: 'CHANGE_ID', value: ''} + } + steps { + script{ + env.IMAGE = env.PR_DOCKERHUB_IMAGE + env.GITHUBIMAGE = 'ghcr.io/' + env.LS_USER + '/lspipepr-' + env.CONTAINER_NAME + env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/lspipepr-' + env.CONTAINER_NAME + env.QUAYIMAGE = 'quay.io/linuxserver.io/lspipepr-' + env.CONTAINER_NAME + if (env.MULTIARCH == 'true') { + env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + } else { + env.CI_TAGS = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + } + env.VERSION_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + env.META_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + env.EXT_RELEASE_TAG = 'version-' + env.EXT_RELEASE_CLEAN + env.CODE_URL = 'https://github.com/' + env.LS_USER + '/' + env.LS_REPO + '/pull/' + env.PULL_REQUEST + env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.PR_DOCKERHUB_IMAGE + '/tags/' + } + } + } + // Run ShellCheck + stage('ShellCheck') { + when { + environment name: 'CI', value: 'true' + } + steps { + withCredentials([ + string(credentialsId: 'ci-tests-s3-key-id', variable: 'S3_KEY'), + string(credentialsId: 'ci-tests-s3-secret-access-key', variable: 'S3_SECRET') + ]) { + script{ + env.SHELLCHECK_URL = 'https://ci-tests.linuxserver.io/' + env.IMAGE + '/' + env.META_TAG + '/shellcheck-result.xml' + } + sh '''curl -sL https://raw.githubusercontent.com/linuxserver/docker-shellcheck/master/checkrun.sh | /bin/bash''' + sh '''#! /bin/bash + set -e + docker pull ghcr.io/linuxserver/lsiodev-spaces-file-upload:latest + docker run --rm \ + -e DESTINATION=\"${IMAGE}/${META_TAG}/shellcheck-result.xml\" \ + -e FILE_NAME="shellcheck-result.xml" \ + -e MIMETYPE="text/xml" \ + -v ${WORKSPACE}:/mnt \ + -e SECRET_KEY=\"${S3_SECRET}\" \ + -e ACCESS_KEY=\"${S3_KEY}\" \ + -t ghcr.io/linuxserver/lsiodev-spaces-file-upload:latest \ + python /upload.py''' + } + } + } + // Use helper containers to render templated files + stage('Update-Templates') { + when { + branch "master" + environment name: 'CHANGE_ID', value: '' + expression { + env.CONTAINER_NAME != null + } + } + steps { + sh '''#! /bin/bash + set -e + TEMPDIR=$(mktemp -d) + docker pull ghcr.io/linuxserver/jenkins-builder:latest + docker run --rm -e CONTAINER_NAME=${CONTAINER_NAME} -e GITHUB_BRANCH=master -v ${TEMPDIR}:/ansible/jenkins ghcr.io/linuxserver/jenkins-builder:latest + # Stage 1 - Jenkinsfile update + if [[ "$(md5sum Jenkinsfile | awk '{ print $1 }')" != "$(md5sum ${TEMPDIR}/docker-${CONTAINER_NAME}/Jenkinsfile | awk '{ print $1 }')" ]]; then + mkdir -p ${TEMPDIR}/repo + git clone https://github.com/${LS_USER}/${LS_REPO}.git ${TEMPDIR}/repo/${LS_REPO} + cd ${TEMPDIR}/repo/${LS_REPO} + git checkout -f master + cp ${TEMPDIR}/docker-${CONTAINER_NAME}/Jenkinsfile ${TEMPDIR}/repo/${LS_REPO}/ + git add Jenkinsfile + git commit -m 'Bot Updating Templated Files' + git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all + echo "true" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER} + echo "Updating Jenkinsfile" + rm -Rf ${TEMPDIR} + exit 0 + else + echo "Jenkinsfile is up to date." + fi + # Stage 2 - Delete old templates + OLD_TEMPLATES=".github/ISSUE_TEMPLATE.md" + for i in ${OLD_TEMPLATES}; do + if [[ -f "${i}" ]]; then + TEMPLATES_TO_DELETE="${i} ${TEMPLATES_TO_DELETE}" + fi + done + if [[ -n "${TEMPLATES_TO_DELETE}" ]]; then + mkdir -p ${TEMPDIR}/repo + git clone https://github.com/${LS_USER}/${LS_REPO}.git ${TEMPDIR}/repo/${LS_REPO} + cd ${TEMPDIR}/repo/${LS_REPO} + git checkout -f master + for i in ${TEMPLATES_TO_DELETE}; do + git rm "${i}" + done + git commit -m 'Bot Updating Templated Files' + git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all + echo "true" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER} + echo "Deleting old templates" + rm -Rf ${TEMPDIR} + exit 0 + else + echo "No templates to delete" + fi + # Stage 3 - Update templates + CURRENTHASH=$(grep -hs ^ ${TEMPLATED_FILES} | md5sum | cut -c1-8) + cd ${TEMPDIR}/docker-${CONTAINER_NAME} + NEWHASH=$(grep -hs ^ ${TEMPLATED_FILES} | md5sum | cut -c1-8) + if [[ "${CURRENTHASH}" != "${NEWHASH}" ]] || ! grep -q '.jenkins-external' "${WORKSPACE}/.gitignore" 2>/dev/null; then + mkdir -p ${TEMPDIR}/repo + git clone https://github.com/${LS_USER}/${LS_REPO}.git ${TEMPDIR}/repo/${LS_REPO} + cd ${TEMPDIR}/repo/${LS_REPO} + git checkout -f master + cd ${TEMPDIR}/docker-${CONTAINER_NAME} + mkdir -p ${TEMPDIR}/repo/${LS_REPO}/.github/workflows + mkdir -p ${TEMPDIR}/repo/${LS_REPO}/.github/ISSUE_TEMPLATE + cp --parents ${TEMPLATED_FILES} ${TEMPDIR}/repo/${LS_REPO}/ || : + cd ${TEMPDIR}/repo/${LS_REPO}/ + if ! grep -q '.jenkins-external' .gitignore 2>/dev/null; then + echo ".jenkins-external" >> .gitignore + git add .gitignore + fi + git add ${TEMPLATED_FILES} + git commit -m 'Bot Updating Templated Files' + git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all + echo "true" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER} + else + echo "false" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER} + fi + mkdir -p ${TEMPDIR}/gitbook + git clone https://github.com/linuxserver/docker-documentation.git ${TEMPDIR}/gitbook/docker-documentation + if [[ ("${BRANCH_NAME}" == "master") || ("${BRANCH_NAME}" == "main") ]] && [[ (! -f ${TEMPDIR}/gitbook/docker-documentation/images/docker-${CONTAINER_NAME}.md) || ("$(md5sum ${TEMPDIR}/gitbook/docker-documentation/images/docker-${CONTAINER_NAME}.md | awk '{ print $1 }')" != "$(md5sum ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/docker-${CONTAINER_NAME}.md | awk '{ print $1 }')") ]]; then + cp ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/docker-${CONTAINER_NAME}.md ${TEMPDIR}/gitbook/docker-documentation/images/ + cd ${TEMPDIR}/gitbook/docker-documentation/ + git add images/docker-${CONTAINER_NAME}.md + git commit -m 'Bot Updating Documentation' + git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/docker-documentation.git --all + fi + mkdir -p ${TEMPDIR}/unraid + git clone https://github.com/linuxserver/docker-templates.git ${TEMPDIR}/unraid/docker-templates + git clone https://github.com/linuxserver/templates.git ${TEMPDIR}/unraid/templates + if [[ -f ${TEMPDIR}/unraid/docker-templates/linuxserver.io/img/${CONTAINER_NAME}-logo.png ]]; then + sed -i "s|master/linuxserver.io/img/linuxserver-ls-logo.png|master/linuxserver.io/img/${CONTAINER_NAME}-logo.png|" ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml + fi + if [[ ("${BRANCH_NAME}" == "master") || ("${BRANCH_NAME}" == "main") ]] && [[ (! -f ${TEMPDIR}/unraid/templates/unraid/${CONTAINER_NAME}.xml) || ("$(md5sum ${TEMPDIR}/unraid/templates/unraid/${CONTAINER_NAME}.xml | awk '{ print $1 }')" != "$(md5sum ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml | awk '{ print $1 }')") ]]; then + cd ${TEMPDIR}/unraid/templates/ + if grep -wq "${CONTAINER_NAME}" ${TEMPDIR}/unraid/templates/unraid/ignore.list; then + echo "Image is on the ignore list, marking Unraid template as deprecated" + cp ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml ${TEMPDIR}/unraid/templates/unraid/ + git add -u unraid/${CONTAINER_NAME}.xml + git mv unraid/${CONTAINER_NAME}.xml unraid/deprecated/${CONTAINER_NAME}.xml || : + git commit -m 'Bot Moving Deprecated Unraid Template' || : + else + cp ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml ${TEMPDIR}/unraid/templates/unraid/ + git add unraid/${CONTAINER_NAME}.xml + git commit -m 'Bot Updating Unraid Template' + fi + git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/templates.git --all + fi + rm -Rf ${TEMPDIR}''' + script{ + env.FILES_UPDATED = sh( + script: '''cat /tmp/${COMMIT_SHA}-${BUILD_NUMBER}''', + returnStdout: true).trim() + } + } + } + // Exit the build if the Templated files were just updated + stage('Template-exit') { + when { + branch "master" + environment name: 'CHANGE_ID', value: '' + environment name: 'FILES_UPDATED', value: 'true' + expression { + env.CONTAINER_NAME != null + } + } + steps { + script{ + env.EXIT_STATUS = 'ABORTED' + } + } + } + /* ####################### + GitLab Mirroring + ####################### */ + // Ping into Gitlab to mirror this repo and have a registry endpoint + stage("GitLab Mirror"){ + when { + environment name: 'EXIT_STATUS', value: '' + } + steps{ + sh '''curl -H "Content-Type: application/json" -H "Private-Token: ${GITLAB_TOKEN}" -X POST https://gitlab.com/api/v4/projects \ + -d '{"namespace_id":'${GITLAB_NAMESPACE}',\ + "name":"'${LS_REPO}'", + "mirror":true,\ + "import_url":"https://github.com/linuxserver/'${LS_REPO}'.git",\ + "issues_access_level":"disabled",\ + "merge_requests_access_level":"disabled",\ + "repository_access_level":"enabled",\ + "visibility":"public"}' ''' + } + } + /* ####################### + Scarf.sh package registry + ####################### */ + // Add package to Scarf.sh and set permissions + stage("Scarf.sh package registry"){ + when { + branch "master" + environment name: 'EXIT_STATUS', value: '' + } + steps{ + sh '''#! /bin/bash + set -e + PACKAGE_UUID=$(curl -X GET -H "Authorization: Bearer ${SCARF_TOKEN}" https://scarf.sh/api/v1/organizations/linuxserver-ci/packages | jq -r '.[] | select(.name=="linuxserver/fail2ban") | .uuid') + if [ -z "${PACKAGE_UUID}" ]; then + echo "Adding package to Scarf.sh" + curl -sX POST https://scarf.sh/api/v1/organizations/linuxserver-ci/packages \ + -H "Authorization: Bearer ${SCARF_TOKEN}" \ + -H "Content-Type: application/json" \ + -d '{"name":"linuxserver/fail2ban",\ + "shortDescription":"example description",\ + "libraryType":"docker",\ + "website":"https://github.com/linuxserver/docker-fail2ban",\ + "backendUrl":"https://ghcr.io/linuxserver/fail2ban",\ + "publicUrl":"https://lscr.io/linuxserver/fail2ban"}' || : + else + echo "Package already exists on Scarf.sh" + fi + ''' + } + } + /* ############### + Build Container + ############### */ + // Build Docker container for push to LS Repo + stage('Build-Single') { + when { + expression { + env.MULTIARCH == 'false' || params.PACKAGE_CHECK == 'true' + } + environment name: 'EXIT_STATUS', value: '' + } + steps { + echo "Running on node: ${NODE_NAME}" + sh "docker build \ + --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \ + --label \"org.opencontainers.image.authors=linuxserver.io\" \ + --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-fail2ban/packages\" \ + --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-fail2ban\" \ + --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-fail2ban\" \ + --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \ + --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \ + --label \"org.opencontainers.image.vendor=linuxserver.io\" \ + --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \ + --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \ + --label \"org.opencontainers.image.title=Fail2ban\" \ + --label \"org.opencontainers.image.description=[Fail2ban](http://www.fail2ban.org/) is a daemon to ban hosts that cause multiple authentication errors. \" \ + --no-cache --pull -t ${IMAGE}:${META_TAG} \ + --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ." + } + } + // Build MultiArch Docker containers for push to LS Repo + stage('Build-Multi') { + when { + allOf { + environment name: 'MULTIARCH', value: 'true' + expression { params.PACKAGE_CHECK == 'false' } + } + environment name: 'EXIT_STATUS', value: '' + } + parallel { + stage('Build X86') { + steps { + echo "Running on node: ${NODE_NAME}" + sh "docker build \ + --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \ + --label \"org.opencontainers.image.authors=linuxserver.io\" \ + --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-fail2ban/packages\" \ + --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-fail2ban\" \ + --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-fail2ban\" \ + --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \ + --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \ + --label \"org.opencontainers.image.vendor=linuxserver.io\" \ + --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \ + --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \ + --label \"org.opencontainers.image.title=Fail2ban\" \ + --label \"org.opencontainers.image.description=[Fail2ban](http://www.fail2ban.org/) is a daemon to ban hosts that cause multiple authentication errors. \" \ + --no-cache --pull -t ${IMAGE}:amd64-${META_TAG} \ + --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ." + } + } + stage('Build ARMHF') { + agent { + label 'ARMHF' + } + steps { + echo "Running on node: ${NODE_NAME}" + echo 'Logging into Github' + sh '''#! /bin/bash + echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin + ''' + sh "docker build \ + --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \ + --label \"org.opencontainers.image.authors=linuxserver.io\" \ + --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-fail2ban/packages\" \ + --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-fail2ban\" \ + --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-fail2ban\" \ + --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \ + --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \ + --label \"org.opencontainers.image.vendor=linuxserver.io\" \ + --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \ + --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \ + --label \"org.opencontainers.image.title=Fail2ban\" \ + --label \"org.opencontainers.image.description=[Fail2ban](http://www.fail2ban.org/) is a daemon to ban hosts that cause multiple authentication errors. \" \ + --no-cache --pull -f Dockerfile.armhf -t ${IMAGE}:arm32v7-${META_TAG} \ + --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ." + sh "docker tag ${IMAGE}:arm32v7-${META_TAG} ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}" + retry(5) { + sh "docker push ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}" + } + sh '''docker rmi \ + ${IMAGE}:arm32v7-${META_TAG} \ + ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} || :''' + } + } + stage('Build ARM64') { + agent { + label 'ARM64' + } + steps { + echo "Running on node: ${NODE_NAME}" + echo 'Logging into Github' + sh '''#! /bin/bash + echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin + ''' + sh "docker build \ + --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \ + --label \"org.opencontainers.image.authors=linuxserver.io\" \ + --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-fail2ban/packages\" \ + --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-fail2ban\" \ + --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-fail2ban\" \ + --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \ + --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \ + --label \"org.opencontainers.image.vendor=linuxserver.io\" \ + --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \ + --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \ + --label \"org.opencontainers.image.title=Fail2ban\" \ + --label \"org.opencontainers.image.description=[Fail2ban](http://www.fail2ban.org/) is a daemon to ban hosts that cause multiple authentication errors. \" \ + --no-cache --pull -f Dockerfile.aarch64 -t ${IMAGE}:arm64v8-${META_TAG} \ + --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ." + sh "docker tag ${IMAGE}:arm64v8-${META_TAG} ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}" + retry(5) { + sh "docker push ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}" + } + sh '''docker rmi \ + ${IMAGE}:arm64v8-${META_TAG} \ + ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} || :''' + } + } + } + } + // Take the image we just built and dump package versions for comparison + stage('Update-packages') { + when { + branch "master" + environment name: 'CHANGE_ID', value: '' + environment name: 'EXIT_STATUS', value: '' + } + steps { + sh '''#! /bin/bash + set -e + TEMPDIR=$(mktemp -d) + if [ "${MULTIARCH}" == "true" ] && [ "${PACKAGE_CHECK}" == "false" ]; then + LOCAL_CONTAINER=${IMAGE}:amd64-${META_TAG} + else + LOCAL_CONTAINER=${IMAGE}:${META_TAG} + fi + if [ "${DIST_IMAGE}" == "alpine" ]; then + docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\ + apk info -v > /tmp/package_versions.txt && \ + sort -o /tmp/package_versions.txt /tmp/package_versions.txt && \ + chmod 777 /tmp/package_versions.txt' + elif [ "${DIST_IMAGE}" == "ubuntu" ]; then + docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\ + apt list -qq --installed | sed "s#/.*now ##g" | cut -d" " -f1 > /tmp/package_versions.txt && \ + sort -o /tmp/package_versions.txt /tmp/package_versions.txt && \ + chmod 777 /tmp/package_versions.txt' + elif [ "${DIST_IMAGE}" == "fedora" ]; then + docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\ + rpm -qa > /tmp/package_versions.txt && \ + sort -o /tmp/package_versions.txt /tmp/package_versions.txt && \ + chmod 777 /tmp/package_versions.txt' + elif [ "${DIST_IMAGE}" == "arch" ]; then + docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\ + pacman -Q > /tmp/package_versions.txt && \ + chmod 777 /tmp/package_versions.txt' + fi + NEW_PACKAGE_TAG=$(md5sum ${TEMPDIR}/package_versions.txt | cut -c1-8 ) + echo "Package tag sha from current packages in buit container is ${NEW_PACKAGE_TAG} comparing to old ${PACKAGE_TAG} from github" + if [ "${NEW_PACKAGE_TAG}" != "${PACKAGE_TAG}" ]; then + git clone https://github.com/${LS_USER}/${LS_REPO}.git ${TEMPDIR}/${LS_REPO} + git --git-dir ${TEMPDIR}/${LS_REPO}/.git checkout -f master + cp ${TEMPDIR}/package_versions.txt ${TEMPDIR}/${LS_REPO}/ + cd ${TEMPDIR}/${LS_REPO}/ + wait + git add package_versions.txt + git commit -m 'Bot Updating Package Versions' + git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all + echo "true" > /tmp/packages-${COMMIT_SHA}-${BUILD_NUMBER} + echo "Package tag updated, stopping build process" + else + echo "false" > /tmp/packages-${COMMIT_SHA}-${BUILD_NUMBER} + echo "Package tag is same as previous continue with build process" + fi + rm -Rf ${TEMPDIR}''' + script{ + env.PACKAGE_UPDATED = sh( + script: '''cat /tmp/packages-${COMMIT_SHA}-${BUILD_NUMBER}''', + returnStdout: true).trim() + } + } + } + // Exit the build if the package file was just updated + stage('PACKAGE-exit') { + when { + branch "master" + environment name: 'CHANGE_ID', value: '' + environment name: 'PACKAGE_UPDATED', value: 'true' + environment name: 'EXIT_STATUS', value: '' + } + steps { + sh '''#! /bin/bash + echo "Packages were updated. Cleaning up the image and exiting." + if [ "${MULTIARCH}" == "true" ] && [ "${PACKAGE_CHECK}" == "false" ]; then + docker rmi ${IMAGE}:amd64-${META_TAG} + else + docker rmi ${IMAGE}:${META_TAG} + fi''' + script{ + env.EXIT_STATUS = 'ABORTED' + } + } + } + // Exit the build if this is just a package check and there are no changes to push + stage('PACKAGECHECK-exit') { + when { + branch "master" + environment name: 'CHANGE_ID', value: '' + environment name: 'PACKAGE_UPDATED', value: 'false' + environment name: 'EXIT_STATUS', value: '' + expression { + params.PACKAGE_CHECK == 'true' + } + } + steps { + sh '''#! /bin/bash + echo "There are no package updates. Cleaning up the image and exiting." + if [ "${MULTIARCH}" == "true" ] && [ "${PACKAGE_CHECK}" == "false" ]; then + docker rmi ${IMAGE}:amd64-${META_TAG} + else + docker rmi ${IMAGE}:${META_TAG} + fi''' + script{ + env.EXIT_STATUS = 'ABORTED' + } + } + } + /* ####### + Testing + ####### */ + // Run Container tests + stage('Test') { + when { + environment name: 'CI', value: 'true' + environment name: 'EXIT_STATUS', value: '' + } + steps { + withCredentials([ + string(credentialsId: 'ci-tests-s3-key-id', variable: 'S3_KEY'), + string(credentialsId: 'ci-tests-s3-secret-access-key ', variable: 'S3_SECRET') + ]) { + script{ + env.CI_URL = 'https://ci-tests.linuxserver.io/' + env.IMAGE + '/' + env.META_TAG + '/index.html' + } + sh '''#! /bin/bash + set -e + docker pull ghcr.io/linuxserver/ci:latest + if [ "${MULTIARCH}" == "true" ]; then + docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} + docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} + docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm32v7-${META_TAG} + docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm64v8-${META_TAG} + fi + docker run --rm \ + --shm-size=1gb \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -e IMAGE=\"${IMAGE}\" \ + -e DELAY_START=\"${CI_DELAY}\" \ + -e TAGS=\"${CI_TAGS}\" \ + -e META_TAG=\"${META_TAG}\" \ + -e PORT=\"${CI_PORT}\" \ + -e SSL=\"${CI_SSL}\" \ + -e BASE=\"${DIST_IMAGE}\" \ + -e SECRET_KEY=\"${S3_SECRET}\" \ + -e ACCESS_KEY=\"${S3_KEY}\" \ + -e DOCKER_ENV=\"${CI_DOCKERENV}\" \ + -e WEB_SCREENSHOT=\"${CI_WEB}\" \ + -e WEB_AUTH=\"${CI_AUTH}\" \ + -e WEB_PATH=\"${CI_WEBPATH}\" \ + -e DO_REGION="ams3" \ + -e DO_BUCKET="lsio-ci" \ + -t ghcr.io/linuxserver/ci:latest \ + python /ci/ci.py''' + } + } + } + /* ################## + Release Logic + ################## */ + // If this is an amd64 only image only push a single image + stage('Docker-Push-Single') { + when { + environment name: 'MULTIARCH', value: 'false' + environment name: 'EXIT_STATUS', value: '' + } + steps { + withCredentials([ + [ + $class: 'UsernamePasswordMultiBinding', + credentialsId: '3f9ba4d5-100d-45b0-a3c4-633fd6061207', + usernameVariable: 'DOCKERUSER', + passwordVariable: 'DOCKERPASS' + ], + [ + $class: 'UsernamePasswordMultiBinding', + credentialsId: 'Quay.io-Robot', + usernameVariable: 'QUAYUSER', + passwordVariable: 'QUAYPASS' + ] + ]) { + retry(5) { + sh '''#! /bin/bash + set -e + echo $DOCKERPASS | docker login -u $DOCKERUSER --password-stdin + echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin + echo $GITLAB_TOKEN | docker login registry.gitlab.com -u LinuxServer.io --password-stdin + echo $QUAYPASS | docker login quay.io -u $QUAYUSER --password-stdin + for PUSHIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${QUAYIMAGE}" "${IMAGE}"; do + docker tag ${IMAGE}:${META_TAG} ${PUSHIMAGE}:${META_TAG} + docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:latest + docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${EXT_RELEASE_TAG} + if [ -n "${SEMVER}" ]; then + docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${SEMVER} + fi + docker push ${PUSHIMAGE}:latest + docker push ${PUSHIMAGE}:${META_TAG} + docker push ${PUSHIMAGE}:${EXT_RELEASE_TAG} + if [ -n "${SEMVER}" ]; then + docker push ${PUSHIMAGE}:${SEMVER} + fi + done + ''' + } + sh '''#! /bin/bash + for DELETEIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${QUAYIMAGE}" "${IMAGE}"; do + docker rmi \ + ${DELETEIMAGE}:${META_TAG} \ + ${DELETEIMAGE}:${EXT_RELEASE_TAG} \ + ${DELETEIMAGE}:latest || : + if [ -n "${SEMVER}" ]; then + docker rmi ${DELETEIMAGE}:${SEMVER} || : + fi + done + ''' + } + } + } + // If this is a multi arch release push all images and define the manifest + stage('Docker-Push-Multi') { + when { + environment name: 'MULTIARCH', value: 'true' + environment name: 'EXIT_STATUS', value: '' + } + steps { + withCredentials([ + [ + $class: 'UsernamePasswordMultiBinding', + credentialsId: '3f9ba4d5-100d-45b0-a3c4-633fd6061207', + usernameVariable: 'DOCKERUSER', + passwordVariable: 'DOCKERPASS' + ], + [ + $class: 'UsernamePasswordMultiBinding', + credentialsId: 'Quay.io-Robot', + usernameVariable: 'QUAYUSER', + passwordVariable: 'QUAYPASS' + ] + ]) { + retry(5) { + sh '''#! /bin/bash + set -e + echo $DOCKERPASS | docker login -u $DOCKERUSER --password-stdin + echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin + echo $GITLAB_TOKEN | docker login registry.gitlab.com -u LinuxServer.io --password-stdin + echo $QUAYPASS | docker login quay.io -u $QUAYUSER --password-stdin + if [ "${CI}" == "false" ]; then + docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} + docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} + docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm32v7-${META_TAG} + docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm64v8-${META_TAG} + fi + for MANIFESTIMAGE in "${IMAGE}" "${GITLABIMAGE}" "${GITHUBIMAGE}" "${QUAYIMAGE}"; do + docker tag ${IMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${META_TAG} + docker tag ${IMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${META_TAG} + docker tag ${IMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG} + docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-latest + docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-latest + docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-latest + docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} + docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} + docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} + if [ -n "${SEMVER}" ]; then + docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${SEMVER} + docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${SEMVER} + docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${SEMVER} + fi + docker push ${MANIFESTIMAGE}:amd64-${META_TAG} + docker push ${MANIFESTIMAGE}:arm32v7-${META_TAG} + docker push ${MANIFESTIMAGE}:arm64v8-${META_TAG} + docker push ${MANIFESTIMAGE}:amd64-latest + docker push ${MANIFESTIMAGE}:arm32v7-latest + docker push ${MANIFESTIMAGE}:arm64v8-latest + docker push ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} + docker push ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} + docker push ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} + if [ -n "${SEMVER}" ]; then + docker push ${MANIFESTIMAGE}:amd64-${SEMVER} + docker push ${MANIFESTIMAGE}:arm32v7-${SEMVER} + docker push ${MANIFESTIMAGE}:arm64v8-${SEMVER} + fi + docker manifest push --purge ${MANIFESTIMAGE}:latest || : + docker manifest create ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:amd64-latest ${MANIFESTIMAGE}:arm32v7-latest ${MANIFESTIMAGE}:arm64v8-latest + docker manifest annotate ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:arm32v7-latest --os linux --arch arm + docker manifest annotate ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:arm64v8-latest --os linux --arch arm64 --variant v8 + docker manifest push --purge ${MANIFESTIMAGE}:${META_TAG} || : + docker manifest create ${MANIFESTIMAGE}:${META_TAG} ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG} + docker manifest annotate ${MANIFESTIMAGE}:${META_TAG} ${MANIFESTIMAGE}:arm32v7-${META_TAG} --os linux --arch arm + docker manifest annotate ${MANIFESTIMAGE}:${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG} --os linux --arch arm64 --variant v8 + docker manifest push --purge ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} || : + docker manifest create ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} + docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} --os linux --arch arm + docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} --os linux --arch arm64 --variant v8 + if [ -n "${SEMVER}" ]; then + docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} || : + docker manifest create ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:amd64-${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER} + docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} --os linux --arch arm + docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER} --os linux --arch arm64 --variant v8 + fi + docker manifest push --purge ${MANIFESTIMAGE}:latest + docker manifest push --purge ${MANIFESTIMAGE}:${META_TAG} + docker manifest push --purge ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} + if [ -n "${SEMVER}" ]; then + docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} + fi + done + ''' + } + sh '''#! /bin/bash + for DELETEIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${QUAYIMAGE}" "${IMAGE}"; do + docker rmi \ + ${DELETEIMAGE}:amd64-${META_TAG} \ + ${DELETEIMAGE}:amd64-latest \ + ${DELETEIMAGE}:amd64-${EXT_RELEASE_TAG} \ + ${DELETEIMAGE}:arm32v7-${META_TAG} \ + ${DELETEIMAGE}:arm32v7-latest \ + ${DELETEIMAGE}:arm32v7-${EXT_RELEASE_TAG} \ + ${DELETEIMAGE}:arm64v8-${META_TAG} \ + ${DELETEIMAGE}:arm64v8-latest \ + ${DELETEIMAGE}:arm64v8-${EXT_RELEASE_TAG} || : + if [ -n "${SEMVER}" ]; then + docker rmi \ + ${DELETEIMAGE}:amd64-${SEMVER} \ + ${DELETEIMAGE}:arm32v7-${SEMVER} \ + ${DELETEIMAGE}:arm64v8-${SEMVER} || : + fi + done + docker rmi \ + ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} \ + ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} || : + ''' + } + } + } + // If this is a public release tag it in the LS Github + stage('Github-Tag-Push-Release') { + when { + branch "master" + expression { + env.LS_RELEASE != env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + } + environment name: 'CHANGE_ID', value: '' + environment name: 'EXIT_STATUS', value: '' + } + steps { + echo "Pushing New tag for current commit ${META_TAG}" + sh '''curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/git/tags \ + -d '{"tag":"'${META_TAG}'",\ + "object": "'${COMMIT_SHA}'",\ + "message": "Tagging Release '${EXT_RELEASE_CLEAN}'-ls'${LS_TAG_NUMBER}' to master",\ + "type": "commit",\ + "tagger": {"name": "LinuxServer Jenkins","email": "jenkins@linuxserver.io","date": "'${GITHUB_DATE}'"}}' ''' + echo "Pushing New release for Tag" + sh '''#! /bin/bash + echo "Updating external repo packages to ${EXT_RELEASE_CLEAN}" > releasebody.json + echo '{"tag_name":"'${META_TAG}'",\ + "target_commitish": "master",\ + "name": "'${META_TAG}'",\ + "body": "**LinuxServer Changes:**\\n\\n'${LS_RELEASE_NOTES}'\\n\\n**Repo Changes:**\\n\\n' > start + printf '","draft": false,"prerelease": false}' >> releasebody.json + paste -d'\\0' start releasebody.json > releasebody.json.done + curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/releases -d @releasebody.json.done''' + } + } + // Use helper container to sync the current README on master to the dockerhub endpoint + stage('Sync-README') { + when { + environment name: 'CHANGE_ID', value: '' + environment name: 'EXIT_STATUS', value: '' + } + steps { + withCredentials([ + [ + $class: 'UsernamePasswordMultiBinding', + credentialsId: '3f9ba4d5-100d-45b0-a3c4-633fd6061207', + usernameVariable: 'DOCKERUSER', + passwordVariable: 'DOCKERPASS' + ] + ]) { + sh '''#! /bin/bash + set -e + TEMPDIR=$(mktemp -d) + docker pull ghcr.io/linuxserver/jenkins-builder:latest + docker run --rm -e CONTAINER_NAME=${CONTAINER_NAME} -e GITHUB_BRANCH="${BRANCH_NAME}" -v ${TEMPDIR}:/ansible/jenkins ghcr.io/linuxserver/jenkins-builder:latest + docker pull ghcr.io/linuxserver/readme-sync + docker run --rm=true \ + -e DOCKERHUB_USERNAME=$DOCKERUSER \ + -e DOCKERHUB_PASSWORD=$DOCKERPASS \ + -e GIT_REPOSITORY=${LS_USER}/${LS_REPO} \ + -e DOCKER_REPOSITORY=${IMAGE} \ + -e GIT_BRANCH=master \ + -v ${TEMPDIR}/docker-${CONTAINER_NAME}:/mnt \ + ghcr.io/linuxserver/readme-sync bash -c 'node sync' + rm -Rf ${TEMPDIR} ''' + } + } + } + // If this is a Pull request send the CI link as a comment on it + stage('Pull Request Comment') { + when { + not {environment name: 'CHANGE_ID', value: ''} + environment name: 'CI', value: 'true' + environment name: 'EXIT_STATUS', value: '' + } + steps { + sh '''curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/issues/${PULL_REQUEST}/comments \ + -d '{"body": "I am a bot, here are the test results for this PR: \\n'${CI_URL}' \\n'${SHELLCHECK_URL}'"}' ''' + } + } + } + /* ###################### + Send status to Discord + ###################### */ + post { + always { + script{ + if (env.EXIT_STATUS == "ABORTED"){ + sh 'echo "build aborted"' + } + else if (currentBuild.currentResult == "SUCCESS"){ + sh ''' curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://wiki.jenkins-ci.org/download/attachments/2916393/headshot.png","embeds": [{"color": 1681177,\ + "description": "**Build:** '${BUILD_NUMBER}'\\n**CI Results:** '${CI_URL}'\\n**ShellCheck Results:** '${SHELLCHECK_URL}'\\n**Status:** Success\\n**Job:** '${RUN_DISPLAY_URL}'\\n**Change:** '${CODE_URL}'\\n**External Release:**: '${RELEASE_LINK}'\\n**DockerHub:** '${DOCKERHUB_LINK}'\\n"}],\ + "username": "Jenkins"}' ${BUILDS_DISCORD} ''' + } + else { + sh ''' curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://wiki.jenkins-ci.org/download/attachments/2916393/headshot.png","embeds": [{"color": 16711680,\ + "description": "**Build:** '${BUILD_NUMBER}'\\n**CI Results:** '${CI_URL}'\\n**ShellCheck Results:** '${SHELLCHECK_URL}'\\n**Status:** failure\\n**Job:** '${RUN_DISPLAY_URL}'\\n**Change:** '${CODE_URL}'\\n**External Release:**: '${RELEASE_LINK}'\\n**DockerHub:** '${DOCKERHUB_LINK}'\\n"}],\ + "username": "Jenkins"}' ${BUILDS_DISCORD} ''' + } + } + } + cleanup { + cleanWs() + } + } +} diff --git a/README.md b/README.md index ca4eddb..c09d340 100644 --- a/README.md +++ b/README.md @@ -1 +1,283 @@ -docker-fail2ban + + + +[![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)](https://linuxserver.io) + +[![Blog](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=Blog)](https://blog.linuxserver.io "all the things you can do with our containers including How-To guides, opinions and much more!") +[![Discord](https://img.shields.io/discord/354974912613449730.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=Discord&logo=discord)](https://discord.gg/YWrKVTn "realtime support / chat with the community and the team.") +[![Discourse](https://img.shields.io/discourse/https/discourse.linuxserver.io/topics.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=discourse)](https://discourse.linuxserver.io "post on our community forum.") +[![Fleet](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=Fleet)](https://fleet.linuxserver.io "an online web interface which displays all of our maintained images.") +[![GitHub](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=GitHub&logo=github)](https://github.com/linuxserver "view the source for all of our repositories.") +[![Open Collective](https://img.shields.io/opencollective/all/linuxserver.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=Supporters&logo=open%20collective)](https://opencollective.com/linuxserver "please consider helping us by either donating or contributing to our budget") + +The [LinuxServer.io](https://linuxserver.io) team brings you another container release featuring: + +* regular and timely application updates +* easy user mappings (PGID, PUID) +* custom base image with s6 overlay +* weekly base OS updates with common layers across the entire LinuxServer.io ecosystem to minimise space usage, down time and bandwidth +* regular security updates + +Find us at: + +* [Blog](https://blog.linuxserver.io) - all the things you can do with our containers including How-To guides, opinions and much more! +* [Discord](https://discord.gg/YWrKVTn) - realtime support / chat with the community and the team. +* [Discourse](https://discourse.linuxserver.io) - post on our community forum. +* [Fleet](https://fleet.linuxserver.io) - an online web interface which displays all of our maintained images. +* [GitHub](https://github.com/linuxserver) - view the source for all of our repositories. +* [Open Collective](https://opencollective.com/linuxserver) - please consider helping us by either donating or contributing to our budget + +# [linuxserver/fail2ban](https://github.com/linuxserver/docker-fail2ban) + +[![Scarf.io pulls](https://scarf.sh/installs-badge/linuxserver-ci/linuxserver%2Ffail2ban?color=94398d&label-color=555555&logo-color=ffffff&style=for-the-badge&package-type=docker)](https://scarf.sh/gateway/linuxserver-ci/docker/linuxserver%2Ffail2ban) +[![GitHub Stars](https://img.shields.io/github/stars/linuxserver/docker-fail2ban.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/linuxserver/docker-fail2ban) +[![GitHub Release](https://img.shields.io/github/release/linuxserver/docker-fail2ban.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/linuxserver/docker-fail2ban/releases) +[![GitHub Package Repository](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=GitHub%20Package&logo=github)](https://github.com/linuxserver/docker-fail2ban/packages) +[![GitLab Container Registry](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=GitLab%20Registry&logo=gitlab)](https://gitlab.com/linuxserver.io/docker-fail2ban/container_registry) +[![Quay.io](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=Quay.io)](https://quay.io/repository/linuxserver.io/fail2ban) +[![Docker Pulls](https://img.shields.io/docker/pulls/linuxserver/fail2ban.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=pulls&logo=docker)](https://hub.docker.com/r/linuxserver/fail2ban) +[![Docker Stars](https://img.shields.io/docker/stars/linuxserver/fail2ban.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=stars&logo=docker)](https://hub.docker.com/r/linuxserver/fail2ban) +[![Jenkins Build](https://img.shields.io/jenkins/build?labelColor=555555&logoColor=ffffff&style=for-the-badge&jobUrl=https%3A%2F%2Fci.linuxserver.io%2Fjob%2FDocker-Pipeline-Builders%2Fjob%2Fdocker-fail2ban%2Fjob%2Fmaster%2F&logo=jenkins)](https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-fail2ban/job/master/) +[![LSIO CI](https://img.shields.io/badge/dynamic/yaml?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=CI&query=CI&url=https%3A%2F%2Fci-tests.linuxserver.io%2Flinuxserver%2Ffail2ban%2Flatest%2Fci-status.yml)](https://ci-tests.linuxserver.io/linuxserver/fail2ban/latest/index.html) + +[Fail2ban](http://www.fail2ban.org/) is a daemon to ban hosts that cause multiple authentication errors. + +[![fail2ban](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/fail2ban.png)](http://www.fail2ban.org/) + +## Supported Architectures + +We utilise the docker manifest for multi-platform awareness. More information is available from docker [here](https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-2.md#manifest-list) and our announcement [here](https://blog.linuxserver.io/2019/02/21/the-lsio-pipeline-project/). + +Simply pulling `lscr.io/linuxserver/fail2ban:latest` should retrieve the correct image for your arch, but you can also pull specific arch images via tags. + +The architectures supported by this image are: + +| Architecture | Available | Tag | +| :----: | :----: | ---- | +| x86-64 | ✅ | amd64-\ | +| arm64 | ✅ | arm64v8-\ | +| armhf| ✅ | arm32v7-\ | + +## Application Setup + +App Setup Info + +## Usage + +Here are some example snippets to help you get started creating a container. + +### docker-compose (recommended, [click here for more info](https://docs.linuxserver.io/general/docker-compose)) + +```yaml +--- +version: "2.1" +services: + fail2ban: + image: lscr.io/linuxserver/fail2ban:latest + container_name: fail2ban + environment: + - PUID=1000 + - PGID=1000 + - TZ=America/New_York + volumes: + - /path/to/appdata/config:/config + - /var/log:/var/log:ro + - /path/to/airsonic/airsonic.log:/remotelogs/airsonic/airsonic.log:ro #optional + - /path/to/apache2/log:/remotelogs/apache2:ro #optional + - /path/to/audit/audit.log:/remotelogs/audit/audit.log:ro #optional + - /path/to/authelia/authelia.log:/remotelogs/authelia/authelia.log:ro #optional + - /path/to/emby/embyserver.txt:/remotelogs/emby/embyserver.txt:ro #optional + - /path/to/exim/mainlog:/remotelogs/exim/mainlog:ro #optional + - /path/to/filebrowser/filebrowser.log:/remotelogs/filebrowser/filebrowser.log:ro #optional + - /path/to/gitea/gitea.log:/remotelogs/gitea/gitea.log:ro #optional + - /path/to/homeassistant/home-assistant.log:/remotelogs/homeassistant/home-assistant.log:ro #optional + - /path/to/lighttpd/error.log:/remotelogs/lighttpd/error.log:ro #optional + - /path/to/nginx/log:/remotelogs/nginx:ro #optional + - /path/to/nzbget.log:/remotelogs/nzbget:ro #optional + - /path/to/overseerr/overseerr.log:/remotelogs/overseerr/overseerr.log:ro #optional + - /path/to/prowlarr/prowlarr.txt:/remotelogs/prowlarr/prowlarr.txt:ro #optional + - /path/to/radarr/radarr.txt:/remotelogs/radarr/radarr.txt:ro #optional + - /path/to/roundcube/errors:/remotelogs/roundcube/errors:ro #optional + - /path/to/sonarr/sonarr.txt:/remotelogs/sonarr/sonarr.txt:ro #optional + - /path/to/unificontroller/server.log:/remotelogs/unificontroller/server.log:ro #optional + - /path/to/vaultwarden/vaultwarden.log:/remotelogs/vaultwarden/vaultwarden.log:ro #optional + - /path/to/vsftpd.log:/remotelogs/vsftpd.log:ro #optional + restart: unless-stopped +``` + +### docker cli ([click here for more info](https://docs.docker.com/engine/reference/commandline/cli/)) + +```bash +docker run -d \ + --name=fail2ban \ + -e PUID=1000 \ + -e PGID=1000 \ + -e TZ=America/New_York \ + -v /path/to/appdata/config:/config \ + -v /var/log:/var/log:ro \ + -v /path/to/airsonic/airsonic.log:/remotelogs/airsonic/airsonic.log:ro `#optional` \ + -v /path/to/apache2/log:/remotelogs/apache2:ro `#optional` \ + -v /path/to/audit/audit.log:/remotelogs/audit/audit.log:ro `#optional` \ + -v /path/to/authelia/authelia.log:/remotelogs/authelia/authelia.log:ro `#optional` \ + -v /path/to/emby/embyserver.txt:/remotelogs/emby/embyserver.txt:ro `#optional` \ + -v /path/to/exim/mainlog:/remotelogs/exim/mainlog:ro `#optional` \ + -v /path/to/filebrowser/filebrowser.log:/remotelogs/filebrowser/filebrowser.log:ro `#optional` \ + -v /path/to/gitea/gitea.log:/remotelogs/gitea/gitea.log:ro `#optional` \ + -v /path/to/homeassistant/home-assistant.log:/remotelogs/homeassistant/home-assistant.log:ro `#optional` \ + -v /path/to/lighttpd/error.log:/remotelogs/lighttpd/error.log:ro `#optional` \ + -v /path/to/nginx/log:/remotelogs/nginx:ro `#optional` \ + -v /path/to/nzbget.log:/remotelogs/nzbget:ro `#optional` \ + -v /path/to/overseerr/overseerr.log:/remotelogs/overseerr/overseerr.log:ro `#optional` \ + -v /path/to/prowlarr/prowlarr.txt:/remotelogs/prowlarr/prowlarr.txt:ro `#optional` \ + -v /path/to/radarr/radarr.txt:/remotelogs/radarr/radarr.txt:ro `#optional` \ + -v /path/to/roundcube/errors:/remotelogs/roundcube/errors:ro `#optional` \ + -v /path/to/sonarr/sonarr.txt:/remotelogs/sonarr/sonarr.txt:ro `#optional` \ + -v /path/to/unificontroller/server.log:/remotelogs/unificontroller/server.log:ro `#optional` \ + -v /path/to/vaultwarden/vaultwarden.log:/remotelogs/vaultwarden/vaultwarden.log:ro `#optional` \ + -v /path/to/vsftpd.log:/remotelogs/vsftpd.log:ro `#optional` \ + --restart unless-stopped \ + lscr.io/linuxserver/fail2ban:latest +``` + +## Parameters + +Container images are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate `:` respectively. For example, `-p 8080:80` would expose port `80` from inside the container to be accessible from the host's IP on port `8080` outside the container. + +| Parameter | Function | +| :----: | --- | +| `-e PUID=1000` | for UserID - see below for explanation | +| `-e PGID=1000` | for GroupID - see below for explanation | +| `-e TZ=America/New_York` | Specify a timezone to use EG America/New_York | +| `-v /config` | Contains all relevant configuration files. | +| `-v /var/log:ro` | Host logs. Mounted as Read Only. | +| `-v /remotelogs/airsonic/airsonic.log:ro` | Path to airsonic log file. Mounted as Read Only. | +| `-v /remotelogs/apache2:ro` | Path to apache2 log folder. Mounted as Read Only. | +| `-v /remotelogs/audit/audit.log:ro` | Path to auditd log file. Mounted as Read Only. | +| `-v /remotelogs/authelia/authelia.log:ro` | Path to authelia log file. Mounted as Read Only. | +| `-v /remotelogs/emby/embyserver.txt:ro` | Path to emby log file. Mounted as Read Only. | +| `-v /remotelogs/exim/mainlog:ro` | Path to exim log file. Mounted as Read Only. | +| `-v /remotelogs/filebrowser/filebrowser.log:ro` | Path to filebrowser log file. Mounted as Read Only. | +| `-v /remotelogs/gitea/gitea.log:ro` | Path to gitea log file. Mounted as Read Only. | +| `-v /remotelogs/homeassistant/home-assistant.log:ro` | Path to homeassistant log file. Mounted as Read Only. | +| `-v /remotelogs/lighttpd/error.log:ro` | Path to lighttpd error log file. Mounted as Read Only. | +| `-v /remotelogs/nginx:ro` | Path to nginx log folder. Mounted as Read Only. | +| `-v /remotelogs/nzbget:ro` | Path to nzbget log folder. Mounted as Read Only. | +| `-v /remotelogs/overseerr/overseerr.log:ro` | Path to overseerr log file. Mounted as Read Only. | +| `-v /remotelogs/prowlarr/prowlarr.txt:ro` | Path to prowlarr log file. Mounted as Read Only. | +| `-v /remotelogs/radarr/radarr.txt:ro` | Path to radarr log file. Mounted as Read Only. | +| `-v /remotelogs/roundcube/errors:ro` | Path to roundcube error log file. Mounted as Read Only. | +| `-v /remotelogs/sonarr/sonarr.txt:ro` | Path to sonarr log file. Mounted as Read Only. | +| `-v /remotelogs/unificontroller/server.log:ro` | Path to unificontroller server log file. Mounted as Read Only. | +| `-v /remotelogs/vaultwarden/vaultwarden.log:ro` | Path to vaultwarden log file. Mounted as Read Only. | +| `-v /remotelogs/vsftpd.log:ro` | Path to vsftpd log file. Mounted as Read Only. | + +## Environment variables from files (Docker secrets) + +You can set any environment variable from a file by using a special prepend `FILE__`. + +As an example: + +```bash +-e FILE__PASSWORD=/run/secrets/mysecretpassword +``` + +Will set the environment variable `PASSWORD` based on the contents of the `/run/secrets/mysecretpassword` file. + +## Umask for running applications + +For all of our images we provide the ability to override the default umask settings for services started within the containers using the optional `-e UMASK=022` setting. +Keep in mind umask is not chmod it subtracts from permissions based on it's value it does not add. Please read up [here](https://en.wikipedia.org/wiki/Umask) before asking for support. + +## User / Group Identifiers + +When using volumes (`-v` flags) permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user `PUID` and group `PGID`. + +Ensure any volume directories on the host are owned by the same user you specify and any permissions issues will vanish like magic. + +In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as below: + +```bash + $ id username + uid=1000(dockeruser) gid=1000(dockergroup) groups=1000(dockergroup) +``` + +## Docker Mods + +[![Docker Mods](https://img.shields.io/badge/dynamic/yaml?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=fail2ban&query=%24.mods%5B%27fail2ban%27%5D.mod_count&url=https%3A%2F%2Fraw.githubusercontent.com%2Flinuxserver%2Fdocker-mods%2Fmaster%2Fmod-list.yml)](https://mods.linuxserver.io/?mod=fail2ban "view available mods for this container.") [![Docker Universal Mods](https://img.shields.io/badge/dynamic/yaml?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=universal&query=%24.mods%5B%27universal%27%5D.mod_count&url=https%3A%2F%2Fraw.githubusercontent.com%2Flinuxserver%2Fdocker-mods%2Fmaster%2Fmod-list.yml)](https://mods.linuxserver.io/?mod=universal "view available universal mods.") + +We publish various [Docker Mods](https://github.com/linuxserver/docker-mods) to enable additional functionality within the containers. The list of Mods available for this image (if any) as well as universal mods that can be applied to any one of our images can be accessed via the dynamic badges above. + +## Support Info + +* Shell access whilst the container is running: `docker exec -it fail2ban /bin/bash` +* To monitor the logs of the container in realtime: `docker logs -f fail2ban` +* container version number + * `docker inspect -f '{{ index .Config.Labels "build_version" }}' fail2ban` +* image version number + * `docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/fail2ban:latest` + +## Updating Info + +Most of our images are static, versioned, and require an image update and container recreation to update the app inside. With some exceptions (ie. nextcloud, plex), we do not recommend or support updating apps inside the container. Please consult the [Application Setup](#application-setup) section above to see if it is recommended for the image. + +Below are the instructions for updating containers: + +### Via Docker Compose + +* Update all images: `docker-compose pull` + * or update a single image: `docker-compose pull fail2ban` +* Let compose update all containers as necessary: `docker-compose up -d` + * or update a single container: `docker-compose up -d fail2ban` +* You can also remove the old dangling images: `docker image prune` + +### Via Docker Run + +* Update the image: `docker pull lscr.io/linuxserver/fail2ban:latest` +* Stop the running container: `docker stop fail2ban` +* Delete the container: `docker rm fail2ban` +* Recreate a new container with the same docker run parameters as instructed above (if mapped correctly to a host folder, your `/config` folder and settings will be preserved) +* You can also remove the old dangling images: `docker image prune` + +### Via Watchtower auto-updater (only use if you don't remember the original parameters) + +* Pull the latest image at its tag and replace it with the same env variables in one run: + + ```bash + docker run --rm \ + -v /var/run/docker.sock:/var/run/docker.sock \ + containrrr/watchtower \ + --run-once fail2ban + ``` + +* You can also remove the old dangling images: `docker image prune` + +**Note:** We do not endorse the use of Watchtower as a solution to automated updates of existing Docker containers. In fact we generally discourage automated updates. However, this is a useful tool for one-time manual updates of containers where you have forgotten the original parameters. In the long term, we highly recommend using [Docker Compose](https://docs.linuxserver.io/general/docker-compose). + +### Image Update Notifications - Diun (Docker Image Update Notifier) + +* We recommend [Diun](https://crazymax.dev/diun/) for update notifications. Other tools that automatically update containers unattended are not recommended or supported. + +## Building locally + +If you want to make local modifications to these images for development purposes or just to customize the logic: + +```bash +git clone https://github.com/linuxserver/docker-fail2ban.git +cd docker-fail2ban +docker build \ + --no-cache \ + --pull \ + -t lscr.io/linuxserver/fail2ban:latest . +``` + +The ARM variants can be built on x86_64 hardware using `multiarch/qemu-user-static` + +```bash +docker run --rm --privileged multiarch/qemu-user-static:register --reset +``` + +Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64`. + +## Versions + +* **01.08.22:** - Initial Release. diff --git a/jenkins-vars.yml b/jenkins-vars.yml new file mode 100644 index 0000000..caa0196 --- /dev/null +++ b/jenkins-vars.yml @@ -0,0 +1,29 @@ +--- + +# jenkins variables +project_name: docker-fail2ban +external_type: alpine_repo +release_type: stable +release_tag: latest +ls_branch: master +repo_vars: + - BUILD_VERSION_ARG = 'FAIL2BAN_VERSION' + - LS_USER = 'linuxserver' + - LS_REPO = 'docker-fail2ban' + - CONTAINER_NAME = 'fail2ban' + - DOCKERHUB_IMAGE = 'linuxserver/fail2ban' + - DEV_DOCKERHUB_IMAGE = 'lsiodev/fail2ban' + - PR_DOCKERHUB_IMAGE = 'lspipepr/fail2ban' + - DIST_IMAGE = 'alpine' + - DIST_TAG = '3.16' + - DIST_REPO = 'http://nl.alpinelinux.org/alpine/v3.16/main/' + - DIST_REPO_PACKAGES = 'fail2ban' + - MULTIARCH='true' + - CI='true' + - CI_WEB='false' + - CI_PORT='' + - CI_SSL='false' + - CI_DELAY='120' + - CI_DOCKERENV='TZ=US/Pacific' + - CI_AUTH='user:password' + - CI_WEBPATH='' diff --git a/readme-vars.yml b/readme-vars.yml new file mode 100644 index 0000000..0f699f8 --- /dev/null +++ b/readme-vars.yml @@ -0,0 +1,66 @@ +--- + +# project information +project_name: fail2ban +project_url: "http://www.fail2ban.org/" +project_logo: "https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/fail2ban.png" +project_blurb: | + [{{ project_name|capitalize }}]({{ project_url }}) is a daemon to ban hosts that cause multiple authentication errors. + +project_lsio_github_repo_url: "https://github.com/linuxserver/docker-{{ project_name }}" + +# supported architectures +available_architectures: + - { arch: "{{ arch_x86_64 }}", tag: "amd64-latest"} + - { arch: "{{ arch_arm64 }}", tag: "arm64v8-latest"} + - { arch: "{{ arch_armhf }}", tag: "arm32v7-latest"} + +# container parameters +common_param_env_vars_enabled: true +param_container_name: "{{ project_name }}" +param_net: "host" +param_net_desc: "Shares host networking with container." +param_usage_include_env: true +param_env_vars: + - { env_var: "TZ", env_value: "America/New_York", desc: "Specify a timezone to use EG America/New_York"} +param_usage_include_vols: true +param_volumes: + - { vol_path: "/config", vol_host_path: "/path/to/appdata/config", desc: "Contains all relevant configuration files." } + - { vol_path: "/var/log:ro", vol_host_path: "/var/log", desc: "Host logs. Mounted as Read Only." } +cap_add_param: false +cap_add_param_vars: + - { cap_add_var: "NET_ADMIN" } + - { cap_add_var: "NET_RAW" } + +# optional parameters +opt_param_usage_include_vols: true +opt_param_volumes: + - { vol_path: "/remotelogs/airsonic/airsonic.log:ro", vol_host_path: "/path/to/airsonic/airsonic.log", desc: "Path to airsonic log file. Mounted as Read Only." } + - { vol_path: "/remotelogs/apache2:ro", vol_host_path: "/path/to/apache2/log", desc: "Path to apache2 log folder. Mounted as Read Only." } + - { vol_path: "/remotelogs/audit/audit.log:ro", vol_host_path: "/path/to/audit/audit.log", desc: "Path to auditd log file. Mounted as Read Only." } + - { vol_path: "/remotelogs/authelia/authelia.log:ro", vol_host_path: "/path/to/authelia/authelia.log", desc: "Path to authelia log file. Mounted as Read Only." } + - { vol_path: "/remotelogs/emby/embyserver.txt:ro", vol_host_path: "/path/to/emby/embyserver.txt", desc: "Path to emby log file. Mounted as Read Only." } + - { vol_path: "/remotelogs/exim/mainlog:ro", vol_host_path: "/path/to/exim/mainlog", desc: "Path to exim log file. Mounted as Read Only." } + - { vol_path: "/remotelogs/filebrowser/filebrowser.log:ro", vol_host_path: "/path/to/filebrowser/filebrowser.log", desc: "Path to filebrowser log file. Mounted as Read Only." } + - { vol_path: "/remotelogs/gitea/gitea.log:ro", vol_host_path: "/path/to/gitea/gitea.log", desc: "Path to gitea log file. Mounted as Read Only." } + - { vol_path: "/remotelogs/homeassistant/home-assistant.log:ro", vol_host_path: "/path/to/homeassistant/home-assistant.log", desc: "Path to homeassistant log file. Mounted as Read Only." } + - { vol_path: "/remotelogs/lighttpd/error.log:ro", vol_host_path: "/path/to/lighttpd/error.log", desc: "Path to lighttpd error log file. Mounted as Read Only." } + - { vol_path: "/remotelogs/nginx:ro", vol_host_path: "/path/to/nginx/log", desc: "Path to nginx log folder. Mounted as Read Only." } + - { vol_path: "/remotelogs/nzbget:ro", vol_host_path: "/path/to/nzbget.log", desc: "Path to nzbget log folder. Mounted as Read Only." } + - { vol_path: "/remotelogs/overseerr/overseerr.log:ro", vol_host_path: "/path/to/overseerr/overseerr.log", desc: "Path to overseerr log file. Mounted as Read Only." } + - { vol_path: "/remotelogs/prowlarr/prowlarr.txt:ro", vol_host_path: "/path/to/prowlarr/prowlarr.txt", desc: "Path to prowlarr log file. Mounted as Read Only." } + - { vol_path: "/remotelogs/radarr/radarr.txt:ro", vol_host_path: "/path/to/radarr/radarr.txt", desc: "Path to radarr log file. Mounted as Read Only." } + - { vol_path: "/remotelogs/roundcube/errors:ro", vol_host_path: "/path/to/roundcube/errors", desc: "Path to roundcube error log file. Mounted as Read Only." } + - { vol_path: "/remotelogs/sonarr/sonarr.txt:ro", vol_host_path: "/path/to/sonarr/sonarr.txt", desc: "Path to sonarr log file. Mounted as Read Only." } + - { vol_path: "/remotelogs/unificontroller/server.log:ro", vol_host_path: "/path/to/unificontroller/server.log", desc: "Path to unificontroller server log file. Mounted as Read Only." } + - { vol_path: "/remotelogs/vaultwarden/vaultwarden.log:ro", vol_host_path: "/path/to/vaultwarden/vaultwarden.log", desc: "Path to vaultwarden log file. Mounted as Read Only." } + - { vol_path: "/remotelogs/vsftpd.log:ro", vol_host_path: "/path/to/vsftpd.log", desc: "Path to vsftpd log file. Mounted as Read Only." } + +# application setup block +app_setup_block_enabled: true +app_setup_block: | + App Setup Info + +# changelog +changelogs: + - { date: "01.08.22:", desc: "Initial Release." } diff --git a/root/defaults/crontabs/abc b/root/defaults/crontabs/abc new file mode 100644 index 0000000..b5e283c --- /dev/null +++ b/root/defaults/crontabs/abc @@ -0,0 +1 @@ +# min hour day month weekday command diff --git a/root/defaults/crontabs/root b/root/defaults/crontabs/root new file mode 100644 index 0000000..b5e283c --- /dev/null +++ b/root/defaults/crontabs/root @@ -0,0 +1 @@ +# min hour day month weekday command diff --git a/root/defaults/fail2ban/README.md b/root/defaults/fail2ban/README.md new file mode 100644 index 0000000..fa70b2f --- /dev/null +++ b/root/defaults/fail2ban/README.md @@ -0,0 +1,51 @@ +# Configuration README + +!! NOTICE !! + +The `*.conf` files in this directory and its subdirectories will be replaced every time the container restarts. The files are meant to be easily viewed so that you can reference them. + +If you would like to customize anything, create a `*.local` file with the same name as the `*.conf` file and apply your customizations. You do not need to copy the entire `*.conf` file to `*.local`, you only need to include things you want to change. + +For example, to adjust `jail.conf`, create `jail.local` and apply your customizations there. + +## Example jail.local + +This example uses `apprise-api` for notifications, `cloudflare` for additional web proxy banning, and `abuseipdb` to report bad actors. You can remove any of these, or add more as you see fit. + +```ini +[DEFAULT] +# Prevents banning LAN subnets +ignoreip = 127.0.0.1/8 ::1 + 10.0.0.0/8 + 172.16.0.0/12 + 192.168.0.0/16 + +# Change the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports". +#banaction = %(banaction_allports)s + +# Add additional actions +action = %(action_)s + apprise-api[host="127.0.0.1", tag="fail2ban"] + cloudflare[cfuser="YOUR-EMAIL", cftoken="YOUR-TOKEN"] + +abuseipdb_apikey = YOUR-API-KEY + +[unraid-sshd] +# configuration inherits from jail.d/unraid-sshd.conf +enabled = true +action = %(known/action)s + abuseipdb[abuseipdb_apikey="%(known/abuseipdb_apikey)s", abuseipdb_category="18,22"] + +[unraid-webgui] +# configuration inherits from jail.d/unraid-webgui.conf +enabled = true +port = http,https,YOUR-UNRAID-MY-SERVERS-WAN-PORT +action = %(known/action)s + abuseipdb[abuseipdb_apikey="%(known/abuseipdb_apikey)s", abuseipdb_category="18,21"] + +[unifi-controller-auth] +# configuration inherits from jail.d/unifi-controller-auth.conf +enabled = true +action = %(known/action)s + abuseipdb[abuseipdb_apikey="%(known/abuseipdb_apikey)s", abuseipdb_category="18,21"] +``` diff --git a/root/defaults/fail2ban/action.d/apprise-api.conf b/root/defaults/fail2ban/action.d/apprise-api.conf new file mode 100644 index 0000000..da01325 --- /dev/null +++ b/root/defaults/fail2ban/action.d/apprise-api.conf @@ -0,0 +1,59 @@ +# Fail2Ban action configuration for apprise-api +# Author: Roxedus https://github.com/Roxedus +# Modified by: nemchik https://github.com/nemchik + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = curl -X POST -d '{"tag": "", "type": "info", "body": "The jail as been started successfully."}' \ + -H "Content-Type: application/json" \ + + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = curl -X POST -d '{"tag": "", "type": "info", "body": "The jail has been stopped."}' \ + -H "Content-Type: application/json" \ + + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# + +actionban = curl -X POST -d '{"tag": "", "type": "warning", "body": "The IP has just been banned from after attempts."}' \ + -H "Content-Type: application/json" \ + + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# + +actionunban = curl -X POST -d '{"tag": "", "type": "success", "body": "The IP has just been unbanned from ."}' \ + -H "Content-Type: application/json" \ + + +[Init] + +proto = http +host = apprise +port = 8000 +key = apprise +url = ://:/notify/ +#tag = fail2ban +tag = all diff --git a/root/defaults/fail2ban/action.d/apprise.conf b/root/defaults/fail2ban/action.d/apprise.conf deleted file mode 100644 index c4c6c1c..0000000 --- a/root/defaults/fail2ban/action.d/apprise.conf +++ /dev/null @@ -1,51 +0,0 @@ -[Definition] - -# Option: actionstart -# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). -# Values: CMD -# -actionstart = curl -X POST -d '{"tag": "f2b", "type": "info", "body": "The guard in is waking up."}' \ - -H "Content-Type: application/json" \ - - -# Option: actionstop -# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) -# Values: CMD -# -actionstop = - -# Option: actioncheck -# Notes.: command executed once before each actionban command -# Values: CMD -# -actioncheck = - -# Option: actionban -# Notes.: command executed when banning an IP. Take care that the -# command is executed with Fail2Ban user rights. -# Tags: IP address -# number of failures -#