Merge pull request #1 from szaimen/enh/noid/initial-commit

szaimen · Sep 27, 2023 · e86634e · e86634e
2 parents d50d782 + f354c3f
commit e86634e
Show file tree

Hide file tree

Showing 8 changed files with 240 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: "daily"
+    time: "12:00"
+  open-pull-requests-limit: 10
+- package-ecosystem: "docker"
+  directory: "/"
+  schedule:
+    interval: "daily"
+    time: "12:00"
+  open-pull-requests-limit: 10
+  labels:
+  - 3. to review
+  - dependencies
diff --git a/.github/workflows/build_image.yml b/.github/workflows/build_image.yml
@@ -0,0 +1,54 @@
+name: Build docker image
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        platform: [
+          {arch: 'linux/amd64', tag: 'develop'},
+          {arch: 'linux/arm64', tag: 'develop-arm64'}]
+        container: [
+          {name: 'aio-fail2ban', context: './'}]
+
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v2 
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Docker metadata
+        id: metadata
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            szaimen/${{ matrix.container.name }}
+          tags: |
+            ${{ matrix.platform.tag }}
+
+      - name: Build docker image and push to dockerhub
+        uses: docker/build-push-action@v4
+        with:
+          context: ${{ matrix.container.context }}
+          platforms: ${{matrix.platform.arch}}
+          no-cache: true
+          push: true
+          tags: ${{ steps.metadata.outputs.tags }}
+          provenance: false
+          # Needed since when on default 'application/vnd.oci.image.index.v1+json' is used which does not work with "docker manifest create" (multiarch)
+          # TODO make it work with default value
diff --git a/.github/workflows/docker-lint.yml b/.github/workflows/docker-lint.yml
@@ -0,0 +1,38 @@
+name: Docker Lint
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  docker-lint:
+    runs-on: ubuntu-latest
+
+    name: docker-lint
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install hadolint
+        run: |
+          sudo wget https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -O /usr/bin/hadolint
+          sudo chmod +x /usr/bin/hadolint
+
+      - name: run lint
+        run: |
+          DOCKERFILES="$(find ./ -name Dockerfile)"
+          mapfile -t DOCKERFILES <<< "$DOCKERFILES"
+          for file in "${DOCKERFILES[@]}"; do
+            # DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
+            # DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check
+            hadolint "$file" --ignore DL3018 --ignore DL4006 | tee -a ./hadolint.log
+          done
+          if grep -q "DL[0-9]\+\|SC[0-9]\+" ./hadolint.log; then
+            exit 1
+          fi
diff --git a/.github/workflows/promote-to-beta.yml b/.github/workflows/promote-to-beta.yml
@@ -0,0 +1,32 @@
+name: Promote to beta
+
+on:
+  workflow_dispatch:
+
+jobs:
+  promote_to_latest:
+    runs-on: ubuntu-latest
+    name: Promote from develop to beta 
+
+    strategy:
+      fail-fast: false
+      matrix:
+        name: ['aio-fail2ban']
+
+    steps:
+    - name: Login to DockerHub
+      uses: docker/login-action@v2 
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+    - name: Promote images from develop to beta (create multiarch)
+      run: |
+        set -x
+        AIO_NAME=${{ matrix.name }}
+        DOCKER_HUB_ORG=szaimen
+        set +x
+        
+        # create multiarch image
+        docker manifest create "$DOCKER_HUB_ORG"/$AIO_NAME\:beta -a "$DOCKER_HUB_ORG"/$AIO_NAME\:develop -a "$DOCKER_HUB_ORG"/$AIO_NAME\:develop-arm64
+        docker manifest push "$DOCKER_HUB_ORG"/$AIO_NAME\:beta
diff --git a/.github/workflows/promote-to-latest.yml b/.github/workflows/promote-to-latest.yml
@@ -0,0 +1,30 @@
+name: Promote to latest
+
+on:
+  workflow_dispatch:
+
+jobs:
+  promote_to_latest:
+    runs-on: ubuntu-latest
+    name: Promote from beta to latest 
+
+    strategy:
+      fail-fast: false
+      matrix:
+        name: ['aio-fail2ban']
+
+    steps:
+    - name: Login to DockerHub
+      uses: docker/login-action@v2 
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+    - name: Promote images from beta to latest
+      run: |
+        set -x
+        AIO_NAME=${{ matrix.name }}
+        DOCKER_HUB_ORG=szaimen
+        set +x
+
+        docker buildx imagetools create --tag "$DOCKER_HUB_ORG"/$AIO_NAME\:latest "$DOCKER_HUB_ORG"/$AIO_NAME\:beta
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
@@ -0,0 +1,24 @@
+name: Shellcheck
+
+on:
+  pull_request:
+    paths:
+      - '**.sh'
+  push:
+    branches:
+      - main
+    paths:
+      - '**.sh'
+
+jobs:
+  shellcheck:
+    name: Check Shell
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run Shellcheck
+      uses: ludeeus/action-shellcheck@2.0.0
+      with:
+        check_together: 'yes'
+      env:
+        SHELLCHECK_OPTS: --shell bash
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,10 @@
+FROM alpine:3.18.3
+
+RUN set -ex; \
+    apk add --no-cache fail2ban tzdata util-linux-misc
+
+COPY --chmod=775 start.sh /start.sh
+
+# hadolint ignore=DL3002
+USER root
+ENTRYPOINT [ "/start.sh" ]
diff --git a/start.sh b/start.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+if ! mountpoint -q /nextcloud; then
+    echo "/nextcloud is not a mountpoint which it must be!"
+    exit 1
+fi
+
+while ! [ -f /nextcloud/data/nextcloud.log ]; do
+    echo "Waiting for /nextcloud/data/nextcloud.log to become available"
+    sleep 5
+done
+
+cat << FILTER > /etc/fail2ban/filter.d/nextcloud.log
+[Definition]
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
+            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
+FILTER
+
+cat << JAIL > /etc/fail2ban/jail.d/nextcloud.local
+[nextcloud]
+backend = auto
+enabled = true
+port = 80,443,8080,8443,3478
+protocol = tcp
+filter = nextcloud
+maxretry = 3
+bantime = 86400
+findtime = 43200
+logpath = /nextcloud/data/nextcloud.log
+chain=DOCKER-USER
+JAIL
+
+fail2ban-server -f --logtarget stderr --loglevel info