Signed-off-by: Simon L <szaimen@e.mail.de>
Showing
8 changed files
with
240 additions
and
0 deletions.
@@ -0,0 +1,17 @@ | ||
version: 2 | ||
updates: | ||
- package-ecosystem: "github-actions" | ||
directory: "/" | ||
schedule: | ||
interval: "daily" | ||
time: "12:00" | ||
open-pull-requests-limit: 10 | ||
- package-ecosystem: "docker" | ||
directory: "/" | ||
schedule: | ||
interval: "daily" | ||
time: "12:00" | ||
open-pull-requests-limit: 10 | ||
labels: | ||
- 3. to review | ||
- dependencies |
@@ -0,0 +1,54 @@ | ||
name: Build docker image | ||
|
||
on: | ||
workflow_dispatch: | ||
|
||
jobs: | ||
build: | ||
runs-on: ubuntu-latest | ||
|
||
strategy: | ||
fail-fast: false | ||
matrix: | ||
platform: [ | ||
{arch: 'linux/amd64', tag: 'develop'}, | ||
{arch: 'linux/arm64', tag: 'develop-arm64'}] | ||
container: [ | ||
{name: 'aio-fail2ban', context: './'}] | ||
|
||
steps: | ||
- name: Check out the repo | ||
uses: actions/checkout@v3 | ||
|
||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@v2 | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v2 | ||
|
||
- name: Login to DockerHub | ||
uses: docker/login-action@v2 | ||
with: | ||
username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
||
- name: Docker metadata | ||
id: metadata | ||
uses: docker/metadata-action@v4 | ||
with: | ||
images: | | ||
szaimen/${{ matrix.container.name }} | ||
tags: | | ||
${{ matrix.platform.tag }} | ||
- name: Build docker image and push to dockerhub | ||
uses: docker/build-push-action@v4 | ||
with: | ||
context: ${{ matrix.container.context }} | ||
platforms: ${{matrix.platform.arch}} | ||
no-cache: true | ||
push: true | ||
tags: ${{ steps.metadata.outputs.tags }} | ||
provenance: false | ||
# Needed since when on default 'application/vnd.oci.image.index.v1+json' is used which does not work with "docker manifest create" (multiarch) | ||
# TODO make it work with default value |
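Review bot: This workflow declares no `permissions:` block, so the job's GITHUB_TOKEN gets the repository default scope although the steps only read the checkout (the push uses the DockerHub secret, not the token); the lint workflow in this same commit already sets `permissions:` / `contents: read`, and the build workflow, both promote workflows and the shellcheck workflow should carry the same two lines. The actions are referenced by moving major tags (`actions/checkout@v3`, `docker/setup-qemu-action@v2`, `docker/build-push-action@v4`, and likewise in the other workflows); pinning each `uses:` to a full commit SHA with the tag in a trailing comment keeps the dependabot `github-actions` entry useful while removing tag-retargeting risk. `actions/checkout@v3` here also differs from the `@v4` used by the lint and shellcheck workflows, so align the version while touching these lines.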
@@ -0,0 +1,38 @@ | ||
name: Docker Lint | ||
|
||
on: | ||
pull_request: | ||
push: | ||
branches: | ||
- main | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
docker-lint: | ||
runs-on: ubuntu-latest | ||
|
||
name: docker-lint | ||
|
||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v4 | ||
|
||
- name: Install hadolint | ||
run: | | ||
sudo wget https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -O /usr/bin/hadolint | ||
sudo chmod +x /usr/bin/hadolint | ||
- name: run lint | ||
run: | | ||
DOCKERFILES="$(find ./ -name Dockerfile)" | ||
mapfile -t DOCKERFILES <<< "$DOCKERFILES" | ||
for file in "${DOCKERFILES[@]}"; do | ||
# DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>` | ||
# DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check | ||
hadolint "$file" --ignore DL3018 --ignore DL4006 | tee -a ./hadolint.log | ||
done | ||
if grep -q "DL[0-9]\+\|SC[0-9]\+" ./hadolint.log; then | ||
exit 1 | ||
fi |
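Review bot: The "Install hadolint" step fetches `releases/latest/download/hadolint-Linux-x86_64` with neither a version pin nor a checksum, so the linter binary run on every pull request is whatever the latest release resolves to at that moment and nothing verifies what was downloaded. Pin a release and verify it, e.g. `sudo wget https://github.com/hadolint/hadolint/releases/download/<PINNED_VERSION>/hadolint-Linux-x86_64 -O /usr/bin/hadolint` followed by `echo "<EXPECTED_SHA256>  /usr/bin/hadolint" | sha256sum -c -`, with the version then bumped deliberately (dependabot does not track this download). The ignore list in the `run lint` step already documents DL3018/DL4006 well; a one-line comment above the `wget` stating the pinned version and where the checksum comes from would complete it.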
@@ -0,0 +1,32 @@ | ||
name: Promote to beta | ||
|
||
on: | ||
workflow_dispatch: | ||
|
||
jobs: | ||
promote_to_latest: | ||
runs-on: ubuntu-latest | ||
name: Promote from develop to beta | ||
|
||
strategy: | ||
fail-fast: false | ||
matrix: | ||
name: ['aio-fail2ban'] | ||
|
||
steps: | ||
- name: Login to DockerHub | ||
uses: docker/login-action@v2 | ||
with: | ||
username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
||
- name: Promote images from develop to beta (create multiarch) | ||
run: | | ||
set -x | ||
AIO_NAME=${{ matrix.name }} | ||
DOCKER_HUB_ORG=szaimen | ||
set +x | ||
# create multiarch image | ||
docker manifest create "$DOCKER_HUB_ORG"/$AIO_NAME\:beta -a "$DOCKER_HUB_ORG"/$AIO_NAME\:develop -a "$DOCKER_HUB_ORG"/$AIO_NAME\:develop-arm64 | ||
docker manifest push "$DOCKER_HUB_ORG"/$AIO_NAME\:beta |
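Review bot: The job id `promote_to_latest` under `jobs:` contradicts this workflow's purpose ("Promote from develop to beta"); rename it to `promote_to_beta` so run logs and any future `needs:` references read correctly. In the run step `${{ matrix.name }}` is expanded by the runner straight into the shell script and `$AIO_NAME` is then used unquoted; the matrix is a hardcoded literal today, but passing the value through `env:` (`env:` / `AIO_NAME: ${{ matrix.name }}` on the step) and quoting `"$AIO_NAME"` is the recommended shape and keeps the script safe if the matrix is ever populated from an event payload — the same applies to the promote-to-latest workflow. The `set -x` / `set +x` pair around two plain assignments adds nothing to the log and can be dropped, and the `\:` escapes are unnecessary.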
@@ -0,0 +1,30 @@ | ||
name: Promote to latest | ||
|
||
on: | ||
workflow_dispatch: | ||
|
||
jobs: | ||
promote_to_latest: | ||
runs-on: ubuntu-latest | ||
name: Promote from beta to latest | ||
|
||
strategy: | ||
fail-fast: false | ||
matrix: | ||
name: ['aio-fail2ban'] | ||
|
||
steps: | ||
- name: Login to DockerHub | ||
uses: docker/login-action@v2 | ||
with: | ||
username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
||
- name: Promote images from beta to latest | ||
run: | | ||
set -x | ||
AIO_NAME=${{ matrix.name }} | ||
DOCKER_HUB_ORG=szaimen | ||
set +x | ||
docker buildx imagetools create --tag "$DOCKER_HUB_ORG"/$AIO_NAME\:latest "$DOCKER_HUB_ORG"/$AIO_NAME\:beta |
@@ -0,0 +1,24 @@ | ||
name: Shellcheck | ||
|
||
on: | ||
pull_request: | ||
paths: | ||
- '**.sh' | ||
push: | ||
branches: | ||
- main | ||
paths: | ||
- '**.sh' | ||
|
||
jobs: | ||
shellcheck: | ||
name: Check Shell | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v4 | ||
- name: Run Shellcheck | ||
uses: ludeeus/action-shellcheck@2.0.0 | ||
with: | ||
check_together: 'yes' | ||
env: | ||
SHELLCHECK_OPTS: --shell bash |
@@ -0,0 +1,10 @@ | ||
FROM alpine:3.18.3 | ||
|
||
RUN set -ex; \ | ||
apk add --no-cache fail2ban tzdata util-linux-misc | ||
|
||
COPY --chmod=775 start.sh /start.sh | ||
|
||
# hadolint ignore=DL3002 | ||
USER root | ||
ENTRYPOINT [ "/start.sh" ] |
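Review bot: `COPY --chmod=775 start.sh /start.sh` makes the entrypoint group-writable while it is executed as root; `COPY --chmod=755 start.sh /start.sh` is sufficient and leaves the script writable only by its owner. The `# hadolint ignore=DL3002` line suppresses the root-user warning without recording why root is required; a why-comment such as `# runs as root: fail2ban must manage firewall rules (start.sh targets the DOCKER-USER chain)` documents the deliberate exception for the next maintainer. The `apk add` line is unpinned (DL3018 is ignored in the lint workflow); if reproducible rebuilds matter, pin the `fail2ban`, `tzdata` and `util-linux-misc` versions or at least pin the base image by digest in addition to the `3.18.3` tag.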
@@ -0,0 +1,35 @@ | ||
#!/bin/bash | ||
|
||
if ! mountpoint -q /nextcloud; then | ||
echo "/nextcloud is not a mountpoint which it must be!" | ||
exit 1 | ||
fi | ||
|
||
while ! [ -f /nextcloud/data/nextcloud.log ]; do | ||
echo "Waiting for /nextcloud/data/nextcloud.log to become available" | ||
sleep 5 | ||
done | ||
|
||
cat << FILTER > /etc/fail2ban/filter.d/nextcloud.log | ||
[Definition] | ||
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*) | ||
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed: | ||
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error. | ||
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?" | ||
FILTER | ||
|
||
cat << JAIL > /etc/fail2ban/jail.d/nextcloud.local | ||
[nextcloud] | ||
backend = auto | ||
enabled = true | ||
port = 80,443,8080,8443,3478 | ||
protocol = tcp | ||
filter = nextcloud | ||
maxretry = 3 | ||
bantime = 86400 | ||
findtime = 43200 | ||
logpath = /nextcloud/data/nextcloud.log | ||
chain=DOCKER-USER | ||
JAIL | ||
|
||
fail2ban-server -f --logtarget stderr --loglevel info |
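Review bot: The filter heredoc is written to `/etc/fail2ban/filter.d/nextcloud.log`, but the jail declares `filter = nextcloud`, which fail2ban resolves to `filter.d/nextcloud.conf`; unless the package already ships a filter of that name, the jail will fail to load when `fail2ban-server` starts, so the redirect should read `cat << FILTER > /etc/fail2ban/filter.d/nextcloud.conf`. The last line should be `exec fail2ban-server -f --logtarget stderr --loglevel info`: the script is the image's ENTRYPOINT, so without `exec` bash stays PID 1 and the SIGTERM from `docker stop` is not forwarded to fail2ban-server, which is then killed after the stop timeout instead of shutting down. The script has no `set -e`; every failure path visible here is handled explicitly, but a failed heredoc write (read-only filesystem) would currently go unnoticed until the server starts.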