From f354c3fc742f8afd85d8992b8d7a384e5181ec8c Mon Sep 17 00:00:00 2001
From: Simon L
Date: Wed, 27 Sep 2023 15:44:50 +0200
Subject: [PATCH] initial commit
Signed-off-by: Simon L
---
.github/dependabot.yml | 17 ++++++++
.github/workflows/build_image.yml | 54 +++++++++++++++++++++++++
.github/workflows/docker-lint.yml | 38 +++++++++++++++++
.github/workflows/promote-to-beta.yml | 32 +++++++++++++++
.github/workflows/promote-to-latest.yml | 30 ++++++++++++++
.github/workflows/shellcheck.yml | 24 +++++++++++
Dockerfile | 10 +++++
start.sh | 35 ++++++++++++++++
8 files changed, 240 insertions(+)
create mode 100644 .github/dependabot.yml
create mode 100644 .github/workflows/build_image.yml
create mode 100644 .github/workflows/docker-lint.yml
create mode 100644 .github/workflows/promote-to-beta.yml
create mode 100644 .github/workflows/promote-to-latest.yml
create mode 100644 .github/workflows/shellcheck.yml
create mode 100644 Dockerfile
create mode 100644 start.sh
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..04e46be
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ time: "12:00"
+ open-pull-requests-limit: 10
+- package-ecosystem: "docker"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ time: "12:00"
+ open-pull-requests-limit: 10
+ labels:
+ - 3. to review
+ - dependencies
diff --git a/.github/workflows/build_image.yml b/.github/workflows/build_image.yml
new file mode 100644
index 0000000..2ff3193
--- /dev/null
+++ b/.github/workflows/build_image.yml
@@ -0,0 +1,54 @@
+name: Build docker image
+
+on:
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ platform: [
+ {arch: 'linux/amd64', tag: 'develop'},
+ {arch: 'linux/arm64', tag: 'develop-arm64'}]
+ container: [
+ {name: 'aio-fail2ban', context: './'}]
+
+ steps:
+ - name: Check out the repo
+ uses: actions/checkout@v3
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v2
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Login to DockerHub
+ uses: docker/login-action@v2
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Docker metadata
+ id: metadata
+ uses: docker/metadata-action@v4
+ with:
+ images: |
+ szaimen/${{ matrix.container.name }}
+ tags: |
+ ${{ matrix.platform.tag }}
+
+ - name: Build docker image and push to dockerhub
+ uses: docker/build-push-action@v4
+ with:
+ context: ${{ matrix.container.context }}
+ platforms: ${{matrix.platform.arch}}
+ no-cache: true
+ push: true
+ tags: ${{ steps.metadata.outputs.tags }}
+ provenance: false
+ # Needed since when on default 'application/vnd.oci.image.index.v1+json' is used which does not work with "docker manifest create" (multiarch)
+ # TODO make it work with default value
\ No newline at end of file
diff --git a/.github/workflows/docker-lint.yml b/.github/workflows/docker-lint.yml
new file mode 100644
index 0000000..1d6a229
--- /dev/null
+++ b/.github/workflows/docker-lint.yml
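Review bot: The workflow declares no `permissions:` block, so the job token gets the repository's default permissions although the job only needs to read the checkout; docker-lint.yml in the same commit already sets `permissions:` / `contents: read`, and promote-to-beta.yml, promote-to-latest.yml and shellcheck.yml have the same gap. The actions are referenced by mutable major tag (`actions/checkout@v3`, `docker/build-push-action@v4`), which the dependabot entry for github-actions can bump but does not pin; referencing a commit SHA with the version in a trailing comment would make the build reproducible against tag moves. `actions/checkout@v3` is also one major behind the `@v4` used by the lint and shellcheck workflows added here. The comment explaining `provenance: false` is placed after the key it describes and the file has no trailing newline; moving the comment above `provenance: false` reads naturally in YAML.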
@@ -0,0 +1,38 @@
+name: Docker Lint
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+jobs:
+ docker-lint:
+ runs-on: ubuntu-latest
+
+ name: docker-lint
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Install hadolint
+ run: |
+ sudo wget https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -O /usr/bin/hadolint
+ sudo chmod +x /usr/bin/hadolint
+
+ - name: run lint
+ run: |
+ DOCKERFILES="$(find ./ -name Dockerfile)"
+ mapfile -t DOCKERFILES <<< "$DOCKERFILES"
+ for file in "${DOCKERFILES[@]}"; do
+ # DL3018 warning: Pin versions in apk add. Instead of `apk add ` use `apk add =`
+ # DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check
+ hadolint "$file" --ignore DL3018 --ignore DL4006 | tee -a ./hadolint.log
+ done
+ if grep -q "DL[0-9]\+\|SC[0-9]\+" ./hadolint.log; then
+ exit 1
+ fi
diff --git a/.github/workflows/promote-to-beta.yml b/.github/workflows/promote-to-beta.yml
new file mode 100644
index 0000000..a45faed
--- /dev/null
+++ b/.github/workflows/promote-to-beta.yml
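Review bot: The hadolint install step downloads `releases/latest/download/hadolint-Linux-x86_64` into `/usr/bin` and marks it executable without any verification, so the lint gate trusts whatever binary that redirect serves on the day the job runs, and a result (or a tampered release) is not reproducible. Pin the release and check its digest before installing: `HADOLINT_VERSION=<pinned version>`, `sudo wget https://github.com/hadolint/hadolint/releases/download/${HADOLINT_VERSION}/hadolint-Linux-x86_64 -O /usr/bin/hadolint`, `echo "<sha256 from the release page>  /usr/bin/hadolint" | sha256sum -c -`. Note also that `--ignore DL3018` lets the unpinned `apk add` in this commit's Dockerfile pass the gate; that may be intended, but the comment above it only restates the rule text rather than why it is waived here.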
@@ -0,0 +1,32 @@
+name: Promote to beta
+
+on:
+ workflow_dispatch:
+
+jobs:
+ promote_to_latest:
+ runs-on: ubuntu-latest
+ name: Promote from develop to beta
+
+ strategy:
+ fail-fast: false
+ matrix:
+ name: ['aio-fail2ban']
+
+ steps:
+ - name: Login to DockerHub
+ uses: docker/login-action@v2
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Promote images from develop to beta (create multiarch)
+ run: |
+ set -x
+ AIO_NAME=${{ matrix.name }}
+ DOCKER_HUB_ORG=szaimen
+ set +x
+
+ # create multiarch image
+ docker manifest create "$DOCKER_HUB_ORG"/$AIO_NAME\:beta -a "$DOCKER_HUB_ORG"/$AIO_NAME\:develop -a "$DOCKER_HUB_ORG"/$AIO_NAME\:develop-arm64
+ docker manifest push "$DOCKER_HUB_ORG"/$AIO_NAME\:beta
diff --git a/.github/workflows/promote-to-latest.yml b/.github/workflows/promote-to-latest.yml
new file mode 100644
index 0000000..ce25dbe
--- /dev/null
+++ b/.github/workflows/promote-to-latest.yml
@@ -0,0 +1,30 @@
+name: Promote to latest
+
+on:
+ workflow_dispatch:
+
+jobs:
+ promote_to_latest:
+ runs-on: ubuntu-latest
+ name: Promote from beta to latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ name: ['aio-fail2ban']
+
+ steps:
+ - name: Login to DockerHub
+ uses: docker/login-action@v2
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Promote images from beta to latest
+ run: |
+ set -x
+ AIO_NAME=${{ matrix.name }}
+ DOCKER_HUB_ORG=szaimen
+ set +x
+
+ docker buildx imagetools create --tag "$DOCKER_HUB_ORG"/$AIO_NAME\:latest "$DOCKER_HUB_ORG"/$AIO_NAME\:beta
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
new file mode 100644
index 0000000..697b180
--- /dev/null
+++ b/.github/workflows/shellcheck.yml
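Review bot: The `run:` script splices a workflow expression straight into shell source (`AIO_NAME=${{ matrix.name }}`), which is the pattern that turns into script injection the moment the value stops being a literal; with the matrix fixed to `['aio-fail2ban']` it is harmless today, but the robust form costs nothing: put `env:` with `AIO_NAME: ${{ matrix.name }}` on the step and delete the assignment line, so the value reaches the shell as an environment variable rather than as code. The same construct is in promote-to-latest.yml in the hunk that follows. The job id in this file is `promote_to_latest` while its `name:` says "Promote from develop to beta", which looks copied from the other workflow and will confuse anyone filtering runs by job id; `promote_to_beta:` matches the file. The `\:` escapes in `$AIO_NAME\:beta` are unnecessary in bash and read as if `:` were special; `"$DOCKER_HUB_ORG/$AIO_NAME:beta"` is the clearer quoting.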
@@ -0,0 +1,24 @@
+name: Shellcheck
+
+on:
+ pull_request:
+ paths:
+ - '**.sh'
+ push:
+ branches:
+ - main
+ paths:
+ - '**.sh'
+
+jobs:
+ shellcheck:
+ name: Check Shell
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Run Shellcheck
+ uses: ludeeus/action-shellcheck@2.0.0
+ with:
+ check_together: 'yes'
+ env:
+ SHELLCHECK_OPTS: --shell bash
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..5363c32
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,10 @@
+FROM alpine:3.18.3
+
+RUN set -ex; \
+ apk add --no-cache fail2ban tzdata util-linux-misc
+
+COPY --chmod=775 start.sh /start.sh
+
+# hadolint ignore=DL3002
+USER root
+ENTRYPOINT [ "/start.sh" ]
diff --git a/start.sh b/start.sh
new file mode 100644
index 0000000..f21e957
--- /dev/null
+++ b/start.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+if ! mountpoint -q /nextcloud; then
+ echo "/nextcloud is not a mountpoint which it must be!"
+ exit 1
+fi
+
+while ! [ -f /nextcloud/data/nextcloud.log ]; do
+ echo "Waiting for /nextcloud/data/nextcloud.log to become available"
+ sleep 5
+done
+
+cat << FILTER > /etc/fail2ban/filter.d/nextcloud.log
+[Definition]
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed:
+ ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error.
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
+FILTER
+
+cat << JAIL > /etc/fail2ban/jail.d/nextcloud.local
+[nextcloud]
+backend = auto
+enabled = true
+port = 80,443,8080,8443,3478
+protocol = tcp
+filter = nextcloud
+maxretry = 3
+bantime = 86400
+findtime = 43200
+logpath = /nextcloud/data/nextcloud.log
+chain=DOCKER-USER
+JAIL
+
+fail2ban-server -f --logtarget stderr --loglevel info
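Review bot: start.sh, added in the same commit, begins with `#!/bin/bash`, but the only packages this `RUN` installs are `fail2ban tzdata util-linux-misc` and the alpine base image does not ship bash; unless one of those packages pulls it in transitively, the `ENTRYPOINT` will fail at container start with "no such file or directory". Either install it, `apk add --no-cache bash fail2ban tzdata util-linux-misc`, or switch the script's shebang to `#!/bin/sh`, since nothing in start.sh uses a bash-only construct. The `# hadolint ignore=DL3002` records that root is deliberate but not why; a comment such as `# root is required: fail2ban edits the host's netfilter rules (chain=DOCKER-USER in start.sh)` would document the decision and remind operators that the container also needs the matching network capability, which a Dockerfile cannot grant. `COPY --chmod=775` gives group write on the entrypoint; `--chmod=755` is sufficient.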
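Review bot: The filter heredoc is written to `/etc/fail2ban/filter.d/nextcloud.log`, but the jail below selects it with `filter = nextcloud`, which fail2ban resolves to `filter.d/nextcloud.conf`; as written the jail cannot load because no such filter file exists. Change the target to `cat << FILTER > /etc/fail2ban/filter.d/nextcloud.conf`. Both `failregex` lines match `"remoteAddr":""` with nothing to capture, so no address could ever be extracted for a ban; if a `<HOST>` placeholder was merely lost in rendering this page, ignore this, otherwise it must read `"remoteAddr":"<HOST>"`. The last line does not `exec`, so bash stays PID 1 and the SIGTERM from `docker stop` is not forwarded to fail2ban, which is then killed after the grace period with no chance to unban or remove its rules; use `exec fail2ban-server -f --logtarget stderr --loglevel info`.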