Merge pull request #115 from linuxserver/upstream-defaults

Rework nginx.conf to be inline with alpine upstream and relocate line…
2025-10-31 04:57:43 +09:00 · 2021-05-18 10:53:05 -04:00
parent c48705cbc4 1cc2e4d395
commit 27e727eede
22 changed files with 867 additions and 825 deletions
--- a/281
+++ b/281
@@ -12,148 +12,145 @@ ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53.
 ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2

 RUN \
- echo "**** install build packages ****" && \
- apk add --no-cache --virtual=build-dependencies \
-	cargo \
-	g++ \
-	gcc \
-	libffi-dev \
-	openssl-dev \
-	python3-dev && \
- echo "**** install runtime packages ****" && \
- apk add --no-cache --upgrade \
-	curl \
-	fail2ban \
-	gnupg \
-	memcached \
-	nginx \
-	nginx-mod-http-brotli \
-	nginx-mod-http-dav-ext \
-	nginx-mod-http-echo \
-	nginx-mod-http-fancyindex \
-	nginx-mod-http-geoip2 \
-	nginx-mod-http-headers-more \
-	nginx-mod-http-image-filter \
-	nginx-mod-http-nchan \
-	nginx-mod-http-perl \
-	nginx-mod-http-redis2 \
-	nginx-mod-http-set-misc \
-	nginx-mod-http-upload-progress \
-	nginx-mod-http-xslt-filter \
-	nginx-mod-mail \
-	nginx-mod-rtmp \
-	nginx-mod-stream \
-	nginx-mod-stream-geoip2 \
-	nginx-vim \
-	php7-bcmath \
-	php7-bz2 \
-	php7-ctype \
-	php7-curl \
-	php7-dom \
-	php7-exif \
-	php7-ftp \
-	php7-gd \
-	php7-gmp \
-	php7-iconv \
-	php7-imap \
-	php7-intl \
-	php7-ldap \
-	php7-mcrypt \
-	php7-memcached \
-	php7-mysqli \
-	php7-mysqlnd \
-	php7-opcache \
-	php7-pdo_mysql \
-	php7-pdo_odbc \
-	php7-pdo_pgsql \
-	php7-pdo_sqlite \
-	php7-pear \
-	php7-pecl-apcu \
-	php7-pecl-mailparse \
-	php7-pecl-redis \
-	php7-pgsql \
-	php7-phar \
-	php7-posix \
-	php7-soap \
-	php7-sockets \
-	php7-sodium \
-	php7-sqlite3 \
-	php7-tokenizer \
-	php7-xml \
-	php7-xmlreader \
-	php7-xmlrpc \
-	php7-xsl \
-	php7-zip \
-	py3-cryptography \
-	py3-future \
-	py3-pip \
-	whois && \
- echo "**** install certbot plugins ****" && \
- if [ -z ${CERTBOT_VERSION+x} ]; then \
-        CERTBOT="certbot"; \
- else \
-        CERTBOT="certbot==${CERTBOT_VERSION}"; \
- fi && \
- pip3 install -U \
-	pip && \
- pip3 install -U \
-	${CERTBOT} \
-	certbot-dns-aliyun \
-	certbot-dns-cloudflare \
-	certbot-dns-cloudxns \
-	certbot-dns-cpanel \
-	certbot-dns-digitalocean \
-	certbot-dns-directadmin \
-	certbot-dns-dnsimple \
-	certbot-dns-dnsmadeeasy \
-	certbot-dns-domeneshop \
-	certbot-dns-google \
-	certbot-dns-hetzner \
-	certbot-dns-inwx \
-	certbot-dns-linode \
-	certbot-dns-luadns \
-	certbot-dns-netcup \
-	certbot-dns-njalla \
-	certbot-dns-nsone \
-	certbot-dns-ovh \
-	certbot-dns-rfc2136 \
-	certbot-dns-route53 \
-	certbot-dns-transip \
-	certbot-dns-vultr \
-	certbot-plugin-gandi \
-	cryptography \
-	requests && \
- echo "**** remove unnecessary fail2ban filters ****" && \
- rm \
-	/etc/fail2ban/jail.d/alpine-ssh.conf && \
- echo "**** copy fail2ban default action and filter to /default ****" && \
- mkdir -p /defaults/fail2ban && \
- mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
- mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
- echo "**** copy proxy confs to /default ****" && \
- mkdir -p /defaults/proxy-confs && \
- curl -o \
-	/tmp/proxy.tar.gz -L \
-	"https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
- tar xf \
-	/tmp/proxy.tar.gz -C \
-	/defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
- echo "**** configure nginx ****" && \
- rm -f /etc/nginx/conf.d/default.conf && \
- curl -o \
-	/defaults/dhparams.pem -L \
-	"https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \
- echo "**** cleanup ****" && \
- apk del --purge \
-	build-dependencies && \
- for cleanfiles in *.pyc *.pyo; \
-	do \
-	find /usr/lib/python3.*  -iname "${cleanfiles}" -exec rm -f '{}' + \
-	; done && \
- rm -rf \
-	/tmp/* \
-	/root/.cache \
-	/root/.cargo
+  echo "**** install build packages ****" && \
+  apk add --no-cache --virtual=build-dependencies \
+    cargo \
+    g++ \
+    gcc \
+    libffi-dev \
+    openssl-dev \
+    python3-dev && \
+  echo "**** install runtime packages ****" && \
+  apk add --no-cache --upgrade \
+    curl \
+    fail2ban \
+    gnupg \
+    memcached \
+    nginx \
+    nginx-mod-http-brotli \
+    nginx-mod-http-dav-ext \
+    nginx-mod-http-echo \
+    nginx-mod-http-fancyindex \
+    nginx-mod-http-geoip2 \
+    nginx-mod-http-headers-more \
+    nginx-mod-http-image-filter \
+    nginx-mod-http-nchan \
+    nginx-mod-http-perl \
+    nginx-mod-http-redis2 \
+    nginx-mod-http-set-misc \
+    nginx-mod-http-upload-progress \
+    nginx-mod-http-xslt-filter \
+    nginx-mod-mail \
+    nginx-mod-rtmp \
+    nginx-mod-stream \
+    nginx-mod-stream-geoip2 \
+    nginx-vim \
+    php7-bcmath \
+    php7-bz2 \
+    php7-ctype \
+    php7-curl \
+    php7-dom \
+    php7-exif \
+    php7-ftp \
+    php7-gd \
+    php7-gmp \
+    php7-iconv \
+    php7-imap \
+    php7-intl \
+    php7-ldap \
+    php7-mcrypt \
+    php7-memcached \
+    php7-mysqli \
+    php7-mysqlnd \
+    php7-opcache \
+    php7-pdo_mysql \
+    php7-pdo_odbc \
+    php7-pdo_pgsql \
+    php7-pdo_sqlite \
+    php7-pear \
+    php7-pecl-apcu \
+    php7-pecl-mailparse \
+    php7-pecl-redis \
+    php7-pgsql \
+    php7-phar \
+    php7-posix \
+    php7-soap \
+    php7-sockets \
+    php7-sodium \
+    php7-sqlite3 \
+    php7-tokenizer \
+    php7-xml \
+    php7-xmlreader \
+    php7-xmlrpc \
+    php7-xsl \
+    php7-zip \
+    py3-cryptography \
+    py3-future \
+    py3-pip \
+    whois && \
+  echo "**** install certbot plugins ****" && \
+  if [ -z ${CERTBOT_VERSION+x} ]; then \
+    CERTBOT="certbot"; \
+  else \
+    CERTBOT="certbot==${CERTBOT_VERSION}"; \
+  fi && \
+  pip3 install -U \
+    pip && \
+  pip3 install -U --find-links https://wheel-index.linuxserver.io/alpine/ \
+    ${CERTBOT} \
+    certbot-dns-aliyun \
+    certbot-dns-cloudflare \
+    certbot-dns-cloudxns \
+    certbot-dns-cpanel \
+    certbot-dns-digitalocean \
+    certbot-dns-directadmin \
+    certbot-dns-dnsimple \
+    certbot-dns-dnsmadeeasy \
+    certbot-dns-domeneshop \
+    certbot-dns-google \
+    certbot-dns-hetzner \
+    certbot-dns-inwx \
+    certbot-dns-linode \
+    certbot-dns-luadns \
+    certbot-dns-netcup \
+    certbot-dns-njalla \
+    certbot-dns-nsone \
+    certbot-dns-ovh \
+    certbot-dns-rfc2136 \
+    certbot-dns-route53 \
+    certbot-dns-transip \
+    certbot-dns-vultr \
+    certbot-plugin-gandi \
+    cryptography \
+    requests && \
+  echo "**** remove unnecessary fail2ban filters ****" && \
+  rm \
+    /etc/fail2ban/jail.d/alpine-ssh.conf && \
+  echo "**** copy fail2ban default action and filter to /default ****" && \
+  mkdir -p /defaults/fail2ban && \
+  mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
+  mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
+  echo "**** copy proxy confs to /default ****" && \
+  mkdir -p /defaults/proxy-confs && \
+  curl -o \
+    /tmp/proxy.tar.gz -L \
+    "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
+  tar xf \
+    /tmp/proxy.tar.gz -C \
+    /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
+  echo "**** configure nginx ****" && \
+  rm -f /etc/nginx/conf.d/default.conf && \
+  echo "**** cleanup ****" && \
+  apk del --purge \
+    build-dependencies && \
+  for cleanfiles in *.pyc *.pyo; \
+    do \
+    find /usr/lib/python3.*  -iname "${cleanfiles}" -exec rm -f '{}' + \
+    ; done && \
+  rm -rf \
+    /tmp/* \
+    /root/.cache \
+    /root/.cargo

 # add local files
 COPY root/ /
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -12,148 +12,145 @@ ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53.
 ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2

 RUN \
- echo "**** install build packages ****" && \
- apk add --no-cache --virtual=build-dependencies \
-	cargo \
-	g++ \
-	gcc \
-	libffi-dev \
-	openssl-dev \
-	python3-dev && \
- echo "**** install runtime packages ****" && \
- apk add --no-cache --upgrade \
-	curl \
-	fail2ban \
-	gnupg \
-	memcached \
-	nginx \
-	nginx-mod-http-brotli \
-	nginx-mod-http-dav-ext \
-	nginx-mod-http-echo \
-	nginx-mod-http-fancyindex \
-	nginx-mod-http-geoip2 \
-	nginx-mod-http-headers-more \
-	nginx-mod-http-image-filter \
-	nginx-mod-http-nchan \
-	nginx-mod-http-perl \
-	nginx-mod-http-redis2 \
-	nginx-mod-http-set-misc \
-	nginx-mod-http-upload-progress \
-	nginx-mod-http-xslt-filter \
-	nginx-mod-mail \
-	nginx-mod-rtmp \
-	nginx-mod-stream \
-	nginx-mod-stream-geoip2 \
-	nginx-vim \
-	php7-bcmath \
-	php7-bz2 \
-	php7-ctype \
-	php7-curl \
-	php7-dom \
-	php7-exif \
-	php7-ftp \
-	php7-gd \
-	php7-gmp \
-	php7-iconv \
-	php7-imap \
-	php7-intl \
-	php7-ldap \
-	php7-mcrypt \
-	php7-memcached \
-	php7-mysqli \
-	php7-mysqlnd \
-	php7-opcache \
-	php7-pdo_mysql \
-	php7-pdo_odbc \
-	php7-pdo_pgsql \
-	php7-pdo_sqlite \
-	php7-pear \
-	php7-pecl-apcu \
-	php7-pecl-mailparse \
-	php7-pecl-redis \
-	php7-pgsql \
-	php7-phar \
-	php7-posix \
-	php7-soap \
-	php7-sockets \
-	php7-sodium \
-	php7-sqlite3 \
-	php7-tokenizer \
-	php7-xml \
-	php7-xmlreader \
-	php7-xmlrpc \
-	php7-xsl \
-	php7-zip \
-	py3-cryptography \
-	py3-future \
-	py3-pip \
-	whois && \
- echo "**** install certbot plugins ****" && \
- if [ -z ${CERTBOT_VERSION+x} ]; then \
-        CERTBOT="certbot"; \
- else \
-        CERTBOT="certbot==${CERTBOT_VERSION}"; \
- fi && \
- pip3 install -U \
-	pip && \
- pip3 install -U \
-	${CERTBOT} \
-	certbot-dns-aliyun \
-	certbot-dns-cloudflare \
-	certbot-dns-cloudxns \
-	certbot-dns-cpanel \
-	certbot-dns-digitalocean \
-	certbot-dns-directadmin \
-	certbot-dns-dnsimple \
-	certbot-dns-dnsmadeeasy \
-	certbot-dns-domeneshop \
-	certbot-dns-google \
-	certbot-dns-hetzner \
-	certbot-dns-inwx \
-	certbot-dns-linode \
-	certbot-dns-luadns \
-	certbot-dns-netcup \
-	certbot-dns-njalla \
-	certbot-dns-nsone \
-	certbot-dns-ovh \
-	certbot-dns-rfc2136 \
-	certbot-dns-route53 \
-	certbot-dns-transip \
-	certbot-dns-vultr \
-	certbot-plugin-gandi \
-	cryptography \
-	requests && \
- echo "**** remove unnecessary fail2ban filters ****" && \
- rm \
-	/etc/fail2ban/jail.d/alpine-ssh.conf && \
- echo "**** copy fail2ban default action and filter to /default ****" && \
- mkdir -p /defaults/fail2ban && \
- mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
- mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
- echo "**** copy proxy confs to /default ****" && \
- mkdir -p /defaults/proxy-confs && \
- curl -o \
-	/tmp/proxy.tar.gz -L \
-	"https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
- tar xf \
-	/tmp/proxy.tar.gz -C \
-	/defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
- echo "**** configure nginx ****" && \
- rm -f /etc/nginx/conf.d/default.conf && \
- curl -o \
-	/defaults/dhparams.pem -L \
-	"https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \
- echo "**** cleanup ****" && \
- apk del --purge \
-	build-dependencies && \
- for cleanfiles in *.pyc *.pyo; \
-	do \
-	find /usr/lib/python3.*  -iname "${cleanfiles}" -exec rm -f '{}' + \
-	; done && \
- rm -rf \
-	/tmp/* \
-	/root/.cache \
-	/root/.cargo
+  echo "**** install build packages ****" && \
+  apk add --no-cache --virtual=build-dependencies \
+    cargo \
+    g++ \
+    gcc \
+    libffi-dev \
+    openssl-dev \
+    python3-dev && \
+  echo "**** install runtime packages ****" && \
+  apk add --no-cache --upgrade \
+    curl \
+    fail2ban \
+    gnupg \
+    memcached \
+    nginx \
+    nginx-mod-http-brotli \
+    nginx-mod-http-dav-ext \
+    nginx-mod-http-echo \
+    nginx-mod-http-fancyindex \
+    nginx-mod-http-geoip2 \
+    nginx-mod-http-headers-more \
+    nginx-mod-http-image-filter \
+    nginx-mod-http-nchan \
+    nginx-mod-http-perl \
+    nginx-mod-http-redis2 \
+    nginx-mod-http-set-misc \
+    nginx-mod-http-upload-progress \
+    nginx-mod-http-xslt-filter \
+    nginx-mod-mail \
+    nginx-mod-rtmp \
+    nginx-mod-stream \
+    nginx-mod-stream-geoip2 \
+    nginx-vim \
+    php7-bcmath \
+    php7-bz2 \
+    php7-ctype \
+    php7-curl \
+    php7-dom \
+    php7-exif \
+    php7-ftp \
+    php7-gd \
+    php7-gmp \
+    php7-iconv \
+    php7-imap \
+    php7-intl \
+    php7-ldap \
+    php7-mcrypt \
+    php7-memcached \
+    php7-mysqli \
+    php7-mysqlnd \
+    php7-opcache \
+    php7-pdo_mysql \
+    php7-pdo_odbc \
+    php7-pdo_pgsql \
+    php7-pdo_sqlite \
+    php7-pear \
+    php7-pecl-apcu \
+    php7-pecl-mailparse \
+    php7-pecl-redis \
+    php7-pgsql \
+    php7-phar \
+    php7-posix \
+    php7-soap \
+    php7-sockets \
+    php7-sodium \
+    php7-sqlite3 \
+    php7-tokenizer \
+    php7-xml \
+    php7-xmlreader \
+    php7-xmlrpc \
+    php7-xsl \
+    php7-zip \
+    py3-cryptography \
+    py3-future \
+    py3-pip \
+    whois && \
+  echo "**** install certbot plugins ****" && \
+  if [ -z ${CERTBOT_VERSION+x} ]; then \
+    CERTBOT="certbot"; \
+  else \
+    CERTBOT="certbot==${CERTBOT_VERSION}"; \
+  fi && \
+  pip3 install -U \
+    pip && \
+  pip3 install -U --find-links https://wheel-index.linuxserver.io/alpine/ \
+    ${CERTBOT} \
+    certbot-dns-aliyun \
+    certbot-dns-cloudflare \
+    certbot-dns-cloudxns \
+    certbot-dns-cpanel \
+    certbot-dns-digitalocean \
+    certbot-dns-directadmin \
+    certbot-dns-dnsimple \
+    certbot-dns-dnsmadeeasy \
+    certbot-dns-domeneshop \
+    certbot-dns-google \
+    certbot-dns-hetzner \
+    certbot-dns-inwx \
+    certbot-dns-linode \
+    certbot-dns-luadns \
+    certbot-dns-netcup \
+    certbot-dns-njalla \
+    certbot-dns-nsone \
+    certbot-dns-ovh \
+    certbot-dns-rfc2136 \
+    certbot-dns-route53 \
+    certbot-dns-transip \
+    certbot-dns-vultr \
+    certbot-plugin-gandi \
+    cryptography \
+    requests && \
+  echo "**** remove unnecessary fail2ban filters ****" && \
+  rm \
+    /etc/fail2ban/jail.d/alpine-ssh.conf && \
+  echo "**** copy fail2ban default action and filter to /default ****" && \
+  mkdir -p /defaults/fail2ban && \
+  mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
+  mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
+  echo "**** copy proxy confs to /default ****" && \
+  mkdir -p /defaults/proxy-confs && \
+  curl -o \
+    /tmp/proxy.tar.gz -L \
+    "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
+  tar xf \
+    /tmp/proxy.tar.gz -C \
+    /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
+  echo "**** configure nginx ****" && \
+  rm -f /etc/nginx/conf.d/default.conf && \
+  echo "**** cleanup ****" && \
+  apk del --purge \
+    build-dependencies && \
+  for cleanfiles in *.pyc *.pyo; \
+    do \
+    find /usr/lib/python3.*  -iname "${cleanfiles}" -exec rm -f '{}' + \
+    ; done && \
+  rm -rf \
+    /tmp/* \
+    /root/.cache \
+    /root/.cargo

 # add local files
 COPY root/ /
--- a/Dockerfile.armhf
+++ b/Dockerfile.armhf
@@ -12,148 +12,145 @@ ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53.
 ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2

 RUN \
- echo "**** install build packages ****" && \
- apk add --no-cache --virtual=build-dependencies \
-	cargo \
-	g++ \
-	gcc \
-	libffi-dev \
-	openssl-dev \
-	python3-dev && \
- echo "**** install runtime packages ****" && \
- apk add --no-cache --upgrade \
-	curl \
-	fail2ban \
-	gnupg \
-	memcached \
-	nginx \
-	nginx-mod-http-brotli \
-	nginx-mod-http-dav-ext \
-	nginx-mod-http-echo \
-	nginx-mod-http-fancyindex \
-	nginx-mod-http-geoip2 \
-	nginx-mod-http-headers-more \
-	nginx-mod-http-image-filter \
-	nginx-mod-http-nchan \
-	nginx-mod-http-perl \
-	nginx-mod-http-redis2 \
-	nginx-mod-http-set-misc \
-	nginx-mod-http-upload-progress \
-	nginx-mod-http-xslt-filter \
-	nginx-mod-mail \
-	nginx-mod-rtmp \
-	nginx-mod-stream \
-	nginx-mod-stream-geoip2 \
-	nginx-vim \
-	php7-bcmath \
-	php7-bz2 \
-	php7-ctype \
-	php7-curl \
-	php7-dom \
-	php7-exif \
-	php7-ftp \
-	php7-gd \
-	php7-gmp \
-	php7-iconv \
-	php7-imap \
-	php7-intl \
-	php7-ldap \
-	php7-mcrypt \
-	php7-memcached \
-	php7-mysqli \
-	php7-mysqlnd \
-	php7-opcache \
-	php7-pdo_mysql \
-	php7-pdo_odbc \
-	php7-pdo_pgsql \
-	php7-pdo_sqlite \
-	php7-pear \
-	php7-pecl-apcu \
-	php7-pecl-mailparse \
-	php7-pecl-redis \
-	php7-pgsql \
-	php7-phar \
-	php7-posix \
-	php7-soap \
-	php7-sockets \
-	php7-sodium \
-	php7-sqlite3 \
-	php7-tokenizer \
-	php7-xml \
-	php7-xmlreader \
-	php7-xmlrpc \
-	php7-xsl \
-	php7-zip \
-	py3-cryptography \
-	py3-future \
-	py3-pip \
-	whois && \
- echo "**** install certbot plugins ****" && \
- if [ -z ${CERTBOT_VERSION+x} ]; then \
-        CERTBOT="certbot"; \
- else \
-        CERTBOT="certbot==${CERTBOT_VERSION}"; \
- fi && \
- pip3 install -U \
-	pip && \
- pip3 install -U \
-	${CERTBOT} \
-	certbot-dns-aliyun \
-	certbot-dns-cloudflare \
-	certbot-dns-cloudxns \
-	certbot-dns-cpanel \
-	certbot-dns-digitalocean \
-	certbot-dns-directadmin \
-	certbot-dns-dnsimple \
-	certbot-dns-dnsmadeeasy \
-	certbot-dns-domeneshop \
-	certbot-dns-google \
-	certbot-dns-hetzner \
-	certbot-dns-inwx \
-	certbot-dns-linode \
-	certbot-dns-luadns \
-	certbot-dns-netcup \
-	certbot-dns-njalla \
-	certbot-dns-nsone \
-	certbot-dns-ovh \
-	certbot-dns-rfc2136 \
-	certbot-dns-route53 \
-	certbot-dns-transip \
-	certbot-dns-vultr \
-	certbot-plugin-gandi \
-	cryptography \
-	requests && \
- echo "**** remove unnecessary fail2ban filters ****" && \
- rm \
-	/etc/fail2ban/jail.d/alpine-ssh.conf && \
- echo "**** copy fail2ban default action and filter to /default ****" && \
- mkdir -p /defaults/fail2ban && \
- mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
- mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
- echo "**** copy proxy confs to /default ****" && \
- mkdir -p /defaults/proxy-confs && \
- curl -o \
-	/tmp/proxy.tar.gz -L \
-	"https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
- tar xf \
-	/tmp/proxy.tar.gz -C \
-	/defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
- echo "**** configure nginx ****" && \
- rm -f /etc/nginx/conf.d/default.conf && \
- curl -o \
-	/defaults/dhparams.pem -L \
-	"https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \
- echo "**** cleanup ****" && \
- apk del --purge \
-	build-dependencies && \
- for cleanfiles in *.pyc *.pyo; \
-	do \
-	find /usr/lib/python3.*  -iname "${cleanfiles}" -exec rm -f '{}' + \
-	; done && \
- rm -rf \
-	/tmp/* \
-	/root/.cache \
-	/root/.cargo
+  echo "**** install build packages ****" && \
+  apk add --no-cache --virtual=build-dependencies \
+    cargo \
+    g++ \
+    gcc \
+    libffi-dev \
+    openssl-dev \
+    python3-dev && \
+  echo "**** install runtime packages ****" && \
+  apk add --no-cache --upgrade \
+    curl \
+    fail2ban \
+    gnupg \
+    memcached \
+    nginx \
+    nginx-mod-http-brotli \
+    nginx-mod-http-dav-ext \
+    nginx-mod-http-echo \
+    nginx-mod-http-fancyindex \
+    nginx-mod-http-geoip2 \
+    nginx-mod-http-headers-more \
+    nginx-mod-http-image-filter \
+    nginx-mod-http-nchan \
+    nginx-mod-http-perl \
+    nginx-mod-http-redis2 \
+    nginx-mod-http-set-misc \
+    nginx-mod-http-upload-progress \
+    nginx-mod-http-xslt-filter \
+    nginx-mod-mail \
+    nginx-mod-rtmp \
+    nginx-mod-stream \
+    nginx-mod-stream-geoip2 \
+    nginx-vim \
+    php7-bcmath \
+    php7-bz2 \
+    php7-ctype \
+    php7-curl \
+    php7-dom \
+    php7-exif \
+    php7-ftp \
+    php7-gd \
+    php7-gmp \
+    php7-iconv \
+    php7-imap \
+    php7-intl \
+    php7-ldap \
+    php7-mcrypt \
+    php7-memcached \
+    php7-mysqli \
+    php7-mysqlnd \
+    php7-opcache \
+    php7-pdo_mysql \
+    php7-pdo_odbc \
+    php7-pdo_pgsql \
+    php7-pdo_sqlite \
+    php7-pear \
+    php7-pecl-apcu \
+    php7-pecl-mailparse \
+    php7-pecl-redis \
+    php7-pgsql \
+    php7-phar \
+    php7-posix \
+    php7-soap \
+    php7-sockets \
+    php7-sodium \
+    php7-sqlite3 \
+    php7-tokenizer \
+    php7-xml \
+    php7-xmlreader \
+    php7-xmlrpc \
+    php7-xsl \
+    php7-zip \
+    py3-cryptography \
+    py3-future \
+    py3-pip \
+    whois && \
+  echo "**** install certbot plugins ****" && \
+  if [ -z ${CERTBOT_VERSION+x} ]; then \
+    CERTBOT="certbot"; \
+  else \
+    CERTBOT="certbot==${CERTBOT_VERSION}"; \
+  fi && \
+  pip3 install -U \
+    pip && \
+  pip3 install -U --find-links https://wheel-index.linuxserver.io/alpine/ \
+    ${CERTBOT} \
+    certbot-dns-aliyun \
+    certbot-dns-cloudflare \
+    certbot-dns-cloudxns \
+    certbot-dns-cpanel \
+    certbot-dns-digitalocean \
+    certbot-dns-directadmin \
+    certbot-dns-dnsimple \
+    certbot-dns-dnsmadeeasy \
+    certbot-dns-domeneshop \
+    certbot-dns-google \
+    certbot-dns-hetzner \
+    certbot-dns-inwx \
+    certbot-dns-linode \
+    certbot-dns-luadns \
+    certbot-dns-netcup \
+    certbot-dns-njalla \
+    certbot-dns-nsone \
+    certbot-dns-ovh \
+    certbot-dns-rfc2136 \
+    certbot-dns-route53 \
+    certbot-dns-transip \
+    certbot-dns-vultr \
+    certbot-plugin-gandi \
+    cryptography \
+    requests && \
+  echo "**** remove unnecessary fail2ban filters ****" && \
+  rm \
+    /etc/fail2ban/jail.d/alpine-ssh.conf && \
+  echo "**** copy fail2ban default action and filter to /default ****" && \
+  mkdir -p /defaults/fail2ban && \
+  mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
+  mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
+  echo "**** copy proxy confs to /default ****" && \
+  mkdir -p /defaults/proxy-confs && \
+  curl -o \
+    /tmp/proxy.tar.gz -L \
+    "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
+  tar xf \
+    /tmp/proxy.tar.gz -C \
+    /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
+  echo "**** configure nginx ****" && \
+  rm -f /etc/nginx/conf.d/default.conf && \
+  echo "**** cleanup ****" && \
+  apk del --purge \
+    build-dependencies && \
+  for cleanfiles in *.pyc *.pyo; \
+    do \
+    find /usr/lib/python3.*  -iname "${cleanfiles}" -exec rm -f '{}' + \
+    ; done && \
+  rm -rf \
+    /tmp/* \
+    /root/.cache \
+    /root/.cargo

 # add local files
 COPY root/ /
--- a/README.md
+++ b/README.md
@@ -82,7 +82,7 @@ The architectures supported by this image are:
 * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
 ### Security and password protection
 * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
-* The container provides a pre-generated 4096-bit dhparams.pem (rotated weekly via [Jenkins job](https://ci.linuxserver.io/blue/organizations/jenkins/Xtras-Builders-Etc%2Fdhparams-uploader/activity)) for new instances, however you may generate your own by running `docker exec swag openssl dhparam -out /config/nginx/dhparams.pem 4096` WARNING: This takes a very long time
+* Per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919), the container is shipping [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) as the `dhparams.pem`.
 * If you'd like to password protect your sites, you can use htpasswd. Run the following command on your host to generate the htpasswd file `docker exec -it swag htpasswd -c /config/nginx/.htpasswd <username>`
 * You can add multiple user:pass to `.htpasswd`. For the first user, use the above command, for others, use the above command without the `-c` flag, as it will force deletion of the existing `.htpasswd` and creation of a new one
 * You can also use ldap auth for security and access control. A sample, user configurable ldap.conf is provided, and it requires the separate image [linuxserver/ldap-auth](https://hub.docker.com/r/linuxserver/ldap-auth/) to communicate with an ldap server.
@@ -330,6 +330,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64

 ## Versions

+* **14.05.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later.
 * **21.04.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method.
 * **12.04.21:** - Add php7-gmp and php7-pecl-mailparse.
 * **12.04.21:** - Add support for vultr dns validation.
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -101,7 +101,7 @@ app_setup_block: |
  * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
  ### Security and password protection
  * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
-  * The container provides a pre-generated 4096-bit dhparams.pem (rotated weekly via [Jenkins job](https://ci.linuxserver.io/blue/organizations/jenkins/Xtras-Builders-Etc%2Fdhparams-uploader/activity)) for new instances, however you may generate your own by running `docker exec swag openssl dhparam -out /config/nginx/dhparams.pem 4096` WARNING: This takes a very long time
+  * Per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919), the container is shipping [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) as the `dhparams.pem`.
  * If you'd like to password protect your sites, you can use htpasswd. Run the following command on your host to generate the htpasswd file `docker exec -it swag htpasswd -c /config/nginx/.htpasswd <username>`
  * You can add multiple user:pass to `.htpasswd`. For the first user, use the above command, for others, use the above command without the `-c` flag, as it will force deletion of the existing `.htpasswd` and creation of a new one
  * You can also use ldap auth for security and access control. A sample, user configurable ldap.conf is provided, and it requires the separate image [linuxserver/ldap-auth](https://hub.docker.com/r/linuxserver/ldap-auth/) to communicate with an ldap server.
@@ -151,6 +151,7 @@ app_setup_nginx_reverse_proxy_block: ""

 # changelog
 changelogs:
+  - { date: "14.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later." }
  - { date: "21.04.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method." }
  - { date: "12.04.21:", desc: "Add php7-gmp and php7-pecl-mailparse." }
  - { date: "12.04.21:", desc: "Add support for vultr dns validation." }
--- a/root/defaults/502.html
+++ b/root/defaults/502.html
@@ -41,4 +41,4 @@
            <p>For help and support, please visit: <a target="_blank" href="https://www.linuxserver.io/support">linuxserver.io/support</a></p>
        </div>
    </body>
-</html>
+</html>
--- a/root/defaults/default
+++ b/root/defaults/default
@@ -1,155 +1,153 @@
-## Version 2021/01/03 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default

 error_page 502 /502.html;

 # redirect all traffic to https
 server {
-	listen 80 default_server;
-	listen [::]:80 default_server;
-	server_name _;
-	return 301 https://$host$request_uri;
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+    return 301 https://$host$request_uri;
 }

 # main server block
 server {
-	listen 443 ssl http2 default_server;
-	listen [::]:443 ssl http2 default_server;
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;

-	root /config/www;
-	index index.html index.htm index.php;
+    root /config/www;
+    index index.html index.htm index.php;

-	server_name _;
+    server_name _;

-	# enable subfolder method reverse proxy confs
-	include /config/nginx/proxy-confs/*.subfolder.conf;
+    # enable subfolder method reverse proxy confs
+    include /config/nginx/proxy-confs/*.subfolder.conf;

-	# all ssl related config moved to ssl.conf
-	include /config/nginx/ssl.conf;
+    # all ssl related config moved to ssl.conf
+    include /config/nginx/ssl.conf;

-	# enable for ldap auth
-	#include /config/nginx/ldap.conf;
+    # enable for ldap auth
+    #include /config/nginx/ldap.conf;

-	# enable for Authelia
-	#include /config/nginx/authelia-server.conf;
+    # enable for Authelia
+    #include /config/nginx/authelia-server.conf;

-	# enable for geo blocking
-	# See /config/nginx/geoip2.conf for more information.
-	#if ($allowed_country = no) {
-	#return 444;
-	#}
+    # enable for geo blocking
+    # See /config/nginx/geoip2.conf for more information.
+    #if ($allowed_country = no) {
+    #return 444;
+    #}

-	client_max_body_size 0;
+    client_max_body_size 0;

-	location / {
-		try_files $uri $uri/ /index.html /index.php?$args =404;
-	}
+    location / {
+        try_files $uri $uri/ /index.html /index.php?$args =404;
+    }

-	location ~ \.php$ {
-		fastcgi_split_path_info ^(.+\.php)(/.+)$;
-		fastcgi_pass 127.0.0.1:9000;
-		fastcgi_index index.php;
-		include /etc/nginx/fastcgi_params;
-	}
+    location ~ \.php$ {
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass 127.0.0.1:9000;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+    }

 # sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
 # notice this is within the same server block as the base
 # don't forget to generate the .htpasswd file as described on docker hub
-#	location ^~ /cp {
-#		auth_basic "Restricted";
-#		auth_basic_user_file /config/nginx/.htpasswd;
-#		include /config/nginx/proxy.conf;
-#		proxy_pass http://192.168.1.50:5050/cp;
-#	}
+#    location ^~ /cp {
+#        auth_basic "Restricted";
+#        auth_basic_user_file /config/nginx/.htpasswd;
+#        include /config/nginx/proxy.conf;
+#        proxy_pass http://192.168.1.50:5050/cp;
+#    }

 }

 # sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
 # notice this is a new server block, you need a new server block for each subdomain
 #server {
-#	listen 443 ssl http2;
-#	listen [::]:443 ssl http2;
+#    listen 443 ssl http2;
+#    listen [::]:443 ssl http2;
 #
-#	root /config/www;
-#	index index.html index.htm index.php;
+#    root /config/www;
+#    index index.html index.htm index.php;
 #
-#	server_name cp.*;
+#    server_name cp.*;
 #
-#	include /config/nginx/ssl.conf;
+#    include /config/nginx/ssl.conf;
 #
-#	client_max_body_size 0;
+#    client_max_body_size 0;
 #
-#	location / {
-#		auth_basic "Restricted";
-#		auth_basic_user_file /config/nginx/.htpasswd;
-#		include /config/nginx/proxy.conf;
-#		proxy_pass http://192.168.1.50:5050;
-#	}
+#    location / {
+#        auth_basic "Restricted";
+#        auth_basic_user_file /config/nginx/.htpasswd;
+#        include /config/nginx/proxy.conf;
+#        proxy_pass http://192.168.1.50:5050;
+#    }
 #}

 # sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
 # ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
 # notice this is a new server block, you need a new server block for each subdomain
 #server {
-#	listen 443 ssl http2;
-#	listen [::]:443 ssl http2;
+#    listen 443 ssl http2;
+#    listen [::]:443 ssl http2;
 #
-#	root /config/www;
-#	index index.html index.htm index.php;
+#    root /config/www;
+#    index index.html index.htm index.php;
 #
-#	server_name heimdall.*;
+#    server_name heimdall.*;
 #
-#	include /config/nginx/ssl.conf;
+#    include /config/nginx/ssl.conf;
 #
-#	include /config/nginx/ldap.conf;
+#    include /config/nginx/ldap.conf;
 #
-#	client_max_body_size 0;
+#    client_max_body_size 0;
 #
-#	location / {
-#		# the next two lines will enable ldap auth along with the included ldap.conf in the server block
-#		auth_request /auth;
-#		error_page 401 =200 /ldaplogin;
+#    location / {
+#        # the next two lines will enable ldap auth along with the included ldap.conf in the server block
+#        auth_request /auth;
+#        error_page 401 =200 /ldaplogin;
 #
-#		include /config/nginx/proxy.conf;
-#		resolver 127.0.0.11 valid=30s;
-#		set $upstream_app heimdall;
-#		set $upstream_port 443;
-#		set $upstream_proto https;
-#		proxy_pass $upstream_proto://$upstream_app:$upstream_port;
-#	}
+#        include /config/nginx/proxy.conf;
+#        resolver 127.0.0.11 valid=30s;
+#        set $upstream_app heimdall;
+#        set $upstream_port 443;
+#        set $upstream_proto https;
+#        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+#    }
 #}

 # sample reverse proxy config for "heimdall" via subdomain, with Authelia
 # Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml
 # notice this is a new server block, you need a new server block for each subdomain
 #server {
-#	listen 443 ssl http2;
-#	listen [::]:443 ssl http2;
+#    listen 443 ssl http2;
+#    listen [::]:443 ssl http2;
 #
-#	root /config/www;
-#	index index.html index.htm index.php;
+#    root /config/www;
+#    index index.html index.htm index.php;
 #
-#	server_name heimdall.*;
+#    server_name heimdall.*;
 #
-#	include /config/nginx/ssl.conf;
+#    include /config/nginx/ssl.conf;
 #
-#	include /config/nginx/authelia-server.conf;
+#    include /config/nginx/authelia-server.conf;
 #
-#	client_max_body_size 0;
+#    client_max_body_size 0;
 #
-#	location / {
-#		# the next line will enable Authelia along with the included authelia-server.conf in the server block
-#		include /config/nginx/authelia-location.conf;
+#    location / {
+#        # the next line will enable Authelia along with the included authelia-server.conf in the server block
+#        include /config/nginx/authelia-location.conf;
 #
-#		include /config/nginx/proxy.conf;
-#		resolver 127.0.0.11 valid=30s;
-#		set $upstream_app heimdall;
-#		set $upstream_port 443;
-#		set $upstream_proto https;
-#		proxy_pass $upstream_proto://$upstream_app:$upstream_port;
-#	}
+#        include /config/nginx/proxy.conf;
+#        resolver 127.0.0.11 valid=30s;
+#        set $upstream_app heimdall;
+#        set $upstream_port 443;
+#        set $upstream_proto https;
+#        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+#    }
 #}

 # enable subdomain method reverse proxy confs
 include /config/nginx/proxy-confs/*.subdomain.conf;
-# enable proxy cache for auth
-proxy_cache_path cache/ keys_zone=auth_cache:10m;
--- a/root/defaults/dhparams.pem
+++ b/root/defaults/dhparams.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
+-----END DH PARAMETERS-----
--- a/root/defaults/dns-conf/cloudflare.ini
+++ b/root/defaults/dns-conf/cloudflare.ini
@@ -6,4 +6,4 @@ dns_cloudflare_email = cloudflare@example.com
 dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567

 # With token (comment out both lines above and uncomment below):
-#dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
+#dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
--- a/root/defaults/dns-conf/cpanel.ini
+++ b/root/defaults/dns-conf/cpanel.ini
@@ -3,4 +3,4 @@
 # include the scheme and the port number (usually 2083 for https)
 certbot_dns_cpanel:cpanel_url = https://cpanel.example.com:2083
 certbot_dns_cpanel:cpanel_username = username
-certbot_dns_cpanel:cpanel_password = 1234567890abcdef
+certbot_dns_cpanel:cpanel_password = 1234567890abcdef
--- a/root/defaults/dns-conf/domeneshop.ini
+++ b/root/defaults/dns-conf/domeneshop.ini
@@ -1,4 +1,4 @@
 # Instructions: https://github.com/domeneshop/certbot-dns-domeneshop#credentials
 # Replace with your values
 dns_domeneshop_client_token=1234567890abcdef
-dns_domeneshop_client_secret=1234567890abcdefghijklmnopqrstuvxyz1234567890abcdefghijklmnopqrs
+dns_domeneshop_client_secret=1234567890abcdefghijklmnopqrstuvxyz1234567890abcdefghijklmnopqrs
--- a/root/defaults/dns-conf/google.json
+++ b/root/defaults/dns-conf/google.json
@@ -3,4 +3,4 @@
  "_comment": "Replace with your values",
  "type": "service_account",
  "rest": "..."
-}
+}
--- a/root/defaults/dns-conf/hetzner.ini
+++ b/root/defaults/dns-conf/hetzner.ini
@@ -1,3 +1,3 @@
 # Instructions: https://github.com/ctrlaltcoop/certbot-dns-hetzner
 # Replace with your values
-dns_hetzner_api_token = nohnah4zoo9Kiejee9aGh0thoopee2sa
+dns_hetzner_api_token = nohnah4zoo9Kiejee9aGh0thoopee2sa
--- a/root/defaults/geoip2.conf
+++ b/root/defaults/geoip2.conf
@@ -51,22 +51,22 @@ geo $allow_list {
 # Add the following if statements inside any server context where you want to geo block countries.

 ########################################
-#   if ($allow_list = yes) {
-#   set $allowed_country yes;
-#   }
-#	if ($allowed_country = no) {
-#	return 444;
-#	}
+#    if ($allow_list = yes) {
+#       set $allowed_country yes;
+#    }
+#    if ($allowed_country = no) {
+#       return 444;
+#    }
 #########################################

 # Add the following if statements inside any server context where you want to geo block cities.
 ########################################
-#   if ($allow_list = yes) {
-#   set $allowed_country yes;
-#   }
-#	if ($allowed_city = no) {
-#	return 444;
-#	}
+#    if ($allow_list = yes) {
+#       set $allowed_country yes;
+#    }
+#    if ($allowed_city = no) {
+#       return 444;
+#    }
 #########################################

 # Example using a config from proxy-confs
@@ -90,12 +90,12 @@ geo $allow_list {

 #   # Allow lan access if default is set to no
 #   if ($allow_list = yes) {
-#   set $allowed_country yes;
+#       set $allowed_country yes;
 #   }
-#    # Country geo block
-#    if ($allowed_country = no) {
+#   # Country geo block
+#   if ($allowed_country = no) {
 #       return 444;
-#    }
+#   }


 #
--- a/root/defaults/index.html
+++ b/root/defaults/index.html
@@ -36,4 +36,4 @@
            <p>For help and support, please visit: <a target="_blank" href="https://www.linuxserver.io/support">linuxserver.io/support</a></p>
        </div>
    </body>
-</html>
+</html>
--- a/root/defaults/nginx.conf
+++ b/root/defaults/nginx.conf
@@ -1,120 +1,150 @@
-## Version 2021/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf

 user abc;
-worker_processes 4;
-pid /run/nginx.pid;
+
+# Set number of worker processes automatically based on number of CPU cores.
+include /config/nginx/worker_processes.conf;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Configures default error logger.
+error_log /config/log/nginx/error.log;
+
+# Includes files with directives to load dynamic modules.
 include /etc/nginx/modules/*.conf;

 events {
-	worker_connections 768;
-	# multi_accept on;
+    # The maximum number of simultaneous connections that can be opened by
+    # a worker process.
+    worker_connections 1024;
+    # multi_accept on;
 }

 http {
+    # Includes mapping of file name extensions to MIME types of responses
+    # and defines the default type.
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;

-	##
-	# Basic Settings
-	##
+    # Name servers used to resolve names of upstream servers into addresses.
+    # It's also needed when using tcpsocket and udpsocket in Lua modules.
+    #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
+    include /config/nginx/resolver.conf;

-	client_body_buffer_size 128k;
-	client_max_body_size 0;
-	keepalive_timeout 65;
-	large_client_header_buffers 4 16k;
-	send_timeout 5m;
-	sendfile on;
-	tcp_nodelay on;
-	tcp_nopush on;
-	types_hash_max_size 2048;
-	variables_hash_max_size 2048;
+    # Don't tell nginx version to the clients. Default is 'on'.
+    server_tokens off;

-	# server_tokens off;
-	# server_names_hash_bucket_size 64;
-	# server_name_in_redirect off;
+    # Specifies the maximum accepted body size of a client request, as
+    # indicated by the request header Content-Length. If the stated content
+    # length is greater than this size, then the client receives the HTTP
+    # error code 413. Set to 0 to disable. Default is '1m'.
+    client_max_body_size 0;

-	include /etc/nginx/mime.types;
-	default_type application/octet-stream;
+    # Sendfile copies data between one FD and other from within the kernel,
+    # which is more efficient than read() + write(). Default is off.
+    sendfile on;

-	##
-	# Logging Settings
-	##
+    # Causes nginx to attempt to send its HTTP response head in one packet,
+    # instead of using partial frames. Default is 'off'.
+    tcp_nopush on;

-	access_log /config/log/nginx/access.log;
-	error_log /config/log/nginx/error.log;
+    # Helper variable for proxying websockets.
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }

-	##
-	# Gzip Settings
-	##
+    # Sets the path, format, and configuration for a buffered log write.
+    access_log /config/log/nginx/access.log;

-	gzip on;
-	gzip_disable "msie6";
+    # Includes virtual hosts configs.
+    #include /etc/nginx/http.d/*.conf;

-	# gzip_vary on;
-	# gzip_proxied any;
-	# gzip_comp_level 6;
-	# gzip_buffers 16 8k;
-	# gzip_http_version 1.1;
-	# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+    # WARNING: Don't use this directory for virtual hosts anymore.
+    # This include will be moved to the root context in Alpine 3.14.
+    #include /etc/nginx/conf.d/*.conf;

-	##
-	# nginx-naxsi config
-	##
-	# Uncomment it if you installed nginx-naxsi
-	##

-	#include /etc/nginx/naxsi_core.rules;
+    ##
+    # Basic Settings
+    ##

-	##
-	# nginx-passenger config
-	##
-	# Uncomment it if you installed nginx-passenger
-	##
+    client_body_buffer_size 128k;
+    keepalive_timeout 65;
+    large_client_header_buffers 4 16k;
+    send_timeout 5m;
+    tcp_nodelay on;
+    types_hash_max_size 2048;
+    variables_hash_max_size 2048;
+    # server_names_hash_bucket_size 64;
+    # server_name_in_redirect off;

-	#passenger_root /usr;
-	#passenger_ruby /usr/bin/ruby;
+    ##
+    # Gzip Settings
+    ##

-	##
-	# WebSocket proxying
-	##
-	map $http_upgrade $connection_upgrade {
-		default upgrade;
-		''      close;
-	}
+    gzip on;
+    gzip_disable "msie6";
+    # gzip_vary on;
+    # gzip_proxied any;
+    # gzip_comp_level 6;
+    # gzip_buffers 16 8k;
+    # gzip_http_version 1.1;
+    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

-	##
-	# Virtual Host Configs
-	##
-	include /etc/nginx/conf.d/*.conf;
-	include /config/nginx/site-confs/*;
-	#Removed lua. Do not remove this comment
+    ##
+    # nginx-naxsi config
+    ##
+    # Uncomment it if you installed nginx-naxsi
+    ##

-	##
-	# Geoip2 config
-	##
-	# Uncomment to add the Geoip2 configs needed to geo block countries/cities.
-	##
+    #include /etc/nginx/naxsi_core.rules;

-	#include /config/nginx/geoip2.conf;
+    ##
+    # nginx-passenger config
+    ##
+    # Uncomment it if you installed nginx-passenger
+    ##
+
+    #passenger_root /usr;
+    #passenger_ruby /usr/bin/ruby;
+
+    ##
+    # Virtual Host Configs
+    ##
+    include /config/nginx/site-confs/*;
+    #Removed lua. Do not remove this comment
+
+    ##
+    # Geoip2 config
+    ##
+    # Uncomment to add the Geoip2 configs needed to geo block countries/cities.
+    ##
+
+    #include /config/nginx/geoip2.conf;
 }

-
 #mail {
-#	# See sample authentication script at:
-#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#    # See sample authentication script at:
+#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
 #
-#	# auth_http localhost/auth.php;
-#	# pop3_capabilities "TOP" "USER";
-#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
+#    # auth_http localhost/auth.php;
+#    # pop3_capabilities "TOP" "USER";
+#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
 #
-#	server {
-#		listen     localhost:110;
-#		protocol   pop3;
-#		proxy      on;
-#	}
+#    server {
+#        listen     localhost:110;
+#        protocol   pop3;
+#        proxy      on;
+#    }
 #
-#	server {
-#		listen     localhost:143;
-#		protocol   imap;
-#		proxy      on;
-#	}
+#    server {
+#        listen     localhost:143;
+#        protocol   imap;
+#        proxy      on;
+#    }
 #}
+
 daemon off;
+pid /run/nginx.pid;
--- a/root/defaults/proxy.conf
+++ b/root/defaults/proxy.conf
@@ -1,4 +1,4 @@
-## Version 2020/10/04 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf

 # Timeout if the real server is dead
 proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
@@ -15,6 +15,7 @@ proxy_send_timeout 240;

 # Proxy Cache and Cookie Settings
 proxy_cache_bypass $cookie_session;
+proxy_cache_path cache/ keys_zone=auth_cache:10m;
 #proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
 proxy_no_cache $cookie_session;

--- a/root/defaults/ssl.conf
+++ b/root/defaults/ssl.conf
@@ -1,4 +1,4 @@
-## Version 2020/10/29 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf

 ### Mozilla Recommendations
 # generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
@@ -29,9 +29,6 @@ ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;
 # Diffie-Hellman Parameters
 ssl_dhparam /config/nginx/dhparams.pem;

-# Resolver
-resolver 127.0.0.11 valid=30s; # Docker DNS Server
-
 # Enable TLS 1.3 early data
 ssl_early_data on;

--- a/root/etc/cont-init.d/50-config
+++ b/root/etc/cont-init.d/50-config
@@ -17,26 +17,26 @@ STAGING=${STAGING}\\n"

 # Echo init finish for test runs
 if [ -n "${TEST_RUN}" ]; then
-	echo '[services.d] done.'
+    echo '[services.d] done.'
 fi

 # Sanitize variables
 SANED_VARS=( DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER )
 for i in "${SANED_VARS[@]}"
 do
-  export echo "$i"="${!i//\"/}"
-  export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
+    export echo "$i"="${!i//\"/}"
+    export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
 done

 # check to make sure that the required variables are set
 [[ -z "$URL" ]] && \
-  echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details." && \
-  sleep infinity
+    echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details." && \
+    sleep infinity

 # make our folders and links
 mkdir -p \
-	/config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db} \
-	/var/run/fail2ban
+    /config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db} \
+    /var/run/fail2ban
 rm -rf /etc/letsencrypt
 ln -s /config/etc/letsencrypt /etc/letsencrypt

@@ -52,12 +52,12 @@ cp -R /defaults/fail2ban/filter.d /config/fail2ban/
 cp -R /defaults/fail2ban/action.d /config/fail2ban/
 # if jail.local is missing in /config, copy default
 [[ ! -f /config/fail2ban/jail.local ]] && \
-	cp /defaults/jail.local /config/fail2ban/jail.local
+    cp /defaults/jail.local /config/fail2ban/jail.local
 # Replace fail2ban config with user config
 [[ -d /etc/fail2ban/filter.d ]] && \
-	rm -rf /etc/fail2ban/filter.d
+    rm -rf /etc/fail2ban/filter.d
 [[ -d /etc/fail2ban/action.d ]] && \
-	rm -rf /etc/fail2ban/action.d
+    rm -rf /etc/fail2ban/action.d
 cp -R /config/fail2ban/filter.d /etc/fail2ban/
 cp -R /config/fail2ban/action.d /etc/fail2ban/
 cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/
@@ -65,43 +65,53 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local

 # copy crontab and proxy defaults if needed
 [[ ! -f /config/crontabs/root ]] && \
-	cp /etc/crontabs/root /config/crontabs/
+    cp /etc/crontabs/root /config/crontabs/
 [[ ! -f /config/nginx/proxy.conf ]] && \
-	cp /defaults/proxy.conf /config/nginx/proxy.conf
+    cp /defaults/proxy.conf /config/nginx/proxy.conf
 [[ ! -f /config/nginx/ssl.conf ]] && \
-	cp /defaults/ssl.conf /config/nginx/ssl.conf
+    cp /defaults/ssl.conf /config/nginx/ssl.conf
 [[ ! -f /config/nginx/ldap.conf ]] && \
-	cp /defaults/ldap.conf /config/nginx/ldap.conf
+    cp /defaults/ldap.conf /config/nginx/ldap.conf
 [[ ! -f /config/nginx/authelia-server.conf ]] && \
-	cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf
+    cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf
 [[ ! -f /config/nginx/authelia-location.conf ]] && \
-	cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf
+    cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf
 [[ ! -f /config/nginx/geoip2.conf ]] && \
-	cp /defaults/geoip2.conf /config/nginx/geoip2.conf
+    cp /defaults/geoip2.conf /config/nginx/geoip2.conf
 [[ ! -f /config/www/502.html ]] &&
-	cp /defaults/502.html /config/www/502.html
+    cp /defaults/502.html /config/www/502.html
+
+# Set resolver
+if ! grep -q 'resolver' /config/nginx/resolver.conf; then
+    RESOLVER=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf)
+    echo "Setting resolver to ${RESOLVER}"
+    echo -e "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf
+fi
+
+# Set worker_processes
+if ! grep -q 'worker_processes' /config/nginx/worker_processes.conf; then
+    WORKER_PROCESSES=$(nproc)
+    echo "Setting worker_processes to ${WORKER_PROCESSES}"
+    echo -e "# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically.\n\nworker_processes ${WORKER_PROCESSES};" > /config/nginx/worker_processes.conf
+fi

 # remove lua bits from nginx.conf if not done before
-if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then 
-  echo "Removing lua specific info from nginx.conf"
-  sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf
+if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
+    echo "Removing lua specific info from nginx.conf"
+    sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf
 fi

 # copy pre-generated dhparams or generate if needed
 [[ ! -f /config/nginx/dhparams.pem ]] && \
-  cp /defaults/dhparams.pem /config/nginx/dhparams.pem
+    cp /defaults/dhparams.pem /config/nginx/dhparams.pem
 if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
-  curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem"
-fi
-if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
-  echo "Generating dhparams.pem. This will take a long time. Do not stop the container until this process is completed."
-  openssl dhparam -out /config/nginx/dhparams.pem 4096
+    curl -o /config/nginx/dhparams.pem -L "https://ssl-config.mozilla.org/ffdhe4096.txt"
 fi

 # check to make sure DNSPLUGIN is selected if dns validation is used
 [[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(aliyun|cloudflare|cloudxns|cpanel|digitalocean|directadmin|dnsimple|dnsmadeeasy|domeneshop|gandi|gehirn|google|hetzner|inwx|linode|luadns|netcup|njalla|nsone|ovh|rfc2136|route53|sakuracloud|transip|vultr)$ ]] && \
-  echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." && \
-  sleep infinity
+    echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." && \
+    sleep infinity

 # import user crontabs
 rm /etc/crontabs/*
@@ -109,11 +119,11 @@ cp /config/crontabs/* /etc/crontabs/

 # create original config file if it doesn't exist, move non-hidden legacy file to hidden
 if [ -f "/config/donoteditthisfile.conf" ]; then
-  mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
+    mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
 fi
 if [ ! -f "/config/.donoteditthisfile.conf" ]; then
-  echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" > /config/.donoteditthisfile.conf
-  echo "Created .donoteditthisfile.conf"
+    echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" > /config/.donoteditthisfile.conf
+    echo "Created .donoteditthisfile.conf"
 fi

 # load original config settings
@@ -122,75 +132,75 @@ fi

 # set default validation to http
 if [ -z "$VALIDATION" ]; then
-  VALIDATION="http"
-  echo "VALIDATION parameter not set; setting it to http"
+    VALIDATION="http"
+    echo "VALIDATION parameter not set; setting it to http"
 fi

 # if zerossl is selected or staging is set to true, use the relevant server
 if [ "$CERTPROVIDER" = "zerossl" ] && [ "$STAGING" = "true" ]; then
-  echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
+    echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
 fi
 if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then
-  echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL"
-  ACMESERVER="https://acme.zerossl.com/v2/DV90"
+    echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL"
+    ACMESERVER="https://acme.zerossl.com/v2/DV90"
 elif [ "$CERTPROVIDER" = "zerossl" ] && [ -z "$EMAIL" ]; then
-  echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable"
-  sleep infinity
+    echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable"
+    sleep infinity
 elif [ "$STAGING" = "true" ]; then
-  echo "NOTICE: Staging is active"
-  echo "Using Let's Encrypt as the cert provider"
-  ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
+    echo "NOTICE: Staging is active"
+    echo "Using Let's Encrypt as the cert provider"
+    ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
 else
-  echo "Using Let's Encrypt as the cert provider"
-  ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
+    echo "Using Let's Encrypt as the cert provider"
+    ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
 fi

 # figuring out url only vs url & subdomains vs subdomains only
 if [ -n "$SUBDOMAINS" ]; then
-  echo "SUBDOMAINS entered, processing"
-  if [ "$SUBDOMAINS" = "wildcard" ]; then
-    if [ "$ONLY_SUBDOMAINS" = true ]; then
-      export URL_REAL="-d *.${URL}"
-      echo "Wildcard cert for only the subdomains of $URL will be requested"
-    else
-      export URL_REAL="-d *.${URL} -d ${URL}"
-      echo "Wildcard cert for $URL will be requested"
-    fi
-  else
    echo "SUBDOMAINS entered, processing"
-    for job in $(echo "$SUBDOMAINS" | tr "," " "); do
-      export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}"
-    done
-    if [ "$ONLY_SUBDOMAINS" = true ]; then
-      URL_REAL="$SUBDOMAINS_REAL"
-      echo "Only subdomains, no URL in cert"
+    if [ "$SUBDOMAINS" = "wildcard" ]; then
+        if [ "$ONLY_SUBDOMAINS" = true ]; then
+            export URL_REAL="-d *.${URL}"
+            echo "Wildcard cert for only the subdomains of $URL will be requested"
+        else
+            export URL_REAL="-d *.${URL} -d ${URL}"
+            echo "Wildcard cert for $URL will be requested"
+        fi
    else
-      URL_REAL="-d ${URL}${SUBDOMAINS_REAL}"
+        echo "SUBDOMAINS entered, processing"
+        for job in $(echo "$SUBDOMAINS" | tr "," " "); do
+            export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}"
+        done
+        if [ "$ONLY_SUBDOMAINS" = true ]; then
+            URL_REAL="$SUBDOMAINS_REAL"
+            echo "Only subdomains, no URL in cert"
+        else
+            URL_REAL="-d ${URL}${SUBDOMAINS_REAL}"
+        fi
+        echo "Sub-domains processed are: $SUBDOMAINS_REAL"
    fi
-    echo "Sub-domains processed are: $SUBDOMAINS_REAL"
-  fi
 else
-  echo "No subdomains defined"
-  URL_REAL="-d $URL"
+    echo "No subdomains defined"
+    URL_REAL="-d $URL"
 fi

 # add extra domains
 if [ -n "$EXTRA_DOMAINS" ]; then
-  echo "EXTRA_DOMAINS entered, processing"
-  for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do
-    export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}"
-  done
-  echo "Extra domains processed are: $EXTRA_DOMAINS_REAL"
-  URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL"
+    echo "EXTRA_DOMAINS entered, processing"
+    for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do
+        export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}"
+    done
+    echo "Extra domains processed are: $EXTRA_DOMAINS_REAL"
+    URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL"
 fi

 # figuring out whether to use e-mail and which
 if [[ $EMAIL == *@* ]]; then
-  echo "E-mail address entered: ${EMAIL}"
-  EMAILPARAM="-m ${EMAIL} --no-eff-email"
+    echo "E-mail address entered: ${EMAIL}"
+    EMAILPARAM="-m ${EMAIL} --no-eff-email"
 else
-  echo "No e-mail address entered or address invalid"
-  EMAILPARAM="--register-unsafely-without-email"
+    echo "No e-mail address entered or address invalid"
+    EMAILPARAM="--register-unsafely-without-email"
 fi

 # update plugin names in dns conf inis
@@ -201,82 +211,82 @@ sed -i 's|^certbot_dns_transip:||g' /config/dns-conf/transip.ini

 # setting the validation method to use
 if [ "$VALIDATION" = "dns" ]; then
-  if [ "$DNSPLUGIN" = "route53" ]; then
-    if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-    PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}"
-  elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then
-    if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-    PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
-  elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then
-    if [ -n "$PROPAGATION" ];then echo "Gandi dns plugin does not support setting propagation time"; fi
-    PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini"
-  elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then
-    if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-    PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}"
-  elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|hetzner|inwx|netcup|njalla|transip|vultr)$ ]]; then
-    if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-    PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
-  elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then
-    if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-    PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
-  else
-    if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-    PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
-  fi
-  echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
+    if [ "$DNSPLUGIN" = "route53" ]; then
+        if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+        PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}"
+    elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then
+        if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+        PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
+    elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then
+        if [ -n "$PROPAGATION" ];then echo "Gandi dns plugin does not support setting propagation time"; fi
+        PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini"
+    elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then
+        if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+        PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}"
+    elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|hetzner|inwx|netcup|njalla|transip|vultr)$ ]]; then
+        if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+        PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
+    elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then
+        if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+        PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
+    else
+        if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+        PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
+    fi
+    echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
 elif [ "$VALIDATION" = "tls-sni" ]; then
-  PREFCHAL="--non-interactive --standalone --preferred-challenges http"
-  echo "*****tls-sni validation has been deprecated, attempting http validation instead"
+    PREFCHAL="--non-interactive --standalone --preferred-challenges http"
+    echo "*****tls-sni validation has been deprecated, attempting http validation instead"
 elif [ "$VALIDATION" = "duckdns" ]; then
-  PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt"
-  chmod +x /app/duckdns-txt
-  echo "duckdns validation is selected"
-  if [ "$SUBDOMAINS" = "wildcard" ]; then
-    echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
-    export URL_REAL="-d *.${URL}"
-  else
-    echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org"
-    export URL_REAL="-d ${URL}"
-  fi
+    PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt"
+    chmod +x /app/duckdns-txt
+    echo "duckdns validation is selected"
+    if [ "$SUBDOMAINS" = "wildcard" ]; then
+        echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
+        export URL_REAL="-d *.${URL}"
+    else
+        echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org"
+        export URL_REAL="-d ${URL}"
+    fi
 else
-  PREFCHAL="--non-interactive --standalone --preferred-challenges http"
-  echo "http validation is selected"
+    PREFCHAL="--non-interactive --standalone --preferred-challenges http"
+    echo "http validation is selected"
 fi

 # setting the symlink for key location
 rm -rf /config/keys/letsencrypt
 if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ] ; then
-  DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}"
-  ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt
+    DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}"
+    ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt
 else
-  ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt
+    ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt
 fi

 # checking for changes in cert variables, revoking certs if necessary
 if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ] || [ ! "$VALIDATION" = "$ORIGVALIDATION" ] || [ ! "$DNSPLUGIN" = "$ORIGDNSPLUGIN" ] || [ ! "$PROPAGATION" = "$ORIGPROPAGATION" ] || [ ! "$STAGING" = "$ORIGSTAGING" ] || [ ! "$DUCKDNSTOKEN" = "$ORIGDUCKDNSTOKEN" ] || [ ! "$CERTPROVIDER" = "$ORIGCERTPROVIDER" ]; then
-  echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
-  if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! "$ORIGSUBDOMAINS" = "wildcard" ]; then
-    ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
-  else
-    ORIGDOMAIN="$ORIGURL"
-  fi
-  if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then
-    REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL")
-    REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
-    REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
-    if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then
-      echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
-      sleep infinity
+    echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
+    if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! "$ORIGSUBDOMAINS" = "wildcard" ]; then
+        ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
+    else
+        ORIGDOMAIN="$ORIGURL"
    fi
-    REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}"
-  elif [ "$ORIGSTAGING" = "true" ]; then
-    REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
-  else
-    REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
-  fi
-  [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
-  rm -rf /config/etc/letsencrypt
-  mkdir -p /config/etc/letsencrypt
+    if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then
+        REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL")
+        REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
+        REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
+        if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then
+            echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
+            sleep infinity
+        fi
+        REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}"
+    elif [ "$ORIGSTAGING" = "true" ]; then
+        REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
+    else
+        REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
+    fi
+    [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
+    rm -rf /config/etc/letsencrypt
+    mkdir -p /config/etc/letsencrypt
 fi

 # saving new variables
@@ -284,74 +294,74 @@ echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$

 # alter extension for error message
 if [ "$DNSPLUGIN" = "google" ]; then
-  FILENAME="$DNSPLUGIN.json"
+    FILENAME="$DNSPLUGIN.json"
 else
-  FILENAME="$DNSPLUGIN.ini"
+    FILENAME="$DNSPLUGIN.ini"
 fi

 # generating certs if necessary
 if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
-  if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then
-    echo "Retrieving EAB from ZeroSSL"
-    EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL")
-    ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
-    ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
-    if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then
-      echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
-      sleep infinity
+    if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then
+        echo "Retrieving EAB from ZeroSSL"
+        EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL")
+        ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
+        ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
+        if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then
+            echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
+            sleep infinity
+        fi
+        ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}"
    fi
-    ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}"
-  fi
-  echo "Generating new certificate"
-  # shellcheck disable=SC2086
-  certbot certonly --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL
-  if [ -d /config/keys/letsencrypt ]; then
-    cd /config/keys/letsencrypt || exit
-  else
-    if [ "$VALIDATION" = "dns" ]; then
-      echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
-    elif [ "$VALIDATION" = "duckdns" ]; then
-      echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct."
+    echo "Generating new certificate"
+    # shellcheck disable=SC2086
+    certbot certonly --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL
+    if [ -d /config/keys/letsencrypt ]; then
+        cd /config/keys/letsencrypt || exit
    else
-      echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
+        if [ "$VALIDATION" = "dns" ]; then
+            echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
+        elif [ "$VALIDATION" = "duckdns" ]; then
+            echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct."
+        else
+            echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
+        fi
+        sleep infinity
    fi
-    sleep infinity
-  fi
-  openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
-  sleep 1
-  cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
-  echo "New certificate generated; starting nginx"
+    openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
+    sleep 1
+    cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
+    echo "New certificate generated; starting nginx"
 else
-  echo "Certificate exists; parameters unchanged; starting nginx"
+    echo "Certificate exists; parameters unchanged; starting nginx"
 fi

 # create GeoIP2 folder symlink
 [[ -d /var/lib/libmaxminddb ]] && [[ ! -L /var/lib/libmaxminddb ]] && \
-  rm -rf /var/lib/libmaxminddb
+    rm -rf /var/lib/libmaxminddb
 [[ ! -d /var/lib/libmaxminddb ]] && \
-  ln -s /config/geoip2db /var/lib/libmaxminddb
+    ln -s /config/geoip2db /var/lib/libmaxminddb
 # check GeoIP2 database
 if [ -n "$MAXMINDDB_LICENSE_KEY" ]; then
-  sed -i "s|.*MAXMINDDB_LICENSE_KEY.*|MAXMINDDB_LICENSE_KEY=\"${MAXMINDDB_LICENSE_KEY}\"|g" /etc/conf.d/libmaxminddb
-  if [ ! -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then
-    echo "Downloading GeoIP2 City database."
-    /etc/periodic/weekly/libmaxminddb
-  fi
+    sed -i "s|.*MAXMINDDB_LICENSE_KEY.*|MAXMINDDB_LICENSE_KEY=\"${MAXMINDDB_LICENSE_KEY}\"|g" /etc/conf.d/libmaxminddb
+    if [ ! -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then
+        echo "Downloading GeoIP2 City database."
+        /etc/periodic/weekly/libmaxminddb
+    fi
 elif [ -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then
-  echo -e "Currently using the user provided GeoLite2-City.mmdb.\nIf you want to enable weekly auto-updates of the database, retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
+    echo -e "Currently using the user provided GeoLite2-City.mmdb.\nIf you want to enable weekly auto-updates of the database, retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
 else
-  echo -e "Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
+    echo -e "Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
 fi

 # logfiles needed by fail2ban
 [[ ! -f /config/log/nginx/error.log ]] && \
-	touch /config/log/nginx/error.log
+    touch /config/log/nginx/error.log
 [[ ! -f /config/log/nginx/access.log ]] && \
-	touch /config/log/nginx/access.log
+    touch /config/log/nginx/access.log

 # permissions
 chown -R abc:abc \
-	/config
+    /config
 chmod -R 0644 /etc/logrotate.d
 chmod -R +r /config/log
 chmod +x /app/le-renew.sh
--- a/root/etc/cont-init.d/60-renew
+++ b/root/etc/cont-init.d/60-renew
@@ -7,4 +7,4 @@ else
    echo "The cert is either expired or it expires within the next day. Attempting to renew. This could take up to 10 minutes."
    /app/le-renew.sh
    sleep 1
-fi
+fi
--- a/root/etc/logrotate.d/lerotate
+++ b/root/etc/logrotate.d/lerotate
@@ -1,11 +1,11 @@
 /config/log/letsencrypt/*.log {
- weekly
- rotate 52
- compress
- delaycompress
- nodateext
- missingok
- notifempty
- sharedscripts
- su abc abc
+    weekly
+    rotate 52
+    compress
+    delaycompress
+    nodateext
+    missingok
+    notifempty
+    sharedscripts
+    su abc abc
 }
--- a/root/etc/services.d/fail2ban/run
+++ b/root/etc/services.d/fail2ban/run
@@ -1,4 +1,4 @@
 #!/usr/bin/with-contenv bash

-  exec \
-        fail2ban-client -x -f start
+exec \
+    fail2ban-client -x -f start