From 17387674b8371917120550a46cb78b9842feee18 Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Sun, 30 Jul 2023 01:17:57 -0500
Subject: [PATCH 1/7] standard cron
Signed-off-by: Eric Nemchik
---
root/defaults/crontabs/abc | 2 +
root/etc/crontabs/root | 9 -----
.../s6-rc.d/init-certbot-config/run | 11 +++---
.../dependencies.d/init-fail2ban-config | 0
.../s6-rc.d/init-crontab-config/run | 22 +++++++++++
.../type | 0
.../s6-overlay/s6-rc.d/init-crontab-config/up | 1 +
.../s6-rc.d/init-crontabs-config/run | 38 -------------------
.../s6-rc.d/init-crontabs-config/up | 1 -
.../dependencies.d/init-crontab-config} | 0
.../contents.d/init-crontab-config} | 0
.../user/contents.d/init-crontabs-config | 0
12 files changed, 31 insertions(+), 53 deletions(-)
create mode 100644 root/defaults/crontabs/abc
delete mode 100644 root/etc/crontabs/root
rename root/etc/s6-overlay/s6-rc.d/{init-crontabs-config => init-crontab-config}/dependencies.d/init-fail2ban-config (100%)
create mode 100644 root/etc/s6-overlay/s6-rc.d/init-crontab-config/run
rename root/etc/s6-overlay/s6-rc.d/{init-crontabs-config => init-crontab-config}/type (100%)
create mode 100644 root/etc/s6-overlay/s6-rc.d/init-crontab-config/up
delete mode 100755 root/etc/s6-overlay/s6-rc.d/init-crontabs-config/run
delete mode 100644 root/etc/s6-overlay/s6-rc.d/init-crontabs-config/up
rename root/etc/{crontabs/abc => s6-overlay/s6-rc.d/init-nginx-config/dependencies.d/init-crontab-config} (100%)
rename root/etc/s6-overlay/s6-rc.d/{init-nginx-config/dependencies.d/init-crontabs-config => user/contents.d/init-crontab-config} (100%)
delete mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/init-crontabs-config
diff --git a/root/defaults/crontabs/abc b/root/defaults/crontabs/abc
new file mode 100644
index 0000000..a9909e3
--- /dev/null
+++ b/root/defaults/crontabs/abc
@@ -0,0 +1,2 @@
+# min hour day month weekday command
+8 2 * * * /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1
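Review bot: The renewal job now runs under abc's crontab (the root crontab carrying the same line is deleted in this patch), but its output is appended to /config/log/letsencrypt/letsencrypt.log, a directory that init-folders-config creates and that nothing in this series visibly chowns to abc (patch 3 chowns /var/log/letsencrypt; whether that is the same tree is not shown). If abc cannot open that file, the shell fails on the redirection before /app/le-renew.sh ever starts and the renewal is silently skipped, with nothing in the log to say so. Confirm that /config/log/letsencrypt and /app/le-renew.sh are accessible to abc, and record the requirement in the crontab itself, e.g. `# runs as abc: /app/le-renew.sh and /config/log/letsencrypt/ must be readable/writable by abc`.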
diff --git a/root/etc/crontabs/root b/root/etc/crontabs/root
deleted file mode 100644
index c24fea0..0000000
--- a/root/etc/crontabs/root
+++ /dev/null
@@ -1,9 +0,0 @@
-# do daily/weekly/monthly maintenance
-# min hour day month weekday command
-*/15 * * * * run-parts /etc/periodic/15min
-0 * * * * run-parts /etc/periodic/hourly
-0 2 * * * run-parts /etc/periodic/daily
-0 3 * * 6 run-parts /etc/periodic/weekly
-0 5 1 * * run-parts /etc/periodic/monthly
-# renew letsencrypt certs
-8 2 * * * /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1
diff --git a/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run b/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run
index 6d33344..e872e8d 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run
@@ -44,6 +44,7 @@ function set_ini_value() {
 # ensure config files exist and has at least one value set (set_ini_value does not work on empty files)
 touch /config/etc/letsencrypt/cli.ini
+lsiown abc:abc /config/etc/letsencrypt/cli.ini
 grep -qF 'agree-tos' /config/etc/letsencrypt/cli.ini || echo 'agree-tos=true' >>/config/etc/letsencrypt/cli.ini
 # copy dns default configs
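Review bot: `lsiown abc:abc` changes who owns cli.ini but not its mode, and this same file later receives `eab-hmac-key` via set_ini_value (visible in the context of the hunk at line ~341 of this patch), i.e. a credential; whether it ends up group- or world-readable depends only on the umask in effect at `touch` time. Since the file is now deliberately owned by the unprivileged account certbot runs as, tightening it here costs one line: `chmod 600 /config/etc/letsencrypt/cli.ini` directly after the lsiown. The `grep ... || echo >>` that follows still runs as root, so it is unaffected. The rest of the script's setup continues outside this hunk.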
@@ -190,9 +191,9 @@ if [[ ! "${URL}" = "${ORIGURL}" ]] ||
 REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
 fi
 if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
- certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true
+ s6-setuidgid abc certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true
 else
- certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
+ s6-setuidgid abc certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
 fi
 rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
 fi
@@ -205,9 +206,9 @@ if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "l
 echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
 REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
 if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
- certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true
+ s6-setuidgid abc certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true
 else
- certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
+ s6-setuidgid abc certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
 fi
 rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
 fi
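Review bot: Running the revocation as abc introduces a new failure mode that the existing `|| true` hides: abc must be able to read the account key under /config/etc/letsencrypt/accounts and the certificate it is revoking, both of which were created by root on installs that predate this change (the recursive chown that would fix that is only added in patch 3 of this series). When revoke fails for that reason, the very next line `rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}` still discards the only copy, leaving a certificate that is unrevoked yet no longer held by anyone, which is the one outcome the revoke was meant to prevent. Keep it best-effort but make the failure visible, on both branches: `... --server "${REV_ACMESERVER[@]}" || echo "WARNING: revoking the certificate for ${ORIGDOMAIN} failed; it remains valid until it expires"`. The enclosing `if [[ ! "${URL}" = "${ORIGURL}" ]] || ...` starts before this hunk.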
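Review bot: The revoke block in this hunk is now a verbatim copy of the one in the previous hunk (same `-f fullchain.pem` test, same two `s6-setuidgid abc certbot revoke` forms, same `|| true`), and this commit had to edit four lines to change one thing; a small helper keeps the two call sites from drifting the next time the invocation changes. Defining the function below once near the top of the script lets each site collapse to `revoke_orig_cert` followed by the unchanged `rm -rf`, with no behavioural change since both branches and the best-effort `|| true` are preserved. It reads `ORIGDOMAIN` and `REV_ACMESERVER` from the enclosing scope exactly as the inline code does. The enclosing `if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && ...` starts before this hunk.

```shell
# Revoke the current certificate for ORIGDOMAIN as abc: by path while the live
# chain still exists, otherwise by certificate name. Best-effort, as before.
revoke_orig_cert() {
    local chain="/config/etc/letsencrypt/live/${ORIGDOMAIN}/fullchain.pem"
    if [[ -f "${chain}" ]]; then
        s6-setuidgid abc certbot revoke --non-interactive --cert-path "${chain}" --server "${REV_ACMESERVER[@]}" || true
    else
        s6-setuidgid abc certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
    fi
}

# … unchanged: echo "The cert seems to be using the old LE root cert, …" and REV_ACMESERVER=(…) …
revoke_orig_cert
rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
```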
@@ -340,7 +341,7 @@ if [[ ! -f "/config/keys/letsencrypt/fullchain.pem" ]]; then
 set_ini_value "eab-hmac-key" "${ZEROSSL_EAB_HMAC_KEY}" /config/etc/letsencrypt/cli.ini
 fi
 echo "Generating new certificate"
- certbot certonly --non-interactive --renew-by-default
+ s6-setuidgid abc certbot certonly --non-interactive --renew-by-default
 if [[ ! -d /config/keys/letsencrypt ]]; then
 if [[ "${VALIDATION}" = "dns" ]]; then
 echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the ${DNSCREDENTIALFILE} file."
diff --git a/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/dependencies.d/init-fail2ban-config b/root/etc/s6-overlay/s6-rc.d/init-crontab-config/dependencies.d/init-fail2ban-config
similarity index 100%
rename from root/etc/s6-overlay/s6-rc.d/init-crontabs-config/dependencies.d/init-fail2ban-config
rename to root/etc/s6-overlay/s6-rc.d/init-crontab-config/dependencies.d/init-fail2ban-config
diff --git a/root/etc/s6-overlay/s6-rc.d/init-crontab-config/run b/root/etc/s6-overlay/s6-rc.d/init-crontab-config/run
new file mode 100644
index 0000000..c49a50c
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-crontab-config/run
@@ -0,0 +1,22 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+# make folders
+mkdir -p \
+ /config/crontabs
+
+## abc
+# if crontabs do not exist in config
+if [[ ! -f /config/crontabs/abc ]]; then
+# copy crontab from system
+if crontab -l -u abc; then
+crontab -l -u abc >/config/crontabs/abc
+fi
+
+# if crontabs still do not exist in config (were not copied from system)
+# copy crontab from included defaults (using -n, do not overwrite an existing file)
+cp -n /defaults/crontabs/abc /config/crontabs/
+fi
+# set permissions and import user crontabs
+lsiown abc:abc /config/crontabs/abc
+crontab -u abc /config/crontabs/abc
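Review bot: With `s6-setuidgid abc certbot certonly`, any deploy/renewal hooks certbot invokes (the renewal-hooks directory under /config/etc/letsencrypt is created by init-folders-config, presumably as root) now presumably execute as abc too, while the success check two lines down only asks whether /config/keys/letsencrypt exists, so a hook that can no longer write there, or a hook file abc cannot execute, surfaces as the generic "Cert does not exist" message rather than a permissions error. Worth confirming that /config/keys and the hook scripts are accessible to abc, and capturing certbot's own exit status next to the directory test, e.g. `if ! s6-setuidgid abc certbot certonly --non-interactive --renew-by-default || [[ ! -d /config/keys/letsencrypt ]]; then`, so a failed run is reported even when a stale keys directory is present. Running the user-editable hooks as abc instead of root is otherwise a welcome reduction in privilege. The enclosing `if [[ ! -f "/config/keys/letsencrypt/fullchain.pem" ]]` starts before this hunk and the error branch continues after it.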
diff --git a/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/type b/root/etc/s6-overlay/s6-rc.d/init-crontab-config/type
similarity index 100%
rename from root/etc/s6-overlay/s6-rc.d/init-crontabs-config/type
rename to root/etc/s6-overlay/s6-rc.d/init-crontab-config/type
diff --git a/root/etc/s6-overlay/s6-rc.d/init-crontab-config/up b/root/etc/s6-overlay/s6-rc.d/init-crontab-config/up
new file mode 100644
index 0000000..d354111
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-crontab-config/up
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-crontab-config/run
diff --git a/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/run b/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/run
deleted file mode 100755
index c0bb241..0000000
--- a/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/run
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/usr/bin/with-contenv bash
-# shellcheck shell=bash
-
-# make folders
-mkdir -p \
- /config/crontabs
-
-## root
-# if crontabs do not exist in config
-if [[ ! -f /config/crontabs/root ]]; then
-# copy crontab from system
-if crontab -l -u root; then
-crontab -l -u root >/config/crontabs/root
-fi
-
-# if crontabs still do not exist in config (were not copied from system)
-# copy crontab from included defaults (using -n, do not overwrite an existing file)
-cp -n /etc/crontabs/root /config/crontabs/ 2> >(grep -v 'cp: not replacing')
-fi
-# set permissions and import user crontabs
-lsiown root:root /config/crontabs/root
-crontab -u root /config/crontabs/root
-
-## abc
-# if crontabs do not exist in config
-if [[ ! -f /config/crontabs/abc ]]; then
-# copy crontab from system
-if crontab -l -u abc; then
-crontab -l -u abc >/config/crontabs/abc
-fi
-
-# if crontabs still do not exist in config (were not copied from system)
-# copy crontab from included defaults (using -n, do not overwrite an existing file)
-cp -n /etc/crontabs/abc /config/crontabs/ 2> >(grep -v 'cp: not replacing')
-fi
-# set permissions and import user crontabs
-lsiown abc:abc /config/crontabs/abc
-crontab -u abc /config/crontabs/abc
diff --git a/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/up b/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/up
deleted file mode 100644
index 006d814..0000000
--- a/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/up
+++ /dev/null
@@ -1 +0,0 @@
-/etc/s6-overlay/s6-rc.d/init-crontabs-config/run
diff --git a/root/etc/crontabs/abc b/root/etc/s6-overlay/s6-rc.d/init-nginx-config/dependencies.d/init-crontab-config
similarity index 100%
rename from root/etc/crontabs/abc
rename to root/etc/s6-overlay/s6-rc.d/init-nginx-config/dependencies.d/init-crontab-config
diff --git a/root/etc/s6-overlay/s6-rc.d/init-nginx-config/dependencies.d/init-crontabs-config b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-crontab-config
similarity index 100%
rename from root/etc/s6-overlay/s6-rc.d/init-nginx-config/dependencies.d/init-crontabs-config
rename to root/etc/s6-overlay/s6-rc.d/user/contents.d/init-crontab-config
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-crontabs-config b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-crontabs-config
deleted file mode 100644
index e69de29..0000000
From 269e9cdd3f533f3b647df3d12ccf3a944b89b75d Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Sun, 30 Jul 2023 09:50:18 -0500
Subject: [PATCH 2/7] Fix perms
Signed-off-by: Eric Nemchik
---
root/etc/s6-overlay/s6-rc.d/init-crontab-config/run | 0
1 file changed, 0 insertions(+), 0 deletions(-)
mode change 100644 => 100755 root/etc/s6-overlay/s6-rc.d/init-crontab-config/run
diff --git a/root/etc/s6-overlay/s6-rc.d/init-crontab-config/run b/root/etc/s6-overlay/s6-rc.d/init-crontab-config/run
old mode 100644
new mode 100755
From 0b738d9ee00c0b78643fddeeafbe169b002df22c Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Mon, 31 Jul 2023 15:13:43 -0500
Subject: [PATCH 3/7] set owner of certbot folders to abc
Signed-off-by: Eric Nemchik
---
root/etc/s6-overlay/s6-rc.d/init-certbot-config/run | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run b/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run
index e872e8d..b1c6b5c 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run
@@ -29,6 +29,12 @@ if [[ "${VALIDATION}" = "dns" ]] && [[ ! "${DNSPLUGIN}" =~ ^(acmedns|aliyun|azur
 sleep infinity
 fi
+# set owner of certbot's CONFIG_DIR, WORK_DIR, and LOGS_DIR to abc
+lsiown -R abc \
+ /etc/letsencrypt \
+ /var/lib/letsencrypt \
+ /var/log/letsencrypt
+
 # set_ini_value logic:
 # - if the name is not found in the file, append the name=value to the end of the file
 # - if the name is found in the file, replace the value
From 919b8ac152707ef510cc7c5a3b71c573a4f51890 Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Fri, 18 Aug 2023 23:38:31 -0500
Subject: [PATCH 4/7] cron in base
Signed-off-by: Eric Nemchik
---
.../s6-rc.d/init-crontab-config/run | 22 -------------------
.../s6-rc.d/init-crontab-config/type | 1 -
.../s6-overlay/s6-rc.d/init-crontab-config/up | 1 -
.../dependencies.d/init-crontab-config | 0
.../dependencies.d/init-fail2ban-config | 0
.../user/contents.d/init-crontab-config | 0
6 files changed, 24 deletions(-)
delete mode 100755 root/etc/s6-overlay/s6-rc.d/init-crontab-config/run
delete mode 100644 root/etc/s6-overlay/s6-rc.d/init-crontab-config/type
delete mode 100644 root/etc/s6-overlay/s6-rc.d/init-crontab-config/up
delete mode 100644 root/etc/s6-overlay/s6-rc.d/init-nginx-config/dependencies.d/init-crontab-config
rename root/etc/s6-overlay/s6-rc.d/{init-crontab-config => init-nginx-config}/dependencies.d/init-fail2ban-config (100%)
delete mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/init-crontab-config
diff --git a/root/etc/s6-overlay/s6-rc.d/init-crontab-config/run b/root/etc/s6-overlay/s6-rc.d/init-crontab-config/run
deleted file mode 100755
index c49a50c..0000000
--- a/root/etc/s6-overlay/s6-rc.d/init-crontab-config/run
+++ /dev/null
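Review bot: The comment above `lsiown -R abc` names the three directories by certbot's default paths, but every other place this script touches the same data uses /config/etc/letsencrypt (the `--cert-path /config/etc/letsencrypt/live/...` and `rm -rf /config/etc/letsencrypt/{...}` lines further down, and the `touch /config/etc/letsencrypt/cli.ini` at line ~44), so a reader cannot tell from here whether this chown reaches the tree certbot will actually write to as abc. If /etc/letsencrypt is a symlink into /config, say so where the chown happens, e.g. `# /etc/letsencrypt, /var/lib/letsencrypt and /var/log/letsencrypt are certbot's CONFIG_DIR, WORK_DIR and LOGS_DIR (symlinked into /config); hand them to abc so certbot, now run via s6-setuidgid abc, can create accounts/, live/ and renewal/`, and state that this must run before any certbot invocation below. That relationship is inferred from the paths, not visible in this hunk, so adjust the wording to what the image actually does.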
@@ -1,22 +0,0 @@
-#!/usr/bin/with-contenv bash
-# shellcheck shell=bash
-
-# make folders
-mkdir -p \
- /config/crontabs
-
-## abc
-# if crontabs do not exist in config
-if [[ ! -f /config/crontabs/abc ]]; then
-# copy crontab from system
-if crontab -l -u abc; then
-crontab -l -u abc >/config/crontabs/abc
-fi
-
-# if crontabs still do not exist in config (were not copied from system)
-# copy crontab from included defaults (using -n, do not overwrite an existing file)
-cp -n /defaults/crontabs/abc /config/crontabs/
-fi
-# set permissions and import user crontabs
-lsiown abc:abc /config/crontabs/abc
-crontab -u abc /config/crontabs/abc
diff --git a/root/etc/s6-overlay/s6-rc.d/init-crontab-config/type b/root/etc/s6-overlay/s6-rc.d/init-crontab-config/type
deleted file mode 100644
index bdd22a1..0000000
--- a/root/etc/s6-overlay/s6-rc.d/init-crontab-config/type
+++ /dev/null
@@ -1 +0,0 @@
-oneshot
diff --git a/root/etc/s6-overlay/s6-rc.d/init-crontab-config/up b/root/etc/s6-overlay/s6-rc.d/init-crontab-config/up
deleted file mode 100644
index d354111..0000000
--- a/root/etc/s6-overlay/s6-rc.d/init-crontab-config/up
+++ /dev/null
@@ -1 +0,0 @@
-/etc/s6-overlay/s6-rc.d/init-crontab-config/run
diff --git a/root/etc/s6-overlay/s6-rc.d/init-nginx-config/dependencies.d/init-crontab-config b/root/etc/s6-overlay/s6-rc.d/init-nginx-config/dependencies.d/init-crontab-config
deleted file mode 100644
index e69de29..0000000
diff --git a/root/etc/s6-overlay/s6-rc.d/init-crontab-config/dependencies.d/init-fail2ban-config b/root/etc/s6-overlay/s6-rc.d/init-nginx-config/dependencies.d/init-fail2ban-config
similarity index 100%
rename from root/etc/s6-overlay/s6-rc.d/init-crontab-config/dependencies.d/init-fail2ban-config
rename to root/etc/s6-overlay/s6-rc.d/init-nginx-config/dependencies.d/init-fail2ban-config
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-crontab-config b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-crontab-config
deleted file mode 100644
index e69de29..0000000
From 7e1db9c5622c367aa20186f5199360b66a93cca5 Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Sat, 19 Aug 2023 08:42:48 -0500
Subject: [PATCH 5/7] Crontabs folder created in base
Signed-off-by: Eric Nemchik
---
root/etc/s6-overlay/s6-rc.d/init-folders-config/run | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/root/etc/s6-overlay/s6-rc.d/init-folders-config/run b/root/etc/s6-overlay/s6-rc.d/init-folders-config/run
index 87cef4e..c18da5b 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-folders-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-folders-config/run
@@ -3,7 +3,7 @@
 # make our folders and links
 mkdir -p \
- /config/{fail2ban,crontabs,dns-conf} \
+ /config/{fail2ban,dns-conf} \
 /config/etc/letsencrypt/renewal-hooks \
 /config/log/{fail2ban,letsencrypt,nginx} \
 /config/nginx/proxy-confs \
From 23728cba0b41f6cd445068a6b602c616e8645df0 Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Sat, 19 Aug 2023 10:17:40 -0500
Subject: [PATCH 6/7] Move crontabs to etc
Signed-off-by: Eric Nemchik
---
root/{defaults => etc}/crontabs/abc | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename root/{defaults => etc}/crontabs/abc (100%)
diff --git a/root/defaults/crontabs/abc b/root/etc/crontabs/abc
similarity index 100%
rename from root/defaults/crontabs/abc
rename to root/etc/crontabs/abc
From 8b49f2b0d4ba3bf772710f12c74e4abb618426b0 Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Sat, 4 Nov 2023 18:36:31 -0500
Subject: [PATCH 7/7] fix chown for group
Signed-off-by: Eric Nemchik
---
root/etc/s6-overlay/s6-rc.d/init-certbot-config/run | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run b/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run
index 6515f6d..c233e2c 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run
@@ -32,7 +32,7 @@ if [[ "${VALIDATION}" = "dns" ]] && ! echo "${CERTBOT_DNS_AUTHENTICATORS}" | gre
 fi
 # set owner of certbot's CONFIG_DIR, WORK_DIR, and LOGS_DIR to abc
-lsiown -R abc \
+lsiown -R abc:abc \
 /etc/letsencrypt \
 /var/lib/letsencrypt \
 /var/log/letsencrypt
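Review bot: `lsiown -R abc:abc` is handed /etc/letsencrypt, /var/lib/letsencrypt and /var/log/letsencrypt, while every other path in this script under which certbot's data lives is /config/etc/letsencrypt, which suggests these are symlinks into /config; if they are, a plain `chown -R` does not descend through a symlink given on the command line unless `-H` or `-L` is passed (GNU coreutils defaults to `-P` for recursive operation), so the tree certbot must write as abc could remain root-owned and every certonly/revoke below would fail on permissions. Chowning the resolved directories sidesteps the question, e.g. `lsiown -R abc:abc /config/etc/letsencrypt /config/log/letsencrypt` together with whatever the work dir resolves to, or add `-H` if lsiown forwards its flags to chown. Both premises, that lsiown is a thin chown wrapper and that these paths are symlinks, are not visible in this hunk and need checking against the image. The enclosing `if` for the DNS-plugin check closes on the first line of the hunk.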