Use standard nginx.conf from lsio alpine nginx base image

root/etc/cont-init.d/30-test-run

@@ -0,0 +1,6 @@
+#!/usr/bin/with-contenv bash
+
+# Echo init finish for test runs
+if [[ -n "${TEST_RUN}" ]]; then
+    echo '[services.d] done.'
+fi

root/etc/cont-init.d/31-require-url

@@ -0,0 +1,7 @@
+#!/usr/bin/with-contenv bash
+
+# check to make sure that the required variables are set
+if [[ -z "${URL}" ]]; then
+    echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details."
+    sleep infinity
+fi

root/etc/cont-init.d/40-folders

@@ -0,0 +1,11 @@
+#!/usr/bin/with-contenv bash
+
+# make our folders and links
+mkdir -p \
+    /config/{fail2ban,crontabs,dns-conf} \
+    /config/etc/letsencrypt \
+    /config/log/{fail2ban,letsencrypt,nginx} \
+    /config/nginx/proxy-confs \
+    /var/run/fail2ban
+rm -rf /etc/letsencrypt
+ln -s /config/etc/letsencrypt /etc/letsencrypt

root/etc/cont-init.d/41-samples

@@ -0,0 +1,12 @@
+#!/usr/bin/with-contenv bash
+
+# samples are removed on init by the nginx base
+
+# copy new samples
+if [[ -d /defaults/nginx/proxy-confs/ ]]; then
+    find /defaults/nginx/proxy-confs/ \
+        -maxdepth 1 \
+        -name "*.conf.sample" \
+        -type f \
+        -exec cp "{}" /config/nginx/proxy-confs/ +
+fi

root/etc/cont-init.d/42-fail2ban

@@ -0,0 +1,28 @@
+#!/usr/bin/with-contenv bash
+
+# copy/update the fail2ban config defaults to/in /config
+cp -R /defaults/fail2ban/filter.d /config/fail2ban/
+cp -R /defaults/fail2ban/action.d /config/fail2ban/
+# if jail.local is missing in /config, copy default
+if [[ ! -f /config/fail2ban/jail.local ]]; then
+    cp /defaults/fail2ban/jail.local /config/fail2ban/jail.local
+fi
+# Replace fail2ban config with user config
+if [[ -d /etc/fail2ban/filter.d ]]; then
+    rm -rf /etc/fail2ban/filter.d
+fi
+if [[ -d /etc/fail2ban/action.d ]]; then
+    rm -rf /etc/fail2ban/action.d
+fi
+cp -R /config/fail2ban/filter.d /etc/fail2ban/
+cp -R /config/fail2ban/action.d /etc/fail2ban/
+cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/
+cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
+
+# logfiles needed by fail2ban
+if [[ ! -f /config/log/nginx/error.log ]]; then
+    touch /config/log/nginx/error.log
+fi
+if [[ ! -f /config/log/nginx/access.log ]]; then
+    touch /config/log/nginx/access.log
+fi

root/etc/cont-init.d/43-crontabs

@@ -0,0 +1,10 @@
+#!/usr/bin/with-contenv bash
+
+# copy crontabs if needed
+if [[ ! -f /config/crontabs/root ]]; then
+    cp /etc/crontabs/root /config/crontabs/
+fi
+
+# import user crontabs
+rm /etc/crontabs/*
+cp /config/crontabs/* /etc/crontabs/

root/etc/cont-init.d/45-nginx

@@ -0,0 +1,12 @@
+#!/usr/bin/with-contenv bash
+
+# copy default config files if they don't exist
+if [[ ! -f /config/nginx/error_pages.conf ]]; then
+    cp /defaults/nginx/error_pages.conf.sample /config/nginx/error_pages.conf
+fi
+if [[ ! -f /config/nginx/proxy.conf ]]; then
+    cp /defaults/nginx/proxy.conf.sample /config/nginx/proxy.conf
+fi
+if [[ ! -f /config/www/502.html ]]; then
+    cp /defaults/www/502.html /config/www/502.html
+fi

root/etc/cont-init.d/50-certbot

@@ -15,11 +15,6 @@ DNSPLUGIN=${DNSPLUGIN}\\n\
 EMAIL=${EMAIL}\\n\
 STAGING=${STAGING}\\n"
 
-# Echo init finish for test runs
-if [ -n "${TEST_RUN}" ]; then
-    echo '[services.d] done.'
-fi
-
 # Sanitize variables
 SANED_VARS=( DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER )
 for i in "${SANED_VARS[@]}"
@@ -28,105 +23,15 @@ do
     export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
 done
 
-# check to make sure that the required variables are set
-[[ -z "$URL" ]] && \
-    echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details." && \
-    sleep infinity
-
-# make our folders and links
-mkdir -p \
-    /config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db} \
-    /var/run/fail2ban
-rm -rf /etc/letsencrypt
-ln -s /config/etc/letsencrypt /etc/letsencrypt
-
 # copy dns default configs
 cp -n /defaults/dns-conf/* /config/dns-conf/
 chown -R abc:abc /config/dns-conf
 
-# copy reverse proxy configs
-cp -R /defaults/proxy-confs /config/nginx/
-
-# copy/update the fail2ban config defaults to/in /config
-cp -R /defaults/fail2ban/filter.d /config/fail2ban/
-cp -R /defaults/fail2ban/action.d /config/fail2ban/
-# if jail.local is missing in /config, copy default
-[[ ! -f /config/fail2ban/jail.local ]] && \
-    cp /defaults/jail.local /config/fail2ban/jail.local
-# Replace fail2ban config with user config
-[[ -d /etc/fail2ban/filter.d ]] && \
-    rm -rf /etc/fail2ban/filter.d
-[[ -d /etc/fail2ban/action.d ]] && \
-    rm -rf /etc/fail2ban/action.d
-cp -R /config/fail2ban/filter.d /etc/fail2ban/
-cp -R /config/fail2ban/action.d /etc/fail2ban/
-cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/
-cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
-
-# copy crontab and proxy defaults if needed
-[[ ! -f /config/crontabs/root ]] && \
-    cp /etc/crontabs/root /config/crontabs/
-[[ ! -f /config/nginx/proxy.conf ]] && \
-    cp /defaults/proxy.conf /config/nginx/proxy.conf
-[[ ! -f /config/nginx/ssl.conf ]] && \
-    cp /defaults/ssl.conf /config/nginx/ssl.conf
-[[ ! -f /config/nginx/ldap.conf ]] && \
-    cp /defaults/ldap.conf /config/nginx/ldap.conf
-[[ ! -f /config/nginx/authelia-server.conf ]] && \
-    cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf
-[[ ! -f /config/nginx/authelia-location.conf ]] && \
-    cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf
-[[ ! -f /config/www/502.html ]] &&
-    cp /defaults/502.html /config/www/502.html
-
-# Set resolver, ignore ipv6 addresses
-if ! grep -q 'resolver' /config/nginx/resolver.conf; then
-    RESOLVERRAW=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf)
-    for i in ${RESOLVERRAW}; do
-        if [ $(awk -F ':' '{print NF-1}' <<< ${i}) -le 2 ]; then
-            RESOLVER="${RESOLVER} ${i}"
-        fi
-    done
-    if [ -z "${RESOLVER}" ]; then
-        RESOLVER="127.0.0.11"
-    fi
-    echo "Setting resolver to ${RESOLVER}"
-    echo -e "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf
-fi
-
-# Set worker_processes
-if ! grep -q 'worker_processes' /config/nginx/worker_processes.conf; then
-    WORKER_PROCESSES=$(nproc)
-    echo "Setting worker_processes to ${WORKER_PROCESSES}"
-    echo -e "# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically.\n\nworker_processes ${WORKER_PROCESSES};" > /config/nginx/worker_processes.conf
-fi
-
-# remove lua bits from nginx.conf if not done before
-if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
-    echo "Removing lua specific info from nginx.conf"
-    sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf
-fi
-
-# patch authelia-server.conf for CVE-2021-32637
-if ! grep -q 'if ($request_uri ~' /config/nginx/authelia-server.conf; then
-    sed -i '/internal;/a \ \ \ \ if ($request_uri ~ [^a-zA-Z0-9_+-=\\!@$%&*?~.:#'\''\\;\\(\\)\\[\\]]) { return 401; }' /config/nginx/authelia-server.conf
-fi
-
-# copy pre-generated dhparams or generate if needed
-[[ ! -f /config/nginx/dhparams.pem ]] && \
-    cp /defaults/dhparams.pem /config/nginx/dhparams.pem
-if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
-    curl -o /config/nginx/dhparams.pem -L "https://ssl-config.mozilla.org/ffdhe4096.txt"
-fi
-
 # check to make sure DNSPLUGIN is selected if dns validation is used
-[[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(aliyun|azure|cloudflare|cloudxns|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|domeneshop|dynu|gandi|gehirn|google|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]] && \
-    echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." && \
+if [[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(aliyun|azure|cloudflare|cloudxns|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|domeneshop|dynu|gandi|gehirn|google|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then
+    echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details."
     sleep infinity
-
-# import user crontabs
-rm /etc/crontabs/*
-cp /config/crontabs/* /etc/crontabs/
+fi
 
 # create original config file if it doesn't exist, move non-hidden legacy file to hidden
 if [ -f "/config/donoteditthisfile.conf" ]; then
@@ -278,6 +183,10 @@ if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ] ; then
 else
     ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt
 fi
+rm -rf /config/keys/cert.crt
+ln -s ./letsencrypt/fullchain.pem /config/keys/cert.crt
+rm -rf /config/keys/cert.key
+ln -s ./letsencrypt/privkey.pem /config/keys/cert.key
 
 # checking for changes in cert variables, revoking certs if necessary
 if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ] || [ ! "$VALIDATION" = "$ORIGVALIDATION" ] || [ ! "$DNSPLUGIN" = "$ORIGDNSPLUGIN" ] || [ ! "$PROPAGATION" = "$ORIGPROPAGATION" ] || [ ! "$STAGING" = "$ORIGSTAGING" ] || [ ! "$DUCKDNSTOKEN" = "$ORIGDUCKDNSTOKEN" ] || [ ! "$CERTPROVIDER" = "$ORIGCERTPROVIDER" ]; then
@@ -301,7 +210,9 @@ if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "
     else
         REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
     fi
-    [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
+    if [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]]; then
+        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
+    fi
     rm -rf /config/etc/letsencrypt
     mkdir -p /config/etc/letsencrypt
 fi
@@ -360,26 +271,3 @@ if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
 else
     echo "Certificate exists; parameters unchanged; starting nginx"
 fi
-
-# create GeoIP2 folder symlink
-[[ -d /var/lib/libmaxminddb ]] && [[ ! -L /var/lib/libmaxminddb ]] && \
-    rm -rf /var/lib/libmaxminddb
-[[ ! -d /var/lib/libmaxminddb ]] && \
-    ln -s /config/geoip2db /var/lib/libmaxminddb
-
-# logfiles needed by fail2ban
-[[ ! -f /config/log/nginx/error.log ]] && \
-    touch /config/log/nginx/error.log
-[[ ! -f /config/log/nginx/access.log ]] && \
-    touch /config/log/nginx/access.log
-[[ ! -f /config/log/nginx/unauthorized.log ]] && \
-    touch /config/log/nginx/unauthorized.log
-
-# permissions
-chown -R abc:abc \
-    /config
-chmod -R 0644 /etc/logrotate.d
-chmod -R +r /config/log
-chmod +x /app/le-renew.sh
-chmod 700 /defaults/dns-conf
-chmod 600 /defaults/dns-conf/*

root/etc/cont-init.d/55-permissions

@@ -0,0 +1,8 @@
+#!/usr/bin/with-contenv bash
+
+# permissions
+chown -R abc:abc \
+    /config
+chmod -R 0644 /etc/logrotate.d
+chmod -R +r /config/log
+chmod +x /app/le-renew.sh

root/etc/cont-init.d/70-outdated

@@ -0,0 +1,16 @@
+#!/usr/bin/with-contenv bash
+
+if [[ -f /config/nginx/502.conf ]]; then
+    echo "/config/nginx/502.conf exists.
+        Please migrate to error_pages.conf"
+fi
+if [[ -f /config/nginx/geoip2.conf ]]; then
+    echo "/config/nginx/geoip2.conf exists.
+        Please migrate to https://github.com/linuxserver/docker-mods/tree/swag-maxmind"
+fi
+if [[ -f /config/nginx/ldap.conf ]]; then
+    echo "/config/nginx/ldap.conf exists.
+        Please apply any customizations to /config/nginx/ldap-server.conf
+        Ensure your nginx.conf is updated and remove /config/nginx/ldap.conf
+        If you do not use this config, simply remove it."
+fi

root/etc/cont-init.d/70-templates

@@ -1,41 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-nginx_confs=( \
-    authelia-location.conf \
-    authelia-server.conf \
-    ldap.conf \
-    nginx.conf \
-    proxy.conf \
-    site-confs/default \
-    ssl.conf )
-
-for i in ${nginx_confs[@]}; do
-    if [ "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' /config/nginx/${i})" != "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' /defaults/$(basename ${i}))" ]; then
-        nginx_confs_changed="/config/nginx/${i}\n${nginx_confs_changed}"
-    fi
-done
-
-if [ -n "$nginx_confs_changed" ]; then
-    echo "**** The following nginx confs have different version dates than the defaults that are shipped. ****"
-    echo "**** This may be due to user customization or an update to the defaults. ****"
-    echo "**** To update them to the latest defaults shipped within the image, delete these files and restart the container. ****"
-    echo "**** If they are user customized, check the date version at the top and compare to the upstream changelog via the link. ****"
-    echo -e "${nginx_confs_changed}"
-fi
-
-proxy_confs=$(ls /config/nginx/proxy-confs/*.conf 2>/dev/null)
-
-for i in $proxy_confs; do
-    if [ -f "${i}.sample" ]; then
-        if [ "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' ${i})" != "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' ${i}.sample)" ]; then
-            proxy_confs_changed="${i}\n${proxy_confs_changed}"
-        fi
-    fi
-done
-
-if [ -n "$proxy_confs_changed" ]; then
-    echo "**** The following reverse proxy confs have different version dates than the samples that are shipped. ****"
-    echo "**** This may be due to user customization or an update to the samples. ****"
-    echo "**** You should compare them to the samples in the same folder to make sure you have the latest updates. ****"
-    echo -e "${proxy_confs_changed}"
-fi