From 515fdf45d8e7fe019b15e947e19489d8df872c74 Mon Sep 17 00:00:00 2001 From: thespad Date: Sun, 19 Jan 2025 16:52:45 +0000 Subject: [PATCH 1/7] Skip logrotate.status file in log chmod --- root/etc/s6-overlay/s6-rc.d/init-permissions-config/run | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/root/etc/s6-overlay/s6-rc.d/init-permissions-config/run b/root/etc/s6-overlay/s6-rc.d/init-permissions-config/run index 4412726..8f897c3 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-permissions-config/run +++ b/root/etc/s6-overlay/s6-rc.d/init-permissions-config/run @@ -2,9 +2,7 @@ # shellcheck shell=bash # permissions +find /config/log ! -path '/config/log/logrotate.status' -exec chmod +r {} \+ + lsiown -R abc:abc \ /config -chmod -R +r /config/log - -# Workaround for systems with chmod errors -true From 02ed03a455b5771129fcb13b79bf06fd576877e1 Mon Sep 17 00:00:00 2001 From: thespad Date: Sun, 19 Jan 2025 17:03:14 +0000 Subject: [PATCH 2/7] Add auto-reload --- Dockerfile | 1 + Dockerfile.aarch64 | 1 + README.md | 4 ++ readme-vars.yml | 2 + .../dependencies.d/init-services | 0 .../s6-rc.d/svc-swag-auto-reload/run | 41 +++++++++++++++++++ .../s6-rc.d/svc-swag-auto-reload/type | 1 + .../user/contents.d/svc-swag-auto-reload | 0 8 files changed, 50 insertions(+) create mode 100644 root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/dependencies.d/init-services create mode 100755 root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run create mode 100644 root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/type create mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-swag-auto-reload diff --git a/Dockerfile b/Dockerfile index 08c365d..3016894 100755 --- a/Dockerfile +++ b/Dockerfile @@ -29,6 +29,7 @@ RUN \ apk add --no-cache \ fail2ban \ gnupg \ + inotify-tools \ iptables-legacy \ memcached \ nginx-mod-http-brotli \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 9bc2aed..516f30e 100755 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 
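Review bot: The added `find /config/log ! -path '/config/log/logrotate.status' -exec chmod +r {} \+` passes every entry under /config/log to chmod as a command-line argument, so a symlink there gets its target's mode changed. The removed `chmod -R +r /config/log` is not expected to do that for links met during traversal (confirm against the chmod shipped in the image). This init script presumably runs as root and /config is a user-mounted volume, so a stray link to a key or credentials file elsewhere would have its read bits widened; adding `! -type l` to the find expression keeps the change scoped to real files and directories. Separately, with the trailing `true` removed the script's exit status is now that of `lsiown`, which deserves a one-line comment if that is intended.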
@@ -29,6 +29,7 @@ RUN \ apk add --no-cache \ fail2ban \ gnupg \ + inotify-tools \ iptables-legacy \ memcached \ nginx-mod-http-brotli \ diff --git a/README.md b/README.md index 7623cc3..f06b429 100644 --- a/README.md +++ b/README.md @@ -190,6 +190,7 @@ services: - EXTRA_DOMAINS= #optional - STAGING=false #optional - DISABLE_F2B= #optional + - SWAG_AUTORELOAD= #optional volumes: - /path/to/swag/config:/config ports: @@ -218,6 +219,7 @@ docker run -d \ -e EXTRA_DOMAINS= `#optional` \ -e STAGING=false `#optional` \ -e DISABLE_F2B= `#optional` \ + -e SWAG_AUTORELOAD= `#optional` \ -p 443:443 \ -p 80:80 `#optional` \ -v /path/to/swag/config:/config \ @@ -247,6 +249,7 @@ Containers are configured using parameters passed at runtime (such as those abov | `-e EXTRA_DOMAINS=` | Additional fully qualified domain names (comma separated, no spaces) ie. `example.net,subdomain.example.net,*.example.org` | | `-e STAGING=false` | Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes. | | `-e DISABLE_F2B=` | Set to `true` to disable the Fail2ban service in the container, if you're already running it elsewhere or using a different IPS. | +| `-e SWAG_AUTORELOAD=` | Set to `true` to enable automatic reloading of nginx configs on change. Your filesystem must support inotify. This functionality was previous offered [via mod](https://github.com/linuxserver/docker-mods/tree/swag-auto-reload). | | `-v /config` | Persistent config files | | `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). | | `--cap-add=NET_ADMIN` | Required for fail2Ban to be able to modify iptables rules. | 
@@ -417,6 +420,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions +* **19.01.25:** - Add [Auto Reload](https://github.com/linuxserver/docker-mods/tree/swag-auto-reload) functionality to SWAG. * **17.12.24:** - Rebase to Alpine 3.21. * **21.10.24:** - Fix naming issue with Dynu plugin. If you are using Dynu, please make sure your credentials are set in /config/dns-conf/dynu.ini and your DNSPLUGIN variable is set to dynu (not dynudns). * **30.08.24:** - Fix zerossl cert revocation. diff --git a/readme-vars.yml b/readme-vars.yml index 63b5604..103e507 100644 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -38,6 +38,7 @@ opt_param_env_vars: - {env_var: "EXTRA_DOMAINS", env_value: "", desc: "Additional fully qualified domain names (comma separated, no spaces) ie. `example.net,subdomain.example.net,*.example.org`"} - {env_var: "STAGING", env_value: "false", desc: "Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes."} - {env_var: "DISABLE_F2B", env_value: "", desc: "Set to `true` to disable the Fail2ban service in the container, if you're already running it elsewhere or using a different IPS."} + - {env_var: "SWAG_AUTORELOAD", env_value: "", desc: "Set to `true` to enable automatic reloading of nginx configs on change. Your filesystem must support inotify. This functionality was previous offered [via mod](https://github.com/linuxserver/docker-mods/tree/swag-auto-reload)."} opt_param_usage_include_ports: true opt_param_ports: - {external_port: "80", internal_port: "80", port_desc: "HTTP port (required for HTTP validation and HTTP -> HTTPS redirect)"} 
@@ -200,6 +201,7 @@ init_diagram: | "swag:latest" <- Base Images # changelog changelogs: + - {date: "19.01.25:", desc: "Add [Auto Reload](https://github.com/linuxserver/docker-mods/tree/swag-auto-reload) functionality to SWAG."} - {date: "17.12.24:", desc: "Rebase to Alpine 3.21."} - {date: "21.10.24:", desc: "Fix naming issue with Dynu plugin. If you are using Dynu, please make sure your credentials are set in /config/dns-conf/dynu.ini and your DNSPLUGIN variable is set to dynu (not dynudns)."} - {date: "30.08.24:", desc: "Fix zerossl cert revocation."} diff --git a/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/dependencies.d/init-services b/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/dependencies.d/init-services new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run b/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run new file mode 100755 index 0000000..92cc7e2 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run 
@@ -0,0 +1,41 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+if [[ ${SWAG_AUTORELOAD,,} == "true" ]]; then
+ if [[ -f "/etc/s6-overlay/s6-rc.d/svc-mod-swag-auto-reload/run" ]]; then
+ echo "ERROR: Legacy SWAG Auto Reload Mod detected, to use the built-in Auto Reload functionality please remove it from your container config."
+ sleep infinity
+ else
+ echo "Auto-reload: Watching the following files/folders for changes (excluding .sample, .swp, and .md files):"
+ echo "/config/nginx"
+ ACTIVE_WATCH=("/config/nginx")
+ for i in $(echo "${WATCHLIST}" | tr "|" " "); do
+ if [ -f "${i}" ] || [ -d "${i}" ]; then
+ echo "${i}"
+ ACTIVE_WATCH+=("${i}")
+ fi
+ done
+
+ function wait_for_changes {
+ inotifywait -rq \
+ --event modify,move,create,delete \
+ --excludei '\.(sample|md|swp)' \
+ "${ACTIVE_WATCH[@]}"
+ }
+
+ while wait_for_changes; do
+ NGINX_CONF=()
+ if ! grep -q "/config/nginx/nginx.conf" /etc/nginx/nginx.conf; then
+ NGINX_CONF=("-c" "/config/nginx/nginx.conf")
+ fi
+ if /usr/sbin/nginx "${NGINX_CONF[@]}" -t; then
+ echo "Changes to nginx config detected and the changes are valid, reloading nginx"
+ /usr/sbin/nginx "${NGINX_CONF[@]}" -s reload
+ else
+ echo "Changes to nginx config detected but the changes are not valid, skipping nginx reload. Please fix your config."
+ fi
+ done
+ fi
+else
+ sleep infinity
+fi
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/type b/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/type
new file mode 100644
index 0000000..5883cff
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/type
@@ -0,0 +1 @@
+longrun
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-swag-auto-reload b/root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-swag-auto-reload
new file mode 100644
index 0000000..e69de29
From 21b5a79e06c987e05149e5a091a87e88a3175019 Mon Sep 17 00:00:00 2001
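Review bot: The watch-list loop `for i in $(echo "${WATCHLIST}" | tr "|" " "); do` leaves the command substitution unquoted, so each entry is word-split and glob-expanded before the `-f`/`-d` test. A path containing a space is broken into pieces that fail the test, and a `*` is expanded against the working directory. Splitting on the delimiter directly avoids both: `IFS='|' read -ra WATCH_ITEMS <<< "${WATCHLIST}"` followed by `for i in "${WATCH_ITEMS[@]}"; do`. The same construct is carried into the `@@ -9,7 +9,7 @@` hunk of PATCH 3/7, which only renames the variable. Also, `while wait_for_changes` ends as soon as inotifywait returns non-zero and the script then exits, so an `echo` after `done` saying the watch could not be established would explain what presumably shows up as repeated restarts of this longrun service.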
From: thespad Date: Sun, 19 Jan 2025 17:30:11 +0000 Subject: [PATCH 3/7] Switch to include, document watchlist functionality --- README.md | 5 ++++- readme-vars.yml | 3 ++- root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run | 4 ++-- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f06b429..b28de8b 100644 --- a/README.md +++ b/README.md @@ -191,6 +191,7 @@ services: - STAGING=false #optional - DISABLE_F2B= #optional - SWAG_AUTORELOAD= #optional + - SWAG_AUTORELOAD_WATCHLIST= #optional volumes: - /path/to/swag/config:/config ports: @@ -220,6 +221,7 @@ docker run -d \ -e STAGING=false `#optional` \ -e DISABLE_F2B= `#optional` \ -e SWAG_AUTORELOAD= `#optional` \ + -e SWAG_AUTORELOAD_WATCHLIST= `#optional` \ -p 443:443 \ -p 80:80 `#optional` \ -v /path/to/swag/config:/config \ 
@@ -249,7 +251,8 @@ Containers are configured using parameters passed at runtime (such as those abov | `-e EXTRA_DOMAINS=` | Additional fully qualified domain names (comma separated, no spaces) ie. `example.net,subdomain.example.net,*.example.org` | | `-e STAGING=false` | Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes. | | `-e DISABLE_F2B=` | Set to `true` to disable the Fail2ban service in the container, if you're already running it elsewhere or using a different IPS. | -| `-e SWAG_AUTORELOAD=` | Set to `true` to enable automatic reloading of nginx configs on change. Your filesystem must support inotify. This functionality was previous offered [via mod](https://github.com/linuxserver/docker-mods/tree/swag-auto-reload). | +| `-e SWAG_AUTORELOAD=` | Set to `true` to enable automatic reloading of nginx confs on change. Your filesystem must support inotify. This functionality was previous offered [via mod](https://github.com/linuxserver/docker-mods/tree/swag-auto-reload). | +| `-e SWAG_AUTORELOAD_WATCHLIST=` | A `|`-separated list of additional folders for auto reload to watch in addition to `/config/nginx` | | `-v /config` | Persistent config files | | `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). | | `--cap-add=NET_ADMIN` | Required for fail2Ban to be able to modify iptables rules. | diff --git a/readme-vars.yml b/readme-vars.yml index 103e507..5a6f94f 100644 --- a/readme-vars.yml +++ b/readme-vars.yml 
@@ -38,7 +38,8 @@ opt_param_env_vars: - {env_var: "EXTRA_DOMAINS", env_value: "", desc: "Additional fully qualified domain names (comma separated, no spaces) ie. `example.net,subdomain.example.net,*.example.org`"} - {env_var: "STAGING", env_value: "false", desc: "Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes."} - {env_var: "DISABLE_F2B", env_value: "", desc: "Set to `true` to disable the Fail2ban service in the container, if you're already running it elsewhere or using a different IPS."} - - {env_var: "SWAG_AUTORELOAD", env_value: "", desc: "Set to `true` to enable automatic reloading of nginx configs on change. Your filesystem must support inotify. This functionality was previous offered [via mod](https://github.com/linuxserver/docker-mods/tree/swag-auto-reload)."} + - {env_var: "SWAG_AUTORELOAD", env_value: "", desc: "Set to `true` to enable automatic reloading of nginx confs on change. Your filesystem must support inotify. This functionality was previous offered [via mod](https://github.com/linuxserver/docker-mods/tree/swag-auto-reload)."} + - {env_var: "SWAG_AUTORELOAD_WATCHLIST", env_value: "", desc: "A `|`-separated list of additional folders for auto reload to watch in addition to `/config/nginx`"} opt_param_usage_include_ports: true opt_param_ports: - {external_port: "80", internal_port: "80", port_desc: "HTTP port (required for HTTP validation and HTTP -> HTTPS redirect)"} diff --git a/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run b/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run index 92cc7e2..2b291dc 100755 --- a/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run +++ b/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run 
@@ -9,7 +9,7 @@ if [[ ${SWAG_AUTORELOAD,,} == "true" ]]; then echo "Auto-reload: Watching the following files/folders for changes (excluding .sample, .swp, and .md files):" echo "/config/nginx" ACTIVE_WATCH=("/config/nginx") - for i in $(echo "${WATCHLIST}" | tr "|" " "); do + for i in $(echo "${SWAG_AUTORELOAD_WATCHLIST}" | tr "|" " "); do if [ -f "${i}" ] || [ -d "${i}" ]; then echo "${i}" ACTIVE_WATCH+=("${i}") @@ -19,7 +19,7 @@ if [[ ${SWAG_AUTORELOAD,,} == "true" ]]; then function wait_for_changes { inotifywait -rq \ --event modify,move,create,delete \ - --excludei '\.(sample|md|swp)' \ + --include '\.(conf)' \ "${ACTIVE_WATCH[@]}" } From d81e33b63b647f43f11af182abe56eb29b5f4a18 Mon Sep 17 00:00:00 2001 From: thespad Date: Sun, 19 Jan 2025 17:33:22 +0000 Subject: [PATCH 4/7] Anchor to avoid samples --- root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run b/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run index 2b291dc..f8263dc 100755 --- a/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run +++ b/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run @@ -19,7 +19,7 @@ if [[ ${SWAG_AUTORELOAD,,} == "true" ]]; then function wait_for_changes { inotifywait -rq \ --event modify,move,create,delete \ - --include '\.(conf)' \ + --include '\.conf$' \ "${ACTIVE_WATCH[@]}" } From 2160126f96755126fe83daec2146c86d5e29ea73 Mon Sep 17 00:00:00 2001 From: thespad Date: Sun, 19 Jan 2025 17:34:21 +0000 Subject: [PATCH 5/7] Use case-insensitive include just in case (no pun) --- root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run b/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run index f8263dc..4a1f0de 100755 --- a/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run +++ b/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run 
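Review bot: In the `@@ -19,7 +19,7 @@` hunk of PATCH 3/7, replacing `--excludei` with `--include '\.(conf)'` narrows what any watch-list entry can trigger on. The loop in the preceding hunk still accepts plain files through `[ -f "${i}" ]` and echoes them as watched, so an entry that does not match the include pattern would appear to never cause a reload, and the README row added in this commit speaks only of folders. Either drop the `-f` branch so the code matches the documentation, or add a comment beside the filter such as `# only paths matching the include pattern trigger a reload`. The body of `wait_for_changes` lies within this hunk's context lines; the rest of the script is outside it.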
@@ -19,7 +19,7 @@ if [[ ${SWAG_AUTORELOAD,,} == "true" ]]; then function wait_for_changes { inotifywait -rq \ --event modify,move,create,delete \ - --include '\.conf$' \ + --includei '\.conf$' \ "${ACTIVE_WATCH[@]}" } From c0adf4fd0a2b47c3844cc25c3a9a3d233f550f6d Mon Sep 17 00:00:00 2001 From: thespad Date: Sun, 19 Jan 2025 17:36:15 +0000 Subject: [PATCH 6/7] Update log message --- root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run b/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run index 4a1f0de..b374ad9 100755 --- a/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run +++ b/root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run @@ -6,7 +6,7 @@ if [[ ${SWAG_AUTORELOAD,,} == "true" ]]; then echo "ERROR: Legacy SWAG Auto Reload Mod detected, to use the built-in Auto Reload functionality please remove it from your container config." sleep infinity else - echo "Auto-reload: Watching the following files/folders for changes (excluding .sample, .swp, and .md files):" + echo "Auto-reload: Watching the following folders for changes to .conf files:" echo "/config/nginx" ACTIVE_WATCH=("/config/nginx") for i in $(echo "${SWAG_AUTORELOAD_WATCHLIST}" | tr "|" " "); do From 14cab18c36d5da0637708015defd5ed4cdebdb00 Mon Sep 17 00:00:00 2001 From: thespad Date: Sun, 19 Jan 2025 17:56:10 +0000 Subject: [PATCH 7/7] Spelling --- readme-vars.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme-vars.yml b/readme-vars.yml index 5a6f94f..5a15f84 100644 --- a/readme-vars.yml +++ b/readme-vars.yml 
@@ -38,7 +38,7 @@ opt_param_env_vars: - {env_var: "EXTRA_DOMAINS", env_value: "", desc: "Additional fully qualified domain names (comma separated, no spaces) ie. `example.net,subdomain.example.net,*.example.org`"} - {env_var: "STAGING", env_value: "false", desc: "Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes."} - {env_var: "DISABLE_F2B", env_value: "", desc: "Set to `true` to disable the Fail2ban service in the container, if you're already running it elsewhere or using a different IPS."} - - {env_var: "SWAG_AUTORELOAD", env_value: "", desc: "Set to `true` to enable automatic reloading of nginx confs on change. Your filesystem must support inotify. This functionality was previous offered [via mod](https://github.com/linuxserver/docker-mods/tree/swag-auto-reload)."} + - {env_var: "SWAG_AUTORELOAD", env_value: "", desc: "Set to `true` to enable automatic reloading of nginx confs on change. Your filesystem must support inotify. This functionality was previously offered [via mod](https://github.com/linuxserver/docker-mods/tree/swag-auto-reload)."} - {env_var: "SWAG_AUTORELOAD_WATCHLIST", env_value: "", desc: "A `|`-separated list of additional folders for auto reload to watch in addition to `/config/nginx`"} opt_param_usage_include_ports: true opt_param_ports: