Rebase to 3.21

root/app/le-renew.sh

@@ -6,4 +6,4 @@ echo
 echo "<------------------------------------------------->"
 echo "cronjob running on $(date)"
 echo "Running certbot renew"
-certbot renew --non-interactive
+certbot renew --non-interactive --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini

root/etc/crontabs/root

@@ -5,4 +5,4 @@
 0       3       *       *       6       run-parts /etc/periodic/weekly
 0       5       1       *       *       run-parts /etc/periodic/monthly
 
-8       2       *       *       *       /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1
+8       2       *       *       *       /app/le-renew.sh >> /config/log/letsencrypt/renewal.log 2>&1

root/etc/s6-overlay/s6-rc.d/init-certbot-config/run

@@ -38,12 +38,6 @@ if [[ "${VALIDATION}" = "dns" ]] && ! echo "${CERTBOT_DNS_AUTHENTICATORS}" | gre
     sleep infinity
 fi
 
-# set owner of certbot's CONFIG_DIR, WORK_DIR, and LOGS_DIR to abc
-lsiown -R abc:abc \
-    /etc/letsencrypt \
-    /var/lib/letsencrypt \
-    /var/log/letsencrypt
-
 # set_ini_value logic:
 # - if the name is not found in the file, append the name=value to the end of the file
 # - if the name is found in the file, replace the value
@@ -67,7 +61,6 @@ cp -n /defaults/dns-conf/* /config/dns-conf/ 2> >(grep -v 'cp: not replacing')
 lsiown -R abc:abc /config/dns-conf
 
 # copy default renewal hooks
-chmod -R +x /defaults/etc/letsencrypt/renewal-hooks
 cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/ 2> >(grep -v 'cp: not replacing')
 lsiown -R abc:abc /config/etc/letsencrypt/renewal-hooks
 
@@ -169,14 +162,14 @@ fi
 rm -rf /config/keys/letsencrypt
 if [[ "${ONLY_SUBDOMAINS}" = "true" ]] && [[ ! "${SUBDOMAINS}" = "wildcard" ]]; then
     DOMAIN="$(echo "${SUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${URL}"
-    ln -s ../etc/letsencrypt/live/"${DOMAIN}" /config/keys/letsencrypt
+    ln -s /config/etc/letsencrypt/live/"${DOMAIN}" /config/keys/letsencrypt
 else
-    ln -s ../etc/letsencrypt/live/"${URL}" /config/keys/letsencrypt
+    ln -s /config/etc/letsencrypt/live/"${URL}" /config/keys/letsencrypt
 fi
 
 # cleanup unused csr and keys folders
-rm -rf /etc/letsencrypt/csr
-rm -rf /etc/letsencrypt/keys
+rm -rf /config/etc/letsencrypt/csr
+rm -rf /config/etc/letsencrypt/keys
 
 # checking for changes in cert variables, revoking certs if necessary
 if [[ ! "${URL}" = "${ORIGURL}" ]] ||
@@ -197,9 +190,9 @@ if [[ ! "${URL}" = "${ORIGURL}" ]] ||
         REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
     fi
     if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
-        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --key-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/privkey.pem --server "${REV_ACMESERVER[@]}" || true
+        certbot revoke --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --key-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/privkey.pem --server "${REV_ACMESERVER[@]}" || true
     else
-        certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
+        certbot revoke --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
     fi
     rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
 fi
@@ -212,9 +205,9 @@ if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "l
     echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
     REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
     if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
-        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true
+        certbot revoke --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true
     else
-        certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
+        certbot revoke --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
     fi
     rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
 fi
@@ -347,7 +340,7 @@ if [[ ! -f "/config/keys/letsencrypt/fullchain.pem" ]]; then
         set_ini_value "eab-hmac-key" "${ZEROSSL_EAB_HMAC_KEY}" /config/etc/letsencrypt/cli.ini
     fi
     echo "Generating new certificate"
-    certbot certonly --non-interactive --renew-by-default
+    certbot certonly --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --renew-by-default
     if [[ ! -d /config/keys/letsencrypt ]]; then
         if [[ "${VALIDATION}" = "dns" ]]; then
             echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the ${DNSCREDENTIALFILE} file."

root/etc/s6-overlay/s6-rc.d/init-fail2ban-config/run

@@ -1,38 +1,42 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
 
-if ! iptables -L &> /dev/null; then
-    ln -sf /sbin/xtables-legacy-multi /sbin/iptables
-    ln -sf /sbin/xtables-legacy-multi /sbin/iptables-save
-    ln -sf /sbin/xtables-legacy-multi /sbin/iptables-restore
-    ln -sf /sbin/xtables-legacy-multi /sbin/ip6tables
-    ln -sf /sbin/xtables-legacy-multi /sbin/ip6tables-save
-    ln -sf /sbin/xtables-legacy-multi /sbin/ip6tables-restore
-fi
+if [[ -z ${LSIO_READ_ONLY_FS} ]] && [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+    if ! iptables -L &> /dev/null; then
+        ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/iptables
+        ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/iptables-save
+        ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/iptables-restore
+        ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/ip6tables
+        ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/ip6tables-save
+        ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/ip6tables-restore
+    fi
 
-# copy/update the fail2ban config defaults to/in /config
-cp -R /defaults/fail2ban/filter.d /config/fail2ban/
-cp -R /defaults/fail2ban/action.d /config/fail2ban/
-# if jail.local is missing in /config, copy default
-if [[ ! -f /config/fail2ban/jail.local ]]; then
-    cp /defaults/fail2ban/jail.local /config/fail2ban/jail.local
-fi
-# Replace fail2ban config with user config
-if [[ -d /etc/fail2ban/filter.d ]]; then
-    rm -rf /etc/fail2ban/filter.d
-fi
-if [[ -d /etc/fail2ban/action.d ]]; then
-    rm -rf /etc/fail2ban/action.d
-fi
-cp -R /config/fail2ban/filter.d /etc/fail2ban/
-cp -R /config/fail2ban/action.d /etc/fail2ban/
-cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/
-cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
+    # copy/update the fail2ban config defaults to/in /config
+    cp -R /defaults/fail2ban/filter.d /config/fail2ban/
+    cp -R /defaults/fail2ban/action.d /config/fail2ban/
+    # if jail.local is missing in /config, copy default
+    if [[ ! -f /config/fail2ban/jail.local ]]; then
+        cp /defaults/fail2ban/jail.local /config/fail2ban/jail.local
+    fi
+    # Replace fail2ban config with user config
+    if [[ -d /etc/fail2ban/filter.d ]]; then
+        rm -rf /etc/fail2ban/filter.d
+    fi
+    if [[ -d /etc/fail2ban/action.d ]]; then
+        rm -rf /etc/fail2ban/action.d
+    fi
+    cp -R /config/fail2ban/filter.d /etc/fail2ban/
+    cp -R /config/fail2ban/action.d /etc/fail2ban/
+    cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/
+    cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
 
-# logfiles needed by fail2ban
-if [[ ! -f /config/log/nginx/error.log ]]; then
-    touch /config/log/nginx/error.log
-fi
-if [[ ! -f /config/log/nginx/access.log ]]; then
-    touch /config/log/nginx/access.log
+    # logfiles needed by fail2ban
+    if [[ ! -f /config/log/nginx/error.log ]]; then
+        touch /config/log/nginx/error.log
+    fi
+    if [[ ! -f /config/log/nginx/access.log ]]; then
+        touch /config/log/nginx/access.log
+    fi
+else
+    rm -rf /etc/logrotate.d/fail2ban
 fi

root/etc/s6-overlay/s6-rc.d/init-permissions-config/run

@@ -4,8 +4,10 @@
 # permissions
 lsiown -R abc:abc \
     /config
-chmod -R 0644 /etc/logrotate.d
 chmod -R +r /config/log
+if [[ -z ${LSIO_READ_ONLY_FS} ]]; then
+    chmod -R 0644 /etc/logrotate.d
+fi
 
 # Workaround for systems with chmod errors
 true

root/etc/s6-overlay/s6-rc.d/init-swag-folders/run

@@ -7,6 +7,7 @@ mkdir -p \
     /config/etc/letsencrypt/renewal-hooks \
     /config/log/{fail2ban,letsencrypt,nginx} \
     /config/nginx/proxy-confs \
-    /run/fail2ban
-rm -rf /etc/letsencrypt
-ln -s /config/etc/letsencrypt /etc/letsencrypt
+    /run/fail2ban \
+    /tmp/letsencrypt \
+    /tmp/nginx/cache
+

root/etc/s6-overlay/s6-rc.d/svc-fail2ban/run

@@ -1,5 +1,9 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
 
-exec \
-    fail2ban-client -x -f start
+if [[ -z ${LSIO_READ_ONLY_FS} ]] && [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+    exec \
+        fail2ban-client -x -f start
+else
+    sleep infinity
+fi