Bot Updating Package Versions

Rework nginx.conf to be inline with alpine upstream and relocate line…

.github/CONTRIBUTING.md

@@ -96,7 +96,7 @@ If you are proposing additional packages to be added, ensure that you added the
 
 ### Testing your changes
 
-```
+```bash
 git clone https://github.com/linuxserver/docker-swag.git
 cd docker-swag
 docker build \
@@ -106,13 +106,14 @@ docker build \
 ```
 
 The ARM variants can be built on x86_64 hardware using `multiarch/qemu-user-static`
-```
+
+```bash
 docker run --rm --privileged multiarch/qemu-user-static:register --reset
 ```
 
 Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64`.
 
-## Update the chagelog
+## Update the changelog
 
 If you are modifying the Dockerfiles or any of the startup scripts in [root](https://github.com/linuxserver/docker-swag/tree/master/root), add an entry to the changelog
 

Dockerfile

@@ -53,6 +53,7 @@ RUN \
     php7-exif \
     php7-ftp \
     php7-gd \
+    php7-gmp \
     php7-iconv \
     php7-imap \
     php7-intl \
@@ -68,6 +69,7 @@ RUN \
     php7-pdo_sqlite \
     php7-pear \
     php7-pecl-apcu \
+    php7-pecl-mailparse \
     php7-pecl-redis \
     php7-pgsql \
     php7-phar \
@@ -94,13 +96,14 @@ RUN \
   fi && \
   pip3 install -U \
     pip && \
- pip3 install -U \
+  pip3 install -U --find-links https://wheel-index.linuxserver.io/alpine/ \
     ${CERTBOT} \
     certbot-dns-aliyun \
     certbot-dns-cloudflare \
     certbot-dns-cloudxns \
     certbot-dns-cpanel \
     certbot-dns-digitalocean \
+    certbot-dns-directadmin \
     certbot-dns-dnsimple \
     certbot-dns-dnsmadeeasy \
     certbot-dns-domeneshop \
@@ -116,6 +119,7 @@ RUN \
     certbot-dns-rfc2136 \
     certbot-dns-route53 \
     certbot-dns-transip \
+    certbot-dns-vultr \
     certbot-plugin-gandi \
     cryptography \
     requests && \
@@ -136,9 +140,6 @@ RUN \
     /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
   echo "**** configure nginx ****" && \
   rm -f /etc/nginx/conf.d/default.conf && \
- curl -o \
-	/defaults/dhparams.pem -L \
-	"https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \
   echo "**** cleanup ****" && \
   apk del --purge \
     build-dependencies && \

Dockerfile.aarch64

@@ -53,6 +53,7 @@ RUN \
     php7-exif \
     php7-ftp \
     php7-gd \
+    php7-gmp \
     php7-iconv \
     php7-imap \
     php7-intl \
@@ -68,6 +69,7 @@ RUN \
     php7-pdo_sqlite \
     php7-pear \
     php7-pecl-apcu \
+    php7-pecl-mailparse \
     php7-pecl-redis \
     php7-pgsql \
     php7-phar \
@@ -94,13 +96,14 @@ RUN \
   fi && \
   pip3 install -U \
     pip && \
- pip3 install -U \
+  pip3 install -U --find-links https://wheel-index.linuxserver.io/alpine/ \
     ${CERTBOT} \
     certbot-dns-aliyun \
     certbot-dns-cloudflare \
     certbot-dns-cloudxns \
     certbot-dns-cpanel \
     certbot-dns-digitalocean \
+    certbot-dns-directadmin \
     certbot-dns-dnsimple \
     certbot-dns-dnsmadeeasy \
     certbot-dns-domeneshop \
@@ -116,6 +119,7 @@ RUN \
     certbot-dns-rfc2136 \
     certbot-dns-route53 \
     certbot-dns-transip \
+    certbot-dns-vultr \
     certbot-plugin-gandi \
     cryptography \
     requests && \
@@ -136,9 +140,6 @@ RUN \
     /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
   echo "**** configure nginx ****" && \
   rm -f /etc/nginx/conf.d/default.conf && \
- curl -o \
-	/defaults/dhparams.pem -L \
-	"https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \
   echo "**** cleanup ****" && \
   apk del --purge \
     build-dependencies && \

Dockerfile.armhf

@@ -53,6 +53,7 @@ RUN \
     php7-exif \
     php7-ftp \
     php7-gd \
+    php7-gmp \
     php7-iconv \
     php7-imap \
     php7-intl \
@@ -68,6 +69,7 @@ RUN \
     php7-pdo_sqlite \
     php7-pear \
     php7-pecl-apcu \
+    php7-pecl-mailparse \
     php7-pecl-redis \
     php7-pgsql \
     php7-phar \
@@ -94,13 +96,14 @@ RUN \
   fi && \
   pip3 install -U \
     pip && \
- pip3 install -U \
+  pip3 install -U --find-links https://wheel-index.linuxserver.io/alpine/ \
     ${CERTBOT} \
     certbot-dns-aliyun \
     certbot-dns-cloudflare \
     certbot-dns-cloudxns \
     certbot-dns-cpanel \
     certbot-dns-digitalocean \
+    certbot-dns-directadmin \
     certbot-dns-dnsimple \
     certbot-dns-dnsmadeeasy \
     certbot-dns-domeneshop \
@@ -116,6 +119,7 @@ RUN \
     certbot-dns-rfc2136 \
     certbot-dns-route53 \
     certbot-dns-transip \
+    certbot-dns-vultr \
     certbot-plugin-gandi \
     cryptography \
     requests && \
@@ -136,9 +140,6 @@ RUN \
     /defaults/proxy-confs --strip-components=1 --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
   echo "**** configure nginx ****" && \
   rm -f /etc/nginx/conf.d/default.conf && \
- curl -o \
-	/defaults/dhparams.pem -L \
-	"https://lsio.ams3.digitaloceanspaces.com/dhparams.pem" && \
   echo "**** cleanup ****" && \
   apk del --purge \
     build-dependencies && \

Jenkinsfile

@@ -56,7 +56,7 @@ pipeline {
           env.CODE_URL = 'https://github.com/' + env.LS_USER + '/' + env.LS_REPO + '/commit/' + env.GIT_COMMIT
           env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.DOCKERHUB_IMAGE + '/tags/'
           env.PULL_REQUEST = env.CHANGE_ID
-          env.TEMPLATED_FILES = 'Jenkinsfile README.md LICENSE ./.github/CONTRIBUTING.md ./.github/FUNDING.yml ./.github/ISSUE_TEMPLATE/config.yml ./.github/ISSUE_TEMPLATE/issue.bug.md ./.github/ISSUE_TEMPLATE/issue.feature.md ./.github/PULL_REQUEST_TEMPLATE.md ./.github/workflows/greetings.yml ./.github/workflows/stale.yml ./root/donate.txt ./.github/workflows/package_trigger.yml ./.github/workflows/package_trigger_scheduler.yml ./.github/workflows/external_trigger.yml ./.github/workflows/external_trigger_scheduler.yml'
+          env.TEMPLATED_FILES = 'Jenkinsfile README.md LICENSE ./.github/CONTRIBUTING.md ./.github/FUNDING.yml ./.github/ISSUE_TEMPLATE/config.yml ./.github/ISSUE_TEMPLATE/issue.bug.md ./.github/ISSUE_TEMPLATE/issue.feature.md ./.github/PULL_REQUEST_TEMPLATE.md ./.github/workflows/external_trigger_scheduler.yml ./.github/workflows/greetings.yml ./.github/workflows/package_trigger_scheduler.yml ./.github/workflows/stale.yml ./.github/workflows/external_trigger.yml ./.github/workflows/package_trigger.yml ./root/donate.txt'
         }
         script{
           env.LS_RELEASE_NUMBER = sh(
@@ -310,19 +310,21 @@ pipeline {
               mkdir -p ${TEMPDIR}/unraid
               git clone https://github.com/linuxserver/docker-templates.git ${TEMPDIR}/unraid/docker-templates
               git clone https://github.com/linuxserver/templates.git ${TEMPDIR}/unraid/templates
-              if [[ -f ${TEMPDIR}/unraid/docker-templates/linuxserver.io/img/${CONTAINER_NAME}-icon.png ]]; then
+              if [[ -f ${TEMPDIR}/unraid/docker-templates/linuxserver.io/img/${CONTAINER_NAME}-logo.png ]]; then
-                sed -i "s|master/linuxserver.io/img/linuxserver-ls-logo.png|master/linuxserver.io/img/${CONTAINER_NAME}-icon.png|" ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml
+                sed -i "s|master/linuxserver.io/img/linuxserver-ls-logo.png|master/linuxserver.io/img/${CONTAINER_NAME}-logo.png|" ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml
               fi
               if [[ ("${BRANCH_NAME}" == "master") || ("${BRANCH_NAME}" == "main") ]] && [[ (! -f ${TEMPDIR}/unraid/templates/unraid/${CONTAINER_NAME}.xml) || ("$(md5sum ${TEMPDIR}/unraid/templates/unraid/${CONTAINER_NAME}.xml | awk '{ print $1 }')" != "$(md5sum ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml | awk '{ print $1 }')") ]]; then
+                cd ${TEMPDIR}/unraid/templates/
                 if grep -wq "${CONTAINER_NAME}" ${TEMPDIR}/unraid/templates/unraid/ignore.list; then
-                  echo "Image is on the ignore list, skipping Unraid template upload"
+                  echo "Image is on the ignore list, removing Unraid template"
+                  git rm unraid/${CONTAINER_NAME}.xml || :
+                  git commit -m 'Bot Removing Deprecated Unraid Template' || :
                 else
                   cp ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml ${TEMPDIR}/unraid/templates/unraid/
-                  cd ${TEMPDIR}/unraid/templates/
                   git add unraid/${CONTAINER_NAME}.xml
                   git commit -m 'Bot Updating Unraid Template'
-                  git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/templates.git --all
                 fi
+                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/templates.git --all
               fi
               rm -Rf ${TEMPDIR}'''
         script{
@@ -379,7 +381,20 @@ pipeline {
       }
       steps {
         echo "Running on node: ${NODE_NAME}"
-        sh "docker build --no-cache --pull -t ${IMAGE}:${META_TAG} \
+        sh "docker build \
+          --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
+          --label \"org.opencontainers.image.authors=linuxserver.io\" \
+          --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-swag/packages\" \
+          --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-swag\" \
+          --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-swag\" \
+          --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \
+          --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \
+          --label \"org.opencontainers.image.vendor=linuxserver.io\" \
+          --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
+          --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
+          --label \"org.opencontainers.image.title=Swag\" \
+          --label \"org.opencontainers.image.description=SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.\" \
+          --no-cache --pull -t ${IMAGE}:${META_TAG} \
           --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
       }
     }
@@ -393,7 +408,20 @@ pipeline {
         stage('Build X86') {
           steps {
             echo "Running on node: ${NODE_NAME}"
-            sh "docker build --no-cache --pull -t ${IMAGE}:amd64-${META_TAG} \
+            sh "docker build \
+              --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
+              --label \"org.opencontainers.image.authors=linuxserver.io\" \
+              --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-swag/packages\" \
+              --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-swag\" \
+              --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-swag\" \
+              --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \
+              --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \
+              --label \"org.opencontainers.image.vendor=linuxserver.io\" \
+              --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
+              --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
+              --label \"org.opencontainers.image.title=Swag\" \
+              --label \"org.opencontainers.image.description=SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.\" \
+              --no-cache --pull -t ${IMAGE}:amd64-${META_TAG} \
               --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
           }
         }
@@ -407,7 +435,20 @@ pipeline {
             sh '''#! /bin/bash
                   echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
                '''
-            sh "docker build --no-cache --pull -f Dockerfile.armhf -t ${IMAGE}:arm32v7-${META_TAG} \
+            sh "docker build \
+              --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
+              --label \"org.opencontainers.image.authors=linuxserver.io\" \
+              --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-swag/packages\" \
+              --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-swag\" \
+              --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-swag\" \
+              --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \
+              --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \
+              --label \"org.opencontainers.image.vendor=linuxserver.io\" \
+              --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
+              --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
+              --label \"org.opencontainers.image.title=Swag\" \
+              --label \"org.opencontainers.image.description=SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.\" \
+              --no-cache --pull -f Dockerfile.armhf -t ${IMAGE}:arm32v7-${META_TAG} \
               --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
             sh "docker tag ${IMAGE}:arm32v7-${META_TAG} ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}"
             retry(5) {
@@ -428,7 +469,20 @@ pipeline {
             sh '''#! /bin/bash
                   echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
                '''
-            sh "docker build --no-cache --pull -f Dockerfile.aarch64 -t ${IMAGE}:arm64v8-${META_TAG} \
+            sh "docker build \
+              --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
+              --label \"org.opencontainers.image.authors=linuxserver.io\" \
+              --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-swag/packages\" \
+              --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-swag\" \
+              --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-swag\" \
+              --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \
+              --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \
+              --label \"org.opencontainers.image.vendor=linuxserver.io\" \
+              --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
+              --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
+              --label \"org.opencontainers.image.title=Swag\" \
+              --label \"org.opencontainers.image.description=SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.\" \
+              --no-cache --pull -f Dockerfile.aarch64 -t ${IMAGE}:arm64v8-${META_TAG} \
               --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
             sh "docker tag ${IMAGE}:arm64v8-${META_TAG} ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}"
             retry(5) {

README.md

@@ -1,5 +1,5 @@
 <!-- DO NOT EDIT THIS FILE MANUALLY  -->
-<!-- Please read the CONTRIBUTING.md -->
+<!-- Please read the https://github.com/linuxserver/docker-swag/blob/master/.github/CONTRIBUTING.md -->
 
 [![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)](https://linuxserver.io)
 
@@ -19,6 +19,7 @@ The [LinuxServer.io](https://linuxserver.io) team brings you another container r
 * regular security updates
 
 Find us at:
+
 * [Blog](https://blog.linuxserver.io) - all the things you can do with our containers including How-To guides, opinions and much more!
 * [Discord](https://discord.gg/YWrKVTn) - realtime support / chat with the community and the team.
 * [Discourse](https://discourse.linuxserver.io) - post on our community forum.
@@ -56,134 +57,6 @@ The architectures supported by this image are:
 | arm64 | arm64v8-latest |
 | armhf | arm32v7-latest |
 
-
-## Usage
-
-Here are some example snippets to help you get started creating a container.
-
-### docker-compose ([recommended](https://docs.linuxserver.io/general/docker-compose))
-
-Compatible with docker-compose v2 schemas.
-
-```yaml
----
-version: "2.1"
-services:
-  swag:
-    image: ghcr.io/linuxserver/swag
-    container_name: swag
-    cap_add:
-      - NET_ADMIN
-    environment:
-      - PUID=1000
-      - PGID=1000
-      - TZ=Europe/London
-      - URL=yourdomain.url
-      - SUBDOMAINS=www,
-      - VALIDATION=http
-      - CERTPROVIDER= #optional
-      - DNSPLUGIN=cloudflare #optional
-      - PROPAGATION= #optional
-      - DUCKDNSTOKEN= #optional
-      - EMAIL= #optional
-      - ONLY_SUBDOMAINS=false #optional
-      - EXTRA_DOMAINS= #optional
-      - STAGING=false #optional
-      - MAXMINDDB_LICENSE_KEY= #optional
-    volumes:
-      - /path/to/appdata/config:/config
-    ports:
-      - 443:443
-      - 80:80 #optional
-    restart: unless-stopped
-```
-
-### docker cli
-
-```
-docker run -d \
-  --name=swag \
-  --cap-add=NET_ADMIN \
-  -e PUID=1000 \
-  -e PGID=1000 \
-  -e TZ=Europe/London \
-  -e URL=yourdomain.url \
-  -e SUBDOMAINS=www, \
-  -e VALIDATION=http \
-  -e CERTPROVIDER= `#optional` \
-  -e DNSPLUGIN=cloudflare `#optional` \
-  -e PROPAGATION= `#optional` \
-  -e DUCKDNSTOKEN= `#optional` \
-  -e EMAIL= `#optional` \
-  -e ONLY_SUBDOMAINS=false `#optional` \
-  -e EXTRA_DOMAINS= `#optional` \
-  -e STAGING=false `#optional` \
-  -e MAXMINDDB_LICENSE_KEY= `#optional` \
-  -p 443:443 \
-  -p 80:80 `#optional` \
-  -v /path/to/appdata/config:/config \
-  --restart unless-stopped \
-  ghcr.io/linuxserver/swag
-```
-
-
-## Parameters
-
-Container images are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate `<external>:<internal>` respectively. For example, `-p 8080:80` would expose port `80` from inside the container to be accessible from the host's IP on port `8080` outside the container.
-
-| Parameter | Function |
-| :----: | --- |
-| `-p 443` | Https port |
-| `-p 80` | Http port (required for http validation and http -> https redirect) |
-| `-e PUID=1000` | for UserID - see below for explanation |
-| `-e PGID=1000` | for GroupID - see below for explanation |
-| `-e TZ=Europe/London` | Specify a timezone to use EG Europe/London. |
-| `-e URL=yourdomain.url` | Top url you have control over (`customdomain.com` if you own it, or `customsubdomain.ddnsprovider.com` if dynamic dns). |
-| `-e SUBDOMAINS=www,` | Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this _exactly_ to `wildcard` (wildcard cert is available via `dns` and `duckdns` validation only) |
-| `-e VALIDATION=http` | Certbot validation method to use, options are `http`, `dns` or `duckdns` (`dns` method also requires `DNSPLUGIN` variable set) (`duckdns` method requires `DUCKDNSTOKEN` variable set, and the `SUBDOMAINS` variable must be either empty or set to `wildcard`). |
-| `-e CERTPROVIDER=` | Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt. |
-| `-e DNSPLUGIN=cloudflare` | Required if `VALIDATION` is set to `dns`. Options are `aliyun`, `cloudflare`, `cloudxns`, `cpanel`, `digitalocean`, `dnsimple`, `dnsmadeeasy`, `domeneshop`, `gandi`, `gehirn`, `google`, `hetzner`, `inwx`, `linode`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `rfc2136`, `route53`, `sakuracloud` and `transip`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`. |
-| `-e PROPAGATION=` | Optionally override (in seconds) the default propagation time for the dns plugins. |
-| `-e DUCKDNSTOKEN=` | Required if `VALIDATION` is set to `duckdns`. Retrieve your token from https://www.duckdns.org |
-| `-e EMAIL=` | Optional e-mail address used for cert expiration notifications (Required for ZeroSSL). |
-| `-e ONLY_SUBDOMAINS=false` | If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true` |
-| `-e EXTRA_DOMAINS=` | Additional fully qualified domain names (comma separated, no spaces) ie. `extradomain.com,subdomain.anotherdomain.org,*.anotherdomain.org` |
-| `-e STAGING=false` | Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes. |
-| `-e MAXMINDDB_LICENSE_KEY=` | Add your MaxmindDB license key to automatically download the GeoLite2-City.mmdb database. Download location is /config/geoip2db. The database is updated weekly. |
-| `-v /config` | All the config files including the webroot reside here. |
-
-## Environment variables from files (Docker secrets)
-
-You can set any environment variable from a file by using a special prepend `FILE__`.
-
-As an example:
-
-```
--e FILE__PASSWORD=/run/secrets/mysecretpassword
-```
-
-Will set the environment variable `PASSWORD` based on the contents of the `/run/secrets/mysecretpassword` file.
-
-## Umask for running applications
-
-For all of our images we provide the ability to override the default umask settings for services started within the containers using the optional `-e UMASK=022` setting.
-Keep in mind umask is not chmod it subtracts from permissions based on it's value it does not add. Please read up [here](https://en.wikipedia.org/wiki/Umask) before asking for support.
-
-## User / Group Identifiers
-
-When using volumes (`-v` flags) permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user `PUID` and group `PGID`.
-
-Ensure any volume directories on the host are owned by the same user you specify and any permissions issues will vanish like magic.
-
-In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as below:
-
-```
-  $ id username
-    uid=1000(dockeruser) gid=1000(dockergroup) groups=1000(dockergroup)
-```
-
-
-&nbsp;
 ## Application Setup
 
 > ### Migrating from the old `linuxserver/letsencrypt` image
@@ -209,7 +82,7 @@ In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as bel
 * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
 ### Security and password protection
 * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
-* The container provides a pre-generated 4096-bit dhparams.pem (rotated weekly via [Jenkins job](https://ci.linuxserver.io/blue/organizations/jenkins/Xtras-Builders-Etc%2Fdhparams-uploader/activity)) for new instances, however you may generate your own by running `docker exec swag openssl dhparam -out /config/nginx/dhparams.pem 4096` WARNING: This takes a very long time
+* Per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919), the container is shipping [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) as the `dhparams.pem`.
 * If you'd like to password protect your sites, you can use htpasswd. Run the following command on your host to generate the htpasswd file `docker exec -it swag htpasswd -c /config/nginx/.htpasswd <username>`
 * You can add multiple user:pass to `.htpasswd`. For the first user, use the above command, for others, use the above command without the `-c` flag, as it will force deletion of the existing `.htpasswd` and creation of a new one
 * You can also use ldap auth for security and access control. A sample, user configurable ldap.conf is provided, and it requires the separate image [linuxserver/ldap-auth](https://hub.docker.com/r/linuxserver/ldap-auth/) to communicate with an ldap server.
@@ -254,13 +127,136 @@ This will *ask* Google et al not to index and list your site. Be careful with th
 * Proxy sample files WILL be updated, however your renamed (enabled) proxy files will not.
 * You can check the new sample and adjust your active config as needed.
 
+## Usage
+
+Here are some example snippets to help you get started creating a container.
+
+### docker-compose ([recommended](https://docs.linuxserver.io/general/docker-compose))
+
+Compatible with docker-compose v2 schemas.
+
+```yaml
+---
+version: "2.1"
+services:
+  swag:
+    image: ghcr.io/linuxserver/swag
+    container_name: swag
+    cap_add:
+      - NET_ADMIN
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/London
+      - URL=yourdomain.url
+      - SUBDOMAINS=www,
+      - VALIDATION=http
+      - CERTPROVIDER= #optional
+      - DNSPLUGIN=cloudflare #optional
+      - PROPAGATION= #optional
+      - DUCKDNSTOKEN= #optional
+      - EMAIL= #optional
+      - ONLY_SUBDOMAINS=false #optional
+      - EXTRA_DOMAINS= #optional
+      - STAGING=false #optional
+      - MAXMINDDB_LICENSE_KEY= #optional
+    volumes:
+      - /path/to/appdata/config:/config
+    ports:
+      - 443:443
+      - 80:80 #optional
+    restart: unless-stopped
+```
+
+### docker cli
+
+```bash
+docker run -d \
+  --name=swag \
+  --cap-add=NET_ADMIN \
+  -e PUID=1000 \
+  -e PGID=1000 \
+  -e TZ=Europe/London \
+  -e URL=yourdomain.url \
+  -e SUBDOMAINS=www, \
+  -e VALIDATION=http \
+  -e CERTPROVIDER= `#optional` \
+  -e DNSPLUGIN=cloudflare `#optional` \
+  -e PROPAGATION= `#optional` \
+  -e DUCKDNSTOKEN= `#optional` \
+  -e EMAIL= `#optional` \
+  -e ONLY_SUBDOMAINS=false `#optional` \
+  -e EXTRA_DOMAINS= `#optional` \
+  -e STAGING=false `#optional` \
+  -e MAXMINDDB_LICENSE_KEY= `#optional` \
+  -p 443:443 \
+  -p 80:80 `#optional` \
+  -v /path/to/appdata/config:/config \
+  --restart unless-stopped \
+  ghcr.io/linuxserver/swag
+```
+
+## Parameters
+
+Container images are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate `<external>:<internal>` respectively. For example, `-p 8080:80` would expose port `80` from inside the container to be accessible from the host's IP on port `8080` outside the container.
+
+| Parameter | Function |
+| :----: | --- |
+| `-p 443` | Https port |
+| `-p 80` | Http port (required for http validation and http -> https redirect) |
+| `-e PUID=1000` | for UserID - see below for explanation |
+| `-e PGID=1000` | for GroupID - see below for explanation |
+| `-e TZ=Europe/London` | Specify a timezone to use EG Europe/London. |
+| `-e URL=yourdomain.url` | Top url you have control over (`customdomain.com` if you own it, or `customsubdomain.ddnsprovider.com` if dynamic dns). |
+| `-e SUBDOMAINS=www,` | Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this _exactly_ to `wildcard` (wildcard cert is available via `dns` and `duckdns` validation only) |
+| `-e VALIDATION=http` | Certbot validation method to use, options are `http`, `dns` or `duckdns` (`dns` method also requires `DNSPLUGIN` variable set) (`duckdns` method requires `DUCKDNSTOKEN` variable set, and the `SUBDOMAINS` variable must be either empty or set to `wildcard`). |
+| `-e CERTPROVIDER=` | Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt. |
+| `-e DNSPLUGIN=cloudflare` | Required if `VALIDATION` is set to `dns`. Options are `aliyun`, `cloudflare`, `cloudxns`, `cpanel`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `domeneshop`, `gandi`, `gehirn`, `google`, `hetzner`, `inwx`, `linode`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `rfc2136`, `route53`, `sakuracloud`, `transip` and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`. |
+| `-e PROPAGATION=` | Optionally override (in seconds) the default propagation time for the dns plugins. |
+| `-e DUCKDNSTOKEN=` | Required if `VALIDATION` is set to `duckdns`. Retrieve your token from https://www.duckdns.org |
+| `-e EMAIL=` | Optional e-mail address used for cert expiration notifications (Required for ZeroSSL). |
+| `-e ONLY_SUBDOMAINS=false` | If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true` |
+| `-e EXTRA_DOMAINS=` | Additional fully qualified domain names (comma separated, no spaces) ie. `extradomain.com,subdomain.anotherdomain.org,*.anotherdomain.org` |
+| `-e STAGING=false` | Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes. |
+| `-e MAXMINDDB_LICENSE_KEY=` | Add your MaxmindDB license key to automatically download the GeoLite2-City.mmdb database. Download location is /config/geoip2db. The database is updated weekly. |
+| `-v /config` | All the config files including the webroot reside here. |
+
+## Environment variables from files (Docker secrets)
+
+You can set any environment variable from a file by using a special prepend `FILE__`.
+
+As an example:
+
+```bash
+-e FILE__PASSWORD=/run/secrets/mysecretpassword
+```
+
+Will set the environment variable `PASSWORD` based on the contents of the `/run/secrets/mysecretpassword` file.
+
+## Umask for running applications
+
+For all of our images we provide the ability to override the default umask settings for services started within the containers using the optional `-e UMASK=022` setting.
+Keep in mind umask is not chmod it subtracts from permissions based on it's value it does not add. Please read up [here](https://en.wikipedia.org/wiki/Umask) before asking for support.
+
+## User / Group Identifiers
+
+When using volumes (`-v` flags) permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user `PUID` and group `PGID`.
+
+Ensure any volume directories on the host are owned by the same user you specify and any permissions issues will vanish like magic.
+
+In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as below:
+
+```bash
+  $ id username
+    uid=1000(dockeruser) gid=1000(dockergroup) groups=1000(dockergroup)
+```
 
 ## Docker Mods
+
 [![Docker Mods](https://img.shields.io/badge/dynamic/yaml?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=swag&query=%24.mods%5B%27swag%27%5D.mod_count&url=https%3A%2F%2Fraw.githubusercontent.com%2Flinuxserver%2Fdocker-mods%2Fmaster%2Fmod-list.yml)](https://mods.linuxserver.io/?mod=swag "view available mods for this container.") [![Docker Universal Mods](https://img.shields.io/badge/dynamic/yaml?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=universal&query=%24.mods%5B%27universal%27%5D.mod_count&url=https%3A%2F%2Fraw.githubusercontent.com%2Flinuxserver%2Fdocker-mods%2Fmaster%2Fmod-list.yml)](https://mods.linuxserver.io/?mod=universal "view available universal mods.")
 
 We publish various [Docker Mods](https://github.com/linuxserver/docker-mods) to enable additional functionality within the containers. The list of Mods available for this image (if any) as well as universal mods that can be applied to any one of our images can be accessed via the dynamic badges above.
 
-
 ## Support Info
 
 * Shell access whilst the container is running: `docker exec -it swag /bin/bash`
@@ -277,6 +273,7 @@ Most of our images are static, versioned, and require an image update and contai
 Below are the instructions for updating containers:
 
 ### Via Docker Compose
+
 * Update all images: `docker-compose pull`
   * or update a single image: `docker-compose pull swag`
 * Let compose update all containers as necessary: `docker-compose up -d`
@@ -284,6 +281,7 @@ Below are the instructions for updating containers:
 * You can also remove the old dangling images: `docker image prune`
 
 ### Via Docker Run
+
 * Update the image: `docker pull ghcr.io/linuxserver/swag`
 * Stop the running container: `docker stop swag`
 * Delete the container: `docker rm swag`
@@ -291,24 +289,29 @@ Below are the instructions for updating containers:
 * You can also remove the old dangling images: `docker image prune`
 
 ### Via Watchtower auto-updater (only use if you don't remember the original parameters)
+
 * Pull the latest image at its tag and replace it with the same env variables in one run:
-  ```
+
+  ```bash
   docker run --rm \
   -v /var/run/docker.sock:/var/run/docker.sock \
   containrrr/watchtower \
   --run-once swag
   ```
+
 * You can also remove the old dangling images: `docker image prune`
 
 **Note:** We do not endorse the use of Watchtower as a solution to automated updates of existing Docker containers. In fact we generally discourage automated updates. However, this is a useful tool for one-time manual updates of containers where you have forgotten the original parameters. In the long term, we highly recommend using [Docker Compose](https://docs.linuxserver.io/general/docker-compose).
 
 ### Image Update Notifications - Diun (Docker Image Update Notifier)
+
 * We recommend [Diun](https://crazymax.dev/diun/) for update notifications. Other tools that automatically update containers unattended are not recommended or supported.
 
 ## Building locally
 
 If you want to make local modifications to these images for development purposes or just to customize the logic:
-```
+
+```bash
 git clone https://github.com/linuxserver/docker-swag.git
 cd docker-swag
 docker build \
@@ -318,7 +321,8 @@ docker build \
 ```
 
 The ARM variants can be built on x86_64 hardware using `multiarch/qemu-user-static`
-```
+
+```bash
 docker run --rm --privileged multiarch/qemu-user-static:register --reset
 ```
 
@@ -326,6 +330,11 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **14.05.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later.
+* **21.04.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method.
+* **12.04.21:** - Add php7-gmp and php7-pecl-mailparse.
+* **12.04.21:** - Add support for vultr dns validation.
+* **14.03.21:** - Add support for directadmin dns validation.
 * **12.02.21:** - Clean up rust/cargo cache, which ballooned the image size in the last couple of builds.
 * **10.02.21:** - Fix aliyun, domeneshop, inwx and transip dns confs for existing users.
 * **09.02.21:** - Rebasing to alpine 3.13. Add nginx mods brotli and dav-ext. Remove nginx mods lua and lua-upstream (due to regression over the last couple of years).

package_versions.txt

@@ -1,28 +1,28 @@
 alpine-baselayout-3.2.0-r8
 alpine-keys-2.2-r0
 apache2-utils-2.4.46-r3
-apk-tools-2.12.1-r0
+apk-tools-2.12.5-r0
 apr-1.7.0-r0
 apr-util-1.6.1-r7
 argon2-libs-20190702-r1
 bash-5.1.0-r0
 brotli-libs-1.0.9-r3
-busybox-1.32.1-r3
+busybox-1.32.1-r6
 c-client-2007f-r11
 ca-certificates-20191127-r5
 ca-certificates-bundle-20191127-r5
 coreutils-8.32-r2
-curl-7.74.0-r0
+curl-7.76.1-r0
 expat-2.2.10-r1
 fail2ban-0.11.1-r4
 freetype-2.10.4-r1
 gdbm-1.19-r0
-git-2.30.1-r0
+git-2.30.2-r0
-git-perl-2.30.1-r0
+git-perl-2.30.2-r0
-glib-2.66.7-r0
+glib-2.66.8-r0
 gmp-6.2.1-r0
 gnupg-2.2.27-r0
-gnutls-3.7.0-r0
+gnutls-3.7.1-r0
 icu-libs-67.1-r2
 ip6tables-1.8.6-r0
 iptables-1.8.6-r0
@@ -34,8 +34,8 @@ libbsd-0.10.0-r0
 libbz2-1.0.8-r1
 libc-utils-0.7.2-r3
 libcap-2.46-r0
-libcrypto1.1-1.1.1i-r0
+libcrypto1.1-1.1.1k-r0
-libcurl-7.74.0-r0
+libcurl-7.76.1-r0
 libedit-20191231.3.1-r1
 libevent-2.1.12-r1
 libffi-3.3-r2
@@ -46,27 +46,27 @@ libgpg-error-1.41-r0
 libice-1.0.10-r0
 libidn-1.35-r0
 libintl-0.20.2-r2
-libjpeg-turbo-2.0.6-r0
+libjpeg-turbo-2.1.0-r0
 libksba-1.5.0-r0
-libldap-2.4.56-r0
+libldap-2.4.57-r1
 libmagic-5.39-r0
-libmaxminddb-1.5.0-r0
+libmaxminddb-1.5.0-r1
 libmcrypt-2.5.8-r9
 libmemcached-libs-1.0.18-r4
 libmnl-1.0.4-r1
 libmount-2.36.1-r1
 libnftnl-libs-1.1.8-r0
 libpng-1.6.37-r1
-libpq-13.1-r2
+libpq-13.3-r0
 libproc-3.3.16-r0
 libressl3.1-libcrypto-3.1.5-r0
 libressl3.1-libssl-3.1.5-r0
 libsasl-2.1.27-r10
-libseccomp-2.5.1-r0
+libseccomp-2.5.1-r1
 libsecret-0.20.4-r0
 libsm-1.2.3-r0
 libsodium-1.0.18-r0
-libssl1.1-1.1.1i-r0
+libssl1.1-1.1.1k-r0
 libstdc++-10.2.1_pre1-r3
 libtasn1-4.16.0-r1
 libtls-standalone-2.9.1-r1
@@ -92,7 +92,7 @@ musl-utils-1.2.2-r0
 nano-5.4-r1
 ncurses-libs-6.2_p20210109-r0
 ncurses-terminfo-base-6.2_p20210109-r0
-nettle-3.7-r0
+nettle-3.7.2-r0
 nghttp2-libs-1.42.0-r1
 nginx-1.18.0-r13
 nginx-mod-devel-kit-1.18.0-r13
@@ -116,62 +116,64 @@ nginx-mod-stream-geoip2-1.18.0-r13
 nginx-vim-1.18.0-r13
 npth-1.6-r0
 oniguruma-6.9.6-r0
-openssl-1.1.1i-r0
+openssl-1.1.1k-r0
 p11-kit-0.23.22-r0
 pcre-8.44-r0
 pcre2-10.36-r0
 perl-5.32.0-r0
 perl-error-0.17029-r1
-perl-git-2.30.1-r0
+perl-git-2.30.2-r0
-php7-7.4.15-r0
+php7-7.4.19-r0
-php7-bcmath-7.4.15-r0
+php7-bcmath-7.4.19-r0
-php7-bz2-7.4.15-r0
+php7-bz2-7.4.19-r0
-php7-common-7.4.15-r0
+php7-common-7.4.19-r0
-php7-ctype-7.4.15-r0
+php7-ctype-7.4.19-r0
-php7-curl-7.4.15-r0
+php7-curl-7.4.19-r0
-php7-dom-7.4.15-r0
+php7-dom-7.4.19-r0
-php7-exif-7.4.15-r0
+php7-exif-7.4.19-r0
-php7-fileinfo-7.4.15-r0
+php7-fileinfo-7.4.19-r0
-php7-fpm-7.4.15-r0
+php7-fpm-7.4.19-r0
-php7-ftp-7.4.15-r0
+php7-ftp-7.4.19-r0
-php7-gd-7.4.15-r0
+php7-gd-7.4.19-r0
-php7-iconv-7.4.15-r0
+php7-gmp-7.4.19-r0
-php7-imap-7.4.15-r0
+php7-iconv-7.4.19-r0
-php7-intl-7.4.15-r0
+php7-imap-7.4.19-r0
-php7-json-7.4.15-r0
+php7-intl-7.4.19-r0
-php7-ldap-7.4.15-r0
+php7-json-7.4.19-r0
-php7-mbstring-7.4.15-r0
+php7-ldap-7.4.19-r0
-php7-mysqli-7.4.15-r0
+php7-mbstring-7.4.19-r0
-php7-mysqlnd-7.4.15-r0
+php7-mysqli-7.4.19-r0
-php7-opcache-7.4.15-r0
+php7-mysqlnd-7.4.19-r0
-php7-openssl-7.4.15-r0
+php7-opcache-7.4.19-r0
-php7-pdo-7.4.15-r0
+php7-openssl-7.4.19-r0
-php7-pdo_mysql-7.4.15-r0
+php7-pdo-7.4.19-r0
-php7-pdo_odbc-7.4.15-r0
+php7-pdo_mysql-7.4.19-r0
-php7-pdo_pgsql-7.4.15-r0
+php7-pdo_odbc-7.4.19-r0
-php7-pdo_sqlite-7.4.15-r0
+php7-pdo_pgsql-7.4.19-r0
-php7-pear-7.4.15-r0
+php7-pdo_sqlite-7.4.19-r0
-php7-pecl-apcu-5.1.19-r1
+php7-pear-7.4.19-r0
-php7-pecl-igbinary-3.2.2_rc1-r0
+php7-pecl-apcu-5.1.20-r0
+php7-pecl-igbinary-3.2.2-r0
+php7-pecl-mailparse-3.1.1-r1
 php7-pecl-mcrypt-1.0.4-r0
 php7-pecl-memcached-3.1.5-r2
-php7-pecl-redis-5.3.3-r0
+php7-pecl-redis-5.3.4-r0
-php7-pgsql-7.4.15-r0
+php7-pgsql-7.4.19-r0
-php7-phar-7.4.15-r0
+php7-phar-7.4.19-r0
-php7-posix-7.4.15-r0
+php7-posix-7.4.19-r0
-php7-session-7.4.15-r0
+php7-session-7.4.19-r0
-php7-simplexml-7.4.15-r0
+php7-simplexml-7.4.19-r0
-php7-soap-7.4.15-r0
+php7-soap-7.4.19-r0
-php7-sockets-7.4.15-r0
+php7-sockets-7.4.19-r0
-php7-sodium-7.4.15-r0
+php7-sodium-7.4.19-r0
-php7-sqlite3-7.4.15-r0
+php7-sqlite3-7.4.19-r0
-php7-tokenizer-7.4.15-r0
+php7-tokenizer-7.4.19-r0
-php7-xml-7.4.15-r0
+php7-xml-7.4.19-r0
-php7-xmlreader-7.4.15-r0
+php7-xmlreader-7.4.19-r0
-php7-xmlrpc-7.4.15-r0
+php7-xmlrpc-7.4.19-r0
-php7-xmlwriter-7.4.15-r0
+php7-xmlwriter-7.4.19-r0
-php7-xsl-7.4.15-r0
+php7-xsl-7.4.19-r0
-php7-zip-7.4.15-r0
+php7-zip-7.4.19-r0
 pinentry-1.1.1-r0
 popt-1.18-r0
 procps-3.3.16-r0
@@ -205,14 +207,14 @@ py3-six-1.15.0-r0
 py3-toml-0.10.2-r0
 py3-urllib3-1.26.2-r1
 py3-webencodings-0.5.1-r3
-python3-3.8.7-r0
+python3-3.8.10-r0
 readline-8.1.0-r0
 s6-ipcserver-2.10.0.0-r0
 scanelf-1.2.8-r0
 shadow-4.8.1-r0
 skalibs-2.10.0.0-r0
 sqlite-libs-3.34.1-r0
-ssl_client-1.32.1-r3
+ssl_client-1.32.1-r6
 tzdata-2021a-r0
 unixodbc-2.3.9-r1
 utmps-0.1.0.0-r0

readme-vars.yml

@@ -51,7 +51,7 @@ cap_add_param_vars:
 opt_param_usage_include_env: true
 opt_param_env_vars:
   - { env_var: "CERTPROVIDER", env_value: "", desc: "Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt." }
-  - { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `aliyun`, `cloudflare`, `cloudxns`, `cpanel`, `digitalocean`, `dnsimple`, `dnsmadeeasy`, `domeneshop`, `gandi`, `gehirn`, `google`, `hetzner`, `inwx`, `linode`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `rfc2136`, `route53`, `sakuracloud` and `transip`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." }
+  - { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `aliyun`, `cloudflare`, `cloudxns`, `cpanel`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `domeneshop`, `gandi`, `gehirn`, `google`, `hetzner`, `inwx`, `linode`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `rfc2136`, `route53`, `sakuracloud`, `transip` and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." }
   - { env_var: "PROPAGATION", env_value: "", desc: "Optionally override (in seconds) the default propagation time for the dns plugins." }
   - { env_var: "DUCKDNSTOKEN", env_value: "", desc: "Required if `VALIDATION` is set to `duckdns`. Retrieve your token from https://www.duckdns.org" }
   - { env_var: "EMAIL", env_value: "", desc: "Optional e-mail address used for cert expiration notifications (Required for ZeroSSL)." }
@@ -101,7 +101,7 @@ app_setup_block: |
   * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
   ### Security and password protection
   * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
-  * The container provides a pre-generated 4096-bit dhparams.pem (rotated weekly via [Jenkins job](https://ci.linuxserver.io/blue/organizations/jenkins/Xtras-Builders-Etc%2Fdhparams-uploader/activity)) for new instances, however you may generate your own by running `docker exec swag openssl dhparam -out /config/nginx/dhparams.pem 4096` WARNING: This takes a very long time
+  * Per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919), the container is shipping [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) as the `dhparams.pem`.
   * If you'd like to password protect your sites, you can use htpasswd. Run the following command on your host to generate the htpasswd file `docker exec -it swag htpasswd -c /config/nginx/.htpasswd <username>`
   * You can add multiple user:pass to `.htpasswd`. For the first user, use the above command, for others, use the above command without the `-c` flag, as it will force deletion of the existing `.htpasswd` and creation of a new one
   * You can also use ldap auth for security and access control. A sample, user configurable ldap.conf is provided, and it requires the separate image [linuxserver/ldap-auth](https://hub.docker.com/r/linuxserver/ldap-auth/) to communicate with an ldap server.
@@ -151,6 +151,11 @@ app_setup_nginx_reverse_proxy_block: ""
 
 # changelog
 changelogs:
+  - { date: "14.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later." }
+  - { date: "21.04.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method." }
+  - { date: "12.04.21:", desc: "Add php7-gmp and php7-pecl-mailparse." }
+  - { date: "12.04.21:", desc: "Add support for vultr dns validation." }
+  - { date: "14.03.21:", desc: "Add support for directadmin dns validation." }
   - { date: "12.02.21:", desc: "Clean up rust/cargo cache, which ballooned the image size in the last couple of builds." }
   - { date: "10.02.21:", desc: "Fix aliyun, domeneshop, inwx and transip dns confs for existing users." }
   - { date: "09.02.21:", desc: "Rebasing to alpine 3.13. Add nginx mods brotli and dav-ext. Remove nginx mods lua and lua-upstream (due to regression over the last couple of years)." }

root/defaults/authelia-location.conf

@@ -1,4 +1,4 @@
-## Version 2020/05/31 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-location.conf
+## Version 2021/04/21 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-location.conf
 # Make sure that your authelia container is in the same user defined bridge network and is named authelia
 # Make sure that the authelia configuration.yml has 'path: "authelia"' defined
 
@@ -6,6 +6,10 @@ auth_request /authelia/api/verify;
 auth_request_set $target_url $scheme://$http_host$request_uri;
 auth_request_set $user $upstream_http_remote_user;
 auth_request_set $groups $upstream_http_remote_groups;
+auth_request_set $name $upstream_http_remote_name;
+auth_request_set $email $upstream_http_remote_email;
 proxy_set_header Remote-User $user;
 proxy_set_header Remote-Groups $groups;
+proxy_set_header Remote-Name $name;
+proxy_set_header Remote-Email $email;
 error_page 401 =302 https://$http_host/authelia/?rd=$target_url;

root/defaults/authelia-server.conf

@@ -1,4 +1,4 @@
-## Version 2020/05/31 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-server.conf
+## Version 2021/04/21 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-server.conf
 # Make sure that your authelia container is in the same user defined bridge network and is named authelia
 
 location ^~ /authelia {
@@ -29,6 +29,7 @@ location = /authelia/api/verify {
     proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Forwarded-Method $request_method;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_set_header X-Forwarded-Host $http_host;
     proxy_set_header X-Forwarded-Uri $request_uri;

root/defaults/default

@@ -1,4 +1,4 @@
-## Version 2021/01/03 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default
 
 error_page 502 /502.html;
 
@@ -151,5 +151,3 @@ server {
 
 # enable subdomain method reverse proxy confs
 include /config/nginx/proxy-confs/*.subdomain.conf;
-# enable proxy cache for auth
-proxy_cache_path cache/ keys_zone=auth_cache:10m;

root/defaults/dhparams.pem

@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
+-----END DH PARAMETERS-----

root/defaults/dns-conf/directadmin.ini

@@ -0,0 +1,21 @@
+# Instructions: https://github.com/cybercinch/certbot-dns-directadmin/blob/master/certbot_dns_directadmin/__init__.py
+
+# It is recommended to create a login key in the DirectAdmin control panel to be used as value for directadmin_password.
+# Instructions on how to create such key can be found at https://help.directadmin.com/item.php?id=523.
+#
+# Make sure to grant the following permissions:
+# - CMD_API_LOGIN_TEST
+# - CMD_API_DNS_CONTROL
+# - CMD_API_SHOW_DOMAINS
+#
+# Username and password can also be used in case your DirectAdmin instance has no support for login keys.
+
+# The DirectAdmin Server url
+# include the scheme and the port number (Normally 2222)
+directadmin_url = https://my.directadminserver.com:2222
+
+# The DirectAdmin username
+directadmin_username = username
+
+# The DirectAdmin password
+directadmin_password = aSuperStrongPassword

root/defaults/dns-conf/vultr.ini

@@ -0,0 +1,3 @@
+# Instructions: https://github.com/lezgomatt/certbot-dns-vultr
+# Replace with your vultr Personal Access Token (see https://www.vultr.com/docs/how-to-setup-dynamic-dns).
+dns_vultr_key = YOUR_VULTR_API_KEY

root/defaults/nginx.conf

@@ -1,53 +1,91 @@
-## Version 2021/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
 
 user abc;
-worker_processes 4;
+
-pid /run/nginx.pid;
+# Set number of worker processes automatically based on number of CPU cores.
+include /config/nginx/worker_processes.conf;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Configures default error logger.
+error_log /config/log/nginx/error.log;
+
+# Includes files with directives to load dynamic modules.
 include /etc/nginx/modules/*.conf;
 
 events {
-	worker_connections 768;
+    # The maximum number of simultaneous connections that can be opened by
+    # a worker process.
+    worker_connections 1024;
     # multi_accept on;
 }
 
 http {
+    # Includes mapping of file name extensions to MIME types of responses
+    # and defines the default type.
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    # Name servers used to resolve names of upstream servers into addresses.
+    # It's also needed when using tcpsocket and udpsocket in Lua modules.
+    #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
+    include /config/nginx/resolver.conf;
+
+    # Don't tell nginx version to the clients. Default is 'on'.
+    server_tokens off;
+
+    # Specifies the maximum accepted body size of a client request, as
+    # indicated by the request header Content-Length. If the stated content
+    # length is greater than this size, then the client receives the HTTP
+    # error code 413. Set to 0 to disable. Default is '1m'.
+    client_max_body_size 0;
+
+    # Sendfile copies data between one FD and other from within the kernel,
+    # which is more efficient than read() + write(). Default is off.
+    sendfile on;
+
+    # Causes nginx to attempt to send its HTTP response head in one packet,
+    # instead of using partial frames. Default is 'off'.
+    tcp_nopush on;
+
+    # Helper variable for proxying websockets.
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+
+    # Sets the path, format, and configuration for a buffered log write.
+    access_log /config/log/nginx/access.log;
+
+    # Includes virtual hosts configs.
+    #include /etc/nginx/http.d/*.conf;
+
+    # WARNING: Don't use this directory for virtual hosts anymore.
+    # This include will be moved to the root context in Alpine 3.14.
+    #include /etc/nginx/conf.d/*.conf;
+
 
     ##
     # Basic Settings
     ##
 
     client_body_buffer_size 128k;
-	client_max_body_size 0;
     keepalive_timeout 65;
     large_client_header_buffers 4 16k;
     send_timeout 5m;
-	sendfile on;
     tcp_nodelay on;
-	tcp_nopush on;
     types_hash_max_size 2048;
     variables_hash_max_size 2048;
-
-	# server_tokens off;
     # server_names_hash_bucket_size 64;
     # server_name_in_redirect off;
 
-	include /etc/nginx/mime.types;
-	default_type application/octet-stream;
-
-	##
-	# Logging Settings
-	##
-
-	access_log /config/log/nginx/access.log;
-	error_log /config/log/nginx/error.log;
-
     ##
     # Gzip Settings
     ##
 
     gzip on;
     gzip_disable "msie6";
-
     # gzip_vary on;
     # gzip_proxied any;
     # gzip_comp_level 6;
@@ -72,18 +110,9 @@ http {
     #passenger_root /usr;
     #passenger_ruby /usr/bin/ruby;
 
-	##
-	# WebSocket proxying
-	##
-	map $http_upgrade $connection_upgrade {
-		default upgrade;
-		''      close;
-	}
-
     ##
     # Virtual Host Configs
     ##
-	include /etc/nginx/conf.d/*.conf;
     include /config/nginx/site-confs/*;
     #Removed lua. Do not remove this comment
 
@@ -96,7 +125,6 @@ http {
     #include /config/nginx/geoip2.conf;
 }
 
-
 #mail {
 #    # See sample authentication script at:
 #    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
@@ -117,4 +145,6 @@ http {
 #        proxy      on;
 #    }
 #}
+
 daemon off;
+pid /run/nginx.pid;

root/defaults/proxy.conf

@@ -1,4 +1,4 @@
-## Version 2020/10/04 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
 
 # Timeout if the real server is dead
 proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
@@ -15,6 +15,7 @@ proxy_send_timeout 240;
 
 # Proxy Cache and Cookie Settings
 proxy_cache_bypass $cookie_session;
+proxy_cache_path cache/ keys_zone=auth_cache:10m;
 #proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
 proxy_no_cache $cookie_session;
 

root/defaults/ssl.conf

@@ -1,4 +1,4 @@
-## Version 2020/10/29 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
 
 ### Mozilla Recommendations
 # generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
@@ -29,9 +29,6 @@ ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;
 # Diffie-Hellman Parameters
 ssl_dhparam /config/nginx/dhparams.pem;
 
-# Resolver
-resolver 127.0.0.11 valid=30s; # Docker DNS Server
-
 # Enable TLS 1.3 early data
 ssl_early_data on;
 

root/etc/cont-init.d/50-config

@@ -81,6 +81,20 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
 [[ ! -f /config/www/502.html ]] &&
     cp /defaults/502.html /config/www/502.html
 
+# Set resolver
+if ! grep -q 'resolver' /config/nginx/resolver.conf; then
+    RESOLVER=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf)
+    echo "Setting resolver to ${RESOLVER}"
+    echo -e "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf
+fi
+
+# Set worker_processes
+if ! grep -q 'worker_processes' /config/nginx/worker_processes.conf; then
+    WORKER_PROCESSES=$(nproc)
+    echo "Setting worker_processes to ${WORKER_PROCESSES}"
+    echo -e "# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically.\n\nworker_processes ${WORKER_PROCESSES};" > /config/nginx/worker_processes.conf
+fi
+
 # remove lua bits from nginx.conf if not done before
 if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
     echo "Removing lua specific info from nginx.conf"
@@ -91,15 +105,11 @@ fi
 [[ ! -f /config/nginx/dhparams.pem ]] && \
     cp /defaults/dhparams.pem /config/nginx/dhparams.pem
 if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
-  curl -o /config/nginx/dhparams.pem -L "https://lsio.ams3.digitaloceanspaces.com/dhparams.pem"
+    curl -o /config/nginx/dhparams.pem -L "https://ssl-config.mozilla.org/ffdhe4096.txt"
-fi
-if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
-  echo "Generating dhparams.pem. This will take a long time. Do not stop the container until this process is completed."
-  openssl dhparam -out /config/nginx/dhparams.pem 4096
 fi
 
 # check to make sure DNSPLUGIN is selected if dns validation is used
-[[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(aliyun|cloudflare|cloudxns|cpanel|digitalocean|dnsimple|dnsmadeeasy|domeneshop|gandi|gehirn|google|hetzner|inwx|linode|luadns|netcup|njalla|nsone|ovh|rfc2136|route53|sakuracloud|transip)$ ]] && \
+[[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(aliyun|cloudflare|cloudxns|cpanel|digitalocean|directadmin|dnsimple|dnsmadeeasy|domeneshop|gandi|gehirn|google|hetzner|inwx|linode|luadns|netcup|njalla|nsone|ovh|rfc2136|route53|sakuracloud|transip|vultr)$ ]] && \
     echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." && \
     sleep infinity
 
@@ -213,9 +223,12 @@ if [ "$VALIDATION" = "dns" ]; then
     elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then
         if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
         PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}"
-  elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|hetzner|inwx|netcup|njalla|transip)$ ]]; then
+    elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|hetzner|inwx|netcup|njalla|transip|vultr)$ ]]; then
         if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
         PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
+    elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then
+        if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+        PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
     else
         if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
         PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"