Bot Updating Package Versions

2026-03-03 00:43:34 +09:00 · 2022-03-16 21:57:12 +01:00 · 2022-03-10 06:19:39 +01:00 · 2022-03-02 00:56:48 +01:00 · 2022-02-24 06:18:30 +01:00 · 2022-02-17 06:18:01 +01:00
21 changed files with 386 additions and 307 deletions
--- a/13
+++ b/13
@@ -18,6 +18,8 @@ RUN \
    g++ \
    gcc \
    libffi-dev \
+    libxml2-dev \
+    libxslt-dev \
    openssl-dev \
    python3-dev && \
  echo "**** install runtime packages ****" && \
@@ -102,14 +104,19 @@ RUN \
    certbot-dns-cloudflare \
    certbot-dns-cloudxns \
    certbot-dns-cpanel \
+    certbot-dns-desec \
    certbot-dns-digitalocean \
    certbot-dns-directadmin \
    certbot-dns-dnsimple \
    certbot-dns-dnsmadeeasy \
+    certbot-dns-dnspod \
    certbot-dns-domeneshop \
    certbot-dns-google \
+    certbot-dns-he \
    certbot-dns-hetzner \
+    certbot-dns-infomaniak \
    certbot-dns-inwx \
+    certbot-dns-ionos \
    certbot-dns-linode \
    certbot-dns-luadns \
    certbot-dns-netcup \
@@ -120,9 +127,15 @@ RUN \
    certbot-dns-route53 \
    certbot-dns-transip \
    certbot-dns-vultr \
+    certbot-dns-desec \
    certbot-plugin-gandi \
    cryptography \
    requests && \
+  echo "**** correct ip6tables legacy issue ****" && \
+  rm \ 
+    /sbin/ip6tables && \
+  ln -s \
+    /sbin/ip6tables-nft /sbin/ip6tables && \
  echo "**** remove unnecessary fail2ban filters ****" && \
  rm \
    /etc/fail2ban/jail.d/alpine-ssh.conf && \
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -18,6 +18,8 @@ RUN \
    g++ \
    gcc \
    libffi-dev \
+    libxml2-dev \
+    libxslt-dev \
    openssl-dev \
    python3-dev && \
  echo "**** install runtime packages ****" && \
@@ -102,14 +104,19 @@ RUN \
    certbot-dns-cloudflare \
    certbot-dns-cloudxns \
    certbot-dns-cpanel \
+    certbot-dns-desec \
    certbot-dns-digitalocean \
    certbot-dns-directadmin \
    certbot-dns-dnsimple \
    certbot-dns-dnsmadeeasy \
+    certbot-dns-dnspod \
    certbot-dns-domeneshop \
    certbot-dns-google \
+    certbot-dns-he \
    certbot-dns-hetzner \
+    certbot-dns-infomaniak \
    certbot-dns-inwx \
+    certbot-dns-ionos \
    certbot-dns-linode \
    certbot-dns-luadns \
    certbot-dns-netcup \
@@ -120,9 +127,15 @@ RUN \
    certbot-dns-route53 \
    certbot-dns-transip \
    certbot-dns-vultr \
+    certbot-dns-desec \
    certbot-plugin-gandi \
    cryptography \
    requests && \
+  echo "**** correct ip6tables legacy issue ****" && \
+  rm \ 
+    /sbin/ip6tables && \
+  ln -s \
+    /sbin/ip6tables-nft /sbin/ip6tables && \
  echo "**** remove unnecessary fail2ban filters ****" && \
  rm \
    /etc/fail2ban/jail.d/alpine-ssh.conf && \
--- a/Dockerfile.armhf
+++ b/Dockerfile.armhf
@@ -18,6 +18,8 @@ RUN \
    g++ \
    gcc \
    libffi-dev \
+    libxml2-dev \
+    libxslt-dev \
    openssl-dev \
    python3-dev && \
  echo "**** install runtime packages ****" && \
@@ -102,14 +104,19 @@ RUN \
    certbot-dns-cloudflare \
    certbot-dns-cloudxns \
    certbot-dns-cpanel \
+    certbot-dns-desec \
    certbot-dns-digitalocean \
    certbot-dns-directadmin \
    certbot-dns-dnsimple \
    certbot-dns-dnsmadeeasy \
+    certbot-dns-dnspod \
    certbot-dns-domeneshop \
    certbot-dns-google \
+    certbot-dns-he \
    certbot-dns-hetzner \
+    certbot-dns-infomaniak \
    certbot-dns-inwx \
+    certbot-dns-ionos \
    certbot-dns-linode \
    certbot-dns-luadns \
    certbot-dns-netcup \
@@ -123,6 +130,11 @@ RUN \
    certbot-plugin-gandi \
    cryptography \
    requests && \
+  echo "**** correct ip6tables legacy issue ****" && \
+  rm \ 
+    /sbin/ip6tables && \
+  ln -s \
+    /sbin/ip6tables-nft /sbin/ip6tables && \
  echo "**** remove unnecessary fail2ban filters ****" && \
  rm \
    /etc/fail2ban/jail.d/alpine-ssh.conf && \
--- a/129
+++ b/129
@@ -16,6 +16,7 @@ pipeline {
    GITHUB_TOKEN=credentials('498b4638-2d02-4ce5-832d-8a57d01d97ab')
    GITLAB_TOKEN=credentials('b6f0f1dd-6952-4cf6-95d1-9c06380283f0')
    GITLAB_NAMESPACE=credentials('gitlab-namespace-id')
+    SCARF_TOKEN=credentials('scarf_api_key')
    EXT_PIP = 'certbot'
    BUILD_VERSION_ARG = 'CERTBOT_VERSION'
    LS_USER = 'linuxserver'
@@ -116,6 +117,30 @@ pipeline {
          env.EXT_RELEASE_CLEAN = sh(
            script: '''echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g' ''',
            returnStdout: true).trim()
+
+          def semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)\.(\d+)/
+          if (semver.find()) {
+            env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${semver[0][3]}"
+          } else {
+            semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)(?:\.(\d+))?(.*)/
+            if (semver.find()) {
+              if (semver[0][3]) {
+                env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${semver[0][3]}"
+              } else if (!semver[0][3] && !semver[0][4]) {
+                env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${(new Date()).format('YYYYMMdd')}"
+              }
+            }
+          }
+
+          if (env.SEMVER != null) {
+            if (BRANCH_NAME != "master" && BRANCH_NAME != "main") {
+              env.SEMVER = "${env.SEMVER}-${BRANCH_NAME}"
+            }
+            println("SEMVER: ${env.SEMVER}")
+          } else {
+            println("No SEMVER detected")
+          }
+
        }
      }
    }
@@ -130,6 +155,7 @@ pipeline {
          env.IMAGE = env.DOCKERHUB_IMAGE
          env.GITHUBIMAGE = 'ghcr.io/' + env.LS_USER + '/' + env.CONTAINER_NAME
          env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/' + env.CONTAINER_NAME
+          env.QUAYIMAGE = 'quay.io/linuxserver.io/' + env.CONTAINER_NAME
          if (env.MULTIARCH == 'true') {
            env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER
          } else {
@@ -152,6 +178,7 @@ pipeline {
          env.IMAGE = env.DEV_DOCKERHUB_IMAGE
          env.GITHUBIMAGE = 'ghcr.io/' + env.LS_USER + '/lsiodev-' + env.CONTAINER_NAME
          env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/lsiodev-' + env.CONTAINER_NAME
+          env.QUAYIMAGE = 'quay.io/linuxserver.io/lsiodev-' + env.CONTAINER_NAME
          if (env.MULTIARCH == 'true') {
            env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA
          } else {
@@ -174,6 +201,7 @@ pipeline {
          env.IMAGE = env.PR_DOCKERHUB_IMAGE
          env.GITHUBIMAGE = 'ghcr.io/' + env.LS_USER + '/lspipepr-' + env.CONTAINER_NAME
          env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/lspipepr-' + env.CONTAINER_NAME
+          env.QUAYIMAGE = 'quay.io/linuxserver.io/lspipepr-' + env.CONTAINER_NAME
          if (env.MULTIARCH == 'true') {
            env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST
          } else {
@@ -369,13 +397,45 @@ pipeline {
             "visibility":"public"}' '''
      } 
    }
+    /* #######################
+           Scarf.sh package registry
+       ####################### */
+    // Add package to Scarf.sh and set permissions
+    stage("Scarf.sh package registry"){
+      when {
+        branch "master"
+        environment name: 'EXIT_STATUS', value: ''
+      }
+      steps{
+        sh '''#! /bin/bash
+              set -e
+              PACKAGE_UUID=$(curl -X GET -H "Authorization: Bearer ${SCARF_TOKEN}" https://scarf.sh/api/v1/organizations/linuxserver-ci/packages | jq -r '.[] | select(.name=="linuxserver/swag") | .uuid')
+              if [ -z "${PACKAGE_UUID}" ]; then
+                echo "Adding package to Scarf.sh"
+                curl -sX POST https://scarf.sh/api/v1/organizations/linuxserver-ci/packages \
+                  -H "Authorization: Bearer ${SCARF_TOKEN}" \
+                  -H "Content-Type: application/json" \
+                  -d '{"name":"linuxserver/swag",\
+                       "shortDescription":"example description",\
+                       "libraryType":"docker",\
+                       "website":"https://github.com/linuxserver/docker-swag",\
+                       "backendUrl":"https://ghcr.io/linuxserver/swag",\
+                       "publicUrl":"https://lscr.io/linuxserver/swag"}' || :
+              else
+                echo "Package already exists on Scarf.sh"
+              fi
+           '''
+      } 
+    }
    /* ###############
       Build Container
       ############### */
    // Build Docker container for push to LS Repo
    stage('Build-Single') {
      when {
-        environment name: 'MULTIARCH', value: 'false'
+        expression {
+          env.MULTIARCH == 'false' || params.PACKAGE_CHECK == 'true'
+        }
        environment name: 'EXIT_STATUS', value: ''
      }
      steps {
@@ -400,7 +460,10 @@ pipeline {
    // Build MultiArch Docker containers for push to LS Repo
    stage('Build-Multi') {
      when {
-        environment name: 'MULTIARCH', value: 'true'
+        allOf {
+          environment name: 'MULTIARCH', value: 'true'
+          expression { params.PACKAGE_CHECK == 'false' }
+        }
        environment name: 'EXIT_STATUS', value: ''
      }
      parallel {
@@ -505,7 +568,7 @@ pipeline {
        sh '''#! /bin/bash
              set -e
              TEMPDIR=$(mktemp -d)
-              if [ "${MULTIARCH}" == "true" ]; then
+              if [ "${MULTIARCH}" == "true" ] && [ "${PACKAGE_CHECK}" == "false" ]; then
                LOCAL_CONTAINER=${IMAGE}:amd64-${META_TAG}
              else
                LOCAL_CONTAINER=${IMAGE}:${META_TAG}
@@ -566,7 +629,7 @@ pipeline {
      steps {
        sh '''#! /bin/bash
              echo "Packages were updated. Cleaning up the image and exiting."
-              if [ "${MULTIARCH}" == "true" ]; then
+              if [ "${MULTIARCH}" == "true" ] && [ "${PACKAGE_CHECK}" == "false" ]; then
                docker rmi ${IMAGE}:amd64-${META_TAG}
              else
                docker rmi ${IMAGE}:${META_TAG}
@@ -590,7 +653,7 @@ pipeline {
      steps {
        sh '''#! /bin/bash
              echo "There are no package updates. Cleaning up the image and exiting."
-              if [ "${MULTIARCH}" == "true" ]; then
+              if [ "${MULTIARCH}" == "true" ] && [ "${PACKAGE_CHECK}" == "false" ]; then
                docker rmi ${IMAGE}:amd64-${META_TAG}
              else
                docker rmi ${IMAGE}:${META_TAG}
@@ -665,6 +728,12 @@ pipeline {
            credentialsId: '3f9ba4d5-100d-45b0-a3c4-633fd6061207',
            usernameVariable: 'DOCKERUSER',
            passwordVariable: 'DOCKERPASS'
+          ],
+          [
+            $class: 'UsernamePasswordMultiBinding',
+            credentialsId: 'Quay.io-Robot',
+            usernameVariable: 'QUAYUSER',
+            passwordVariable: 'QUAYPASS'
          ]
        ]) {
          retry(5) {
@@ -673,22 +742,32 @@ pipeline {
                  echo $DOCKERPASS | docker login -u $DOCKERUSER --password-stdin
                  echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
                  echo $GITLAB_TOKEN | docker login registry.gitlab.com -u LinuxServer.io --password-stdin
-                  for PUSHIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${IMAGE}"; do
+                  echo $QUAYPASS | docker login quay.io -u $QUAYUSER --password-stdin
+                  for PUSHIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${QUAYIMAGE}" "${IMAGE}"; do
                    docker tag ${IMAGE}:${META_TAG} ${PUSHIMAGE}:${META_TAG}
                    docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:latest
                    docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${EXT_RELEASE_TAG}
+                    if [ -n "${SEMVER}" ]; then
+                      docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${SEMVER}
+                    fi
                    docker push ${PUSHIMAGE}:latest
                    docker push ${PUSHIMAGE}:${META_TAG}
                    docker push ${PUSHIMAGE}:${EXT_RELEASE_TAG}
+                    if [ -n "${SEMVER}" ]; then
+                     docker push ${PUSHIMAGE}:${SEMVER}
+                    fi
                  done
               '''
          }
          sh '''#! /bin/bash
-                for DELETEIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${IMAGE}"; do
+                for DELETEIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${QUAYIMAGE}" "${IMAGE}"; do
                  docker rmi \
                  ${DELETEIMAGE}:${META_TAG} \
                  ${DELETEIMAGE}:${EXT_RELEASE_TAG} \
                  ${DELETEIMAGE}:latest || :
+                  if [ -n "${SEMVER}" ]; then
+                    docker rmi ${DELETEIMAGE}:${SEMVER} || :
+                  fi
                done
             '''
        }
@@ -707,6 +786,12 @@ pipeline {
            credentialsId: '3f9ba4d5-100d-45b0-a3c4-633fd6061207',
            usernameVariable: 'DOCKERUSER',
            passwordVariable: 'DOCKERPASS'
+          ],
+          [
+            $class: 'UsernamePasswordMultiBinding',
+            credentialsId: 'Quay.io-Robot',
+            usernameVariable: 'QUAYUSER',
+            passwordVariable: 'QUAYPASS'
          ]
        ]) {
          retry(5) {
@@ -715,13 +800,14 @@ pipeline {
                  echo $DOCKERPASS | docker login -u $DOCKERUSER --password-stdin
                  echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
                  echo $GITLAB_TOKEN | docker login registry.gitlab.com -u LinuxServer.io --password-stdin
+                  echo $QUAYPASS | docker login quay.io -u $QUAYUSER --password-stdin
                  if [ "${CI}" == "false" ]; then
                    docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}
                    docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}
                    docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm32v7-${META_TAG}
                    docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm64v8-${META_TAG}
                  fi
-                  for MANIFESTIMAGE in "${IMAGE}" "${GITLABIMAGE}" "${GITHUBIMAGE}"; do
+                  for MANIFESTIMAGE in "${IMAGE}" "${GITLABIMAGE}" "${GITHUBIMAGE}" "${QUAYIMAGE}"; do
                    docker tag ${IMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${META_TAG}
                    docker tag ${IMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${META_TAG}
                    docker tag ${IMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG}
@@ -731,6 +817,11 @@ pipeline {
                    docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG}
                    docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG}
                    docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
+                    if [ -n "${SEMVER}" ]; then
+                      docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${SEMVER}
+                      docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${SEMVER}
+                      docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${SEMVER}
+                    fi
                    docker push ${MANIFESTIMAGE}:amd64-${META_TAG}
                    docker push ${MANIFESTIMAGE}:arm32v7-${META_TAG}
                    docker push ${MANIFESTIMAGE}:arm64v8-${META_TAG}
@@ -740,6 +831,11 @@ pipeline {
                    docker push ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG}
                    docker push ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG}
                    docker push ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
+                    if [ -n "${SEMVER}" ]; then
+                      docker push ${MANIFESTIMAGE}:amd64-${SEMVER}
+                      docker push ${MANIFESTIMAGE}:arm32v7-${SEMVER}
+                      docker push ${MANIFESTIMAGE}:arm64v8-${SEMVER}
+                    fi
                    docker manifest push --purge ${MANIFESTIMAGE}:latest || :
                    docker manifest create ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:amd64-latest ${MANIFESTIMAGE}:arm32v7-latest ${MANIFESTIMAGE}:arm64v8-latest
                    docker manifest annotate ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:arm32v7-latest --os linux --arch arm
@@ -752,14 +848,23 @@ pipeline {
                    docker manifest create ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
                    docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} --os linux --arch arm
                    docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} --os linux --arch arm64 --variant v8
+                    if [ -n "${SEMVER}" ]; then
+                      docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} || :
+                      docker manifest create ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:amd64-${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER}
+                      docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} --os linux --arch arm
+                      docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER} --os linux --arch arm64 --variant v8
+                    fi
                    docker manifest push --purge ${MANIFESTIMAGE}:latest
                    docker manifest push --purge ${MANIFESTIMAGE}:${META_TAG} 
                    docker manifest push --purge ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} 
+                    if [ -n "${SEMVER}" ]; then
+                      docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} 
+                    fi
                  done
               '''
          }
          sh '''#! /bin/bash
-                for DELETEIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${IMAGE}"; do
+                for DELETEIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${QUAYIMAGE}" "${IMAGE}"; do
                  docker rmi \
                  ${DELETEIMAGE}:amd64-${META_TAG} \
                  ${DELETEIMAGE}:amd64-latest \
@@ -770,6 +875,12 @@ pipeline {
                  ${DELETEIMAGE}:arm64v8-${META_TAG} \
                  ${DELETEIMAGE}:arm64v8-latest \
                  ${DELETEIMAGE}:arm64v8-${EXT_RELEASE_TAG} || :
+                  if [ -n "${SEMVER}" ]; then
+                    docker rmi \
+                    ${DELETEIMAGE}:amd64-${SEMVER} \
+                    ${DELETEIMAGE}:arm32v7-${SEMVER} \
+                    ${DELETEIMAGE}:arm64v8-${SEMVER} || :
+                  fi
                done
                docker rmi \
                ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} \
--- a/README.md
+++ b/README.md
@@ -29,10 +29,12 @@ Find us at:

 # [linuxserver/swag](https://github.com/linuxserver/docker-swag)

+[![Scarf.io pulls](https://scarf.sh/installs-badge/linuxserver-ci/linuxserver%2Fswag?color=94398d&label-color=555555&logo-color=ffffff&style=for-the-badge&package-type=docker)](https://scarf.sh/gateway/linuxserver-ci/docker/linuxserver%2Fswag)
 [![GitHub Stars](https://img.shields.io/github/stars/linuxserver/docker-swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/linuxserver/docker-swag)
 [![GitHub Release](https://img.shields.io/github/release/linuxserver/docker-swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/linuxserver/docker-swag/releases)
 [![GitHub Package Repository](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=GitHub%20Package&logo=github)](https://github.com/linuxserver/docker-swag/packages)
 [![GitLab Container Registry](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=GitLab%20Registry&logo=gitlab)](https://gitlab.com/linuxserver.io/docker-swag/container_registry)
+[![Quay.io](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=Quay.io)](https://quay.io/repository/linuxserver.io/swag)
 [![Docker Pulls](https://img.shields.io/docker/pulls/linuxserver/swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=pulls&logo=docker)](https://hub.docker.com/r/linuxserver/swag)
 [![Docker Stars](https://img.shields.io/docker/stars/linuxserver/swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=stars&logo=docker)](https://hub.docker.com/r/linuxserver/swag)
 [![Jenkins Build](https://img.shields.io/jenkins/build?labelColor=555555&logoColor=ffffff&style=for-the-badge&jobUrl=https%3A%2F%2Fci.linuxserver.io%2Fjob%2FDocker-Pipeline-Builders%2Fjob%2Fdocker-swag%2Fjob%2Fmaster%2F&logo=jenkins)](https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/)
@@ -46,7 +48,7 @@ SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relatio

 Our images support multiple architectures such as `x86-64`, `arm64` and `armhf`. We utilise the docker manifest for multi-platform awareness. More information is available from docker [here](https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-2.md#manifest-list) and our announcement [here](https://blog.linuxserver.io/2019/02/21/the-lsio-pipeline-project/).

-Simply pulling `ghcr.io/linuxserver/swag` should retrieve the correct image for your arch, but you can also pull specific arch images via tags.
+Simply pulling `lscr.io/linuxserver/swag` should retrieve the correct image for your arch, but you can also pull specific arch images via tags.

 The architectures supported by this image are:

@@ -58,17 +60,8 @@ The architectures supported by this image are:

 ## Application Setup

-> ### Migrating from the old `linuxserver/letsencrypt` image
-> * If using docker cli:
->   * Stop and remove existing container via `docker stop letsencrypt` and `docker rm letsencrypt`
->   * Create new container using the sample on this page (container name: `swag`, image name: `linuxserver/swag`)
-> * If using docker compose:
->   * Edit the compose yaml to change the image to `linuxserver/swag` and change the service and container names to `swag`
->   * Issue `docker-compose up -d --remove-orphans`
->   * If you don't want to or can't use the option `--remove-orphans`, then you can first do `docker-compose down`, then edit the compose yaml as above, and then issue `docker-compose up -d`
-
-> Make sure to also update any references to this container by name. For instance, Nextcloud's `config.php` references this container in its `trusted_proxies` directive, which would have to be updated to `swag`.
 ### Validation and initial setup
+
 * Before running this container, make sure that the url and subdomains are properly forwarded to this container's host, and that port 443 (and/or 80) is not being used by another service on the host (NAS gui, another webserver, etc.).
 * For `http` validation, port 80 on the internet side of the router should be forwarded to this container's port 80
 * For `dns` validation, make sure to enter your credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`
@@ -79,20 +72,26 @@ The architectures supported by this image are:
 * If you need a dynamic dns provider, you can use the free provider duckdns.org where the `URL` will be `yoursubdomain.duckdns.org` and the `SUBDOMAINS` can be `www,ftp,cloud` with http validation, or `wildcard` with dns validation.
 * After setup, navigate to `https://yourdomain.url` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default`).
 * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
+
 ### Security and password protection
+
 * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
 * Per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919), the container is shipping [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) as the `dhparams.pem`.
 * If you'd like to password protect your sites, you can use htpasswd. Run the following command on your host to generate the htpasswd file `docker exec -it swag htpasswd -c /config/nginx/.htpasswd <username>`
 * You can add multiple user:pass to `.htpasswd`. For the first user, use the above command, for others, use the above command without the `-c` flag, as it will force deletion of the existing `.htpasswd` and creation of a new one
 * You can also use ldap auth for security and access control. A sample, user configurable ldap.conf is provided, and it requires the separate image [linuxserver/ldap-auth](https://hub.docker.com/r/linuxserver/ldap-auth/) to communicate with an ldap server.
+
 ### Site config and reverse proxy
+
 * The default site config resides at `/config/nginx/site-confs/default`. Feel free to modify this file, and you can add other conf files to this directory. However, if you delete the `default` file, a new default will be created on container start.
 * Preset reverse proxy config files are added for popular apps. See the `README.md` file under `/config/nginx/proxy_confs` for instructions on how to enable them. The preset confs reside in and get imported from [this repo](https://github.com/linuxserver/reverse-proxy-confs).
 * If you wish to hide your site from search engine crawlers, you may find it useful to add this configuration line to your site config, within the server block, above the line where ssl.conf is included
 `add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";`
 This will *ask* Google et al not to index and list your site. Be careful with this, as you will eventually be de-listed if you leave this line in on a site you wish to be present on search engines
 * If you wish to redirect http to https, you must expose port 80
+
 ### Using certs in other containers
+
 * This container includes auto-generated pfx and private-fullchain-bundle pem certs that are needed by other apps like Emby and Znc.
  * To use these certs in other containers, do either of the following:
  1. *(Easier)* Mount the container's config folder in other containers (ie. `-v /path-to-le-config:/le-ssl`) and in the other containers, use the cert location `/le-ssl/keys/letsencrypt/`
@@ -101,7 +100,9 @@ This will *ask* Google et al not to index and list your site. Be careful with th
  1. `cert.pem`, `chain.pem`, `fullchain.pem` and `privkey.pem`, which are generated by Certbot and used by nginx and various other apps
  2. `privkey.pfx`, a format supported by Microsoft and commonly used by dotnet apps such as Emby Server (no password)
  3. `priv-fullchain-bundle.pem`, a pem cert that bundles the private key and the fullchain, used by apps like ZNC
+
 ### Using fail2ban
+
 * This container includes fail2ban set up with 4 jails by default:
  1. nginx-http-auth
  2. nginx-badbots
@@ -113,7 +114,9 @@ This will *ask* Google et al not to index and list your site. Be careful with th
 * You can check the status of a specific jail via `docker exec -it swag fail2ban-client status <jail name>`
 * You can unban an IP via `docker exec -it swag fail2ban-client set <jail name> unbanip <IP>`
 * A list of commands can be found here: https://www.fail2ban.org/wiki/index.php/Commands
+
 ### Updating configs
+
 * This container creates a number of configs for nginx, proxy samples, etc.
 * Config updates are noted in the changelog but not automatically applied to your files.
 * If you have modified a file with noted changes in the changelog:
@@ -126,6 +129,9 @@ This will *ask* Google et al not to index and list your site. Be careful with th
 * Proxy sample files WILL be updated, however your renamed (enabled) proxy files will not.
 * You can check the new sample and adjust your active config as needed.

+### Migration from the old `linuxserver/letsencrypt` image
+Please follow the instructions [on this blog post](https://www.linuxserver.io/blog/2020-08-21-introducing-swag#migrate).
+
 ## Usage

 Here are some example snippets to help you get started creating a container.
@@ -137,7 +143,7 @@ Here are some example snippets to help you get started creating a container.
 version: "2.1"
 services:
  swag:
-    image: ghcr.io/linuxserver/swag
+    image: lscr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
@@ -146,8 +152,8 @@ services:
      - PGID=1000
      - TZ=Europe/London
      - URL=yourdomain.url
-      - SUBDOMAINS=www,
      - VALIDATION=http
+      - SUBDOMAINS=www, #optional
      - CERTPROVIDER= #optional
      - DNSPLUGIN=cloudflare #optional
      - PROPAGATION= #optional
@@ -156,7 +162,6 @@ services:
      - ONLY_SUBDOMAINS=false #optional
      - EXTRA_DOMAINS= #optional
      - STAGING=false #optional
-      - MAXMINDDB_LICENSE_KEY= #optional
    volumes:
      - /path/to/appdata/config:/config
    ports:
@@ -175,8 +180,8 @@ docker run -d \
  -e PGID=1000 \
  -e TZ=Europe/London \
  -e URL=yourdomain.url \
-  -e SUBDOMAINS=www, \
  -e VALIDATION=http \
+  -e SUBDOMAINS=www, `#optional` \
  -e CERTPROVIDER= `#optional` \
  -e DNSPLUGIN=cloudflare `#optional` \
  -e PROPAGATION= `#optional` \
@@ -185,12 +190,11 @@ docker run -d \
  -e ONLY_SUBDOMAINS=false `#optional` \
  -e EXTRA_DOMAINS= `#optional` \
  -e STAGING=false `#optional` \
-  -e MAXMINDDB_LICENSE_KEY= `#optional` \
  -p 443:443 \
  -p 80:80 `#optional` \
  -v /path/to/appdata/config:/config \
  --restart unless-stopped \
-  ghcr.io/linuxserver/swag
+  lscr.io/linuxserver/swag
 ```

 ## Parameters
@@ -205,17 +209,16 @@ Container images are configured using parameters passed at runtime (such as thos
 | `-e PGID=1000` | for GroupID - see below for explanation |
 | `-e TZ=Europe/London` | Specify a timezone to use EG Europe/London. |
 | `-e URL=yourdomain.url` | Top url you have control over (`customdomain.com` if you own it, or `customsubdomain.ddnsprovider.com` if dynamic dns). |
-| `-e SUBDOMAINS=www,` | Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this _exactly_ to `wildcard` (wildcard cert is available via `dns` and `duckdns` validation only) |
 | `-e VALIDATION=http` | Certbot validation method to use, options are `http`, `dns` or `duckdns` (`dns` method also requires `DNSPLUGIN` variable set) (`duckdns` method requires `DUCKDNSTOKEN` variable set, and the `SUBDOMAINS` variable must be either empty or set to `wildcard`). |
+| `-e SUBDOMAINS=www,` | Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this _exactly_ to `wildcard` (wildcard cert is available via `dns` and `duckdns` validation only) |
 | `-e CERTPROVIDER=` | Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt. |
-| `-e DNSPLUGIN=cloudflare` | Required if `VALIDATION` is set to `dns`. Options are `aliyun`, `cloudflare`, `cloudxns`, `cpanel`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `domeneshop`, `gandi`, `gehirn`, `google`, `hetzner`, `inwx`, `linode`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `rfc2136`, `route53`, `sakuracloud`, `transip` and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`. |
+| `-e DNSPLUGIN=cloudflare` | Required if `VALIDATION` is set to `dns`. Options are `aliyun`, `cloudflare`, `cloudxns`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `domeneshop`, `gandi`, `gehirn`, `google`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `rfc2136`, `route53`, `sakuracloud`, `transip` and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`. |
 | `-e PROPAGATION=` | Optionally override (in seconds) the default propagation time for the dns plugins. |
 | `-e DUCKDNSTOKEN=` | Required if `VALIDATION` is set to `duckdns`. Retrieve your token from https://www.duckdns.org |
 | `-e EMAIL=` | Optional e-mail address used for cert expiration notifications (Required for ZeroSSL). |
 | `-e ONLY_SUBDOMAINS=false` | If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true` |
 | `-e EXTRA_DOMAINS=` | Additional fully qualified domain names (comma separated, no spaces) ie. `extradomain.com,subdomain.anotherdomain.org,*.anotherdomain.org` |
 | `-e STAGING=false` | Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes. |
-| `-e MAXMINDDB_LICENSE_KEY=` | Add your MaxmindDB license key to automatically download the GeoLite2-City.mmdb database. Download location is /config/geoip2db. The database is updated weekly. |
 | `-v /config` | All the config files including the webroot reside here. |

 ## Environment variables from files (Docker secrets)
@@ -261,7 +264,7 @@ We publish various [Docker Mods](https://github.com/linuxserver/docker-mods) to
 * container version number
  * `docker inspect -f '{{ index .Config.Labels "build_version" }}' swag`
 * image version number
-  * `docker inspect -f '{{ index .Config.Labels "build_version" }}' ghcr.io/linuxserver/swag`
+  * `docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/swag`

 ## Updating Info

@@ -279,7 +282,7 @@ Below are the instructions for updating containers:

 ### Via Docker Run

-* Update the image: `docker pull ghcr.io/linuxserver/swag`
+* Update the image: `docker pull lscr.io/linuxserver/swag`
 * Stop the running container: `docker stop swag`
 * Delete the container: `docker rm swag`
 * Recreate a new container with the same docker run parameters as instructed above (if mapped correctly to a host folder, your `/config` folder and settings will be preserved)
@@ -314,7 +317,7 @@ cd docker-swag
 docker build \
  --no-cache \
  --pull \
-  -t ghcr.io/linuxserver/swag:latest .
+  -t lscr.io/linuxserver/swag:latest .
 ```

 The ARM variants can be built on x86_64 hardware using `multiarch/qemu-user-static`
@@ -327,6 +330,20 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64

 ## Versions

+* **09.01.22:** - Added a fail2ban jail for nginx unauthorized
+* **21.12.21:** - Fixed issue with iptables not working as expected
+* **30.11.21:** - Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind)
+* **22.11.21:** - Added support for Infomaniak DNS for certificate generation.
+* **20.11.21:** - Added support for dnspod validation.
+* **15.11.21:** - Added support for deSEC DNS for wildcard certificate generation.
+* **26.10.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf - Mitigate https://httpoxy.org/ vulnerabilities. Ref: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx#Defeating-the-Attack-using-NGINX-and-NGINX-Plus
+* **23.10.21:** - Fix Hurricane Electric (HE) DNS validation.
+* **12.10.21:** - Fix deprecated LE root cert check to fix failures when using `STAGING=true`, and failures in revoking.
+* **06.10.21:** - Added support for Hurricane Electric (HE) DNS validation. Added lxml build deps.
+* **01.10.21:** - Check if the cert uses the old LE root cert, revoke and regenerate if necessary. [Here's more info](https://twitter.com/letsencrypt/status/1443621997288767491) on LE root cert expiration
+* **19.09.21:** - Add an optional header to opt out of Google FLoC in `ssl.conf`.
+* **17.09.21:** - Mark `SUBDOMAINS` var as optional.
+* **01.08.21:** - Add support for ionos dns validation.
 * **15.07.21:** - Fix libmaxminddb issue due to upstream change.
 * **07.07.21:** - Rebase to alpine 3.14.
 * **24.06.21:** - Update default nginx conf folder.
--- a/package_versions.txt
+++ b/package_versions.txt
@@ -1,27 +1,27 @@
 alpine-baselayout-3.2.0-r16
-alpine-keys-2.3-r1
-apache2-utils-2.4.48-r0
-apk-tools-2.12.5-r1
+alpine-keys-2.4-r0
+apache2-utils-2.4.52-r0
+apk-tools-2.12.7-r0
 apr-1.7.0-r0
 apr-util-1.6.1-r7
 argon2-libs-20190702-r1
 bash-5.1.4-r0
 brotli-libs-1.0.9-r5
-busybox-1.33.1-r3
+busybox-1.33.1-r6
 c-client-2007f-r11
-ca-certificates-20191127-r5
-ca-certificates-bundle-20191127-r5
+ca-certificates-20211220-r0
+ca-certificates-bundle-20211220-r0
 coreutils-8.32-r2
-curl-7.78.0-r0
-expat-2.4.1-r0
+curl-7.79.1-r0
+expat-2.4.7-r0
 fail2ban-0.11.2-r0
 freetype-2.10.4-r1
 gdbm-1.19-r0
 git-2.32.0-r0
 git-perl-2.32.0-r0
 glib-2.68.3-r0
-gmp-6.2.1-r0
-gnupg-2.2.27-r0
+gmp-6.2.1-r1
+gnupg-2.2.31-r0
 gnutls-3.7.1-r0
 icu-libs-67.1-r2
 ip6tables-1.8.7-r1
@@ -29,19 +29,19 @@ iptables-1.8.7-r1
 libacl-2.2.53-r0
 libassuan-2.5.5-r0
 libattr-2.5.1-r0
-libblkid-2.37-r0
+libblkid-2.37.4-r0
 libbsd-0.11.3-r0
 libbz2-1.0.8-r1
 libc-utils-0.7.2-r3
 libcap-2.50-r0
-libcrypto1.1-1.1.1k-r0
-libcurl-7.78.0-r0
+libcrypto1.1-1.1.1n-r0
+libcurl-7.79.1-r0
 libedit-20210216.3.1-r0
 libevent-2.1.12-r2
 libffi-3.3-r2
 libgcc-10.3.1_git20210424-r2
-libgcrypt-1.9.3-r0
-libgd-2.3.2-r0
+libgcrypt-1.9.4-r0
+libgd-2.3.2-r1
 libgpg-error-1.42-r0
 libice-1.0.10-r0
 libidn-1.37-r0
@@ -55,38 +55,38 @@ libmcrypt-2.5.8-r9
 libmd-1.0.3-r0
 libmemcached-libs-1.0.18-r4
 libmnl-1.0.4-r1
-libmount-2.37-r0
+libmount-2.37.4-r0
 libnftnl-libs-1.2.0-r0
 libpng-1.6.37-r1
-libpq-13.3-r0
+libpq-13.6-r0
 libproc-3.3.17-r0
 libressl3.3-libcrypto-3.3.3-r0
 libressl3.3-libssl-3.3.3-r0
-libretls-3.3.3-r2
+libretls-3.3.3p1-r2
 libsasl-2.1.27-r12
 libseccomp-2.5.1-r2
 libsecret-0.20.4-r1
 libsm-1.2.3-r0
 libsodium-1.0.18-r0
-libssl1.1-1.1.1k-r0
+libssl1.1-1.1.1n-r0
 libstdc++-10.3.1_git20210424-r2
 libtasn1-4.17.0-r0
 libunistring-0.9.10-r1
-libuuid-2.37-r0
+libuuid-2.37.4-r0
 libwebp-1.2.0-r2
 libx11-1.7.2-r0
 libxau-1.0.9-r0
 libxcb-1.14-r2
 libxdmcp-1.1.3-r0
 libxext-1.3.4-r0
-libxml2-2.9.12-r1
+libxml2-2.9.13-r0
 libxpm-3.5.13-r0
-libxslt-1.1.34-r1
+libxslt-1.1.35-r0
 libxt-1.2.1-r0
 libzip-1.7.3-r2
 linux-pam-1.5.1-r1
-logrotate-3.18.1-r0
-lz4-libs-1.9.3-r0
+logrotate-3.18.1-r1
+lz4-libs-1.9.3-r1
 memcached-1.6.9-r0
 mpdecimal-2.5.1-r1
 musl-1.2.2-r3
@@ -94,88 +94,88 @@ musl-utils-1.2.2-r3
 nano-5.7-r2
 ncurses-libs-6.2_p20210612-r0
 ncurses-terminfo-base-6.2_p20210612-r0
-nettle-3.7.2-r0
+nettle-3.7.3-r0
 nghttp2-libs-1.43.0-r0
-nginx-1.20.1-r3
-nginx-mod-devel-kit-1.20.1-r3
-nginx-mod-http-brotli-1.20.1-r3
-nginx-mod-http-dav-ext-1.20.1-r3
-nginx-mod-http-echo-1.20.1-r3
-nginx-mod-http-fancyindex-1.20.1-r3
-nginx-mod-http-geoip2-1.20.1-r3
-nginx-mod-http-headers-more-1.20.1-r3
-nginx-mod-http-image-filter-1.20.1-r3
-nginx-mod-http-nchan-1.20.1-r3
-nginx-mod-http-perl-1.20.1-r3
-nginx-mod-http-redis2-1.20.1-r3
-nginx-mod-http-set-misc-1.20.1-r3
-nginx-mod-http-upload-progress-1.20.1-r3
-nginx-mod-http-xslt-filter-1.20.1-r3
-nginx-mod-mail-1.20.1-r3
-nginx-mod-rtmp-1.20.1-r3
-nginx-mod-stream-1.20.1-r3
-nginx-mod-stream-geoip2-1.20.1-r3
-nginx-vim-1.20.1-r3
+nginx-1.20.2-r0
+nginx-mod-devel-kit-1.20.2-r0
+nginx-mod-http-brotli-1.20.2-r0
+nginx-mod-http-dav-ext-1.20.2-r0
+nginx-mod-http-echo-1.20.2-r0
+nginx-mod-http-fancyindex-1.20.2-r0
+nginx-mod-http-geoip2-1.20.2-r0
+nginx-mod-http-headers-more-1.20.2-r0
+nginx-mod-http-image-filter-1.20.2-r0
+nginx-mod-http-nchan-1.20.2-r0
+nginx-mod-http-perl-1.20.2-r0
+nginx-mod-http-redis2-1.20.2-r0
+nginx-mod-http-set-misc-1.20.2-r0
+nginx-mod-http-upload-progress-1.20.2-r0
+nginx-mod-http-xslt-filter-1.20.2-r0
+nginx-mod-mail-1.20.2-r0
+nginx-mod-rtmp-1.20.2-r0
+nginx-mod-stream-1.20.2-r0
+nginx-mod-stream-geoip2-1.20.2-r0
+nginx-vim-1.20.2-r0
 npth-1.6-r0
 oniguruma-6.9.7.1-r0
-openssl-1.1.1k-r0
+openssl-1.1.1l-r0
 p11-kit-0.23.22-r0
 pcre-8.44-r0
 pcre2-10.36-r0
 perl-5.32.1-r0
 perl-error-0.17029-r1
 perl-git-2.32.0-r0
-php7-7.4.21-r0
-php7-bcmath-7.4.21-r0
-php7-bz2-7.4.21-r0
-php7-common-7.4.21-r0
-php7-ctype-7.4.21-r0
-php7-curl-7.4.21-r0
-php7-dom-7.4.21-r0
-php7-exif-7.4.21-r0
-php7-fileinfo-7.4.21-r0
-php7-fpm-7.4.21-r0
-php7-ftp-7.4.21-r0
-php7-gd-7.4.21-r0
-php7-gmp-7.4.21-r0
-php7-iconv-7.4.21-r0
-php7-imap-7.4.21-r0
-php7-intl-7.4.21-r0
-php7-json-7.4.21-r0
-php7-ldap-7.4.21-r0
-php7-mbstring-7.4.21-r0
-php7-mysqli-7.4.21-r0
-php7-mysqlnd-7.4.21-r0
-php7-opcache-7.4.21-r0
-php7-openssl-7.4.21-r0
-php7-pdo-7.4.21-r0
-php7-pdo_mysql-7.4.21-r0
-php7-pdo_odbc-7.4.21-r0
-php7-pdo_pgsql-7.4.21-r0
-php7-pdo_sqlite-7.4.21-r0
-php7-pear-7.4.21-r0
-php7-pecl-apcu-5.1.20-r0
-php7-pecl-igbinary-3.2.4-r0
+php7-7.4.26-r0
+php7-bcmath-7.4.26-r0
+php7-bz2-7.4.26-r0
+php7-common-7.4.26-r0
+php7-ctype-7.4.26-r0
+php7-curl-7.4.26-r0
+php7-dom-7.4.26-r0
+php7-exif-7.4.26-r0
+php7-fileinfo-7.4.26-r0
+php7-fpm-7.4.26-r0
+php7-ftp-7.4.26-r0
+php7-gd-7.4.26-r0
+php7-gmp-7.4.26-r0
+php7-iconv-7.4.26-r0
+php7-imap-7.4.26-r0
+php7-intl-7.4.26-r0
+php7-json-7.4.26-r0
+php7-ldap-7.4.26-r0
+php7-mbstring-7.4.26-r0
+php7-mysqli-7.4.26-r0
+php7-mysqlnd-7.4.26-r0
+php7-opcache-7.4.26-r0
+php7-openssl-7.4.26-r0
+php7-pdo-7.4.26-r0
+php7-pdo_mysql-7.4.26-r0
+php7-pdo_odbc-7.4.26-r0
+php7-pdo_pgsql-7.4.26-r0
+php7-pdo_sqlite-7.4.26-r0
+php7-pear-7.4.26-r0
+php7-pecl-apcu-5.1.21-r0
+php7-pecl-igbinary-3.2.6-r0
 php7-pecl-mailparse-3.1.1-r1
 php7-pecl-mcrypt-1.0.4-r0
 php7-pecl-memcached-3.1.5-r2
 php7-pecl-redis-5.3.4-r0
-php7-pgsql-7.4.21-r0
-php7-phar-7.4.21-r0
-php7-posix-7.4.21-r0
-php7-session-7.4.21-r0
-php7-simplexml-7.4.21-r0
-php7-soap-7.4.21-r0
-php7-sockets-7.4.21-r0
-php7-sodium-7.4.21-r0
-php7-sqlite3-7.4.21-r0
-php7-tokenizer-7.4.21-r0
-php7-xml-7.4.21-r0
-php7-xmlreader-7.4.21-r0
-php7-xmlrpc-7.4.21-r0
-php7-xmlwriter-7.4.21-r0
-php7-xsl-7.4.21-r0
-php7-zip-7.4.21-r0
+php7-pgsql-7.4.26-r0
+php7-phar-7.4.26-r0
+php7-posix-7.4.26-r0
+php7-session-7.4.26-r0
+php7-simplexml-7.4.26-r0
+php7-soap-7.4.26-r0
+php7-sockets-7.4.26-r0
+php7-sodium-7.4.26-r0
+php7-sqlite3-7.4.26-r0
+php7-tokenizer-7.4.26-r0
+php7-xml-7.4.26-r0
+php7-xmlreader-7.4.26-r0
+php7-xmlrpc-7.4.26-r0
+php7-xmlwriter-7.4.26-r0
+php7-xsl-7.4.26-r0
+php7-zip-7.4.26-r0
 pinentry-1.1.1-r0
 popt-1.18-r0
 procps-3.3.17-r0
@@ -209,15 +209,15 @@ py3-six-1.15.0-r1
 py3-toml-0.10.2-r2
 py3-urllib3-1.26.5-r0
 py3-webencodings-0.5.1-r4
-python3-3.9.5-r1
+python3-3.9.5-r2
 readline-8.1.0-r0
 s6-ipcserver-2.10.0.3-r0
 scanelf-1.3.2-r0
 shadow-4.8.1-r0
 skalibs-2.10.0.3-r0
 sqlite-libs-3.35.5-r0
-ssl_client-1.33.1-r3
-tzdata-2021a-r0
+ssl_client-1.33.1-r6
+tzdata-2021e-r0
 unixodbc-2.3.9-r1
 utmps-0.1.0.2-r0
 whois-5.5.10-r0
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -32,7 +32,6 @@ param_usage_include_env: true
 param_env_vars:
  - { env_var: "TZ", env_value: "Europe/London", desc: "Specify a timezone to use EG Europe/London." }
  - { env_var: "URL", env_value: "yourdomain.url", desc: "Top url you have control over (`customdomain.com` if you own it, or `customsubdomain.ddnsprovider.com` if dynamic dns)." }
-  - { env_var: "SUBDOMAINS", env_value: "www,", desc: "Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this _exactly_ to `wildcard` (wildcard cert is available via `dns` and `duckdns` validation only)" }
  - { env_var: "VALIDATION", env_value: "http", desc: "Certbot validation method to use, options are `http`, `dns` or `duckdns` (`dns` method also requires `DNSPLUGIN` variable set) (`duckdns` method requires `DUCKDNSTOKEN` variable set, and the `SUBDOMAINS` variable must be either empty or set to `wildcard`)." }
 param_usage_include_vols: true
 param_volumes:
@@ -50,15 +49,15 @@ cap_add_param_vars:
 # optional container parameters
 opt_param_usage_include_env: true
 opt_param_env_vars:
+  - { env_var: "SUBDOMAINS", env_value: "www,", desc: "Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this _exactly_ to `wildcard` (wildcard cert is available via `dns` and `duckdns` validation only)" }
  - { env_var: "CERTPROVIDER", env_value: "", desc: "Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt." }
-  - { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `aliyun`, `cloudflare`, `cloudxns`, `cpanel`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `domeneshop`, `gandi`, `gehirn`, `google`, `hetzner`, `inwx`, `linode`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `rfc2136`, `route53`, `sakuracloud`, `transip` and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." }
+  - { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `aliyun`, `cloudflare`, `cloudxns`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `domeneshop`, `gandi`, `gehirn`, `google`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `rfc2136`, `route53`, `sakuracloud`, `transip` and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." }
  - { env_var: "PROPAGATION", env_value: "", desc: "Optionally override (in seconds) the default propagation time for the dns plugins." }
  - { env_var: "DUCKDNSTOKEN", env_value: "", desc: "Required if `VALIDATION` is set to `duckdns`. Retrieve your token from https://www.duckdns.org" }
  - { env_var: "EMAIL", env_value: "", desc: "Optional e-mail address used for cert expiration notifications (Required for ZeroSSL)." }
  - { env_var: "ONLY_SUBDOMAINS", env_value: "false", desc: "If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true`" }
  - { env_var: "EXTRA_DOMAINS", env_value: "", desc: "Additional fully qualified domain names (comma separated, no spaces) ie. `extradomain.com,subdomain.anotherdomain.org,*.anotherdomain.org`" }
  - { env_var: "STAGING", env_value: "false", desc: "Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes." }
-  - { env_var: "MAXMINDDB_LICENSE_KEY", env_value: "", desc: "Add your MaxmindDB license key to automatically download the GeoLite2-City.mmdb database. Download location is /config/geoip2db. The database is updated weekly."}
 opt_param_usage_include_vols: false
 opt_param_volumes:
  - { vol_path: "/config", vol_host_path: "/path/to/appdata/config", desc: "Configuration files." }
@@ -78,17 +77,8 @@ optional_block_1_items: ""
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
-  > ### Migrating from the old `linuxserver/letsencrypt` image
-  > * If using docker cli:
-  >   * Stop and remove existing container via `docker stop letsencrypt` and `docker rm letsencrypt`
-  >   * Create new container using the sample on this page (container name: `swag`, image name: `linuxserver/swag`)
-  > * If using docker compose:
-  >   * Edit the compose yaml to change the image to `linuxserver/swag` and change the service and container names to `swag`
-  >   * Issue `docker-compose up -d --remove-orphans`
-  >   * If you don't want to or can't use the option `--remove-orphans`, then you can first do `docker-compose down`, then edit the compose yaml as above, and then issue `docker-compose up -d`
-
-  > Make sure to also update any references to this container by name. For instance, Nextcloud's `config.php` references this container in its `trusted_proxies` directive, which would have to be updated to `swag`.
  ### Validation and initial setup
+
  * Before running this container, make sure that the url and subdomains are properly forwarded to this container's host, and that port 443 (and/or 80) is not being used by another service on the host (NAS gui, another webserver, etc.).
  * For `http` validation, port 80 on the internet side of the router should be forwarded to this container's port 80
  * For `dns` validation, make sure to enter your credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`
@@ -99,20 +89,26 @@ app_setup_block: |
  * If you need a dynamic dns provider, you can use the free provider duckdns.org where the `URL` will be `yoursubdomain.duckdns.org` and the `SUBDOMAINS` can be `www,ftp,cloud` with http validation, or `wildcard` with dns validation.
  * After setup, navigate to `https://yourdomain.url` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default`).
  * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
+
  ### Security and password protection
+
  * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
  * Per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919), the container is shipping [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) as the `dhparams.pem`.
  * If you'd like to password protect your sites, you can use htpasswd. Run the following command on your host to generate the htpasswd file `docker exec -it swag htpasswd -c /config/nginx/.htpasswd <username>`
  * You can add multiple user:pass to `.htpasswd`. For the first user, use the above command, for others, use the above command without the `-c` flag, as it will force deletion of the existing `.htpasswd` and creation of a new one
  * You can also use ldap auth for security and access control. A sample, user configurable ldap.conf is provided, and it requires the separate image [linuxserver/ldap-auth](https://hub.docker.com/r/linuxserver/ldap-auth/) to communicate with an ldap server.
+
  ### Site config and reverse proxy
+
  * The default site config resides at `/config/nginx/site-confs/default`. Feel free to modify this file, and you can add other conf files to this directory. However, if you delete the `default` file, a new default will be created on container start.
  * Preset reverse proxy config files are added for popular apps. See the `README.md` file under `/config/nginx/proxy_confs` for instructions on how to enable them. The preset confs reside in and get imported from [this repo](https://github.com/linuxserver/reverse-proxy-confs).
  * If you wish to hide your site from search engine crawlers, you may find it useful to add this configuration line to your site config, within the server block, above the line where ssl.conf is included
  `add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";`
  This will *ask* Google et al not to index and list your site. Be careful with this, as you will eventually be de-listed if you leave this line in on a site you wish to be present on search engines
  * If you wish to redirect http to https, you must expose port 80
+
  ### Using certs in other containers
+
  * This container includes auto-generated pfx and private-fullchain-bundle pem certs that are needed by other apps like Emby and Znc.
    * To use these certs in other containers, do either of the following:
    1. *(Easier)* Mount the container's config folder in other containers (ie. `-v /path-to-le-config:/le-ssl`) and in the other containers, use the cert location `/le-ssl/keys/letsencrypt/`
@@ -121,7 +117,9 @@ app_setup_block: |
    1. `cert.pem`, `chain.pem`, `fullchain.pem` and `privkey.pem`, which are generated by Certbot and used by nginx and various other apps
    2. `privkey.pfx`, a format supported by Microsoft and commonly used by dotnet apps such as Emby Server (no password)
    3. `priv-fullchain-bundle.pem`, a pem cert that bundles the private key and the fullchain, used by apps like ZNC
+
  ### Using fail2ban
+
  * This container includes fail2ban set up with 4 jails by default:
    1. nginx-http-auth
    2. nginx-badbots
@@ -133,7 +131,9 @@ app_setup_block: |
  * You can check the status of a specific jail via `docker exec -it swag fail2ban-client status <jail name>`
  * You can unban an IP via `docker exec -it swag fail2ban-client set <jail name> unbanip <IP>`
  * A list of commands can be found here: https://www.fail2ban.org/wiki/index.php/Commands
+
  ### Updating configs
+
  * This container creates a number of configs for nginx, proxy samples, etc.
  * Config updates are noted in the changelog but not automatically applied to your files.
  * If you have modified a file with noted changes in the changelog:
@@ -146,11 +146,28 @@ app_setup_block: |
  * Proxy sample files WILL be updated, however your renamed (enabled) proxy files will not.
  * You can check the new sample and adjust your active config as needed.

+  ### Migration from the old `linuxserver/letsencrypt` image
+  Please follow the instructions [on this blog post](https://www.linuxserver.io/blog/2020-08-21-introducing-swag#migrate).
+
 app_setup_nginx_reverse_proxy_snippet: false
 app_setup_nginx_reverse_proxy_block: ""

 # changelog
 changelogs:
+  - { date: "09.01.22:", desc: "Added a fail2ban jail for nginx unauthorized" }
+  - { date: "21.12.21:", desc: "Fixed issue with iptables not working as expected" }
+  - { date: "30.11.21:", desc: "Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind)" }
+  - { date: "22.11.21:", desc: "Added support for Infomaniak DNS for certificate generation." }
+  - { date: "20.11.21:", desc: "Added support for dnspod validation." }
+  - { date: "15.11.21:", desc: "Added support for deSEC DNS for wildcard certificate generation." }
+  - { date: "26.10.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf - Mitigate https://httpoxy.org/ vulnerabilities. Ref: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx#Defeating-the-Attack-using-NGINX-and-NGINX-Plus" }
+  - { date: "23.10.21:", desc: "Fix Hurricane Electric (HE) DNS validation." }
+  - { date: "12.10.21:", desc: "Fix deprecated LE root cert check to fix failures when using `STAGING=true`, and failures in revoking." }
+  - { date: "06.10.21:", desc: "Added support for Hurricane Electric (HE) DNS validation. Added lxml build deps." }
+  - { date: "01.10.21:", desc: "Check if the cert uses the old LE root cert, revoke and regenerate if necessary. [Here's more info](https://twitter.com/letsencrypt/status/1443621997288767491) on LE root cert expiration" }
+  - { date: "19.09.21:", desc: "Add an optional header to opt out of Google FLoC in `ssl.conf`." }
+  - { date: "17.09.21:", desc: "Mark `SUBDOMAINS` var as optional." }
+  - { date: "01.08.21:", desc: "Add support for ionos dns validation." }
  - { date: "15.07.21:", desc: "Fix libmaxminddb issue due to upstream change." }
  - { date: "07.07.21:", desc: "Rebase to alpine 3.14." }
  - { date: "24.06.21:", desc: "Update default nginx conf folder." }
--- a/root/defaults/default
+++ b/root/defaults/default
@@ -32,12 +32,6 @@ server {
    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

-    # enable for geo blocking
-    # See /config/nginx/geoip2.conf for more information.
-    #if ($allowed_country = no) {
-    #return 444;
-    #}
-
    client_max_body_size 0;

    location / {
--- a/root/defaults/dns-conf/desec.ini
+++ b/root/defaults/dns-conf/desec.ini
@@ -0,0 +1,4 @@
+# Instructions: https://pypi.org/project/certbot-dns-desec/
+# Replace with your Desec V1 API Token
+dns_desec_token=YOUR_TOKEN_HERE
+dns_desec_endpoint=https://desec.io/api/v1/
--- a/root/defaults/dns-conf/dnspod.ini
+++ b/root/defaults/dns-conf/dnspod.ini
@@ -0,0 +1,5 @@
+# Instructions: https://github.com/SkyLothar/certbot-dns-dnspod#create-a-credentials-file
+# Obtain your own DNSPod API token at DNSPod console: https://console.dnspod.cn/account/token/token
+# Replace with your own email, id and token
+dns_dnspod_email = "me@example.com"
+dns_dnspod_api_token = "12345,1234567890abcdef1234567890abcdef"
--- a/root/defaults/dns-conf/he.ini
+++ b/root/defaults/dns-conf/he.ini
@@ -0,0 +1,4 @@
+# Instructions: https://github.com/TSaaristo/certbot-dns-he#example-usage
+# Replace with your values
+dns_he_user = Me
+dns_he_pass = my HE password
--- a/root/defaults/dns-conf/infomaniak.ini
+++ b/root/defaults/dns-conf/infomaniak.ini
@@ -0,0 +1,3 @@
+ Instructions: https://github.com/Infomaniak/certbot-dns-infomaniak#via-ini-file
+# Replace with your values
+dns_infomaniak_token = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
--- a/root/defaults/dns-conf/ionos.ini
+++ b/root/defaults/dns-conf/ionos.ini
@@ -0,0 +1,5 @@
+# Instructions: https://github.com/helgeerbe/certbot-dns-ionos
+# Replace with your values
+dns_ionos_prefix = myapikeyprefix
+dns_ionos_secret = verysecureapikeysecret
+dns_ionos_endpoint = https://api.hosting.ionos.com
--- a/root/defaults/fail2ban/filter.d/nginx-unauthorized.conf
+++ b/root/defaults/fail2ban/filter.d/nginx-unauthorized.conf
@@ -0,0 +1,7 @@
+# A fail2ban filter for unauthorized log messages
+
+[Definition]
+
+failregex = ^(?!.*?(?i)plex)<HOST>.*"(GET|POST|HEAD).*" 401 .*$
+
+ignoreregex = 
--- a/root/defaults/geoip2.conf
+++ b/root/defaults/geoip2.conf
@@ -1,123 +0,0 @@
-## Version 2020/10/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/geoip2.conf
-# To enable, uncommment the Geoip2 config line in nginx.conf
-# Add the -e MAXMINDDB_LICENSE_KEY=<licensekey> to automatically download the Geolite2 database.
-# A Maxmind license key can be acquired here: https://www.maxmind.com/en/geolite2/signup
-
-geoip2 /config/geoip2db/GeoLite2-City.mmdb {
-    auto_reload 1w;
-    $geoip2_data_city_name   city names en;
-    $geoip2_data_postal_code postal code;
-    $geoip2_data_latitude    location latitude;
-    $geoip2_data_longitude   location longitude;
-    $geoip2_data_state_name  subdivisions 0 names en;
-    $geoip2_data_state_code  subdivisions 0 iso_code;
-    $geoip2_data_continent_code   continent code;
-    $geoip2_data_country_iso_code country iso_code;
-}
-
-# GEOIP2 COUNTRY CONFIG
-map $geoip2_data_country_iso_code $allowed_country {
-    # default must be yes or no
-    # If default is set to "no" you will need to add the local ip ranges that you want to allow access in the $allow_list variable below.
-    default yes;
-
-    # Below you will setup conditions with yes or no
-    # ex: <condition> <yes/no>;
-
-    # allow United Kingdom.
-    #GB yes;
-}
-
-# GEOIP2 CITY CONFIG
-map $geoip2_data_city_name $allowed_city {
-    # default must be yes or no
-    # If default is set to "no" you will need to add the local ip ranges that you want to allow access in the $allow_list variable below.
-    default yes;
-
-    # Below you will setup conditions with yes or no
-    # ex: <condition> <yes/no>;
-
-    # allow Inverness.
-    #Inverness yes;
-}
-
-# ALLOW LOCAL ACCESS
-geo $allow_list {
-    default yes; # Set this to no if $allowed_country or $allowed_city default is no. 
-    # IP/CIDR yes; # e.g. 192.168.1.0/24 yes;
-}
-
-# Server config example:
-# Add the following if statements inside any server context where you want to geo block countries.
-
-########################################
-#    if ($allow_list = yes) {
-#       set $allowed_country yes;
-#    }
-#    if ($allowed_country = no) {
-#       return 444;
-#    }
-#########################################
-
-# Add the following if statements inside any server context where you want to geo block cities.
-########################################
-#    if ($allow_list = yes) {
-#       set $allowed_country yes;
-#    }
-#    if ($allowed_city = no) {
-#       return 444;
-#    }
-#########################################
-
-# Example using a config from proxy-confs
-
-#server {
-#    listen 443 ssl;
-#    listen [::]:443 ssl;
-#
-#    server_name unifi.*;
-#
-#    include /config/nginx/ssl.conf;
-#
-#    client_max_body_size 0;
-#
-#    # enable for ldap auth, fill in ldap details in ldap.conf
-#    #include /config/nginx/ldap.conf;
-#
-#    # enable for Authelia
-#    #include /config/nginx/authelia-server.conf;
-
-
-#   # Allow lan access if default is set to no
-#   if ($allow_list = yes) {
-#       set $allowed_country yes;
-#   }
-#   # Country geo block
-#   if ($allowed_country = no) {
-#       return 444;
-#   }
-
-
-#
-#    location / {
-#        # enable the next two lines for http auth
-#        #auth_basic "Restricted";
-#        #auth_basic_user_file /config/nginx/.htpasswd;
-#
-#        # enable the next two lines for ldap auth
-#        #auth_request /auth;
-#        #error_page 401 =200 /ldaplogin;
-#
-#        # enable for Authelia
-#        #include /config/nginx/authelia-location.conf;
-#
-#        include /config/nginx/proxy.conf;
-#        resolver 127.0.0.11 valid=30s;
-#        set $upstream_app unifi-controller;
-#        set $upstream_port 8443;
-#        set $upstream_proto https;
-#        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
-#
-#        proxy_buffering off;
-#    }
-#}
--- a/root/defaults/jail.local
+++ b/root/defaults/jail.local
@@ -1,10 +1,14 @@
-## Version 2020/05/10 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/jail.local
+## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/jail.local
 # This is the custom version of the jail.conf for fail2ban
 # Feel free to modify this and add additional filters
 # Then you can drop the new filter conf files into the fail2ban-filters
 # folder and restart the container

 [DEFAULT]
+# Prevents banning LAN subnets
+ignoreip = 10.0.0.0/8
+           192.168.0.0/16
+           172.16.0.0/12

 # Changes the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports".
 banaction = iptables-allports
@@ -21,37 +25,35 @@ maxretry = 5


 [ssh]
-
 enabled = false

-
 [nginx-http-auth]
-
 enabled  = true
 filter   = nginx-http-auth
 port     = http,https
 logpath  = /config/log/nginx/error.log

-
 [nginx-badbots]
-
 enabled  = true
 port     = http,https
 filter   = nginx-badbots
 logpath  = /config/log/nginx/access.log
 maxretry = 2

-
 [nginx-botsearch]
-
 enabled  = true
 port     = http,https
 filter   = nginx-botsearch
 logpath  = /config/log/nginx/access.log

 [nginx-deny]
-
 enabled  = true
 port     = http,https
 filter   = nginx-deny
 logpath  = /config/log/nginx/error.log
+
+[nginx-unauthorized]
+enabled  = true
+port     = http,https
+filter   = nginx-unauthorized
+logpath  = /config/log/nginx/unauthorized.log
--- a/root/defaults/nginx.conf
+++ b/root/defaults/nginx.conf
@@ -1,4 +1,4 @@
-## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
+## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf

 user abc;

@@ -55,6 +55,13 @@ http {
        '' close;
    }

+    # Saves unauthorized log messages to a separate log file
+    map $status $unauthorized {
+        default 0;
+        ~^401  1;
+    }
+    access_log /config/log/nginx/unauthorized.log combined if=$unauthorized;
+    
    # Sets the path, format, and configuration for a buffered log write.
    access_log /config/log/nginx/access.log;

@@ -115,14 +122,6 @@ http {
    ##
    include /config/nginx/site-confs/*;
    #Removed lua. Do not remove this comment
-
-    ##
-    # Geoip2 config
-    ##
-    # Uncomment to add the Geoip2 configs needed to geo block countries/cities.
-    ##
-
-    #include /config/nginx/geoip2.conf;
 }

 #mail {
--- a/root/defaults/proxy.conf
+++ b/root/defaults/proxy.conf
@@ -1,4 +1,4 @@
-## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
+## Version 2021/10/26 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf

 # Timeout if the real server is dead
 proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
@@ -22,6 +22,7 @@ proxy_no_cache $cookie_session;
 proxy_set_header Connection $connection_upgrade;
 proxy_set_header Early-Data $ssl_early_data;
 proxy_set_header Host $host;
+proxy_set_header Proxy "";
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Host $host;
--- a/root/defaults/ssl.conf
+++ b/root/defaults/ssl.conf
@@ -1,4 +1,4 @@
-## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
+## Version 2021/09/19 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf

 ### Mozilla Recommendations
 # generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
@@ -38,6 +38,7 @@ ssl_early_data on;
 # Optional additional headers
 #add_header Cache-Control "no-transform" always;
 #add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
+#add_header Permissions-Policy "interest-cohort=()";
 #add_header Referrer-Policy "same-origin" always;
 #add_header X-Content-Type-Options "nosniff" always;
 #add_header X-Frame-Options "SAMEORIGIN" always;
--- a/root/etc/cont-init.d/50-config
+++ b/root/etc/cont-init.d/50-config
@@ -76,8 +76,6 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
    cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf
 [[ ! -f /config/nginx/authelia-location.conf ]] && \
    cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf
-[[ ! -f /config/nginx/geoip2.conf ]] && \
-    cp /defaults/geoip2.conf /config/nginx/geoip2.conf
 [[ ! -f /config/www/502.html ]] &&
    cp /defaults/502.html /config/www/502.html

@@ -122,7 +120,7 @@ if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
 fi

 # check to make sure DNSPLUGIN is selected if dns validation is used
-[[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(aliyun|cloudflare|cloudxns|cpanel|digitalocean|directadmin|dnsimple|dnsmadeeasy|domeneshop|gandi|gehirn|google|hetzner|inwx|linode|luadns|netcup|njalla|nsone|ovh|rfc2136|route53|sakuracloud|transip|vultr)$ ]] && \
+[[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(aliyun|cloudflare|cloudxns|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|domeneshop|gandi|gehirn|google|he|hetzner|infomaniak|inwx|ionos|linode|luadns|netcup|njalla|nsone|ovh|rfc2136|route53|sakuracloud|transip|vultr)$ ]] && \
    echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." && \
    sleep infinity

@@ -236,7 +234,7 @@ if [ "$VALIDATION" = "dns" ]; then
    elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then
        if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
        PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}"
-    elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|hetzner|inwx|netcup|njalla|transip|vultr)$ ]]; then
+    elif [[ "$DNSPLUGIN" =~ ^(aliyun|desec|dnspod|domeneshop|he|hetzner|infomaniak|inwx|ionos|netcup|njalla|transip|vultr)$ ]]; then
        if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
        PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
    elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then
@@ -312,6 +310,15 @@ else
    FILENAME="$DNSPLUGIN.ini"
 fi

+# Check if the cert is using the old LE root cert, revoke and regen if necessary
+if [ -f "/config/keys/letsencrypt/chain.pem" ] && ([ "${CERTPROVIDER}" == "letsencrypt" ] || [ "${CERTPROVIDER}" == "" ]) && [ "${STAGING}" != "true" ] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
+    echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
+    REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
+    certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
+    rm -rf /config/etc/letsencrypt
+    mkdir -p /config/etc/letsencrypt
+fi
+
 # generating certs if necessary
 if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
    if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then
@@ -353,18 +360,6 @@ fi
    rm -rf /var/lib/libmaxminddb
 [[ ! -d /var/lib/libmaxminddb ]] && \
    ln -s /config/geoip2db /var/lib/libmaxminddb
-# check GeoIP2 database
-if [ -n "$MAXMINDDB_LICENSE_KEY" ]; then
-    sed -i "s|.*MAXMINDDB_LICENSE_KEY.*|MAXMINDDB_LICENSE_KEY=\"${MAXMINDDB_LICENSE_KEY}\"|g" /etc/libmaxminddb.cron.conf
-    if [ ! -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then
-        echo "Downloading GeoIP2 City database."
-        /etc/periodic/weekly/libmaxminddb
-    fi
-elif [ -f /var/lib/libmaxminddb/GeoLite2-City.mmdb ]; then
-    echo -e "Currently using the user provided GeoLite2-City.mmdb.\nIf you want to enable weekly auto-updates of the database, retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
-else
-    echo -e "Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,\nand add a new env variable \"MAXMINDDB_LICENSE_KEY\", set to your license key."
-fi

 # logfiles needed by fail2ban
 [[ ! -f /config/log/nginx/error.log ]] && \
--- a/root/etc/cont-init.d/70-templates
+++ b/root/etc/cont-init.d/70-templates
@@ -3,7 +3,6 @@
 nginx_confs=( \
    authelia-location.conf \
    authelia-server.conf \
-    geoip2.conf \
    ldap.conf \
    nginx.conf \
    proxy.conf \
Author	SHA1	Message	Date
LinuxServer-CI	a5389c3f40	Bot Updating Package Versions	2022-03-16 21:57:12 +01:00
LinuxServer-CI	1fbae23bcf	Bot Updating Package Versions	2022-03-10 06:19:39 +01:00
LinuxServer-CI	555b2837cb	Bot Updating Package Versions	2022-03-02 00:56:48 +01:00
LinuxServer-CI	7c5005f9ad	Bot Updating Package Versions	2022-02-24 06:18:30 +01:00
LinuxServer-CI	7fb7364c96	Bot Updating Package Versions	2022-02-17 06:18:01 +01:00
LinuxServer-CI	274369c4ba	Bot Updating Package Versions	2022-02-08 19:58:44 +01:00
LinuxServer-CI	7562a1c26a	Bot Updating Package Versions	2022-02-03 06:18:15 +01:00
LinuxServer-CI	7d6b5e66c1	Bot Updating Package Versions	2022-01-27 06:19:02 +01:00
LinuxServer-CI	6fde2f5f8f	Bot Updating Package Versions	2022-01-20 06:19:07 +01:00
Roxedus	08d0680a0c	Merge pull request #202 from quietsy/master	2022-01-11 08:34:43 +01:00
quietsy	665eace79f	Ignore plex unauthorized requests	2022-01-11 09:19:16 +02:00
Roxedus	51d6132d63	Merge pull request #201 from quietsy/master	2022-01-10 19:48:30 +01:00
quietsy	251917b23f	Added a fail2ban jail for nginx unauthorized	2022-01-09 17:16:11 +02:00
LinuxServer-CI	bedff470cf	Bot Updating Package Versions	2021-12-30 06:19:44 +01:00
driz	84cdf58b66	Merge pull request #196 from linuxserver/ipv6-fix replace ip6tables legacy with ip6tables-nft due to missing kernel module	2021-12-21 17:27:47 -05:00
drizuid	e843b50fc8	replace ip6tables legacy with ip6tables-nft due to missing kernel module	2021-12-21 14:40:37 -05:00
LinuxServer-CI	682689d0fc	Bot Updating Package Versions	2021-12-09 06:19:24 +01:00
LinuxServer-CI	29a92e6bf1	Bot Updating Templated Files	2021-12-05 20:41:44 +01:00
Eric Nemchik	119df9f88b	Merge pull request #176 from quietsy/master Move maxmind to a new mod	2021-12-05 13:40:32 -06:00
quietsy	4929672e62	Move maxmind to a new mod	2021-12-04 20:57:16 +02:00
LinuxServer-CI	522fed5d1b	Bot Updating Package Versions	2021-12-02 06:19:05 +01:00
LinuxServer-CI	7b2dab1fbf	Bot Updating Package Versions	2021-11-25 06:18:49 +01:00
LinuxServer-CI	3b0095bdec	Bot Updating Templated Files	2021-11-22 13:52:15 +01:00
aptalca	4989825cb0	Merge pull request #189 from github-cli/master add support for infomaniak certbot plugin	2021-11-22 07:50:55 -05:00
Questionario	96e0fc7838	Update infomaniak.ini	2021-11-22 08:04:05 +01:00
Questionario	6f3a967360	Update 50-config	2021-11-22 07:50:31 +01:00
Questionario	671d51a345	Create infomaniak.ini	2021-11-22 07:46:55 +01:00
Questionario	2a9294a1db	Update readme-vars.yml	2021-11-22 07:44:32 +01:00
Questionario	a001fd849b	Update readme-vars.yml	2021-11-22 07:42:46 +01:00
Questionario	f617df2ba7	Update Dockerfile.armhf	2021-11-22 07:40:54 +01:00
Questionario	0952b6eb3e	Update Dockerfile.aarch64	2021-11-22 07:40:20 +01:00
Questionario	cb5a367323	Update Dockerfile	2021-11-22 07:39:20 +01:00
LinuxServer-CI	df1ba1c60a	Bot Updating Package Versions	2021-11-20 18:29:59 +01:00
LinuxServer-CI	5f526e4f89	Bot Updating Templated Files	2021-11-20 18:24:46 +01:00
aptalca	f9090d4a50	Merge pull request #181 from dongshuzhao/dnspod-support Add DNSPod support	2021-11-20 12:23:37 -05:00
aptalca	48f6b00530	Merge branch 'master' into dnspod-support	2021-11-20 12:08:46 -05:00
LinuxServer-CI	146687121e	Bot Updating Package Versions	2021-11-18 06:18:16 +01:00
LinuxServer-CI	93ba4f18b1	Bot Updating Package Versions	2021-11-16 14:13:21 +01:00
LinuxServer-CI	ce544dd810	Bot Updating Templated Files	2021-11-16 14:08:24 +01:00
Eric Nemchik	411970a947	Merge pull request #182 from fariszr/master add deSEC DNS plugin to certbot	2021-11-16 07:06:57 -06:00
FarisZR	7ea16018d5	update changelog	2021-11-15 19:10:19 +03:00
fariszr	8a4af00f01	Sort alphabetically. Co-authored-by: Eric Nemchik <eric@nemchik.com>	2021-11-15 19:03:44 +03:00
fariszr	fee6fe9a17	Sorted alphabetically. Co-authored-by: Eric Nemchik <eric@nemchik.com>	2021-11-15 19:03:16 +03:00
dongshuzhao	bf21716886	Update dnspod.ini document address resolve linuxserver/docker-swag#98	2021-11-13 01:04:17 +08:00
FarisZR	0d5f7b24b8	add desec as an option to readme	2021-11-12 16:29:14 +03:00
FarisZR	637ddc29a5	alphabetical order	2021-11-12 16:26:57 +03:00
FarisZR	9b169f5da2	add desec config	2021-11-12 16:22:13 +03:00
FarisZR	71cda1f685	add desec certbot plugin	2021-11-12 16:18:15 +03:00
dongshuzhao	08c23bde51	Add DnsPod support. resolve linuxserver/docker-swag#98	2021-11-12 16:58:47 +08:00
LinuxServer-CI	0109a07cfb	Bot Updating Package Versions	2021-11-11 06:18:42 +01:00
LinuxServer-CI	00fde50825	Bot Updating Package Versions	2021-10-27 17:13:43 +02:00
Eric Nemchik	69649d102f	Merge pull request #174 from linuxserver/fix-httpoxy Mitigate https://httpoxy.org/ vulnerabilities.	2021-10-27 10:02:17 -05:00
Eric Nemchik	66a4c1203b	Mitigate https://httpoxy.org/ vulnerabilities. Ref: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx#Defeating-the-Attack-using-NGINX-and-NGINX-Plus	2021-10-26 08:33:36 -05:00
LinuxServer-CI	c40c2bd6e5	Bot Updating Package Versions	2021-10-24 01:20:35 +02:00
aptalca	11302bce96	Merge pull request #171 from linuxserver/hedns fix HE dns validation	2021-10-23 19:15:34 -04:00
aptalca	537c47f293	fix HE dns validation	2021-10-23 14:04:11 -04:00
LinuxServer-CI	d65b388b9f	Bot Updating Package Versions	2021-10-21 07:17:38 +02:00
LinuxServer-CI	ed3402fe51	Bot Updating Package Versions	2021-10-14 07:18:03 +02:00
LinuxServer-CI	f63303b610	Bot Updating Package Versions	2021-10-12 17:18:33 +02:00
aptalca	9953568f06	Merge pull request #166 from linuxserver/rootstaging fix old root detection (staging and acme server)	2021-10-12 11:06:00 -04:00
aptalca	915f209ea5	fix old root detection (staging and acme server)	2021-10-12 10:04:57 -04:00
aptalca	3ff891f75d	Merge pull request #164 from obsidiangroup/master Added support for Hurricane Electric (HE) DNS validation	2021-10-06 16:11:45 -04:00
aptalca	e9bea31a3f	update readme	2021-10-06 15:39:36 -04:00
aptalca	09dff4ff5e	consolidate dns plugins, add lxml deps	2021-10-06 15:08:00 -04:00
obsidiangroup	0ffa850cdc	Fixed HE DNS validation. Fixed HE DNS validation to adhere to certbot/certbot PR#8131 (https://github.com/certbot/certbot/pull/8131)	2021-10-06 13:41:58 -04:00
obsidiangroup	aa9990b496	Added support for Hurricane Electric (HE) DNS validation Adds support for Hurricane Electric's Free DNS Service validation.	2021-10-05 19:23:25 -04:00
LinuxServer-CI	8c150cf0fa	Bot Updating Templated Files	2021-10-05 19:08:28 +02:00
LinuxServer-CI	e2dc9fe654	Bot Updating Templated Files	2021-10-05 19:07:19 +02:00
LinuxServer-CI	ce33eeebe7	Bot Updating Package Versions	2021-10-01 17:41:32 +02:00
aptalca	d027970b50	Merge pull request #162 from linuxserver/rootcert detect old root cert and revoke/regen	2021-10-01 11:36:04 -04:00
aptalca	a73daf773a	detect old root cert and revoke/regen	2021-10-01 11:18:12 -04:00
LinuxServer-CI	3f88a30d5c	Bot Updating Package Versions	2021-09-30 07:17:43 +02:00
LinuxServer-CI	b72b1b25ea	Bot Updating Package Versions	2021-09-23 07:17:48 +02:00
LinuxServer-CI	73c0dc9084	Bot Updating Templated Files	2021-09-19 22:26:54 +02:00
Eric Nemchik	da8f646fc8	Merge pull request #158 from quietsy/master Add an optional header to opt out of Google FLoC	2021-09-19 15:25:23 -05:00
quietsy	b309e1ce45	Add an optional header to opt out of Google FLoC	2021-09-19 22:37:47 +03:00
LinuxServer-CI	10b235cc1d	Bot Updating Package Versions	2021-09-17 17:53:21 +02:00
driz	9f700b50d9	Merge pull request #156 from linuxserver/optionalsubs make subdomains optional, minimize migration info	2021-09-17 11:42:21 -04:00
aptalca	e37e972875	make subdomains optional, minimize migration info	2021-09-17 11:05:27 -04:00
LinuxServer-CI	e2699a7ee8	Bot Updating Package Versions	2021-09-16 07:17:45 +02:00
LinuxServer-CI	0aa7ffb50d	Bot Updating Package Versions	2021-09-09 07:17:30 +02:00
LinuxServer-CI	f89d5883d9	Bot Updating Package Versions	2021-09-07 13:51:04 +02:00
aptalca	5c5751255b	Merge pull request #153 from linuxserver/readme Format app_setup_block	2021-09-07 07:44:51 -04:00
Roxedus	1afac8b5bf	Format app_setup_block closes #152	2021-09-07 08:48:25 +02:00
LinuxServer-CI	093fadb043	Bot Updating Package Versions	2021-09-02 07:23:33 +02:00
LinuxServer-CI	4a6038f334	Bot Updating Templated Files	2021-09-02 07:16:11 +02:00
LinuxServer-CI	71be04a03f	Bot Updating Package Versions	2021-08-26 07:22:11 +02:00
LinuxServer-CI	d19e63a447	Bot Updating Templated Files	2021-08-26 07:15:49 +02:00
LinuxServer-CI	1ae82126d8	Bot Updating Package Versions	2021-08-19 07:21:50 +02:00
LinuxServer-CI	44f30c7ae3	Bot Updating Package Versions	2021-08-07 19:27:09 +02:00
Homer	e4a5adec12	Merge pull request #146 from linuxserver/ionos add ionos dns plugin	2021-08-07 18:21:05 +01:00
LinuxServer-CI	5a72468780	Bot Updating Package Versions	2021-08-04 00:59:37 +02:00
aptalca	31190157fb	add ionos dns plugin	2021-08-01 12:51:47 -04:00