Bot Updating Package Versions

Replace even older service location

.github/workflows/call_invalid_helper.yml

@@ -0,0 +1,12 @@
+name: Comment on invalid interaction
+on:
+  issues:
+    types:
+      - labeled
+jobs:
+  add-comment-on-invalid:
+    if: github.event.label.name == 'invalid'
+    permissions:
+      issues: write
+    uses: linuxserver/github-workflows/.github/workflows/invalid-interaction-helper.yml@v1
+    secrets: inherit

.github/workflows/external_trigger.yml

@@ -18,7 +18,7 @@ jobs:
           fi
           echo "**** External trigger running off of master branch. To disable this trigger, set a Github secret named \"PAUSE_EXTERNAL_TRIGGER_SWAG_MASTER\". ****"
           echo "**** Retrieving external version ****"
-          EXT_RELEASE=$(echo '1.32.0')
+          EXT_RELEASE=$(curl -sL "https://pypi.python.org/pypi/certbot/json" |jq -r '. | .info.version')
           if [ -z "${EXT_RELEASE}" ] || [ "${EXT_RELEASE}" == "null" ]; then
             echo "**** Can't retrieve external version, exiting ****"
             FAILURE_REASON="Can't retrieve external version for swag branch master"

Dockerfile

@@ -1,4 +1,6 @@
-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.15
+# syntax=docker/dockerfile:1
+
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.17
 
 # set version label
 ARG BUILD_DATE
@@ -14,9 +16,8 @@ ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
 RUN \
   echo "**** install build packages ****" && \
   apk add --no-cache --virtual=build-dependencies \
+    build-base \
     cargo \
-    g++ \
-    gcc \
     libffi-dev \
     libxml2-dev \
     libxslt-dev \
@@ -24,11 +25,9 @@ RUN \
     python3-dev && \
   echo "**** install runtime packages ****" && \
   apk add --no-cache --upgrade \
-    curl \
     fail2ban \
     gnupg \
     memcached \
-    nginx \
     nginx-mod-http-brotli \
     nginx-mod-http-dav-ext \
     nginx-mod-http-echo \
@@ -36,7 +35,6 @@ RUN \
     nginx-mod-http-geoip2 \
     nginx-mod-http-headers-more \
     nginx-mod-http-image-filter \
-    nginx-mod-http-nchan \
     nginx-mod-http-perl \
     nginx-mod-http-redis2 \
     nginx-mod-http-set-misc \
@@ -47,67 +45,60 @@ RUN \
     nginx-mod-stream \
     nginx-mod-stream-geoip2 \
     nginx-vim \
-    php8-bcmath \
-    php8-bz2 \
-    php8-ctype \
-    php8-curl \
-    php8-dom \
-    php8-exif \
-    php8-ftp \
-    php8-gd \
-    php8-gmp \
-    php8-iconv \
-    php8-imap \
-    php8-intl \
-    php8-ldap \
-    php8-mysqli \
-    php8-mysqlnd \
-    php8-opcache \
-    php8-pdo_mysql \
-    php8-pdo_odbc \
-    php8-pdo_pgsql \
-    php8-pdo_sqlite \
-    php8-pear \
-    php8-pecl-apcu \
-    php8-pecl-mailparse \
-    php8-pecl-mcrypt \
-    php8-pecl-memcached \
-    php8-pecl-redis \
-    php8-pgsql \
-    php8-phar \
-    php8-posix \
-    php8-soap \
-    php8-sockets \
-    php8-sodium \
-    php8-sqlite3 \
-    php8-tokenizer \
-    php8-xml \
-    php8-xmlreader \
-    php8-xsl \
-    php8-zip \
-    py3-cryptography \
-    py3-future \
-    py3-pip \
+    php81-bcmath \
+    php81-bz2 \
+    php81-ctype \
+    php81-curl \
+    php81-dom \
+    php81-exif \
+    php81-ftp \
+    php81-gd \
+    php81-gmp \
+    php81-iconv \
+    php81-imap \
+    php81-intl \
+    php81-ldap \
+    php81-mysqli \
+    php81-mysqlnd \
+    php81-opcache \
+    php81-pdo_mysql \
+    php81-pdo_odbc \
+    php81-pdo_pgsql \
+    php81-pdo_sqlite \
+    php81-pear \
+    php81-pecl-apcu \
+    php81-pecl-mailparse \
+    php81-pecl-memcached \
+    php81-pecl-redis \
+    php81-pgsql \
+    php81-phar \
+    php81-posix \
+    php81-soap \
+    php81-sockets \
+    php81-sodium \
+    php81-sqlite3 \
+    php81-tokenizer \
+    php81-xmlreader \
+    php81-xsl \
+    php81-zip \
     whois && \
-  apk add --no-cache \
-    --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing \
-    php8-pecl-xmlrpc && \
+  apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing \
+    php81-pecl-mcrypt \
+    php81-pecl-xmlrpc && \
   echo "**** install certbot plugins ****" && \
   if [ -z ${CERTBOT_VERSION+x} ]; then \
-    CERTBOT="certbot"; \
-  else \
-    CERTBOT="certbot==${CERTBOT_VERSION}"; \
+    CERTBOT_VERSION=$(curl -sL  https://pypi.python.org/pypi/certbot/json |jq -r '. | .info.version'); \
   fi && \
-  pip3 install -U \
-    pip wheel && \
-  pip install -U --find-links https://wheel-index.linuxserver.io/alpine-3.15/ \
-    acme==${CERTBOT_VERSION} \
-    ${CERTBOT} \
+  python3 -m ensurepip && \
+  pip3 install -U --no-cache-dir \
+    pip \
+    wheel && \
+  pip3 install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.17/ \
+    certbot==${CERTBOT_VERSION} \
     certbot-dns-acmedns \
     certbot-dns-aliyun \
     certbot-dns-azure \
     certbot-dns-cloudflare \
-    certbot-dns-cloudxns \
     certbot-dns-cpanel \
     certbot-dns-desec \
     certbot-dns-digitalocean \
@@ -134,7 +125,6 @@ RUN \
     certbot-dns-njalla \
     certbot-dns-nsone \
     certbot-dns-ovh \
-    certbot-dns-porkbun \
     certbot-dns-rfc2136 \
     certbot-dns-route53 \
     certbot-dns-sakuracloud \
@@ -143,6 +133,7 @@ RUN \
     certbot-dns-vultr \
     certbot-plugin-gandi \
     cryptography \
+    future \
     requests && \
   echo "**** enable OCSP stapling from base ****" && \
   sed -i \
@@ -178,14 +169,10 @@ RUN \
   echo "**** cleanup ****" && \
   apk del --purge \
     build-dependencies && \
-  for cleanfiles in *.pyc *.pyo; \
-    do \
-    find /usr/lib/python3.*  -iname "${cleanfiles}" -exec rm -f '{}' + \
-    ; done && \
   rm -rf \
     /tmp/* \
-    /root/.cache \
-    /root/.cargo
+    $HOME/.cache \
+    $HOME/.cargo
 
 # copy local files
 COPY root/ /

Dockerfile.aarch64

@@ -1,4 +1,6 @@
-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.15
+# syntax=docker/dockerfile:1
+
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.17
 
 # set version label
 ARG BUILD_DATE
@@ -14,9 +16,8 @@ ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
 RUN \
   echo "**** install build packages ****" && \
   apk add --no-cache --virtual=build-dependencies \
+    build-base \
     cargo \
-    g++ \
-    gcc \
     libffi-dev \
     libxml2-dev \
     libxslt-dev \
@@ -24,11 +25,9 @@ RUN \
     python3-dev && \
   echo "**** install runtime packages ****" && \
   apk add --no-cache --upgrade \
-    curl \
     fail2ban \
     gnupg \
     memcached \
-    nginx \
     nginx-mod-http-brotli \
     nginx-mod-http-dav-ext \
     nginx-mod-http-echo \
@@ -36,7 +35,6 @@ RUN \
     nginx-mod-http-geoip2 \
     nginx-mod-http-headers-more \
     nginx-mod-http-image-filter \
-    nginx-mod-http-nchan \
     nginx-mod-http-perl \
     nginx-mod-http-redis2 \
     nginx-mod-http-set-misc \
@@ -47,67 +45,60 @@ RUN \
     nginx-mod-stream \
     nginx-mod-stream-geoip2 \
     nginx-vim \
-    php8-bcmath \
-    php8-bz2 \
-    php8-ctype \
-    php8-curl \
-    php8-dom \
-    php8-exif \
-    php8-ftp \
-    php8-gd \
-    php8-gmp \
-    php8-iconv \
-    php8-imap \
-    php8-intl \
-    php8-ldap \
-    php8-mysqli \
-    php8-mysqlnd \
-    php8-opcache \
-    php8-pdo_mysql \
-    php8-pdo_odbc \
-    php8-pdo_pgsql \
-    php8-pdo_sqlite \
-    php8-pear \
-    php8-pecl-apcu \
-    php8-pecl-mailparse \
-    php8-pecl-mcrypt \
-    php8-pecl-memcached \
-    php8-pecl-redis \
-    php8-pgsql \
-    php8-phar \
-    php8-posix \
-    php8-soap \
-    php8-sockets \
-    php8-sodium \
-    php8-sqlite3 \
-    php8-tokenizer \
-    php8-xml \
-    php8-xmlreader \
-    php8-xsl \
-    php8-zip \
-    py3-cryptography \
-    py3-future \
-    py3-pip \
+    php81-bcmath \
+    php81-bz2 \
+    php81-ctype \
+    php81-curl \
+    php81-dom \
+    php81-exif \
+    php81-ftp \
+    php81-gd \
+    php81-gmp \
+    php81-iconv \
+    php81-imap \
+    php81-intl \
+    php81-ldap \
+    php81-mysqli \
+    php81-mysqlnd \
+    php81-opcache \
+    php81-pdo_mysql \
+    php81-pdo_odbc \
+    php81-pdo_pgsql \
+    php81-pdo_sqlite \
+    php81-pear \
+    php81-pecl-apcu \
+    php81-pecl-mailparse \
+    php81-pecl-memcached \
+    php81-pecl-redis \
+    php81-pgsql \
+    php81-phar \
+    php81-posix \
+    php81-soap \
+    php81-sockets \
+    php81-sodium \
+    php81-sqlite3 \
+    php81-tokenizer \
+    php81-xmlreader \
+    php81-xsl \
+    php81-zip \
     whois && \
-  apk add --no-cache \
-    --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing \
-    php8-pecl-xmlrpc && \
+  apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing \
+    php81-pecl-mcrypt \
+    php81-pecl-xmlrpc && \
   echo "**** install certbot plugins ****" && \
   if [ -z ${CERTBOT_VERSION+x} ]; then \
-    CERTBOT="certbot"; \
-  else \
-    CERTBOT="certbot==${CERTBOT_VERSION}"; \
+    CERTBOT_VERSION=$(curl -sL  https://pypi.python.org/pypi/certbot/json |jq -r '. | .info.version'); \
   fi && \
-  pip3 install -U \
-    pip wheel && \
-  pip install -U --find-links https://wheel-index.linuxserver.io/alpine-3.15/ \
-    acme==${CERTBOT_VERSION} \
-    ${CERTBOT} \
+  python3 -m ensurepip && \
+  pip3 install -U --no-cache-dir \
+    pip \
+    wheel && \
+  pip3 install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.17/ \
+    certbot==${CERTBOT_VERSION} \
     certbot-dns-acmedns \
     certbot-dns-aliyun \
     certbot-dns-azure \
     certbot-dns-cloudflare \
-    certbot-dns-cloudxns \
     certbot-dns-cpanel \
     certbot-dns-desec \
     certbot-dns-digitalocean \
@@ -134,7 +125,6 @@ RUN \
     certbot-dns-njalla \
     certbot-dns-nsone \
     certbot-dns-ovh \
-    certbot-dns-porkbun \
     certbot-dns-rfc2136 \
     certbot-dns-route53 \
     certbot-dns-sakuracloud \
@@ -143,6 +133,7 @@ RUN \
     certbot-dns-vultr \
     certbot-plugin-gandi \
     cryptography \
+    future \
     requests && \
   echo "**** enable OCSP stapling from base ****" && \
   sed -i \
@@ -178,14 +169,10 @@ RUN \
   echo "**** cleanup ****" && \
   apk del --purge \
     build-dependencies && \
-  for cleanfiles in *.pyc *.pyo; \
-    do \
-    find /usr/lib/python3.*  -iname "${cleanfiles}" -exec rm -f '{}' + \
-    ; done && \
   rm -rf \
     /tmp/* \
-    /root/.cache \
-    /root/.cargo
+    $HOME/.cache \
+    $HOME/.cargo
 
 # copy local files
 COPY root/ /

Dockerfile.armhf

@@ -1,4 +1,6 @@
-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm32v7-3.15
+# syntax=docker/dockerfile:1
+
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm32v7-3.17
 
 # set version label
 ARG BUILD_DATE
@@ -14,9 +16,8 @@ ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
 RUN \
   echo "**** install build packages ****" && \
   apk add --no-cache --virtual=build-dependencies \
+    build-base \
     cargo \
-    g++ \
-    gcc \
     libffi-dev \
     libxml2-dev \
     libxslt-dev \
@@ -24,11 +25,9 @@ RUN \
     python3-dev && \
   echo "**** install runtime packages ****" && \
   apk add --no-cache --upgrade \
-    curl \
     fail2ban \
     gnupg \
     memcached \
-    nginx \
     nginx-mod-http-brotli \
     nginx-mod-http-dav-ext \
     nginx-mod-http-echo \
@@ -36,7 +35,6 @@ RUN \
     nginx-mod-http-geoip2 \
     nginx-mod-http-headers-more \
     nginx-mod-http-image-filter \
-    nginx-mod-http-nchan \
     nginx-mod-http-perl \
     nginx-mod-http-redis2 \
     nginx-mod-http-set-misc \
@@ -47,67 +45,60 @@ RUN \
     nginx-mod-stream \
     nginx-mod-stream-geoip2 \
     nginx-vim \
-    php8-bcmath \
-    php8-bz2 \
-    php8-ctype \
-    php8-curl \
-    php8-dom \
-    php8-exif \
-    php8-ftp \
-    php8-gd \
-    php8-gmp \
-    php8-iconv \
-    php8-imap \
-    php8-intl \
-    php8-ldap \
-    php8-mysqli \
-    php8-mysqlnd \
-    php8-opcache \
-    php8-pdo_mysql \
-    php8-pdo_odbc \
-    php8-pdo_pgsql \
-    php8-pdo_sqlite \
-    php8-pear \
-    php8-pecl-apcu \
-    php8-pecl-mailparse \
-    php8-pecl-mcrypt \
-    php8-pecl-memcached \
-    php8-pecl-redis \
-    php8-pgsql \
-    php8-phar \
-    php8-posix \
-    php8-soap \
-    php8-sockets \
-    php8-sodium \
-    php8-sqlite3 \
-    php8-tokenizer \
-    php8-xml \
-    php8-xmlreader \
-    php8-xsl \
-    php8-zip \
-    py3-cryptography \
-    py3-future \
-    py3-pip \
+    php81-bcmath \
+    php81-bz2 \
+    php81-ctype \
+    php81-curl \
+    php81-dom \
+    php81-exif \
+    php81-ftp \
+    php81-gd \
+    php81-gmp \
+    php81-iconv \
+    php81-imap \
+    php81-intl \
+    php81-ldap \
+    php81-mysqli \
+    php81-mysqlnd \
+    php81-opcache \
+    php81-pdo_mysql \
+    php81-pdo_odbc \
+    php81-pdo_pgsql \
+    php81-pdo_sqlite \
+    php81-pear \
+    php81-pecl-apcu \
+    php81-pecl-mailparse \
+    php81-pecl-memcached \
+    php81-pecl-redis \
+    php81-pgsql \
+    php81-phar \
+    php81-posix \
+    php81-soap \
+    php81-sockets \
+    php81-sodium \
+    php81-sqlite3 \
+    php81-tokenizer \
+    php81-xmlreader \
+    php81-xsl \
+    php81-zip \
     whois && \
-  apk add --no-cache \
-    --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing \
-    php8-pecl-xmlrpc && \
+  apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing \
+    php81-pecl-mcrypt \
+    php81-pecl-xmlrpc && \
   echo "**** install certbot plugins ****" && \
   if [ -z ${CERTBOT_VERSION+x} ]; then \
-    CERTBOT="certbot"; \
-  else \
-    CERTBOT="certbot==${CERTBOT_VERSION}"; \
+    CERTBOT_VERSION=$(curl -sL  https://pypi.python.org/pypi/certbot/json |jq -r '. | .info.version'); \
   fi && \
-  pip3 install -U \
-    pip wheel && \
-  pip install -U --find-links https://wheel-index.linuxserver.io/alpine-3.15/ \
-    acme==${CERTBOT_VERSION} \
-    ${CERTBOT} \
+  python3 -m ensurepip && \
+  pip3 install -U --no-cache-dir \
+    pip \
+    wheel && \
+  pip3 install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.17/ \
+    certbot==${CERTBOT_VERSION} \
     certbot-dns-acmedns \
     certbot-dns-aliyun \
     certbot-dns-azure \
     certbot-dns-cloudflare \
-    certbot-dns-cloudxns \
     certbot-dns-cpanel \
     certbot-dns-desec \
     certbot-dns-digitalocean \
@@ -134,7 +125,6 @@ RUN \
     certbot-dns-njalla \
     certbot-dns-nsone \
     certbot-dns-ovh \
-    certbot-dns-porkbun \
     certbot-dns-rfc2136 \
     certbot-dns-route53 \
     certbot-dns-sakuracloud \
@@ -143,6 +133,7 @@ RUN \
     certbot-dns-vultr \
     certbot-plugin-gandi \
     cryptography \
+    future \
     requests && \
   echo "**** enable OCSP stapling from base ****" && \
   sed -i \
@@ -178,14 +169,10 @@ RUN \
   echo "**** cleanup ****" && \
   apk del --purge \
     build-dependencies && \
-  for cleanfiles in *.pyc *.pyo; \
-    do \
-    find /usr/lib/python3.*  -iname "${cleanfiles}" -exec rm -f '{}' + \
-    ; done && \
   rm -rf \
     /tmp/* \
-    /root/.cache \
-    /root/.cargo
+    $HOME/.cache \
+    $HOME/.cargo
 
 # copy local files
 COPY root/ /

Jenkinsfile

@@ -100,18 +100,17 @@ pipeline {
     /* ########################
        External Release Tagging
        ######################## */
-    // If this is a custom command to determine version use that command
-    stage("Set tag custom bash"){
+    // If this is a pip release set the external tag to the pip version
+    stage("Set ENV pip_version"){
       steps{
         script{
           env.EXT_RELEASE = sh(
-            script: ''' echo '1.32.0' ''',
+            script: '''curl -sL  https://pypi.python.org/pypi/${EXT_PIP}/json |jq -r '. | .info.version' ''',
             returnStdout: true).trim()
-            env.RELEASE_LINK = 'custom_command'
+          env.RELEASE_LINK = 'https://pypi.python.org/pypi/' + env.EXT_PIP
         }
       }
-    }
-    // Sanitize the release tag and strip illegal docker or github characters
+    }    // Sanitize the release tag and strip illegal docker or github characters
     stage("Sanitize tag"){
       steps{
         script{
@@ -912,11 +911,11 @@ pipeline {
              "tagger": {"name": "LinuxServer Jenkins","email": "jenkins@linuxserver.io","date": "'${GITHUB_DATE}'"}}' '''
         echo "Pushing New release for Tag"
         sh '''#! /bin/bash
-              echo "Updating to ${EXT_RELEASE_CLEAN}" > releasebody.json
+              echo "Updating PIP version of ${EXT_PIP} to ${EXT_RELEASE_CLEAN}" > releasebody.json
               echo '{"tag_name":"'${META_TAG}'",\
                      "target_commitish": "master",\
                      "name": "'${META_TAG}'",\
-                     "body": "**LinuxServer Changes:**\\n\\n'${LS_RELEASE_NOTES}'\\n\\n**Remote Changes:**\\n\\n' > start
+                     "body": "**LinuxServer Changes:**\\n\\n'${LS_RELEASE_NOTES}'\\n\\n**PIP Changes:**\\n\\n' > start
               printf '","draft": false,"prerelease": false}' >> releasebody.json
               paste -d'\\0' start releasebody.json > releasebody.json.done
               curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/releases -d @releasebody.json.done'''

README.md

@@ -214,7 +214,7 @@ Container images are configured using parameters passed at runtime (such as thos
 | `-e VALIDATION=http` | Certbot validation method to use, options are `http` or `dns` (`dns` method also requires `DNSPLUGIN` variable set). |
 | `-e SUBDOMAINS=www,` | Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this *exactly* to `wildcard` (wildcard cert is available via `dns` validation only) |
 | `-e CERTPROVIDER=` | Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt. |
-| `-e DNSPLUGIN=cloudflare` | Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `cloudflare`, `cloudxns`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `duckdns`, `dynu`, `gandi`, `gehirn`, `godaddy`, `google`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`. |
+| `-e DNSPLUGIN=cloudflare` | Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `duckdns`, `dynu`, `gandi`, `gehirn`, `godaddy`, `google`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`. |
 | `-e PROPAGATION=` | Optionally override (in seconds) the default propagation time for the dns plugins. |
 | `-e EMAIL=` | Optional e-mail address used for cert expiration notifications (Required for ZeroSSL). |
 | `-e ONLY_SUBDOMAINS=false` | If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true` |
@@ -335,6 +335,11 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **21.01.23:** - Unpin certbot version (allow certbot 2.x). !!BREAKING CHANGE!! We are temporarily removing the certbot porkbun plugin until a new version is released that is compatible with certbot 2.x.
+* **20.01.23:** - Rebase to alpine 3.17 with php8.1.
+* **16.01.23:** - Remove nchan module because it keeps causing crashes.
+* **08.12.22:** - Revamp certbot init.
+* **03.12.22:** - Remove defunct cloudxns plugin.
 * **22.11.22:** - Pin acme to the same version as certbot.
 * **22.11.22:** - Pin certbot to 1.32.0 until plugin compatibility improves.
 * **05.11.22:** - Update acmedns plugin handling.

jenkins-vars.yml

@@ -2,12 +2,7 @@
 
 # jenkins variables
 project_name: docker-swag
-
-# Pin certbot to 1.32.0 until plugin compatibility improves
-external_type: na
-custom_version_command: "echo '1.32.0'"
-
-#external_type: pip_version
+external_type: pip_version
 release_type: stable
 release_tag: latest
 ls_branch: master

package_versions.txt

@@ -1,229 +1,204 @@
-alpine-baselayout-3.2.0-r18
+alpine-baselayout-3.4.0-r0
+alpine-baselayout-data-3.4.0-r0
 alpine-keys-2.4-r1
-apache2-utils-2.4.54-r0
-apk-tools-2.12.7-r3
-apr-1.7.0-r1
-apr-util-1.6.1-r11
-argon2-libs-20190702-r1
-bash-5.1.16-r0
-brotli-libs-1.0.9-r5
-busybox-1.34.1-r7
-c-client-2007f-r13
-ca-certificates-20220614-r0
-ca-certificates-bundle-20220614-r0
-coreutils-9.0-r2
-curl-7.80.0-r4
-expat-2.5.0-r0
-fail2ban-0.11.2-r1
-freetype-2.11.1-r2
-gdbm-1.22-r0
-git-2.34.5-r0
-git-perl-2.34.5-r0
-gmp-6.2.1-r1
-gnupg-2.2.31-r2
-gnupg-dirmngr-2.2.31-r2
-gnupg-gpgconf-2.2.31-r2
-gnupg-utils-2.2.31-r2
-gnupg-wks-client-2.2.31-r2
-gnutls-3.7.1-r1
-gpg-2.2.31-r2
-gpg-agent-2.2.31-r2
-gpg-wks-server-2.2.31-r2
-gpgsm-2.2.31-r2
-gpgv-2.2.31-r2
-icu-libs-69.1-r1
-ip6tables-1.8.7-r1
-iptables-1.8.7-r1
-libacl-2.2.53-r0
-libassuan-2.5.5-r0
-libattr-2.5.1-r1
-libbsd-0.11.3-r1
-libbz2-1.0.8-r1
+alpine-release-3.17.1-r0
+aom-libs-3.5.0-r0
+apache2-utils-2.4.55-r0
+apk-tools-2.12.10-r1
+apr-1.7.0-r2
+apr-util-1.6.1-r14
+argon2-libs-20190702-r2
+bash-5.2.15-r0
+brotli-libs-1.0.9-r9
+busybox-1.35.0-r29
+busybox-binsh-1.35.0-r29
+c-client-2007f-r14
+ca-certificates-20220614-r4
+ca-certificates-bundle-20220614-r4
+coreutils-9.1-r0
+curl-7.87.0-r1
+fail2ban-1.0.2-r0
+fontconfig-2.14.1-r0
+freetype-2.12.1-r0
+gdbm-1.23-r0
+git-2.38.3-r1
+git-perl-2.38.3-r1
+gmp-6.2.1-r2
+gnupg-2.2.40-r0
+gnupg-dirmngr-2.2.40-r0
+gnupg-gpgconf-2.2.40-r0
+gnupg-utils-2.2.40-r0
+gnupg-wks-client-2.2.40-r0
+gnutls-3.7.8-r2
+gpg-2.2.40-r0
+gpg-agent-2.2.40-r0
+gpg-wks-server-2.2.40-r0
+gpgsm-2.2.40-r0
+gpgv-2.2.40-r0
+icu-data-en-72.1-r1
+icu-libs-72.1-r1
+ip6tables-1.8.8-r2
+iptables-1.8.8-r2
+jq-1.6-r2
+libacl-2.3.1-r1
+libassuan-2.5.5-r1
+libattr-2.5.1-r2
+libavif-0.11.1-r0
+libbsd-0.11.7-r0
+libbz2-1.0.8-r4
 libc-utils-0.7.2-r3
-libcap-2.61-r0
-libcrypto1.1-1.1.1s-r1
-libcurl-7.80.0-r4
-libedit-20210910.3.1-r0
-libevent-2.1.12-r4
-libffi-3.4.2-r1
-libgcc-10.3.1_git20211027-r0
-libgcrypt-1.9.4-r0
-libgd-2.3.2-r1
-libgpg-error-1.42-r1
-libice-1.0.10-r0
-libidn-1.38-r0
-libintl-0.21-r0
-libjpeg-turbo-2.1.2-r0
-libksba-1.6.0-r0
-libldap-2.6.2-r0
-libmaxminddb-1.6.0-r0
-libmcrypt-2.5.8-r9
-libmd-1.0.3-r0
-libmemcached-libs-1.0.18-r4
-libmnl-1.0.4-r2
-libnftnl-1.2.1-r0
-libpng-1.6.37-r1
-libpq-14.5-r0
-libproc-3.3.17-r0
-libretls-3.3.4-r3
-libsasl-2.1.28-r0
-libseccomp-2.5.2-r0
-libsm-1.2.3-r0
-libsodium-1.0.18-r0
-libssl1.1-1.1.1s-r1
-libstdc++-10.3.1_git20211027-r0
-libtasn1-4.18.0-r0
-libunistring-0.9.10-r1
-libuuid-2.37.4-r0
-libwebp-1.2.2-r0
-libx11-1.7.3.1-r0
-libxau-1.0.9-r0
-libxcb-1.14-r2
-libxdmcp-1.1.3-r0
-libxext-1.3.4-r0
-libxml2-2.9.14-r2
-libxpm-3.5.13-r0
-libxslt-1.1.35-r0
+libcrypto3-3.0.7-r2
+libcurl-7.87.0-r1
+libdav1d-1.0.0-r2
+libedit-20221030.3.1-r0
+libevent-2.1.12-r5
+libexpat-2.5.0-r0
+libffi-3.4.4-r0
+libgcc-12.2.1_git20220924-r4
+libgcrypt-1.10.1-r0
+libgd-2.3.3-r3
+libgpg-error-1.46-r1
+libice-1.0.10-r1
+libidn-1.41-r0
+libintl-0.21.1-r1
+libjpeg-turbo-2.1.4-r0
+libksba-1.6.3-r0
+libldap-2.6.3-r6
+libmaxminddb-libs-1.7.1-r0
+libmcrypt-2.5.8-r10
+libmd-1.0.4-r0
+libmemcached-libs-1.0.18-r5
+libmnl-1.0.5-r0
+libnftnl-1.2.4-r0
+libpng-1.6.38-r0
+libpq-15.1-r0
+libproc-3.3.17-r2
+libsasl-2.1.28-r3
+libseccomp-2.5.4-r0
+libsm-1.2.3-r1
+libsodium-1.0.18-r2
+libssl3-3.0.7-r2
+libstdc++-12.2.1_git20220924-r4
+libtasn1-4.19.0-r0
+libunistring-1.1-r0
+libuuid-2.38.1-r1
+libwebp-1.2.4-r1
+libx11-1.8.3-r1
+libxau-1.0.10-r0
+libxcb-1.15-r0
+libxdmcp-1.1.4-r0
+libxext-1.3.5-r0
+libxml2-2.10.3-r1
+libxpm-3.5.15-r0
+libxslt-1.1.37-r0
 libxt-1.2.1-r0
-libzip-1.8.0-r1
-linux-pam-1.5.2-r0
-logrotate-3.18.1-r4
-lz4-libs-1.9.3-r1
-memcached-1.6.12-r0
+libzip-1.9.2-r2
+linux-pam-1.5.2-r1
+logrotate-3.20.1-r3
+lz4-libs-1.9.4-r1
+memcached-1.6.17-r0
 mpdecimal-2.5.1-r1
-musl-1.2.2-r7
-musl-utils-1.2.2-r7
-nano-5.9-r0
-ncurses-libs-6.3_p20211120-r1
-ncurses-terminfo-base-6.3_p20211120-r1
-nettle-3.7.3-r0
-nghttp2-libs-1.46.0-r0
-nginx-1.20.2-r1
-nginx-mod-devel-kit-1.20.2-r1
-nginx-mod-http-brotli-1.20.2-r1
-nginx-mod-http-dav-ext-1.20.2-r1
-nginx-mod-http-echo-1.20.2-r1
-nginx-mod-http-fancyindex-1.20.2-r1
-nginx-mod-http-geoip2-1.20.2-r1
-nginx-mod-http-headers-more-1.20.2-r1
-nginx-mod-http-image-filter-1.20.2-r1
-nginx-mod-http-nchan-1.20.2-r1
-nginx-mod-http-perl-1.20.2-r1
-nginx-mod-http-redis2-1.20.2-r1
-nginx-mod-http-set-misc-1.20.2-r1
-nginx-mod-http-upload-progress-1.20.2-r1
-nginx-mod-http-xslt-filter-1.20.2-r1
-nginx-mod-mail-1.20.2-r1
-nginx-mod-rtmp-1.20.2-r1
-nginx-mod-stream-1.20.2-r1
-nginx-mod-stream-geoip2-1.20.2-r1
-nginx-vim-1.20.2-r1
-npth-1.6-r1
-oniguruma-6.9.7.1-r0
-openssl-1.1.1s-r1
-p11-kit-0.24.0-r1
-pcre-8.45-r1
-pcre2-10.40-r0
-perl-5.34.0-r1
+musl-1.2.3-r4
+musl-utils-1.2.3-r4
+nano-7.0-r0
+ncurses-libs-6.3_p20221119-r0
+ncurses-terminfo-base-6.3_p20221119-r0
+nettle-3.8.1-r0
+nghttp2-libs-1.51.0-r0
+nginx-1.22.1-r0
+nginx-mod-devel-kit-1.22.1-r0
+nginx-mod-http-brotli-1.22.1-r0
+nginx-mod-http-dav-ext-1.22.1-r0
+nginx-mod-http-echo-1.22.1-r0
+nginx-mod-http-fancyindex-1.22.1-r0
+nginx-mod-http-geoip2-1.22.1-r0
+nginx-mod-http-headers-more-1.22.1-r0
+nginx-mod-http-image-filter-1.22.1-r0
+nginx-mod-http-perl-1.22.1-r0
+nginx-mod-http-redis2-1.22.1-r0
+nginx-mod-http-set-misc-1.22.1-r0
+nginx-mod-http-upload-progress-1.22.1-r0
+nginx-mod-http-xslt-filter-1.22.1-r0
+nginx-mod-mail-1.22.1-r0
+nginx-mod-rtmp-1.22.1-r0
+nginx-mod-stream-1.22.1-r0
+nginx-mod-stream-geoip2-1.22.1-r0
+nginx-vim-1.22.1-r0
+npth-1.6-r2
+oniguruma-6.9.8-r0
+openssl-3.0.7-r2
+p11-kit-0.24.1-r1
+pcre-8.45-r2
+pcre2-10.42-r0
+perl-5.36.0-r0
 perl-error-0.17029-r1
-perl-git-2.34.5-r0
-php8-8.0.25-r0
-php8-bcmath-8.0.25-r0
-php8-bz2-8.0.25-r0
-php8-common-8.0.25-r0
-php8-ctype-8.0.25-r0
-php8-curl-8.0.25-r0
-php8-dom-8.0.25-r0
-php8-exif-8.0.25-r0
-php8-fileinfo-8.0.25-r0
-php8-fpm-8.0.25-r0
-php8-ftp-8.0.25-r0
-php8-gd-8.0.25-r0
-php8-gmp-8.0.25-r0
-php8-iconv-8.0.25-r0
-php8-imap-8.0.25-r0
-php8-intl-8.0.25-r0
-php8-ldap-8.0.25-r0
-php8-mbstring-8.0.25-r0
-php8-mysqli-8.0.25-r0
-php8-mysqlnd-8.0.25-r0
-php8-opcache-8.0.25-r0
-php8-openssl-8.0.25-r0
-php8-pdo-8.0.25-r0
-php8-pdo_mysql-8.0.25-r0
-php8-pdo_odbc-8.0.25-r0
-php8-pdo_pgsql-8.0.25-r0
-php8-pdo_sqlite-8.0.25-r0
-php8-pear-8.0.25-r0
-php8-pecl-apcu-5.1.21-r0
-php8-pecl-igbinary-3.2.6-r0
-php8-pecl-mailparse-3.1.3-r0
-php8-pecl-mcrypt-1.0.4-r0
-php8-pecl-memcached-3.1.5-r1
-php8-pecl-redis-5.3.6-r0
-php8-pecl-xmlrpc-1.0.0_rc3-r0
-php8-pgsql-8.0.25-r0
-php8-phar-8.0.25-r0
-php8-posix-8.0.25-r0
-php8-session-8.0.25-r0
-php8-simplexml-8.0.25-r0
-php8-soap-8.0.25-r0
-php8-sockets-8.0.25-r0
-php8-sodium-8.0.25-r0
-php8-sqlite3-8.0.25-r0
-php8-tokenizer-8.0.25-r0
-php8-xml-8.0.25-r0
-php8-xmlreader-8.0.25-r0
-php8-xmlwriter-8.0.25-r0
-php8-xsl-8.0.25-r0
-php8-zip-8.0.25-r0
-pinentry-1.2.0-r0
-popt-1.18-r0
-procps-3.3.17-r0
-py3-appdirs-1.4.4-r2
-py3-asn1crypto-1.4.0-r1
-py3-cachecontrol-0.12.10-r0
-py3-certifi-2020.12.5-r1
-py3-cffi-1.14.5-r4
-py3-charset-normalizer-2.0.7-r0
-py3-colorama-0.4.4-r1
-py3-contextlib2-21.6.0-r1
-py3-cparser-2.20-r1
-py3-cryptography-3.3.2-r3
-py3-distlib-0.3.3-r0
-py3-distro-1.6.0-r0
-py3-future-0.18.2-r3
-py3-html5lib-1.1-r1
-py3-idna-3.3-r0
-py3-lockfile-0.12.2-r4
-py3-msgpack-1.0.2-r1
-py3-ordered-set-4.0.2-r2
-py3-packaging-20.9-r1
-py3-parsing-2.4.7-r2
-py3-pep517-0.12.0-r0
-py3-pip-20.3.4-r1
-py3-progress-1.6-r0
-py3-requests-2.26.0-r1
-py3-retrying-1.3.3-r2
-py3-setuptools-52.0.0-r4
-py3-six-1.16.0-r0
-py3-toml-0.10.2-r2
-py3-tomli-1.2.2-r0
-py3-urllib3-1.26.7-r0
-py3-webencodings-0.5.1-r4
-python3-3.9.15-r0
-readline-8.1.1-r0
-s6-ipcserver-2.11.0.0-r0
-scanelf-1.3.3-r0
-shadow-4.8.1-r1
-skalibs-2.11.0.0-r0
-sqlite-libs-3.36.0-r0
-ssl_client-1.34.1-r7
+perl-git-2.38.3-r1
+php81-8.1.14-r0
+php81-bcmath-8.1.14-r0
+php81-bz2-8.1.14-r0
+php81-common-8.1.14-r0
+php81-ctype-8.1.14-r0
+php81-curl-8.1.14-r0
+php81-dom-8.1.14-r0
+php81-exif-8.1.14-r0
+php81-fileinfo-8.1.14-r0
+php81-fpm-8.1.14-r0
+php81-ftp-8.1.14-r0
+php81-gd-8.1.14-r0
+php81-gmp-8.1.14-r0
+php81-iconv-8.1.14-r0
+php81-imap-8.1.14-r0
+php81-intl-8.1.14-r0
+php81-ldap-8.1.14-r0
+php81-mbstring-8.1.14-r0
+php81-mysqli-8.1.14-r0
+php81-mysqlnd-8.1.14-r0
+php81-opcache-8.1.14-r0
+php81-openssl-8.1.14-r0
+php81-pdo-8.1.14-r0
+php81-pdo_mysql-8.1.14-r0
+php81-pdo_odbc-8.1.14-r0
+php81-pdo_pgsql-8.1.14-r0
+php81-pdo_sqlite-8.1.14-r0
+php81-pear-8.1.14-r0
+php81-pecl-apcu-5.1.22-r0
+php81-pecl-igbinary-3.2.12-r0
+php81-pecl-mailparse-3.1.4-r0
+php81-pecl-mcrypt-1.0.4-r0
+php81-pecl-memcached-3.2.0-r0
+php81-pecl-redis-5.3.7-r0
+php81-pecl-xmlrpc-1.0.0_rc3-r0
+php81-pgsql-8.1.14-r0
+php81-phar-8.1.14-r0
+php81-posix-8.1.14-r0
+php81-session-8.1.14-r0
+php81-simplexml-8.1.14-r0
+php81-soap-8.1.14-r0
+php81-sockets-8.1.14-r0
+php81-sodium-8.1.14-r0
+php81-sqlite3-8.1.14-r0
+php81-tokenizer-8.1.14-r0
+php81-xml-8.1.14-r0
+php81-xmlreader-8.1.14-r0
+php81-xmlwriter-8.1.14-r0
+php81-xsl-8.1.14-r0
+php81-zip-8.1.14-r0
+pinentry-1.2.1-r0
+popt-1.19-r0
+procps-3.3.17-r2
+python3-3.10.9-r1
+readline-8.2.0-r0
+scanelf-1.3.5-r1
+shadow-4.13-r0
+skalibs-2.12.0.1-r0
+sqlite-libs-3.40.1-r0
+ssl_client-1.35.0-r29
+tiff-4.4.0-r1
 tzdata-2022f-r1
-unixodbc-2.3.9-r1
-utmps-0.1.0.3-r0
-whois-5.5.10-r0
-xz-5.2.5-r1
-xz-libs-5.2.5-r1
-zlib-1.2.12-r3
-zstd-libs-1.5.0-r0
+unixodbc-2.3.11-r0
+utmps-libs-0.1.2.0-r1
+whois-5.5.14-r0
+xz-5.2.9-r0
+xz-libs-5.2.9-r0
+zlib-1.2.13-r0
+zstd-libs-1.5.2-r9

readme-vars.yml

@@ -51,7 +51,7 @@ opt_param_usage_include_env: true
 opt_param_env_vars:
   - { env_var: "SUBDOMAINS", env_value: "www,", desc: "Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this *exactly* to `wildcard` (wildcard cert is available via `dns` validation only)" }
   - { env_var: "CERTPROVIDER", env_value: "", desc: "Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt." }
-  - { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `cloudflare`, `cloudxns`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `duckdns`, `dynu`, `gandi`, `gehirn`, `godaddy`, `google`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." }
+  - { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `duckdns`, `dynu`, `gandi`, `gehirn`, `godaddy`, `google`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." }
   - { env_var: "PROPAGATION", env_value: "", desc: "Optionally override (in seconds) the default propagation time for the dns plugins." }
   - { env_var: "EMAIL", env_value: "", desc: "Optional e-mail address used for cert expiration notifications (Required for ZeroSSL)." }
   - { env_var: "ONLY_SUBDOMAINS", env_value: "false", desc: "If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true`" }
@@ -152,11 +152,13 @@ app_setup_block: |
 
   Please follow the instructions [on this blog post](https://www.linuxserver.io/blog/2020-08-21-introducing-swag#migrate).
 
-app_setup_nginx_reverse_proxy_snippet: false
-app_setup_nginx_reverse_proxy_block: ""
-
 # changelog
 changelogs:
+  - { date: "21.01.23:", desc: "Unpin certbot version (allow certbot 2.x). !!BREAKING CHANGE!! We are temporarily removing the certbot porkbun plugin until a new version is released that is compatible with certbot 2.x." }
+  - { date: "20.01.23:", desc: "Rebase to alpine 3.17 with php8.1." }
+  - { date: "16.01.23:", desc: "Remove nchan module because it keeps causing crashes." }
+  - { date: "08.12.22:", desc: "Revamp certbot init."}
+  - { date: "03.12.22:", desc: "Remove defunct cloudxns plugin."}
   - { date: "22.11.22:", desc: "Pin acme to the same version as certbot."}
   - { date: "22.11.22:", desc: "Pin certbot to 1.32.0 until plugin compatibility improves."}
   - { date: "05.11.22:", desc: "Update acmedns plugin handling."}

root/app/le-renew.sh

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 echo "<------------------------------------------------->"
 echo

root/defaults/dns-conf/cloudxns.ini

@@ -1,4 +0,0 @@
-# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudxns/certbot_dns_cloudxns/__init__.py#L20
-# Replace with your values
-dns_cloudxns_api_key = 1234567890abcdef1234567890abcdef
-dns_cloudxns_secret_key = 1122334455667788

root/defaults/dns-conf/cpanel.ini

@@ -1,6 +1,15 @@
 # Instructions: https://github.com/badjware/certbot-dns-cpanel#credentials
-# Replace with your values
+# The url cPanel url
 # include the scheme and the port number (usually 2083 for https)
-dns_cpanel_url = https://cpanel.example.com:2083
-dns_cpanel_username = username
-dns_cpanel_password = 1234567890abcdef
+cpanel_url = https://cpanel.exemple.com:2083
+
+# The cPanel username
+cpanel_username = user
+
+# The cPanel password 
+cpanel_password = hunter2
+
+# The cPanel API Token
+cpanel_token = EUTQ793EY7MIRX4EMXXXXXXXXXXOX4JF
+
+# You only need to configure API Token or Password. If you supply both, the API Token will be used

root/defaults/dns-conf/directadmin.ini

@@ -12,10 +12,10 @@
 
 # The DirectAdmin Server url
 # include the scheme and the port number (Normally 2222)
-directadmin_url = https://my.directadminserver.com:2222
+dns_directadmin_url = https://my.directadminserver.com:2222
 
 # The DirectAdmin username
-directadmin_username = username
+dns_directadmin_username = username
 
 # The DirectAdmin password
-directadmin_password = aSuperStrongPassword
+dns_directadmin_password = aSuperStrongPassword

root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 cd /config/keys/letsencrypt || exit 1
 openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:

root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx

@@ -1,13 +1,15 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
+# shellcheck source=/dev/null
 . /config/.donoteditthisfile.conf
 
-if [ ! "$ORIGVALIDATION" = "dns" ] && [ ! "$ORIGVALIDATION" = "duckdns" ]; then
-	if ps aux | grep 's6-supervise nginx' | grep -v grep >/dev/null; then
-		s6-svc -u /run/service/nginx
-	fi
+if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then
+    if pgrep -f "s6-supervise nginx" >/dev/null; then
+        s6-svc -u /run/service/svc-nginx
+    fi
 else
-	if ps aux | grep [n]ginx: >/dev/null; then
-		s6-svc -h /run/service/nginx
-	fi
+    if pgrep -f "nginx:" >/dev/null; then
+        s6-svc -h /run/service/svc-nginx
+    fi
 fi

root/defaults/etc/letsencrypt/renewal-hooks/pre/10-nginx

@@ -1,9 +1,11 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
+# shellcheck source=/dev/null
 . /config/.donoteditthisfile.conf
 
-if [ ! "$ORIGVALIDATION" = "dns" ] && [ ! "$ORIGVALIDATION" = "duckdns" ]; then
-	if ps aux | grep [n]ginx: >/dev/null; then
-		s6-svc -d /run/service/nginx
-	fi
+if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then
+    if pgrep -f "nginx:" >/dev/null; then
+        s6-svc -d /run/service/svc-nginx
+    fi
 fi

root/etc/cont-init.d/43-crontabs

@@ -1,10 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-# copy crontabs if needed
-if [[ ! -f /config/crontabs/root ]]; then
-    cp /etc/crontabs/root /config/crontabs/
-fi
-
-# import user crontabs
-rm /etc/crontabs/*
-cp /config/crontabs/* /etc/crontabs/

root/etc/cont-init.d/50-certbot

@@ -1,282 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-# Display variables for troubleshooting
-echo -e "Variables set:\\n\
-PUID=${PUID}\\n\
-PGID=${PGID}\\n\
-TZ=${TZ}\\n\
-URL=${URL}\\n\
-SUBDOMAINS=${SUBDOMAINS}\\n\
-EXTRA_DOMAINS=${EXTRA_DOMAINS}\\n\
-ONLY_SUBDOMAINS=${ONLY_SUBDOMAINS}\\n\
-VALIDATION=${VALIDATION}\\n\
-CERTPROVIDER=${CERTPROVIDER}\\n\
-DNSPLUGIN=${DNSPLUGIN}\\n\
-EMAIL=${EMAIL}\\n\
-STAGING=${STAGING}\\n"
-
-# Sanitize variables
-SANED_VARS=(DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER)
-for i in "${SANED_VARS[@]}"; do
-    export echo "$i"="${!i//\"/}"
-    export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
-done
-
-# check to make sure DNSPLUGIN is selected if dns validation is used
-if [[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(acmedns|aliyun|azure|cloudflare|cloudxns|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|do|domeneshop|duckdns|dynu|gandi|gehirn|godaddy|google|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|porkbun|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then
-    echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details."
-    sleep infinity
-fi
-
-# copy dns default configs
-cp -n /defaults/dns-conf/* /config/dns-conf/
-chown -R abc:abc /config/dns-conf
-
-# update plugin names in dns conf inis
-sed -i 's|^certbot_dns_aliyun:||g' /config/dns-conf/aliyun.ini
-sed -i 's|^certbot_dns_cpanel:|dns_|g' /config/dns-conf/cpanel.ini
-sed -i 's|^certbot_dns_domeneshop:||g' /config/dns-conf/domeneshop.ini
-sed -i 's|^certbot_dns_inwx:||g' /config/dns-conf/inwx.ini
-sed -i 's|^certbot_dns_transip:||g' /config/dns-conf/transip.ini
-sed -i 's|^certbot_plugin_gandi:dns_|dns_gandi_|g' /config/dns-conf/gandi.ini
-
-# copy default renewal hooks
-chmod -R +x /defaults/etc/letsencrypt/renewal-hooks
-cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/
-chown -R abc:abc /config/etc/letsencrypt/renewal-hooks
-
-# create original config file if it doesn't exist, move non-hidden legacy file to hidden
-if [ -f "/config/donoteditthisfile.conf" ]; then
-    mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
-fi
-if [ ! -f "/config/.donoteditthisfile.conf" ]; then
-    echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" >/config/.donoteditthisfile.conf
-    echo "Created .donoteditthisfile.conf"
-fi
-
-# load original config settings
-# shellcheck disable=SC1091
-. /config/.donoteditthisfile.conf
-
-# set default validation to http
-if [ -z "$VALIDATION" ]; then
-    VALIDATION="http"
-    echo "VALIDATION parameter not set; setting it to http"
-fi
-
-# set duckdns validation to dns
-if [ "$VALIDATION" = "duckdns" ]; then
-    VALIDATION="dns"
-    DNSPLUGIN="duckdns"
-    if [ -n "$DUCKDNSTOKEN" ] && ! grep -q "dns_duckdns_token=${DUCKDNSTOKEN}$" /config/dns-conf/duckdns.ini;then
-        sed -i "s|^dns_duckdns_token=.*|dns_duckdns_token=${DUCKDNSTOKEN}|g" /config/dns-conf/duckdns.ini
-    fi
-fi
-if [ "$VALIDATION" = "dns" ] && [ "$DNSPLUGIN" = "duckdns" ]; then
-    if [ "$SUBDOMAINS" = "wildcard" ]; then
-        echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
-        export ONLY_SUBDOMAINS=true
-    else
-        echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org"
-        export SUBDOMAINS=""
-    fi
-    export EXTRA_DOMAINS=""
-fi
-
-# if zerossl is selected or staging is set to true, use the relevant server
-if [ "$CERTPROVIDER" = "zerossl" ] && [ "$STAGING" = "true" ]; then
-    echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
-fi
-if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then
-    echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL"
-    ACMESERVER="https://acme.zerossl.com/v2/DV90"
-elif [ "$CERTPROVIDER" = "zerossl" ] && [ -z "$EMAIL" ]; then
-    echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable"
-    sleep infinity
-elif [ "$STAGING" = "true" ]; then
-    echo "NOTICE: Staging is active"
-    echo "Using Let's Encrypt as the cert provider"
-    ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
-else
-    echo "Using Let's Encrypt as the cert provider"
-    ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
-fi
-
-# figuring out url only vs url & subdomains vs subdomains only
-if [ -n "$SUBDOMAINS" ]; then
-    echo "SUBDOMAINS entered, processing"
-    if [ "$SUBDOMAINS" = "wildcard" ]; then
-        if [ "$ONLY_SUBDOMAINS" = true ]; then
-            export URL_REAL="-d *.${URL}"
-            echo "Wildcard cert for only the subdomains of $URL will be requested"
-        else
-            export URL_REAL="-d *.${URL} -d ${URL}"
-            echo "Wildcard cert for $URL will be requested"
-        fi
-    else
-        echo "SUBDOMAINS entered, processing"
-        for job in $(echo "$SUBDOMAINS" | tr "," " "); do
-            export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}"
-        done
-        if [ "$ONLY_SUBDOMAINS" = true ]; then
-            URL_REAL="$SUBDOMAINS_REAL"
-            echo "Only subdomains, no URL in cert"
-        else
-            URL_REAL="-d ${URL}${SUBDOMAINS_REAL}"
-        fi
-        echo "Sub-domains processed are: $SUBDOMAINS_REAL"
-    fi
-else
-    echo "No subdomains defined"
-    URL_REAL="-d $URL"
-fi
-
-# add extra domains
-if [ -n "$EXTRA_DOMAINS" ]; then
-    echo "EXTRA_DOMAINS entered, processing"
-    for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do
-        export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}"
-    done
-    echo "Extra domains processed are: $EXTRA_DOMAINS_REAL"
-    URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL"
-fi
-
-# figuring out whether to use e-mail and which
-if [[ $EMAIL == *@* ]]; then
-    echo "E-mail address entered: ${EMAIL}"
-    EMAILPARAM="-m ${EMAIL} --no-eff-email"
-else
-    echo "No e-mail address entered or address invalid"
-    EMAILPARAM="--register-unsafely-without-email"
-fi
-
-# setting the validation method to use
-if [ "$VALIDATION" = "dns" ]; then
-    if [ "$DNSPLUGIN" = "route53" ]; then
-        if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-        PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}"
-    elif [[ "$DNSPLUGIN" =~ ^(azure|gandi)$ ]]; then
-        if [ -n "$PROPAGATION" ]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi
-        PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini"
-    elif [[ "$DNSPLUGIN" =~ ^(duckdns)$ ]]; then
-        if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-        PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini --dns-duckdns-no-txt-restore ${PROPAGATIONPARAM}"
-    elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then
-        if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-        PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}"
-    elif [[ "$DNSPLUGIN" =~ ^(acmedns|aliyun|cpanel|desec|dnspod|do|domeneshop|dynu|godaddy|he|hetzner|infomaniak|inwx|ionos|loopia|netcup|njalla|porkbun|transip|vultr)$ ]]; then
-        if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-        PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
-    elif [[ "$DNSPLUGIN" =~ ^(standalone)$ ]]; then
-        if [ -n "$PROPAGATION" ]; then echo "standalone dns plugin does not support setting propagation time"; fi
-        PREFCHAL="-a dns-${DNSPLUGIN}"
-    elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then
-        if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-        PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
-    else
-        if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-        PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
-    fi
-    echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
-elif [ "$VALIDATION" = "tls-sni" ]; then
-    PREFCHAL="--standalone --preferred-challenges http"
-    echo "*****tls-sni validation has been deprecated, attempting http validation instead"
-else
-    PREFCHAL="--standalone --preferred-challenges http"
-    echo "http validation is selected"
-fi
-
-# setting the symlink for key location
-rm -rf /config/keys/letsencrypt
-if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ]; then
-    DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}"
-    ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt
-else
-    ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt
-fi
-
-# checking for changes in cert variables, revoking certs if necessary
-if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ] || [ ! "$VALIDATION" = "$ORIGVALIDATION" ] || [ ! "$DNSPLUGIN" = "$ORIGDNSPLUGIN" ] || [ ! "$PROPAGATION" = "$ORIGPROPAGATION" ] || [ ! "$STAGING" = "$ORIGSTAGING" ] || [ ! "$CERTPROVIDER" = "$ORIGCERTPROVIDER" ]; then
-    echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
-    if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! "$ORIGSUBDOMAINS" = "wildcard" ]; then
-        ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
-    else
-        ORIGDOMAIN="$ORIGURL"
-    fi
-    if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then
-        REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL")
-        REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
-        REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
-        if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then
-            echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
-            sleep infinity
-        fi
-        REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}"
-    elif [ "$ORIGSTAGING" = "true" ]; then
-        REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
-    else
-        REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
-    fi
-    if [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]]; then
-        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
-    fi
-    rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
-fi
-
-# saving new variables
-echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" >/config/.donoteditthisfile.conf
-
-# alter extension for error message
-if [ "$DNSPLUGIN" = "google" ]; then
-    FILENAME="$DNSPLUGIN.json"
-else
-    FILENAME="$DNSPLUGIN.ini"
-fi
-
-# Check if the cert is using the old LE root cert, revoke and regen if necessary
-if [ -f "/config/keys/letsencrypt/chain.pem" ] && { [ "${CERTPROVIDER}" == "letsencrypt" ] || [ "${CERTPROVIDER}" == "" ]; } && [ "${STAGING}" != "true" ] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
-    echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
-    REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
-    if [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]]; then
-        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
-    fi
-    rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
-fi
-
-# generating certs if necessary
-if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
-    if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then
-        echo "Retrieving EAB from ZeroSSL"
-        EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL")
-        ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
-        ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
-        if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then
-            echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
-            sleep infinity
-        fi
-        ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}"
-    fi
-    echo "Generating new certificate"
-    # shellcheck disable=SC2086
-    certbot certonly --non-interactive --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL
-    if [ ! -d /config/keys/letsencrypt ]; then
-        if [ "$VALIDATION" = "dns" ]; then
-            echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
-        else
-            echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
-        fi
-        sleep infinity
-    fi
-    run-parts /config/etc/letsencrypt/renewal-hooks/deploy/
-    echo "New certificate generated; starting nginx"
-else
-    echo "Certificate exists; parameters unchanged; starting nginx"
-fi
-
-# if certbot generated key exists, remove self-signed cert and replace it with symlink to live cert
-if [ -d /config/keys/letsencrypt ]; then
-    rm -rf /config/keys/cert.crt
-    ln -s ./letsencrypt/fullchain.pem /config/keys/cert.crt
-    rm -rf /config/keys/cert.key
-    ln -s ./letsencrypt/privkey.pem /config/keys/cert.key
-fi

root/etc/s6-overlay/s6-rc.d/init-certbot-config/run

@@ -0,0 +1,333 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+# Display variables for troubleshooting
+echo -e "Variables set:\\n\
+PUID=${PUID}\\n\
+PGID=${PGID}\\n\
+TZ=${TZ}\\n\
+URL=${URL}\\n\
+SUBDOMAINS=${SUBDOMAINS}\\n\
+EXTRA_DOMAINS=${EXTRA_DOMAINS}\\n\
+ONLY_SUBDOMAINS=${ONLY_SUBDOMAINS}\\n\
+VALIDATION=${VALIDATION}\\n\
+CERTPROVIDER=${CERTPROVIDER}\\n\
+DNSPLUGIN=${DNSPLUGIN}\\n\
+EMAIL=${EMAIL}\\n\
+STAGING=${STAGING}\\n"
+
+# Sanitize variables
+SANED_VARS=(DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER)
+for i in "${SANED_VARS[@]}"; do
+    export echo "${i}"="${!i//\"/}"
+    export echo "${i}"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
+done
+
+# check to make sure DNSPLUGIN is selected if dns validation is used
+if [[ "${VALIDATION}" = "dns" ]] && [[ ! "${DNSPLUGIN}" =~ ^(acmedns|aliyun|azure|cloudflare|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|do|domeneshop|duckdns|dynu|gandi|gehirn|godaddy|google|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then
+    echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details."
+    sleep infinity
+fi
+
+# copy dns default configs
+cp -n /defaults/dns-conf/* /config/dns-conf/
+lsiown -R abc:abc /config/dns-conf
+
+# copy default renewal hooks
+chmod -R +x /defaults/etc/letsencrypt/renewal-hooks
+cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/
+lsiown -R abc:abc /config/etc/letsencrypt/renewal-hooks
+
+# replace nginx service location in renewal hooks
+find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|/run/service/nginx|/run/service/svc-nginx|g' {} \;
+find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|/var/run/s6/services/nginx|/run/service/svc-nginx|g' {} \;
+
+# create original config file if it doesn't exist, move non-hidden legacy file to hidden
+if [[ -f "/config/donoteditthisfile.conf" ]]; then
+    mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
+fi
+if [[ ! -f "/config/.donoteditthisfile.conf" ]]; then
+    echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
+    echo "Created .donoteditthisfile.conf"
+fi
+
+# load original config settings
+# shellcheck source=/dev/null
+. /config/.donoteditthisfile.conf
+
+# setting ORIGDOMAIN for use in revoke sections
+if [[ "${ORIGONLY_SUBDOMAINS}" = "true" ]] && [[ ! "${ORIGSUBDOMAINS}" = "wildcard" ]]; then
+    ORIGDOMAIN="$(echo "${ORIGSUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
+else
+    ORIGDOMAIN="${ORIGURL}"
+fi
+
+# update plugin names in dns conf inis
+sed -i 's|^certbot[-_]dns[-_]aliyun:||g' /config/dns-conf/aliyun.ini
+sed -i 's|^certbot[-_]dns[-_]cpanel:||g' /config/dns-conf/cpanel.ini
+sed -i 's|^dns[-_]cpanel[-_]|cpanel_|g' /config/dns-conf/cpanel.ini
+sed -i 's|^directadmin[-_]|dns_directadmin_|g' /config/dns-conf/directadmin.ini
+sed -i 's|^certbot[-_]dns[-_]domeneshop:||g' /config/dns-conf/domeneshop.ini
+sed -i 's|^certbot[-_]plugin[-_]gandi:dns[-_]|dns_gandi_|g' /config/dns-conf/gandi.ini
+sed -i 's|^certbot[-_]dns[-_]inwx:||g' /config/dns-conf/inwx.ini
+sed -i 's|^certbot[-_]dns[-_]transip:||g' /config/dns-conf/transip.ini
+
+# update plugin names in renewal conf
+if [[ -f "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf" ]] && [[ "${ORIGVALIDATION}" = "dns" ]]; then
+    if [[ "${ORIGDNSPLUGIN}" =~ ^(aliyun)$ ]]; then
+        sed -i 's|^authenticator = certbot[-_]dns[-_]aliyun:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+        sed -i 's|^certbot[-_]dns[-_]aliyun:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+    fi
+    if [[ "${ORIGDNSPLUGIN}" =~ ^(cpanel)$ ]]; then
+        sed -i 's|^authenticator = certbot[-_]dns[-_]cpanel:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+        sed -i 's|^certbot[-_]dns[-_]cpanel:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+        sed -i 's|^authenticator = dns[-_]cpanel|authenticator = cpanel|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+        sed -i 's|^dns[-_]cpanel[-_]|cpanel_|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+    fi
+    if [[ "${ORIGDNSPLUGIN}" =~ ^(directadmin)$ ]]; then
+        sed -i 's|^authenticator = directadmin|authenticator = dns-directadmin|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+        sed -i 's|^directadmin[-_]|dns_directadmin_|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+    fi
+    if [[ "${ORIGDNSPLUGIN}" =~ ^(domeneshop)$ ]]; then
+        sed -i 's|^authenticator = certbot[-_]dns[-_]domeneshop:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+        sed -i 's|^certbot[-_]dns[-_]domeneshop:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+    fi
+    if [[ "${ORIGDNSPLUGIN}" =~ ^(gandi)$ ]]; then
+        sed -i 's|^authenticator = certbot[-_]plugin[-_]gandi:dns|authenticator = dns-gandi|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+        sed -i 's|^certbot[-_]plugin[-_]gandi:dns[-_]|dns_gandi_|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+    fi
+    if [[ "${ORIGDNSPLUGIN}" =~ ^(inwx)$ ]]; then
+        sed -i 's|^authenticator = certbot[-_]dns[-_]inwx:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+        sed -i 's|^certbot[-_]dns[-_]inwx:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+    fi
+    if [[ "${ORIGDNSPLUGIN}" =~ ^(transip)$ ]]; then
+        sed -i 's|^authenticator = certbot[-_]dns[-_]transip:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+        sed -i 's|^certbot[-_]dns[-_]transip:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+    fi
+fi
+
+# set default validation to http
+if [[ -z "${VALIDATION}" ]]; then
+    VALIDATION="http"
+    echo "VALIDATION parameter not set; setting it to http"
+fi
+
+# set duckdns validation to dns
+if [[ "${VALIDATION}" = "duckdns" ]]; then
+    VALIDATION="dns"
+    DNSPLUGIN="duckdns"
+    if [[ -n "${DUCKDNSTOKEN}" ]] && ! grep -q "dns_duckdns_token=${DUCKDNSTOKEN}$" /config/dns-conf/duckdns.ini; then
+        sed -i "s|^dns_duckdns_token=.*|dns_duckdns_token=${DUCKDNSTOKEN}|g" /config/dns-conf/duckdns.ini
+    fi
+fi
+if [[ "${VALIDATION}" = "dns" ]] && [[ "${DNSPLUGIN}" = "duckdns" ]]; then
+    if [[ "${SUBDOMAINS}" = "wildcard" ]]; then
+        echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
+        export ONLY_SUBDOMAINS=true
+    else
+        echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org"
+        export SUBDOMAINS=""
+    fi
+    export EXTRA_DOMAINS=""
+fi
+
+# setting the symlink for key location
+rm -rf /config/keys/letsencrypt
+if [[ "${ONLY_SUBDOMAINS}" = "true" ]] && [[ ! "${SUBDOMAINS}" = "wildcard" ]]; then
+    DOMAIN="$(echo "${SUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${URL}"
+    ln -s ../etc/letsencrypt/live/"${DOMAIN}" /config/keys/letsencrypt
+else
+    ln -s ../etc/letsencrypt/live/"${URL}" /config/keys/letsencrypt
+fi
+
+# checking for changes in cert variables, revoking certs if necessary
+if [[ ! "${URL}" = "${ORIGURL}" ]] ||
+    [[ ! "${SUBDOMAINS}" = "${ORIGSUBDOMAINS}" ]] ||
+    [[ ! "${ONLY_SUBDOMAINS}" = "${ORIGONLY_SUBDOMAINS}" ]] ||
+    [[ ! "${EXTRA_DOMAINS}" = "${ORIGEXTRA_DOMAINS}" ]] ||
+    [[ ! "${VALIDATION}" = "${ORIGVALIDATION}" ]] ||
+    [[ ! "${DNSPLUGIN}" = "${ORIGDNSPLUGIN}" ]] ||
+    [[ ! "${PROPAGATION}" = "${ORIGPROPAGATION}" ]] ||
+    [[ ! "${STAGING}" = "${ORIGSTAGING}" ]] ||
+    [[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]]; then
+    echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
+    if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]] && [[ -n "${ORIGEMAIL}" ]]; then
+        REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${ORIGEMAIL}")
+        REV_ZEROSSL_EAB_KID=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
+        REV_ZEROSSL_EAB_HMAC_KEY=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
+        if [[ -z "${REV_ZEROSSL_EAB_KID}" ]] || [[ -z "${REV_ZEROSSL_EAB_HMAC_KEY}" ]]; then
+            echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
+            sleep infinity
+        fi
+        REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}"
+    elif [[ "${ORIGSTAGING}" = "true" ]]; then
+        REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
+    else
+        REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
+    fi
+    if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
+        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER} || true
+    fi
+    rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
+fi
+
+# saving new variables
+echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
+
+# Check if the cert is using the old LE root cert, revoke and regen if necessary
+if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "letsencrypt" ]] || [[ "${CERTPROVIDER}" == "" ]]; } && [[ "${STAGING}" != "true" ]] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
+    echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
+    REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
+    if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
+        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER} || true
+    fi
+    rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
+fi
+
+# if zerossl is selected or staging is set to true, use the relevant server
+if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ "${STAGING}" = "true" ]]; then
+    echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
+fi
+if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then
+    echo "ZeroSSL is selected as the cert provider, registering cert with ${EMAIL}"
+    ACMESERVER="https://acme.zerossl.com/v2/DV90"
+elif [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -z "${EMAIL}" ]]; then
+    echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable"
+    sleep infinity
+elif [[ "${STAGING}" = "true" ]]; then
+    echo "NOTICE: Staging is active"
+    echo "Using Let's Encrypt as the cert provider"
+    ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
+else
+    echo "Using Let's Encrypt as the cert provider"
+    ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
+fi
+
+# figuring out url only vs url & subdomains vs subdomains only
+if [[ -n "${SUBDOMAINS}" ]]; then
+    echo "SUBDOMAINS entered, processing"
+    if [[ "${SUBDOMAINS}" = "wildcard" ]]; then
+        if [[ "${ONLY_SUBDOMAINS}" = true ]]; then
+            export URL_REAL="-d *.${URL}"
+            echo "Wildcard cert for only the subdomains of ${URL} will be requested"
+        else
+            export URL_REAL="-d *.${URL} -d ${URL}"
+            echo "Wildcard cert for ${URL} will be requested"
+        fi
+    else
+        echo "SUBDOMAINS entered, processing"
+        for job in $(echo "${SUBDOMAINS}" | tr "," " "); do
+            export SUBDOMAINS_REAL="${SUBDOMAINS_REAL} -d ${job}.${URL}"
+        done
+        if [[ "${ONLY_SUBDOMAINS}" = true ]]; then
+            URL_REAL="${SUBDOMAINS_REAL}"
+            echo "Only subdomains, no URL in cert"
+        else
+            URL_REAL="-d ${URL}${SUBDOMAINS_REAL}"
+        fi
+        echo "Sub-domains processed are: ${SUBDOMAINS_REAL}"
+    fi
+else
+    echo "No subdomains defined"
+    URL_REAL="-d ${URL}"
+fi
+
+# add extra domains
+if [[ -n "${EXTRA_DOMAINS}" ]]; then
+    echo "EXTRA_DOMAINS entered, processing"
+    for job in $(echo "${EXTRA_DOMAINS}" | tr "," " "); do
+        export EXTRA_DOMAINS_REAL="${EXTRA_DOMAINS_REAL} -d ${job}"
+    done
+    echo "Extra domains processed are: ${EXTRA_DOMAINS_REAL}"
+    URL_REAL="${URL_REAL} ${EXTRA_DOMAINS_REAL}"
+fi
+
+# figuring out whether to use e-mail and which
+if [[ ${EMAIL} == *@* ]]; then
+    echo "E-mail address entered: ${EMAIL}"
+    EMAILPARAM="-m ${EMAIL} --no-eff-email"
+else
+    echo "No e-mail address entered or address invalid"
+    EMAILPARAM="--register-unsafely-without-email"
+fi
+
+# alter extension for error message
+if [[ "${DNSPLUGIN}" = "google" ]]; then
+    DNSCREDENTIALFILE="/config/dns-conf/${DNSPLUGIN}.json"
+else
+    DNSCREDENTIALFILE="/config/dns-conf/${DNSPLUGIN}.ini"
+fi
+
+# setting the validation method to use
+if [[ "${VALIDATION}" = "dns" ]]; then
+    AUTHENTICATORPARAM="--authenticator dns-${DNSPLUGIN}"
+    DNSCREDENTIALSPARAM="--dns-${DNSPLUGIN}-credentials ${DNSCREDENTIALFILE}"
+    if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+
+    # plugins that don't support setting credentials file
+    if [[ "${DNSPLUGIN}" =~ ^(route53|standalone)$ ]]; then
+        DNSCREDENTIALSPARAM=""
+    fi
+    # plugins that don't support setting propagation
+    if [[ "${DNSPLUGIN}" =~ ^(azure|gandi|standalone)$ ]]; then
+        if [[ -n "${PROPAGATION}" ]]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi
+        PROPAGATIONPARAM=""
+    fi
+    # plugins that use old parameter naming convention
+    if [[ "${DNSPLUGIN}" =~ ^(cpanel)$ ]]; then
+        AUTHENTICATORPARAM="--authenticator ${DNSPLUGIN}"
+        DNSCREDENTIALSPARAM="--${DNSPLUGIN}-credentials ${DNSCREDENTIALFILE}"
+        if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+    fi
+    # don't restore txt records when using DuckDNS plugin
+    if [[ "${DNSPLUGIN}" =~ ^(duckdns)$ ]]; then
+        AUTHENTICATORPARAM="${AUTHENTICATORPARAM} --dns-${DNSPLUGIN}-no-txt-restore"
+    fi
+
+    PREFCHAL="${AUTHENTICATORPARAM} ${DNSCREDENTIALSPARAM} ${PROPAGATIONPARAM}"
+    echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
+elif [[ "${VALIDATION}" = "tls-sni" ]]; then
+    PREFCHAL="--standalone --preferred-challenges http"
+    echo "*****tls-sni validation has been deprecated, attempting http validation instead"
+else
+    PREFCHAL="--standalone --preferred-challenges http"
+    echo "http validation is selected"
+fi
+
+# generating certs if necessary
+if [[ ! -f "/config/keys/letsencrypt/fullchain.pem" ]]; then
+    if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then
+        echo "Retrieving EAB from ZeroSSL"
+        EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${EMAIL}")
+        ZEROSSL_EAB_KID=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
+        ZEROSSL_EAB_HMAC_KEY=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
+        if [[ -z "${ZEROSSL_EAB_KID}" ]] || [[ -z "${ZEROSSL_EAB_HMAC_KEY}" ]]; then
+            echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
+            sleep infinity
+        fi
+        ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}"
+    fi
+    echo "Generating new certificate"
+    # shellcheck disable=SC2086
+    certbot certonly --non-interactive --renew-by-default --server ${ACMESERVER} ${ZEROSSL_EAB} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${URL_REAL}
+    if [[ ! -d /config/keys/letsencrypt ]]; then
+        if [[ "${VALIDATION}" = "dns" ]]; then
+            echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the ${DNSCREDENTIALFILE} file."
+        else
+            echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
+        fi
+        sleep infinity
+    fi
+    run-parts /config/etc/letsencrypt/renewal-hooks/deploy/
+    echo "New certificate generated; starting nginx"
+else
+    echo "Certificate exists; parameters unchanged; starting nginx"
+fi
+
+# if certbot generated key exists, remove self-signed cert and replace it with symlink to live cert
+if [[ -d /config/keys/letsencrypt ]]; then
+    rm -rf /config/keys/cert.crt
+    ln -s ./letsencrypt/fullchain.pem /config/keys/cert.crt
+    rm -rf /config/keys/cert.key
+    ln -s ./letsencrypt/privkey.pem /config/keys/cert.key
+fi

root/etc/s6-overlay/s6-rc.d/init-certbot-config/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-certbot-config/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-certbot-config/run

root/etc/s6-overlay/s6-rc.d/init-crontabs-config/run

@@ -0,0 +1,17 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+# if root crontabs do not exist in config
+# copy root crontab from system
+if [[ ! -f /config/crontabs/root ]] && crontab -l -u root; then
+    crontab -l -u root >/config/crontabs/root
+fi
+
+# if root crontabs still do not exist in config (were not copied from system)
+# copy root crontab from included defaults
+if [[ ! -f /config/crontabs/root ]]; then
+    cp /etc/crontabs/root /config/crontabs/
+fi
+
+# import user crontabs
+crontab -u root /config/crontabs/root

root/etc/s6-overlay/s6-rc.d/init-crontabs-config/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-crontabs-config/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-crontabs-config/run

root/etc/s6-overlay/s6-rc.d/init-fail2ban-config/run

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # copy/update the fail2ban config defaults to/in /config
 cp -R /defaults/fail2ban/filter.d /config/fail2ban/

root/etc/s6-overlay/s6-rc.d/init-fail2ban-config/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-fail2ban-config/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-fail2ban-config/run

root/etc/s6-overlay/s6-rc.d/init-folders-config/run

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # make our folders and links
 mkdir -p \

root/etc/s6-overlay/s6-rc.d/init-folders-config/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-folders-config/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-folders-config/run

root/etc/s6-overlay/s6-rc.d/init-nginx-config/run

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # copy default config files if they don't exist
 if [[ ! -f /config/nginx/proxy.conf ]]; then

root/etc/s6-overlay/s6-rc.d/init-nginx-config/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-nginx-config/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-nginx-config/run

root/etc/s6-overlay/s6-rc.d/init-outdated-config/run

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 if [[ -f /config/nginx/geoip2.conf ]]; then
     echo "/config/nginx/geoip2.conf exists.

root/etc/s6-overlay/s6-rc.d/init-outdated-config/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-outdated-config/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-outdated-config/run

root/etc/s6-overlay/s6-rc.d/init-permissions-config/run

@@ -1,7 +1,8 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # permissions
-chown -R abc:abc \
+lsiown -R abc:abc \
     /config
 chmod -R 0644 /etc/logrotate.d
 chmod -R +r /config/log

root/etc/s6-overlay/s6-rc.d/init-permissions-config/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-permissions-config/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-permissions-config/run

root/etc/s6-overlay/s6-rc.d/init-renew/run

@@ -1,7 +1,8 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # Check if the cert is expired or expires within a day, if so, renew
-if openssl x509 -in /config/keys/letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then 
+if openssl x509 -in /config/keys/letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then
     echo "The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am)."
 else
     echo "The cert is either expired or it expires within the next day. Attempting to renew. This could take up to 10 minutes."

root/etc/s6-overlay/s6-rc.d/init-renew/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-renew/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-renew/run

root/etc/s6-overlay/s6-rc.d/init-require-url/run

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # check to make sure that the required variables are set
 if [[ -z "${URL}" ]]; then

root/etc/s6-overlay/s6-rc.d/init-require-url/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-require-url/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-require-url/run

root/etc/s6-overlay/s6-rc.d/init-samples-config/run

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # samples are removed on init by the nginx base
 

root/etc/s6-overlay/s6-rc.d/init-samples-config/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-samples-config/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-samples-config/run

root/etc/s6-overlay/s6-rc.d/init-test-run/run

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # Echo init finish for test runs
 if [[ -n "${TEST_RUN}" ]]; then

root/etc/s6-overlay/s6-rc.d/init-test-run/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-test-run/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-test-run/run

root/etc/s6-overlay/s6-rc.d/svc-fail2ban/run

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 exec \
     fail2ban-client -x -f start

root/etc/s6-overlay/s6-rc.d/svc-fail2ban/type

@@ -0,0 +1 @@
+longrun