Bot Updating Package Versions

add new dns methods, check confs, add workflows

.github/workflows/external_trigger.yml

@@ -0,0 +1,90 @@
+name: External Trigger Main
+
+on:
+  workflow_dispatch:
+
+jobs:
+  external-trigger-master:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2.3.3
+
+      - name: External Trigger
+        if: github.ref == 'refs/heads/master'
+        run: |
+          if [ -n "${{ secrets.PAUSE_EXTERNAL_TRIGGER_SWAG_MASTER }}" ]; then
+            echo "**** Github secret PAUSE_EXTERNAL_TRIGGER_SWAG_MASTER is set; skipping trigger. ****"
+            exit 0
+          fi
+          echo "**** External trigger running off of master branch. To disable this trigger, set a Github secret named \"PAUSE_EXTERNAL_TRIGGER_SWAG_MASTER\". ****"
+          echo "**** Retrieving external version ****"
+          EXT_RELEASE=$(curl -sL "https://pypi.python.org/pypi/certbot/json" |jq -r '. | .info.version')
+          if [ -z "${EXT_RELEASE}" ] || [ "${EXT_RELEASE}" == "null" ]; then
+            echo "**** Can't retrieve external version, exiting ****"
+            FAILURE_REASON="Can't retrieve external version for swag branch master"
+            curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 16711680,
+              "description": "**Trigger Failed** \n**Reason:** '"${FAILURE_REASON}"' \n"}],
+              "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
+            exit 1
+          fi
+          echo "**** External version: ${EXT_RELEASE} ****"
+          echo "**** Retrieving last pushed version ****"
+          image="linuxserver/swag"
+          tag="latest"
+          token=$(curl -sX GET \
+            "https://ghcr.io/token?scope=repository%3Alinuxserver%2Fswag%3Apull" \
+            | jq -r '.token')
+            multidigest=$(curl -s \
+              --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
+              --header "Authorization: Bearer ${token}" \
+              "https://ghcr.io/v2/${image}/manifests/${tag}" \
+              | jq -r 'first(.manifests[].digest)')
+            digest=$(curl -s \
+              --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
+              --header "Authorization: Bearer ${token}" \
+              "https://ghcr.io/v2/${image}/manifests/${multidigest}" \
+              | jq -r '.config.digest')
+          image_info=$(curl -sL \
+            --header "Authorization: Bearer ${token}" \
+            "https://ghcr.io/v2/${image}/blobs/${digest}" \
+            | jq -r '.container_config')
+          IMAGE_RELEASE=$(echo ${image_info} | jq -r '.Labels.build_version' | awk '{print $3}')
+          IMAGE_VERSION=$(echo ${IMAGE_RELEASE} | awk -F'-ls' '{print $1}')
+          if [ -z "${IMAGE_VERSION}" ]; then
+            echo "**** Can't retrieve last pushed version, exiting ****"
+            FAILURE_REASON="Can't retrieve last pushed version for swag tag latest"
+            curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 16711680,
+              "description": "**Trigger Failed** \n**Reason:** '"${FAILURE_REASON}"' \n"}],
+              "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
+            exit 1
+          fi
+          echo "**** Last pushed version: ${IMAGE_VERSION} ****"
+          if [ "${EXT_RELEASE}" == "${IMAGE_VERSION}" ]; then
+            echo "**** Version ${EXT_RELEASE} already pushed, exiting ****"
+            exit 0
+          elif [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then
+            echo "**** New version ${EXT_RELEASE} found; but there already seems to be an active build on Jenkins; exiting ****"
+            exit 0
+          else
+            echo "**** New version ${EXT_RELEASE} found; old version was ${IMAGE_VERSION}. Triggering new build ****"
+            response=$(curl -iX POST \
+              https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/buildWithParameters?PACKAGE_CHECK=false \
+              --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|")
+            echo "**** Jenkins job queue url: ${response%$'\r'} ****"
+            echo "**** Sleeping 10 seconds until job starts ****"
+            sleep 10
+            buildurl=$(curl -s "${response%$'\r'}api/json" | jq -r '.executable.url')
+            buildurl="${buildurl%$'\r'}"
+            echo "**** Jenkins job build url: ${buildurl} ****"
+            echo "**** Attempting to change the Jenkins job description ****"
+            curl -iX POST \
+              "${buildurl}submitDescription" \
+              --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \
+              --data-urlencode "description=GHA external trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
+              --data-urlencode "Submit=Submit"
+            echo "**** Notifying Discord ****"
+            TRIGGER_REASON="A version change was detected for swag tag latest. Old version:${IMAGE_VERSION} New version:${EXT_RELEASE}"
+            curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903,
+              "description": "**Build Triggered** \n**Reason:** '"${TRIGGER_REASON}"' \n**Build URL:** '"${buildurl}display/redirect"' \n"}],
+              "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
+          fi

.github/workflows/external_trigger_scheduler.yml

@@ -0,0 +1,43 @@
+name: External Trigger Scheduler
+
+on:
+  schedule:
+    - cron:  '50 * * * *'
+  workflow_dispatch:
+
+jobs:
+  external-trigger-scheduler:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2.3.3
+        with:
+          fetch-depth: '0'
+        
+      - name: External Trigger Scheduler
+        run: |
+          echo "**** Branches found: ****"
+          git for-each-ref --format='%(refname:short)' refs/remotes
+          echo "**** Pulling the yq docker image ****"
+          docker pull ghcr.io/linuxserver/yq
+          for br in $(git for-each-ref --format='%(refname:short)' refs/remotes)
+          do
+            br=$(echo "$br" | sed 's|origin/||g')
+            echo "**** Evaluating branch ${br} ****"
+            ls_branch=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/jenkins-vars.yml \
+              | docker run --rm -i --entrypoint yq ghcr.io/linuxserver/yq -r .ls_branch)
+            if [ "$br" == "$ls_branch" ]; then
+              echo "**** Branch ${br} appears to be live; checking workflow. ****"
+              if curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/.github/workflows/external_trigger.yml > /dev/null 2>&1; then
+                echo "**** Workflow exists. Triggering external trigger workflow for branch ${br} ****."
+                curl -iX POST \
+                  -H "Authorization: token ${{ secrets.CR_PAT }}" \
+                  -H "Accept: application/vnd.github.v3+json" \
+                  -d "{\"ref\":\"refs/heads/${br}\"}" \
+                  https://api.github.com/repos/linuxserver/docker-swag/actions/workflows/external_trigger.yml/dispatches
+              else
+                echo "**** Workflow doesn't exist; skipping trigger. ****"
+              fi
+            else
+              echo "**** ${br} appears to be a dev branch; skipping trigger. ****"
+            fi
+          done

.github/workflows/package_trigger.yml

@@ -0,0 +1,38 @@
+name: Package Trigger Main
+
+on:
+  workflow_dispatch:
+
+jobs:
+  package-trigger-master:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2.3.3
+
+      - name: Package Trigger
+        if: github.ref == 'refs/heads/master'
+        run: |
+          if [ -n "${{ secrets.PAUSE_PACKAGE_TRIGGER_SWAG_MASTER }}" ]; then
+            echo "**** Github secret PAUSE_PACKAGE_TRIGGER_SWAG_MASTER is set; skipping trigger. ****"
+            exit 0
+          fi
+          if [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then
+            echo "**** There already seems to be an active build on Jenkins; skipping package trigger ****"
+            exit 0
+          fi
+          echo "**** Package trigger running off of master branch. To disable, set a Github secret named \"PAUSE_PACKAGE_TRIGGER_SWAG_MASTER\". ****"
+          response=$(curl -iX POST \
+            https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/buildWithParameters?PACKAGE_CHECK=true \
+            --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|")
+          echo "**** Jenkins job queue url: ${response%$'\r'} ****"
+          echo "**** Sleeping 10 seconds until job starts ****"
+          sleep 10
+          buildurl=$(curl -s "${response%$'\r'}api/json" | jq -r '.executable.url')
+          buildurl="${buildurl%$'\r'}"
+          echo "**** Jenkins job build url: ${buildurl} ****"
+          echo "**** Attempting to change the Jenkins job description ****"
+          curl -iX POST \
+            "${buildurl}submitDescription" \
+            --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \
+            --data-urlencode "description=GHA package trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
+            --data-urlencode "Submit=Submit"

.github/workflows/package_trigger_scheduler.yml

@@ -0,0 +1,50 @@
+name: Package Trigger Scheduler
+
+on:
+  schedule:
+    - cron:  '55 13 * * 5'
+  workflow_dispatch:
+
+jobs:
+  package-trigger-scheduler:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2.3.3
+        with:
+          fetch-depth: '0'
+        
+      - name: Package Trigger Scheduler
+        run: |
+          echo "**** Branches found: ****"
+          git for-each-ref --format='%(refname:short)' refs/remotes
+          echo "**** Pulling the yq docker image ****"
+          docker pull ghcr.io/linuxserver/yq
+          for br in $(git for-each-ref --format='%(refname:short)' refs/remotes)
+          do
+            br=$(echo "$br" | sed 's|origin/||g')
+            echo "**** Evaluating branch ${br} ****"
+            ls_branch=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/jenkins-vars.yml \
+              | docker run --rm -i --entrypoint yq ghcr.io/linuxserver/yq -r .ls_branch)
+            if [ "${br}" == "${ls_branch}" ]; then
+              echo "**** Branch ${br} appears to be live; checking workflow. ****"
+              if curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/.github/workflows/package_trigger.yml > /dev/null 2>&1; then
+                echo "**** Workflow exists. Triggering package trigger workflow for branch ${br}. ****"
+                triggered_branches="${triggered_branches}${br} "
+                curl -iX POST \
+                  -H "Authorization: token ${{ secrets.CR_PAT }}" \
+                  -H "Accept: application/vnd.github.v3+json" \
+                  -d "{\"ref\":\"refs/heads/${br}\"}" \
+                  https://api.github.com/repos/linuxserver/docker-swag/actions/workflows/package_trigger.yml/dispatches
+                sleep 30
+              else
+                echo "**** Workflow doesn't exist; skipping trigger. ****"
+              fi
+            else
+              echo "**** ${br} appears to be a dev branch; skipping trigger. ****"
+            fi
+          done
+          echo "**** Package check build(s) triggered for branch(es): ${triggered_branches} ****"
+          echo "**** Notifying Discord ****"
+          curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903,
+            "description": "**Package Check Build(s) Triggered for swag** \n**Branch(es):** '"${triggered_branches}"' \n**Build URL:** '"https://ci.linuxserver.io/blue/organizations/jenkins/Docker-Pipeline-Builders%2Fdocker-swag/activity/"' \n"}],
+            "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}

Dockerfile

@@ -1,4 +1,4 @@
-FROM lsiobase/nginx:3.12
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.12
 
 # set version label
 ARG BUILD_DATE
@@ -107,6 +107,7 @@ RUN \
 	certbot-dns-inwx \
 	certbot-dns-linode \
 	certbot-dns-luadns \
+	certbot-dns-netcup \
 	certbot-dns-nsone \
 	certbot-dns-ovh \
 	certbot-dns-rfc2136 \

Dockerfile.aarch64

@@ -1,4 +1,4 @@
-FROM lsiobase/nginx:arm64v8-3.12
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.12
 
 # set version label
 ARG BUILD_DATE
@@ -107,6 +107,7 @@ RUN \
 	certbot-dns-inwx \
 	certbot-dns-linode \
 	certbot-dns-luadns \
+	certbot-dns-netcup \
 	certbot-dns-nsone \
 	certbot-dns-ovh \
 	certbot-dns-rfc2136 \

Dockerfile.armhf

@@ -1,4 +1,4 @@
-FROM lsiobase/nginx:arm32v7-3.12
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm32v7-3.12
 
 # set version label
 ARG BUILD_DATE
@@ -107,6 +107,7 @@ RUN \
 	certbot-dns-inwx \
 	certbot-dns-linode \
 	certbot-dns-luadns \
+	certbot-dns-netcup \
 	certbot-dns-nsone \
 	certbot-dns-ovh \
 	certbot-dns-rfc2136 \

Jenkinsfile

@@ -42,7 +42,7 @@ pipeline {
         script{
           env.EXIT_STATUS = ''
           env.LS_RELEASE = sh(
-            script: '''docker run --rm alexeiled/skopeo sh -c 'skopeo inspect docker://docker.io/'${DOCKERHUB_IMAGE}':latest 2>/dev/null' | jq -r '.Labels.build_version' | awk '{print $3}' | grep '\\-ls' || : ''',
+            script: '''docker run --rm ghcr.io/linuxserver/alexeiled-skopeo sh -c 'skopeo inspect docker://docker.io/'${DOCKERHUB_IMAGE}':latest 2>/dev/null' | jq -r '.Labels.build_version' | awk '{print $3}' | grep '\\-ls' || : ''',
             returnStdout: true).trim()
           env.LS_RELEASE_NOTES = sh(
             script: '''cat readme-vars.yml | awk -F \\" '/date: "[0-9][0-9].[0-9][0-9].[0-9][0-9]:/ {print $4;exit;}' | sed -E ':a;N;$!ba;s/\\r{0,1}\\n/\\\\n/g' ''',
@@ -128,7 +128,7 @@ pipeline {
       steps {
         script{
           env.IMAGE = env.DOCKERHUB_IMAGE
-          env.GITHUBIMAGE = 'docker.pkg.github.com/' + env.LS_USER + '/' + env.LS_REPO + '/' + env.CONTAINER_NAME
+          env.GITHUBIMAGE = 'ghcr.io/' + env.LS_USER + '/' + env.CONTAINER_NAME
           env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/' + env.CONTAINER_NAME
           if (env.MULTIARCH == 'true') {
             env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER
@@ -149,7 +149,7 @@ pipeline {
       steps {
         script{
           env.IMAGE = env.DEV_DOCKERHUB_IMAGE
-          env.GITHUBIMAGE = 'docker.pkg.github.com/' + env.LS_USER + '/' + env.LS_REPO + '/lsiodev-' + env.CONTAINER_NAME
+          env.GITHUBIMAGE = 'ghcr.io/' + env.LS_USER + '/lsiodev-' + env.CONTAINER_NAME
           env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/lsiodev-' + env.CONTAINER_NAME
           if (env.MULTIARCH == 'true') {
             env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA
@@ -170,7 +170,7 @@ pipeline {
       steps {
         script{
           env.IMAGE = env.PR_DOCKERHUB_IMAGE
-          env.GITHUBIMAGE = 'docker.pkg.github.com/' + env.LS_USER + '/' + env.LS_REPO + '/lspipepr-' + env.CONTAINER_NAME
+          env.GITHUBIMAGE = 'ghcr.io/' + env.LS_USER + '/lspipepr-' + env.CONTAINER_NAME
           env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/lspipepr-' + env.CONTAINER_NAME
           if (env.MULTIARCH == 'true') {
             env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST
@@ -191,24 +191,24 @@ pipeline {
       }
       steps {
         withCredentials([
-          string(credentialsId: 'spaces-key', variable: 'DO_KEY'),
-          string(credentialsId: 'spaces-secret', variable: 'DO_SECRET')
+          string(credentialsId: 'ci-tests-s3-key-id', variable: 'S3_KEY'),
+          string(credentialsId: 'ci-tests-s3-secret-access-key', variable: 'S3_SECRET')
         ]) {
           script{
-            env.SHELLCHECK_URL = 'https://lsio-ci.ams3.digitaloceanspaces.com/' + env.IMAGE + '/' + env.META_TAG + '/shellcheck-result.xml'
+            env.SHELLCHECK_URL = 'https://ci-tests.linuxserver.io/' + env.IMAGE + '/' + env.META_TAG + '/shellcheck-result.xml'
           }
           sh '''curl -sL https://raw.githubusercontent.com/linuxserver/docker-shellcheck/master/checkrun.sh | /bin/bash'''
           sh '''#! /bin/bash
                 set -e
-                docker pull lsiodev/spaces-file-upload:latest
+                docker pull ghcr.io/linuxserver/lsiodev-spaces-file-upload:latest
                 docker run --rm \
                 -e DESTINATION=\"${IMAGE}/${META_TAG}/shellcheck-result.xml\" \
                 -e FILE_NAME="shellcheck-result.xml" \
                 -e MIMETYPE="text/xml" \
                 -v ${WORKSPACE}:/mnt \
-                -e SECRET_KEY=\"${DO_SECRET}\" \
-                -e ACCESS_KEY=\"${DO_KEY}\" \
-                -t lsiodev/spaces-file-upload:latest \
+                -e SECRET_KEY=\"${S3_SECRET}\" \
+                -e ACCESS_KEY=\"${S3_KEY}\" \
+                -t ghcr.io/linuxserver/lsiodev-spaces-file-upload:latest \
                 python /upload.py'''
         }
       }
@@ -226,8 +226,8 @@ pipeline {
         sh '''#! /bin/bash
               set -e
               TEMPDIR=$(mktemp -d)
-              docker pull linuxserver/jenkins-builder:latest
-              docker run --rm -e CONTAINER_NAME=${CONTAINER_NAME} -e GITHUB_BRANCH=master -v ${TEMPDIR}:/ansible/jenkins linuxserver/jenkins-builder:latest 
+              docker pull ghcr.io/linuxserver/jenkins-builder:latest
+              docker run --rm -e CONTAINER_NAME=${CONTAINER_NAME} -e GITHUB_BRANCH=master -v ${TEMPDIR}:/ansible/jenkins ghcr.io/linuxserver/jenkins-builder:latest 
               CURRENTHASH=$(grep -hs ^ ${TEMPLATED_FILES} | md5sum | cut -c1-8)
               cd ${TEMPDIR}/docker-${CONTAINER_NAME}
               NEWHASH=$(grep -hs ^ ${TEMPLATED_FILES} | md5sum | cut -c1-8)
@@ -332,28 +332,19 @@ pipeline {
             label 'ARMHF'
           }
           steps {
-            withCredentials([
-              [
-                $class: 'UsernamePasswordMultiBinding',
-                credentialsId: '3f9ba4d5-100d-45b0-a3c4-633fd6061207',
-                usernameVariable: 'DOCKERUSER',
-                passwordVariable: 'DOCKERPASS'
-              ]
-            ]) {
-              echo 'Logging into DockerHub'
-              sh '''#! /bin/bash
-                 echo $DOCKERPASS | docker login -u $DOCKERUSER --password-stdin
-                 '''
-              sh "docker build --no-cache --pull -f Dockerfile.armhf -t ${IMAGE}:arm32v7-${META_TAG} \
-                           --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${META_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
-              sh "docker tag ${IMAGE}:arm32v7-${META_TAG} lsiodev/buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}"
-              retry(5) {
-                sh "docker push lsiodev/buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}"
-              }
-              sh '''docker rmi \
-                    ${IMAGE}:arm32v7-${META_TAG} \
-                    lsiodev/buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} || :'''
+            echo 'Logging into Github'
+            sh '''#! /bin/bash
+                  echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
+               '''
+            sh "docker build --no-cache --pull -f Dockerfile.armhf -t ${IMAGE}:arm32v7-${META_TAG} \
+                         --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${META_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
+            sh "docker tag ${IMAGE}:arm32v7-${META_TAG} ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}"
+            retry(5) {
+              sh "docker push ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}"
             }
+            sh '''docker rmi \
+                  ${IMAGE}:arm32v7-${META_TAG} \
+                  ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} || :'''
           }
         }
         stage('Build ARM64') {
@@ -361,28 +352,19 @@ pipeline {
             label 'ARM64'
           }
           steps {
-            withCredentials([
-              [
-                $class: 'UsernamePasswordMultiBinding',
-                credentialsId: '3f9ba4d5-100d-45b0-a3c4-633fd6061207',
-                usernameVariable: 'DOCKERUSER',
-                passwordVariable: 'DOCKERPASS'
-              ]
-            ]) {
-              echo 'Logging into DockerHub'
-              sh '''#! /bin/bash
-                 echo $DOCKERPASS | docker login -u $DOCKERUSER --password-stdin
-                 '''
-              sh "docker build --no-cache --pull -f Dockerfile.aarch64 -t ${IMAGE}:arm64v8-${META_TAG} \
-                           --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${META_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
-              sh "docker tag ${IMAGE}:arm64v8-${META_TAG} lsiodev/buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}"
-              retry(5) {
-                sh "docker push lsiodev/buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}"
-              }
-              sh '''docker rmi \
-                    ${IMAGE}:arm64v8-${META_TAG} \
-                    lsiodev/buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} || :'''
+            echo 'Logging into Github'
+            sh '''#! /bin/bash
+                  echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
+               '''
+            sh "docker build --no-cache --pull -f Dockerfile.aarch64 -t ${IMAGE}:arm64v8-${META_TAG} \
+                         --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${META_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
+            sh "docker tag ${IMAGE}:arm64v8-${META_TAG} ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}"
+            retry(5) {
+              sh "docker push ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}"
             }
+            sh '''docker rmi \
+                  ${IMAGE}:arm64v8-${META_TAG} \
+                  ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} || :'''
           }
         }
       }
@@ -481,20 +463,20 @@ pipeline {
       }
       steps {
         withCredentials([
-          string(credentialsId: 'spaces-key', variable: 'DO_KEY'),
-          string(credentialsId: 'spaces-secret', variable: 'DO_SECRET')
+          string(credentialsId: 'ci-tests-s3-key-id', variable: 'S3_KEY'),
+          string(credentialsId: 'ci-tests-s3-secret-access-key	', variable: 'S3_SECRET')
         ]) {
           script{
-            env.CI_URL = 'https://lsio-ci.ams3.digitaloceanspaces.com/' + env.IMAGE + '/' + env.META_TAG + '/index.html'
+            env.CI_URL = 'https://ci-tests.linuxserver.io/' + env.IMAGE + '/' + env.META_TAG + '/index.html'
           }
           sh '''#! /bin/bash
                 set -e
-                docker pull lsiodev/ci:latest
+                docker pull ghcr.io/linuxserver/lsiodev-ci:latest
                 if [ "${MULTIARCH}" == "true" ]; then
-                  docker pull lsiodev/buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}
-                  docker pull lsiodev/buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}
-                  docker tag lsiodev/buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm32v7-${META_TAG}
-                  docker tag lsiodev/buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm64v8-${META_TAG}
+                  docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}
+                  docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}
+                  docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm32v7-${META_TAG}
+                  docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm64v8-${META_TAG}
                 fi
                 docker run --rm \
                 --shm-size=1gb \
@@ -506,15 +488,15 @@ pipeline {
                 -e PORT=\"${CI_PORT}\" \
                 -e SSL=\"${CI_SSL}\" \
                 -e BASE=\"${DIST_IMAGE}\" \
-                -e SECRET_KEY=\"${DO_SECRET}\" \
-                -e ACCESS_KEY=\"${DO_KEY}\" \
+                -e SECRET_KEY=\"${S3_SECRET}\" \
+                -e ACCESS_KEY=\"${S3_KEY}\" \
                 -e DOCKER_ENV=\"${CI_DOCKERENV}\" \
                 -e WEB_SCREENSHOT=\"${CI_WEB}\" \
                 -e WEB_AUTH=\"${CI_AUTH}\" \
                 -e WEB_PATH=\"${CI_WEBPATH}\" \
                 -e DO_REGION="ams3" \
                 -e DO_BUCKET="lsio-ci" \
-                -t lsiodev/ci:latest \
+                -t ghcr.io/linuxserver/lsiodev-ci:latest \
                 python /ci/ci.py'''
         }
       }
@@ -541,7 +523,7 @@ pipeline {
             sh '''#! /bin/bash
                   set -e
                   echo $DOCKERPASS | docker login -u $DOCKERUSER --password-stdin
-                  echo $GITHUB_TOKEN | docker login docker.pkg.github.com -u LinuxServer-CI --password-stdin
+                  echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
                   echo $GITLAB_TOKEN | docker login registry.gitlab.com -u LinuxServer.io --password-stdin
                   for PUSHIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${IMAGE}"; do
                     docker tag ${IMAGE}:${META_TAG} ${PUSHIMAGE}:${META_TAG}
@@ -583,15 +565,15 @@ pipeline {
             sh '''#! /bin/bash
                   set -e
                   echo $DOCKERPASS | docker login -u $DOCKERUSER --password-stdin
-                  echo $GITHUB_TOKEN | docker login docker.pkg.github.com -u LinuxServer-CI --password-stdin
+                  echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
                   echo $GITLAB_TOKEN | docker login registry.gitlab.com -u LinuxServer.io --password-stdin
                   if [ "${CI}" == "false" ]; then
-                    docker pull lsiodev/buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}
-                    docker pull lsiodev/buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}
-                    docker tag lsiodev/buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm32v7-${META_TAG}
-                    docker tag lsiodev/buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm64v8-${META_TAG}
+                    docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}
+                    docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}
+                    docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm32v7-${META_TAG}
+                    docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm64v8-${META_TAG}
                   fi
-                  for MANIFESTIMAGE in "${IMAGE}" "${GITLABIMAGE}"; do
+                  for MANIFESTIMAGE in "${IMAGE}" "${GITLABIMAGE}" "${GITHUBIMAGE}"; do
                     docker tag ${IMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${META_TAG}
                     docker tag ${IMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${META_TAG}
                     docker tag ${IMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG}
@@ -625,28 +607,6 @@ pipeline {
                     docker manifest push --purge ${MANIFESTIMAGE}:${META_TAG} 
                     docker manifest push --purge ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} 
                   done
-                  docker tag ${IMAGE}:amd64-${META_TAG} ${GITHUBIMAGE}:amd64-${META_TAG}
-                  docker tag ${IMAGE}:arm32v7-${META_TAG} ${GITHUBIMAGE}:arm32v7-${META_TAG}
-                  docker tag ${IMAGE}:arm64v8-${META_TAG} ${GITHUBIMAGE}:arm64v8-${META_TAG}
-                  docker tag ${GITHUBIMAGE}:amd64-${META_TAG} ${GITHUBIMAGE}:latest
-                  docker tag ${GITHUBIMAGE}:amd64-${META_TAG} ${GITHUBIMAGE}:${META_TAG}
-                  docker tag ${GITHUBIMAGE}:arm32v7-${META_TAG} ${GITHUBIMAGE}:arm32v7-latest
-                  docker tag ${GITHUBIMAGE}:arm64v8-${META_TAG} ${GITHUBIMAGE}:arm64v8-latest
-                  docker tag ${GITHUBIMAGE}:amd64-${META_TAG} ${GITHUBIMAGE}:amd64-${EXT_RELEASE_TAG}
-                  docker tag ${GITHUBIMAGE}:amd64-${META_TAG} ${GITHUBIMAGE}:${EXT_RELEASE_TAG}
-                  docker tag ${GITHUBIMAGE}:arm32v7-${META_TAG} ${GITHUBIMAGE}:arm32v7-${EXT_RELEASE_TAG}
-                  docker tag ${GITHUBIMAGE}:arm64v8-${META_TAG} ${GITHUBIMAGE}:arm64v8-${EXT_RELEASE_TAG}
-                  docker push ${GITHUBIMAGE}:amd64-${META_TAG}
-                  docker push ${GITHUBIMAGE}:arm32v7-${META_TAG}
-                  docker push ${GITHUBIMAGE}:arm64v8-${META_TAG}
-                  docker push ${GITHUBIMAGE}:latest
-                  docker push ${GITHUBIMAGE}:${META_TAG}
-                  docker push ${GITHUBIMAGE}:arm32v7-latest
-                  docker push ${GITHUBIMAGE}:arm64v8-latest
-                  docker push ${GITHUBIMAGE}:${EXT_RELEASE_TAG}
-                  docker push ${GITHUBIMAGE}:amd64-${EXT_RELEASE_TAG}
-                  docker push ${GITHUBIMAGE}:arm32v7-${EXT_RELEASE_TAG}
-                  docker push ${GITHUBIMAGE}:arm64v8-${EXT_RELEASE_TAG}
                '''
           }
           sh '''#! /bin/bash
@@ -660,8 +620,8 @@ pipeline {
                   ${DELETEIMAGE}:arm64v8-latest || :
                 done
                 docker rmi \
-                lsiodev/buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} \
-                lsiodev/buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} || :
+                ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} \
+                ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} || :
              '''
         }
       }
@@ -714,9 +674,9 @@ pipeline {
           sh '''#! /bin/bash
                 set -e
                 TEMPDIR=$(mktemp -d)
-                docker pull linuxserver/jenkins-builder:latest
-                docker run --rm -e CONTAINER_NAME=${CONTAINER_NAME} -e GITHUB_BRANCH="${BRANCH_NAME}" -v ${TEMPDIR}:/ansible/jenkins linuxserver/jenkins-builder:latest 
-                docker pull lsiodev/readme-sync
+                docker pull ghcr.io/linuxserver/jenkins-builder:latest
+                docker run --rm -e CONTAINER_NAME=${CONTAINER_NAME} -e GITHUB_BRANCH="${BRANCH_NAME}" -v ${TEMPDIR}:/ansible/jenkins ghcr.io/linuxserver/jenkins-builder:latest 
+                docker pull ghcr.io/linuxserver/lsiodev-readme-sync
                 docker run --rm=true \
                   -e DOCKERHUB_USERNAME=$DOCKERUSER \
                   -e DOCKERHUB_PASSWORD=$DOCKERPASS \
@@ -724,7 +684,7 @@ pipeline {
                   -e DOCKER_REPOSITORY=${IMAGE} \
                   -e GIT_BRANCH=master \
                   -v ${TEMPDIR}/docker-${CONTAINER_NAME}:/mnt \
-                  lsiodev/readme-sync bash -c 'node sync' 
+                  ghcr.io/linuxserver/lsiodev-readme-sync bash -c 'node sync' 
                 rm -Rf ${TEMPDIR} '''
         }
       }

README.md

@@ -36,7 +36,7 @@ Find us at:
 [![Docker Pulls](https://img.shields.io/docker/pulls/linuxserver/swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=pulls&logo=docker)](https://hub.docker.com/r/linuxserver/swag)
 [![Docker Stars](https://img.shields.io/docker/stars/linuxserver/swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=stars&logo=docker)](https://hub.docker.com/r/linuxserver/swag)
 [![Jenkins Build](https://img.shields.io/jenkins/build?labelColor=555555&logoColor=ffffff&style=for-the-badge&jobUrl=https%3A%2F%2Fci.linuxserver.io%2Fjob%2FDocker-Pipeline-Builders%2Fjob%2Fdocker-swag%2Fjob%2Fmaster%2F&logo=jenkins)](https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/)
-[![LSIO CI](https://img.shields.io/badge/dynamic/yaml?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=CI&query=CI&url=https%3A%2F%2Flsio-ci.ams3.digitaloceanspaces.com%2Flinuxserver%2Fswag%2Flatest%2Fci-status.yml)](https://lsio-ci.ams3.digitaloceanspaces.com/linuxserver/swag/latest/index.html)
+[![LSIO CI](https://img.shields.io/badge/dynamic/yaml?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=CI&query=CI&url=https%3A%2F%2Fci-tests.linuxserver.io%2Flinuxserver%2Fswag%2Flatest%2Fci-status.yml)](https://ci-tests.linuxserver.io/linuxserver/swag/latest/index.html)
 
 SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes. It also contains fail2ban for intrusion prevention.
 
@@ -46,7 +46,7 @@ SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relatio
 
 Our images support multiple architectures such as `x86-64`, `arm64` and `armhf`. We utilise the docker manifest for multi-platform awareness. More information is available from docker [here](https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-2.md#manifest-list) and our announcement [here](https://blog.linuxserver.io/2019/02/21/the-lsio-pipeline-project/).
 
-Simply pulling `linuxserver/swag` should retrieve the correct image for your arch, but you can also pull specific arch images via tags.
+Simply pulling `ghcr.io/linuxserver/swag` should retrieve the correct image for your arch, but you can also pull specific arch images via tags.
 
 The architectures supported by this image are:
 
@@ -70,7 +70,7 @@ Compatible with docker-compose v2 schemas.
 version: "2.1"
 services:
   swag:
-    image: linuxserver/swag
+    image: ghcr.io/linuxserver/swag
     container_name: swag
     cap_add:
       - NET_ADMIN
@@ -121,7 +121,7 @@ docker run -d \
   -p 80:80 `#optional` \
   -v /path/to/appdata/config:/config \
   --restart unless-stopped \
-  linuxserver/swag
+  ghcr.io/linuxserver/swag
 ```
 
 
@@ -139,7 +139,7 @@ Container images are configured using parameters passed at runtime (such as thos
 | `-e URL=yourdomain.url` | Top url you have control over (`customdomain.com` if you own it, or `customsubdomain.ddnsprovider.com` if dynamic dns). |
 | `-e SUBDOMAINS=www,` | Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this _exactly_ to `wildcard` (wildcard cert is available via `dns` and `duckdns` validation only) |
 | `-e VALIDATION=http` | Certbot validation method to use, options are `http`, `dns` or `duckdns` (`dns` method also requires `DNSPLUGIN` variable set) (`duckdns` method requires `DUCKDNSTOKEN` variable set, and the `SUBDOMAINS` variable must be either empty or set to `wildcard`). |
-| `-e DNSPLUGIN=cloudflare` | Required if `VALIDATION` is set to `dns`. Options are `aliyun`, `cloudflare`, `cloudxns`, `cpanel`, `digitalocean`, `dnsimple`, `dnsmadeeasy`, `domeneshop`, `gandi`, `google`, `inwx`, `linode`, `luadns`, `nsone`, `ovh`, `rfc2136`, `route53` and `transip`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`. |
+| `-e DNSPLUGIN=cloudflare` | Required if `VALIDATION` is set to `dns`. Options are `aliyun`, `cloudflare`, `cloudxns`, `cpanel`, `digitalocean`, `dnsimple`, `dnsmadeeasy`, `domeneshop`, `gandi`,`gehirn`, `google`, `inwx`, `linode`, `luadns`, `netcup`, `nsone`, `ovh`, `rfc2136`, `route53`, `sakuracloud` and `transip`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`. |
 | `-e PROPAGATION=` | Optionally override (in seconds) the default propagation time for the dns plugins. |
 | `-e DUCKDNSTOKEN=` | Required if `VALIDATION` is set to `duckdns`. Retrieve your token from https://www.duckdns.org |
 | `-e EMAIL=` | Optional e-mail address used for cert expiration notifications. |
@@ -227,10 +227,11 @@ This will *ask* Google et al not to index and list your site. Be careful with th
   2. `privkey.pfx`, a format supported by Microsoft and commonly used by dotnet apps such as Emby Server (no password)
   3. `priv-fullchain-bundle.pem`, a pem cert that bundles the private key and the fullchain, used by apps like ZNC
 ### Using fail2ban
-* This container includes fail2ban set up with 3 jails by default:
+* This container includes fail2ban set up with 4 jails by default:
   1. nginx-http-auth
   2. nginx-badbots
   3. nginx-botsearch
+  4. nginx-deny
 * To enable or disable other jails, modify the file `/config/fail2ban/jail.local`
 * To modify filters and actions, instead of editing the `.conf` files, create `.local` files with the same name and edit those because .conf files get overwritten when the actions and filters are updated. `.local` files will append whatever's in the `.conf` files (ie. `nginx-http-auth.conf` --> `nginx-http-auth.local`)
 * You can check which jails are active via `docker exec -it swag fail2ban-client status`
@@ -264,7 +265,7 @@ We publish various [Docker Mods](https://github.com/linuxserver/docker-mods) to
 * container version number
   * `docker inspect -f '{{ index .Config.Labels "build_version" }}' swag`
 * image version number
-  * `docker inspect -f '{{ index .Config.Labels "build_version" }}' linuxserver/swag`
+  * `docker inspect -f '{{ index .Config.Labels "build_version" }}' ghcr.io/linuxserver/swag`
 
 ## Updating Info
 
@@ -280,7 +281,7 @@ Below are the instructions for updating containers:
 * You can also remove the old dangling images: `docker image prune`
 
 ### Via Docker Run
-* Update the image: `docker pull linuxserver/swag`
+* Update the image: `docker pull ghcr.io/linuxserver/swag`
 * Stop the running container: `docker stop swag`
 * Delete the container: `docker rm swag`
 * Recreate a new container with the same docker run parameters as instructed above (if mapped correctly to a host folder, your `/config` folder and settings will be preserved)
@@ -310,7 +311,7 @@ cd docker-swag
 docker build \
   --no-cache \
   --pull \
-  -t linuxserver/swag:latest .
+  -t ghcr.io/linuxserver/swag:latest .
 ```
 
 The ARM variants can be built on x86_64 hardware using `multiarch/qemu-user-static`
@@ -322,6 +323,8 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **09.11.20:** - Check for template/conf updates and notify in the log. Add support for gehirn and sakuracloud dns validation.
+* **01.11.20:** - Add support for netcup dns validation
 * **29.10.20:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) ssl.conf - Add frame-ancestors to Content-Security-Policy.
 * **04.10.20:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, proxy.conf, and ssl.conf - Minor cleanups and reordering.
 * **20.09.20:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf - Added geoip2 configs. Added MAXMINDDB_LICENSE_KEY variable to readme.

package_versions.txt

@@ -1,6 +1,6 @@
 alpine-baselayout-3.2.0-r7
 alpine-keys-2.2-r0
-apache2-utils-2.4.46-r0
+apache2-utils-2.4.46-r1
 apk-tools-2.10.5-r1
 apr-1.7.0-r0
 apr-util-1.6.1-r6
@@ -12,7 +12,7 @@ c-client-2007f-r11
 ca-certificates-20191127-r4
 ca-certificates-bundle-20191127-r4
 coreutils-8.32-r0
-curl-7.69.1-r1
+curl-7.69.1-r2
 db-5.3.28-r1
 expat-2.2.9-r1
 fail2ban-0.11.1-r3
@@ -36,7 +36,7 @@ libbz2-1.0.8-r1
 libc-utils-0.7.2-r3
 libcap-2.27-r0
 libcrypto1.1-1.1.1g-r0
-libcurl-7.69.1-r1
+libcurl-7.69.1-r2
 libedit-20191231.3.1-r0
 libevent-2.1.11-r1
 libffi-3.3-r2
@@ -49,7 +49,7 @@ libidn-1.35-r0
 libintl-0.20.2-r0
 libjpeg-turbo-2.0.5-r0
 libksba-1.4.0-r0
-libldap-2.4.50-r0
+libldap-2.4.50-r1
 libmagic-5.38-r0
 libmaxminddb-1.4.2-r1
 libmcrypt-2.5.8-r8
@@ -58,7 +58,7 @@ libmnl-1.0.4-r0
 libmount-2.35.2-r0
 libnftnl-libs-1.1.6-r0
 libpng-1.6.37-r1
-libpq-12.4-r0
+libpq-12.5-r0
 libproc-3.3.16-r0
 libressl3.1-libcrypto-3.1.2-r0
 libressl3.1-libssl-3.1.2-r0
@@ -88,8 +88,8 @@ linux-pam-1.3.1-r4
 logrotate-3.16.0-r0
 luajit-5.1.20190925-r0
 memcached-1.6.6-r0
-musl-1.1.24-r9
-musl-utils-1.1.24-r9
+musl-1.1.24-r10
+musl-utils-1.1.24-r10
 nano-4.9.3-r0
 ncurses-libs-6.2_p20200523-r0
 ncurses-terminfo-base-6.2_p20200523-r0
@@ -123,55 +123,55 @@ pcre2-10.35-r0
 perl-5.30.3-r0
 perl-error-0.17029-r0
 perl-git-2.26.2-r0
-php7-7.3.23-r0
-php7-bcmath-7.3.23-r0
-php7-bz2-7.3.23-r0
-php7-common-7.3.23-r0
-php7-ctype-7.3.23-r0
-php7-curl-7.3.23-r0
-php7-dom-7.3.23-r0
-php7-exif-7.3.23-r0
-php7-fileinfo-7.3.23-r0
-php7-fpm-7.3.23-r0
-php7-ftp-7.3.23-r0
-php7-gd-7.3.23-r0
-php7-iconv-7.3.23-r0
-php7-imap-7.3.23-r0
-php7-intl-7.3.23-r0
-php7-json-7.3.23-r0
-php7-ldap-7.3.23-r0
-php7-mbstring-7.3.23-r0
-php7-mysqli-7.3.23-r0
-php7-mysqlnd-7.3.23-r0
-php7-opcache-7.3.23-r0
-php7-openssl-7.3.23-r0
-php7-pdo-7.3.23-r0
-php7-pdo_mysql-7.3.23-r0
-php7-pdo_odbc-7.3.23-r0
-php7-pdo_pgsql-7.3.23-r0
-php7-pdo_sqlite-7.3.23-r0
-php7-pear-7.3.23-r0
+php7-7.3.25-r0
+php7-bcmath-7.3.25-r0
+php7-bz2-7.3.25-r0
+php7-common-7.3.25-r0
+php7-ctype-7.3.25-r0
+php7-curl-7.3.25-r0
+php7-dom-7.3.25-r0
+php7-exif-7.3.25-r0
+php7-fileinfo-7.3.25-r0
+php7-fpm-7.3.25-r0
+php7-ftp-7.3.25-r0
+php7-gd-7.3.25-r0
+php7-iconv-7.3.25-r0
+php7-imap-7.3.25-r0
+php7-intl-7.3.25-r0
+php7-json-7.3.25-r0
+php7-ldap-7.3.25-r0
+php7-mbstring-7.3.25-r0
+php7-mysqli-7.3.25-r0
+php7-mysqlnd-7.3.25-r0
+php7-opcache-7.3.25-r0
+php7-openssl-7.3.25-r0
+php7-pdo-7.3.25-r0
+php7-pdo_mysql-7.3.25-r0
+php7-pdo_odbc-7.3.25-r0
+php7-pdo_pgsql-7.3.25-r0
+php7-pdo_sqlite-7.3.25-r0
+php7-pear-7.3.25-r0
 php7-pecl-apcu-5.1.19-r0
 php7-pecl-igbinary-3.1.6-r0
 php7-pecl-mcrypt-1.0.3-r0
 php7-pecl-memcached-3.1.5-r0
 php7-pecl-redis-5.2.2-r1
-php7-pgsql-7.3.23-r0
-php7-phar-7.3.23-r0
-php7-posix-7.3.23-r0
-php7-session-7.3.23-r0
-php7-simplexml-7.3.23-r0
-php7-soap-7.3.23-r0
-php7-sockets-7.3.23-r0
-php7-sodium-7.3.23-r0
-php7-sqlite3-7.3.23-r0
-php7-tokenizer-7.3.23-r0
-php7-xml-7.3.23-r0
-php7-xmlreader-7.3.23-r0
-php7-xmlrpc-7.3.23-r0
-php7-xmlwriter-7.3.23-r0
-php7-xsl-7.3.23-r0
-php7-zip-7.3.23-r0
+php7-pgsql-7.3.25-r0
+php7-phar-7.3.25-r0
+php7-posix-7.3.25-r0
+php7-session-7.3.25-r0
+php7-simplexml-7.3.25-r0
+php7-soap-7.3.25-r0
+php7-sockets-7.3.25-r0
+php7-sodium-7.3.25-r0
+php7-sqlite3-7.3.25-r0
+php7-tokenizer-7.3.25-r0
+php7-xml-7.3.25-r0
+php7-xmlreader-7.3.25-r0
+php7-xmlrpc-7.3.25-r0
+php7-xmlwriter-7.3.25-r0
+php7-xsl-7.3.25-r0
+php7-zip-7.3.25-r0
 pinentry-1.1.0-r2
 popt-1.16-r7
 procps-3.3.16-r0
@@ -212,7 +212,7 @@ scanelf-1.2.6-r0
 shadow-4.8.1-r0
 sqlite-libs-3.32.1-r0
 ssl_client-1.31.1-r19
-tzdata-2020a-r0
+tzdata-2020c-r1
 unixodbc-2.3.7-r2
 whois-5.5.6-r0
 xz-5.2.5-r0

readme-vars.yml

@@ -50,7 +50,7 @@ cap_add_param_vars:
 # optional container parameters
 opt_param_usage_include_env: true
 opt_param_env_vars:
-  - { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `aliyun`, `cloudflare`, `cloudxns`, `cpanel`, `digitalocean`, `dnsimple`, `dnsmadeeasy`, `domeneshop`, `gandi`, `google`, `inwx`, `linode`, `luadns`, `nsone`, `ovh`, `rfc2136`, `route53` and `transip`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." }
+  - { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `aliyun`, `cloudflare`, `cloudxns`, `cpanel`, `digitalocean`, `dnsimple`, `dnsmadeeasy`, `domeneshop`, `gandi`,`gehirn`, `google`, `inwx`, `linode`, `luadns`, `netcup`, `nsone`, `ovh`, `rfc2136`, `route53`, `sakuracloud` and `transip`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." }
   - { env_var: "PROPAGATION", env_value: "", desc: "Optionally override (in seconds) the default propagation time for the dns plugins." }
   - { env_var: "DUCKDNSTOKEN", env_value: "", desc: "Required if `VALIDATION` is set to `duckdns`. Retrieve your token from https://www.duckdns.org" }
   - { env_var: "EMAIL", env_value: "", desc: "Optional e-mail address used for cert expiration notifications." }
@@ -121,10 +121,11 @@ app_setup_block: |
     2. `privkey.pfx`, a format supported by Microsoft and commonly used by dotnet apps such as Emby Server (no password)
     3. `priv-fullchain-bundle.pem`, a pem cert that bundles the private key and the fullchain, used by apps like ZNC
   ### Using fail2ban
-  * This container includes fail2ban set up with 3 jails by default:
+  * This container includes fail2ban set up with 4 jails by default:
     1. nginx-http-auth
     2. nginx-badbots
     3. nginx-botsearch
+    4. nginx-deny
   * To enable or disable other jails, modify the file `/config/fail2ban/jail.local`
   * To modify filters and actions, instead of editing the `.conf` files, create `.local` files with the same name and edit those because .conf files get overwritten when the actions and filters are updated. `.local` files will append whatever's in the `.conf` files (ie. `nginx-http-auth.conf` --> `nginx-http-auth.local`)
   * You can check which jails are active via `docker exec -it swag fail2ban-client status`
@@ -149,6 +150,8 @@ app_setup_nginx_reverse_proxy_block: ""
 
 # changelog
 changelogs:
+  - { date: "09.11.20:", desc: "Check for template/conf updates and notify in the log. Add support for gehirn and sakuracloud dns validation." }
+  - { date: "01.11.20:", desc: "Add support for netcup dns validation" }
   - { date: "29.10.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) ssl.conf - Add frame-ancestors to Content-Security-Policy." }
   - { date: "04.10.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, proxy.conf, and ssl.conf - Minor cleanups and reordering." }
   - { date: "20.09.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf - Added geoip2 configs. Added MAXMINDDB_LICENSE_KEY variable to readme."}

root/defaults/dns-conf/gehirn.ini

@@ -0,0 +1,4 @@
+# Instructions: https://certbot-dns-gehirn.readthedocs.io/en/stable/
+# Replace with your values
+dns_gehirn_api_token  = 00000000-0000-0000-0000-000000000000
+dns_gehirn_api_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw

root/defaults/dns-conf/netcup.ini

@@ -0,0 +1,3 @@
+dns_netcup_customer_id  = 123456
+dns_netcup_api_key      = 0123456789abcdef0123456789abcdef01234567
+dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123

root/defaults/dns-conf/sakuracloud.ini

@@ -0,0 +1,4 @@
+# Instructions: https://certbot-dns-sakuracloud.readthedocs.io/en/stable/
+# Replace with your values
+dns_sakuracloud_api_token  = 00000000-0000-0000-0000-000000000000
+dns_sakuracloud_api_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw

root/etc/cont-init.d/50-config

@@ -45,8 +45,6 @@ chown -R abc:abc /config/dns-conf
 
 # copy reverse proxy configs
 cp -R /defaults/proxy-confs /config/nginx/
-# remove outdated files (remove this action after 2020/10/17)
-rm -f /config/nginx/proxy-confs/seafile.subdomain.config.sample /config/nginx/proxy-confs/librespeed.subdomain.com.sample
 
 # copy/update the fail2ban config defaults to/in /config
 cp -R /defaults/fail2ban/filter.d /config/fail2ban/
@@ -92,7 +90,7 @@ if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
 fi
 
 # check to make sure DNSPLUGIN is selected if dns validation is used
-[[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(aliyun|cloudflare|cloudxns|cpanel|digitalocean|dnsimple|dnsmadeeasy|domeneshop|gandi|google|inwx|linode|luadns|nsone|ovh|rfc2136|route53|transip)$ ]] && \
+[[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(aliyun|cloudflare|cloudxns|cpanel|digitalocean|dnsimple|dnsmadeeasy|domeneshop|gandi|gehirn|google|inwx|linode|luadns|netcup|nsone|ovh|rfc2136|route53|sakuracloud|transip)$ ]] && \
   echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." && \
   sleep infinity
 
@@ -176,29 +174,32 @@ fi
 if [ "$VALIDATION" = "dns" ]; then
   if [ "$DNSPLUGIN" = "route53" ]; then
     if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-    PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM} --manual-public-ip-logging-ok"
+    PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}"
   elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then
     if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-    PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM} --manual-public-ip-logging-ok"
+    PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
   elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then
     if [ -n "$PROPAGATION" ];then echo "Gandi dns plugin does not support setting propagation time"; fi
-    PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini --manual-public-ip-logging-ok"
+    PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini"
   elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then
     if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-    PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM} --manual-public-ip-logging-ok"
+    PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}"
   elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|inwx|transip)$ ]]; then
     if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-    PREFCHAL="-a certbot-dns-${DNSPLUGIN}:dns-${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM} --manual-public-ip-logging-ok"
+    PREFCHAL="-a certbot-dns-${DNSPLUGIN}:dns-${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
+  elif [[ "$DNSPLUGIN" =~ ^(netcup)$ ]]; then
+    if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+    PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
   else
     if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-    PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM} --manual-public-ip-logging-ok"
+    PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
   fi
   echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
 elif [ "$VALIDATION" = "tls-sni" ]; then
   PREFCHAL="--non-interactive --standalone --preferred-challenges http"
   echo "*****tls-sni validation has been deprecated, attempting http validation instead"
 elif [ "$VALIDATION" = "duckdns" ]; then
-  PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-public-ip-logging-ok --manual-auth-hook /app/duckdns-txt"
+  PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt"
   chmod +x /app/duckdns-txt
   echo "duckdns validation is selected"
   if [ "$SUBDOMAINS" = "wildcard" ]; then

root/etc/cont-init.d/70-templates

@@ -0,0 +1,42 @@
+#!/usr/bin/with-contenv bash
+
+nginx_confs=( \
+    authelia-location.conf \
+    authelia-server.conf \
+    geoip2.conf \
+    ldap.conf \
+    nginx.conf \
+    proxy.conf \
+    site-confs/default \
+    ssl.conf )
+
+for i in ${nginx_confs[@]}; do
+    if [ "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' /config/nginx/${i})" != "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' /defaults/$(basename ${i}))" ]; then
+        nginx_confs_changed="/config/nginx/${i}\n${nginx_confs_changed}"
+    fi
+done
+
+if [ -n "$nginx_confs_changed" ]; then
+    echo "**** The following nginx confs have different version dates than the defaults that are shipped. ****"
+    echo "**** This may be due to user customization or an update to the defaults. ****"
+    echo "**** To update them to the latest defaults shipped within the image, delete these files and restart the container. ****"
+    echo "**** If they are user customized, check the date version at the top and compare to the upstream changelog via the link. ****"
+    echo -e "${nginx_confs_changed}"
+fi
+
+proxy_confs=$(ls /config/nginx/proxy-confs/*.conf)
+
+for i in $proxy_confs; do
+    if [ -f "${i}.sample" ]; then
+        if [ "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' ${i})" != "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' ${i}.sample)" ]; then
+            proxy_confs_changed="${i}\n${proxy_confs_changed}"
+        fi
+    fi
+done
+
+if [ -n "$proxy_confs_changed" ]; then
+    echo "**** The following reverse proxy confs have different version dates than the samples that are shipped. ****"
+    echo "**** This may be due to user customization or an update to the samples. ****"
+    echo "**** You should compare them to the samples in the same folder to make sure you have the latest updates. ****"
+    echo -e "${proxy_confs_changed}"
+fi