Bot Updating Package Versions

Bot Updating Templated Files
2026-02-26 14:40:30 +09:00 · 2024-08-31 03:22:26 +00:00 · 2024-08-24 03:27:44 +00:00 · 2024-08-24 03:22:15 +00:00 · 2024-08-24 03:20:37 +00:00 · 2024-08-17 03:20:39 +00:00
51 changed files with 1457 additions and 1105 deletions
--- a/.editorconfig
+++ b/.editorconfig
@@ -15,6 +15,6 @@ trim_trailing_whitespace = false
 indent_style = space
 indent_size = 2

-[{**.sh,root/etc/cont-init.d/**,root/etc/services.d/**}]
+[{**.sh,root/etc/s6-overlay/s6-rc.d/**,root/etc/cont-init.d/**,root/etc/services.d/**}]
 indent_style = space
 indent_size = 4
--- a/.github/ISSUE_TEMPLATE/issue.bug.yml
+++ b/.github/ISSUE_TEMPLATE/issue.bug.yml
@@ -53,7 +53,6 @@ body:
      options:
        - x86-64
        - arm64
-        - armhf
    validations:
      required: true
  - type: textarea
@@ -68,10 +67,10 @@ body:
  - type: textarea
    attributes:
      description: |
-        Provide a full docker log, output of "docker logs linuxserver.io"
+        Provide a full docker log, output of "docker logs swag"
      label: Container logs
      placeholder: |
-        Output of `docker logs linuxserver.io`
+        Output of `docker logs swag`
      render: bash
    validations:
      required: true
--- a/.github/workflows/call_invalid_helper.yml
+++ b/.github/workflows/call_invalid_helper.yml
@@ -1,12 +0,0 @@
-name: Comment on invalid interaction
-on:
-  issues:
-    types:
-      - labeled
-jobs:
-  add-comment-on-invalid:
-    if: github.event.label.name == 'invalid'
-    permissions:
-      issues: write
-    uses: linuxserver/github-workflows/.github/workflows/invalid-interaction-helper.yml@v1
-    secrets: inherit
--- a/.github/workflows/call_issue_pr_tracker.yml
+++ b/.github/workflows/call_issue_pr_tracker.yml
@@ -0,0 +1,16 @@
+name: Issue & PR Tracker
+
+on:
+  issues:
+    types: [opened,reopened,labeled,unlabeled,closed]
+  pull_request_target:
+    types: [opened,reopened,review_requested,review_request_removed,labeled,unlabeled,closed]
+  pull_request_review:
+    types: [submitted,edited,dismissed]
+
+jobs:
+  manage-project:
+    permissions:
+      issues: write
+    uses: linuxserver/github-workflows/.github/workflows/issue-pr-tracker.yml@v1
+    secrets: inherit
--- a/.github/workflows/call_issues_cron.yml
+++ b/.github/workflows/call_issues_cron.yml
@@ -0,0 +1,13 @@
+name: Mark stale issues and pull requests
+on:
+  schedule:
+    - cron:  '35 15 * * *'
+  workflow_dispatch:
+
+jobs:
+  stale:
+    permissions:
+      issues: write
+      pull-requests: write
+    uses: linuxserver/github-workflows/.github/workflows/issues-cron.yml@v1
+    secrets: inherit
--- a/.github/workflows/external_trigger.yml
+++ b/.github/workflows/external_trigger.yml
@@ -7,20 +7,25 @@ jobs:
  external-trigger-master:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1

      - name: External Trigger
        if: github.ref == 'refs/heads/master'
        run: |
+          printf "# External trigger for docker-swag\n\n" >> $GITHUB_STEP_SUMMARY
          if [ -n "${{ secrets.PAUSE_EXTERNAL_TRIGGER_SWAG_MASTER }}" ]; then
-            echo "**** Github secret PAUSE_EXTERNAL_TRIGGER_SWAG_MASTER is set; skipping trigger. ****"
+            echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
+            echo "> Github secret \`PAUSE_EXTERNAL_TRIGGER_SWAG_MASTER\` is set; skipping trigger." >> $GITHUB_STEP_SUMMARY
            exit 0
          fi
-          echo "**** External trigger running off of master branch. To disable this trigger, set a Github secret named \"PAUSE_EXTERNAL_TRIGGER_SWAG_MASTER\". ****"
-          echo "**** Retrieving external version ****"
+          echo "> [!NOTE]" >> $GITHUB_STEP_SUMMARY
+          echo "> External trigger running off of master branch. To disable this trigger, set a Github secret named \`PAUSE_EXTERNAL_TRIGGER_SWAG_MASTER\`" >> $GITHUB_STEP_SUMMARY
+          printf "\n## Retrieving external version\n\n" >> $GITHUB_STEP_SUMMARY
          EXT_RELEASE=$(curl -sL "https://pypi.python.org/pypi/certbot/json" |jq -r '. | .info.version')
+          echo "Type is \`pip_version\`" >> $GITHUB_STEP_SUMMARY
          if [ -z "${EXT_RELEASE}" ] || [ "${EXT_RELEASE}" == "null" ]; then
-            echo "**** Can't retrieve external version, exiting ****"
+            echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
+            echo "> Can't retrieve external version, exiting" >> $GITHUB_STEP_SUMMARY
            FAILURE_REASON="Can't retrieve external version for swag branch master"
            GHA_TRIGGER_URL="https://github.com/linuxserver/docker-swag/actions/runs/${{ github.run_id }}"
            curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 16711680,
@@ -29,8 +34,8 @@ jobs:
            exit 1
          fi
          EXT_RELEASE=$(echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g')
-          echo "**** External version: ${EXT_RELEASE} ****"
-          echo "**** Retrieving last pushed version ****"
+          echo "External version: \`${EXT_RELEASE}\`" >> $GITHUB_STEP_SUMMARY
+          echo "Retrieving last pushed version" >> $GITHUB_STEP_SUMMARY
          image="linuxserver/swag"
          tag="latest"
          token=$(curl -sX GET \
@@ -57,32 +62,34 @@ jobs:
          IMAGE_RELEASE=$(echo ${image_info} | jq -r '.Labels.build_version' | awk '{print $3}')
          IMAGE_VERSION=$(echo ${IMAGE_RELEASE} | awk -F'-ls' '{print $1}')
          if [ -z "${IMAGE_VERSION}" ]; then
-            echo "**** Can't retrieve last pushed version, exiting ****"
+            echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
+            echo "Can't retrieve last pushed version, exiting" >> $GITHUB_STEP_SUMMARY
            FAILURE_REASON="Can't retrieve last pushed version for swag tag latest"
            curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 16711680,
              "description": "**Trigger Failed** \n**Reason:** '"${FAILURE_REASON}"' \n"}],
              "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
            exit 1
          fi
-          echo "**** Last pushed version: ${IMAGE_VERSION} ****"
+          echo "Last pushed version: \`${IMAGE_VERSION}\`" >> $GITHUB_STEP_SUMMARY
          if [ "${EXT_RELEASE}" == "${IMAGE_VERSION}" ]; then
-            echo "**** Version ${EXT_RELEASE} already pushed, exiting ****"
+            echo "Version \`${EXT_RELEASE}\` already pushed, exiting" >> $GITHUB_STEP_SUMMARY
            exit 0
          elif [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then
-            echo "**** New version ${EXT_RELEASE} found; but there already seems to be an active build on Jenkins; exiting ****"
+            echo "New version \`${EXT_RELEASE}\` found; but there already seems to be an active build on Jenkins; exiting" >> $GITHUB_STEP_SUMMARY
            exit 0
          else
-            echo "**** New version ${EXT_RELEASE} found; old version was ${IMAGE_VERSION}. Triggering new build ****"
+            printf "\n## Trigger new build\n\n" >> $GITHUB_STEP_SUMMARY
+            echo "New version \`${EXT_RELEASE}\` found; old version was \`${IMAGE_VERSION}\`. Triggering new build" >> $GITHUB_STEP_SUMMARY
            response=$(curl -iX POST \
              https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/buildWithParameters?PACKAGE_CHECK=false \
              --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|")
-            echo "**** Jenkins job queue url: ${response%$'\r'} ****"
-            echo "**** Sleeping 10 seconds until job starts ****"
+            echo "Jenkins [job queue url](${response%$'\r'})" >> $GITHUB_STEP_SUMMARY
+            echo "Sleeping 10 seconds until job starts" >> $GITHUB_STEP_SUMMARY
            sleep 10
            buildurl=$(curl -s "${response%$'\r'}api/json" | jq -r '.executable.url')
            buildurl="${buildurl%$'\r'}"
-            echo "**** Jenkins job build url: ${buildurl} ****"
-            echo "**** Attempting to change the Jenkins job description ****"
+            echo "Jenkins job [build url](${buildurl})" >> $GITHUB_STEP_SUMMARY
+            echo "Attempting to change the Jenkins job description" >> $GITHUB_STEP_SUMMARY
            curl -iX POST \
              "${buildurl}submitDescription" \
              --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \
--- a/.github/workflows/external_trigger_scheduler.yml
+++ b/.github/workflows/external_trigger_scheduler.yml
@@ -2,42 +2,44 @@ name: External Trigger Scheduler

 on:
  schedule:
-    - cron:  '50 * * * *'
+    - cron:  '2 * * * *'
  workflow_dispatch:

 jobs:
  external-trigger-scheduler:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
          fetch-depth: '0'

      - name: External Trigger Scheduler
        run: |
-          echo "**** Branches found: ****"
-          git for-each-ref --format='%(refname:short)' refs/remotes
-          echo "**** Pulling the yq docker image ****"
-          docker pull ghcr.io/linuxserver/yq
-          for br in $(git for-each-ref --format='%(refname:short)' refs/remotes)
+          printf "# External trigger scheduler for docker-swag\n\n" >> $GITHUB_STEP_SUMMARY
+          printf "Found the branches:\n\n%s\n" "$(git for-each-ref --format='- %(refname:lstrip=3)' refs/remotes)" >> $GITHUB_STEP_SUMMARY
+          for br in $(git for-each-ref --format='%(refname:lstrip=3)' refs/remotes)
          do
-            br=$(echo "$br" | sed 's|origin/||g')
-            echo "**** Evaluating branch ${br} ****"
-            ls_branch=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/jenkins-vars.yml \
-              | docker run --rm -i --entrypoint yq ghcr.io/linuxserver/yq -r .ls_branch)
-            if [ "$br" == "$ls_branch" ]; then
-              echo "**** Branch ${br} appears to be live; checking workflow. ****"
+            if [[ "${br}" == "HEAD" ]]; then
+              printf "\nSkipping %s.\n" ${br} >> $GITHUB_STEP_SUMMARY
+              continue
+            fi
+            printf "\n## Evaluating \`%s\`\n\n" ${br} >> $GITHUB_STEP_SUMMARY
+            ls_jenkins_vars=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/jenkins-vars.yml)
+            ls_branch=$(echo "${ls_jenkins_vars}" | yq -r '.ls_branch')
+            ls_trigger=$(echo "${ls_jenkins_vars}" | yq -r '.external_type')
+            if [[ "${br}" == "${ls_branch}" ]] && [[ "${ls_trigger}" != "os" ]]; then
+              echo "Branch appears to be live and trigger is not os; checking workflow." >> $GITHUB_STEP_SUMMARY
              if curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/.github/workflows/external_trigger.yml > /dev/null 2>&1; then
-                echo "**** Workflow exists. Triggering external trigger workflow for branch ${br} ****."
+                echo "Triggering external trigger workflow for branch." >> $GITHUB_STEP_SUMMARY
                curl -iX POST \
                  -H "Authorization: token ${{ secrets.CR_PAT }}" \
                  -H "Accept: application/vnd.github.v3+json" \
                  -d "{\"ref\":\"refs/heads/${br}\"}" \
                  https://api.github.com/repos/linuxserver/docker-swag/actions/workflows/external_trigger.yml/dispatches
              else
-                echo "**** Workflow doesn't exist; skipping trigger. ****"
+                echo "Skipping branch due to no external trigger workflow present." >> $GITHUB_STEP_SUMMARY
              fi
            else
-              echo "**** ${br} appears to be a dev branch; skipping trigger. ****"
+              echo "Skipping branch due to being detected as dev branch or having no external version." >> $GITHUB_STEP_SUMMARY
            fi
          done
--- a/.github/workflows/greetings.yml
+++ b/.github/workflows/greetings.yml
@@ -8,6 +8,6 @@ jobs:
    steps:
    - uses: actions/first-interaction@v1
      with:
-        issue-message: 'Thanks for opening your first issue here! Be sure to follow the [bug](https://github.com/linuxserver/docker-swag/blob/master/.github/ISSUE_TEMPLATE/issue.bug.yml) or [feature](https://github.com/linuxserver/docker-swag/blob/master/.github/ISSUE_TEMPLATE/issue.feature.yml) issue templates!'
+        issue-message: 'Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.'
        pr-message: 'Thanks for opening this pull request! Be sure to follow the [pull request template](https://github.com/linuxserver/docker-swag/blob/master/.github/PULL_REQUEST_TEMPLATE.md)!'
        repo-token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/package_trigger.yml
+++ b/.github/workflows/package_trigger.yml
@@ -7,30 +7,34 @@ jobs:
  package-trigger-master:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1

      - name: Package Trigger
        if: github.ref == 'refs/heads/master'
        run: |
+          printf "# Package trigger for docker-swag\n\n" >> $GITHUB_STEP_SUMMARY
          if [ -n "${{ secrets.PAUSE_PACKAGE_TRIGGER_SWAG_MASTER }}" ]; then
-            echo "**** Github secret PAUSE_PACKAGE_TRIGGER_SWAG_MASTER is set; skipping trigger. ****"
+            echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
+            echo "> Github secret \`PAUSE_PACKAGE_TRIGGER_SWAG_MASTER\` is set; skipping trigger." >> $GITHUB_STEP_SUMMARY
            exit 0
          fi
          if [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then
-            echo "**** There already seems to be an active build on Jenkins; skipping package trigger ****"
+            echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
+            echo "> There already seems to be an active build on Jenkins; skipping package trigger" >> $GITHUB_STEP_SUMMARY
            exit 0
          fi
-          echo "**** Package trigger running off of master branch. To disable, set a Github secret named \"PAUSE_PACKAGE_TRIGGER_SWAG_MASTER\". ****"
+          echo "> [!NOTE]" >> $GITHUB_STEP_SUMMARY
+          echo "> Package trigger running off of master branch. To disable, set a Github secret named \`PAUSE_PACKAGE_TRIGGER_SWAG_MASTER\`" >> $GITHUB_STEP_SUMMARY
          response=$(curl -iX POST \
            https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/buildWithParameters?PACKAGE_CHECK=true \
            --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|")
-          echo "**** Jenkins job queue url: ${response%$'\r'} ****"
-          echo "**** Sleeping 10 seconds until job starts ****"
+          echo "Jenkins [job queue url](${response%$'\r'})" >> $GITHUB_STEP_SUMMARY
+          echo "Sleeping 10 seconds until job starts" >> $GITHUB_STEP_SUMMARY
          sleep 10
          buildurl=$(curl -s "${response%$'\r'}api/json" | jq -r '.executable.url')
          buildurl="${buildurl%$'\r'}"
-          echo "**** Jenkins job build url: ${buildurl} ****"
-          echo "**** Attempting to change the Jenkins job description ****"
+          echo "Jenkins job [build url](${buildurl})" >> $GITHUB_STEP_SUMMARY
+          echo "Attempting to change the Jenkins job description" >> $GITHUB_STEP_SUMMARY
          curl -iX POST \
            "${buildurl}submitDescription" \
            --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \
--- a/.github/workflows/package_trigger_scheduler.yml
+++ b/.github/workflows/package_trigger_scheduler.yml
@@ -2,33 +2,33 @@ name: Package Trigger Scheduler

 on:
  schedule:
-    - cron:  '03 5 * * 4'
+    - cron:  '1 3 * * 6'
  workflow_dispatch:

 jobs:
  package-trigger-scheduler:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
          fetch-depth: '0'

      - name: Package Trigger Scheduler
        run: |
-          echo "**** Branches found: ****"
-          git for-each-ref --format='%(refname:short)' refs/remotes
-          echo "**** Pulling the yq docker image ****"
-          docker pull ghcr.io/linuxserver/yq
-          for br in $(git for-each-ref --format='%(refname:short)' refs/remotes)
+          printf "# Package trigger scheduler for docker-swag\n\n" >> $GITHUB_STEP_SUMMARY
+          printf "Found the branches:\n\n%s\n" "$(git for-each-ref --format='- %(refname:lstrip=3)' refs/remotes)" >> $GITHUB_STEP_SUMMARY
+          for br in $(git for-each-ref --format='%(refname:lstrip=3)' refs/remotes)
          do
-            br=$(echo "$br" | sed 's|origin/||g')
-            echo "**** Evaluating branch ${br} ****"
-            ls_branch=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/jenkins-vars.yml \
-              | docker run --rm -i --entrypoint yq ghcr.io/linuxserver/yq -r .ls_branch)
+            if [[ "${br}" == "HEAD" ]]; then
+              printf "\nSkipping %s.\n" ${br} >> $GITHUB_STEP_SUMMARY
+              continue
+            fi
+            printf "\n## Evaluating \`%s\`\n\n" ${br} >> $GITHUB_STEP_SUMMARY
+            ls_branch=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/jenkins-vars.yml | yq -r '.ls_branch')
            if [ "${br}" == "${ls_branch}" ]; then
-              echo "**** Branch ${br} appears to be live; checking workflow. ****"
+              echo "Branch appears to be live; checking workflow." >> $GITHUB_STEP_SUMMARY
              if curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/.github/workflows/package_trigger.yml > /dev/null 2>&1; then
-                echo "**** Workflow exists. Triggering package trigger workflow for branch ${br}. ****"
+                echo "Triggering package trigger workflow for branch ${br}" >> $GITHUB_STEP_SUMMARY
                triggered_branches="${triggered_branches}${br} "
                curl -iX POST \
                  -H "Authorization: token ${{ secrets.CR_PAT }}" \
@@ -37,10 +37,10 @@ jobs:
                  https://api.github.com/repos/linuxserver/docker-swag/actions/workflows/package_trigger.yml/dispatches
                sleep 30
              else
-                echo "**** Workflow doesn't exist; skipping trigger. ****"
+                echo "Skipping branch ${br} due to no package trigger workflow present." >> $GITHUB_STEP_SUMMARY
              fi
            else
-              echo "**** ${br} appears to be a dev branch; skipping trigger. ****"
+              echo "Skipping branch ${br} due to being detected as dev branch." >> $GITHUB_STEP_SUMMARY
            fi
          done
          echo "**** Package check build(s) triggered for branch(es): ${triggered_branches} ****"
--- a/.github/workflows/permissions.yml
+++ b/.github/workflows/permissions.yml
@@ -0,0 +1,12 @@
+name: Permission check
+on:
+  pull_request_target:
+    paths:
+      - '**/run'
+      - '**/finish'
+      - '**/check'
+      - 'root/migrations/*'
+
+jobs:
+  permission_check:
+    uses: linuxserver/github-workflows/.github/workflows/init-svc-executable-permissions.yml@v1
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,23 +0,0 @@
-name: Mark stale issues and pull requests
-
-on:
-  schedule:
-  - cron: "30 1 * * *"
-
-jobs:
-  stale:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/stale@v6.0.1
-      with:
-        stale-issue-message: "This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions."
-        stale-pr-message: "This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions."
-        stale-issue-label: 'no-issue-activity'
-        stale-pr-label: 'no-pr-activity'
-        days-before-stale: 30
-        days-before-close: 365
-        exempt-issue-labels: 'awaiting-approval,work-in-progress'
-        exempt-pr-labels: 'awaiting-approval,work-in-progress'
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
--- a/96
+++ b/96
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1

-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.17
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.20

 # set version label
 ARG BUILD_DATE
@@ -24,9 +24,10 @@ RUN \
    openssl-dev \
    python3-dev && \
  echo "**** install runtime packages ****" && \
-  apk add --no-cache --upgrade \
+  apk add --no-cache \
    fail2ban \
    gnupg \
+    iptables-legacy \
    memcached \
    nginx-mod-http-brotli \
    nginx-mod-http-dav-ext \
@@ -45,59 +46,52 @@ RUN \
    nginx-mod-stream \
    nginx-mod-stream-geoip2 \
    nginx-vim \
-    php81-bcmath \
-    php81-bz2 \
-    php81-ctype \
-    php81-curl \
-    php81-dom \
-    php81-exif \
-    php81-ftp \
-    php81-gd \
-    php81-gmp \
-    php81-iconv \
-    php81-imap \
-    php81-intl \
-    php81-ldap \
-    php81-mysqli \
-    php81-mysqlnd \
-    php81-opcache \
-    php81-pdo_mysql \
-    php81-pdo_odbc \
-    php81-pdo_pgsql \
-    php81-pdo_sqlite \
-    php81-pear \
-    php81-pecl-apcu \
-    php81-pecl-mailparse \
-    php81-pecl-memcached \
-    php81-pecl-redis \
-    php81-pgsql \
-    php81-phar \
-    php81-posix \
-    php81-soap \
-    php81-sockets \
-    php81-sodium \
-    php81-sqlite3 \
-    php81-tokenizer \
-    php81-xmlreader \
-    php81-xsl \
-    php81-zip \
+    php83-bcmath \
+    php83-bz2 \
+    php83-dom \
+    php83-exif \
+    php83-ftp \
+    php83-gd \
+    php83-gmp \
+    php83-imap \
+    php83-intl \
+    php83-ldap \
+    php83-mysqli \
+    php83-mysqlnd \
+    php83-opcache \
+    php83-pdo_mysql \
+    php83-pdo_odbc \
+    php83-pdo_pgsql \
+    php83-pdo_sqlite \
+    php83-pear \
+    php83-pecl-apcu \
+    php83-pecl-mcrypt \
+    php83-pecl-memcached \
+    php83-pecl-redis \
+    php83-pgsql \
+    php83-posix \
+    php83-soap \
+    php83-sockets \
+    php83-sodium \
+    php83-sqlite3 \
+    php83-tokenizer \
+    php83-xmlreader \
+    php83-xsl \
    whois && \
-  apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing \
-    php81-pecl-mcrypt \
-    php81-pecl-xmlrpc && \
  echo "**** install certbot plugins ****" && \
  if [ -z ${CERTBOT_VERSION+x} ]; then \
    CERTBOT_VERSION=$(curl -sL  https://pypi.python.org/pypi/certbot/json |jq -r '. | .info.version'); \
  fi && \
-  python3 -m ensurepip && \
-  pip3 install -U --no-cache-dir \
+  python3 -m venv /lsiopy && \
+  pip install -U --no-cache-dir \
    pip \
    wheel && \
-  pip3 install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.17/ \
+  pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.20/ \
    certbot==${CERTBOT_VERSION} \
    certbot-dns-acmedns \
    certbot-dns-aliyun \
    certbot-dns-azure \
+    certbot-dns-bunny \
    certbot-dns-cloudflare \
    certbot-dns-cpanel \
    certbot-dns-desec \
@@ -108,9 +102,12 @@ RUN \
    certbot-dns-dnspod \
    certbot-dns-do \
    certbot-dns-domeneshop \
+    certbot-dns-dreamhost \
    certbot-dns-duckdns \
-    certbot-dns-dynu \
+    certbot-dns-dynudns \
+    certbot-dns-freedns \
    certbot-dns-gehirn \
+    certbot-dns-glesys \
    certbot-dns-godaddy \
    certbot-dns-google \
    certbot-dns-he \
@@ -121,10 +118,12 @@ RUN \
    certbot-dns-linode \
    certbot-dns-loopia \
    certbot-dns-luadns \
+    certbot-dns-namecheap \
    certbot-dns-netcup \
    certbot-dns-njalla \
    certbot-dns-nsone \
    certbot-dns-ovh \
+    certbot-dns-porkbun \
    certbot-dns-rfc2136 \
    certbot-dns-route53 \
    certbot-dns-sakuracloud \
@@ -145,8 +144,10 @@ RUN \
  sed -i \
    's|#ssl_trusted_certificate /config/keys/cert.crt;|ssl_trusted_certificate /config/keys/cert.crt;|' \
    /defaults/nginx/ssl.conf.sample && \
+  echo "**** remove stream.conf ****" && \
+  rm -f /etc/nginx/conf.d/stream.conf && \
  echo "**** correct ip6tables legacy issue ****" && \
-  rm \ 
+  rm \
    /sbin/ip6tables && \
  ln -s \
    /sbin/ip6tables-nft /sbin/ip6tables && \
@@ -157,6 +158,8 @@ RUN \
  mkdir -p /defaults/fail2ban && \
  mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
  mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
+  echo "**** define allowipv6 to silence warning ****" && \
+  sed -i 's/#allowipv6 = auto/allowipv6 = auto/g' /etc/fail2ban/fail2ban.conf && \
  echo "**** copy proxy confs to /defaults ****" && \
  mkdir -p \
    /defaults/nginx/proxy-confs && \
@@ -166,6 +169,7 @@ RUN \
  tar xf \
    /tmp/proxy-confs.tar.gz -C \
    /defaults/nginx/proxy-confs --strip-components=1 --exclude=linux*/.editorconfig --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
+  printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
  echo "**** cleanup ****" && \
  apk del --purge \
    build-dependencies && \
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1

-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.17
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.20

 # set version label
 ARG BUILD_DATE
@@ -24,9 +24,10 @@ RUN \
    openssl-dev \
    python3-dev && \
  echo "**** install runtime packages ****" && \
-  apk add --no-cache --upgrade \
+  apk add --no-cache \
    fail2ban \
    gnupg \
+    iptables-legacy \
    memcached \
    nginx-mod-http-brotli \
    nginx-mod-http-dav-ext \
@@ -45,59 +46,52 @@ RUN \
    nginx-mod-stream \
    nginx-mod-stream-geoip2 \
    nginx-vim \
-    php81-bcmath \
-    php81-bz2 \
-    php81-ctype \
-    php81-curl \
-    php81-dom \
-    php81-exif \
-    php81-ftp \
-    php81-gd \
-    php81-gmp \
-    php81-iconv \
-    php81-imap \
-    php81-intl \
-    php81-ldap \
-    php81-mysqli \
-    php81-mysqlnd \
-    php81-opcache \
-    php81-pdo_mysql \
-    php81-pdo_odbc \
-    php81-pdo_pgsql \
-    php81-pdo_sqlite \
-    php81-pear \
-    php81-pecl-apcu \
-    php81-pecl-mailparse \
-    php81-pecl-memcached \
-    php81-pecl-redis \
-    php81-pgsql \
-    php81-phar \
-    php81-posix \
-    php81-soap \
-    php81-sockets \
-    php81-sodium \
-    php81-sqlite3 \
-    php81-tokenizer \
-    php81-xmlreader \
-    php81-xsl \
-    php81-zip \
+    php83-bcmath \
+    php83-bz2 \
+    php83-dom \
+    php83-exif \
+    php83-ftp \
+    php83-gd \
+    php83-gmp \
+    php83-imap \
+    php83-intl \
+    php83-ldap \
+    php83-mysqli \
+    php83-mysqlnd \
+    php83-opcache \
+    php83-pdo_mysql \
+    php83-pdo_odbc \
+    php83-pdo_pgsql \
+    php83-pdo_sqlite \
+    php83-pear \
+    php83-pecl-apcu \
+    php83-pecl-mcrypt \
+    php83-pecl-memcached \
+    php83-pecl-redis \
+    php83-pgsql \
+    php83-posix \
+    php83-soap \
+    php83-sockets \
+    php83-sodium \
+    php83-sqlite3 \
+    php83-tokenizer \
+    php83-xmlreader \
+    php83-xsl \
    whois && \
-  apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing \
-    php81-pecl-mcrypt \
-    php81-pecl-xmlrpc && \
  echo "**** install certbot plugins ****" && \
  if [ -z ${CERTBOT_VERSION+x} ]; then \
    CERTBOT_VERSION=$(curl -sL  https://pypi.python.org/pypi/certbot/json |jq -r '. | .info.version'); \
  fi && \
-  python3 -m ensurepip && \
-  pip3 install -U --no-cache-dir \
+  python3 -m venv /lsiopy && \
+  pip install -U --no-cache-dir \
    pip \
    wheel && \
-  pip3 install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.17/ \
+  pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.20/ \
    certbot==${CERTBOT_VERSION} \
    certbot-dns-acmedns \
    certbot-dns-aliyun \
    certbot-dns-azure \
+    certbot-dns-bunny \
    certbot-dns-cloudflare \
    certbot-dns-cpanel \
    certbot-dns-desec \
@@ -108,9 +102,12 @@ RUN \
    certbot-dns-dnspod \
    certbot-dns-do \
    certbot-dns-domeneshop \
+    certbot-dns-dreamhost \
    certbot-dns-duckdns \
-    certbot-dns-dynu \
+    certbot-dns-dynudns \
+    certbot-dns-freedns \
    certbot-dns-gehirn \
+    certbot-dns-glesys \
    certbot-dns-godaddy \
    certbot-dns-google \
    certbot-dns-he \
@@ -121,10 +118,12 @@ RUN \
    certbot-dns-linode \
    certbot-dns-loopia \
    certbot-dns-luadns \
+    certbot-dns-namecheap \
    certbot-dns-netcup \
    certbot-dns-njalla \
    certbot-dns-nsone \
    certbot-dns-ovh \
+    certbot-dns-porkbun \
    certbot-dns-rfc2136 \
    certbot-dns-route53 \
    certbot-dns-sakuracloud \
@@ -145,8 +144,10 @@ RUN \
  sed -i \
    's|#ssl_trusted_certificate /config/keys/cert.crt;|ssl_trusted_certificate /config/keys/cert.crt;|' \
    /defaults/nginx/ssl.conf.sample && \
+  echo "**** remove stream.conf ****" && \
+  rm -f /etc/nginx/conf.d/stream.conf && \
  echo "**** correct ip6tables legacy issue ****" && \
-  rm \ 
+  rm \
    /sbin/ip6tables && \
  ln -s \
    /sbin/ip6tables-nft /sbin/ip6tables && \
@@ -157,6 +158,8 @@ RUN \
  mkdir -p /defaults/fail2ban && \
  mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
  mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
+  echo "**** define allowipv6 to silence warning ****" && \
+  sed -i 's/#allowipv6 = auto/allowipv6 = auto/g' /etc/fail2ban/fail2ban.conf && \
  echo "**** copy proxy confs to /defaults ****" && \
  mkdir -p \
    /defaults/nginx/proxy-confs && \
@@ -166,6 +169,7 @@ RUN \
  tar xf \
    /tmp/proxy-confs.tar.gz -C \
    /defaults/nginx/proxy-confs --strip-components=1 --exclude=linux*/.editorconfig --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
+  printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
  echo "**** cleanup ****" && \
  apk del --purge \
    build-dependencies && \
--- a/Dockerfile.armhf
+++ b/Dockerfile.armhf
@@ -1,182 +0,0 @@
-# syntax=docker/dockerfile:1
-
-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm32v7-3.17
-
-# set version label
-ARG BUILD_DATE
-ARG VERSION
-ARG CERTBOT_VERSION
-LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
-LABEL maintainer="nemchik"
-
-# environment settings
-ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53.ini
-ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
-
-RUN \
-  echo "**** install build packages ****" && \
-  apk add --no-cache --virtual=build-dependencies \
-    build-base \
-    cargo \
-    libffi-dev \
-    libxml2-dev \
-    libxslt-dev \
-    openssl-dev \
-    python3-dev && \
-  echo "**** install runtime packages ****" && \
-  apk add --no-cache --upgrade \
-    fail2ban \
-    gnupg \
-    memcached \
-    nginx-mod-http-brotli \
-    nginx-mod-http-dav-ext \
-    nginx-mod-http-echo \
-    nginx-mod-http-fancyindex \
-    nginx-mod-http-geoip2 \
-    nginx-mod-http-headers-more \
-    nginx-mod-http-image-filter \
-    nginx-mod-http-perl \
-    nginx-mod-http-redis2 \
-    nginx-mod-http-set-misc \
-    nginx-mod-http-upload-progress \
-    nginx-mod-http-xslt-filter \
-    nginx-mod-mail \
-    nginx-mod-rtmp \
-    nginx-mod-stream \
-    nginx-mod-stream-geoip2 \
-    nginx-vim \
-    php81-bcmath \
-    php81-bz2 \
-    php81-ctype \
-    php81-curl \
-    php81-dom \
-    php81-exif \
-    php81-ftp \
-    php81-gd \
-    php81-gmp \
-    php81-iconv \
-    php81-imap \
-    php81-intl \
-    php81-ldap \
-    php81-mysqli \
-    php81-mysqlnd \
-    php81-opcache \
-    php81-pdo_mysql \
-    php81-pdo_odbc \
-    php81-pdo_pgsql \
-    php81-pdo_sqlite \
-    php81-pear \
-    php81-pecl-apcu \
-    php81-pecl-mailparse \
-    php81-pecl-memcached \
-    php81-pecl-redis \
-    php81-pgsql \
-    php81-phar \
-    php81-posix \
-    php81-soap \
-    php81-sockets \
-    php81-sodium \
-    php81-sqlite3 \
-    php81-tokenizer \
-    php81-xmlreader \
-    php81-xsl \
-    php81-zip \
-    whois && \
-  apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing \
-    php81-pecl-mcrypt \
-    php81-pecl-xmlrpc && \
-  echo "**** install certbot plugins ****" && \
-  if [ -z ${CERTBOT_VERSION+x} ]; then \
-    CERTBOT_VERSION=$(curl -sL  https://pypi.python.org/pypi/certbot/json |jq -r '. | .info.version'); \
-  fi && \
-  python3 -m ensurepip && \
-  pip3 install -U --no-cache-dir \
-    pip \
-    wheel && \
-  pip3 install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.17/ \
-    certbot==${CERTBOT_VERSION} \
-    certbot-dns-acmedns \
-    certbot-dns-aliyun \
-    certbot-dns-azure \
-    certbot-dns-cloudflare \
-    certbot-dns-cpanel \
-    certbot-dns-desec \
-    certbot-dns-digitalocean \
-    certbot-dns-directadmin \
-    certbot-dns-dnsimple \
-    certbot-dns-dnsmadeeasy \
-    certbot-dns-dnspod \
-    certbot-dns-do \
-    certbot-dns-domeneshop \
-    certbot-dns-duckdns \
-    certbot-dns-dynu \
-    certbot-dns-gehirn \
-    certbot-dns-godaddy \
-    certbot-dns-google \
-    certbot-dns-he \
-    certbot-dns-hetzner \
-    certbot-dns-infomaniak \
-    certbot-dns-inwx \
-    certbot-dns-ionos \
-    certbot-dns-linode \
-    certbot-dns-loopia \
-    certbot-dns-luadns \
-    certbot-dns-netcup \
-    certbot-dns-njalla \
-    certbot-dns-nsone \
-    certbot-dns-ovh \
-    certbot-dns-rfc2136 \
-    certbot-dns-route53 \
-    certbot-dns-sakuracloud \
-    certbot-dns-standalone \
-    certbot-dns-transip \
-    certbot-dns-vultr \
-    certbot-plugin-gandi \
-    cryptography \
-    future \
-    requests && \
-  echo "**** enable OCSP stapling from base ****" && \
-  sed -i \
-    's|#ssl_stapling on;|ssl_stapling on;|' \
-    /defaults/nginx/ssl.conf.sample && \
-  sed -i \
-    's|#ssl_stapling_verify on;|ssl_stapling_verify on;|' \
-    /defaults/nginx/ssl.conf.sample && \
-  sed -i \
-    's|#ssl_trusted_certificate /config/keys/cert.crt;|ssl_trusted_certificate /config/keys/cert.crt;|' \
-    /defaults/nginx/ssl.conf.sample && \
-  echo "**** correct ip6tables legacy issue ****" && \
-  rm \ 
-    /sbin/ip6tables && \
-  ln -s \
-    /sbin/ip6tables-nft /sbin/ip6tables && \
-  echo "**** remove unnecessary fail2ban filters ****" && \
-  rm \
-    /etc/fail2ban/jail.d/alpine-ssh.conf && \
-  echo "**** copy fail2ban default action and filter to /defaults ****" && \
-  mkdir -p /defaults/fail2ban && \
-  mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
-  mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
-  echo "**** copy proxy confs to /defaults ****" && \
-  mkdir -p \
-    /defaults/nginx/proxy-confs && \
-  curl -o \
-    /tmp/proxy-confs.tar.gz -L \
-    "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
-  tar xf \
-    /tmp/proxy-confs.tar.gz -C \
-    /defaults/nginx/proxy-confs --strip-components=1 --exclude=linux*/.editorconfig --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
-  echo "**** cleanup ****" && \
-  apk del --purge \
-    build-dependencies && \
-  rm -rf \
-    /tmp/* \
-    $HOME/.cache \
-    $HOME/.cargo
-
-# copy local files
-COPY root/ /
-
-# ports and volumes
-EXPOSE 80 443
-VOLUME /config
--- a/645
+++ b/645
@@ -16,7 +16,9 @@ pipeline {
    GITHUB_TOKEN=credentials('498b4638-2d02-4ce5-832d-8a57d01d97ab')
    GITLAB_TOKEN=credentials('b6f0f1dd-6952-4cf6-95d1-9c06380283f0')
    GITLAB_NAMESPACE=credentials('gitlab-namespace-id')
-    SCARF_TOKEN=credentials('scarf_api_key')
+    DOCKERHUB_TOKEN=credentials('docker-hub-ci-pat')
+    QUAYIO_API_TOKEN=credentials('quayio-repo-api-token')
+    GIT_SIGNING_KEY=credentials('484fbca6-9a4f-455e-b9e3-97ac98785f5f')
    EXT_PIP = 'certbot'
    BUILD_VERSION_ARG = 'CERTBOT_VERSION'
    LS_USER = 'linuxserver'
@@ -37,13 +39,33 @@ pipeline {
    CI_WEBPATH=''
  }
  stages {
+    stage("Set git config"){
+      steps{
+        sh '''#!/bin/bash
+              cat ${GIT_SIGNING_KEY} > /config/.ssh/id_sign
+              chmod 600 /config/.ssh/id_sign
+              ssh-keygen -y -f /config/.ssh/id_sign > /config/.ssh/id_sign.pub
+              echo "Using $(ssh-keygen -lf /config/.ssh/id_sign) to sign commits"
+              git config --global gpg.format ssh
+              git config --global user.signingkey /config/.ssh/id_sign
+              git config --global commit.gpgsign true
+        '''
+      }
+    }
    // Setup all the basic environment variables needed for the build
    stage("Set ENV Variables base"){
      steps{
+        echo "Running on node: ${NODE_NAME}"
+        sh '''#! /bin/bash
+              containers=$(docker ps -aq)
+              if [[ -n "${containers}" ]]; then
+                docker stop ${containers}
+              fi
+              docker system prune -af --volumes || : '''
        script{
          env.EXIT_STATUS = ''
          env.LS_RELEASE = sh(
-            script: '''docker run --rm ghcr.io/linuxserver/alexeiled-skopeo sh -c 'skopeo inspect docker://docker.io/'${DOCKERHUB_IMAGE}':latest 2>/dev/null' | jq -r '.Labels.build_version' | awk '{print $3}' | grep '\\-ls' || : ''',
+            script: '''docker run --rm quay.io/skopeo/stable:v1 inspect docker://ghcr.io/${LS_USER}/${CONTAINER_NAME}:latest 2>/dev/null | jq -r '.Labels.build_version' | awk '{print $3}' | grep '\\-ls' || : ''',
            returnStdout: true).trim()
          env.LS_RELEASE_NOTES = sh(
            script: '''cat readme-vars.yml | awk -F \\" '/date: "[0-9][0-9].[0-9][0-9].[0-9][0-9]:/ {print $4;exit;}' | sed -E ':a;N;$!ba;s/\\r{0,1}\\n/\\\\n/g' ''',
@@ -54,11 +76,16 @@ pipeline {
          env.COMMIT_SHA = sh(
            script: '''git rev-parse HEAD''',
            returnStdout: true).trim()
+          env.GH_DEFAULT_BRANCH = sh(
+            script: '''git remote show origin | grep "HEAD branch:" | sed 's|.*HEAD branch: ||' ''',
+            returnStdout: true).trim()
          env.CODE_URL = 'https://github.com/' + env.LS_USER + '/' + env.LS_REPO + '/commit/' + env.GIT_COMMIT
          env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.DOCKERHUB_IMAGE + '/tags/'
          env.PULL_REQUEST = env.CHANGE_ID
-          env.TEMPLATED_FILES = 'Jenkinsfile README.md LICENSE .editorconfig ./.github/CONTRIBUTING.md ./.github/FUNDING.yml ./.github/ISSUE_TEMPLATE/config.yml ./.github/ISSUE_TEMPLATE/issue.bug.yml ./.github/ISSUE_TEMPLATE/issue.feature.yml ./.github/PULL_REQUEST_TEMPLATE.md ./.github/workflows/external_trigger_scheduler.yml ./.github/workflows/greetings.yml ./.github/workflows/package_trigger_scheduler.yml ./.github/workflows/stale.yml ./.github/workflows/external_trigger.yml ./.github/workflows/package_trigger.yml ./root/donate.txt'
+          env.TEMPLATED_FILES = 'Jenkinsfile README.md LICENSE .editorconfig ./.github/CONTRIBUTING.md ./.github/FUNDING.yml ./.github/ISSUE_TEMPLATE/config.yml ./.github/ISSUE_TEMPLATE/issue.bug.yml ./.github/ISSUE_TEMPLATE/issue.feature.yml ./.github/PULL_REQUEST_TEMPLATE.md ./.github/workflows/external_trigger_scheduler.yml ./.github/workflows/greetings.yml ./.github/workflows/package_trigger_scheduler.yml ./.github/workflows/call_issue_pr_tracker.yml ./.github/workflows/call_issues_cron.yml ./.github/workflows/permissions.yml ./.github/workflows/external_trigger.yml ./.github/workflows/package_trigger.yml ./root/donate.txt'
        }
+        sh '''#! /bin/bash
+              echo "The default github branch detected as ${GH_DEFAULT_BRANCH}" '''
        script{
          env.LS_RELEASE_NUMBER = sh(
            script: '''echo ${LS_RELEASE} |sed 's/^.*-ls//g' ''',
@@ -115,7 +142,7 @@ pipeline {
      steps{
        script{
          env.EXT_RELEASE_CLEAN = sh(
-            script: '''echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g' ''',
+            script: '''echo ${EXT_RELEASE} | sed 's/[~,%@+;:/ ]//g' ''',
            returnStdout: true).trim()

          def semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)\.(\d+)/
@@ -133,7 +160,7 @@ pipeline {
          }

          if (env.SEMVER != null) {
-            if (BRANCH_NAME != "master" && BRANCH_NAME != "main") {
+            if (BRANCH_NAME != "${env.GH_DEFAULT_BRANCH}") {
              env.SEMVER = "${env.SEMVER}-${BRANCH_NAME}"
            }
            println("SEMVER: ${env.SEMVER}")
@@ -157,7 +184,7 @@ pipeline {
          env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/' + env.CONTAINER_NAME
          env.QUAYIMAGE = 'quay.io/linuxserver.io/' + env.CONTAINER_NAME
          if (env.MULTIARCH == 'true') {
-            env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER
+            env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER
          } else {
            env.CI_TAGS = env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER
          }
@@ -180,7 +207,7 @@ pipeline {
          env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/lsiodev-' + env.CONTAINER_NAME
          env.QUAYIMAGE = 'quay.io/linuxserver.io/lsiodev-' + env.CONTAINER_NAME
          if (env.MULTIARCH == 'true') {
-            env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA
+            env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA
          } else {
            env.CI_TAGS = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA
          }
@@ -203,12 +230,12 @@ pipeline {
          env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/lspipepr-' + env.CONTAINER_NAME
          env.QUAYIMAGE = 'quay.io/linuxserver.io/lspipepr-' + env.CONTAINER_NAME
          if (env.MULTIARCH == 'true') {
-            env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST
+            env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '-pr-' + env.PULL_REQUEST + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '-pr-' + env.PULL_REQUEST
          } else {
-            env.CI_TAGS = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST
+            env.CI_TAGS = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '-pr-' + env.PULL_REQUEST
          }
-          env.VERSION_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST
-          env.META_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST
+          env.VERSION_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '-pr-' + env.PULL_REQUEST
+          env.META_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '-pr-' + env.PULL_REQUEST
          env.EXT_RELEASE_TAG = 'version-' + env.EXT_RELEASE_CLEAN
          env.CODE_URL = 'https://github.com/' + env.LS_USER + '/' + env.LS_REPO + '/pull/' + env.PULL_REQUEST
          env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.PR_DOCKERHUB_IMAGE + '/tags/'
@@ -228,19 +255,18 @@ pipeline {
          script{
            env.SHELLCHECK_URL = 'https://ci-tests.linuxserver.io/' + env.IMAGE + '/' + env.META_TAG + '/shellcheck-result.xml'
          }
-          sh '''curl -sL https://raw.githubusercontent.com/linuxserver/docker-shellcheck/master/checkrun.sh | /bin/bash'''
+          sh '''curl -sL https://raw.githubusercontent.com/linuxserver/docker-jenkins-builder/master/checkrun.sh | /bin/bash'''
          sh '''#! /bin/bash
-                set -e
-                docker pull ghcr.io/linuxserver/lsiodev-spaces-file-upload:latest
                docker run --rm \
-                -e DESTINATION=\"${IMAGE}/${META_TAG}/shellcheck-result.xml\" \
-                -e FILE_NAME="shellcheck-result.xml" \
-                -e MIMETYPE="text/xml" \
-                -v ${WORKSPACE}:/mnt \
-                -e SECRET_KEY=\"${S3_SECRET}\" \
-                -e ACCESS_KEY=\"${S3_KEY}\" \
-                -t ghcr.io/linuxserver/lsiodev-spaces-file-upload:latest \
-                python /upload.py'''
+                  -v ${WORKSPACE}:/mnt \
+                  -e AWS_ACCESS_KEY_ID=\"${S3_KEY}\" \
+                  -e AWS_SECRET_ACCESS_KEY=\"${S3_SECRET}\" \
+                  ghcr.io/linuxserver/baseimage-alpine:3.20 s6-envdir -fn -- /var/run/s6/container_environment /bin/bash -c "\
+                    apk add --no-cache python3 && \
+                    python3 -m venv /lsiopy && \
+                    pip install --no-cache-dir -U pip && \
+                    pip install --no-cache-dir s3cmd && \
+                    s3cmd put --no-preserve --acl-public -m text/xml /mnt/shellcheck-result.xml s3://ci-tests.linuxserver.io/${IMAGE}/${META_TAG}/shellcheck-result.xml" || :'''
        }
      }
    }
@@ -258,8 +284,15 @@ pipeline {
              set -e
              TEMPDIR=$(mktemp -d)
              docker pull ghcr.io/linuxserver/jenkins-builder:latest
-              docker run --rm -e CONTAINER_NAME=${CONTAINER_NAME} -e GITHUB_BRANCH=master -v ${TEMPDIR}:/ansible/jenkins ghcr.io/linuxserver/jenkins-builder:latest 
-              # Stage 1 - Jenkinsfile update
+              # Cloned repo paths for templating:
+              # ${TEMPDIR}/docker-${CONTAINER_NAME}: Cloned branch master of ${LS_USER}/${LS_REPO} for running the jenkins builder on
+              # ${TEMPDIR}/repo/${LS_REPO}: Cloned branch master of ${LS_USER}/${LS_REPO} for commiting various templated file changes and pushing back to Github
+              # ${TEMPDIR}/docs/docker-documentation: Cloned docs repo for pushing docs updates to Github
+              # ${TEMPDIR}/unraid/docker-templates: Cloned docker-templates repo to check for logos
+              # ${TEMPDIR}/unraid/templates: Cloned templates repo for commiting unraid template changes and pushing back to Github
+              git clone --branch master --depth 1 https://github.com/${LS_USER}/${LS_REPO}.git ${TEMPDIR}/docker-${CONTAINER_NAME}
+              docker run --rm -v ${TEMPDIR}/docker-${CONTAINER_NAME}:/tmp -e LOCAL=true -e PUID=$(id -u) -e PGID=$(id -g) ghcr.io/linuxserver/jenkins-builder:latest 
+              echo "Starting Stage 1 - Jenkinsfile update"
              if [[ "$(md5sum Jenkinsfile | awk '{ print $1 }')" != "$(md5sum ${TEMPDIR}/docker-${CONTAINER_NAME}/Jenkinsfile | awk '{ print $1 }')" ]]; then
                mkdir -p ${TEMPDIR}/repo
                git clone https://github.com/${LS_USER}/${LS_REPO}.git ${TEMPDIR}/repo/${LS_REPO}
@@ -268,16 +301,17 @@ pipeline {
                cp ${TEMPDIR}/docker-${CONTAINER_NAME}/Jenkinsfile ${TEMPDIR}/repo/${LS_REPO}/
                git add Jenkinsfile
                git commit -m 'Bot Updating Templated Files'
-                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all
+                git pull https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git master
+                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git master
                echo "true" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER}
-                echo "Updating Jenkinsfile"
+                echo "Updating Jenkinsfile and exiting build, new one will trigger based on commit"
                rm -Rf ${TEMPDIR}
                exit 0
              else
                echo "Jenkinsfile is up to date."
              fi
-              # Stage 2 - Delete old templates
-              OLD_TEMPLATES=".github/ISSUE_TEMPLATE.md\n.github/ISSUE_TEMPLATE/issue.bug.md\n.github/ISSUE_TEMPLATE/issue.feature.md"
+              echo "Starting Stage 2 - Delete old templates"
+              OLD_TEMPLATES=".github/ISSUE_TEMPLATE.md .github/ISSUE_TEMPLATE/issue.bug.md .github/ISSUE_TEMPLATE/issue.feature.md .github/workflows/call_invalid_helper.yml .github/workflows/stale.yml"
              for i in ${OLD_TEMPLATES}; do
                if [[ -f "${i}" ]]; then
                  TEMPLATES_TO_DELETE="${i} ${TEMPLATES_TO_DELETE}"
@@ -292,15 +326,16 @@ pipeline {
                  git rm "${i}"
                done
                git commit -m 'Bot Updating Templated Files'
-                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all
+                git pull https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git master
+                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git master
                echo "true" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER}
-                echo "Deleting old templates"
+                echo "Deleting old/deprecated templates and exiting build, new one will trigger based on commit"
                rm -Rf ${TEMPDIR}
                exit 0
              else
                echo "No templates to delete"
              fi
-              # Stage 3 - Update templates
+              echo "Starting Stage 3 - Update templates"
              CURRENTHASH=$(grep -hs ^ ${TEMPLATED_FILES} | md5sum | cut -c1-8)
              cd ${TEMPDIR}/docker-${CONTAINER_NAME}
              NEWHASH=$(grep -hs ^ ${TEMPLATED_FILES} | md5sum | cut -c1-8)
@@ -313,36 +348,58 @@ pipeline {
                mkdir -p ${TEMPDIR}/repo/${LS_REPO}/.github/workflows
                mkdir -p ${TEMPDIR}/repo/${LS_REPO}/.github/ISSUE_TEMPLATE
                cp --parents ${TEMPLATED_FILES} ${TEMPDIR}/repo/${LS_REPO}/ || :
+                cp --parents readme-vars.yml ${TEMPDIR}/repo/${LS_REPO}/ || :
                cd ${TEMPDIR}/repo/${LS_REPO}/
                if ! grep -q '.jenkins-external' .gitignore 2>/dev/null; then
                  echo ".jenkins-external" >> .gitignore
                  git add .gitignore
                fi
-                git add ${TEMPLATED_FILES}
+                git add readme-vars.yml ${TEMPLATED_FILES}
                git commit -m 'Bot Updating Templated Files'
-                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all
+                git pull https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git master
+                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git master
                echo "true" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER}
+                echo "Updating templates and exiting build, new one will trigger based on commit"
+                rm -Rf ${TEMPDIR}
+                exit 0
              else
                echo "false" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER}
+                echo "No templates to update"
              fi
-              mkdir -p ${TEMPDIR}/gitbook
-              git clone https://github.com/linuxserver/docker-documentation.git ${TEMPDIR}/gitbook/docker-documentation
-              if [[ ("${BRANCH_NAME}" == "master") || ("${BRANCH_NAME}" == "main") ]] && [[ (! -f ${TEMPDIR}/gitbook/docker-documentation/images/docker-${CONTAINER_NAME}.md) || ("$(md5sum ${TEMPDIR}/gitbook/docker-documentation/images/docker-${CONTAINER_NAME}.md | awk '{ print $1 }')" != "$(md5sum ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/docker-${CONTAINER_NAME}.md | awk '{ print $1 }')") ]]; then
-                cp ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/docker-${CONTAINER_NAME}.md ${TEMPDIR}/gitbook/docker-documentation/images/
-                cd ${TEMPDIR}/gitbook/docker-documentation/
-                git add images/docker-${CONTAINER_NAME}.md
+              echo "Starting Stage 4 - External repo updates: Docs, Unraid Template and Readme Sync to Docker Hub"
+              mkdir -p ${TEMPDIR}/docs
+              git clone --depth=1 https://github.com/linuxserver/docker-documentation.git ${TEMPDIR}/docs/docker-documentation
+              if [[ "${BRANCH_NAME}" == "${GH_DEFAULT_BRANCH}"  ]] && [[ (! -f ${TEMPDIR}/docs/docker-documentation/docs/images/docker-${CONTAINER_NAME}.md) || ("$(md5sum ${TEMPDIR}/docs/docker-documentation/docs/images/docker-${CONTAINER_NAME}.md | awk '{ print $1 }')" != "$(md5sum ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/docker-${CONTAINER_NAME}.md | awk '{ print $1 }')") ]]; then
+                cp ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/docker-${CONTAINER_NAME}.md ${TEMPDIR}/docs/docker-documentation/docs/images/
+                cd ${TEMPDIR}/docs/docker-documentation
+                GH_DOCS_DEFAULT_BRANCH=$(git remote show origin | grep "HEAD branch:" | sed 's|.*HEAD branch: ||')
+                git add docs/images/docker-${CONTAINER_NAME}.md
+                echo "Updating docs repo"
                git commit -m 'Bot Updating Documentation'
-                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/docker-documentation.git --all
+                git pull https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/docker-documentation.git ${GH_DOCS_DEFAULT_BRANCH} --rebase
+                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/docker-documentation.git ${GH_DOCS_DEFAULT_BRANCH} || \
+                  (MAXWAIT="10" && echo "Push to docs failed, trying again in ${MAXWAIT} seconds" && \
+                  sleep $((RANDOM % MAXWAIT)) && \
+                  git pull https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/docker-documentation.git ${GH_DOCS_DEFAULT_BRANCH} --rebase && \
+                  git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/docker-documentation.git ${GH_DOCS_DEFAULT_BRANCH})
+              else
+                echo "Docs update not needed, skipping"
              fi
              mkdir -p ${TEMPDIR}/unraid
-              git clone https://github.com/linuxserver/docker-templates.git ${TEMPDIR}/unraid/docker-templates
-              git clone https://github.com/linuxserver/templates.git ${TEMPDIR}/unraid/templates
+              git clone --depth=1 https://github.com/linuxserver/docker-templates.git ${TEMPDIR}/unraid/docker-templates
+              git clone --depth=1 https://github.com/linuxserver/templates.git ${TEMPDIR}/unraid/templates
              if [[ -f ${TEMPDIR}/unraid/docker-templates/linuxserver.io/img/${CONTAINER_NAME}-logo.png ]]; then
                sed -i "s|master/linuxserver.io/img/linuxserver-ls-logo.png|master/linuxserver.io/img/${CONTAINER_NAME}-logo.png|" ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml
+              elif [[ -f ${TEMPDIR}/unraid/docker-templates/linuxserver.io/img/${CONTAINER_NAME}-icon.png ]]; then
+                sed -i "s|master/linuxserver.io/img/linuxserver-ls-logo.png|master/linuxserver.io/img/${CONTAINER_NAME}-icon.png|" ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml
              fi
-              if [[ ("${BRANCH_NAME}" == "master") || ("${BRANCH_NAME}" == "main") ]] && [[ (! -f ${TEMPDIR}/unraid/templates/unraid/${CONTAINER_NAME}.xml) || ("$(md5sum ${TEMPDIR}/unraid/templates/unraid/${CONTAINER_NAME}.xml | awk '{ print $1 }')" != "$(md5sum ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml | awk '{ print $1 }')") ]]; then
+              if [[ "${BRANCH_NAME}" == "${GH_DEFAULT_BRANCH}" ]] && [[ (! -f ${TEMPDIR}/unraid/templates/unraid/${CONTAINER_NAME}.xml) || ("$(md5sum ${TEMPDIR}/unraid/templates/unraid/${CONTAINER_NAME}.xml | awk '{ print $1 }')" != "$(md5sum ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml | awk '{ print $1 }')") ]]; then
+                echo "Updating Unraid template"
                cd ${TEMPDIR}/unraid/templates/
-                if grep -wq "${CONTAINER_NAME}" ${TEMPDIR}/unraid/templates/unraid/ignore.list; then
+                GH_TEMPLATES_DEFAULT_BRANCH=$(git remote show origin | grep "HEAD branch:" | sed 's|.*HEAD branch: ||')
+                if grep -wq "^${CONTAINER_NAME}$" ${TEMPDIR}/unraid/templates/unraid/ignore.list && [[ -f ${TEMPDIR}/unraid/templates/unraid/deprecated/${CONTAINER_NAME}.xml ]]; then
+                  echo "Image is on the ignore list, and already in the deprecation folder."
+                elif grep -wq "^${CONTAINER_NAME}$" ${TEMPDIR}/unraid/templates/unraid/ignore.list; then
                  echo "Image is on the ignore list, marking Unraid template as deprecated"
                  cp ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml ${TEMPDIR}/unraid/templates/unraid/
                  git add -u unraid/${CONTAINER_NAME}.xml
@@ -353,7 +410,42 @@ pipeline {
                  git add unraid/${CONTAINER_NAME}.xml
                  git commit -m 'Bot Updating Unraid Template'
                fi
-                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/templates.git --all
+                git pull https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/templates.git ${GH_TEMPLATES_DEFAULT_BRANCH} --rebase
+                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/templates.git ${GH_TEMPLATES_DEFAULT_BRANCH} || \
+                  (MAXWAIT="10" && echo "Push to unraid templates failed, trying again in ${MAXWAIT} seconds" && \
+                  sleep $((RANDOM % MAXWAIT)) && \
+                  git pull https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/templates.git ${GH_TEMPLATES_DEFAULT_BRANCH} --rebase && \
+                  git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/templates.git ${GH_TEMPLATES_DEFAULT_BRANCH})
+              else
+                echo "No updates to Unraid template needed, skipping"
+              fi
+              if [[ "${BRANCH_NAME}" == "${GH_DEFAULT_BRANCH}" ]]; then
+                if [[ $(cat ${TEMPDIR}/docker-${CONTAINER_NAME}/README.md | wc -m) -gt 25000 ]]; then
+                  echo "Readme is longer than 25,000 characters. Syncing the lite version to Docker Hub"
+                  DH_README_SYNC_PATH="${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/README.lite"
+                else
+                  echo "Syncing readme to Docker Hub"
+                  DH_README_SYNC_PATH="${TEMPDIR}/docker-${CONTAINER_NAME}/README.md"
+                fi
+                if curl -s https://hub.docker.com/v2/namespaces/${DOCKERHUB_IMAGE%%/*}/repositories/${DOCKERHUB_IMAGE##*/}/tags | jq -r '.message' | grep -q 404; then
+                  echo "Docker Hub endpoint doesn't exist. Creating endpoint first."
+                  DH_TOKEN=$(curl -d '{"username":"linuxserverci", "password":"'${DOCKERHUB_TOKEN}'"}' -H "Content-Type: application/json" -X POST https://hub.docker.com/v2/users/login | jq -r '.token')
+                  curl -s \
+                    -H "Authorization: JWT ${DH_TOKEN}" \
+                    -H "Content-Type: application/json" \
+                    -X POST \
+                    -d '{"name":"'${DOCKERHUB_IMAGE##*/}'", "namespace":"'${DOCKERHUB_IMAGE%%/*}'"}' \
+                    https://hub.docker.com/v2/repositories/ || :
+                fi
+                DH_TOKEN=$(curl -d '{"username":"linuxserverci", "password":"'${DOCKERHUB_TOKEN}'"}' -H "Content-Type: application/json" -X POST https://hub.docker.com/v2/users/login | jq -r '.token')
+                curl -s \
+                  -H "Authorization: JWT ${DH_TOKEN}" \
+                  -H "Content-Type: application/json" \
+                  -X PATCH \
+                  -d "{\\"full_description\\":$(jq -Rsa . ${DH_README_SYNC_PATH})}" \
+                  https://hub.docker.com/v2/repositories/${DOCKERHUB_IMAGE} || :
+              else
+                echo "Not the default Github branch. Skipping readme sync to Docker Hub."
              fi
              rm -Rf ${TEMPDIR}'''
        script{
@@ -379,54 +471,48 @@ pipeline {
        }
      }
    }
+    // If this is a master build check the S6 service file perms
+    stage("Check S6 Service file Permissions"){
+      when {
+        branch "master"
+        environment name: 'CHANGE_ID', value: ''
+        environment name: 'EXIT_STATUS', value: ''
+      }
+      steps {
+        script{
+          sh '''#! /bin/bash
+            WRONG_PERM=$(find ./  -path "./.git" -prune -o \\( -name "run" -o -name "finish" -o -name "check" \\) -not -perm -u=x,g=x,o=x -print)
+            if [[ -n "${WRONG_PERM}" ]]; then
+              echo "The following S6 service files are missing the executable bit; canceling the faulty build: ${WRONG_PERM}"
+              exit 1
+            else
+              echo "S6 service file perms look good."
+            fi '''
+        }
+      }
+    }
    /* #######################
-           GitLab Mirroring
+       GitLab Mirroring and Quay.io Repo Visibility
       ####################### */
-    // Ping into Gitlab to mirror this repo and have a registry endpoint
-    stage("GitLab Mirror"){
+    // Ping into Gitlab to mirror this repo and have a registry endpoint & mark this repo on Quay.io as public
+    stage("GitLab Mirror and Quay.io Visibility"){
      when {
        environment name: 'EXIT_STATUS', value: ''
      }
      steps{
        sh '''curl -H "Content-Type: application/json" -H "Private-Token: ${GITLAB_TOKEN}" -X POST https://gitlab.com/api/v4/projects \
-        -d '{"namespace_id":'${GITLAB_NAMESPACE}',\
-             "name":"'${LS_REPO}'",
-             "mirror":true,\
-             "import_url":"https://github.com/linuxserver/'${LS_REPO}'.git",\
-             "issues_access_level":"disabled",\
-             "merge_requests_access_level":"disabled",\
-             "repository_access_level":"enabled",\
-             "visibility":"public"}' '''
-      } 
-    }
-    /* #######################
-           Scarf.sh package registry
-       ####################### */
-    // Add package to Scarf.sh and set permissions
-    stage("Scarf.sh package registry"){
-      when {
-        branch "master"
-        environment name: 'EXIT_STATUS', value: ''
-      }
-      steps{
-        sh '''#! /bin/bash
-              set -e
-              PACKAGE_UUID=$(curl -X GET -H "Authorization: Bearer ${SCARF_TOKEN}" https://scarf.sh/api/v1/organizations/linuxserver-ci/packages | jq -r '.[] | select(.name=="linuxserver/swag") | .uuid')
-              if [ -z "${PACKAGE_UUID}" ]; then
-                echo "Adding package to Scarf.sh"
-                curl -sX POST https://scarf.sh/api/v1/organizations/linuxserver-ci/packages \
-                  -H "Authorization: Bearer ${SCARF_TOKEN}" \
-                  -H "Content-Type: application/json" \
-                  -d '{"name":"linuxserver/swag",\
-                       "shortDescription":"example description",\
-                       "libraryType":"docker",\
-                       "website":"https://github.com/linuxserver/docker-swag",\
-                       "backendUrl":"https://ghcr.io/linuxserver/swag",\
-                       "publicUrl":"https://lscr.io/linuxserver/swag"}' || :
-              else
-                echo "Package already exists on Scarf.sh"
-              fi
-           '''
+          -d '{"namespace_id":'${GITLAB_NAMESPACE}',\
+            "name":"'${LS_REPO}'",
+            "mirror":true,\
+            "import_url":"https://github.com/linuxserver/'${LS_REPO}'.git",\
+            "issues_access_level":"disabled",\
+            "merge_requests_access_level":"disabled",\
+            "repository_access_level":"enabled",\
+            "visibility":"public"}' '''
+        sh '''curl -H "Private-Token: ${GITLAB_TOKEN}" -X PUT "https://gitlab.com/api/v4/projects/Linuxserver.io%2F${LS_REPO}" \
+          -d "mirror=true&import_url=https://github.com/linuxserver/${LS_REPO}.git" '''
+        sh '''curl -H "Content-Type: application/json" -H "Authorization: Bearer ${QUAYIO_API_TOKEN}" -X POST "https://quay.io/api/v1/repository${QUAYIMAGE/quay.io/}/changevisibility" \
+          -d '{"visibility":"public"}' ||: '''
      } 
    }
    /* ###############
@@ -442,7 +528,8 @@ pipeline {
      }
      steps {
        echo "Running on node: ${NODE_NAME}"
-        sh "docker build \
+        sh "sed -r -i 's|(^FROM .*)|\\1\\n\\nENV LSIO_FIRST_PARTY=true|g' Dockerfile"
+        sh "docker buildx build \
          --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
          --label \"org.opencontainers.image.authors=linuxserver.io\" \
          --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-swag/packages\" \
@@ -455,7 +542,8 @@ pipeline {
          --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
          --label \"org.opencontainers.image.title=Swag\" \
          --label \"org.opencontainers.image.description=SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.\" \
-          --no-cache --pull -t ${IMAGE}:${META_TAG} \
+          --no-cache --pull -t ${IMAGE}:${META_TAG} --platform=linux/amd64 \
+          --provenance=false --sbom=false \
          --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
      }
    }
@@ -472,7 +560,8 @@ pipeline {
        stage('Build X86') {
          steps {
            echo "Running on node: ${NODE_NAME}"
-            sh "docker build \
+            sh "sed -r -i 's|(^FROM .*)|\\1\\n\\nENV LSIO_FIRST_PARTY=true|g' Dockerfile"
+            sh "docker buildx build \
              --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
              --label \"org.opencontainers.image.authors=linuxserver.io\" \
              --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-swag/packages\" \
@@ -485,44 +574,11 @@ pipeline {
              --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
              --label \"org.opencontainers.image.title=Swag\" \
              --label \"org.opencontainers.image.description=SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.\" \
-              --no-cache --pull -t ${IMAGE}:amd64-${META_TAG} \
+              --no-cache --pull -t ${IMAGE}:amd64-${META_TAG} --platform=linux/amd64 \
+              --provenance=false --sbom=false \
              --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
          }
        }
-        stage('Build ARMHF') {
-          agent {
-            label 'ARMHF'
-          }
-          steps {
-            echo "Running on node: ${NODE_NAME}"
-            echo 'Logging into Github'
-            sh '''#! /bin/bash
-                  echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
-               '''
-            sh "docker build \
-              --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
-              --label \"org.opencontainers.image.authors=linuxserver.io\" \
-              --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-swag/packages\" \
-              --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-swag\" \
-              --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-swag\" \
-              --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \
-              --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \
-              --label \"org.opencontainers.image.vendor=linuxserver.io\" \
-              --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
-              --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
-              --label \"org.opencontainers.image.title=Swag\" \
-              --label \"org.opencontainers.image.description=SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.\" \
-              --no-cache --pull -f Dockerfile.armhf -t ${IMAGE}:arm32v7-${META_TAG} \
-              --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
-            sh "docker tag ${IMAGE}:arm32v7-${META_TAG} ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}"
-            retry(5) {
-              sh "docker push ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}"
-            }
-            sh '''docker rmi \
-                  ${IMAGE}:arm32v7-${META_TAG} \
-                  ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} || :'''
-          }
-        }
        stage('Build ARM64') {
          agent {
            label 'ARM64'
@@ -533,7 +589,8 @@ pipeline {
            sh '''#! /bin/bash
                  echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
               '''
-            sh "docker build \
+            sh "sed -r -i 's|(^FROM .*)|\\1\\n\\nENV LSIO_FIRST_PARTY=true|g' Dockerfile.aarch64"
+            sh "docker buildx build \
              --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
              --label \"org.opencontainers.image.authors=linuxserver.io\" \
              --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-swag/packages\" \
@@ -546,15 +603,19 @@ pipeline {
              --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
              --label \"org.opencontainers.image.title=Swag\" \
              --label \"org.opencontainers.image.description=SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.\" \
-              --no-cache --pull -f Dockerfile.aarch64 -t ${IMAGE}:arm64v8-${META_TAG} \
+              --no-cache --pull -f Dockerfile.aarch64 -t ${IMAGE}:arm64v8-${META_TAG} --platform=linux/arm64 \
+              --provenance=false --sbom=false \
              --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
            sh "docker tag ${IMAGE}:arm64v8-${META_TAG} ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}"
-            retry(5) {
+            retry_backoff(5,5) {
              sh "docker push ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}"
            }
-            sh '''docker rmi \
-                  ${IMAGE}:arm64v8-${META_TAG} \
-                  ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} || :'''
+            sh '''#! /bin/bash
+                  containers=$(docker ps -aq)
+                  if [[ -n "${containers}" ]]; then
+                    docker stop ${containers}
+                  fi
+                  docker system prune -af --volumes || : '''
          }
        }
      }
@@ -570,31 +631,17 @@ pipeline {
        sh '''#! /bin/bash
              set -e
              TEMPDIR=$(mktemp -d)
-              if [ "${MULTIARCH}" == "true" ] && [ "${PACKAGE_CHECK}" == "false" ]; then
+              if [ "${MULTIARCH}" == "true" ] && [ "${PACKAGE_CHECK}" != "true" ]; then
                LOCAL_CONTAINER=${IMAGE}:amd64-${META_TAG}
              else
                LOCAL_CONTAINER=${IMAGE}:${META_TAG}
              fi
-              if [ "${DIST_IMAGE}" == "alpine" ]; then
-                docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\
-                  apk info -v > /tmp/package_versions.txt && \
-                  sort -o /tmp/package_versions.txt  /tmp/package_versions.txt && \
-                  chmod 777 /tmp/package_versions.txt'
-              elif [ "${DIST_IMAGE}" == "ubuntu" ]; then
-                docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\
-                  apt list -qq --installed | sed "s#/.*now ##g" | cut -d" " -f1 > /tmp/package_versions.txt && \
-                  sort -o /tmp/package_versions.txt  /tmp/package_versions.txt && \
-                  chmod 777 /tmp/package_versions.txt'
-              elif [ "${DIST_IMAGE}" == "fedora" ]; then
-                docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\
-                  rpm -qa > /tmp/package_versions.txt && \
-                  sort -o /tmp/package_versions.txt  /tmp/package_versions.txt && \
-                  chmod 777 /tmp/package_versions.txt'
-              elif [ "${DIST_IMAGE}" == "arch" ]; then
-                docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\
-                  pacman -Q > /tmp/package_versions.txt && \
-                  chmod 777 /tmp/package_versions.txt'
-              fi
+              touch ${TEMPDIR}/package_versions.txt
+              docker run --rm \
+                -v /var/run/docker.sock:/var/run/docker.sock:ro \
+                -v ${TEMPDIR}:/tmp \
+                ghcr.io/anchore/syft:latest \
+                ${LOCAL_CONTAINER} -o table=/tmp/package_versions.txt
              NEW_PACKAGE_TAG=$(md5sum ${TEMPDIR}/package_versions.txt | cut -c1-8 )
              echo "Package tag sha from current packages in buit container is ${NEW_PACKAGE_TAG} comparing to old ${PACKAGE_TAG} from github"
              if [ "${NEW_PACKAGE_TAG}" != "${PACKAGE_TAG}" ]; then
@@ -605,7 +652,8 @@ pipeline {
                wait
                git add package_versions.txt
                git commit -m 'Bot Updating Package Versions'
-                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all
+                git pull https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git master
+                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git master
                echo "true" > /tmp/packages-${COMMIT_SHA}-${BUILD_NUMBER}
                echo "Package tag updated, stopping build process"
              else
@@ -629,13 +677,6 @@ pipeline {
        environment name: 'EXIT_STATUS', value: ''
      }
      steps {
-        sh '''#! /bin/bash
-              echo "Packages were updated. Cleaning up the image and exiting."
-              if [ "${MULTIARCH}" == "true" ] && [ "${PACKAGE_CHECK}" == "false" ]; then
-                docker rmi ${IMAGE}:amd64-${META_TAG}
-              else
-                docker rmi ${IMAGE}:${META_TAG}
-              fi'''
        script{
          env.EXIT_STATUS = 'ABORTED'
        }
@@ -653,13 +694,6 @@ pipeline {
        }
      }
      steps {
-        sh '''#! /bin/bash
-              echo "There are no package updates. Cleaning up the image and exiting."
-              if [ "${MULTIARCH}" == "true" ] && [ "${PACKAGE_CHECK}" == "false" ]; then
-                docker rmi ${IMAGE}:amd64-${META_TAG}
-              else
-                docker rmi ${IMAGE}:${META_TAG}
-              fi'''
        script{
          env.EXIT_STATUS = 'ABORTED'
        }
@@ -681,21 +715,20 @@ pipeline {
        ]) {
          script{
            env.CI_URL = 'https://ci-tests.linuxserver.io/' + env.IMAGE + '/' + env.META_TAG + '/index.html'
+            env.CI_JSON_URL = 'https://ci-tests.linuxserver.io/' + env.IMAGE + '/' + env.META_TAG + '/report.json'
          }
          sh '''#! /bin/bash
                set -e
                docker pull ghcr.io/linuxserver/ci:latest
                if [ "${MULTIARCH}" == "true" ]; then
-                  docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}
-                  docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}
-                  docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm32v7-${META_TAG}
+                  docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} --platform=arm64
                  docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm64v8-${META_TAG}
                fi
                docker run --rm \
                --shm-size=1gb \
                -v /var/run/docker.sock:/var/run/docker.sock \
                -e IMAGE=\"${IMAGE}\" \
-                -e DELAY_START=\"${CI_DELAY}\" \
+                -e DOCKER_LOGS_TIMEOUT=\"${CI_DELAY}\" \
                -e TAGS=\"${CI_TAGS}\" \
                -e META_TAG=\"${META_TAG}\" \
                -e PORT=\"${CI_PORT}\" \
@@ -707,8 +740,6 @@ pipeline {
                -e WEB_SCREENSHOT=\"${CI_WEB}\" \
                -e WEB_AUTH=\"${CI_AUTH}\" \
                -e WEB_PATH=\"${CI_WEBPATH}\" \
-                -e DO_REGION="ams3" \
-                -e DO_BUCKET="lsio-ci" \
                -t ghcr.io/linuxserver/ci:latest \
                python3 test_build.py'''
        }
@@ -725,12 +756,6 @@ pipeline {
      }
      steps {
        withCredentials([
-          [
-            $class: 'UsernamePasswordMultiBinding',
-            credentialsId: '3f9ba4d5-100d-45b0-a3c4-633fd6061207',
-            usernameVariable: 'DOCKERUSER',
-            passwordVariable: 'DOCKERPASS'
-          ],
          [
            $class: 'UsernamePasswordMultiBinding',
            credentialsId: 'Quay.io-Robot',
@@ -738,10 +763,10 @@ pipeline {
            passwordVariable: 'QUAYPASS'
          ]
        ]) {
-          retry(5) {
+          retry_backoff(5,5) {
            sh '''#! /bin/bash
                  set -e
-                  echo $DOCKERPASS | docker login -u $DOCKERUSER --password-stdin
+                  echo $DOCKERHUB_TOKEN | docker login -u linuxserverci --password-stdin
                  echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
                  echo $GITLAB_TOKEN | docker login registry.gitlab.com -u LinuxServer.io --password-stdin
                  echo $QUAYPASS | docker login quay.io -u $QUAYUSER --password-stdin
@@ -756,22 +781,11 @@ pipeline {
                    docker push ${PUSHIMAGE}:${META_TAG}
                    docker push ${PUSHIMAGE}:${EXT_RELEASE_TAG}
                    if [ -n "${SEMVER}" ]; then
-                     docker push ${PUSHIMAGE}:${SEMVER}
+                      docker push ${PUSHIMAGE}:${SEMVER}
                    fi
                  done
               '''
          }
-          sh '''#! /bin/bash
-                for DELETEIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${QUAYIMAGE}" "${IMAGE}"; do
-                  docker rmi \
-                  ${DELETEIMAGE}:${META_TAG} \
-                  ${DELETEIMAGE}:${EXT_RELEASE_TAG} \
-                  ${DELETEIMAGE}:latest || :
-                  if [ -n "${SEMVER}" ]; then
-                    docker rmi ${DELETEIMAGE}:${SEMVER} || :
-                  fi
-                done
-             '''
        }
      }
    }
@@ -783,12 +797,6 @@ pipeline {
      }
      steps {
        withCredentials([
-          [
-            $class: 'UsernamePasswordMultiBinding',
-            credentialsId: '3f9ba4d5-100d-45b0-a3c4-633fd6061207',
-            usernameVariable: 'DOCKERUSER',
-            passwordVariable: 'DOCKERPASS'
-          ],
          [
            $class: 'UsernamePasswordMultiBinding',
            credentialsId: 'Quay.io-Robot',
@@ -796,98 +804,49 @@ pipeline {
            passwordVariable: 'QUAYPASS'
          ]
        ]) {
-          retry(5) {
+          retry_backoff(5,5) {
            sh '''#! /bin/bash
                  set -e
-                  echo $DOCKERPASS | docker login -u $DOCKERUSER --password-stdin
+                  echo $DOCKERHUB_TOKEN | docker login -u linuxserverci --password-stdin
                  echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
                  echo $GITLAB_TOKEN | docker login registry.gitlab.com -u LinuxServer.io --password-stdin
                  echo $QUAYPASS | docker login quay.io -u $QUAYUSER --password-stdin
                  if [ "${CI}" == "false" ]; then
-                    docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}
-                    docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}
-                    docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm32v7-${META_TAG}
+                    docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} --platform=arm64
                    docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm64v8-${META_TAG}
                  fi
                  for MANIFESTIMAGE in "${IMAGE}" "${GITLABIMAGE}" "${GITHUBIMAGE}" "${QUAYIMAGE}"; do
                    docker tag ${IMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${META_TAG}
-                    docker tag ${IMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${META_TAG}
-                    docker tag ${IMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG}
                    docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-latest
-                    docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-latest
-                    docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-latest
                    docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG}
-                    docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG}
+                    docker tag ${IMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG}
+                    docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-latest
                    docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
                    if [ -n "${SEMVER}" ]; then
                      docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${SEMVER}
-                      docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${SEMVER}
                      docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${SEMVER}
                    fi
                    docker push ${MANIFESTIMAGE}:amd64-${META_TAG}
-                    docker push ${MANIFESTIMAGE}:arm32v7-${META_TAG}
-                    docker push ${MANIFESTIMAGE}:arm64v8-${META_TAG}
-                    docker push ${MANIFESTIMAGE}:amd64-latest
-                    docker push ${MANIFESTIMAGE}:arm32v7-latest
-                    docker push ${MANIFESTIMAGE}:arm64v8-latest
                    docker push ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG}
-                    docker push ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG}
+                    docker push ${MANIFESTIMAGE}:amd64-latest
+                    docker push ${MANIFESTIMAGE}:arm64v8-${META_TAG}
+                    docker push ${MANIFESTIMAGE}:arm64v8-latest
                    docker push ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
                    if [ -n "${SEMVER}" ]; then
                      docker push ${MANIFESTIMAGE}:amd64-${SEMVER}
-                      docker push ${MANIFESTIMAGE}:arm32v7-${SEMVER}
                      docker push ${MANIFESTIMAGE}:arm64v8-${SEMVER}
                    fi
-                    docker manifest push --purge ${MANIFESTIMAGE}:latest || :
-                    docker manifest create ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:amd64-latest ${MANIFESTIMAGE}:arm32v7-latest ${MANIFESTIMAGE}:arm64v8-latest
-                    docker manifest annotate ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:arm32v7-latest --os linux --arch arm
-                    docker manifest annotate ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:arm64v8-latest --os linux --arch arm64 --variant v8
-                    docker manifest push --purge ${MANIFESTIMAGE}:${META_TAG} || :
-                    docker manifest create ${MANIFESTIMAGE}:${META_TAG} ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG}
-                    docker manifest annotate ${MANIFESTIMAGE}:${META_TAG} ${MANIFESTIMAGE}:arm32v7-${META_TAG} --os linux --arch arm
-                    docker manifest annotate ${MANIFESTIMAGE}:${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG} --os linux --arch arm64 --variant v8
-                    docker manifest push --purge ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} || :
-                    docker manifest create ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
-                    docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} --os linux --arch arm
-                    docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} --os linux --arch arm64 --variant v8
+                  done
+                  for MANIFESTIMAGE in "${IMAGE}" "${GITLABIMAGE}" "${GITHUBIMAGE}" "${QUAYIMAGE}"; do
+                    docker buildx imagetools create -t ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:amd64-latest ${MANIFESTIMAGE}:arm64v8-latest
+                    docker buildx imagetools create -t ${MANIFESTIMAGE}:${META_TAG} ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG}
+                    docker buildx imagetools create -t ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
                    if [ -n "${SEMVER}" ]; then
-                      docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} || :
-                      docker manifest create ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:amd64-${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER}
-                      docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} --os linux --arch arm
-                      docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER} --os linux --arch arm64 --variant v8
-                    fi
-                    docker manifest push --purge ${MANIFESTIMAGE}:latest
-                    docker manifest push --purge ${MANIFESTIMAGE}:${META_TAG} 
-                    docker manifest push --purge ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} 
-                    if [ -n "${SEMVER}" ]; then
-                      docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} 
+                      docker buildx imagetools create -t ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:amd64-${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER}
                    fi
                  done
               '''
          }
-          sh '''#! /bin/bash
-                for DELETEIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${QUAYIMAGE}" "${IMAGE}"; do
-                  docker rmi \
-                  ${DELETEIMAGE}:amd64-${META_TAG} \
-                  ${DELETEIMAGE}:amd64-latest \
-                  ${DELETEIMAGE}:amd64-${EXT_RELEASE_TAG} \
-                  ${DELETEIMAGE}:arm32v7-${META_TAG} \
-                  ${DELETEIMAGE}:arm32v7-latest \
-                  ${DELETEIMAGE}:arm32v7-${EXT_RELEASE_TAG} \
-                  ${DELETEIMAGE}:arm64v8-${META_TAG} \
-                  ${DELETEIMAGE}:arm64v8-latest \
-                  ${DELETEIMAGE}:arm64v8-${EXT_RELEASE_TAG} || :
-                  if [ -n "${SEMVER}" ]; then
-                    docker rmi \
-                    ${DELETEIMAGE}:amd64-${SEMVER} \
-                    ${DELETEIMAGE}:arm32v7-${SEMVER} \
-                    ${DELETEIMAGE}:arm64v8-${SEMVER} || :
-                  fi
-                done
-                docker rmi \
-                ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} \
-                ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} || :
-             '''
        }
      }
    }
@@ -908,7 +867,7 @@ pipeline {
             "object": "'${COMMIT_SHA}'",\
             "message": "Tagging Release '${EXT_RELEASE_CLEAN}'-ls'${LS_TAG_NUMBER}' to master",\
             "type": "commit",\
-             "tagger": {"name": "LinuxServer Jenkins","email": "jenkins@linuxserver.io","date": "'${GITHUB_DATE}'"}}' '''
+             "tagger": {"name": "LinuxServer-CI","email": "ci@linuxserver.io","date": "'${GITHUB_DATE}'"}}' '''
        echo "Pushing New release for Tag"
        sh '''#! /bin/bash
              echo "Updating PIP version of ${EXT_PIP} to ${EXT_RELEASE_CLEAN}" > releasebody.json
@@ -921,49 +880,117 @@ pipeline {
              curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/releases -d @releasebody.json.done'''
      }
    }
-    // Use helper container to sync the current README on master to the dockerhub endpoint
-    stage('Sync-README') {
+    // Add protection to the release branch
+    stage('Github-Release-Branch-Protection') {
      when {
+        branch "master"
        environment name: 'CHANGE_ID', value: ''
        environment name: 'EXIT_STATUS', value: ''
      }
      steps {
-        withCredentials([
-          [
-            $class: 'UsernamePasswordMultiBinding',
-            credentialsId: '3f9ba4d5-100d-45b0-a3c4-633fd6061207',
-            usernameVariable: 'DOCKERUSER',
-            passwordVariable: 'DOCKERPASS'
-          ]
-        ]) {
-          sh '''#! /bin/bash
-                set -e
-                TEMPDIR=$(mktemp -d)
-                docker pull ghcr.io/linuxserver/jenkins-builder:latest
-                docker run --rm -e CONTAINER_NAME=${CONTAINER_NAME} -e GITHUB_BRANCH="${BRANCH_NAME}" -v ${TEMPDIR}:/ansible/jenkins ghcr.io/linuxserver/jenkins-builder:latest
-                docker pull ghcr.io/linuxserver/readme-sync
-                docker run --rm=true \
-                  -e DOCKERHUB_USERNAME=$DOCKERUSER \
-                  -e DOCKERHUB_PASSWORD=$DOCKERPASS \
-                  -e GIT_REPOSITORY=${LS_USER}/${LS_REPO} \
-                  -e DOCKER_REPOSITORY=${IMAGE} \
-                  -e GIT_BRANCH=master \
-                  -v ${TEMPDIR}/docker-${CONTAINER_NAME}:/mnt \
-                  ghcr.io/linuxserver/readme-sync bash -c 'node sync'
-                rm -Rf ${TEMPDIR} '''
-        }
+        echo "Setting up protection for release branch master"
+        sh '''#! /bin/bash
+          curl -H "Authorization: token ${GITHUB_TOKEN}" -X PUT https://api.github.com/repos/${LS_USER}/${LS_REPO}/branches/master/protection \
+          -d $(jq -c .  << EOF
+            {
+              "required_status_checks": null,
+              "enforce_admins": false,
+              "required_pull_request_reviews": {
+                "dismiss_stale_reviews": false,
+                "require_code_owner_reviews": false,
+                "require_last_push_approval": false,
+                "required_approving_review_count": 1
+              },
+              "restrictions": null,
+              "required_linear_history": false,
+              "allow_force_pushes": false,
+              "allow_deletions": false,
+              "block_creations": false,
+              "required_conversation_resolution": true,
+              "lock_branch": false,
+              "allow_fork_syncing": false,
+              "required_signatures": false
+            }
+EOF
+          ) '''
      }
    }
    // If this is a Pull request send the CI link as a comment on it
    stage('Pull Request Comment') {
      when {
        not {environment name: 'CHANGE_ID', value: ''}
-        environment name: 'CI', value: 'true'
        environment name: 'EXIT_STATUS', value: ''
      }
      steps {
-        sh '''curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/issues/${PULL_REQUEST}/comments \
-        -d '{"body": "I am a bot, here are the test results for this PR: \\n'${CI_URL}' \\n'${SHELLCHECK_URL}'"}' '''
+        sh '''#! /bin/bash
+            # Function to retrieve JSON data from URL
+            get_json() {
+              local url="$1"
+              local response=$(curl -s "$url")
+              if [ $? -ne 0 ]; then
+                echo "Failed to retrieve JSON data from $url"
+                return 1
+              fi
+              local json=$(echo "$response" | jq .)
+              if [ $? -ne 0 ]; then
+                echo "Failed to parse JSON data from $url"
+                return 1
+              fi
+              echo "$json"
+            }
+
+            build_table() {
+              local data="$1"
+
+              # Get the keys in the JSON data
+              local keys=$(echo "$data" | jq -r 'to_entries | map(.key) | .[]')
+
+              # Check if keys are empty
+              if [ -z "$keys" ]; then
+                echo "JSON report data does not contain any keys or the report does not exist."
+                return 1
+              fi
+
+              # Build table header
+              local header="| Tag | Passed |\\n| --- | --- |\\n"
+
+              # Loop through the JSON data to build the table rows
+              local rows=""
+              for build in $keys; do
+                local status=$(echo "$data" | jq -r ".[\\"$build\\"].test_success")
+                if [ "$status" = "true" ]; then
+                  status="✅"
+                else
+                  status="❌"
+                fi
+                local row="| "$build" | "$status" |\\n"
+                rows="${rows}${row}"
+              done
+
+              local table="${header}${rows}"
+              local escaped_table=$(echo "$table" | sed 's/\"/\\\\"/g')
+              echo "$escaped_table"
+            }
+
+            if [[ "${CI}" = "true" ]]; then
+              # Retrieve JSON data from URL
+              data=$(get_json "$CI_JSON_URL")
+              # Create table from JSON data
+              table=$(build_table "$data")
+              echo -e "$table"
+
+              curl -X POST -H "Authorization: token $GITHUB_TOKEN" \
+                -H "Accept: application/vnd.github.v3+json" \
+                "https://api.github.com/repos/$LS_USER/$LS_REPO/issues/$PULL_REQUEST/comments" \
+                -d "{\\"body\\": \\"I am a bot, here are the test results for this PR: \\n${CI_URL}\\n${SHELLCHECK_URL}\\n${table}\\"}"
+            else
+              curl -X POST -H "Authorization: token $GITHUB_TOKEN" \
+                -H "Accept: application/vnd.github.v3+json" \
+                "https://api.github.com/repos/$LS_USER/$LS_REPO/issues/$PULL_REQUEST/comments" \
+                -d "{\\"body\\": \\"I am a bot, here is the pushed image/manifest for this PR: \\n\\n\\`${GITHUBIMAGE}:${META_TAG}\\`\\"}"
+            fi
+            '''
+
      }
    }
  }
@@ -972,24 +999,56 @@ pipeline {
     ###################### */
  post {
    always {
+      sh '''#!/bin/bash
+            rm -rf /config/.ssh/id_sign
+            rm -rf /config/.ssh/id_sign.pub
+            git config --global --unset gpg.format
+            git config --global --unset user.signingkey
+            git config --global --unset commit.gpgsign
+        '''
      script{
        if (env.EXIT_STATUS == "ABORTED"){
          sh 'echo "build aborted"'
        }
        else if (currentBuild.currentResult == "SUCCESS"){
-          sh ''' curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://wiki.jenkins-ci.org/download/attachments/2916393/headshot.png","embeds": [{"color": 1681177,\
+          sh ''' curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/jenkins-avatar.png","embeds": [{"color": 1681177,\
                 "description": "**Build:**  '${BUILD_NUMBER}'\\n**CI Results:**  '${CI_URL}'\\n**ShellCheck Results:**  '${SHELLCHECK_URL}'\\n**Status:**  Success\\n**Job:** '${RUN_DISPLAY_URL}'\\n**Change:** '${CODE_URL}'\\n**External Release:**: '${RELEASE_LINK}'\\n**DockerHub:** '${DOCKERHUB_LINK}'\\n"}],\
                 "username": "Jenkins"}' ${BUILDS_DISCORD} '''
        }
        else {
-          sh ''' curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://wiki.jenkins-ci.org/download/attachments/2916393/headshot.png","embeds": [{"color": 16711680,\
+          sh ''' curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/jenkins-avatar.png","embeds": [{"color": 16711680,\
                 "description": "**Build:**  '${BUILD_NUMBER}'\\n**CI Results:**  '${CI_URL}'\\n**ShellCheck Results:**  '${SHELLCHECK_URL}'\\n**Status:**  failure\\n**Job:** '${RUN_DISPLAY_URL}'\\n**Change:** '${CODE_URL}'\\n**External Release:**: '${RELEASE_LINK}'\\n**DockerHub:** '${DOCKERHUB_LINK}'\\n"}],\
                 "username": "Jenkins"}' ${BUILDS_DISCORD} '''
        }
      }
    }
    cleanup {
+      sh '''#! /bin/bash
+            echo "Performing docker system prune!!"
+            containers=$(docker ps -aq)
+            if [[ -n "${containers}" ]]; then
+              docker stop ${containers}
+            fi
+            docker system prune -af --volumes || :
+         '''
      cleanWs()
    }
  }
 }
+
+def retry_backoff(int max_attempts, int power_base, Closure c) {
+  int n = 0
+  while (n < max_attempts) {
+    try {
+      c()
+      return
+    } catch (err) {
+      if ((n + 1) >= max_attempts) {
+        throw err
+      }
+      sleep(power_base ** n)
+      n++
+    }
+  }
+  return
+}
--- a/README.md
+++ b/README.md
@@ -1,6 +1,5 @@
-<!-- DO NOT EDIT THIS FILE MANUALLY  -->
-<!-- Please read the https://github.com/linuxserver/docker-swag/blob/master/.github/CONTRIBUTING.md -->
-
+<!-- DO NOT EDIT THIS FILE MANUALLY -->
+<!-- Please read https://github.com/linuxserver/docker-swag/blob/master/.github/CONTRIBUTING.md -->
 [![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)](https://linuxserver.io)

 [![Blog](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=Blog)](https://blog.linuxserver.io "all the things you can do with our containers including How-To guides, opinions and much more!")
@@ -29,7 +28,7 @@ Find us at:

 # [linuxserver/swag](https://github.com/linuxserver/docker-swag)

-[![Scarf.io pulls](https://scarf.sh/installs-badge/linuxserver-ci/linuxserver%2Fswag?color=94398d&label-color=555555&logo-color=ffffff&style=for-the-badge&package-type=docker)](https://scarf.sh/gateway/linuxserver-ci/docker/linuxserver%2Fswag)
+[![Scarf.io pulls](https://scarf.sh/installs-badge/linuxserver-ci/linuxserver%2Fswag?color=94398d&label-color=555555&logo-color=ffffff&style=for-the-badge&package-type=docker)](https://scarf.sh)
 [![GitHub Stars](https://img.shields.io/github/stars/linuxserver/docker-swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/linuxserver/docker-swag)
 [![GitHub Release](https://img.shields.io/github/release/linuxserver/docker-swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/linuxserver/docker-swag/releases)
 [![GitHub Package Repository](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=GitHub%20Package&logo=github)](https://github.com/linuxserver/docker-swag/packages)
@@ -46,7 +45,7 @@ SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relatio

 ## Supported Architectures

-We utilise the docker manifest for multi-platform awareness. More information is available from docker [here](https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-2.md#manifest-list) and our announcement [here](https://blog.linuxserver.io/2019/02/21/the-lsio-pipeline-project/).
+We utilise the docker manifest for multi-platform awareness. More information is available from docker [here](https://distribution.github.io/distribution/spec/manifest-v2-2/#manifest-list) and our announcement [here](https://blog.linuxserver.io/2019/02/21/the-lsio-pipeline-project/).

 Simply pulling `lscr.io/linuxserver/swag:latest` should retrieve the correct image for your arch, but you can also pull specific arch images via tags.

@@ -56,7 +55,7 @@ The architectures supported by this image are:
 | :----: | :----: | ---- |
 | x86-64 | ✅ | amd64-\<version tag\> |
 | arm64 | ✅ | arm64v8-\<version tag\> |
-| armhf| ✅ | arm32v7-\<version tag\> |
+| armhf | ❌ | |

 ## Application Setup

@@ -68,13 +67,28 @@ The architectures supported by this image are:
 * For `dns` validation, make sure to enter your credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`
  * Cloudflare provides free accounts for managing dns and is very easy to use with this image. Make sure that it is set up for "dns only" instead of "dns + proxy"
  * Google dns plugin is meant to be used with "Google Cloud DNS", a paid enterprise product, and not for "Google Domains DNS"
-  * DuckDNS only supoprts two types of DNS validated certificates (not both at the same time):
+  * DuckDNS only supports two types of DNS validated certificates (not both at the same time):
    1. Certs that only cover your main subdomain (ie. `yoursubdomain.duckdns.org`, leave the `SUBDOMAINS` variable empty)
    2. Certs that cover sub-subdomains of your main subdomain (ie. `*.yoursubdomain.duckdns.org`, set the `SUBDOMAINS` variable to `wildcard`)
 * `--cap-add=NET_ADMIN` is required for fail2ban to modify iptables
 * After setup, navigate to `https://yourdomain.url` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default.conf`).
 * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.

+### Certbot Plugins
+
+SWAG includes many Certbot plugins out of the box, but not all plugins can be included.
+If you need a plugin that is not included, the quickest way to have the plugin available is to use our [Universal Package Install Docker Mod](https://github.com/linuxserver/docker-mods/tree/universal-package-install).
+
+Set the following environment variables on your container:
+
+```yaml
+DOCKER_MODS=linuxserver/mods:universal-package-install
+INSTALL_PIP_PACKAGES=certbot-dns-<plugin>
+```
+
+Set the required credentials (usually found in the plugin documentation) in `/config/dns-conf/<plugin>.ini`.
+It is recommended to attempt obtaining a certificate with `STAGING=true` first to make sure the plugin is working as expected.
+
 ### Security and password protection

 * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
@@ -138,13 +152,12 @@ Please follow the instructions [on this blog post](https://www.linuxserver.io/bl

 ## Usage

-Here are some example snippets to help you get started creating a container.
+To help you get started creating a container from this image you can either use docker-compose or the docker cli.

 ### docker-compose (recommended, [click here for more info](https://docs.linuxserver.io/general/docker-compose))

 ```yaml
 ---
-version: "2.1"
 services:
  swag:
    image: lscr.io/linuxserver/swag:latest
@@ -154,7 +167,7 @@ services:
    environment:
      - PUID=1000
      - PGID=1000
-      - TZ=Europe/London
+      - TZ=Etc/UTC
      - URL=yourdomain.url
      - VALIDATION=http
      - SUBDOMAINS=www, #optional
@@ -166,7 +179,7 @@ services:
      - EXTRA_DOMAINS= #optional
      - STAGING=false #optional
    volumes:
-      - /path/to/appdata/config:/config
+      - /path/to/swag/config:/config
    ports:
      - 443:443
      - 80:80 #optional
@@ -181,7 +194,7 @@ docker run -d \
  --cap-add=NET_ADMIN \
  -e PUID=1000 \
  -e PGID=1000 \
-  -e TZ=Europe/London \
+  -e TZ=Etc/UTC \
  -e URL=yourdomain.url \
  -e VALIDATION=http \
  -e SUBDOMAINS=www, `#optional` \
@@ -194,14 +207,14 @@ docker run -d \
  -e STAGING=false `#optional` \
  -p 443:443 \
  -p 80:80 `#optional` \
-  -v /path/to/appdata/config:/config \
+  -v /path/to/swag/config:/config \
  --restart unless-stopped \
  lscr.io/linuxserver/swag:latest
 ```

 ## Parameters

-Container images are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate `<external>:<internal>` respectively. For example, `-p 8080:80` would expose port `80` from inside the container to be accessible from the host's IP on port `8080` outside the container.
+Containers are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate `<external>:<internal>` respectively. For example, `-p 8080:80` would expose port `80` from inside the container to be accessible from the host's IP on port `8080` outside the container.

 | Parameter | Function |
 | :----: | --- |
@@ -209,18 +222,18 @@ Container images are configured using parameters passed at runtime (such as thos
 | `-p 80` | Http port (required for http validation and http -> https redirect) |
 | `-e PUID=1000` | for UserID - see below for explanation |
 | `-e PGID=1000` | for GroupID - see below for explanation |
-| `-e TZ=Europe/London` | Specify a timezone to use EG Europe/London. |
+| `-e TZ=Etc/UTC` | specify a timezone to use, see this [list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List). |
 | `-e URL=yourdomain.url` | Top url you have control over (`customdomain.com` if you own it, or `customsubdomain.ddnsprovider.com` if dynamic dns). |
 | `-e VALIDATION=http` | Certbot validation method to use, options are `http` or `dns` (`dns` method also requires `DNSPLUGIN` variable set). |
 | `-e SUBDOMAINS=www,` | Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this *exactly* to `wildcard` (wildcard cert is available via `dns` validation only) |
 | `-e CERTPROVIDER=` | Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt. |
-| `-e DNSPLUGIN=cloudflare` | Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `duckdns`, `dynu`, `gandi`, `gehirn`, `godaddy`, `google`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`. |
+| `-e DNSPLUGIN=cloudflare` | Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `bunny`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `dreamhost`, `duckdns`, `dynudns`, `freedns`, `gandi`, `gehirn`, `glesys`, `godaddy`, `google`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `namecheap`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`. |
 | `-e PROPAGATION=` | Optionally override (in seconds) the default propagation time for the dns plugins. |
 | `-e EMAIL=` | Optional e-mail address used for cert expiration notifications (Required for ZeroSSL). |
 | `-e ONLY_SUBDOMAINS=false` | If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true` |
 | `-e EXTRA_DOMAINS=` | Additional fully qualified domain names (comma separated, no spaces) ie. `extradomain.com,subdomain.anotherdomain.org,*.anotherdomain.org` |
 | `-e STAGING=false` | Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes. |
-| `-v /config` | All the config files including the webroot reside here. |
+| `-v /config` | Persistent config files |

 ### Portainer notice

@@ -233,10 +246,10 @@ You can set any environment variable from a file by using a special prepend `FIL
 As an example:

 ```bash
-e FILE__PASSWORD=/run/secrets/mysecretpassword
+-e FILE__MYVAR=/run/secrets/mysecretvariable
 ```

-Will set the environment variable `PASSWORD` based on the contents of the `/run/secrets/mysecretpassword` file.
+Will set the environment variable `MYVAR` based on the contents of the `/run/secrets/mysecretvariable` file.

 ## Umask for running applications

@@ -245,15 +258,20 @@ Keep in mind umask is not chmod it subtracts from permissions based on it's valu

 ## User / Group Identifiers

-When using volumes (`-v` flags) permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user `PUID` and group `PGID`.
+When using volumes (`-v` flags), permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user `PUID` and group `PGID`.

 Ensure any volume directories on the host are owned by the same user you specify and any permissions issues will vanish like magic.

-In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as below:
+In this instance `PUID=1000` and `PGID=1000`, to find yours use `id your_user` as below:

 ```bash
-  $ id username
-    uid=1000(dockeruser) gid=1000(dockergroup) groups=1000(dockergroup)
+id your_user
+```
+
+Example output:
+
+```text
+uid=1000(your_user) gid=1000(your_user) groups=1000(your_user)
 ```

 ## Docker Mods
@@ -264,53 +282,100 @@ We publish various [Docker Mods](https://github.com/linuxserver/docker-mods) to

 ## Support Info

-* Shell access whilst the container is running: `docker exec -it swag /bin/bash`
-* To monitor the logs of the container in realtime: `docker logs -f swag`
-* container version number
-  * `docker inspect -f '{{ index .Config.Labels "build_version" }}' swag`
-* image version number
-  * `docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/swag:latest`
+* Shell access whilst the container is running:
+
+    ```bash
+    docker exec -it swag /bin/bash
+    ```
+
+* To monitor the logs of the container in realtime:
+
+    ```bash
+    docker logs -f swag
+    ```
+
+* Container version number:
+
+    ```bash
+    docker inspect -f '{{ index .Config.Labels "build_version" }}' swag
+    ```
+
+* Image version number:
+
+    ```bash
+    docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/swag:latest
+    ```

 ## Updating Info

-Most of our images are static, versioned, and require an image update and container recreation to update the app inside. With some exceptions (ie. nextcloud, plex), we do not recommend or support updating apps inside the container. Please consult the [Application Setup](#application-setup) section above to see if it is recommended for the image.
+Most of our images are static, versioned, and require an image update and container recreation to update the app inside. With some exceptions (noted in the relevant readme.md), we do not recommend or support updating apps inside the container. Please consult the [Application Setup](#application-setup) section above to see if it is recommended for the image.

 Below are the instructions for updating containers:

 ### Via Docker Compose

-* Update all images: `docker-compose pull`
-  * or update a single image: `docker-compose pull swag`
-* Let compose update all containers as necessary: `docker-compose up -d`
-  * or update a single container: `docker-compose up -d swag`
-* You can also remove the old dangling images: `docker image prune`
+* Update images:
+    * All images:
+
+        ```bash
+        docker-compose pull
+        ```
+
+    * Single image:
+
+        ```bash
+        docker-compose pull swag
+        ```
+
+* Update containers:
+    * All containers:
+
+        ```bash
+        docker-compose up -d
+        ```
+
+    * Single container:
+
+        ```bash
+        docker-compose up -d swag
+        ```
+
+* You can also remove the old dangling images:
+
+    ```bash
+    docker image prune
+    ```

 ### Via Docker Run

-* Update the image: `docker pull lscr.io/linuxserver/swag:latest`
-* Stop the running container: `docker stop swag`
-* Delete the container: `docker rm swag`
+* Update the image:
+
+    ```bash
+    docker pull lscr.io/linuxserver/swag:latest
+    ```
+
+* Stop the running container:
+
+    ```bash
+    docker stop swag
+    ```
+
+* Delete the container:
+
+    ```bash
+    docker rm swag
+    ```
+
 * Recreate a new container with the same docker run parameters as instructed above (if mapped correctly to a host folder, your `/config` folder and settings will be preserved)
-* You can also remove the old dangling images: `docker image prune`
+* You can also remove the old dangling images:

-### Via Watchtower auto-updater (only use if you don't remember the original parameters)
-
-* Pull the latest image at its tag and replace it with the same env variables in one run:
-
-  ```bash
-  docker run --rm \
-  -v /var/run/docker.sock:/var/run/docker.sock \
-  containrrr/watchtower \
-  --run-once swag
-  ```
-
-* You can also remove the old dangling images: `docker image prune`
-
-**Note:** We do not endorse the use of Watchtower as a solution to automated updates of existing Docker containers. In fact we generally discourage automated updates. However, this is a useful tool for one-time manual updates of containers where you have forgotten the original parameters. In the long term, we highly recommend using [Docker Compose](https://docs.linuxserver.io/general/docker-compose).
+    ```bash
+    docker image prune
+    ```

 ### Image Update Notifications - Diun (Docker Image Update Notifier)

-* We recommend [Diun](https://crazymax.dev/diun/) for update notifications. Other tools that automatically update containers unattended are not recommended or supported.
+**tip**: We recommend [Diun](https://crazymax.dev/diun/) for update notifications. Other tools that automatically update containers unattended are not recommended or supported.

 ## Building locally

@@ -335,6 +400,32 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64

 ## Versions

+* **24.07.14:** - Rebase to Alpine 3.20. Remove deprecated Google Domains certbot plugin. Existing users should update their nginx confs to avoid http2 deprecation warnings.
+* **01.07.24:** - Fall back to iptables-legacy if iptables doesn't work.
+* **23.03.24:** - Fix perms on the generated `priv-fullchain-bundle.pem`.
+* **14.03.24:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-location.conf, authelia-server.conf - Update Authelia conf samples with support for 4.38.
+* **11.03.24:** - Restore support for DynuDNS using `certbot-dns-dynudns`.
+* **06.03.24:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) site-confs/default.conf - Cleanup default site conf.
+* **04.03.24:** - Remove `stream.conf` inside the container to allow users to include their own block in `nginx.conf`.
+* **23.01.24:** - Rebase to Alpine 3.19 with php 8.3, add root periodic crontabs for logrotate.
+* **01.01.24:** - Add GleSYS DNS plugin.
+* **11.12.23:** - Deprecate certbot-dns-dynu to resolve dependency conflicts with other plugins.
+* **30.11.23:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) site-confs/default.conf - Fix index.php being downloaded on 404.
+* **23.11.23:** - Run certbot as root to allow fix http validation.
+* **01.10.23:** - Fix "unrecognized arguments" issue in DirectAdmin DNS plugin.
+* **28.08.23:** - Add Namecheap DNS plugin.
+* **12.08.23:** - Add FreeDNS plugin. Detect certbot DNS authenticators using CLI.
+* **07.08.23:** - Add Bunny DNS Configuration.
+* **27.07.23:** - Added support for dreamhost validation.
+* **25.05.23:** - Rebase to Alpine 3.18, deprecate armhf.
+* **27.04.23:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-location.conf, authelia-server.conf, authentik-location.conf, authentik-server.conf - Simplify auth configs and fix Set-Cookie header bug.
+* **13.04.23:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, authelia-location.conf, authentik-location.conf, and site-confs/default.conf - Move ssl.conf include to default.conf. Remove Authorization headers in authelia. Sort proxy_set_header in authelia and authentik.
+* **25.03.23:** - Fix renewal post hook.
+* **10.03.23:** - Cleanup unused csr and keys folders. See [certbot 2.3.0 release notes](https://github.com/certbot/certbot/releases/tag/v2.3.0).
+* **09.03.23:** - Add Google Domains DNS support, `google-domains`.
+* **02.03.23:** - Set permissions on crontabs during init.
+* **09.02.23:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf, authelia-location.conf and authelia-server.conf - Add Authentik configs, update Authelia configs.
+* **06.02.23:** - Add porkbun support back in.
 * **21.01.23:** - Unpin certbot version (allow certbot 2.x). !!BREAKING CHANGE!! We are temporarily removing the certbot porkbun plugin until a new version is released that is compatible with certbot 2.x.
 * **20.01.23:** - Rebase to alpine 3.17 with php8.1.
 * **16.01.23:** - Remove nchan module because it keeps causing crashes.
--- a/package_versions.txt
+++ b/package_versions.txt
@@ -1,204 +1,362 @@
-alpine-baselayout-3.4.0-r0
-alpine-baselayout-data-3.4.0-r0
-alpine-keys-2.4-r1
-alpine-release-3.17.1-r0
-aom-libs-3.5.0-r0
-apache2-utils-2.4.55-r0
-apk-tools-2.12.10-r1
-apr-1.7.0-r2
-apr-util-1.6.1-r14
-argon2-libs-20190702-r2
-bash-5.2.15-r0
-brotli-libs-1.0.9-r9
-busybox-1.35.0-r29
-busybox-binsh-1.35.0-r29
-c-client-2007f-r14
-ca-certificates-20220614-r4
-ca-certificates-bundle-20220614-r4
-coreutils-9.1-r0
-curl-7.87.0-r1
-fail2ban-1.0.2-r0
-fontconfig-2.14.1-r0
-freetype-2.12.1-r0
-gdbm-1.23-r0
-git-2.38.3-r1
-git-perl-2.38.3-r1
-gmp-6.2.1-r2
-gnupg-2.2.40-r0
-gnupg-dirmngr-2.2.40-r0
-gnupg-gpgconf-2.2.40-r0
-gnupg-utils-2.2.40-r0
-gnupg-wks-client-2.2.40-r0
-gnutls-3.7.8-r2
-gpg-2.2.40-r0
-gpg-agent-2.2.40-r0
-gpg-wks-server-2.2.40-r0
-gpgsm-2.2.40-r0
-gpgv-2.2.40-r0
-icu-data-en-72.1-r1
-icu-libs-72.1-r1
-ip6tables-1.8.8-r2
-iptables-1.8.8-r2
-jq-1.6-r2
-libacl-2.3.1-r1
-libassuan-2.5.5-r1
-libattr-2.5.1-r2
-libavif-0.11.1-r0
-libbsd-0.11.7-r0
-libbz2-1.0.8-r4
-libc-utils-0.7.2-r3
-libcrypto3-3.0.7-r2
-libcurl-7.87.0-r1
-libdav1d-1.0.0-r2
-libedit-20221030.3.1-r0
-libevent-2.1.12-r5
-libexpat-2.5.0-r0
-libffi-3.4.4-r0
-libgcc-12.2.1_git20220924-r4
-libgcrypt-1.10.1-r0
-libgd-2.3.3-r3
-libgpg-error-1.46-r1
-libice-1.0.10-r1
-libidn-1.41-r0
-libintl-0.21.1-r1
-libjpeg-turbo-2.1.4-r0
-libksba-1.6.3-r0
-libldap-2.6.3-r6
-libmaxminddb-libs-1.7.1-r0
-libmcrypt-2.5.8-r10
-libmd-1.0.4-r0
-libmemcached-libs-1.0.18-r5
-libmnl-1.0.5-r0
-libnftnl-1.2.4-r0
-libpng-1.6.38-r0
-libpq-15.1-r0
-libproc-3.3.17-r2
-libsasl-2.1.28-r3
-libseccomp-2.5.4-r0
-libsm-1.2.3-r1
-libsodium-1.0.18-r2
-libssl3-3.0.7-r2
-libstdc++-12.2.1_git20220924-r4
-libtasn1-4.19.0-r0
-libunistring-1.1-r0
-libuuid-2.38.1-r1
-libwebp-1.2.4-r1
-libx11-1.8.3-r1
-libxau-1.0.10-r0
-libxcb-1.15-r0
-libxdmcp-1.1.4-r0
-libxext-1.3.5-r0
-libxml2-2.10.3-r1
-libxpm-3.5.15-r0
-libxslt-1.1.37-r0
-libxt-1.2.1-r0
-libzip-1.9.2-r2
-linux-pam-1.5.2-r1
-logrotate-3.20.1-r3
-lz4-libs-1.9.4-r1
-memcached-1.6.17-r0
-mpdecimal-2.5.1-r1
-musl-1.2.3-r4
-musl-utils-1.2.3-r4
-nano-7.0-r0
-ncurses-libs-6.3_p20221119-r0
-ncurses-terminfo-base-6.3_p20221119-r0
-nettle-3.8.1-r0
-nghttp2-libs-1.51.0-r0
-nginx-1.22.1-r0
-nginx-mod-devel-kit-1.22.1-r0
-nginx-mod-http-brotli-1.22.1-r0
-nginx-mod-http-dav-ext-1.22.1-r0
-nginx-mod-http-echo-1.22.1-r0
-nginx-mod-http-fancyindex-1.22.1-r0
-nginx-mod-http-geoip2-1.22.1-r0
-nginx-mod-http-headers-more-1.22.1-r0
-nginx-mod-http-image-filter-1.22.1-r0
-nginx-mod-http-perl-1.22.1-r0
-nginx-mod-http-redis2-1.22.1-r0
-nginx-mod-http-set-misc-1.22.1-r0
-nginx-mod-http-upload-progress-1.22.1-r0
-nginx-mod-http-xslt-filter-1.22.1-r0
-nginx-mod-mail-1.22.1-r0
-nginx-mod-rtmp-1.22.1-r0
-nginx-mod-stream-1.22.1-r0
-nginx-mod-stream-geoip2-1.22.1-r0
-nginx-vim-1.22.1-r0
-npth-1.6-r2
-oniguruma-6.9.8-r0
-openssl-3.0.7-r2
-p11-kit-0.24.1-r1
-pcre-8.45-r2
-pcre2-10.42-r0
-perl-5.36.0-r0
-perl-error-0.17029-r1
-perl-git-2.38.3-r1
-php81-8.1.14-r0
-php81-bcmath-8.1.14-r0
-php81-bz2-8.1.14-r0
-php81-common-8.1.14-r0
-php81-ctype-8.1.14-r0
-php81-curl-8.1.14-r0
-php81-dom-8.1.14-r0
-php81-exif-8.1.14-r0
-php81-fileinfo-8.1.14-r0
-php81-fpm-8.1.14-r0
-php81-ftp-8.1.14-r0
-php81-gd-8.1.14-r0
-php81-gmp-8.1.14-r0
-php81-iconv-8.1.14-r0
-php81-imap-8.1.14-r0
-php81-intl-8.1.14-r0
-php81-ldap-8.1.14-r0
-php81-mbstring-8.1.14-r0
-php81-mysqli-8.1.14-r0
-php81-mysqlnd-8.1.14-r0
-php81-opcache-8.1.14-r0
-php81-openssl-8.1.14-r0
-php81-pdo-8.1.14-r0
-php81-pdo_mysql-8.1.14-r0
-php81-pdo_odbc-8.1.14-r0
-php81-pdo_pgsql-8.1.14-r0
-php81-pdo_sqlite-8.1.14-r0
-php81-pear-8.1.14-r0
-php81-pecl-apcu-5.1.22-r0
-php81-pecl-igbinary-3.2.12-r0
-php81-pecl-mailparse-3.1.4-r0
-php81-pecl-mcrypt-1.0.4-r0
-php81-pecl-memcached-3.2.0-r0
-php81-pecl-redis-5.3.7-r0
-php81-pecl-xmlrpc-1.0.0_rc3-r0
-php81-pgsql-8.1.14-r0
-php81-phar-8.1.14-r0
-php81-posix-8.1.14-r0
-php81-session-8.1.14-r0
-php81-simplexml-8.1.14-r0
-php81-soap-8.1.14-r0
-php81-sockets-8.1.14-r0
-php81-sodium-8.1.14-r0
-php81-sqlite3-8.1.14-r0
-php81-tokenizer-8.1.14-r0
-php81-xml-8.1.14-r0
-php81-xmlreader-8.1.14-r0
-php81-xmlwriter-8.1.14-r0
-php81-xsl-8.1.14-r0
-php81-zip-8.1.14-r0
-pinentry-1.2.1-r0
-popt-1.19-r0
-procps-3.3.17-r2
-python3-3.10.9-r1
-readline-8.2.0-r0
-scanelf-1.3.5-r1
-shadow-4.13-r0
-skalibs-2.12.0.1-r0
-sqlite-libs-3.40.1-r0
-ssl_client-1.35.0-r29
-tiff-4.4.0-r1
-tzdata-2022f-r1
-unixodbc-2.3.11-r0
-utmps-libs-0.1.2.0-r1
-whois-5.5.14-r0
-xz-5.2.9-r0
-xz-libs-5.2.9-r0
-zlib-1.2.13-r0
-zstd-libs-1.5.2-r9
+NAME                            VERSION                TYPE                    
+Simple Launcher                 1.1.0.14               dotnet  (+5 duplicates)  
+acme                            2.11.0                 python                   
+alpine-baselayout               3.6.5-r0               apk                      
+alpine-baselayout-data          3.6.5-r0               apk                      
+alpine-keys                     2.4-r1                 apk                      
+alpine-release                  3.20.2-r0              apk                      
+aom-libs                        3.9.1-r0               apk                      
+apache2-utils                   2.4.62-r0              apk                      
+apk-tools                       2.14.4-r0              apk                      
+apr                             1.7.4-r0               apk                      
+apr-util                        1.6.3-r1               apk                      
+argon2-libs                     20190702-r5            apk                      
+attrs                           24.2.0                 python                   
+autocommand                     2.2.2                  python                   
+azure-common                    1.1.28                 python                   
+azure-core                      1.30.2                 python                   
+azure-identity                  1.17.1                 python                   
+azure-mgmt-core                 1.4.0                  python                   
+azure-mgmt-dns                  8.1.0                  python                   
+backports-tarfile               1.2.0                  python                   
+bash                            5.2.26-r0              apk                      
+beautifulsoup4                  4.12.3                 python                   
+boto3                           1.35.10                python                   
+botocore                        1.35.10                python                   
+brotli-libs                     1.1.0-r2               apk                      
+bs4                             0.0.2                  python                   
+busybox                         1.36.1-r29             apk                      
+busybox-binsh                   1.36.1-r29             apk                      
+c-ares                          1.28.1-r0              apk                      
+c-client                        2007f-r15              apk                      
+ca-certificates                 20240705-r0            apk                      
+ca-certificates-bundle          20240705-r0            apk                      
+cachetools                      5.5.0                  python                   
+catatonit                       0.2.0-r0               apk                      
+certbot                         2.11.0                 python                   
+certbot-dns-acmedns             0.1.0                  python                   
+certbot-dns-aliyun              2.0.0                  python                   
+certbot-dns-azure               2.5.0                  python                   
+certbot-dns-bunny               0.0.9                  python                   
+certbot-dns-cloudflare          2.11.0                 python                   
+certbot-dns-cpanel              0.4.0                  python                   
+certbot-dns-desec               1.2.1                  python                   
+certbot-dns-digitalocean        2.11.0                 python                   
+certbot-dns-directadmin         1.0.4                  python                   
+certbot-dns-dnsimple            2.11.0                 python                   
+certbot-dns-dnsmadeeasy         2.11.0                 python                   
+certbot-dns-dnspod              0.1.0                  python                   
+certbot-dns-do                  0.31.0                 python                   
+certbot-dns-domeneshop          0.2.9                  python                   
+certbot-dns-dreamhost           1.0                    python                   
+certbot-dns-duckdns             1.3                    python                   
+certbot-dns-dynudns             0.0.6                  python                   
+certbot-dns-freedns             0.2.0                  python                   
+certbot-dns-gehirn              2.11.0                 python                   
+certbot-dns-glesys              2.1.0                  python                   
+certbot-dns-godaddy             2.8.0                  python                   
+certbot-dns-google              2.11.0                 python                   
+certbot-dns-he                  1.0.0                  python                   
+certbot-dns-hetzner             2.0.1                  python                   
+certbot-dns-infomaniak          0.2.2                  python                   
+certbot-dns-inwx                2.2.0                  python                   
+certbot-dns-ionos               2024.1.8               python                   
+certbot-dns-linode              2.11.0                 python                   
+certbot-dns-loopia              1.0.1                  python                   
+certbot-dns-luadns              2.11.0                 python                   
+certbot-dns-namecheap           1.0.0                  python                   
+certbot-dns-netcup              1.4.3                  python                   
+certbot-dns-njalla              1.0.0                  python                   
+certbot-dns-nsone               2.11.0                 python                   
+certbot-dns-ovh                 2.11.0                 python                   
+certbot-dns-porkbun             0.8                    python                   
+certbot-dns-rfc2136             2.11.0                 python                   
+certbot-dns-route53             2.11.0                 python                   
+certbot-dns-sakuracloud         2.11.0                 python                   
+certbot-dns-standalone          1.1                    python                   
+certbot-dns-transip             0.5.2                  python                   
+certbot-dns-vultr               1.1.0                  python                   
+certbot-plugin-gandi            1.5.0                  python                   
+certifi                         2024.8.30              python                   
+cffi                            1.17.0                 python                   
+charset-normalizer              3.3.2                  python                   
+cloudflare                      2.19.4                 python                   
+composer                        2.7.8                  binary                   
+configargparse                  1.7                    python                   
+configobj                       5.0.8                  python                   
+coreutils                       9.5-r1                 apk                      
+coreutils-env                   9.5-r1                 apk                      
+coreutils-fmt                   9.5-r1                 apk                      
+coreutils-sha512sum             9.5-r1                 apk                      
+cryptography                    43.0.0                 python                   
+curl                            8.9.0-r0               apk                      
+distro                          1.9.0                  python                   
+dns-lexicon                     3.18.0                 python                   
+dnslib                          0.9.25                 python                   
+dnspython                       2.6.1                  python                   
+domeneshop                      0.4.4                  python                   
+fail2ban                        1.1.0                  python                   
+fail2ban                        1.1.0-r0               apk                      
+fail2ban-pyc                    1.1.0-r0               apk                      
+filelock                        3.15.4                 python                   
+findutils                       4.9.0-r5               apk                      
+fontconfig                      2.15.0-r1              apk                      
+freetype                        2.13.2-r0              apk                      
+future                          1.0.0                  python                   
+gdbm                            1.23-r1                apk                      
+git                             2.45.2-r0              apk                      
+git-init-template               2.45.2-r0              apk                      
+git-perl                        2.45.2-r0              apk                      
+gmp                             6.3.0-r1               apk                      
+gnupg                           2.4.5-r0               apk                      
+gnupg-dirmngr                   2.4.5-r0               apk                      
+gnupg-gpgconf                   2.4.5-r0               apk                      
+gnupg-keyboxd                   2.4.5-r0               apk                      
+gnupg-utils                     2.4.5-r0               apk                      
+gnupg-wks-client                2.4.5-r0               apk                      
+gnutls                          3.8.5-r0               apk                      
+google-api-core                 2.19.2                 python                   
+google-api-python-client        2.143.0                python                   
+google-auth                     2.34.0                 python                   
+google-auth-httplib2            0.2.0                  python                   
+googleapis-common-protos        1.65.0                 python                   
+gpg                             2.4.5-r0               apk                      
+gpg-agent                       2.4.5-r0               apk                      
+gpg-wks-server                  2.4.5-r0               apk                      
+gpgsm                           2.4.5-r0               apk                      
+gpgv                            2.4.5-r0               apk                      
+httplib2                        0.22.0                 python                   
+icu-data-en                     74.2-r0                apk                      
+icu-libs                        74.2-r0                apk                      
+idna                            3.8                    python                   
+importlib-metadata              8.0.0                  python                   
+importlib-resources             6.4.0                  python                   
+inflect                         7.3.1                  python                   
+iptables                        1.8.10-r3              apk                      
+iptables-legacy                 1.8.10-r3              apk                      
+isodate                         0.6.1                  python                   
+jaraco-context                  5.3.0                  python                   
+jaraco-functools                4.0.1                  python                   
+jaraco-text                     3.12.1                 python                   
+jmespath                        1.0.1                  python                   
+josepy                          1.14.0                 python                   
+jq                              1.7.1-r0               apk                      
+jsonlines                       4.0.0                  python                   
+jsonpickle                      3.2.2                  python                   
+libacl                          2.3.2-r0               apk                      
+libassuan                       2.5.7-r0               apk                      
+libattr                         2.5.2-r0               apk                      
+libavif                         1.0.4-r0               apk                      
+libbsd                          0.12.2-r0              apk                      
+libbz2                          1.0.8-r6               apk                      
+libcrypto3                      3.3.1-r3               apk                      
+libcurl                         8.9.0-r0               apk                      
+libdav1d                        1.4.2-r0               apk                      
+libedit                         20240517.3.1-r0        apk                      
+libevent                        2.1.12-r7              apk                      
+libexpat                        2.6.2-r0               apk                      
+libffi                          3.4.6-r0               apk                      
+libgcc                          13.2.1_git20240309-r0  apk                      
+libgcrypt                       1.10.3-r0              apk                      
+libgd                           2.3.3-r9               apk                      
+libgpg-error                    1.49-r0                apk                      
+libice                          1.1.1-r6               apk                      
+libidn2                         2.3.7-r0               apk                      
+libintl                         0.22.5-r0              apk                      
+libip4tc                        1.8.10-r3              apk                      
+libip6tc                        1.8.10-r3              apk                      
+libjpeg-turbo                   3.0.3-r0               apk                      
+libksba                         1.6.6-r0               apk                      
+libldap                         2.6.7-r0               apk                      
+libmaxminddb-libs               1.9.1-r0               apk                      
+libmcrypt                       2.5.8-r10              apk                      
+libmd                           1.1.0-r0               apk                      
+libmemcached-libs               1.1.4-r1               apk                      
+libmnl                          1.0.5-r2               apk                      
+libncursesw                     6.4_p20240420-r0       apk                      
+libnftnl                        1.2.6-r0               apk                      
+libpanelw                       6.4_p20240420-r0       apk                      
+libpng                          1.6.43-r0              apk                      
+libpq                           16.3-r0                apk                      
+libproc2                        4.0.4-r0               apk                      
+libpsl                          0.21.5-r1              apk                      
+libsasl                         2.1.28-r6              apk                      
+libseccomp                      2.5.5-r1               apk                      
+libsharpyuv                     1.3.2-r0               apk                      
+libsm                           1.2.4-r4               apk                      
+libsodium                       1.0.19-r0              apk                      
+libssl3                         3.3.1-r3               apk                      
+libstdc++                       13.2.1_git20240309-r0  apk                      
+libtasn1                        4.19.0-r2              apk                      
+libunistring                    1.2-r0                 apk                      
+libuuid                         2.40.1-r1              apk                      
+libwebp                         1.3.2-r0               apk                      
+libx11                          1.8.9-r1               apk                      
+libxau                          1.0.11-r4              apk                      
+libxcb                          1.16.1-r0              apk                      
+libxdmcp                        1.1.5-r1               apk                      
+libxext                         1.3.6-r2               apk                      
+libxml2                         2.12.7-r0              apk                      
+libxpm                          3.5.17-r0              apk                      
+libxslt                         1.1.39-r1              apk                      
+libxt                           1.3.0-r5               apk                      
+libxtables                      1.8.10-r3              apk                      
+libzip                          1.10.1-r0              apk                      
+linux-pam                       1.6.0-r0               apk                      
+logrotate                       3.21.0-r1              apk                      
+loopialib                       0.2.0                  python                   
+lxml                            5.3.0                  python                   
+lz4-libs                        1.9.4-r5               apk                      
+memcached                       1.6.27-r0              apk                      
+mock                            5.1.0                  python                   
+more-itertools                  10.3.0                 python                   
+mpdecimal                       4.0.0-r0               apk                      
+msal                            1.30.0                 python                   
+msal-extensions                 1.2.0                  python                   
+musl                            1.2.5-r0               apk                      
+musl-utils                      1.2.5-r0               apk                      
+my-test-package                 1.0                    python                   
+nano                            8.0-r0                 apk                      
+ncurses-terminfo-base           6.4_p20240420-r0       apk                      
+netcat-openbsd                  1.226-r0               apk                      
+nettle                          3.9.1-r0               apk                      
+nghttp2-libs                    1.62.1-r0              apk                      
+nginx                           1.26.2-r0              apk                      
+nginx-mod-devel-kit             1.26.2-r0              apk                      
+nginx-mod-http-brotli           1.26.2-r0              apk                      
+nginx-mod-http-dav-ext          1.26.2-r0              apk                      
+nginx-mod-http-echo             1.26.2-r0              apk                      
+nginx-mod-http-fancyindex       1.26.2-r0              apk                      
+nginx-mod-http-geoip2           1.26.2-r0              apk                      
+nginx-mod-http-headers-more     1.26.2-r0              apk                      
+nginx-mod-http-image-filter     1.26.2-r0              apk                      
+nginx-mod-http-perl             1.26.2-r0              apk                      
+nginx-mod-http-redis2           1.26.2-r0              apk                      
+nginx-mod-http-set-misc         1.26.2-r0              apk                      
+nginx-mod-http-upload-progress  1.26.2-r0              apk                      
+nginx-mod-http-xslt-filter      1.26.2-r0              apk                      
+nginx-mod-mail                  1.26.2-r0              apk                      
+nginx-mod-rtmp                  1.26.2-r0              apk                      
+nginx-mod-stream                1.26.2-r0              apk                      
+nginx-mod-stream-geoip2         1.26.2-r0              apk                      
+nginx-vim                       1.26.2-r0              apk                      
+npth                            1.6-r4                 apk                      
+oniguruma                       6.9.9-r0               apk                      
+openssl                         3.3.1-r3               apk                      
+p11-kit                         0.25.3-r0              apk                      
+packaging                       24.1                   python                   
+parsedatetime                   2.6                    python                   
+pcre                            8.45-r3                apk                      
+pcre2                           10.43-r0               apk                      
+perl                            5.38.2-r0              apk                      
+perl-error                      0.17029-r2             apk                      
+perl-git                        2.45.2-r0              apk                      
+php83                           8.3.10-r0              apk                      
+php83-bcmath                    8.3.10-r0              apk                      
+php83-bz2                       8.3.10-r0              apk                      
+php83-common                    8.3.10-r0              apk                      
+php83-ctype                     8.3.10-r0              apk                      
+php83-curl                      8.3.10-r0              apk                      
+php83-dom                       8.3.10-r0              apk                      
+php83-exif                      8.3.10-r0              apk                      
+php83-fileinfo                  8.3.10-r0              apk                      
+php83-fpm                       8.3.10-r0              apk                      
+php83-ftp                       8.3.10-r0              apk                      
+php83-gd                        8.3.10-r0              apk                      
+php83-gmp                       8.3.10-r0              apk                      
+php83-iconv                     8.3.10-r0              apk                      
+php83-imap                      8.3.10-r0              apk                      
+php83-intl                      8.3.10-r0              apk                      
+php83-ldap                      8.3.10-r0              apk                      
+php83-mbstring                  8.3.10-r0              apk                      
+php83-mysqli                    8.3.10-r0              apk                      
+php83-mysqlnd                   8.3.10-r0              apk                      
+php83-opcache                   8.3.10-r0              apk                      
+php83-openssl                   8.3.10-r0              apk                      
+php83-pdo                       8.3.10-r0              apk                      
+php83-pdo_mysql                 8.3.10-r0              apk                      
+php83-pdo_odbc                  8.3.10-r0              apk                      
+php83-pdo_pgsql                 8.3.10-r0              apk                      
+php83-pdo_sqlite                8.3.10-r0              apk                      
+php83-pear                      8.3.10-r0              apk                      
+php83-pecl-apcu                 5.1.23-r0              apk                      
+php83-pecl-igbinary             3.2.15-r0              apk                      
+php83-pecl-mcrypt               1.0.7-r0               apk                      
+php83-pecl-memcached            3.2.0-r0               apk                      
+php83-pecl-msgpack              2.2.0-r2               apk                      
+php83-pecl-redis                6.0.2-r0               apk                      
+php83-pgsql                     8.3.10-r0              apk                      
+php83-phar                      8.3.10-r0              apk                      
+php83-posix                     8.3.10-r0              apk                      
+php83-session                   8.3.10-r0              apk                      
+php83-simplexml                 8.3.10-r0              apk                      
+php83-soap                      8.3.10-r0              apk                      
+php83-sockets                   8.3.10-r0              apk                      
+php83-sodium                    8.3.10-r0              apk                      
+php83-sqlite3                   8.3.10-r0              apk                      
+php83-tokenizer                 8.3.10-r0              apk                      
+php83-xml                       8.3.10-r0              apk                      
+php83-xmlreader                 8.3.10-r0              apk                      
+php83-xmlwriter                 8.3.10-r0              apk                      
+php83-xsl                       8.3.10-r0              apk                      
+php83-zip                       8.3.10-r0              apk                      
+pinentry                        1.3.0-r0               apk                      
+pip                             24.2                   python                   
+pkb-client                      1.2                    python                   
+platformdirs                    4.2.2                  python                   
+popt                            1.19-r3                apk                      
+portalocker                     2.10.1                 python                   
+procps-ng                       4.0.4-r0               apk                      
+proto-plus                      1.24.0                 python                   
+protobuf                        5.28.0                 python                   
+pyacmedns                       0.4                    python                   
+pyasn1                          0.6.0                  python                   
+pyasn1-modules                  0.4.0                  python                   
+pyc                             3.12.3-r2              apk                      
+pycparser                       2.22                   python                   
+pyjwt                           2.9.0                  python                   
+pynamecheap                     0.0.3                  python                   
+pyopenssl                       24.2.1                 python                   
+pyotp                           2.9.0                  python                   
+pyparsing                       3.1.4                  python                   
+pyrfc3339                       1.1                    python                   
+python-dateutil                 2.9.0.post0            python                   
+python-digitalocean             1.17.0                 python                   
+python-transip                  0.6.0                  python                   
+python3                         3.12.3-r2              apk                      
+python3-pyc                     3.12.3-r2              apk                      
+python3-pycache-pyc0            3.12.3-r2              apk                      
+pytz                            2024.1                 python                   
+pyyaml                          6.0.2                  python                   
+readline                        8.2.10-r0              apk                      
+requests                        2.32.3                 python                   
+requests-file                   2.1.0                  python                   
+requests-mock                   1.12.1                 python                   
+rsa                             4.9                    python                   
+s3transfer                      0.10.2                 python                   
+scanelf                         1.3.7-r2               apk                      
+setuptools                      74.0.0                 python                   
+shadow                          4.15.1-r0              apk                      
+six                             1.16.0                 python                   
+skalibs                         2.14.1.1-r0            apk                      
+soupsieve                       2.6                    python                   
+sqlite-libs                     3.45.3-r1              apk                      
+ssl_client                      1.36.1-r29             apk                      
+tiff                            4.6.0t-r0              apk                      
+tldextract                      5.1.2                  python                   
+tomli                           2.0.1                  python                   
+typeguard                       4.3.0                  python                   
+typing-extensions               4.12.2                 python  (+1 duplicate)   
+tzdata                          2024a-r1               apk                      
+unixodbc                        2.3.12-r0              apk                      
+uritemplate                     4.1.1                  python                   
+urllib3                         2.2.2                  python                   
+utmps-libs                      0.1.2.2-r1             apk                      
+wheel                           0.43.0                 python                   
+wheel                           0.44.0                 python                   
+whois                           5.5.23-r0              apk                      
+xz-libs                         5.6.2-r0               apk                      
+zipp                            3.19.2                 python                   
+zlib                            1.3.1-r1               apk                      
+zope-interface                  7.0.3                  python                   
+zstd-libs                       1.5.6-r0               apk                      
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -7,41 +7,24 @@ project_logo: "https://github.com/linuxserver/docker-templates/raw/master/linuxs
 project_blurb: "SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention."
 project_lsio_github_repo_url: "https://github.com/linuxserver/docker-{{ project_name }}"

-project_blurb_optional_extras_enabled: false
-project_blurb_optional_extras: []
-
 # supported architectures
 available_architectures:
  - { arch: "{{ arch_x86_64 }}", tag: "amd64-latest"}
  - { arch: "{{ arch_arm64 }}", tag: "arm64v8-latest"}
-  - { arch: "{{ arch_armhf }}", tag: "arm32v7-latest"}
-
-# development version
-development_versions: false
-development_versions_items:
-  - { tag: "latest", desc: "Stable releases" }
-

 # container parameters
-common_param_env_vars_enabled: true #PGID, PUID, etc, you can set it to 'optional'
+common_param_env_vars_enabled: true
 param_container_name: "{{ project_name }}"
-param_usage_include_net: false #you can set it to 'optional'
-param_net: "host"
-param_net_desc: "Shares host networking with container."
 param_usage_include_env: true
 param_env_vars:
-  - { env_var: "TZ", env_value: "Europe/London", desc: "Specify a timezone to use EG Europe/London." }
  - { env_var: "URL", env_value: "yourdomain.url", desc: "Top url you have control over (`customdomain.com` if you own it, or `customsubdomain.ddnsprovider.com` if dynamic dns)." }
-  - { env_var: "VALIDATION", env_value: "http", desc: "Certbot validation method to use, options are `http` or `dns` (`dns` method also requires `DNSPLUGIN` variable set)." }
+  - { env_var: "VALIDATION", env_value: "http", desc: "Certbot validation method to use, options are `http` or `dns` (`dns` method also requires `DNSPLUGIN` variable set).", env_options: ["http", "dns"] }
 param_usage_include_vols: true
 param_volumes:
-  - { vol_path: "/config", vol_host_path: "/path/to/appdata/config", desc: "All the config files including the webroot reside here." }
+  - { vol_path: "/config", vol_host_path: "/path/to/{{ project_name }}/config", desc: "Persistent config files" }
 param_usage_include_ports: true
 param_ports:
  - { external_port: "443", internal_port: "443", port_desc: "Https port" }
-param_device_map: false
-param_devices:
-  - { device_path: "/dev/dri", device_host_path: "/dev/dri", desc: "For hardware transcoding" }
 cap_add_param: true
 cap_add_param_vars:
  - { cap_add_var: "NET_ADMIN" }
@@ -51,27 +34,15 @@ opt_param_usage_include_env: true
 opt_param_env_vars:
  - { env_var: "SUBDOMAINS", env_value: "www,", desc: "Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this *exactly* to `wildcard` (wildcard cert is available via `dns` validation only)" }
  - { env_var: "CERTPROVIDER", env_value: "", desc: "Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt." }
-  - { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `duckdns`, `dynu`, `gandi`, `gehirn`, `godaddy`, `google`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." }
+  - { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `bunny`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `dreamhost`, `duckdns`, `dynudns`, `freedns`, `gandi`, `gehirn`, `glesys`, `godaddy`, `google`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `namecheap`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." }
  - { env_var: "PROPAGATION", env_value: "", desc: "Optionally override (in seconds) the default propagation time for the dns plugins." }
  - { env_var: "EMAIL", env_value: "", desc: "Optional e-mail address used for cert expiration notifications (Required for ZeroSSL)." }
  - { env_var: "ONLY_SUBDOMAINS", env_value: "false", desc: "If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true`" }
  - { env_var: "EXTRA_DOMAINS", env_value: "", desc: "Additional fully qualified domain names (comma separated, no spaces) ie. `extradomain.com,subdomain.anotherdomain.org,*.anotherdomain.org`" }
  - { env_var: "STAGING", env_value: "false", desc: "Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes." }
-opt_param_usage_include_vols: false
-opt_param_volumes:
-  - { vol_path: "/config", vol_host_path: "/path/to/appdata/config", desc: "Configuration files." }
 opt_param_usage_include_ports: true
 opt_param_ports:
  - { external_port: "80", internal_port: "80", port_desc: "Http port (required for http validation and http -> https redirect)" }
-opt_param_device_map: false
-opt_param_devices:
-  - { device_path: "/dev/dri", device_host_path: "/dev/dri", desc: "For hardware transcoding" }
-opt_cap_add_param: false
-opt_cap_add_param_vars:
-  - { cap_add_var: "NET_ADMIN" }
-
-optional_block_1: false
-optional_block_1_items: ""

 # application setup block
 app_setup_block_enabled: true
@@ -84,13 +55,28 @@ app_setup_block: |
  * For `dns` validation, make sure to enter your credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`
    * Cloudflare provides free accounts for managing dns and is very easy to use with this image. Make sure that it is set up for "dns only" instead of "dns + proxy"
    * Google dns plugin is meant to be used with "Google Cloud DNS", a paid enterprise product, and not for "Google Domains DNS"
-    * DuckDNS only supoprts two types of DNS validated certificates (not both at the same time):
+    * DuckDNS only supports two types of DNS validated certificates (not both at the same time):
      1. Certs that only cover your main subdomain (ie. `yoursubdomain.duckdns.org`, leave the `SUBDOMAINS` variable empty)
      2. Certs that cover sub-subdomains of your main subdomain (ie. `*.yoursubdomain.duckdns.org`, set the `SUBDOMAINS` variable to `wildcard`)
  * `--cap-add=NET_ADMIN` is required for fail2ban to modify iptables
  * After setup, navigate to `https://yourdomain.url` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default.conf`).
  * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.

+  ### Certbot Plugins
+
+  SWAG includes many Certbot plugins out of the box, but not all plugins can be included.
+  If you need a plugin that is not included, the quickest way to have the plugin available is to use our [Universal Package Install Docker Mod](https://github.com/linuxserver/docker-mods/tree/universal-package-install).
+
+  Set the following environment variables on your container:
+
+  ```yaml
+  DOCKER_MODS=linuxserver/mods:universal-package-install
+  INSTALL_PIP_PACKAGES=certbot-dns-<plugin>
+  ```
+
+  Set the required credentials (usually found in the plugin documentation) in `/config/dns-conf/<plugin>.ini`.
+  It is recommended to attempt obtaining a certificate with `STAGING=true` first to make sure the plugin is working as expected.
+
  ### Security and password protection

  * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
@@ -154,6 +140,32 @@ app_setup_block: |

 # changelog
 changelogs:
+  - { date: "24.07.14:", desc: "Rebase to Alpine 3.20. Remove deprecated Google Domains certbot plugin. Existing users should update their nginx confs to avoid http2 deprecation warnings."}
+  - { date: "01.07.24:", desc: "Fall back to iptables-legacy if iptables doesn't work." }
+  - { date: "23.03.24:", desc: "Fix perms on the generated `priv-fullchain-bundle.pem`." }
+  - { date: "14.03.24:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-location.conf, authelia-server.conf - Update Authelia conf samples with support for 4.38." }
+  - { date: "11.03.24:", desc: "Restore support for DynuDNS using `certbot-dns-dynudns`." }
+  - { date: "06.03.24:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) site-confs/default.conf - Cleanup default site conf." }
+  - { date: "04.03.24:", desc: "Remove `stream.conf` inside the container to allow users to include their own block in `nginx.conf`." }
+  - { date: "23.01.24:", desc: "Rebase to Alpine 3.19 with php 8.3, add root periodic crontabs for logrotate." }
+  - { date: "01.01.24:", desc: "Add GleSYS DNS plugin." }
+  - { date: "11.12.23:", desc: "Deprecate certbot-dns-dynu to resolve dependency conflicts with other plugins." }
+  - { date: "30.11.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) site-confs/default.conf - Fix index.php being downloaded on 404." }
+  - { date: "23.11.23:", desc: "Run certbot as root to allow fix http validation." }
+  - { date: "01.10.23:", desc: "Fix \"unrecognized arguments\" issue in DirectAdmin DNS plugin." }
+  - { date: "28.08.23:", desc: "Add Namecheap DNS plugin." }
+  - { date: "12.08.23:", desc: "Add FreeDNS plugin. Detect certbot DNS authenticators using CLI." }
+  - { date: "07.08.23:", desc: "Add Bunny DNS Configuration." }
+  - { date: "27.07.23:", desc: "Added support for dreamhost validation." }
+  - { date: "25.05.23:", desc: "Rebase to Alpine 3.18, deprecate armhf." }
+  - { date: "27.04.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-location.conf, authelia-server.conf, authentik-location.conf, authentik-server.conf - Simplify auth configs and fix Set-Cookie header bug." }
+  - { date: "13.04.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, authelia-location.conf, authentik-location.conf, and site-confs/default.conf - Move ssl.conf include to default.conf. Remove Authorization headers in authelia. Sort proxy_set_header in authelia and authentik." }
+  - { date: "25.03.23:", desc: "Fix renewal post hook." }
+  - { date: "10.03.23:", desc: "Cleanup unused csr and keys folders. See [certbot 2.3.0 release notes](https://github.com/certbot/certbot/releases/tag/v2.3.0)." }
+  - { date: "09.03.23:", desc: "Add Google Domains DNS support, `google-domains`." }
+  - { date: "02.03.23:", desc: "Set permissions on crontabs during init." }
+  - { date: "09.02.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf, authelia-location.conf and authelia-server.conf - Add Authentik configs, update Authelia configs." }
+  - { date: "06.02.23:", desc: "Add porkbun support back in." }
  - { date: "21.01.23:", desc: "Unpin certbot version (allow certbot 2.x). !!BREAKING CHANGE!! We are temporarily removing the certbot porkbun plugin until a new version is released that is compatible with certbot 2.x." }
  - { date: "20.01.23:", desc: "Rebase to alpine 3.17 with php8.1." }
  - { date: "16.01.23:", desc: "Remove nchan module because it keeps causing crashes." }
--- a/root/defaults/dns-conf/bunny.ini
+++ b/root/defaults/dns-conf/bunny.ini
@@ -0,0 +1,2 @@
+# Bunny API token used by Certbot
+dns_bunny_api_key = a65e8ebd-45ab-44d2-a542-40d4d009e3bf
--- a/root/defaults/dns-conf/dreamhost.ini
+++ b/root/defaults/dns-conf/dreamhost.ini
@@ -0,0 +1,4 @@
+# Instructions: https://github.com/goncalo-leal/certbot-dns-dreamhost#usage
+# Replace with your values
+dns_dreamhost_baseurl = "https://api.dreamhost.com/"
+dns_dreamhost_api_key = "<api_key>"
--- a/root/defaults/dns-conf/dynu-credentials.ini
+++ b/root/defaults/dns-conf/dynu-credentials.ini
@@ -0,0 +1,3 @@
+# Instructions: https://github.com/DustyRah/certbot-dns-dynudns
+# Replace with your API token from your dynudns account.
+dns_dynu_auth_token = AbCbASsd!@34
--- a/root/defaults/dns-conf/dynu.ini
+++ b/root/defaults/dns-conf/dynu.ini
@@ -1,3 +0,0 @@
-# Instructions: https://github.com/bikram990/certbot-dns-dynu#configuration
-# Replace with your API token from your dynu account.
-dns_dynu_auth_token = AbCbASsd!@34
--- a/root/defaults/dns-conf/freedns.ini
+++ b/root/defaults/dns-conf/freedns.ini
@@ -0,0 +1,4 @@
+# Instructions: https://github.com/schleuss/certbot_dns_freedns#credentials
+# Replace with your values
+dns_freedns_username = myremoteuser
+dns_freedns_password = verysecureremoteuserpassword
--- a/root/defaults/dns-conf/glesys.ini
+++ b/root/defaults/dns-conf/glesys.ini
@@ -0,0 +1,5 @@
+# Instructions: https://github.com/runfalk/certbot-dns-glesys#usage
+
+# GleSYS API credentials used by Certbot
+dns_glesys_user = CL00000
+dns_glesys_password = apikeygoeshere
--- a/root/defaults/dns-conf/namecheap.ini
+++ b/root/defaults/dns-conf/namecheap.ini
@@ -0,0 +1,4 @@
+# Instructions: https://github.com/knoxell/certbot-dns-namecheap#credentials
+# Namecheap API credentials used by Certbot
+dns_namecheap_username=my-username
+dns_namecheap_api_key=my-api-key
--- a/root/defaults/dns-conf/netcup.ini
+++ b/root/defaults/dns-conf/netcup.ini
@@ -1,3 +1,5 @@
+# Recommended PROPAGATION value in environment for netcup is 900
+
 dns_netcup_customer_id  = 123456
 dns_netcup_api_key      = 0123456789abcdef0123456789abcdef01234567
 dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123
--- a/root/defaults/dns-conf/route53.ini
+++ b/root/defaults/dns-conf/route53.ini
@@ -1,5 +1,5 @@
 # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-route53/certbot_dns_route53/__init__.py#L18
 # Replace with your values
 [default]
-aws_access_key_id=AKIAIOSFODNN7EXAMPLE
-aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+; aws_access_key_id=AKIAIOSFODNN7EXAMPLE
+; aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
--- a/root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default
+++ b/root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default
@@ -5,4 +5,5 @@ cd /config/keys/letsencrypt || exit 1
 openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
 sleep 1
 cat {privkey,fullchain}.pem >priv-fullchain-bundle.pem
+chmod 600 priv-fullchain-bundle.pem
 chown -R abc:abc /config/etc/letsencrypt
--- a/root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx
+++ b/root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx
@@ -5,7 +5,7 @@
 . /config/.donoteditthisfile.conf

 if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then
-    if pgrep -f "s6-supervise nginx" >/dev/null; then
+    if pgrep -f "s6-supervise svc-nginx" >/dev/null; then
        s6-svc -u /run/service/svc-nginx
    fi
 else
--- a/root/defaults/fail2ban/filter.d/nginx-deny.conf
+++ b/root/defaults/fail2ban/filter.d/nginx-deny.conf
@@ -12,4 +12,4 @@ datepattern = {^LN-BEG}

 # DEV NOTES:
 #
-# Author: Will L (driz@linuxserver.io)
+# Author: notdriz
--- a/root/defaults/fail2ban/filter.d/nginx-unauthorized.conf
+++ b/root/defaults/fail2ban/filter.d/nginx-unauthorized.conf
@@ -3,5 +3,3 @@
 [Definition]

 failregex = ^<HOST>.*"(GET|POST|HEAD).*" (401) .*$
-
-ignoreregex = .*(?i)plex.*
--- a/root/defaults/nginx/authelia-location.conf.sample
+++ b/root/defaults/nginx/authelia-location.conf.sample
@@ -1,15 +1,32 @@
-## Version 2022/08/20 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample
+## Version 2024/03/14 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample
 # Make sure that your authelia container is in the same user defined bridge network and is named authelia
-# Make sure that the authelia configuration.yml has 'path: "authelia"' defined
+# Rename /config/nginx/proxy-confs/authelia.subdomain.conf.sample to /config/nginx/proxy-confs/authelia.subdomain.conf
+# For authelia 4.37 and below, make sure that the authelia configuration.yml has 'path: "authelia"' defined
+# For authelia 4.38 and above, make sure that the authelia configuration.yml has 'address: "tcp://:9091/authelia"' defined

-auth_request /authelia/api/verify;
-auth_request_set $target_url $scheme://$http_host$request_uri;
-auth_request_set $user $upstream_http_remote_user;
+## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource
+## For authelia 4.37 and below, use the following line
+# auth_request /authelia/api/verify;
+## For authelia 4.38 and above, use the following line
+auth_request /authelia/api/authz/auth-request;
+
+## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal
+error_page 401 = @authelia_proxy_signin;
+
+## Translate the user information response headers from the auth subrequest into variables
+auth_request_set $email $upstream_http_remote_email;
 auth_request_set $groups $upstream_http_remote_groups;
 auth_request_set $name $upstream_http_remote_name;
-auth_request_set $email $upstream_http_remote_email;
-proxy_set_header Remote-User $user;
+auth_request_set $user $upstream_http_remote_user;
+
+## Inject the user information into the request made to the actual upstream
+proxy_set_header Remote-Email $email;
 proxy_set_header Remote-Groups $groups;
 proxy_set_header Remote-Name $name;
-proxy_set_header Remote-Email $email;
-error_page 401 =302 https://$http_host/authelia/?rd=$target_url;
+proxy_set_header Remote-User $user;
+
+## Translate the Set-Cookie response header from the auth subrequest into a variable
+auth_request_set $set_cookie $upstream_http_set_cookie;
+
+## Translate the Location response header from the auth subrequest into a variable
+auth_request_set $signin_url $upstream_http_location;
--- a/root/defaults/nginx/authelia-server.conf.sample
+++ b/root/defaults/nginx/authelia-server.conf.sample
@@ -1,50 +1,72 @@
-## Version 2022/09/22 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample
+## Version 2024/03/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample
 # Make sure that your authelia container is in the same user defined bridge network and is named authelia
+# Rename /config/nginx/proxy-confs/authelia.subdomain.conf.sample to /config/nginx/proxy-confs/authelia.subdomain.conf
+# For authelia 4.37 and below, make sure that the authelia configuration.yml has 'path: "authelia"' defined
+# For authelia 4.38 and above, make sure that the authelia configuration.yml has 'address: "tcp://:9091/authelia"' defined

+# location for authelia subfolder requests
 location ^~ /authelia {
+    auth_request off; # requests to this subfolder must be accessible without authentication
+
    include /config/nginx/proxy.conf;
    include /config/nginx/resolver.conf;
    set $upstream_authelia authelia;
    proxy_pass http://$upstream_authelia:9091;
 }

+# location for authelia 4.37 and below auth requests
 location = /authelia/api/verify {
    internal;

+    include /config/nginx/proxy.conf;
    include /config/nginx/resolver.conf;
    set $upstream_authelia authelia;
-    proxy_pass_request_body off;
    proxy_pass http://$upstream_authelia:9091;
+
+    ## Include the Set-Cookie header if present
+    auth_request_set $set_cookie $upstream_http_set_cookie;
+    add_header Set-Cookie $set_cookie;
+
+    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
-
-    # Timeout if the real server is dead
-    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
-
-    # [REQUIRED] Needed by Authelia to check authorizations of the resource.
-    # Provide either X-Original-URL and X-Forwarded-Proto or
-    # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
-    # Those headers will be used by Authelia to deduce the target url of the user.
-    # Basic Proxy Config
-    client_body_buffer_size 128k;
-    proxy_set_header Host $host;
-    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $remote_addr;
-    proxy_set_header X-Forwarded-Method $request_method;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header X-Forwarded-Host $http_host;
-    proxy_set_header X-Forwarded-Uri $request_uri;
-    proxy_set_header X-Forwarded-Ssl on;
-    proxy_redirect  http://  $scheme://;
-    proxy_http_version 1.1;
-    proxy_set_header Connection "";
-    proxy_cache_bypass $cookie_session;
-    proxy_no_cache $cookie_session;
-    proxy_buffers 4 32k;
-
-    # Advanced Proxy Config
-    send_timeout 5m;
-    proxy_read_timeout 240;
-    proxy_send_timeout 240;
-    proxy_connect_timeout 240;
+}
+
+# location for authelia 4.38 and above auth requests
+location = /authelia/api/authz/auth-request {
+    internal;
+
+    include /config/nginx/proxy.conf;
+    include /config/nginx/resolver.conf;
+    set $upstream_authelia authelia;
+    proxy_pass http://$upstream_authelia:9091;
+
+    ## Include the Set-Cookie header if present
+    auth_request_set $set_cookie $upstream_http_set_cookie;
+    add_header Set-Cookie $set_cookie;
+
+    proxy_pass_request_body off;
+    proxy_set_header Content-Length "";
+}
+
+# virtual location for authelia 401 redirects
+location @authelia_proxy_signin {
+    internal;
+
+    ## Include the Set-Cookie header if present
+    auth_request_set $set_cookie $upstream_http_set_cookie;
+    add_header Set-Cookie $set_cookie;
+
+    ## Set the $target_url variable based on the original request
+    set_escape_uri $target_url $scheme://$http_host$request_uri;
+
+    ## Translate the Location response header from the auth subrequest into a variable
+    auth_request_set $signin_url $upstream_http_location;
+
+    if ($signin_url = '') {
+        ## Set the $signin_url variable
+        set $signin_url https://$http_host/authelia/?rd=$target_url;
+    }
+
+    ## Redirect to login
+    return 302 $signin_url;
 }
--- a/root/defaults/nginx/authentik-location.conf.sample
+++ b/root/defaults/nginx/authentik-location.conf.sample
@@ -0,0 +1,26 @@
+## Version 2023/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-location.conf.sample
+# Make sure that your authentik container is in the same user defined bridge network and is named authentik-server
+# Rename /config/nginx/proxy-confs/authentik.subdomain.conf.sample to /config/nginx/proxy-confs/authentik.subdomain.conf
+
+## Send a subrequest to Authentik to verify if the user is authenticated and has permission to access the resource
+auth_request /outpost.goauthentik.io/auth/nginx;
+
+## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal
+error_page 401 = @goauthentik_proxy_signin;
+
+## Translate the user information response headers from the auth subrequest into variables
+auth_request_set $authentik_email $upstream_http_x_authentik_email;
+auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+auth_request_set $authentik_name $upstream_http_x_authentik_name;
+auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+auth_request_set $authentik_username $upstream_http_x_authentik_username;
+
+## Inject the user information into the request made to the actual upstream
+proxy_set_header X-authentik-email $authentik_email;
+proxy_set_header X-authentik-groups $authentik_groups;
+proxy_set_header X-authentik-name $authentik_name;
+proxy_set_header X-authentik-uid $authentik_uid;
+proxy_set_header X-authentik-username $authentik_username;
+
+## Translate the Set-Cookie response header from the auth subrequest into a variable
+auth_request_set $set_cookie $upstream_http_set_cookie;
--- a/root/defaults/nginx/authentik-server.conf.sample
+++ b/root/defaults/nginx/authentik-server.conf.sample
@@ -0,0 +1,48 @@
+## Version 2023/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-server.conf.sample
+# Make sure that your authentik container is in the same user defined bridge network and is named authentik-server
+# Rename /config/nginx/proxy-confs/authentik.subdomain.conf.sample to /config/nginx/proxy-confs/authentik.subdomain.conf
+
+# location for authentik subfolder requests
+location ^~ /outpost.goauthentik.io {
+    auth_request off; # requests to this subfolder must be accessible without authentication
+
+    include /config/nginx/proxy.conf;
+    include /config/nginx/resolver.conf;
+    set $upstream_authentik authentik-server;
+    proxy_pass http://$upstream_authentik:9000;
+}
+
+# location for authentik auth requests
+location = /outpost.goauthentik.io/auth/nginx {
+    internal;
+
+    include /config/nginx/proxy.conf;
+    include /config/nginx/resolver.conf;
+    set $upstream_authentik authentik-server;
+    proxy_pass http://$upstream_authentik:9000;
+
+    ## Include the Set-Cookie header if present
+    auth_request_set $set_cookie $upstream_http_set_cookie;
+    add_header Set-Cookie $set_cookie;
+
+    proxy_pass_request_body off;
+    proxy_set_header Content-Length "";
+}
+
+# virtual location for authentik 401 redirects
+location @goauthentik_proxy_signin {
+    internal;
+
+    ## Include the Set-Cookie header if present
+    auth_request_set $set_cookie $upstream_http_set_cookie;
+    add_header Set-Cookie $set_cookie;
+
+    ## Set the $target_url variable based on the original request
+    set_escape_uri $target_url $scheme://$http_host$request_uri;
+
+    ## Set the $signin_url variable
+    set $signin_url https://$http_host/outpost.goauthentik.io/start?rd=$target_url;
+
+    ## Redirect to login
+    return 302 $signin_url;
+}
--- a/root/defaults/nginx/proxy.conf.sample
+++ b/root/defaults/nginx/proxy.conf.sample
@@ -1,4 +1,4 @@
-## Version 2022/09/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample
+## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample

 # Timeout if the real server is dead
 proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
@@ -25,11 +25,13 @@ proxy_set_header Host $host;
 proxy_set_header Proxy "";
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Host $host:$server_port;
+proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Method $request_method;
+proxy_set_header X-Forwarded-Port $server_port;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Server $host;
 proxy_set_header X-Forwarded-Ssl on;
 proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Original-Method $request_method;
 proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
 proxy_set_header X-Real-IP $remote_addr;
--- a/root/defaults/nginx/site-confs/default.conf.sample
+++ b/root/defaults/nginx/site-confs/default.conf.sample
@@ -1,4 +1,4 @@
-## Version 2022/10/03 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample

 # redirect all traffic to https
 server {
@@ -12,11 +12,13 @@ server {

 # main server block
 server {
-    listen 443 ssl http2 default_server;
-    listen [::]:443 ssl http2 default_server;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;

    server_name _;

+    include /config/nginx/ssl.conf;
+
    root /config/www;
    index index.html index.htm index.php;

@@ -29,6 +31,9 @@ server {
    # enable for Authelia (requires authelia-location.conf in the location block)
    #include /config/nginx/authelia-server.conf;

+    # enable for Authentik (requires authentik-location.conf in the location block)
+    #include /config/nginx/authentik-server.conf;
+
    location / {
        # enable for basic auth
        #auth_basic "Restricted";
@@ -40,11 +45,28 @@ server {
        # enable for Authelia (requires authelia-server.conf in the server block)
        #include /config/nginx/authelia-location.conf;

-        try_files $uri $uri/ /index.html /index.php$is_args$args =404;
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
+        try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
    }

    location ~ ^(.+\.php)(.*)$ {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
+
+        # enable for Authelia (requires authelia-server.conf in the server block)
+        #include /config/nginx/authelia-location.conf;
+
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
        fastcgi_split_path_info ^(.+\.php)(.*)$;
+        if (!-f $document_root$fastcgi_script_name) { return 404; }
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
--- a/root/etc/crontabs/abc
+++ b/root/etc/crontabs/abc
--- a/root/etc/crontabs/root
+++ b/root/etc/crontabs/root
@@ -1,9 +1,8 @@
-# do daily/weekly/monthly maintenance
 # min   hour    day     month   weekday command
 */15    *       *       *       *       run-parts /etc/periodic/15min
 0       *       *       *       *       run-parts /etc/periodic/hourly
 0       2       *       *       *       run-parts /etc/periodic/daily
 0       3       *       *       6       run-parts /etc/periodic/weekly
 0       5       1       *       *       run-parts /etc/periodic/monthly
-# renew letsencrypt certs
+
 8       2       *       *       *       /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1
--- a/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run
@@ -23,24 +23,58 @@ for i in "${SANED_VARS[@]}"; do
    export echo "${i}"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
 done

+# Check for and install requested DNS plugins
+if grep -q "universal-package-install" <<< "${DOCKER_MODS}" && grep -q "certbot-dns" <<< "${INSTALL_PIP_PACKAGES}"; then
+    echo "**** Installing requested dns plugins ****"
+    /etc/s6-overlay/s6-rc.d/init-mod-universal-package-install-add-package/run
+    /etc/s6-overlay/s6-rc.d/init-mods-package-install/run
+fi
+
 # check to make sure DNSPLUGIN is selected if dns validation is used
-if [[ "${VALIDATION}" = "dns" ]] && [[ ! "${DNSPLUGIN}" =~ ^(acmedns|aliyun|azure|cloudflare|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|do|domeneshop|duckdns|dynu|gandi|gehirn|godaddy|google|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then
-    echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details."
+CERTBOT_DNS_AUTHENTICATORS=$(certbot plugins --authenticators 2>/dev/null | sed -e 's/^Entry point: EntryPoint(name='\''cpanel'\''/Entry point: EntryPoint(name='\''dns-cpanel'\''/' -e '/EntryPoint(name='\''dns-/!d' -e 's/^Entry point: EntryPoint(name='\''dns-\([^ ]*\)'\'',/\1/' | sort)
+if [[ "${VALIDATION}" = "dns" ]] && ! echo "${CERTBOT_DNS_AUTHENTICATORS}" | grep -q "${DNSPLUGIN}"; then
+    echo "Please set the DNSPLUGIN variable to one of the following:"
+    echo "${CERTBOT_DNS_AUTHENTICATORS}"
    sleep infinity
 fi

+# set owner of certbot's CONFIG_DIR, WORK_DIR, and LOGS_DIR to abc
+lsiown -R abc:abc \
+    /etc/letsencrypt \
+    /var/lib/letsencrypt \
+    /var/log/letsencrypt
+
+# set_ini_value logic:
+# - if the name is not found in the file, append the name=value to the end of the file
+# - if the name is found in the file, replace the value
+# - if the name is found in the file but commented out, uncomment the line and replace the value
+# call set_ini_value with parameters: $1=name $2=value $3=file
+function set_ini_value() {
+    name=${1//\//\\/}
+    value=${2//\//\\/}
+    sed -i \
+        -e '/^#\?\(\s*'"${name}"'\s*=\s*\).*/{s//\1'"${value}"'/;:a;n;ba;q}' \
+        -e '$a'"${name}"'='"${value}" "${3}"
+}
+
+# ensure config files exist and has at least one value set (set_ini_value does not work on empty files)
+touch /config/etc/letsencrypt/cli.ini
+lsiown abc:abc /config/etc/letsencrypt/cli.ini
+grep -qF 'agree-tos' /config/etc/letsencrypt/cli.ini || echo 'agree-tos=true' >>/config/etc/letsencrypt/cli.ini
+
 # copy dns default configs
-cp -n /defaults/dns-conf/* /config/dns-conf/
+cp -n /defaults/dns-conf/* /config/dns-conf/ 2> >(grep -v 'cp: not replacing')
 lsiown -R abc:abc /config/dns-conf

 # copy default renewal hooks
 chmod -R +x /defaults/etc/letsencrypt/renewal-hooks
-cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/
+cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/ 2> >(grep -v 'cp: not replacing')
 lsiown -R abc:abc /config/etc/letsencrypt/renewal-hooks

 # replace nginx service location in renewal hooks
 find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|/run/service/nginx|/run/service/svc-nginx|g' {} \;
 find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|/var/run/s6/services/nginx|/run/service/svc-nginx|g' {} \;
+find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|s6-supervise nginx|s6-supervise svc-nginx|g' {} \;

 # create original config file if it doesn't exist, move non-hidden legacy file to hidden
 if [[ -f "/config/donoteditthisfile.conf" ]]; then
@@ -140,6 +174,10 @@ else
    ln -s ../etc/letsencrypt/live/"${URL}" /config/keys/letsencrypt
 fi

+# cleanup unused csr and keys folders
+rm -rf /etc/letsencrypt/csr
+rm -rf /etc/letsencrypt/keys
+
 # checking for changes in cert variables, revoking certs if necessary
 if [[ ! "${URL}" = "${ORIGURL}" ]] ||
    [[ ! "${SUBDOMAINS}" = "${ORIGSUBDOMAINS}" ]] ||
@@ -152,21 +190,25 @@ if [[ ! "${URL}" = "${ORIGURL}" ]] ||
    [[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]]; then
    echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
    if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]] && [[ -n "${ORIGEMAIL}" ]]; then
-        REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${ORIGEMAIL}")
-        REV_ZEROSSL_EAB_KID=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
-        REV_ZEROSSL_EAB_HMAC_KEY=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
+        REV_ACMESERVER=("https://acme.zerossl.com/v2/DV90")
+        REV_ZEROSSL_EAB_KID=$(awk -F "=" '/eab-kid/ {print $2}' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf" | tr -d ' ')
+        REV_ZEROSSL_EAB_HMAC_KEY=$(awk -F "=" '/eab-hmac-key/ {print $2}' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf" | tr -d ' ')
        if [[ -z "${REV_ZEROSSL_EAB_KID}" ]] || [[ -z "${REV_ZEROSSL_EAB_HMAC_KEY}" ]]; then
-            echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
-            sleep infinity
+            REV_ZEROSSL_EAB_KID=$(awk -F "=" '/eab-kid/ {print $2}' /config/etc/letsencrypt/cli.ini | tr -d ' ')
+            REV_ZEROSSL_EAB_HMAC_KEY=$(awk -F "=" '/eab-hmac-key/ {print $2}' /config/etc/letsencrypt/cli.ini | tr -d ' ')
+        fi
+        if [[ -n "${REV_ZEROSSL_EAB_KID}" ]] && [[ -n "${REV_ZEROSSL_EAB_HMAC_KEY}" ]]; then
+            REV_ACMESERVER+=("--eab-kid" "${REV_ZEROSSL_EAB_KID}" "--eab-hmac-key" "${REV_ZEROSSL_EAB_HMAC_KEY}")
        fi
-        REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}"
    elif [[ "${ORIGSTAGING}" = "true" ]]; then
-        REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
+        REV_ACMESERVER=("https://acme-staging-v02.api.letsencrypt.org/directory")
    else
-        REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
+        REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
    fi
    if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
-        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER} || true
+        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true
+    else
+        certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
    fi
    rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
 fi
@@ -177,9 +219,11 @@ echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS
 # Check if the cert is using the old LE root cert, revoke and regen if necessary
 if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "letsencrypt" ]] || [[ "${CERTPROVIDER}" == "" ]]; } && [[ "${STAGING}" != "true" ]] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
    echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
-    REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
+    REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
    if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
-        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER} || true
+        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true
+    else
+        certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
    fi
    rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
 fi
@@ -203,52 +247,51 @@ else
    ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
 fi

-# figuring out url only vs url & subdomains vs subdomains only
+set_ini_value "server" "${ACMESERVER}" /config/etc/letsencrypt/cli.ini
+
+# figuring out domain only vs domain & subdomains vs subdomains only
+DOMAINS_ARRAY=()
+if [[ -z "${SUBDOMAINS}" ]] || [[ "${ONLY_SUBDOMAINS}" != true ]]; then
+    DOMAINS_ARRAY+=("${URL}")
+fi
 if [[ -n "${SUBDOMAINS}" ]]; then
    echo "SUBDOMAINS entered, processing"
+    SUBDOMAINS_ARRAY=()
    if [[ "${SUBDOMAINS}" = "wildcard" ]]; then
-        if [[ "${ONLY_SUBDOMAINS}" = true ]]; then
-            export URL_REAL="-d *.${URL}"
-            echo "Wildcard cert for only the subdomains of ${URL} will be requested"
-        else
-            export URL_REAL="-d *.${URL} -d ${URL}"
-            echo "Wildcard cert for ${URL} will be requested"
-        fi
+        SUBDOMAINS_ARRAY+=("*.${URL}")
+        echo "Wildcard cert for ${URL} will be requested"
    else
-        echo "SUBDOMAINS entered, processing"
        for job in $(echo "${SUBDOMAINS}" | tr "," " "); do
-            export SUBDOMAINS_REAL="${SUBDOMAINS_REAL} -d ${job}.${URL}"
+            SUBDOMAINS_ARRAY+=("${job}.${URL}")
        done
-        if [[ "${ONLY_SUBDOMAINS}" = true ]]; then
-            URL_REAL="${SUBDOMAINS_REAL}"
-            echo "Only subdomains, no URL in cert"
-        else
-            URL_REAL="-d ${URL}${SUBDOMAINS_REAL}"
-        fi
-        echo "Sub-domains processed are: ${SUBDOMAINS_REAL}"
+        echo "Sub-domains processed are: $(echo "${SUBDOMAINS_ARRAY[*]}" | tr " " ",")"
    fi
-else
-    echo "No subdomains defined"
-    URL_REAL="-d ${URL}"
+    DOMAINS_ARRAY+=("${SUBDOMAINS_ARRAY[@]}")
 fi

 # add extra domains
 if [[ -n "${EXTRA_DOMAINS}" ]]; then
    echo "EXTRA_DOMAINS entered, processing"
+    EXTRA_DOMAINS_ARRAY=()
    for job in $(echo "${EXTRA_DOMAINS}" | tr "," " "); do
-        export EXTRA_DOMAINS_REAL="${EXTRA_DOMAINS_REAL} -d ${job}"
+        EXTRA_DOMAINS_ARRAY+=("${job}")
    done
-    echo "Extra domains processed are: ${EXTRA_DOMAINS_REAL}"
-    URL_REAL="${URL_REAL} ${EXTRA_DOMAINS_REAL}"
+    echo "Extra domains processed are: $(echo "${EXTRA_DOMAINS_ARRAY[*]}" | tr " " ",")"
+    DOMAINS_ARRAY+=("${EXTRA_DOMAINS_ARRAY[@]}")
 fi

+# setting domains in cli.ini
+set_ini_value "domains" "$(echo "${DOMAINS_ARRAY[*]}" | tr " " ",")" /config/etc/letsencrypt/cli.ini
+
 # figuring out whether to use e-mail and which
 if [[ ${EMAIL} == *@* ]]; then
    echo "E-mail address entered: ${EMAIL}"
-    EMAILPARAM="-m ${EMAIL} --no-eff-email"
+    set_ini_value "email" "${EMAIL}" /config/etc/letsencrypt/cli.ini
+    set_ini_value "no-eff-email" "true" /config/etc/letsencrypt/cli.ini
+    set_ini_value "register-unsafely-without-email" "false" /config/etc/letsencrypt/cli.ini
 else
    echo "No e-mail address entered or address invalid"
-    EMAILPARAM="--register-unsafely-without-email"
+    set_ini_value "register-unsafely-without-email" "true" /config/etc/letsencrypt/cli.ini
 fi

 # alter extension for error message
@@ -260,37 +303,41 @@ fi

 # setting the validation method to use
 if [[ "${VALIDATION}" = "dns" ]]; then
-    AUTHENTICATORPARAM="--authenticator dns-${DNSPLUGIN}"
-    DNSCREDENTIALSPARAM="--dns-${DNSPLUGIN}-credentials ${DNSCREDENTIALFILE}"
-    if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+    set_ini_value "preferred-challenges" "dns" /config/etc/letsencrypt/cli.ini
+    set_ini_value "authenticator" "dns-${DNSPLUGIN}" /config/etc/letsencrypt/cli.ini
+    set_ini_value "dns-${DNSPLUGIN}-credentials" "${DNSCREDENTIALFILE}" /config/etc/letsencrypt/cli.ini
+    if [[ -n "${PROPAGATION}" ]]; then set_ini_value "dns-${DNSPLUGIN}-propagation-seconds" "${PROPAGATION}" /config/etc/letsencrypt/cli.ini; fi

    # plugins that don't support setting credentials file
    if [[ "${DNSPLUGIN}" =~ ^(route53|standalone)$ ]]; then
-        DNSCREDENTIALSPARAM=""
+        sed -i "/^dns-${DNSPLUGIN}-credentials\b/d" /config/etc/letsencrypt/cli.ini
    fi
    # plugins that don't support setting propagation
-    if [[ "${DNSPLUGIN}" =~ ^(azure|gandi|standalone)$ ]]; then
+    if [[ "${DNSPLUGIN}" =~ ^(azure|gandi|route53|standalone)$ ]]; then
        if [[ -n "${PROPAGATION}" ]]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi
-        PROPAGATIONPARAM=""
+        sed -i "/^dns-${DNSPLUGIN}-propagation-seconds\b/d" /config/etc/letsencrypt/cli.ini
    fi
    # plugins that use old parameter naming convention
    if [[ "${DNSPLUGIN}" =~ ^(cpanel)$ ]]; then
-        AUTHENTICATORPARAM="--authenticator ${DNSPLUGIN}"
-        DNSCREDENTIALSPARAM="--${DNSPLUGIN}-credentials ${DNSCREDENTIALFILE}"
-        if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+        sed -i "/^dns-${DNSPLUGIN}-credentials\b/d" /config/etc/letsencrypt/cli.ini
+        sed -i "/^dns-${DNSPLUGIN}-propagation-seconds\b/d" /config/etc/letsencrypt/cli.ini
+        set_ini_value "authenticator" "${DNSPLUGIN}" /config/etc/letsencrypt/cli.ini
+        set_ini_value "${DNSPLUGIN}-credentials" "${DNSCREDENTIALFILE}" /config/etc/letsencrypt/cli.ini
+        if [[ -n "${PROPAGATION}" ]]; then set_ini_value "${DNSPLUGIN}-propagation-seconds" "${PROPAGATION}" /config/etc/letsencrypt/cli.ini; fi
    fi
    # don't restore txt records when using DuckDNS plugin
    if [[ "${DNSPLUGIN}" =~ ^(duckdns)$ ]]; then
-        AUTHENTICATORPARAM="${AUTHENTICATORPARAM} --dns-${DNSPLUGIN}-no-txt-restore"
+        set_ini_value "dns-${DNSPLUGIN}-no-txt-restore" "true" /config/etc/letsencrypt/cli.ini
    fi

-    PREFCHAL="${AUTHENTICATORPARAM} ${DNSCREDENTIALSPARAM} ${PROPAGATIONPARAM}"
    echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
 elif [[ "${VALIDATION}" = "tls-sni" ]]; then
-    PREFCHAL="--standalone --preferred-challenges http"
+    set_ini_value "preferred-challenges" "http" /config/etc/letsencrypt/cli.ini
+    set_ini_value "authenticator" "standalone" /config/etc/letsencrypt/cli.ini
    echo "*****tls-sni validation has been deprecated, attempting http validation instead"
 else
-    PREFCHAL="--standalone --preferred-challenges http"
+    set_ini_value "preferred-challenges" "http" /config/etc/letsencrypt/cli.ini
+    set_ini_value "authenticator" "standalone" /config/etc/letsencrypt/cli.ini
    echo "http validation is selected"
 fi

@@ -299,17 +346,17 @@ if [[ ! -f "/config/keys/letsencrypt/fullchain.pem" ]]; then
    if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then
        echo "Retrieving EAB from ZeroSSL"
        EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${EMAIL}")
-        ZEROSSL_EAB_KID=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
-        ZEROSSL_EAB_HMAC_KEY=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
+        ZEROSSL_EAB_KID=$(echo "${EAB_CREDS}" | jq .eab_kid)
+        ZEROSSL_EAB_HMAC_KEY=$(echo "${EAB_CREDS}" | jq .eab_hmac_key)
        if [[ -z "${ZEROSSL_EAB_KID}" ]] || [[ -z "${ZEROSSL_EAB_HMAC_KEY}" ]]; then
            echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
            sleep infinity
        fi
-        ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}"
+        set_ini_value "eab-kid" "${ZEROSSL_EAB_KID}" /config/etc/letsencrypt/cli.ini
+        set_ini_value "eab-hmac-key" "${ZEROSSL_EAB_HMAC_KEY}" /config/etc/letsencrypt/cli.ini
    fi
    echo "Generating new certificate"
-    # shellcheck disable=SC2086
-    certbot certonly --non-interactive --renew-by-default --server ${ACMESERVER} ${ZEROSSL_EAB} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${URL_REAL}
+    certbot certonly --non-interactive --renew-by-default
    if [[ ! -d /config/keys/letsencrypt ]]; then
        if [[ "${VALIDATION}" = "dns" ]]; then
            echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the ${DNSCREDENTIALFILE} file."
--- a/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/run
@@ -1,30 +0,0 @@
-#!/usr/bin/with-contenv bash
-# shellcheck shell=bash
-
-# if root crontabs do not exist in config
-# copy root crontab from system
-if [[ ! -f /config/crontabs/root ]] && crontab -l -u root; then
-    crontab -l -u root >/config/crontabs/root
-fi
-
-# if root crontabs still do not exist in config (were not copied from system)
-# copy root crontab from included defaults
-if [[ ! -f /config/crontabs/root ]]; then
-    cp /etc/crontabs/root /config/crontabs/
-fi
-
-# if abc crontabs do not exist in config
-# copy abc crontab from system
-if [[ ! -f /config/crontabs/abc ]] && crontab -l -u abc; then
-    crontab -l -u abc >/config/crontabs/abc
-fi
-
-# if abc crontabs still do not exist in config (were not copied from system)
-# copy abc crontab from included defaults
-if [[ ! -f /config/crontabs/abc ]]; then
-    cp /etc/crontabs/abc /config/crontabs/
-fi
-
-# import user crontabs
-crontab -u root /config/crontabs/root
-crontab -u abc /config/crontabs/abc
--- a/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/type
+++ b/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/type
@@ -1 +0,0 @@
-oneshot
--- a/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/up
+++ b/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/up
@@ -1 +0,0 @@
-/etc/s6-overlay/s6-rc.d/init-crontabs-config/run
--- a/root/etc/s6-overlay/s6-rc.d/init-fail2ban-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-fail2ban-config/run
@@ -1,6 +1,15 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash

+if ! iptables -L &> /dev/null; then
+  ln -sf /sbin/xtables-legacy-multi /sbin/iptables
+  ln -sf /sbin/xtables-legacy-multi /sbin/iptables-save
+  ln -sf /sbin/xtables-legacy-multi /sbin/iptables-restore
+  ln -sf /sbin/xtables-legacy-multi /sbin/ip6tables
+  ln -sf /sbin/xtables-legacy-multi /sbin/ip6tables-save
+  ln -sf /sbin/xtables-legacy-multi /sbin/ip6tables-restore
+fi
+
 # copy/update the fail2ban config defaults to/in /config
 cp -R /defaults/fail2ban/filter.d /config/fail2ban/
 cp -R /defaults/fail2ban/action.d /config/fail2ban/
--- a/root/etc/s6-overlay/s6-rc.d/init-folders-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-folders-config/run
@@ -3,7 +3,7 @@

 # make our folders and links
 mkdir -p \
-    /config/{fail2ban,crontabs,dns-conf} \
+    /config/{fail2ban,dns-conf} \
    /config/etc/letsencrypt/renewal-hooks \
    /config/log/{fail2ban,letsencrypt,nginx} \
    /config/nginx/proxy-confs \
--- a/root/etc/s6-overlay/s6-rc.d/init-nginx-config/dependencies.d/init-crontabs-config
+++ b/root/etc/s6-overlay/s6-rc.d/init-nginx-config/dependencies.d/init-crontabs-config
--- a/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/dependencies.d/init-fail2ban-config
+++ b/root/etc/s6-overlay/s6-rc.d/init-crontabs-config/dependencies.d/init-fail2ban-config
--- a/root/etc/s6-overlay/s6-rc.d/init-nginx-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-nginx-config/run
@@ -14,6 +14,14 @@ if [[ ! -f /config/nginx/authelia-server.conf ]]; then
    cp /defaults/nginx/authelia-server.conf.sample /config/nginx/authelia-server.conf
 fi

+# copy authentik config files if they don't exist
+if [[ ! -f /config/nginx/authentik-location.conf ]]; then
+    cp /defaults/nginx/authentik-location.conf.sample /config/nginx/authentik-location.conf
+fi
+if [[ ! -f /config/nginx/authentik-server.conf ]]; then
+    cp /defaults/nginx/authentik-server.conf.sample /config/nginx/authentik-server.conf
+fi
+
 # copy old ldap config file to new location
 if [[ -f /config/nginx/ldap.conf ]] && [[ ! -f /config/nginx/ldap-server.conf ]]; then
    cp /config/nginx/ldap.conf /config/nginx/ldap-server.conf
--- a/root/etc/s6-overlay/s6-rc.d/init-samples-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-samples-config/run
@@ -9,5 +9,5 @@ if [[ -d /defaults/nginx/proxy-confs/ ]]; then
        -maxdepth 1 \
        -name "*.conf.sample" \
        -type f \
-        -exec cp "{}" /config/nginx/proxy-confs/ +
+        -exec cp "{}" /config/nginx/proxy-confs/ \;
 fi
--- a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-crontabs-config
+++ b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-crontabs-config
				`@@ -1 +0,0 @@`
				`/etc/s6-overlay/s6-rc.d/init-crontabs-config/run`