Merge pull request #602 from linuxserver/tinyauth-fix

Add missing tinyauth blocks to default conf

.github/CONTRIBUTING.md

@@ -6,7 +6,7 @@
 * Read, and fill the Pull Request template
   * If this is a fix for a typo (in code, documentation, or the README) please file an issue and let us sort it out. We do not need a PR
   * If the PR is addressing an existing issue include, closes #\<issue number>, in the body of the PR commit message
-* If you want to discuss changes, you can also bring it up in [#dev-talk](https://discordapp.com/channels/354974912613449730/757585807061155840) in our [Discord server](https://discord.gg/YWrKVTn)
+* If you want to discuss changes, you can also bring it up in [#dev-talk](https://discordapp.com/channels/354974912613449730/757585807061155840) in our [Discord server](https://linuxserver.io/discord)
 
 ## Common files
 
@@ -105,10 +105,10 @@ docker build \
   -t linuxserver/swag:latest .
 ```
 
-The ARM variants can be built on x86_64 hardware using `multiarch/qemu-user-static`
+The ARM variants can be built on x86_64 hardware and vice versa using `lscr.io/linuxserver/qemu-static`
 
 ```bash
-docker run --rm --privileged multiarch/qemu-user-static:register --reset
+docker run --rm --privileged lscr.io/linuxserver/qemu-static --reset
 ```
 
 Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64`.

.github/ISSUE_TEMPLATE/config.yml

@@ -1,7 +1,7 @@
 blank_issues_enabled: false
 contact_links:
   - name: Discord chat support
-    url: https://discord.gg/YWrKVTn
+    url: https://linuxserver.io/discord
     about: Realtime support / chat with the community and the team.
 
   - name: Discourse discussion forum

.github/ISSUE_TEMPLATE/issue.bug.yml

@@ -53,7 +53,6 @@ body:
       options:
         - x86-64
         - arm64
-        - armhf
     validations:
       required: true
   - type: textarea
@@ -68,10 +67,10 @@ body:
   - type: textarea
     attributes:
       description: |
-        Provide a full docker log, output of "docker logs linuxserver.io"
+        Provide a full docker log, output of "docker logs swag"
       label: Container logs
       placeholder: |
-        Output of `docker logs linuxserver.io`
+        Output of `docker logs swag`
       render: bash
     validations:
       required: true

.github/workflows/call_issue_pr_tracker.yml

@@ -8,6 +8,9 @@ on:
   pull_request_review:
     types: [submitted,edited,dismissed]
 
+permissions:
+  contents: read
+
 jobs:
   manage-project:
     permissions:

.github/workflows/call_issues_cron.yml

@@ -4,6 +4,9 @@ on:
     - cron:  '35 15 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   stale:
     permissions:

.github/workflows/external_trigger.yml

@@ -3,26 +3,42 @@ name: External Trigger Main
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   external-trigger-master:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
 
       - name: External Trigger
         if: github.ref == 'refs/heads/master'
+        env:
+          SKIP_EXTERNAL_TRIGGER: ${{ vars.SKIP_EXTERNAL_TRIGGER }}
         run: |
-          if [ -n "${{ secrets.PAUSE_EXTERNAL_TRIGGER_SWAG_MASTER }}" ]; then
+          printf "# External trigger for docker-swag\n\n" >> $GITHUB_STEP_SUMMARY
-            echo "**** Github secret PAUSE_EXTERNAL_TRIGGER_SWAG_MASTER is set; skipping trigger. ****"
+          if grep -q "^swag_master_" <<< "${SKIP_EXTERNAL_TRIGGER}"; then
-            echo "Github secret \`PAUSE_EXTERNAL_TRIGGER_SWAG_MASTER\` is set; skipping trigger." >> $GITHUB_STEP_SUMMARY
+            echo "> [!NOTE]" >> $GITHUB_STEP_SUMMARY
+            echo "> Github organizational variable \`SKIP_EXTERNAL_TRIGGER\` contains \`swag_master_\`; will skip trigger if version matches." >> $GITHUB_STEP_SUMMARY
+          elif grep -q "^swag_master" <<< "${SKIP_EXTERNAL_TRIGGER}"; then
+            echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
+            echo "> Github organizational variable \`SKIP_EXTERNAL_TRIGGER\` contains \`swag_master\`; skipping trigger." >> $GITHUB_STEP_SUMMARY
             exit 0
           fi
-          echo "**** External trigger running off of master branch. To disable this trigger, set a Github secret named \"PAUSE_EXTERNAL_TRIGGER_SWAG_MASTER\". ****"
+          echo "> [!NOTE]" >> $GITHUB_STEP_SUMMARY
-          echo "External trigger running off of master branch. To disable this trigger, set a Github secret named \`PAUSE_EXTERNAL_TRIGGER_SWAG_MASTER\`" >> $GITHUB_STEP_SUMMARY
+          echo "> External trigger running off of master branch. To disable this trigger, add \`swag_master\` into the Github organizational variable \`SKIP_EXTERNAL_TRIGGER\`." >> $GITHUB_STEP_SUMMARY
-          echo "**** Retrieving external version ****"
+          printf "\n## Retrieving external version\n\n" >> $GITHUB_STEP_SUMMARY
           EXT_RELEASE=$(curl -sL "https://pypi.python.org/pypi/certbot/json" |jq -r '. | .info.version')
+          echo "Type is \`pip_version\`" >> $GITHUB_STEP_SUMMARY
+          if grep -q "^swag_master_${EXT_RELEASE}" <<< "${SKIP_EXTERNAL_TRIGGER}"; then
+            echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
+            echo "> Github organizational variable \`SKIP_EXTERNAL_TRIGGER\` matches current external release; skipping trigger." >> $GITHUB_STEP_SUMMARY
+            exit 0
+          fi
           if [ -z "${EXT_RELEASE}" ] || [ "${EXT_RELEASE}" == "null" ]; then
-            echo "**** Can't retrieve external version, exiting ****"
+            echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
+            echo "> Can't retrieve external version, exiting" >> $GITHUB_STEP_SUMMARY
             FAILURE_REASON="Can't retrieve external version for swag branch master"
             GHA_TRIGGER_URL="https://github.com/linuxserver/docker-swag/actions/runs/${{ github.run_id }}"
             curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 16711680,
@@ -30,25 +46,43 @@ jobs:
               "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
             exit 1
           fi
-          EXT_RELEASE=$(echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g')
+          EXT_RELEASE_SANITIZED=$(echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g')
-          echo "**** External version: ${EXT_RELEASE} ****"
+          echo "Sanitized external version: \`${EXT_RELEASE_SANITIZED}\`" >> $GITHUB_STEP_SUMMARY
-          echo "External version: ${EXT_RELEASE}" >> $GITHUB_STEP_SUMMARY
+          echo "Retrieving last pushed version" >> $GITHUB_STEP_SUMMARY
-          echo "**** Retrieving last pushed version ****"
           image="linuxserver/swag"
           tag="latest"
           token=$(curl -sX GET \
             "https://ghcr.io/token?scope=repository%3Alinuxserver%2Fswag%3Apull" \
             | jq -r '.token')
-            multidigest=$(curl -s \
+          multidigest=$(curl -s \
+            --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
+            --header "Accept: application/vnd.oci.image.index.v1+json" \
+            --header "Authorization: Bearer ${token}" \
+            "https://ghcr.io/v2/${image}/manifests/${tag}")
+          if jq -e '.layers // empty' <<< "${multidigest}" >/dev/null 2>&1; then
+            # If there's a layer element it's a single-arch manifest so just get that digest
+            digest=$(jq -r '.config.digest' <<< "${multidigest}")
+          else
+            # Otherwise it's multi-arch or has manifest annotations
+            if jq -e '.manifests[]?.annotations // empty' <<< "${multidigest}" >/dev/null 2>&1; then
+              # Check for manifest annotations and delete if found
+              multidigest=$(jq 'del(.manifests[] | select(.annotations))' <<< "${multidigest}")
+            fi
+            if [[ $(jq '.manifests | length' <<< "${multidigest}") -gt 1 ]]; then
+              # If there's still more than one digest, it's multi-arch
+              multidigest=$(jq -r ".manifests[] | select(.platform.architecture == \"amd64\").digest?" <<< "${multidigest}")
+            else
+              # Otherwise it's single arch
+              multidigest=$(jq -r ".manifests[].digest?" <<< "${multidigest}")
+            fi
+            if digest=$(curl -s \
               --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
+              --header "Accept: application/vnd.oci.image.manifest.v1+json" \
               --header "Authorization: Bearer ${token}" \
-              "https://ghcr.io/v2/${image}/manifests/${tag}" \
+              "https://ghcr.io/v2/${image}/manifests/${multidigest}"); then
-              | jq -r 'first(.manifests[].digest)')
+              digest=$(jq -r '.config.digest' <<< "${digest}");
-            digest=$(curl -s \
+            fi
-              --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
+          fi
-              --header "Authorization: Bearer ${token}" \
-              "https://ghcr.io/v2/${image}/manifests/${multidigest}" \
-              | jq -r '.config.digest')
           image_info=$(curl -sL \
             --header "Authorization: Bearer ${token}" \
             "https://ghcr.io/v2/${image}/blobs/${digest}")
@@ -60,45 +94,54 @@ jobs:
           IMAGE_RELEASE=$(echo ${image_info} | jq -r '.Labels.build_version' | awk '{print $3}')
           IMAGE_VERSION=$(echo ${IMAGE_RELEASE} | awk -F'-ls' '{print $1}')
           if [ -z "${IMAGE_VERSION}" ]; then
-            echo "**** Can't retrieve last pushed version, exiting ****"
+            echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
+            echo "Can't retrieve last pushed version, exiting" >> $GITHUB_STEP_SUMMARY
             FAILURE_REASON="Can't retrieve last pushed version for swag tag latest"
             curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 16711680,
               "description": "**Trigger Failed** \n**Reason:** '"${FAILURE_REASON}"' \n"}],
               "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
             exit 1
           fi
-          echo "**** Last pushed version: ${IMAGE_VERSION} ****"
+          echo "Last pushed version: \`${IMAGE_VERSION}\`" >> $GITHUB_STEP_SUMMARY
-          echo "Last pushed version: ${IMAGE_VERSION}" >> $GITHUB_STEP_SUMMARY
+          if [ "${EXT_RELEASE_SANITIZED}" == "${IMAGE_VERSION}" ]; then
-          if [ "${EXT_RELEASE}" == "${IMAGE_VERSION}" ]; then
+            echo "Sanitized version \`${EXT_RELEASE_SANITIZED}\` already pushed, exiting" >> $GITHUB_STEP_SUMMARY
-            echo "**** Version ${EXT_RELEASE} already pushed, exiting ****"
-            echo "Version ${EXT_RELEASE} already pushed, exiting" >> $GITHUB_STEP_SUMMARY
             exit 0
           elif [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then
-            echo "**** New version ${EXT_RELEASE} found; but there already seems to be an active build on Jenkins; exiting ****"
+            echo "New version \`${EXT_RELEASE}\` found; but there already seems to be an active build on Jenkins; exiting" >> $GITHUB_STEP_SUMMARY
-            echo "New version ${EXT_RELEASE} found; but there already seems to be an active build on Jenkins; exiting" >> $GITHUB_STEP_SUMMARY
             exit 0
           else
-            echo "**** New version ${EXT_RELEASE} found; old version was ${IMAGE_VERSION}. Triggering new build ****"
+            if [[ "${artifacts_found}" == "false" ]]; then
-            echo "New version ${EXT_RELEASE} found; old version was ${IMAGE_VERSION}. Triggering new build" >> $GITHUB_STEP_SUMMARY
+              echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
-            response=$(curl -iX POST \
+              echo "> New version detected, but not all artifacts are published yet; skipping trigger" >> $GITHUB_STEP_SUMMARY
-              https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/buildWithParameters?PACKAGE_CHECK=false \
+              FAILURE_REASON="New version ${EXT_RELEASE} for swag tag latest is detected, however not all artifacts are uploaded to upstream release yet. Will try again later."
-              --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|")
+              curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903,
-            echo "**** Jenkins job queue url: ${response%$'\r'} ****"
+                "description": "**Trigger Failed** \n**Reason:** '"${FAILURE_REASON}"' \n"}],
-            echo "**** Sleeping 10 seconds until job starts ****"
+                "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
-            sleep 10
+            else
-            buildurl=$(curl -s "${response%$'\r'}api/json" | jq -r '.executable.url')
+              printf "\n## Trigger new build\n\n" >> $GITHUB_STEP_SUMMARY
-            buildurl="${buildurl%$'\r'}"
+              echo "New sanitized version \`${EXT_RELEASE_SANITIZED}\` found; old version was \`${IMAGE_VERSION}\`. Triggering new build" >> $GITHUB_STEP_SUMMARY
-            echo "**** Jenkins job build url: ${buildurl} ****"
+              if [[ "${artifacts_found}" == "true" ]]; then
-            echo "Jenkins job build url: ${buildurl}" >> $GITHUB_STEP_SUMMARY
+                echo "All artifacts seem to be uploaded." >> $GITHUB_STEP_SUMMARY
-            echo "**** Attempting to change the Jenkins job description ****"
+              fi
-            curl -iX POST \
+              response=$(curl -iX POST \
-              "${buildurl}submitDescription" \
+                https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/buildWithParameters?PACKAGE_CHECK=false \
-              --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \
+                --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|")
-              --data-urlencode "description=GHA external trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
+              echo "Jenkins [job queue url](${response%$'\r'})" >> $GITHUB_STEP_SUMMARY
-              --data-urlencode "Submit=Submit"
+              echo "Sleeping 10 seconds until job starts" >> $GITHUB_STEP_SUMMARY
-            echo "**** Notifying Discord ****"
+              sleep 10
-            TRIGGER_REASON="A version change was detected for swag tag latest. Old version:${IMAGE_VERSION} New version:${EXT_RELEASE}"
+              buildurl=$(curl -s "${response%$'\r'}api/json" | jq -r '.executable.url')
-            curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903,
+              buildurl="${buildurl%$'\r'}"
-              "description": "**Build Triggered** \n**Reason:** '"${TRIGGER_REASON}"' \n**Build URL:** '"${buildurl}display/redirect"' \n"}],
+              echo "Jenkins job [build url](${buildurl})" >> $GITHUB_STEP_SUMMARY
-              "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
+              echo "Attempting to change the Jenkins job description" >> $GITHUB_STEP_SUMMARY
+              curl -iX POST \
+                "${buildurl}submitDescription" \
+                --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \
+                --data-urlencode "description=GHA external trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
+                --data-urlencode "Submit=Submit"
+              echo "**** Notifying Discord ****"
+              TRIGGER_REASON="A version change was detected for swag tag latest. Old version:${IMAGE_VERSION} New version:${EXT_RELEASE_SANITIZED}"
+              curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903,
+                "description": "**Build Triggered** \n**Reason:** '"${TRIGGER_REASON}"' \n**Build URL:** '"${buildurl}display/redirect"' \n"}],
+                "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
+            fi
           fi

.github/workflows/external_trigger_scheduler.yml

@@ -5,41 +5,44 @@ on:
     - cron:  '2 * * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   external-trigger-scheduler:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
         with:
           fetch-depth: '0'
 
       - name: External Trigger Scheduler
         run: |
-          echo "**** Branches found: ****"
+          printf "# External trigger scheduler for docker-swag\n\n" >> $GITHUB_STEP_SUMMARY
-          git for-each-ref --format='%(refname:short)' refs/remotes
+          printf "Found the branches:\n\n%s\n" "$(git for-each-ref --format='- %(refname:lstrip=3)' refs/remotes)" >> $GITHUB_STEP_SUMMARY
-          for br in $(git for-each-ref --format='%(refname:short)' refs/remotes)
+          for br in $(git for-each-ref --format='%(refname:lstrip=3)' refs/remotes)
           do
-            br=$(echo "$br" | sed 's|origin/||g')
+            if [[ "${br}" == "HEAD" ]]; then
-            echo "**** Evaluating branch ${br} ****"
+              printf "\nSkipping %s.\n" ${br} >> $GITHUB_STEP_SUMMARY
+              continue
+            fi
+            printf "\n## Evaluating \`%s\`\n\n" ${br} >> $GITHUB_STEP_SUMMARY
             ls_jenkins_vars=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/jenkins-vars.yml)
             ls_branch=$(echo "${ls_jenkins_vars}" | yq -r '.ls_branch')
             ls_trigger=$(echo "${ls_jenkins_vars}" | yq -r '.external_type')
             if [[ "${br}" == "${ls_branch}" ]] && [[ "${ls_trigger}" != "os" ]]; then
-              echo "**** Branch ${br} appears to be live and trigger is not os; checking workflow. ****"
+              echo "Branch appears to be live and trigger is not os; checking workflow." >> $GITHUB_STEP_SUMMARY
               if curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/.github/workflows/external_trigger.yml > /dev/null 2>&1; then
-                echo "**** Workflow exists. Triggering external trigger workflow for branch ${br} ****."
+                echo "Triggering external trigger workflow for branch." >> $GITHUB_STEP_SUMMARY
-                echo "Triggering external trigger workflow for branch ${br}" >> $GITHUB_STEP_SUMMARY
                 curl -iX POST \
                   -H "Authorization: token ${{ secrets.CR_PAT }}" \
                   -H "Accept: application/vnd.github.v3+json" \
                   -d "{\"ref\":\"refs/heads/${br}\"}" \
                   https://api.github.com/repos/linuxserver/docker-swag/actions/workflows/external_trigger.yml/dispatches
               else
-                echo "**** Workflow doesn't exist; skipping trigger. ****"
+                echo "Skipping branch due to no external trigger workflow present." >> $GITHUB_STEP_SUMMARY
-                echo "Skipping branch ${br} due to no external trigger workflow present." >> $GITHUB_STEP_SUMMARY
               fi
             else
-              echo "**** ${br} is either a dev branch, or has no external version; skipping trigger. ****"
+              echo "Skipping branch due to being detected as dev branch or having no external version." >> $GITHUB_STEP_SUMMARY
-              echo "Skipping branch ${br} due to being detected as dev branch or having no external version." >> $GITHUB_STEP_SUMMARY
             fi
           done

.github/workflows/greetings.yml

@@ -2,8 +2,14 @@ name: Greetings
 
 on: [pull_request_target, issues]
 
+permissions:
+  contents: read
+
 jobs:
   greeting:
+    permissions:
+      issues: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
     - uses: actions/first-interaction@v1

.github/workflows/package_trigger.yml

@@ -1,42 +0,0 @@
-name: Package Trigger Main
-
-on:
-  workflow_dispatch:
-
-jobs:
-  package-trigger-master:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3.1.0
-
-      - name: Package Trigger
-        if: github.ref == 'refs/heads/master'
-        run: |
-          if [ -n "${{ secrets.PAUSE_PACKAGE_TRIGGER_SWAG_MASTER }}" ]; then
-            echo "**** Github secret PAUSE_PACKAGE_TRIGGER_SWAG_MASTER is set; skipping trigger. ****"
-            echo "Github secret \`PAUSE_PACKAGE_TRIGGER_SWAG_MASTER\` is set; skipping trigger." >> $GITHUB_STEP_SUMMARY
-            exit 0
-          fi
-          if [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then
-            echo "**** There already seems to be an active build on Jenkins; skipping package trigger ****"
-            echo "There already seems to be an active build on Jenkins; skipping package trigger" >> $GITHUB_STEP_SUMMARY
-            exit 0
-          fi
-          echo "**** Package trigger running off of master branch. To disable, set a Github secret named \"PAUSE_PACKAGE_TRIGGER_SWAG_MASTER\". ****"
-          echo "Package trigger running off of master branch. To disable, set a Github secret named \`PAUSE_PACKAGE_TRIGGER_SWAG_MASTER\`" >> $GITHUB_STEP_SUMMARY
-          response=$(curl -iX POST \
-            https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/buildWithParameters?PACKAGE_CHECK=true \
-            --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|")
-          echo "**** Jenkins job queue url: ${response%$'\r'} ****"
-          echo "**** Sleeping 10 seconds until job starts ****"
-          sleep 10
-          buildurl=$(curl -s "${response%$'\r'}api/json" | jq -r '.executable.url')
-          buildurl="${buildurl%$'\r'}"
-          echo "**** Jenkins job build url: ${buildurl} ****"
-          echo "Jenkins job build url: ${buildurl}" >> $GITHUB_STEP_SUMMARY
-          echo "**** Attempting to change the Jenkins job description ****"
-          curl -iX POST \
-            "${buildurl}submitDescription" \
-            --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \
-            --data-urlencode "description=GHA package trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
-            --data-urlencode "Submit=Submit"

.github/workflows/package_trigger_scheduler.yml

@@ -5,46 +5,99 @@ on:
     - cron:  '1 3 * * 6'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   package-trigger-scheduler:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
         with:
           fetch-depth: '0'
 
       - name: Package Trigger Scheduler
+        env:
+          SKIP_PACKAGE_TRIGGER: ${{ vars.SKIP_PACKAGE_TRIGGER }}
         run: |
-          echo "**** Branches found: ****"
+          printf "# Package trigger scheduler for docker-swag\n\n" >> $GITHUB_STEP_SUMMARY
-          git for-each-ref --format='%(refname:short)' refs/remotes
+          printf "Found the branches:\n\n%s\n" "$(git for-each-ref --format='- %(refname:lstrip=3)' refs/remotes)" >> $GITHUB_STEP_SUMMARY
-          for br in $(git for-each-ref --format='%(refname:short)' refs/remotes)
+          for br in $(git for-each-ref --format='%(refname:lstrip=3)' refs/remotes)
           do
-            br=$(echo "$br" | sed 's|origin/||g')
+            if [[ "${br}" == "HEAD" ]]; then
-            echo "**** Evaluating branch ${br} ****"
+              printf "\nSkipping %s.\n" ${br} >> $GITHUB_STEP_SUMMARY
-            ls_branch=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/jenkins-vars.yml | yq -r '.ls_branch')
+              continue
-            if [ "${br}" == "${ls_branch}" ]; then
+            fi
-              echo "**** Branch ${br} appears to be live; checking workflow. ****"
+            printf "\n## Evaluating \`%s\`\n\n" ${br} >> $GITHUB_STEP_SUMMARY
-              if curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/.github/workflows/package_trigger.yml > /dev/null 2>&1; then
+            JENKINS_VARS=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/jenkins-vars.yml)
-                echo "**** Workflow exists. Triggering package trigger workflow for branch ${br}. ****"
+            if ! curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/Jenkinsfile >/dev/null 2>&1; then
-                echo "Triggering package trigger workflow for branch ${br}" >> $GITHUB_STEP_SUMMARY
+              echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
-                triggered_branches="${triggered_branches}${br} "
+              echo "> No Jenkinsfile found. Branch is either deprecated or is an early dev branch." >> $GITHUB_STEP_SUMMARY
-                curl -iX POST \
+              skipped_branches="${skipped_branches}${br} "
-                  -H "Authorization: token ${{ secrets.CR_PAT }}" \
+            elif [[ "${br}" == $(yq -r '.ls_branch' <<< "${JENKINS_VARS}") ]]; then
-                  -H "Accept: application/vnd.github.v3+json" \
+              echo "Branch appears to be live; checking workflow." >> $GITHUB_STEP_SUMMARY
-                  -d "{\"ref\":\"refs/heads/${br}\"}" \
+              README_VARS=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/readme-vars.yml)
-                  https://api.github.com/repos/linuxserver/docker-swag/actions/workflows/package_trigger.yml/dispatches
+              if [[ $(yq -r '.project_deprecation_status' <<< "${README_VARS}") == "true" ]]; then
-                sleep 30
+                echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
+                echo "> Branch appears to be deprecated; skipping trigger." >> $GITHUB_STEP_SUMMARY
+                skipped_branches="${skipped_branches}${br} "
+              elif [[ $(yq -r '.skip_package_check' <<< "${JENKINS_VARS}") == "true" ]]; then
+                echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
+                echo "> Skipping branch ${br} due to \`skip_package_check\` being set in \`jenkins-vars.yml\`." >> $GITHUB_STEP_SUMMARY
+                skipped_branches="${skipped_branches}${br} "
+              elif grep -q "^swag_${br}" <<< "${SKIP_PACKAGE_TRIGGER}"; then
+                echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
+                echo "> Github organizational variable \`SKIP_PACKAGE_TRIGGER\` contains \`swag_${br}\`; skipping trigger." >> $GITHUB_STEP_SUMMARY
+                skipped_branches="${skipped_branches}${br} "
+              elif [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/${br}/lastBuild/api/json | jq -r '.building' 2>/dev/null) == "true" ]; then
+                echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
+                echo "> There already seems to be an active build on Jenkins; skipping package trigger for ${br}" >> $GITHUB_STEP_SUMMARY
+                skipped_branches="${skipped_branches}${br} "
               else
-                echo "**** Workflow doesn't exist; skipping trigger. ****"
+                echo "> [!NOTE]" >> $GITHUB_STEP_SUMMARY
-                echo "Skipping branch ${br} due to no package trigger workflow present." >> $GITHUB_STEP_SUMMARY
+                echo "> Triggering package trigger for branch ${br}" >> $GITHUB_STEP_SUMMARY
+                printf "> To disable, add \`swag_%s\` into the Github organizational variable \`SKIP_PACKAGE_TRIGGER\`.\n\n" "${br}" >> $GITHUB_STEP_SUMMARY
+                triggered_branches="${triggered_branches}${br} "
+                response=$(curl -iX POST \
+                  https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/${br}/buildWithParameters?PACKAGE_CHECK=true \
+                  --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|")
+                if [[ -z "${response}" ]]; then
+                  echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
+                  echo "> Jenkins build could not be triggered. Skipping branch."
+                  continue
+                fi
+                echo "Jenkins [job queue url](${response%$'\r'})" >> $GITHUB_STEP_SUMMARY
+                echo "Sleeping 10 seconds until job starts" >> $GITHUB_STEP_SUMMARY
+                sleep 10
+                buildurl=$(curl -s "${response%$'\r'}api/json" | jq -r '.executable.url')
+                buildurl="${buildurl%$'\r'}"
+                echo "Jenkins job [build url](${buildurl})" >> $GITHUB_STEP_SUMMARY
+                echo "Attempting to change the Jenkins job description" >> $GITHUB_STEP_SUMMARY
+                if ! curl -ifX POST \
+                  "${buildurl}submitDescription" \
+                  --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \
+                  --data-urlencode "description=GHA package trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
+                  --data-urlencode "Submit=Submit"; then
+                  echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
+                  echo "> Unable to change the Jenkins job description."
+                fi
+                sleep 20
               fi
             else
-              echo "**** ${br} appears to be a dev branch; skipping trigger. ****"
               echo "Skipping branch ${br} due to being detected as dev branch." >> $GITHUB_STEP_SUMMARY
             fi
           done
-          echo "**** Package check build(s) triggered for branch(es): ${triggered_branches} ****"
+          if [[ -n "${triggered_branches}" ]] || [[ -n "${skipped_branches}" ]]; then
-          echo "**** Notifying Discord ****"
+            if [[ -n "${triggered_branches}" ]]; then
-          curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903,
+              NOTIFY_BRANCHES="**Triggered:** ${triggered_branches} \n"
-            "description": "**Package Check Build(s) Triggered for swag** \n**Branch(es):** '"${triggered_branches}"' \n**Build URL:** '"https://ci.linuxserver.io/blue/organizations/jenkins/Docker-Pipeline-Builders%2Fdocker-swag/activity/"' \n"}],
+              NOTIFY_BUILD_URL="**Build URL:** https://ci.linuxserver.io/blue/organizations/jenkins/Docker-Pipeline-Builders%2Fdocker-swag/activity/ \n"
-            "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
+              echo "**** Package check build(s) triggered for branch(es): ${triggered_branches} ****"
+            fi
+            if [[ -n "${skipped_branches}" ]]; then
+              NOTIFY_BRANCHES="${NOTIFY_BRANCHES}**Skipped:** ${skipped_branches} \n"
+            fi
+            echo "**** Notifying Discord ****"
+            curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903,
+              "description": "**Package Check Build(s) for swag** \n'"${NOTIFY_BRANCHES}"''"${NOTIFY_BUILD_URL}"'"}],
+              "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
+          fi

.github/workflows/permissions.yml

@@ -5,6 +5,8 @@ on:
       - '**/run'
       - '**/finish'
       - '**/check'
+      - 'root/migrations/*'
+
 jobs:
   permission_check:
     uses: linuxserver/github-workflows/.github/workflows/init-svc-executable-permissions.yml@v1

.gitignore

@@ -1 +1,2 @@
+.idea
 .jenkins-external

Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.17
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.22
 
 # set version label
 ARG BUILD_DATE
@@ -10,8 +10,10 @@ LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DA
 LABEL maintainer="nemchik"
 
 # environment settings
-ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53.ini
+ENV DHLEVEL=2048 \
-ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
+  ONLY_SUBDOMAINS=false \
+  AWS_CONFIG_FILE=/config/dns-conf/route53.ini \
+  S6_BEHAVIOUR_IF_STAGE2_FAILS=2
 
 RUN \
   echo "**** install build packages ****" && \
@@ -24,9 +26,11 @@ RUN \
     openssl-dev \
     python3-dev && \
   echo "**** install runtime packages ****" && \
-  apk add --no-cache --upgrade \
+  apk add --no-cache \
     fail2ban \
     gnupg \
+    inotify-tools \
+    iptables-legacy \
     memcached \
     nginx-mod-http-brotli \
     nginx-mod-http-dav-ext \
@@ -45,59 +49,51 @@ RUN \
     nginx-mod-stream \
     nginx-mod-stream-geoip2 \
     nginx-vim \
-    php81-bcmath \
+    php84-bcmath \
-    php81-bz2 \
+    php84-bz2 \
-    php81-ctype \
+    php84-dom \
-    php81-curl \
+    php84-exif \
-    php81-dom \
+    php84-ftp \
-    php81-exif \
+    php84-gd \
-    php81-ftp \
+    php84-gmp \
-    php81-gd \
+    php84-imap \
-    php81-gmp \
+    php84-intl \
-    php81-iconv \
+    php84-ldap \
-    php81-imap \
+    php84-mysqli \
-    php81-intl \
+    php84-mysqlnd \
-    php81-ldap \
+    php84-opcache \
-    php81-mysqli \
+    php84-pdo_mysql \
-    php81-mysqlnd \
+    php84-pdo_odbc \
-    php81-opcache \
+    php84-pdo_pgsql \
-    php81-pdo_mysql \
+    php84-pdo_sqlite \
-    php81-pdo_odbc \
+    php84-pear \
-    php81-pdo_pgsql \
+    php84-pecl-apcu \
-    php81-pdo_sqlite \
+    php84-pecl-memcached \
-    php81-pear \
+    php84-pecl-redis \
-    php81-pecl-apcu \
+    php84-pgsql \
-    php81-pecl-mailparse \
+    php84-posix \
-    php81-pecl-memcached \
+    php84-soap \
-    php81-pecl-redis \
+    php84-sockets \
-    php81-pgsql \
+    php84-sodium \
-    php81-phar \
+    php84-sqlite3 \
-    php81-posix \
+    php84-tokenizer \
-    php81-soap \
+    php84-xmlreader \
-    php81-sockets \
+    php84-xsl \
-    php81-sodium \
-    php81-sqlite3 \
-    php81-tokenizer \
-    php81-xmlreader \
-    php81-xsl \
-    php81-zip \
     whois && \
-  apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing \
-    php81-pecl-mcrypt \
-    php81-pecl-xmlrpc && \
   echo "**** install certbot plugins ****" && \
   if [ -z ${CERTBOT_VERSION+x} ]; then \
     CERTBOT_VERSION=$(curl -sL  https://pypi.python.org/pypi/certbot/json |jq -r '. | .info.version'); \
   fi && \
-  python3 -m ensurepip && \
+  python3 -m venv /lsiopy && \
-  pip3 install -U --no-cache-dir \
+  pip install -U --no-cache-dir \
     pip \
     wheel && \
-  pip3 install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.17/ \
+  pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.22/ \
     certbot==${CERTBOT_VERSION} \
     certbot-dns-acmedns \
     certbot-dns-aliyun \
     certbot-dns-azure \
+    certbot-dns-bunny \
     certbot-dns-cloudflare \
     certbot-dns-cpanel \
     certbot-dns-desec \
@@ -108,20 +104,24 @@ RUN \
     certbot-dns-dnspod \
     certbot-dns-do \
     certbot-dns-domeneshop \
+    certbot-dns-dreamhost \
     certbot-dns-duckdns \
-    certbot-dns-dynu \
+    certbot-dns-dynudns \
+    certbot-dns-freedns \
     certbot-dns-gehirn \
+    certbot-dns-glesys \
     certbot-dns-godaddy \
     certbot-dns-google \
-    certbot-dns-google-domains \
     certbot-dns-he \
     certbot-dns-hetzner \
+    certbot-dns-hetzner-cloud \
     certbot-dns-infomaniak \
     certbot-dns-inwx \
     certbot-dns-ionos \
     certbot-dns-linode \
     certbot-dns-loopia \
     certbot-dns-luadns \
+    certbot-dns-namecheap \
     certbot-dns-netcup \
     certbot-dns-njalla \
     certbot-dns-nsone \
@@ -147,11 +147,13 @@ RUN \
   sed -i \
     's|#ssl_trusted_certificate /config/keys/cert.crt;|ssl_trusted_certificate /config/keys/cert.crt;|' \
     /defaults/nginx/ssl.conf.sample && \
+  echo "**** remove stream.conf ****" && \
+  rm -f /etc/nginx/conf.d/stream.conf && \
   echo "**** correct ip6tables legacy issue ****" && \
   rm \
-    /sbin/ip6tables && \
+    /usr/sbin/ip6tables && \
   ln -s \
-    /sbin/ip6tables-nft /sbin/ip6tables && \
+    /usr/sbin/ip6tables-nft /usr/sbin/ip6tables && \
   echo "**** remove unnecessary fail2ban filters ****" && \
   rm \
     /etc/fail2ban/jail.d/alpine-ssh.conf && \
@@ -170,6 +172,7 @@ RUN \
   tar xf \
     /tmp/proxy-confs.tar.gz -C \
     /defaults/nginx/proxy-confs --strip-components=1 --exclude=linux*/.editorconfig --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
+  printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
   echo "**** cleanup ****" && \
   apk del --purge \
     build-dependencies && \

Dockerfile.aarch64

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.17
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.22
 
 # set version label
 ARG BUILD_DATE
@@ -10,8 +10,10 @@ LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DA
 LABEL maintainer="nemchik"
 
 # environment settings
-ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53.ini
+ENV DHLEVEL=2048 \
-ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
+  ONLY_SUBDOMAINS=false \
+  AWS_CONFIG_FILE=/config/dns-conf/route53.ini \
+  S6_BEHAVIOUR_IF_STAGE2_FAILS=2
 
 RUN \
   echo "**** install build packages ****" && \
@@ -24,9 +26,11 @@ RUN \
     openssl-dev \
     python3-dev && \
   echo "**** install runtime packages ****" && \
-  apk add --no-cache --upgrade \
+  apk add --no-cache \
     fail2ban \
     gnupg \
+    inotify-tools \
+    iptables-legacy \
     memcached \
     nginx-mod-http-brotli \
     nginx-mod-http-dav-ext \
@@ -45,59 +49,51 @@ RUN \
     nginx-mod-stream \
     nginx-mod-stream-geoip2 \
     nginx-vim \
-    php81-bcmath \
+    php84-bcmath \
-    php81-bz2 \
+    php84-bz2 \
-    php81-ctype \
+    php84-dom \
-    php81-curl \
+    php84-exif \
-    php81-dom \
+    php84-ftp \
-    php81-exif \
+    php84-gd \
-    php81-ftp \
+    php84-gmp \
-    php81-gd \
+    php84-imap \
-    php81-gmp \
+    php84-intl \
-    php81-iconv \
+    php84-ldap \
-    php81-imap \
+    php84-mysqli \
-    php81-intl \
+    php84-mysqlnd \
-    php81-ldap \
+    php84-opcache \
-    php81-mysqli \
+    php84-pdo_mysql \
-    php81-mysqlnd \
+    php84-pdo_odbc \
-    php81-opcache \
+    php84-pdo_pgsql \
-    php81-pdo_mysql \
+    php84-pdo_sqlite \
-    php81-pdo_odbc \
+    php84-pear \
-    php81-pdo_pgsql \
+    php84-pecl-apcu \
-    php81-pdo_sqlite \
+    php84-pecl-memcached \
-    php81-pear \
+    php84-pecl-redis \
-    php81-pecl-apcu \
+    php84-pgsql \
-    php81-pecl-mailparse \
+    php84-posix \
-    php81-pecl-memcached \
+    php84-soap \
-    php81-pecl-redis \
+    php84-sockets \
-    php81-pgsql \
+    php84-sodium \
-    php81-phar \
+    php84-sqlite3 \
-    php81-posix \
+    php84-tokenizer \
-    php81-soap \
+    php84-xmlreader \
-    php81-sockets \
+    php84-xsl \
-    php81-sodium \
-    php81-sqlite3 \
-    php81-tokenizer \
-    php81-xmlreader \
-    php81-xsl \
-    php81-zip \
     whois && \
-  apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing \
-    php81-pecl-mcrypt \
-    php81-pecl-xmlrpc && \
   echo "**** install certbot plugins ****" && \
   if [ -z ${CERTBOT_VERSION+x} ]; then \
     CERTBOT_VERSION=$(curl -sL  https://pypi.python.org/pypi/certbot/json |jq -r '. | .info.version'); \
   fi && \
-  python3 -m ensurepip && \
+  python3 -m venv /lsiopy && \
-  pip3 install -U --no-cache-dir \
+  pip install -U --no-cache-dir \
     pip \
     wheel && \
-  pip3 install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.17/ \
+  pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.22/ \
     certbot==${CERTBOT_VERSION} \
     certbot-dns-acmedns \
     certbot-dns-aliyun \
     certbot-dns-azure \
+    certbot-dns-bunny \
     certbot-dns-cloudflare \
     certbot-dns-cpanel \
     certbot-dns-desec \
@@ -108,20 +104,24 @@ RUN \
     certbot-dns-dnspod \
     certbot-dns-do \
     certbot-dns-domeneshop \
+    certbot-dns-dreamhost \
     certbot-dns-duckdns \
-    certbot-dns-dynu \
+    certbot-dns-dynudns \
+    certbot-dns-freedns \
     certbot-dns-gehirn \
+    certbot-dns-glesys \
     certbot-dns-godaddy \
     certbot-dns-google \
-    certbot-dns-google-domains \
     certbot-dns-he \
     certbot-dns-hetzner \
+    certbot-dns-hetzner-cloud \
     certbot-dns-infomaniak \
     certbot-dns-inwx \
     certbot-dns-ionos \
     certbot-dns-linode \
     certbot-dns-loopia \
     certbot-dns-luadns \
+    certbot-dns-namecheap \
     certbot-dns-netcup \
     certbot-dns-njalla \
     certbot-dns-nsone \
@@ -147,11 +147,13 @@ RUN \
   sed -i \
     's|#ssl_trusted_certificate /config/keys/cert.crt;|ssl_trusted_certificate /config/keys/cert.crt;|' \
     /defaults/nginx/ssl.conf.sample && \
+  echo "**** remove stream.conf ****" && \
+  rm -f /etc/nginx/conf.d/stream.conf && \
   echo "**** correct ip6tables legacy issue ****" && \
   rm \
-    /sbin/ip6tables && \
+    /usr/sbin/ip6tables && \
   ln -s \
-    /sbin/ip6tables-nft /sbin/ip6tables && \
+    /usr/sbin/ip6tables-nft /usr/sbin/ip6tables && \
   echo "**** remove unnecessary fail2ban filters ****" && \
   rm \
     /etc/fail2ban/jail.d/alpine-ssh.conf && \
@@ -170,6 +172,7 @@ RUN \
   tar xf \
     /tmp/proxy-confs.tar.gz -C \
     /defaults/nginx/proxy-confs --strip-components=1 --exclude=linux*/.editorconfig --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
+  printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
   echo "**** cleanup ****" && \
   apk del --purge \
     build-dependencies && \

Dockerfile.armhf

@@ -1,186 +0,0 @@
-# syntax=docker/dockerfile:1
-
-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm32v7-3.17
-
-# set version label
-ARG BUILD_DATE
-ARG VERSION
-ARG CERTBOT_VERSION
-LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
-LABEL maintainer="nemchik"
-
-# environment settings
-ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53.ini
-ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
-
-RUN \
-  echo "**** install build packages ****" && \
-  apk add --no-cache --virtual=build-dependencies \
-    build-base \
-    cargo \
-    libffi-dev \
-    libxml2-dev \
-    libxslt-dev \
-    openssl-dev \
-    python3-dev && \
-  echo "**** install runtime packages ****" && \
-  apk add --no-cache --upgrade \
-    fail2ban \
-    gnupg \
-    memcached \
-    nginx-mod-http-brotli \
-    nginx-mod-http-dav-ext \
-    nginx-mod-http-echo \
-    nginx-mod-http-fancyindex \
-    nginx-mod-http-geoip2 \
-    nginx-mod-http-headers-more \
-    nginx-mod-http-image-filter \
-    nginx-mod-http-perl \
-    nginx-mod-http-redis2 \
-    nginx-mod-http-set-misc \
-    nginx-mod-http-upload-progress \
-    nginx-mod-http-xslt-filter \
-    nginx-mod-mail \
-    nginx-mod-rtmp \
-    nginx-mod-stream \
-    nginx-mod-stream-geoip2 \
-    nginx-vim \
-    php81-bcmath \
-    php81-bz2 \
-    php81-ctype \
-    php81-curl \
-    php81-dom \
-    php81-exif \
-    php81-ftp \
-    php81-gd \
-    php81-gmp \
-    php81-iconv \
-    php81-imap \
-    php81-intl \
-    php81-ldap \
-    php81-mysqli \
-    php81-mysqlnd \
-    php81-opcache \
-    php81-pdo_mysql \
-    php81-pdo_odbc \
-    php81-pdo_pgsql \
-    php81-pdo_sqlite \
-    php81-pear \
-    php81-pecl-apcu \
-    php81-pecl-mailparse \
-    php81-pecl-memcached \
-    php81-pecl-redis \
-    php81-pgsql \
-    php81-phar \
-    php81-posix \
-    php81-soap \
-    php81-sockets \
-    php81-sodium \
-    php81-sqlite3 \
-    php81-tokenizer \
-    php81-xmlreader \
-    php81-xsl \
-    php81-zip \
-    whois && \
-  apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing \
-    php81-pecl-mcrypt \
-    php81-pecl-xmlrpc && \
-  echo "**** install certbot plugins ****" && \
-  if [ -z ${CERTBOT_VERSION+x} ]; then \
-    CERTBOT_VERSION=$(curl -sL  https://pypi.python.org/pypi/certbot/json |jq -r '. | .info.version'); \
-  fi && \
-  python3 -m ensurepip && \
-  pip3 install -U --no-cache-dir \
-    pip \
-    wheel && \
-  pip3 install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.17/ \
-    certbot==${CERTBOT_VERSION} \
-    certbot-dns-acmedns \
-    certbot-dns-aliyun \
-    certbot-dns-azure \
-    certbot-dns-cloudflare \
-    certbot-dns-cpanel \
-    certbot-dns-desec \
-    certbot-dns-digitalocean \
-    certbot-dns-directadmin \
-    certbot-dns-dnsimple \
-    certbot-dns-dnsmadeeasy \
-    certbot-dns-dnspod \
-    certbot-dns-do \
-    certbot-dns-domeneshop \
-    certbot-dns-duckdns \
-    certbot-dns-dynu \
-    certbot-dns-gehirn \
-    certbot-dns-godaddy \
-    certbot-dns-google \
-    certbot-dns-google-domains \
-    certbot-dns-he \
-    certbot-dns-hetzner \
-    certbot-dns-infomaniak \
-    certbot-dns-inwx \
-    certbot-dns-ionos \
-    certbot-dns-linode \
-    certbot-dns-loopia \
-    certbot-dns-luadns \
-    certbot-dns-netcup \
-    certbot-dns-njalla \
-    certbot-dns-nsone \
-    certbot-dns-ovh \
-    certbot-dns-porkbun \
-    certbot-dns-rfc2136 \
-    certbot-dns-route53 \
-    certbot-dns-sakuracloud \
-    certbot-dns-standalone \
-    certbot-dns-transip \
-    certbot-dns-vultr \
-    certbot-plugin-gandi \
-    cryptography \
-    future \
-    requests && \
-  echo "**** enable OCSP stapling from base ****" && \
-  sed -i \
-    's|#ssl_stapling on;|ssl_stapling on;|' \
-    /defaults/nginx/ssl.conf.sample && \
-  sed -i \
-    's|#ssl_stapling_verify on;|ssl_stapling_verify on;|' \
-    /defaults/nginx/ssl.conf.sample && \
-  sed -i \
-    's|#ssl_trusted_certificate /config/keys/cert.crt;|ssl_trusted_certificate /config/keys/cert.crt;|' \
-    /defaults/nginx/ssl.conf.sample && \
-  echo "**** correct ip6tables legacy issue ****" && \
-  rm \
-    /sbin/ip6tables && \
-  ln -s \
-    /sbin/ip6tables-nft /sbin/ip6tables && \
-  echo "**** remove unnecessary fail2ban filters ****" && \
-  rm \
-    /etc/fail2ban/jail.d/alpine-ssh.conf && \
-  echo "**** copy fail2ban default action and filter to /defaults ****" && \
-  mkdir -p /defaults/fail2ban && \
-  mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
-  mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
-  echo "**** define allowipv6 to silence warning ****" && \
-  sed -i 's/#allowipv6 = auto/allowipv6 = auto/g' /etc/fail2ban/fail2ban.conf && \
-  echo "**** copy proxy confs to /defaults ****" && \
-  mkdir -p \
-    /defaults/nginx/proxy-confs && \
-  curl -o \
-    /tmp/proxy-confs.tar.gz -L \
-    "https://github.com/linuxserver/reverse-proxy-confs/tarball/master" && \
-  tar xf \
-    /tmp/proxy-confs.tar.gz -C \
-    /defaults/nginx/proxy-confs --strip-components=1 --exclude=linux*/.editorconfig --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
-  echo "**** cleanup ****" && \
-  apk del --purge \
-    build-dependencies && \
-  rm -rf \
-    /tmp/* \
-    $HOME/.cache \
-    $HOME/.cargo
-
-# copy local files
-COPY root/ /
-
-# ports and volumes
-EXPOSE 80 443
-VOLUME /config

README.md

@@ -1,12 +1,10 @@
-<!-- DO NOT EDIT THIS FILE MANUALLY  -->
+<!-- DO NOT EDIT THIS FILE MANUALLY -->
-<!-- Please read the https://github.com/linuxserver/docker-swag/blob/master/.github/CONTRIBUTING.md -->
+<!-- Please read https://github.com/linuxserver/docker-swag/blob/master/.github/CONTRIBUTING.md -->
-
 [![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)](https://linuxserver.io)
 
 [![Blog](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=Blog)](https://blog.linuxserver.io "all the things you can do with our containers including How-To guides, opinions and much more!")
-[![Discord](https://img.shields.io/discord/354974912613449730.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=Discord&logo=discord)](https://discord.gg/YWrKVTn "realtime support / chat with the community and the team.")
+[![Discord](https://img.shields.io/discord/354974912613449730.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=Discord&logo=discord)](https://linuxserver.io/discord "realtime support / chat with the community and the team.")
 [![Discourse](https://img.shields.io/discourse/https/discourse.linuxserver.io/topics.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=discourse)](https://discourse.linuxserver.io "post on our community forum.")
-[![Fleet](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=Fleet)](https://fleet.linuxserver.io "an online web interface which displays all of our maintained images.")
 [![GitHub](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=GitHub&logo=github)](https://github.com/linuxserver "view the source for all of our repositories.")
 [![Open Collective](https://img.shields.io/opencollective/all/linuxserver.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=Supporters&logo=open%20collective)](https://opencollective.com/linuxserver "please consider helping us by either donating or contributing to our budget")
 
@@ -21,15 +19,14 @@ The [LinuxServer.io](https://linuxserver.io) team brings you another container r
 Find us at:
 
 * [Blog](https://blog.linuxserver.io) - all the things you can do with our containers including How-To guides, opinions and much more!
-* [Discord](https://discord.gg/YWrKVTn) - realtime support / chat with the community and the team.
+* [Discord](https://linuxserver.io/discord) - realtime support / chat with the community and the team.
 * [Discourse](https://discourse.linuxserver.io) - post on our community forum.
-* [Fleet](https://fleet.linuxserver.io) - an online web interface which displays all of our maintained images.
 * [GitHub](https://github.com/linuxserver) - view the source for all of our repositories.
 * [Open Collective](https://opencollective.com/linuxserver) - please consider helping us by either donating or contributing to our budget
 
 # [linuxserver/swag](https://github.com/linuxserver/docker-swag)
 
-[![Scarf.io pulls](https://scarf.sh/installs-badge/linuxserver-ci/linuxserver%2Fswag?color=94398d&label-color=555555&logo-color=ffffff&style=for-the-badge&package-type=docker)](https://scarf.sh/gateway/linuxserver-ci/docker/linuxserver%2Fswag)
+[![Scarf.io pulls](https://scarf.sh/installs-badge/linuxserver-ci/linuxserver%2Fswag?color=94398d&label-color=555555&logo-color=ffffff&style=for-the-badge&package-type=docker)](https://scarf.sh)
 [![GitHub Stars](https://img.shields.io/github/stars/linuxserver/docker-swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/linuxserver/docker-swag)
 [![GitHub Release](https://img.shields.io/github/release/linuxserver/docker-swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/linuxserver/docker-swag/releases)
 [![GitHub Package Repository](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=GitHub%20Package&logo=github)](https://github.com/linuxserver/docker-swag/packages)
@@ -38,7 +35,6 @@ Find us at:
 [![Docker Pulls](https://img.shields.io/docker/pulls/linuxserver/swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=pulls&logo=docker)](https://hub.docker.com/r/linuxserver/swag)
 [![Docker Stars](https://img.shields.io/docker/stars/linuxserver/swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=stars&logo=docker)](https://hub.docker.com/r/linuxserver/swag)
 [![Jenkins Build](https://img.shields.io/jenkins/build?labelColor=555555&logoColor=ffffff&style=for-the-badge&jobUrl=https%3A%2F%2Fci.linuxserver.io%2Fjob%2FDocker-Pipeline-Builders%2Fjob%2Fdocker-swag%2Fjob%2Fmaster%2F&logo=jenkins)](https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/)
-[![LSIO CI](https://img.shields.io/badge/dynamic/yaml?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=CI&query=CI&url=https%3A%2F%2Fci-tests.linuxserver.io%2Flinuxserver%2Fswag%2Flatest%2Fci-status.yml)](https://ci-tests.linuxserver.io/linuxserver/swag/latest/index.html)
 
 SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.
 
@@ -46,7 +42,7 @@ SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relatio
 
 ## Supported Architectures
 
-We utilise the docker manifest for multi-platform awareness. More information is available from docker [here](https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-2.md#manifest-list) and our announcement [here](https://blog.linuxserver.io/2019/02/21/the-lsio-pipeline-project/).
+We utilise the docker manifest for multi-platform awareness. More information is available from docker [here](https://distribution.github.io/distribution/spec/manifest-v2-2/#manifest-list) and our announcement [here](https://blog.linuxserver.io/2019/02/21/the-lsio-pipeline-project/).
 
 Simply pulling `lscr.io/linuxserver/swag:latest` should retrieve the correct image for your arch, but you can also pull specific arch images via tags.
 
@@ -56,7 +52,6 @@ The architectures supported by this image are:
 | :----: | :----: | ---- |
 | x86-64 | ✅ | amd64-\<version tag\> |
 | arm64 | ✅ | arm64v8-\<version tag\> |
-| armhf | ✅ | arm32v7-\<version tag\> |
 
 ## Application Setup
 
@@ -68,13 +63,28 @@ The architectures supported by this image are:
 * For `dns` validation, make sure to enter your credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`
   * Cloudflare provides free accounts for managing dns and is very easy to use with this image. Make sure that it is set up for "dns only" instead of "dns + proxy"
   * Google dns plugin is meant to be used with "Google Cloud DNS", a paid enterprise product, and not for "Google Domains DNS"
-  * DuckDNS only supoprts two types of DNS validated certificates (not both at the same time):
+  * DuckDNS only supports two types of DNS validated certificates (not both at the same time):
     1. Certs that only cover your main subdomain (ie. `yoursubdomain.duckdns.org`, leave the `SUBDOMAINS` variable empty)
     2. Certs that cover sub-subdomains of your main subdomain (ie. `*.yoursubdomain.duckdns.org`, set the `SUBDOMAINS` variable to `wildcard`)
 * `--cap-add=NET_ADMIN` is required for fail2ban to modify iptables
-* After setup, navigate to `https://yourdomain.url` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default.conf`).
+* After setup, navigate to `https://example.com` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default.conf`).
 * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
 
+### Certbot Plugins
+
+SWAG includes many Certbot plugins out of the box, but not all plugins can be included.
+If you need a plugin that is not included, the quickest way to have the plugin available is to use our [Universal Package Install Docker Mod](https://github.com/linuxserver/docker-mods/tree/universal-package-install).
+
+Set the following environment variables on your container:
+
+```yaml
+DOCKER_MODS=linuxserver/mods:universal-package-install
+INSTALL_PIP_PACKAGES=certbot-dns-<plugin>
+```
+
+Set the required credentials (usually found in the plugin documentation) in `/config/dns-conf/<plugin>.ini`.
+It is recommended to attempt obtaining a certificate with `STAGING=true` first to make sure the plugin is working as expected.
+
 ### Security and password protection
 
 * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
@@ -116,7 +126,7 @@ This will *ask* Google et al not to index and list your site. Be careful with th
 * You can check which jails are active via `docker exec -it swag fail2ban-client status`
 * You can check the status of a specific jail via `docker exec -it swag fail2ban-client status <jail name>`
 * You can unban an IP via `docker exec -it swag fail2ban-client set <jail name> unbanip <IP>`
-* A list of commands can be found here: <https://www.fail2ban.org/wiki/index.php/Commands>
+* A list of commands for fail2ban-client can be found [here](https://manpages.ubuntu.com/manpages/noble/man1/fail2ban-client.1.html)
 
 ### Updating configs
 
@@ -132,19 +142,40 @@ This will *ask* Google et al not to index and list your site. Be careful with th
 * Proxy sample files WILL be updated, however your renamed (enabled) proxy files will not.
 * You can check the new sample and adjust your active config as needed.
 
+### QUIC support
+
+This image supports QUIC (also known as HTTP/3) but it must be explicitly enabled in each proxy conf, and the default conf, because if the listener is enabled and you don't expose 443/UDP, it can break connections with some browsers.
+
+To enable QUIC, expose 443/UDP to your clients, then uncomment both QUIC listeners in all of your active proxy confs, as well as the default conf, and restart the container.
+
+You should also uncomment the `Alt-Svc` header in your `ssl.conf` so that browsers are aware that you offer QUIC connectivity.
+
+It is [recommended](https://quic-go.net/docs/quic/optimizations/#udp-buffer-sizes) to increase the UDP send/recieve buffer **on the host** by setting the `net.core.rmem_max` and `net.core.wmem_max` sysctls. Suggested values are 4-16Mb (4194304-16777216 bytes). For persistence between reboots use `/etc/sysctl.d/`.
+
 ### Migration from the old `linuxserver/letsencrypt` image
 
 Please follow the instructions [on this blog post](https://www.linuxserver.io/blog/2020-08-21-introducing-swag#migrate).
 
+## Read-Only Operation
+
+This image can be run with a read-only container filesystem. For details please [read the docs](https://docs.linuxserver.io/misc/read-only/).
+
+### Caveats
+
+* `/tmp` must be mounted to tmpfs
+* fail2ban will not be available
+
 ## Usage
 
-Here are some example snippets to help you get started creating a container.
+To help you get started creating a container from this image you can either use docker-compose or the docker cli.
+
+>[!NOTE]
+>Unless a parameter is flagged as 'optional', it is *mandatory* and a value must be provided.
 
 ### docker-compose (recommended, [click here for more info](https://docs.linuxserver.io/general/docker-compose))
 
 ```yaml
 ---
-version: "2.1"
 services:
   swag:
     image: lscr.io/linuxserver/swag:latest
@@ -155,7 +186,7 @@ services:
       - PUID=1000
       - PGID=1000
       - TZ=Etc/UTC
-      - URL=yourdomain.url
+      - URL=example.com
       - VALIDATION=http
       - SUBDOMAINS=www, #optional
       - CERTPROVIDER= #optional
@@ -165,11 +196,15 @@ services:
       - ONLY_SUBDOMAINS=false #optional
       - EXTRA_DOMAINS= #optional
       - STAGING=false #optional
+      - DISABLE_F2B= #optional
+      - SWAG_AUTORELOAD= #optional
+      - SWAG_AUTORELOAD_WATCHLIST= #optional
     volumes:
-      - /path/to/appdata/config:/config
+      - /path/to/swag/config:/config
     ports:
       - 443:443
       - 80:80 #optional
+      - 443:443/udp #optional
     restart: unless-stopped
 ```
 
@@ -182,7 +217,7 @@ docker run -d \
   -e PUID=1000 \
   -e PGID=1000 \
   -e TZ=Etc/UTC \
-  -e URL=yourdomain.url \
+  -e URL=example.com \
   -e VALIDATION=http \
   -e SUBDOMAINS=www, `#optional` \
   -e CERTPROVIDER= `#optional` \
@@ -192,36 +227,45 @@ docker run -d \
   -e ONLY_SUBDOMAINS=false `#optional` \
   -e EXTRA_DOMAINS= `#optional` \
   -e STAGING=false `#optional` \
+  -e DISABLE_F2B= `#optional` \
+  -e SWAG_AUTORELOAD= `#optional` \
+  -e SWAG_AUTORELOAD_WATCHLIST= `#optional` \
   -p 443:443 \
   -p 80:80 `#optional` \
-  -v /path/to/appdata/config:/config \
+  -p 443:443/udp `#optional` \
+  -v /path/to/swag/config:/config \
   --restart unless-stopped \
   lscr.io/linuxserver/swag:latest
-
 ```
 
 ## Parameters
 
-Container images are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate `<external>:<internal>` respectively. For example, `-p 8080:80` would expose port `80` from inside the container to be accessible from the host's IP on port `8080` outside the container.
+Containers are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate `<external>:<internal>` respectively. For example, `-p 8080:80` would expose port `80` from inside the container to be accessible from the host's IP on port `8080` outside the container.
 
 | Parameter | Function |
 | :----: | --- |
-| `-p 443` | Https port |
+| `-p 443:443` | HTTPS port |
-| `-p 80` | Http port (required for http validation and http -> https redirect) |
+| `-p 80` | HTTP port (required for HTTP validation and HTTP -> HTTPS redirect) |
+| `-p 443/udp` | QUIC (HTTP/3) port. Must be enabled in the default and proxy confs. |
 | `-e PUID=1000` | for UserID - see below for explanation |
 | `-e PGID=1000` | for GroupID - see below for explanation |
 | `-e TZ=Etc/UTC` | specify a timezone to use, see this [list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List). |
-| `-e URL=yourdomain.url` | Top url you have control over (`customdomain.com` if you own it, or `customsubdomain.ddnsprovider.com` if dynamic dns). |
+| `-e URL=example.com` | Top url you have control over (e.g. `example.com` if you own it, or `customsubdomain.example.com` if dynamic dns). |
 | `-e VALIDATION=http` | Certbot validation method to use, options are `http` or `dns` (`dns` method also requires `DNSPLUGIN` variable set). |
 | `-e SUBDOMAINS=www,` | Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this *exactly* to `wildcard` (wildcard cert is available via `dns` validation only) |
 | `-e CERTPROVIDER=` | Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt. |
-| `-e DNSPLUGIN=cloudflare` | Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `duckdns`, `dynu`, `gandi`, `gehirn`, `godaddy`, `google`, `google-domains`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`. |
+| `-e DNSPLUGIN=cloudflare` | Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `bunny`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `dreamhost`, `duckdns`, `dynu`, `freedns`, `gandi`, `gehirn`, `glesys`, `godaddy`, `google`, `he`, `hetzner`, `hetzner-cloud`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `namecheap`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`. |
 | `-e PROPAGATION=` | Optionally override (in seconds) the default propagation time for the dns plugins. |
 | `-e EMAIL=` | Optional e-mail address used for cert expiration notifications (Required for ZeroSSL). |
 | `-e ONLY_SUBDOMAINS=false` | If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true` |
-| `-e EXTRA_DOMAINS=` | Additional fully qualified domain names (comma separated, no spaces) ie. `extradomain.com,subdomain.anotherdomain.org,*.anotherdomain.org` |
+| `-e EXTRA_DOMAINS=` | Additional fully qualified domain names (comma separated, no spaces) ie. `example.net,subdomain.example.net,*.example.org` |
 | `-e STAGING=false` | Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes. |
-| `-v /config` | All the config files including the webroot reside here. |
+| `-e DISABLE_F2B=` | Set to `true` to disable the Fail2ban service in the container, if you're already running it elsewhere or using a different IPS. |
+| `-e SWAG_AUTORELOAD=` | Set to `true` to enable automatic reloading of confs on change without stopping/restarting nginx. Your filesystem must support inotify. This functionality was previously offered [via mod](https://github.com/linuxserver/docker-mods/tree/swag-auto-reload). |
+| `-e SWAG_AUTORELOAD_WATCHLIST=` | A [pipe](https://en.wikipedia.org/wiki/Vertical_bar)-separated list of additional folders for auto reload to watch in addition to `/config/nginx` |
+| `-v /config` | Persistent config files |
+| `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). |
+| `--cap-add=NET_ADMIN` | Required for fail2Ban to be able to modify iptables rules. |
 
 ### Portainer notice
 
@@ -234,10 +278,10 @@ You can set any environment variable from a file by using a special prepend `FIL
 As an example:
 
 ```bash
--e FILE__PASSWORD=/run/secrets/mysecretpassword
+-e FILE__MYVAR=/run/secrets/mysecretvariable
 ```
 
-Will set the environment variable `PASSWORD` based on the contents of the `/run/secrets/mysecretpassword` file.
+Will set the environment variable `MYVAR` based on the contents of the `/run/secrets/mysecretvariable` file.
 
 ## Umask for running applications
 
@@ -246,15 +290,20 @@ Keep in mind umask is not chmod it subtracts from permissions based on it's valu
 
 ## User / Group Identifiers
 
-When using volumes (`-v` flags) permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user `PUID` and group `PGID`.
+When using volumes (`-v` flags), permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user `PUID` and group `PGID`.
 
 Ensure any volume directories on the host are owned by the same user you specify and any permissions issues will vanish like magic.
 
-In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as below:
+In this instance `PUID=1000` and `PGID=1000`, to find yours use `id your_user` as below:
 
 ```bash
-  $ id username
+id your_user
-    uid=1000(dockeruser) gid=1000(dockergroup) groups=1000(dockergroup)
+```
+
+Example output:
+
+```text
+uid=1000(your_user) gid=1000(your_user) groups=1000(your_user)
 ```
 
 ## Docker Mods
@@ -265,53 +314,101 @@ We publish various [Docker Mods](https://github.com/linuxserver/docker-mods) to
 
 ## Support Info
 
-* Shell access whilst the container is running: `docker exec -it swag /bin/bash`
+* Shell access whilst the container is running:
-* To monitor the logs of the container in realtime: `docker logs -f swag`
+
-* container version number
+    ```bash
-  * `docker inspect -f '{{ index .Config.Labels "build_version" }}' swag`
+    docker exec -it swag /bin/bash
-* image version number
+    ```
-  * `docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/swag:latest`
+
+* To monitor the logs of the container in realtime:
+
+    ```bash
+    docker logs -f swag
+    ```
+
+* Container version number:
+
+    ```bash
+    docker inspect -f '{{ index .Config.Labels "build_version" }}' swag
+    ```
+
+* Image version number:
+
+    ```bash
+    docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/swag:latest
+    ```
 
 ## Updating Info
 
-Most of our images are static, versioned, and require an image update and container recreation to update the app inside. With some exceptions (ie. nextcloud, plex), we do not recommend or support updating apps inside the container. Please consult the [Application Setup](#application-setup) section above to see if it is recommended for the image.
+Most of our images are static, versioned, and require an image update and container recreation to update the app inside. With some exceptions (noted in the relevant readme.md), we do not recommend or support updating apps inside the container. Please consult the [Application Setup](#application-setup) section above to see if it is recommended for the image.
 
 Below are the instructions for updating containers:
 
 ### Via Docker Compose
 
-* Update all images: `docker-compose pull`
+* Update images:
-  * or update a single image: `docker-compose pull swag`
+    * All images:
-* Let compose update all containers as necessary: `docker-compose up -d`
+
-  * or update a single container: `docker-compose up -d swag`
+        ```bash
-* You can also remove the old dangling images: `docker image prune`
+        docker-compose pull
+        ```
+
+    * Single image:
+
+        ```bash
+        docker-compose pull swag
+        ```
+
+* Update containers:
+    * All containers:
+
+        ```bash
+        docker-compose up -d
+        ```
+
+    * Single container:
+
+        ```bash
+        docker-compose up -d swag
+        ```
+
+* You can also remove the old dangling images:
+
+    ```bash
+    docker image prune
+    ```
 
 ### Via Docker Run
 
-* Update the image: `docker pull lscr.io/linuxserver/swag:latest`
+* Update the image:
-* Stop the running container: `docker stop swag`
+
-* Delete the container: `docker rm swag`
+    ```bash
+    docker pull lscr.io/linuxserver/swag:latest
+    ```
+
+* Stop the running container:
+
+    ```bash
+    docker stop swag
+    ```
+
+* Delete the container:
+
+    ```bash
+    docker rm swag
+    ```
+
 * Recreate a new container with the same docker run parameters as instructed above (if mapped correctly to a host folder, your `/config` folder and settings will be preserved)
-* You can also remove the old dangling images: `docker image prune`
+* You can also remove the old dangling images:
 
-### Via Watchtower auto-updater (only use if you don't remember the original parameters)
+    ```bash
-
+    docker image prune
-* Pull the latest image at its tag and replace it with the same env variables in one run:
+    ```
-
-  ```bash
-  docker run --rm \
-  -v /var/run/docker.sock:/var/run/docker.sock \
-  containrrr/watchtower \
-  --run-once swag
-  ```
-
-* You can also remove the old dangling images: `docker image prune`
-
-**Note:** We do not endorse the use of Watchtower as a solution to automated updates of existing Docker containers. In fact we generally discourage automated updates. However, this is a useful tool for one-time manual updates of containers where you have forgotten the original parameters. In the long term, we highly recommend using [Docker Compose](https://docs.linuxserver.io/general/docker-compose).
 
 ### Image Update Notifications - Diun (Docker Image Update Notifier)
 
-* We recommend [Diun](https://crazymax.dev/diun/) for update notifications. Other tools that automatically update containers unattended are not recommended or supported.
+>[!TIP]
+>We recommend [Diun](https://crazymax.dev/diun/) for update notifications. Other tools that automatically update containers unattended are not recommended or supported.
 
 ## Building locally
 
@@ -326,16 +423,43 @@ docker build \
   -t lscr.io/linuxserver/swag:latest .
 ```
 
-The ARM variants can be built on x86_64 hardware using `multiarch/qemu-user-static`
+The ARM variants can be built on x86_64 hardware and vice versa using `lscr.io/linuxserver/qemu-static`
 
 ```bash
-docker run --rm --privileged multiarch/qemu-user-static:register --reset
+docker run --rm --privileged lscr.io/linuxserver/qemu-static --reset
 ```
 
 Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64`.
 
 ## Versions
 
+* **23.01.26:** - Reorder init to fix proxy conf version checks.
+* **21.12.25:** - Add support for hetzner-cloud dns validation.
+* **04.11.25:** - Switch default Gandi credentials from API Key to Token, allow DNS propagation time for Azure DNS plugin.
+* **18.07.25:** - Rebase to Alpine 3.22 with PHP 8.4. Add QUIC support. Drop PHP bindings for mcrypt as it is no longer maintained.
+* **05.05.25:** - Disable Certbot's built in log rotation.
+* **19.01.25:** - Add [Auto Reload](https://github.com/linuxserver/docker-mods/tree/swag-auto-reload) functionality to SWAG.
+* **17.12.24:** - Rebase to Alpine 3.21.
+* **21.10.24:** - Fix naming issue with Dynu plugin. If you are using Dynu, please make sure your credentials are set in /config/dns-conf/dynu.ini and your DNSPLUGIN variable is set to dynu (not dynudns).
+* **30.08.24:** - Fix zerossl cert revocation.
+* **24.07.14:** - Rebase to Alpine 3.20. Remove deprecated Google Domains certbot plugin. Existing users should update their nginx confs to avoid http2 deprecation warnings.
+* **01.07.24:** - Fall back to iptables-legacy if iptables doesn't work.
+* **23.03.24:** - Fix perms on the generated `priv-fullchain-bundle.pem`.
+* **14.03.24:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-location.conf, authelia-server.conf - Update Authelia conf samples with support for 4.38.
+* **11.03.24:** - Restore support for DynuDNS using `certbot-dns-dynudns`.
+* **06.03.24:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) site-confs/default.conf - Cleanup default site conf.
+* **04.03.24:** - Remove `stream.conf` inside the container to allow users to include their own block in `nginx.conf`.
+* **23.01.24:** - Rebase to Alpine 3.19 with php 8.3, add root periodic crontabs for logrotate.
+* **01.01.24:** - Add GleSYS DNS plugin.
+* **11.12.23:** - Deprecate certbot-dns-dynu to resolve dependency conflicts with other plugins.
+* **30.11.23:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) site-confs/default.conf - Fix index.php being downloaded on 404.
+* **23.11.23:** - Run certbot as root to allow fix http validation.
+* **01.10.23:** - Fix "unrecognized arguments" issue in DirectAdmin DNS plugin.
+* **28.08.23:** - Add Namecheap DNS plugin.
+* **12.08.23:** - Add FreeDNS plugin. Detect certbot DNS authenticators using CLI.
+* **07.08.23:** - Add Bunny DNS Configuration.
+* **27.07.23:** - Added support for dreamhost validation.
+* **25.05.23:** - Rebase to Alpine 3.18, deprecate armhf.
 * **27.04.23:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-location.conf, authelia-server.conf, authentik-location.conf, authentik-server.conf - Simplify auth configs and fix Set-Cookie header bug.
 * **13.04.23:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, authelia-location.conf, authentik-location.conf, and site-confs/default.conf - Move ssl.conf include to default.conf. Remove Authorization headers in authelia. Sort proxy_set_header in authelia and authentik.
 * **25.03.23:** - Fix renewal post hook.

jenkins-vars.yml

@@ -17,12 +17,12 @@ repo_vars:
   - PR_DOCKERHUB_IMAGE = 'lspipepr/swag'
   - DIST_IMAGE = 'alpine'
   - MULTIARCH='true'
-  - CI='true'
+  - CI='false'
   - CI_WEB='false'
   - CI_PORT='80'
   - CI_SSL='false'
   - CI_DELAY='30'
-  - CI_DOCKERENV='TEST_RUN=1'
+  - CI_DOCKERENV=''
   - CI_AUTH=''
   - CI_WEBPATH=''
 sponsor_links:

package_versions.txt

@@ -1,339 +1,369 @@
-NAME                            VERSION                TYPE   
+NAME                            VERSION               TYPE                    
-ConfigArgParse                  1.5.3                  python  
+Simple Launcher                 1.1.0.14              binary  (+5 duplicates)  
-PyJWT                           2.7.0                  python  
+acl-libs                        2.3.2-r1              apk                      
-PyYAML                          6.0                    python  
+acme                            5.3.1                 python                   
-acme                            2.6.0                  python  
+alpine-baselayout               3.7.0-r0              apk                      
-alpine-baselayout               3.4.0-r0               apk     
+alpine-baselayout-data          3.7.0-r0              apk                      
-alpine-baselayout-data          3.4.0-r0               apk     
+alpine-keys                     2.5-r0                apk                      
-alpine-keys                     2.4-r1                 apk     
+alpine-release                  3.22.3-r0             apk                      
-alpine-release                  3.17.3-r0              apk     
+aom-libs                        3.12.1-r0             apk                      
-aom-libs                        3.5.0-r0               apk     
+apache2-utils                   2.4.66-r0             apk                      
-apache2-utils                   2.4.57-r0              apk     
+apk-tools                       2.14.9-r3             apk                      
-apk-tools                       2.12.10-r1             apk     
+apr                             1.7.5-r0              apk                      
-apr                             1.7.2-r0               apk     
+apr-util                        1.6.3-r1              apk                      
-apr-util                        1.6.3-r0               apk     
+argon2-libs                     20190702-r5           apk                      
-argon2-libs                     20190702-r2            apk     
+attrs                           25.4.0                python                   
-attrs                           23.1.0                 python  
+autocommand                     2.2.2                 python                   
-azure-common                    1.1.28                 python  
+azure-common                    1.1.28                python                   
-azure-core                      1.26.4                 python  
+azure-core                      1.38.2                python                   
-azure-identity                  1.12.0                 python  
+azure-identity                  1.25.2                python                   
-azure-mgmt-core                 1.4.0                  python  
+azure-mgmt-core                 1.6.0                 python                   
-azure-mgmt-dns                  8.0.0                  python  
+azure-mgmt-dns                  9.0.0                 python                   
-bash                            5.2.15-r0              apk     
+backports-tarfile               1.2.0                 python                   
-beautifulsoup4                  4.12.2                 python  
+bash                            5.2.37-r0             apk                      
-boto3                           1.26.132               python  
+beautifulsoup4                  4.14.3                python                   
-botocore                        1.29.132               python  
+boto3                           1.42.63               python                   
-brotli-libs                     1.0.9-r9               apk     
+botocore                        1.42.63               python                   
-bs4                             0.0.1                  python  
+brotli-libs                     1.1.0-r2              apk                      
-busybox                         1.35.0                 binary  
+bs4                             0.0.2                 python                   
-busybox                         1.35.0-r29             apk     
+busybox                         1.37.0-r20            apk                      
-busybox-binsh                   1.35.0-r29             apk     
+busybox-binsh                   1.37.0-r20            apk                      
-c-client                        2007f-r14              apk     
+c-ares                          1.34.6-r0             apk                      
-ca-certificates                 20230506-r0            apk     
+c-client                        2007f-r15             apk                      
-ca-certificates-bundle          20220614-r4            apk     
+ca-certificates                 20250911-r0           apk                      
-cachetools                      5.3.0                  python  
+ca-certificates-bundle          20250911-r0           apk                      
-certbot                         2.6.0                  python  
+catatonit                       0.2.1-r0              apk                      
-certbot-dns-acmedns             0.1.0                  python  
+certbot                         5.3.1                 python                   
-certbot-dns-aliyun              2.0.0                  python  
+certbot-dns-acmedns             0.1.0                 python                   
-certbot-dns-azure               2.1.0                  python  
+certbot-dns-aliyun              2.0.0                 python                   
-certbot-dns-cloudflare          2.6.0                  python  
+certbot-dns-azure               1.5.0                 python                   
-certbot-dns-cpanel              0.4.0                  python  
+certbot-dns-bunny               3.0.0                 python                   
-certbot-dns-desec               1.2.1                  python  
+certbot-dns-cloudflare          5.3.1                 python                   
-certbot-dns-digitalocean        2.6.0                  python  
+certbot-dns-cpanel              0.4.0                 python                   
-certbot-dns-directadmin         1.0.3                  python  
+certbot-dns-desec               1.3.2                 python                   
-certbot-dns-dnsimple            2.6.0                  python  
+certbot-dns-digitalocean        5.3.1                 python                   
-certbot-dns-dnsmadeeasy         2.6.0                  python  
+certbot-dns-directadmin         1.0.15                python                   
-certbot-dns-dnspod              0.1.0                  python  
+certbot-dns-dnsimple            5.3.1                 python                   
-certbot-dns-do                  0.31.0                 python  
+certbot-dns-dnsmadeeasy         5.3.1                 python                   
-certbot-dns-domeneshop          0.2.9                  python  
+certbot-dns-dnspod              0.1.0                 python                   
-certbot-dns-duckdns             1.3                    python  
+certbot-dns-do                  0.31.0                python                   
-certbot-dns-dynu                0.0.4                  python  
+certbot-dns-domeneshop          0.2.9                 python                   
-certbot-dns-gehirn              2.6.0                  python  
+certbot-dns-dreamhost           1.0                   python                   
-certbot-dns-godaddy             0.2.2                  python  
+certbot-dns-duckdns             1.8.0                 python                   
-certbot-dns-google              2.6.0                  python  
+certbot-dns-dynudns             0.0.6                 python                   
-certbot-dns-google-domains      0.1.11                 python  
+certbot-dns-freedns             0.2.0                 python                   
-certbot-dns-he                  1.0.0                  python  
+certbot-dns-gehirn              5.3.1                 python                   
-certbot-dns-hetzner             2.0.0                  python  
+certbot-dns-glesys              2.1.0                 python                   
-certbot-dns-infomaniak          0.2.1                  python  
+certbot-dns-godaddy             2.8.0                 python                   
-certbot-dns-inwx                2.2.0                  python  
+certbot-dns-google              5.3.1                 python                   
-certbot-dns-ionos               2022.11.24             python  
+certbot-dns-he                  1.0.0                 python                   
-certbot-dns-linode              2.6.0                  python  
+certbot-dns-hetzner             3.0.0                 python                   
-certbot-dns-loopia              1.0.1                  python  
+certbot-dns-hetzner-cloud       1.0.5                 python                   
-certbot-dns-luadns              2.6.0                  python  
+certbot-dns-infomaniak          0.2.4                 python                   
-certbot-dns-netcup              1.2.0                  python  
+certbot-dns-inwx                3.0.3                 python                   
-certbot-dns-njalla              1.0.0                  python  
+certbot-dns-ionos               2024.11.9             python                   
-certbot-dns-nsone               2.6.0                  python  
+certbot-dns-linode              5.3.1                 python                   
-certbot-dns-ovh                 2.6.0                  python  
+certbot-dns-loopia              1.0.1                 python                   
-certbot-dns-porkbun             0.8                    python  
+certbot-dns-luadns              5.3.1                 python                   
-certbot-dns-rfc2136             2.6.0                  python  
+certbot-dns-namecheap           1.0.0                 python                   
-certbot-dns-route53             2.6.0                  python  
+certbot-dns-netcup              2.0.0                 python                   
-certbot-dns-sakuracloud         2.6.0                  python  
+certbot-dns-njalla              2.0.2                 python                   
-certbot-dns-standalone          1.1                    python  
+certbot-dns-nsone               5.3.1                 python                   
-certbot-dns-transip             0.5.2                  python  
+certbot-dns-ovh                 5.3.1                 python                   
-certbot-dns-vultr               1.0.3                  python  
+certbot-dns-porkbun             0.11.0                python                   
-certbot-plugin-gandi            1.4.3                  python  
+certbot-dns-rfc2136             5.3.1                 python                   
-certifi                         2023.5.7               python  
+certbot-dns-route53             5.3.1                 python                   
-cffi                            1.15.1                 python  
+certbot-dns-sakuracloud         5.3.1                 python                   
-charset-normalizer              3.1.0                  python  
+certbot-dns-standalone          1.2.1                 python                   
-cloudflare                      2.11.1                 python  
+certbot-dns-transip             0.5.2                 python                   
-configobj                       5.0.8                  python  
+certbot-dns-vultr               1.1.0                 python                   
-coreutils                       9.1-r0                 apk     
+certbot-plugin-gandi            1.5.0                 python                   
-cryptography                    40.0.2                 python  
+certifi                         2026.2.25             python                   
-curl                            8.0.1-r0               apk     
+cffi                            2.0.0                 python                   
-dataclasses-json                0.5.7                  python  
+charset-normalizer              3.4.5                 python                   
-distro                          1.8.0                  python  
+cli                             UNKNOWN               binary                   
-dns-lexicon                     3.11.7                 python  
+cli-32                          UNKNOWN               binary                   
-dnslib                          0.9.23                 python  
+cli-64                          UNKNOWN               binary                   
-dnspython                       2.3.0                  python  
+cli-arm64                       UNKNOWN               binary                   
-domeneshop                      0.4.3                  python  
+cloudflare                      2.19.4                python                   
-fail2ban                        1.0.2                  python  
+composer                        2.9.5                 binary                   
-fail2ban                        1.0.2-r0               apk     
+configargparse                  1.7.1                 python                   
-filelock                        3.12.0                 python  
+configobj                       5.0.9                 python                   
-fontconfig                      2.14.1-r0              apk     
+coreutils                       9.7-r1                apk                      
-freetype                        2.12.1-r0              apk     
+coreutils-env                   9.7-r1                apk                      
-future                          0.18.3                 python  
+coreutils-fmt                   9.7-r1                apk                      
-gdbm                            1.23-r0                apk     
+coreutils-sha512sum             9.7-r1                apk                      
-git                             2.38.5-r0              apk     
+cryptography                    46.0.5                python                   
-git-perl                        2.38.5-r0              apk     
+curl                            8.14.1-r2             apk                      
-gmp                             6.2.1-r2               apk     
+distro                          1.9.0                 python                   
-gnupg                           2.2.40-r0              apk     
+dns-lexicon                     3.23.2                python                   
-gnupg-dirmngr                   2.2.40-r0              apk     
+dns-lexicon-coop                3.24.2                python                   
-gnupg-gpgconf                   2.2.40-r0              apk     
+dnslib                          0.9.26                python                   
-gnupg-utils                     2.2.40-r0              apk     
+dnspython                       2.8.0                 python                   
-gnupg-wks-client                2.2.40-r0              apk     
+domeneshop                      0.4.4                 python                   
-gnutls                          3.7.8-r3               apk     
+fail2ban                        1.1.0                 python                   
-google-api-core                 2.11.0                 python  
+fail2ban                        1.1.0-r3              apk                      
-google-api-python-client        2.86.0                 python  
+fail2ban-pyc                    1.1.0-r3              apk                      
-google-auth                     2.18.0                 python  
+filelock                        3.25.0                python                   
-google-auth-httplib2            0.1.0                  python  
+findutils                       4.10.0-r0             apk                      
-googleapis-common-protos        1.59.0                 python  
+fontconfig                      2.15.0-r3             apk                      
-gpg                             2.2.40-r0              apk     
+freetype                        2.13.3-r0             apk                      
-gpg-agent                       2.2.40-r0              apk     
+future                          1.0.0                 python                   
-gpg-wks-server                  2.2.40-r0              apk     
+gdbm                            1.24-r0               apk                      
-gpgsm                           2.2.40-r0              apk     
+git                             2.49.1-r0             apk                      
-gpgv                            2.2.40-r0              apk     
+git-init-template               2.49.1-r0             apk                      
-httplib2                        0.22.0                 python  
+git-perl                        2.49.1-r0             apk                      
-icu-data-en                     72.1-r1                apk     
+gmp                             6.3.0-r3              apk                      
-icu-libs                        72.1-r1                apk     
+gnupg                           2.4.9-r0              apk                      
-idna                            3.4                    python  
+gnupg-dirmngr                   2.4.9-r0              apk                      
-importlib-metadata              6.6.0                  python  
+gnupg-gpgconf                   2.4.9-r0              apk                      
-ip6tables                       1.8.8-r2               apk     
+gnupg-keyboxd                   2.4.9-r0              apk                      
-iptables                        1.8.8-r2               apk     
+gnupg-utils                     2.4.9-r0              apk                      
-isodate                         0.6.1                  python  
+gnupg-wks-client                2.4.9-r0              apk                      
-jmespath                        1.0.1                  python  
+gnutls                          3.8.12-r0             apk                      
-josepy                          1.13.0                 python  
+google-api-core                 2.30.0                python                   
-jq                              1.6-r2                 apk     
+google-api-python-client        2.192.0               python                   
-jsonlines                       3.1.0                  python  
+google-auth                     2.49.0                python                   
-jsonpickle                      3.0.1                  python  
+google-auth-httplib2            0.3.0                 python                   
-libacl                          2.3.1-r1               apk     
+googleapis-common-protos        1.73.0                python                   
-libassuan                       2.5.5-r1               apk     
+gpg                             2.4.9-r0              apk                      
-libattr                         2.5.1-r2               apk     
+gpg-agent                       2.4.9-r0              apk                      
-libavif                         0.11.1-r0              apk     
+gpg-wks-server                  2.4.9-r0              apk                      
-libbsd                          0.11.7-r0              apk     
+gpgsm                           2.4.9-r0              apk                      
-libbz2                          1.0.8-r4               apk     
+gpgv                            2.4.9-r0              apk                      
-libc-utils                      0.7.2-r3               apk     
+gui                             UNKNOWN               binary                   
-libcrypto3                      3.0.8-r4               apk     
+gui-32                          UNKNOWN               binary                   
-libcurl                         8.0.1-r0               apk     
+gui-64                          UNKNOWN               binary                   
-libdav1d                        1.0.0-r2               apk     
+gui-arm64                       UNKNOWN               binary                   
-libedit                         20221030.3.1-r0        apk     
+hcloud                          2.17.0                python                   
-libevent                        2.1.12-r5              apk     
+httplib2                        0.31.2                python                   
-libexpat                        2.5.0-r0               apk     
+icu-data-en                     76.1-r1               apk                      
-libffi                          3.4.4-r0               apk     
+icu-libs                        76.1-r1               apk                      
-libgcc                          12.2.1_git20220924-r4  apk     
+idna                            3.11                  python                   
-libgcrypt                       1.10.1-r0              apk     
+importlib-metadata              8.7.1                 python                   
-libgd                           2.3.3-r3               apk     
+inotify-tools                   4.23.9.0-r0           apk                      
-libgpg-error                    1.46-r1                apk     
+inotify-tools-libs              4.23.9.0-r0           apk                      
-libice                          1.0.10-r1              apk     
+inwx-domrobot                   3.2.0                 python                   
-libidn                          1.41-r0                apk     
+iptables                        1.8.11-r1             apk                      
-libintl                         0.21.1-r1              apk     
+iptables-legacy                 1.8.11-r1             apk                      
-libjpeg-turbo                   2.1.4-r0               apk     
+isodate                         0.7.2                 python                   
-libksba                         1.6.3-r0               apk     
+jaraco-context                  6.1.0                 python                   
-libldap                         2.6.3-r6               apk     
+jaraco-functools                4.4.0                 python                   
-libmaxminddb-libs               1.7.1-r0               apk     
+jaraco-text                     4.0.0                 python                   
-libmcrypt                       2.5.8-r10              apk     
+jinja2                          3.1.6                 python                   
-libmd                           1.0.4-r0               apk     
+jmespath                        1.1.0                 python                   
-libmemcached-libs               1.0.18-r5              apk     
+josepy                          2.2.0                 python                   
-libmnl                          1.0.5-r0               apk     
+jq                              1.8.1-r0              apk                      
-libnftnl                        1.2.4-r0               apk     
+jsonlines                       4.0.0                 python                   
-libpng                          1.6.38-r0              apk     
+jsonpickle                      4.1.1                 python                   
-libpq                           15.2-r0                apk     
+libapk2                         2.14.9-r3             apk                      
-libproc                         3.3.17-r2              apk     
+libassuan                       2.5.7-r0              apk                      
-libsasl                         2.1.28-r3              apk     
+libattr                         2.5.2-r2              apk                      
-libseccomp                      2.5.4-r0               apk     
+libavif                         1.3.0-r0              apk                      
-libsm                           1.2.3-r1               apk     
+libbsd                          0.12.2-r0             apk                      
-libsodium                       1.0.18-r2              apk     
+libbz2                          1.0.8-r6              apk                      
-libssl3                         3.0.8-r4               apk     
+libcrypto3                      3.5.5-r0              apk                      
-libstdc++                       12.2.1_git20220924-r4  apk     
+libcurl                         8.14.1-r2             apk                      
-libtasn1                        4.19.0-r0              apk     
+libdav1d                        1.5.1-r0              apk                      
-libunistring                    1.1-r0                 apk     
+libedit                         20250104.3.1-r1       apk                      
-libuuid                         2.38.1-r1              apk     
+libevent                        2.1.12-r8             apk                      
-libwebp                         1.2.4-r1               apk     
+libexpat                        2.7.4-r0              apk                      
-libx11                          1.8.4-r0               apk     
+libffi                          3.4.8-r0              apk                      
-libxau                          1.0.10-r0              apk     
+libgcc                          14.2.0-r6             apk                      
-libxcb                          1.15-r0                apk     
+libgcrypt                       1.10.3-r1             apk                      
-libxdmcp                        1.1.4-r0               apk     
+libgd                           2.3.3-r10             apk                      
-libxext                         1.3.5-r0               apk     
+libgpg-error                    1.55-r0               apk                      
-libxml2                         2.10.4-r0              apk     
+libice                          1.1.2-r0              apk                      
-libxpm                          3.5.15-r0              apk     
+libidn2                         2.3.7-r0              apk                      
-libxslt                         1.1.37-r1              apk     
+libintl                         0.24.1-r0             apk                      
-libxt                           1.2.1-r0               apk     
+libip4tc                        1.8.11-r1             apk                      
-libzip                          1.9.2-r2               apk     
+libip6tc                        1.8.11-r1             apk                      
-linux-pam                       1.5.2-r1               apk     
+libjpeg-turbo                   3.1.0-r0              apk                      
-logrotate                       3.20.1-r3              apk     
+libksba                         1.6.7-r0              apk                      
-loopialib                       0.2.0                  python  
+libldap                         2.6.8-r0              apk                      
-lxml                            4.9.2                  python  
+libmaxminddb-libs               1.9.1-r0              apk                      
-lz4-libs                        1.9.4-r1               apk     
+libmd                           1.1.0-r0              apk                      
-marshmallow                     3.19.0                 python  
+libmemcached-libs               1.1.4-r1              apk                      
-marshmallow-enum                1.5.1                  python  
+libmnl                          1.0.5-r2              apk                      
-memcached                       1.6.17                 binary  
+libncursesw                     6.5_p20250503-r0      apk                      
-memcached                       1.6.17-r0              apk     
+libnftnl                        1.2.9-r0              apk                      
-mock                            5.0.2                  python  
+libpanelw                       6.5_p20250503-r0      apk                      
-mpdecimal                       2.5.1-r1               apk     
+libpng                          1.6.55-r0             apk                      
-msal                            1.22.0                 python  
+libpq                           17.8-r0               apk                      
-msal-extensions                 1.0.0                  python  
+libproc2                        4.0.4-r3              apk                      
-msrest                          0.7.1                  python  
+libpsl                          0.21.5-r3             apk                      
-musl                            1.2.3-r4               apk     
+libsasl                         2.1.28-r8             apk                      
-musl-utils                      1.2.3-r4               apk     
+libseccomp                      2.6.0-r0              apk                      
-mypy-extensions                 1.0.0                  python  
+libsharpyuv                     1.5.0-r0              apk                      
-nano                            7.0-r0                 apk     
+libsm                           1.2.5-r0              apk                      
-ncurses-libs                    6.3_p20221119-r0       apk     
+libsodium                       1.0.20-r1             apk                      
-ncurses-terminfo-base           6.3_p20221119-r0       apk     
+libssl3                         3.5.5-r0              apk                      
-netcat-openbsd                  1.130-r4               apk     
+libstdc++                       14.2.0-r6             apk                      
-nettle                          3.8.1-r0               apk     
+libtasn1                        4.21.0-r0             apk                      
-nghttp2-libs                    1.51.0-r0              apk     
+libunistring                    1.3-r0                apk                      
-nginx                           1.22.1-r0              apk     
+libuuid                         2.41-r9               apk                      
-nginx-mod-devel-kit             1.22.1-r0              apk     
+libwebp                         1.5.0-r0              apk                      
-nginx-mod-http-brotli           1.22.1-r0              apk     
+libx11                          1.8.11-r0             apk                      
-nginx-mod-http-dav-ext          1.22.1-r0              apk     
+libxau                          1.0.12-r0             apk                      
-nginx-mod-http-echo             1.22.1-r0              apk     
+libxcb                          1.17.0-r0             apk                      
-nginx-mod-http-fancyindex       1.22.1-r0              apk     
+libxdmcp                        1.1.5-r1              apk                      
-nginx-mod-http-geoip2           1.22.1-r0              apk     
+libxext                         1.3.6-r2              apk                      
-nginx-mod-http-headers-more     1.22.1-r0              apk     
+libxml2                         2.13.9-r0             apk                      
-nginx-mod-http-image-filter     1.22.1-r0              apk     
+libxpm                          3.5.17-r0             apk                      
-nginx-mod-http-perl             1.22.1-r0              apk     
+libxslt                         1.1.43-r3             apk                      
-nginx-mod-http-redis2           1.22.1-r0              apk     
+libxt                           1.3.1-r0              apk                      
-nginx-mod-http-set-misc         1.22.1-r0              apk     
+libxtables                      1.8.11-r1             apk                      
-nginx-mod-http-upload-progress  1.22.1-r0              apk     
+libyuv                          0.0.1887.20251502-r1  apk                      
-nginx-mod-http-xslt-filter      1.22.1-r0              apk     
+libzip                          1.11.4-r0             apk                      
-nginx-mod-mail                  1.22.1-r0              apk     
+linux-pam                       1.7.0-r4              apk                      
-nginx-mod-rtmp                  1.22.1-r0              apk     
+logrotate                       3.21.0-r1             apk                      
-nginx-mod-stream                1.22.1-r0              apk     
+loopialib                       0.2.0                 python                   
-nginx-mod-stream-geoip2         1.22.1-r0              apk     
+lxml                            6.0.2                 python                   
-nginx-vim                       1.22.1-r0              apk     
+lz4-libs                        1.10.0-r0             apk                      
-npth                            1.6-r2                 apk     
+markupsafe                      3.0.3                 python                   
-oauthlib                        3.2.2                  python  
+memcached                       1.6.32-r0             apk                      
-oniguruma                       6.9.8-r0               apk     
+mock                            5.2.0                 python                   
-openssl                         3.0.8-r4               apk     
+more-itertools                  10.8.0                python                   
-p11-kit                         0.24.1-r1              apk     
+mpdecimal                       4.0.1-r0              apk                      
-packaging                       23.1                   python  
+msal                            1.35.1                python                   
-parsedatetime                   2.6                    python  
+msal-extensions                 1.3.1                 python                   
-pcre                            8.45-r2                apk     
+musl                            1.2.5-r10             apk                      
-pcre2                           10.42-r0               apk     
+musl-utils                      1.2.5-r10             apk                      
-perl                            5.36.0-r1              apk     
+nano                            8.4-r0                apk                      
-perl-error                      0.17029-r1             apk     
+ncurses-terminfo-base           6.5_p20250503-r0      apk                      
-perl-git                        2.38.5-r0              apk     
+netcat-openbsd                  1.229.1-r0            apk                      
-php-cli                         8.1.18                 binary  
+nettle                          3.10.2-r0             apk                      
-php-fpm                         8.1.18                 binary  
+nghttp2-libs                    1.65.0-r0             apk                      
-php81                           8.1.18-r0              apk     
+nginx                           1.28.2-r0             apk                      
-php81-bcmath                    8.1.18-r0              apk     
+nginx-mod-devel-kit             1.28.2-r0             apk                      
-php81-bz2                       8.1.18-r0              apk     
+nginx-mod-http-brotli           1.28.2-r0             apk                      
-php81-common                    8.1.18-r0              apk     
+nginx-mod-http-dav-ext          1.28.2-r0             apk                      
-php81-ctype                     8.1.18-r0              apk     
+nginx-mod-http-echo             1.28.2-r0             apk                      
-php81-curl                      8.1.18-r0              apk     
+nginx-mod-http-fancyindex       1.28.2-r0             apk                      
-php81-dom                       8.1.18-r0              apk     
+nginx-mod-http-geoip2           1.28.2-r0             apk                      
-php81-exif                      8.1.18-r0              apk     
+nginx-mod-http-headers-more     1.28.2-r0             apk                      
-php81-fileinfo                  8.1.18-r0              apk     
+nginx-mod-http-image-filter     1.28.2-r0             apk                      
-php81-fpm                       8.1.18-r0              apk     
+nginx-mod-http-perl             1.28.2-r0             apk                      
-php81-ftp                       8.1.18-r0              apk     
+nginx-mod-http-redis2           1.28.2-r0             apk                      
-php81-gd                        8.1.18-r0              apk     
+nginx-mod-http-set-misc         1.28.2-r0             apk                      
-php81-gmp                       8.1.18-r0              apk     
+nginx-mod-http-upload-progress  1.28.2-r0             apk                      
-php81-iconv                     8.1.18-r0              apk     
+nginx-mod-http-xslt-filter      1.28.2-r0             apk                      
-php81-imap                      8.1.18-r0              apk     
+nginx-mod-mail                  1.28.2-r0             apk                      
-php81-intl                      8.1.18-r0              apk     
+nginx-mod-rtmp                  1.28.2-r0             apk                      
-php81-ldap                      8.1.18-r0              apk     
+nginx-mod-stream                1.28.2-r0             apk                      
-php81-mbstring                  8.1.18-r0              apk     
+nginx-mod-stream-geoip2         1.28.2-r0             apk                      
-php81-mysqli                    8.1.18-r0              apk     
+nginx-vim                       1.28.2-r0             apk                      
-php81-mysqlnd                   8.1.18-r0              apk     
+npth                            1.8-r0                apk                      
-php81-opcache                   8.1.18-r0              apk     
+oniguruma                       6.9.10-r0             apk                      
-php81-openssl                   8.1.18-r0              apk     
+openssl                         3.5.5-r0              apk                      
-php81-pdo                       8.1.18-r0              apk     
+p11-kit                         0.25.5-r2             apk                      
-php81-pdo_mysql                 8.1.18-r0              apk     
+packaging                       26.0                  python  (+1 duplicate)   
-php81-pdo_odbc                  8.1.18-r0              apk     
+parsedatetime                   2.6                   python                   
-php81-pdo_pgsql                 8.1.18-r0              apk     
+pcre2                           10.46-r0              apk                      
-php81-pdo_sqlite                8.1.18-r0              apk     
+perl                            5.40.3-r0             apk                      
-php81-pear                      8.1.18-r0              apk     
+perl-error                      0.17030-r0            apk                      
-php81-pecl-apcu                 5.1.22-r0              apk     
+perl-git                        2.49.1-r0             apk                      
-php81-pecl-igbinary             3.2.12-r0              apk     
+php84                           8.4.16-r0             apk                      
-php81-pecl-mailparse            3.1.4-r0               apk     
+php84-bcmath                    8.4.16-r0             apk                      
-php81-pecl-mcrypt               1.0.6-r0               apk     
+php84-bz2                       8.4.16-r0             apk                      
-php81-pecl-memcached            3.2.0-r0               apk     
+php84-common                    8.4.16-r0             apk                      
-php81-pecl-redis                5.3.7-r0               apk     
+php84-ctype                     8.4.16-r0             apk                      
-php81-pecl-xmlrpc               1.0.0_rc3-r1           apk     
+php84-curl                      8.4.16-r0             apk                      
-php81-pgsql                     8.1.18-r0              apk     
+php84-dom                       8.4.16-r0             apk                      
-php81-phar                      8.1.18-r0              apk     
+php84-exif                      8.4.16-r0             apk                      
-php81-posix                     8.1.18-r0              apk     
+php84-fileinfo                  8.4.16-r0             apk                      
-php81-session                   8.1.18-r0              apk     
+php84-fpm                       8.4.16-r0             apk                      
-php81-simplexml                 8.1.18-r0              apk     
+php84-ftp                       8.4.16-r0             apk                      
-php81-soap                      8.1.18-r0              apk     
+php84-gd                        8.4.16-r0             apk                      
-php81-sockets                   8.1.18-r0              apk     
+php84-gmp                       8.4.16-r0             apk                      
-php81-sodium                    8.1.18-r0              apk     
+php84-iconv                     8.4.16-r0             apk                      
-php81-sqlite3                   8.1.18-r0              apk     
+php84-intl                      8.4.16-r0             apk                      
-php81-tokenizer                 8.1.18-r0              apk     
+php84-ldap                      8.4.16-r0             apk                      
-php81-xml                       8.1.18-r0              apk     
+php84-mbstring                  8.4.16-r0             apk                      
-php81-xmlreader                 8.1.18-r0              apk     
+php84-mysqli                    8.4.16-r0             apk                      
-php81-xmlwriter                 8.1.18-r0              apk     
+php84-mysqlnd                   8.4.16-r0             apk                      
-php81-xsl                       8.1.18-r0              apk     
+php84-opcache                   8.4.16-r0             apk                      
-php81-zip                       8.1.18-r0              apk     
+php84-openssl                   8.4.16-r0             apk                      
-pinentry                        1.2.1-r0               apk     
+php84-pdo                       8.4.16-r0             apk                      
-pip                             23.1.2                 python  
+php84-pdo_mysql                 8.4.16-r0             apk                      
-pkb-client                      1.2                    python  
+php84-pdo_odbc                  8.4.16-r0             apk                      
-popt                            1.19-r0                apk     
+php84-pdo_pgsql                 8.4.16-r0             apk                      
-portalocker                     2.7.0                  python  
+php84-pdo_sqlite                8.4.16-r0             apk                      
-procps                          3.3.17-r2              apk     
+php84-pear                      8.4.16-r0             apk                      
-protobuf                        4.23.0                 python  
+php84-pecl-apcu                 5.1.27-r0             apk                      
-publicsuffixlist                0.9.4                  python  
+php84-pecl-igbinary             3.2.16-r1             apk                      
-pyOpenSSL                       23.1.1                 python  
+php84-pecl-imap                 1.0.3-r0              apk                      
-pyRFC3339                       1.1                    python  
+php84-pecl-memcached            3.3.0-r0              apk                      
-pyacmedns                       0.4                    python  
+php84-pecl-msgpack              3.0.0-r0              apk                      
-pyasn1                          0.5.0                  python  
+php84-pecl-redis                6.3.0-r0              apk                      
-pyasn1-modules                  0.3.0                  python  
+php84-pgsql                     8.4.16-r0             apk                      
-pycparser                       2.21                   python  
+php84-phar                      8.4.16-r0             apk                      
-pyparsing                       3.0.9                  python  
+php84-posix                     8.4.16-r0             apk                      
-python                          3.10.11                binary  
+php84-session                   8.4.16-r0             apk                      
-python-dateutil                 2.8.2                  python  
+php84-simplexml                 8.4.16-r0             apk                      
-python-digitalocean             1.17.0                 python  
+php84-soap                      8.4.16-r0             apk                      
-python-transip                  0.6.0                  python  
+php84-sockets                   8.4.16-r0             apk                      
-python3                         3.10.11-r0             apk     
+php84-sodium                    8.4.16-r0             apk                      
-pytz                            2023.3                 python  
+php84-sqlite3                   8.4.16-r0             apk                      
-readline                        8.2.0-r0               apk     
+php84-tokenizer                 8.4.16-r0             apk                      
-requests                        2.30.0                 python  
+php84-xml                       8.4.16-r0             apk                      
-requests-file                   1.5.1                  python  
+php84-xmlreader                 8.4.16-r0             apk                      
-requests-mock                   1.10.0                 python  
+php84-xmlwriter                 8.4.16-r0             apk                      
-requests-oauthlib               1.3.1                  python  
+php84-xsl                       8.4.16-r0             apk                      
-rsa                             4.9                    python  
+php84-zip                       8.4.16-r0             apk                      
-s3transfer                      0.6.1                  python  
+pinentry                        1.3.1-r0              apk                      
-scanelf                         1.3.5-r1               apk     
+pip                             26.0.1                python                   
-setuptools                      65.5.0                 python  
+pkb-client                      2.2.0                 python                   
-shadow                          4.13-r0                apk     
+platformdirs                    4.4.0                 python                   
-six                             1.16.0                 python  
+popt                            1.19-r4               apk                      
-skalibs                         2.12.0.1-r0            apk     
+procps-ng                       4.0.4-r3              apk                      
-soupsieve                       2.4.1                  python  
+proto-plus                      1.27.1                python                   
-sqlite-libs                     3.40.1-r0              apk     
+protobuf                        6.33.5                python                   
-ssl_client                      1.35.0-r29             apk     
+pyacmedns                       0.4                   python                   
-tiff                            4.4.0-r3               apk     
+pyasn1                          0.6.2                 python                   
-tldextract                      3.4.1                  python  
+pyasn1-modules                  0.4.2                 python                   
-typing-inspect                  0.8.0                  python  
+pyc                             3.12.12-r0            apk                      
-typing_extensions               4.5.0                  python  
+pycparser                       3.0                   python                   
-tzdata                          2023c-r0               apk     
+pyjwt                           2.11.0                python                   
-unixodbc                        2.3.11-r0              apk     
+pynamecheap                     0.0.3                 python                   
-uritemplate                     4.1.1                  python  
+pyopenssl                       25.3.0                python                   
-urllib3                         1.26.15                python  
+pyotp                           2.9.0                 python                   
-utmps-libs                      0.1.2.0-r1             apk     
+pyparsing                       3.3.2                 python                   
-wheel                           0.40.0                 python  
+pyrfc3339                       2.1.0                 python                   
-whois                           5.5.14-r0              apk     
+python-dateutil                 2.9.0.post0           python                   
-xz                              5.2.9-r0               apk     
+python-digitalocean             1.17.0                python                   
-xz-libs                         5.2.9-r0               apk     
+python-transip                  0.6.0                 python                   
-zipp                            3.15.0                 python  
+python3                         3.12.12-r0            apk                      
-zlib                            1.2.13-r0              apk     
+python3-pyc                     3.12.12-r0            apk                      
-zope.interface                  6.0                    python  
+python3-pycache-pyc0            3.12.12-r0            apk                      
-zstd-libs                       1.5.5-r0               apk     
+pyyaml                          6.0.3                 python                   
+readline                        8.2.13-r1             apk                      
+requests                        2.32.5                python                   
+requests-file                   3.0.1                 python                   
+requests-mock                   1.12.1                python                   
+rsa                             4.9.1                 python                   
+s3transfer                      0.16.0                python                   
+scanelf                         1.3.8-r1              apk                      
+setuptools                      82.0.0                python                   
+shadow                          4.17.3-r0             apk                      
+six                             1.17.0                python                   
+skalibs-libs                    2.14.4.0-r0           apk                      
+soupsieve                       2.8.3                 python                   
+sqlite-libs                     3.49.2-r1             apk                      
+ssl_client                      1.37.0-r20            apk                      
+tiff                            4.7.1-r0              apk                      
+tldextract                      5.3.1                 python                   
+tomli                           2.4.0                 python                   
+typing-extensions               4.15.0                python                   
+tzdata                          2025c-r0              apk                      
+unixodbc                        2.3.12-r0             apk                      
+uritemplate                     4.2.0                 python                   
+urllib3                         2.6.3                 python                   
+utmps-libs                      0.1.3.1-r0            apk                      
+wheel                           0.46.3                python  (+1 duplicate)   
+whois                           5.6.3-r0              apk                      
+xz-libs                         5.8.1-r0              apk                      
+zipp                            3.23.0                python                   
+zlib                            1.3.1-r2              apk                      
+zope-interface                  8.2                   python                   
+zstd-libs                       1.5.7-r0              apk                      

readme-vars.yml

@@ -6,73 +6,49 @@ project_url: "https://linuxserver.io"
 project_logo: "https://github.com/linuxserver/docker-templates/raw/master/linuxserver.io/img/swag.gif"
 project_blurb: "SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention."
 project_lsio_github_repo_url: "https://github.com/linuxserver/docker-{{ project_name }}"
-
+project_categories: "Reverse Proxy"
-project_blurb_optional_extras_enabled: false
-project_blurb_optional_extras: []
-
 # supported architectures
 available_architectures:
-  - { arch: "{{ arch_x86_64 }}", tag: "amd64-latest"}
+  - {arch: "{{ arch_x86_64 }}", tag: "amd64-latest"}
-  - { arch: "{{ arch_arm64 }}", tag: "arm64v8-latest"}
+  - {arch: "{{ arch_arm64 }}", tag: "arm64v8-latest"}
-  - { arch: "{{ arch_armhf }}", tag: "arm32v7-latest"}
-
-# development version
-development_versions: false
-development_versions_items:
-  - { tag: "latest", desc: "Stable releases" }
-
-
 # container parameters
-common_param_env_vars_enabled: true #PGID, PUID, etc, you can set it to 'optional'
+common_param_env_vars_enabled: true
 param_container_name: "{{ project_name }}"
-param_usage_include_net: false #you can set it to 'optional'
-param_net: "host"
-param_net_desc: "Shares host networking with container."
 param_usage_include_env: true
 param_env_vars:
-  - { env_var: "TZ", env_value: "Europe/London", desc: "Specify a timezone to use EG Europe/London." }
+  - {env_var: "URL", env_value: "example.com", desc: "Top url you have control over (e.g. `example.com` if you own it, or `customsubdomain.example.com` if dynamic dns)."}
-  - { env_var: "URL", env_value: "yourdomain.url", desc: "Top url you have control over (`customdomain.com` if you own it, or `customsubdomain.ddnsprovider.com` if dynamic dns)." }
+  - {env_var: "VALIDATION", env_value: "http", desc: "Certbot validation method to use, options are `http` or `dns` (`dns` method also requires `DNSPLUGIN` variable set).", env_options: ["http", "dns"]}
-  - { env_var: "VALIDATION", env_value: "http", desc: "Certbot validation method to use, options are `http` or `dns` (`dns` method also requires `DNSPLUGIN` variable set)." }
 param_usage_include_vols: true
 param_volumes:
-  - { vol_path: "/config", vol_host_path: "/path/to/appdata/config", desc: "All the config files including the webroot reside here." }
+  - {vol_path: "/config", vol_host_path: "/path/to/{{ project_name }}/config", desc: "Persistent config files"}
 param_usage_include_ports: true
 param_ports:
-  - { external_port: "443", internal_port: "443", port_desc: "Https port" }
+  - {external_port: "443", internal_port: "443", port_desc: "HTTPS port"}
-param_device_map: false
-param_devices:
-  - { device_path: "/dev/dri", device_host_path: "/dev/dri", desc: "For hardware transcoding" }
 cap_add_param: true
 cap_add_param_vars:
-  - { cap_add_var: "NET_ADMIN" }
+  - {cap_add_var: "NET_ADMIN", desc: "Required for fail2Ban to be able to modify iptables rules."}
-
 # optional container parameters
 opt_param_usage_include_env: true
 opt_param_env_vars:
-  - { env_var: "SUBDOMAINS", env_value: "www,", desc: "Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this *exactly* to `wildcard` (wildcard cert is available via `dns` validation only)" }
+  - {env_var: "SUBDOMAINS", env_value: "www,", desc: "Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this *exactly* to `wildcard` (wildcard cert is available via `dns` validation only)"}
-  - { env_var: "CERTPROVIDER", env_value: "", desc: "Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt." }
+  - {env_var: "CERTPROVIDER", env_value: "", desc: "Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt."}
-  - { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `duckdns`, `dynu`, `gandi`, `gehirn`, `godaddy`, `google`, `google-domains`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." }
+  - {env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `bunny`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `dreamhost`, `duckdns`, `dynu`, `freedns`, `gandi`, `gehirn`, `glesys`, `godaddy`, `google`, `he`, `hetzner`, `hetzner-cloud`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `namecheap`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`."}
-  - { env_var: "PROPAGATION", env_value: "", desc: "Optionally override (in seconds) the default propagation time for the dns plugins." }
+  - {env_var: "PROPAGATION", env_value: "", desc: "Optionally override (in seconds) the default propagation time for the dns plugins."}
-  - { env_var: "EMAIL", env_value: "", desc: "Optional e-mail address used for cert expiration notifications (Required for ZeroSSL)." }
+  - {env_var: "EMAIL", env_value: "", desc: "Optional e-mail address used for cert expiration notifications (Required for ZeroSSL)."}
-  - { env_var: "ONLY_SUBDOMAINS", env_value: "false", desc: "If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true`" }
+  - {env_var: "ONLY_SUBDOMAINS", env_value: "false", desc: "If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true`"}
-  - { env_var: "EXTRA_DOMAINS", env_value: "", desc: "Additional fully qualified domain names (comma separated, no spaces) ie. `extradomain.com,subdomain.anotherdomain.org,*.anotherdomain.org`" }
+  - {env_var: "EXTRA_DOMAINS", env_value: "", desc: "Additional fully qualified domain names (comma separated, no spaces) ie. `example.net,subdomain.example.net,*.example.org`"}
-  - { env_var: "STAGING", env_value: "false", desc: "Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes." }
+  - {env_var: "STAGING", env_value: "false", desc: "Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes."}
-opt_param_usage_include_vols: false
+  - {env_var: "DISABLE_F2B", env_value: "", desc: "Set to `true` to disable the Fail2ban service in the container, if you're already running it elsewhere or using a different IPS."}
-opt_param_volumes:
+  - {env_var: "SWAG_AUTORELOAD", env_value: "", desc: "Set to `true` to enable automatic reloading of confs on change without stopping/restarting nginx. Your filesystem must support inotify. This functionality was previously offered [via mod](https://github.com/linuxserver/docker-mods/tree/swag-auto-reload)."}
-  - { vol_path: "/config", vol_host_path: "/path/to/appdata/config", desc: "Configuration files." }
+  - {env_var: "SWAG_AUTORELOAD_WATCHLIST", env_value: "", desc: "A [pipe](https://en.wikipedia.org/wiki/Vertical_bar)-separated list of additional folders for auto reload to watch in addition to `/config/nginx`"}
 opt_param_usage_include_ports: true
 opt_param_ports:
-  - { external_port: "80", internal_port: "80", port_desc: "Http port (required for http validation and http -> https redirect)" }
+  - {external_port: "80", internal_port: "80", port_desc: "HTTP port (required for HTTP validation and HTTP -> HTTPS redirect)"}
-opt_param_device_map: false
+  - {external_port: "443", internal_port: "443/udp", port_desc: "QUIC (HTTP/3) port. Must be enabled in the default and proxy confs."}
-opt_param_devices:
+readonly_supported: true
-  - { device_path: "/dev/dri", device_host_path: "/dev/dri", desc: "For hardware transcoding" }
+readonly_message: |
-opt_cap_add_param: false
+  * `/tmp` must be mounted to tmpfs
-opt_cap_add_param_vars:
+  * fail2ban will not be available
-  - { cap_add_var: "NET_ADMIN" }
-
-optional_block_1: false
-optional_block_1_items: ""
-
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
@@ -84,13 +60,28 @@ app_setup_block: |
   * For `dns` validation, make sure to enter your credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`
     * Cloudflare provides free accounts for managing dns and is very easy to use with this image. Make sure that it is set up for "dns only" instead of "dns + proxy"
     * Google dns plugin is meant to be used with "Google Cloud DNS", a paid enterprise product, and not for "Google Domains DNS"
-    * DuckDNS only supoprts two types of DNS validated certificates (not both at the same time):
+    * DuckDNS only supports two types of DNS validated certificates (not both at the same time):
       1. Certs that only cover your main subdomain (ie. `yoursubdomain.duckdns.org`, leave the `SUBDOMAINS` variable empty)
       2. Certs that cover sub-subdomains of your main subdomain (ie. `*.yoursubdomain.duckdns.org`, set the `SUBDOMAINS` variable to `wildcard`)
   * `--cap-add=NET_ADMIN` is required for fail2ban to modify iptables
-  * After setup, navigate to `https://yourdomain.url` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default.conf`).
+  * After setup, navigate to `https://example.com` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default.conf`).
   * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
 
+  ### Certbot Plugins
+
+  SWAG includes many Certbot plugins out of the box, but not all plugins can be included.
+  If you need a plugin that is not included, the quickest way to have the plugin available is to use our [Universal Package Install Docker Mod](https://github.com/linuxserver/docker-mods/tree/universal-package-install).
+
+  Set the following environment variables on your container:
+
+  ```yaml
+  DOCKER_MODS=linuxserver/mods:universal-package-install
+  INSTALL_PIP_PACKAGES=certbot-dns-<plugin>
+  ```
+
+  Set the required credentials (usually found in the plugin documentation) in `/config/dns-conf/<plugin>.ini`.
+  It is recommended to attempt obtaining a certificate with `STAGING=true` first to make sure the plugin is working as expected.
+
   ### Security and password protection
 
   * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
@@ -132,7 +123,7 @@ app_setup_block: |
   * You can check which jails are active via `docker exec -it swag fail2ban-client status`
   * You can check the status of a specific jail via `docker exec -it swag fail2ban-client status <jail name>`
   * You can unban an IP via `docker exec -it swag fail2ban-client set <jail name> unbanip <IP>`
-  * A list of commands can be found here: <https://www.fail2ban.org/wiki/index.php/Commands>
+  * A list of commands for fail2ban-client can be found [here](https://manpages.ubuntu.com/manpages/noble/man1/fail2ban-client.1.html)
 
   ### Updating configs
 
@@ -148,77 +139,178 @@ app_setup_block: |
   * Proxy sample files WILL be updated, however your renamed (enabled) proxy files will not.
   * You can check the new sample and adjust your active config as needed.
 
+  ### QUIC support
+
+  This image supports QUIC (also known as HTTP/3) but it must be explicitly enabled in each proxy conf, and the default conf, because if the listener is enabled and you don't expose 443/UDP, it can break connections with some browsers.
+
+  To enable QUIC, expose 443/UDP to your clients, then uncomment both QUIC listeners in all of your active proxy confs, as well as the default conf, and restart the container.
+
+  You should also uncomment the `Alt-Svc` header in your `ssl.conf` so that browsers are aware that you offer QUIC connectivity.
+
+  It is [recommended](https://quic-go.net/docs/quic/optimizations/#udp-buffer-sizes) to increase the UDP send/recieve buffer **on the host** by setting the `net.core.rmem_max` and `net.core.wmem_max` sysctls. Suggested values are 4-16Mb (4194304-16777216 bytes). For persistence between reboots use `/etc/sysctl.d/`.
+
   ### Migration from the old `linuxserver/letsencrypt` image
 
   Please follow the instructions [on this blog post](https://www.linuxserver.io/blog/2020-08-21-introducing-swag#migrate).
-
+# init diagram
+init_diagram: |
+  "swag:latest": {
+    docker-mods
+    base {
+      fix-attr +\nlegacy cont-init
+    }
+    docker-mods -> base
+    legacy-services
+    custom services
+    init-services -> legacy-services
+    init-services -> custom services
+    custom services -> legacy-services
+    legacy-services -> ci-service-check
+    init-migrations -> init-adduser
+    init-swag-config -> init-certbot-config
+    init-nginx-end -> init-config
+    init-os-end -> init-config
+    init-config -> init-config-end
+    init-crontab-config -> init-config-end
+    init-outdated-config -> init-config-end
+    init-config -> init-crontab-config
+    init-mods-end -> init-custom-files
+    init-adduser -> init-device-perms
+    base -> init-envfile
+    init-require-url -> init-fail2ban-config
+    init-os-end -> init-folders
+    init-php -> init-keygen
+    base -> init-migrations
+    init-config-end -> init-mods
+    init-mods-package-install -> init-mods-end
+    init-mods -> init-mods-package-install
+    init-samples -> init-nginx
+    init-version-checks -> init-nginx-end
+    init-adduser -> init-os-end
+    init-device-perms -> init-os-end
+    init-envfile -> init-os-end
+    init-renew -> init-outdated-config
+    init-keygen -> init-permissions
+    init-certbot-config -> init-permissions-config
+    init-nginx -> init-php
+    init-permissions-config -> init-renew
+    init-config -> init-require-url
+    init-folders -> init-samples
+    init-custom-files -> init-services
+    init-fail2ban-config -> init-swag-config
+    init-permissions -> init-swag-folders
+    init-swag-folders -> init-swag-samples
+    init-permissions -> init-version-checks
+    init-swag-samples -> init-version-checks
+    init-services -> svc-cron
+    svc-cron -> legacy-services
+    init-services -> svc-fail2ban
+    svc-fail2ban -> legacy-services
+    init-services -> svc-nginx
+    svc-nginx -> legacy-services
+    init-services -> svc-php-fpm
+    svc-php-fpm -> legacy-services
+    init-services -> svc-swag-auto-reload
+    svc-swag-auto-reload -> legacy-services
+  }
+  Base Images: {
+    "baseimage-alpine-nginx:3.22" <- "baseimage-alpine:3.22"
+  }
+  "swag:latest" <- Base Images
 # changelog
 changelogs:
-  - { date: "27.04.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-location.conf, authelia-server.conf, authentik-location.conf, authentik-server.conf - Simplify auth configs and fix Set-Cookie header bug." }
+  - {date: "23.01.26:", desc: "Reorder init to fix proxy conf version checks."}
-  - { date: "13.04.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, authelia-location.conf, authentik-location.conf, and site-confs/default.conf - Move ssl.conf include to default.conf. Remove Authorization headers in authelia. Sort proxy_set_header in authelia and authentik." }
+  - {date: "21.12.25:", desc: "Add support for hetzner-cloud dns validation."}
-  - { date: "25.03.23:", desc: "Fix renewal post hook." }
+  - {date: "04.11.25:", desc: "Switch default Gandi credentials from API Key to Token, allow DNS propagation time for Azure DNS plugin."}
-  - { date: "10.03.23:", desc: "Cleanup unused csr and keys folders. See [certbot 2.3.0 release notes](https://github.com/certbot/certbot/releases/tag/v2.3.0)." }
+  - {date: "18.07.25:", desc: "Rebase to Alpine 3.22 with PHP 8.4. Add QUIC support. Drop PHP bindings for mcrypt as it is no longer maintained."}
-  - { date: "09.03.23:", desc: "Add Google Domains DNS support, `google-domains`." }
+  - {date: "05.05.25:", desc: "Disable Certbot's built in log rotation."}
-  - { date: "02.03.23:", desc: "Set permissions on crontabs during init." }
+  - {date: "19.01.25:", desc: "Add [Auto Reload](https://github.com/linuxserver/docker-mods/tree/swag-auto-reload) functionality to SWAG."}
-  - { date: "09.02.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf, authelia-location.conf and authelia-server.conf - Add Authentik configs, update Authelia configs." }
+  - {date: "17.12.24:", desc: "Rebase to Alpine 3.21."}
-  - { date: "06.02.23:", desc: "Add porkbun support back in." }
+  - {date: "21.10.24:", desc: "Fix naming issue with Dynu plugin. If you are using Dynu, please make sure your credentials are set in /config/dns-conf/dynu.ini and your DNSPLUGIN variable is set to dynu (not dynudns)."}
-  - { date: "21.01.23:", desc: "Unpin certbot version (allow certbot 2.x). !!BREAKING CHANGE!! We are temporarily removing the certbot porkbun plugin until a new version is released that is compatible with certbot 2.x." }
+  - {date: "30.08.24:", desc: "Fix zerossl cert revocation."}
-  - { date: "20.01.23:", desc: "Rebase to alpine 3.17 with php8.1." }
+  - {date: "24.07.14:", desc: "Rebase to Alpine 3.20. Remove deprecated Google Domains certbot plugin. Existing users should update their nginx confs to avoid http2 deprecation warnings."}
-  - { date: "16.01.23:", desc: "Remove nchan module because it keeps causing crashes." }
+  - {date: "01.07.24:", desc: "Fall back to iptables-legacy if iptables doesn't work."}
-  - { date: "08.12.22:", desc: "Revamp certbot init."}
+  - {date: "23.03.24:", desc: "Fix perms on the generated `priv-fullchain-bundle.pem`."}
-  - { date: "03.12.22:", desc: "Remove defunct cloudxns plugin."}
+  - {date: "14.03.24:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-location.conf, authelia-server.conf - Update Authelia conf samples with support for 4.38."}
-  - { date: "22.11.22:", desc: "Pin acme to the same version as certbot."}
+  - {date: "11.03.24:", desc: "Restore support for DynuDNS using `certbot-dns-dynudns`."}
-  - { date: "22.11.22:", desc: "Pin certbot to 1.32.0 until plugin compatibility improves."}
+  - {date: "06.03.24:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) site-confs/default.conf - Cleanup default site conf."}
-  - { date: "05.11.22:", desc: "Update acmedns plugin handling."}
+  - {date: "04.03.24:", desc: "Remove `stream.conf` inside the container to allow users to include their own block in `nginx.conf`."}
-  - { date: "06.10.22:", desc: "Switch to certbot-dns-duckdns. Update cpanel and gandi dns plugin handling. Minor adjustments to init logic." }
+  - {date: "23.01.24:", desc: "Rebase to Alpine 3.19 with php 8.3, add root periodic crontabs for logrotate."}
-  - { date: "05.10.22:", desc: "Use certbot file hooks instead of command line hooks" }
+  - {date: "01.01.24:", desc: "Add GleSYS DNS plugin."}
-  - { date: "04.10.22:", desc: "Add godaddy and porkbun dns plugins." }
+  - {date: "11.12.23:", desc: "Deprecate certbot-dns-dynu to resolve dependency conflicts with other plugins."}
-  - { date: "03.10.22:", desc: "Add default_server back to default site conf's https listen." }
+  - {date: "30.11.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) site-confs/default.conf - Fix index.php being downloaded on 404."}
-  - { date: "22.09.22:", desc: "Added support for DO DNS validation." }
+  - {date: "23.11.23:", desc: "Run certbot as root to allow fix http validation."}
-  - { date: "22.09.22:", desc: "Added certbot-dns-acmedns for DNS01 validation." }
+  - {date: "01.10.23:", desc: "Fix \"unrecognized arguments\" issue in DirectAdmin DNS plugin."}
-  - { date: "20.08.22:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf - Rebasing to alpine 3.15 with php8. Restructure nginx configs ([see changes announcement](https://info.linuxserver.io/issues/2022-08-20-nginx-base))." }
+  - {date: "28.08.23:", desc: "Add Namecheap DNS plugin."}
-  - { date: "10.08.22:", desc: "Added support for Dynu DNS validation." }
+  - {date: "12.08.23:", desc: "Add FreeDNS plugin. Detect certbot DNS authenticators using CLI."}
-  - { date: "18.05.22:", desc: "Added support for Azure DNS validation." }
+  - {date: "07.08.23:", desc: "Add Bunny DNS Configuration."}
-  - { date: "09.04.22:", desc: "Added certbot-dns-loopia for DNS01 validation." }
+  - {date: "27.07.23:", desc: "Added support for dreamhost validation."}
-  - { date: "05.04.22:", desc: "Added support for standalone DNS validation." }
+  - {date: "25.05.23:", desc: "Rebase to Alpine 3.18, deprecate armhf."}
-  - { date: "28.03.22:", desc: "created a logfile for fail2ban nginx-unauthorized in /etc/cont-init.d/50-config" }
+  - {date: "27.04.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-location.conf, authelia-server.conf, authentik-location.conf, authentik-server.conf - Simplify auth configs and fix Set-Cookie header bug."}
-  - { date: "09.01.22:", desc: "Added a fail2ban jail for nginx unauthorized" }
+  - {date: "13.04.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, authelia-location.conf, authentik-location.conf, and site-confs/default.conf - Move ssl.conf include to default.conf. Remove Authorization headers in authelia. Sort proxy_set_header in authelia and authentik."}
-  - { date: "21.12.21:", desc: "Fixed issue with iptables not working as expected" }
+  - {date: "25.03.23:", desc: "Fix renewal post hook."}
-  - { date: "30.11.21:", desc: "Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind)" }
+  - {date: "10.03.23:", desc: "Cleanup unused csr and keys folders. See [certbot 2.3.0 release notes](https://github.com/certbot/certbot/releases/tag/v2.3.0)."}
-  - { date: "22.11.21:", desc: "Added support for Infomaniak DNS for certificate generation." }
+  - {date: "09.03.23:", desc: "Add Google Domains DNS support, `google-domains`."}
-  - { date: "20.11.21:", desc: "Added support for dnspod validation." }
+  - {date: "02.03.23:", desc: "Set permissions on crontabs during init."}
-  - { date: "15.11.21:", desc: "Added support for deSEC DNS for wildcard certificate generation." }
+  - {date: "09.02.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf, authelia-location.conf and authelia-server.conf - Add Authentik configs, update Authelia configs."}
-  - { date: "26.10.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf - Mitigate <https://httpoxy.org/> vulnerabilities. Ref: <https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx#Defeating-the-Attack-using-NGINX-and-NGINX-Plus>" }
+  - {date: "06.02.23:", desc: "Add porkbun support back in."}
-  - { date: "23.10.21:", desc: "Fix Hurricane Electric (HE) DNS validation." }
+  - {date: "21.01.23:", desc: "Unpin certbot version (allow certbot 2.x). !!BREAKING CHANGE!! We are temporarily removing the certbot porkbun plugin until a new version is released that is compatible with certbot 2.x."}
-  - { date: "12.10.21:", desc: "Fix deprecated LE root cert check to fix failures when using `STAGING=true`, and failures in revoking." }
+  - {date: "20.01.23:", desc: "Rebase to alpine 3.17 with php8.1."}
-  - { date: "06.10.21:", desc: "Added support for Hurricane Electric (HE) DNS validation. Added lxml build deps." }
+  - {date: "16.01.23:", desc: "Remove nchan module because it keeps causing crashes."}
-  - { date: "01.10.21:", desc: "Check if the cert uses the old LE root cert, revoke and regenerate if necessary. [Here's more info](https://twitter.com/letsencrypt/status/1443621997288767491) on LE root cert expiration" }
+  - {date: "08.12.22:", desc: "Revamp certbot init."}
-  - { date: "19.09.21:", desc: "Add an optional header to opt out of Google FLoC in `ssl.conf`." }
+  - {date: "03.12.22:", desc: "Remove defunct cloudxns plugin."}
-  - { date: "17.09.21:", desc: "Mark `SUBDOMAINS` var as optional." }
+  - {date: "22.11.22:", desc: "Pin acme to the same version as certbot."}
-  - { date: "01.08.21:", desc: "Add support for ionos dns validation." }
+  - {date: "22.11.22:", desc: "Pin certbot to 1.32.0 until plugin compatibility improves."}
-  - { date: "15.07.21:", desc: "Fix libmaxminddb issue due to upstream change." }
+  - {date: "05.11.22:", desc: "Update acmedns plugin handling."}
-  - { date: "07.07.21:", desc: "Rebase to alpine 3.14." }
+  - {date: "06.10.22:", desc: "Switch to certbot-dns-duckdns. Update cpanel and gandi dns plugin handling. Minor adjustments to init logic."}
-  - { date: "24.06.21:", desc: "Update default nginx conf folder." }
+  - {date: "05.10.22:", desc: "Use certbot file hooks instead of command line hooks"}
-  - { date: "28.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf - Use `resolver.conf` and patch for `CVE-2021-32637`." }
+  - {date: "04.10.22:", desc: "Add godaddy and porkbun dns plugins."}
-  - { date: "20.05.21:", desc: "Modify resolver.conf generation to detect and ignore ipv6." }
+  - {date: "03.10.22:", desc: "Add default_server back to default site conf's https listen."}
-  - { date: "14.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later." }
+  - {date: "22.09.22:", desc: "Added support for DO DNS validation."}
-  - { date: "21.04.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method." }
+  - {date: "22.09.22:", desc: "Added certbot-dns-acmedns for DNS01 validation."}
-  - { date: "12.04.21:", desc: "Add php7-gmp and php7-pecl-mailparse." }
+  - {date: "20.08.22:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf - Rebasing to alpine 3.15 with php8. Restructure nginx configs ([see changes announcement](https://info.linuxserver.io/issues/2022-08-20-nginx-base))."}
-  - { date: "12.04.21:", desc: "Add support for vultr dns validation." }
+  - {date: "10.08.22:", desc: "Added support for Dynu DNS validation."}
-  - { date: "14.03.21:", desc: "Add support for directadmin dns validation." }
+  - {date: "18.05.22:", desc: "Added support for Azure DNS validation."}
-  - { date: "12.02.21:", desc: "Clean up rust/cargo cache, which ballooned the image size in the last couple of builds." }
+  - {date: "09.04.22:", desc: "Added certbot-dns-loopia for DNS01 validation."}
-  - { date: "10.02.21:", desc: "Fix aliyun, domeneshop, inwx and transip dns confs for existing users." }
+  - {date: "05.04.22:", desc: "Added support for standalone DNS validation."}
-  - { date: "09.02.21:", desc: "Rebasing to alpine 3.13. Add nginx mods brotli and dav-ext. Remove nginx mods lua and lua-upstream (due to regression over the last couple of years)." }
+  - {date: "28.03.22:", desc: "created a logfile for fail2ban nginx-unauthorized in /etc/cont-init.d/50-config"}
-  - { date: "26.01.21:", desc: "Add support for hetzner dns validation." }
+  - {date: "09.01.22:", desc: "Added a fail2ban jail for nginx unauthorized"}
-  - { date: "20.01.21:", desc: "Add check for ZeroSSL EAB retrieval." }
+  - {date: "21.12.21:", desc: "Fixed issue with iptables not working as expected"}
-  - { date: "08.01.21:", desc: "Add support for getting certs from [ZeroSSL](https://zerossl.com/) via optional `CERTPROVIDER` env var. Update aliyun, domeneshop, inwx and transip dns plugins with the new plugin names. Hide `donoteditthisfile.conf` because users were editing it despite its name. Suppress harmless error when no proxy confs are enabled." }
+  - {date: "30.11.21:", desc: "Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind)"}
-  - { date: "03.01.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) /config/nginx/site-confs/default.conf - Add helper pages to aid troubleshooting" }
+  - {date: "22.11.21:", desc: "Added support for Infomaniak DNS for certificate generation."}
-  - { date: "10.12.20:", desc: "Add support for njalla dns validation" }
+  - {date: "20.11.21:", desc: "Added support for dnspod validation."}
-  - { date: "09.12.20:", desc: "Check for template/conf updates and notify in the log. Add support for gehirn and sakuracloud dns validation." }
+  - {date: "15.11.21:", desc: "Added support for deSEC DNS for wildcard certificate generation."}
-  - { date: "01.11.20:", desc: "Add support for netcup dns validation" }
+  - {date: "26.10.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf - Mitigate <https://httpoxy.org/> vulnerabilities. Ref: <https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx#Defeating-the-Attack-using-NGINX-and-NGINX-Plus>"}
-  - { date: "29.10.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) ssl.conf - Add frame-ancestors to Content-Security-Policy." }
+  - {date: "23.10.21:", desc: "Fix Hurricane Electric (HE) DNS validation."}
-  - { date: "04.10.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, proxy.conf, and ssl.conf - Minor cleanups and reordering." }
+  - {date: "12.10.21:", desc: "Fix deprecated LE root cert check to fix failures when using `STAGING=true`, and failures in revoking."}
-  - { date: "20.09.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf - Added geoip2 configs. Added MAXMINDDB_LICENSE_KEY variable to readme."}
+  - {date: "06.10.21:", desc: "Added support for Hurricane Electric (HE) DNS validation. Added lxml build deps."}
-  - { date: "08.09.20:", desc: "Add php7-xsl." }
+  - {date: "01.10.21:", desc: "Check if the cert uses the old LE root cert, revoke and regenerate if necessary. [Here's more info](https://twitter.com/letsencrypt/status/1443621997288767491) on LE root cert expiration"}
-  - { date: "01.09.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, proxy.conf, and various proxy samples - Global websockets across all configs." }
+  - {date: "19.09.21:", desc: "Add an optional header to opt out of Google FLoC in `ssl.conf`."}
-  - { date: "03.08.20:", desc: "Initial release." }
+  - {date: "17.09.21:", desc: "Mark `SUBDOMAINS` var as optional."}
+  - {date: "01.08.21:", desc: "Add support for ionos dns validation."}
+  - {date: "15.07.21:", desc: "Fix libmaxminddb issue due to upstream change."}
+  - {date: "07.07.21:", desc: "Rebase to alpine 3.14."}
+  - {date: "24.06.21:", desc: "Update default nginx conf folder."}
+  - {date: "28.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf - Use `resolver.conf` and patch for `CVE-2021-32637`."}
+  - {date: "20.05.21:", desc: "Modify resolver.conf generation to detect and ignore ipv6."}
+  - {date: "14.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later."}
+  - {date: "21.04.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method."}
+  - {date: "12.04.21:", desc: "Add php7-gmp and php7-pecl-mailparse."}
+  - {date: "12.04.21:", desc: "Add support for vultr dns validation."}
+  - {date: "14.03.21:", desc: "Add support for directadmin dns validation."}
+  - {date: "12.02.21:", desc: "Clean up rust/cargo cache, which ballooned the image size in the last couple of builds."}
+  - {date: "10.02.21:", desc: "Fix aliyun, domeneshop, inwx and transip dns confs for existing users."}
+  - {date: "09.02.21:", desc: "Rebasing to alpine 3.13. Add nginx mods brotli and dav-ext. Remove nginx mods lua and lua-upstream (due to regression over the last couple of years)."}
+  - {date: "26.01.21:", desc: "Add support for hetzner dns validation."}
+  - {date: "20.01.21:", desc: "Add check for ZeroSSL EAB retrieval."}
+  - {date: "08.01.21:", desc: "Add support for getting certs from [ZeroSSL](https://zerossl.com/) via optional `CERTPROVIDER` env var. Update aliyun, domeneshop, inwx and transip dns plugins with the new plugin names. Hide `donoteditthisfile.conf` because users were editing it despite its name. Suppress harmless error when no proxy confs are enabled."}
+  - {date: "03.01.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) /config/nginx/site-confs/default.conf - Add helper pages to aid troubleshooting"}
+  - {date: "10.12.20:", desc: "Add support for njalla dns validation"}
+  - {date: "09.12.20:", desc: "Check for template/conf updates and notify in the log. Add support for gehirn and sakuracloud dns validation."}
+  - {date: "01.11.20:", desc: "Add support for netcup dns validation"}
+  - {date: "29.10.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) ssl.conf - Add frame-ancestors to Content-Security-Policy."}
+  - {date: "04.10.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, proxy.conf, and ssl.conf - Minor cleanups and reordering."}
+  - {date: "20.09.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf - Added geoip2 configs. Added MAXMINDDB_LICENSE_KEY variable to readme."}
+  - {date: "08.09.20:", desc: "Add php7-xsl."}
+  - {date: "01.09.20:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, proxy.conf, and various proxy samples - Global websockets across all configs."}
+  - {date: "03.08.20:", desc: "Initial release."}

root/app/le-renew.sh

@@ -6,4 +6,4 @@ echo
 echo "<------------------------------------------------->"
 echo "cronjob running on $(date)"
 echo "Running certbot renew"
-certbot renew --non-interactive
+certbot renew --non-interactive --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini

root/defaults/dns-conf/bunny.ini

@@ -0,0 +1,2 @@
+# Bunny API token used by Certbot
+dns_bunny_api_key = a65e8ebd-45ab-44d2-a542-40d4d009e3bf

root/defaults/dns-conf/dreamhost.ini

@@ -0,0 +1,4 @@
+# Instructions: https://github.com/goncalo-leal/certbot-dns-dreamhost#usage
+# Replace with your values
+dns_dreamhost_baseurl = "https://api.dreamhost.com/"
+dns_dreamhost_api_key = "<api_key>"

root/defaults/dns-conf/dynu.ini

@@ -1,3 +1,3 @@
-# Instructions: https://github.com/bikram990/certbot-dns-dynu#configuration
+# Instructions: https://github.com/DustyRah/certbot-dns-dynudns
-# Replace with your API token from your dynu account.
+# Replace with your API token from your dynudns account.
 dns_dynu_auth_token = AbCbASsd!@34

root/defaults/dns-conf/freedns.ini

@@ -0,0 +1,4 @@
+# Instructions: https://github.com/schleuss/certbot_dns_freedns#credentials
+# Replace with your values
+dns_freedns_username = myremoteuser
+dns_freedns_password = verysecureremoteuserpassword

root/defaults/dns-conf/gandi.ini

@@ -1,7 +1,6 @@
 # Instructions: https://github.com/obynio/certbot-plugin-gandi#usage
-# Replace with your value
+# Replace with your Gandi Live DNS v5 Personal Access Token
-# live dns v5 api key
+dns_gandi_token=TOKEN
-dns_gandi_api_key=APIKEY
 
 # optional organization id, remove it if not used
 #dns_gandi_sharing_id=SHARINGID

root/defaults/dns-conf/glesys.ini

@@ -0,0 +1,5 @@
+# Instructions: https://github.com/runfalk/certbot-dns-glesys#usage
+
+# GleSYS API credentials used by Certbot
+dns_glesys_user = CL00000
+dns_glesys_password = apikeygoeshere

root/defaults/dns-conf/google-domains.ini

@@ -1,4 +0,0 @@
-# Instructions: https://github.com/aaomidi/certbot-dns-google-domains#credentials
-# Replace with your value
-dns_google_domains_access_token = abcdef
-dns_google_domains_zone = example.com

root/defaults/dns-conf/hetzner-cloud.ini

@@ -0,0 +1,2 @@
+# Hetzner Cloud API Token
+dns_hetzner_cloud_api_token = your_api_token_here

root/defaults/dns-conf/namecheap.ini

@@ -0,0 +1,4 @@
+# Instructions: https://github.com/knoxell/certbot-dns-namecheap#credentials
+# Namecheap API credentials used by Certbot
+dns_namecheap_username=my-username
+dns_namecheap_api_key=my-api-key

root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default

@@ -5,4 +5,5 @@ cd /config/keys/letsencrypt || exit 1
 openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
 sleep 1
 cat {privkey,fullchain}.pem >priv-fullchain-bundle.pem
+chmod 600 priv-fullchain-bundle.pem
 chown -R abc:abc /config/etc/letsencrypt

root/defaults/fail2ban/filter.d/nginx-deny.conf

@@ -12,4 +12,4 @@ datepattern = {^LN-BEG}
 
 # DEV NOTES:
 #
-# Author: Will L (driz@linuxserver.io)
+# Author: notdriz

root/defaults/fail2ban/filter.d/nginx-unauthorized.conf

@@ -3,5 +3,3 @@
 [Definition]
 
 failregex = ^<HOST>.*"(GET|POST|HEAD).*" (401) .*$
-
-ignoreregex = .*(?i)plex.*

root/defaults/nginx/authelia-location.conf.sample

@@ -1,10 +1,10 @@
-## Version 2023/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample
+## Version 2025/03/25 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample
 # Make sure that your authelia container is in the same user defined bridge network and is named authelia
 # Rename /config/nginx/proxy-confs/authelia.subdomain.conf.sample to /config/nginx/proxy-confs/authelia.subdomain.conf
-# Make sure that the authelia configuration.yml has 'path: "authelia"' defined
 
 ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource
-auth_request /authelia/api/verify;
+auth_request /authelia/api/authz/auth-request;
+
 ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal
 error_page 401 = @authelia_proxy_signin;
 

root/defaults/nginx/authelia-server.conf.sample

@@ -1,25 +1,15 @@
-## Version 2023/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample
+## Version 2025/03/25 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample
 # Make sure that your authelia container is in the same user defined bridge network and is named authelia
 # Rename /config/nginx/proxy-confs/authelia.subdomain.conf.sample to /config/nginx/proxy-confs/authelia.subdomain.conf
-# Make sure that the authelia configuration.yml has 'path: "authelia"' defined
-
-# location for authelia subfolder requests
-location ^~ /authelia {
-    auth_request off; # requests to this subfolder must be accessible without authentication
-    include /config/nginx/proxy.conf;
-    include /config/nginx/resolver.conf;
-    set $upstream_authelia authelia;
-    proxy_pass http://$upstream_authelia:9091;
-}
 
 # location for authelia auth requests
-location = /authelia/api/verify {
+location = /authelia/api/authz/auth-request {
     internal;
 
     include /config/nginx/proxy.conf;
     include /config/nginx/resolver.conf;
     set $upstream_authelia authelia;
-    proxy_pass http://$upstream_authelia:9091;
+    proxy_pass http://$upstream_authelia:9091/api/authz/auth-request;
 
     ## Include the Set-Cookie header if present
     auth_request_set $set_cookie $upstream_http_set_cookie;
@@ -43,11 +33,6 @@ location @authelia_proxy_signin {
     ## Translate the Location response header from the auth subrequest into a variable
     auth_request_set $signin_url $upstream_http_location;
 
-    if ($signin_url = '') {
-        ## Set the $signin_url variable
-        set $signin_url https://$http_host/authelia/?rd=$target_url;
-    }
-
     ## Redirect to login
     return 302 $signin_url;
 }

root/defaults/nginx/authentik-location.conf.sample

@@ -4,6 +4,7 @@
 
 ## Send a subrequest to Authentik to verify if the user is authenticated and has permission to access the resource
 auth_request /outpost.goauthentik.io/auth/nginx;
+
 ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal
 error_page 401 = @goauthentik_proxy_signin;
 

root/defaults/nginx/authentik-server.conf.sample

@@ -1,10 +1,11 @@
-## Version 2023/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-server.conf.sample
+## Version 2025/03/25 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-server.conf.sample
 # Make sure that your authentik container is in the same user defined bridge network and is named authentik-server
 # Rename /config/nginx/proxy-confs/authentik.subdomain.conf.sample to /config/nginx/proxy-confs/authentik.subdomain.conf
 
 # location for authentik subfolder requests
 location ^~ /outpost.goauthentik.io {
     auth_request off; # requests to this subfolder must be accessible without authentication
+
     include /config/nginx/proxy.conf;
     include /config/nginx/resolver.conf;
     set $upstream_authentik authentik-server;
@@ -18,7 +19,7 @@ location = /outpost.goauthentik.io/auth/nginx {
     include /config/nginx/proxy.conf;
     include /config/nginx/resolver.conf;
     set $upstream_authentik authentik-server;
-    proxy_pass http://$upstream_authentik:9000;
+    proxy_pass http://$upstream_authentik:9000/outpost.goauthentik.io/auth/nginx;
 
     ## Include the Set-Cookie header if present
     auth_request_set $set_cookie $upstream_http_set_cookie;

root/defaults/nginx/site-confs/default.conf.sample

@@ -1,4 +1,4 @@
-## Version 2023/04/13 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2026/03/07 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
 
 # redirect all traffic to https
 server {
@@ -12,8 +12,10 @@ server {
 
 # main server block
 server {
-    listen 443 ssl http2 default_server;
+    listen 443 ssl default_server;
-    listen [::]:443 ssl http2 default_server;
+#    listen 443 quic reuseport default_server;
+    listen [::]:443 ssl default_server;
+#    listen [::]:443 quic reuseport default_server;
 
     server_name _;
 
@@ -34,6 +36,9 @@ server {
     # enable for Authentik (requires authentik-location.conf in the location block)
     #include /config/nginx/authentik-server.conf;
 
+    # enable for Tinyauth (requires tinyauth-location.conf in the location block)
+    #include /config/nginx/tinyauth-server.conf;
+
     location / {
         # enable for basic auth
         #auth_basic "Restricted";
@@ -48,11 +53,28 @@ server {
         # enable for Authentik (requires authentik-server.conf in the server block)
         #include /config/nginx/authentik-location.conf;
 
-        try_files $uri $uri/ /index.html /index.php$is_args$args =404;
+        # enable for Tinyauth (requires tinyauth-server.conf in the server block)
+        #include /config/nginx/tinyauth-location.conf;
+
+        try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
     }
 
     location ~ ^(.+\.php)(.*)$ {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
+
+        # enable for Authelia (requires authelia-server.conf in the server block)
+        #include /config/nginx/authelia-location.conf;
+
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
         fastcgi_split_path_info ^(.+\.php)(.*)$;
+        if (!-f $document_root$fastcgi_script_name) { return 404; }
         fastcgi_pass 127.0.0.1:9000;
         fastcgi_index index.php;
         include /etc/nginx/fastcgi_params;
@@ -66,5 +88,3 @@ server {
 
 # enable subdomain method reverse proxy confs
 include /config/nginx/proxy-confs/*.subdomain.conf;
-# enable proxy cache for auth
-proxy_cache_path cache/ keys_zone=auth_cache:10m;

root/defaults/nginx/tinyauth-location.conf.sample

@@ -0,0 +1,9 @@
+## Version 2025/06/08 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/tinyauth-location.conf.sample
+# Make sure that your tinyauth container is in the same user defined bridge network and is named tinyauth
+# Rename /config/nginx/proxy-confs/tinyauth.subdomain.conf.sample to /config/nginx/proxy-confs/tinyauth.subdomain.conf
+
+## Send a subrequest to tinyauth to verify if the user is authenticated and has permission to access the resource
+auth_request /tinyauth;
+
+## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal
+error_page 401 = @tinyauth_login;

root/defaults/nginx/tinyauth-server.conf.sample

@@ -0,0 +1,35 @@
+## Version 2025/06/08 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/tinyauth-server.conf.sample
+# Make sure that your tinyauth container is in the same user defined bridge network and is named tinyauth
+# Rename /config/nginx/proxy-confs/tinyauth.subdomain.conf.sample to /config/nginx/proxy-confs/tinyauth.subdomain.conf
+
+# location for tinyauth auth requests
+location /tinyauth {
+    internal;
+
+    include /config/nginx/proxy.conf;
+    include /config/nginx/resolver.conf;
+    set $upstream_tinyauth tinyauth;
+    proxy_pass http://$upstream_tinyauth:3000/api/auth/nginx;
+
+    proxy_set_header x-forwarded-proto $scheme;
+    proxy_set_header x-forwarded-host $http_host;
+    proxy_set_header x-forwarded-uri $request_uri;
+}
+
+# virtual location for tinyauth 401 redirects
+location @tinyauth_login {
+    internal;
+
+    ## Set the $target_url variable based on the original request
+    set_escape_uri $target_url $scheme://$http_host$request_uri;
+    
+    ## Set the $signin_url variable
+    set $domain $host;
+    if ($host ~* "^[^.]+\.([^.]+\..+)$") {
+        set $domain $1;
+    }
+    set $signin_url https://tinyauth.$domain/login?redirect_uri=$target_url;
+
+    ## Redirect to login
+    return 302 $signin_url;
+}

root/etc/crontabs/root

@@ -1,9 +1,8 @@
-# do daily/weekly/monthly maintenance
 # min   hour    day     month   weekday command
 */15    *       *       *       *       run-parts /etc/periodic/15min
 0       *       *       *       *       run-parts /etc/periodic/hourly
 0       2       *       *       *       run-parts /etc/periodic/daily
 0       3       *       *       6       run-parts /etc/periodic/weekly
 0       5       1       *       *       run-parts /etc/periodic/monthly
-# renew letsencrypt certs
+
-8       2       *       *       *       /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1
+8       2       *       *       *       /app/le-renew.sh >> /config/log/letsencrypt/renewal.log 2>&1

root/etc/s6-overlay/s6-rc.d/init-certbot-config/run

@@ -23,19 +23,51 @@ for i in "${SANED_VARS[@]}"; do
     export echo "${i}"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
 done
 
+# Check for and install requested DNS plugins
+if grep -q "universal-package-install" <<< "${DOCKER_MODS}" && grep -q "certbot-dns" <<< "${INSTALL_PIP_PACKAGES}"; then
+    echo "**** Installing requested dns plugins ****"
+    /etc/s6-overlay/s6-rc.d/init-mod-universal-package-install-add-package/run
+    /etc/s6-overlay/s6-rc.d/init-mods-package-install/run
+fi
+
 # check to make sure DNSPLUGIN is selected if dns validation is used
-if [[ "${VALIDATION}" = "dns" ]] && [[ ! "${DNSPLUGIN}" =~ ^(acmedns|aliyun|azure|cloudflare|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|do|domeneshop|duckdns|dynu|gandi|gehirn|godaddy|google|google-domains|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|porkbun|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then
+CERTBOT_DNS_AUTHENTICATORS=$(certbot plugins --authenticators 2>/dev/null | sed -e 's/^Entry point: EntryPoint(name='\''cpanel'\''/Entry point: EntryPoint(name='\''dns-cpanel'\''/' -e '/EntryPoint(name='\''dns-/!d' -e 's/^Entry point: EntryPoint(name='\''dns-\([^ ]*\)'\'',/\1/' | sort)
-    echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details."
+if [[ "${VALIDATION}" = "dns" ]] && ! echo "${CERTBOT_DNS_AUTHENTICATORS}" | grep -q "${DNSPLUGIN}"; then
+    echo "Please set the DNSPLUGIN variable to one of the following:"
+    echo "${CERTBOT_DNS_AUTHENTICATORS}"
     sleep infinity
 fi
 
+# set_ini_value logic:
+# - if the name is not found in the file, append the name=value to the end of the file
+# - if the name is found in the file, replace the value
+# - if the name is found in the file but commented out, uncomment the line and replace the value
+# call set_ini_value with parameters: $1=name $2=value $3=file
+function set_ini_value() {
+    name=${1//\//\\/}
+    value=${2//\//\\/}
+    sed -i \
+        -e '/^#\?\(\s*'"${name}"'\s*=\s*\).*/{s//\1'"${value}"'/;:a;n;ba;q}' \
+        -e '$a'"${name}"'='"${value}" "${3}"
+}
+
+# ensure config files exist and has at least one value set (set_ini_value does not work on empty files)
+touch /config/etc/letsencrypt/cli.ini
+lsiown abc:abc /config/etc/letsencrypt/cli.ini
+grep -qF 'agree-tos' /config/etc/letsencrypt/cli.ini || echo 'agree-tos=true' >>/config/etc/letsencrypt/cli.ini
+
+# Check for broken dns credentials value in cli.ini and remove
+sed -i '/dns--credentials/d' /config/etc/letsencrypt/cli.ini
+
+# Disable Certbot's built in log rotation
+set_ini_value "max-log-backups" "0" /config/etc/letsencrypt/cli.ini
+
 # copy dns default configs
-cp -n /defaults/dns-conf/* /config/dns-conf/
+cp -n /defaults/dns-conf/* /config/dns-conf/ 2> >(grep -v 'cp: not replacing')
 lsiown -R abc:abc /config/dns-conf
 
 # copy default renewal hooks
-chmod -R +x /defaults/etc/letsencrypt/renewal-hooks
+cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/ 2> >(grep -v 'cp: not replacing')
-cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/
 lsiown -R abc:abc /config/etc/letsencrypt/renewal-hooks
 
 # replace nginx service location in renewal hooks
@@ -142,8 +174,8 @@ else
 fi
 
 # cleanup unused csr and keys folders
-rm -rf /etc/letsencrypt/csr
+rm -rf /config/etc/letsencrypt/csr
-rm -rf /etc/letsencrypt/keys
+rm -rf /config/etc/letsencrypt/keys
 
 # checking for changes in cert variables, revoking certs if necessary
 if [[ ! "${URL}" = "${ORIGURL}" ]] ||
@@ -156,22 +188,17 @@ if [[ ! "${URL}" = "${ORIGURL}" ]] ||
     [[ ! "${STAGING}" = "${ORIGSTAGING}" ]] ||
     [[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]]; then
     echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
-    if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]] && [[ -n "${ORIGEMAIL}" ]]; then
+    if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]]; then
-        REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${ORIGEMAIL}")
+        REV_ACMESERVER=("https://acme.zerossl.com/v2/DV90")
-        REV_ZEROSSL_EAB_KID=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
-        REV_ZEROSSL_EAB_HMAC_KEY=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
-        if [[ -z "${REV_ZEROSSL_EAB_KID}" ]] || [[ -z "${REV_ZEROSSL_EAB_HMAC_KEY}" ]]; then
-            echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
-            sleep infinity
-        fi
-        REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}"
     elif [[ "${ORIGSTAGING}" = "true" ]]; then
-        REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
+        REV_ACMESERVER=("https://acme-staging-v02.api.letsencrypt.org/directory")
     else
-        REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
+        REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
     fi
     if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
-        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER} || true
+        certbot revoke --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --key-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/privkey.pem --server "${REV_ACMESERVER[@]}" || true
+    else
+        certbot revoke --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
     fi
     rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
 fi
@@ -182,9 +209,11 @@ echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS
 # Check if the cert is using the old LE root cert, revoke and regen if necessary
 if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "letsencrypt" ]] || [[ "${CERTPROVIDER}" == "" ]]; } && [[ "${STAGING}" != "true" ]] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
     echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
-    REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
+    REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
     if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
-        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER} || true
+        certbot revoke --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true
+    else
+        certbot revoke --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
     fi
     rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
 fi
@@ -208,52 +237,51 @@ else
     ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
 fi
 
-# figuring out url only vs url & subdomains vs subdomains only
+set_ini_value "server" "${ACMESERVER}" /config/etc/letsencrypt/cli.ini
+
+# figuring out domain only vs domain & subdomains vs subdomains only
+DOMAINS_ARRAY=()
+if [[ -z "${SUBDOMAINS}" ]] || [[ "${ONLY_SUBDOMAINS}" != true ]]; then
+    DOMAINS_ARRAY+=("${URL}")
+fi
 if [[ -n "${SUBDOMAINS}" ]]; then
     echo "SUBDOMAINS entered, processing"
+    SUBDOMAINS_ARRAY=()
     if [[ "${SUBDOMAINS}" = "wildcard" ]]; then
-        if [[ "${ONLY_SUBDOMAINS}" = true ]]; then
+        SUBDOMAINS_ARRAY+=("*.${URL}")
-            export URL_REAL="-d *.${URL}"
+        echo "Wildcard cert for ${URL} will be requested"
-            echo "Wildcard cert for only the subdomains of ${URL} will be requested"
-        else
-            export URL_REAL="-d *.${URL} -d ${URL}"
-            echo "Wildcard cert for ${URL} will be requested"
-        fi
     else
-        echo "SUBDOMAINS entered, processing"
         for job in $(echo "${SUBDOMAINS}" | tr "," " "); do
-            export SUBDOMAINS_REAL="${SUBDOMAINS_REAL} -d ${job}.${URL}"
+            SUBDOMAINS_ARRAY+=("${job}.${URL}")
         done
-        if [[ "${ONLY_SUBDOMAINS}" = true ]]; then
+        echo "Sub-domains processed are: $(echo "${SUBDOMAINS_ARRAY[*]}" | tr " " ",")"
-            URL_REAL="${SUBDOMAINS_REAL}"
-            echo "Only subdomains, no URL in cert"
-        else
-            URL_REAL="-d ${URL}${SUBDOMAINS_REAL}"
-        fi
-        echo "Sub-domains processed are: ${SUBDOMAINS_REAL}"
     fi
-else
+    DOMAINS_ARRAY+=("${SUBDOMAINS_ARRAY[@]}")
-    echo "No subdomains defined"
-    URL_REAL="-d ${URL}"
 fi
 
 # add extra domains
 if [[ -n "${EXTRA_DOMAINS}" ]]; then
     echo "EXTRA_DOMAINS entered, processing"
+    EXTRA_DOMAINS_ARRAY=()
     for job in $(echo "${EXTRA_DOMAINS}" | tr "," " "); do
-        export EXTRA_DOMAINS_REAL="${EXTRA_DOMAINS_REAL} -d ${job}"
+        EXTRA_DOMAINS_ARRAY+=("${job}")
     done
-    echo "Extra domains processed are: ${EXTRA_DOMAINS_REAL}"
+    echo "Extra domains processed are: $(echo "${EXTRA_DOMAINS_ARRAY[*]}" | tr " " ",")"
-    URL_REAL="${URL_REAL} ${EXTRA_DOMAINS_REAL}"
+    DOMAINS_ARRAY+=("${EXTRA_DOMAINS_ARRAY[@]}")
 fi
 
+# setting domains in cli.ini
+set_ini_value "domains" "$(echo "${DOMAINS_ARRAY[*]}" | tr " " ",")" /config/etc/letsencrypt/cli.ini
+
 # figuring out whether to use e-mail and which
 if [[ ${EMAIL} == *@* ]]; then
     echo "E-mail address entered: ${EMAIL}"
-    EMAILPARAM="-m ${EMAIL} --no-eff-email"
+    set_ini_value "email" "${EMAIL}" /config/etc/letsencrypt/cli.ini
+    set_ini_value "no-eff-email" "true" /config/etc/letsencrypt/cli.ini
+    set_ini_value "register-unsafely-without-email" "false" /config/etc/letsencrypt/cli.ini
 else
     echo "No e-mail address entered or address invalid"
-    EMAILPARAM="--register-unsafely-without-email"
+    set_ini_value "register-unsafely-without-email" "true" /config/etc/letsencrypt/cli.ini
 fi
 
 # alter extension for error message
@@ -265,37 +293,41 @@ fi
 
 # setting the validation method to use
 if [[ "${VALIDATION}" = "dns" ]]; then
-    AUTHENTICATORPARAM="--authenticator dns-${DNSPLUGIN}"
+    set_ini_value "preferred-challenges" "dns" /config/etc/letsencrypt/cli.ini
-    DNSCREDENTIALSPARAM="--dns-${DNSPLUGIN}-credentials ${DNSCREDENTIALFILE}"
+    set_ini_value "authenticator" "dns-${DNSPLUGIN}" /config/etc/letsencrypt/cli.ini
-    if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+    set_ini_value "dns-${DNSPLUGIN}-credentials" "${DNSCREDENTIALFILE}" /config/etc/letsencrypt/cli.ini
+    if [[ -n "${PROPAGATION}" ]]; then set_ini_value "dns-${DNSPLUGIN}-propagation-seconds" "${PROPAGATION}" /config/etc/letsencrypt/cli.ini; fi
 
     # plugins that don't support setting credentials file
     if [[ "${DNSPLUGIN}" =~ ^(route53|standalone)$ ]]; then
-        DNSCREDENTIALSPARAM=""
+        sed -i "/^dns-${DNSPLUGIN}-credentials\b/d" /config/etc/letsencrypt/cli.ini
     fi
     # plugins that don't support setting propagation
-    if [[ "${DNSPLUGIN}" =~ ^(azure|gandi|route53|standalone)$ ]]; then
+    if [[ "${DNSPLUGIN}" =~ ^(gandi|route53|standalone)$ ]]; then
         if [[ -n "${PROPAGATION}" ]]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi
-        PROPAGATIONPARAM=""
+        sed -i "/^dns-${DNSPLUGIN}-propagation-seconds\b/d" /config/etc/letsencrypt/cli.ini
     fi
     # plugins that use old parameter naming convention
     if [[ "${DNSPLUGIN}" =~ ^(cpanel)$ ]]; then
-        AUTHENTICATORPARAM="--authenticator ${DNSPLUGIN}"
+        sed -i "/^dns-${DNSPLUGIN}-credentials\b/d" /config/etc/letsencrypt/cli.ini
-        DNSCREDENTIALSPARAM="--${DNSPLUGIN}-credentials ${DNSCREDENTIALFILE}"
+        sed -i "/^dns-${DNSPLUGIN}-propagation-seconds\b/d" /config/etc/letsencrypt/cli.ini
-        if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+        set_ini_value "authenticator" "${DNSPLUGIN}" /config/etc/letsencrypt/cli.ini
+        set_ini_value "${DNSPLUGIN}-credentials" "${DNSCREDENTIALFILE}" /config/etc/letsencrypt/cli.ini
+        if [[ -n "${PROPAGATION}" ]]; then set_ini_value "${DNSPLUGIN}-propagation-seconds" "${PROPAGATION}" /config/etc/letsencrypt/cli.ini; fi
     fi
     # don't restore txt records when using DuckDNS plugin
     if [[ "${DNSPLUGIN}" =~ ^(duckdns)$ ]]; then
-        AUTHENTICATORPARAM="${AUTHENTICATORPARAM} --dns-${DNSPLUGIN}-no-txt-restore"
+        set_ini_value "dns-${DNSPLUGIN}-no-txt-restore" "true" /config/etc/letsencrypt/cli.ini
     fi
 
-    PREFCHAL="${AUTHENTICATORPARAM} ${DNSCREDENTIALSPARAM} ${PROPAGATIONPARAM}"
     echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
 elif [[ "${VALIDATION}" = "tls-sni" ]]; then
-    PREFCHAL="--standalone --preferred-challenges http"
+    set_ini_value "preferred-challenges" "http" /config/etc/letsencrypt/cli.ini
+    set_ini_value "authenticator" "standalone" /config/etc/letsencrypt/cli.ini
     echo "*****tls-sni validation has been deprecated, attempting http validation instead"
 else
-    PREFCHAL="--standalone --preferred-challenges http"
+    set_ini_value "preferred-challenges" "http" /config/etc/letsencrypt/cli.ini
+    set_ini_value "authenticator" "standalone" /config/etc/letsencrypt/cli.ini
     echo "http validation is selected"
 fi
 
@@ -304,17 +336,17 @@ if [[ ! -f "/config/keys/letsencrypt/fullchain.pem" ]]; then
     if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then
         echo "Retrieving EAB from ZeroSSL"
         EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${EMAIL}")
-        ZEROSSL_EAB_KID=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
+        ZEROSSL_EAB_KID=$(echo "${EAB_CREDS}" | jq .eab_kid)
-        ZEROSSL_EAB_HMAC_KEY=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
+        ZEROSSL_EAB_HMAC_KEY=$(echo "${EAB_CREDS}" | jq .eab_hmac_key)
         if [[ -z "${ZEROSSL_EAB_KID}" ]] || [[ -z "${ZEROSSL_EAB_HMAC_KEY}" ]]; then
             echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
             sleep infinity
         fi
-        ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}"
+        set_ini_value "eab-kid" "${ZEROSSL_EAB_KID}" /config/etc/letsencrypt/cli.ini
+        set_ini_value "eab-hmac-key" "${ZEROSSL_EAB_HMAC_KEY}" /config/etc/letsencrypt/cli.ini
     fi
     echo "Generating new certificate"
-    # shellcheck disable=SC2086
+    certbot certonly --config-dir /config/etc/letsencrypt --logs-dir /config/log/letsencrypt --work-dir /tmp/letsencrypt --config /config/etc/letsencrypt/cli.ini --non-interactive --renew-by-default
-    certbot certonly --non-interactive --renew-by-default --server ${ACMESERVER} ${ZEROSSL_EAB} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${URL_REAL}
     if [[ ! -d /config/keys/letsencrypt ]]; then
         if [[ "${VALIDATION}" = "dns" ]]; then
             echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the ${DNSCREDENTIALFILE} file."

root/etc/s6-overlay/s6-rc.d/init-crontabs-config/run

@@ -1,38 +0,0 @@
-#!/usr/bin/with-contenv bash
-# shellcheck shell=bash
-
-# make folders
-mkdir -p \
-    /config/crontabs
-
-## root
-# if crontabs do not exist in config
-if [[ ! -f /config/crontabs/root ]]; then
-    # copy crontab from system
-    if crontab -l -u root; then
-        crontab -l -u root >/config/crontabs/root
-    fi
-
-    # if crontabs still do not exist in config (were not copied from system)
-    # copy crontab from included defaults (using -n, do not overwrite an existing file)
-    cp -n /etc/crontabs/root /config/crontabs/
-fi
-# set permissions and import user crontabs
-lsiown root:root /config/crontabs/root
-crontab -u root /config/crontabs/root
-
-## abc
-# if crontabs do not exist in config
-if [[ ! -f /config/crontabs/abc ]]; then
-    # copy crontab from system
-    if crontab -l -u abc; then
-        crontab -l -u abc >/config/crontabs/abc
-    fi
-
-    # if crontabs still do not exist in config (were not copied from system)
-    # copy crontab from included defaults (using -n, do not overwrite an existing file)
-    cp -n /etc/crontabs/abc /config/crontabs/
-fi
-# set permissions and import user crontabs
-lsiown abc:abc /config/crontabs/abc
-crontab -u abc /config/crontabs/abc

root/etc/s6-overlay/s6-rc.d/init-crontabs-config/up

@@ -1 +0,0 @@
-/etc/s6-overlay/s6-rc.d/init-crontabs-config/run

root/etc/s6-overlay/s6-rc.d/init-fail2ban-config/run

@@ -1,29 +1,40 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
 
-# copy/update the fail2ban config defaults to/in /config
+if [[ -z ${LSIO_READ_ONLY_FS} ]] && [[ -z ${LSIO_NON_ROOT_USER} ]] && [[ "${DISABLE_F2B,,}" != "true" ]]; then
-cp -R /defaults/fail2ban/filter.d /config/fail2ban/
+    if ! iptables -L &> /dev/null; then
-cp -R /defaults/fail2ban/action.d /config/fail2ban/
+        ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/iptables
-# if jail.local is missing in /config, copy default
+        ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/iptables-save
-if [[ ! -f /config/fail2ban/jail.local ]]; then
+        ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/iptables-restore
-    cp /defaults/fail2ban/jail.local /config/fail2ban/jail.local
+        ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/ip6tables
-fi
+        ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/ip6tables-save
-# Replace fail2ban config with user config
+        ln -sf /usr/sbin/xtables-legacy-multi /usr/sbin/ip6tables-restore
-if [[ -d /etc/fail2ban/filter.d ]]; then
+    fi
-    rm -rf /etc/fail2ban/filter.d
-fi
-if [[ -d /etc/fail2ban/action.d ]]; then
-    rm -rf /etc/fail2ban/action.d
-fi
-cp -R /config/fail2ban/filter.d /etc/fail2ban/
-cp -R /config/fail2ban/action.d /etc/fail2ban/
-cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/
-cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
 
-# logfiles needed by fail2ban
+    # copy/update the fail2ban config defaults to/in /config
-if [[ ! -f /config/log/nginx/error.log ]]; then
+    cp -R /defaults/fail2ban/filter.d /config/fail2ban/
-    touch /config/log/nginx/error.log
+    cp -R /defaults/fail2ban/action.d /config/fail2ban/
-fi
+    # if jail.local is missing in /config, copy default
-if [[ ! -f /config/log/nginx/access.log ]]; then
+    if [[ ! -f /config/fail2ban/jail.local ]]; then
-    touch /config/log/nginx/access.log
+        cp /defaults/fail2ban/jail.local /config/fail2ban/jail.local
+    fi
+    # Replace fail2ban config with user config
+    if [[ -d /etc/fail2ban/filter.d ]]; then
+        rm -rf /etc/fail2ban/filter.d
+    fi
+    if [[ -d /etc/fail2ban/action.d ]]; then
+        rm -rf /etc/fail2ban/action.d
+    fi
+    cp -R /config/fail2ban/filter.d /etc/fail2ban/
+    cp -R /config/fail2ban/action.d /etc/fail2ban/
+    cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/
+    cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
+
+    # logfiles needed by fail2ban
+    if [[ ! -f /config/log/nginx/error.log ]]; then
+        touch /config/log/nginx/error.log
+    fi
+    if [[ ! -f /config/log/nginx/access.log ]]; then
+        touch /config/log/nginx/access.log
+    fi
 fi

root/etc/s6-overlay/s6-rc.d/init-folders-config/up

@@ -1 +0,0 @@
-/etc/s6-overlay/s6-rc.d/init-folders-config/run

root/etc/s6-overlay/s6-rc.d/init-nginx-config/up

@@ -1 +0,0 @@
-/etc/s6-overlay/s6-rc.d/init-nginx-config/run

root/etc/s6-overlay/s6-rc.d/init-outdated-config/run

@@ -11,3 +11,9 @@ if [[ -f /config/nginx/ldap.conf ]]; then
         Ensure your configs are updated and remove /config/nginx/ldap.conf
         If you do not use this config, simply remove it."
 fi
+if grep -qrle ' /etc/letsencrypt' /config/nginx; then
+    echo "    The following nginx confs are using certificates from the obsolete location
+    /etc/letsencrypt and should be updated to point to /config/etc/letsencrypt
+        "
+    echo -n "    " && grep -rle ' /etc/letsencrypt' /config/nginx
+fi

root/etc/s6-overlay/s6-rc.d/init-permissions-config/run

@@ -2,8 +2,7 @@
 # shellcheck shell=bash
 
 # permissions
+find /config/log ! -path '/config/log/logrotate.status' -exec chmod +r {} \+
+
 lsiown -R abc:abc \
     /config
-chmod -R 0644 /etc/logrotate.d
-chmod -R +r /config/log
-chmod +x /app/le-renew.sh

root/etc/s6-overlay/s6-rc.d/init-samples-config/type

@@ -1 +0,0 @@
-oneshot

root/etc/s6-overlay/s6-rc.d/init-samples-config/up

@@ -1 +0,0 @@
-/etc/s6-overlay/s6-rc.d/init-samples-config/run

root/etc/s6-overlay/s6-rc.d/init-swag-config/run

@@ -22,6 +22,14 @@ if [[ ! -f /config/nginx/authentik-server.conf ]]; then
     cp /defaults/nginx/authentik-server.conf.sample /config/nginx/authentik-server.conf
 fi
 
+# copy tinyauth config files if they don't exist
+if [[ ! -f /config/nginx/tinyauth-location.conf ]]; then
+    cp /defaults/nginx/tinyauth-location.conf.sample /config/nginx/tinyauth-location.conf
+fi
+if [[ ! -f /config/nginx/tinyauth-server.conf ]]; then
+    cp /defaults/nginx/tinyauth-server.conf.sample /config/nginx/tinyauth-server.conf
+fi
+
 # copy old ldap config file to new location
 if [[ -f /config/nginx/ldap.conf ]] && [[ ! -f /config/nginx/ldap-server.conf ]]; then
     cp /config/nginx/ldap.conf /config/nginx/ldap-server.conf

root/etc/s6-overlay/s6-rc.d/init-swag-config/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-swag-config/run

root/etc/s6-overlay/s6-rc.d/init-swag-folders/run

@@ -3,10 +3,10 @@
 
 # make our folders and links
 mkdir -p \
-    /config/{fail2ban,crontabs,dns-conf} \
+    /config/{fail2ban,dns-conf} \
     /config/etc/letsencrypt/renewal-hooks \
     /config/log/{fail2ban,letsencrypt,nginx} \
     /config/nginx/proxy-confs \
-    /run/fail2ban
+    /run/fail2ban \
-rm -rf /etc/letsencrypt
+    /tmp/letsencrypt
-ln -s /config/etc/letsencrypt /etc/letsencrypt
+

root/etc/s6-overlay/s6-rc.d/init-swag-folders/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-swag-folders/run

root/etc/s6-overlay/s6-rc.d/init-swag-samples/run

@@ -9,5 +9,5 @@ if [[ -d /defaults/nginx/proxy-confs/ ]]; then
         -maxdepth 1 \
         -name "*.conf.sample" \
         -type f \
-        -exec cp "{}" /config/nginx/proxy-confs/ +
+        -exec cp "{}" /config/nginx/proxy-confs/ \;
 fi

root/etc/s6-overlay/s6-rc.d/init-swag-samples/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-swag-samples/run

root/etc/s6-overlay/s6-rc.d/init-test-run/run

@@ -1,7 +0,0 @@
-#!/usr/bin/with-contenv bash
-# shellcheck shell=bash
-
-# Echo init finish for test runs
-if [[ -n "${TEST_RUN}" ]]; then
-    echo '[services.d] done.'
-fi

root/etc/s6-overlay/s6-rc.d/init-test-run/type

@@ -1 +0,0 @@
-oneshot

root/etc/s6-overlay/s6-rc.d/init-test-run/up

@@ -1 +0,0 @@
-/etc/s6-overlay/s6-rc.d/init-test-run/run

root/etc/s6-overlay/s6-rc.d/svc-fail2ban/run

@@ -1,5 +1,9 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
 
-exec \
+if [[ -z ${LSIO_READ_ONLY_FS} ]] && [[ -z ${LSIO_NON_ROOT_USER} ]] && [[ "${DISABLE_F2B,,}" != "true" ]]; then
-    fail2ban-client -x -f start
+    exec \
+        fail2ban-client -x -f start
+else
+    sleep infinity
+fi

root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/run

@@ -0,0 +1,41 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+if [[ ${SWAG_AUTORELOAD,,} == "true" ]]; then
+    if [[ -f "/etc/s6-overlay/s6-rc.d/svc-mod-swag-auto-reload/run" ]]; then
+        echo "ERROR: Legacy SWAG Auto Reload Mod detected, to use the built-in Auto Reload functionality please remove it from your container config."
+        sleep infinity
+    else
+        echo "Auto-reload: Watching the following folders for changes to .conf files:"
+        echo "/config/nginx"
+        ACTIVE_WATCH=("/config/nginx")
+        for i in $(echo "${SWAG_AUTORELOAD_WATCHLIST}" | tr "|" " "); do
+            if [ -f "${i}" ] || [ -d "${i}" ]; then
+                echo "${i}"
+                ACTIVE_WATCH+=("${i}")
+            fi
+            done
+
+            function wait_for_changes {
+            inotifywait -rq \
+                --event modify,move,create,delete \
+                --includei '\.conf$' \
+                "${ACTIVE_WATCH[@]}"
+            }
+
+            while wait_for_changes; do
+            NGINX_CONF=()
+            if ! grep -q "/config/nginx/nginx.conf" /etc/nginx/nginx.conf; then
+                NGINX_CONF=("-c" "/config/nginx/nginx.conf")
+            fi
+            if /usr/sbin/nginx "${NGINX_CONF[@]}" -t; then
+                echo "Changes to nginx config detected and the changes are valid, reloading nginx"
+                /usr/sbin/nginx "${NGINX_CONF[@]}" -s reload
+            else
+                echo "Changes to nginx config detected but the changes are not valid, skipping nginx reload. Please fix your config."
+            fi
+        done
+    fi
+else
+    sleep infinity
+fi

root/etc/s6-overlay/s6-rc.d/svc-swag-auto-reload/type

@@ -0,0 +1 @@
+longrun

root/migrations/02-swag-old-certbot-paths

@@ -0,0 +1,7 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+# Migrate existing renewal confs with old paths from /etc/letsencrypt to /config/etc/letsencrypt
+if ls /config/etc/letsencrypt/renewal/*.conf >/dev/null 2>&1; then
+    sed -i 's| /etc/letsencrypt| /config/etc/letsencrypt|' /config/etc/letsencrypt/renewal/*.conf
+fi