From 0debee9b0a207bd2bf4eac478a273433c90a7309 Mon Sep 17 00:00:00 2001
From: Simon L
Date: Mon, 2 Oct 2023 15:53:15 +0200
Subject: [PATCH] initial implementation

Signed-off-by: Simon L
---
 .github/workflows/docker-build.yml | 2 +-
 Caddyfile | 11 +++
 Dockerfile | 37 ++++++--
 README.md | 4 +-
 start.sh | 139 +++++++++++++----------------
 5 files changed, 106 insertions(+), 87 deletions(-)
 create mode 100644 Caddyfile

diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index b9c12bf..64d8473 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -38,5 +38,5 @@ jobs:
 context: './'
 no-cache: true
 file: 'Dockerfile'
- tags: szaimen/aio-fail2ban:${{ github.event.inputs.tagName }}
+ tags: szaimen/aio-caddy:${{ github.event.inputs.tagName }}
 provenance: false
diff --git a/Caddyfile b/Caddyfile
new file mode 100644
index 0000000..9e6f0ae
--- /dev/null
+++ b/Caddyfile
@@ -0,0 +1,11 @@
+{
+ auto_https disable_redirects
+
+ storage file_system {
+ root /data
+ }
+
+ log {
+ level ERROR
+ }
+}
diff --git a/Dockerfile b/Dockerfile
index 01456a2..474a554 100644
--- a/Dockerfile
+++ b/Dockerfile
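Review bot: The global `log { level ERROR }` at the end of the new Caddyfile drops everything below ERROR from Caddy's default logger, so the issuer's informational and warning messages about certificate obtain and renew attempts are never written, and since neither this file nor the site blocks generated by start.sh add a per-site `log`, the geofilter's 403 decisions are not recorded anywhere either. A short comment recording why the quiet level was chosen, e.g. `# ERROR only: <reason>`, would tell the operator who looks here when issuance fails that this is intentional rather than an oversight. `auto_https disable_redirects` deserves the same one-line why-comment, because the HTTP-to-HTTPS redirect it removes is behaviour users expect from Caddy by default.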
@@ -1,15 +1,38 @@
+
+FROM golang:1.21.1-alpine3.18 as go
+
+ENV XCADDY_VERSION 0.3.5
+ENV CADDY_HASH 29233e285b83dfa070d1f6889c021cb32c161b89
+
+# hadolint ignore=DL3018
+RUN set -ex; \
+ apk add --no-cache \
+ build-base; \
+ go install github.com/caddyserver/xcaddy/cmd/xcaddy@"$XCADDY_VERSION"; \
+ chmod +x /go/bin/xcaddy; \
+ /go/bin/xcaddy build --with github.com/porech/caddy-maxmind-geolocation@"$CADDY_HASH"
+
 FROM alpine:3.18.4
 # hadolint ignore=DL3018
 RUN set -ex; \
- apk add --no-cache fail2ban tzdata util-linux-misc bash nftables ip6tables; \
- mv /etc/fail2ban/filter.d/common.conf /tmp/; \
- rm -r /etc/fail2ban/jail.d/*; \
- rm -r /etc/fail2ban/filter.d/*; \
- mv /tmp/common.conf /etc/fail2ban/filter.d/
+ apk add --no-cache shadow; \
+ deluser www-data; \
+ groupmod -g 333 xfs; \
+ usermod -u 333 -g 333 xfs; \
+ addgroup -g 33 -S www-data; \
+ adduser -u 33 -D -S -G www-data www-data; \
+ apk del shadow; \
+ apk add --no-cache tzdata bash bind-tools netcat-openbsd; \
+ mkdir /data; \
+ chown 33:33 -R /data; \
+ chmod 770 -R /data
+
+VOLUME /data
+COPY --from=go /go/bin/caddy /usr/local/bin/caddy
 COPY --chmod=775 start.sh /start.sh
+COPY --chmod=664 Caddyfile /Caddyfile
-# hadolint ignore=DL3002
-USER root
+USER www-data
 ENTRYPOINT [ "/start.sh" ]
diff --git a/README.md b/README.md
index 5421962..c7faa53 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,2 @@
-# aio-fail2ban
-Fail2ban container used in https://github.com/nextcloud/all-in-one/tree/main/community-containers/fail2ban
+# aio-caddy
+Caddy container used in https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy
diff --git a/start.sh b/start.sh
index 86b8bdd..6e8b741 100644
--- a/start.sh
+++ b/start.sh
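Review bot: `COPY --chmod=664 Caddyfile /Caddyfile` near the end of the hunk leaves the file owned by root:root, yet the final `USER www-data` (uid 33) is what runs start.sh, which in the start.sh hunk of this patch appends to /Caddyfile, rewrites it with `sed -i` and runs `caddy fmt --overwrite` on it — all of which need write permission that mode 664 grants only to the root owner and group, and `sed -i` additionally has to create its temporary file in `/`. `COPY --chown=33:33 --chmod=664 Caddyfile /Caddyfile` fixes the append and the fmt, and keeping the working copy of the config under the www-data-owned /data (or another directory www-data can write to) is the cleaner fix for the in-place sed. In the go stage, `/go/bin/xcaddy build --with …` passes no Caddy version, so only the plugin commit is pinned through CADDY_HASH while the Caddy core resolves to the newest release at build time; `/go/bin/xcaddy build <caddy-version> --with github.com/porech/caddy-maxmind-geolocation@"$CADDY_HASH"` makes the build reproducible and stops the name CADDY_HASH from suggesting the core is pinned. `ENV XCADDY_VERSION 0.3.5` and the line below it use the legacy space-separated form; `ENV XCADDY_VERSION=0.3.5` is the current syntax.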
@@ -1,94 +1,79 @@
 #!/bin/bash
-# Fix socket
-rm -f /run/fail2ban/*
-
-if ! mountpoint -q /nextcloud; then
- echo "/nextcloud is not a mountpoint which it must be!"
+if ! mountpoint -q /data; then
+ echo "/data is not a mountpoint!"
 exit 1
 fi
-while ! [ -f /nextcloud/data/nextcloud.log ]; do
- echo "Waiting for /nextcloud/data/nextcloud.log to become available"
+while ! nc -z nextcloud-aio-nextcloud 9001; do
+ echo "Waiting for nextcloud to start"
 sleep 5
 done
-cat << FILTER > /etc/fail2ban/filter.d/nextcloud.conf
-[INCLUDES]
-before = common.conf
-
-[Definition]
-_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
-failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed:
- ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error.
-datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
-FILTER
+set -x
+# Reset the file
+sed -i "/(GEOFILTER)/,$ d" /Cadddyfile
-cat << JAIL > /etc/fail2ban/jail.d/nextcloud.local
-[nextcloud]
-enabled = true
-port = 80,443,8080,8443,3478
-protocol = tcp,udp
-filter = nextcloud
-banaction = %(banaction_allports)s
-maxretry = 3
-bantime = 14400
-findtime = 14400
-logpath = /nextcloud/data/nextcloud.log
-chain=DOCKER-USER
-JAIL
+ALLOW_CONTRIES="$(head -n 1 filename /nextcloud/admin/files/nextcloud-aio-caddy/allowed-countries.txt)"
+if echo "$ALLOW_CONTRIES" | grep -q '^[A-Z ]\+$'; then
+ FILTER_SET=1
+fi
+if [ -f "/nextcloud/admin/files/nextcloud-aio-caddy/GeoLite2-Country.mmdb" ]; then
+ rm -f /data/GeoLite2-Country.mmdb
+ cp /nextcloud/admin/files/nextcloud-aio-caddy/GeoLite2-Country.mmdb /data/
+ FILE_THERE=1
+fi
-if [ -f /vaultwarden/vaultwarden.log ]; then
- echo "Configuring vaultwarden for logs"
- # Vaultwarden conf
- cat << BW_CONF > /etc/fail2ban/filter.d/vaultwarden.conf
-[INCLUDES]
-before = common.conf
+if [ "$FILTER_SET" = 1 ] && [ "$FILE_THERE" = 1 ]; then
+ cat << CADDY >> /Caddyfile
+(GEOFILTER) {
+ @geofilter {
+ not maxmind_geolocation {
+ db_path "/data/GeoLite2-Country.mmdb"
+ allow_countries $ALLOW_CONTRIES
+ }
+ not remote_ip private_ranges
+ }
+ respond @geofilter 403
+}
+CADDY
+fi
-[Definition]
-failregex = ^.*Username or password is incorrect\. Try again\. IP: \. Username:.*$
-ignoreregex =
-BW_CONF
+cat << CADDY >> /Caddyfile
+https://{\$NC_DOMAIN}:443 {
+ # import GEOFILTER
+ reverse_proxy nextcloud-aio-apache:{\$APACHE_PORT}
- # Vaultwarden jail
- cat << BW_JAIL_CONF > /etc/fail2ban/jail.d/vaultwarden.local
-[vaultwarden]
-enabled = true
-port = 80,443,8812
-protocol = tcp,udp
-filter = vaultwarden
-banaction = %(banaction_allports)s
-logpath = /vaultwarden/vaultwarden.log
-maxretry = 3
-bantime = 14400
-findtime = 14400
-chain=DOCKER-USER
-BW_JAIL_CONF
+ # TLS options
+ tls {
+ issuer acme {
+ disable_http_challenge
+ }
+ }
+}
+CADDY
- # Vaultwarden-admin conf
- cat << BWA_CONF > /etc/fail2ban/filter.d/vaultwarden-admin.conf
-[INCLUDES]
-before = common.conf
+if [ -n "$(dig A +short nextcloud-aio-vaultwarden)" ]; then
+ cat << CADDY >> /Caddyfile
+https://bw.{\$NC_DOMAIN}:443 {
+ # import GEOFILTER
+ reverse_proxy nextcloud-aio-vaultwarden:8812
-[Definition]
-failregex = ^.*Invalid admin token\. IP: .*$
-ignoreregex =
-BWA_CONF
+ # TLS options
+ tls {
+ issuer acme {
+ disable_http_challenge
+ }
+ }
+}
+CADDY
+fi
- # Vaultwarden-admin jail
- cat << BWA_JAIL_CONF > /etc/fail2ban/jail.d/vaultwarden-admin.local
-[vaultwarden-admin]
-enabled = true
-port = 80,443,8812
-protocol = tcp,udp
-filter = vaultwarden-admin
-banaction = %(banaction_allports)s
-logpath = /vaultwarden/vaultwarden.log
-maxretry = 3
-bantime = 14400
-findtime = 14400
-chain=DOCKER-USER
-BWA_JAIL_CONF
+if [ "$FILTER_SET" = 1 ] && [ "$FILE_THERE" = 1 ]; then
+ sed -i "s|# import GEOFILTER|import GEOFILTER|" /Caddyfile
 fi
+set +x
+
+caddy fmt --overwrite /Caddyfile
-fail2ban-server -f --logtarget stderr --loglevel info
+caddy run --config /Caddyfile