initial implementation

Signed-off-by: Simon L <[email protected]>
szaimen · Oct 2, 2023 · fde5943 · fde5943
1 parent 60044a8
commit fde5943
Show file tree

Hide file tree

Showing 5 changed files with 74 additions and 101 deletions.
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -38,5 +38,5 @@ jobs:
           context: './'
           no-cache: true
           file: 'Dockerfile'
-          tags: szaimen/aio-fail2ban:${{ github.event.inputs.tagName }}
+          tags: szaimen/aio-caddy:${{ github.event.inputs.tagName }}
           provenance: false
diff --git a/Caddyfile b/Caddyfile
@@ -0,0 +1,46 @@
+{
+    auto_https disable_redirects
+
+    storage file_system {
+        root /data
+    }
+
+    log {
+        level ERROR
+    }
+}
+
+(GEOFILTER) {
+        @geofilter {
+                not maxmind_geolocation {
+                        db_path "/usr/share/GeoIP/GeoLite2-Country.mmdb"
+                        allow_countries DE
+                }
+                not remote_ip private_ranges
+        }
+        respond @geofilter 403
+}
+
+https://{$NC_DOMAIN}:443 {
+    import GEOFILTER
+    reverse_proxy nextcloud-aio-apache:{$APACHE_PORT}
+
+    # TLS options
+    tls {
+        issuer acme {
+            disable_http_challenge
+        }
+    }
+}
+
+https://bw.{$NC_DOMAIN}:443 {
+    import GEOFILTER
+    reverse_proxy nextcloud-aio-vaultarden:8812
+
+    # TLS options
+    tls {
+        issuer acme {
+            disable_http_challenge
+        }
+    }
+}
diff --git a/Dockerfile b/Dockerfile
@@ -1,15 +1,31 @@
+
+FROM golang:1.21.1-alpine3.18 as go
+
+ENV XCADDY_VERSION 0.3.5
+ENV CADDY_HASH 29233e285b83dfa070d1f6889c021cb32c161b89
+
+RUN set -ex; \
+    apk add --no-cache \
+        build-base; \
+    go install github.com/caddyserver/xcaddy/cmd/xcaddy@"$XCADDY_VERSION"; \
+    chmod +x /go/bin/xcaddy; \
+    /go/bin/xcaddy build --with github.com/porech/caddy-maxmind-geolocation@"$CADDY_HASH"
+
 FROM alpine:3.18.4
 
-# hadolint ignore=DL3018
 RUN set -ex; \
-    apk add --no-cache fail2ban tzdata util-linux-misc bash nftables ip6tables; \
-    mv /etc/fail2ban/filter.d/common.conf /tmp/; \
-    rm -r /etc/fail2ban/jail.d/*; \
-    rm -r /etc/fail2ban/filter.d/*; \
-    mv /tmp/common.conf /etc/fail2ban/filter.d/
+    apk add --no-cache shadow; \
+    deluser www-data; \
+    groupmod -g 333 xfs; \
+    usermod -u 333 -g 333 xfs; \
+    addgroup -g 33 -S www-data; \
+    adduser -u 33 -D -S -G www-data www-data; \
+    apk del shadow; \
+    apk add --no-cache tzdata util-linux-misc bash bind-tools
 
+COPY --from=go /go/bin/caddy /usr/local/bin/caddy
 COPY --chmod=775 start.sh /start.sh
+COPY --chmod=664 Caddyfile /Caddyfile
 
-# hadolint ignore=DL3002
-USER root
+USER www-data
 ENTRYPOINT [ "/start.sh" ]
diff --git a/README.md b/README.md
@@ -1,2 +1,2 @@
-# aio-fail2ban
-Fail2ban container used in https://github.com/nextcloud/all-in-one/tree/main/community-containers/fail2ban
+# aio-caddy
+Caddy container used in https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy
diff --git a/start.sh b/start.sh
@@ -1,94 +1,5 @@
 #!/bin/bash
 
-# Fix socket
-rm -f /run/fail2ban/*
 
-if ! mountpoint -q /nextcloud; then
-    echo "/nextcloud is not a mountpoint which it must be!"
-    exit 1
-fi
 
-while ! [ -f /nextcloud/data/nextcloud.log ]; do
-    echo "Waiting for /nextcloud/data/nextcloud.log to become available"
-    sleep 5
-done
-
-cat << FILTER > /etc/fail2ban/filter.d/nextcloud.conf
-[INCLUDES]
-before = common.conf
-
-[Definition]
-_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
-failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
-            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
-datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
-FILTER
-
-cat << JAIL > /etc/fail2ban/jail.d/nextcloud.local
-[nextcloud]
-enabled = true
-port = 80,443,8080,8443,3478
-protocol = tcp,udp
-filter = nextcloud
-banaction = %(banaction_allports)s
-maxretry = 3
-bantime = 14400
-findtime = 14400
-logpath = /nextcloud/data/nextcloud.log
-chain=DOCKER-USER
-JAIL
-
-if [ -f /vaultwarden/vaultwarden.log ]; then
-    echo "Configuring vaultwarden for logs"
-    # Vaultwarden conf
-    cat << BW_CONF > /etc/fail2ban/filter.d/vaultwarden.conf
-[INCLUDES]
-before = common.conf
-
-[Definition]
-failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
-ignoreregex =
-BW_CONF
-
-    # Vaultwarden jail
-    cat << BW_JAIL_CONF > /etc/fail2ban/jail.d/vaultwarden.local
-[vaultwarden]
-enabled = true
-port = 80,443,8812
-protocol = tcp,udp
-filter = vaultwarden
-banaction = %(banaction_allports)s
-logpath = /vaultwarden/vaultwarden.log
-maxretry = 3
-bantime = 14400
-findtime = 14400
-chain=DOCKER-USER
-BW_JAIL_CONF
-
-    # Vaultwarden-admin conf
-    cat << BWA_CONF > /etc/fail2ban/filter.d/vaultwarden-admin.conf
-[INCLUDES]
-before = common.conf
-
-[Definition]
-failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
-ignoreregex =
-BWA_CONF
-
-    # Vaultwarden-admin jail
-    cat << BWA_JAIL_CONF > /etc/fail2ban/jail.d/vaultwarden-admin.local
-[vaultwarden-admin]
-enabled = true
-port = 80,443,8812
-protocol = tcp,udp
-filter = vaultwarden-admin
-banaction = %(banaction_allports)s
-logpath = /vaultwarden/vaultwarden.log
-maxretry = 3
-bantime = 14400
-findtime = 14400
-chain=DOCKER-USER
-BWA_JAIL_CONF
-fi
-
-fail2ban-server -f --logtarget stderr --loglevel info 
+caddy run --config /Caddyfile