upgraded. Now works.

docker/Dockerfile

@@ -3,7 +3,7 @@
 
 # This file assumes that the frontend has been built using ./scripts/frontend-build
 
-FROM nginxproxymanager/nginx-full:local_certbot-node
+FROM baudneo/nginx-full:certbot-node
 
 ARG TARGETPLATFORM
 ARG BUILD_VERSION
@@ -25,7 +25,7 @@ ENV SUPPRESS_NO_CONFIG_WARNING=1 \
 
 RUN echo "fs.file-max = 65535" > /etc/sysctl.conf \
         && apt-get update \
-        && apt-get install -y --no-install-recommends jq logrotate \
+        && apt-get install -y --no-install-recommends jq logrotate gettext-base \
         && apt-get clean \
         && rm -rf /var/lib/apt/lists/*
 

docker/rootfs/etc/cont-init.d/01_perms.sh

@@ -1,7 +1,9 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
 set -e
-
+log() {
+  echo -e "${BLUE}[cont-init.d] ${RED}$(basename "$0")${CYAN}>>>${RESET} $*"
+}
 mkdir -p /data/logs
-echo "Changing ownership of /data/logs to $(id -u):$(id -g)"
+log "Changing ownership of /data/logs to $(id -u):$(id -g)"
 chown -R "$(id -u):$(id -g)" /data/logs

docker/rootfs/etc/cont-init.d/02_s6-secret-init.sh

@@ -1,10 +1,13 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 # ref: https://github.com/linuxserver/docker-baseimage-alpine/blob/master/root/etc/cont-init.d/01-envfile
-
+log() {
+  echo -e "${BLUE}[cont-init.d] ${RED}$(basename "$0")${CYAN}>>>${RESET} $*"
+}
 # in s6, environmental variables are written as text files for s6 to monitor
 # seach through full-path filenames for files ending in "__FILE"
 for FILENAME in $(find /var/run/s6/container_environment/ | grep "__FILE$"); do
-    echo "[secret-init] Evaluating ${FILENAME##*/} ..."
+    log "Evaluating ${FILENAME##*/} ..."
 
     # set SECRETFILE to the contents of the full-path textfile
     SECRETFILE=$(cat ${FILENAME})
@@ -21,9 +24,9 @@ for FILENAME in $(find /var/run/s6/container_environment/ | grep "__FILE$"); do
         # since s6 uses text files, this is effectively "export ..."
         printf $(cat ${SECRETFILE}) > ${STRIPFILE}
         # echo "[secret-init] Set ${STRIPFILE##*/} to $(cat ${STRIPFILE})"  # DEBUG - rm for prod!"
-        echo "[secret-init] Success! ${STRIPFILE##*/} set from ${FILENAME##*/}"
+        echo "Success! ${STRIPFILE##*/} set from ${FILENAME##*/}"
 
     else
-        echo "[secret-init] cannot find secret in ${FILENAME}"
+        echo "cannot find secret in ${FILENAME}"
     fi
 done

docker/rootfs/etc/cont-init.d/03_timezone.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+log() {
+    echo -e "${BLUE}[cont-init.d] ${RED}$(basename "$0")${CYAN}>>>${RESET} $*"
+}
+
+
+if [ -n "${TZ}" ]; then
+  log "Setting timezone to ${TZ}"
+    echo "${TZ}" > /etc/timezone
+    ln -sf "/usr/share/zoneinfo/${TZ}" /etc/localtime
+fi

docker/rootfs/etc/cont-init.d/80_logging-options.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+log() {
+  echo -e "${BLUE}[cont-init.d] ${RED}$(basename "$0")${CYAN}>>>${RESET} $*"
+}
+
+if [[ -f /etc/nginx/conf.d/production.conf ]]; then
+admin_log=$(grep "<ADMIN_ACCESS_LOG>" /etc/nginx/conf.d/production.conf)
+  if [[ ${ADMIN_PANEL_LOG} == "1" ]] || [[ ${ADMIN_PANEL_LOG} -eq 1 ]]; then
+    if [[ -n "${admin_log}" ]]; then
+      log "Enabling admin dashboard logging"
+      sed -i 's|<ADMIN_ACCESS_LOG>|/data/logs/admin-panel_access.log standard|' /etc/nginx/conf.d/production.conf
+      sed -i 's|<ADMIN_ERROR_LOG>|/data/logs/admin-panel_error.log warn|' /etc/nginx/conf.d/production.conf
+    fi
+  else
+    if [[ -n "${admin_log}" ]]; then
+      log "Leaving admin dashboard logging off (default behavior)"
+      sed -i 's|<ADMIN_ACCESS_LOG>|/dev/null|' /etc/nginx/conf.d/production.conf
+      sed -i 's|<ADMIN_ERROR_LOG>|/dev/null|' /etc/nginx/conf.d/production.conf
+    fi
+  fi
+fi
+
+
+default_log=$(grep "<ERROR_LOG_LEVEL>" /etc/nginx/nginx.conf)
+if [[ ${OPENRESTY_DEBUG} == "1" ]] || [[ ${OPENRESTY_DEBUG} -eq 1 ]]; then
+  if [[ -n "${default_log}" ]]; then
+    log "Changing OpenResty ERROR (fallback_error.log) logging to level: DEBUG"
+    sed -i 's|<ERROR_LOG_LEVEL>|debug|' /etc/nginx/nginx.conf
+  fi
+else
+  if [[ -n "${default_log}" ]]; then
+    log "Leaving OpenResty ERROR (fallback_error.log) logging at level: WARN (default behavior)"
+    sed -i 's|<ERROR_LOG_LEVEL>|warn|' /etc/nginx/nginx.conf
+  fi
+fi
+

docker/rootfs/etc/cont-init.d/90_mmdb.sh

@@ -0,0 +1,89 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+log() {
+  echo -e "${BLUE}[cont-init.d] ${RED}$(basename "$0")${CYAN}>>>${RESET} $*"
+}
+
+if [[ -n "${GEOLITE2_DB_GRAB}" ]]; then
+  if [[ "${GEOLITE2_DB_GRAB}" == "1" ]] || [[ "${GEOLITE2_DB_GRAB}" -eq 1 ]]; then
+    log "GeoLite2 DB Grab configured, installing/updating GeoLite2 Database's"
+    geo2="${GEOIP_DIR:-/geoip}/2"
+    mkdir -p "$geo2/tmp"
+    GEOIP2_DB_URLS=(
+      "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-City.mmdb"
+      "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb"
+      "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-ASN.mmdb"
+    )
+    # download new dbs and diff them, update if different
+    for db in "${GEOIP2_DB_URLS[@]}"; do
+      log "Downloading ${db##*/} from ${db%/*}..."
+      curl -s -L -o "${geo2}/tmp/${db##*/}" "$db"
+      if [ "$?" -ne 0 ]; then
+          log "Failed to download ${db##*/} from ${db%/*}!"
+          exit 1
+      fi
+
+      if [ -f "${geo2}/${db##*/}" ]; then
+          log "Diffing ${db##*/}..."
+          diff "${geo2}/${db##*/}" "${geo2}/tmp/${db##*/}"
+          if [ "$?" -eq 0 ]; then
+          log "${db##*/} is up to date..."
+          else
+          log "${db##*/} is different, updating db..."
+          mv "${geo2}/tmp/${db##*/}" "${geo2}/${db##*/}"
+          fi
+      else
+          log "${db##*/} does not exist, installing..."
+          mv "${geo2}/tmp/${db##*/}" "${geo2}/${db##*/}"
+      fi
+    done
+    rm -rf "${geo2}/tmp/"
+  fi
+fi
+
+if [[ -n "${GEOLITE_DB_GRAB}" ]]; then
+  if [ "${GEOLITE_DB_GRAB}" == "1" ] || [ "${GEOLITE2_DB_GRAB}" -eq 1 ]; then
+    log "GeoLite LEGACY DB Grab configured, downloading GeoLite LEGACY Database's"
+
+    geo1="${GEOIP_DIR:-/geoip}/1"
+    mkdir -p "$geo1"
+
+
+    # If http proxy needed
+    #https_proxy="http://foo.bar:3128"
+    export https_proxy
+    for f in $GeoIP_1_FILES; do
+      # Make sure .gz is stripped
+      f=${f%*.gz}
+      # Make sure .dat exists
+      if [[ ! "$f" =~ \.csv ]]; then f=${f%*.dat}.dat; fi
+      wget -nv -T 30 --max-redirect 0 "https://mailfud.org/geoip-legacy/$f.gz"
+      RET=$?
+      if [ $RET -ne 0 ]; then
+          log "wget $f.gz failed: $RET" >&2
+          continue
+      fi
+      # Unpack and replace files atomically
+      if gzip -dc "$f.gz" >"$f.tmp"; then
+          if [[ -f "${geo1}/${f}" ]]; then
+              if ! diff "${geo1}/${f}" "$f".tmp >/dev/null 2>&1; then
+                  log "${geo1}/${f} is different, updating db..."
+                  chmod 644 "$f.tmp"
+                  /bin/mv -f "$f.tmp" "${geo1}/${f}"
+              else
+                  log "${geo1}/${f} is up to date..."
+              fi
+          else
+              log "${geo1}/${f} does not exist, installing..."
+              chmod 644 "$f.tmp"
+              /bin/mv -f "$f.tmp" "${geo1}/${f}"
+          fi
+      else
+          log "gunzip $f failed" >&2
+          rm -f "$f.gz"
+      fi
+      rm -f "$f.tmp"
+    done
+  fi
+fi

docker/rootfs/etc/cont-init.d/97_modsecurity.sh

@@ -5,11 +5,14 @@ set -e # Exit immediately if a command exits with a non-zero status.
 set -u # Treat unset variables as an error.
 
 log() {
-  echo "[cont-init.d] $(basename "$0"): $*"
+  echo -e "${BLUE}[cont-init.d] ${RED}$(basename "$0")${CYAN}>>>${RESET} $*"
 }
 
 mkdir -p /data/modsec/ruleset
-ln -s /data/modsec/ /etc/nginx
+if [ ! -L /etc/nginx/modsec ]; then
+  log "Symbolically Linking /data/modsec into /etc/nginx"
+  ln -s /data/modsec/ /etc/nginx
+fi
 
 [ ! -f /data/modsec/main.conf ] && MODSEC_CREATE="1"
 
@@ -20,7 +23,11 @@ if [ "${MODSEC_CREATE}" == "1" ] || [ "${MODSEC_CREATE}" -eq 1 ]; then
   cp /usr/local/modsecurity/templates/unicode.mapping /data/modsec/unicode.mapping
   cp -r /usr/local/modsecurity/templates/* /data/modsec/
   cp -r /usr/local/modsecurity/templates/ruleset/* /data/modsec/ruleset/
-  mv /data/modsec/ruleset/crs-setup.conf.example /data/modsec/ruleset/crs-setup.conf
+  if [ -f /data/modsec/ruleset/crs-setup.conf.example ]; then
+    mv /data/modsec/ruleset/crs-setup.conf.example /data/modsec/ruleset/crs-setup.conf
+  elif [ -f /data/modsec/ruleset/crs-setup.conf ]; then
+    mv /data/modsec/ruleset/crs-setup.conf /data/modsec/ruleset/crs-setup.conf
+  fi
 fi
 
 # Enable modsecurity in the server block of :80 and :443

docker/rootfs/etc/cont-init.d/98_crowdsec-upgrade-init.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+# Update CrowdSec OpenResty bouncer, allows for overriding the 99 init file and crowdsec_openresty.conf
+
+log() {
+  echo -e "${BLUE}[cont-init.d] ${RED}$(basename "$0")${CYAN}>>>${RESET} $*"
+}
+
+if [ -n "${CROWDSEC_UPDATE_DIR}" ]; then
+  mkdir -p "${CROWDSEC_UPDATE_DIR:-/cs-update}"
+  log "Evaluating Crowdsec update files located at ${CROWDSEC_UPDATE_DIR}"
+
+  for entry in "${CROWDSEC_UPDATE_DIR}"/*; do
+    if [[ "$entry" == "$CROWDSEC_UPDATE_DIR"'/*' ]]; then
+      log "Nothing found in the upgrade directory, using current release"
+      break
+    fi
+    basepath_=${entry##*/}
+    ext_=${entry##*.}
+    dest_="/etc/nginx/lualib/"
+    type_=""
+    succ=0
+    log_msg=""
+    # File
+    if [[ -f "$entry" ]]; then
+      type_="file"
+      [[ $ext_ == "lua" ]] && succ=1
+      [[ $basepath_ == "crowdsec_openresty.conf" ]] && dest_="/etc/nginx/conf.d/" && succ=1
+      [[ $basepath_ == "99_crowdsec-openresty-bouncer.sh" ]] && dest_="/etc/cont-init.d/" && succ=1
+    # Directory
+    elif [[ -d "$entry" ]]; then
+      type_="directory"
+      [[ $basepath_ == "plugins" ]] && succ=1
+    else
+      log "IDK WTF MAN, its not a file or a directory?"
+      continue
+    fi
+#      log "Found ${type_}: $entry | extension: $ext_ | success: $succ | basepath: $basepath_"
+    log_msg="UPGRADED! Copied '$type_' $entry to $dest_"
+    if [[ "${succ}" -eq 2 ]]; then
+      cp '-r' "${entry}" "${dest_}"
+    elif [[ "${succ}" -eq 1 ]]; then
+      cp "${entry}" "${dest_}"
+    elif [[ "${succ}" -eq 0 ]]; then
+      log_msg="Ignoring $type_ -> $entry"
+    else
+      log_msg="ERROR> something is wrong! value: $succ should be between 0 and 2"
+    fi
+    log "$log_msg"
+  done
+fi

docker/rootfs/etc/cont-init.d/98_logging-options.sh

@@ -1,29 +0,0 @@
-#!/usr/bin/with-contenv bash
-# shellcheck shell=bash
-
-set -e # Exit immediately if a command exits with a non-zero status.
-set -u # Treat unset variables as an error.
-
-log() {
-  echo "[cont-init.d] $(basename "$0"): $*"
-}
-
-# Redirect admin panel logs from /dev/null to log files if enabled
-if [[ ${ADMIN_PANEL_LOG} == "1" ]] || [[ ${ADMIN_PANEL_LOG} -eq 1 ]]; then
-  log "Enabling admin dashboard logging"
-  sed-patch 's|<ADMIN_ACCESS_LOG>|/data/logs/admin-panel_access.log standard|' /etc/nginx/conf.d/production.conf
-  sed-patch 's|<ADMIN_ERROR_LOG>|/data/logs/admin-panel_error.log warn|' /etc/nginx/conf.d/production.conf
-else
-  log "Leaving admin dashboard logging off (default behavior)"
-  sed-patch 's|<ADMIN_ACCESS_LOG>|/dev/null|' /etc/nginx/conf.d/production.conf
-  sed-patch 's|<ADMIN_ERROR_LOG>|/dev/null|' /etc/nginx/conf.d/production.conf
-fi
-
-if [[ ${OPENRESTY_DEBUG} == "1" ]] || [[ ${OPENRESTY_DEBUG} -eq 1 ]]; then
-  log "Changing OpenResty ERROR (fallback_error.log) logging to level: DEBUG"
-  sed-patch 's|<ERROR_LOG_LEVEL>|debug|' /etc/nginx/nginx.conf
-
-else
-  log "Leaving OpenResty ERROR (fallback_error.log) logging at level: WARN (default behavior)"
-  sed-patch 's|<ERROR_LOG_LEVEL>|warn|' /etc/nginx/nginx.conf
-fi

docker/rootfs/etc/cont-init.d/99_crowdsec-openresty-bouncer.sh

@@ -5,20 +5,24 @@ set -e # Exit immediately if a command exits with a non-zero status.
 set -u # Treat unset variables as an error.
 
 log() {
-  echo "[cont-init.d] $(basename "$0"): $*"
+  echo -e "${BLUE}[cont-init.d] ${RED}$(basename "$0")${CYAN}>>>${RESET} $*"
 }
 
 if [ "${CROWDSEC_BOUNCER}" == "1" ] || [ "${CROWDSEC_BOUNCER}" -eq 1 ]; then
   log "Enabling CrowdSec OpenResty Bouncer"
   mkdir -p /data/crowdsec
-  if [ -f /data/crowdsec/crowdsec-openresty-bouncer.conf ]; then
+  if [ ! -f /data/crowdsec/crowdsec-openresty-bouncer.conf ]; then
     #Install Crowdsec Bouncer Config.
     cp /crowdsec/crowdsec-openresty-bouncer.conf.template /data/crowdsec/crowdsec-openresty-bouncer.conf
     log "Crowdsec OpenResty Bouncer Config copied to /data/crowdsec/crowdsec-openresty-bouncer.conf"
   fi
   # Create lualib plugin directory for crowdsec and move crowdsec lua libs into it
   mkdir -p /etc/nginx/lualib/plugins/crowdsec/
-  cp /crowdsec/lua/* /etc/nginx/lualib/plugins/crowdsec/
+  cp -r /crowdsec/lua/lib/* /etc/nginx/lualib/
   # This initilizes crowdsec as /etc/nginx/conf.d/* is included in nginx.conf
-  cp /crowdsec/crowdsec_openresty.conf /etc/nginx/conf.d/
+  # Fixes -> SSL_CTX_load_verify_locations("/etc/nginx/${SSL_CERTS_PATH}") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/${SSL_CERTS_PATH}','r') error:2006D080:BIO routines:BIO_new_file:no such file error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib)
+  SSL_CERTS_PATH=${SSL_CERTS_PATH} envsubst < /crowdsec/crowdsec_openresty.conf > /etc/nginx/conf.d/crowdsec_openresty.conf
+#  cp /crowdsec/crowdsec_openresty.conf /etc/nginx/conf.d/
+  else
+  log "CrowdSec OpenResty Bouncer Disabled"
 fi