diff --git a/.dockerignore b/.dockerignore
index 0fd7edb79dce4115f18ea026b5ae269f30de26a1..cdb1a82fcdcbd1acab66880791d5e5b897f920cb 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,9 +1,6 @@
 .git
-.github
 .gitignore
-docker-compose.yml
-LICENSE.md
+.github
+.gitattributes
+READMETEMPLATE.md
 README.md
-README-zh.md
-vpn.env
-vpn.env.example
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000000000000000000000000000000000000..5f150f350e1eaf55b5424950659ed429915f5dcf
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,20 @@
+# This file is globally distributed to all container image projects from
+# https://github.com/linuxserver/docker-jenkins-builder/blob/master/.editorconfig
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+end_of_line = lf
+insert_final_newline = true
+# trim_trailing_whitespace may cause unintended issues and should not be globally set true
+trim_trailing_whitespace = false
+
+[{Dockerfile*,**.yml}]
+indent_style = space
+indent_size = 2
+
+[{**.sh,root/etc/s6-overlay/s6-rc.d/**,root/etc/cont-init.d/**,root/etc/services.d/**}]
+indent_style = space
+indent_size = 4
diff --git a/.gitattributes b/.gitattributes
index c7d9f3332a950355d5a77d85000f05e6f45435ea..bdb0cabc87cf50106df6e15097dff816c8c3eb34 100644
--- a/.gitattributes
+++ b/.gitattributes
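Review bot: Dropping `vpn.env` and `vpn.env.example` from the ignore list means that, if either file is still present in the tree, it becomes part of the Docker build context and any broad `COPY`/`ADD` of the context would bake it into the image; the buildx workflow deleted in this same commit still checks for `vpn.env.example`, so it is not clear from here that the files are gone. Until they are removed from the repository, keeping `vpn.env` and `vpn.env.example` (or a pattern such as `*.env*`) in `.dockerignore` costs nothing. `LICENSE.md` and `docker-compose.yml` are also no longer excluded, which only affects context size and cache invalidation.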
@@ -1,34 +1,17 @@
-*.7z filter=lfs diff=lfs merge=lfs -text
-*.arrow filter=lfs diff=lfs merge=lfs -text
-*.bin filter=lfs diff=lfs merge=lfs -text
-*.bz2 filter=lfs diff=lfs merge=lfs -text
-*.ckpt filter=lfs diff=lfs merge=lfs -text
-*.ftz filter=lfs diff=lfs merge=lfs -text
-*.gz filter=lfs diff=lfs merge=lfs -text
-*.h5 filter=lfs diff=lfs merge=lfs -text
-*.joblib filter=lfs diff=lfs merge=lfs -text
-*.lfs.* filter=lfs diff=lfs merge=lfs -text
-*.mlmodel filter=lfs diff=lfs merge=lfs -text
-*.model filter=lfs diff=lfs merge=lfs -text
-*.msgpack filter=lfs diff=lfs merge=lfs -text
-*.npy filter=lfs diff=lfs merge=lfs -text
-*.npz filter=lfs diff=lfs merge=lfs -text
-*.onnx filter=lfs diff=lfs merge=lfs -text
-*.ot filter=lfs diff=lfs merge=lfs -text
-*.parquet filter=lfs diff=lfs merge=lfs -text
-*.pb filter=lfs diff=lfs merge=lfs -text
-*.pickle filter=lfs diff=lfs merge=lfs -text
-*.pkl filter=lfs diff=lfs merge=lfs -text
-*.pt filter=lfs diff=lfs merge=lfs -text
-*.pth filter=lfs diff=lfs merge=lfs -text
-*.rar filter=lfs diff=lfs merge=lfs -text
-*.safetensors filter=lfs diff=lfs merge=lfs -text
-saved_model/**/* filter=lfs diff=lfs merge=lfs -text
-*.tar.* filter=lfs diff=lfs merge=lfs -text
-*.tflite filter=lfs diff=lfs merge=lfs -text
-*.tgz filter=lfs diff=lfs merge=lfs -text
-*.wasm filter=lfs diff=lfs merge=lfs -text
-*.xz filter=lfs diff=lfs merge=lfs -text
-*.zip filter=lfs diff=lfs merge=lfs -text
-*.zst filter=lfs diff=lfs merge=lfs -text
-*tfevents* filter=lfs diff=lfs merge=lfs -text
+# Auto detect text files and perform LF normalization
+* text=auto
+
+# Custom for Visual Studio
+*.cs diff=csharp
+
+# Standard to msysgit
+*.doc diff=astextplain
+*.DOC diff=astextplain
+*.docx diff=astextplain
+*.DOCX diff=astextplain
+*.dot diff=astextplain
+*.DOT diff=astextplain
+*.pdf diff=astextplain
+*.PDF diff=astextplain
+*.rtf diff=astextplain
+*.RTF diff=astextplain
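Review bot: The removed `filter=lfs` rules are what make Git turn LFS pointers back into real content, so any file matching those patterns that was committed through LFS (a `*.gz` or `*.zip` under the old rules, for example) would check out as a pointer stub once this change lands. Before merging, confirm with `git lfs ls-files` that nothing is tracked under them, or migrate those objects back into plain Git in the same commit. Adding `* text=auto` also renormalizes line endings the next time each file is touched, which can show up as whole-file diffs unrelated to the change being made; a one-off `git add --renormalize .` in a follow-up commit keeps that noise out of later reviews.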
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
new file mode 100644
index 0000000000000000000000000000000000000000..10f550880cc9cef54a893f182f619c64a97b5923
--- /dev/null
+++ b/.github/CONTRIBUTING.md
@@ -0,0 +1,123 @@ +# Contributing to openssh-server + +## Gotchas + +* While contributing make sure to make all your changes before creating a Pull Request, as our pipeline builds each commit after the PR is open. +* Read, and fill the Pull Request template + * If this is a fix for a typo (in code, documentation, or the README) please file an issue and let us sort it out. We do not need a PR + * If the PR is addressing an existing issue include, closes #\, in the body of the PR commit message +* If you want to discuss changes, you can also bring it up in [#dev-talk](https://discordapp.com/channels/354974912613449730/757585807061155840) in our [Discord server](https://discord.gg/YWrKVTn) + +## Common files + +| File | Use case | +| :----: | --- | +| `Dockerfile` | Dockerfile used to build amd64 images | +| `Dockerfile.aarch64` | Dockerfile used to build 64bit ARM architectures | +| `Dockerfile.armhf` | Dockerfile used to build 32bit ARM architectures | +| `Jenkinsfile` | This file is a product of our builder and should not be edited directly. This is used to build the image | +| `jenkins-vars.yml` | This file is used to generate the `Jenkinsfile` mentioned above, it only affects the build-process | +| `package_versions.txt` | This file is generated as a part of the build-process and should not be edited directly. It lists all the installed packages and their versions | +| `README.md` | This file is a product of our builder and should not be edited directly. This displays the readme for the repository and image registries | +| `readme-vars.yml` | This file is used to generate the `README.md` | + +## Readme + +If you would like to change our readme, please __**do not**__ directly edit the readme, as it is auto-generated on each commit. +Instead edit the [readme-vars.yml](https://github.com/linuxserver/docker-openssh-server/edit/master/readme-vars.yml). 
+ +These variables are used in a template for our [Jenkins Builder](https://github.com/linuxserver/docker-jenkins-builder) as part of an ansible play. +Most of these variables are also carried over to [docs.linuxserver.io](https://docs.linuxserver.io/images/docker-openssh-server) + +### Fixing typos or clarify the text in the readme + +There are variables for multiple parts of the readme, the most common ones are: + +| Variable | Description | +| :----: | --- | +| `project_blurb` | This is the short excerpt shown above the project logo. | +| `app_setup_block` | This is the text that shows up under "Application Setup" if enabled | + +### Parameters + +The compose and run examples are also generated from these variables. + +We have a [reference file](https://github.com/linuxserver/docker-jenkins-builder/blob/master/vars/_container-vars-blank) in our Jenkins Builder. + +These are prefixed with `param_` for required parameters, or `opt_param` for optional parameters, except for `cap_add`. +Remember to enable param, if currently disabled. This differs between parameters, and can be seen in the reference file. + +Devices, environment variables, ports and volumes expects its variables in a certain way. + +### Devices + +```yml +param_devices: + - { device_path: "/dev/dri", device_host_path: "/dev/dri", desc: "For hardware transcoding" } +opt_param_devices: + - { device_path: "/dev/dri", device_host_path: "/dev/dri", desc: "For hardware transcoding" } +``` + +### Environment variables + +```yml +param_env_vars: + - { env_var: "TZ", env_value: "Europe/London", desc: "Specify a timezone to use EG Europe/London." } +opt_param_env_vars: + - { env_var: "VERSION", env_value: "latest", desc: "Supported values are LATEST, PLEXPASS or a specific version number." 
} +``` + +### Ports + +```yml +param_ports: + - { external_port: "80", internal_port: "80", port_desc: "Application WebUI" } +opt_param_ports: + - { external_port: "80", internal_port: "80", port_desc: "Application WebUI" } +``` + +### Volumes + +```yml +param_volumes: + - { vol_path: "/config", vol_host_path: "", desc: "Configuration files." } +opt_param_volumes: + - { vol_path: "/config", vol_host_path: "", desc: "Configuration files." } +``` + +### Testing template changes + +After you make any changes to the templates, you can use our [Jenkins Builder](https://github.com/linuxserver/docker-jenkins-builder) to have the files updated from the modified templates. Please use the command found under `Running Locally` [on this page](https://github.com/linuxserver/docker-jenkins-builder/blob/master/README.md) to generate them prior to submitting a PR. + +## Dockerfiles + +We use multiple Dockerfiles in our repos, this is because sometimes some CPU architectures needs different packages to work. +If you are proposing additional packages to be added, ensure that you added the packages to all the Dockerfiles in alphabetical order. + +### Testing your changes + +```bash +git clone https://github.com/linuxserver/docker-openssh-server.git +cd docker-openssh-server +docker build \ + --no-cache \ + --pull \ + -t linuxserver/openssh-server:latest . +``` + +The ARM variants can be built on x86_64 hardware using `multiarch/qemu-user-static` + +```bash +docker run --rm --privileged multiarch/qemu-user-static:register --reset +``` + +Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64`. + +## Update the changelog + +If you are modifying the Dockerfiles or any of the startup scripts in [root](https://github.com/linuxserver/docker-openssh-server/tree/master/root), add an entry to the changelog + +```yml +changelogs: + - { date: "DD.MM.YY:", desc: "Added some love to templates" } +``` 
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 0000000000000000000000000000000000000000..7eaac771728082d8ac8292c11e3a39e1712c69a9
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,2 @@
+github: linuxserver
+open_collective: linuxserver
diff --git a/.github/ISSUE_TEMPLATE/00-bug-report.md b/.github/ISSUE_TEMPLATE/00-bug-report.md
deleted file mode 100644
index b47a8629e5725910702e27f0022e5f3fba9a07e6..0000000000000000000000000000000000000000
--- a/.github/ISSUE_TEMPLATE/00-bug-report.md
+++ /dev/null
@@ -1,48 +0,0 @@ ---- -name: Bug report -about: Tell us about a problem you are experiencing -title: '' -labels: '' -assignees: '' - ---- - -**Checklist** - -- [ ] I read the [README](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md) -- [ ] I read the [Important notes](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#important-notes) -- [ ] I followed instructions to [configure VPN clients](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#next-steps) -- [ ] I checked [IKEv1 troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#ikev1-troubleshooting), [IKEv2 troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#ikev2-troubleshooting), [enabled logs](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#enable-libreswan-logs) and checked [VPN status](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#check-logs-and-vpn-status) -- [ ] I searched existing [Issues](https://github.com/hwdsl2/docker-ipsec-vpn-server/issues?q=is%3Aissue) -- [ ] This bug is about the IPsec VPN server Docker image, and not IPsec VPN itself - - - -**Describe the issue** -A clear and concise description of what the bug is. - -**To Reproduce** -Steps to reproduce the behavior: - -1. ... -2. ... - -**Expected behavior** -A clear and concise description of what you expected to happen. - -**Logs** -[Enable logs](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#enable-libreswan-logs), check [VPN status](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#check-logs-and-vpn-status), and add error logs to help explain the problem, if applicable. - -**Server (please complete the following information)** -- Docker host OS: [e.g. Ubuntu 20.04] -- Hosting provider (if applicable): [e.g. 
GCP, AWS] - -**Client (please complete the following information)** -- Device: [e.g. iPhone 12] -- OS: [e.g. iOS 15] -- VPN mode: [IPsec/L2TP, IPsec/XAuth ("Cisco IPsec") or IKEv2] - -**Additional context** -Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/10-bug-report-zh.md b/.github/ISSUE_TEMPLATE/10-bug-report-zh.md deleted file mode 100644 index ee30a150dedc0a15ec0d1665502f99352c040c01..0000000000000000000000000000000000000000 --- a/.github/ISSUE_TEMPLATE/10-bug-report-zh.md +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -name: 错误报告 -about: 请使用这个模板来提交 bug -title: '' -labels: '' -assignees: '' - ---- - -**任务列表** - -- [ ] 我已阅读 [自述文件](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) -- [ ] 我已阅读 [重要提示](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#重要提示) -- [ ] 我已按照说明 [配置 VPN 客户端](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#下一步) -- [ ] 我检查了 [IKEv1 故障排除](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#ikev1-故障排除),[IKEv2 故障排除](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md#ikev2-故障排除),[启用日志](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage-zh.md#启用-libreswan-日志) 并查看了 [VPN 状态](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#检查日志及-vpn-状态) -- [ ] 我搜索了已有的 [Issues](https://github.com/hwdsl2/docker-ipsec-vpn-server/issues?q=is%3Aissue) -- [ ] 这个 bug 是关于 IPsec VPN 服务器 Docker 镜像,而不是 IPsec VPN 本身 - - - -**问题描述** -使用清楚简明的语言描述这个 bug。 - -**重现步骤** -重现该 bug 的步骤: - -1. ... -2. ... - -**期待的正确结果** -简要地描述你期望的正确结果。 - -**日志** -[启用日志](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage-zh.md#启用-libreswan-日志),检查 [VPN 状态](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#检查日志及-vpn-状态),并且添加错误日志以帮助解释该问题(如果适用)。 - -**服务器信息(请填写以下信息)** -- Docker 主机操作系统: [比如 Ubuntu 20.04] -- 服务提供商(如果适用): [比如 GCP, AWS] - -**客户端信息(请填写以下信息)** -- 设备: [比如 iPhone 12] -- 操作系统: [比如 iOS 15] -- VPN 模式: [IPsec/L2TP, IPsec/XAuth ("Cisco IPsec") 或 IKEv2] - -**其它信息** -添加关于该 bug 的其它信息。 diff --git a/.github/ISSUE_TEMPLATE/20-enhancement-request.md b/.github/ISSUE_TEMPLATE/20-enhancement-request.md deleted file mode 100644 index 77c408c6de662dceb81f8a21baf9eb2ddab3e20c..0000000000000000000000000000000000000000 --- a/.github/ISSUE_TEMPLATE/20-enhancement-request.md +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -name: Enhancement request -about: Suggest an improvement for this project -title: '' -labels: '' -assignees: '' - ---- - -**Checklist** - -- [ ] I searched existing [Issues](https://github.com/hwdsl2/docker-ipsec-vpn-server/issues?q=is%3Aissue), and did not find a similar enhancement request -- [ ] This enhancement request is about the IPsec VPN server Docker image, and not IPsec VPN itself -- [ ] I read the [README](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md) -- [ ] I read the [Important notes](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#important-notes) -- [ ] I followed instructions to [configure VPN clients](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#next-steps) -- [ ] I checked [IKEv1 troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#ikev1-troubleshooting), [IKEv2 troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#ikev2-troubleshooting), [enabled logs](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#enable-libreswan-logs) and checked [VPN status](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#check-logs-and-vpn-status) - -**Describe the enhancement request** -A clear and concise description of your enhancement request. - -**Is your enhancement request related to a problem? Please describe.** -(If applicable) A clear and concise description of what the problem is. - -**Additional context** -Add any other context about the enhancement request here. diff --git a/.github/ISSUE_TEMPLATE/30-enhancement-request-zh.md b/.github/ISSUE_TEMPLATE/30-enhancement-request-zh.md deleted file mode 100644 index 05232d8174790c75bd02350140c1daa33c41cbcd..0000000000000000000000000000000000000000 --- a/.github/ISSUE_TEMPLATE/30-enhancement-request-zh.md +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -name: 改进建议 -about: 请使用这个模板来提交改进建议 -title: '' -labels: '' -assignees: '' - ---- - -**任务列表** - -- [ ] 我搜索了已有的 [Issues](https://github.com/hwdsl2/docker-ipsec-vpn-server/issues?q=is%3Aissue),没有找到类似的改进建议 -- [ ] 这个改进建议是关于 IPsec VPN 服务器 Docker 镜像,而不是 IPsec VPN 本身 -- [ ] 我已阅读 [自述文件](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) -- [ ] 我已阅读 [重要提示](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#重要提示) -- [ ] 我已按照说明 [配置 VPN 客户端](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#下一步) -- [ ] 我检查了 [IKEv1 故障排除](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#ikev1-故障排除),[IKEv2 故障排除](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md#ikev2-故障排除),[启用日志](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage-zh.md#启用-libreswan-日志) 并查看了 [VPN 状态](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#检查日志及-vpn-状态) - -**描述改进建议** -使用清楚简明的语言描述你的改进建议。 - -**你的改进建议与遇到的问题有关吗?请描述。** -(如果适用)清楚,简洁地说明问题所在。 - -**其它信息** -添加关于该改进建议的其它信息。 diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000000000000000000000000000000000000..7f296be3ee5d0e7e82005239bc90057b4dc12a72 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,13 @@ +blank_issues_enabled: false +contact_links: + - name: Discord chat support + url: https://discord.gg/YWrKVTn + about: Realtime support / chat with the community and the team. + + - name: Discourse discussion forum + url: https://discourse.linuxserver.io + about: Post on our community forum. + + - name: Documentation + url: https://docs.linuxserver.io/images/docker-openssh-server + about: Documentation - information about all of our containers. 
diff --git a/.github/ISSUE_TEMPLATE/issue.bug.yml b/.github/ISSUE_TEMPLATE/issue.bug.yml
new file mode 100644
index 0000000000000000000000000000000000000000..59a10f5696c6315b0434ca76caecbfe852a92f0f
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/issue.bug.yml
@@ -0,0 +1,77 @@ +# Based on the issue template +name: Bug report +description: Create a report to help us improve +title: "[BUG] " +labels: [Bug] +body: + - type: checkboxes + attributes: + label: Is there an existing issue for this? + description: Please search to see if an issue already exists for the bug you encountered. + options: + - label: I have searched the existing issues + required: true + - type: textarea + attributes: + label: Current Behavior + description: Tell us what happens instead of the expected behavior. + validations: + required: true + - type: textarea + attributes: + label: Expected Behavior + description: Tell us what should happen. + validations: + required: false + - type: textarea + attributes: + label: Steps To Reproduce + description: Steps to reproduce the behavior. + placeholder: | + 1. In this environment... + 2. With this config... + 3. Run '...' + 4. See error... + validations: + required: true + - type: textarea + attributes: + label: Environment + description: | + examples: + - **OS**: Ubuntu 20.04 + - **How docker service was installed**: distro's packagemanager + value: | + - OS: + - How docker service was installed: + render: markdown + validations: + required: false + - type: dropdown + attributes: + label: CPU architecture + options: + - x86-64 + - arm64 + - armhf + validations: + required: true + - type: textarea + attributes: + label: Docker creation + description: | + Command used to create docker container + Provide your docker create/run command or compose yaml snippet, or a screenshot of settings if using a gui to create the container + render: bash + validations: + required: true + - type: textarea + attributes: + description: | + Provide a full docker log, output of "docker logs linuxserver.io" + label: Container logs + placeholder: | + Output of `docker logs linuxserver.io` + render: bash + validations: + required: true 
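Review bot: The `Docker creation` and `Container logs` textareas ask reporters to paste their full `docker create`/`run` command and complete log output, and for an SSH server image those can carry credentials or key material passed as environment variables or echoed at startup; nothing in the template asks for them to be removed first. Adding one sentence to both descriptions, e.g. `Remove any passwords, keys or tokens before posting.`, is the only place a reporter will see that advice. As a point of style, the last textarea lists `description:` before `label:` while every other entry puts `label:` first; reordering it keeps the file uniform. The log placeholder also names the container `linuxserver.io`, which presumably stands in for the user's actual container name and could say so.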
diff --git a/.github/ISSUE_TEMPLATE/issue.feature.yml b/.github/ISSUE_TEMPLATE/issue.feature.yml new file mode 100644 index 0000000000000000000000000000000000000000..099dcdb5ec0b878c31483f35e8fea2bc5c06d5a7 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/issue.feature.yml @@ -0,0 +1,31 @@ +# Based on the issue template +name: Feature request +description: Suggest an idea for this project +title: "[FEAT] <title>" +labels: [enhancement] +body: + - type: checkboxes + attributes: + label: Is this a new feature request? + description: Please search to see if a feature request already exists. + options: + - label: I have searched the existing issues + required: true + - type: textarea + attributes: + label: Wanted change + description: Tell us what you want to happen. + validations: + required: true + - type: textarea + attributes: + label: Reason for change + description: Justify your request, why do you want it, what is the benefit. + validations: + required: true + - type: textarea + attributes: + label: Proposed code change + description: Do you have a potential code change in mind? + validations: + required: false diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000000000000000000000000000000000000..f0f486486e86c9ee3335761660cfe98beb21dfbb --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md 
@@ -0,0 +1,43 @@ +<!--- Provide a general summary of your changes in the Title above --> + +[linuxserverurl]: https://linuxserver.io +[![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)][linuxserverurl] + + +<!--- Before submitting a pull request please check the following --> + +<!--- If this is a fix for a typo (in code, documentation, or the README) please file an issue and let us sort it out. We do not need a PR --> +<!--- Ask yourself if this modification is something the whole userbase will benefit from, if this is a specific change for corner case functionality or plugins please look at making a Docker Mod or local script https://blog.linuxserver.io/2019/09/14/customizing-our-containers/ --> +<!--- That if the PR is addressing an existing issue include, closes #<issue number> , in the body of the PR commit message --> +<!--- You have included links to any files / patches etc your PR may be using in the body of the PR commit message --> +<!--- We maintain a changelog of major revisions to the container at the end of readme-vars.yml in the root of this repository, please add your changes there if appropriate --> + + +<!--- Coding guidelines: --> +<!--- 1. Installed packages in the Dockerfiles should be in alphabetical order --> +<!--- 2. Changes to Dockerfile should be replicated in Dockerfile.armhf and Dockerfile.aarch64 if applicable --> +<!--- 3. Indentation style (tabs vs 4 spaces vs 1 space) should match the rest of the document --> +<!--- 4. Readme is auto generated from readme-vars.yml, make your changes there --> + +------------------------------ + + - [ ] I have read the [contributing](https://github.com/linuxserver/docker-openssh-server/blob/master/.github/CONTRIBUTING.md) guideline and understand that I have made the correct modifications + +------------------------------ + +<!--- We welcome all PR’s though this doesn’t guarantee it will be accepted. 
--> + +## Description: +<!--- Describe your changes in detail --> + +## Benefits of this PR and context: +<!--- Please explain why we should accept this PR. If this fixes an outstanding bug, please reference the issue # --> + +## How Has This Been Tested? +<!--- Please describe in detail how you tested your changes. --> +<!--- Include details of your testing environment, and the tests you ran to --> +<!--- see how your change affects other areas of the code, etc. --> + + +## Source / References: +<!--- Please include any forum posts/github links relevant to the PR --> diff --git a/.github/workflows/buildx.yml b/.github/workflows/buildx.yml deleted file mode 100644 index c17c0bae98fff9a9863573b079b1788e2b0f830a..0000000000000000000000000000000000000000 --- a/.github/workflows/buildx.yml +++ /dev/null 
@@ -1,187 +0,0 @@ -# -# Copyright (C) 2020-2023 Lin Song <linsongui@gmail.com> -# -# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 -# Unported License: http://creativecommons.org/licenses/by-sa/3.0/ -# -# Attribution required: please include my name in any derivative and let me -# know how you have improved it! - -name: buildx - -on: - workflow_call: - inputs: - os_type: - required: true - type: string - secrets: - CACHE_NAME: - required: true - DOCKER_TOKEN: - required: true - QUAY_USER: - required: true - QUAY_TOKEN: - required: true - BUILD_ONLY: - required: true - -jobs: - buildx: - runs-on: ubuntu-20.04 - if: github.repository_owner == 'hwdsl2' - steps: - - uses: actions/checkout@v3 - with: - persist-credentials: false - - name: Cache - uses: actions/cache@v3 - with: - path: | - ${{ runner.temp }}/.buildx-bin - ${{ runner.temp }}/.buildx-cache - ${{ runner.temp }}/.docker-images - key: ${{ secrets.CACHE_NAME }}-${{ github.sha }}-${{ github.run_id }} - restore-keys: | - ${{ secrets.CACHE_NAME }}- - - name: Set up Buildx - env: - RUNNER_TEMP: ${{ runner.temp }} - run: | - [ ! -x /usr/bin/docker ] && exit 1 - if [ ! -x /usr/bin/wget ] || [ ! -x /usr/bin/jq ]; then - export DEBIAN_FRONTEND=noninteractive - sudo apt-get -yq update - sudo apt-get -yq install wget jq - fi - - BUILDX_VER=$(wget -t 3 -T 30 -qO- "https://api.github.com/repos/docker/buildx/releases/latest" | jq -r ".tag_name") - [ -z "${BUILDX_VER}" ] && exit 1 - echo "Buildx version: ${BUILDX_VER}" - - DOCKER_DIR="${HOME}/.docker/cli-plugins" - CACHE_DIR="${RUNNER_TEMP}/.buildx-bin" - mkdir -p "${DOCKER_DIR}" - if [ -s "${CACHE_DIR}/docker-buildx-${BUILDX_VER}" ]; then - echo "Using buildx binary from cache..." - cp -f "${CACHE_DIR}/docker-buildx-${BUILDX_VER}" "${DOCKER_DIR}/docker-buildx" - else - echo "Downloading buildx..." 
- BUILDX_URL="https://github.com/docker/buildx/releases/download/${BUILDX_VER}/buildx-${BUILDX_VER}.linux-amd64" - wget -t 3 -T 30 -nv -O "${DOCKER_DIR}/docker-buildx" "${BUILDX_URL}" - [ ! -s "${DOCKER_DIR}/docker-buildx" ] && exit 1 - /bin/rm -rf "${CACHE_DIR}" - mkdir -p "${CACHE_DIR}" - /bin/cp -f "${DOCKER_DIR}/docker-buildx" "${CACHE_DIR}/docker-buildx-${BUILDX_VER}" - fi - chmod a+x "${DOCKER_DIR}/docker-buildx" - - docker info - docker buildx version - - image_cache_dir="${RUNNER_TEMP}/.docker-images" - for image in "quay.io/hwdsl2/qemu-user-static:latest" "moby/buildkit:buildx-stable-1"; do - image_file=$(printf '%s' "${image}.tar.gz" | tr '/' '-' | tr ':' '-') - if [ -s "${image_cache_dir}/${image_file}" ]; then - echo "Using ${image} from cache..." - docker load -i "${image_cache_dir}/${image_file}" - else - echo "Downloading ${image}..." - docker pull -q "${image}" - mkdir -p "${image_cache_dir}" - docker save "${image}" | gzip > "${image_cache_dir}/${image_file}" - fi - done - - docker run --rm --privileged quay.io/hwdsl2/qemu-user-static:latest --reset -p yes --credential yes - docker buildx create --name "builder-${GITHUB_SHA::8}" --driver docker-container --use - docker buildx inspect --bootstrap - - name: Docker Hub Login - env: - DOCKER_USER: ${{ github.repository_owner }} - DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }} - run: echo "$DOCKER_TOKEN" | docker login --username "$DOCKER_USER" --password-stdin 2>&1 - - name: Quay.io Login - env: - QUAY_USER: ${{ secrets.QUAY_USER }} - QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }} - run: echo "$QUAY_TOKEN" | docker login quay.io --username "$QUAY_USER" --password-stdin 2>&1 - - name: Docker Buildx - env: - DOCKER_USER: ${{ github.repository_owner }} - BUILD_ONLY: ${{ secrets.BUILD_ONLY }} - RUNNER_TEMP: ${{ runner.temp }} - OS_TYPE: ${{ inputs.os_type }} - run: | - cd "$GITHUB_WORKSPACE" - pwd - ls -ld vpn.env.example - - [ "$BUILD_ONLY" = "true" ] && BUILD_ONLY="" - ts_now=$(date -u +'%Y-%m-%dT%H:%M:%SZ') - - if [ 
"$OS_TYPE" = "alpine" ]; then - docker buildx build \ - --progress plain \ - --platform=linux/amd64,linux/arm64,linux/arm/v7 \ - --build-arg BUILD_DATE=$ts_now \ - --build-arg VCS_REF=${GITHUB_SHA::8} \ - --build-arg VERSION=alpine-latest \ - --cache-from type=local,src="${RUNNER_TEMP}/.buildx-cache" \ - --cache-to type=local,dest="${RUNNER_TEMP}/.buildx-cache-new" \ - -t "$DOCKER_USER/ipsec-vpn-server:latest" \ - --pull \ - ${BUILD_ONLY:+--push} \ - . - - docker buildx build \ - --progress plain \ - --platform=linux/amd64,linux/arm64,linux/arm/v7 \ - --build-arg BUILD_DATE=$ts_now \ - --build-arg VCS_REF=${GITHUB_SHA::8} \ - --build-arg VERSION=alpine-latest \ - --cache-from type=local,src="${RUNNER_TEMP}/.buildx-cache-new" \ - -t "quay.io/$DOCKER_USER/ipsec-vpn-server:latest" \ - --pull \ - ${BUILD_ONLY:+--push} \ - . - elif [ "$OS_TYPE" = "debian" ]; then - docker buildx build \ - --progress plain \ - --platform=linux/amd64,linux/arm64,linux/arm/v7 \ - --build-arg BUILD_DATE=$ts_now \ - --build-arg VCS_REF=${GITHUB_SHA::8} \ - --build-arg VERSION=debian-latest \ - --cache-from type=local,src="${RUNNER_TEMP}/.buildx-cache" \ - --cache-to type=local,dest="${RUNNER_TEMP}/.buildx-cache-new" \ - -f Dockerfile.debian \ - -t "$DOCKER_USER/ipsec-vpn-server:debian" \ - --pull \ - ${BUILD_ONLY:+--push} \ - . - - docker buildx build \ - --progress plain \ - --platform=linux/amd64,linux/arm64,linux/arm/v7 \ - --build-arg BUILD_DATE=$ts_now \ - --build-arg VCS_REF=${GITHUB_SHA::8} \ - --build-arg VERSION=debian-latest \ - --cache-from type=local,src="${RUNNER_TEMP}/.buildx-cache-new" \ - -f Dockerfile.debian \ - -t "quay.io/$DOCKER_USER/ipsec-vpn-server:debian" \ - --pull \ - ${BUILD_ONLY:+--push} \ - . 
- else
- exit 1
- fi
-
- /bin/rm -rf "${RUNNER_TEMP}/.buildx-cache"
- /bin/mv -f "${RUNNER_TEMP}/.buildx-cache-new" "${RUNNER_TEMP}/.buildx-cache"
- - name: Clear
- if: always()
- run: |
- shred -u "${HOME}/.docker/config.json"
- rm -f "${HOME}/.docker/config.json"
- docker buildx rm "builder-${GITHUB_SHA::8}" || true
diff --git a/.github/workflows/call_issue_pr_tracker.yml b/.github/workflows/call_issue_pr_tracker.yml
new file mode 100644
index 0000000000000000000000000000000000000000..87243e2c4f723965f52d2dd6240a29ebf5b01902
--- /dev/null
+++ b/.github/workflows/call_issue_pr_tracker.yml
@@ -0,0 +1,14 @@
+name: Issue & PR Tracker
+
+on:
+ issues:
+ types: [opened,reopened,labeled,unlabeled]
+ pull_request_target:
+ types: [opened,reopened,review_requested,review_request_removed,labeled,unlabeled]
+
+jobs:
+ manage-project:
+ permissions:
+ issues: write
+ uses: linuxserver/github-workflows/.github/workflows/issue-pr-tracker.yml@v1
+ secrets: inherit
diff --git a/.github/workflows/call_issues_cron.yml b/.github/workflows/call_issues_cron.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c42aa42db2d0f23032b5f171c8b13a1be70f0bfb
--- /dev/null
+++ b/.github/workflows/call_issues_cron.yml
@@ -0,0 +1,13 @@
+name: Mark stale issues and pull requests
+on:
+ schedule:
+ - cron: '26 1 * * *'
+ workflow_dispatch:
+
+jobs:
+ stale:
+ permissions:
+ issues: write
+ pull-requests: write
+ uses: linuxserver/github-workflows/.github/workflows/issues-cron.yml@v1
+ secrets: inherit
diff --git a/.github/workflows/check_update.yml b/.github/workflows/check_update.yml
deleted file mode 100644
index aef079874f777f0ef107bc6886fbebfa0a6850ce..0000000000000000000000000000000000000000
--- a/.github/workflows/check_update.yml
+++ /dev/null
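Review bot: `secrets: inherit` on the `manage-project` job hands every repository secret to a reusable workflow referenced by the mutable tag `@v1`, and this job is triggered by `pull_request_target`, which runs with the base repository's permissions and secrets even for pull requests opened from forks. Pinning the reference to a full commit SHA, `uses: linuxserver/github-workflows/.github/workflows/issue-pr-tracker.yml@<commit-sha> # v1`, and replacing `secrets: inherit` with only the secrets the tracker needs would bound what a retagged or compromised release of that workflow could reach; the same `secrets: inherit` / `@v1` pattern appears in call_issues_cron.yml in this commit. The explicit `permissions` blocks already narrow the job token to `issues: write` (plus `pull-requests: write` in the cron workflow), which is the right direction; which secrets the called workflows actually require cannot be seen from here.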
@@ -1,97 +0,0 @@
-#
-# Copyright (C) 2020-2023 Lin Song <linsongui@gmail.com>
-#
-# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
-# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
-#
-# Attribution required: please include my name in any derivative and let me
-# know how you have improved it!
-
-name: check_update
-
-on:
- workflow_call:
- inputs:
- os_type:
- required: true
- type: string
- secrets:
- CACHE_NAME:
- required: true
- outputs:
- should_test:
- value: ${{ jobs.check_update.outputs.should_test }}
- should_update:
- value: ${{ jobs.check_update.outputs.should_update }}
-
-jobs:
- check_update:
- runs-on: ubuntu-20.04
- if: github.repository_owner == 'hwdsl2'
- env:
- DOCKER_USER: ${{ github.repository_owner }}
- OS_TYPE: ${{ inputs.os_type }}
- outputs:
- should_test: ${{ steps.check.outputs.should_test }}
- should_update: ${{ steps.check.outputs.should_update }}
- steps:
- - name: Cache
- uses: actions/cache@v3
- with:
- path: |
- ${{ runner.temp }}/.buildx-bin
- ${{ runner.temp }}/.buildx-cache
- ${{ runner.temp }}/.docker-images
- key: ${{ secrets.CACHE_NAME }}-${{ github.sha }}-${{ github.run_id }}-check
- restore-keys: |
- ${{ secrets.CACHE_NAME }}-
- - name: Prepare
- run: |
- if [ "$OS_TYPE" = "alpine" ]; then
- docker pull alpine:3.17
- docker pull "$DOCKER_USER/ipsec-vpn-server"
- elif [ "$OS_TYPE" = "debian" ]; then
- docker pull debian:bullseye-slim
- docker pull "$DOCKER_USER/ipsec-vpn-server:debian"
- else
- exit 1
- fi
- - name: Check
- id: check
- run: |
- BASE_UPDATED=false
-
- if [ "$OS_TYPE" = "alpine" ]; then
- base_ts=$(docker inspect --format='{{.Created}}' alpine:3.17)
- image_ts=$(docker inspect --format='{{.Created}}' "$DOCKER_USER/ipsec-vpn-server")
- elif [ "$OS_TYPE" = "debian" ]; then
- base_ts=$(docker inspect --format='{{.Created}}' debian:bullseye-slim)
- image_ts=$(docker inspect --format='{{.Created}}' "$DOCKER_USER/ipsec-vpn-server:debian")
- else
- exit 1
- fi
-
- if [ -n 
"$base_ts" ] && [ -n "$image_ts" ]; then - base_ts_s=$(date -d "$base_ts" +%s) - image_ts_s=$(date -d "$image_ts" +%s) - ts_now=$(date -u +'%Y-%m-%dT%H:%M:%SZ') - ts_now_s=$(date -d "$ts_now" +%s) - diff_s=$((ts_now_s - base_ts_s)) - diff=$(printf '%dd %dh:%dm:%ds\n' $(($diff_s/86400)) $(($diff_s%86400/3600)) $(($diff_s%3600/60)) $(($diff_s%60))) - - echo "Base update time: $base_ts" - echo "Image update time: $image_ts" - echo "Current time: $ts_now" - echo "Time diff (cur-base): $diff (${diff_s}s)" - - if [ -n "$base_ts_s" ] && [ -n "$image_ts_s" ] \ - && [ "$base_ts_s" -ge "$image_ts_s" ] \ - && [ "$diff_s" -ge 14400 ]; then - echo "Starting build..." - BASE_UPDATED=true - else - echo "Not starting build." - fi - fi - echo "should_test=${BASE_UPDATED}" >> "$GITHUB_OUTPUT" - echo "should_update=${BASE_UPDATED}" >> "$GITHUB_OUTPUT" diff --git a/.github/workflows/cron-alpine.yml b/.github/workflows/cron-alpine.yml deleted file mode 100644 index 5a1d91b26b10134d62f6f722ad2f5eb65a36d22a..0000000000000000000000000000000000000000 --- a/.github/workflows/cron-alpine.yml +++ /dev/null 
@@ -1,43 +0,0 @@
-#
-# Copyright (C) 2020-2023 Lin Song <linsongui@gmail.com>
-#
-# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
-# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
-#
-# Attribution required: please include my name in any derivative and let me
-# know how you have improved it!
-
-name: build cron
-
-on:
- schedule:
- - cron: '40 2,14 * * *'
-
-jobs:
- check_update:
- if: github.repository_owner == 'hwdsl2'
- uses: ./.github/workflows/check_update.yml
- with:
- os_type: alpine
- secrets:
- CACHE_NAME: ${{ secrets.CACHE_NAME2 }}
-
- vpn_test:
- needs: check_update
- if: needs.check_update.outputs.should_test == 'true'
- uses: ./.github/workflows/vpn_test.yml
- with:
- os_type: alpine
-
- buildx:
- needs: [check_update, vpn_test]
- if: needs.check_update.outputs.should_update == 'true'
- uses: ./.github/workflows/buildx.yml
- with:
- os_type: alpine
- secrets:
- CACHE_NAME: ${{ secrets.CACHE_NAME2 }}
- DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
- QUAY_USER: ${{ secrets.QUAY_USER }}
- QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
- BUILD_ONLY: ${{ secrets.BUILD_ONLY }}
diff --git a/.github/workflows/cron-debian.yml b/.github/workflows/cron-debian.yml
deleted file mode 100644
index c484d053005b24b654dc683e23585cd4bce09f96..0000000000000000000000000000000000000000
--- a/.github/workflows/cron-debian.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-#
-# Copyright (C) 2020-2023 Lin Song <linsongui@gmail.com>
-#
-# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
-# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
-#
-# Attribution required: please include my name in any derivative and let me
-# know how you have improved it!
-
-name: build debian cron
-
-on:
- schedule:
- - cron: '25 2,14 * * *'
-
-jobs:
- check_update:
- if: github.repository_owner == 'hwdsl2'
- uses: ./.github/workflows/check_update.yml
- with:
- os_type: debian
- secrets:
- CACHE_NAME: ${{ secrets.CACHE_NAME }}
-
- vpn_test:
- needs: check_update
- if: needs.check_update.outputs.should_test == 'true'
- uses: ./.github/workflows/vpn_test.yml
- with:
- os_type: debian
-
- buildx:
- needs: [check_update, vpn_test]
- if: needs.check_update.outputs.should_update == 'true'
- uses: ./.github/workflows/buildx.yml
- with:
- os_type: debian
- secrets:
- CACHE_NAME: ${{ secrets.CACHE_NAME }}
- DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
- QUAY_USER: ${{ secrets.QUAY_USER }}
- QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
- BUILD_ONLY: ${{ secrets.BUILD_ONLY }}
diff --git a/.github/workflows/external_trigger.yml b/.github/workflows/external_trigger.yml
new file mode 100644
index 0000000000000000000000000000000000000000..67d5922d0419c981520267e8d3e5d92fd4e63487
--- /dev/null
+++ b/.github/workflows/external_trigger.yml
@@ -0,0 +1,104 @@
+name: External Trigger Main
+
+on:
+ workflow_dispatch:
+
+jobs:
+ external-trigger-master:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3.1.0
+
+ - name: External Trigger
+ if: github.ref == 'refs/heads/master'
+ run: |
+ if [ -n "${{ secrets.PAUSE_EXTERNAL_TRIGGER_OPENSSH_SERVER_MASTER }}" ]; then
+ echo "**** Github secret PAUSE_EXTERNAL_TRIGGER_OPENSSH_SERVER_MASTER is set; skipping trigger. ****"
+ exit 0
+ fi
+ echo "**** External trigger running off of master branch. To disable this trigger, set a Github secret named \"PAUSE_EXTERNAL_TRIGGER_OPENSSH_SERVER_MASTER\". ****"
+ echo "**** Retrieving external version ****"
+ EXT_RELEASE=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \
+ && awk '/^P:'"openssh-server-pam"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://')
+ if [ -z "${EXT_RELEASE}" ] || [ "${EXT_RELEASE}" == "null" ]; then
+ echo "**** Can't retrieve external version, exiting ****"
+ FAILURE_REASON="Can't retrieve external version for openssh-server branch master"
+ GHA_TRIGGER_URL="https://github.com/linuxserver/docker-openssh-server/actions/runs/${{ github.run_id }}"
+ curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 16711680,
+ "description": "**Trigger Failed** \n**Reason:** '"${FAILURE_REASON}"' \n**Trigger URL:** '"${GHA_TRIGGER_URL}"' \n"}],
+ "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
+ exit 1
+ fi
+ EXT_RELEASE=$(echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g')
+ echo "**** External version: ${EXT_RELEASE} ****"
+ echo "**** Retrieving last pushed version ****"
+ image="linuxserver/openssh-server"
+ tag="latest"
+ token=$(curl -sX GET \
+ "https://ghcr.io/token?scope=repository%3Alinuxserver%2Fopenssh-server%3Apull" \
+ | jq -r '.token')
+ multidigest=$(curl -s \
+ --header "Accept: 
application/vnd.docker.distribution.manifest.v2+json" \
+ --header "Authorization: Bearer ${token}" \
+ "https://ghcr.io/v2/${image}/manifests/${tag}" \
+ | jq -r 'first(.manifests[].digest)')
+ digest=$(curl -s \
+ --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
+ --header "Authorization: Bearer ${token}" \
+ "https://ghcr.io/v2/${image}/manifests/${multidigest}" \
+ | jq -r '.config.digest')
+ image_info=$(curl -sL \
+ --header "Authorization: Bearer ${token}" \
+ "https://ghcr.io/v2/${image}/blobs/${digest}")
+ if [[ $(echo $image_info | jq -r '.container_config') == "null" ]]; then
+ image_info=$(echo $image_info | jq -r '.config')
+ else
+ image_info=$(echo $image_info | jq -r '.container_config')
+ fi
+ IMAGE_RELEASE=$(echo ${image_info} | jq -r '.Labels.build_version' | awk '{print $3}')
+ IMAGE_VERSION=$(echo ${IMAGE_RELEASE} | awk -F'-ls' '{print $1}')
+ if [ -z "${IMAGE_VERSION}" ]; then
+ echo "**** Can't retrieve last pushed version, exiting ****"
+ FAILURE_REASON="Can't retrieve last pushed version for openssh-server tag latest"
+ curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 16711680,
+ "description": "**Trigger Failed** \n**Reason:** '"${FAILURE_REASON}"' \n"}],
+ "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
+ exit 1
+ fi
+ echo "**** Last pushed version: ${IMAGE_VERSION} ****"
+ if [ "${EXT_RELEASE}" == "${IMAGE_VERSION}" ]; then
+ echo "**** Version ${EXT_RELEASE} already pushed, exiting ****"
+ exit 0
+ elif [[ $(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.17/main/aarch64/APKINDEX.tar.gz" | tar -xz -C /tmp && awk '/^P:'"openssh-server-pam"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://') != "${EXT_RELEASE}" ]] || [[ $(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.17/main/armv7/APKINDEX.tar.gz" | tar -xz -C /tmp && awk '/^P:'"openssh-server-pam"'$/,/V:/' 
/tmp/APKINDEX | sed -n 2p | sed 's/^V://') != "${EXT_RELEASE}" ]]; then
+ echo "**** New version ${EXT_RELEASE} found; but not all arch repos updated yet; exiting ****"
+ FAILURE_REASON="New version ${EXT_RELEASE} for openssh-server tag latest is detected, however not all arch repos are updated yet. Will try again later."
+ curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903,
+ "description": "**Trigger Failed** \n**Reason:** '"${FAILURE_REASON}"' \n"}],
+ "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
+ exit 0
+ elif [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-openssh-server/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then
+ echo "**** New version ${EXT_RELEASE} found; but there already seems to be an active build on Jenkins; exiting ****"
+ exit 0
+ else
+ echo "**** New version ${EXT_RELEASE} found; old version was ${IMAGE_VERSION}. 
Triggering new build ****"
+ response=$(curl -iX POST \
+ https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-openssh-server/job/master/buildWithParameters?PACKAGE_CHECK=false \
+ --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|")
+ echo "**** Jenkins job queue url: ${response%$'\r'} ****"
+ echo "**** Sleeping 10 seconds until job starts ****"
+ sleep 10
+ buildurl=$(curl -s "${response%$'\r'}api/json" | jq -r '.executable.url')
+ buildurl="${buildurl%$'\r'}"
+ echo "**** Jenkins job build url: ${buildurl} ****"
+ echo "**** Attempting to change the Jenkins job description ****"
+ curl -iX POST \
+ "${buildurl}submitDescription" \
+ --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \
+ --data-urlencode "description=GHA external trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
+ --data-urlencode "Submit=Submit"
+ echo "**** Notifying Discord ****"
+ TRIGGER_REASON="A version change was detected for openssh-server tag latest. Old version:${IMAGE_VERSION} New version:${EXT_RELEASE}"
+ curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903,
+ "description": "**Build Triggered** \n**Reason:** '"${TRIGGER_REASON}"' \n**Build URL:** '"${buildurl}display/redirect"' \n"}],
+ "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
+ fi
diff --git a/.github/workflows/external_trigger_scheduler.yml b/.github/workflows/external_trigger_scheduler.yml
new file mode 100644
index 0000000000000000000000000000000000000000..99a16d98ccdb2c944005dbe620a2667868d64c90
--- /dev/null
+++ b/.github/workflows/external_trigger_scheduler.yml
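Review bot: `--user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }}` on the two curl calls in the `else` branch expands the credentials into the generated step script and onto curl's argument list, where they are visible to other processes on the runner for the duration of the request and only masked, not absent, in the job log; package_trigger.yml repeats the pattern. Exposing them through the step's `env:` (`JENKINS_USER: ${{ secrets.JENKINS_USER }}`, `JENKINS_TOKEN: ${{ secrets.JENKINS_TOKEN }}`) and using `--user "${JENKINS_USER}:${JENKINS_TOKEN}"` keeps them out of the script text, and a temporary `--netrc-file` built from those variables would also keep them off argv. The Jenkins busy check `elif [ $(curl -s … | jq -r '.building') == "true" ]` leaves the substitution unquoted, so when the API is unreachable the test becomes `[ == "true" ]`, which errors out as false, and control falls through to the `else` branch that triggers a build; `[ "$(curl -s … | jq -r '.building')" == "true" ]` makes that a plain mismatch, and treating an empty answer as "unknown, exit 0" would fail closed, again also in package_trigger.yml. Finally, the three APKINDEX fetches go over plain `http://dl-cdn.alpinelinux.org` and the version is read out with awk/sed without checking the index signature, so the value that decides whether a build is triggered comes from an unauthenticated channel; switching the URLs to `https://` is the minimal improvement.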
@@ -0,0 +1,43 @@
+name: External Trigger Scheduler
+
+on:
+ schedule:
+ - cron: '01 * * * *'
+ workflow_dispatch:
+
+jobs:
+ external-trigger-scheduler:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3.1.0
+ with:
+ fetch-depth: '0'
+
+ - name: External Trigger Scheduler
+ run: |
+ echo "**** Branches found: ****"
+ git for-each-ref --format='%(refname:short)' refs/remotes
+ echo "**** Pulling the yq docker image ****"
+ docker pull ghcr.io/linuxserver/yq
+ for br in $(git for-each-ref --format='%(refname:short)' refs/remotes)
+ do
+ br=$(echo "$br" | sed 's|origin/||g')
+ echo "**** Evaluating branch ${br} ****"
+ ls_branch=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-openssh-server/${br}/jenkins-vars.yml \
+ | docker run --rm -i --entrypoint yq ghcr.io/linuxserver/yq -r .ls_branch)
+ if [ "$br" == "$ls_branch" ]; then
+ echo "**** Branch ${br} appears to be live; checking workflow. ****"
+ if curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-openssh-server/${br}/.github/workflows/external_trigger.yml > /dev/null 2>&1; then
+ echo "**** Workflow exists. Triggering external trigger workflow for branch ${br} ****."
+ curl -iX POST \
+ -H "Authorization: token ${{ secrets.CR_PAT }}" \
+ -H "Accept: application/vnd.github.v3+json" \
+ -d "{\"ref\":\"refs/heads/${br}\"}" \
+ https://api.github.com/repos/linuxserver/docker-openssh-server/actions/workflows/external_trigger.yml/dispatches
+ else
+ echo "**** Workflow doesn't exist; skipping trigger. ****"
+ fi
+ else
+ echo "**** ${br} appears to be a dev branch; skipping trigger. ****"
+ fi
+ done
diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
new file mode 100644
index 0000000000000000000000000000000000000000..63070c18bf2a9d8ded5a40f55e922913ba14111e
--- /dev/null
+++ b/.github/workflows/greetings.yml
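Review bot: `docker pull ghcr.io/linuxserver/yq` and the `docker run --rm -i --entrypoint yq ghcr.io/linuxserver/yq` inside the loop name no tag or digest, so each hourly run executes whatever the image's `latest` currently is, and its parsed `ls_branch` output decides which branches receive a dispatch authenticated with `secrets.CR_PAT`; package_trigger_scheduler.yml has the same two lines. Pinning the image by digest (`ghcr.io/linuxserver/yq@sha256:<digest>`) fixes the parser's code at review time, and `actions/checkout@v3.1.0` would likewise be safer as a commit SHA. The jenkins-vars.yml fetch also lacks the `-f` that the workflow-existence check two lines below uses, so an HTTP error body is handed to yq instead of yielding an empty `ls_branch`; adding `-f` makes the two fetches consistent.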
@@ -0,0 +1,13 @@
+name: Greetings
+
+on: [pull_request_target, issues]
+
+jobs:
+ greeting:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/first-interaction@v1
+ with:
+ issue-message: 'Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.'
+ pr-message: 'Thanks for opening this pull request! Be sure to follow the [pull request template](https://github.com/linuxserver/docker-openssh-server/blob/master/.github/PULL_REQUEST_TEMPLATE.md)!'
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/main-alpine.yml b/.github/workflows/main-alpine.yml
deleted file mode 100644
index cc50c994061c7eaa3d47d805430d679e3d2bdb77..0000000000000000000000000000000000000000
--- a/.github/workflows/main-alpine.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-#
-# Copyright (C) 2020-2023 Lin Song <linsongui@gmail.com>
-#
-# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
-# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
-#
-# Attribution required: please include my name in any derivative and let me
-# know how you have improved it!
-
-name: build
-
-on:
- push:
- branches: [master]
- paths:
- - '.github/workflows/main-alpine.yml'
- - '.github/workflows/buildx.yml'
- - '.github/workflows/shellcheck.yml'
- - '.github/workflows/vpn_test.yml'
- - '.dockerignore'
- - 'Dockerfile'
- - 'run.sh'
-
-jobs:
- shellcheck:
- if: github.repository_owner == 'hwdsl2'
- uses: ./.github/workflows/shellcheck.yml
-
- vpn_test:
- if: github.repository_owner == 'hwdsl2'
- uses: ./.github/workflows/vpn_test.yml
- with:
- os_type: alpine
-
- buildx:
- needs: [shellcheck, vpn_test]
- uses: ./.github/workflows/buildx.yml
- with:
- os_type: alpine
- secrets:
- CACHE_NAME: ${{ secrets.CACHE_NAME2 }}
- DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
- QUAY_USER: ${{ secrets.QUAY_USER }}
- QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
- BUILD_ONLY: ${{ secrets.BUILD_ONLY }}
diff --git a/.github/workflows/main-debian.yml b/.github/workflows/main-debian.yml
deleted file mode 100644
index 79aebf6447b8ad1447417c497b818b5e44122764..0000000000000000000000000000000000000000
--- a/.github/workflows/main-debian.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-#
-# Copyright (C) 2020-2023 Lin Song <linsongui@gmail.com>
-#
-# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
-# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
-#
-# Attribution required: please include my name in any derivative and let me
-# know how you have improved it!
-
-name: build debian
-
-on:
- push:
- branches: [master]
- paths:
- - '.github/workflows/main-debian.yml'
- - '.github/workflows/buildx.yml'
- - '.github/workflows/shellcheck.yml'
- - '.github/workflows/vpn_test.yml'
- - '.dockerignore'
- - 'Dockerfile.debian'
- - 'run.sh'
-
-jobs:
- shellcheck:
- if: github.repository_owner == 'hwdsl2'
- uses: ./.github/workflows/shellcheck.yml
-
- vpn_test:
- if: github.repository_owner == 'hwdsl2'
- uses: ./.github/workflows/vpn_test.yml
- with:
- os_type: debian
-
- buildx:
- needs: [shellcheck, vpn_test]
- uses: ./.github/workflows/buildx.yml
- with:
- os_type: debian
- secrets:
- CACHE_NAME: ${{ secrets.CACHE_NAME }}
- DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
- QUAY_USER: ${{ secrets.QUAY_USER }}
- QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
- BUILD_ONLY: ${{ secrets.BUILD_ONLY }}
diff --git a/.github/workflows/package_trigger.yml b/.github/workflows/package_trigger.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ce29045b58ba6c6b8b5cc72bf3cddf3dc84a46da
--- /dev/null
+++ b/.github/workflows/package_trigger.yml
@@ -0,0 +1,38 @@
+name: Package Trigger Main
+
+on:
+ workflow_dispatch:
+
+jobs:
+ package-trigger-master:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3.1.0
+
+ - name: Package Trigger
+ if: github.ref == 'refs/heads/master'
+ run: |
+ if [ -n "${{ secrets.PAUSE_PACKAGE_TRIGGER_OPENSSH_SERVER_MASTER }}" ]; then
+ echo "**** Github secret PAUSE_PACKAGE_TRIGGER_OPENSSH_SERVER_MASTER is set; skipping trigger. ****"
+ exit 0
+ fi
+ if [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-openssh-server/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then
+ echo "**** There already seems to be an active build on Jenkins; skipping package trigger ****"
+ exit 0
+ fi
+ echo "**** Package trigger running off of master branch. To disable, set a Github secret named \"PAUSE_PACKAGE_TRIGGER_OPENSSH_SERVER_MASTER\". ****"
+ response=$(curl -iX POST \
+ https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-openssh-server/job/master/buildWithParameters?PACKAGE_CHECK=true \
+ --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|")
+ echo "**** Jenkins job queue url: ${response%$'\r'} ****"
+ echo "**** Sleeping 10 seconds until job starts ****"
+ sleep 10
+ buildurl=$(curl -s "${response%$'\r'}api/json" | jq -r '.executable.url')
+ buildurl="${buildurl%$'\r'}"
+ echo "**** Jenkins job build url: ${buildurl} ****"
+ echo "**** Attempting to change the Jenkins job description ****"
+ curl -iX POST \
+ "${buildurl}submitDescription" \
+ --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \
+ --data-urlencode "description=GHA package trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
+ --data-urlencode "Submit=Submit"
diff --git a/.github/workflows/package_trigger_scheduler.yml b/.github/workflows/package_trigger_scheduler.yml
new file mode 100644
index 0000000000000000000000000000000000000000..9839faa534898621154a957a8fa9a6337534cd3b
--- /dev/null
+++ b/.github/workflows/package_trigger_scheduler.yml
@@ -0,0 +1,50 @@
+name: Package Trigger Scheduler
+
+on:
+ schedule:
+ - cron: '39 18 * * 0'
+ workflow_dispatch:
+
+jobs:
+ package-trigger-scheduler:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3.1.0
+ with:
+ fetch-depth: '0'
+
+ - name: Package Trigger Scheduler
+ run: |
+ echo "**** Branches found: ****"
+ git for-each-ref --format='%(refname:short)' refs/remotes
+ echo "**** Pulling the yq docker image ****"
+ docker pull ghcr.io/linuxserver/yq
+ for br in $(git for-each-ref --format='%(refname:short)' refs/remotes)
+ do
+ br=$(echo "$br" | sed 's|origin/||g')
+ echo "**** Evaluating branch ${br} ****"
+ ls_branch=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-openssh-server/${br}/jenkins-vars.yml \
+ | docker run --rm -i --entrypoint yq ghcr.io/linuxserver/yq -r .ls_branch)
+ if [ "${br}" == "${ls_branch}" ]; then
+ echo "**** Branch ${br} appears to be live; checking workflow. ****"
+ if curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-openssh-server/${br}/.github/workflows/package_trigger.yml > /dev/null 2>&1; then
+ echo "**** Workflow exists. Triggering package trigger workflow for branch ${br}. ****"
+ triggered_branches="${triggered_branches}${br} "
+ curl -iX POST \
+ -H "Authorization: token ${{ secrets.CR_PAT }}" \
+ -H "Accept: application/vnd.github.v3+json" \
+ -d "{\"ref\":\"refs/heads/${br}\"}" \
+ https://api.github.com/repos/linuxserver/docker-openssh-server/actions/workflows/package_trigger.yml/dispatches
+ sleep 30
+ else
+ echo "**** Workflow doesn't exist; skipping trigger. ****"
+ fi
+ else
+ echo "**** ${br} appears to be a dev branch; skipping trigger. 
****" + fi + done + echo "**** Package check build(s) triggered for branch(es): ${triggered_branches} ****" + echo "**** Notifying Discord ****" + curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903, + "description": "**Package Check Build(s) Triggered for openssh-server** \n**Branch(es):** '"${triggered_branches}"' \n**Build URL:** '"https://ci.linuxserver.io/blue/organizations/jenkins/Docker-Pipeline-Builders%2Fdocker-openssh-server/activity/"' \n"}], + "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }} diff --git a/.github/workflows/permissions.yml b/.github/workflows/permissions.yml new file mode 100644 index 0000000000000000000000000000000000000000..1447bc55a5579548a75ddd49545c333ac7bfd019 --- /dev/null +++ b/.github/workflows/permissions.yml @@ -0,0 +1,10 @@ +name: Permission check +on: + pull_request_target: + paths: + - '**/run' + - '**/finish' + - '**/check' +jobs: + permission_check: + uses: linuxserver/github-workflows/.github/workflows/init-svc-executable-permissions.yml@v1 diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml deleted file mode 100644 index cdb01f23dd5b978f28e219689f30fb90e09e97f4..0000000000000000000000000000000000000000 --- a/.github/workflows/shellcheck.yml +++ /dev/null 
@@ -1,38 +0,0 @@
-#
-# Copyright (C) 2020-2023 Lin Song <linsongui@gmail.com>
-#
-# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
-# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
-#
-# Attribution required: please include my name in any derivative and let me
-# know how you have improved it!
-
-name: shellcheck
-
-on: workflow_call
-
-jobs:
- shellcheck:
- runs-on: ubuntu-20.04
- if: github.repository_owner == 'hwdsl2'
- steps:
- - uses: actions/checkout@v3
- with:
- persist-credentials: false
- - name: Check
- run: |
- if [ ! -x /usr/bin/shellcheck ]; then
- export DEBIAN_FRONTEND=noninteractive
- sudo apt-get -yqq update
- sudo apt-get -yqq install shellcheck
- fi
-
- cd "$GITHUB_WORKSPACE"
- pwd
- ls -ld vpn.env.example
-
- export SHELLCHECK_OPTS="-e SC1090,SC1091"
- shellcheck --version
- shopt -s globstar
- ls -ld -- **/*.sh
- shellcheck **/*.sh
diff --git a/.github/workflows/vpn_test.yml b/.github/workflows/vpn_test.yml
deleted file mode 100644
index 2f472c5ee15126bb6b0b934c751206f1695ddff5..0000000000000000000000000000000000000000
--- a/.github/workflows/vpn_test.yml
+++ /dev/null
@@ -1,166 +0,0 @@
-#
-# Copyright (C) 2020-2023 Lin Song <linsongui@gmail.com>
-#
-# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
-# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
-#
-# Attribution required: please include my name in any derivative and let me
-# know how you have improved it!
-
-name: vpn_test
-
-on:
- workflow_call:
- inputs:
- os_type:
- required: true
- type: string
-
-jobs:
- vpn_test:
- runs-on: ubuntu-20.04
- if: github.repository_owner == 'hwdsl2'
- strategy:
- matrix:
- test_id: [no-env, with-env]
- fail-fast: false
- env:
- OS_TYPE: ${{ inputs.os_type }}
- TEST_ID: ${{ matrix.test_id }}
- steps:
- - uses: actions/checkout@v3
- with:
- persist-credentials: false
- - name: Test
- run: |
- [ ! -x /usr/bin/docker ] && exit 1
-
- cd "$GITHUB_WORKSPACE"
- pwd
- ls -ld vpn.env.example
- sed -i '/ swan_ver_latest=/s/^/#/' run.sh
- sed -i \
- -e '/VPN_IPSEC_PSK/s/# //' \
- -e '/VPN_USER/s/# //' \
- -e '/VPN_PASSWORD/s/# //' \
- -e '/VPN_DNS_NAME/s/# //' \
- -e '/VPN_CLIENT_NAME/s/# //' \
- -e '/VPN_DNS_SRV1/s/# //' \
- -e '/VPN_DNS_SRV2/s/# //' vpn.env.example
-
- set -x
-
- if [ "$OS_TYPE" = "alpine" ]; then
- docker build -t vpn-test .
- elif [ "$OS_TYPE" = "debian" ]; then
- docker build -f Dockerfile.debian -t vpn-test .
- else
- exit 1
- fi
-
- if [ "$TEST_ID" = "with-env" ]; then
- docker run \
- --name "$TEST_ID" \
- --env-file ./vpn.env.example \
- --restart=always \
- -v ikev2-vpn-data:/etc/ipsec.d \
- -p 500:500/udp \
- -p 4500:4500/udp \
- -d --cap-add=NET_ADMIN \
- --device=/dev/ppp \
- --sysctl net.ipv4.ip_forward=1 \
- --sysctl net.ipv4.conf.all.accept_redirects=0 \
- --sysctl net.ipv4.conf.all.send_redirects=0 \
- --sysctl net.ipv4.conf.all.rp_filter=0 \
- --sysctl net.ipv4.conf.default.accept_redirects=0 \
- --sysctl net.ipv4.conf.default.send_redirects=0 \
- --sysctl net.ipv4.conf.default.rp_filter=0 \
- --sysctl net.ipv4.conf.eth0.send_redirects=0 \
- --sysctl net.ipv4.conf.eth0.rp_filter=0 \
- vpn-test
- elif [ "$TEST_ID" = "no-env" ]; then
- docker run \
- --name "$TEST_ID" \
- --restart=always \
- -p 500:500/udp \
- -p 4500:4500/udp \
- -d --privileged \
- vpn-test
- fi
-
- sleep 30
- docker ps | grep "$TEST_ID"
- docker logs "$TEST_ID"
- docker exec "$TEST_ID" netstat -anpu | grep pluto
- docker exec "$TEST_ID" netstat -anpu | grep xl2tpd
- docker exec "$TEST_ID" iptables -nvL
- docker exec "$TEST_ID" iptables -nvL | grep -q 'ppp+'
- docker exec "$TEST_ID" iptables -nvL | grep -q '192\.168\.43\.0/24'
- docker exec "$TEST_ID" iptables -nvL -t nat
- docker exec "$TEST_ID" iptables -nvL -t nat | grep -q '192\.168\.42\.0/24'
- docker exec "$TEST_ID" iptables -nvL -t nat | grep -q '192\.168\.43\.0/24'
- docker exec "$TEST_ID" ipsec status
- docker exec "$TEST_ID" ipsec status | grep -q l2tp-psk
- docker exec "$TEST_ID" ipsec status | grep -q xauth-psk
- if [ "$TEST_ID" = "with-env" ]; then
- source ./vpn.env.example
- docker exec "$TEST_ID" grep "$VPN_IPSEC_PSK" /etc/ipsec.secrets
- docker exec "$TEST_ID" grep "$VPN_USER" /etc/ppp/chap-secrets
- docker exec "$TEST_ID" grep "$VPN_PASSWORD" /etc/ppp/chap-secrets
- docker exec "$TEST_ID" grep "$VPN_USER" /etc/ipsec.d/passwd
- docker exec "$TEST_ID" ipsec status | grep -q ikev2-cp
- docker exec "$TEST_ID" grep 
"leftid=vpn.example.com" /etc/ipsec.conf - docker exec "$TEST_ID" grep 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.conf - docker exec "$TEST_ID" grep 'ms-dns 1.1.1.1' /etc/ppp/options.xl2tpd - docker exec "$TEST_ID" grep 'ms-dns 1.0.0.1' /etc/ppp/options.xl2tpd - docker exec "$TEST_ID" grep 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf - docker exec "$TEST_ID" grep 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.d/ikev2.conf - docker exec "$TEST_ID" ls -ld /etc/ipsec.d/your_client_name.mobileconfig - docker exec "$TEST_ID" ls -ld /etc/ipsec.d/your_client_name.sswan - docker exec "$TEST_ID" ls -ld /etc/ipsec.d/your_client_name.p12 - docker exec "$TEST_ID" grep 'vpn.example.com' /etc/ipsec.d/your_client_name.mobileconfig - docker exec "$TEST_ID" grep 'vpn.example.com' /etc/ipsec.d/your_client_name.sswan - docker exec "$TEST_ID" ikev2.sh --addclient vpnclient2 - docker exec "$TEST_ID" ls -ld /etc/ipsec.d/vpnclient2.mobileconfig - docker exec "$TEST_ID" ls -ld /etc/ipsec.d/vpnclient2.sswan - docker exec "$TEST_ID" ls -ld /etc/ipsec.d/vpnclient2.p12 - docker exec "$TEST_ID" rm -f /etc/ipsec.d/vpnclient2* - docker exec "$TEST_ID" ikev2.sh --exportclient vpnclient2 - docker exec "$TEST_ID" ls -ld /etc/ipsec.d/vpnclient2.mobileconfig - docker exec "$TEST_ID" ls -ld /etc/ipsec.d/vpnclient2.sswan - docker exec "$TEST_ID" ls -ld /etc/ipsec.d/vpnclient2.p12 - docker exec "$TEST_ID" ikev2.sh --listclients - echo "y" | docker exec -i "$TEST_ID" ikev2.sh --revokeclient vpnclient2 - else - docker exec "$TEST_ID" ipsec status | grep -q ikev2-cp && exit 1 - fi - - docker restart "$TEST_ID" - - sleep 10 - docker ps | grep "$TEST_ID" - docker logs "$TEST_ID" - docker exec "$TEST_ID" netstat -anpu | grep pluto - docker exec "$TEST_ID" netstat -anpu | grep xl2tpd - docker exec "$TEST_ID" iptables -nvL - docker exec "$TEST_ID" iptables -nvL | grep -q 'ppp+' - docker exec "$TEST_ID" iptables -nvL | grep -q '192\.168\.43\.0/24' - docker exec "$TEST_ID" iptables -nvL -t nat - docker exec 
"$TEST_ID" iptables -nvL -t nat | grep -q '192\.168\.42\.0/24' - docker exec "$TEST_ID" iptables -nvL -t nat | grep -q '192\.168\.43\.0/24' - docker exec "$TEST_ID" ipsec status - docker exec "$TEST_ID" ipsec status | grep -q l2tp-psk - docker exec "$TEST_ID" ipsec status | grep -q xauth-psk - if [ "$TEST_ID" = "with-env" ]; then - docker exec "$TEST_ID" ipsec status | grep -q ikev2-cp - echo "y" | docker exec -i "$TEST_ID" ikev2.sh --removeikev2 - sleep 3 - fi - docker exec "$TEST_ID" ipsec status | grep -q ikev2-cp && exit 1 - - exit 0 - - name: Clear - if: always() - run: | - docker rm -f "$TEST_ID" || true - docker rmi vpn-test || true diff --git a/.gitignore b/.gitignore index 4bc5fec0ee60af563964f96dd9fab9037b278727..6e8ad9772558fd7c0155fd7fb6747e660699f0e9 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,44 @@ -vpn.env +# Windows image file caches +Thumbs.db +ehthumbs.db + +# Folder config file +Desktop.ini + +# Recycle Bin used on file shares +$RECYCLE.BIN/ + +# Windows Installer files +*.cab +*.msi +*.msm +*.msp + +# Windows shortcuts +*.lnk + +# ========================= +# Operating System Files +# ========================= + +# OSX +# ========================= + +.DS_Store +.AppleDouble +.LSOverride + +# Thumbnails +._* + +# Files that might appear on external disk +.Spotlight-V100 +.Trashes + +# Directories potentially created on remote AFP share +.AppleDB +.AppleDesktop +Network Trash Folder +Temporary Items +.apdisk +.jenkins-external diff --git a/Dockerfile b/Dockerfile index 86cd19311a046f240f5975588bad459e5c104acb..e8a6fda2a6e580cdf8cdd5894d8292e472a982ed 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,60 +1,39 @@
-#
-# Copyright (C) 2021-2023 Lin Song <linsongui@gmail.com>
-#
-# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
-# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
-#
-# Attribution required: please include my name in any derivative and let me
-# know how you have improved it!
+# syntax=docker/dockerfile:1
-FROM alpine:3.17
+FROM ghcr.io/linuxserver/baseimage-alpine:3.17
-ENV SWAN_VER 4.10
-WORKDIR /opt/src
-
-RUN set -x \
- && apk add --no-cache \
- bash bind-tools coreutils openssl uuidgen wget xl2tpd iproute2 \
- libcap-ng libcurl libevent linux-pam musl nspr nss nss-tools openrc \
- bison flex gcc make libc-dev bsd-compat-headers linux-pam-dev \
- nss-dev libcap-ng-dev libevent-dev curl-dev nspr-dev \
- && wget -t 3 -T 30 -nv -O libreswan.tar.gz "https://github.com/libreswan/libreswan/archive/v${SWAN_VER}.tar.gz" \
- || wget -t 3 -T 30 -nv -O libreswan.tar.gz "https://download.libreswan.org/libreswan-${SWAN_VER}.tar.gz" \
- && tar xzf libreswan.tar.gz \
- && rm -f libreswan.tar.gz \
- && cd "libreswan-${SWAN_VER}" \
- && printf 'WERROR_CFLAGS=-w -s\nUSE_DNSSEC=false\nUSE_DH2=true\nFINALNSSDIR=/etc/ipsec.d\n' > Makefile.inc.local \
- && make -s base \
- && make -s install-base \
- && cd /opt/src \
- && mkdir -p /run/openrc \
- && touch /run/openrc/softlevel \
- && rm -rf "/opt/src/libreswan-${SWAN_VER}" \
- && apk del --no-cache \
- bison flex gcc make libc-dev bsd-compat-headers linux-pam-dev \
- nss-dev libcap-ng-dev libevent-dev curl-dev nspr-dev
+# set version label
+ARG BUILD_DATE
+ARG VERSION
+ARG OPENSSH_RELEASE
+LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
+LABEL maintainer="aptalca"
-RUN wget -t 3 -T 30 -nv -O /opt/src/ikev2.sh https://github.com/hwdsl2/setup-ipsec-vpn/raw/2039f91151c4a339c57fff221d6b540d523dd262/extras/ikev2setup.sh \
- && chmod +x /opt/src/ikev2.sh \
- && ln -s /opt/src/ikev2.sh /usr/bin
+RUN \
+ echo "**** install runtime packages 
****" && \
+ apk add --no-cache --upgrade \
+ logrotate \
+ nano \
+ netcat-openbsd \
+ sudo && \
+ echo "**** install openssh-server ****" && \
+ if [ -z ${OPENSSH_RELEASE+x} ]; then \
+ OPENSSH_RELEASE=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp && \
+ awk '/^P:openssh-server-pam$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \
+ fi && \
+ apk add --no-cache \
+ openssh-client==${OPENSSH_RELEASE} \
+ openssh-server-pam==${OPENSSH_RELEASE} \
+ openssh-sftp-server==${OPENSSH_RELEASE} && \
+ echo "**** setup openssh environment ****" && \
+ sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config && \
+ usermod --shell /bin/bash abc && \
+ rm -rf \
+ /tmp/*
-COPY ./run.sh /opt/src/run.sh
-RUN chmod 755 /opt/src/run.sh
-EXPOSE 500/udp 7860/udp
-CMD ["/opt/src/run.sh"]
+# add local files
+COPY /root /
-ARG BUILD_DATE
-ARG VERSION
-ARG VCS_REF
-ENV IMAGE_VER $BUILD_DATE
+EXPOSE 2222
-LABEL maintainer="Lin Song <linsongui@gmail.com>" \
- org.opencontainers.image.created="$BUILD_DATE" \
- org.opencontainers.image.version="$VERSION" \
- org.opencontainers.image.revision="$VCS_REF" \
- org.opencontainers.image.authors="Lin Song <linsongui@gmail.com>" \
- org.opencontainers.image.title="IPsec VPN Server on Docker" \
- org.opencontainers.image.description="Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2." \
- org.opencontainers.image.url="https://github.com/hwdsl2/docker-ipsec-vpn-server" \
- org.opencontainers.image.source="https://github.com/hwdsl2/docker-ipsec-vpn-server" \
- org.opencontainers.image.documentation="https://github.com/hwdsl2/docker-ipsec-vpn-server"
+VOLUME /config
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
new file mode 100644
index 0000000000000000000000000000000000000000..c1674fa85de0e7bee249d545e767e2f41f60a0f1
--- /dev/null
+++ b/Dockerfile.aarch64
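Review bot: The `OPENSSH_RELEASE` fallback in the `RUN` block fetches `APKINDEX.tar.gz` over plain `http://` with `curl -sL` (no `-f`), so an HTTP error or a tampered index yields an empty or unexpected version string that then goes unquoted into `apk add openssh-client==${OPENSSH_RELEASE}`; apk still signature-checks the packages it installs, but the pin itself is unverified and an empty pin does not fail the build. Fetch over `https://` with `curl -fsSL`, fail the build on an empty result, and quote the three `==${OPENSSH_RELEASE}` arguments, as sketched below. The `sed -i` hardening of `PasswordAuthentication` also succeeds silently if the stock `#PasswordAuthentication yes` line is absent or worded differently in a later openssh release, so follow it with `grep -q '^PasswordAuthentication no' /etc/ssh/sshd_config && \` to fail the build rather than ship an image with password logins still enabled. Dockerfile.aarch64 and Dockerfile.armhf carry the same lookup and the same `sed` and need the same change.
```dockerfile
# … unchanged: runtime package install …
    if [ -z "${OPENSSH_RELEASE+x}" ]; then \
      OPENSSH_RELEASE=$(curl -fsSL "https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp && \
      awk '/^P:openssh-server-pam$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \
    fi && \
    [ -n "${OPENSSH_RELEASE}" ] && \
    apk add --no-cache \
      "openssh-client==${OPENSSH_RELEASE}" \
      "openssh-server-pam==${OPENSSH_RELEASE}" \
      "openssh-sftp-server==${OPENSSH_RELEASE}" && \
    echo "**** setup openssh environment ****" && \
    sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config && \
    grep -q '^PasswordAuthentication no' /etc/ssh/sshd_config && \
# … unchanged: usermod and /tmp cleanup …
```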
@@ -0,0 +1,39 @@
+# syntax=docker/dockerfile:1
+
+FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.17
+
+# set version label
+ARG BUILD_DATE
+ARG VERSION
+ARG OPENSSH_RELEASE
+LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
+LABEL maintainer="aptalca"
+
+RUN \
+ echo "**** install runtime packages ****" && \
+ apk add --no-cache --upgrade \
+ logrotate \
+ nano \
+ netcat-openbsd \
+ sudo && \
+ echo "**** install openssh-server ****" && \
+ if [ -z ${OPENSSH_RELEASE+x} ]; then \
+ OPENSSH_RELEASE=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.17/main/aarch64/APKINDEX.tar.gz" | tar -xz -C /tmp && \
+ awk '/^P:openssh-server-pam$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \
+ fi && \
+ apk add --no-cache \
+ openssh-client==${OPENSSH_RELEASE} \
+ openssh-server-pam==${OPENSSH_RELEASE} \
+ openssh-sftp-server==${OPENSSH_RELEASE} && \
+ echo "**** setup openssh environment ****" && \
+ sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config && \
+ usermod --shell /bin/bash abc && \
+ rm -rf \
+ /tmp/*
+
+# add local files
+COPY /root /
+
+EXPOSE 2222
+
+VOLUME /config
diff --git a/Dockerfile.armhf b/Dockerfile.armhf
new file mode 100644
index 0000000000000000000000000000000000000000..96582bcce8f5f003273013d0a1646a42a87cfe42
--- /dev/null
+++ b/Dockerfile.armhf
@@ -0,0 +1,39 @@
+# syntax=docker/dockerfile:1
+
+FROM ghcr.io/linuxserver/baseimage-alpine:arm32v7-3.17
+
+# set version label
+ARG BUILD_DATE
+ARG VERSION
+ARG OPENSSH_RELEASE
+LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
+LABEL maintainer="aptalca"
+
+RUN \
+ echo "**** install runtime packages ****" && \
+ apk add --no-cache --upgrade \
+ logrotate \
+ nano \
+ netcat-openbsd \
+ sudo && \
+ echo "**** install openssh-server ****" && \
+ if [ -z ${OPENSSH_RELEASE+x} ]; then \
+ OPENSSH_RELEASE=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.17/main/armhf/APKINDEX.tar.gz" | tar -xz -C /tmp && \
+ awk '/^P:openssh-server-pam$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \
+ fi && \
+ apk add --no-cache \
+ openssh-client==${OPENSSH_RELEASE} \
+ openssh-server-pam==${OPENSSH_RELEASE} \
+ openssh-sftp-server==${OPENSSH_RELEASE} && \
+ echo "**** setup openssh environment ****" && \
+ sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config && \
+ usermod --shell /bin/bash abc && \
+ rm -rf \
+ /tmp/*
+
+# add local files
+COPY /root /
+
+EXPOSE 2222
+
+VOLUME /config
diff --git a/Dockerfile.debian b/Dockerfile.debian
deleted file mode 100644
index b257c1a831f3768c5d1350cf16497602d420045f..0000000000000000000000000000000000000000
--- a/Dockerfile.debian
+++ /dev/null
@@ -1,68 +0,0 @@
-#
-# Copyright (C) 2016-2023 Lin Song <linsongui@gmail.com>
-#
-# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
-# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
-#
-# Attribution required: please include my name in any derivative and let me
-# know how you have improved it!
-
-FROM debian:bullseye-slim
-
-ENV SWAN_VER 4.10
-WORKDIR /opt/src
-
-RUN apt-get -yqq update \
- && DEBIAN_FRONTEND=noninteractive \
- apt-get -yqq --no-install-recommends install \
- wget dnsutils openssl ca-certificates kmod iproute2 \
- gawk net-tools iptables bsdmainutils libcurl3-nss \
- libnss3-tools libevent-dev uuid-runtime xl2tpd \
- libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
- libcap-ng-dev libcap-ng-utils libselinux1-dev \
- libcurl4-nss-dev flex bison gcc make \
- && wget -t 3 -T 30 -nv -O libreswan.tar.gz "https://github.com/libreswan/libreswan/archive/v${SWAN_VER}.tar.gz" \
- || wget -t 3 -T 30 -nv -O libreswan.tar.gz "https://download.libreswan.org/libreswan-${SWAN_VER}.tar.gz" \
- && tar xzf libreswan.tar.gz \
- && rm -f libreswan.tar.gz \
- && cd "libreswan-${SWAN_VER}" \
- && printf 'WERROR_CFLAGS=-w -s\nUSE_DNSSEC=false\nUSE_SYSTEMD_WATCHDOG=false\n' > Makefile.inc.local \
- && printf 'USE_DH2=true\nUSE_NSS_KDF=false\nFINALNSSDIR=/etc/ipsec.d\n' >> Makefile.inc.local \
- && make -s base \
- && make -s install-base \
- && cd /opt/src \
- && rm -rf "/opt/src/libreswan-${SWAN_VER}" \
- && apt-get -yqq remove \
- libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
- libcap-ng-dev libcap-ng-utils libselinux1-dev \
- libcurl4-nss-dev flex bison gcc make \
- && apt-get -yqq autoremove \
- && apt-get -y clean \
- && rm -rf /var/lib/apt/lists/* \
- && rm -rf /var/log/* \
- && update-alternatives --set iptables /usr/sbin/iptables-legacy
-
-RUN wget -t 3 -T 30 -nv -O /opt/src/ikev2.sh https://github.com/hwdsl2/setup-ipsec-vpn/raw/2039f91151c4a339c57fff221d6b540d523dd262/extras/ikev2setup.sh \
- && chmod +x 
/opt/src/ikev2.sh \
- && ln -s /opt/src/ikev2.sh /usr/bin
-
-COPY ./run.sh /opt/src/run.sh
-RUN chmod 755 /opt/src/run.sh
-EXPOSE 500/udp 4500/udp
-CMD ["/opt/src/run.sh"]
-
-ARG BUILD_DATE
-ARG VERSION
-ARG VCS_REF
-ENV IMAGE_VER $BUILD_DATE
-
-LABEL maintainer="Lin Song <linsongui@gmail.com>" \
- org.opencontainers.image.created="$BUILD_DATE" \
- org.opencontainers.image.version="$VERSION" \
- org.opencontainers.image.revision="$VCS_REF" \
- org.opencontainers.image.authors="Lin Song <linsongui@gmail.com>" \
- org.opencontainers.image.title="IPsec VPN Server on Docker" \
- org.opencontainers.image.description="Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2." \
- org.opencontainers.image.url="https://github.com/hwdsl2/docker-ipsec-vpn-server" \
- org.opencontainers.image.source="https://github.com/hwdsl2/docker-ipsec-vpn-server" \
- org.opencontainers.image.documentation="https://github.com/hwdsl2/docker-ipsec-vpn-server"
diff --git a/Jenkinsfile b/Jenkinsfile
new file mode 100644
index 0000000000000000000000000000000000000000..e001fe2ca827ff722342327c1dd218610383d68d
--- /dev/null
+++ b/Jenkinsfile
@@ -0,0 +1,986 @@ +pipeline { + agent { + label 'X86-64-MULTI' + } + options { + buildDiscarder(logRotator(numToKeepStr: '10', daysToKeepStr: '60')) + parallelsAlwaysFailFast() + } + // Input to determine if this is a package check + parameters { + string(defaultValue: 'false', description: 'package check run', name: 'PACKAGE_CHECK') + } + // Configuration for the variables used for this specific repo + environment { + BUILDS_DISCORD=credentials('build_webhook_url') + GITHUB_TOKEN=credentials('498b4638-2d02-4ce5-832d-8a57d01d97ab') + GITLAB_TOKEN=credentials('b6f0f1dd-6952-4cf6-95d1-9c06380283f0') + GITLAB_NAMESPACE=credentials('gitlab-namespace-id') + SCARF_TOKEN=credentials('scarf_api_key') + CONTAINER_NAME = 'openssh-server' + BUILD_VERSION_ARG = 'OPENSSH_RELEASE' + LS_USER = 'linuxserver' + LS_REPO = 'docker-openssh-server' + DOCKERHUB_IMAGE = 'linuxserver/openssh-server' + DEV_DOCKERHUB_IMAGE = 'lsiodev/openssh-server' + PR_DOCKERHUB_IMAGE = 'lspipepr/openssh-server' + DIST_IMAGE = 'alpine' + DIST_TAG = '3.17' + DIST_REPO = 'http://dl-cdn.alpinelinux.org/alpine/v3.17/main/' + DIST_REPO_PACKAGES = 'openssh-server-pam' + MULTIARCH='true' + CI='true' + CI_WEB='false' + CI_PORT='80' + CI_SSL='false' + CI_DELAY='60' + CI_DOCKERENV='TZ=US/Pacific' + CI_AUTH='user:password' + CI_WEBPATH='' + } + stages { + // Setup all the basic environment variables needed for the build + stage("Set ENV Variables base"){ + steps{ + script{ + env.EXIT_STATUS = '' + env.LS_RELEASE = sh( + script: '''docker run --rm ghcr.io/linuxserver/alexeiled-skopeo sh -c 'skopeo inspect docker://docker.io/'${DOCKERHUB_IMAGE}':latest 2>/dev/null' | jq -r '.Labels.build_version' | awk '{print $3}' | grep '\\-ls' || : ''', + returnStdout: true).trim() + env.LS_RELEASE_NOTES = sh( + script: '''cat readme-vars.yml | awk -F \\" '/date: "[0-9][0-9].[0-9][0-9].[0-9][0-9]:/ {print $4;exit;}' | sed -E ':a;N;$!ba;s/\\r{0,1}\\n/\\\\n/g' ''', + returnStdout: true).trim() + env.GITHUB_DATE = sh( + script: 
'''date '+%Y-%m-%dT%H:%M:%S%:z' ''', + returnStdout: true).trim() + env.COMMIT_SHA = sh( + script: '''git rev-parse HEAD''', + returnStdout: true).trim() + env.CODE_URL = 'https://github.com/' + env.LS_USER + '/' + env.LS_REPO + '/commit/' + env.GIT_COMMIT + env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.DOCKERHUB_IMAGE + '/tags/' + env.PULL_REQUEST = env.CHANGE_ID + env.TEMPLATED_FILES = 'Jenkinsfile README.md LICENSE .editorconfig ./.github/CONTRIBUTING.md ./.github/FUNDING.yml ./.github/ISSUE_TEMPLATE/config.yml ./.github/ISSUE_TEMPLATE/issue.bug.yml ./.github/ISSUE_TEMPLATE/issue.feature.yml ./.github/PULL_REQUEST_TEMPLATE.md ./.github/workflows/external_trigger_scheduler.yml ./.github/workflows/greetings.yml ./.github/workflows/package_trigger_scheduler.yml ./.github/workflows/call_issue_pr_tracker.yml ./.github/workflows/call_issues_cron.yml ./.github/workflows/permissions.yml ./.github/workflows/external_trigger.yml ./.github/workflows/package_trigger.yml' + } + script{ + env.LS_RELEASE_NUMBER = sh( + script: '''echo ${LS_RELEASE} |sed 's/^.*-ls//g' ''', + returnStdout: true).trim() + } + script{ + env.LS_TAG_NUMBER = sh( + script: '''#! 
/bin/bash + tagsha=$(git rev-list -n 1 ${LS_RELEASE} 2>/dev/null) + if [ "${tagsha}" == "${COMMIT_SHA}" ]; then + echo ${LS_RELEASE_NUMBER} + elif [ -z "${GIT_COMMIT}" ]; then + echo ${LS_RELEASE_NUMBER} + else + echo $((${LS_RELEASE_NUMBER} + 1)) + fi''', + returnStdout: true).trim() + } + } + } + /* ####################### + Package Version Tagging + ####################### */ + // Grab the current package versions in Git to determine package tag + stage("Set Package tag"){ + steps{ + script{ + env.PACKAGE_TAG = sh( + script: '''#!/bin/bash + if [ -e package_versions.txt ] ; then + cat package_versions.txt | md5sum | cut -c1-8 + else + echo none + fi''', + returnStdout: true).trim() + } + } + } + /* ######################## + External Release Tagging + ######################## */ + // If this is an alpine repo change for external version determine an md5 from the version string + stage("Set tag Alpine Repo"){ + steps{ + script{ + env.EXT_RELEASE = sh( + script: '''curl -sL "${DIST_REPO}x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \ + && awk '/^P:'"${DIST_REPO_PACKAGES}"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://' ''', + returnStdout: true).trim() + env.RELEASE_LINK = 'alpine_repo' + } + } + } + // Sanitize the release tag and strip illegal docker or github characters + stage("Sanitize tag"){ + steps{ + script{ + env.EXT_RELEASE_CLEAN = sh( + script: '''echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g' ''', + returnStdout: true).trim() + + def semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)\.(\d+)/ + if (semver.find()) { + env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${semver[0][3]}" + } else { + semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)(?:\.(\d+))?(.*)/ + if (semver.find()) { + if (semver[0][3]) { + env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${semver[0][3]}" + } else if (!semver[0][3] && !semver[0][4]) { + env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${(new Date()).format('YYYYMMdd')}" + } + } + } + + if (env.SEMVER != null) { + if (BRANCH_NAME != 
"master" && BRANCH_NAME != "main") { + env.SEMVER = "${env.SEMVER}-${BRANCH_NAME}" + } + println("SEMVER: ${env.SEMVER}") + } else { + println("No SEMVER detected") + } + + } + } + } + // If this is a master build use live docker endpoints + stage("Set ENV live build"){ + when { + branch "master" + environment name: 'CHANGE_ID', value: '' + } + steps { + script{ + env.IMAGE = env.DOCKERHUB_IMAGE + env.GITHUBIMAGE = 'ghcr.io/' + env.LS_USER + '/' + env.CONTAINER_NAME + env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/' + env.CONTAINER_NAME + env.QUAYIMAGE = 'quay.io/linuxserver.io/' + env.CONTAINER_NAME + if (env.MULTIARCH == 'true') { + env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + } else { + env.CI_TAGS = env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + } + env.VERSION_TAG = env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + env.META_TAG = env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + env.EXT_RELEASE_TAG = 'version-' + env.EXT_RELEASE_CLEAN + } + } + } + // If this is a dev build use dev docker endpoints + stage("Set ENV dev build"){ + when { + not {branch "master"} + environment name: 'CHANGE_ID', value: '' + } + steps { + script{ + env.IMAGE = env.DEV_DOCKERHUB_IMAGE + env.GITHUBIMAGE = 'ghcr.io/' + env.LS_USER + '/lsiodev-' + env.CONTAINER_NAME + env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/lsiodev-' + env.CONTAINER_NAME + env.QUAYIMAGE = 'quay.io/linuxserver.io/lsiodev-' + env.CONTAINER_NAME + if (env.MULTIARCH == 'true') { + env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + } else { + env.CI_TAGS = 
env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + } + env.VERSION_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + env.META_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + env.EXT_RELEASE_TAG = 'version-' + env.EXT_RELEASE_CLEAN + env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.DEV_DOCKERHUB_IMAGE + '/tags/' + } + } + } + // If this is a pull request build use dev docker endpoints + stage("Set ENV PR build"){ + when { + not {environment name: 'CHANGE_ID', value: ''} + } + steps { + script{ + env.IMAGE = env.PR_DOCKERHUB_IMAGE + env.GITHUBIMAGE = 'ghcr.io/' + env.LS_USER + '/lspipepr-' + env.CONTAINER_NAME + env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/lspipepr-' + env.CONTAINER_NAME + env.QUAYIMAGE = 'quay.io/linuxserver.io/lspipepr-' + env.CONTAINER_NAME + if (env.MULTIARCH == 'true') { + env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + } else { + env.CI_TAGS = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + } + env.VERSION_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + env.META_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + env.EXT_RELEASE_TAG = 'version-' + env.EXT_RELEASE_CLEAN + env.CODE_URL = 'https://github.com/' + env.LS_USER + '/' + env.LS_REPO + '/pull/' + env.PULL_REQUEST + env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.PR_DOCKERHUB_IMAGE + '/tags/' + } + } + } + // Run ShellCheck + stage('ShellCheck') { + when { + environment name: 'CI', value: 'true' + } + steps { + withCredentials([ + string(credentialsId: 'ci-tests-s3-key-id', variable: 'S3_KEY'), + 
string(credentialsId: 'ci-tests-s3-secret-access-key', variable: 'S3_SECRET') + ]) { + script{ + env.SHELLCHECK_URL = 'https://ci-tests.linuxserver.io/' + env.IMAGE + '/' + env.META_TAG + '/shellcheck-result.xml' + } + sh '''curl -sL https://raw.githubusercontent.com/linuxserver/docker-shellcheck/master/checkrun.sh | /bin/bash''' + sh '''#! /bin/bash + docker run --rm \ + -v ${WORKSPACE}:/mnt \ + -e AWS_ACCESS_KEY_ID=\"${S3_KEY}\" \ + -e AWS_SECRET_ACCESS_KEY=\"${S3_SECRET}\" \ + ghcr.io/linuxserver/baseimage-alpine:3.17 s6-envdir -fn -- /var/run/s6/container_environment /bin/bash -c "\ + apk add --no-cache py3-pip && \ + pip install s3cmd && \ + s3cmd put --no-preserve --acl-public -m text/xml /mnt/shellcheck-result.xml s3://ci-tests.linuxserver.io/${IMAGE}/${META_TAG}/shellcheck-result.xml" || :''' + } + } + } + // Use helper containers to render templated files + stage('Update-Templates') { + when { + branch "master" + environment name: 'CHANGE_ID', value: '' + expression { + env.CONTAINER_NAME != null + } + } + steps { + sh '''#! 
/bin/bash + set -e + TEMPDIR=$(mktemp -d) + docker pull ghcr.io/linuxserver/jenkins-builder:latest + docker run --rm -e CONTAINER_NAME=${CONTAINER_NAME} -e GITHUB_BRANCH=master -v ${TEMPDIR}:/ansible/jenkins ghcr.io/linuxserver/jenkins-builder:latest + # Stage 1 - Jenkinsfile update + if [[ "$(md5sum Jenkinsfile | awk '{ print $1 }')" != "$(md5sum ${TEMPDIR}/docker-${CONTAINER_NAME}/Jenkinsfile | awk '{ print $1 }')" ]]; then + mkdir -p ${TEMPDIR}/repo + git clone https://github.com/${LS_USER}/${LS_REPO}.git ${TEMPDIR}/repo/${LS_REPO} + cd ${TEMPDIR}/repo/${LS_REPO} + git checkout -f master + cp ${TEMPDIR}/docker-${CONTAINER_NAME}/Jenkinsfile ${TEMPDIR}/repo/${LS_REPO}/ + git add Jenkinsfile + git commit -m 'Bot Updating Templated Files' + git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all + echo "true" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER} + echo "Updating Jenkinsfile" + rm -Rf ${TEMPDIR} + exit 0 + else + echo "Jenkinsfile is up to date." + fi + # Stage 2 - Delete old templates + OLD_TEMPLATES=".github/ISSUE_TEMPLATE.md .github/ISSUE_TEMPLATE/issue.bug.md .github/ISSUE_TEMPLATE/issue.feature.md .github/workflows/call_invalid_helper.yml .github/workflows/stale.yml" + for i in ${OLD_TEMPLATES}; do + if [[ -f "${i}" ]]; then + TEMPLATES_TO_DELETE="${i} ${TEMPLATES_TO_DELETE}" + fi + done + if [[ -n "${TEMPLATES_TO_DELETE}" ]]; then + mkdir -p ${TEMPDIR}/repo + git clone https://github.com/${LS_USER}/${LS_REPO}.git ${TEMPDIR}/repo/${LS_REPO} + cd ${TEMPDIR}/repo/${LS_REPO} + git checkout -f master + for i in ${TEMPLATES_TO_DELETE}; do + git rm "${i}" + done + git commit -m 'Bot Updating Templated Files' + git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all + echo "true" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER} + echo "Deleting old and deprecated templates" + rm -Rf ${TEMPDIR} + exit 0 + else + echo "No templates to delete" + fi + # Stage 3 - Update templates + CURRENTHASH=$(grep -hs ^ 
${TEMPLATED_FILES} | md5sum | cut -c1-8) + cd ${TEMPDIR}/docker-${CONTAINER_NAME} + NEWHASH=$(grep -hs ^ ${TEMPLATED_FILES} | md5sum | cut -c1-8) + if [[ "${CURRENTHASH}" != "${NEWHASH}" ]] || ! grep -q '.jenkins-external' "${WORKSPACE}/.gitignore" 2>/dev/null; then + mkdir -p ${TEMPDIR}/repo + git clone https://github.com/${LS_USER}/${LS_REPO}.git ${TEMPDIR}/repo/${LS_REPO} + cd ${TEMPDIR}/repo/${LS_REPO} + git checkout -f master + cd ${TEMPDIR}/docker-${CONTAINER_NAME} + mkdir -p ${TEMPDIR}/repo/${LS_REPO}/.github/workflows + mkdir -p ${TEMPDIR}/repo/${LS_REPO}/.github/ISSUE_TEMPLATE + cp --parents ${TEMPLATED_FILES} ${TEMPDIR}/repo/${LS_REPO}/ || : + cd ${TEMPDIR}/repo/${LS_REPO}/ + if ! grep -q '.jenkins-external' .gitignore 2>/dev/null; then + echo ".jenkins-external" >> .gitignore + git add .gitignore + fi + git add ${TEMPLATED_FILES} + git commit -m 'Bot Updating Templated Files' + git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all + echo "true" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER} + else + echo "false" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER} + fi + mkdir -p ${TEMPDIR}/gitbook + git clone https://github.com/linuxserver/docker-documentation.git ${TEMPDIR}/gitbook/docker-documentation + if [[ ("${BRANCH_NAME}" == "master") || ("${BRANCH_NAME}" == "main") ]] && [[ (! 
-f ${TEMPDIR}/gitbook/docker-documentation/images/docker-${CONTAINER_NAME}.md) || ("$(md5sum ${TEMPDIR}/gitbook/docker-documentation/images/docker-${CONTAINER_NAME}.md | awk '{ print $1 }')" != "$(md5sum ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/docker-${CONTAINER_NAME}.md | awk '{ print $1 }')") ]]; then + cp ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/docker-${CONTAINER_NAME}.md ${TEMPDIR}/gitbook/docker-documentation/images/ + cd ${TEMPDIR}/gitbook/docker-documentation/ + git add images/docker-${CONTAINER_NAME}.md + git commit -m 'Bot Updating Documentation' + git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/docker-documentation.git --all + fi + mkdir -p ${TEMPDIR}/unraid + git clone https://github.com/linuxserver/docker-templates.git ${TEMPDIR}/unraid/docker-templates + git clone https://github.com/linuxserver/templates.git ${TEMPDIR}/unraid/templates + if [[ -f ${TEMPDIR}/unraid/docker-templates/linuxserver.io/img/${CONTAINER_NAME}-logo.png ]]; then + sed -i "s|master/linuxserver.io/img/linuxserver-ls-logo.png|master/linuxserver.io/img/${CONTAINER_NAME}-logo.png|" ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml + fi + if [[ ("${BRANCH_NAME}" == "master") || ("${BRANCH_NAME}" == "main") ]] && [[ (! 
-f ${TEMPDIR}/unraid/templates/unraid/${CONTAINER_NAME}.xml) || ("$(md5sum ${TEMPDIR}/unraid/templates/unraid/${CONTAINER_NAME}.xml | awk '{ print $1 }')" != "$(md5sum ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml | awk '{ print $1 }')") ]]; then + cd ${TEMPDIR}/unraid/templates/ + if grep -wq "${CONTAINER_NAME}" ${TEMPDIR}/unraid/templates/unraid/ignore.list; then + echo "Image is on the ignore list, marking Unraid template as deprecated" + cp ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml ${TEMPDIR}/unraid/templates/unraid/ + git add -u unraid/${CONTAINER_NAME}.xml + git mv unraid/${CONTAINER_NAME}.xml unraid/deprecated/${CONTAINER_NAME}.xml || : + git commit -m 'Bot Moving Deprecated Unraid Template' || : + else + cp ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml ${TEMPDIR}/unraid/templates/unraid/ + git add unraid/${CONTAINER_NAME}.xml + git commit -m 'Bot Updating Unraid Template' + fi + git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/templates.git --all + fi + rm -Rf ${TEMPDIR}''' + script{ + env.FILES_UPDATED = sh( + script: '''cat /tmp/${COMMIT_SHA}-${BUILD_NUMBER}''', + returnStdout: true).trim() + } + } + } + // Exit the build if the Templated files were just updated + stage('Template-exit') { + when { + branch "master" + environment name: 'CHANGE_ID', value: '' + environment name: 'FILES_UPDATED', value: 'true' + expression { + env.CONTAINER_NAME != null + } + } + steps { + script{ + env.EXIT_STATUS = 'ABORTED' + } + } + } + /* ####################### + GitLab Mirroring + ####################### */ + // Ping into Gitlab to mirror this repo and have a registry endpoint + stage("GitLab Mirror"){ + when { + environment name: 'EXIT_STATUS', value: '' + } + steps{ + sh '''curl -H "Content-Type: application/json" -H "Private-Token: ${GITLAB_TOKEN}" -X POST https://gitlab.com/api/v4/projects \ + -d '{"namespace_id":'${GITLAB_NAMESPACE}',\ + 
"name":"'${LS_REPO}'", + "mirror":true,\ + "import_url":"https://github.com/linuxserver/'${LS_REPO}'.git",\ + "issues_access_level":"disabled",\ + "merge_requests_access_level":"disabled",\ + "repository_access_level":"enabled",\ + "visibility":"public"}' ''' + } + } + /* ####################### + Scarf.sh package registry + ####################### */ + // Add package to Scarf.sh and set permissions + stage("Scarf.sh package registry"){ + when { + branch "master" + environment name: 'EXIT_STATUS', value: '' + } + steps{ + sh '''#! /bin/bash + set -e + PACKAGE_UUID=$(curl -X GET -H "Authorization: Bearer ${SCARF_TOKEN}" https://scarf.sh/api/v1/organizations/linuxserver-ci/packages | jq -r '.[] | select(.name=="linuxserver/openssh-server") | .uuid') + if [ -z "${PACKAGE_UUID}" ]; then + echo "Adding package to Scarf.sh" + curl -sX POST https://scarf.sh/api/v1/organizations/linuxserver-ci/packages \ + -H "Authorization: Bearer ${SCARF_TOKEN}" \ + -H "Content-Type: application/json" \ + -d '{"name":"linuxserver/openssh-server",\ + "shortDescription":"example description",\ + "libraryType":"docker",\ + "website":"https://github.com/linuxserver/docker-openssh-server",\ + "backendUrl":"https://ghcr.io/linuxserver/openssh-server",\ + "publicUrl":"https://lscr.io/linuxserver/openssh-server"}' || : + else + echo "Package already exists on Scarf.sh" + fi + ''' + } + } + /* ############### + Build Container + ############### */ + // Build Docker container for push to LS Repo + stage('Build-Single') { + when { + expression { + env.MULTIARCH == 'false' || params.PACKAGE_CHECK == 'true' + } + environment name: 'EXIT_STATUS', value: '' + } + steps { + echo "Running on node: ${NODE_NAME}" + sh "sed -r -i 's|(^FROM .*)|\\1\\n\\nENV LSIO_FIRST_PARTY=true|g' Dockerfile" + sh "docker buildx build \ + --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \ + --label \"org.opencontainers.image.authors=linuxserver.io\" \ + --label 
\"org.opencontainers.image.url=https://github.com/linuxserver/docker-openssh-server/packages\" \ + --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-openssh-server\" \ + --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-openssh-server\" \ + --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \ + --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \ + --label \"org.opencontainers.image.vendor=linuxserver.io\" \ + --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \ + --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \ + --label \"org.opencontainers.image.title=Openssh-server\" \ + --label \"org.opencontainers.image.description=[Openssh-server](https://www.openssh.com/) is a sandboxed environment that allows ssh access without giving keys to the entire server. Giving ssh access via private key often means giving full access to the server. This container creates a limited and sandboxed environment that others can ssh into. The users only have access to the folders mapped and the processes running inside this container.\" \ + --no-cache --pull -t ${IMAGE}:${META_TAG} --platform=linux/amd64 \ + --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ." 
+ } + } + // Build MultiArch Docker containers for push to LS Repo + stage('Build-Multi') { + when { + allOf { + environment name: 'MULTIARCH', value: 'true' + expression { params.PACKAGE_CHECK == 'false' } + } + environment name: 'EXIT_STATUS', value: '' + } + parallel { + stage('Build X86') { + steps { + echo "Running on node: ${NODE_NAME}" + sh "sed -r -i 's|(^FROM .*)|\\1\\n\\nENV LSIO_FIRST_PARTY=true|g' Dockerfile" + sh "docker buildx build \ + --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \ + --label \"org.opencontainers.image.authors=linuxserver.io\" \ + --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-openssh-server/packages\" \ + --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-openssh-server\" \ + --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-openssh-server\" \ + --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \ + --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \ + --label \"org.opencontainers.image.vendor=linuxserver.io\" \ + --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \ + --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \ + --label \"org.opencontainers.image.title=Openssh-server\" \ + --label \"org.opencontainers.image.description=[Openssh-server](https://www.openssh.com/) is a sandboxed environment that allows ssh access without giving keys to the entire server. Giving ssh access via private key often means giving full access to the server. This container creates a limited and sandboxed environment that others can ssh into. The users only have access to the folders mapped and the processes running inside this container.\" \ + --no-cache --pull -t ${IMAGE}:amd64-${META_TAG} --platform=linux/amd64 \ + --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ." 
+ } + } + stage('Build ARMHF') { + agent { + label 'ARMHF' + } + steps { + echo "Running on node: ${NODE_NAME}" + echo 'Logging into Github' + sh '''#! /bin/bash + echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin + ''' + sh "sed -r -i 's|(^FROM .*)|\\1\\n\\nENV LSIO_FIRST_PARTY=true|g' Dockerfile.armhf" + sh "docker buildx build \ + --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \ + --label \"org.opencontainers.image.authors=linuxserver.io\" \ + --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-openssh-server/packages\" \ + --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-openssh-server\" \ + --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-openssh-server\" \ + --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \ + --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \ + --label \"org.opencontainers.image.vendor=linuxserver.io\" \ + --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \ + --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \ + --label \"org.opencontainers.image.title=Openssh-server\" \ + --label \"org.opencontainers.image.description=[Openssh-server](https://www.openssh.com/) is a sandboxed environment that allows ssh access without giving keys to the entire server. Giving ssh access via private key often means giving full access to the server. This container creates a limited and sandboxed environment that others can ssh into. The users only have access to the folders mapped and the processes running inside this container.\" \ + --no-cache --pull -f Dockerfile.armhf -t ${IMAGE}:arm32v7-${META_TAG} --platform=linux/arm/v7 \ + --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ." 
+ sh "docker tag ${IMAGE}:arm32v7-${META_TAG} ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}"
+ retry(5) {
+ sh "docker push ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}"
+ }
+ sh '''docker rmi \
+ ${IMAGE}:arm32v7-${META_TAG} \
+ ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} || :'''
+ }
+ }
+ stage('Build ARM64') {
+ agent {
+ label 'ARM64'
+ }
+ steps {
+ echo "Running on node: ${NODE_NAME}"
+ echo 'Logging into Github'
+ sh '''#! /bin/bash
+ echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
+ '''
+ sh "sed -r -i 's|(^FROM .*)|\\1\\n\\nENV LSIO_FIRST_PARTY=true|g' Dockerfile.aarch64"
+ sh "docker buildx build \
+ --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
+ --label \"org.opencontainers.image.authors=linuxserver.io\" \
+ --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-openssh-server/packages\" \
+ --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-openssh-server\" \
+ --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-openssh-server\" \
+ --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \
+ --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \
+ --label \"org.opencontainers.image.vendor=linuxserver.io\" \
+ --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
+ --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
+ --label \"org.opencontainers.image.title=Openssh-server\" \
+ --label \"org.opencontainers.image.description=[Openssh-server](https://www.openssh.com/) is a sandboxed environment that allows ssh access without giving keys to the entire server. Giving ssh access via private key often means giving full access to the server. This container creates a limited and sandboxed environment that others can ssh into.
The users only have access to the folders mapped and the processes running inside this container.\" \
+ --no-cache --pull -f Dockerfile.aarch64 -t ${IMAGE}:arm64v8-${META_TAG} --platform=linux/arm64 \
+ --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
+ sh "docker tag ${IMAGE}:arm64v8-${META_TAG} ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}"
+ retry(5) {
+ sh "docker push ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}"
+ }
+ sh '''docker rmi \
+ ${IMAGE}:arm64v8-${META_TAG} \
+ ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} || :'''
+ }
+ }
+ }
+ }
+ // Take the image we just built and dump package versions for comparison
+ stage('Update-packages') {
+ when {
+ branch "master"
+ environment name: 'CHANGE_ID', value: ''
+ environment name: 'EXIT_STATUS', value: ''
+ }
+ steps {
+ sh '''#! /bin/bash
+ set -e
+ TEMPDIR=$(mktemp -d)
+ if [ "${MULTIARCH}" == "true" ] && [ "${PACKAGE_CHECK}" == "false" ]; then
+ LOCAL_CONTAINER=${IMAGE}:amd64-${META_TAG}
+ else
+ LOCAL_CONTAINER=${IMAGE}:${META_TAG}
+ fi
+ touch ${TEMPDIR}/package_versions.txt
+ docker run --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock:ro \
+ -v ${TEMPDIR}:/tmp \
+ ghcr.io/anchore/syft:latest \
+ ${LOCAL_CONTAINER} -o table=/tmp/package_versions.txt
+ NEW_PACKAGE_TAG=$(md5sum ${TEMPDIR}/package_versions.txt | cut -c1-8 )
+ echo "Package tag sha from current packages in buit container is ${NEW_PACKAGE_TAG} comparing to old ${PACKAGE_TAG} from github"
+ if [ "${NEW_PACKAGE_TAG}" != "${PACKAGE_TAG}" ]; then
+ git clone https://github.com/${LS_USER}/${LS_REPO}.git ${TEMPDIR}/${LS_REPO}
+ git --git-dir ${TEMPDIR}/${LS_REPO}/.git checkout -f master
+ cp ${TEMPDIR}/package_versions.txt ${TEMPDIR}/${LS_REPO}/
+ cd ${TEMPDIR}/${LS_REPO}/
+ wait
+ git add package_versions.txt
+ git commit -m 'Bot Updating Package Versions'
+ git push
https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all
+ echo "true" > /tmp/packages-${COMMIT_SHA}-${BUILD_NUMBER}
+ echo "Package tag updated, stopping build process"
+ else
+ echo "false" > /tmp/packages-${COMMIT_SHA}-${BUILD_NUMBER}
+ echo "Package tag is same as previous continue with build process"
+ fi
+ rm -Rf ${TEMPDIR}'''
+ script{
+ env.PACKAGE_UPDATED = sh(
+ script: '''cat /tmp/packages-${COMMIT_SHA}-${BUILD_NUMBER}''',
+ returnStdout: true).trim()
+ }
+ }
+ }
+ // Exit the build if the package file was just updated
+ stage('PACKAGE-exit') {
+ when {
+ branch "master"
+ environment name: 'CHANGE_ID', value: ''
+ environment name: 'PACKAGE_UPDATED', value: 'true'
+ environment name: 'EXIT_STATUS', value: ''
+ }
+ steps {
+ sh '''#! /bin/bash
+ echo "Packages were updated. Cleaning up the image and exiting."
+ if [ "${MULTIARCH}" == "true" ] && [ "${PACKAGE_CHECK}" == "false" ]; then
+ docker rmi ${IMAGE}:amd64-${META_TAG}
+ else
+ docker rmi ${IMAGE}:${META_TAG}
+ fi'''
+ script{
+ env.EXIT_STATUS = 'ABORTED'
+ }
+ }
+ }
+ // Exit the build if this is just a package check and there are no changes to push
+ stage('PACKAGECHECK-exit') {
+ when {
+ branch "master"
+ environment name: 'CHANGE_ID', value: ''
+ environment name: 'PACKAGE_UPDATED', value: 'false'
+ environment name: 'EXIT_STATUS', value: ''
+ expression {
+ params.PACKAGE_CHECK == 'true'
+ }
+ }
+ steps {
+ sh '''#! /bin/bash
+ echo "There are no package updates. Cleaning up the image and exiting."
+ if [ "${MULTIARCH}" == "true" ] && [ "${PACKAGE_CHECK}" == "false" ]; then
+ docker rmi ${IMAGE}:amd64-${META_TAG}
+ else
+ docker rmi ${IMAGE}:${META_TAG}
+ fi'''
+ script{
+ env.EXIT_STATUS = 'ABORTED'
+ }
+ }
+ }
+ /* #######
+ Testing
+ ####### */
+ // Run Container tests
+ stage('Test') {
+ when {
+ environment name: 'CI', value: 'true'
+ environment name: 'EXIT_STATUS', value: ''
+ }
+ steps {
+ withCredentials([
+ string(credentialsId: 'ci-tests-s3-key-id', variable: 'S3_KEY'),
+ string(credentialsId: 'ci-tests-s3-secret-access-key ', variable: 'S3_SECRET')
+ ]) {
+ script{
+ env.CI_URL = 'https://ci-tests.linuxserver.io/' + env.IMAGE + '/' + env.META_TAG + '/index.html'
+ }
+ sh '''#! /bin/bash
+ set -e
+ docker pull ghcr.io/linuxserver/ci:latest
+ if [ "${MULTIARCH}" == "true" ]; then
+ docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}
+ docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}
+ docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm32v7-${META_TAG}
+ docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm64v8-${META_TAG}
+ fi
+ docker run --rm \
+ --shm-size=1gb \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -e IMAGE=\"${IMAGE}\" \
+ -e DELAY_START=\"${CI_DELAY}\" \
+ -e TAGS=\"${CI_TAGS}\" \
+ -e META_TAG=\"${META_TAG}\" \
+ -e PORT=\"${CI_PORT}\" \
+ -e SSL=\"${CI_SSL}\" \
+ -e BASE=\"${DIST_IMAGE}\" \
+ -e SECRET_KEY=\"${S3_SECRET}\" \
+ -e ACCESS_KEY=\"${S3_KEY}\" \
+ -e DOCKER_ENV=\"${CI_DOCKERENV}\" \
+ -e WEB_SCREENSHOT=\"${CI_WEB}\" \
+ -e WEB_AUTH=\"${CI_AUTH}\" \
+ -e WEB_PATH=\"${CI_WEBPATH}\" \
+ -e DO_REGION="ams3" \
+ -e DO_BUCKET="lsio-ci" \
+ -t ghcr.io/linuxserver/ci:latest \
+ python3 test_build.py'''
+ }
+ }
+ }
+ /* ##################
+ Release Logic
+ ################## */
+ // If this is an amd64 only image only push a single image
+
stage('Docker-Push-Single') {
+ when {
+ environment name: 'MULTIARCH', value: 'false'
+ environment name: 'EXIT_STATUS', value: ''
+ }
+ steps {
+ withCredentials([
+ [
+ $class: 'UsernamePasswordMultiBinding',
+ credentialsId: '3f9ba4d5-100d-45b0-a3c4-633fd6061207',
+ usernameVariable: 'DOCKERUSER',
+ passwordVariable: 'DOCKERPASS'
+ ],
+ [
+ $class: 'UsernamePasswordMultiBinding',
+ credentialsId: 'Quay.io-Robot',
+ usernameVariable: 'QUAYUSER',
+ passwordVariable: 'QUAYPASS'
+ ]
+ ]) {
+ retry(5) {
+ sh '''#! /bin/bash
+ set -e
+ echo $DOCKERPASS | docker login -u $DOCKERUSER --password-stdin
+ echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
+ echo $GITLAB_TOKEN | docker login registry.gitlab.com -u LinuxServer.io --password-stdin
+ echo $QUAYPASS | docker login quay.io -u $QUAYUSER --password-stdin
+ for PUSHIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${QUAYIMAGE}" "${IMAGE}"; do
+ docker tag ${IMAGE}:${META_TAG} ${PUSHIMAGE}:${META_TAG}
+ docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:latest
+ docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${EXT_RELEASE_TAG}
+ if [ -n "${SEMVER}" ]; then
+ docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${SEMVER}
+ fi
+ docker push ${PUSHIMAGE}:latest
+ docker push ${PUSHIMAGE}:${META_TAG}
+ docker push ${PUSHIMAGE}:${EXT_RELEASE_TAG}
+ if [ -n "${SEMVER}" ]; then
+ docker push ${PUSHIMAGE}:${SEMVER}
+ fi
+ done
+ '''
+ }
+ sh '''#!
/bin/bash
+ for DELETEIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${QUAYIMAGE}" "${IMAGE}"; do
+ docker rmi \
+ ${DELETEIMAGE}:${META_TAG} \
+ ${DELETEIMAGE}:${EXT_RELEASE_TAG} \
+ ${DELETEIMAGE}:latest || :
+ if [ -n "${SEMVER}" ]; then
+ docker rmi ${DELETEIMAGE}:${SEMVER} || :
+ fi
+ done
+ '''
+ }
+ }
+ }
+ // If this is a multi arch release push all images and define the manifest
+ stage('Docker-Push-Multi') {
+ when {
+ environment name: 'MULTIARCH', value: 'true'
+ environment name: 'EXIT_STATUS', value: ''
+ }
+ steps {
+ withCredentials([
+ [
+ $class: 'UsernamePasswordMultiBinding',
+ credentialsId: '3f9ba4d5-100d-45b0-a3c4-633fd6061207',
+ usernameVariable: 'DOCKERUSER',
+ passwordVariable: 'DOCKERPASS'
+ ],
+ [
+ $class: 'UsernamePasswordMultiBinding',
+ credentialsId: 'Quay.io-Robot',
+ usernameVariable: 'QUAYUSER',
+ passwordVariable: 'QUAYPASS'
+ ]
+ ]) {
+ retry(5) {
+ sh '''#! /bin/bash
+ set -e
+ echo $DOCKERPASS | docker login -u $DOCKERUSER --password-stdin
+ echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
+ echo $GITLAB_TOKEN | docker login registry.gitlab.com -u LinuxServer.io --password-stdin
+ echo $QUAYPASS | docker login quay.io -u $QUAYUSER --password-stdin
+ if [ "${CI}" == "false" ]; then
+ docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}
+ docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm32v7-${META_TAG}
+ docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}
+ docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm64v8-${META_TAG}
+ fi
+ for MANIFESTIMAGE in "${IMAGE}" "${GITLABIMAGE}" "${GITHUBIMAGE}" "${QUAYIMAGE}"; do
+ docker tag ${IMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${META_TAG}
+ docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-latest
+ docker tag ${MANIFESTIMAGE}:amd64-${META_TAG}
${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG}
+ docker tag ${IMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${META_TAG}
+ docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-latest
+ docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG}
+ docker tag ${IMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG}
+ docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-latest
+ docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
+ if [ -n "${SEMVER}" ]; then
+ docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${SEMVER}
+ docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${SEMVER}
+ docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${SEMVER}
+ fi
+ docker push ${MANIFESTIMAGE}:amd64-${META_TAG}
+ docker push ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG}
+ docker push ${MANIFESTIMAGE}:amd64-latest
+ docker push ${MANIFESTIMAGE}:arm32v7-${META_TAG}
+ docker push ${MANIFESTIMAGE}:arm32v7-latest
+ docker push ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG}
+ docker push ${MANIFESTIMAGE}:arm64v8-${META_TAG}
+ docker push ${MANIFESTIMAGE}:arm64v8-latest
+ docker push ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
+ if [ -n "${SEMVER}" ]; then
+ docker push ${MANIFESTIMAGE}:amd64-${SEMVER}
+ docker push ${MANIFESTIMAGE}:arm32v7-${SEMVER}
+ docker push ${MANIFESTIMAGE}:arm64v8-${SEMVER}
+ fi
+ docker manifest push --purge ${MANIFESTIMAGE}:latest || :
+ docker manifest create ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:amd64-latest ${MANIFESTIMAGE}:arm32v7-latest ${MANIFESTIMAGE}:arm64v8-latest
+ docker manifest annotate ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:arm32v7-latest --os linux --arch arm
+ docker manifest annotate ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:arm64v8-latest --os linux --arch arm64 --variant v8
+ docker manifest push --purge ${MANIFESTIMAGE}:${META_TAG} || :
+ docker manifest create
${MANIFESTIMAGE}:${META_TAG} ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG}
+ docker manifest annotate ${MANIFESTIMAGE}:${META_TAG} ${MANIFESTIMAGE}:arm32v7-${META_TAG} --os linux --arch arm
+ docker manifest annotate ${MANIFESTIMAGE}:${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG} --os linux --arch arm64 --variant v8
+ docker manifest push --purge ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} || :
+ docker manifest create ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
+ docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} --os linux --arch arm
+ docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} --os linux --arch arm64 --variant v8
+ if [ -n "${SEMVER}" ]; then
+ docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} || :
+ docker manifest create ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:amd64-${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER}
+ docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} --os linux --arch arm
+ docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER} --os linux --arch arm64 --variant v8
+ fi
+ docker manifest push --purge ${MANIFESTIMAGE}:latest
+ docker manifest push --purge ${MANIFESTIMAGE}:${META_TAG}
+ docker manifest push --purge ${MANIFESTIMAGE}:${EXT_RELEASE_TAG}
+ if [ -n "${SEMVER}" ]; then
+ docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER}
+ fi
+ done
+ '''
+ }
+ sh '''#!
/bin/bash
+ for DELETEIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${QUAYIMAGE}" "${IMAGE}"; do
+ docker rmi \
+ ${DELETEIMAGE}:amd64-${META_TAG} \
+ ${DELETEIMAGE}:amd64-latest \
+ ${DELETEIMAGE}:amd64-${EXT_RELEASE_TAG} \
+ ${DELETEIMAGE}:arm32v7-${META_TAG} \
+ ${DELETEIMAGE}:arm32v7-latest \
+ ${DELETEIMAGE}:arm32v7-${EXT_RELEASE_TAG} \
+ ${DELETEIMAGE}:arm64v8-${META_TAG} \
+ ${DELETEIMAGE}:arm64v8-latest \
+ ${DELETEIMAGE}:arm64v8-${EXT_RELEASE_TAG} || :
+ if [ -n "${SEMVER}" ]; then
+ docker rmi \
+ ${DELETEIMAGE}:amd64-${SEMVER} \
+ ${DELETEIMAGE}:arm32v7-${SEMVER} \
+ ${DELETEIMAGE}:arm64v8-${SEMVER} || :
+ fi
+ done
+ docker rmi \
+ ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} \
+ ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} || :
+ '''
+ }
+ }
+ }
+ // If this is a public release tag it in the LS Github
+ stage('Github-Tag-Push-Release') {
+ when {
+ branch "master"
+ expression {
+ env.LS_RELEASE != env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER
+ }
+ environment name: 'CHANGE_ID', value: ''
+ environment name: 'EXIT_STATUS', value: ''
+ }
+ steps {
+ echo "Pushing New tag for current commit ${META_TAG}"
+ sh '''curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/git/tags \
+ -d '{"tag":"'${META_TAG}'",\
+ "object": "'${COMMIT_SHA}'",\
+ "message": "Tagging Release '${EXT_RELEASE_CLEAN}'-ls'${LS_TAG_NUMBER}' to master",\
+ "type": "commit",\
+ "tagger": {"name": "LinuxServer Jenkins","email": "jenkins@linuxserver.io","date": "'${GITHUB_DATE}'"}}' '''
+ echo "Pushing New release for Tag"
+ sh '''#!
/bin/bash
+ echo "Updating external repo packages to ${EXT_RELEASE_CLEAN}" > releasebody.json
+ echo '{"tag_name":"'${META_TAG}'",\
+ "target_commitish": "master",\
+ "name": "'${META_TAG}'",\
+ "body": "**LinuxServer Changes:**\\n\\n'${LS_RELEASE_NOTES}'\\n\\n**Repo Changes:**\\n\\n' > start
+ printf '","draft": false,"prerelease": false}' >> releasebody.json
+ paste -d'\\0' start releasebody.json > releasebody.json.done
+ curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/releases -d @releasebody.json.done'''
+ }
+ }
+ // Use helper container to sync the current README on master to the dockerhub endpoint
+ stage('Sync-README') {
+ when {
+ environment name: 'CHANGE_ID', value: ''
+ environment name: 'EXIT_STATUS', value: ''
+ }
+ steps {
+ withCredentials([
+ [
+ $class: 'UsernamePasswordMultiBinding',
+ credentialsId: '3f9ba4d5-100d-45b0-a3c4-633fd6061207',
+ usernameVariable: 'DOCKERUSER',
+ passwordVariable: 'DOCKERPASS'
+ ]
+ ]) {
+ sh '''#!
/bin/bash
+ set -e
+ TEMPDIR=$(mktemp -d)
+ docker pull ghcr.io/linuxserver/jenkins-builder:latest
+ docker run --rm -e CONTAINER_NAME=${CONTAINER_NAME} -e GITHUB_BRANCH="${BRANCH_NAME}" -v ${TEMPDIR}:/ansible/jenkins ghcr.io/linuxserver/jenkins-builder:latest
+ docker pull ghcr.io/linuxserver/readme-sync
+ docker run --rm=true \
+ -e DOCKERHUB_USERNAME=$DOCKERUSER \
+ -e DOCKERHUB_PASSWORD=$DOCKERPASS \
+ -e GIT_REPOSITORY=${LS_USER}/${LS_REPO} \
+ -e DOCKER_REPOSITORY=${IMAGE} \
+ -e GIT_BRANCH=master \
+ -v ${TEMPDIR}/docker-${CONTAINER_NAME}:/mnt \
+ ghcr.io/linuxserver/readme-sync bash -c 'node sync'
+ rm -Rf ${TEMPDIR} '''
+ }
+ }
+ }
+ // If this is a Pull request send the CI link as a comment on it
+ stage('Pull Request Comment') {
+ when {
+ not {environment name: 'CHANGE_ID', value: ''}
+ environment name: 'CI', value: 'true'
+ environment name: 'EXIT_STATUS', value: ''
+ }
+ steps {
+ sh '''curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/issues/${PULL_REQUEST}/comments \
+ -d '{"body": "I am a bot, here are the test results for this PR: \\n'${CI_URL}' \\n'${SHELLCHECK_URL}'"}' '''
+ }
+ }
+ }
+ /* ######################
+ Send status to Discord
+ ###################### */
+ post {
+ always {
+ script{
+ if (env.EXIT_STATUS == "ABORTED"){
+ sh 'echo "build aborted"'
+ }
+ else if (currentBuild.currentResult == "SUCCESS"){
+ sh ''' curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/jenkins-avatar.png","embeds": [{"color": 1681177,\
+ "description": "**Build:** '${BUILD_NUMBER}'\\n**CI Results:** '${CI_URL}'\\n**ShellCheck Results:** '${SHELLCHECK_URL}'\\n**Status:** Success\\n**Job:** '${RUN_DISPLAY_URL}'\\n**Change:** '${CODE_URL}'\\n**External Release:**: '${RELEASE_LINK}'\\n**DockerHub:** '${DOCKERHUB_LINK}'\\n"}],\
+ "username": "Jenkins"}' ${BUILDS_DISCORD} '''
+ }
+ else {
+ sh '''
curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/jenkins-avatar.png","embeds": [{"color": 16711680,\
+ "description": "**Build:** '${BUILD_NUMBER}'\\n**CI Results:** '${CI_URL}'\\n**ShellCheck Results:** '${SHELLCHECK_URL}'\\n**Status:** failure\\n**Job:** '${RUN_DISPLAY_URL}'\\n**Change:** '${CODE_URL}'\\n**External Release:**: '${RELEASE_LINK}'\\n**DockerHub:** '${DOCKERHUB_LINK}'\\n"}],\
+ "username": "Jenkins"}' ${BUILDS_DISCORD} '''
+ }
+ }
+ }
+ cleanup {
+ cleanWs()
+ }
+ }
+}
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000000000000000000000000000000000000..f288702d2fa16d3cdf0035b15a9fcbc552cd88e7
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,674 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+ The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users. We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors. You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+ To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights. Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received. You must make sure that they, too, receive
+or can get the source code. And you must show them these terms so they
+know their rights.
+
+ Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+ For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software. For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+ Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so. This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software. The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable. Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products. If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+ Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary. To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ TERMS AND CONDITIONS
+
+ 0. Definitions.
+
+ "This License" refers to version 3 of the GNU General Public License.
+
+ "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+ "The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
+
+ To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy. The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+ A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+ To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+ To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+ An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+ 1. Source Code.
+
+ The "source code" for a work means the preferred form of the work
+for making modifications to it. "Object code" means any non-source
+form of a work.
+
+ A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+ The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+ The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+ The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+ The Corresponding Source for a work in source code form is that
+same work.
+
+ 2.
Basic Permissions.
+
+ All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+ You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force. You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright. Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+ Conveying under any other circumstances is permitted solely under
+the conditions stated below. Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+ 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+ No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+ When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+ 4. Conveying Verbatim Copies.
+
+ You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+ You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+ 5. Conveying Modified Source Versions.
+
+ You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+ a) The work must carry prominent notices stating that you modified
+ it, and giving a relevant date.
+
+ b) The work must carry prominent notices stating that it is
+ released under this License and any conditions added under section
+ 7. This requirement modifies the requirement in section 4 to
+ "keep intact all notices".
+
+ c) You must license the entire work, as a whole, under this
+ License to anyone who comes into possession of a copy. This
+ License will therefore apply, along with any applicable section 7
+ additional terms, to the whole of the work, and all its parts,
+ regardless of how they are packaged.
This License gives no
+ permission to license the work in any other way, but it does not
+ invalidate such permission if you have separately received it.
+
+ d) If the work has interactive user interfaces, each must display
+ Appropriate Legal Notices; however, if the Program has interactive
+ interfaces that do not display Appropriate Legal Notices, your
+ work need not make them do so.
+
+ A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+ 6. Conveying Non-Source Forms.
+
+ You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+ a) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by the
+ Corresponding Source fixed on a durable physical medium
+ customarily used for software interchange.
+ + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. 
+ + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. 
+ + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. 
If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. 
If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. 
+ + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. 
For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. 
The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+ + <one line to give the program's name and a brief idea of what it does.> + Copyright (C) <year> <name of author> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + <program> Copyright (C) <year> <name of author> + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +<https://www.gnu.org/licenses/>. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. 
If this is what you want to do, use the GNU Lesser General
+Public License instead of this License. But first, please read
+<https://www.gnu.org/licenses/why-not-lgpl.html>.
diff --git a/LICENSE.md b/LICENSE.md
deleted file mode 100644
index 902d35117c64d2236487aedd4a5c4a7794243451..0000000000000000000000000000000000000000
--- a/LICENSE.md
+++ /dev/null
@@ -1,406 +0,0 @@ -### Creative Commons Attribution-ShareAlike 3.0 Unported License -Link to license summary: https://creativecommons.org/licenses/by-sa/3.0/ - -Copyright (C) 2016-2023 [Lin Song](https://github.com/hwdsl2) -Based on [the work of Thomas Sarlandie](https://github.com/sarfata/voodooprivacy) (Copyright 2012) - -<p>THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS -OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR -"LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER -APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS -AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS -PROHIBITED.</p> -<p>BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU -ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. -TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A -CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE -IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND -CONDITIONS.</p> -<p><strong>1. Definitions</strong></p> -<ol type="a"> -<li><strong>"Adaptation"</strong> means a work based upon -the Work, or upon the Work and other pre-existing works, -such as a translation, adaptation, derivative work, -arrangement of music or other alterations of a literary -or artistic work, or phonogram or performance and -includes cinematographic adaptations or any other form in -which the Work may be recast, transformed, or adapted -including in any form recognizably derived from the -original, except that a work that constitutes a -Collection will not be considered an Adaptation for the -purpose of this License. 
For the avoidance of doubt, -where the Work is a musical work, performance or -phonogram, the synchronization of the Work in -timed-relation with a moving image ("synching") will be -considered an Adaptation for the purpose of this -License.</li> -<li><strong>"Collection"</strong> means a collection of -literary or artistic works, such as encyclopedias and -anthologies, or performances, phonograms or broadcasts, -or other works or subject matter other than works listed -in Section 1(f) below, which, by reason of the selection -and arrangement of their contents, constitute -intellectual creations, in which the Work is included in -its entirety in unmodified form along with one or more -other contributions, each constituting separate and -independent works in themselves, which together are -assembled into a collective whole. A work that -constitutes a Collection will not be considered an -Adaptation (as defined below) for the purposes of this -License.</li> -<li><strong>"Creative Commons Compatible -License"</strong> means a license that is listed at -https://creativecommons.org/compatiblelicenses that has -been approved by Creative Commons as being essentially -equivalent to this License, including, at a minimum, -because that license: (i) contains terms that have the -same purpose, meaning and effect as the License Elements -of this License; and, (ii) explicitly permits the -relicensing of adaptations of works made available under -that license under this License or a Creative Commons -jurisdiction license with the same License Elements as -this License.</li> -<li><strong>"Distribute"</strong> means to make available -to the public the original and copies of the Work or -Adaptation, as appropriate, through sale or other -transfer of ownership.</li> -<li><strong>"License Elements"</strong> means the -following high-level license attributes as selected by -Licensor and indicated in the title of this License: -Attribution, ShareAlike.</li> 
-<li><strong>"Licensor"</strong> means the individual, -individuals, entity or entities that offer(s) the Work -under the terms of this License.</li> -<li><strong>"Original Author"</strong> means, in the case -of a literary or artistic work, the individual, -individuals, entity or entities who created the Work or -if no individual or entity can be identified, the -publisher; and in addition (i) in the case of a -performance the actors, singers, musicians, dancers, and -other persons who act, sing, deliver, declaim, play in, -interpret or otherwise perform literary or artistic works -or expressions of folklore; (ii) in the case of a -phonogram the producer being the person or legal entity -who first fixes the sounds of a performance or other -sounds; and, (iii) in the case of broadcasts, the -organization that transmits the broadcast.</li> -<li><strong>"Work"</strong> means the literary and/or -artistic work offered under the terms of this License -including without limitation any production in the -literary, scientific and artistic domain, whatever may be -the mode or form of its expression including digital -form, such as a book, pamphlet and other writing; a -lecture, address, sermon or other work of the same -nature; a dramatic or dramatico-musical work; a -choreographic work or entertainment in dumb show; a -musical composition with or without words; a -cinematographic work to which are assimilated works -expressed by a process analogous to cinematography; a -work of drawing, painting, architecture, sculpture, -engraving or lithography; a photographic work to which -are assimilated works expressed by a process analogous to -photography; a work of applied art; an illustration, map, -plan, sketch or three-dimensional work relative to -geography, topography, architecture or science; a -performance; a broadcast; a phonogram; a compilation of -data to the extent it is protected as a copyrightable -work; or a work performed by a variety or circus -performer to the 
extent it is not otherwise considered a -literary or artistic work.</li> -<li><strong>"You"</strong> means an individual or entity -exercising rights under this License who has not -previously violated the terms of this License with -respect to the Work, or who has received express -permission from the Licensor to exercise rights under -this License despite a previous violation.</li> -<li><strong>"Publicly Perform"</strong> means to perform -public recitations of the Work and to communicate to the -public those public recitations, by any means or process, -including by wire or wireless means or public digital -performances; to make available to the public Works in -such a way that members of the public may access these -Works from a place and at a place individually chosen by -them; to perform the Work to the public by any means or -process and the communication to the public of the -performances of the Work, including by public digital -performance; to broadcast and rebroadcast the Work by any -means including signs, sounds or images.</li> -<li><strong>"Reproduce"</strong> means to make copies of -the Work by any means including without limitation by -sound or visual recordings and the right of fixation and -reproducing fixations of the Work, including storage of a -protected performance or phonogram in digital form or -other electronic medium.</li> -</ol> -<p><strong>2. Fair Dealing Rights.</strong> Nothing in this -License is intended to reduce, limit, or restrict any uses -free from copyright or rights arising from limitations or -exceptions that are provided for in connection with the -copyright protection under copyright law or other -applicable laws.</p> -<p><strong>3. 
License Grant.</strong> Subject to the terms -and conditions of this License, Licensor hereby grants You -a worldwide, royalty-free, non-exclusive, perpetual (for -the duration of the applicable copyright) license to -exercise the rights in the Work as stated below:</p> -<ol type="a"> -<li>to Reproduce the Work, to incorporate the Work into -one or more Collections, and to Reproduce the Work as -incorporated in the Collections;</li> -<li>to create and Reproduce Adaptations provided that any -such Adaptation, including any translation in any medium, -takes reasonable steps to clearly label, demarcate or -otherwise identify that changes were made to the original -Work. For example, a translation could be marked "The -original work was translated from English to Spanish," or -a modification could indicate "The original work has been -modified.";</li> -<li>to Distribute and Publicly Perform the Work including -as incorporated in Collections; and,</li> -<li>to Distribute and Publicly Perform Adaptations.</li> -<li> -<p>For the avoidance of doubt:</p> -<ol type="i"> -<li><strong>Non-waivable Compulsory License -Schemes</strong>. In those jurisdictions in which the -right to collect royalties through any statutory or -compulsory licensing scheme cannot be waived, the -Licensor reserves the exclusive right to collect such -royalties for any exercise by You of the rights -granted under this License;</li> -<li><strong>Waivable Compulsory License -Schemes</strong>. In those jurisdictions in which the -right to collect royalties through any statutory or -compulsory licensing scheme can be waived, the -Licensor waives the exclusive right to collect such -royalties for any exercise by You of the rights -granted under this License; and,</li> -<li><strong>Voluntary License Schemes</strong>. 
The -Licensor waives the right to collect royalties, -whether individually or, in the event that the -Licensor is a member of a collecting society that -administers voluntary licensing schemes, via that -society, from any exercise by You of the rights -granted under this License.</li> -</ol> -</li> -</ol> -<p>The above rights may be exercised in all media and -formats whether now known or hereafter devised. The above -rights include the right to make such modifications as are -technically necessary to exercise the rights in other media -and formats. Subject to Section 8(f), all rights not -expressly granted by Licensor are hereby reserved.</p> -<p><strong>4. Restrictions.</strong> The license granted in -Section 3 above is expressly made subject to and limited by -the following restrictions:</p> -<ol type="a"> -<li>You may Distribute or Publicly Perform the Work only -under the terms of this License. You must include a copy -of, or the Uniform Resource Identifier (URI) for, this -License with every copy of the Work You Distribute or -Publicly Perform. You may not offer or impose any terms -on the Work that restrict the terms of this License or -the ability of the recipient of the Work to exercise the -rights granted to that recipient under the terms of the -License. You may not sublicense the Work. You must keep -intact all notices that refer to this License and to the -disclaimer of warranties with every copy of the Work You -Distribute or Publicly Perform. When You Distribute or -Publicly Perform the Work, You may not impose any -effective technological measures on the Work that -restrict the ability of a recipient of the Work from You -to exercise the rights granted to that recipient under -the terms of the License. This Section 4(a) applies to -the Work as incorporated in a Collection, but this does -not require the Collection apart from the Work itself to -be made subject to the terms of this License. 
If You -create a Collection, upon notice from any Licensor You -must, to the extent practicable, remove from the -Collection any credit as required by Section 4(c), as -requested. If You create an Adaptation, upon notice from -any Licensor You must, to the extent practicable, remove -from the Adaptation any credit as required by Section -4(c), as requested.</li> -<li>You may Distribute or Publicly Perform an Adaptation -only under the terms of: (i) this License; (ii) a later -version of this License with the same License Elements as -this License; (iii) a Creative Commons jurisdiction -license (either this or a later license version) that -contains the same License Elements as this License (e.g., -Attribution-ShareAlike 3.0 US)); (iv) a Creative Commons -Compatible License. If you license the Adaptation under -one of the licenses mentioned in (iv), you must comply -with the terms of that license. If you license the -Adaptation under the terms of any of the licenses -mentioned in (i), (ii) or (iii) (the "Applicable -License"), you must comply with the terms of the -Applicable License generally and the following -provisions: (I) You must include a copy of, or the URI -for, the Applicable License with every copy of each -Adaptation You Distribute or Publicly Perform; (II) You -may not offer or impose any terms on the Adaptation that -restrict the terms of the Applicable License or the -ability of the recipient of the Adaptation to exercise -the rights granted to that recipient under the terms of -the Applicable License; (III) You must keep intact all -notices that refer to the Applicable License and to the -disclaimer of warranties with every copy of the Work as -included in the Adaptation You Distribute or Publicly -Perform; (IV) when You Distribute or Publicly Perform the -Adaptation, You may not impose any effective -technological measures on the Adaptation that restrict -the ability of a recipient of the Adaptation from You to -exercise the rights granted to that 
recipient under the -terms of the Applicable License. This Section 4(b) -applies to the Adaptation as incorporated in a -Collection, but this does not require the Collection -apart from the Adaptation itself to be made subject to -the terms of the Applicable License.</li> -<li>If You Distribute, or Publicly Perform the Work or -any Adaptations or Collections, You must, unless a -request has been made pursuant to Section 4(a), keep -intact all copyright notices for the Work and provide, -reasonable to the medium or means You are utilizing: (i) -the name of the Original Author (or pseudonym, if -applicable) if supplied, and/or if the Original Author -and/or Licensor designate another party or parties (e.g., -a sponsor institute, publishing entity, journal) for -attribution ("Attribution Parties") in Licensor's -copyright notice, terms of service or by other reasonable -means, the name of such party or parties; (ii) the title -of the Work if supplied; (iii) to the extent reasonably -practicable, the URI, if any, that Licensor specifies to -be associated with the Work, unless such URI does not -refer to the copyright notice or licensing information -for the Work; and (iv) , consistent with Ssection 3(b), -in the case of an Adaptation, a credit identifying the -use of the Work in the Adaptation (e.g., "French -translation of the Work by Original Author," or -"Screenplay based on original Work by Original Author"). -The credit required by this Section 4(c) may be -implemented in any reasonable manner; provided, however, -that in the case of a Adaptation or Collection, at a -minimum such credit will appear, if a credit for all -contributing authors of the Adaptation or Collection -appears, then as part of these credits and in a manner at -least as prominent as the credits for the other -contributing authors. 
For the avoidance of doubt, You may -only use the credit required by this Section for the -purpose of attribution in the manner set out above and, -by exercising Your rights under this License, You may not -implicitly or explicitly assert or imply any connection -with, sponsorship or endorsement by the Original Author, -Licensor and/or Attribution Parties, as appropriate, of -You or Your use of the Work, without the separate, -express prior written permission of the Original Author, -Licensor and/or Attribution Parties.</li> -<li>Except as otherwise agreed in writing by the Licensor -or as may be otherwise permitted by applicable law, if -You Reproduce, Distribute or Publicly Perform the Work -either by itself or as part of any Adaptations or -Collections, You must not distort, mutilate, modify or -take other derogatory action in relation to the Work -which would be prejudicial to the Original Author's honor -or reputation. Licensor agrees that in those -jurisdictions (e.g. Japan), in which any exercise of the -right granted in Section 3(b) of this License (the right -to make Adaptations) would be deemed to be a distortion, -mutilation, modification or other derogatory action -prejudicial to the Original Author's honor and -reputation, the Licensor will waive or not assert, as -appropriate, this Section, to the fullest extent -permitted by the applicable national law, to enable You -to reasonably exercise Your right under Section 3(b) of -this License (right to make Adaptations) but not -otherwise.</li> -</ol> -<p><strong>5. 
Representations, Warranties and -Disclaimer</strong></p> -<p>UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN -WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO -REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE -WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, -WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, -FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE -ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE -PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. -SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED -WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.</p> -<p><strong>6. Limitation on Liability.</strong> EXCEPT TO -THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL -LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY -SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY -DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, -EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF -SUCH DAMAGES.</p> -<p><strong>7. Termination</strong></p> -<ol type="a"> -<li>This License and the rights granted hereunder will -terminate automatically upon any breach by You of the -terms of this License. Individuals or entities who have -received Adaptations or Collections from You under this -License, however, will not have their licenses terminated -provided such individuals or entities remain in full -compliance with those licenses. Sections 1, 2, 5, 6, 7, -and 8 will survive any termination of this License.</li> -<li>Subject to the above terms and conditions, the -license granted here is perpetual (for the duration of -the applicable copyright in the Work). 
Notwithstanding -the above, Licensor reserves the right to release the -Work under different license terms or to stop -distributing the Work at any time; provided, however that -any such election will not serve to withdraw this License -(or any other license that has been, or is required to -be, granted under the terms of this License), and this -License will continue in full force and effect unless -terminated as stated above.</li> -</ol> -<p><strong>8. Miscellaneous</strong></p> -<ol type="a"> -<li>Each time You Distribute or Publicly Perform the Work -or a Collection, the Licensor offers to the recipient a -license to the Work on the same terms and conditions as -the license granted to You under this License.</li> -<li>Each time You Distribute or Publicly Perform an -Adaptation, Licensor offers to the recipient a license to -the original Work on the same terms and conditions as the -license granted to You under this License.</li> -<li>If any provision of this License is invalid or -unenforceable under applicable law, it shall not affect -the validity or enforceability of the remainder of the -terms of this License, and without further action by the -parties to this agreement, such provision shall be -reformed to the minimum extent necessary to make such -provision valid and enforceable.</li> -<li>No term or provision of this License shall be deemed -waived and no breach consented to unless such waiver or -consent shall be in writing and signed by the party to be -charged with such waiver or consent.</li> -<li>This License constitutes the entire agreement between -the parties with respect to the Work licensed here. There -are no understandings, agreements or representations with -respect to the Work not specified here. Licensor shall -not be bound by any additional provisions that may appear -in any communication from You. 
This License may not be -modified without the mutual written agreement of the -Licensor and You.</li> -<li>The rights granted under, and the subject matter -referenced, in this License were drafted utilizing the -terminology of the Berne Convention for the Protection of -Literary and Artistic Works (as amended on September 28, -1979), the Rome Convention of 1961, the WIPO Copyright -Treaty of 1996, the WIPO Performances and Phonograms -Treaty of 1996 and the Universal Copyright Convention (as -revised on July 24, 1971). These rights and subject -matter take effect in the relevant jurisdiction in which -the License terms are sought to be enforced according to -the corresponding provisions of the implementation of -those treaty provisions in the applicable national law. -If the standard suite of rights granted under applicable -copyright law includes additional rights not granted -under this License, such additional rights are deemed to -be included in the License; this License is not intended -to restrict the license of any rights under applicable -law.</li> -</ol> diff --git a/README-zh.md b/README-zh.md deleted file mode 100644 index 49c3b8715d6bc3aff78ab197cb150f690ba1b732..0000000000000000000000000000000000000000 --- a/README-zh.md +++ /dev/null 
@@ -1,360 +0,0 @@ -[English](README.md) | [中文](README-zh.md) - -# Docker 上的 IPsec VPN 服务器 - -[![Build Status](https://github.com/hwdsl2/docker-ipsec-vpn-server/actions/workflows/main-alpine.yml/badge.svg)](https://github.com/hwdsl2/docker-ipsec-vpn-server/actions/workflows/main-alpine.yml) [![GitHub Stars](docs/images/badges/github-stars.svg)](https://github.com/hwdsl2/docker-ipsec-vpn-server/stargazers) [![Docker Stars](docs/images/badges/docker-stars.svg)](https://hub.docker.com/r/hwdsl2/ipsec-vpn-server/) [![Docker Pulls](docs/images/badges/docker-pulls.svg)](https://hub.docker.com/r/hwdsl2/ipsec-vpn-server/) - -使用这个 Docker 镜像快速搭建 IPsec VPN 服务器。支持 IPsec/L2TP,Cisco IPsec 和 IKEv2 协议。 - -本镜像以 Alpine 3.17 或 Debian 11 为基础,并使用 [Libreswan](https://libreswan.org) (IPsec VPN 软件) 和 [xl2tpd](https://github.com/xelerance/xl2tpd) (L2TP 服务进程)。 - -IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时,你和 VPN 服务器之间的任何人对你的数据的未经授权的访问。在使用不安全的网络时,这是特别有用的,例如在咖啡厅,机场或旅馆房间。 - -[**» 另见:IPsec VPN 服务器一键安装脚本**](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md) - -## 快速开始 - -使用以下命令在 Docker 上快速搭建 IPsec VPN 服务器: - -``` -docker run \ - --name ipsec-vpn-server \ - --restart=always \ - -v ikev2-vpn-data:/etc/ipsec.d \ - -v /lib/modules:/lib/modules:ro \ - -p 500:500/udp \ - -p 4500:4500/udp \ - -d --privileged \ - hwdsl2/ipsec-vpn-server -``` - -你的 VPN 登录凭证将会被自动随机生成。请参见 [获取 VPN 登录信息](#获取-vpn-登录信息)。 - -要了解更多有关如何使用本镜像的信息,请继续阅读以下部分。 - -## 功能特性 - -- 支持具有强大和快速加密算法(例如 AES-GCM)的 IKEv2 模式 -- 生成 VPN 配置文件以自动配置 iOS, macOS 和 Android 设备 -- 支持 Windows, macOS, iOS, Android, Chrome OS 和 Linux 客户端 -- 包括辅助脚本以管理 IKEv2 用户和证书 - -## 安装 Docker - -首先在你的 Linux 服务器上 [安装 Docker](https://docs.docker.com/engine/install/)。另外你也可以使用 [Podman](https://podman.io) 运行本镜像,需要首先为 `docker` 命令 [创建一个别名](https://podman.io/whatis.html)。 - -高级用户可以在 macOS 上通过安装 [Docker for Mac](https://docs.docker.com/docker-for-mac/) 使用本镜像。在使用 IPsec/L2TP 模式之前,你可能需要运行 `docker restart ipsec-vpn-server` 重启一次 Docker 容器。本镜像不支持 Docker for Windows。 - -## 下载 - 
-预构建的可信任镜像可在 [Docker Hub registry](https://hub.docker.com/r/hwdsl2/ipsec-vpn-server/) 下载: - -``` -docker pull hwdsl2/ipsec-vpn-server -``` - -或者,你也可以从 [Quay.io](https://quay.io/repository/hwdsl2/ipsec-vpn-server) 下载: - -``` -docker pull quay.io/hwdsl2/ipsec-vpn-server -docker image tag quay.io/hwdsl2/ipsec-vpn-server hwdsl2/ipsec-vpn-server -``` - -支持以下架构系统:`linux/amd64`, `linux/arm64` 和 `linux/arm/v7`。 - -高级用户可以自己从 GitHub [编译源代码](docs/advanced-usage-zh.md#从源代码构建)。 - -### 镜像对照表 - -有两个预构建的镜像可用。默认的基于 Alpine 的镜像大小仅 ~17MB。 - -| | 基于 Alpine | 基于 Debian | -| --------------- | ------------------------ | ------------------------------ | -| 镜像名称 | hwdsl2/ipsec-vpn-server | hwdsl2/ipsec-vpn-server:debian | -| 压缩后大小 | ~ 17 MB | ~ 62 MB | -| 基础镜像 | Alpine Linux 3.17 | Debian Linux 11 | -| 系统架构 | amd64, arm64, arm/v7 | amd64, arm64, arm/v7 | -| Libreswan 版本 | 4.10 | 4.10 | -| IPsec/L2TP | ✅ | ✅ | -| Cisco IPsec | ✅ | ✅ | -| IKEv2 | ✅ | ✅ | - -**注:** 要使用基于 Debian 的镜像,请将本自述文件中所有的 `hwdsl2/ipsec-vpn-server` 替换为 `hwdsl2/ipsec-vpn-server:debian`。这些镜像当前与 Synology NAS 系统不兼容。 - -## 如何使用本镜像 - -### 环境变量 - -**注:** 所有这些变量对于本镜像都是可选的,也就是说无需定义它们就可以搭建 IPsec VPN 服务器。你可以运行 `touch vpn.env` 创建一个空的 `env` 文件,然后跳到下一节。 - -这个 Docker 镜像使用以下几个变量,可以在一个 `env` 文件中定义(参见[示例](vpn.env.example)): - -``` -VPN_IPSEC_PSK=your_ipsec_pre_shared_key -VPN_USER=your_vpn_username -VPN_PASSWORD=your_vpn_password -``` - -这将创建一个用于 VPN 登录的用户账户,它可以在你的多个设备上使用[*](#重要提示)。 IPsec PSK (预共享密钥) 由 `VPN_IPSEC_PSK` 环境变量指定。 VPN 用户名和密码分别在 `VPN_USER` 和 `VPN_PASSWORD` 中定义。 - -支持创建额外的 VPN 用户,如果需要,可以像下面这样在你的 `env` 文件中定义。用户名和密码必须分别使用空格进行分隔,并且用户名不能有重复。所有的 VPN 用户将共享同一个 IPsec PSK。 - -``` -VPN_ADDL_USERS=additional_username_1 additional_username_2 -VPN_ADDL_PASSWORDS=additional_password_1 additional_password_2 -``` - -**注:** 在你的 `env` 文件中,**不要**为变量值添加 `""` 或者 `''`,或在 `=` 两边添加空格。**不要**在值中使用这些字符: `\ " '`。一个安全的 IPsec PSK 应该至少包含 20 个随机字符。 - -**注:** 如果在创建 Docker 容器后修改 `env` 文件,则必须删除并重新创建容器才能使更改生效。参见[更新 Docker 镜像](#更新-docker-镜像)。 - -<details> -<summary> 
-:information_source: 你可以指定一个域名,客户端名称和/或另外的 DNS 服务器。这是可选的。:information_source: -</summary> - -高级用户可以指定一个域名作为 IKEv2 服务器地址。这是可选的。该域名必须是一个全称域名 (FQDN)。示例如下: - -``` -VPN_DNS_NAME=vpn.example.com -``` - -你可以指定第一个 IKEv2 客户端的名称。该名称不能包含空格或者除 `-` `_` 之外的任何特殊字符。如果未指定,则使用默认值 `vpnclient`。 - -``` -VPN_CLIENT_NAME=your_client_name -``` - -在 VPN 已连接时,客户端默认配置为使用 [Google Public DNS](https://developers.google.com/speed/public-dns/)。你可以为所有的 VPN 模式指定另外的 DNS 服务器。示例如下: - -``` -VPN_DNS_SRV1=1.1.1.1 -VPN_DNS_SRV2=1.0.0.1 -``` - -默认情况下,导入 IKEv2 客户端配置时不需要密码。你可以选择使用随机密码保护客户端配置文件。 - -``` -VPN_PROTECT_CONFIG=yes -``` - -**注:** 如果在 Docker 容器中已经配置了 IKEv2,则以上变量对 IKEv2 模式无效。在这种情况下,你可以移除 IKEv2 并使用自定义选项重新配置它。参见 [配置并使用 IKEv2 VPN](#配置并使用-ikev2-vpn)。 -</details> - -### 运行 IPsec VPN 服务器 - -使用本镜像创建一个新的 Docker 容器 (将 `./vpn.env` 替换为你自己的 `env` 文件): - -``` -docker run \ - --name ipsec-vpn-server \ - --env-file ./vpn.env \ - --restart=always \ - -v ikev2-vpn-data:/etc/ipsec.d \ - -v /lib/modules:/lib/modules:ro \ - -p 500:500/udp \ - -p 4500:4500/udp \ - -d --privileged \ - hwdsl2/ipsec-vpn-server -``` - -在该命令中,我们使用 `docker run` 的 `-v` 选项来创建一个名为 `ikev2-vpn-data` 的新 [Docker 卷](https://docs.docker.com/storage/volumes/),并且将它挂载到容器内的 `/etc/ipsec.d` 目录下。IKEv2 的相关数据(比如证书和密钥)在该卷中保存,之后当你需要重新创建 Docker 容器的时候,只需指定同一个卷。 - -推荐在使用本镜像时启用 IKEv2。如果你不想启用 IKEv2 而仅使用 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式连接到 VPN,可以去掉上面 `docker run` 命令中的第一个 `-v` 选项。 - -**注:** 高级用户也可以 [不启用 privileged 模式运行](docs/advanced-usage-zh.md#不启用-privileged-模式运行)。 - -### 获取 VPN 登录信息 - -如果你在上述 `docker run` 命令中没有指定 `env` 文件,`VPN_USER` 会默认为 `vpnuser`,并且 `VPN_IPSEC_PSK` 和 `VPN_PASSWORD` 会被自动随机生成。要获取这些登录信息,可以查看容器的日志: - -``` -docker logs ipsec-vpn-server -``` - -在命令输出中查找这些行: - -``` -Connect to your new VPN with these details: - -Server IP: 你的VPN服务器IP -IPsec PSK: 你的IPsec预共享密钥 -Username: 你的VPN用户名 -Password: 你的VPN密码 -``` - -在命令输出中也会包含 IKEv2 配置信息(如果已启用)。 - -(可选步骤)备份自动生成的 VPN 登录信息(如果有)到当前目录: - -``` -docker cp ipsec-vpn-server:/etc/ipsec.d/vpn-gen.env ./ -``` - -## 
下一步 - -*其他语言版本: [English](README.md#next-steps), [中文](README-zh.md#下一步)。* - -配置你的计算机或其它设备使用 VPN。请参见: - -**[配置并使用 IKEv2 VPN(推荐)](#配置并使用-ikev2-vpn)** - -**[配置 IPsec/L2TP VPN 客户端](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md)** - -**[配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-xauth-zh.md)** - -**[:book: 电子书:搭建自己的 IPsec VPN, OpenVPN 和 WireGuard 服务器](https://mybook.to/vpnzhs)** - -开始使用自己的专属 VPN! :sparkles::tada::rocket::sparkles: - -喜欢这个项目?[:heart: 赞助](https://github.com/sponsors/hwdsl2?metadata_o=dz) 或 [:coffee: 支持](https://ko-fi.com/hwdsl2) 并访问 [额外内容](https://ko-fi.com/post/Support-this-project-and-get-access-to-supporter-o-X8X5FVFZC)。 - -## 重要提示 - -**Windows 用户** 对于 IPsec/L2TP 模式,在首次连接之前需要 [修改注册表](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#windows-错误-809),以解决 VPN 服务器或客户端与 NAT(比如家用路由器)的兼容问题。 - -同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要连接在同一个 NAT(比如家用路由器)后面的多个设备,你必须使用 [IKEv2](#配置并使用-ikev2-vpn) 或者 [IPsec/XAuth](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-xauth-zh.md) 模式。 - -如需添加,修改或者删除 VPN 用户账户,首先更新你的 `env` 文件,然后你必须按照 [下一节](#更新-docker-镜像) 的说明来删除并重新创建 Docker 容器。高级用户可以 [绑定挂载](docs/advanced-usage-zh.md#绑定挂载-env-文件) `env` 文件。 - -对于有外部防火墙的服务器(比如 [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html)/[GCE](https://cloud.google.com/vpc/docs/firewalls)),请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433)。 - -在 VPN 已连接时,客户端配置为使用 [Google Public DNS](https://developers.google.com/speed/public-dns/)。如果偏好其它的域名解析服务,请看 [这里](docs/advanced-usage-zh.md#使用其他的-dns-服务器)。 - -## 更新 Docker 镜像 - -要更新 Docker 镜像和容器,首先 [下载](#下载) 最新版本: - -``` -docker pull hwdsl2/ipsec-vpn-server -``` - -如果 Docker 镜像已经是最新的,你会看到提示: - -``` -Status: Image is up to date for hwdsl2/ipsec-vpn-server:latest -``` - -否则将会下载最新版本。要更新你的 Docker 容器,首先在纸上记下你所有的 [VPN 登录信息](#获取-vpn-登录信息)。然后删除 Docker 容器: 
`docker rm -f ipsec-vpn-server`。最后按照 [如何使用本镜像](#如何使用本镜像) 的说明来重新创建它。 - -## 配置并使用 IKEv2 VPN - -IKEv2 模式是比 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 更佳的连接模式,该模式无需 IPsec PSK, 用户名或密码。更多信息请看[这里](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md)。 - -首先,查看容器的日志以获取 IKEv2 配置信息: - -```bash -docker logs ipsec-vpn-server -``` - -**注:** 如果你无法找到 IKEv2 配置信息,IKEv2 可能没有在容器中启用。尝试按照 [更新 Docker 镜像](#更新-docker-镜像) 一节的说明更新 Docker 镜像和容器。 - -在 IKEv2 安装过程中会创建一个 IKEv2 客户端(默认名称为 `vpnclient`),并且导出它的配置到 **容器内** 的 `/etc/ipsec.d` 目录下。你可以将配置文件复制到 Docker 主机: - -```bash -# 查看容器内的 /etc/ipsec.d 目录的文件 -docker exec -it ipsec-vpn-server ls -l /etc/ipsec.d -# 示例:将一个客户端配置文件从容器复制到 Docker 主机当前目录 -docker cp ipsec-vpn-server:/etc/ipsec.d/vpnclient.p12 ./ -``` - -**下一步:** [配置你的设备](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md) 以使用 IKEv2 VPN。 - -<details> -<summary> -了解如何管理 IKEv2 客户端。 -</summary> - -你可以使用辅助脚本管理 IKEv2 客户端。示例如下。如需自定义客户端选项,可以在不添加参数的情况下运行脚本。 - -```bash -# 添加一个客户端(使用默认选项) -docker exec -it ipsec-vpn-server ikev2.sh --addclient [client name] -# 导出一个已有的客户端的配置 -docker exec -it ipsec-vpn-server ikev2.sh --exportclient [client name] -# 列出已有的客户端 -docker exec -it ipsec-vpn-server ikev2.sh --listclients -# 显示使用信息 -docker exec -it ipsec-vpn-server ikev2.sh -h -``` - -**注:** 如果你遇到错误 "executable file not found",将上面的 `ikev2.sh` 换成 `/opt/src/ikev2.sh`。 -</details> -<details> -<summary> -了解如何更改 IKEv2 服务器地址。 -</summary> - -在某些情况下,你可能需要更改 IKEv2 服务器地址。例如切换为使用域名,或者在服务器的 IP 更改之后。要更改 IKEv2 服务器地址,首先[在容器中运行 Bash shell](docs/advanced-usage-zh.md#在容器中运行-bash-shell),然后[按照这里的说明操作](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md#更改-ikev2-服务器地址)。请注意,容器的日志在你重启 Docker 容器之前将不显示新的 IKEv2 服务器地址。 -</details> -<details> -<summary> -移除 IKEv2 并使用自定义选项重新配置。 -</summary> - -在某些情况下,你可能需要移除 IKEv2 并使用自定义选项重新配置它。 - -**警告:** 这将**永久删除**所有的 IKEv2 配置(包括证书和密钥),并且**不可撤销**! 
- -**选项 1:** 使用辅助脚本移除 IKEv2 并重新配置。 - -请注意,这将覆盖你在 `env` 文件中指定的变量,例如 `VPN_DNS_NAME` 和 `VPN_CLIENT_NAME`,并且容器的日志将不再显示 IKEv2 的最新信息。 - -```bash -# 移除 IKEv2 并删除所有的 IKEv2 配置 -docker exec -it ipsec-vpn-server ikev2.sh --removeikev2 -# 使用自定义选项重新配置 IKEv2 -docker exec -it ipsec-vpn-server ikev2.sh -``` - -**选项 2:** 移除 `ikev2-vpn-data` 并重新创建容器。 - -1. 在纸上记下你所有的 [VPN 登录信息](#获取-vpn-登录信息)。 -1. 删除 Docker 容器:`docker rm -f ipsec-vpn-server`。 -1. 删除 `ikev2-vpn-data` 卷:`docker volume rm ikev2-vpn-data`。 -1. 更新你的 `env` 文件并添加自定义 IKEv2 选项,例如 `VPN_DNS_NAME` 和 `VPN_CLIENT_NAME`,然后重新创建容器。参见[如何使用本镜像](#如何使用本镜像)。 -</details> - -## 高级用法 - -请参见 [高级用法](docs/advanced-usage-zh.md)。 - -- [使用其他的 DNS 服务器](docs/advanced-usage-zh.md#使用其他的-dns-服务器) -- [不启用 privileged 模式运行](docs/advanced-usage-zh.md#不启用-privileged-模式运行) -- [选择 VPN 模式](docs/advanced-usage-zh.md#选择-vpn-模式) -- [访问 Docker 主机上的其它容器](docs/advanced-usage-zh.md#访问-docker-主机上的其它容器) -- [指定 VPN 服务器的公有 IP](docs/advanced-usage-zh.md#指定-vpn-服务器的公有-ip) -- [为 VPN 客户端指定静态 IP](docs/advanced-usage-zh.md#为-vpn-客户端指定静态-ip) -- [自定义 VPN 子网](docs/advanced-usage-zh.md#自定义-vpn-子网) -- [关于 host network 模式](docs/advanced-usage-zh.md#关于-host-network-模式) -- [启用 Libreswan 日志](docs/advanced-usage-zh.md#启用-libreswan-日志) -- [查看服务器状态](docs/advanced-usage-zh.md#查看服务器状态) -- [从源代码构建](docs/advanced-usage-zh.md#从源代码构建) -- [在容器中运行 Bash shell](docs/advanced-usage-zh.md#在容器中运行-bash-shell) -- [绑定挂载 env 文件](docs/advanced-usage-zh.md#绑定挂载-env-文件) -- [部署 Google BBR 拥塞控制](docs/advanced-usage-zh.md#部署-google-bbr-拥塞控制) - -## 技术细节 - -需要运行以下两个服务:`Libreswan (pluto)` 提供 IPsec VPN,`xl2tpd` 提供 L2TP 支持。 - -默认的 IPsec 配置支持以下协议: - -* IPsec/L2TP with PSK -* IKEv1 with PSK and XAuth ("Cisco IPsec") -* IKEv2 - -为使 VPN 服务器正常工作,将会打开以下端口: - -* 4500/udp and 500/udp for IPsec - -## 授权协议 - -**注:** 预构建镜像中的软件组件(例如 Libreswan 和 xl2tpd)在其各自版权所有者选择的相应许可下。对于任何预构建的镜像的使用,用户有责任确保对该镜像的任何使用符合其中包含的所有软件的任何相关许可。 - -版权所有 (C) 2016-2023 [Lin Song](https://github.com/hwdsl2) [![View my profile on 
LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui) -基于 [Thomas Sarlandie 的工作](https://github.com/sarfata/voodooprivacy) (版权所有 2012) - -[![Creative Commons License](https://i.creativecommons.org/l/by-sa/3.0/88x31.png)](http://creativecommons.org/licenses/by-sa/3.0/) -这个项目是以 [知识共享署名-相同方式共享3.0](http://creativecommons.org/licenses/by-sa/3.0/) 许可协议授权。 -必须署名: 请包括我的名字在任何衍生产品,并且让我知道你是如何改善它的! diff --git a/docker-compose.yml b/docker-compose.yml deleted file mode 100644 index 37be370973eeff7dc14650418a252e0df07b48b8..0000000000000000000000000000000000000000 --- a/docker-compose.yml +++ /dev/null @@ -1,20 +0,0 @@ -version: '3' - -volumes: - ikev2-vpn-data: - -services: - vpn: - image: hwdsl2/ipsec-vpn-server - restart: always - env_file: - - ./vpn.env - ports: - - "500:500/udp" - - "4500:4500/udp" - privileged: true - hostname: ipsec-vpn-server - container_name: ipsec-vpn-server - volumes: - - ikev2-vpn-data:/etc/ipsec.d - - /lib/modules:/lib/modules:ro diff --git a/docs/advanced-usage-zh.md b/docs/advanced-usage-zh.md deleted file mode 100644 index 29c9a5dce7f668971148da32aad33e42ee71a6ed..0000000000000000000000000000000000000000 --- a/docs/advanced-usage-zh.md +++ /dev/null 
@@ -1,319 +0,0 @@ -[English](advanced-usage.md) | [中文](advanced-usage-zh.md) - -# 高级用法 - -- [使用其他的 DNS 服务器](#使用其他的-dns-服务器) -- [不启用 privileged 模式运行](#不启用-privileged-模式运行) -- [选择 VPN 模式](#选择-vpn-模式) -- [访问 Docker 主机上的其它容器](#访问-docker-主机上的其它容器) -- [指定 VPN 服务器的公有 IP](#指定-vpn-服务器的公有-ip) -- [为 VPN 客户端指定静态 IP](#为-vpn-客户端指定静态-ip) -- [自定义 VPN 子网](#自定义-vpn-子网) -- [关于 host network 模式](#关于-host-network-模式) -- [启用 Libreswan 日志](#启用-libreswan-日志) -- [查看服务器状态](#查看服务器状态) -- [从源代码构建](#从源代码构建) -- [在容器中运行 Bash shell](#在容器中运行-bash-shell) -- [绑定挂载 env 文件](#绑定挂载-env-文件) -- [部署 Google BBR 拥塞控制](#部署-google-bbr-拥塞控制) - -## 使用其他的 DNS 服务器 - -在 VPN 已连接时,客户端配置为使用 [Google Public DNS](https://developers.google.com/speed/public-dns/)。如果偏好其它的域名解析服务,你可以在 `env` 文件中定义 `VPN_DNS_SRV1` 和 `VPN_DNS_SRV2`(可选),然后按照[说明](../README-zh.md#更新-docker-镜像)重新创建 Docker 容器。比如你想使用 [Cloudflare 的 DNS 服务](https://1.1.1.1): - -``` -VPN_DNS_SRV1=1.1.1.1 -VPN_DNS_SRV2=1.0.0.1 -``` - -请注意,如果 Docker 容器中已经配置了 IKEv2,你还需要编辑 Docker 容器内的 `/etc/ipsec.d/ikev2.conf` 并将 `8.8.8.8` 和 `8.8.4.4` 替换为你的其他的 DNS 服务器,然后重新启动 Docker 容器。 - -## 不启用 privileged 模式运行 - -高级用户可以在不启用 [privileged 模式](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) 的情况下使用本镜像创建一个 Docker 容器(将以下命令中的 `./vpn.env` 替换为你自己的 `env` 文件)。 - -**注:** 如果你的 Docker 主机运行 CentOS Stream, Oracle Linux 8+, Rocky Linux 或者 AlmaLinux,推荐使用 [privileged 模式](../README-zh.md#运行-ipsec-vpn-服务器)。如果你想要不启用 privileged 模式运行,则 **必须** 在创建 Docker 容器之前以及系统启动时运行 `modprobe ip_tables`。 - -``` -docker run \ - --name ipsec-vpn-server \ - --env-file ./vpn.env \ - --restart=always \ - -v ikev2-vpn-data:/etc/ipsec.d \ - -p 500:500/udp \ - -p 4500:4500/udp \ - -d --cap-add=NET_ADMIN \ - --device=/dev/ppp \ - --sysctl net.ipv4.ip_forward=1 \ - --sysctl net.ipv4.conf.all.accept_redirects=0 \ - --sysctl net.ipv4.conf.all.send_redirects=0 \ - --sysctl net.ipv4.conf.all.rp_filter=0 \ - --sysctl net.ipv4.conf.default.accept_redirects=0 \ - --sysctl net.ipv4.conf.default.send_redirects=0 
\ - --sysctl net.ipv4.conf.default.rp_filter=0 \ - --sysctl net.ipv4.conf.eth0.send_redirects=0 \ - --sysctl net.ipv4.conf.eth0.rp_filter=0 \ - hwdsl2/ipsec-vpn-server -``` - -在不启用 privileged 模式运行时,容器不能更改 `sysctl` 设置。这可能会影响本镜像的某些功能。一个已知问题是 [Android MTU/MSS fix](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#android-mtumss-问题) 需要另外在 `docker run` 命令添加 `--sysctl net.ipv4.ip_no_pmtu_disc=1` 才有效。如果你遇到任何问题,可以尝试换用 [privileged 模式](../README-zh.md#运行-ipsec-vpn-服务器) 重新创建容器。 - -在创建 Docker 容器之后,请转到 [获取 VPN 登录信息](../README-zh.md#获取-vpn-登录信息)。 - -类似地,如果你使用 [Docker compose](https://docs.docker.com/compose/),可以将 [docker-compose.yml](../docker-compose.yml) 中的 `privileged: true` 替换为: - -``` - cap_add: - - NET_ADMIN - devices: - - "/dev/ppp:/dev/ppp" - sysctls: - - net.ipv4.ip_forward=1 - - net.ipv4.conf.all.accept_redirects=0 - - net.ipv4.conf.all.send_redirects=0 - - net.ipv4.conf.all.rp_filter=0 - - net.ipv4.conf.default.accept_redirects=0 - - net.ipv4.conf.default.send_redirects=0 - - net.ipv4.conf.default.rp_filter=0 - - net.ipv4.conf.eth0.send_redirects=0 - - net.ipv4.conf.eth0.rp_filter=0 -``` - -更多信息请参见 [compose file reference](https://docs.docker.com/compose/compose-file/)。 - -## 选择 VPN 模式 - -在使用此 Docker 镜像时,默认启用 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式。此外,如果在创建 Docker 容器时在 `docker run` 命令中[指定](../README-zh.md#运行-ipsec-vpn-服务器)了 `-v ikev2-vpn-data:/etc/ipsec.d` 选项,则会启用 IKEv2 模式。 - -高级用户可以有选择性地禁用 VPN 模式,通过在 `env` 文件中设置以下变量并重新创建 Docker 容器来实现。 - -禁用 IPsec/L2TP 模式:`VPN_DISABLE_IPSEC_L2TP=yes` -禁用 IPsec/XAuth ("Cisco IPsec") 模式:`VPN_DISABLE_IPSEC_XAUTH=yes` -禁用 IPsec/L2TP 和 IPsec/XAuth 模式:`VPN_IKEV2_ONLY=yes` - -## 访问 Docker 主机上的其它容器 - -连接到 VPN 后,VPN 客户端通常可以访问在同一 Docker 主机上其他容器中运行的服务,而无需进行其他配置。 - -例如,如果 IPsec VPN 服务器容器的 IP 为 `172.17.0.2`,并且一个 IP 为 `172.17.0.3` 的 Nginx 容器在同一 Docker 主机上运行,则 VPN 客户端可以使用 IP `172.17.0.3` 来访问 Nginx 容器上的服务。要找出分配给容器的 IP ,可以运行 `docker inspect <container name>`。 - -## 指定 VPN 服务器的公有 IP - -在具有多个公有 IP 地址的 Docker 主机上,高级用户可以使用 `env` 
文件中的变量 `VPN_PUBLIC_IP` 为 VPN 服务器指定一个公有 IP,然后重新创建 Docker 容器。例如,如果 Docker 主机的 IP 为 `192.0.2.1` 和 `192.0.2.2`,并且你想要 VPN 服务器使用 `192.0.2.2`: - -``` -VPN_PUBLIC_IP=192.0.2.2 -``` - -请注意,如果在 Docker 容器中已经配置了 IKEv2,则此变量对 IKEv2 模式无效。在这种情况下,你可以移除 IKEv2 并使用自定义选项重新配置它。参见 [配置并使用 IKEv2 VPN](../README-zh.md#配置并使用-ikev2-vpn)。 - -如果你想要 VPN 客户端在 VPN 连接处于活动状态时使用指定的公有 IP 作为其 "出站 IP",并且指定的 IP **不是** Docker 主机上的主 IP(或默认路由),则可能需要额外的配置。在这种情况下,你可以尝试在 Docker 主机上添加一个 IPTables `SNAT` 规则。如果要在重启后继续有效,你可以将命令添加到 `/etc/rc.local`。 - -继续上面的例子,如果 Docker 容器具有内部 IP `172.17.0.2`(使用 `docker inspect ipsec-vpn-server` 查看),Docker 的网络接口名称为 `docker0`(使用 `iptables -nvL -t nat` 查看),并且你希望 "出站 IP" 为 `192.0.2.2`: - -``` -iptables -t nat -I POSTROUTING -s 172.17.0.2 ! -o docker0 -j SNAT --to 192.0.2.2 -``` - -要检查一个已连接的 VPN 客户端的 "出站 IP",你可以在该客户端上打开浏览器并到 [这里](https://www.ipchicken.com) 检测 IP 地址。 - -## 为 VPN 客户端指定静态 IP - -在使用 IPsec/L2TP 模式连接时,VPN 服务器(Docker 容器)在虚拟网络 `192.168.42.0/24` 内具有内网 IP `192.168.42.1`。为客户端分配的内网 IP 在这个范围内:`192.168.42.10` 到 `192.168.42.250`。要找到为特定的客户端分配的 IP,可以查看该 VPN 客户端上的连接状态。 - -在使用 IPsec/XAuth ("Cisco IPsec") 或 IKEv2 模式连接时,VPN 服务器(Docker 容器)在虚拟网络 `192.168.43.0/24` 内 **没有** 内网 IP。为客户端分配的内网 IP 在这个范围内:`192.168.43.10` 到 `192.168.43.250`。 - -高级用户可以将静态 IP 分配给 VPN 客户端。这是可选的。IKEv2 模式 **不支持** 此功能。要分配静态 IP,在你的 `env` 文件中定义 `VPN_ADDL_IP_ADDRS` 变量,然后重新创建 Docker 容器。例如: - -``` -VPN_ADDL_USERS=user1 user2 user3 user4 user5 -VPN_ADDL_PASSWORDS=pass1 pass2 pass3 pass4 pass5 -VPN_ADDL_IP_ADDRS=* * 192.168.42.2 192.168.43.2 -``` - -在此示例中,我们为 IPsec/L2TP 模式的 `user3` 分配静态 IP `192.168.42.2`,并为 IPsec/XAuth ("Cisco IPsec") 模式的 `user4` 分配静态 IP `192.168.43.2`。`user1`, `user2` 和 `user5` 的内网 IP 将被自动分配。`user3` 在 IPsec/XAuth 模式下的内网 IP 和 `user4` 在 IPsec/L2TP 模式下的内网 IP 也将被自动分配。你可以使用 `*` 来指定自动分配的 IP,或者将这些用户放在列表的末尾。 - -你为 IPsec/L2TP 模式指定的静态 IP 必须在 `192.168.42.2` 到 `192.168.42.9` 范围内。你为 IPsec/XAuth ("Cisco IPsec") 模式指定的静态 IP 必须在 `192.168.43.2` 到 `192.168.43.9` 范围内。 - -如果你需要分配更多静态 IP,则必须缩小自动分配的 IP 地址池。示例如下: - -``` 
-VPN_L2TP_POOL=192.168.42.100-192.168.42.250 -VPN_XAUTH_POOL=192.168.43.100-192.168.43.250 -``` - -这将允许你为 IPsec/L2TP 模式在 `192.168.42.2` 到 `192.168.42.99` 范围内分配静态 IP,并且为 IPsec/XAuth ("Cisco IPsec") 模式在 `192.168.43.2` 到 `192.168.43.99` 范围内分配静态 IP。 - -请注意,如果你在 `env` 文件中指定了 `VPN_XAUTH_POOL`,并且在 Docker 容器中已经配置了 IKEv2,你 **必须** 在重新创建 Docker 容器之前手动编辑容器内的 `/etc/ipsec.d/ikev2.conf` 并将 `rightaddresspool=192.168.43.10-192.168.43.250` 替换为与 `VPN_XAUTH_POOL` **相同的值**。否则 IKEv2 可能会停止工作。 - -**注:** 在你的 `env` 文件中,**不要**为变量值添加 `""` 或者 `''`,或在 `=` 两边添加空格。**不要**在值中使用这些字符: `\ " '`。 - -## 自定义 VPN 子网 - -默认情况下,IPsec/L2TP VPN 客户端将使用内部 VPN 子网 `192.168.42.0/24`,而 IPsec/XAuth ("Cisco IPsec") 和 IKEv2 VPN 客户端将使用内部 VPN 子网 `192.168.43.0/24`。有关更多详细信息,请阅读上一节。 - -对于大多数用例,没有必要也 **不建议** 自定义这些子网。但是,如果你的用例需要它,你可以在 `env` 文件中指定自定义子网,然后你必须重新创建 Docker 容器。 - -``` -# 示例:为 IPsec/L2TP 模式指定自定义 VPN 子网 -# 注:必须指定所有三个变量。 -VPN_L2TP_NET=10.1.0.0/16 -VPN_L2TP_LOCAL=10.1.0.1 -VPN_L2TP_POOL=10.1.0.10-10.1.254.254 -``` - -``` -# 示例:为 IPsec/XAuth 和 IKEv2 模式指定自定义 VPN 子网 -# 注:必须指定以下两个变量。 -VPN_XAUTH_NET=10.2.0.0/16 -VPN_XAUTH_POOL=10.2.0.10-10.2.254.254 -``` - -**注:** 在你的 `env` 文件中,**不要**为变量值添加 `""` 或者 `''`,或在 `=` 两边添加空格。 - -在上面的例子中,`VPN_L2TP_LOCAL` 是在 IPsec/L2TP 模式下的 VPN 服务器的内网 IP。`VPN_L2TP_POOL` 和 `VPN_XAUTH_POOL` 是为 VPN 客户端自动分配的 IP 地址池。 - -请注意,如果你在 `env` 文件中指定了 `VPN_XAUTH_POOL`,并且在 Docker 容器中已经配置了 IKEv2,你 **必须** 在重新创建 Docker 容器之前手动编辑容器内的 `/etc/ipsec.d/ikev2.conf` 并将 `rightaddresspool=192.168.43.10-192.168.43.250` 替换为与 `VPN_XAUTH_POOL` **相同的值**。否则 IKEv2 可能会停止工作。 - -## 关于 host network 模式 - -高级用户可以使用 [host network 模式](https://docs.docker.com/network/host/) 运行本镜像,通过为 `docker run` 命令添加 `--network=host` 参数来实现。另外,如果 [不启用 privileged 模式运行](#不启用-privileged-模式运行),你可能还需要将 `eth0` 替换为你的 Docker 主机的网络接口名称。 - -在非必要的情况下,**不推荐**使用 host network 模式运行本镜像。在该模式下,容器的网络栈未与 Docker 主机隔离,从而在使用 IPsec/L2TP 模式连接之后,VPN 客户端可以使用 Docker 主机的 VPN 内网 IP `192.168.42.1` 访问主机上的端口或服务。请注意,当你不再使用本镜像时,你需要手动清理 [run.sh](../run.sh) 所更改的 IPTables 规则和 sysctl 设置,或者重启服务器。 - -某些 
Docker 主机操作系统,比如 Debian 10,不能使用 host network 模式运行本镜像,因为它们使用 nftables。 - -## 启用 Libreswan 日志 - -为了保持较小的 Docker 镜像,Libreswan (IPsec) 日志默认未开启。如果你需要启用它以进行故障排除,首先在正在运行的 Docker 容器中开始一个 Bash 会话: - -``` -docker exec -it ipsec-vpn-server env TERM=xterm bash -l -``` - -然后运行以下命令: - -``` -# For Alpine-based image -apk add --no-cache rsyslog -rsyslogd -rc-service ipsec stop; rc-service -D ipsec start >/dev/null 2>&1 -sed -i '/pluto\.pid/a rsyslogd' /opt/src/run.sh -exit -# For Debian-based image -apt-get update && apt-get -y install rsyslog -service rsyslog restart -service ipsec restart -sed -i '/pluto\.pid/a service rsyslog restart' /opt/src/run.sh -exit -``` - -**注:** 如果你在不启用 privileged 模式的情况下使用本镜像,则错误 `rsyslogd: imklog: cannot open kernel log` 是正常的。 - -完成后你可以这样查看 Libreswan 日志: - -``` -docker exec -it ipsec-vpn-server grep pluto /var/log/auth.log -``` - -如需查看 xl2tpd 日志,请运行 `docker logs ipsec-vpn-server`。 - -## 查看服务器状态 - -检查 IPsec VPN 服务器状态: - -``` -docker exec -it ipsec-vpn-server ipsec status -``` - -查看当前已建立的 VPN 连接: - -``` -docker exec -it ipsec-vpn-server ipsec trafficstatus -``` - -## 从源代码构建 - -高级用户可以从 GitHub 下载并自行编译源代码: - -``` -git clone https://github.com/hwdsl2/docker-ipsec-vpn-server -cd docker-ipsec-vpn-server -# To build Alpine-based image -docker build -t hwdsl2/ipsec-vpn-server . -# To build Debian-based image -docker build -f Dockerfile.debian -t hwdsl2/ipsec-vpn-server:debian . 
-``` - -若不需要改动源码,也可以这样: - -``` -# To build Alpine-based image -docker build -t hwdsl2/ipsec-vpn-server github.com/hwdsl2/docker-ipsec-vpn-server -# To build Debian-based image -docker build -f Dockerfile.debian -t hwdsl2/ipsec-vpn-server:debian \ - github.com/hwdsl2/docker-ipsec-vpn-server -``` - -## 在容器中运行 Bash shell - -在正在运行的 Docker 容器中开始一个 Bash 会话: - -``` -docker exec -it ipsec-vpn-server env TERM=xterm bash -l -``` - -(可选步骤)安装 `nano` 编辑器: - -``` -# For Alpine-based image -apk add --no-cache nano -# For Debian-based image -apt-get update && apt-get -y install nano -``` - -然后在容器中运行你的命令。完成后退出并重启 Docker 容器(如果需要): - -``` -exit -docker restart ipsec-vpn-server -``` - -## 绑定挂载 env 文件 - -作为 `--env-file` 选项的替代方案,高级用户可以绑定挂载 `env` 文件。该方法的好处是你在更新 `env` 文件之后可以重启 Docker 容器以生效,而不需要重新创建它。要使用这个方法,你必须首先编辑你的 `env` 文件并将所有的变量值用单引号 `''` 括起来。然后(重新)创建 Docker 容器(将第一个 `vpn.env` 替换为你自己的 `env` 文件): - -``` -docker run \ - --name ipsec-vpn-server \ - --restart=always \ - -v "$(pwd)/vpn.env:/opt/src/env/vpn.env:ro" \ - -v ikev2-vpn-data:/etc/ipsec.d \ - -v /lib/modules:/lib/modules:ro \ - -p 500:500/udp \ - -p 4500:4500/udp \ - -d --privileged \ - hwdsl2/ipsec-vpn-server -``` - -## 部署 Google BBR 拥塞控制 - -VPN 服务器搭建完成后,可以通过在 Docker 主机上部署 Google BBR 拥塞控制算法提升性能。 - -这通常只需要在配置文件 `/etc/sysctl.conf` 中插入设定即可完成。但是部分 Linux 发行版可能需要额外更新 Linux 内核。 - -详细的部署方法,可以参考[这篇文档](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/bbr-zh.md)。在完成后重启 Docker 容器: - -``` -docker restart ipsec-vpn-server -``` - -## 授权协议 - -**注:** 预构建镜像中的软件组件(例如 Libreswan 和 xl2tpd)在其各自版权所有者选择的相应许可下。对于任何预构建的镜像的使用,用户有责任确保对该镜像的任何使用符合其中包含的所有软件的任何相关许可。 - -版权所有 (C) 2016-2023 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui) - -[![Creative Commons License](https://i.creativecommons.org/l/by-sa/3.0/88x31.png)](http://creativecommons.org/licenses/by-sa/3.0/) -这个项目是以 
[知识共享署名-相同方式共享3.0](http://creativecommons.org/licenses/by-sa/3.0/) 许可协议授权。 -必须署名: 请包括我的名字在任何衍生产品,并且让我知道你是如何改善它的! diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md deleted file mode 100644 index 663fe8a9c41e3ce6472e0942ffd15d77d81519c1..0000000000000000000000000000000000000000 --- a/docs/advanced-usage.md +++ /dev/null 
@@ -1,319 +0,0 @@ -[English](advanced-usage.md) | [中文](advanced-usage-zh.md) - -# Advanced Usage - -- [Use alternative DNS servers](#use-alternative-dns-servers) -- [Run without privileged mode](#run-without-privileged-mode) -- [Select VPN modes](#select-vpn-modes) -- [Access other containers on the Docker host](#access-other-containers-on-the-docker-host) -- [Specify VPN server's public IP](#specify-vpn-servers-public-ip) -- [Assign static IPs to VPN clients](#assign-static-ips-to-vpn-clients) -- [Customize VPN subnets](#customize-vpn-subnets) -- [About host network mode](#about-host-network-mode) -- [Enable Libreswan logs](#enable-libreswan-logs) -- [Check server status](#check-server-status) -- [Build from source code](#build-from-source-code) -- [Bash shell inside container](#bash-shell-inside-container) -- [Bind mount the env file](#bind-mount-the-env-file) -- [Deploy Google BBR congestion control](#deploy-google-bbr-congestion-control) - -## Use alternative DNS servers - -Clients are set to use [Google Public DNS](https://developers.google.com/speed/public-dns/) when the VPN is active. If another DNS provider is preferred, define `VPN_DNS_SRV1` and optionally `VPN_DNS_SRV2` in your `env` file, then follow [instructions](../README.md#update-docker-image) to re-create the Docker container. For example, if you want to use [Cloudflare's DNS service](https://1.1.1.1/dns/): - -``` -VPN_DNS_SRV1=1.1.1.1 -VPN_DNS_SRV2=1.0.0.1 -``` - -Note that if IKEv2 is already set up in the Docker container, you will also need to edit `/etc/ipsec.d/ikev2.conf` inside the Docker container and replace `8.8.8.8` and `8.8.4.4` with your alternative DNS server(s), then restart the Docker container. - -## Run without privileged mode - -Advanced users can create a Docker container from this image without using [privileged mode](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) (replace `./vpn.env` in the command below with your own `env` file). 
- -**Note:** If your Docker host runs CentOS Stream, Oracle Linux 8+, Rocky Linux or AlmaLinux, it is recommended to use [privileged mode](../README.md#start-the-ipsec-vpn-server). If you want to run without privileged mode, you **must** run `modprobe ip_tables` before creating the Docker container and also on boot. - -``` -docker run \ - --name ipsec-vpn-server \ - --env-file ./vpn.env \ - --restart=always \ - -v ikev2-vpn-data:/etc/ipsec.d \ - -p 500:500/udp \ - -p 4500:4500/udp \ - -d --cap-add=NET_ADMIN \ - --device=/dev/ppp \ - --sysctl net.ipv4.ip_forward=1 \ - --sysctl net.ipv4.conf.all.accept_redirects=0 \ - --sysctl net.ipv4.conf.all.send_redirects=0 \ - --sysctl net.ipv4.conf.all.rp_filter=0 \ - --sysctl net.ipv4.conf.default.accept_redirects=0 \ - --sysctl net.ipv4.conf.default.send_redirects=0 \ - --sysctl net.ipv4.conf.default.rp_filter=0 \ - --sysctl net.ipv4.conf.eth0.send_redirects=0 \ - --sysctl net.ipv4.conf.eth0.rp_filter=0 \ - hwdsl2/ipsec-vpn-server -``` - -When running without privileged mode, the container is unable to change `sysctl` settings. This could affect certain features of this image. A known issue is that the [Android MTU/MSS fix](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#android-mtumss-issues) also requires adding `--sysctl net.ipv4.ip_no_pmtu_disc=1` to the `docker run` command. If you encounter any issues, try re-creating the container using [privileged mode](../README.md#start-the-ipsec-vpn-server). - -After creating the Docker container, see [Retrieve VPN login details](../README.md#retrieve-vpn-login-details). 
- -Similarly, if using [Docker compose](https://docs.docker.com/compose/), you may replace `privileged: true` in [docker-compose.yml](../docker-compose.yml) with: - -``` - cap_add: - - NET_ADMIN - devices: - - "/dev/ppp:/dev/ppp" - sysctls: - - net.ipv4.ip_forward=1 - - net.ipv4.conf.all.accept_redirects=0 - - net.ipv4.conf.all.send_redirects=0 - - net.ipv4.conf.all.rp_filter=0 - - net.ipv4.conf.default.accept_redirects=0 - - net.ipv4.conf.default.send_redirects=0 - - net.ipv4.conf.default.rp_filter=0 - - net.ipv4.conf.eth0.send_redirects=0 - - net.ipv4.conf.eth0.rp_filter=0 -``` - -For more information, see [compose file reference](https://docs.docker.com/compose/compose-file/). - -## Select VPN modes - -Using this Docker image, the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes are enabled by default. In addition, IKEv2 mode will be enabled if the `-v ikev2-vpn-data:/etc/ipsec.d` option [is specified](../README.md#start-the-ipsec-vpn-server) in the `docker run` command when creating the Docker container. - -Advanced users can selectively disable VPN modes by setting the following variable(s) in the `env` file, then re-create the Docker container. - -Disable IPsec/L2TP mode: `VPN_DISABLE_IPSEC_L2TP=yes` -Disable IPsec/XAuth ("Cisco IPsec") mode: `VPN_DISABLE_IPSEC_XAUTH=yes` -Disable both IPsec/L2TP and IPsec/XAuth modes: `VPN_IKEV2_ONLY=yes` - -## Access other containers on the Docker host - -After connecting to the VPN, VPN clients can generally access services running in other containers on the same Docker host, without additional configuration. - -For example, if the IPsec VPN server container has IP `172.17.0.2`, and an Nginx container with IP `172.17.0.3` is running on the same Docker host, VPN clients can use IP `172.17.0.3` to access services on the Nginx container. To find out which IP is assigned to a container, run `docker inspect <container name>`. 
- -## Specify VPN server's public IP - -On Docker hosts with multiple public IP addresses, advanced users can specify a public IP for the VPN server using variable `VPN_PUBLIC_IP` in the `env` file, then re-create the Docker container. For example, if the Docker host has IPs `192.0.2.1` and `192.0.2.2`, and you want the VPN server to use `192.0.2.2`: - -``` -VPN_PUBLIC_IP=192.0.2.2 -``` - -Note that this variable has no effect for IKEv2 mode, if IKEv2 is already set up in the Docker container. In this case, you may remove IKEv2 and set it up again using custom options. Refer to [Configure and use IKEv2 VPN](../README.md#configure-and-use-ikev2-vpn). - -Additional configuration may be required if you want VPN clients to use the specified public IP as their "outgoing IP" when the VPN connection is active, and the specified IP is NOT the main IP (or default route) on the Docker host. In this case, you can try adding an IPTables `SNAT` rule on the Docker host. To persist after reboot, you may add the command to `/etc/rc.local`. - -Continuing with the example above, if the Docker container has internal IP `172.17.0.2` (check using `docker inspect ipsec-vpn-server`), Docker's network interface name is `docker0` (check using `iptables -nvL -t nat`), and you want the "outgoing IP" to be `192.0.2.2`: - -``` -iptables -t nat -I POSTROUTING -s 172.17.0.2 ! -o docker0 -j SNAT --to 192.0.2.2 -``` - -To check the "outgoing IP" for a connected VPN client, you may open a browser on the client and [look up the IP address on Google](https://www.google.com/search?q=my+ip). - -## Assign static IPs to VPN clients - -When connecting using IPsec/L2TP mode, the VPN server (Docker container) has internal IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`. Clients are assigned internal IPs from `192.168.42.10` to `192.168.42.250`. To check which IP is assigned to a client, view the connection status on the VPN client. 
- -When connecting using IPsec/XAuth ("Cisco IPsec") or IKEv2 mode, the VPN server (Docker container) does NOT have an internal IP within the VPN subnet `192.168.43.0/24`. Clients are assigned internal IPs from `192.168.43.10` to `192.168.43.250`. - -Advanced users may optionally assign static IPs to VPN clients. IKEv2 mode does NOT support this feature. To assign static IPs, declare the `VPN_ADDL_IP_ADDRS` variable in your `env` file, then re-create the Docker container. Example: - -``` -VPN_ADDL_USERS=user1 user2 user3 user4 user5 -VPN_ADDL_PASSWORDS=pass1 pass2 pass3 pass4 pass5 -VPN_ADDL_IP_ADDRS=* * 192.168.42.2 192.168.43.2 -``` - -In this example, we assign static IP `192.168.42.2` for `user3` for IPsec/L2TP mode, and assign static IP `192.168.43.2` for `user4` for IPsec/XAuth ("Cisco IPsec") mode. Internal IPs for `user1`, `user2` and `user5` will be auto-assigned. The internal IP for `user3` for IPsec/XAuth mode and the internal IP for `user4` for IPsec/L2TP mode will also be auto-assigned. You may use `*` to specify auto-assigned IPs, or put those user(s) at the end of the list. - -Static IPs that you specify for IPsec/L2TP mode must be within the range from `192.168.42.2` to `192.168.42.9`. Static IPs that you specify for IPsec/XAuth ("Cisco IPsec") mode must be within the range from `192.168.43.2` to `192.168.43.9`. - -If you need to assign more static IPs, you must shrink the pool of auto-assigned IP addresses. Example: - -``` -VPN_L2TP_POOL=192.168.42.100-192.168.42.250 -VPN_XAUTH_POOL=192.168.43.100-192.168.43.250 -``` - -This will allow you to assign static IPs within the range from `192.168.42.2` to `192.168.42.99` for IPsec/L2TP mode, and within the range from `192.168.43.2` to `192.168.43.99` for IPsec/XAuth ("Cisco IPsec") mode. 
- -Note that if you specify `VPN_XAUTH_POOL` in the `env` file, and IKEv2 is already set up in the Docker container, you **must** manually edit `/etc/ipsec.d/ikev2.conf` inside the container and replace `rightaddresspool=192.168.43.10-192.168.43.250` with the **same value** as `VPN_XAUTH_POOL`, before re-creating the Docker container. Otherwise, IKEv2 may stop working. - -**Note:** In your `env` file, DO NOT put `""` or `''` around values, or add space around `=`. DO NOT use these special characters within values: `\ " '`. - -## Customize VPN subnets - -By default, IPsec/L2TP VPN clients will use internal VPN subnet `192.168.42.0/24`, while IPsec/XAuth ("Cisco IPsec") and IKEv2 VPN clients will use internal VPN subnet `192.168.43.0/24`. For more details, read the previous section. - -For most use cases, it is NOT necessary and NOT recommended to customize these subnets. If your use case requires it, however, you may specify custom subnet(s) in your `env` file, then you must re-create the Docker container. - -``` -# Example: Specify custom VPN subnet for IPsec/L2TP mode -# Note: All three variables must be specified. -VPN_L2TP_NET=10.1.0.0/16 -VPN_L2TP_LOCAL=10.1.0.1 -VPN_L2TP_POOL=10.1.0.10-10.1.254.254 -``` - -``` -# Example: Specify custom VPN subnet for IPsec/XAuth and IKEv2 modes -# Note: Both variables must be specified. -VPN_XAUTH_NET=10.2.0.0/16 -VPN_XAUTH_POOL=10.2.0.10-10.2.254.254 -``` - -**Note:** In your `env` file, DO NOT put `""` or `''` around values, or add space around `=`. - -In the examples above, `VPN_L2TP_LOCAL` is the VPN server's internal IP for IPsec/L2TP mode. `VPN_L2TP_POOL` and `VPN_XAUTH_POOL` are the pools of auto-assigned IP addresses for VPN clients. 
- -Note that if you specify `VPN_XAUTH_POOL` in the `env` file, and IKEv2 is already set up in the Docker container, you **must** manually edit `/etc/ipsec.d/ikev2.conf` inside the container and replace `rightaddresspool=192.168.43.10-192.168.43.250` with the **same value** as `VPN_XAUTH_POOL`, before re-creating the Docker container. Otherwise, IKEv2 may stop working. - -## About host network mode - -Advanced users can run this image in [host network mode](https://docs.docker.com/network/host/), by adding `--network=host` to the `docker run` command. In addition, if [running without privileged mode](#run-without-privileged-mode), you may also need to replace `eth0` with the network interface name of your Docker host. - -Host network mode is NOT recommended for this image, unless your use case requires it. In this mode, the container's network stack is not isolated from the Docker host, and VPN clients may be able to access ports or services on the Docker host using its internal VPN IP `192.168.42.1` after connecting using IPsec/L2TP mode. Note that you will need to manually clean up the changes to IPTables rules and sysctl settings by [run.sh](../run.sh) or reboot the server when you no longer use this image. - -Some Docker host OS, such as Debian 10, cannot run this image in host network mode due to the use of nftables. - -## Enable Libreswan logs - -To keep the Docker image small, Libreswan (IPsec) logs are not enabled by default. 
If you need to enable it for troubleshooting purposes, first start a Bash session in the running container: - -``` -docker exec -it ipsec-vpn-server env TERM=xterm bash -l -``` - -Then run the following commands: - -``` -# For Alpine-based image -apk add --no-cache rsyslog -rsyslogd -rc-service ipsec stop; rc-service -D ipsec start >/dev/null 2>&1 -sed -i '/pluto\.pid/a rsyslogd' /opt/src/run.sh -exit -# For Debian-based image -apt-get update && apt-get -y install rsyslog -service rsyslog restart -service ipsec restart -sed -i '/pluto\.pid/a service rsyslog restart' /opt/src/run.sh -exit -``` - -**Note:** The error `rsyslogd: imklog: cannot open kernel log` is normal if you use this Docker image without privileged mode. - -When finished, you may check Libreswan logs with: - -``` -docker exec -it ipsec-vpn-server grep pluto /var/log/auth.log -``` - -To check xl2tpd logs, run `docker logs ipsec-vpn-server`. - -## Check server status - -Check the status of the IPsec VPN server: - -``` -docker exec -it ipsec-vpn-server ipsec status -``` - -Show currently established VPN connections: - -``` -docker exec -it ipsec-vpn-server ipsec trafficstatus -``` - -## Build from source code - -Advanced users can download and compile the source code from GitHub: - -``` -git clone https://github.com/hwdsl2/docker-ipsec-vpn-server -cd docker-ipsec-vpn-server -# To build Alpine-based image -docker build -t hwdsl2/ipsec-vpn-server . -# To build Debian-based image -docker build -f Dockerfile.debian -t hwdsl2/ipsec-vpn-server:debian . 
-``` - -Or use this if not modifying the source code: - -``` -# To build Alpine-based image -docker build -t hwdsl2/ipsec-vpn-server github.com/hwdsl2/docker-ipsec-vpn-server -# To build Debian-based image -docker build -f Dockerfile.debian -t hwdsl2/ipsec-vpn-server:debian \ - github.com/hwdsl2/docker-ipsec-vpn-server -``` - -## Bash shell inside container - -To start a Bash session in the running container: - -``` -docker exec -it ipsec-vpn-server env TERM=xterm bash -l -``` - -(Optional) Install the `nano` editor: - -``` -# For Alpine-based image -apk add --no-cache nano -# For Debian-based image -apt-get update && apt-get -y install nano -``` - -Then run your commands inside the container. When finished, exit the container and restart if needed: - -``` -exit -docker restart ipsec-vpn-server -``` - -## Bind mount the env file - -As an alternative to the `--env-file` option, advanced users can bind mount the `env` file. The advantage of this method is that after updating the `env` file, you can restart the Docker container to take effect instead of re-creating it. To use this method, you must first edit your `env` file and use single quotes `''` to enclose the values of all variables. Then (re-)create the Docker container (replace the first `vpn.env` with your own `env` file): - -``` -docker run \ - --name ipsec-vpn-server \ - --restart=always \ - -v "$(pwd)/vpn.env:/opt/src/env/vpn.env:ro" \ - -v ikev2-vpn-data:/etc/ipsec.d \ - -v /lib/modules:/lib/modules:ro \ - -p 500:500/udp \ - -p 4500:4500/udp \ - -d --privileged \ - hwdsl2/ipsec-vpn-server -``` - -## Deploy Google BBR congestion control - -After the VPN server is set up, the performance can be improved by deploying the Google BBR congestion control algorithm on your Docker host. - -This is usually done by modifying the configuration file `/etc/sysctl.conf`. However, some Linux distributions may additionally require updates to the Linux kernel. 
- -For detailed deployment methods, please refer to [this document](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/bbr.md). When finished, restart the Docker container: - -``` -docker restart ipsec-vpn-server -``` - -## License - -**Note:** The software components inside the pre-built image (such as Libreswan and xl2tpd) are under the respective licenses chosen by their respective copyright holders. As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within. - -Copyright (C) 2016-2023 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui) - -[![Creative Commons License](https://i.creativecommons.org/l/by-sa/3.0/88x31.png)](http://creativecommons.org/licenses/by-sa/3.0/) -This work is licensed under the [Creative Commons Attribution-ShareAlike 3.0 Unported License](http://creativecommons.org/licenses/by-sa/3.0/) -Attribution required: please include my name in any derivative and let me know how you have improved it! diff --git a/docs/images/badges/docker-pulls.svg b/docs/images/badges/docker-pulls.svg deleted file mode 100644 index 350bdc9475b2035a4439df83b0d883326717b73c..0000000000000000000000000000000000000000 --- a/docs/images/badges/docker-pulls.svg +++ /dev/null @@ -1 +0,0 @@ -<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="127" height="20" role="img" aria-label="docker pulls: 31M"><title>docker pulls: 31Mdocker pulls31M diff --git a/docs/images/badges/docker-stars.svg b/docs/images/badges/docker-stars.svg deleted file mode 100644 index 0aad9c2d3707400c17bbeedcf1a16aeccf3e3116..0000000000000000000000000000000000000000 --- a/docs/images/badges/docker-stars.svg +++ /dev/null @@ -1 +0,0 @@ -docker stars: 466docker stars466 
diff --git a/docs/images/badges/github-stars.svg b/docs/images/badges/github-stars.svg deleted file mode 100644 index 2047a0fc45e9e9e8e87aff2901428284b12df3c4..0000000000000000000000000000000000000000 --- a/docs/images/badges/github-stars.svg +++ /dev/null @@ -1 +0,0 @@ -stars5.4k diff --git a/jenkins-vars.yml b/jenkins-vars.yml new file mode 100644 index 0000000000000000000000000000000000000000..856176378ad97f2b2a853f8f01ca444a85f1bb4d --- /dev/null +++ b/jenkins-vars.yml @@ -0,0 +1,29 @@ +--- + +# jenkins variables +project_name: docker-openssh-server +external_type: alpine_repo +release_type: stable +release_tag: latest +ls_branch: master +repo_vars: + - CONTAINER_NAME = 'openssh-server' + - BUILD_VERSION_ARG = 'OPENSSH_RELEASE' + - LS_USER = 'linuxserver' + - LS_REPO = 'docker-openssh-server' + - DOCKERHUB_IMAGE = 'linuxserver/openssh-server' + - DEV_DOCKERHUB_IMAGE = 'lsiodev/openssh-server' + - PR_DOCKERHUB_IMAGE = 'lspipepr/openssh-server' + - DIST_IMAGE = 'alpine' + - DIST_TAG = '3.17' + - DIST_REPO = 'http://dl-cdn.alpinelinux.org/alpine/v3.17/main/' + - DIST_REPO_PACKAGES = 'openssh-server-pam' + - MULTIARCH='true' + - CI='true' + - CI_WEB='false' + - CI_PORT='80' + - CI_SSL='false' + - CI_DELAY='60' + - CI_DOCKERENV='TZ=US/Pacific' + - CI_AUTH='user:password' + - CI_WEBPATH='' diff --git a/package_versions.txt b/package_versions.txt new file mode 100644 index 0000000000000000000000000000000000000000..990aef15b300ffd469e5bef9770f8add835a83ec --- /dev/null +++ b/package_versions.txt 
@@ -0,0 +1,56 @@ +NAME VERSION TYPE +alpine-baselayout 3.4.0-r0 apk +alpine-baselayout-data 3.4.0-r0 apk +alpine-keys 2.4-r1 apk +alpine-release 3.17.3-r0 apk +apk-tools 2.12.10-r1 apk +bash 5.2.15-r0 apk +brotli-libs 1.0.9-r9 apk +busybox 1.35.0 binary +busybox 1.35.0-r29 apk +busybox-binsh 1.35.0-r29 apk +ca-certificates 20220614-r4 apk +ca-certificates-bundle 20220614-r4 apk +coreutils 9.1-r0 apk +curl 7.88.1-r1 apk +jq 1.6-r2 apk +libacl 2.3.1-r1 apk +libattr 2.5.1-r2 apk +libbsd 0.11.7-r0 apk +libc-utils 0.7.2-r3 apk +libcrypto3 3.0.8-r3 apk +libcurl 7.88.1-r1 apk +libedit 20221030.3.1-r0 apk +libintl 0.21.1-r1 apk +libmd 1.0.4-r0 apk +libproc 3.3.17-r2 apk +libssl3 3.0.8-r3 apk +linux-pam 1.5.2-r1 apk +logrotate 3.20.1-r3 apk +musl 1.2.3-r4 apk +musl-utils 1.2.3-r4 apk +nano 7.0-r0 apk +ncurses-libs 6.3_p20221119-r0 apk +ncurses-terminfo-base 6.3_p20221119-r0 apk +netcat-openbsd 1.130-r4 apk +nghttp2-libs 1.51.0-r0 apk +oniguruma 6.9.8-r0 apk +openssh-client-common 9.1_p1-r2 apk +openssh-client-default 9.1_p1-r2 apk +openssh-keygen 9.1_p1-r2 apk +openssh-server-common 9.1_p1-r2 apk +openssh-server-pam 9.1_p1-r2 apk +openssh-sftp-server 9.1_p1-r2 apk +popt 1.19-r0 apk +procps 3.3.17-r2 apk +readline 8.2.0-r0 apk +scanelf 1.3.5-r1 apk +shadow 4.13-r0 apk +skalibs 2.12.0.1-r0 apk +ssl_client 1.35.0-r29 apk +sudo 1.9.12_p2-r1 apk +tzdata 2023c-r0 apk +utmps-libs 0.1.2.0-r1 apk +xz 5.2.9-r0 apk +xz-libs 5.2.9-r0 apk +zlib 1.2.13-r0 apk diff --git a/readme-vars.yml b/readme-vars.yml new file mode 100644 index 0000000000000000000000000000000000000000..13a2aa82002b71897dbb5ffc01ebacb09359a86d --- /dev/null +++ b/readme-vars.yml 
@@ -0,0 +1,111 @@ +--- + +# project information +project_name: openssh-server +project_url: "https://www.openssh.com/" +project_logo: "https://upload.wikimedia.org/wikipedia/en/6/65/OpenSSH_logo.png" +project_blurb: "[{{ project_name|capitalize }}]({{ project_url }}) is a sandboxed environment that allows ssh access without giving keys to the entire server. + + Giving ssh access via private key often means giving full access to the server. This container creates a limited and sandboxed environment that others can ssh into. + + The users only have access to the folders mapped and the processes running inside this container." + +project_lsio_github_repo_url: "https://github.com/linuxserver/docker-{{ project_name }}" + +# supported architectures +available_architectures: + - { arch: "{{ arch_x86_64 }}", tag: "amd64-latest"} + - { arch: "{{ arch_arm64 }}", tag: "arm64v8-latest"} + - { arch: "{{ arch_armhf }}", tag: "arm32v7-latest"} + +# development version +development_versions: false +development_versions_items: + - { tag: "latest", desc: "Stable releases" } + +# container parameters +common_param_env_vars_enabled: true +param_container_name: "{{ project_name }}" +param_usage_include_hostname: 'optional' #you can set it to 'optional' +param_hostname: "{{ project_name }}" +param_hostname_desc: "Optionally the hostname can be defined." +param_usage_include_vols: true +param_volumes: + - { vol_path: "/config", vol_host_path: "/path/to/appdata/config", desc: "Contains all relevant configuration files." 
} +param_usage_include_ports: true +param_ports: + - { external_port: "2222", internal_port: "2222", port_desc: "ssh port" } +param_usage_include_env: true +param_env_vars: + - { env_var: "TZ", env_value: "Europe/London", desc: "Specify a timezone to use EG Europe/London"} + +# optional container parameters +opt_param_usage_include_env: true +opt_param_env_vars: + - { env_var: "PUBLIC_KEY", env_value: "yourpublickey", desc: "Optional ssh public key, which will automatically be added to authorized_keys."} + - { env_var: "PUBLIC_KEY_FILE", env_value: "/path/to/file", desc: "Optionally specify a file containing the public key (works with docker secrets)."} + - { env_var: "PUBLIC_KEY_DIR", env_value: "/path/to/directory/containing/_only_/pubkeys", desc: "Optionally specify a directory containing the public keys (works with docker secrets)."} + - { env_var: "PUBLIC_KEY_URL", env_value: "https://github.com/username.keys", desc: "Optionally specify a URL containing the public key."} + - { env_var: "SUDO_ACCESS", env_value: "false", desc: "Set to `true` to allow `linuxserver.io`, the ssh user, sudo access. Without `USER_PASSWORD` set, this will allow passwordless sudo access."} + - { env_var: "PASSWORD_ACCESS", env_value: "false", desc: "Set to `true` to allow user/password ssh access. You will want to set `USER_PASSWORD` or `USER_PASSWORD_FILE` as well."} + - { env_var: "USER_PASSWORD", env_value: "password", desc: "Optionally set a sudo password for `linuxserver.io`, the ssh user. If this or `USER_PASSWORD_FILE` are not set but `SUDO_ACCESS` is set to true, the user will have passwordless sudo access."} + - { env_var: "USER_PASSWORD_FILE", env_value: "/path/to/file", desc: "Optionally specify a file that contains the password. 
This setting supersedes the `USER_PASSWORD` option (works with docker secrets)."} + - { env_var: "USER_NAME", env_value: "linuxserver.io", desc: "Optionally specify a user name (Default:`linuxserver.io`)"} + +optional_block_1: false +optional_block_1_items: "" + +# application setup block +app_setup_block_enabled: true +app_setup_block: | + If `PUBLIC_KEY` or `PUBLIC_KEY_FILE`, or `PUBLIC_KEY_DIR` variables are set, the specified keys will automatically be added to `authorized_keys`. If not, the keys can manually be added to `/config/.ssh/authorized_keys` and the container should be restarted. + Removing `PUBLIC_KEY` or `PUBLIC_KEY_FILE` variables from docker run environment variables will not remove the keys from `authorized_keys`. `PUBLIC_KEY_FILE` and `PUBLIC_KEY_DIR` can be used with docker secrets. + + We provide the ability to set and allow password based access via the `PASSWORD_ACCESS` and `USER_PASSWORD` variables, though we as an organization discourage using password auth for public facing ssh endpoints. + + Connect to server via `ssh -i /path/to/private/key -p PORT USER_NAME@SERVERIP` + + Setting `SUDO_ACCESS` to `true` by itself will allow passwordless sudo. `USER_PASSWORD` and `USER_PASSWORD_FILE` allow setting an optional sudo password. + + The users only have access to the folders mapped and the processes running inside this container. + Add any volume mappings you like for the users to have access to. + To install packages or services for users to access, use the LinuxServer container customization methods described [in this blog article](https://blog.linuxserver.io/2019/09/14/customizing-our-containers/). + + Sample use case is when a server admin would like to have automated incoming backups from a remote server to the local server, but they might not want all the other admins of the remote server to have full access to the local server. 
+ This container can be set up with a mounted folder for incoming backups, and rsync installed via LinuxServer container customization described above, so that the incoming backups can proceed, but remote server and its admins' access would be limited to the backup folder. + + It is also possible to run multiple copies of this container with different ports mapped, different folders mounted and access to different private keys for compartmentalized access. + + #### TIPS + You can volume map your own text file to `/etc/motd` to override the message displayed upon connection. + You can optionally set the docker argument `hostname` + + ## Key Generation + + This container has a helper script to generate an ssh private/public key. In order to generate a key please run: + ``` + docker run --rm -it --entrypoint /keygen.sh linuxserver/openssh-server + ``` + + Then simply follow the prompts. + The keys generated by this script are only displayed on your console output, so make sure to save them somewhere after generation. + + +# changelog +changelogs: + - { date: "05.03.23:", desc: "Rebase to Alpine 3.17."} + - { date: "18.10.22:", desc: "Fix wrong behavior of password/passwordless sudo"} + - { date: "11.10.22:", desc: "Rebase to Alpine 3.16, migrate to s6v3."} + - { date: "15.09.22:", desc: "add netcat-openbsd with support for proxies."} + - { date: "18.07.22:", desc: "Fix service perms to comply with upgrade to s6 v3."} + - { date: "16.04.22:", desc: "Rebase to alpine 3.15."} + - { date: "16.11.21:", desc: "Add PUBLIC_KEY_URL option"} + - { date: "28.06.21:", desc: "Rebasing to alpine 3.14. Add support for PAM." } + - { date: "10.02.21:", desc: "Rebasing to alpine 3.13. Add openssh-client for scp." } + - { date: "21.10.20:", desc: "Implement s6-log for openssh, which adds local timestamps to logs and can be used with a log parser like fail2ban." } + - { date: "20.10.20:", desc: "Set umask for sftp." } + - { date: "01.06.20:", desc: "Rebasing to alpine 3.12." 
} + - { date: "18.01.20:", desc: "Add key generation script." } + - { date: "13.01.20:", desc: "Add openssh-sftp-server." } + - { date: "19.12.19:", desc: "Rebasing to alpine 3.11." } + - { date: "17.10.19:", desc: "Initial Release." } diff --git a/root/etc/motd b/root/etc/motd new file mode 100644 index 0000000000000000000000000000000000000000..6b6d6611c072f60aea556ffcbb66c392ca82578d --- /dev/null +++ b/root/etc/motd @@ -0,0 +1,2 @@ +Welcome to OpenSSH Server + diff --git a/root/etc/s6-overlay/s6-rc.d/init-adduser/run b/root/etc/s6-overlay/s6-rc.d/init-adduser/run new file mode 100644 index 0000000000000000000000000000000000000000..0af12403c6a895df9e57b94697a31d4bd4303928 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-adduser/run 
@@ -0,0 +1,56 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+USER_NAME=${USER_NAME:-linuxserver.io}
+
+PUID=${PUID:-911}
+PGID=${PGID:-911}
+
+if [[ "$USER_NAME" != "abc" ]]; then
+ usermod -l "$USER_NAME" abc
+ groupmod -n "$USER_NAME" abc
+fi
+
+groupmod -o -g "$PGID" "$USER_NAME"
+usermod -o -u "$PUID" "$USER_NAME"
+
+cat /etc/s6-overlay/s6-rc.d/init-adduser/branding
+
+if [[ -f /donate.txt ]]; then
+ echo '
+To support the app dev(s) visit:'
+ cat /donate.txt
+fi
+echo '
+To support LSIO projects visit:
+https://www.linuxserver.io/donate/
+
+───────────────────────────────────────
+GID/UID
+───────────────────────────────────────'
+echo "
+User UID: $(id -u "${USER_NAME}")
+User GID: $(id -g "${USER_NAME}")
+───────────────────────────────────────
+"
+
+time32="$(date +%Y)"
+
+if [[ "${time32}" == "1970" || "${time32}" == "1969" ]] && [ "$(uname -m)" == "armv7l" ]; then
+ echo '
+╔═════════════════════════════════════════════════════════════════════════════╗
+║ ║
+║ Your Docker Host is running an outdated version of libseccomp ║
+║ ║
+║ To fix this, please visit https://docs.linuxserver.io/faq#libseccomp ║
+║ ║
+║ Apps will not behave correctly without this ║
+║ ║
+╚═════════════════════════════════════════════════════════════════════════════╝
+'
+ sleep infinity
+fi
+
+lsiown "${USER_NAME}":"${USER_NAME}" /app
+lsiown "${USER_NAME}":"${USER_NAME}" /config
+lsiown "${USER_NAME}":"${USER_NAME}" /defaults
diff --git a/root/etc/s6-overlay/s6-rc.d/init-config-end/dependencies.d/init-openssh-server-config b/root/etc/s6-overlay/s6-rc.d/init-config-end/dependencies.d/init-openssh-server-config
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
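Review bot: The `usermod -l "$USER_NAME" abc` and `groupmod -n "$USER_NAME" abc` rename near the top of the hunk is not checked, and the script has no `set -e`, so a USER_NAME that usermod rejects leaves the account named `abc` while the later `lsiown "${USER_NAME}":"${USER_NAME}"` lines (and the config script in this same commit, which also derives ownership from USER_NAME) act on an account that does not exist. Consider `usermod -l "$USER_NAME" abc || { echo "Could not rename user to '$USER_NAME'" >&2; exit 1; }` with the same guard on groupmod, so the failure surfaces at the rename rather than as chown errors later. As a point of style, the libseccomp check mixes `[[ ... ]]` with `[ "$(uname -m)" == "armv7l" ]`; `[[ "$(uname -m)" == "armv7l" ]]` keeps the file's test style uniform.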
diff --git a/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/dependencies.d/init-config b/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/dependencies.d/init-config
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run b/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run
new file mode 100644
index 0000000000000000000000000000000000000000..9844ea51b406ebcd28f7a52f33d240102f06d8f9
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run
@@ -0,0 +1,119 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+# create folders
+mkdir -p \
+ /config/{.ssh,ssh_host_keys,logs/openssh}
+
+USER_NAME=${USER_NAME:-linuxserver.io}
+echo "User name is set to $USER_NAME"
+
+# set password for abc to unlock it and set sudo access
+sed -i "/${USER_NAME} ALL.*/d" /etc/sudoers
+if [[ "$SUDO_ACCESS" == "true" ]]; then
+ if [[ -n "$USER_PASSWORD" || (-n "$USER_PASSWORD_FILE" && -f "$USER_PASSWORD_FILE") ]]; then
+ echo "${USER_NAME} ALL=(ALL) ALL" >> /etc/sudoers
+ echo "Sudo is enabled with password."
+ else
+ echo "${USER_NAME} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+ echo "Sudo is enabled without password."
+ fi
+else
+ echo "Sudo is disabled."
+fi
+
+if [[ -n "$USER_PASSWORD_FILE" ]] && [[ -f "$USER_PASSWORD_FILE" ]]; then
+ USER_PASSWORD=$(cat "$USER_PASSWORD_FILE")
+ echo "User password is retrieved from file."
+fi
+
+USER_PASSWORD=${USER_PASSWORD:-$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c"${1:-8}";echo;)}
+echo "${USER_NAME}:${USER_PASSWORD}" | chpasswd
+
+# symlink out ssh config directory
+if [[ ! -L /etc/ssh ]]; then
+ if [[ ! -f /config/ssh_host_keys/sshd_config ]]; then
+ sed -i '/#PidFile/c\PidFile \/config\/sshd.pid' /etc/ssh/sshd_config
+ cp -a /etc/ssh/sshd_config /config/ssh_host_keys/
+ fi
+ rm -Rf /etc/ssh
+ ln -s /config/ssh_host_keys /etc/ssh
+ ssh-keygen -A
+fi
+
+# password access
+if [[ "$PASSWORD_ACCESS" == "true" ]]; then
+ sed -i '/^#PasswordAuthentication/c\PasswordAuthentication yes' /etc/ssh/sshd_config
+ sed -i '/^PasswordAuthentication/c\PasswordAuthentication yes' /etc/ssh/sshd_config
+ chown root:"${USER_NAME}" \
+ /etc/shadow
+ echo "User/password ssh access is enabled."
+else
+ sed -i '/^PasswordAuthentication/c\PasswordAuthentication no' /etc/ssh/sshd_config
+ chown root:root \
+ /etc/shadow
+ echo "User/password ssh access is disabled."
+fi
+
+# set umask for sftp
+UMASK=${UMASK:-022}
+sed -i "s|/usr/lib/ssh/sftp-server$|/usr/lib/ssh/sftp-server -u ${UMASK}|g" /etc/ssh/sshd_config
+
+# set key auth in file
+if [[ ! -f /config/.ssh/authorized_keys ]]; then
+ touch /config/.ssh/authorized_keys
+fi
+
+if [[ -n "$PUBLIC_KEY" ]]; then
+ if ! grep -q "${PUBLIC_KEY}" /config/.ssh/authorized_keys; then
+ echo "$PUBLIC_KEY" >> /config/.ssh/authorized_keys
+ echo "Public key from env variable added"
+ fi
+fi
+
+if [[ -n "$PUBLIC_KEY_URL" ]]; then
+ PUBLIC_KEY_DOWNLOADED=$(curl -s "$PUBLIC_KEY_URL")
+ if ! grep -q "$PUBLIC_KEY_DOWNLOADED" /config/.ssh/authorized_keys; then
+ echo "$PUBLIC_KEY_DOWNLOADED" >> /config/.ssh/authorized_keys
+ echo "Public key downloaded from '$PUBLIC_KEY_URL' added"
+ fi
+fi
+
+if [[ -n "$PUBLIC_KEY_FILE" ]] && [[ -f "$PUBLIC_KEY_FILE" ]]; then
+ PUBLIC_KEY2=$(cat "$PUBLIC_KEY_FILE")
+ if ! grep -q "$PUBLIC_KEY2" /config/.ssh/authorized_keys; then
+ echo "$PUBLIC_KEY2" >> /config/.ssh/authorized_keys
+ echo "Public key from file added"
+ fi
+fi
+
+if [[ -d "$PUBLIC_KEY_DIR" ]]; then
+ for F in "${PUBLIC_KEY_DIR}"/*; do
+ PUBLIC_KEYN=$(cat "$F")
+ if ! grep -q "$PUBLIC_KEYN" /config/.ssh/authorized_keys; then
+ echo "$PUBLIC_KEYN" >> /config/.ssh/authorized_keys
+ echo "Public key from file '$F' added"
+ fi
+ done
+fi
+
+# back up old log files processed by logrotate
+if [[ -f /config/logs/openssh/openssh.log ]]; then
+ mv /config/logs/openssh /config/logs/openssh.old.logs
+ mkdir -p /config/logs/openssh
+fi
+
+# add log file info
+if [[ ! -f /config/logs/loginfo.txt ]]; then
+ echo "The current log file is named \"current\". The rotated log files are gzipped, named with a TAI64N timestamp and a \".s\" extension" > /config/logs/loginfo.txt
+fi
+
+# permissions
+lsiown -R "${USER_NAME}":"${USER_NAME}" \
+ /config
+chmod go-w \
+ /config
+chmod 700 \
+ /config/.ssh
+chmod 600 \
+ /config/.ssh/authorized_keys
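Review bot: The `PASSWORD_ACCESS` disable branch is not symmetric with the enable branch: it only rewrites a line that already starts with `PasswordAuthentication`, so on an sshd_config where the directive is still the stock commented `#PasswordAuthentication yes` nothing is written and sshd falls back to its compiled-in default of password authentication enabled — unless the image's baked config already carries an explicit `PasswordAuthentication no`, which is not visible in this chunk. Mirroring the enable branch closes that gap regardless: add `sed -i '/^#PasswordAuthentication/c\PasswordAuthentication no' /etc/ssh/sshd_config` ahead of the existing `sed` in the `else` arm. In the key-import section, `curl -s "$PUBLIC_KEY_URL"` without `-f` appends an HTTP error body to `authorized_keys` on a 404, and an empty download turns `grep -q ""` into a match-anything test, so `curl -sf` plus `grep -qxF --` (fixed-string, whole line, tolerant of a leading `-`) would make the de-duplication checks do what they are meant to — the same `-F` applies to the `PUBLIC_KEY`, `PUBLIC_KEY_FILE` and `PUBLIC_KEY_DIR` branches, where key material is currently used as a regex. Granting the service account group ownership of `/etc/shadow` when password access is on is presumably needed because sshd is started unprivileged under `s6-setuidgid` in the service script, but that is an inference; a one-line comment stating the reason would spare the next reader the same guess.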
diff --git a/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/type b/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/type
new file mode 100644
index 0000000000000000000000000000000000000000..bdd22a1850ae6c03a414eeb8084998679a2cdf92
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/type
@@ -0,0 +1 @@
+oneshot
diff --git a/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/up b/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/up
new file mode 100644
index 0000000000000000000000000000000000000000..ae91bfb8fa173789742c5aea194a25ccf19a1d6b
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/up
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run
diff --git a/root/etc/s6-overlay/s6-rc.d/log-openssh-server/consumer-for b/root/etc/s6-overlay/s6-rc.d/log-openssh-server/consumer-for
new file mode 100644
index 0000000000000000000000000000000000000000..6782e72352b981dcaa5ea6d108f966ef0b605539
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/log-openssh-server/consumer-for
@@ -0,0 +1 @@
+svc-openssh-server
\ No newline at end of file
diff --git a/root/etc/s6-overlay/s6-rc.d/log-openssh-server/dependencies.d/init-openssh-server-config b/root/etc/s6-overlay/s6-rc.d/log-openssh-server/dependencies.d/init-openssh-server-config
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/root/etc/s6-overlay/s6-rc.d/log-openssh-server/dependencies.d/init-services b/root/etc/s6-overlay/s6-rc.d/log-openssh-server/dependencies.d/init-services
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/root/etc/s6-overlay/s6-rc.d/log-openssh-server/pipeline-name b/root/etc/s6-overlay/s6-rc.d/log-openssh-server/pipeline-name
new file mode 100644
index 0000000000000000000000000000000000000000..860bff09b2658325c8d438543c271735707e260d
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/log-openssh-server/pipeline-name
@@ -0,0 +1 @@
+pipeline-openssh-server
\ No newline at end of file
diff --git a/root/etc/s6-overlay/s6-rc.d/log-openssh-server/run b/root/etc/s6-overlay/s6-rc.d/log-openssh-server/run
new file mode 100644
index 0000000000000000000000000000000000000000..a4200cda589c7d9932ec4d814d5cb62c70ce384e
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/log-openssh-server/run
@@ -0,0 +1,7 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+USER_NAME=${USER_NAME:-linuxserver.io}
+
+exec \
+ s6-setuidgid "${USER_NAME}" s6-log n30 s10000000 S30000000 T !"gzip -nq9" /config/logs/openssh
diff --git a/root/etc/s6-overlay/s6-rc.d/log-openssh-server/type b/root/etc/s6-overlay/s6-rc.d/log-openssh-server/type
new file mode 100644
index 0000000000000000000000000000000000000000..1780f9f44efd7a9a5240468e2d3d851ae5b7a471
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/log-openssh-server/type
@@ -0,0 +1 @@
+longrun
\ No newline at end of file
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/dependencies.d/init-services b/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/dependencies.d/init-services
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/notification-fd b/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/notification-fd
new file mode 100644
index 0000000000000000000000000000000000000000..00750edc07d6415dcc07ae0351e9397b0222b7ba
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/notification-fd
@@ -0,0 +1 @@
+3
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/producer-for b/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/producer-for
new file mode 100644
index 0000000000000000000000000000000000000000..62b44ee2fc0bd5d72ef210f243ea21f4ce1d5352
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/producer-for
@@ -0,0 +1 @@
+log-openssh-server
\ No newline at end of file
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/run b/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/run
new file mode 100644
index 0000000000000000000000000000000000000000..e1b6ad1f5032d6a456bfb4f1526ca1926fbb4151
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/run
@@ -0,0 +1,8 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+USER_NAME=${USER_NAME:-linuxserver.io}
+
+exec 2>&1 \
+ s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 2222" \
+ s6-setuidgid "${USER_NAME}" /usr/sbin/sshd.pam -D -e -p 2222
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/type b/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/type
new file mode 100644
index 0000000000000000000000000000000000000000..5883cff0cd1514b2836f4ffa39fdac769a5213cb
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/type
@@ -0,0 +1 @@
+longrun
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-openssh-server-config b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-openssh-server-config
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/log-openssh-server b/root/etc/s6-overlay/s6-rc.d/user/contents.d/log-openssh-server
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-openssh-server b/root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-openssh-server
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/root/keygen.sh b/root/keygen.sh
new file mode 100644
index 0000000000000000000000000000000000000000..b2771ffac2837e14b7ec0bf896b0104d670e3c3d
--- /dev/null
+++ b/root/keygen.sh
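Review bot: The `-p 2222` on the sshd command line in svc-openssh-server/run deserves a comment, because per sshd(8) any `Port` directive in the configuration file is ignored once a port is given on the command line, so users who edit `Port` in the persisted `/config/ssh_host_keys/sshd_config` (the file the init script symlinks `/etc/ssh` to) will see no effect and may think their change was lost. Something like `# -p makes sshd ignore Port in sshd_config; change the exposed port with the container port mapping instead` above the `exec` line would pre-empt that. The readiness probe `nc -z localhost 2222` is tied to the same literal, so if the port is ever made configurable the two must move together.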
@@ -0,0 +1,29 @@
+#! /bin/bash
+
+# selection menu
+echo "Please select your key type to generate"
+printf "1.) ecdsa\n2.) rsa\n3.) ed25519\n4.) dsa\n[default ecdsa]:"
+read opt
+case $opt in
+ "ecdsa"|1) TYPE="ecdsa" BITS="-b 521";;
+ "rsa"|2) TYPE="rsa";;
+ "ed25519"|3) TYPE="ed25519";;
+ "dsa"|4) TYPE="dsa";;
+ *) echo "blank or unknown option choosing ecdsa" && TYPE="ecdsa" BITS="-b 521";;
+esac
+# rsa bit selection
+if [[ "$TYPE" == "rsa" ]]; then
+echo "Please select RSA bits"
+printf "1.) 4096\n2.) 2048\n3.) 1024\n[default 4096]:"
+read opt
+case $opt in
+ 4096|1) BITS="-b 4096";;
+ 2048|2) BITS="-b 2048";;
+ 1024|3) BITS="-b 1024";;
+ *) echo "blank or unknown option choosing 4096" && BITS="-b 4096";;
+esac
+fi
+
+# key generation
+echo "YOUR KEY/PUBFILE IS BELOW PLEASE SAVE THIS DATA AS WE WILL NOT"
+echo /tmp/stderr{,.pub} | xargs -n 1 ln -sf /dev/stderr && yes | ssh-keygen -t ${TYPE} ${BITS} -N '' -qf /tmp/stderr > /dev/null
diff --git a/run.sh b/run.sh
deleted file mode 100644
index 753c1e2af07e96b9dc54bb4183af1c94ac252691..0000000000000000000000000000000000000000
--- a/run.sh
+++ /dev/null
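Review bot: The menu in keygen.sh offers `dsa` and 1024-bit RSA as first-class choices: DSA keys are fixed at 1024 bits and have been disabled by default in OpenSSH since 7.0, and 1024-bit RSA sits at the server's minimum accepted size (`RequiredRSASize` default) and well below current guidance, so a helper shipped with an SSH server image should not present them without a warning, and `ed25519` rather than `ecdsa` would be the sensible default. Both `read opt` lines also lack `-r`, so a stray backslash in the input is interpreted instead of compared literally. The final line deliberately writes the private key to stderr through the `/tmp/stderr` symlink trick; a comment saying that this is intentional, and that the key is therefore visible to whatever captures the container's terminal or logs, would help the next reader. A trimmed menu could look like this:

```shell
echo "Please select your key type to generate"
printf "1.) ed25519\n2.) ecdsa\n3.) rsa\n[default ed25519]:"
read -r opt
case $opt in
    "ed25519"|1) TYPE="ed25519";;
    "ecdsa"|2) TYPE="ecdsa" BITS="-b 521";;
    "rsa"|3) TYPE="rsa";;
    *) echo "blank or unknown option choosing ed25519" && TYPE="ed25519";;
esac
# … unchanged: rsa bit selection, with the 1024 arm dropped and read -r …
# … unchanged: key generation …
```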
@@ -1,742 +0,0 @@ -#!/bin/bash -# -# Docker script to configure and start an IPsec VPN server -# -# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS ONLY MEANT TO BE RUN -# IN A CONTAINER! -# -# This file is part of IPsec VPN Docker image, available at: -# https://github.com/hwdsl2/docker-ipsec-vpn-server -# -# Copyright (C) 2016-2023 Lin Song -# Based on the work of Thomas Sarlandie (Copyright 2012) -# -# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 -# Unported License: http://creativecommons.org/licenses/by-sa/3.0/ -# -# Attribution required: please include my name in any derivative and let me -# know how you have improved it! - -export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" - -exiterr() { echo "Error: $1" >&2; exit 1; } -nospaces() { printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'; } -onespace() { printf '%s' "$1" | tr -s ' '; } -noquotes() { printf '%s' "$1" | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/"; } -noquotes2() { printf '%s' "$1" | sed -e 's/" "/ /g' -e "s/' '/ /g"; } - -check_ip() { - IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' - printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" -} - -check_dns_name() { - FQDN_REGEX='^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$' - printf '%s' "$1" | tr -d '\n' | grep -Eq "$FQDN_REGEX" -} - -check_client_name() { - ! { [ "${#1}" -gt "64" ] || printf '%s' "$1" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \ - || case $1 in -*) true ;; *) false ;; esac; } -} - -if [ ! -f "/.dockerenv" ] && [ ! -f "/run/.containerenv" ] \ - && [ -z "$KUBERNETES_SERVICE_HOST" ] \ - && ! head -n 1 /proc/1/sched 2>/dev/null | grep -q '^run\.sh '; then - exiterr "This script ONLY runs in a container (e.g. Docker, Podman)." -fi - -if ip link add dummy0 type dummy 2>&1 | grep -q "not permitted"; then -cat 1>&2 <<'EOF' -Error: This Docker image should be run in privileged mode. 
- See: https://github.com/hwdsl2/docker-ipsec-vpn-server - -EOF - exit 1 -fi -ip link delete dummy0 >/dev/null 2>&1 - -os_type=debian -os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-') -[ -f /etc/os-release ] && os_type=$(. /etc/os-release && printf '%s' "$ID") - -if [ ! -e /dev/ppp ]; then -cat <<'EOF' - -Warning: /dev/ppp is missing, and IPsec/L2TP mode may not work. - Please use IKEv2 or IPsec/XAuth mode to connect. - Debian 11/10 users, see https://vpnsetup.net/debian10 -EOF -fi - -NET_IFACE=$(route 2>/dev/null | grep -m 1 '^default' | grep -o '[^ ]*$') -[ -z "$NET_IFACE" ] && NET_IFACE=$(ip -4 route list 0/0 2>/dev/null | grep -m 1 -Po '(?<=dev )(\S+)') -[ -z "$NET_IFACE" ] && NET_IFACE=eth0 - -mkdir -p /opt/src -vpn_env="/opt/src/vpn.env" -vpn_env_dir="/opt/src/env/vpn.env" -if [ -f "$vpn_env_dir" ]; then - vpn_env="$vpn_env_dir" -fi -vpn_gen_env="/etc/ipsec.d/vpn-gen.env" -if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then - if [ -f "$vpn_env" ]; then - echo - echo 'Retrieving VPN credentials...' - . "$vpn_env" - elif [ -f "$vpn_gen_env" ]; then - echo - echo 'Retrieving previously generated VPN credentials...' - . "$vpn_gen_env" - else - echo - echo 'VPN credentials not set by user. Generating random PSK and password...' 
- VPN_IPSEC_PSK=$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' /dev/null | head -c 20) - VPN_USER=vpnuser - VPN_PASSWORD=$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' /dev/null | head -c 16) - printf '%s\n' "VPN_IPSEC_PSK='$VPN_IPSEC_PSK'" > "$vpn_gen_env" - printf '%s\n' "VPN_USER='$VPN_USER'" >> "$vpn_gen_env" - printf '%s\n' "VPN_PASSWORD='$VPN_PASSWORD'" >> "$vpn_gen_env" - chmod 600 "$vpn_gen_env" - fi -fi - -# Remove whitespace and quotes around VPN variables, if any -VPN_IPSEC_PSK=$(nospaces "$VPN_IPSEC_PSK") -VPN_IPSEC_PSK=$(noquotes "$VPN_IPSEC_PSK") -VPN_USER=$(nospaces "$VPN_USER") -VPN_USER=$(noquotes "$VPN_USER") -VPN_PASSWORD=$(nospaces "$VPN_PASSWORD") -VPN_PASSWORD=$(noquotes "$VPN_PASSWORD") -if [ -n "$VPN_ADDL_USERS" ] && [ -n "$VPN_ADDL_PASSWORDS" ]; then - VPN_ADDL_USERS=$(nospaces "$VPN_ADDL_USERS") - VPN_ADDL_USERS=$(noquotes "$VPN_ADDL_USERS") - VPN_ADDL_USERS=$(onespace "$VPN_ADDL_USERS") - VPN_ADDL_USERS=$(noquotes2 "$VPN_ADDL_USERS") - VPN_ADDL_PASSWORDS=$(nospaces "$VPN_ADDL_PASSWORDS") - VPN_ADDL_PASSWORDS=$(noquotes "$VPN_ADDL_PASSWORDS") - VPN_ADDL_PASSWORDS=$(onespace "$VPN_ADDL_PASSWORDS") - VPN_ADDL_PASSWORDS=$(noquotes2 "$VPN_ADDL_PASSWORDS") - if [ -n "$VPN_ADDL_IP_ADDRS" ]; then - VPN_ADDL_IP_ADDRS=$(nospaces "$VPN_ADDL_IP_ADDRS") - VPN_ADDL_IP_ADDRS=$(noquotes "$VPN_ADDL_IP_ADDRS") - VPN_ADDL_IP_ADDRS=$(onespace "$VPN_ADDL_IP_ADDRS") - VPN_ADDL_IP_ADDRS=$(noquotes2 "$VPN_ADDL_IP_ADDRS") - fi -else - VPN_ADDL_USERS="" - VPN_ADDL_PASSWORDS="" - VPN_ADDL_IP_ADDRS="" -fi -if [ -n "$VPN_DNS_SRV1" ]; then - VPN_DNS_SRV1=$(nospaces "$VPN_DNS_SRV1") - VPN_DNS_SRV1=$(noquotes "$VPN_DNS_SRV1") -fi -if [ -n "$VPN_DNS_SRV2" ]; then - VPN_DNS_SRV2=$(nospaces "$VPN_DNS_SRV2") - VPN_DNS_SRV2=$(noquotes "$VPN_DNS_SRV2") -fi -if [ -n "$VPN_CLIENT_NAME" ]; then - VPN_CLIENT_NAME=$(nospaces "$VPN_CLIENT_NAME") - VPN_CLIENT_NAME=$(noquotes "$VPN_CLIENT_NAME") -fi -if [ -n "$VPN_DNS_NAME" ]; then - VPN_DNS_NAME=$(nospaces "$VPN_DNS_NAME") - 
VPN_DNS_NAME=$(noquotes "$VPN_DNS_NAME") -fi -if [ -n "$VPN_PUBLIC_IP" ]; then - VPN_PUBLIC_IP=$(nospaces "$VPN_PUBLIC_IP") - VPN_PUBLIC_IP=$(noquotes "$VPN_PUBLIC_IP") -fi -if [ -n "$VPN_ANDROID_MTU_FIX" ]; then - VPN_ANDROID_MTU_FIX=$(nospaces "$VPN_ANDROID_MTU_FIX") - VPN_ANDROID_MTU_FIX=$(noquotes "$VPN_ANDROID_MTU_FIX") -fi -if [ -n "$VPN_SHA2_TRUNCBUG" ]; then - VPN_SHA2_TRUNCBUG=$(nospaces "$VPN_SHA2_TRUNCBUG") - VPN_SHA2_TRUNCBUG=$(noquotes "$VPN_SHA2_TRUNCBUG") -fi -if [ -n "$VPN_PROTECT_CONFIG" ]; then - VPN_PROTECT_CONFIG=$(nospaces "$VPN_PROTECT_CONFIG") - VPN_PROTECT_CONFIG=$(noquotes "$VPN_PROTECT_CONFIG") -fi -if [ -n "$VPN_DISABLE_IPSEC_L2TP" ]; then - VPN_DISABLE_IPSEC_L2TP=$(nospaces "$VPN_DISABLE_IPSEC_L2TP") - VPN_DISABLE_IPSEC_L2TP=$(noquotes "$VPN_DISABLE_IPSEC_L2TP") -fi -if [ -n "$VPN_DISABLE_IPSEC_XAUTH" ]; then - VPN_DISABLE_IPSEC_XAUTH=$(nospaces "$VPN_DISABLE_IPSEC_XAUTH") - VPN_DISABLE_IPSEC_XAUTH=$(noquotes "$VPN_DISABLE_IPSEC_XAUTH") -fi -if [ -n "$VPN_IKEV2_ONLY" ]; then - VPN_IKEV2_ONLY=$(nospaces "$VPN_IKEV2_ONLY") - VPN_IKEV2_ONLY=$(noquotes "$VPN_IKEV2_ONLY") -fi -if [ -n "$VPN_ENABLE_MODP1024" ]; then - VPN_ENABLE_MODP1024=$(nospaces "$VPN_ENABLE_MODP1024") - VPN_ENABLE_MODP1024=$(noquotes "$VPN_ENABLE_MODP1024") -fi -if [ -n "$VPN_ENABLE_MODP1536" ]; then - VPN_ENABLE_MODP1536=$(nospaces "$VPN_ENABLE_MODP1536") - VPN_ENABLE_MODP1536=$(noquotes "$VPN_ENABLE_MODP1536") -fi -if [ -n "$VPN_L2TP_NET" ]; then - VPN_L2TP_NET=$(nospaces "$VPN_L2TP_NET") - VPN_L2TP_NET=$(noquotes "$VPN_L2TP_NET") -fi -if [ -n "$VPN_L2TP_LOCAL" ]; then - VPN_L2TP_LOCAL=$(nospaces "$VPN_L2TP_LOCAL") - VPN_L2TP_LOCAL=$(noquotes "$VPN_L2TP_LOCAL") -fi -if [ -n "$VPN_L2TP_POOL" ]; then - VPN_L2TP_POOL=$(nospaces "$VPN_L2TP_POOL") - VPN_L2TP_POOL=$(noquotes "$VPN_L2TP_POOL") -fi -if [ -n "$VPN_XAUTH_NET" ]; then - VPN_XAUTH_NET=$(nospaces "$VPN_XAUTH_NET") - VPN_XAUTH_NET=$(noquotes "$VPN_XAUTH_NET") -fi -if [ -n "$VPN_XAUTH_POOL" ]; then - 
VPN_XAUTH_POOL=$(nospaces "$VPN_XAUTH_POOL") - VPN_XAUTH_POOL=$(noquotes "$VPN_XAUTH_POOL") -fi - -if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then - exiterr "All VPN credentials must be specified. Edit your 'env' file and re-enter them." -fi -if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD $VPN_ADDL_USERS $VPN_ADDL_PASSWORDS" | LC_ALL=C grep -q '[^ -~]\+'; then - exiterr "VPN credentials must not contain non-ASCII characters." -fi -case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD $VPN_ADDL_USERS $VPN_ADDL_PASSWORDS" in - *[\\\"\']*) - exiterr "VPN credentials must not contain these special characters: \\ \" '" - ;; -esac -if printf '%s' "$VPN_USER $VPN_ADDL_USERS" | tr ' ' '\n' | sort | uniq -c | grep -qv '^ *1 '; then - exiterr "VPN usernames must not contain duplicates." -fi - -# Check DNS servers and try to resolve hostnames to IPs -if [ -n "$VPN_DNS_SRV1" ]; then - check_ip "$VPN_DNS_SRV1" || VPN_DNS_SRV1=$(dig -t A -4 +short "$VPN_DNS_SRV1") - if ! check_ip "$VPN_DNS_SRV1"; then -cat <<'EOF' - -Warning: Invalid DNS server. Check VPN_DNS_SRV1 in your 'env' file. -EOF - VPN_DNS_SRV1="" - fi -fi -if [ -n "$VPN_DNS_SRV2" ]; then - check_ip "$VPN_DNS_SRV2" || VPN_DNS_SRV2=$(dig -t A -4 +short "$VPN_DNS_SRV2") - if ! check_ip "$VPN_DNS_SRV2"; then -cat <<'EOF' - -Warning: Invalid DNS server. Check VPN_DNS_SRV2 in your 'env' file. -EOF - VPN_DNS_SRV2="" - fi -fi -if [ -n "$VPN_CLIENT_NAME" ]; then - if ! check_client_name "$VPN_CLIENT_NAME"; then -cat <<'EOF' - -Warning: Invalid client name. Use one word only, no special characters except '-' and '_'. - Falling back to default client name 'vpnclient'. -EOF - VPN_CLIENT_NAME="" - fi -fi -if [ -n "$VPN_DNS_NAME" ]; then - if ! check_dns_name "$VPN_DNS_NAME"; then -cat <<'EOF' - -Warning: Invalid DNS name. 'VPN_DNS_NAME' must be a fully qualified domain name (FQDN). - Falling back to using this server's IP address. 
-EOF - VPN_DNS_NAME="" - fi -fi - -if [ -n "$VPN_DNS_NAME" ]; then - server_addr="$VPN_DNS_NAME" -else - echo - echo 'Trying to auto discover IP of this server...' - # In case auto IP discovery fails, manually define the public IP - # of this server in your 'env' file, as variable 'VPN_PUBLIC_IP'. - public_ip=${VPN_PUBLIC_IP:-''} - check_ip "$public_ip" || public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) - check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ipv4.icanhazip.com) - check_ip "$public_ip" || public_ip=$(wget -t 2 -T 10 -qO- http://ip1.dynupdate.no-ip.com) - check_ip "$public_ip" || exiterr "Cannot detect this server's public IP. Define it in your 'env' file as 'VPN_PUBLIC_IP'." - server_addr="$public_ip" -fi - -L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'} -L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'} -L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'} -XAUTH_NET=${VPN_XAUTH_NET:-'192.168.43.0/24'} -XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'} -DNS_SRV1=${VPN_DNS_SRV1:-'8.8.8.8'} -DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'} -DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\"" -[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1" - -if [ -n "$VPN_DNS_SRV1" ] && [ -n "$VPN_DNS_SRV2" ]; then - echo - echo "Setting DNS servers to $VPN_DNS_SRV1 and $VPN_DNS_SRV2..." -elif [ -n "$VPN_DNS_SRV1" ]; then - echo - echo "Setting DNS server to $VPN_DNS_SRV1..." -fi - -sha2_truncbug=no -case $VPN_SHA2_TRUNCBUG in - [yY][eE][sS]) - echo - echo "Setting sha2-truncbug to yes in ipsec.conf..." 
- sha2_truncbug=yes - ;; -esac -disable_ipsec_l2tp=no -case $VPN_DISABLE_IPSEC_L2TP in - [yY][eE][sS]) - disable_ipsec_l2tp=yes - ;; -esac -disable_ipsec_xauth=no -case $VPN_DISABLE_IPSEC_XAUTH in - [yY][eE][sS]) - disable_ipsec_xauth=yes - ;; -esac -case $VPN_IKEV2_ONLY in - [yY][eE][sS]) - disable_ipsec_l2tp=yes - disable_ipsec_xauth=yes - ;; -esac -ike_algs="aes256-sha2;modp2048,aes128-sha2;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048" -ike_algs_addl_1=",aes256-sha2;modp1024,aes128-sha1;modp1024" -ike_algs_addl_2=",aes256-sha2;modp1536,aes128-sha1;modp1536" -case $VPN_ENABLE_MODP1024 in - [yY][eE][sS]) - echo - echo "Enabling modp1024 in ipsec.conf..." - ike_algs="$ike_algs$ike_algs_addl_1" - ;; -esac -case $VPN_ENABLE_MODP1536 in - [yY][eE][sS]) - echo - echo "Enabling modp1536 in ipsec.conf..." - ike_algs="$ike_algs$ike_algs_addl_2" - ;; -esac - -if [ "$disable_ipsec_l2tp" = yes ] && [ "$disable_ipsec_xauth" = yes ]; then -cat <<'EOF' - -Note: Running in IKEv2-only mode via env file option. - IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes are disabled. -EOF - if ! grep -q " /etc/ipsec.d " /proc/mounts; then -cat <<'EOF' - -Warning: /etc/ipsec.d not mounted. IKEv2 setup requires a Docker volume - mounted at /etc/ipsec.d. -EOF - fi -elif [ "$disable_ipsec_l2tp" = yes ]; then -cat <<'EOF' - -Note: IPsec/L2TP mode is disabled via env file option. -EOF -elif [ "$disable_ipsec_xauth" = yes ]; then -cat <<'EOF' - -Note: IPsec/XAuth ("Cisco IPsec") mode is disabled via env file option. 
-EOF -fi - -# Create IPsec config -cat > /etc/ipsec.conf <> /etc/ipsec.conf <<'EOF' -conn l2tp-psk - auto=add - leftprotoport=17/1701 - rightprotoport=17/%any - type=transport - also=shared - -EOF -fi -if [ "$disable_ipsec_xauth" != yes ]; then -cat >> /etc/ipsec.conf <> /etc/ipsec.conf <<'EOF' -include /etc/ipsec.d/*.conf -EOF - -if uname -r | grep -qi 'coreos'; then - sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf -fi -if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then - sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf -fi - -# Specify IPsec PSK -cat > /etc/ipsec.secrets < /etc/xl2tpd/xl2tpd.conf < /etc/ppp/options.xl2tpd <> /etc/ppp/options.xl2tpd < /etc/ppp/chap-secrets < /etc/ipsec.d/passwd <> /etc/ppp/chap-secrets <> /etc/ipsec.d/passwd </dev/null -$syt kernel.msgmax=65536 2>/dev/null -$syt net.ipv4.ip_forward=1 2>/dev/null -$syt net.ipv4.conf.all.accept_redirects=0 2>/dev/null -$syt net.ipv4.conf.all.send_redirects=0 2>/dev/null -$syt net.ipv4.conf.all.rp_filter=0 2>/dev/null -$syt net.ipv4.conf.default.accept_redirects=0 2>/dev/null -$syt net.ipv4.conf.default.send_redirects=0 2>/dev/null -$syt net.ipv4.conf.default.rp_filter=0 2>/dev/null -$syt "net.ipv4.conf.$NET_IFACE.send_redirects=0" 2>/dev/null -$syt "net.ipv4.conf.$NET_IFACE.rp_filter=0" 2>/dev/null -$syt net.ipv4.tcp_rmem="4096 87380 16777216" 2>/dev/null -$syt net.ipv4.tcp_wmem="4096 87380 16777216" 2>/dev/null -if modprobe -q tcp_bbr 2>/dev/null \ - && printf '%s\n%s' "4.20" "$(uname -r)" | sort -C -V; then - $syt net.ipv4.tcp_congestion_control=bbr 2>/dev/null -fi - -# Create IPTables rules -ipi='iptables -I INPUT' -ipf='iptables -I FORWARD' -ipp='iptables -t nat -I POSTROUTING' -res='RELATED,ESTABLISHED' -if ! 
iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null; then - $ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP - $ipi 2 -m conntrack --ctstate INVALID -j DROP - $ipi 3 -m conntrack --ctstate "$res" -j ACCEPT - $ipi 4 -p udp -m multiport --dports 500,7860 -j ACCEPT - $ipi 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT - $ipi 6 -p udp --dport 1701 -j DROP - $ipf 1 -m conntrack --ctstate INVALID -j DROP - $ipf 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate "$res" -j ACCEPT - $ipf 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT - $ipf 4 -i ppp+ -o ppp+ -j ACCEPT - $ipf 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate "$res" -j ACCEPT - $ipf 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT - $ipf 7 -s "$XAUTH_NET" -o ppp+ -j ACCEPT - # Client-to-client traffic is allowed by default. To *disallow* such traffic, - # uncomment below and restart the Docker container. - # $ipf 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP - # $ipf 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP - # $ipf 4 -i ppp+ -d "$XAUTH_NET" -j DROP - # $ipf 5 -s "$XAUTH_NET" -o ppp+ -j DROP - iptables -A FORWARD -j DROP - $ipp -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE - $ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE -fi - -case $VPN_ANDROID_MTU_FIX in - [yY][eE][sS]) - echo - echo "Applying fix for Android MTU/MSS issues..." - iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in \ - -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \ - -j TCPMSS --set-mss 1360 - iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out \ - -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \ - -j TCPMSS --set-mss 1360 - echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc - ;; -esac - -# Update file attributes -chmod 600 /etc/ipsec.secrets /etc/ppp/chap-secrets /etc/ipsec.d/passwd - -echo -echo "Starting IPsec service..." 
-mkdir -p /run/pluto /var/run/pluto -rm -f /run/pluto/pluto.pid /var/run/pluto/pluto.pid -if [ "$os_type" = "alpine" ]; then - sed -i '1c\#!/sbin/openrc-run' /etc/init.d/ipsec - rc-status >/dev/null 2>&1 - rc-service ipsec zap >/dev/null - rc-service -D ipsec start >/dev/null 2>&1 - mkdir -p /etc/crontabs - cron_cmd="rc-service -c -D ipsec zap start" -if ! grep -qs "$cron_cmd" /etc/crontabs/root; then -cat >> /etc/crontabs/root </dev/null 2>&1 -fi - -if [ -n "$VPN_DNS_NAME" ]; then - server_text="Server" -else - server_text="Server IP" -fi - -if [ "$disable_ipsec_l2tp" != yes ] || [ "$disable_ipsec_xauth" != yes ]; then -cat <"$ikev2_log" 2>&1; then - status=1 - status_text="IKEv2 setup successful." - else - status=4 - rm -f "$ikev2_conf" - echo "IKEv2 setup failed." - fi - chmod 600 "$ikev2_log" -fi -if [ "$status" = 0 ] && [ -f "$ikev2_conf" ] && [ -s "$ikev2_log" ]; then - status=2 - status_text="IKEv2 is already set up." -fi -if [ "$status" = 1 ] || [ "$status" = 2 ]; then -cat </dev/null) - swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//') - base_url="https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0" - swan_ver_url="$base_url/upg-docker-$os_type-$os_arch-swanver" - swan_ver_latest=$(wget -t 2 -T 10 -qO- "$swan_ver_url" | head -n 1) - if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \ - && [ -n "$swan_ver" ] && [ "$swan_ver" != "$swan_ver_latest" ] \ - && printf '%s\n%s' "$swan_ver" "$swan_ver_latest" | sort -C -V; then -cat <