Light version

Dockerfile

@@ -17,7 +17,6 @@ RUN \
   echo "**** install build packages ****" && \
   apk add --no-cache --virtual=build-dependencies \
     build-base \
-    cargo \
     libffi-dev \
     libxml2-dev \
     libxslt-dev \
@@ -27,57 +26,10 @@ RUN \
   apk add --no-cache \
     fail2ban \
     gnupg \
-    memcached \
     nginx-mod-http-brotli \
-    nginx-mod-http-dav-ext \
-    nginx-mod-http-echo \
-    nginx-mod-http-fancyindex \
-    nginx-mod-http-geoip2 \
-    nginx-mod-http-headers-more \
-    nginx-mod-http-image-filter \
-    nginx-mod-http-perl \
-    nginx-mod-http-redis2 \
-    nginx-mod-http-set-misc \
-    nginx-mod-http-upload-progress \
-    nginx-mod-http-xslt-filter \
-    nginx-mod-mail \
-    nginx-mod-rtmp \
-    nginx-mod-stream \
-    nginx-mod-stream-geoip2 \
-    nginx-vim \
-    php83-bcmath \
-    php83-bz2 \
-    php83-dom \
-    php83-exif \
-    php83-ftp \
-    php83-gd \
-    php83-gmp \
-    php83-imap \
-    php83-intl \
-    php83-ldap \
-    php83-mysqli \
-    php83-mysqlnd \
-    php83-opcache \
-    php83-pdo_mysql \
-    php83-pdo_odbc \
-    php83-pdo_pgsql \
-    php83-pdo_sqlite \
-    php83-pear \
-    php83-pecl-apcu \
-    php83-pecl-memcached \
-    php83-pecl-redis \
-    php83-pgsql \
-    php83-posix \
-    php83-soap \
-    php83-sockets \
-    php83-sodium \
-    php83-sqlite3 \
-    php83-tokenizer \
-    php83-xmlreader \
-    php83-xsl \
     whois && \
   apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community \
-    php83-pecl-mcrypt && \
+  && \
   echo "**** install certbot plugins ****" && \
   if [ -z ${CERTBOT_VERSION+x} ]; then \
     CERTBOT_VERSION=$(curl -sL  https://pypi.python.org/pypi/certbot/json |jq -r '. | .info.version'); \
@@ -88,50 +40,6 @@ RUN \
     wheel && \
   pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.19/ \
     certbot==${CERTBOT_VERSION} \
-    certbot-dns-acmedns \
-    certbot-dns-aliyun \
-    certbot-dns-azure \
-    certbot-dns-bunny \
-    certbot-dns-cloudflare \
-    certbot-dns-cpanel \
-    certbot-dns-desec \
-    certbot-dns-digitalocean \
-    certbot-dns-directadmin \
-    certbot-dns-dnsimple \
-    certbot-dns-dnsmadeeasy \
-    certbot-dns-dnspod \
-    certbot-dns-do \
-    certbot-dns-domeneshop \
-    certbot-dns-dreamhost \
-    certbot-dns-duckdns \
-    certbot-dns-dynudns \
-    certbot-dns-freedns \
-    certbot-dns-gehirn \
-    certbot-dns-glesys \
-    certbot-dns-godaddy \
-    certbot-dns-google \
-    certbot-dns-google-domains \
-    certbot-dns-he \
-    certbot-dns-hetzner \
-    certbot-dns-infomaniak \
-    certbot-dns-inwx \
-    certbot-dns-ionos \
-    certbot-dns-linode \
-    certbot-dns-loopia \
-    certbot-dns-luadns \
-    certbot-dns-namecheap \
-    certbot-dns-netcup \
-    certbot-dns-njalla \
-    certbot-dns-nsone \
-    certbot-dns-ovh \
-    certbot-dns-porkbun \
-    certbot-dns-rfc2136 \
-    certbot-dns-route53 \
-    certbot-dns-sakuracloud \
-    certbot-dns-standalone \
-    certbot-dns-transip \
-    certbot-dns-vultr \
-    certbot-plugin-gandi \
     cryptography \
     future \
     requests && \
@@ -172,8 +80,31 @@ RUN \
     /defaults/nginx/proxy-confs --strip-components=1 --exclude=linux*/.editorconfig --exclude=linux*/.gitattributes --exclude=linux*/.github --exclude=linux*/.gitignore --exclude=linux*/LICENSE && \
   echo "**** cleanup ****" && \
   apk del --purge \
-    build-dependencies && \
+    build-dependencies \
+    php83 \
+    php83-ctype \
+    php83-curl \
+    php83-fileinfo \
+    php83-fpm \
+    php83-iconv \
+    php83-json \
+    php83-mbstring \
+    php83-openssl \
+    php83-phar \
+    php83-session \
+    php83-simplexml \
+    php83-xml \
+    php83-xmlwriter \
+    php83-zip \
+    php83-zlib && \
   rm -rf \
+    /etc/s6-overlay/s6-rc.d/init-php/ \
+    /etc/s6-overlay/s6-rc.d/svc-php-fpm/ \
+    /etc/s6-overlay/s6-rc.d/user/contents.d/svc-php-fpm \
+    /etc/s6-overlay/s6-rc.d/user/contents.d/init-php \
+    /etc/s6-overlay/s6-rc.d/init-keygen/dependencies.d/init-php \
+    /etc/logrotate.d/php-fpm \
+    ./config/php \
     /tmp/* \
     $HOME/.cache \
     $HOME/.cargo

Dockerfile.aarch64

@@ -45,39 +45,8 @@ RUN \
     nginx-mod-stream \
     nginx-mod-stream-geoip2 \
     nginx-vim \
-    php83-bcmath \
-    php83-bz2 \
-    php83-dom \
-    php83-exif \
-    php83-ftp \
-    php83-gd \
-    php83-gmp \
-    php83-imap \
-    php83-intl \
-    php83-ldap \
-    php83-mysqli \
-    php83-mysqlnd \
-    php83-opcache \
-    php83-pdo_mysql \
-    php83-pdo_odbc \
-    php83-pdo_pgsql \
-    php83-pdo_sqlite \
-    php83-pear \
-    php83-pecl-apcu \
-    php83-pecl-memcached \
-    php83-pecl-redis \
-    php83-pgsql \
-    php83-posix \
-    php83-soap \
-    php83-sockets \
-    php83-sodium \
-    php83-sqlite3 \
-    php83-tokenizer \
-    php83-xmlreader \
-    php83-xsl \
     whois && \
   apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community \
-    php83-pecl-mcrypt && \
   echo "**** install certbot plugins ****" && \
   if [ -z ${CERTBOT_VERSION+x} ]; then \
     CERTBOT_VERSION=$(curl -sL  https://pypi.python.org/pypi/certbot/json |jq -r '. | .info.version'); \

readme-vars.yml

@@ -51,6 +51,8 @@ opt_param_env_vars:
   - { env_var: "SUBDOMAINS", env_value: "www,", desc: "Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this *exactly* to `wildcard` (wildcard cert is available via `dns` validation only)" }
   - { env_var: "CERTPROVIDER", env_value: "", desc: "Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt." }
   - { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `bunny`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `dreamhost`, `duckdns`, `dynudns`, `freedns`, `gandi`, `gehirn`, `glesys`, `godaddy`, `google`, `google-domains`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `namecheap`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." }
+  - { env_var: "ACMESERVER", env_value: "", desc: "The URL of a custom ACME server to use." }
+  - { env_var: "ACMECABUNDLE", env_value: "", desc: "A base64-encoded PEM file containing a CA bundle to trust, for use with an internal ACME CA. Required for a custom ACME CA." }
   - { env_var: "PROPAGATION", env_value: "", desc: "Optionally override (in seconds) the default propagation time for the dns plugins." }
   - { env_var: "EMAIL", env_value: "", desc: "Optional e-mail address used for cert expiration notifications (Required for ZeroSSL)." }
   - { env_var: "ONLY_SUBDOMAINS", env_value: "false", desc: "If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true`" }
@@ -184,6 +186,7 @@ changelogs:
   - { date: "07.08.23:", desc: "Add Bunny DNS Configuration." }
   - { date: "27.07.23:", desc: "Added support for dreamhost validation." }
   - { date: "25.05.23:", desc: "Rebase to Alpine 3.18, deprecate armhf." }
+  - { date: "21.05.23:", desc: "Allow custom ACME servers. Supply URL and CA bundle" }
   - { date: "27.04.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-location.conf, authelia-server.conf, authentik-location.conf, authentik-server.conf - Simplify auth configs and fix Set-Cookie header bug." }
   - { date: "13.04.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, authelia-location.conf, authentik-location.conf, and site-confs/default.conf - Move ssl.conf include to default.conf. Remove Authorization headers in authelia. Sort proxy_set_header in authelia and authentik." }
   - { date: "25.03.23:", desc: "Fix renewal post hook." }

root/app/le-renew.sh

@@ -1,6 +1,10 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
 
+if [[ -f "/config/cabundle.pem" ]]; then
+	export REQUESTS_CA_BUNDLE="/config/cabundle.pem"
+fi
+
 echo "<------------------------------------------------->"
 echo
 echo "<------------------------------------------------->"

root/defaults/nginx/site-confs/default.conf.sample

@@ -20,7 +20,7 @@ server {
     include /config/nginx/ssl.conf;
 
     root /config/www;
-    index index.html index.htm index.php;
+    index index.html index.htm;
 
     # enable subfolder method reverse proxy confs
     include /config/nginx/proxy-confs/*.subfolder.conf;
@@ -48,28 +48,7 @@ server {
         # enable for Authentik (requires authentik-server.conf in the server block)
         #include /config/nginx/authentik-location.conf;
 
-        try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
-    }
-
-    location ~ ^(.+\.php)(.*)$ {
-        # enable the next two lines for http auth
-        #auth_basic "Restricted";
-        #auth_basic_user_file /config/nginx/.htpasswd;
-
-        # enable for ldap auth (requires ldap-server.conf in the server block)
-        #include /config/nginx/ldap-location.conf;
-
-        # enable for Authelia (requires authelia-server.conf in the server block)
-        #include /config/nginx/authelia-location.conf;
-
-        # enable for Authentik (requires authentik-server.conf in the server block)
-        #include /config/nginx/authentik-location.conf;
-
-        fastcgi_split_path_info ^(.+\.php)(.*)$;
-        if (!-f $document_root$fastcgi_script_name) { return 404; }
-        fastcgi_pass 127.0.0.1:9000;
-        fastcgi_index index.php;
-        include /etc/nginx/fastcgi_params;
+        try_files $uri $uri/ /index.html;
     }
 
     # deny access to .htaccess/.htpasswd files

root/etc/s6-overlay/s6-rc.d/init-certbot-config/run

@@ -12,6 +12,8 @@ EXTRA_DOMAINS=${EXTRA_DOMAINS}\\n\
 ONLY_SUBDOMAINS=${ONLY_SUBDOMAINS}\\n\
 VALIDATION=${VALIDATION}\\n\
 CERTPROVIDER=${CERTPROVIDER}\\n\
+ACMESERVER=${ACMESERVER}\\n\
+ACMECABUNDLE=${ACMECABUNDLE}\\n\
 DNSPLUGIN=${DNSPLUGIN}\\n\
 EMAIL=${EMAIL}\\n\
 STAGING=${STAGING}\\n"
@@ -81,7 +83,7 @@ if [[ -f "/config/donoteditthisfile.conf" ]]; then
     mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
 fi
 if [[ ! -f "/config/.donoteditthisfile.conf" ]]; then
-    echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
+    echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\"  ORIGACMESERVER=\"$ACMESERVER\" ORIGACMECABUNDLE=\"$ACMECABUNDLE\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
     echo "Created .donoteditthisfile.conf"
 fi
 
@@ -214,10 +216,10 @@ if [[ ! "${URL}" = "${ORIGURL}" ]] ||
 fi
 
 # saving new variables
-echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
+echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGACMESERVER=\"$ACMESERVER\" ORIGACMECABUNDLE=\"$ACMECABUNDLE\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
 
 # Check if the cert is using the old LE root cert, revoke and regen if necessary
-if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "letsencrypt" ]] || [[ "${CERTPROVIDER}" == "" ]]; } && [[ "${STAGING}" != "true" ]] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
+if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "letsencrypt" ]] || ([[ "${CERTPROVIDER}" == "" ]] && [[ -z "$ACMECABUNDLE" ]]); } && [[ "${STAGING}" != "true" ]] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
     echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
     REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
     if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
@@ -232,12 +234,24 @@ fi
 if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ "${STAGING}" = "true" ]]; then
     echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
 fi
+if [[ "${CERTPROVIDER}" = "custom" ]] && [[ "${STAGING}" = "true" ]]; then
+    echo "Custom ACME does not support staging mode, ignoring STAGING variable"
+fi
 if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then
     echo "ZeroSSL is selected as the cert provider, registering cert with ${EMAIL}"
     ACMESERVER="https://acme.zerossl.com/v2/DV90"
 elif [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -z "${EMAIL}" ]]; then
     echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable"
     sleep infinity
+elif [[ "${CERTPROVIDER}" = "custom" ]] && [[ -n "${EMAIL}" ]]; then
+    echo "Using $ACMESERVER as the cert provider; registering cert with $EMAIL"
+    if [ -n "$ACMECABUNDLE" ]; then
+        echo "$ACMECABUNDLE" | base64 -d - > /config/cabundle.pem
+        export REQUESTS_CA_BUNDLE="/config/cabundle.pem"
+    fi
+elif [[ "${CERTPROVIDER}" = "custom" ]] && [[ -z "${EMAIL}" ]]; then
+    echo "A custom ACME server is selected as the cert provider, but the e-email address has not been entered."
+    sleep infinity
 elif [[ "${STAGING}" = "true" ]]; then
     echo "NOTICE: Staging is active"
     echo "Using Let's Encrypt as the cert provider"