From a1fcbd4b83dee9c754479af9e4fcbc09c5128eca Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Mon, 21 Jun 2021 18:27:12 +0200
Subject: [PATCH] fix actions and configure
---
 .../build-bunkerized-nginx-autoconf.yml | 21 ++++---------
 .../workflows/build-bunkerized-nginx-ui.yml | 21 ++++---------
 .github/workflows/build-bunkerized-nginx.yml | 30 +++++--------------
 helpers/dependencies.sh | 5 +++-
 helpers/install.sh | 10 ++++++-
 tests/linux.sh | 18 ++++++++---
 6 files changed, 47 insertions(+), 58 deletions(-)
diff --git a/.github/workflows/build-bunkerized-nginx-autoconf.yml b/.github/workflows/build-bunkerized-nginx-autoconf.yml
index 6f4724c..3279cb1 100644
--- a/.github/workflows/build-bunkerized-nginx-autoconf.yml
+++ b/.github/workflows/build-bunkerized-nginx-autoconf.yml
@@ -46,7 +46,7 @@ jobs:
 file: autoconf/Dockerfile
 platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
 push: false
- tags: bunkerity/bunkerized-nginx-autoconf:dev
+ tags: bunkerized-nginx-autoconf
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache-new
 
@@ -64,23 +64,13 @@ jobs:
 file: autoconf/Dockerfile
 platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
 push: false
- tags: bunkerity/bunkerized-nginx-autoconf:latest,bunkerity/bunkerized-nginx-autoconf:${{ env.VERSION }}
+ tags: bunkerized-nginx-autoconf
+ cache-to: type=local,dest=/tmp/.buildx-cache-master
- - name: Run Trivy security scanner (dev)
- if: github.ref == 'refs/heads/dev'
+ - name: Run Trivy security scanner
 uses: aquasecurity/trivy-action@master
 with:
- image-ref: 'bunkerity/bunkerized-nginx-autoconf:dev'
- format: 'table'
- exit-code: '1'
- ignore-unfixed: true
- severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
-
- - name: Run Trivy security scanner (master)
- if: github.ref == 'refs/heads/master'
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: 'bunkerity/bunkerized-nginx-autoconf'
+ image-ref: 'bunkerized-nginx-autoconf'
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
@@ -106,3 +96,4 @@ jobs:
 platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
 push: true
 tags: bunkerity/bunkerized-nginx-autoconf:latest,bunkerity/bunkerized-nginx-autoconf:${{ env.VERSION }}
+ cache-from: type=local,src=/tmp/.buildx-cache-master
diff --git a/.github/workflows/build-bunkerized-nginx-ui.yml b/.github/workflows/build-bunkerized-nginx-ui.yml
index 0098b19..3d59c79 100644
--- a/.github/workflows/build-bunkerized-nginx-ui.yml
+++ b/.github/workflows/build-bunkerized-nginx-ui.yml
@@ -46,7 +46,7 @@ jobs:
 file: ui/Dockerfile
 platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
 push: false
- tags: bunkerity/bunkerized-nginx-ui:dev
+ tags: bunkerized-nginx-ui
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache-new
 
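Review bot: The merged Trivy step in the `@@ -64,23 +64,13 @@` hunk scans `image-ref: 'bunkerized-nginx-autoconf'`, a name that only resolves if the preceding buildx step exported the image to the local daemon; with `push: false` and a multi-platform `platforms:` list the image is normally kept in the build cache only (a `load:` input, if one exists outside the hunk, accepts a single platform), so Trivy would fall back to pulling `docker.io/library/bunkerized-nginx-autoconf` and the step fails instead of scanning what was just built. The same question applies to the ui and nginx workflows, including `run: docker run bunkerized-nginx test` in build-bunkerized-nginx.yml; if a run confirms it, build the scanned image with `platforms: linux/amd64` and `load: true` and keep the multi-platform list for the push step. Separately, `uses: aquasecurity/trivy-action@master` is a mutable ref, so the scanner that gates the build can change between runs; pin it to a release tag or commit, e.g. `uses: aquasecurity/trivy-action@<COMMIT_SHA>`.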
@@ -64,23 +64,13 @@ jobs:
 file: ui/Dockerfile
 platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
 push: false
- tags: bunkerity/bunkerized-nginx-ui:latest,bunkerity/bunkerized-nginx-ui:${{ env.VERSION }}
+ tags: bunkerized-nginx-ui
+ cache-to: type=local,dest=/tmp/.buildx-cache-master
- - name: Run Trivy security scanner (dev)
- if: github.ref == 'refs/heads/dev'
+ - name: Run Trivy security scanner
 uses: aquasecurity/trivy-action@master
 with:
- image-ref: 'bunkerity/bunkerized-nginx-ui:dev'
- format: 'table'
- exit-code: '1'
- ignore-unfixed: true
- severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
-
- - name: Run Trivy security scanner (master)
- if: github.ref == 'refs/heads/master'
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: 'bunkerity/bunkerized-nginx-ui'
+ image-ref: 'bunkerized-nginx-ui'
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
@@ -106,3 +96,4 @@ jobs:
 platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
 push: true
 tags: bunkerity/bunkerized-nginx-ui:latest,bunkerity/bunkerized-nginx-ui:${{ env.VERSION }}
+ cache-from: type=local,src=/tmp/.buildx-cache-master
diff --git a/.github/workflows/build-bunkerized-nginx.yml b/.github/workflows/build-bunkerized-nginx.yml
index be8fc55..a7908e7 100644
--- a/.github/workflows/build-bunkerized-nginx.yml
+++ b/.github/workflows/build-bunkerized-nginx.yml
@@ -45,7 +45,7 @@ jobs:
 context: .
 platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
 push: false
- tags: bunkerity/bunkerized-nginx:dev
+ tags: bunkerized-nginx
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache-new
 
@@ -62,31 +62,16 @@ jobs:
 context: .
 platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
 push: false
- tags: bunkerity/bunkerized-nginx:latest,bunkerity/bunkerized-nginx:${{ env.VERSION }}
+ tags: bunkerized-nginx
+ cache-to: type=local,dest=/tmp/.buildx-cache-master
- - name: Run autotest (dev)
- if: github.ref == 'refs/heads/dev'
- run: docker run bunkerity/bunkerized-nginx:dev test
+ - name: Run autotest
+ run: docker run bunkerized-nginx test
- - name: Run autotest (master)
- if: github.ref == 'refs/heads/master'
- run: docker run bunkerity/bunkerized-nginx test
-
- - name: Run Trivy security scanner (dev)
- if: github.ref == 'refs/heads/dev'
+ - name: Run Trivy security scanner
 uses: aquasecurity/trivy-action@master
 with:
- image-ref: 'bunkerity/bunkerized-nginx:dev'
- format: 'table'
- exit-code: '1'
- ignore-unfixed: true
- severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
-
- - name: Run Trivy security scanner (master)
- if: github.ref == 'refs/heads/master'
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: 'bunkerity/bunkerized-nginx'
+ image-ref: 'bunkerized-nginx'
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
@@ -110,3 +95,4 @@ jobs:
 platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
 push: true
 tags: bunkerity/bunkerized-nginx:latest,bunkerity/bunkerized-nginx:${{ env.VERSION }}
+ cache-from: type=local,src=/tmp/.buildx-cache-master
diff --git a/helpers/dependencies.sh b/helpers/dependencies.sh
index 927f5b9..75e7d72 100644
--- a/helpers/dependencies.sh
+++ b/helpers/dependencies.sh
@@ -527,7 +527,10 @@ CHANGE_DIR="/tmp/bunkerized-nginx" do_and_check_cmd tar -xvzf nginx-${NGINX_VERS
 echo "[*] Compile dynamic modules"
 CONFARGS="$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p')"
 CONFARGS="${CONFARGS/-Os -fomit-frame-pointer -g/-Os}"
-CHANGE_DIR="/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}" LUAJIT_LIB="/usr/local/lib/" LUAJIT_INC="/usr/local/include/luajit-2.1" do_and_check_cmd ./configure $CONFARGS --add-dynamic-module=/tmp/bunkerized-nginx/ModSecurity-nginx --add-dynamic-module=/tmp/bunkerized-nginx/headers-more-nginx-module --add-dynamic-module=/tmp/bunkerized-nginx/ngx_http_geoip2_module --add-dynamic-module=/tmp/bunkerized-nginx/nginx_cookie_flag_module --add-dynamic-module=/tmp/bunkerized-nginx/lua-nginx-module --add-dynamic-module=/tmp/bunkerized-nginx/ngx_brotli
+echo "\#/bin/sh" > "/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}/configure-fix.sh"
+echo "./configure $CONFARGS --add-dynamic-module=/tmp/bunkerized-nginx/ModSecurity-nginx --add-dynamic-module=/tmp/bunkerized-nginx/headers-more-nginx-module --add-dynamic-module=/tmp/bunkerized-nginx/ngx_http_geoip2_module --add-dynamic-module=/tmp/bunkerized-nginx/nginx_cookie_flag_module --add-dynamic-module=/tmp/bunkerized-nginx/lua-nginx-module --add-dynamic-module=/tmp/bunkerized-nginx/ngx_brotli" >> "/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}/configure-fix.sh"
+do_and_check_cmd chmod +x "/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}/configure-fix.sh"
+CHANGE_DIR="/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}" LUAJIT_LIB="/usr/local/lib/" LUAJIT_INC="/usr/local/include/luajit-2.1" do_and_check_cmd ./configure-fix.sh
 CHANGE_DIR="/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}" do_and_check_cmd make -j $NTASK modules
 if [ "$OS" = "centos" ] ; then
 CHANGE_DIR="/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}" do_and_check_cmd cp ./objs/*.so /usr/lib64/nginx/modules
diff --git a/helpers/install.sh b/helpers/install.sh
index 4bc249a..75c572c 100644
--- a/helpers/install.sh
+++ b/helpers/install.sh
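Review bot: The first line written to configure-fix.sh is the literal text `\#/bin/sh`: inside double quotes bash keeps the backslash before `#`, and a shebang needs `#!` in any case, so the generated file has no valid interpreter line. Running `./configure-fix.sh` then depends on the calling shell's script fallback after the kernel rejects the file, which works by accident and hinges on how do_and_check_cmd invokes commands; write `echo "#!/bin/sh" > "/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}/configure-fix.sh"` instead. The reason for the wrapper is not stated; presumably it lets a shell re-parse the quoting inside `$CONFARGS` (taken from `nginx -V`), which the removed `./configure $CONFARGS` only word-split, and a one-line comment to that effect, e.g. `# run configure from a script so the quotes inside CONFARGS are parsed by sh`, would spare the next reader the puzzle.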
@@ -93,12 +93,19 @@ fi
 # Clone the repo
 echo "[*] Clone bunkerity/bunkerized-nginx"
-CHANGE_DIR="/tmp" do_and_check_cmd git_secure_clone https://github.com/bunkerity/bunkerized-nginx.git 93543d3962473af42eb0295868f8ac4184d8eeca
+#CHANGE_DIR="/tmp" do_and_check_cmd git_secure_clone https://github.com/bunkerity/bunkerized-nginx.git 09a2a4f9e531b93684b0916a5146091a818501d3
+# TODO : do a secure clone
+CHANGE_DIR="/tmp" do_and_check_cmd git clone https://github.com/bunkerity/bunkerized-nginx.git
+CHANGE_DIR="/tmp/bunkerized-nginx" do_and_check_cmd git checkout dev
 # Copy generator
 echo "[*] Copy generator"
 do_and_check_cmd cp -r /tmp/bunkerized-nginx/gen /opt/bunkerized-nginx
+# Copy entrypoint
+echo "[*] Copy entrypoint"
+do_and_check_cmd cp -r /tmp/bunkerized-nginx/entrypoint /opt/bunkerized-nginx
+
 # Copy configs
 echo "[*] Copy configs"
 do_and_check_cmd cp -r /tmp/bunkerized-nginx/confs /opt/bunkerized-nginx
@@ -191,6 +198,7 @@ do_and_check_cmd find /opt -type d -exec chmod 0750 {} \;
 do_and_check_cmd chmod 770 /opt/bunkerized-nginx/cache
 do_and_check_cmd chmod 770 /opt/bunkerized-nginx/acme-challenge
 do_and_check_cmd chmod 750 /opt/bunkerized-nginx/scripts/*
+do_and_check_cmd chmod 750 /opt/bunkerized-nginx/entrypoint/*
 # Install cron
 echo "[*] Add jobs to crontab"
diff --git a/tests/linux.sh b/tests/linux.sh
index 4014668..fd49027 100755
--- a/tests/linux.sh
+++ b/tests/linux.sh
@@ -1,11 +1,16 @@
-#!/bin/sh
+#!/bin/bash
+
+function cleanup() {
+ docker kill "$1"
+}
 image="$1"
 echo "[*] Run $image"
-id="$(docker run -d -it "$image")"
+id="$(docker run --rm -d -it "$image")"
 if [ $? -ne 0 ] ; then
 echo "[!] docker run failed"
+ cleanup "$id"
 exit 1
 fi
@@ -13,6 +18,7 @@ echo "[*] Copy dependencies.sh"
 docker cp helpers/dependencies.sh "$id:/tmp"
 if [ $? -ne 0 ] ; then
 echo "[!] docker cp failed"
+ cleanup "$id"
 exit 2
 fi
 
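Review bot: The pinned `git_secure_clone ... 93543d3962473af42eb0295868f8ac4184d8eeca` call in the `@@ -93,12 +93,19 @@` hunk is replaced by an unpinned `git clone` followed by `git checkout dev`, so the installer now executes whatever the `dev` branch tip holds at install time: installs stop being reproducible, and any change pushed to that branch, intended or not, lands in /opt/bunkerized-nginx on every new install without any check. Until the `# TODO : do a secure clone` is resolved, check out a fixed commit, `CHANGE_DIR="/tmp/bunkerized-nginx" do_and_check_cmd git checkout <COMMIT_SHA>`, which keeps the pinning the removed line provided even without the integrity check of git_secure_clone. The commented-out line above it names a different commit (09a2a4f9e531b93684b0916a5146091a818501d3) than the one removed, so it does not record what was replaced; either turn it into the pinned checkout or drop it.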
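Review bot: In the `@@ -1,11 +1,16 @@` hunk of tests/linux.sh, `cleanup "$id"` after a failed `docker run` executes `docker kill ""`, because `$id` is empty whenever that branch is taken; the same call is then repeated before every `exit` in the following hunks of this file. A single `trap '[ -n "$id" ] && docker kill "$id"' EXIT` placed after `image="$1"` covers every exit path (the added `--rm` removes the container once it is killed) and lets the per-branch `cleanup` calls and the renumbered exit codes stand on their own. If the function stays, make `[ -n "$1" ] || return 0` its first line so the empty-id case is silent.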
@@ -20,6 +26,7 @@ echo "[*] Exec dependencies.sh"
 docker exec "$id" /bin/bash -c 'chmod +x /tmp/dependencies.sh && /tmp/dependencies.sh'
 if [ $? -ne 0 ] ; then
 echo "[!] docker exec failed"
+ cleanup "$id"
 exit 3
 fi
@@ -27,6 +34,7 @@ echo "[*] Copy install.sh"
 docker cp helpers/install.sh "$id:/tmp"
 if [ $? -ne 0 ] ; then
 echo "[!] docker cp failed"
+ cleanup "$id"
 exit 4
 fi
@@ -34,12 +42,14 @@ echo "[*] Exec install.sh"
 docker exec "$id" /bin/bash -c 'chmod +x /tmp/install.sh && /tmp/install.sh'
 if [ $? -ne 0 ] ; then
 echo "[!] docker exec failed"
- exit 4
+ cleanup "$id"
+ exit 5
 fi
 echo "[*] Exec nginx -V"
 docker exec "$id" nginx -V
 if [ $? -ne 0 ] ; then
 echo "[!] docker exec failed"
- exit 5
+ cleanup "$id"
+ exit 6
 fi