Bot Updating Package Versions

route53 no longer supports propagation

.editorconfig

@@ -15,6 +15,6 @@ trim_trailing_whitespace = false
 indent_style = space
 indent_size = 2
 
-[{**.sh,root/etc/cont-init.d/**,root/etc/services.d/**}]
+[{**.sh,root/etc/s6-overlay/s6-rc.d/**,root/etc/cont-init.d/**,root/etc/services.d/**}]
 indent_style = space
 indent_size = 4

.github/ISSUE_TEMPLATE/issue.bug.md

@@ -1,40 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-
----
-[linuxserverurl]: https://linuxserver.io
-[![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)][linuxserverurl]
-
-<!--- If you are new to Docker or this application our issue tracker is **ONLY** used for reporting bugs or requesting features. Please use [our discord server](https://discord.gg/YWrKVTn) for general support. --->
-
-<!--- Provide a general summary of the bug in the Title above -->
-
-------------------------------
-
-## Expected Behavior
-<!--- Tell us what should happen -->
-
-## Current Behavior
-<!--- Tell us what happens instead of the expected behavior -->
-
-## Steps to Reproduce
-<!--- Provide a link to a live example, or an unambiguous set of steps to -->
-<!--- reproduce this bug. Include code to reproduce, if relevant -->
-1.
-2.
-3.
-4.
-
-## Environment
-**OS:**
-**CPU architecture:** x86_64/arm32/arm64
-**How docker service was installed:**
-<!--- ie. from the official docker repo, from the distro repo, nas OS provided, etc. -->
-<!--- Providing context helps us come up with a solution that is most useful in the real world -->
-
-## Command used to create docker container (run/create/compose/screenshot)
-<!--- Provide your docker create/run command or compose yaml snippet, or a screenshot of settings if using a gui to create the container -->
-
-## Docker logs
-<!--- Provide a full docker log, output of "docker logs swag" -->

.github/ISSUE_TEMPLATE/issue.bug.yml

@@ -0,0 +1,77 @@
+# Based on the issue template
+name: Bug report
+description: Create a report to help us improve
+title: "[BUG] <title>"
+labels: [Bug]
+body:
+  - type: checkboxes
+    attributes:
+      label: Is there an existing issue for this?
+      description: Please search to see if an issue already exists for the bug you encountered.
+      options:
+        - label: I have searched the existing issues
+          required: true
+  - type: textarea
+    attributes:
+      label: Current Behavior
+      description: Tell us what happens instead of the expected behavior.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Expected Behavior
+      description: Tell us what should happen.
+    validations:
+      required: false
+  - type: textarea
+    attributes:
+      label: Steps To Reproduce
+      description: Steps to reproduce the behavior.
+      placeholder: |
+        1. In this environment...
+        2. With this config...
+        3. Run '...'
+        4. See error...
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Environment
+      description: |
+        examples:
+          - **OS**: Ubuntu 20.04
+          - **How docker service was installed**: distro's packagemanager
+      value: |
+        - OS:
+        - How docker service was installed:
+      render: markdown
+    validations:
+      required: false
+  - type: dropdown
+    attributes:
+      label: CPU architecture
+      options:
+        - x86-64
+        - arm64
+        - armhf
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Docker creation
+      description: |
+        Command used to create docker container
+        Provide your docker create/run command or compose yaml snippet, or a screenshot of settings if using a gui to create the container
+      render: bash
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      description: |
+        Provide a full docker log, output of "docker logs linuxserver.io"
+      label: Container logs
+      placeholder: |
+        Output of `docker logs linuxserver.io`
+      render: bash
+    validations:
+      required: true

.github/ISSUE_TEMPLATE/issue.feature.md

@@ -1,25 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-
----
-[linuxserverurl]: https://linuxserver.io
-[![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)][linuxserverurl]
-
-<!--- If you are new to Docker or this application our issue tracker is **ONLY** used for reporting bugs or requesting features. Please use [our discord server](https://discord.gg/YWrKVTn) for general support. --->
-
-<!--- If this acts as a feature request please ask yourself if this modification is something the whole userbase will benefit from --->
-<!--- If this is a specific change for corner case functionality or plugins please look at making a Docker Mod or local script  https://blog.linuxserver.io/2019/09/14/customizing-our-containers/ -->
-
-<!--- Provide a general summary of the request in the Title above -->
-
-------------------------------
-
-## Desired Behavior
-<!--- Tell us what should happen -->
-
-## Current Behavior
-<!--- Tell us what happens instead of the expected behavior -->
-
-## Alternatives Considered
-<!--- Tell us what other options you have tried or considered -->

.github/ISSUE_TEMPLATE/issue.feature.yml

@@ -0,0 +1,31 @@
+# Based on the issue template
+name: Feature request
+description: Suggest an idea for this project
+title: "[FEAT] <title>"
+labels: [enhancement]
+body:
+  - type: checkboxes
+    attributes:
+      label: Is this a new feature request?
+      description: Please search to see if a feature request already exists.
+      options:
+        - label: I have searched the existing issues
+          required: true
+  - type: textarea
+    attributes:
+      label: Wanted change
+      description: Tell us what you want to happen.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Reason for change
+      description: Justify your request, why do you want it, what is the benefit.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Proposed code change
+      description: Do you have a potential code change in mind?
+    validations:
+      required: false

.github/workflows/call_issue_pr_tracker.yml

@@ -0,0 +1,14 @@
+name: Issue & PR Tracker
+
+on:
+  issues:
+    types: [opened,reopened,labeled,unlabeled]
+  pull_request_target:
+    types: [opened,reopened,review_requested,review_request_removed,labeled,unlabeled]
+
+jobs:
+  manage-project:
+    permissions:
+      issues: write
+    uses: linuxserver/github-workflows/.github/workflows/issue-pr-tracker.yml@v1
+    secrets: inherit

.github/workflows/call_issues_cron.yml

@@ -0,0 +1,13 @@
+name: Mark stale issues and pull requests
+on:
+  schedule:
+    - cron:  '35 15 * * *'
+  workflow_dispatch:
+
+jobs:
+  stale:
+    permissions:
+      issues: write
+      pull-requests: write
+    uses: linuxserver/github-workflows/.github/workflows/issues-cron.yml@v1
+    secrets: inherit

.github/workflows/external_trigger.yml

@@ -7,7 +7,7 @@ jobs:
   external-trigger-master:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2.3.3
+      - uses: actions/checkout@v3.1.0
 
       - name: External Trigger
         if: github.ref == 'refs/heads/master'
@@ -48,8 +48,12 @@ jobs:
               | jq -r '.config.digest')
           image_info=$(curl -sL \
             --header "Authorization: Bearer ${token}" \
-            "https://ghcr.io/v2/${image}/blobs/${digest}" \
+            "https://ghcr.io/v2/${image}/blobs/${digest}")
-            | jq -r '.container_config')
+          if [[ $(echo $image_info | jq -r '.container_config') == "null" ]]; then
+            image_info=$(echo $image_info | jq -r '.config')
+          else
+            image_info=$(echo $image_info | jq -r '.container_config')
+          fi
           IMAGE_RELEASE=$(echo ${image_info} | jq -r '.Labels.build_version' | awk '{print $3}')
           IMAGE_VERSION=$(echo ${IMAGE_RELEASE} | awk -F'-ls' '{print $1}')
           if [ -z "${IMAGE_VERSION}" ]; then

.github/workflows/external_trigger_scheduler.yml

@@ -9,7 +9,7 @@ jobs:
   external-trigger-scheduler:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2.3.3
+      - uses: actions/checkout@v3.1.0
         with:
           fetch-depth: '0'
 

.github/workflows/greetings.yml

@@ -8,6 +8,6 @@ jobs:
     steps:
     - uses: actions/first-interaction@v1
       with:
-        issue-message: 'Thanks for opening your first issue here! Be sure to follow the [bug](https://github.com/linuxserver/docker-swag/blob/master/.github/ISSUE_TEMPLATE/issue.bug.md) or [feature](https://github.com/linuxserver/docker-swag/blob/master/.github/ISSUE_TEMPLATE/issue.feature.md) issue templates!'
+        issue-message: 'Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.'
         pr-message: 'Thanks for opening this pull request! Be sure to follow the [pull request template](https://github.com/linuxserver/docker-swag/blob/master/.github/PULL_REQUEST_TEMPLATE.md)!'
         repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/package_trigger.yml

@@ -7,7 +7,7 @@ jobs:
   package-trigger-master:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2.3.3
+      - uses: actions/checkout@v3.1.0
 
       - name: Package Trigger
         if: github.ref == 'refs/heads/master'

.github/workflows/package_trigger_scheduler.yml

@@ -2,14 +2,14 @@ name: Package Trigger Scheduler
 
 on:
   schedule:
-    - cron:  '03 5 * * 4'
+    - cron:  '1 3 * * 6'
   workflow_dispatch:
 
 jobs:
   package-trigger-scheduler:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2.3.3
+      - uses: actions/checkout@v3.1.0
         with:
           fetch-depth: '0'
 

.github/workflows/permissions.yml

@@ -0,0 +1,10 @@
+name: Permission check
+on:
+  pull_request_target:
+    paths:
+      - '**/run'
+      - '**/finish'
+      - '**/check'
+jobs:
+  permission_check:
+    uses: linuxserver/github-workflows/.github/workflows/init-svc-executable-permissions.yml@v1

.github/workflows/stale.yml

@@ -1,23 +0,0 @@
-name: Mark stale issues and pull requests
-
-on:
-  schedule:
-  - cron: "30 1 * * *"
-
-jobs:
-  stale:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/stale@v3
-      with:
-        stale-issue-message: "This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions."
-        stale-pr-message: "This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions."
-        stale-issue-label: 'no-issue-activity'
-        stale-pr-label: 'no-pr-activity'
-        days-before-stale: 30
-        days-before-close: 365
-        exempt-issue-labels: 'awaiting-approval,work-in-progress'
-        exempt-pr-labels: 'awaiting-approval,work-in-progress'
-        repo-token: ${{ secrets.GITHUB_TOKEN }}

Dockerfile

@@ -1,11 +1,13 @@
-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.15
+# syntax=docker/dockerfile:1
+
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.17
 
 # set version label
 ARG BUILD_DATE
 ARG VERSION
 ARG CERTBOT_VERSION
 LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
-LABEL maintainer="aptalca"
+LABEL maintainer="nemchik"
 
 # environment settings
 ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53.ini
@@ -14,9 +16,8 @@ ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
 RUN \
   echo "**** install build packages ****" && \
   apk add --no-cache --virtual=build-dependencies \
+    build-base \
     cargo \
-    g++ \
-    gcc \
     libffi-dev \
     libxml2-dev \
     libxslt-dev \
@@ -24,11 +25,9 @@ RUN \
     python3-dev && \
   echo "**** install runtime packages ****" && \
   apk add --no-cache --upgrade \
-    curl \
     fail2ban \
     gnupg \
     memcached \
-    nginx \
     nginx-mod-http-brotli \
     nginx-mod-http-dav-ext \
     nginx-mod-http-echo \
@@ -36,7 +35,6 @@ RUN \
     nginx-mod-http-geoip2 \
     nginx-mod-http-headers-more \
     nginx-mod-http-image-filter \
-    nginx-mod-http-nchan \
     nginx-mod-http-perl \
     nginx-mod-http-redis2 \
     nginx-mod-http-set-misc \
@@ -47,66 +45,60 @@ RUN \
     nginx-mod-stream \
     nginx-mod-stream-geoip2 \
     nginx-vim \
-    php8-bcmath \
+    php81-bcmath \
-    php8-bz2 \
+    php81-bz2 \
-    php8-ctype \
+    php81-ctype \
-    php8-curl \
+    php81-curl \
-    php8-dom \
+    php81-dom \
-    php8-exif \
+    php81-exif \
-    php8-ftp \
+    php81-ftp \
-    php8-gd \
+    php81-gd \
-    php8-gmp \
+    php81-gmp \
-    php8-iconv \
+    php81-iconv \
-    php8-imap \
+    php81-imap \
-    php8-intl \
+    php81-intl \
-    php8-ldap \
+    php81-ldap \
-    php8-mysqli \
+    php81-mysqli \
-    php8-mysqlnd \
+    php81-mysqlnd \
-    php8-opcache \
+    php81-opcache \
-    php8-pdo_mysql \
+    php81-pdo_mysql \
-    php8-pdo_odbc \
+    php81-pdo_odbc \
-    php8-pdo_pgsql \
+    php81-pdo_pgsql \
-    php8-pdo_sqlite \
+    php81-pdo_sqlite \
-    php8-pear \
+    php81-pear \
-    php8-pecl-apcu \
+    php81-pecl-apcu \
-    php8-pecl-mailparse \
+    php81-pecl-mailparse \
-    php8-pecl-mcrypt \
+    php81-pecl-memcached \
-    php8-pecl-memcached \
+    php81-pecl-redis \
-    php8-pecl-redis \
+    php81-pgsql \
-    php8-pgsql \
+    php81-phar \
-    php8-phar \
+    php81-posix \
-    php8-posix \
+    php81-soap \
-    php8-soap \
+    php81-sockets \
-    php8-sockets \
+    php81-sodium \
-    php8-sodium \
+    php81-sqlite3 \
-    php8-sqlite3 \
+    php81-tokenizer \
-    php8-tokenizer \
+    php81-xmlreader \
-    php8-xml \
+    php81-xsl \
-    php8-xmlreader \
+    php81-zip \
-    php8-xsl \
-    php8-zip \
-    py3-cryptography \
-    py3-future \
-    py3-pip \
     whois && \
-  apk add --no-cache \
+  apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing \
-    --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing \
+    php81-pecl-mcrypt \
-    php8-pecl-xmlrpc && \
+    php81-pecl-xmlrpc && \
   echo "**** install certbot plugins ****" && \
   if [ -z ${CERTBOT_VERSION+x} ]; then \
-    CERTBOT="certbot"; \
+    CERTBOT_VERSION=$(curl -sL  https://pypi.python.org/pypi/certbot/json |jq -r '. | .info.version'); \
-  else \
-    CERTBOT="certbot==${CERTBOT_VERSION}"; \
   fi && \
-  pip3 install -U \
+  python3 -m ensurepip && \
-    pip wheel && \
+  pip3 install -U --no-cache-dir \
-  pip install -U --find-links https://wheel-index.linuxserver.io/alpine-3.15/ \
+    pip \
-    ${CERTBOT} \
+    wheel && \
+  pip3 install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.17/ \
+    certbot==${CERTBOT_VERSION} \
     certbot-dns-acmedns \
     certbot-dns-aliyun \
     certbot-dns-azure \
     certbot-dns-cloudflare \
-    certbot-dns-cloudxns \
     certbot-dns-cpanel \
     certbot-dns-desec \
     certbot-dns-digitalocean \
@@ -114,9 +106,14 @@ RUN \
     certbot-dns-dnsimple \
     certbot-dns-dnsmadeeasy \
     certbot-dns-dnspod \
+    certbot-dns-do \
     certbot-dns-domeneshop \
+    certbot-dns-duckdns \
     certbot-dns-dynu \
+    certbot-dns-gehirn \
+    certbot-dns-godaddy \
     certbot-dns-google \
+    certbot-dns-google-domains \
     certbot-dns-he \
     certbot-dns-hetzner \
     certbot-dns-infomaniak \
@@ -129,14 +126,16 @@ RUN \
     certbot-dns-njalla \
     certbot-dns-nsone \
     certbot-dns-ovh \
+    certbot-dns-porkbun \
     certbot-dns-rfc2136 \
     certbot-dns-route53 \
+    certbot-dns-sakuracloud \
     certbot-dns-standalone \
     certbot-dns-transip \
     certbot-dns-vultr \
-    certbot-dns-desec \
     certbot-plugin-gandi \
     cryptography \
+    future \
     requests && \
   echo "**** enable OCSP stapling from base ****" && \
   sed -i \
@@ -160,6 +159,8 @@ RUN \
   mkdir -p /defaults/fail2ban && \
   mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
   mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
+  echo "**** define allowipv6 to silence warning ****" && \
+  sed -i 's/#allowipv6 = auto/allowipv6 = auto/g' /etc/fail2ban/fail2ban.conf && \
   echo "**** copy proxy confs to /defaults ****" && \
   mkdir -p \
     /defaults/nginx/proxy-confs && \
@@ -172,14 +173,10 @@ RUN \
   echo "**** cleanup ****" && \
   apk del --purge \
     build-dependencies && \
-  for cleanfiles in *.pyc *.pyo; \
-    do \
-    find /usr/lib/python3.*  -iname "${cleanfiles}" -exec rm -f '{}' + \
-    ; done && \
   rm -rf \
     /tmp/* \
-    /root/.cache \
+    $HOME/.cache \
-    /root/.cargo
+    $HOME/.cargo
 
 # copy local files
 COPY root/ /

Dockerfile.aarch64

@@ -1,11 +1,13 @@
-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.15
+# syntax=docker/dockerfile:1
+
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.17
 
 # set version label
 ARG BUILD_DATE
 ARG VERSION
 ARG CERTBOT_VERSION
 LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
-LABEL maintainer="aptalca"
+LABEL maintainer="nemchik"
 
 # environment settings
 ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53.ini
@@ -14,9 +16,8 @@ ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
 RUN \
   echo "**** install build packages ****" && \
   apk add --no-cache --virtual=build-dependencies \
+    build-base \
     cargo \
-    g++ \
-    gcc \
     libffi-dev \
     libxml2-dev \
     libxslt-dev \
@@ -24,11 +25,9 @@ RUN \
     python3-dev && \
   echo "**** install runtime packages ****" && \
   apk add --no-cache --upgrade \
-    curl \
     fail2ban \
     gnupg \
     memcached \
-    nginx \
     nginx-mod-http-brotli \
     nginx-mod-http-dav-ext \
     nginx-mod-http-echo \
@@ -36,7 +35,6 @@ RUN \
     nginx-mod-http-geoip2 \
     nginx-mod-http-headers-more \
     nginx-mod-http-image-filter \
-    nginx-mod-http-nchan \
     nginx-mod-http-perl \
     nginx-mod-http-redis2 \
     nginx-mod-http-set-misc \
@@ -47,66 +45,60 @@ RUN \
     nginx-mod-stream \
     nginx-mod-stream-geoip2 \
     nginx-vim \
-    php8-bcmath \
+    php81-bcmath \
-    php8-bz2 \
+    php81-bz2 \
-    php8-ctype \
+    php81-ctype \
-    php8-curl \
+    php81-curl \
-    php8-dom \
+    php81-dom \
-    php8-exif \
+    php81-exif \
-    php8-ftp \
+    php81-ftp \
-    php8-gd \
+    php81-gd \
-    php8-gmp \
+    php81-gmp \
-    php8-iconv \
+    php81-iconv \
-    php8-imap \
+    php81-imap \
-    php8-intl \
+    php81-intl \
-    php8-ldap \
+    php81-ldap \
-    php8-mysqli \
+    php81-mysqli \
-    php8-mysqlnd \
+    php81-mysqlnd \
-    php8-opcache \
+    php81-opcache \
-    php8-pdo_mysql \
+    php81-pdo_mysql \
-    php8-pdo_odbc \
+    php81-pdo_odbc \
-    php8-pdo_pgsql \
+    php81-pdo_pgsql \
-    php8-pdo_sqlite \
+    php81-pdo_sqlite \
-    php8-pear \
+    php81-pear \
-    php8-pecl-apcu \
+    php81-pecl-apcu \
-    php8-pecl-mailparse \
+    php81-pecl-mailparse \
-    php8-pecl-mcrypt \
+    php81-pecl-memcached \
-    php8-pecl-memcached \
+    php81-pecl-redis \
-    php8-pecl-redis \
+    php81-pgsql \
-    php8-pgsql \
+    php81-phar \
-    php8-phar \
+    php81-posix \
-    php8-posix \
+    php81-soap \
-    php8-soap \
+    php81-sockets \
-    php8-sockets \
+    php81-sodium \
-    php8-sodium \
+    php81-sqlite3 \
-    php8-sqlite3 \
+    php81-tokenizer \
-    php8-tokenizer \
+    php81-xmlreader \
-    php8-xml \
+    php81-xsl \
-    php8-xmlreader \
+    php81-zip \
-    php8-xsl \
-    php8-zip \
-    py3-cryptography \
-    py3-future \
-    py3-pip \
     whois && \
-  apk add --no-cache \
+  apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing \
-    --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing \
+    php81-pecl-mcrypt \
-    php8-pecl-xmlrpc && \
+    php81-pecl-xmlrpc && \
   echo "**** install certbot plugins ****" && \
   if [ -z ${CERTBOT_VERSION+x} ]; then \
-    CERTBOT="certbot"; \
+    CERTBOT_VERSION=$(curl -sL  https://pypi.python.org/pypi/certbot/json |jq -r '. | .info.version'); \
-  else \
-    CERTBOT="certbot==${CERTBOT_VERSION}"; \
   fi && \
-  pip3 install -U \
+  python3 -m ensurepip && \
-    pip wheel && \
+  pip3 install -U --no-cache-dir \
-  pip install -U --find-links https://wheel-index.linuxserver.io/alpine-3.15/ \
+    pip \
-    ${CERTBOT} \
+    wheel && \
+  pip3 install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.17/ \
+    certbot==${CERTBOT_VERSION} \
     certbot-dns-acmedns \
     certbot-dns-aliyun \
     certbot-dns-azure \
     certbot-dns-cloudflare \
-    certbot-dns-cloudxns \
     certbot-dns-cpanel \
     certbot-dns-desec \
     certbot-dns-digitalocean \
@@ -114,9 +106,14 @@ RUN \
     certbot-dns-dnsimple \
     certbot-dns-dnsmadeeasy \
     certbot-dns-dnspod \
+    certbot-dns-do \
     certbot-dns-domeneshop \
+    certbot-dns-duckdns \
     certbot-dns-dynu \
+    certbot-dns-gehirn \
+    certbot-dns-godaddy \
     certbot-dns-google \
+    certbot-dns-google-domains \
     certbot-dns-he \
     certbot-dns-hetzner \
     certbot-dns-infomaniak \
@@ -129,14 +126,16 @@ RUN \
     certbot-dns-njalla \
     certbot-dns-nsone \
     certbot-dns-ovh \
+    certbot-dns-porkbun \
     certbot-dns-rfc2136 \
     certbot-dns-route53 \
+    certbot-dns-sakuracloud \
     certbot-dns-standalone \
     certbot-dns-transip \
     certbot-dns-vultr \
-    certbot-dns-desec \
     certbot-plugin-gandi \
     cryptography \
+    future \
     requests && \
   echo "**** enable OCSP stapling from base ****" && \
   sed -i \
@@ -160,6 +159,8 @@ RUN \
   mkdir -p /defaults/fail2ban && \
   mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
   mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
+  echo "**** define allowipv6 to silence warning ****" && \
+  sed -i 's/#allowipv6 = auto/allowipv6 = auto/g' /etc/fail2ban/fail2ban.conf && \
   echo "**** copy proxy confs to /defaults ****" && \
   mkdir -p \
     /defaults/nginx/proxy-confs && \
@@ -172,14 +173,10 @@ RUN \
   echo "**** cleanup ****" && \
   apk del --purge \
     build-dependencies && \
-  for cleanfiles in *.pyc *.pyo; \
-    do \
-    find /usr/lib/python3.*  -iname "${cleanfiles}" -exec rm -f '{}' + \
-    ; done && \
   rm -rf \
     /tmp/* \
-    /root/.cache \
+    $HOME/.cache \
-    /root/.cargo
+    $HOME/.cargo
 
 # copy local files
 COPY root/ /

Dockerfile.armhf

@@ -1,11 +1,13 @@
-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm32v7-3.15
+# syntax=docker/dockerfile:1
+
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm32v7-3.17
 
 # set version label
 ARG BUILD_DATE
 ARG VERSION
 ARG CERTBOT_VERSION
 LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
-LABEL maintainer="aptalca"
+LABEL maintainer="nemchik"
 
 # environment settings
 ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53.ini
@@ -14,9 +16,8 @@ ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
 RUN \
   echo "**** install build packages ****" && \
   apk add --no-cache --virtual=build-dependencies \
+    build-base \
     cargo \
-    g++ \
-    gcc \
     libffi-dev \
     libxml2-dev \
     libxslt-dev \
@@ -24,11 +25,9 @@ RUN \
     python3-dev && \
   echo "**** install runtime packages ****" && \
   apk add --no-cache --upgrade \
-    curl \
     fail2ban \
     gnupg \
     memcached \
-    nginx \
     nginx-mod-http-brotli \
     nginx-mod-http-dav-ext \
     nginx-mod-http-echo \
@@ -36,7 +35,6 @@ RUN \
     nginx-mod-http-geoip2 \
     nginx-mod-http-headers-more \
     nginx-mod-http-image-filter \
-    nginx-mod-http-nchan \
     nginx-mod-http-perl \
     nginx-mod-http-redis2 \
     nginx-mod-http-set-misc \
@@ -47,66 +45,60 @@ RUN \
     nginx-mod-stream \
     nginx-mod-stream-geoip2 \
     nginx-vim \
-    php8-bcmath \
+    php81-bcmath \
-    php8-bz2 \
+    php81-bz2 \
-    php8-ctype \
+    php81-ctype \
-    php8-curl \
+    php81-curl \
-    php8-dom \
+    php81-dom \
-    php8-exif \
+    php81-exif \
-    php8-ftp \
+    php81-ftp \
-    php8-gd \
+    php81-gd \
-    php8-gmp \
+    php81-gmp \
-    php8-iconv \
+    php81-iconv \
-    php8-imap \
+    php81-imap \
-    php8-intl \
+    php81-intl \
-    php8-ldap \
+    php81-ldap \
-    php8-mysqli \
+    php81-mysqli \
-    php8-mysqlnd \
+    php81-mysqlnd \
-    php8-opcache \
+    php81-opcache \
-    php8-pdo_mysql \
+    php81-pdo_mysql \
-    php8-pdo_odbc \
+    php81-pdo_odbc \
-    php8-pdo_pgsql \
+    php81-pdo_pgsql \
-    php8-pdo_sqlite \
+    php81-pdo_sqlite \
-    php8-pear \
+    php81-pear \
-    php8-pecl-apcu \
+    php81-pecl-apcu \
-    php8-pecl-mailparse \
+    php81-pecl-mailparse \
-    php8-pecl-mcrypt \
+    php81-pecl-memcached \
-    php8-pecl-memcached \
+    php81-pecl-redis \
-    php8-pecl-redis \
+    php81-pgsql \
-    php8-pgsql \
+    php81-phar \
-    php8-phar \
+    php81-posix \
-    php8-posix \
+    php81-soap \
-    php8-soap \
+    php81-sockets \
-    php8-sockets \
+    php81-sodium \
-    php8-sodium \
+    php81-sqlite3 \
-    php8-sqlite3 \
+    php81-tokenizer \
-    php8-tokenizer \
+    php81-xmlreader \
-    php8-xml \
+    php81-xsl \
-    php8-xmlreader \
+    php81-zip \
-    php8-xsl \
-    php8-zip \
-    py3-cryptography \
-    py3-future \
-    py3-pip \
     whois && \
-  apk add --no-cache \
+  apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing \
-    --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing \
+    php81-pecl-mcrypt \
-    php8-pecl-xmlrpc && \
+    php81-pecl-xmlrpc && \
   echo "**** install certbot plugins ****" && \
   if [ -z ${CERTBOT_VERSION+x} ]; then \
-    CERTBOT="certbot"; \
+    CERTBOT_VERSION=$(curl -sL  https://pypi.python.org/pypi/certbot/json |jq -r '. | .info.version'); \
-  else \
-    CERTBOT="certbot==${CERTBOT_VERSION}"; \
   fi && \
-  pip3 install -U \
+  python3 -m ensurepip && \
-    pip wheel && \
+  pip3 install -U --no-cache-dir \
-  pip install -U --find-links https://wheel-index.linuxserver.io/alpine-3.15/ \
+    pip \
-    ${CERTBOT} \
+    wheel && \
+  pip3 install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.17/ \
+    certbot==${CERTBOT_VERSION} \
     certbot-dns-acmedns \
     certbot-dns-aliyun \
     certbot-dns-azure \
     certbot-dns-cloudflare \
-    certbot-dns-cloudxns \
     certbot-dns-cpanel \
     certbot-dns-desec \
     certbot-dns-digitalocean \
@@ -114,9 +106,14 @@ RUN \
     certbot-dns-dnsimple \
     certbot-dns-dnsmadeeasy \
     certbot-dns-dnspod \
+    certbot-dns-do \
     certbot-dns-domeneshop \
+    certbot-dns-duckdns \
     certbot-dns-dynu \
+    certbot-dns-gehirn \
+    certbot-dns-godaddy \
     certbot-dns-google \
+    certbot-dns-google-domains \
     certbot-dns-he \
     certbot-dns-hetzner \
     certbot-dns-infomaniak \
@@ -129,13 +126,16 @@ RUN \
     certbot-dns-njalla \
     certbot-dns-nsone \
     certbot-dns-ovh \
+    certbot-dns-porkbun \
     certbot-dns-rfc2136 \
     certbot-dns-route53 \
+    certbot-dns-sakuracloud \
     certbot-dns-standalone \
     certbot-dns-transip \
     certbot-dns-vultr \
     certbot-plugin-gandi \
     cryptography \
+    future \
     requests && \
   echo "**** enable OCSP stapling from base ****" && \
   sed -i \
@@ -159,6 +159,8 @@ RUN \
   mkdir -p /defaults/fail2ban && \
   mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
   mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \
+  echo "**** define allowipv6 to silence warning ****" && \
+  sed -i 's/#allowipv6 = auto/allowipv6 = auto/g' /etc/fail2ban/fail2ban.conf && \
   echo "**** copy proxy confs to /defaults ****" && \
   mkdir -p \
     /defaults/nginx/proxy-confs && \
@@ -171,14 +173,10 @@ RUN \
   echo "**** cleanup ****" && \
   apk del --purge \
     build-dependencies && \
-  for cleanfiles in *.pyc *.pyo; \
-    do \
-    find /usr/lib/python3.*  -iname "${cleanfiles}" -exec rm -f '{}' + \
-    ; done && \
   rm -rf \
     /tmp/* \
-    /root/.cache \
+    $HOME/.cache \
-    /root/.cargo
+    $HOME/.cargo
 
 # copy local files
 COPY root/ /

Jenkinsfile

@@ -57,7 +57,7 @@ pipeline {
           env.CODE_URL = 'https://github.com/' + env.LS_USER + '/' + env.LS_REPO + '/commit/' + env.GIT_COMMIT
           env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.DOCKERHUB_IMAGE + '/tags/'
           env.PULL_REQUEST = env.CHANGE_ID
-          env.TEMPLATED_FILES = 'Jenkinsfile README.md LICENSE .editorconfig ./.github/CONTRIBUTING.md ./.github/FUNDING.yml ./.github/ISSUE_TEMPLATE/config.yml ./.github/ISSUE_TEMPLATE/issue.bug.md ./.github/ISSUE_TEMPLATE/issue.feature.md ./.github/PULL_REQUEST_TEMPLATE.md ./.github/workflows/external_trigger_scheduler.yml ./.github/workflows/greetings.yml ./.github/workflows/package_trigger_scheduler.yml ./.github/workflows/stale.yml ./.github/workflows/external_trigger.yml ./.github/workflows/package_trigger.yml ./root/donate.txt'
+          env.TEMPLATED_FILES = 'Jenkinsfile README.md LICENSE .editorconfig ./.github/CONTRIBUTING.md ./.github/FUNDING.yml ./.github/ISSUE_TEMPLATE/config.yml ./.github/ISSUE_TEMPLATE/issue.bug.yml ./.github/ISSUE_TEMPLATE/issue.feature.yml ./.github/PULL_REQUEST_TEMPLATE.md ./.github/workflows/external_trigger_scheduler.yml ./.github/workflows/greetings.yml ./.github/workflows/package_trigger_scheduler.yml ./.github/workflows/call_issue_pr_tracker.yml ./.github/workflows/call_issues_cron.yml ./.github/workflows/permissions.yml ./.github/workflows/external_trigger.yml ./.github/workflows/package_trigger.yml ./root/donate.txt'
         }
         script{
           env.LS_RELEASE_NUMBER = sh(
@@ -230,17 +230,14 @@ pipeline {
           }
           sh '''curl -sL https://raw.githubusercontent.com/linuxserver/docker-shellcheck/master/checkrun.sh | /bin/bash'''
           sh '''#! /bin/bash
-                set -e
-                docker pull ghcr.io/linuxserver/lsiodev-spaces-file-upload:latest
                 docker run --rm \
-                -e DESTINATION=\"${IMAGE}/${META_TAG}/shellcheck-result.xml\" \
-                -e FILE_NAME="shellcheck-result.xml" \
-                -e MIMETYPE="text/xml" \
                   -v ${WORKSPACE}:/mnt \
-                -e SECRET_KEY=\"${S3_SECRET}\" \
+                  -e AWS_ACCESS_KEY_ID=\"${S3_KEY}\" \
-                -e ACCESS_KEY=\"${S3_KEY}\" \
+                  -e AWS_SECRET_ACCESS_KEY=\"${S3_SECRET}\" \
-                -t ghcr.io/linuxserver/lsiodev-spaces-file-upload:latest \
+                  ghcr.io/linuxserver/baseimage-alpine:3.17 s6-envdir -fn -- /var/run/s6/container_environment /bin/bash -c "\
-                python /upload.py'''
+                    apk add --no-cache py3-pip && \
+                    pip install s3cmd && \
+                    s3cmd put --no-preserve --acl-public -m text/xml /mnt/shellcheck-result.xml s3://ci-tests.linuxserver.io/${IMAGE}/${META_TAG}/shellcheck-result.xml" || :'''
         }
       }
     }
@@ -277,7 +274,7 @@ pipeline {
                 echo "Jenkinsfile is up to date."
               fi
               # Stage 2 - Delete old templates
-              OLD_TEMPLATES=".github/ISSUE_TEMPLATE.md"
+              OLD_TEMPLATES=".github/ISSUE_TEMPLATE.md .github/ISSUE_TEMPLATE/issue.bug.md .github/ISSUE_TEMPLATE/issue.feature.md .github/workflows/call_invalid_helper.yml .github/workflows/stale.yml"
               for i in ${OLD_TEMPLATES}; do
                 if [[ -f "${i}" ]]; then
                   TEMPLATES_TO_DELETE="${i} ${TEMPLATES_TO_DELETE}"
@@ -294,7 +291,7 @@ pipeline {
                 git commit -m 'Bot Updating Templated Files'
                 git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all
                 echo "true" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER}
-                echo "Deleting old templates"
+                echo "Deleting old and deprecated templates"
                 rm -Rf ${TEMPDIR}
                 exit 0
               else
@@ -442,7 +439,8 @@ pipeline {
       }
       steps {
         echo "Running on node: ${NODE_NAME}"
-        sh "docker build \
+        sh "sed -r -i 's|(^FROM .*)|\\1\\n\\nENV LSIO_FIRST_PARTY=true|g' Dockerfile"
+        sh "docker buildx build \
           --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
           --label \"org.opencontainers.image.authors=linuxserver.io\" \
           --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-swag/packages\" \
@@ -455,7 +453,7 @@ pipeline {
           --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
           --label \"org.opencontainers.image.title=Swag\" \
           --label \"org.opencontainers.image.description=SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.\" \
-          --no-cache --pull -t ${IMAGE}:${META_TAG} \
+          --no-cache --pull -t ${IMAGE}:${META_TAG} --platform=linux/amd64 \
           --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
       }
     }
@@ -472,7 +470,8 @@ pipeline {
         stage('Build X86') {
           steps {
             echo "Running on node: ${NODE_NAME}"
-            sh "docker build \
+            sh "sed -r -i 's|(^FROM .*)|\\1\\n\\nENV LSIO_FIRST_PARTY=true|g' Dockerfile"
+            sh "docker buildx build \
               --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
               --label \"org.opencontainers.image.authors=linuxserver.io\" \
               --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-swag/packages\" \
@@ -485,7 +484,7 @@ pipeline {
               --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
               --label \"org.opencontainers.image.title=Swag\" \
               --label \"org.opencontainers.image.description=SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.\" \
-              --no-cache --pull -t ${IMAGE}:amd64-${META_TAG} \
+              --no-cache --pull -t ${IMAGE}:amd64-${META_TAG} --platform=linux/amd64 \
               --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
           }
         }
@@ -499,7 +498,8 @@ pipeline {
             sh '''#! /bin/bash
                   echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
                '''
-            sh "docker build \
+            sh "sed -r -i 's|(^FROM .*)|\\1\\n\\nENV LSIO_FIRST_PARTY=true|g' Dockerfile.armhf"
+            sh "docker buildx build \
               --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
               --label \"org.opencontainers.image.authors=linuxserver.io\" \
               --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-swag/packages\" \
@@ -512,7 +512,7 @@ pipeline {
               --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
               --label \"org.opencontainers.image.title=Swag\" \
               --label \"org.opencontainers.image.description=SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.\" \
-              --no-cache --pull -f Dockerfile.armhf -t ${IMAGE}:arm32v7-${META_TAG} \
+              --no-cache --pull -f Dockerfile.armhf -t ${IMAGE}:arm32v7-${META_TAG} --platform=linux/arm/v7 \
               --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
             sh "docker tag ${IMAGE}:arm32v7-${META_TAG} ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}"
             retry(5) {
@@ -533,7 +533,8 @@ pipeline {
             sh '''#! /bin/bash
                   echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
                '''
-            sh "docker build \
+            sh "sed -r -i 's|(^FROM .*)|\\1\\n\\nENV LSIO_FIRST_PARTY=true|g' Dockerfile.aarch64"
+            sh "docker buildx build \
               --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
               --label \"org.opencontainers.image.authors=linuxserver.io\" \
               --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-swag/packages\" \
@@ -546,7 +547,7 @@ pipeline {
               --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
               --label \"org.opencontainers.image.title=Swag\" \
               --label \"org.opencontainers.image.description=SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.\" \
-              --no-cache --pull -f Dockerfile.aarch64 -t ${IMAGE}:arm64v8-${META_TAG} \
+              --no-cache --pull -f Dockerfile.aarch64 -t ${IMAGE}:arm64v8-${META_TAG} --platform=linux/arm64 \
               --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
             sh "docker tag ${IMAGE}:arm64v8-${META_TAG} ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}"
             retry(5) {
@@ -575,26 +576,12 @@ pipeline {
               else
                 LOCAL_CONTAINER=${IMAGE}:${META_TAG}
               fi
-              if [ "${DIST_IMAGE}" == "alpine" ]; then
+              touch ${TEMPDIR}/package_versions.txt
-                docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\
+              docker run --rm \
-                  apk info -v > /tmp/package_versions.txt && \
+                -v /var/run/docker.sock:/var/run/docker.sock:ro \
-                  sort -o /tmp/package_versions.txt  /tmp/package_versions.txt && \
+                -v ${TEMPDIR}:/tmp \
-                  chmod 777 /tmp/package_versions.txt'
+                ghcr.io/anchore/syft:latest \
-              elif [ "${DIST_IMAGE}" == "ubuntu" ]; then
+                ${LOCAL_CONTAINER} -o table=/tmp/package_versions.txt
-                docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\
-                  apt list -qq --installed | sed "s#/.*now ##g" | cut -d" " -f1 > /tmp/package_versions.txt && \
-                  sort -o /tmp/package_versions.txt  /tmp/package_versions.txt && \
-                  chmod 777 /tmp/package_versions.txt'
-              elif [ "${DIST_IMAGE}" == "fedora" ]; then
-                docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\
-                  rpm -qa > /tmp/package_versions.txt && \
-                  sort -o /tmp/package_versions.txt  /tmp/package_versions.txt && \
-                  chmod 777 /tmp/package_versions.txt'
-              elif [ "${DIST_IMAGE}" == "arch" ]; then
-                docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\
-                  pacman -Q > /tmp/package_versions.txt && \
-                  chmod 777 /tmp/package_versions.txt'
-              fi
               NEW_PACKAGE_TAG=$(md5sum ${TEMPDIR}/package_versions.txt | cut -c1-8 )
               echo "Package tag sha from current packages in buit container is ${NEW_PACKAGE_TAG} comparing to old ${PACKAGE_TAG} from github"
               if [ "${NEW_PACKAGE_TAG}" != "${PACKAGE_TAG}" ]; then
@@ -805,19 +792,19 @@ pipeline {
                   echo $QUAYPASS | docker login quay.io -u $QUAYUSER --password-stdin
                   if [ "${CI}" == "false" ]; then
                     docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}
-                    docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}
                     docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm32v7-${META_TAG}
+                    docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}
                     docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm64v8-${META_TAG}
                   fi
                   for MANIFESTIMAGE in "${IMAGE}" "${GITLABIMAGE}" "${GITHUBIMAGE}" "${QUAYIMAGE}"; do
                     docker tag ${IMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${META_TAG}
-                    docker tag ${IMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${META_TAG}
-                    docker tag ${IMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG}
                     docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-latest
-                    docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-latest
-                    docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-latest
                     docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG}
+                    docker tag ${IMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${META_TAG}
+                    docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-latest
                     docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG}
+                    docker tag ${IMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG}
+                    docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-latest
                     docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
                     if [ -n "${SEMVER}" ]; then
                       docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${SEMVER}
@@ -825,13 +812,13 @@ pipeline {
                       docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${SEMVER}
                     fi
                     docker push ${MANIFESTIMAGE}:amd64-${META_TAG}
-                    docker push ${MANIFESTIMAGE}:arm32v7-${META_TAG}
-                    docker push ${MANIFESTIMAGE}:arm64v8-${META_TAG}
-                    docker push ${MANIFESTIMAGE}:amd64-latest
-                    docker push ${MANIFESTIMAGE}:arm32v7-latest
-                    docker push ${MANIFESTIMAGE}:arm64v8-latest
                     docker push ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG}
+                    docker push ${MANIFESTIMAGE}:amd64-latest
+                    docker push ${MANIFESTIMAGE}:arm32v7-${META_TAG}
+                    docker push ${MANIFESTIMAGE}:arm32v7-latest
                     docker push ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG}
+                    docker push ${MANIFESTIMAGE}:arm64v8-${META_TAG}
+                    docker push ${MANIFESTIMAGE}:arm64v8-latest
                     docker push ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
                     if [ -n "${SEMVER}" ]; then
                       docker push ${MANIFESTIMAGE}:amd64-${SEMVER}
@@ -977,12 +964,12 @@ pipeline {
           sh 'echo "build aborted"'
         }
         else if (currentBuild.currentResult == "SUCCESS"){
-          sh ''' curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://wiki.jenkins-ci.org/download/attachments/2916393/headshot.png","embeds": [{"color": 1681177,\
+          sh ''' curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/jenkins-avatar.png","embeds": [{"color": 1681177,\
                  "description": "**Build:**  '${BUILD_NUMBER}'\\n**CI Results:**  '${CI_URL}'\\n**ShellCheck Results:**  '${SHELLCHECK_URL}'\\n**Status:**  Success\\n**Job:** '${RUN_DISPLAY_URL}'\\n**Change:** '${CODE_URL}'\\n**External Release:**: '${RELEASE_LINK}'\\n**DockerHub:** '${DOCKERHUB_LINK}'\\n"}],\
                  "username": "Jenkins"}' ${BUILDS_DISCORD} '''
         }
         else {
-          sh ''' curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://wiki.jenkins-ci.org/download/attachments/2916393/headshot.png","embeds": [{"color": 16711680,\
+          sh ''' curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/jenkins-avatar.png","embeds": [{"color": 16711680,\
                  "description": "**Build:**  '${BUILD_NUMBER}'\\n**CI Results:**  '${CI_URL}'\\n**ShellCheck Results:**  '${SHELLCHECK_URL}'\\n**Status:**  failure\\n**Job:** '${RUN_DISPLAY_URL}'\\n**Change:** '${CODE_URL}'\\n**External Release:**: '${RELEASE_LINK}'\\n**DockerHub:** '${DOCKERHUB_LINK}'\\n"}],\
                  "username": "Jenkins"}' ${BUILDS_DISCORD} '''
         }

README.md

@@ -63,13 +63,15 @@ The architectures supported by this image are:
 ### Validation and initial setup
 
 * Before running this container, make sure that the url and subdomains are properly forwarded to this container's host, and that port 443 (and/or 80) is not being used by another service on the host (NAS gui, another webserver, etc.).
+* If you need a dynamic dns provider, you can use the free provider duckdns.org where the `URL` will be `yoursubdomain.duckdns.org` and the `SUBDOMAINS` can be `www,ftp,cloud` with http validation, or `wildcard` with dns validation. You can use our [duckdns image](https://hub.docker.com/r/linuxserver/duckdns/) to update your IP on duckdns.org.
 * For `http` validation, port 80 on the internet side of the router should be forwarded to this container's port 80
 * For `dns` validation, make sure to enter your credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`
   * Cloudflare provides free accounts for managing dns and is very easy to use with this image. Make sure that it is set up for "dns only" instead of "dns + proxy"
   * Google dns plugin is meant to be used with "Google Cloud DNS", a paid enterprise product, and not for "Google Domains DNS"
-* For `duckdns` validation, either leave the `SUBDOMAINS` variable empty or set it to `wildcard`, and set the `DUCKDNSTOKEN` variable with your duckdns token. Due to a limitation of duckdns, the resulting cert will only cover either main subdomain (ie. `yoursubdomain.duckdns.org`), or sub-subdomains (ie. `*.yoursubdomain.duckdns.org`), but will not both at the same time. You can use our [duckdns image](https://hub.docker.com/r/linuxserver/duckdns/) to update your IP on duckdns.org.
+  * DuckDNS only supoprts two types of DNS validated certificates (not both at the same time):
+    1. Certs that only cover your main subdomain (ie. `yoursubdomain.duckdns.org`, leave the `SUBDOMAINS` variable empty)
+    2. Certs that cover sub-subdomains of your main subdomain (ie. `*.yoursubdomain.duckdns.org`, set the `SUBDOMAINS` variable to `wildcard`)
 * `--cap-add=NET_ADMIN` is required for fail2ban to modify iptables
-* If you need a dynamic dns provider, you can use the free provider duckdns.org where the `URL` will be `yoursubdomain.duckdns.org` and the `SUBDOMAINS` can be `www,ftp,cloud` with http validation, or `wildcard` with dns validation.
 * After setup, navigate to `https://yourdomain.url` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default.conf`).
 * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
 
@@ -114,7 +116,7 @@ This will *ask* Google et al not to index and list your site. Be careful with th
 * You can check which jails are active via `docker exec -it swag fail2ban-client status`
 * You can check the status of a specific jail via `docker exec -it swag fail2ban-client status <jail name>`
 * You can unban an IP via `docker exec -it swag fail2ban-client set <jail name> unbanip <IP>`
-* A list of commands can be found here: https://www.fail2ban.org/wiki/index.php/Commands
+* A list of commands can be found here: <https://www.fail2ban.org/wiki/index.php/Commands>
 
 ### Updating configs
 
@@ -131,6 +133,7 @@ This will *ask* Google et al not to index and list your site. Be careful with th
 * You can check the new sample and adjust your active config as needed.
 
 ### Migration from the old `linuxserver/letsencrypt` image
+
 Please follow the instructions [on this blog post](https://www.linuxserver.io/blog/2020-08-21-introducing-swag#migrate).
 
 ## Usage
@@ -151,14 +154,13 @@ services:
     environment:
       - PUID=1000
       - PGID=1000
-      - TZ=Europe/London
+      - TZ=Etc/UTC
       - URL=yourdomain.url
       - VALIDATION=http
       - SUBDOMAINS=www, #optional
       - CERTPROVIDER= #optional
       - DNSPLUGIN=cloudflare #optional
       - PROPAGATION= #optional
-      - DUCKDNSTOKEN= #optional
       - EMAIL= #optional
       - ONLY_SUBDOMAINS=false #optional
       - EXTRA_DOMAINS= #optional
@@ -179,14 +181,13 @@ docker run -d \
   --cap-add=NET_ADMIN \
   -e PUID=1000 \
   -e PGID=1000 \
-  -e TZ=Europe/London \
+  -e TZ=Etc/UTC \
   -e URL=yourdomain.url \
   -e VALIDATION=http \
   -e SUBDOMAINS=www, `#optional` \
   -e CERTPROVIDER= `#optional` \
   -e DNSPLUGIN=cloudflare `#optional` \
   -e PROPAGATION= `#optional` \
-  -e DUCKDNSTOKEN= `#optional` \
   -e EMAIL= `#optional` \
   -e ONLY_SUBDOMAINS=false `#optional` \
   -e EXTRA_DOMAINS= `#optional` \
@@ -196,6 +197,7 @@ docker run -d \
   -v /path/to/appdata/config:/config \
   --restart unless-stopped \
   lscr.io/linuxserver/swag:latest
+
 ```
 
 ## Parameters
@@ -208,14 +210,13 @@ Container images are configured using parameters passed at runtime (such as thos
 | `-p 80` | Http port (required for http validation and http -> https redirect) |
 | `-e PUID=1000` | for UserID - see below for explanation |
 | `-e PGID=1000` | for GroupID - see below for explanation |
-| `-e TZ=Europe/London` | Specify a timezone to use EG Europe/London. |
+| `-e TZ=Etc/UTC` | specify a timezone to use, see this [list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List). |
 | `-e URL=yourdomain.url` | Top url you have control over (`customdomain.com` if you own it, or `customsubdomain.ddnsprovider.com` if dynamic dns). |
-| `-e VALIDATION=http` | Certbot validation method to use, options are `http`, `dns` or `duckdns` (`dns` method also requires `DNSPLUGIN` variable set) (`duckdns` method requires `DUCKDNSTOKEN` variable set, and the `SUBDOMAINS` variable must be either empty or set to `wildcard`). |
+| `-e VALIDATION=http` | Certbot validation method to use, options are `http` or `dns` (`dns` method also requires `DNSPLUGIN` variable set). |
-| `-e SUBDOMAINS=www,` | Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this _exactly_ to `wildcard` (wildcard cert is available via `dns` and `duckdns` validation only) |
+| `-e SUBDOMAINS=www,` | Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this *exactly* to `wildcard` (wildcard cert is available via `dns` validation only) |
 | `-e CERTPROVIDER=` | Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt. |
-| `-e DNSPLUGIN=cloudflare` | Required if `VALIDATION` is set to `dns`. Options are `acmedns`,`aliyun`, `azure`, `cloudflare`, `cloudxns`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `domeneshop`, `dynu`, `gandi`, `gehirn`, `google`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip` and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`. |
+| `-e DNSPLUGIN=cloudflare` | Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `duckdns`, `dynu`, `gandi`, `gehirn`, `godaddy`, `google`, `google-domains`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`. |
 | `-e PROPAGATION=` | Optionally override (in seconds) the default propagation time for the dns plugins. |
-| `-e DUCKDNSTOKEN=` | Required if `VALIDATION` is set to `duckdns`. Retrieve your token from https://www.duckdns.org |
 | `-e EMAIL=` | Optional e-mail address used for cert expiration notifications (Required for ZeroSSL). |
 | `-e ONLY_SUBDOMAINS=false` | If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true` |
 | `-e EXTRA_DOMAINS=` | Additional fully qualified domain names (comma separated, no spaces) ie. `extradomain.com,subdomain.anotherdomain.org,*.anotherdomain.org` |
@@ -335,6 +336,25 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **25.03.23:** - Fix renewal post hook.
+* **10.03.23:** - Cleanup unused csr and keys folders. See [certbot 2.3.0 release notes](https://github.com/certbot/certbot/releases/tag/v2.3.0).
+* **09.03.23:** - Add Google Domains DNS support, `google-domains`.
+* **02.03.23:** - Set permissions on crontabs during init.
+* **09.02.23:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf, authelia-location.conf and authelia-server.conf - Add Authentik configs, update Authelia configs.
+* **06.02.23:** - Add porkbun support back in.
+* **21.01.23:** - Unpin certbot version (allow certbot 2.x). !!BREAKING CHANGE!! We are temporarily removing the certbot porkbun plugin until a new version is released that is compatible with certbot 2.x.
+* **20.01.23:** - Rebase to alpine 3.17 with php8.1.
+* **16.01.23:** - Remove nchan module because it keeps causing crashes.
+* **08.12.22:** - Revamp certbot init.
+* **03.12.22:** - Remove defunct cloudxns plugin.
+* **22.11.22:** - Pin acme to the same version as certbot.
+* **22.11.22:** - Pin certbot to 1.32.0 until plugin compatibility improves.
+* **05.11.22:** - Update acmedns plugin handling.
+* **06.10.22:** - Switch to certbot-dns-duckdns. Update cpanel and gandi dns plugin handling. Minor adjustments to init logic.
+* **05.10.22:** - Use certbot file hooks instead of command line hooks
+* **04.10.22:** - Add godaddy and porkbun dns plugins.
+* **03.10.22:** - Add default_server back to default site conf's https listen.
+* **22.09.22:** - Added support for DO DNS validation.
 * **22.09.22:** - Added certbot-dns-acmedns for DNS01 validation.
 * **20.08.22:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf - Rebasing to alpine 3.15 with php8. Restructure nginx configs ([see changes announcement](https://info.linuxserver.io/issues/2022-08-20-nginx-base)).
 * **10.08.22:** - Added support for Dynu DNS validation.
@@ -348,7 +368,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 * **22.11.21:** - Added support for Infomaniak DNS for certificate generation.
 * **20.11.21:** - Added support for dnspod validation.
 * **15.11.21:** - Added support for deSEC DNS for wildcard certificate generation.
-* **26.10.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf - Mitigate https://httpoxy.org/ vulnerabilities. Ref: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx#Defeating-the-Attack-using-NGINX-and-NGINX-Plus
+* **26.10.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf - Mitigate <https://httpoxy.org/> vulnerabilities. Ref: <https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx#Defeating-the-Attack-using-NGINX-and-NGINX-Plus>
 * **23.10.21:** - Fix Hurricane Electric (HE) DNS validation.
 * **12.10.21:** - Fix deprecated LE root cert check to fix failures when using `STAGING=true`, and failures in revoking.
 * **06.10.21:** - Added support for Hurricane Electric (HE) DNS validation. Added lxml build deps.

package_versions.txt

@@ -1,229 +1,340 @@
-alpine-baselayout-3.2.0-r18
+NAME                            VERSION                TYPE   
-alpine-keys-2.4-r1
+ConfigArgParse                  1.5.3                  python  
-apache2-utils-2.4.54-r0
+PyJWT                           2.6.0                  python  
-apk-tools-2.12.7-r3
+PyYAML                          6.0                    python  
-apr-1.7.0-r1
+acme                            2.5.0                  python  
-apr-util-1.6.1-r11
+alpine-baselayout               3.4.0-r0               apk     
-argon2-libs-20190702-r1
+alpine-baselayout-data          3.4.0-r0               apk     
-bash-5.1.16-r0
+alpine-keys                     2.4-r1                 apk     
-brotli-libs-1.0.9-r5
+alpine-release                  3.17.3-r0              apk     
-busybox-1.34.1-r7
+aom-libs                        3.5.0-r0               apk     
-c-client-2007f-r13
+apache2-utils                   2.4.56-r0              apk     
-ca-certificates-20220614-r0
+apk-tools                       2.12.10-r1             apk     
-ca-certificates-bundle-20220614-r0
+apr                             1.7.2-r0               apk     
-coreutils-9.0-r2
+apr-util                        1.6.3-r0               apk     
-curl-7.80.0-r3
+argon2-libs                     20190702-r2            apk     
-expat-2.4.9-r0
+attrs                           22.2.0                 python  
-fail2ban-0.11.2-r1
+azure-common                    1.1.28                 python  
-freetype-2.11.1-r2
+azure-core                      1.26.4                 python  
-gdbm-1.22-r0
+azure-identity                  1.12.0                 python  
-git-2.34.4-r0
+azure-mgmt-core                 1.4.0                  python  
-git-perl-2.34.4-r0
+azure-mgmt-dns                  8.0.0                  python  
-gmp-6.2.1-r1
+bash                            5.2.15-r0              apk     
-gnupg-2.2.31-r2
+beautifulsoup4                  4.12.2                 python  
-gnupg-dirmngr-2.2.31-r2
+boto3                           1.26.109               python  
-gnupg-gpgconf-2.2.31-r2
+botocore                        1.29.109               python  
-gnupg-utils-2.2.31-r2
+brotli-libs                     1.0.9-r9               apk     
-gnupg-wks-client-2.2.31-r2
+bs4                             0.0.1                  python  
-gnutls-3.7.1-r1
+busybox                         1.35.0                 binary  
-gpg-2.2.31-r2
+busybox                         1.35.0-r29             apk     
-gpg-agent-2.2.31-r2
+busybox-binsh                   1.35.0-r29             apk     
-gpg-wks-server-2.2.31-r2
+c-client                        2007f-r14              apk     
-gpgsm-2.2.31-r2
+ca-certificates                 20220614-r4            apk     
-gpgv-2.2.31-r2
+ca-certificates-bundle          20220614-r4            apk     
-icu-libs-69.1-r1
+cachetools                      5.3.0                  python  
-ip6tables-1.8.7-r1
+certbot                         2.5.0                  python  
-iptables-1.8.7-r1
+certbot-dns-acmedns             0.1.0                  python  
-libacl-2.2.53-r0
+certbot-dns-aliyun              2.0.0                  python  
-libassuan-2.5.5-r0
+certbot-dns-azure               2.1.0                  python  
-libattr-2.5.1-r1
+certbot-dns-cloudflare          2.5.0                  python  
-libbsd-0.11.3-r1
+certbot-dns-cpanel              0.4.0                  python  
-libbz2-1.0.8-r1
+certbot-dns-desec               1.2.1                  python  
-libc-utils-0.7.2-r3
+certbot-dns-digitalocean        2.5.0                  python  
-libcap-2.61-r0
+certbot-dns-directadmin         1.0.3                  python  
-libcrypto1.1-1.1.1q-r0
+certbot-dns-dnsimple            2.5.0                  python  
-libcurl-7.80.0-r3
+certbot-dns-dnsmadeeasy         2.5.0                  python  
-libedit-20210910.3.1-r0
+certbot-dns-dnspod              0.1.0                  python  
-libevent-2.1.12-r4
+certbot-dns-do                  0.31.0                 python  
-libffi-3.4.2-r1
+certbot-dns-domeneshop          0.2.9                  python  
-libgcc-10.3.1_git20211027-r0
+certbot-dns-duckdns             1.3                    python  
-libgcrypt-1.9.4-r0
+certbot-dns-dynu                0.0.4                  python  
-libgd-2.3.2-r1
+certbot-dns-gehirn              2.5.0                  python  
-libgpg-error-1.42-r1
+certbot-dns-godaddy             0.2.2                  python  
-libice-1.0.10-r0
+certbot-dns-google              2.5.0                  python  
-libidn-1.38-r0
+certbot-dns-google-domains      0.1.9                  python  
-libintl-0.21-r0
+certbot-dns-he                  1.0.0                  python  
-libjpeg-turbo-2.1.2-r0
+certbot-dns-hetzner             2.0.0                  python  
-libksba-1.6.0-r0
+certbot-dns-infomaniak          0.2.1                  python  
-libldap-2.6.2-r0
+certbot-dns-inwx                2.2.0                  python  
-libmaxminddb-1.6.0-r0
+certbot-dns-ionos               2022.11.24             python  
-libmcrypt-2.5.8-r9
+certbot-dns-linode              2.5.0                  python  
-libmd-1.0.3-r0
+certbot-dns-loopia              1.0.1                  python  
-libmemcached-libs-1.0.18-r4
+certbot-dns-luadns              2.5.0                  python  
-libmnl-1.0.4-r2
+certbot-dns-netcup              1.2.0                  python  
-libnftnl-1.2.1-r0
+certbot-dns-njalla              1.0.0                  python  
-libpng-1.6.37-r1
+certbot-dns-nsone               2.5.0                  python  
-libpq-14.5-r0
+certbot-dns-ovh                 2.5.0                  python  
-libproc-3.3.17-r0
+certbot-dns-porkbun             0.8                    python  
-libretls-3.3.4-r3
+certbot-dns-rfc2136             2.5.0                  python  
-libsasl-2.1.28-r0
+certbot-dns-route53             2.5.0                  python  
-libseccomp-2.5.2-r0
+certbot-dns-sakuracloud         2.5.0                  python  
-libsm-1.2.3-r0
+certbot-dns-standalone          1.1                    python  
-libsodium-1.0.18-r0
+certbot-dns-transip             0.5.2                  python  
-libssl1.1-1.1.1q-r0
+certbot-dns-vultr               1.0.3                  python  
-libstdc++-10.3.1_git20211027-r0
+certbot-plugin-gandi            1.4.3                  python  
-libtasn1-4.18.0-r0
+certifi                         2022.12.7              python  
-libunistring-0.9.10-r1
+cffi                            1.15.1                 python  
-libuuid-2.37.4-r0
+charset-normalizer              3.1.0                  python  
-libwebp-1.2.2-r0
+cloudflare                      2.11.1                 python  
-libx11-1.7.2-r0
+configobj                       5.0.8                  python  
-libxau-1.0.9-r0
+coreutils                       9.1-r0                 apk     
-libxcb-1.14-r2
+cryptography                    40.0.1                 python  
-libxdmcp-1.1.3-r0
+curl                            7.88.1-r1              apk     
-libxext-1.3.4-r0
+dataclasses-json                0.5.7                  python  
-libxml2-2.9.14-r1
+distro                          1.8.0                  python  
-libxpm-3.5.13-r0
+dns-lexicon                     3.11.7                 python  
-libxslt-1.1.35-r0
+dnslib                          0.9.23                 python  
-libxt-1.2.1-r0
+dnspython                       2.3.0                  python  
-libzip-1.8.0-r1
+domeneshop                      0.4.3                  python  
-linux-pam-1.5.2-r0
+fail2ban                        1.0.2                  python  
-logrotate-3.18.1-r4
+fail2ban                        1.0.2-r0               apk     
-lz4-libs-1.9.3-r1
+filelock                        3.11.0                 python  
-memcached-1.6.12-r0
+fontconfig                      2.14.1-r0              apk     
-mpdecimal-2.5.1-r1
+freetype                        2.12.1-r0              apk     
-musl-1.2.2-r7
+future                          0.18.3                 python  
-musl-utils-1.2.2-r7
+gdbm                            1.23-r0                apk     
-nano-5.9-r0
+git                             2.38.4-r1              apk     
-ncurses-libs-6.3_p20211120-r1
+git-perl                        2.38.4-r1              apk     
-ncurses-terminfo-base-6.3_p20211120-r1
+gmp                             6.2.1-r2               apk     
-nettle-3.7.3-r0
+gnupg                           2.2.40-r0              apk     
-nghttp2-libs-1.46.0-r0
+gnupg-dirmngr                   2.2.40-r0              apk     
-nginx-1.20.2-r1
+gnupg-gpgconf                   2.2.40-r0              apk     
-nginx-mod-devel-kit-1.20.2-r1
+gnupg-utils                     2.2.40-r0              apk     
-nginx-mod-http-brotli-1.20.2-r1
+gnupg-wks-client                2.2.40-r0              apk     
-nginx-mod-http-dav-ext-1.20.2-r1
+gnutls                          3.7.8-r3               apk     
-nginx-mod-http-echo-1.20.2-r1
+google-api-core                 2.11.0                 python  
-nginx-mod-http-fancyindex-1.20.2-r1
+google-api-python-client        2.84.0                 python  
-nginx-mod-http-geoip2-1.20.2-r1
+google-auth                     2.17.2                 python  
-nginx-mod-http-headers-more-1.20.2-r1
+google-auth-httplib2            0.1.0                  python  
-nginx-mod-http-image-filter-1.20.2-r1
+googleapis-common-protos        1.59.0                 python  
-nginx-mod-http-nchan-1.20.2-r1
+gpg                             2.2.40-r0              apk     
-nginx-mod-http-perl-1.20.2-r1
+gpg-agent                       2.2.40-r0              apk     
-nginx-mod-http-redis2-1.20.2-r1
+gpg-wks-server                  2.2.40-r0              apk     
-nginx-mod-http-set-misc-1.20.2-r1
+gpgsm                           2.2.40-r0              apk     
-nginx-mod-http-upload-progress-1.20.2-r1
+gpgv                            2.2.40-r0              apk     
-nginx-mod-http-xslt-filter-1.20.2-r1
+httplib2                        0.22.0                 python  
-nginx-mod-mail-1.20.2-r1
+icu-data-en                     72.1-r1                apk     
-nginx-mod-rtmp-1.20.2-r1
+icu-libs                        72.1-r1                apk     
-nginx-mod-stream-1.20.2-r1
+idna                            3.4                    python  
-nginx-mod-stream-geoip2-1.20.2-r1
+importlib-metadata              6.2.0                  python  
-nginx-vim-1.20.2-r1
+ip6tables                       1.8.8-r2               apk     
-npth-1.6-r1
+iptables                        1.8.8-r2               apk     
-oniguruma-6.9.7.1-r0
+isodate                         0.6.1                  python  
-openssl-1.1.1q-r0
+jmespath                        1.0.1                  python  
-p11-kit-0.24.0-r1
+josepy                          1.13.0                 python  
-pcre-8.45-r1
+jq                              1.6-r2                 apk     
-pcre2-10.40-r0
+jsonlines                       3.1.0                  python  
-perl-5.34.0-r1
+jsonpickle                      3.0.1                  python  
-perl-error-0.17029-r1
+libacl                          2.3.1-r1               apk     
-perl-git-2.34.4-r0
+libassuan                       2.5.5-r1               apk     
-php8-8.0.18-r0
+libattr                         2.5.1-r2               apk     
-php8-bcmath-8.0.18-r0
+libavif                         0.11.1-r0              apk     
-php8-bz2-8.0.18-r0
+libbsd                          0.11.7-r0              apk     
-php8-common-8.0.18-r0
+libbz2                          1.0.8-r4               apk     
-php8-ctype-8.0.18-r0
+libc-utils                      0.7.2-r3               apk     
-php8-curl-8.0.18-r0
+libcrypto3                      3.0.8-r3               apk     
-php8-dom-8.0.18-r0
+libcurl                         7.88.1-r1              apk     
-php8-exif-8.0.18-r0
+libdav1d                        1.0.0-r2               apk     
-php8-fileinfo-8.0.18-r0
+libedit                         20221030.3.1-r0        apk     
-php8-fpm-8.0.18-r0
+libevent                        2.1.12-r5              apk     
-php8-ftp-8.0.18-r0
+libexpat                        2.5.0-r0               apk     
-php8-gd-8.0.18-r0
+libffi                          3.4.4-r0               apk     
-php8-gmp-8.0.18-r0
+libgcc                          12.2.1_git20220924-r4  apk     
-php8-iconv-8.0.18-r0
+libgcrypt                       1.10.1-r0              apk     
-php8-imap-8.0.18-r0
+libgd                           2.3.3-r3               apk     
-php8-intl-8.0.18-r0
+libgpg-error                    1.46-r1                apk     
-php8-ldap-8.0.18-r0
+libice                          1.0.10-r1              apk     
-php8-mbstring-8.0.18-r0
+libidn                          1.41-r0                apk     
-php8-mysqli-8.0.18-r0
+libintl                         0.21.1-r1              apk     
-php8-mysqlnd-8.0.18-r0
+libjpeg-turbo                   2.1.4-r0               apk     
-php8-opcache-8.0.18-r0
+libksba                         1.6.3-r0               apk     
-php8-openssl-8.0.18-r0
+libldap                         2.6.3-r6               apk     
-php8-pdo-8.0.18-r0
+libmaxminddb-libs               1.7.1-r0               apk     
-php8-pdo_mysql-8.0.18-r0
+libmcrypt                       2.5.8-r10              apk     
-php8-pdo_odbc-8.0.18-r0
+libmd                           1.0.4-r0               apk     
-php8-pdo_pgsql-8.0.18-r0
+libmemcached-libs               1.0.18-r5              apk     
-php8-pdo_sqlite-8.0.18-r0
+libmnl                          1.0.5-r0               apk     
-php8-pear-8.0.18-r0
+libnftnl                        1.2.4-r0               apk     
-php8-pecl-apcu-5.1.21-r0
+libpng                          1.6.38-r0              apk     
-php8-pecl-igbinary-3.2.6-r0
+libpq                           15.2-r0                apk     
-php8-pecl-mailparse-3.1.3-r0
+libproc                         3.3.17-r2              apk     
-php8-pecl-mcrypt-1.0.4-r0
+libsasl                         2.1.28-r3              apk     
-php8-pecl-memcached-3.1.5-r1
+libseccomp                      2.5.4-r0               apk     
-php8-pecl-redis-5.3.6-r0
+libsm                           1.2.3-r1               apk     
-php8-pecl-xmlrpc-1.0.0_rc3-r0
+libsodium                       1.0.18-r2              apk     
-php8-pgsql-8.0.18-r0
+libssl3                         3.0.8-r3               apk     
-php8-phar-8.0.18-r0
+libstdc++                       12.2.1_git20220924-r4  apk     
-php8-posix-8.0.18-r0
+libtasn1                        4.19.0-r0              apk     
-php8-session-8.0.18-r0
+libunistring                    1.1-r0                 apk     
-php8-simplexml-8.0.18-r0
+libuuid                         2.38.1-r1              apk     
-php8-soap-8.0.18-r0
+libwebp                         1.2.4-r1               apk     
-php8-sockets-8.0.18-r0
+libx11                          1.8.4-r0               apk     
-php8-sodium-8.0.18-r0
+libxau                          1.0.10-r0              apk     
-php8-sqlite3-8.0.18-r0
+libxcb                          1.15-r0                apk     
-php8-tokenizer-8.0.18-r0
+libxdmcp                        1.1.4-r0               apk     
-php8-xml-8.0.18-r0
+libxext                         1.3.5-r0               apk     
-php8-xmlreader-8.0.18-r0
+libxml2                         2.10.3-r1              apk     
-php8-xmlwriter-8.0.18-r0
+libxpm                          3.5.15-r0              apk     
-php8-xsl-8.0.18-r0
+libxslt                         1.1.37-r1              apk     
-php8-zip-8.0.18-r0
+libxt                           1.2.1-r0               apk     
-pinentry-1.2.0-r0
+libzip                          1.9.2-r2               apk     
-popt-1.18-r0
+linux-pam                       1.5.2-r1               apk     
-procps-3.3.17-r0
+logrotate                       3.20.1-r3              apk     
-py3-appdirs-1.4.4-r2
+loopialib                       0.2.0                  python  
-py3-asn1crypto-1.4.0-r1
+lxml                            4.9.2                  python  
-py3-cachecontrol-0.12.10-r0
+lz4-libs                        1.9.4-r1               apk     
-py3-certifi-2020.12.5-r1
+marshmallow                     3.19.0                 python  
-py3-cffi-1.14.5-r4
+marshmallow-enum                1.5.1                  python  
-py3-charset-normalizer-2.0.7-r0
+memcached                       1.6.17                 binary  
-py3-colorama-0.4.4-r1
+memcached                       1.6.17-r0              apk     
-py3-contextlib2-21.6.0-r1
+mock                            5.0.1                  python  
-py3-cparser-2.20-r1
+mpdecimal                       2.5.1-r1               apk     
-py3-cryptography-3.3.2-r3
+msal                            1.21.0                 python  
-py3-distlib-0.3.3-r0
+msal-extensions                 1.0.0                  python  
-py3-distro-1.6.0-r0
+msrest                          0.7.1                  python  
-py3-future-0.18.2-r3
+musl                            1.2.3-r4               apk     
-py3-html5lib-1.1-r1
+musl-utils                      1.2.3-r4               apk     
-py3-idna-3.3-r0
+mypy-extensions                 1.0.0                  python  
-py3-lockfile-0.12.2-r4
+nano                            7.0-r0                 apk     
-py3-msgpack-1.0.2-r1
+ncurses-libs                    6.3_p20221119-r0       apk     
-py3-ordered-set-4.0.2-r2
+ncurses-terminfo-base           6.3_p20221119-r0       apk     
-py3-packaging-20.9-r1
+netcat-openbsd                  1.130-r4               apk     
-py3-parsing-2.4.7-r2
+nettle                          3.8.1-r0               apk     
-py3-pep517-0.12.0-r0
+nghttp2-libs                    1.51.0-r0              apk     
-py3-pip-20.3.4-r1
+nginx                           1.22.1-r0              apk     
-py3-progress-1.6-r0
+nginx-mod-devel-kit             1.22.1-r0              apk     
-py3-requests-2.26.0-r1
+nginx-mod-http-brotli           1.22.1-r0              apk     
-py3-retrying-1.3.3-r2
+nginx-mod-http-dav-ext          1.22.1-r0              apk     
-py3-setuptools-52.0.0-r4
+nginx-mod-http-echo             1.22.1-r0              apk     
-py3-six-1.16.0-r0
+nginx-mod-http-fancyindex       1.22.1-r0              apk     
-py3-toml-0.10.2-r2
+nginx-mod-http-geoip2           1.22.1-r0              apk     
-py3-tomli-1.2.2-r0
+nginx-mod-http-headers-more     1.22.1-r0              apk     
-py3-urllib3-1.26.7-r0
+nginx-mod-http-image-filter     1.22.1-r0              apk     
-py3-webencodings-0.5.1-r4
+nginx-mod-http-perl             1.22.1-r0              apk     
-python3-3.9.13-r1
+nginx-mod-http-redis2           1.22.1-r0              apk     
-readline-8.1.1-r0
+nginx-mod-http-set-misc         1.22.1-r0              apk     
-s6-ipcserver-2.11.0.0-r0
+nginx-mod-http-upload-progress  1.22.1-r0              apk     
-scanelf-1.3.3-r0
+nginx-mod-http-xslt-filter      1.22.1-r0              apk     
-shadow-4.8.1-r1
+nginx-mod-mail                  1.22.1-r0              apk     
-skalibs-2.11.0.0-r0
+nginx-mod-rtmp                  1.22.1-r0              apk     
-sqlite-libs-3.36.0-r0
+nginx-mod-stream                1.22.1-r0              apk     
-ssl_client-1.34.1-r7
+nginx-mod-stream-geoip2         1.22.1-r0              apk     
-tzdata-2022c-r0
+nginx-vim                       1.22.1-r0              apk     
-unixodbc-2.3.9-r1
+npth                            1.6-r2                 apk     
-utmps-0.1.0.3-r0
+oauth2client                    4.1.3                  python  
-whois-5.5.10-r0
+oauthlib                        3.2.2                  python  
-xz-5.2.5-r1
+oniguruma                       6.9.8-r0               apk     
-xz-libs-5.2.5-r1
+openssl                         3.0.8-r3               apk     
-zlib-1.2.12-r3
+p11-kit                         0.24.1-r1              apk     
-zstd-libs-1.5.0-r0
+packaging                       23.0                   python  
+parsedatetime                   2.6                    python  
+pcre                            8.45-r2                apk     
+pcre2                           10.42-r0               apk     
+perl                            5.36.0-r0              apk     
+perl-error                      0.17029-r1             apk     
+perl-git                        2.38.4-r1              apk     
+php-cli                         8.1.17                 binary  
+php-fpm                         8.1.17                 binary  
+php81                           8.1.17-r0              apk     
+php81-bcmath                    8.1.17-r0              apk     
+php81-bz2                       8.1.17-r0              apk     
+php81-common                    8.1.17-r0              apk     
+php81-ctype                     8.1.17-r0              apk     
+php81-curl                      8.1.17-r0              apk     
+php81-dom                       8.1.17-r0              apk     
+php81-exif                      8.1.17-r0              apk     
+php81-fileinfo                  8.1.17-r0              apk     
+php81-fpm                       8.1.17-r0              apk     
+php81-ftp                       8.1.17-r0              apk     
+php81-gd                        8.1.17-r0              apk     
+php81-gmp                       8.1.17-r0              apk     
+php81-iconv                     8.1.17-r0              apk     
+php81-imap                      8.1.17-r0              apk     
+php81-intl                      8.1.17-r0              apk     
+php81-ldap                      8.1.17-r0              apk     
+php81-mbstring                  8.1.17-r0              apk     
+php81-mysqli                    8.1.17-r0              apk     
+php81-mysqlnd                   8.1.17-r0              apk     
+php81-opcache                   8.1.17-r0              apk     
+php81-openssl                   8.1.17-r0              apk     
+php81-pdo                       8.1.17-r0              apk     
+php81-pdo_mysql                 8.1.17-r0              apk     
+php81-pdo_odbc                  8.1.17-r0              apk     
+php81-pdo_pgsql                 8.1.17-r0              apk     
+php81-pdo_sqlite                8.1.17-r0              apk     
+php81-pear                      8.1.17-r0              apk     
+php81-pecl-apcu                 5.1.22-r0              apk     
+php81-pecl-igbinary             3.2.12-r0              apk     
+php81-pecl-mailparse            3.1.4-r0               apk     
+php81-pecl-mcrypt               1.0.6-r0               apk     
+php81-pecl-memcached            3.2.0-r0               apk     
+php81-pecl-redis                5.3.7-r0               apk     
+php81-pecl-xmlrpc               1.0.0_rc3-r0           apk     
+php81-pgsql                     8.1.17-r0              apk     
+php81-phar                      8.1.17-r0              apk     
+php81-posix                     8.1.17-r0              apk     
+php81-session                   8.1.17-r0              apk     
+php81-simplexml                 8.1.17-r0              apk     
+php81-soap                      8.1.17-r0              apk     
+php81-sockets                   8.1.17-r0              apk     
+php81-sodium                    8.1.17-r0              apk     
+php81-sqlite3                   8.1.17-r0              apk     
+php81-tokenizer                 8.1.17-r0              apk     
+php81-xml                       8.1.17-r0              apk     
+php81-xmlreader                 8.1.17-r0              apk     
+php81-xmlwriter                 8.1.17-r0              apk     
+php81-xsl                       8.1.17-r0              apk     
+php81-zip                       8.1.17-r0              apk     
+pinentry                        1.2.1-r0               apk     
+pip                             23.0.1                 python  
+pkb-client                      1.2                    python  
+popt                            1.19-r0                apk     
+portalocker                     2.7.0                  python  
+procps                          3.3.17-r2              apk     
+protobuf                        4.22.1                 python  
+publicsuffixlist                0.9.3                  python  
+pyOpenSSL                       23.1.1                 python  
+pyRFC3339                       1.1                    python  
+pyacmedns                       0.4                    python  
+pyasn1                          0.4.8                  python  
+pyasn1-modules                  0.2.8                  python  
+pycparser                       2.21                   python  
+pyparsing                       3.0.9                  python  
+python                          3.10.11                binary  
+python-dateutil                 2.8.2                  python  
+python-digitalocean             1.17.0                 python  
+python-transip                  0.6.0                  python  
+python3                         3.10.11-r0             apk     
+pytz                            2023.3                 python  
+readline                        8.2.0-r0               apk     
+requests                        2.28.2                 python  
+requests-file                   1.5.1                  python  
+requests-mock                   1.10.0                 python  
+requests-oauthlib               1.3.1                  python  
+rsa                             4.9                    python  
+s3transfer                      0.6.0                  python  
+scanelf                         1.3.5-r1               apk     
+setuptools                      65.5.0                 python  
+shadow                          4.13-r0                apk     
+six                             1.16.0                 python  
+skalibs                         2.12.0.1-r0            apk     
+soupsieve                       2.4                    python  
+sqlite-libs                     3.40.1-r0              apk     
+ssl_client                      1.35.0-r29             apk     
+tiff                            4.4.0-r3               apk     
+tldextract                      3.4.0                  python  
+typing-inspect                  0.8.0                  python  
+typing_extensions               4.5.0                  python  
+tzdata                          2023c-r0               apk     
+unixodbc                        2.3.11-r0              apk     
+uritemplate                     4.1.1                  python  
+urllib3                         1.26.15                python  
+utmps-libs                      0.1.2.0-r1             apk     
+wheel                           0.40.0                 python  
+whois                           5.5.14-r0              apk     
+xz                              5.2.9-r0               apk     
+xz-libs                         5.2.9-r0               apk     
+zipp                            3.15.0                 python  
+zlib                            1.2.13-r0              apk     
+zope.interface                  6.0                    python  
+zstd-libs                       1.5.5-r0               apk     

readme-vars.yml

@@ -32,7 +32,7 @@ param_usage_include_env: true
 param_env_vars:
   - { env_var: "TZ", env_value: "Europe/London", desc: "Specify a timezone to use EG Europe/London." }
   - { env_var: "URL", env_value: "yourdomain.url", desc: "Top url you have control over (`customdomain.com` if you own it, or `customsubdomain.ddnsprovider.com` if dynamic dns)." }
-  - { env_var: "VALIDATION", env_value: "http", desc: "Certbot validation method to use, options are `http`, `dns` or `duckdns` (`dns` method also requires `DNSPLUGIN` variable set) (`duckdns` method requires `DUCKDNSTOKEN` variable set, and the `SUBDOMAINS` variable must be either empty or set to `wildcard`)." }
+  - { env_var: "VALIDATION", env_value: "http", desc: "Certbot validation method to use, options are `http` or `dns` (`dns` method also requires `DNSPLUGIN` variable set)." }
 param_usage_include_vols: true
 param_volumes:
   - { vol_path: "/config", vol_host_path: "/path/to/appdata/config", desc: "All the config files including the webroot reside here." }
@@ -49,11 +49,10 @@ cap_add_param_vars:
 # optional container parameters
 opt_param_usage_include_env: true
 opt_param_env_vars:
-  - { env_var: "SUBDOMAINS", env_value: "www,", desc: "Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this _exactly_ to `wildcard` (wildcard cert is available via `dns` and `duckdns` validation only)" }
+  - { env_var: "SUBDOMAINS", env_value: "www,", desc: "Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this *exactly* to `wildcard` (wildcard cert is available via `dns` validation only)" }
   - { env_var: "CERTPROVIDER", env_value: "", desc: "Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt." }
-  - { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `acmedns`,`aliyun`, `azure`, `cloudflare`, `cloudxns`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `domeneshop`, `dynu`, `gandi`, `gehirn`, `google`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip` and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." }
+  - { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `duckdns`, `dynu`, `gandi`, `gehirn`, `godaddy`, `google`, `google-domains`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." }
   - { env_var: "PROPAGATION", env_value: "", desc: "Optionally override (in seconds) the default propagation time for the dns plugins." }
-  - { env_var: "DUCKDNSTOKEN", env_value: "", desc: "Required if `VALIDATION` is set to `duckdns`. Retrieve your token from https://www.duckdns.org" }
   - { env_var: "EMAIL", env_value: "", desc: "Optional e-mail address used for cert expiration notifications (Required for ZeroSSL)." }
   - { env_var: "ONLY_SUBDOMAINS", env_value: "false", desc: "If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true`" }
   - { env_var: "EXTRA_DOMAINS", env_value: "", desc: "Additional fully qualified domain names (comma separated, no spaces) ie. `extradomain.com,subdomain.anotherdomain.org,*.anotherdomain.org`" }
@@ -80,13 +79,15 @@ app_setup_block: |
   ### Validation and initial setup
 
   * Before running this container, make sure that the url and subdomains are properly forwarded to this container's host, and that port 443 (and/or 80) is not being used by another service on the host (NAS gui, another webserver, etc.).
+  * If you need a dynamic dns provider, you can use the free provider duckdns.org where the `URL` will be `yoursubdomain.duckdns.org` and the `SUBDOMAINS` can be `www,ftp,cloud` with http validation, or `wildcard` with dns validation. You can use our [duckdns image](https://hub.docker.com/r/linuxserver/duckdns/) to update your IP on duckdns.org.
   * For `http` validation, port 80 on the internet side of the router should be forwarded to this container's port 80
   * For `dns` validation, make sure to enter your credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`
     * Cloudflare provides free accounts for managing dns and is very easy to use with this image. Make sure that it is set up for "dns only" instead of "dns + proxy"
     * Google dns plugin is meant to be used with "Google Cloud DNS", a paid enterprise product, and not for "Google Domains DNS"
-  * For `duckdns` validation, either leave the `SUBDOMAINS` variable empty or set it to `wildcard`, and set the `DUCKDNSTOKEN` variable with your duckdns token. Due to a limitation of duckdns, the resulting cert will only cover either main subdomain (ie. `yoursubdomain.duckdns.org`), or sub-subdomains (ie. `*.yoursubdomain.duckdns.org`), but will not both at the same time. You can use our [duckdns image](https://hub.docker.com/r/linuxserver/duckdns/) to update your IP on duckdns.org.
+    * DuckDNS only supoprts two types of DNS validated certificates (not both at the same time):
+      1. Certs that only cover your main subdomain (ie. `yoursubdomain.duckdns.org`, leave the `SUBDOMAINS` variable empty)
+      2. Certs that cover sub-subdomains of your main subdomain (ie. `*.yoursubdomain.duckdns.org`, set the `SUBDOMAINS` variable to `wildcard`)
   * `--cap-add=NET_ADMIN` is required for fail2ban to modify iptables
-  * If you need a dynamic dns provider, you can use the free provider duckdns.org where the `URL` will be `yoursubdomain.duckdns.org` and the `SUBDOMAINS` can be `www,ftp,cloud` with http validation, or `wildcard` with dns validation.
   * After setup, navigate to `https://yourdomain.url` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default.conf`).
   * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
 
@@ -131,7 +132,7 @@ app_setup_block: |
   * You can check which jails are active via `docker exec -it swag fail2ban-client status`
   * You can check the status of a specific jail via `docker exec -it swag fail2ban-client status <jail name>`
   * You can unban an IP via `docker exec -it swag fail2ban-client set <jail name> unbanip <IP>`
-  * A list of commands can be found here: https://www.fail2ban.org/wiki/index.php/Commands
+  * A list of commands can be found here: <https://www.fail2ban.org/wiki/index.php/Commands>
 
   ### Updating configs
 
@@ -148,13 +149,30 @@ app_setup_block: |
   * You can check the new sample and adjust your active config as needed.
 
   ### Migration from the old `linuxserver/letsencrypt` image
-  Please follow the instructions [on this blog post](https://www.linuxserver.io/blog/2020-08-21-introducing-swag#migrate).
 
-app_setup_nginx_reverse_proxy_snippet: false
+  Please follow the instructions [on this blog post](https://www.linuxserver.io/blog/2020-08-21-introducing-swag#migrate).
-app_setup_nginx_reverse_proxy_block: ""
 
 # changelog
 changelogs:
+  - { date: "25.03.23:", desc: "Fix renewal post hook." }
+  - { date: "10.03.23:", desc: "Cleanup unused csr and keys folders. See [certbot 2.3.0 release notes](https://github.com/certbot/certbot/releases/tag/v2.3.0)." }
+  - { date: "09.03.23:", desc: "Add Google Domains DNS support, `google-domains`." }
+  - { date: "02.03.23:", desc: "Set permissions on crontabs during init." }
+  - { date: "09.02.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf, authelia-location.conf and authelia-server.conf - Add Authentik configs, update Authelia configs." }
+  - { date: "06.02.23:", desc: "Add porkbun support back in." }
+  - { date: "21.01.23:", desc: "Unpin certbot version (allow certbot 2.x). !!BREAKING CHANGE!! We are temporarily removing the certbot porkbun plugin until a new version is released that is compatible with certbot 2.x." }
+  - { date: "20.01.23:", desc: "Rebase to alpine 3.17 with php8.1." }
+  - { date: "16.01.23:", desc: "Remove nchan module because it keeps causing crashes." }
+  - { date: "08.12.22:", desc: "Revamp certbot init."}
+  - { date: "03.12.22:", desc: "Remove defunct cloudxns plugin."}
+  - { date: "22.11.22:", desc: "Pin acme to the same version as certbot."}
+  - { date: "22.11.22:", desc: "Pin certbot to 1.32.0 until plugin compatibility improves."}
+  - { date: "05.11.22:", desc: "Update acmedns plugin handling."}
+  - { date: "06.10.22:", desc: "Switch to certbot-dns-duckdns. Update cpanel and gandi dns plugin handling. Minor adjustments to init logic." }
+  - { date: "05.10.22:", desc: "Use certbot file hooks instead of command line hooks" }
+  - { date: "04.10.22:", desc: "Add godaddy and porkbun dns plugins." }
+  - { date: "03.10.22:", desc: "Add default_server back to default site conf's https listen." }
+  - { date: "22.09.22:", desc: "Added support for DO DNS validation." }
   - { date: "22.09.22:", desc: "Added certbot-dns-acmedns for DNS01 validation." }
   - { date: "20.08.22:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf - Rebasing to alpine 3.15 with php8. Restructure nginx configs ([see changes announcement](https://info.linuxserver.io/issues/2022-08-20-nginx-base))." }
   - { date: "10.08.22:", desc: "Added support for Dynu DNS validation." }
@@ -168,7 +186,7 @@ changelogs:
   - { date: "22.11.21:", desc: "Added support for Infomaniak DNS for certificate generation." }
   - { date: "20.11.21:", desc: "Added support for dnspod validation." }
   - { date: "15.11.21:", desc: "Added support for deSEC DNS for wildcard certificate generation." }
-  - { date: "26.10.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf - Mitigate https://httpoxy.org/ vulnerabilities. Ref: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx#Defeating-the-Attack-using-NGINX-and-NGINX-Plus" }
+  - { date: "26.10.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf - Mitigate <https://httpoxy.org/> vulnerabilities. Ref: <https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx#Defeating-the-Attack-using-NGINX-and-NGINX-Plus>" }
   - { date: "23.10.21:", desc: "Fix Hurricane Electric (HE) DNS validation." }
   - { date: "12.10.21:", desc: "Fix deprecated LE root cert check to fix failures when using `STAGING=true`, and failures in revoking." }
   - { date: "06.10.21:", desc: "Added support for Hurricane Electric (HE) DNS validation. Added lxml build deps." }

root/app/duckdns-txt

@@ -1,8 +0,0 @@
-#!/bin/bash
-
-. /config/.donoteditthisfile.conf
-
-curl https://www.duckdns.org/update?domains=${CERTBOT_DOMAIN}\&token=${ORIGDUCKDNSTOKEN}\&txt=${CERTBOT_VALIDATION}
-
-echo "sleeping 60"
-sleep 60

root/app/le-renew.sh

@@ -1,27 +1,9 @@
 #!/usr/bin/with-contenv bash
-
+# shellcheck shell=bash
-. /config/.donoteditthisfile.conf
 
 echo "<------------------------------------------------->"
 echo
 echo "<------------------------------------------------->"
-echo "cronjob running on "$(date)
+echo "cronjob running on $(date)"
 echo "Running certbot renew"
-if [ "$ORIGVALIDATION" = "dns" ] || [ "$ORIGVALIDATION" = "duckdns" ]; then
+certbot renew --non-interactive
-  certbot -n renew \
-    --post-hook "if ps aux | grep [n]ginx: > /dev/null; then s6-svc -h /var/run/s6/services/nginx; fi; \
-    cd /config/keys/letsencrypt && \
-    openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && \
-    sleep 1 && \
-    cat privkey.pem fullchain.pem > priv-fullchain-bundle.pem && \
-    chown -R abc:abc /config/etc/letsencrypt"
-else
-  certbot -n renew \
-    --pre-hook "if ps aux | grep [n]ginx: > /dev/null; then s6-svc -d /var/run/s6/services/nginx; fi" \
-    --post-hook "if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi; \
-    cd /config/keys/letsencrypt && \
-    openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && \
-    sleep 1 && \
-    cat privkey.pem fullchain.pem > priv-fullchain-bundle.pem && \
-    chown -R abc:abc /config/etc/letsencrypt"
-fi

root/defaults/dns-conf/cloudxns.ini

@@ -1,4 +0,0 @@
-# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudxns/certbot_dns_cloudxns/__init__.py#L20
-# Replace with your values
-dns_cloudxns_api_key = 1234567890abcdef1234567890abcdef
-dns_cloudxns_secret_key = 1122334455667788

root/defaults/dns-conf/cpanel.ini

@@ -1,6 +1,15 @@
 # Instructions: https://github.com/badjware/certbot-dns-cpanel#credentials
-# Replace with your values
+# The url cPanel url
 # include the scheme and the port number (usually 2083 for https)
-certbot_dns_cpanel:cpanel_url = https://cpanel.example.com:2083
+cpanel_url = https://cpanel.exemple.com:2083
-certbot_dns_cpanel:cpanel_username = username
+
-certbot_dns_cpanel:cpanel_password = 1234567890abcdef
+# The cPanel username
+cpanel_username = user
+
+# The cPanel password 
+cpanel_password = hunter2
+
+# The cPanel API Token
+cpanel_token = EUTQ793EY7MIRX4EMXXXXXXXXXXOX4JF
+
+# You only need to configure API Token or Password. If you supply both, the API Token will be used

root/defaults/dns-conf/directadmin.ini

@@ -12,10 +12,10 @@
 
 # The DirectAdmin Server url
 # include the scheme and the port number (Normally 2222)
-directadmin_url = https://my.directadminserver.com:2222
+dns_directadmin_url = https://my.directadminserver.com:2222
 
 # The DirectAdmin username
-directadmin_username = username
+dns_directadmin_username = username
 
 # The DirectAdmin password
-directadmin_password = aSuperStrongPassword
+dns_directadmin_password = aSuperStrongPassword

root/defaults/dns-conf/do.ini

@@ -0,0 +1,3 @@
+# Instructions: https://github.com/georgeto/certbot-dns-do/blob/master/certbot_dns_do/__init__.py#L32
+# Replace with your values
+dns_do_api_token = YOUR_DO_LETSENCRYPT_API_KEY

root/defaults/dns-conf/duckdns.ini

@@ -0,0 +1,3 @@
+# Instructions: https://github.com/infinityofspace/certbot_dns_duckdns#credentials-file-or-cli-parameters
+# Replace with your API token from your duckdns account.
+dns_duckdns_token=<your-duckdns-token>

root/defaults/dns-conf/gandi.ini

@@ -1,3 +1,7 @@
 # Instructions: https://github.com/obynio/certbot-plugin-gandi#usage
 # Replace with your value
-certbot_plugin_gandi:dns_api_key=APIKEY
+# live dns v5 api key
+dns_gandi_api_key=APIKEY
+
+# optional organization id, remove it if not used
+#dns_gandi_sharing_id=SHARINGID

root/defaults/dns-conf/godaddy.ini

@@ -0,0 +1,4 @@
+# Instructions: https://github.com/miigotu/certbot-dns-godaddy
+# Replace with your values
+dns_godaddy_secret      = 0123456789abcdef0123456789abcdef01234567
+dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123

root/defaults/dns-conf/google-domains.ini

@@ -0,0 +1,4 @@
+# Instructions: https://github.com/aaomidi/certbot-dns-google-domains#credentials
+# Replace with your value
+dns_google_domains_access_token = abcdef
+dns_google_domains_zone = example.com

root/defaults/dns-conf/infomaniak.ini

@@ -1,3 +1,3 @@
- Instructions: https://github.com/Infomaniak/certbot-dns-infomaniak#via-ini-file
+# Instructions: https://github.com/Infomaniak/certbot-dns-infomaniak#via-ini-file
 # Replace with your values
 dns_infomaniak_token = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

root/defaults/dns-conf/netcup.ini

@@ -1,3 +1,5 @@
+# Recommended PROPAGATION value in environment for netcup is 900
+
 dns_netcup_customer_id  = 123456
 dns_netcup_api_key      = 0123456789abcdef0123456789abcdef01234567
 dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123

root/defaults/dns-conf/porkbun.ini

@@ -0,0 +1,4 @@
+# Instructions: https://github.com/infinityofspace/certbot_dns_porkbun
+# Replace with your values
+dns_porkbun_key=<your-porkbun-api-key>
+dns_porkbun_secret=<your-porkbun-api-secret>

root/defaults/dns-conf/route53.ini

@@ -1,5 +1,5 @@
 # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-route53/certbot_dns_route53/__init__.py#L18
 # Replace with your values
 [default]
-aws_access_key_id=AKIAIOSFODNN7EXAMPLE
+; aws_access_key_id=AKIAIOSFODNN7EXAMPLE
-aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+; aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default

@@ -0,0 +1,8 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+cd /config/keys/letsencrypt || exit 1
+openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
+sleep 1
+cat {privkey,fullchain}.pem >priv-fullchain-bundle.pem
+chown -R abc:abc /config/etc/letsencrypt

root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx

@@ -0,0 +1,15 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+# shellcheck source=/dev/null
+. /config/.donoteditthisfile.conf
+
+if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then
+    if pgrep -f "s6-supervise svc-nginx" >/dev/null; then
+        s6-svc -u /run/service/svc-nginx
+    fi
+else
+    if pgrep -f "nginx:" >/dev/null; then
+        s6-svc -h /run/service/svc-nginx
+    fi
+fi

root/defaults/etc/letsencrypt/renewal-hooks/pre/10-nginx

@@ -0,0 +1,11 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+# shellcheck source=/dev/null
+. /config/.donoteditthisfile.conf
+
+if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then
+    if pgrep -f "nginx:" >/dev/null; then
+        s6-svc -d /run/service/svc-nginx
+    fi
+fi

root/defaults/nginx/authelia-location.conf.sample

@@ -1,15 +1,29 @@
-## Version 2022/08/20 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample
+## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample
 # Make sure that your authelia container is in the same user defined bridge network and is named authelia
+# Rename /config/nginx/proxy-confs/authelia.subdomain.conf.sample to /config/nginx/proxy-confs/authelia.subdomain.conf
 # Make sure that the authelia configuration.yml has 'path: "authelia"' defined
 
+## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
 auth_request /authelia/api/verify;
-auth_request_set $target_url $scheme://$http_host$request_uri;
+## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
+error_page 401 = @authelia_proxy_signin;
+
+## Translate response headers from Authelia into variables
 auth_request_set $user $upstream_http_remote_user;
 auth_request_set $groups $upstream_http_remote_groups;
 auth_request_set $name $upstream_http_remote_name;
 auth_request_set $email $upstream_http_remote_email;
+auth_request_set $authorization $upstream_http_authorization;
+auth_request_set $proxy_authorization $upstream_http_proxy_authorization;
+
+## Inject the response header variables into the request made to the actual upstream
 proxy_set_header Remote-User $user;
 proxy_set_header Remote-Groups $groups;
 proxy_set_header Remote-Name $name;
 proxy_set_header Remote-Email $email;
-error_page 401 =302 https://$http_host/authelia/?rd=$target_url;
+proxy_set_header Authorization $authorization;
+proxy_set_header Proxy-Authorization $proxy_authorization;
+
+## Include the Set-Cookie header if present.
+auth_request_set $set_cookie $upstream_http_set_cookie;
+add_header Set-Cookie $set_cookie;

root/defaults/nginx/authelia-server.conf.sample

@@ -1,50 +1,55 @@
-## Version 2022/09/22 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample
+## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample
 # Make sure that your authelia container is in the same user defined bridge network and is named authelia
+# Rename /config/nginx/proxy-confs/authelia.subdomain.conf.sample to /config/nginx/proxy-confs/authelia.subdomain.conf
+# Make sure that the authelia configuration.yml has 'path: "authelia"' defined
 
+# location for authelia subfolder requests
 location ^~ /authelia {
+    auth_request off; # requests to this subfolder must be accessible without authentication
     include /config/nginx/proxy.conf;
     include /config/nginx/resolver.conf;
     set $upstream_authelia authelia;
     proxy_pass http://$upstream_authelia:9091;
 }
 
+# location for authelia auth requests
 location = /authelia/api/verify {
     internal;
 
+    include /config/nginx/proxy.conf;
     include /config/nginx/resolver.conf;
     set $upstream_authelia authelia;
+    proxy_pass http://$upstream_authelia:9091/authelia/api/verify;
+
+    ## Include the Set-Cookie header if present.
+    auth_request_set $set_cookie $upstream_http_set_cookie;
+    add_header Set-Cookie $set_cookie;
+
     proxy_pass_request_body off;
-    proxy_pass http://$upstream_authelia:9091;
     proxy_set_header Content-Length "";
-
+}
-    # Timeout if the real server is dead
+
-    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+# Virtual location for authelia 401 redirects
-
+location @authelia_proxy_signin {
-    # [REQUIRED] Needed by Authelia to check authorizations of the resource.
+    internal;
-    # Provide either X-Original-URL and X-Forwarded-Proto or
+
-    # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
+    ## Set the $target_url variable based on the original request.
-    # Those headers will be used by Authelia to deduce the target url of the user.
+    set_escape_uri $target_url $scheme://$http_host$request_uri;
-    # Basic Proxy Config
+
-    client_body_buffer_size 128k;
+    ## Include the Set-Cookie header if present.
-    proxy_set_header Host $host;
+    auth_request_set $set_cookie $upstream_http_set_cookie;
-    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    add_header Set-Cookie $set_cookie;
-    proxy_set_header X-Real-IP $remote_addr;
+
-    proxy_set_header X-Forwarded-For $remote_addr;
+    ## Set $authelia_backend to route requests to the current domain by default
-    proxy_set_header X-Forwarded-Method $request_method;
+    set $authelia_backend $http_host;
-    proxy_set_header X-Forwarded-Proto $scheme;
+    ## In order for Webauthn to work with multiple domains authelia must operate on a separate subdomain
-    proxy_set_header X-Forwarded-Host $http_host;
+    ## To use authelia on a separate subdomain:
-    proxy_set_header X-Forwarded-Uri $request_uri;
+    ##  * comment the $authelia_backend line above
-    proxy_set_header X-Forwarded-Ssl on;
+    ##  * rename /config/nginx/proxy-confs/authelia.conf.sample to /config/nginx/proxy-confs/authelia.conf
-    proxy_redirect  http://  $scheme://;
+    ##  * make sure that your dns has a cname set for authelia
-    proxy_http_version 1.1;
+    ##  * uncomment the $authelia_backend line below and change example.com to your domain
-    proxy_set_header Connection "";
+    ##  * restart the swag container
-    proxy_cache_bypass $cookie_session;
+    #set $authelia_backend authelia.example.com;
-    proxy_no_cache $cookie_session;
+
-    proxy_buffers 4 32k;
+    return 302 https://$authelia_backend/authelia/?rd=$target_url;
-
-    # Advanced Proxy Config
-    send_timeout 5m;
-    proxy_read_timeout 240;
-    proxy_send_timeout 240;
-    proxy_connect_timeout 240;
 }

root/defaults/nginx/authentik-location.conf.sample

@@ -0,0 +1,26 @@
+## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-location.conf.sample
+# Make sure that your authentik container is in the same user defined bridge network and is named authentik-server
+# Rename /config/nginx/proxy-confs/authentik.subdomain.conf.sample to /config/nginx/proxy-confs/authentik.subdomain.conf
+
+## Send a subrequest to Authentik to verify if the user is authenticated and has permission to access the resource.
+auth_request /outpost.goauthentik.io/auth/nginx;
+## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
+error_page 401 = @goauthentik_proxy_signin;
+
+## Translate response headers from Authentik into variables
+auth_request_set $authentik_username $upstream_http_x_authentik_username;
+auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+auth_request_set $authentik_email $upstream_http_x_authentik_email;
+auth_request_set $authentik_name $upstream_http_x_authentik_name;
+auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+## Inject the response header variables into the request made to the actual upstream
+proxy_set_header X-authentik-username $authentik_username;
+proxy_set_header X-authentik-groups $authentik_groups;
+proxy_set_header X-authentik-email $authentik_email;
+proxy_set_header X-authentik-name $authentik_name;
+proxy_set_header X-authentik-uid $authentik_uid;
+
+## Include the Set-Cookie header if present.
+auth_request_set $set_cookie $upstream_http_set_cookie;
+add_header Set-Cookie $set_cookie;

root/defaults/nginx/authentik-server.conf.sample

@@ -0,0 +1,45 @@
+## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-server.conf.sample
+# Make sure that your authentik container is in the same user defined bridge network and is named authentik-server
+# Rename /config/nginx/proxy-confs/authentik.subdomain.conf.sample to /config/nginx/proxy-confs/authentik.subdomain.conf
+
+# location for authentik subfolder requests
+location ^~ /outpost.goauthentik.io {
+    auth_request off; # requests to this subfolder must be accessible without authentication
+    include /config/nginx/proxy.conf;
+    include /config/nginx/resolver.conf;
+    set $upstream_authentik authentik-server;
+    proxy_pass http://$upstream_authentik:9000;
+}
+
+# location for authentik auth requests
+location = /outpost.goauthentik.io/auth/nginx {
+    internal;
+
+    include /config/nginx/proxy.conf;
+    include /config/nginx/resolver.conf;
+    set $upstream_authentik authentik-server;
+    proxy_pass http://$upstream_authentik:9000/outpost.goauthentik.io/auth/nginx;
+
+    ## Include the Set-Cookie header if present.
+    auth_request_set $set_cookie $upstream_http_set_cookie;
+    add_header Set-Cookie $set_cookie;
+
+    proxy_pass_request_body off;
+    proxy_set_header Content-Length "";
+}
+
+# Virtual location for authentik 401 redirects
+location @goauthentik_proxy_signin {
+    internal;
+
+    ## Set the $target_url variable based on the original request.
+    set_escape_uri $target_url $scheme://$http_host$request_uri;
+
+    ## Include the Set-Cookie header if present.
+    auth_request_set $set_cookie $upstream_http_set_cookie;
+    add_header Set-Cookie $set_cookie;
+
+    ## Set $authentik_backend to route requests to the current domain by default
+    set $authentik_backend $http_host;
+    return 302 https://$authentik_backend/outpost.goauthentik.io/start?rd=$target_url;
+}

root/defaults/nginx/proxy.conf.sample

@@ -1,4 +1,4 @@
-## Version 2022/09/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample
+## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample
 
 # Timeout if the real server is dead
 proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
@@ -25,11 +25,13 @@ proxy_set_header Host $host;
 proxy_set_header Proxy "";
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Host $host:$server_port;
+proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Method $request_method;
+proxy_set_header X-Forwarded-Port $server_port;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Server $host;
 proxy_set_header X-Forwarded-Ssl on;
 proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Original-Method $request_method;
 proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
 proxy_set_header X-Real-IP $remote_addr;

root/defaults/nginx/site-confs/default.conf.sample

@@ -1,4 +1,4 @@
-## Version 2022/09/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
 
 # redirect all traffic to https
 server {
@@ -12,8 +12,8 @@ server {
 
 # main server block
 server {
-    listen 443 ssl http2;
+    listen 443 ssl http2 default_server;
-    listen [::]:443 ssl http2;
+    listen [::]:443 ssl http2 default_server;
 
     server_name _;
 
@@ -29,6 +29,9 @@ server {
     # enable for Authelia (requires authelia-location.conf in the location block)
     #include /config/nginx/authelia-server.conf;
 
+    # enable for Authentik (requires authentik-location.conf in the location block)
+    #include /config/nginx/authentik-server.conf;
+
     location / {
         # enable for basic auth
         #auth_basic "Restricted";
@@ -40,6 +43,9 @@ server {
         # enable for Authelia (requires authelia-server.conf in the server block)
         #include /config/nginx/authelia-location.conf;
 
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
         try_files $uri $uri/ /index.html /index.php$is_args$args =404;
     }
 

root/etc/cont-init.d/43-crontabs

@@ -1,10 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-# copy crontabs if needed
-if [[ ! -f /config/crontabs/root ]]; then
-    cp /etc/crontabs/root /config/crontabs/
-fi
-
-# import user crontabs
-rm /etc/crontabs/*
-cp /config/crontabs/* /etc/crontabs/

root/etc/cont-init.d/50-certbot

@@ -1,273 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-# Display variables for troubleshooting
-echo -e "Variables set:\\n\
-PUID=${PUID}\\n\
-PGID=${PGID}\\n\
-TZ=${TZ}\\n\
-URL=${URL}\\n\
-SUBDOMAINS=${SUBDOMAINS}\\n\
-EXTRA_DOMAINS=${EXTRA_DOMAINS}\\n\
-ONLY_SUBDOMAINS=${ONLY_SUBDOMAINS}\\n\
-VALIDATION=${VALIDATION}\\n\
-CERTPROVIDER=${CERTPROVIDER}\\n\
-DNSPLUGIN=${DNSPLUGIN}\\n\
-EMAIL=${EMAIL}\\n\
-STAGING=${STAGING}\\n"
-
-# Sanitize variables
-SANED_VARS=( DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER )
-for i in "${SANED_VARS[@]}"
-do
-    export echo "$i"="${!i//\"/}"
-    export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
-done
-
-# copy dns default configs
-cp -n /defaults/dns-conf/* /config/dns-conf/
-chown -R abc:abc /config/dns-conf
-
-# check to make sure DNSPLUGIN is selected if dns validation is used
-if [[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(acmedns|aliyun|azure|cloudflare|cloudxns|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|domeneshop|dynu|gandi|gehirn|google|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then
-    echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details."
-    sleep infinity
-fi
-
-# create original config file if it doesn't exist, move non-hidden legacy file to hidden
-if [ -f "/config/donoteditthisfile.conf" ]; then
-    mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
-fi
-if [ ! -f "/config/.donoteditthisfile.conf" ]; then
-    echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" > /config/.donoteditthisfile.conf
-    echo "Created .donoteditthisfile.conf"
-fi
-
-# load original config settings
-# shellcheck disable=SC1091
-. /config/.donoteditthisfile.conf
-
-# set default validation to http
-if [ -z "$VALIDATION" ]; then
-    VALIDATION="http"
-    echo "VALIDATION parameter not set; setting it to http"
-fi
-
-# if zerossl is selected or staging is set to true, use the relevant server
-if [ "$CERTPROVIDER" = "zerossl" ] && [ "$STAGING" = "true" ]; then
-    echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
-fi
-if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then
-    echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL"
-    ACMESERVER="https://acme.zerossl.com/v2/DV90"
-elif [ "$CERTPROVIDER" = "zerossl" ] && [ -z "$EMAIL" ]; then
-    echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable"
-    sleep infinity
-elif [ "$STAGING" = "true" ]; then
-    echo "NOTICE: Staging is active"
-    echo "Using Let's Encrypt as the cert provider"
-    ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
-else
-    echo "Using Let's Encrypt as the cert provider"
-    ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
-fi
-
-# figuring out url only vs url & subdomains vs subdomains only
-if [ -n "$SUBDOMAINS" ]; then
-    echo "SUBDOMAINS entered, processing"
-    if [ "$SUBDOMAINS" = "wildcard" ]; then
-        if [ "$ONLY_SUBDOMAINS" = true ]; then
-            export URL_REAL="-d *.${URL}"
-            echo "Wildcard cert for only the subdomains of $URL will be requested"
-        else
-            export URL_REAL="-d *.${URL} -d ${URL}"
-            echo "Wildcard cert for $URL will be requested"
-        fi
-    else
-        echo "SUBDOMAINS entered, processing"
-        for job in $(echo "$SUBDOMAINS" | tr "," " "); do
-            export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}"
-        done
-        if [ "$ONLY_SUBDOMAINS" = true ]; then
-            URL_REAL="$SUBDOMAINS_REAL"
-            echo "Only subdomains, no URL in cert"
-        else
-            URL_REAL="-d ${URL}${SUBDOMAINS_REAL}"
-        fi
-        echo "Sub-domains processed are: $SUBDOMAINS_REAL"
-    fi
-else
-    echo "No subdomains defined"
-    URL_REAL="-d $URL"
-fi
-
-# add extra domains
-if [ -n "$EXTRA_DOMAINS" ]; then
-    echo "EXTRA_DOMAINS entered, processing"
-    for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do
-        export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}"
-    done
-    echo "Extra domains processed are: $EXTRA_DOMAINS_REAL"
-    URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL"
-fi
-
-# figuring out whether to use e-mail and which
-if [[ $EMAIL == *@* ]]; then
-    echo "E-mail address entered: ${EMAIL}"
-    EMAILPARAM="-m ${EMAIL} --no-eff-email"
-else
-    echo "No e-mail address entered or address invalid"
-    EMAILPARAM="--register-unsafely-without-email"
-fi
-
-# update plugin names in dns conf inis
-sed -i 's|^certbot_dns_aliyun:||g' /config/dns-conf/aliyun.ini
-sed -i 's|^certbot_dns_domeneshop:||g' /config/dns-conf/domeneshop.ini
-sed -i 's|^certbot_dns_inwx:||g' /config/dns-conf/inwx.ini
-sed -i 's|^certbot_dns_transip:||g' /config/dns-conf/transip.ini
-
-# setting the validation method to use
-if [ "$VALIDATION" = "dns" ]; then
-    if [ "$DNSPLUGIN" = "route53" ]; then
-        if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-        PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}"
-    elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then
-        if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-        PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
-    elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then
-        if [ -n "$PROPAGATION" ];then echo "Gandi dns plugin does not support setting propagation time"; fi
-        PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini"
-    elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then
-        if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-        PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}"
-    elif [[ "$DNSPLUGIN" =~ ^(aliyun|desec|dnspod|domeneshop|dynu|he|hetzner|infomaniak|inwx|ionos|loopia|netcup|njalla|transip|vultr)$ ]]; then
-        if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-        PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
-    elif [[ "$DNSPLUGIN" =~ ^(standalone)$ ]]; then
-        if [ -n "$PROPAGATION" ];then echo "standalone dns plugin does not support setting propagation time"; fi
-        PREFCHAL="-a dns-${DNSPLUGIN}"
-    elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then
-        if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-        PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
-    elif [[ "$DNSPLUGIN" =~ ^(azure)$ ]]; then
-        if [ -n "$PROPAGATION" ];then echo "Azure dns plugin does not support setting propagation time"; fi
-        PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini"
-    else
-        if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-        PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
-    fi
-    echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
-elif [ "$VALIDATION" = "tls-sni" ]; then
-    PREFCHAL="--non-interactive --standalone --preferred-challenges http"
-    echo "*****tls-sni validation has been deprecated, attempting http validation instead"
-elif [ "$VALIDATION" = "duckdns" ]; then
-    PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt"
-    chmod +x /app/duckdns-txt
-    echo "duckdns validation is selected"
-    if [ "$SUBDOMAINS" = "wildcard" ]; then
-        echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
-        export URL_REAL="-d *.${URL}"
-    else
-        echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org"
-        export URL_REAL="-d ${URL}"
-    fi
-else
-    PREFCHAL="--non-interactive --standalone --preferred-challenges http"
-    echo "http validation is selected"
-fi
-
-# setting the symlink for key location
-rm -rf /config/keys/letsencrypt
-if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ] ; then
-    DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}"
-    ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt
-else
-    ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt
-fi
-rm -rf /config/keys/cert.crt
-ln -s ./letsencrypt/fullchain.pem /config/keys/cert.crt
-rm -rf /config/keys/cert.key
-ln -s ./letsencrypt/privkey.pem /config/keys/cert.key
-
-# checking for changes in cert variables, revoking certs if necessary
-if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ] || [ ! "$VALIDATION" = "$ORIGVALIDATION" ] || [ ! "$DNSPLUGIN" = "$ORIGDNSPLUGIN" ] || [ ! "$PROPAGATION" = "$ORIGPROPAGATION" ] || [ ! "$STAGING" = "$ORIGSTAGING" ] || [ ! "$DUCKDNSTOKEN" = "$ORIGDUCKDNSTOKEN" ] || [ ! "$CERTPROVIDER" = "$ORIGCERTPROVIDER" ]; then
-    echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
-    if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! "$ORIGSUBDOMAINS" = "wildcard" ]; then
-        ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
-    else
-        ORIGDOMAIN="$ORIGURL"
-    fi
-    if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then
-        REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL")
-        REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
-        REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
-        if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then
-            echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
-            sleep infinity
-        fi
-        REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}"
-    elif [ "$ORIGSTAGING" = "true" ]; then
-        REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
-    else
-        REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
-    fi
-    if [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]]; then
-        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
-    fi
-    rm -rf /config/etc/letsencrypt
-    mkdir -p /config/etc/letsencrypt
-fi
-
-# saving new variables
-echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" > /config/.donoteditthisfile.conf
-
-# alter extension for error message
-if [ "$DNSPLUGIN" = "google" ]; then
-    FILENAME="$DNSPLUGIN.json"
-else
-    FILENAME="$DNSPLUGIN.ini"
-fi
-
-# Check if the cert is using the old LE root cert, revoke and regen if necessary
-if [ -f "/config/keys/letsencrypt/chain.pem" ] && ([ "${CERTPROVIDER}" == "letsencrypt" ] || [ "${CERTPROVIDER}" == "" ]) && [ "${STAGING}" != "true" ] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
-    echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
-    REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
-    certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
-    rm -rf /config/etc/letsencrypt
-    mkdir -p /config/etc/letsencrypt
-fi
-
-# generating certs if necessary
-if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
-    if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then
-        echo "Retrieving EAB from ZeroSSL"
-        EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL")
-        ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
-        ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
-        if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then
-            echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
-            sleep infinity
-        fi
-        ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}"
-    fi
-    echo "Generating new certificate"
-    # shellcheck disable=SC2086
-    certbot certonly --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL
-    if [ -d /config/keys/letsencrypt ]; then
-        cd /config/keys/letsencrypt || exit
-    else
-        if [ "$VALIDATION" = "dns" ]; then
-            echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
-        elif [ "$VALIDATION" = "duckdns" ]; then
-            echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct."
-        else
-            echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
-        fi
-        sleep infinity
-    fi
-    openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
-    sleep 1
-    cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
-    echo "New certificate generated; starting nginx"
-else
-    echo "Certificate exists; parameters unchanged; starting nginx"
-fi

root/etc/s6-overlay/s6-rc.d/init-certbot-config/run

@@ -0,0 +1,338 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+# Display variables for troubleshooting
+echo -e "Variables set:\\n\
+PUID=${PUID}\\n\
+PGID=${PGID}\\n\
+TZ=${TZ}\\n\
+URL=${URL}\\n\
+SUBDOMAINS=${SUBDOMAINS}\\n\
+EXTRA_DOMAINS=${EXTRA_DOMAINS}\\n\
+ONLY_SUBDOMAINS=${ONLY_SUBDOMAINS}\\n\
+VALIDATION=${VALIDATION}\\n\
+CERTPROVIDER=${CERTPROVIDER}\\n\
+DNSPLUGIN=${DNSPLUGIN}\\n\
+EMAIL=${EMAIL}\\n\
+STAGING=${STAGING}\\n"
+
+# Sanitize variables
+SANED_VARS=(DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER)
+for i in "${SANED_VARS[@]}"; do
+    export echo "${i}"="${!i//\"/}"
+    export echo "${i}"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
+done
+
+# check to make sure DNSPLUGIN is selected if dns validation is used
+if [[ "${VALIDATION}" = "dns" ]] && [[ ! "${DNSPLUGIN}" =~ ^(acmedns|aliyun|azure|cloudflare|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|do|domeneshop|duckdns|dynu|gandi|gehirn|godaddy|google|google-domains|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|porkbun|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then
+    echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details."
+    sleep infinity
+fi
+
+# copy dns default configs
+cp -n /defaults/dns-conf/* /config/dns-conf/
+lsiown -R abc:abc /config/dns-conf
+
+# copy default renewal hooks
+chmod -R +x /defaults/etc/letsencrypt/renewal-hooks
+cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/
+lsiown -R abc:abc /config/etc/letsencrypt/renewal-hooks
+
+# replace nginx service location in renewal hooks
+find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|/run/service/nginx|/run/service/svc-nginx|g' {} \;
+find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|/var/run/s6/services/nginx|/run/service/svc-nginx|g' {} \;
+find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|s6-supervise nginx|s6-supervise svc-nginx|g' {} \;
+
+# create original config file if it doesn't exist, move non-hidden legacy file to hidden
+if [[ -f "/config/donoteditthisfile.conf" ]]; then
+    mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
+fi
+if [[ ! -f "/config/.donoteditthisfile.conf" ]]; then
+    echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
+    echo "Created .donoteditthisfile.conf"
+fi
+
+# load original config settings
+# shellcheck source=/dev/null
+. /config/.donoteditthisfile.conf
+
+# setting ORIGDOMAIN for use in revoke sections
+if [[ "${ORIGONLY_SUBDOMAINS}" = "true" ]] && [[ ! "${ORIGSUBDOMAINS}" = "wildcard" ]]; then
+    ORIGDOMAIN="$(echo "${ORIGSUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
+else
+    ORIGDOMAIN="${ORIGURL}"
+fi
+
+# update plugin names in dns conf inis
+sed -i 's|^certbot[-_]dns[-_]aliyun:||g' /config/dns-conf/aliyun.ini
+sed -i 's|^certbot[-_]dns[-_]cpanel:||g' /config/dns-conf/cpanel.ini
+sed -i 's|^dns[-_]cpanel[-_]|cpanel_|g' /config/dns-conf/cpanel.ini
+sed -i 's|^directadmin[-_]|dns_directadmin_|g' /config/dns-conf/directadmin.ini
+sed -i 's|^certbot[-_]dns[-_]domeneshop:||g' /config/dns-conf/domeneshop.ini
+sed -i 's|^certbot[-_]plugin[-_]gandi:dns[-_]|dns_gandi_|g' /config/dns-conf/gandi.ini
+sed -i 's|^certbot[-_]dns[-_]inwx:||g' /config/dns-conf/inwx.ini
+sed -i 's|^certbot[-_]dns[-_]transip:||g' /config/dns-conf/transip.ini
+
+# update plugin names in renewal conf
+if [[ -f "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf" ]] && [[ "${ORIGVALIDATION}" = "dns" ]]; then
+    if [[ "${ORIGDNSPLUGIN}" =~ ^(aliyun)$ ]]; then
+        sed -i 's|^authenticator = certbot[-_]dns[-_]aliyun:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+        sed -i 's|^certbot[-_]dns[-_]aliyun:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+    fi
+    if [[ "${ORIGDNSPLUGIN}" =~ ^(cpanel)$ ]]; then
+        sed -i 's|^authenticator = certbot[-_]dns[-_]cpanel:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+        sed -i 's|^certbot[-_]dns[-_]cpanel:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+        sed -i 's|^authenticator = dns[-_]cpanel|authenticator = cpanel|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+        sed -i 's|^dns[-_]cpanel[-_]|cpanel_|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+    fi
+    if [[ "${ORIGDNSPLUGIN}" =~ ^(directadmin)$ ]]; then
+        sed -i 's|^authenticator = directadmin|authenticator = dns-directadmin|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+        sed -i 's|^directadmin[-_]|dns_directadmin_|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+    fi
+    if [[ "${ORIGDNSPLUGIN}" =~ ^(domeneshop)$ ]]; then
+        sed -i 's|^authenticator = certbot[-_]dns[-_]domeneshop:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+        sed -i 's|^certbot[-_]dns[-_]domeneshop:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+    fi
+    if [[ "${ORIGDNSPLUGIN}" =~ ^(gandi)$ ]]; then
+        sed -i 's|^authenticator = certbot[-_]plugin[-_]gandi:dns|authenticator = dns-gandi|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+        sed -i 's|^certbot[-_]plugin[-_]gandi:dns[-_]|dns_gandi_|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+    fi
+    if [[ "${ORIGDNSPLUGIN}" =~ ^(inwx)$ ]]; then
+        sed -i 's|^authenticator = certbot[-_]dns[-_]inwx:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+        sed -i 's|^certbot[-_]dns[-_]inwx:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+    fi
+    if [[ "${ORIGDNSPLUGIN}" =~ ^(transip)$ ]]; then
+        sed -i 's|^authenticator = certbot[-_]dns[-_]transip:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+        sed -i 's|^certbot[-_]dns[-_]transip:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
+    fi
+fi
+
+# set default validation to http
+if [[ -z "${VALIDATION}" ]]; then
+    VALIDATION="http"
+    echo "VALIDATION parameter not set; setting it to http"
+fi
+
+# set duckdns validation to dns
+if [[ "${VALIDATION}" = "duckdns" ]]; then
+    VALIDATION="dns"
+    DNSPLUGIN="duckdns"
+    if [[ -n "${DUCKDNSTOKEN}" ]] && ! grep -q "dns_duckdns_token=${DUCKDNSTOKEN}$" /config/dns-conf/duckdns.ini; then
+        sed -i "s|^dns_duckdns_token=.*|dns_duckdns_token=${DUCKDNSTOKEN}|g" /config/dns-conf/duckdns.ini
+    fi
+fi
+if [[ "${VALIDATION}" = "dns" ]] && [[ "${DNSPLUGIN}" = "duckdns" ]]; then
+    if [[ "${SUBDOMAINS}" = "wildcard" ]]; then
+        echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
+        export ONLY_SUBDOMAINS=true
+    else
+        echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org"
+        export SUBDOMAINS=""
+    fi
+    export EXTRA_DOMAINS=""
+fi
+
+# setting the symlink for key location
+rm -rf /config/keys/letsencrypt
+if [[ "${ONLY_SUBDOMAINS}" = "true" ]] && [[ ! "${SUBDOMAINS}" = "wildcard" ]]; then
+    DOMAIN="$(echo "${SUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${URL}"
+    ln -s ../etc/letsencrypt/live/"${DOMAIN}" /config/keys/letsencrypt
+else
+    ln -s ../etc/letsencrypt/live/"${URL}" /config/keys/letsencrypt
+fi
+
+# cleanup unused csr and keys folders
+rm -rf /etc/letsencrypt/csr
+rm -rf /etc/letsencrypt/keys
+
+# checking for changes in cert variables, revoking certs if necessary
+if [[ ! "${URL}" = "${ORIGURL}" ]] ||
+    [[ ! "${SUBDOMAINS}" = "${ORIGSUBDOMAINS}" ]] ||
+    [[ ! "${ONLY_SUBDOMAINS}" = "${ORIGONLY_SUBDOMAINS}" ]] ||
+    [[ ! "${EXTRA_DOMAINS}" = "${ORIGEXTRA_DOMAINS}" ]] ||
+    [[ ! "${VALIDATION}" = "${ORIGVALIDATION}" ]] ||
+    [[ ! "${DNSPLUGIN}" = "${ORIGDNSPLUGIN}" ]] ||
+    [[ ! "${PROPAGATION}" = "${ORIGPROPAGATION}" ]] ||
+    [[ ! "${STAGING}" = "${ORIGSTAGING}" ]] ||
+    [[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]]; then
+    echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
+    if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]] && [[ -n "${ORIGEMAIL}" ]]; then
+        REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${ORIGEMAIL}")
+        REV_ZEROSSL_EAB_KID=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
+        REV_ZEROSSL_EAB_HMAC_KEY=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
+        if [[ -z "${REV_ZEROSSL_EAB_KID}" ]] || [[ -z "${REV_ZEROSSL_EAB_HMAC_KEY}" ]]; then
+            echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
+            sleep infinity
+        fi
+        REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}"
+    elif [[ "${ORIGSTAGING}" = "true" ]]; then
+        REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
+    else
+        REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
+    fi
+    if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
+        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER} || true
+    fi
+    rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
+fi
+
+# saving new variables
+echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
+
+# Check if the cert is using the old LE root cert, revoke and regen if necessary
+if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "letsencrypt" ]] || [[ "${CERTPROVIDER}" == "" ]]; } && [[ "${STAGING}" != "true" ]] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
+    echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
+    REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
+    if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
+        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER} || true
+    fi
+    rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
+fi
+
+# if zerossl is selected or staging is set to true, use the relevant server
+if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ "${STAGING}" = "true" ]]; then
+    echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
+fi
+if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then
+    echo "ZeroSSL is selected as the cert provider, registering cert with ${EMAIL}"
+    ACMESERVER="https://acme.zerossl.com/v2/DV90"
+elif [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -z "${EMAIL}" ]]; then
+    echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable"
+    sleep infinity
+elif [[ "${STAGING}" = "true" ]]; then
+    echo "NOTICE: Staging is active"
+    echo "Using Let's Encrypt as the cert provider"
+    ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
+else
+    echo "Using Let's Encrypt as the cert provider"
+    ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
+fi
+
+# figuring out url only vs url & subdomains vs subdomains only
+if [[ -n "${SUBDOMAINS}" ]]; then
+    echo "SUBDOMAINS entered, processing"
+    if [[ "${SUBDOMAINS}" = "wildcard" ]]; then
+        if [[ "${ONLY_SUBDOMAINS}" = true ]]; then
+            export URL_REAL="-d *.${URL}"
+            echo "Wildcard cert for only the subdomains of ${URL} will be requested"
+        else
+            export URL_REAL="-d *.${URL} -d ${URL}"
+            echo "Wildcard cert for ${URL} will be requested"
+        fi
+    else
+        echo "SUBDOMAINS entered, processing"
+        for job in $(echo "${SUBDOMAINS}" | tr "," " "); do
+            export SUBDOMAINS_REAL="${SUBDOMAINS_REAL} -d ${job}.${URL}"
+        done
+        if [[ "${ONLY_SUBDOMAINS}" = true ]]; then
+            URL_REAL="${SUBDOMAINS_REAL}"
+            echo "Only subdomains, no URL in cert"
+        else
+            URL_REAL="-d ${URL}${SUBDOMAINS_REAL}"
+        fi
+        echo "Sub-domains processed are: ${SUBDOMAINS_REAL}"
+    fi
+else
+    echo "No subdomains defined"
+    URL_REAL="-d ${URL}"
+fi
+
+# add extra domains
+if [[ -n "${EXTRA_DOMAINS}" ]]; then
+    echo "EXTRA_DOMAINS entered, processing"
+    for job in $(echo "${EXTRA_DOMAINS}" | tr "," " "); do
+        export EXTRA_DOMAINS_REAL="${EXTRA_DOMAINS_REAL} -d ${job}"
+    done
+    echo "Extra domains processed are: ${EXTRA_DOMAINS_REAL}"
+    URL_REAL="${URL_REAL} ${EXTRA_DOMAINS_REAL}"
+fi
+
+# figuring out whether to use e-mail and which
+if [[ ${EMAIL} == *@* ]]; then
+    echo "E-mail address entered: ${EMAIL}"
+    EMAILPARAM="-m ${EMAIL} --no-eff-email"
+else
+    echo "No e-mail address entered or address invalid"
+    EMAILPARAM="--register-unsafely-without-email"
+fi
+
+# alter extension for error message
+if [[ "${DNSPLUGIN}" = "google" ]]; then
+    DNSCREDENTIALFILE="/config/dns-conf/${DNSPLUGIN}.json"
+else
+    DNSCREDENTIALFILE="/config/dns-conf/${DNSPLUGIN}.ini"
+fi
+
+# setting the validation method to use
+if [[ "${VALIDATION}" = "dns" ]]; then
+    AUTHENTICATORPARAM="--authenticator dns-${DNSPLUGIN}"
+    DNSCREDENTIALSPARAM="--dns-${DNSPLUGIN}-credentials ${DNSCREDENTIALFILE}"
+    if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+
+    # plugins that don't support setting credentials file
+    if [[ "${DNSPLUGIN}" =~ ^(route53|standalone)$ ]]; then
+        DNSCREDENTIALSPARAM=""
+    fi
+    # plugins that don't support setting propagation
+    if [[ "${DNSPLUGIN}" =~ ^(azure|gandi|route53|standalone)$ ]]; then
+        if [[ -n "${PROPAGATION}" ]]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi
+        PROPAGATIONPARAM=""
+    fi
+    # plugins that use old parameter naming convention
+    if [[ "${DNSPLUGIN}" =~ ^(cpanel)$ ]]; then
+        AUTHENTICATORPARAM="--authenticator ${DNSPLUGIN}"
+        DNSCREDENTIALSPARAM="--${DNSPLUGIN}-credentials ${DNSCREDENTIALFILE}"
+        if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+    fi
+    # don't restore txt records when using DuckDNS plugin
+    if [[ "${DNSPLUGIN}" =~ ^(duckdns)$ ]]; then
+        AUTHENTICATORPARAM="${AUTHENTICATORPARAM} --dns-${DNSPLUGIN}-no-txt-restore"
+    fi
+
+    PREFCHAL="${AUTHENTICATORPARAM} ${DNSCREDENTIALSPARAM} ${PROPAGATIONPARAM}"
+    echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
+elif [[ "${VALIDATION}" = "tls-sni" ]]; then
+    PREFCHAL="--standalone --preferred-challenges http"
+    echo "*****tls-sni validation has been deprecated, attempting http validation instead"
+else
+    PREFCHAL="--standalone --preferred-challenges http"
+    echo "http validation is selected"
+fi
+
+# generating certs if necessary
+if [[ ! -f "/config/keys/letsencrypt/fullchain.pem" ]]; then
+    if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then
+        echo "Retrieving EAB from ZeroSSL"
+        EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${EMAIL}")
+        ZEROSSL_EAB_KID=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
+        ZEROSSL_EAB_HMAC_KEY=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
+        if [[ -z "${ZEROSSL_EAB_KID}" ]] || [[ -z "${ZEROSSL_EAB_HMAC_KEY}" ]]; then
+            echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
+            sleep infinity
+        fi
+        ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}"
+    fi
+    echo "Generating new certificate"
+    # shellcheck disable=SC2086
+    certbot certonly --non-interactive --renew-by-default --server ${ACMESERVER} ${ZEROSSL_EAB} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${URL_REAL}
+    if [[ ! -d /config/keys/letsencrypt ]]; then
+        if [[ "${VALIDATION}" = "dns" ]]; then
+            echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the ${DNSCREDENTIALFILE} file."
+        else
+            echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
+        fi
+        sleep infinity
+    fi
+    run-parts /config/etc/letsencrypt/renewal-hooks/deploy/
+    echo "New certificate generated; starting nginx"
+else
+    echo "Certificate exists; parameters unchanged; starting nginx"
+fi
+
+# if certbot generated key exists, remove self-signed cert and replace it with symlink to live cert
+if [[ -d /config/keys/letsencrypt ]]; then
+    rm -rf /config/keys/cert.crt
+    ln -s ./letsencrypt/fullchain.pem /config/keys/cert.crt
+    rm -rf /config/keys/cert.key
+    ln -s ./letsencrypt/privkey.pem /config/keys/cert.key
+fi

root/etc/s6-overlay/s6-rc.d/init-certbot-config/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-certbot-config/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-certbot-config/run

root/etc/s6-overlay/s6-rc.d/init-crontabs-config/run

@@ -0,0 +1,38 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+# make folders
+mkdir -p \
+    /config/crontabs
+
+## root
+# if crontabs do not exist in config
+if [[ ! -f /config/crontabs/root ]]; then
+    # copy crontab from system
+    if crontab -l -u root; then
+        crontab -l -u root >/config/crontabs/root
+    fi
+
+    # if crontabs still do not exist in config (were not copied from system)
+    # copy crontab from included defaults (using -n, do not overwrite an existing file)
+    cp -n /etc/crontabs/root /config/crontabs/
+fi
+# set permissions and import user crontabs
+lsiown root:root /config/crontabs/root
+crontab -u root /config/crontabs/root
+
+## abc
+# if crontabs do not exist in config
+if [[ ! -f /config/crontabs/abc ]]; then
+    # copy crontab from system
+    if crontab -l -u abc; then
+        crontab -l -u abc >/config/crontabs/abc
+    fi
+
+    # if crontabs still do not exist in config (were not copied from system)
+    # copy crontab from included defaults (using -n, do not overwrite an existing file)
+    cp -n /etc/crontabs/abc /config/crontabs/
+fi
+# set permissions and import user crontabs
+lsiown abc:abc /config/crontabs/abc
+crontab -u abc /config/crontabs/abc

root/etc/s6-overlay/s6-rc.d/init-crontabs-config/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-crontabs-config/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-crontabs-config/run

root/etc/s6-overlay/s6-rc.d/init-fail2ban-config/run

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # copy/update the fail2ban config defaults to/in /config
 cp -R /defaults/fail2ban/filter.d /config/fail2ban/

root/etc/s6-overlay/s6-rc.d/init-fail2ban-config/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-fail2ban-config/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-fail2ban-config/run

root/etc/s6-overlay/s6-rc.d/init-folders-config/run

@@ -1,11 +1,12 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # make our folders and links
 mkdir -p \
     /config/{fail2ban,crontabs,dns-conf} \
-    /config/etc/letsencrypt \
+    /config/etc/letsencrypt/renewal-hooks \
     /config/log/{fail2ban,letsencrypt,nginx} \
     /config/nginx/proxy-confs \
-    /var/run/fail2ban
+    /run/fail2ban
 rm -rf /etc/letsencrypt
 ln -s /config/etc/letsencrypt /etc/letsencrypt

root/etc/s6-overlay/s6-rc.d/init-folders-config/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-folders-config/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-folders-config/run

root/etc/s6-overlay/s6-rc.d/init-nginx-config/run

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # copy default config files if they don't exist
 if [[ ! -f /config/nginx/proxy.conf ]]; then
@@ -13,6 +14,14 @@ if [[ ! -f /config/nginx/authelia-server.conf ]]; then
     cp /defaults/nginx/authelia-server.conf.sample /config/nginx/authelia-server.conf
 fi
 
+# copy authentik config files if they don't exist
+if [[ ! -f /config/nginx/authentik-location.conf ]]; then
+    cp /defaults/nginx/authentik-location.conf.sample /config/nginx/authentik-location.conf
+fi
+if [[ ! -f /config/nginx/authentik-server.conf ]]; then
+    cp /defaults/nginx/authentik-server.conf.sample /config/nginx/authentik-server.conf
+fi
+
 # copy old ldap config file to new location
 if [[ -f /config/nginx/ldap.conf ]] && [[ ! -f /config/nginx/ldap-server.conf ]]; then
     cp /config/nginx/ldap.conf /config/nginx/ldap-server.conf

root/etc/s6-overlay/s6-rc.d/init-nginx-config/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-nginx-config/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-nginx-config/run

root/etc/s6-overlay/s6-rc.d/init-outdated-config/run

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 if [[ -f /config/nginx/geoip2.conf ]]; then
     echo "/config/nginx/geoip2.conf exists.

root/etc/s6-overlay/s6-rc.d/init-outdated-config/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-outdated-config/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-outdated-config/run

root/etc/s6-overlay/s6-rc.d/init-permissions-config/run

@@ -1,7 +1,8 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # permissions
-chown -R abc:abc \
+lsiown -R abc:abc \
     /config
 chmod -R 0644 /etc/logrotate.d
 chmod -R +r /config/log

root/etc/s6-overlay/s6-rc.d/init-permissions-config/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-permissions-config/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-permissions-config/run

root/etc/s6-overlay/s6-rc.d/init-renew/run

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # Check if the cert is expired or expires within a day, if so, renew
 if openssl x509 -in /config/keys/letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then

root/etc/s6-overlay/s6-rc.d/init-renew/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-renew/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-renew/run

root/etc/s6-overlay/s6-rc.d/init-require-url/run

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # check to make sure that the required variables are set
 if [[ -z "${URL}" ]]; then

root/etc/s6-overlay/s6-rc.d/init-require-url/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-require-url/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-require-url/run

root/etc/s6-overlay/s6-rc.d/init-samples-config/run

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # samples are removed on init by the nginx base
 

root/etc/s6-overlay/s6-rc.d/init-samples-config/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-samples-config/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-samples-config/run

root/etc/s6-overlay/s6-rc.d/init-test-run/run

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # Echo init finish for test runs
 if [[ -n "${TEST_RUN}" ]]; then

root/etc/s6-overlay/s6-rc.d/init-test-run/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-test-run/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-test-run/run

root/etc/s6-overlay/s6-rc.d/svc-fail2ban/run

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 exec \
     fail2ban-client -x -f start

root/etc/s6-overlay/s6-rc.d/svc-fail2ban/type

@@ -0,0 +1 @@
+longrun