From 062e13bda0362eee1fc69f5e6deb9e4eaedc22d7 Mon Sep 17 00:00:00 2001
From: f
Date: Tue, 5 Nov 2024 11:21:04 -0300
Subject: [PATCH] feat: modsecurity
---
 .woodpecker.yml | 2 ++
 Dockerfile | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/.woodpecker.yml b/.woodpecker.yml
index 877b449..f9e06ea 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -13,6 +13,7 @@ steps:
 - "ACCESS_LOG_VERSION=${ACCESS_LOG_VERSION}"
 - "NGINX_VERSION=${NGINX_VERSION}"
 - "BASE_IMAGE=gitea.nulo.in/sutty/monit"
+ - "EXTRA_PACKAGES="
 password:
 from_secret: "DOCKER_PASSWORD"
 when:
@@ -23,6 +24,7 @@ matrix:
 - ALPINE_VERSION: "3.20.3"
 ACCESS_LOG_VERSION: "0.5.8"
 NGINX_VERSION: "1.26.2-r0"
+ EXTRA_PACKAGES: "nginx-mod-http-modsecurity coreruleset"
 - ALPINE_VERSION: "3.19.4"
 ACCESS_LOG_VERSION: "0.5.8"
 NGINX_VERSION: "1.24.0-r16"
diff --git a/Dockerfile b/Dockerfile
index 6e56160..c934e24 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,6 +6,7 @@ LABEL org.opencontainers.image.authors="f@sutty.nl"
 ARG NGINX_VERSION="1.24.0-r7"
 ARG ACCESS_LOGS_FLAGS="--database=sqlite3:///var/log/access_log.sqlite3 -c /usr/share/crawler-user-agents/crawler-user-agents.json"
 ARG ACCESS_LOG_VERSION="0.5.6"
+ARG EXTRA_PACKAGES
 ENV ACCESS_LOGS_FLAGS=${ACCESS_LOGS_FLAGS}
@@ -24,7 +25,7 @@ COPY --chown=nginx:nginx ./nginx /etc/nginx
 COPY ./access_log.sqlite3 /var/lib/access_log.sqlite3
 # Install modules after rewriting /etc/nginx
-RUN apk add --no-cache nginx-mod-http-brotli nginx-mod-http-geoip2 nginx-mod-http-naxsi
+RUN apk add --no-cache nginx-mod-http-brotli nginx-mod-http-geoip2 ${EXTRA_PACKAGES}
 # Add support for request_uri parsing if access_log >= 0.3.0
 RUN mv /etc/nginx/access_logd_`access_log -v`.conf /etc/nginx/access_logd.conf
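Review bot: The build argument added in the first `.woodpecker.yml` hunk is the literal `"EXTRA_PACKAGES="`, so the matrix value `EXTRA_PACKAGES: "nginx-mod-http-modsecurity coreruleset"` does not appear to reach the Docker build, unlike the neighbouring entries that interpolate `${ACCESS_LOG_VERSION}` and `${NGINX_VERSION}`. Because the Dockerfile in this same commit stops installing `nginx-mod-http-naxsi`, an empty argument would leave every image in the matrix without a WAF module. If the intent is to forward the matrix value, the line should read `- "EXTRA_PACKAGES=${EXTRA_PACKAGES}"`. The step definition starts and ends outside the hunk, so how the plugin treats an empty value cannot be confirmed from here.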
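Review bot: The `RUN apk add` line in the second Dockerfile hunk removes `nginx-mod-http-naxsi` unconditionally, while its replacement is installed only when `EXTRA_PACKAGES` is non-empty. The `3.19.4` matrix entry in `.woodpecker.yml` sets no such value, so that image is built with no WAF module at all. Installing `nginx-mod-http-modsecurity` and `coreruleset` also does not by itself turn request inspection on. The commit touches only these two files, so it is not visible here whether the copied `./nginx` configuration enables ModSecurity or still carries naxsi directives that would no longer load. If the configuration can be tested at build time, add `RUN nginx -t` after the module install so a stale or broken configuration fails the build, and document the argument at its declaration with `# Space-separated apk packages (e.g. WAF modules); empty installs none` above `ARG EXTRA_PACKAGES=""`.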