defaultear a los parametros actualizados

así no depende de tener parametros seteados externamente

.woodpecker.yml

@@ -1,4 +1,4 @@
-steps:
+pipeline:
   publish:
     image: "docker.io/woodpeckerci/plugin-docker-buildx"
     settings:
@@ -11,17 +11,15 @@ steps:
       build_args:
       - "ALPINE_VERSION=${ALPINE_VERSION}"
       - "ACCESS_LOG_VERSION=${ACCESS_LOG_VERSION}"
-      - "NGINX_VERSION=${NGINX_VERSION}"
       - "BASE_IMAGE=gitea.nulo.in/sutty/monit"
-      - "EXTRA_PACKAGES=${EXTRA_PACKAGES}"
-      password:
-        from_secret: "DOCKER_PASSWORD"
+    secrets:
+    - "DOCKER_PASSWORD"
     when:
       branch: "antifascista"
       event: "push"
 matrix:
-  include:
-  - ALPINE_VERSION: "3.20.3"
-    ACCESS_LOG_VERSION: "0.5.9"
-    NGINX_VERSION: "1.26.2-r0"
-    EXTRA_PACKAGES: "nginx-mod-http-modsecurity coreruleset"
+  ALPINE_VERSION:
+  - "3.18.3"
+  - "3.17.5"
+  ACCESS_LOG_VERSION:
+  - "0.5.5"

Dockerfile

@@ -1,17 +1,15 @@
 ARG ALPINE_VERSION=3.18.3
 ARG BASE_IMAGE=gitea.nulo.in/sutty/monit
 FROM ${BASE_IMAGE}:${ALPINE_VERSION}
-LABEL org.opencontainers.image.authors="f@sutty.nl"
+MAINTAINER "f <f@sutty.nl>"
 
-ARG NGINX_VERSION="1.24.0-r7"
 ARG ACCESS_LOGS_FLAGS="--database=sqlite3:///var/log/access_log.sqlite3 -c /usr/share/crawler-user-agents/crawler-user-agents.json"
-ARG ACCESS_LOG_VERSION="0.5.6"
-ARG EXTRA_PACKAGES
+ARG ACCESS_LOG_VERSION="0.5.5"
 
 ENV ACCESS_LOGS_FLAGS=${ACCESS_LOGS_FLAGS}
 
 # Install nginx and remove default config
-RUN apk add --no-cache nginx~${NGINX_VERSION} daemonize access_log~${ACCESS_LOG_VERSION} nginx-prometheus-exporter geoip2-database-country geoip2-database-city crawler-user-agents \
+RUN apk add --no-cache nginx daemonize access_log~${ACCESS_LOG_VERSION} nginx-prometheus-exporter geoip2-database-country geoip2-database-city crawler-user-agents \
     && rm -rf /etc/nginx
 
 # Add ssl group so nginx has access to certificates
@@ -21,14 +19,15 @@ RUN addgroup nginx ssl
 COPY ./monit.conf /etc/monit.d/nginx.conf
 COPY ./prometheusd.sh /usr/local/bin/prometheusd
 COPY ./access_logd.sh /usr/bin/access_logd
-COPY --chown=nginx:nginx ./nginx /etc/nginx
+COPY ./nginx /etc/nginx
 COPY ./access_log.sqlite3 /var/lib/access_log.sqlite3
 
 # Install modules after rewriting /etc/nginx
-RUN apk add --no-cache nginx-mod-http-brotli nginx-mod-http-geoip2 ${EXTRA_PACKAGES}
+RUN apk add --no-cache nginx-mod-http-brotli nginx-mod-http-geoip2
 
 # Add support for request_uri parsing if access_log >= 0.3.0
 RUN mv /etc/nginx/access_logd_`access_log -v`.conf /etc/nginx/access_logd.conf
+RUN chown -R nginx:nginx /etc/nginx
 RUN nginx -t
 
 RUN chown nginx:nginx /var/lib/access_log.sqlite3
@@ -37,7 +36,6 @@ RUN chown nginx:nginx /var/lib/access_log.sqlite3
 VOLUME /etc/nginx/sites
 VOLUME /etc/letsencrypt
 VOLUME /var/lib/letsencrypt
-VOLUME /var/log
 
 EXPOSE 80
 EXPOSE 443

access_logd.sh

@@ -10,8 +10,6 @@ pid=/run/access_logd.pid
 
 case $1 in
   start)
-    test -f $pid && exit 0
-
     # Copy default database
     install -m 640 -o nobody /var/lib/access_log.sqlite3 /var/log/access_log.sqlite3
 
@@ -19,7 +17,7 @@ case $1 in
     rm -f /tmp/access_log.socket
 
     # Read from fifo and load into database
-    daemonize -p $pid -u nginx /usr/local/bin/syslogize /usr/bin/access_log $ACCESS_LOGS_FLAGS
+    daemonize -p /run/access_logd.pid -u nginx /usr/local/bin/syslogize /usr/bin/access_log $ACCESS_LOGS_FLAGS
   ;;
   stop)
     test -f $pid || exit 0

nginx/access_logd_0.5.6.conf

@@ -1,3 +0,0 @@
-log_format access_logd escape=json '{"host":"$host","msec":$msec,"server_protocol":"$server_protocol","request_method":"$request_method","request_completion":"$request_completion","uri":"$uri","query_string":"$query_string","status":$status,"sent_http_content_type":"$sent_http_content_type","sent_http_content_encoding":"$sent_http_content_encoding","sent_http_etag":"$sent_http_etag","sent_http_last_modified":"$sent_http_last_modified","http_accept":"$http_accept","http_accept_encoding":"$http_accept_encoding","http_accept_language":"$http_accept_language","http_pragma":"$http_pragma","http_cache_control":"$http_cache_control","http_if_none_match":"$http_if_none_match","http_dnt":"$http_dnt","http_user_agent":"$http_user_agent","http_origin":"$http_origin","http_referer":{"origin":"$http_origin","referrer":"$http_referer","policy":"origin-when-cross-origin"},"request_time":$request_time,"bytes_sent":$bytes_sent,"body_bytes_sent":$body_bytes_sent,"request_length":$request_length,"http_connection":"$http_connection","pipe":"$pipe","connection_requests":$connection_requests,"geoip2_data_country_name":"$geoip2_data_country_name","geoip2_data_country_iso_code":"$geoip2_data_country_iso_code","geoip2_data_city_name":"$geoip2_data_city_name","ssl_server_name":"$ssl_server_name","ssl_protocol":"$ssl_protocol","ssl_early_data":"$ssl_early_data","ssl_session_reused":"$ssl_session_reused","ssl_curves":"$ssl_curves","ssl_ciphers":"$ssl_ciphers","ssl_cipher":"$ssl_cipher","sent_http_x_xss_protection":"$sent_http_x_xss_protection","sent_http_x_frame_options":"$sent_http_x_frame_options","sent_http_x_content_type_options":"$sent_http_x_content_type_options","sent_http_strict_transport_security":"$sent_http_strict_transport_security","nginx_version":"$nginx_version","pid":"$pid","remote_user":"$remote_user","request_uri":"$request_uri"}';
-
-access_log syslog:server=unix:/tmp/access_log.socket,nohostname access_logd;

nginx/access_logd_0.5.7.conf

@@ -1,3 +0,0 @@
-log_format access_logd escape=json '{"host":"$host","msec":$msec,"server_protocol":"$server_protocol","request_method":"$request_method","request_completion":"$request_completion","uri":"$uri","query_string":"$query_string","status":$status,"sent_http_content_type":"$sent_http_content_type","sent_http_content_encoding":"$sent_http_content_encoding","sent_http_etag":"$sent_http_etag","sent_http_last_modified":"$sent_http_last_modified","http_accept":"$http_accept","http_accept_encoding":"$http_accept_encoding","http_accept_language":"$http_accept_language","http_pragma":"$http_pragma","http_cache_control":"$http_cache_control","http_if_none_match":"$http_if_none_match","http_dnt":"$http_dnt","http_user_agent":"$http_user_agent","http_origin":"$http_origin","http_referer":{"origin":"$http_origin","referrer":"$http_referer","policy":"origin-when-cross-origin"},"request_time":$request_time,"bytes_sent":$bytes_sent,"body_bytes_sent":$body_bytes_sent,"request_length":$request_length,"http_connection":"$http_connection","pipe":"$pipe","connection_requests":$connection_requests,"geoip2_data_country_name":"$geoip2_data_country_name","geoip2_data_country_iso_code":"$geoip2_data_country_iso_code","geoip2_data_city_name":"$geoip2_data_city_name","ssl_server_name":"$ssl_server_name","ssl_protocol":"$ssl_protocol","ssl_early_data":"$ssl_early_data","ssl_session_reused":"$ssl_session_reused","ssl_curves":"$ssl_curves","ssl_ciphers":"$ssl_ciphers","ssl_cipher":"$ssl_cipher","sent_http_x_xss_protection":"$sent_http_x_xss_protection","sent_http_x_frame_options":"$sent_http_x_frame_options","sent_http_x_content_type_options":"$sent_http_x_content_type_options","sent_http_strict_transport_security":"$sent_http_strict_transport_security","nginx_version":"$nginx_version","pid":"$pid","remote_user":"$remote_user","request_uri":"$request_uri"}';
-
-access_log syslog:server=unix:/tmp/access_log.socket,nohostname access_logd;

nginx/access_logd_0.5.8.conf

@@ -1,3 +0,0 @@
-log_format access_logd escape=json '{"host":"$host","msec":$msec,"server_protocol":"$server_protocol","request_method":"$request_method","request_completion":"$request_completion","uri":"$uri","query_string":"$query_string","status":$status,"sent_http_content_type":"$sent_http_content_type","sent_http_content_encoding":"$sent_http_content_encoding","sent_http_etag":"$sent_http_etag","sent_http_last_modified":"$sent_http_last_modified","http_accept":"$http_accept","http_accept_encoding":"$http_accept_encoding","http_accept_language":"$http_accept_language","http_pragma":"$http_pragma","http_cache_control":"$http_cache_control","http_if_none_match":"$http_if_none_match","http_dnt":"$http_dnt","http_user_agent":"$http_user_agent","http_origin":"$http_origin","http_referer":{"origin":"$http_origin","referrer":"$http_referer","policy":"origin-when-cross-origin"},"request_time":$request_time,"bytes_sent":$bytes_sent,"body_bytes_sent":$body_bytes_sent,"request_length":$request_length,"http_connection":"$http_connection","pipe":"$pipe","connection_requests":$connection_requests,"geoip2_data_country_name":"$geoip2_data_country_name","geoip2_data_country_iso_code":"$geoip2_data_country_iso_code","geoip2_data_city_name":"$geoip2_data_city_name","ssl_server_name":"$ssl_server_name","ssl_protocol":"$ssl_protocol","ssl_early_data":"$ssl_early_data","ssl_session_reused":"$ssl_session_reused","ssl_curves":"$ssl_curves","ssl_ciphers":"$ssl_ciphers","ssl_cipher":"$ssl_cipher","sent_http_x_xss_protection":"$sent_http_x_xss_protection","sent_http_x_frame_options":"$sent_http_x_frame_options","sent_http_x_content_type_options":"$sent_http_x_content_type_options","sent_http_strict_transport_security":"$sent_http_strict_transport_security","nginx_version":"$nginx_version","pid":"$pid","remote_user":"$remote_user","request_uri":"$request_uri"}';
-
-access_log syslog:server=unix:/tmp/access_log.socket,nohostname access_logd;

nginx/nginx.conf

@@ -39,7 +39,6 @@ http {
   geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
     $geoip2_data_country_name country names en;
     $geoip2_data_country_iso_code country iso_code;
-    $geoip2_data_continent_code country continent_code;
   }
 
   geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {

nginx/snippets/modsecurity.conf

@@ -1,30 +0,0 @@
-modsecurity on;
-modsecurity_rules 'SecRuleEngine On';
-modsecurity_rules 'SecAuditLogFormat JSON';
-modsecurity_rules_file /etc/modsecurity/modsecurity.conf;
-modsecurity_rules_file /etc/crs4/crs-setup.conf;
-modsecurity_rules_file /etc/crs4/rules/REQUEST-901-INITIALIZATION.conf;
-modsecurity_rules_file /etc/crs4/rules/REQUEST-905-COMMON-EXCEPTIONS.conf;
-modsecurity_rules_file /etc/crs4/rules/REQUEST-911-METHOD-ENFORCEMENT.conf;
-modsecurity_rules_file /etc/crs4/rules/REQUEST-913-SCANNER-DETECTION.conf;
-modsecurity_rules_file /etc/crs4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf;
-modsecurity_rules_file /etc/crs4/rules/REQUEST-921-PROTOCOL-ATTACK.conf;
-modsecurity_rules_file /etc/crs4/rules/REQUEST-922-MULTIPART-ATTACK.conf;
-modsecurity_rules_file /etc/crs4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf;
-modsecurity_rules_file /etc/crs4/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf;
-modsecurity_rules_file /etc/crs4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf;
-modsecurity_rules_file /etc/crs4/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf;
-modsecurity_rules_file /etc/crs4/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf;
-modsecurity_rules_file /etc/crs4/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf;
-modsecurity_rules_file /etc/crs4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf;
-modsecurity_rules_file /etc/crs4/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf;
-modsecurity_rules_file /etc/crs4/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf;
-modsecurity_rules_file /etc/crs4/rules/REQUEST-949-BLOCKING-EVALUATION.conf;
-modsecurity_rules_file /etc/crs4/rules/RESPONSE-950-DATA-LEAKAGES.conf;
-modsecurity_rules_file /etc/crs4/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf;
-modsecurity_rules_file /etc/crs4/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf;
-modsecurity_rules_file /etc/crs4/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf;
-modsecurity_rules_file /etc/crs4/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf;
-modsecurity_rules_file /etc/crs4/rules/RESPONSE-955-WEB-SHELLS.conf;
-modsecurity_rules_file /etc/crs4/rules/RESPONSE-959-BLOCKING-EVALUATION.conf;
-modsecurity_rules_file /etc/crs4/rules/RESPONSE-980-CORRELATION.conf;