diff --git a/.drone.star b/.drone.star deleted file mode 100644 index 03e52a6..0000000 --- a/.drone.star +++ /dev/null @@ -1,52 +0,0 @@ -def main(ctx): - out = [] - out += pipeline("5.2.2", "https://d.barracudanetworks.com/VPN/Linux/VPNClient_5.2.2_Linux.tar.gz", "barracudavpn_5.2.2_amd64.deb", True ) - out += pipeline("5.1.4", "https://d.barracudanetworks.com/VPN/Linux/VPNClient_5.1.4_Linux.tar.gz", "barracudavpn_5.1.4_amd64.deb" ) - out += pipeline("5.0.2.7", "https://d.barracudanetworks.com/VPN/Linux/VPNClient_5.0.2.7_Linux.tar.gz", "barracudavpn_5.0.2.7_amd64.deb" ) - return out - -def pipeline(tag, url, debname, latest=False): - out = [{ - "kind": "pipeline", - "type": "docker", - "name": "barracudavpn-%s" % (tag), - "platform": { - "arch": "amd64", - "os": "linux", - }, - "steps": [{ - "name": "build_on_push", - "image": "plugins/docker:linux-amd64", - "settings": { - "context": "src", - "dockerfile": "src/Dockerfile", - "build_args": [ - "URL=" + url, - "DEBNAME=" + debname - ], - "username": { - "from_secret": "docker_username", - }, - "password": { - "from_secret": "docker_password", - }, - "registry": "docker.asperti.com", - "repo": "docker.asperti.com/paspo/barracudavpn", - "tags": [ - "%s" % (tag) - ], - "auto_tag": False, - "force_tag": True, - "daemon_off": False, - }, - }], - "trigger": { - "ref": [ - "refs/heads/master", - "refs/tags/**", - ], - } - }] - if latest: - out[0]["steps"][0]["settings"]["tags"].append("latest") - return out diff --git a/.gitea/workflows/build_and_publish.yaml b/.gitea/workflows/build_and_publish.yaml new file mode 100644 index 0000000..ed95d46 --- /dev/null +++ b/.gitea/workflows/build_and_publish.yaml @@ -0,0 +1,92 @@ +--- +name: Container Publish + +env: + REGISTRY: docker.asperti.com + REPOSITORY: paspo/barracudavpn + +on: + push: + tags: + - '*' + schedule: + - cron: "0 12 3 * *" + workflow_dispatch: + workflow_call: + workflow_run: + workflows: [vulnscan.yaml] + types: [completed] + +jobs: + on-success-skip: + runs-on: + labels: ubuntu-latest + if: ${{ github.event.workflow_run.conclusion == 'success' }} + steps: + - run: exit_with_success + + build-image: + runs-on: + labels: [ubuntu-latest, "arch-${{ matrix.arch }}"] + container: + image: catthehacker/ubuntu:act-latest + strategy: + matrix: + include: + - ver: "5.2.2" + debname: barracudavpn_5.2.2_amd64.deb + url: https://d.barracudanetworks.com/VPN/Linux/VPNClient_5.2.2_Linux.tar.gz + arch: amd64 + - ver: "5.1.4" + debname: barracudavpn_5.1.4_amd64.deb + url: https://d.barracudanetworks.com/VPN/Linux/VPNClient_5.1.4_Linux.tar.gz + arch: amd64 + - ver: "5.0.2.7" + debname: barracudavpn_5.0.2.7_amd64.deb + url: https://d.barracudanetworks.com/VPN/Linux/VPNClient_5.0.2.7_Linux.tar.gz + arch: amd64 + + steps: + - uses: actions/checkout@v4 + + - name: Login to registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ secrets.REGISTRY_USER }} + password: ${{ secrets.REGISTRY_TOKEN }} + + - name: Build and publish + run: | + cd src + docker build \ + --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.ver }}-${{ matrix.arch }} \ + --build-arg URL=${{ matrix.url }} \ + --build-arg DEBNAME=${{ matrix.debname }} \ + --platform linux/${{ matrix.arch }} -f Dockerfile . + docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.ver }}-${{ matrix.arch }} + + manifest: + name: update docker manifest + needs: build-image + runs-on: ubuntu-latest + container: + image: catthehacker/ubuntu:act-latest + strategy: + matrix: + ver: ["5.2.2", "5.1.4", "5.0.2.7"] + + steps: + - name: Login to registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ secrets.REGISTRY_USER }} + password: ${{ secrets.REGISTRY_TOKEN }} + + - name: latest + run: | + docker manifest create \ + ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.ver }} \ + --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.ver }}-amd64 + docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.ver }} diff --git a/.gitea/workflows/vulnscan.yaml b/.gitea/workflows/vulnscan.yaml new file mode 100644 index 0000000..61294c7 --- /dev/null +++ b/.gitea/workflows/vulnscan.yaml @@ -0,0 +1,65 @@ +--- +name: Vulnerability Scan + +env: + REGISTRY: docker.asperti.com + REPOSITORY: paspo/barracudavpn + +on: + schedule: + - cron: "0 14 * * *" + workflow_dispatch: + workflow_call: + workflow_run: + workflows: [build_and_publish.yaml] + types: [completed] + +jobs: + scan: + name: Daily Vulnerability Scan + runs-on: + labels: [ubuntu-latest, "arch-${{ matrix.arch }}"] + container: + image: catthehacker/ubuntu:act-latest + strategy: + matrix: + arch: [amd64] + ver: ["5.2.2", "5.1.4", "5.0.2.7"] + + steps: + - name: Pull docker image + run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.ver }} + + - name: Setup trivy + run: | + echo "Installing Trivy for arch: $(uname -m)" + case $(uname -m) in + x86_64) + wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;; + aarch64) + wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;; + *) exit 1 ;; + esac + dpkg -i /tmp/trivy.deb + + - name: Run Trivy vulnerability scanner + id: scan + run: | + trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.ver }} > trivy-results.json + + # if some vulnerability is found, we fail + - name: check output + id: vulncount + run: | + echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT} + if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi + + - name: send telegram notification + if: failure() + uses: appleboy/telegram-action@master + with: + to: ${{ secrets.TELEGRAM_TO }} + token: ${{ secrets.TELEGRAM_TOKEN }} + format: markdown + message: | + Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}` diff --git a/src/Dockerfile b/src/Dockerfile index 3def8ed..97839d9 100644 --- a/src/Dockerfile +++ b/src/Dockerfile @@ -14,9 +14,9 @@ FROM debian:bookworm-slim COPY --from=BUILDER /usr/local/bin/barracudavpn /app/ RUN \ - DEBIAN_FRONTEND=noninteractive apt update && \ - DEBIAN_FRONTEND=noninteractive apt upgrade && \ - DEBIAN_FRONTEND=noninteractive apt install -y iproute2 gettext-base tini && \ + DEBIAN_FRONTEND=noninteractive apt-get update && \ + DEBIAN_FRONTEND=noninteractive apt-get upgrade -y && \ + DEBIAN_FRONTEND=noninteractive apt-get install -y iproute2 gettext-base tini && \ rm -rf /var/lib/apt/lists/* COPY rootfs /