install ca-certificates explicitly

Author: tprasadtp

.goreleaser.yml

@@ -17,6 +17,7 @@ dockers:
       - 'ghcr.io/tprasadtp/{{ .ProjectName }}:{{ .FullCommit }}-amd64'
 
     build_flag_templates:
+      - --build-arg=VERSION={{ .Version }}
       - --label=org.opencontainers.image.created={{.Date}}
       - --label=org.opencontainers.image.revision={{.FullCommit}}
       - --label=org.opencontainers.image.version={{.Version}}
@@ -65,6 +66,7 @@ dockers:
       - 'ghcr.io/tprasadtp/{{ .ProjectName }}:{{ .FullCommit }}-arm64'
 
     build_flag_templates:
+      - --build-arg=VERSION={{ .Version }}
       - --label=org.opencontainers.image.created={{.Date}}
       - --label=org.opencontainers.image.revision={{.FullCommit}}
       - --label=org.opencontainers.image.version={{.Version}}
@@ -105,6 +107,7 @@ dockers:
       - 'ghcr.io/tprasadtp/{{ .ProjectName }}:{{ .FullCommit }}-arm'
 
     build_flag_templates:
+      - --build-arg=VERSION={{ .Version }}
       - --label=org.opencontainers.image.created={{.Date}}
       - --label=org.opencontainers.image.revision={{.FullCommit}}
       - --label=org.opencontainers.image.version={{.Version}}

Dockerfile

@@ -3,6 +3,9 @@
 FROM ubuntu:focal-20210921 as upstream
 FROM upstream as base
 
+ARG VERSION="v0.0.0"
+ENV VERSION="${VERSION}"
+
 # Overlay defaults
 ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2 \
     S6_CMD_WAIT_FOR_SERVICES=1 \
@@ -34,9 +37,11 @@ RUN --mount=type=tmpfs,target=/downloads/ \
     curl \
     procps \
     iptables \
+    ca-certificates \
     openvpn \
     dialog \
     python3-pip \
+    && update-ca-certificates \
     && ARCH="$(uname -m)" \
     && export ARCH \
     && if [ "$ARCH" = "x86_64" ]; then \

Makefile

@@ -27,6 +27,8 @@ UPSTREAM_URL     := https://github.com/ProtonVPN/linux-cli
 include $(REPO_ROOT)/makefiles/help.mk
 include $(REPO_ROOT)/makefiles/docker.mk
 
+# Inject Version into image
+DOCKER_EXTRA_ARGS := --build-arg VERSION=$(VERSION_ID)
 
 .PHONY: shellcheck
 shellcheck: ## Runs shellcheck

docs/healthcheck.md

@@ -2,10 +2,33 @@
 
 - There is a `healthcheck.py` script available under /usr/local/bin. It will use `PROTONVPN_IPCHECK_ENDPOINT` (`https://ip.prasadt.workers.dev/` by default) to verify the IP address matches with one of the logical servers. By default service will keep checking every `PROTONVPN_CHECK_INTERVAL` _(default = 90)_ seconds using the same api endpoint.
 
-- `https://ip.prasadt.workers.dev/` Service runs as a cloudflare worker and is fast, as it sits at their edge network. It is very simple, It returns your public IP and nothing else. You can use any of the following services by setting the variable (or host your own) as they too return your public IP address.
+- `https://ip.prasadt.workers.dev/` Service runs as a cloudflare worker and is fast, as it sits at their edge network. It is very simple, It returns your public IP and nothing else.
+
+- You can use any of the following services by setting the variable (or host your own) as they too return your public IP address. These can also be used if default endpoint is rate limited or unavailable.
   * https://ip.prasadt.workers.dev/
-  * https://checkip.amazonaws.com/
   * https://icanhazip.com/
+  * https://checkip.amazonaws.com/
   * https://api.ipify.org/
 
 - Version 4.x and below use `https://ipinfo.io` as healthcheck endpoint and check for connected country. This endpoint be changed. If you are hitting rate limits, you should upgrade to v5.0.0+ or reduce check interval via `PROTONVPN_CHECK_INTERVAL` to 180 seconds or more.
+
+## Hosting your own ip worker
+
+- Signup for [Cloudflare workers](https://dash.cloudflare.com/sign-up/workers)
+- Create a new worker
+- Code for worker is extremely dumb and simple its less than 10 lines of code. You can simply copy paste the following snipet, or look under worker folder.
+  ```js
+  addEventListener("fetch", (event) => {
+    event.respondWith(
+      handleRequest(event.request).catch(
+        (err) => new Response(err.stack, { status: 500 })
+      )
+    );
+  });
+
+  async function handleRequest(request) {
+    return new Response(request.headers.get("CF-Connecting-IP"))
+  }
+  ```
+-. Hit save and deploy. Please note that the preview is not available in the cloudflare console,
+as the script uses CF-* headers which are not availablein preview.

makefiles/help.mk

@@ -82,6 +82,12 @@ else
 	GIT_BRANCH            :=
 endif
 
+# Version ID
+# This can return only commit id, if in a shallow clone repo,
+# otherwise can return something like 5.0.1-3-gf24fb56-dirty
+VERSION_ID := $(shell git -c log.showSignature=false describe --tags --always --broken --dirty 2> /dev/null )
+export VERSION_ID
+
 # Base Buidler/CI Info collector
 # -------------------------------------
 
@@ -146,6 +152,7 @@ show-vars-base: ## Show Base variables
 	@echo "GIT_COMMIT_TIMESTAMP : $(GIT_COMMIT_TIMESTAMP)"
 	@echo "GIT_DEFAULT_BRANCH   : $(GIT_DEFAULT_BRANCH)"
 	@echo "GIT_TREE_STATE       : $(GIT_TREE_STATE)"
+	@echo "VERSION_ID           : $(VERSION_ID)"
 
 	@echo "----------- BASE BUILD VARIABLES --------------"
 	@echo "BUILD_HOST           : $(BUILD_HOST)"

root/etc/services.d/protonvpn/run

@@ -82,7 +82,6 @@ function api_check() {
     thrshold_f=0
   else
     log_error "Healthcheck #$((++thrshold_f)) Failed!"
-    log_error "Connected to #${COUNTRY} instead of #${PROTONVPN_COUNTRY}"
     if [[ $thrshold_f -gt "${PROTONVPN_FAIL_THRESHOLD}" ]]; then
       log_error "Reconnecting! (${PROTONVPN_FAIL_THRESHOLD})"
       reconnect_vpn

root/usr/bin/healthcheck

@@ -49,12 +49,17 @@ logging.debug(f"Allowed IPs: {connected_server_ips}")
 
 ip_endpoint = os.getenv("PROTONVPN_IPCHECK_ENDPOINT",
                         "https://ip.prasadt.workers.dev/")
+hciv = os.getenv("PROTONVPN_CHECK_INTERVAL", "0")
+version = os.getenv("VERSION", "v0.0.0")
+user_agent = f"protonvpn-docker/{version}/{hciv}"
+
 logging.debug(f"Fetch Public IP from {ip_endpoint}")
+logging.debug(f"Using User-Agent - {user_agent}")
 
 ip_resp_request = urllib.request.Request(
     ip_endpoint,
     data=None,
-    headers={"User-Agent": "protonvpn-cli-docker"},
+    headers={"User-Agent": user_agent},
 )
 with urllib.request.urlopen(ip_resp_request) as ip_response:
     current_ip = str(ip_response.read(), "utf-8")