system-config/docker/gitea/Dockerfile

# syntax=docker/dockerfile:1.3
# Copyright (c) 2018 Red Hat, Inc.
# Copyright (c) 2016 The Gitea Authors
# Copyright (c) 2015 The Gogs Authors
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.

# Wed Oct 11 15:53:34 UTC 2023 - trigger rebuild

###################################
# Build stage
FROM docker.io/library/golang:1.22-bookworm AS build-env

LABEL maintainer="infra-root@openstack.org"

ARG GOPROXY
ENV GOPROXY ${GOPROXY:-direct}

ARG GITEA_VERSION="v1.22.3"
ENV TAGS "bindata timetzdata $TAGS"

# Build deps
RUN apt-get update \
  && apt-get -y dist-upgrade \
  && apt-get -y install build-essential git apt-transport-https curl gnupg2 \
  && curl -sS https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - \
  && echo "deb https://deb.nodesource.com/node_20.x bookworm main" | tee /etc/apt/sources.list.d/nodesource.list \
  && apt-get update \
  && apt-get -q --option "Dpkg::Options::=--force-confold" --assume-yes install nodejs \
  && mkdir -p ${GOPATH}/src/code.gitea.io/gitea

# Setup repo
RUN git clone https://github.com/go-gitea/gitea ${GOPATH}/src/code.gitea.io/gitea
WORKDIR ${GOPATH}/src/code.gitea.io/gitea

# Checkout version if set
RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
 && make clean-all build

# This is a utility the upstream image builds to translate env vars into
# the app.ini config. We primarily rely on ansible for this instead but
# build an include it anyway to stay in sync with upstream tooling.
RUN go build contrib/environment-to-ini/environment-to-ini.go

# TODO upstream performs this COPY then chmods the docker/root/ prefixed
# files below against /tmp/local. The copy fails for us due to some bad
# interaction with docker image build caching. I think due to how we clone
# the repo above. We should align better with upstream if possible.
## Copy local files
# COPY docker/root /tmp/local

# Set permissions
RUN chmod 755 docker/root/usr/bin/entrypoint \
              docker/root/usr/local/bin/gitea \
              docker/root/etc/s6/gitea/* \
              docker/root/etc/s6/openssh/* \
              docker/root/etc/s6/.s6-svscan/* \
              /go/src/code.gitea.io/gitea/gitea \
              /go/src/code.gitea.io/gitea/environment-to-ini
RUN chmod 644 /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete

###################################
# Basic system setup common to all containers in our pod

FROM docker.io/library/debian:bookworm-slim as base

RUN apt-get update \
  && apt-get -y dist-upgrade \
  && apt-get -y install \
    bash \
    ca-certificates \
    curl \
    gettext \
    git \
    openssh-client \
    gnupg \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*

RUN addgroup --system --gid 1000 git \
  && adduser \
    --system --no-create-home --disabled-login \
    --home /data/git \
    --shell /bin/bash \
    --uid 1000 \
    --gid 1000 \
    git \
  && echo "git:$(dd if=/dev/urandom bs=24 count=1 status=none | base64)" | chpasswd \
  && mkdir /custom

# Copy the /etc config files and entrypoint script
COPY --from=build-env /go/src/code.gitea.io/gitea/docker/root /

# Copy the app
COPY --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
COPY --from=build-env /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh

# Copy our custom templates and some additional image files
COPY custom/ /custom/
# Copy our opendev logo contents to the custom location
RUN --mount=type=bind,from=opendevorg/assets,target=/tmp/assets cp -r /tmp/assets/* /custom/public/assets/img/

ENV GITEA_CUSTOM /custom
# This is used the the openssh container image to set sshd_config AllowUsers
# even though that container runs as root (due to low port selection).
# The main gitea web container also uses this USER env var for basic user
# setup in its entrypoint.
ENV USER git

###################################
# The gitea image
FROM base as gitea

RUN apt-get update && apt-get -y install pandoc \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*

EXPOSE 3000
VOLUME ["/data"]
ENTRYPOINT ["/usr/bin/entrypoint"]
CMD ["/usr/local/bin/gitea", "web"]
USER 1000:1000

###################################
# The openssh server image
FROM base as gitea-openssh

RUN apt-get update \
  && DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confold" \
     install openssh-server \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/* \
  && mkdir /run/sshd

COPY sshd-entrypoint.sh /usr/bin/entrypoint

EXPOSE 22
VOLUME ["/data"]
ENTRYPOINT ["/usr/bin/entrypoint"]
CMD ["/usr/sbin/sshd", "-D", "-e"]