Dockerfile.development
# syntax=docker/dockerfile:1.21
# check=error=true
# Available versions are listed on https://hub.docker.com/r/docker/dockerfile
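# Base image for the development container.
# NOTE(review): `debian:trixie` is a moving tag; pinning it by digest
# (debian:trixie@sha256:<digest>) would make rebuilds reproducible.
FROM debian:trixie
# Every RUN below executes under bash with errexit, nounset and pipefail, so a
# failing command, an unset variable or a failing pipeline stage aborts the build.
SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
# IDs given to the `cloud` group and user created further down; both are
# required and have no default.
ARG GROUP_ID
ARG USER_ID
# Validate the build arguments before anything else runs:
#   - `${VAR:-}` keeps `nounset` from aborting with "unbound variable" before
#     the intended "required ..." message can be printed;
#   - both values must be plain decimal numbers, because they are later handed
#     to getent, addgroup and adduser;
#   - USER_ID 0 is rejected, since the purpose of the account is to not be root.
# Messages go to stderr so they stand out in the build log.
RUN \
    if [ -z "${GROUP_ID:-}" ]; then echo "required 'GROUP_ID'" >&2; exit 1; fi && \
    if [ -z "${USER_ID:-}" ]; then echo "required 'USER_ID'" >&2; exit 1; fi && \
    if ! [[ "${GROUP_ID}" =~ ^[0-9]+$ ]]; then echo "'GROUP_ID' must be numeric" >&2; exit 1; fi && \
    if ! [[ "${USER_ID}" =~ ^[0-9]+$ ]]; then echo "'USER_ID' must be numeric" >&2; exit 1; fi && \
    if [ "${USER_ID}" -eq 0 ]; then echo "'USER_ID' must not be 0 (root)" >&2; exit 1; fi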
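# Create non-root user to run commands in (see https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b)
# id --user --name "${USER_ID}" 2>/dev/null
#
# Steps, all in one layer:
#   1. install `adduser` and `sudo`;
#   2. remove any account or group of the base image that already owns the
#      requested UID/GID, so that `cloud` can take those IDs;
#   3. create the `cloud` group and user with the requested IDs;
#   4. add `cloud` to the `sudo` group and grant it passwordless sudo;
#   5. drop the apt package lists.
# The build arguments are quoted wherever they are expanded so that a value
# containing whitespace or glob characters cannot be split into extra words.
# NOTE(review): `NOPASSWD:ALL` makes `cloud` root-equivalent inside the
# container. That is a development convenience; it should not be carried over
# to an image that runs untrusted code or is deployed.
RUN \
    apt-get update && \
    apt-get install \
        --assume-yes \
        --no-install-recommends \
        adduser \
        sudo && \
    existing_user_name="$( (getent passwd "${USER_ID}" 2>/dev/null || true) | cut --delimiter=: --fields=1)" && \
    if test -n "${existing_user_name}"; then \
        deluser "${existing_user_name}"; \
    fi && \
    existing_group_name="$( (getent group "${GROUP_ID}" 2>/dev/null || true) | cut --delimiter=: --fields=1)" && \
    if test -n "${existing_group_name}"; then \
        delgroup "${existing_group_name}"; \
    fi && \
    addgroup \
        --system \
        --gid "${GROUP_ID}" \
        cloud && \
    adduser \
        --system \
        --home /home/cloud \
        --uid "${USER_ID}" \
        --ingroup cloud \
        cloud && \
    usermod \
        --append \
        --groups sudo \
        cloud && \
    echo "cloud ALL=(ALL) NOPASSWD:ALL" \
        >> /etc/sudoers.d/cloud && \
    chmod 0440 /etc/sudoers.d/cloud && \
    rm \
        --recursive \
        --force \
        /var/lib/apt/lists/*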
#############
# As `root` #
#############
# UBUNTU_CODENAME: the Ubuntu codename that corresponds to this Debian release,
# taken from
# https://docs.ansible.com/projects/ansible/latest/installation_guide/installation_distros.html#installing-ansible-on-debian
# NOTE(review): confirm that `jammy` is the codename listed there for trixie.
# Nothing in this file reads the variable.
ENV UBUNTU_CODENAME=jammy
# System packages for the development environment. Why some of them are here:
#   less        - used by `ansible-config dump`
#   python3-apt - used by `ansible-playbook --check`
# `npm` is currently left out of the list (it was commented out by the author).
# The apt package lists are removed in the same layer that downloaded them.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        cron \
        less \
        make \
        neovim \
        pipx \
        python3-apt \
        systemd \
        tini && \
    rm -rf /var/lib/apt/lists/*
# HOME applies to the remaining build steps and to the running container.
ENV HOME=/home/cloud
# Still running as root here: create the project directory, hand it over to
# `cloud`, and make the home directory reachable as /app through a symlink.
RUN mkdir "${HOME}/machine" && \
    chown -R cloud:cloud "${HOME}/machine" && \
    ln -s "${HOME}" /app
##############
# As `cloud` #
##############
# From here on every instruction runs as the unprivileged `cloud` user.
USER cloud
WORKDIR /app/machine
# Disabled by the author: global npm tooling.
# RUN \
# sudo npm install --global npm@latest \
# sudo npm install --global dclint
# Install Ansible into a pipx-managed environment at a pinned version, then add
# the pinned extra packages to that same environment. `pipx ensurepath` is run
# first, as in the original.
RUN pipx ensurepath && \
    pipx install --include-deps ansible==12.3 && \
    pipx inject --include-deps --include-apps ansible \
        python-debian==1.1.0 \
        ansible-dev-tools==26.1
# Disabled by the author: shell completion for pipx.
# eval '"$(register-python-argcomplete pipx)"' \
# >> "${HOME}/.bash_profile"
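# SSH material and per-environment placeholders for `cloud`. /app is a symlink
# to the home directory, so /app/.ssh is the user's own ~/.ssh.
#   - ~/.ssh is created 0700 and authorized_keys set to 0600, the permissions
#     conventionally used for these paths, instead of relying on the umask.
#   - The empty production/staging .env files are owner-only (0600). They are
#     created by `cloud`, so the chmod needs no sudo.
#   - /etc/ssh is created 0700 rather than 0600: a directory without the
#     execute (search) bit cannot be entered, and root could use it only by
#     overriding permission checks. Use 0755 instead if non-root processes are
#     meant to read files in it.
# NOTE(review): the public key below is baked into every image built from this
# file. Whoever holds the matching private key is authorised as `cloud`, an
# account with passwordless sudo, wherever an SSH server honours this file.
# Supplying the key at build or run time would avoid sharing one fixed key
# across all copies of the image. No SSH server is installed by this file.
RUN mkdir --mode=700 --parents /app/.ssh \
    && echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUg2JEPWwiqC3saYGX0cyNx6evyDdFZ281BE3hw0uWK" > /app/.ssh/authorized_keys \
    && chmod 600 /app/.ssh/authorized_keys \
    && mkdir --parents /app/{production,staging} \
    && touch \
        /app/production/.env \
        /app/staging/.env \
    && chmod 600 \
        /app/production/.env \
        /app/staging/.env \
    && sudo mkdir --mode=700 /etc/ssh
ENV SHELL=/bin/bash
# tini runs as PID 1. No CMD is set here, so the command to run is presumably
# supplied by whatever starts the container.
ENTRYPOINT ["/usr/bin/tini", "--"]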