# Containerfile -- Dotfiles Development Environment
#
# Builds a container image with all dotfiles tooling pre-installed.
# Each dependency gets its own layer so rebuilds only reinstall what changed.
#
# Build:
# podman build --secret id=github_token,env=GITHUB_TOKEN -t dotfiles .
#
# Quick build with GitHub token (avoids rate limits):
# GITHUB_TOKEN=$(gh auth token) podman build --secret id=github_token,env=GITHUB_TOKEN -t dotfiles .
#
# Run:
# podman run -it dotfiles
#
# Override identity:
# podman build \
# --build-arg GIT_USER_NAME="Your Name" \
# --build-arg GIT_USER_EMAIL="[email protected]" \
# --secret id=github_token,env=GITHUB_TOKEN \
# -t dotfiles .
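# Base image. `latest` floats to whatever Fedora currently publishes, so two
# builds of this file can start from different bases. Override FEDORA_VERSION
# (a release number, or `<release>@sha256:<digest>`) to make the base
# reproducible; the default keeps the previous behaviour.
ARG FEDORA_VERSION=latest
FROM registry.fedoraproject.org/fedora:${FEDORA_VERSION}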
# =============================================================================
# Layer: system packages
# =============================================================================
# The cache mount keeps /var/cache/dnf on the build host between builds and
# keepcache=True stops dnf from discarding the downloaded RPMs, so repeated
# builds do not re-download; because the mount is not part of the image layer,
# no `dnf clean all` is needed here. install_weak_deps=False skips weak
# (recommended) dependencies to keep the image small. Package versions are not
# pinned; reproducibility of this layer therefore depends on the base image
# and on the Fedora repositories at build time.
RUN --mount=type=cache,target=/var/cache/dnf \
dnf install -y \
--setopt=install_weak_deps=False \
--setopt=keepcache=True \
bc \
ca-certificates \
curl \
gcc \
gcc-c++ \
git \
git-lfs \
htop \
jq \
make \
ncurses \
openssl-devel \
pkg-config \
tar \
tmux \
unzip \
util-linux-user \
zsh
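# =============================================================================
# Layer: cosign (signature verification)
# =============================================================================
# Release pinned by tag. The asset name is arch-specific, so `uname -m` output
# is mapped to the Go arch names the release assets use. COSIGN_SHA256, when
# given, is the expected SHA-256 of the binary for the build architecture
# (take it from the release's published checksums); on mismatch `sha256sum -c`
# fails the layer. Empty (the default) skips verification, as before.
# `set -o pipefail` makes a failing `uname | sed` pipeline fail the layer.
ARG COSIGN_VERSION=v2.5.3
ARG COSIGN_SHA256=""
RUN set -o pipefail \
    && ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') \
    && curl -fsSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-${ARCH}" \
       -o /usr/local/bin/cosign \
    && if [ -n "${COSIGN_SHA256}" ]; then \
         echo "${COSIGN_SHA256}  /usr/local/bin/cosign" | sha256sum -c -; \
       fi \
    && chmod +x /usr/local/bin/cosign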
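# =============================================================================
# Layer: mise (tool version manager)
# =============================================================================
# Installs via the upstream bootstrap script into MISE_INSTALL_PATH.
# `set -o pipefail` makes a failed download fail the layer; without it `sh`
# would run on empty input and exit 0, silently producing an image without
# mise. This installs whatever mise.run currently ships; the installer honours
# MISE_VERSION (e.g. MISE_VERSION=<vYYYY.M.D>) when a pinned release is wanted.
RUN set -o pipefail \
    && curl -fsSL https://mise.run | MISE_INSTALL_PATH=/usr/local/bin/mise sh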
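# =============================================================================
# Layer: chezmoi (dotfiles manager)
# =============================================================================
# CHEZMOI_VERSION pins the release (with or without the leading "v"). When it
# is empty (the default) the latest release is resolved through the GitHub
# API, which is what this layer always did. The github_token secret is
# optional and only raises the API rate limit: the file test is wrapped in
# `if` rather than placed in the `&&` chain, where a missing secret
# short-circuited the chain with a non-zero status and failed the build.
# `set -o pipefail` makes a failed curl in either pipeline fail the layer.
# The tarball itself is not checksum- or signature-verified.
ARG CHEZMOI_VERSION=""
RUN --mount=type=secret,id=github_token \
    set -o pipefail \
    && ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') \
    && AUTH_HEADER="" \
    && if [ -f /run/secrets/github_token ]; then \
         AUTH_HEADER="Authorization: token $(cat /run/secrets/github_token)"; \
       fi \
    && VERSION="${CHEZMOI_VERSION#v}" \
    && if [ -z "${VERSION}" ]; then \
         VERSION=$(curl -fsSL ${AUTH_HEADER:+-H "$AUTH_HEADER"} \
           https://api.github.com/repos/twpayne/chezmoi/releases/latest \
           | grep '"tag_name"' | cut -d'"' -f4 | sed 's/^v//'); \
       fi \
    && curl -fsSL "https://github.com/twpayne/chezmoi/releases/download/v${VERSION}/chezmoi_${VERSION}_linux_${ARCH}.tar.gz" \
       | tar -xzf - -C /usr/local/bin chezmoi \
    && chmod +x /usr/local/bin/chezmoi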
# =============================================================================
# Non-root user
# =============================================================================
# Unprivileged account the dev shell runs as. A fixed, high UID/GID keeps file
# ownership stable across hosts and lets runtimes verify the process is not
# root. Login shell is zsh (installed in the system-packages layer).
ARG USERNAME=agent
ARG USER_UID=10000
ARG USER_GID=10000
RUN groupadd --gid "${USER_GID}" "${USERNAME}" \
    && useradd --create-home \
               --uid "${USER_UID}" \
               --gid "${USER_GID}" \
               --shell /usr/bin/zsh \
               "${USERNAME}"
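# Runtime environment for the unprivileged user. Home-relative paths are
# derived from USERNAME so an overridden `--build-arg USERNAME=...` still
# matches the home directory useradd created above; with the default the
# values are unchanged (/home/agent). PATH lists the mise shims first so
# mise-managed tools take precedence over system ones.
ENV CONTAINER=podman \
    TERM=xterm-256color \
    HOME=/home/${USERNAME} \
    XDG_CACHE_HOME=/home/${USERNAME}/.cache \
    XDG_CONFIG_HOME=/home/${USERNAME}/.config \
    XDG_DATA_HOME=/home/${USERNAME}/.local/share \
    XDG_STATE_HOME=/home/${USERNAME}/.local/state \
    PATH="/home/${USERNAME}/.local/share/mise/shims:/home/${USERNAME}/.local/bin:${PATH}"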
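# =============================================================================
# Dotfiles source
# =============================================================================
# The build context is the dotfiles repository; a .containerignore (or
# .dockerignore) should keep .git, editor state and any local secrets out of
# the copy. Ownership, the account switch and the working directory use
# USERNAME so an overridden --build-arg lines up with the user created above;
# the defaults resolve to agent:agent and /home/agent exactly as before.
# Everything after USER runs unprivileged.
COPY --chown=${USERNAME}:${USERNAME} . /home/${USERNAME}/.dotfiles
USER ${USERNAME}
WORKDIR /home/${USERNAME}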
# =============================================================================
# Layer: chezmoi apply + mise tools
#
# chezmoi apply places the mise config, then its run_onchange script runs
# `mise install`. The secret mount provides GITHUB_TOKEN to avoid rate limits.
# Cache mounts at staging paths speed up rebuilds — mise downloads and installs
# into the cache, then we copy the results into the image layer.
# =============================================================================
# Identity baked into the generated git config; override with --build-arg (see
# the header). The three 1Password-ref prompts are answered with empty strings
# so the build never waits for input.
ARG GIT_USER_NAME="Ivy Evans"
ARG GIT_USER_EMAIL="[email protected]"
ARG USE_BEDROCK=false
# This RUN executes as the unprivileged user (USER above), hence:
#  - the cache mounts carry uid/gid 10000 literally; they are not derived from
#    USER_UID/USER_GID and must be kept in sync with them by hand;
#  - the secret is mounted mode=0444 so a non-root process can read it
#    (the default secret mode is readable by root only).
# GITHUB_TOKEN is exported even when no secret was supplied (it is then the
# empty string) — NOTE(review): confirm mise treats an empty token as unset.
# The MISE_*_DIR overrides point mise at the cache mounts; the final cp copies
# the installed tools from the data-dir mount into the image, since mount
# contents are not part of the layer.
RUN --mount=type=cache,target=/tmp/mise-data,uid=10000,gid=10000 \
--mount=type=cache,target=/tmp/mise-cache,uid=10000,gid=10000 \
--mount=type=cache,target=/tmp/mise-state,uid=10000,gid=10000 \
--mount=type=secret,id=github_token,mode=0444 \
export GITHUB_TOKEN="$(cat /run/secrets/github_token 2>/dev/null || true)" \
&& export MISE_DATA_DIR=/tmp/mise-data \
&& export MISE_CACHE_DIR=/tmp/mise-cache \
&& export MISE_STATE_DIR=/tmp/mise-state \
&& chezmoi init --apply \
--source="/home/agent/.dotfiles" \
--working-tree="/home/agent/.dotfiles" \
--promptString "Git user.name=${GIT_USER_NAME}" \
--promptString "Git user.email=${GIT_USER_EMAIL}" \
--promptBool "Use AWS Bedrock for Claude Code=${USE_BEDROCK}" \
--promptString "1Password ref for OpenAI Codex=" \
--promptString "1Password ref for Claude API=" \
--promptString "1Password ref for Buildkite=" \
&& mkdir -p /home/agent/.local/share/mise \
&& cp -a /tmp/mise-data/. /home/agent/.local/share/mise/
# Interactive login shell. Exec form keeps zsh as PID 1 so it receives the
# stop signal directly from `podman stop`.
CMD ["zsh", "-l"]