  1  FROM quay.io/fedora/fedora-bootc:latest
  2  
  3  # Install basic system
  4  RUN <<END_OF_BLOCK
  5  set -eu
  6  
  7  mkdir /var/roothome
  8  
  9  dnf -y install dnf5-plugins
 10  
 11  dnf -y copr enable neilalexander/yggdrasil-go
 12  
 13  dnf -y install  --setopt="install_weak_deps=False" \
 14  	NetworkManager-tui \
 15  	cockpit \
 16  	mc \
 17  	htop \
 18  	zsh \
 19  	jq \
 20  	yggdrasil \
 21  	radvd \
 22  	dhcp-server \
 23  	greenboot \
 24  	dhcp-server \
 25  	greenboot-default-health-checks \
 26  	firewalld \
 27  	freeipa-client
 28  
 29  dnf -y clean all
 30  END_OF_BLOCK
 31  
 32  # Install local packages (if available).
 33  RUN --mount=type=bind,source=./packages,target=/packages  <<END_OF_BLOCK
 34  set -eu
 35  shopt -s extglob
 36  shopt -s nullglob
 37  
 38  for file in /packages/*.@("$(arch)".rpm|noarch.rpm); do
 39  	dnf -y install "$file"
 40  done
 41  
 42  END_OF_BLOCK
 43  ARG sshkeys=""
 44  ENV imagename="gatekeeper-os"
 45  ARG buildid="unset"
 46  ARG commit="unknown"
 47  
 48  LABEL org.opencontainers.image.vendor="Dirk Gottschalk" \
 49  	org.opencontainers.image.authors="Dirk Gottschalk" \
 50  	org.opencontainers.image.name=${imagename} \
 51  	org.opencontainers.image.version=${buildid} \
 52  	org.opencontainers.image.description="A bootc gateway/router image." \
 53  	org.opencontainers.image.commit-id=${commit}
 54  
# Copy prepared files
# Modes are fixed at copy time with --chmod, so no follow-up chmod layer is
# needed: root-only configuration is 600, executables 700, public config 644.
# sshd drop-in (root-readable only).
COPY --chmod=600 configs/ssh-00-0local.conf /etc/ssh/sshd_config.d/00-0local.conf
COPY --chmod=644 configs/rpm-ostreed.conf /etc/rpm-ostreed.conf
COPY --chmod=644 configs/watchdog.conf /etc/watchdog.conf
# First-boot/device initialisation script; the matching unit comes from ./systemd below.
COPY --chmod=700 scripts/device-init.sh /usr/bin/device-init.sh
# Replaces the bootupctl binary with a shim; anything calling bootupctl gets this script.
COPY --chmod=700 scripts/bootupctl-shim /usr/bin/bootupctl
# sudo requires sudoers.d files to be root-owned and not world-writable; 600 satisfies that.
COPY --chmod=600 configs/sudoers-wheel /etc/sudoers.d/wheel
# NOTE(review): fail2ban is not in the package list above; presumably it comes
# from a local package or the base image — confirm, otherwise this drop-in is inert.
COPY --chmod=600 configs/jail-10-sshd.conf /etc/fail2ban/jail.d/10-sshd.conf
# dconf profile and settings — dconf is likewise not installed above; verify the source.
COPY --chmod=644 configs/dconf-user /usr/share/dconf/profile/user
COPY --chmod=644 configs/dconf-00-extensions /etc/dconf/db/local.d/00-extensions
# Installed under a different name (cardterm.conf) than the source file.
COPY --chmod=644 configs/tmpfiles.conf /usr/lib/tmpfiles.d/cardterm.conf
# Declares the yggdrasil service account via systemd-sysusers.
COPY --chmod=644 configs/sysusers-yggdrasil.conf /usr/lib/sysusers.d/yggdrasil.conf
# Unit files; no --chmod because it would apply to directories as well as files.
COPY systemd /usr/lib/systemd/system

# Image signature settings
# registries.d presumably says where signatures live, policy.json what is
# required, and keys holds the trusted public keys — confirm against the files.
COPY --chmod=644 configs/registries-sigstore.yaml /usr/share/containers/registries.d/sigstore.yaml
COPY --chmod=644 configs/containers-toolbox.conf /etc/containers/toolbox.conf
COPY --chmod=644 configs/containers-policy.json /usr/share/containers/policy.json
# NOTE(review): --chmod=644 on a directory copy may set the directory itself
# to 644 (no execute bit), leaving the keys unreadable to non-root processes —
# confirm the resulting mode in the built image.
COPY --chmod=644 keys /usr/share/containers/keys

 75  # Do some 'abrakadabra' to build the image.
 76  RUN <<END_OF_MAGIC
 77  # Abort on error and when unbound variables are used
 78  set -eu
 79  
 80  echo "IMAGE_ID=${buildid}" >>/usr/lib/os-release
 81  echo "IMAGE_VERSION=${imagename}" >>/usr/lib/os-release
 82  
 83  # Embed ssh keys for root if provided
 84  if [[ -n "$sshkeys" ]]; then
 85  	mkdir -p /usr/ssh
 86  	echo $sshkeys > /usr/ssh/root.pub
 87  fi
 88  
 89  # Enable required services
 90  systemctl enable device-init firewalld cockpit.socket yggdrasil
 91  
 92  # Configure Firewall with some defaults
 93  firewall-offline-cmd --zone=public --add-service=dhcpv6-client
 94  firewall-offline-cmd --zone=public --add-service=mdns
 95  firewall-offline-cmd --zone=public --add-service=ssh
 96  firewall-offline-cmd --new-zone=mesh
 97  firewall-offline-cmd --zone=mesh --add-interface=tun0
 98  firewall-offline-cmd --zone=mesh --add-service=ssh
 99  firewall-offline-cmd --new-policy=int-to-pub
100  firewall-offline-cmd --policy=int-to-pub --add-ingress-zone=internal
101  firewall-offline-cmd --policy=int-to-pub --add-egress-zone=public
102  firewall-offline-cmd --policy=int-to-pub --set-target=ACCEPT
103  firewall-offline-cmd --new-policy=public-to-int
104  firewall-offline-cmd --policy=public-to-int --add-ingress-zone=public
105  firewall-offline-cmd --policy=public-to-int --add-egress-zone=internal
106  firewall-offline-cmd --policy=public-to-int --set-target=CONTINUE
107  firewall-offline-cmd --new-policy=int-to-mesh
108  firewall-offline-cmd --policy=int-to-mesh --add-ingress-zone=internal
109  firewall-offline-cmd --policy=int-to-mesh --add-egress-zone=mesh
110  firewall-offline-cmd --policy=int-to-mesh --set-target=ACCEPT
111  firewall-offline-cmd --new-policy=mesh-to-int
112  firewall-offline-cmd --policy=mesh-to-int --set-target=CONTINUE
113  
114  rm -rf /var/{cache,log,tmp,spool}/*
115  
116  END_OF_MAGIC