image-forgejo-runner/Dockerfile

# git.auengun.net/homelab/image-forgejo-runner
# Copyright (C) 2024  GregoryDosh

ARG FORGEJO_RUNNER_VERSION=act-latest@sha256:8943e69edcada5141b8c1fcc1a84bab15568a49f438387bd858cb3e4df5a436d
FROM ghcr.io/catthehacker/ubuntu:$FORGEJO_RUNNER_VERSION

RUN apt update && \
    apt install -y libpam0g-dev

##########
# Golang #
##########
# renovate: datasource=golang-version depName=golang-version
ENV GOLANG_VERSION=1.25.3
LABEL net.auengun.golang.version=${GOLANG_VERSION}

RUN curl https://go.dev/dl/go${GOLANG_VERSION}.linux-amd64.tar.gz -s -L -o go${GOLANG_VERSION}.linux-amd64.tar.gz && \
    rm -rf /usr/local/go && tar -C /usr/local -xzf go${GOLANG_VERSION}.linux-amd64.tar.gz && \
    rm go${GOLANG_VERSION}.linux-amd64.tar.gz

ENV PATH=$PATH:/usr/local/go/bin

#############################
# Setup Env for Homelab PKI #
#############################
# renovate: datasource=github-releases depName=smallstep/cli
ENV STEP_VERSION=v0.28.7
LABEL net.auengun.step.version=${STEP_VERSION}

ADD https://spm-ca.pages.dev/assets/spm-root.crt /usr/local/share/ca-certificates/spm-cert.crt
RUN update-ca-certificates && \
    cp /usr/local/share/ca-certificates/spm-cert.crt /spm-root.crt && \
    chmod 644 /spm-root.crt && \
    mkdir ./step && \
    export STEP_URL="https://github.com/smallstep/cli/releases/download/${STEP_VERSION}/step_linux_${STEP_VERSION##v}_amd64.tar.gz" && \
    curl -s "$STEP_URL" -L -o - | tar xvz --strip-components=1 -C ./step && \
    cp ./step/bin/step /usr/local/bin && \
    rm -rf ./step

# Git
RUN git config --system http."https://git.auengun.net/".sslCAInfo /spm-root.crt && \
    git config --system --add safe.directory '/workspace'

# Node
ENV NODE_EXTRA_CA_CERTS=/spm-root.crt

# Python
RUN rm -rf /root/.cache/pip && \
    pip config set global.cert /etc/ssl/certs/ca-certificates.crt
ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
ENV PIP_ROOT_USER_ACTION=ignore

# OpenSSL
ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

#################################
# Infisical for Homelab Secrets #
#################################
# renovate: datasource=github-releases depName=gh-infisical-cli packageName=infisical/infisical
ENV INFISICAL_VERSION=v0.41.90
ENV INFISICAL_API_URL=https://infisical.auengun.net/api
ENV INFISICAL_DISABLE_UPDATE_CHECK=true
LABEL net.auengun.infisical.version=${INFISICAL_VERSION}

RUN export INFISICAL_URL="https://github.com/infisical/infisical/releases/download/infisical-cli/${INFISICAL_VERSION}/infisical_${INFISICAL_VERSION##v}_linux_amd64.deb" && \
    curl -s "$INFISICAL_URL" -L -o ./infisical_linux_amd64.deb && \
    apt install -f -y ./infisical_linux_amd64.deb && \
    rm -rf ./infisical_linux_amd64.deb

##########################################
# Poetry for Common Homelab Dependencies #
##########################################
# renovate: datasource=github-releases depName=python-poetry/poetry
ENV POETRY_VERSION=2.2.1
LABEL net.auengun.poetry.version=${POETRY_VERSION}
RUN python3 -m pip install poetry==${POETRY_VERSION}

###########
# Ansible #
###########
# renovate: datasource=pypi depName=ansible
ENV ANSIBLE_VERSION=10.7.0
LABEL net.auengun.ansible.version=${ANSIBLE_VERSION}

RUN python3 -m pip install ansible==${ANSIBLE_VERSION}

############
# OpenTofu #
############
# renovate: datasource=github-releases depName=opentofu/opentofu
ENV OPENTOFU_VERSION=v1.10.6
ENV TOFU_ENABLE_STATIC_SENSITIVE=1
LABEL net.auengun.opentofu.version=${OPENTOFU_VERSION}

RUN export OPENTOFU_URL="https://github.com/opentofu/opentofu/releases/download/${OPENTOFU_VERSION}/tofu_${OPENTOFU_VERSION##v}_amd64.deb" && \
    curl -s "$OPENTOFU_URL" -L -o ./opentofu_amd64.deb && \
    apt install -f -y ./opentofu_amd64.deb && \
    rm -rf ./opentofu_amd64.deb

#########
# Grype #
#########
# renovate: datasource=github-releases depName=anchore/grype
ENV GRYPE_VERSION=v0.103.0
LABEL net.auengun.grype.version=${GRYPE_VERSION}

RUN export GRYPE_URL="https://github.com/anchore/grype/releases/download/${GRYPE_VERSION}/grype_${GRYPE_VERSION##v}_linux_amd64.deb" && \
    curl -s "$GRYPE_URL" -L -o ./grype_linux_amd64.deb && \
    apt install -f -y ./grype_linux_amd64.deb && \
    rm -rf ./grype_linux_amd64.deb

#########
# Syft #
#########
# renovate: datasource=github-releases depName=anchore/syft
ENV SYFT_VERSION=v1.37.0
LABEL net.auengun.syft.version=${SYFT_VERSION}

RUN export SYFT_URL="https://github.com/anchore/syft/releases/download/${SYFT_VERSION}/syft_${SYFT_VERSION##v}_linux_amd64.deb" && \
    curl -s "$SYFT_URL" -L -o ./syft_linux_amd64.deb && \
    apt install -f -y ./syft_linux_amd64.deb && \
    rm -rf ./syft_linux_amd64.deb

#########
# REUSE #
#########
# renovate: datasource=pypi depName=reuse
ENV REUSE_VERSION=6.2.0
LABEL net.auengun.reuse.version=${REUSE_VERSION}
RUN python3 -m pip install reuse==${REUSE_VERSION}

##########################
# commit-and-tag-version #
##########################
# renovate: datasource=npm depName=commit-and-tag-version
ENV COMMIT_AND_TAG_VERSION_VERSION=12.6.0
LABEL net.auengun.commit-and-tag-version.version=${COMMIT_AND_TAG_VERSION_VERSION}

RUN npm i --global "commit-and-tag-version@${COMMIT_AND_TAG_VERSION_VERSION}"

##############################
# For QMK / Crossbuild Stuff #
##############################
RUN apt install -y apt-utils gcc-mingw-w64-x86-64 g++-mingw-w64-x86-64 libasound2-dev

###################
# Single-user Nix #
###################
RUN curl -L https://nixos.org/nix/install | sh -s -- --daemon

###########################
# SSH Timeout and CA Cert #
###########################
RUN cat <<EOF >> /etc/ssh/ssh_config.d/default-timeout
ServerAliveCountMax 3
ServerAliveInterval 15
EOF

RUN cat <<EOF >> /etc/ssh/ssh_known_hosts
@cert-authority * ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAwv6FShAz9+pvPsfFSI6XIiPxXx6UOzw67JfSZbSF92yQ6toqfPPXrpSn+FmbCw0iFgnG3+X3zhTbUHqG708Y0=
EOF