mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2024-11-18 11:15:11 +00:00
467ecfdc99
- Added support for Quay.io - Added support for GHCR.io To enable support for these container image registries the following needs to be added. As `Actions secrets and variables` - `Secrets` - `DOCKERHUB_TOKEN` and `DOCKERHUB_USERNAME` - `QUAY_TOKEN` and `QUAY_USERNAME` As `Actions secrets and variables` - `Variables` - `Repository Variables` - `DOCKERHUB_REPO` - `GHCR_REPO` - `QUAY_REPO` The `DOCKERHUB_REPO` currently configured in `Secrets` can be removed if wanted, probably best after this PR has been merged. If one of the vars/secrets are not configured it will skip that specific registry!
152 lines
5.7 KiB
Docker
152 lines
5.7 KiB
Docker
# syntax=docker/dockerfile:1
|
|
|
|
# This file was generated using a Jinja2 template.
|
|
# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
|
|
|
|
# Using multistage build:
|
|
# https://docs.docker.com/develop/develop-images/multistage-build/
|
|
# https://whitfin.io/speeding-up-rust-docker-builds/
|
|
####################### VAULT BUILD IMAGE #######################
|
|
# The web-vault digest specifies a particular web-vault build on Docker Hub.
|
|
# Using the digest instead of the tag name provides better security,
|
|
# as the digest of an image is immutable, whereas a tag name can later
|
|
# be changed to point to a malicious image.
|
|
#
|
|
# To verify the current digest for a given tag name:
|
|
# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
|
|
# click the tag name to view the digest of the image it currently points to.
|
|
# - From the command line:
|
|
# $ docker pull vaultwarden/web-vault:v2023.3.0
|
|
# $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.3.0
|
|
# [vaultwarden/web-vault@sha256:8b658e46339dde404b6370b381422e3522a133560264266e285acdd9adf807fe]
|
|
#
|
|
# - Conversely, to get the tag name from the digest:
|
|
# $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:8b658e46339dde404b6370b381422e3522a133560264266e285acdd9adf807fe
|
|
# [vaultwarden/web-vault:v2023.3.0]
|
|
#
|
|
FROM vaultwarden/web-vault@sha256:8b658e46339dde404b6370b381422e3522a133560264266e285acdd9adf807fe as vault
|
|
|
|
########################## BUILD IMAGE ##########################
|
|
FROM rust:1.68.1-bullseye as build
|
|
|
|
# Build time options to avoid dpkg warnings and help with reproducible builds.
|
|
ENV DEBIAN_FRONTEND=noninteractive \
|
|
LANG=C.UTF-8 \
|
|
TZ=UTC \
|
|
TERM=xterm-256color \
|
|
CARGO_HOME="/root/.cargo" \
|
|
USER="root"
|
|
|
|
# Create CARGO_HOME folder and don't download rust docs
|
|
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
|
|
&& rustup set profile minimal
|
|
|
|
# Install build dependencies for the armel architecture
|
|
RUN dpkg --add-architecture armel \
|
|
&& apt-get update \
|
|
&& apt-get install -y \
|
|
--no-install-recommends \
|
|
gcc-arm-linux-gnueabi \
|
|
libc6-dev:armel \
|
|
libcap2-bin \
|
|
libmariadb-dev:armel \
|
|
libmariadb-dev-compat:armel \
|
|
libmariadb3:armel \
|
|
libpq-dev:armel \
|
|
libpq5:armel \
|
|
libssl-dev:armel \
|
|
#
|
|
# Make sure cargo has the right target config
|
|
&& echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \
|
|
&& echo 'linker = "arm-linux-gnueabi-gcc"' >> "${CARGO_HOME}/config" \
|
|
&& echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> "${CARGO_HOME}/config"
|
|
|
|
# Set arm specific environment values
|
|
ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \
|
|
CROSS_COMPILE="1" \
|
|
OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \
|
|
OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
|
|
|
|
# Creates a dummy project used to grab dependencies
|
|
RUN USER=root cargo new --bin /app
|
|
WORKDIR /app
|
|
|
|
# Copies over *only* your manifests and build files
|
|
COPY ./Cargo.* ./
|
|
COPY ./rust-toolchain ./rust-toolchain
|
|
COPY ./build.rs ./build.rs
|
|
|
|
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add arm-unknown-linux-gnueabi
|
|
|
|
# Configure the DB ARG as late as possible to not invalidate the cached layers above
|
|
ARG DB=sqlite,mysql,postgresql
|
|
|
|
# Builds your dependencies and removes the
|
|
# dummy project, except the target folder
|
|
# This folder contains the compiled dependencies
|
|
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi \
|
|
&& find . -not -path "./target*" -delete
|
|
|
|
# Copies the complete project
|
|
# To avoid copying unneeded files, use .dockerignore
|
|
COPY . .
|
|
|
|
# Make sure that we actually build the project
|
|
RUN touch src/main.rs
|
|
|
|
# Builds again, this time it'll just be
|
|
# your actual source files being built
|
|
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
|
|
|
|
# Add the `cap_net_bind_service` capability to allow listening on
|
|
# privileged (< 1024) ports even when running as a non-root user.
|
|
# This is only done if building with BuildKit; with the legacy
|
|
# builder, the `COPY` instruction doesn't carry over capabilities.
|
|
RUN setcap cap_net_bind_service=+ep target/arm-unknown-linux-gnueabi/release/vaultwarden
|
|
|
|
######################## RUNTIME IMAGE ########################
|
|
# Create a new stage with a minimal image
|
|
# because we already have a binary built
|
|
FROM balenalib/rpi-debian:bullseye
|
|
|
|
ENV ROCKET_PROFILE="release" \
|
|
ROCKET_ADDRESS=0.0.0.0 \
|
|
ROCKET_PORT=80
|
|
|
|
RUN [ "cross-build-start" ]
|
|
|
|
# Create data folder and Install needed libraries
|
|
RUN mkdir /data \
|
|
&& apt-get update && apt-get install -y \
|
|
--no-install-recommends \
|
|
ca-certificates \
|
|
curl \
|
|
libmariadb-dev-compat \
|
|
libpq5 \
|
|
openssl \
|
|
&& apt-get clean \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink.
|
|
# This symlink was there in the buster images, and for some reason this is needed.
|
|
RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3
|
|
|
|
RUN [ "cross-build-end" ]
|
|
|
|
VOLUME /data
|
|
EXPOSE 80
|
|
EXPOSE 3012
|
|
|
|
# Copies the files from the context (Rocket.toml file and web-vault)
|
|
# and the binary from the "build" stage to the current stage
|
|
WORKDIR /
|
|
COPY --from=vault /web-vault ./web-vault
|
|
COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden .
|
|
|
|
COPY docker/healthcheck.sh /healthcheck.sh
|
|
COPY docker/start.sh /start.sh
|
|
|
|
HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
|
|
|
|
CMD ["/start.sh"]
|