Merge pull request #17 from dubo-dubon-duponey/work

Work

.editorconfig

@@ -25,3 +25,6 @@ trim_trailing_whitespace = false
 [Makefile]
 indent_style = tab
 indent_size = 4
+
+[*.cue]
+indent_style = tab

.github/workflows/CI.yml

@@ -20,47 +20,54 @@ jobs:
           path: $GITHUB_WORKSPACE/cache
           key: cache
 
-      - name: Install hadolint
+      - name: Prepare directories
         run: |
-          curl --proto '=https' --tlsv1.2 -sSfL -o hadolint "https://github.com/hadolint/hadolint/releases/download/v1.18.2/hadolint-$(uname -s)-$(uname -m)"
-          chmod 700 ./hadolint
-
-      - name: Install cuelang
-        # XXX move to alpha4 ASAP
-        run: |
-          curl --proto '=https' --tlsv1.2 -sSfL -o cue.tar.gz "https://github.com/cuelang/cue/releases/download/v0.3.0-alpha1/cue_0.3.0-alpha1_$(uname -s)_$(uname -m).tar.gz"
-          tar -xf cue.tar.gz
-          rm cue.tar.gz
-
-      - name: Install buildctl
-        run: |
-          curl --proto '=https' --tlsv1.2 -sSfL -o buildctl.tar.gz "https://github.com/moby/buildkit/releases/download/v0.7.2/buildkit-v0.7.2.linux-amd64.tar.gz"
-          tar -xf buildctl.tar.gz
-          rm buildctl.tar.gz
-          mv bin/buildctl .
+          sudo mkdir -p "$GITHUB_WORKSPACE/cache/apt"
+          sudo mkdir -p "$GITHUB_WORKSPACE/cache/certs"
+          sudo mkdir -p "$GITHUB_WORKSPACE/cache/bin"
+          sudo chown -R 2000:root "$GITHUB_WORKSPACE/cache/apt"
+          sudo chown -R 2000:root "$GITHUB_WORKSPACE/cache/certs"
+          sudo chown -R $(id -u) "$GITHUB_WORKSPACE/cache/bin"
 
       - name: Start apt proxy
         run: |
-          mkdir -p "$GITHUB_WORKSPACE/cache/apt"
-          chmod a+rwx "$GITHUB_WORKSPACE/cache/apt"
-          docker run -d --name aptcache --read-only --cap-drop=ALL --volume $GITHUB_WORKSPACE/cache/apt:/data --expose 3142 dubodubonduponey/aptutil:buster-2020-08-01
-
-      - name: Install multi-arch buildx environment
-        # XXX replace by our own image binfmt call
-        run: |
-          # Install buildx from our container
-          # docker run --name installbuildx dubodubonduponey/utils /dist/buildx version
-          # mkdir -p ~/.docker/cli-plugins
-          # docker cp installbuildx:/dist/buildx ~/.docker/cli-plugins/docker-buildx
-          # docker rm -f installbuildx
-          # Enable multi-arch building
-          docker run --rm --privileged docker/binfmt:a7996909642ee92942dcd6cff44b9b95f08dad64
+          # Hiding the read-only token base64 to avoid github disabling it...
+          echo OWMyMGVhYzk4N2NhYWQxYmI3MzhmNTZkODNmOGMwOGJjZjlhNDc4YQo= | base64 -d | docker login ghcr.io -u dubo-dubon-duponey --password-stdin
+          docker run --rm -d --expose 443 --expose 80 --pull always \
+            --name apt-front \
+            --read-only \
+            --cap-drop=ALL \
+            --cap-add=CAP_NET_BIND_SERVICE \
+            --env TLS_AUTO=ignore_loaded_certs \
+            --env TLS=internal \
+            --env IS_PROXY=true \
+            --env DOMAIN=apt-front.local \
+            --env PORT=443 \
+            --env PORT_HTTP=80 \
+            --env ADDITIONAL_DOMAINS=*.debian.org \
+            --volume "$GITHUB_WORKSPACE/cache/certs":/certs \
+            --volume "$GITHUB_WORKSPACE/cache/apt":/data \
+            ghcr.io/dubo-dubon-duponey/aptutil:bullseye-2021-08-01
 
       - name: test
-        # XXX move to GH registry instead of Docker Hub for our base image
         run: |
-          PATH=$PATH:$(pwd)
-          cd "$GITHUB_WORKSPACE"
-          export APT_OPTIONS="Acquire::HTTP::proxy=http://$(docker inspect aptcache | jq -rc .[0].NetworkSettings.Networks.bridge.IPAddress):3142 Acquire::HTTP::User-Agent=GH-DuboDubonDuponey/0.1 Acquire::Check-Valid-Until=no"
-          # export BASE_BASE="ghcr.io/dubo-dubon-duponey/base"
-          ./test.sh
+          # Set the path and install the tools
+          BIN_LOCATION="$GITHUB_WORKSPACE/cache/bin" source ./hack/helpers/install-tools.sh
+          # Start buildkit
+          bkaddr="$(./hack/helpers/start-buildkit.sh 2>/dev/null)"
+          # Sanity check
+          echo "Sanity checks"
+          cue version
+          hadolint --version
+          shellcheck --version
+          buildctl --version
+          buildctl --addr "$bkaddr" debug workers
+          docker logs --tail 200 apt-front
+          # Lint
+          ./hack/lint.sh
+          # Test, with our injected proxy and environment
+          ./hack/test.sh \
+            --inject bk="$bkaddr" \
+            --inject ip="$(docker inspect apt-front | jq -rc .[0].NetworkSettings.Networks.bridge.IPAddress)" \
+            --inject trust="$(sudo cat "$GITHUB_WORKSPACE/cache/certs/pki/authorities/local/root.crt")" \
+            ".github/workflows/environment.cue"

.github/workflows/environment.cue

@@ -0,0 +1,30 @@
+package cake
+
+import (
+	"duponey.cloud/scullery"
+)
+
+UserDefined: scullery.#Icing & {
+	buildkit: {
+		address: string @tag(bk, type=string)
+	}
+	hosts: {
+		// This allows usage of the apt-front with mTLS
+		"snapshot.debian.org": {
+			ip: string @tag(ip, type=string)
+		}
+	}
+	subsystems: {
+		apt: {
+			// proxy: string @tag(apt_proxy, type=string)
+			user_agent: "DuboDubonDuponey/1.0 (apt)"
+			check_valid: false
+		}
+		curl: {
+			user_agent: "DuboDubonDuponey/1.0 (curl)"
+		}
+	}
+	trust: {
+		authority: string @tag(trust, type=string)
+	}
+}

.gitignore

@@ -1,3 +1,4 @@
 .DS_Store
 /.idea
+*/cache/*
 cache

DEVELOP.md

@@ -5,65 +5,42 @@
 ### TL;DR
 
 ```bash
-./hack/cue-bake image --inject tags=registry/you/image
+./hack/build.sh image --inject tags=registry/you/image
 ```
 
 ### The what
 
-This image is built using: `dubodubonduponey/base:builder-$DEBOOTSTRAP_SUITE-$DEBOOTSTRAP_DATE` 
+This image is built using: `ghcr.io/dubo-dubon-duponey/base:builder-bullseye-2021-09-01` 
 
-The runtime part is based on: `dubodubonduponey/base:runtime-$DEBOOTSTRAP_SUITE-$DEBOOTSTRAP_DATE`
+The runtime part is based on: `ghcr.io/dubo-dubon-duponey/base:runtime-bullseye-2021-09-01`
 
-Both these images are built upon: `dubodubonduponey/debian:$DEBOOTSTRAP_SUITE-$DEBOOTSTRAP_DATE`, a debootstrapped version of Debian ("buster" at this time), built from a snapshot at `$DEBOOTSTRAP_DATE`.
-
-At the time of this writing, `DEBOOTSTRAP_DATE` evaluates to `2020-09-01`, and is updated every 15 days.
+Both these images are built upon: `ghcr.io/dubo-dubon-duponey/debian:bullseye-2021-09-01`
 
 You can find out more here:
 
  * https://github.com/dubo-dubon-duponey/docker-debian for the debootstrapped Debian base
  * https://github.com/dubo-dubon-duponey/docker-base for the builder and runtime images
 
-These images provide very little - they are (mostly) barebone Buster with some ONBUILD
+These images provide very little - they are (mostly) barebone bullseye with some ONBUILD
 Docker syntactic sugar (metadata, user creation, entrypoint).
 
 Let me repeat: you have very little reason to go and add anything up there.
 
 ### Configuration reference
 
 ```bash
-# Have a look at the bake_tool.cue file if you want to modify hard-wired values (image title and description for example)
+# Have a look at the hack/recipe.cue file if you want to modify hard-wired values
 
 # The following flags are currently supported:
 
 # Override default platform choice (not all images allow that):
-./hack/cue-bake image --inject platforms="linux/amd64,linux/arm/v7"
+./hack/build.sh image --inject platforms="linux/amd64,linux/arm/v7"
 
 # Specify a collection of tags to push to
-./hack/cue-bake image --inject tags="registry1/name/image,registry2/name/image:tag"
+./hack/build.sh image --inject tags="registry1/name/image,registry2/name/image:tag"
 
 # Bust cache
-./hack/cue-bake image --inject no_cache=true
-
-# Environment variables you may tweak
-
-# Space-separated options to be passed to apt-get
-export APT_OPTIONS=""
-# If you want to use entirely different sources.list
-export APT_SOURCES
-# If you need to trust additional GPG keys
-export APT_GPG_KEYRING
-
-# Self-explanatory
-export http_proxy
-export https_proxy
-
-# Which base date you want to use (eg: 2020-09-01)
-export DEBOOTSTRAP_DATE
-# Which base suite you want to use (only buster exist for now)
-export DEBOOTSTRAP_SUITE
-
-# Allows you to pass a goproxy
-export GOPROXY
+./hack/build.sh image --inject no_cache=true
 ```
 
 ## Develop
@@ -72,13 +49,13 @@ export GOPROXY
 
 Hack away.
 
-Be sure to run `./test.sh` before submitting anything.
+Be sure to run `./hack/lint.sh` and `./hack/test.sh` before submitting anything.
 
 ### About branches
 
-`master` is the currently stable version that published images are based on.
+`master` is usually outdated, but stable
 
-`work` is a development branch, with possibly unstable / dramatic changes.
+`work` is a development branch, with possibly unstable / dramatic changes
 
 ### Philosophy