Merge pull request #7 from dubo-dubon-duponey/work

Work
dubo-dubon-duponey · Sep 1, 2021 · 7abca8f · 7abca8f
2 parents 1cc3998 + a27f76d
commit 7abca8f
Show file tree

Hide file tree

Showing 41 changed files with 2,256 additions and 832 deletions.
diff --git a/.editorconfig b/.editorconfig
@@ -25,3 +25,6 @@ trim_trailing_whitespace = false
 [Makefile]
 indent_style = tab
 indent_size = 4
+
+[*.cue]
+indent_style = tab
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -20,47 +20,54 @@ jobs:
           path: $GITHUB_WORKSPACE/cache
           key: cache
 
-      - name: Install hadolint
+      - name: Prepare directories
         run: |
-          curl --proto '=https' --tlsv1.2 -sSfL -o hadolint "https://github.com/hadolint/hadolint/releases/download/v1.18.2/hadolint-$(uname -s)-$(uname -m)"
-          chmod 700 ./hadolint
-
-      - name: Install cuelang
-        # XXX move to alpha4 ASAP
-        run: |
-          curl --proto '=https' --tlsv1.2 -sSfL -o cue.tar.gz "https://github.com/cuelang/cue/releases/download/v0.3.0-alpha1/cue_0.3.0-alpha1_$(uname -s)_$(uname -m).tar.gz"
-          tar -xf cue.tar.gz
-          rm cue.tar.gz
-
-      - name: Install buildctl
-        run: |
-          curl --proto '=https' --tlsv1.2 -sSfL -o buildctl.tar.gz "https://github.com/moby/buildkit/releases/download/v0.7.2/buildkit-v0.7.2.linux-amd64.tar.gz"
-          tar -xf buildctl.tar.gz
-          rm buildctl.tar.gz
-          mv bin/buildctl .
+          sudo mkdir -p "$GITHUB_WORKSPACE/cache/apt"
+          sudo mkdir -p "$GITHUB_WORKSPACE/cache/certs"
+          sudo mkdir -p "$GITHUB_WORKSPACE/cache/bin"
+          sudo chown -R 2000:root "$GITHUB_WORKSPACE/cache/apt"
+          sudo chown -R 2000:root "$GITHUB_WORKSPACE/cache/certs"
+          sudo chown -R $(id -u) "$GITHUB_WORKSPACE/cache/bin"
 
       - name: Start apt proxy
         run: |
-          mkdir -p "$GITHUB_WORKSPACE/cache/apt"
-          chmod a+rwx "$GITHUB_WORKSPACE/cache/apt"
-          docker run -d --name aptcache --read-only --cap-drop=ALL --volume $GITHUB_WORKSPACE/cache/apt:/data --expose 3142 dubodubonduponey/aptutil:buster-2020-08-01
-
-      - name: Install multi-arch buildx environment
-        # XXX replace by our own image binfmt call
-        run: |
-          # Install buildx from our container
-          # docker run --name installbuildx dubodubonduponey/utils /dist/buildx version
-          # mkdir -p ~/.docker/cli-plugins
-          # docker cp installbuildx:/dist/buildx ~/.docker/cli-plugins/docker-buildx
-          # docker rm -f installbuildx
-          # Enable multi-arch building
-          docker run --rm --privileged docker/binfmt:a7996909642ee92942dcd6cff44b9b95f08dad64
+          # Hiding the read-only token base64 to avoid github disabling it...
+          echo OWMyMGVhYzk4N2NhYWQxYmI3MzhmNTZkODNmOGMwOGJjZjlhNDc4YQo= | base64 -d | docker login ghcr.io -u dubo-dubon-duponey --password-stdin
+          docker run --rm -d --expose 443 --expose 80 --pull always \
+            --name apt-front \
+            --read-only \
+            --cap-drop=ALL \
+            --cap-add=CAP_NET_BIND_SERVICE \
+            --env TLS_AUTO=ignore_loaded_certs \
+            --env TLS=internal \
+            --env IS_PROXY=true \
+            --env DOMAIN=apt-front.local \
+            --env PORT=443 \
+            --env PORT_HTTP=80 \
+            --env ADDITIONAL_DOMAINS=*.debian.org \
+            --volume "$GITHUB_WORKSPACE/cache/certs":/certs \
+            --volume "$GITHUB_WORKSPACE/cache/apt":/data \
+            ghcr.io/dubo-dubon-duponey/aptutil:bullseye-2021-08-01
 
       - name: test
-        # XXX move to GH registry instead of Docker Hub for our base image
         run: |
-          PATH=$PATH:$(pwd)
-          cd "$GITHUB_WORKSPACE"
-          export APT_OPTIONS="Acquire::HTTP::proxy=http://$(docker inspect aptcache | jq -rc .[0].NetworkSettings.Networks.bridge.IPAddress):3142 Acquire::HTTP::User-Agent=GH-DuboDubonDuponey/0.1 Acquire::Check-Valid-Until=no"
-          # export BASE_BASE="ghcr.io/dubo-dubon-duponey/base"
-          ./test.sh
+          # Set the path and install the tools
+          BIN_LOCATION="$GITHUB_WORKSPACE/cache/bin" source ./hack/helpers/install-tools.sh
+          # Start buildkit
+          bkaddr="$(./hack/helpers/start-buildkit.sh 2>/dev/null)"
+          # Sanity check
+          echo "Sanity checks"
+          cue version
+          hadolint --version
+          shellcheck --version
+          buildctl --version
+          buildctl --addr "$bkaddr" debug workers
+          docker logs --tail 200 apt-front
+          # Lint
+          ./hack/lint.sh
+          # Test, with our injected proxy and environment
+          ./hack/test.sh \
+            --inject bk="$bkaddr" \
+            --inject ip="$(docker inspect apt-front | jq -rc .[0].NetworkSettings.Networks.bridge.IPAddress)" \
+            --inject trust="$(sudo cat "$GITHUB_WORKSPACE/cache/certs/pki/authorities/local/root.crt")" \
+            ".github/workflows/environment.cue"
diff --git a/.github/workflows/environment.cue b/.github/workflows/environment.cue
@@ -0,0 +1,30 @@
+package cake
+
+import (
+	"duponey.cloud/scullery"
+)
+
+UserDefined: scullery.#Icing & {
+	buildkit: {
+		address: string @tag(bk, type=string)
+	}
+	hosts: {
+		// This allows usage of the apt-front with mTLS
+		"snapshot.debian.org": {
+			ip: string @tag(ip, type=string)
+		}
+	}
+	subsystems: {
+		apt: {
+			// proxy: string @tag(apt_proxy, type=string)
+			user_agent: "DuboDubonDuponey/1.0 (apt)"
+			check_valid: false
+		}
+		curl: {
+			user_agent: "DuboDubonDuponey/1.0 (curl)"
+		}
+	}
+	trust: {
+		authority: string @tag(trust, type=string)
+	}
+}
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 .DS_Store
 /.idea
+*/cache/*
 cache
diff --git a/Dockerfile.auditor b/Dockerfile.auditor
@@ -0,0 +1,70 @@
+ARG           FROM_REGISTRY=ghcr.io/dubo-dubon-duponey
+ARG           FROM_IMAGE_RUNTIME=debian:bullseye-2021-09-01@sha256:7231d833660dd4fe1ec0aa4b4484cde1e538fe77b0b6871f8ea55197c56cf692
+
+# XXX a new experimental image meant for auditing shit
+FROM          $FROM_REGISTRY/$FROM_IMAGE_RUNTIME                                                                        AS auditor
+
+# hadolint ignore=DL3008
+RUN           --mount=type=secret,uid=100,id=CA \
+              --mount=type=secret,uid=100,id=CERTIFICATE \
+              --mount=type=secret,uid=100,id=KEY \
+              --mount=type=secret,uid=100,id=GPG.gpg \
+              --mount=type=secret,id=NETRC \
+              --mount=type=secret,id=APT_SOURCES \
+              --mount=type=secret,id=APT_CONFIG \
+              packages=(); \
+              for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \
+                dpkg --add-architecture "$architecture"; \
+                packages+=(libc6:"$architecture"=2.31-13); \
+              done; \
+              apt-get update -qq; \
+              apt-get install -qq --no-install-recommends \
+                curl=7.74.0-1.3+b1 file=1:5.39-3 binutils=2.35.2-2 schroot=1.6.10-12 patchelf=0.12-1 \
+                procps=2:3.3.17-5 iproute2=5.10.0-4 libcap2-bin=1:2.44-1 \
+                dnsutils=1:9.16.15-1 iputils-ping=3:20210202-1 \
+                lynis=3.0.2-1 devscripts=2.21.3; \
+              apt-get install -qq --no-install-recommends \
+                "${packages[@]}"; \
+              apt-get -qq autoremove; \
+              apt-get -qq clean; \
+              rm -rf /var/lib/apt/lists/*; \
+              rm -rf /tmp/*; \
+              rm -rf /var/tmp/*
+
+COPY          ./dubo-check /usr/bin/
+
+# Add metadata
+ARG           BUILD_CREATED="1976-04-14T17:00:00-07:00"
+ARG           BUILD_URL="https://github.com/dubo-dubon-duponey/docker-base"
+ARG           BUILD_DOCUMENTATION="https://github.com/dubo-dubon-duponey/docker-base"
+ARG           BUILD_SOURCE="https://github.com/dubo-dubon-duponey/docker-base"
+ARG           BUILD_VERSION="unknown"
+ARG           BUILD_REVISION="unknown"
+ARG           BUILD_VENDOR="dubodubonduponey"
+ARG           BUILD_LICENSES="MIT"
+ARG           BUILD_REF_NAME="latest"
+ARG           BUILD_TITLE="A DBDBDP image"
+ARG           BUILD_DESCRIPTION="So image. Much DBDBDP. Such description."
+
+LABEL         org.opencontainers.image.created="$BUILD_CREATED"
+LABEL         org.opencontainers.image.authors="Dubo Dubon Duponey <dubo-dubon-duponey@farcloser.world>"
+LABEL         org.opencontainers.image.url="$BUILD_URL"
+LABEL         org.opencontainers.image.documentation="$BUILD_DOCUMENTATION"
+LABEL         org.opencontainers.image.source="$BUILD_SOURCE"
+LABEL         org.opencontainers.image.version="$BUILD_VERSION"
+LABEL         org.opencontainers.image.revision="$BUILD_REVISION"
+LABEL         org.opencontainers.image.vendor="$BUILD_VENDOR"
+LABEL         org.opencontainers.image.licenses="$BUILD_LICENSES"
+LABEL         org.opencontainers.image.ref.name="$BUILD_REF_NAME"
+LABEL         org.opencontainers.image.title="$BUILD_TITLE"
+LABEL         org.opencontainers.image.description="$BUILD_DESCRIPTION"
+
+# Image building from here can use this for buildtime (that is usually set at the time of the last commit to their repo)
+ONBUILD ARG   BUILD_CREATED="1976-04-14T17:00:00-07:00"
+
+# Helper for our secrets
+# Pointing curl home out, allowing for /run/secrets/.curlrc to be seen automatically
+ENV           CURL_HOME=/run/secrets
+
+# Location
+WORKDIR       /dist