code-server-dind/Dockerfile

# SPDX-License-Identifier: GPL-3.0-or-later
# Copyright (C) 2025 Jesus E.
#
# This file is part of code-server-dind.
# This program is licensed under the GNU GPL version 3 or (at your option) any later version.
# See the LICENSE file or https://www.gnu.org/licenses/gpl-3.0.txt for more details.

FROM debian:bookworm-slim

# Build-time architecture detection
ARG TARGETARCH
ENV ARCH=${TARGETARCH:-amd64}
ENV DEBIAN_FRONTEND=noninteractive
ENV KUBECTL_VERSION=1.33.0
ENV KUBECTL_DATE=2025-05-01

# User config
ENV DOCKER_USER=coder \
    UID=1000 \
    GID=1000 \
    PASSWORD=undefined \
    HASHED_PASSWORD=undefined

# Base packages
RUN apt-get update -y && apt-get upgrade -y && apt-get install --no-install-recommends -y \
    bash \
    bash-completion \
    ca-certificates \
    curl \
    dbus \
    default-jre \
    doas \
    dumb-init \
    fuse3 \
    git \
    gnupg \
    iproute2 \
    iptables \
    jq \
    lsb-release \
    nano \
    net-tools \
    nodejs \
    npm \
    passwd \
    python3 \
    python3-pip \
    python3-venv \
    siege \
    sudo \
    tar \
    tree \
    uidmap \
    unzip \
    virtualenv \
    wget \
    xz-utils && \
    curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key | \
    gpg --dearmor > /usr/share/keyrings/trivy.gpg && \
    echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" > /etc/apt/sources.list.d/trivy.list && \
    apt-get update -y && apt-get install --no-install-recommends -y trivy && \
    apt-get clean && rm -rf /var/lib/apt/lists/*

# Docker
RUN curl -fsSL https://get.docker.com | sh && dockerd --version

# pre-commit
RUN pip3 install --break-system-packages --no-cache-dir pipx && \
    pipx install pre-commit && \
    ln -s /root/.local/pipx/venvs/pre-commit/bin/pre-commit /usr/local/bin/pre-commit

# AWS CLI (handle arch manually)
RUN set -e; \
    case "$ARCH" in \
      amd64) AWS_ARCH="x86_64" ;; \
      arm64) AWS_ARCH="aarch64" ;; \
      *) echo "Unsupported ARCH: $ARCH" && exit 1 ;; \
    esac && \
    curl -o awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-${AWS_ARCH}.zip" && \
    unzip awscliv2.zip && ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli --update && \
    rm -rf awscliv2.zip aws/

# kubectl
RUN curl -o kubectl https://s3.us-west-2.amazonaws.com/amazon-eks/${KUBECTL_VERSION}/${KUBECTL_DATE}/bin/linux/${ARCH}/kubectl && \
    chmod +x kubectl && mv kubectl /usr/local/bin/

# eksctl
RUN curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_Linux_${ARCH}.tar.gz" && \
    curl -sL "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_checksums.txt" | grep "Linux_${ARCH}" | sha256sum --check && \
    tar -xzf eksctl_Linux_${ARCH}.tar.gz -C /tmp && \
    mv /tmp/eksctl /usr/local/bin && rm eksctl_Linux_${ARCH}.tar.gz

# code-server (auto-detects arch)
RUN curl -fsSL https://code-server.dev/install.sh | sh

# Custom shell prompt
RUN curl -Ls https://git.fridu.us/heckyel/hyperterm/raw/branch/master/install.sh -o "$HOME/install.sh" && \
    bash "$HOME/install.sh" -s && rm "$HOME/install.sh"

# Pre-commit config
COPY .pre-commit-config.yaml /usr/local/share/default-pre-commit-config.yaml
COPY .setup-precommit.sh /usr/local/bin/setup-precommit
RUN chmod +x /usr/local/bin/setup-precommit

# Gitleaks
ENV GITLEAKS_VERSION="8.27.2"
RUN set -e; \
    case "$ARCH" in \
      amd64) GITLEAKS_ARCH="x64" ;; \
      arm64) GITLEAKS_ARCH="arm64" ;; \
      *) echo "Unsupported ARCH: $ARCH" && exit 1 ;; \
    esac && \
    curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_${GITLEAKS_ARCH}.tar.gz" -o gitleaks.tar.gz && \
    tar -xzf gitleaks.tar.gz gitleaks && \
    mv gitleaks /usr/local/bin/gitleaks && chmod +x /usr/local/bin/gitleaks && \
    rm gitleaks.tar.gz

# BFG
ENV BFG_VERSION=1.15.0
RUN curl -L -o /usr/local/bin/bfg.jar "https://repo1.maven.org/maven2/com/madgag/bfg/${BFG_VERSION}/bfg-${BFG_VERSION}.jar" && \
    printf '#!/bin/sh\nexec java -jar /usr/local/bin/bfg.jar "$@"\n' > /usr/local/bin/bfg && \
    chmod +x /usr/local/bin/bfg

COPY entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod +x /usr/local/bin/entrypoint.sh

VOLUME ["/home/coder"]
EXPOSE 8080

ENTRYPOINT ["/usr/bin/dumb-init", "--"]
CMD ["/usr/local/bin/entrypoint.sh"]