-
Notifications
You must be signed in to change notification settings - Fork 9
Expand file tree
/
Copy pathDockerfile
More file actions
190 lines (164 loc) · 8.18 KB
/
Copy pathDockerfile
File metadata and controls
190 lines (164 loc) · 8.18 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
FROM ubuntu:24.04
# 1. Base Packages & Rust CLI Tools (consolidated, slimmed)
# The Ubuntu base image strips /usr/share/doc/* (dpkg.cfg.d/excludes), but fzf
# ships its shell keybindings ONLY under /usr/share/doc/fzf/examples/. Re-include
# that one file (must be set BEFORE fzf is unpacked below) so the Ctrl+R/Ctrl+T/
# Alt+C bindings sourced from bashrc actually exist. The ** completion lives under
# /usr/share/bash-completion/ and is unaffected.
RUN printf 'path-include=/usr/share/doc/fzf/examples/key-bindings.bash\n' \
> /etc/dpkg/dpkg.cfg.d/zz-squarebox-fzf \
&& apt-get update && apt-get install -y --no-install-recommends \
git \
curl \
unzip \
jq \
less \
sudo \
ca-certificates \
fd-find \
ripgrep \
bat \
fzf \
bash-completion \
nano \
zstd \
zoxide \
toilet \
toilet-fonts \
libicu-dev \
locales \
# Runtime deps for mise-managed SDKs:
# gpg — mise verifies upstream signatures (Node, etc.)
# libatomic1 — required by official Node Linux builds
gpg \
libatomic1 \
&& sed -i '/en_US.UTF-8/s/^# //' /etc/locale.gen \
&& locale-gen \
&& rm -rf /var/lib/apt/lists/* \
&& ln -s $(which fdfind) /usr/local/bin/fd \
&& ln -s $(which batcat) /usr/local/bin/bat
ENV LANG=en_US.UTF-8
ENV LC_ALL=en_US.UTF-8
# 2. External APT Repos (GitHub CLI, Eza) + Binary Tools
# Pinned tool versions — update via: scripts/update-versions.sh
ARG DELTA_VERSION=0.19.2
ARG YQ_VERSION=4.53.2
ARG XH_VERSION=0.25.3
ARG STARSHIP_VERSION=1.24.2
ARG GLOW_VERSION=2.1.2
ARG GUM_VERSION=0.17.0
ARG JUST_VERSION=1.49.0
ARG DIFFTASTIC_VERSION=0.68.0
ARG MISE_VERSION=2026.5.4
# Validate version ARGs are non-empty
RUN test -n "$DELTA_VERSION" || { echo "Error: DELTA_VERSION is empty" >&2; exit 1; } \
&& test -n "$YQ_VERSION" || { echo "Error: YQ_VERSION is empty" >&2; exit 1; } \
&& test -n "$XH_VERSION" || { echo "Error: XH_VERSION is empty" >&2; exit 1; } \
&& test -n "$STARSHIP_VERSION" || { echo "Error: STARSHIP_VERSION is empty" >&2; exit 1; } \
&& test -n "$GLOW_VERSION" || { echo "Error: GLOW_VERSION is empty" >&2; exit 1; } \
&& test -n "$GUM_VERSION" || { echo "Error: GUM_VERSION is empty" >&2; exit 1; } \
&& test -n "$JUST_VERSION" || { echo "Error: JUST_VERSION is empty" >&2; exit 1; } \
&& test -n "$DIFFTASTIC_VERSION" || { echo "Error: DIFFTASTIC_VERSION is empty" >&2; exit 1; } \
&& test -n "$MISE_VERSION" || { echo "Error: MISE_VERSION is empty" >&2; exit 1; }
# Checksum verification infrastructure
COPY checksums.txt /tmp/checksums.txt
COPY scripts/verify-checksum.sh /usr/local/bin/verify-checksum
COPY scripts/lib/tools.yaml /tmp/tools.yaml
COPY scripts/lib/tool-lib.sh /tmp/tool-lib.sh
RUN chmod +x /usr/local/bin/verify-checksum
# tool-lib.sh uses bash parameter substitution
SHELL ["/bin/bash", "-c"]
# 2a. External APT repos (GitHub CLI, Eza) — needs gnupg, stays combined
RUN mkdir -p -m 755 /etc/apt/keyrings \
&& ARCH=$(dpkg --print-architecture) \
&& apt-get update \
&& apt-get install -y --no-install-recommends gnupg \
# GitHub CLI
&& curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \
&& chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \
&& echo "deb [arch=${ARCH} signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
# Eza
&& curl -fsSL https://raw.githubusercontent.com/eza-community/eza/main/deb.asc | gpg --dearmor -o /etc/apt/keyrings/gierens.gpg \
&& echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] https://deb.gierens.de stable main" | tee /etc/apt/sources.list.d/gierens.list \
# Install from repos
&& apt-get update \
&& apt-get install -y --no-install-recommends gh eza \
# Note: gnupg is kept (also installed in layer 1 as `gpg`) — mise needs it
# at runtime to verify Node release signatures.
&& rm -rf /var/lib/apt/lists/*
# Build-time tool install helper: sources library + wires up checksum verification
RUN echo '. /tmp/tool-lib.sh; sb_verify() { verify-checksum "$1" "$2"; }' > /tmp/sb-init.sh
# 3. Binary tool installs (one per layer for cache granularity)
RUN . /tmp/sb-init.sh && sb_install delta "$DELTA_VERSION"
RUN . /tmp/sb-init.sh && sb_install yq "$YQ_VERSION"
RUN . /tmp/sb-init.sh && sb_install xh "$XH_VERSION"
RUN . /tmp/sb-init.sh && sb_install glow "$GLOW_VERSION"
RUN . /tmp/sb-init.sh && sb_install gum "$GUM_VERSION"
RUN . /tmp/sb-init.sh && sb_install starship "$STARSHIP_VERSION"
RUN . /tmp/sb-init.sh && sb_install just "$JUST_VERSION"
RUN . /tmp/sb-init.sh && sb_install difftastic "$DIFFTASTIC_VERSION"
RUN . /tmp/sb-init.sh && sb_install mise "$MISE_VERSION"
# Clean up build-time files
RUN rm -f /tmp/checksums.txt /tmp/tools.yaml /tmp/tool-lib.sh /tmp/sb-init.sh
# 4. User Setup
RUN userdel -r ubuntu 2>/dev/null || true \
&& useradd -m -s /bin/bash -u 1000 dev \
&& echo 'dev ALL=(ALL) NOPASSWD: /usr/bin/apt-get, /usr/bin/dpkg, /usr/bin/chown, /usr/bin/install' > /etc/sudoers.d/dev \
&& mkdir -p /home/dev/.claude /home/dev/.config /home/dev/.ssh \
&& chown -R dev:dev /home/dev
# 5. Config Files
RUN printf '[core]\n\tpager = delta\n[interactive]\n\tdiffFilter = delta --color-only\n[delta]\n\tnavigate = true\n\tdark = true\n[merge]\n\tconflictstyle = zdiff3\n' > /etc/gitconfig
# 6. Setup script
#
# setup.sh and motd.sh live under /usr/local/lib/squarebox/ rather than
# /home/dev/ so they stay image-managed. /home/dev/ is backed by the
# squarebox-home named volume, which Docker only seeds from the image when
# the volume is first created — anything we put there would go stale after
# a `sqrbx-rebuild` against an existing volume.
COPY --chown=dev:dev starship.toml /home/dev/.config/starship.toml
COPY motd.sh /usr/local/lib/squarebox/motd.sh
COPY setup.sh /usr/local/lib/squarebox/setup.sh
COPY scripts/squarebox-update.sh /usr/local/bin/sqrbx-update
COPY scripts/squarebox-setup.sh /usr/local/bin/sqrbx-setup
COPY scripts/sqrbx-learn /usr/local/bin/sqrbx-learn
COPY scripts/squarebox-help.sh /usr/local/bin/sqrbx-help
COPY scripts/squarebox-entrypoint.sh /usr/local/bin/squarebox-entrypoint
COPY scripts/squarebox-refresh-dotfiles.sh /usr/local/lib/squarebox/refresh-dotfiles.sh
COPY scripts/lib/tools.yaml /usr/local/lib/squarebox/tools.yaml
COPY scripts/lib/tool-lib.sh /usr/local/lib/squarebox/tool-lib.sh
# Image-managed dotfiles also live under a non-volume path so the entrypoint can
# refresh them into the squarebox-home volume on every start. Without this the
# volume shadows the /home/dev image layer and dotfile updates never reach
# upgraded containers (issue #89). The /home/dev copies below still seed a fresh
# volume; these are the source of truth the refresh re-applies thereafter.
COPY dotfiles/bashrc /usr/local/lib/squarebox/dotfiles/bashrc
COPY starship.toml /usr/local/lib/squarebox/dotfiles/starship.toml
RUN chmod +x /usr/local/lib/squarebox/setup.sh \
/usr/local/lib/squarebox/motd.sh \
/usr/local/lib/squarebox/refresh-dotfiles.sh \
/usr/local/bin/sqrbx-update \
/usr/local/bin/sqrbx-setup \
/usr/local/bin/sqrbx-learn \
/usr/local/bin/sqrbx-help \
/usr/local/bin/squarebox-entrypoint
RUN chown -R dev:dev /home/dev/.config /home/dev/.claude \
&& mkdir -p /workspace && chown dev:dev /workspace
# The container starts as root so the entrypoint can honour PUID/PGID, then
# drops to `dev` via setpriv. With the default 1000:1000 this is a no-op and
# the running process is `dev` — identical to a plain `USER dev` image. PUID/
# PGID are declared here so docker-compose / Unraid template UIs surface them.
ENV HOME=/home/dev
ENV SQUAREBOX=1
ENV PUID=1000
ENV PGID=1000
# 7. Shell Config
# The .bashrc lives in dotfiles/ on the host so install.sh can bind-mount it
# into the container — keeping it in sync with the repo while shell history
# and per-user state stay in the squarebox-home named volume. The COPY here
# seeds a fresh volume; the desktop install path then bind-mounts the host copy,
# and the pull/compose path keeps it current via the entrypoint dotfile refresh
# (issue #89) since there is no bind-mount in that path.
COPY --chown=dev:dev dotfiles/bashrc /home/dev/.bashrc
WORKDIR /workspace
ENTRYPOINT ["/usr/local/bin/squarebox-entrypoint"]
CMD ["/bin/bash"]