Initial commit of new flow

2025-10-05 16:28:41 +00:00 · 2023-09-10 21:21:51 +01:00
commit a1072f203d
28 changed files with 701 additions and 0 deletions
--- a/docker/hadolint/Dockerfile
+++ b/docker/hadolint/Dockerfile
@@ -0,0 +1,9 @@
+FROM hadolint/hadolint:v2.10.0-beta-alpine
+COPY "build.sh" "/build.sh"
+
+RUN chmod +x /build.sh && \
+	addgroup -S hugo && adduser -S hugo -G hugo
+
+USER hugo
+
+ENTRYPOINT []
--- a/docker/hadolint/build.sh
+++ b/docker/hadolint/build.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+find /work -type f -name 'Dockerfile' -print0 | xargs -0 -n1 hadolint
--- a/docker/html/Dockerfile
+++ b/docker/html/Dockerfile
@@ -0,0 +1,19 @@
+FROM debian:stable-20211011-slim AS builder
+
+ADD https://github.com/validator/validator/releases/download/20.6.30/vnu.linux.zip .
+ADD https://github.com/validator/validator/releases/download/20.6.30/vnu.linux.zip.sha1 .
+COPY "build.sh" "/build.sh"
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+RUN apt-get update && apt-get install --no-install-recommends -y \
+       unzip=6.0-26 \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* \
+    && echo "$(cat vnu.linux.zip.sha1) vnu.linux.zip" | sha1sum -c - \
+    && unzip ./vnu.linux.zip \
+    && rm ./vnu.linux.zip* \
+    && apt-get purge -y --auto-remove unzip \
+    && chmod +x /build.sh \
+	&& addgroup --gid 1000 hugo && adduser --gid 1000 hugo
+
+USER hugo
--- a/docker/html/build.sh
+++ b/docker/html/build.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+find result/ -type f -name '*.html' -print0 | xargs -0 -n1 /nix/store/p7adf8zk6akdbjr60vb98fajxp5aaa7i-html-tidy-5.8.0/bin/tidy 2>/dev/null
--- a/docker/hugo/Dockerfile
+++ b/docker/hugo/Dockerfile
@@ -0,0 +1,12 @@
+FROM alpine:3.15.4
+RUN apk add --no-cache hugo=0.89.4-r2 git-2.34.8-r0
+COPY "build.sh" "/build.sh"
+
+RUN chmod +x /build.sh && \
+	mkdir /sentinels && \
+	chmod a+rwx /sentinels && \
+	addgroup -S hugo && adduser -S hugo -G hugo
+
+USER hugo
+
+ENTRYPOINT []
--- a/docker/hugo/build.sh
+++ b/docker/hugo/build.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+SOURCE_DIR=$(readlink -f "$1")
+OUTPUT_DIR=$(readlink -f "$2")
+
+rm -rf "${OUTPUT_DIR:?}/*" && \
+hugo --minify --source "$SOURCE_DIR" --destination "$OUTPUT_DIR"
--- a/docker/latex/Dockerfile
+++ b/docker/latex/Dockerfile
@@ -0,0 +1,28 @@
+FROM pandoc/latex:2.18.0.0 AS basic
+
+RUN apk add --no-cache texlive=20210325-r4
+
+# texlive is huuuge and we don't want to keep re-downloading it; don't warn on the repeated RUN command
+# hadolint ignore=DL3059
+RUN tlmgr update --self && \
+    tlmgr install tikz-cd && \
+    tlmgr install mdframed && \
+    tlmgr install mathtools && \
+    # Dependencies of mdframed \
+    tlmgr install zref && \
+    tlmgr install needspace
+
+FROM basic AS build
+
+COPY "build.sh" "/build.sh"
+
+RUN mkdir /sentinels && \
+    chmod a+rwx /sentinels && \
+    chmod +x /build.sh && \
+    addgroup -S pdftex && adduser -S pdftex -G pdftex
+
+USER pdftex
+
+WORKDIR /home/pdftex
+
+ENTRYPOINT []
--- a/docker/latex/build.sh
+++ b/docker/latex/build.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+USER_DIR=$(readlink -f "$1")
+WORKDIR=$(mktemp -d -p "$USER_DIR")
+
+cd "$WORKDIR" || exit 1
+
+SHELL="/bin/sh"
+
+# Build PDFs from LaTeX. Do the build twice to sort out any bookmarks.
+# For some reason, using $0 instead of `sh` makes Hadolint warn about the single-quotes not expanding expressions
+# shellcheck disable=SC2016
+find "$USER_DIR" -type f -name '*.tex' -exec "$SHELL" -c '
+  if [ -f "${@%.*}.pdf" ]; then exit 0; fi;
+  output=$(dirname "$@")/$(basename "$@" .tex).pdf
+  echo "$@ - $output"
+  HOME=$(pwd) SOURCE_DATE_EPOCH=1622905527 pdflatex "$@" || exit 1
+  HOME=$(pwd) SOURCE_DATE_EPOCH=1622905527 pdflatex "$@" || exit 1
+  mv "$(basename "$output")" "$output" || exit 1
+' -- {} \; || exit 1
+
+cd "$USER_DIR" || exit 1
+rm -r "$WORKDIR"
--- a/docker/load/Dockerfile
+++ b/docker/load/Dockerfile
@@ -0,0 +1,13 @@
+FROM alpine:3.13.5
+
+COPY "build.sh" "/build.sh"
+RUN chmod +x /build.sh && \
+    mkdir /sentinels && \
+    chmod a+rwx /sentinels && \
+    addgroup -S load && adduser -S load -G load && \
+    mkdir /output && \
+    chown load /output
+
+USER load
+
+ENTRYPOINT []
--- a/docker/load/build.sh
+++ b/docker/load/build.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+rm -f /sentinels/load.txt
+
+rm -rf -- /output/*
+cp -Rf /git/. /output || exit 1
+
+chmod -R a+rw /output || exit 1
+
+touch /sentinels/load.txt
--- a/docker/pictures/Dockerfile
+++ b/docker/pictures/Dockerfile
@@ -0,0 +1,14 @@
+FROM alpine:3.15.4
+RUN apk add --no-cache imagemagick=7.1.0.16-r0
+
+COPY "build.sh" "/build.sh"
+
+RUN chmod +x /build.sh && \
+	mkdir /sentinels && \
+	chmod a+rwx /sentinels && \
+	addgroup -S pictures && adduser -S pictures -G pictures
+
+USER pictures
+WORKDIR /home/pictures
+
+ENTRYPOINT []
--- a/docker/pictures/build.sh
+++ b/docker/pictures/build.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+TO_SCAN="$1"
+
+SHELL="/bin/sh"
+
+# For some reason, using $0 instead of `sh` makes Shellcheck warn about the single-quotes not expanding expressions
+# shellcheck disable=SC2016
+find "$TO_SCAN" -type f ! -name '*-thumb.jpg' -name '*.jpg' -exec "$SHELL" -c '
+  if [ -f "${@%.*}-thumb.jpg" ]; then exit 0; fi;
+  echo "$@"
+  convert "$@" -thumbnail 100x100^ -gravity center -extent 100x100 "${1%.*}-thumb.jpg"
+' -- {} \; || exit 1
--- a/docker/reconcile/Dockerfile
+++ b/docker/reconcile/Dockerfile
@@ -0,0 +1,9 @@
+FROM alpine:3.13.5
+
+COPY "build.sh" "/build.sh"
+
+RUN chmod +x /build.sh && \
+	mkdir /sentinels && \
+	chmod a+rwx /sentinels
+
+ENTRYPOINT []
--- a/docker/shellcheck/Dockerfile
+++ b/docker/shellcheck/Dockerfile
@@ -0,0 +1,9 @@
+FROM koalaman/shellcheck-alpine:v0.8.0
+COPY "build.sh" "/build.sh"
+
+RUN chmod +x /build.sh && \
+	addgroup -S shellcheck && adduser -S shellcheck -G shellcheck
+
+USER shellcheck
+
+ENTRYPOINT []
--- a/docker/shellcheck/build.sh
+++ b/docker/shellcheck/build.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+find "$1" -type f -name '*.*sh' -print0 | xargs -0 -n1 shellcheck