From b1a377d0342deb82c69d6fc05e91d0a887d321ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9D=D0=B8=D0=BA=D0=B8=D1=82=D0=B0=20=D0=A1=D1=8B=D1=87?= =?UTF-8?q?=D0=B5=D0=B2?=
Date: Tue, 16 Dec 2025 16:46:14 +0300
Subject: [PATCH] Initial commit
---
.gitlab-ci.yml | 23 ++++++++++++++++
Dockerfile.node-deb | 11 ++++++++
Dockerfile.python-deb | 11 ++++++++
README.md | 55 ++++++++++++++++++++++++++++++++++++++
apt/99ca | 3 +++
apt/debian.sources | 11 ++++++++
ca/nstart.local.crt | 21 +++++++++++++++
docker-bake.hcl | 61 +++++++++++++++++++++++++++++++++++++++++++
node/npmrc | 3 +++
python/pip.conf | 4 +++
10 files changed, 203 insertions(+)
create mode 100644 .gitlab-ci.yml
create mode 100644 Dockerfile.node-deb
create mode 100644 Dockerfile.python-deb
create mode 100644 README.md
create mode 100644 apt/99ca
create mode 100644 apt/debian.sources
create mode 100644 ca/nstart.local.crt
create mode 100644 docker-bake.hcl
create mode 100644 node/npmrc
create mode 100644 python/pip.conf
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..543c01f
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,23 @@
+stages:
+ - build
+
+build-images:
+ stage: build
+ image: repo.nstart.local/nstart/docker-cli-buildx:1.0.0
+ services:
+ - name: repo.nstart.local/nstart/docker-dind-ca:1.0.0
+ alias: docker
+ command: ["--tls=false"]
+ variables:
+ DOCKER_HOST: tcp://docker:2375
+ DOCKER_TLS_CERTDIR: ""
+ parallel:
+ matrix:
+ - BAKE_TARGET:
+ - images-node-debian
+ - images-python-debian
+ script:
+ - echo $REGISTRY_PASSWORD | docker login -u $REGISTRY_USER --password-stdin $REGISTRY
+ - docker bake "$BAKE_TARGET" --no-cache --push
+ only:
+ - main
diff --git a/Dockerfile.node-deb b/Dockerfile.node-deb
new file mode 100644
index 0000000..c545b5d
--- /dev/null
+++ b/Dockerfile.node-deb
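Review bot: The dind service is started with `command: ["--tls=false"]` and the job talks to it in the clear (`DOCKER_HOST: tcp://docker:2375`, `DOCKER_TLS_CERTDIR: ""`), so the daemon that builds and pushes the release images accepts any unauthenticated client that can reach the job's service network. The stock dind image defaults to TLS with `DOCKER_TLS_CERTDIR: "/certs"`, `DOCKER_HOST: tcp://docker:2376`, `DOCKER_TLS_VERIFY: "1"` and `DOCKER_CERT_PATH: "/certs/client"`; whether `docker-dind-ca:1.0.0` keeps that behaviour is not visible in this patch, so it needs confirming before the variables are switched and the `--tls=false` override removed. Separately, both the job `image:` and the service are pinned by tag only, so the build toolchain can change underneath the pipeline; a digest suffix (`:1.0.0@sha256:<digest, not in this patch>`) would make it immutable. `only: - main` is the legacy form; `rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH` is the current one.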
@@ -0,0 +1,11 @@
+ARG BASE_REPO="repo.nstart.local/library/"
+ARG BASE_TAG="25-trixie-slim"
+
+FROM ${BASE_REPO}node:${BASE_TAG}
+
+COPY --chmod=007 ca/nstart.local.crt /usr/local/share/ca-certificates/nstart.local.crt
+
+COPY apt/99ca /etc/apt/apt.conf.d/99ca
+COPY apt/debian.sources /etc/apt/sources.list.d/debian.sources
+
+COPY node/npmrc /usr/local/etc/npmrc
diff --git a/Dockerfile.python-deb b/Dockerfile.python-deb
new file mode 100644
index 0000000..3895d67
--- /dev/null
+++ b/Dockerfile.python-deb
@@ -0,0 +1,11 @@
+ARG BASE_REPO="repo.nstart.local/library/"
+ARG BASE_TAG="3.14-slim-trixie"
+
+FROM ${BASE_REPO}python:${BASE_TAG}
+
+COPY --chmod=007 ca/nstart.local.crt /usr/local/share/ca-certificates/nstart.local.crt
+
+COPY apt/99ca /etc/apt/apt.conf.d/99ca
+COPY apt/debian.sources /etc/apt/sources.list.d/debian.sources
+
+COPY python/pip.conf /etc/pip.conf
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..d1805e5
--- /dev/null
+++ b/README.md
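Review bot: `COPY --chmod=007` on the CA certificate, in both this Dockerfile and Dockerfile.python-deb, sets mode 0007 — no permissions for owner or group, read/write/execute for everyone else — so any process in the container can replace the file that apt (`CaInfo`), npm (`cafile`) and pip (`cert`) are configured to trust, which defeats the point of shipping a pinned CA. This reads like a typo for a world-readable, root-only-writable mode; `COPY --chmod=0644 ca/nstart.local.crt /usr/local/share/ca-certificates/nstart.local.crt` is what the three configs need. Nothing runs `update-ca-certificates` after the copy either, so the certificate is not added to the system bundle and only the three explicitly configured tools trust it; the Node runtime (bundled roots unless `NODE_EXTRA_CA_CERTS` is set) and `requests`/`certifi` in Python will not, which deserves a Dockerfile comment if intended (`# CA is wired into apt/npm/pip only; the language runtimes' trust stores are unchanged`) and otherwise a `RUN update-ca-certificates` line, assuming the slim bases ship the `ca-certificates` package.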
@@ -0,0 +1,55 @@
+# Базовые OCI-образы
+
+Набор базовых Docker-образов для внутренней инфраструктуры: с корпоративным CA
+и настройками для локальных зеркал репозиториев
+
+## Собираемые образы
+
+- Node (Debian)
+- Python (Debian)
+
+## Сборка
+
+Требования: Docker с BuildKit/buildx.
+
+Список таргетов:
+
+```bash
+docker bake --list=targets
+```
+
+Локальная сборка (загрузка в Docker Engine):
+
+```bash
+docker bake all --load
+```
+
+Сборка и публикация в registry:
+
+```bash
+docker bake all --push
+```
+
+Для публикации требуется авторизация в registry (`docker login`).
+
+## Параметры
+
+Переопределяемые переменные (`docker-bake.hcl`):
+
+- `registry` (по умолчанию `repo.nstart.local`) - registry для публикации итоговых образов
+- `base_repo` (по умолчанию `repo.nstart.local/library/`) - репозиторий базовых образов
+
+Пример переопределения:
+
+```bash
+registry=registry.example.local \
+base_repo=registry.example.local/library/ \
+docker bake all --push
+```
+
+Переопределение тега базового образа через Bake:
+
+```bash
+docker buildx bake images-node-debian \
+ --set images-node-debian.args.BASE_TAG=
+```
diff --git a/apt/99ca b/apt/99ca
new file mode 100644
index 0000000..41a8e03
--- /dev/null
+++ b/apt/99ca
@@ -0,0 +1,3 @@
+Acquire::https::repo.nstart.local::Verify-Peer "true";
+Acquire::https::repo.nstart.local::Verify-Host "true";
+Acquire::https::repo.nstart.local::CaInfo "/usr/local/share/ca-certificates/nstart.local.crt";
diff --git a/apt/debian.sources b/apt/debian.sources
new file mode 100644
index 0000000..d37343a
--- /dev/null
+++ b/apt/debian.sources
@@ -0,0 +1,11 @@
+Types: deb
+URIs: https://repo.nstart.local/repository/apt-proxy/debian
+Suites: trixie trixie-updates
+Components: main
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+Types: deb
+URIs: https://repo.nstart.local/repository/apt-proxy/debian-security
+Suites: trixie-security
+Components: main
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
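Review bot: `Verify-Peer "true"` and `Verify-Host "true"` in apt/99ca are already apt's defaults, so of the three lines only `CaInfo` changes behaviour, and a reader will wonder whether the first two were meant to fix something. A leading comment makes the intent explicit, e.g. `// Verify-Peer/Verify-Host are apt defaults; stated per host so a global override cannot disable verification for the internal mirror` (apt.conf accepts `//` and `#` comments). The `CaInfo` scope matches the only host used by both stanzas in apt/debian.sources, and `Signed-By` still pins Debian's archive keyring, so package authenticity does not depend on the proxy — worth one sentence of comment in debian.sources as well.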
diff --git a/ca/nstart.local.crt b/ca/nstart.local.crt
new file mode 100644
index 0000000..78c0314
--- /dev/null
+++ b/ca/nstart.local.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbTCCAlWgAwIBAgIUIjJbBQwjttGdplafh/xeEbpQsVEwDQYJKoZIhvcNAQEL
+BQAwRjEjMCEGA1UECgwa0JDQniDQndC+0LLRi9C5INCh0YLQsNGA0YIxHzAdBgNV
+BAMMFnNydmt3dHMwMS5uc3RhcnQubG9jYWwwHhcNMjUwOTAyMTM0NDQzWhcNMzcx
+MjE1MTM0NDQzWjBGMSMwIQYDVQQKDBrQkNCeINCd0L7QstGL0Lkg0KHRgtCw0YDR
+gjEfMB0GA1UEAwwWc3J2a3d0czAxLm5zdGFydC5sb2NhbDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAPHmRc1s3oYq9VJFZ0a6iCuXI4PtZt0fnrvmtL1x
+qZ2B2SefdWHMiGu7uZeN+n5hbefYxwLNG5uvoZGOObYfaHAmwNdEea6xKT15Q9+y
+yaV4i4zvTvyJhb/Q2Vldpc0h62DWSMRMTYFnfXuvaRFIYtUWe0xa92zNFi5/rCA3
+F0LhxJtJBe/52UgNHFaJ8xw4do38ihoLsM93UJrt86SkDj4XtvRP5wJBTDYdMUhg
+Uw1wgOjHNC5OSwnGLmvd2agI9DxfrFtts7C2m4TfpQRSEv1RBepuRRhsh2P/3edW
+9paegFxZQxoSuGzl47b+bFjZ1Qa+AYDWRa2d00IwBp4FK2UCAwEAAaNTMFEwHQYD
+VR0OBBYEFGxIHnoLch0XMz+Vq/OWbLSpxCVOMB8GA1UdIwQYMBaAFGxIHnoLch0X
+Mz+Vq/OWbLSpxCVOMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
+AGnFpgBBnXbXw2SgYeGSrKwe2Ash66MSzNFXZEuNoIjkS64ZymvysE7S9peezVCb
+u26p3DSPGVFXuXCe+trt1OnTTkOMHOYMrrWwjBkPlU/hjEUDmjhr11d/a6HfRC5i
+r/44xy1/i8F7yBVRYKTrHkC1pFs1hyabFB9C4PNBJ3eAnk3s5Ikh08lRQ5nD4Eoe
+5/Gz62znb09b2+/SobHRm8gufOXzd8AT9OWuyt6KgHIJ5Gc5F3tydXGDpxeWRtux
+0o7O1wGEbKAVcfKvx/2NgRUmEhASXjVsjiB56BBEHxRlZpV38BTjUBPryuRiz3Ze
+hneIyDjekpH7U7LogVpAkUg=
+-----END CERTIFICATE-----
diff --git a/docker-bake.hcl b/docker-bake.hcl
new file mode 100644
index 0000000..2dda760
--- /dev/null
+++ b/docker-bake.hcl
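Review bot: The trust anchor is committed as an opaque PEM and nothing in the patch records its subject, issuer, validity or fingerprint, so a reviewer cannot tell which CA every image built from here will trust without decoding it. Decoding the base64 suggests a self-signed CA certificate (critical `basicConstraints` CA:TRUE, identical subject and authority key identifiers) whose subject CN looks like a host name, `srvkwts01.nstart.local`, valid from September 2025 to December 2037 — worth confirming that this is the intended issuing CA for `repo.nstart.local` rather than that host's own certificate, since a twelve-year lifetime baked into every base image is hard to rotate. Recording the `openssl x509 -in ca/nstart.local.crt -noout -subject -dates -fingerprint -sha256` output in README.md (fingerprint `<sha256 fingerprint, not in this patch>`) would let later changes to the file be reviewed against a known value.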
@@ -0,0 +1,61 @@
+variable "registry" {
+ default = "repo.nstart.local"
+}
+
+variable "base_repo" {
+ default = "repo.nstart.local/library/"
+}
+
+function "oci_labels" {
+ params = [name, version]
+ result = {
+ "org.opencontainers.image.version" = version,
+ "org.opencontainers.image.vendor" = "New Start",
+ "org.opencontainers.image.authors" = "Sychev Nikita ",
+ "org.opencontainers.image.base.name" = "${base_repo}${name}:${version}",
+ "org.opencontainers.image.title" = "Base image for ${name} with custom CA and local repos",
+ "org.opencontainers.image.description" = "Slim base image for ${name} with internal CA and local package mirrors",
+ }
+}
+
+function "image_ref" {
+ params = [name]
+ result = registry != "" ? "${registry}/nstart/${name}" : "nstart/${name}"
+}
+
+target "image" {
+ name = "images-${combo.image}-${combo.distro}"
+
+ matrix = {
+ combo = [
+ { image = "node", distro= "debian", version = "25-trixie-slim", dockerfile="Dockerfile.node-deb" },
+ { image = "python", distro= "debian", version = "3.14-slim-trixie", dockerfile="Dockerfile.python-deb" }
+ ]
+ }
+
+ platforms = ["linux/amd64"]
+ output = ["type=image,registry.insecure=true"]
+ attest = [
+ "type=sbom",
+ "type=provenance,mode=max"
+ ]
+
+ context = "."
+ dockerfile = combo.dockerfile
+
+ args = {
+ BASE_REPO = base_repo
+ BASE_TAG = combo.version
+ }
+
+ tags = [
+ "${image_ref(combo.image)}:${combo.version}",
+ "${image_ref(combo.image)}:latest",
+ ]
+
+ labels = oci_labels(combo.image, combo.version)
+}
+
+group "all" {
+ targets = ["image"]
+}
diff --git a/node/npmrc b/node/npmrc
new file mode 100644
index 0000000..295e4a3
--- /dev/null
+++ b/node/npmrc
@@ -0,0 +1,3 @@
+registry=https://repo.nstart.local/repository/npm-group/
+strict-ssl=true
+cafile=/usr/local/share/ca-certificates/nstart.local.crt
diff --git a/python/pip.conf b/python/pip.conf
new file mode 100644
index 0000000..a084bc6
--- /dev/null
+++ b/python/pip.conf
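Review bot: `output = ["type=image,registry.insecure=true"]` lets BuildKit push over plain HTTP or with TLS verification disabled, so the pipeline that publishes these images trusts the registry less strictly than the images themselves are configured to. If `repo.nstart.local` serves TLS with the CA committed in this patch, the attribute should be dropped and the CA handed to the builder instead (a `[registry."repo.nstart.local"]` entry with `ca = [...]` in buildkitd.toml, or whatever `docker-dind-ca` already provides — not visible here). The `registry` and `base_repo` variables, which the README presents as the override points, change only where images are pulled from and pushed to; the apt, npm and pip files copied into the image still hard-code `repo.nstart.local`, and a comment on the two `variable` blocks saying so (`# Affects image pull/push only; in-image mirror URLs live in apt/, node/ and python/`) would prevent a misread. The `authors` label value `"Sychev Nikita "` ends in a trailing space where an address appears to have been lost.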
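Review bot: `cafile=` in node/npmrc replaces npm's CA bundle rather than extending it, so npm in this image trusts only the internal CA; that is appropriate for a mirror-only setup, but a later `--registry` or scoped `@scope:registry` pointing at a public host will fail TLS verification with an unhelpful error, and `cert =` in python/pip.conf behaves the same way for pip. A comment in each file would record that this is intentional, e.g. `; cafile replaces npm's default CA bundle: only repo.nstart.local is trusted` here and `# cert replaces pip's CA bundle: only repo.nstart.local is trusted` in pip.conf (both formats accept these comment markers).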
@@ -0,0 +1,4 @@
+[global]
+index-url = https://repo.nstart.local/repository/pypi-group/simple
+cert = /usr/local/share/ca-certificates/nstart.local.crt
+disable-pip-version-check = true