Initial commit

.gitlab-ci.yml

@@ -0,0 +1,23 @@
+stages:
+  - build
+
+build-images:
+  stage: build
+  image: repo.nstart.local/nstart/docker-cli-buildx:1.0.0
+  services:
+    - name: repo.nstart.local/nstart/docker-dind-ca:1.0.0
+      alias: docker
+      command: ["--tls=false"]
+  variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ""
+  parallel:
+    matrix:
+      - BAKE_TARGET:
+          - images-node-debian
+          - images-python-debian
+  script:
+    - echo $REGISTRY_PASSWORD | docker login -u $REGISTRY_USER --password-stdin $REGISTRY
+    - docker bake "$BAKE_TARGET" --no-cache --push
+  only:
+    - main

Dockerfile.node-deb

@@ -0,0 +1,11 @@
+ARG BASE_REPO="repo.nstart.local/library/"
+ARG BASE_TAG="25-trixie-slim"
+
+FROM ${BASE_REPO}node:${BASE_TAG}
+
+COPY --chmod=007 ca/nstart.local.crt /usr/local/share/ca-certificates/nstart.local.crt
+
+COPY apt/99ca /etc/apt/apt.conf.d/99ca
+COPY apt/debian.sources /etc/apt/sources.list.d/debian.sources
+
+COPY node/npmrc /usr/local/etc/npmrc

Dockerfile.python-deb

@@ -0,0 +1,11 @@
+ARG BASE_REPO="repo.nstart.local/library/"
+ARG BASE_TAG="3.14-slim-trixie"
+
+FROM ${BASE_REPO}python:${BASE_TAG}
+
+COPY --chmod=007 ca/nstart.local.crt /usr/local/share/ca-certificates/nstart.local.crt
+
+COPY apt/99ca /etc/apt/apt.conf.d/99ca
+COPY apt/debian.sources /etc/apt/sources.list.d/debian.sources
+
+COPY python/pip.conf /etc/pip.conf

README.md

@@ -0,0 +1,55 @@
+# Базовые OCI-образы
+
+Набор базовых Docker-образов для внутренней инфраструктуры: с корпоративным CA
+и настройками для локальных зеркал репозиториев
+
+## Собираемые образы
+
+- Node (Debian)
+- Python (Debian)
+
+## Сборка
+
+Требования: Docker с BuildKit/buildx.
+
+Список таргетов:
+
+```bash
+docker bake --list=targets
+```
+
+Локальная сборка (загрузка в Docker Engine):
+
+```bash
+docker bake all --load
+```
+
+Сборка и публикация в registry:
+
+```bash
+docker bake all --push
+```
+
+Для публикации требуется авторизация в registry (`docker login`).
+
+## Параметры
+
+Переопределяемые переменные (`docker-bake.hcl`):
+
+- `registry` (по умолчанию `repo.nstart.local`) - registry для публикации итоговых образов
+- `base_repo` (по умолчанию `repo.nstart.local/library/`) - репозиторий базовых образов
+
+Пример переопределения:
+
+```bash
+registry=registry.example.local \
+base_repo=registry.example.local/library/ \
+docker bake all --push
+```
+
+Переопределение тега базового образа через Bake:
+
+```bash
+docker buildx bake images-node-debian \
+  --set images-node-debian.args.BASE_TAG=<tag>
+```

apt/99ca

@@ -0,0 +1,3 @@
+Acquire::https::repo.nstart.local::Verify-Peer "true";
+Acquire::https::repo.nstart.local::Verify-Host "true";
+Acquire::https::repo.nstart.local::CaInfo "/usr/local/share/ca-certificates/nstart.local.crt";

apt/debian.sources

@@ -0,0 +1,11 @@
+Types: deb
+URIs: https://repo.nstart.local/repository/apt-proxy/debian
+Suites: trixie trixie-updates
+Components: main
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+Types: deb
+URIs: https://repo.nstart.local/repository/apt-proxy/debian-security
+Suites: trixie-security
+Components: main
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

ca/nstart.local.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbTCCAlWgAwIBAgIUIjJbBQwjttGdplafh/xeEbpQsVEwDQYJKoZIhvcNAQEL
+BQAwRjEjMCEGA1UECgwa0JDQniDQndC+0LLRi9C5INCh0YLQsNGA0YIxHzAdBgNV
+BAMMFnNydmt3dHMwMS5uc3RhcnQubG9jYWwwHhcNMjUwOTAyMTM0NDQzWhcNMzcx
+MjE1MTM0NDQzWjBGMSMwIQYDVQQKDBrQkNCeINCd0L7QstGL0Lkg0KHRgtCw0YDR
+gjEfMB0GA1UEAwwWc3J2a3d0czAxLm5zdGFydC5sb2NhbDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAPHmRc1s3oYq9VJFZ0a6iCuXI4PtZt0fnrvmtL1x
+qZ2B2SefdWHMiGu7uZeN+n5hbefYxwLNG5uvoZGOObYfaHAmwNdEea6xKT15Q9+y
+yaV4i4zvTvyJhb/Q2Vldpc0h62DWSMRMTYFnfXuvaRFIYtUWe0xa92zNFi5/rCA3
+F0LhxJtJBe/52UgNHFaJ8xw4do38ihoLsM93UJrt86SkDj4XtvRP5wJBTDYdMUhg
+Uw1wgOjHNC5OSwnGLmvd2agI9DxfrFtts7C2m4TfpQRSEv1RBepuRRhsh2P/3edW
+9paegFxZQxoSuGzl47b+bFjZ1Qa+AYDWRa2d00IwBp4FK2UCAwEAAaNTMFEwHQYD
+VR0OBBYEFGxIHnoLch0XMz+Vq/OWbLSpxCVOMB8GA1UdIwQYMBaAFGxIHnoLch0X
+Mz+Vq/OWbLSpxCVOMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
+AGnFpgBBnXbXw2SgYeGSrKwe2Ash66MSzNFXZEuNoIjkS64ZymvysE7S9peezVCb
+u26p3DSPGVFXuXCe+trt1OnTTkOMHOYMrrWwjBkPlU/hjEUDmjhr11d/a6HfRC5i
+r/44xy1/i8F7yBVRYKTrHkC1pFs1hyabFB9C4PNBJ3eAnk3s5Ikh08lRQ5nD4Eoe
+5/Gz62znb09b2+/SobHRm8gufOXzd8AT9OWuyt6KgHIJ5Gc5F3tydXGDpxeWRtux
+0o7O1wGEbKAVcfKvx/2NgRUmEhASXjVsjiB56BBEHxRlZpV38BTjUBPryuRiz3Ze
+hneIyDjekpH7U7LogVpAkUg=
+-----END CERTIFICATE-----

docker-bake.hcl

@@ -0,0 +1,61 @@
+variable "registry" {
+  default = "repo.nstart.local"
+}
+
+variable "base_repo" {
+  default = "repo.nstart.local/library/"
+}
+
+function "oci_labels" {
+  params = [name, version]
+  result = {
+    "org.opencontainers.image.version"     = version,
+    "org.opencontainers.image.vendor"      = "New Start",
+    "org.opencontainers.image.authors"     = "Sychev Nikita <Sychev.NA@nstart.space>",
+    "org.opencontainers.image.base.name"   = "${base_repo}${name}:${version}",
+    "org.opencontainers.image.title"       = "Base image for ${name} with custom CA and local repos",
+    "org.opencontainers.image.description" = "Slim base image for ${name} with internal CA and local package mirrors",
+  }
+}
+
+function "image_ref" {
+  params = [name]
+  result = registry != "" ? "${registry}/nstart/${name}" : "nstart/${name}"
+}
+
+target "image" {
+  name = "images-${combo.image}-${combo.distro}"
+
+  matrix = {
+    combo = [
+      { image = "node", distro= "debian", version = "25-trixie-slim", dockerfile="Dockerfile.node-deb" },
+      { image = "python", distro= "debian", version = "3.14-slim-trixie", dockerfile="Dockerfile.python-deb" }
+    ]
+  }
+
+  platforms = ["linux/amd64"]
+  output = ["type=image,registry.insecure=true"]
+  attest = [
+    "type=sbom",
+    "type=provenance,mode=max"
+  ]
+
+  context    = "."
+  dockerfile = combo.dockerfile
+
+  args = {
+    BASE_REPO = base_repo
+    BASE_TAG   = combo.version
+  }
+
+  tags = [
+    "${image_ref(combo.image)}:${combo.version}",
+    "${image_ref(combo.image)}:latest",
+  ]
+
+  labels = oci_labels(combo.image, combo.version)
+}
+
+group "all" {
+  targets = ["image"]
+}

node/npmrc

@@ -0,0 +1,3 @@
+registry=https://repo.nstart.local/repository/npm-group/
+strict-ssl=true
+cafile=/usr/local/share/ca-certificates/nstart.local.crt

python/pip.conf

@@ -0,0 +1,4 @@
+[global]
+index-url = https://repo.nstart.local/repository/pypi-group/simple
+cert = /usr/local/share/ca-certificates/nstart.local.crt
+disable-pip-version-check = true