authorMathijs van Veluw <[email protected]>2023-10-23 00:18:38 +0200
committerGitHub <[email protected]>2023-10-23 00:18:38 +0200
commitd722328f05f65910e00d01c7b156d30ab9ac8986 (patch)
tree9c193bd2deea807592efb58c48dfa7f7165e6bc8 /docker
parentcb4b683dcd51eff4508bcf50e34d657b8d2225d4 (diff)
Container building changes (#3958)
* WIP: Container building changes * Small updates - Updated to rust 1.73.0 - Updated crates - Updated documentation - Added a bake.sh script to make baking easier * Update GitHub Actions Workflow - Updated workflow to use qemu and buildx bake In the future i would like to extract the alpine based binaries and add them as artifacts to the release. * Address review remarks and small updates - Addressed review remarks - Added `podman-bake.sh` script to build Vaultwarden with podman - Updated README - Updated crates - Added `VW_VERSION` support - Added annotations - Updated web-vault to v2023.9.1
Diffstat (limited to 'docker')
-rw-r--r--docker/DockerSettings.yaml28
-rw-r--r--docker/Dockerfile.alpine160
-rw-r--r--docker/Dockerfile.buildx34
-rw-r--r--docker/Dockerfile.debian194
-rw-r--r--docker/Dockerfile.j2301
-rw-r--r--docker/Makefile19
-rw-r--r--docker/README.md184
-rw-r--r--docker/amd64/Dockerfile119
-rw-r--r--docker/amd64/Dockerfile.alpine116
-rw-r--r--docker/amd64/Dockerfile.buildkit119
-rw-r--r--docker/amd64/Dockerfile.buildkit.alpine116
-rw-r--r--docker/arm64/Dockerfile141
-rw-r--r--docker/arm64/Dockerfile.alpine118
-rw-r--r--docker/arm64/Dockerfile.buildkit141
-rw-r--r--docker/arm64/Dockerfile.buildkit.alpine118
-rw-r--r--docker/armv6/Dockerfile141
-rw-r--r--docker/armv6/Dockerfile.alpine120
-rw-r--r--docker/armv6/Dockerfile.buildkit141
-rw-r--r--docker/armv6/Dockerfile.buildkit.alpine120
-rw-r--r--docker/armv7/Dockerfile141
-rw-r--r--docker/armv7/Dockerfile.alpine118
-rw-r--r--docker/armv7/Dockerfile.buildkit141
-rw-r--r--docker/armv7/Dockerfile.buildkit.alpine118
-rwxr-xr-xdocker/bake.sh15
-rw-r--r--docker/bake_env.sh33
-rw-r--r--docker/docker-bake.hcl229
-rwxr-xr-xdocker/healthcheck.sh2
-rwxr-xr-xdocker/podman-bake.sh105
-rwxr-xr-xdocker/render_template20
29 files changed, 1116 insertions, 2236 deletions
diff --git a/docker/DockerSettings.yaml b/docker/DockerSettings.yaml
new file mode 100644
index 00000000..908f9721
--- /dev/null
+++ b/docker/DockerSettings.yaml
@@ -0,0 +1,28 @@
+---
+vault_version: "v2023.9.1"
+vault_image_digest: "sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd"
+# Cross Compile Docker Helper Scripts v1.3.0
+# We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
+xx_image_digest: "sha256:c9609ace652bbe51dd4ce90e0af9d48a4590f1214246da5bc70e46f6dd586edc"
+rust_version: 1.73.0 # Rust version to be used
+debian_version: bookworm # Debian release name to be used
+alpine_version: 3.18 # Alpine version to be used
+# For which platforms/architectures will we try to build images
+platforms: ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"]
+# Determine the build images per OS/Arch
+build_stage_image:
+ debian:
+ image: "docker.io/library/rust:{{rust_version}}-slim-{{debian_version}}"
+ platform: "$BUILDPLATFORM"
+ alpine:
+ image: "build_${TARGETARCH}${TARGETVARIANT}"
+ platform: "linux/amd64" # The Alpine build images only have linux/amd64 images
+ arch_image:
+ amd64: "ghcr.io/blackdex/rust-musl:x86_64-musl-stable-{{rust_version}}"
+ arm64: "ghcr.io/blackdex/rust-musl:aarch64-musl-stable-{{rust_version}}"
+ armv7: "ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-{{rust_version}}"
+ armv6: "ghcr.io/blackdex/rust-musl:arm-musleabi-stable-{{rust_version}}"
+# The final image which will be used to distribute the container images
+runtime_stage_image:
+ debian: "docker.io/library/debian:{{debian_version}}-slim"
+ alpine: "docker.io/library/alpine:{{alpine_version}}"
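Review bot: The four `arch_image` entries under `build_stage_image.alpine`, together with `build_stage_image.debian.image` and both `runtime_stage_image` values, are referenced by mutable tag, while `vault_image_digest` and `xx_image_digest` in this same file are pinned by digest. The rust-musl images compile the binary that is shipped, so a re-pointed tag there changes the toolchain without any change in this repository. I would pin them the same way, for example `amd64: "ghcr.io/blackdex/rust-musl:x86_64-musl-stable-{{rust_version}}@sha256:<digest-placeholder>"`, and likewise for the other entries. Separately, `alpine_version: 3.18` is an unquoted YAML float, so a later value such as 3.20 would probably load as 3.2; writing `alpine_version: "3.18"` avoids that, though the loader in `render_template` is not visible here to confirm.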
diff --git a/docker/Dockerfile.alpine b/docker/Dockerfile.alpine
new file mode 100644
index 00000000..8a8332f0
--- /dev/null
+++ b/docker/Dockerfile.alpine
@@ -0,0 +1,160 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `DockerSettings.yaml` or `Dockerfile.j2` and then `make`
+# This will generate two Dockerfile's `Dockerfile.debian` and `Dockerfile.alpine`
+
+# Using multistage build:
+# https://docs.docker.com/develop/develop-images/multistage-build/
+# https://whitfin.io/speeding-up-rust-docker-builds/
+
+####################### VAULT BUILD IMAGE #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+# click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+# $ docker pull docker.io/vaultwarden/web-vault:v2023.9.1
+# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.9.1
+# [docker.io/vaultwarden/web-vault@sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd]
+#
+# - Conversely, to get the tag name from the digest:
+# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd
+# [docker.io/vaultwarden/web-vault:v2023.9.1]
+#
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd as vault
+
+########################## ALPINE BUILD IMAGES ##########################
+## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
+## And for Alpine we define all build images here, they will only be loaded when actually used
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.73.0 as build_amd64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.73.0 as build_arm64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.73.0 as build_armv7
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.73.0 as build_armv6
+
+########################## BUILD IMAGE ##########################
+# hadolint ignore=DL3006
+FROM --platform=linux/amd64 build_${TARGETARCH}${TARGETVARIANT} as build
+ARG TARGETARCH
+ARG TARGETVARIANT
+ARG TARGETPLATFORM
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+ LANG=C.UTF-8 \
+ TZ=UTC \
+ TERM=xterm-256color \
+ CARGO_HOME="/root/.cargo" \
+ USER="root" \
+ # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11
+ # Debian Bookworm already contains libpq v15
+ PQ_LIB_DIR="/usr/local/musl/pq15/lib"
+
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN mkdir -pv "${CARGO_HOME}" \
+ && rustup set profile minimal
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Shared variables across Debian and Alpine
+RUN echo "export CARGO_TARGET=${RUST_MUSL_CROSS_TARGET}" >> /env-cargo && \
+ # To be able to build the armv6 image with mimalloc we need to tell the linker to also look for libatomic
+ if [[ "${TARGETARCH}${TARGETVARIANT}" == "armv6" ]] ; then echo "export RUSTFLAGS='-Clink-arg=-latomic'" >> /env-cargo ; fi && \
+ # Output the current contents of the file
+ cat /env-cargo
+
+# Enable MiMalloc to improve performance on Alpine builds
+ARG DB=sqlite,mysql,postgresql,enable_mimalloc
+
+RUN source /env-cargo && \
+ rustup target add "${CARGO_TARGET}"
+
+ARG CARGO_PROFILE=release
+ARG VW_VERSION
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain.toml ./rust-toolchain.toml
+COPY ./build.rs ./build.rs
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN source /env-cargo && \
+ cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
+ find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Builds again, this time it will be the actual source files being build
+RUN source /env-cargo && \
+ # Make sure that we actually build the project by updating the src/main.rs timestamp
+ touch src/main.rs && \
+ # Create a symlink to the binary target folder to easy copy the binary in the final stage
+ cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
+ if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \
+ ln -vfsr "/app/target/${CARGO_TARGET}/debug" /app/target/final ; \
+ else \
+ ln -vfsr "/app/target/${CARGO_TARGET}/${CARGO_PROFILE}" /app/target/final ; \
+ fi
+
+
+######################## RUNTIME IMAGE ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+#
+# To build these images you need to have qemu binfmt support.
+# See the following pages to help install these tools locally
+# Ubuntu/Debian: https://wiki.debian.org/QemuUserEmulation
+# Arch Linux: https://wiki.archlinux.org/title/QEMU#Chrooting_into_arm/arm64_environment_from_x86_64
+#
+# Or use a Docker image which modifies your host system to support this.
+# The GitHub Actions Workflow uses the same image as used below.
+# See: https://github.com/tonistiigi/binfmt
+# Usage: docker run --privileged --rm tonistiigi/binfmt --install arm64,arm
+# To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
+#
+# We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742
+FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.18
+
+ENV ROCKET_PROFILE="release" \
+ ROCKET_ADDRESS=0.0.0.0 \
+ ROCKET_PORT=80 \
+ SSL_CERT_DIR=/etc/ssl/certs
+
+# Create data folder and Install needed libraries
+RUN mkdir /data && \
+ apk --no-cache add \
+ ca-certificates \
+ curl \
+ openssl \
+ tzdata
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/final/vaultwarden .
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]
diff --git a/docker/Dockerfile.buildx b/docker/Dockerfile.buildx
deleted file mode 100644
index c250312c..00000000
--- a/docker/Dockerfile.buildx
+++ /dev/null
@@ -1,34 +0,0 @@
-# syntax=docker/dockerfile:1
-# The cross-built images have the build arch (`amd64`) embedded in the image
-# manifest, rather than the target arch. For example:
-#
-# $ docker inspect vaultwarden/server:latest-armv7 | jq -r '.[]|.Architecture'
-# amd64
-#
-# Recent versions of Docker have started printing a warning when the image's
-# claimed arch doesn't match the host arch. For example:
-#
-# WARNING: The requested image's platform (linux/amd64) does not match the
-# detected host platform (linux/arm/v7) and no specific platform was requested
-#
-# The image still works fine, but the spurious warning creates confusion.
-#
-# Docker doesn't seem to provide a way to directly set the arch of an image
-# at build time. To resolve the build vs. target arch discrepancy, we use
-# Docker Buildx to build a new set of images with the correct target arch.
-#
-# Docker Buildx uses this Dockerfile to build an image for each requested
-# platform. Since the Dockerfile basically consists of a single `FROM`
-# instruction, we're effectively telling Buildx to build a platform-specific
-# image by simply copying the existing cross-built image and setting the
-# correct target arch as a side effect.
-#
-# References:
-#
-# - https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images
-# - https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope
-# - https://docs.docker.com/engine/reference/builder/#understand-how-arg-and-from-interact
-#
-ARG LOCAL_REPO
-ARG DOCKER_TAG
-FROM ${LOCAL_REPO}:${DOCKER_TAG}-${TARGETARCH}${TARGETVARIANT}
diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian
new file mode 100644
index 00000000..6d4522a7
--- /dev/null
+++ b/docker/Dockerfile.debian
@@ -0,0 +1,194 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `DockerSettings.yaml` or `Dockerfile.j2` and then `make`
+# This will generate two Dockerfile's `Dockerfile.debian` and `Dockerfile.alpine`
+
+# Using multistage build:
+# https://docs.docker.com/develop/develop-images/multistage-build/
+# https://whitfin.io/speeding-up-rust-docker-builds/
+
+####################### VAULT BUILD IMAGE #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+# click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+# $ docker pull docker.io/vaultwarden/web-vault:v2023.9.1
+# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.9.1
+# [docker.io/vaultwarden/web-vault@sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd]
+#
+# - Conversely, to get the tag name from the digest:
+# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd
+# [docker.io/vaultwarden/web-vault:v2023.9.1]
+#
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd as vault
+
+########################## Cross Compile Docker Helper Scripts ##########################
+## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts
+## And these bash scripts do not have any significant difference if at all
+FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:c9609ace652bbe51dd4ce90e0af9d48a4590f1214246da5bc70e46f6dd586edc AS xx
+
+########################## BUILD IMAGE ##########################
+# hadolint ignore=DL3006
+FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.73.0-slim-bookworm as build
+COPY --from=xx / /
+ARG TARGETARCH
+ARG TARGETVARIANT
+ARG TARGETPLATFORM
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+ LANG=C.UTF-8 \
+ TZ=UTC \
+ TERM=xterm-256color \
+ CARGO_HOME="/root/.cargo" \
+ USER="root"
+
+# Install clang to get `xx-cargo` working
+# Install pkg-config to allow amd64 builds to find all libraries
+# Install git so build.rs can determine the correct version
+# Install the libc cross packages based upon the debian-arch
+RUN apt-get update && \
+ apt-get install -y \
+ --no-install-recommends \
+ clang \
+ pkg-config \
+ git \
+ "libc6-$(xx-info debian-arch)-cross" \
+ "libc6-dev-$(xx-info debian-arch)-cross" \
+ "linux-libc-dev-$(xx-info debian-arch)-cross" && \
+ # Run xx-cargo early, since it sometimes seems to break when run at a later stage
+ echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo
+
+RUN xx-apt-get install -y \
+ --no-install-recommends \
+ gcc \
+ libmariadb3 \
+ libpq-dev \
+ libpq5 \
+ libssl-dev && \
+ # Force install arch dependend mariadb dev packages
+ # Installing them the normal way breaks several other packages (again)
+ apt-get download "libmariadb-dev-compat:$(xx-info debian-arch)" "libmariadb-dev:$(xx-info debian-arch)" && \
+ dpkg --force-all -i ./libmariadb-dev*.deb
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN mkdir -pv "${CARGO_HOME}" \
+ && rustup set profile minimal
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Environment variables for cargo across Debian and Alpine
+RUN source /env-cargo && \
+ if xx-info is-cross ; then \
+ # We can't use xx-cargo since that uses clang, which doesn't work for our libraries.
+ # Because of this we generate the needed environment variables here which we can load in the needed steps.
+ echo "export CC_$(echo "${CARGO_TARGET}" | tr '[:upper:]' '[:lower:]' | tr - _)=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
+ echo "export CARGO_TARGET_$(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_LINKER=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
+ echo "export PKG_CONFIG=/usr/bin/$(xx-info)-pkg-config" >> /env-cargo && \
+ echo "export CROSS_COMPILE=1" >> /env-cargo && \
+ echo "export OPENSSL_INCLUDE_DIR=/usr/include/$(xx-info)" >> /env-cargo && \
+ echo "export OPENSSL_LIB_DIR=/usr/lib/$(xx-info)" >> /env-cargo ; \
+ fi && \
+ # Output the current contents of the file
+ cat /env-cargo
+
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+ARG DB=sqlite,mysql,postgresql
+
+RUN source /env-cargo && \
+ rustup target add "${CARGO_TARGET}"
+
+ARG CARGO_PROFILE=release
+ARG VW_VERSION
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain.toml ./rust-toolchain.toml
+COPY ./build.rs ./build.rs
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN source /env-cargo && \
+ cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
+ find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Builds again, this time it will be the actual source files being build
+RUN source /env-cargo && \
+ # Make sure that we actually build the project by updating the src/main.rs timestamp
+ touch src/main.rs && \
+ # Create a symlink to the binary target folder to easy copy the binary in the final stage
+ cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
+ if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \
+ ln -vfsr "/app/target/${CARGO_TARGET}/debug" /app/target/final ; \
+ else \
+ ln -vfsr "/app/target/${CARGO_TARGET}/${CARGO_PROFILE}" /app/target/final ; \
+ fi
+
+
+######################## RUNTIME IMAGE ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+#
+# To build these images you need to have qemu binfmt support.
+# See the following pages to help install these tools locally
+# Ubuntu/Debian: https://wiki.debian.org/QemuUserEmulation
+# Arch Linux: https://wiki.archlinux.org/title/QEMU#Chrooting_into_arm/arm64_environment_from_x86_64
+#
+# Or use a Docker image which modifies your host system to support this.
+# The GitHub Actions Workflow uses the same image as used below.
+# See: https://github.com/tonistiigi/binfmt
+# Usage: docker run --privileged --rm tonistiigi/binfmt --install arm64,arm
+# To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
+#
+# We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742
+FROM --platform=$TARGETPLATFORM docker.io/library/debian:bookworm-slim
+
+ENV ROCKET_PROFILE="release" \
+ ROCKET_ADDRESS=0.0.0.0 \
+ ROCKET_PORT=80 \
+ DEBIAN_FRONTEND=noninteractive
+
+# Create data folder and Install needed libraries
+RUN mkdir /data && \
+ apt-get update && apt-get install -y \
+ --no-install-recommends \
+ ca-certificates \
+ curl \
+ libmariadb-dev-compat \
+ libpq5 \
+ openssl && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/*
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/final/vaultwarden .
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]
diff --git a/docker/Dockerfile.j2 b/docker/Dockerfile.j2
index ab4c4ff4..7fa39bfb 100644
--- a/docker/Dockerfile.j2
+++ b/docker/Dockerfile.j2
@@ -1,68 +1,14 @@
# syntax=docker/dockerfile:1
# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-{% set rust_version = "1.72.0" %}
-{% set debian_version = "bookworm" %}
-{% set alpine_version = "3.17" %}
-{% set build_stage_base_image = "docker.io/library/rust:%s-%s" % (rust_version, debian_version) %}
-{% if "alpine" in target_file %}
-{% if "amd64" in target_file %}
-{% set build_stage_base_image = "docker.io/blackdex/rust-musl:x86_64-musl-stable-%s-openssl3" % rust_version %}
-{% set runtime_stage_base_image = "docker.io/library/alpine:%s" % alpine_version %}
-{% set package_arch_target = "x86_64-unknown-linux-musl" %}
-{% elif "armv7" in target_file %}
-{% set build_stage_base_image = "docker.io/blackdex/rust-musl:armv7-musleabihf-stable-%s-openssl3" % rust_version %}
-{% set runtime_stage_base_image = "docker.io/balenalib/armv7hf-alpine:%s" % alpine_version %}
-{% set package_arch_target = "armv7-unknown-linux-musleabihf" %}
-{% elif "armv6" in target_file %}
-{% set build_stage_base_image = "docker.io/blackdex/rust-musl:arm-musleabi-stable-%s-openssl3" % rust_version %}
-{% set runtime_stage_base_image = "docker.io/balenalib/rpi-alpine:%s" % alpine_version %}
-{% set package_arch_target = "arm-unknown-linux-musleabi" %}
-{% elif "arm64" in target_file %}
-{% set build_stage_base_image = "docker.io/blackdex/rust-musl:aarch64-musl-stable-%s-openssl3" % rust_version %}
-{% set runtime_stage_base_image = "docker.io/balenalib/aarch64-alpine:%s" % alpine_version %}
-{% set package_arch_target = "aarch64-unknown-linux-musl" %}
-{% endif %}
-{% elif "amd64" in target_file %}
-{% set runtime_stage_base_image = "docker.io/library/debian:%s-slim" % debian_version %}
-{% elif "arm64" in target_file %}
-{% set runtime_stage_base_image = "docker.io/balenalib/aarch64-debian:%s" % debian_version %}
-{% set package_arch_name = "arm64" %}
-{% set package_arch_target = "aarch64-unknown-linux-gnu" %}
-{% set package_cross_compiler = "aarch64-linux-gnu" %}
-{% elif "armv6" in target_file %}
-{% set runtime_stage_base_image = "docker.io/balenalib/rpi-debian:%s" % debian_version %}
-{% set package_arch_name = "armel" %}
-{% set package_arch_target = "arm-unknown-linux-gnueabi" %}
-{% set package_cross_compiler = "arm-linux-gnueabi" %}
-{% elif "armv7" in target_file %}
-{% set runtime_stage_base_image = "docker.io/balenalib/armv7hf-debian:%s" % debian_version %}
-{% set package_arch_name = "armhf" %}
-{% set package_arch_target = "armv7-unknown-linux-gnueabihf" %}
-{% set package_cross_compiler = "arm-linux-gnueabihf" %}
-{% endif %}
-{% if package_arch_name is defined %}
-{% set package_arch_prefix = ":" + package_arch_name %}
-{% else %}
-{% set package_arch_prefix = "" %}
-{% endif %}
-{% if package_arch_target is defined %}
-{% set package_arch_target_param = " --target=" + package_arch_target %}
-{% else %}
-{% set package_arch_target_param = "" %}
-{% endif %}
-{% if "buildkit" in target_file %}
-{% set mount_rust_cache = "--mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry " %}
-{% else %}
-{% set mount_rust_cache = "" %}
-{% endif %}
+# Please make your changes in `DockerSettings.yaml` or `Dockerfile.j2` and then `make`
+# This will generate two Dockerfile's `Dockerfile.debian` and `Dockerfile.alpine`
+
# Using multistage build:
# https://docs.docker.com/develop/develop-images/multistage-build/
# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-{% set vault_version = "v2023.8.2" %}
-{% set vault_image_digest = "sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252" %}
+
+####################### VAULT BUILD IMAGE #######################
# The web-vault digest specifies a particular web-vault build on Docker Hub.
# Using the digest instead of the tag name provides better security,
# as the digest of an image is immutable, whereas a tag name can later
@@ -80,10 +26,33 @@
# $ docker image inspect --format "{{ '{{' }}.RepoTags}}" docker.io/vaultwarden/web-vault@{{ vault_image_digest }}
# [docker.io/vaultwarden/web-vault:{{ vault_version }}]
#
-FROM docker.io/vaultwarden/web-vault@{{ vault_image_digest }} as vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@{{ vault_image_digest }} as vault
+
+{% if base == "debian" %}
+########################## Cross Compile Docker Helper Scripts ##########################
+## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts
+## And these bash scripts do not have any significant difference if at all
+FROM --platform=linux/amd64 docker.io/tonistiigi/xx@{{ xx_image_digest }} AS xx
+{% elif base == "alpine" %}
+########################## ALPINE BUILD IMAGES ##########################
+## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
+## And for Alpine we define all build images here, they will only be loaded when actually used
+{% for arch in build_stage_image[base].arch_image %}
+FROM --platform={{ build_stage_image[base].platform }} {{ build_stage_image[base].arch_image[arch] }} as build_{{ arch }}
+{% endfor %}
+{% endif %}
+
+########################## BUILD IMAGE ##########################
+# hadolint ignore=DL3006
+FROM --platform={{ build_stage_image[base].platform }} {{ build_stage_image[base].image }} as build
+{% if base == "debian" %}
+COPY --from=xx / /
+{% endif %}
+ARG TARGETARCH
+ARG TARGETVARIANT
+ARG TARGETPLATFORM
-########################## BUILD IMAGE ##########################
-FROM {{ build_stage_base_image }} as build
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive \
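Review bot: The `# hadolint ignore=DL3006` above the build-stage `FROM` is emitted for both bases, but only the Alpine rendering appears to need it, because there the image is the stage alias `build_${TARGETARCH}${TARGETVARIANT}` from DockerSettings.yaml; for Debian it silences the check on a real registry image. Consider wrapping the directive in `{% if base == "alpine" %}` … `{% endif %}` and adding a comment such as `# Resolves to one of the build_<arch> stages defined above; a TARGETARCH/TARGETVARIANT not listed in arch_image is not a stage name and would be looked up as an image`. That fallback is inferred from how `FROM` resolves names rather than visible in this hunk, so it is worth confirming with a build for a platform outside the `platforms` list. The build stage continues past the end of this hunk.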
@@ -91,133 +60,162 @@ ENV DEBIAN_FRONTEND=noninteractive \
TZ=UTC \
TERM=xterm-256color \
CARGO_HOME="/root/.cargo" \
- REGISTRIES_CRATES_IO_PROTOCOL=sparse \
USER="root"
+{%- if base == "alpine" %} \
+ # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11
+ # Debian Bookworm already contains libpq v15
+ PQ_LIB_DIR="/usr/local/musl/pq15/lib"
+{% endif %}
-# Create CARGO_HOME folder and don't download rust docs
-RUN {{ mount_rust_cache -}} mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
+{% if base == "debian" %}
-{% if "alpine" in target_file %}
-# Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11
-# Debian Bookworm already contains libpq v15
-ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib"
-{% if "armv6" in target_file %}
-# To be able to build the armv6 image with mimalloc we need to tell the linker to also look for libatomic
-ENV RUSTFLAGS='-Clink-arg=-latomic'
-{% endif %}
-{% elif "arm" in target_file %}
-# Install build dependencies for the {{ package_arch_name }} architecture
-RUN {{ mount_rust_cache -}} dpkg --add-architecture {{ package_arch_name }} \
- && apt-get update \
- && apt-get install -y \
+# Install clang to get `xx-cargo` working
+# Install pkg-config to allow amd64 builds to find all libraries
+# Install git so build.rs can determine the correct version
+# Install the libc cross packages based upon the debian-arch
+RUN apt-get update && \
+ apt-get install -y \
--no-install-recommends \
- gcc-{{ package_cross_compiler }} \
- libc6-dev{{ package_arch_prefix }} \
- linux-libc-dev{{ package_arch_prefix }} \
- libmariadb-dev{{ package_arch_prefix }} \
- libmariadb-dev-compat{{ package_arch_prefix }} \
- libmariadb3{{ package_arch_prefix }} \
- libpq-dev{{ package_arch_prefix }} \
- libpq5{{ package_arch_prefix }} \
- libssl-dev{{ package_arch_prefix }} \
- #
- # Make sure cargo has the right target config
- && echo '[target.{{ package_arch_target }}]' >> "${CARGO_HOME}/config" \
- && echo 'linker = "{{ package_cross_compiler }}-gcc"' >> "${CARGO_HOME}/config" \
- && echo 'rustflags = ["-L/usr/lib/{{ package_cross_compiler }}"]' >> "${CARGO_HOME}/config"
-
-# Set arm specific environment values
-ENV CC_{{ package_arch_target | replace("-", "_") }}="/usr/bin/{{ package_cross_compiler }}-gcc" \
- CROSS_COMPILE="1" \
- OPENSSL_INCLUDE_DIR="/usr/include/{{ package_cross_compiler }}" \
- OPENSSL_LIB_DIR="/usr/lib/{{ package_cross_compiler }}"
-{% elif "amd64" in target_file %}
-# Install build dependencies
-RUN apt-get update \
- && apt-get install -y \
+ clang \
+ pkg-config \
+ git \
+ "libc6-$(xx-info debian-arch)-cross" \
+ "libc6-dev-$(xx-info debian-arch)-cross" \
+ "linux-libc-dev-$(xx-info debian-arch)-cross" && \
+ # Run xx-cargo early, since it sometimes seems to break when run at a later stage
+ echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo
+
+RUN xx-apt-get install -y \
--no-install-recommends \
- libmariadb-dev \
- libpq-dev
+ gcc \
+ libmariadb3 \
+ libpq-dev \
+ libpq5 \
+ libssl-dev && \
+ # Force install arch dependend mariadb dev packages
+ # Installing them the normal way breaks several other packages (again)
+ apt-get download "libmariadb-dev-compat:$(xx-info debian-arch)" "libmariadb-dev:$(xx-info debian-arch)" && \
+ dpkg --force-all -i ./libmariadb-dev*.deb
{% endif %}
+# Create CARGO_HOME folder and don't download rust docs
+RUN mkdir -pv "${CARGO_HOME}" \
+ && rustup set profile minimal
+
# Creates a dummy project used to grab dependencies
RUN USER=root cargo new --bin /app
WORKDIR /app
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain.toml ./rust-toolchain.toml
-COPY ./build.rs ./build.rs
-
-{% if package_arch_target is defined %}
-RUN {{ mount_rust_cache -}} rustup target add {{ package_arch_target }}
-{% endif %}
+{% if base == "debian" %}
+# Environment variables for cargo across Debian and Alpine
+RUN source /env-cargo && \
+ if xx-info is-cross ; then \
+ # We can't use xx-cargo since that uses clang, which doesn't work for our libraries.
+ # Because of this we generate the needed environment variables here which we can load in the needed steps.
+ echo "export CC_$(echo "${CARGO_TARGET}" | tr '[:upper:]' '[:lower:]' | tr - _)=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
+ echo "export CARGO_TARGET_$(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_LINKER=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
+ echo "export PKG_CONFIG=/usr/bin/$(xx-info)-pkg-config" >> /env-cargo && \
+ echo "export CROSS_COMPILE=1" >> /env-cargo && \
+ echo "export OPENSSL_INCLUDE_DIR=/usr/include/$(xx-info)" >> /env-cargo && \
+ echo "export OPENSSL_LIB_DIR=/usr/lib/$(xx-info)" >> /env-cargo ; \
+ fi && \
+ # Output the current contents of the file
+ cat /env-cargo
# Configure the DB ARG as late as possible to not invalidate the cached layers above
-{% if "alpine" in target_file %}
+ARG DB=sqlite,mysql,postgresql
+{% elif base == "alpine" %}
+# Shared variables across Debian and Alpine
+RUN echo "export CARGO_TARGET=${RUST_MUSL_CROSS_TARGET}" >> /env-cargo && \
+ # To be able to build the armv6 image with mimalloc we need to tell the linker to also look for libatomic
+ if [[ "${TARGETARCH}${TARGETVARIANT}" == "armv6" ]] ; then echo "export RUSTFLAGS='-Clink-arg=-latomic'" >> /env-cargo ; fi && \
+ # Output the current contents of the file
+ cat /env-cargo
+
# Enable MiMalloc to improve performance on Alpine builds
ARG DB=sqlite,mysql,postgresql,enable_mimalloc
-{% else %}
-ARG DB=sqlite,mysql,postgresql
{% endif %}
+RUN source /env-cargo && \
+ rustup target add "${CARGO_TARGET}"
+
+ARG CARGO_PROFILE=release
+ARG VW_VERSION
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain.toml ./rust-toolchain.toml
+COPY ./build.rs ./build.rs
+
# Builds your dependencies and removes the
# dummy project, except the target folder
# This folder contains the compiled dependencies
-RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }} \
- && find . -not -path "./target*" -delete
+RUN source /env-cargo && \
+ cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
+ find . -not -path "./target*" -delete
# Copies the complete project
# To avoid copying unneeded files, use .dockerignore
COPY . .
-# Make sure that we actually build the project
-RUN touch src/main.rs
+# Builds again, this time it will be the actual source files being build
+RUN source /env-cargo && \
+ # Make sure that we actually build the project by updating the src/main.rs timestamp
+ touch src/main.rs && \
+ # Create a symlink to the binary target folder to easy copy the binary in the final stage
+ cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
+ if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \
+ ln -vfsr "/app/target/${CARGO_TARGET}/debug" /app/target/final ; \
+ else \
+ ln -vfsr "/app/target/${CARGO_TARGET}/${CARGO_PROFILE}" /app/target/final ; \
+ fi
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }}
######################## RUNTIME IMAGE ########################
# Create a new stage with a minimal image
# because we already have a binary built
-FROM {{ runtime_stage_base_image }}
+#
+# To build these images you need to have qemu binfmt support.
+# See the following pages to help install these tools locally
+# Ubuntu/Debian: https://wiki.debian.org/QemuUserEmulation
+# Arch Linux: https://wiki.archlinux.org/title/QEMU#Chrooting_into_arm/arm64_environment_from_x86_64
+#
+# Or use a Docker image which modifies your host system to support this.
+# The GitHub Actions Workflow uses the same image as used below.
+# See: https://github.com/tonistiigi/binfmt
+# Usage: docker run --privileged --rm tonistiigi/binfmt --install arm64,arm
+# To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
+#
+# We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742
+FROM --platform=$TARGETPLATFORM {{ runtime_stage_image[base] }}
ENV ROCKET_PROFILE="release" \
ROCKET_ADDRESS=0.0.0.0 \
ROCKET_PORT=80
-{%- if "alpine" in runtime_stage_base_image %} \
+{%- if base == "debian" %} \
+ DEBIAN_FRONTEND=noninteractive
+{% elif base == "alpine" %} \
SSL_CERT_DIR=/etc/ssl/certs
{% endif %}
-
-{% if "amd64" not in target_file %}
-RUN [ "cross-build-start" ]
-{% endif %}
-
# Create data folder and Install needed libraries
-RUN mkdir /data \
-{% if "alpine" in runtime_stage_base_image %}
- && apk add --no-cache \
+RUN mkdir /data && \
+{% if base == "debian" %}
+ apt-get update && apt-get install -y \
+ --no-install-recommends \
+ ca-certificates \
+ curl \
+ libmariadb-dev-compat \
+ libpq5 \
+ openssl && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/*
+{% elif base == "alpine" %}
+ apk --no-cache add \
ca-certificates \
curl \
openssl \
tzdata
-{% else %}
- && apt-get update && apt-get install -y \
- --no-install-recommends \
- ca-certificates \
- curl \
- libmariadb-dev-compat \
- libpq5 \
- openssl \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-{% endif %}
-
-{% if "amd64" not in target_file %}
-RUN [ "cross-build-end" ]
{% endif %}
VOLUME /data
@@ -227,16 +225,13 @@ EXPOSE 3012
# Copies the files from the context (Rocket.toml file and web-vault)
# and the binary from the "build" stage to the current stage
WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-{% if package_arch_target is defined %}
-COPY --from=build /app/target/{{ package_arch_target }}/release/vaultwarden .
-{% else %}
-COPY --from=build /app/target/release/vaultwarden .
-{% endif %}
COPY docker/healthcheck.sh /healthcheck.sh
COPY docker/start.sh /start.sh
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/final/vaultwarden .
+
HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
CMD ["/start.sh"]
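Review bot: The comment that opens this hunk no longer matches the COPY lines below it. It says the context supplies "(Rocket.toml file and web-vault)", but the files copied from the context are `docker/healthcheck.sh` and `docker/start.sh`, and web-vault comes from the `vault` stage. I would reword it to `# Copies the scripts from the context, the web-vault from the "vault" stage and the binary from the "build" stage`. The binary path also deserves a line such as `# /app/target/final is a symlink created by the last RUN of the build stage`, because cargo does not produce that directory itself; the `ln -vfsr` in the build stage does. Without that hint, a reader who later changes the profile handling cannot tell that this COPY depends on the symlink step.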
diff --git a/docker/Makefile b/docker/Makefile
index d7c0ab80..e8c0760a 100644
--- a/docker/Makefile
+++ b/docker/Makefile
@@ -1,15 +1,4 @@
-OBJECTS := $(shell find ./ -mindepth 2 -name 'Dockerfile*')
-
-all: $(OBJECTS)
-
-%/Dockerfile: Dockerfile.j2 render_template
- ./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"
-
-%/Dockerfile.alpine: Dockerfile.j2 render_template
- ./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"
-
-%/Dockerfile.buildkit: Dockerfile.j2 render_template
- ./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"
-
-%/Dockerfile.buildkit.alpine: Dockerfile.j2 render_template
- ./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"
+all:
+ ./render_template Dockerfile.j2 '{"base": "debian"}' > Dockerfile.debian
+ ./render_template Dockerfile.j2 '{"base": "alpine"}' > Dockerfile.alpine
+.PHONY: all
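Review bot: Both recipe lines of the new `all` target redirect straight into `Dockerfile.debian` and `Dockerfile.alpine`, so the shell truncates each file before `render_template` has produced anything. A failed render therefore leaves an empty or partial Dockerfile in the tree, and that file can then be committed or built from; the removed pattern rules behaved the same way. Rendering to a temporary name and renaming on success avoids this: `./render_template Dockerfile.j2 '{"base": "debian"}' > Dockerfile.debian.tmp && mv Dockerfile.debian.tmp Dockerfile.debian`, and likewise for alpine. A one-line comment above `all:` would also help, for example `# Dockerfile.debian and Dockerfile.alpine are generated; edit Dockerfile.j2 and re-run make`.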
diff --git a/docker/README.md b/docker/README.md
index 1dbfe22c..3c74043c 100644
--- a/docker/README.md
+++ b/docker/README.md
@@ -1,3 +1,183 @@
-The arch-specific directory names follow the arch identifiers used by the Docker official images:
+# Vaultwarden Container Building
-https://github.com/docker-library/official-images/blob/master/README.md#architectures-other-than-amd64
+To build and release new testing and stable releases of Vaultwarden we use `docker buildx bake`.<br>
+This can be used locally by running the command yourself, but it is also used by GitHub Actions.
+
+This makes it easier for us to test and maintain the different architectures we provide.<br>
+We also just have two Dockerfile's one for Debian and one for Alpine based images.<br>
+With just these two files we can build both Debian and Alpine images for the following platforms:
+ - amd64 (linux/amd64)
+ - arm64 (linux/arm64)
+ - armv7 (linux/arm/v7)
+ - armv6 (linux/arm/v6)
+
+To build these containers you need to enable QEMU binfmt support to be able to run/emulate architectures which are different then your host.<br>
+This ensures the container build process can run binaries from other architectures.<br>
+
+**NOTE**: Run all the examples below from the root of the repo.<br>
+
+
+## How to install QEMU binfmt support
+
+This is different per host OS, but most support this in some way.<br>
+
+### Ubuntu/Debian
+```bash
+apt install binfmt-support qemu-user-static
+```
+
+### Arch Linux (others based upon it)
+```bash
+pacman -S qemu-user-static qemu-user-static-binfmt
+```
+
+### Fedora
+```bash
+dnf install qemu-user-static
+```
+
+### Others
+There also is an option to use an other docker container to provide support for this.
+```bash
+# To install and activate
+docker run --privileged --rm tonistiigi/binfmt --install arm64,arm
+# To unistall
+docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
+```
+
+
+## Single architecture container building
+
+You can build a container per supported architecture as long as you have QEMU binfmt support installed on your system.<br>
+
+```bash
+# Default bake triggers a Debian build using the hosts architecture
+docker buildx bake --file docker/docker-bake.hcl
+
+# Bake Debian ARM64 using a debug build
+CARGO_PROFILE=dev \
+SOURCE_COMMIT="$(git rev-parse HEAD)" \
+docker buildx bake --file docker/docker-bake.hcl debian-arm64
+
+# Bake Alpine ARMv6 as a release build
+SOURCE_COMMIT="$(git rev-parse HEAD)" \
+docker buildx bake --file docker/docker-bake.hcl alpine-armv6
+```
+
+
+## Local Multi Architecture container building
+
+Start the initialization, this only needs to be done once.
+
+```bash
+# Create and use a new buildx builder instance which connects to the host network
+docker buildx create --name vaultwarden --use --driver-opt network=host
+
+# Validate it runs
+docker buildx inspect --bootstrap
+
+# Create a local container registry directly reachable on the localhost
+docker run -d --name registry --network host registry:2
+```
+
+After that is done, you should be able to build and push to the local registry.<br>
+Use the following command with the modified variables to bake the Alpine images.<br>
+Replace `alpine` with `debian` if you want to build the debian multi arch images.
+
+```bash
+# Start a buildx bake using a debug build
+CARGO_PROFILE=dev \
+SOURCE_COMMIT="$(git rev-parse HEAD)" \
+CONTAINER_REGISTRIES="localhost:5000/vaultwarden/server" \
+docker buildx bake --file docker/docker-bake.hcl alpine-multi
+```
+
+
+## Using the `bake.sh` script
+
+To make it a bit more easier to trigger a build, there also is a `bake.sh` script.<br>
+This script calls `docker buildx bake` with all the right parameters and also generates the `SOURCE_COMMIT` and `SOURCE_VERSION` variables.<br>
+This script can be called from both the repo root or within the docker directory.
+
+So, if you want to build a Multi Arch Alpine container pushing to your localhost registry you can run this from within the docker directory. (Just make sure you executed the initialization steps above first)
+```bash
+CONTAINER_REGISTRIES="localhost:5000/vaultwarden/server" \
+./bake.sh alpine-multi
+```
+
+Or if you want to just build a Debian container from the repo root, you can run this.
+```bash
+docker/bake.sh
+```
+
+You can append both `alpine` and `debian` with `-amd64`, `-arm64`, `-armv7` or `-armv6`, which will trigger a build for that specific platform.<br>
+This will also append those values to the tag so you can see the builded container when running `docker images`.
+
+You can also append extra arguments after the target if you want. This can be useful for example to print what bake will use.
+```bash
+docker/bake.sh alpine-all --print
+```
+
+### Testing baked images
+
+To test these images you can run these images by using the correct tag and provide the platform.<br>
+For example, after you have build an arm64 image via `./bake.sh debian-arm64` you can run:
+```bash
+docker run --rm -it \
+ -e DISABLE_ADMIN_TOKEN=true \
+ -e I_REALLY_WANT_VOLATILE_STORAGE=true \
+ -p8080:80 --platform=linux/arm64 \
+ vaultwarden/server:testing-arm64
+```
+
+
+## Using the `podman-bake.sh` script
+
+To also make building easier using podman, there is a `podman-bake.sh` script.<br>
+This script calls `podman buildx build` with the needed parameters and the same as `bake.sh`, it will generate some variables automatically.<br>
+This script can be called from both the repo root or within the docker directory.
+
+**NOTE:** Unlike the `bake.sh` script, this only supports a single `CONTAINER_REGISTRIES`, and a single `BASE_TAGS` value, no comma separated values. It also only supports building separate architectures, no Multi Arch containers.
+
+To build an Alpine arm64 image with only sqlite support and mimalloc, run this:
+```bash
+DB="sqlite,enable_mimalloc" \
+./podman-bake.sh alpine-arm64
+```
+
+Or if you want to just build a Debian container from the repo root, you can run this.
+```bash
+docker/podman-bake.sh
+```
+
+You can append extra arguments after the target if you want. This can be useful for example to disable cache like this.
+```bash
+./podman-bake.sh alpine-arm64 --no-cache
+```
+
+For the podman builds you can, just like the `bake.sh` script, also append the architecture to build for that specific platform.<br>
+
+### Testing podman builded images
+
+The command to start a podman built container is almost the same as for the docker/bake built containers. The images start with `localhost/`, so you need to prepend that.
+
+```bash
+podman run --rm -it \
+ -e DISABLE_ADMIN_TOKEN=true \
+ -e I_REALLY_WANT_VOLATILE_STORAGE=true \
+ -p8080:80 --platform=linux/arm64 \
+ localhost/vaultwarden/server:testing-arm64
+```
+
+
+## Variables supported
+| Variable | default | description |
+| --------------------- | ------------------ | ----------- |
+| CARGO_PROFILE | null | Which cargo profile to use. `null` means what is defined in the Dockerfile |
+| DB | null | Which `features` to build. `null` means what is defined in the Dockerfile |
+| SOURCE_REPOSITORY_URL | null | The source repository form where this build is triggered |
+| SOURCE_COMMIT | null | The commit hash of the current commit for this build |
+| SOURCE_VERSION | null | The current exact tag of this commit, else the last tag and the first 8 chars of the source commit |
+| BASE_TAGS | testing | Tags to be used. Can be a comma separated value like "latest,1.29.2" |
+| CONTAINER_REGISTRIES | vaultwarden/server | Comma separated value of container registries. Like `ghcr.io/dani-garcia/vaultwarden,docker.io/vaultwarden/server` |
+| VW_VERSION | null | To override the `SOURCE_VERSION` value. This is also used by the `build.rs` code for example |
diff --git a/docker/amd64/Dockerfile b/docker/amd64/Dockerfile
deleted file mode 100644
index 2efaf77a..00000000
--- a/docker/amd64/Dockerfile
+++ /dev/null
@@ -1,119 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# https://docs.docker.com/develop/develop-images/multistage-build/
-# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-# click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2
-# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2
-# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252]
-#
-# - Conversely, to get the tag name from the digest:
-# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252
-# [docker.io/vaultwarden/web-vault:v2023.8.2]
-#
-FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault
-
-########################## BUILD IMAGE ##########################
-FROM docker.io/library/rust:1.72.0-bookworm as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- REGISTRIES_CRATES_IO_PROTOCOL=sparse \
- USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-# Install build dependencies
-RUN apt-get update \
- && apt-get install -y \
- --no-install-recommends \
- libmariadb-dev \
- libpq-dev
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain.toml ./rust-toolchain.toml
-COPY ./build.rs ./build.rs
-
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-ARG DB=sqlite,mysql,postgresql
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --features ${DB} --release
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM docker.io/library/debian:bookworm-slim
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80
-
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apt-get update && apt-get install -y \
- --no-install-recommends \
- ca-certificates \
- curl \
- libmariadb-dev-compat \
- libpq5 \
- openssl \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/docker/amd64/Dockerfile.alpine b/docker/amd64/Dockerfile.alpine
deleted file mode 100644
index 3e4f3efd..00000000
--- a/docker/amd64/Dockerfile.alpine
+++ /dev/null
@@ -1,116 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# https://docs.docker.com/develop/develop-images/multistage-build/
-# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-# click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2
-# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2
-# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252]
-#
-# - Conversely, to get the tag name from the digest:
-# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252
-# [docker.io/vaultwarden/web-vault:v2023.8.2]
-#
-FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault
-
-########################## BUILD IMAGE ##########################
-FROM docker.io/blackdex/rust-musl:x86_64-musl-stable-1.72.0-openssl3 as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- REGISTRIES_CRATES_IO_PROTOCOL=sparse \
- USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-# Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11
-# Debian Bookworm already contains libpq v15
-ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib"
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain.toml ./rust-toolchain.toml
-COPY ./build.rs ./build.rs
-
-RUN rustup target add x86_64-unknown-linux-musl
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-# Enable MiMalloc to improve performance on Alpine builds
-ARG DB=sqlite,mysql,postgresql,enable_mimalloc
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM docker.io/library/alpine:3.17
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80 \
- SSL_CERT_DIR=/etc/ssl/certs
-
-
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apk add --no-cache \
- ca-certificates \
- curl \
- openssl \
- tzdata
-
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/docker/amd64/Dockerfile.buildkit b/docker/amd64/Dockerfile.buildkit
deleted file mode 100644
index eac7a5ea..00000000
--- a/docker/amd64/Dockerfile.buildkit
+++ /dev/null
@@ -1,119 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# https://docs.docker.com/develop/develop-images/multistage-build/
-# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-# click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2
-# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2
-# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252]
-#
-# - Conversely, to get the tag name from the digest:
-# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252
-# [docker.io/vaultwarden/web-vault:v2023.8.2]
-#
-FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault
-
-########################## BUILD IMAGE ##########################
-FROM docker.io/library/rust:1.72.0-bookworm as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- REGISTRIES_CRATES_IO_PROTOCOL=sparse \
- USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-# Install build dependencies
-RUN apt-get update \
- && apt-get install -y \
- --no-install-recommends \
- libmariadb-dev \
- libpq-dev
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain.toml ./rust-toolchain.toml
-COPY ./build.rs ./build.rs
-
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-ARG DB=sqlite,mysql,postgresql
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM docker.io/library/debian:bookworm-slim
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80
-
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apt-get update && apt-get install -y \
- --no-install-recommends \
- ca-certificates \
- curl \
- libmariadb-dev-compat \
- libpq5 \
- openssl \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/docker/amd64/Dockerfile.buildkit.alpine b/docker/amd64/Dockerfile.buildkit.alpine
deleted file mode 100644
index c1f199f5..00000000
--- a/docker/amd64/Dockerfile.buildkit.alpine
+++ /dev/null
@@ -1,116 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# https://docs.docker.com/develop/develop-images/multistage-build/
-# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-# click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2
-# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2
-# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252]
-#
-# - Conversely, to get the tag name from the digest:
-# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252
-# [docker.io/vaultwarden/web-vault:v2023.8.2]
-#
-FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault
-
-########################## BUILD IMAGE ##########################
-FROM docker.io/blackdex/rust-musl:x86_64-musl-stable-1.72.0-openssl3 as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- REGISTRIES_CRATES_IO_PROTOCOL=sparse \
- USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-# Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11
-# Debian Bookworm already contains libpq v15
-ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib"
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain.toml ./rust-toolchain.toml
-COPY ./build.rs ./build.rs
-
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add x86_64-unknown-linux-musl
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-# Enable MiMalloc to improve performance on Alpine builds
-ARG DB=sqlite,mysql,postgresql,enable_mimalloc
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM docker.io/library/alpine:3.17
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80 \
- SSL_CERT_DIR=/etc/ssl/certs
-
-
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apk add --no-cache \
- ca-certificates \
- curl \
- openssl \
- tzdata
-
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/docker/arm64/Dockerfile b/docker/arm64/Dockerfile
deleted file mode 100644
index 910568d0..00000000
--- a/docker/arm64/Dockerfile
+++ /dev/null
@@ -1,141 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# https://docs.docker.com/develop/develop-images/multistage-build/
-# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-# click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2
-# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2
-# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252]
-#
-# - Conversely, to get the tag name from the digest:
-# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252
-# [docker.io/vaultwarden/web-vault:v2023.8.2]
-#
-FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault
-
-########################## BUILD IMAGE ##########################
-FROM docker.io/library/rust:1.72.0-bookworm as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- REGISTRIES_CRATES_IO_PROTOCOL=sparse \
- USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-# Install build dependencies for the arm64 architecture
-RUN dpkg --add-architecture arm64 \
- && apt-get update \
- && apt-get install -y \
- --no-install-recommends \
- gcc-aarch64-linux-gnu \
- libc6-dev:arm64 \
- linux-libc-dev:arm64 \
- libmariadb-dev:arm64 \
- libmariadb-dev-compat:arm64 \
- libmariadb3:arm64 \
- libpq-dev:arm64 \
- libpq5:arm64 \
- libssl-dev:arm64 \
- #
- # Make sure cargo has the right target config
- && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \
- && echo 'linker = "aarch64-linux-gnu-gcc"' >> "${CARGO_HOME}/config" \
- && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> "${CARGO_HOME}/config"
-
-# Set arm specific environment values
-ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \
- CROSS_COMPILE="1" \
- OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \
- OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain.toml ./rust-toolchain.toml
-COPY ./build.rs ./build.rs
-
-RUN rustup target add aarch64-unknown-linux-gnu
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-ARG DB=sqlite,mysql,postgresql
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM docker.io/balenalib/aarch64-debian:bookworm
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80
-
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apt-get update && apt-get install -y \
- --no-install-recommends \
- ca-certificates \
- curl \
- libmariadb-dev-compat \
- libpq5 \
- openssl \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/docker/arm64/Dockerfile.alpine b/docker/arm64/Dockerfile.alpine
deleted file mode 100644
index e23c306a..00000000
--- a/docker/arm64/Dockerfile.alpine
+++ /dev/null
@@ -1,118 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# https://docs.docker.com/develop/develop-images/multistage-build/
-# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-# click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2
-# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2
-# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252]
-#
-# - Conversely, to get the tag name from the digest:
-# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252
-# [docker.io/vaultwarden/web-vault:v2023.8.2]
-#
-FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault
-
-########################## BUILD IMAGE ##########################
-FROM docker.io/blackdex/rust-musl:aarch64-musl-stable-1.72.0-openssl3 as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- REGISTRIES_CRATES_IO_PROTOCOL=sparse \
- USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-# Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11
-# Debian Bookworm already contains libpq v15
-ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib"
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain.toml ./rust-toolchain.toml
-COPY ./build.rs ./build.rs
-
-RUN rustup target add aarch64-unknown-linux-musl
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-# Enable MiMalloc to improve performance on Alpine builds
-ARG DB=sqlite,mysql,postgresql,enable_mimalloc
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM docker.io/balenalib/aarch64-alpine:3.17
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80 \
- SSL_CERT_DIR=/etc/ssl/certs
-
-
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apk add --no-cache \
- ca-certificates \
- curl \
- openssl \
- tzdata
-
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/docker/arm64/Dockerfile.buildkit b/docker/arm64/Dockerfile.buildkit
deleted file mode 100644
index 7f370c4e..00000000
--- a/docker/arm64/Dockerfile.buildkit
+++ /dev/null
@@ -1,141 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# https://docs.docker.com/develop/develop-images/multistage-build/
-# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-# click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2
-# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2
-# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252]
-#
-# - Conversely, to get the tag name from the digest:
-# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252
-# [docker.io/vaultwarden/web-vault:v2023.8.2]
-#
-FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault
-
-########################## BUILD IMAGE ##########################
-FROM docker.io/library/rust:1.72.0-bookworm as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- REGISTRIES_CRATES_IO_PROTOCOL=sparse \
- USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-# Install build dependencies for the arm64 architecture
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry dpkg --add-architecture arm64 \
- && apt-get update \
- && apt-get install -y \
- --no-install-recommends \
- gcc-aarch64-linux-gnu \
- libc6-dev:arm64 \
- linux-libc-dev:arm64 \
- libmariadb-dev:arm64 \
- libmariadb-dev-compat:arm64 \
- libmariadb3:arm64 \
- libpq-dev:arm64 \
- libpq5:arm64 \
- libssl-dev:arm64 \
- #
- # Make sure cargo has the right target config
- && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \
- && echo 'linker = "aarch64-linux-gnu-gcc"' >> "${CARGO_HOME}/config" \
- && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> "${CARGO_HOME}/config"
-
-# Set arm specific environment values
-ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \
- CROSS_COMPILE="1" \
- OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \
- OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain.toml ./rust-toolchain.toml
-COPY ./build.rs ./build.rs
-
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add aarch64-unknown-linux-gnu
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-ARG DB=sqlite,mysql,postgresql
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM docker.io/balenalib/aarch64-debian:bookworm
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80
-
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apt-get update && apt-get install -y \
- --no-install-recommends \
- ca-certificates \
- curl \
- libmariadb-dev-compat \
- libpq5 \
- openssl \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/docker/arm64/Dockerfile.buildkit.alpine b/docker/arm64/Dockerfile.buildkit.alpine
deleted file mode 100644
index 8cad80d3..00000000
--- a/docker/arm64/Dockerfile.buildkit.alpine
+++ /dev/null
@@ -1,118 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# https://docs.docker.com/develop/develop-images/multistage-build/
-# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-# click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2
-# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2
-# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252]
-#
-# - Conversely, to get the tag name from the digest:
-# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252
-# [docker.io/vaultwarden/web-vault:v2023.8.2]
-#
-FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault
-
-########################## BUILD IMAGE ##########################
-FROM docker.io/blackdex/rust-musl:aarch64-musl-stable-1.72.0-openssl3 as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- REGISTRIES_CRATES_IO_PROTOCOL=sparse \
- USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-# Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11
-# Debian Bookworm already contains libpq v15
-ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib"
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain.toml ./rust-toolchain.toml
-COPY ./build.rs ./build.rs
-
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add aarch64-unknown-linux-musl
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-# Enable MiMalloc to improve performance on Alpine builds
-ARG DB=sqlite,mysql,postgresql,enable_mimalloc
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM docker.io/balenalib/aarch64-alpine:3.17
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80 \
- SSL_CERT_DIR=/etc/ssl/certs
-
-
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apk add --no-cache \
- ca-certificates \
- curl \
- openssl \
- tzdata
-
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/docker/armv6/Dockerfile b/docker/armv6/Dockerfile
deleted file mode 100644
index 6480c9a6..00000000
--- a/docker/armv6/Dockerfile
+++ /dev/null
@@ -1,141 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# https://docs.docker.com/develop/develop-images/multistage-build/
-# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-# click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2
-# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2
-# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252]
-#
-# - Conversely, to get the tag name from the digest:
-# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252
-# [docker.io/vaultwarden/web-vault:v2023.8.2]
-#
-FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault
-
-########################## BUILD IMAGE ##########################
-FROM docker.io/library/rust:1.72.0-bookworm as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- REGISTRIES_CRATES_IO_PROTOCOL=sparse \
- USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-# Install build dependencies for the armel architecture
-RUN dpkg --add-architecture armel \
- && apt-get update \
- && apt-get install -y \
- --no-install-recommends \
- gcc-arm-linux-gnueabi \
- libc6-dev:armel \
- linux-libc-dev:armel \
- libmariadb-dev:armel \
- libmariadb-dev-compat:armel \
- libmariadb3:armel \
- libpq-dev:armel \
- libpq5:armel \
- libssl-dev:armel \
- #
- # Make sure cargo has the right target config
- && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \
- && echo 'linker = "arm-linux-gnueabi-gcc"' >> "${CARGO_HOME}/config" \
- && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> "${CARGO_HOME}/config"
-
-# Set arm specific environment values
-ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \
- CROSS_COMPILE="1" \
- OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \
- OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain.toml ./rust-toolchain.toml
-COPY ./build.rs ./build.rs
-
-RUN rustup target add arm-unknown-linux-gnueabi
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-ARG DB=sqlite,mysql,postgresql
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM docker.io/balenalib/rpi-debian:bookworm
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80
-
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apt-get update && apt-get install -y \
- --no-install-recommends \
- ca-certificates \
- curl \
- libmariadb-dev-compat \
- libpq5 \
- openssl \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/docker/armv6/Dockerfile.alpine b/docker/armv6/Dockerfile.alpine
deleted file mode 100644
index acec859a..00000000
--- a/docker/armv6/Dockerfile.alpine
+++ /dev/null
@@ -1,120 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# https://docs.docker.com/develop/develop-images/multistage-build/
-# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-# click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2
-# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2
-# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252]
-#
-# - Conversely, to get the tag name from the digest:
-# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252
-# [docker.io/vaultwarden/web-vault:v2023.8.2]
-#
-FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault
-
-########################## BUILD IMAGE ##########################
-FROM docker.io/blackdex/rust-musl:arm-musleabi-stable-1.72.0-openssl3 as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- REGISTRIES_CRATES_IO_PROTOCOL=sparse \
- USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-# Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11
-# Debian Bookworm already contains libpq v15
-ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib"
-# To be able to build the armv6 image with mimalloc we need to tell the linker to also look for libatomic
-ENV RUSTFLAGS='-Clink-arg=-latomic'
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain.toml ./rust-toolchain.toml
-COPY ./build.rs ./build.rs
-
-RUN rustup target add arm-unknown-linux-musleabi
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-# Enable MiMalloc to improve performance on Alpine builds
-ARG DB=sqlite,mysql,postgresql,enable_mimalloc
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM docker.io/balenalib/rpi-alpine:3.17
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80 \
- SSL_CERT_DIR=/etc/ssl/certs
-
-
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apk add --no-cache \
- ca-certificates \
- curl \
- openssl \
- tzdata
-
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/arm-unknown-linux-musleabi/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/docker/armv6/Dockerfile.buildkit b/docker/armv6/Dockerfile.buildkit
deleted file mode 100644
index 6211d9a3..00000000
--- a/docker/armv6/Dockerfile.buildkit
+++ /dev/null
@@ -1,141 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# https://docs.docker.com/develop/develop-images/multistage-build/
-# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-# click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2
-# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2
-# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252]
-#
-# - Conversely, to get the tag name from the digest:
-# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252
-# [docker.io/vaultwarden/web-vault:v2023.8.2]
-#
-FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault
-
-########################## BUILD IMAGE ##########################
-FROM docker.io/library/rust:1.72.0-bookworm as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- REGISTRIES_CRATES_IO_PROTOCOL=sparse \
- USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-# Install build dependencies for the armel architecture
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry dpkg --add-architecture armel \
- && apt-get update \
- && apt-get install -y \
- --no-install-recommends \
- gcc-arm-linux-gnueabi \
- libc6-dev:armel \
- linux-libc-dev:armel \
- libmariadb-dev:armel \
- libmariadb-dev-compat:armel \
- libmariadb3:armel \
- libpq-dev:armel \
- libpq5:armel \
- libssl-dev:armel \
- #
- # Make sure cargo has the right target config
- && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \
- && echo 'linker = "arm-linux-gnueabi-gcc"' >> "${CARGO_HOME}/config" \
- && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> "${CARGO_HOME}/config"
-
-# Set arm specific environment values
-ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \
- CROSS_COMPILE="1" \
- OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \
- OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain.toml ./rust-toolchain.toml
-COPY ./build.rs ./build.rs
-
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add arm-unknown-linux-gnueabi
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-ARG DB=sqlite,mysql,postgresql
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM docker.io/balenalib/rpi-debian:bookworm
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80
-
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apt-get update && apt-get install -y \
- --no-install-recommends \
- ca-certificates \
- curl \
- libmariadb-dev-compat \
- libpq5 \
- openssl \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/docker/armv6/Dockerfile.buildkit.alpine b/docker/armv6/Dockerfile.buildkit.alpine
deleted file mode 100644
index 21315cb3..00000000
--- a/docker/armv6/Dockerfile.buildkit.alpine
+++ /dev/null
@@ -1,120 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# https://docs.docker.com/develop/develop-images/multistage-build/
-# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-# click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2
-# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2
-# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252]
-#
-# - Conversely, to get the tag name from the digest:
-# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252
-# [docker.io/vaultwarden/web-vault:v2023.8.2]
-#
-FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault
-
-########################## BUILD IMAGE ##########################
-FROM docker.io/blackdex/rust-musl:arm-musleabi-stable-1.72.0-openssl3 as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- REGISTRIES_CRATES_IO_PROTOCOL=sparse \
- USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-# Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11
-# Debian Bookworm already contains libpq v15
-ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib"
-# To be able to build the armv6 image with mimalloc we need to tell the linker to also look for libatomic
-ENV RUSTFLAGS='-Clink-arg=-latomic'
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain.toml ./rust-toolchain.toml
-COPY ./build.rs ./build.rs
-
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add arm-unknown-linux-musleabi
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-# Enable MiMalloc to improve performance on Alpine builds
-ARG DB=sqlite,mysql,postgresql,enable_mimalloc
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM docker.io/balenalib/rpi-alpine:3.17
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80 \
- SSL_CERT_DIR=/etc/ssl/certs
-
-
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apk add --no-cache \
- ca-certificates \
- curl \
- openssl \
- tzdata
-
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/arm-unknown-linux-musleabi/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/docker/armv7/Dockerfile b/docker/armv7/Dockerfile
deleted file mode 100644
index b5174133..00000000
--- a/docker/armv7/Dockerfile
+++ /dev/null
@@ -1,141 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# https://docs.docker.com/develop/develop-images/multistage-build/
-# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-# click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2
-# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2
-# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252]
-#
-# - Conversely, to get the tag name from the digest:
-# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252
-# [docker.io/vaultwarden/web-vault:v2023.8.2]
-#
-FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault
-
-########################## BUILD IMAGE ##########################
-FROM docker.io/library/rust:1.72.0-bookworm as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- REGISTRIES_CRATES_IO_PROTOCOL=sparse \
- USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-# Install build dependencies for the armhf architecture
-RUN dpkg --add-architecture armhf \
- && apt-get update \
- && apt-get install -y \
- --no-install-recommends \
- gcc-arm-linux-gnueabihf \
- libc6-dev:armhf \
- linux-libc-dev:armhf \
- libmariadb-dev:armhf \
- libmariadb-dev-compat:armhf \
- libmariadb3:armhf \
- libpq-dev:armhf \
- libpq5:armhf \
- libssl-dev:armhf \
- #
- # Make sure cargo has the right target config
- && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \
- && echo 'linker = "arm-linux-gnueabihf-gcc"' >> "${CARGO_HOME}/config" \
- && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> "${CARGO_HOME}/config"
-
-# Set arm specific environment values
-ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \
- CROSS_COMPILE="1" \
- OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \
- OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain.toml ./rust-toolchain.toml
-COPY ./build.rs ./build.rs
-
-RUN rustup target add armv7-unknown-linux-gnueabihf
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-ARG DB=sqlite,mysql,postgresql
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM docker.io/balenalib/armv7hf-debian:bookworm
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80
-
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apt-get update && apt-get install -y \
- --no-install-recommends \
- ca-certificates \
- curl \
- libmariadb-dev-compat \
- libpq5 \
- openssl \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/docker/armv7/Dockerfile.alpine b/docker/armv7/Dockerfile.alpine
deleted file mode 100644
index 450d1963..00000000
--- a/docker/armv7/Dockerfile.alpine
+++ /dev/null
@@ -1,118 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# https://docs.docker.com/develop/develop-images/multistage-build/
-# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-# click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2
-# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2
-# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252]
-#
-# - Conversely, to get the tag name from the digest:
-# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252
-# [docker.io/vaultwarden/web-vault:v2023.8.2]
-#
-FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault
-
-########################## BUILD IMAGE ##########################
-FROM docker.io/blackdex/rust-musl:armv7-musleabihf-stable-1.72.0-openssl3 as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- REGISTRIES_CRATES_IO_PROTOCOL=sparse \
- USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-# Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11
-# Debian Bookworm already contains libpq v15
-ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib"
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain.toml ./rust-toolchain.toml
-COPY ./build.rs ./build.rs
-
-RUN rustup target add armv7-unknown-linux-musleabihf
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-# Enable MiMalloc to improve performance on Alpine builds
-ARG DB=sqlite,mysql,postgresql,enable_mimalloc
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM docker.io/balenalib/armv7hf-alpine:3.17
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80 \
- SSL_CERT_DIR=/etc/ssl/certs
-
-
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apk add --no-cache \
- ca-certificates \
- curl \
- openssl \
- tzdata
-
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/docker/armv7/Dockerfile.buildkit b/docker/armv7/Dockerfile.buildkit
deleted file mode 100644
index aa291135..00000000
--- a/docker/armv7/Dockerfile.buildkit
+++ /dev/null
@@ -1,141 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# https://docs.docker.com/develop/develop-images/multistage-build/
-# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-# click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2
-# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2
-# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252]
-#
-# - Conversely, to get the tag name from the digest:
-# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252
-# [docker.io/vaultwarden/web-vault:v2023.8.2]
-#
-FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault
-
-########################## BUILD IMAGE ##########################
-FROM docker.io/library/rust:1.72.0-bookworm as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- REGISTRIES_CRATES_IO_PROTOCOL=sparse \
- USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-# Install build dependencies for the armhf architecture
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry dpkg --add-architecture armhf \
- && apt-get update \
- && apt-get install -y \
- --no-install-recommends \
- gcc-arm-linux-gnueabihf \
- libc6-dev:armhf \
- linux-libc-dev:armhf \
- libmariadb-dev:armhf \
- libmariadb-dev-compat:armhf \
- libmariadb3:armhf \
- libpq-dev:armhf \
- libpq5:armhf \
- libssl-dev:armhf \
- #
- # Make sure cargo has the right target config
- && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \
- && echo 'linker = "arm-linux-gnueabihf-gcc"' >> "${CARGO_HOME}/config" \
- && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> "${CARGO_HOME}/config"
-
-# Set arm specific environment values
-ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \
- CROSS_COMPILE="1" \
- OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \
- OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain.toml ./rust-toolchain.toml
-COPY ./build.rs ./build.rs
-
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add armv7-unknown-linux-gnueabihf
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-ARG DB=sqlite,mysql,postgresql
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM docker.io/balenalib/armv7hf-debian:bookworm
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80
-
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apt-get update && apt-get install -y \
- --no-install-recommends \
- ca-certificates \
- curl \
- libmariadb-dev-compat \
- libpq5 \
- openssl \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/docker/armv7/Dockerfile.buildkit.alpine b/docker/armv7/Dockerfile.buildkit.alpine
deleted file mode 100644
index 58a32af9..00000000
--- a/docker/armv7/Dockerfile.buildkit.alpine
+++ /dev/null
@@ -1,118 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# https://docs.docker.com/develop/develop-images/multistage-build/
-# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-# click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2
-# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2
-# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252]
-#
-# - Conversely, to get the tag name from the digest:
-# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252
-# [docker.io/vaultwarden/web-vault:v2023.8.2]
-#
-FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault
-
-########################## BUILD IMAGE ##########################
-FROM docker.io/blackdex/rust-musl:armv7-musleabihf-stable-1.72.0-openssl3 as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- REGISTRIES_CRATES_IO_PROTOCOL=sparse \
- USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-# Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11
-# Debian Bookworm already contains libpq v15
-ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib"
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain.toml ./rust-toolchain.toml
-COPY ./build.rs ./build.rs
-
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add armv7-unknown-linux-musleabihf
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-# Enable MiMalloc to improve performance on Alpine builds
-ARG DB=sqlite,mysql,postgresql,enable_mimalloc
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM docker.io/balenalib/armv7hf-alpine:3.17
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80 \
- SSL_CERT_DIR=/etc/ssl/certs
-
-
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apk add --no-cache \
- ca-certificates \
- curl \
- openssl \
- tzdata
-
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/docker/bake.sh b/docker/bake.sh
new file mode 100755
index 00000000..8aeac2fb
--- /dev/null
+++ b/docker/bake.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+# Determine the basedir of this script.
+# It should be located in the same directory as the docker-bake.hcl
+# This ensures you can run this script from both inside and outside of the docker directory
+BASEDIR=$(RL=$(readlink -n "$0"); SP="${RL:-$0}"; dirname "$(cd "$(dirname "${SP}")" || exit; pwd)/$(basename "${SP}")")
+
+# Load build env's
+source "${BASEDIR}/bake_env.sh"
+
+# Be verbose on what is being executed
+set -x
+
+# Make sure we set the context to `..` so it will go up one directory
+docker buildx bake --progress plain --set "*.context=${BASEDIR}/.." -f "${BASEDIR}/docker-bake.hcl" "$@"
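Review bot: The result of `source "${BASEDIR}/bake_env.sh"` is never checked, so if that file is missing or unreadable the script still reaches the `docker buildx bake` line and builds without the SOURCE_COMMIT and SOURCE_VERSION values that file exports. Those variables record which commit and version the build came from, so the script should stop instead: `source "${BASEDIR}/bake_env.sh" || exit 1`. Separately, `readlink -n "$0"` returns a relative target for a relative symlink, and the `cd` that follows resolves it against the current directory rather than the link's own directory. BASEDIR can therefore be wrong when the script is started through such a link, and a short comment stating that limitation next to the BASEDIR line would help.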
diff --git a/docker/bake_env.sh b/docker/bake_env.sh
new file mode 100644
index 00000000..343f8952
--- /dev/null
+++ b/docker/bake_env.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# If SOURCE_COMMIT is provided via env skip this
+if [ -z "${SOURCE_COMMIT+x}" ]; then
+ SOURCE_COMMIT="$(git rev-parse HEAD)"
+fi
+
+# If VW_VERSION is provided via env use it as SOURCE_VERSION
+# Else define it using git
+if [[ -n "${VW_VERSION}" ]]; then
+ SOURCE_VERSION="${VW_VERSION}"
+else
+ GIT_EXACT_TAG="$(git describe --tags --abbrev=0 --exact-match 2>/dev/null)"
+ if [[ -n "${GIT_EXACT_TAG}" ]]; then
+ SOURCE_VERSION="${GIT_EXACT_TAG}"
+ else
+ GIT_LAST_TAG="$(git describe --tags --abbrev=0)"
+ SOURCE_VERSION="${GIT_LAST_TAG}-${SOURCE_COMMIT:0:8}"
+ GIT_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+ case "${GIT_BRANCH}" in
+ main|master|HEAD)
+ # Do not add the branch name for these branches
+ ;;
+ *)
+ SOURCE_VERSION="${SOURCE_VERSION} (${GIT_BRANCH})"
+ ;;
+ esac
+ fi
+fi
+
+# Export the rendered variables above so bake will use them
+export SOURCE_COMMIT
+export SOURCE_VERSION
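Review bot: The guard `[ -z "${SOURCE_COMMIT+x}" ]` only tests whether the variable is set, so an exported but empty `SOURCE_COMMIT` (a CI variable that expanded to nothing, for instance) skips `git rev-parse`, and the fallback version then ends in a bare `-` with an empty revision. Testing the value instead, `if [ -z "${SOURCE_COMMIT}" ]; then`, covers both cases. In the same fallback branch `git describe --tags --abbrev=0` has no default when no tag is reachable (presumably the case in a shallow clone), which leaves `SOURCE_VERSION` starting with `-`; a line such as `GIT_LAST_TAG="${GIT_LAST_TAG:-unknown}"` after it would keep the version label readable.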
diff --git a/docker/docker-bake.hcl b/docker/docker-bake.hcl
new file mode 100644
index 00000000..332b46c9
--- /dev/null
+++ b/docker/docker-bake.hcl
@@ -0,0 +1,229 @@
+// ==== Baking Variables ====
+
+// Set which cargo profile to use, dev or release for example
+// Use the value provided in the Dockerfile as default
+variable "CARGO_PROFILE" {
+ default = null
+}
+
+// Set which DB's (features) to enable
+// Use the value provided in the Dockerfile as default
+variable "DB" {
+ default = null
+}
+
+// The repository this build was triggered from
+variable "SOURCE_REPOSITORY_URL" {
+ default = null
+}
+
+// The commit hash of of the current commit this build was triggered on
+variable "SOURCE_COMMIT" {
+ default = null
+}
+
+// The version of this build
+// Typically the current exact tag of this commit,
+// else the last tag and the first 8 characters of the source commit
+variable "SOURCE_VERSION" {
+ default = null
+}
+
+// This can be used to overwrite SOURCE_VERSION
+// It will be used during the build.rs building stage
+variable "VW_VERSION" {
+ default = null
+}
+
+// The base tag(s) to use
+// This can be a comma separated value like "testing,1.29.2"
+variable "BASE_TAGS" {
+ default = "testing"
+}
+
+// Which container registries should be used for the tagging
+// This can be a comma separated value
+// Use a full URI like `ghcr.io/dani-garcia/vaultwarden,docker.io/vaultwarden/server`
+variable "CONTAINER_REGISTRIES" {
+ default = "vaultwarden/server"
+}
+
+
+// ==== Baking Groups ====
+
+group "default" {
+ targets = ["debian"]
+}
+
+
+// ==== Shared Baking ====
+function "labels" {
+ params = []
+ result = {
+ "org.opencontainers.image.description" = "Unofficial Bitwarden compatible server written in Rust - ${SOURCE_VERSION}"
+ "org.opencontainers.image.licenses" = "AGPL-3.0-only"
+ "org.opencontainers.image.documentation" = "https://github.com/dani-garcia/vaultwarden/wiki"
+ "org.opencontainers.image.url" = "https://github.com/dani-garcia/vaultwarden"
+ "org.opencontainers.image.created" = "${formatdate("YYYY-MM-DD'T'hh:mm:ssZZZZZ", timestamp())}"
+ "org.opencontainers.image.source" = "${SOURCE_REPOSITORY_URL}"
+ "org.opencontainers.image.revision" = "${SOURCE_COMMIT}"
+ "org.opencontainers.image.version" = "${SOURCE_VERSION}"
+ }
+}
+
+target "_default_attributes" {
+ labels = labels()
+ args = {
+ DB = "${DB}"
+ CARGO_PROFILE = "${CARGO_PROFILE}"
+ VW_VERSION = "${VW_VERSION}"
+ }
+}
+
+
+// ==== Debian Baking ====
+
+// Default Debian target, will build a container using the hosts platform architecture
+target "debian" {
+ inherits = ["_default_attributes"]
+ dockerfile = "docker/Dockerfile.debian"
+ tags = generate_tags("", platform_tag())
+ output = [join(",", flatten([["type=docker"], image_index_annotations()]))]
+}
+
+// Multi Platform target, will build one tagged manifest with all supported architectures
+// This is mainly used by GitHub Actions to build and push new containers
+target "debian-multi" {
+ inherits = ["debian"]
+ platforms = ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"]
+ tags = generate_tags("", "")
+ output = [join(",", flatten([["type=registry"], image_index_annotations()]))]
+}
+
+// Per platform targets, to individually test building per platform locally
+target "debian-amd64" {
+ inherits = ["debian"]
+ platforms = ["linux/amd64"]
+ tags = generate_tags("", "-amd64")
+}
+
+target "debian-arm64" {
+ inherits = ["debian"]
+ platforms = ["linux/arm64"]
+ tags = generate_tags("", "-arm64")
+}
+
+target "debian-armv7" {
+ inherits = ["debian"]
+ platforms = ["linux/arm/v7"]
+ tags = generate_tags("", "-armv7")
+}
+
+target "debian-armv6" {
+ inherits = ["debian"]
+ platforms = ["linux/arm/v6"]
+ tags = generate_tags("", "-armv6")
+}
+
+// A Group to build all platforms individually for local testing
+group "debian-all" {
+ targets = ["debian-amd64", "debian-arm64", "debian-armv7", "debian-armv6"]
+}
+
+
+// ==== Alpine Baking ====
+
+// Default Alpine target, will build a container using the hosts platform architecture
+target "alpine" {
+ inherits = ["_default_attributes"]
+ dockerfile = "docker/Dockerfile.alpine"
+ tags = generate_tags("-alpine", platform_tag())
+ output = [join(",", flatten([["type=docker"], image_index_annotations()]))]
+}
+
+// Multi Platform target, will build one tagged manifest with all supported architectures
+// This is mainly used by GitHub Actions to build and push new containers
+target "alpine-multi" {
+ inherits = ["alpine"]
+ platforms = ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"]
+ tags = generate_tags("-alpine", "")
+ output = [join(",", flatten([["type=registry"], image_index_annotations()]))]
+}
+
+// Per platform targets, to individually test building per platform locally
+target "alpine-amd64" {
+ inherits = ["alpine"]
+ platforms = ["linux/amd64"]
+ tags = generate_tags("-alpine", "-amd64")
+}
+
+target "alpine-arm64" {
+ inherits = ["alpine"]
+ platforms = ["linux/arm64"]
+ tags = generate_tags("-alpine", "-arm64")
+}
+
+target "alpine-armv7" {
+ inherits = ["alpine"]
+ platforms = ["linux/arm/v7"]
+ tags = generate_tags("-alpine", "-armv7")
+}
+
+target "alpine-armv6" {
+ inherits = ["alpine"]
+ platforms = ["linux/arm/v6"]
+ tags = generate_tags("-alpine", "-armv6")
+}
+
+// A Group to build all platforms individually for local testing
+group "alpine-all" {
+ targets = ["alpine-amd64", "alpine-arm64", "alpine-armv7", "alpine-armv6"]
+}
+
+
+// ==== Bake everything locally ====
+
+group "all" {
+ targets = ["debian-all", "alpine-all"]
+}
+
+
+// ==== Baking functions ====
+
+// This will return the local platform as amd64, arm64 or armv7 for example
+// It can be used for creating a local image tag
+function "platform_tag" {
+ params = []
+ result = "-${replace(replace(BAKE_LOCAL_PLATFORM, "linux/", ""), "/", "")}"
+}
+
+
+function "get_container_registries" {
+ params = []
+ result = flatten(split(",", CONTAINER_REGISTRIES))
+}
+
+function "get_base_tags" {
+ params = []
+ result = flatten(split(",", BASE_TAGS))
+}
+
+function "generate_tags" {
+ params = [
+ suffix, // What to append to the BASE_TAG when needed, like `-alpine` for example
+ platform // the platform we are building for if needed
+ ]
+ result = flatten([
+ for registry in get_container_registries() :
+ [for base_tag in get_base_tags() :
+ concat(["${registry}:${base_tag}${suffix}${platform}"])]
+ ])
+}
+
+function "image_index_annotations" {
+ params = []
+ result = flatten([
+ for key, value in labels() :
+ value != null ? formatlist("annotation-index.%s=%s", "${key}", "${value}") : []
+ ])
+}
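Review bot: In `labels()` the description embeds `${SOURCE_VERSION}` inside a longer string while the variable defaults to `null`; as far as I know HCL passes a null through a lone `"${X}"` (which the `value != null` filter in `image_index_annotations` relies on) but refuses to interpolate null into a larger template, so running bake on this file without going through bake.sh would probably fail at that line. A guard in the same style as the filter keeps the file usable on its own: `"org.opencontainers.image.description" = "Unofficial Bitwarden compatible server written in Rust - ${SOURCE_VERSION != null ? SOURCE_VERSION : "unknown"}"`. The comments on `SOURCE_COMMIT` and `SOURCE_REPOSITORY_URL` could also say that the revision and source labels are whatever the caller's environment supplies and are not checked against the build context, so they are informational rather than provenance.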
diff --git a/docker/healthcheck.sh b/docker/healthcheck.sh
index ee95d57d..5021b187 100755
--- a/docker/healthcheck.sh
+++ b/docker/healthcheck.sh
@@ -10,7 +10,7 @@ CONFIG_FILE="${DATA_FOLDER}"/config.json
# Given a config key, return the corresponding config value from the
# config file. If the key doesn't exist, return an empty string.
get_config_val() {
- local key="$1"
+ key="$1"
# Extract a line of the form:
# "domain": "https://bw.example.com/path",
grep "\"${key}\":" "${CONFIG_FILE}" |
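Review bot: With `local` dropped, `key` in `get_config_val` becomes a script-wide variable that every call overwrites; presumably this is for POSIX sh compatibility, but nothing on the line says so. A comment such as `# no 'local' here: it is not POSIX sh, so key is global on purpose` would stop someone from reintroducing it or reusing the name elsewhere in the script. The function body continues past the end of this hunk, so I have not checked how the value is used further down.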
diff --git a/docker/podman-bake.sh b/docker/podman-bake.sh
new file mode 100755
index 00000000..9c97825e
--- /dev/null
+++ b/docker/podman-bake.sh
@@ -0,0 +1,105 @@
+#!/usr/bin/env bash
+
+# Determine the basedir of this script.
+# It should be located in the same directory as the docker-bake.hcl
+# This ensures you can run this script from both inside and outside of the docker directory
+BASEDIR=$(RL=$(readlink -n "$0"); SP="${RL:-$0}"; dirname "$(cd "$(dirname "${SP}")" || exit; pwd)/$(basename "${SP}")")
+
+# Load build env's
+source "${BASEDIR}/bake_env.sh"
+
+# Check if a target is given as first argument
+# If not we assume the defaults and pass the given arguments to the podman command
+case "${1}" in
+ alpine*|debian*)
+ TARGET="${1}"
+ # Now shift the $@ array so we only have the rest of the arguments
+ # This allows us too append these as extra arguments too the podman buildx build command
+ shift
+ ;;
+esac
+
+LABEL_ARGS=(
+ --label org.opencontainers.image.description="Unofficial Bitwarden compatible server written in Rust"
+ --label org.opencontainers.image.licenses="AGPL-3.0-only"
+ --label org.opencontainers.image.documentation="https://github.com/dani-garcia/vaultwarden/wiki"
+ --label org.opencontainers.image.url="https://github.com/dani-garcia/vaultwarden"
+ --label org.opencontainers.image.created="$(date --utc --iso-8601=seconds)"
+)
+if [[ -n "${SOURCE_REPOSITORY_URL}" ]]; then
+ LABEL_ARGS+=(--label org.opencontainers.image.source="${SOURCE_REPOSITORY_URL}")
+fi
+if [[ -n "${SOURCE_COMMIT}" ]]; then
+ LABEL_ARGS+=(--label org.opencontainers.image.revision="${SOURCE_COMMIT}")
+fi
+if [[ -n "${SOURCE_VERSION}" ]]; then
+ LABEL_ARGS+=(--label org.opencontainers.image.version="${SOURCE_VERSION}")
+fi
+
+# Check if and which --build-arg arguments we need to configure
+BUILD_ARGS=()
+if [[ -n "${DB}" ]]; then
+ BUILD_ARGS+=(--build-arg DB="${DB}")
+fi
+if [[ -n "${CARGO_PROFILE}" ]]; then
+ BUILD_ARGS+=(--build-arg CARGO_PROFILE="${CARGO_PROFILE}")
+fi
+if [[ -n "${VW_VERSION}" ]]; then
+ BUILD_ARGS+=(--build-arg VW_VERSION="${VW_VERSION}")
+fi
+
+# Set the default BASE_TAGS if non are provided
+if [[ -z "${BASE_TAGS}" ]]; then
+ BASE_TAGS="testing"
+fi
+
+# Set the default CONTAINER_REGISTRIES if non are provided
+if [[ -z "${CONTAINER_REGISTRIES}" ]]; then
+ CONTAINER_REGISTRIES="vaultwarden/server"
+fi
+
+# Check which Dockerfile we need to use, default is debian
+case "${TARGET}" in
+ alpine*)
+ BASE_TAGS="${BASE_TAGS}-alpine"
+ DOCKERFILE="Dockerfile.alpine"
+ ;;
+ *)
+ DOCKERFILE="Dockerfile.debian"
+ ;;
+esac
+
+# Check which platform we need to build and append the BASE_TAGS with the architecture
+case "${TARGET}" in
+ *-arm64)
+ BASE_TAGS="${BASE_TAGS}-arm64"
+ PLATFORM="linux/arm64"
+ ;;
+ *-armv7)
+ BASE_TAGS="${BASE_TAGS}-armv7"
+ PLATFORM="linux/arm/v7"
+ ;;
+ *-armv6)
+ BASE_TAGS="${BASE_TAGS}-armv6"
+ PLATFORM="linux/arm/v6"
+ ;;
+ *)
+ BASE_TAGS="${BASE_TAGS}-amd64"
+ PLATFORM="linux/amd64"
+ ;;
+esac
+
+# Be verbose on what is being executed
+set -x
+
+# Build the image with podman
+# We use the docker format here since we are using `SHELL`, which is not supported by OCI
+# shellcheck disable=SC2086
+podman buildx build \
+ --platform="${PLATFORM}" \
+ --tag="${CONTAINER_REGISTRIES}:${BASE_TAGS}" \
+ --format=docker \
+ "${LABEL_ARGS[@]}" \
+ "${BUILD_ARGS[@]}" \
+ --file="${BASEDIR}/${DOCKERFILE}" "$@" \
+ "${BASEDIR}/.."
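Review bot: `--tag="${CONTAINER_REGISTRIES}:${BASE_TAGS}"` treats both variables as single values, whereas docker-bake.hcl in this commit documents both as comma separated and expands them into one tag per registry and base tag. With `BASE_TAGS=testing,1.29.2` the two case blocks append `-alpine` and the architecture to the last entry only, and the resulting string is not a valid image reference. Keeping the suffix in its own variable and expanding the lists into repeated `--tag` arguments makes the podman path behave like `generate_tags()`. The `# shellcheck disable=SC2086` above the command also looks unneeded, since every expansion in it is quoted.

```shell
# Collect the suffix separately instead of rewriting BASE_TAGS
TAG_SUFFIX=""
case "${TARGET}" in
    alpine*)
        TAG_SUFFIX="-alpine"
        DOCKERFILE="Dockerfile.alpine"
        ;;
    # … unchanged: default branch selecting Dockerfile.debian …
esac

# The platform case block changes the same way: TAG_SUFFIX+="-arm64" (and so on)
# in place of BASE_TAGS="${BASE_TAGS}-arm64"; PLATFORM is set as before.

# One --tag per registry and base tag, both lists may be comma separated
IFS=',' read -ra REGISTRY_LIST <<< "${CONTAINER_REGISTRIES}"
IFS=',' read -ra BASE_TAG_LIST <<< "${BASE_TAGS}"
TAG_ARGS=()
for registry in "${REGISTRY_LIST[@]}"; do
    for base_tag in "${BASE_TAG_LIST[@]}"; do
        TAG_ARGS+=(--tag="${registry}:${base_tag}${TAG_SUFFIX}")
    done
done

# … unchanged: set -x; the label, build-arg, file and context arguments follow as before …
podman buildx build \
    --platform="${PLATFORM}" \
    "${TAG_ARGS[@]}" \
    --format=docker \
```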
diff --git a/docker/render_template b/docker/render_template
index c9978d5a..401e0ad0 100755
--- a/docker/render_template
+++ b/docker/render_template
@@ -1,17 +1,31 @@
#!/usr/bin/env python3
-import os, argparse, json
-
+import os
+import argparse
+import json
+import yaml
import jinja2
+# Load settings file
+with open("DockerSettings.yaml", 'r') as yaml_file:
+ yaml_data = yaml.safe_load(yaml_file)
+
+settings_env = jinja2.Environment(
+ loader=jinja2.FileSystemLoader(os.getcwd()),
+)
+settings_yaml = yaml.safe_load(settings_env.get_template("DockerSettings.yaml").render(yaml_data))
+
args_parser = argparse.ArgumentParser()
args_parser.add_argument('template_file', help='Jinja2 template file to render.')
args_parser.add_argument('render_vars', help='JSON-encoded data to pass to the templating engine.')
cli_args = args_parser.parse_args()
+# Merge the default config yaml with the json arguments given.
render_vars = json.loads(cli_args.render_vars)
+settings_yaml.update(render_vars)
+
environment = jinja2.Environment(
loader=jinja2.FileSystemLoader(os.getcwd()),
trim_blocks=True,
)
-print(environment.get_template(cli_args.template_file).render(render_vars))
+print(environment.get_template(cli_args.template_file).render(settings_yaml))
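Review bot: The new settings block runs at the top of the script, before `parse_args()`, and opens `DockerSettings.yaml` relative to the current directory, so `render_template --help` from a directory without that file ends in a FileNotFoundError traceback instead of the usage text. Moving the block below `cli_args = args_parser.parse_args()` fixes the ordering. Two things are worth a comment at `settings_yaml.update(render_vars)`: the merge is shallow, so a nested key passed in the JSON argument replaces the whole mapping from the settings file, and an empty settings file makes `yaml.safe_load` return `None`, which neither `render()` nor `update()` will accept.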