
feat(deployments/well-known): Docker deployment

+111 -1
+3
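--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,3 @@
+PHONY: docker-build-well-known
+docker-build/well-known:
+docker buildx build -t darccio/bsky.cat-well-known --build-arg DD_GIT_COMMIT_SHA=$(git rev-parse HEAD) -f deployments/well-known/Dockerfile .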
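Review bot: In the `docker-build/well-known` recipe, `$(git rev-parse HEAD)` is expanded by make as a variable reference and never reaches the shell, so `DD_GIT_COMMIT_SHA` is passed empty and the image's commit label and `DD_TAGS` carry no commit. Write `$$(git rev-parse HEAD)` or `$(shell git rev-parse HEAD)` instead. The first line, `PHONY: docker-build-well-known`, defines an ordinary rule, not the special target, and names a target that does not exist; it should read `.PHONY: docker-build/well-known`.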
+1 -1
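--- a/cmd/well-known/main.go
+++ b/cmd/well-known/main.go
@@ -103,7 +103,7 @@
 executable = filepath.Base(args[0])
 )
 if len(args) < 2 {
-logger.Error("insufficient arguments", slog.String("usage", executable+" command"))
+logger.Error("insufficient arguments", slog.String("usage", executable+" command"), slog.String("cmd", strings.Join(os.Args, " ")))
 os.Exit(1)
 }
 switch args[1] {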
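Review bot: The new `cmd` attribute writes the whole of `os.Args` into the log record, which becomes a leak path as soon as any argument carries a token or password, and the compose file in this commit labels these logs for Datadog collection. This branch only runs when `args` has fewer than two elements, so if `args` is derived from `os.Args` the field adds little beyond the program path. `slog.Int("argc", len(args))` would give the same diagnostic without the raw command line. The enclosing function starts and ends outside the hunk, so how `args` is built and whether `strings` is already imported cannot be confirmed from here.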
+40
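--- a/deployments/docker-compose.yml
+++ b/deployments/docker-compose.yml
@@ -0,0 +1,40 @@
+services:
+well-known:
+build:
+context: ..
+dockerfile: deployments/well-known/Dockerfile
+image: darccio/bsky.cat-well-known:latest
+container_name: bskycat-well-known
+restart: unless-stopped
+user: "65532:65532"
+# Security hardening
+read_only: true
+cap_drop:
+- ALL
+security_opt:
+- no-new-privileges:true
+# Network configuration
+ports:
+- "127.0.0.1:3002:3002"
+networks:
+- bskycat-net
+# Environment variables
+environment:
+- BSKYCAT_WELLKNOWN_ROOT=/data
+- DD_SERVICE=bsky.cat/well-known
+# Volume for persistent data
+volumes:
+- well-known-data:/data:ro
+labels:
+com.datadoghq.ad.logs: '[{"source": "go", "service": "bsky.cat/well-known"}]'
+
+networks:
+bskycat-net:
+driver: bridge
+internal: false
+ipam:
+config:
+- subnet: 172.20.1.0/24
+
+volumes:
+well-known-data: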
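Review bot: The service image is tagged `darccio/bsky.cat-well-known:latest`, a mutable reference, while the Dockerfile in the same commit pins its base image by digest; a host that pulls instead of building gets whatever `latest` points to at that moment. Tagging with the commit SHA that the Makefile passes as `DD_GIT_COMMIT_SHA`, or referencing the image by digest, keeps a deployment traceable to a build. The hardening block also sets no resource ceiling; `pids_limit` and `mem_limit` would bound the container if the service misbehaves.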
+67
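--- a/deployments/well-known/Dockerfile
+++ b/deployments/well-known/Dockerfile
@@ -0,0 +1,67 @@
+# Build stage
+# Digest from `docker images --digests`
+FROM golang:1.25-alpine@sha256:d3f0cf7723f3429e3f9ed846243970b20a2de7bae6a5b66fc5914e228d831bbb AS builder
+# TODO: automate image digest update
+
+# Install ca-certificates for HTTPS requests and create non-root build user
+RUN apk add --no-cache ca-certificates=20250911-r0 git=2.49.1-r0 && \
+addgroup -g 10001 -S buildgroup && \
+adduser -u 10001 -S builduser -G buildgroup
+
+# Set working directory
+WORKDIR /build
+
+# Ensure builduser have permissions
+RUN chown builduser:buildgroup /build
+
+# Copy go mod files first for better caching
+COPY --chown=builduser:buildgroup go.mod go.sum ./
+RUN go mod download
+
+# Switch to non-root user for build
+USER builduser
+
+# Setup Orchestrion
+RUN go install github.com/DataDog/orchestrion@v1.6.1
+RUN orchestrion pin
+
+# Copy source code
+COPY --chown=builduser:buildgroup . .
+
+ARG TARGETARCH
+ARG TARGETOS
+
+# Build the application with hardening flags
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} orchestrion go build \
+-tags=appsec \
+-mod=readonly \
+-ldflags="-w -s -extldflags '-static'" \
+-trimpath \
+-buildvcs=true \
+-o well-known ./cmd/well-known && \
+chmod 755 well-known
+
+# Final stage - minimal scratch image
+FROM scratch
+
+COPY --from=builder /lib/ld-musl-*.so.1 /lib/
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder --chown=65532:65532 /build/well-known /app/well-known
+
+# Expose port
+EXPOSE 3002
+
+# Run the application
+ARG DD_GIT_COMMIT_SHA
+ENV DD_APM_TRACING_ENABLED=true
+ENV DD_APPSEC_ENABLED=true
+ENV DD_PROFILING_ENABLED=true
+ENV DD_RUNTIME_METRICS_ENABLED=true
+ENV DD_GIT_REPOSITORY_URL=https://tangled.sh/@dario.cat/bsky.cat
+
+LABEL com.datadoghq.git.repository_url="${DD_GIT_REPOSITORY_URL}"
+LABEL com.datadoghq.git.commit.sha="${DD_GIT_COMMIT_SHA}"
+
+ENV DD_TAGS="git.repository_url:${DD_GIT_REPOSITORY_URL},git.commit.sha:${DD_GIT_COMMIT_SHA}"
+ENTRYPOINT ["/app/well-known"]
+CMD ["server"]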
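Review bot: The final `FROM scratch` stage never sets `USER`, so the image runs `/app/well-known` as UID 0 whenever it is started without the compose file's `user: "65532:65532"` override, for example straight after the Makefile's `docker buildx build`. Add `USER 65532:65532` before `ENTRYPOINT`, and consider dropping `--chown=65532:65532` on the binary so the runtime user cannot rewrite its own executable. `COPY --from=builder /lib/ld-musl-*.so.1 /lib/` also looks unnecessary for a `CGO_ENABLED=0` build and could be removed to keep the image to the binary and the CA bundle.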