
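# syntax=docker/dockerfile:1
# Alpine Linux Base Image for Archipelago Bitcoin Node OS
# Multi-arch support: ARM64 (Raspberry Pi) and x86_64
#
# This is an OS base image (it runs as root and ships an interactive shell as
# CMD); it is not a single-service application image.
ARG ALPINE_VERSION=3.19
FROM alpine:${ALPINE_VERSION}

# Install essential packages.
# `--no-cache` already leaves /var/cache/apk empty, so no separate rm is needed.
# Package versions are not pinned (hadolint DL3018): rebuilds can pick up newer
# packages unless ALPINE_VERSION is bumped deliberately.
# NOTE(review): Alpine is OpenRC-based; confirm that `systemd` and
# `systemd-openrc` are actually available in the repositories for this release,
# otherwise this step fails the build.
RUN apk add --no-cache \
    bash \
    ca-certificates \
    curl \
    dbus \
    dosfstools \
    e2fsprogs \
    fail2ban \
    git \
    gptfdisk \
    htop \
    iotop \
    iproute2 \
    iputils \
    logrotate \
    nano \
    net-tools \
    openssl \
    parted \
    rsync \
    shadow \
    sudo \
    systemd \
    systemd-openrc \
    tcpdump \
    tzdata \
    udev \
    ufw \
    util-linux \
    vim \
    wget

# Install Podman and its rootless runtime dependencies
RUN apk add --no-cache \
    crun \
    fuse-overlayfs \
    podman \
    podman-compose \
    slirp4netns

# Create archipelago user for rootless containers.
# Rootless Podman needs a subordinate UID/GID range for the user; without
# /etc/subuid and /etc/subgid entries `podman` cannot set up its user
# namespace. 100000:65536 is the conventional first range.
# NOTE(review): the setuid newuidmap/newgidmap helpers must also be present;
# check which shadow sub-package ships them on this Alpine release.
# The sudoers entry lets the user run podman *as root*, which is
# root-equivalent (root podman can mount any host path) and bypasses the
# rootless model; it is kept for compatibility but should be dropped once
# rootless operation is confirmed to work.
# `visudo -c` fails the build on a malformed sudoers file instead of leaving
# sudo broken on the node.
RUN adduser -D -s /bin/bash archipelago && \
    echo "archipelago:100000:65536" >> /etc/subuid && \
    echo "archipelago:100000:65536" >> /etc/subgid && \
    echo "archipelago ALL=(ALL) NOPASSWD: /usr/bin/podman, /usr/bin/podman-compose" >> /etc/sudoers && \
    visudo -cf /etc/sudoers

# Configure Podman for rootless operation.
# containers-storage keys belong under the [storage] table; a bare
# `driver = ...` line at the top level is not a valid storage.conf.
# The file is written by root, so ownership is handed to the user afterwards,
# otherwise rootless podman cannot read or update its own configuration.
RUN mkdir -p /home/archipelago/.config/containers && \
    printf '%s\n' \
        '[storage]' \
        'driver = "overlay"' \
        'rootless_storage_path = "/home/archipelago/.local/share/containers/storage"' \
        > /home/archipelago/.config/containers/storage.conf && \
    chown -R archipelago:archipelago /home/archipelago

# Set up systemd for container management
# NOTE(review): `systemctl enable` only works if the systemd package installed
# above and its unit files are present; on an OpenRC system the equivalent is
# `rc-update add <service> <runlevel>` — confirm which init this image boots.
RUN systemctl enable systemd-resolved && \
    systemctl enable dbus

# Create necessary directories
# NOTE(review): secrets/ is created with default (world-readable) permissions;
# tighten it (e.g. chmod 0700) once its owner and consumer are settled.
RUN mkdir -p \
    /var/lib/archipelago \
    /var/lib/archipelago/apps \
    /var/lib/archipelago/secrets \
    /var/lib/archipelago/logs \
    /var/lib/archipelago/backups \
    /etc/archipelago

# Copy hardening scripts (executable bit set at copy time instead of a
# follow-up chmod layer)
COPY --chmod=0755 scripts/harden-alpine.sh scripts/install-podman.sh /usr/local/bin/

# Run hardening script
RUN /usr/local/bin/harden-alpine.sh

# Set timezone to UTC
RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime

# Configure log rotation
COPY configs/logrotate.conf /etc/logrotate.d/archipelago

# Set up firewall defaults (will be configured on first boot).
# `ufw enable` needs netfilter access that a build container does not have, so
# failure here is tolerated; first-boot configuration must not assume this
# step succeeded.
RUN ufw --force enable || true

# Expose common ports (documentation only; reachability is controlled by the
# firewall rules applied on first boot)
EXPOSE 22 80 443 8332 8333 9735 10009 8080 8443

# Default command
CMD ["/bin/bash"]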