Use debian bookworm for base

- Updated node to v20
- Updated go to 1.21 and deps
- Updated python, certbot and deps
- Removed nancy from go image

Author: jc21

.jenkins/Jenkinsfile

@@ -29,12 +29,12 @@ pipeline {
 					}
 					steps {
 						script {
-							env.BASE_TAG                       = 'latest'
-							env.BUILDX_PUSH_TAGS               = "-t docker.io/jc21/${IMAGE}:${BASE_TAG}"
-							env.BUILDX_PUSH_TAGS_ACMESH        = "-t docker.io/jc21/${IMAGE}:acmesh"
-							env.BUILDX_PUSH_TAGS_CERTBOT       = "-t docker.io/jc21/${IMAGE}:certbot"
-							env.BUILDX_PUSH_TAGS_ACMESH_GOLANG = "-t docker.io/jc21/${IMAGE}:acmesh-golang"
-							env.BUILDX_PUSH_TAGS_CERTBOT_NODE  = "-t docker.io/jc21/${IMAGE}:certbot-node"
+							env.BASE_IMAGE                     = "jc21/${IMAGE}:latest"
+							env.BUILDX_PUSH_TAGS               = "-t ${BASE_IMAGE}"
+							env.BUILDX_PUSH_TAGS_ACMESH        = "-t jc21/${IMAGE}:acmesh"
+							env.BUILDX_PUSH_TAGS_CERTBOT       = "-t jc21/${IMAGE}:certbot"
+							env.BUILDX_PUSH_TAGS_ACMESH_GOLANG = "-t jc21/${IMAGE}:acmesh-golang"
+							env.BUILDX_PUSH_TAGS_CERTBOT_NODE  = "-t jc21/${IMAGE}:certbot-node"
 						}
 					}
 				}
@@ -47,10 +47,10 @@ pipeline {
 					steps {
 						script {
 							// Defaults to the Branch name, which is applies to all branches AND pr's
-							env.BASE_TAG                       = "github-${BRANCH_LOWER}"
-							env.ACMESH_BASE_TAG                = "github-${BRANCH_LOWER}-acmesh"
-							env.CERTBOT_BASE_TAG               = "github-${BRANCH_LOWER}-certbot"
-							env.BUILDX_PUSH_TAGS               = "-t docker.io/jc21/${IMAGE}:${BASE_TAG}"
+							env.BASE_IMAGE                     = "jc21/${IMAGE}:github-${BRANCH_LOWER}"
+							env.ACMESH_IMAGE                   = "${BASE_IMAGE}-acmesh"
+							env.CERTBOT_IMAGE                  = "${BASE_IMAGE}-certbot"
+							env.BUILDX_PUSH_TAGS               = "-t ${BASE_IMAGE}"
 							env.BUILDX_PUSH_TAGS_ACMESH        = "${BUILDX_PUSH_TAGS}-acmesh"
 							env.BUILDX_PUSH_TAGS_CERTBOT       = "${BUILDX_PUSH_TAGS}-certbot"
 							env.BUILDX_PUSH_TAGS_ACMESH_GOLANG = "${BUILDX_PUSH_TAGS}-acmesh-golang"

docker/Dockerfile

@@ -2,7 +2,7 @@
 # Nginx Builder
 #############
 
-FROM debian:buster-slim as nginxbuilder
+FROM debian:bookworm-slim as nginxbuilder
 
 ARG OPENRESTY_VERSION
 ARG LUA_VERSION
@@ -33,13 +33,13 @@ RUN /tmp/build-openresty
 # Final Image
 #############
 
-FROM debian:buster-slim
+FROM debian:bookworm-slim as final
 LABEL maintainer="Jamie Curnow <[email protected]>"
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 ARG TARGETPLATFORM
-RUN echo "Base: debian:buster-slim, ${TARGETPLATFORM:-linux/amd64}" > /built-for-arch
+RUN echo "Base: debian:bookworm-slim, ${TARGETPLATFORM:-linux/amd64}" > /built-for-arch
 
 # OpenResty uses LuaJIT which has a dependency on GCC
 RUN apt-get update \
@@ -51,7 +51,7 @@ RUN apt-get update \
 	jq \
 	libncurses6 \
 	libpcre3 \
-	libreadline7 \
+	libreadline8 \
 	openssl \
 	perl \
 	tzdata \

docker/Dockerfile.acmesh

@@ -1,8 +1,11 @@
-FROM jc21/nginx-full:${BASE_TAG:-latest}
+ARG BASE_IMAGE=jc21/nginx-full:latest
+FROM $BASE_IMAGE as final
+ARG BASE_IMAGE
+ARG TARGETPLATFORM
+
 LABEL maintainer="Jamie Curnow <[email protected]>"
 
-ARG TARGETPLATFORM
-RUN echo "Acme.sh: jc21/nginx-full:${BASE_TAG:-latest}, ${TARGETPLATFORM:-linux/amd64}" >> /built-for-arch
+RUN echo "Acme.sh: $BASE_IMAGE, ${TARGETPLATFORM:-linux/amd64}" >> /built-for-arch
 
 ENV CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
 

docker/Dockerfile.acmesh-golang

@@ -1,9 +1,12 @@
-FROM golang:1.20 as go
-FROM jc21/nginx-full:${ACMESH_BASE_TAG:-acmesh}
+ARG ACMESH_IMAGE=jc21/nginx-full:acmesh
+FROM golang:1.21 as go
+FROM $ACMESH_IMAGE as final
+ARG ACMESH_IMAGE
+ARG TARGETPLATFORM
+
 LABEL maintainer="Jamie Curnow <[email protected]>"
 
-ARG TARGETPLATFORM
-RUN echo "Golang: jc21/nginx-full:${BASE_TAG:-acmesh}, ${TARGETPLATFORM:-linux/amd64}" >> /built-for-arch
+RUN echo "Golang: $ACMESH_IMAGE, ${TARGETPLATFORM:-linux/amd64}" >> /built-for-arch
 
 RUN apt-get update \
 	&& apt-get install -y wget gcc g++ make git sqlite3 jq \
@@ -30,9 +33,8 @@ WORKDIR /root
 COPY ./files/.bashrc.acmesh-golang /root/.bashrc
 
 # Gotools
-RUN cd /usr && wget -O- -nv https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v1.52.2
+RUN cd /usr && wget -O- -nv https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v1.55.2
 RUN go install github.com/kyoh86/richgo@latest \
-	&& go install github.com/sonatype-nexus-community/nancy@latest \
 	&& go install github.com/mfridman/tparse@latest \
 	&& go install golang.org/x/vuln/cmd/govulncheck@latest \
 	&& rm -rf /root/.cache/go-build

docker/Dockerfile.certbot

@@ -1,22 +1,26 @@
+ARG BASE_IMAGE=jc21/nginx-full:latest
+
 #############
 # Certbot Builder
 #############
 
-FROM debian:buster-slim as certbotbuilder
+FROM debian:bookworm-slim as certbotbuilder
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 RUN apt-get update
 RUN apt-get install -y \
 	build-essential \
+	ca-certificates \
 	curl \
 	libaugeas0 \
-	python3 \
-	python3-dev \
 	libffi-dev \
 	libssl-dev \
-	python3-venv \
-	ca-certificates
+	openssl \
+	pkg-config \
+	python3 \
+	python3-dev \
+	python3-venv
 
 ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
 
@@ -30,26 +34,20 @@ ENV PATH="/opt/certbot/bin:$PATH"
 
 RUN curl -L 'https://bootstrap.pypa.io/get-pip.py' | python3
 
-# Handle an extremely specific issue when building the cryptography package for
-# 32-bit architectures within QEMU running on a 64-bit host
-# Special thanks to https://github.com/JonasAlfredsson/docker-nginx-certbot
-RUN if [ "$(getconf LONG_BIT)" = "32" ]; then \
-	pip3 install --no-cache-dir -U cryptography==3.3.2; \
-	fi
-
-RUN pip install cryptography==2.8 \
-	pip install --no-cache-dir cffi certbot \
+RUN pip install --no-cache-dir --upgrade pyopenssl \
+	&& pip install --no-cache-dir cffi certbot cryptography \
 	&& pip install tldextract
 
 #############
 # Final Image
 #############
+FROM $BASE_IMAGE as final
+ARG BASE_IMAGE
+ARG TARGETPLATFORM
 
-FROM jc21/nginx-full:${BASE_TAG:-latest}
 LABEL maintainer="Jamie Curnow <[email protected]>"
 
-ARG TARGETPLATFORM
-RUN echo "Certbot: jc21/nginx-full:${BASE_TAG:-latest}, ${TARGETPLATFORM:-linux/amd64}" >> /built-for-arch
+RUN echo "Certbot: $BASE_IMAGE, ${TARGETPLATFORM:-linux/amd64}" >> /built-for-arch
 
 COPY scripts/install-cert-prune /tmp/install-cert-prune
 RUN /tmp/install-cert-prune "${TARGETPLATFORM:-linux/amd64}" && rm -f /tmp/install-cert-prune
@@ -67,8 +65,11 @@ COPY ./files/.bashrc.certbot /root/.bashrc
 
 # Copy certbot
 COPY --from=certbotbuilder /opt/certbot /opt/certbot
-RUN curl -L 'https://bootstrap.pypa.io/get-pip.py' | python3 \
-	&& python3 -m venv /opt/certbot/ \
+
+ENV PATH="/opt/certbot/bin:$PATH"
+
+RUN python3 -m venv /opt/certbot/ \
+	&& curl -L 'https://bootstrap.pypa.io/get-pip.py' | /opt/certbot/bin/python3 \
 	&& sed -i 's/include-system-site-packages = false/include-system-site-packages = true/g' -i /opt/certbot/pyvenv.cfg \
 	&& ln -s /opt/certbot/bin/certbot /usr/bin/certbot
 

docker/Dockerfile.certbot-node

@@ -1,12 +1,15 @@
-FROM jc21/nginx-full:${CERTBOT_BASE_TAG:-certbot}
+ARG CERTBOT_IMAGE=jc21/nginx-full:certbot
+FROM $CERTBOT_IMAGE as final
+ARG CERTBOT_IMAGE
+ARG TARGETPLATFORM
+
 LABEL maintainer="Jamie Curnow <[email protected]>"
 
-ARG TARGETPLATFORM
-RUN echo "Node: jc21/nginx-full:${BASE_TAG:-certbot}, ${TARGETPLATFORM:-linux/amd64}" >> /built-for-arch
+RUN echo "Node: $CERTBOT_IMAGE, ${TARGETPLATFORM:-linux/amd64}" >> /built-for-arch
 
 ENV CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
 
-RUN curl -fsSL https://deb.nodesource.com/setup_16.x | bash - \
+RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
 	&& apt-get update \
 	&& apt-get install -y gcc make g++ git nodejs \
 	&& apt-get clean \
@@ -22,4 +25,3 @@ RUN node /tmp/test.js \
 	&& rm -f /tmp/test.js
 
 LABEL org.label-schema.cmd="docker run --rm -ti jc21/nginx-full:certbot-node"
-

local-build.sh

@@ -6,13 +6,20 @@ YELLOW='\E[1;33m'
 GREEN='\E[1;32m'
 RESET='\E[0m'
 
-DOCKER_IMAGE=jc21/nginx-full
+REGISTRY=${REGISTRY:-}
+DOCKER_IMAGE="${REGISTRY}jc21/nginx-full"
 
 export OPENRESTY_VERSION=1.21.4.3
 export CROWDSEC_OPENRESTY_BOUNCER_VERSION=0.1.7
 export LUA_VERSION=5.1.5
 export LUAROCKS_VERSION=3.3.1
 
+export BASE_IMAGE="${DOCKER_IMAGE}:latest"
+export ACMESH_IMAGE="${DOCKER_IMAGE}:acmesh"
+export CERTBOT_IMAGE="${DOCKER_IMAGE}:certbot"
+export CERTBOT_NODE_IMAGE="${DOCKER_IMAGE}:certbot-node"
+export ACMESH_GOLANG_IMAGE="${DOCKER_IMAGE}:acmesh-golang"
+
 # Builds
 
 echo -e "${BLUE}❯ ${CYAN}Building ${YELLOW}latest ${CYAN}...${RESET}"
@@ -22,35 +29,35 @@ docker build \
 	--build-arg CROWDSEC_OPENRESTY_BOUNCER_VERSION \
 	--build-arg LUA_VERSION \
 	--build-arg LUAROCKS_VERSION \
-	-t ${DOCKER_IMAGE}:latest \
+	-t "$BASE_IMAGE" \
 	-f docker/Dockerfile \
 	.
 
 echo -e "${BLUE}❯ ${CYAN}Building ${YELLOW}acmesh ${CYAN}...${RESET}"
 docker build \
-	--build-arg BASE_TAG=latest \
-	-t ${DOCKER_IMAGE}:acmesh \
+	--build-arg BASE_IMAGE \
+	-t "$ACMESH_IMAGE" \
 	-f docker/Dockerfile.acmesh \
 	.
 
 echo -e "${BLUE}❯ ${CYAN}Building ${YELLOW}certbot ${CYAN}...${RESET}"
 docker build \
-	--build-arg BASE_TAG=latest \
-	-t ${DOCKER_IMAGE}:certbot \
+	--build-arg BASE_IMAGE \
+	-t "$CERTBOT_IMAGE" \
 	-f docker/Dockerfile.certbot \
 	.
 
 echo -e "${BLUE}❯ ${CYAN}Building ${YELLOW}acmesh-golang ${CYAN}...${RESET}"
 docker build \
-	--build-arg BASE_TAG=acmesh \
-	-t ${DOCKER_IMAGE}:acmesh-golang \
+	--build-arg ACMESH_IMAGE \
+	-t "$ACMESH_GOLANG_IMAGE" \
 	-f docker/Dockerfile.acmesh-golang \
 	.
 
 echo -e "${BLUE}❯ ${CYAN}Building ${YELLOW}certbot-node ${CYAN}...${RESET}"
 docker build \
-	--build-arg BASE_TAG=certbot \
-	-t ${DOCKER_IMAGE}:certbot-node \
+	--build-arg CERTBOT_IMAGE \
+	-t "$CERTBOT_NODE_IMAGE" \
 	-f docker/Dockerfile.certbot-node \
 	.
 

local-buildx.sh

@@ -0,0 +1,88 @@
+#!/bin/bash -e
+
+BLUE='\E[1;34m'
+CYAN='\E[1;36m'
+YELLOW='\E[1;33m'
+GREEN='\E[1;32m'
+RESET='\E[0m'
+
+REGISTRY=${REGISTRY:-docker.jc21.com/}
+DOCKER_IMAGE="${REGISTRY}jc21/nginx-full"
+PLATFORMS=linux/amd64,linux/arm64,linux/arm/7
+
+export OPENRESTY_VERSION=1.21.4.3
+export CROWDSEC_OPENRESTY_BOUNCER_VERSION=0.1.7
+export LUA_VERSION=5.1.5
+export LUAROCKS_VERSION=3.3.1
+
+export BASE_IMAGE="${DOCKER_IMAGE}:latest"
+export ACMESH_IMAGE="${DOCKER_IMAGE}:acmesh"
+export CERTBOT_IMAGE="${DOCKER_IMAGE}:certbot"
+export CERTBOT_NODE_IMAGE="${DOCKER_IMAGE}:certbot-node"
+export ACMESH_GOLANG_IMAGE="${DOCKER_IMAGE}:acmesh-golang"
+
+# Setup
+
+docker buildx rm "${BUILDX_NAME:-nginx-full}" || echo
+docker buildx create --name "${BUILDX_NAME:-nginx-full}" || echo
+docker buildx use "${BUILDX_NAME:-nginx-full}"
+
+# Builds
+
+echo -e "${BLUE}❯ ${CYAN}Building ${YELLOW}latest ${CYAN}...${RESET}"
+docker buildx build \
+	--platform "$PLATFORMS" \
+	--progress plain \
+	--pull \
+	--push \
+	--build-arg OPENRESTY_VERSION \
+	--build-arg CROWDSEC_OPENRESTY_BOUNCER_VERSION \
+	--build-arg LUA_VERSION \
+	--build-arg LUAROCKS_VERSION \
+	-t "$BASE_IMAGE" \
+	-f docker/Dockerfile \
+	.
+
+echo -e "${BLUE}❯ ${CYAN}Building ${YELLOW}acmesh ${CYAN}...${RESET}"
+docker buildx build \
+	--platform "$PLATFORMS" \
+	--progress plain \
+	--push \
+	--build-arg BASE_IMAGE \
+	-t "$ACMESH_IMAGE" \
+	-f docker/Dockerfile.acmesh \
+	.
+
+echo -e "${BLUE}❯ ${CYAN}Building ${YELLOW}certbot ${CYAN}...${RESET}"
+docker buildx build \
+	--platform "$PLATFORMS" \
+	--progress plain \
+	--push \
+	--build-arg BASE_IMAGE \
+	-t "$CERTBOT_IMAGE" \
+	-f docker/Dockerfile.certbot \
+	.
+
+echo -e "${BLUE}❯ ${CYAN}Building ${YELLOW}acmesh-golang ${CYAN}...${RESET}"
+docker buildx build \
+	--platform "$PLATFORMS" \
+	--progress plain \
+	--push \
+	--build-arg ACMESH_IMAGE \
+	-t "$ACMESH_GOLANG_IMAGE" \
+	-f docker/Dockerfile.acmesh-golang \
+	.
+
+echo -e "${BLUE}❯ ${CYAN}Building ${YELLOW}certbot-node ${CYAN}...${RESET}"
+docker buildx build \
+	--platform "$PLATFORMS" \
+	--progress plain \
+	--push \
+	--build-arg CERTBOT_IMAGE \
+	-t "$CERTBOT_NODE_IMAGE" \
+	-f docker/Dockerfile.certbot-node \
+	.
+
+docker buildx rm "${BUILDX_NAME:-nginx-full}"
+
+echo -e "${BLUE}❯ ${GREEN}All done!${RESET}"

scripts/buildx

@@ -19,9 +19,9 @@ docker buildx build \
 	--platform linux/amd64,linux/arm64,linux/arm/7 \
 	--progress plain \
 	--pull \
-	--build-arg BASE_TAG \
-	--build-arg ACMESH_BASE_TAG \
-	--build-arg CERTBOT_BASE_TAG \
+	--build-arg BASE_IMAGE \
+	--build-arg ACMESH_IMAGE \
+	--build-arg CERTBOT_IMAGE \
 	--build-arg OPENRESTY_VERSION \
 	--build-arg LUA_VERSION \
 	--build-arg LUAROCKS_VERSION \