privacyint · CJFWeatherhead · Jun 16, 2025 · Jun 9, 2025 · Jun 9, 2025 · Jun 9, 2025
diff --git a/Dockerfile b/Dockerfile
@@ -1,30 +1,29 @@
-# ---
-# Tool version args
-# Bump these every time there is a new release. Don't forget the checksum!
+###################
+# BUILD PREP
+###################
+# Tool version arguments
+# Bump these every time there is a new release.
+# We're pulling these from github source, don't forget to bump the checksum!
 ARG HEADSCALE_VERSION="0.26.1"
 ARG HEADSCALE_SHA256="5012577e6fc5d4234aab7b4be0d6e271ea1a4ec38521a8aa472f80ea1fe81cba"
 
 ARG LITESTREAM_VERSION="0.3.13"
 ARG LITESTREAM_SHA256="eb75a3de5cab03875cdae9f5f539e6aedadd66607003d9b1e7a9077948818ba0"
 
-# ---
-# Container version args
-# Bump these every time there is a new release. No checksum needed.
+# No checksum needed for these tools, we pull from official images
 ARG CADDY_VERSION="2.10.0"
 ARG MAIN_IMAGE_ALPINE_VERSION="3.22.0"
 ARG HEADSCALE_ADMIN_VERSION="dev"
 
-# ---
-# Tool download links
+# github download links
 # These should never need adjusting unless the URIs change
 ARG HEADSCALE_DOWNLOAD_URL="https://github.com/juanfont/headscale/releases/download/v${HEADSCALE_VERSION}/headscale_${HEADSCALE_VERSION}_linux_amd64"
 ARG LITESTREAM_DOWNLOAD_URL="https://github.com/benbjohnson/litestream/releases/download/v${LITESTREAM_VERSION}/litestream-v${LITESTREAM_VERSION}-linux-amd64.tar.gz"
 
-###########
-# LOGIC STARTS HERE
-###########
+###################
+# BUILD PROCESS
+###################
 
-# ---
 # Build caddy with Cloudflare DNS support
 FROM caddy:${CADDY_VERSION}-builder AS caddy-builder
     # Set SHELL flags for RUN commands to allow -e and pipefail
@@ -34,65 +33,61 @@ FROM caddy:${CADDY_VERSION}-builder AS caddy-builder
     RUN xcaddy build \
         --with github.com/caddy-dns/cloudflare
 
-# ---
 # Docker hates variables in COPY, apparently. Hello, workaround.
 FROM goodieshq/headscale-admin:${HEADSCALE_ADMIN_VERSION} AS admin-gui
 
-# --- 
 # Build our main image
 FROM alpine:${MAIN_IMAGE_ALPINE_VERSION}
     # Set SHELL flags for RUN commands to allow -e and pipefail
     # Rationale: https://github.com/hadolint/hadolint/wiki/DL4006
     SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 
-    # ---
-    # import our "global" `ARG` values into this stage
+    # Import our "global" `ARG` values into this stage
     ARG HEADSCALE_DOWNLOAD_URL
     ARG HEADSCALE_SHA256
     ARG LITESTREAM_DOWNLOAD_URL
     ARG LITESTREAM_SHA256
 
-    # ---
     # Upgrade system and install various dependencies
     # - BusyBox's wget isn't reliable enough
     # - I'm gonna need a better shell
     # - We need GNU sed
     # hadolint ignore=DL3018,SC2086
     RUN BUILD_DEPS="wget"; \
-        RUNTIME_DEPS="bash sed"; \
+        RUNTIME_DEPS="bash sed gettext"; \
         apk --no-cache upgrade; \
         apk add --no-cache --virtual BuildTimeDeps ${BUILD_DEPS}; \
         apk add --no-cache ${RUNTIME_DEPS}
 
-    # ---
     # Copy caddy from the first stage
     COPY --from=caddy-builder /usr/bin/caddy /usr/local/bin/caddy
     # Caddy smoke test
     RUN [ "$(command -v caddy)" = '/usr/local/bin/caddy' ]; \
         caddy version
 
-    # ---
     # Headscale
-    RUN { \
+    RUN set -ex; { \
             wget --retry-connrefused \
                  --waitretry=1 \
                  --read-timeout=20 \
                  --timeout=15 \
                  -t 0 \
                  -q \
                  -O headscale \
-                 ${HEADSCALE_DOWNLOAD_URL} \
-            ; \
+                 ${HEADSCALE_DOWNLOAD_URL} || { \
+                    echo "Failed to download Headscale from ${HEADSCALE_DOWNLOAD_URL}"; \
+                    exit 1; \
+                }; \
             echo "${HEADSCALE_SHA256} *headscale" | sha256sum -c - >/dev/null 2>&1; \
             chmod +x headscale; \
             mv headscale /usr/local/bin/; \
         }; \
-        # smoke test
+        # Headscale smoke test
         [ "$(command -v headscale)" = '/usr/local/bin/headscale' ]; \
         headscale version;
 
     # Litestream
-    RUN { \
+    RUN set -ex; { \
             wget --retry-connrefused \
                  --waitretry=1 \
                  --read-timeout=20 \
@@ -107,7 +102,7 @@ FROM alpine:${MAIN_IMAGE_ALPINE_VERSION}
             mv litestream /usr/local/bin/; \
             rm -f litestream.tar.gz; \
         }; \
-        # smoke test
+        # Litestream smoke test
         [ "$(command -v litestream)" = '/usr/local/bin/litestream' ]; \
         litestream version;
 
@@ -117,13 +112,16 @@ FROM alpine:${MAIN_IMAGE_ALPINE_VERSION}
     # Remove build-time dependencies
     RUN apk del BuildTimeDeps
 
-    # ---
-    # copy configuration and templates
+    # Copy configuration templates
     COPY ./templates/headscale.template.yaml /etc/headscale/config.yaml
     COPY ./templates/litestream.template.yml /etc/litestream.yml
     COPY ./templates/caddy.http.template.yaml /etc/caddy/Caddyfile-http
     COPY ./templates/caddy.https.template.yaml /etc/caddy/Caddyfile-https
-    COPY ./scripts/container-entrypoint.sh /container-entrypoint.sh
-    RUN chmod +x /container-entrypoint.sh
+
+    # Copy and setup entrypoint script
+    COPY --chmod=755 ./scripts/container-entrypoint.sh /container-entrypoint.sh
+
+    # Default HTTPS port - override with $PUBLIC_LISTEN_PORT environment variable
+    EXPOSE 443
 
     ENTRYPOINT ["/container-entrypoint.sh"]
diff --git a/docs/index.md b/docs/index.md
@@ -28,4 +28,4 @@ Details about configuration options.
 
 ## Contributing
 
-Guidelines for contributing to the project.
+Guidelines for contributing to the project.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -28,4 +28,4 @@ Details about configuration options.

		## Contributing

		Guidelines for contributing to the project.
		Guidelines for contributing to the project.