From 9c67d7cf5b353d1266822093260269f6b9ebfa15 Mon Sep 17 00:00:00 2001 From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com> Date: Tue, 25 Feb 2025 10:05:35 -0800 Subject: [PATCH] wip: build projects in image instead of host; comment-out problematic root-only operations --- .gitignore | 4 ++ bitwarden_license/src/Scim/entrypoint.sh | 8 +-- bitwarden_license/src/Sso/entrypoint.sh | 14 ++-- docker-compose.yml | 67 ++++++++++++++++--- src/Admin/Dockerfile | 84 ++++++++++++++++++++---- src/Admin/entrypoint.sh | 8 +-- src/Api/Dockerfile | 51 ++++++++------ src/Api/entrypoint.sh | 8 +-- src/Billing/Dockerfile | 55 ++++++++++++---- src/Billing/entrypoint.sh | 8 +-- src/Events/Dockerfile | 83 +++++++++++++++++++---- src/Events/entrypoint.sh | 8 +-- src/EventsProcessor/entrypoint.sh | 8 +-- src/Icons/Dockerfile | 80 ++++++++++++++++++---- src/Icons/entrypoint.sh | 8 +-- src/Identity/Dockerfile | 54 +++++---------- src/Identity/entrypoint.sh | 8 +-- src/Notifications/entrypoint.sh | 8 +-- util/Attachments/Dockerfile | 21 +++--- util/Server/Dockerfile | 47 ++++++++++++- 20 files changed, 455 insertions(+), 177 deletions(-) diff --git a/.gitignore b/.gitignore index 65157bf4aa..65e187de88 100644 --- a/.gitignore +++ b/.gitignore @@ -225,3 +225,7 @@ src/Notifications/Notifications.zip bitwarden_license/src/Portal/Portal.zip bitwarden_license/src/Sso/Sso.zip **/src/**/flags.json + +logs/* +config/* +storage/* diff --git a/bitwarden_license/src/Scim/entrypoint.sh b/bitwarden_license/src/Scim/entrypoint.sh index edc3bbe14a..a1fa82d02a 100644 --- a/bitwarden_license/src/Scim/entrypoint.sh +++ b/bitwarden_license/src/Scim/entrypoint.sh 
@@ -35,10 +35,10 @@ mkdir -p /etc/bitwarden/logs mkdir -p /etc/bitwarden/ca-certificates chown -R $USERNAME:$GROUPNAME /etc/bitwarden -if [[ $globalSettings__selfHosted == "true" ]]; then - cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ - && update-ca-certificates -fi +# if [[ $globalSettings__selfHosted == "true" ]]; then +# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ +# && update-ca-certificates +# fi if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos diff --git a/bitwarden_license/src/Sso/entrypoint.sh b/bitwarden_license/src/Sso/entrypoint.sh index 2c7bd18b84..9a188d8054 100644 --- a/bitwarden_license/src/Sso/entrypoint.sh +++ b/bitwarden_license/src/Sso/entrypoint.sh @@ -35,16 +35,16 @@ mkdir -p /etc/bitwarden/logs mkdir -p /etc/bitwarden/ca-certificates chown -R $USERNAME:$GROUPNAME /etc/bitwarden -if [[ $globalSettings__selfHosted == "true" ]]; then - cp /etc/bitwarden/identity/identity.pfx /app/identity.pfx -fi +# if [[ $globalSettings__selfHosted == "true" ]]; then +# cp /etc/bitwarden/identity/identity.pfx /app/identity.pfx +# fi chown -R $USERNAME:$GROUPNAME /app -if [[ $globalSettings__selfHosted == "true" ]]; then - cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ - && update-ca-certificates -fi +# if [[ $globalSettings__selfHosted == "true" ]]; then +# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ +# && update-ca-certificates +# fi if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos diff --git a/docker-compose.yml b/docker-compose.yml index 98bcbe8227..c15fc605c5 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
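Review bot: Commenting out the `update-ca-certificates` block in Scim's entrypoint.sh means the `.crt` files a self-hosted install places in `/etc/bitwarden/ca-certificates` are never added to the container's trust store, so outbound TLS to anything signed by a private CA will presumably fail validation. The same block is commented out in the Sso, Admin, Api, Billing, Events, EventsProcessor, Icons, Identity and Notifications entrypoints in this patch. The script still creates the directory and runs `chown -R` on `/etc/bitwarden`, so the trust step could stay in the part that runs as root, or be replaced by a mechanism that does not need root. Until then the hunk should at least carry a marker such as `# TODO: restore custom CA trust for self-hosted installs before merging`. The script body continues outside the hunk.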
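Review bot: With `cp /etc/bitwarden/identity/identity.pfx /app/identity.pfx` commented out in Sso's entrypoint.sh, nothing in this hunk puts the identity certificate where the self-hosted service previously found it, and the hunk does not show a replacement path. If the service can read the certificate from the mounted location, say so in a comment next to the disabled block and mount that path read-only; `globalSettings__IdentityServer__CertificateLocation`, which this patch removes from docker-compose.yml, looks like the setting for that, but whether Sso honours it is not visible here. The script body continues outside the hunk.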
@@ -1,29 +1,80 @@ services: + base: # this is just here to build the base image for the others to use + build: + context: . + dockerfile: ./util/Server/Dockerfile + entrypoint: ["true"] + admin: + build: + context: . + dockerfile: ./src/Admin/Dockerfile + ports: + - "62911:5000" + volumes: + - ./config/:/config + - ./logs/:/var/log/bitwarden + env_file: + - ./dev/.env + attachments: + build: + context: . + dockerfile: ./util/Attachments/Dockerfile + ports: + - "50004:5000" + volumes: + - ./config/:/config + - ./logs/:/var/log/bitwarden + environment: + LOCAL_UID: "${PUID}" + LOCAL_GID: "${PGID}" + env_file: + - ./dev/.env api: build: context: . dockerfile: ./src/Api/Dockerfile ports: - "4000:5000" - environment: - globalSettings__DataProtection__directory: /home/app/.aspnet/DataProtection-Keys - globalSettings__selfHosted: true + volumes: + - ./config/:/config + - ./logs/:/var/log/bitwarden + env_file: + - ./dev/.env + icons: + build: + context: . + dockerfile: ./src/Icons/Dockerfile + ports: + - "50024:5000" + env_file: + - ./dev/.env identity: build: context: . dockerfile: ./src/Identity/Dockerfile ports: - "33656:5000" - environment: - globalSettings__DataProtection__directory: /home/app/.aspnet/DataProtection-Keys - globalSettings__selfHosted: true - globalSettings__IdentityServer__CertificateLocation: /home/app/config/identity_server_dev.pfx volumes: + - ./config/:/config + - ./logs/:/var/log/bitwarden - ./dev:/home/app/config # identity.pfx exists here + env_file: + - ./dev/.env mssql: - image: bitwarden/mssql:2024.10.0 + image: bitwarden/mssql:2025.1.4 container_name: bitwarden-mssql ports: - "1433:1433" environment: ACCEPT_EULA: true + env_file: + - ./dev/.env + # nginx: + # image: nginx:alpine + # container_name: nginx + # volumes: + # - "./dev/reverse-proxy.conf:/etc/nginx/conf.d/default.conf" + # ports: + # - "${API_PROXY_PORT:-4100}:${API_PROXY_PORT:-4100}" + # - "${IDENTITY_PROXY_PORT:-33756}:${IDENTITY_PROXY_PORT:-33756}" + 
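Review bot: Every service, including `icons` and `mssql`, now loads the same `./dev/.env`, so each container's environment carries whatever credentials that file holds for all the others; a per-service env file would limit each container to the values it needs. The new mappings such as `"62911:5000"` for `admin` publish on all host interfaces, and for a development stack `"127.0.0.1:62911:5000"` keeps the admin portal and the other services off the network. `attachments` also sets `LOCAL_UID`/`LOCAL_GID`, which look unused now that util/Attachments/Dockerfile drops its entrypoint script and runs as `USER app`.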
diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile index 79d117681c..ad8a4565fc 100644 --- a/src/Admin/Dockerfile +++ b/src/Admin/Dockerfile @@ -1,21 +1,77 @@ -FROM mcr.microsoft.com/dotnet/aspnet:8.0 +FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build +ARG TARGETPLATFORM +ARG BUILDPLATFORM +ARG PROJECT_NAME=Admin +WORKDIR /build +COPY ../../ ./ + +WORKDIR /build/src/${PROJECT_NAME} + +RUN </dev/null 2>&1 \ - && update-ca-certificates -fi +# if [[ $globalSettings__selfHosted == "true" ]]; then +# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ +# && update-ca-certificates +# fi if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos diff --git a/src/Api/Dockerfile b/src/Api/Dockerfile index 024b4e08f7..642f072e61 100644 --- a/src/Api/Dockerfile +++ b/src/Api/Dockerfile @@ -1,11 +1,12 @@ FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build ARG TARGETPLATFORM ARG BUILDPLATFORM +ARG PROJECT_NAME=Api WORKDIR /build COPY ../../ ./ -WORKDIR /build/src/Api +WORKDIR /build/src/${PROJECT_NAME} RUN </dev/null 2>&1 \ - && update-ca-certificates -fi +# if [[ $globalSettings__selfHosted == "true" ]]; then +# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ +# && update-ca-certificates +# fi if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos diff --git a/src/Billing/Dockerfile b/src/Billing/Dockerfile index 9abbe16477..256a7fdde6 100644 --- a/src/Billing/Dockerfile +++ b/src/Billing/Dockerfile 
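Review bot: `COPY ../../ ./` in the new Admin build stage copies the whole build context, which docker-compose.yml sets to the repository root, because a `COPY` source cannot leave the context and `../../` is normalised to its root. Unless a `.dockerignore` (not part of this patch) excludes them, that puts `dev/` (which the compose file says holds `identity.pfx` and `.env`) and the new `config/`, `logs/` and `storage/` directories into the build layers and cache. Confirm those paths are listed in `.dockerignore`, or copy only the source trees the publish step needs, and write the source as `.` so the line says what it does. The same line is added in the Billing, Events, Icons and util/Server Dockerfiles and is already present in Api and Identity. The rest of this hunk is not visible on the page, so the final stage cannot be checked here.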
@@ -1,21 +1,50 @@ -FROM mcr.microsoft.com/dotnet/aspnet:8.0 +FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build +ARG TARGETPLATFORM +ARG BUILDPLATFORM +ARG PROJECT_NAME=Identity +WORKDIR /build +COPY ../../ ./ + +WORKDIR /build/src/${PROJECT_NAME} + +RUN </dev/null 2>&1 \ - && update-ca-certificates -fi +# if [[ $globalSettings__selfHosted == "true" ]]; then +# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ +# && update-ca-certificates +# fi exec gosu $USERNAME:$GROUPNAME dotnet /app/Billing.dll diff --git a/src/Events/Dockerfile b/src/Events/Dockerfile index 6970dfa7bb..c25af886c8 100644 --- a/src/Events/Dockerfile +++ b/src/Events/Dockerfile @@ -1,21 +1,76 @@ -FROM mcr.microsoft.com/dotnet/aspnet:8.0 +FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build +ARG TARGETPLATFORM +ARG BUILDPLATFORM +ARG PROJECT_NAME=Events +WORKDIR /build +COPY ../../ ./ + +WORKDIR /build/src/${PROJECT_NAME} + +RUN </dev/null 2>&1 \ - && update-ca-certificates -fi +# if [[ $globalSettings__selfHosted == "true" ]]; then +# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ +# && update-ca-certificates +# fi if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos diff --git a/src/EventsProcessor/entrypoint.sh b/src/EventsProcessor/entrypoint.sh index 0ae7b82cb5..1119e19efc 100644 --- a/src/EventsProcessor/entrypoint.sh +++ b/src/EventsProcessor/entrypoint.sh 
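Review bot: src/Billing/Dockerfile declares `ARG PROJECT_NAME=Identity`, so `WORKDIR /build/src/${PROJECT_NAME}` resolves to the Identity project and the build stage would presumably publish Identity instead of Billing, while Billing's entrypoint.sh still runs `dotnet /app/Billing.dll`. The line should read `ARG PROJECT_NAME=Billing`. The RUN step and the final stage of this hunk are not visible on the page, so the effect on the resulting image is inferred from the lines shown.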
@@ -34,9 +34,9 @@ mkdir -p /etc/bitwarden/logs #mkdir -p /etc/bitwarden/ca-certificates chown -R $USERNAME:$GROUPNAME /etc/bitwarden -if [[ $globalSettings__selfHosted == "true" ]]; then - cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ - && update-ca-certificates -fi +# if [[ $globalSettings__selfHosted == "true" ]]; then +# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ +# && update-ca-certificates +# fi exec gosu $USERNAME:$GROUPNAME dotnet /app/EventsProcessor.dll diff --git a/src/Icons/Dockerfile b/src/Icons/Dockerfile index edc1e0905b..7c2f738289 100644 --- a/src/Icons/Dockerfile +++ b/src/Icons/Dockerfile @@ -1,20 +1,76 @@ -FROM mcr.microsoft.com/dotnet/aspnet:8.0 +FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build +ARG TARGETPLATFORM +ARG BUILDPLATFORM +ARG PROJECT_NAME=Icons +WORKDIR /build +COPY ../../ ./ + +WORKDIR /build/src/${PROJECT_NAME} + +RUN </dev/null 2>&1 \ - && update-ca-certificates -fi +# if [[ $globalSettings__selfHosted == "true" ]]; then +# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ +# && update-ca-certificates +# fi exec gosu $USERNAME:$GROUPNAME dotnet /app/Icons.dll diff --git a/src/Identity/Dockerfile b/src/Identity/Dockerfile index c89d0ba486..3f6144bea7 100644 --- a/src/Identity/Dockerfile +++ b/src/Identity/Dockerfile 
@@ -1,11 +1,12 @@ FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build ARG TARGETPLATFORM ARG BUILDPLATFORM +ARG PROJECT_NAME=Identity WORKDIR /build COPY ../../ ./ -WORKDIR /build/src/Identity +WORKDIR /build/src/${PROJECT_NAME} RUN </dev/null 2>&1 \ - && update-ca-certificates -fi +# if [[ $globalSettings__selfHosted == "true" ]]; then +# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ +# && update-ca-certificates +# fi if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos diff --git a/src/Notifications/entrypoint.sh b/src/Notifications/entrypoint.sh index e1555b6c50..87f7bb9466 100644 --- a/src/Notifications/entrypoint.sh +++ b/src/Notifications/entrypoint.sh @@ -34,9 +34,9 @@ mkdir -p /etc/bitwarden/logs mkdir -p /etc/bitwarden/ca-certificates chown -R $USERNAME:$GROUPNAME /etc/bitwarden -if [[ $globalSettings__selfHosted == "true" ]]; then - cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ - && update-ca-certificates -fi +# if [[ $globalSettings__selfHosted == "true" ]]; then +# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ +# && update-ca-certificates +# fi exec gosu $USERNAME:$GROUPNAME dotnet /app/Notifications.dll diff --git a/util/Attachments/Dockerfile b/util/Attachments/Dockerfile index 2d99aa5911..d434ea8817 100644 --- a/util/Attachments/Dockerfile +++ b/util/Attachments/Dockerfile 
@@ -1,18 +1,13 @@ -FROM bitwarden/server:latest +FROM bitwarden/server:latest as build +ARG TARGETPLATFORM +ARG BUILDPLATFORM +ARG PROJECT_NAME=Attachments -LABEL com.bitwarden.product="bitwarden" +RUN mkdir -p {/storage/attachments,/bitwarden_server,/config} \ + && chown -R app:app {/storage/attachments,/bitwarden_server,/config} -RUN apt-get update \ - && apt-get install -y --no-install-recommends \ - gosu \ - curl \ - && rm -rf /var/lib/apt/lists/* - -ENV ASPNETCORE_URLS http://+:5000 EXPOSE 5000 -COPY entrypoint.sh / -RUN chmod +x /entrypoint.sh - HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1 -ENTRYPOINT ["/entrypoint.sh"] +USER app +ENTRYPOINT ["/bitwarden_server/Server", "/contentRoot=/config/core/attachments", "/webRoot=.", "/serveUnknown=true"] diff --git a/util/Server/Dockerfile b/util/Server/Dockerfile index 6755a85284..cc2037a685 100644 --- a/util/Server/Dockerfile +++ b/util/Server/Dockerfile @@ -1,5 +1,48 @@ +FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build +ARG TARGETPLATFORM +ARG BUILDPLATFORM +ARG PROJECT_NAME=Server + +WORKDIR /build +COPY ../../ ./ + +WORKDIR /build/util/${PROJECT_NAME} + +RUN <
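Review bot: In util/Attachments/Dockerfile, `RUN mkdir -p {/storage/attachments,/bitwarden_server,/config}` relies on brace expansion, which the default `/bin/sh` of a Debian-based image (the removed lines use `apt-get`) does not perform, so unless the base image sets `SHELL` to bash the three directories are not created and the `chown` does not apply to them before `USER app`. Listing the paths avoids the dependency: `RUN mkdir -p /storage/attachments /bitwarden_server /config && chown -R app:app /storage/attachments /bitwarden_server /config`. `FROM bitwarden/server:latest` is a mutable tag, and since the compose `base` service has no `image:` name it may resolve to whatever the registry publishes instead of the locally built util/Server image. The hunk also drops the `curl` install while `HEALTHCHECK` still calls `curl`, so confirm the base image provides it.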