wip: build projects in image instead of host; comment-out problematic root-only operations

2025-04-13 09:08:17 -05:00 · 2025-02-25 10:05:35 -08:00 · 2025-02-25 10:05:35 -08:00 · 9c67d7cf5b
commit 9c67d7cf5b
parent f356d0a2b1
20 changed files with 455 additions and 177 deletions
--- a/.gitignore
+++ b/.gitignore
@ -225,3 +225,7 @@ src/Notifications/Notifications.zip
 bitwarden_license/src/Portal/Portal.zip
 bitwarden_license/src/Sso/Sso.zip
 **/src/**/flags.json
+
+logs/*
+config/*
+storage/*
--- a/bitwarden_license/src/Scim/entrypoint.sh
+++ b/bitwarden_license/src/Scim/entrypoint.sh
@ -35,10 +35,10 @@ mkdir -p /etc/bitwarden/logs
 mkdir -p /etc/bitwarden/ca-certificates
 chown -R $USERNAME:$GROUPNAME /etc/bitwarden

-if [[ $globalSettings__selfHosted == "true" ]]; then
-  cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
-    && update-ca-certificates
-fi
+# if [[ $globalSettings__selfHosted == "true" ]]; then
+#   cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
+#     && update-ca-certificates
+# fi

 if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then
  chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos
--- a/bitwarden_license/src/Sso/entrypoint.sh
+++ b/bitwarden_license/src/Sso/entrypoint.sh
@ -35,16 +35,16 @@ mkdir -p /etc/bitwarden/logs
 mkdir -p /etc/bitwarden/ca-certificates
 chown -R $USERNAME:$GROUPNAME /etc/bitwarden

-if [[ $globalSettings__selfHosted == "true" ]]; then
-  cp /etc/bitwarden/identity/identity.pfx /app/identity.pfx
-fi
+# if [[ $globalSettings__selfHosted == "true" ]]; then
+#   cp /etc/bitwarden/identity/identity.pfx /app/identity.pfx
+# fi

 chown -R $USERNAME:$GROUPNAME /app

-if [[ $globalSettings__selfHosted == "true" ]]; then
-  cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
-    && update-ca-certificates
-fi
+# if [[ $globalSettings__selfHosted == "true" ]]; then
+#   cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
+#     && update-ca-certificates
+# fi

 if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then
  chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,29 +1,80 @@
 services:
+  base: # this is just here to build the base image for the others to use
+    build:
+      context: .
+      dockerfile: ./util/Server/Dockerfile
+    entrypoint: ["true"]
+  admin:
+    build:
+      context: .
+      dockerfile: ./src/Admin/Dockerfile
+    ports:
+      - "62911:5000"
+    volumes:
+      - ./config/:/config
+      - ./logs/:/var/log/bitwarden
+    env_file:
+      - ./dev/.env
+  attachments:
+    build:
+      context: .
+      dockerfile: ./util/Attachments/Dockerfile
+    ports:
+      - "50004:5000"
+    volumes:
+      - ./config/:/config
+      - ./logs/:/var/log/bitwarden
+    environment:
+      LOCAL_UID: "${PUID}"
+      LOCAL_GID: "${PGID}"
+    env_file:
+      - ./dev/.env
  api:
    build:
      context: .
      dockerfile: ./src/Api/Dockerfile
    ports:
      - "4000:5000"
-    environment:
-      globalSettings__DataProtection__directory: /home/app/.aspnet/DataProtection-Keys
-      globalSettings__selfHosted: true
+    volumes:
+      - ./config/:/config
+      - ./logs/:/var/log/bitwarden
+    env_file:
+      - ./dev/.env
+  icons:
+    build:
+      context: .
+      dockerfile: ./src/Icons/Dockerfile
+    ports:
+      - "50024:5000"
+    env_file:
+      - ./dev/.env
  identity:
    build:
      context: .
      dockerfile: ./src/Identity/Dockerfile
    ports:
      - "33656:5000"
-    environment:
-      globalSettings__DataProtection__directory: /home/app/.aspnet/DataProtection-Keys
-      globalSettings__selfHosted: true
-      globalSettings__IdentityServer__CertificateLocation: /home/app/config/identity_server_dev.pfx
    volumes:
+      - ./config/:/config
+      - ./logs/:/var/log/bitwarden
      - ./dev:/home/app/config # identity.pfx exists here
+    env_file:
+      - ./dev/.env
  mssql:
-    image: bitwarden/mssql:2024.10.0
+    image: bitwarden/mssql:2025.1.4
    container_name: bitwarden-mssql
    ports:
      - "1433:1433"
    environment:
      ACCEPT_EULA: true
+    env_file:
+      - ./dev/.env
+  # nginx:
+  #   image: nginx:alpine
+  #   container_name: nginx
+  #   volumes:
+  #     - "./dev/reverse-proxy.conf:/etc/nginx/conf.d/default.conf"
+  #   ports:
+  #     - "${API_PROXY_PORT:-4100}:${API_PROXY_PORT:-4100}"
+  #     - "${IDENTITY_PROXY_PORT:-33756}:${IDENTITY_PROXY_PORT:-33756}"
+
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@ -1,21 +1,77 @@
-FROM mcr.microsoft.com/dotnet/aspnet:8.0
+FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+ARG PROJECT_NAME=Admin

+WORKDIR /build
+COPY ../../ ./
+
+WORKDIR /build/src/${PROJECT_NAME}
+
+RUN <<EOF
+  case "$TARGETPLATFORM" in
+    *"linux/amd64"*)
+      dotnet publish --self-contained /p:PublishSingleFile=true -r linux-x64 -o out
+      ;;
+    *"linux/arm64"*)
+      dotnet publish --self-contained /p:PublishSingleFile=true -r linux-arm64 -o out
+      ;;
+    *)
+      echo "unsupported target platform: $TARGETPLATFORM"
+      exit 1;;
+  esac
+EOF
+
+# FROM ghcr.io/linuxserver/baseimage-ubuntu:noble
+FROM mcr.microsoft.com/dotnet/aspnet:8.0
+# TODO: move this to a base image
 LABEL com.bitwarden.product="bitwarden"

-RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-    gosu \
-    curl \
-    krb5-user \    
-    && rm -rf /var/lib/apt/lists/*
+ENV PROJECT_NAME=Admin

+# RUN groupadd \
+#   --gid=$APP_UID \
+#   app \
+#   && useradd -l \
+#   --uid=$APP_UID \
+#   --gid=$APP_UID \
+#   --create-home \
+#   app
+
+RUN mkdir -p {/config} \
+  && chown -R app:app {/config}
+
+# RUN apt-get update \
+#     && apt-get install -y --no-install-recommends \
+#     gosu \
+#     curl \
+#     krb5-user \
+#     && rm -rf /var/lib/apt/lists/*
+
+# RUN apt-get update \
+#     && apt-get install -y --no-install-recommends \
+#         ca-certificates \
+#         \
+#         # .NET dependencies
+#         libc6 \
+#         libgcc-s1 \
+#         # libicu70 \
+#         libicu74 \
+#         libssl3 \
+#         libstdc++6 \
+#         tzdata \
+#         zlib1g \
+#     && rm -rf /var/lib/apt/lists/*
+
+# ENV HOME=/home/app
 ENV ASPNETCORE_URLS http://+:5000
-WORKDIR /app
+# END: move to base image
+
 EXPOSE 5000
-COPY obj/build-output/publish .
-COPY entrypoint.sh /
-RUN chmod +x /entrypoint.sh
+WORKDIR /app
+COPY --from=build /build/src/${PROJECT_NAME}/out /app
+HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1

-HEALTHCHECK CMD curl -f http://localhost:5000 || exit 1
-
-ENTRYPOINT ["/entrypoint.sh"]
+# TODO: use an entrypoint script with `set -e && exec ${PROJECT_NAME}`
+USER app
+ENTRYPOINT ["./Admin"]
--- a/src/Admin/entrypoint.sh
+++ b/src/Admin/entrypoint.sh
@ -35,10 +35,10 @@ mkdir -p /etc/bitwarden/logs
 mkdir -p /etc/bitwarden/ca-certificates
 chown -R $USERNAME:$GROUPNAME /etc/bitwarden

-if [[ $globalSettings__selfHosted == "true" ]]; then
-  cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
-    && update-ca-certificates
-fi
+# if [[ $globalSettings__selfHosted == "true" ]]; then
+#   cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
+#     && update-ca-certificates
+# fi

 if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then
  chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos
--- a/src/Api/Dockerfile
+++ b/src/Api/Dockerfile
@ -1,11 +1,12 @@
 FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
+ARG PROJECT_NAME=Api

 WORKDIR /build
 COPY ../../ ./

-WORKDIR /build/src/Api
+WORKDIR /build/src/${PROJECT_NAME}

 RUN <<EOF
  case "$TARGETPLATFORM" in
@ -21,11 +22,30 @@ RUN <<EOF
  esac
 EOF

-
 FROM ghcr.io/linuxserver/baseimage-ubuntu:noble
-
+# TODO: move this to a base image
 LABEL com.bitwarden.product="bitwarden"

+ENV APP_UID=1654
+ENV ASPNETCORE_HTTP_PORTS=8080
+ENV DOTNET_RUNNING_IN_CONTAINER=true
+ENV PROJECT_NAME=Api
+
+RUN groupadd \
+  --gid=$APP_UID \
+  app \
+  && useradd -l \
+  --uid=$APP_UID \
+  --gid=$APP_UID \
+  --create-home \
+  app
+
+RUN mkdir -p {/admin,/api,/identity,/events,/notifications} \
+  && chown -R app:app {/admin,/api,/identity,/events,/notifications}
+
+RUN mkdir -p {/config} \
+  && chown -R app:app {/config}
+
 # RUN apt-get update \
 #     && apt-get install -y --no-install-recommends \
 #     gosu \
@ -33,10 +53,6 @@ LABEL com.bitwarden.product="bitwarden"
 #     krb5-user \
 #     && rm -rf /var/lib/apt/lists/*

-ENV APP_UID=1654
-ENV ASPNETCORE_HTTP_PORTS=8080
-ENV DOTNET_RUNNING_IN_CONTAINER=true
-
 RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        ca-certificates \
@ -52,22 +68,15 @@ RUN apt-get update \
        zlib1g \
    && rm -rf /var/lib/apt/lists/*

-# Create a non-root user and group
-RUN groupadd \
-        --gid=$APP_UID \
-        app \
-    && useradd -l \
-        --uid=$APP_UID \
-        --gid=$APP_UID \
-        --create-home \
-        app
-
-EXPOSE 5000
-
-USER app
 ENV HOME=/home/app
 ENV ASPNETCORE_URLS http://+:5000
+# END: move to base image
+
+EXPOSE 5000
 WORKDIR /app
-COPY --from=build /build/src/Api/out /app
+COPY --from=build /build/src/${PROJECT_NAME}/out /app
 HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1
+
+# TODO: use an entrypoint script with `set -e && exec ${PROJECT_NAME}`
+USER app
 ENTRYPOINT ["./Api"]
--- a/src/Api/entrypoint.sh
+++ b/src/Api/entrypoint.sh
@ -35,10 +35,10 @@ mkdir -p /etc/bitwarden/logs
 mkdir -p /etc/bitwarden/ca-certificates
 chown -R $USERNAME:$GROUPNAME /etc/bitwarden

-if [[ $globalSettings__selfHosted == "true" ]]; then
-  cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
-    && update-ca-certificates
-fi
+# if [[ $globalSettings__selfHosted == "true" ]]; then
+#   cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
+#     && update-ca-certificates
+# fi

 if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then
  chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos
--- a/src/Billing/Dockerfile
+++ b/src/Billing/Dockerfile
@ -1,21 +1,50 @@
-FROM mcr.microsoft.com/dotnet/aspnet:8.0
+FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+ARG PROJECT_NAME=Identity

+WORKDIR /build
+COPY ../../ ./
+
+WORKDIR /build/src/${PROJECT_NAME}
+
+RUN <<EOF
+  case "$TARGETPLATFORM" in
+    *"linux/amd64"*)
+      dotnet publish --self-contained /p:PublishSingleFile=true -r linux-x64 -o out
+      ;;
+    *"linux/arm64"*)
+      dotnet publish --self-contained /p:PublishSingleFile=true -r linux-arm64 -o out
+      ;;
+    *)
+      echo "unsupported target platform: $TARGETPLATFORM"
+      exit 1;;
+  esac
+EOF
+
+# TODO: move this to a base image
 LABEL com.bitwarden.product="bitwarden"

-RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-    gosu \
-    curl \
-    && rm -rf /var/lib/apt/lists/*
+ENV PROJECT_NAME=Identity
+
+RUN mkdir -p {/config} \
+    && chown -R app:app {/config}
+
+# RUN apt-get update \
+#     && apt-get install -y --no-install-recommends \
+#     gosu \
+#     curl \
+#     krb5-user \
+#     && rm -rf /var/lib/apt/lists/*
+
+ENV ASPNETCORE_URLS=http://+:5000
+# END: move to base image

-ENV ASPNETCORE_URLS http://+:5000
 WORKDIR /app
 EXPOSE 5000
-COPY entrypoint.sh /
-RUN chmod +x /entrypoint.sh
-
-COPY obj/build-output/publish .
-
+COPY --from=build /build/src/${PROJECT_NAME}/out /app
 HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1

-ENTRYPOINT ["/entrypoint.sh"]
+# TODO: use an entrypoint script with `set -e && exec ${PROJECT_NAME}`
+USER app
+ENTRYPOINT ["./Billing"]
--- a/src/Billing/entrypoint.sh
+++ b/src/Billing/entrypoint.sh
@ -35,9 +35,9 @@ mkdir -p /etc/bitwarden/logs
 mkdir -p /etc/bitwarden/ca-certificates
 chown -R $USERNAME:$GROUPNAME /etc/bitwarden

-if [[ $globalSettings__selfHosted == "true" ]]; then
-  cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
-    && update-ca-certificates
-fi
+# if [[ $globalSettings__selfHosted == "true" ]]; then
+#   cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
+#     && update-ca-certificates
+# fi

 exec gosu $USERNAME:$GROUPNAME dotnet /app/Billing.dll
--- a/src/Events/Dockerfile
+++ b/src/Events/Dockerfile
@ -1,21 +1,76 @@
-FROM mcr.microsoft.com/dotnet/aspnet:8.0
+FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+ARG PROJECT_NAME=Events

+WORKDIR /build
+COPY ../../ ./
+
+WORKDIR /build/src/${PROJECT_NAME}
+
+RUN <<EOF
+  case "$TARGETPLATFORM" in
+    *"linux/amd64"*)
+      dotnet publish --self-contained /p:PublishSingleFile=true -r linux-x64 -o out
+      ;;
+    *"linux/arm64"*)
+      dotnet publish --self-contained /p:PublishSingleFile=true -r linux-arm64 -o out
+      ;;
+    *)
+      echo "unsupported target platform: $TARGETPLATFORM"
+      exit 1;;
+  esac
+EOF
+
+# FROM ghcr.io/linuxserver/baseimage-ubuntu:noble
+FROM mcr.microsoft.com/dotnet/aspnet:8.0
+# TODO: move this to a base image
 LABEL com.bitwarden.product="bitwarden"

-RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-    gosu \
-    curl \
-    krb5-user \
-    && rm -rf /var/lib/apt/lists/*
+ENV PROJECT_NAME=Events

+# RUN groupadd \
+#   --gid=$APP_UID \
+#   app \
+#   && useradd -l \
+#   --uid=$APP_UID \
+#   --gid=$APP_UID \
+#   --create-home \
+#   app
+
+RUN mkdir -p {/config} \
+    && chown -R app:app {/config}
+
+# RUN apt-get update \
+#     && apt-get install -y --no-install-recommends \
+#     gosu \
+#     curl \
+#     krb5-user \
+#     && rm -rf /var/lib/apt/lists/*
+
+# RUN apt-get update \
+#     && apt-get install -y --no-install-recommends \
+#         ca-certificates \
+#         \
+#         # .NET dependencies
+#         libc6 \
+#         libgcc-s1 \
+#         # libicu70 \
+#         libicu74 \
+#         libssl3 \
+#         libstdc++6 \
+#         tzdata \
+#         zlib1g \
+#     && rm -rf /var/lib/apt/lists/*
+
+# ENV HOME=/home/app
 ENV ASPNETCORE_URLS http://+:5000
-WORKDIR /app
+# END: move to base image
+
 EXPOSE 5000
-COPY obj/build-output/publish .
-COPY entrypoint.sh /
-RUN chmod +x /entrypoint.sh
+WORKDIR /app
+COPY --from=build /build/src/${PROJECT_NAME}/out /app
+HEALTHCHECK CMD curl -f http://localhost:5000/google.com/icon.png || exit 1

-HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1
-
-ENTRYPOINT ["/entrypoint.sh"]
+USER app
+ENTRYPOINT ["./Events"]
--- a/src/Events/entrypoint.sh
+++ b/src/Events/entrypoint.sh
@ -35,10 +35,10 @@ mkdir -p /etc/bitwarden/logs
 mkdir -p /etc/bitwarden/ca-certificates
 chown -R $USERNAME:$GROUPNAME /etc/bitwarden

-if [[ $globalSettings__selfHosted == "true" ]]; then
-  cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
-    && update-ca-certificates
-fi
+# if [[ $globalSettings__selfHosted == "true" ]]; then
+#   cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
+#     && update-ca-certificates
+# fi

 if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then
  chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos
--- a/src/EventsProcessor/entrypoint.sh
+++ b/src/EventsProcessor/entrypoint.sh
@ -34,9 +34,9 @@ mkdir -p /etc/bitwarden/logs
 #mkdir -p /etc/bitwarden/ca-certificates
 chown -R $USERNAME:$GROUPNAME /etc/bitwarden

-if [[ $globalSettings__selfHosted == "true" ]]; then
-  cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
-    && update-ca-certificates
-fi
+# if [[ $globalSettings__selfHosted == "true" ]]; then
+#   cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
+#     && update-ca-certificates
+# fi

 exec gosu $USERNAME:$GROUPNAME dotnet /app/EventsProcessor.dll
--- a/src/Icons/Dockerfile
+++ b/src/Icons/Dockerfile
@ -1,20 +1,76 @@
-FROM mcr.microsoft.com/dotnet/aspnet:8.0
+FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+ARG PROJECT_NAME=Icons

+WORKDIR /build
+COPY ../../ ./
+
+WORKDIR /build/src/${PROJECT_NAME}
+
+RUN <<EOF
+  case "$TARGETPLATFORM" in
+    *"linux/amd64"*)
+      dotnet publish --self-contained /p:PublishSingleFile=true -r linux-x64 -o out
+      ;;
+    *"linux/arm64"*)
+      dotnet publish --self-contained /p:PublishSingleFile=true -r linux-arm64 -o out
+      ;;
+    *)
+      echo "unsupported target platform: $TARGETPLATFORM"
+      exit 1;;
+  esac
+EOF
+
+# FROM ghcr.io/linuxserver/baseimage-ubuntu:noble
+FROM mcr.microsoft.com/dotnet/aspnet:8.0
+# TODO: move this to a base image
 LABEL com.bitwarden.product="bitwarden"

-RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-    gosu \
-    curl \
-    && rm -rf /var/lib/apt/lists/*
+ENV PROJECT_NAME=Icons

+# RUN groupadd \
+#   --gid=$APP_UID \
+#   app \
+#   && useradd -l \
+#   --uid=$APP_UID \
+#   --gid=$APP_UID \
+#   --create-home \
+#   app
+
+RUN mkdir -p {/config} \
+    && chown -R app:app {/config}
+
+# RUN apt-get update \
+#     && apt-get install -y --no-install-recommends \
+#     gosu \
+#     curl \
+#     krb5-user \
+#     && rm -rf /var/lib/apt/lists/*
+
+# RUN apt-get update \
+#     && apt-get install -y --no-install-recommends \
+#         ca-certificates \
+#         \
+#         # .NET dependencies
+#         libc6 \
+#         libgcc-s1 \
+#         # libicu70 \
+#         libicu74 \
+#         libssl3 \
+#         libstdc++6 \
+#         tzdata \
+#         zlib1g \
+#     && rm -rf /var/lib/apt/lists/*
+
+# ENV HOME=/home/app
 ENV ASPNETCORE_URLS http://+:5000
-WORKDIR /app
-EXPOSE 5000
-COPY obj/build-output/publish .
-COPY entrypoint.sh /
-RUN chmod +x /entrypoint.sh
+# END: move to base image

+EXPOSE 5000
+WORKDIR /app
+COPY --from=build /build/src/${PROJECT_NAME}/out /app
 HEALTHCHECK CMD curl -f http://localhost:5000/google.com/icon.png || exit 1

-ENTRYPOINT ["/entrypoint.sh"]
+USER app
+ENTRYPOINT ["./Icons"]
--- a/src/Icons/entrypoint.sh
+++ b/src/Icons/entrypoint.sh
@ -34,9 +34,9 @@ mkdir -p /etc/bitwarden/logs
 mkdir -p /etc/bitwarden/ca-certificates
 chown -R $USERNAME:$GROUPNAME /etc/bitwarden

-if [[ $globalSettings__selfHosted == "true" ]]; then
-  cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
-    && update-ca-certificates
-fi
+# if [[ $globalSettings__selfHosted == "true" ]]; then
+#   cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
+#     && update-ca-certificates
+# fi

 exec gosu $USERNAME:$GROUPNAME dotnet /app/Icons.dll
--- a/src/Identity/Dockerfile
+++ b/src/Identity/Dockerfile
@ -1,11 +1,12 @@
 FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
+ARG PROJECT_NAME=Identity

 WORKDIR /build
 COPY ../../ ./

-WORKDIR /build/src/Identity
+WORKDIR /build/src/${PROJECT_NAME}

 RUN <<EOF
  case "$TARGETPLATFORM" in
@ -21,11 +22,17 @@ RUN <<EOF
  esac
 EOF

+# FROM ghcr.io/linuxserver/baseimage-ubuntu:noble
+FROM mcr.microsoft.com/dotnet/aspnet:8.0

-FROM ghcr.io/linuxserver/baseimage-ubuntu:noble
-
+# TODO: move this to a base image
 LABEL com.bitwarden.product="bitwarden"

+ENV PROJECT_NAME=Identity
+
+RUN mkdir -p {/config} \
+  && chown -R app:app {/config}
+
 # RUN apt-get update \
 #     && apt-get install -y --no-install-recommends \
 #     gosu \
@ -33,41 +40,14 @@ LABEL com.bitwarden.product="bitwarden"
 #     krb5-user \
 #     && rm -rf /var/lib/apt/lists/*

-ENV APP_UID=1654
-ENV ASPNETCORE_HTTP_PORTS=8080
-ENV DOTNET_RUNNING_IN_CONTAINER=true
-
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-        ca-certificates \
-        \
-        # .NET dependencies
-        libc6 \
-        libgcc-s1 \
-        # libicu70 \
-        libicu74 \
-        libssl3 \
-        libstdc++6 \
-        tzdata \
-        zlib1g \
-    && rm -rf /var/lib/apt/lists/*
-
-# Create a non-root user and group
-RUN groupadd \
-        --gid=$APP_UID \
-        app \
-    && useradd -l \
-        --uid=$APP_UID \
-        --gid=$APP_UID \
-        --create-home \
-        app
+ENV ASPNETCORE_URLS=http://+:5000
+# END: move to base image

 EXPOSE 5000
-
-USER app
-ENV HOME=/home/app
-ENV ASPNETCORE_URLS=http://+:5000
 WORKDIR /app
-COPY --from=build /build/src/Identity/out /app
-HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1
+COPY --from=build /build/src/${PROJECT_NAME}/out /app
+HEALTHCHECK CMD curl -f http://localhost:5000/.well-known/openid-configuration || exit 1
+
+# TODO: use an entrypoint script with `set -e && exec ${PROJECT_NAME}`
+USER app
 ENTRYPOINT ["./Identity"]
--- a/src/Identity/entrypoint.sh
+++ b/src/Identity/entrypoint.sh
@ -41,10 +41,10 @@ fi

 chown -R $USERNAME:$GROUPNAME /app

-if [[ $globalSettings__selfHosted == "true" ]]; then
-  cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
-    && update-ca-certificates
-fi
+# if [[ $globalSettings__selfHosted == "true" ]]; then
+#   cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
+#     && update-ca-certificates
+# fi

 if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then
  chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos
--- a/src/Notifications/entrypoint.sh
+++ b/src/Notifications/entrypoint.sh
@ -34,9 +34,9 @@ mkdir -p /etc/bitwarden/logs
 mkdir -p /etc/bitwarden/ca-certificates
 chown -R $USERNAME:$GROUPNAME /etc/bitwarden

-if [[ $globalSettings__selfHosted == "true" ]]; then
-  cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
-    && update-ca-certificates
-fi
+# if [[ $globalSettings__selfHosted == "true" ]]; then
+#   cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
+#     && update-ca-certificates
+# fi

 exec gosu $USERNAME:$GROUPNAME dotnet /app/Notifications.dll
--- a/util/Attachments/Dockerfile
+++ b/util/Attachments/Dockerfile
@ -1,18 +1,13 @@
-FROM bitwarden/server:latest
+FROM bitwarden/server:latest as build
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+ARG PROJECT_NAME=Attachments

-LABEL com.bitwarden.product="bitwarden"
+RUN mkdir -p {/storage/attachments,/bitwarden_server,/config} \
+  && chown -R app:app {/storage/attachments,/bitwarden_server,/config}

-RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-        gosu \
-        curl \
-    && rm -rf /var/lib/apt/lists/*
-
-ENV ASPNETCORE_URLS http://+:5000
 EXPOSE 5000
-COPY entrypoint.sh /
-RUN chmod +x /entrypoint.sh
-
 HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1

-ENTRYPOINT ["/entrypoint.sh"]
+USER app
+ENTRYPOINT ["/bitwarden_server/Server", "/contentRoot=/config/core/attachments", "/webRoot=.", "/serveUnknown=true"]
--- a/util/Server/Dockerfile
+++ b/util/Server/Dockerfile
@ -1,5 +1,48 @@
+FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+ARG PROJECT_NAME=Server
+
+WORKDIR /build
+COPY ../../ ./
+
+WORKDIR /build/util/${PROJECT_NAME}
+
+RUN <<EOF
+  case "$TARGETPLATFORM" in
+    *"linux/amd64"*)
+      dotnet publish "./Server.csproj" -c "Release" --self-contained /p:PublishSingleFile=true -r linux-x64 -o out # || \
+      # ls -hal && exit 1
+      ;;
+    *"linux/arm64"*)
+      dotnet publish "./Server.csproj" -c "Release" --self-contained /p:PublishSingleFile=true -r linux-arm64 -o out # || \
+      # ls -hal && exit 1
+      ;;
+    *)
+      echo "unsupported target platform: $TARGETPLATFORM"
+      exit 1
+      ;;
+  esac
+EOF
+
 FROM mcr.microsoft.com/dotnet/aspnet:8.0
-
+RUN true
 LABEL com.bitwarden.product="bitwarden"
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+ARG PROJECT_NAME=Server

-COPY obj/build-output/publish /bitwarden_server
+# RUN apt-get update \
+#     && apt-get install -y --no-install-recommends \
+#     gosu \
+#     curl \
+#     krb5-user \
+#     && rm -rf /var/lib/apt/lists/*
+
+ENV ASPNETCORE_URLS=http://+:5000
+
+# file will be in: /build/util/Server/bin/Release/net8.0/linux-arm64/Server.dll
+COPY --from=build /build/util/${PROJECT_NAME}/out/ /bitwarden_server
+
+RUN mkdir -p {/app,/bitwarden_server,/config,/storage} \
+  && chown -R app:app {/app,/bitwarden_server,/config,/storage}