# syntax=docker/dockerfile:1
# Base is referenced by tag only; NOTE(review): pin by digest
# (debian:trixie-slim@sha256:<digest>) when reproducible rebuilds are required.
FROM debian:trixie-slim

# Supplied automatically by BuildKit; selects the architecture-specific
# passt and utk artifacts downloaded below.
ARG TARGETARCH

# Version pins: the image's own version string and the releases fetched at build time.
ARG VERSION_ARG="0.0"
ARG VERSION_VNC="1.6.0"
ARG VERSION_UTK="1.2.0"
ARG VERSION_PASST="2025_09_19"

# Build-only debconf settings. Declared as ARG rather than ENV so the
# non-interactive flags do not leak into the runtime environment.
ARG DEBIAN_FRONTEND="noninteractive"
ARG DEBCONF_NOWARNINGS="yes"
ARG DEBCONF_NONINTERACTIVE_SEEN="true"
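RUN set -eu && \
    apt-get update && \
    apt-get --no-install-recommends -y install \
        7zip \
        apt-utils \
        bc \
        ca-certificates \
        curl \
        dnsmasq \
        e2fsprogs \
        ethtool \
        fdisk \
        genisoimage \
        inotify-tools \
        iproute2 \
        iptables \
        iputils-ping \
        jq \
        net-tools \
        netcat-openbsd \
        nginx \
        ovmf \
        procps \
        qemu-system-x86 \
        qemu-utils \
        swtpm \
        tini \
        websocketd \
        wget \
        xxd \
        xz-utils && \
    # passt: pinned by VERSION_PASST, but installed from a third-party release
    # page without an integrity check. NOTE(review): record the release digest
    # and verify it with sha256sum before dpkg -i.
    wget -q --timeout=10 "https://github.com/qemus/passt/releases/download/v${VERSION_PASST}/passt_${VERSION_PASST}_${TARGETARCH}.deb" -O /tmp/passt.deb && \
    dpkg -i /tmp/passt.deb && \
    apt-get clean && \
    # Allow QEMU's bridge helper to attach guests to br0.
    mkdir -p /etc/qemu && \
    echo "allow br0" > /etc/qemu/bridge.conf && \
    # noVNC: fetch the release tagged by VERSION_VNC. The ARG was previously
    # declared but unused and the build pulled the moving master branch, so
    # two builds could ship different client code.
    mkdir -p /usr/share/novnc && \
    wget -q --timeout=10 "https://github.com/novnc/noVNC/archive/refs/tags/v${VERSION_VNC}.tar.gz" -O /tmp/novnc.tar.gz && \
    tar -xf /tmp/novnc.tar.gz -C /tmp/ && \
    cd "/tmp/noVNC-${VERSION_VNC}" && \
    mv app core vendor package.json ./*.html /usr/share/novnc && \
    # Drop the distro default site; the image ships its own nginx config.
    unlink /etc/nginx/sites-enabled/default && \
    sed -i 's/^worker_processes.*/worker_processes 1;/' /etc/nginx/nginx.conf && \
    echo "$VERSION_ARG" > /run/version && \
    # Clean apt lists and download scratch in the same layer that produced them.
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*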
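# Prepare runtime directories for an unprivileged process (the comments in this
# image expect UID 1000 in Spaces). Written as a heredoc so each fallback is
# explicit: the original && / || chain relied on left-associative precedence,
# created /run/shm twice and made /etc/nginx/sites-enabled world-writable even
# when a simple chown would do.
RUN <<'EOF'
set -eu
# /run/shm is a sticky, world-writable scratch area; /storage is the guest
# disk volume and stays world-writable so any runtime UID can use it.
mkdir -p /run /run/shm /storage
chmod 1777 /run/shm
chmod 0777 /storage
# Nginx config slot, runtime state and the files nginx/websocketd open at
# start. Prefer handing them to UID 1000 over world-writable modes; only
# if chown is refused (build run without that privilege) relax the mode,
# and never fail the build over it.
mkdir -p /etc/nginx/sites-enabled /var/lib/nginx/body /var/log/nginx /var/cache/nginx /var/run
touch /run/shm/websocketd.log /run/nginx.pid
for dir in /etc/nginx/sites-enabled /var/lib/nginx /var/log/nginx /var/cache/nginx /var/run; do
    chown -R 1000:1000 "$dir" 2>/dev/null \
        || chmod -R 0777 "$dir" \
        || echo "warning: could not make $dir writable for the runtime user" >&2
done
for file in /run/shm/websocketd.log /run/nginx.pid; do
    chown 1000:1000 "$file" 2>/dev/null \
        || chmod 0666 "$file" \
        || echo "warning: could not make $file writable for the runtime user" >&2
done
EOF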
# Entry scripts (including /run/entry.sh used by ENTRYPOINT) and the web front-end.
COPY --chmod=755 ./src /run/
COPY --chmod=755 ./web /var/www/
# noVNC client settings placed next to the upstream files installed above.
COPY --chmod=664 ./web/conf/defaults.json /usr/share/novnc
COPY --chmod=664 ./web/conf/mandatory.json /usr/share/novnc
COPY --chmod=744 ./web/conf/nginx.conf /etc/nginx/default.conf
# utk binary, pinned by VERSION_UTK. ADD fetches it without an integrity check;
# NOTE(review): once the release digest is recorded, add
# --checksum=sha256:<utk release digest> so the layer fails on a tampered download.
ADD --chmod=755 "https://github.com/qemus/fiano/releases/download/v${VERSION_UTK}/utk_${VERSION_UTK}_${TARGETARCH}.bin" /run/utk.bin

# Declared after /storage was created and chmod'ed, so the mode set above survives.
VOLUME /storage
# Documentation only: nothing is published by EXPOSE itself.
EXPOSE 22 5900 8006

# Guest defaults, all overridable with -e at run time.
ENV BOOT="alpine" \
    CPU_CORES="2" \
    RAM_SIZE="2G" \
    DISK_SIZE="64G"

# Exec form; tini reaps child processes and forwards signals to entry.sh.
# No USER is set, so the container starts as root unless the runtime overrides it.
ENTRYPOINT ["/usr/bin/tini", "-s", "/run/entry.sh"]