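---
# Compose pipeline with three services: `build` (runs /build/build-image.sh),
# `sign` (GnuPG container holding the signing key) and `serve` (static file
# server over the built images).
#
# NOTE(review): all three images are pulled by mutable tag, and `sign` and
# `serve` have no tag at all. The `sign` container receives the private
# signing key, so pin at least that image by digest, e.g.
#   image: docker.io/vladgh/gpg@sha256:<DIGEST>
services:
  build:
    image: docker.io/gentoo/stage3:musl-hardened
    command: /build/build-image.sh
    # privileged mode removes most container isolation from the host.
    # NOTE(review): presumably required for loop devices / mounts while
    # assembling the image - confirm, and prefer specific `cap_add` /
    # `devices` entries if a narrower grant is enough.
    privileged: true
    environment:
      DISTPATH: "/build/artifacts/dist"
      IMGPATH: "/build/images"
      # Values are interpolated from the invoking shell or .env file and are
      # quoted so they always reach the script as strings. An unset variable
      # becomes an empty string; use "${VAR:?message}" if the build should
      # stop instead. NOTE(review): confirm build-image.sh treats an empty
      # SECBOOT / TPM / REQSIG as the safe setting.
      MINOR: "${MINOR}"
      SECBOOT: "${SECBOOT}"
      TPM: "${TPM}"
      REQSIG: "${REQSIG}"
      DISTURL: "${DISTURL}"
    # Only the public key is exposed to the privileged build container; the
    # private key and its passphrase are limited to the `sign` service.
    secrets:
      - pgp_key_public
    volumes:
      - ./build:/build

  sign:
    image: docker.io/vladgh/gpg
    # Secrets are mounted at /run/secrets/<secret name>, so the private key
    # path must use the `pgp_key_private` name declared below (the previous
    # /run/secrets/signing_key_private path matches no declared secret).
    # GnuPG expects options before the command, so --passphrase-file comes
    # ahead of --import.
    # NOTE(review): this only imports the key into a keyring that lives in
    # the container; no signing command is visible here - confirm where the
    # artifacts under /images actually get signed.
    command: >-
      --batch
      --passphrase-file /run/secrets/pgp_key_password
      --import /run/secrets/pgp_key_private
    secrets:
      - pgp_key_password
      - pgp_key_private
      - pgp_key_public
    volumes:
      - ./build/images:/images

  serve:
    image: docker.io/halverneus/static-file-server
    # Read-only: the file server only needs to read the release artifacts.
    # NOTE(review): no `ports` entry and no FOLDER setting are present;
    # confirm the server is reachable and actually serves /images.
    volumes:
      - ./build/images:/images:ro

# File-backed secrets, read from ./secrets relative to this compose file.
# NOTE(review): make sure that directory is excluded from version control
# and from the ./build bind mount.
secrets:
  # PGP keys: For signing image files, overlays, and other release artifacts.
  pgp_key_password:
    file: secrets/HalogenOS_pgp_key_password.txt
  pgp_key_private:
    file: secrets/HalogenOS_pgp_key_private.asc
  pgp_key_public:
    file: secrets/HalogenOS_pgp_key_public.asc
  # X509 keys: For signing kernel modules. Unused for now.
  # Unless keys are synced across builds, kernel modules cannot be used in
  # overlays, because by default new keys are automatically generated on each
  # build.
  x509_key_password:
    file: secrets/HalogenOS_x509_key_password.txt
  x509_key_private:
    file: secrets/HalogenOS_x509_key_private.pfx
  x509_key_public:
    file: secrets/HalogenOS_x509_key_public.cer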