services:
  build:
    image: docker.io/gentoo/stage3:musl-hardened
    command: /build/build-image.sh
    privileged: true
    environment:
      DISTPATH: "/build/artifacts/dist"
      IMGPATH: "/build/images"
      MINOR: ${MINOR}
      SECBOOT: ${SECBOOT}
      TPM: ${TPM}
      REQSIG: ${REQSIG}
    secrets:
      - signing_key_public
    volumes:
      - ./build:/build
  sign:
    image: docker.io/vladgh/gpg
    command: --batch --import /run/secrets/signing_key_private --passphrase-file /run/secrets/signing_key_password
    secrets:
     - signing_key_password
     - signing_key_private
     - signing_key_public
    volumes:
     - ./build/images:/images
  serve:
    image: docker.io/halverneus/static-file-server
    volumes:
     - ./build/images:/images

secrets:
  signing_key_password:
    file: secrets/signing_key_password.txt
  signing_key_private:
    file: secrets/HalogenOS_private.asc
  signing_key_public:
    file: secrets/HalogenOS_public.asc