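# Compose pipeline with three services: build the OS image, import the PGP
# signing key, and serve the resulting images as static files.
services:
  # Runs /build/build-image.sh inside a Gentoo stage3 container.
  build:
    # NOTE(review): the tag is mutable; consider pinning by digest
    # (docker.io/gentoo/stage3@sha256:<digest>) so the build base cannot
    # change silently between runs.
    image: docker.io/gentoo/stage3:musl-hardened
    command: /build/build-image.sh
    # privileged gives the container near-host-level access (all
    # capabilities, host devices). Presumably the build script needs it for
    # loop devices or mounts; confirm, and prefer specific cap_add/devices
    # entries if those are sufficient.
    privileged: true
    environment:
      DISTPATH: "/build/artifacts/dist"
      IMGPATH: "/build/images"
      # Interpolated from the caller's environment or .env file. An unset
      # variable becomes an empty string, so the build script should fail
      # closed on empty SECBOOT/TPM/REQSIG rather than treat it as "off".
      MINOR: "${MINOR}"
      SECBOOT: "${SECBOOT}"
      TPM: "${TPM}"
      REQSIG: "${REQSIG}"
      DISTURL: "${DISTURL}"
    secrets:
      # Only the public key is exposed to the privileged build container.
      - pgp_key_public
    volumes:
      - ./build:/build

  # Imports the private signing key into gpg.
  sign:
    # NOTE(review): no tag given, so this resolves to :latest from a
    # third-party repository while handling the private signing key;
    # pin by digest (docker.io/vladgh/gpg@sha256:<digest>).
    image: docker.io/vladgh/gpg
    # Compose mounts each secret at /run/secrets/<secret name>, so the key
    # path must be pgp_key_private (no secret named signing_key_private is
    # declared). Options come before the file argument because gpg treats
    # everything after the first file name as further file names.
    # NOTE(review): GnuPG 2.1+ only honours --passphrase-file together with
    # --pinentry-mode loopback; confirm against the gpg version in the image.
    # NOTE(review): this step only imports the key; no signing command or
    # persistent GNUPGHOME volume is visible in this file.
    command: >-
      --batch
      --passphrase-file /run/secrets/pgp_key_password
      --import /run/secrets/pgp_key_private
    secrets:
      - pgp_key_password
      - pgp_key_private
      - pgp_key_public
    volumes:
      - ./build/images:/images

  # Serves the built images over HTTP.
  serve:
    # NOTE(review): untagged third-party image; pin by digest
    # (docker.io/halverneus/static-file-server@sha256:<digest>).
    image: docker.io/halverneus/static-file-server
    volumes:
      # Read-only: the file server never needs to modify release artifacts.
      # NOTE(review): confirm the server's configured root folder is /images.
      - ./build/images:/images:ro

secrets:
  # PGP keys: For signing image files, overlays, and other release artifacts.
  # These files hold private key material and its passphrase; keep the
  # secrets/ directory out of version control and restrict its permissions.
  pgp_key_password:
    file: secrets/HalogenOS_pgp_key_password.txt
  pgp_key_private:
    file: secrets/HalogenOS_pgp_key_private.asc
  pgp_key_public:
    file: secrets/HalogenOS_pgp_key_public.asc
  # X509 keys: For signing kernel modules. Unused for now.
  # Unless keys are synced across builds, kernel modules cannot be used in
  # overlays, because by default new keys are automatically generated on each
  # build.
  x509_key_password:
    file: secrets/HalogenOS_x509_key_password.txt
  x509_key_private:
    file: secrets/HalogenOS_x509_key_private.pfx
  x509_key_public:
    file: secrets/HalogenOS_x509_key_public.cer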