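# Gitea Actions runner image built on debian:13-slim.
#
# One RUN heredoc (requires BuildKit) installs the base tooling, Docker CE,
# the requested Node.js lines, yq and Go, then creates the runner accounts.
#
# NOTE(review): the base image is pinned by tag only, and Node.js, Go and yq
# are resolved to "latest" at build time, so two builds of this file can
# produce different images. Pin the base by digest and the tools by version
# if reproducible builds are required.
FROM debian:13-slim

ARG TARGETARCH
ARG NODE_VERSION="20 24"
ARG RUNNER=runner
ARG BUILD_DATE
ARG BUILD_REF
ARG BUILD_TAG=gitea-debian-runner
ARG BUILD_TAG_VERSION=13-slim
ARG BUILD_OWNER=ipng
ARG BUILD_REPO=gitea-debian-runner

# The user-related values follow ARG RUNNER so that a build with a different
# RUNNER does not leave USER/RUNNER_TEMP/PATH pointing at /home/runner, which
# the RUN step below would never create. With the default they are unchanged.
# DEBIAN_FRONTEND stays in the runtime environment, so apt-get invoked inside
# a container started from this image is non-interactive as well.
ENV DEBIAN_FRONTEND=noninteractive \
    ImageOS=debian13 \
    IMAGE_OS=debian13 \
    LSB_RELEASE=13 \
    LSB_OS_VERSION=13 \
    AGENT_TOOLSDIRECTORY=/opt/hostedtoolcache \
    RUN_TOOL_CACHE=/opt/hostedtoolcache \
    ACT_TOOLSDIRECTORY=/opt/acttoolcache \
    DEPLOYMENT_BASEPATH=/opt/runner \
    RUNNER_TEMP=/home/${RUNNER}/work/_temp \
    USER=${RUNNER} \
    RUNNER_USER=${RUNNER} \
    PATH=/home/${RUNNER}/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

SHELL ["/bin/bash", "--login", "-eo", "pipefail", "-c"]

WORKDIR /tmp

RUN <<'EOF'
set -Eeuxo pipefail

# Map `uname -m` to the architecture name each upstream uses in its file names.
node_arch() {
  case "$(uname -m)" in
    aarch64) echo arm64 ;;
    x86_64) echo x64 ;;
    armv7l) echo armv7l ;;
    *) exit 1 ;;
  esac
}

yq_arch() {
  case "$(uname -m)" in
    aarch64) echo arm64 ;;
    x86_64) echo amd64 ;;
    armv7l) echo arm ;;
    *) exit 1 ;;
  esac
}

go_arch() {
  case "$(uname -m)" in
    aarch64) echo arm64 ;;
    x86_64) echo amd64 ;;
    armv7l) echo armv6l ;;
    *) exit 1 ;;
  esac
}

apt-get -yq update
apt-get -yq install --no-install-recommends \
  ca-certificates curl wget gnupg ssh sudo gawk jq \
  zstd zip unzip xz-utils \
  git git-lfs rsync \
  python3-pip python3-venv pipx \
  libyaml-0-2

ln -sf "$(command -v python3)" /usr/local/bin/python

# NOTE(review): safe.directory '*' switches off Git's repository-ownership
# check for every path, system-wide. Any git command run in this image will
# honour the config and hooks of repositories owned by another user.
git config --system --add safe.directory '*'

# Docker CE apt repository.
# NOTE(review): the signing key is trusted on first use over TLS. Comparing
# its fingerprint with the one Docker documents before writing docker.list
# would remove that build-time trust assumption.
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
. /etc/os-release
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian ${VERSION_CODENAME} stable" \
  > /etc/apt/sources.list.d/docker.list
apt-get -yq update
apt-get -yq install --no-install-recommends \
  docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# NOTE(review): ssh-keyscan records whatever host keys the build network
# returns; nothing here checks them against the fingerprints the providers
# publish, so the pinned keys are only as trustworthy as the build network.
mkdir -m 0700 -p /root/.ssh
{ ssh-keyscan github.com; ssh-keyscan ssh.dev.azure.com; } >> /etc/ssh/ssh_known_hosts

# Strip double quotes from /etc/environment, then append the image variables.
sed -i 's|"||g' /etc/environment
{
  echo "ImageOS=${ImageOS}"
  echo "IMAGE_OS=${IMAGE_OS}"
  echo "LSB_RELEASE=${LSB_RELEASE}"
  echo "LSB_OS_VERSION=${LSB_OS_VERSION}"
  echo "AGENT_TOOLSDIRECTORY=${AGENT_TOOLSDIRECTORY}"
  echo "RUN_TOOL_CACHE=${RUN_TOOL_CACHE}"
  echo "ACT_TOOLSDIRECTORY=${ACT_TOOLSDIRECTORY}"
  echo "DEPLOYMENT_BASEPATH=${DEPLOYMENT_BASEPATH}"
  echo "USER=${USER}"
  echo "RUNNER_USER=${RUNNER_USER}"
  echo "RUNNER_TEMP=${RUNNER_TEMP}"
} >> /etc/environment

# NOTE(review): these directories are world-writable (0777) and later hold
# the node and go binaries that /usr/local/bin links to.
mkdir -m 0777 -p "${AGENT_TOOLSDIRECTORY}" "${ACT_TOOLSDIRECTORY}" /github

# Node.js: install the newest release of every major line in NODE_VERSION.
IFS=' ' read -r -a NODE <<<"${NODE_VERSION}"
for ver in "${NODE[@]}"; do
  # On armv7l the 24 line is replaced by 22.
  if [[ "${ver}" == "24" && "$(node_arch)" == "armv7l" ]]; then
    ver=22
  fi
  VER=$(curl -fsSL https://nodejs.org/download/release/index.json \
    | jq -r "[.[] | select(.version|test(\"^v${ver}\\\\.\"))][0].version")
  if [[ "${VER}" != v* ]]; then
    echo "no Node.js release found for line ${ver}" >&2
    exit 1
  fi
  NODEPATH="${ACT_TOOLSDIRECTORY}/node/${VER:1}/$(node_arch)"
  mkdir -m 0777 -p "${NODEPATH}"

  # Fetch tarball and checksum list from the same versioned directory and
  # verify before unpacking. This catches a truncated or swapped download;
  # it does not authenticate the origin (that needs the signed SHASUMS file
  # and the Node.js release keys, which this image does not provision).
  NODE_URL="https://nodejs.org/download/release/${VER}"
  NODE_TARBALL="node-${VER}-linux-$(node_arch).tar.xz"
  NODE_SHA256=$(curl -fsSL "${NODE_URL}/SHASUMS256.txt" \
    | awk -v f="${NODE_TARBALL}" '$2 == f { print $1 }')
  if [[ ! "${NODE_SHA256}" =~ ^[0-9a-f]{64}$ ]]; then
    echo "no published sha256 for ${NODE_TARBALL}" >&2
    exit 1
  fi
  wget -q "${NODE_URL}/${NODE_TARBALL}" -O node.tar.xz
  echo "${NODE_SHA256}  node.tar.xz" | sha256sum -c -
  tar -Jxf node.tar.xz --strip-components=1 -C "${NODEPATH}"
  rm node.tar.xz

  # The 24 line (22 on armv7l) becomes the default node on PATH.
  if [[ "${ver}" == "24" || ( "${ver}" == "22" && "$(node_arch)" == "armv7l" ) ]]; then
    ln -sfn "${NODEPATH}" "${ACT_TOOLSDIRECTORY}/node/current"
    ln -sf "${NODEPATH}"/bin/node "${NODEPATH}"/bin/npm "${NODEPATH}"/bin/npx "${NODEPATH}"/bin/corepack /usr/local/bin/
  fi
done

# NOTE(review): yq is taken from the moving "latest" release and placed in
# /usr/bin without any integrity check. Pin a release tag and verify the
# binary against the checksums published with that release.
base_url=https://github.com/mikefarah/yq/releases/latest/download
wget -q "${base_url}/yq_linux_$(yq_arch)" -O /usr/bin/yq
chmod +x /usr/bin/yq

# Go: newest release listed by go.dev, verified against the sha256 that the
# same listing publishes, and written to disk first so that nothing is
# unpacked before the check has passed.
curl -fsSL 'https://go.dev/dl/?mode=json' -o go-dl.json
GO_VER=$(jq -r '.[0].version' go-dl.json | sed 's/^go//')
GO_TARBALL="go${GO_VER}.linux-$(go_arch).tar.gz"
GO_SHA256=$(jq -r --arg f "${GO_TARBALL}" \
  '.[0].files[] | select(.filename == $f) | .sha256' go-dl.json)
if [[ ! "${GO_SHA256}" =~ ^[0-9a-f]{64}$ ]]; then
  echo "no published sha256 for ${GO_TARBALL}" >&2
  exit 1
fi
GO_PATH="${ACT_TOOLSDIRECTORY}/go/${GO_VER}/$(go_arch)"
mkdir -m 0777 -p "${GO_PATH}"
wget -q "https://go.dev/dl/${GO_TARBALL}" -O go.tar.gz
echo "${GO_SHA256}  go.tar.gz" | sha256sum -c -
tar -zxf go.tar.gz --strip-components=1 -C "${GO_PATH}"
rm go.tar.gz go-dl.json
touch "${GO_PATH}.complete"
ln -sf "${GO_PATH}"/bin/* /usr/local/bin/

# Accounts: ${RUNNER} (1001) plus an admin account on UID/GID 1000. If GID
# 1000 already exists its group name is reused, and a failing useradd for
# the admin account is tolerated on purpose.
groupadd -g 1001 "${RUNNER}"
RUNNERADMIN="${RUNNER}admin"
groupadd -g 1000 "${RUNNERADMIN}" || RUNNERADMIN="$(id -gn 1000)"
useradd -u 1001 -g "${RUNNER}" -G sudo -m -s /bin/bash "${RUNNER}"
useradd -u 1000 -g "${RUNNERADMIN}" -G sudo -m -s /bin/bash "${RUNNERADMIN}" || true
usermod -aG docker "${RUNNER}"
usermod -aG docker "${RUNNERADMIN}"

# NOTE(review): passwordless sudo plus docker group membership make both
# accounts root-equivalent inside the container (and on any Docker daemon
# whose socket is reachable). The USER instruction at the end of this file
# is therefore a default, not a privilege boundary; isolation has to come
# from how the runner container itself is deployed.
{
  echo "${RUNNER} ALL=(ALL) NOPASSWD: ALL"
  echo "${RUNNERADMIN} ALL=(ALL) NOPASSWD: ALL"
} >> /etc/sudoers

mkdir -p "/home/${RUNNER}/work/_temp"
mkdir -m 0700 -p "/home/${RUNNER}/.ssh"
# Same trust-on-first-use caveat as for /etc/ssh/ssh_known_hosts; RSA keys only.
{ ssh-keyscan -t rsa github.com; ssh-keyscan -t rsa ssh.dev.azure.com; } > "/home/${RUNNER}/.ssh/known_hosts"
chmod 644 "/home/${RUNNER}/.ssh/known_hosts"
chown -R "${RUNNER}":"${RUNNER}" "/home/${RUNNER}"
chown -R "${RUNNER}":"${RUNNERADMIN}" "${AGENT_TOOLSDIRECTORY}" "${ACT_TOOLSDIRECTORY}" /github

# Clean up inside the layer that created the files; best effort by design.
apt-get clean
rm -rf /var/cache/* /var/log/* /var/lib/apt/lists/* /tmp/* || true
EOF

LABEL org.opencontainers.image.created="${BUILD_DATE}"
LABEL org.opencontainers.image.vendor="${BUILD_OWNER}"
LABEL org.opencontainers.image.url="https://git.ipng.ch/${BUILD_OWNER}/${BUILD_REPO}"
LABEL org.opencontainers.image.source="https://git.ipng.ch/${BUILD_OWNER}/${BUILD_REPO}"
LABEL org.opencontainers.image.version="${BUILD_TAG_VERSION}"
LABEL org.opencontainers.image.title="${BUILD_TAG}-${TARGETARCH}"
LABEL org.opencontainers.image.description="IPng Debian Runner — Gitea Actions runner image based on debian:13-slim, with git-lfs, rsync and Go"
LABEL org.opencontainers.image.revision="${BUILD_REF}"

USER ${RUNNER}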