initial commit

Author: jaredallard

.github/workflows/docker.yml

@@ -0,0 +1,57 @@
+name: docker
+
+on:
+  push:
+    branches: [main]
+  pull_request: {}
+
+jobs:
+  build:
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+      - name: Set up QEMU
+        id: qemu
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >>"$GITHUB_ENV"
+      - run: echo "TOR_VERSION=$(tr -d '\n' <VERSION) >>"$GITHUB_ENV"
+      - name: Build and push image
+        uses: docker/build-push-action@v6
+        id: push
+        env:
+          SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+        with:
+          context: .
+          outputs: type=registry,rewrite-timestamp=true
+          sbom: true
+          push: ${{ github.event_name != 'pull_request' }}
+          provenance: "max"
+          build-args: TOR_VERSION=${{ env.TOR_VERSION }}
+          platforms: "linux/amd64,linux/arm64"
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TOR_VERSION }}
+      - name: Attest
+        uses: actions/attest-build-provenance@v2
+        id: attest
+        if: ${{ github.event_name == 'push' }}
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

Dockerfile

@@ -0,0 +1,36 @@
+# syntax=docker/dockerfile:1
+FROM gentoo/portage:latest AS portage
+FROM gentoo/stage3:latest AS builder
+
+# https://gitlab.torproject.org/tpo/core/tor/-/tags
+ARG TOR_VERSION
+
+COPY --from=portage /var/db/repos/gentoo /var/db/repos/gentoo
+
+RUN <<EOF
+  set -euo pipefail
+  
+  export MAKEOPTS="-j$(nproc)"
+  export EMERGE_DEFAULT_OPTS="--jobs 2"
+  export USE="${USE:-""} hardened zstd static-libs"
+
+  # Allows us to install any version of tor (we specify it anyways)
+  echo 'net-vpn/tor **' >/etc/portage/package.accept_keywords/tor
+
+  # Use static libs for tor
+  mkdir -p /etc/portage/env
+  echo 'EXTRA_ECONF="--enable-static-tor --with-libevent-dir=/usr/lib64 --with-openssl-dir=/usr/lib64 --with-zlib-dir=/usr/lib64"' >/etc/portage/env/torstatic.conf
+  echo 'net-vpn/tor torstatic.conf' >>/etc/portage/package.env
+
+  # Build tor dependencies first (this ensures they're updated and built
+  # with static-libs)
+  emerge dev-libs/libevent dev-libs/openssl sys-libs/libcap sys-libs/libseccomp \
+    sys-libs/zlib app-arch/xz-utils app-arch/zstd
+
+  emerge "=net-vpn/tor-${TOR_VERSION}"
+  strip /usr/bin/tor
+EOF
+
+FROM gcr.io/distroless/static-debian12:nonroot
+COPY --from=builder /usr/bin/tor /usr/bin/tor
+ENTRYPOINT ["/usr/bin/tor"]