football/Dockerfile
reachableceo efc497efd6 fix: add M-09/M-10/M-11/H-09 - reproducibility, GPG signing, cache integrity
M-09: SOURCE_DATE_EPOCH set at build start, BUILD-INFO.txt written with
build metadata for reproducibility verification.

M-10: GPG signing of ISO and SHA256 checksum. Uses persistent key at
config/gpg-keys/signing.key if available, otherwise generates ephemeral
key per build and exports pubkey alongside artifacts.

M-11: Docker base image pinned by digest (sha256:1d3c8111...) rather than by tag alone, so the
build environment cannot be silently changed by a moved or re-pushed tag.

H-09: Build cache integrity verification via SHA256 manifest. On cache
save, records checksums of all cached files. On restore, verifies each
file. Corrupted cache triggers fresh download instead of silent use.

Dockerfile: Added sbsigntool, shim-signed, systemd-boot-efi, gpg with
version pins for Secure Boot and signing support in build container.

Reference: DeepReport-2026-05-08.md findings M-09, M-10, M-11, H-09

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-08 13:03:24 -05:00


# KNEL-Football ISO Builder - Dockerfile
# Multi-stage build for security hardening and reproducible builds
# Copyright © 2026 Known Element Enterprises LLC
# License: GNU Affero General Public License v3.0 only
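# Base stage - minimal Debian 13 base.
# Pinned by digest so a moved or re-pushed 13.3-slim tag cannot swap the build
# environment; the digest has to be bumped deliberately to pick up security fixes.
FROM debian:13.3-slim@sha256:1d3c811171a08a5adaa4a163fbafd96b61b87aa871bbc7aa15431ac275d3d430 AS base
# Non-interactive debconf for every apt-get below. Kept as ENV rather than a
# build-only ARG because this image *is* a build environment and the same setting
# is wanted when the builder runs apt-based tooling at run time.
ENV DEBIAN_FRONTEND=noninteractive
# One consistent UTF-8 C locale. The previous LANG=C.UTF-8 / LC_ALL=C pair was
# contradictory: LC_ALL overrides LANG, so the effective locale was plain C and
# the LANG value never took effect. C.UTF-8 is built into glibc, no locales package needed.
ENV LANG=C.UTF-8
ENV LC_ALL=C.UTF-8
ENV TZ=UTC
# Install base dependencies (versions pinned for reproducible builds - FINDING-006).
# Caveat: Debian's main archive keeps only the current version of each package, so
# once a point release supersedes a pin this layer fails to build (fail-closed, but
# not reproducible). To rebuild an older image, point apt at snapshot.debian.org for
# the date matching these pins (and SOURCE_DATE_EPOCH) instead of loosening the pins.
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates=20250419 \
    curl=8.14.1-2+deb13u2 \
    git=1:2.47.3-0+deb13u1 \
    gnupg=2.4.7-21+deb13u1 \
    wget=1.25.0-2 \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*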
# Builder stage - ISO build tools, layered on the digest-pinned base stage
FROM base AS builder
# live-build toolchain plus ISO / boot-media utilities. Every package is version
# pinned (FINDING-006) so the build environment is fixed rather than "whatever is
# current". Packages are listed alphabetically to keep diffs readable.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        debootstrap=1.0.141 \
        dosfstools=4.2-1.2 \
        file=1:5.46-5 \
        grub-efi-amd64-bin=2.12-9+deb13u1 \
        grub-efi-ia32-bin=2.12-9+deb13u1 \
        grub-pc-bin=2.12-9+deb13u1 \
        isolinux=3:6.04~git20190206.bf6db5b4+dfsg1-3.1 \
        live-build=1:20250505+deb13u1 \
        mtools=4.0.48-1 \
        squashfs-tools=1:4.6.1-1 \
        syslinux-utils=3:6.04~git20190206.bf6db5b4+dfsg1-3.1 \
        xorriso=1.5.6-1.2+b1 \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
# Test framework for the build scripts: bats and its helper libraries, plus
# shellcheck for static analysis. Versions pinned (FINDING-006); listed alphabetically.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        bats=1.11.1-1 \
        bats-assert=2.1.0-3 \
        bats-file=0.4.0-1 \
        bats-support=0.3.0-4 \
        shellcheck=0.10.0-1 \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
# Firewall, audit and logging packages, version pinned (FINDING-006).
# NOTE(review): nftables, iptables, auditd and rsyslog are service packages that
# will not actually run inside this build container (there is no init here);
# presumably they are installed so the test suite can validate generated configs
# with the real tools — confirm against the tests. If they are meant to end up on
# the ISO, the live-build package list is the place for them, not this image.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        auditd=1:4.0.2-2+b2 \
        iptables=1.8.11-2 \
        nftables=1.1.3-1 \
        rsyslog=8.2504.0-1 \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
# Secure Boot and artifact-signing tools: sbsigntool / shim-signed / systemd-boot-efi
# for the EFI side, gpg + gpg-agent for signing the ISO and its checksum.
# NOTE(review): the base stage already pins gnupg=2.4.7-21+deb13u1, which presumably
# pulls gpg/gpg-agent in as dependencies; the explicit "+b2" pins here must stay in
# step with that pin, otherwise apt refuses the install. Listed alphabetically.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        gpg=2.4.7-21+deb13u1+b2 \
        gpg-agent=2.4.7-21+deb13u1+b2 \
        sbsigntool=0.9.4-3.2 \
        shim-signed=1.47+15.8-1 \
        systemd-boot-efi=257.9-1~deb13u1 \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
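# Create the build, output and home directories up front so they can be handed to
# the unprivileged builder user. /tmp is deliberately NOT in this list: it already
# exists as 1777 (world-writable, sticky), so builder can write there without owning
# it, and chown'ing /tmp to a non-root user lets that user delete other users' temp
# files (the sticky bit exempts the directory owner). The old mkdir -p /tmp was a no-op.
RUN mkdir -p /workspace /build /output /home/builder
# Non-root build user. `-r` allocates a UID/GID from the system range at image build
# time, so the numeric ID is not fixed; if a stable ID is needed (bind-mount
# ownership on the host, runAsNonRoot checks), pass --uid/--gid explicitly.
RUN groupadd -r builder && useradd -r -g builder builder \
    && chown -R builder:builder /workspace /build /output /home/builder
# Set working directory (created by WORKDIR if missing)
WORKDIR /workspace
# Run as the unprivileged user by default.
# NOTE(review): live-build/debootstrap normally need root (chroot, mounts) for the
# ISO build itself — confirm how `lb build` is invoked in this image before relying
# on USER builder for the full pipeline rather than just for tests/linting.
USER builder
# Default command: interactive shell (exec form, so bash is PID 1 and gets signals)
CMD ["/bin/bash"]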