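# Builds two artifacts, exported by the final `package` stage:
#   /airgap.iso  - hybrid BIOS/EFI boot ISO (host kernel + initramfs)
#   /sdcard.img  - FAT image populated from the local `sdcard` directory
#
# Every upstream image is pinned by sha256 digest. The digest, not the
# repository name, is what fixes the content of each dependency, so any
# update must change the digest on the matching FROM line.
#
# Stages:
#   base        - scratch plus the image-assembly tools (busybox, cpio,
#                 xorriso, mtools, grub)
#   dev         - base plus qemu/swtpm/edk2 and related libraries
#   build-guest - assembles guest.img (guest kernel + initramfs)
#   build       - assembles airgap.iso (embeds guest.img) and sdcard.img
#   package     - scratch image holding only the two artifacts

FROM stagex/user-alsa-lib@sha256:eeaee84f8012865bb33d68287bccfddc6fd04e9082687b8c31008dd07b8e07b8 AS user-alsa-lib
FROM stagex/core-bash@sha256:ae47fcd4247bef0ca4af762a76cb8871a5c868472cab67eed829a55364a8f1fa AS core-bash
FROM stagex/core-bc@sha256:03e1c729223e9d45f087660f65034b4f6fac91aefb94fb7ccbc85d1ab7e88c1d AS core-bc
FROM stagex/core-busybox@sha256:cac5d773db1c69b832d022c469ccf5f52daf223b91166e6866d42d6983a3b374 AS core-busybox
FROM stagex/user-ccid@sha256:313259fb6b059179ff69f4189c57d98b8d468ebf17f14c6f431d7001c8801e1c AS user-ccid
FROM stagex/user-cpio@sha256:2695e1b42f93ec3ea0545e270f0fda4adca3cb48d0526da01954efae1bce95c4 AS user-cpio
FROM stagex/core-curl@sha256:63a5963a4e7852b5482824953d18ea73c7d192fed654eb1236f8b97a6f67cbcc AS core-curl
FROM stagex/user-dtc@sha256:3877063ca1068d48e0b92fcdf5083b707e009e96a6db4bd3536924c9f440cb08 AS user-dtc
FROM stagex/user-eudev@sha256:709f6f949e93a3a91770b7323fd87eec52714677e4bed88954cadd60506cbce3 AS user-eudev
FROM stagex/user-flashtools@sha256:f3524d889e9476acbe268b289a3e43f5766da9d3d999009b0bb8e6bddcd9dc5c AS user-flashtools
FROM stagex/core-gcc@sha256:125bd6306e7f37e57d377d5a189c0e499388aff42b22cc79acee6097357c617f AS core-gcc
FROM stagex/user-glib@sha256:41fb9409b0bea2421feaee788c88efcf2778f2008634dde00b50f2b6afd2ed11 AS user-glib
FROM stagex/core-gmp@sha256:4387f9389ef656ef2305719ac1dbcc3d92631deb816da4c7101c0bdc75e57564 AS core-gmp
FROM stagex/user-gpg@sha256:92946bb4143ecbd53999cd520fbcb958aecacbac7a85bd58a758be1b57086a9c AS user-gpg
FROM stagex/user-grub@sha256:f3c9ff298c02ee3349496c3b5520079bbd115af0a347525410ba6a34170d4b4c AS user-grub
FROM stagex/user-icepick@sha256:4a63fee5c52067091ab988afb661462bb3773fdeec21b61a1ec89b728bbf3437 AS user-icepick
FROM stagex/user-ipxe@sha256:b98dea039f0a14a614f035d848d9cfa8b9ad472e6dc24b2e3099f2f8ae209abe AS user-ipxe
FROM stagex/user-jq@sha256:ced6213c21b570dde1077ef49966b64cbf83890859eff83f33c82620520b563e AS user-jq
FROM stagex/user-keyfork@sha256:2f108f6cf5aa289407df7b2ff5696d4c1f3efca45ca191da7138ebf10a9b02bf AS user-keyfork
FROM stagex/user-libaio@sha256:3e21cfd5dc07a7300546e4896a81628741c23c4728a68d36e0bb3d8a096f7742 AS user-libaio
FROM stagex/user-libassuan@sha256:dea35799659be7b85e523312c55621007b1918ff3590631155ecf2c699ca470f AS user-libassuan
FROM stagex/core-libffi@sha256:9acd18e59ca11fa727670725e69a976d96f85a00704dea6ad07870bff2bd4e8b AS core-libffi
FROM stagex/user-libgcrypt@sha256:384f0e703afad6f8885ec77fb814ef182a08600a2032183d231fee5c048a7d2d AS user-libgcrypt
FROM stagex/user-libgpg-error@sha256:6d7c09e3a7d055a6722910439c533f2babc8eda24b636bf4dfb2b29a3ed6327a AS user-libgpg-error
FROM stagex/user-libksba@sha256:c165fb5b7949473cb00b0fe59add90663346b33c6c682309ca0fcccdcf78d569 AS user-libksba
FROM stagex/user-libqrencode@sha256:c51271723df184012d7842c3bc2a2a5513121a9911f9d624d1b9b6f9cecd570e AS user-libqrencode
FROM stagex/user-libseccomp@sha256:7a397b5261c24aa745fe9158499e0db1ba21df415354bbbe77c90a6a3fd4c517 AS user-libseccomp
FROM stagex/user-libslirp@sha256:e72ebf587c366e1d0a9a42c74216dd2b9f560d52df3eb8148a2e31821415b082 AS user-libslirp
FROM stagex/user-libtpms@sha256:3fde6f85f3ce637b3d7b98e4fc74c2c57d31adf9c9ca068b3826eb7ebf16f5ba AS user-libtpms
FROM stagex/core-libunwind@sha256:4f3ead61255c1e58e7dc43a33043f297f8730ec88e068a4460e5fff09e503781 AS core-libunwind
# Declared once: the original listed this identical FROM line (same digest,
# same stage name) a second time further down.
FROM stagex/user-libusb@sha256:53d499555164f12d9e87118a6d44e1d07f0b1cc9081a29eb66975662be818a00 AS user-libusb
FROM stagex/user-libzbar@sha256:8b4ec291f772a10f372c538180f889a46837f2dd97756d1949c5c86111241fa9 AS user-libzbar
FROM stagex/core-libzstd@sha256:35ae8f0433cf1472f8fb25e74dc631723e9f458ca3e9544976beb724690adea8 AS core-libzstd
FROM stagex/user-lzo@sha256:9d141a7686fbb027366df80d4f254fb13f4c4524ba4d5cff6ea176b0b4c36cd5 AS user-lzo
FROM stagex/user-mtools@sha256:023169be123693e326d2fd97739fe0efa19638ce616cbcc52476e6f14f0a83cc AS user-mtools
FROM stagex/core-musl@sha256:d5f86324920cfc7fc34f0163502784b73161543ba0a312030a3ddff3ef8ab2f8 AS core-musl
FROM stagex/user-nettle@sha256:249bec1a4273f6461b39ef849d1d8b4ec2d4a3693930f9147cee6c37eef0794a AS user-nettle
FROM stagex/user-npth@sha256:6ac9a90ca714ba01911c1f617553a5b23b96e9e37ec4a21e5ba132c4886a70e9 AS user-npth
FROM stagex/user-numactl@sha256:4046b643293cf9e82f1d29e92c61f0b12210b65987711ddd7c6813f27f3c1bfd AS user-numactl
FROM stagex/user-openpgp-card-tools@sha256:369c13ba0a772b1aef31321c0ebbb2a6fcd512491ace003e48c6f18f258905cc AS user-openpgp-card-tools
FROM stagex/user-opensc@sha256:f8a1b5d07b6b594b964b63a2572fd10b44e79c3699efb97dfefc2f1dde054a6c AS user-opensc
FROM stagex/core-openssl@sha256:8670a22fb76965f31bda1b61cd75ae39a96e1008deffe289a5d94ee4337b1cb2 AS core-openssl
FROM stagex/user-pcsc-lite@sha256:0f06c2e73fabc6f9484bb39362d4084a45ffe88c862764813a62a75840b10cfc AS user-pcsc-lite
FROM stagex/user-pcsc-tools@sha256:366867b9c29664264224db7651b710cd70761b67c41ce9c27b9d2829e18b5a30 AS user-pcsc-tools
FROM stagex/user-qemu@sha256:768024466eb41de11f270c891257814aa6292b44ec2b5da4cff75f0dbcae65c8 AS user-qemu
FROM stagex/user-canokey-qemu@sha256:3f949f099194d2b721914d9d308c699818f83833b07db1d2e504ee16bfdfa348 AS user-canokey-qemu
FROM stagex/user-sdtool@sha256:f4be5c2fe87fa3dd8742f91be5a368b6833ceb7156d33192e5339869629aa06a AS user-sdtool
FROM stagex/user-seabios@sha256:4adf4c3f70a6c69cb1c925a832363547cfb73ef5a7d75ff65885624916aace90 AS user-seabios
FROM stagex/user-sops@sha256:d14c34ca5d537253f673fb0573fc47c9efd73c76e5a6927a820ee5abfadec557 AS user-sops
FROM stagex/core-zlib@sha256:b35b643642153b1620093cfe2963f5fa8e4d194fb2344a5786da5717018976c2 AS core-zlib
FROM stagex/user-sequoia-sq@sha256:b7197adb937e3ee0fc8e8edc041acb836da9b2958cbe4bb3b1797b73b50205f7 AS user-sequoia-sq
FROM stagex/user-sequoia-sq-wot@sha256:7e914c221d65a4cda9683591082e9f5c70d8d31d6a415c1b98e75f4d89f985c5 AS user-sequoia-sq-wot
FROM stagex/core-sqlite3@sha256:3c9318b8fae8471113a229f12cb8956cf8b0119177997ba69c4ead5e97efcdf4 AS core-sqlite3
FROM stagex/user-swtpm@sha256:fc72e5089c08476cfbfd863daf80b3ea86016c27f5c5cf8d497baf9aa0d23a78 AS user-swtpm
FROM stagex/user-syslinux@sha256:6a92128218d68d25d6e10a534776473d805923a318cccb303555f730c7b7410e AS user-syslinux
FROM stagex/user-tpm2-tools@sha256:f25049635ae36e17281c651e0fd6d949abc407185c1013887a0d4feab09ababf AS user-tpm2-tools
FROM stagex/user-tpm2-tss@sha256:58f4d393d6b51746a464ad4eb4a13867c8323c175e0798de9d27be171a088cfa AS user-tpm2-tss
FROM stagex/user-util-linux@sha256:ec5ec2dfd1803dc897a9c0589f12e7ccff3058be4048af3076ff33069f993dd8 AS user-util-linux
FROM stagex/user-xorriso@sha256:6649dab95928e8eeb0199f7bd27852e6fa2682949f3c8f2b7a03978a5ff15b10 AS user-xorriso
FROM stagex/core-xz@sha256:75b657032c8a47eabc3805bae944302c3eeab524e853d6d209285d4347cba0c7 AS core-xz
FROM stagex/user-yq@sha256:47a39bfdeffff4344f41d60aa81671c7fd30c3e5e6d21ced21a05a5d836f3d34 AS user-yq
FROM stagex/user-edk2@sha256:db24be51d35117d264dccfc44f0ca331f59d738083170cd9bb86b49a5c06abff AS user-edk2
FROM stagex/core-ca-certificates@sha256:d6fca6c0080e8e5360cd85fc1c4bd3eab71ce626f40602e38488bfd61fd3e89d AS core-ca-certificates
FROM stagex/user-linux-guest-net@sha256:994b6fe49dd4331b32b0854055bff31b06db5eabdeafb32b2c0d55465b7ccf45 AS user-linux-guest-net
FROM stagex/user-linux-airgap@sha256:c8575c92aa63544ee92a820a97034fcc203abf2671c0e7e21d0c4e20daef8827 AS user-linux-airgap
FROM stagex/user-libimobiledevice-glue@sha256:3ce674285cbc04b694b7e400703868fcaac65401f2f2ca2aa2b720b3e0efee3c AS user-libimobiledevice-glue
FROM stagex/user-libimobiledevice@sha256:fcda68bdc397213fa76bd893472a304b093522aaac28e36f458275b93bb1af34 AS user-libimobiledevice
FROM stagex/user-libplist@sha256:2d776cb4eca3689a8bd6ac755a23f492850bf6c7b0c72e3525db6135e4d6e0bc AS user-libplist
FROM stagex/user-libusbmuxd@sha256:1e97f0a2ede0ee5fac9b056d0395e12b77c9f0bf550f9d0c20734ce0617eb51f AS user-libusbmuxd
FROM stagex/user-usbmuxd@sha256:90f687d2368328b76141badc382a21873a5b44d4ddccf851c017caf1e78af418 AS user-usbmuxd

# --- base: tools needed to assemble cpio/FAT/ISO images ---------------------
FROM scratch AS base
# ARG defaults need the `name=value` form. The original `ARG VERSION development`
# assigned no default, so an image built without --build-arg carried empty
# version and provenance fields instead of the visible "development"/"null".
ARG VERSION=development
ARG GIT_TIMESTAMP=null
ARG GIT_AUTHOR=null
ARG GIT_REF=null
ARG GIT_PUBKEY=null
COPY --from=core-busybox . /
COPY --from=core-musl . /
COPY --from=core-xz . /
COPY --from=user-xorriso . /
COPY --from=user-cpio . /
COPY --from=user-mtools . /
COPY --from=user-grub . /

# --- dev: base plus emulation tooling (qemu, swtpm, edk2, ...) ---------------
# No later stage copies from `dev`; it is only built when targeted explicitly.
FROM base AS dev
COPY --from=core-gcc . /
COPY --from=core-zlib . /
COPY --from=user-glib . /
COPY --from=user-alsa-lib . /
COPY --from=user-lzo . /
COPY --from=user-dtc . /
COPY --from=user-numactl . /
COPY --from=user-libaio . /
COPY --from=user-libseccomp . /
COPY --from=core-libffi . /
COPY --from=core-libzstd . /
COPY --from=user-libslirp . /
COPY --from=user-seabios . /
COPY --from=user-ipxe . /
COPY --from=user-qemu . /
COPY --from=user-canokey-qemu . /
COPY --from=user-swtpm . /
COPY --from=core-openssl . /
COPY --from=core-curl . /
COPY --from=user-libtpms . /
COPY --from=user-tpm2-tss . /
COPY --from=user-tpm2-tools . /
COPY --from=user-edk2 . /

# --- build-guest: guest kernel + initramfs packed into guest.img -------------
FROM base AS build-guest
COPY --from=user-linux-guest-net /bzImage iso/boot/vmlinuz
# Later COPY instructions overwrite files from earlier ones, so the order
# below decides which package wins on a path collision.
COPY --from=core-busybox . initramfs
COPY --from=user-eudev . initramfs
COPY --from=core-musl . initramfs
COPY --from=core-zlib . initramfs
COPY --from=core-openssl . initramfs
COPY --from=core-ca-certificates . initramfs
COPY --from=user-linux-guest-net . initramfs
COPY --from=user-linux-airgap . initramfs
COPY --from=user-libimobiledevice-glue . initramfs
COPY --from=user-libimobiledevice . initramfs
COPY --from=user-libplist . initramfs
COPY --from=user-libusb . initramfs
COPY --from=user-libusbmuxd . initramfs
COPY --from=user-usbmuxd . initramfs
COPY src/guest/rootfs/ initramfs
# Pack the guest initramfs deterministically: every mtime is set to epoch 0
# and the file list is sorted before cpio reads it, so the archive does not
# depend on build time or directory iteration order.
# NOTE(review): `set -eux` does not enable pipefail, so a failure in find,
# sort or cpio is masked by gzip's exit status and can leave a truncated
# initramfs. Consider `set -o pipefail` once confirmed that this image's
# /bin/sh supports it.
RUN <<-EOF
set -eux
cd initramfs
mkdir -p home/git
chmod 755 home
chown -R 1000:1000 home/git
find . -exec touch -hcd "@0" "{}" +
find . -print0 \
    | sort -z \
    | cpio \
        --null \
        --create \
        --verbose \
        --reproducible \
        --format=newc \
    | gzip --best \
    > ../iso/boot/initramfs
EOF
COPY src/guest/config/syslinux.cfg iso/boot/syslinux/
COPY --from=user-syslinux \
    /usr/share/syslinux/isohdpfx.bin \
    /usr/share/syslinux/isolinux.bin \
    /usr/share/syslinux/ldlinux.c32 \
    /usr/share/syslinux/libutil.c32 \
    /usr/share/syslinux/libcom32.c32 \
    /usr/share/syslinux/mboot.c32 \
    iso/boot/syslinux/
# Fixed timestamp source for tools that honour SOURCE_DATE_EPOCH.
ENV SOURCE_DATE_EPOCH=1
# Assemble the BIOS-bootable (isolinux) guest image. `-no-emul-boot` appears
# twice exactly as in the original argument list.
RUN <<-EOF
set -eux
find iso -exec touch -hcd "@0" "{}" +
xorrisofs \
    -output guest.img \
    -full-iso9660-filenames \
    -joliet \
    -rational-rock \
    -sysid LINUX \
    -volid "repros" \
    -isohybrid-mbr iso/boot/syslinux/isohdpfx.bin \
    -eltorito-boot boot/syslinux/isolinux.bin \
    -eltorito-catalog boot/syslinux/boot.cat \
    -no-emul-boot \
    -boot-load-size 4 \
    -boot-info-table \
    -no-emul-boot \
    -isohybrid-gpt-basdat \
    -follow-links \
    iso/
EOF

# --- build: host kernel + initramfs (embedding guest.img) into airgap.iso ----
FROM base AS build
COPY --from=user-linux-airgap /bzImage iso/boot/vmlinuz
COPY --from=build-guest /guest.img initramfs/
COPY --from=core-busybox . initramfs
COPY --from=user-eudev . initramfs
COPY --from=core-musl . initramfs
COPY --from=core-zlib . initramfs
COPY --from=user-npth . initramfs
COPY --from=user-libksba . initramfs
COPY --from=user-libgpg-error . initramfs
COPY --from=user-libassuan . initramfs
COPY --from=user-libgcrypt . initramfs
COPY --from=core-bash . initramfs
COPY --from=user-gpg . initramfs
COPY --from=user-jq . initramfs
COPY --from=user-yq . initramfs
COPY --from=core-bc . initramfs
COPY --from=user-flashtools . initramfs
COPY --from=core-curl . initramfs
COPY --from=user-tpm2-tools . initramfs
COPY --from=user-tpm2-tss . initramfs
COPY --from=core-openssl . initramfs
COPY --from=user-libusb . initramfs
COPY --from=user-ccid . initramfs
COPY --from=user-pcsc-lite . initramfs
COPY --from=user-pcsc-tools . initramfs
COPY --from=user-libqrencode . initramfs
COPY --from=core-gmp . initramfs
COPY --from=core-libunwind . initramfs
COPY --from=user-nettle . initramfs
COPY --from=user-opensc . initramfs
COPY --from=user-util-linux . initramfs
COPY --from=user-sops . initramfs
# Only the runtime libraries from the gcc image are copied, not the compiler.
COPY --from=core-gcc /usr/lib/. initramfs/usr/lib/
COPY --from=core-sqlite3 . initramfs
COPY --from=user-sdtool . initramfs
RUN chmod +x initramfs/usr/bin/sdtool
COPY --from=user-openpgp-card-tools . initramfs
COPY --from=user-sequoia-sq . initramfs
COPY --from=user-sequoia-sq-wot . initramfs
# NOTE(review): core-libzstd, user-libslirp and user-seabios are each copied
# twice in the run below. The repeats are kept as-is because COPY order
# decides overwrite precedence; confirm they are redundant before removing.
COPY --from=user-libslirp . initramfs
COPY --from=user-seabios . initramfs
COPY --from=user-ipxe . initramfs
COPY --from=user-glib . initramfs
COPY --from=user-numactl . initramfs
COPY --from=core-libzstd . initramfs
COPY --from=user-alsa-lib . initramfs
COPY --from=user-lzo . initramfs
COPY --from=user-dtc . initramfs
COPY --from=user-libaio . initramfs
COPY --from=user-libseccomp . initramfs
COPY --from=core-libffi . initramfs
COPY --from=core-libzstd . initramfs
COPY --from=user-libslirp . initramfs
COPY --from=user-seabios . initramfs
COPY --from=user-canokey-qemu . initramfs
COPY --from=user-qemu . initramfs
COPY --from=user-libzbar . initramfs
COPY --from=user-keyfork . initramfs
COPY --from=user-icepick . initramfs
COPY src/host/rootfs/ initramfs
# Bake version and provenance metadata into the image. The build-arg values
# are interpolated verbatim into `export NAME="..."` lines, so a value
# containing a double quote, `$` or a backtick would change what a shell
# reading this file evaluates; callers should pass plain strings only.
# NOTE(review): the ARGs are declared in `base`; confirm they are in scope
# in this child stage for the builder version in use.
COPY <<-EOF initramfs/etc/environment
export VERSION="$VERSION"
export GIT_TIMESTAMP="$GIT_TIMESTAMP"
export GIT_AUTHOR="$GIT_AUTHOR"
export GIT_REF="$GIT_REF"
export GIT_PUBKEY="$GIT_PUBKEY"
EOF
# Pack the host initramfs deterministically (epoch-0 mtimes, sorted file
# list). The pipefail caveat noted on the guest initramfs applies here too.
RUN <<-EOF
set -eux
cd initramfs
find . -exec touch -hcd "@0" "{}" +
find . -print0 \
    | sort -z \
    | cpio \
        --null \
        --create \
        --verbose \
        --reproducible \
        --format=newc \
    | gzip --best \
    > ../iso/boot/initramfs
EOF

## Grub (EFI Boot)
COPY src/host/config/grub.cfg iso/boot/grub/grub.cfg
COPY src/host/config/grub_early.cfg grub_early.cfg
# Build a standalone x86_64 EFI GRUB image and place it in a 1440 KiB FAT
# image (efi.img) with serial number 0 and epoch-0 timestamps.
RUN <<-EOF
set -eux
mkdir -p efi/boot
grub-mkimage \
    --config="grub_early.cfg" \
    --prefix="/boot/grub" \
    --output="efi/boot/bootx64.efi" \
    --format="x86_64-efi" \
    --compression="xz" \
    all_video \
    disk \
    part_gpt \
    part_msdos \
    linux \
    normal \
    configfile \
    search \
    search_label \
    efi_gop \
    fat \
    iso9660 \
    gzio \
    serial \
    terminal
find efi -exec touch -hcd "@0" "{}" +
mformat -i iso/boot/grub/efi.img -C -f 1440 -N 0 ::
mcopy -i iso/boot/grub/efi.img -ms efi ::
touch -md "@0" iso/boot/grub/efi.img
EOF

## Syslinux (BIOS Boot)
COPY src/host/config/syslinux.cfg iso/boot/syslinux/
COPY --from=user-syslinux \
    /usr/share/syslinux/isohdpfx.bin \
    /usr/share/syslinux/isolinux.bin \
    /usr/share/syslinux/ldlinux.c32 \
    /usr/share/syslinux/libutil.c32 \
    /usr/share/syslinux/libcom32.c32 \
    /usr/share/syslinux/mboot.c32 \
    iso/boot/syslinux/
# Fixed timestamp source for tools that honour SOURCE_DATE_EPOCH.
ENV SOURCE_DATE_EPOCH=1
# Assemble the hybrid ISO: isolinux for BIOS, efi.img as the alternate El
# Torito entry for EFI, plus an empty 10 MiB FAT volume labelled "user"
# appended as partition 3.
RUN <<-EOF
set -eux
dd if=/dev/zero bs=1M count=10 >> user.img
mformat -v user -i user.img -N 0 ::
find iso -exec touch -hcd "@0" "{}" +
xorrisofs \
    -output airgap.iso \
    -full-iso9660-filenames \
    -joliet \
    -rational-rock \
    -sysid LINUX \
    -volid "airgap" \
    -isohybrid-mbr iso/boot/syslinux/isohdpfx.bin \
    -eltorito-boot boot/syslinux/isolinux.bin \
    -eltorito-catalog boot/syslinux/boot.cat \
    -no-emul-boot \
    -boot-load-size 4 \
    -boot-info-table \
    -eltorito-alt-boot \
    -e boot/grub/efi.img \
    -no-emul-boot \
    -isohybrid-gpt-basdat \
    -follow-links \
    -append_partition 3 0xb user.img \
    iso/
EOF

## Minimal Autorun SD card image
COPY sdcard sdcard
# NOTE(review): unlike the efi.img and user.img steps, this mformat call
# passes no `-N 0`, the copied files' timestamps are not reset to epoch 0,
# and mcopy runs without `-m`. If sdcard.img is expected to be bit-for-bit
# reproducible like airgap.iso, confirm that it is.
RUN <<-EOF
set -eux
dd if=/dev/zero of=sdcard.img bs=1M count=32
mformat -v external -i sdcard.img ::
mcopy -i sdcard.img -s sdcard/* ::
EOF

# --- package: export only the finished artifacts ------------------------------
FROM scratch AS package
COPY --from=build /sdcard.img /
COPY --from=build /airgap.iso /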