radicale: initial commit

Merge branch 'ryansquared/use-stagex-bins' into drgrove/radicale
feat: add plan command
2025-07-13 20:01:05 -07:00 · 2025-07-13 12:59:04 -07:00 · 2025-05-12 13:29:35 -07:00 · 2025-05-12 10:26:21 -07:00 · 2025-05-09 18:00:04 -07:00 · 2025-05-07 07:54:51 -07:00
14 changed files with 434 additions and 16 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1 @@
 *
--- a/Containerfile.tools
+++ b/Containerfile.tools
@ -0,0 +1,45 @@
 # Tools used for managing the stagex stack
 FROM stagex/core-busybox@sha256:cac5d773db1c69b832d022c469ccf5f52daf223b91166e6866d42d6983a3b374 AS core-busybox
 FROM stagex/core-musl@sha256:d5f86324920cfc7fc34f0163502784b73161543ba0a312030a3ddff3ef8ab2f8 AS core-musl
 FROM stagex/core-ca-certificates@sha256:d6fca6c0080e8e5360cd85fc1c4bd3eab71ce626f40602e38488bfd61fd3e89d AS core-ca-certificates
 FROM stagex/core-zlib@sha256:b35b643642153b1620093cfe2963f5fa8e4d194fb2344a5786da5717018976c2 AS core-zlib
 FROM stagex/user-gpg@sha256:92946bb4143ecbd53999cd520fbcb958aecacbac7a85bd58a758be1b57086a9c AS user-gpg
 FROM stagex/user-npth@sha256:6ac9a90ca714ba01911c1f617553a5b23b96e9e37ec4a21e5ba132c4886a70e9 AS user-npth
 FROM stagex/user-libksba@sha256:c165fb5b7949473cb00b0fe59add90663346b33c6c682309ca0fcccdcf78d569 AS user-libksba
 FROM stagex/user-libgpg-error@sha256:6d7c09e3a7d055a6722910439c533f2babc8eda24b636bf4dfb2b29a3ed6327a AS user-libgpg-error
 FROM stagex/user-libassuan@sha256:dea35799659be7b85e523312c55621007b1918ff3590631155ecf2c699ca470f AS user-libassuan
 FROM stagex/user-libgcrypt@sha256:384f0e703afad6f8885ec77fb814ef182a08600a2032183d231fee5c048a7d2d AS user-libgcrypt
 FROM stagex/user-opentofu@sha256:b5053a5966f7ec06ea894db315c4990b73e8bee69798889de747e9a99c32b041 AS user-opentofu
 FROM stagex/user-sops@sha256:72b09ff439f422889af815f19a223b48b3b3fd0701d312a413069cbabcad7a12 AS user-sops
 FROM stagex/user-talosctl@sha256:23ff2d686a0c251db4f8a8f07e9b18c81c64eaa07da97de5a75fccbea3e595c4 AS user-talosctl
 FROM stagex/user-kubectl@sha256:6df028ecb71097c182276cad295f7a68a28f2c8d7fc82ea47fb22a451b11a4ff AS user-kubectl
 FROM stagex/user-kustomize@sha256:9886d6c855f763398a8bf52cd16e07f78cb8dab75396903645612e9cd4094cfa AS user-kustomize
 FROM stagex/user-kustomize-sops@sha256:25040e0adf7dc6806da9996a252dbf7f8f5bb4f0b9a9dd1835035eeaea3861d9 AS user-kustomize-sops
 FROM stagex/user-helm@sha256:e7d2e13db8483f5356b96337308edbd5a0e602cc76c4c5ea5ed730ae6d2b2dcc AS user-helm
 FROM stagex/user-k9s@sha256:eff325c4d000358b2f6ed0f63d61fcea8f98c081395437d0003e7429e0c334b4 AS user-k9s
 FROM scratch
 COPY --from=core-busybox . /
 COPY --from=core-musl . /
 COPY --from=core-ca-certificates . /
 COPY --from=core-zlib . /
 COPY --from=user-npth . /
 COPY --from=user-libksba . /
 COPY --from=user-libgpg-error . /
 COPY --from=user-libassuan . /
 COPY --from=user-libgcrypt . /
 COPY --from=user-gpg . /
 COPY --from=user-opentofu . /
 COPY --from=user-sops . /
 COPY --from=user-talosctl . /
 COPY --from=user-kubectl . /
 COPY --from=user-kustomize . /
 COPY --from=user-kustomize-sops . /
 COPY --from=user-sops . /
 COPY --from=user-helm . /
 COPY --from=user-k9s . /
 RUN mkdir -p /root/.gnupg
 RUN chmod 0700 /root/.gnupg
--- a/61
+++ b/61
@ -1,5 +1,5 @@
-include $(PWD)/src/toolchain/Makefile
+# If using QubesOS, the smart card must be connected directly to the qube,
-include $(PWD)/src/make/tools.mk
+# rather than using a 'vault' qube.
 BACKEND_TF := $(wildcard infra/backend/*.tf)
 MAIN_TF := $(wildcard infra/main/*.tf)
@ -24,25 +24,22 @@ default: \
 	tools \
 	apply
-.PHONY:
+.PHONY: clean
 clean:
 	rm -rf $(CACHE_DIR)
-.PHONY:
+.PHONY: update-tools
 update-tools:
 	./src/make/update.sh
 .PHONY: shell
 shell: out/tools-image.digest
 	$(call run-container, -v ./secrets:/secrets, $(shell cat $<), bin/sh)
 .PHONY: credentials
 credentials: \
 	$(CACHE_DIR)/secrets/credentials.tfvars
 .PHONY:
 shell: toolchain tools
 	$(call toolchain," \
 		HOST_OS=linux \
 		HOST_ARCH=x86_64 \
 		PREFIX=.local \
 		XDG_CONFIG_HOME=/home/build/.config \
 		make -f src/make/tools.mk tools-install \
 		&& PS1='build@distrust-stack\\$$ ' bash --norc \
 	",--interactive)
 $(KEY_DIR)/%.asc:
 	$(call fetch_pgp_key,$(basename $(notdir $@)))
@ -133,6 +130,40 @@ config/$(ENVIRONMENT).tfbackend: | \
 		-state $(ENVIRONMENT).tfstate \
 		'
 out/tools-image.digest: Containerfile.tools | out
 	docker build -f Containerfile.tools -q . > $@
 GPG_TTY ?= $(shell tty)
 define run-container
 	docker run -it $(1) \
 		-e GPG_TTY="$(GPG_TTY)" \
 		-v $(shell gpgconf --list-dirs agent-socket):/root/.gnupg/S.gpg-agent:ro \
 		-v $(shell gpgconf --list-dirs homedir):/root/.gnupg:rw \
 		$(2) \
 		$(3)
 endef
 .PHONY: plan
 plan: out/tools-image.digest
 	$(call run-container, \
 		-v $(PWD)/secrets:/secrets -v $(PWD)/infra:/infra, \
 		$(shell cat $<), \
 		sops exec-env /secrets/$(ENVIRONMENT).enc.env -- \
 		'tofu -chdir=/infra/main plan \
 			-var environment=$(ENVIRONMENT) \
 			-var namespace=$(ENVIRONMENT) \
 			-var region=$(REGION)' \
 	)
 .PHONY: new-apply
 new-apply: out/tools-image.digest 
 	$(call run-container,'\
 		echo $$GPG_AGENT_INFO; \
 		ls -l /S.gpg-agent; \
 		gpg --verbose --list-keys \
 	')
 .PHONY:
 apply: \
 	$(TERRAFORM) \
--- a/infra/main/main.tf
+++ b/infra/main/main.tf
@ -125,7 +125,10 @@ locals {
 # `jq .database_users.value.forgejo | sops --encrypt`
 output "database_users" {
  value = {
-    for db_user in concat(module.digitalocean_database_cluster.database_users, module.digitalocean_mysql_database_cluster.database_users):
+    for db_user in concat(
      values(module.digitalocean_database_cluster.database_users),
      values(module.digitalocean_mysql_database_cluster.database_users),
    ):
    db_user.name => {
      apiVersion = "v1",
      kind = "Secret",
--- a/kustomizations/radicale/README.md
+++ b/kustomizations/radicale/README.md
@ -0,0 +1,13 @@
 # Radicale
 ## Creating an account
 Currently to create a radicale account you will need to generate and hash a password with `htpasswd` and `bcrypt`.
 You can generate your password using a password manager or `openssl` with at least 32 characters.
 ```sh
 htpasswd -Bn <user>@distrust.co
 ```
 You will then need to add the output to users.enc.yaml which is encrypted with SOPS
--- a/kustomizations/radicale/files/config
+++ b/kustomizations/radicale/files/config
@ -0,0 +1,13 @@
 [server]
 hosts = 0.0.0.0:5232
 [auth]
 type = htpasswd
 htpasswd_filename = /config/user
 htpasswd_encryption = bcrypt
 [rights]
 type = owner_only
 [storage]
 filesystem_folder = /var/lib/radicale/collections
--- a/kustomizations/radicale/ingress.yaml
+++ b/kustomizations/radicale/ingress.yaml
@ -0,0 +1,28 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: radicale-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    cert-manager.io/cluster-issuer: letsencrypt
    external-dns.alpha.kubernetes.io/hostname: radicale.distrust.co
    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
    nginx.ingress.kubernetes.io/proxy-buffers-number: "8"
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - radicale.distrust.co
    secretName: radicale-tls
  rules:
  - host: radicale.distrust.co
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: radicale
            port:
              number: 5232
--- a/kustomizations/radicale/kustomization.yaml
+++ b/kustomizations/radicale/kustomization.yaml
@ -0,0 +1,21 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 labels:
  - pairs:
      app.kubernetes.io/name: radicale
    includeSelectors: true
 resources:
 - ./statefulset.yaml
 - ./service.yaml
 - ./serviceaccount.yaml
 - ./ingress.yaml
 enerators:
 - secret-generator.yaml
 configMapGenerator:
  - name: radicale
    files:
      - config=files/config
 images:
  - name: radicale
    newName: drgrovellc/radicale
    digest: sha256:055e686577ec543b33ff905b09f798a3a178393c14799a85867d86519a8d0a35
--- a/kustomizations/radicale/secret-generator.yaml
+++ b/kustomizations/radicale/secret-generator.yaml
@ -0,0 +1,6 @@
 apiVersion: viaduct.ai/v1
 kind: ksops
 metadata:
  name: radicale-secrets
 files:
  - ./users.enc.yaml
--- a/kustomizations/radicale/service.yaml
+++ b/kustomizations/radicale/service.yaml
@ -0,0 +1,11 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: radicale
 spec:
  type: ClusterIP
  ports:
    - port: 5232
      targetPort: http
      protocol: TCP
      name: http
--- a/kustomizations/radicale/serviceaccount.yaml
+++ b/kustomizations/radicale/serviceaccount.yaml
@ -0,0 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: radicale
 automountServiceAccountToken: true
--- a/kustomizations/radicale/statefulset.yaml
+++ b/kustomizations/radicale/statefulset.yaml
@ -0,0 +1,69 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: radicale
 spec:
  template:
    spec:
      serviceAccountName: radicale
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000
      containers:
        - name: radicale
          image: radicale
          env:
            - name: RADICALE_CONFIG
              value: /config/config
          ports:
            - name: http
              containerPort: 5232
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /
              port: http
          readinessProbe:
            httpGet:
              path: /
              port: http
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            seccompProfile:
              type: "RuntimeDefault"
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: config
              mountPath: /config/config
              subPath: config
            - name: user
              mountPath: /config/user
              subPath: users
            - name: radicale
              mountPath: /var/lib/radicale
      volumes:
        - name: config
          configMap:
            name: radicale
            items:
              - key: config
                path: config
        - name: user
          secret:
            optional: true
            secretName: radicale-users
            items:
              - key: users
                path: users
  volumeClaimTemplates:
    - metadata:
        name: radicale
      spec:
        accessModes: [ "ReadWriteOnce" ]
        resources:
          requests:
            storage: 5Gi
--- a/kustomizations/radicale/users.enc.yaml
+++ b/kustomizations/radicale/users.enc.yaml
@ -0,0 +1,103 @@
 data: ENC[AES256_GCM,data:6uHlO1HW3qJXmwoCkAtvlmVj10NTSzblkYrgT6+OjcY64b7+AAZZtefwNjXvTQ8fDXbbrGAK2SK5Rlbcy08W6Rl/JDKAiomSqmrSfXpszEdumkdciODm2wOosTC6EjRudPpnfliqowisAszNTanH7mocsOClqww6XVAMmtzHKbjzYUeg4Iyz5MOCIrtNHxiA/Eb0UGvtGhbuqgci/zSly6bvzV2eMZl9XtDn1fhKM5IMqFwt5OpSIfOG,iv:Ew42raYQoumx9KQWzlLnBf/75RdwbBXKnoSfEVA38y8=,tag:lRDMH+eRGhfKAQNEsI6HFg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2025-07-13T19:45:29Z"
    mac: ENC[AES256_GCM,data:6MBapMxTVHBUxGFZdoS8pc682CAzqH49s/m/gl1n94tUc5S3x7YLcB29Ebmj4g5yLCqWLmc7bYbvlfviNrE8WZAKVEQhWd16J4Sl91q2JUmlRDyMJjHzxZEEZaZ7Wc1fgVsbJw0kRTxYGSg+J5rreirYl0IllVh/yFNmy+36yIk=,iv:Bk2EkF4BwJM4oBebOeiUzKExvthvEsLhUdR6iLsEDlk=,tag:+6Skc/pm8t+lXwacO5vG/w==,type:str]
    pgp:
        - created_at: "2025-07-13T06:51:55Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA82rPM2mSf/aARAAjtuwpAk5OCIRUXTwig8V+Md3mzZ5B/mXaEipSL+bz8aK
            Nro9p82GsnMIgHS7qpMwcc53NSNL0wmju3tcB/TaFsRVot1QTcIraPP2saDx02Mm
            wKg0pcqDk55X+htHY1iYZS9JO1bVz7EmJjPsfcEdvBm2JNCjZeNToy7mnjFWBBlu
            OqX0V2qrWcm3lG2HMBUGOHQ8o3iC7OWBTIKSDMx8dJb7L4NlB3LxtfsibmsrvOk1
            AtUXKf6DjjRcRV3LiVFFhswPfbUx9uYrNLQM3g2J5jxyoWHVCLdVqsBGe03zxmlA
            iAglRbYNbhayoWH/1j/10VbtEuRSURKtCPWysaOr+u/UOWpbRi0S3WTkx2E603wC
            k2msofhS8iQv8Dp2Y5zcdFvLnWpCzdXFWPedLE08fKKHkht40Pdh8rq09Y8eepAT
            HUvuaJSfG1/RZX3IRoyHTyFmVrRF1ZEPDxcMKD8Kx3Vn7dfXVO3Bxx7dBTyY4UzO
            Vzx8KJBulCib2jDY0CqBNL50Kgy935rHhBRUlx4MBxhSKnkKHIiXYalINZUxHUxn
            YzztQbxLnOgb94z2dEPEu6xxgSLC40XNY65SzwtEKHkR7QNkyRqm1VXbT6tEpYRg
            VgDKZgBWLQ68G+DDkDbUCkGy4w3umMSfuX8rlNEUG9C0Kk5CXffyKqA8J3+T97bS
            XAGZYbFMTTgpa1Z/vnmAfsr/CUvAUflkgtvJH7wxXVL41a/12IQ/kx1mxMxh3JjS
            0R2phlMwSy5ct1scgJQZIc+fvgjMthNl1b5XqnWE0eRwVduKpi3/uzCZhzXd
            =tMGM
            -----END PGP MESSAGE-----
          fp: 6B61ECD76088748C70590D55E90A401336C8AAA9
        - created_at: "2025-07-13T06:51:55Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMAw95Vf08z8oUARAAzSCXQxhGwwO1cQjgpy539UqhS/3SDqB2c2fAm8rvKMEq
            E8dtU5/Oc5FRhRRWEIP9XeDJlPz9rDn4E3KYa0ZYNUchl75ItHID6oBg3OOSZmIN
            ciVaffQXyRa6pRCjeaQU9VZY67FBbCueBbCe/mYyGZQMfHg4Y2asOIr3qOgYIgnC
            sAZoG2NT+9deabzLY8irLTAM5IMbO59ulM0H7j0IdTLB9D7u+fU7EMg9jQb/J9ha
            IITSh7jGhpNbtJ0neRyUnX26r50JeLY4b1UCAd1HjA5Rycgrx1rXoZbmGB4dFZ0V
            ZiIaGBe/8BF5GGXkHJgO/Y5g+jfpmO6HYV5NrCB049nd82YowK9LkgMNp3V1vPn6
            5RxWsVSV29CyplO6rEq9lH2VHB1HLkboOomklVDyG9mo+jbY3TL/Ak4nWfx+96rV
            JSyAadEtC+HcXN5ECDO+F7uAEDi0isdWF97xgARvjyDezEEyxTA8xWsIpL8LRWjZ
            IBlihxlpyQJ13WSFP6tAp60wO83LLJiC9rvuIBmrCUwKb+LtxUqrWtZnZ8yIsCXk
            V1xqGixSigR3RJvbSzICKdMDuhs+cghiurTkKNE2QG9+NQeees2DUIqURjRM//Av
            6hEJxjH/bJ2JlA1/YIkYkMxc9WpKRXmitVaHpkoFumphVIfA4CbQZo/Nv2LbatDS
            XAHAUl75H53Hf3awGph4kOoykimetr8i14bVM0Kr/jdAxcvJkanScej2huzTHzQK
            ywl3clswBKzhfCBFejdhrrZoKsT1h7Mf23FEwhwP4aMcVZe+iSqoifWXKRM5
            =jFLv
            -----END PGP MESSAGE-----
          fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72
        - created_at: "2025-07-13T06:51:55Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hF4Dr/MjkOzuuRESAQdAEpot/CyllATM3Ycyb5dvalqAbJBHskFKLR7nbFc6Z2kw
            R2XDTbHQ51WSv7teBei+gA9elRjrsx5RfUSh/mC/WrOZvnn4NyHf6cDkjtd3EO1I
            0lwBT732FGcKQEE7CZXoc/AwtCd66OYqwdYiiMm29LuVcW71UlrGkLFPyqQ+y2jb
            Fl00rVXjHLLXFzcEfZf5+JFoPv3JM+h8nXQZEkpKI6Ykw9ZcxagoZyyySYdqtw==
            =ZP5M
            -----END PGP MESSAGE-----
          fp: 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA
        - created_at: "2025-07-13T06:51:55Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA5Wf+FyJ+zFJAQ/7BIqCa7lsEE4tyhxoiA6DBO9/+xP4LlA/CPPCu4zWLb2T
            zy0axtIWtdSAWecWXm0vQ9B+YB0Jbhb69Qj1mrjCgGyM8ckduBxvYlT1qbGREJCW
            CtFqiAvWcDAsKZ3BOxA4GsqU4aGK9KMOZCcFGQx9Bg8CFpOx7gbMFb+VkziA/Dgx
            FGvBmNvtqqdqV7yViUxvYAwb7Buik8e77FCyBc5fxdjGU34/x7AD0jPJcN3Ac0n0
            zqGBaM9ivs3G2R4rq2JVfWOdj/qmrH/P0CWDN8cOB7H37+IpvIjs80RIjguB4OFo
            HxJFviuQ9LGpw8IKj2161iSccuAwhOpHdOLS8C6yzw7SJZncwCDeLlQWVhJb99ae
            Tq23m68KYTkpM6cIT5iG4k/grgkKvqk82YNkMCktPBwsEQ/wxOH9ZQ9Ry1LRtmIF
            BUH33sASnt3A3IAavYQucAcOkYsQJFlaLbeVoVS8J7nXA6xRzv9qaJeeulVIaBpc
            fwSP6mI8mscrSp24F14EcP3n5W6Gr68oEw2qdUi3CFLtr+Ih8T2REWzOJYDIArCM
            cY/tS1WVDDikmzS9aNcEt0okPz6HNaKu7qONby3L9XxSDxZYg4tmV/ZiWIZuvVwL
            6iipL+wYMYk3ot066ewoLqOeZcZH/04P9QgoNwnUaSqsfaIQfPJZCngyCEKdYNXS
            XAGIFLlG48rAKmE7OYuOFQeuwgNpdFb07kaWw64NKTRxTkw0hZjm87CHfdZ3CPnX
            Jp04LP46X74s+SiWmfHM5W21Ub68Li4l135DA3CKiOn+Sq04Q5xh0giSZWHG
            =ikQP
            -----END PGP MESSAGE-----
          fp: F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D
        - created_at: "2025-07-13T06:51:55Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA8KRInHl7Vz+AQ//blhfF6tdUKH+4HWC2p0hhCBwzZ/eGcDBvk66N4Yvo7w5
            k38fd/kI0EqKecagLNlScnS8mRwhjAaKwUGUjyWYQ5CkVEtb+SG2fAnEU57ju3xV
            ei5P1lBfkcKPR5uSC9vXO/oCg7XHN9fAi67yh1paBhN7azjplm8BGunhFD7PzULO
            b+g9xa1ueC2c4UpLd4rf55Us10tFJ/Id3QK5FhbB1L+Mae+Wjs0sxRN2qPmkiAvu
            ilaPw7PfnztNs3bj6/pzyH1EdaeRIiZzoC+0e9LiA6bBkj4tSfAWEHH84uFYDv98
            gfSe5Lp5DEpoZSy2ecx3XOtCPSKGv8FfeVfwb4EZ/EyYRJDEkOAkEDPIlQs9agy0
            FYOiovwAjVAU2Y/IC5q0lVH4WQZGY/k+EVeu9ZAMHkZ1/TDIxva/WsMM91ja5uWC
            LMRUXJ1TO/LjNI1T9XI20bKkl2WOj0Y/1YVOoJAxTbnkXzsn1xU7Qe7DiehYKl+d
            OE+dNjN/D4DR5NmEfTPmsNEX6Z3sK1GyEOxw19/JM3QHIdjoKw3a15hQjxmM/ksH
            KNEu0YQ/l7CDDnVT7MLDpjx1luoMQ9eW3I3hMAZgxkjkmTk2xeNYTAvDLFmKk2D8
            7MFogZB2o2giaBgFgWB+9KCgzipHSlnIQd//BSvwtL1/GFILSPzLEfOWAXv2zE7S
            XAHdCNhyj7n7zQDwDb5V84QxbUne/D22RY4NpJybMfrXuKW9n2fOD4wxiWZnl6hD
            ieC1qFcETi20i2LzC2M3uJAz/LHVpyLaNNaaIDMZF3gme1yKe3/u46z1WJhX
            =LEyb
            -----END PGP MESSAGE-----
          fp: C92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/src/make/update.sh
+++ b/src/make/update.sh
@ -0,0 +1,69 @@
 #!/bin/sh
 TARGET="Containerfile.tools"
 SOURCE="https://codeberg.org/stagex/stagex/raw/branch/main/digests"
 STAGES="core user pallet bootstrap"
 TMPFILE="$(mktemp)"
 DIGESTS_TMP="$(mktemp)"
 for stage in $STAGES; do
    curl -fsSL "$SOURCE/$stage.txt" | while read -r digest name; do
        echo "$name $digest" >> "$DIGESTS_TMP"
    done
 done
 while IFS= read -r line; do
    case "$line" in
        FROM*stagex/*)
            full_image="$(printf '%s' "$line" | awk '{print $2}')"
            base="${full_image%@sha256:*}"
            prefix="${base%%stagex/*}"
            registry="${prefix%/}"
            path="stagex/${base#*stagex/}"
            rest="${path#stagex/}"
            if echo "$rest" | grep -q ':'; then
                name="${rest%%:*}"
                tag="${rest#*:}"
            else
                name="$rest"
                tag=""
            fi
            digest="$(awk -v n="$name" '$1==n{print $2; exit}' "$DIGESTS_TMP")"
            if [ -z "$digest" ]; then
                for stage in $STAGES; do
                    staged_name="$stage-$name"
                    digest="$(awk -v n="$staged_name" '$1==n{print $2; exit}' "$DIGESTS_TMP")"
                    if [ -n "$digest" ]; then
                        name="$staged_name"
                        break
                    fi
                done
            fi
            if [ -n "$digest" ]; then
                if [ -n "$registry" ]; then
                    image_ref="$registry/stagex/$name"
                else
                    image_ref="stagex/$name"
                fi
                if [ -n "$tag" ]; then
                    image_ref="$image_ref:$tag"
                fi
                echo "FROM $image_ref@sha256:$digest AS $name" >> "$TMPFILE"
            else
                echo "$line" >> "$TMPFILE"
            fi
            ;;
        *)
            echo "$line" >> "$TMPFILE"
            ;;
    esac
 done < "$TARGET"
 mv "$TMPFILE" "$TARGET"
 rm -f "$DIGESTS_TMP"
Author	SHA1	Message	Date
Danny Grove	0d812dc3a7	radicale: initial commit	2025-07-13 20:01:05 -07:00
Danny Grove	fe05f13179	Merge branch 'ryansquared/use-stagex-bins' into drgrove/radicale	2025-07-13 12:59:04 -07:00
Anton Livaja	32697576a0	feat: add plan command	2025-05-12 13:29:35 -07:00
Anton Livaja	b71f711b3f	feat: use digest to keep track of state of tools image	2025-05-12 10:26:21 -07:00
Anton Livaja	e757eb9363	fix: gpg socket agent path	2025-05-09 18:00:04 -07:00
Anton Livaja	6c95084aa2	feat: add k9s	2025-05-07 07:54:51 -07:00
Anton Livaja	e899a0c11f	feat: update make shell command	2025-05-07 07:45:56 -07:00
Anton Livaja	46c9dbfa8e	feat: update tools container deps and add update script	2025-05-06 18:52:58 -07:00
Ryan Heywood	6f75bb991e	fix issue with concat'ing objects	2025-04-02 17:28:45 -04:00
Ryan Heywood	016dc52f8e	begin transition to stagex	2025-04-02 16:59:29 -04:00