|
| 1 | +# SPDX-License-Identifier: PMPL-1.0-or-later |
| 2 | +# stapeln.toml — Layer-based container build for k9-rs |
| 3 | +# |
| 4 | +# stapeln builds containers as composable layers (German: "to stack"). |
| 5 | +# Each layer is independently cacheable, verifiable, and signable. |
| 6 | + |
| 7 | +[metadata] |
| 8 | +name = "k9-rs" |
| 9 | +version = "0.1.0" |
| 10 | +description = "k9-rs container service" |
| 11 | +author = "Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>" |
| 12 | +license = "PMPL-1.0-or-later" |
| 13 | +registry = "ghcr.io/hyperpolymath" |
| 14 | + |
| 15 | +[build] |
| 16 | +containerfile = "Containerfile" |
| 17 | +context = "." |
| 18 | +runtime = "podman" |
| 19 | + |
| 20 | +# ── Layer Definitions ────────────────────────────────────────── |
| 21 | + |
| 22 | +[layers.base] |
| 23 | +description = "Chainguard Wolfi minimal base" |
| 24 | +from = "cgr.dev/chainguard/wolfi-base:latest" |
| 25 | +cache = true |
| 26 | +verify = true |
| 27 | + |
| 28 | +[layers.toolchain] |
| 29 | +description = "Build tools" |
| 30 | +extends = "base" |
| 31 | +packages = [] |
| 32 | +cache = true |
| 33 | + |
| 34 | +[layers.build] |
| 35 | +description = "k9-rs build" |
| 36 | +extends = "toolchain" |
| 37 | +commands = [] |
| 38 | + |
| 39 | +[layers.runtime] |
| 40 | +description = "Minimal runtime" |
| 41 | +from = "cgr.dev/chainguard/wolfi-base:latest" |
| 42 | +packages = ["ca-certificates", "curl"] |
| 43 | +copy-from = [ |
| 44 | + { layer = "build", src = "/app/", dst = "/app/" }, |
| 45 | +] |
| 46 | +entrypoint = ["/app/k9-rs"] |
| 47 | +user = "nonroot" |
| 48 | + |
| 49 | +# ── Security ─────────────────────────────────────────────────── |
| 50 | + |
| 51 | +[security] |
| 52 | +non-root = true |
| 53 | +read-only-root = false |
| 54 | +no-new-privileges = true |
| 55 | +cap-drop = ["ALL"] |
| 56 | +seccomp-profile = "default" |
| 57 | + |
| 58 | +[security.signing] |
| 59 | +algorithm = "ML-DSA-87" |
| 60 | +provider = "cerro-torre" |
| 61 | + |
| 62 | +[security.sbom] |
| 63 | +format = "spdx-json" |
| 64 | +output = "sbom.spdx.json" |
| 65 | +include-deps = true |
| 66 | + |
| 67 | +# ── Verification ─────────────────────────────────────────────── |
| 68 | + |
| 69 | +[verify] |
| 70 | +vordr = true |
| 71 | +svalinn = true |
| 72 | +scan-on-build = true |
| 73 | +fail-on = ["critical", "high"] |
| 74 | + |
| 75 | +# ── Targets ──────────────────────────────────────────────────── |
| 76 | + |
| 77 | +[targets.development] |
| 78 | +layers = ["base", "chainguard-toolchain", "build"] |
| 79 | +env = { LOG_LEVEL = "debug" } |
| 80 | + |
| 81 | +[targets.production] |
| 82 | +layers = ["runtime"] |
| 83 | +env = { LOG_LEVEL = "info" } |
| 84 | + |
| 85 | +[targets.test] |
| 86 | +layers = ["base", "chainguard-toolchain", "build"] |
| 87 | +env = { LOG_LEVEL = "debug" } |
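Review bot: Both `from` lines (file lines 24 and 41) pull `cgr.dev/chainguard/wolfi-base:latest`, a mutable tag, so `verify = true` on the base layer and the ML-DSA-87 signing configured under `[security.signing]` attest to whatever `latest` resolved to at build time rather than to a fixed input; pin both references to an immutable `@sha256:` digest (or at least a specific version tag) and add `verify = true` to `[layers.runtime]`, which currently has no `verify` key even though it is the layer that ships to production. The `development` and `test` targets (file lines 78 and 86) list a layer named `chainguard-toolchain` that is never defined — the only toolchain layer is `[layers.toolchain]` at line 28 — so unless stapeln resolves that name elsewhere these targets will fail to build; the fix is `layers = ["base", "toolchain", "build"]` in both, or renaming the layer. Separately, `read-only-root = false` under `[security]` weakens the otherwise tight `cap-drop = ["ALL"]` / `no-new-privileges = true` posture; if `/app/k9-rs` does not need a writable root, set it to `true` and mount a tmpfs for any scratch path, and reconsider whether `curl` belongs in the runtime `packages` list, since it adds an outbound-capable binary to an image that is meant to be minimal.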