bastion/stack/Dockerfile

# Stage 1: Build TypeScript
FROM node:22-alpine AS builder

RUN corepack enable && corepack prepare pnpm@9.15.0 --activate

WORKDIR /app

# Copy workspace config and package manifests
COPY pnpm-workspace.yaml pnpm-lock.yaml package.json tsconfig.base.json tsconfig.json ./
COPY src/shared/package.json src/shared/tsconfig.json src/shared/
COPY src/bastion/package.json src/bastion/tsconfig.json src/bastion/
COPY src/cli/package.json src/cli/tsconfig.json src/cli/

# Install all dependencies
RUN pnpm install --frozen-lockfile

# Copy source code
COPY src/shared/src/ src/shared/src/
COPY src/bastion/src/ src/bastion/src/
COPY src/cli/src/ src/cli/src/

# Build TypeScript
RUN pnpm build

# Stage 2: Production runtime
FROM fedora:43

# Install system dependencies
RUN dnf install -y \
    dnsmasq \
    ipxe-bootimgs-x86 \
    ipxe-bootimgs-aarch64 \
    curl \
    openssh-clients \
    nodejs \
    npm \
    && dnf clean all

# Install pnpm
RUN npm install -g pnpm@9

# Create app directory
WORKDIR /app

# Copy workspace config, manifests, and lockfile
COPY pnpm-workspace.yaml pnpm-lock.yaml package.json ./
COPY src/shared/package.json src/shared/
COPY src/bastion/package.json src/bastion/
COPY src/cli/package.json src/cli/

# Install production dependencies
RUN pnpm install --frozen-lockfile --prod 2>/dev/null || pnpm install --prod

# Copy built output from builder
COPY --from=builder /app/src/shared/dist/ src/shared/dist/
COPY --from=builder /app/src/bastion/dist/ src/bastion/dist/
COPY --from=builder /app/src/cli/dist/ src/cli/dist/

# Create data directories
RUN mkdir -p /data/state /data/tftp /data/http

ENV BASTION_DIR=/data
ENV HTTP_PORT=8080

EXPOSE 8080/tcp
EXPOSE 67/udp
EXPOSE 69/udp
EXPOSE 4011/udp

ENTRYPOINT ["node", "src/cli/dist/index.js", "init", "bastion", "standalone", "start"]
feat: ESLint, shell completions, Docker, nfpm packaging, CI/CD - ESLint with typescript-eslint + prettier (eslint.config.js) - Shell completions for bash and fish (scripts/generate-completions.ts) - Multi-stage Dockerfile for bastion (fedora:43 + dnsmasq + node) - nfpm.yaml for RPM/DEB packaging with bun-compiled binary - Build scripts: build-rpm.sh, build-bastion.sh, publish-rpm/deb.sh - Gitea Actions CI/CD: lint, typecheck, test, build, publish Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-17 21:51:01 +00:00			`# Stage 1: Build TypeScript`
			`FROM node:22-alpine AS builder`

			`RUN corepack enable && corepack prepare pnpm@9.15.0 --activate`

			`WORKDIR /app`

			`# Copy workspace config and package manifests`
			`COPY pnpm-workspace.yaml pnpm-lock.yaml package.json tsconfig.base.json tsconfig.json ./`
			`COPY src/shared/package.json src/shared/tsconfig.json src/shared/`
			`COPY src/bastion/package.json src/bastion/tsconfig.json src/bastion/`
			`COPY src/cli/package.json src/cli/tsconfig.json src/cli/`

			`# Install all dependencies`
			`RUN pnpm install --frozen-lockfile`

			`# Copy source code`
			`COPY src/shared/src/ src/shared/src/`
			`COPY src/bastion/src/ src/bastion/src/`
			`COPY src/cli/src/ src/cli/src/`

			`# Build TypeScript`
			`RUN pnpm build`

			`# Stage 2: Production runtime`
feat: TypeScript bastion rewrite (initial scaffold) Full rewrite of the bash bastion.sh into a TypeScript application: - Fastify HTTP server with typed routes (dispatch, kickstart, API) - Commander CLI (serve, install, list, reprovision) - Kickstart templates as TypeScript template literals (no more heredoc hell) - dnsmasq management via execa subprocess - Merged machine list view (hardware + install info in one table) - Containerized via podman-compose (Dockerfile + docker-compose.yml) - All partition logic preserved (LVM, reprovision detection, role-based) Not yet tested end-to-end — needs VM validation before replacing bash version. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-17 02:55:52 +00:00			`FROM fedora:43`

			`# Install system dependencies`
			`RUN dnf install -y \`
			`dnsmasq \`
			`ipxe-bootimgs-x86 \`
			`ipxe-bootimgs-aarch64 \`
			`curl \`
			`openssh-clients \`
feat: ESLint, shell completions, Docker, nfpm packaging, CI/CD - ESLint with typescript-eslint + prettier (eslint.config.js) - Shell completions for bash and fish (scripts/generate-completions.ts) - Multi-stage Dockerfile for bastion (fedora:43 + dnsmasq + node) - nfpm.yaml for RPM/DEB packaging with bun-compiled binary - Build scripts: build-rpm.sh, build-bastion.sh, publish-rpm/deb.sh - Gitea Actions CI/CD: lint, typecheck, test, build, publish Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-17 21:51:01 +00:00			`nodejs \`
			`npm \`
feat: TypeScript bastion rewrite (initial scaffold) Full rewrite of the bash bastion.sh into a TypeScript application: - Fastify HTTP server with typed routes (dispatch, kickstart, API) - Commander CLI (serve, install, list, reprovision) - Kickstart templates as TypeScript template literals (no more heredoc hell) - dnsmasq management via execa subprocess - Merged machine list view (hardware + install info in one table) - Containerized via podman-compose (Dockerfile + docker-compose.yml) - All partition logic preserved (LVM, reprovision detection, role-based) Not yet tested end-to-end — needs VM validation before replacing bash version. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-17 02:55:52 +00:00			`&& dnf clean all`

feat: ESLint, shell completions, Docker, nfpm packaging, CI/CD - ESLint with typescript-eslint + prettier (eslint.config.js) - Shell completions for bash and fish (scripts/generate-completions.ts) - Multi-stage Dockerfile for bastion (fedora:43 + dnsmasq + node) - nfpm.yaml for RPM/DEB packaging with bun-compiled binary - Build scripts: build-rpm.sh, build-bastion.sh, publish-rpm/deb.sh - Gitea Actions CI/CD: lint, typecheck, test, build, publish Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-17 21:51:01 +00:00			`# Install pnpm`
feat: TypeScript bastion rewrite (initial scaffold) Full rewrite of the bash bastion.sh into a TypeScript application: - Fastify HTTP server with typed routes (dispatch, kickstart, API) - Commander CLI (serve, install, list, reprovision) - Kickstart templates as TypeScript template literals (no more heredoc hell) - dnsmasq management via execa subprocess - Merged machine list view (hardware + install info in one table) - Containerized via podman-compose (Dockerfile + docker-compose.yml) - All partition logic preserved (LVM, reprovision detection, role-based) Not yet tested end-to-end — needs VM validation before replacing bash version. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-17 02:55:52 +00:00			`RUN npm install -g pnpm@9`

			`# Create app directory`
			`WORKDIR /app`

feat: ESLint, shell completions, Docker, nfpm packaging, CI/CD - ESLint with typescript-eslint + prettier (eslint.config.js) - Shell completions for bash and fish (scripts/generate-completions.ts) - Multi-stage Dockerfile for bastion (fedora:43 + dnsmasq + node) - nfpm.yaml for RPM/DEB packaging with bun-compiled binary - Build scripts: build-rpm.sh, build-bastion.sh, publish-rpm/deb.sh - Gitea Actions CI/CD: lint, typecheck, test, build, publish Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-17 21:51:01 +00:00			`# Copy workspace config, manifests, and lockfile`
			`COPY pnpm-workspace.yaml pnpm-lock.yaml package.json ./`
			`COPY src/shared/package.json src/shared/`
			`COPY src/bastion/package.json src/bastion/`
			`COPY src/cli/package.json src/cli/`

			`# Install production dependencies`
			`RUN pnpm install --frozen-lockfile --prod 2>/dev/null \|\| pnpm install --prod`
feat: TypeScript bastion rewrite (initial scaffold) Full rewrite of the bash bastion.sh into a TypeScript application: - Fastify HTTP server with typed routes (dispatch, kickstart, API) - Commander CLI (serve, install, list, reprovision) - Kickstart templates as TypeScript template literals (no more heredoc hell) - dnsmasq management via execa subprocess - Merged machine list view (hardware + install info in one table) - Containerized via podman-compose (Dockerfile + docker-compose.yml) - All partition logic preserved (LVM, reprovision detection, role-based) Not yet tested end-to-end — needs VM validation before replacing bash version. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-17 02:55:52 +00:00
feat: ESLint, shell completions, Docker, nfpm packaging, CI/CD - ESLint with typescript-eslint + prettier (eslint.config.js) - Shell completions for bash and fish (scripts/generate-completions.ts) - Multi-stage Dockerfile for bastion (fedora:43 + dnsmasq + node) - nfpm.yaml for RPM/DEB packaging with bun-compiled binary - Build scripts: build-rpm.sh, build-bastion.sh, publish-rpm/deb.sh - Gitea Actions CI/CD: lint, typecheck, test, build, publish Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-17 21:51:01 +00:00			`# Copy built output from builder`
			`COPY --from=builder /app/src/shared/dist/ src/shared/dist/`
			`COPY --from=builder /app/src/bastion/dist/ src/bastion/dist/`
			`COPY --from=builder /app/src/cli/dist/ src/cli/dist/`
feat: TypeScript bastion rewrite (initial scaffold) Full rewrite of the bash bastion.sh into a TypeScript application: - Fastify HTTP server with typed routes (dispatch, kickstart, API) - Commander CLI (serve, install, list, reprovision) - Kickstart templates as TypeScript template literals (no more heredoc hell) - dnsmasq management via execa subprocess - Merged machine list view (hardware + install info in one table) - Containerized via podman-compose (Dockerfile + docker-compose.yml) - All partition logic preserved (LVM, reprovision detection, role-based) Not yet tested end-to-end — needs VM validation before replacing bash version. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-17 02:55:52 +00:00
			`# Create data directories`
			`RUN mkdir -p /data/state /data/tftp /data/http`

			`ENV BASTION_DIR=/data`
			`ENV HTTP_PORT=8080`

			`EXPOSE 8080/tcp`
			`EXPOSE 67/udp`
			`EXPOSE 69/udp`
			`EXPOSE 4011/udp`

feat: ESLint, shell completions, Docker, nfpm packaging, CI/CD - ESLint with typescript-eslint + prettier (eslint.config.js) - Shell completions for bash and fish (scripts/generate-completions.ts) - Multi-stage Dockerfile for bastion (fedora:43 + dnsmasq + node) - nfpm.yaml for RPM/DEB packaging with bun-compiled binary - Build scripts: build-rpm.sh, build-bastion.sh, publish-rpm/deb.sh - Gitea Actions CI/CD: lint, typecheck, test, build, publish Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-17 21:51:01 +00:00			`ENTRYPOINT ["node", "src/cli/dist/index.js", "init", "bastion", "standalone", "start"]`