c/quicproquo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dc4e4e49a0d24aa375252e787762cede926d62c9
quicproquo/docker/Dockerfile
Chris Nennemann dc4e4e49a0 feat: Phase 9 — developer experience, extensibility, and community growth 
New crates:
- quicproquo-bot: Bot SDK with polling API + JSON pipe mode
- quicproquo-kt: Key Transparency Merkle log (RFC 9162 subset)
- quicproquo-plugin-api: no_std C-compatible plugin vtable API
- quicproquo-gen: scaffolding tool (qpq-gen plugin/bot/rpc/hook)

Server features:
- ServerHooks trait wired into all RPC handlers (enqueue, fetch, auth,
  channel, registration) with plugin rejection support
- Dynamic plugin loader (libloading) with --plugin-dir config
- Delivery proof canary tokens (Ed25519 server signatures on enqueue)
- Key Transparency Merkle log with inclusion proofs on resolveUser

Core library:
- Safety numbers (60-digit HMAC-SHA256 key verification codes)
- Verifiable transcript archive (CBOR + ChaCha20-Poly1305 + hash chain)
- Delivery proof verification utility
- Criterion benchmarks (hybrid KEM, MLS, identity, sealed sender, padding)

Client:
- /verify REPL command for out-of-band key verification
- Full-screen TUI via Ratatui (feature-gated --features tui)
- qpq export / qpq export-verify CLI subcommands
- KT inclusion proof verification on user resolution

Also: ROADMAP Phase 9 added, bot SDK docs, server hooks docs,
crate-responsibilities updated, example plugins (rate_limit, logging).
2026-03-03 22:47:38 +01:00

87 lines
3.4 KiB
Docker
Raw Blame History

# ── Stage 1: Builder ──────────────────────────────────────────────────────────
#
# Uses the official Rust image on Debian Bookworm.
# capnproto is installed here because build.rs invokes `capnp` at compile time.
FROM rust:bookworm AS builder
RUN apt-get update \
&& apt-get install -y --no-install-recommends capnproto \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /build
# Copy manifests first so dependency layers are cached independently of source.
COPY Cargo.toml Cargo.lock ./
COPY crates/quicproquo-core/Cargo.toml crates/quicproquo-core/Cargo.toml
COPY crates/quicproquo-proto/Cargo.toml crates/quicproquo-proto/Cargo.toml
COPY crates/quicproquo-server/Cargo.toml crates/quicproquo-server/Cargo.toml
COPY crates/quicproquo-client/Cargo.toml crates/quicproquo-client/Cargo.toml
COPY crates/quicproquo-p2p/Cargo.toml crates/quicproquo-p2p/Cargo.toml
# Create dummy source files so `cargo build` can resolve the dependency graph
# and cache the compiled dependencies before copying real source.
RUN mkdir -p \
crates/quicproquo-core/src \
crates/quicproquo-proto/src \
crates/quicproquo-server/src \
crates/quicproquo-client/src \
crates/quicproquo-p2p/src \
&& echo 'fn main() {}' > crates/quicproquo-server/src/main.rs \
&& echo 'fn main() {}' > crates/quicproquo-client/src/main.rs \
&& touch crates/quicproquo-core/src/lib.rs \
&& touch crates/quicproquo-proto/src/lib.rs \
&& touch crates/quicproquo-p2p/src/lib.rs
# Schemas must exist before the proto crate's build.rs runs.
COPY schemas/ schemas/
# Build dependencies only (source stubs mean this layer is cache-friendly).
RUN cargo build --release --bin qpq-server 2>/dev/null || true
# Copy real source and build for real.
COPY crates/ crates/
# Touch source to force re-compilation after copying real crates.
RUN touch \
crates/quicproquo-core/src/lib.rs \
crates/quicproquo-proto/src/lib.rs \
crates/quicproquo-p2p/src/lib.rs \
crates/quicproquo-server/src/main.rs \
crates/quicproquo-client/src/main.rs
RUN cargo build --release --bin qpq-server
# ── Stage 2: Runtime ──────────────────────────────────────────────────────────
#
# Minimal Debian Bookworm image — no Rust toolchain, no capnp compiler.
FROM debian:bookworm-slim AS runtime
# ca-certificates is included so future HTTPS calls (e.g. from M6 key sync)
# work without further changes to this stage.
RUN apt-get update \
&& apt-get install -y --no-install-recommends ca-certificates \
&& rm -rf /var/lib/apt/lists/*
COPY --from=builder /build/target/release/qpq-server /usr/local/bin/qpq-server
# Create a dedicated non-root user with a writable data directory.
RUN groupadd --system qpq \
&& useradd --system --gid qpq --no-create-home --shell /usr/sbin/nologin qpq \
&& mkdir -p /var/lib/quicproquo \
&& chown qpq:qpq /var/lib/quicproquo
EXPOSE 7000
ENV RUST_LOG=info \
QPQ_LISTEN=0.0.0.0:7000 \
QPQ_DATA_DIR=/var/lib/quicproquo \
QPQ_TLS_CERT=/var/lib/quicproquo/server-cert.der \
QPQ_TLS_KEY=/var/lib/quicproquo/server-key.der
HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
CMD test -f /var/lib/quicproquo/server-cert.der || exit 1
USER qpq
CMD ["qpq-server"]
Reference in New Issue View Git Blame Copy Permalink