huskies/docker/Dockerfile.base

# huskies-project-base — minimal base for all project containers.
#
# This image provides git, the huskies server binary, and a non-root user.
# It carries no language tooling. Per-stack overlays (docker/stacks/<name>/
# Dockerfile.fragment) layer their toolchains on top of this base.
#
# Prerequisites: build the main `huskies` image first so its binary is
# available as a build source.
#
#   docker build -t huskies -f docker/Dockerfile .
#   docker build -t huskies-project-base -f docker/Dockerfile.base .
#
# To build a stack image (e.g. rust):
#   (echo "FROM huskies-project-base"; \
#    cat docker/stacks/rust/Dockerfile.fragment) | \
#   docker build -t huskies-project-rust -

FROM huskies AS huskies-src

FROM debian:bookworm-slim

RUN apt-get update && apt-get install -y --no-install-recommends \
        git \
        curl \
        ca-certificates \
        libssl3 \
        procps \
        openssh-server \
        sudo \
    && rm -rf /var/lib/apt/lists/*

# Copy the huskies binary and entrypoint from the main image.
COPY --from=huskies-src /usr/local/bin/huskies /usr/local/bin/huskies
COPY --from=huskies-src /usr/local/bin/entrypoint.sh /usr/local/bin/entrypoint.sh

# Non-root user — Claude Code refuses --dangerously-skip-permissions as root.
# -s /bin/bash required for SSH sessions to start a real shell.
RUN groupadd -r huskies \
    && useradd -r -g huskies -m -d /home/huskies -s /bin/bash huskies \
    && mkdir -p /home/huskies/.claude \
    && mkdir -p /home/huskies/.ssh \
    && chmod 700 /home/huskies/.ssh \
    && chown -R huskies:huskies /home/huskies \
    && mkdir -p /workspace \
    && chown huskies:huskies /workspace \
    && git config --global init.defaultBranch master \
    && echo "huskies ALL=(root) NOPASSWD: /usr/sbin/sshd" > /etc/sudoers.d/huskies-sshd \
    && chmod 0440 /etc/sudoers.d/huskies-sshd \
    && mkdir -p /run/sshd \
    && sed -i \
        -e 's/#PasswordAuthentication yes/PasswordAuthentication no/' \
        -e 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' \
        -e 's/UsePAM yes/UsePAM no/' \
        /etc/ssh/sshd_config

# Shell profile for SSH sessions: land in /workspace and load toolchain paths.
RUN printf 'cd /workspace\n[ -f "$HOME/.cargo/env" ] && . "$HOME/.cargo/env"\n' \
        > /home/huskies/.profile \
    && chown huskies:huskies /home/huskies/.profile

USER huskies
WORKDIR /workspace

EXPOSE 3001 22

ENTRYPOINT ["entrypoint.sh"]
CMD ["huskies", "/workspace"]