bdossantos/dockerfiles

Dockerfiles

A collection of production-ready, security-hardened Dockerfiles using multi-stage builds, pinned dependencies, and non-root users.

Available Images

Image                 Description
anki                  Anki sync server for flashcard synchronization
dnscrypt-proxy        DNSCrypt proxy with encrypted DNS support
paperless-ngx         Paperless-ngx document management system
php-lol               PHP-FPM with Nginx and common extensions (8.1, 8.2, 8.3, 8.4)
pingdom-exporter      Prometheus exporter for Pingdom metrics
pint                  Pint – Prometheus rule linter by Cloudflare
python-github-backup  python-github-backup – GitHub repository backup tool
radicale              Radicale CalDAV/CardDAV server
resec                 Resec – Redis high-availability agent using Consul
thumbor               Thumbor smart image cropping and resizing service
tor                   Tor anonymity network daemon
twemproxy             Twemproxy (nutcracker) – Memcached/Redis proxy

Requirements

Quick Start

Install dependencies, build all images, and start services:

make install
make docker-build
docker-compose up

Building a Single Image

docker-compose build <service>

Testing

Run the full test suite (pre-commit, shellcheck, hadolint, container-structure-test, dive):

make test

Run individual checks:

make dockerfile-lint          # Lint all Dockerfiles with hadolint
make container-structure-test # Run container structure tests
make shellcheck               # Lint shell scripts
make pre-commit               # Run pre-commit hooks
make dive                     # Analyze image layers

Test a single image:

./bin/container-structure-test test \
  --image bdossantos/<service> \
  --config tests/<service>.yaml

Project Structure

.
├── dockerfiles/
│   └── <service>/
│       ├── Dockerfile
│       └── ...                          # service-specific config
├── tests/
│   └── <service>.yaml                   # container-structure-test config
├── scripts/
│   ├── changelog                        # changelog generator
│   ├── container-structure-test-install  # install test framework
│   ├── dive                             # dive analyzer
│   └── dockerfile-lint                  # hadolint wrapper
├── docker-compose.yml                   # development composition
├── docker-compose.ci.yml                # CI composition
└── Makefile                             # build automation

Available Make Targets

Run make help to list all targets:

changelog                      Generate CHANGELOG.md
container-structure-test       Run container-structure-test
container-structure-test-install Install container-structure-test
dive                           Run dive
docker-build                   Build all Dockerfiles
dockerfile-lint                Run hadolint on Dockerfile(s)
install                        Install all the things
pip-install                    Install pip dependencies
pre-commit                     Run pre-commit tests
shellcheck                     Run shellcheck on /scripts directory
test                           Run tests suite
venv                           Create python virtualenv if not exists

Design Principles

  • Pinned versions – base images, system packages, and application dependencies are version-pinned for reproducibility
  • Multi-stage builds – separate build and runtime stages to minimize image size
  • Non-root by default – services run as UID/GID 65534 (nobody/nogroup)
  • Read-only containers – images are compatible with read_only: true
  • Minimal attack surface – only essential runtime packages are installed
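
An added example, not part of this repository: a small shell helper that audits a Dockerfile against three of the principles above (pinned base image, multi-stage build, final stage running as UID/GID 65534). The function name check_dockerfile and both sample Dockerfiles are constructed for illustration, and the check assumes the final stage declares USER itself.

```sh
#!/bin/sh
# Added example (hypothetical helper, not part of bdossantos/dockerfiles).
# check_dockerfile FILE: print one finding per violated principle;
# the exit status is the number of findings (0 = compliant).
check_dockerfile() {
  awk '
    toupper($1) == "FROM" {
      stages++; user = ""              # assumption: final stage sets USER itself
      i = 2; while ($i ~ /^--/) i++    # skip flags such as --platform=...
      ref = $i
      unpinned = (ref !~ "@sha256:" && (ref !~ ":[^/]+$" || ref ~ ":latest$"))
      if (ref != "scratch" && !(ref in names) && unpinned) {
        print "unpinned base image: " ref; n++
      }
      if (toupper($(i + 1)) == "AS") names[$(i + 2)] = 1   # remember stage name
    }
    toupper($1) == "USER" { user = $2 }
    END {
      if (stages < 2) { print "single-stage build"; n++ }
      if (user !~ "^(65534|nobody)(:(65534|nogroup))?$") {
        print "final stage user is " (user == "" ? "root (no USER)" : user); n++
      }
      exit n + 0
    }' "$1"
}

# Constructed sample inputs, written to a temporary directory.
samples=$(mktemp -d)
cat > "$samples/hardened" <<'EOF'
FROM debian:12.5-slim AS build
RUN echo "compile here"
FROM debian:12.5-slim
COPY --from=build /usr/local/bin/app /usr/local/bin/app
USER 65534:65534
ENTRYPOINT ["/usr/local/bin/app"]
EOF
cat > "$samples/weak" <<'EOF'
FROM debian
RUN echo "compile and run in one stage"
ENTRYPOINT ["/usr/local/bin/app"]
EOF

for f in hardened weak; do
  echo "== $f"
  check_dockerfile "$samples/$f" || true
done
```

The hardened sample produces no findings; the weak one is reported for an unpinned base image, a single-stage build, and running as root.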
