Commit 9157bec

Dockerfile: Multistage build
A builder container FROM golang image fetches xcaddy. Xcaddy builds caddy. Copy caddy binary from builder to final FROM scratch image. Golang:1.19.5 because 1.20.0 won't build dependency quic-go yet. See https://github.com/lucas-clemente/quic-go/wiki/quic-go-and-Go-versions
1 parent 7b4f20e commit 9157bec

3 files changed

+20
-7
lines changed

Dockerfile

+7
@@ -1,7 +1,14 @@
1+
FROM golang:1.19.5 AS builder
2+
RUN mkdir /build
3+
WORKDIR /build
4+
RUN go install github.com/caddyserver/xcaddy/cmd/[email protected]
5+
RUN GOOS=linux GOARCH=amd64 xcaddy build v2.6.2
6+
17
FROM scratch
28
LABEL maintainer="Josh Wood <[email protected]>"
39
LABEL caddy_version="2.6.2"
410
COPY rootfs /
11+
COPY --from=builder /build/caddy /bin/caddy
512
USER 65534:65534
613
EXPOSE 8080
714
WORKDIR /var/www/html
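
Review bot: The builder stage at new line 1 pulls `golang:1.19.5` by mutable tag, so the toolchain that produces the binary copied into the `scratch` image at new line 11 can change between builds without any change to this file. Pinning the base image by digest (`FROM golang:1.19.5@sha256:<digest>`) would make the build stage reproducible. The version now appears in both `xcaddy build v2.6.2` and `LABEL caddy_version="2.6.2"`; a single `ARG` feeding both would keep the label from drifting away from what was actually built. Because the final stage is `FROM scratch`, consider setting `CGO_ENABLED=0` on the build line so the static-linking requirement is stated in the Dockerfile, since a dynamically linked binary would not start there. `RUN mkdir /build` is redundant, as `WORKDIR /build` creates the directory.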

README.md

+13-7
@@ -2,17 +2,17 @@
22

33
[![Container Image on Quay](https://quay.io/repository/joshix/caddy/status "Container Image on Quay")][quay-joshix-caddy]
44

5-
This container image encapsulates a [*Caddy*][caddy] HTTP server. It is built `FROM` the [*scratch* image][scratchimg] and executes a single statically-linked `caddy` binary absent any non-standard [modules][caddons]. It includes a tiny `index.html` landing page so that it can be demonstrated without configuration on any Docker host by invoking e.g., `docker run -d -P joshix/caddy`.
5+
This container image encapsulates a [*Caddy*][caddy] HTTP server. It is built `FROM` the [*scratch* image][scratchimg] and executes a statically-linked `caddy` binary with no added [modules][caddons]. It includes a tiny `index.html` landing page so that it can be demonstrated without configuration on any container host by invoking e.g., `docker run -d -P joshix/caddy`.
66

77
By default this caddy listens on the container's `EXPOSE`d TCP port #8080 and attempts to fulfill requests with files beneath the container's `/var/www/html/`.
88

9-
Content should be added by binding a host volume over that path, or by `COPY`ing/`ADD`ing files there when `docker build`ing an image based on this one. Adding a `Caddyfile` through the same mechanisms allows configuration of the web server and sites as described in the [Caddy documentation][caddydocs].
9+
Content should be added by binding a host volume over that path, or by `COPY`ing/`ADD`ing files there when building an image `FROM` this one. Adding a `Caddyfile` through the same mechanisms allows configuration of the web server and sites as described in the [Caddy documentation][caddydocs].
1010

1111
## Container File System
1212

13-
The file hierarchy beneath `./rootfs/` is `COPY`'d to the container's empty `/`, resulting in this layout:
13+
The caddy binary produced by the build stage and the file tree beneath `./rootfs/` are `COPY`'d to the container's `/`, resulting in this file hierarchy in the container image:
1414

15-
* `/bin/caddy` - Server executable
15+
* `/bin/caddy` - Server executable and container `ENTRYPOINT`
1616
* `/var/www/html/` - Caddy working directory and root of HTTP name space
1717
* `/var/www/html/Caddyfile` - Default configuration
1818
* `/var/www/html/index.html` - Default landing page
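
Review bot: The reworded sentence at new line 13 says the caddy binary and the `./rootfs/` tree are both `COPY`'d to the container's `/`, but the Dockerfile in this commit places the binary at `/bin/caddy` with `COPY --from=builder /build/caddy /bin/caddy`. Suggest saying that the `./rootfs/` tree is copied to `/` and the binary from the build stage is copied to `/bin/caddy`, which also matches the first bullet. That bullet now calls `/bin/caddy` the container `ENTRYPOINT`, while no `ENTRYPOINT` instruction is visible in the Dockerfile lines shown here, so it is worth confirming the instruction exists further down the file.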
@@ -101,14 +101,18 @@ $ docker run -d -p 8080:8080 -p 8443:8443 -v ./site:/var/www:ro joshix/caddy
101101

102102
### Automatic *Let's Encrypt* TLS
103103

104-
Caddy can [automatically acquire and renew TLS keys and certificates][caddyautotls] to secure connections using the *Let's Encrypt* project's ACME protocol. Because this container runs the `caddy` executable as an unprivileged user, it cannot bind privileged ports (port numbers < 1024) without further arrangement. This container is intended for use behind a container network like that provided by Docker or the Kubernetes CNI. Usually TLS termination would occur at the edge of the container host network rather than at the caddy HTTPd.
104+
Caddy can [automatically acquire and renew TLS keys and certificates][caddyautotls] to secure connections using the *Let's Encrypt* project's ACME protocol. Because this container runs the `caddy` executable as an unprivileged user, it cannot bind privileged ports (port numbers < 1024) without further arrangement. This container is intended for use behind a container network like that provided by Docker or the Kubernetes CNI. Usually TLS termination happens at the edge of the container host network rather than at the HTTPd.
105105

106-
#### Caddyfile Required
106+
## Cloning this repo
107107

108-
Create a Caddyfile specifying, at minimum, a domain name resolving to the docker host that will arrange for such traffic to be handled by the running caddybox container, and the email address for registration with letsencrypt.
108+
Versions up to v2.6.2-cb.1 included a caddy binary built outside the container build process. While that is no longer true, and caddy is built in a multi-stage container build, this repo remains large with every previous version having a binary at `rootfs/bin/caddy`.
109+
110+
Work around this with git's shallow clone. This fetches only the given number of revisions. For most new clones of this repo, that number should be 1. Something like `git clone --depth 1 --branch multistage https://github.com/joshix/caddybox` should require only a small download and disk allocation.
109111

110112
## Building Caddy with xcaddy
111113

114+
Preserved for reference. The build is no longer done out-of-band and the caddy binary is no longer included in this container image source repo. Instead, the xcaddy build tool runs inside a first stage build container in a [multi-stage][multi-stage-build] [Dockerfile][Dockerfile].
115+
112116
<https://github.com/caddyserver/xcaddy>
113117

114118
```sh
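
Review bot: Replacing `#### Caddyfile Required` and its paragraph (old lines 106-108) with `## Cloning this repo` removes the *Automatic Let's Encrypt TLS* section's instructions for supplying a domain name and registration email, and the commit message does not mention that removal. If it was not intended, keep the Caddyfile subsection and add the cloning section after it. In the new text, `--branch multistage` in the suggested `git clone` names a branch that may not outlive the merge; the default branch or a tag would age better. The new paragraph could also state that a shallow clone only avoids downloading the old `rootfs/bin/caddy` blobs, which remain in the repository history.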
@@ -122,5 +126,7 @@ cp caddy [...]/caddybox/rootfs/bin/caddy
122126
[caddy]: https://caddyserver.com
123127
[caddyautotls]: https://caddyserver.com/docs/automatic-https
124128
[caddydocs]: https://caddyserver.com/docs
129+
[Dockerfile]: Dockerfile
130+
[multi-stage-build]: https://docs.docker.com/build/building/multi-stage/
125131
[quay-joshix-caddy]: https://quay.io/repository/joshix/caddy
126132
[scratchimg]: https://hub.docker.com/_/scratch/

rootfs/bin/caddy

-38.8 MB
Binary file not shown.
