Refactor to use chainguard images

Also now uses statically compiled alpine ffmpeg and
yt-dlp installed into a chainguard python base image

.dockerignore

@@ -0,0 +1,8 @@
+*.rsa
+announcements/
+announcements-*/
+audio/
+youtube-dl/
+mirror/
+ffmpeg/packages/
+Xmas_Audio.7z

.gitmodules

@@ -1,3 +1,6 @@
 [submodule "src/gopus"]
 	path = src/gopus
 	url = https://github.com/layeh/gopus
+[submodule "static-ffmpeg"]
+	path = static-ffmpeg
+	url = https://github.com/wader/static-ffmpeg.git

Dockerfile

@@ -1,31 +1,28 @@
 # Use an intermediate container for initial building
-FROM golang:1.18-buster AS builder
-RUN apt-get update && apt-get install -y xz-utils upx ca-certificates youtube-dl --no-install-recommends && apt-get clean && rm -rf /var/lib/apt/lists/*
+FROM golang:bullseye AS builder
+RUN apt-get update && apt-get install -y upx ca-certificates --no-install-recommends && apt-get clean && rm -rf /var/lib/apt/lists/*
 
 # Let go packages call C code
 ENV GO111MODULE=on CGO_ENABLED=1 GOAMD64=v3
 WORKDIR /build
-COPY src .
+COPY . .
 RUN GOOS=linux GOARCH=amd64 go build -a -v -ldflags="-extldflags '-static' -s -w" -tags 'osusergo,netgo,static' -asmflags 'all=-trimpath={{.Env.GOPATH}}' .
 
-# Install static ffmpeg
-RUN curl -LO https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-amd64-static.tar.xz && \
-    tar -xJf ffmpeg-release-amd64-static.tar.xz && \
-    mv ffmpeg-5.*-amd64-static/ffmpeg /build && \
-    rm -rf ffmpeg-*-static
-
 # Compress the binary and verify the output using UPX
 # h/t @FiloSottile/Filippo Valsorda: https://blog.filippo.io/shrink-your-go-binaries-with-this-one-weird-trick/
-# RUN upx -kv --ultra-brute /build/ffmpeg
-# RUN upx -kv --ultra-brute /build/trumpet
+RUN upx -v --lzma --best /build/trumpet
 
-# Copy the contents of /dist to the root of a scratch containter
-FROM python:slim
-RUN apt-get update && apt-get install -y youtube-dl --no-install-recommends && apt-get clean && rm -rf /var/lib/apt/lists/*
-COPY --chown=1000:1000 --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --chown=1000:1000 --from=builder /build/trumpet /
-COPY --chown=1000:1000 --from=builder /build/ffmpeg /usr/bin
-# RUN mkdir /audio && chown 1000:1000 /audio
-USER 1000
-WORKDIR /
-ENTRYPOINT ["/trumpet"]
+# Copy our binaries to root of yt-dlp chainguard container
+FROM ghcr.io/goproslowyo/chainguard-python-yt-dlp:latest
+COPY --chown=65532:65532 --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --chown=65532:65532 --from=ghcr.io/goproslowyo/ffmpeg-static:latest /ffmpeg /usr/bin/ffmpeg
+COPY --chown=65532:65532 --from=builder /build/trumpet /usr/bin/trumpet
+USER nonroot
+WORKDIR /trumpet
+ENTRYPOINT ["trumpet"]
+LABEL org.opencontainers.image.authors='[email protected]'
+LABEL org.opencontainers.image.description="Trumpet"
+LABEL org.opencontainers.image.licenses='GPL-3.0'
+LABEL org.opencontainers.image.source='https://github.com/goproslowyo/trumpet'
+LABEL org.opencontainers.image.url='https://github.com/users/goproslowyo/packages/container/package/trumpet'
+LABEL org.opencontainers.image.vendor='GoProSlowYo'

Dockerfile.dev

@@ -0,0 +1,22 @@
+# Use an intermediate container for initial building
+FROM golang:bullseye AS builder
+RUN apt-get update && apt-get install -y upx ca-certificates --no-install-recommends && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Let go packages call C code
+ENV GO111MODULE=on CGO_ENABLED=1 GOAMD64=v3
+WORKDIR /build
+COPY . .
+RUN GOOS=linux GOARCH=amd64 go build -a -v -ldflags="-extldflags '-static' -s -w" -tags 'osusergo,netgo,static' -asmflags 'all=-trimpath={{.Env.GOPATH}}' .
+
+# Compress the binary and verify the output using UPX
+# h/t @FiloSottile/Filippo Valsorda: https://blog.filippo.io/shrink-your-go-binaries-with-this-one-weird-trick/
+# No compression. We're in dev.
+
+# Copy our binaries to root of yt-dlp chainguard container
+FROM ghcr.io/goproslowyo/chainguard-python-yt-dlp:dev
+COPY --chown=65532:65532 --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --chown=65532:65532 --from=ghcr.io/goproslowyo/ffmpeg-static:latest /ffmpeg /usr/bin/ffmpeg
+COPY --chown=65532:65532 --from=builder /build/trumpet /usr/bin/trumpet
+USER nonroot
+WORKDIR /trumpet
+ENTRYPOINT ["trumpet"]

Makefile

@@ -1,5 +1,84 @@
+.PHONY: help
+help:
+	@echo "Make targets for trumpet"
+	@echo "------------------------"
+	@echo "This Makefile is used to build and run the Trumpet application. It includes several targets for building different components of the application, such as yt-dlp, ffmpeg, and the Trumpet application itself. It also includes targets for building and running the application in development mode. Additionally, there are targets for pushing the built images to a container registry and for stopping the running application. The Makefile includes a help target that provides a summary of all available targets."
+	@echo
+	@echo "Usage:"
+	@echo
+	@echo "* Build yt-dlp dev or latest:"
+	@echo "    make build-yt-dlp"
+	@echo "    make build-yt-dlp-dev"
+	@echo
+	@echo "* Build ffmpeg:"
+	@echo "    make build-ffmpeg"
+	@echo
+	@echo "* Build trumpet dev or latest:"
+	@echo "    make build-trumpet"
+	@echo "    make build-trumpet-dev"
+	@echo
+	@echo "* Build dev or latest:"
+	@echo "    make docker-build"
+	@echo "    make docker-build-dev"
+	@echo
+	@echo "* Run trumpet in dev or latest"
+	@echo "    make docker-run"
+	@echo "    make docker-run-debug"
+	@echo
+	@echo "* Stop trumpet:"
+	@echo "    make docker-stop"
+
+
+build-yt-dlp:
+	cd yt-dlp && \
+	docker build -t ghcr.io/goproslowyo/chainguard-python-yt-dlp:latest .
+
+build-yt-dlp-dev:
+	cd yt-dlp && \
+	docker build -f Dockerfile.dev -t ghcr.io/goproslowyo/chainguard-python-yt-dlp:dev .
+
+build-ffmpeg:
+	git submodule update --init --recursive && \
+	cd static-ffmpeg && \
+	git checkout -b trumpet && \
+	git apply ../ffmpeg.patch && \
+	docker build -t ghcr.io/goproslowyo/ffmpeg-static:latest . && \
+	git checkout master && \
+	git checkout -- Dockerfile && \
+	git branch -D trumpet
+
+build-trumpet:
+	cd src && \
+	docker build -f ../Dockerfile -t ghcr.io/goproslowyo/trumpet:latest .
+
+build-trumpet-dev:
+	cd src && \
+	docker build -f ../Dockerfile.dev -t ghcr.io/goproslowyo/trumpet:dev .
+
 docker-build:
-	docker build -t trumpet:latest .
+	$(MAKE) build-yt-dlp && \
+	$(MAKE) build-ffmpeg && \
+	$(MAKE) build-trumpet
+
+
+docker-build-dev:
+	$(MAKE) build-yt-dlp-dev && \
+	$(MAKE) build-ffmpeg && \
+	$(MAKE) build-trumpet-dev
+
+docker-push:
+	docker push ghcr.io/goproslowyo/chainguard-python-yt-dlp:latest && \
+	docker push ghcr.io/goproslowyo/ffmpeg-static:latest && \
+	docker push ghcr.io/goproslowyo/trumpet:latest
 
 docker-run:
-	docker run -itv $PWD/config.json:/config.json -v $PWD/audio:/audio -v $PWD/announcements:/announcements -v $PWD/google-translate-api-credentials.json:/google-translate-api-credentials.json trumpet:latest
+	$(MAKE) docker-build && \
+	docker compose up -d
+
+docker-run-debug:
+	$(MAKE) docker-build-dev && \
+	docker compose -f docker-compose.debug.yml up -d && \
+	docker exec -it trumpet-trumpet-1 bash
+
+docker-stop:
+	docker compose down

docker-compose.debug.yml

@@ -0,0 +1,21 @@
+version: "3"
+services:
+
+  trumpet:
+    image: ghcr.io/goproslowyo/trumpet:dev
+    volumes:
+      - config-data:/trumpet:rw
+    restart: always
+    user: 65532:65532
+    environment:
+      LOGLEVEL: debug
+      LOG_LEVEL: debug
+    # Debug entrypoint
+    entrypoint:
+    - tail
+    - -f
+    - /dev/null
+
+volumes:
+  config-data:
+    driver: local

docker-compose.yml

@@ -0,0 +1,16 @@
+version: "3"
+services:
+
+  trumpet:
+    image: ghcr.io/goproslowyo/trumpet:latest
+    volumes:
+      - config-data:/trumpet:rw
+    restart: always
+    user: 65532:65532
+    environment:
+      LOGLEVEL: debug
+      LOG_LEVEL: debug
+
+volumes:
+  config-data:
+    driver: local

ffmpeg.patch

@@ -0,0 +1,66 @@
+From 7b244b63d2d1d0eaaece03edf3c13337f46963f4 Mon Sep 17 00:00:00 2001
+From: GoProSlowYo <[email protected]>
+Date: Sat, 20 May 2023 17:07:43 -0700
+Subject: [PATCH] Changes for trumpet and compression
+
+---
+ Dockerfile | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/Dockerfile b/Dockerfile
+index e7612cc..7cdeca8 100644
+--- a/Dockerfile
++++ b/Dockerfile
+@@ -1,6 +1,6 @@
+ # bump: alpine /FROM alpine:([\d.]+)/ docker:alpine|^3
+ # bump: alpine link "Release notes" https://alpinelinux.org/posts/Alpine-$LATEST-released.html
+-FROM alpine:3.18.0 AS builder
++FROM alpine:3.18 AS builder
+
+ RUN apk add --no-cache \
+   coreutils \
+@@ -772,6 +772,7 @@ RUN \
+   --disable-debug \
+   --disable-shared \
+   --disable-ffplay \
++  --disable-ffprobe \
+   --enable-static \
+   --enable-gpl \
+   --enable-version3 \
+@@ -900,24 +901,27 @@ RUN \
+ # make sure binaries has no dependencies, is relro, pie and stack nx
+ COPY checkelf /
+ RUN \
+-  /checkelf /usr/local/bin/ffmpeg && \
+-  /checkelf /usr/local/bin/ffprobe
++  /checkelf /usr/local/bin/ffmpeg
++  #/checkelf /usr/local/bin/ffprobe
++
++RUN apk add upx && \
++  upx -v --lzma --best /usr/local/bin/ffmpeg
+
+ FROM scratch AS final1
+-COPY --from=builder /versions.json /usr/local/bin/ffmpeg /usr/local/bin/ffprobe /
++COPY --from=builder /versions.json /usr/local/bin/ffmpeg /
+ COPY --from=builder /usr/local/share/doc/ffmpeg/* /doc/
+ COPY --from=builder /etc/ssl/cert.pem /etc/ssl/cert.pem
+
+ # sanity tests
+ RUN ["/ffmpeg", "-version"]
+-RUN ["/ffprobe", "-version"]
++#RUN ["/ffprobe", "-version"]
+ RUN ["/ffmpeg", "-hide_banner", "-buildconf"]
+ # stack size
+ RUN ["/ffmpeg", "-f", "lavfi", "-i", "testsrc", "-c:v", "libsvtav1", "-t", "100ms", "-f", "null", "-"]
+ # dns
+-RUN ["/ffprobe", "-i", "https://github.com/favicon.ico"]
++#RUN ["/ffprobe", "-i", "https://github.com/favicon.ico"]
+ # tls/https certs
+-RUN ["/ffprobe", "-tls_verify", "1", "-ca_file", "/etc/ssl/cert.pem", "-i", "https://github.com/favicon.ico"]
++#RUN ["/ffprobe", "-tls_verify", "1", "-ca_file", "/etc/ssl/cert.pem", "-i", "https://github.com/favicon.ico"]
+
+ # clamp all files into one layer
+ FROM scratch AS final2
+-- 
+2.39.2
+