Prepare usage of build secrets (#303)

* sort .gitignore and add apt_auth.conf to it * add helper to setup.sh to create apt_auth.conf (user still needs to enter their own credentials) * only create apt_auth.conf in make if it doesn't already exist * add tooling to core dockerfile and makefile to use build secrets * add ignore for hadolint as mounting syntax is currently not supported so far * update to latest docker on travis for buildkit support * documentation * sort gitignore * add dockerfile syntax definition for build args
2025-06-05 23:16:12 +00:00 · 2020-05-22 10:23:09 +02:00 · 2020-05-22 10:23:09 +02:00 · 7a04c93219
commit 7a04c93219
parent 2974903dc5
17 changed files with 119 additions and 63 deletions
--- a/.ci/travis-buildkit.sh
+++ b/.ci/travis-buildkit.sh
@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -euo pipefail
+IFS=$'\n\t'
+
+# update to latest docker for buildkit support
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+sudo apt-get update
+sudo apt-get -y -o Dpkg::Options::="--force-confnew" install docker-ce
+
+# get base images to pull, as it will otherwise fail in travis
+# git ls-files | xargs awk -F' ' '/^FROM/ { print $2 }' | sort -n | uniq | xargs --max-lines=1 docker pull
+
+docker pull docker/dockerfile:1.0-experimental
+docker pull docker.io/docker/dockerfile-copy:v0.1.9
--- a/.gitignore
+++ b/.gitignore
@ -1,14 +1,14 @@
-.vscode/settings.json
-**/.vscode
 !.travis.yml
-.travis/config.yml
-data/*
-dive.log
 .env
+.travis/config.yml
+.vagrant
+.vscode/settings.json
 *.env
-docker-compose.override.yml
+*.pem
+**/.vscode
+apt_auth.conf
 build.tags
 calendar/kopano-calendar-*/
-*.pem
-apt_auth.conf
-.vagrant
+data/*
+dive.log
+docker-compose.override.yml
--- a/.markdownlint.json
+++ b/.markdownlint.json
@ -0,0 +1,5 @@
+{
+    "MD013": false,
+    "MD026": false,
+    "MD034": false
+}
--- a/.travis.yml
+++ b/.travis.yml
@ -9,6 +9,7 @@ services:
 before_install:
  - sudo rm /usr/local/bin/docker-compose # remove pre-installed docker-compose (too old)
  - bash .ci/setup-tools.sh
+  - .ci/travis-buildkit.sh # upgrade docker for buildkit support
 install:
  - "./version.sh"
  - make lint
--- a/10
+++ b/10
@ -56,7 +56,10 @@ ifdef TRAVIS
 	@echo "fetching previous build to warm up build cache (only on travis)"
 	docker pull  $(docker_repo)/kopano_$(component):builder || true
 endif
-	docker build --rm \
+ifeq (,$(wildcard ./apt_auth.conf))
+	touch apt_auth.conf
+endif
+	DOCKER_BUILDKIT=1 docker build --rm \
 		--build-arg VCS_REF=$(vcs_ref) \
 		--build-arg docker_repo=${docker_repo} \
 		--build-arg KOPANO_CORE_VERSION=${core_download_version} \
@ -76,6 +79,7 @@ endif
 		--build-arg KOPANO_GID=$(KOPANO_GID) \
 		--cache-from $(docker_repo)/kopano_$(component):builder \
 		--cache-from $(docker_repo)/kopano_$(component):latest \
+		--secret id=repocred,src=apt_auth.conf --progress=plain \
 		-t $(docker_repo)/kopano_$(component) $(component)/

 .PHONY: build-simple
@ -94,7 +98,7 @@ ifdef TRAVIS
 	@echo "fetching previous build to warm up build cache (only on travis)"
 	docker pull  $(docker_repo)/kopano_$(component):builder || true
 endif
-	docker build --rm \
+	DOCKER_BUILDKIT=1 docker build --rm \
 		--target builder \
 		--build-arg VCS_REF=$(vcf_ref) \
 		--build-arg docker_repo=${docker_repo} \
@ -159,7 +163,7 @@ build-kdav:
 	component=kdav make build

 build-scheduler:
-	docker pull docker:18.09
+	docker pull docker:19.03
 	component=scheduler make build-simple

 build-ssl:
--- a/README.md
+++ b/README.md
@ -1,4 +1,5 @@
 # (unofficial) Kopano Docker Images
+
 [![Build Status](https://travis-ci.com/zokradonh/kopano-docker.svg?branch=master)](https://travis-ci.com/zokradonh/kopano-docker)

 This repository contains an easy to replicate recipe to spin up a [Kopano](https://kopano.com/) demo environment, which can (through modification of `.env` and possibly `docker-compose.yml`/`docker-compose.override.yml`) also be used for production environments.
@ -7,18 +8,21 @@ This repository contains an easy to replicate recipe to spin up a [Kopano](https

 - make sure that you are running at least Docker 17.06.0 and [Docker Compose](https://docs.docker.com/compose/install/) 1.19.0.
 - clone this repository to your local disk
- run `setup.sh`
-  - this script will ask you a few questions about your environment.
+- run `setup.sh`:
+  - this script will ask you a few questions about your environment
  - If you are just interested in the demo environment you can accept the default values by pressing `Enter` on each question
 - now run `docker-compose up` and you will see how the remaining Docker images are pulled and then everything is started
 - after startup has succeeded you can access the Kopano WebApp by going to `https://kopano.demo/webapp`
- there are already some users created in the demo LDAP. These users all have a password that is identical to the username, e.g. the password for `user1` user `user1`.
+- there are already some users created in the demo LDAP
+  - these users all have a password that is identical to the username, e.g. the password for `user1` user `user1`
+- to build own containers at least Docker 19.03 is required
+  - this is due to the usage of build-time secrets

 If you want to get an impression how the containers interact/relate with each other have a look at the [architecture](ARCHITECTURE.md) description.

-**Note:** There have been reports about the LDAP demo not starting up on MacOS. It is recommended to use a Linux OS if you want to use the bundled LDAP image. 
+**Note:** There have been reports about the LDAP demo not starting up on MacOS. It is recommended to use a Linux OS if you want to use the bundled LDAP image.

-The `docker-compose.yml` file by default pulls Docker containers from https://hub.docker.com/r/zokradonh/kopano_core/ and https://hub.docker.com/r/zokradonh/kopano_webapp/. These images are based on the [Kopano nightly builds](https://download.kopano.io/community/) and will contain the latest version available from the time the image was built.
+The `docker-compose.yml` file by default pulls Docker containers from for example https://hub.docker.com/r/zokradonh/kopano_core/ and https://hub.docker.com/r/zokradonh/kopano_webapp/. These images are based on the [Kopano nightly builds](https://download.kopano.io/community/) and will contain the latest version available from the time the image was built.

 ## Troubleshooting

@ -91,25 +95,30 @@ This project also makes it possible to build Docker images based on the official
 # Docker Repository to push to/pull from
 docker_repo=zokradonh
 COMPOSE_PROJECT_NAME=kopano
+COMPOSE_FILE=docker-compose.yml:docker-compose.ports.yml:docker-compose.db.yml:docker-compose.ldap.yml:docker-compose.mail.yml

-# Modify below to build a different version, than the kopano nightly release
-#KOPANO_CORE_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/core:/final/Debian_9.0/
-#KOPANO_WEBAPP_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/webapp:/final/Debian_9.0/
-#KOPANO_WEBAPP_FILES_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/files:/final/Debian_9.0/
-#KOPANO_WEBAPP_MDM_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/mdm:/final/Debian_9.0/
-#KOPANO_WEBAPP_SMIME_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/smime:/final/Debian_9.0/
-#KOPANO_ZPUSH_REPOSITORY_URL=http://repo.z-hub.io/z-push:/final/Debian_9.0/
+# Modify below to build a different version, than the Kopano nightly release
+# credentials for repositories are handled through a file called apt_auth.conf (which will be created through setup.sh or Makefile)
+#KOPANO_CORE_REPOSITORY_URL=https://download.kopano.io/supported/core:/9.x/Debian_10/
+#KOPANO_MEET_REPOSITORY_URL=https://download.kopano.io/supported/meet:/final/Debian_10/
+#KOPANO_WEBAPP_REPOSITORY_URL=https://download.kopano.io/supported/webapp:/final/Debian_10/
+#KOPANO_WEBAPP_FILES_REPOSITORY_URL=https://download.kopano.io/supported/files:/final/Debian_10/
+#KOPANO_WEBAPP_MDM_REPOSITORY_URL=https://download.kopano.io/supported/mdm:/final/Debian_10/
+#KOPANO_WEBAPP_SMIME_REPOSITORY_URL=https://download.kopano.io/supported/smime:/final/Debian_10/
+#KOPANO_ZPUSH_REPOSITORY_URL=http://repo.z-hub.io/z-push:/final/Debian_10/
 #RELEASE_KEY_DOWNLOAD=1
 #DOWNLOAD_COMMUNITY_PACKAGES=0
 ```

-Just uncomment the last four lines and insert your Kopano subscription key where it currently says `REPLACE-ME`. Once this is done a `make build-all` will rebuild the images based on the latest available Kopano release (don't forget to `make tag-core` and `make tag-webapp` your images after building them).
+The credentials for the Kopano package repositories can either be defined through the url itself, e.g. like `https://serial:REPLACE-ME@download.kopano.io/supported/core:/final/Debian_10/` or through an `apt_auth.conf` file. Using `apt_auth.conf` is preferred, since it does not "leak" credentials into the final image.

-If you are running a private Docker Registry then you may also change `docker_repo` to reference your internal registry.
+With the above lines uncommented and credentials in place running `make build-all` will rebuild the images based on the latest available Kopano release (don't forget to `make tag-core` and `make tag-webapp` your images after building them).
+
+If you are running a private Docker Registry then you have to change `docker_repo` to reference your internal registry. Afterward you can run for example `make publish-core` to push the image to your registry.

 ***WARNING***

-The built image includes your subscription key! Do not push this image to any public registry like e.g. https://hub.docker.com!
+When storing the credentials in the url the built image will include your subscription key! Do not push this image to any public registry like e.g. https://hub.docker.com!

 ### When building my own containers, how can I make sure my build works as expected?

--- a/core/Dockerfile
+++ b/core/Dockerfile
@ -1,3 +1,4 @@
+# syntax = docker/dockerfile:1.0-experimental
 ARG docker_repo=zokradonh
 FROM ${docker_repo}/kopano_base

@ -39,9 +40,10 @@ LABEL maintainer=az@zok.xyz \
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

 # install Kopano Core and refresh ca-certificates
-# hadolint ignore=DL3015
-RUN \
-    # apt key has already been installed in base
+# hadolint currently does not understand the extended buildkit syntax https://github.com/hadolint/hadolint/issues/347
+# hadolint ignore=SC2215,DL3015
+RUN --mount=type=secret,id=repocred,dst=/etc/apt/apt_auth.conf \
+    # apt key for this repo has already been installed in base
    echo "deb [${KOPANO_REPOSITORY_FLAGS}] ${KOPANO_CORE_REPOSITORY_URL} ./" > /etc/apt/sources.list.d/kopano.list; \
    # install
    apt-get update && \
--- a/kdav/Dockerfile
+++ b/kdav/Dockerfile
@ -1,3 +1,4 @@
+# syntax = docker/dockerfile:1.0-experimental
 ARG docker_repo=zokradonh
 FROM composer:1.9 as builder

@ -31,7 +32,9 @@ LABEL maintainer=az@zok.xyz \
    org.label-schema.schema-version="1.0"

 # install Kopano kDAV
-RUN \
+# hadolint ignore=SC2215
+RUN --mount=type=secret,id=repocred,dst=/etc/apt/apt_auth.conf \
+    # apt key for this repo has already been installed in base
    echo "deb [${KOPANO_REPOSITORY_FLAGS}] ${KOPANO_CORE_REPOSITORY_URL} ./" > /etc/apt/sources.list.d/kopano.list; \
    set -x && \
    apt-get update && apt-get install -y --no-install-recommends \
--- a/meet/Dockerfile
+++ b/meet/Dockerfile
@ -1,3 +1,4 @@
+# syntax = docker/dockerfile:1.0-experimental
 ARG docker_repo=zokradonh
 FROM ${docker_repo}/kopano_base:latest

@ -30,8 +31,9 @@ LABEL maintainer=az@zok.xyz \

 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

-# install Kopano Core and refresh ca-certificates
-RUN \
+# hadolint ignore=SC2215
+RUN --mount=type=secret,id=repocred,dst=/etc/apt/apt_auth.conf \
+    # apt key for this repo has already been installed in base
    # community download and package as apt source repository
    . /kopano/helper/create-kopano-repo.sh && \
    if [ ${DOWNLOAD_COMMUNITY_PACKAGES} -eq 1 ]; then \
--- a/php/Dockerfile
+++ b/php/Dockerfile
@ -1,3 +1,4 @@
+# syntax = docker/dockerfile:1.0-experimental
 ARG docker_repo=zokradonh
 FROM ${docker_repo}/kopano_base

@ -28,8 +29,9 @@ LABEL maintainer=az@zok.xyz \
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

 # add install common php dependencies
-# hadolint ignore=SC2129
-RUN \
+# hadolint ignore=SC2215
+RUN --mount=type=secret,id=repocred,dst=/etc/apt/apt_auth.conf \
+    # apt key for this repo has already been installed in base
    echo "deb [${KOPANO_REPOSITORY_FLAGS}] ${KOPANO_CORE_REPOSITORY_URL} ./" > /etc/apt/sources.list.d/kopano.list; \
    # install
    set -x && \
--- a/playground/Dockerfile
+++ b/playground/Dockerfile
@ -10,7 +10,7 @@ RUN mv kapi/examples/* /web/kapi-playground
 WORKDIR /web/kapi-playground
 RUN rm Makefile && ln -s oidc-client-example.html index.html

-FROM halverneus/static-file-server:v1.7.0
+FROM halverneus/static-file-server:v1.8.0

 ARG CODE_VERSION

@ -26,4 +26,4 @@ LABEL maintainer=az@zok.xyz \
 COPY --from=builder /web /web

 ARG VCS_REF
-LABEL org.label-schema.vcs-ref=$VCS_REF
+LABEL org.label-schema.vcs-ref=$VCS_REF
--- a/python/Dockerfile
+++ b/python/Dockerfile
@ -1,3 +1,4 @@
+# syntax = docker/dockerfile:1.0-experimental
 ARG docker_repo=zokradonh
 FROM ${docker_repo}/kopano_base

@ -27,8 +28,8 @@ LABEL maintainer=az@zok.xyz \

 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

-# hadolint ignore=SC2129
-RUN \
+# hadolint ignore=SC2215
+RUN --mount=type=secret,id=repocred,dst=/etc/apt/apt_auth.conf \
    echo "deb [${KOPANO_REPOSITORY_FLAGS}] ${KOPANO_CORE_REPOSITORY_URL} ./" > /etc/apt/sources.list.d/kopano.list; \
    # install
    set -x && \
--- a/scheduler/Dockerfile
+++ b/scheduler/Dockerfile
@ -1,4 +1,4 @@
-FROM docker:18.09
+FROM docker:19.03

 ENV \
    DOCKERIZE_VERSION=v0.6.1 \
--- a/setup.sh
+++ b/setup.sh
@ -45,6 +45,11 @@ for dockerenv in ldap password-self-service mail db kopano_ssl kopano_server kop
 	touch ./"$dockerenv".env
 done

+if ! grep -q download.kopano.com ./apt_auth.conf 2&> /dev/null; then
+	echo "Adding example entry to local apt_auth.conf"
+	echo "machine download.kopano.com login serial REPLACE-ME" >> ./apt_auth.conf
+fi
+
 if [ ! -e ./.env ]; then
 	PRINT_SETUP_SUCCESS=""

@ -334,13 +339,14 @@ docker_repo=zokradonh
 COMPOSE_PROJECT_NAME=kopano
 COMPOSE_FILE=docker-compose.yml:docker-compose.ports.yml:docker-compose.db.yml:docker-compose.ldap.yml:docker-compose.mail.yml

-# Modify below to build a different version, than the kopano nightly release
-#KOPANO_CORE_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/core:/9.x/Debian_10/
-#KOPANO_MEET_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/meet:/final/Debian_10/
-#KOPANO_WEBAPP_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/webapp:/final/Debian_10/
-#KOPANO_WEBAPP_FILES_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/files:/final/Debian_10/
-#KOPANO_WEBAPP_MDM_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/mdm:/final/Debian_10/
-#KOPANO_WEBAPP_SMIME_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/smime:/final/Debian_10/
+# Modify below to build a different version, than the Kopano nightly release
+# credentials for repositories are handled through a file called apt_auth.conf (which will be created through setup.sh or Makefile)
+#KOPANO_CORE_REPOSITORY_URL=https://download.kopano.io/supported/core:/9.x/Debian_10/
+#KOPANO_MEET_REPOSITORY_URL=https://download.kopano.io/supported/meet:/final/Debian_10/
+#KOPANO_WEBAPP_REPOSITORY_URL=https://download.kopano.io/supported/webapp:/final/Debian_10/
+#KOPANO_WEBAPP_FILES_REPOSITORY_URL=https://download.kopano.io/supported/files:/final/Debian_10/
+#KOPANO_WEBAPP_MDM_REPOSITORY_URL=https://download.kopano.io/supported/mdm:/final/Debian_10/
+#KOPANO_WEBAPP_SMIME_REPOSITORY_URL=https://download.kopano.io/supported/smime:/final/Debian_10/
 #KOPANO_ZPUSH_REPOSITORY_URL=http://repo.z-hub.io/z-push:/final/Debian_10/
 #RELEASE_KEY_DOWNLOAD=1
 #DOWNLOAD_COMMUNITY_PACKAGES=0
@ -354,7 +360,6 @@ ADDITIONAL_KOPANO_WEBAPP_PLUGINS="$ADDITIONAL_KOPANO_WEBAPP_PLUGINS"

 EOF
 else
-
 	if ! grep -q COMPOSE_FILE ./.env; then
 		echo "Adding COMPOSE_FILE setting to .env (for docker-compose.ports.yml)"
 		echo "COMPOSE_FILE=docker-compose.yml:docker-compose.ports.yml" >> ./.env
--- a/utils/Dockerfile
+++ b/utils/Dockerfile
@ -1,3 +1,4 @@
+# syntax = docker/dockerfile:1.0-experimental
 ARG docker_repo=zokradonh
 FROM ${docker_repo}/kopano_core

@ -9,7 +10,9 @@ LABEL maintainer=az@zok.xyz \
    org.label-schema.version=$KOPANO_CORE_VERSION \
    org.label-schema.schema-version="1.0"

-RUN apt-get update && apt-get install --no-install-recommends -y \
+# hadolint ignore=SC2215
+RUN --mount=type=secret,id=repocred,dst=/etc/apt/apt_auth.conf \
+    apt-get update && apt-get install --no-install-recommends -y \
    git \
    iputils-ping \
    kopano-backup \
--- a/webapp/Dockerfile
+++ b/webapp/Dockerfile
@ -1,3 +1,4 @@
+# syntax = docker/dockerfile:1.0-experimental
 ARG docker_repo=zokradonh
 FROM ${docker_repo}/kopano_php

@ -22,12 +23,13 @@ ENV \
    KOPANO_CORE_REPOSITORY_URL=$KOPANO_CORE_REPOSITORY_URL \
    KOPANO_CORE_VERSION=$KOPANO_CORE_VERSION \
    KOPANO_REPOSITORY_FLAGS=$KOPANO_REPOSITORY_FLAGS \
-    RELEASE_KEY_DOWNLOAD=$RELEASE_KEY_DOWNLOAD \
+    KOPANO_WEBAPP_FILES_REPOSITORY_URL=$KOPANO_WEBAPP_FILES_REPOSITORY_URL \
+    KOPANO_WEBAPP_MDM_REPOSITORY_URL=$KOPANO_WEBAPP_MDM_REPOSITORY_URL \
    KOPANO_WEBAPP_REPOSITORY_URL=$KOPANO_WEBAPP_REPOSITORY_URL \
    KOPANO_WEBAPP_SMIME_REPOSITORY_URL=$KOPANO_WEBAPP_SMIME_REPOSITORY_URL \
-    KOPANO_WEBAPP_MDM_REPOSITORY_URL=$KOPANO_WEBAPP_MDM_REPOSITORY_URL \
-    KOPANO_WEBAPP_FILES_REPOSITORY_URL=$KOPANO_WEBAPP_FILES_REPOSITORY_URL \
-    KOPANO_WEBAPP_VERSION=$KOPANO_WEBAPP_VERSION
+    KOPANO_WEBAPP_VERSION=$KOPANO_WEBAPP_VERSION \
+    LANG=en_US.UTF-8 \
+    RELEASE_KEY_DOWNLOAD=$RELEASE_KEY_DOWNLOAD

 LABEL maintainer=az@zok.xyz \
    org.label-schema.name="Kopano WebApp container" \
@ -39,10 +41,11 @@ LABEL maintainer=az@zok.xyz \

 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

-# install Kopano WebApp and refresh ca-certificates
-# hadolint ignore=SC2129
-RUN \
+# install Kopano WebApp
+# hadolint ignore=SC2129,SC2215
+RUN --mount=type=secret,id=repocred,dst=/etc/apt/apt_auth.conf \
    # community download and package as apt source repository
+    # TODO is it neccesary to source this file here? was already sourced before
    . /kopano/helper/create-kopano-repo.sh && \
    if [ ${DOWNLOAD_COMMUNITY_PACKAGES} -eq 1 ]; then \
        dl_and_package_community "webapp" "Debian_10"; \
@ -73,8 +76,6 @@ COPY kweb.cfg /etc/kweb.cfg
 COPY start.sh /kopano/start.sh
 COPY goss* /goss/

-ENV LANG en_US.UTF-8
-
 WORKDIR /kopano/path

 ENTRYPOINT ["/usr/bin/dumb-init", "--"]
--- a/zpush/Dockerfile
+++ b/zpush/Dockerfile
@ -1,3 +1,4 @@
+# syntax = docker/dockerfile:1.0-experimental
 ARG docker_repo=zokradonh
 FROM ${docker_repo}/kopano_base

@ -17,9 +18,10 @@ ENV \
    KOPANO_CORE_REPOSITORY_URL=$KOPANO_CORE_REPOSITORY_URL \
    KOPANO_CORE_VERSION=$KOPANO_CORE_VERSION \
    KOPANO_REPOSITORY_FLAGS=$KOPANO_REPOSITORY_FLAGS \
-    RELEASE_KEY_DOWNLOAD=$RELEASE_KEY_DOWNLOAD \
    KOPANO_ZPUSH_REPOSITORY_URL=$KOPANO_ZPUSH_REPOSITORY_URL \
-    KOPANO_ZPUSH_VERSION=$KOPANO_ZPUSH_VERSION
+    KOPANO_ZPUSH_VERSION=$KOPANO_ZPUSH_VERSION \
+    LANG=en_US.UTF-8 \
+    RELEASE_KEY_DOWNLOAD=$RELEASE_KEY_DOWNLOAD

 LABEL maintainer=az@zok.xyz \
    org.label-schema.name="Kopano Z-Push container" \
@ -32,7 +34,9 @@ LABEL maintainer=az@zok.xyz \
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

 # install Z-Push
-RUN \
+# TODO secret handling could go away when kopano_php is used as a base image
+# hadolint ignore=SC2215
+RUN --mount=type=secret,id=repocred,dst=/etc/apt/apt_auth.conf \
    echo "deb [${KOPANO_REPOSITORY_FLAGS}] ${KOPANO_CORE_REPOSITORY_URL} ./" > /etc/apt/sources.list.d/kopano.list; \
    # prepare z-push installation
    echo "deb ${KOPANO_ZPUSH_REPOSITORY_URL} /" > /etc/apt/sources.list.d/zpush.list && \
@ -96,8 +100,6 @@ EXPOSE 80/tcp

 COPY start.sh /kopano/start.sh

-ENV LANG en_US.UTF-8
-
 ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD [ "/kopano/start.sh" ]