docker hard image

.github/workflows/docker-publish.yml

@@ -32,10 +32,16 @@ jobs:
         variant:
           - name: standard
             nix_target: cdk-mintd-static
+            dockerfile: Dockerfile.static
             tag_suffix: ""
           - name: ldk-node
             nix_target: cdk-mintd-ldk-static
+            dockerfile: Dockerfile.static
             tag_suffix: "-ldk-node"
+          - name: hardened
+            nix_target: cdk-mintd-static
+            dockerfile: Dockerfile.hardened
+            tag_suffix: "-hardened"
     runs-on: ${{ matrix.arch.runner }}
     timeout-minutes: 120
     permissions:
@@ -66,7 +72,7 @@ jobs:
           nix build .#${{ matrix.variant.nix_target }} -L
           mkdir -p ./docker-build
           cp -f ./result/bin/* ./docker-build/cdk-mintd
-          cp Dockerfile.static ./docker-build/Dockerfile
+          cp ${{ matrix.variant.dockerfile }} ./docker-build/Dockerfile
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -118,6 +124,8 @@ jobs:
             tag_suffix: ""
           - name: ldk-node
             tag_suffix: "-ldk-node"
+          - name: hardened
+            tag_suffix: "-hardened"
 
     steps:
       - name: Login to Docker Hub

Dockerfile.hardened

@@ -0,0 +1,29 @@
+# syntax=docker/dockerfile:1.7
+
+FROM alpine:3.21 AS rootfs
+
+RUN apk add --no-cache ca-certificates && \
+    mkdir -p /data && \
+    chown 10001:10001 /data
+
+FROM scratch
+
+LABEL org.opencontainers.image.title="CDK Mintd Hardened" \
+    org.opencontainers.image.description="Shell-less CDK mintd image with a static binary and scratch runtime"
+
+COPY --from=rootfs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=rootfs --chown=10001:10001 /data /data
+COPY --chown=0:0 --chmod=0555 cdk-mintd /usr/local/bin/cdk-mintd
+
+ENV CDK_MINTD_WORK_DIR=/data \
+    HOME=/data \
+    SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
+    SQLITE_TMPDIR=/data \
+    TMPDIR=/data
+
+WORKDIR /data
+USER 10001:10001
+VOLUME ["/data"]
+EXPOSE 8085 9000
+
+ENTRYPOINT ["/usr/local/bin/cdk-mintd"]

crates/cdk-mintd/README.md

@@ -308,6 +308,53 @@ docker-compose --profile ldk-node up
 
 - **`cashubtc/mintd:latest`** - Standard mint with default features
 - **`cashubtc/mintd-ldk-node:latest`** - Mint with LDK Node support
+- **`cashubtc/mintd:latest-hardened`** - Shell-less standard mint image built from `scratch`
+
+### Hardened Image
+
+The hardened image is built from `scratch` and contains only the static `cdk-mintd`
+binary, CA certificates, and `/data`. It has no `/bin/sh`, `curl`, `tar`, package
+manager, or debug tools. The image runs as UID/GID `10001:10001` and defaults the
+CDK work directory to `/data`.
+
+Run it with a read-only root filesystem and a writable `/data` mount:
+
+```bash
+docker run --rm \
+  --read-only \
+  --user 10001:10001 \
+  --cap-drop ALL \
+  --security-opt no-new-privileges:true \
+  --mount type=volume,src=cdk_mintd_data,dst=/data \
+  -p 8085:8085 \
+  -e CDK_MINTD_URL=https://example.com \
+  -e CDK_MINTD_LN_BACKEND=fakewallet \
+  -e CDK_MINTD_LISTEN_HOST=0.0.0.0 \
+  -e CDK_MINTD_LISTEN_PORT=8085 \
+  -e CDK_MINTD_DATABASE=sqlite \
+  -e CDK_MINTD_CACHE_BACKEND=memory \
+  cashubtc/mintd:latest-hardened
+```
+
+Or use the Compose file that applies the same runtime hardening:
+
+```bash
+docker-compose -f docker-compose.hardened.yaml up
+```
+
+The Dockerfile expects a prebuilt Linux static binary named `cdk-mintd` in the
+build context. This matches the release workflow. For a local Linux build with
+Nix:
+
+```bash
+nix build .#cdk-mintd-static
+mkdir -p docker-build
+cp ./result/bin/* ./docker-build/cdk-mintd
+cp Dockerfile.hardened ./docker-build/Dockerfile
+docker build --platform linux/arm64 -t cashubtc/mintd:local-hardened ./docker-build
+```
+
+For amd64, use `--platform linux/amd64` and build the matching static binary.
 
 ### Configuration via Environment Variables