From f7f266b994a1b7d0e3b54e49e640be35b8078bf0 Mon Sep 17 00:00:00 2001
From: Astounds
Date: Fri, 29 May 2026 21:28:22 -0500
Subject: Add hardened Docker support and multi-arch CI
Multi-stage Dockerfile (non-root, Tor-ready), compose file, and entrypoints. Forgejo CI builds linux/amd64+arm64, scans with checksum-verified Grype, and pins all actions to commit SHA. Makefile gains venv bootstrap and docker targets; server.py gains a --bind flag.
---
Makefile | 27 ++++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
(limited to 'Makefile')
diff --git a/Makefile b/Makefile
index de17745..9805871 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@
 .PHONY: help install dev clean test i18n-extract i18n-init i18n-update \
 i18n-compile i18n-stats i18n-clean setup-dev lint format backup \
 restore distclean info check-deps run test-cov i18n-workflow \
- ensure-venv
+ ensure-venv docker docker-run docker-stop docker-logs docker-clean
 # Variables
 SYSTEM_PYTHON := python3
@@ -197,6 +197,31 @@ restore: ## Restore translations from latest backup
 echo "[ERROR] No backup files found"; \
 fi
+## Docker ---------------------------------------------------------------------
+
+docker: ## Build Docker image
+ @echo "[INFO] Building Docker image..."
+ docker compose build
+ @echo "[SUCCESS] Image built"
+
+docker-run: ## Start container (use ENABLE_TOR=1 for Tor)
+ @echo "[INFO] Starting container..."
+ ENABLE_TOR=$(or $(ENABLE_TOR),0) docker compose up -d
+ @echo "[SUCCESS] Container running at http://localhost:9010"
+
+docker-stop: ## Stop container
+ @echo "[INFO] Stopping container..."
+ docker compose down
+ @echo "[SUCCESS] Container stopped"
+
+docker-logs: ## Show container logs
+ docker compose logs -f
+
+docker-clean: docker-stop ## Remove container, image, and volume
+ @echo "[INFO] Removing Docker artefacts..."
+ docker compose down -v --rmi local
+ @echo "[SUCCESS] Docker artefacts removed"
+
 ## Cleanup --------------------------------------------------------------------
 clean: ## Clean temporary files, caches, and release artefacts
--
cgit v1.2.3
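Review bot: In `docker-run`, `$(or $(ENABLE_TOR),0)` is expanded by make and placed unquoted on the shell line, so any value that is not a bare word (whitespace or shell metacharacters, whether from the make command line or the inherited environment) is parsed by the shell instead of reaching compose as the variable's value. The help text documents only `ENABLE_TOR=1`, with 0 as the default, so I would normalise the switch rather than pass it through: `ENABLE_TOR=$(if $(filter 1,$(ENABLE_TOR)),1,0) docker compose up -d`. The success line prints `http://localhost:9010` whatever the compose file actually publishes (that file is not visible here), so a comment above it such as `# keep in sync with the published port in the compose file` would stop the two drifting apart. `docker-clean` already runs `docker compose down` through its `docker-stop` prerequisite and then deletes the volume with `-v` without a prompt; if that volume holds persistent service state, the help string should say the data is unrecoverable.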