⚙ Add more apt configs

bdsoha · bdsoha · commit cd98138f6ae4 · 2025-08-31T09:23:38.000+03:00
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -12,8 +12,8 @@ jobs:
     runs-on: ubuntu-latest
     if: github.actor != 'renovate[bot]' && github.actor != 'renovate[bot]'
     steps:
-      - name: 📁 Checkout repository
-        uses: actions/checkout@v4
+      - name: 📥 Checkout repository
+        uses: actions/checkout@v5
 
       - name: 🧹 Lint
         uses: pre-commit/action@v3.0.1
@@ -29,8 +29,8 @@ jobs:
       packages: write
 
     steps:
-      - name: 📁 Checkout repository
-        uses: actions/checkout@v4
+      - name: 📥 Checkout repository
+        uses: actions/checkout@v5
 
       - uses: docker/setup-qemu-action@v3
       - uses: docker/setup-buildx-action@v3
diff --git a/Dockerfile b/Dockerfile
@@ -26,7 +26,7 @@ RUN DEBIAN_FRONTEND=noninteractive \
     "unzip (>=6.0)" \
     "wget (>=1.21)" \
     "zsh (>=5.9)" \
-  && rm -rf /var/lib/apt/lists/*
+  && /usr/libexec/kloudkit/apt-cleanup
 
 ### Add docker group and application user
 RUN groupadd \
diff --git a/README.md b/README.md
@@ -14,13 +14,51 @@
 docker pull ghcr.io/kloudkit/base-image:latest
 ```
 
-Use it as the first `FROM` in any Kloudkit-compatible Dockerfile:
+Use it as the first `FROM` in any KloudKIT-compatible Dockerfile:
 
 ```dockerfile
 FROM ghcr.io/kloudkit/base-image:latest
 # …install your app here…
 ```
 
+## What's Inside
+
+This ultra-minimal base layer provides:
+
+- **Size-optimized Debian** with aggressive cleanup configurations.
+- **Essential tools** like `curl`, `wget`, `gnupg`, and `unzip` pre-installed.
+- **Smart package management** that blocks unnecessary services by default.
+- **Multi-version support** with opt-in access to newer Debian releases.
+- **Security hardening** with sensible defaults for container environments.
+- **User setup** with a non-root `kloud` user ready for your applications.
+
+## Why Use This Base
+
+- **Smaller images:** Extensive file exclusions and package filtering reduce bloat.
+- **Faster builds:**Common tools pre-installed, optimized APT configuration.
+- **Consistent foundation:** All KloudKIT projects start from the same reliable base.
+- **Flexible packaging:** Access to both stable and testing repositories when needed.
+- **Production ready:** Battle-tested configurations used across KloudKIT infrastructure.
+
+## Getting Started
+
+The base image includes everything needed for most containerized applications.
+Simply extend it with your application-specific requirements:
+
+```dockerfile
+FROM ghcr.io/kloudkit/base-image:latest
+
+# Install your application dependencies
+RUN apt-get update && apt-get install -y your-packages
+
+# Copy and configure your application
+COPY . /app
+WORKDIR /app
+
+# Switch to non-root user
+USER kloud
+```
+
 ## License
 
 Released under the [**MIT License**](https://github.com/kloudkit/base-image/blob/main/LICENSE)
diff --git a/src/rootfs/etc/apt/apt.conf.d/99kloudkit b/src/rootfs/etc/apt/apt.conf.d/99kloudkit
@@ -1,10 +1,14 @@
 APT::Keep-Downloaded-Packages "false";
 
 APT::Install-Recommends "false";
+APT::Install-Suggests "false";
 
 Dpkg::Options {
   "--force-confdef";
   "--force-confold";
 }
 
 Acquire::Languages "none";
+
+Dir::Cache::srcpkgcache "";
+Dir::Cache::pkgcache "";
diff --git a/src/rootfs/etc/apt/preferences.d/99-deny-daemons b/src/rootfs/etc/apt/preferences.d/99-deny-daemons
@@ -0,0 +1,3 @@
+Package:      systemd-timesyncd ntp chrony
+Pin:          release *
+Pin-Priority: -1
diff --git a/src/rootfs/etc/apt/preferences.d/99-deny-desktop b/src/rootfs/etc/apt/preferences.d/99-deny-desktop
@@ -0,0 +1,3 @@
+Package:      bluetooth avahi-daemon network-manager* wireless-*
+Pin:          release *
+Pin-Priority: -1
diff --git a/src/rootfs/etc/apt/preferences.d/99-deny-language-pack b/src/rootfs/etc/apt/preferences.d/99-deny-language-pack
diff --git a/src/rootfs/etc/apt/preferences.d/99-deny-mail b/src/rootfs/etc/apt/preferences.d/99-deny-mail
@@ -0,0 +1,3 @@
+Package:      postfix* exim4* sendmail* ssmtp mailutils* mutt*
+Pin:          release *
+Pin-Priority: -1
diff --git a/src/rootfs/etc/apt/preferences.d/99-deny-obsolete b/src/rootfs/etc/apt/preferences.d/99-deny-obsolete
@@ -0,0 +1,3 @@
+Package:      anacron at
+Pin:          release *
+Pin-Priority: -1
diff --git a/src/rootfs/etc/apt/preferences.d/99-deny-printing b/src/rootfs/etc/apt/preferences.d/99-deny-printing
@@ -0,0 +1,3 @@
+Package:      cups* printer-driver-*
+Pin:          release *
+Pin-Priority: -1
diff --git a/src/rootfs/etc/apt/preferences.d/99-deny-x11 b/src/rootfs/etc/apt/preferences.d/99-deny-x11
diff --git a/src/rootfs/etc/apt/preferences.d/99-no-daemons b/src/rootfs/etc/apt/preferences.d/99-no-daemons
diff --git a/src/rootfs/etc/dpkg/dpkg.cfg.d/99kloudkit b/src/rootfs/etc/dpkg/dpkg.cfg.d/99kloudkit
@@ -1,23 +1,35 @@
-# Docs & info pages
+# Pre-compiled Python bytecode (re-created at runtime if needed)
+path-exclude=**/*.pyc
+
+# System directories
+path-exclude=/lib/systemd/system/*
+path-exclude=/usr/lib/systemd/system/*
+path-exclude=/usr/lib/tmpfiles.d/*
+path-exclude=/var/cache/debconf/*
+
+# Documentation & info pages
 path-exclude=/usr/share/bash-completion/*
 path-exclude=/usr/share/bug/*
 path-exclude=/usr/share/doc/*
 path-exclude=/usr/share/doc-base/*
-path-exclude=/usr/share/fonts/X11/*
 path-exclude=/usr/share/help/*
 path-exclude=/usr/share/info/*
 path-exclude=/usr/share/lintian/*
+path-exclude=/usr/share/man/*
+
+# Localization
 path-exclude=/usr/share/locale/*
 path-exclude=/usr/share/locale-langpack/*
-path-exclude=/usr/share/man/*
 
-# Icons, themes & GTK docs (CLI-only images)
+# GUI resources (CLI-only images)
+path-exclude=/usr/share/applications/*
+path-exclude=/usr/share/fonts/X11/*
+path-exclude=/usr/share/gtk-doc/*
 path-exclude=/usr/share/icons/*
+path-exclude=/usr/share/mime/*
+path-exclude=/usr/share/pixmaps/*
 path-exclude=/usr/share/themes/*
-path-exclude=/usr/share/gtk-doc/*
-
-# Pre-compiled Python bytecode (re-created at runtime if needed)
-path-exclude=**/*.pyc
+path-exclude=/usr/share/zoneinfo/*
 
 # Keep only the generic (C/English) files
 path-include=/usr/share/doc/*/copyright
diff --git a/src/rootfs/usr/libexec/kloudkit/apt-cleanup b/src/rootfs/usr/libexec/kloudkit/apt-cleanup
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+apt-get clean
+
+rm -rf \
+  /var/lib/apt/lists/* \
+  /var/tmp/* \
+  /tmp/*
+
+find /var/log -type f -delete

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Package: systemd-timesyncd ntp chrony`
	`2`	`+Pin: release *`
	`3`	`+Pin-Priority: -1`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Package: bluetooth avahi-daemon network-manager* wireless-*`
	`2`	`+Pin: release *`
	`3`	`+Pin-Priority: -1`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Package: postfix* exim4* sendmail* ssmtp mailutils* mutt*`
	`2`	`+Pin: release *`
	`3`	`+Pin-Priority: -1`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Package: anacron at`
	`2`	`+Pin: release *`
	`3`	`+Pin-Priority: -1`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Package: cups* printer-driver-*`
	`2`	`+Pin: release *`
	`3`	`+Pin-Priority: -1`