# SPDX-License-Identifier: MIT

#     Copyright (c) 2025 SUSE LLC

# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon.

# The content of THIS FILE IS AUTOGENERATED and should not be manually modified.
# It is maintained by the BCI team and generated by
# https://github.com/SUSE/BCI-dockerfile-generator

# Please submit bugfixes or comments via https://bugs.opensuse.org/
# You can contact the BCI team via https://github.com/SUSE/bci/discussions

#!UseOBSRepositories

#!BuildTag: opensuse/bci/bci-base-fips:%OS_VERSION_ID_SP%-%RELEASE%
#!BuildTag: opensuse/bci/bci-base-fips:%OS_VERSION_ID_SP%
#!BuildTag: opensuse/bci/bci-base-fips:latest

FROM opensuse/tumbleweed:latest

RUN set -euo pipefail; \
    zypper -n install --no-recommends openSUSE-release openSUSE-release-appliance-docker coreutils crypto-policies-scripts; \
    zypper -n clean; \
    rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}

# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=org.opensuse.bci.base-fips
LABEL org.opencontainers.image.title="openSUSE Tumbleweed BCI FIPS-140-3"
LABEL org.opencontainers.image.description="FIPS-140-3 container based on the openSUSE Tumbleweed Base Container Image."
LABEL org.opencontainers.image.version="%OS_VERSION_ID_SP%-%RELEASE%"
LABEL org.opencontainers.image.url="https://www.opensuse.org"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="openSUSE Project"
LABEL org.opencontainers.image.source="%SOURCEURL%"
LABEL org.opencontainers.image.ref.name="%OS_VERSION_ID_SP%-%RELEASE%"
LABEL org.opensuse.reference="registry.opensuse.org/opensuse/bci/bci-base-fips:%OS_VERSION_ID_SP%-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL org.opensuse.lifecycle-url="https://en.opensuse.org/Lifetime#openSUSE_BCI"
LABEL org.opensuse.release-stage="released"
# endlabelprefix
LABEL io.artifacthub.package.readme-url="https://raw.githubusercontent.com/SUSE/BCI-dockerfile-generator/Tumbleweed/base-fips-image/README.md"
LABEL usage="This container should only be used on a FIPS enabled host (fips=1 on kernel cmdline)."
RUN set -euo pipefail; update-crypto-policies --no-reload --set FIPS

ENV GNUTLS_FORCE_FIPS_MODE=1
ENV LIBGCRYPT_FORCE_FIPS_MODE=1
ENV LIBICA_FIPS_FLAG=1
ENV NSS_FIPS=1
ENV OPENSSL_FIPS=1
ENV OPENSSL_FORCE_FIPS_MODE=1