.docker/Dockerfile-hsm
FROM golang:1.22 AS builder
WORKDIR /go/src/github.com/ory/hydra
RUN apt-get update && apt-get upgrade -y &&\
mkdir -p /var/lib/sqlite &&\
mkdir -p ./internal/httpclient
COPY go.mod go.sum ./
COPY internal/httpclient/go.* ./internal/httpclient
ENV GO111MODULE on
ENV CGO_ENABLED 1
RUN go mod download
COPY . .
###############################
FROM builder as build-hydra
RUN go build -tags sqlite,hsm -o /usr/bin/hydra
###############################
FROM builder as test-hsm
ENV HSM_ENABLED=true
ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
ENV HSM_TOKEN_LABEL=hydra
ENV HSM_PIN=1234
RUN apt-get -y install softhsm opensc &&\
pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL" &&\
go test -p 1 -v -failfast -short -tags=sqlite,hsm ./...
###############################
FROM gcr.io/distroless/base-nossl-debian12:debug-nonroot AS runner
ENV HSM_ENABLED=true
ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
ENV HSM_TOKEN_LABEL=hydra
ENV HSM_PIN=1234
RUN apt-get -y install softhsm opensc &&\
pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
RUN addgroup -S ory; \
adduser -S ory -G ory -D -h /home/ory -s /bin/nologin; \
chown -R ory:ory /home/ory; \
chown -R ory:ory /var/lib/softhsm/tokens
COPY --from=build-hydra /usr/bin/hydra /usr/bin/hydra
# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
# is required for read/write of SQLite.
RUN mkdir -p /var/lib/sqlite && \
chown ory:ory /var/lib/sqlite
VOLUME /var/lib/sqlite
# Exposing the ory home directory
VOLUME /home/ory
# Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)
EXPOSE 4444 4445
USER ory
ENTRYPOINT ["hydra"]
CMD ["serve"]