From d56d8f86a18020dc554e812d1048f38de02bc410 Mon Sep 17 00:00:00 2001 From: Rob van Oostenrijk Date: Sat, 26 Oct 2024 16:49:31 +0400 Subject: [PATCH] Refactor build action, OpenSSL 3.4.0 --- .github/workflows/main.yml | 88 ++++++++++++-- Dockerfile | 213 ++++++++++++++++----------------- Dockerfile.body | 225 +++++++++++++++++++++++++++++++++++ Dockerfile.head | 4 + Earthfile | 25 ---- extract-artifacts.sh | 24 ---- scripts/build-dockerfile.sh | 16 +++ scripts/extract-artifacts.sh | 28 +++++ scripts/update_versions.sh | 17 +++ versions.env | 5 + 10 files changed, 479 insertions(+), 166 deletions(-) create mode 100644 Dockerfile.body create mode 100644 Dockerfile.head delete mode 100644 Earthfile delete mode 100755 extract-artifacts.sh create mode 100755 scripts/build-dockerfile.sh create mode 100755 scripts/extract-artifacts.sh create mode 100755 scripts/update_versions.sh create mode 100644 versions.env diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 602140d..0c5bb75 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -6,16 +6,17 @@ on: - '*' jobs: - build-container-and-deploy: + build-linux-containers: runs-on: ubuntu-latest + name: Build Linux Containers if: github.event_name == 'push' strategy: matrix: library: - - "libressl" - - "openssl" - - "wolfssl" - - "aws-lc" + - libressl + - openssl + - wolfssl + - aws-lc steps: - name: Checkout from GitHub uses: actions/checkout@v4 @@ -39,7 +40,7 @@ jobs: [ "$VERSION" == "main" ] && VERSION=latest echo "VERSION=${VERSION}-${{ matrix.library }}" >> $GITHUB_ENV - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v6 with: build-args: SSL_LIBRARY=${{ matrix.library }} context: . 
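Review bot: The new `uses: docker/build-push-action@v6` pins a third-party action to a mutable major-version tag, so the step executes whatever commit `v6` points to at run time, with this job's token and the registry credentials behind `push: true`. Pinning to the full commit SHA with the version kept as a trailing comment, `uses: docker/build-push-action@<commit-sha-for-v6>  # v6`, makes the update path explicit while Dependabot/Renovate can still propose bumps. The same applies to the other `uses:` lines added in the release hunk of this file (`actions/upload-artifact@v4`, `actions/download-artifact@v4`, `softprops/action-gh-release@v2`, `actions/delete-package-versions@v5`).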
@@ -47,12 +48,77 @@ jobs: push: true tags: ghcr.io/${{ github.repository }}:${{ matrix.library }},ghcr.io/${{ github.repository }}:${{ env.VERSION }} - name: Extract docker build artifacts - id: extract_artifacts + shell: bash run: | - ./extract-artifacts.sh ghcr.io/${{ github.repository }} ${{ env.VERSION }} ${{ matrix.library }} - - name: Release - uses: softprops/action-gh-release@v1 + ./scripts/extract-artifacts.sh ghcr.io/${{ github.repository }} ${{ env.VERSION }} ${{ matrix.library }} + - name: Upload artifacts + uses: actions/upload-artifact@v4 with: - files: | + name: haproxy-${{ matrix.library }} + path: | dist/haproxy-http3-${{ matrix.library }}-linux-amd64.tar.xz dist/haproxy-http3-${{ matrix.library }}-linux-arm64.tar.xz + dist/version.txt + retention-days: 1 + + release: + needs: + - build-linux-containers + runs-on: ubuntu-latest + name: Create Release + steps: + - name: Checkout from GitHub + uses: actions/checkout@v4 + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + pattern: haproxy-* + - name: Release Text + shell: bash + run: | + platforms=("linux-amd64" "linux-arm64") + libraries=("aws-lc" "libressl" "openssl" "wolfssl") + + git log -1 --no-merges --pretty=%B > ./release.txt + + echo "#### Versions:" >> ./release.txt + + for library in ${libraries[@]}; do + VERSION=$(cat ./haproxy-${library}/version.txt | awk '{ print " " $0 }') + + echo " - haproxy-${library}" >> ./release.txt + echo "
" >> ./release.txt + echo " Version information" >> ./release.txt + echo "" >> ./release.txt + echo "${VERSION}" >> ./release.txt + echo "
" >> ./release.txt + done + + echo "#### SHA256 Checksums:" >> ./release.txt + + for library in ${libraries[@]}; do + for platform in ${platforms[@]}; do + echo " haproxy-${library}-${platform}.tar.xz: $(sha256sum ./haproxy-${library}/haproxy-http3-${library}-${platform}.tar.xz | cut -d ' ' -f 1)" >> ./release.txt + done + + echo "" >> ./release.txt + done + - name: Release + uses: softprops/action-gh-release@v2 + with: + body_path: ./release.txt + files: | + ./haproxy-aws-lc/haproxy-http3-aws-lc-linux-amd64.tar.xz + ./haproxy-aws-lc/haproxy-http3-aws-lc-linux-arm64.tar.xz + ./haproxy-libressl/haproxy-http3-libressl-linux-amd64.tar.xz + ./haproxy-libressl/haproxy-http3-libressl-linux-arm64.tar.xz + ./haproxy-openssl/haproxy-http3-openssl-linux-amd64.tar.xz + ./haproxy-openssl/haproxy-http3-openssl-linux-arm64.tar.xz + ./haproxy-wolfssl/haproxy-http3-wolfssl-linux-amd64.tar.xz + ./haproxy-wolfssl/haproxy-http3-wolfssl-linux-arm64.tar.xz + - name: Remove old packages + uses: actions/delete-package-versions@v5 + with: + package-name: 'haproxy-http3' + package-type: 'container' + min-versions-to-keep: 10 diff --git a/Dockerfile b/Dockerfile index c8a7a45..6351545 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,14 +1,14 @@ -# syntax=docker/dockerfile:1.4 +# syntax=docker/dockerfile:1 FROM alpine:latest AS builder ARG SSL_LIBRARY -ENV OPENSSL_TAG=openssl-3.3.2 \ - LIBRESSL_TAG=v3.9.2 \ - AWS_LC_TAG=v1.37.0 \ - WOLFSSL_TAG=v5.7.2 \ - LIBSLZ_TAG=v1.2.1 \ - HAPROXY_VERSION=3.0.5 +ARG AWS_LC_TAG=v1.37.0 \ + LIBRESSL_TAG=v3.9.2 \ + OPENSSL_TAG=openssl-3.4.0 \ + WOLFSSL_TAG=v5.7.2 \ + LIBSLZ_TAG=v1.2.1 \ + HAPROXY_VERSION=3.0.5 COPY --link ["scratchfs", "/scratchfs"] 
@@ -18,29 +18,29 @@ sed -i -r 's/v\d+\.\d+/edge/g' /etc/apk/repositories apk update apk upgrade --no-interactive --latest apk add --no-cache --virtual .build-deps \ - autoconf \ - automake \ - clang \ - cmake \ - curl \ - file \ - git \ - go \ - gnupg \ - libc-dev \ - libtool \ - linux-headers \ - lua5.4-dev \ - make \ - openssl \ - patch \ - pcre2-dev \ - perl \ - readline-dev \ - samurai \ - tar \ - util-linux-misc \ - --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main + autoconf \ + automake \ + clang \ + cmake \ + curl \ + file \ + git \ + go \ + gnupg \ + libc-dev \ + libtool \ + linux-headers \ + lua5.4-dev \ + make \ + openssl \ + patch \ + pcre2-dev \ + perl \ + readline-dev \ + samurai \ + tar \ + util-linux-misc \ + --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main # # Prepare destination scratchfs @@ -78,10 +78,10 @@ if [ "${SSL_LIBRARY}" = "aws-lc" ]; then curl --silent --location https://github # WolfSSL # if [ "${SSL_LIBRARY}" = "wolfssl" ]; then - curl --silent --location -o /usr/src/wolfssl.tar.gz https://github.com/wolfSSL/wolfssl/archive/refs/tags/${WOLFSSL_TAG}-stable.tar.gz - mkdir /usr/src/wolfssl - tar -xzf /usr/src/wolfssl.tar.gz -C /usr/src/wolfssl --strip-components=1 - rm /usr/src/wolfssl.tar.gz + curl --silent --location -o /usr/src/wolfssl.tar.gz https://github.com/wolfSSL/wolfssl/archive/refs/tags/${WOLFSSL_TAG}-stable.tar.gz + mkdir /usr/src/wolfssl + tar -xzf /usr/src/wolfssl.tar.gz -C /usr/src/wolfssl --strip-components=1 + rm /usr/src/wolfssl.tar.gz fi # 
@@ -92,67 +92,68 @@ curl --silent --location https://github.com/wtarreau/libslz/archive/refs/tags/${ # # HAProxy # - curl --silent --location http://www.haproxy.org/download/$(echo ${HAPROXY_VERSION} | cut -f 1-2 -d .)/src/haproxy-${HAPROXY_VERSION}.tar.gz | tar xz -C /usr/src --one-top-level=haproxy --strip-components=1 +curl --silent --location http://www.haproxy.org/download/$(echo ${HAPROXY_VERSION} | cut -f 1-2 -d .)/src/haproxy-${HAPROXY_VERSION}.tar.gz | tar xz -C /usr/src --one-top-level=haproxy --strip-components=1 + # -# OpenSSL+quic1 +# OpenSSL # if [ "${SSL_LIBRARY}" = "openssl" ]; then - cd /usr/src/openssl - CC=clang ./Configure no-shared no-tests linux-generic64 - make -j$(getconf _NPROCESSORS_ONLN) && make install_sw + cd /usr/src/openssl + CC=clang ./Configure no-shared no-tests linux-generic64 + make -j$(getconf _NPROCESSORS_ONLN) && make install_sw fi # # LibreSSL # if [ "${SSL_LIBRARY}" = "libressl" ]; then - cd /usr/src/libressl - ./autogen.sh - CC=clang CXX=clang++ ./configure \ - --disable-shared \ - --disable-tests \ - --enable-static - make -j$(getconf _NPROCESSORS_ONLN) install + cd /usr/src/libressl + ./autogen.sh + CC=clang CXX=clang++ ./configure \ + --disable-shared \ + --disable-tests \ + --enable-static +make -j$(getconf _NPROCESSORS_ONLN) install fi # # AWS-LC # if [ "${SSL_LIBRARY}" = "aws-lc" ]; then - cd /usr/src/aws-lc - mkdir -p .openssl/lib .openssl/include - ln -sf /usr/src/aws-lc/include/openssl /usr/src/aws-lc/.openssl/include/openssl - CC=clang CXX=clang++ cmake -GNinja -B build -DCMAKE_BUILD_TYPE=Release - ninja -C build || exit 1 - cp build/crypto/libcrypto.a build/ssl/libssl.a .openssl/lib + cd /usr/src/aws-lc + mkdir -p .openssl/lib .openssl/include + ln -sf /usr/src/aws-lc/include/openssl /usr/src/aws-lc/.openssl/include/openssl + CC=clang CXX=clang++ cmake -GNinja -B build -DCMAKE_BUILD_TYPE=Release + ninja -C build || exit 1 + cp build/crypto/libcrypto.a build/ssl/libssl.a .openssl/lib fi # # WolfSSL # if [ 
"${SSL_LIBRARY}" = "wolfssl" ]; then - cd /usr/src/wolfssl - ./autogen.sh - CC=clang CXX=clang++ ./configure \ - --disable-examples \ - --disable-shared \ - --enable-static \ - --enable-alpn \ - --enable-earlydata \ - --enable-haproxy \ - --enable-quic \ - --enable-tlsv12 \ - --enable-tls13 \ - --enable-curve25519 \ - --enable-ed25519 - make -j$(getconf _NPROCESSORS_ONLN) install + cd /usr/src/wolfssl + ./autogen.sh + CC=clang CXX=clang++ ./configure \ + --disable-examples \ + --disable-shared \ + --enable-static \ + --enable-alpn \ + --enable-earlydata \ + --enable-haproxy \ + --enable-quic \ + --enable-tlsv12 \ + --enable-tls13 \ + --enable-curve25519 \ + --enable-ed25519 + make -j$(getconf _NPROCESSORS_ONLN) install fi # # Compile libslz # - cd /usr/src/libslz - make CC=clang static +cd /usr/src/libslz +make CC=clang static EOF RUN < Dockerfile + +cat << EOF >> Dockerfile + +ARG AWS_LC_TAG=${AWS_LC_TAG} \\ + LIBRESSL_TAG=${LIBRESSL_TAG} \\ + OPENSSL_TAG=${OPENSSL_TAG} \\ + WOLFSSL_TAG=${WOLFSSL_TAG} \\ + LIBSLZ_TAG=${LIBSLZ_TAG} \\ +EOF + +cat Dockerfile.body >> Dockerfile diff --git a/scripts/extract-artifacts.sh b/scripts/extract-artifacts.sh new file mode 100755 index 0000000..cb13eeb --- /dev/null +++ b/scripts/extract-artifacts.sh 
@@ -0,0 +1,28 @@ +#!/usr/bin/env bash + +IMAGE=$1 +VERSION=$2 +LIBRARY=$3 + +echo "[i] Clean dist folder" +rm -f -R ./dist +mkdir -p ./dist + +for PLATFORM in linux/amd64 linux/arm64 +do + CONTAINER=$(docker create --platform ${PLATFORM} "${IMAGE}:${VERSION}") + echo "[i] Created container ${CONTAINER:0:12}" + + echo "[i] Extract assets" + docker cp "${CONTAINER}:/usr/sbin/haproxy" ./dist/haproxy + + echo "[i] Create distribution archive" + XZ_OPT=-9 tar -C ./dist -Jcvf ./dist/haproxy-http3-${LIBRARY}-${PLATFORM/\//-}.tar.xz haproxy + + echo "[i] Removing container ${CONTAINER:0:12}" + docker rm $CONTAINER +done + +echo "[i] Grab version information" +docker pull --platform linux/arm64 "${IMAGE}:${VERSION}" +docker run --platform linux/arm64 --rm -i --log-driver=none -a stdin -a stdout -a stderr --entrypoint "/usr/sbin/haproxy" "${IMAGE}:${VERSION}" -vv > ./dist/version.txt diff --git a/scripts/update_versions.sh b/scripts/update_versions.sh new file mode 100755 index 0000000..b7609b0 --- /dev/null +++ b/scripts/update_versions.sh @@ -0,0 +1,17 @@ + +#!/bin/sh + +# Retrieve latest version number tag from a github repository +get_latest_tag() +{ + curl -s "https://api.github.com/repos/${1}/tags" | jq -r --arg v "${2}" 'first(.[] | select(.name | startswith($v))).name' | tr -d -c '0-9.' +} + +# Generate versions.env (shell env format) +cat <<- EOF >> versions.env + AWS_LC_TAG=v$(get_latest_tag aws/aws-lc v) + LIBRESSL_TAG=v$(get_latest_tag libressl/portable v) + OPENSSL_TAG=openssl-$(get_latest_tag openssl/openssl openssl) + WOLFSSL_TAG=v$(get_latest_tag wolfSSL/wolfssl v) + LIBSLZ_TAG=v$(get_latest_tag wtarreau/libslz v) +EOF diff --git a/versions.env b/versions.env new file mode 100644 index 0000000..6de286a --- /dev/null +++ b/versions.env @@ -0,0 +1,5 @@ +AWS_LC_TAG=v1.37.0 +LIBRESSL_TAG=v4.0.0 +OPENSSL_TAG=openssl-3.4.0 +WOLFSSL_TAG=v5.7.2 +LIBSLZ_TAG=v1.2.1
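Review bot: The script has no `set -euo pipefail`, so a failing `docker create` or `docker cp` does not stop the loop: with an empty `CONTAINER` the `docker cp` and `docker rm` fail, and the `tar` step still packages whatever `./dist/haproxy` currently holds — on the second iteration that is the previous platform's binary, so an arm64 archive could contain the amd64 build. Add `set -euo pipefail` after the shebang and clear the extracted binary between iterations (`rm -f ./dist/haproxy` after the `tar` line, or extract into a per-platform directory). Quoting `docker rm "$CONTAINER"` and checking that `IMAGE`, `VERSION` and `LIBRARY` were all supplied would complete the hardening.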
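Review bot: The shebang `#!/bin/sh` is on the second line of the new file (the hunk adds an empty line before it), so the kernel will not honour it and an executable invocation depends on the calling shell's fallback for a script without a recognised interpreter; drop the leading blank line so `#!/bin/sh` is line 1. `cat <<- EOF >> versions.env` appends, so every run adds another block of the same five keys and the file keeps growing (sourcing still takes the last value, but the committed file and any `grep`/`diff` on it become misleading); `> versions.env` is what "generate" implies. `<<-` strips leading tabs only, so if the heredoc body is indented with spaces the keys in `versions.env` will carry that indentation — the collapsed patch does not show which. When `jq`'s `first(...)` finds no matching tag it prints `null`, which `tr -d -c '0-9.'` turns into an empty string, and the file then gets a value like `OPENSSL_TAG=openssl-` with no error; `curl -fsS` plus a non-empty check on each result would surface that.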