From ee2a6b9b60b1b36f1baaf66c16d297da6fc06b15 Mon Sep 17 00:00:00 2001 From: "soroush.asadi" Date: Fri, 12 Jun 2026 16:24:38 +0330 Subject: [PATCH] ci(build): pull Docker Hub base images via Nexus mirror + kargadan GOPROXY Docker Hub blocks Iran (403) on the BUILD base images too (golang/alpine/busybox/ node) once they fall out of cache. Prefix every Docker Hub FROM/COPY --from with mirror.soroushasadi.com/ (MCR dotnet images are reachable, left as-is). Go builders also set GOPROXY=mirror.kargadan.ir/repository/go-group/ + GOSUMDB=off so any module/ toolchain fetch avoids the geo-blocked proxy.golang.org. Co-Authored-By: Claude Opus 4.8 --- Dockerfile | 6 +++--- services/content/Dockerfile | 2 +- services/file/Dockerfile | 5 +++-- services/gateway/Dockerfile | 6 ++++-- services/identity/Dockerfile | 2 +- services/notification/Dockerfile | 5 +++-- services/render/Dockerfile | 5 +++-- services/studio/Dockerfile | 2 +- 8 files changed, 19 insertions(+), 14 deletions(-) diff --git a/Dockerfile b/Dockerfile index fbceca6..3499648 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # ── Stage 1: install dependencies ──────────────────────────────────────────── -FROM node:20-alpine AS deps +FROM mirror.soroushasadi.com/node:20-alpine AS deps RUN apk add --no-cache libc6-compat WORKDIR /app @@ -18,7 +18,7 @@ RUN for i in 1 2 3 4 5; do \ echo "npm ci failed after 5 attempts" && exit 1 # ── Stage 2: build ─────────────────────────────────────────────────────────── -FROM node:20-alpine AS builder +FROM mirror.soroushasadi.com/node:20-alpine AS builder WORKDIR /app COPY --from=deps /app/node_modules ./node_modules @@ -51,7 +51,7 @@ ENV NODE_ENV=production RUN npm run build # ── Stage 3: production runner ──────────────────────────────────────────────── -FROM node:20-alpine AS runner +FROM mirror.soroushasadi.com/node:20-alpine AS runner WORKDIR /app ENV NODE_ENV=production diff --git a/services/content/Dockerfile b/services/content/Dockerfile index d42a413..1d96735 100644 
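Review bot: The three `FROM mirror.soroushasadi.com/node:20-alpine` lines in the root Dockerfile pull by mutable tag, so whatever the mirror serves under that tag becomes the build and runtime base with no check against the upstream image. Pinning each reference by digest, e.g. `FROM mirror.soroushasadi.com/node:20-alpine@sha256:<digest-of-official-image> AS deps`, makes the builder reject content that differs from the official image, because the digest is content-addressed whichever registry serves it. The same applies to the `golang:1.25-alpine` and `alpine:3.20` lines in services/file, gateway, notification and render. It also applies to the `COPY --from=mirror.soroushasadi.com/busybox:1.36` lines in services/content, identity and studio, where the copied binary ends up in the runtime image as `/usr/bin/wget`.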
--- a/services/content/Dockerfile +++ b/services/content/Dockerfile @@ -4,7 +4,7 @@ EXPOSE 8080 # The .NET base image ships neither wget nor curl, which the container healthcheck needs. # Copy a single static busybox binary named `wget` (busybox dispatches on argv[0]). # This stays fully offline — no apt/network — matching the vendored Go builds. -COPY --from=busybox:1.36 /bin/busybox /usr/bin/wget +COPY --from=mirror.soroushasadi.com/busybox:1.36 /bin/busybox /usr/bin/wget FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build WORKDIR /src diff --git a/services/file/Dockerfile b/services/file/Dockerfile index 03b2612..6363e0b 100644 --- a/services/file/Dockerfile +++ b/services/file/Dockerfile @@ -1,10 +1,11 @@ -FROM golang:1.25-alpine AS build +FROM mirror.soroushasadi.com/golang:1.25-alpine AS build +ENV GOPROXY=https://mirror.kargadan.ir/repository/go-group/ GOSUMDB=off WORKDIR /src # Dependencies are vendored — build fully offline (proxy.golang.org is geo-blocked from some regions) COPY . . RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -o /file-svc ./cmd/server -FROM alpine:3.20 +FROM mirror.soroushasadi.com/alpine:3.20 RUN apk add --no-cache ca-certificates tzdata COPY --from=build /file-svc /file-svc EXPOSE 8080 diff --git a/services/gateway/Dockerfile b/services/gateway/Dockerfile index 377fe61..ae094f7 100644 --- a/services/gateway/Dockerfile +++ b/services/gateway/Dockerfile 
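Review bot: `GOSUMDB=off` on the new `ENV` line in services/file/Dockerfile turns off checksum-database verification for anything the go command downloads, while `GOPROXY` on the same line points at a third-party host; the same line is added in services/gateway, notification and render. The build uses `-mod=vendor`, so this mainly affects a toolchain download or a module fetch that slips past vendoring, and in those cases no independent check of the download remains. Consider dropping `GOSUMDB=off` (the go command can reach the checksum database through a proxy that supports it, which would need confirming for this Nexus). If the build is meant to be fully offline, as the existing comment under the new line says, `ENV GOPROXY=off GOFLAGS=-mod=vendor` would make an unexpected fetch fail instead of going to the mirror. Only the gateway hunk adds a comment explaining the line; file, notification and render should carry the same one.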
@@ -1,10 +1,12 @@ -FROM golang:1.25-alpine AS builder +FROM mirror.soroushasadi.com/golang:1.25-alpine AS builder +# Go module/toolchain fetches via the kargadan Nexus (proxy.golang.org geo-blocked). +ENV GOPROXY=https://mirror.kargadan.ir/repository/go-group/ GOSUMDB=off WORKDIR /app # Dependencies are vendored — build fully offline (proxy.golang.org is geo-blocked from some regions) COPY . . RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -ldflags="-s -w" -o gateway ./cmd/server -FROM alpine:3.20 +FROM mirror.soroushasadi.com/alpine:3.20 RUN apk add --no-cache ca-certificates tzdata WORKDIR /app COPY --from=builder /app/gateway . diff --git a/services/identity/Dockerfile b/services/identity/Dockerfile index 31160d1..ad9e6dc 100644 --- a/services/identity/Dockerfile +++ b/services/identity/Dockerfile @@ -4,7 +4,7 @@ EXPOSE 8080 # The .NET base image ships neither wget nor curl, which the container healthcheck needs. # Copy a single static busybox binary named `wget` (busybox dispatches on argv[0]). # This stays fully offline — no apt/network — matching the vendored Go builds. -COPY --from=busybox:1.36 /bin/busybox /usr/bin/wget +COPY --from=mirror.soroushasadi.com/busybox:1.36 /bin/busybox /usr/bin/wget FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build WORKDIR /src diff --git a/services/notification/Dockerfile b/services/notification/Dockerfile index 682427d..c5ebc36 100644 --- a/services/notification/Dockerfile +++ b/services/notification/Dockerfile 
@@ -1,10 +1,11 @@ -FROM golang:1.25-alpine AS builder +FROM mirror.soroushasadi.com/golang:1.25-alpine AS builder +ENV GOPROXY=https://mirror.kargadan.ir/repository/go-group/ GOSUMDB=off WORKDIR /app # Dependencies are vendored — build fully offline (proxy.golang.org is geo-blocked from some regions) COPY . . RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -ldflags="-s -w" -o notification-svc ./cmd/server -FROM alpine:3.20 +FROM mirror.soroushasadi.com/alpine:3.20 RUN apk add --no-cache ca-certificates tzdata WORKDIR /app COPY --from=builder /app/notification-svc . diff --git a/services/render/Dockerfile b/services/render/Dockerfile index a99dcbc..c6b7747 100644 --- a/services/render/Dockerfile +++ b/services/render/Dockerfile @@ -1,10 +1,11 @@ -FROM golang:1.25-alpine AS builder +FROM mirror.soroushasadi.com/golang:1.25-alpine AS builder +ENV GOPROXY=https://mirror.kargadan.ir/repository/go-group/ GOSUMDB=off WORKDIR /app # Dependencies are vendored — build fully offline (proxy.golang.org is geo-blocked from some regions) COPY . . RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -ldflags="-s -w" -o render-svc ./cmd/server -FROM alpine:3.20 +FROM mirror.soroushasadi.com/alpine:3.20 RUN apk add --no-cache ca-certificates tzdata WORKDIR /app COPY --from=builder /app/render-svc . diff --git a/services/studio/Dockerfile b/services/studio/Dockerfile index e7b7e53..9e53ff7 100644 --- a/services/studio/Dockerfile +++ b/services/studio/Dockerfile @@ -4,7 +4,7 @@ EXPOSE 8080 # The .NET base image ships neither wget nor curl, which the container healthcheck needs. # Copy a single static busybox binary named `wget` (busybox dispatches on argv[0]). # This stays fully offline — no apt/network — matching the vendored Go builds. -COPY --from=busybox:1.36 /bin/busybox /usr/bin/wget +COPY --from=mirror.soroushasadi.com/busybox:1.36 /bin/busybox /usr/bin/wget FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build WORKDIR /src