diff --git a/2.0/alpine/Dockerfile b/2.0/alpine/Dockerfile
new file mode 100644
index 0000000..ca7bb68
--- /dev/null
+++ b/2.0/alpine/Dockerfile
@@ -0,0 +1,110 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + +FROM alpine:3.16 + +# SOURCE_DATE_EPOCH is consumed by build scripts +ARG SOURCE_DATE_EPOCH + +# runtime dependencies +RUN set -eux; \ + apk add --no-cache \ +# @system-ca: https://github.com/docker-library/haproxy/pull/216 + ca-certificates \ + ; + +# roughly, https://git.alpinelinux.org/aports/tree/main/haproxy/haproxy.pre-install?h=3.12-stable +# On Alpine, useradd still does not recognize SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. +RUN set -eux; \ + addgroup --gid 99 --system haproxy; \ + adduser \ + --disabled-password \ + --home /var/lib/haproxy \ + --ingroup haproxy \ + --no-create-home \ + --system \ + --uid 99 \ + haproxy \ + ; \ + mkdir /var/lib/haproxy; \ + chown haproxy:haproxy /var/lib/haproxy + +ENV HAPROXY_VERSION 2.0.35 +ENV HAPROXY_URL https://www.haproxy.org/download/2.0/src/haproxy-2.0.35.tar.gz +ENV HAPROXY_SHA256 95334c52ace9ae139e66d60240633be8bb4eed1babedfcc6cb947092e00c447c + +# see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments +RUN set -eux; \ + \ + apk add --no-cache --virtual .build-deps=0 \ + gcc \ + libc-dev \ + linux-headers \ + lua5.3-dev \ + make \ + openssl \ + openssl-dev \ + pcre2-dev \ + readline-dev \ + tar \ + zlib-dev \ + ; \ + \ + wget -O haproxy.tar.gz "$HAPROXY_URL"; \ + echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \ + mkdir -p /usr/src/haproxy; \ + tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \ + rm haproxy.tar.gz; \ + \ + makeOpts=' \ + TARGET=linux-glibc \ + USE_GETADDRINFO=1 \ + USE_LUA=1 LUA_INC=/usr/include/lua5.3 LUA_LIB=/usr/lib/lua5.3 \ + USE_OPENSSL=1 \ + USE_PCRE2=1 USE_PCRE2_JIT=1 \ + USE_ZLIB=1 \ + \ + EXTRA_OBJS=" \ +# see https://github.com/docker-library/haproxy/issues/94#issuecomment-505673353 for more details about prometheus support + 
contrib/prometheus-exporter/service-prometheus.o \ + " \ + '; \ + \ + nproc="$(getconf _NPROCESSORS_ONLN)"; \ + eval "make -C /usr/src/haproxy -j '$nproc' all $makeOpts"; \ + eval "make -C /usr/src/haproxy install-bin $makeOpts"; \ + \ + mkdir -p /usr/local/etc/haproxy; \ + cp -R /usr/src/haproxy/examples/errorfiles /usr/local/etc/haproxy/errors; \ + rm -rf /usr/src/haproxy; \ + \ + runDeps="$( \ + scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ + | tr ',' '\n' \ + | sort -u \ + | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ + )"; \ + apk add --no-network --virtual .haproxy-rundeps=0 $runDeps; \ + apk del --no-network .build-deps; \ + \ +# smoke test + haproxy -v + +# https://www.haproxy.org/download/1.8/doc/management.txt +# "4. Stopping and restarting HAProxy" +# "when the SIGTERM signal is sent to the haproxy process, it immediately quits and all established connections are closed" +# "graceful stop is triggered when the SIGUSR1 signal is sent to the haproxy process" +STOPSIGNAL SIGUSR1 + +COPY docker-entrypoint.sh /usr/local/bin/ +RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat +ENTRYPOINT ["docker-entrypoint.sh"] + +# no USER for backwards compatibility (to try to avoid breaking existing users) + +# no WORKDIR for backwards compatibility (to try to avoid breaking existing users) + +CMD ["haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg"] diff --git a/2.2/Dockerfile b/2.2/Dockerfile index 3854c00..3aaf071 100644 --- a/2.2/Dockerfile +++ b/2.2/Dockerfile @@ -6,6 +6,10 @@ FROM debian:bullseye-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # runtime dependencies RUN set -eux; \ apt-get update; \ 
@@ -13,9 +17,12 @@ RUN set -eux; \ # @system-ca: https://github.com/docker-library/haproxy/pull/216 ca-certificates \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6 +# On Debian, useradd recognizes SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ groupadd --gid 99 --system haproxy; \ useradd \ @@ -48,12 +55,18 @@ RUN set -eux; \ zlib1g-dev \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O haproxy.tar.gz "$HAPROXY_URL"; \ echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \ mkdir -p /usr/src/haproxy; \ tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \ rm haproxy.tar.gz; \ + SOURCE_DATE_EPOCH="$(find /usr/src/haproxy -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ \ makeOpts=' \ TARGET=linux-glibc \ @@ -93,6 +106,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ # smoke test haproxy -v diff --git a/2.4/Dockerfile b/2.4/Dockerfile index 64fd842..9039689 100644 --- a/2.4/Dockerfile +++ b/2.4/Dockerfile @@ -6,6 +6,10 @@ FROM debian:bookworm-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # runtime dependencies RUN set -eux; \ apt-get update; \ 
@@ -13,9 +17,12 @@ RUN set -eux; \ # @system-ca: https://github.com/docker-library/haproxy/pull/216 ca-certificates \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6 +# On Debian, useradd recognizes SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ groupadd --gid 99 --system haproxy; \ useradd \ @@ -47,12 +54,18 @@ RUN set -eux; \ wget \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O haproxy.tar.gz "$HAPROXY_URL"; \ echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \ mkdir -p /usr/src/haproxy; \ tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \ rm haproxy.tar.gz; \ + SOURCE_DATE_EPOCH="$(find /usr/src/haproxy -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ \ makeOpts=' \ TARGET=linux-glibc \ @@ -90,6 +103,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ # smoke test haproxy -v diff --git a/2.4/alpine/Dockerfile b/2.4/alpine/Dockerfile index a5dd0be..1728e0e 100644 --- a/2.4/alpine/Dockerfile +++ b/2.4/alpine/Dockerfile @@ -6,6 +6,10 @@ FROM alpine:3.20 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # runtime dependencies RUN set -eux; \ apk add --no-cache \ 
@@ -14,6 +18,7 @@ RUN set -eux; \ ; # roughly, https://git.alpinelinux.org/aports/tree/main/haproxy/haproxy.pre-install?h=3.12-stable +# On Alpine, useradd still does not recognize SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ addgroup --gid 99 --system haproxy; \ adduser \ @@ -35,7 +40,7 @@ ENV HAPROXY_SHA256 1cdcfbb3caff8864259e2981039f46f616ff15b6283ca601508325367ab55 # see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments RUN set -eux; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ gcc \ libc-dev \ linux-headers \ @@ -53,6 +58,10 @@ RUN set -eux; \ mkdir -p /usr/src/haproxy; \ tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \ rm haproxy.tar.gz; \ + SOURCE_DATE_EPOCH="$(find /usr/src/haproxy -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ \ makeOpts=' \ TARGET=linux-musl \ @@ -80,7 +89,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .haproxy-rundeps $runDeps; \ + apk add --no-network --virtual .haproxy-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ # smoke test diff --git a/2.6/Dockerfile b/2.6/Dockerfile index 64ed554..10fe20b 100644 --- a/2.6/Dockerfile +++ b/2.6/Dockerfile @@ -6,6 +6,10 @@ FROM debian:bookworm-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # runtime dependencies RUN set -eux; \ apt-get update; \ 
@@ -13,9 +17,12 @@ RUN set -eux; \ # @system-ca: https://github.com/docker-library/haproxy/pull/216 ca-certificates \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6 +# On Debian, useradd recognizes SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ groupadd --gid 99 --system haproxy; \ useradd \ @@ -47,12 +54,18 @@ RUN set -eux; \ wget \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O haproxy.tar.gz "$HAPROXY_URL"; \ echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \ mkdir -p /usr/src/haproxy; \ tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \ rm haproxy.tar.gz; \ + SOURCE_DATE_EPOCH="$(find /usr/src/haproxy -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ \ makeOpts=' \ TARGET=linux-glibc \ @@ -90,6 +103,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ # smoke test haproxy -v diff --git a/2.6/alpine/Dockerfile b/2.6/alpine/Dockerfile index 66f416a..35a2b39 100644 --- a/2.6/alpine/Dockerfile +++ b/2.6/alpine/Dockerfile @@ -6,6 +6,10 @@ FROM alpine:3.20 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # runtime dependencies RUN set -eux; \ apk add --no-cache \ 
@@ -14,6 +18,7 @@ RUN set -eux; \ ; # roughly, https://git.alpinelinux.org/aports/tree/main/haproxy/haproxy.pre-install?h=3.12-stable +# On Alpine, useradd still does not recognize SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ addgroup --gid 99 --system haproxy; \ adduser \ @@ -35,7 +40,7 @@ ENV HAPROXY_SHA256 be48ee8ff9127c402b4c6cf1445cef7052f2c540ed1eff2dd04af677b8cd9 # see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments RUN set -eux; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ gcc \ libc-dev \ linux-headers \ @@ -53,6 +58,10 @@ RUN set -eux; \ mkdir -p /usr/src/haproxy; \ tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \ rm haproxy.tar.gz; \ + SOURCE_DATE_EPOCH="$(find /usr/src/haproxy -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ \ makeOpts=' \ TARGET=linux-musl \ @@ -80,7 +89,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .haproxy-rundeps $runDeps; \ + apk add --no-network --virtual .haproxy-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ # smoke test diff --git a/2.8/Dockerfile b/2.8/Dockerfile index 425524c..64c99ac 100644 --- a/2.8/Dockerfile +++ b/2.8/Dockerfile @@ -6,6 +6,10 @@ FROM debian:bookworm-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # runtime dependencies RUN set -eux; \ apt-get update; \ 
@@ -13,9 +17,12 @@ RUN set -eux; \ # @system-ca: https://github.com/docker-library/haproxy/pull/216 ca-certificates \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6 +# On Debian, useradd recognizes SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ groupadd --gid 99 --system haproxy; \ useradd \ @@ -47,12 +54,18 @@ RUN set -eux; \ wget \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O haproxy.tar.gz "$HAPROXY_URL"; \ echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \ mkdir -p /usr/src/haproxy; \ tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \ rm haproxy.tar.gz; \ + SOURCE_DATE_EPOCH="$(find /usr/src/haproxy -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ \ makeOpts=' \ TARGET=linux-glibc \ @@ -90,6 +103,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ # smoke test haproxy -v diff --git a/2.8/alpine/Dockerfile b/2.8/alpine/Dockerfile index fb9b2e0..a9248cc 100644 --- a/2.8/alpine/Dockerfile +++ b/2.8/alpine/Dockerfile @@ -6,6 +6,10 @@ FROM alpine:3.20 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # runtime dependencies RUN set -eux; \ apk add --no-cache \ 
@@ -14,6 +18,7 @@ RUN set -eux; \ ; # roughly, https://git.alpinelinux.org/aports/tree/main/haproxy/haproxy.pre-install?h=3.12-stable +# On Alpine, useradd still does not recognize SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ addgroup --gid 99 --system haproxy; \ adduser \ @@ -35,7 +40,7 @@ ENV HAPROXY_SHA256 7a821478f36f847607f51a51e80f4f890c37af4811d60438e7f63783f6759 # see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments RUN set -eux; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ gcc \ libc-dev \ linux-headers \ @@ -53,6 +58,10 @@ RUN set -eux; \ mkdir -p /usr/src/haproxy; \ tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \ rm haproxy.tar.gz; \ + SOURCE_DATE_EPOCH="$(find /usr/src/haproxy -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ \ makeOpts=' \ TARGET=linux-musl \ @@ -80,7 +89,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .haproxy-rundeps $runDeps; \ + apk add --no-network --virtual .haproxy-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ # smoke test diff --git a/2.9/Dockerfile b/2.9/Dockerfile index d40703e..0229fcb 100644 --- a/2.9/Dockerfile +++ b/2.9/Dockerfile @@ -6,6 +6,10 @@ FROM debian:bookworm-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # runtime dependencies RUN set -eux; \ apt-get update; \ 
@@ -13,9 +17,12 @@ RUN set -eux; \ # @system-ca: https://github.com/docker-library/haproxy/pull/216 ca-certificates \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6 +# On Debian, useradd recognizes SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ groupadd --gid 99 --system haproxy; \ useradd \ @@ -47,12 +54,18 @@ RUN set -eux; \ wget \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O haproxy.tar.gz "$HAPROXY_URL"; \ echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \ mkdir -p /usr/src/haproxy; \ tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \ rm haproxy.tar.gz; \ + SOURCE_DATE_EPOCH="$(find /usr/src/haproxy -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ \ makeOpts=' \ TARGET=linux-glibc \ @@ -90,6 +103,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ # smoke test haproxy -v diff --git a/2.9/alpine/Dockerfile b/2.9/alpine/Dockerfile index fa69e99..05b9663 100644 --- a/2.9/alpine/Dockerfile +++ b/2.9/alpine/Dockerfile @@ -6,6 +6,10 @@ FROM alpine:3.20 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # runtime dependencies RUN set -eux; \ apk add --no-cache \ 
@@ -14,6 +18,7 @@ RUN set -eux; \ ; # roughly, https://git.alpinelinux.org/aports/tree/main/haproxy/haproxy.pre-install?h=3.12-stable +# On Alpine, useradd still does not recognize SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ addgroup --gid 99 --system haproxy; \ adduser \ @@ -35,7 +40,7 @@ ENV HAPROXY_SHA256 d1a0a56f008a8d2f007bc0c37df6b2952520d1f4dde33b8d3802710e5158c # see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments RUN set -eux; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ gcc \ libc-dev \ linux-headers \ @@ -53,6 +58,10 @@ RUN set -eux; \ mkdir -p /usr/src/haproxy; \ tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \ rm haproxy.tar.gz; \ + SOURCE_DATE_EPOCH="$(find /usr/src/haproxy -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ \ makeOpts=' \ TARGET=linux-musl \ @@ -80,7 +89,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .haproxy-rundeps $runDeps; \ + apk add --no-network --virtual .haproxy-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ # smoke test diff --git a/3.0/Dockerfile b/3.0/Dockerfile index b26cfdc..e700dac 100644 --- a/3.0/Dockerfile +++ b/3.0/Dockerfile @@ -6,6 +6,10 @@ FROM debian:bookworm-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # runtime dependencies RUN set -eux; \ apt-get update; \ 
@@ -13,9 +17,12 @@ RUN set -eux; \ # @system-ca: https://github.com/docker-library/haproxy/pull/216 ca-certificates \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6 +# On Debian, useradd recognizes SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ groupadd --gid 99 --system haproxy; \ useradd \ @@ -47,12 +54,18 @@ RUN set -eux; \ wget \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O haproxy.tar.gz "$HAPROXY_URL"; \ echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \ mkdir -p /usr/src/haproxy; \ tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \ rm haproxy.tar.gz; \ + SOURCE_DATE_EPOCH="$(find /usr/src/haproxy -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ \ makeOpts=' \ TARGET=linux-glibc \ @@ -90,6 +103,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ # smoke test haproxy -v diff --git a/3.0/alpine/Dockerfile b/3.0/alpine/Dockerfile index 85cf14e..a368fa7 100644 --- a/3.0/alpine/Dockerfile +++ b/3.0/alpine/Dockerfile @@ -6,6 +6,10 @@ FROM alpine:3.20 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # runtime dependencies RUN set -eux; \ apk add --no-cache \ 
@@ -14,6 +18,7 @@ RUN set -eux; \ ; # roughly, https://git.alpinelinux.org/aports/tree/main/haproxy/haproxy.pre-install?h=3.12-stable +# On Alpine, useradd still does not recognize SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ addgroup --gid 99 --system haproxy; \ adduser \ @@ -35,7 +40,7 @@ ENV HAPROXY_SHA256 fef923c51ddc0ffb3c73b9b95e31e98c82cb9521c64754c5e95c42907406a # see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments RUN set -eux; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ gcc \ libc-dev \ linux-headers \ @@ -53,6 +58,10 @@ RUN set -eux; \ mkdir -p /usr/src/haproxy; \ tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \ rm haproxy.tar.gz; \ + SOURCE_DATE_EPOCH="$(find /usr/src/haproxy -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ \ makeOpts=' \ TARGET=linux-musl \ @@ -80,7 +89,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .haproxy-rundeps $runDeps; \ + apk add --no-network --virtual .haproxy-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ # smoke test diff --git a/3.1/Dockerfile b/3.1/Dockerfile index c013bc0..f279177 100644 --- a/3.1/Dockerfile +++ b/3.1/Dockerfile @@ -6,6 +6,10 @@ FROM debian:bookworm-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # runtime dependencies RUN set -eux; \ apt-get update; \ 
@@ -13,9 +17,12 @@ RUN set -eux; \ # @system-ca: https://github.com/docker-library/haproxy/pull/216 ca-certificates \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6 +# On Debian, useradd recognizes SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ groupadd --gid 99 --system haproxy; \ useradd \ @@ -47,12 +54,18 @@ RUN set -eux; \ wget \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O haproxy.tar.gz "$HAPROXY_URL"; \ echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \ mkdir -p /usr/src/haproxy; \ tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \ rm haproxy.tar.gz; \ + SOURCE_DATE_EPOCH="$(find /usr/src/haproxy -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ \ makeOpts=' \ TARGET=linux-glibc \ @@ -90,6 +103,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ # smoke test haproxy -v diff --git a/3.1/alpine/Dockerfile b/3.1/alpine/Dockerfile index b43603c..1eae084 100644 --- a/3.1/alpine/Dockerfile +++ b/3.1/alpine/Dockerfile @@ -6,6 +6,10 @@ FROM alpine:3.20 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # runtime dependencies RUN set -eux; \ apk add --no-cache \ 
@@ -14,6 +18,7 @@ RUN set -eux; \ ; # roughly, https://git.alpinelinux.org/aports/tree/main/haproxy/haproxy.pre-install?h=3.12-stable +# On Alpine, useradd still does not recognize SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ addgroup --gid 99 --system haproxy; \ adduser \ @@ -35,7 +40,7 @@ ENV HAPROXY_SHA256 726b6429dc11317b38a945b81fffdcab4e98aa51361aa678f95bd69d0bf6e # see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments RUN set -eux; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ gcc \ libc-dev \ linux-headers \ @@ -53,6 +58,10 @@ RUN set -eux; \ mkdir -p /usr/src/haproxy; \ tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \ rm haproxy.tar.gz; \ + SOURCE_DATE_EPOCH="$(find /usr/src/haproxy -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ \ makeOpts=' \ TARGET=linux-musl \ @@ -80,7 +89,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .haproxy-rundeps $runDeps; \ + apk add --no-network --virtual .haproxy-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ # smoke test diff --git a/Dockerfile.template b/Dockerfile.template index 9715ae9..c3dbc58 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -1,6 +1,10 @@ {{ if env.variant == "alpine" then ( -}} FROM alpine:{{ .alpine }} +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # runtime dependencies RUN set -eux; \ apk add --no-cache \ 
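Review bot: `ENV SOURCE_DATE_EPOCH 0` is a build-time knob that now persists into the running container, so any tool run in the image (or in a derived image) that honors SOURCE_DATE_EPOCH will stamp epoch-0 timestamps on its output at runtime; the same applies to the debian branch of this template (hunk at new line 30). The comment explains why `--build-arg` was rejected but not that the runtime leak is accepted, so a line such as `# NOTE: this remains set in the final image; tools that honor it will emit epoch-0 timestamps at runtime` would record the trade-off. `ENV key value` is also the legacy form that BuildKit's build check flags (LegacyKeyValueFormat); `ENV SOURCE_DATE_EPOCH=0` is the current spelling, though the file's existing `ENV HAPROXY_VERSION …` lines use the legacy form too, so a consistent switch is a separate change. The newly added 2.0/alpine/Dockerfile in this commit declares `ARG SOURCE_DATE_EPOCH` instead and never derives or exports a value, which suggests it was not produced by this template revision; worth confirming that is intended.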
@@ -9,6 +13,7 @@ RUN set -eux; \ ; # roughly, https://git.alpinelinux.org/aports/tree/main/haproxy/haproxy.pre-install?h=3.12-stable +# On Alpine, useradd still does not recognize SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ addgroup --gid 99 --system haproxy; \ adduser \ @@ -25,6 +30,10 @@ RUN set -eux; \ {{ ) else ( -}} FROM debian:{{ .debian }} +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # runtime dependencies RUN set -eux; \ apt-get update; \ @@ -32,9 +41,12 @@ RUN set -eux; \ # @system-ca: https://github.com/docker-library/haproxy/pull/216 ca-certificates \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6 +# On Debian, useradd recognizes SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ groupadd --gid 99 --system haproxy; \ useradd \ @@ -70,7 +82,7 @@ ENV HAPROXY_SHA256 {{ .sha256 }} RUN set -eux; \ \ {{ if env.variant == "alpine" then ( -}} - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ gcc \ libc-dev \ linux-headers \ @@ -100,6 +112,8 @@ RUN set -eux; \ {{ ) else "" end -}} ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ {{ ) end -}} \ wget -O haproxy.tar.gz "$HAPROXY_URL"; \ 
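Review bot: The added comment refers to `useradd`, but the command that follows in this alpine branch is `adduser` (with `addgroup` for the group), so the comment names a tool the branch does not run; suggest `# On Alpine, adduser still does not recognize SOURCE_DATE_EPOCH, so the "lastchanged" field in /etc/shadow is not reproducible here.` The same wording appears in every generated */alpine/Dockerfile in this commit, so fixing the template and regenerating covers them. The enclosing RUN continues past the hunk.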
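Review bot: `# clean up for reproducibility` above `rm -rf /var/log/* /var/cache/ldconfig/aux-cache` says what is removed but not why, which is the kind of line a later maintainer "tidies" away; a one-line reason such as `# dpkg/apt logs and ldconfig's aux-cache embed build-time timestamps, which would differ between otherwise identical builds` would protect it. The same cleanup is repeated in the hunks at new lines 112 and 194, and in those two the line ends in ` ;\` while the surrounding continuation lines use `; \` — a style inconsistency worth aligning while the template is being touched. Since the removal runs as the last command of a RUN, a future change that appends another command after it must not forget the trailing `; \`.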
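Review bot: The `=0` pin on `--virtual .build-deps=0` has no explanation in the hunk; presumably it is there because apk otherwise assigns a virtual package a version derived from the current time, which lands in the installed-package database and defeats a reproducible layer. A comment such as `# pin the virtual package version; apk otherwise derives it from the build time` on this line, and on the `.haproxy-rundeps=0` line in the hunk at new line 180, would record that — the rundeps pin is the one that actually survives into the final image, since `.build-deps` is removed later in the same RUN. The enclosing RUN starts before and ends after this hunk.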
@@ -107,6 +121,10 @@ RUN set -eux; \ mkdir -p /usr/src/haproxy; \ tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \ rm haproxy.tar.gz; \ + SOURCE_DATE_EPOCH="$(find /usr/src/haproxy -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ \ {{ def haproxy_target: @@ -162,7 +180,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .haproxy-rundeps $runDeps; \ + apk add --no-network --virtual .haproxy-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ {{ ) else ( -}} apt-mark auto '.*' > /dev/null; \ @@ -176,6 +194,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ {{ ) end -}} \ # smoke test
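Review bot: The shell-level `SOURCE_DATE_EPOCH="$(find … )"; export SOURCE_DATE_EPOCH` silently shadows the image-wide `ENV SOURCE_DATE_EPOCH 0` for the rest of this RUN only, which looks intentional but is not stated; a comment like `# for the haproxy build itself, use the newest mtime in the checksum-verified source tree instead of the image-wide 0` would make the two different values read as deliberate rather than as a leftover. The pipeline `find … | sort -nr | head -n1` runs under `set -e` without pipefail, so a failing `find` would yield an empty value; the following `date --date "@$SOURCE_DATE_EPOCH"` should then fail and abort the build, which is a useful guard worth mentioning in the `# for logging validation/edification` comment so nobody removes the `date` call as noise. The enclosing RUN starts and ends outside the hunk.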