From 06b86cbc27f53f977957ff43cbbfce3a962a204d Mon Sep 17 00:00:00 2001
From: ElevenNotes
Date: Fri, 2 May 2025 09:17:38 +0200
Subject: [PATCH] [upgrade] to latest workflows
---
.gitattributes | 1 +
.github/workflows/docker.yml | 245 +++++++++++++++++++++++++----------
.github/workflows/readme.yml | 16 +++
.github/workflows/tags.yml | 31 ++++-
.json | 4 +-
README.md | 2 +-
arch.dockerfile | 5 +-
compose.yaml | 14 +-
8 files changed, 235 insertions(+), 83 deletions(-)
create mode 100644 .github/workflows/readme.yml
diff --git a/.gitattributes b/.gitattributes
index 56bbd5d..471fe64 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,3 @@
+# default
 * text=auto
 *.sh eol=lf
\ No newline at end of file
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index fd9204f..7fd2917 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -10,6 +10,17 @@ on: required: false default: 'docker' + runs-on: description: 'set runs-on for workflow (github or selfhosted)' type: string required: false default: 'ubuntu-22.04' + + build: description: 'set WORKFLOW_BUILD' required: false default: 'true' + release: description: 'set WORKFLOW_GITHUB_RELEASE' required: false
@@ -19,30 +30,15 @@ on: description: 'set WORKFLOW_GITHUB_README' required: false default: 'false' - - image: - description: 'set IMAGE' - required: false - - uid: - description: 'set IMAGE_UID' - required: false - - gid: - description: 'set IMAGE_GID' - required: false - - semverprefix: - description: 'prefix for semver tags' - required: false - - semversuffix: - description: 'suffix for semver tags' + + etc: + description: 'base64 encoded json string' required: false jobs: docker: - runs-on: ubuntu-22.04 + runs-on: ${{ inputs.runs-on }} + timeout-minutes: 1440 services: registry:
@@ -54,7 +50,6 @@ jobs: actions: read contents: write packages: write - security-events: write steps: - name: init / checkout
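Review bot: The new `build` input is declared without a `type:` while the `runs-on` input added just above it carries `type: string`; giving `build` the same `type: string` keeps the inputs block uniform and makes the expected value explicit. The `runs-on` description says "(github or selfhosted)" but the value is used verbatim as the runner label, so the description should state what to pass, e.g. `description: 'runner label used for runs-on, e.g. ubuntu-22.04 or a self-hosted label'`.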
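Review bot: `runs-on: ${{ inputs.runs-on }}` relies on the input being populated; on any trigger of this workflow that carries no inputs the expression is empty and the job has no runner to schedule on, whereas the removed line pinned `ubuntu-22.04` unconditionally. `runs-on: ${{ inputs.runs-on || 'ubuntu-22.04' }}` keeps the old behaviour for those runs. Because the label is free text, whoever can dispatch the workflow also decides which self-hosted runner (if any) the job lands on; a `type: choice` with an explicit `options:` list would limit that where the trigger supports it. The `etc` input should document its shape, since its keys are read later in this file: `description: 'base64 encoded JSON object; keys: semverprefix, semversuffix, uid, gid, version, tag, dockerfile'`.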
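Review bot: Dropping `security-events: write` while `steps.grype.outputs.sarif` is still consumed later in this patch (the `sarif_file:` line of the README step) is only safe if no step uploads that SARIF to code scanning any more; if an upload step remains outside the shown hunks it will now fail with a permission error. A one-line comment such as `# grype SARIF is only fed to the README action, not uploaded to code scanning` at the permissions block would record the intent.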
@@ -69,12 +64,17 @@ jobs: script: | const { existsSync, readFileSync } = require('node:fs'); const { resolve } = require('node:path'); + const { inspect } = require('node:util'); + const { Buffer } = require('node:buffer'); const inputs = `${{ toJSON(github.event.inputs) }}`; const opt = {input:{}, dot:{}}; try{ if(inputs.length > 0){ opt.input = JSON.parse(inputs); + if(opt.input?.etc){ + opt.input.etc = JSON.parse(Buffer.from(opt.input.etc, 'base64').toString('ascii')); + } } }catch(e){ core.warning('could not parse github.event.inputs'); @@ -95,27 +95,30 @@ jobs: core.setFailed(e); } + core.info(inspect(opt, {showHidden:false, depth:null, colors:true})); + const docker = { image:{ - name:(opt.input?.image || opt.dot.image), + name:opt.dot.image, arch:(opt.dot.arch || 'linux/amd64,linux/arm64'), - prefix:((opt.input?.semverprefix) ? `${opt.input?.semverprefix}-` : ''), - suffix:((opt.input?.semversuffix) ? `-${opt.input?.semversuffix}` : ''), + prefix:((opt.input?.etc?.semverprefix) ? `${opt.input?.etc?.semverprefix}-` : ''), + suffix:((opt.input?.etc?.semversuffix) ? `-${opt.input?.etc?.semversuffix}` : ''), description:(opt.dot?.readme?.description || ''), tags:[], }, app:{ image:opt.dot.image, name:opt.dot.name, - version:opt.dot.semver.version, + version:(opt.input?.etc?.version || opt.dot.semver.version), root:opt.dot.root, - UID:(opt.input?.uid || 1000), - GID:(opt.input?.gid || 1000), + UID:(opt.input?.etc?.uid || 1000), + GID:(opt.input?.etc?.gid || 1000), no_cache:new Date().getTime(), }, cache:{ registry:'localhost:5000/', - } + }, + tags:[], }; docker.cache.name = `${docker.image.name}:${docker.image.prefix}buildcache${docker.image.suffix}`; 
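Review bot: `Buffer.from(opt.input.etc, 'base64').toString('ascii')` decodes the JSON as ASCII, so any non-ASCII byte in the encoded object (a version or suffix string with a non-ASCII character, for instance) is silently replaced before `JSON.parse` sees it; `toString('utf8')` (or a bare `.toString()`, which defaults to UTF-8) decodes what `Buffer.from(JSON.stringify(etc))` in tags.yml produces. If the inner parse throws, the shared catch logs `could not parse github.event.inputs` and leaves `opt.input.etc` as the raw base64 string, which every later `opt.input?.etc?.x` lookup then quietly reads as undefined; a dedicated `core.warning('could not decode inputs.etc as base64 JSON')` in its own try/catch would make that visible. The enclosing script step continues outside the hunk.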
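Review bot: `version:(opt.input?.etc?.version || opt.dot.semver.version)` dereferences `opt.dot.semver` without optional chaining, so a `.json` without a `semver` block throws a TypeError here before the `else if(opt.dot?.semver?.version)` guard in the tag setup a few lines below ever runs; `version:(opt.input?.etc?.version || opt.dot?.semver?.version)` matches that guard. `core.info(inspect(opt, {showHidden:false, depth:null, colors:true}))` prints the fully decoded inputs, including `etc`, into the job log; that is fine as long as nothing secret is ever passed through `etc`, and a comment such as `// inputs (including decoded etc) are logged in full: never pass secrets through etc` at that line would keep a future caller from assuming otherwise. The script continues outside the hunk.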
@@ -124,21 +127,42 @@ jobs: docker.app.suffix = docker.image.suffix; // setup tags - const semver = opt.dot.semver.version.split('.'); - docker.image.tags.push(`${context.sha.substring(0,7)}`); - if(Array.isArray(semver)){ - if(semver.length >= 1) docker.image.tags.push(`${semver[0]}`); - if(semver.length >= 2) docker.image.tags.push(`${semver[0]}.${semver[1]}`); - if(semver.length >= 3) docker.image.tags.push(`${semver[0]}.${semver[1]}.${semver[2]}`); + if(opt.input?.etc?.dockerfile !== 'arch.dockerfile' && opt.input?.etc?.tag){ + docker.image.tags.push(`${context.sha.substring(0,7)}`); + docker.image.tags.push(opt.input.etc.tag); + docker.image.tags.push(`${opt.input.etc.tag}-${docker.app.version}`); + docker.cache.name = `${docker.image.name}:buildcache-${opt.input.etc.tag}`; + }else if(opt.dot?.semver?.version){ + const semver = opt.dot.semver.version.split('.'); + docker.image.tags.push(`${context.sha.substring(0,7)}`); + if(Array.isArray(semver)){ + if(semver.length >= 1) docker.image.tags.push(`${semver[0]}`); + if(semver.length >= 2) docker.image.tags.push(`${semver[0]}.${semver[1]}`); + if(semver.length >= 3) docker.image.tags.push(`${semver[0]}.${semver[1]}.${semver[2]}`); + } + if(opt.dot.semver?.stable && new RegExp(opt.dot.semver.stable, 'ig').test(docker.image.tags.join(','))) docker.image.tags.push('stable'); + if(opt.dot.semver?.latest && new RegExp(opt.dot.semver.latest, 'ig').test(docker.image.tags.join(','))) docker.image.tags.push('latest'); + }else if(opt.input?.etc?.version && opt.input.etc.version === 'latest'){ + docker.image.tags.push('latest'); } - if(opt.dot.semver?.stable && new RegExp(opt.dot.semver.stable, 'ig').test(docker.image.tags.join(','))) docker.image.tags.push('stable'); - if(opt.dot.semver?.latest && new RegExp(opt.dot.semver.latest, 'ig').test(docker.image.tags.join(','))) docker.image.tags.push('latest'); - for(let i=0; i ./comparison.size0.log + + docker image pull ${{ env.WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE }} + 
docker image ls --filter "reference=${{ env.WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE }}" --format json | jq --raw-output '.Size' &> ./comparison.size1.log + + docker run --entrypoint "/bin/sh" --rm ${{ env.WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE }} -c id &> ./comparison.id.log - name: github / create README.md id: github-readme continue-on-error: true - if: env.WORKFLOW_CREATE_README == 'true' && steps.docker-build.outcome == 'success' + if: env.WORKFLOW_CREATE_README == 'true' uses: 11notes/action-docker-readme@v1 + # WHY IS THIS ACTION NOT SHA256 PINNED? SECURITY MUCH?!?!?! + # --------------------------------------------------------------------------------- + # the next step "github / commit & push" only adds the README and LICENSE as well as + # compose.yaml to the repository. This does not pose a security risk if this action + # would be compromised. The code of the app can't be changed by this action. Since + # only the files mentioned are commited to the repo. Sure, someone could make a bad + # compose.yaml, but since this serves only as an example I see no harm in that. with: sarif_file: ${{ steps.grype.outputs.sarif }} build_output_metadata: ${{ steps.docker-build.outputs.metadata }} - - name: github / commit & push - continue-on-error: true - if: steps.github-readme.outcome == 'success' && hashFiles('README.md') != '' - run: | - git config user.name "github-actions[bot]" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git add README.md - git commit -m "auto update README.md" - git push - - name: docker / push README.md to docker hub continue-on-error: true - if: steps.github-readme.outcome == 'success' && hashFiles('README.md') != '' + if: steps.github-readme.outcome == 'success' && hashFiles('README_NONGITHUB.md') != '' uses: christian-korneck/update-container-description-action@d36005551adeaba9698d8d67a296bd16fa91f8e8 env: DOCKER_USER: 11notes 
@@ -303,8 +397,25 @@ jobs: destination_container_repo: ${{ env.DOCKER_IMAGE_NAME }} provider: dockerhub short_description: ${{ env.DOCKER_IMAGE_DESCRIPTION }} - readme_file: 'README.md' - + readme_file: 'README_NONGITHUB.md' + + - name: github / commit & push + continue-on-error: true + if: steps.github-readme.outcome == 'success' && hashFiles('README.md') != '' + run: | + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git add README.md + if [ -f compose.yaml ]; then + git add compose.yaml + fi + if [ -f LICENSE ]; then + git add LICENSE + fi + git commit -m "github-actions[bot]: update README.md" + git push origin HEAD:master + + # REPOSITORY SETTINGS diff --git a/.github/workflows/readme.yml b/.github/workflows/readme.yml new file mode 100644 index 0000000..068edce --- /dev/null +++ b/.github/workflows/readme.yml @@ -0,0 +1,16 @@ +name: readme + +on: + workflow_dispatch: + +jobs: + readme: + runs-on: ubuntu-latest + steps: + - name: update README.md + uses: the-actions-org/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7 + with: + wait-for-completion: false + workflow: docker.yml + token: "${{ secrets.REPOSITORY_TOKEN }}" + inputs: '{ "build":"false", "release":"false", "readme":"true" }' \ No newline at end of file diff --git a/.github/workflows/tags.yml b/.github/workflows/tags.yml index 8d344aa..b7ed7bb 100644 --- a/.github/workflows/tags.yml +++ b/.github/workflows/tags.yml 
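Review bot: The re-added `github / commit & push` step now also stages `compose.yaml` and `LICENSE`, not just `README.md` as the removed version did, and pushes them to `master` with `contents: write`; those files come out of `11notes/action-docker-readme@v1`, which is referenced by a mutable tag while every other action in this patch is pinned to a commit SHA, so a change behind that tag can rewrite the example `compose.yaml` users copy from the repository. Pinning it to a SHA like the others keeps that write path to `master` under the repository's control. `git commit` also exits non-zero when nothing changed, which `continue-on-error: true` hides together with real failures; `git diff --cached --quiet || git commit -m "github-actions[bot]: update README.md"` keeps a no-op run green without masking errors. `git push origin HEAD:master` pushes whatever ref the job checked out onto master, so a dispatch from another branch would land that branch's README on master.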
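Review bot: The new `readme` workflow carries no comment saying what it does; the dispatched inputs turn build and release off, so a header such as `# manual trigger: runs docker.yml with build and release disabled so only README.md is regenerated and committed` above `on:` would save a reader a trip to docker.yml. With `wait-for-completion: false` this job reports success as soon as the dispatch is accepted, so a failed README run is only visible in docker.yml's own run history; that is worth stating next to the option.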
@@ -16,13 +16,26 @@ jobs: docker-unraid: runs-on: ubuntu-latest - steps: + steps: + - name: init / base64 nested json + uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298 + with: + script: | + const { Buffer } = require('node:buffer'); + const etc = { + semversuffix:"unraid", + uid:99, + gid:100, + }; + core.exportVariable('WORKFLOW_BASE64JSON', Buffer.from(JSON.stringify(etc)).toString('base64')); + - name: build docker image for unraid community uses: the-actions-org/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7 with: + wait-for-completion: false workflow: docker.yml token: "${{ secrets.REPOSITORY_TOKEN }}" - inputs: '{ "release":"false", "readme":"false", "uid":"99", "gid":"100", "semversuffix":"unraid", "run-name":"docker-unraid" }' + inputs: '{ "release":"false", "readme":"false", "run-name":"unraid", "etc":"${{ env.WORKFLOW_BASE64JSON }}" }' kms-gui: runs-on: ubuntu-latest @@ -41,6 +54,18 @@ jobs: runs-on: ubuntu-latest needs: docker-unraid steps: + - name: init / base64 nested json + uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298 + with: + script: | + const { Buffer } = require('node:buffer'); + const etc = { + semversuffix:"unraid", + uid:99, + gid:100, + }; + core.exportVariable('WORKFLOW_BASE64JSON', Buffer.from(JSON.stringify(etc)).toString('base64')); + - name: build downstream kms gui for unraid community uses: the-actions-org/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7 with: @@ -48,4 +73,4 @@ jobs: token: "${{ secrets.REPOSITORY_TOKEN }}" repo: 11notes/docker-kms-gui ref: master - inputs: '{ "release":"false", "readme":"false", "uid":"99", "gid":"100", "semversuffix":"unraid", "run-name":"docker-unraid" }' \ No newline at end of file + inputs: '{ "release":"false", "readme":"false", "run-name":"unraid", "etc":"${{ env.WORKFLOW_BASE64JSON }}" }' \ No newline at end of file diff --git a/.json b/.json index 8a2ad56..981dac9 100644 --- a/.json +++ b/.json 
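Review bot: The `init / base64 nested json` step and its `etc` object are duplicated verbatim in the `kms-gui` job further down this file (hunk `@@ -41,6 +54,18 @@`); if the two dispatches are meant to carry the same uid/gid/suffix, a single definition (for example a job output of `docker-unraid`, which `kms-gui` already lists under `needs`) keeps them from drifting apart. The reason for the base64 round-trip is not stated; a comment such as `# etc is base64-encoded so the nested object can be embedded in the inputs JSON string without quoting issues` (presumably the motivation, worth confirming) would make it clear. Note that `uid`/`gid` are now sent as numbers where the removed inputs line sent strings; docker.yml's `opt.input?.etc?.uid || 1000` accepts both.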
@@ -4,9 +4,7 @@ "root":"/kms", "semver":{ - "version":"465f4d1", - "stable":"465f4d1", - "latest":"465f4d1" + "version":"465f4d1" }, "readme":{ diff --git a/README.md b/README.md index 1027994..cadb340 100644 --- a/README.md +++ b/README.md @@ -135,4 +135,4 @@ slmgr /ato # ElevenNotes™️ This image is provided to you at your own risk. Always make backups before updating an image to a different version. Check the [releases](https://github.com/11notes/docker-kms/releases) for breaking changes. If you have any problems with using this image simply raise an [issue](https://github.com/11notes/docker-kms/issues), thanks. If you have a question or inputs please create a new [discussion](https://github.com/11notes/docker-kms/discussions) instead of an issue. You can find all my other repositories on [github](https://github.com/11notes?tab=repositories). -*created 7.3.2025, 12:11:30 (CET)* \ No newline at end of file +*created 7.3.2025, 12:03:55 (CET)* \ No newline at end of file diff --git a/arch.dockerfile b/arch.dockerfile index 879b796..a24fc72 100644 --- a/arch.dockerfile +++ b/arch.dockerfile @@ -22,6 +22,7 @@ ARG APP_ROOT ARG APP_UID ARG APP_GID + ARG APP_NO_CACHE # :: environment ENV APP_IMAGE=${APP_IMAGE} @@ -36,8 +37,8 @@ ENV KMS_LOGLEVEL="INFO" # :: multi-stage - COPY --from=util /usr/local/bin/ /usr/local/bin - COPY --from=build /git/py-kms/py-kms/ /opt/py-kms + COPY --from=util /usr/local/bin /usr/local/bin + COPY --from=build /git/py-kms/py-kms /opt/py-kms # :: Run USER root diff --git a/compose.yaml b/compose.yaml index caf43f3..0403341 100644 --- a/compose.yaml +++ b/compose.yaml @@ -1,8 +1,7 @@ name: "kms" services: - kms: + app: image: "11notes/kms:465f4d1" - container_name: "kms" environment: TZ: "Europe/Zurich" volumes: 
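Review bot: Removing the `stable` and `latest` keys from `semver` means the semver branch of docker.yml's tag setup (`if(opt.dot.semver?.stable && …)` and the matching `latest` line) no longer adds those tags to the image, so anyone pulling `11notes/kms:latest` or `:stable` keeps receiving the previously published image unless those tags are now produced elsewhere. If that is intended, say so in the README's release notes, since the change in published tags is otherwise invisible to users.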
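Review bot: `ARG APP_NO_CACHE` is declared but nothing in this hunk reads it, and a build arg only invalidates the layer cache at its first use, not at its declaration; unless a later instruction references `${APP_NO_CACHE}` (not visible here), passing `no_cache:new Date().getTime()` from docker.yml has no effect on caching. If it is consumed further down, a comment at the declaration such as `# cache-busting build arg: the workflow passes a timestamp so the steps that use it re-run` would explain the otherwise unused-looking ARG.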
@@ -10,19 +9,20 @@ services: ports: - "1688:1688/tcp" restart: "always" - kms-gui: - image: "11notes/kms-gui:stable" + + gui: + image: "11notes/kms-gui:465f4d1" depends_on: - kms: + app: condition: "service_healthy" restart: true - container_name: "kms-gui" environment: TZ: "Europe/Zurich" volumes: - "var:/kms/var" ports: - - "8080:8080/tcp" + - "3000:3000/tcp" restart: "always" + volumes: var: \ No newline at end of file