github-actions[bot]: update README.md

.dockerignore

@@ -1,5 +1,7 @@
+# default
 .git*
-*.md
-LICENSE
 maintain/
-project*
+LICENSE
+*.md
+img/
+node_modules/

.gitattributes

@@ -1,2 +1,3 @@
-# Auto detect text files and perform LF normalization
-* text=auto
+# default
+*                 text=auto
+*.sh              eol=lf

.github/workflows/cron.update.yml

@@ -0,0 +1,115 @@
+name: cron-update
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 5 * * *"
+
+jobs:
+  cron-update:
+    runs-on: ubuntu-latest
+
+    permissions:
+      actions: read
+      contents: write
+
+    steps:   
+      - name: init / checkout
+        uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
+        with:
+          ref: 'master'
+          fetch-depth: 0
+
+      - name: cron-update / get latest version
+        run: |
+          echo "LATEST_VERSION=$(curl -s https://api.github.com/repos/11notes/fork-py-kms/releases/latest | jq -r '.tag_name' | sed 's/v//')" >> "${GITHUB_ENV}"
+          echo "LATEST_TAG=$(git describe --abbrev=0 --tags `git rev-list --tags --max-count=1` | sed 's/v//')" >> "${GITHUB_ENV}"
+
+      - name: cron-update / setup node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: '20'
+      - run: npm i semver
+
+      - name: cron-update / compare latest with current version
+        uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
+        with:
+          script: |
+            const { existsSync, readFileSync, writeFileSync } = require('node:fs');
+            const { resolve } = require('node:path');
+            const { inspect } = require('node:util');
+            const semver = require('semver')
+            const repository = {dot:{}};
+
+            try{
+              const path = resolve('.json');
+              if(existsSync(path)){
+                try{
+                  repository.dot = JSON.parse(readFileSync(path).toString());
+                }catch(e){
+                  throw new Error('could not parse .json');
+                }
+              }else{
+                throw new Error('.json does not exist');
+              }
+            }catch(e){
+              core.setFailed(e);
+            }
+
+            const latest = semver.valid(semver.coerce('${{ env.LATEST_VERSION }}'));
+            const current = semver.valid(semver.coerce(repository.dot.semver.version));
+            const tag = semver.valid(semver.coerce('${{ env.LATEST_TAG }}'));
+
+            if(latest && latest !== current){
+              core.info(`new ${semver.diff(current, latest)} release found (${latest})!`)
+              repository.dot.semver.version = latest;
+              if(tag){
+                core.exportVariable('WORKFLOW_NEW_TAG', semver.inc(tag, semver.diff(current, latest)));
+              }
+
+              if(repository.dot.semver?.latest){
+                repository.dot.semver.latest = repository.dot.semver.version;
+              }
+
+              if(repository.dot?.readme?.comparison?.image){
+                repository.dot.readme.comparison.image = repository.dot.readme.comparison.image.replace(current, repository.dot.semver.version);
+              }
+
+              try{
+                writeFileSync(resolve('.json'), JSON.stringify(repository.dot, null, 2));
+                core.exportVariable('WORKFLOW_AUTO_UPDATE', true);
+              }catch(e){
+                core.setFailed(e);
+              }
+            }else{
+              core.info('no new release found');
+            }
+
+            core.info(inspect(repository.dot, {showHidden:false, depth:null, colors:true}));
+
+      - name: cron-update / checkout
+        id: checkout
+        if: env.WORKFLOW_AUTO_UPDATE == 'true'
+        run: |         
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add .json
+          git commit -m "[upgrade] ${{ env.LATEST_VERSION }}"
+          git push origin HEAD:master
+
+      - name: cron-update / tag
+        if: env.WORKFLOW_AUTO_UPDATE == 'true' && steps.checkout.outcome == 'success'
+        run: |         
+          SHA256=$(git rev-list --branches --max-count=1)
+          git tag -a v${{ env.WORKFLOW_NEW_TAG }} -m "v${{ env.WORKFLOW_NEW_TAG }}" ${SHA256}
+          git push --follow-tags
+
+      - name: cron-update / build docker image
+        if: env.WORKFLOW_AUTO_UPDATE == 'true' && steps.checkout.outcome == 'success'
+        uses: the-actions-org/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7
+        with:
+          workflow: docker.yml
+          wait-for-completion: false
+          token: "${{ secrets.REPOSITORY_TOKEN }}"
+          inputs: '{ "release":"true", "readme":"true" }'
+          ref: "v${{ env.WORKFLOW_NEW_TAG }}"

.github/workflows/cve.yml

@@ -0,0 +1,70 @@
+name: cve
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "30 15 */2 * *"
+
+jobs:
+  cve:
+    runs-on: ubuntu-latest
+    steps:
+      - name: init / checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          ref: ${{ github.ref_name }}
+          fetch-depth: 0
+
+      - name: init / setup environment
+        uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
+        with:
+          script: |
+            const { existsSync, readFileSync } = require('node:fs');
+            const { resolve } = require('node:path');
+            const { inspect } = require('node:util');
+            const { Buffer } = require('node:buffer');
+            const inputs = `${{ toJSON(github.event.inputs) }}`;
+            const opt = {input:{}, dot:{}};            
+
+            try{
+              if(inputs.length > 0){
+                opt.input = JSON.parse(inputs);
+                if(opt.input?.etc){
+                  opt.input.etc = JSON.parse(Buffer.from(opt.input.etc, 'base64').toString('ascii'));
+                }
+              }
+            }catch(e){
+              core.warning('could not parse github.event.inputs');
+            }
+
+            try{
+              const path = resolve('.json');
+              if(existsSync(path)){
+                try{
+                  opt.dot = JSON.parse(readFileSync(path).toString());
+                }catch(e){
+                  throw new Error('could not parse .json');
+                }
+              }else{
+                throw new Error('.json does not exist');
+              }
+            }catch(e){
+              core.setFailed(e);
+            }
+
+            core.info(inspect(opt, {showHidden:false, depth:null, colors:true}));
+
+            core.exportVariable('WORKFLOW_IMAGE', `${opt.dot.image}:${(opt.dot?.semver?.version === undefined) ? 'rolling' : opt.dot.semver.version}`);
+            core.exportVariable('WORKFLOW_GRYPE_SEVERITY_CUTOFF', (opt.dot?.grype?.severity || 'high'));
+
+
+      - name: grype / scan
+        id: grype
+        uses: anchore/scan-action@dc6246fcaf83ae86fcc6010b9824c30d7320729e
+        with:
+          image: ${{ env.WORKFLOW_IMAGE }}
+          fail-build: true
+          severity-cutoff: ${{ env.WORKFLOW_GRYPE_SEVERITY_CUTOFF }}
+          output-format: 'sarif'
+          by-cve: true
+          cache-db: true

.github/workflows/docker.yml

@@ -1,137 +1,431 @@
-name: create and publish docker image
+name: docker
+run-name: ${{ inputs.run-name }}
 
 on:
   workflow_dispatch:
-  push:
-    tags:
-      - 'v*'
+    inputs:
+      run-name:
+        description: 'set run-name for workflow (multiple calls)'
+        type: string
+        required: false
+        default: 'docker'
 
-env:
-  DOCKER_USERNAME: 11notes
+      runs-on:
+        description: 'set runs-on for workflow (github or selfhosted)'
+        type: string
+        required: false
+        default: 'ubuntu-22.04'
+
+
+      build:
+        description: 'set WORKFLOW_BUILD'
+        required: false
+        default: 'true'
+
+      release:
+        description: 'set WORKFLOW_GITHUB_RELEASE'
+        required: false
+        default: 'false'
+
+      readme:
+        description: 'set WORKFLOW_GITHUB_README'
+        required: false
+        default: 'false'
+        
+      etc:
+        description: 'base64 encoded json string'
+        required: false
 
 jobs:
-  build-and-push-image:
-    runs-on: ubuntu-latest
+  docker:
+    runs-on: ${{ inputs.runs-on }}
+    timeout-minutes: 1440
+
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+
     permissions:
+      actions: read
       contents: write
       packages: write
-      security-events: write
 
     steps:   
       - name: init / checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-
-      - name: init / .json to env
-        uses: rgarcia-phi/json-to-variables@9835d537368468c4e4de5254dc3efeadda183793
         with:
-          filename: '.json'
+          ref: ${{ github.ref_name }}
+          fetch-depth: 0
 
       - name: init / setup environment
-        run: |
-          : # set default arch if not set
-          echo "IMAGE_ARCH=${json_arch:-linux/amd64,linux/arm64}" >> $GITHUB_ENV
-
-          : # create tags for semver, stable and other shenanigans
-          export LOCAL_SHA=$(git rev-parse --short HEAD)
-          export LOCAL_SEMVER_MAJOR=$(awk -F. '{ print $1 }' <<< ${json_version})
-          export LOCAL_SEMVER_MINOR=$(awk -F. '{ print $2 }' <<< ${json_version})
-          export LOCAL_SEMVER_PATCH=$(awk -F. '{ print $3 }' <<< ${json_version})
-          export LOCAL_TAGS="${json_image}:latest"
-          if [ ! -z ${LOCAL_SEMVER_MAJOR} ]; then LOCAL_TAGS="${LOCAL_TAGS},${json_image}:${LOCAL_SEMVER_MAJOR}"; fi
-          if [ ! -z ${LOCAL_SEMVER_MINOR} ]; then LOCAL_TAGS="${LOCAL_TAGS},${json_image}:${LOCAL_SEMVER_MAJOR}.${LOCAL_SEMVER_MINOR}"; fi
-          if [ ! -z ${LOCAL_SEMVER_PATCH} ]; then LOCAL_TAGS="${LOCAL_TAGS},${json_image}:${LOCAL_SEMVER_MAJOR}.${LOCAL_SEMVER_MINOR}.${LOCAL_SEMVER_PATCH}"; fi
-          if echo "${LOCAL_TAGS}" | grep -q "${json_stable}" ; then LOCAL_TAGS="${LOCAL_TAGS},${json_image}:stable"; fi
-          if [ ! -z ${json_tags} ]; then SPECIAL_LOCAL_TAGS=$(echo ${json_tags} | sed 's/,/ /g'); for LOCAL_TAG in ${json_tags}; do LOCAL_TAGS="${LOCAL_TAGS},${json_image}:${LOCAL_TAG}"; done; fi
-          LOCAL_TAGS="${LOCAL_TAGS},${json_image}:${LOCAL_SHA}"
-          echo "IMAGE_TAGS=${LOCAL_TAGS}" >> $GITHUB_ENV
-
-          : # if for whatever reason UID/GID must be changed at build time
-          echo "IMAGE_UID=${json_uid:-1000}" >> $GITHUB_ENV
-          echo "IMAGE_GID=${json_gid:-1000}" >> $GITHUB_ENV
-
-      - name: docker / login to hub
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
+        uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
         with:
-          username: ${{ env.DOCKER_USERNAME }}
+          script: |
+            const { existsSync, readFileSync } = require('node:fs');
+            const { resolve } = require('node:path');
+            const { inspect } = require('node:util');
+            const { Buffer } = require('node:buffer');
+            const inputs = `${{ toJSON(github.event.inputs) }}`;
+            const opt = {input:{}, dot:{}};            
+
+            try{
+              if(inputs.length > 0){
+                opt.input = JSON.parse(inputs);
+                if(opt.input?.etc){
+                  opt.input.etc = JSON.parse(Buffer.from(opt.input.etc, 'base64').toString('ascii'));
+                }
+              }
+            }catch(e){
+              core.warning('could not parse github.event.inputs');
+            }
+
+            try{
+              const path = resolve('.json');
+              if(existsSync(path)){
+                try{
+                  opt.dot = JSON.parse(readFileSync(path).toString());
+                }catch(e){
+                  throw new Error('could not parse .json');
+                }
+              }else{
+                throw new Error('.json does not exist');
+              }
+            }catch(e){
+              core.setFailed(e);
+            }
+
+            core.info(inspect(opt, {showHidden:false, depth:null, colors:true}));
+
+            const docker = {
+              image:{
+                name:opt.dot.image,
+                arch:(opt.dot.arch || 'linux/amd64,linux/arm64'),
+                prefix:((opt.input?.etc?.semverprefix) ? `${opt.input?.etc?.semverprefix}-` : ''),
+                suffix:((opt.input?.etc?.semversuffix) ? `-${opt.input?.etc?.semversuffix}` : ''),
+                description:(opt.dot?.readme?.description || ''),
+                tags:[],
+              },
+              app:{
+                image:opt.dot.image,
+                name:opt.dot.name,
+                version:(opt.input?.etc?.version || opt.dot?.semver?.version),
+                root:opt.dot.root,
+                UID:(opt.input?.etc?.uid || 1000),
+                GID:(opt.input?.etc?.gid || 1000),
+                no_cache:new Date().getTime(),
+              },
+              cache:{
+                registry:'localhost:5000/',
+              },
+              tags:[],
+            };
+
+            docker.cache.name = `${docker.image.name}:${docker.image.prefix}buildcache${docker.image.suffix}`;
+            docker.cache.grype = `${docker.cache.registry}${docker.image.name}:${docker.image.prefix}grype${docker.image.suffix}`;
+            docker.app.prefix = docker.image.prefix;
+            docker.app.suffix = docker.image.suffix;
+
+            // setup tags
+              if(!opt.dot?.semver?.disable?.rolling){
+                docker.image.tags.push('rolling');
+              }
+              if(opt.input?.etc?.dockerfile !== 'arch.dockerfile' && opt.input?.etc?.tag){
+                docker.image.tags.push(`${context.sha.substring(0,7)}`);
+                docker.image.tags.push(opt.input.etc.tag);
+                docker.image.tags.push(`${opt.input.etc.tag}-${docker.app.version}`);
+                docker.cache.name = `${docker.image.name}:buildcache-${opt.input.etc.tag}`;
+              }else if(docker.app.version !== 'latest'){
+                const semver = docker.app.version.split('.');
+                docker.image.tags.push(`${context.sha.substring(0,7)}`);
+                if(Array.isArray(semver)){
+                  if(semver.length >= 1) docker.image.tags.push(`${semver[0]}`);
+                  if(semver.length >= 2) docker.image.tags.push(`${semver[0]}.${semver[1]}`);
+                  if(semver.length >= 3) docker.image.tags.push(`${semver[0]}.${semver[1]}.${semver[2]}`);
+                }
+                if(opt.dot?.semver?.stable && new RegExp(opt.dot?.semver.stable, 'ig').test(docker.image.tags.join(','))) docker.image.tags.push('stable');
+                if(opt.dot?.semver?.latest && new RegExp(opt.dot?.semver.latest, 'ig').test(docker.image.tags.join(','))) docker.image.tags.push('latest');
+              }else{
+                docker.image.tags.push('latest');
+              }
+
+              for(const tag of docker.image.tags){
+                docker.tags.push(`${docker.image.name}:${docker.image.prefix}${tag}${docker.image.suffix}`);
+                docker.tags.push(`ghcr.io/${docker.image.name}:${docker.image.prefix}${tag}${docker.image.suffix}`);
+                docker.tags.push(`quay.io/${docker.image.name}:${docker.image.prefix}${tag}${docker.image.suffix}`);
+              }
+
+            // setup build arguments
+              if(opt.input?.etc?.build?.args){
+                for(const arg in opt.input.etc.build.args){
+                  docker.app[arg] = opt.input.etc.build.args[arg];
+                }
+              }
+              if(opt.dot?.build?.args){
+                for(const arg in opt.dot.build.args){
+                  docker.app[arg] = opt.dot.build.args[arg];
+                }
+              }
+              const arguments = [];
+              for(const argument in docker.app){
+                arguments.push(`APP_${argument.toUpperCase()}=${docker.app[argument]}`);
+              }
+
+            // export to environment
+              core.exportVariable('DOCKER_CACHE_REGISTRY', docker.cache.registry);
+              core.exportVariable('DOCKER_CACHE_NAME', docker.cache.name);
+              core.exportVariable('DOCKER_CACHE_GRYPE', docker.cache.grype);
+
+              core.exportVariable('DOCKER_IMAGE_NAME', docker.image.name);
+              core.exportVariable('DOCKER_IMAGE_ARCH', docker.image.arch);
+              core.exportVariable('DOCKER_IMAGE_TAGS', docker.tags.join(','));
+              core.exportVariable('DOCKER_IMAGE_DESCRIPTION', docker.image.description);
+              core.exportVariable('DOCKER_IMAGE_ARGUMENTS', arguments.join("\r\n"));
+              core.exportVariable('DOCKER_IMAGE_DOCKERFILE', opt.input?.etc?.dockerfile || 'arch.dockerfile');
+
+              core.exportVariable('WORKFLOW_BUILD', (opt.input?.build === undefined) ? false : opt.input.build);
+              core.exportVariable('WORKFLOW_CREATE_RELEASE', (opt.input?.release === undefined) ? false : opt.input.release);
+              core.exportVariable('WORKFLOW_CREATE_README', (opt.input?.readme === undefined) ? false : opt.input.readme);
+              core.exportVariable('WORKFLOW_GRYPE_FAIL_ON_SEVERITY', (opt.dot?.grype?.fail === undefined) ? true : opt.dot.grype.fail);
+              core.exportVariable('WORKFLOW_GRYPE_SEVERITY_CUTOFF', (opt.dot?.grype?.severity || 'high'));
+              if(opt.dot?.readme?.comparison){
+                core.exportVariable('WORKFLOW_CREATE_COMPARISON', true);
+                core.exportVariable('WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE', opt.dot.readme.comparison.image);
+                core.exportVariable('WORKFLOW_CREATE_COMPARISON_IMAGE', `${docker.image.name}:${docker.app.version}`);
+              }
+
+
+
+      # DOCKER    
+      - name: docker / login to hub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+        with:
+          username: 11notes
           password: ${{ secrets.DOCKER_TOKEN }}
 
+      - name: github / login to ghcr
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+        with:
+          registry: ghcr.io
+          username: 11notes
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: quay / login to quay
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+        with:
+          registry: quay.io
+          username: 11notes+github
+          password: ${{ secrets.QUAY_TOKEN }}
+
       - name: docker / setup qemu
+        if: env.WORKFLOW_BUILD == 'true'
         uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a
 
       - name: docker / setup buildx
+        if: env.WORKFLOW_BUILD == 'true'
         uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
+        with:
+          driver-opts: network=host
 
-      - name: grype / build & push
+      - name: docker / build image locally
+        if: env.WORKFLOW_BUILD == 'true'
+        id: docker-build
         uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d
         with:
           context: .
-          file: arch.dockerfile
+          file: ${{ env.DOCKER_IMAGE_DOCKERFILE }}
           push: true
-          platforms: ${{ env.IMAGE_ARCH }}
-          cache-from: type=registry,ref=${{ env.json_image }}:buildcache
-          cache-to: type=registry,ref=${{ env.json_image }}:buildcache,mode=max,compression=zstd,force-compression=true
+          platforms: ${{ env.DOCKER_IMAGE_ARCH }}
+          cache-from: type=registry,ref=${{ env.DOCKER_CACHE_NAME }}
+          cache-to: type=registry,ref=${{ env.DOCKER_CACHE_REGISTRY }}${{ env.DOCKER_CACHE_NAME }},mode=max,compression=zstd,force-compression=true
           build-args: |
-            APP_IMAGE=${{ env.json_image }}
-            APP_NAME=${{ env.json_name }}
-            APP_VERSION=${{ env.json_version }}
-            APP_ROOT=${{ env.json_root }}
-            APP_UID=${{ env.IMAGE_UID }}
-            APP_GID=${{ env.IMAGE_GID }}
-            NO_CACHE=$(date +%s)
+            ${{ env.DOCKER_IMAGE_ARGUMENTS }}
           tags: |
-            ${{ env.json_image }}:grype
+            ${{ env.DOCKER_CACHE_GRYPE }}
 
       - name: grype / scan
-        id: scan
-        uses: anchore/scan-action@abae793926ec39a78ab18002bc7fc45bbbd94342
+        if: env.WORKFLOW_BUILD == 'true'
+        id: grype
+        uses: anchore/scan-action@dc6246fcaf83ae86fcc6010b9824c30d7320729e
         with:
-          image: ${{ env.json_image }}:grype
-          severity-cutoff: high
+          image: ${{ env.DOCKER_CACHE_GRYPE }}
+          fail-build: ${{ env.WORKFLOW_GRYPE_FAIL_ON_SEVERITY }}
+          severity-cutoff: ${{ env.WORKFLOW_GRYPE_SEVERITY_CUTOFF }}
+          output-format: 'sarif'
+          by-cve: true
+          cache-db: true
 
-      - name: grype / delete tag
-        if: success() || failure()
-        run: |
-          curl --request DELETE \
-            --url https://hub.docker.com/v2/repositories/${{ env.json_image }}/tags/grype/ \
-            --header 'authorization: jwt ${{ secrets.DOCKER_TOKEN }}' \
-            --header 'content-type: application/json' \
-            --fail
-
-      - name: grype / report / upload
-        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169
+      - name: grype / fail
+        if: env.WORKFLOW_BUILD == 'true' && (failure() || steps.grype.outcome == 'failure') && steps.docker-build.outcome == 'success'
+        uses: anchore/scan-action@dc6246fcaf83ae86fcc6010b9824c30d7320729e
         with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
+          image: ${{ env.DOCKER_CACHE_GRYPE }}
+          fail-build: false
+          severity-cutoff: ${{ env.WORKFLOW_GRYPE_SEVERITY_CUTOFF }}
+          output-format: 'table'
+          by-cve: true
+          cache-db: true
 
-      - name: grype / report / print
-        run: cat ${{ steps.scan.outputs.sarif }}
-
-      - name: docker / build & push
+      - name: docker / build image from cache and push to registries
+        if: env.WORKFLOW_BUILD == 'true'
         uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d
         with:
           context: .
-          file: arch.dockerfile
+          file: ${{ env.DOCKER_IMAGE_DOCKERFILE }}
           push: true
           sbom: true
           provenance: mode=max
-          platforms: ${{ env.IMAGE_ARCH }}
-          cache-from: type=registry,ref=${{ env.json_image }}:buildcache
-          cache-to: type=registry,ref=${{ env.json_image }}:buildcache,mode=max,compression=zstd,force-compression=true
+          platforms: ${{ env.DOCKER_IMAGE_ARCH }}
+          cache-from: type=registry,ref=${{ env.DOCKER_CACHE_REGISTRY }}${{ env.DOCKER_CACHE_NAME }}
+          cache-to: type=registry,ref=${{ env.DOCKER_CACHE_NAME }},mode=max,compression=zstd,force-compression=true
           build-args: |
-            APP_IMAGE=${{ env.json_image }}
-            APP_NAME=${{ env.json_name }}
-            APP_VERSION=${{ env.json_version }}
-            APP_ROOT=${{ env.json_root }}
-            APP_UID=${{ env.IMAGE_UID }}
-            APP_GID=${{ env.IMAGE_GID }}
-            NO_CACHE=$(date +%s)
+            ${{ env.DOCKER_IMAGE_ARGUMENTS }}
           tags: |
-            ${{ env.IMAGE_TAGS }}
+            ${{ env.DOCKER_IMAGE_TAGS }}
 
-      - name: github / create release notes
+
+
+      # RELEASE      
+      - name: github / release / log
+        continue-on-error: true
+        id: git-log
+        run: |
+          LOCAL_LAST_TAG=$(git describe --abbrev=0 --tags `git rev-list --tags --skip=1 --max-count=1`)
+          echo "using last tag: ${LOCAL_LAST_TAG}"
+          LOCAL_COMMITS=$(git log ${LOCAL_LAST_TAG}..HEAD --oneline)
+
+          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
+          echo "commits<<${EOF}" >> ${GITHUB_OUTPUT}
+          echo "${LOCAL_COMMITS}" >> ${GITHUB_OUTPUT}
+          echo "${EOF}" >> ${GITHUB_OUTPUT}
+
+      - name: github / release / markdown
+        if: env.WORKFLOW_CREATE_RELEASE == 'true'  && steps.git-log.outcome == 'success'
+        id: git-release
+        uses: 11notes/action-docker-release@v1
+        # WHY IS THIS ACTION NOT SHA256 PINNED? SECURITY MUCH?!?!?!
+        # ---------------------------------------------------------------------------------
+        # the next step "github / release / create" creates a new release based on the code
+        # in the repo. This code is not modified and can't be modified by this action.
+        # It does create the markdown for the release, which could be abused, but to what
+        # extend? Adding a link to a malicious repo?
+        with:
+          git_log: ${{ steps.git-log.outputs.commits }}
+
+      - name: github / release / create
+        if: env.WORKFLOW_CREATE_RELEASE == 'true' && steps.git-release.outcome == 'success'
+        uses: actions/create-release@4c11c9fe1dcd9636620a16455165783b20fc7ea0
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: gh release create ${{ github.ref_name }} -F RELEASE.md
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: ${{ github.ref }}
+          body: ${{ steps.git-release.outputs.release }}
+          draft: false
+          prerelease: false
 
+
+
+
+      # LICENSE
+      - name: license / update year
+        continue-on-error: true
+        uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
+        with:
+          script: |
+            const { existsSync, readFileSync, writeFileSync } = require('node:fs');
+            const { resolve } = require('node:path');
+            const file = 'LICENSE';
+            const year = new Date().getFullYear();
+            try{
+              const path = resolve(file);
+              if(existsSync(path)){
+                let license = readFileSync(file).toString();
+                if(!new RegExp(`Copyright \\(c\\) ${year} 11notes`, 'i').test(license)){
+                  license = license.replace(/Copyright \(c\) \d{4} /i, `Copyright (c) ${new Date().getFullYear()} `);
+                  writeFileSync(path, license);
+                }
+              }else{
+                throw new Error(`file ${file} does not exist`);
+              }
+            }catch(e){
+              core.setFailed(e);
+            }
+
+
+
+
+      # README
+      - name: github / checkout HEAD
+        continue-on-error: true
+        run: |     
+          git checkout HEAD
+
+      - name: docker / setup comparison images
+        if: env.WORKFLOW_CREATE_COMPARISON == 'true'
+        continue-on-error: true
+        run: |    
+          docker image pull ${{ env.WORKFLOW_CREATE_COMPARISON_IMAGE }}
+          docker image ls --filter "reference=${{ env.WORKFLOW_CREATE_COMPARISON_IMAGE }}" --format json | jq --raw-output '.Size' &> ./comparison.size0.log
+
+          docker image pull ${{ env.WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE }}
+          docker image ls --filter "reference=${{ env.WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE }}" --format json | jq --raw-output '.Size' &> ./comparison.size1.log
+          
+          docker run --entrypoint "/bin/sh" --rm ${{ env.WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE }} -c id &> ./comparison.id.log
+
+      - name: github / create README.md
+        id: github-readme
+        continue-on-error: true
+        if: env.WORKFLOW_CREATE_README == 'true'
+        uses: 11notes/action-docker-readme@v1
+        # WHY IS THIS ACTION NOT SHA256 PINNED? SECURITY MUCH?!?!?!
+        # ---------------------------------------------------------------------------------
+        # the next step "github / commit & push" only adds the README and LICENSE as well as 
+        # compose.yaml to the repository. This does not pose a security risk if this action
+        # would be compromised. The code of the app can't be changed by this action. Since
+        # only the files mentioned are commited to the repo. Sure, someone could make a bad
+        # compose.yaml, but since this serves only as an example I see no harm in that.
+        with:
+          sarif_file: ${{ steps.grype.outputs.sarif }}
+          build_output_metadata: ${{ steps.docker-build.outputs.metadata }}
+
+      - name: docker / push README.md to docker hub
+        continue-on-error: true
+        if: steps.github-readme.outcome == 'success' && hashFiles('README_NONGITHUB.md') != ''
+        uses: christian-korneck/update-container-description-action@d36005551adeaba9698d8d67a296bd16fa91f8e8
+        env:
+          DOCKER_USER: 11notes
+          DOCKER_PASS: ${{ secrets.DOCKER_TOKEN }}
+        with:
+          destination_container_repo: ${{ env.DOCKER_IMAGE_NAME }}
+          provider: dockerhub
+          short_description: ${{ env.DOCKER_IMAGE_DESCRIPTION }}
+          readme_file: 'README_NONGITHUB.md'
+
+      - name: github / commit & push
+        continue-on-error: true
+        if: steps.github-readme.outcome == 'success' && hashFiles('README.md') != ''
+        run: |         
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add README.md
+          if [ -f compose.yaml ]; then
+            git add compose.yaml
+          fi
+          if [ -f compose.yml ]; then
+            git add compose.yml
+          fi
+          if [ -f LICENSE ]; then
+            git add LICENSE
+          fi
+          git commit -m "github-actions[bot]: update README.md"
+          git push origin HEAD:master
+
+
+
+
+      # REPOSITORY SETTINGS
       - name: github / update description and set repo defaults
         run: |
           curl --request PATCH \
@@ -139,22 +433,11 @@ jobs:
             --header 'authorization: Bearer ${{ secrets.REPOSITORY_TOKEN }}' \
             --header 'content-type: application/json' \
             --data '{
-              "description":"${{ env.json_description }}",
+              "description":"${{ env.DOCKER_IMAGE_DESCRIPTION }}",
               "homepage":"",
               "has_issues":true,
               "has_discussions":true,
               "has_projects":false,
               "has_wiki":false
             }' \
-            --fail
-
-      - name: docker / push README.md to docker hub
-        uses: christian-korneck/update-container-description-action@d36005551adeaba9698d8d67a296bd16fa91f8e8
-        env:
-          DOCKER_USER: ${{ env.DOCKER_USERNAME }}
-          DOCKER_PASS: ${{ secrets.DOCKER_TOKEN }}
-        with:
-          destination_container_repo: ${{ env.json_image }}
-          provider: dockerhub
-          short_description: ${{ env.json_description }}
-          readme_file: 'README.md'
+            --fail

.github/workflows/readme.yml

@@ -0,0 +1,16 @@
+name: readme
+
+on:
+  workflow_dispatch:
+
+jobs:
+  readme:
+    runs-on: ubuntu-latest
+    steps:
+      - name: update README.md
+        uses: the-actions-org/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7
+        with:
+          wait-for-completion: false
+          workflow: docker.yml
+          token: "${{ secrets.REPOSITORY_TOKEN }}"
+          inputs: '{ "build":"false", "release":"false", "readme":"true" }'

.github/workflows/tags.yml

@@ -0,0 +1,102 @@
+name: tags
+on:
+  push:
+    tags:
+      - 'v*'
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:   
+      - name: build docker image
+        uses: the-actions-org/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7
+        with:
+          workflow: docker.yml
+          token: "${{ secrets.REPOSITORY_TOKEN }}"
+          inputs: '{ "release":"true", "readme":"true" }'
+
+  docker-unraid:
+    runs-on: ubuntu-latest
+    steps:  
+      - name: init / base64 nested json
+        uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
+        with:
+          script: |
+            const { Buffer } = require('node:buffer');
+            const etc = {
+              semversuffix:"unraid",
+              uid:99,
+              gid:100,
+            };
+            core.exportVariable('WORKFLOW_BASE64JSON', Buffer.from(JSON.stringify(etc)).toString('base64'));
+            
+      - name: build docker image for unraid community
+        uses: the-actions-org/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7
+        with:
+          workflow: docker.yml
+          token: "${{ secrets.REPOSITORY_TOKEN }}"
+          inputs: '{ "release":"false", "readme":"false", "run-name":"unraid", "etc":"${{ env.WORKFLOW_BASE64JSON }}" }'
+
+  kms-gui:
+    runs-on: ubuntu-latest
+    needs: docker
+    steps:   
+      - name: init / base64 nested json
+        uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
+        with:
+          script: |
+            const { Buffer } = require('node:buffer');
+            (async()=>{
+              try{
+                const master = await fetch('https://raw.githubusercontent.com/11notes/docker-kms/refs/heads/master/.json');
+                const dot = await master.json();
+                const etc = {
+                  version:dot.semver.version,
+                };
+                core.exportVariable('WORKFLOW_BASE64JSON', Buffer.from(JSON.stringify(etc)).toString('base64'));
+              }catch(e){
+                core.setFailed(`workflow failed: ${e}`);
+              }
+            })();
+
+      - name: build downstream kms gui
+        uses: the-actions-org/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7
+        with:
+          workflow: docker.yml
+          token: "${{ secrets.REPOSITORY_TOKEN }}"
+          repo: 11notes/docker-kms-gui
+          ref: master
+          inputs: '{ "release":"false", "readme":"true", "etc":"${{ env.WORKFLOW_BASE64JSON }}" }'
+
+  kms-gui-unraid:
+    runs-on: ubuntu-latest
+    needs: docker-unraid
+    steps:   
+      - name: init / base64 nested json
+        uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
+        with:
+          script: |
+            const { Buffer } = require('node:buffer');
+            (async()=>{
+              try{
+                const master = await fetch('https://raw.githubusercontent.com/11notes/docker-kms/refs/heads/master/.json');
+                const dot = await master.json();
+                const etc = {
+                  version:dot.semver.version,
+                  semversuffix:"unraid",
+                  uid:99,
+                  gid:100,
+                };
+                core.exportVariable('WORKFLOW_BASE64JSON', Buffer.from(JSON.stringify(etc)).toString('base64'));
+              }catch(e){
+                core.setFailed(`workflow failed: ${e}`);
+              }
+            })();
+
+      - name: build downstream kms gui for unraid community
+        uses: the-actions-org/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7
+        with:
+          workflow: docker.yml
+          token: "${{ secrets.REPOSITORY_TOKEN }}"
+          repo: 11notes/docker-kms-gui
+          ref: master
+          inputs: '{ "release":"false", "readme":"false", "run-name":"unraid", "etc":"${{ env.WORKFLOW_BASE64JSON }}" }'

.gitignore

@@ -1,2 +1,3 @@
+# default
 maintain/
-project*
+node_modules/

.json

@@ -1,10 +1,18 @@
 {
-  "image":"11notes/kms",
-  "description":"Activate any version of Windows and Office, forever",
-  "name":"kms",
-  "version":"646f476",
-  "root":"/kms",
-  
-  "stable":"646f476",
-  "parent":"11notes/alpine:stable"
+  "image": "11notes/kms",
+  "name": "kms",
+  "root": "/kms",
+  "arch": "linux/amd64,linux/arm64,linux/arm/v7",
+  "semver": {
+    "version": "1.0.3"
+  },
+  "readme": {
+    "description": "Activate any version of Windows and Office, forever",
+    "parent": {
+      "image": "11notes/python:3.13"
+    },
+    "built": {
+      "11notes/py-kms": "https://github.com/11notes/fork-py-kms"
+    }
+  }
 }

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2020 11notes
+Copyright (c) 2025 11notes
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,14 +1,16 @@
-![Banner](https://github.com/11notes/defaults/blob/main/static/img/banner.png?raw=true)
+![banner](https://github.com/11notes/defaults/blob/main/static/img/banner.png?raw=true)
 
-# 🏔️ kms on Alpine
-[<img src="https://img.shields.io/badge/github-source-blue?logo=github&color=040308">](https://github.com/11notes/docker-kms)![size](https://img.shields.io/docker/image-size/11notes/kms/646f476?color=0eb305)![version](https://img.shields.io/docker/v/11notes/kms/646f476?color=eb7a09)![pulls](https://img.shields.io/docker/pulls/11notes/kms?color=2b75d6)[<img src="https://img.shields.io/github/issues/11notes/docker-kms?color=7842f5">](https://github.com/11notes/docker-kms/issues)
+# KMS
+![size](https://img.shields.io/docker/image-size/11notes/kms/1.0.3?color=0eb305)![5px](https://github.com/11notes/defaults/blob/main/static/img/transparent5x2px.png?raw=true)![version](https://img.shields.io/docker/v/11notes/kms/1.0.3?color=eb7a09)![5px](https://github.com/11notes/defaults/blob/main/static/img/transparent5x2px.png?raw=true)![pulls](https://img.shields.io/docker/pulls/11notes/kms?color=2b75d6)![5px](https://github.com/11notes/defaults/blob/main/static/img/transparent5x2px.png?raw=true)[<img src="https://img.shields.io/github/issues/11notes/docker-KMS?color=7842f5">](https://github.com/11notes/docker-KMS/issues)![5px](https://github.com/11notes/defaults/blob/main/static/img/transparent5x2px.png?raw=true)![swiss_made](https://img.shields.io/badge/Swiss_Made-FFFFFF?labelColor=FF0000&logo=data:image/svg%2bxml;base64,PHN2ZyB2ZXJzaW9uPSIxIiB3aWR0aD0iNTEyIiBoZWlnaHQ9IjUxMiIgdmlld0JveD0iMCAwIDMyIDMyIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxyZWN0IHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0idHJhbnNwYXJlbnQiLz4KICA8cGF0aCBkPSJtMTMgNmg2djdoN3Y2aC03djdoLTZ2LTdoLTd2LTZoN3oiIGZpbGw9IiNmZmYiLz4KPC9zdmc+)
 
-**Activate any version of Windows and Office, forever**
+Activate any version of Windows and Office, forever
 
-![slmgr](https://github.com/11notes/docker-kms/blob/main/slmgr.png?raw=true)
+![Windows Server 2025](https://github.com/11notes/docker-KMS/blob/master/img/WindowsSRV2025.png?raw=true)
+
+![Web GUI](https://github.com/11notes/docker-KMS/blob/master/img/webGUICustomIcon.png?raw=true)
 
 # SYNOPSIS 📖
-**What can I do with this?** This image will run a KMS server you can use to activate any version of Windows and Office, forever. If you need a GUI, simply add [11notes/kms-gui](https://github.com/11notes/docker-kms-gui) to your compose.
+**What can I do with this?** This image will run a KMS server you can use to activate any version of Windows and Office, forever.
 
 Works with:
 - Windows Vista 
@@ -39,39 +41,44 @@ Works with:
 ```yaml
 name: "kms"
 services:
-  kms:
-    image: "11notes/kms:646f476"
-    container_name: "kms"
+  app:
+    image: "11notes/kms:1.0.3"
     environment:
       TZ: "Europe/Zurich"
     volumes:
       - "var:/kms/var"
     ports:
       - "1688:1688/tcp"
-    restart: always
-  kms-gui:
-    image: "11notes/kms-gui:latest"
-    container_name: "kms-gui"
+    restart: "always"
+
+  gui:
+    image: "11notes/kms:1.0.3"
+    depends_on:
+      app:
+        condition: "service_healthy"
+        restart: true
     environment:
       TZ: "Europe/Zurich"
     volumes:
       - "var:/kms/var"
     ports:
-      - "8080:8080/tcp"
-    restart: always
+      - "3000:3000/tcp"
+    restart: "always"
+
 volumes:
   var:
 ```
 
-
+# EXAMPLE
 ## Windows Server 2025 Datacenter. List of [GVLK](https://learn.microsoft.com/en-us/windows-server/get-started/kms-client-activation-keys)
 ```cmd
 slmgr /ipk D764K-2NDRG-47T6Q-P8T8W-YP6DF
 ```
-Add your KMS server information to server
+Add your KMS server information to server via registry
 ```powershell
 Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" -Name "KeyManagementServiceName" -Value "KMS_IP"
 Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" -Name "KeyManagementServicePort" -Value "KMS_PORT"
+
 Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" -Name "KeyManagementServiceName" -Value "KMS_IP"
 Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" -Name "KeyManagementServicePort" -Value "KMS_PORT"
 ```
@@ -93,29 +100,51 @@ slmgr /ato
 | Parameter | Value | Default |
 | --- | --- | --- |
 | `TZ` | [Time Zone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) | |
-| `DEBUG` | Show debug messages from image **not** app | |
-| `KMS_IP` | localhost or 127.0.0.1 or a dedicated IP | 0.0.0.0 |
-| `KMS_PORT` | any port > 1024 | 1688 |
+| `DEBUG` | Will activate debug option for container image and app (if available) | |
 | `KMS_LOCALE` | see Microsoft LICD specification | 1033 (en-US) |
-| `KMS_CLIENTCOUNT` | client count >= 25 | 25 |
 | `KMS_ACTIVATIONINTERVAL` | Retry unsuccessful after N minutes | 120 (2 hours) |
 | `KMS_RENEWALINTERVAL` | re-activation after N minutes | 259200 (180 days) |
-| `KMS_LOGLEVEL` | CRITICAL, ERROR, WARNING, INFO, DEBUG, MININFO | INFO |
+
+# MAIN TAGS 🏷️
+These are the main tags for the image. There is also a tag for each commit and its shorthand sha256 value.
+
+* [1.0.3](https://hub.docker.com/r/11notes/kms/tags?name=1.0.3)
+* [1.0.3-unraid](https://hub.docker.com/r/11notes/kms/tags?name=1.0.3-unraid)
+
+### There is no latest tag, what am I supposed to do about updates?
+It is of my opinion that the ```:latest``` tag is dangerous. Many times, I’ve introduced **breaking** changes to my images. This would have messed up everything for some people. If you don’t want to change the tag to the latest [semver](https://semver.org/), simply use the short versions of [semver](https://semver.org/). Instead of using ```:1.0.3``` you can use ```:1``` or ```:1.0```. Since on each new version these tags are updated to the latest version of the software, using them is identical to using ```:latest``` but at least fixed to a major or minor version.
+
+If you still insist on having the bleeding edge release of this app, simply use the ```:rolling``` tag, but be warned! You will get the latest version of the app instantly, regardless of breaking changes or security issues or what so ever. You do this at your own risk!
+
+# REGISTRIES ☁️
+```
+docker pull 11notes/kms:1.0.3
+docker pull ghcr.io/11notes/kms:1.0.3
+docker pull quay.io/11notes/kms:1.0.3
+```
+
+# UNRAID VERSION 🟠
+This image supports unraid by default. Simply add **-unraid** to any tag and the image will run as 99:100 instead of 1000:1000 causing no issues on unraid. Enjoy.
 
 # SOURCE 💾
-* [11notes/kms](https://github.com/11notes/docker-kms)
+* [11notes/kms](https://github.com/11notes/docker-KMS)
 
 # PARENT IMAGE 🏛️
-* [11notes/alpine:stable](https://hub.docker.com/r/11notes/alpine)
+* [11notes/python:3.13](${{ json_readme_parent_url }})
 
 # BUILT WITH 🧰
-* [py-kms](https://github.com/Py-KMS-Organization/py-kms)
-* [alpine](https://alpinelinux.org)
+* [11notes/py-kms](https://github.com/11notes/fork-py-kms)
+* [11notes/util](https://github.com/11notes/docker-util)
 
-# TIPS 📌
-* Use a reverse proxy like Traefik, Nginx, HAproxy to terminate TLS with a valid certificate
-* Use Let’s Encrypt certificates to protect your SSL endpoints
+# GENERAL TIPS 📌
+> [!TIP]
+>* Use a reverse proxy like Traefik, Nginx, HAproxy to terminate TLS and to protect your endpoints
+>* Use Let’s Encrypt DNS-01 challenge to obtain valid SSL certificates for your services
+* Do not expose this image to WAN! You will get notified from Microsoft via your ISP to terminate the service if you do so
 * [Microsoft LICD](https://learn.microsoft.com/en-us/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a)
-  
+* Use [11notes/kms-gui](https://github.com/11notes/docker-kms-gui) if you want to see the clients you activated in a nice web GUI
+
 # ElevenNotes™️
-This image is provided to you at your own risk. Always make backups before updating an image to a different version. Check the [releases](https://github.com/11notes/docker-kms/releases) for breaking changes. If you have any problems with using this image simply raise an [issue](https://github.com/11notes/docker-kms/issues), thanks . You can find all my repositories on [github](https://github.com/11notes?tab=repositories).
+This image is provided to you at your own risk. Always make backups before updating an image to a different version. Check the [releases](https://github.com/11notes/docker-kms/releases) for breaking changes. If you have any problems with using this image simply raise an [issue](https://github.com/11notes/docker-kms/issues), thanks. If you have a question or inputs please create a new [discussion](https://github.com/11notes/docker-kms/discussions) instead of an issue. You can find all my other repositories on [github](https://github.com/11notes?tab=repositories).
+
+*created 10.07.2025, 07:54:05 (CET)*

RELEASE.md

@@ -1,2 +0,0 @@
-### 🪄 Features
-* switch to new github workflow and build process

arch.dockerfile

@@ -1,89 +1,113 @@
-# :: Util
-  FROM alpine AS util
+# ╔═════════════════════════════════════════════════════╗
+# ║                       SETUP                         ║
+# ╚═════════════════════════════════════════════════════╝
+  # GLOBAL
+  ARG APP_UID=1000 \
+      APP_GID=1000 \
+      BUILD_SRC=https://github.com/11notes/fork-py-kms.git \
+      BUILD_ROOT=/git/fork-py-kms
 
-  ARG NO_CACHE
+  # :: FOREIGN IMAGES
+  FROM 11notes/util AS util
+
+# ╔═════════════════════════════════════════════════════╗
+# ║                       BUILD                         ║
+# ╚═════════════════════════════════════════════════════╝
+  # :: PY-KMS
+  FROM alpine/git AS build
+  ARG APP_VERSION \
+      BUILD_SRC \
+      BUILD_ROOT
 
   RUN set -ex; \
-    apk --no-cache --update add \
-      git; \
-    git clone https://github.com/11notes/docker-util.git;
-
-# :: Build / redis
-  FROM python:3.12-alpine AS build
-
-  ARG TARGETARCH
-  ARG APP_VERSION
-
-  USER root
+    git clone ${BUILD_SRC} -b next; \
+    cd ${BUILD_ROOT}; \
+    git checkout v${APP_VERSION};
 
   RUN set -ex; \
-    apk --update --no-cache add \
-      git; \
-    mkdir -p /opt/py-kms; \
-    git clone https://github.com/Py-KMS-Organization/py-kms.git; \
-    cd /py-kms/py-kms; \
-    git checkout ${APP_VERSION}; \
-    cp -R /py-kms/py-kms/* /opt/py-kms;
+    cd ${BUILD_ROOT}; \
+    cp -R ${BUILD_ROOT}/docker/docker-py3-kms-minimal/requirements.txt ${BUILD_ROOT}/py-kms/requirements.txt; \
+    cp -R ${BUILD_ROOT}/docker/docker-py3-kms/requirements.txt ${BUILD_ROOT}/py-kms/requirements.gui.txt;
 
-# :: Header
-  FROM 11notes/alpine:stable
+# ╔═════════════════════════════════════════════════════╗
+# ║                       IMAGE                         ║
+# ╚═════════════════════════════════════════════════════╝
+  # :: HEADER
+  FROM 11notes/python:3.13
 
-  # :: arguments
-    ARG TARGETARCH
-    ARG APP_IMAGE
-    ARG APP_NAME
-    ARG APP_VERSION
-    ARG APP_ROOT
+  # :: default arguments
+    ARG TARGETPLATFORM \
+        TARGETOS \
+        TARGETARCH \
+        TARGETVARIANT \
+        APP_IMAGE \
+        APP_NAME \
+        APP_VERSION \
+        APP_ROOT \
+        APP_UID \
+        APP_GID \
+        APP_NO_CACHE
 
-  # :: environment
-    ENV APP_IMAGE=${APP_IMAGE}
-    ENV APP_NAME=${APP_NAME}
-    ENV APP_VERSION=${APP_VERSION}
-    ENV APP_ROOT=${APP_ROOT}
+  # :: default python image
+    ARG PIP_ROOT_USER_ACTION=ignore \
+        PIP_BREAK_SYSTEM_PACKAGES=1 \
+        PIP_DISABLE_PIP_VERSION_CHECK=1 \
+        PIP_NO_CACHE_DIR=1
 
-    ENV KMS_IP=0.0.0.0
-    ENV KMS_PORT=1688
-    ENV KMS_LOCALE=1033
-    ENV KMS_CLIENTCOUNT=26
-    ENV KMS_ACTIVATIONINTERVAL=120
-    ENV KMS_RENEWALINTERVAL=10080
-    ENV KMS_LOGLEVEL="INFO"
+  # :: image specific arguments
+    ARG BUILD_ROOT
+
+  # :: default environment
+    ENV APP_IMAGE=${APP_IMAGE} \
+        APP_NAME=${APP_NAME} \
+        APP_VERSION=${APP_VERSION} \
+        APP_ROOT=${APP_ROOT}
+
+  # :: app specific variables
+    ENV KMS_LOCALE=1033 \
+        KMS_ACTIVATIONINTERVAL=120 \
+        KMS_RENEWALINTERVAL=259200
 
   # :: multi-stage
-    COPY --from=util /docker-util/src/ /usr/local/bin
-    COPY --from=build /opt/py-kms/ /opt/py-kms
+    COPY --from=util /usr/local/bin /usr/local/bin
+    COPY --from=build ${BUILD_ROOT}/py-kms /opt/py-kms
 
-  # :: Run
+# :: RUN
   USER root
 
-  # :: install application
+  # :: install dependencies
     RUN set -ex; \
-      apk --no-cache --update add \
-        python3=3.12.8-r1; \
       apk --no-cache --update --virtual .build add \
         py3-pip;
 
+  # :: install and update application
     RUN set -ex; \
       mkdir -p ${APP_ROOT}/var; \
-      touch /var/log/kms.log; \
-      ln -sf /dev/stdout /var/log/kms.log; \
-      pip3 install --no-cache-dir --break-system-packages \
-        tzlocal \
-        pytz; \
-      apk del --no-network .build;
+      pip3 install -r /opt/py-kms/requirements.txt; \
+      pip3 install pytz; \
+      pip3 list -o | sed 's/pip.*//' | grep . | cut -f1 -d' ' | tr " " "\n" | awk '{if(NR>=3)print}' | cut -d' ' -f1 | xargs -n1 pip3 install -U; \
+      apk del --no-network .build; \
+      rm -rf /usr/lib/python3.13/site-packages/pip;
 
-  # :: copy filesystem changes and set correct permissions
+  # :: copy root filesystem and set correct permissions
     COPY ./rootfs /
     RUN set -ex; \
       chmod +x -R /usr/local/bin; \
-      chown -R 1000:1000 \
-        ${APP_ROOT};
+      chown -R ${APP_UID}:${APP_GID} \
+        ${APP_ROOT} \
+        /opt/py-kms;
 
-# :: Volumes
+  # :: enable unraid support
+    RUN set -ex; \
+      eleven unraid
+
+# :: PERSISTENT DATA
   VOLUME ["${APP_ROOT}/var"]
 
-# :: Monitor
-  HEALTHCHECK --interval=5s --timeout=2s CMD /usr/local/bin/healthcheck.sh || exit 1
+# :: HEALTH
+  HEALTHCHECK --interval=5s --timeout=2s --start-interval=5s \
+    CMD ["/usr/bin/nc", "-z", "localhost", "1688"]
 
-# :: Start
-  USER docker
+# :: EXECUTE
+  USER ${APP_UID}:${APP_GID}
+  ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/entrypoint.sh"]

compose.yaml

@@ -1,24 +1,28 @@
 name: "kms"
 services:
-  kms:
-    image: "11notes/kms:646f476"
-    container_name: "kms"
+  app:
+    image: "11notes/kms:1.0.3"
     environment:
       TZ: "Europe/Zurich"
     volumes:
       - "var:/kms/var"
     ports:
       - "1688:1688/tcp"
-    restart: always
-  kms-gui:
-    image: "11notes/kms-gui:latest"
-    container_name: "kms-gui"
+    restart: "always"
+
+  gui:
+    image: "11notes/kms:1.0.3"
+    depends_on:
+      app:
+        condition: "service_healthy"
+        restart: true
     environment:
       TZ: "Europe/Zurich"
     volumes:
       - "var:/kms/var"
     ports:
-      - "8080:8080/tcp"
-    restart: always
+      - "3000:3000/tcp"
+    restart: "always"
+
 volumes:
   var:

project.md

@@ -0,0 +1,69 @@
+![Windows Server 2025](https://github.com/11notes/docker-${{ json_name }}/blob/master/img/WindowsSRV2025.png?raw=true)
+
+![Web GUI](https://github.com/11notes/docker-${{ json_name }}/blob/master/img/webGUICustomIcon.png?raw=true)
+
+${{ content_synopsis }} This image will run a KMS server you can use to activate any version of Windows and Office, forever.
+
+Works with:
+- Windows Vista 
+- Windows 7 
+- Windows 8
+- Windows 8.1
+- Windows 10
+- Windows 11
+- Windows Server 2008
+- Windows Server 2008 R2
+- Windows Server 2012
+- Windows Server 2012 R2
+- Windows Server 2016
+- Windows Server 2019
+- Windows Server 2022
+- Windows Server 2025
+- Microsoft Office 2010 ( Volume License )
+- Microsoft Office 2013 ( Volume License )
+- Microsoft Office 2016 ( Volume License )
+- Microsoft Office 2019 ( Volume License )
+- Microsoft Office 2021 ( Volume License )
+- Microsoft Office 2024 ( Volume License )
+
+${{ title_volumes }}
+* **${{ json_root }}/var** - Directory of the activation database
+
+${{ content_compose }}
+
+# EXAMPLE
+## Windows Server 2025 Datacenter. List of [GVLK](https://learn.microsoft.com/en-us/windows-server/get-started/kms-client-activation-keys)
+```cmd
+slmgr /ipk D764K-2NDRG-47T6Q-P8T8W-YP6DF
+```
+Add your KMS server information to server via registry
+```powershell
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" -Name "KeyManagementServiceName" -Value "KMS_IP"
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" -Name "KeyManagementServicePort" -Value "KMS_PORT"
+
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" -Name "KeyManagementServiceName" -Value "KMS_IP"
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" -Name "KeyManagementServicePort" -Value "KMS_PORT"
+```
+Activate server
+```cmd
+slmgr /ato
+```
+
+${{ content_defaults }}
+| `database` | /kms/var/kms.db | SQlite database holding all client data |
+
+${{ content_environment }}
+| `KMS_LOCALE` | see Microsoft LICD specification | 1033 (en-US) |
+| `KMS_ACTIVATIONINTERVAL` | Retry unsuccessful after N minutes | 120 (2 hours) |
+| `KMS_RENEWALINTERVAL` | re-activation after N minutes | 259200 (180 days) |
+
+${{ content_source }}
+
+${{ content_parent }}
+
+${{ content_built }}
+
+${{ content_tips }}
+* Do not expose this image to WAN! You will get notified from Microsoft via your ISP to terminate the service if you do so
+* [Microsoft LICD](https://learn.microsoft.com/en-us/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a)
+* Use [11notes/kms-gui](https://github.com/11notes/docker-kms-gui) if you want to see the clients you activated in a nice web GUI

rootfs/usr/local/bin/entrypoint.sh

@@ -1,18 +1,25 @@
 #!/bin/ash
   if [ -z "${1}" ]; then
+
+    if [ ! -z "${DEBUG}" ]; then
+      KMS_LOGLEVEL="DEBUG"
+      eleven log debug "setting kms log level to DEBUG"
+    else
+      KMS_LOGLEVEL="INFO"
+    fi
+
     cd /opt/py-kms
     set -- "python3" \
       pykms_Server.py \
-      ${KMS_IP} \
-      ${KMS_PORT} \
+      :: \
+      1688 \
       -l ${KMS_LOCALE} \
-      -c ${KMS_CLIENTCOUNT} \
       -a ${KMS_ACTIVATIONINTERVAL} \
       -r ${KMS_RENEWALINTERVAL} \
       -s /kms/var/kms.db \
       -w RANDOM \
       -V ${KMS_LOGLEVEL} \
-      -F /var/log/kms.log \
+      -F STDOUT \
       -y
     
     eleven log start

rootfs/usr/local/bin/healthcheck.sh

@@ -1,2 +0,0 @@
-#!/bin/ash
-  netstat -an | grep -q ${KMS_PORT}