[upgrade] to latest workflow

[feature] add ARM v7
Merge branch 'master' of https://github.com/11notes/docker-kms
2025-10-23 04:52:15 +00:00 · 2025-05-19 09:02:11 +02:00 · 2025-05-19 09:01:59 +02:00 · 2025-05-05 19:48:53 +02:00 · 2025-05-05 19:48:44 +02:00 · 2025-05-05 09:03:42 +00:00
22 changed files with 780 additions and 182 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,6 +1,7 @@
+# default
 .git*
-*.md
-LICENSE
-img/
 maintain/
-project*
+LICENSE
+*.md
+img/
+node_modules/
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,3 @@
-# Auto detect text files and perform LF normalization
-* text=auto
+# default
+*                 text=auto
+*.sh              eol=lf
--- a/.github/workflows/cron.update.yml
+++ b/.github/workflows/cron.update.yml
@@ -0,0 +1,115 @@
+name: cron-update
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 5 * * *"
+
+jobs:
+  cron-update:
+    runs-on: ubuntu-latest
+
+    permissions:
+      actions: read
+      contents: write
+
+    steps:   
+      - name: init / checkout
+        uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
+        with:
+          ref: 'master'
+          fetch-depth: 0
+
+      - name: cron-update / get latest version
+        run: |
+          echo "LATEST_VERSION=$(curl -s https://api.github.com/repos/11notes/fork-py-kms/releases/latest | jq -r '.tag_name' | sed 's/v//')" >> "${GITHUB_ENV}"
+          echo "LATEST_TAG=$(git describe --abbrev=0 --tags `git rev-list --tags --max-count=1` | sed 's/v//')" >> "${GITHUB_ENV}"
+
+      - name: cron-update / setup node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: '20'
+      - run: npm i semver
+
+      - name: cron-update / compare latest with current version
+        uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
+        with:
+          script: |
+            const { existsSync, readFileSync, writeFileSync } = require('node:fs');
+            const { resolve } = require('node:path');
+            const { inspect } = require('node:util');
+            const semver = require('semver')
+            const repository = {dot:{}};
+
+            try{
+              const path = resolve('.json');
+              if(existsSync(path)){
+                try{
+                  repository.dot = JSON.parse(readFileSync(path).toString());
+                }catch(e){
+                  throw new Error('could not parse .json');
+                }
+              }else{
+                throw new Error('.json does not exist');
+              }
+            }catch(e){
+              core.setFailed(e);
+            }
+
+            const latest = semver.valid(semver.coerce('${{ env.LATEST_VERSION }}'));
+            const current = semver.valid(semver.coerce(repository.dot.semver.version));
+            const tag = semver.valid(semver.coerce('${{ env.LATEST_TAG }}'));
+
+            if(latest && latest !== current){
+              core.info(`new ${semver.diff(current, latest)} release found (${latest})!`)
+              repository.dot.semver.version = latest;
+              if(tag){
+                core.exportVariable('WORKFLOW_NEW_TAG', semver.inc(tag, semver.diff(current, latest)));
+              }
+
+              if(repository.dot.semver?.latest){
+                repository.dot.semver.latest = repository.dot.semver.version;
+              }
+
+              if(repository.dot?.readme?.comparison?.image){
+                repository.dot.readme.comparison.image = repository.dot.readme.comparison.image.replace(current, repository.dot.semver.version);
+              }
+
+              try{
+                writeFileSync(resolve('.json'), JSON.stringify(repository.dot, null, 2));
+                core.exportVariable('WORKFLOW_AUTO_UPDATE', true);
+              }catch(e){
+                core.setFailed(e);
+              }
+            }else{
+              core.info('no new release found');
+            }
+
+            core.info(inspect(repository.dot, {showHidden:false, depth:null, colors:true}));
+
+      - name: cron-update / checkout
+        id: checkout
+        if: env.WORKFLOW_AUTO_UPDATE == 'true'
+        run: |         
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add .json
+          git commit -m "[upgrade] ${{ env.LATEST_VERSION }}"
+          git push origin HEAD:master
+
+      - name: cron-update / tag
+        if: env.WORKFLOW_AUTO_UPDATE == 'true' && steps.checkout.outcome == 'success'
+        run: |         
+          SHA256=$(git rev-list --branches --max-count=1)
+          git tag -a v${{ env.WORKFLOW_NEW_TAG }} -m "v${{ env.WORKFLOW_NEW_TAG }}" ${SHA256}
+          git push --follow-tags
+
+      - name: cron-update / build docker image
+        if: env.WORKFLOW_AUTO_UPDATE == 'true' && steps.checkout.outcome == 'success'
+        uses: the-actions-org/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7
+        with:
+          workflow: docker.yml
+          wait-for-completion: false
+          token: "${{ secrets.REPOSITORY_TOKEN }}"
+          inputs: '{ "release":"true", "readme":"true" }'
+          ref: "v${{ env.WORKFLOW_NEW_TAG }}"
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,155 +1,427 @@
-name: create and publish docker image
+name: docker
+run-name: ${{ inputs.run-name }}

 on:
  workflow_dispatch:
    inputs:
-      release:
-        description: 'create release or not'
+      run-name:
+        description: 'set run-name for workflow (multiple calls)'
+        type: string
        required: false
-        default: true
-        type: 'boolean'
-  push:
-    tags:
-      - 'v*'
+        default: 'docker'

-env:
-  DOCKER_USERNAME: 11notes
-  RELEASE: true
+      runs-on:
+        description: 'set runs-on for workflow (github or selfhosted)'
+        type: string
+        required: false
+        default: 'ubuntu-22.04'
+
+      build:
+        description: 'set WORKFLOW_BUILD'
+        required: false
+        default: 'true'
+
+      release:
+        description: 'set WORKFLOW_GITHUB_RELEASE'
+        required: false
+        default: 'false'
+
+      readme:
+        description: 'set WORKFLOW_GITHUB_README'
+        required: false
+        default: 'false'
+        
+      etc:
+        description: 'base64 encoded json string'
+        required: false

 jobs:
-  build-and-push-image:
-    runs-on: ubuntu-latest
+  docker:
+    runs-on: ${{ inputs.runs-on }}
+    timeout-minutes: 1440
+
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+
    permissions:
+      actions: read
      contents: write
      packages: write
-      security-events: write

    steps:   
      - name: init / checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-
-      - name: init / .json to env
-        uses: rgarcia-phi/json-to-variables@9835d537368468c4e4de5254dc3efeadda183793
        with:
-          filename: '.json'
+          ref: ${{ github.ref_name }}
+          fetch-depth: 0

      - name: init / setup environment
-        run: |
-          : # set default arch if not set
-          echo "IMAGE_ARCH=${json_arch:-linux/amd64,linux/arm64}" >> $GITHUB_ENV
-
-          : # create tags for semver, stable and other shenanigans
-          export LOCAL_SHA=$(git rev-parse --short HEAD)
-          export LOCAL_SEMVER_MAJOR=$(awk -F. '{ print $1 }' <<< ${json_version})
-          export LOCAL_SEMVER_MINOR=$(awk -F. '{ print $2 }' <<< ${json_version})
-          export LOCAL_SEMVER_PATCH=$(awk -F. '{ print $3 }' <<< ${json_version})
-          export LOCAL_TAGS="${json_image}:${LOCAL_SHA}"
-          if [ ! -z ${LOCAL_SEMVER_MAJOR} ]; then LOCAL_TAGS="${LOCAL_TAGS},${json_image}:${LOCAL_SEMVER_MAJOR}"; fi
-          if [ ! -z ${LOCAL_SEMVER_MINOR} ]; then LOCAL_TAGS="${LOCAL_TAGS},${json_image}:${LOCAL_SEMVER_MAJOR}.${LOCAL_SEMVER_MINOR}"; fi
-          if [ ! -z ${LOCAL_SEMVER_PATCH} ]; then LOCAL_TAGS="${LOCAL_TAGS},${json_image}:${LOCAL_SEMVER_MAJOR}.${LOCAL_SEMVER_MINOR}.${LOCAL_SEMVER_PATCH}"; fi
-          if echo "${LOCAL_TAGS}" | grep -q "${json_stable}" ; then LOCAL_TAGS="${LOCAL_TAGS},${json_image}:stable"; fi
-          if echo "${LOCAL_TAGS}" | grep -q "${json_latest}" ; then LOCAL_TAGS="${LOCAL_TAGS},${json_image}:latest"; fi
-          if [ ! -z ${json_tags} ]; then SPECIAL_LOCAL_TAGS=$(echo ${json_tags} | sed 's/,/ /g'); for LOCAL_TAG in ${json_tags}; do LOCAL_TAGS="${LOCAL_TAGS},${json_image}:${LOCAL_TAG}"; done; fi
-          echo "IMAGE_TAGS=${LOCAL_TAGS}" >> $GITHUB_ENV
-
-          : # if for whatever reason UID/GID must be changed at build time
-          echo "IMAGE_UID=${json_uid:-1000}" >> $GITHUB_ENV
-          echo "IMAGE_GID=${json_gid:-1000}" >> $GITHUB_ENV
-
-          : # echo inputs
-          echo "${{ toJSON(github.event.inputs) }}"
-
-      - name: github / disable release
-        if: ${{ inputs.release != null && inputs.release == false }}
-        run: |
-          echo "RELEASE=false" >> $GITHUB_ENV
-
-      - name: docker / login to hub
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
+        uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
        with:
-          username: ${{ env.DOCKER_USERNAME }}
+          script: |
+            const { existsSync, readFileSync } = require('node:fs');
+            const { resolve } = require('node:path');
+            const { inspect } = require('node:util');
+            const { Buffer } = require('node:buffer');
+            const inputs = `${{ toJSON(github.event.inputs) }}`;
+            const opt = {input:{}, dot:{}};            
+
+            try{
+              if(inputs.length > 0){
+                opt.input = JSON.parse(inputs);
+                if(opt.input?.etc){
+                  opt.input.etc = JSON.parse(Buffer.from(opt.input.etc, 'base64').toString('ascii'));
+                }
+              }
+            }catch(e){
+              core.warning('could not parse github.event.inputs');
+            }
+
+            try{
+              const path = resolve('.json');
+              if(existsSync(path)){
+                try{
+                  opt.dot = JSON.parse(readFileSync(path).toString());
+                }catch(e){
+                  throw new Error('could not parse .json');
+                }
+              }else{
+                throw new Error('.json does not exist');
+              }
+            }catch(e){
+              core.setFailed(e);
+            }
+
+            core.info(inspect(opt, {showHidden:false, depth:null, colors:true}));
+
+            const docker = {
+              image:{
+                name:opt.dot.image,
+                arch:(opt.dot.arch || 'linux/amd64,linux/arm64'),
+                prefix:((opt.input?.etc?.semverprefix) ? `${opt.input?.etc?.semverprefix}-` : ''),
+                suffix:((opt.input?.etc?.semversuffix) ? `-${opt.input?.etc?.semversuffix}` : ''),
+                description:(opt.dot?.readme?.description || ''),
+                tags:[],
+              },
+              app:{
+                image:opt.dot.image,
+                name:opt.dot.name,
+                version:(opt.input?.etc?.version || opt.dot.semver.version),
+                root:opt.dot.root,
+                UID:(opt.input?.etc?.uid || 1000),
+                GID:(opt.input?.etc?.gid || 1000),
+                no_cache:new Date().getTime(),
+              },
+              cache:{
+                registry:'localhost:5000/',
+              },
+              tags:[],
+            };
+
+            docker.cache.name = `${docker.image.name}:${docker.image.prefix}buildcache${docker.image.suffix}`;
+            docker.cache.grype = `${docker.cache.registry}${docker.image.name}:${docker.image.prefix}grype${docker.image.suffix}`;
+            docker.app.prefix = docker.image.prefix;
+            docker.app.suffix = docker.image.suffix;
+
+            // setup tags
+              if(!opt.dot.semver?.disable?.rolling){
+                docker.image.tags.push('rolling');
+              }
+              if(opt.input?.etc?.dockerfile !== 'arch.dockerfile' && opt.input?.etc?.tag){
+                docker.image.tags.push(`${context.sha.substring(0,7)}`);
+                docker.image.tags.push(opt.input.etc.tag);
+                docker.image.tags.push(`${opt.input.etc.tag}-${docker.app.version}`);
+                docker.cache.name = `${docker.image.name}:buildcache-${opt.input.etc.tag}`;
+              }else if(opt.dot?.semver?.version){
+                const semver = opt.dot.semver.version.split('.');
+                docker.image.tags.push(`${context.sha.substring(0,7)}`);
+                if(Array.isArray(semver)){
+                  if(semver.length >= 1) docker.image.tags.push(`${semver[0]}`);
+                  if(semver.length >= 2) docker.image.tags.push(`${semver[0]}.${semver[1]}`);
+                  if(semver.length >= 3) docker.image.tags.push(`${semver[0]}.${semver[1]}.${semver[2]}`);
+                }
+                if(opt.dot.semver?.stable && new RegExp(opt.dot.semver.stable, 'ig').test(docker.image.tags.join(','))) docker.image.tags.push('stable');
+                if(opt.dot.semver?.latest && new RegExp(opt.dot.semver.latest, 'ig').test(docker.image.tags.join(','))) docker.image.tags.push('latest');
+              }else if(opt.input?.etc?.version && opt.input.etc.version === 'latest'){
+                docker.image.tags.push('latest');
+              }
+
+              for(const tag of docker.image.tags){
+                docker.tags.push(`${docker.image.name}:${docker.image.prefix}${tag}${docker.image.suffix}`);
+                docker.tags.push(`ghcr.io/${docker.image.name}:${docker.image.prefix}${tag}${docker.image.suffix}`);
+                docker.tags.push(`quay.io/${docker.image.name}:${docker.image.prefix}${tag}${docker.image.suffix}`);
+              }
+
+            // setup build arguments
+              if(opt.input?.etc?.build?.args){
+                for(const arg in opt.input.etc.build.args){
+                  docker.app[arg] = opt.input.etc.build.args[arg];
+                }
+              }
+              if(opt.dot?.build?.args){
+                for(const arg in opt.dot.build.args){
+                  docker.app[arg] = opt.dot.build.args[arg];
+                }
+              }
+              const arguments = [];
+              for(const argument in docker.app){
+                arguments.push(`APP_${argument.toUpperCase()}=${docker.app[argument]}`);
+              }
+
+            // export to environment
+              core.exportVariable('DOCKER_CACHE_REGISTRY', docker.cache.registry);
+              core.exportVariable('DOCKER_CACHE_NAME', docker.cache.name);
+              core.exportVariable('DOCKER_CACHE_GRYPE', docker.cache.grype);
+
+              core.exportVariable('DOCKER_IMAGE_NAME', docker.image.name);
+              core.exportVariable('DOCKER_IMAGE_ARCH', docker.image.arch);
+              core.exportVariable('DOCKER_IMAGE_TAGS', docker.tags.join(','));
+              core.exportVariable('DOCKER_IMAGE_DESCRIPTION', docker.image.description);
+              core.exportVariable('DOCKER_IMAGE_ARGUMENTS', arguments.join("\r\n"));
+              core.exportVariable('DOCKER_IMAGE_DOCKERFILE', opt.input?.etc?.dockerfile || 'arch.dockerfile');
+
+              core.exportVariable('WORKFLOW_BUILD', (opt.input?.build === undefined) ? false : opt.input.build);
+              core.exportVariable('WORKFLOW_CREATE_RELEASE', (opt.input?.release === undefined) ? false : opt.input.release);
+              core.exportVariable('WORKFLOW_CREATE_README', (opt.input?.readme === undefined) ? false : opt.input.readme);
+              core.exportVariable('WORKFLOW_GRYPE_FAIL_ON_SEVERITY', (opt.dot?.grype?.fail === undefined) ? true : opt.dot.grype.fail);
+              core.exportVariable('WORKFLOW_GRYPE_SEVERITY_CUTOFF', (opt.dot?.grype?.severity || 'high'));
+              if(opt.dot?.readme?.comparison){
+                core.exportVariable('WORKFLOW_CREATE_COMPARISON', true);
+                core.exportVariable('WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE', opt.dot.readme.comparison.image);
+                core.exportVariable('WORKFLOW_CREATE_COMPARISON_IMAGE', `${docker.image.name}:${docker.app.version}`);
+              }
+
+
+
+      # DOCKER    
+      - name: docker / login to hub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+        with:
+          username: 11notes
          password: ${{ secrets.DOCKER_TOKEN }}

+      - name: github / login to ghcr
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+        with:
+          registry: ghcr.io
+          username: 11notes
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: quay / login to quay
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+        with:
+          registry: quay.io
+          username: 11notes+github
+          password: ${{ secrets.QUAY_TOKEN }}
+
      - name: docker / setup qemu
+        if: env.WORKFLOW_BUILD == 'true'
        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a

      - name: docker / setup buildx
+        if: env.WORKFLOW_BUILD == 'true'
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
+        with:
+          driver-opts: network=host

-      - name: grype / build & push
+      - name: docker / build & push & tag grype
+        if: env.WORKFLOW_BUILD == 'true'
+        id: docker-build
        uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d
        with:
          context: .
-          file: arch.dockerfile
+          file: ${{ env.DOCKER_IMAGE_DOCKERFILE }}
          push: true
-          platforms: ${{ env.IMAGE_ARCH }}
-          cache-from: type=registry,ref=${{ env.json_image }}:buildcache
-          cache-to: type=registry,ref=${{ env.json_image }}:buildcache,mode=max,compression=zstd,force-compression=true
+          platforms: ${{ env.DOCKER_IMAGE_ARCH }}
+          cache-from: type=registry,ref=${{ env.DOCKER_CACHE_NAME }}
+          cache-to: type=registry,ref=${{ env.DOCKER_CACHE_REGISTRY }}${{ env.DOCKER_CACHE_NAME }},mode=max,compression=zstd,force-compression=true
          build-args: |
-            APP_IMAGE=${{ env.json_image }}
-            APP_NAME=${{ env.json_name }}
-            APP_VERSION=${{ env.json_version }}
-            APP_ROOT=${{ env.json_root }}
-            APP_UID=${{ env.IMAGE_UID }}
-            APP_GID=${{ env.IMAGE_GID }}
-            NO_CACHE=$(date +%s)
+            ${{ env.DOCKER_IMAGE_ARGUMENTS }}
          tags: |
-            ${{ env.json_image }}:grype
+            ${{ env.DOCKER_CACHE_GRYPE }}

      - name: grype / scan
-        id: scan
-        uses: anchore/scan-action@abae793926ec39a78ab18002bc7fc45bbbd94342
+        if: env.WORKFLOW_BUILD == 'true'
+        id: grype
+        uses: anchore/scan-action@dc6246fcaf83ae86fcc6010b9824c30d7320729e
        with:
-          image: ${{ env.json_image }}:grype
-          severity-cutoff: high
+          image: ${{ env.DOCKER_CACHE_GRYPE }}
+          fail-build: ${{ env.WORKFLOW_GRYPE_FAIL_ON_SEVERITY }}
+          severity-cutoff: ${{ env.WORKFLOW_GRYPE_SEVERITY_CUTOFF }}
+          output-format: 'sarif'
+          by-cve: true
+          cache-db: true

-      - name: grype / report / print
-        if: success() || failure()
-        run: cat ${{ steps.scan.outputs.sarif }}
-
-      - name: grype / delete tag
-        if: success() || failure()
-        run: |
-          curl --request DELETE \
-            --url https://hub.docker.com/v2/repositories/${{ env.json_image }}/tags/grype/ \
-            --header 'authorization: jwt ${{ secrets.DOCKER_TOKEN }}' \
-            --header 'content-type: application/json' \
-            --fail
-
-      - name: grype / report / upload
-        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169
+      - name: grype / fail
+        if: env.WORKFLOW_BUILD == 'true' && (failure() || steps.grype.outcome == 'failure')
+        uses: anchore/scan-action@dc6246fcaf83ae86fcc6010b9824c30d7320729e
        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
+          image: ${{ env.DOCKER_CACHE_GRYPE }}
+          fail-build: false
+          severity-cutoff: ${{ env.WORKFLOW_GRYPE_SEVERITY_CUTOFF }}
+          output-format: 'table'
+          by-cve: true
+          cache-db: true

      - name: docker / build & push
+        if: env.WORKFLOW_BUILD == 'true'
        uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d
        with:
          context: .
-          file: arch.dockerfile
+          file: ${{ env.DOCKER_IMAGE_DOCKERFILE }}
          push: true
          sbom: true
          provenance: mode=max
-          platforms: ${{ env.IMAGE_ARCH }}
-          cache-from: type=registry,ref=${{ env.json_image }}:buildcache
-          cache-to: type=registry,ref=${{ env.json_image }}:buildcache,mode=max,compression=zstd,force-compression=true
+          platforms: ${{ env.DOCKER_IMAGE_ARCH }}
+          cache-from: type=registry,ref=${{ env.DOCKER_CACHE_REGISTRY }}${{ env.DOCKER_CACHE_NAME }}
+          cache-to: type=registry,ref=${{ env.DOCKER_CACHE_NAME }},mode=max,compression=zstd,force-compression=true
          build-args: |
-            APP_IMAGE=${{ env.json_image }}
-            APP_NAME=${{ env.json_name }}
-            APP_VERSION=${{ env.json_version }}
-            APP_ROOT=${{ env.json_root }}
-            APP_UID=${{ env.IMAGE_UID }}
-            APP_GID=${{ env.IMAGE_GID }}
-            NO_CACHE=$(date +%s)
+            ${{ env.DOCKER_IMAGE_ARGUMENTS }}
          tags: |
-            ${{ env.IMAGE_TAGS }}
+            ${{ env.DOCKER_IMAGE_TAGS }}

-      - name: github / create release notes
-        if: ${{ env.RELEASE == 'true' && hashFiles('RELEASE.md') != '' }}
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+
+      # RELEASE      
+      - name: github / release / log
+        continue-on-error: true
+        id: git-log
        run: |
-          gh release create ${{ github.ref_name }} -F RELEASE.md
+          LOCAL_LAST_TAG=$(git describe --abbrev=0 --tags `git rev-list --tags --skip=1 --max-count=1`)
+          echo "using last tag: ${LOCAL_LAST_TAG}"
+          LOCAL_COMMITS=$(git log ${LOCAL_LAST_TAG}..HEAD --oneline)

+          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
+          echo "commits<<${EOF}" >> ${GITHUB_OUTPUT}
+          echo "${LOCAL_COMMITS}" >> ${GITHUB_OUTPUT}
+          echo "${EOF}" >> ${GITHUB_OUTPUT}
+
+      - name: github / release / markdown
+        if: env.WORKFLOW_CREATE_RELEASE == 'true'  && steps.git-log.outcome == 'success'
+        id: git-release
+        uses: 11notes/action-docker-release@v1
+        # WHY IS THIS ACTION NOT SHA256 PINNED? SECURITY MUCH?!?!?!
+        # ---------------------------------------------------------------------------------
+        # the next step "github / release / create" creates a new release based on the code
+        # in the repo. This code is not modified and can't be modified by this action.
+        # It does create the markdown for the release, which could be abused, but to what
+        # extend? Adding a link to a malicious repo?
+        with:
+          git_log: ${{ steps.git-log.outputs.commits }}
+
+      - name: github / release / create
+        if: env.WORKFLOW_CREATE_RELEASE == 'true' && steps.git-release.outcome == 'success'
+        uses: actions/create-release@4c11c9fe1dcd9636620a16455165783b20fc7ea0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: ${{ github.ref }}
+          body: ${{ steps.git-release.outputs.release }}
+          draft: false
+          prerelease: false
+
+
+
+
+      # LICENSE
+      - name: license / update year
+        continue-on-error: true
+        uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
+        with:
+          script: |
+            const { existsSync, readFileSync, writeFileSync } = require('node:fs');
+            const { resolve } = require('node:path');
+            const file = 'LICENSE';
+            const year = new Date().getFullYear();
+            try{
+              const path = resolve(file);
+              if(existsSync(path)){
+                let license = readFileSync(file).toString();
+                if(!new RegExp(`Copyright \\(c\\) ${year} 11notes`, 'i').test(license)){
+                  license = license.replace(/Copyright \(c\) \d{4} /i, `Copyright (c) ${new Date().getFullYear()} `);
+                  writeFileSync(path, license);
+                }
+              }else{
+                throw new Error(`file ${file} does not exist`);
+              }
+            }catch(e){
+              core.setFailed(e);
+            }
+
+
+
+
+      # README
+      - name: github / checkout HEAD
+        continue-on-error: true
+        run: |     
+          git checkout HEAD
+
+      - name: docker / setup comparison images
+        if: env.WORKFLOW_CREATE_COMPARISON == 'true'
+        continue-on-error: true
+        run: |    
+          docker image pull ${{ env.WORKFLOW_CREATE_COMPARISON_IMAGE }}
+          docker image ls --filter "reference=${{ env.WORKFLOW_CREATE_COMPARISON_IMAGE }}" --format json | jq --raw-output '.Size' &> ./comparison.size0.log
+
+          docker image pull ${{ env.WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE }}
+          docker image ls --filter "reference=${{ env.WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE }}" --format json | jq --raw-output '.Size' &> ./comparison.size1.log
+          
+          docker run --entrypoint "/bin/sh" --rm ${{ env.WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE }} -c id &> ./comparison.id.log
+
+      - name: github / create README.md
+        id: github-readme
+        continue-on-error: true
+        if: env.WORKFLOW_CREATE_README == 'true'
+        uses: 11notes/action-docker-readme@v1
+        # WHY IS THIS ACTION NOT SHA256 PINNED? SECURITY MUCH?!?!?!
+        # ---------------------------------------------------------------------------------
+        # the next step "github / commit & push" only adds the README and LICENSE as well as 
+        # compose.yaml to the repository. This does not pose a security risk if this action
+        # would be compromised. The code of the app can't be changed by this action. Since
+        # only the files mentioned are commited to the repo. Sure, someone could make a bad
+        # compose.yaml, but since this serves only as an example I see no harm in that.
+        with:
+          sarif_file: ${{ steps.grype.outputs.sarif }}
+          build_output_metadata: ${{ steps.docker-build.outputs.metadata }}
+
+      - name: docker / push README.md to docker hub
+        continue-on-error: true
+        if: steps.github-readme.outcome == 'success' && hashFiles('README_NONGITHUB.md') != ''
+        uses: christian-korneck/update-container-description-action@d36005551adeaba9698d8d67a296bd16fa91f8e8
+        env:
+          DOCKER_USER: 11notes
+          DOCKER_PASS: ${{ secrets.DOCKER_TOKEN }}
+        with:
+          destination_container_repo: ${{ env.DOCKER_IMAGE_NAME }}
+          provider: dockerhub
+          short_description: ${{ env.DOCKER_IMAGE_DESCRIPTION }}
+          readme_file: 'README_NONGITHUB.md'
+
+      - name: github / commit & push
+        continue-on-error: true
+        if: steps.github-readme.outcome == 'success' && hashFiles('README.md') != ''
+        run: |         
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add README.md
+          if [ -f compose.yaml ]; then
+            git add compose.yaml
+          fi
+          if [ -f LICENSE ]; then
+            git add LICENSE
+          fi
+          git commit -m "github-actions[bot]: update README.md"
+          git push origin HEAD:master
+
+
+
+
+      # REPOSITORY SETTINGS
      - name: github / update description and set repo defaults
        run: |
          curl --request PATCH \
@@ -157,22 +429,11 @@ jobs:
            --header 'authorization: Bearer ${{ secrets.REPOSITORY_TOKEN }}' \
            --header 'content-type: application/json' \
            --data '{
-              "description":"${{ env.json_description }}",
+              "description":"${{ env.DOCKER_IMAGE_DESCRIPTION }}",
              "homepage":"",
              "has_issues":true,
              "has_discussions":true,
              "has_projects":false,
              "has_wiki":false
            }' \
-            --fail
-
-      - name: docker / push README.md to docker hub
-        uses: christian-korneck/update-container-description-action@d36005551adeaba9698d8d67a296bd16fa91f8e8
-        env:
-          DOCKER_USER: ${{ env.DOCKER_USERNAME }}
-          DOCKER_PASS: ${{ secrets.DOCKER_TOKEN }}
-        with:
-          destination_container_repo: ${{ env.json_image }}
-          provider: dockerhub
-          short_description: ${{ env.json_description }}
-          readme_file: 'README.md'
+            --fail
--- a/.github/workflows/readme.yml
+++ b/.github/workflows/readme.yml
@@ -0,0 +1,16 @@
+name: readme
+
+on:
+  workflow_dispatch:
+
+jobs:
+  readme:
+    runs-on: ubuntu-latest
+    steps:
+      - name: update README.md
+        uses: the-actions-org/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7
+        with:
+          wait-for-completion: false
+          workflow: docker.yml
+          token: "${{ secrets.REPOSITORY_TOKEN }}"
+          inputs: '{ "build":"false", "release":"false", "readme":"true" }'
--- a/.github/workflows/tags.yml
+++ b/.github/workflows/tags.yml
@@ -0,0 +1,76 @@
+name: tags
+on:
+  push:
+    tags:
+      - 'v*'
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:   
+      - name: build docker image
+        uses: the-actions-org/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7
+        with:
+          workflow: docker.yml
+          token: "${{ secrets.REPOSITORY_TOKEN }}"
+          inputs: '{ "release":"true", "readme":"true" }'
+
+  docker-unraid:
+    runs-on: ubuntu-latest
+    steps:  
+      - name: init / base64 nested json
+        uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
+        with:
+          script: |
+            const { Buffer } = require('node:buffer');
+            const etc = {
+              semversuffix:"unraid",
+              uid:99,
+              gid:100,
+            };
+            core.exportVariable('WORKFLOW_BASE64JSON', Buffer.from(JSON.stringify(etc)).toString('base64'));
+            
+      - name: build docker image for unraid community
+        uses: the-actions-org/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7
+        with:
+          wait-for-completion: false
+          workflow: docker.yml
+          token: "${{ secrets.REPOSITORY_TOKEN }}"
+          inputs: '{ "release":"false", "readme":"false", "run-name":"unraid", "etc":"${{ env.WORKFLOW_BASE64JSON }}" }'
+
+  kms-gui:
+    runs-on: ubuntu-latest
+    needs: docker
+    steps:   
+      - name: build downstream kms gui
+        uses: the-actions-org/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7
+        with:
+          workflow: docker.yml
+          token: "${{ secrets.REPOSITORY_TOKEN }}"
+          repo: 11notes/docker-kms-gui
+          ref: master
+          inputs: '{ "release":"false", "readme":"true" }'
+
+  kms-gui-unraid:
+    runs-on: ubuntu-latest
+    needs: docker-unraid
+    steps:   
+      - name: init / base64 nested json
+        uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
+        with:
+          script: |
+            const { Buffer } = require('node:buffer');
+            const etc = {
+              semversuffix:"unraid",
+              uid:99,
+              gid:100,
+            };
+            core.exportVariable('WORKFLOW_BASE64JSON', Buffer.from(JSON.stringify(etc)).toString('base64'));
+
+      - name: build downstream kms gui for unraid community
+        uses: the-actions-org/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7
+        with:
+          workflow: docker.yml
+          token: "${{ secrets.REPOSITORY_TOKEN }}"
+          repo: 11notes/docker-kms-gui
+          ref: master
+          inputs: '{ "release":"false", "readme":"false", "run-name":"unraid", "etc":"${{ env.WORKFLOW_BASE64JSON }}" }'
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
+# default
 maintain/
-project*
+node_modules/
--- a/.json
+++ b/.json
@@ -1,11 +1,20 @@
 {
  "image":"11notes/kms",
-  "description":"Activate any version of Windows and Office, forever",
  "name":"kms",
-  "version":"465f4d1",
  "root":"/kms",
+  "arch":"linux/amd64,linux/arm64,linux/arm/v7",
  
-  "stable":"465f4d1",
-  "latest":"465f4d1",
-  "parent":"11notes/alpine:stable"
+  "semver":{
+    "version":"1.0.0"
+  },
+
+  "readme":{
+    "description":"Activate any version of Windows and Office, forever",
+    "parent":{
+      "image":"11notes/alpine:stable"
+    },
+    "built":{
+      "11notes/py-kms":"https://github.com/11notes/fork-py-kms"
+    }
+  }
 }
--- a/2
+++ b/2
@@ -1,6 +1,6 @@
 MIT License

-Copyright (c) 2020 11notes
+Copyright (c) 2025 11notes

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/README.md
+++ b/README.md
@@ -1,15 +1,16 @@
-![Banner](https://github.com/11notes/defaults/blob/main/static/img/banner.png?raw=true)
+![banner](https://github.com/11notes/defaults/blob/main/static/img/banner.png?raw=true)

-# 🏔️ kms on Alpine
-[<img src="https://img.shields.io/badge/github-source-blue?logo=github&color=040308">](https://github.com/11notes/docker-kms)![size](https://img.shields.io/docker/image-size/11notes/kms/465f4d1?color=0eb305)![version](https://img.shields.io/docker/v/11notes/kms/465f4d1?color=eb7a09)![pulls](https://img.shields.io/docker/pulls/11notes/kms?color=2b75d6)[<img src="https://img.shields.io/github/issues/11notes/docker-kms?color=7842f5">](https://github.com/11notes/docker-kms/issues)
+# KMS
+[<img src="https://img.shields.io/badge/github-source-blue?logo=github&color=040308">](https://github.com/11notes/docker-KMS)![5px](https://github.com/11notes/defaults/blob/main/static/img/transparent5x2px.png?raw=true)![size](https://img.shields.io/docker/image-size/11notes/kms/1.0.0?color=0eb305)![5px](https://github.com/11notes/defaults/blob/main/static/img/transparent5x2px.png?raw=true)![version](https://img.shields.io/docker/v/11notes/kms/1.0.0?color=eb7a09)![5px](https://github.com/11notes/defaults/blob/main/static/img/transparent5x2px.png?raw=true)![pulls](https://img.shields.io/docker/pulls/11notes/kms?color=2b75d6)![5px](https://github.com/11notes/defaults/blob/main/static/img/transparent5x2px.png?raw=true)[<img src="https://img.shields.io/github/issues/11notes/docker-KMS?color=7842f5">](https://github.com/11notes/docker-KMS/issues)![5px](https://github.com/11notes/defaults/blob/main/static/img/transparent5x2px.png?raw=true)![swiss_made](https://img.shields.io/badge/Swiss_Made-FFFFFF?labelColor=FF0000&logo=data:image/svg%2bxml;base64,PHN2ZyB2ZXJzaW9uPSIxIiB3aWR0aD0iNTEyIiBoZWlnaHQ9IjUxMiIgdmlld0JveD0iMCAwIDMyIDMyIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxwYXRoIGQ9Im0wIDBoMzJ2MzJoLTMyeiIgZmlsbD0iI2YwMCIvPjxwYXRoIGQ9Im0xMyA2aDZ2N2g3djZoLTd2N2gtNnYtN2gtN3YtNmg3eiIgZmlsbD0iI2ZmZiIvPjwvc3ZnPg==)

-**Activate any version of Windows and Office, forever**
+Activate any version of Windows and Office, forever

-![activation](https://github.com/11notes/docker-kms/blob/master/img/activation.png "Windows Server 2025 Datacenter")
-![GUI](https://github.com/11notes/docker-kms/blob/master/img/GUI.png "11notes/kms-gui")
+![Windows Server 2025](https://github.com/11notes/docker-KMS/blob/master/img/WindowsSRV2025.png?raw=true)
+
+![Web GUI](https://github.com/11notes/docker-KMS/blob/master/img/webGUICustomIcon.png?raw=true)

 # SYNOPSIS 📖
-**What can I do with this?** This image will run a KMS server you can use to activate any version of Windows and Office, forever. If you need a GUI, simply add [11notes/kms-gui](https://github.com/11notes/docker-kms-gui) to your compose.
+**What can I do with this?** This image will run a KMS server you can use to activate any version of Windows and Office, forever.

 Works with:
 - Windows Vista 
@@ -40,9 +41,8 @@ Works with:
 ```yaml
 name: "kms"
 services:
-  kms:
-    image: "11notes/kms:465f4d1"
-    container_name: "kms"
+  app:
+    image: "11notes/kms:1.0.0"
    environment:
      TZ: "Europe/Zurich"
    volumes:
@@ -50,29 +50,35 @@ services:
    ports:
      - "1688:1688/tcp"
    restart: "always"
-  kms-gui:
-    image: "11notes/kms-gui:latest"
-    container_name: "kms-gui"
+
+  gui:
+    image: "11notes/kms-gui:1.0.0"
+    depends_on:
+      app:
+        condition: "service_healthy"
+        restart: true
    environment:
      TZ: "Europe/Zurich"
    volumes:
      - "var:/kms/var"
    ports:
-      - "8080:8080/tcp"
+      - "3000:3000/tcp"
    restart: "always"
+
 volumes:
  var:
 ```

-
+# EXAMPLE
 ## Windows Server 2025 Datacenter. List of [GVLK](https://learn.microsoft.com/en-us/windows-server/get-started/kms-client-activation-keys)
 ```cmd
 slmgr /ipk D764K-2NDRG-47T6Q-P8T8W-YP6DF
 ```
-Add your KMS server information to server
+Add your KMS server information to server via registry
 ```powershell
 Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" -Name "KeyManagementServiceName" -Value "KMS_IP"
 Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" -Name "KeyManagementServicePort" -Value "KMS_PORT"
+
 Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" -Name "KeyManagementServiceName" -Value "KMS_IP"
 Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" -Name "KeyManagementServicePort" -Value "KMS_PORT"
 ```
@@ -95,29 +101,50 @@ slmgr /ato
 | --- | --- | --- |
 | `TZ` | [Time Zone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) | |
 | `DEBUG` | Will activate debug option for container image and app (if available) | |
-| `KMS_IP` | localhost or 127.0.0.1 or a dedicated IP | 0.0.0.0 |
-| `KMS_PORT` | any port > 1024 | 1688 |
 | `KMS_LOCALE` | see Microsoft LICD specification | 1033 (en-US) |
 | `KMS_CLIENTCOUNT` | client count > 25 | 26 |
 | `KMS_ACTIVATIONINTERVAL` | Retry unsuccessful after N minutes | 120 (2 hours) |
 | `KMS_RENEWALINTERVAL` | re-activation after N minutes | 259200 (180 days) |
 | `KMS_LOGLEVEL` | CRITICAL, ERROR, WARNING, INFO, DEBUG, MININFO | INFO |

+# MAIN TAGS 🏷️
+These are the main tags for the image. There is also a tag for each commit and its shorthand sha256 value.
+
+* [1.0.0](https://hub.docker.com/r/11notes/kms/tags?name=1.0.0)
+* [1.0.0-unraid](https://hub.docker.com/r/11notes/kms/tags?name=1.0.0-unraid)
+
+### There is no latest tag, what am I supposed to do about updates?
+It is of my opinion that the ```:latest``` tag is super dangerous. Many times, I’ve introduced **breaking** changes to my images. This would have messed up everything for some people. If you don’t want to change the tag to the latest [semver](https://semver.org/), simply use the short versions of [semver](https://semver.org/). Instead of using ```:1.0.0``` you can use ```:1``` or ```:1.0```. Since on each new version these tags are updated to the latest version of the software, using them is identical to using ```:latest``` but at least fixed to a major or minor version.
+
+# REGISTRIES ☁️
+```
+docker pull 11notes/kms:1.0.0
+docker pull ghcr.io/11notes/kms:1.0.0
+docker pull quay.io/11notes/kms:1.0.0
+```
+
+${{ title_unraid }}
+This image supports unraid by default. Simply add **-unraid** to any tag and the image will run as 99:100 instead of 1000:1000 causing no issues on unraid. Enjoy.
+
 # SOURCE 💾
-* [11notes/kms](https://github.com/11notes/docker-kms)
+* [11notes/kms](https://github.com/11notes/docker-KMS)

 # PARENT IMAGE 🏛️
 * [11notes/alpine:stable](https://hub.docker.com/r/11notes/alpine)

 # BUILT WITH 🧰
-* [py-kms](https://github.com/Py-KMS-Organization/py-kms)
-* [alpine](https://alpinelinux.org)
+* [11notes/py-kms](https://github.com/11notes/fork-py-kms)
+* [11notes/util](https://github.com/11notes/docker-util)

 # GENERAL TIPS 📌
-* Use a reverse proxy like Traefik, Nginx, HAproxy to terminate TLS and to protect your endpoints
-* Use Let’s Encrypt DNS-01 challenge to obtain valid SSL certificates for your services
+> [!TIP]
+>* Use a reverse proxy like Traefik, Nginx, HAproxy to terminate TLS and to protect your endpoints
+>* Use Let’s Encrypt DNS-01 challenge to obtain valid SSL certificates for your services
 * Do not expose this image to WAN! You will get notified from Microsoft via your ISP to terminate the service if you do so
 * [Microsoft LICD](https://learn.microsoft.com/en-us/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a)
-  
+* Use [11notes/kms-gui](https://github.com/11notes/docker-kms-gui) if you want to see the clients you activated in a nice web GUI
+
 # ElevenNotes™️
-This image is provided to you at your own risk. Always make backups before updating an image to a different version. Check the [releases](https://github.com/11notes/docker-kms/releases) for breaking changes. If you have any problems with using this image simply raise an [issue](https://github.com/11notes/docker-kms/issues), thanks. You can find all my repositories on [github](https://github.com/11notes?tab=repositories).
+This image is provided to you at your own risk. Always make backups before updating an image to a different version. Check the [releases](https://github.com/11notes/docker-kms/releases) for breaking changes. If you have any problems with using this image simply raise an [issue](https://github.com/11notes/docker-kms/issues), thanks. If you have a question or inputs please create a new [discussion](https://github.com/11notes/docker-kms/discussions) instead of an issue. You can find all my other repositories on [github](https://github.com/11notes?tab=repositories).
+
+*created 05.05.2025, 11:03:41 (CET)*
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -1,2 +0,0 @@
-### 🚀 Updates
-* switch to branch next on upstream py-kms
--- a/arch.dockerfile
+++ b/arch.dockerfile
@@ -1,15 +1,20 @@
+ARG APP_UID=1000
+ARG APP_GID=1000
+ARG BUILD_ROOT=/git/fork-py-kms
+
 # :: Util
  FROM 11notes/util AS util

 # :: Build / py-kms
  FROM alpine/git AS build
  ARG APP_VERSION
+  ARG BUILD_ROOT
  RUN set -ex; \
-    git clone https://github.com/Py-KMS-Organization/py-kms.git -b next; \
-    cd /git/py-kms; \
-    git checkout ${APP_VERSION}; \
-    cp -R /git/py-kms/docker/docker-py3-kms-minimal/requirements.txt /git/py-kms/py-kms/requirements.txt; \
-    cp -R /git/py-kms/docker/docker-py3-kms/requirements.txt /git/py-kms/py-kms/requirements.gui.txt;
+    git clone https://github.com/11notes/fork-py-kms -b next; \
+    cd ${BUILD_ROOT}; \
+    git checkout v${APP_VERSION}; \
+    cp -R ${BUILD_ROOT}/docker/docker-py3-kms-minimal/requirements.txt ${BUILD_ROOT}/py-kms/requirements.txt; \
+    cp -R ${BUILD_ROOT}/docker/docker-py3-kms/requirements.txt ${BUILD_ROOT}/py-kms/requirements.gui.txt;

 # :: Header
  FROM 11notes/alpine:stable
@@ -20,6 +25,16 @@
    ARG APP_NAME
    ARG APP_VERSION
    ARG APP_ROOT
+    ARG APP_UID
+    ARG APP_GID
+    ARG APP_NO_CACHE
+    ARG BUILD_ROOT
+
+    # :: python image
+      ARG PIP_ROOT_USER_ACTION=ignore
+      ARG PIP_BREAK_SYSTEM_PACKAGES=1
+      ARG PIP_DISABLE_PIP_VERSION_CHECK=1
+      ARG PIP_NO_CACHE_DIR=1

  # :: environment
    ENV APP_IMAGE=${APP_IMAGE}
@@ -27,8 +42,6 @@
    ENV APP_VERSION=${APP_VERSION}
    ENV APP_ROOT=${APP_ROOT}

-    ENV KMS_IP=0.0.0.0
-    ENV KMS_PORT=1688
    ENV KMS_LOCALE=1033
    ENV KMS_CLIENTCOUNT=26
    ENV KMS_ACTIVATIONINTERVAL=120
@@ -36,38 +49,45 @@
    ENV KMS_LOGLEVEL="INFO"

  # :: multi-stage
-    COPY --from=util /usr/local/bin/ /usr/local/bin
-    COPY --from=build /git/py-kms/py-kms/ /opt/py-kms
+    COPY --from=util /usr/local/bin /usr/local/bin
+    COPY --from=build ${BUILD_ROOT}/py-kms /opt/py-kms

-  # :: Run
+# :: Run
  USER root
+  RUN eleven printenv;

  # :: install application
    RUN set -ex; \
      apk --no-cache --update add \
-        python3=3.12.9-r0; \
+        python3; \
      apk --no-cache --update --virtual .build add \
        py3-pip;

    RUN set -ex; \
      mkdir -p ${APP_ROOT}/var; \
-      pip3 install --no-cache-dir -r /opt/py-kms/requirements.txt --break-system-packages; \
-      pip3 install --no-cache-dir pytz --break-system-packages; \
-      apk del --no-network .build;
+      pip3 install -r /opt/py-kms/requirements.txt; \
+      pip3 install pytz; \
+      pip3 list -o | sed 's/pip.*//' | grep . | cut -f1 -d' ' | tr " " "\n" | awk '{if(NR>=3)print}' | cut -d' ' -f1 | xargs -n1 pip3 install -U; \
+      apk del --no-network .build; \
+      rm -rf /usr/lib/python3.12/site-packages/pip;

  # :: copy filesystem changes and set correct permissions
    COPY ./rootfs /
    RUN set -ex; \
      chmod +x -R /usr/local/bin; \
-      chown -R 1000:1000 \
+      chown -R ${APP_UID}:${APP_GID} \
        ${APP_ROOT} \
        /opt/py-kms;

+  # :: support unraid
+    RUN set -ex; \
+      eleven unraid
+
 # :: Volumes
  VOLUME ["${APP_ROOT}/var"]

 # :: Monitor
-  HEALTHCHECK --interval=5s --timeout=2s CMD /usr/local/bin/healthcheck.sh || exit 1
+  HEALTHCHECK --interval=5s --timeout=2s CMD netstat -an | grep -q 1688 || exit 1

 # :: Start
-  USER docker
+  USER ${APP_UID}:${APP_GID}
--- a/compose.yaml
+++ b/compose.yaml
@@ -1,8 +1,7 @@
 name: "kms"
 services:
-  kms:
-    image: "11notes/kms:465f4d1"
-    container_name: "kms"
+  app:
+    image: "11notes/kms:1.0.0"
    environment:
      TZ: "Europe/Zurich"
    volumes:
@@ -10,15 +9,20 @@ services:
    ports:
      - "1688:1688/tcp"
    restart: "always"
-  kms-gui:
-    image: "11notes/kms-gui:latest"
-    container_name: "kms-gui"
+
+  gui:
+    image: "11notes/kms-gui:1.0.0"
+    depends_on:
+      app:
+        condition: "service_healthy"
+        restart: true
    environment:
      TZ: "Europe/Zurich"
    volumes:
      - "var:/kms/var"
    ports:
-      - "8080:8080/tcp"
+      - "3000:3000/tcp"
    restart: "always"
+
 volumes:
  var:
--- a/img/GUI.png
+++ b/img/GUI.png
--- a/img/Office.png
+++ b/img/Office.png
--- a/img/Windows11ENTLTSC.png
+++ b/img/Windows11ENTLTSC.png
--- a/img/WindowsSRV2025.png
+++ b/img/WindowsSRV2025.png
--- a/img/activation.png
+++ b/img/activation.png
--- a/img/webGUICustomIcon.png
+++ b/img/webGUICustomIcon.png
--- a/project.md
+++ b/project.md
@@ -0,0 +1,71 @@
+![Windows Server 2025](https://github.com/11notes/docker-${{ json_name }}/blob/master/img/WindowsSRV2025.png?raw=true)
+
+![Web GUI](https://github.com/11notes/docker-${{ json_name }}/blob/master/img/webGUICustomIcon.png?raw=true)
+
+${{ content_synopsis }} This image will run a KMS server you can use to activate any version of Windows and Office, forever.
+
+Works with:
+- Windows Vista 
+- Windows 7 
+- Windows 8
+- Windows 8.1
+- Windows 10
+- Windows 11
+- Windows Server 2008
+- Windows Server 2008 R2
+- Windows Server 2012
+- Windows Server 2012 R2
+- Windows Server 2016
+- Windows Server 2019
+- Windows Server 2022
+- Windows Server 2025
+- Microsoft Office 2010 ( Volume License )
+- Microsoft Office 2013 ( Volume License )
+- Microsoft Office 2016 ( Volume License )
+- Microsoft Office 2019 ( Volume License )
+- Microsoft Office 2021 ( Volume License )
+- Microsoft Office 2024 ( Volume License )
+
+${{ title_volumes }}
+* **${{ json_root }}/var** - Directory of the activation database
+
+${{ content_compose }}
+
+# EXAMPLE
+## Windows Server 2025 Datacenter. List of [GVLK](https://learn.microsoft.com/en-us/windows-server/get-started/kms-client-activation-keys)
+```cmd
+slmgr /ipk D764K-2NDRG-47T6Q-P8T8W-YP6DF
+```
+Add your KMS server information to server via registry
+```powershell
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" -Name "KeyManagementServiceName" -Value "KMS_IP"
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" -Name "KeyManagementServicePort" -Value "KMS_PORT"
+
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" -Name "KeyManagementServiceName" -Value "KMS_IP"
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" -Name "KeyManagementServicePort" -Value "KMS_PORT"
+```
+Activate server
+```cmd
+slmgr /ato
+```
+
+${{ content_defaults }}
+| `database` | /kms/var/kms.db | SQlite database holding all client data |
+
+${{ content_environment }}
+| `KMS_LOCALE` | see Microsoft LICD specification | 1033 (en-US) |
+| `KMS_CLIENTCOUNT` | client count > 25 | 26 |
+| `KMS_ACTIVATIONINTERVAL` | Retry unsuccessful after N minutes | 120 (2 hours) |
+| `KMS_RENEWALINTERVAL` | re-activation after N minutes | 259200 (180 days) |
+| `KMS_LOGLEVEL` | CRITICAL, ERROR, WARNING, INFO, DEBUG, MININFO | INFO |
+
+${{ content_source }}
+
+${{ content_parent }}
+
+${{ content_built }}
+
+${{ content_tips }}
+* Do not expose this image to WAN! You will get notified from Microsoft via your ISP to terminate the service if you do so
+* [Microsoft LICD](https://learn.microsoft.com/en-us/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a)
+* Use [11notes/kms-gui](https://github.com/11notes/docker-kms-gui) if you want to see the clients you activated in a nice web GUI
--- a/rootfs/usr/local/bin/entrypoint.sh
+++ b/rootfs/usr/local/bin/entrypoint.sh
@@ -9,8 +9,8 @@
    cd /opt/py-kms
    set -- "python3" \
      pykms_Server.py \
-      ${KMS_IP} \
-      ${KMS_PORT} \
+      0.0.0.0 \
+      1688 \
      -l ${KMS_LOCALE} \
      -c ${KMS_CLIENTCOUNT} \
      -a ${KMS_ACTIVATIONINTERVAL} \
--- a/rootfs/usr/local/bin/healthcheck.sh
+++ b/rootfs/usr/local/bin/healthcheck.sh
@@ -1,2 +0,0 @@
-#!/bin/ash
-  netstat -an | grep -q ${KMS_PORT}
Author	SHA1	Message	Date
ElevenNotes	fce33aa489	[upgrade] to latest workflow	2025-05-19 09:02:11 +02:00
ElevenNotes	b9dd62fa54	[feature] add ARM v7	2025-05-19 09:01:59 +02:00
ElevenNotes	7acd95278f	Merge branch 'master' of https://github.com/11notes/docker-kms	2025-05-05 19:48:53 +02:00
ElevenNotes	f254a289c2	[upgrade] to latest workflows	2025-05-05 19:48:44 +02:00
github-actions[bot]	727bf1f243	github-actions[bot]: update README.md	2025-05-05 09:03:42 +00:00
ElevenNotes	2dcd91990a	[upgrade] switch to fork with semver	2025-05-05 10:58:28 +02:00
ElevenNotes	7519a01ba5	Merge branch 'master' of https://github.com/11notes/docker-kms	2025-05-05 10:41:09 +02:00
ElevenNotes	b4f0d240df	[upgrade] switch to https://github.com/11notes/fork-py-kms with semver	2025-05-05 10:41:01 +02:00
github-actions[bot]	cdb5a78fb4	github-actions[bot]: update README.md	2025-05-02 08:31:31 +00:00
ElevenNotes	4c77d9218e	Merge branch 'master' of https://github.com/11notes/docker-kms	2025-05-02 10:27:28 +02:00
ElevenNotes	c0bf59835e	[fix] invalidate cache	2025-05-02 10:27:18 +02:00
github-actions[bot]	543a33b1bf	github-actions[bot]: update README.md	2025-05-02 08:18:33 +00:00
ElevenNotes	cc8b9eb8ec	Merge branch 'master' of https://github.com/11notes/docker-kms	2025-05-02 10:14:22 +02:00
ElevenNotes	49b56ac50b	[fix] upgrade all BUT pip	2025-05-02 10:13:56 +02:00
github-actions[bot]	84c8141758	github-actions[bot]: update README.md	2025-05-02 08:02:46 +00:00
ElevenNotes	e8aa27002d	[fix] UID/GID defaults	2025-05-02 09:57:31 +02:00
ElevenNotes	c42936bf8c	[fix] --break-system-packages	2025-05-02 09:52:22 +02:00
ElevenNotes	bad0decb4a	Merge branch 'master' of https://github.com/11notes/docker-kms	2025-05-02 09:49:47 +02:00
ElevenNotes	914dacaaf5	[fix] no-cache-dir	2025-05-02 09:49:38 +02:00
github-actions[bot]	6ae34d7b40	github-actions[bot]: update README.md	2025-05-02 07:45:50 +00:00
ElevenNotes	98dd10e9db	Merge branch 'master' of https://github.com/11notes/docker-kms	2025-05-02 09:41:26 +02:00
ElevenNotes	46a338a6eb	[fix] upgrade	2025-05-02 09:41:17 +02:00
github-actions[bot]	bb7d6b68ce	github-actions[bot]: update README.md	2025-05-02 07:27:31 +00:00
ElevenNotes	06b86cbc27	[upgrade] to latest workflows	2025-05-02 09:17:38 +02:00
ElevenNotes	f9031c3b01	Merge branch 'master' of https://github.com/11notes/docker-kms	2025-05-02 08:55:46 +02:00
ElevenNotes	5453f6d93a	updated workflow	2025-03-10 07:08:36 +01:00
github-actions[bot]	607ebb9cf7	auto update README.md	2025-03-07 11:11:30 +00:00
ElevenNotes	62b10178d3	Merge branch 'master' of https://github.com/11notes/docker-kms	2025-03-07 12:08:57 +01:00
ElevenNotes	74f3f1a6d8	[fix] semver.length	2025-03-07 12:08:43 +01:00
github-actions[bot]	9da23cfa1f	auto update README.md	2025-03-07 11:03:55 +00:00
ElevenNotes	88106c5ab3	Merge branch 'master' of https://github.com/11notes/docker-kms	2025-03-07 12:01:02 +01:00
ElevenNotes	3c49769856	[upgrade] docker.yml workflow to new javascript version	2025-03-07 12:00:52 +01:00
github-actions[bot]	0731c67061	auto update README.md	2025-02-21 05:56:22 +00:00
ElevenNotes	5ad13ddfeb	[feature] sql_get_all default sort by lastRequestTime DESC	2025-02-21 06:51:21 +01:00
ElevenNotes	3045fea5a5	[cut] no more static RELEASE.md	2025-02-20 06:53:12 +01:00
ElevenNotes	98df1f7f0a	[feature] new release workflow (no more static RELEASE.md)	2025-02-20 06:52:42 +01:00
ElevenNotes	803d20d5e0	Merge branch 'master' of https://github.com/11notes/docker-kms	2025-02-19 11:25:18 +01:00
ElevenNotes	cb4531c479	add run-name	2025-02-19 11:25:08 +01:00
github-actions[bot]	e340cb2fd5	update README.md	2025-02-19 10:09:40 +00:00
github-actions[bot]	6be75ef815	update README.md	2025-02-19 09:53:13 +00:00
ElevenNotes	26c465e656	Merge branch 'master' of https://github.com/11notes/docker-kms	2025-02-19 10:50:13 +01:00
ElevenNotes	c36ab2d369	add client IP to SQlite database	2025-02-19 10:50:04 +01:00
github-actions[bot]	ea186dd607	update README.md	2025-02-19 08:12:23 +00:00
ElevenNotes	5d47cf0b9f	Merge branch 'master' of https://github.com/11notes/docker-kms	2025-02-19 09:02:05 +01:00
ElevenNotes	bad5f50548	11notes/action-docker-readme@v1.1.2	2025-02-19 09:01:58 +01:00
ElevenNotes	e6bf310706	remove screenshot	2025-02-19 08:31:20 +01:00
github-actions[bot]	b9c5b148a1	update README.md	2025-02-19 00:12:17 +00:00
ElevenNotes	46dab8b24f	new workflow	2025-02-19 00:43:30 +01:00
ElevenNotes	b154c116cc	fix markdown issue	2025-02-14 11:30:36 +01:00
ElevenNotes	66090fdadb	fix healthcheck	2025-02-14 11:22:33 +01:00
ElevenNotes	58910eb75d	update readme	2025-02-12 22:46:00 +01:00
ElevenNotes	06e8f2a63e	typos everywhere ...	2025-02-12 22:13:27 +01:00
ElevenNotes	6ec2821901	try parallel build for normal and unraid image including GUI	2025-02-12 22:00:47 +01:00
ElevenNotes	a3a755b54e	switch to the-actions-org/workflow-dispatch to chain builds	2025-02-12 21:35:53 +01:00
ElevenNotes	dd0025df2d	wrong suffix	2025-02-12 11:57:46 +01:00
ElevenNotes	23231c4cbb	needs: docker	2025-02-12 11:52:02 +01:00
ElevenNotes	28586cccec	add unraid version	2025-02-12 11:44:28 +01:00
ElevenNotes	ce51cbe448	missing image link	2025-02-12 08:35:33 +01:00
ElevenNotes	c5b9d8f1fa	Removed KMS_IP and KMS_PORT	2025-02-12 07:13:12 +01:00
ElevenNotes	bd566a8900	workflow issues	2025-02-10 12:07:24 +01:00
ElevenNotes	58a28d8852	workflow issues	2025-02-10 11:58:11 +01:00
ElevenNotes	44e604d964	release issues	2025-02-10 11:47:06 +01:00
ElevenNotes	c055cc3fb2	add ref:master	2025-02-10 11:35:39 +01:00
ElevenNotes	74661d19d9	add custom KMS DB	2025-02-10 11:19:37 +01:00
ElevenNotes	ad35b06dc0	dispatch failed	2025-02-10 11:10:13 +01:00
ElevenNotes	efccd9cdb3	downstream auto build	2025-02-10 11:05:42 +01:00
ElevenNotes	5c6e416ce4	current activation screenshot	2025-02-10 10:47:44 +01:00
ElevenNotes	48a5ba320c	bump python to always latest	2025-02-10 10:43:05 +01:00