[Docker] [alle OS] Het grote Docker ervaringen en tips topic

runs:
  using: "composite"
  steps:
    - name: 🏗️ Setup Python
      id: setup-python
      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
      with:
        cache: 'pip'
        cache-dependency-path: 'requirements.txt'

    - name: 👷 Install Python dependencies
      if: steps.setup-python.outputs.cache-hit != 'true'
      shell: bash
      run: pip install -r requirements.txt

    - name: 📦 Setup Ansible Galaxy Cache
      id: ansible-galaxy-cache
      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
      with:
        path: |
          .ansible
          ~/.ansible
        key: ${{ runner.os }}-ansible-${{ hashFiles('**/requirements.yml') }}
        restore-keys: |
          ${{ runner.os }}-ansible-

    - name: 🌌 Install Ansible Galaxy dependencies
      if: steps.ansible-galaxy-cache.outputs.cache-hit != 'true'
      shell: bash
      run: ansible-galaxy install -r requirements.yml

services:
  gitops-forgejo:
    image: codeberg.org/forgejo/forgejo:13@sha256:88858e7f592f82d4f650713c7bed8c0cd792d7f71475a7467c5650a31cd2eda9
    container_name: gitops-forgejo
    restart: unless-stopped

...
...

  gitops-renovate:
    image: renovate/renovate:42.29.4@sha256:aead5ca948dc1a76ed084ab9716fd83e6a8c8626d38b831d1923cdc17fa4d1b6
    container_name: gitops-renovate
    restart: "no"

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:best-practices",
    ":automergeMinor",
    "schedule:automergeDaily",
    ":dependencyDashboard"
  ],
  "packageRules": [
    {
      "matchCategories": [
        "docker"
      ],
      "managerFilePatterns": [
        "/(^|/)docker-compose\\.ya?ml$/",
        "/Dockerfile$/"
      ]
    }
  ]
}

WARN: Error updating branch: update failure (repository=alex/infra, branch=renovate/pin-dependencies)

name: Deploy via Ansible

on:
  push:
    branches: [ main ]
  workflow_dispatch:
    inputs:
      version:
        description: "Tag/branch to deploy (default: main)"
        required: false
        default: "main"

jobs:
  deploy:
    runs-on: self-hosted

    steps:
      # 1. Checkout the stack repo (not used directly, only metadata needed)
      - name: Checkout current repo
        uses: actions/checkout@v3

      # 2. Checkout the Ansible infra repo
      - name: Checkout Ansible infra
        uses: actions/checkout@v3
        with:
          repository: infra/ansible        # <-- jouw infra-repo
          path: ansible

      # 3. Run Ansible inside the container
      - name: Run Ansible deploy
        uses: docker://cytopia/ansible:latest
        with:
          entrypoint: ansible-playbook
        env:
          REPO_OWNER: ${{ github.repository_owner }}
          REPO_NAME:  ${{ github.event.repository.name }}
          VERSION:    ${{ github.event.inputs.version }}
        args: >
          -i ansible/hosts
          ansible/deploy.yml

services:
  fail2ban:
    image: lscr.io/linuxserver/fail2ban:latest
    container_name: fail2ban
    cap_add:
      - NET_ADMIN
      - NET_RAW
    network_mode: host
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Brussels
      - VERBOSITY=-vvvv #optional
    volumes:
      - ./config:/config
#     - /var/log:/var/log:ro
      - /docker/emby/library/logs:/remotelogs/emby:ro #optional
      - /docker/jellyseer/config/logs:/remotelogs/jellyseer:ro
#      - /path/to/nextcloud/log:/remotelogs/nextcloud:ro #optional

services:
  emby:
    image: lscr.io/linuxserver/emby:latest
    container_name: emby
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Brussels
    volumes:
      - /docker/emby/library:/config
      - /docker/emby/backup:/backup
      - /DataDisk/Video:/Video
      - /DataDisk/Audio:/Audio
 #     - /opt/vc/lib:/opt/vc/lib #optional
    ports:
      - 192.168.10.155:8096:8096
      - 192.168.10.155:8920:8920 #optional
    devices:
      - /dev/dri:/dev/dri #optional
 #     - /dev/vchiq:/dev/vchiq #optional
 #     - /dev/video10:/dev/video10 #optional
 #     - /dev/video11:/dev/video11 #optional
 #     - /dev/video12:/dev/video12 #optional
    restart: unless-stopped
    networks:
      - docker_lan
networks:
  docker_lan:
    external: true

[DEFAULT]
#banaction = nftables
#banaction_allports = nftables[type=allports]
banaction = iptables-multiport
banaction_allports = iptables-allports

[emby]
enabled = true
port = 8096,443,80
filter = emby
logpath = /remotelogs/emby/embyserver.txt
maxretry = 3
findtime = 600
bantime = 43200
chain   = DOCKER-USER
#chain   = INPUT
action  = %(known/action)s

docker exec -it fail2ban fail2ban-client status emby
Status for the jail: emby
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /remotelogs/emby/embyserver.txt
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

## Version 2023/03/11
# Fail2Ban filter for emby

[INCLUDES]
before = common.conf

[Definition]

_daemon = emby-server

failregex = Server: AUTH-ERROR:\ <HOST>\ -

ignoreregex =

root@vdockersrv:/#  fail2ban-regex /remotelogs/emby/embyserver.txt "http/1.1 Response 401 to ‌‍‍<HOST>"

Running tests
=============

Use   failregex line : http/1.1 Response 401 to ‌‍‍<HOST>
Use         log file : /remotelogs/emby/embyserver.txt
Use         encoding : UTF-8


Results
=======

Failregex: 44 total
|-  #) [# of hits] regular expression
|   1) [44] http/1.1 Response 401 to ‌‍‍<HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [734] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 1524 lines, 0 ignored, 44 matched, 1480 missed
[processed in 0.18 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 1480 lines

docker compose up -d
[+] Running 15/15
 ✘ gitops-forgejo Error     Get "https://codeberg...                      14.5s
 ✔ gitops-renovate Pulled                                                 13.6s
   ✔ 20043066d3d5 Already exists                                           0.0s
   ✔ 9e4e033eb30d Pull complete                                            0.3s
   ✔ 018f6c7aaaac Pull complete                                            1.2s
   ✔ 35578b6f2e42 Pull complete                                            1.5s
   ✔ 80dfdc05cfe7 Pull complete                                            2.0s
   ✔ 1eca13f89a5d Pull complete                                            6.1s
   ✔ 8d74e0a459d6 Pull complete                                            6.7s
   ✔ 10316a1eb140 Pull complete                                            6.7s
   ✔ 34b95407a4fa Pull complete                                            6.7s
   ✔ 4e5a0ac21bc5 Pull complete                                           12.3s
   ✔ 064a0d449bd7 Pull complete                                           12.3s
   ✔ 7343cd103162 Pull complete                                           12.4s
   ✔ 4f4fb700ef54 Pull complete                                           12.4s
Error response from daemon: Get "https://codeberg.org/v2/": net/http: TLS handshake timeout

docker exec -it fail2ban fail2ban-client status emby
Status for the jail: emby
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /remotelogs/emby/embyserver.txt
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

  infra-fail2ban:
    image: lscr.io/linuxserver/fail2ban:latest
    container_name: infra-fail2ban
    restart: always
    cap_add:
      - NET_ADMIN
      - NET_RAW
    network_mode: host
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Amsterdam
      - VERBOSITY=-vv #optional
    volumes:
      - $DOCKERDIR/infra/fail2ban/config:/config
      - /var/log:/var/log:ro
#      - /path/to/airsonic/log:/remotelogs/airsonic:ro #optional
#      - /path/to/apache2/log:/remotelogs/apache2:ro #optional
#      - /path/to/authelia/log:/remotelogs/authelia:ro #optional
#      - /path/to/emby/log:/remotelogs/emby:ro #optional
#      - /path/to/filebrowser/log:/remotelogs/filebrowser:ro #optional

  infra-cs-firewall-bouncer:
    image: ghcr.io/shgew/cs-firewall-bouncer-docker:latest
    container_name: infra-cs-firewall-bouncer
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
    security_opt:
      - no-new-privileges:true

iptables_chains:
  - INPUT
  - DOCKER-USER

# forgejo action
pipeline:
  deploy:
    image: python:3.12
    secrets: [ SSH_KEY ]
    commands:
      - pip install ansible community.docker
      - mkdir -p ~/.ssh
      - echo "$SSH_KEY" > ~/.ssh/id_ed25519
      - chmod 600 ~/.ssh/id_ed25519

      - ansible-playbook -i inventory deploy.yml

# Ansible deploy.yml
- hosts: server
  become: yes
  tasks:
    - name: Repo clonen/updaten
      ansible.builtin.git:
        repo: "git@forgejo.example.com:docker-stacks/gitops.git"
        dest: /opt/gitops
        version: main

    - name: Docker Compose pull
      community.docker.docker_compose:
        project_src: /opt/gitops/myapp
        pull: yes

    - name: Docker Compose up
      community.docker.docker_compose:
        project_src: /opt/gitops/myapp
        state: present

┌── .forgejo
│   └── workflows/          → Forgejo Actions workflows
├── group_vars              → Inventory group variables
│   └── .../
├── host_vars               → Host specific variables
│   └── .../
├── roles                   → Ansible Roles directory
│   └── .../
├── inventory.yml           → Ansible inventory

- name: Create Docker Compose Stack directory
  ansible.builtin.file:
    path: "{{ compose_stack_dir }}"
    state: directory
    owner: "{{ compose_stacks_owner }}"
    group: "{{ compose_stacks_group }}"
    mode: "0755"
  register: _compose_directory
  become: true

- name: Template Docker Compose file
  ansible.builtin.template:
    src: "templates/compose.yaml.j2"
    dest: "{{ [_compose_directory.path, 'compose.yaml'] | file_join }}"
    owner: "{{ compose_stacks_owner }}"
    group: "{{ compose_stacks_group }}"
    mode: "0644"
  become: true

# Compose .env  bestand kun je wel gokken :P

- name: Validate Docker Compose stack
  ansible.builtin.command:
    cmd: docker compose config
    chdir: "{{ _compose_directory.path }}"
  register: _docker_compose_config_output
  when: not ansible_check_mode
  failed_when: _docker_compose_config_output.rc != 0
  changed_when: false

- name: Docker Compose up
  community.docker.docker_compose_v2:
    project_src: "{{ _compose_directory.path }}"
    project_name: "{{ compose_stack_name }}"
    state: present
    recreate: "{{ 'always' if compose_recreate else 'auto' }}"
  register: _docker_compose_up_output
  when: not ansible_check_mode

- name: Deploy AdGuard Home
  hosts: docker

  roles:
    - role: adguard_home

chain   = DOCKER-USER
#chain   = INPUT

roles:
  - name: audiobookshelf
    src: https://git.example.com/ansible/audiobookshelf.git
    version: v2.19.4
    scm: git

immich_database_password: "{{ vault_immich_database_password }}"

2025-12-05 06:44:47,938 fail2ban.actions        [154]: NOTICE  [emby] Unban 188.188.135.111
2025-12-05 06:45:07,030 fail2ban.filter         [154]: INFO    [emby] Found 188.188.135.111 - 2025-12-05 06:45:06
2025-12-05 06:45:09,032 fail2ban.filter         [154]: INFO    [emby] Found 188.188.135.111 - 2025-12-05 06:45:08
2025-12-05 06:45:11,034 fail2ban.filter         [154]: INFO    [emby] Found 188.188.135.111 - 2025-12-05 06:45:10
2025-12-05 06:45:11,246 fail2ban.actions        [154]: NOTICE  [emby] Ban 188.188.135.111
2025-12-05 06:45:13,237 fail2ban.filter         [154]: INFO    [emby] Found 188.188.135.111 - 2025-12-05 06:45:13

Chain DOCKER-INTERNAL (1 references)
target     prot opt source               destination

Chain DOCKER-USER (1 references)
target     prot opt source               destination
f2b-emby   tcp  --  anywhere             anywhere             multiport dports 8096,http,https

Chain f2b-emby (1 references)
target     prot opt source               destination
REJECT     all  --  188.188.135.111      anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

services:
  whoami:
    image: traefik/whoami:v1.10.4
    command:
       # It tells whoami to start listening on 2001 instead of 80
       - --port=2001
       - --name=iamfoo

name: Deploy

on:
  workflow_dispatch:

jobs:
  deploy:
    runs-on: docker
    steps:
      - uses: actions/checkout@v4

      - name: Inject SSH key
        run: |
          mkdir -p ~/.ssh
          echo "${{ secrets.DEPLOY_KEY }}" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519

      - name: Install modern Ansible + collections
        run: |
          apt-get update
          apt-get install -y python3 python3-pip
          pip install --upgrade pip
          pip install "ansible>=8.0.0"
          ansible-galaxy collection install community.docker
          pip install docker
          ansible --version

      - name: Run Ansible
        run: ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i inventory.ini deploy.yaml

- hosts: domiducus
  #become: true
  vars:
    compose_stack_name: "whoami"
    compose_stack_dir: "/home/stacks/whoami"
    compose_stacks_owner: "home"
    compose_stacks_group: "home"
    compose_recreate: true

  tasks:
    - name: Create directory
      file:
        path: "{{ compose_stack_dir }}"
        state: directory
        owner: "{{ compose_stacks_owner }}"
        group: "{{ compose_stacks_group }}"
        mode: "0755"

    - name: Copy compose file
      ansible.builtin.copy:
        src: docker-compose.yaml       # uit je Git repo
        dest: "{{ compose_stack_dir }}/docker-compose.yml"
        owner: "{{ compose_stacks_owner }}"
        group: "{{ compose_stacks_group }}"
        mode: "0644"

    - name: Copy .env
      ansible.builtin.copy:
        src: .env
        dest: "{{ compose_stack_dir }}/.env"
        mode: "0600"

    - name: Validate compose
      command: docker compose config
      args:
        chdir: "{{ compose_stack_dir }}"
      changed_when: false

    # Tijdelijk ff via shell commando, en niet via docker python module die blijkbaar op de host moet draaien hiervoor
#    - name: Compose up
#      community.docker.docker_compose:
#        project_src: "{{ compose_stack_dir }}"
#        project_name: "{{ compose_stack_name }}"
#        state: present
#        recreate: always
    - name: Compose up
      ansible.builtin.command:
        cmd: docker compose up -d
        chdir: "{{ compose_stack_dir }}"

- name: Assert required variables are set
  ansible.builtin.assert:
    that:
      - docker_compose_version is defined

- name: Uninstall Docker Compose from package manager
  ansible.builtin.package:
    name: "{{ docker_compose_package }}"
    state: absent
  when: >-
    docker_compose_package is defined and
    ansible_facts['pkg_mgr'] is defined and
    ansible_facts['pkg_mgr'] != 'unknown'
  become: true
  failed_when: false

- name: Create Docker plugins directory
  ansible.builtin.file:
    path: "/usr/local/lib/docker/cli-plugins/"
    state: directory
    owner: "{{ ansible_facts['user_id'] }}"
    group: "docker"
    mode: "0755"
  register: docker_plugins_dir
  become: true

- name: Install Docker Compose
  ansible.builtin.get_url:
    url: "{{ docker_compose_release_url }}"
    dest: "{{ [docker_plugins_dir.path, 'docker-compose'] | path_join }}"
    owner: "{{ ansible_facts['user_id'] }}"
    group: "docker"
    mode: "0755"
    checksum: "sha256:{{ docker_compose_release_url }}.sha256"
  notify: "Check Docker Compose Version"

# This should be fairly complete but probably isn't...
docker_compose_arch: >-
  {% if ansible_facts['architecture'] in ['x86-64', 'x86_64'] %}
    x86_64
  {% elif ansible_facts['architecture'] in ['armv6'] %}
    armv6
  {% elif ansible_facts['architecture'] in ['armv7'] %}
    armv7
  {% elif ansible_facts['architecture'] in ['armv8', 'armhf', 'aarch'] %}
    aarch64
  {% else %}
    {{ ansible_facts['architecture'] }}
  {% endif %}

docker_compose_package: >-
  {% if (ansible_facts['pkg_mgr'] | lower) in ['apt', 'rpm'] %}
    docker-compose-plugin
  {% elif (ansible_facts['pkg_mgr'] | lower) in ['pacman', 'dnf'] %}
    docker-compose
  {% elif (ansible_facts['pkg_mgr'] | lower) in ['apk'] %}
    docker-cli-compose
  {% endif %}

# yamllint disable-line rule:line-length
docker_compose_release_url: "https://github.com/docker/compose/releases/download/{{ docker_compose_version | trim }}/docker-compose-linux-{{ docker_compose_arch | trim }}"

- name: Check Docker Compose Version
  ansible.builtin.command: docker compose version
  changed_when: false
  register: docker_compose_version
  failed_when: docker_compose_version.rc != 0

/home/compose/<stack>/<service>/        ← compose + env + scripts

/home/data/<stack>/<service>/git/       ← config UIT GIT
/home/data/<stack>/<service>/runtime/   ← alles wat de service zelf maakt

- name: Assert required variables
  ansible.builtin.assert:
    that:
      - ghost_domain is defined
      - ghost_domain is string

- name: Assert Docker ingress network
  community.docker.docker_network_info:
    name: "{{ ghost_ingress_network }}"
  register: _docker_ingress_network_output
  failed_when: not _docker_ingress_network_output.exists

- name: Create Ghost directories
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: "{{ ghost_user }}"
    group: "{{ ghost_group }}"
    mode: "0755"
  become: true
  loop:
    - "{{ ghost_dir }}"
    - "{{ ghost_uploads_dir }}"
    - "{{ ghost_database_dir }}"

ghost_dir: "{{ [appdata, role_name] | path_join }}"

secrets:
  healthchecks_api_token: "{{ vault_secrets.healtchecks_api_token }}"

vault_secrets:
  healthchecks_api_token: "<jouw token>"

healthchecksio:
  check_uuid: <<blabla>>
  api_token: "{{ secrets.healthchecksio_api_token }}"

services:
  jellyfin:
    image: jellyfin/jellyfin:10.11.4@sha256:aab0b50a3ce43a41621fc7040a379cc57174059aec8f9c17a90176649a0c1ab1
    container_name: jellyfin
    volumes:
      - ${HOST_VOLUME_CONFIG}:/config
      - ${HOST_VOLUME_CACHE}:/cache
      - ${HOST_VOLUME_MEDIA}:/media

HOST_VOLUME_CONFIG="{{ jellyfin__compose_volume_config }}"
HOST_VOLUME_CACHE="{{ jellyfin__compose_volume_cache }}"
HOST_VOLUME_MEDIA="{{ jellyfin__compose_volume_media }}"

repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v6.0.0
    hooks:
      - id: check-shebang-scripts-are-executable
      - id: detect-private-key
      - id: end-of-file-fixer
      - id: trailing-whitespace

  - repo: https://github.com/ansible/ansible-lint
    rev: v25.12.0
    hooks:
      - id: ansible-lint

#jinja2: lstrip_blocks: True, trim_blocks: True
---
{{ ansible_managed | comment }}

name: {{ _compose_stack_name }}

services:
  ghost:
    container_name: ${COMPOSE_PROJECT_NAME}
    image: ghost:6.10.0-alpine
    environment:
      NODE_ENV: production
      url: ${GHOST_URL}
      database__client: mysql
      database__connection__host: database
      database__connection__user: ${DATABASE_USERNAME}
      database__connection__password: ${DATABASE_PASSWORD}
      database__connection__database: ${DATABASE_NAME}
    networks:
      ingress:
      internal:
    volumes:
      - {{ ghost_uploads_dir }}:/var/lib/ghost/content
    depends_on:
      database:
        condition: service_healthy
      {% if not ghost_use_hosted_activitypub %}
      activitypub:
        condition: service_started
        required: false
      {% endif %}
    {% if ghost_docker_options is defined %}
    {{ ghost_docker_options | to_nice_yaml | indent(4) }}
    {%- endif %}
    labels:
      traefik.enable: true
      traefik.http.routers.{{ _compose_stack_name }}.rule: "Host(`{{ ghost_domain }}`)"
      traefik.http.routers.{{ _compose_stack_name }}.middlewares: "anubis@docker"
      traefik.http.routers.{{ _compose_stack_name }}.service: "{{ _compose_stack_name }}"
      traefik.http.services.{{ _compose_stack_name }}.loadbalancer.server.port: "2368"
      {%- if _is_unraid +%}
      net.unraid.docker.icon: https://avatars.githubusercontent.com/u/2452804?s=200&v=4
      net.unraid.docker.managed: ansible
      net.unraid.docker.shell: /bin/bash
      {% endif %}

# group_vars/all/vault.yml
vault_maxmind_api_key: "secret string here..."

# group_vars/all/all.yml
maxmind_api_key: "{{ vault_maxmind_api_key }}"

# host_vars/leetower/maxmind_geoip.yml OF group_vars/docker/maxmind_geoip.yml
maxmind_geoip_api_key: "{{ maxmind_api_key }}"

inventories/
├── development
├── production
│   ├── group_vars
│   │   ├── all
│   │   └── <group>
│   └── host_vars
└── staging
    ├── group_vars
    │   ├── all
    │   └── <group>
    └── host_vars

#!/bin/zsh
# shellcheck shell=zsh
#
# python-venv.zsh - Automatically venv when possible!
# Source: https://dev.to/moniquelive/auto-activate-and-deactivate-python-venv-using-zsh-4dlm
#

python_venv() {
  MYVENV=./.venv

  # when you cd into a folder that contains $MYVENV
  [[ -d $MYVENV ]] && source $MYVENV/bin/activate > /dev/null 2>&1
  # when you cd into a folder that doesn't
  [[ ! -d $MYVENV ]] && deactivate > /dev/null 2>&1
}

autoload -U add-zsh-hook
add-zsh-hook chpwd python_venv

python_venv

{
    // See https://go.microsoft.com/fwlink/?LinkId=733558
    // for the documentation about the tasks.json format
    "version": "2.0.0",
    "tasks": [
        {
            "label": "setup",
            "type": "shell",
            "command": "./setup.sh",
            "runOptions": {
              "runOn": "folderOpen"
            },
            "presentation": {
              "echo": false,
              "reveal": "silent",
              "focus": false,
              "panel": "shared",
              "close": true,
            }
        }
    ]
}

# See https://pre-commit.com for more information
# See https://pre-commit.com/hooks.html for more hooks
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v6.0.0
    hooks:
      - id: check-shebang-scripts-are-executable
      - id: detect-private-key
      - id: end-of-file-fixer
      - id: trailing-whitespace

  - repo: https://github.com/renovatebot/pre-commit-hooks
    rev: 42.52.4
    hooks:
      - id: renovate-config-validator

  - repo: https://github.com/docker-compose-linter/pre-commit-dclint
    rev: v3.1.0
    hooks:
      - id: dclint

  - repo: https://github.com/ansible/ansible-lint
    rev: v25.12.0
    hooks:
      - id: ansible-lint
        pass_filenames: true

  - repo: https://github.com/mpalmer/action-validator
    rev: v0.8.0
    hooks:
      - id: action-validator

{
  [...]
  "postStartCommand": "pre-commit install"
}

--
version: 3

images:
  base_image:
    name: ghcr.io/ansible/community-ansible-dev-tools:v25.11.0@sha256:c3ee333e84517404d0940e9fd97b247b18cf60e957cbd1bb45e79ca84848beaa

dependencies:
  galaxy: requirements.yml
  python: requirements.txt

additional_build_steps:
  [..]

[..]
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
      id: docker_buildx
      with:
        platforms: linux/amd64,linux/arm64
[..]
    - name: Build Execution Environment image
      working-directory: .
      run: | 
        ansible-builder build \
          --container-runtime docker \
          --extra-build-cli-args "--load --builder ${{ steps.docker_buildx.outputs.name }} --platform linux/amd64"
[..]

    - name: Build and push
      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
      with:
        context: context/
        push: ${{ github.ref_type == 'tag' }}
        tags: ${{ steps.docker_meta.outputs.tags }}
        labels: ${{ steps.docker_meta.outputs.labels }}

---
- id: check-platform-constraints
  name: Check platform constraints and update renovate.json
  entry: check-platform-constraints
  language: python
  additional_dependencies: ["packaging>=23.2", "pyyaml"]
  files: ^pyproject\.toml$
  pass_filenames: false
  description: Validates dependencies against platform constraints and updates renovate.json

#!/usr/bin/env python3
"""Validate and enforce platform constraints.

This script:
1. Defines platform constraints as constants
2. Validates dependencies in pyproject.toml against these constraints
3. Updates renovate.json with allowedVersions rules to prevent automated bumps
"""

# Platform compatibility constraints for AAP and RHEL
# These represent the MAXIMUM versions we can use to remain compatible
# with downstream platform packages

# AAP 2.5/2.6 ships ansible-core 2.16.x
ansible-core<2.17

# RHEL 8/9 ships cffi 1.15.x
cffi<1.16

# RHEL 8/9 ships setuptools 65.5.1
setuptools<65.6

# galaxy-importer constraint
packaging<25.0

$(python --version | awk '{print $2}') = $(cat .python-version) ] && echo "true" || echo "false"
# of 
$(python --version | awk '{print $2}') = $(cat .python-version) ] && exit 0 || exit 1