cue.dev/x/dockercompose@v0.1.0

schema.cue raw

   1package dockercompose
   2
   3import "list"
   4
   5// Compose Specification
   6//
   7// The Compose file is a YAML file defining a multi-container
   8// application.
   9#Schema: {
  10	@jsonschema(schema="http://json-schema.org/draft-07/schema#")
  11	@jsonschema(id="https://raw.githubusercontent.com/compose-spec/compose-spec/HEAD/schema/compose_spec.json")
  12	close({
    		// close() rejects every top-level key that is neither declared
    		// below nor matched by the x- pattern at the end of this struct.

  13		// declared for backward compatibility, ignored. Please remove it.
  14		"version"?: string
  15
  16		// define the Compose project name, until user defines one
  17		// explicitly.
  18		"name"?: string
  19
  20		// compose sub-projects to be included.
  21		"include"?: [...#include]
  22
  23		// The services that will be used by your application.
  24		"services"?: close({
  25			{[=~"^[a-zA-Z0-9._-]+$"]: #service}
  26		})
  27
  28		// Language models that will be used by your application.
    		// The trailing "..." leaves this map open: keys that do not match
    		// the name pattern are accepted without validation, unlike
    		// "services", "volumes", "secrets" and "configs", which use close().
  29		"models"?: {
  30			{[=~"^[a-zA-Z0-9._-]+$"]: #model}
  31			...
  32		}
  33
  34		// Networks that are shared among multiple services.
    		// Open map as well ("..."): keys outside the name pattern are
    		// accepted without validation.
  35		"networks"?: {
  36			{[=~"^[a-zA-Z0-9._-]+$"]: #network}
  37			...
  38		}
  39
  40		// Named volumes that are shared among multiple services.
  41		"volumes"?: close({
  42			{[=~"^[a-zA-Z0-9._-]+$"]: #volume}
  43		})
  44
  45		// Secrets that are shared among multiple services.
  46		"secrets"?: close({
  47			{[=~"^[a-zA-Z0-9._-]+$"]: #secret}
  48		})
  49
  50		// Configurations that are shared among multiple services.
  51		"configs"?: close({
  52			{[=~"^[a-zA-Z0-9._-]+$"]: #config}
  53		})
  54
    		// Extension keys: any x- key is accepted with an unconstrained
    		// value (_), so nothing stored under an x- key is validated by
    		// this schema. None of the names in the !~ list starts with x-,
    		// so that clause excludes nothing.
  55		{[=~"^x-" & !~"^(version|name|include|services|models|networks|volumes|secrets|configs)$"]: _}
  56	})
  57
  58	// Block IO limit for a specific device.
    	// Both fields are optional and "rate" is int | string with no bound,
    	// so the schema checks the shape of an entry, not its values.
  59	#blkio_limit: close({
  60		// Path to the device (e.g., '/dev/sda').
  61		"path"?: string
  62
  63		// Rate limit in bytes per second or IO operations per second.
  64		"rate"?: int | string
  65	})
  66
  67	// Block IO weight for a specific device.
    	// The 10-1000 range mentioned below is documentation only:
    	// int | string places no bound on "weight".
  68	#blkio_weight: close({
  69		// Path to the device (e.g., '/dev/sda').
  70		"path"?: string
  71
  72		// Relative weight for the device, between 10 and 1000.
  73		"weight"?: int | string
  74	})
  75
  76	// Command to run in the container, which can be specified as a
  77	// string (shell form) or array (exec form).
    	// matchN(1, ...) accepts a value that matches exactly one of the
    	// alternatives: null, a string, or a list of strings.
  78	#command: matchN(1, [null, string, [...string]])
  79
  80	// Config configuration for the Compose application.
    	// No field is required, and "content", "environment", "file" and
    	// "external" are not made mutually exclusive here, so a config that
    	// names several sources (or none) still validates.
  81	#config: close({
  82		// Custom name for this config.
  83		"name"?: string
  84
  85		// Inline content of the config.
  86		"content"?: string
  87
  88		// Name of an environment variable from which to get the config
  89		// value.
  90		"environment"?: string
  91
  92		// Path to a file containing the config value.
  93		"file"?: string
  94
  95		// Specifies that this config already exists and was created
  96		// outside of Compose.
    		// The object form is open ("..."), so keys other than "name" are
    		// accepted without validation.
  97		"external"?: bool | string | {
  98			// Specifies the name of the external config. Deprecated: use the
  99			// 'name' property instead.
 100			"name"?: string
 101			...
 102		}
 103		"labels"?: #list_or_dict
 104
 105		// Driver to use for templating the config's value.
 106		"template_driver"?: string
 107
 108		{[=~"^x-" & !~"^(name|content|environment|file|external|labels|template_driver)$"]: _}
 109	})
 110
 111	// Deployment configuration for the service.
    	// null is accepted in place of the object. Most enumerated settings
    	// ("mode", "endpoint_mode", "failure_action", "condition") are typed
    	// as plain string, so the values listed in their comments are not
    	// enforced; only "order" is restricted to literal values.
 112	#deployment: null | close({
 113		// Deployment mode for the service: 'replicated' (default) or
 114		// 'global'.
 115		"mode"?: string
 116
 117		// Endpoint mode for the service: 'vip' (default) or 'dnsrr'.
 118		"endpoint_mode"?: string
 119
 120		// Number of replicas of the service container to run.
 121		"replicas"?: int | string
 122		"labels"?:   #list_or_dict
 123
 124		// Configuration for rolling back a service update.
 125		"rollback_config"?: close({
 126			// The number of containers to rollback at a time. If set to 0,
 127			// all containers rollback simultaneously.
 128			"parallelism"?: int | string
 129
 130			// The time to wait between each container group's rollback (e.g.,
 131			// '1s', '1m30s').
 132			"delay"?: string
 133
 134			// Action to take if a rollback fails: 'continue', 'pause'.
 135			"failure_action"?: string
 136
 137			// Duration to monitor each task for failures after it is created
 138			// (e.g., '1s', '1m30s').
 139			"monitor"?: string
 140
 141			// Failure rate to tolerate during a rollback.
 142			"max_failure_ratio"?: number | string
 143
 144			// Order of operations during rollbacks: 'stop-first' (default) or
 145			// 'start-first'.
 146			"order"?: "start-first" | "stop-first"
 147
 148			{[=~"^x-" & !~"^(parallelism|delay|failure_action|monitor|max_failure_ratio|order)$"]: _}
 149		})
 150
 151		// Configuration for updating a service.
 152		"update_config"?: close({
 153			// The number of containers to update at a time.
 154			"parallelism"?: int | string
 155
 156			// The time to wait between updating a group of containers (e.g.,
 157			// '1s', '1m30s').
 158			"delay"?: string
 159
 160			// Action to take if an update fails: 'continue', 'pause',
 161			// 'rollback'.
 162			"failure_action"?: string
 163
 164			// Duration to monitor each updated task for failures after it is
 165			// created (e.g., '1s', '1m30s').
 166			"monitor"?: string
 167
 168			// Failure rate to tolerate during an update (0 to 1).
    			// The 0-to-1 range is not enforced: the type is number | string.
 169			"max_failure_ratio"?: number | string
 170
 171			// Order of operations during updates: 'stop-first' (default) or
 172			// 'start-first'.
 173			"order"?: "start-first" | "stop-first"
 174
 175			{[=~"^x-" & !~"^(parallelism|delay|failure_action|monitor|max_failure_ratio|order)$"]: _}
 176		})
 177
 178		// Resource constraints and reservations for the service.
 179		"resources"?: close({
 180			// Resource limits for the service containers.
    			// All three limits are optional, so a service that sets none of
    			// them validates; a policy that requires limits must check for
    			// them separately.
 181			"limits"?: close({
 182				// Limit for how much of the available CPU resources, as number of
 183				// cores, a container can use.
 184				"cpus"?: number | string
 185
 186				// Limit on the amount of memory a container can allocate (e.g.,
 187				// '1g', '1024m').
 188				"memory"?: string
 189
 190				// Maximum number of PIDs available to the container.
 191				"pids"?: int | string
 192
 193				{[=~"^x-" & !~"^(cpus|memory|pids)$"]: _}
 194			})
 195
 196			// Resource reservations for the service containers.
 197			"reservations"?: close({
 198				// Reservation for how much of the available CPU resources, as
 199				// number of cores, a container can use.
 200				"cpus"?: number | string
 201
 202				// Reservation on the amount of memory a container can allocate
 203				// (e.g., '1g', '1024m').
 204				"memory"?:            string
 205				"generic_resources"?: #generic_resources
 206				"devices"?:           #devices
 207
 208				{[=~"^x-" & !~"^(cpus|memory|generic_resources|devices)$"]: _}
 209			})
 210
 211			{[=~"^x-" & !~"^(limits|reservations)$"]: _}
 212		})
 213
 214		// Restart policy for the service containers.
 215		"restart_policy"?: close({
 216			// Condition for restarting the container: 'none', 'on-failure',
 217			// 'any'.
 218			"condition"?: string
 219
 220			// Delay between restart attempts (e.g., '1s', '1m30s').
 221			"delay"?: string
 222
 223			// Maximum number of restart attempts before giving up.
 224			"max_attempts"?: int | string
 225
 226			// Time window used to evaluate the restart policy (e.g., '1s',
 227			// '1m30s').
 228			"window"?: string
 229
 230			{[=~"^x-" & !~"^(condition|delay|max_attempts|window)$"]: _}
 231		})
 232
 233		// Constraints and preferences for the platform to select a
 234		// physical node to run service containers
 235		"placement"?: close({
 236			// Placement constraints for the service (e.g.,
 237			// 'node.role==manager').
 238			"constraints"?: [...string]
 239
 240			// Placement preferences for the service.
 241			"preferences"?: [...close({
 242				// Spread tasks evenly across values of the specified node label.
 243				"spread"?: string
 244
 245				{[=~"^x-" & !~"^(spread)$"]: _}
 246			})]
 247
 248			// Maximum number of replicas of the service.
 249			"max_replicas_per_node"?: int | string
 250
 251			{[=~"^x-" & !~"^(constraints|preferences|max_replicas_per_node)$"]: _}
 252		})
 253
 254		{[=~"^x-" & !~"^(mode|endpoint_mode|replicas|labels|rollback_config|update_config|resources|restart_policy|placement)$"]: _}
 255	})
 256
 257	// Development configuration for the service, used for development
 258	// workflows.
    	// null is accepted in place of the object.
 259	#development: null | close({
 260		// Configure watch mode for the service, which monitors file
 261		// changes and performs actions in response.
    		// "path" and "action" are required (!), and "action" is limited
    		// to the five literal values. "target" and "exec" stay optional
    		// for every action: the schema does not require "target" for the
    		// sync actions or "exec" for 'sync+exec'.
 262		"watch"?: [...close({
 263			"ignore"?:  #string_or_list
 264			"include"?: #string_or_list
 265
 266			// Path to watch for changes.
 267			"path"!: string
 268
 269			// Action to take when a change is detected: rebuild the
 270			// container, sync files, restart the container, sync and
 271			// restart, or sync and execute a command.
 272			"action"!: "rebuild" | "sync" | "restart" | "sync+restart" | "sync+exec"
 273
 274			// Target path in the container for sync operations.
 275			"target"?: string
 276			"exec"?:   #service_hook
 277
 278			// Ensure that an initial synchronization is done before starting
 279			// watch mode for sync+x triggers
 280			"initial_sync"?: bool
 281
 282			{[=~"^x-" & !~"^(ignore|include|path|action|target|exec|initial_sync)$"]: _}
 283		})]
 284
 285		{[=~"^x-" & !~"^(watch)$"]: _}
 286	})
 287
 288	// Device reservations for containers, allowing services to access
 289	// specific hardware devices.
    	// "capabilities" is the only required field (!). "driver" and the
    	// entries of "device_ids" are free-form strings that the schema
    	// does not check against any list of known values.
 290	#devices: [...close({
 291		"capabilities"!: #list_of_strings
 292
 293		// Number of devices of this type to reserve.
 294		"count"?:      int | string
 295		"device_ids"?: #list_of_strings
 296
 297		// Device driver to use (e.g., 'nvidia').
 298		"driver"?:  string
 299		"options"?: #list_or_dict
 300
 301		{[=~"^x-" & !~"^(capabilities|count|device_ids|driver|options)$"]: _}
 302	})]
 303
    	// Environment file reference(s): a single path, or a list whose items
    	// are each a path or an object. The object form is closed and has no
    	// x- pattern, so extension keys are rejected inside it. Paths are
    	// plain strings; the schema does not restrict where they point.
 304	#env_file: matchN(1, [string, [...matchN(1, [string, close({
 305		// Path to the environment file.
 306		"path"!: string
 307
 308		// Format attribute lets you use an alternative file format
 309		// for env_file. When not set, env_file is parsed according to
 310		// Compose rules.
 311		"format"?: string
 312
 313		// Whether the file is required. If true and the file doesn't
 314		// exist, an error will be raised.
 315		"required"?: bool | string
 316	})])]])
 317
 318	// Additional hostnames to be defined in the container's
 319	// /etc/hosts file.
    	// Either a map or a list of unique strings. The ".+" key pattern and
    	// the string values mean host names and addresses are not
    	// syntax-checked by this schema.
 320	#extra_hosts: matchN(1, [close({
 321		{[=~".+"]: matchN(1, [string, [...string]])}
 322	}), list.UniqueItems() & [...string]])
 323
 324	// User-defined resources for services, allowing services to
 325	// reserve specialized hardware resources.
    	// Every field is optional; "kind" is a free-form string and "value"
    	// is number | string with no bound.
 326	#generic_resources: [...close({
 327		// Specification for discrete (countable) resources.
 328		"discrete_resource_spec"?: close({
 329			// Type of resource (e.g., 'GPU', 'FPGA', 'SSD').
 330			"kind"?: string
 331
 332			// Number of resources of this kind to reserve.
 333			"value"?: number | string
 334
 335			{[=~"^x-" & !~"^(kind|value)$"]: _}
 336		})
 337
 338		{[=~"^x-" & !~"^(discrete_resource_spec)$"]: _}
 339	})]
 340
    	// GPU request: the literal "all", or a list of objects. The list items
    	// are open structs ("..." and no close()), so keys other than the ones
    	// declared here are accepted without validation, and, unlike #devices,
    	// "capabilities" is optional.
 341	#gpus: matchN(1, ["all", [...{
 342		"capabilities"?: #list_of_strings
 343
 344		// Number of GPUs to use.
 345		"count"?:      int | string
 346		"device_ids"?: #list_of_strings
 347
 348		// GPU driver to use (e.g., 'nvidia').
 349		"driver"?:  string
 350		"options"?: #list_or_dict
 351		...
 352	}]])
 353
 354	// Configuration options to determine whether the container is
 355	// healthy.
    	// Durations are plain strings and no field is required; the defaults
    	// quoted in the comments are not expressed in the schema itself.
 356	#healthcheck: close({
 357		// Disable any container-specified healthcheck. Set to true to
 358		// disable.
 359		"disable"?: bool | string
 360
 361		// Time between running the check (e.g., '1s', '1m30s'). Default:
 362		// 30s.
 363		"interval"?: string
 364
 365		// Number of consecutive failures needed to consider the container
 366		// as unhealthy. Default: 3.
 367		"retries"?: number | string
 368
 369		// The test to perform to check container health. Can be a string
 370		// or a list. The first item is either NONE, CMD, or CMD-SHELL.
 371		// If it's CMD, the rest of the command is exec'd. If it's
 372		// CMD-SHELL, the rest is run in the shell.
    		// The schema accepts any string or list of strings here; it does
    		// not check that a list starts with NONE, CMD or CMD-SHELL.
 373		"test"?: matchN(1, [string, [...string]])
 374
 375		// Maximum time to allow one check to run (e.g., '1s', '1m30s').
 376		// Default: 30s.
 377		"timeout"?: string
 378
 379		// Start period for the container to initialize before starting
 380		// health-retries countdown (e.g., '1s', '1m30s'). Default: 0s.
 381		"start_period"?: string
 382
 383		// Time between running the check during the start period (e.g.,
 384		// '1s', '1m30s'). Default: interval value.
 385		"start_interval"?: string
 386
 387		{[=~"^x-" & !~"^(disable|interval|retries|test|timeout|start_period|start_interval)$"]: _}
 388	})
 389
 390	// Compose application or sub-projects to be included.
    	// Either a path string or a closed object. The object form has no
    	// x- pattern, so extension keys are rejected, and every field,
    	// including "path", is optional. Paths are plain strings; the schema
    	// does not restrict where they point.
 391	#include: matchN(1, [string, close({
 392		"path"?:     #string_or_list
 393		"env_file"?: #string_or_list
 394
 395		// Path to resolve relative paths set in the Compose file
 396		"project_directory"?: string
 397	})])
 398
    	// Label file reference: a single string or a list of strings. Unlike
    	// #list_of_strings, the list form does not require unique items.
 399	#label_file: matchN(1, [string, [...string]])
 400
 401	// A list of unique string values.
    	// list.UniqueItems() rejects a list that contains duplicate entries;
    	// the strings themselves are otherwise unconstrained.
 402	#list_of_strings: list.UniqueItems() & [...string]
 403
 404	// Either a dictionary mapping keys to values, or a list of
 405	// strings.
    	// In the dictionary form a key only has to match ".+" and a value may
    	// be null, bool, number or string; the list form requires unique
    	// items. Neither form constrains what the keys or values contain.
 406	#list_or_dict: matchN(1, [close({
 407		{[=~".+"]: null | bool | number | string}
 408	}), list.UniqueItems() & [...string]])
 409
 410	// Language Model for the Compose application.
    	// "model" is the only required field (!).
 411	#model: close({
 412		// Custom name for this model.
 413		"name"?: string
 414
 415		// Language Model to run.
 416		"model"!:        string
 417		"context_size"?: int
 418
 419		// Raw runtime flags to pass to the inference engine.
    		// Any list of strings validates; the schema does not restrict
    		// which flags may appear.
 420		"runtime_flags"?: [...string]
 421
 422		{[=~"^x-" & !~"^(name|model|context_size|runtime_flags)$"]: _}
 423	})
 424
 425	// Network configuration for the Compose application.
    	// null is accepted in place of the object. Address-like fields
    	// ("subnet", "ip_range", "gateway", "aux_addresses") are plain
    	// strings, so CIDR and IP syntax is not checked by this schema.
 426	#network: null | close({
 427		// Custom name for this network.
 428		"name"?: string
 429
 430		// Specify which driver should be used for this network. Default
 431		// is 'bridge'.
 432		"driver"?: string
 433
 434		// Specify driver-specific options defined as key/value pairs.
    		// Open map ("..."): keys that do not match the pattern are
    		// accepted without validation.
 435		"driver_opts"?: {
 436			{[=~"^.+$"]: number | string}
 437			...
 438		}
 439
 440		// Custom IP Address Management configuration for this network.
 441		"ipam"?: close({
 442			// Custom IPAM driver, instead of the default.
 443			"driver"?: string
 444
 445			// List of IPAM configuration blocks.
 446			"config"?: [...close({
 447				// Subnet in CIDR format that represents a network segment.
 448				"subnet"?: string
 449
 450				// Range of IPs from which to allocate container IPs.
 451				"ip_range"?: string
 452
 453				// IPv4 or IPv6 gateway for the subnet.
 454				"gateway"?: string
 455
 456				// Auxiliary IPv4 or IPv6 addresses used by Network driver.
 457				"aux_addresses"?: close({
 458					{[=~"^.+$"]: string}
 459				})
 460
 461				{[=~"^x-" & !~"^(subnet|ip_range|gateway|aux_addresses)$"]: _}
 462			})]
 463
 464			// Driver-specific options for the IPAM driver.
 465			"options"?: close({
 466				{[=~"^.+$"]: string}
 467			})
 468
 469			{[=~"^x-" & !~"^(driver|config|options)$"]: _}
 470		})
 471
 472		// Specifies that this network already exists and was created
 473		// outside of Compose.
    		// Here the object form is closed: only "name" and x- keys pass.
 474		"external"?: bool | string | close({
 475			// Specifies the name of the external network. Deprecated: use the
 476			// 'name' property instead.
 477			"name"?: string
 478
 479			{[=~"^x-" & !~"^(name)$"]: _}
 480		})
 481
 482		// Create an externally isolated network.
 483		"internal"?: bool | string
 484
 485		// Enable IPv4 networking.
 486		"enable_ipv4"?: bool | string
 487
 488		// Enable IPv6 networking.
 489		"enable_ipv6"?: bool | string
 490
 491		// If true, standalone containers can attach to this network.
 492		"attachable"?: bool | string
 493		"labels"?:     #list_or_dict
 494
 495		{[=~"^x-" & !~"^(name|driver|driver_opts|ipam|external|internal|enable_ipv4|enable_ipv6|attachable|labels)$"]: _}
 496	})
 497
 498	// Secret configuration for the Compose application.
    	// No field is required, and "environment", "file" and "external" are
    	// not made mutually exclusive here, so a secret naming several
    	// sources (or none) still validates. Unlike #config there is no
    	// inline "content" field; because the struct is closed, a "content"
    	// key is rejected.
 499	#secret: close({
 500		// Custom name for this secret.
 501		"name"?: string
 502
 503		// Name of an environment variable from which to get the secret
 504		// value.
 505		"environment"?: string
 506
 507		// Path to a file containing the secret value.
 508		"file"?: string
 509
 510		// Specifies that this secret already exists and was created
 511		// outside of Compose.
    		// The object form is open ("..."), so keys other than "name" are
    		// accepted without validation.
 512		"external"?: bool | string | {
 513			// Specifies the name of the external secret.
 514			"name"?: string
 515			...
 516		}
 517		"labels"?: #list_or_dict
 518
 519		// Specify which secret driver should be used for this secret.
 520		"driver"?: string
 521
 522		// Specify driver-specific options.
    		// Open map ("..."): keys that do not match the pattern are
    		// accepted without validation.
 523		"driver_opts"?: {
 524			{[=~"^.+$"]: number | string}
 525			...
 526		}
 527
 528		// Driver to use for templating the secret's value.
 529		"template_driver"?: string
 530
 531		{[=~"^x-" & !~"^(name|environment|file|external|labels|driver|driver_opts|template_driver)$"]: _}
 532	})
 533
 534	// Configuration for a service.
 535	#service: close({
 536		"develop"?:     #development
 537		"deploy"?:      #deployment
 538		"annotations"?: #list_or_dict
 539		"attach"?:      bool | string
 540
 541		// Configuration options for building the service's image.
 542		"build"?: matchN(1, [string, close({
 543			// Path to the build context. Can be a relative path or a URL.
 544			"context"?: string
 545
 546			// Name of the Dockerfile to use for building the image.
 547			"dockerfile"?: string
 548
 549			// Inline Dockerfile content to use instead of a Dockerfile from
 550			// the build context.
 551			"dockerfile_inline"?: string
 552
 553			// List of extra privileged entitlements to grant to the build
 554			// process.
 555			"entitlements"?: [...string]
 556			"args"?:   #list_or_dict
 557			"ssh"?:    #list_or_dict
 558			"labels"?: #list_or_dict
 559
 560			// List of sources the image builder should use for cache
 561			// resolution
 562			"cache_from"?: [...string]
 563
 564			// Cache destinations for the build cache.
 565			"cache_to"?: [...string]
 566
 567			// Do not use cache when building the image.
 568			"no_cache"?:            bool | string
 569			"additional_contexts"?: #list_or_dict
 570
 571			// Network mode to use for the build. Options include 'default',
 572			// 'none', 'host', or a network name.
 573			"network"?: string
 574
 575			// Add a provenance attestation
 576			"provenance"?: bool | string
 577
 578			// Add a SBOM attestation
 579			"sbom"?: bool | string
 580
 581			// Always attempt to pull a newer version of the image.
 582			"pull"?: bool | string
 583
 584			// Build stage to target in a multi-stage Dockerfile.
 585			"target"?: string
 586
 587			// Size of /dev/shm for the build container. A string value can
 588			// use suffix like '2g' for 2 gigabytes.
 589			"shm_size"?:    int | string
 590			"extra_hosts"?: #extra_hosts
 591
 592			// Container isolation technology to use for the build process.
 593			"isolation"?: string
 594
 595			// Give extended privileges to the build container.
 596			"privileged"?: bool | string
 597			"secrets"?:    #service_config_or_secret
 598
 599			// Additional tags to apply to the built image.
 600			"tags"?: [...string]
 601			"ulimits"?: #ulimits
 602
 603			// Platforms to build for, e.g., 'linux/amd64', 'linux/arm64', or
 604			// 'windows/amd64'.
 605			"platforms"?: [...string]
 606
 607			{[=~"^x-" & !~"^(context|dockerfile|dockerfile_inline|entitlements|args|ssh|labels|cache_from|cache_to|no_cache|additional_contexts|network|provenance|sbom|pull|target|shm_size|extra_hosts|isolation|privileged|secrets|tags|ulimits|platforms)$"]: _}
 608		})])
 609
 610		// Block IO configuration for the service.
 611		"blkio_config"?: close({
 612			// Limit read rate (bytes per second) from a device.
 613			"device_read_bps"?: [...#blkio_limit]
 614
 615			// Limit read rate (IO per second) from a device.
 616			"device_read_iops"?: [...#blkio_limit]
 617
 618			// Limit write rate (bytes per second) to a device.
 619			"device_write_bps"?: [...#blkio_limit]
 620
 621			// Limit write rate (IO per second) to a device.
 622			"device_write_iops"?: [...#blkio_limit]
 623
 624			// Block IO weight (relative weight) for the service, between 10
 625			// and 1000.
 626			"weight"?: int | string
 627
 628			// Block IO weight (relative weight) for specific devices.
 629			"weight_device"?: [...#blkio_weight]
 630		})
 631
 632		// Add Linux capabilities. For example, 'CAP_SYS_ADMIN',
 633		// 'SYS_ADMIN', or 'NET_ADMIN'.
 634		"cap_add"?: list.UniqueItems() & [...string]
 635
 636		// Drop Linux capabilities. For example, 'CAP_SYS_ADMIN',
 637		// 'SYS_ADMIN', or 'NET_ADMIN'.
 638		"cap_drop"?: list.UniqueItems() & [...string]
 639
 640		// Specify the cgroup namespace to join. Use 'host' to use the
 641		// host's cgroup namespace, or 'private' to use a private cgroup
 642		// namespace.
 643		"cgroup"?: "host" | "private"
 644
 645		// Specify an optional parent cgroup for the container.
 646		"cgroup_parent"?: string
 647		"command"?:       #command
 648		"configs"?:       #service_config_or_secret
 649
 650		// Specify a custom container name, rather than a generated
 651		// default name.
 652		"container_name"?: =~"[a-zA-Z0-9][a-zA-Z0-9_.-]+"
 653
 654		// Number of usable CPUs.
 655		"cpu_count"?: matchN(1, [string, int & >=0])
 656
 657		// Percentage of CPU resources to use.
 658		"cpu_percent"?: matchN(1, [string, int & >=0 & <=100])
 659
 660		// CPU shares (relative weight) for the container.
 661		"cpu_shares"?: number | string
 662
 663		// Limit the CPU CFS (Completely Fair Scheduler) quota.
 664		"cpu_quota"?: number | string
 665
 666		// Limit the CPU CFS (Completely Fair Scheduler) period.
 667		"cpu_period"?: number | string
 668
 669		// Limit the CPU real-time period in microseconds or a duration.
 670		"cpu_rt_period"?: number | string
 671
 672		// Limit the CPU real-time runtime in microseconds or a duration.
 673		"cpu_rt_runtime"?: number | string
 674
 675		// Number of CPUs to use. A floating-point value is supported to
 676		// request partial CPUs.
 677		"cpus"?: number | string
 678
 679		// CPUs in which to allow execution (0-3, 0,1).
 680		"cpuset"?: string
 681
 682		// Configure the credential spec for managed service account.
 683		"credential_spec"?: close({
 684			// The name of the credential spec Config to use.
 685			"config"?: string
 686
 687			// Path to a credential spec file.
 688			"file"?: string
 689
 690			// Path to a credential spec in the Windows registry.
 691			"registry"?: string
 692
 693			{[=~"^x-" & !~"^(config|file|registry)$"]: _}
 694		})
 695
 696		// Express dependency between services. Service dependencies cause
 697		// services to be started in dependency order. The dependent
 698		// service will wait for the dependency to be ready before
 699		// starting.
 700		"depends_on"?: matchN(1, [#list_of_strings, close({
 701			{[=~"^[a-zA-Z0-9._-]+$"]: close({
 702				// Whether to restart dependent services when this service is
 703				// restarted.
 704				"restart"?: bool | string
 705
 706				// Whether the dependency is required for the dependent service to
 707				// start.
 708				"required"?: bool
 709
 710				// Condition to wait for. 'service_started' waits until the
 711				// service has started, 'service_healthy' waits until the service
 712				// is healthy (as defined by its healthcheck),
 713				// 'service_completed_successfully' waits until the service has
 714				// completed successfully.
 715				"condition"!: "service_started" | "service_healthy" | "service_completed_successfully"
 716
 717				{[=~"^x-" & !~"^(restart|required|condition)$"]: _}
 718			})
 719			}
 720		})])
 721		"device_cgroup_rules"?: #list_of_strings
 722
 723		// List of device mappings for the container.
 724		"devices"?: [...matchN(1, [string, close({
 725			// Path on the host to the device.
 726			"source"!: string
 727
 728			// Path in the container where the device will be mapped.
 729			"target"?: string
 730
 731			// Cgroup permissions for the device (rwm).
 732			"permissions"?: string
 733
 734			{[=~"^x-" & !~"^(source|target|permissions)$"]: _}
 735		})])]
 736		"dns"?: #string_or_list
 737
 738		// Custom DNS options to be passed to the container's DNS
 739		// resolver.
 740		"dns_opt"?: list.UniqueItems() & [...string]
 741		"dns_search"?: #string_or_list
 742
 743		// Custom domain name to use for the service container.
 744		"domainname"?:  string
 745		"entrypoint"?:  #command
 746		"env_file"?:    #env_file
 747		"label_file"?:  #label_file
 748		"environment"?: #list_or_dict
 749
 750		// Expose ports without publishing them to the host machine -
 751		// they'll only be accessible to linked services.
 752		"expose"?: list.UniqueItems() & [...number | string]
 753
 754		// Extend another service, in the current file or another file.
 755		"extends"?: matchN(1, [string, close({
 756			// The name of the service to extend.
 757			"service"!: string
 758
 759			// The file path where the service to extend is defined.
 760			"file"?: string
 761		})])
 762
 763		// Specify a service which will not be manage by Compose directly,
 764		// and delegate its management to an external provider.
 765		"provider"?: close({
 766			// External component used by Compose to manage setup and teardown
 767			// lifecycle of the service.
 768			"type"!: string
 769
 770			// Provider-specific options.
 771			"options"?: {
 772				{[=~"^.+$"]: matchN(1, [bool | number | string, [...bool | number | string]])}
 773				...
 774			}
 775
 776			{[=~"^x-" & !~"^(type|options)$"]: _}
 777		})
 778
 779		// Link to services started outside this Compose application.
 780		// Specify services as <service_name>:<alias>.
 781		"external_links"?: list.UniqueItems() & [...string]
 782		"extra_hosts"?: #extra_hosts
 783		"gpus"?:        #gpus
 784
 785		// Add additional groups which user inside the container should be
 786		// member of.
 787		"group_add"?: list.UniqueItems() & [...number | string]
 788		"healthcheck"?: #healthcheck
 789
 790		// Define a custom hostname for the service container.
 791		"hostname"?: string
 792
 793		// Specify the image to start the container from. Can be a
 794		// repository/tag, a digest, or a local image ID.
 795		"image"?: string
 796
 797		// Run as an init process inside the container that forwards
 798		// signals and reaps processes.
 799		"init"?: bool | string
 800
 801		// IPC sharing mode for the service container. Use 'host' to share
 802		// the host's IPC namespace, 'service:[service_name]' to share
 803		// with another service, or 'shareable' to allow other services
 804		// to share this service's IPC namespace.
 805		"ipc"?: string
 806
 807		// Container isolation technology to use. Supported values are
 808		// platform-specific.
 809		"isolation"?: string
 810		"labels"?:    #list_or_dict
 811
 812		// Link to containers in another service. Either specify both the
 813		// service name and a link alias (SERVICE:ALIAS), or just the
 814		// service name.
 815		"links"?: list.UniqueItems() & [...string]
 816
 817		// Logging configuration for the service.
 818		"logging"?: close({
 819			// Logging driver to use, such as 'json-file', 'syslog',
 820			// 'journald', etc.
 821			"driver"?: string
 822
 823			// Options for the logging driver.
 824			"options"?: {
 825				{[=~"^.+$"]: null | number | string}
 826				...
 827			}
 828
 829			{[=~"^x-" & !~"^(driver|options)$"]: _}
 830		})
 831
 832		// Container MAC address to set.
 833		"mac_address"?: string
 834
 835		// Memory limit for the container. A string value can use suffix
 836		// like '2g' for 2 gigabytes.
 837		"mem_limit"?: number | string
 838
 839		// Memory reservation for the container.
 840		"mem_reservation"?: int | string
 841
 842		// Container memory swappiness as percentage (0 to 100).
 843		"mem_swappiness"?: int | string
 844
 845		// Amount of memory the container is allowed to swap to disk. Set
 846		// to -1 to enable unlimited swap.
 847		"memswap_limit"?: number | string
 848
 849		// Network mode. Values can be 'bridge', 'host', 'none',
 850		// 'service:[service name]', or 'container:[container name]'.
 851		"network_mode"?: string
 852
 853		// AI Models to use, referencing entries under the top-level
 854		// models key.
 855		"models"?: matchN(1, [#list_of_strings, {
 856			{[=~"^[a-zA-Z0-9._-]+$"]: close({
 857				// Environment variable set to AI model endpoint.
 858				"endpoint_var"?: string
 859
 860				// Environment variable set to AI model name.
 861				"model_var"?: string
 862
 863				{[=~"^x-" & !~"^(endpoint_var|model_var)$"]: _}
 864			})
 865			}
 866			...
 867		}])
 868
 869		// Networks to join, referencing entries under the top-level
 870		// networks key. Can be a list of network names or a mapping of
 871		// network name to network configuration.
 872		"networks"?: matchN(1, [#list_of_strings, close({
 873			{[=~"^[a-zA-Z0-9._-]+$"]: matchN(1, [close({
 874				"aliases"?: #list_of_strings
 875
 876				// Interface network name used to connect to network
 877				"interface_name"?: string
 878
 879				// Specify a static IPv4 address for this service on this network.
 880				"ipv4_address"?: string
 881
 882				// Specify a static IPv6 address for this service on this network.
 883				"ipv6_address"?: string, "link_local_ips"?: #list_of_strings
 884
 885				// Specify a MAC address for this service on this network.
 886				"mac_address"?: string
 887
 888				// Driver options for this network.
 889				"driver_opts"?: {
 890					{[=~"^.+$"]: number | string}
 891					...
 892				}
 893
 894				// Specify the priority for the network connection.
 895				"priority"?: number
 896
 897				// Specify the gateway priority for the network connection.
 898				"gw_priority"?: number
 899
 900				{[=~"^x-" & !~"^(aliases|interface_name|ipv4_address|ipv6_address|link_local_ips|mac_address|driver_opts|priority|gw_priority)$"]: _}
 901			}), null])
 902			}
 903		})])
 904
 905		// Disable OOM Killer for the container.
 906		"oom_kill_disable"?: bool | string
 907
 908		// Tune host's OOM preferences for the container (accepts -1000 to
 909		// 1000).
 910		"oom_score_adj"?: matchN(1, [string, int & >=-1000 & <=1000])
 911
 912		// PID mode for container.
 913		"pid"?: null | string
 914
 915		// Tune a container's PIDs limit. Set to -1 for unlimited PIDs.
 916		"pids_limit"?: number | string
 917
 918		// Target platform to run on, e.g., 'linux/amd64', 'linux/arm64',
 919		// or 'windows/amd64'.
 920		"platform"?: string
 921
 922		// Expose container ports. Short format
 923		// ([HOST:]CONTAINER[/PROTOCOL]).
 924		"ports"?: list.UniqueItems() & [...matchN(1, [number, string, close({
 925			// A human-readable name for this port mapping.
 926			"name"?: string
 927
 928			// The port binding mode, either 'host' for publishing a host port
 929			// or 'ingress' for load balancing.
 930			"mode"?: string
 931
 932			// The host IP to bind to.
 933			"host_ip"?: string
 934
 935			// The port inside the container.
 936			"target"?: int | string
 937
 938			// The publicly exposed port.
 939			"published"?: int | string
 940
 941			// The port protocol (tcp or udp).
 942			"protocol"?: string
 943
 944			// Application protocol to use with the port (e.g., http, https,
 945			// mysql).
 946			"app_protocol"?: string
 947
 948			{[=~"^x-" & !~"^(name|mode|host_ip|target|published|protocol|app_protocol)$"]: _}
 949		})])]
 950
 951		// Commands to run after the container starts. If any command
 952		// fails, the container stops.
    		// Each entry is a #service_hook, which can set its own 'user' and
    		// 'privileged' values independently of the service.
 953		"post_start"?: [...#service_hook]
 954
 955		// Commands to run before the container stops. If any command
 956		// fails, the container stop is aborted.
 957		"pre_stop"?: [...#service_hook]
 958
 959		// Give extended privileges to the service container.
    		// NOTE(review): a privileged container has far weaker isolation from
    		// the host. Because any string is accepted as well as a bool
    		// (presumably for interpolation — confirm), this schema alone cannot
    		// forbid it; add a separate policy constraint where privileged
    		// services are not allowed.
 960		"privileged"?: bool | string
    		// Profiles as a list of strings (#list_of_strings is defined
    		// outside this excerpt).
 961		"profiles"?:   #list_of_strings
 962
 963		// Policy for pulling images. Options include: 'always', 'never',
 964		// 'if_not_present', 'missing', 'build', or time-based refresh
 965		// policies.
    		// NOTE(review): unlike the other patterns in this file, this regular
    		// expression has no ^...$ anchors, so a string that merely contains
    		// one of the alternatives (e.g. 'whenever' contains 'never') also
    		// satisfies it. Confirm whether that is intended before relying on
    		// this field for validation.
 966		"pull_policy"?: =~"always|never|build|if_not_present|missing|refresh|daily|weekly|every_([0-9]+[wdhms])+"
 967
 968		// Time after which to refresh the image. Used with
 969		// pull_policy=refresh.
    		// Free-form string; no duration format is enforced here.
 970		"pull_refresh_after"?: string
 971
 972		// Mount the container's filesystem as read only.
 973		"read_only"?: bool | string
 974
 975		// Restart policy for the service container. Options include:
 976		// 'no', 'always', 'on-failure', and 'unless-stopped'.
    		// Typed as a plain string: the listed options are not enforced.
 977		"restart"?: string
 978
 979		// Runtime to use for this container, e.g., 'runc'.
 980		"runtime"?: string
 981
 982		// Number of containers to deploy for this service.
 983		"scale"?: int | string
 984
 985		// Override the default labeling scheme for each container.
    		// Entries are unique free-form strings; their content is not
    		// validated. NOTE(review): this list is also where confinement
    		// options (e.g. seccomp or AppArmor profiles) are normally passed,
    		// so values that relax confinement deserve a policy check — confirm
    		// against the Compose specification.
 986		"security_opt"?: list.UniqueItems() & [...string]
 987
 988		// Size of /dev/shm. A string value can use suffix like '2g' for 2
 989		// gigabytes.
 990		"shm_size"?: number | string
    		// Secrets granted to this service, in short (string) or long
    		// (struct) form; see #service_config_or_secret.
 991		"secrets"?:  #service_config_or_secret
    		// Kernel parameters, as a list or a mapping (#list_or_dict is
    		// defined outside this excerpt).
 992		"sysctls"?:  #list_or_dict
 993
 994		// Keep STDIN open even if not attached.
 995		"stdin_open"?: bool | string
 996
 997		// Time to wait for the container to stop gracefully before
 998		// sending SIGKILL (e.g., '1s', '1m30s').
 999		"stop_grace_period"?: string
1000
1001		// Signal to stop the container (e.g., 'SIGTERM', 'SIGINT').
1002		"stop_signal"?: string
1003
1004		// Storage driver options for the container.
    		// Open struct: any keys and values are accepted.
1005		"storage_opt"?: {
1006			...
1007		}
    		// tmpfs mounts, as a single string or a list of strings.
1008		"tmpfs"?: #string_or_list
1009
1010		// Allocate a pseudo-TTY to service container.
1011		"tty"?:     bool | string
    		// Per-container resource limits; see #ulimits.
1012		"ulimits"?: #ulimits
1013
1014		// Bind mount Docker API socket and required auth.
    		// NOTE(review): access to the Docker API socket lets the container
    		// control the Docker daemon, which is generally equivalent to
    		// administrative access to the host. Enable it only for services
    		// that are trusted to that level.
1015		"use_api_socket"?: bool
1016
1017		// Username or UID to run the container process as.
    		// NOTE(review): when omitted, the user presumably comes from the
    		// image, which is often root — confirm, and set an unprivileged
    		// user where the workload allows it.
1018		"user"?: string
1019
1020		// UTS namespace to use. 'host' shares the host's UTS namespace.
1021		"uts"?: string
1022
1023		// User namespace to use. 'host' shares the host's user namespace.
    		// Like 'uts', typed as a plain string: 'host' cannot be rejected by
    		// this schema alone.
1024		"userns_mode"?: string
1025
1026		// Mount host paths or named volumes accessible to the container.
1027		// Short syntax (VOLUME:CONTAINER_PATH[:MODE])
    		// Each entry must match exactly one of: a string (short syntax) or
    		// the closed long-form struct below. Entries must be unique.
1028		"volumes"?: list.UniqueItems() & [...matchN(1, [string, close({
1029			// The mount type: bind for mounting host directories, volume for
1030			// named volumes, tmpfs for temporary filesystems, cluster for
1031			// cluster volumes, npipe for named pipes, or image for mounting
1032			// from an image.
    			// Required ('!') in the long form.
1033			"type"!: "bind" | "volume" | "tmpfs" | "cluster" | "npipe" | "image"
1034
1035			// The source of the mount, a path on the host for a bind mount, a
1036			// docker image reference for an image mount, or the name of a
1037			// volume defined in the top-level volumes key. Not applicable
1038			// for a tmpfs mount.
    			// NOTE(review): the schema does not constrain which host paths may
    			// be bind-mounted, and the type-specific sections below are not
    			// tied to the value of 'type'. Enforce an allow-list of host paths
    			// in policy where bind mounts are permitted.
1039			"source"?: string
1040
1041			// The path in the container where the volume is mounted.
1042			"target"?: string
1043
1044			// Flag to set the volume as read-only.
1045			"read_only"?: bool | string
1046
1047			// The consistency requirements for the mount. Available values
1048			// are platform specific.
1049			"consistency"?: string
1050
1051			// Configuration specific to bind mounts.
1052			"bind"?: close({
1053				// The propagation mode for the bind mount: 'shared', 'slave',
1054				// 'private', 'rshared', 'rslave', or 'rprivate'.
    				// Typed as a plain string: the listed modes are not enforced.
1055				"propagation"?: string
1056
1057				// Create the host path if it doesn't exist.
    				// NOTE(review): when this is enabled, a mistyped source path is
    				// created on the host instead of being reported as an error.
1058				"create_host_path"?: bool | string
1059
1060				// Recursively mount the source directory.
1061				"recursive"?: "enabled" | "disabled" | "writable" | "readonly"
1062
1063				// SELinux relabeling options: 'z' for shared content, 'Z' for
1064				// private unshared content.
    				// NOTE(review): relabeling changes the SELinux label on the host
    				// path itself; avoid it on system directories.
1065				"selinux"?: "z" | "Z"
1066
1067				{[=~"^x-" & !~"^(propagation|create_host_path|recursive|selinux)$"]: _}
1068			})
1069
1070			// Configuration specific to volume mounts.
1071			"volume"?: close({
    				// Labels, as a list or a mapping (#list_or_dict is defined
    				// outside this excerpt).
1072				"labels"?: #list_or_dict
1073
1074				// Flag to disable copying of data from a container when a volume
1075				// is created.
1076				"nocopy"?: bool | string
1077
1078				// Path within the volume to mount instead of the volume root.
1079				"subpath"?: string
1080
1081				{[=~"^x-" & !~"^(labels|nocopy|subpath)$"]: _}
1082			})
1083
1084			// Configuration specific to tmpfs mounts.
1085			"tmpfs"?: close({
1086				// Size of the tmpfs mount in bytes.
    				// The non-negative check applies only to the int alternative;
    				// any string is accepted.
1087				"size"?: matchN(1, [int & >=0, string])
1088
1089				// File mode of the tmpfs in octal.
1090				"mode"?: number | string
1091
1092				{[=~"^x-" & !~"^(size|mode)$"]: _}
1093			})
1094
1095			// Configuration specific to image mounts.
1096			"image"?: close({
1097				// Path within the image to mount instead of the image root.
1098				"subpath"?: string
1099
1100				{[=~"^x-" & !~"^(subpath)$"]: _}
1101			})
1102
    			// Extension fields: any key starting with 'x-' is allowed with an
    			// arbitrary value; close() rejects every other undeclared key.
1103			{[=~"^x-" & !~"^(type|source|target|read_only|consistency|bind|volume|tmpfs|image)$"]: _}
1104		})])]
1105
1106		// Mount volumes from another service or container. Optionally
1107		// specify read-only access (ro) or read-write (rw).
    		// Entries are unique free-form strings; the ro/rw suffix is not
    		// validated by this schema.
1108		"volumes_from"?: list.UniqueItems() & [...string]
1109
1110		// The working directory in which the entrypoint or command will
1111		// be run.
1112		"working_dir"?: string
1113
    		// Extension fields for a service: any key starting with 'x-' is
    		// allowed with an arbitrary value. The negated pattern lists the
    		// declared field names; none of them starts with 'x-'. Other
    		// undeclared keys are presumably rejected by the enclosing close(),
    		// whose opening is outside this excerpt.
1114		{[=~"^x-" & !~"^(develop|deploy|annotations|attach|build|blkio_config|cap_add|cap_drop|cgroup|cgroup_parent|command|configs|container_name|cpu_count|cpu_percent|cpu_shares|cpu_quota|cpu_period|cpu_rt_period|cpu_rt_runtime|cpus|cpuset|credential_spec|depends_on|device_cgroup_rules|devices|dns|dns_opt|dns_search|domainname|entrypoint|env_file|label_file|environment|expose|extends|provider|external_links|extra_hosts|gpus|group_add|healthcheck|hostname|image|init|ipc|isolation|labels|links|logging|mac_address|mem_limit|mem_reservation|mem_swappiness|memswap_limit|network_mode|models|networks|oom_kill_disable|oom_score_adj|pid|pids_limit|platform|ports|post_start|pre_stop|privileged|profiles|pull_policy|pull_refresh_after|read_only|restart|runtime|scale|security_opt|shm_size|secrets|sysctls|stdin_open|stop_grace_period|stop_signal|storage_opt|tmpfs|tty|ulimits|use_api_socket|user|uts|userns_mode|volumes|volumes_from|working_dir)$"]: _}
1115	})
1116
1117	// Configuration for service configs or secrets, defining how they
1118	// are mounted in the container.
    	// A list whose entries each match exactly one of: a string (short
    	// form) or the closed long-form struct below.
1119	#service_config_or_secret: [...matchN(1, [string, close({
1120		// Name of the config or secret as defined in the top-level
1121		// configs or secrets section.
    		// Optional in this schema; whether the name refers to an existing
    		// top-level entry is not checked here.
1122		"source"?: string
1123
1124		// Path in the container where the config or secret will be
1125		// mounted. Defaults to /<source> for configs and
1126		// /run/secrets/<source> for secrets.
1127		"target"?: string
1128
1129		// UID of the file in the container. Default is 0 (root).
    		// Typed as a string, not a number.
1130		"uid"?: string
1131
1132		// GID of the file in the container. Default is 0 (root).
    		// Typed as a string, not a number.
1133		"gid"?: string
1134
1135		// File permission mode inside the container, in octal. Default is
1136		// 0444 for configs and 0400 for secrets.
    		// No range or format check is applied. NOTE(review): a mode broader
    		// than the 0400 default makes a secret readable by other users
    		// inside the container; keep secrets at the default unless the
    		// workload needs more.
1137		"mode"?: number | string
1138
    		// Extension fields: any key starting with 'x-' is allowed with an
    		// arbitrary value; close() rejects every other undeclared key.
1139		{[=~"^x-" & !~"^(source|target|uid|gid|mode)$"]: _}
1140	})])]
1141
1142	// Configuration for service lifecycle hooks, which are commands
1143	// executed at specific points in a container's lifecycle.
    	// Referenced by the service fields 'post_start' and 'pre_stop'.
1144	#service_hook: close({
    		// The command to run; required ('!'). #command is defined outside
    		// this excerpt.
1145		"command"!: #command
1146
1147		// User to run the command as.
1148		"user"?: string
1149
1150		// Whether to run the command with extended privileges.
    		// NOTE(review): set per hook, independently of the service-level
    		// 'privileged' field, and any string is accepted as well as a bool.
    		// A policy that restricts privileged services should cover hooks too.
1151		"privileged"?: bool | string
1152
1153		// Working directory for the command.
1154		"working_dir"?: string
    		// Environment for the command, as a list or a mapping
    		// (#list_or_dict is defined outside this excerpt).
1155		"environment"?: #list_or_dict
1156
    		// Extension fields: any key starting with 'x-' is allowed with an
    		// arbitrary value; close() rejects every other undeclared key.
1157		{[=~"^x-" & !~"^(command|user|privileged|working_dir|environment)$"]: _}
1158	})
1159
1160	// Either a single string or a list of strings.
    	// matchN(1, ...) requires the value to satisfy exactly one of the two
    	// alternatives. #list_of_strings is defined outside this excerpt.
1161	#string_or_list: matchN(1, [string, #list_of_strings])
1162
1163	// Container ulimit options, controlling resource limits for
1164	// processes inside the container.
    	// Keys made only of lowercase letters must hold either a single
    	// int/string value or a closed struct with both 'hard' and 'soft'.
    	// NOTE(review): the trailing '...' leaves the struct open, so a key
    	// that does not match ^[a-z]+$ (e.g. an uppercase name) is accepted
    	// with any value and is not checked by this schema.
1165	#ulimits: {
1166		{[=~"^[a-z]+$"]: matchN(1, [int | string, close({
1167			// Hard limit for the ulimit type. This is the maximum allowed
1168			// value.
    			// Required ('!'); no numeric range is enforced.
1169			"hard"!: int | string
1170
1171			// Soft limit for the ulimit type. This is the value that's
1172			// actually enforced.
    			// Required ('!'); the schema does not check that soft <= hard.
1173			"soft"!: int | string
1174
1175			{[=~"^x-" & !~"^(hard|soft)$"]: _}
1176		})])
1177		}
1178		...
1179	}
1180
1181	// Volume configuration for the Compose application.
    	// Either null (a volume declared with no settings) or the closed
    	// struct below.
1182	#volume: null | close({
1183		// Custom name for this volume.
1184		"name"?: string
1185
1186		// Specify which volume driver should be used for this volume.
1187		"driver"?: string
1188
1189		// Specify driver-specific options.
    		// Every non-empty key must map to a number or a string. The option
    		// names themselves are not validated.
1190		"driver_opts"?: {
1191			{[=~"^.+$"]: number | string}
1192			...
1193		}
1194
1195		// Specifies that this volume already exists and was created
1196		// outside of Compose.
    		// Accepts a bool, any string, or a closed struct holding the
    		// deprecated 'name' field.
1197		"external"?: bool | string | close({
1198			// Specifies the name of the external volume. Deprecated: use the
1199			// 'name' property instead.
1200			"name"?: string
1201
1202			{[=~"^x-" & !~"^(name)$"]: _}
1203		})
    		// Labels, as a list or a mapping (#list_or_dict is defined outside
    		// this excerpt).
1204		"labels"?: #list_or_dict
1205
    		// Extension fields: any key starting with 'x-' is allowed with an
    		// arbitrary value; close() rejects every other undeclared key.
1206		{[=~"^x-" & !~"^(name|driver|driver_opts|external|labels)$"]: _}
1207	})
1208}