
Releases: cipherfoxie/watchdocker

watchdocker v0.1.0

01 Jun 11:00

Initial release. Pure-bash Docker Compose auto-updater that runs as a systemd timer instead of a 24/7 container. The bash-native successor to the archived watchtower.

Added

  • Core script bin/watchdocker with --dry-run, --once, --verbose, --list, --version, --help
  • Non-evaluating YAML config loader (projects, skip_projects, pre_hook, post_hook, prune.{enabled,age})
  • Auto-discovery of compose files under /opt, /data, /srv, /home when projects: is unset
  • Container-level opt-out via the watchdocker.skip=true label
  • Smart-restart: docker compose up -d only when pull actually pulled new layers
  • Optional post-update image-prune with configurable age threshold (default 168h)
  • Hardened systemd service + weekly timer (ProtectSystem=strict, NoNewPrivileges, empty capability sets, syscall filter)
  • Idempotent install.sh that never clobbers existing config
  • Smoke-test suite under tests/smoke.sh

Security

  • Hook paths validated as absolute, regular, executable, root-owned (when run as root)
  • Non-evaluating YAML parse: no eval, no command substitution from config values
  • Race-free lockfile via atomic mkdir with stale-PID detection
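The hook-path checks in the list above, sketched as an added example (not watchdocker's own code). `validate_hook` and `run_hook` are hypothetical names, refusing symlinks is an assumption stricter than the list states, and `stat -c` assumes GNU coreutils.

```bash
#!/usr/bin/env bash
# Added example, not watchdocker's code. validate_hook/run_hook are
# hypothetical names; the checks mirror the Security list above.

validate_hook() {
    local hook="$1" owner

    # Absolute path only: a relative value would resolve against the
    # service's working directory.
    case "$hook" in
        /*) ;;
        *) echo "hook rejected, not absolute: $hook" >&2; return 1 ;;
    esac

    # Regular file. -f follows symlinks, so symlinks are refused first
    # (an assumption of this example, stricter than the list states).
    if [ -L "$hook" ] || [ ! -f "$hook" ]; then
        echo "hook rejected, not a regular file: $hook" >&2; return 1
    fi

    if [ ! -x "$hook" ]; then
        echo "hook rejected, not executable: $hook" >&2; return 1
    fi

    # As root, run only root-owned hooks, so an unprivileged user who
    # owns the file cannot change what root executes.
    # stat -c is GNU coreutils syntax.
    if [ "$(id -u)" -eq 0 ]; then
        owner=$(stat -c '%u' "$hook") || return 1
        if [ "$owner" -ne 0 ]; then
            echo "hook rejected, owner uid $owner is not root: $hook" >&2
            return 1
        fi
    fi
    return 0
}

run_hook() {
    validate_hook "$1" || return 1
    # Executed directly by path: the config value never reaches eval
    # or a "sh -c" string, so it cannot carry extra shell syntax.
    "$1"
}
```

Validation and execution are separate steps, so the directory that holds the hook should itself be writable only by root.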

Tested on

  • Ubuntu 26.04 LTS + Docker Engine 29.5.2 (AMD64)
  • Ubuntu 25.10 + Docker Engine 29.2.1 (DGX Spark, ARM64)

Full notes in CHANGELOG.md.