use ferretdb:1

Added small note on initial login steps.

.devcontainer/dev.compose.yaml

@@ -0,0 +1,33 @@
+services:
+  dev:
+    image: mcr.microsoft.com/devcontainers/rust:1-1-bullseye
+    volumes:
+      # Mount the root folder that contains .git
+      - ../:/workspace:cached
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /proc:/proc
+      - repos:/etc/komodo/repos
+      - stacks:/etc/komodo/stacks
+    command: sleep infinity
+    ports:
+      - "9121:9121"
+    environment:
+      KOMODO_FIRST_SERVER: http://localhost:8120
+      KOMODO_DATABASE_ADDRESS: db
+      KOMODO_ENABLE_NEW_USERS: true
+      KOMODO_LOCAL_AUTH: true
+      KOMODO_JWT_SECRET: a_random_secret
+    links:
+      - db
+    # ...
+
+  db:
+    extends:
+      file: ../test.compose.yaml
+      service: ferretdb
+
+volumes:
+  data:
+  repo-cache:
+  repos:
+  stacks:

.devcontainer/devcontainer.json

@@ -0,0 +1,46 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/rust
+{
+	"name": "Komodo",
+	// Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+	//"image": "mcr.microsoft.com/devcontainers/rust:1-1-bullseye",
+	"dockerComposeFile": ["dev.compose.yaml"],
+	"workspaceFolder": "/workspace",
+  	"service": "dev",
+	// Features to add to the dev container. More info: https://containers.dev/features.
+	"features": {
+		"ghcr.io/devcontainers/features/node:1": {
+			"version": "18.18.0"
+		},
+		"ghcr.io/devcontainers-community/features/deno:1": {
+
+		}
+	},
+
+	// Use 'mounts' to make the cargo cache persistent in a Docker Volume.
+	"mounts": [
+		{
+			"source": "devcontainer-cargo-cache-${devcontainerId}",
+			"target": "/usr/local/cargo",
+			"type": "volume"
+		}
+	],
+
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	"forwardPorts": [
+		9121
+	],
+
+	// Use 'postCreateCommand' to run commands after the container is created.
+	"postCreateCommand": "./.devcontainer/postCreate.sh",
+
+	"runServices": [
+		"db"
+	]
+
+	// Configure tool-specific properties.
+	// "customizations": {},
+
+	// Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+	// "remoteUser": "root"
+}

.devcontainer/postCreate.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cargo install typeshare-cli

.dockerignore

@@ -5,4 +5,10 @@ LICENSE
 *.code-workspace
 
 */node_modules
-*/dist
+*/dist
+
+creds.toml
+.core-repos
+.repos
+.stacks
+.ssl

.github/FUNDING.yml

@@ -0,0 +1,2 @@
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository
+open_collective: komodo

.gitignore

@@ -1,11 +1,11 @@
 target
 /frontend/build
-node_modules
 /lib/ts_client/build
+node_modules
 dist
 .env
 .env.development
+.DS_Store
+
 creds.toml
-core.config.toml
-.syncs
-.stacks
+.komodo

.vscode/extensions.json

@@ -0,0 +1,8 @@
+{
+    "recommendations": [
+        "rust-lang.rust-analyzer",
+        "tamasfe.even-better-toml",
+        "vadimcn.vscode-lldb",
+        "denoland.vscode-deno"
+    ]
+}

.vscode/tasks.json

@@ -0,0 +1,179 @@
+{
+    "version": "2.0.0",
+    "tasks": [
+        {
+            "label": "Run Core",
+            "command": "cargo",
+            "args": [
+                "run",
+                "-p",
+                "komodo_core",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.core.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Build Core",
+            "command": "cargo",
+            "args": [
+                "build",
+                "-p",
+                "komodo_core",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.core.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Run Periphery",
+            "command": "cargo",
+            "args": [
+                "run",
+                "-p",
+                "komodo_periphery",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.periphery.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Build Periphery",
+            "command": "cargo",
+            "args": [
+                "build",
+                "-p",
+                "komodo_periphery",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.periphery.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Run Backend",
+            "dependsOn": [
+                "Run Core",
+                "Run Periphery"
+            ],
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Build TS Client Types",
+            "type": "process",
+            "command": "node",
+            "args": [
+                "./client/core/ts/generate_types.mjs"
+            ],
+            "problemMatcher": []
+        },
+        {
+            "label": "Init TS Client",
+            "type": "shell",
+            "command": "yarn && yarn build && yarn link",
+            "options": {
+                "cwd": "${workspaceFolder}/client/core/ts",
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Init Frontend Client",
+            "type": "shell",
+            "command": "yarn link komodo_client && yarn install",
+            "options": {
+                "cwd": "${workspaceFolder}/frontend",
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Init Frontend",
+            "dependsOn": [
+                "Build TS Client Types",
+                "Init TS Client",
+                "Init Frontend Client"
+            ],
+            "dependsOrder": "sequence",
+            "problemMatcher": []
+        },
+        {
+            "label": "Build Frontend",
+            "type": "shell",
+            "command": "yarn build",
+            "options": {
+                "cwd": "${workspaceFolder}/frontend",
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Prepare Frontend For Run",
+            "type": "shell",
+            "command": "cp -r ./client/core/ts/dist/. frontend/public/client/.",
+            "options": {
+                "cwd": "${workspaceFolder}",
+            },
+            "dependsOn": [
+                "Build TS Client Types",
+                "Build Frontend"
+            ],
+            "dependsOrder": "sequence",
+            "problemMatcher": []
+        },
+        {
+            "label": "Run Frontend",
+            "type": "shell",
+            "command": "yarn dev",
+            "options": {
+                "cwd": "${workspaceFolder}/frontend",
+            },
+            "dependsOn": ["Prepare Frontend For Run"],
+            "problemMatcher": []
+        },
+        {
+            "label": "Init",
+            "dependsOn": [
+                "Build Backend",
+                "Init Frontend"
+            ],
+            "dependsOrder": "sequence",
+            "problemMatcher": []
+        },
+        {
+            "label": "Run Komodo",
+            "dependsOn": [
+                "Run Core",
+                "Run Periphery",
+                "Run Frontend"
+            ],
+            "problemMatcher": []
+        },
+    ]
+  }

Cargo.toml

@@ -1,9 +1,14 @@
 [workspace]
 resolver = "2"
-members = ["bin/*", "lib/*", "client/core/rs", "client/periphery/rs"]
+members = [
+	"bin/*",
+	"lib/*",
+	"client/core/rs",
+	"client/periphery/rs",
+]
 
 [workspace.package]
-version = "1.14.1"
+version = "1.16.12"
 edition = "2021"
 authors = ["mbecker20 <becker.maxh@gmail.com>"]
 license = "GPL-3.0-or-later"
@@ -15,18 +20,20 @@ homepage = "https://komo.do"
 
 [workspace.dependencies]
 # LOCAL
-# komodo_client = "1.14.1"
+# komodo_client = "1.15.6"
 komodo_client = { path = "client/core/rs" }
 periphery_client = { path = "client/periphery/rs" }
+environment_file = { path = "lib/environment_file" }
 formatting = { path = "lib/formatting" }
 command = { path = "lib/command" }
 logger = { path = "lib/logger" }
+cache = { path = "lib/cache" }
 git = { path = "lib/git" }
 
 # MOGH
 run_command = { version = "0.0.6", features = ["async_tokio"] }
-serror = { version = "0.4.6", default-features = false }
-slack = { version = "0.1.0", package = "slack_client_rs" }
+serror = { version = "0.4.7", default-features = false }
+slack = { version = "0.3.0", package = "slack_client_rs", default-features = false, features = ["rustls"] }
 derive_default_builder = "0.1.8"
 derive_empty_traits = "0.1.0"
 merge_config_files = "0.1.5"
@@ -40,50 +47,53 @@ mungos = "1.1.0"
 svi = "1.0.1"
 
 # ASYNC
-tokio = { version = "1.40.0", features = ["full"] }
-reqwest = { version = "0.12.7", features = ["json"] }
-tokio-util = "0.7.11"
-futures = "0.3.30"
-futures-util = "0.3.30"
+reqwest = { version = "0.12.9", default-features = false, features = ["json", "rustls-tls"] }
+tokio = { version = "1.41.1", features = ["full"] }
+tokio-util = "0.7.12"
+futures = "0.3.31"
+futures-util = "0.3.31"
 
 # SERVER
-axum = { version = "0.7.5", features = ["ws", "json"] }
-axum-extra = { version = "0.9.3", features = ["typed-header"] }
-tower-http = { version = "0.5.2", features = ["fs", "cors"] }
-tokio-tungstenite = "0.23.1"
+axum-extra = { version = "0.9.6", features = ["typed-header"] }
+tower-http = { version = "0.6.2", features = ["fs", "cors"] }
+axum-server = { version = "0.7.1", features = ["tls-rustls"] }
+axum = { version = "0.7.9", features = ["ws", "json"] }
+tokio-tungstenite = "0.24.0"
 
 # SER/DE
 ordered_hash_map = { version = "0.4.0", features = ["serde"] }
-serde = { version = "1.0.209", features = ["derive"] }
+serde = { version = "1.0.215", features = ["derive"] }
 strum = { version = "0.26.3", features = ["derive"] }
-serde_json = "1.0.127"
+serde_json = "1.0.133"
 serde_yaml = "0.9.34"
 toml = "0.8.19"
 
 # ERROR
-anyhow = "1.0.86"
-thiserror = "1.0.63"
+anyhow = "1.0.93"
+thiserror = "2.0.3"
 
 # LOGGING
-opentelemetry_sdk = { version = "0.24.1", features = ["rt-tokio"] }
+opentelemetry-otlp = { version = "0.27.0", features = ["tls-roots", "reqwest-rustls"] }
+opentelemetry_sdk = { version = "0.27.0", features = ["rt-tokio"] }
 tracing-subscriber = { version = "0.3.18", features = ["json"] }
-opentelemetry-semantic-conventions = "0.16.0"
-tracing-opentelemetry = "0.25.0"
-opentelemetry-otlp = "0.17.0"
-opentelemetry = "0.24.0"
+opentelemetry-semantic-conventions = "0.27.0"
+tracing-opentelemetry = "0.28.0"
+opentelemetry = "0.27.0"
 tracing = "0.1.40"
 
 # CONFIG
-clap = { version = "4.5.16", features = ["derive"] }
+clap = { version = "4.5.21", features = ["derive"] }
 dotenvy = "0.15.7"
 envy = "0.4.2"
 
-# CRYPTO
-uuid = { version = "1.10.0", features = ["v4", "fast-rng", "serde"] }
+# CRYPTO / AUTH
+uuid = { version = "1.11.0", features = ["v4", "fast-rng", "serde"] }
+openidconnect = "3.5.0"
 urlencoding = "2.1.3"
 nom_pem = "4.0.0"
-bcrypt = "0.15.1"
+bcrypt = "0.16.0"
 base64 = "0.22.1"
+rustls = "0.23.18"
 hmac = "0.12.1"
 sha2 = "0.10.8"
 rand = "0.8.5"
@@ -91,19 +101,19 @@ jwt = "0.16.0"
 hex = "0.4.3"
 
 # SYSTEM
-bollard = "0.17.1"
-sysinfo = "0.31.4"
+bollard = "0.18.1"
+sysinfo = "0.32.0"
 
 # CLOUD
-aws-config = "1.5.5"
-aws-sdk-ec2 = "1.70.0"
-aws-sdk-ecr = "1.42.0"
+aws-config = "1.5.10"
+aws-sdk-ec2 = "1.91.0"
 
 # MISC
-derive_builder = "0.20.1"
-typeshare = "1.0.3"
+derive_builder = "0.20.2"
+typeshare = "1.0.4"
 octorust = "0.7.0"
+dashmap = "6.1.0"
+wildcard = "0.3.0"
 colored = "2.1.0"
-regex = "1.10.6"
-bson = "2.11.0"
-
+regex = "1.11.1"
+bson = "2.13.0"

bin/binaries.Dockerfile

@@ -0,0 +1,27 @@
+## Builds the Komodo Core and Periphery binaries
+## for a specific architecture.
+
+FROM rust:1.82.0-bullseye AS builder
+
+WORKDIR /builder
+COPY Cargo.toml Cargo.lock ./
+COPY ./lib ./lib
+COPY ./client/core/rs ./client/core/rs
+COPY ./client/periphery ./client/periphery
+COPY ./bin/core ./bin/core
+COPY ./bin/periphery ./bin/periphery
+
+# Compile bin
+RUN \
+  cargo build -p komodo_core --release && \
+  cargo build -p komodo_periphery --release
+
+# Copy just the binaries to scratch image
+FROM scratch
+
+COPY --from=builder /builder/target/release/core /core
+COPY --from=builder /builder/target/release/periphery /periphery
+
+LABEL org.opencontainers.image.source=https://github.com/mbecker20/komodo
+LABEL org.opencontainers.image.description="Komodo Periphery"
+LABEL org.opencontainers.image.licenses=GPL-3.0

bin/cli/src/exec.rs

@@ -1,13 +1,21 @@
 use std::time::Duration;
 
 use colored::Colorize;
-use komodo_client::api::execute::Execution;
+use komodo_client::{
+  api::execute::{BatchExecutionResponse, Execution},
+  entities::update::Update,
+};
 
 use crate::{
   helpers::wait_for_enter,
   state::{cli_args, komodo_client},
 };
 
+pub enum ExecutionResult {
+  Single(Update),
+  Batch(BatchExecutionResponse),
+}
+
 pub async fn run(execution: Execution) -> anyhow::Result<()> {
   if matches!(execution, Execution::None(_)) {
     println!("Got 'none' execution. Doing nothing...");
@@ -21,18 +29,36 @@ pub async fn run(execution: Execution) -> anyhow::Result<()> {
     Execution::None(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::RunAction(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchRunAction(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::RunProcedure(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::BatchRunProcedure(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::RunBuild(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::BatchRunBuild(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::CancelBuild(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
     Execution::Deploy(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::BatchDeploy(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PullDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::StartDeployment(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
@@ -51,15 +77,27 @@ pub async fn run(execution: Execution) -> anyhow::Result<()> {
     Execution::DestroyDeployment(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::BatchDestroyDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::CloneRepo(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::BatchCloneRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::PullRepo(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::BatchPullRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::BuildRepo(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::BatchBuildRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::CancelRepoBuild(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
@@ -117,15 +155,36 @@ pub async fn run(execution: Execution) -> anyhow::Result<()> {
     Execution::PruneVolumes(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::PruneDockerBuilders(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneBuildx(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::PruneSystem(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
     Execution::RunSync(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::CommitSync(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::DeployStack(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::BatchDeployStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeployStackIfChanged(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDeployStackIfChanged(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PullStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::StartStack(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
@@ -144,6 +203,9 @@ pub async fn run(execution: Execution) -> anyhow::Result<()> {
     Execution::DestroyStack(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::BatchDestroyStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::Sleep(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
@@ -156,129 +218,242 @@ pub async fn run(execution: Execution) -> anyhow::Result<()> {
   info!("Running Execution...");
 
   let res = match execution {
-    Execution::RunProcedure(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::RunBuild(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::CancelBuild(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::Deploy(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StartDeployment(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::RestartDeployment(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PauseDeployment(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::UnpauseDeployment(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StopDeployment(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DestroyDeployment(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::CloneRepo(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PullRepo(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::BuildRepo(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::CancelRepoBuild(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StartContainer(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::RestartContainer(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PauseContainer(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::UnpauseContainer(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StopContainer(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DestroyContainer(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StartAllContainers(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::RestartAllContainers(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PauseAllContainers(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::UnpauseAllContainers(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StopAllContainers(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PruneContainers(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DeleteNetwork(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PruneNetworks(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DeleteImage(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PruneImages(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DeleteVolume(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PruneVolumes(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PruneSystem(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::RunSync(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DeployStack(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StartStack(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::RestartStack(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PauseStack(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::UnpauseStack(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StopStack(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DestroyStack(request) => {
-      komodo_client().execute(request).await
-    }
+    Execution::RunAction(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchRunAction(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::RunProcedure(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchRunProcedure(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::RunBuild(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchRunBuild(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::CancelBuild(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::Deploy(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchDeploy(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::PullDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::StartDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::RestartDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PauseDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::UnpauseDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::StopDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::DestroyDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchDestroyDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::CloneRepo(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchCloneRepo(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::PullRepo(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchPullRepo(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::BuildRepo(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchBuildRepo(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::CancelRepoBuild(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::StartContainer(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::RestartContainer(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PauseContainer(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::UnpauseContainer(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::StopContainer(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::DestroyContainer(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::StartAllContainers(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::RestartAllContainers(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PauseAllContainers(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::UnpauseAllContainers(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::StopAllContainers(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PruneContainers(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::DeleteNetwork(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PruneNetworks(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::DeleteImage(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PruneImages(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::DeleteVolume(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PruneVolumes(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PruneDockerBuilders(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PruneBuildx(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PruneSystem(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::RunSync(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::CommitSync(request) => komodo_client()
+      .write(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::DeployStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchDeployStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::DeployStackIfChanged(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchDeployStackIfChanged(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
+    Execution::PullStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::StartStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::RestartStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::PauseStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::UnpauseStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::StopStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::DestroyStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Single),
+    Execution::BatchDestroyStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(ExecutionResult::Batch),
     Execution::Sleep(request) => {
       let duration =
         Duration::from_millis(request.duration_ms as u64);
@@ -290,7 +465,12 @@ pub async fn run(execution: Execution) -> anyhow::Result<()> {
   };
 
   match res {
-    Ok(update) => println!("\n{}: {update:#?}", "SUCCESS".green()),
+    Ok(ExecutionResult::Single(update)) => {
+      println!("\n{}: {update:#?}", "SUCCESS".green())
+    }
+    Ok(ExecutionResult::Batch(update)) => {
+      println!("\n{}: {update:#?}", "SUCCESS".green())
+    }
     Err(e) => println!("{}\n\n{e:#?}", "ERROR".red()),
   }
 

bin/cli/src/state.rs

@@ -40,7 +40,9 @@ pub fn komodo_client() -> &'static KomodoClient {
           creds
         }
       };
-    futures::executor::block_on(KomodoClient::new(url, key, secret))
-      .expect("failed to initialize Komodo client")
+    futures::executor::block_on(
+      KomodoClient::new(url, key, secret).with_healthcheck(),
+    )
+    .expect("failed to initialize Komodo client")
   })
 }

bin/core/Cargo.toml

@@ -17,8 +17,11 @@ path = "src/main.rs"
 # local
 komodo_client = { workspace = true, features = ["mongo"] }
 periphery_client.workspace = true
+environment_file.workspace = true
 formatting.workspace = true
+command.workspace = true
 logger.workspace = true
+cache.workspace = true
 git.workspace = true
 # mogh
 serror = { workspace = true, features = ["axum"] }
@@ -29,15 +32,15 @@ derive_variants.workspace = true
 mongo_indexed.workspace = true
 resolver_api.workspace = true
 toml_pretty.workspace = true
-run_command.workspace = true
 mungos.workspace = true
 slack.workspace = true
 svi.workspace = true
 # external
+axum-server.workspace = true
 ordered_hash_map.workspace = true
+openidconnect.workspace = true
 urlencoding.workspace = true
 aws-sdk-ec2.workspace = true
-aws-sdk-ecr.workspace = true
 aws-config.workspace = true
 tokio-util.workspace = true
 axum-extra.workspace = true
@@ -46,14 +49,17 @@ serde_json.workspace = true
 serde_yaml.workspace = true
 typeshare.workspace = true
 octorust.workspace = true
+wildcard.workspace = true
+dashmap.workspace = true
 tracing.workspace = true
 reqwest.workspace = true
 futures.workspace = true
 nom_pem.workspace = true
-anyhow.workspace = true
 dotenvy.workspace = true
+anyhow.workspace = true
 bcrypt.workspace = true
 base64.workspace = true
+rustls.workspace = true
 tokio.workspace = true
 serde.workspace = true
 regex.workspace = true

bin/core/Dockerfile

@@ -1,39 +0,0 @@
-# Build Core
-FROM rust:1.80.1-bookworm AS core-builder
-WORKDIR /builder
-COPY . .
-RUN cargo build -p komodo_core --release
-
-# Build Frontend
-FROM node:20.12-alpine AS frontend-builder
-WORKDIR /builder
-COPY ./frontend ./frontend
-COPY ./client/core/ts ./client
-RUN cd client && yarn && yarn build && yarn link
-RUN cd frontend && yarn link @komodo/client && yarn && yarn build
-
-# Final Image
-FROM debian:bookworm-slim
-
-# Install Deps
-RUN apt update && apt install -y git curl unzip ca-certificates && \
-	curl -SL https://github.com/docker/compose/releases/download/v2.29.1/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose && \
-	chmod +x /usr/local/bin/docker-compose && \
-	curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
-	unzip awscliv2.zip && \
-	./aws/install
-	
-# Copy
-COPY ./config_example/core.config.example.toml /config/config.toml
-COPY --from=core-builder /builder/target/release/core /
-COPY --from=frontend-builder /builder/frontend/dist /frontend
-
-# Hint at the port
-EXPOSE 9000
-
-# Label for Ghcr
-LABEL org.opencontainers.image.source=https://github.com/mbecker20/komodo
-LABEL org.opencontainers.image.description="Komodo Core"
-LABEL org.opencontainers.image.licenses=GPL-3.0
-
-CMD ["./core"]

bin/core/aio.Dockerfile

@@ -0,0 +1,55 @@
+## All in one, multi stage compile + runtime Docker build for your architecture.
+
+# Build Core
+FROM rust:1.82.0-bullseye AS core-builder
+
+WORKDIR /builder
+COPY Cargo.toml Cargo.lock ./
+COPY ./lib ./lib
+COPY ./client/core/rs ./client/core/rs
+COPY ./client/periphery ./client/periphery
+COPY ./bin/core ./bin/core
+
+# Compile app
+RUN cargo build -p komodo_core --release
+
+# Build Frontend
+FROM node:20.12-alpine AS frontend-builder
+WORKDIR /builder
+COPY ./frontend ./frontend
+COPY ./client/core/ts ./client
+RUN cd client && yarn && yarn build && yarn link
+RUN cd frontend && yarn link komodo_client && yarn && yarn build
+
+# Final Image
+FROM debian:bullseye-slim
+
+# Install Deps
+RUN apt update && \
+  apt install -y git ca-certificates && \
+  rm -rf /var/lib/apt/lists/*
+
+# Setup an application directory
+WORKDIR /app
+
+# Copy
+COPY ./config/core.config.toml /config/config.toml
+COPY --from=frontend-builder /builder/frontend/dist /app/frontend
+COPY --from=core-builder /builder/target/release/core /usr/local/bin/core
+COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
+
+# Set $DENO_DIR and preload external Deno deps
+ENV DENO_DIR=/action-cache/deno
+RUN mkdir /action-cache && \
+  cd /action-cache && \
+  deno install jsr:@std/yaml jsr:@std/toml
+
+# Hint at the port
+EXPOSE 9120
+
+# Label for Ghcr
+LABEL org.opencontainers.image.source=https://github.com/mbecker20/komodo
+LABEL org.opencontainers.image.description="Komodo Core"
+LABEL org.opencontainers.image.licenses=GPL-3.0
+
+ENTRYPOINT [ "core" ]

bin/core/multi-arch.Dockerfile

@@ -0,0 +1,50 @@
+## Assumes the latest binaries for x86_64 and aarch64 are already built (by binaries.Dockerfile).
+## Sets up the necessary runtime container dependencies for Komodo Core.
+## Since theres no heavy build here, QEMU multi-arch builds are fine for this image.
+
+ARG BINARIES_IMAGE=ghcr.io/mbecker20/komodo-binaries:latest
+ARG FRONTEND_IMAGE=ghcr.io/mbecker20/komodo-frontend:latest
+ARG X86_64_BINARIES=${BINARIES_IMAGE}-x86_64
+ARG AARCH64_BINARIES=${BINARIES_IMAGE}-aarch64
+
+# This is required to work with COPY --from
+FROM ${X86_64_BINARIES} AS x86_64
+FROM ${AARCH64_BINARIES} AS aarch64
+FROM ${FRONTEND_IMAGE} AS frontend
+
+# Final Image
+FROM debian:bullseye-slim
+
+# Install Deps
+RUN apt update && \
+  apt install -y git ca-certificates && \
+  rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+# Copy both binaries initially, but only keep appropriate one for the TARGETPLATFORM.
+COPY --from=x86_64 /core /app/arch/linux/amd64
+COPY --from=aarch64 /core /app/arch/linux/arm64
+ARG TARGETPLATFORM
+RUN mv /app/arch/${TARGETPLATFORM} /usr/local/bin/core && rm -r /app/arch
+
+# Copy default config / static frontend / deno binary
+COPY ./config/core.config.toml /config/config.toml
+COPY --from=frontend /frontend /app/frontend
+COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
+
+# Set $DENO_DIR and preload external Deno deps
+ENV DENO_DIR=/action-cache/deno
+RUN mkdir /action-cache && \
+  cd /action-cache && \
+  deno install jsr:@std/yaml jsr:@std/toml
+
+# Hint at the port
+EXPOSE 9120
+
+# Label for Ghcr
+LABEL org.opencontainers.image.source=https://github.com/mbecker20/komodo
+LABEL org.opencontainers.image.description="Komodo Core"
+LABEL org.opencontainers.image.licenses=GPL-3.0
+
+ENTRYPOINT [ "core" ]

bin/core/single-arch.Dockerfile

@@ -0,0 +1,44 @@
+## Assumes the latest binaries for the required arch are already built (by binaries.Dockerfile).
+## Sets up the necessary runtime container dependencies for Komodo Core.
+
+ARG BINARIES_IMAGE=ghcr.io/mbecker20/komodo-binaries:latest
+
+# This is required to work with COPY --from
+FROM ${BINARIES_IMAGE} AS binaries
+
+# Build Frontend
+FROM node:20.12-alpine AS frontend-builder
+WORKDIR /builder
+COPY ./frontend ./frontend
+COPY ./client/core/ts ./client
+RUN cd client && yarn && yarn build && yarn link
+RUN cd frontend && yarn link komodo_client && yarn && yarn build
+
+FROM debian:bullseye-slim
+
+# Install Deps
+RUN apt update && \
+	apt install -y git ca-certificates && \
+	rm -rf /var/lib/apt/lists/*
+	
+# Copy
+COPY ./config/core.config.toml /config/config.toml
+COPY --from=frontend-builder /builder/frontend/dist /app/frontend
+COPY --from=binaries /core /usr/local/bin/core
+COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
+
+# Set $DENO_DIR and preload external Deno deps
+ENV DENO_DIR=/action-cache/deno
+RUN mkdir /action-cache && \
+	cd /action-cache && \
+	deno install jsr:@std/yaml jsr:@std/toml
+
+# Hint at the port
+EXPOSE 9120
+
+# Label for Ghcr
+LABEL org.opencontainers.image.source=https://github.com/mbecker20/komodo
+LABEL org.opencontainers.image.description="Komodo Core"
+LABEL org.opencontainers.image.licenses=GPL-3.0
+
+ENTRYPOINT [ "core" ]

bin/core/src/alert/discord.rs

@@ -0,0 +1,213 @@
+use std::sync::OnceLock;
+
+use serde::Serialize;
+
+use super::*;
+
+#[instrument(level = "debug")]
+pub async fn send_alert(
+  url: &str,
+  alert: &Alert,
+) -> anyhow::Result<()> {
+  let level = fmt_level(alert.level);
+  let content = match &alert.data {
+    AlertData::ServerUnreachable {
+      id,
+      name,
+      region,
+      err,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | **{name}**{region} is now **reachable**\n{link}"
+          )
+        }
+        SeverityLevel::Critical => {
+          let err = err
+            .as_ref()
+            .map(|e| format!("\n**error**: {e:#?}"))
+            .unwrap_or_default();
+          format!(
+            "{level} | **{name}**{region} is **unreachable** ❌\n{link}{err}"
+          )
+        }
+        _ => unreachable!(),
+      }
+    }
+    AlertData::ServerCpu {
+      id,
+      name,
+      region,
+      percentage,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      format!(
+        "{level} | **{name}**{region} cpu usage at **{percentage:.1}%**\n{link}"
+      )
+    }
+    AlertData::ServerMem {
+      id,
+      name,
+      region,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      let percentage = 100.0 * used_gb / total_gb;
+      format!(
+        "{level} | **{name}**{region} memory usage at **{percentage:.1}%** 💾\n\nUsing **{used_gb:.1} GiB** / **{total_gb:.1} GiB**\n{link}"
+      )
+    }
+    AlertData::ServerDisk {
+      id,
+      name,
+      region,
+      path,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      let percentage = 100.0 * used_gb / total_gb;
+      format!(
+        "{level} | **{name}**{region} disk usage at **{percentage:.1}%** 💿\nmount point: `{path:?}`\nusing **{used_gb:.1} GiB** / **{total_gb:.1} GiB**\n{link}"
+      )
+    }
+    AlertData::ContainerStateChange {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      from,
+      to,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let to = fmt_docker_container_state(to);
+      format!("📦 Deployment **{name}** is now **{to}**\nserver: **{server_name}**\nprevious: **{from}**\n{link}")
+    }
+    AlertData::DeploymentImageUpdateAvailable {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      format!("⬆ Deployment **{name}** has an update available\nserver: **{server_name}**\nimage: **{image}**\n{link}")
+    }
+    AlertData::DeploymentAutoUpdated {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      format!("⬆ Deployment **{name}** was updated automatically ⏫\nserver: **{server_name}**\nimage: **{image}**\n{link}")
+    }
+    AlertData::StackStateChange {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      from,
+      to,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let to = fmt_stack_state(to);
+      format!("🥞 Stack **{name}** is now {to}\nserver: **{server_name}**\nprevious: **{from}**\n{link}")
+    }
+    AlertData::StackImageUpdateAvailable {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      service,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      format!("⬆ Stack **{name}** has an update available\nserver: **{server_name}**\nservice: **{service}**\nimage: **{image}**\n{link}")
+    }
+    AlertData::StackAutoUpdated {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      images,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let images_label =
+        if images.len() > 1 { "images" } else { "image" };
+      let images = images.join(", ");
+      format!("⬆ Stack **{name}** was updated automatically ⏫\nserver: **{server_name}**\n{images_label}: **{images}**\n{link}")
+    }
+    AlertData::AwsBuilderTerminationFailed {
+      instance_id,
+      message,
+    } => {
+      format!("{level} | Failed to terminated AWS builder instance\ninstance id: **{instance_id}**\n{message}")
+    }
+    AlertData::ResourceSyncPendingUpdates { id, name } => {
+      let link =
+        resource_link(ResourceTargetVariant::ResourceSync, id);
+      format!(
+        "{level} | Pending resource sync updates on **{name}**\n{link}"
+      )
+    }
+    AlertData::BuildFailed { id, name, version } => {
+      let link = resource_link(ResourceTargetVariant::Build, id);
+      format!("{level} | Build **{name}** failed\nversion: **v{version}**\n{link}")
+    }
+    AlertData::RepoBuildFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Repo, id);
+      format!("{level} | Repo build for **{name}** failed\n{link}")
+    }
+    AlertData::None {} => Default::default(),
+  };
+  if !content.is_empty() {
+    send_message(url, &content).await?;
+  }
+  Ok(())
+}
+
+async fn send_message(
+  url: &str,
+  content: &str,
+) -> anyhow::Result<()> {
+  let body = DiscordMessageBody { content };
+
+  let response = http_client()
+    .post(url)
+    .json(&body)
+    .send()
+    .await
+    .context("Failed to send message")?;
+
+  let status = response.status();
+
+  if status.is_success() {
+    Ok(())
+  } else {
+    let text = response.text().await.with_context(|| {
+      format!("Failed to send message to Discord | {status} | failed to get response text")
+    })?;
+    Err(anyhow::anyhow!(
+      "Failed to send message to Discord | {status} | {text}"
+    ))
+  }
+}
+
+fn http_client() -> &'static reqwest::Client {
+  static CLIENT: OnceLock<reqwest::Client> = OnceLock::new();
+  CLIENT.get_or_init(reqwest::Client::new)
+}
+
+#[derive(Serialize)]
+struct DiscordMessageBody<'a> {
+  content: &'a str,
+}

bin/core/src/alert/mod.rs

@@ -0,0 +1,216 @@
+use ::slack::types::Block;
+use anyhow::{anyhow, Context};
+use derive_variants::ExtractVariant;
+use futures::future::join_all;
+use komodo_client::entities::{
+  alert::{Alert, AlertData, SeverityLevel},
+  alerter::*,
+  deployment::DeploymentState,
+  stack::StackState,
+  ResourceTargetVariant,
+};
+use mungos::{find::find_collect, mongodb::bson::doc};
+use tracing::Instrument;
+
+use crate::{config::core_config, state::db_client};
+
+mod discord;
+mod slack;
+
+pub async fn send_alerts(alerts: &[Alert]) {
+  if alerts.is_empty() {
+    return;
+  }
+
+  let span =
+    info_span!("send_alerts", alerts = format!("{alerts:?}"));
+  async {
+    let Ok(alerters) = find_collect(
+      &db_client().alerters,
+      doc! { "config.enabled": true },
+      None,
+    )
+    .await
+    .inspect_err(|e| {
+      error!(
+      "ERROR sending alerts | failed to get alerters from db | {e:#}"
+    )
+    }) else {
+      return;
+    };
+
+    let handles =
+      alerts.iter().map(|alert| send_alert(&alerters, alert));
+
+    join_all(handles).await;
+  }
+  .instrument(span)
+  .await
+}
+
+#[instrument(level = "debug")]
+async fn send_alert(alerters: &[Alerter], alert: &Alert) {
+  if alerters.is_empty() {
+    return;
+  }
+
+  let alert_type = alert.data.extract_variant();
+
+  let handles = alerters.iter().map(|alerter| async {
+    // Don't send if not enabled
+    if !alerter.config.enabled {
+      return Ok(());
+    }
+
+    // Don't send if alert type not configured on the alerter
+    if !alerter.config.alert_types.is_empty()
+      && !alerter.config.alert_types.contains(&alert_type)
+    {
+      return Ok(());
+    }
+
+    // Don't send if resource is in the blacklist
+    if alerter.config.except_resources.contains(&alert.target) {
+      return Ok(());
+    }
+
+    // Don't send if whitelist configured and target is not included
+    if !alerter.config.resources.is_empty()
+      && !alerter.config.resources.contains(&alert.target)
+    {
+      return Ok(());
+    }
+
+    match &alerter.config.endpoint {
+      AlerterEndpoint::Custom(CustomAlerterEndpoint { url }) => {
+        send_custom_alert(url, alert).await.with_context(|| {
+          format!(
+            "failed to send alert to custom alerter {}",
+            alerter.name
+          )
+        })
+      }
+      AlerterEndpoint::Slack(SlackAlerterEndpoint { url }) => {
+        slack::send_alert(url, alert).await.with_context(|| {
+          format!(
+            "failed to send alert to slack alerter {}",
+            alerter.name
+          )
+        })
+      }
+      AlerterEndpoint::Discord(DiscordAlerterEndpoint { url }) => {
+        discord::send_alert(url, alert).await.with_context(|| {
+          format!(
+            "failed to send alert to Discord alerter {}",
+            alerter.name
+          )
+        })
+      }
+    }
+  });
+
+  join_all(handles)
+    .await
+    .into_iter()
+    .filter_map(|res| res.err())
+    .for_each(|e| error!("{e:#}"));
+}
+
+#[instrument(level = "debug")]
+async fn send_custom_alert(
+  url: &str,
+  alert: &Alert,
+) -> anyhow::Result<()> {
+  let res = reqwest::Client::new()
+    .post(url)
+    .json(alert)
+    .send()
+    .await
+    .context("failed at post request to alerter")?;
+  let status = res.status();
+  if !status.is_success() {
+    let text = res
+      .text()
+      .await
+      .context("failed to get response text on alerter response")?;
+    return Err(anyhow!(
+      "post to alerter failed | {status} | {text}"
+    ));
+  }
+  Ok(())
+}
+
+fn fmt_region(region: &Option<String>) -> String {
+  match region {
+    Some(region) => format!(" ({region})"),
+    None => String::new(),
+  }
+}
+
+fn fmt_docker_container_state(state: &DeploymentState) -> String {
+  match state {
+    DeploymentState::Running => String::from("Running ▶️"),
+    DeploymentState::Exited => String::from("Exited 🛑"),
+    DeploymentState::Restarting => String::from("Restarting 🔄"),
+    DeploymentState::NotDeployed => String::from("Not Deployed"),
+    _ => state.to_string(),
+  }
+}
+
+fn fmt_stack_state(state: &StackState) -> String {
+  match state {
+    StackState::Running => String::from("Running ▶️"),
+    StackState::Stopped => String::from("Stopped 🛑"),
+    StackState::Restarting => String::from("Restarting 🔄"),
+    StackState::Down => String::from("Down ⬇️"),
+    _ => state.to_string(),
+  }
+}
+
+fn fmt_level(level: SeverityLevel) -> &'static str {
+  match level {
+    SeverityLevel::Critical => "CRITICAL 🚨",
+    SeverityLevel::Warning => "WARNING ‼️",
+    SeverityLevel::Ok => "OK ✅",
+  }
+}
+
+fn resource_link(
+  resource_type: ResourceTargetVariant,
+  id: &str,
+) -> String {
+  let path = match resource_type {
+    ResourceTargetVariant::System => unreachable!(),
+    ResourceTargetVariant::Build => format!("/builds/{id}"),
+    ResourceTargetVariant::Builder => {
+      format!("/builders/{id}")
+    }
+    ResourceTargetVariant::Deployment => {
+      format!("/deployments/{id}")
+    }
+    ResourceTargetVariant::Stack => {
+      format!("/stacks/{id}")
+    }
+    ResourceTargetVariant::Server => {
+      format!("/servers/{id}")
+    }
+    ResourceTargetVariant::Repo => format!("/repos/{id}"),
+    ResourceTargetVariant::Alerter => {
+      format!("/alerters/{id}")
+    }
+    ResourceTargetVariant::Procedure => {
+      format!("/procedures/{id}")
+    }
+    ResourceTargetVariant::Action => {
+      format!("/actions/{id}")
+    }
+    ResourceTargetVariant::ServerTemplate => {
+      format!("/server-templates/{id}")
+    }
+    ResourceTargetVariant::ResourceSync => {
+      format!("/resource-syncs/{id}")
+    }
+  };
+
+  format!("{}{path}", core_config().host)
+}

bin/core/src/alert/slack.rs

@@ -1,130 +1,7 @@
-use anyhow::{anyhow, Context};
-use derive_variants::ExtractVariant;
-use futures::future::join_all;
-use komodo_client::entities::{
-  alert::{Alert, AlertData, SeverityLevel},
-  alerter::*,
-  deployment::DeploymentState,
-  stack::StackState,
-  ResourceTargetVariant,
-};
-use mungos::{find::find_collect, mongodb::bson::doc};
-use slack::types::Block;
-
-use crate::{config::core_config, state::db_client};
-
-#[instrument]
-pub async fn send_alerts(alerts: &[Alert]) {
-  if alerts.is_empty() {
-    return;
-  }
-
-  let Ok(alerters) = find_collect(
-    &db_client().await.alerters,
-    doc! { "config.enabled": true },
-    None,
-  )
-  .await
-  .inspect_err(|e| {
-    error!(
-      "ERROR sending alerts | failed to get alerters from db | {e:#}"
-    )
-  }) else {
-    return;
-  };
-
-  let handles =
-    alerts.iter().map(|alert| send_alert(&alerters, alert));
-
-  join_all(handles).await;
-}
+use super::*;
 
 #[instrument(level = "debug")]
-async fn send_alert(alerters: &[Alerter], alert: &Alert) {
-  if alerters.is_empty() {
-    return;
-  }
-
-  let alert_type = alert.data.extract_variant();
-
-  let handles = alerters.iter().map(|alerter| async {
-    // Don't send if not enabled
-    if !alerter.config.enabled {
-      return Ok(());
-    }
-
-    // Don't send if alert type not configured on the alerter
-    if !alerter.config.alert_types.is_empty()
-      && !alerter.config.alert_types.contains(&alert_type)
-    {
-      return Ok(());
-    }
-
-    // Don't send if resource is in the blacklist
-    if alerter.config.except_resources.contains(&alert.target) {
-      return Ok(());
-    }
-
-    // Don't send if whitelist configured and target is not included
-    if !alerter.config.resources.is_empty()
-      && !alerter.config.resources.contains(&alert.target)
-    {
-      return Ok(());
-    }
-
-    match &alerter.config.endpoint {
-      AlerterEndpoint::Slack(SlackAlerterEndpoint { url }) => {
-        send_slack_alert(url, alert).await.with_context(|| {
-          format!(
-            "failed to send alert to slack alerter {}",
-            alerter.name
-          )
-        })
-      }
-      AlerterEndpoint::Custom(CustomAlerterEndpoint { url }) => {
-        send_custom_alert(url, alert).await.with_context(|| {
-          format!(
-            "failed to send alert to custom alerter {}",
-            alerter.name
-          )
-        })
-      }
-    }
-  });
-
-  join_all(handles)
-    .await
-    .into_iter()
-    .filter_map(|res| res.err())
-    .for_each(|e| error!("{e:#}"));
-}
-
-#[instrument(level = "debug")]
-async fn send_custom_alert(
-  url: &str,
-  alert: &Alert,
-) -> anyhow::Result<()> {
-  let res = reqwest::Client::new()
-    .post(url)
-    .json(alert)
-    .send()
-    .await
-    .context("failed at post request to alerter")?;
-  let status = res.status();
-  if !status.is_success() {
-    let text = res
-      .text()
-      .await
-      .context("failed to get response text on alerter response")?;
-    return Err(anyhow!(
-      "post to alerter failed | {status} | {text}"
-    ));
-  }
-  Ok(())
-}
-
-#[instrument(level = "debug")]
-async fn send_slack_alert(
+pub async fn send_alert(
   url: &str,
   alert: &Alert,
 ) -> anyhow::Result<()> {
@@ -305,7 +182,7 @@ async fn send_slack_alert(
       ..
     } => {
       let to = fmt_docker_container_state(to);
-      let text = format!("📦 Container *{name}* is now {to}");
+      let text = format!("📦 Container *{name}* is now *{to}*");
       let blocks = vec![
         Block::header(text.clone()),
         Block::section(format!(
@@ -318,6 +195,48 @@ async fn send_slack_alert(
       ];
       (text, blocks.into())
     }
+    AlertData::DeploymentImageUpdateAvailable {
+      id,
+      name,
+      server_name,
+      server_id: _server_id,
+      image,
+    } => {
+      let text =
+        format!("⬆ Deployment *{name}* has an update available");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "server: *{server_name}*\nimage: *{image}*",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Deployment,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::DeploymentAutoUpdated {
+      id,
+      name,
+      server_name,
+      server_id: _server_id,
+      image,
+    } => {
+      let text =
+        format!("⬆ Deployment *{name}* was updated automatically ⏫");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "server: *{server_name}*\nimage: *{image}*",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Deployment,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
     AlertData::StackStateChange {
       name,
       server_name,
@@ -327,11 +246,56 @@ async fn send_slack_alert(
       ..
     } => {
       let to = fmt_stack_state(to);
-      let text = format!("🥞 Stack *{name}* is now {to}");
+      let text = format!("🥞 Stack *{name}* is now *{to}*");
       let blocks = vec![
         Block::header(text.clone()),
         Block::section(format!(
-          "server: {server_name}\nprevious: {from}",
+          "server: *{server_name}*\nprevious: *{from}*",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Stack,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::StackImageUpdateAvailable {
+      id,
+      name,
+      server_name,
+      server_id: _server_id,
+      service,
+      image,
+    } => {
+      let text = format!("⬆ Stack *{name}* has an update available");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "server: *{server_name}*\nservice: *{service}*\nimage: *{image}*",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Stack,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::StackAutoUpdated {
+      id,
+      name,
+      server_name,
+      server_id: _server_id,
+      images,
+    } => {
+      let text =
+        format!("⬆ Stack *{name}* was updated automatically ⏫");
+      let images_label =
+        if images.len() > 1 { "images" } else { "image" };
+      let images = images.join(", ");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!(
+          "server: *{server_name}*\n{images_label}: *{images}*",
         )),
         Block::section(resource_link(
           ResourceTargetVariant::Stack,
@@ -356,8 +320,9 @@ async fn send_slack_alert(
       (text, blocks.into())
     }
     AlertData::ResourceSyncPendingUpdates { id, name } => {
-      let text =
-        format!("{level} | Pending resource sync updates on {name}");
+      let text = format!(
+        "{level} | Pending resource sync updates on *{name}*"
+      );
       let blocks = vec![
         Block::header(text.clone()),
         Block::section(format!(
@@ -375,20 +340,21 @@ async fn send_slack_alert(
       let blocks = vec![
         Block::header(text.clone()),
         Block::section(format!(
-          "build id: *{id}*\nbuild name: *{name}*\nversion: v{version}",
+          "build name: *{name}*\nversion: *v{version}*",
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Build,
+          id,
         )),
-        Block::section(resource_link(ResourceTargetVariant::Build, id))
       ];
       (text, blocks.into())
     }
     AlertData::RepoBuildFailed { id, name } => {
       let text =
-        format!("{level} | Repo build for {name} has failed");
+        format!("{level} | Repo build for *{name}* has *failed*");
       let blocks = vec![
         Block::header(text.clone()),
-        Block::section(format!(
-          "repo id: *{id}*\nrepo name: *{name}*",
-        )),
+        Block::section(format!("repo name: *{name}*",)),
         Block::section(resource_link(
           ResourceTargetVariant::Repo,
           id,
@@ -399,80 +365,8 @@ async fn send_slack_alert(
     AlertData::None {} => Default::default(),
   };
   if !text.is_empty() {
-    let slack = slack::Client::new(url);
+    let slack = ::slack::Client::new(url);
     slack.send_message(text, blocks).await?;
   }
   Ok(())
 }
-
-fn fmt_region(region: &Option<String>) -> String {
-  match region {
-    Some(region) => format!(" ({region})"),
-    None => String::new(),
-  }
-}
-
-fn fmt_docker_container_state(state: &DeploymentState) -> String {
-  match state {
-    DeploymentState::Running => String::from("Running ▶️"),
-    DeploymentState::Exited => String::from("Exited 🛑"),
-    DeploymentState::Restarting => String::from("Restarting 🔄"),
-    DeploymentState::NotDeployed => String::from("Not Deployed"),
-    _ => state.to_string(),
-  }
-}
-
-fn fmt_stack_state(state: &StackState) -> String {
-  match state {
-    StackState::Running => String::from("Running ▶️"),
-    StackState::Stopped => String::from("Stopped 🛑"),
-    StackState::Restarting => String::from("Restarting 🔄"),
-    StackState::Down => String::from("Down ⬇️"),
-    _ => state.to_string(),
-  }
-}
-
-fn fmt_level(level: SeverityLevel) -> &'static str {
-  match level {
-    SeverityLevel::Critical => "CRITICAL 🚨",
-    SeverityLevel::Warning => "WARNING ‼️",
-    SeverityLevel::Ok => "OK ✅",
-  }
-}
-
-fn resource_link(
-  resource_type: ResourceTargetVariant,
-  id: &str,
-) -> String {
-  let path = match resource_type {
-    ResourceTargetVariant::System => unreachable!(),
-    ResourceTargetVariant::Build => format!("/builds/{id}"),
-    ResourceTargetVariant::Builder => {
-      format!("/builders/{id}")
-    }
-    ResourceTargetVariant::Deployment => {
-      format!("/deployments/{id}")
-    }
-    ResourceTargetVariant::Stack => {
-      format!("/stacks/{id}")
-    }
-    ResourceTargetVariant::Server => {
-      format!("/servers/{id}")
-    }
-    ResourceTargetVariant::Repo => format!("/repos/{id}"),
-    ResourceTargetVariant::Alerter => {
-      format!("/alerters/{id}")
-    }
-    ResourceTargetVariant::Procedure => {
-      format!("/procedures/{id}")
-    }
-    ResourceTargetVariant::ServerTemplate => {
-      format!("/server-templates/{id}")
-    }
-    ResourceTargetVariant::ResourceSync => {
-      format!("/resource-syncs/{id}")
-    }
-  };
-
-  format!("{}{path}", core_config().host)
-}

bin/core/src/api/auth.rs

@@ -16,6 +16,7 @@ use crate::{
     get_user_id_from_headers,
     github::{self, client::github_oauth_client},
     google::{self, client::google_oauth_client},
+    oidc,
   },
   config::core_config,
   helpers::query::get_user,
@@ -39,14 +40,25 @@ pub enum AuthRequest {
 pub fn router() -> Router {
   let mut router = Router::new().route("/", post(handler));
 
+  if core_config().local_auth {
+    info!("🔑 Local Login Enabled");
+  }
+
   if github_oauth_client().is_some() {
+    info!("🔑 Github Login Enabled");
     router = router.nest("/github", github::router())
   }
 
   if google_oauth_client().is_some() {
+    info!("🔑 Github Login Enabled");
     router = router.nest("/google", google::router())
   }
 
+  if core_config().oidc_enabled {
+    info!("🔑 OIDC Login Enabled");
+    router = router.nest("/oidc", oidc::router())
+  }
+
   router
 }
 
@@ -91,6 +103,11 @@ fn login_options_reponse() -> &'static GetLoginOptionsResponse {
       google: config.google_oauth.enabled
         && !config.google_oauth.id.is_empty()
         && !config.google_oauth.secret.is_empty(),
+      oidc: config.oidc_enabled
+        && !config.oidc_provider.is_empty()
+        && !config.oidc_client_id.is_empty()
+        && !config.oidc_client_secret.is_empty(),
+      registration_disabled: config.disable_user_registration,
     }
   })
 }

bin/core/src/api/execute/action.rs

@@ -0,0 +1,328 @@
+use std::{
+  collections::HashSet,
+  path::{Path, PathBuf},
+  str::FromStr,
+  sync::OnceLock,
+};
+
+use anyhow::Context;
+use command::run_komodo_command;
+use komodo_client::{
+  api::{
+    execute::{BatchExecutionResponse, BatchRunAction, RunAction},
+    user::{CreateApiKey, CreateApiKeyResponse, DeleteApiKey},
+  },
+  entities::{
+    action::Action,
+    config::core::CoreConfig,
+    permission::PermissionLevel,
+    update::Update,
+    user::{action_user, User},
+  },
+};
+use mungos::{by_id::update_one_by_id, mongodb::bson::to_document};
+use resolver_api::Resolve;
+use tokio::fs;
+
+use crate::{
+  api::execute::ExecuteRequest,
+  config::core_config,
+  helpers::{
+    interpolate::{
+      add_interp_update_log,
+      interpolate_variables_secrets_into_string,
+    },
+    query::get_variables_and_secrets,
+    random_string,
+    update::update_update,
+  },
+  resource::{self, refresh_action_state_cache},
+  state::{action_states, db_client, State},
+};
+
+impl super::BatchExecute for BatchRunAction {
+  type Resource = Action;
+  fn single_request(action: String) -> ExecuteRequest {
+    ExecuteRequest::RunAction(RunAction { action })
+  }
+}
+
+impl Resolve<BatchRunAction, (User, Update)> for State {
+  #[instrument(name = "BatchRunAction", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchRunAction { pattern }: BatchRunAction,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchRunAction>(&pattern, &user).await
+  }
+}
+
+impl Resolve<RunAction, (User, Update)> for State {
+  #[instrument(name = "RunAction", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    RunAction { action }: RunAction,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    let mut action = resource::get_check_permissions::<Action>(
+      &action,
+      &user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    // get the action state for the action (or insert default).
+    let action_state = action_states()
+      .action
+      .get_or_insert_default(&action.id)
+      .await;
+
+    // This will set action state back to default when dropped.
+    // Will also check to ensure action not already busy before updating.
+    let _action_guard =
+      action_state.update(|state| state.running = true)?;
+
+    update_update(update.clone()).await?;
+
+    let CreateApiKeyResponse { key, secret } = State
+      .resolve(
+        CreateApiKey {
+          name: update.id.clone(),
+          expires: 0,
+        },
+        action_user().to_owned(),
+      )
+      .await?;
+
+    let contents = &mut action.config.file_contents;
+
+    // Wrap the file contents in the execution context.
+    *contents = full_contents(contents, &key, &secret);
+
+    let replacers =
+      interpolate(contents, &mut update, key.clone(), secret.clone())
+        .await?
+        .into_iter()
+        .collect::<Vec<_>>();
+
+    let file = format!("{}.ts", random_string(10));
+    let path = core_config().action_directory.join(&file);
+
+    if let Some(parent) = path.parent() {
+      let _ = fs::create_dir_all(parent).await;
+    }
+
+    fs::write(&path, contents).await.with_context(|| {
+      format!("Failed to write action file to {path:?}")
+    })?;
+
+    let mut res = run_komodo_command(
+      // Keep this stage name as is, the UI will find the latest update log by matching the stage name
+      "Execute Action",
+      None,
+      format!("deno run --allow-all {}", path.display()),
+      false,
+    )
+    .await;
+
+    res.stdout = svi::replace_in_string(&res.stdout, &replacers)
+      .replace(&key, "<ACTION_API_KEY>");
+    res.stderr = svi::replace_in_string(&res.stderr, &replacers)
+      .replace(&secret, "<ACTION_API_SECRET>");
+
+    cleanup_run(file + ".js", &path).await;
+
+    if let Err(e) = State
+      .resolve(DeleteApiKey { key }, action_user().to_owned())
+      .await
+    {
+      warn!(
+        "Failed to delete API key after action execution | {e:#}"
+      );
+    };
+
+    update.logs.push(res);
+    update.finalize();
+
+    // Need to manually update the update before cache refresh,
+    // and before broadcast with update_update.
+    // The Err case of to_document should be unreachable,
+    // but will fail to update cache in that case.
+    if let Ok(update_doc) = to_document(&update) {
+      let _ = update_one_by_id(
+        &db_client().updates,
+        &update.id,
+        mungos::update::Update::Set(update_doc),
+        None,
+      )
+      .await;
+      refresh_action_state_cache().await;
+    }
+
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+async fn interpolate(
+  contents: &mut String,
+  update: &mut Update,
+  key: String,
+  secret: String,
+) -> anyhow::Result<HashSet<(String, String)>> {
+  let mut vars_and_secrets = get_variables_and_secrets().await?;
+
+  vars_and_secrets
+    .secrets
+    .insert(String::from("ACTION_API_KEY"), key);
+  vars_and_secrets
+    .secrets
+    .insert(String::from("ACTION_API_SECRET"), secret);
+
+  let mut global_replacers = HashSet::new();
+  let mut secret_replacers = HashSet::new();
+
+  interpolate_variables_secrets_into_string(
+    &vars_and_secrets,
+    contents,
+    &mut global_replacers,
+    &mut secret_replacers,
+  )?;
+
+  add_interp_update_log(update, &global_replacers, &secret_replacers);
+
+  Ok(secret_replacers)
+}
+
+fn full_contents(contents: &str, key: &str, secret: &str) -> String {
+  let CoreConfig {
+    port, ssl_enabled, ..
+  } = core_config();
+  let protocol = if *ssl_enabled { "https" } else { "http" };
+  let base_url = format!("{protocol}://localhost:{port}");
+  format!(
+    "import {{ KomodoClient }} from '{base_url}/client/lib.js';
+import * as __YAML__ from 'jsr:@std/yaml';
+import * as __TOML__ from 'jsr:@std/toml';
+
+const YAML = {{
+  stringify: __YAML__.stringify,
+  parse: __YAML__.parse,
+  parseAll: __YAML__.parseAll,
+  parseDockerCompose: __YAML__.parse,
+}}
+
+const TOML = {{
+  stringify: __TOML__.stringify,
+  parse: __TOML__.parse,
+  parseResourceToml: __TOML__.parse,
+  parseCargoToml: __TOML__.parse,
+}}
+
+const komodo = KomodoClient('{base_url}', {{
+  type: 'api-key',
+  params: {{ key: '{key}', secret: '{secret}' }}
+}});
+
+async function main() {{
+{contents}
+
+console.log('🦎 Action completed successfully 🦎');
+}}
+
+main()
+.catch(error => {{
+  console.error('🚨 Action exited early with errors 🚨')
+  if (error.status !== undefined && error.result !== undefined) {{
+    console.error('Status:', error.status);
+    console.error(JSON.stringify(error.result, null, 2));
+  }} else {{
+    console.error(JSON.stringify(error, null, 2));
+  }}
+  Deno.exit(1)
+}});"
+  )
+}
+
+/// Cleans up file at given path.
+/// ALSO if $DENO_DIR is set,
+/// will clean up the generated file matching "file"
+async fn cleanup_run(file: String, path: &Path) {
+  if let Err(e) = fs::remove_file(path).await {
+    warn!(
+      "Failed to delete action file after action execution | {e:#}"
+    );
+  }
+  // If $DENO_DIR is set (will be in container),
+  // will clean up the generated file matching "file" (NOT under path)
+  let Some(deno_dir) = deno_dir() else {
+    return;
+  };
+  delete_file(deno_dir.join("gen/file"), file).await;
+}
+
+fn deno_dir() -> Option<&'static Path> {
+  static DENO_DIR: OnceLock<Option<PathBuf>> = OnceLock::new();
+  DENO_DIR
+    .get_or_init(|| {
+      let deno_dir = std::env::var("DENO_DIR").ok()?;
+      PathBuf::from_str(&deno_dir).ok()
+    })
+    .as_deref()
+}
+
+/// file is just the terminating file path,
+/// it may be nested multiple folder under path,
+/// this will find the nested file and delete it.
+/// Assumes the file is only there once.
+fn delete_file(
+  dir: PathBuf,
+  file: String,
+) -> std::pin::Pin<Box<dyn std::future::Future<Output = bool> + Send>>
+{
+  Box::pin(async move {
+    let Ok(mut dir) = fs::read_dir(dir).await else {
+      return false;
+    };
+    // Collect the nested folders for recursing
+    // only after checking all the files in directory.
+    let mut folders = Vec::<PathBuf>::new();
+
+    while let Ok(Some(entry)) = dir.next_entry().await {
+      let Ok(meta) = entry.metadata().await else {
+        continue;
+      };
+      if meta.is_file() {
+        let Ok(name) = entry.file_name().into_string() else {
+          continue;
+        };
+        if name == file {
+          if let Err(e) = fs::remove_file(entry.path()).await {
+            warn!(
+            "Failed to clean up generated file after action execution | {e:#}"
+          );
+          };
+          return true;
+        }
+      } else {
+        folders.push(entry.path());
+      }
+    }
+
+    if folders.len() == 1 {
+      // unwrap ok, folders definitely is not empty
+      let folder = folders.pop().unwrap();
+      delete_file(folder, file).await
+    } else {
+      // Check folders with file.clone
+      for folder in folders {
+        if delete_file(folder, file.clone()).await {
+          return true;
+        }
+      }
+      false
+    }
+  })
+}

bin/core/src/api/execute/build.rs

@@ -4,17 +4,18 @@ use anyhow::{anyhow, Context};
 use formatting::format_serror;
 use futures::future::join_all;
 use komodo_client::{
-  api::execute::{CancelBuild, Deploy, RunBuild},
+  api::execute::{
+    BatchExecutionResponse, BatchRunBuild, CancelBuild, Deploy,
+    RunBuild,
+  },
   entities::{
     alert::{Alert, AlertData, SeverityLevel},
     all_logs_success,
-    build::{Build, ImageRegistry, StandardRegistryConfig},
+    build::{Build, BuildConfig, ImageRegistryConfig},
     builder::{Builder, BuilderConfig},
-    config::core::{AwsEcrConfig, AwsEcrConfigWithCredentials},
     deployment::DeploymentState,
     komodo_timestamp,
     permission::PermissionLevel,
-    to_komodo_name,
     update::{Log, Update},
     user::{auto_redeploy_user, User},
   },
@@ -32,17 +33,15 @@ use resolver_api::Resolve;
 use tokio_util::sync::CancellationToken;
 
 use crate::{
-  cloud::aws::ecr,
-  config::core_config,
+  alert::send_alerts,
   helpers::{
-    alert::send_alerts,
     builder::{cleanup_builder_instance, get_builder_periphery},
     channel::build_cancel_channel,
     git_token,
     interpolate::{
       add_interp_update_log,
-      interpolate_variables_secrets_into_environment,
       interpolate_variables_secrets_into_extra_args,
+      interpolate_variables_secrets_into_string,
       interpolate_variables_secrets_into_system_command,
     },
     query::{get_deployment_state, get_variables_and_secrets},
@@ -55,6 +54,24 @@ use crate::{
 
 use super::ExecuteRequest;
 
+impl super::BatchExecute for BatchRunBuild {
+  type Resource = Build;
+  fn single_request(build: String) -> ExecuteRequest {
+    ExecuteRequest::RunBuild(RunBuild { build })
+  }
+}
+
+impl Resolve<BatchRunBuild, (User, Update)> for State {
+  #[instrument(name = "BatchRunBuild", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchRunBuild { pattern }: BatchRunBuild,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchRunBuild>(&pattern, &user).await
+  }
+}
+
 impl Resolve<RunBuild, (User, Update)> for State {
   #[instrument(name = "RunBuild", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(
@@ -68,7 +85,7 @@ impl Resolve<RunBuild, (User, Update)> for State {
       PermissionLevel::Execute,
     )
     .await?;
-    let vars_and_secrets = get_variables_and_secrets().await?;
+    let mut vars_and_secrets = get_variables_and_secrets().await?;
 
     if build.config.builder_id.is_empty() {
       return Err(anyhow!("Must attach builder to RunBuild"));
@@ -89,6 +106,14 @@ impl Resolve<RunBuild, (User, Update)> for State {
     update.version = build.config.version;
     update_update(update.clone()).await?;
 
+    // Add the $VERSION to variables. Use with [[$VERSION]]
+    if !vars_and_secrets.variables.contains_key("$VERSION") {
+      vars_and_secrets.variables.insert(
+        String::from("$VERSION"),
+        build.config.version.to_string(),
+      );
+    }
+
     let git_token = git_token(
       &build.config.git_provider,
       &build.config.git_account,
@@ -99,8 +124,8 @@ impl Resolve<RunBuild, (User, Update)> for State {
       || format!("Failed to get git token in call to db. This is a database error, not a token exisitence error. Stopping run. | {} | {}", build.config.git_provider, build.config.git_account),
     )?;
 
-    let (registry_token, aws_ecr) =
-      validate_account_extract_registry_token_aws_ecr(&build).await?;
+    let registry_token =
+      validate_account_extract_registry_token(&build).await?;
 
     let cancel = CancellationToken::new();
     let cancel_clone = cancel.clone();
@@ -175,7 +200,6 @@ impl Resolve<RunBuild, (User, Update)> for State {
     };
 
     // CLONE REPO
-
     let secret_replacers = if !build.config.skip_secret_interp {
       // Interpolate variables / secrets into pre build command
       let mut global_replacers = HashSet::new();
@@ -245,14 +269,14 @@ impl Resolve<RunBuild, (User, Update)> for State {
         let mut global_replacers = HashSet::new();
         let mut secret_replacers = HashSet::new();
 
-        interpolate_variables_secrets_into_environment(
+        interpolate_variables_secrets_into_string(
           &vars_and_secrets,
           &mut build.config.build_args,
           &mut global_replacers,
           &mut secret_replacers,
         )?;
 
-        interpolate_variables_secrets_into_environment(
+        interpolate_variables_secrets_into_string(
           &vars_and_secrets,
           &mut build.config.secret_args,
           &mut global_replacers,
@@ -282,7 +306,6 @@ impl Resolve<RunBuild, (User, Update)> for State {
           .request(api::build::Build {
             build: build.clone(),
             registry_token,
-            aws_ecr,
             replacers: secret_replacers.into_iter().collect(),
             // Push a commit hash tagged image
             additional_tags: if update.commit_hash.is_empty() {
@@ -317,7 +340,7 @@ impl Resolve<RunBuild, (User, Update)> for State {
 
     update.finalize();
 
-    let db = db_client().await;
+    let db = db_client();
 
     if update.success {
       let _ = db
@@ -403,7 +426,7 @@ async fn handle_early_return(
   // but will fail to update cache in that case.
   if let Ok(update_doc) = to_document(&update) {
     let _ = update_one_by_id(
-      &db_client().await.updates,
+      &db_client().updates,
       &update.id,
       mungos::update::Update::Set(update_doc),
       None,
@@ -436,14 +459,13 @@ async fn handle_early_return(
   Ok(update)
 }
 
-#[instrument(skip_all)]
 pub async fn validate_cancel_build(
   request: &ExecuteRequest,
 ) -> anyhow::Result<()> {
   if let ExecuteRequest::CancelBuild(req) = request {
     let build = resource::get::<Build>(&req.build).await?;
 
-    let db = db_client().await;
+    let db = db_client();
 
     let (latest_build, latest_cancel) = tokio::try_join!(
       db.updates
@@ -526,7 +548,7 @@ impl Resolve<CancelBuild, (User, Update)> for State {
     tokio::spawn(async move {
       tokio::time::sleep(Duration::from_secs(60)).await;
       if let Err(e) = update_one_by_id(
-        &db_client().await.updates,
+        &db_client().updates,
         &update_id,
         doc! { "$set": { "status": "Complete" } },
         None,
@@ -544,7 +566,7 @@ impl Resolve<CancelBuild, (User, Update)> for State {
 #[instrument]
 async fn handle_post_build_redeploy(build_id: &str) {
   let Ok(redeploy_deployments) = find_collect(
-    &db_client().await.deployments,
+    &db_client().deployments,
     doc! {
       "config.image.params.build_id": build_id,
       "config.redeploy_on_build": true
@@ -600,56 +622,24 @@ async fn handle_post_build_redeploy(build_id: &str) {
 }
 
 /// This will make sure that a build with non-none image registry has an account attached,
-/// and will check the core config for a token / aws ecr config matching requirements.
+/// and will check the core config for a token matching requirements.
 /// Otherwise it is left to periphery.
-async fn validate_account_extract_registry_token_aws_ecr(
-  build: &Build,
-) -> anyhow::Result<(Option<String>, Option<AwsEcrConfig>)> {
-  let (domain, account) = match &build.config.image_registry {
-    // Early return for None
-    ImageRegistry::None(_) => return Ok((None, None)),
-    // Early return for AwsEcr
-    ImageRegistry::AwsEcr(label) => {
-      // Note that aws ecr config still only lives in config file
-      let config = core_config()
-        .aws_ecr_registries
-        .iter()
-        .find(|reg| &reg.label == label);
-      let token = match config {
-        Some(AwsEcrConfigWithCredentials {
-          region,
-          access_key_id,
-          secret_access_key,
-          ..
-        }) => {
-          let token = ecr::get_ecr_token(
-            region,
-            access_key_id,
-            secret_access_key,
-          )
-          .await
-          .context("failed to get aws ecr token")?;
-          ecr::maybe_create_repo(
-            &to_komodo_name(&build.name),
-            region.to_string(),
-            access_key_id,
-            secret_access_key,
-          )
-          .await
-          .context("failed to create aws ecr repo")?;
-          Some(token)
-        }
-        None => None,
-      };
-      return Ok((token, config.map(AwsEcrConfig::from)));
-    }
-    ImageRegistry::Standard(StandardRegistryConfig {
-      domain,
-      account,
-      ..
-    }) => (domain.as_str(), account),
-  };
-
+async fn validate_account_extract_registry_token(
+  Build {
+    config:
+      BuildConfig {
+        image_registry:
+          ImageRegistryConfig {
+            domain, account, ..
+          },
+        ..
+      },
+    ..
+  }: &Build,
+) -> anyhow::Result<Option<String>> {
+  if domain.is_empty() {
+    return Ok(None);
+  }
   if account.is_empty() {
     return Err(anyhow!(
       "Must attach account to use registry provider {domain}"
@@ -660,5 +650,5 @@ async fn validate_account_extract_registry_token_aws_ecr(
     || format!("Failed to get registry token in call to db. Stopping run. | {domain} | {account}"),
   )?;
 
-  Ok((registry_token, None))
+  Ok(registry_token)
 }

bin/core/src/api/execute/deployment.rs

@@ -1,16 +1,16 @@
-use std::collections::HashSet;
+use std::{collections::HashSet, sync::OnceLock};
 
 use anyhow::{anyhow, Context};
+use cache::TimeoutCache;
 use formatting::format_serror;
 use komodo_client::{
   api::execute::*,
   entities::{
-    build::{Build, ImageRegistry},
-    config::core::AwsEcrConfig,
+    build::{Build, ImageRegistryConfig},
     deployment::{
       extract_registry_domain, Deployment, DeploymentImage,
     },
-    get_image_name,
+    get_image_name, komodo_timestamp, optional_string,
     permission::PermissionLevel,
     server::Server,
     update::{Log, Update},
@@ -22,14 +22,11 @@ use periphery_client::api;
 use resolver_api::Resolve;
 
 use crate::{
-  cloud::aws::ecr,
-  config::core_config,
   helpers::{
     interpolate::{
       add_interp_update_log,
-      interpolate_variables_secrets_into_container_command,
-      interpolate_variables_secrets_into_environment,
       interpolate_variables_secrets_into_extra_args,
+      interpolate_variables_secrets_into_string,
     },
     periphery_client,
     query::get_variables_and_secrets,
@@ -41,6 +38,30 @@ use crate::{
   state::{action_states, State},
 };
 
+use super::ExecuteRequest;
+
+impl super::BatchExecute for BatchDeploy {
+  type Resource = Deployment;
+  fn single_request(deployment: String) -> ExecuteRequest {
+    ExecuteRequest::Deploy(Deploy {
+      deployment,
+      stop_signal: None,
+      stop_time: None,
+    })
+  }
+}
+
+impl Resolve<BatchDeploy, (User, Update)> for State {
+  #[instrument(name = "BatchDeploy", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchDeploy { pattern }: BatchDeploy,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchDeploy>(&pattern, &user).await
+  }
+}
+
 async fn setup_deployment_execution(
   deployment: &str,
   user: &User,
@@ -53,12 +74,16 @@ async fn setup_deployment_execution(
   .await?;
 
   if deployment.config.server_id.is_empty() {
-    return Err(anyhow!("deployment has no server configured"));
+    return Err(anyhow!("Deployment has no Server configured"));
   }
 
   let server =
     resource::get::<Server>(&deployment.config.server_id).await?;
 
+  if !server.config.enabled {
+    return Err(anyhow!("Attached Server is not enabled"));
+  }
+
   Ok((deployment, server))
 }
 
@@ -90,39 +115,18 @@ impl Resolve<Deploy, (User, Update)> for State {
     // Send update after setting action state, this way frontend gets correct state.
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
-
-    periphery
-      .health_check()
-      .await
-      .context("Failed server health check, stopping run.")?;
-
     // This block resolves the attached Build to an actual versioned image
-    let (version, registry_token, aws_ecr) = match &deployment
-      .config
-      .image
-    {
+    let (version, registry_token) = match &deployment.config.image {
       DeploymentImage::Build { build_id, version } => {
         let build = resource::get::<Build>(build_id).await?;
-        let image_name = get_image_name(&build, |label| {
-          core_config()
-            .aws_ecr_registries
-            .iter()
-            .find(|reg| &reg.label == label)
-            .map(AwsEcrConfig::from)
-        })
-        .context("failed to create image name")?;
+        let image_name = get_image_name(&build)
+          .context("failed to create image name")?;
         let version = if version.is_none() {
           build.config.version
         } else {
           *version
         };
-        // Remove ending patch if it is 0, this means use latest patch.
-        let version_str = if version.patch == 0 {
-          format!("{}.{}", version.major, version.minor)
-        } else {
-          version.to_string()
-        };
+        let version_str = version.to_string();
         // Potentially add the build image_tag postfix
         let version_str = if build.config.image_tag.is_empty() {
           version_str
@@ -133,45 +137,27 @@ impl Resolve<Deploy, (User, Update)> for State {
         deployment.config.image = DeploymentImage::Image {
           image: format!("{image_name}:{version_str}"),
         };
-        match build.config.image_registry {
-          ImageRegistry::None(_) => (version, None, None),
-          ImageRegistry::AwsEcr(label) => {
-            let config = core_config()
-              .aws_ecr_registries
-              .iter()
-              .find(|reg| reg.label == label)
-              .with_context(|| {
-                format!(
-                  "did not find config for aws ecr registry {label}"
-                )
-              })?;
-            let token = ecr::get_ecr_token(
-              &config.region,
-              &config.access_key_id,
-              &config.secret_access_key,
-            )
-            .await
-            .context("failed to create aws ecr login token")?;
-            (version, Some(token), Some(AwsEcrConfig::from(config)))
-          }
-          ImageRegistry::Standard(params) => {
-            if deployment.config.image_registry_account.is_empty() {
-              deployment.config.image_registry_account =
-                params.account
-            }
-            let token = if !deployment
-              .config
-              .image_registry_account
-              .is_empty()
-            {
-              registry_token(&params.domain, &deployment.config.image_registry_account).await.with_context(
-                || format!("Failed to get git token in call to db. Stopping run. | {} | {}", params.domain, deployment.config.image_registry_account),
-              )?
-            } else {
-              None
-            };
-            (version, token, None)
+        if build.config.image_registry.domain.is_empty() {
+          (version, None)
+        } else {
+          let ImageRegistryConfig {
+            domain, account, ..
+          } = build.config.image_registry;
+          if deployment.config.image_registry_account.is_empty() {
+            deployment.config.image_registry_account = account
           }
+          let token = if !deployment
+            .config
+            .image_registry_account
+            .is_empty()
+          {
+            registry_token(&domain, &deployment.config.image_registry_account).await.with_context(
+              || format!("Failed to get git token in call to db. Stopping run. | {domain} | {}", deployment.config.image_registry_account),
+            )?
+          } else {
+            None
+          };
+          (version, token)
         }
       }
       DeploymentImage::Image { image } => {
@@ -187,7 +173,7 @@ impl Resolve<Deploy, (User, Update)> for State {
         } else {
           None
         };
-        (Version::default(), token, None)
+        (Version::default(), token)
       }
     };
 
@@ -199,13 +185,27 @@ impl Resolve<Deploy, (User, Update)> for State {
       let mut global_replacers = HashSet::new();
       let mut secret_replacers = HashSet::new();
 
-      interpolate_variables_secrets_into_environment(
+      interpolate_variables_secrets_into_string(
         &vars_and_secrets,
         &mut deployment.config.environment,
         &mut global_replacers,
         &mut secret_replacers,
       )?;
 
+      interpolate_variables_secrets_into_string(
+        &vars_and_secrets,
+        &mut deployment.config.ports,
+        &mut global_replacers,
+        &mut secret_replacers,
+      )?;
+
+      interpolate_variables_secrets_into_string(
+        &vars_and_secrets,
+        &mut deployment.config.volumes,
+        &mut global_replacers,
+        &mut secret_replacers,
+      )?;
+
       interpolate_variables_secrets_into_extra_args(
         &vars_and_secrets,
         &mut deployment.config.extra_args,
@@ -213,7 +213,7 @@ impl Resolve<Deploy, (User, Update)> for State {
         &mut secret_replacers,
       )?;
 
-      interpolate_variables_secrets_into_container_command(
+      interpolate_variables_secrets_into_string(
         &vars_and_secrets,
         &mut deployment.config.command,
         &mut global_replacers,
@@ -234,13 +234,12 @@ impl Resolve<Deploy, (User, Update)> for State {
     update.version = version;
     update_update(update.clone()).await?;
 
-    match periphery
+    match periphery_client(&server)?
       .request(api::container::Deploy {
         deployment,
         stop_signal,
         stop_time,
         registry_token,
-        aws_ecr,
         replacers: secret_replacers.into_iter().collect(),
       })
       .await
@@ -248,10 +247,8 @@ impl Resolve<Deploy, (User, Update)> for State {
       Ok(log) => update.logs.push(log),
       Err(e) => {
         update.push_error_log(
-          "deploy container",
-          format_serror(
-            &e.context("failed to deploy container").into(),
-          ),
+          "Deploy Container",
+          format_serror(&e.into()),
         );
       }
     };
@@ -265,6 +262,155 @@ impl Resolve<Deploy, (User, Update)> for State {
   }
 }
 
+/// Wait this long after a pull to allow another pull through
+const PULL_TIMEOUT: i64 = 5_000;
+type ServerId = String;
+type Image = String;
+type PullCache = TimeoutCache<(ServerId, Image), Log>;
+
+fn pull_cache() -> &'static PullCache {
+  static PULL_CACHE: OnceLock<PullCache> = OnceLock::new();
+  PULL_CACHE.get_or_init(Default::default)
+}
+
+pub async fn pull_deployment_inner(
+  deployment: Deployment,
+  server: &Server,
+) -> anyhow::Result<Log> {
+  let (image, account, token) = match deployment.config.image {
+    DeploymentImage::Build { build_id, version } => {
+      let build = resource::get::<Build>(&build_id).await?;
+      let image_name = get_image_name(&build)
+        .context("failed to create image name")?;
+      let version = if version.is_none() {
+        build.config.version.to_string()
+      } else {
+        version.to_string()
+      };
+      // Potentially add the build image_tag postfix
+      let version = if build.config.image_tag.is_empty() {
+        version
+      } else {
+        format!("{version}-{}", build.config.image_tag)
+      };
+      // replace image with corresponding build image.
+      let image = format!("{image_name}:{version}");
+      if build.config.image_registry.domain.is_empty() {
+        (image, None, None)
+      } else {
+        let ImageRegistryConfig {
+          domain, account, ..
+        } = build.config.image_registry;
+        let account =
+          if deployment.config.image_registry_account.is_empty() {
+            account
+          } else {
+            deployment.config.image_registry_account
+          };
+        let token = if !account.is_empty() {
+          registry_token(&domain, &account).await.with_context(
+              || format!("Failed to get git token in call to db. Stopping run. | {domain} | {account}"),
+            )?
+        } else {
+          None
+        };
+        (image, optional_string(&account), token)
+      }
+    }
+    DeploymentImage::Image { image } => {
+      let domain = extract_registry_domain(&image)?;
+      let token = if !deployment
+        .config
+        .image_registry_account
+        .is_empty()
+      {
+        registry_token(&domain, &deployment.config.image_registry_account).await.with_context(
+            || format!("Failed to get git token in call to db. Stopping run. | {domain} | {}", deployment.config.image_registry_account),
+          )?
+      } else {
+        None
+      };
+      (
+        image,
+        optional_string(&deployment.config.image_registry_account),
+        token,
+      )
+    }
+  };
+
+  // Acquire the pull lock for this image on the server
+  let lock = pull_cache()
+    .get_lock((server.id.clone(), image.clone()))
+    .await;
+
+  // Lock the path lock, prevents simultaneous pulls by
+  // ensuring simultaneous pulls will wait for first to finish
+  // and checking cached results.
+  let mut locked = lock.lock().await;
+
+  // Early return from cache if lasted pulled with PULL_TIMEOUT
+  if locked.last_ts + PULL_TIMEOUT > komodo_timestamp() {
+    return locked.clone_res();
+  }
+
+  let res = async {
+    let log = match periphery_client(server)?
+      .request(api::image::PullImage {
+        name: image,
+        account,
+        token,
+      })
+      .await
+    {
+      Ok(log) => log,
+      Err(e) => Log::error("Pull image", format_serror(&e.into())),
+    };
+
+    update_cache_for_server(server).await;
+    anyhow::Ok(log)
+  }
+  .await;
+
+  // Set the cache with results. Any other calls waiting on the lock will
+  // then immediately also use this same result.
+  locked.set(&res, komodo_timestamp());
+
+  res
+}
+
+impl Resolve<PullDeployment, (User, Update)> for State {
+  async fn resolve(
+    &self,
+    PullDeployment { deployment }: PullDeployment,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    let (deployment, server) =
+      setup_deployment_execution(&deployment, &user).await?;
+
+    // get the action state for the deployment (or insert default).
+    let action_state = action_states()
+      .deployment
+      .get_or_insert_default(&deployment.id)
+      .await;
+
+    // Will check to ensure deployment not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.pulling = true)?;
+
+    // Send update after setting action state, this way frontend gets correct state.
+    update_update(update.clone()).await?;
+
+    let log = pull_deployment_inner(deployment, &server).await?;
+
+    update.logs.push(log);
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
 impl Resolve<StartDeployment, (User, Update)> for State {
   #[instrument(name = "StartDeployment", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(
@@ -289,9 +435,7 @@ impl Resolve<StartDeployment, (User, Update)> for State {
     // Send update after setting action state, this way frontend gets correct state.
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
-
-    let log = match periphery
+    let log = match periphery_client(&server)?
       .request(api::container::StartContainer {
         name: deployment.name,
       })
@@ -337,9 +481,7 @@ impl Resolve<RestartDeployment, (User, Update)> for State {
     // Send update after setting action state, this way frontend gets correct state.
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
-
-    let log = match periphery
+    let log = match periphery_client(&server)?
       .request(api::container::RestartContainer {
         name: deployment.name,
       })
@@ -387,9 +529,7 @@ impl Resolve<PauseDeployment, (User, Update)> for State {
     // Send update after setting action state, this way frontend gets correct state.
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
-
-    let log = match periphery
+    let log = match periphery_client(&server)?
       .request(api::container::PauseContainer {
         name: deployment.name,
       })
@@ -435,9 +575,7 @@ impl Resolve<UnpauseDeployment, (User, Update)> for State {
     // Send update after setting action state, this way frontend gets correct state.
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
-
-    let log = match periphery
+    let log = match periphery_client(&server)?
       .request(api::container::UnpauseContainer {
         name: deployment.name,
       })
@@ -489,9 +627,7 @@ impl Resolve<StopDeployment, (User, Update)> for State {
     // Send update after setting action state, this way frontend gets correct state.
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
-
-    let log = match periphery
+    let log = match periphery_client(&server)?
       .request(api::container::StopContainer {
         name: deployment.name,
         signal: signal
@@ -519,6 +655,29 @@ impl Resolve<StopDeployment, (User, Update)> for State {
   }
 }
 
+impl super::BatchExecute for BatchDestroyDeployment {
+  type Resource = Deployment;
+  fn single_request(deployment: String) -> ExecuteRequest {
+    ExecuteRequest::DestroyDeployment(DestroyDeployment {
+      deployment,
+      signal: None,
+      time: None,
+    })
+  }
+}
+
+impl Resolve<BatchDestroyDeployment, (User, Update)> for State {
+  #[instrument(name = "BatchDestroyDeployment", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchDestroyDeployment { pattern }: BatchDestroyDeployment,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchDestroyDeployment>(&pattern, &user)
+      .await
+  }
+}
+
 impl Resolve<DestroyDeployment, (User, Update)> for State {
   #[instrument(name = "DestroyDeployment", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(
@@ -547,9 +706,7 @@ impl Resolve<DestroyDeployment, (User, Update)> for State {
     // Send update after setting action state, this way frontend gets correct state.
     update_update(update.clone()).await?;
 
-    let periphery = periphery_client(&server)?;
-
-    let log = match periphery
+    let log = match periphery_client(&server)?
       .request(api::container::RemoveContainer {
         name: deployment.name,
         signal: signal

bin/core/src/api/execute/mod.rs

@@ -2,12 +2,16 @@ use std::time::Instant;
 
 use anyhow::{anyhow, Context};
 use axum::{middleware, routing::post, Extension, Router};
+use axum_extra::{headers::ContentType, TypedHeader};
+use derive_variants::{EnumVariants, ExtractVariant};
 use formatting::format_serror;
+use futures::future::join_all;
 use komodo_client::{
   api::execute::*,
   entities::{
     update::{Log, Update},
     user::User,
+    Operation,
   },
 };
 use mungos::by_id::find_one_by_id;
@@ -20,9 +24,11 @@ use uuid::Uuid;
 use crate::{
   auth::auth_request,
   helpers::update::{init_execution_update, update_update},
+  resource::{list_full_for_user_using_pattern, KomodoResource},
   state::{db_client, State},
 };
 
+mod action;
 mod build;
 mod deployment;
 mod procedure;
@@ -32,8 +38,15 @@ mod server_template;
 mod stack;
 mod sync;
 
+pub use {
+  deployment::pull_deployment_inner, stack::pull_stack_inner,
+};
+
 #[typeshare]
-#[derive(Serialize, Deserialize, Debug, Clone, Resolver)]
+#[derive(
+  Serialize, Deserialize, Debug, Clone, Resolver, EnumVariants,
+)]
+#[variant_derive(Debug)]
 #[resolver_target(State)]
 #[resolver_args((User, Update))]
 #[serde(tag = "type", content = "params")]
@@ -57,38 +70,57 @@ pub enum ExecuteRequest {
   PruneImages(PruneImages),
   DeleteVolume(DeleteVolume),
   PruneVolumes(PruneVolumes),
+  PruneDockerBuilders(PruneDockerBuilders),
+  PruneBuildx(PruneBuildx),
   PruneSystem(PruneSystem),
 
   // ==== DEPLOYMENT ====
   Deploy(Deploy),
+  BatchDeploy(BatchDeploy),
+  PullDeployment(PullDeployment),
   StartDeployment(StartDeployment),
   RestartDeployment(RestartDeployment),
   PauseDeployment(PauseDeployment),
   UnpauseDeployment(UnpauseDeployment),
   StopDeployment(StopDeployment),
   DestroyDeployment(DestroyDeployment),
+  BatchDestroyDeployment(BatchDestroyDeployment),
 
   // ==== STACK ====
   DeployStack(DeployStack),
+  BatchDeployStack(BatchDeployStack),
+  DeployStackIfChanged(DeployStackIfChanged),
+  BatchDeployStackIfChanged(BatchDeployStackIfChanged),
+  PullStack(PullStack),
   StartStack(StartStack),
   RestartStack(RestartStack),
   StopStack(StopStack),
   PauseStack(PauseStack),
   UnpauseStack(UnpauseStack),
   DestroyStack(DestroyStack),
+  BatchDestroyStack(BatchDestroyStack),
 
   // ==== BUILD ====
   RunBuild(RunBuild),
+  BatchRunBuild(BatchRunBuild),
   CancelBuild(CancelBuild),
 
   // ==== REPO ====
   CloneRepo(CloneRepo),
+  BatchCloneRepo(BatchCloneRepo),
   PullRepo(PullRepo),
+  BatchPullRepo(BatchPullRepo),
   BuildRepo(BuildRepo),
+  BatchBuildRepo(BatchBuildRepo),
   CancelRepoBuild(CancelRepoBuild),
 
   // ==== PROCEDURE ====
   RunProcedure(RunProcedure),
+  BatchRunProcedure(BatchRunProcedure),
+
+  // ==== ACTION ====
+  RunAction(RunAction),
+  BatchRunAction(BatchRunAction),
 
   // ==== SERVER TEMPLATE ====
   LaunchServer(LaunchServer),
@@ -106,7 +138,25 @@ pub fn router() -> Router {
 async fn handler(
   Extension(user): Extension<User>,
   Json(request): Json<ExecuteRequest>,
-) -> serror::Result<Json<Update>> {
+) -> serror::Result<(TypedHeader<ContentType>, String)> {
+  let res = match inner_handler(request, user).await? {
+    ExecutionResult::Single(update) => serde_json::to_string(&update)
+      .context("Failed to serialize Update")?,
+    ExecutionResult::Batch(res) => res,
+  };
+  Ok((TypedHeader(ContentType::json()), res))
+}
+
+pub enum ExecutionResult {
+  Single(Update),
+  /// The batch contents will be pre serialized here
+  Batch(String),
+}
+
+pub async fn inner_handler(
+  request: ExecuteRequest,
+  user: User,
+) -> anyhow::Result<ExecutionResult> {
   let req_id = Uuid::new_v4();
 
   // need to validate no cancel is active before any update is created.
@@ -114,6 +164,17 @@ async fn handler(
 
   let update = init_execution_update(&request, &user).await?;
 
+  // This will be the case for the Batch exections,
+  // they don't have their own updates.
+  // The batch calls also call "inner_handler" themselves,
+  // and in their case will spawn tasks, so that isn't necessary
+  // here either.
+  if update.operation == Operation::None {
+    return Ok(ExecutionResult::Batch(
+      task(req_id, request, user, update).await?,
+    ));
+  }
+
   let handle =
     tokio::spawn(task(req_id, request, user, update.clone()));
 
@@ -133,7 +194,7 @@ async fn handler(
       };
       let res = async {
         let mut update =
-          find_one_by_id(&db_client().await.updates, &update_id)
+          find_one_by_id(&db_client().updates, &update_id)
             .await
             .context("failed to query to db")?
             .context("no update exists with given id")?;
@@ -149,10 +210,18 @@ async fn handler(
     }
   });
 
-  Ok(Json(update))
+  Ok(ExecutionResult::Single(update))
 }
 
-#[instrument(name = "ExecuteRequest", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+#[instrument(
+  name = "ExecuteRequest",
+  skip(user, update),
+  fields(
+    user_id = user.id,
+    update_id = update.id,
+    request = format!("{:?}", request.extract_variant()))
+  )
+]
 async fn task(
   req_id: Uuid,
   request: ExecuteRequest,
@@ -181,3 +250,40 @@ async fn task(
 
   res
 }
+
+trait BatchExecute {
+  type Resource: KomodoResource;
+  fn single_request(name: String) -> ExecuteRequest;
+}
+
+async fn batch_execute<E: BatchExecute>(
+  pattern: &str,
+  user: &User,
+) -> anyhow::Result<BatchExecutionResponse> {
+  let resources = list_full_for_user_using_pattern::<E::Resource>(
+    pattern,
+    Default::default(),
+    user,
+    &[],
+  )
+  .await?;
+  let futures = resources.into_iter().map(|resource| {
+    let user = user.clone();
+    async move {
+      inner_handler(E::single_request(resource.name.clone()), user)
+        .await
+        .map(|r| {
+          let ExecutionResult::Single(update) = r else {
+            unreachable!()
+          };
+          update
+        })
+        .map_err(|e| BatchExecutionResponseItemErr {
+          name: resource.name,
+          error: e.into(),
+        })
+        .into()
+    }
+  });
+  Ok(join_all(futures).await)
+}

bin/core/src/api/execute/procedure.rs

@@ -2,7 +2,9 @@ use std::pin::Pin;
 
 use formatting::{bold, colored, format_serror, muted, Color};
 use komodo_client::{
-  api::execute::RunProcedure,
+  api::execute::{
+    BatchExecutionResponse, BatchRunProcedure, RunProcedure,
+  },
   entities::{
     permission::PermissionLevel, procedure::Procedure,
     update::Update, user::User,
@@ -18,6 +20,26 @@ use crate::{
   state::{action_states, db_client, State},
 };
 
+use super::ExecuteRequest;
+
+impl super::BatchExecute for BatchRunProcedure {
+  type Resource = Procedure;
+  fn single_request(procedure: String) -> ExecuteRequest {
+    ExecuteRequest::RunProcedure(RunProcedure { procedure })
+  }
+}
+
+impl Resolve<BatchRunProcedure, (User, Update)> for State {
+  #[instrument(name = "BatchRunProcedure", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchRunProcedure { pattern }: BatchRunProcedure,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchRunProcedure>(&pattern, &user).await
+  }
+}
+
 impl Resolve<RunProcedure, (User, Update)> for State {
   #[instrument(name = "RunProcedure", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(
@@ -50,7 +72,7 @@ fn resolve_inner(
     // assumes first log is already created
     // and will panic otherwise.
     update.push_simple_log(
-      "execute_procedure",
+      "Execute procedure",
       format!(
         "{}: executing procedure '{}'",
         muted("INFO"),
@@ -80,9 +102,9 @@ fn resolve_inner(
     match res {
       Ok(_) => {
         update.push_simple_log(
-          "execution ok",
+          "Execution ok",
           format!(
-            "{}: the procedure has {} with no errors",
+            "{}: The procedure has {} with no errors",
             muted("INFO"),
             colored("completed", Color::Green)
           ),
@@ -100,7 +122,7 @@ fn resolve_inner(
     // but will fail to update cache in that case.
     if let Ok(update_doc) = to_document(&update) {
       let _ = update_one_by_id(
-        &db_client().await.updates,
+        &db_client().updates,
         &update.id,
         mungos::update::Update::Set(update_doc),
         None,

bin/core/src/api/execute/repo.rs

@@ -3,11 +3,11 @@ use std::{collections::HashSet, future::IntoFuture, time::Duration};
 use anyhow::{anyhow, Context};
 use formatting::format_serror;
 use komodo_client::{
-  api::execute::*,
+  api::{execute::*, write::RefreshRepoCache},
   entities::{
     alert::{Alert, AlertData, SeverityLevel},
     builder::{Builder, BuilderConfig},
-    komodo_timestamp, optional_string,
+    komodo_timestamp,
     permission::PermissionLevel,
     repo::Repo,
     server::Server,
@@ -27,14 +27,14 @@ use resolver_api::Resolve;
 use tokio_util::sync::CancellationToken;
 
 use crate::{
+  alert::send_alerts,
   helpers::{
-    alert::send_alerts,
     builder::{cleanup_builder_instance, get_builder_periphery},
     channel::repo_cancel_channel,
     git_token,
     interpolate::{
       add_interp_update_log,
-      interpolate_variables_secrets_into_environment,
+      interpolate_variables_secrets_into_string,
       interpolate_variables_secrets_into_system_command,
     },
     periphery_client,
@@ -47,6 +47,24 @@ use crate::{
 
 use super::ExecuteRequest;
 
+impl super::BatchExecute for BatchCloneRepo {
+  type Resource = Repo;
+  fn single_request(repo: String) -> ExecuteRequest {
+    ExecuteRequest::CloneRepo(CloneRepo { repo })
+  }
+}
+
+impl Resolve<BatchCloneRepo, (User, Update)> for State {
+  #[instrument(name = "BatchCloneRepo", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchCloneRepo { pattern }: BatchCloneRepo,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchCloneRepo>(&pattern, &user).await
+  }
+}
+
 impl Resolve<CloneRepo, (User, Update)> for State {
   #[instrument(name = "CloneRepo", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(
@@ -72,6 +90,10 @@ impl Resolve<CloneRepo, (User, Update)> for State {
 
     update_update(update.clone()).await?;
 
+    if repo.config.server_id.is_empty() {
+      return Err(anyhow!("repo has no server attached"));
+    }
+
     let git_token = git_token(
       &repo.config.git_provider,
       &repo.config.git_account,
@@ -82,10 +104,6 @@ impl Resolve<CloneRepo, (User, Update)> for State {
       || format!("Failed to get git token in call to db. This is a database error, not a token exisitence error. Stopping run. | {} | {}", repo.config.git_provider, repo.config.git_account),
     )?;
 
-    if repo.config.server_id.is_empty() {
-      return Err(anyhow!("repo has no server attached"));
-    }
-
     let server =
       resource::get::<Server>(&repo.config.server_id).await?;
 
@@ -100,7 +118,7 @@ impl Resolve<CloneRepo, (User, Update)> for State {
       .request(api::git::CloneRepo {
         args: (&repo).into(),
         git_token,
-        environment: repo.config.environment,
+        environment: repo.config.env_vars()?,
         env_file_path: repo.config.env_file_path,
         skip_secret_interp: repo.config.skip_secret_interp,
         replacers: secret_replacers.into_iter().collect(),
@@ -123,10 +141,39 @@ impl Resolve<CloneRepo, (User, Update)> for State {
       update_last_pulled_time(&repo.name).await;
     }
 
+    if let Err(e) = State
+      .resolve(RefreshRepoCache { repo: repo.id }, user)
+      .await
+      .context("Failed to refresh repo cache")
+    {
+      update.push_error_log(
+        "Refresh Repo cache",
+        format_serror(&e.into()),
+      );
+    };
+
     handle_server_update_return(update).await
   }
 }
 
+impl super::BatchExecute for BatchPullRepo {
+  type Resource = Repo;
+  fn single_request(repo: String) -> ExecuteRequest {
+    ExecuteRequest::CloneRepo(CloneRepo { repo })
+  }
+}
+
+impl Resolve<BatchPullRepo, (User, Update)> for State {
+  #[instrument(name = "BatchPullRepo", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchPullRepo { pattern }: BatchPullRepo,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchPullRepo>(&pattern, &user).await
+  }
+}
+
 impl Resolve<PullRepo, (User, Update)> for State {
   #[instrument(name = "PullRepo", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(
@@ -156,6 +203,16 @@ impl Resolve<PullRepo, (User, Update)> for State {
       return Err(anyhow!("repo has no server attached"));
     }
 
+    let git_token = git_token(
+      &repo.config.git_provider,
+      &repo.config.git_account,
+      |https| repo.config.git_https = https,
+    )
+    .await
+    .with_context(
+      || format!("Failed to get git token in call to db. This is a database error, not a token exisitence error. Stopping run. | {} | {}", repo.config.git_provider, repo.config.git_account),
+    )?;
+
     let server =
       resource::get::<Server>(&repo.config.server_id).await?;
 
@@ -168,12 +225,9 @@ impl Resolve<PullRepo, (User, Update)> for State {
 
     let logs = match periphery
       .request(api::git::PullRepo {
-        name: repo.name.clone(),
-        branch: optional_string(&repo.config.branch),
-        commit: optional_string(&repo.config.commit),
-        path: optional_string(&repo.config.path),
-        on_pull: repo.config.on_pull.into_option(),
-        environment: repo.config.environment,
+        args: (&repo).into(),
+        git_token,
+        environment: repo.config.env_vars()?,
         env_file_path: repo.config.env_file_path,
         skip_secret_interp: repo.config.skip_secret_interp,
         replacers: secret_replacers.into_iter().collect(),
@@ -200,6 +254,17 @@ impl Resolve<PullRepo, (User, Update)> for State {
       update_last_pulled_time(&repo.name).await;
     }
 
+    if let Err(e) = State
+      .resolve(RefreshRepoCache { repo: repo.id }, user)
+      .await
+      .context("Failed to refresh repo cache")
+    {
+      update.push_error_log(
+        "Refresh Repo cache",
+        format_serror(&e.into()),
+      );
+    };
+
     handle_server_update_return(update).await
   }
 }
@@ -214,7 +279,7 @@ async fn handle_server_update_return(
   // but will fail to update cache in that case.
   if let Ok(update_doc) = to_document(&update) {
     let _ = update_one_by_id(
-      &db_client().await.updates,
+      &db_client().updates,
       &update.id,
       mungos::update::Update::Set(update_doc),
       None,
@@ -229,7 +294,6 @@ async fn handle_server_update_return(
 #[instrument]
 async fn update_last_pulled_time(repo_name: &str) {
   let res = db_client()
-    .await
     .repos
     .update_one(
       doc! { "name": repo_name },
@@ -243,6 +307,24 @@ async fn update_last_pulled_time(repo_name: &str) {
   }
 }
 
+impl super::BatchExecute for BatchBuildRepo {
+  type Resource = Repo;
+  fn single_request(repo: String) -> ExecuteRequest {
+    ExecuteRequest::CloneRepo(CloneRepo { repo })
+  }
+}
+
+impl Resolve<BatchBuildRepo, (User, Update)> for State {
+  #[instrument(name = "BatchBuildRepo", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchBuildRepo { pattern }: BatchBuildRepo,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchBuildRepo>(&pattern, &user).await
+  }
+}
+
 impl Resolve<BuildRepo, (User, Update)> for State {
   #[instrument(name = "BuildRepo", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(
@@ -363,7 +445,7 @@ impl Resolve<BuildRepo, (User, Update)> for State {
         .request(api::git::CloneRepo {
           args: (&repo).into(),
           git_token,
-          environment: repo.config.environment,
+          environment: repo.config.env_vars()?,
           env_file_path: repo.config.env_file_path,
           skip_secret_interp: repo.config.skip_secret_interp,
           replacers: secret_replacers.into_iter().collect()
@@ -396,7 +478,7 @@ impl Resolve<BuildRepo, (User, Update)> for State {
 
     update.finalize();
 
-    let db = db_client().await;
+    let db = db_client();
 
     if update.success {
       let _ = db
@@ -473,7 +555,7 @@ async fn handle_builder_early_return(
   // but will fail to update cache in that case.
   if let Ok(update_doc) = to_document(&update) {
     let _ = update_one_by_id(
-      &db_client().await.updates,
+      &db_client().updates,
       &update.id,
       mungos::update::Update::Set(update_doc),
       None,
@@ -511,7 +593,7 @@ pub async fn validate_cancel_repo_build(
   if let ExecuteRequest::CancelRepoBuild(req) = request {
     let repo = resource::get::<Repo>(&req.repo).await?;
 
-    let db = db_client().await;
+    let db = db_client();
 
     let (latest_build, latest_cancel) = tokio::try_join!(
       db.updates
@@ -596,7 +678,7 @@ impl Resolve<CancelRepoBuild, (User, Update)> for State {
     tokio::spawn(async move {
       tokio::time::sleep(Duration::from_secs(60)).await;
       if let Err(e) = update_one_by_id(
-        &db_client().await.updates,
+        &db_client().updates,
         &update_id,
         doc! { "$set": { "status": "Complete" } },
         None,
@@ -621,7 +703,7 @@ async fn interpolate(
     let mut global_replacers = HashSet::new();
     let mut secret_replacers = HashSet::new();
 
-    interpolate_variables_secrets_into_environment(
+    interpolate_variables_secrets_into_string(
       &vars_and_secrets,
       &mut repo.config.environment,
       &mut global_replacers,

bin/core/src/api/execute/server.rs

@@ -425,7 +425,7 @@ impl Resolve<RestartAllContainers, (User, Update)> for State {
     update_update(update.clone()).await?;
 
     let logs = periphery_client(&server)?
-      .request(api::container::StartAllContainers {})
+      .request(api::container::RestartAllContainers {})
       .await
       .context("failed to restart all containers on host")?;
 
@@ -520,12 +520,12 @@ impl Resolve<UnpauseAllContainers, (User, Update)> for State {
     // Will check to ensure server not already busy before updating, and return Err if so.
     // The returned guard will set the action state back to default when dropped.
     let _action_guard = action_state
-      .update(|state| state.starting_containers = true)?;
+      .update(|state| state.unpausing_containers = true)?;
 
     update_update(update.clone()).await?;
 
     let logs = periphery_client(&server)?
-      .request(api::container::StartAllContainers {})
+      .request(api::container::UnpauseAllContainers {})
       .await
       .context("failed to unpause all containers on host")?;
 
@@ -941,6 +941,108 @@ impl Resolve<PruneVolumes, (User, Update)> for State {
   }
 }
 
+impl Resolve<PruneDockerBuilders, (User, Update)> for State {
+  #[instrument(name = "PruneDockerBuilders", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    PruneDockerBuilders { server }: PruneDockerBuilders,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    // get the action state for the server (or insert default).
+    let action_state = action_states()
+      .server
+      .get_or_insert_default(&server.id)
+      .await;
+
+    // Will check to ensure server not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.pruning_builders = true)?;
+
+    update_update(update.clone()).await?;
+
+    let periphery = periphery_client(&server)?;
+
+    let log =
+      match periphery.request(api::build::PruneBuilders {}).await {
+        Ok(log) => log,
+        Err(e) => Log::error(
+          "prune builders",
+          format!(
+            "failed to docker builder prune on server {} | {e:#?}",
+            server.name
+          ),
+        ),
+      };
+
+    update.logs.push(log);
+    update_cache_for_server(&server).await;
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<PruneBuildx, (User, Update)> for State {
+  #[instrument(name = "PruneBuildx", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    PruneBuildx { server }: PruneBuildx,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    // get the action state for the server (or insert default).
+    let action_state = action_states()
+      .server
+      .get_or_insert_default(&server.id)
+      .await;
+
+    // Will check to ensure server not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.pruning_buildx = true)?;
+
+    update_update(update.clone()).await?;
+
+    let periphery = periphery_client(&server)?;
+
+    let log =
+      match periphery.request(api::build::PruneBuildx {}).await {
+        Ok(log) => log,
+        Err(e) => Log::error(
+          "prune buildx",
+          format!(
+            "failed to docker buildx prune on server {} | {e:#?}",
+            server.name
+          ),
+        ),
+      };
+
+    update.logs.push(log);
+    update_cache_for_server(&server).await;
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
 impl Resolve<PruneSystem, (User, Update)> for State {
   #[instrument(name = "PruneSystem", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(
@@ -975,7 +1077,7 @@ impl Resolve<PruneSystem, (User, Update)> for State {
       Err(e) => Log::error(
         "prune system",
         format!(
-          "failed to docket system prune on server {} | {e:#?}",
+          "failed to docker system prune on server {} | {e:#?}",
           server.name
         ),
       ),

bin/core/src/api/execute/server_template.rs

@@ -34,7 +34,6 @@ impl Resolve<LaunchServer, (User, Update)> for State {
   ) -> anyhow::Result<Update> {
     // validate name isn't already taken by another server
     if db_client()
-      .await
       .servers
       .find_one(doc! {
         "name": &name
@@ -62,6 +61,8 @@ impl Resolve<LaunchServer, (User, Update)> for State {
     let config = match template.config {
       ServerTemplateConfig::Aws(config) => {
         let region = config.region.clone();
+        let use_https = config.use_https;
+        let port = config.port;
         let instance = match launch_ec2_instance(&name, config).await
         {
           Ok(instance) => instance,
@@ -82,14 +83,18 @@ impl Resolve<LaunchServer, (User, Update)> for State {
             instance.ip
           ),
         );
+        let protocol = if use_https { "https" } else { "http" };
         PartialServerConfig {
-          address: format!("http://{}:8120", instance.ip).into(),
+          address: format!("{protocol}://{}:{port}", instance.ip)
+            .into(),
           region: region.into(),
           ..Default::default()
         }
       }
       ServerTemplateConfig::Hetzner(config) => {
         let datacenter = config.datacenter;
+        let use_https = config.use_https;
+        let port = config.port;
         let server = match launch_hetzner_server(&name, config).await
         {
           Ok(server) => server,
@@ -110,8 +115,10 @@ impl Resolve<LaunchServer, (User, Update)> for State {
             server.ip
           ),
         );
+        let protocol = if use_https { "https" } else { "http" };
         PartialServerConfig {
-          address: format!("http://{}:8120", server.ip).into(),
+          address: format!("{protocol}://{}:{port}", server.ip)
+            .into(),
           region: datacenter.as_ref().to_string().into(),
           ..Default::default()
         }

bin/core/src/api/execute/stack.rs

@@ -3,9 +3,12 @@ use std::collections::HashSet;
 use anyhow::Context;
 use formatting::format_serror;
 use komodo_client::{
-  api::execute::*,
+  api::{execute::*, write::RefreshStackCache},
   entities::{
-    permission::PermissionLevel, stack::StackInfo, update::Update,
+    permission::PermissionLevel,
+    server::Server,
+    stack::{Stack, StackInfo},
+    update::{Log, Update},
     user::User,
   },
 };
@@ -17,26 +20,53 @@ use crate::{
   helpers::{
     interpolate::{
       add_interp_update_log,
-      interpolate_variables_secrets_into_environment,
       interpolate_variables_secrets_into_extra_args,
+      interpolate_variables_secrets_into_string,
+      interpolate_variables_secrets_into_system_command,
     },
     periphery_client,
     query::get_variables_and_secrets,
-    stack::{
-      execute::execute_compose, get_stack_and_server,
-      services::extract_services_into_res,
-    },
-    update::update_update,
+    update::{add_update_without_send, update_update},
   },
   monitor::update_cache_for_server,
+  resource,
+  stack::{execute::execute_compose, get_stack_and_server},
   state::{action_states, db_client, State},
 };
 
+use super::ExecuteRequest;
+
+impl super::BatchExecute for BatchDeployStack {
+  type Resource = Stack;
+  fn single_request(stack: String) -> ExecuteRequest {
+    ExecuteRequest::DeployStack(DeployStack {
+      stack,
+      service: None,
+      stop_time: None,
+    })
+  }
+}
+
+impl Resolve<BatchDeployStack, (User, Update)> for State {
+  #[instrument(name = "BatchDeployStack", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchDeployStack { pattern }: BatchDeployStack,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchDeployStack>(&pattern, &user).await
+  }
+}
+
 impl Resolve<DeployStack, (User, Update)> for State {
   #[instrument(name = "DeployStack", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(
     &self,
-    DeployStack { stack, stop_time }: DeployStack,
+    DeployStack {
+      stack,
+      service,
+      stop_time,
+    }: DeployStack,
     (user, mut update): (User, Update),
   ) -> anyhow::Result<Update> {
     let (mut stack, server) = get_stack_and_server(
@@ -58,6 +88,13 @@ impl Resolve<DeployStack, (User, Update)> for State {
 
     update_update(update.clone()).await?;
 
+    if let Some(service) = &service {
+      update.logs.push(Log::simple(
+        &format!("Service: {service}"),
+        format!("Execution requested for Stack service {service}"),
+      ))
+    }
+
     let git_token = crate::helpers::git_token(
       &stack.config.git_provider,
       &stack.config.git_account,
@@ -81,7 +118,14 @@ impl Resolve<DeployStack, (User, Update)> for State {
       let mut global_replacers = HashSet::new();
       let mut secret_replacers = HashSet::new();
 
-      interpolate_variables_secrets_into_environment(
+      interpolate_variables_secrets_into_string(
+        &vars_and_secrets,
+        &mut stack.config.file_contents,
+        &mut global_replacers,
+        &mut secret_replacers,
+      )?;
+
+      interpolate_variables_secrets_into_string(
         &vars_and_secrets,
         &mut stack.config.environment,
         &mut global_replacers,
@@ -102,6 +146,13 @@ impl Resolve<DeployStack, (User, Update)> for State {
         &mut secret_replacers,
       )?;
 
+      interpolate_variables_secrets_into_system_command(
+        &vars_and_secrets,
+        &mut stack.config.pre_deploy,
+        &mut global_replacers,
+        &mut secret_replacers,
+      )?;
+
       add_interp_update_log(
         &mut update,
         &global_replacers,
@@ -116,6 +167,7 @@ impl Resolve<DeployStack, (User, Update)> for State {
     let ComposeUpResponse {
       logs,
       deployed,
+      services,
       file_contents,
       missing_files,
       remote_errors,
@@ -124,7 +176,7 @@ impl Resolve<DeployStack, (User, Update)> for State {
     } = periphery_client(&server)?
       .request(ComposeUp {
         stack: stack.clone(),
-        service: None,
+        service,
         git_token,
         registry_token,
         replacers: secret_replacers.into_iter().collect(),
@@ -134,26 +186,15 @@ impl Resolve<DeployStack, (User, Update)> for State {
     update.logs.extend(logs);
 
     let update_info = async {
-      let latest_services = if !file_contents.is_empty() {
-        let mut services = Vec::new();
-        for contents in &file_contents {
-          if let Err(e) = extract_services_into_res(
-            &stack.project_name(true),
-            &contents.contents,
-            &mut services,
-          ) {
-            update.push_error_log(
-              "extract services",
-              format_serror(&e.context(format!("Failed to extract stack services for compose file path {}. Things probably won't work correctly", contents.path)).into())
-            );
-          }
-        }
-        services
-      } else {
+      let latest_services = if services.is_empty() {
         // maybe better to do something else here for services.
         stack.info.latest_services.clone()
+      } else {
+        services
       };
 
+      // This ensures to get the latest project name,
+      // as it may have changed since the last deploy.
       let project_name = stack.project_name(true);
 
       let (
@@ -203,7 +244,6 @@ impl Resolve<DeployStack, (User, Update)> for State {
         .context("failed to serialize stack info to bson")?;
 
       db_client()
-        .await
         .stacks
         .update_one(
           doc! { "name": &stack.name },
@@ -234,6 +274,182 @@ impl Resolve<DeployStack, (User, Update)> for State {
   }
 }
 
+impl super::BatchExecute for BatchDeployStackIfChanged {
+  type Resource = Stack;
+  fn single_request(stack: String) -> ExecuteRequest {
+    ExecuteRequest::DeployStackIfChanged(DeployStackIfChanged {
+      stack,
+      stop_time: None,
+    })
+  }
+}
+
+impl Resolve<BatchDeployStackIfChanged, (User, Update)> for State {
+  #[instrument(name = "BatchDeployStackIfChanged", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchDeployStackIfChanged { pattern }: BatchDeployStackIfChanged,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchDeployStackIfChanged>(&pattern, &user)
+      .await
+  }
+}
+
+impl Resolve<DeployStackIfChanged, (User, Update)> for State {
+  #[instrument(name = "DeployStackIfChanged", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    DeployStackIfChanged { stack, stop_time }: DeployStackIfChanged,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    let stack = resource::get_check_permissions::<Stack>(
+      &stack,
+      &user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+    State
+      .resolve(
+        RefreshStackCache {
+          stack: stack.id.clone(),
+        },
+        user.clone(),
+      )
+      .await?;
+    let stack = resource::get::<Stack>(&stack.id).await?;
+    let changed = match (
+      &stack.info.deployed_contents,
+      &stack.info.remote_contents,
+    ) {
+      (Some(deployed_contents), Some(latest_contents)) => {
+        let changed = || {
+          for latest in latest_contents {
+            let Some(deployed) = deployed_contents
+              .iter()
+              .find(|c| c.path == latest.path)
+            else {
+              return true;
+            };
+            if latest.contents != deployed.contents {
+              return true;
+            }
+          }
+          false
+        };
+        changed()
+      }
+      (None, _) => true,
+      _ => false,
+    };
+
+    if !changed {
+      update.push_simple_log(
+        "Diff compose files",
+        String::from("Deploy cancelled after no changes detected."),
+      );
+      update.finalize();
+      return Ok(update);
+    }
+
+    // Don't actually send it here, let the handler send it after it can set action state.
+    // This is usually done in crate::helpers::update::init_execution_update.
+    update.id = add_update_without_send(&update).await?;
+
+    State
+      .resolve(
+        DeployStack {
+          stack: stack.name,
+          service: None,
+          stop_time,
+        },
+        (user, update),
+      )
+      .await
+  }
+}
+
+pub async fn pull_stack_inner(
+  mut stack: Stack,
+  service: Option<String>,
+  server: &Server,
+  update: Option<&mut Update>,
+) -> anyhow::Result<ComposePullResponse> {
+  if let (Some(service), Some(update)) = (&service, update) {
+    update.logs.push(Log::simple(
+      &format!("Service: {service}"),
+      format!("Execution requested for Stack service {service}"),
+    ))
+  }
+
+  let git_token = crate::helpers::git_token(
+      &stack.config.git_provider,
+      &stack.config.git_account,
+      |https| stack.config.git_https = https,
+    ).await.with_context(
+      || format!("Failed to get git token in call to db. Stopping run. | {} | {}", stack.config.git_provider, stack.config.git_account),
+    )?;
+
+  let registry_token = crate::helpers::registry_token(
+      &stack.config.registry_provider,
+      &stack.config.registry_account,
+    ).await.with_context(
+      || format!("Failed to get registry token in call to db. Stopping run. | {} | {}", stack.config.registry_provider, stack.config.registry_account),
+    )?;
+
+  let res = periphery_client(server)?
+    .request(ComposePull {
+      stack,
+      service,
+      git_token,
+      registry_token,
+    })
+    .await?;
+
+  // Ensure cached stack state up to date by updating server cache
+  update_cache_for_server(server).await;
+
+  Ok(res)
+}
+
+impl Resolve<PullStack, (User, Update)> for State {
+  #[instrument(name = "PullStack", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    PullStack { stack, service }: PullStack,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    let (stack, server) = get_stack_and_server(
+      &stack,
+      &user,
+      PermissionLevel::Execute,
+      true,
+    )
+    .await?;
+
+    // get the action state for the stack (or insert default).
+    let action_state =
+      action_states().stack.get_or_insert_default(&stack.id).await;
+
+    // Will check to ensure stack not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.pulling = true)?;
+
+    update_update(update.clone()).await?;
+
+    let res =
+      pull_stack_inner(stack, service, &server, Some(&mut update))
+        .await?;
+
+    update.logs.extend(res.logs);
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
 impl Resolve<StartStack, (User, Update)> for State {
   #[instrument(name = "StartStack", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(
@@ -335,12 +551,36 @@ impl Resolve<StopStack, (User, Update)> for State {
   }
 }
 
+impl super::BatchExecute for BatchDestroyStack {
+  type Resource = Stack;
+  fn single_request(stack: String) -> ExecuteRequest {
+    ExecuteRequest::DestroyStack(DestroyStack {
+      stack,
+      service: None,
+      remove_orphans: false,
+      stop_time: None,
+    })
+  }
+}
+
+impl Resolve<BatchDestroyStack, (User, Update)> for State {
+  #[instrument(name = "BatchDestroyStack", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchDestroyStack { pattern }: BatchDestroyStack,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchDestroyStack>(&pattern, &user).await
+  }
+}
+
 impl Resolve<DestroyStack, (User, Update)> for State {
   #[instrument(name = "DestroyStack", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(
     &self,
     DestroyStack {
       stack,
+      service,
       remove_orphans,
       stop_time,
     }: DestroyStack,
@@ -348,7 +588,7 @@ impl Resolve<DestroyStack, (User, Update)> for State {
   ) -> anyhow::Result<Update> {
     execute_compose::<DestroyStack>(
       &stack,
-      None,
+      service,
       &user,
       |state| state.destroying = true,
       update,

bin/core/src/api/execute/sync.rs

@@ -1,12 +1,12 @@
-use std::collections::HashMap;
+use std::{collections::HashMap, str::FromStr};
 
 use anyhow::{anyhow, Context};
 use formatting::{colored, format_serror, Color};
-use mongo_indexed::doc;
 use komodo_client::{
   api::{execute::RunSync, write::RefreshResourceSyncPending},
   entities::{
     self,
+    action::Action,
     alerter::Alerter,
     build::Build,
     builder::Builder,
@@ -18,35 +18,42 @@ use komodo_client::{
     server::Server,
     server_template::ServerTemplate,
     stack::Stack,
+    sync::ResourceSync,
     update::{Log, Update},
     user::{sync_user, User},
+    ResourceTargetVariant,
   },
 };
-use mungos::{by_id::update_one_by_id, mongodb::bson::to_document};
+use mongo_indexed::doc;
+use mungos::{
+  by_id::update_one_by_id,
+  mongodb::bson::{oid::ObjectId, to_document},
+};
 use resolver_api::Resolve;
 
 use crate::{
-  helpers::{
-    query::get_id_to_tags,
-    sync::{
-      deploy::{
-        build_deploy_cache, deploy_from_cache, SyncDeployParams,
-      },
-      resource::{
-        get_updates_for_execution, AllResourcesById, ResourceSync,
-      },
-    },
-    update::update_update,
-  },
+  helpers::{query::get_id_to_tags, update::update_update},
   resource::{self, refresh_resource_sync_state_cache},
-  state::{db_client, State},
+  state::{action_states, db_client, State},
+  sync::{
+    deploy::{
+      build_deploy_cache, deploy_from_cache, SyncDeployParams,
+    },
+    execute::{get_updates_for_execution, ExecuteResourceSync},
+    remote::RemoteResources,
+    AllResourcesById, ResourceSyncTrait,
+  },
 };
 
 impl Resolve<RunSync, (User, Update)> for State {
   #[instrument(name = "RunSync", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(
     &self,
-    RunSync { sync }: RunSync,
+    RunSync {
+      sync,
+      resource_type: match_resource_type,
+      resources: match_resources,
+    }: RunSync,
     (user, mut update): (User, Update),
   ) -> anyhow::Result<Update> {
     let sync = resource::get_check_permissions::<
@@ -54,34 +61,134 @@ impl Resolve<RunSync, (User, Update)> for State {
     >(&sync, &user, PermissionLevel::Execute)
     .await?;
 
-    if sync.config.repo.is_empty() {
-      return Err(anyhow!("resource sync repo not configured"));
-    }
+    // get the action state for the sync (or insert default).
+    let action_state = action_states()
+      .resource_sync
+      .get_or_insert_default(&sync.id)
+      .await;
+
+    // This will set action state back to default when dropped.
+    // Will also check to ensure sync not already busy before updating.
+    let _action_guard =
+      action_state.update(|state| state.syncing = true)?;
 
     // Send update here for FE to recheck action state
     update_update(update.clone()).await?;
 
-    let (res, logs, hash, message) =
-      crate::helpers::sync::remote::get_remote_resources(&sync)
-        .await
-        .context("failed to get remote resources")?;
+    let RemoteResources {
+      resources,
+      logs,
+      hash,
+      message,
+      file_errors,
+      ..
+    } = crate::sync::remote::get_remote_resources(&sync)
+      .await
+      .context("failed to get remote resources")?;
 
     update.logs.extend(logs);
     update_update(update.clone()).await?;
 
-    let resources = res?;
+    if !file_errors.is_empty() {
+      return Err(anyhow!("Found file errors. Cannot execute sync."));
+    }
+
+    let resources = resources?;
 
     let id_to_tags = get_id_to_tags(None).await?;
     let all_resources = AllResourcesById::load().await?;
+    // Convert all match_resources to names
+    let match_resources = match_resources.map(|resources| {
+      resources
+        .into_iter()
+        .filter_map(|name_or_id| {
+          let Some(resource_type) = match_resource_type else {
+            return Some(name_or_id);
+          };
+          match ObjectId::from_str(&name_or_id) {
+            Ok(_) => match resource_type {
+              ResourceTargetVariant::Alerter => all_resources
+                .alerters
+                .get(&name_or_id)
+                .map(|a| a.name.clone()),
+              ResourceTargetVariant::Build => all_resources
+                .builds
+                .get(&name_or_id)
+                .map(|b| b.name.clone()),
+              ResourceTargetVariant::Builder => all_resources
+                .builders
+                .get(&name_or_id)
+                .map(|b| b.name.clone()),
+              ResourceTargetVariant::Deployment => all_resources
+                .deployments
+                .get(&name_or_id)
+                .map(|d| d.name.clone()),
+              ResourceTargetVariant::Procedure => all_resources
+                .procedures
+                .get(&name_or_id)
+                .map(|p| p.name.clone()),
+              ResourceTargetVariant::Action => all_resources
+                .actions
+                .get(&name_or_id)
+                .map(|p| p.name.clone()),
+              ResourceTargetVariant::Repo => all_resources
+                .repos
+                .get(&name_or_id)
+                .map(|r| r.name.clone()),
+              ResourceTargetVariant::Server => all_resources
+                .servers
+                .get(&name_or_id)
+                .map(|s| s.name.clone()),
+              ResourceTargetVariant::ServerTemplate => all_resources
+                .templates
+                .get(&name_or_id)
+                .map(|t| t.name.clone()),
+              ResourceTargetVariant::Stack => all_resources
+                .stacks
+                .get(&name_or_id)
+                .map(|s| s.name.clone()),
+              ResourceTargetVariant::ResourceSync => all_resources
+                .syncs
+                .get(&name_or_id)
+                .map(|s| s.name.clone()),
+              ResourceTargetVariant::System => None,
+            },
+            Err(_) => Some(name_or_id),
+          }
+        })
+        .collect::<Vec<_>>()
+    });
 
     let deployments_by_name = all_resources
       .deployments
       .values()
+      .filter(|deployment| {
+        Deployment::include_resource(
+          &deployment.name,
+          &deployment.config,
+          match_resource_type,
+          match_resources.as_deref(),
+          &deployment.tags,
+          &id_to_tags,
+          &sync.config.match_tags,
+        )
+      })
       .map(|deployment| (deployment.name.clone(), deployment.clone()))
       .collect::<HashMap<_, _>>();
     let stacks_by_name = all_resources
       .stacks
       .values()
+      .filter(|stack| {
+        Stack::include_resource(
+          &stack.name,
+          &stack.config,
+          match_resource_type,
+          match_resources.as_deref(),
+          &stack.tags,
+          &id_to_tags,
+          &sync.config.match_tags,
+        )
+      })
       .map(|stack| (stack.name.clone(), stack.clone()))
       .collect::<HashMap<_, _>>();
 
@@ -94,12 +201,17 @@ impl Resolve<RunSync, (User, Update)> for State {
     })
     .await?;
 
+    let delete = sync.config.managed || sync.config.delete;
+
     let (servers_to_create, servers_to_update, servers_to_delete) =
       get_updates_for_execution::<Server>(
         resources.servers,
-        sync.config.delete,
+        delete,
         &all_resources,
+        match_resource_type,
+        match_resources.as_deref(),
         &id_to_tags,
+        &sync.config.match_tags,
       )
       .await?;
     let (
@@ -108,33 +220,45 @@ impl Resolve<RunSync, (User, Update)> for State {
       deployments_to_delete,
     ) = get_updates_for_execution::<Deployment>(
       resources.deployments,
-      sync.config.delete,
+      delete,
       &all_resources,
+      match_resource_type,
+      match_resources.as_deref(),
       &id_to_tags,
+      &sync.config.match_tags,
     )
     .await?;
     let (stacks_to_create, stacks_to_update, stacks_to_delete) =
       get_updates_for_execution::<Stack>(
         resources.stacks,
-        sync.config.delete,
+        delete,
         &all_resources,
+        match_resource_type,
+        match_resources.as_deref(),
         &id_to_tags,
+        &sync.config.match_tags,
       )
       .await?;
     let (builds_to_create, builds_to_update, builds_to_delete) =
       get_updates_for_execution::<Build>(
         resources.builds,
-        sync.config.delete,
+        delete,
         &all_resources,
+        match_resource_type,
+        match_resources.as_deref(),
         &id_to_tags,
+        &sync.config.match_tags,
       )
       .await?;
     let (repos_to_create, repos_to_update, repos_to_delete) =
       get_updates_for_execution::<Repo>(
         resources.repos,
-        sync.config.delete,
+        delete,
         &all_resources,
+        match_resource_type,
+        match_resources.as_deref(),
         &id_to_tags,
+        &sync.config.match_tags,
       )
       .await?;
     let (
@@ -143,25 +267,45 @@ impl Resolve<RunSync, (User, Update)> for State {
       procedures_to_delete,
     ) = get_updates_for_execution::<Procedure>(
       resources.procedures,
-      sync.config.delete,
+      delete,
       &all_resources,
+      match_resource_type,
+      match_resources.as_deref(),
       &id_to_tags,
+      &sync.config.match_tags,
     )
     .await?;
+    let (actions_to_create, actions_to_update, actions_to_delete) =
+      get_updates_for_execution::<Action>(
+        resources.actions,
+        delete,
+        &all_resources,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?;
     let (builders_to_create, builders_to_update, builders_to_delete) =
       get_updates_for_execution::<Builder>(
         resources.builders,
-        sync.config.delete,
+        delete,
         &all_resources,
+        match_resource_type,
+        match_resources.as_deref(),
         &id_to_tags,
+        &sync.config.match_tags,
       )
       .await?;
     let (alerters_to_create, alerters_to_update, alerters_to_delete) =
       get_updates_for_execution::<Alerter>(
         resources.alerters,
-        sync.config.delete,
+        delete,
         &all_resources,
+        match_resource_type,
+        match_resources.as_deref(),
         &id_to_tags,
+        &sync.config.match_tags,
       )
       .await?;
     let (
@@ -170,9 +314,12 @@ impl Resolve<RunSync, (User, Update)> for State {
       server_templates_to_delete,
     ) = get_updates_for_execution::<ServerTemplate>(
       resources.server_templates,
-      sync.config.delete,
+      delete,
       &all_resources,
+      match_resource_type,
+      match_resources.as_deref(),
       &id_to_tags,
+      &sync.config.match_tags,
     )
     .await?;
     let (
@@ -181,30 +328,50 @@ impl Resolve<RunSync, (User, Update)> for State {
       resource_syncs_to_delete,
     ) = get_updates_for_execution::<entities::sync::ResourceSync>(
       resources.resource_syncs,
-      sync.config.delete,
+      delete,
       &all_resources,
+      match_resource_type,
+      match_resources.as_deref(),
       &id_to_tags,
+      &sync.config.match_tags,
     )
     .await?;
+
     let (
       variables_to_create,
       variables_to_update,
       variables_to_delete,
-    ) = crate::helpers::sync::variables::get_updates_for_execution(
-      resources.variables,
-      sync.config.delete,
-    )
-    .await?;
+    ) = if match_resource_type.is_none()
+      && match_resources.is_none()
+      && sync.config.match_tags.is_empty()
+    {
+      crate::sync::variables::get_updates_for_execution(
+        resources.variables,
+        // Delete doesn't work with variables when match tags are set
+        sync.config.match_tags.is_empty() && delete,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
     let (
       user_groups_to_create,
       user_groups_to_update,
       user_groups_to_delete,
-    ) = crate::helpers::sync::user_groups::get_updates_for_execution(
-      resources.user_groups,
-      sync.config.delete,
-      &all_resources,
-    )
-    .await?;
+    ) = if match_resource_type.is_none()
+      && match_resources.is_none()
+      && sync.config.match_tags.is_empty()
+    {
+      crate::sync::user_groups::get_updates_for_execution(
+        resources.user_groups,
+        // Delete doesn't work with user groups when match tags are set
+        sync.config.match_tags.is_empty() && delete,
+        &all_resources,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
 
     if deploy_cache.is_empty()
       && resource_syncs_to_create.is_empty()
@@ -237,6 +404,9 @@ impl Resolve<RunSync, (User, Update)> for State {
       && procedures_to_create.is_empty()
       && procedures_to_update.is_empty()
       && procedures_to_delete.is_empty()
+      && actions_to_create.is_empty()
+      && actions_to_update.is_empty()
+      && actions_to_delete.is_empty()
       && user_groups_to_create.is_empty()
       && user_groups_to_update.is_empty()
       && user_groups_to_delete.is_empty()
@@ -261,7 +431,7 @@ impl Resolve<RunSync, (User, Update)> for State {
     // No deps
     maybe_extend(
       &mut update.logs,
-      crate::helpers::sync::variables::run_updates(
+      crate::sync::variables::run_updates(
         variables_to_create,
         variables_to_update,
         variables_to_delete,
@@ -270,7 +440,7 @@ impl Resolve<RunSync, (User, Update)> for State {
     );
     maybe_extend(
       &mut update.logs,
-      crate::helpers::sync::user_groups::run_updates(
+      crate::sync::user_groups::run_updates(
         user_groups_to_create,
         user_groups_to_update,
         user_groups_to_delete,
@@ -279,7 +449,7 @@ impl Resolve<RunSync, (User, Update)> for State {
     );
     maybe_extend(
       &mut update.logs,
-      entities::sync::ResourceSync::run_updates(
+      ResourceSync::execute_sync_updates(
         resource_syncs_to_create,
         resource_syncs_to_update,
         resource_syncs_to_delete,
@@ -288,7 +458,7 @@ impl Resolve<RunSync, (User, Update)> for State {
     );
     maybe_extend(
       &mut update.logs,
-      ServerTemplate::run_updates(
+      ServerTemplate::execute_sync_updates(
         server_templates_to_create,
         server_templates_to_update,
         server_templates_to_delete,
@@ -297,7 +467,7 @@ impl Resolve<RunSync, (User, Update)> for State {
     );
     maybe_extend(
       &mut update.logs,
-      Server::run_updates(
+      Server::execute_sync_updates(
         servers_to_create,
         servers_to_update,
         servers_to_delete,
@@ -306,18 +476,27 @@ impl Resolve<RunSync, (User, Update)> for State {
     );
     maybe_extend(
       &mut update.logs,
-      Alerter::run_updates(
+      Alerter::execute_sync_updates(
         alerters_to_create,
         alerters_to_update,
         alerters_to_delete,
       )
       .await,
     );
+    maybe_extend(
+      &mut update.logs,
+      Action::execute_sync_updates(
+        actions_to_create,
+        actions_to_update,
+        actions_to_delete,
+      )
+      .await,
+    );
 
     // Dependent on server
     maybe_extend(
       &mut update.logs,
-      Builder::run_updates(
+      Builder::execute_sync_updates(
         builders_to_create,
         builders_to_update,
         builders_to_delete,
@@ -326,7 +505,7 @@ impl Resolve<RunSync, (User, Update)> for State {
     );
     maybe_extend(
       &mut update.logs,
-      Repo::run_updates(
+      Repo::execute_sync_updates(
         repos_to_create,
         repos_to_update,
         repos_to_delete,
@@ -337,7 +516,7 @@ impl Resolve<RunSync, (User, Update)> for State {
     // Dependant on builder
     maybe_extend(
       &mut update.logs,
-      Build::run_updates(
+      Build::execute_sync_updates(
         builds_to_create,
         builds_to_update,
         builds_to_delete,
@@ -348,7 +527,7 @@ impl Resolve<RunSync, (User, Update)> for State {
     // Dependant on server / build
     maybe_extend(
       &mut update.logs,
-      Deployment::run_updates(
+      Deployment::execute_sync_updates(
         deployments_to_create,
         deployments_to_update,
         deployments_to_delete,
@@ -358,7 +537,7 @@ impl Resolve<RunSync, (User, Update)> for State {
     // stack only depends on server, but maybe will depend on build later.
     maybe_extend(
       &mut update.logs,
-      Stack::run_updates(
+      Stack::execute_sync_updates(
         stacks_to_create,
         stacks_to_update,
         stacks_to_delete,
@@ -369,7 +548,7 @@ impl Resolve<RunSync, (User, Update)> for State {
     // Dependant on everything
     maybe_extend(
       &mut update.logs,
-      Procedure::run_updates(
+      Procedure::execute_sync_updates(
         procedures_to_create,
         procedures_to_update,
         procedures_to_delete,
@@ -380,7 +559,7 @@ impl Resolve<RunSync, (User, Update)> for State {
     // Execute the deploy cache
     deploy_from_cache(deploy_cache, &mut update.logs).await;
 
-    let db = db_client().await;
+    let db = db_client();
 
     if let Err(e) = update_one_by_id(
       &db.resource_syncs,

bin/core/src/api/read/action.rs

@@ -0,0 +1,132 @@
+use anyhow::Context;
+use komodo_client::{
+  api::read::*,
+  entities::{
+    action::{
+      Action, ActionActionState, ActionListItem, ActionState,
+    },
+    permission::PermissionLevel,
+    user::User,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::query::get_all_tags,
+  resource,
+  state::{action_state_cache, action_states, State},
+};
+
+impl Resolve<GetAction, User> for State {
+  async fn resolve(
+    &self,
+    GetAction { action }: GetAction,
+    user: User,
+  ) -> anyhow::Result<Action> {
+    resource::get_check_permissions::<Action>(
+      &action,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await
+  }
+}
+
+impl Resolve<ListActions, User> for State {
+  async fn resolve(
+    &self,
+    ListActions { query }: ListActions,
+    user: User,
+  ) -> anyhow::Result<Vec<ActionListItem>> {
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_for_user::<Action>(query, &user, &all_tags).await
+  }
+}
+
+impl Resolve<ListFullActions, User> for State {
+  async fn resolve(
+    &self,
+    ListFullActions { query }: ListFullActions,
+    user: User,
+  ) -> anyhow::Result<ListFullActionsResponse> {
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_full_for_user::<Action>(query, &user, &all_tags)
+      .await
+  }
+}
+
+impl Resolve<GetActionActionState, User> for State {
+  async fn resolve(
+    &self,
+    GetActionActionState { action }: GetActionActionState,
+    user: User,
+  ) -> anyhow::Result<ActionActionState> {
+    let action = resource::get_check_permissions::<Action>(
+      &action,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let action_state = action_states()
+      .action
+      .get(&action.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<GetActionsSummary, User> for State {
+  async fn resolve(
+    &self,
+    GetActionsSummary {}: GetActionsSummary,
+    user: User,
+  ) -> anyhow::Result<GetActionsSummaryResponse> {
+    let actions = resource::list_full_for_user::<Action>(
+      Default::default(),
+      &user,
+      &[],
+    )
+    .await
+    .context("failed to get actions from db")?;
+
+    let mut res = GetActionsSummaryResponse::default();
+
+    let cache = action_state_cache();
+    let action_states = action_states();
+
+    for action in actions {
+      res.total += 1;
+
+      match (
+        cache.get(&action.id).await.unwrap_or_default(),
+        action_states
+          .action
+          .get(&action.id)
+          .await
+          .unwrap_or_default()
+          .get()?,
+      ) {
+        (_, action_states) if action_states.running => {
+          res.running += 1;
+        }
+        (ActionState::Ok, _) => res.ok += 1,
+        (ActionState::Failed, _) => res.failed += 1,
+        (ActionState::Unknown, _) => res.unknown += 1,
+        // will never come off the cache in the running state, since that comes from action states
+        (ActionState::Running, _) => unreachable!(),
+      }
+    }
+
+    Ok(res)
+  }
+}

bin/core/src/api/read/alert.rs

@@ -3,7 +3,10 @@ use komodo_client::{
   api::read::{
     GetAlert, GetAlertResponse, ListAlerts, ListAlertsResponse,
   },
-  entities::{deployment::Deployment, server::Server, user::User},
+  entities::{
+    deployment::Deployment, server::Server, stack::Stack,
+    sync::ResourceSync, user::User,
+  },
 };
 use mungos::{
   by_id::find_one_by_id,
@@ -30,18 +33,24 @@ impl Resolve<ListAlerts, User> for State {
     if !user.admin && !core_config().transparent_mode {
       let server_ids =
         get_resource_ids_for_user::<Server>(&user).await?;
+      let stack_ids =
+        get_resource_ids_for_user::<Stack>(&user).await?;
       let deployment_ids =
         get_resource_ids_for_user::<Deployment>(&user).await?;
+      let sync_ids =
+        get_resource_ids_for_user::<ResourceSync>(&user).await?;
       query.extend(doc! {
         "$or": [
           { "target.type": "Server", "target.id": { "$in": &server_ids } },
+          { "target.type": "Stack", "target.id": { "$in": &stack_ids } },
           { "target.type": "Deployment", "target.id": { "$in": &deployment_ids } },
+          { "target.type": "ResourceSync", "target.id": { "$in": &sync_ids } },
         ]
       });
     }
 
     let alerts = find_collect(
-      &db_client().await.alerts,
+      &db_client().alerts,
       query,
       FindOptions::builder()
         .sort(doc! { "ts": -1 })
@@ -70,7 +79,7 @@ impl Resolve<GetAlert, User> for State {
     GetAlert { id }: GetAlert,
     _: User,
   ) -> anyhow::Result<GetAlertResponse> {
-    find_one_by_id(&db_client().await.alerts, &id)
+    find_one_by_id(&db_client().alerts, &id)
       .await
       .context("failed to query db for alert")?
       .context("no alert found with given id")

bin/core/src/api/read/alerter.rs

@@ -1,5 +1,4 @@
 use anyhow::Context;
-use mongo_indexed::Document;
 use komodo_client::{
   api::read::*,
   entities::{
@@ -8,10 +7,12 @@ use komodo_client::{
     user::User,
   },
 };
+use mongo_indexed::Document;
 use mungos::mongodb::bson::doc;
 use resolver_api::Resolve;
 
 use crate::{
+  helpers::query::get_all_tags,
   resource,
   state::{db_client, State},
 };
@@ -37,7 +38,12 @@ impl Resolve<ListAlerters, User> for State {
     ListAlerters { query }: ListAlerters,
     user: User,
   ) -> anyhow::Result<Vec<AlerterListItem>> {
-    resource::list_for_user::<Alerter>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_for_user::<Alerter>(query, &user, &all_tags).await
   }
 }
 
@@ -47,7 +53,13 @@ impl Resolve<ListFullAlerters, User> for State {
     ListFullAlerters { query }: ListFullAlerters,
     user: User,
   ) -> anyhow::Result<ListFullAlertersResponse> {
-    resource::list_full_for_user::<Alerter>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_full_for_user::<Alerter>(query, &user, &all_tags)
+      .await
   }
 }
 
@@ -57,17 +69,17 @@ impl Resolve<GetAlertersSummary, User> for State {
     GetAlertersSummary {}: GetAlertersSummary,
     user: User,
   ) -> anyhow::Result<GetAlertersSummaryResponse> {
-    let query =
-      match resource::get_resource_ids_for_user::<Alerter>(&user)
-        .await?
-      {
-        Some(ids) => doc! {
-          "_id": { "$in": ids }
-        },
-        None => Document::new(),
-      };
+    let query = match resource::get_resource_object_ids_for_user::<
+      Alerter,
+    >(&user)
+    .await?
+    {
+      Some(ids) => doc! {
+        "_id": { "$in": ids }
+      },
+      None => Document::new(),
+    };
     let total = db_client()
-      .await
       .alerters
       .count_documents(query)
       .await

bin/core/src/api/read/build.rs

@@ -22,6 +22,7 @@ use resolver_api::Resolve;
 
 use crate::{
   config::core_config,
+  helpers::query::get_all_tags,
   resource,
   state::{
     action_states, build_state_cache, db_client, github_client, State,
@@ -49,7 +50,12 @@ impl Resolve<ListBuilds, User> for State {
     ListBuilds { query }: ListBuilds,
     user: User,
   ) -> anyhow::Result<Vec<BuildListItem>> {
-    resource::list_for_user::<Build>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_for_user::<Build>(query, &user, &all_tags).await
   }
 }
 
@@ -59,7 +65,13 @@ impl Resolve<ListFullBuilds, User> for State {
     ListFullBuilds { query }: ListFullBuilds,
     user: User,
   ) -> anyhow::Result<ListFullBuildsResponse> {
-    resource::list_full_for_user::<Build>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_full_for_user::<Build>(query, &user, &all_tags)
+      .await
   }
 }
 
@@ -94,6 +106,7 @@ impl Resolve<GetBuildsSummary, User> for State {
     let builds = resource::list_full_for_user::<Build>(
       Default::default(),
       &user,
+      &[],
     )
     .await
     .context("failed to get all builds")?;
@@ -145,7 +158,6 @@ impl Resolve<GetBuildMonthlyStats, User> for State {
     let open_ts = close_ts - 30 * ONE_DAY_MS;
 
     let mut build_updates = db_client()
-      .await
       .updates
       .find(doc! {
         "start_ts": {
@@ -229,7 +241,7 @@ impl Resolve<ListBuildVersions, User> for State {
     }
 
     let versions = find_collect(
-      &db_client().await.updates,
+      &db_client().updates,
       filter,
       FindOptions::builder()
         .sort(doc! { "_id": -1 })
@@ -253,9 +265,15 @@ impl Resolve<ListCommonBuildExtraArgs, User> for State {
     ListCommonBuildExtraArgs { query }: ListCommonBuildExtraArgs,
     user: User,
   ) -> anyhow::Result<ListCommonBuildExtraArgsResponse> {
-    let builds = resource::list_full_for_user::<Build>(query, &user)
-      .await
-      .context("failed to get resources matching query")?;
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let builds =
+      resource::list_full_for_user::<Build>(query, &user, &all_tags)
+        .await
+        .context("failed to get resources matching query")?;
 
     // first collect with guaranteed uniqueness
     let mut res = HashSet::<String>::new();
@@ -328,7 +346,11 @@ impl Resolve<GetBuildWebhookEnabled, User> for State {
       ..
     } = core_config();
 
-    let host = webhook_base_url.as_ref().unwrap_or(host);
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
     let url = format!("{host}/listener/github/build/{}", build.id);
 
     for webhook in webhooks {

bin/core/src/api/read/builder.rs

@@ -1,5 +1,4 @@
 use anyhow::Context;
-use mongo_indexed::Document;
 use komodo_client::{
   api::read::*,
   entities::{
@@ -8,10 +7,12 @@ use komodo_client::{
     user::User,
   },
 };
+use mongo_indexed::Document;
 use mungos::mongodb::bson::doc;
 use resolver_api::Resolve;
 
 use crate::{
+  helpers::query::get_all_tags,
   resource,
   state::{db_client, State},
 };
@@ -37,7 +38,12 @@ impl Resolve<ListBuilders, User> for State {
     ListBuilders { query }: ListBuilders,
     user: User,
   ) -> anyhow::Result<Vec<BuilderListItem>> {
-    resource::list_for_user::<Builder>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_for_user::<Builder>(query, &user, &all_tags).await
   }
 }
 
@@ -47,7 +53,13 @@ impl Resolve<ListFullBuilders, User> for State {
     ListFullBuilders { query }: ListFullBuilders,
     user: User,
   ) -> anyhow::Result<ListFullBuildersResponse> {
-    resource::list_full_for_user::<Builder>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_full_for_user::<Builder>(query, &user, &all_tags)
+      .await
   }
 }
 
@@ -57,17 +69,17 @@ impl Resolve<GetBuildersSummary, User> for State {
     GetBuildersSummary {}: GetBuildersSummary,
     user: User,
   ) -> anyhow::Result<GetBuildersSummaryResponse> {
-    let query =
-      match resource::get_resource_ids_for_user::<Builder>(&user)
-        .await?
-      {
-        Some(ids) => doc! {
-          "_id": { "$in": ids }
-        },
-        None => Document::new(),
-      };
+    let query = match resource::get_resource_object_ids_for_user::<
+      Builder,
+    >(&user)
+    .await?
+    {
+      Some(ids) => doc! {
+        "_id": { "$in": ids }
+      },
+      None => Document::new(),
+    };
     let total = db_client()
-      .await
       .builders
       .count_documents(query)
       .await

bin/core/src/api/read/deployment.rs

@@ -19,7 +19,7 @@ use periphery_client::api;
 use resolver_api::Resolve;
 
 use crate::{
-  helpers::periphery_client,
+  helpers::{periphery_client, query::get_all_tags},
   resource,
   state::{action_states, deployment_status_cache, State},
 };
@@ -45,7 +45,13 @@ impl Resolve<ListDeployments, User> for State {
     ListDeployments { query }: ListDeployments,
     user: User,
   ) -> anyhow::Result<Vec<DeploymentListItem>> {
-    resource::list_for_user::<Deployment>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_for_user::<Deployment>(query, &user, &all_tags)
+      .await
   }
 }
 
@@ -55,7 +61,15 @@ impl Resolve<ListFullDeployments, User> for State {
     ListFullDeployments { query }: ListFullDeployments,
     user: User,
   ) -> anyhow::Result<ListFullDeploymentsResponse> {
-    resource::list_full_for_user::<Deployment>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_full_for_user::<Deployment>(
+      query, &user, &all_tags,
+    )
+    .await
   }
 }
 
@@ -88,7 +102,11 @@ const MAX_LOG_LENGTH: u64 = 5000;
 impl Resolve<GetDeploymentLog, User> for State {
   async fn resolve(
     &self,
-    GetDeploymentLog { deployment, tail }: GetDeploymentLog,
+    GetDeploymentLog {
+      deployment,
+      tail,
+      timestamps,
+    }: GetDeploymentLog,
     user: User,
   ) -> anyhow::Result<Log> {
     let Deployment {
@@ -109,6 +127,7 @@ impl Resolve<GetDeploymentLog, User> for State {
       .request(api::container::GetContainerLog {
         name,
         tail: cmp::min(tail, MAX_LOG_LENGTH),
+        timestamps,
       })
       .await
       .context("failed at call to periphery")
@@ -123,6 +142,7 @@ impl Resolve<SearchDeploymentLog, User> for State {
       terms,
       combinator,
       invert,
+      timestamps,
     }: SearchDeploymentLog,
     user: User,
   ) -> anyhow::Result<Log> {
@@ -146,6 +166,7 @@ impl Resolve<SearchDeploymentLog, User> for State {
         terms,
         combinator,
         invert,
+        timestamps,
       })
       .await
       .context("failed at call to periphery")
@@ -210,6 +231,7 @@ impl Resolve<GetDeploymentsSummary, User> for State {
     let deployments = resource::list_full_for_user::<Deployment>(
       Default::default(),
       &user,
+      &[],
     )
     .await
     .context("failed to get deployments from db")?;
@@ -223,14 +245,17 @@ impl Resolve<GetDeploymentsSummary, User> for State {
         DeploymentState::Running => {
           res.running += 1;
         }
-        DeploymentState::Unknown => {
-          res.unknown += 1;
+        DeploymentState::Exited | DeploymentState::Paused => {
+          res.stopped += 1;
         }
         DeploymentState::NotDeployed => {
           res.not_deployed += 1;
         }
+        DeploymentState::Unknown => {
+          res.unknown += 1;
+        }
         _ => {
-          res.stopped += 1;
+          res.unhealthy += 1;
         }
       }
     }
@@ -244,10 +269,16 @@ impl Resolve<ListCommonDeploymentExtraArgs, User> for State {
     ListCommonDeploymentExtraArgs { query }: ListCommonDeploymentExtraArgs,
     user: User,
   ) -> anyhow::Result<ListCommonDeploymentExtraArgsResponse> {
-    let deployments =
-      resource::list_full_for_user::<Deployment>(query, &user)
-        .await
-        .context("failed to get resources matching query")?;
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let deployments = resource::list_full_for_user::<Deployment>(
+      query, &user, &all_tags,
+    )
+    .await
+    .context("failed to get resources matching query")?;
 
     // first collect with guaranteed uniqueness
     let mut res = HashSet::<String>::new();

bin/core/src/api/read/mod.rs

@@ -29,6 +29,7 @@ use crate::{
   resource, state::State,
 };
 
+mod action;
 mod alert;
 mod alerter;
 mod build;
@@ -60,8 +61,6 @@ enum ReadRequest {
   GetVersion(GetVersion),
   #[to_string_resolver]
   GetCoreInfo(GetCoreInfo),
-  #[to_string_resolver]
-  ListAwsEcrLabels(ListAwsEcrLabels),
   ListSecrets(ListSecrets),
   ListGitProvidersFromConfig(ListGitProvidersFromConfig),
   ListDockerRegistriesFromConfig(ListDockerRegistriesFromConfig),
@@ -90,6 +89,13 @@ enum ReadRequest {
   ListProcedures(ListProcedures),
   ListFullProcedures(ListFullProcedures),
 
+  // ==== ACTION ====
+  GetActionsSummary(GetActionsSummary),
+  GetAction(GetAction),
+  GetActionActionState(GetActionActionState),
+  ListActions(ListActions),
+  ListFullActions(ListFullActions),
+
   // ==== SERVER TEMPLATE ====
   GetServerTemplate(GetServerTemplate),
   GetServerTemplatesSummary(GetServerTemplatesSummary),
@@ -113,6 +119,7 @@ enum ReadRequest {
   InspectDockerImage(InspectDockerImage),
   ListDockerImageHistory(ListDockerImageHistory),
   InspectDockerVolume(InspectDockerVolume),
+  ListAllDockerContainers(ListAllDockerContainers),
   #[to_string_resolver]
   ListDockerContainers(ListDockerContainers),
   #[to_string_resolver]
@@ -283,12 +290,15 @@ fn core_info() -> &'static String {
     let info = GetCoreInfoResponse {
       title: config.title.clone(),
       monitoring_interval: config.monitoring_interval,
-      webhook_base_url: config
-        .webhook_base_url
-        .clone()
-        .unwrap_or_else(|| config.host.clone()),
+      webhook_base_url: if config.webhook_base_url.is_empty() {
+        config.host.clone()
+      } else {
+        config.webhook_base_url.clone()
+      },
       transparent_mode: config.transparent_mode,
       ui_write_disabled: config.ui_write_disabled,
+      disable_confirm_dialog: config.disable_confirm_dialog,
+      disable_non_admin_create: config.disable_non_admin_create,
       github_webhook_owners: config
         .github_webhook_app
         .installations
@@ -312,31 +322,6 @@ impl ResolveToString<GetCoreInfo, User> for State {
   }
 }
 
-fn ecr_labels() -> &'static String {
-  static ECR_LABELS: OnceLock<String> = OnceLock::new();
-  ECR_LABELS.get_or_init(|| {
-    serde_json::to_string(
-      &core_config()
-        .aws_ecr_registries
-        .iter()
-        .map(|reg| reg.label.clone())
-        .collect::<Vec<_>>(),
-    )
-    .context("failed to serialize ecr registries")
-    .unwrap()
-  })
-}
-
-impl ResolveToString<ListAwsEcrLabels, User> for State {
-  async fn resolve_to_string(
-    &self,
-    ListAwsEcrLabels {}: ListAwsEcrLabels,
-    _: User,
-  ) -> anyhow::Result<String> {
-    Ok(ecr_labels().to_string())
-  }
-}
-
 impl Resolve<ListSecrets, User> for State {
   async fn resolve(
     &self,
@@ -354,6 +339,7 @@ impl Resolve<ListSecrets, User> for State {
         ResourceTarget::Server(id) => Some(id),
         ResourceTarget::Builder(id) => {
           match resource::get::<Builder>(&id).await?.config {
+            BuilderConfig::Url(_) => None,
             BuilderConfig::Server(config) => Some(config.server_id),
             BuilderConfig::Aws(config) => {
               secrets.extend(config.secrets);
@@ -402,6 +388,7 @@ impl Resolve<ListGitProvidersFromConfig, User> for State {
         }
         ResourceTarget::Builder(id) => {
           match resource::get::<Builder>(&id).await?.config {
+            BuilderConfig::Url(_) => {}
             BuilderConfig::Server(config) => {
               merge_git_providers_for_server(
                 &mut providers,
@@ -426,12 +413,18 @@ impl Resolve<ListGitProvidersFromConfig, User> for State {
     let (builds, repos, syncs) = tokio::try_join!(
       resource::list_full_for_user::<Build>(
         Default::default(),
-        &user
+        &user,
+        &[]
+      ),
+      resource::list_full_for_user::<Repo>(
+        Default::default(),
+        &user,
+        &[]
       ),
-      resource::list_full_for_user::<Repo>(Default::default(), &user),
       resource::list_full_for_user::<ResourceSync>(
         Default::default(),
-        &user
+        &user,
+        &[]
       ),
     )?;
 
@@ -494,6 +487,7 @@ impl Resolve<ListDockerRegistriesFromConfig, User> for State {
         }
         ResourceTarget::Builder(id) => {
           match resource::get::<Builder>(&id).await?.config {
+            BuilderConfig::Url(_) => {}
             BuilderConfig::Server(config) => {
               merge_docker_registries_for_server(
                 &mut registries,

bin/core/src/api/read/permission.rs

@@ -22,7 +22,7 @@ impl Resolve<ListPermissions, User> for State {
     user: User,
   ) -> anyhow::Result<ListPermissionsResponse> {
     find_collect(
-      &db_client().await.permissions,
+      &db_client().permissions,
       doc! {
         "user_target.type": "User",
         "user_target.id": &user.id
@@ -58,7 +58,7 @@ impl Resolve<ListUserTargetPermissions, User> for State {
     }
     let (variant, id) = user_target.extract_variant_id();
     find_collect(
-      &db_client().await.permissions,
+      &db_client().permissions,
       doc! {
         "user_target.type": variant.as_ref(),
         "user_target.id": id

bin/core/src/api/read/procedure.rs

@@ -10,6 +10,7 @@ use komodo_client::{
 use resolver_api::Resolve;
 
 use crate::{
+  helpers::query::get_all_tags,
   resource,
   state::{action_states, procedure_state_cache, State},
 };
@@ -35,7 +36,13 @@ impl Resolve<ListProcedures, User> for State {
     ListProcedures { query }: ListProcedures,
     user: User,
   ) -> anyhow::Result<ListProceduresResponse> {
-    resource::list_for_user::<Procedure>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_for_user::<Procedure>(query, &user, &all_tags)
+      .await
   }
 }
 
@@ -45,7 +52,13 @@ impl Resolve<ListFullProcedures, User> for State {
     ListFullProcedures { query }: ListFullProcedures,
     user: User,
   ) -> anyhow::Result<ListFullProceduresResponse> {
-    resource::list_full_for_user::<Procedure>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_full_for_user::<Procedure>(query, &user, &all_tags)
+      .await
   }
 }
 
@@ -58,6 +71,7 @@ impl Resolve<GetProceduresSummary, User> for State {
     let procedures = resource::list_full_for_user::<Procedure>(
       Default::default(),
       &user,
+      &[],
     )
     .await
     .context("failed to get procedures from db")?;

bin/core/src/api/read/provider.rs

@@ -1,5 +1,4 @@
 use anyhow::{anyhow, Context};
-use mongo_indexed::{doc, Document};
 use komodo_client::{
   api::read::{
     GetDockerRegistryAccount, GetDockerRegistryAccountResponse,
@@ -9,6 +8,7 @@ use komodo_client::{
   },
   entities::user::User,
 };
+use mongo_indexed::{doc, Document};
 use mungos::{
   by_id::find_one_by_id, find::find_collect,
   mongodb::options::FindOptions,
@@ -28,7 +28,7 @@ impl Resolve<GetGitProviderAccount, User> for State {
         "Only admins can read git provider accounts"
       ));
     }
-    find_one_by_id(&db_client().await.git_accounts, &id)
+    find_one_by_id(&db_client().git_accounts, &id)
       .await
       .context("failed to query db for git provider accounts")?
       .context("did not find git provider account with the given id")
@@ -54,7 +54,7 @@ impl Resolve<ListGitProviderAccounts, User> for State {
       filter.insert("username", username);
     }
     find_collect(
-      &db_client().await.git_accounts,
+      &db_client().git_accounts,
       filter,
       FindOptions::builder()
         .sort(doc! { "domain": 1, "username": 1 })
@@ -76,7 +76,7 @@ impl Resolve<GetDockerRegistryAccount, User> for State {
         "Only admins can read docker registry accounts"
       ));
     }
-    find_one_by_id(&db_client().await.registry_accounts, &id)
+    find_one_by_id(&db_client().registry_accounts, &id)
       .await
       .context("failed to query db for docker registry accounts")?
       .context(
@@ -104,7 +104,7 @@ impl Resolve<ListDockerRegistryAccounts, User> for State {
       filter.insert("username", username);
     }
     find_collect(
-      &db_client().await.registry_accounts,
+      &db_client().registry_accounts,
       filter,
       FindOptions::builder()
         .sort(doc! { "domain": 1, "username": 1 })

bin/core/src/api/read/repo.rs

@@ -12,6 +12,7 @@ use resolver_api::Resolve;
 
 use crate::{
   config::core_config,
+  helpers::query::get_all_tags,
   resource,
   state::{action_states, github_client, repo_state_cache, State},
 };
@@ -37,7 +38,12 @@ impl Resolve<ListRepos, User> for State {
     ListRepos { query }: ListRepos,
     user: User,
   ) -> anyhow::Result<Vec<RepoListItem>> {
-    resource::list_for_user::<Repo>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_for_user::<Repo>(query, &user, &all_tags).await
   }
 }
 
@@ -47,7 +53,13 @@ impl Resolve<ListFullRepos, User> for State {
     ListFullRepos { query }: ListFullRepos,
     user: User,
   ) -> anyhow::Result<ListFullReposResponse> {
-    resource::list_full_for_user::<Repo>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_full_for_user::<Repo>(query, &user, &all_tags)
+      .await
   }
 }
 
@@ -79,10 +91,13 @@ impl Resolve<GetReposSummary, User> for State {
     GetReposSummary {}: GetReposSummary,
     user: User,
   ) -> anyhow::Result<GetReposSummaryResponse> {
-    let repos =
-      resource::list_full_for_user::<Repo>(Default::default(), &user)
-        .await
-        .context("failed to get repos from db")?;
+    let repos = resource::list_full_for_user::<Repo>(
+      Default::default(),
+      &user,
+      &[],
+    )
+    .await
+    .context("failed to get repos from db")?;
 
     let mut res = GetReposSummaryResponse::default();
 
@@ -188,7 +203,11 @@ impl Resolve<GetRepoWebhooksEnabled, User> for State {
       ..
     } = core_config();
 
-    let host = webhook_base_url.as_ref().unwrap_or(host);
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
     let clone_url =
       format!("{host}/listener/github/repo/{}/clone", repo.id);
     let pull_url =

bin/core/src/api/read/server.rs

@@ -13,7 +13,7 @@ use komodo_client::{
   entities::{
     deployment::Deployment,
     docker::{
-      container::Container,
+      container::{Container, ContainerListItem},
       image::{Image, ImageHistoryResponseItem},
       network::Network,
       volume::Volume,
@@ -43,8 +43,9 @@ use resolver_api::{Resolve, ResolveToString};
 use tokio::sync::Mutex;
 
 use crate::{
-  helpers::{periphery_client, stack::compose_container_match_regex},
+  helpers::{periphery_client, query::get_all_tags},
   resource,
+  stack::compose_container_match_regex,
   state::{action_states, db_client, server_status_cache, State},
 };
 
@@ -54,9 +55,12 @@ impl Resolve<GetServersSummary, User> for State {
     GetServersSummary {}: GetServersSummary,
     user: User,
   ) -> anyhow::Result<GetServersSummaryResponse> {
-    let servers =
-      resource::list_for_user::<Server>(Default::default(), &user)
-        .await?;
+    let servers = resource::list_for_user::<Server>(
+      Default::default(),
+      &user,
+      &[],
+    )
+    .await?;
     let mut res = GetServersSummaryResponse::default();
     for server in servers {
       res.total += 1;
@@ -118,7 +122,12 @@ impl Resolve<ListServers, User> for State {
     ListServers { query }: ListServers,
     user: User,
   ) -> anyhow::Result<Vec<ServerListItem>> {
-    resource::list_for_user::<Server>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_for_user::<Server>(query, &user, &all_tags).await
   }
 }
 
@@ -128,7 +137,13 @@ impl Resolve<ListFullServers, User> for State {
     ListFullServers { query }: ListFullServers,
     user: User,
   ) -> anyhow::Result<ListFullServersResponse> {
-    resource::list_full_for_user::<Server>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_full_for_user::<Server>(query, &user, &all_tags)
+      .await
   }
 }
 
@@ -288,7 +303,7 @@ impl ResolveToString<ListSystemProcesses, User> for State {
   }
 }
 
-const STATS_PER_PAGE: i64 = 500;
+const STATS_PER_PAGE: i64 = 200;
 
 impl Resolve<GetHistoricalServerStats, User> for State {
   async fn resolve(
@@ -320,7 +335,7 @@ impl Resolve<GetHistoricalServerStats, User> for State {
     }
 
     let stats = find_collect(
-      &db_client().await.stats,
+      &db_client().stats,
       doc! {
         "sid": server.id,
         "ts": { "$in": ts_vec },
@@ -367,6 +382,40 @@ impl ResolveToString<ListDockerContainers, User> for State {
   }
 }
 
+impl Resolve<ListAllDockerContainers, User> for State {
+  async fn resolve(
+    &self,
+    ListAllDockerContainers { servers }: ListAllDockerContainers,
+    user: User,
+  ) -> anyhow::Result<Vec<ContainerListItem>> {
+    let servers = resource::list_for_user::<Server>(
+      Default::default(),
+      &user,
+      &[],
+    )
+    .await?
+    .into_iter()
+    .filter(|server| {
+      servers.is_empty()
+        || servers.contains(&server.id)
+        || servers.contains(&server.name)
+    });
+
+    let mut containers = Vec::<ContainerListItem>::new();
+
+    for server in servers {
+      let cache = server_status_cache()
+        .get_or_insert_default(&server.id)
+        .await;
+      if let Some(more_containers) = &cache.containers {
+        containers.extend(more_containers.clone());
+      }
+    }
+
+    Ok(containers)
+  }
+}
+
 impl Resolve<InspectDockerContainer, User> for State {
   async fn resolve(
     &self,
@@ -403,6 +452,7 @@ impl Resolve<GetContainerLog, User> for State {
       server,
       container,
       tail,
+      timestamps,
     }: GetContainerLog,
     user: User,
   ) -> anyhow::Result<Log> {
@@ -416,6 +466,7 @@ impl Resolve<GetContainerLog, User> for State {
       .request(periphery::container::GetContainerLog {
         name: container,
         tail: cmp::min(tail, MAX_LOG_LENGTH),
+        timestamps,
       })
       .await
       .context("failed at call to periphery")
@@ -431,6 +482,7 @@ impl Resolve<SearchContainerLog, User> for State {
       terms,
       combinator,
       invert,
+      timestamps,
     }: SearchContainerLog,
     user: User,
   ) -> anyhow::Result<Log> {
@@ -446,6 +498,7 @@ impl Resolve<SearchContainerLog, User> for State {
         terms,
         combinator,
         invert,
+        timestamps,
       })
       .await
       .context("failed at call to periphery")
@@ -486,20 +539,21 @@ impl Resolve<GetResourceMatchingContainer, User> for State {
       for StackServiceNames {
         service_name,
         container_name,
+        ..
       } in stack
         .info
         .deployed_services
         .unwrap_or(stack.info.latest_services)
       {
         let is_match = match compose_container_match_regex(&container_name)
-					.with_context(|| format!("failed to construct container name matching regex for service {service_name}")) 
-				{
-					Ok(regex) => regex,
-					Err(e) => {
-						warn!("{e:#}");
-						continue;
-					}
-				}.is_match(&container);
+          .with_context(|| format!("failed to construct container name matching regex for service {service_name}")) 
+        {
+          Ok(regex) => regex,
+          Err(e) => {
+            warn!("{e:#}");
+            continue;
+          }
+        }.is_match(&container);
 
         if is_match {
           return Ok(GetResourceMatchingContainerResponse {

bin/core/src/api/read/server_template.rs

@@ -1,5 +1,4 @@
 use anyhow::Context;
-use mongo_indexed::Document;
 use komodo_client::{
   api::read::*,
   entities::{
@@ -7,10 +6,12 @@ use komodo_client::{
     user::User,
   },
 };
+use mongo_indexed::Document;
 use mungos::mongodb::bson::doc;
 use resolver_api::Resolve;
 
 use crate::{
+  helpers::query::get_all_tags,
   resource,
   state::{db_client, State},
 };
@@ -36,7 +37,13 @@ impl Resolve<ListServerTemplates, User> for State {
     ListServerTemplates { query }: ListServerTemplates,
     user: User,
   ) -> anyhow::Result<ListServerTemplatesResponse> {
-    resource::list_for_user::<ServerTemplate>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_for_user::<ServerTemplate>(query, &user, &all_tags)
+      .await
   }
 }
 
@@ -46,7 +53,15 @@ impl Resolve<ListFullServerTemplates, User> for State {
     ListFullServerTemplates { query }: ListFullServerTemplates,
     user: User,
   ) -> anyhow::Result<ListFullServerTemplatesResponse> {
-    resource::list_full_for_user::<ServerTemplate>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_full_for_user::<ServerTemplate>(
+      query, &user, &all_tags,
+    )
+    .await
   }
 }
 
@@ -56,7 +71,7 @@ impl Resolve<GetServerTemplatesSummary, User> for State {
     GetServerTemplatesSummary {}: GetServerTemplatesSummary,
     user: User,
   ) -> anyhow::Result<GetServerTemplatesSummaryResponse> {
-    let query = match resource::get_resource_ids_for_user::<
+    let query = match resource::get_resource_object_ids_for_user::<
       ServerTemplate,
     >(&user)
     .await?
@@ -67,7 +82,6 @@ impl Resolve<GetServerTemplatesSummary, User> for State {
       None => Document::new(),
     };
     let total = db_client()
-      .await
       .server_templates
       .count_documents(query)
       .await

bin/core/src/api/read/stack.rs

@@ -17,8 +17,9 @@ use resolver_api::Resolve;
 
 use crate::{
   config::core_config,
-  helpers::{periphery_client, stack::get_stack_and_server},
+  helpers::{periphery_client, query::get_all_tags},
   resource,
+  stack::get_stack_and_server,
   state::{action_states, github_client, stack_status_cache, State},
 };
 
@@ -69,6 +70,7 @@ impl Resolve<GetStackServiceLog, User> for State {
       stack,
       service,
       tail,
+      timestamps,
     }: GetStackServiceLog,
     user: User,
   ) -> anyhow::Result<GetStackServiceLogResponse> {
@@ -84,6 +86,7 @@ impl Resolve<GetStackServiceLog, User> for State {
         project: stack.project_name(false),
         service,
         tail,
+        timestamps,
       })
       .await
       .context("failed to get stack service log from periphery")
@@ -99,6 +102,7 @@ impl Resolve<SearchStackServiceLog, User> for State {
       terms,
       combinator,
       invert,
+      timestamps,
     }: SearchStackServiceLog,
     user: User,
   ) -> anyhow::Result<SearchStackServiceLogResponse> {
@@ -116,6 +120,7 @@ impl Resolve<SearchStackServiceLog, User> for State {
         terms,
         combinator,
         invert,
+        timestamps,
       })
       .await
       .context("failed to get stack service log from periphery")
@@ -128,9 +133,15 @@ impl Resolve<ListCommonStackExtraArgs, User> for State {
     ListCommonStackExtraArgs { query }: ListCommonStackExtraArgs,
     user: User,
   ) -> anyhow::Result<ListCommonStackExtraArgsResponse> {
-    let stacks = resource::list_full_for_user::<Stack>(query, &user)
-      .await
-      .context("failed to get resources matching query")?;
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let stacks =
+      resource::list_full_for_user::<Stack>(query, &user, &all_tags)
+        .await
+        .context("failed to get resources matching query")?;
 
     // first collect with guaranteed uniqueness
     let mut res = HashSet::<String>::new();
@@ -153,9 +164,15 @@ impl Resolve<ListCommonStackBuildExtraArgs, User> for State {
     ListCommonStackBuildExtraArgs { query }: ListCommonStackBuildExtraArgs,
     user: User,
   ) -> anyhow::Result<ListCommonStackBuildExtraArgsResponse> {
-    let stacks = resource::list_full_for_user::<Stack>(query, &user)
-      .await
-      .context("failed to get resources matching query")?;
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let stacks =
+      resource::list_full_for_user::<Stack>(query, &user, &all_tags)
+        .await
+        .context("failed to get resources matching query")?;
 
     // first collect with guaranteed uniqueness
     let mut res = HashSet::<String>::new();
@@ -178,7 +195,12 @@ impl Resolve<ListStacks, User> for State {
     ListStacks { query }: ListStacks,
     user: User,
   ) -> anyhow::Result<Vec<StackListItem>> {
-    resource::list_for_user::<Stack>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_for_user::<Stack>(query, &user, &all_tags).await
   }
 }
 
@@ -188,7 +210,13 @@ impl Resolve<ListFullStacks, User> for State {
     ListFullStacks { query }: ListFullStacks,
     user: User,
   ) -> anyhow::Result<ListFullStacksResponse> {
-    resource::list_full_for_user::<Stack>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_full_for_user::<Stack>(query, &user, &all_tags)
+      .await
   }
 }
 
@@ -223,6 +251,7 @@ impl Resolve<GetStacksSummary, User> for State {
     let stacks = resource::list_full_for_user::<Stack>(
       Default::default(),
       &user,
+      &[],
     )
     .await
     .context("failed to get stacks from db")?;
@@ -236,15 +265,10 @@ impl Resolve<GetStacksSummary, User> for State {
       match cache.get(&stack.id).await.unwrap_or_default().curr.state
       {
         StackState::Running => res.running += 1,
-        StackState::Paused => res.paused += 1,
-        StackState::Stopped => res.stopped += 1,
-        StackState::Restarting => res.restarting += 1,
-        StackState::Created => res.created += 1,
-        StackState::Removing => res.removing += 1,
-        StackState::Dead => res.dead += 1,
-        StackState::Unhealthy => res.unhealthy += 1,
+        StackState::Stopped | StackState::Paused => res.stopped += 1,
         StackState::Down => res.down += 1,
         StackState::Unknown => res.unknown += 1,
+        _ => res.unhealthy += 1,
       }
     }
 
@@ -311,7 +335,11 @@ impl Resolve<GetStackWebhooksEnabled, User> for State {
       ..
     } = core_config();
 
-    let host = webhook_base_url.as_ref().unwrap_or(host);
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
     let refresh_url =
       format!("{host}/listener/github/stack/{}/refresh", stack.id);
     let deploy_url =

bin/core/src/api/read/sync.rs

@@ -5,8 +5,8 @@ use komodo_client::{
     config::core::CoreConfig,
     permission::PermissionLevel,
     sync::{
-      PendingSyncUpdatesData, ResourceSync, ResourceSyncActionState,
-      ResourceSyncListItem, ResourceSyncState,
+      ResourceSync, ResourceSyncActionState, ResourceSyncListItem,
+      ResourceSyncState,
     },
     user::User,
   },
@@ -15,6 +15,7 @@ use resolver_api::Resolve;
 
 use crate::{
   config::core_config,
+  helpers::query::get_all_tags,
   resource,
   state::{
     action_states, github_client, resource_sync_state_cache, State,
@@ -42,7 +43,13 @@ impl Resolve<ListResourceSyncs, User> for State {
     ListResourceSyncs { query }: ListResourceSyncs,
     user: User,
   ) -> anyhow::Result<Vec<ResourceSyncListItem>> {
-    resource::list_for_user::<ResourceSync>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_for_user::<ResourceSync>(query, &user, &all_tags)
+      .await
   }
 }
 
@@ -52,7 +59,15 @@ impl Resolve<ListFullResourceSyncs, User> for State {
     ListFullResourceSyncs { query }: ListFullResourceSyncs,
     user: User,
   ) -> anyhow::Result<ListFullResourceSyncsResponse> {
-    resource::list_full_for_user::<ResourceSync>(query, &user).await
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_full_for_user::<ResourceSync>(
+      query, &user, &all_tags,
+    )
+    .await
   }
 }
 
@@ -88,6 +103,7 @@ impl Resolve<GetResourceSyncsSummary, User> for State {
       resource::list_full_for_user::<ResourceSync>(
         Default::default(),
         &user,
+        &[],
       )
       .await
       .context("failed to get resource_syncs from db")?;
@@ -100,17 +116,18 @@ impl Resolve<GetResourceSyncsSummary, User> for State {
     for resource_sync in resource_syncs {
       res.total += 1;
 
-      match resource_sync.info.pending.data {
-        PendingSyncUpdatesData::Ok(data) => {
-          if !data.no_updates() {
-            res.pending += 1;
-            continue;
-          }
-        }
-        PendingSyncUpdatesData::Err(_) => {
-          res.failed += 1;
-          continue;
-        }
+      if !(resource_sync.info.pending_deploy.to_deploy == 0
+        && resource_sync.info.resource_updates.is_empty()
+        && resource_sync.info.variable_updates.is_empty()
+        && resource_sync.info.user_group_updates.is_empty())
+      {
+        res.pending += 1;
+        continue;
+      } else if resource_sync.info.pending_error.is_some()
+        || !resource_sync.info.remote_errors.is_empty()
+      {
+        res.failed += 1;
+        continue;
       }
 
       match (
@@ -201,7 +218,11 @@ impl Resolve<GetSyncWebhooksEnabled, User> for State {
       ..
     } = core_config();
 
-    let host = webhook_base_url.as_ref().unwrap_or(host);
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
     let refresh_url =
       format!("{host}/listener/github/sync/{}/refresh", sync.id);
     let sync_url =

bin/core/src/api/read/tag.rs

@@ -1,9 +1,9 @@
 use anyhow::Context;
-use mongo_indexed::doc;
 use komodo_client::{
   api::read::{GetTag, ListTags},
   entities::{tag::Tag, user::User},
 };
+use mongo_indexed::doc;
 use mungos::{find::find_collect, mongodb::options::FindOptions};
 use resolver_api::Resolve;
 
@@ -29,7 +29,7 @@ impl Resolve<ListTags, User> for State {
     _: User,
   ) -> anyhow::Result<Vec<Tag>> {
     find_collect(
-      &db_client().await.tags,
+      &db_client().tags,
       query,
       FindOptions::builder().sort(doc! { "name": 1 }).build(),
     )

bin/core/src/api/read/update.rs

@@ -4,6 +4,7 @@ use anyhow::{anyhow, Context};
 use komodo_client::{
   api::read::{GetUpdate, ListUpdates, ListUpdatesResponse},
   entities::{
+    action::Action,
     alerter::Alerter,
     build::Build,
     builder::Builder,
@@ -104,6 +105,16 @@ impl Resolve<ListUpdates, User> for State {
           })
           .unwrap_or_else(|| doc! { "target.type": "Procedure" });
 
+      let action_query =
+        resource::get_resource_ids_for_user::<Action>(&user)
+          .await?
+          .map(|ids| {
+            doc! {
+              "target.type": "Action", "target.id": { "$in": ids }
+            }
+          })
+          .unwrap_or_else(|| doc! { "target.type": "Action" });
+
       let builder_query =
         resource::get_resource_ids_for_user::<Builder>(&user)
           .await?
@@ -124,27 +135,27 @@ impl Resolve<ListUpdates, User> for State {
           })
           .unwrap_or_else(|| doc! { "target.type": "Alerter" });
 
-      let server_template_query = resource::get_resource_ids_for_user::<ServerTemplate>(
-        &user,
-      )
-      .await?
-      .map(|ids| {
-        doc! {
-          "target.type": "ServerTemplate", "target.id": { "$in": ids }
-        }
-      })
-      .unwrap_or_else(|| doc! { "target.type": "ServerTemplate" });
+      let server_template_query =
+        resource::get_resource_ids_for_user::<ServerTemplate>(&user)
+          .await?
+          .map(|ids| {
+            doc! {
+              "target.type": "ServerTemplate", "target.id": { "$in": ids }
+            }
+          })
+          .unwrap_or_else(|| doc! { "target.type": "ServerTemplate" });
 
-      let resource_sync_query = resource::get_resource_ids_for_user::<ResourceSync>(
-        &user,
-      )
-      .await?
-      .map(|ids| {
-        doc! {
-          "target.type": "ResourceSync", "target.id": { "$in": ids }
-        }
-      })
-      .unwrap_or_else(|| doc! { "target.type": "ResourceSync" });
+      let resource_sync_query =
+        resource::get_resource_ids_for_user::<ResourceSync>(
+          &user,
+        )
+        .await?
+        .map(|ids| {
+          doc! {
+            "target.type": "ResourceSync", "target.id": { "$in": ids }
+          }
+        })
+        .unwrap_or_else(|| doc! { "target.type": "ResourceSync" });
 
       let mut query = query.unwrap_or_default();
       query.extend(doc! {
@@ -155,6 +166,7 @@ impl Resolve<ListUpdates, User> for State {
           build_query,
           repo_query,
           procedure_query,
+          action_query,
           alerter_query,
           builder_query,
           server_template_query,
@@ -164,16 +176,15 @@ impl Resolve<ListUpdates, User> for State {
       query.into()
     };
 
-    let usernames =
-      find_collect(&db_client().await.users, None, None)
-        .await
-        .context("failed to pull users from db")?
-        .into_iter()
-        .map(|u| (u.id, u.username))
-        .collect::<HashMap<_, _>>();
+    let usernames = find_collect(&db_client().users, None, None)
+      .await
+      .context("failed to pull users from db")?
+      .into_iter()
+      .map(|u| (u.id, u.username))
+      .collect::<HashMap<_, _>>();
 
     let updates = find_collect(
-      &db_client().await.updates,
+      &db_client().updates,
       query,
       FindOptions::builder()
         .sort(doc! { "start_ts": -1 })
@@ -224,7 +235,7 @@ impl Resolve<GetUpdate, User> for State {
     GetUpdate { id }: GetUpdate,
     user: User,
   ) -> anyhow::Result<Update> {
-    let update = find_one_by_id(&db_client().await.updates, &id)
+    let update = find_one_by_id(&db_client().updates, &id)
       .await
       .context("failed to query to db")?
       .context("no update exists with given id")?;
@@ -293,6 +304,14 @@ impl Resolve<GetUpdate, User> for State {
         )
         .await?;
       }
+      ResourceTarget::Action(id) => {
+        resource::get_check_permissions::<Action>(
+          id,
+          &user,
+          PermissionLevel::Read,
+        )
+        .await?;
+      }
       ResourceTarget::ServerTemplate(id) => {
         resource::get_check_permissions::<ServerTemplate>(
           id,

bin/core/src/api/read/user.rs

@@ -6,7 +6,7 @@ use komodo_client::{
     ListApiKeysForServiceUserResponse, ListApiKeysResponse,
     ListUsers, ListUsersResponse,
   },
-  entities::user::{User, UserConfig},
+  entities::user::{admin_service_user, User, UserConfig},
 };
 use mungos::{
   by_id::find_one_by_id,
@@ -26,7 +26,14 @@ impl Resolve<GetUsername, User> for State {
     GetUsername { user_id }: GetUsername,
     _: User,
   ) -> anyhow::Result<GetUsernameResponse> {
-    let user = find_one_by_id(&db_client().await.users, &user_id)
+    if let Some(user) = admin_service_user(&user_id) {
+      return Ok(GetUsernameResponse {
+        username: user.username,
+        avatar: None,
+      });
+    }
+
+    let user = find_one_by_id(&db_client().users, &user_id)
       .await
       .context("failed at mongo query for user")?
       .context("no user found with id")?;
@@ -67,7 +74,7 @@ impl Resolve<ListUsers, User> for State {
       return Err(anyhow!("this route is only accessable by admins"));
     }
     let mut users = find_collect(
-      &db_client().await.users,
+      &db_client().users,
       None,
       FindOptions::builder().sort(doc! { "username": 1 }).build(),
     )
@@ -85,7 +92,7 @@ impl Resolve<ListApiKeys, User> for State {
     user: User,
   ) -> anyhow::Result<ListApiKeysResponse> {
     let api_keys = find_collect(
-      &db_client().await.api_keys,
+      &db_client().api_keys,
       doc! { "user_id": &user.id },
       FindOptions::builder().sort(doc! { "name": 1 }).build(),
     )
@@ -117,7 +124,7 @@ impl Resolve<ListApiKeysForServiceUser, User> for State {
       return Err(anyhow!("Given user is not service user"));
     };
     let api_keys = find_collect(
-      &db_client().await.api_keys,
+      &db_client().api_keys,
       doc! { "user_id": &user.id },
       None,
     )

bin/core/src/api/read/user_group.rs

@@ -35,7 +35,6 @@ impl Resolve<GetUserGroup, User> for State {
       filter.insert("users", &user.id);
     }
     db_client()
-      .await
       .user_groups
       .find_one(filter)
       .await
@@ -55,7 +54,7 @@ impl Resolve<ListUserGroups, User> for State {
       filter.insert("users", &user.id);
     }
     find_collect(
-      &db_client().await.user_groups,
+      &db_client().user_groups,
       filter,
       FindOptions::builder().sort(doc! { "name": 1 }).build(),
     )

bin/core/src/api/read/variable.rs

@@ -1,5 +1,4 @@
 use anyhow::Context;
-use mongo_indexed::doc;
 use komodo_client::{
   api::read::{
     GetVariable, GetVariableResponse, ListVariables,
@@ -7,6 +6,7 @@ use komodo_client::{
   },
   entities::user::User,
 };
+use mongo_indexed::doc;
 use mungos::{find::find_collect, mongodb::options::FindOptions};
 use resolver_api::Resolve;
 
@@ -37,7 +37,7 @@ impl Resolve<ListVariables, User> for State {
     user: User,
   ) -> anyhow::Result<ListVariablesResponse> {
     let variables = find_collect(
-      &db_client().await.variables,
+      &db_client().variables,
       None,
       FindOptions::builder().sort(doc! { "name": 1 }).build(),
     )

bin/core/src/api/user.rs

@@ -103,7 +103,7 @@ impl Resolve<PushRecentlyViewed, User> for State {
       }
     };
     update_one_by_id(
-      &db_client().await.users,
+      &db_client().users,
       &user.id,
       mungos::update::Update::Set(update),
       None,
@@ -129,7 +129,7 @@ impl Resolve<SetLastSeenUpdate, User> for State {
     user: User,
   ) -> anyhow::Result<SetLastSeenUpdateResponse> {
     update_one_by_id(
-      &db_client().await.users,
+      &db_client().users,
       &user.id,
       mungos::update::Update::Set(doc! {
         "last_update_view": komodo_timestamp()
@@ -172,7 +172,6 @@ impl Resolve<CreateApiKey, User> for State {
       expires,
     };
     db_client()
-      .await
       .api_keys
       .insert_one(api_key)
       .await
@@ -192,7 +191,7 @@ impl Resolve<DeleteApiKey, User> for State {
     DeleteApiKey { key }: DeleteApiKey,
     user: User,
   ) -> anyhow::Result<DeleteApiKeyResponse> {
-    let client = db_client().await;
+    let client = db_client();
     let key = client
       .api_keys
       .find_one(doc! { "key": &key })

bin/core/src/api/write/action.rs

@@ -0,0 +1,71 @@
+use komodo_client::{
+  api::write::*,
+  entities::{
+    action::Action, permission::PermissionLevel, update::Update,
+    user::User,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{resource, state::State};
+
+impl Resolve<CreateAction, User> for State {
+  #[instrument(name = "CreateAction", skip(self, user))]
+  async fn resolve(
+    &self,
+    CreateAction { name, config }: CreateAction,
+    user: User,
+  ) -> anyhow::Result<Action> {
+    resource::create::<Action>(&name, config, &user).await
+  }
+}
+
+impl Resolve<CopyAction, User> for State {
+  #[instrument(name = "CopyAction", skip(self, user))]
+  async fn resolve(
+    &self,
+    CopyAction { name, id }: CopyAction,
+    user: User,
+  ) -> anyhow::Result<Action> {
+    let Action { config, .. } = resource::get_check_permissions::<
+      Action,
+    >(
+      &id, &user, PermissionLevel::Write
+    )
+    .await?;
+    resource::create::<Action>(&name, config.into(), &user).await
+  }
+}
+
+impl Resolve<UpdateAction, User> for State {
+  #[instrument(name = "UpdateAction", skip(self, user))]
+  async fn resolve(
+    &self,
+    UpdateAction { id, config }: UpdateAction,
+    user: User,
+  ) -> anyhow::Result<Action> {
+    resource::update::<Action>(&id, config, &user).await
+  }
+}
+
+impl Resolve<RenameAction, User> for State {
+  #[instrument(name = "RenameAction", skip(self, user))]
+  async fn resolve(
+    &self,
+    RenameAction { id, name }: RenameAction,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    resource::rename::<Action>(&id, &name, &user).await
+  }
+}
+
+impl Resolve<DeleteAction, User> for State {
+  #[instrument(name = "DeleteAction", skip(self, user))]
+  async fn resolve(
+    &self,
+    DeleteAction { id }: DeleteAction,
+    user: User,
+  ) -> anyhow::Result<Action> {
+    resource::delete::<Action>(&id, &user).await
+  }
+}

bin/core/src/api/write/alerter.rs

@@ -1,9 +1,8 @@
 use komodo_client::{
-  api::write::{
-    CopyAlerter, CreateAlerter, DeleteAlerter, UpdateAlerter,
-  },
+  api::write::*,
   entities::{
-    alerter::Alerter, permission::PermissionLevel, user::User,
+    alerter::Alerter, permission::PermissionLevel, update::Update,
+    user::User,
   },
 };
 use resolver_api::Resolve;
@@ -59,3 +58,14 @@ impl Resolve<UpdateAlerter, User> for State {
     resource::update::<Alerter>(&id, config, &user).await
   }
 }
+
+impl Resolve<RenameAlerter, User> for State {
+  #[instrument(name = "RenameAlerter", skip(self, user))]
+  async fn resolve(
+    &self,
+    RenameAlerter { id, name }: RenameAlerter,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    resource::rename::<Alerter>(&id, &name, &user).await
+  }
+}

bin/core/src/api/write/build.rs

@@ -1,15 +1,17 @@
 use anyhow::{anyhow, Context};
-use mongo_indexed::doc;
+use git::GitRes;
 use komodo_client::{
   api::write::*,
   entities::{
     build::{Build, BuildInfo, PartialBuildConfig},
     config::core::CoreConfig,
     permission::PermissionLevel,
+    update::Update,
     user::User,
     CloneArgs, NoData,
   },
 };
+use mongo_indexed::doc;
 use mungos::mongodb::bson::to_document;
 use octorust::types::{
   ReposCreateWebhookRequest, ReposCreateWebhookRequestConfig,
@@ -18,7 +20,7 @@ use resolver_api::Resolve;
 
 use crate::{
   config::core_config,
-  helpers::{git_token, random_string},
+  helpers::git_token,
   resource,
   state::{db_client, github_client, State},
 };
@@ -76,6 +78,17 @@ impl Resolve<UpdateBuild, User> for State {
   }
 }
 
+impl Resolve<RenameBuild, User> for State {
+  #[instrument(name = "RenameBuild", skip(self, user))]
+  async fn resolve(
+    &self,
+    RenameBuild { id, name }: RenameBuild,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    resource::rename::<Build>(&id, &name, &user).await
+  }
+}
+
 impl Resolve<RefreshBuildCache, User> for State {
   #[instrument(
     name = "RefreshBuildCache",
@@ -96,40 +109,40 @@ impl Resolve<RefreshBuildCache, User> for State {
     )
     .await?;
 
-    if build.config.repo.is_empty() {
+    if build.config.repo.is_empty()
+      || build.config.git_provider.is_empty()
+    {
       // Nothing to do here
-      return Ok(NoData {})
+      return Ok(NoData {});
     }
 
     let config = core_config();
 
-    let repo_dir = config.repo_directory.join(random_string(10));
     let mut clone_args: CloneArgs = (&build).into();
+    let repo_path =
+      clone_args.unique_path(&core_config().repo_directory)?;
+    clone_args.destination = Some(repo_path.display().to_string());
     // Don't want to run these on core.
     clone_args.on_clone = None;
     clone_args.on_pull = None;
-    clone_args.destination = Some(repo_dir.display().to_string());
 
-    let access_token = match (&clone_args.account, &clone_args.provider)
-    {
-      (None, _) => None,
-      (Some(_), None) => {
-        return Err(anyhow!(
-          "Account is configured, but provider is empty"
-        ))
-      }
-      (Some(username), Some(provider)) => {
-        git_token(provider, username, |https| {
+    let access_token = if let Some(username) = &clone_args.account {
+      git_token(&clone_args.provider, username, |https| {
           clone_args.https = https
         })
         .await
         .with_context(
-          || format!("Failed to get git token in call to db. Stopping run. | {provider} | {username}"),
+          || format!("Failed to get git token in call to db. Stopping run. | {} | {username}", clone_args.provider),
         )?
-      }
+    } else {
+      None
     };
 
-    let (_, latest_hash, latest_message, _) = git::clone(
+    let GitRes {
+      hash: latest_hash,
+      message: latest_message,
+      ..
+    } = git::pull_or_clone(
       clone_args,
       &config.repo_directory,
       access_token,
@@ -153,7 +166,6 @@ impl Resolve<RefreshBuildCache, User> for State {
       .context("failed to serialize build info to bson")?;
 
     db_client()
-      .await
       .builds
       .update_one(
         doc! { "name": &build.name },
@@ -162,12 +174,6 @@ impl Resolve<RefreshBuildCache, User> for State {
       .await
       .context("failed to update build info on db")?;
 
-    if repo_dir.exists() {
-      if let Err(e) = std::fs::remove_dir_all(&repo_dir) {
-        warn!("failed to remove build cache update repo directory | {e:?}")
-      }
-    }
-
     Ok(NoData {})
   }
 }
@@ -232,7 +238,11 @@ impl Resolve<CreateBuildWebhook, User> for State {
       &build.config.webhook_secret
     };
 
-    let host = webhook_base_url.as_ref().unwrap_or(host);
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
     let url = format!("{host}/listener/github/build/{}", build.id);
 
     for webhook in webhooks {
@@ -338,7 +348,11 @@ impl Resolve<DeleteBuildWebhook, User> for State {
       ..
     } = core_config();
 
-    let host = webhook_base_url.as_ref().unwrap_or(host);
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
     let url = format!("{host}/listener/github/build/{}", build.id);
 
     for webhook in webhooks {

bin/core/src/api/write/builder.rs

@@ -1,7 +1,8 @@
 use komodo_client::{
   api::write::*,
   entities::{
-    builder::Builder, permission::PermissionLevel, user::User,
+    builder::Builder, permission::PermissionLevel, update::Update,
+    user::User,
   },
 };
 use resolver_api::Resolve;
@@ -57,3 +58,14 @@ impl Resolve<UpdateBuilder, User> for State {
     resource::update::<Builder>(&id, config, &user).await
   }
 }
+
+impl Resolve<RenameBuilder, User> for State {
+  #[instrument(name = "RenameBuilder", skip(self, user))]
+  async fn resolve(
+    &self,
+    RenameBuilder { id, name }: RenameBuilder,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    resource::rename::<Builder>(&id, &name, &user).await
+  }
+}

bin/core/src/api/write/deployment.rs

@@ -2,10 +2,14 @@ use anyhow::{anyhow, Context};
 use komodo_client::{
   api::write::*,
   entities::{
-    deployment::{Deployment, DeploymentState},
+    deployment::{
+      Deployment, DeploymentImage, DeploymentState,
+      PartialDeploymentConfig, RestartMode,
+    },
+    docker::container::RestartPolicyNameEnum,
     komodo_timestamp,
     permission::PermissionLevel,
-    server::Server,
+    server::{Server, ServerState},
     to_komodo_name,
     update::Update,
     user::User,
@@ -13,7 +17,7 @@ use komodo_client::{
   },
 };
 use mungos::{by_id::update_one_by_id, mongodb::bson::doc};
-use periphery_client::api;
+use periphery_client::api::{self, container::InspectContainer};
 use resolver_api::Resolve;
 
 use crate::{
@@ -23,7 +27,7 @@ use crate::{
     update::{add_update, make_update},
   },
   resource,
-  state::{action_states, db_client, State},
+  state::{action_states, db_client, server_status_cache, State},
 };
 
 impl Resolve<CreateDeployment, User> for State {
@@ -55,6 +59,97 @@ impl Resolve<CopyDeployment, User> for State {
   }
 }
 
+impl Resolve<CreateDeploymentFromContainer, User> for State {
+  #[instrument(
+    name = "CreateDeploymentFromContainer",
+    skip(self, user)
+  )]
+  async fn resolve(
+    &self,
+    CreateDeploymentFromContainer { name, server }: CreateDeploymentFromContainer,
+    user: User,
+  ) -> anyhow::Result<Deployment> {
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Write,
+    )
+    .await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if cache.state != ServerState::Ok {
+      return Err(anyhow!(
+        "Cannot inspect container: server is {:?}",
+        cache.state
+      ));
+    }
+    let container = periphery_client(&server)?
+      .request(InspectContainer { name: name.clone() })
+      .await
+      .context("Failed to inspect container")?;
+
+    let mut config = PartialDeploymentConfig {
+      server_id: server.id.into(),
+      ..Default::default()
+    };
+
+    if let Some(container_config) = container.config {
+      config.image = container_config
+        .image
+        .map(|image| DeploymentImage::Image { image });
+      config.command = container_config.cmd.join(" ").into();
+      config.environment = container_config
+        .env
+        .into_iter()
+        .map(|env| format!("  {env}"))
+        .collect::<Vec<_>>()
+        .join("\n")
+        .into();
+      config.labels = container_config
+        .labels
+        .into_iter()
+        .map(|(key, val)| format!("  {key}: {val}"))
+        .collect::<Vec<_>>()
+        .join("\n")
+        .into();
+    }
+    if let Some(host_config) = container.host_config {
+      config.volumes = host_config
+        .binds
+        .into_iter()
+        .map(|bind| format!("  {bind}"))
+        .collect::<Vec<_>>()
+        .join("\n")
+        .into();
+      config.network = host_config.network_mode;
+      config.ports = host_config
+        .port_bindings
+        .into_iter()
+        .filter_map(|(container, mut host)| {
+          let host = host.pop()?.host_port?;
+          Some(format!("  {host}:{}", container.replace("/tcp", "")))
+        })
+        .collect::<Vec<_>>()
+        .join("\n")
+        .into();
+      config.restart = host_config.restart_policy.map(|restart| {
+        match restart.name {
+          RestartPolicyNameEnum::Always => RestartMode::Always,
+          RestartPolicyNameEnum::No
+          | RestartPolicyNameEnum::Empty => RestartMode::NoRestart,
+          RestartPolicyNameEnum::UnlessStopped => {
+            RestartMode::UnlessStopped
+          }
+          RestartPolicyNameEnum::OnFailure => RestartMode::OnFailure,
+        }
+      });
+    }
+
+    resource::create::<Deployment>(&name, config, &user).await
+  }
+}
+
 impl Resolve<DeleteDeployment, User> for State {
   #[instrument(name = "DeleteDeployment", skip(self, user))]
   async fn resolve(
@@ -108,7 +203,7 @@ impl Resolve<RenameDeployment, User> for State {
 
     if container_state == DeploymentState::Unknown {
       return Err(anyhow!(
-        "cannot rename deployment when container status is unknown"
+        "Cannot rename Deployment when container status is unknown"
       ));
     }
 
@@ -116,7 +211,7 @@ impl Resolve<RenameDeployment, User> for State {
       make_update(&deployment, Operation::RenameDeployment, &user);
 
     update_one_by_id(
-      &db_client().await.deployments,
+      &db_client().deployments,
       &deployment.id,
       mungos::update::Update::Set(
         doc! { "name": &name, "updated_at": komodo_timestamp() },
@@ -124,7 +219,7 @@ impl Resolve<RenameDeployment, User> for State {
       None,
     )
     .await
-    .context("failed to update deployment name on db")?;
+    .context("Failed to update Deployment name on db")?;
 
     if container_state != DeploymentState::NotDeployed {
       let server =
@@ -135,20 +230,19 @@ impl Resolve<RenameDeployment, User> for State {
           new_name: name.clone(),
         })
         .await
-        .context("failed to rename container on server")?;
+        .context("Failed to rename container on server")?;
       update.logs.push(log);
     }
 
     update.push_simple_log(
-      "rename deployment",
+      "Rename Deployment",
       format!(
-        "renamed deployment from {} to {}",
+        "Renamed Deployment from {} to {}",
         deployment.name, name
       ),
     );
     update.finalize();
-
-    add_update(update.clone()).await?;
+    update.id = add_update(update.clone()).await?;
 
     Ok(update)
   }

bin/core/src/api/write/description.rs

@@ -2,7 +2,7 @@ use anyhow::anyhow;
 use komodo_client::{
   api::write::{UpdateDescription, UpdateDescriptionResponse},
   entities::{
-    alerter::Alerter, build::Build, builder::Builder,
+    action::Action, alerter::Alerter, build::Build, builder::Builder,
     deployment::Deployment, procedure::Procedure, repo::Repo,
     server::Server, server_template::ServerTemplate, stack::Stack,
     sync::ResourceSync, user::User, ResourceTarget,
@@ -84,6 +84,14 @@ impl Resolve<UpdateDescription, User> for State {
         )
         .await?;
       }
+      ResourceTarget::Action(id) => {
+        resource::update_description::<Action>(
+          &id,
+          &description,
+          &user,
+        )
+        .await?;
+      }
       ResourceTarget::ServerTemplate(id) => {
         resource::update_description::<ServerTemplate>(
           &id,

bin/core/src/api/write/mod.rs

@@ -13,6 +13,7 @@ use uuid::Uuid;
 
 use crate::{auth::auth_request, state::State};
 
+mod action;
 mod alerter;
 mod build;
 mod builder;
@@ -28,6 +29,7 @@ mod service_user;
 mod stack;
 mod sync;
 mod tag;
+mod user;
 mod user_group;
 mod variable;
 
@@ -40,6 +42,11 @@ mod variable;
 #[resolver_args(User)]
 #[serde(tag = "type", content = "params")]
 pub enum WriteRequest {
+  // ==== USER ====
+  UpdateUserUsername(UpdateUserUsername),
+  UpdateUserPassword(UpdateUserPassword),
+  DeleteUser(DeleteUser),
+
   // ==== SERVICE USER ====
   CreateServiceUser(CreateServiceUser),
   UpdateServiceUserDescription(UpdateServiceUserDescription),
@@ -55,6 +62,7 @@ pub enum WriteRequest {
   SetUsersInUserGroup(SetUsersInUserGroup),
 
   // ==== PERMISSIONS ====
+  UpdateUserAdmin(UpdateUserAdmin),
   UpdateUserBasePermissions(UpdateUserBasePermissions),
   UpdatePermissionOnResourceType(UpdatePermissionOnResourceType),
   UpdatePermissionOnTarget(UpdatePermissionOnTarget),
@@ -72,6 +80,7 @@ pub enum WriteRequest {
   // ==== DEPLOYMENT ====
   CreateDeployment(CreateDeployment),
   CopyDeployment(CopyDeployment),
+  CreateDeploymentFromContainer(CreateDeploymentFromContainer),
   DeleteDeployment(DeleteDeployment),
   UpdateDeployment(UpdateDeployment),
   RenameDeployment(RenameDeployment),
@@ -81,6 +90,7 @@ pub enum WriteRequest {
   CopyBuild(CopyBuild),
   DeleteBuild(DeleteBuild),
   UpdateBuild(UpdateBuild),
+  RenameBuild(RenameBuild),
   RefreshBuildCache(RefreshBuildCache),
   CreateBuildWebhook(CreateBuildWebhook),
   DeleteBuildWebhook(DeleteBuildWebhook),
@@ -90,18 +100,21 @@ pub enum WriteRequest {
   CopyBuilder(CopyBuilder),
   DeleteBuilder(DeleteBuilder),
   UpdateBuilder(UpdateBuilder),
+  RenameBuilder(RenameBuilder),
 
   // ==== SERVER TEMPLATE ====
   CreateServerTemplate(CreateServerTemplate),
   CopyServerTemplate(CopyServerTemplate),
   DeleteServerTemplate(DeleteServerTemplate),
   UpdateServerTemplate(UpdateServerTemplate),
+  RenameServerTemplate(RenameServerTemplate),
 
   // ==== REPO ====
   CreateRepo(CreateRepo),
   CopyRepo(CopyRepo),
   DeleteRepo(DeleteRepo),
   UpdateRepo(UpdateRepo),
+  RenameRepo(RenameRepo),
   RefreshRepoCache(RefreshRepoCache),
   CreateRepoWebhook(CreateRepoWebhook),
   DeleteRepoWebhook(DeleteRepoWebhook),
@@ -111,18 +124,30 @@ pub enum WriteRequest {
   CopyAlerter(CopyAlerter),
   DeleteAlerter(DeleteAlerter),
   UpdateAlerter(UpdateAlerter),
+  RenameAlerter(RenameAlerter),
 
   // ==== PROCEDURE ====
   CreateProcedure(CreateProcedure),
   CopyProcedure(CopyProcedure),
   DeleteProcedure(DeleteProcedure),
   UpdateProcedure(UpdateProcedure),
+  RenameProcedure(RenameProcedure),
+
+  // ==== ACTION ====
+  CreateAction(CreateAction),
+  CopyAction(CopyAction),
+  DeleteAction(DeleteAction),
+  UpdateAction(UpdateAction),
+  RenameAction(RenameAction),
 
   // ==== SYNC ====
   CreateResourceSync(CreateResourceSync),
   CopyResourceSync(CopyResourceSync),
   DeleteResourceSync(DeleteResourceSync),
   UpdateResourceSync(UpdateResourceSync),
+  RenameResourceSync(RenameResourceSync),
+  WriteSyncFileContents(WriteSyncFileContents),
+  CommitSync(CommitSync),
   RefreshResourceSyncPending(RefreshResourceSyncPending),
   CreateSyncWebhook(CreateSyncWebhook),
   DeleteSyncWebhook(DeleteSyncWebhook),
@@ -133,6 +158,7 @@ pub enum WriteRequest {
   DeleteStack(DeleteStack),
   UpdateStack(UpdateStack),
   RenameStack(RenameStack),
+  WriteStackFileContents(WriteStackFileContents),
   RefreshStackCache(RefreshStackCache),
   CreateStackWebhook(CreateStackWebhook),
   DeleteStackWebhook(DeleteStackWebhook),
@@ -185,7 +211,10 @@ async fn handler(
 #[instrument(
   name = "WriteRequest",
   skip(user, request),
-  fields(user_id = user.id, request = format!("{:?}", request.extract_variant()))
+  fields(
+    user_id = user.id,
+    request = format!("{:?}", request.extract_variant())
+  )
 )]
 async fn task(
   req_id: Uuid,

bin/core/src/api/write/permissions.rs

@@ -5,7 +5,8 @@ use komodo_client::{
   api::write::{
     UpdatePermissionOnResourceType,
     UpdatePermissionOnResourceTypeResponse, UpdatePermissionOnTarget,
-    UpdatePermissionOnTargetResponse, UpdateUserBasePermissions,
+    UpdatePermissionOnTargetResponse, UpdateUserAdmin,
+    UpdateUserAdminResponse, UpdateUserBasePermissions,
     UpdateUserBasePermissionsResponse,
   },
   entities::{
@@ -28,6 +29,40 @@ use crate::{
   state::{db_client, State},
 };
 
+impl Resolve<UpdateUserAdmin, User> for State {
+  async fn resolve(
+    &self,
+    UpdateUserAdmin { user_id, admin }: UpdateUserAdmin,
+    super_admin: User,
+  ) -> anyhow::Result<UpdateUserAdminResponse> {
+    if !super_admin.super_admin {
+      return Err(anyhow!("Only super admins can call this method."));
+    }
+    let user = find_one_by_id(&db_client().users, &user_id)
+      .await
+      .context("failed to query mongo for user")?
+      .context("did not find user with given id")?;
+
+    if !user.enabled {
+      return Err(anyhow!("User is disabled. Enable user first."));
+    }
+
+    if user.super_admin {
+      return Err(anyhow!("Cannot update other super admins"));
+    }
+
+    update_one_by_id(
+      &db_client().users,
+      &user_id,
+      doc! { "$set": { "admin": admin } },
+      None,
+    )
+    .await?;
+
+    Ok(UpdateUserAdminResponse {})
+  }
+}
+
 impl Resolve<UpdateUserBasePermissions, User> for State {
   #[instrument(name = "UpdateUserBasePermissions", skip(self, admin))]
   async fn resolve(
@@ -44,13 +79,18 @@ impl Resolve<UpdateUserBasePermissions, User> for State {
       return Err(anyhow!("this method is admin only"));
     }
 
-    let user = find_one_by_id(&db_client().await.users, &user_id)
+    let user = find_one_by_id(&db_client().users, &user_id)
       .await
       .context("failed to query mongo for user")?
       .context("did not find user with given id")?;
-    if user.admin {
+    if user.super_admin {
       return Err(anyhow!(
-        "cannot use this method to update other admins permissions"
+        "Cannot use this method to update super admins permissions"
+      ));
+    }
+    if user.admin && !admin.super_admin {
+      return Err(anyhow!(
+        "Only super admins can use this method to update other admins permissions"
       ));
     }
     let mut update_doc = Document::new();
@@ -65,7 +105,7 @@ impl Resolve<UpdateUserBasePermissions, User> for State {
     }
 
     update_one_by_id(
-      &db_client().await.users,
+      &db_client().users,
       &user_id,
       mungos::update::Update::Set(update_doc),
       None,
@@ -119,7 +159,6 @@ impl Resolve<UpdatePermissionOnResourceType, User> for State {
     match user_target_variant {
       UserTargetVariant::User => {
         db_client()
-          .await
           .users
           .update_one(filter, update)
           .await
@@ -129,7 +168,6 @@ impl Resolve<UpdatePermissionOnResourceType, User> for State {
       }
       UserTargetVariant::UserGroup => {
         db_client()
-          .await
           .user_groups
           .update_one(filter, update)
           .await
@@ -181,7 +219,6 @@ impl Resolve<UpdatePermissionOnTarget, User> for State {
       (user_target_variant.as_ref(), resource_variant.as_ref());
 
     db_client()
-      .await
       .permissions
       .update_one(
         doc! {
@@ -218,7 +255,6 @@ async fn extract_user_target_with_validation(
         Err(_) => doc! { "username": ident },
       };
       let id = db_client()
-        .await
         .users
         .find_one(filter)
         .await
@@ -233,7 +269,6 @@ async fn extract_user_target_with_validation(
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .user_groups
         .find_one(filter)
         .await
@@ -260,7 +295,6 @@ async fn extract_resource_target_with_validation(
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .builds
         .find_one(filter)
         .await
@@ -275,7 +309,6 @@ async fn extract_resource_target_with_validation(
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .builders
         .find_one(filter)
         .await
@@ -290,7 +323,6 @@ async fn extract_resource_target_with_validation(
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .deployments
         .find_one(filter)
         .await
@@ -305,7 +337,6 @@ async fn extract_resource_target_with_validation(
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .servers
         .find_one(filter)
         .await
@@ -320,7 +351,6 @@ async fn extract_resource_target_with_validation(
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .repos
         .find_one(filter)
         .await
@@ -335,7 +365,6 @@ async fn extract_resource_target_with_validation(
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .alerters
         .find_one(filter)
         .await
@@ -350,7 +379,6 @@ async fn extract_resource_target_with_validation(
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .procedures
         .find_one(filter)
         .await
@@ -359,13 +387,26 @@ async fn extract_resource_target_with_validation(
         .id;
       Ok((ResourceTargetVariant::Procedure, id))
     }
+    ResourceTarget::Action(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .actions
+        .find_one(filter)
+        .await
+        .context("failed to query db for actions")?
+        .context("no matching action found")?
+        .id;
+      Ok((ResourceTargetVariant::Action, id))
+    }
     ResourceTarget::ServerTemplate(ident) => {
       let filter = match ObjectId::from_str(ident) {
         Ok(id) => doc! { "_id": id },
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .server_templates
         .find_one(filter)
         .await
@@ -380,7 +421,6 @@ async fn extract_resource_target_with_validation(
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .resource_syncs
         .find_one(filter)
         .await
@@ -395,7 +435,6 @@ async fn extract_resource_target_with_validation(
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .await
         .stacks
         .find_one(filter)
         .await

bin/core/src/api/write/procedure.rs

@@ -1,7 +1,8 @@
 use komodo_client::{
   api::write::*,
   entities::{
-    permission::PermissionLevel, procedure::Procedure, user::User,
+    permission::PermissionLevel, procedure::Procedure,
+    update::Update, user::User,
   },
 };
 use resolver_api::Resolve;
@@ -48,6 +49,17 @@ impl Resolve<UpdateProcedure, User> for State {
   }
 }
 
+impl Resolve<RenameProcedure, User> for State {
+  #[instrument(name = "RenameProcedure", skip(self, user))]
+  async fn resolve(
+    &self,
+    RenameProcedure { id, name }: RenameProcedure,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    resource::rename::<Procedure>(&id, &name, &user).await
+  }
+}
+
 impl Resolve<DeleteProcedure, User> for State {
   #[instrument(name = "DeleteProcedure", skip(self, user))]
   async fn resolve(

bin/core/src/api/write/provider.rs

@@ -47,7 +47,6 @@ impl Resolve<CreateGitProviderAccount, User> for State {
     );
 
     account.id = db_client()
-      .await
       .git_accounts
       .insert_one(&account)
       .await
@@ -118,7 +117,7 @@ impl Resolve<UpdateGitProviderAccount, User> for State {
     let account = to_document(&account).context(
       "failed to serialize partial git provider account to bson",
     )?;
-    let db = db_client().await;
+    let db = db_client();
     update_one_by_id(
       &db.git_accounts,
       &id,
@@ -175,7 +174,7 @@ impl Resolve<DeleteGitProviderAccount, User> for State {
       &user,
     );
 
-    let db = db_client().await;
+    let db = db_client();
     let Some(account) =
       find_one_by_id(&db.git_accounts, &id)
         .await
@@ -237,7 +236,6 @@ impl Resolve<CreateDockerRegistryAccount, User> for State {
     );
 
     account.id = db_client()
-      .await
       .registry_accounts
       .insert_one(&account)
       .await
@@ -310,7 +308,7 @@ impl Resolve<UpdateDockerRegistryAccount, User> for State {
       "failed to serialize partial docker registry account account to bson",
     )?;
 
-    let db = db_client().await;
+    let db = db_client();
     update_one_by_id(
       &db.registry_accounts,
       &id,
@@ -368,7 +366,7 @@ impl Resolve<DeleteDockerRegistryAccount, User> for State {
       &user,
     );
 
-    let db = db_client().await;
+    let db = db_client();
     let Some(account) = find_one_by_id(&db.registry_accounts, &id)
       .await
       .context("failed to query db for git accounts")?

bin/core/src/api/write/repo.rs

@@ -1,26 +1,36 @@
 use anyhow::{anyhow, Context};
-use mongo_indexed::doc;
+use formatting::format_serror;
+use git::GitRes;
 use komodo_client::{
   api::write::*,
   entities::{
     config::core::CoreConfig,
+    komodo_timestamp,
     permission::PermissionLevel,
     repo::{PartialRepoConfig, Repo, RepoInfo},
+    server::Server,
+    to_komodo_name,
+    update::{Log, Update},
     user::User,
-    CloneArgs, NoData,
+    CloneArgs, NoData, Operation,
   },
 };
-use mungos::mongodb::bson::to_document;
+use mongo_indexed::doc;
+use mungos::{by_id::update_one_by_id, mongodb::bson::to_document};
 use octorust::types::{
   ReposCreateWebhookRequest, ReposCreateWebhookRequestConfig,
 };
+use periphery_client::api;
 use resolver_api::Resolve;
 
 use crate::{
   config::core_config,
-  helpers::{git_token, random_string},
+  helpers::{
+    git_token, periphery_client,
+    update::{add_update, make_update},
+  },
   resource,
-  state::{db_client, github_client, State},
+  state::{action_states, db_client, github_client, State},
 };
 
 impl Resolve<CreateRepo, User> for State {
@@ -74,6 +84,81 @@ impl Resolve<UpdateRepo, User> for State {
   }
 }
 
+impl Resolve<RenameRepo, User> for State {
+  #[instrument(name = "RenameRepo", skip(self, user))]
+  async fn resolve(
+    &self,
+    RenameRepo { id, name }: RenameRepo,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    let repo = resource::get_check_permissions::<Repo>(
+      &id,
+      &user,
+      PermissionLevel::Write,
+    )
+    .await?;
+
+    if repo.config.server_id.is_empty()
+      || !repo.config.path.is_empty()
+    {
+      return resource::rename::<Repo>(&repo.id, &name, &user).await;
+    }
+
+    // get the action state for the repo (or insert default).
+    let action_state =
+      action_states().repo.get_or_insert_default(&repo.id).await;
+
+    // Will check to ensure repo not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.renaming = true)?;
+
+    let name = to_komodo_name(&name);
+
+    let mut update = make_update(&repo, Operation::RenameRepo, &user);
+
+    update_one_by_id(
+      &db_client().repos,
+      &repo.id,
+      mungos::update::Update::Set(
+        doc! { "name": &name, "updated_at": komodo_timestamp() },
+      ),
+      None,
+    )
+    .await
+    .context("Failed to update Repo name on db")?;
+
+    let server =
+      resource::get::<Server>(&repo.config.server_id).await?;
+
+    let log = match periphery_client(&server)?
+      .request(api::git::RenameRepo {
+        curr_name: to_komodo_name(&repo.name),
+        new_name: name.clone(),
+      })
+      .await
+      .context("Failed to rename Repo directory on Server")
+    {
+      Ok(log) => log,
+      Err(e) => Log::error(
+        "Rename Repo directory failure",
+        format_serror(&e.into()),
+      ),
+    };
+
+    update.logs.push(log);
+
+    update.push_simple_log(
+      "Rename Repo",
+      format!("Renamed Repo from {} to {}", repo.name, name),
+    );
+    update.finalize();
+    update.id = add_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
 impl Resolve<RefreshRepoCache, User> for State {
   #[instrument(
     name = "RefreshRepoCache",
@@ -94,42 +179,36 @@ impl Resolve<RefreshRepoCache, User> for State {
     )
     .await?;
 
-    if repo.config.repo.is_empty() {
+    if repo.config.git_provider.is_empty()
+      || repo.config.repo.is_empty()
+    {
       // Nothing to do
       return Ok(NoData {});
     }
 
-    let config = core_config();
-
-    let repo_dir = config.repo_directory.join(random_string(10));
     let mut clone_args: CloneArgs = (&repo).into();
-    // No reason to to the commands here.
+    let repo_path =
+      clone_args.unique_path(&core_config().repo_directory)?;
+    clone_args.destination = Some(repo_path.display().to_string());
+    // Don't want to run these on core.
     clone_args.on_clone = None;
     clone_args.on_pull = None;
-    clone_args.destination = Some(repo_dir.display().to_string());
 
-    let access_token = match (&clone_args.account, &clone_args.provider)
-    {
-      (None, _) => None,
-      (Some(_), None) => {
-        return Err(anyhow!(
-          "Account is configured, but provider is empty"
-        ))
-      }
-      (Some(username), Some(provider)) => {
-        git_token(provider, username, |https| {
+    let access_token = if let Some(username) = &clone_args.account {
+      git_token(&clone_args.provider, username, |https| {
           clone_args.https = https
         })
         .await
         .with_context(
-          || format!("Failed to get git token in call to db. Stopping run. | {provider} | {username}"),
+          || format!("Failed to get git token in call to db. Stopping run. | {} | {username}", clone_args.provider),
         )?
-      }
+    } else {
+      None
     };
 
-    let (_, latest_hash, latest_message, _) = git::clone(
+    let GitRes { hash, message, .. } = git::pull_or_clone(
       clone_args,
-      &config.repo_directory,
+      &core_config().repo_directory,
       access_token,
       &[],
       "",
@@ -137,22 +216,23 @@ impl Resolve<RefreshRepoCache, User> for State {
       &[],
     )
     .await
-    .context("failed to clone repo (the resource) repo")?;
+    .with_context(|| {
+      format!("Failed to update repo at {repo_path:?}")
+    })?;
 
     let info = RepoInfo {
       last_pulled_at: repo.info.last_pulled_at,
       last_built_at: repo.info.last_built_at,
       built_hash: repo.info.built_hash,
       built_message: repo.info.built_message,
-      latest_hash,
-      latest_message,
+      latest_hash: hash,
+      latest_message: message,
     };
 
     let info = to_document(&info)
       .context("failed to serialize repo info to bson")?;
 
     db_client()
-      .await
       .repos
       .update_one(
         doc! { "name": &repo.name },
@@ -161,14 +241,6 @@ impl Resolve<RefreshRepoCache, User> for State {
       .await
       .context("failed to update repo info on db")?;
 
-    if repo_dir.exists() {
-      if let Err(e) = std::fs::remove_dir_all(&repo_dir) {
-        warn!(
-          "failed to remove repo (resource) cache update repo directory | {e:?}"
-        )
-      }
-    }
-
     Ok(NoData {})
   }
 }
@@ -233,7 +305,11 @@ impl Resolve<CreateRepoWebhook, User> for State {
       &repo.config.webhook_secret
     };
 
-    let host = webhook_base_url.as_ref().unwrap_or(host);
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
     let url = match action {
       RepoWebhookAction::Clone => {
         format!("{host}/listener/github/repo/{}/clone", repo.id)
@@ -350,7 +426,11 @@ impl Resolve<DeleteRepoWebhook, User> for State {
       ..
     } = core_config();
 
-    let host = webhook_base_url.as_ref().unwrap_or(host);
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
     let url = match action {
       RepoWebhookAction::Clone => {
         format!("{host}/listener/github/repo/{}/clone", repo.id)

bin/core/src/api/write/server.rs

@@ -1,9 +1,7 @@
-use anyhow::Context;
 use formatting::format_serror;
 use komodo_client::{
   api::write::*,
   entities::{
-    komodo_timestamp,
     permission::PermissionLevel,
     server::Server,
     update::{Update, UpdateStatus},
@@ -11,7 +9,6 @@ use komodo_client::{
     Operation,
   },
 };
-use mungos::{by_id::update_one_by_id, mongodb::bson::doc};
 use periphery_client::api;
 use resolver_api::Resolve;
 
@@ -21,7 +18,7 @@ use crate::{
     update::{add_update, make_update, update_update},
   },
   resource,
-  state::{db_client, State},
+  state::State,
 };
 
 impl Resolve<CreateServer, User> for State {
@@ -64,25 +61,7 @@ impl Resolve<RenameServer, User> for State {
     RenameServer { id, name }: RenameServer,
     user: User,
   ) -> anyhow::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
-      &id,
-      &user,
-      PermissionLevel::Write,
-    )
-    .await?;
-    let mut update =
-      make_update(&server, Operation::RenameServer, &user);
-
-    update_one_by_id(&db_client().await.servers, &id, mungos::update::Update::Set(doc! { "name": &name, "updated_at": komodo_timestamp() }), None)
-      .await
-      .context("failed to update server on db. this name may already be taken.")?;
-    update.push_simple_log(
-      "rename server",
-      format!("renamed server {id} from {} to {name}", server.name),
-    );
-    update.finalize();
-    update.id = add_update(update.clone()).await?;
-    Ok(update)
+    resource::rename::<Server>(&id, &name, &user).await
   }
 }
 

bin/core/src/api/write/server_template.rs

@@ -1,11 +1,11 @@
 use komodo_client::{
   api::write::{
     CopyServerTemplate, CreateServerTemplate, DeleteServerTemplate,
-    UpdateServerTemplate,
+    RenameServerTemplate, UpdateServerTemplate,
   },
   entities::{
     permission::PermissionLevel, server_template::ServerTemplate,
-    user::User,
+    update::Update, user::User,
   },
 };
 use resolver_api::Resolve;
@@ -63,3 +63,14 @@ impl Resolve<UpdateServerTemplate, User> for State {
     resource::update::<ServerTemplate>(&id, config, &user).await
   }
 }
+
+impl Resolve<RenameServerTemplate, User> for State {
+  #[instrument(name = "RenameServerTemplate", skip(self, user))]
+  async fn resolve(
+    &self,
+    RenameServerTemplate { id, name }: RenameServerTemplate,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    resource::rename::<ServerTemplate>(&id, &name, &user).await
+  }
+}

bin/core/src/api/write/service_user.rs

@@ -48,6 +48,7 @@ impl Resolve<CreateServiceUser, User> for State {
       config,
       enabled: true,
       admin: false,
+      super_admin: false,
       create_server_permissions: false,
       create_build_permissions: false,
       last_update_view: 0,
@@ -56,7 +57,6 @@ impl Resolve<CreateServiceUser, User> for State {
       updated_at: komodo_timestamp(),
     };
     user.id = db_client()
-      .await
       .users
       .insert_one(&user)
       .await
@@ -85,7 +85,7 @@ impl Resolve<UpdateServiceUserDescription, User> for State {
     if !user.admin {
       return Err(anyhow!("user not admin"));
     }
-    let db = db_client().await;
+    let db = db_client();
     let service_user = db
       .users
       .find_one(doc! { "username": &username })
@@ -124,11 +124,10 @@ impl Resolve<CreateApiKeyForServiceUser, User> for State {
     if !user.admin {
       return Err(anyhow!("user not admin"));
     }
-    let service_user =
-      find_one_by_id(&db_client().await.users, &user_id)
-        .await
-        .context("failed to query db for user")?
-        .context("no user found with id")?;
+    let service_user = find_one_by_id(&db_client().users, &user_id)
+      .await
+      .context("failed to query db for user")?
+      .context("no user found with id")?;
     let UserConfig::Service { .. } = &service_user.config else {
       return Err(anyhow!("user is not service user"));
     };
@@ -148,7 +147,7 @@ impl Resolve<DeleteApiKeyForServiceUser, User> for State {
     if !user.admin {
       return Err(anyhow!("user not admin"));
     }
-    let db = db_client().await;
+    let db = db_client();
     let api_key = db
       .api_keys
       .find_one(doc! { "key": &key })
@@ -156,7 +155,7 @@ impl Resolve<DeleteApiKeyForServiceUser, User> for State {
       .context("failed to query db for api key")?
       .context("did not find matching api key")?;
     let service_user =
-      find_one_by_id(&db_client().await.users, &api_key.user_id)
+      find_one_by_id(&db_client().users, &api_key.user_id)
         .await
         .context("failed to query db for user")?
         .context("no user found with id")?;

bin/core/src/api/write/stack.rs

@@ -4,39 +4,38 @@ use komodo_client::{
   api::write::*,
   entities::{
     config::core::CoreConfig,
-    komodo_timestamp,
     permission::PermissionLevel,
     server::ServerState,
-    stack::{ComposeContents, PartialStackConfig, Stack, StackInfo},
+    stack::{PartialStackConfig, Stack, StackInfo},
     update::Update,
-    user::User,
-    NoData, Operation,
+    user::{stack_user, User},
+    FileContents, NoData, Operation,
   },
 };
-use mungos::{
-  by_id::update_one_by_id,
-  mongodb::bson::{doc, to_document},
-};
+use mungos::mongodb::bson::{doc, to_document};
 use octorust::types::{
   ReposCreateWebhookRequest, ReposCreateWebhookRequestConfig,
 };
 use periphery_client::api::compose::{
   GetComposeContentsOnHost, GetComposeContentsOnHostResponse,
+  WriteCommitComposeContents, WriteComposeContentsToHost,
 };
 use resolver_api::Resolve;
 
 use crate::{
+  api::execute::pull_stack_inner,
   config::core_config,
   helpers::{
-    periphery_client,
+    git_token, periphery_client,
     query::get_server_with_state,
-    stack::{
-      remote::get_remote_compose_contents,
-      services::extract_services_into_res,
-    },
     update::{add_update, make_update},
   },
   resource,
+  stack::{
+    get_stack_and_server,
+    remote::{get_repo_compose_contents, RemoteComposeContents},
+    services::extract_services_into_res,
+  },
   state::{db_client, github_client, State},
 };
 
@@ -98,33 +97,119 @@ impl Resolve<RenameStack, User> for State {
     RenameStack { id, name }: RenameStack,
     user: User,
   ) -> anyhow::Result<Update> {
-    let stack = resource::get_check_permissions::<Stack>(
-      &id,
+    resource::rename::<Stack>(&id, &name, &user).await
+  }
+}
+
+impl Resolve<WriteStackFileContents, User> for State {
+  async fn resolve(
+    &self,
+    WriteStackFileContents {
+      stack,
+      file_path,
+      contents,
+    }: WriteStackFileContents,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    let (mut stack, server) = get_stack_and_server(
+      &stack,
       &user,
       PermissionLevel::Write,
+      true,
     )
     .await?;
 
+    if !stack.config.files_on_host && stack.config.repo.is_empty() {
+      return Err(anyhow!(
+        "Stack is not configured to use Files on Host or Git Repo, can't write file contents"
+      ));
+    }
+
     let mut update =
-      make_update(&stack, Operation::RenameStack, &user);
+      make_update(&stack, Operation::WriteStackContents, &user);
 
-    update_one_by_id(
-      &db_client().await.stacks,
-      &stack.id,
-      mungos::update::Update::Set(
-        doc! { "name": &name, "updated_at": komodo_timestamp() },
-      ),
-      None,
-    )
-    .await
-    .context("failed to update stack name on db")?;
+    update.push_simple_log("File contents to write", &contents);
+
+    let stack_id = stack.id.clone();
+
+    if stack.config.files_on_host {
+      match periphery_client(&server)?
+        .request(WriteComposeContentsToHost {
+          name: stack.name,
+          run_directory: stack.config.run_directory,
+          file_path,
+          contents,
+        })
+        .await
+        .context("Failed to write contents to host")
+      {
+        Ok(log) => {
+          update.logs.push(log);
+        }
+        Err(e) => {
+          update.push_error_log(
+            "Write file contents",
+            format_serror(&e.into()),
+          );
+        }
+      };
+    } else {
+      let git_token = if !stack.config.git_account.is_empty() {
+        git_token(
+          &stack.config.git_provider,
+          &stack.config.git_account,
+          |https| stack.config.git_https = https,
+        )
+        .await
+        .with_context(|| {
+          format!(
+            "Failed to get git token. | {} | {}",
+            stack.config.git_account, stack.config.git_provider
+          )
+        })?
+      } else {
+        None
+      };
+      match periphery_client(&server)?
+        .request(WriteCommitComposeContents {
+          stack,
+          username: Some(user.username),
+          file_path,
+          contents,
+          git_token,
+        })
+        .await
+        .context("Failed to write contents to host")
+      {
+        Ok(res) => {
+          update.logs.extend(res.logs);
+        }
+        Err(e) => {
+          update.push_error_log(
+            "Write file contents",
+            format_serror(&e.into()),
+          );
+        }
+      };
+    }
+
+    if let Err(e) = State
+      .resolve(
+        RefreshStackCache { stack: stack_id },
+        stack_user().to_owned(),
+      )
+      .await
+      .context(
+        "Failed to refresh stack cache after writing file contents",
+      )
+    {
+      update.push_error_log(
+        "Refresh stack cache",
+        format_serror(&e.into()),
+      );
+    }
 
-    update.push_simple_log(
-      "rename stack",
-      format!("renamed stack from {} to {}", stack.name, name),
-    );
     update.finalize();
-
     add_update(update.clone()).await?;
 
     Ok(update)
@@ -152,10 +237,11 @@ impl Resolve<RefreshStackCache, User> for State {
     .await?;
 
     let file_contents_empty = stack.config.file_contents.is_empty();
+    let repo_empty = stack.config.repo.is_empty();
 
     if !stack.config.files_on_host
       && file_contents_empty
-      && stack.config.repo.is_empty()
+      && repo_empty
     {
       // Nothing to do without one of these
       return Ok(NoData {});
@@ -173,69 +259,70 @@ impl Resolve<RefreshStackCache, User> for State {
       // =============
       // FILES ON HOST
       // =============
-      if stack.config.server_id.is_empty() {
-        (vec![], None, None, None, None)
+      let (server, state) = if stack.config.server_id.is_empty() {
+        (None, ServerState::Disabled)
       } else {
-        let (server, status) =
+        let (server, state) =
           get_server_with_state(&stack.config.server_id).await?;
-        if status != ServerState::Ok {
-          (vec![], None, None, None, None)
-        } else {
-          let GetComposeContentsOnHostResponse { contents, errors } =
-            match periphery_client(&server)?
-              .request(GetComposeContentsOnHost {
-                file_paths: stack.file_paths().to_vec(),
-                name: stack.name.clone(),
-                run_directory: stack.config.run_directory.clone(),
-              })
-              .await
-              .context(
-                "failed to get compose file contents from host",
-              ) {
-              Ok(res) => res,
-              Err(e) => GetComposeContentsOnHostResponse {
-                contents: Default::default(),
-                errors: vec![ComposeContents {
-                  path: stack.config.run_directory.clone(),
-                  contents: format_serror(&e.into()),
-                }],
-              },
-            };
+        (Some(server), state)
+      };
+      if state != ServerState::Ok {
+        (vec![], None, None, None, None)
+      } else if let Some(server) = server {
+        let GetComposeContentsOnHostResponse { contents, errors } =
+          match periphery_client(&server)?
+            .request(GetComposeContentsOnHost {
+              file_paths: stack.file_paths().to_vec(),
+              name: stack.name.clone(),
+              run_directory: stack.config.run_directory.clone(),
+            })
+            .await
+            .context("failed to get compose file contents from host")
+          {
+            Ok(res) => res,
+            Err(e) => GetComposeContentsOnHostResponse {
+              contents: Default::default(),
+              errors: vec![FileContents {
+                path: stack.config.run_directory.clone(),
+                contents: format_serror(&e.into()),
+              }],
+            },
+          };
 
-          let project_name = stack.project_name(true);
+        let project_name = stack.project_name(true);
 
-          let mut services = Vec::new();
+        let mut services = Vec::new();
 
-          for contents in &contents {
-            if let Err(e) = extract_services_into_res(
-              &project_name,
-              &contents.contents,
-              &mut services,
-            ) {
-              warn!(
+        for contents in &contents {
+          if let Err(e) = extract_services_into_res(
+            &project_name,
+            &contents.contents,
+            &mut services,
+          ) {
+            warn!(
                 "failed to extract stack services, things won't works correctly. stack: {} | {e:#}",
                 stack.name
               );
-            }
           }
-
-          (services, Some(contents), Some(errors), None, None)
         }
+
+        (services, Some(contents), Some(errors), None, None)
+      } else {
+        (vec![], None, None, None, None)
       }
-    } else if file_contents_empty {
+    } else if !repo_empty {
       // ================
       // REPO BASED STACK
       // ================
-      let (
-        remote_contents,
-        remote_errors,
-        _,
-        latest_hash,
-        latest_message,
-      ) =
-        get_remote_compose_contents(&stack, Some(&mut missing_files))
-          .await
-          .context("failed to clone remote compose file")?;
+      let RemoteComposeContents {
+        successful: remote_contents,
+        errored: remote_errors,
+        hash: latest_hash,
+        message: latest_message,
+        ..
+      } = get_repo_compose_contents(&stack, Some(&mut missing_files))
+        .await?;
+
       let project_name = stack.project_name(true);
 
       let mut services = Vec::new();
@@ -272,21 +359,21 @@ impl Resolve<RefreshStackCache, User> for State {
         &mut services,
       ) {
         warn!(
-          "failed to extract stack services, things won't works correctly. stack: {} | {e:#}",
+          "Failed to extract Stack services for {}, things may not work correctly. | {e:#}",
           stack.name
         );
-        services.extend(stack.info.latest_services);
+        services.extend(stack.info.latest_services.clone());
       };
       (services, None, None, None, None)
     };
 
     let info = StackInfo {
       missing_files,
-      deployed_services: stack.info.deployed_services,
-      deployed_project_name: stack.info.deployed_project_name,
-      deployed_contents: stack.info.deployed_contents,
-      deployed_hash: stack.info.deployed_hash,
-      deployed_message: stack.info.deployed_message,
+      deployed_services: stack.info.deployed_services.clone(),
+      deployed_project_name: stack.info.deployed_project_name.clone(),
+      deployed_contents: stack.info.deployed_contents.clone(),
+      deployed_hash: stack.info.deployed_hash.clone(),
+      deployed_message: stack.info.deployed_message.clone(),
       latest_services,
       remote_contents,
       remote_errors,
@@ -298,7 +385,6 @@ impl Resolve<RefreshStackCache, User> for State {
       .context("failed to serialize stack info to bson")?;
 
     db_client()
-      .await
       .stacks
       .update_one(
         doc! { "name": &stack.name },
@@ -307,6 +393,23 @@ impl Resolve<RefreshStackCache, User> for State {
       .await
       .context("failed to update stack info on db")?;
 
+    if (stack.config.poll_for_updates || stack.config.auto_update)
+      && !stack.config.server_id.is_empty()
+    {
+      let (server, state) =
+        get_server_with_state(&stack.config.server_id).await?;
+      if state == ServerState::Ok {
+        let name = stack.name.clone();
+        if let Err(e) =
+          pull_stack_inner(stack, None, &server, None).await
+        {
+          warn!(
+            "Failed to pull latest images for Stack {name} | {e:#}",
+          );
+        }
+      }
+    }
+
     Ok(NoData {})
   }
 }
@@ -371,7 +474,11 @@ impl Resolve<CreateStackWebhook, User> for State {
       &stack.config.webhook_secret
     };
 
-    let host = webhook_base_url.as_ref().unwrap_or(host);
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
     let url = match action {
       StackWebhookAction::Refresh => {
         format!("{host}/listener/github/stack/{}/refresh", stack.id)
@@ -485,7 +592,11 @@ impl Resolve<DeleteStackWebhook, User> for State {
       ..
     } = core_config();
 
-    let host = webhook_base_url.as_ref().unwrap_or(host);
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
     let url = match action {
       StackWebhookAction::Refresh => {
         format!("{host}/listener/github/stack/{}/refresh", stack.id)

bin/core/src/api/write/sync.rs

@@ -1,13 +1,15 @@
-use std::collections::HashMap;
+use std::{collections::HashMap, path::PathBuf};
 
 use anyhow::{anyhow, Context};
 use formatting::format_serror;
 use komodo_client::{
-  api::write::*,
+  api::{read::ExportAllResourcesToToml, write::*},
   entities::{
     self,
+    action::Action,
     alert::{Alert, AlertData, SeverityLevel},
     alerter::Alerter,
+    all_logs_success,
     build::Build,
     builder::Builder,
     config::core::CoreConfig,
@@ -20,13 +22,12 @@ use komodo_client::{
     server_template::ServerTemplate,
     stack::Stack,
     sync::{
-      PartialResourceSyncConfig, PendingSyncUpdates,
-      PendingSyncUpdatesData, PendingSyncUpdatesDataErr,
-      PendingSyncUpdatesDataOk, ResourceSync,
+      PartialResourceSyncConfig, ResourceSync, ResourceSyncInfo,
     },
-    ResourceTarget,
-    user::User,
-    NoData,
+    to_komodo_name,
+    update::{Log, Update},
+    user::{sync_user, User},
+    CloneArgs, NoData, Operation, ResourceTarget,
   },
 };
 use mungos::{
@@ -37,19 +38,21 @@ use octorust::types::{
   ReposCreateWebhookRequest, ReposCreateWebhookRequestConfig,
 };
 use resolver_api::Resolve;
+use tokio::fs;
 
 use crate::{
+  alert::send_alerts,
   config::core_config,
   helpers::{
-    alert::send_alerts,
     query::get_id_to_tags,
-    sync::{
-      deploy::SyncDeployParams,
-      resource::{get_updates_for_view, AllResourcesById},
-    },
+    update::{add_update, make_update, update_update},
   },
-  resource,
+  resource::{self, refresh_resource_sync_state_cache},
   state::{db_client, github_client, State},
+  sync::{
+    deploy::SyncDeployParams, remote::RemoteResources,
+    view::push_updates_for_view, AllResourcesById,
+  },
 };
 
 impl Resolve<CreateResourceSync, User> for State {
@@ -104,6 +107,297 @@ impl Resolve<UpdateResourceSync, User> for State {
   }
 }
 
+impl Resolve<RenameResourceSync, User> for State {
+  #[instrument(name = "RenameResourceSync", skip(self, user))]
+  async fn resolve(
+    &self,
+    RenameResourceSync { id, name }: RenameResourceSync,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    resource::rename::<ResourceSync>(&id, &name, &user).await
+  }
+}
+
+impl Resolve<WriteSyncFileContents, User> for State {
+  async fn resolve(
+    &self,
+    WriteSyncFileContents {
+      sync,
+      resource_path,
+      file_path,
+      contents,
+    }: WriteSyncFileContents,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    let sync = resource::get_check_permissions::<ResourceSync>(
+      &sync,
+      &user,
+      PermissionLevel::Write,
+    )
+    .await?;
+
+    if !sync.config.files_on_host && sync.config.repo.is_empty() {
+      return Err(anyhow!(
+        "This method is only for files on host, or repo based syncs."
+      ));
+    }
+
+    let mut update =
+      make_update(&sync, Operation::WriteSyncContents, &user);
+
+    update.push_simple_log("File contents", &contents);
+
+    let root = if sync.config.files_on_host {
+      core_config()
+        .sync_directory
+        .join(to_komodo_name(&sync.name))
+    } else {
+      let clone_args: CloneArgs = (&sync).into();
+      clone_args.unique_path(&core_config().repo_directory)?
+    };
+    let file_path =
+      file_path.parse::<PathBuf>().context("Invalid file path")?;
+    let resource_path = resource_path
+      .parse::<PathBuf>()
+      .context("Invalid resource path")?;
+    let full_path = root.join(&resource_path).join(&file_path);
+
+    if let Some(parent) = full_path.parent() {
+      let _ = fs::create_dir_all(parent).await;
+    }
+
+    if let Err(e) =
+      fs::write(&full_path, &contents).await.with_context(|| {
+        format!("Failed to write file contents to {full_path:?}")
+      })
+    {
+      update.push_error_log("Write file", format_serror(&e.into()));
+    } else {
+      update.push_simple_log(
+        "Write file",
+        format!("File written to {full_path:?}"),
+      );
+    };
+
+    if !all_logs_success(&update.logs) {
+      update.finalize();
+      update.id = add_update(update.clone()).await?;
+
+      return Ok(update);
+    }
+
+    if sync.config.files_on_host {
+      if let Err(e) = State
+        .resolve(RefreshResourceSyncPending { sync: sync.name }, user)
+        .await
+      {
+        update
+          .push_error_log("Refresh failed", format_serror(&e.into()));
+      }
+
+      update.finalize();
+      update.id = add_update(update.clone()).await?;
+
+      return Ok(update);
+    }
+
+    let commit_res = git::commit_file(
+      &format!("{}: Commit Resource File", user.username),
+      &root,
+      &resource_path.join(&file_path),
+    )
+    .await;
+
+    update.logs.extend(commit_res.logs);
+
+    if let Err(e) = State
+      .resolve(RefreshResourceSyncPending { sync: sync.name }, user)
+      .await
+    {
+      update
+        .push_error_log("Refresh failed", format_serror(&e.into()));
+    }
+
+    update.finalize();
+    update.id = add_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<CommitSync, User> for State {
+  #[instrument(name = "CommitSync", skip(self, user))]
+  async fn resolve(
+    &self,
+    CommitSync { sync }: CommitSync,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    let sync = resource::get_check_permissions::<
+      entities::sync::ResourceSync,
+    >(&sync, &user, PermissionLevel::Write)
+    .await?;
+
+    let file_contents_empty = sync.config.file_contents_empty();
+
+    let fresh_sync = !sync.config.files_on_host
+      && sync.config.repo.is_empty()
+      && file_contents_empty;
+
+    if !sync.config.managed && !fresh_sync {
+      return Err(anyhow!(
+        "Cannot commit to sync. Enabled 'managed' mode."
+      ));
+    }
+
+    // Get this here so it can fail before update created.
+    let resource_path =
+      if sync.config.files_on_host || !sync.config.repo.is_empty() {
+        let resource_path = sync
+          .config
+          .resource_path
+          .first()
+          .context("Sync does not have resource path configured.")?
+          .parse::<PathBuf>()
+          .context("Invalid resource path")?;
+
+        if resource_path
+          .extension()
+          .context("Resource path missing '.toml' extension")?
+          != "toml"
+        {
+          return Err(anyhow!(
+            "Resource path missing '.toml' extension"
+          ));
+        }
+        Some(resource_path)
+      } else {
+        None
+      };
+
+    let res = State
+      .resolve(
+        ExportAllResourcesToToml {
+          tags: sync.config.match_tags.clone(),
+        },
+        sync_user().to_owned(),
+      )
+      .await?;
+
+    let mut update = make_update(&sync, Operation::CommitSync, &user);
+    update.id = add_update(update.clone()).await?;
+
+    update.logs.push(Log::simple("Resources", res.toml.clone()));
+
+    if sync.config.files_on_host {
+      let Some(resource_path) = resource_path else {
+        // Resource path checked above for files_on_host mode.
+        unreachable!()
+      };
+      let file_path = core_config()
+        .sync_directory
+        .join(to_komodo_name(&sync.name))
+        .join(&resource_path);
+      if let Some(parent) = file_path.parent() {
+        let _ = tokio::fs::create_dir_all(&parent).await;
+      };
+      if let Err(e) = tokio::fs::write(&file_path, &res.toml)
+        .await
+        .with_context(|| {
+          format!("Failed to write resource file to {file_path:?}",)
+        })
+      {
+        update.push_error_log(
+          "Write resource file",
+          format_serror(&e.into()),
+        );
+        update.finalize();
+        add_update(update.clone()).await?;
+        return Ok(update);
+      } else {
+        update.push_simple_log(
+          "Write contents",
+          format!("File contents written to {file_path:?}"),
+        );
+      }
+    } else if !sync.config.repo.is_empty() {
+      let Some(resource_path) = resource_path else {
+        // Resource path checked above for repo mode.
+        unreachable!()
+      };
+      // GIT REPO
+      let args: CloneArgs = (&sync).into();
+      let root = args.unique_path(&core_config().repo_directory)?;
+      match git::write_commit_file(
+        "Commit Sync",
+        &root,
+        &resource_path,
+        &res.toml,
+      )
+      .await
+      {
+        Ok(res) => update.logs.extend(res.logs),
+        Err(e) => {
+          update.push_error_log(
+            "Write resource file",
+            format_serror(&e.into()),
+          );
+          update.finalize();
+          add_update(update.clone()).await?;
+          return Ok(update);
+        }
+      }
+      // ===========
+      // UI DEFINED
+    } else if let Err(e) = db_client()
+      .resource_syncs
+      .update_one(
+        doc! { "name": &sync.name },
+        doc! { "$set": { "config.file_contents": res.toml } },
+      )
+      .await
+      .context("failed to update file_contents on db")
+    {
+      update.push_error_log(
+        "Write resource to database",
+        format_serror(&e.into()),
+      );
+      update.finalize();
+      add_update(update.clone()).await?;
+      return Ok(update);
+    }
+
+    if let Err(e) = State
+      .resolve(RefreshResourceSyncPending { sync: sync.name }, user)
+      .await
+    {
+      update.push_error_log(
+        "Refresh sync pending",
+        format_serror(&(&e).into()),
+      );
+    };
+
+    update.finalize();
+
+    // Need to manually update the update before cache refresh,
+    // and before broadcast with add_update.
+    // The Err case of to_document should be unreachable,
+    // but will fail to update cache in that case.
+    if let Ok(update_doc) = to_document(&update) {
+      let _ = update_one_by_id(
+        &db_client().updates,
+        &update.id,
+        mungos::update::Update::Set(update_doc),
+        None,
+      )
+      .await;
+      refresh_resource_sync_state_cache().await;
+    }
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
 impl Resolve<RefreshResourceSyncPending, User> for State {
   #[instrument(
     name = "RefreshResourceSyncPending",
@@ -117,21 +411,44 @@ impl Resolve<RefreshResourceSyncPending, User> for State {
   ) -> anyhow::Result<ResourceSync> {
     // Even though this is a write request, this doesn't change any config. Anyone that can execute the
     // sync should be able to do this.
-    let sync = resource::get_check_permissions::<
+    let mut sync = resource::get_check_permissions::<
       entities::sync::ResourceSync,
     >(&sync, &user, PermissionLevel::Execute)
     .await?;
 
-    if sync.config.repo.is_empty() {
-      return Err(anyhow!("resource sync repo not configured"));
+    if !sync.config.managed
+      && !sync.config.files_on_host
+      && sync.config.file_contents.is_empty()
+      && sync.config.repo.is_empty()
+    {
+      // Sync not configured, nothing to refresh
+      return Ok(sync);
     }
 
     let res = async {
-      let (res, _, hash, message) =
-        crate::helpers::sync::remote::get_remote_resources(&sync)
-          .await
-          .context("failed to get remote resources")?;
-      let resources = res?;
+      let RemoteResources {
+        resources,
+        files,
+        file_errors,
+        hash,
+        message,
+        ..
+      } = crate::sync::remote::get_remote_resources(&sync)
+        .await
+        .context("failed to get remote resources")?;
+
+      sync.info.remote_contents = files;
+      sync.info.remote_errors = file_errors;
+      sync.info.pending_hash = hash;
+      sync.info.pending_message = message;
+
+      if !sync.info.remote_errors.is_empty() {
+        return Err(anyhow!(
+          "Remote resources have errors. Cannot compute diffs."
+        ));
+      }
+
+      let resources = resources?;
 
       let id_to_tags = get_id_to_tags(None).await?;
       let all_resources = AllResourcesById::load().await?;
@@ -150,155 +467,217 @@ impl Resolve<RefreshResourceSyncPending, User> for State {
         .collect::<HashMap<_, _>>();
 
       let deploy_updates =
-        crate::helpers::sync::deploy::get_updates_for_view(
-          SyncDeployParams {
-            deployments: &resources.deployments,
-            deployment_map: &deployments_by_name,
-            stacks: &resources.stacks,
-            stack_map: &stacks_by_name,
-            all_resources: &all_resources,
-          },
-        )
+        crate::sync::deploy::get_updates_for_view(SyncDeployParams {
+          deployments: &resources.deployments,
+          deployment_map: &deployments_by_name,
+          stacks: &resources.stacks,
+          stack_map: &stacks_by_name,
+          all_resources: &all_resources,
+        })
         .await;
 
-      let data = PendingSyncUpdatesDataOk {
-        server_updates: get_updates_for_view::<Server>(
+      let delete = sync.config.managed || sync.config.delete;
+
+      let mut diffs = Vec::new();
+
+      {
+        push_updates_for_view::<Server>(
           resources.servers,
-          sync.config.delete,
+          delete,
           &all_resources,
+          None,
+          None,
           &id_to_tags,
+          &sync.config.match_tags,
+          &mut diffs,
         )
-        .await
-        .context("failed to get server updates")?,
-        deployment_updates: get_updates_for_view::<Deployment>(
-          resources.deployments,
-          sync.config.delete,
-          &all_resources,
-          &id_to_tags,
-        )
-        .await
-        .context("failed to get deployment updates")?,
-        stack_updates: get_updates_for_view::<Stack>(
+        .await?;
+        push_updates_for_view::<Stack>(
           resources.stacks,
-          sync.config.delete,
+          delete,
           &all_resources,
+          None,
+          None,
           &id_to_tags,
+          &sync.config.match_tags,
+          &mut diffs,
         )
-        .await
-        .context("failed to get stack updates")?,
-        build_updates: get_updates_for_view::<Build>(
+        .await?;
+        push_updates_for_view::<Deployment>(
+          resources.deployments,
+          delete,
+          &all_resources,
+          None,
+          None,
+          &id_to_tags,
+          &sync.config.match_tags,
+          &mut diffs,
+        )
+        .await?;
+        push_updates_for_view::<Build>(
           resources.builds,
-          sync.config.delete,
+          delete,
           &all_resources,
+          None,
+          None,
           &id_to_tags,
+          &sync.config.match_tags,
+          &mut diffs,
         )
-        .await
-        .context("failed to get build updates")?,
-        repo_updates: get_updates_for_view::<Repo>(
+        .await?;
+        push_updates_for_view::<Repo>(
           resources.repos,
-          sync.config.delete,
+          delete,
           &all_resources,
+          None,
+          None,
           &id_to_tags,
+          &sync.config.match_tags,
+          &mut diffs,
         )
-        .await
-        .context("failed to get repo updates")?,
-        procedure_updates: get_updates_for_view::<Procedure>(
+        .await?;
+        push_updates_for_view::<Procedure>(
           resources.procedures,
-          sync.config.delete,
+          delete,
           &all_resources,
+          None,
+          None,
           &id_to_tags,
+          &sync.config.match_tags,
+          &mut diffs,
         )
-        .await
-        .context("failed to get procedure updates")?,
-        alerter_updates: get_updates_for_view::<Alerter>(
-          resources.alerters,
-          sync.config.delete,
+        .await?;
+        push_updates_for_view::<Action>(
+          resources.actions,
+          delete,
           &all_resources,
+          None,
+          None,
           &id_to_tags,
+          &sync.config.match_tags,
+          &mut diffs,
         )
-        .await
-        .context("failed to get alerter updates")?,
-        builder_updates: get_updates_for_view::<Builder>(
+        .await?;
+        push_updates_for_view::<Builder>(
           resources.builders,
-          sync.config.delete,
+          delete,
           &all_resources,
+          None,
+          None,
           &id_to_tags,
+          &sync.config.match_tags,
+          &mut diffs,
         )
-        .await
-        .context("failed to get builder updates")?,
-        server_template_updates:
-          get_updates_for_view::<ServerTemplate>(
-            resources.server_templates,
-            sync.config.delete,
-            &all_resources,
-            &id_to_tags,
-          )
-          .await
-          .context("failed to get server template updates")?,
-        resource_sync_updates: get_updates_for_view::<
-          entities::sync::ResourceSync,
-        >(
+        .await?;
+        push_updates_for_view::<Alerter>(
+          resources.alerters,
+          delete,
+          &all_resources,
+          None,
+          None,
+          &id_to_tags,
+          &sync.config.match_tags,
+          &mut diffs,
+        )
+        .await?;
+        push_updates_for_view::<ServerTemplate>(
+          resources.server_templates,
+          delete,
+          &all_resources,
+          None,
+          None,
+          &id_to_tags,
+          &sync.config.match_tags,
+          &mut diffs,
+        )
+        .await?;
+        push_updates_for_view::<ResourceSync>(
           resources.resource_syncs,
-          sync.config.delete,
+          delete,
           &all_resources,
+          None,
+          None,
           &id_to_tags,
+          &sync.config.match_tags,
+          &mut diffs,
         )
-        .await
-        .context("failed to get resource sync updates")?,
-        variable_updates:
-          crate::helpers::sync::variables::get_updates_for_view(
-            resources.variables,
-            sync.config.delete,
-          )
-          .await
-          .context("failed to get variable updates")?,
-        user_group_updates:
-          crate::helpers::sync::user_groups::get_updates_for_view(
-            resources.user_groups,
-            sync.config.delete,
-            &all_resources,
-          )
-          .await
-          .context("failed to get user group updates")?,
-        deploy_updates,
+        .await?;
+      }
+
+      let variable_updates = if sync.config.match_tags.is_empty() {
+        crate::sync::variables::get_updates_for_view(
+          &resources.variables,
+          delete,
+        )
+        .await?
+      } else {
+        Default::default()
       };
-      anyhow::Ok((hash, message, data))
+
+      let user_group_updates = if sync.config.match_tags.is_empty() {
+        crate::sync::user_groups::get_updates_for_view(
+          resources.user_groups,
+          delete,
+          &all_resources,
+        )
+        .await?
+      } else {
+        Default::default()
+      };
+
+      anyhow::Ok((
+        diffs,
+        deploy_updates,
+        variable_updates,
+        user_group_updates,
+      ))
     }
     .await;
 
-    let (pending, has_updates) = match res {
-      Ok((hash, message, data)) => {
-        let has_updates = !data.no_updates();
-        (
-          PendingSyncUpdates {
-            hash: Some(hash),
-            message: Some(message),
-            data: PendingSyncUpdatesData::Ok(data),
-          },
-          has_updates,
-        )
-      }
+    let (
+      resource_updates,
+      deploy_updates,
+      variable_updates,
+      user_group_updates,
+      pending_error,
+    ) = match res {
+      Ok(res) => (res.0, res.1, res.2, res.3, None),
       Err(e) => (
-        PendingSyncUpdates {
-          hash: None,
-          message: None,
-          data: PendingSyncUpdatesData::Err(
-            PendingSyncUpdatesDataErr {
-              message: format_serror(&e.into()),
-            },
-          ),
-        },
-        false,
+        Default::default(),
+        Default::default(),
+        Default::default(),
+        Default::default(),
+        Some(format_serror(&e.into())),
       ),
     };
 
-    let pending = to_document(&pending)
+    let has_updates = !resource_updates.is_empty()
+      || !deploy_updates.to_deploy == 0
+      || !variable_updates.is_empty()
+      || !user_group_updates.is_empty();
+
+    let info = ResourceSyncInfo {
+      last_sync_ts: sync.info.last_sync_ts,
+      last_sync_hash: sync.info.last_sync_hash,
+      last_sync_message: sync.info.last_sync_message,
+      remote_contents: sync.info.remote_contents,
+      remote_errors: sync.info.remote_errors,
+      pending_hash: sync.info.pending_hash,
+      pending_message: sync.info.pending_message,
+      pending_deploy: deploy_updates,
+      resource_updates,
+      variable_updates,
+      user_group_updates,
+      pending_error,
+    };
+
+    let info = to_document(&info)
       .context("failed to serialize pending to document")?;
 
     update_one_by_id(
-      &db_client().await.resource_syncs,
+      &db_client().resource_syncs,
       &sync.id,
-      doc! { "$set": { "info.pending": pending } },
+      doc! { "$set": { "info": info } },
       None,
     )
     .await?;
@@ -307,9 +686,8 @@ impl Resolve<RefreshResourceSyncPending, User> for State {
     let id = sync.id.clone();
     let name = sync.name.clone();
     tokio::task::spawn(async move {
-      let db = db_client().await;
+      let db = db_client();
       let Some(existing) = db_client()
-        .await
         .alerts
         .find_one(doc! {
           "resolved": false,
@@ -430,7 +808,11 @@ impl Resolve<CreateSyncWebhook, User> for State {
       &sync.config.webhook_secret
     };
 
-    let host = webhook_base_url.as_ref().unwrap_or(host);
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
     let url = match action {
       SyncWebhookAction::Refresh => {
         format!("{host}/listener/github/sync/{}/refresh", sync.id)
@@ -544,7 +926,11 @@ impl Resolve<DeleteSyncWebhook, User> for State {
       ..
     } = core_config();
 
-    let host = webhook_base_url.as_ref().unwrap_or(host);
+    let host = if webhook_base_url.is_empty() {
+      host
+    } else {
+      webhook_base_url
+    };
     let url = match action {
       SyncWebhookAction::Refresh => {
         format!("{host}/listener/github/sync/{}/refresh", sync.id)

bin/core/src/api/write/tag.rs

@@ -7,7 +7,7 @@ use komodo_client::{
     UpdateTagsOnResourceResponse,
   },
   entities::{
-    alerter::Alerter, build::Build, builder::Builder,
+    action::Action, alerter::Alerter, build::Build, builder::Builder,
     deployment::Deployment, permission::PermissionLevel,
     procedure::Procedure, repo::Repo, server::Server,
     server_template::ServerTemplate, stack::Stack,
@@ -44,7 +44,6 @@ impl Resolve<CreateTag, User> for State {
     };
 
     tag.id = db_client()
-      .await
       .tags
       .insert_one(&tag)
       .await
@@ -72,7 +71,7 @@ impl Resolve<RenameTag, User> for State {
     get_tag_check_owner(&id, &user).await?;
 
     update_one_by_id(
-      &db_client().await.tags,
+      &db_client().tags,
       &id,
       doc! { "$set": { "name": name } },
       None,
@@ -96,6 +95,7 @@ impl Resolve<DeleteTag, User> for State {
     tokio::try_join!(
       resource::remove_tag_from_all::<Server>(&id),
       resource::remove_tag_from_all::<Deployment>(&id),
+      resource::remove_tag_from_all::<Stack>(&id),
       resource::remove_tag_from_all::<Build>(&id),
       resource::remove_tag_from_all::<Repo>(&id),
       resource::remove_tag_from_all::<Builder>(&id),
@@ -104,7 +104,7 @@ impl Resolve<DeleteTag, User> for State {
       resource::remove_tag_from_all::<ServerTemplate>(&id),
     )?;
 
-    delete_one_by_id(&db_client().await.tags, &id, None).await?;
+    delete_one_by_id(&db_client().tags, &id, None).await?;
 
     Ok(tag)
   }
@@ -182,6 +182,15 @@ impl Resolve<UpdateTagsOnResource, User> for State {
         .await?;
         resource::update_tags::<Procedure>(&id, tags, user).await?
       }
+      ResourceTarget::Action(id) => {
+        resource::get_check_permissions::<Action>(
+          &id,
+          &user,
+          PermissionLevel::Write,
+        )
+        .await?;
+        resource::update_tags::<Action>(&id, tags, user).await?
+      }
       ResourceTarget::ServerTemplate(id) => {
         resource::get_check_permissions::<ServerTemplate>(
           &id,

bin/core/src/api/write/user.rs

@@ -0,0 +1,130 @@
+use std::str::FromStr;
+
+use anyhow::{anyhow, Context};
+use komodo_client::{
+  api::write::{
+    DeleteUser, DeleteUserResponse, UpdateUserPassword,
+    UpdateUserPasswordResponse, UpdateUserUsername,
+    UpdateUserUsernameResponse,
+  },
+  entities::{
+    user::{User, UserConfig},
+    NoData,
+  },
+};
+use mungos::mongodb::bson::{doc, oid::ObjectId};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::hash_password,
+  state::{db_client, State},
+};
+
+//
+
+impl Resolve<UpdateUserUsername, User> for State {
+  async fn resolve(
+    &self,
+    UpdateUserUsername { username }: UpdateUserUsername,
+    user: User,
+  ) -> anyhow::Result<UpdateUserUsernameResponse> {
+    if username.is_empty() {
+      return Err(anyhow!("Username cannot be empty."));
+    }
+    let db = db_client();
+    if db
+      .users
+      .find_one(doc! { "username": &username })
+      .await
+      .context("Failed to query for existing users")?
+      .is_some()
+    {
+      return Err(anyhow!("Username already taken."));
+    }
+    let id = ObjectId::from_str(&user.id)
+      .context("User id not valid ObjectId.")?;
+    db.users
+      .update_one(
+        doc! { "_id": id },
+        doc! { "$set": { "username": username } },
+      )
+      .await
+      .context("Failed to update user username on database.")?;
+    Ok(NoData {})
+  }
+}
+
+//
+
+impl Resolve<UpdateUserPassword, User> for State {
+  async fn resolve(
+    &self,
+    UpdateUserPassword { password }: UpdateUserPassword,
+    user: User,
+  ) -> anyhow::Result<UpdateUserPasswordResponse> {
+    let UserConfig::Local { .. } = user.config else {
+      return Err(anyhow!("User is not local user"));
+    };
+    if password.is_empty() {
+      return Err(anyhow!("Password cannot be empty."));
+    }
+    let id = ObjectId::from_str(&user.id)
+      .context("User id not valid ObjectId.")?;
+    let hashed_password = hash_password(password)?;
+    db_client()
+      .users
+      .update_one(
+        doc! { "_id": id },
+        doc! { "$set": {
+          "config.data.password": hashed_password
+        } },
+      )
+      .await
+      .context("Failed to update user password on database.")?;
+    Ok(NoData {})
+  }
+}
+
+//
+
+impl Resolve<DeleteUser, User> for State {
+  async fn resolve(
+    &self,
+    DeleteUser { user }: DeleteUser,
+    admin: User,
+  ) -> anyhow::Result<DeleteUserResponse> {
+    if !admin.admin {
+      return Err(anyhow!("Calling user is not admin."));
+    }
+    if admin.username == user || admin.id == user {
+      return Err(anyhow!("User cannot delete themselves."));
+    }
+    let query = if let Ok(id) = ObjectId::from_str(&user) {
+      doc! { "_id": id }
+    } else {
+      doc! { "username": user }
+    };
+    let db = db_client();
+    let Some(user) = db
+      .users
+      .find_one(query.clone())
+      .await
+      .context("Failed to query database for users.")?
+    else {
+      return Err(anyhow!("No user found with given id / username"));
+    };
+    if user.super_admin {
+      return Err(anyhow!("Cannot delete a super admin user."));
+    }
+    if user.admin && !admin.super_admin {
+      return Err(anyhow!(
+        "Only a Super Admin can delete an admin user."
+      ));
+    }
+    db.users
+      .delete_one(query)
+      .await
+      .context("Failed to delete user from database")?;
+    Ok(user)
+  }
+}

bin/core/src/api/write/user_group.rs

@@ -33,7 +33,7 @@ impl Resolve<CreateUserGroup, User> for State {
       updated_at: komodo_timestamp(),
       name,
     };
-    let db = db_client().await;
+    let db = db_client();
     let id = db
       .user_groups
       .insert_one(user_group)
@@ -59,7 +59,7 @@ impl Resolve<RenameUserGroup, User> for State {
     if !admin.admin {
       return Err(anyhow!("This call is admin-only"));
     }
-    let db = db_client().await;
+    let db = db_client();
     update_one_by_id(
       &db.user_groups,
       &id,
@@ -85,7 +85,7 @@ impl Resolve<DeleteUserGroup, User> for State {
       return Err(anyhow!("This call is admin-only"));
     }
 
-    let db = db_client().await;
+    let db = db_client();
 
     let ug = find_one_by_id(&db.user_groups, &id)
       .await
@@ -118,7 +118,7 @@ impl Resolve<AddUserToUserGroup, User> for State {
       return Err(anyhow!("This call is admin-only"));
     }
 
-    let db = db_client().await;
+    let db = db_client();
 
     let filter = match ObjectId::from_str(&user) {
       Ok(id) => doc! { "_id": id },
@@ -163,7 +163,7 @@ impl Resolve<RemoveUserFromUserGroup, User> for State {
       return Err(anyhow!("This call is admin-only"));
     }
 
-    let db = db_client().await;
+    let db = db_client();
 
     let filter = match ObjectId::from_str(&user) {
       Ok(id) => doc! { "_id": id },
@@ -205,7 +205,7 @@ impl Resolve<SetUsersInUserGroup, User> for State {
       return Err(anyhow!("This call is admin-only"));
     }
 
-    let db = db_client().await;
+    let db = db_client();
 
     let all_users = find_collect(&db.users, None, None)
       .await

bin/core/src/api/write/variable.rs

@@ -46,7 +46,6 @@ impl Resolve<CreateVariable, User> for State {
     };
 
     db_client()
-      .await
       .variables
       .insert_one(&variable)
       .await
@@ -82,11 +81,10 @@ impl Resolve<UpdateVariableValue, User> for State {
     let variable = get_variable(&name).await?;
 
     if value == variable.value {
-      return Err(anyhow!("no change"));
+      return Ok(variable);
     }
 
     db_client()
-      .await
       .variables
       .update_one(
         doc! { "name": &name },
@@ -133,7 +131,6 @@ impl Resolve<UpdateVariableDescription, User> for State {
       return Err(anyhow!("only admins can update variables"));
     }
     db_client()
-      .await
       .variables
       .update_one(
         doc! { "name": &name },
@@ -156,7 +153,6 @@ impl Resolve<UpdateVariableIsSecret, User> for State {
       return Err(anyhow!("only admins can update variables"));
     }
     db_client()
-      .await
       .variables
       .update_one(
         doc! { "name": &name },
@@ -179,7 +175,6 @@ impl Resolve<DeleteVariable, User> for State {
     }
     let variable = get_variable(&name).await?;
     db_client()
-      .await
       .variables
       .delete_one(doc! { "name": &name })
       .await

bin/core/src/auth/github/mod.rs

@@ -2,11 +2,11 @@ use anyhow::{anyhow, Context};
 use axum::{
   extract::Query, response::Redirect, routing::get, Router,
 };
-use mongo_indexed::Document;
 use komodo_client::entities::{
   komodo_timestamp,
   user::{User, UserConfig},
 };
+use mongo_indexed::Document;
 use mungos::mongodb::bson::doc;
 use reqwest::StatusCode;
 use serde::Deserialize;
@@ -64,12 +64,12 @@ async fn callback(
   let github_user =
     client.get_github_user(&token.access_token).await?;
   let github_id = github_user.id.to_string();
-  let db_client = db_client().await;
+  let db_client = db_client();
   let user = db_client
     .users
     .find_one(doc! { "config.data.github_id": &github_id })
     .await
-    .context("failed at find user query from mongo")?;
+    .context("failed at find user query from database")?;
   let jwt = match user {
     Some(user) => jwt_client()
       .generate(user.id)
@@ -78,11 +78,16 @@ async fn callback(
       let ts = komodo_timestamp();
       let no_users_exist =
         db_client.users.find_one(Document::new()).await?.is_none();
+      let core_config = core_config();
+      if !no_users_exist && core_config.disable_user_registration {
+        return Err(anyhow!("User registration is disabled"));
+      }
       let user = User {
         id: Default::default(),
         username: github_user.login,
-        enabled: no_users_exist || core_config().enable_new_users,
+        enabled: no_users_exist || core_config.enable_new_users,
         admin: no_users_exist,
+        super_admin: no_users_exist,
         create_server_permissions: no_users_exist,
         create_build_permissions: no_users_exist,
         updated_at: ts,

bin/core/src/auth/google/mod.rs

@@ -3,8 +3,8 @@ use async_timing_util::unix_timestamp_ms;
 use axum::{
   extract::Query, response::Redirect, routing::get, Router,
 };
-use mongo_indexed::Document;
 use komodo_client::entities::user::{User, UserConfig};
+use mongo_indexed::Document;
 use mungos::mongodb::bson::doc;
 use reqwest::StatusCode;
 use serde::Deserialize;
@@ -73,7 +73,7 @@ async fn callback(
     .await?;
   let google_user = client.get_google_user(&token.id_token)?;
   let google_id = google_user.id.to_string();
-  let db_client = db_client().await;
+  let db_client = db_client();
   let user = db_client
     .users
     .find_one(doc! { "config.data.google_id": &google_id })
@@ -87,6 +87,10 @@ async fn callback(
       let ts = unix_timestamp_ms() as i64;
       let no_users_exist =
         db_client.users.find_one(Document::new()).await?.is_none();
+      let core_config = core_config();
+      if !no_users_exist && core_config.disable_user_registration {
+        return Err(anyhow!("User registration is disabled"));
+      }
       let user = User {
         id: Default::default(),
         username: google_user
@@ -96,8 +100,9 @@ async fn callback(
           .first()
           .unwrap()
           .to_string(),
-        enabled: no_users_exist || core_config().enable_new_users,
+        enabled: no_users_exist || core_config.enable_new_users,
         admin: no_users_exist,
+        super_admin: no_users_exist,
         create_server_permissions: no_users_exist,
         create_build_permissions: no_users_exist,
         updated_at: ts,

bin/core/src/auth/local.rs

@@ -3,7 +3,6 @@ use std::str::FromStr;
 use anyhow::{anyhow, Context};
 use async_timing_util::unix_timestamp_ms;
 use axum::http::HeaderMap;
-use mongo_indexed::Document;
 use komodo_client::{
   api::auth::{
     CreateLocalUser, CreateLocalUserResponse, LoginLocalUser,
@@ -11,17 +10,16 @@ use komodo_client::{
   },
   entities::user::{User, UserConfig},
 };
+use mongo_indexed::Document;
 use mungos::mongodb::bson::{doc, oid::ObjectId};
 use resolver_api::Resolve;
 
 use crate::{
   config::core_config,
-  state::State,
-  state::{db_client, jwt_client},
+  helpers::hash_password,
+  state::{db_client, jwt_client, State},
 };
 
-const BCRYPT_COST: u32 = 10;
-
 impl Resolve<CreateLocalUser, HeaderMap> for State {
   #[instrument(name = "CreateLocalUser", skip(self))]
   async fn resolve(
@@ -32,30 +30,29 @@ impl Resolve<CreateLocalUser, HeaderMap> for State {
     let core_config = core_config();
 
     if !core_config.local_auth {
-      return Err(anyhow!("local auth is not enabled"));
+      return Err(anyhow!("Local auth is not enabled"));
     }
 
     if username.is_empty() {
-      return Err(anyhow!("username cannot be empty string"));
+      return Err(anyhow!("Username cannot be empty string"));
     }
 
     if ObjectId::from_str(&username).is_ok() {
-      return Err(anyhow!("username cannot be valid ObjectId"));
+      return Err(anyhow!("Username cannot be valid ObjectId"));
     }
 
     if password.is_empty() {
-      return Err(anyhow!("password cannot be empty string"));
+      return Err(anyhow!("Password cannot be empty string"));
     }
 
-    let password = bcrypt::hash(password, BCRYPT_COST)
-      .context("failed to hash password")?;
+    let hashed_password = hash_password(password)?;
 
-    let no_users_exist = db_client()
-      .await
-      .users
-      .find_one(Document::new())
-      .await?
-      .is_none();
+    let no_users_exist =
+      db_client().users.find_one(Document::new()).await?.is_none();
+
+    if !no_users_exist && core_config.disable_user_registration {
+      return Err(anyhow!("User registration is disabled"));
+    }
 
     let ts = unix_timestamp_ms() as i64;
 
@@ -64,17 +61,19 @@ impl Resolve<CreateLocalUser, HeaderMap> for State {
       username,
       enabled: no_users_exist || core_config.enable_new_users,
       admin: no_users_exist,
+      super_admin: no_users_exist,
       create_server_permissions: no_users_exist,
       create_build_permissions: no_users_exist,
       updated_at: ts,
       last_update_view: 0,
       recents: Default::default(),
       all: Default::default(),
-      config: UserConfig::Local { password },
+      config: UserConfig::Local {
+        password: hashed_password,
+      },
     };
 
     let user_id = db_client()
-      .await
       .users
       .insert_one(user)
       .await
@@ -104,7 +103,6 @@ impl Resolve<LoginLocalUser, HeaderMap> for State {
     }
 
     let user = db_client()
-      .await
       .users
       .find_one(doc! { "username": &username })
       .await

bin/core/src/auth/mod.rs

@@ -21,14 +21,15 @@ use self::jwt::JwtClaims;
 pub mod github;
 pub mod google;
 pub mod jwt;
+pub mod oidc;
 
 mod local;
 
 const STATE_PREFIX_LENGTH: usize = 20;
 
-#[derive(Deserialize)]
-pub struct RedirectQuery {
-  pub redirect: Option<String>,
+#[derive(Debug, Deserialize)]
+struct RedirectQuery {
+  redirect: Option<String>,
 }
 
 #[instrument(level = "debug")]
@@ -116,7 +117,6 @@ pub async fn auth_api_key_get_user_id(
   secret: &str,
 ) -> anyhow::Result<String> {
   let key = db_client()
-    .await
     .api_keys
     .find_one(doc! { "key": key })
     .await

bin/core/src/auth/oidc/client.rs

@@ -0,0 +1,67 @@
+use std::sync::OnceLock;
+
+use anyhow::Context;
+use openidconnect::{
+  core::{CoreClient, CoreProviderMetadata},
+  reqwest::async_http_client,
+  ClientId, ClientSecret, IssuerUrl, RedirectUrl,
+};
+
+use crate::config::core_config;
+
+static DEFAULT_OIDC_CLIENT: OnceLock<Option<CoreClient>> =
+  OnceLock::new();
+
+pub fn default_oidc_client() -> Option<&'static CoreClient> {
+  DEFAULT_OIDC_CLIENT
+    .get()
+    .expect("OIDC client get before init")
+    .as_ref()
+}
+
+pub async fn init_default_oidc_client() {
+  let config = core_config();
+  if !config.oidc_enabled
+    || config.oidc_provider.is_empty()
+    || config.oidc_client_id.is_empty()
+    || config.oidc_client_secret.is_empty()
+  {
+    DEFAULT_OIDC_CLIENT
+      .set(None)
+      .expect("Default OIDC client initialized twice");
+    return;
+  }
+  async {
+    // Use OpenID Connect Discovery to fetch the provider metadata.
+    let provider_metadata = CoreProviderMetadata::discover_async(
+      IssuerUrl::new(config.oidc_provider.clone())?,
+      async_http_client,
+    )
+    .await
+    .context(
+      "Failed to get OIDC /.well-known/openid-configuration",
+    )?;
+
+    // Create an OpenID Connect client by specifying the client ID, client secret, authorization URL
+    // and token URL.
+    let client = CoreClient::from_provider_metadata(
+      provider_metadata,
+      ClientId::new(config.oidc_client_id.to_string()),
+      Some(ClientSecret::new(config.oidc_client_secret.to_string())),
+    )
+    // Set the URL the user will be redirected to after the authorization process.
+    .set_redirect_uri(RedirectUrl::new(format!(
+      "{}/auth/oidc/callback",
+      core_config().host
+    ))?);
+
+    DEFAULT_OIDC_CLIENT
+      .set(Some(client))
+      .expect("Default OIDC client initialized twice");
+
+    anyhow::Ok(())
+  }
+  .await
+  .context("Failed to init default OIDC client")
+  .unwrap();
+}

bin/core/src/auth/oidc/mod.rs

@@ -0,0 +1,273 @@
+use std::sync::OnceLock;
+
+use anyhow::{anyhow, Context};
+use axum::{
+  extract::Query, response::Redirect, routing::get, Router,
+};
+use client::default_oidc_client;
+use dashmap::DashMap;
+use komodo_client::entities::{
+  komodo_timestamp,
+  user::{User, UserConfig},
+};
+use mungos::mongodb::bson::{doc, Document};
+use openidconnect::{
+  core::CoreAuthenticationFlow, AccessTokenHash, AuthorizationCode,
+  CsrfToken, Nonce, OAuth2TokenResponse, PkceCodeChallenge,
+  PkceCodeVerifier, Scope, TokenResponse,
+};
+use reqwest::StatusCode;
+use serde::Deserialize;
+use serror::AddStatusCode;
+
+use crate::{
+  config::core_config,
+  state::{db_client, jwt_client},
+};
+
+use super::RedirectQuery;
+
+pub mod client;
+
+/// CSRF tokens can only be used once from the callback,
+/// and must be used within this timeframe
+const CSRF_VALID_FOR_MS: i64 = 120_000; // 2 minutes for user to log in.
+
+type RedirectUrl = Option<String>;
+type CsrfMap =
+  DashMap<String, (PkceCodeVerifier, Nonce, RedirectUrl, i64)>;
+fn csrf_verifier_tokens() -> &'static CsrfMap {
+  static CSRF: OnceLock<CsrfMap> = OnceLock::new();
+  CSRF.get_or_init(Default::default)
+}
+
+pub fn router() -> Router {
+  Router::new()
+    .route(
+      "/login",
+      get(|query| async {
+        login(query).await.status_code(StatusCode::UNAUTHORIZED)
+      }),
+    )
+    .route(
+      "/callback",
+      get(|query| async {
+        callback(query).await.status_code(StatusCode::UNAUTHORIZED)
+      }),
+    )
+}
+
+#[instrument(name = "OidcRedirect", level = "debug")]
+async fn login(
+  Query(RedirectQuery { redirect }): Query<RedirectQuery>,
+) -> anyhow::Result<Redirect> {
+  let client =
+    default_oidc_client().context("OIDC Client not configured")?;
+
+  // Generate a PKCE challenge.
+  let (pkce_challenge, pkce_verifier) =
+    PkceCodeChallenge::new_random_sha256();
+
+  // Generate the authorization URL.
+  let (auth_url, csrf_token, nonce) = client
+    .authorize_url(
+      CoreAuthenticationFlow::AuthorizationCode,
+      CsrfToken::new_random,
+      Nonce::new_random,
+    )
+    .add_scope(Scope::new("openid".to_string()))
+    .add_scope(Scope::new("email".to_string()))
+    .set_pkce_challenge(pkce_challenge)
+    .url();
+
+  // Data inserted here will be matched on callback side for csrf protection.
+  csrf_verifier_tokens().insert(
+    csrf_token.secret().clone(),
+    (
+      pkce_verifier,
+      nonce,
+      redirect,
+      komodo_timestamp() + CSRF_VALID_FOR_MS,
+    ),
+  );
+
+  let config = core_config();
+  let redirect = if !config.oidc_redirect_host.is_empty() {
+    let auth_url = auth_url.as_str();
+    let (protocol, rest) = auth_url
+      .split_once("://")
+      .context("Invalid URL: Missing protocol (eg 'https://')")?;
+    let host = rest
+      .split_once(['/', '?'])
+      .map(|(host, _)| host)
+      .unwrap_or(rest);
+    Redirect::to(&auth_url.replace(
+      &format!("{protocol}://{host}"),
+      &config.oidc_redirect_host,
+    ))
+  } else {
+    Redirect::to(auth_url.as_str())
+  };
+
+  Ok(redirect)
+}
+
+#[derive(Debug, Deserialize)]
+struct CallbackQuery {
+  state: Option<String>,
+  code: Option<String>,
+  error: Option<String>,
+}
+
+#[instrument(name = "OidcCallback", level = "debug")]
+async fn callback(
+  Query(query): Query<CallbackQuery>,
+) -> anyhow::Result<Redirect> {
+  let client =
+    default_oidc_client().context("OIDC Client not configured")?;
+
+  if let Some(e) = query.error {
+    return Err(anyhow!("Provider returned error: {e}"));
+  }
+
+  let code = query.code.context("Provider did not return code")?;
+  let state = CsrfToken::new(
+    query.state.context("Provider did not return state")?,
+  );
+
+  let (_, (pkce_verifier, nonce, redirect, valid_until)) =
+    csrf_verifier_tokens()
+      .remove(state.secret())
+      .context("CSRF Token invalid")?;
+
+  if komodo_timestamp() > valid_until {
+    return Err(anyhow!(
+      "CSRF token invalid (Timed out). The token must be "
+    ));
+  }
+
+  let token_response = client
+    .exchange_code(AuthorizationCode::new(code))
+    // Set the PKCE code verifier.
+    .set_pkce_verifier(pkce_verifier)
+    .request_async(openidconnect::reqwest::async_http_client)
+    .await
+    .context("Failed to get Oauth token")?;
+
+  // Extract the ID token claims after verifying its authenticity and nonce.
+  let id_token = token_response
+    .id_token()
+    .context("OIDC Server did not return an ID token")?;
+
+  // Some providers attach additional audiences, they must be added here
+  // so token verification succeeds.
+  let verifier = client.id_token_verifier();
+  let additional_audiences = &core_config().oidc_additional_audiences;
+  let verifier = if additional_audiences.is_empty() {
+    verifier
+  } else {
+    verifier.set_other_audience_verifier_fn(|aud| {
+      additional_audiences.contains(aud)
+    })
+  };
+
+  let claims = id_token
+    .claims(&verifier, &nonce)
+    .context("Failed to verify token claims")?;
+
+  // Verify the access token hash to ensure that the access token hasn't been substituted for
+  // another user's.
+  if let Some(expected_access_token_hash) = claims.access_token_hash()
+  {
+    let actual_access_token_hash = AccessTokenHash::from_token(
+      token_response.access_token(),
+      &id_token.signing_alg()?,
+    )?;
+    if actual_access_token_hash != *expected_access_token_hash {
+      return Err(anyhow!("Invalid access token"));
+    }
+  }
+
+  let user_id = claims.subject().as_str();
+
+  let db_client = db_client();
+  let user = db_client
+    .users
+    .find_one(doc! {
+      "config.data.provider": &core_config().oidc_provider,
+      "config.data.user_id": user_id
+    })
+    .await
+    .context("failed at find user query from database")?;
+
+  let jwt = match user {
+    Some(user) => jwt_client()
+      .generate(user.id)
+      .context("failed to generate jwt")?,
+    None => {
+      let ts = komodo_timestamp();
+      let no_users_exist =
+        db_client.users.find_one(Document::new()).await?.is_none();
+      let core_config = core_config();
+      if !no_users_exist && core_config.disable_user_registration {
+        return Err(anyhow!("User registration is disabled"));
+      }
+      // Will use preferred_username, then email, then user_id if it isn't available.
+      let username = claims
+        .preferred_username()
+        .map(|username| username.to_string())
+        .unwrap_or_else(|| {
+          let email = claims
+            .email()
+            .map(|email| email.as_str())
+            .unwrap_or(user_id);
+          if core_config.oidc_use_full_email {
+            email
+          } else {
+            email
+              .split_once('@')
+              .map(|(username, _)| username)
+              .unwrap_or(email)
+          }
+          .to_string()
+        });
+      let user = User {
+        id: Default::default(),
+        username,
+        enabled: no_users_exist || core_config.enable_new_users,
+        admin: no_users_exist,
+        super_admin: no_users_exist,
+        create_server_permissions: no_users_exist,
+        create_build_permissions: no_users_exist,
+        updated_at: ts,
+        last_update_view: 0,
+        recents: Default::default(),
+        all: Default::default(),
+        config: UserConfig::Oidc {
+          provider: core_config.oidc_provider.clone(),
+          user_id: user_id.to_string(),
+        },
+      };
+      let user_id = db_client
+        .users
+        .insert_one(user)
+        .await
+        .context("failed to create user on database")?
+        .inserted_id
+        .as_object_id()
+        .context("inserted_id is not ObjectId")?
+        .to_string();
+      jwt_client()
+        .generate(user_id)
+        .context("failed to generate jwt")?
+    }
+  };
+  let exchange_token = jwt_client().create_exchange_token(jwt).await;
+  let redirect_url = if let Some(redirect) = redirect {
+    let splitter = if redirect.contains('?') { '&' } else { '?' };
+    format!("{}{splitter}token={exchange_token}", redirect)
+  } else {
+    format!("{}?token={exchange_token}", core_config().host)
+  };
+  Ok(Redirect::to(&redirect_url))
+}

bin/core/src/cloud/aws/ec2.rs

@@ -19,7 +19,7 @@ use komodo_client::entities::{
   ResourceTarget,
 };
 
-use crate::{config::core_config, helpers::alert::send_alerts};
+use crate::{alert::send_alerts, config::core_config};
 
 const POLL_RATE_SECS: u64 = 2;
 const MAX_POLL_TRIES: usize = 30;
@@ -65,6 +65,7 @@ pub async fn launch_ec2_instance(
     use_public_ip,
     user_data,
     port: _,
+    use_https: _,
   } = config;
   let instance_type = handle_unknown_instance_type(
     InstanceType::from(instance_type.as_str()),
@@ -211,21 +212,37 @@ async fn terminate_ec2_instance_inner(
   Ok(res)
 }
 
+/// Automatically retries 5 times, waiting 2 sec in between
 #[instrument(level = "debug")]
 async fn get_ec2_instance_status(
   client: &Client,
   instance_id: &str,
 ) -> anyhow::Result<Option<InstanceStatus>> {
-  let status = client
-    .describe_instance_status()
-    .instance_ids(instance_id)
-    .send()
+  let mut try_count = 1;
+  loop {
+    match async {
+      anyhow::Ok(
+        client
+          .describe_instance_status()
+          .instance_ids(instance_id)
+          .send()
+          .await
+          .context("failed to describe instance status from aws")?
+          .instance_statuses()
+          .first()
+          .cloned(),
+      )
+    }
     .await
-    .context("failed to get instance status from aws")?
-    .instance_statuses()
-    .first()
-    .cloned();
-  Ok(status)
+    {
+      Ok(res) => return Ok(res),
+      Err(e) if try_count > 4 => return Err(e),
+      Err(_) => {
+        tokio::time::sleep(Duration::from_secs(2)).await;
+        try_count += 1;
+      }
+    }
+  }
 }
 
 #[instrument(level = "debug")]
@@ -247,28 +264,43 @@ async fn get_ec2_instance_state_name(
   Ok(Some(state))
 }
 
+/// Automatically retries 5 times, waiting 2 sec in between
 #[instrument(level = "debug")]
 async fn get_ec2_instance_public_ip(
   client: &Client,
   instance_id: &str,
 ) -> anyhow::Result<String> {
-  let ip = client
-    .describe_instances()
-    .instance_ids(instance_id)
-    .send()
+  let mut try_count = 1;
+  loop {
+    match async {
+      anyhow::Ok(
+        client
+          .describe_instances()
+          .instance_ids(instance_id)
+          .send()
+          .await
+          .context("failed to describe instances from aws")?
+          .reservations()
+          .first()
+          .context("instance reservations is empty")?
+          .instances()
+          .first()
+          .context("instances is empty")?
+          .public_ip_address()
+          .context("instance has no public ip")?
+          .to_string(),
+      )
+    }
     .await
-    .context("failed to get instance status from aws")?
-    .reservations()
-    .first()
-    .context("instance reservations is empty")?
-    .instances()
-    .first()
-    .context("instances is empty")?
-    .public_ip_address()
-    .context("instance has no public ip")?
-    .to_string();
-
-  Ok(ip)
+    {
+      Ok(res) => return Ok(res),
+      Err(e) if try_count > 4 => return Err(e),
+      Err(_) => {
+        tokio::time::sleep(Duration::from_secs(2)).await;
+        try_count += 1;
+      }
+    }
+  }
 }
 
 fn handle_unknown_instance_type(

bin/core/src/cloud/aws/ecr.rs

@@ -1,82 +0,0 @@
-use anyhow::{anyhow, Context};
-use aws_config::{BehaviorVersion, Region};
-use aws_sdk_ecr::Client as EcrClient;
-use run_command::async_run_command;
-
-#[tracing::instrument(skip(access_key_id, secret_access_key))]
-async fn make_ecr_client(
-  region: String,
-  access_key_id: &str,
-  secret_access_key: &str,
-) -> EcrClient {
-  std::env::set_var("AWS_ACCESS_KEY_ID", access_key_id);
-  std::env::set_var("AWS_SECRET_ACCESS_KEY", secret_access_key);
-  let region = Region::new(region);
-  let config = aws_config::defaults(BehaviorVersion::v2024_03_28())
-    .region(region)
-    .load()
-    .await;
-  EcrClient::new(&config)
-}
-
-#[tracing::instrument(skip(access_key_id, secret_access_key))]
-pub async fn maybe_create_repo(
-  repo: &str,
-  region: String,
-  access_key_id: &str,
-  secret_access_key: &str,
-) -> anyhow::Result<()> {
-  let client =
-    make_ecr_client(region, access_key_id, secret_access_key).await;
-
-  let existing = client
-    .describe_repositories()
-    .send()
-    .await
-    .context("failed to describe existing repositories")?
-    .repositories
-    .unwrap_or_default();
-
-  if existing.iter().any(|r| {
-    if let Some(name) = r.repository_name() {
-      name == repo
-    } else {
-      false
-    }
-  }) {
-    return Ok(());
-  };
-
-  client
-    .create_repository()
-    .repository_name(repo)
-    .send()
-    .await
-    .context("failed to create repository")?;
-
-  Ok(())
-}
-
-/// Gets a token docker login.
-///
-/// Requires the aws cli be installed on the host
-#[tracing::instrument(skip(access_key_id, secret_access_key))]
-pub async fn get_ecr_token(
-  region: &str,
-  access_key_id: &str,
-  secret_access_key: &str,
-) -> anyhow::Result<String> {
-  let log = async_run_command(&format!(
-    "AWS_ACCESS_KEY_ID={access_key_id} AWS_SECRET_ACCESS_KEY={secret_access_key} aws ecr get-login-password --region {region}"
-  ))
-  .await;
-
-  if log.success() {
-    Ok(log.stdout)
-  } else {
-    Err(
-      anyhow!("stdout: {} | stderr: {}", log.stdout, log.stderr)
-        .context("failed to get aws ecr login token"),
-    )
-  }
-}

bin/core/src/cloud/aws/mod.rs

@@ -1,2 +1 @@
 pub mod ec2;
-pub mod ecr;

bin/core/src/cloud/hetzner/mod.rs

@@ -66,6 +66,7 @@ pub async fn launch_hetzner_server(
     labels,
     volumes,
     port: _,
+    use_https: _,
   } = config;
   let datacenter = hetzner_datacenter(datacenter);
 

bin/core/src/config.rs

@@ -1,38 +1,18 @@
 use std::sync::OnceLock;
 
 use anyhow::Context;
-use merge_config_files::parse_config_file;
+use environment_file::{
+  maybe_read_item_from_file, maybe_read_list_from_file,
+};
 use komodo_client::entities::{
   config::core::{
-    AwsCredentials, CoreConfig, Env, GithubWebhookAppConfig,
-    GithubWebhookAppInstallationConfig, HetznerCredentials,
-    MongoConfig, OauthCredentials,
+    AwsCredentials, CoreConfig, DatabaseConfig, Env,
+    GithubWebhookAppConfig, GithubWebhookAppInstallationConfig,
+    HetznerCredentials, OauthCredentials,
   },
   logger::LogConfig,
 };
-use serde::Deserialize;
-
-pub fn frontend_path() -> &'static String {
-  #[derive(Deserialize)]
-  struct FrontendEnv {
-    #[serde(default = "default_frontend_path")]
-    komodo_frontend_path: String,
-  }
-
-  fn default_frontend_path() -> String {
-    "/frontend".to_string()
-  }
-
-  static FRONTEND_PATH: OnceLock<String> = OnceLock::new();
-  FRONTEND_PATH.get_or_init(|| {
-    let FrontendEnv {
-      komodo_frontend_path,
-    } = envy::from_env()
-      .context("failed to parse FrontendEnv")
-      .unwrap();
-    komodo_frontend_path
-  })
-}
+use merge_config_files::parse_config_file;
 
 pub fn core_config() -> &'static CoreConfig {
   static CORE_CONFIG: OnceLock<CoreConfig> = OnceLock::new();
@@ -50,7 +30,7 @@ pub fn core_config() -> &'static CoreConfig {
         .unwrap_or_else(|e| {
           panic!("failed at parsing config at {config_path} | {e:#}")
         });
-    let installations = match (env.komodo_github_webhook_app_installations_ids, env.komodo_github_webhook_app_installations_namespaces) {
+    let installations = match (maybe_read_list_from_file(env.komodo_github_webhook_app_installations_ids_file,env.komodo_github_webhook_app_installations_ids), env.komodo_github_webhook_app_installations_namespaces) {
       (Some(ids), Some(namespaces)) => {
         if ids.len() != namespaces.len() {
           panic!("KOMODO_GITHUB_WEBHOOK_APP_INSTALLATIONS_IDS length and KOMODO_GITHUB_WEBHOOK_APP_INSTALLATIONS_NAMESPACES length mismatch. Got {ids:?} and {namespaces:?}")
@@ -71,35 +51,111 @@ pub fn core_config() -> &'static CoreConfig {
         config.github_webhook_app.installations
       }
     };
-    // recreating CoreConfig here makes sure we apply all env overrides.
+
+    // recreating CoreConfig here makes sure apply all env overrides applied.
     CoreConfig {
+      // Secret things overridden with file
+      jwt_secret: maybe_read_item_from_file(env.komodo_jwt_secret_file, env.komodo_jwt_secret).unwrap_or(config.jwt_secret),
+      passkey: maybe_read_item_from_file(env.komodo_passkey_file, env.komodo_passkey)
+        .unwrap_or(config.passkey),
+      webhook_secret: maybe_read_item_from_file(env.komodo_webhook_secret_file, env.komodo_webhook_secret)
+        .unwrap_or(config.webhook_secret),
+      database: DatabaseConfig {
+        uri: maybe_read_item_from_file(env.komodo_database_uri_file,env.komodo_database_uri).unwrap_or(config.database.uri),
+        address: env.komodo_database_address.unwrap_or(config.database.address),
+        username: maybe_read_item_from_file(env.komodo_database_username_file,env
+          .komodo_database_username)
+          .unwrap_or(config.database.username),
+        password: maybe_read_item_from_file(env.komodo_database_password_file,env
+          .komodo_database_password)
+          .unwrap_or(config.database.password),
+        app_name: env
+          .komodo_database_app_name
+          .unwrap_or(config.database.app_name),
+        db_name: env
+          .komodo_database_db_name
+          .unwrap_or(config.database.db_name),
+      },
+      oidc_enabled: env.komodo_oidc_enabled.unwrap_or(config.oidc_enabled),
+      oidc_provider: env.komodo_oidc_provider.unwrap_or(config.oidc_provider),
+      oidc_redirect_host: env.komodo_oidc_redirect_host.unwrap_or(config.oidc_redirect_host),
+      oidc_client_id: maybe_read_item_from_file(env.komodo_oidc_client_id_file,env
+        .komodo_oidc_client_id)
+        .unwrap_or(config.oidc_client_id),
+      oidc_client_secret: maybe_read_item_from_file(env.komodo_oidc_client_secret_file,env
+        .komodo_oidc_client_secret)
+        .unwrap_or(config.oidc_client_secret),
+      oidc_use_full_email: env.komodo_oidc_use_full_email
+        .unwrap_or(config.oidc_use_full_email),
+      oidc_additional_audiences: maybe_read_list_from_file(env.komodo_oidc_additional_audiences_file,env
+        .komodo_oidc_additional_audiences)
+        .unwrap_or(config.oidc_additional_audiences),
+      google_oauth: OauthCredentials {
+        enabled: env
+          .komodo_google_oauth_enabled
+          .unwrap_or(config.google_oauth.enabled),
+        id: maybe_read_item_from_file(env.komodo_google_oauth_id_file,env
+          .komodo_google_oauth_id)
+          .unwrap_or(config.google_oauth.id),
+        secret: maybe_read_item_from_file(env.komodo_google_oauth_secret_file,env
+          .komodo_google_oauth_secret)
+          .unwrap_or(config.google_oauth.secret),
+      },
+      github_oauth: OauthCredentials {
+        enabled: env
+          .komodo_github_oauth_enabled
+          .unwrap_or(config.github_oauth.enabled),
+        id: maybe_read_item_from_file(env.komodo_github_oauth_id_file,env
+          .komodo_github_oauth_id)
+          .unwrap_or(config.github_oauth.id),
+        secret: maybe_read_item_from_file(env.komodo_github_oauth_secret_file,env
+          .komodo_github_oauth_secret)
+          .unwrap_or(config.github_oauth.secret),
+      },
+      aws: AwsCredentials {
+        access_key_id: maybe_read_item_from_file(env.komodo_aws_access_key_id_file, env
+          .komodo_aws_access_key_id)
+          .unwrap_or(config.aws.access_key_id),
+        secret_access_key: maybe_read_item_from_file(env.komodo_aws_secret_access_key_file, env
+          .komodo_aws_secret_access_key)
+          .unwrap_or(config.aws.secret_access_key),
+      },
+      hetzner: HetznerCredentials {
+        token: maybe_read_item_from_file(env.komodo_hetzner_token_file, env
+          .komodo_hetzner_token)
+          .unwrap_or(config.hetzner.token),
+      },
+      github_webhook_app: GithubWebhookAppConfig {
+        app_id: maybe_read_item_from_file(env.komodo_github_webhook_app_app_id_file, env
+          .komodo_github_webhook_app_app_id)
+          .unwrap_or(config.github_webhook_app.app_id),
+        pk_path: env
+          .komodo_github_webhook_app_pk_path
+          .unwrap_or(config.github_webhook_app.pk_path),
+        installations,
+      },
+
+      // Non secrets
       title: env.komodo_title.unwrap_or(config.title),
       host: env.komodo_host.unwrap_or(config.host),
       port: env.komodo_port.unwrap_or(config.port),
-      passkey: env.komodo_passkey.unwrap_or(config.passkey),
-      ensure_server: env.komodo_ensure_server.unwrap_or(config.ensure_server),
-      jwt_secret: env.komodo_jwt_secret.unwrap_or(config.jwt_secret),
+      first_server: env.komodo_first_server.unwrap_or(config.first_server),
+      frontend_path: env.komodo_frontend_path.unwrap_or(config.frontend_path),
       jwt_ttl: env
         .komodo_jwt_ttl
         .unwrap_or(config.jwt_ttl),
+      sync_directory: env
+        .komodo_sync_directory
+        .unwrap_or(config.sync_directory),
       repo_directory: env
         .komodo_repo_directory
-        .map(|dir|
-          dir.parse()
-            .context("failed to parse env komodo_REPO_DIRECTORY as valid path").unwrap())
         .unwrap_or(config.repo_directory),
-      stack_poll_interval: env
-        .komodo_stack_poll_interval
-        .unwrap_or(config.stack_poll_interval),
-      sync_poll_interval: env
-        .komodo_sync_poll_interval
-        .unwrap_or(config.sync_poll_interval),
-      build_poll_interval: env
-        .komodo_build_poll_interval
-        .unwrap_or(config.build_poll_interval),
-      repo_poll_interval: env
-        .komodo_repo_poll_interval
-        .unwrap_or(config.repo_poll_interval),
+      action_directory: env
+        .komodo_action_directory
+        .unwrap_or(config.action_directory),
+      resource_poll_interval: env
+        .komodo_resource_poll_interval
+        .unwrap_or(config.resource_poll_interval),
       monitoring_interval: env
         .komodo_monitoring_interval
         .unwrap_or(config.monitoring_interval),
@@ -109,81 +165,25 @@ pub fn core_config() -> &'static CoreConfig {
       keep_alerts_for_days: env
         .komodo_keep_alerts_for_days
         .unwrap_or(config.keep_alerts_for_days),
-      webhook_secret: env
-        .komodo_webhook_secret
-        .unwrap_or(config.webhook_secret),
       webhook_base_url: env
         .komodo_webhook_base_url
-        .or(config.webhook_base_url),
+        .unwrap_or(config.webhook_base_url),
       transparent_mode: env
         .komodo_transparent_mode
         .unwrap_or(config.transparent_mode),
       ui_write_disabled: env
         .komodo_ui_write_disabled
         .unwrap_or(config.ui_write_disabled),
+      disable_confirm_dialog: env.komodo_disable_confirm_dialog
+        .unwrap_or(config.disable_confirm_dialog),
       enable_new_users: env.komodo_enable_new_users
         .unwrap_or(config.enable_new_users),
-      local_auth: env.komodo_local_auth.unwrap_or(config.local_auth),
-      google_oauth: OauthCredentials {
-        enabled: env
-          .komodo_google_oauth_enabled
-          .unwrap_or(config.google_oauth.enabled),
-        id: env
-          .komodo_google_oauth_id
-          .unwrap_or(config.google_oauth.id),
-        secret: env
-          .komodo_google_oauth_secret
-          .unwrap_or(config.google_oauth.secret),
-      },
-      github_oauth: OauthCredentials {
-        enabled: env
-          .komodo_github_oauth_enabled
-          .unwrap_or(config.github_oauth.enabled),
-        id: env
-          .komodo_github_oauth_id
-          .unwrap_or(config.github_oauth.id),
-        secret: env
-          .komodo_github_oauth_secret
-          .unwrap_or(config.github_oauth.secret),
-      },
-      github_webhook_app: GithubWebhookAppConfig {
-        app_id: env
-          .komodo_github_webhook_app_app_id
-          .unwrap_or(config.github_webhook_app.app_id),
-        pk_path: env
-          .komodo_github_webhook_app_pk_path
-          .unwrap_or(config.github_webhook_app.pk_path),
-        installations,
-      },
-      aws: AwsCredentials {
-        access_key_id: env
-          .komodo_aws_access_key_id
-          .unwrap_or(config.aws.access_key_id),
-        secret_access_key: env
-          .komodo_aws_secret_access_key
-          .unwrap_or(config.aws.secret_access_key),
-      },
-      hetzner: HetznerCredentials {
-        token: env
-          .komodo_hetzner_token
-          .unwrap_or(config.hetzner.token),
-      },
-      mongo: MongoConfig {
-        uri: env.komodo_mongo_uri.or(config.mongo.uri),
-        address: env.komodo_mongo_address.or(config.mongo.address),
-        username: env
-          .komodo_mongo_username
-          .or(config.mongo.username),
-        password: env
-          .komodo_mongo_password
-          .or(config.mongo.password),
-        app_name: env
-          .komodo_mongo_app_name
-          .unwrap_or(config.mongo.app_name),
-        db_name: env
-          .komodo_mongo_db_name
-          .unwrap_or(config.mongo.db_name),
-      },
+      disable_user_registration: env.komodo_disable_user_registration
+        .unwrap_or(config.disable_user_registration),
+      disable_non_admin_create: env.komodo_disable_non_admin_create
+        .unwrap_or(config.disable_non_admin_create),
+      local_auth: env.komodo_local_auth
+        .unwrap_or(config.local_auth),
       logging: LogConfig {
         level: env
           .komodo_logging_level
@@ -193,17 +193,19 @@ pub fn core_config() -> &'static CoreConfig {
           .unwrap_or(config.logging.stdio),
         otlp_endpoint: env
           .komodo_logging_otlp_endpoint
-          .or(config.logging.otlp_endpoint),
+          .unwrap_or(config.logging.otlp_endpoint),
         opentelemetry_service_name: env
           .komodo_logging_opentelemetry_service_name
           .unwrap_or(config.logging.opentelemetry_service_name),
       },
+      ssl_enabled: env.komodo_ssl_enabled.unwrap_or(config.ssl_enabled),
+      ssl_key_file: env.komodo_ssl_key_file.unwrap_or(config.ssl_key_file),
+      ssl_cert_file: env.komodo_ssl_cert_file.unwrap_or(config.ssl_cert_file),
 
       // These can't be overridden on env
       secrets: config.secrets,
       git_providers: config.git_providers,
       docker_registries: config.docker_registries,
-      aws_ecr_registries: config.aws_ecr_registries,
     }
   })
 }

bin/core/src/db.rs

@@ -1,11 +1,11 @@
-use mongo_indexed::{create_index, create_unique_index};
 use komodo_client::entities::{
+  action::Action,
   alert::Alert,
   alerter::Alerter,
   api_key::ApiKey,
   build::Build,
   builder::Builder,
-  config::core::MongoConfig,
+  config::core::DatabaseConfig,
   deployment::Deployment,
   permission::Permission,
   procedure::Procedure,
@@ -22,11 +22,13 @@ use komodo_client::entities::{
   user_group::UserGroup,
   variable::Variable,
 };
+use mongo_indexed::{create_index, create_unique_index};
 use mungos::{
   init::MongoBuilder,
   mongodb::{Collection, Database},
 };
 
+#[derive(Debug)]
 pub struct DbClient {
   pub users: Collection<User>,
   pub user_groups: Collection<UserGroup>,
@@ -46,6 +48,7 @@ pub struct DbClient {
   pub builders: Collection<Builder>,
   pub repos: Collection<Repo>,
   pub procedures: Collection<Procedure>,
+  pub actions: Collection<Action>,
   pub alerters: Collection<Alerter>,
   pub server_templates: Collection<ServerTemplate>,
   pub resource_syncs: Collection<ResourceSync>,
@@ -56,28 +59,33 @@ pub struct DbClient {
 
 impl DbClient {
   pub async fn new(
-    MongoConfig {
+    DatabaseConfig {
       uri,
       address,
       username,
       password,
       app_name,
       db_name,
-    }: &MongoConfig,
+    }: &DatabaseConfig,
   ) -> anyhow::Result<DbClient> {
     let mut client = MongoBuilder::default().app_name(app_name);
 
-    match (uri, address, username, password) {
-      (Some(uri), _, _, _) => {
+    match (
+      !uri.is_empty(),
+      !address.is_empty(),
+      !username.is_empty(),
+      !password.is_empty(),
+    ) {
+      (true, _, _, _) => {
         client = client.uri(uri);
       }
-      (_, Some(address), Some(username), Some(password)) => {
+      (_, true, true, true) => {
         client = client
           .address(address)
           .username(username)
           .password(password);
       }
-      (_, Some(address), _, _) => {
+      (_, true, _, _) => {
         client = client.address(address);
       }
       _ => {
@@ -109,6 +117,7 @@ impl DbClient {
       repos: resource_collection(&db, "Repo").await?,
       alerters: resource_collection(&db, "Alerter").await?,
       procedures: resource_collection(&db, "Procedure").await?,
+      actions: resource_collection(&db, "Action").await?,
       server_templates: resource_collection(&db, "ServerTemplate")
         .await?,
       resource_syncs: resource_collection(&db, "ResourceSync")

bin/core/src/helpers/action_state.rs

@@ -4,7 +4,8 @@ use anyhow::anyhow;
 use komodo_client::{
   busy::Busy,
   entities::{
-    build::BuildActionState, deployment::DeploymentActionState,
+    action::ActionActionState, build::BuildActionState,
+    deployment::DeploymentActionState,
     procedure::ProcedureActionState, repo::RepoActionState,
     server::ServerActionState, stack::StackActionState,
     sync::ResourceSyncActionState,
@@ -22,6 +23,7 @@ pub struct ActionStates {
   pub repo: Cache<String, Arc<ActionState<RepoActionState>>>,
   pub procedure:
     Cache<String, Arc<ActionState<ProcedureActionState>>>,
+  pub action: Cache<String, Arc<ActionState<ActionActionState>>>,
   pub resource_sync:
     Cache<String, Arc<ActionState<ResourceSyncActionState>>>,
   pub stack: Cache<String, Arc<ActionState<StackActionState>>>,

bin/core/src/helpers/build.rs

@@ -1,49 +0,0 @@
-use async_timing_util::{wait_until_timelength, Timelength};
-use komodo_client::{
-  api::write::RefreshBuildCache, entities::user::build_user,
-};
-use mungos::find::find_collect;
-use resolver_api::Resolve;
-
-use crate::{
-  config::core_config,
-  state::{db_client, State},
-};
-
-pub fn spawn_build_refresh_loop() {
-  let interval: Timelength = core_config()
-    .build_poll_interval
-    .try_into()
-    .expect("Invalid build poll interval");
-  tokio::spawn(async move {
-    refresh_builds().await;
-    loop {
-      wait_until_timelength(interval, 2000).await;
-      refresh_builds().await;
-    }
-  });
-}
-
-async fn refresh_builds() {
-  let Ok(builds) =
-    find_collect(&db_client().await.builds, None, None)
-      .await
-      .inspect_err(|e| {
-        warn!("failed to get builds from db in refresh task | {e:#}")
-      })
-  else {
-    return;
-  };
-  for build in builds {
-    State
-      .resolve(
-        RefreshBuildCache { build: build.id },
-        build_user().clone(),
-      )
-      .await
-      .inspect_err(|e| {
-        warn!("failed to refresh build cache in refresh task | build: {} | {e:#}", build.name)
-      })
-      .ok();
-  }
-}

bin/core/src/helpers/builder.rs

@@ -31,7 +31,7 @@ use crate::{
 use super::periphery_client;
 
 const BUILDER_POLL_RATE_SECS: u64 = 2;
-const BUILDER_POLL_MAX_TRIES: usize = 30;
+const BUILDER_POLL_MAX_TRIES: usize = 60;
 
 #[instrument(skip_all, fields(builder_id = builder.id, update_id = update.id))]
 pub async fn get_builder_periphery(
@@ -42,9 +42,35 @@ pub async fn get_builder_periphery(
   update: &mut Update,
 ) -> anyhow::Result<(PeripheryClient, BuildCleanupData)> {
   match builder.config {
+    BuilderConfig::Url(config) => {
+      if config.address.is_empty() {
+        return Err(anyhow!(
+          "Builder has not yet configured an address"
+        ));
+      }
+      let periphery = PeripheryClient::new(
+        config.address,
+        if config.passkey.is_empty() {
+          core_config().passkey.clone()
+        } else {
+          config.passkey
+        },
+        Duration::from_secs(3),
+      );
+      periphery
+        .health_check()
+        .await
+        .context("Url Builder failed health check")?;
+      Ok((
+        periphery,
+        BuildCleanupData::Server {
+          repo_name: resource_name,
+        },
+      ))
+    }
     BuilderConfig::Server(config) => {
       if config.server_id.is_empty() {
-        return Err(anyhow!("builder has not configured a server"));
+        return Err(anyhow!("Builder has not configured a server"));
       }
       let server = resource::get::<Server>(&config.server_id).await?;
       let periphery = periphery_client(&server)?;
@@ -93,9 +119,11 @@ async fn get_aws_builder(
 
   update_update(update.clone()).await?;
 
-  let periphery_address = format!("http://{ip}:{}", config.port);
+  let protocol = if config.use_https { "https" } else { "http" };
+  let periphery_address =
+    format!("{protocol}://{ip}:{}", config.port);
   let periphery =
-    PeripheryClient::new(&periphery_address, &core_config().passkey);
+    PeripheryClient::new(&periphery_address, &core_config().passkey, Duration::from_secs(3));
 
   let start_connect_ts = komodo_timestamp();
   let mut res = Ok(GetVersionResponse {
@@ -191,6 +219,7 @@ pub fn start_aws_builder_log(
     assign_public_ip,
     security_group_ids,
     use_public_ip,
+    use_https,
     ..
   } = config;
 
@@ -206,6 +235,7 @@ pub fn start_aws_builder_log(
     format!("{}: {readable_sec_group_ids}", muted("security groups")),
     format!("{}: {assign_public_ip}", muted("assign public ip")),
     format!("{}: {use_public_ip}", muted("use public ip")),
+    format!("{}: {use_https}", muted("use https")),
   ]
   .join("\n")
 }

bin/core/src/helpers/interpolate.rs

@@ -1,60 +1,10 @@
 use std::collections::HashSet;
 
 use anyhow::Context;
-use komodo_client::entities::{
-  update::Update, EnvironmentVar, SystemCommand,
-};
+use komodo_client::entities::{update::Update, SystemCommand};
 
 use super::query::VariablesAndSecrets;
 
-pub fn interpolate_variables_secrets_into_environment(
-  VariablesAndSecrets { variables, secrets }: &VariablesAndSecrets,
-  environment: &mut Vec<EnvironmentVar>,
-  global_replacers: &mut HashSet<(String, String)>,
-  secret_replacers: &mut HashSet<(String, String)>,
-) -> anyhow::Result<()> {
-  for env in environment {
-    if env.value.is_empty() {
-      continue;
-    }
-
-    // first pass - global variables
-    let (res, more_replacers) = svi::interpolate_variables(
-      &env.value,
-      variables,
-      svi::Interpolator::DoubleBrackets,
-      false,
-    )
-    .with_context(|| {
-      format!(
-        "failed to interpolate global variables into env var '{}'",
-        env.variable
-      )
-    })?;
-    global_replacers.extend(more_replacers);
-
-    // second pass - core secrets
-    let (res, more_replacers) = svi::interpolate_variables(
-      &res,
-      secrets,
-      svi::Interpolator::DoubleBrackets,
-      false,
-    )
-    .with_context(|| {
-      format!(
-        "failed to interpolate core secrets into env var '{}'",
-        env.variable
-      )
-    })?;
-    secret_replacers.extend(more_replacers);
-
-    // set env value with the result
-    env.value = res;
-  }
-
-  Ok(())
-}
-
 pub fn interpolate_variables_secrets_into_extra_args(
   VariablesAndSecrets { variables, secrets }: &VariablesAndSecrets,
   extra_args: &mut Vec<String>,
@@ -101,28 +51,24 @@ pub fn interpolate_variables_secrets_into_extra_args(
   Ok(())
 }
 
-pub fn interpolate_variables_secrets_into_container_command(
+pub fn interpolate_variables_secrets_into_string(
   VariablesAndSecrets { variables, secrets }: &VariablesAndSecrets,
-  command: &mut String,
+  target: &mut String,
   global_replacers: &mut HashSet<(String, String)>,
   secret_replacers: &mut HashSet<(String, String)>,
 ) -> anyhow::Result<()> {
-  if command.is_empty() {
+  if target.is_empty() {
     return Ok(());
   }
 
   // first pass - global variables
   let (res, more_replacers) = svi::interpolate_variables(
-    command,
+    target,
     variables,
     svi::Interpolator::DoubleBrackets,
     false,
   )
-  .with_context(|| {
-    format!(
-      "failed to interpolate global variables into command '{command}'",
-    )
-  })?;
+  .context("Failed to interpolate core variables")?;
   global_replacers.extend(more_replacers);
 
   // second pass - core secrets
@@ -132,15 +78,11 @@ pub fn interpolate_variables_secrets_into_container_command(
     svi::Interpolator::DoubleBrackets,
     false,
   )
-  .with_context(|| {
-    format!(
-      "failed to interpolate core secrets into command '{command}'",
-    )
-  })?;
+  .context("Failed to interpolate core secrets")?;
   secret_replacers.extend(more_replacers);
 
   // set command with the result
-  *command = res;
+  *target = res;
 
   Ok(())
 }

bin/core/src/helpers/mod.rs

@@ -2,10 +2,10 @@ use std::{str::FromStr, time::Duration};
 
 use anyhow::{anyhow, Context};
 use futures::future::join_all;
-use mongo_indexed::Document;
 use komodo_client::{
-  api::write::CreateServer,
+  api::write::{CreateBuilder, CreateServer},
   entities::{
+    builder::{PartialBuilderConfig, PartialServerBuilderConfig},
     komodo_timestamp,
     permission::{Permission, PermissionLevel, UserTarget},
     server::{PartialServerConfig, Server},
@@ -15,6 +15,7 @@ use komodo_client::{
     ResourceTarget,
   },
 };
+use mongo_indexed::Document;
 use mungos::{
   find::find_collect,
   mongodb::bson::{doc, oid::ObjectId, to_document, Bson},
@@ -30,8 +31,6 @@ use crate::{
 };
 
 pub mod action_state;
-pub mod alert;
-pub mod build;
 pub mod builder;
 pub mod cache;
 pub mod channel;
@@ -39,9 +38,6 @@ pub mod interpolate;
 pub mod procedure;
 pub mod prune;
 pub mod query;
-pub mod repo;
-pub mod stack;
-pub mod sync;
 pub mod update;
 
 // pub mod resource;
@@ -58,10 +54,6 @@ pub fn empty_or_only_spaces(word: &str) -> bool {
   true
 }
 
-pub fn random_duration(min_ms: u64, max_ms: u64) -> Duration {
-  Duration::from_millis(thread_rng().gen_range(min_ms..max_ms))
-}
-
 pub fn random_string(length: usize) -> String {
   thread_rng()
     .sample_iter(&Alphanumeric)
@@ -70,6 +62,15 @@ pub fn random_string(length: usize) -> String {
     .collect()
 }
 
+const BCRYPT_COST: u32 = 10;
+pub fn hash_password<P>(password: P) -> anyhow::Result<String>
+where
+  P: AsRef<[u8]>,
+{
+  bcrypt::hash(password, BCRYPT_COST)
+    .context("failed to hash password")
+}
+
 /// First checks db for token, then checks core config.
 /// Only errors if db call errors.
 /// Returns (token, use_https)
@@ -79,7 +80,6 @@ pub async fn git_token(
   mut on_https_found: impl FnMut(bool),
 ) -> anyhow::Result<Option<String>> {
   let db_provider = db_client()
-    .await
     .git_accounts
     .find_one(doc! { "domain": provider_domain, "username": account_username })
     .await
@@ -111,7 +111,6 @@ pub async fn registry_token(
   account_username: &str,
 ) -> anyhow::Result<Option<String>> {
   let provider = db_client()
-    .await
     .registry_accounts
     .find_one(doc! { "domain": provider_domain, "username": account_username })
     .await
@@ -134,34 +133,6 @@ pub async fn registry_token(
   )
 }
 
-#[instrument]
-pub async fn remove_from_recently_viewed<T>(resource: T)
-where
-  T: Into<ResourceTarget> + std::fmt::Debug,
-{
-  let resource: ResourceTarget = resource.into();
-  let (ty, id) = resource.extract_variant_id();
-  if let Err(e) = db_client()
-    .await
-    .users
-    .update_many(
-      doc! {},
-      doc! {
-        "$pull": {
-          "recently_viewed": {
-            "type": ty.to_string(),
-            "id": id,
-          }
-        }
-      },
-    )
-    .await
-    .context("failed to remove resource from users recently viewed")
-  {
-    warn!("{e:#}");
-  }
-}
-
 //
 
 pub fn periphery_client(
@@ -174,6 +145,7 @@ pub fn periphery_client(
   let client = PeripheryClient::new(
     &server.config.address,
     &core_config().passkey,
+    Duration::from_secs(server.config.timeout_seconds as u64),
   );
 
   Ok(client)
@@ -193,7 +165,6 @@ pub async fn create_permission<T>(
   }
   let target: ResourceTarget = target.into();
   if let Err(e) = db_client()
-    .await
     .permissions
     .insert_one(Permission {
       id: Default::default(),
@@ -243,7 +214,6 @@ async fn startup_in_progress_update_cleanup() {
   // This static log won't fail to serialize, unwrap ok.
   let log = to_document(&log).unwrap();
   if let Err(e) = db_client()
-    .await
     .updates
     .update_many(
       doc! { "status": "InProgress" },
@@ -265,7 +235,7 @@ async fn startup_in_progress_update_cleanup() {
 
 /// Run on startup, ensure open alerts pointing to invalid resources are closed.
 async fn startup_open_alert_cleanup() {
-  let db = db_client().await;
+  let db = db_client();
   let Ok(alerts) =
     find_collect(&db.alerts, doc! { "resolved": false }, None)
       .await
@@ -317,39 +287,64 @@ async fn startup_open_alert_cleanup() {
   }
 }
 
-/// Ensures a default server exists with the defined address
-pub async fn ensure_server() {
-  let ensure_server = &core_config().ensure_server;
-  if ensure_server.is_empty() {
+/// Ensures a default server / builder exists with the defined address
+pub async fn ensure_first_server_and_builder() {
+  let first_server = &core_config().first_server;
+  if first_server.is_empty() {
     return;
   }
-  let db = db_client().await;
+  let db = db_client();
   let Ok(server) = db
     .servers
-    .find_one(doc! { "config.address": ensure_server })
+    .find_one(Document::new())
     .await
-    .inspect_err(|e| error!("Failed to initialize 'ensure_server'. Failed to query db. {e:?}"))
+    .inspect_err(|e| error!("Failed to initialize 'first_server'. Failed to query db. {e:?}"))
   else {
     return;
   };
-  if server.is_some() {
-    return;
-  }
-
+  let server = if let Some(server) = server {
+    server
+  } else {
+    match State
+      .resolve(
+        CreateServer {
+          name: format!("server-{}", random_string(5)),
+          config: PartialServerConfig {
+            address: Some(first_server.to_string()),
+            enabled: Some(true),
+            ..Default::default()
+          },
+        },
+        system_user().to_owned(),
+      )
+      .await
+    {
+      Ok(server) => server,
+      Err(e) => {
+        error!("Failed to initialize 'first_server'. Failed to CreateServer. {e:?}");
+        return;
+      }
+    }
+  };
+  let Ok(None) = db.builders
+    .find_one(Document::new()).await
+    .inspect_err(|e| error!("Failed to initialize 'first_builder'. Failed to query db. {e:?}")) else {
+      return;
+    };
   if let Err(e) = State
     .resolve(
-      CreateServer {
-        name: format!("server-{}", random_string(5)),
-        config: PartialServerConfig {
-          address: Some(ensure_server.to_string()),
-          enabled: Some(true),
-          ..Default::default()
-        },
+      CreateBuilder {
+        name: String::from("local"),
+        config: PartialBuilderConfig::Server(
+          PartialServerBuilderConfig {
+            server_id: Some(server.id),
+          },
+        ),
       },
       system_user().to_owned(),
     )
     .await
   {
-    error!("Failed to initialize 'ensure_server'. Failed to CreateServer. {e:?}");
+    error!("Failed to initialize 'first_builder'. Failed to CreateBuilder. {e:?}");
   }
 }

bin/core/src/helpers/procedure.rs

@@ -4,9 +4,14 @@ use anyhow::{anyhow, Context};
 use formatting::{bold, colored, format_serror, muted, Color};
 use futures::future::join_all;
 use komodo_client::{
-  api::execute::Execution,
+  api::execute::*,
   entities::{
+    action::Action,
+    build::Build,
+    deployment::Deployment,
     procedure::Procedure,
+    repo::Repo,
+    stack::Stack,
     update::{Log, Update},
     user::procedure_user,
   },
@@ -17,6 +22,7 @@ use tokio::sync::Mutex;
 
 use crate::{
   api::execute::ExecuteRequest,
+  resource::{list_full_for_user_using_pattern, KomodoResource},
   state::{db_client, State},
 };
 
@@ -34,7 +40,7 @@ pub async fn execute_procedure(
     add_line_to_update(
       update,
       &format!(
-        "{}: executing stage: '{}'",
+        "{}: Executing stage: '{}'",
         muted("INFO"),
         bold(&stage.name)
       ),
@@ -55,7 +61,7 @@ pub async fn execute_procedure(
     .await
     .with_context(|| {
       format!(
-        "failed stage '{}' execution after {:?}",
+        "Failed stage '{}' execution after {:?}",
         bold(&stage.name),
         timer.elapsed(),
       )
@@ -65,7 +71,7 @@ pub async fn execute_procedure(
       &format!(
         "{}: {} stage '{}' execution in {:?}",
         muted("INFO"),
-        colored("finished", Color::Green),
+        colored("Finished", Color::Green),
         bold(&stage.name),
         timer.elapsed()
       ),
@@ -76,22 +82,106 @@ pub async fn execute_procedure(
   Ok(())
 }
 
+#[allow(dependency_on_unit_never_type_fallback)]
 #[instrument(skip(update))]
 async fn execute_stage(
-  executions: Vec<Execution>,
+  _executions: Vec<Execution>,
   parent_id: &str,
   parent_name: &str,
   update: &Mutex<Update>,
 ) -> anyhow::Result<()> {
+  let mut executions = Vec::with_capacity(_executions.capacity());
+  for execution in _executions {
+    match execution {
+      Execution::BatchRunAction(exec) => {
+        extend_batch_exection::<BatchRunAction>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchRunProcedure(exec) => {
+        extend_batch_exection::<BatchRunProcedure>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchRunBuild(exec) => {
+        extend_batch_exection::<BatchRunBuild>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchCloneRepo(exec) => {
+        extend_batch_exection::<BatchCloneRepo>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchPullRepo(exec) => {
+        extend_batch_exection::<BatchPullRepo>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchBuildRepo(exec) => {
+        extend_batch_exection::<BatchBuildRepo>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchDeploy(exec) => {
+        extend_batch_exection::<BatchDeploy>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchDestroyDeployment(exec) => {
+        extend_batch_exection::<BatchDestroyDeployment>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchDeployStack(exec) => {
+        extend_batch_exection::<BatchDeployStack>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchDeployStackIfChanged(exec) => {
+        extend_batch_exection::<BatchDeployStackIfChanged>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchDestroyStack(exec) => {
+        extend_batch_exection::<BatchDestroyStack>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      execution => executions.push(execution),
+    }
+  }
   let futures = executions.into_iter().map(|execution| async move {
     let now = Instant::now();
     add_line_to_update(
       update,
-      &format!("{}: executing: {execution:?}", muted("INFO")),
+      &format!("{}: Executing: {execution:?}", muted("INFO")),
     )
     .await;
     let fail_log = format!(
-      "{}: failed on {execution:?}",
+      "{}: Failed on {execution:?}",
       colored("ERROR", Color::Red)
     );
     let res =
@@ -103,7 +193,7 @@ async fn execute_stage(
       &format!(
         "{}: {} execution in {:?}: {execution:?}",
         muted("INFO"),
-        colored("finished", Color::Green),
+        colored("Finished", Color::Green),
         now.elapsed()
       ),
     )
@@ -140,11 +230,39 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at RunProcedure"),
+          .context("Failed at RunProcedure"),
         &update_id,
       )
       .await?
     }
+    Execution::BatchRunProcedure(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchRunProcedure not implemented correctly"
+      ));
+    }
+    Execution::RunAction(req) => {
+      let req = ExecuteRequest::RunAction(req);
+      let update = init_execution_update(&req, &user).await?;
+      let ExecuteRequest::RunAction(req) = req else {
+        unreachable!()
+      };
+      let update_id = update.id.clone();
+      handle_resolve_result(
+        State
+          .resolve(req, (user, update))
+          .await
+          .context("Failed at RunAction"),
+        &update_id,
+      )
+      .await?
+    }
+    Execution::BatchRunAction(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchRunAction not implemented correctly"
+      ));
+    }
     Execution::RunBuild(req) => {
       let req = ExecuteRequest::RunBuild(req);
       let update = init_execution_update(&req, &user).await?;
@@ -156,11 +274,17 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at RunBuild"),
+          .context("Failed at RunBuild"),
         &update_id,
       )
       .await?
     }
+    Execution::BatchRunBuild(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchRunBuild not implemented correctly"
+      ));
+    }
     Execution::CancelBuild(req) => {
       let req = ExecuteRequest::CancelBuild(req);
       let update = init_execution_update(&req, &user).await?;
@@ -172,7 +296,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at CancelBuild"),
+          .context("Failed at CancelBuild"),
         &update_id,
       )
       .await?
@@ -188,7 +312,29 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at Deploy"),
+          .context("Failed at Deploy"),
+        &update_id,
+      )
+      .await?
+    }
+    Execution::BatchDeploy(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchDeploy not implemented correctly"
+      ));
+    }
+    Execution::PullDeployment(req) => {
+      let req = ExecuteRequest::PullDeployment(req);
+      let update = init_execution_update(&req, &user).await?;
+      let ExecuteRequest::PullDeployment(req) = req else {
+        unreachable!()
+      };
+      let update_id = update.id.clone();
+      handle_resolve_result(
+        State
+          .resolve(req, (user, update))
+          .await
+          .context("Failed at PullDeployment"),
         &update_id,
       )
       .await?
@@ -204,7 +350,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at StartDeployment"),
+          .context("Failed at StartDeployment"),
         &update_id,
       )
       .await?
@@ -220,7 +366,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at RestartDeployment"),
+          .context("Failed at RestartDeployment"),
         &update_id,
       )
       .await?
@@ -236,7 +382,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at PauseDeployment"),
+          .context("Failed at PauseDeployment"),
         &update_id,
       )
       .await?
@@ -252,7 +398,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at UnpauseDeployment"),
+          .context("Failed at UnpauseDeployment"),
         &update_id,
       )
       .await?
@@ -268,7 +414,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at StopDeployment"),
+          .context("Failed at StopDeployment"),
         &update_id,
       )
       .await?
@@ -284,11 +430,17 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at RemoveDeployment"),
+          .context("Failed at RemoveDeployment"),
         &update_id,
       )
       .await?
     }
+    Execution::BatchDestroyDeployment(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchDestroyDeployment not implemented correctly"
+      ));
+    }
     Execution::CloneRepo(req) => {
       let req = ExecuteRequest::CloneRepo(req);
       let update = init_execution_update(&req, &user).await?;
@@ -300,11 +452,17 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at CloneRepo"),
+          .context("Failed at CloneRepo"),
         &update_id,
       )
       .await?
     }
+    Execution::BatchCloneRepo(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchCloneRepo not implemented correctly"
+      ));
+    }
     Execution::PullRepo(req) => {
       let req = ExecuteRequest::PullRepo(req);
       let update = init_execution_update(&req, &user).await?;
@@ -316,11 +474,17 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at PullRepo"),
+          .context("Failed at PullRepo"),
         &update_id,
       )
       .await?
     }
+    Execution::BatchPullRepo(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchPullRepo not implemented correctly"
+      ));
+    }
     Execution::BuildRepo(req) => {
       let req = ExecuteRequest::BuildRepo(req);
       let update = init_execution_update(&req, &user).await?;
@@ -332,11 +496,17 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at BuildRepo"),
+          .context("Failed at BuildRepo"),
         &update_id,
       )
       .await?
     }
+    Execution::BatchBuildRepo(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchBuildRepo not implemented correctly"
+      ));
+    }
     Execution::CancelRepoBuild(req) => {
       let req = ExecuteRequest::CancelRepoBuild(req);
       let update = init_execution_update(&req, &user).await?;
@@ -348,7 +518,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at CancelRepoBuild"),
+          .context("Failed at CancelRepoBuild"),
         &update_id,
       )
       .await?
@@ -364,7 +534,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at StartContainer"),
+          .context("Failed at StartContainer"),
         &update_id,
       )
       .await?
@@ -380,7 +550,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at RestartContainer"),
+          .context("Failed at RestartContainer"),
         &update_id,
       )
       .await?
@@ -396,7 +566,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at PauseContainer"),
+          .context("Failed at PauseContainer"),
         &update_id,
       )
       .await?
@@ -412,7 +582,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at UnpauseContainer"),
+          .context("Failed at UnpauseContainer"),
         &update_id,
       )
       .await?
@@ -428,7 +598,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at StopContainer"),
+          .context("Failed at StopContainer"),
         &update_id,
       )
       .await?
@@ -444,7 +614,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at RemoveContainer"),
+          .context("Failed at RemoveContainer"),
         &update_id,
       )
       .await?
@@ -460,7 +630,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at StartAllContainers"),
+          .context("Failed at StartAllContainers"),
         &update_id,
       )
       .await?
@@ -476,7 +646,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at RestartAllContainers"),
+          .context("Failed at RestartAllContainers"),
         &update_id,
       )
       .await?
@@ -492,7 +662,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at PauseAllContainers"),
+          .context("Failed at PauseAllContainers"),
         &update_id,
       )
       .await?
@@ -508,7 +678,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at UnpauseAllContainers"),
+          .context("Failed at UnpauseAllContainers"),
         &update_id,
       )
       .await?
@@ -524,7 +694,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at StopAllContainers"),
+          .context("Failed at StopAllContainers"),
         &update_id,
       )
       .await?
@@ -540,7 +710,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at PruneContainers"),
+          .context("Failed at PruneContainers"),
         &update_id,
       )
       .await?
@@ -556,7 +726,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at DeleteNetwork"),
+          .context("Failed at DeleteNetwork"),
         &update_id,
       )
       .await?
@@ -572,7 +742,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at PruneNetworks"),
+          .context("Failed at PruneNetworks"),
         &update_id,
       )
       .await?
@@ -588,7 +758,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at DeleteImage"),
+          .context("Failed at DeleteImage"),
         &update_id,
       )
       .await?
@@ -604,7 +774,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at PruneImages"),
+          .context("Failed at PruneImages"),
         &update_id,
       )
       .await?
@@ -620,7 +790,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at DeleteVolume"),
+          .context("Failed at DeleteVolume"),
         &update_id,
       )
       .await?
@@ -636,7 +806,39 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at PruneVolumes"),
+          .context("Failed at PruneVolumes"),
+        &update_id,
+      )
+      .await?
+    }
+    Execution::PruneDockerBuilders(req) => {
+      let req = ExecuteRequest::PruneDockerBuilders(req);
+      let update = init_execution_update(&req, &user).await?;
+      let ExecuteRequest::PruneDockerBuilders(req) = req else {
+        unreachable!()
+      };
+      let update_id = update.id.clone();
+      handle_resolve_result(
+        State
+          .resolve(req, (user, update))
+          .await
+          .context("Failed at PruneDockerBuilders"),
+        &update_id,
+      )
+      .await?
+    }
+    Execution::PruneBuildx(req) => {
+      let req = ExecuteRequest::PruneBuildx(req);
+      let update = init_execution_update(&req, &user).await?;
+      let ExecuteRequest::PruneBuildx(req) = req else {
+        unreachable!()
+      };
+      let update_id = update.id.clone();
+      handle_resolve_result(
+        State
+          .resolve(req, (user, update))
+          .await
+          .context("Failed at PruneBuildx"),
         &update_id,
       )
       .await?
@@ -652,7 +854,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at PruneSystem"),
+          .context("Failed at PruneSystem"),
         &update_id,
       )
       .await?
@@ -668,11 +870,16 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at RunSync"),
+          .context("Failed at RunSync"),
         &update_id,
       )
       .await?
     }
+    // Exception: This is a write operation.
+    Execution::CommitSync(req) => State
+      .resolve(req, user)
+      .await
+      .context("Failed at CommitSync")?,
     Execution::DeployStack(req) => {
       let req = ExecuteRequest::DeployStack(req);
       let update = init_execution_update(&req, &user).await?;
@@ -684,7 +891,51 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at DeployStack"),
+          .context("Failed at DeployStack"),
+        &update_id,
+      )
+      .await?
+    }
+    Execution::BatchDeployStack(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchDeployStack not implemented correctly"
+      ));
+    }
+    Execution::DeployStackIfChanged(req) => {
+      let req = ExecuteRequest::DeployStackIfChanged(req);
+      let update = init_execution_update(&req, &user).await?;
+      let ExecuteRequest::DeployStackIfChanged(req) = req else {
+        unreachable!()
+      };
+      let update_id = update.id.clone();
+      handle_resolve_result(
+        State
+          .resolve(req, (user, update))
+          .await
+          .context("Failed at DeployStackIfChanged"),
+        &update_id,
+      )
+      .await?
+    }
+    Execution::BatchDeployStackIfChanged(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchDeployStackIfChanged not implemented correctly"
+      ));
+    }
+    Execution::PullStack(req) => {
+      let req = ExecuteRequest::PullStack(req);
+      let update = init_execution_update(&req, &user).await?;
+      let ExecuteRequest::PullStack(req) = req else {
+        unreachable!()
+      };
+      let update_id = update.id.clone();
+      handle_resolve_result(
+        State
+          .resolve(req, (user, update))
+          .await
+          .context("Failed at PullStack"),
         &update_id,
       )
       .await?
@@ -700,7 +951,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at StartStack"),
+          .context("Failed at StartStack"),
         &update_id,
       )
       .await?
@@ -716,7 +967,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at RestartStack"),
+          .context("Failed at RestartStack"),
         &update_id,
       )
       .await?
@@ -732,7 +983,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at PauseStack"),
+          .context("Failed at PauseStack"),
         &update_id,
       )
       .await?
@@ -748,7 +999,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at UnpauseStack"),
+          .context("Failed at UnpauseStack"),
         &update_id,
       )
       .await?
@@ -764,7 +1015,7 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at StopStack"),
+          .context("Failed at StopStack"),
         &update_id,
       )
       .await?
@@ -780,16 +1031,20 @@ async fn execute_execution(
         State
           .resolve(req, (user, update))
           .await
-          .context("failed at DestroyStack"),
+          .context("Failed at DestroyStack"),
         &update_id,
       )
       .await?
     }
+    Execution::BatchDestroyStack(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchDestroyStack not implemented correctly"
+      ));
+    }
     Execution::Sleep(req) => {
-      tokio::time::sleep(Duration::from_millis(
-        req.duration_ms as u64,
-      ))
-      .await;
+      let duration = Duration::from_millis(req.duration_ms as u64);
+      tokio::time::sleep(duration).await;
       Update {
         success: true,
         ..Default::default()
@@ -819,9 +1074,9 @@ async fn handle_resolve_result(
       let log =
         Log::error("execution error", format_serror(&e.into()));
       let mut update =
-        find_one_by_id(&db_client().await.updates, update_id)
+        find_one_by_id(&db_client().updates, update_id)
           .await
-          .context("failed to query to db")?
+          .context("Failed to query to db")?
           .context("no update exists with given id")?;
       update.logs.push(log);
       update.finalize();
@@ -841,6 +1096,125 @@ async fn add_line_to_update(update: &Mutex<Update>, line: &str) {
   let update = lock.clone();
   drop(lock);
   if let Err(e) = update_update(update).await {
-    error!("failed to update an update during procedure | {e:#}");
+    error!("Failed to update an update during procedure | {e:#}");
   };
 }
+
+async fn extend_batch_exection<E: ExtendBatch>(
+  pattern: &str,
+  executions: &mut Vec<Execution>,
+) -> anyhow::Result<()> {
+  let more = list_full_for_user_using_pattern::<E::Resource>(
+    pattern,
+    Default::default(),
+    procedure_user(),
+    &[],
+  )
+  .await?
+  .into_iter()
+  .map(|resource| E::single_execution(resource.name));
+  executions.extend(more);
+  Ok(())
+}
+
+trait ExtendBatch {
+  type Resource: KomodoResource;
+  fn single_execution(name: String) -> Execution;
+}
+
+impl ExtendBatch for BatchRunProcedure {
+  type Resource = Procedure;
+  fn single_execution(procedure: String) -> Execution {
+    Execution::RunProcedure(RunProcedure { procedure })
+  }
+}
+
+impl ExtendBatch for BatchRunAction {
+  type Resource = Action;
+  fn single_execution(action: String) -> Execution {
+    Execution::RunAction(RunAction { action })
+  }
+}
+
+impl ExtendBatch for BatchRunBuild {
+  type Resource = Build;
+  fn single_execution(build: String) -> Execution {
+    Execution::RunBuild(RunBuild { build })
+  }
+}
+
+impl ExtendBatch for BatchCloneRepo {
+  type Resource = Repo;
+  fn single_execution(repo: String) -> Execution {
+    Execution::CloneRepo(CloneRepo { repo })
+  }
+}
+
+impl ExtendBatch for BatchPullRepo {
+  type Resource = Repo;
+  fn single_execution(repo: String) -> Execution {
+    Execution::PullRepo(PullRepo { repo })
+  }
+}
+
+impl ExtendBatch for BatchBuildRepo {
+  type Resource = Repo;
+  fn single_execution(repo: String) -> Execution {
+    Execution::BuildRepo(BuildRepo { repo })
+  }
+}
+
+impl ExtendBatch for BatchDeploy {
+  type Resource = Deployment;
+  fn single_execution(deployment: String) -> Execution {
+    Execution::Deploy(Deploy {
+      deployment,
+      stop_signal: None,
+      stop_time: None,
+    })
+  }
+}
+
+impl ExtendBatch for BatchDestroyDeployment {
+  type Resource = Deployment;
+  fn single_execution(deployment: String) -> Execution {
+    Execution::DestroyDeployment(DestroyDeployment {
+      deployment,
+      signal: None,
+      time: None,
+    })
+  }
+}
+
+impl ExtendBatch for BatchDeployStack {
+  type Resource = Stack;
+  fn single_execution(stack: String) -> Execution {
+    Execution::DeployStack(DeployStack {
+      stack,
+      service: None,
+      stop_time: None,
+    })
+  }
+}
+
+impl ExtendBatch for BatchDeployStackIfChanged {
+  type Resource = Stack;
+  fn single_execution(stack: String) -> Execution {
+    Execution::DeployStackIfChanged(DeployStackIfChanged {
+      stack,
+      stop_time: None,
+    })
+  }
+}
+
+impl ExtendBatch for BatchDestroyStack {
+  type Resource = Stack;
+  fn single_execution(stack: String) -> Execution {
+    Execution::DestroyStack(DestroyStack {
+      stack,
+      service: None,
+      remove_orphans: false,
+      stop_time: None,
+    })
+  }
+}

bin/core/src/helpers/prune.rs

@@ -30,7 +30,7 @@ pub fn spawn_prune_loop() {
 }
 
 async fn prune_images() -> anyhow::Result<()> {
-  let futures = find_collect(&db_client().await.servers, None, None)
+  let futures = find_collect(&db_client().servers, None, None)
     .await
     .context("failed to get servers from db")?
     .into_iter()
@@ -66,13 +66,14 @@ async fn prune_stats() -> anyhow::Result<()> {
     - core_config().keep_stats_for_days as u128 * ONE_DAY_MS)
     as i64;
   let res = db_client()
-    .await
     .stats
     .delete_many(doc! {
       "ts": { "$lt": delete_before_ts }
     })
     .await?;
-  info!("deleted {} stats from db", res.deleted_count);
+  if res.deleted_count > 0 {
+    info!("deleted {} stats from db", res.deleted_count);
+  }
   Ok(())
 }
 
@@ -84,12 +85,13 @@ async fn prune_alerts() -> anyhow::Result<()> {
     - core_config().keep_alerts_for_days as u128 * ONE_DAY_MS)
     as i64;
   let res = db_client()
-    .await
     .alerts
     .delete_many(doc! {
       "ts": { "$lt": delete_before_ts }
     })
     .await?;
-  info!("deleted {} alerts from db", res.deleted_count);
+  if res.deleted_count > 0 {
+    info!("deleted {} alerts from db", res.deleted_count);
+  }
   Ok(())
 }

bin/core/src/helpers/query.rs

@@ -2,6 +2,7 @@ use std::{collections::HashMap, str::FromStr};
 
 use anyhow::{anyhow, Context};
 use komodo_client::entities::{
+  action::Action,
   alerter::Alerter,
   build::Build,
   builder::Builder,
@@ -32,11 +33,10 @@ use mungos::{
 use crate::{
   config::core_config,
   resource::{self, get_user_permission_on_resource},
+  stack::compose_container_match_regex,
   state::{db_client, deployment_status_cache, stack_status_cache},
 };
 
-use super::stack::compose_container_match_regex;
-
 // user: Id or username
 #[instrument(level = "debug")]
 pub async fn get_user(user: &str) -> anyhow::Result<User> {
@@ -44,7 +44,6 @@ pub async fn get_user(user: &str) -> anyhow::Result<User> {
     return Ok(user);
   }
   db_client()
-    .await
     .users
     .find_one(id_or_username_filter(user))
     .await
@@ -104,7 +103,7 @@ pub fn get_stack_state_from_containers(
     })
     .collect::<Vec<_>>();
   let containers = containers.iter().filter(|container| {
-    services.iter().any(|StackServiceNames { service_name, container_name }| {
+    services.iter().any(|StackServiceNames { service_name, container_name, .. }| {
       match compose_container_match_regex(container_name)
         .with_context(|| format!("failed to construct container name matching regex for service {service_name}")) 
       {
@@ -119,7 +118,7 @@ pub fn get_stack_state_from_containers(
   if containers.is_empty() {
     return StackState::Down;
   }
-  if services.len() != containers.len() {
+  if services.len() > containers.len() {
     return StackState::Unhealthy;
   }
   let running = containers.iter().all(|container| {
@@ -184,7 +183,6 @@ pub async fn get_tag(id_or_name: &str) -> anyhow::Result<Tag> {
     Err(_) => doc! { "name": id_or_name },
   };
   db_client()
-    .await
     .tags
     .find_one(query)
     .await
@@ -204,10 +202,18 @@ pub async fn get_tag_check_owner(
   Err(anyhow!("user must be tag owner or admin"))
 }
 
+pub async fn get_all_tags(
+  filter: impl Into<Option<Document>>,
+) -> anyhow::Result<Vec<Tag>> {
+  find_collect(&db_client().tags, filter, None)
+    .await
+    .context("failed to query db for tags")
+}
+
 pub async fn get_id_to_tags(
   filter: impl Into<Option<Document>>,
 ) -> anyhow::Result<HashMap<String, Tag>> {
-  let res = find_collect(&db_client().await.tags, filter, None)
+  let res = find_collect(&db_client().tags, filter, None)
     .await
     .context("failed to query db for tags")?
     .into_iter()
@@ -221,7 +227,7 @@ pub async fn get_user_user_groups(
   user_id: &str,
 ) -> anyhow::Result<Vec<UserGroup>> {
   find_collect(
-    &db_client().await.user_groups,
+    &db_client().user_groups,
     doc! {
       "users": user_id
     },
@@ -286,6 +292,9 @@ pub async fn get_user_permission_on_target(
     ResourceTarget::Procedure(id) => {
       get_user_permission_on_resource::<Procedure>(user, id).await
     }
+    ResourceTarget::Action(id) => {
+      get_user_permission_on_resource::<Action>(user, id).await
+    }
     ResourceTarget::ServerTemplate(id) => {
       get_user_permission_on_resource::<ServerTemplate>(user, id)
         .await
@@ -315,7 +324,6 @@ pub fn id_or_username_filter(id_or_username: &str) -> Document {
 
 pub async fn get_variable(name: &str) -> anyhow::Result<Variable> {
   db_client()
-    .await
     .variables
     .find_one(doc! { "name": &name })
     .await
@@ -331,7 +339,6 @@ pub async fn get_latest_update(
   operation: Operation,
 ) -> anyhow::Result<Option<Update>> {
   db_client()
-    .await
     .updates
     .find_one(doc! {
       "target.type": resource_type.as_ref(),
@@ -354,10 +361,9 @@ pub struct VariablesAndSecrets {
 
 pub async fn get_variables_and_secrets(
 ) -> anyhow::Result<VariablesAndSecrets> {
-  let variables =
-    find_collect(&db_client().await.variables, None, None)
-      .await
-      .context("failed to get all variables from db")?;
+  let variables = find_collect(&db_client().variables, None, None)
+    .await
+    .context("failed to get all variables from db")?;
   let mut secrets = core_config().secrets.clone();
 
   // extend secrets with secret variables

bin/core/src/helpers/repo.rs

@@ -1,48 +0,0 @@
-use async_timing_util::{wait_until_timelength, Timelength};
-use komodo_client::{
-  api::write::RefreshRepoCache, entities::user::repo_user,
-};
-use mungos::find::find_collect;
-use resolver_api::Resolve;
-
-use crate::{
-  config::core_config,
-  state::{db_client, State},
-};
-
-pub fn spawn_repo_refresh_loop() {
-  let interval: Timelength = core_config()
-    .repo_poll_interval
-    .try_into()
-    .expect("Invalid repo poll interval");
-  tokio::spawn(async move {
-    refresh_repos().await;
-    loop {
-      wait_until_timelength(interval, 1000).await;
-      refresh_repos().await;
-    }
-  });
-}
-
-async fn refresh_repos() {
-  let Ok(repos) = find_collect(&db_client().await.repos, None, None)
-    .await
-    .inspect_err(|e| {
-      warn!("failed to get repos from db in refresh task | {e:#}")
-    })
-  else {
-    return;
-  };
-  for repo in repos {
-    State
-      .resolve(
-        RefreshRepoCache { repo: repo.id },
-        repo_user().clone(),
-      )
-      .await
-      .inspect_err(|e| {
-        warn!("failed to refresh repo cache in refresh task | repo: {} | {e:#}", repo.name)
-      })
-      .ok();
-  }
-}

bin/core/src/helpers/stack/mod.rs

@@ -1,101 +0,0 @@
-use anyhow::{anyhow, Context};
-use async_timing_util::{wait_until_timelength, Timelength};
-use komodo_client::{
-  api::write::RefreshStackCache,
-  entities::{
-    permission::PermissionLevel,
-    server::{Server, ServerState},
-    stack::Stack,
-    user::{stack_user, User},
-  },
-};
-use mungos::find::find_collect;
-use regex::Regex;
-use resolver_api::Resolve;
-
-use crate::{
-  config::core_config,
-  resource,
-  state::{db_client, State},
-};
-
-use super::query::get_server_with_state;
-
-pub mod execute;
-pub mod remote;
-pub mod services;
-
-pub fn spawn_stack_refresh_loop() {
-  let interval: Timelength = core_config()
-    .stack_poll_interval
-    .try_into()
-    .expect("Invalid stack poll interval");
-  tokio::spawn(async move {
-    refresh_stacks().await;
-    loop {
-      wait_until_timelength(interval, 3000).await;
-      refresh_stacks().await;
-    }
-  });
-}
-
-async fn refresh_stacks() {
-  let Ok(stacks) =
-    find_collect(&db_client().await.stacks, None, None)
-      .await
-      .inspect_err(|e| {
-        warn!("failed to get stacks from db in refresh task | {e:#}")
-      })
-  else {
-    return;
-  };
-  for stack in stacks {
-    State
-      .resolve(
-        RefreshStackCache { stack: stack.id },
-        stack_user().clone(),
-      )
-      .await
-      .inspect_err(|e| {
-        warn!("failed to refresh stack cache in refresh task | stack: {} | {e:#}", stack.name)
-      })
-      .ok();
-  }
-}
-
-pub async fn get_stack_and_server(
-  stack: &str,
-  user: &User,
-  permission_level: PermissionLevel,
-  block_if_server_unreachable: bool,
-) -> anyhow::Result<(Stack, Server)> {
-  let stack = resource::get_check_permissions::<Stack>(
-    stack,
-    user,
-    permission_level,
-  )
-  .await?;
-
-  if stack.config.server_id.is_empty() {
-    return Err(anyhow!("Stack has no server configured"));
-  }
-
-  let (server, status) =
-    get_server_with_state(&stack.config.server_id).await?;
-  if block_if_server_unreachable && status != ServerState::Ok {
-    return Err(anyhow!(
-      "cannot send action when server is unreachable or disabled"
-    ));
-  }
-
-  Ok((stack, server))
-}
-
-pub fn compose_container_match_regex(
-  container_name: &str,
-) -> anyhow::Result<Regex> {
-  let regex = format!("^{container_name}-?[0-9]*$");
-  Regex::new(&regex).with_context(|| {
-    format!("failed to construct valid regex from {regex}")
-  })
-}

bin/core/src/helpers/stack/remote.rs

@@ -1,126 +0,0 @@
-use std::{
-  fs,
-  path::{Path, PathBuf},
-};
-
-use anyhow::{anyhow, Context};
-use formatting::format_serror;
-use komodo_client::entities::{
-  stack::{ComposeContents, Stack},
-  update::Log,
-  CloneArgs,
-};
-
-use crate::{
-  config::core_config,
-  helpers::{git_token, random_string},
-};
-
-/// Returns Result<(read paths, error paths, logs, short hash, commit message)>
-pub async fn get_remote_compose_contents(
-  stack: &Stack,
-  // Collect any files which are missing in the repo.
-  mut missing_files: Option<&mut Vec<String>>,
-) -> anyhow::Result<(
-  // Successful contents
-  Vec<ComposeContents>,
-  // error contents
-  Vec<ComposeContents>,
-  // logs
-  Vec<Log>,
-  // commit short hash
-  Option<String>,
-  // commit message
-  Option<String>,
-)> {
-  let repo_path =
-    core_config().repo_directory.join(random_string(10));
-
-  let (logs, hash, message) = clone_remote_repo(&repo_path, stack)
-    .await
-    .context("failed to clone stack repo")?;
-
-  let run_directory = repo_path.join(&stack.config.run_directory);
-  // This will remove any intermediate '/./' which can be a problem for some OS.
-  let run_directory = run_directory.components().collect::<PathBuf>();
-
-  let mut oks = Vec::new();
-  let mut errs = Vec::new();
-
-  for path in stack.file_paths() {
-    let file_path = run_directory.join(path);
-    if !file_path.exists() {
-      if let Some(missing_files) = &mut missing_files {
-        missing_files.push(path.to_string());
-      }
-    }
-    // If file does not exist, will show up in err case so the log is handled
-    match fs::read_to_string(&file_path).with_context(|| {
-      format!("failed to read file contents from {file_path:?}")
-    }) {
-      Ok(contents) => oks.push(ComposeContents {
-        path: path.to_string(),
-        contents,
-      }),
-      Err(e) => errs.push(ComposeContents {
-        path: path.to_string(),
-        contents: format_serror(&e.into()),
-      }),
-    }
-  }
-
-  if repo_path.exists() {
-    if let Err(e) = std::fs::remove_dir_all(&repo_path) {
-      warn!("failed to remove stack repo directory | {e:?}")
-    }
-  }
-
-  Ok((oks, errs, logs, hash, message))
-}
-
-/// Returns (logs, hash, message)
-pub async fn clone_remote_repo(
-  repo_path: &Path,
-  stack: &Stack,
-) -> anyhow::Result<(Vec<Log>, Option<String>, Option<String>)> {
-  let mut clone_args: CloneArgs = stack.into();
-
-  let config = core_config();
-
-  let access_token = match (&clone_args.account, &clone_args.provider)
-  {
-    (None, _) => None,
-    (Some(_), None) => {
-      return Err(anyhow!(
-        "Account is configured, but provider is empty"
-      ))
-    }
-    (Some(username), Some(provider)) => {
-      git_token(provider, username, |https| {
-        clone_args.https = https
-      })
-      .await
-      .with_context(
-        || format!("Failed to get git token in call to db. Stopping run. | {provider} | {username}"),
-      )?
-    }
-  };
-
-  // Don't want to run these on core.
-  clone_args.on_clone = None;
-  clone_args.on_pull = None;
-  clone_args.destination = Some(repo_path.display().to_string());
-
-  git::clone(
-    clone_args,
-    &config.repo_directory,
-    access_token,
-    &[],
-    "",
-    None,
-    &[],
-  )
-  .await
-  .context("failed to clone stack repo")
-  .map(|(a, b, c, _)| (a, b, c))
-}

bin/core/src/helpers/stack/services.rs

@@ -1,81 +0,0 @@
-use anyhow::Context;
-use komodo_client::entities::stack::{
-  ComposeContents, ComposeFile, ComposeService, Stack,
-  StackServiceNames,
-};
-
-use crate::helpers::stack::remote::get_remote_compose_contents;
-
-/// Passing fresh will re-extract services from compose file, whether local or remote (repo)
-pub async fn extract_services_from_stack(
-  stack: &Stack,
-  fresh: bool,
-) -> anyhow::Result<Vec<StackServiceNames>> {
-  if !fresh {
-    if let Some(services) = &stack.info.deployed_services {
-      return Ok(services.clone());
-    } else {
-      return Ok(stack.info.latest_services.clone());
-    }
-  }
-
-  let compose_contents = if stack.config.file_contents.is_empty() {
-    let (contents, errors, _, _, _) =
-      get_remote_compose_contents(stack, None).await.context(
-        "failed to get remote compose files to extract services",
-      )?;
-    if !errors.is_empty() {
-      let mut e = anyhow::Error::msg("Trace root");
-      for err in errors {
-        e = e.context(format!("{}: {}", err.path, err.contents));
-      }
-      return Err(
-        e.context("Failed to read one or more remote compose files"),
-      );
-    }
-    contents
-  } else {
-    vec![ComposeContents {
-      path: String::from("compose.yaml"),
-      contents: stack.config.file_contents.clone(),
-    }]
-  };
-
-  let mut res = Vec::new();
-  for ComposeContents { path, contents } in &compose_contents {
-    extract_services_into_res(
-      &stack.project_name(true),
-      contents,
-      &mut res,
-    )
-    .with_context(|| {
-      format!("failed to extract services from file at path: {path}")
-    })?;
-  }
-
-  Ok(res)
-}
-
-pub fn extract_services_into_res(
-  project_name: &str,
-  compose_contents: &str,
-  res: &mut Vec<StackServiceNames>,
-) -> anyhow::Result<()> {
-  let compose = serde_yaml::from_str::<ComposeFile>(compose_contents)
-    .context("failed to parse service names from compose contents")?;
-
-  let services = compose.services.into_iter().map(
-    |(service_name, ComposeService { container_name, .. })| {
-      StackServiceNames {
-        container_name: container_name.unwrap_or_else(|| {
-          format!("{project_name}-{service_name}")
-        }),
-        service_name,
-      }
-    },
-  );
-
-  res.extend(services);
-
-  Ok(())
-}

bin/core/src/helpers/sync/file.rs

@@ -1,84 +0,0 @@
-use std::{fs, path::Path};
-
-use anyhow::{anyhow, Context};
-use formatting::{colored, muted, Color};
-use komodo_client::entities::{toml::ResourcesToml, update::Log};
-use serde::de::DeserializeOwned;
-
-pub fn read_resources(
-  path: &Path,
-) -> anyhow::Result<(ResourcesToml, Log)> {
-  let mut res = ResourcesToml::default();
-  let mut log =
-    format!("{}: reading resources from {path:?}", muted("INFO"));
-  read_resources_recursive(path, &mut res, &mut log).with_context(
-    || format!("failed to read resources from {path:?}"),
-  )?;
-  Ok((res, Log::simple("read remote resources", log)))
-}
-
-fn read_resources_recursive(
-  path: &Path,
-  resources: &mut ResourcesToml,
-  log: &mut String,
-) -> anyhow::Result<()> {
-  let res =
-    fs::metadata(path).context("failed to get path metadata")?;
-  if res.is_file() {
-    if !path
-      .extension()
-      .map(|ext| ext == "toml")
-      .unwrap_or_default()
-    {
-      return Ok(());
-    }
-    let more = parse_toml_file::<ResourcesToml>(path)
-      .context("failed to parse resource file")?;
-
-    log.push('\n');
-    log.push_str(&format!(
-      "{}: {} from {}",
-      muted("INFO"),
-      colored("adding resources", Color::Green),
-      colored(path.display(), Color::Blue)
-    ));
-
-    resources.servers.extend(more.servers);
-    resources.deployments.extend(more.deployments);
-    resources.stacks.extend(more.stacks);
-    resources.builds.extend(more.builds);
-    resources.repos.extend(more.repos);
-    resources.procedures.extend(more.procedures);
-    resources.alerters.extend(more.alerters);
-    resources.builders.extend(more.builders);
-    resources.server_templates.extend(more.server_templates);
-    resources.resource_syncs.extend(more.resource_syncs);
-    resources.user_groups.extend(more.user_groups);
-    resources.variables.extend(more.variables);
-
-    Ok(())
-  } else if res.is_dir() {
-    let directory = fs::read_dir(path)
-      .context("failed to read directory contents")?;
-    for entry in directory.into_iter().flatten() {
-      let path = entry.path();
-      read_resources_recursive(&path, resources, log).with_context(
-        || format!("failed to read resources from {path:?}"),
-      )?;
-    }
-    Ok(())
-  } else {
-    Err(anyhow!("resources path is neither file nor directory"))
-  }
-}
-
-fn parse_toml_file<T: DeserializeOwned>(
-  path: impl AsRef<std::path::Path>,
-) -> anyhow::Result<T> {
-  let contents = std::fs::read_to_string(path)
-    .context("failed to read file contents")?;
-  toml::from_str(&contents)
-    // the error without this comes through with multiple lines (\n) and looks bad
-    .map_err(|e| anyhow!("{e:#}"))
-    .context("failed to parse toml contents")
-}

bin/core/src/helpers/sync/mod.rs

@@ -1,64 +0,0 @@
-use async_timing_util::{wait_until_timelength, Timelength};
-use komodo_client::{
-  api::write::RefreshResourceSyncPending, entities::user::sync_user,
-};
-use mungos::find::find_collect;
-use resolver_api::Resolve;
-
-use crate::{
-  config::core_config,
-  state::{db_client, State},
-};
-
-// pub mod deployment;
-pub mod deploy;
-pub mod remote;
-pub mod resource;
-pub mod user_groups;
-pub mod variables;
-
-mod file;
-mod resources;
-
-pub fn spawn_sync_refresh_loop() {
-  let interval: Timelength = core_config()
-    .sync_poll_interval
-    .try_into()
-    .expect("Invalid sync poll interval");
-  tokio::spawn(async move {
-    refresh_syncs().await;
-    loop {
-      wait_until_timelength(interval, 0).await;
-      refresh_syncs().await;
-    }
-  });
-}
-
-async fn refresh_syncs() {
-  let Ok(syncs) =
-    find_collect(&db_client().await.resource_syncs, None, None)
-      .await
-      .inspect_err(|e| {
-        warn!(
-      "failed to get resource syncs from db in refresh task | {e:#}"
-    )
-      })
-  else {
-    return;
-  };
-  for sync in syncs {
-    if sync.config.repo.is_empty() {
-      continue;
-    }
-    State
-      .resolve(
-        RefreshResourceSyncPending { sync: sync.id },
-        sync_user().clone(),
-      )
-      .await
-      .inspect_err(|e| {
-        warn!("failed to refresh resource sync in refresh task | sync: {} | {e:#}", sync.name)
-      })
-      .ok();
-  }
-}