1.19.5 (#846)

* start 1.19.5

* deploy 1.19.5-dev-1

* avoid execute_and_poll error when update is already complete or has no id

* improve image tagging customization

* 1.19.5 release

.gitignore

@@ -1,6 +1,7 @@
 target
 node_modules
 dist
+deno.lock
 .env
 .env.development
 .DS_Store
@@ -9,5 +10,4 @@ dist
 /frontend/build
 /lib/ts_client/build
 
-creds.toml
 .dev

.kminclude

@@ -0,0 +1 @@
+.dev

Cargo.toml

@@ -8,111 +8,132 @@ members = [
 ]
 
 [workspace.package]
-version = "1.17.0"
+version = "1.19.5"
 edition = "2024"
 authors = ["mbecker20 <becker.maxh@gmail.com>"]
 license = "GPL-3.0-or-later"
 repository = "https://github.com/moghtech/komodo"
 homepage = "https://komo.do"
 
+[profile.release]
+strip = "debuginfo"
+
 [workspace.dependencies]
 # LOCAL
 komodo_client = { path = "client/core/rs" }
 periphery_client = { path = "client/periphery/rs" }
 environment_file = { path = "lib/environment_file" }
+environment = { path = "lib/environment" }
+interpolate = { path = "lib/interpolate" }
 formatting = { path = "lib/formatting" }
+database = { path = "lib/database" }
 response = { path = "lib/response" }
 command = { path = "lib/command" }
+config = { path = "lib/config" }
 logger = { path = "lib/logger" }
 cache = { path = "lib/cache" }
 git = { path = "lib/git" }
 
 # MOGH
 run_command = { version = "0.0.6", features = ["async_tokio"] }
-serror = { version = "0.5.0", default-features = false }
-slack = { version = "0.3.0", package = "slack_client_rs", default-features = false, features = ["rustls"] }
+serror = { version = "0.5.1", default-features = false }
+slack = { version = "0.4.0", package = "slack_client_rs", default-features = false, features = ["rustls"] }
 derive_default_builder = "0.1.8"
 derive_empty_traits = "0.1.0"
-merge_config_files = "0.1.5"
 async_timing_util = "1.0.0"
 partial_derive2 = "0.4.3"
 derive_variants = "1.0.0"
-mongo_indexed = "2.0.1"
+mongo_indexed = "2.0.2"
 resolver_api = "3.0.0"
-toml_pretty = "1.1.2"
-mungos = "3.2.0"
-svi = "1.0.1"
+toml_pretty = "1.2.0"
+mungos = "3.2.2"
+svi = "1.2.0"
 
 # ASYNC
-reqwest = { version = "0.12.15", default-features = false, features = ["json", "rustls-tls-native-roots"] }
-tokio = { version = "1.44.1", features = ["full"] }
-tokio-util = "0.7.14"
+reqwest = { version = "0.12.23", default-features = false, features = ["json", "stream", "rustls-tls-native-roots"] }
+tokio = { version = "1.47.1", features = ["full"] }
+tokio-util = { version = "0.7.16", features = ["io", "codec"] }
+tokio-stream = { version = "0.1.17", features = ["sync"] }
+pin-project-lite = "0.2.16"
 futures = "0.3.31"
 futures-util = "0.3.31"
 arc-swap = "1.7.1"
 
 # SERVER
-axum-extra = { version = "0.10.0", features = ["typed-header"] }
-tower-http = { version = "0.6.2", features = ["fs", "cors"] }
+tokio-tungstenite = { version = "0.27.0", features = ["rustls-tls-native-roots"] }
+axum-extra = { version = "0.10.1", features = ["typed-header"] }
+tower-http = { version = "0.6.6", features = ["fs", "cors"] }
 axum-server = { version = "0.7.2", features = ["tls-rustls"] }
-axum = { version = "0.8.1", features = ["ws", "json", "macros"] }
-tokio-tungstenite = "0.26.2"
+axum = { version = "0.8.4", features = ["ws", "json", "macros"] }
 
 # SER/DE
-ordered_hash_map = { version = "0.4.0", features = ["serde"] }
+ipnetwork = { version = "0.21.1", features = ["serde"] }
+indexmap = { version = "2.11.1", features = ["serde"] }
 serde = { version = "1.0.219", features = ["derive"] }
-strum = { version = "0.27.1", features = ["derive"] }
-serde_json = "1.0.140"
-serde_yaml = "0.9.34"
-toml = "0.8.20"
+strum = { version = "0.27.2", features = ["derive"] }
+bson = { version = "2.15.0" } # must keep in sync with mongodb version
+serde_yaml_ng = "0.10.0"
+serde_json = "1.0.145"
+serde_qs = "0.15.0"
+toml = "0.9.5"
 
 # ERROR
-anyhow = "1.0.97"
-thiserror = "2.0.12"
+anyhow = "1.0.99"
+thiserror = "2.0.16"
 
 # LOGGING
-opentelemetry-otlp = { version = "0.29.0", features = ["tls-roots", "reqwest-rustls"] }
-opentelemetry_sdk = { version = "0.29.0", features = ["rt-tokio"] }
-tracing-subscriber = { version = "0.3.19", features = ["json"] }
-opentelemetry-semantic-conventions = "0.29.0"
-tracing-opentelemetry = "0.30.0"
-opentelemetry = "0.29.0"
+opentelemetry-otlp = { version = "0.30.0", features = ["tls-roots", "reqwest-rustls"] }
+opentelemetry_sdk = { version = "0.30.0", features = ["rt-tokio"] }
+tracing-subscriber = { version = "0.3.20", features = ["json"] }
+opentelemetry-semantic-conventions = "0.30.0"
+tracing-opentelemetry = "0.31.0"
+opentelemetry = "0.30.0"
 tracing = "0.1.41"
 
 # CONFIG
-clap = { version = "4.5.32", features = ["derive"] }
+clap = { version = "4.5.47", features = ["derive"] }
 dotenvy = "0.15.7"
 envy = "0.4.2"
 
 # CRYPTO / AUTH
-uuid = { version = "1.16.0", features = ["v4", "fast-rng", "serde"] }
+uuid = { version = "1.18.1", features = ["v4", "fast-rng", "serde"] }
 jsonwebtoken = { version = "9.3.1", default-features = false }
-openidconnect = "4.0.0"
+openidconnect = "4.0.1"
 urlencoding = "2.1.3"
 nom_pem = "4.0.0"
-bcrypt = "0.17.0"
+bcrypt = "0.17.1"
 base64 = "0.22.1"
-rustls = "0.23.25"
+rustls = "0.23.31"
 hmac = "0.12.1"
-sha2 = "0.10.8"
-rand = "0.9.0"
+sha2 = "0.10.9"
+rand = "0.9.2"
 hex = "0.4.3"
 
 # SYSTEM
-bollard = "0.18.1"
-sysinfo = "0.33.1"
+portable-pty = "0.9.0"
+bollard = "0.19.2"
+sysinfo = "0.37.0"
 
 # CLOUD
-aws-config = "1.6.0"
-aws-sdk-ec2 = "1.118.1"
-aws-credential-types = "1.2.2"
+aws-config = "1.8.6"
+aws-sdk-ec2 = "1.167.0"
+aws-credential-types = "1.2.6"
+
+## CRON
+english-to-cron = "0.1.6"
+chrono-tz = "0.10.4"
+chrono = "0.4.42"
+croner = "3.0.0"
 
 # MISC
+async-compression = { version = "0.4.30", features = ["tokio", "gzip"] }
 derive_builder = "0.20.2"
+comfy-table = "7.2.1"
 typeshare = "1.0.4"
 octorust = "0.10.0"
 dashmap = "6.1.0"
 wildcard = "0.3.0"
 colored = "3.0.0"
-regex = "1.11.1"
-bson = "2.14.0"
+regex = "1.11.2"
+bytes = "1.10.1"
+shell-escape = "0.1.5"

bin/binaries.Dockerfile

@@ -1,7 +1,8 @@
-## Builds the Komodo Core and Periphery binaries
+## Builds the Komodo Core, Periphery, and Util binaries
 ## for a specific architecture.
 
-FROM rust:1.85.1-bullseye AS builder
+FROM rust:1.89.0-bullseye AS builder
+RUN cargo install cargo-strip
 
 WORKDIR /builder
 COPY Cargo.toml Cargo.lock ./
@@ -10,18 +11,22 @@ COPY ./client/core/rs ./client/core/rs
 COPY ./client/periphery ./client/periphery
 COPY ./bin/core ./bin/core
 COPY ./bin/periphery ./bin/periphery
+COPY ./bin/cli ./bin/cli
 
 # Compile bin
 RUN \
   cargo build -p komodo_core --release && \
-  cargo build -p komodo_periphery --release
+  cargo build -p komodo_periphery --release && \
+  cargo build -p komodo_cli --release && \
+  cargo strip
 
 # Copy just the binaries to scratch image
 FROM scratch
 
 COPY --from=builder /builder/target/release/core /core
 COPY --from=builder /builder/target/release/periphery /periphery
+COPY --from=builder /builder/target/release/km /km
 
 LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
-LABEL org.opencontainers.image.description="Komodo Periphery"
+LABEL org.opencontainers.image.description="Komodo Binaries"
 LABEL org.opencontainers.image.licenses=GPL-3.0

bin/chef.binaries.Dockerfile

@@ -0,0 +1,36 @@
+## Builds the Komodo Core, Periphery, and Util binaries
+## for a specific architecture.
+
+## Uses chef for dependency caching to help speed up back-to-back builds.
+
+FROM lukemathwalker/cargo-chef:latest-rust-1.89.0-bullseye AS chef
+WORKDIR /builder
+
+# Plan just the RECIPE to see if things have changed
+FROM chef AS planner
+COPY . .
+RUN cargo chef prepare --recipe-path recipe.json
+
+FROM chef AS builder
+RUN cargo install cargo-strip
+COPY --from=planner /builder/recipe.json recipe.json
+# Build JUST dependencies - cached layer
+RUN cargo chef cook --release --recipe-path recipe.json
+# NOW copy again (this time into builder) and build app
+COPY . .
+RUN \
+  cargo build --release --bin core && \
+  cargo build --release --bin periphery && \
+  cargo build --release --bin km && \
+  cargo strip
+
+# Copy just the binaries to scratch image
+FROM scratch
+
+COPY --from=builder /builder/target/release/core /core
+COPY --from=builder /builder/target/release/periphery /periphery
+COPY --from=builder /builder/target/release/km /km
+
+LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.description="Komodo Binaries"
+LABEL org.opencontainers.image.licenses=GPL-3.0

bin/cli/Cargo.toml

@@ -1,30 +1,36 @@
 [package]
 name = "komodo_cli"
-description = "Command line tool to execute Komodo actions"
+description = "Command line tool for Komodo"
 version.workspace = true
 edition.workspace = true
 authors.workspace = true
 license.workspace = true
-homepage.workspace = true
 repository.workspace = true
+homepage.workspace = true
 
 [[bin]]
-name = "komodo"
+name = "km"
 path = "src/main.rs"
 
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
 [dependencies]
 # local
-# komodo_client = "1.16.12"
+environment_file.workspace = true
 komodo_client.workspace = true
+database.workspace = true
+config.workspace = true
+logger.workspace = true
 # external
-tracing-subscriber.workspace = true
-merge_config_files.workspace = true
-futures.workspace = true
+futures-util.workspace = true
+comfy-table.workspace = true
+serde_json.workspace = true
+serde_qs.workspace = true
+wildcard.workspace = true
 tracing.workspace = true
 colored.workspace = true
+dotenvy.workspace = true
 anyhow.workspace = true
+chrono.workspace = true
 tokio.workspace = true
 serde.workspace = true
 clap.workspace = true
+envy.workspace = true

bin/cli/aio.Dockerfile

@@ -0,0 +1,25 @@
+FROM rust:1.89.0-bullseye AS builder
+RUN cargo install cargo-strip
+
+WORKDIR /builder
+COPY Cargo.toml Cargo.lock ./
+COPY ./lib ./lib
+COPY ./client/core/rs ./client/core/rs
+COPY ./client/periphery ./client/periphery
+COPY ./bin/cli ./bin/cli
+
+# Compile bin
+RUN cargo build -p komodo_cli --release && cargo strip
+
+# Copy binaries to distroless base
+FROM gcr.io/distroless/cc
+
+COPY --from=builder /builder/target/release/km /usr/local/bin/km
+
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+
+CMD [ "km" ]
+
+LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.description="Komodo CLI"
+LABEL org.opencontainers.image.licenses=GPL-3.0

bin/cli/docs/copy-database.md

@@ -0,0 +1,135 @@
+# Copy Database Utility
+
+Copy the Komodo database contents between running, mongo-compatible databases.
+Can be used to move between MongoDB / FerretDB, or upgrade from FerretDB v1 to v2.
+
+```yaml
+services:
+
+  copy_database:
+    image: ghcr.io/moghtech/komodo-cli
+    command: km database copy -y
+    environment:
+      KOMODO_DATABASE_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@source:27017
+      KOMODO_DATABASE_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
+      KOMODO_CLI_DATABASE_TARGET_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@target:27017
+      KOMODO_CLI_DATABASE_TARGET_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
+
+```
+
+## FerretDB v2 Update Guide
+
+Up to Komodo 1.17.5, users who wanted to use Postgres / Sqlite were instructed to deploy FerretDB v1.
+Now that v2 is out however, v1 will go largely unsupported. Users are recommended to migrate to v2 for
+the best performance and ongoing support / updates, however the internal data structures
+have changed and this cannot be done in-place. 
+
+Also note that FerretDB v2 no longer supports Sqlite, and only supports 
+a [customized Postgres distribution](https://docs.ferretdb.io/installation/documentdb/docker/).
+Nonetheless, it remains a solid option for hosts which [do not support mongo](https://github.com/moghtech/komodo/issues/59).
+
+Also note, the same basic process outlined below can also be used to move between MongoDB and FerretDB, just replace FerretDB v2
+with the database you wish to move to.
+
+### **Step 1**: *Add* the new database to the top of your existing Komodo compose file.
+
+**Don't forget to also add the new volumes.**
+
+```yaml
+## In Komodo compose.yaml
+services:
+  postgres2:
+    # Recommended: Pin to a specific version
+    # https://github.com/FerretDB/documentdb/pkgs/container/postgres-documentdb
+    image: ghcr.io/ferretdb/postgres-documentdb
+    labels:
+      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
+    restart: unless-stopped
+    # ports:
+    #   - 5432:5432
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_USER: ${KOMODO_DB_USERNAME}
+      POSTGRES_PASSWORD: ${KOMODO_DB_PASSWORD}
+      POSTGRES_DB: postgres # Do not change
+
+  ferretdb2:
+    # Recommended: Pin to a specific version
+    # https://github.com/FerretDB/FerretDB/pkgs/container/ferretdb
+    image: ghcr.io/ferretdb/ferretdb
+    labels:
+      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
+    restart: unless-stopped
+    depends_on:
+      - postgres2
+    # ports:
+    #   - 27017:27017
+    volumes:
+      - ferretdb-state:/state
+    environment:
+      FERRETDB_POSTGRESQL_URL: postgres://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@postgres2:5432/postgres
+
+  ...(unchanged)
+
+volumes:
+  ...(unchanged)
+  postgres-data:
+  ferretdb-state:
+```
+
+### **Step 2**: *Add* the database copy utility to Komodo compose file.
+
+The SOURCE_URI points to the existing database, ie the old FerretDB v1, and it depends
+on whether it was deployed using Postgres or Sqlite. The example below uses the Postgres one,
+but if you use Sqlite it should just be something like `mongodb://ferretdb:27017`.
+
+```yaml
+## In Komodo compose.yaml
+services:
+  ...(new database)
+
+  copy_database:
+    image: ghcr.io/moghtech/komodo-cli
+    command: km database copy -y
+    environment:
+      KOMODO_DATABASE_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@ferretdb:27017/${KOMODO_DATABASE_DB_NAME:-komodo}?authMechanism=PLAIN
+      KOMODO_DATABASE_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
+      KOMODO_CLI_DATABASE_TARGET_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@ferretdb2:27017
+      KOMODO_CLI_DATABASE_TARGET_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
+
+  ...(unchanged)
+```
+
+### **Step 3**: *Compose Up* the new additions
+
+Run `docker compose -p komodo --env-file compose.env -f xxxxx.compose.yaml up -d`, filling in the name of your compose.yaml.
+This will start up both the old and new database, and copy the data to the new one.
+
+Wait a few moments for the `copy_database` service to finish. When it exits,
+confirm the logs show the data was moved successfully, and move on to the next step.
+
+### **Step 4**: Point Komodo Core to the new database
+
+In your Komodo compose.yaml, first *comment out* the `copy_database` service and old ferretdb v1 service/s.
+Then update the `core` service environment to point to `ferretdb2`.
+
+```yaml
+services:
+  ...
+
+  core:
+    ...(unchanged)
+    environment:
+      KOMODO_DATABASE_ADDRESS: ferretdb2:27017
+      KOMODO_DATABASE_USERNAME: ${KOMODO_DB_USERNAME}
+      KOMODO_DATABASE_PASSWORD: ${KOMODO_DB_PASSWORD}
+```
+
+### **Step 5**: Final *Compose Up*
+
+Repeat the same `docker compose` command as before to apply the changes, and then try navigating to your Komodo web page.
+If it works, congrats, **you are done**. You can clean up the compose file if you would like, removing the old volumes etc.
+
+If it does not work, check the logs for any obvious issues, and if necessary you can undo the previous steps
+to go back to using the previous database.

bin/cli/multi-arch.Dockerfile

@@ -0,0 +1,29 @@
+## Assumes the latest binaries for x86_64 and aarch64 are already built (by binaries.Dockerfile).
+## Since theres no heavy build here, QEMU multi-arch builds are fine for this image.
+
+ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:latest
+ARG X86_64_BINARIES=${BINARIES_IMAGE}-x86_64
+ARG AARCH64_BINARIES=${BINARIES_IMAGE}-aarch64
+
+# This is required to work with COPY --from
+FROM ${X86_64_BINARIES} AS x86_64
+FROM ${AARCH64_BINARIES} AS aarch64
+
+FROM debian:bullseye-slim
+
+WORKDIR /app
+
+## Copy both binaries initially, but only keep appropriate one for the TARGETPLATFORM.
+COPY --from=x86_64 /km /app/arch/linux/amd64
+COPY --from=aarch64 /km /app/arch/linux/arm64
+
+ARG TARGETPLATFORM
+RUN mv /app/arch/${TARGETPLATFORM} /usr/local/bin/km && rm -r /app/arch
+
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+
+CMD [ "km" ]
+
+LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.description="Komodo CLI"
+LABEL org.opencontainers.image.licenses=GPL-3.0

bin/cli/runfile.toml

@@ -0,0 +1,4 @@
+[install-cli]
+alias = "ic"
+description = "installs the komodo-cli, available on the command line as 'km'"
+cmd = "cargo install --path ."

bin/cli/single-arch.Dockerfile

@@ -0,0 +1,18 @@
+## Assumes the latest binaries for the required arch are already built (by binaries.Dockerfile).
+
+ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:latest
+
+# This is required to work with COPY --from
+FROM ${BINARIES_IMAGE} AS binaries
+
+FROM gcr.io/distroless/cc
+
+COPY --from=binaries /km /usr/local/bin/km
+
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+
+CMD [ "km" ]
+
+LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.description="Komodo CLI"
+LABEL org.opencontainers.image.licenses=GPL-3.0

bin/cli/src/args.rs

@@ -1,55 +0,0 @@
-use clap::{Parser, Subcommand};
-use komodo_client::api::execute::Execution;
-use serde::Deserialize;
-
-#[derive(Parser, Debug)]
-#[command(version, about, long_about = None)]
-pub struct CliArgs {
-  /// Sync or Exec
-  #[command(subcommand)]
-  pub command: Command,
-
-  /// The path to a creds file.
-  ///
-  /// Note: If each of `url`, `key` and `secret` are passed,
-  /// no file is required at this path.
-  #[arg(long, default_value_t = default_creds())]
-  pub creds: String,
-
-  /// Pass url in args instead of creds file
-  #[arg(long)]
-  pub url: Option<String>,
-  /// Pass api key in args instead of creds file
-  #[arg(long)]
-  pub key: Option<String>,
-  /// Pass api secret in args instead of creds file
-  #[arg(long)]
-  pub secret: Option<String>,
-
-  /// Always continue on user confirmation prompts.
-  #[arg(long, short, default_value_t = false)]
-  pub yes: bool,
-}
-
-fn default_creds() -> String {
-  let home =
-    std::env::var("HOME").unwrap_or_else(|_| String::from("/root"));
-  format!("{home}/.config/komodo/creds.toml")
-}
-
-#[derive(Debug, Clone, Subcommand)]
-pub enum Command {
-  /// Runs an execution
-  Execute {
-    #[command(subcommand)]
-    execution: Execution,
-  },
-  // Room for more
-}
-
-#[derive(Debug, Deserialize)]
-pub struct CredsFile {
-  pub url: String,
-  pub key: String,
-  pub secret: String,
-}

bin/cli/src/command/container.rs

@@ -0,0 +1,312 @@
+use std::collections::{HashMap, HashSet};
+
+use anyhow::Context;
+use colored::Colorize;
+use comfy_table::{Attribute, Cell, Color};
+use futures_util::{
+  FutureExt, TryStreamExt, stream::FuturesUnordered,
+};
+use komodo_client::{
+  api::read::{
+    InspectDockerContainer, ListAllDockerContainers, ListServers,
+  },
+  entities::{
+    config::cli::args::container::{
+      Container, ContainerCommand, InspectContainer,
+    },
+    docker::{
+      self,
+      container::{ContainerListItem, ContainerStateStatusEnum},
+    },
+  },
+};
+
+use crate::{
+  command::{
+    PrintTable, clamp_sha, matches_wildcards, parse_wildcards,
+    print_items,
+  },
+  config::cli_config,
+};
+
+pub async fn handle(container: &Container) -> anyhow::Result<()> {
+  match &container.command {
+    None => list_containers(container).await,
+    Some(ContainerCommand::Inspect(inspect)) => {
+      inspect_container(inspect).await
+    }
+  }
+}
+
+async fn list_containers(
+  Container {
+    all,
+    down,
+    links,
+    reverse,
+    containers: names,
+    images,
+    networks,
+    servers,
+    format,
+    command: _,
+  }: &Container,
+) -> anyhow::Result<()> {
+  let client = super::komodo_client().await?;
+  let (server_map, containers) = tokio::try_join!(
+    client
+      .read(ListServers::default())
+      .map(|res| res.map(|res| res
+        .into_iter()
+        .map(|s| (s.id.clone(), s))
+        .collect::<HashMap<_, _>>())),
+    client.read(ListAllDockerContainers {
+      servers: Default::default()
+    }),
+  )?;
+
+  // (Option<Server Name>, Container)
+  let containers = containers.into_iter().map(|c| {
+    let server = if let Some(server_id) = c.server_id.as_ref()
+      && let Some(server) = server_map.get(server_id)
+    {
+      server
+    } else {
+      return (None, c);
+    };
+    (Some(server.name.as_str()), c)
+  });
+
+  let names = parse_wildcards(names);
+  let servers = parse_wildcards(servers);
+  let images = parse_wildcards(images);
+  let networks = parse_wildcards(networks);
+
+  let mut containers = containers
+    .into_iter()
+    .filter(|(server_name, c)| {
+      let state_check = if *all {
+        true
+      } else if *down {
+        !matches!(c.state, ContainerStateStatusEnum::Running)
+      } else {
+        matches!(c.state, ContainerStateStatusEnum::Running)
+      };
+      let network_check = matches_wildcards(
+        &networks,
+        &c.network_mode
+          .as_deref()
+          .map(|n| vec![n])
+          .unwrap_or_default(),
+      ) || matches_wildcards(
+        &networks,
+        &c.networks.iter().map(String::as_str).collect::<Vec<_>>(),
+      );
+      state_check
+        && network_check
+        && matches_wildcards(&names, &[c.name.as_str()])
+        && matches_wildcards(
+          &servers,
+          &server_name
+            .as_deref()
+            .map(|i| vec![i])
+            .unwrap_or_default(),
+        )
+        && matches_wildcards(
+          &images,
+          &c.image.as_deref().map(|i| vec![i]).unwrap_or_default(),
+        )
+    })
+    .collect::<Vec<_>>();
+  containers.sort_by(|(a_s, a), (b_s, b)| {
+    a.state
+      .cmp(&b.state)
+      .then(a.name.cmp(&b.name))
+      .then(a_s.cmp(b_s))
+      .then(a.network_mode.cmp(&b.network_mode))
+      .then(a.image.cmp(&b.image))
+  });
+  if *reverse {
+    containers.reverse();
+  }
+  print_items(containers, *format, *links)?;
+  Ok(())
+}
+
+pub async fn inspect_container(
+  inspect: &InspectContainer,
+) -> anyhow::Result<()> {
+  let client = super::komodo_client().await?;
+  let (server_map, mut containers) = tokio::try_join!(
+    client
+      .read(ListServers::default())
+      .map(|res| res.map(|res| res
+        .into_iter()
+        .map(|s| (s.id.clone(), s))
+        .collect::<HashMap<_, _>>())),
+    client.read(ListAllDockerContainers {
+      servers: Default::default()
+    }),
+  )?;
+
+  containers.iter_mut().for_each(|c| {
+    let Some(server_id) = c.server_id.as_ref() else {
+      return;
+    };
+    let Some(server) = server_map.get(server_id) else {
+      c.server_id = Some(String::from("Unknown"));
+      return;
+    };
+    c.server_id = Some(server.name.clone());
+  });
+
+  let names = [inspect.container.to_string()];
+  let names = parse_wildcards(&names);
+  let servers = parse_wildcards(&inspect.servers);
+
+  let mut containers = containers
+    .into_iter()
+    .filter(|c| {
+      matches_wildcards(&names, &[c.name.as_str()])
+        && matches_wildcards(
+          &servers,
+          &c.server_id
+            .as_deref()
+            .map(|i| vec![i])
+            .unwrap_or_default(),
+        )
+    })
+    .map(|c| async move {
+      client
+        .read(InspectDockerContainer {
+          container: c.name,
+          server: c.server_id.context("No server...")?,
+        })
+        .await
+    })
+    .collect::<FuturesUnordered<_>>()
+    .try_collect::<Vec<_>>()
+    .await?;
+
+  containers.sort_by(|a, b| a.name.cmp(&b.name));
+
+  match containers.len() {
+    0 => {
+      println!(
+        "{}: Did not find any containers matching '{}'",
+        "INFO".green(),
+        inspect.container.bold()
+      );
+    }
+    1 => {
+      println!("{}", serialize_container(inspect, &containers[0])?);
+    }
+    _ => {
+      let containers = containers
+        .iter()
+        .map(|c| serialize_container(inspect, c))
+        .collect::<anyhow::Result<Vec<_>>>()?
+        .join("\n");
+      println!("{containers}");
+    }
+  }
+
+  Ok(())
+}
+
+fn serialize_container(
+  inspect: &InspectContainer,
+  container: &docker::container::Container,
+) -> anyhow::Result<String> {
+  let res = if inspect.state {
+    serde_json::to_string_pretty(&container.state)
+  } else if inspect.mounts {
+    serde_json::to_string_pretty(&container.mounts)
+  } else if inspect.host_config {
+    serde_json::to_string_pretty(&container.host_config)
+  } else if inspect.config {
+    serde_json::to_string_pretty(&container.config)
+  } else if inspect.network_settings {
+    serde_json::to_string_pretty(&container.network_settings)
+  } else {
+    serde_json::to_string_pretty(container)
+  }
+  .context("Failed to serialize items to JSON")?;
+  Ok(res)
+}
+
+// (Option<Server Name>, Container)
+impl PrintTable for (Option<&'_ str>, ContainerListItem) {
+  fn header(links: bool) -> &'static [&'static str] {
+    if links {
+      &[
+        "Container",
+        "State",
+        "Server",
+        "Ports",
+        "Networks",
+        "Image",
+        "Link",
+      ]
+    } else {
+      &["Container", "State", "Server", "Ports", "Networks", "Image"]
+    }
+  }
+  fn row(self, links: bool) -> Vec<Cell> {
+    let color = match self.1.state {
+      ContainerStateStatusEnum::Running => Color::Green,
+      ContainerStateStatusEnum::Paused => Color::DarkYellow,
+      ContainerStateStatusEnum::Empty => Color::Grey,
+      _ => Color::Red,
+    };
+    let mut networks = HashSet::new();
+    if let Some(network) = self.1.network_mode {
+      networks.insert(network);
+    }
+    for network in self.1.networks {
+      networks.insert(network);
+    }
+    let mut networks = networks.into_iter().collect::<Vec<_>>();
+    networks.sort();
+    let mut ports = self
+      .1
+      .ports
+      .into_iter()
+      .flat_map(|p| p.public_port.map(|p| p.to_string()))
+      .collect::<HashSet<_>>()
+      .into_iter()
+      .collect::<Vec<_>>();
+    ports.sort();
+    let ports = if ports.is_empty() {
+      Cell::new("")
+    } else {
+      Cell::new(format!(":{}", ports.join(", :")))
+    };
+
+    let image = self.1.image.as_deref().unwrap_or("Unknown");
+    let mut res = vec![
+      Cell::new(self.1.name.clone()).add_attribute(Attribute::Bold),
+      Cell::new(self.1.state.to_string())
+        .fg(color)
+        .add_attribute(Attribute::Bold),
+      Cell::new(self.0.unwrap_or("Unknown")),
+      ports,
+      Cell::new(networks.join(", ")),
+      Cell::new(clamp_sha(image)),
+    ];
+    if !links {
+      return res;
+    }
+    let link = if let Some(server_id) = self.1.server_id {
+      format!(
+        "{}/servers/{server_id}/container/{}",
+        cli_config().host,
+        self.1.name
+      )
+    } else {
+      String::new()
+    };
+    res.push(Cell::new(link));
+    res
+  }
+}

bin/cli/src/command/database.rs

@@ -0,0 +1,320 @@
+use std::path::Path;
+
+use anyhow::Context;
+use colored::Colorize;
+use komodo_client::entities::{
+  config::cli::args::database::DatabaseCommand, optional_string,
+};
+
+use crate::{command::sanitize_uri, config::cli_config};
+
+pub async fn handle(command: &DatabaseCommand) -> anyhow::Result<()> {
+  match command {
+    DatabaseCommand::Backup { yes, .. } => backup(*yes).await,
+    DatabaseCommand::Restore {
+      restore_folder,
+      index,
+      yes,
+      ..
+    } => restore(restore_folder.as_deref(), *index, *yes).await,
+    DatabaseCommand::Prune { yes, .. } => prune(*yes).await,
+    DatabaseCommand::Copy { yes, index, .. } => {
+      copy(*index, *yes).await
+    }
+  }
+}
+
+async fn backup(yes: bool) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!(
+    "\n🦎  {} Database {} Utility  🦎",
+    "Komodo".bold(),
+    "Backup".green().bold()
+  );
+  println!(
+    "\n{}\n",
+    " - Backup all database contents to gzip compressed files."
+      .dimmed()
+  );
+  if let Some(uri) = optional_string(&config.database.uri) {
+    println!("{}: {}", " - Source URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) = optional_string(&config.database.address) {
+    println!("{}: {address}", " - Source Address".dimmed());
+  }
+  if let Some(username) = optional_string(&config.database.username) {
+    println!("{}: {username}", " - Source Username".dimmed());
+  }
+  println!(
+    "{}: {}\n",
+    " - Source Db Name".dimmed(),
+    config.database.db_name,
+  );
+  println!(
+    "{}: {:?}",
+    " - Backups Folder".dimmed(),
+    config.backups_folder
+  );
+  if config.max_backups == 0 {
+    println!(
+      "{}{}",
+      " - Backup pruning".dimmed(),
+      "disabled".red().dimmed()
+    );
+  } else {
+    println!("{}: {}", " - Max Backups".dimmed(), config.max_backups);
+  }
+
+  crate::command::wait_for_enter("start backup", yes)?;
+
+  let db = database::init(&config.database).await?;
+
+  database::utils::backup(&db, &config.backups_folder).await?;
+
+  // Early return if backup pruning disabled
+  if config.max_backups == 0 {
+    return Ok(());
+  }
+
+  // Know that new backup was taken successfully at this point,
+  // safe to prune old backup folders
+
+  prune_inner().await
+}
+
+async fn restore(
+  restore_folder: Option<&Path>,
+  index: bool,
+  yes: bool,
+) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!(
+    "\n🦎  {} Database {} Utility  🦎",
+    "Komodo".bold(),
+    "Restore".purple().bold()
+  );
+  println!(
+    "\n{}\n",
+    " - Restores database contents from gzip compressed files."
+      .dimmed()
+  );
+  if let Some(uri) = optional_string(&config.database_target.uri) {
+    println!("{}: {}", " - Target URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) =
+    optional_string(&config.database_target.address)
+  {
+    println!("{}: {address}", " - Target Address".dimmed());
+  }
+  if let Some(username) =
+    optional_string(&config.database_target.username)
+  {
+    println!("{}: {username}", " - Target Username".dimmed());
+  }
+  println!(
+    "{}: {}",
+    " - Target Db Name".dimmed(),
+    config.database_target.db_name,
+  );
+  if !index {
+    println!(
+      "{}: {}",
+      " - Target Db Indexing".dimmed(),
+      "DISABLED".red(),
+    );
+  }
+  println!(
+    "\n{}: {:?}",
+    " - Backups Folder".dimmed(),
+    config.backups_folder
+  );
+  if let Some(restore_folder) = restore_folder {
+    println!("{}: {restore_folder:?}", " - Restore Folder".dimmed());
+  }
+
+  crate::command::wait_for_enter("start restore", yes)?;
+
+  let db = if index {
+    database::Client::new(&config.database_target).await?.db
+  } else {
+    database::init(&config.database_target).await?
+  };
+
+  database::utils::restore(
+    &db,
+    &config.backups_folder,
+    restore_folder,
+  )
+  .await
+}
+
+async fn prune(yes: bool) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!(
+    "\n🦎  {} Database {} Utility  🦎",
+    "Komodo".bold(),
+    "Backup Prune".cyan().bold()
+  );
+  println!(
+    "\n{}\n",
+    " - Prunes database backup folders when greater than the configured amount."
+      .dimmed()
+  );
+  println!(
+    "{}: {:?}",
+    " - Backups Folder".dimmed(),
+    config.backups_folder
+  );
+  if config.max_backups == 0 {
+    println!(
+      "{}{}",
+      " - Backup pruning".dimmed(),
+      "disabled".red().dimmed()
+    );
+  } else {
+    println!("{}: {}", " - Max Backups".dimmed(), config.max_backups);
+  }
+
+  // Early return if backup pruning disabled
+  if config.max_backups == 0 {
+    info!(
+      "Backup pruning is disabled, enabled using 'max_backups' (KOMODO_CLI_MAX_BACKUPS)"
+    );
+    return Ok(());
+  }
+
+  crate::command::wait_for_enter("start backup prune", yes)?;
+
+  prune_inner().await
+}
+
+async fn prune_inner() -> anyhow::Result<()> {
+  let config = cli_config();
+
+  let mut backups_dir =
+    match tokio::fs::read_dir(&config.backups_folder)
+      .await
+      .context("Failed to read backups folder for prune")
+    {
+      Ok(backups_dir) => backups_dir,
+      Err(e) => {
+        warn!("{e:#}");
+        return Ok(());
+      }
+    };
+
+  let mut backup_folders = Vec::new();
+  loop {
+    match backups_dir.next_entry().await {
+      Ok(Some(entry)) => {
+        let Ok(metadata) = entry.metadata().await else {
+          continue;
+        };
+        if metadata.is_dir() {
+          backup_folders.push(entry.path());
+        }
+      }
+      Ok(None) => break,
+      Err(_) => {
+        continue;
+      }
+    }
+  }
+  // Ordered from oldest -> newest
+  backup_folders.sort();
+
+  let max_backups = config.max_backups as usize;
+  let backup_folders_len = backup_folders.len();
+
+  // Early return if under the backup count threshold
+  if backup_folders_len <= max_backups {
+    info!("No backups to prune");
+    return Ok(());
+  }
+
+  let to_delete =
+    &backup_folders[..(backup_folders_len - max_backups)];
+
+  info!("Pruning old backups: {to_delete:?}");
+
+  for path in to_delete {
+    if let Err(e) =
+      tokio::fs::remove_dir_all(path).await.with_context(|| {
+        format!("Failed to delete backup folder at {path:?}")
+      })
+    {
+      warn!("{e:#}");
+    }
+  }
+
+  Ok(())
+}
+
+async fn copy(index: bool, yes: bool) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!(
+    "\n🦎  {} Database {} Utility  🦎",
+    "Komodo".bold(),
+    "Copy".blue().bold()
+  );
+  println!(
+    "\n{}\n",
+    " - Copies database contents to another database.".dimmed()
+  );
+
+  if let Some(uri) = optional_string(&config.database.uri) {
+    println!("{}: {}", " - Source URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) = optional_string(&config.database.address) {
+    println!("{}: {address}", " - Source Address".dimmed());
+  }
+  if let Some(username) = optional_string(&config.database.username) {
+    println!("{}: {username}", " - Source Username".dimmed());
+  }
+  println!(
+    "{}: {}\n",
+    " - Source Db Name".dimmed(),
+    config.database.db_name,
+  );
+
+  if let Some(uri) = optional_string(&config.database_target.uri) {
+    println!("{}: {}", " - Target URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) =
+    optional_string(&config.database_target.address)
+  {
+    println!("{}: {address}", " - Target Address".dimmed());
+  }
+  if let Some(username) =
+    optional_string(&config.database_target.username)
+  {
+    println!("{}: {username}", " - Target Username".dimmed());
+  }
+  println!(
+    "{}: {}",
+    " - Target Db Name".dimmed(),
+    config.database_target.db_name,
+  );
+  if !index {
+    println!(
+      "{}: {}",
+      " - Target Db Indexing".dimmed(),
+      "DISABLED".red(),
+    );
+  }
+
+  crate::command::wait_for_enter("start copy", yes)?;
+
+  let source_db = database::init(&config.database).await?;
+  let target_db = if index {
+    database::Client::new(&config.database_target).await?.db
+  } else {
+    database::init(&config.database_target).await?
+  };
+
+  database::utils::copy(&source_db, &target_db).await
+}

bin/cli/src/command/execute.rs

@@ -0,0 +1,572 @@
+use std::time::Duration;
+
+use colored::Colorize;
+use futures_util::{StreamExt, stream::FuturesUnordered};
+use komodo_client::{
+  api::execute::{
+    BatchExecutionResponse, BatchExecutionResponseItem, Execution,
+  },
+  entities::{resource_link, update::Update},
+};
+
+use crate::config::cli_config;
+
+enum ExecutionResult {
+  Single(Box<Update>),
+  Batch(BatchExecutionResponse),
+}
+
+pub async fn handle(
+  execution: &Execution,
+  yes: bool,
+) -> anyhow::Result<()> {
+  if matches!(execution, Execution::None(_)) {
+    println!("Got 'none' execution. Doing nothing...");
+    tokio::time::sleep(Duration::from_secs(3)).await;
+    println!("Finished doing nothing. Exiting...");
+    std::process::exit(0);
+  }
+
+  println!("\n{}: Execution", "Mode".dimmed());
+  match execution {
+    Execution::None(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunAction(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchRunAction(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunProcedure(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchRunProcedure(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunBuild(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchRunBuild(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CancelBuild(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::Deploy(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDeploy(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PullDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StartDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RestartDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PauseDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::UnpauseDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StopDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DestroyDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDestroyDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CloneRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchCloneRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PullRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchPullRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BuildRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchBuildRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CancelRepoBuild(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StartContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RestartContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PauseContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::UnpauseContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StopContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DestroyContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StartAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RestartAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PauseAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::UnpauseAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StopAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeleteNetwork(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneNetworks(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeleteImage(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneImages(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeleteVolume(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneVolumes(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneDockerBuilders(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneBuildx(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneSystem(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunSync(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CommitSync(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeployStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDeployStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeployStackIfChanged(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDeployStackIfChanged(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PullStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchPullStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StartStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RestartStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PauseStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::UnpauseStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StopStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DestroyStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDestroyStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunStackService(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::TestAlerter(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::SendAlert(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::ClearRepoCache(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BackupCoreDatabase(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::GlobalAutoUpdate(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::Sleep(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+  }
+
+  super::wait_for_enter("run execution", yes)?;
+
+  info!("Running Execution...");
+
+  let client = super::komodo_client().await?;
+
+  let res = match execution.clone() {
+    Execution::RunAction(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchRunAction(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::RunProcedure(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchRunProcedure(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::RunBuild(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchRunBuild(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::CancelBuild(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::Deploy(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchDeploy(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::PullDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StartDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RestartDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PauseDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::UnpauseDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StopDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DestroyDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchDestroyDeployment(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::CloneRepo(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchCloneRepo(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::PullRepo(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchPullRepo(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::BuildRepo(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchBuildRepo(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::CancelRepoBuild(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StartContainer(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RestartContainer(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PauseContainer(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::UnpauseContainer(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StopContainer(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DestroyContainer(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StartAllContainers(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RestartAllContainers(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PauseAllContainers(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::UnpauseAllContainers(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StopAllContainers(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneContainers(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DeleteNetwork(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneNetworks(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DeleteImage(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneImages(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DeleteVolume(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneVolumes(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneDockerBuilders(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneBuildx(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneSystem(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RunSync(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::CommitSync(request) => client
+      .write(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DeployStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchDeployStack(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::DeployStackIfChanged(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchDeployStackIfChanged(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::PullStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchPullStack(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::StartStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RestartStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PauseStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::UnpauseStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StopStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DestroyStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchDestroyStack(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::RunStackService(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::TestAlerter(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::SendAlert(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::ClearRepoCache(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BackupCoreDatabase(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::GlobalAutoUpdate(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::Sleep(request) => {
+      let duration =
+        Duration::from_millis(request.duration_ms as u64);
+      tokio::time::sleep(duration).await;
+      println!("Finished sleeping!");
+      std::process::exit(0)
+    }
+    Execution::None(_) => unreachable!(),
+  };
+
+  match res {
+    Ok(ExecutionResult::Single(update)) => {
+      poll_update_until_complete(&update).await
+    }
+    Ok(ExecutionResult::Batch(updates)) => {
+      let mut handles = updates
+        .iter()
+        .map(|update| async move {
+          match update {
+            BatchExecutionResponseItem::Ok(update) => {
+              poll_update_until_complete(update).await
+            }
+            BatchExecutionResponseItem::Err(e) => {
+              error!("{e:#?}");
+              Ok(())
+            }
+          }
+        })
+        .collect::<FuturesUnordered<_>>();
+      while let Some(res) = handles.next().await {
+        match res {
+          Ok(()) => {}
+          Err(e) => {
+            error!("{e:#?}");
+          }
+        }
+      }
+      Ok(())
+    }
+    Err(e) => {
+      error!("{e:#?}");
+      Ok(())
+    }
+  }
+}
+
+async fn poll_update_until_complete(
+  update: &Update,
+) -> anyhow::Result<()> {
+  let link = if update.id.is_empty() {
+    let (resource_type, id) = update.target.extract_variant_id();
+    resource_link(&cli_config().host, resource_type, id)
+  } else {
+    format!("{}/updates/{}", cli_config().host, update.id)
+  };
+  println!("Link: '{}'", link.bold());
+
+  let client = super::komodo_client().await?;
+
+  let timer = tokio::time::Instant::now();
+  let update = client.poll_update_until_complete(&update.id).await?;
+  if update.success {
+    println!(
+      "FINISHED in {}: {}",
+      format!("{:.1?}", timer.elapsed()).bold(),
+      "EXECUTION SUCCESSFUL".green(),
+    );
+  } else {
+    eprintln!(
+      "FINISHED in {}: {}",
+      format!("{:.1?}", timer.elapsed()).bold(),
+      "EXECUTION FAILED".red(),
+    );
+  }
+  Ok(())
+}

bin/cli/src/command/mod.rs

@@ -0,0 +1,181 @@
+use std::io::Read;
+
+use anyhow::{Context, anyhow};
+use chrono::TimeZone;
+use colored::Colorize;
+use comfy_table::{Attribute, Cell, Table};
+use komodo_client::{
+  KomodoClient,
+  entities::config::cli::{CliTableBorders, args::CliFormat},
+};
+use serde::Serialize;
+use tokio::sync::OnceCell;
+use wildcard::Wildcard;
+
+use crate::config::cli_config;
+
+pub mod container;
+pub mod database;
+pub mod execute;
+pub mod list;
+pub mod update;
+
+async fn komodo_client() -> anyhow::Result<&'static KomodoClient> {
+  static KOMODO_CLIENT: OnceCell<KomodoClient> =
+    OnceCell::const_new();
+  KOMODO_CLIENT
+    .get_or_try_init(|| async {
+      let config = cli_config();
+      let (Some(key), Some(secret)) =
+        (&config.cli_key, &config.cli_secret)
+      else {
+        return Err(anyhow!(
+          "Must provide both cli_key and cli_secret"
+        ));
+      };
+      KomodoClient::new(&config.host, key, secret)
+        .with_healthcheck()
+        .await
+    })
+    .await
+}
+
+fn wait_for_enter(
+  press_enter_to: &str,
+  skip: bool,
+) -> anyhow::Result<()> {
+  if skip {
+    println!();
+    return Ok(());
+  }
+  println!(
+    "\nPress {} to {}\n",
+    "ENTER".green(),
+    press_enter_to.bold()
+  );
+  let buffer = &mut [0u8];
+  std::io::stdin()
+    .read_exact(buffer)
+    .context("failed to read ENTER")?;
+  Ok(())
+}
+
+/// Sanitizes uris of the form:
+/// `protocol://username:password@address`
+fn sanitize_uri(uri: &str) -> String {
+  // protocol: `mongodb`
+  // credentials_address: `username:password@address`
+  let Some((protocol, credentials_address)) = uri.split_once("://")
+  else {
+    // If no protocol, return as-is
+    return uri.to_string();
+  };
+
+  // credentials: `username:password`
+  let Some((credentials, address)) =
+    credentials_address.split_once('@')
+  else {
+    // If no credentials, return as-is
+    return uri.to_string();
+  };
+
+  match credentials.split_once(':') {
+    Some((username, _)) => {
+      format!("{protocol}://{username}:*****@{address}")
+    }
+    None => {
+      format!("{protocol}://*****@{address}")
+    }
+  }
+}
+
+fn print_items<T: PrintTable + Serialize>(
+  items: Vec<T>,
+  format: CliFormat,
+  links: bool,
+) -> anyhow::Result<()> {
+  match format {
+    CliFormat::Table => {
+      let mut table = Table::new();
+      let preset = {
+        use comfy_table::presets::*;
+        match cli_config().table_borders {
+          None | Some(CliTableBorders::Horizontal) => {
+            UTF8_HORIZONTAL_ONLY
+          }
+          Some(CliTableBorders::Vertical) => UTF8_FULL_CONDENSED,
+          Some(CliTableBorders::Inside) => UTF8_NO_BORDERS,
+          Some(CliTableBorders::Outside) => UTF8_BORDERS_ONLY,
+          Some(CliTableBorders::All) => UTF8_FULL,
+        }
+      };
+      table.load_preset(preset).set_header(
+        T::header(links)
+          .iter()
+          .map(|h| Cell::new(h).add_attribute(Attribute::Bold)),
+      );
+      for item in items {
+        table.add_row(item.row(links));
+      }
+      println!("{table}");
+    }
+    CliFormat::Json => {
+      println!(
+        "{}",
+        serde_json::to_string_pretty(&items)
+          .context("Failed to serialize items to JSON")?
+      );
+    }
+  }
+  Ok(())
+}
+
+trait PrintTable {
+  fn header(links: bool) -> &'static [&'static str];
+  fn row(self, links: bool) -> Vec<Cell>;
+}
+
+fn parse_wildcards(items: &[String]) -> Vec<Wildcard<'_>> {
+  items
+    .iter()
+    .flat_map(|i| {
+      Wildcard::new(i.as_bytes()).inspect_err(|e| {
+        warn!("Failed to parse wildcard: {i} | {e:?}")
+      })
+    })
+    .collect::<Vec<_>>()
+}
+
+fn matches_wildcards(
+  wildcards: &[Wildcard<'_>],
+  items: &[&str],
+) -> bool {
+  if wildcards.is_empty() {
+    return true;
+  }
+  items.iter().any(|item| {
+    wildcards.iter().any(|wc| wc.is_match(item.as_bytes()))
+  })
+}
+
+fn format_timetamp(ts: i64) -> anyhow::Result<String> {
+  let ts = chrono::Local
+    .timestamp_millis_opt(ts)
+    .single()
+    .context("Invalid ts")?
+    .format("%m/%d %H:%M:%S")
+    .to_string();
+  Ok(ts)
+}
+
+fn clamp_sha(maybe_sha: &str) -> String {
+  if maybe_sha.starts_with("sha256:") {
+    maybe_sha[0..20].to_string() + "..."
+  } else {
+    maybe_sha.to_string()
+  }
+}
+
+// fn text_link(link: &str, text: &str) -> String {
+//   format!("\x1b]8;;{link}\x07{text}\x1b]8;;\x07")
+// }

bin/cli/src/command/update/mod.rs

@@ -0,0 +1,43 @@
+use komodo_client::entities::{
+  build::PartialBuildConfig,
+  config::cli::args::update::UpdateCommand,
+  deployment::PartialDeploymentConfig, repo::PartialRepoConfig,
+  server::PartialServerConfig, stack::PartialStackConfig,
+  sync::PartialResourceSyncConfig,
+};
+
+mod resource;
+mod user;
+mod variable;
+
+pub async fn handle(command: &UpdateCommand) -> anyhow::Result<()> {
+  match command {
+    UpdateCommand::Build(update) => {
+      resource::update::<PartialBuildConfig>(update).await
+    }
+    UpdateCommand::Deployment(update) => {
+      resource::update::<PartialDeploymentConfig>(update).await
+    }
+    UpdateCommand::Repo(update) => {
+      resource::update::<PartialRepoConfig>(update).await
+    }
+    UpdateCommand::Server(update) => {
+      resource::update::<PartialServerConfig>(update).await
+    }
+    UpdateCommand::Stack(update) => {
+      resource::update::<PartialStackConfig>(update).await
+    }
+    UpdateCommand::Sync(update) => {
+      resource::update::<PartialResourceSyncConfig>(update).await
+    }
+    UpdateCommand::Variable {
+      name,
+      value,
+      secret,
+      yes,
+    } => variable::update(name, value, *secret, *yes).await,
+    UpdateCommand::User { username, command } => {
+      user::update(username, command).await
+    }
+  }
+}

bin/cli/src/command/update/resource.rs

@@ -0,0 +1,152 @@
+use anyhow::Context;
+use colored::Colorize;
+use komodo_client::{
+  api::write::{
+    UpdateBuild, UpdateDeployment, UpdateRepo, UpdateResourceSync,
+    UpdateServer, UpdateStack,
+  },
+  entities::{
+    build::PartialBuildConfig,
+    config::cli::args::update::UpdateResource,
+    deployment::PartialDeploymentConfig, repo::PartialRepoConfig,
+    server::PartialServerConfig, stack::PartialStackConfig,
+    sync::PartialResourceSyncConfig,
+  },
+};
+use serde::{Serialize, de::DeserializeOwned};
+
+pub async fn update<
+  T: std::fmt::Debug + Serialize + DeserializeOwned + ResourceUpdate,
+>(
+  UpdateResource {
+    resource,
+    update,
+    yes,
+  }: &UpdateResource,
+) -> anyhow::Result<()> {
+  println!("\n{}: Update {}\n", "Mode".dimmed(), T::resource_type());
+  println!(" - {}: {resource}", "Name".dimmed());
+
+  let config = serde_qs::from_str::<T>(update)
+    .context("Failed to deserialize config")?;
+
+  match serde_json::to_string_pretty(&config) {
+    Ok(config) => {
+      println!(" - {}: {config}", "Update".dimmed());
+    }
+    Err(_) => {
+      println!(" - {}: {config:#?}", "Update".dimmed());
+    }
+  }
+
+  crate::command::wait_for_enter("update resource", *yes)?;
+
+  config.apply(resource).await
+}
+
+pub trait ResourceUpdate {
+  fn resource_type() -> &'static str;
+  async fn apply(self, resource: &str) -> anyhow::Result<()>;
+}
+
+impl ResourceUpdate for PartialBuildConfig {
+  fn resource_type() -> &'static str {
+    "Build"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateBuild {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update build config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialDeploymentConfig {
+  fn resource_type() -> &'static str {
+    "Deployment"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateDeployment {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update deployment config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialRepoConfig {
+  fn resource_type() -> &'static str {
+    "Repo"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateRepo {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update repo config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialServerConfig {
+  fn resource_type() -> &'static str {
+    "Server"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateServer {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update server config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialStackConfig {
+  fn resource_type() -> &'static str {
+    "Stack"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateStack {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update stack config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialResourceSyncConfig {
+  fn resource_type() -> &'static str {
+    "Sync"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateResourceSync {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update sync config")?;
+    Ok(())
+  }
+}

bin/cli/src/command/update/user.rs

@@ -0,0 +1,122 @@
+use anyhow::Context;
+use colored::Colorize;
+use database::mungos::mongodb::bson::doc;
+use komodo_client::entities::{
+  config::{
+    cli::args::{CliEnabled, update::UpdateUserCommand},
+    empty_or_redacted,
+  },
+  optional_string,
+};
+
+use crate::{command::sanitize_uri, config::cli_config};
+
+pub async fn update(
+  username: &str,
+  command: &UpdateUserCommand,
+) -> anyhow::Result<()> {
+  match command {
+    UpdateUserCommand::Password {
+      password,
+      unsanitized,
+      yes,
+    } => {
+      update_password(username, password, *unsanitized, *yes).await
+    }
+    UpdateUserCommand::SuperAdmin { enabled, yes } => {
+      update_super_admin(username, *enabled, *yes).await
+    }
+  }
+}
+
+async fn update_password(
+  username: &str,
+  password: &str,
+  unsanitized: bool,
+  yes: bool,
+) -> anyhow::Result<()> {
+  println!("\n{}: Update Password\n", "Mode".dimmed());
+  println!(" - {}: {username}", "Username".dimmed());
+  if unsanitized {
+    println!(" - {}: {password}", "Password".dimmed());
+  } else {
+    println!(
+      " - {}: {}",
+      "Password".dimmed(),
+      empty_or_redacted(password)
+    );
+  }
+
+  crate::command::wait_for_enter("update password", yes)?;
+
+  info!("Updating password...");
+
+  let db = database::Client::new(&cli_config().database).await?;
+
+  let user = db
+    .users
+    .find_one(doc! { "username": username })
+    .await
+    .context("Failed to query database for user")?
+    .context("No user found with given username")?;
+
+  db.set_user_password(&user, password).await?;
+
+  info!("Password updated ✅");
+
+  Ok(())
+}
+
+async fn update_super_admin(
+  username: &str,
+  super_admin: CliEnabled,
+  yes: bool,
+) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!("\n{}: Update Super Admin\n", "Mode".dimmed());
+  println!(" - {}: {username}", "Username".dimmed());
+  println!(" - {}: {super_admin}\n", "Super Admin".dimmed());
+
+  if let Some(uri) = optional_string(&config.database.uri) {
+    println!("{}: {}", " - Source URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) = optional_string(&config.database.address) {
+    println!("{}: {address}", " - Source Address".dimmed());
+  }
+  if let Some(username) = optional_string(&config.database.username) {
+    println!("{}: {username}", " - Source Username".dimmed());
+  }
+  println!(
+    "{}: {}",
+    " - Source Db Name".dimmed(),
+    config.database.db_name,
+  );
+
+  crate::command::wait_for_enter("update super admin", yes)?;
+
+  info!("Updating super admin...");
+
+  let db = database::Client::new(&config.database).await?;
+
+  // Make sure the user exists first before saying it is successful.
+  let user = db
+    .users
+    .find_one(doc! { "username": username })
+    .await
+    .context("Failed to query database for user")?
+    .context("No user found with given username")?;
+
+  let super_admin: bool = super_admin.into();
+  db.users
+    .update_one(
+      doc! { "username": user.username },
+      doc! { "$set": { "super_admin": super_admin } },
+    )
+    .await
+    .context("Failed to update user super admin on db")?;
+
+  info!("Super admin updated ✅");
+
+  Ok(())
+}

bin/cli/src/command/update/variable.rs

@@ -0,0 +1,70 @@
+use anyhow::Context;
+use colored::Colorize;
+use komodo_client::api::{
+  read::GetVariable,
+  write::{
+    CreateVariable, UpdateVariableIsSecret, UpdateVariableValue,
+  },
+};
+
+pub async fn update(
+  name: &str,
+  value: &str,
+  secret: Option<bool>,
+  yes: bool,
+) -> anyhow::Result<()> {
+  println!("\n{}: Update Variable\n", "Mode".dimmed());
+  println!(" - {}:  {name}", "Name".dimmed());
+  println!(" - {}: {value}", "Value".dimmed());
+  if let Some(secret) = secret {
+    println!(" - {}: {secret}", "Is Secret".dimmed());
+  }
+
+  crate::command::wait_for_enter("update variable", yes)?;
+
+  let client = crate::command::komodo_client().await?;
+
+  let Ok(existing) = client
+    .read(GetVariable {
+      name: name.to_string(),
+    })
+    .await
+  else {
+    // Create the variable
+    client
+      .write(CreateVariable {
+        name: name.to_string(),
+        value: value.to_string(),
+        is_secret: secret.unwrap_or_default(),
+        description: Default::default(),
+      })
+      .await
+      .context("Failed to create variable")?;
+    info!("Variable created ✅");
+    return Ok(());
+  };
+
+  client
+    .write(UpdateVariableValue {
+      name: name.to_string(),
+      value: value.to_string(),
+    })
+    .await
+    .context("Failed to update variable 'value'")?;
+  info!("Variable 'value' updated ✅");
+
+  let Some(secret) = secret else { return Ok(()) };
+
+  if secret != existing.is_secret {
+    client
+      .write(UpdateVariableIsSecret {
+        name: name.to_string(),
+        is_secret: secret,
+      })
+      .await
+      .context("Failed to update variable 'is_secret'")?;
+    info!("Variable 'is_secret' updated to {secret} ✅");
+  }
+
+  Ok(())
+}

bin/cli/src/config.rs

@@ -0,0 +1,274 @@
+use std::{path::PathBuf, sync::OnceLock};
+
+use anyhow::Context;
+use clap::Parser;
+use colored::Colorize;
+use environment_file::maybe_read_item_from_file;
+use komodo_client::entities::{
+  config::{
+    DatabaseConfig,
+    cli::{
+      CliConfig, Env,
+      args::{CliArgs, Command, Execute, database::DatabaseCommand},
+    },
+  },
+  logger::LogConfig,
+};
+
+pub fn cli_args() -> &'static CliArgs {
+  static CLI_ARGS: OnceLock<CliArgs> = OnceLock::new();
+  CLI_ARGS.get_or_init(CliArgs::parse)
+}
+
+pub fn cli_env() -> &'static Env {
+  static CLI_ARGS: OnceLock<Env> = OnceLock::new();
+  CLI_ARGS.get_or_init(|| {
+    match envy::from_env()
+      .context("Failed to parse Komodo CLI environment")
+    {
+      Ok(env) => env,
+      Err(e) => {
+        panic!("{e:?}");
+      }
+    }
+  })
+}
+
+pub fn cli_config() -> &'static CliConfig {
+  static CLI_CONFIG: OnceLock<CliConfig> = OnceLock::new();
+  CLI_CONFIG.get_or_init(|| {
+    let args = cli_args();
+    let env = cli_env().clone();
+    let config_paths = args
+      .config_path
+      .clone()
+      .unwrap_or(env.komodo_cli_config_paths);
+    let debug_startup =
+      args.debug_startup.unwrap_or(env.komodo_cli_debug_startup);
+
+    if debug_startup {
+      println!(
+        "{}: Komodo CLI version: {}",
+        "DEBUG".cyan(),
+        env!("CARGO_PKG_VERSION").blue().bold()
+      );
+      println!(
+        "{}: {}: {config_paths:?}",
+        "DEBUG".cyan(),
+        "Config Paths".dimmed(),
+      );
+    }
+
+    let config_keywords = args
+      .config_keyword
+      .clone()
+      .unwrap_or(env.komodo_cli_config_keywords);
+    let config_keywords = config_keywords
+      .iter()
+      .map(String::as_str)
+      .collect::<Vec<_>>();
+    if debug_startup {
+      println!(
+        "{}: {}: {config_keywords:?}",
+        "DEBUG".cyan(),
+        "Config File Keywords".dimmed(),
+      );
+    }
+    let mut unparsed_config = (config::ConfigLoader {
+      paths: &config_paths
+        .iter()
+        .map(PathBuf::as_path)
+        .collect::<Vec<_>>(),
+      match_wildcards: &config_keywords,
+      include_file_name: ".kminclude",
+      merge_nested: env.komodo_cli_merge_nested_config,
+      extend_array: env.komodo_cli_extend_config_arrays,
+      debug_print: debug_startup,
+    })
+    .load::<serde_json::Map<String, serde_json::Value>>()
+    .expect("failed at parsing config from paths");
+    let init_parsed_config = serde_json::from_value::<CliConfig>(
+      serde_json::Value::Object(unparsed_config.clone()),
+    )
+    .context("Failed to parse config")
+    .unwrap();
+
+    let (host, key, secret) = match &args.command {
+      Command::Execute(Execute {
+        host, key, secret, ..
+      }) => (host.clone(), key.clone(), secret.clone()),
+      _ => (None, None, None),
+    };
+
+    let backups_folder = match &args.command {
+      Command::Database {
+        command: DatabaseCommand::Backup { backups_folder, .. },
+      } => backups_folder.clone(),
+      Command::Database {
+        command: DatabaseCommand::Restore { backups_folder, .. },
+      } => backups_folder.clone(),
+      _ => None,
+    };
+    let (uri, address, username, password, db_name) =
+      match &args.command {
+        Command::Database {
+          command:
+            DatabaseCommand::Copy {
+              uri,
+              address,
+              username,
+              password,
+              db_name,
+              ..
+            },
+        } => (
+          uri.clone(),
+          address.clone(),
+          username.clone(),
+          password.clone(),
+          db_name.clone(),
+        ),
+        _ => (None, None, None, None, None),
+      };
+
+    let profile = args
+      .profile
+      .as_ref()
+      .or(init_parsed_config.default_profile.as_ref());
+
+    let unparsed_config = if let Some(profile) = profile
+      && !profile.is_empty()
+    {
+      // Find the profile config,
+      // then merge it with the Default config.
+      let serde_json::Value::Array(profiles) = unparsed_config
+        .remove("profile")
+        .context("Config has no profiles, but a profile is required")
+        .unwrap()
+      else {
+        panic!("`config.profile` is not array");
+      };
+      let Some(profile_config) = profiles.into_iter().find(|p| {
+        let Ok(parsed) =
+          serde_json::from_value::<CliConfig>(p.clone())
+        else {
+          return false;
+        };
+        &parsed.config_profile == profile
+          || parsed
+            .config_aliases
+            .iter()
+            .any(|alias| alias == profile)
+      }) else {
+        panic!("No profile matching '{profile}' was found.");
+      };
+      let serde_json::Value::Object(profile_config) = profile_config
+      else {
+        panic!("Profile config is not Object type.");
+      };
+      config::merge_config(
+        unparsed_config,
+        profile_config.clone(),
+        env.komodo_cli_merge_nested_config,
+        env.komodo_cli_extend_config_arrays,
+      )
+      .unwrap_or(profile_config)
+    } else {
+      unparsed_config
+    };
+    let config = serde_json::from_value::<CliConfig>(
+      serde_json::Value::Object(unparsed_config),
+    )
+    .context("Failed to parse final config")
+    .unwrap();
+    let config_profile = if config.config_profile.is_empty() {
+      String::from("None")
+    } else {
+      config.config_profile
+    };
+
+    CliConfig {
+      config_profile,
+      config_aliases: config.config_aliases,
+      default_profile: config.default_profile,
+      table_borders: env
+        .komodo_cli_table_borders
+        .or(config.table_borders),
+      host: host
+        .or(env.komodo_cli_host)
+        .or(env.komodo_host)
+        .unwrap_or(config.host),
+      cli_key: key.or(env.komodo_cli_key).or(config.cli_key),
+      cli_secret: secret
+        .or(env.komodo_cli_secret)
+        .or(config.cli_secret),
+      backups_folder: backups_folder
+        .or(env.komodo_cli_backups_folder)
+        .unwrap_or(config.backups_folder),
+      max_backups: env
+        .komodo_cli_max_backups
+        .unwrap_or(config.max_backups),
+      database_target: DatabaseConfig {
+        uri: uri
+          .or(env.komodo_cli_database_target_uri)
+          .unwrap_or(config.database_target.uri),
+        address: address
+          .or(env.komodo_cli_database_target_address)
+          .unwrap_or(config.database_target.address),
+        username: username
+          .or(env.komodo_cli_database_target_username)
+          .unwrap_or(config.database_target.username),
+        password: password
+          .or(env.komodo_cli_database_target_password)
+          .unwrap_or(config.database_target.password),
+        db_name: db_name
+          .or(env.komodo_cli_database_target_db_name)
+          .unwrap_or(config.database_target.db_name),
+        app_name: config.database_target.app_name,
+      },
+      database: DatabaseConfig {
+        uri: maybe_read_item_from_file(
+          env.komodo_database_uri_file,
+          env.komodo_database_uri,
+        )
+        .unwrap_or(config.database.uri),
+        address: env
+          .komodo_database_address
+          .unwrap_or(config.database.address),
+        username: maybe_read_item_from_file(
+          env.komodo_database_username_file,
+          env.komodo_database_username,
+        )
+        .unwrap_or(config.database.username),
+        password: maybe_read_item_from_file(
+          env.komodo_database_password_file,
+          env.komodo_database_password,
+        )
+        .unwrap_or(config.database.password),
+        db_name: env
+          .komodo_database_db_name
+          .unwrap_or(config.database.db_name),
+        app_name: config.database.app_name,
+      },
+      cli_logging: LogConfig {
+        level: env
+          .komodo_cli_logging_level
+          .unwrap_or(config.cli_logging.level),
+        stdio: env
+          .komodo_cli_logging_stdio
+          .unwrap_or(config.cli_logging.stdio),
+        pretty: env
+          .komodo_cli_logging_pretty
+          .unwrap_or(config.cli_logging.pretty),
+        location: false,
+        otlp_endpoint: env
+          .komodo_cli_logging_otlp_endpoint
+          .unwrap_or(config.cli_logging.otlp_endpoint),
+        opentelemetry_service_name: env
+          .komodo_cli_logging_opentelemetry_service_name
+          .unwrap_or(config.cli_logging.opentelemetry_service_name),
+      },
+      profile: config.profile,
+    }
+  })
+}

bin/cli/src/exec.rs

@@ -1,485 +0,0 @@
-use std::time::Duration;
-
-use colored::Colorize;
-use komodo_client::{
-  api::execute::{BatchExecutionResponse, Execution},
-  entities::update::Update,
-};
-
-use crate::{
-  helpers::wait_for_enter,
-  state::{cli_args, komodo_client},
-};
-
-pub enum ExecutionResult {
-  Single(Update),
-  Batch(BatchExecutionResponse),
-}
-
-pub async fn run(execution: Execution) -> anyhow::Result<()> {
-  if matches!(execution, Execution::None(_)) {
-    println!("Got 'none' execution. Doing nothing...");
-    tokio::time::sleep(Duration::from_secs(3)).await;
-    println!("Finished doing nothing. Exiting...");
-    std::process::exit(0);
-  }
-
-  println!("\n{}: Execution", "Mode".dimmed());
-  match &execution {
-    Execution::None(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::RunAction(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::BatchRunAction(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::RunProcedure(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::BatchRunProcedure(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::RunBuild(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::BatchRunBuild(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::CancelBuild(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::Deploy(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::BatchDeploy(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PullDeployment(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::StartDeployment(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::RestartDeployment(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PauseDeployment(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::UnpauseDeployment(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::StopDeployment(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::DestroyDeployment(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::BatchDestroyDeployment(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::CloneRepo(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::BatchCloneRepo(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PullRepo(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::BatchPullRepo(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::BuildRepo(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::BatchBuildRepo(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::CancelRepoBuild(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::StartContainer(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::RestartContainer(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PauseContainer(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::UnpauseContainer(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::StopContainer(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::DestroyContainer(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::StartAllContainers(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::RestartAllContainers(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PauseAllContainers(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::UnpauseAllContainers(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::StopAllContainers(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PruneContainers(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::DeleteNetwork(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PruneNetworks(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::DeleteImage(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PruneImages(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::DeleteVolume(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PruneVolumes(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PruneDockerBuilders(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PruneBuildx(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PruneSystem(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::RunSync(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::CommitSync(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::DeployStack(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::BatchDeployStack(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::DeployStackIfChanged(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::BatchDeployStackIfChanged(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PullStack(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::StartStack(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::RestartStack(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PauseStack(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::UnpauseStack(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::StopStack(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::DestroyStack(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::BatchDestroyStack(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::TestAlerter(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::Sleep(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-  }
-
-  if !cli_args().yes {
-    wait_for_enter("run execution")?;
-  }
-
-  info!("Running Execution...");
-
-  let res = match execution {
-    Execution::RunAction(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::BatchRunAction(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::RunProcedure(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::BatchRunProcedure(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::RunBuild(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::BatchRunBuild(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::CancelBuild(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::Deploy(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::BatchDeploy(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::PullDeployment(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::StartDeployment(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::RestartDeployment(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::PauseDeployment(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::UnpauseDeployment(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::StopDeployment(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::DestroyDeployment(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::BatchDestroyDeployment(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::CloneRepo(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::BatchCloneRepo(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::PullRepo(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::BatchPullRepo(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::BuildRepo(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::BatchBuildRepo(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::CancelRepoBuild(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::StartContainer(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::RestartContainer(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::PauseContainer(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::UnpauseContainer(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::StopContainer(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::DestroyContainer(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::StartAllContainers(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::RestartAllContainers(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::PauseAllContainers(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::UnpauseAllContainers(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::StopAllContainers(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::PruneContainers(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::DeleteNetwork(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::PruneNetworks(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::DeleteImage(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::PruneImages(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::DeleteVolume(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::PruneVolumes(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::PruneDockerBuilders(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::PruneBuildx(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::PruneSystem(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::RunSync(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::CommitSync(request) => komodo_client()
-      .write(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::DeployStack(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::BatchDeployStack(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::DeployStackIfChanged(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::BatchDeployStackIfChanged(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::PullStack(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::StartStack(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::RestartStack(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::PauseStack(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::UnpauseStack(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::StopStack(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::DestroyStack(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::BatchDestroyStack(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Batch),
-    Execution::TestAlerter(request) => komodo_client()
-      .execute(request)
-      .await
-      .map(ExecutionResult::Single),
-    Execution::Sleep(request) => {
-      let duration =
-        Duration::from_millis(request.duration_ms as u64);
-      tokio::time::sleep(duration).await;
-      println!("Finished sleeping!");
-      std::process::exit(0)
-    }
-    Execution::None(_) => unreachable!(),
-  };
-
-  match res {
-    Ok(ExecutionResult::Single(update)) => {
-      println!("\n{}: {update:#?}", "SUCCESS".green())
-    }
-    Ok(ExecutionResult::Batch(update)) => {
-      println!("\n{}: {update:#?}", "SUCCESS".green())
-    }
-    Err(e) => println!("{}\n\n{e:#?}", "ERROR".red()),
-  }
-
-  Ok(())
-}

bin/cli/src/helpers.rs

@@ -1,17 +0,0 @@
-use std::io::Read;
-
-use anyhow::Context;
-use colored::Colorize;
-
-pub fn wait_for_enter(press_enter_to: &str) -> anyhow::Result<()> {
-  println!(
-    "\nPress {} to {}\n",
-    "ENTER".green(),
-    press_enter_to.bold()
-  );
-  let buffer = &mut [0u8];
-  std::io::stdin()
-    .read_exact(buffer)
-    .context("failed to read ENTER")?;
-  Ok(())
-}

bin/cli/src/main.rs

@@ -1,32 +1,72 @@
 #[macro_use]
 extern crate tracing;
 
-use colored::Colorize;
-use komodo_client::api::read::GetVersion;
+use anyhow::Context;
+use komodo_client::entities::config::cli::args;
 
-mod args;
-mod exec;
-mod helpers;
-mod state;
+use crate::config::cli_config;
+
+mod command;
+mod config;
+
+async fn app() -> anyhow::Result<()> {
+  dotenvy::dotenv().ok();
+  logger::init(&config::cli_config().cli_logging)?;
+  let args = config::cli_args();
+  let env = config::cli_env();
+  let debug_load =
+    args.debug_startup.unwrap_or(env.komodo_cli_debug_startup);
+
+  match &args.command {
+    args::Command::Config {
+      all_profiles,
+      unsanitized,
+    } => {
+      let mut config = if *unsanitized {
+        cli_config().clone()
+      } else {
+        cli_config().sanitized()
+      };
+      if !*all_profiles {
+        config.profile = Default::default();
+      }
+      if debug_load {
+        println!("\n{config:#?}");
+      } else {
+        println!(
+          "\nCLI Config {}",
+          serde_json::to_string_pretty(&config)
+            .context("Failed to serialize config for pretty print")?
+        );
+      }
+      Ok(())
+    }
+    args::Command::Container(container) => {
+      command::container::handle(container).await
+    }
+    args::Command::Inspect(inspect) => {
+      command::container::inspect_container(inspect).await
+    }
+    args::Command::List(list) => command::list::handle(list).await,
+    args::Command::Execute(args) => {
+      command::execute::handle(&args.execution, args.yes).await
+    }
+    args::Command::Update { command } => {
+      command::update::handle(command).await
+    }
+    args::Command::Database { command } => {
+      command::database::handle(command).await
+    }
+  }
+}
 
 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
-  tracing_subscriber::fmt().with_target(false).init();
-
-  info!(
-    "Komodo CLI version: {}",
-    env!("CARGO_PKG_VERSION").blue().bold()
-  );
-
-  let version =
-    state::komodo_client().read(GetVersion {}).await?.version;
-  info!("Komodo Core version: {}", version.blue().bold());
-
-  match &state::cli_args().command {
-    args::Command::Execute { execution } => {
-      exec::run(execution.to_owned()).await?
-    }
+  let mut term_signal = tokio::signal::unix::signal(
+    tokio::signal::unix::SignalKind::terminate(),
+  )?;
+  tokio::select! {
+    res = tokio::spawn(app()) => res?,
+    _ = term_signal.recv() => Ok(()),
   }
-
-  Ok(())
 }

bin/cli/src/state.rs

@@ -1,48 +0,0 @@
-use std::sync::OnceLock;
-
-use clap::Parser;
-use komodo_client::KomodoClient;
-use merge_config_files::parse_config_file;
-
-pub fn cli_args() -> &'static crate::args::CliArgs {
-  static CLI_ARGS: OnceLock<crate::args::CliArgs> = OnceLock::new();
-  CLI_ARGS.get_or_init(crate::args::CliArgs::parse)
-}
-
-pub fn komodo_client() -> &'static KomodoClient {
-  static KOMODO_CLIENT: OnceLock<KomodoClient> = OnceLock::new();
-  KOMODO_CLIENT.get_or_init(|| {
-    let args = cli_args();
-    let crate::args::CredsFile { url, key, secret } =
-      match (&args.url, &args.key, &args.secret) {
-        (Some(url), Some(key), Some(secret)) => {
-          crate::args::CredsFile {
-            url: url.clone(),
-            key: key.clone(),
-            secret: secret.clone(),
-          }
-        }
-        (url, key, secret) => {
-          let mut creds: crate::args::CredsFile =
-            parse_config_file(cli_args().creds.as_str())
-              .expect("failed to parse Komodo credentials");
-
-          if let Some(url) = url {
-            creds.url.clone_from(url);
-          }
-          if let Some(key) = key {
-            creds.key.clone_from(key);
-          }
-          if let Some(secret) = secret {
-            creds.secret.clone_from(secret);
-          }
-
-          creds
-        }
-      };
-    futures::executor::block_on(
-      KomodoClient::new(url, key, secret).with_healthcheck(),
-    )
-    .expect("failed to initialize Komodo client")
-  })
-}

bin/core/Cargo.toml

@@ -18,28 +18,30 @@ path = "src/main.rs"
 komodo_client = { workspace = true, features = ["mongo"] }
 periphery_client.workspace = true
 environment_file.workspace = true
+interpolate.workspace = true
 formatting.workspace = true
+database.workspace = true
 response.workspace = true
 command.workspace = true
+config.workspace = true
 logger.workspace = true
 cache.workspace = true
 git.workspace = true
 # mogh
 serror = { workspace = true, features = ["axum"] }
-merge_config_files.workspace = true
 async_timing_util.workspace = true
 partial_derive2.workspace = true
 derive_variants.workspace = true
-mongo_indexed.workspace = true
 resolver_api.workspace = true
 toml_pretty.workspace = true
-mungos.workspace = true
 slack.workspace = true
 svi.workspace = true
 # external
 aws-credential-types.workspace = true
-ordered_hash_map.workspace = true
+tokio-tungstenite.workspace = true
+english-to-cron.workspace = true
 openidconnect.workspace = true
+jsonwebtoken.workspace = true
 axum-server.workspace = true
 urlencoding.workspace = true
 aws-sdk-ec2.workspace = true
@@ -48,11 +50,14 @@ tokio-util.workspace = true
 axum-extra.workspace = true
 tower-http.workspace = true
 serde_json.workspace = true
-serde_yaml.workspace = true
+serde_yaml_ng.workspace = true
 typeshare.workspace = true
+chrono-tz.workspace = true
+indexmap.workspace = true
 octorust.workspace = true
 wildcard.workspace = true
 arc-swap.workspace = true
+colored.workspace = true
 dashmap.workspace = true
 tracing.workspace = true
 reqwest.workspace = true
@@ -60,6 +65,8 @@ futures.workspace = true
 nom_pem.workspace = true
 dotenvy.workspace = true
 anyhow.workspace = true
+croner.workspace = true
+chrono.workspace = true
 bcrypt.workspace = true
 base64.workspace = true
 rustls.workspace = true
@@ -73,5 +80,4 @@ envy.workspace = true
 rand.workspace = true
 hmac.workspace = true
 sha2.workspace = true
-jsonwebtoken.workspace = true
 hex.workspace = true

bin/core/aio.Dockerfile

@@ -1,7 +1,8 @@
 ## All in one, multi stage compile + runtime Docker build for your architecture.
 
 # Build Core
-FROM rust:1.85.1-bullseye AS core-builder
+FROM rust:1.89.0-bullseye AS core-builder
+RUN cargo install cargo-strip
 
 WORKDIR /builder
 COPY Cargo.toml Cargo.lock ./
@@ -9,9 +10,12 @@ COPY ./lib ./lib
 COPY ./client/core/rs ./client/core/rs
 COPY ./client/periphery ./client/periphery
 COPY ./bin/core ./bin/core
+COPY ./bin/cli ./bin/cli
 
 # Compile app
-RUN cargo build -p komodo_core --release
+RUN cargo build -p komodo_core --release && \
+  cargo build -p komodo_cli --release && \
+  cargo strip
 
 # Build Frontend
 FROM node:20.12-alpine AS frontend-builder
@@ -24,18 +28,18 @@ RUN cd frontend && yarn link komodo_client && yarn && yarn build
 # Final Image
 FROM debian:bullseye-slim
 
-# Install Deps
-RUN apt update && \
-  apt install -y git ca-certificates && \
-  rm -rf /var/lib/apt/lists/*
+COPY ./bin/core/starship.toml /starship.toml
+COPY ./bin/core/debian-deps.sh .
+RUN sh ./debian-deps.sh && rm ./debian-deps.sh
 
 # Setup an application directory
 WORKDIR /app
 
 # Copy
-COPY ./config/core.config.toml /config/config.toml
+COPY ./config/core.config.toml /config/.default.config.toml
 COPY --from=frontend-builder /builder/frontend/dist /app/frontend
 COPY --from=core-builder /builder/target/release/core /usr/local/bin/core
+COPY --from=core-builder /builder/target/release/km /usr/local/bin/km
 COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
 
 # Set $DENO_DIR and preload external Deno deps
@@ -47,9 +51,13 @@ RUN mkdir /action-cache && \
 # Hint at the port
 EXPOSE 9120
 
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+# This ensures any `komodo.cli.*` takes precedence over the Core `/config/*config.*`
+ENV KOMODO_CLI_CONFIG_KEYWORDS="*config.*,*komodo.cli*.*"
+
+CMD [ "core" ]
+
 # Label for Ghcr
 LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
 LABEL org.opencontainers.image.description="Komodo Core"
 LABEL org.opencontainers.image.licenses=GPL-3.0
-
-ENTRYPOINT [ "core" ]

bin/core/debian-deps.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+## Core deps installer
+
+apt-get update
+apt-get install -y git curl ca-certificates iproute2
+
+rm -rf /var/lib/apt/lists/*
+
+# Starship prompt
+curl -sS https://starship.rs/install.sh | sh -s -- --yes --bin-dir /usr/local/bin
+echo 'export STARSHIP_CONFIG=/starship.toml' >> /root/.bashrc
+echo 'eval "$(starship init bash)"' >> /root/.bashrc
+

bin/core/multi-arch.Dockerfile

@@ -15,21 +15,26 @@ FROM ${FRONTEND_IMAGE} AS frontend
 # Final Image
 FROM debian:bullseye-slim
 
-# Install Deps
-RUN apt update && \
-  apt install -y git ca-certificates && \
-  rm -rf /var/lib/apt/lists/*
+COPY ./bin/core/starship.toml /starship.toml
+COPY ./bin/core/debian-deps.sh .
+RUN sh ./debian-deps.sh && rm ./debian-deps.sh
 
 WORKDIR /app
 
-# Copy both binaries initially, but only keep appropriate one for the TARGETPLATFORM.
-COPY --from=x86_64 /core /app/arch/linux/amd64
-COPY --from=aarch64 /core /app/arch/linux/arm64
 ARG TARGETPLATFORM
-RUN mv /app/arch/${TARGETPLATFORM} /usr/local/bin/core && rm -r /app/arch
+
+# Copy both binaries initially, but only keep appropriate one for the TARGETPLATFORM.
+COPY --from=x86_64 /core /app/core/linux/amd64
+COPY --from=aarch64 /core /app/core/linux/arm64
+RUN mv /app/core/${TARGETPLATFORM} /usr/local/bin/core && rm -r /app/core
+
+# Same for util
+COPY --from=x86_64 /km /app/km/linux/amd64
+COPY --from=aarch64 /km /app/km/linux/arm64
+RUN mv /app/km/${TARGETPLATFORM} /usr/local/bin/km && rm -r /app/km
 
 # Copy default config / static frontend / deno binary
-COPY ./config/core.config.toml /config/config.toml
+COPY ./config/core.config.toml /config/.default.config.toml
 COPY --from=frontend /frontend /app/frontend
 COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
 
@@ -42,9 +47,13 @@ RUN mkdir /action-cache && \
 # Hint at the port
 EXPOSE 9120
 
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+# This ensures any `komodo.cli.*` takes precedence over the Core `/config/*config.*`
+ENV KOMODO_CLI_CONFIG_KEYWORDS="*config.*,*komodo.cli*.*"
+
+CMD [ "core" ]
+
 # Label for Ghcr
 LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
 LABEL org.opencontainers.image.description="Komodo Core"
 LABEL org.opencontainers.image.licenses=GPL-3.0
-
-CMD [ "core" ]

bin/core/single-arch.Dockerfile

@@ -16,15 +16,15 @@ RUN cd frontend && yarn link komodo_client && yarn && yarn build
 
 FROM debian:bullseye-slim
 
-# Install Deps
-RUN apt update && \
-	apt install -y git ca-certificates && \
-	rm -rf /var/lib/apt/lists/*
+COPY ./bin/core/starship.toml /starship.toml
+COPY ./bin/core/debian-deps.sh .
+RUN sh ./debian-deps.sh && rm ./debian-deps.sh
 	
 # Copy
-COPY ./config/core.config.toml /config/config.toml
+COPY ./config/core.config.toml /config/.default.config.toml
 COPY --from=frontend-builder /builder/frontend/dist /app/frontend
 COPY --from=binaries /core /usr/local/bin/core
+COPY --from=binaries /km /usr/local/bin/km
 COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
 
 # Set $DENO_DIR and preload external Deno deps
@@ -36,9 +36,13 @@ RUN mkdir /action-cache && \
 # Hint at the port
 EXPOSE 9120
 
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+# This ensures any `komodo.cli.*` takes precedence over the Core `/config/*config.*`
+ENV KOMODO_CLI_CONFIG_KEYWORDS="*config.*,*komodo.cli*.*"
+
+CMD [ "core" ]
+
 # Label for Ghcr
 LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
 LABEL org.opencontainers.image.description="Komodo Core"
 LABEL org.opencontainers.image.licenses=GPL-3.0
-
-CMD [ "core" ]

bin/core/src/alert/discord.rs

@@ -17,6 +17,28 @@ pub async fn send_alert(
         "{level} | If you see this message, then Alerter **{name}** is **working**\n{link}"
       )
     }
+    AlertData::ServerVersionMismatch {
+      id,
+      name,
+      region,
+      server_version,
+      core_version,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | **{name}**{region} | Periphery version now matches Core version ✅\n{link}"
+          )
+        }
+        _ => {
+          format!(
+            "{level} | **{name}**{region} | Version mismatch detected ⚠️\nPeriphery: **{server_version}** | Core: **{core_version}**\n{link}"
+          )
+        }
+      }
+    }
     AlertData::ServerUnreachable {
       id,
       name,
@@ -189,10 +211,59 @@ pub async fn send_alert(
       let link = resource_link(ResourceTargetVariant::Repo, id);
       format!("{level} | Repo build for **{name}** failed\n{link}")
     }
+    AlertData::ProcedureFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Procedure, id);
+      format!("{level} | Procedure **{name}** failed\n{link}")
+    }
+    AlertData::ActionFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Action, id);
+      format!("{level} | Action **{name}** failed\n{link}")
+    }
+    AlertData::ScheduleRun {
+      resource_type,
+      id,
+      name,
+    } => {
+      let link = resource_link(*resource_type, id);
+      format!(
+        "{level} | **{name}** ({resource_type}) | Scheduled run started 🕝\n{link}"
+      )
+    }
+    AlertData::Custom { message, details } => {
+      format!(
+        "{level} | {message}{}",
+        if details.is_empty() {
+          format_args!("")
+        } else {
+          format_args!("\n{details}")
+        }
+      )
+    }
     AlertData::None {} => Default::default(),
   };
   if !content.is_empty() {
-    send_message(url, &content).await?;
+    let VariablesAndSecrets { variables, secrets } =
+      get_variables_and_secrets().await?;
+    let mut url_interpolated = url.to_string();
+
+    let mut interpolator =
+      Interpolator::new(Some(&variables), &secrets);
+
+    interpolator.interpolate_string(&mut url_interpolated)?;
+
+    send_message(&url_interpolated, &content)
+      .await
+      .map_err(|e| {
+        let replacers = interpolator
+          .secret_replacers
+          .into_iter()
+          .collect::<Vec<_>>();
+        let sanitized_error =
+          svi::replace_in_string(&format!("{e:?}"), &replacers);
+        anyhow::Error::msg(format!(
+          "Error with slack request: {sanitized_error}"
+        ))
+      })?;
   }
   Ok(())
 }

bin/core/src/alert/mod.rs

@@ -1,23 +1,28 @@
 use ::slack::types::Block;
 use anyhow::{Context, anyhow};
+use database::mungos::{find::find_collect, mongodb::bson::doc};
 use derive_variants::ExtractVariant;
 use futures::future::join_all;
+use interpolate::Interpolator;
 use komodo_client::entities::{
   ResourceTargetVariant,
   alert::{Alert, AlertData, AlertDataVariant, SeverityLevel},
   alerter::*,
   deployment::DeploymentState,
+  komodo_timestamp,
   stack::StackState,
 };
-use mungos::{find::find_collect, mongodb::bson::doc};
-use std::collections::HashSet;
 use tracing::Instrument;
 
-use crate::helpers::interpolate::interpolate_variables_secrets_into_string;
 use crate::helpers::query::get_variables_and_secrets;
+use crate::helpers::{
+  maintenance::is_in_maintenance, query::VariablesAndSecrets,
+};
 use crate::{config::core_config, state::db_client};
 
 mod discord;
+mod ntfy;
+mod pushover;
 mod slack;
 
 #[instrument(level = "debug")]
@@ -43,8 +48,9 @@ pub async fn send_alerts(alerts: &[Alert]) {
       return;
     };
 
-    let handles =
-      alerts.iter().map(|alert| send_alert(&alerters, alert));
+    let handles = alerts
+      .iter()
+      .map(|alert| send_alert_to_alerters(&alerters, alert));
 
     join_all(handles).await;
   }
@@ -53,7 +59,7 @@ pub async fn send_alerts(alerts: &[Alert]) {
 }
 
 #[instrument(level = "debug")]
-async fn send_alert(alerters: &[Alerter], alert: &Alert) {
+async fn send_alert_to_alerters(alerters: &[Alerter], alert: &Alert) {
   if alerters.is_empty() {
     return;
   }
@@ -78,6 +84,13 @@ pub async fn send_alert_to_alerter(
     return Ok(());
   }
 
+  if is_in_maintenance(
+    &alerter.config.maintenance_windows,
+    komodo_timestamp(),
+  ) {
+    return Ok(());
+  }
+
   let alert_type = alert.data.extract_variant();
 
   // In the test case, we don't want the filters inside this
@@ -128,6 +141,24 @@ pub async fn send_alert_to_alerter(
         )
       })
     }
+    AlerterEndpoint::Ntfy(NtfyAlerterEndpoint { url, email }) => {
+      ntfy::send_alert(url, email.as_deref(), alert)
+        .await
+        .with_context(|| {
+          format!(
+            "Failed to send alert to ntfy Alerter {}",
+            alerter.name
+          )
+        })
+    }
+    AlerterEndpoint::Pushover(PushoverAlerterEndpoint { url }) => {
+      pushover::send_alert(url, alert).await.with_context(|| {
+        format!(
+          "Failed to send alert to Pushover Alerter {}",
+          alerter.name
+        )
+      })
+    }
   }
 }
 
@@ -136,18 +167,14 @@ async fn send_custom_alert(
   url: &str,
   alert: &Alert,
 ) -> anyhow::Result<()> {
-  let vars_and_secrets = get_variables_and_secrets().await?;
-  let mut global_replacers = HashSet::new();
-  let mut secret_replacers = HashSet::new();
+  let VariablesAndSecrets { variables, secrets } =
+    get_variables_and_secrets().await?;
   let mut url_interpolated = url.to_string();
 
-  // interpolate variables and secrets into the url
-  interpolate_variables_secrets_into_string(
-    &vars_and_secrets,
-    &mut url_interpolated,
-    &mut global_replacers,
-    &mut secret_replacers,
-  )?;
+  let mut interpolator =
+    Interpolator::new(Some(&variables), &secrets);
+
+  interpolator.interpolate_string(&mut url_interpolated)?;
 
   let res = reqwest::Client::new()
     .post(url_interpolated)
@@ -155,13 +182,14 @@ async fn send_custom_alert(
     .send()
     .await
     .map_err(|e| {
-      let replacers =
-        secret_replacers.into_iter().collect::<Vec<_>>();
+      let replacers = interpolator
+        .secret_replacers
+        .into_iter()
+        .collect::<Vec<_>>();
       let sanitized_error =
         svi::replace_in_string(&format!("{e:?}"), &replacers);
       anyhow::Error::msg(format!(
-        "Error with request: {}",
-        sanitized_error
+        "Error with request: {sanitized_error}"
       ))
     })
     .context("failed at post request to alerter")?;
@@ -217,38 +245,244 @@ fn resource_link(
   resource_type: ResourceTargetVariant,
   id: &str,
 ) -> String {
-  let path = match resource_type {
-    ResourceTargetVariant::System => unreachable!(),
-    ResourceTargetVariant::Build => format!("/builds/{id}"),
-    ResourceTargetVariant::Builder => {
-      format!("/builders/{id}")
-    }
-    ResourceTargetVariant::Deployment => {
-      format!("/deployments/{id}")
-    }
-    ResourceTargetVariant::Stack => {
-      format!("/stacks/{id}")
-    }
-    ResourceTargetVariant::Server => {
-      format!("/servers/{id}")
-    }
-    ResourceTargetVariant::Repo => format!("/repos/{id}"),
-    ResourceTargetVariant::Alerter => {
-      format!("/alerters/{id}")
-    }
-    ResourceTargetVariant::Procedure => {
-      format!("/procedures/{id}")
-    }
-    ResourceTargetVariant::Action => {
-      format!("/actions/{id}")
-    }
-    ResourceTargetVariant::ServerTemplate => {
-      format!("/server-templates/{id}")
-    }
-    ResourceTargetVariant::ResourceSync => {
-      format!("/resource-syncs/{id}")
-    }
-  };
-
-  format!("{}{path}", core_config().host)
+  komodo_client::entities::resource_link(
+    &core_config().host,
+    resource_type,
+    id,
+  )
+}
+
+/// Standard message content format
+/// used by Ntfy, Pushover.
+fn standard_alert_content(alert: &Alert) -> String {
+  let level = fmt_level(alert.level);
+  match &alert.data {
+    AlertData::Test { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Alerter, id);
+      format!(
+        "{level} | If you see this message, then Alerter {name} is working\n{link}",
+      )
+    }
+    AlertData::ServerVersionMismatch {
+      id,
+      name,
+      region,
+      server_version,
+      core_version,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | {name}{region} | Periphery version now matches Core version ✅\n{link}"
+          )
+        }
+        _ => {
+          format!(
+            "{level} | {name}{region} | Version mismatch detected ⚠️\nPeriphery: {server_version} | Core: {core_version}\n{link}"
+          )
+        }
+      }
+    }
+    AlertData::ServerUnreachable {
+      id,
+      name,
+      region,
+      err,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!("{level} | {name}{region} is now reachable\n{link}")
+        }
+        SeverityLevel::Critical => {
+          let err = err
+            .as_ref()
+            .map(|e| format!("\nerror: {e:#?}"))
+            .unwrap_or_default();
+          format!(
+            "{level} | {name}{region} is unreachable ❌\n{link}{err}"
+          )
+        }
+        _ => unreachable!(),
+      }
+    }
+    AlertData::ServerCpu {
+      id,
+      name,
+      region,
+      percentage,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      format!(
+        "{level} | {name}{region} cpu usage at {percentage:.1}%\n{link}",
+      )
+    }
+    AlertData::ServerMem {
+      id,
+      name,
+      region,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      let percentage = 100.0 * used_gb / total_gb;
+      format!(
+        "{level} | {name}{region} memory usage at {percentage:.1}%💾\n\nUsing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
+      )
+    }
+    AlertData::ServerDisk {
+      id,
+      name,
+      region,
+      path,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      let percentage = 100.0 * used_gb / total_gb;
+      format!(
+        "{level} | {name}{region} disk usage at {percentage:.1}%💿\nmount point: {path:?}\nusing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
+      )
+    }
+    AlertData::ContainerStateChange {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      from,
+      to,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let to_state = fmt_docker_container_state(to);
+      format!(
+        "📦Deployment {name} is now {to_state}\nserver: {server_name}\nprevious: {from}\n{link}",
+      )
+    }
+    AlertData::DeploymentImageUpdateAvailable {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      format!(
+        "⬆ Deployment {name} has an update available\nserver: {server_name}\nimage: {image}\n{link}",
+      )
+    }
+    AlertData::DeploymentAutoUpdated {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      format!(
+        "⬆ Deployment {name} was updated automatically\nserver: {server_name}\nimage: {image}\n{link}",
+      )
+    }
+    AlertData::StackStateChange {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      from,
+      to,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let to_state = fmt_stack_state(to);
+      format!(
+        "🥞 Stack {name} is now {to_state}\nserver: {server_name}\nprevious: {from}\n{link}",
+      )
+    }
+    AlertData::StackImageUpdateAvailable {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      service,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      format!(
+        "⬆ Stack {name} has an update available\nserver: {server_name}\nservice: {service}\nimage: {image}\n{link}",
+      )
+    }
+    AlertData::StackAutoUpdated {
+      id,
+      name,
+      server_id: _server_id,
+      server_name,
+      images,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let images_label =
+        if images.len() > 1 { "images" } else { "image" };
+      let images_str = images.join(", ");
+      format!(
+        "⬆ Stack {name} was updated automatically ⏫\nserver: {server_name}\n{images_label}: {images_str}\n{link}",
+      )
+    }
+    AlertData::AwsBuilderTerminationFailed {
+      instance_id,
+      message,
+    } => {
+      format!(
+        "{level} | Failed to terminate AWS builder instance\ninstance id: {instance_id}\n{message}",
+      )
+    }
+    AlertData::ResourceSyncPendingUpdates { id, name } => {
+      let link =
+        resource_link(ResourceTargetVariant::ResourceSync, id);
+      format!(
+        "{level} | Pending resource sync updates on {name}\n{link}",
+      )
+    }
+    AlertData::BuildFailed { id, name, version } => {
+      let link = resource_link(ResourceTargetVariant::Build, id);
+      format!(
+        "{level} | Build {name} failed\nversion: v{version}\n{link}",
+      )
+    }
+    AlertData::RepoBuildFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Repo, id);
+      format!("{level} | Repo build for {name} failed\n{link}",)
+    }
+    AlertData::ProcedureFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Procedure, id);
+      format!("{level} | Procedure {name} failed\n{link}")
+    }
+    AlertData::ActionFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Action, id);
+      format!("{level} | Action {name} failed\n{link}")
+    }
+    AlertData::ScheduleRun {
+      resource_type,
+      id,
+      name,
+    } => {
+      let link = resource_link(*resource_type, id);
+      format!(
+        "{level} | {name} ({resource_type}) | Scheduled run started 🕝\n{link}"
+      )
+    }
+    AlertData::Custom { message, details } => {
+      format!(
+        "{level} | {message}{}",
+        if details.is_empty() {
+          format_args!("")
+        } else {
+          format_args!("\n{details}")
+        }
+      )
+    }
+    AlertData::None {} => Default::default(),
+  }
 }

bin/core/src/alert/ntfy.rs

@@ -0,0 +1,56 @@
+use std::sync::OnceLock;
+
+use super::*;
+
+#[instrument(level = "debug")]
+pub async fn send_alert(
+  url: &str,
+  email: Option<&str>,
+  alert: &Alert,
+) -> anyhow::Result<()> {
+  let content = standard_alert_content(alert);
+  if !content.is_empty() {
+    send_message(url, email, content).await?;
+  }
+  Ok(())
+}
+
+async fn send_message(
+  url: &str,
+  email: Option<&str>,
+  content: String,
+) -> anyhow::Result<()> {
+  let mut request = http_client()
+    .post(url)
+    .header("Title", "ntfy Alert")
+    .body(content);
+
+  if let Some(email) = email {
+    request = request.header("X-Email", email);
+  }
+
+  let response =
+    request.send().await.context("Failed to send message")?;
+
+  let status = response.status();
+  if status.is_success() {
+    debug!("ntfy alert sent successfully: {}", status);
+    Ok(())
+  } else {
+    let text = response.text().await.with_context(|| {
+      format!(
+        "Failed to send message to ntfy | {status} | failed to get response text"
+      )
+    })?;
+    Err(anyhow!(
+      "Failed to send message to ntfy | {} | {}",
+      status,
+      text
+    ))
+  }
+}
+
+fn http_client() -> &'static reqwest::Client {
+  static CLIENT: OnceLock<reqwest::Client> = OnceLock::new();
+  CLIENT.get_or_init(reqwest::Client::new)
+}

bin/core/src/alert/pushover.rs

@@ -0,0 +1,55 @@
+use std::sync::OnceLock;
+
+use super::*;
+
+#[instrument(level = "debug")]
+pub async fn send_alert(
+  url: &str,
+  alert: &Alert,
+) -> anyhow::Result<()> {
+  let content = standard_alert_content(alert);
+  if !content.is_empty() {
+    send_message(url, content).await?;
+  }
+  Ok(())
+}
+
+async fn send_message(
+  url: &str,
+  content: String,
+) -> anyhow::Result<()> {
+  // pushover needs all information to be encoded in the URL. At minimum they need
+  // the user key, the application token, and the message (url encoded).
+  // other optional params here: https://pushover.net/api (just add them to the
+  // webhook url along with the application token and the user key).
+  let content = [("message", content)];
+
+  let response = http_client()
+    .post(url)
+    .form(&content)
+    .send()
+    .await
+    .context("Failed to send message")?;
+
+  let status = response.status();
+  if status.is_success() {
+    debug!("pushover alert sent successfully: {}", status);
+    Ok(())
+  } else {
+    let text = response.text().await.with_context(|| {
+      format!(
+        "Failed to send message to pushover | {status} | failed to get response text"
+      )
+    })?;
+    Err(anyhow!(
+      "Failed to send message to pushover | {} | {}",
+      status,
+      text
+    ))
+  }
+}
+
+fn http_client() -> &'static reqwest::Client {
+  static CLIENT: OnceLock<reqwest::Client> = OnceLock::new();
+  CLIENT.get_or_init(reqwest::Client::new)
+}

bin/core/src/alert/slack.rs

@@ -23,6 +23,35 @@ pub async fn send_alert(
       ];
       (text, blocks.into())
     }
+    AlertData::ServerVersionMismatch {
+      id,
+      name,
+      region,
+      server_version,
+      core_version,
+    } => {
+      let region = fmt_region(region);
+      let text = match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | *{name}*{region} | Periphery version now matches Core version ✅"
+          )
+        }
+        _ => {
+          format!(
+            "{level} | *{name}*{region} | Version mismatch detected ⚠️\nPeriphery: {server_version} | Core: {core_version}"
+          )
+        }
+      };
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(resource_link(
+          ResourceTargetVariant::Server,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
     AlertData::ServerUnreachable {
       id,
       name,
@@ -373,9 +402,7 @@ pub async fn send_alert(
       let text = format!("{level} | Build {name} has failed");
       let blocks = vec![
         Block::header(text.clone()),
-        Block::section(format!(
-          "build name: *{name}*\nversion: *v{version}*",
-        )),
+        Block::section(format!("version: *v{version}*",)),
         Block::section(resource_link(
           ResourceTargetVariant::Build,
           id,
@@ -388,7 +415,6 @@ pub async fn send_alert(
         format!("{level} | Repo build for *{name}* has *failed*");
       let blocks = vec![
         Block::header(text.clone()),
-        Block::section(format!("repo name: *{name}*",)),
         Block::section(resource_link(
           ResourceTargetVariant::Repo,
           id,
@@ -396,11 +422,72 @@ pub async fn send_alert(
       ];
       (text, blocks.into())
     }
+    AlertData::ProcedureFailed { id, name } => {
+      let text = format!("{level} | Procedure *{name}* has *failed*");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(resource_link(
+          ResourceTargetVariant::Procedure,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::ActionFailed { id, name } => {
+      let text = format!("{level} | Action *{name}* has *failed*");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(resource_link(
+          ResourceTargetVariant::Action,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::ScheduleRun {
+      resource_type,
+      id,
+      name,
+    } => {
+      let text = format!(
+        "{level} | *{name}* ({resource_type}) | Scheduled run started 🕝"
+      );
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(resource_link(*resource_type, id)),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::Custom { message, details } => {
+      let text = format!("{level} | {message}");
+      let blocks =
+        vec![Block::header(text.clone()), Block::section(details)];
+      (text, blocks.into())
+    }
     AlertData::None {} => Default::default(),
   };
   if !text.is_empty() {
-    let slack = ::slack::Client::new(url);
-    slack.send_message(text, blocks).await?;
+    let VariablesAndSecrets { variables, secrets } =
+      get_variables_and_secrets().await?;
+    let mut url_interpolated = url.to_string();
+
+    let mut interpolator =
+      Interpolator::new(Some(&variables), &secrets);
+
+    interpolator.interpolate_string(&mut url_interpolated)?;
+
+    let slack = ::slack::Client::new(url_interpolated);
+    slack.send_message(text, blocks).await.map_err(|e| {
+      let replacers = interpolator
+        .secret_replacers
+        .into_iter()
+        .collect::<Vec<_>>();
+      let sanitized_error =
+        svi::replace_in_string(&format!("{e:?}"), &replacers);
+      anyhow::Error::msg(format!(
+        "Error with slack request: {sanitized_error}"
+      ))
+    })?;
   }
   Ok(())
 }

bin/core/src/api/auth.rs

@@ -1,12 +1,14 @@
 use std::{sync::OnceLock, time::Instant};
 
-use axum::{Router, http::HeaderMap, routing::post};
+use axum::{Router, extract::Path, http::HeaderMap, routing::post};
 use derive_variants::{EnumVariants, ExtractVariant};
 use komodo_client::{api::auth::*, entities::user::User};
+use reqwest::StatusCode;
 use resolver_api::Resolve;
 use response::Response;
 use serde::{Deserialize, Serialize};
-use serror::Json;
+use serde_json::json;
+use serror::{AddStatusCode, Json};
 use typeshare::typeshare;
 use uuid::Uuid;
 
@@ -15,13 +17,16 @@ use crate::{
     get_user_id_from_headers,
     github::{self, client::github_oauth_client},
     google::{self, client::google_oauth_client},
-    oidc,
+    oidc::{self, client::oidc_client},
   },
   config::core_config,
   helpers::query::get_user,
   state::jwt_client,
 };
 
+use super::Variant;
+
+#[derive(Default)]
 pub struct AuthArgs {
   pub headers: HeaderMap,
 }
@@ -38,14 +43,16 @@ pub struct AuthArgs {
 #[allow(clippy::enum_variant_names, clippy::large_enum_variant)]
 pub enum AuthRequest {
   GetLoginOptions(GetLoginOptions),
-  CreateLocalUser(CreateLocalUser),
+  SignUpLocalUser(SignUpLocalUser),
   LoginLocalUser(LoginLocalUser),
   ExchangeForJwt(ExchangeForJwt),
   GetUser(GetUser),
 }
 
 pub fn router() -> Router {
-  let mut router = Router::new().route("/", post(handler));
+  let mut router = Router::new()
+    .route("/", post(handler))
+    .route("/{variant}", post(variant_handler));
 
   if core_config().local_auth {
     info!("🔑 Local Login Enabled");
@@ -57,7 +64,7 @@ pub fn router() -> Router {
   }
 
   if google_oauth_client().is_some() {
-    info!("🔑 Github Login Enabled");
+    info!("🔑 Google Login Enabled");
     router = router.nest("/google", google::router())
   }
 
@@ -69,6 +76,18 @@ pub fn router() -> Router {
   router
 }
 
+async fn variant_handler(
+  headers: HeaderMap,
+  Path(Variant { variant }): Path<Variant>,
+  Json(params): Json<serde_json::Value>,
+) -> serror::Result<axum::response::Response> {
+  let req: AuthRequest = serde_json::from_value(json!({
+    "type": variant,
+    "params": params,
+  }))?;
+  handler(headers, Json(req)).await
+}
+
 #[instrument(name = "AuthHandler", level = "debug", skip(headers))]
 async fn handler(
   headers: HeaderMap,
@@ -97,15 +116,9 @@ fn login_options_reponse() -> &'static GetLoginOptionsResponse {
     let config = core_config();
     GetLoginOptionsResponse {
       local: config.local_auth,
-      github: config.github_oauth.enabled
-        && !config.github_oauth.id.is_empty()
-        && !config.github_oauth.secret.is_empty(),
-      google: config.google_oauth.enabled
-        && !config.google_oauth.id.is_empty()
-        && !config.google_oauth.secret.is_empty(),
-      oidc: config.oidc_enabled
-        && !config.oidc_provider.is_empty()
-        && !config.oidc_client_id.is_empty(),
+      github: github_oauth_client().is_some(),
+      google: google_oauth_client().is_some(),
+      oidc: oidc_client().load().is_some(),
       registration_disabled: config.disable_user_registration,
     }
   })
@@ -127,8 +140,10 @@ impl Resolve<AuthArgs> for ExchangeForJwt {
     self,
     _: &AuthArgs,
   ) -> serror::Result<ExchangeForJwtResponse> {
-    let jwt = jwt_client().redeem_exchange_token(&self.token).await?;
-    Ok(ExchangeForJwtResponse { jwt })
+    jwt_client()
+      .redeem_exchange_token(&self.token)
+      .await
+      .map_err(Into::into)
   }
 }
 
@@ -138,7 +153,11 @@ impl Resolve<AuthArgs> for GetUser {
     self,
     AuthArgs { headers }: &AuthArgs,
   ) -> serror::Result<User> {
-    let user_id = get_user_id_from_headers(headers).await?;
-    Ok(get_user(&user_id).await?)
+    let user_id = get_user_id_from_headers(headers)
+      .await
+      .status_code(StatusCode::UNAUTHORIZED)?;
+    get_user(&user_id)
+      .await
+      .status_code(StatusCode::UNAUTHORIZED)
   }
 }

bin/core/src/api/execute/action.rs

@@ -7,33 +7,42 @@ use std::{
 
 use anyhow::Context;
 use command::run_komodo_command;
+use config::merge_objects;
+use database::mungos::{
+  by_id::update_one_by_id, mongodb::bson::to_document,
+};
+use interpolate::Interpolator;
 use komodo_client::{
   api::{
     execute::{BatchExecutionResponse, BatchRunAction, RunAction},
     user::{CreateApiKey, CreateApiKeyResponse, DeleteApiKey},
   },
   entities::{
-    action::Action, config::core::CoreConfig,
-    permission::PermissionLevel, update::Update, user::action_user,
+    FileFormat, JsonObject,
+    action::Action,
+    alert::{Alert, AlertData, SeverityLevel},
+    config::core::CoreConfig,
+    komodo_timestamp,
+    permission::PermissionLevel,
+    update::Update,
+    user::action_user,
   },
+  parsers::parse_key_value_list,
 };
-use mungos::{by_id::update_one_by_id, mongodb::bson::to_document};
 use resolver_api::Resolve;
 use tokio::fs;
 
 use crate::{
+  alert::send_alerts,
   api::{execute::ExecuteRequest, user::UserArgs},
   config::core_config,
   helpers::{
-    interpolate::{
-      add_interp_update_log,
-      interpolate_variables_secrets_into_string,
-    },
-    query::get_variables_and_secrets,
+    query::{VariablesAndSecrets, get_variables_and_secrets},
     random_string,
     update::update_update,
   },
-  resource::{self, refresh_action_state_cache},
+  permission::get_check_permissions,
+  resource::refresh_action_state_cache,
   state::{action_states, db_client},
 };
 
@@ -42,7 +51,10 @@ use super::ExecuteArgs;
 impl super::BatchExecute for BatchRunAction {
   type Resource = Action;
   fn single_request(action: String) -> ExecuteRequest {
-    ExecuteRequest::RunAction(RunAction { action })
+    ExecuteRequest::RunAction(RunAction {
+      action,
+      args: Default::default(),
+    })
   }
 }
 
@@ -65,10 +77,10 @@ impl Resolve<ExecuteArgs> for RunAction {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let mut action = resource::get_check_permissions::<Action>(
+    let mut action = get_check_permissions::<Action>(
       &self.action,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -80,13 +92,33 @@ impl Resolve<ExecuteArgs> for RunAction {
 
     // This will set action state back to default when dropped.
     // Will also check to ensure action not already busy before updating.
-    let _action_guard =
-      action_state.update(|state| state.running = true)?;
+    let _action_guard = action_state.update_custom(
+      |state| state.running += 1,
+      |state| state.running -= 1,
+      false,
+    )?;
 
     let mut update = update.clone();
 
     update_update(update.clone()).await?;
 
+    let default_args = parse_action_arguments(
+      &action.config.arguments,
+      action.config.arguments_format,
+    )
+    .context("Failed to parse default Action arguments")?;
+
+    let args = merge_objects(
+      default_args,
+      self.args.unwrap_or_default(),
+      true,
+      true,
+    )
+    .context("Failed to merge request args with default args")?;
+
+    let args = serde_json::to_string(&args)
+      .context("Failed to serialize action run arguments")?;
+
     let CreateApiKeyResponse { key, secret } = CreateApiKey {
       name: update.id.clone(),
       expires: 0,
@@ -99,7 +131,7 @@ impl Resolve<ExecuteArgs> for RunAction {
     let contents = &mut action.config.file_contents;
 
     // Wrap the file contents in the execution context.
-    *contents = full_contents(contents, &key, &secret);
+    *contents = full_contents(contents, &args, &key, &secret);
 
     let replacers =
       interpolate(contents, &mut update, key.clone(), secret.clone())
@@ -128,12 +160,18 @@ impl Resolve<ExecuteArgs> for RunAction {
       ""
     };
 
+    let reload = if action.config.reload_deno_deps {
+      " --reload"
+    } else {
+      ""
+    };
+
     let mut res = run_komodo_command(
       // Keep this stage name as is, the UI will find the latest update log by matching the stage name
       "Execute Action",
       None,
       format!(
-        "deno run --allow-all{https_cert_flag} {}",
+        "deno run --allow-all{https_cert_flag}{reload} {}",
         path.display()
       ),
     )
@@ -169,7 +207,7 @@ impl Resolve<ExecuteArgs> for RunAction {
       let _ = update_one_by_id(
         &db_client().updates,
         &update.id,
-        mungos::update::Update::Set(update_doc),
+        database::mungos::update::Update::Set(update_doc),
         None,
       )
       .await;
@@ -178,6 +216,26 @@ impl Resolve<ExecuteArgs> for RunAction {
 
     update_update(update.clone()).await?;
 
+    if !update.success && action.config.failure_alert {
+      warn!("action unsuccessful, alerting...");
+      let target = update.target.clone();
+      tokio::spawn(async move {
+        let alert = Alert {
+          id: Default::default(),
+          target,
+          ts: komodo_timestamp(),
+          resolved_ts: Some(komodo_timestamp()),
+          resolved: true,
+          level: SeverityLevel::Warning,
+          data: AlertData::ActionFailed {
+            id: action.id,
+            name: action.name,
+          },
+        };
+        send_alerts(&[alert]).await
+      });
+    }
+
     Ok(update)
   }
 }
@@ -188,38 +246,38 @@ async fn interpolate(
   key: String,
   secret: String,
 ) -> serror::Result<HashSet<(String, String)>> {
-  let mut vars_and_secrets = get_variables_and_secrets().await?;
+  let VariablesAndSecrets {
+    variables,
+    mut secrets,
+  } = get_variables_and_secrets().await?;
 
-  vars_and_secrets
-    .secrets
-    .insert(String::from("ACTION_API_KEY"), key);
-  vars_and_secrets
-    .secrets
-    .insert(String::from("ACTION_API_SECRET"), secret);
+  secrets.insert(String::from("ACTION_API_KEY"), key);
+  secrets.insert(String::from("ACTION_API_SECRET"), secret);
 
-  let mut global_replacers = HashSet::new();
-  let mut secret_replacers = HashSet::new();
+  let mut interpolator =
+    Interpolator::new(Some(&variables), &secrets);
 
-  interpolate_variables_secrets_into_string(
-    &vars_and_secrets,
-    contents,
-    &mut global_replacers,
-    &mut secret_replacers,
-  )?;
+  interpolator
+    .interpolate_string(contents)?
+    .push_logs(&mut update.logs);
 
-  add_interp_update_log(update, &global_replacers, &secret_replacers);
-
-  Ok(secret_replacers)
+  Ok(interpolator.secret_replacers)
 }
 
-fn full_contents(contents: &str, key: &str, secret: &str) -> String {
+fn full_contents(
+  contents: &str,
+  // Pre-serialized to JSON string.
+  args: &str,
+  key: &str,
+  secret: &str,
+) -> String {
   let CoreConfig {
     port, ssl_enabled, ..
   } = core_config();
   let protocol = if *ssl_enabled { "https" } else { "http" };
   let base_url = format!("{protocol}://localhost:{port}");
   format!(
-    "import {{ KomodoClient }} from '{base_url}/client/lib.js';
+    "import {{ KomodoClient, Types }} from '{base_url}/client/lib.js';
 import * as __YAML__ from 'jsr:@std/yaml';
 import * as __TOML__ from 'jsr:@std/toml';
 
@@ -237,6 +295,8 @@ const TOML = {{
   parseCargoToml: __TOML__.parse,
 }}
 
+const ARGS = {args};
+
 const komodo = KomodoClient('{base_url}', {{
   type: 'api-key',
   params: {{ key: '{key}', secret: '{secret}' }}
@@ -255,7 +315,7 @@ main()
     console.error('Status:', error.status);
     console.error(JSON.stringify(error.result, null, 2));
   }} else {{
-    console.error(JSON.stringify(error, null, 2));
+    console.error(error);
   }}
   Deno.exit(1)
 }});"
@@ -342,3 +402,25 @@ fn delete_file(
     }
   })
 }
+
+fn parse_action_arguments(
+  args: &str,
+  format: FileFormat,
+) -> anyhow::Result<JsonObject> {
+  match format {
+    FileFormat::KeyValue => {
+      let args = parse_key_value_list(args)
+        .context("Failed to parse args as key value list")?
+        .into_iter()
+        .map(|(k, v)| (k, serde_json::Value::String(v)))
+        .collect();
+      Ok(args)
+    }
+    FileFormat::Toml => toml::from_str(args)
+      .context("Failed to parse Toml to Action args"),
+    FileFormat::Yaml => serde_yaml_ng::from_str(args)
+      .context("Failed to parse Yaml to action args"),
+    FileFormat::Json => serde_json::from_str(args)
+      .context("Failed to parse Json to action args"),
+  }
+}

bin/core/src/api/execute/alerter.rs

@@ -1,18 +1,22 @@
+use anyhow::{Context, anyhow};
 use formatting::format_serror;
+use futures::{TryStreamExt, stream::FuturesUnordered};
 use komodo_client::{
-  api::execute::TestAlerter,
+  api::execute::{SendAlert, TestAlerter},
   entities::{
-    alert::{Alert, AlertData, SeverityLevel},
+    alert::{Alert, AlertData, AlertDataVariant, SeverityLevel},
     alerter::Alerter,
     komodo_timestamp,
     permission::PermissionLevel,
   },
 };
+use reqwest::StatusCode;
 use resolver_api::Resolve;
+use serror::AddStatusCodeError;
 
 use crate::{
   alert::send_alert_to_alerter, helpers::update::update_update,
-  resource::get_check_permissions,
+  permission::get_check_permissions, resource::list_full_for_user,
 };
 
 use super::ExecuteArgs;
@@ -26,7 +30,7 @@ impl Resolve<ExecuteArgs> for TestAlerter {
     let alerter = get_check_permissions::<Alerter>(
       &self.alerter,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -71,3 +75,75 @@ impl Resolve<ExecuteArgs> for TestAlerter {
     Ok(update)
   }
 }
+
+//
+
+impl Resolve<ExecuteArgs> for SendAlert {
+  #[instrument(name = "SendAlert", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let alerters = list_full_for_user::<Alerter>(
+      Default::default(),
+      user,
+      PermissionLevel::Execute.into(),
+      &[],
+    )
+    .await?
+    .into_iter()
+    .filter(|a| {
+      a.config.enabled
+        && (self.alerters.is_empty()
+          || self.alerters.contains(&a.name)
+          || self.alerters.contains(&a.id))
+        && (a.config.alert_types.is_empty()
+          || a.config.alert_types.contains(&AlertDataVariant::Custom))
+    })
+    .collect::<Vec<_>>();
+
+    if alerters.is_empty() {
+      return Err(anyhow!(
+        "Could not find any valid alerters to send to, this required Execute permissions on the Alerter"
+      ).status_code(StatusCode::BAD_REQUEST));
+    }
+
+    let mut update = update.clone();
+
+    let ts = komodo_timestamp();
+
+    let alert = Alert {
+      id: Default::default(),
+      ts,
+      resolved: true,
+      level: self.level,
+      target: update.target.clone(),
+      data: AlertData::Custom {
+        message: self.message,
+        details: self.details,
+      },
+      resolved_ts: Some(ts),
+    };
+
+    update.push_simple_log(
+      "Send alert",
+      serde_json::to_string_pretty(&alert)
+        .context("Failed to serialize alert to JSON")?,
+    );
+
+    if let Err(e) = alerters
+      .iter()
+      .map(|alerter| send_alert_to_alerter(alerter, &alert))
+      .collect::<FuturesUnordered<_>>()
+      .try_collect::<Vec<_>>()
+      .await
+    {
+      update.push_error_log("Send Error", format_serror(&e.into()));
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}

bin/core/src/api/execute/build.rs

@@ -1,8 +1,21 @@
-use std::{collections::HashSet, future::IntoFuture, time::Duration};
+use std::{
+  collections::{HashMap, HashSet},
+  future::IntoFuture,
+  time::Duration,
+};
 
 use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::update_one_by_id,
+  find::find_collect,
+  mongodb::{
+    bson::{doc, to_bson, to_document},
+    options::FindOneOptions,
+  },
+};
 use formatting::format_serror;
 use futures::future::join_all;
+use interpolate::Interpolator;
 use komodo_client::{
   api::execute::{
     BatchExecutionResponse, BatchRunBuild, CancelBuild, Deploy,
@@ -11,23 +24,16 @@ use komodo_client::{
   entities::{
     alert::{Alert, AlertData, SeverityLevel},
     all_logs_success,
-    build::{Build, BuildConfig, ImageRegistryConfig},
+    build::{Build, BuildConfig},
     builder::{Builder, BuilderConfig},
     deployment::DeploymentState,
-    komodo_timestamp,
+    komodo_timestamp, optional_string,
     permission::PermissionLevel,
+    repo::Repo,
     update::{Log, Update},
     user::auto_redeploy_user,
   },
 };
-use mungos::{
-  by_id::update_one_by_id,
-  find::find_collect,
-  mongodb::{
-    bson::{doc, to_bson, to_document},
-    options::FindOneOptions,
-  },
-};
 use periphery_client::api;
 use resolver_api::Resolve;
 use tokio_util::sync::CancellationToken;
@@ -35,19 +41,17 @@ use tokio_util::sync::CancellationToken;
 use crate::{
   alert::send_alerts,
   helpers::{
+    build_git_token,
     builder::{cleanup_builder_instance, get_builder_periphery},
     channel::build_cancel_channel,
-    git_token,
-    interpolate::{
-      add_interp_update_log,
-      interpolate_variables_secrets_into_extra_args,
-      interpolate_variables_secrets_into_string,
-      interpolate_variables_secrets_into_system_command,
+    query::{
+      VariablesAndSecrets, get_deployment_state,
+      get_variables_and_secrets,
     },
-    query::{get_deployment_state, get_variables_and_secrets},
     registry_token,
     update::{init_execution_update, update_update},
   },
+  permission::get_check_permissions,
   resource::{self, refresh_build_state_cache},
   state::{action_states, db_client},
 };
@@ -80,13 +84,33 @@ impl Resolve<ExecuteArgs> for RunBuild {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let mut build = resource::get_check_permissions::<Build>(
+    let mut build = get_check_permissions::<Build>(
       &self.build,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
-    let mut vars_and_secrets = get_variables_and_secrets().await?;
+
+    let mut repo = if !build.config.files_on_host
+      && !build.config.linked_repo.is_empty()
+    {
+      crate::resource::get::<Repo>(&build.config.linked_repo)
+        .await?
+        .into()
+    } else {
+      None
+    };
+
+    let VariablesAndSecrets {
+      mut variables,
+      secrets,
+    } = get_variables_and_secrets().await?;
+
+    // Add the $VERSION to variables. Use with [[$VERSION]]
+    variables.insert(
+      String::from("$VERSION"),
+      build.config.version.to_string(),
+    );
 
     if build.config.builder_id.is_empty() {
       return Err(anyhow!("Must attach builder to RunBuild").into());
@@ -110,26 +134,11 @@ impl Resolve<ExecuteArgs> for RunBuild {
     update.version = build.config.version;
     update_update(update.clone()).await?;
 
-    // Add the $VERSION to variables. Use with [[$VERSION]]
-    if !vars_and_secrets.variables.contains_key("$VERSION") {
-      vars_and_secrets.variables.insert(
-        String::from("$VERSION"),
-        build.config.version.to_string(),
-      );
-    }
+    let git_token =
+      build_git_token(&mut build, repo.as_mut()).await?;
 
-    let git_token = git_token(
-      &build.config.git_provider,
-      &build.config.git_account,
-      |https| build.config.git_https = https,
-    )
-    .await
-    .with_context(
-      || format!("Failed to get git token in call to db. This is a database error, not a token exisitence error. Stopping run. | {} | {}", build.config.git_provider, build.config.git_account),
-    )?;
-
-    let registry_token =
-      validate_account_extract_registry_token(&build).await?;
+    let registry_tokens =
+      validate_account_extract_registry_tokens(&build).await?;
 
     let cancel = CancellationToken::new();
     let cancel_clone = cancel.clone();
@@ -177,7 +186,6 @@ impl Resolve<ExecuteArgs> for RunBuild {
     });
 
     // GET BUILDER PERIPHERY
-
     let (periphery, cleanup_data) = match get_builder_periphery(
       build.name.clone(),
       Some(build.config.version),
@@ -203,125 +211,94 @@ impl Resolve<ExecuteArgs> for RunBuild {
       }
     };
 
-    // CLONE REPO
+    // INTERPOLATE VARIABLES
     let secret_replacers = if !build.config.skip_secret_interp {
-      // Interpolate variables / secrets into pre build command
-      let mut global_replacers = HashSet::new();
-      let mut secret_replacers = HashSet::new();
+      let mut interpolator =
+        Interpolator::new(Some(&variables), &secrets);
 
-      interpolate_variables_secrets_into_system_command(
-        &vars_and_secrets,
-        &mut build.config.pre_build,
-        &mut global_replacers,
-        &mut secret_replacers,
-      )?;
+      interpolator.interpolate_build(&mut build)?;
 
-      add_interp_update_log(
-        &mut update,
-        &global_replacers,
-        &secret_replacers,
-      );
+      if let Some(repo) = repo.as_mut() {
+        interpolator.interpolate_repo(repo)?;
+      }
 
-      secret_replacers
+      interpolator.push_logs(&mut update.logs);
+
+      interpolator.secret_replacers
     } else {
       Default::default()
     };
 
-    let res = tokio::select! {
-      res = periphery
-        .request(api::git::CloneRepo {
-          args: (&build).into(),
-          git_token,
-          environment: Default::default(),
-          env_file_path: Default::default(),
-          skip_secret_interp: Default::default(),
-          replacers: secret_replacers.into_iter().collect(),
-        }) => res,
-      _ = cancel.cancelled() => {
-        debug!("build cancelled during clone, cleaning up builder");
-        update.push_error_log("build cancelled", String::from("user cancelled build during repo clone"));
-        cleanup_builder_instance(periphery, cleanup_data, &mut update)
-          .await;
-        info!("builder cleaned up");
-        return handle_early_return(update, build.id, build.name, true).await
-      },
-    };
-
-    let commit_message = match res {
-      Ok(res) => {
-        debug!("finished repo clone");
-        update.logs.extend(res.logs);
-        update.commit_hash =
-          res.commit_hash.unwrap_or_default().to_string();
-        res.commit_message.unwrap_or_default()
-      }
-      Err(e) => {
-        warn!("failed build at clone repo | {e:#}");
-        update.push_error_log(
-          "clone repo",
-          format_serror(&e.context("failed to clone repo").into()),
-        );
-        Default::default()
-      }
-    };
-
-    update_update(update.clone()).await?;
-
-    if all_logs_success(&update.logs) {
-      let secret_replacers = if !build.config.skip_secret_interp {
-        // Interpolate variables / secrets into build args
-        let mut global_replacers = HashSet::new();
-        let mut secret_replacers = HashSet::new();
-
-        interpolate_variables_secrets_into_string(
-          &vars_and_secrets,
-          &mut build.config.build_args,
-          &mut global_replacers,
-          &mut secret_replacers,
-        )?;
-
-        interpolate_variables_secrets_into_string(
-          &vars_and_secrets,
-          &mut build.config.secret_args,
-          &mut global_replacers,
-          &mut secret_replacers,
-        )?;
-
-        interpolate_variables_secrets_into_extra_args(
-          &vars_and_secrets,
-          &mut build.config.extra_args,
-          &mut global_replacers,
-          &mut secret_replacers,
-        )?;
-
-        add_interp_update_log(
-          &mut update,
-          &global_replacers,
-          &secret_replacers,
-        );
-
-        secret_replacers
-      } else {
-        Default::default()
+    let commit_message = if !build.config.files_on_host
+      && (!build.config.repo.is_empty()
+        || !build.config.linked_repo.is_empty())
+    {
+      // PULL OR CLONE REPO
+      let res = tokio::select! {
+        res = periphery
+          .request(api::git::PullOrCloneRepo {
+            args: repo.as_ref().map(Into::into).unwrap_or((&build).into()),
+            git_token,
+            environment: Default::default(),
+            env_file_path: Default::default(),
+            on_clone: None,
+            on_pull: None,
+            skip_secret_interp: Default::default(),
+            replacers: Default::default(),
+          }) => res,
+        _ = cancel.cancelled() => {
+          debug!("build cancelled during clone, cleaning up builder");
+          update.push_error_log("build cancelled", String::from("user cancelled build during repo clone"));
+          cleanup_builder_instance(cleanup_data, &mut update)
+            .await;
+          info!("builder cleaned up");
+          return handle_early_return(update, build.id, build.name, true).await
+        },
       };
 
+      let commit_message = match res {
+        Ok(res) => {
+          debug!("finished repo clone");
+          update.logs.extend(res.res.logs);
+          update.commit_hash =
+            res.res.commit_hash.unwrap_or_default().to_string();
+          res.res.commit_message.unwrap_or_default()
+        }
+        Err(e) => {
+          warn!("Failed build at clone repo | {e:#}");
+          update.push_error_log(
+            "Clone Repo",
+            format_serror(&e.context("Failed to clone repo").into()),
+          );
+          Default::default()
+        }
+      };
+
+      update_update(update.clone()).await?;
+
+      Some(commit_message)
+    } else {
+      None
+    };
+
+    if all_logs_success(&update.logs) {
+      // RUN BUILD
       let res = tokio::select! {
         res = periphery
           .request(api::build::Build {
             build: build.clone(),
-            registry_token,
+            repo,
+            registry_tokens,
             replacers: secret_replacers.into_iter().collect(),
-            // Push a commit hash tagged image
-            additional_tags: if update.commit_hash.is_empty() {
-              Default::default()
-            } else {
-              vec![update.commit_hash.clone()]
-            },
+            // To push a commit hash tagged image
+            commit_hash: optional_string(&update.commit_hash),
+            // Unused for now
+            additional_tags: Default::default(),
           }) => res.context("failed at call to periphery to build"),
         _ = cancel.cancelled() => {
           info!("build cancelled during build, cleaning up builder");
           update.push_error_log("build cancelled", String::from("user cancelled build during docker build"));
-          cleanup_builder_instance(periphery, cleanup_data, &mut update)
+          cleanup_builder_instance(cleanup_data, &mut update)
             .await;
           return handle_early_return(update, build.id, build.name, true).await
         },
@@ -365,8 +342,9 @@ impl Resolve<ExecuteArgs> for RunBuild {
     // stop the cancel listening task from going forever
     cancel.cancel();
 
-    cleanup_builder_instance(periphery, cleanup_data, &mut update)
-      .await;
+    // If building on temporary cloud server (AWS),
+    // this will terminate the server.
+    cleanup_builder_instance(cleanup_data, &mut update).await;
 
     // Need to manually update the update before cache refresh,
     // and before broadcast with add_update.
@@ -376,7 +354,7 @@ impl Resolve<ExecuteArgs> for RunBuild {
       let _ = update_one_by_id(
         &db.updates,
         &update.id,
-        mungos::update::Update::Set(update_doc),
+        database::mungos::update::Update::Set(update_doc),
         None,
       )
       .await;
@@ -432,7 +410,7 @@ async fn handle_early_return(
     let _ = update_one_by_id(
       &db_client().updates,
       &update.id,
-      mungos::update::Update::Set(update_doc),
+      database::mungos::update::Update::Set(update_doc),
       None,
     )
     .await;
@@ -515,10 +493,10 @@ impl Resolve<ExecuteArgs> for CancelBuild {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let build = resource::get_check_permissions::<Build>(
+    let build = get_check_permissions::<Build>(
       &self.build,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -589,8 +567,9 @@ async fn handle_post_build_redeploy(build_id: &str) {
     redeploy_deployments
       .into_iter()
       .map(|deployment| async move {
-        let state =
-          get_deployment_state(&deployment).await.unwrap_or_default();
+        let state = get_deployment_state(&deployment.id)
+          .await
+          .unwrap_or_default();
         if state == DeploymentState::Running {
           let req = super::ExecuteRequest::Deploy(Deploy {
             deployment: deployment.id.clone(),
@@ -631,34 +610,48 @@ async fn handle_post_build_redeploy(build_id: &str) {
 /// This will make sure that a build with non-none image registry has an account attached,
 /// and will check the core config for a token matching requirements.
 /// Otherwise it is left to periphery.
-async fn validate_account_extract_registry_token(
+async fn validate_account_extract_registry_tokens(
   Build {
-    config:
-      BuildConfig {
-        image_registry:
-          ImageRegistryConfig {
-            domain, account, ..
-          },
-        ..
-      },
+    config: BuildConfig { image_registry, .. },
     ..
   }: &Build,
-) -> serror::Result<Option<String>> {
-  if domain.is_empty() {
-    return Ok(None);
-  }
-  if account.is_empty() {
-    return Err(
-      anyhow!(
-        "Must attach account to use registry provider {domain}"
-      )
-      .into(),
+  // Maps (domain, account) -> token
+) -> serror::Result<Vec<(String, String, String)>> {
+  let mut res = HashMap::with_capacity(image_registry.capacity());
+
+  for (domain, account) in image_registry
+    .iter()
+    .map(|r| (r.domain.as_str(), r.account.as_str()))
+    // This ensures uniqueness / prevents redundant logins
+    .collect::<HashSet<_>>()
+  {
+    if domain.is_empty() {
+      continue;
+    }
+    if account.is_empty() {
+      return Err(
+        anyhow!(
+          "Must attach account to use registry provider {domain}"
+        )
+        .into(),
+      );
+    }
+    let Some(registry_token) = registry_token(domain, account).await.with_context(
+      || format!("Failed to get registry token in call to db. Stopping run. | {domain} | {account}"),
+    )? else {
+      continue;
+    };
+
+    res.insert(
+      (domain.to_string(), account.to_string()),
+      registry_token,
     );
   }
 
-  let registry_token = registry_token(domain, account).await.with_context(
-    || format!("Failed to get registry token in call to db. Stopping run. | {domain} | {account}"),
-  )?;
-
-  Ok(registry_token)
+  Ok(
+    res
+      .into_iter()
+      .map(|((domain, account), token)| (domain, account, token))
+      .collect(),
+  )
 }

bin/core/src/api/execute/deployment.rs

@@ -1,8 +1,9 @@
-use std::{collections::HashSet, sync::OnceLock};
+use std::sync::OnceLock;
 
 use anyhow::{Context, anyhow};
 use cache::TimeoutCache;
 use formatting::format_serror;
+use interpolate::Interpolator;
 use komodo_client::{
   api::execute::*,
   entities::{
@@ -11,7 +12,7 @@ use komodo_client::{
     deployment::{
       Deployment, DeploymentImage, extract_registry_domain,
     },
-    get_image_name, komodo_timestamp, optional_string,
+    komodo_timestamp, optional_string,
     permission::PermissionLevel,
     server::Server,
     update::{Log, Update},
@@ -23,17 +24,13 @@ use resolver_api::Resolve;
 
 use crate::{
   helpers::{
-    interpolate::{
-      add_interp_update_log,
-      interpolate_variables_secrets_into_extra_args,
-      interpolate_variables_secrets_into_string,
-    },
     periphery_client,
-    query::get_variables_and_secrets,
+    query::{VariablesAndSecrets, get_variables_and_secrets},
     registry_token,
     update::update_update,
   },
   monitor::update_cache_for_server,
+  permission::get_check_permissions,
   resource,
   state::action_states,
 };
@@ -68,10 +65,10 @@ async fn setup_deployment_execution(
   deployment: &str,
   user: &User,
 ) -> anyhow::Result<(Deployment, Server)> {
-  let deployment = resource::get_check_permissions::<Deployment>(
+  let deployment = get_check_permissions::<Deployment>(
     deployment,
     user,
-    PermissionLevel::Execute,
+    PermissionLevel::Execute.into(),
   )
   .await?;
 
@@ -118,8 +115,11 @@ impl Resolve<ExecuteArgs> for Deploy {
     let (version, registry_token) = match &deployment.config.image {
       DeploymentImage::Build { build_id, version } => {
         let build = resource::get::<Build>(build_id).await?;
-        let image_name = get_image_name(&build)
-          .context("failed to create image name")?;
+        let image_names = build.get_image_names();
+        let image_name = image_names
+          .first()
+          .context("No image name could be created")
+          .context("Failed to create image name")?;
         let version = if version.is_none() {
           build.config.version
         } else {
@@ -136,21 +136,27 @@ impl Resolve<ExecuteArgs> for Deploy {
         deployment.config.image = DeploymentImage::Image {
           image: format!("{image_name}:{version_str}"),
         };
-        if build.config.image_registry.domain.is_empty() {
+        let first_registry = build
+          .config
+          .image_registry
+          .first()
+          .unwrap_or(ImageRegistryConfig::static_default());
+        if first_registry.domain.is_empty() {
           (version, None)
         } else {
           let ImageRegistryConfig {
             domain, account, ..
-          } = build.config.image_registry;
+          } = first_registry;
           if deployment.config.image_registry_account.is_empty() {
-            deployment.config.image_registry_account = account
+            deployment.config.image_registry_account =
+              account.to_string();
           }
           let token = if !deployment
             .config
             .image_registry_account
             .is_empty()
           {
-            registry_token(&domain, &deployment.config.image_registry_account).await.with_context(
+            registry_token(domain, &deployment.config.image_registry_account).await.with_context(
               || format!("Failed to get git token in call to db. Stopping run. | {domain} | {}", deployment.config.image_registry_account),
             )?
           } else {
@@ -179,53 +185,17 @@ impl Resolve<ExecuteArgs> for Deploy {
     // interpolate variables / secrets, returning the sanitizing replacers to send to
     // periphery so it may sanitize the final command for safe logging (avoids exposing secret values)
     let secret_replacers = if !deployment.config.skip_secret_interp {
-      let vars_and_secrets = get_variables_and_secrets().await?;
+      let VariablesAndSecrets { variables, secrets } =
+        get_variables_and_secrets().await?;
 
-      let mut global_replacers = HashSet::new();
-      let mut secret_replacers = HashSet::new();
+      let mut interpolator =
+        Interpolator::new(Some(&variables), &secrets);
 
-      interpolate_variables_secrets_into_string(
-        &vars_and_secrets,
-        &mut deployment.config.environment,
-        &mut global_replacers,
-        &mut secret_replacers,
-      )?;
+      interpolator
+        .interpolate_deployment(&mut deployment)?
+        .push_logs(&mut update.logs);
 
-      interpolate_variables_secrets_into_string(
-        &vars_and_secrets,
-        &mut deployment.config.ports,
-        &mut global_replacers,
-        &mut secret_replacers,
-      )?;
-
-      interpolate_variables_secrets_into_string(
-        &vars_and_secrets,
-        &mut deployment.config.volumes,
-        &mut global_replacers,
-        &mut secret_replacers,
-      )?;
-
-      interpolate_variables_secrets_into_extra_args(
-        &vars_and_secrets,
-        &mut deployment.config.extra_args,
-        &mut global_replacers,
-        &mut secret_replacers,
-      )?;
-
-      interpolate_variables_secrets_into_string(
-        &vars_and_secrets,
-        &mut deployment.config.command,
-        &mut global_replacers,
-        &mut secret_replacers,
-      )?;
-
-      add_interp_update_log(
-        &mut update,
-        &global_replacers,
-        &secret_replacers,
-      );
-
-      secret_replacers
+      interpolator.secret_replacers
     } else {
       Default::default()
     };
@@ -252,7 +222,7 @@ impl Resolve<ExecuteArgs> for Deploy {
       }
     };
 
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -279,8 +249,11 @@ pub async fn pull_deployment_inner(
   let (image, account, token) = match deployment.config.image {
     DeploymentImage::Build { build_id, version } => {
       let build = resource::get::<Build>(&build_id).await?;
-      let image_name = get_image_name(&build)
-        .context("failed to create image name")?;
+      let image_names = build.get_image_names();
+      let image_name = image_names
+        .first()
+        .context("No image name could be created")
+        .context("Failed to create image name")?;
       let version = if version.is_none() {
         build.config.version.to_string()
       } else {
@@ -294,26 +267,31 @@ pub async fn pull_deployment_inner(
       };
       // replace image with corresponding build image.
       let image = format!("{image_name}:{version}");
-      if build.config.image_registry.domain.is_empty() {
+      let first_registry = build
+        .config
+        .image_registry
+        .first()
+        .unwrap_or(ImageRegistryConfig::static_default());
+      if first_registry.domain.is_empty() {
         (image, None, None)
       } else {
         let ImageRegistryConfig {
           domain, account, ..
-        } = build.config.image_registry;
+        } = first_registry;
         let account =
           if deployment.config.image_registry_account.is_empty() {
             account
           } else {
-            deployment.config.image_registry_account
+            &deployment.config.image_registry_account
           };
         let token = if !account.is_empty() {
-          registry_token(&domain, &account).await.with_context(
+          registry_token(domain, account).await.with_context(
               || format!("Failed to get git token in call to db. Stopping run. | {domain} | {account}"),
             )?
         } else {
           None
         };
-        (image, optional_string(&account), token)
+        (image, optional_string(account), token)
       }
     }
     DeploymentImage::Image { image } => {
@@ -365,7 +343,7 @@ pub async fn pull_deployment_inner(
       Err(e) => Log::error("Pull image", format_serror(&e.into())),
     };
 
-    update_cache_for_server(server).await;
+    update_cache_for_server(server, true).await;
     anyhow::Ok(log)
   }
   .await;
@@ -450,7 +428,7 @@ impl Resolve<ExecuteArgs> for StartDeployment {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -499,7 +477,7 @@ impl Resolve<ExecuteArgs> for RestartDeployment {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -546,7 +524,7 @@ impl Resolve<ExecuteArgs> for PauseDeployment {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -595,7 +573,7 @@ impl Resolve<ExecuteArgs> for UnpauseDeployment {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -650,7 +628,7 @@ impl Resolve<ExecuteArgs> for StopDeployment {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -733,7 +711,7 @@ impl Resolve<ExecuteArgs> for DestroyDeployment {
 
     update.logs.push(log);
     update.finalize();
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update_update(update.clone()).await?;
 
     Ok(update)

bin/core/src/api/execute/maintenance.rs

@@ -0,0 +1,319 @@
+use std::sync::OnceLock;
+
+use anyhow::{Context, anyhow};
+use command::run_komodo_command;
+use database::mungos::{find::find_collect, mongodb::bson::doc};
+use formatting::{bold, format_serror};
+use komodo_client::{
+  api::execute::{
+    BackupCoreDatabase, ClearRepoCache, GlobalAutoUpdate,
+  },
+  entities::{
+    deployment::DeploymentState, server::ServerState,
+    stack::StackState,
+  },
+};
+use reqwest::StatusCode;
+use resolver_api::Resolve;
+use serror::AddStatusCodeError;
+use tokio::sync::Mutex;
+
+use crate::{
+  api::execute::{
+    ExecuteArgs, pull_deployment_inner, pull_stack_inner,
+  },
+  config::core_config,
+  helpers::update::update_update,
+  state::{
+    db_client, deployment_status_cache, server_status_cache,
+    stack_status_cache,
+  },
+};
+
+/// Makes sure the method can only be called once at a time
+fn clear_repo_cache_lock() -> &'static Mutex<()> {
+  static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
+  LOCK.get_or_init(Default::default)
+}
+
+impl Resolve<ExecuteArgs> for ClearRepoCache {
+  #[instrument(
+    name = "ClearRepoCache",
+    skip(user, update),
+    fields(user_id = user.id, update_id = update.id)
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !user.admin {
+      return Err(
+        anyhow!("This method is admin only.")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let _lock = clear_repo_cache_lock()
+      .try_lock()
+      .context("Clear already in progress...")?;
+
+    let mut update = update.clone();
+
+    let mut contents =
+      tokio::fs::read_dir(&core_config().repo_directory)
+        .await
+        .context("Failed to read repo cache directory")?;
+
+    loop {
+      let path = match contents
+        .next_entry()
+        .await
+        .context("Failed to read contents at path")
+      {
+        Ok(Some(contents)) => contents.path(),
+        Ok(None) => break,
+        Err(e) => {
+          update.push_error_log(
+            "Read Directory",
+            format_serror(&e.into()),
+          );
+          continue;
+        }
+      };
+      if path.is_dir() {
+        match tokio::fs::remove_dir_all(&path)
+          .await
+          .context("Failed to clear contents at path")
+        {
+          Ok(_) => {}
+          Err(e) => {
+            update.push_error_log(
+              "Clear Directory",
+              format_serror(&e.into()),
+            );
+          }
+        };
+      }
+    }
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+//
+
+/// Makes sure the method can only be called once at a time
+fn backup_database_lock() -> &'static Mutex<()> {
+  static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
+  LOCK.get_or_init(Default::default)
+}
+
+impl Resolve<ExecuteArgs> for BackupCoreDatabase {
+  #[instrument(
+    name = "BackupCoreDatabase",
+    skip(user, update),
+    fields(user_id = user.id, update_id = update.id)
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !user.admin {
+      return Err(
+        anyhow!("This method is admin only.")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let _lock = backup_database_lock()
+      .try_lock()
+      .context("Backup already in progress...")?;
+
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
+    let res = run_komodo_command(
+      "Backup Core Database",
+      None,
+      "km database backup --yes",
+    )
+    .await;
+
+    update.logs.push(res);
+    update.finalize();
+
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+//
+
+/// Makes sure the method can only be called once at a time
+fn global_update_lock() -> &'static Mutex<()> {
+  static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
+  LOCK.get_or_init(Default::default)
+}
+
+impl Resolve<ExecuteArgs> for GlobalAutoUpdate {
+  #[instrument(
+    name = "GlobalAutoUpdate",
+    skip(user, update),
+    fields(user_id = user.id, update_id = update.id)
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !user.admin {
+      return Err(
+        anyhow!("This method is admin only.")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let _lock = global_update_lock()
+      .try_lock()
+      .context("Global update already in progress...")?;
+
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
+    // This is all done in sequence because there is no rush,
+    // the pulls / deploys happen spaced out to ease the load on system.
+    let servers = find_collect(&db_client().servers, None, None)
+      .await
+      .context("Failed to query for servers from database")?;
+
+    let query = doc! {
+      "$or": [
+        { "config.poll_for_updates": true },
+        { "config.auto_update": true }
+      ]
+    };
+
+    let (stacks, repos) = tokio::try_join!(
+      find_collect(&db_client().stacks, query.clone(), None),
+      find_collect(&db_client().repos, None, None)
+    )
+    .context("Failed to query for resources from database")?;
+
+    let server_status_cache = server_status_cache();
+    let stack_status_cache = stack_status_cache();
+
+    // Will be edited later at update.logs[0]
+    update.push_simple_log("Auto Pull", String::new());
+
+    for stack in stacks {
+      let Some(status) = stack_status_cache.get(&stack.id).await
+      else {
+        continue;
+      };
+      // Only pull running stacks.
+      if !matches!(status.curr.state, StackState::Running) {
+        continue;
+      }
+      if let Some(server) =
+        servers.iter().find(|s| s.id == stack.config.server_id)
+        // This check is probably redundant along with running check
+        // but shouldn't hurt
+        && server_status_cache
+          .get(&server.id)
+          .await
+          .map(|s| matches!(s.state, ServerState::Ok))
+          .unwrap_or_default()
+      {
+        let name = stack.name.clone();
+        let repo = if stack.config.linked_repo.is_empty() {
+          None
+        } else {
+          let Some(repo) =
+            repos.iter().find(|r| r.id == stack.config.linked_repo)
+          else {
+            update.push_error_log(
+              &format!("Pull Stack {name}"),
+              format!(
+                "Did not find any Repo matching {}",
+                stack.config.linked_repo
+              ),
+            );
+            continue;
+          };
+          Some(repo.clone())
+        };
+        if let Err(e) =
+          pull_stack_inner(stack, Vec::new(), server, repo, None)
+            .await
+        {
+          update.push_error_log(
+            &format!("Pull Stack {name}"),
+            format_serror(&e.into()),
+          );
+        } else {
+          if !update.logs[0].stdout.is_empty() {
+            update.logs[0].stdout.push('\n');
+          }
+          update.logs[0]
+            .stdout
+            .push_str(&format!("Pulled Stack {} ✅", bold(name)));
+        }
+      }
+    }
+
+    let deployment_status_cache = deployment_status_cache();
+    let deployments =
+      find_collect(&db_client().deployments, query, None)
+        .await
+        .context("Failed to query for deployments from database")?;
+    for deployment in deployments {
+      let Some(status) =
+        deployment_status_cache.get(&deployment.id).await
+      else {
+        continue;
+      };
+      // Only pull running deployments.
+      if !matches!(status.curr.state, DeploymentState::Running) {
+        continue;
+      }
+      if let Some(server) =
+        servers.iter().find(|s| s.id == deployment.config.server_id)
+        // This check is probably redundant along with running check
+        // but shouldn't hurt
+        && server_status_cache
+          .get(&server.id)
+          .await
+          .map(|s| matches!(s.state, ServerState::Ok))
+          .unwrap_or_default()
+      {
+        let name = deployment.name.clone();
+        if let Err(e) =
+          pull_deployment_inner(deployment, server).await
+        {
+          update.push_error_log(
+            &format!("Pull Deployment {name}"),
+            format_serror(&e.into()),
+          );
+        } else {
+          if !update.logs[0].stdout.is_empty() {
+            update.logs[0].stdout.push('\n');
+          }
+          update.logs[0].stdout.push_str(&format!(
+            "Pulled Deployment {} ✅",
+            bold(name)
+          ));
+        }
+      }
+    }
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}

bin/core/src/api/execute/mod.rs

@@ -1,8 +1,11 @@
 use std::{pin::Pin, time::Instant};
 
 use anyhow::Context;
-use axum::{Extension, Router, middleware, routing::post};
+use axum::{
+  Extension, Router, extract::Path, middleware, routing::post,
+};
 use axum_extra::{TypedHeader, headers::ContentType};
+use database::mungos::by_id::find_one_by_id;
 use derive_variants::{EnumVariants, ExtractVariant};
 use formatting::format_serror;
 use futures::future::join_all;
@@ -10,14 +13,15 @@ use komodo_client::{
   api::execute::*,
   entities::{
     Operation,
+    permission::PermissionLevel,
     update::{Log, Update},
     user::User,
   },
 };
-use mungos::by_id::find_one_by_id;
 use resolver_api::Resolve;
 use response::JsonString;
 use serde::{Deserialize, Serialize};
+use serde_json::json;
 use serror::Json;
 use typeshare::typeshare;
 use uuid::Uuid;
@@ -33,13 +37,15 @@ mod action;
 mod alerter;
 mod build;
 mod deployment;
+mod maintenance;
 mod procedure;
 mod repo;
 mod server;
-mod server_template;
 mod stack;
 mod sync;
 
+use super::Variant;
+
 pub use {
   deployment::pull_deployment_inner, stack::pull_stack_inner,
 };
@@ -82,6 +88,22 @@ pub enum ExecuteRequest {
   PruneBuildx(PruneBuildx),
   PruneSystem(PruneSystem),
 
+  // ==== STACK ====
+  DeployStack(DeployStack),
+  BatchDeployStack(BatchDeployStack),
+  DeployStackIfChanged(DeployStackIfChanged),
+  BatchDeployStackIfChanged(BatchDeployStackIfChanged),
+  PullStack(PullStack),
+  BatchPullStack(BatchPullStack),
+  StartStack(StartStack),
+  RestartStack(RestartStack),
+  StopStack(StopStack),
+  PauseStack(PauseStack),
+  UnpauseStack(UnpauseStack),
+  DestroyStack(DestroyStack),
+  BatchDestroyStack(BatchDestroyStack),
+  RunStackService(RunStackService),
+
   // ==== DEPLOYMENT ====
   Deploy(Deploy),
   BatchDeploy(BatchDeploy),
@@ -94,20 +116,6 @@ pub enum ExecuteRequest {
   DestroyDeployment(DestroyDeployment),
   BatchDestroyDeployment(BatchDestroyDeployment),
 
-  // ==== STACK ====
-  DeployStack(DeployStack),
-  BatchDeployStack(BatchDeployStack),
-  DeployStackIfChanged(DeployStackIfChanged),
-  BatchDeployStackIfChanged(BatchDeployStackIfChanged),
-  PullStack(PullStack),
-  StartStack(StartStack),
-  RestartStack(RestartStack),
-  StopStack(StopStack),
-  PauseStack(PauseStack),
-  UnpauseStack(UnpauseStack),
-  DestroyStack(DestroyStack),
-  BatchDestroyStack(BatchDestroyStack),
-
   // ==== BUILD ====
   RunBuild(RunBuild),
   BatchRunBuild(BatchRunBuild),
@@ -130,22 +138,38 @@ pub enum ExecuteRequest {
   RunAction(RunAction),
   BatchRunAction(BatchRunAction),
 
-  // ==== SERVER TEMPLATE ====
-  LaunchServer(LaunchServer),
-
   // ==== ALERTER ====
   TestAlerter(TestAlerter),
+  SendAlert(SendAlert),
 
   // ==== SYNC ====
   RunSync(RunSync),
+
+  // ==== MAINTENANCE ====
+  ClearRepoCache(ClearRepoCache),
+  BackupCoreDatabase(BackupCoreDatabase),
+  GlobalAutoUpdate(GlobalAutoUpdate),
 }
 
 pub fn router() -> Router {
   Router::new()
     .route("/", post(handler))
+    .route("/{variant}", post(variant_handler))
     .layer(middleware::from_fn(auth_request))
 }
 
+async fn variant_handler(
+  user: Extension<User>,
+  Path(Variant { variant }): Path<Variant>,
+  Json(params): Json<serde_json::Value>,
+) -> serror::Result<(TypedHeader<ContentType>, String)> {
+  let req: ExecuteRequest = serde_json::from_value(json!({
+    "type": variant,
+    "params": params,
+  }))?;
+  handler(user, Json(req)).await
+}
+
 async fn handler(
   Extension(user): Extension<User>,
   Json(request): Json<ExecuteRequest>,
@@ -158,8 +182,11 @@ async fn handler(
   Ok((TypedHeader(ContentType::json()), res))
 }
 
+#[typeshare(serialized_as = "Update")]
+type BoxUpdate = Box<Update>;
+
 pub enum ExecutionResult {
-  Single(Update),
+  Single(BoxUpdate),
   /// The batch contents will be pre serialized here
   Batch(String),
 }
@@ -176,8 +203,10 @@ pub fn inner_handler(
   Box::pin(async move {
     let req_id = Uuid::new_v4();
 
-    // need to validate no cancel is active before any update is created.
+    // Need to validate no cancel is active before any update is created.
+    // This ensures no double update created if Cancel is called more than once for the same request.
     build::validate_cancel_build(&request).await?;
+    repo::validate_cancel_repo_build(&request).await?;
 
     let update = init_execution_update(&request, &user).await?;
 
@@ -192,24 +221,33 @@ pub fn inner_handler(
       ));
     }
 
+    // Spawn a task for the execution which continues
+    // running after this method returns.
     let handle =
       tokio::spawn(task(req_id, request, user, update.clone()));
 
+    // Spawns another task to monitor the first for failures,
+    // and add the log to Update about it (which primary task can't do because it errored out)
     tokio::spawn({
       let update_id = update.id.clone();
       async move {
         let log = match handle.await {
           Ok(Err(e)) => {
             warn!("/execute request {req_id} task error: {e:#}",);
-            Log::error("task error", format_serror(&e.into()))
+            Log::error("Task Error", format_serror(&e.into()))
           }
           Err(e) => {
             warn!("/execute request {req_id} spawn error: {e:?}",);
-            Log::error("spawn error", format!("{e:#?}"))
+            Log::error("Spawn Error", format!("{e:#?}"))
           }
           _ => return,
         };
         let res = async {
+          // Nothing to do if update was never actually created,
+          // which is the case when the id is empty.
+          if update_id.is_empty() {
+            return Ok(());
+          }
           let mut update =
             find_one_by_id(&db_client().updates, &update_id)
               .await
@@ -229,7 +267,7 @@ pub fn inner_handler(
       }
     });
 
-    Ok(ExecutionResult::Single(update))
+    Ok(ExecutionResult::Single(update.into()))
   })
 }
 
@@ -283,6 +321,7 @@ async fn batch_execute<E: BatchExecute>(
     pattern,
     Default::default(),
     user,
+    PermissionLevel::Execute.into(),
     &[],
   )
   .await?;

bin/core/src/api/execute/procedure.rs

@@ -1,22 +1,30 @@
 use std::pin::Pin;
 
+use database::mungos::{
+  by_id::update_one_by_id, mongodb::bson::to_document,
+};
 use formatting::{Color, bold, colored, format_serror, muted};
 use komodo_client::{
   api::execute::{
     BatchExecutionResponse, BatchRunProcedure, RunProcedure,
   },
   entities::{
-    permission::PermissionLevel, procedure::Procedure,
-    update::Update, user::User,
+    alert::{Alert, AlertData, SeverityLevel},
+    komodo_timestamp,
+    permission::PermissionLevel,
+    procedure::Procedure,
+    update::Update,
+    user::User,
   },
 };
-use mungos::{by_id::update_one_by_id, mongodb::bson::to_document};
 use resolver_api::Resolve;
 use tokio::sync::Mutex;
 
 use crate::{
+  alert::send_alerts,
   helpers::{procedure::execute_procedure, update::update_update},
-  resource::{self, refresh_procedure_state_cache},
+  permission::get_check_permissions,
+  resource::refresh_procedure_state_cache,
   state::{action_states, db_client},
 };
 
@@ -65,10 +73,10 @@ fn resolve_inner(
   >,
 > {
   Box::pin(async move {
-    let procedure = resource::get_check_permissions::<Procedure>(
+    let procedure = get_check_permissions::<Procedure>(
       &procedure,
       &user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -128,7 +136,7 @@ fn resolve_inner(
       let _ = update_one_by_id(
         &db_client().updates,
         &update.id,
-        mungos::update::Update::Set(update_doc),
+        database::mungos::update::Update::Set(update_doc),
         None,
       )
       .await;
@@ -137,6 +145,26 @@ fn resolve_inner(
 
     update_update(update.clone()).await?;
 
+    if !update.success && procedure.config.failure_alert {
+      warn!("procedure unsuccessful, alerting...");
+      let target = update.target.clone();
+      tokio::spawn(async move {
+        let alert = Alert {
+          id: Default::default(),
+          target,
+          ts: komodo_timestamp(),
+          resolved_ts: Some(komodo_timestamp()),
+          resolved: true,
+          level: SeverityLevel::Warning,
+          data: AlertData::ProcedureFailed {
+            id: procedure.id,
+            name: procedure.name,
+          },
+        };
+        send_alerts(&[alert]).await
+      });
+    }
+
     Ok(update)
   })
 }

bin/core/src/api/execute/repo.rs

@@ -1,7 +1,15 @@
 use std::{collections::HashSet, future::IntoFuture, time::Duration};
 
 use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::update_one_by_id,
+  mongodb::{
+    bson::{doc, to_document},
+    options::FindOneOptions,
+  },
+};
 use formatting::format_serror;
+use interpolate::Interpolator;
 use komodo_client::{
   api::{execute::*, write::RefreshRepoCache},
   entities::{
@@ -14,13 +22,6 @@ use komodo_client::{
     update::{Log, Update},
   },
 };
-use mungos::{
-  by_id::update_one_by_id,
-  mongodb::{
-    bson::{doc, to_document},
-    options::FindOneOptions,
-  },
-};
 use periphery_client::api;
 use resolver_api::Resolve;
 use tokio_util::sync::CancellationToken;
@@ -31,16 +32,11 @@ use crate::{
   helpers::{
     builder::{cleanup_builder_instance, get_builder_periphery},
     channel::repo_cancel_channel,
-    git_token,
-    interpolate::{
-      add_interp_update_log,
-      interpolate_variables_secrets_into_string,
-      interpolate_variables_secrets_into_system_command,
-    },
-    periphery_client,
-    query::get_variables_and_secrets,
+    git_token, periphery_client,
+    query::{VariablesAndSecrets, get_variables_and_secrets},
     update::update_update,
   },
+  permission::get_check_permissions,
   resource::{self, refresh_repo_state_cache},
   state::{action_states, db_client},
 };
@@ -73,10 +69,10 @@ impl Resolve<ExecuteArgs> for CloneRepo {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let mut repo = resource::get_check_permissions::<Repo>(
+    let mut repo = get_check_permissions::<Repo>(
       &self.repo,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -122,16 +118,18 @@ impl Resolve<ExecuteArgs> for CloneRepo {
         git_token,
         environment: repo.config.env_vars()?,
         env_file_path: repo.config.env_file_path,
+        on_clone: repo.config.on_clone.into(),
+        on_pull: repo.config.on_pull.into(),
         skip_secret_interp: repo.config.skip_secret_interp,
         replacers: secret_replacers.into_iter().collect(),
       })
       .await
     {
-      Ok(res) => res.logs,
+      Ok(res) => res.res.logs,
       Err(e) => {
         vec![Log::error(
-          "clone repo",
-          format_serror(&e.context("failed to clone repo").into()),
+          "Clone Repo",
+          format_serror(&e.context("Failed to clone repo").into()),
         )]
       }
     };
@@ -155,14 +153,14 @@ impl Resolve<ExecuteArgs> for CloneRepo {
       );
     };
 
-    handle_server_update_return(update).await
+    handle_repo_update_return(update).await
   }
 }
 
 impl super::BatchExecute for BatchPullRepo {
   type Resource = Repo;
   fn single_request(repo: String) -> ExecuteRequest {
-    ExecuteRequest::CloneRepo(CloneRepo { repo })
+    ExecuteRequest::PullRepo(PullRepo { repo })
   }
 }
 
@@ -185,10 +183,10 @@ impl Resolve<ExecuteArgs> for PullRepo {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let mut repo = resource::get_check_permissions::<Repo>(
+    let mut repo = get_check_permissions::<Repo>(
       &self.repo,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -235,14 +233,15 @@ impl Resolve<ExecuteArgs> for PullRepo {
         git_token,
         environment: repo.config.env_vars()?,
         env_file_path: repo.config.env_file_path,
+        on_pull: repo.config.on_pull.into(),
         skip_secret_interp: repo.config.skip_secret_interp,
         replacers: secret_replacers.into_iter().collect(),
       })
       .await
     {
       Ok(res) => {
-        update.commit_hash = res.commit_hash.unwrap_or_default();
-        res.logs
+        update.commit_hash = res.res.commit_hash.unwrap_or_default();
+        res.res.logs
       }
       Err(e) => {
         vec![Log::error(
@@ -272,12 +271,12 @@ impl Resolve<ExecuteArgs> for PullRepo {
       );
     };
 
-    handle_server_update_return(update).await
+    handle_repo_update_return(update).await
   }
 }
 
 #[instrument(skip_all, fields(update_id = update.id))]
-async fn handle_server_update_return(
+async fn handle_repo_update_return(
   update: Update,
 ) -> serror::Result<Update> {
   // Need to manually update the update before cache refresh,
@@ -288,7 +287,7 @@ async fn handle_server_update_return(
     let _ = update_one_by_id(
       &db_client().updates,
       &update.id,
-      mungos::update::Update::Set(update_doc),
+      database::mungos::update::Update::Set(update_doc),
       None,
     )
     .await;
@@ -340,10 +339,10 @@ impl Resolve<ExecuteArgs> for BuildRepo {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let mut repo = resource::get_check_permissions::<Repo>(
+    let mut repo = get_check_permissions::<Repo>(
       &self.repo,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -456,13 +455,15 @@ impl Resolve<ExecuteArgs> for BuildRepo {
           git_token,
           environment: repo.config.env_vars()?,
           env_file_path: repo.config.env_file_path,
+          on_clone: repo.config.on_clone.into(),
+          on_pull: repo.config.on_pull.into(),
           skip_secret_interp: repo.config.skip_secret_interp,
           replacers: secret_replacers.into_iter().collect()
         }) => res,
       _ = cancel.cancelled() => {
         debug!("build cancelled during clone, cleaning up builder");
         update.push_error_log("build cancelled", String::from("user cancelled build during repo clone"));
-        cleanup_builder_instance(periphery, cleanup_data, &mut update)
+        cleanup_builder_instance(cleanup_data, &mut update)
           .await;
         info!("builder cleaned up");
         return handle_builder_early_return(update, repo.id, repo.name, true).await
@@ -472,14 +473,15 @@ impl Resolve<ExecuteArgs> for BuildRepo {
     let commit_message = match res {
       Ok(res) => {
         debug!("finished repo clone");
-        update.logs.extend(res.logs);
-        update.commit_hash = res.commit_hash.unwrap_or_default();
-        res.commit_message.unwrap_or_default()
+        update.logs.extend(res.res.logs);
+        update.commit_hash = res.res.commit_hash.unwrap_or_default();
+
+        res.res.commit_message.unwrap_or_default()
       }
       Err(e) => {
         update.push_error_log(
-          "clone repo",
-          format_serror(&e.context("failed to clone repo").into()),
+          "Clone Repo",
+          format_serror(&e.context("Failed to clone repo").into()),
         );
         Default::default()
       }
@@ -506,8 +508,9 @@ impl Resolve<ExecuteArgs> for BuildRepo {
     // stop the cancel listening task from going forever
     cancel.cancel();
 
-    cleanup_builder_instance(periphery, cleanup_data, &mut update)
-      .await;
+    // If building on temporary cloud server (AWS),
+    // this will terminate the server.
+    cleanup_builder_instance(cleanup_data, &mut update).await;
 
     // Need to manually update the update before cache refresh,
     // and before broadcast with add_update.
@@ -517,7 +520,7 @@ impl Resolve<ExecuteArgs> for BuildRepo {
       let _ = update_one_by_id(
         &db.updates,
         &update.id,
-        mungos::update::Update::Set(update_doc),
+        database::mungos::update::Update::Set(update_doc),
         None,
       )
       .await;
@@ -566,7 +569,7 @@ async fn handle_builder_early_return(
     let _ = update_one_by_id(
       &db_client().updates,
       &update.id,
-      mungos::update::Update::Set(update_doc),
+      database::mungos::update::Update::Set(update_doc),
       None,
     )
     .await;
@@ -650,10 +653,10 @@ impl Resolve<ExecuteArgs> for CancelRepoBuild {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let repo = resource::get_check_permissions::<Repo>(
+    let repo = get_check_permissions::<Repo>(
       &self.repo,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -710,39 +713,17 @@ async fn interpolate(
   update: &mut Update,
 ) -> anyhow::Result<HashSet<(String, String)>> {
   if !repo.config.skip_secret_interp {
-    let vars_and_secrets = get_variables_and_secrets().await?;
+    let VariablesAndSecrets { variables, secrets } =
+      get_variables_and_secrets().await?;
 
-    let mut global_replacers = HashSet::new();
-    let mut secret_replacers = HashSet::new();
+    let mut interpolator =
+      Interpolator::new(Some(&variables), &secrets);
 
-    interpolate_variables_secrets_into_string(
-      &vars_and_secrets,
-      &mut repo.config.environment,
-      &mut global_replacers,
-      &mut secret_replacers,
-    )?;
+    interpolator
+      .interpolate_repo(repo)?
+      .push_logs(&mut update.logs);
 
-    interpolate_variables_secrets_into_system_command(
-      &vars_and_secrets,
-      &mut repo.config.on_clone,
-      &mut global_replacers,
-      &mut secret_replacers,
-    )?;
-
-    interpolate_variables_secrets_into_system_command(
-      &vars_and_secrets,
-      &mut repo.config.on_pull,
-      &mut global_replacers,
-      &mut secret_replacers,
-    )?;
-
-    add_interp_update_log(
-      update,
-      &global_replacers,
-      &secret_replacers,
-    );
-
-    Ok(secret_replacers)
+    Ok(interpolator.secret_replacers)
   } else {
     Ok(Default::default())
   }

bin/core/src/api/execute/server.rs

@@ -15,7 +15,7 @@ use resolver_api::Resolve;
 use crate::{
   helpers::{periphery_client, update::update_update},
   monitor::update_cache_for_server,
-  resource,
+  permission::get_check_permissions,
   state::action_states,
 };
 
@@ -27,10 +27,10 @@ impl Resolve<ExecuteArgs> for StartContainer {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -66,7 +66,7 @@ impl Resolve<ExecuteArgs> for StartContainer {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -81,10 +81,10 @@ impl Resolve<ExecuteArgs> for RestartContainer {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -122,7 +122,7 @@ impl Resolve<ExecuteArgs> for RestartContainer {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -137,10 +137,10 @@ impl Resolve<ExecuteArgs> for PauseContainer {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -176,7 +176,7 @@ impl Resolve<ExecuteArgs> for PauseContainer {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -191,10 +191,10 @@ impl Resolve<ExecuteArgs> for UnpauseContainer {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -232,7 +232,7 @@ impl Resolve<ExecuteArgs> for UnpauseContainer {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -247,10 +247,10 @@ impl Resolve<ExecuteArgs> for StopContainer {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -288,7 +288,7 @@ impl Resolve<ExecuteArgs> for StopContainer {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -309,10 +309,10 @@ impl Resolve<ExecuteArgs> for DestroyContainer {
       signal,
       time,
     } = self;
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -350,7 +350,7 @@ impl Resolve<ExecuteArgs> for DestroyContainer {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -365,10 +365,10 @@ impl Resolve<ExecuteArgs> for StartAllContainers {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -401,7 +401,7 @@ impl Resolve<ExecuteArgs> for StartAllContainers {
       );
     }
 
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -415,10 +415,10 @@ impl Resolve<ExecuteArgs> for RestartAllContainers {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -453,7 +453,7 @@ impl Resolve<ExecuteArgs> for RestartAllContainers {
       );
     }
 
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -467,10 +467,10 @@ impl Resolve<ExecuteArgs> for PauseAllContainers {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -503,7 +503,7 @@ impl Resolve<ExecuteArgs> for PauseAllContainers {
       );
     }
 
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -517,10 +517,10 @@ impl Resolve<ExecuteArgs> for UnpauseAllContainers {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -555,7 +555,7 @@ impl Resolve<ExecuteArgs> for UnpauseAllContainers {
       );
     }
 
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -569,10 +569,10 @@ impl Resolve<ExecuteArgs> for StopAllContainers {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -605,7 +605,7 @@ impl Resolve<ExecuteArgs> for StopAllContainers {
       );
     }
 
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
     update.finalize();
     update_update(update.clone()).await?;
 
@@ -619,10 +619,10 @@ impl Resolve<ExecuteArgs> for PruneContainers {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -660,7 +660,7 @@ impl Resolve<ExecuteArgs> for PruneContainers {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -675,10 +675,10 @@ impl Resolve<ExecuteArgs> for DeleteNetwork {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -711,7 +711,7 @@ impl Resolve<ExecuteArgs> for DeleteNetwork {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -726,10 +726,10 @@ impl Resolve<ExecuteArgs> for PruneNetworks {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -765,7 +765,7 @@ impl Resolve<ExecuteArgs> for PruneNetworks {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -780,10 +780,10 @@ impl Resolve<ExecuteArgs> for DeleteImage {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -813,7 +813,7 @@ impl Resolve<ExecuteArgs> for DeleteImage {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -828,10 +828,10 @@ impl Resolve<ExecuteArgs> for PruneImages {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -865,7 +865,7 @@ impl Resolve<ExecuteArgs> for PruneImages {
       };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -880,10 +880,10 @@ impl Resolve<ExecuteArgs> for DeleteVolume {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -916,7 +916,7 @@ impl Resolve<ExecuteArgs> for DeleteVolume {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -931,10 +931,10 @@ impl Resolve<ExecuteArgs> for PruneVolumes {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -968,7 +968,7 @@ impl Resolve<ExecuteArgs> for PruneVolumes {
       };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -983,10 +983,10 @@ impl Resolve<ExecuteArgs> for PruneDockerBuilders {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -1020,7 +1020,7 @@ impl Resolve<ExecuteArgs> for PruneDockerBuilders {
       };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -1035,10 +1035,10 @@ impl Resolve<ExecuteArgs> for PruneBuildx {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -1072,7 +1072,7 @@ impl Resolve<ExecuteArgs> for PruneBuildx {
       };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -1087,10 +1087,10 @@ impl Resolve<ExecuteArgs> for PruneSystem {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -1123,7 +1123,7 @@ impl Resolve<ExecuteArgs> for PruneSystem {
     };
 
     update.logs.push(log);
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;

bin/core/src/api/execute/server_template.rs

@@ -1,156 +0,0 @@
-use anyhow::{Context, anyhow};
-use formatting::format_serror;
-use komodo_client::{
-  api::{execute::LaunchServer, write::CreateServer},
-  entities::{
-    permission::PermissionLevel,
-    server::PartialServerConfig,
-    server_template::{ServerTemplate, ServerTemplateConfig},
-    update::Update,
-  },
-};
-use mungos::mongodb::bson::doc;
-use resolver_api::Resolve;
-
-use crate::{
-  api::write::WriteArgs,
-  cloud::{
-    aws::ec2::launch_ec2_instance, hetzner::launch_hetzner_server,
-  },
-  helpers::update::update_update,
-  resource,
-  state::db_client,
-};
-
-use super::ExecuteArgs;
-
-impl Resolve<ExecuteArgs> for LaunchServer {
-  #[instrument(name = "LaunchServer", skip(user, update), fields(user_id = user.id, update_id = update.id))]
-  async fn resolve(
-    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    // validate name isn't already taken by another server
-    if db_client()
-      .servers
-      .find_one(doc! {
-        "name": &self.name
-      })
-      .await
-      .context("failed to query db for servers")?
-      .is_some()
-    {
-      return Err(anyhow!("name is already taken").into());
-    }
-
-    let template = resource::get_check_permissions::<ServerTemplate>(
-      &self.server_template,
-      user,
-      PermissionLevel::Execute,
-    )
-    .await?;
-
-    let mut update = update.clone();
-
-    update.push_simple_log(
-      "launching server",
-      format!("{:#?}", template.config),
-    );
-    update_update(update.clone()).await?;
-
-    let config = match template.config {
-      ServerTemplateConfig::Aws(config) => {
-        let region = config.region.clone();
-        let use_https = config.use_https;
-        let port = config.port;
-        let instance =
-          match launch_ec2_instance(&self.name, config).await {
-            Ok(instance) => instance,
-            Err(e) => {
-              update.push_error_log(
-                "launch server",
-                format!("failed to launch aws instance\n\n{e:#?}"),
-              );
-              update.finalize();
-              update_update(update.clone()).await?;
-              return Ok(update);
-            }
-          };
-        update.push_simple_log(
-          "launch server",
-          format!(
-            "successfully launched server {} on ip {}",
-            self.name, instance.ip
-          ),
-        );
-        let protocol = if use_https { "https" } else { "http" };
-        PartialServerConfig {
-          address: format!("{protocol}://{}:{port}", instance.ip)
-            .into(),
-          region: region.into(),
-          ..Default::default()
-        }
-      }
-      ServerTemplateConfig::Hetzner(config) => {
-        let datacenter = config.datacenter;
-        let use_https = config.use_https;
-        let port = config.port;
-        let server =
-          match launch_hetzner_server(&self.name, config).await {
-            Ok(server) => server,
-            Err(e) => {
-              update.push_error_log(
-                "launch server",
-                format!("failed to launch hetzner server\n\n{e:#?}"),
-              );
-              update.finalize();
-              update_update(update.clone()).await?;
-              return Ok(update);
-            }
-          };
-        update.push_simple_log(
-          "launch server",
-          format!(
-            "successfully launched server {} on ip {}",
-            self.name, server.ip
-          ),
-        );
-        let protocol = if use_https { "https" } else { "http" };
-        PartialServerConfig {
-          address: format!("{protocol}://{}:{port}", server.ip)
-            .into(),
-          region: datacenter.as_ref().to_string().into(),
-          ..Default::default()
-        }
-      }
-    };
-
-    match (CreateServer {
-      name: self.name,
-      config,
-    })
-    .resolve(&WriteArgs { user: user.clone() })
-    .await
-    {
-      Ok(server) => {
-        update.push_simple_log(
-          "create server",
-          format!("created server {} ({})", server.name, server.id),
-        );
-        update.other_data = server.id;
-      }
-      Err(e) => {
-        update.push_error_log(
-          "create server",
-          format_serror(
-            &e.error.context("failed to create server").into(),
-          ),
-        );
-      }
-    };
-
-    update.finalize();
-    update_update(update.clone()).await?;
-    Ok(update)
-  }
-}

bin/core/src/api/execute/stack.rs

@@ -1,34 +1,40 @@
-use std::collections::HashSet;
+use std::{collections::HashSet, str::FromStr};
 
 use anyhow::Context;
+use database::mungos::mongodb::bson::{
+  doc, oid::ObjectId, to_bson, to_document,
+};
 use formatting::format_serror;
+use interpolate::Interpolator;
 use komodo_client::{
   api::{execute::*, write::RefreshStackCache},
   entities::{
+    FileContents,
     permission::PermissionLevel,
+    repo::Repo,
     server::Server,
-    stack::{Stack, StackInfo},
+    stack::{
+      Stack, StackFileRequires, StackInfo, StackRemoteFileContents,
+    },
     update::{Log, Update},
+    user::User,
   },
 };
-use mungos::mongodb::bson::{doc, to_document};
 use periphery_client::api::compose::*;
 use resolver_api::Resolve;
 
 use crate::{
   api::write::WriteArgs,
   helpers::{
-    interpolate::{
-      add_interp_update_log,
-      interpolate_variables_secrets_into_extra_args,
-      interpolate_variables_secrets_into_string,
-      interpolate_variables_secrets_into_system_command,
-    },
     periphery_client,
-    query::get_variables_and_secrets,
-    update::{add_update_without_send, update_update},
+    query::{VariablesAndSecrets, get_variables_and_secrets},
+    stack_git_token,
+    update::{
+      add_update_without_send, init_execution_update, update_update,
+    },
   },
   monitor::update_cache_for_server,
+  permission::get_check_permissions,
   resource,
   stack::{execute::execute_compose, get_stack_and_server},
   state::{action_states, db_client},
@@ -69,11 +75,21 @@ impl Resolve<ExecuteArgs> for DeployStack {
     let (mut stack, server) = get_stack_and_server(
       &self.stack,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
       true,
     )
     .await?;
 
+    let mut repo = if !stack.config.files_on_host
+      && !stack.config.linked_repo.is_empty()
+    {
+      crate::resource::get::<Repo>(&stack.config.linked_repo)
+        .await?
+        .into()
+    } else {
+      None
+    };
+
     // get the action state for the stack (or insert default).
     let action_state =
       action_states().stack.get_or_insert_default(&stack.id).await;
@@ -97,13 +113,8 @@ impl Resolve<ExecuteArgs> for DeployStack {
       ))
     }
 
-    let git_token = crate::helpers::git_token(
-      &stack.config.git_provider,
-      &stack.config.git_account,
-      |https| stack.config.git_https = https,
-    ).await.with_context(
-      || format!("Failed to get git token in call to db. Stopping run. | {} | {}", stack.config.git_provider, stack.config.git_account),
-    )?;
+    let git_token =
+      stack_git_token(&mut stack, repo.as_mut()).await?;
 
     let registry_token = crate::helpers::registry_token(
       &stack.config.registry_provider,
@@ -115,60 +126,21 @@ impl Resolve<ExecuteArgs> for DeployStack {
     // interpolate variables / secrets, returning the sanitizing replacers to send to
     // periphery so it may sanitize the final command for safe logging (avoids exposing secret values)
     let secret_replacers = if !stack.config.skip_secret_interp {
-      let vars_and_secrets = get_variables_and_secrets().await?;
+      let VariablesAndSecrets { variables, secrets } =
+        get_variables_and_secrets().await?;
 
-      let mut global_replacers = HashSet::new();
-      let mut secret_replacers = HashSet::new();
+      let mut interpolator =
+        Interpolator::new(Some(&variables), &secrets);
 
-      interpolate_variables_secrets_into_string(
-        &vars_and_secrets,
-        &mut stack.config.file_contents,
-        &mut global_replacers,
-        &mut secret_replacers,
-      )?;
+      interpolator.interpolate_stack(&mut stack)?;
+      if let Some(repo) = repo.as_mut()
+        && !repo.config.skip_secret_interp
+      {
+        interpolator.interpolate_repo(repo)?;
+      }
+      interpolator.push_logs(&mut update.logs);
 
-      interpolate_variables_secrets_into_string(
-        &vars_and_secrets,
-        &mut stack.config.environment,
-        &mut global_replacers,
-        &mut secret_replacers,
-      )?;
-
-      interpolate_variables_secrets_into_extra_args(
-        &vars_and_secrets,
-        &mut stack.config.extra_args,
-        &mut global_replacers,
-        &mut secret_replacers,
-      )?;
-
-      interpolate_variables_secrets_into_extra_args(
-        &vars_and_secrets,
-        &mut stack.config.build_extra_args,
-        &mut global_replacers,
-        &mut secret_replacers,
-      )?;
-
-      interpolate_variables_secrets_into_system_command(
-        &vars_and_secrets,
-        &mut stack.config.pre_deploy,
-        &mut global_replacers,
-        &mut secret_replacers,
-      )?;
-
-      interpolate_variables_secrets_into_system_command(
-        &vars_and_secrets,
-        &mut stack.config.post_deploy,
-        &mut global_replacers,
-        &mut secret_replacers,
-      )?;
-
-      add_interp_update_log(
-        &mut update,
-        &global_replacers,
-        &secret_replacers,
-      );
-
-      secret_replacers
+      interpolator.secret_replacers
     } else {
       Default::default()
     };
@@ -187,6 +159,7 @@ impl Resolve<ExecuteArgs> for DeployStack {
       .request(ComposeUp {
         stack: stack.clone(),
         services: self.services,
+        repo,
         git_token,
         registry_token,
         replacers: secret_replacers.into_iter().collect(),
@@ -216,7 +189,15 @@ impl Resolve<ExecuteArgs> for DeployStack {
       ) = if deployed {
         (
           Some(latest_services.clone()),
-          Some(file_contents.clone()),
+          Some(
+            file_contents
+              .iter()
+              .map(|f| FileContents {
+                path: f.path.clone(),
+                contents: f.contents.clone(),
+              })
+              .collect(),
+          ),
           compose_config,
           commit_hash.clone(),
           commit_message.clone(),
@@ -279,7 +260,7 @@ impl Resolve<ExecuteArgs> for DeployStack {
     }
 
     // Ensure cached stack state up to date by updating server cache
-    update_cache_for_server(&server).await;
+    update_cache_for_server(&server, true).await;
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -320,96 +301,424 @@ impl Resolve<ExecuteArgs> for DeployStackIfChanged {
     self,
     ExecuteArgs { user, update }: &ExecuteArgs,
   ) -> serror::Result<Update> {
-    let stack = resource::get_check_permissions::<Stack>(
+    let stack = get_check_permissions::<Stack>(
       &self.stack,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
+
     RefreshStackCache {
       stack: stack.id.clone(),
     }
     .resolve(&WriteArgs { user: user.clone() })
     .await?;
+
     let stack = resource::get::<Stack>(&stack.id).await?;
-    let changed = match (
+
+    let action = match (
       &stack.info.deployed_contents,
       &stack.info.remote_contents,
     ) {
       (Some(deployed_contents), Some(latest_contents)) => {
-        let changed = || {
-          for latest in latest_contents {
-            let Some(deployed) = deployed_contents
-              .iter()
-              .find(|c| c.path == latest.path)
-            else {
-              return true;
-            };
-            if latest.contents != deployed.contents {
-              return true;
-            }
-          }
-          false
-        };
-        changed()
+        let services = stack
+          .info
+          .latest_services
+          .iter()
+          .map(|s| s.service_name.clone())
+          .collect::<Vec<_>>();
+        resolve_deploy_if_changed_action(
+          deployed_contents,
+          latest_contents,
+          &services,
+        )
       }
-      (None, _) => true,
-      _ => false,
+      (None, _) => DeployIfChangedAction::FullDeploy,
+      _ => DeployIfChangedAction::Services {
+        deploy: Vec::new(),
+        restart: Vec::new(),
+      },
     };
 
     let mut update = update.clone();
 
-    if !changed {
-      update.push_simple_log(
-        "Diff compose files",
-        String::from("Deploy cancelled after no changes detected."),
-      );
-      update.finalize();
-      return Ok(update);
-    }
+    match action {
+      // Existing path pre 1.19.1
+      DeployIfChangedAction::FullDeploy => {
+        // Don't actually send it here, let the handler send it after it can set action state.
+        // This is usually done in crate::helpers::update::init_execution_update.
+        update.id = add_update_without_send(&update).await?;
 
-    // Don't actually send it here, let the handler send it after it can set action state.
-    // This is usually done in crate::helpers::update::init_execution_update.
-    update.id = add_update_without_send(&update).await?;
+        DeployStack {
+          stack: stack.name,
+          services: Vec::new(),
+          stop_time: self.stop_time,
+        }
+        .resolve(&ExecuteArgs {
+          user: user.clone(),
+          update,
+        })
+        .await
+      }
+      DeployIfChangedAction::FullRestart => {
+        // For git repo based stacks, need to do a
+        // PullStack in order to ensure latest repo contents on the
+        // host before restart.
+        maybe_pull_stack(&stack, Some(&mut update)).await?;
 
-    DeployStack {
-      stack: stack.name,
-      services: Vec::new(),
-      stop_time: self.stop_time,
+        let mut update =
+          restart_services(stack.name, Vec::new(), user).await?;
+
+        if update.success {
+          // Need to update 'info.deployed_contents' with the
+          // latest contents so next check doesn't read the same diff.
+          update_deployed_contents_with_latest(
+            &stack.id,
+            stack.info.remote_contents,
+            &mut update,
+          )
+          .await;
+        }
+
+        Ok(update)
+      }
+      DeployIfChangedAction::Services { deploy, restart } => {
+        match (deploy.is_empty(), restart.is_empty()) {
+          // Both empty, nothing to do
+          (true, true) => {
+            update.push_simple_log(
+              "Diff compose files",
+              String::from(
+                "Deploy cancelled after no changes detected.",
+              ),
+            );
+            update.finalize();
+            Ok(update)
+          }
+          // Only restart
+          (true, false) => {
+            // For git repo based stacks, need to do a
+            // PullStack in order to ensure latest repo contents on the
+            // host before restart. Only necessary if no "deploys" (deploy already pulls stack).
+            maybe_pull_stack(&stack, Some(&mut update)).await?;
+
+            let mut update =
+              restart_services(stack.name, restart, user).await?;
+
+            if update.success {
+              // Need to update 'info.deployed_contents' with the
+              // latest contents so next check doesn't read the same diff.
+              update_deployed_contents_with_latest(
+                &stack.id,
+                stack.info.remote_contents,
+                &mut update,
+              )
+              .await;
+            }
+
+            Ok(update)
+          }
+          // Only deploy
+          (false, true) => {
+            deploy_services(stack.name, deploy, user).await
+          }
+          // Deploy then restart, returning non-db update with executed services.
+          (false, false) => {
+            update.push_simple_log(
+              "Execute Deploys",
+              format!("Deploying: {}", deploy.join(", "),),
+            );
+            // This already updates 'stack.info.deployed_services',
+            // restart doesn't require this again.
+            let deploy_update =
+              deploy_services(stack.name.clone(), deploy, user)
+                .await?;
+            if !deploy_update.success {
+              update.push_error_log(
+                "Execute Deploys",
+                String::from("There was a failure in service deploy"),
+              );
+              update.finalize();
+              return Ok(update);
+            }
+
+            update.push_simple_log(
+              "Execute Restarts",
+              format!("Restarting: {}", restart.join(", "),),
+            );
+            let restart_update =
+              restart_services(stack.name, restart, user).await?;
+            if !restart_update.success {
+              update.push_error_log(
+                "Execute Restarts",
+                String::from(
+                  "There was a failure in a service restart",
+                ),
+              );
+            }
+
+            update.finalize();
+            Ok(update)
+          }
+        }
+      }
     }
+  }
+}
+
+async fn deploy_services(
+  stack: String,
+  services: Vec<String>,
+  user: &User,
+) -> serror::Result<Update> {
+  // The existing update is initialized to DeployStack,
+  // but also has not been created on database.
+  // Setup a new update here.
+  let req = ExecuteRequest::DeployStack(DeployStack {
+    stack,
+    services,
+    stop_time: None,
+  });
+  let update = init_execution_update(&req, user).await?;
+  let ExecuteRequest::DeployStack(req) = req else {
+    unreachable!()
+  };
+  req
     .resolve(&ExecuteArgs {
       user: user.clone(),
       update,
     })
     .await
+}
+
+async fn restart_services(
+  stack: String,
+  services: Vec<String>,
+  user: &User,
+) -> serror::Result<Update> {
+  // The existing update is initialized to DeployStack,
+  // but also has not been created on database.
+  // Setup a new update here.
+  let req =
+    ExecuteRequest::RestartStack(RestartStack { stack, services });
+  let update = init_execution_update(&req, user).await?;
+  let ExecuteRequest::RestartStack(req) = req else {
+    unreachable!()
+  };
+  req
+    .resolve(&ExecuteArgs {
+      user: user.clone(),
+      update,
+    })
+    .await
+}
+
+/// This can safely be called in [DeployStackIfChanged]
+/// when there are ONLY changes to config files requiring restart,
+/// AFTER the restart has been successfully completed.
+///
+/// In the case the if changed action is not FullDeploy,
+/// the only file diff possible is to config files.
+/// Also note either full or service deploy will already update 'deployed_contents'
+/// making this method unnecessary in those cases.
+///
+/// Changes to config files after restart is applied should
+/// be taken as the deployed contents, otherwise next changed check
+/// will restart service again for no reason.
+async fn update_deployed_contents_with_latest(
+  id: &str,
+  contents: Option<Vec<StackRemoteFileContents>>,
+  update: &mut Update,
+) {
+  let Some(contents) = contents else {
+    return;
+  };
+  let contents = contents
+    .into_iter()
+    .map(|f| FileContents {
+      path: f.path,
+      contents: f.contents,
+    })
+    .collect::<Vec<_>>();
+  if let Err(e) = (async {
+    let contents = to_bson(&contents)
+      .context("Failed to serialize contents to bson")?;
+    let id =
+      ObjectId::from_str(id).context("Id is not valid ObjectId")?;
+    db_client()
+      .stacks
+      .update_one(
+        doc! { "_id": id },
+        doc! { "$set": { "info.deployed_contents": contents } },
+      )
+      .await
+      .context("Failed to update stack 'deployed_contents'")?;
+    anyhow::Ok(())
+  })
+  .await
+  {
+    update.push_error_log(
+      "Update content cache",
+      format_serror(&e.into()),
+    );
+    update.finalize();
+    let _ = update_update(update.clone()).await;
   }
 }
 
+enum DeployIfChangedAction {
+  /// Changes to any compose or env files
+  /// always lead to this.
+  FullDeploy,
+  /// If the above is not met, then changes to
+  /// any changed additional file with `requires = "Restart"`
+  /// and empty services array will lead to this.
+  FullRestart,
+  /// If all changed additional files have specific services
+  /// they depend on, collect the final necessary
+  /// services to deploy / restart.
+  /// If eg `deploy` is empty, no services will be redeployed, same for `restart`.
+  /// If both are empty, nothing is to be done.
+  Services {
+    deploy: Vec<String>,
+    restart: Vec<String>,
+  },
+}
+
+fn resolve_deploy_if_changed_action(
+  deployed_contents: &[FileContents],
+  latest_contents: &[StackRemoteFileContents],
+  all_services: &[String],
+) -> DeployIfChangedAction {
+  let mut full_restart = false;
+  let mut deploy = HashSet::<String>::new();
+  let mut restart = HashSet::<String>::new();
+
+  for latest in latest_contents {
+    let Some(deployed) =
+      deployed_contents.iter().find(|c| c.path == latest.path)
+    else {
+      // If file doesn't exist in deployed contents, do full
+      // deploy to align this.
+      return DeployIfChangedAction::FullDeploy;
+    };
+    // Ignore unchanged files
+    if latest.contents == deployed.contents {
+      continue;
+    }
+    match (latest.requires, latest.services.is_empty()) {
+      (StackFileRequires::Redeploy, true) => {
+        // File has requires = "Redeploy" at global level.
+        // Can do early return here.
+        return DeployIfChangedAction::FullDeploy;
+      }
+      (StackFileRequires::Redeploy, false) => {
+        // Requires redeploy on specific services
+        deploy.extend(latest.services.clone());
+      }
+      (StackFileRequires::Restart, true) => {
+        // Services empty -> Full restart
+        full_restart = true;
+      }
+      (StackFileRequires::Restart, false) => {
+        restart.extend(latest.services.clone());
+      }
+      (StackFileRequires::None, _) => {
+        // File can be ignored even with changes.
+        continue;
+      }
+    }
+  }
+
+  match (full_restart, deploy.is_empty()) {
+    // Full restart required with NO deploys needed -> Full Restart
+    (true, true) => DeployIfChangedAction::FullRestart,
+    // Full restart required WITH deploys needed -> Deploy those, restart all others
+    (true, false) => DeployIfChangedAction::Services {
+      restart: all_services
+        .iter()
+        // Only keep ones that don't need deploy
+        .filter(|&s| !deploy.contains(s))
+        .cloned()
+        .collect(),
+      deploy: deploy.into_iter().collect(),
+    },
+    // No full restart needed -> Deploy / restart as. pickedup.
+    (false, _) => DeployIfChangedAction::Services {
+      deploy: deploy.into_iter().collect(),
+      restart: restart.into_iter().collect(),
+    },
+  }
+}
+
+impl super::BatchExecute for BatchPullStack {
+  type Resource = Stack;
+  fn single_request(stack: String) -> ExecuteRequest {
+    ExecuteRequest::PullStack(PullStack {
+      stack,
+      services: Vec::new(),
+    })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchPullStack {
+  #[instrument(name = "BatchPullStack", skip(user), fields(user_id = user.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, .. }: &ExecuteArgs,
+  ) -> serror::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchPullStack>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+async fn maybe_pull_stack(
+  stack: &Stack,
+  update: Option<&mut Update>,
+) -> anyhow::Result<()> {
+  if stack.config.files_on_host
+    || (stack.config.repo.is_empty()
+      && stack.config.linked_repo.is_empty())
+  {
+    // Not repo based, no pull necessary
+    return Ok(());
+  }
+  let server =
+    resource::get::<Server>(&stack.config.server_id).await?;
+  let repo = if stack.config.repo.is_empty()
+    && !stack.config.linked_repo.is_empty()
+  {
+    Some(resource::get::<Repo>(&stack.config.linked_repo).await?)
+  } else {
+    None
+  };
+  pull_stack_inner(stack.clone(), Vec::new(), &server, repo, update)
+    .await?;
+  Ok(())
+}
+
 pub async fn pull_stack_inner(
   mut stack: Stack,
   services: Vec<String>,
   server: &Server,
+  mut repo: Option<Repo>,
   mut update: Option<&mut Update>,
 ) -> anyhow::Result<ComposePullResponse> {
-  if let Some(update) = update.as_mut() {
-    if !services.is_empty() {
-      update.logs.push(Log::simple(
-        "Service/s",
-        format!(
-          "Execution requested for Stack service/s {}",
-          services.join(", ")
-        ),
-      ))
-    }
+  if let Some(update) = update.as_mut()
+    && !services.is_empty()
+  {
+    update.logs.push(Log::simple(
+      "Service/s",
+      format!(
+        "Execution requested for Stack service/s {}",
+        services.join(", ")
+      ),
+    ))
   }
 
-  let git_token = crate::helpers::git_token(
-      &stack.config.git_provider,
-      &stack.config.git_account,
-      |https| stack.config.git_https = https,
-    ).await.with_context(
-      || format!("Failed to get git token in call to db. Stopping run. | {} | {}", stack.config.git_provider, stack.config.git_account),
-    )?;
+  let git_token = stack_git_token(&mut stack, repo.as_mut()).await?;
 
   let registry_token = crate::helpers::registry_token(
       &stack.config.registry_provider,
@@ -419,46 +728,40 @@ pub async fn pull_stack_inner(
     )?;
 
   // interpolate variables / secrets
-  if !stack.config.skip_secret_interp {
-    let vars_and_secrets = get_variables_and_secrets().await?;
+  let secret_replacers = if !stack.config.skip_secret_interp {
+    let VariablesAndSecrets { variables, secrets } =
+      get_variables_and_secrets().await?;
 
-    let mut global_replacers = HashSet::new();
-    let mut secret_replacers = HashSet::new();
+    let mut interpolator =
+      Interpolator::new(Some(&variables), &secrets);
 
-    interpolate_variables_secrets_into_string(
-      &vars_and_secrets,
-      &mut stack.config.file_contents,
-      &mut global_replacers,
-      &mut secret_replacers,
-    )?;
-
-    interpolate_variables_secrets_into_string(
-      &vars_and_secrets,
-      &mut stack.config.environment,
-      &mut global_replacers,
-      &mut secret_replacers,
-    )?;
-
-    if let Some(update) = update {
-      add_interp_update_log(
-        update,
-        &global_replacers,
-        &secret_replacers,
-      );
+    interpolator.interpolate_stack(&mut stack)?;
+    if let Some(repo) = repo.as_mut()
+      && !repo.config.skip_secret_interp
+    {
+      interpolator.interpolate_repo(repo)?;
     }
+    if let Some(update) = update {
+      interpolator.push_logs(&mut update.logs);
+    }
+    interpolator.secret_replacers
+  } else {
+    Default::default()
   };
 
   let res = periphery_client(server)?
     .request(ComposePull {
       stack,
       services,
+      repo,
       git_token,
       registry_token,
+      replacers: secret_replacers.into_iter().collect(),
     })
     .await?;
 
   // Ensure cached stack state up to date by updating server cache
-  update_cache_for_server(server).await;
+  update_cache_for_server(server, true).await;
 
   Ok(res)
 }
@@ -472,11 +775,21 @@ impl Resolve<ExecuteArgs> for PullStack {
     let (stack, server) = get_stack_and_server(
       &self.stack,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
       true,
     )
     .await?;
 
+    let repo = if !stack.config.files_on_host
+      && !stack.config.linked_repo.is_empty()
+    {
+      crate::resource::get::<Repo>(&stack.config.linked_repo)
+        .await?
+        .into()
+    } else {
+      None
+    };
+
     // get the action state for the stack (or insert default).
     let action_state =
       action_states().stack.get_or_insert_default(&stack.id).await;
@@ -493,6 +806,7 @@ impl Resolve<ExecuteArgs> for PullStack {
       stack,
       self.services,
       &server,
+      repo,
       Some(&mut update),
     )
     .await?;
@@ -644,3 +958,95 @@ impl Resolve<ExecuteArgs> for DestroyStack {
     .map_err(Into::into)
   }
 }
+
+impl Resolve<ExecuteArgs> for RunStackService {
+  #[instrument(name = "RunStackService", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update }: &ExecuteArgs,
+  ) -> serror::Result<Update> {
+    let (mut stack, server) = get_stack_and_server(
+      &self.stack,
+      user,
+      PermissionLevel::Execute.into(),
+      true,
+    )
+    .await?;
+
+    let mut repo = if !stack.config.files_on_host
+      && !stack.config.linked_repo.is_empty()
+    {
+      crate::resource::get::<Repo>(&stack.config.linked_repo)
+        .await?
+        .into()
+    } else {
+      None
+    };
+
+    let action_state =
+      action_states().stack.get_or_insert_default(&stack.id).await;
+
+    let _action_guard =
+      action_state.update(|state| state.deploying = true)?;
+
+    let mut update = update.clone();
+    update_update(update.clone()).await?;
+
+    let git_token =
+      stack_git_token(&mut stack, repo.as_mut()).await?;
+
+    let registry_token = crate::helpers::registry_token(
+      &stack.config.registry_provider,
+      &stack.config.registry_account,
+    ).await.with_context(
+      || format!("Failed to get registry token in call to db. Stopping run. | {} | {}", stack.config.registry_provider, stack.config.registry_account),
+    )?;
+
+    let secret_replacers = if !stack.config.skip_secret_interp {
+      let VariablesAndSecrets { variables, secrets } =
+        get_variables_and_secrets().await?;
+
+      let mut interpolator =
+        Interpolator::new(Some(&variables), &secrets);
+
+      interpolator.interpolate_stack(&mut stack)?;
+      if let Some(repo) = repo.as_mut()
+        && !repo.config.skip_secret_interp
+      {
+        interpolator.interpolate_repo(repo)?;
+      }
+      interpolator.push_logs(&mut update.logs);
+
+      interpolator.secret_replacers
+    } else {
+      Default::default()
+    };
+
+    let log = periphery_client(&server)?
+      .request(ComposeRun {
+        stack,
+        repo,
+        git_token,
+        registry_token,
+        replacers: secret_replacers.into_iter().collect(),
+        service: self.service,
+        command: self.command,
+        no_tty: self.no_tty,
+        no_deps: self.no_deps,
+        detach: self.detach,
+        service_ports: self.service_ports,
+        env: self.env,
+        workdir: self.workdir,
+        user: self.user,
+        entrypoint: self.entrypoint,
+        pull: self.pull,
+      })
+      .await?;
+
+    update.logs.push(log);
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}

bin/core/src/api/execute/sync.rs

@@ -1,6 +1,10 @@
 use std::{collections::HashMap, str::FromStr};
 
 use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::update_one_by_id,
+  mongodb::bson::{doc, oid::ObjectId},
+};
 use formatting::{Color, colored, format_serror};
 use komodo_client::{
   api::{execute::RunSync, write::RefreshResourceSyncPending},
@@ -16,24 +20,24 @@ use komodo_client::{
     procedure::Procedure,
     repo::Repo,
     server::Server,
-    server_template::ServerTemplate,
     stack::Stack,
     sync::ResourceSync,
     update::{Log, Update},
     user::sync_user,
   },
 };
-use mongo_indexed::doc;
-use mungos::{by_id::update_one_by_id, mongodb::bson::oid::ObjectId};
 use resolver_api::Resolve;
 
 use crate::{
   api::write::WriteArgs,
-  helpers::{query::get_id_to_tags, update::update_update},
-  resource,
+  helpers::{
+    all_resources::AllResourcesById, query::get_id_to_tags,
+    update::update_update,
+  },
+  permission::get_check_permissions,
   state::{action_states, db_client},
   sync::{
-    AllResourcesById, ResourceSyncTrait,
+    ResourceSyncTrait,
     deploy::{
       SyncDeployParams, build_deploy_cache, deploy_from_cache,
     },
@@ -55,16 +59,26 @@ impl Resolve<ExecuteArgs> for RunSync {
       resource_type: match_resource_type,
       resources: match_resources,
     } = self;
-    let sync = resource::get_check_permissions::<
-      entities::sync::ResourceSync,
-    >(&sync, user, PermissionLevel::Execute)
+    let sync = get_check_permissions::<entities::sync::ResourceSync>(
+      &sync,
+      user,
+      PermissionLevel::Execute.into(),
+    )
     .await?;
 
+    let repo = if !sync.config.files_on_host
+      && !sync.config.linked_repo.is_empty()
+    {
+      crate::resource::get::<Repo>(&sync.config.linked_repo)
+        .await?
+        .into()
+    } else {
+      None
+    };
+
     // get the action state for the sync (or insert default).
-    let action_state = action_states()
-      .resource_sync
-      .get_or_insert_default(&sync.id)
-      .await;
+    let action_state =
+      action_states().sync.get_or_insert_default(&sync.id).await;
 
     // This will set action state back to default when dropped.
     // Will also check to ensure sync not already busy before updating.
@@ -83,9 +97,10 @@ impl Resolve<ExecuteArgs> for RunSync {
       message,
       file_errors,
       ..
-    } = crate::sync::remote::get_remote_resources(&sync)
-      .await
-      .context("failed to get remote resources")?;
+    } =
+      crate::sync::remote::get_remote_resources(&sync, repo.as_ref())
+        .await
+        .context("failed to get remote resources")?;
 
     update.logs.extend(logs);
     update_update(update.clone()).await?;
@@ -142,10 +157,6 @@ impl Resolve<ExecuteArgs> for RunSync {
                 .servers
                 .get(&name_or_id)
                 .map(|s| s.name.clone()),
-              ResourceTargetVariant::ServerTemplate => all_resources
-                .templates
-                .get(&name_or_id)
-                .map(|t| t.name.clone()),
               ResourceTargetVariant::Stack => all_resources
                 .stacks
                 .get(&name_or_id)
@@ -200,7 +211,6 @@ impl Resolve<ExecuteArgs> for RunSync {
       deployment_map: &deployments_by_name,
       stacks: &resources.stacks,
       stack_map: &stacks_by_name,
-      all_resources: &all_resources,
     })
     .await?;
 
@@ -210,7 +220,6 @@ impl Resolve<ExecuteArgs> for RunSync {
       get_updates_for_execution::<Server>(
         resources.servers,
         delete,
-        &all_resources,
         match_resource_type,
         match_resources.as_deref(),
         &id_to_tags,
@@ -224,7 +233,6 @@ impl Resolve<ExecuteArgs> for RunSync {
       get_updates_for_execution::<Stack>(
         resources.stacks,
         delete,
-        &all_resources,
         match_resource_type,
         match_resources.as_deref(),
         &id_to_tags,
@@ -238,7 +246,6 @@ impl Resolve<ExecuteArgs> for RunSync {
       get_updates_for_execution::<Deployment>(
         resources.deployments,
         delete,
-        &all_resources,
         match_resource_type,
         match_resources.as_deref(),
         &id_to_tags,
@@ -252,7 +259,6 @@ impl Resolve<ExecuteArgs> for RunSync {
       get_updates_for_execution::<Build>(
         resources.builds,
         delete,
-        &all_resources,
         match_resource_type,
         match_resources.as_deref(),
         &id_to_tags,
@@ -266,7 +272,6 @@ impl Resolve<ExecuteArgs> for RunSync {
       get_updates_for_execution::<Repo>(
         resources.repos,
         delete,
-        &all_resources,
         match_resource_type,
         match_resources.as_deref(),
         &id_to_tags,
@@ -280,7 +285,6 @@ impl Resolve<ExecuteArgs> for RunSync {
       get_updates_for_execution::<Procedure>(
         resources.procedures,
         delete,
-        &all_resources,
         match_resource_type,
         match_resources.as_deref(),
         &id_to_tags,
@@ -294,7 +298,6 @@ impl Resolve<ExecuteArgs> for RunSync {
       get_updates_for_execution::<Action>(
         resources.actions,
         delete,
-        &all_resources,
         match_resource_type,
         match_resources.as_deref(),
         &id_to_tags,
@@ -308,7 +311,6 @@ impl Resolve<ExecuteArgs> for RunSync {
       get_updates_for_execution::<Builder>(
         resources.builders,
         delete,
-        &all_resources,
         match_resource_type,
         match_resources.as_deref(),
         &id_to_tags,
@@ -322,21 +324,6 @@ impl Resolve<ExecuteArgs> for RunSync {
       get_updates_for_execution::<Alerter>(
         resources.alerters,
         delete,
-        &all_resources,
-        match_resource_type,
-        match_resources.as_deref(),
-        &id_to_tags,
-        &sync.config.match_tags,
-      )
-      .await?
-    } else {
-      Default::default()
-    };
-    let server_template_deltas = if sync.config.include_resources {
-      get_updates_for_execution::<ServerTemplate>(
-        resources.server_templates,
-        delete,
-        &all_resources,
         match_resource_type,
         match_resources.as_deref(),
         &id_to_tags,
@@ -350,7 +337,6 @@ impl Resolve<ExecuteArgs> for RunSync {
       get_updates_for_execution::<entities::sync::ResourceSync>(
         resources.resource_syncs,
         delete,
-        &all_resources,
         match_resource_type,
         match_resources.as_deref(),
         &id_to_tags,
@@ -388,7 +374,6 @@ impl Resolve<ExecuteArgs> for RunSync {
       crate::sync::user_groups::get_updates_for_execution(
         resources.user_groups,
         delete,
-        &all_resources,
       )
       .await?
     } else {
@@ -397,7 +382,6 @@ impl Resolve<ExecuteArgs> for RunSync {
 
     if deploy_cache.is_empty()
       && resource_sync_deltas.no_changes()
-      && server_template_deltas.no_changes()
       && server_deltas.no_changes()
       && deployment_deltas.no_changes()
       && stack_deltas.no_changes()
@@ -451,11 +435,6 @@ impl Resolve<ExecuteArgs> for RunSync {
       &mut update.logs,
       ResourceSync::execute_sync_updates(resource_sync_deltas).await,
     );
-    maybe_extend(
-      &mut update.logs,
-      ServerTemplate::execute_sync_updates(server_template_deltas)
-        .await,
-    );
     maybe_extend(
       &mut update.logs,
       Server::execute_sync_updates(server_deltas).await,

bin/core/src/api/mod.rs

@@ -1,5 +1,11 @@
 pub mod auth;
 pub mod execute;
 pub mod read;
+pub mod terminal;
 pub mod user;
 pub mod write;
+
+#[derive(serde::Deserialize)]
+struct Variant {
+  variant: String,
+}

bin/core/src/api/read/action.rs

@@ -12,6 +12,7 @@ use resolver_api::Resolve;
 
 use crate::{
   helpers::query::get_all_tags,
+  permission::get_check_permissions,
   resource,
   state::{action_state_cache, action_states},
 };
@@ -24,10 +25,10 @@ impl Resolve<ReadArgs> for GetAction {
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<Action> {
     Ok(
-      resource::get_check_permissions::<Action>(
+      get_check_permissions::<Action>(
         &self.action,
         user,
-        PermissionLevel::Read,
+        PermissionLevel::Read.into(),
       )
       .await?,
     )
@@ -45,8 +46,13 @@ impl Resolve<ReadArgs> for ListActions {
       get_all_tags(None).await?
     };
     Ok(
-      resource::list_for_user::<Action>(self.query, user, &all_tags)
-        .await?,
+      resource::list_for_user::<Action>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
     )
   }
 }
@@ -63,7 +69,10 @@ impl Resolve<ReadArgs> for ListFullActions {
     };
     Ok(
       resource::list_full_for_user::<Action>(
-        self.query, user, &all_tags,
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
       )
       .await?,
     )
@@ -75,10 +84,10 @@ impl Resolve<ReadArgs> for GetActionActionState {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<ActionActionState> {
-    let action = resource::get_check_permissions::<Action>(
+    let action = get_check_permissions::<Action>(
       &self.action,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let action_state = action_states()
@@ -99,6 +108,7 @@ impl Resolve<ReadArgs> for GetActionsSummary {
     let actions = resource::list_full_for_user::<Action>(
       Default::default(),
       user,
+      PermissionLevel::Read.into(),
       &[],
     )
     .await
@@ -121,8 +131,8 @@ impl Resolve<ReadArgs> for GetActionsSummary {
           .unwrap_or_default()
           .get()?,
       ) {
-        (_, action_states) if action_states.running => {
-          res.running += 1;
+        (_, action_states) if action_states.running > 0 => {
+          res.running += action_states.running;
         }
         (ActionState::Ok, _) => res.ok += 1,
         (ActionState::Failed, _) => res.failed += 1,

bin/core/src/api/read/alert.rs

@@ -1,4 +1,9 @@
 use anyhow::Context;
+use database::mungos::{
+  by_id::find_one_by_id,
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
 use komodo_client::{
   api::read::{
     GetAlert, GetAlertResponse, ListAlerts, ListAlertsResponse,
@@ -8,15 +13,10 @@ use komodo_client::{
     sync::ResourceSync,
   },
 };
-use mungos::{
-  by_id::find_one_by_id,
-  find::find_collect,
-  mongodb::{bson::doc, options::FindOptions},
-};
 use resolver_api::Resolve;
 
 use crate::{
-  config::core_config, resource::get_resource_ids_for_user,
+  config::core_config, permission::get_resource_ids_for_user,
   state::db_client,
 };
 

bin/core/src/api/read/alerter.rs

@@ -1,4 +1,6 @@
 use anyhow::Context;
+use database::mongo_indexed::Document;
+use database::mungos::mongodb::bson::doc;
 use komodo_client::{
   api::read::*,
   entities::{
@@ -6,12 +8,11 @@ use komodo_client::{
     permission::PermissionLevel,
   },
 };
-use mongo_indexed::Document;
-use mungos::mongodb::bson::doc;
 use resolver_api::Resolve;
 
 use crate::{
-  helpers::query::get_all_tags, resource, state::db_client,
+  helpers::query::get_all_tags, permission::get_check_permissions,
+  resource, state::db_client,
 };
 
 use super::ReadArgs;
@@ -22,10 +23,10 @@ impl Resolve<ReadArgs> for GetAlerter {
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<Alerter> {
     Ok(
-      resource::get_check_permissions::<Alerter>(
+      get_check_permissions::<Alerter>(
         &self.alerter,
         user,
-        PermissionLevel::Read,
+        PermissionLevel::Read.into(),
       )
       .await?,
     )
@@ -43,8 +44,13 @@ impl Resolve<ReadArgs> for ListAlerters {
       get_all_tags(None).await?
     };
     Ok(
-      resource::list_for_user::<Alerter>(self.query, user, &all_tags)
-        .await?,
+      resource::list_for_user::<Alerter>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
     )
   }
 }
@@ -61,7 +67,10 @@ impl Resolve<ReadArgs> for ListFullAlerters {
     };
     Ok(
       resource::list_full_for_user::<Alerter>(
-        self.query, user, &all_tags,
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
       )
       .await?,
     )

bin/core/src/api/read/build.rs

@@ -2,6 +2,10 @@ use std::collections::{HashMap, HashSet};
 
 use anyhow::Context;
 use async_timing_util::unix_timestamp_ms;
+use database::mungos::{
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
 use futures::TryStreamExt;
 use komodo_client::{
   api::read::*,
@@ -13,15 +17,12 @@ use komodo_client::{
     update::UpdateStatus,
   },
 };
-use mungos::{
-  find::find_collect,
-  mongodb::{bson::doc, options::FindOptions},
-};
 use resolver_api::Resolve;
 
 use crate::{
   config::core_config,
   helpers::query::get_all_tags,
+  permission::get_check_permissions,
   resource,
   state::{
     action_states, build_state_cache, db_client, github_client,
@@ -36,10 +37,10 @@ impl Resolve<ReadArgs> for GetBuild {
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<Build> {
     Ok(
-      resource::get_check_permissions::<Build>(
+      get_check_permissions::<Build>(
         &self.build,
         user,
-        PermissionLevel::Read,
+        PermissionLevel::Read.into(),
       )
       .await?,
     )
@@ -57,8 +58,13 @@ impl Resolve<ReadArgs> for ListBuilds {
       get_all_tags(None).await?
     };
     Ok(
-      resource::list_for_user::<Build>(self.query, user, &all_tags)
-        .await?,
+      resource::list_for_user::<Build>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
     )
   }
 }
@@ -75,7 +81,10 @@ impl Resolve<ReadArgs> for ListFullBuilds {
     };
     Ok(
       resource::list_full_for_user::<Build>(
-        self.query, user, &all_tags,
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
       )
       .await?,
     )
@@ -87,10 +96,10 @@ impl Resolve<ReadArgs> for GetBuildActionState {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<BuildActionState> {
-    let build = resource::get_check_permissions::<Build>(
+    let build = get_check_permissions::<Build>(
       &self.build,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let action_state = action_states()
@@ -111,6 +120,7 @@ impl Resolve<ReadArgs> for GetBuildsSummary {
     let builds = resource::list_full_for_user::<Build>(
       Default::default(),
       user,
+      PermissionLevel::Read.into(),
       &[],
     )
     .await
@@ -218,10 +228,10 @@ impl Resolve<ReadArgs> for ListBuildVersions {
       patch,
       limit,
     } = self;
-    let build = resource::get_check_permissions::<Build>(
+    let build = get_check_permissions::<Build>(
       &build,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
 
@@ -274,7 +284,10 @@ impl Resolve<ReadArgs> for ListCommonBuildExtraArgs {
       get_all_tags(None).await?
     };
     let builds = resource::list_full_for_user::<Build>(
-      self.query, user, &all_tags,
+      self.query,
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
     )
     .await
     .context("failed to get resources matching query")?;
@@ -306,10 +319,10 @@ impl Resolve<ReadArgs> for GetBuildWebhookEnabled {
       });
     };
 
-    let build = resource::get_check_permissions::<Build>(
+    let build = get_check_permissions::<Build>(
       &self.build,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
 

bin/core/src/api/read/builder.rs

@@ -1,4 +1,6 @@
 use anyhow::Context;
+use database::mongo_indexed::Document;
+use database::mungos::mongodb::bson::doc;
 use komodo_client::{
   api::read::*,
   entities::{
@@ -6,12 +8,11 @@ use komodo_client::{
     permission::PermissionLevel,
   },
 };
-use mongo_indexed::Document;
-use mungos::mongodb::bson::doc;
 use resolver_api::Resolve;
 
 use crate::{
-  helpers::query::get_all_tags, resource, state::db_client,
+  helpers::query::get_all_tags, permission::get_check_permissions,
+  resource, state::db_client,
 };
 
 use super::ReadArgs;
@@ -22,10 +23,10 @@ impl Resolve<ReadArgs> for GetBuilder {
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<Builder> {
     Ok(
-      resource::get_check_permissions::<Builder>(
+      get_check_permissions::<Builder>(
         &self.builder,
         user,
-        PermissionLevel::Read,
+        PermissionLevel::Read.into(),
       )
       .await?,
     )
@@ -43,8 +44,13 @@ impl Resolve<ReadArgs> for ListBuilders {
       get_all_tags(None).await?
     };
     Ok(
-      resource::list_for_user::<Builder>(self.query, user, &all_tags)
-        .await?,
+      resource::list_for_user::<Builder>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
     )
   }
 }
@@ -61,7 +67,10 @@ impl Resolve<ReadArgs> for ListFullBuilders {
     };
     Ok(
       resource::list_full_for_user::<Builder>(
-        self.query, user, &all_tags,
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
       )
       .await?,
     )

bin/core/src/api/read/deployment.rs

@@ -8,19 +8,22 @@ use komodo_client::{
       Deployment, DeploymentActionState, DeploymentConfig,
       DeploymentListItem, DeploymentState,
     },
-    docker::container::ContainerStats,
+    docker::container::{Container, ContainerStats},
     permission::PermissionLevel,
-    server::Server,
+    server::{Server, ServerState},
     update::Log,
   },
 };
-use periphery_client::api;
+use periphery_client::api::{self, container::InspectContainer};
 use resolver_api::Resolve;
 
 use crate::{
   helpers::{periphery_client, query::get_all_tags},
+  permission::get_check_permissions,
   resource,
-  state::{action_states, deployment_status_cache},
+  state::{
+    action_states, deployment_status_cache, server_status_cache,
+  },
 };
 
 use super::ReadArgs;
@@ -31,10 +34,10 @@ impl Resolve<ReadArgs> for GetDeployment {
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<Deployment> {
     Ok(
-      resource::get_check_permissions::<Deployment>(
+      get_check_permissions::<Deployment>(
         &self.deployment,
         user,
-        PermissionLevel::Read,
+        PermissionLevel::Read.into(),
       )
       .await?,
     )
@@ -53,7 +56,10 @@ impl Resolve<ReadArgs> for ListDeployments {
     };
     let only_update_available = self.query.specific.update_available;
     let deployments = resource::list_for_user::<Deployment>(
-      self.query, user, &all_tags,
+      self.query,
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
     )
     .await?;
     let deployments = if only_update_available {
@@ -80,7 +86,10 @@ impl Resolve<ReadArgs> for ListFullDeployments {
     };
     Ok(
       resource::list_full_for_user::<Deployment>(
-        self.query, user, &all_tags,
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
       )
       .await?,
     )
@@ -92,10 +101,10 @@ impl Resolve<ReadArgs> for GetDeploymentContainer {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<GetDeploymentContainerResponse> {
-    let deployment = resource::get_check_permissions::<Deployment>(
+    let deployment = get_check_permissions::<Deployment>(
       &self.deployment,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let status = deployment_status_cache()
@@ -126,10 +135,10 @@ impl Resolve<ReadArgs> for GetDeploymentLog {
       name,
       config: DeploymentConfig { server_id, .. },
       ..
-    } = resource::get_check_permissions::<Deployment>(
+    } = get_check_permissions::<Deployment>(
       &deployment,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.logs(),
     )
     .await?;
     if server_id.is_empty() {
@@ -164,10 +173,10 @@ impl Resolve<ReadArgs> for SearchDeploymentLog {
       name,
       config: DeploymentConfig { server_id, .. },
       ..
-    } = resource::get_check_permissions::<Deployment>(
+    } = get_check_permissions::<Deployment>(
       &deployment,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.logs(),
     )
     .await?;
     if server_id.is_empty() {
@@ -188,6 +197,50 @@ impl Resolve<ReadArgs> for SearchDeploymentLog {
   }
 }
 
+impl Resolve<ReadArgs> for InspectDeploymentContainer {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Container> {
+    let InspectDeploymentContainer { deployment } = self;
+    let Deployment {
+      name,
+      config: DeploymentConfig { server_id, .. },
+      ..
+    } = get_check_permissions::<Deployment>(
+      &deployment,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    if server_id.is_empty() {
+      return Err(
+        anyhow!(
+          "Cannot inspect deployment, not attached to any server"
+        )
+        .into(),
+      );
+    }
+    let server = resource::get::<Server>(&server_id).await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if cache.state != ServerState::Ok {
+      return Err(
+        anyhow!(
+          "Cannot inspect container: server is {:?}",
+          cache.state
+        )
+        .into(),
+      );
+    }
+    let res = periphery_client(&server)?
+      .request(InspectContainer { name })
+      .await?;
+    Ok(res)
+  }
+}
+
 impl Resolve<ReadArgs> for GetDeploymentStats {
   async fn resolve(
     self,
@@ -197,10 +250,10 @@ impl Resolve<ReadArgs> for GetDeploymentStats {
       name,
       config: DeploymentConfig { server_id, .. },
       ..
-    } = resource::get_check_permissions::<Deployment>(
+    } = get_check_permissions::<Deployment>(
       &self.deployment,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     if server_id.is_empty() {
@@ -222,10 +275,10 @@ impl Resolve<ReadArgs> for GetDeploymentActionState {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<DeploymentActionState> {
-    let deployment = resource::get_check_permissions::<Deployment>(
+    let deployment = get_check_permissions::<Deployment>(
       &self.deployment,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let action_state = action_states()
@@ -246,6 +299,7 @@ impl Resolve<ReadArgs> for GetDeploymentsSummary {
     let deployments = resource::list_full_for_user::<Deployment>(
       Default::default(),
       user,
+      PermissionLevel::Read.into(),
       &[],
     )
     .await
@@ -289,7 +343,10 @@ impl Resolve<ReadArgs> for ListCommonDeploymentExtraArgs {
       get_all_tags(None).await?
     };
     let deployments = resource::list_full_for_user::<Deployment>(
-      self.query, user, &all_tags,
+      self.query,
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
     )
     .await
     .context("failed to get resources matching query")?;

bin/core/src/api/read/mod.rs

@@ -1,7 +1,9 @@
 use std::{collections::HashSet, sync::OnceLock, time::Instant};
 
 use anyhow::{Context, anyhow};
-use axum::{Extension, Router, middleware, routing::post};
+use axum::{
+  Extension, Router, extract::Path, middleware, routing::post,
+};
 use komodo_client::{
   api::read::*,
   entities::{
@@ -9,6 +11,7 @@ use komodo_client::{
     build::Build,
     builder::{Builder, BuilderConfig},
     config::{DockerRegistry, GitProvider},
+    permission::PermissionLevel,
     repo::Repo,
     server::Server,
     sync::ResourceSync,
@@ -18,6 +21,7 @@ use komodo_client::{
 use resolver_api::Resolve;
 use response::Response;
 use serde::{Deserialize, Serialize};
+use serde_json::json;
 use serror::Json;
 use typeshare::typeshare;
 use uuid::Uuid;
@@ -27,6 +31,8 @@ use crate::{
   resource,
 };
 
+use super::Variant;
+
 mod action;
 mod alert;
 mod alerter;
@@ -37,8 +43,8 @@ mod permission;
 mod procedure;
 mod provider;
 mod repo;
+mod schedule;
 mod server;
-mod server_template;
 mod stack;
 mod sync;
 mod tag;
@@ -67,7 +73,7 @@ enum ReadRequest {
 
   // ==== USER ====
   GetUsername(GetUsername),
-  GetPermissionLevel(GetPermissionLevel),
+  GetPermission(GetPermission),
   FindUser(FindUser),
   ListUsers(ListUsers),
   ListApiKeys(ListApiKeys),
@@ -93,11 +99,8 @@ enum ReadRequest {
   ListActions(ListActions),
   ListFullActions(ListFullActions),
 
-  // ==== SERVER TEMPLATE ====
-  GetServerTemplate(GetServerTemplate),
-  GetServerTemplatesSummary(GetServerTemplatesSummary),
-  ListServerTemplates(ListServerTemplates),
-  ListFullServerTemplates(ListFullServerTemplates),
+  // ==== SCHEDULE ====
+  ListSchedules(ListSchedules),
 
   // ==== SERVER ====
   GetServersSummary(GetServersSummary),
@@ -116,12 +119,33 @@ enum ReadRequest {
   InspectDockerImage(InspectDockerImage),
   ListDockerImageHistory(ListDockerImageHistory),
   InspectDockerVolume(InspectDockerVolume),
+  GetDockerContainersSummary(GetDockerContainersSummary),
   ListAllDockerContainers(ListAllDockerContainers),
   ListDockerContainers(ListDockerContainers),
   ListDockerNetworks(ListDockerNetworks),
   ListDockerImages(ListDockerImages),
   ListDockerVolumes(ListDockerVolumes),
   ListComposeProjects(ListComposeProjects),
+  ListTerminals(ListTerminals),
+
+  // ==== SERVER STATS ====
+  GetSystemInformation(GetSystemInformation),
+  GetSystemStats(GetSystemStats),
+  ListSystemProcesses(ListSystemProcesses),
+
+  // ==== STACK ====
+  GetStacksSummary(GetStacksSummary),
+  GetStack(GetStack),
+  GetStackActionState(GetStackActionState),
+  GetStackWebhooksEnabled(GetStackWebhooksEnabled),
+  GetStackLog(GetStackLog),
+  SearchStackLog(SearchStackLog),
+  InspectStackContainer(InspectStackContainer),
+  ListStacks(ListStacks),
+  ListFullStacks(ListFullStacks),
+  ListStackServices(ListStackServices),
+  ListCommonStackExtraArgs(ListCommonStackExtraArgs),
+  ListCommonStackBuildExtraArgs(ListCommonStackBuildExtraArgs),
 
   // ==== DEPLOYMENT ====
   GetDeploymentsSummary(GetDeploymentsSummary),
@@ -131,6 +155,7 @@ enum ReadRequest {
   GetDeploymentStats(GetDeploymentStats),
   GetDeploymentLog(GetDeploymentLog),
   SearchDeploymentLog(SearchDeploymentLog),
+  InspectDeploymentContainer(InspectDeploymentContainer),
   ListDeployments(ListDeployments),
   ListFullDeployments(ListFullDeployments),
   ListCommonDeploymentExtraArgs(ListCommonDeploymentExtraArgs),
@@ -162,19 +187,6 @@ enum ReadRequest {
   ListResourceSyncs(ListResourceSyncs),
   ListFullResourceSyncs(ListFullResourceSyncs),
 
-  // ==== STACK ====
-  GetStacksSummary(GetStacksSummary),
-  GetStack(GetStack),
-  GetStackActionState(GetStackActionState),
-  GetStackWebhooksEnabled(GetStackWebhooksEnabled),
-  GetStackLog(GetStackLog),
-  SearchStackLog(SearchStackLog),
-  ListStacks(ListStacks),
-  ListFullStacks(ListFullStacks),
-  ListStackServices(ListStackServices),
-  ListCommonStackExtraArgs(ListCommonStackExtraArgs),
-  ListCommonStackBuildExtraArgs(ListCommonStackBuildExtraArgs),
-
   // ==== BUILDER ====
   GetBuildersSummary(GetBuildersSummary),
   GetBuilder(GetBuilder),
@@ -203,11 +215,6 @@ enum ReadRequest {
   ListAlerts(ListAlerts),
   GetAlert(GetAlert),
 
-  // ==== SERVER STATS ====
-  GetSystemInformation(GetSystemInformation),
-  GetSystemStats(GetSystemStats),
-  ListSystemProcesses(ListSystemProcesses),
-
   // ==== VARIABLE ====
   GetVariable(GetVariable),
   ListVariables(ListVariables),
@@ -222,9 +229,22 @@ enum ReadRequest {
 pub fn router() -> Router {
   Router::new()
     .route("/", post(handler))
+    .route("/{variant}", post(variant_handler))
     .layer(middleware::from_fn(auth_request))
 }
 
+async fn variant_handler(
+  user: Extension<User>,
+  Path(Variant { variant }): Path<Variant>,
+  Json(params): Json<serde_json::Value>,
+) -> serror::Result<axum::response::Response> {
+  let req: ReadRequest = serde_json::from_value(json!({
+    "type": variant,
+    "params": params,
+  }))?;
+  handler(user, Json(req)).await
+}
+
 #[instrument(name = "ReadHandler", level = "debug", skip(user), fields(user_id = user.id))]
 async fn handler(
   Extension(user): Extension<User>,
@@ -269,12 +289,15 @@ fn core_info() -> &'static GetCoreInfoResponse {
       ui_write_disabled: config.ui_write_disabled,
       disable_confirm_dialog: config.disable_confirm_dialog,
       disable_non_admin_create: config.disable_non_admin_create,
+      disable_websocket_reconnect: config.disable_websocket_reconnect,
+      enable_fancy_toml: config.enable_fancy_toml,
       github_webhook_owners: config
         .github_webhook_app
         .installations
         .iter()
         .map(|i| i.namespace.to_string())
         .collect(),
+      timezone: config.timezone.clone(),
     }
   })
 }
@@ -382,16 +405,19 @@ impl Resolve<ReadArgs> for ListGitProvidersFromConfig {
       resource::list_full_for_user::<Build>(
         Default::default(),
         user,
+        PermissionLevel::Read.into(),
         &[]
       ),
       resource::list_full_for_user::<Repo>(
         Default::default(),
         user,
+        PermissionLevel::Read.into(),
         &[]
       ),
       resource::list_full_for_user::<ResourceSync>(
         Default::default(),
         user,
+        PermissionLevel::Read.into(),
         &[]
       ),
     )?;

bin/core/src/api/read/permission.rs

@@ -1,13 +1,13 @@
 use anyhow::{Context, anyhow};
+use database::mungos::{find::find_collect, mongodb::bson::doc};
 use komodo_client::{
   api::read::{
-    GetPermissionLevel, GetPermissionLevelResponse, ListPermissions,
+    GetPermission, GetPermissionResponse, ListPermissions,
     ListPermissionsResponse, ListUserTargetPermissions,
     ListUserTargetPermissionsResponse,
   },
   entities::permission::PermissionLevel,
 };
-use mungos::{find::find_collect, mongodb::bson::doc};
 use resolver_api::Resolve;
 
 use crate::{
@@ -35,13 +35,13 @@ impl Resolve<ReadArgs> for ListPermissions {
   }
 }
 
-impl Resolve<ReadArgs> for GetPermissionLevel {
+impl Resolve<ReadArgs> for GetPermission {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetPermissionLevelResponse> {
+  ) -> serror::Result<GetPermissionResponse> {
     if user.admin {
-      return Ok(PermissionLevel::Write);
+      return Ok(PermissionLevel::Write.all());
     }
     Ok(get_user_permission_on_target(user, &self.target).await?)
   }

bin/core/src/api/read/procedure.rs

@@ -10,6 +10,7 @@ use resolver_api::Resolve;
 
 use crate::{
   helpers::query::get_all_tags,
+  permission::get_check_permissions,
   resource,
   state::{action_states, procedure_state_cache},
 };
@@ -22,10 +23,10 @@ impl Resolve<ReadArgs> for GetProcedure {
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<GetProcedureResponse> {
     Ok(
-      resource::get_check_permissions::<Procedure>(
+      get_check_permissions::<Procedure>(
         &self.procedure,
         user,
-        PermissionLevel::Read,
+        PermissionLevel::Read.into(),
       )
       .await?,
     )
@@ -44,7 +45,10 @@ impl Resolve<ReadArgs> for ListProcedures {
     };
     Ok(
       resource::list_for_user::<Procedure>(
-        self.query, user, &all_tags,
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
       )
       .await?,
     )
@@ -63,7 +67,10 @@ impl Resolve<ReadArgs> for ListFullProcedures {
     };
     Ok(
       resource::list_full_for_user::<Procedure>(
-        self.query, user, &all_tags,
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
       )
       .await?,
     )
@@ -78,6 +85,7 @@ impl Resolve<ReadArgs> for GetProceduresSummary {
     let procedures = resource::list_full_for_user::<Procedure>(
       Default::default(),
       user,
+      PermissionLevel::Read.into(),
       &[],
     )
     .await
@@ -120,10 +128,10 @@ impl Resolve<ReadArgs> for GetProcedureActionState {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<GetProcedureActionStateResponse> {
-    let procedure = resource::get_check_permissions::<Procedure>(
+    let procedure = get_check_permissions::<Procedure>(
       &self.procedure,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let action_state = action_states()

bin/core/src/api/read/provider.rs

@@ -1,10 +1,10 @@
 use anyhow::{Context, anyhow};
-use komodo_client::api::read::*;
-use mongo_indexed::{Document, doc};
-use mungos::{
+use database::mongo_indexed::{Document, doc};
+use database::mungos::{
   by_id::find_one_by_id, find::find_collect,
   mongodb::options::FindOptions,
 };
+use komodo_client::api::read::*;
 use resolver_api::Resolve;
 
 use crate::state::db_client;

bin/core/src/api/read/repo.rs

@@ -12,6 +12,7 @@ use resolver_api::Resolve;
 use crate::{
   config::core_config,
   helpers::query::get_all_tags,
+  permission::get_check_permissions,
   resource,
   state::{action_states, github_client, repo_state_cache},
 };
@@ -24,10 +25,10 @@ impl Resolve<ReadArgs> for GetRepo {
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<Repo> {
     Ok(
-      resource::get_check_permissions::<Repo>(
+      get_check_permissions::<Repo>(
         &self.repo,
         user,
-        PermissionLevel::Read,
+        PermissionLevel::Read.into(),
       )
       .await?,
     )
@@ -45,8 +46,13 @@ impl Resolve<ReadArgs> for ListRepos {
       get_all_tags(None).await?
     };
     Ok(
-      resource::list_for_user::<Repo>(self.query, user, &all_tags)
-        .await?,
+      resource::list_for_user::<Repo>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
     )
   }
 }
@@ -63,7 +69,10 @@ impl Resolve<ReadArgs> for ListFullRepos {
     };
     Ok(
       resource::list_full_for_user::<Repo>(
-        self.query, user, &all_tags,
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
       )
       .await?,
     )
@@ -75,10 +84,10 @@ impl Resolve<ReadArgs> for GetRepoActionState {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<RepoActionState> {
-    let repo = resource::get_check_permissions::<Repo>(
+    let repo = get_check_permissions::<Repo>(
       &self.repo,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let action_state = action_states()
@@ -99,6 +108,7 @@ impl Resolve<ReadArgs> for GetReposSummary {
     let repos = resource::list_full_for_user::<Repo>(
       Default::default(),
       user,
+      PermissionLevel::Read.into(),
       &[],
     )
     .await
@@ -160,10 +170,10 @@ impl Resolve<ReadArgs> for GetRepoWebhooksEnabled {
       });
     };
 
-    let repo = resource::get_check_permissions::<Repo>(
+    let repo = get_check_permissions::<Repo>(
       &self.repo,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
 

bin/core/src/api/read/schedule.rs

@@ -0,0 +1,107 @@
+use futures::future::join_all;
+use komodo_client::{
+  api::read::*,
+  entities::{
+    ResourceTarget,
+    action::Action,
+    permission::PermissionLevel,
+    procedure::Procedure,
+    resource::{ResourceQuery, TemplatesQueryBehavior},
+    schedule::Schedule,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::query::{get_all_tags, get_last_run_at},
+  resource::list_full_for_user,
+  schedule::get_schedule_item_info,
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for ListSchedules {
+  async fn resolve(
+    self,
+    args: &ReadArgs,
+  ) -> serror::Result<Vec<Schedule>> {
+    let all_tags = get_all_tags(None).await?;
+    let (actions, procedures) = tokio::try_join!(
+      list_full_for_user::<Action>(
+        ResourceQuery {
+          names: Default::default(),
+          templates: TemplatesQueryBehavior::Include,
+          tag_behavior: self.tag_behavior,
+          tags: self.tags.clone(),
+          specific: Default::default(),
+        },
+        &args.user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      ),
+      list_full_for_user::<Procedure>(
+        ResourceQuery {
+          names: Default::default(),
+          templates: TemplatesQueryBehavior::Include,
+          tag_behavior: self.tag_behavior,
+          tags: self.tags.clone(),
+          specific: Default::default(),
+        },
+        &args.user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+    )?;
+    let actions = actions.into_iter().map(async |action| {
+      let (next_scheduled_run, schedule_error) =
+        get_schedule_item_info(&ResourceTarget::Action(
+          action.id.clone(),
+        ));
+      let last_run_at =
+        get_last_run_at::<Action>(&action.id).await.unwrap_or(None);
+      Schedule {
+        target: ResourceTarget::Action(action.id),
+        name: action.name,
+        enabled: action.config.schedule_enabled,
+        schedule_format: action.config.schedule_format,
+        schedule: action.config.schedule,
+        schedule_timezone: action.config.schedule_timezone,
+        tags: action.tags,
+        last_run_at,
+        next_scheduled_run,
+        schedule_error,
+      }
+    });
+    let procedures = procedures.into_iter().map(async |procedure| {
+      let (next_scheduled_run, schedule_error) =
+        get_schedule_item_info(&ResourceTarget::Procedure(
+          procedure.id.clone(),
+        ));
+      let last_run_at = get_last_run_at::<Procedure>(&procedure.id)
+        .await
+        .unwrap_or(None);
+      Schedule {
+        target: ResourceTarget::Procedure(procedure.id),
+        name: procedure.name,
+        enabled: procedure.config.schedule_enabled,
+        schedule_format: procedure.config.schedule_format,
+        schedule: procedure.config.schedule,
+        schedule_timezone: procedure.config.schedule_timezone,
+        tags: procedure.tags,
+        last_run_at,
+        next_scheduled_run,
+        schedule_error,
+      }
+    });
+    let (actions, procedures) =
+      tokio::join!(join_all(actions), join_all(procedures));
+
+    Ok(
+      actions
+        .into_iter()
+        .chain(procedures)
+        .filter(|s| !s.schedule.is_empty())
+        .collect(),
+    )
+  }
+}

bin/core/src/api/read/server.rs

@@ -8,30 +8,34 @@ use anyhow::{Context, anyhow};
 use async_timing_util::{
   FIFTEEN_SECONDS_MS, get_timelength_in_ms, unix_timestamp_ms,
 };
+use database::mungos::{
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
 use komodo_client::{
   api::read::*,
   entities::{
     ResourceTarget,
     deployment::Deployment,
     docker::{
-      container::{Container, ContainerListItem},
+      container::{
+        Container, ContainerListItem, ContainerStateStatusEnum,
+      },
       image::{Image, ImageHistoryResponseItem},
       network::Network,
       volume::Volume,
     },
+    komodo_timestamp,
     permission::PermissionLevel,
     server::{
       Server, ServerActionState, ServerListItem, ServerState,
+      TerminalInfo,
     },
     stack::{Stack, StackServiceNames},
     stats::{SystemInformation, SystemProcess},
     update::Log,
   },
 };
-use mungos::{
-  find::find_collect,
-  mongodb::{bson::doc, options::FindOptions},
-};
 use periphery_client::api::{
   self as periphery,
   container::InspectContainer,
@@ -43,7 +47,11 @@ use resolver_api::Resolve;
 use tokio::sync::Mutex;
 
 use crate::{
-  helpers::{periphery_client, query::get_all_tags},
+  helpers::{
+    periphery_client,
+    query::{get_all_tags, get_system_info},
+  },
+  permission::get_check_permissions,
   resource,
   stack::compose_container_match_regex,
   state::{action_states, db_client, server_status_cache},
@@ -59,15 +67,28 @@ impl Resolve<ReadArgs> for GetServersSummary {
     let servers = resource::list_for_user::<Server>(
       Default::default(),
       user,
+      PermissionLevel::Read.into(),
       &[],
     )
     .await?;
+
+    let core_version = env!("CARGO_PKG_VERSION");
     let mut res = GetServersSummaryResponse::default();
+
     for server in servers {
       res.total += 1;
       match server.info.state {
         ServerState::Ok => {
-          res.healthy += 1;
+          // Check for version mismatch
+          let has_version_mismatch = !server.info.version.is_empty()
+            && server.info.version != "Unknown"
+            && server.info.version != core_version;
+
+          if has_version_mismatch {
+            res.warning += 1;
+          } else {
+            res.healthy += 1;
+          }
         }
         ServerState::NotOk => {
           res.unhealthy += 1;
@@ -86,10 +107,10 @@ impl Resolve<ReadArgs> for GetPeripheryVersion {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<GetPeripheryVersionResponse> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let version = server_status_cache()
@@ -107,10 +128,10 @@ impl Resolve<ReadArgs> for GetServer {
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<Server> {
     Ok(
-      resource::get_check_permissions::<Server>(
+      get_check_permissions::<Server>(
         &self.server,
         user,
-        PermissionLevel::Read,
+        PermissionLevel::Read.into(),
       )
       .await?,
     )
@@ -128,8 +149,13 @@ impl Resolve<ReadArgs> for ListServers {
       get_all_tags(None).await?
     };
     Ok(
-      resource::list_for_user::<Server>(self.query, user, &all_tags)
-        .await?,
+      resource::list_for_user::<Server>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
     )
   }
 }
@@ -146,7 +172,10 @@ impl Resolve<ReadArgs> for ListFullServers {
     };
     Ok(
       resource::list_full_for_user::<Server>(
-        self.query, user, &all_tags,
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
       )
       .await?,
     )
@@ -158,10 +187,10 @@ impl Resolve<ReadArgs> for GetServerState {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<GetServerStateResponse> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let status = server_status_cache()
@@ -180,10 +209,10 @@ impl Resolve<ReadArgs> for GetServerActionState {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<ServerActionState> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let action_state = action_states()
@@ -196,46 +225,18 @@ impl Resolve<ReadArgs> for GetServerActionState {
   }
 }
 
-// This protects the peripheries from spam requests
-const SYSTEM_INFO_EXPIRY: u128 = FIFTEEN_SECONDS_MS;
-type SystemInfoCache =
-  Mutex<HashMap<String, Arc<(SystemInformation, u128)>>>;
-fn system_info_cache() -> &'static SystemInfoCache {
-  static SYSTEM_INFO_CACHE: OnceLock<SystemInfoCache> =
-    OnceLock::new();
-  SYSTEM_INFO_CACHE.get_or_init(Default::default)
-}
-
 impl Resolve<ReadArgs> for GetSystemInformation {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<SystemInformation> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
-
-    let mut lock = system_info_cache().lock().await;
-    let res = match lock.get(&server.id) {
-      Some(cached) if cached.1 > unix_timestamp_ms() => {
-        cached.0.clone()
-      }
-      _ => {
-        let stats = periphery_client(&server)?
-          .request(periphery::stats::GetSystemInformation {})
-          .await?;
-        lock.insert(
-          server.id,
-          (stats.clone(), unix_timestamp_ms() + SYSTEM_INFO_EXPIRY)
-            .into(),
-        );
-        stats
-      }
-    };
-    Ok(res)
+    get_system_info(&server).await.map_err(Into::into)
   }
 }
 
@@ -244,10 +245,10 @@ impl Resolve<ReadArgs> for GetSystemStats {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<GetSystemStatsResponse> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let status =
@@ -276,10 +277,10 @@ impl Resolve<ReadArgs> for ListSystemProcesses {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<ListSystemProcessesResponse> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.processes(),
     )
     .await?;
     let mut lock = processes_cache().lock().await;
@@ -315,10 +316,10 @@ impl Resolve<ReadArgs> for GetHistoricalServerStats {
       granularity,
       page,
     } = self;
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let granularity =
@@ -363,10 +364,10 @@ impl Resolve<ReadArgs> for ListDockerContainers {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<ListDockerContainersResponse> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let cache = server_status_cache()
@@ -388,6 +389,7 @@ impl Resolve<ReadArgs> for ListAllDockerContainers {
     let servers = resource::list_for_user::<Server>(
       Default::default(),
       user,
+      PermissionLevel::Read.into(),
       &[],
     )
     .await?
@@ -413,15 +415,55 @@ impl Resolve<ReadArgs> for ListAllDockerContainers {
   }
 }
 
+impl Resolve<ReadArgs> for GetDockerContainersSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<GetDockerContainersSummaryResponse> {
+    let servers = resource::list_full_for_user::<Server>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.into(),
+      &[],
+    )
+    .await
+    .context("failed to get servers from db")?;
+
+    let mut res = GetDockerContainersSummaryResponse::default();
+
+    for server in servers {
+      let cache = server_status_cache()
+        .get_or_insert_default(&server.id)
+        .await;
+
+      if let Some(containers) = &cache.containers {
+        for container in containers {
+          res.total += 1;
+          match container.state {
+            ContainerStateStatusEnum::Created
+            | ContainerStateStatusEnum::Paused
+            | ContainerStateStatusEnum::Exited => res.stopped += 1,
+            ContainerStateStatusEnum::Running => res.running += 1,
+            ContainerStateStatusEnum::Empty => res.unknown += 1,
+            _ => res.unhealthy += 1,
+          }
+        }
+      }
+    }
+
+    Ok(res)
+  }
+}
+
 impl Resolve<ReadArgs> for InspectDockerContainer {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<Container> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.inspect(),
     )
     .await?;
     let cache = server_status_cache()
@@ -458,10 +500,10 @@ impl Resolve<ReadArgs> for GetContainerLog {
       tail,
       timestamps,
     } = self;
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.logs(),
     )
     .await?;
     let res = periphery_client(&server)?
@@ -489,10 +531,10 @@ impl Resolve<ReadArgs> for SearchContainerLog {
       invert,
       timestamps,
     } = self;
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.logs(),
     )
     .await?;
     let res = periphery_client(&server)?
@@ -514,10 +556,10 @@ impl Resolve<ReadArgs> for GetResourceMatchingContainer {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<GetResourceMatchingContainerResponse> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     // first check deployments
@@ -575,10 +617,10 @@ impl Resolve<ReadArgs> for ListDockerNetworks {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<ListDockerNetworksResponse> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let cache = server_status_cache()
@@ -597,10 +639,10 @@ impl Resolve<ReadArgs> for InspectDockerNetwork {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<Network> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let cache = server_status_cache()
@@ -627,10 +669,10 @@ impl Resolve<ReadArgs> for ListDockerImages {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<ListDockerImagesResponse> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let cache = server_status_cache()
@@ -649,10 +691,10 @@ impl Resolve<ReadArgs> for InspectDockerImage {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<Image> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let cache = server_status_cache()
@@ -676,10 +718,10 @@ impl Resolve<ReadArgs> for ListDockerImageHistory {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<Vec<ImageHistoryResponseItem>> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let cache = server_status_cache()
@@ -706,10 +748,10 @@ impl Resolve<ReadArgs> for ListDockerVolumes {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<ListDockerVolumesResponse> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let cache = server_status_cache()
@@ -728,10 +770,10 @@ impl Resolve<ReadArgs> for InspectDockerVolume {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<Volume> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let cache = server_status_cache()
@@ -755,10 +797,10 @@ impl Resolve<ReadArgs> for ListComposeProjects {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<ListComposeProjectsResponse> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let cache = server_status_cache()
@@ -771,3 +813,66 @@ impl Resolve<ReadArgs> for ListComposeProjects {
     }
   }
 }
+
+#[derive(Default)]
+struct TerminalCacheItem {
+  list: Vec<TerminalInfo>,
+  ttl: i64,
+}
+
+const TERMINAL_CACHE_TIMEOUT: i64 = 30_000;
+
+#[derive(Default)]
+struct TerminalCache(
+  std::sync::Mutex<
+    HashMap<String, Arc<tokio::sync::Mutex<TerminalCacheItem>>>,
+  >,
+);
+
+impl TerminalCache {
+  fn get_or_insert(
+    &self,
+    server_id: String,
+  ) -> Arc<tokio::sync::Mutex<TerminalCacheItem>> {
+    if let Some(cached) =
+      self.0.lock().unwrap().get(&server_id).cloned()
+    {
+      return cached;
+    }
+    let to_cache =
+      Arc::new(tokio::sync::Mutex::new(TerminalCacheItem::default()));
+    self.0.lock().unwrap().insert(server_id, to_cache.clone());
+    to_cache
+  }
+}
+
+fn terminals_cache() -> &'static TerminalCache {
+  static TERMINALS: OnceLock<TerminalCache> = OnceLock::new();
+  TERMINALS.get_or_init(Default::default)
+}
+
+impl Resolve<ReadArgs> for ListTerminals {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<ListTerminalsResponse> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.terminal(),
+    )
+    .await?;
+    let cache = terminals_cache().get_or_insert(server.id.clone());
+    let mut cache = cache.lock().await;
+    if self.fresh || komodo_timestamp() > cache.ttl {
+      cache.list = periphery_client(&server)?
+        .request(periphery_client::api::terminal::ListTerminals {})
+        .await
+        .context("Failed to get fresh terminal list")?;
+      cache.ttl = komodo_timestamp() + TERMINAL_CACHE_TIMEOUT;
+      Ok(cache.list.clone())
+    } else {
+      Ok(cache.list.clone())
+    }
+  }
+}

bin/core/src/api/read/server_template.rs

@@ -1,97 +0,0 @@
-use anyhow::Context;
-use komodo_client::{
-  api::read::*,
-  entities::{
-    permission::PermissionLevel, server_template::ServerTemplate,
-  },
-};
-use mongo_indexed::Document;
-use mungos::mongodb::bson::doc;
-use resolver_api::Resolve;
-
-use crate::{
-  helpers::query::get_all_tags, resource, state::db_client,
-};
-
-use super::ReadArgs;
-
-impl Resolve<ReadArgs> for GetServerTemplate {
-  async fn resolve(
-    self,
-    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetServerTemplateResponse> {
-    Ok(
-      resource::get_check_permissions::<ServerTemplate>(
-        &self.server_template,
-        user,
-        PermissionLevel::Read,
-      )
-      .await?,
-    )
-  }
-}
-
-impl Resolve<ReadArgs> for ListServerTemplates {
-  async fn resolve(
-    self,
-    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListServerTemplatesResponse> {
-    let all_tags = if self.query.tags.is_empty() {
-      vec![]
-    } else {
-      get_all_tags(None).await?
-    };
-    Ok(
-      resource::list_for_user::<ServerTemplate>(
-        self.query, user, &all_tags,
-      )
-      .await?,
-    )
-  }
-}
-
-impl Resolve<ReadArgs> for ListFullServerTemplates {
-  async fn resolve(
-    self,
-    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullServerTemplatesResponse> {
-    let all_tags = if self.query.tags.is_empty() {
-      vec![]
-    } else {
-      get_all_tags(None).await?
-    };
-    Ok(
-      resource::list_full_for_user::<ServerTemplate>(
-        self.query, user, &all_tags,
-      )
-      .await?,
-    )
-  }
-}
-
-impl Resolve<ReadArgs> for GetServerTemplatesSummary {
-  async fn resolve(
-    self,
-    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetServerTemplatesSummaryResponse> {
-    let query = match resource::get_resource_object_ids_for_user::<
-      ServerTemplate,
-    >(user)
-    .await?
-    {
-      Some(ids) => doc! {
-        "_id": { "$in": ids }
-      },
-      None => Document::new(),
-    };
-    let total = db_client()
-      .server_templates
-      .count_documents(query)
-      .await
-      .context("failed to count all server template documents")?;
-    let res = GetServerTemplatesSummaryResponse {
-      total: total as u32,
-    };
-    Ok(res)
-  }
-}

bin/core/src/api/read/stack.rs

@@ -1,25 +1,32 @@
 use std::collections::HashSet;
 
-use anyhow::Context;
+use anyhow::{Context, anyhow};
 use komodo_client::{
   api::read::*,
   entities::{
     config::core::CoreConfig,
+    docker::container::Container,
     permission::PermissionLevel,
+    server::{Server, ServerState},
     stack::{Stack, StackActionState, StackListItem, StackState},
   },
 };
-use periphery_client::api::compose::{
-  GetComposeLog, GetComposeLogSearch,
+use periphery_client::api::{
+  compose::{GetComposeLog, GetComposeLogSearch},
+  container::InspectContainer,
 };
 use resolver_api::Resolve;
 
 use crate::{
   config::core_config,
   helpers::{periphery_client, query::get_all_tags},
+  permission::get_check_permissions,
   resource,
   stack::get_stack_and_server,
-  state::{action_states, github_client, stack_status_cache},
+  state::{
+    action_states, github_client, server_status_cache,
+    stack_status_cache,
+  },
 };
 
 use super::ReadArgs;
@@ -30,10 +37,10 @@ impl Resolve<ReadArgs> for GetStack {
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<Stack> {
     Ok(
-      resource::get_check_permissions::<Stack>(
+      get_check_permissions::<Stack>(
         &self.stack,
         user,
-        PermissionLevel::Read,
+        PermissionLevel::Read.into(),
       )
       .await?,
     )
@@ -45,10 +52,10 @@ impl Resolve<ReadArgs> for ListStackServices {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<ListStackServicesResponse> {
-    let stack = resource::get_check_permissions::<Stack>(
+    let stack = get_check_permissions::<Stack>(
       &self.stack,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
 
@@ -75,9 +82,13 @@ impl Resolve<ReadArgs> for GetStackLog {
       tail,
       timestamps,
     } = self;
-    let (stack, server) =
-      get_stack_and_server(&stack, user, PermissionLevel::Read, true)
-        .await?;
+    let (stack, server) = get_stack_and_server(
+      &stack,
+      user,
+      PermissionLevel::Read.logs(),
+      true,
+    )
+    .await?;
     let res = periphery_client(&server)?
       .request(GetComposeLog {
         project: stack.project_name(false),
@@ -104,9 +115,13 @@ impl Resolve<ReadArgs> for SearchStackLog {
       invert,
       timestamps,
     } = self;
-    let (stack, server) =
-      get_stack_and_server(&stack, user, PermissionLevel::Read, true)
-        .await?;
+    let (stack, server) = get_stack_and_server(
+      &stack,
+      user,
+      PermissionLevel::Read.logs(),
+      true,
+    )
+    .await?;
     let res = periphery_client(&server)?
       .request(GetComposeLogSearch {
         project: stack.project_name(false),
@@ -122,6 +137,60 @@ impl Resolve<ReadArgs> for SearchStackLog {
   }
 }
 
+impl Resolve<ReadArgs> for InspectStackContainer {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> serror::Result<Container> {
+    let InspectStackContainer { stack, service } = self;
+    let stack = get_check_permissions::<Stack>(
+      &stack,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    if stack.config.server_id.is_empty() {
+      return Err(
+        anyhow!("Cannot inspect stack, not attached to any server")
+          .into(),
+      );
+    }
+    let server =
+      resource::get::<Server>(&stack.config.server_id).await?;
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+    if cache.state != ServerState::Ok {
+      return Err(
+        anyhow!(
+          "Cannot inspect container: server is {:?}",
+          cache.state
+        )
+        .into(),
+      );
+    }
+    let services = &stack_status_cache()
+      .get(&stack.id)
+      .await
+      .unwrap_or_default()
+      .curr
+      .services;
+    let Some(name) = services
+      .iter()
+      .find(|s| s.service == service)
+      .and_then(|s| s.container.as_ref().map(|c| c.name.clone()))
+    else {
+      return Err(anyhow!(
+        "No service found matching '{service}'. Was the stack last deployed manually?"
+      ).into());
+    };
+    let res = periphery_client(&server)?
+      .request(InspectContainer { name })
+      .await?;
+    Ok(res)
+  }
+}
+
 impl Resolve<ReadArgs> for ListCommonStackExtraArgs {
   async fn resolve(
     self,
@@ -133,7 +202,10 @@ impl Resolve<ReadArgs> for ListCommonStackExtraArgs {
       get_all_tags(None).await?
     };
     let stacks = resource::list_full_for_user::<Stack>(
-      self.query, user, &all_tags,
+      self.query,
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
     )
     .await
     .context("failed to get resources matching query")?;
@@ -164,7 +236,10 @@ impl Resolve<ReadArgs> for ListCommonStackBuildExtraArgs {
       get_all_tags(None).await?
     };
     let stacks = resource::list_full_for_user::<Stack>(
-      self.query, user, &all_tags,
+      self.query,
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
     )
     .await
     .context("failed to get resources matching query")?;
@@ -195,9 +270,13 @@ impl Resolve<ReadArgs> for ListStacks {
       get_all_tags(None).await?
     };
     let only_update_available = self.query.specific.update_available;
-    let stacks =
-      resource::list_for_user::<Stack>(self.query, user, &all_tags)
-        .await?;
+    let stacks = resource::list_for_user::<Stack>(
+      self.query,
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?;
     let stacks = if only_update_available {
       stacks
         .into_iter()
@@ -228,7 +307,10 @@ impl Resolve<ReadArgs> for ListFullStacks {
     };
     Ok(
       resource::list_full_for_user::<Stack>(
-        self.query, user, &all_tags,
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
       )
       .await?,
     )
@@ -240,10 +322,10 @@ impl Resolve<ReadArgs> for GetStackActionState {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<StackActionState> {
-    let stack = resource::get_check_permissions::<Stack>(
+    let stack = get_check_permissions::<Stack>(
       &self.stack,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let action_state = action_states()
@@ -264,6 +346,7 @@ impl Resolve<ReadArgs> for GetStacksSummary {
     let stacks = resource::list_full_for_user::<Stack>(
       Default::default(),
       user,
+      PermissionLevel::Read.into(),
       &[],
     )
     .await
@@ -302,10 +385,10 @@ impl Resolve<ReadArgs> for GetStackWebhooksEnabled {
       });
     };
 
-    let stack = resource::get_check_permissions::<Stack>(
+    let stack = get_check_permissions::<Stack>(
       &self.stack,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
 

bin/core/src/api/read/sync.rs

@@ -14,6 +14,7 @@ use resolver_api::Resolve;
 use crate::{
   config::core_config,
   helpers::query::get_all_tags,
+  permission::get_check_permissions,
   resource,
   state::{action_states, github_client},
 };
@@ -26,10 +27,10 @@ impl Resolve<ReadArgs> for GetResourceSync {
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<ResourceSync> {
     Ok(
-      resource::get_check_permissions::<ResourceSync>(
+      get_check_permissions::<ResourceSync>(
         &self.sync,
         user,
-        PermissionLevel::Read,
+        PermissionLevel::Read.into(),
       )
       .await?,
     )
@@ -48,7 +49,10 @@ impl Resolve<ReadArgs> for ListResourceSyncs {
     };
     Ok(
       resource::list_for_user::<ResourceSync>(
-        self.query, user, &all_tags,
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
       )
       .await?,
     )
@@ -67,7 +71,10 @@ impl Resolve<ReadArgs> for ListFullResourceSyncs {
     };
     Ok(
       resource::list_full_for_user::<ResourceSync>(
-        self.query, user, &all_tags,
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
       )
       .await?,
     )
@@ -79,14 +86,14 @@ impl Resolve<ReadArgs> for GetResourceSyncActionState {
     self,
     ReadArgs { user }: &ReadArgs,
   ) -> serror::Result<ResourceSyncActionState> {
-    let sync = resource::get_check_permissions::<ResourceSync>(
+    let sync = get_check_permissions::<ResourceSync>(
       &self.sync,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
     let action_state = action_states()
-      .resource_sync
+      .sync
       .get(&sync.id)
       .await
       .unwrap_or_default()
@@ -104,6 +111,7 @@ impl Resolve<ReadArgs> for GetResourceSyncsSummary {
       resource::list_full_for_user::<ResourceSync>(
         Default::default(),
         user,
+        PermissionLevel::Read.into(),
         &[],
       )
       .await
@@ -130,7 +138,7 @@ impl Resolve<ReadArgs> for GetResourceSyncsSummary {
         continue;
       }
       if action_states
-        .resource_sync
+        .sync
         .get(&resource_sync.id)
         .await
         .unwrap_or_default()
@@ -160,10 +168,10 @@ impl Resolve<ReadArgs> for GetSyncWebhooksEnabled {
       });
     };
 
-    let sync = resource::get_check_permissions::<ResourceSync>(
+    let sync = get_check_permissions::<ResourceSync>(
       &self.sync,
       user,
-      PermissionLevel::Read,
+      PermissionLevel::Read.into(),
     )
     .await?;
 

bin/core/src/api/read/tag.rs

@@ -1,10 +1,12 @@
 use anyhow::Context;
+use database::mongo_indexed::doc;
+use database::mungos::{
+  find::find_collect, mongodb::options::FindOptions,
+};
 use komodo_client::{
   api::read::{GetTag, ListTags},
   entities::tag::Tag,
 };
-use mongo_indexed::doc;
-use mungos::{find::find_collect, mongodb::options::FindOptions};
 use resolver_api::Resolve;
 
 use crate::{helpers::query::get_tag, state::db_client};

bin/core/src/api/read/toml.rs

@@ -1,4 +1,5 @@
 use anyhow::Context;
+use database::mungos::find::find_collect;
 use komodo_client::{
   api::read::{
     ExportAllResourcesToToml, ExportAllResourcesToTomlResponse,
@@ -9,24 +10,23 @@ use komodo_client::{
     ResourceTarget, action::Action, alerter::Alerter, build::Build,
     builder::Builder, deployment::Deployment,
     permission::PermissionLevel, procedure::Procedure, repo::Repo,
-    resource::ResourceQuery, server::Server,
-    server_template::ServerTemplate, stack::Stack,
+    resource::ResourceQuery, server::Server, stack::Stack,
     sync::ResourceSync, toml::ResourcesToml, user::User,
   },
 };
-use mungos::find::find_collect;
 use resolver_api::Resolve;
 
 use crate::{
   helpers::query::{
     get_all_tags, get_id_to_tags, get_user_user_group_ids,
   },
+  permission::get_check_permissions,
   resource,
   state::db_client,
   sync::{
-    AllResourcesById,
-    toml::{TOML_PRETTY_OPTIONS, ToToml, convert_resource},
-    user_groups::convert_user_groups,
+    toml::{ToToml, convert_resource},
+    user_groups::{convert_user_groups, user_group_to_toml},
+    variables::variable_to_toml,
   },
 };
 
@@ -43,9 +43,10 @@ async fn get_all_targets(
     get_all_tags(None).await?
   };
   targets.extend(
-    resource::list_for_user::<Alerter>(
+    resource::list_full_for_user::<Alerter>(
       ResourceQuery::builder().tags(tags).build(),
       user,
+      PermissionLevel::Read.into(),
       &all_tags,
     )
     .await?
@@ -53,9 +54,10 @@ async fn get_all_targets(
     .map(|resource| ResourceTarget::Alerter(resource.id)),
   );
   targets.extend(
-    resource::list_for_user::<Builder>(
+    resource::list_full_for_user::<Builder>(
       ResourceQuery::builder().tags(tags).build(),
       user,
+      PermissionLevel::Read.into(),
       &all_tags,
     )
     .await?
@@ -63,9 +65,10 @@ async fn get_all_targets(
     .map(|resource| ResourceTarget::Builder(resource.id)),
   );
   targets.extend(
-    resource::list_for_user::<Server>(
+    resource::list_full_for_user::<Server>(
       ResourceQuery::builder().tags(tags).build(),
       user,
+      PermissionLevel::Read.into(),
       &all_tags,
     )
     .await?
@@ -73,9 +76,10 @@ async fn get_all_targets(
     .map(|resource| ResourceTarget::Server(resource.id)),
   );
   targets.extend(
-    resource::list_for_user::<Stack>(
+    resource::list_full_for_user::<Stack>(
       ResourceQuery::builder().tags(tags).build(),
       user,
+      PermissionLevel::Read.into(),
       &all_tags,
     )
     .await?
@@ -83,9 +87,10 @@ async fn get_all_targets(
     .map(|resource| ResourceTarget::Stack(resource.id)),
   );
   targets.extend(
-    resource::list_for_user::<Deployment>(
+    resource::list_full_for_user::<Deployment>(
       ResourceQuery::builder().tags(tags).build(),
       user,
+      PermissionLevel::Read.into(),
       &all_tags,
     )
     .await?
@@ -93,9 +98,10 @@ async fn get_all_targets(
     .map(|resource| ResourceTarget::Deployment(resource.id)),
   );
   targets.extend(
-    resource::list_for_user::<Build>(
+    resource::list_full_for_user::<Build>(
       ResourceQuery::builder().tags(tags).build(),
       user,
+      PermissionLevel::Read.into(),
       &all_tags,
     )
     .await?
@@ -103,9 +109,10 @@ async fn get_all_targets(
     .map(|resource| ResourceTarget::Build(resource.id)),
   );
   targets.extend(
-    resource::list_for_user::<Repo>(
+    resource::list_full_for_user::<Repo>(
       ResourceQuery::builder().tags(tags).build(),
       user,
+      PermissionLevel::Read.into(),
       &all_tags,
     )
     .await?
@@ -113,9 +120,10 @@ async fn get_all_targets(
     .map(|resource| ResourceTarget::Repo(resource.id)),
   );
   targets.extend(
-    resource::list_for_user::<Procedure>(
+    resource::list_full_for_user::<Procedure>(
       ResourceQuery::builder().tags(tags).build(),
       user,
+      PermissionLevel::Read.into(),
       &all_tags,
     )
     .await?
@@ -123,29 +131,21 @@ async fn get_all_targets(
     .map(|resource| ResourceTarget::Procedure(resource.id)),
   );
   targets.extend(
-    resource::list_for_user::<Action>(
+    resource::list_full_for_user::<Action>(
       ResourceQuery::builder().tags(tags).build(),
       user,
+      PermissionLevel::Read.into(),
       &all_tags,
     )
     .await?
     .into_iter()
     .map(|resource| ResourceTarget::Action(resource.id)),
   );
-  targets.extend(
-    resource::list_for_user::<ServerTemplate>(
-      ResourceQuery::builder().tags(tags).build(),
-      user,
-      &all_tags,
-    )
-    .await?
-    .into_iter()
-    .map(|resource| ResourceTarget::ServerTemplate(resource.id)),
-  );
   targets.extend(
     resource::list_full_for_user::<ResourceSync>(
       ResourceQuery::builder().tags(tags).build(),
       user,
+      PermissionLevel::Read.into(),
       &all_tags,
     )
     .await?
@@ -203,18 +203,18 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
       include_variables,
     } = self;
     let mut res = ResourcesToml::default();
-    let all = AllResourcesById::load().await?;
     let id_to_tags = get_id_to_tags(None).await?;
     let ReadArgs { user } = args;
     for target in targets {
       match target {
         ResourceTarget::Alerter(id) => {
-          let alerter = resource::get_check_permissions::<Alerter>(
+          let mut alerter = get_check_permissions::<Alerter>(
             &id,
             user,
-            PermissionLevel::Read,
+            PermissionLevel::Read.into(),
           )
           .await?;
+          Alerter::replace_ids(&mut alerter);
           res.alerters.push(convert_resource::<Alerter>(
             alerter,
             false,
@@ -223,16 +223,18 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
           ))
         }
         ResourceTarget::ResourceSync(id) => {
-          let sync = resource::get_check_permissions::<ResourceSync>(
+          let mut sync = get_check_permissions::<ResourceSync>(
             &id,
             user,
-            PermissionLevel::Read,
+            PermissionLevel::Read.into(),
           )
           .await?;
           if sync.config.file_contents.is_empty()
             && (sync.config.files_on_host
-              || !sync.config.repo.is_empty())
+              || !sync.config.repo.is_empty()
+              || !sync.config.linked_repo.is_empty())
           {
+            ResourceSync::replace_ids(&mut sync);
             res.resource_syncs.push(convert_resource::<ResourceSync>(
               sync,
               false,
@@ -241,27 +243,14 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
             ))
           }
         }
-        ResourceTarget::ServerTemplate(id) => {
-          let template = resource::get_check_permissions::<
-            ServerTemplate,
-          >(&id, user, PermissionLevel::Read)
-          .await?;
-          res.server_templates.push(
-            convert_resource::<ServerTemplate>(
-              template,
-              false,
-              vec![],
-              &id_to_tags,
-            ),
-          )
-        }
         ResourceTarget::Server(id) => {
-          let server = resource::get_check_permissions::<Server>(
+          let mut server = get_check_permissions::<Server>(
             &id,
             user,
-            PermissionLevel::Read,
+            PermissionLevel::Read.into(),
           )
           .await?;
+          Server::replace_ids(&mut server);
           res.servers.push(convert_resource::<Server>(
             server,
             false,
@@ -270,14 +259,13 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
           ))
         }
         ResourceTarget::Builder(id) => {
-          let mut builder =
-            resource::get_check_permissions::<Builder>(
-              &id,
-              user,
-              PermissionLevel::Read,
-            )
-            .await?;
-          Builder::replace_ids(&mut builder, &all);
+          let mut builder = get_check_permissions::<Builder>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Builder::replace_ids(&mut builder);
           res.builders.push(convert_resource::<Builder>(
             builder,
             false,
@@ -286,13 +274,13 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
           ))
         }
         ResourceTarget::Build(id) => {
-          let mut build = resource::get_check_permissions::<Build>(
+          let mut build = get_check_permissions::<Build>(
             &id,
             user,
-            PermissionLevel::Read,
+            PermissionLevel::Read.into(),
           )
           .await?;
-          Build::replace_ids(&mut build, &all);
+          Build::replace_ids(&mut build);
           res.builds.push(convert_resource::<Build>(
             build,
             false,
@@ -301,13 +289,13 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
           ))
         }
         ResourceTarget::Deployment(id) => {
-          let mut deployment = resource::get_check_permissions::<
-            Deployment,
-          >(
-            &id, user, PermissionLevel::Read
+          let mut deployment = get_check_permissions::<Deployment>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
           )
           .await?;
-          Deployment::replace_ids(&mut deployment, &all);
+          Deployment::replace_ids(&mut deployment);
           res.deployments.push(convert_resource::<Deployment>(
             deployment,
             false,
@@ -316,13 +304,13 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
           ))
         }
         ResourceTarget::Repo(id) => {
-          let mut repo = resource::get_check_permissions::<Repo>(
+          let mut repo = get_check_permissions::<Repo>(
             &id,
             user,
-            PermissionLevel::Read,
+            PermissionLevel::Read.into(),
           )
           .await?;
-          Repo::replace_ids(&mut repo, &all);
+          Repo::replace_ids(&mut repo);
           res.repos.push(convert_resource::<Repo>(
             repo,
             false,
@@ -331,13 +319,13 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
           ))
         }
         ResourceTarget::Stack(id) => {
-          let mut stack = resource::get_check_permissions::<Stack>(
+          let mut stack = get_check_permissions::<Stack>(
             &id,
             user,
-            PermissionLevel::Read,
+            PermissionLevel::Read.into(),
           )
           .await?;
-          Stack::replace_ids(&mut stack, &all);
+          Stack::replace_ids(&mut stack);
           res.stacks.push(convert_resource::<Stack>(
             stack,
             false,
@@ -346,13 +334,13 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
           ))
         }
         ResourceTarget::Procedure(id) => {
-          let mut procedure = resource::get_check_permissions::<
-            Procedure,
-          >(
-            &id, user, PermissionLevel::Read
+          let mut procedure = get_check_permissions::<Procedure>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
           )
           .await?;
-          Procedure::replace_ids(&mut procedure, &all);
+          Procedure::replace_ids(&mut procedure);
           res.procedures.push(convert_resource::<Procedure>(
             procedure,
             false,
@@ -361,13 +349,13 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
           ));
         }
         ResourceTarget::Action(id) => {
-          let mut action = resource::get_check_permissions::<Action>(
+          let mut action = get_check_permissions::<Action>(
             &id,
             user,
-            PermissionLevel::Read,
+            PermissionLevel::Read.into(),
           )
           .await?;
-          Action::replace_ids(&mut action, &all);
+          Action::replace_ids(&mut action);
           res.actions.push(convert_resource::<Action>(
             action,
             false,
@@ -379,7 +367,7 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
       };
     }
 
-    add_user_groups(user_groups, &mut res, &all, args)
+    add_user_groups(user_groups, &mut res, args)
       .await
       .context("failed to add user groups")?;
 
@@ -408,7 +396,6 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
 async fn add_user_groups(
   user_groups: Vec<String>,
   res: &mut ResourcesToml,
-  all: &AllResourcesById,
   args: &ReadArgs,
 ) -> anyhow::Result<()> {
   let user_groups = ListUserGroups {}
@@ -420,7 +407,7 @@ async fn add_user_groups(
       user_groups.contains(&ug.name) || user_groups.contains(&ug.id)
     });
   let mut ug = Vec::with_capacity(user_groups.size_hint().0);
-  convert_user_groups(user_groups, all, &mut ug).await?;
+  convert_user_groups(user_groups, &mut ug).await?;
   res.user_groups = ug.into_iter().map(|ug| ug.1).collect();
 
   Ok(())
@@ -503,14 +490,6 @@ fn serialize_resources_toml(
     Builder::push_to_toml_string(builder, &mut toml)?;
   }
 
-  for server_template in resources.server_templates {
-    if !toml.is_empty() {
-      toml.push_str("\n\n##\n\n");
-    }
-    toml.push_str("[[server_template]]\n");
-    ServerTemplate::push_to_toml_string(server_template, &mut toml)?;
-  }
-
   for resource_sync in resources.resource_syncs {
     if !toml.is_empty() {
       toml.push_str("\n\n##\n\n");
@@ -523,22 +502,14 @@ fn serialize_resources_toml(
     if !toml.is_empty() {
       toml.push_str("\n\n##\n\n");
     }
-    toml.push_str("[[variable]]\n");
-    toml.push_str(
-      &toml_pretty::to_string(variable, TOML_PRETTY_OPTIONS)
-        .context("failed to serialize variables to toml")?,
-    );
+    toml.push_str(&variable_to_toml(variable)?);
   }
 
-  for user_group in &resources.user_groups {
+  for user_group in resources.user_groups {
     if !toml.is_empty() {
       toml.push_str("\n\n##\n\n");
     }
-    toml.push_str("[[user_group]]\n");
-    toml.push_str(
-      &toml_pretty::to_string(user_group, TOML_PRETTY_OPTIONS)
-        .context("failed to serialize user_groups to toml")?,
-    );
+    toml.push_str(&user_group_to_toml(user_group)?);
   }
 
   Ok(toml)

bin/core/src/api/read/update.rs

@@ -1,6 +1,11 @@
 use std::collections::HashMap;
 
 use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::find_one_by_id,
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
 use komodo_client::{
   api::read::{GetUpdate, ListUpdates, ListUpdatesResponse},
   entities::{
@@ -14,21 +19,19 @@ use komodo_client::{
     procedure::Procedure,
     repo::Repo,
     server::Server,
-    server_template::ServerTemplate,
     stack::Stack,
     sync::ResourceSync,
     update::{Update, UpdateListItem},
     user::User,
   },
 };
-use mungos::{
-  by_id::find_one_by_id,
-  find::find_collect,
-  mongodb::{bson::doc, options::FindOptions},
-};
 use resolver_api::Resolve;
 
-use crate::{config::core_config, resource, state::db_client};
+use crate::{
+  config::core_config,
+  permission::{get_check_permissions, get_resource_ids_for_user},
+  state::db_client,
+};
 
 use super::ReadArgs;
 
@@ -42,18 +45,17 @@ impl Resolve<ReadArgs> for ListUpdates {
     let query = if user.admin || core_config().transparent_mode {
       self.query
     } else {
-      let server_query =
-        resource::get_resource_ids_for_user::<Server>(user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "Server", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "Server" });
+      let server_query = get_resource_ids_for_user::<Server>(user)
+        .await?
+        .map(|ids| {
+          doc! {
+            "target.type": "Server", "target.id": { "$in": ids }
+          }
+        })
+        .unwrap_or_else(|| doc! { "target.type": "Server" });
 
       let deployment_query =
-        resource::get_resource_ids_for_user::<Deployment>(user)
+        get_resource_ids_for_user::<Deployment>(user)
           .await?
           .map(|ids| {
             doc! {
@@ -62,38 +64,35 @@ impl Resolve<ReadArgs> for ListUpdates {
           })
           .unwrap_or_else(|| doc! { "target.type": "Deployment" });
 
-      let stack_query =
-        resource::get_resource_ids_for_user::<Stack>(user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "Stack", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "Stack" });
+      let stack_query = get_resource_ids_for_user::<Stack>(user)
+        .await?
+        .map(|ids| {
+          doc! {
+            "target.type": "Stack", "target.id": { "$in": ids }
+          }
+        })
+        .unwrap_or_else(|| doc! { "target.type": "Stack" });
 
-      let build_query =
-        resource::get_resource_ids_for_user::<Build>(user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "Build", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "Build" });
+      let build_query = get_resource_ids_for_user::<Build>(user)
+        .await?
+        .map(|ids| {
+          doc! {
+            "target.type": "Build", "target.id": { "$in": ids }
+          }
+        })
+        .unwrap_or_else(|| doc! { "target.type": "Build" });
 
-      let repo_query =
-        resource::get_resource_ids_for_user::<Repo>(user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "Repo", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "Repo" });
+      let repo_query = get_resource_ids_for_user::<Repo>(user)
+        .await?
+        .map(|ids| {
+          doc! {
+            "target.type": "Repo", "target.id": { "$in": ids }
+          }
+        })
+        .unwrap_or_else(|| doc! { "target.type": "Repo" });
 
       let procedure_query =
-        resource::get_resource_ids_for_user::<Procedure>(user)
+        get_resource_ids_for_user::<Procedure>(user)
           .await?
           .map(|ids| {
             doc! {
@@ -102,57 +101,43 @@ impl Resolve<ReadArgs> for ListUpdates {
           })
           .unwrap_or_else(|| doc! { "target.type": "Procedure" });
 
-      let action_query =
-        resource::get_resource_ids_for_user::<Action>(user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "Action", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "Action" });
-
-      let builder_query =
-        resource::get_resource_ids_for_user::<Builder>(user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "Builder", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "Builder" });
-
-      let alerter_query =
-        resource::get_resource_ids_for_user::<Alerter>(user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "Alerter", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "Alerter" });
-
-      let server_template_query =
-        resource::get_resource_ids_for_user::<ServerTemplate>(user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "ServerTemplate", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "ServerTemplate" });
-
-      let resource_sync_query =
-        resource::get_resource_ids_for_user::<ResourceSync>(
-          user,
-        )
+      let action_query = get_resource_ids_for_user::<Action>(user)
         .await?
         .map(|ids| {
           doc! {
-            "target.type": "ResourceSync", "target.id": { "$in": ids }
+            "target.type": "Action", "target.id": { "$in": ids }
           }
         })
-        .unwrap_or_else(|| doc! { "target.type": "ResourceSync" });
+        .unwrap_or_else(|| doc! { "target.type": "Action" });
+
+      let builder_query = get_resource_ids_for_user::<Builder>(user)
+        .await?
+        .map(|ids| {
+          doc! {
+            "target.type": "Builder", "target.id": { "$in": ids }
+          }
+        })
+        .unwrap_or_else(|| doc! { "target.type": "Builder" });
+
+      let alerter_query = get_resource_ids_for_user::<Alerter>(user)
+        .await?
+        .map(|ids| {
+          doc! {
+            "target.type": "Alerter", "target.id": { "$in": ids }
+          }
+        })
+        .unwrap_or_else(|| doc! { "target.type": "Alerter" });
+
+      let resource_sync_query = get_resource_ids_for_user::<
+        ResourceSync,
+      >(user)
+      .await?
+      .map(|ids| {
+        doc! {
+          "target.type": "ResourceSync", "target.id": { "$in": ids }
+        }
+      })
+      .unwrap_or_else(|| doc! { "target.type": "ResourceSync" });
 
       let mut query = self.query.unwrap_or_default();
       query.extend(doc! {
@@ -166,7 +151,6 @@ impl Resolve<ReadArgs> for ListUpdates {
           action_query,
           alerter_query,
           builder_query,
-          server_template_query,
           resource_sync_query,
         ]
       });
@@ -245,90 +229,82 @@ impl Resolve<ReadArgs> for GetUpdate {
         );
       }
       ResourceTarget::Server(id) => {
-        resource::get_check_permissions::<Server>(
+        get_check_permissions::<Server>(
           id,
           user,
-          PermissionLevel::Read,
+          PermissionLevel::Read.into(),
         )
         .await?;
       }
       ResourceTarget::Deployment(id) => {
-        resource::get_check_permissions::<Deployment>(
+        get_check_permissions::<Deployment>(
           id,
           user,
-          PermissionLevel::Read,
+          PermissionLevel::Read.into(),
         )
         .await?;
       }
       ResourceTarget::Build(id) => {
-        resource::get_check_permissions::<Build>(
+        get_check_permissions::<Build>(
           id,
           user,
-          PermissionLevel::Read,
+          PermissionLevel::Read.into(),
         )
         .await?;
       }
       ResourceTarget::Repo(id) => {
-        resource::get_check_permissions::<Repo>(
+        get_check_permissions::<Repo>(
           id,
           user,
-          PermissionLevel::Read,
+          PermissionLevel::Read.into(),
         )
         .await?;
       }
       ResourceTarget::Builder(id) => {
-        resource::get_check_permissions::<Builder>(
+        get_check_permissions::<Builder>(
           id,
           user,
-          PermissionLevel::Read,
+          PermissionLevel::Read.into(),
         )
         .await?;
       }
       ResourceTarget::Alerter(id) => {
-        resource::get_check_permissions::<Alerter>(
+        get_check_permissions::<Alerter>(
           id,
           user,
-          PermissionLevel::Read,
+          PermissionLevel::Read.into(),
         )
         .await?;
       }
       ResourceTarget::Procedure(id) => {
-        resource::get_check_permissions::<Procedure>(
+        get_check_permissions::<Procedure>(
           id,
           user,
-          PermissionLevel::Read,
+          PermissionLevel::Read.into(),
         )
         .await?;
       }
       ResourceTarget::Action(id) => {
-        resource::get_check_permissions::<Action>(
+        get_check_permissions::<Action>(
           id,
           user,
-          PermissionLevel::Read,
-        )
-        .await?;
-      }
-      ResourceTarget::ServerTemplate(id) => {
-        resource::get_check_permissions::<ServerTemplate>(
-          id,
-          user,
-          PermissionLevel::Read,
+          PermissionLevel::Read.into(),
         )
         .await?;
       }
       ResourceTarget::ResourceSync(id) => {
-        resource::get_check_permissions::<ResourceSync>(
+        get_check_permissions::<ResourceSync>(
           id,
           user,
-          PermissionLevel::Read,
+          PermissionLevel::Read.into(),
         )
         .await?;
       }
       ResourceTarget::Stack(id) => {
-        resource::get_check_permissions::<Stack>(
+        get_check_permissions::<Stack>(
           id,
           user,
-          PermissionLevel::Read,
+          PermissionLevel::Read.into(),
         )
         .await?;
       }

bin/core/src/api/read/user.rs

@@ -1,4 +1,9 @@
 use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::find_one_by_id,
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
 use komodo_client::{
   api::read::{
     FindUser, FindUserResponse, GetUsername, GetUsernameResponse,
@@ -8,11 +13,6 @@ use komodo_client::{
   },
   entities::user::{UserConfig, admin_service_user},
 };
-use mungos::{
-  by_id::find_one_by_id,
-  find::find_collect,
-  mongodb::{bson::doc, options::FindOptions},
-};
 use resolver_api::Resolve;
 
 use crate::{helpers::query::get_user, state::db_client};

bin/core/src/api/read/user_group.rs

@@ -1,14 +1,14 @@
 use std::str::FromStr;
 
 use anyhow::Context;
-use komodo_client::api::read::*;
-use mungos::{
+use database::mungos::{
   find::find_collect,
   mongodb::{
     bson::{Document, doc, oid::ObjectId},
     options::FindOptions,
   },
 };
+use komodo_client::api::read::*;
 use resolver_api::Resolve;
 
 use crate::state::db_client;

bin/core/src/api/read/variable.rs

@@ -1,7 +1,9 @@
 use anyhow::Context;
+use database::mongo_indexed::doc;
+use database::mungos::{
+  find::find_collect, mongodb::options::FindOptions,
+};
 use komodo_client::api::read::*;
-use mongo_indexed::doc;
-use mungos::{find::find_collect, mongodb::options::FindOptions};
 use resolver_api::Resolve;
 
 use crate::{helpers::query::get_variable, state::db_client};

bin/core/src/api/terminal.rs

@@ -0,0 +1,299 @@
+use anyhow::Context;
+use axum::{Extension, Router, middleware, routing::post};
+use komodo_client::{
+  api::terminal::*,
+  entities::{
+    deployment::Deployment, permission::PermissionLevel,
+    server::Server, stack::Stack, user::User,
+  },
+};
+use serror::Json;
+use uuid::Uuid;
+
+use crate::{
+  auth::auth_request, helpers::periphery_client,
+  permission::get_check_permissions, resource::get,
+  state::stack_status_cache,
+};
+
+pub fn router() -> Router {
+  Router::new()
+    .route("/execute", post(execute_terminal))
+    .route("/execute/container", post(execute_container_exec))
+    .route("/execute/deployment", post(execute_deployment_exec))
+    .route("/execute/stack", post(execute_stack_exec))
+    .layer(middleware::from_fn(auth_request))
+}
+
+// =================
+//  ExecuteTerminal
+// =================
+
+async fn execute_terminal(
+  Extension(user): Extension<User>,
+  Json(request): Json<ExecuteTerminalBody>,
+) -> serror::Result<axum::body::Body> {
+  execute_terminal_inner(Uuid::new_v4(), request, user).await
+}
+
+#[instrument(
+  name = "ExecuteTerminal",
+  skip(user),
+  fields(
+    user_id = user.id,
+  )
+)]
+async fn execute_terminal_inner(
+  req_id: Uuid,
+  ExecuteTerminalBody {
+    server,
+    terminal,
+    command,
+  }: ExecuteTerminalBody,
+  user: User,
+) -> serror::Result<axum::body::Body> {
+  info!("/terminal/execute request | user: {}", user.username);
+
+  let res = async {
+    let server = get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Read.terminal(),
+    )
+    .await?;
+
+    let periphery = periphery_client(&server)?;
+
+    let stream = periphery
+      .execute_terminal(terminal, command)
+      .await
+      .context("Failed to execute command on periphery")?;
+
+    anyhow::Ok(stream)
+  }
+  .await;
+
+  let stream = match res {
+    Ok(stream) => stream,
+    Err(e) => {
+      warn!("/terminal/execute request {req_id} error: {e:#}");
+      return Err(e.into());
+    }
+  };
+
+  Ok(axum::body::Body::from_stream(stream.into_line_stream()))
+}
+
+// ======================
+//  ExecuteContainerExec
+// ======================
+
+async fn execute_container_exec(
+  Extension(user): Extension<User>,
+  Json(request): Json<ExecuteContainerExecBody>,
+) -> serror::Result<axum::body::Body> {
+  execute_container_exec_inner(Uuid::new_v4(), request, user).await
+}
+
+#[instrument(
+  name = "ExecuteContainerExec",
+  skip(user),
+  fields(
+    user_id = user.id,
+  )
+)]
+async fn execute_container_exec_inner(
+  req_id: Uuid,
+  ExecuteContainerExecBody {
+    server,
+    container,
+    shell,
+    command,
+  }: ExecuteContainerExecBody,
+  user: User,
+) -> serror::Result<axum::body::Body> {
+  info!(
+    "/terminal/execute/container request | user: {}",
+    user.username
+  );
+
+  let res = async {
+    let server = get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Read.terminal(),
+    )
+    .await?;
+
+    let periphery = periphery_client(&server)?;
+
+    let stream = periphery
+      .execute_container_exec(container, shell, command)
+      .await
+      .context(
+        "Failed to execute container exec command on periphery",
+      )?;
+
+    anyhow::Ok(stream)
+  }
+  .await;
+
+  let stream = match res {
+    Ok(stream) => stream,
+    Err(e) => {
+      warn!(
+        "/terminal/execute/container request {req_id} error: {e:#}"
+      );
+      return Err(e.into());
+    }
+  };
+
+  Ok(axum::body::Body::from_stream(stream.into_line_stream()))
+}
+
+// =======================
+//  ExecuteDeploymentExec
+// =======================
+
+async fn execute_deployment_exec(
+  Extension(user): Extension<User>,
+  Json(request): Json<ExecuteDeploymentExecBody>,
+) -> serror::Result<axum::body::Body> {
+  execute_deployment_exec_inner(Uuid::new_v4(), request, user).await
+}
+
+#[instrument(
+  name = "ExecuteDeploymentExec",
+  skip(user),
+  fields(
+    user_id = user.id,
+  )
+)]
+async fn execute_deployment_exec_inner(
+  req_id: Uuid,
+  ExecuteDeploymentExecBody {
+    deployment,
+    shell,
+    command,
+  }: ExecuteDeploymentExecBody,
+  user: User,
+) -> serror::Result<axum::body::Body> {
+  info!(
+    "/terminal/execute/deployment request | user: {}",
+    user.username
+  );
+
+  let res = async {
+    let deployment = get_check_permissions::<Deployment>(
+      &deployment,
+      &user,
+      PermissionLevel::Read.terminal(),
+    )
+    .await?;
+
+    let server = get::<Server>(&deployment.config.server_id).await?;
+
+    let periphery = periphery_client(&server)?;
+
+    let stream = periphery
+      .execute_container_exec(deployment.name, shell, command)
+      .await
+      .context(
+        "Failed to execute container exec command on periphery",
+      )?;
+
+    anyhow::Ok(stream)
+  }
+  .await;
+
+  let stream = match res {
+    Ok(stream) => stream,
+    Err(e) => {
+      warn!(
+        "/terminal/execute/deployment request {req_id} error: {e:#}"
+      );
+      return Err(e.into());
+    }
+  };
+
+  Ok(axum::body::Body::from_stream(stream.into_line_stream()))
+}
+
+// ==================
+//  ExecuteStackExec
+// ==================
+
+async fn execute_stack_exec(
+  Extension(user): Extension<User>,
+  Json(request): Json<ExecuteStackExecBody>,
+) -> serror::Result<axum::body::Body> {
+  execute_stack_exec_inner(Uuid::new_v4(), request, user).await
+}
+
+#[instrument(
+  name = "ExecuteStackExec",
+  skip(user),
+  fields(
+    user_id = user.id,
+  )
+)]
+async fn execute_stack_exec_inner(
+  req_id: Uuid,
+  ExecuteStackExecBody {
+    stack,
+    service,
+    shell,
+    command,
+  }: ExecuteStackExecBody,
+  user: User,
+) -> serror::Result<axum::body::Body> {
+  info!("/terminal/execute/stack request | user: {}", user.username);
+
+  let res = async {
+    let stack = get_check_permissions::<Stack>(
+      &stack,
+      &user,
+      PermissionLevel::Read.terminal(),
+    )
+    .await?;
+
+    let server = get::<Server>(&stack.config.server_id).await?;
+
+    let container = stack_status_cache()
+      .get(&stack.id)
+      .await
+      .context("could not get stack status")?
+      .curr
+      .services
+      .iter()
+      .find(|s| s.service == service)
+      .context("could not find service")?
+      .container
+      .as_ref()
+      .context("could not find service container")?
+      .name
+      .clone();
+
+    let periphery = periphery_client(&server)?;
+
+    let stream = periphery
+      .execute_container_exec(container, shell, command)
+      .await
+      .context(
+        "Failed to execute container exec command on periphery",
+      )?;
+
+    anyhow::Ok(stream)
+  }
+  .await;
+
+  let stream = match res {
+    Ok(stream) => stream,
+    Err(e) => {
+      warn!("/terminal/execute/stack request {req_id} error: {e:#}");
+      return Err(e.into());
+    }
+  };
+
+  Ok(axum::body::Body::from_stream(stream.into_line_stream()))
+}

bin/core/src/api/user.rs

@@ -1,17 +1,22 @@
 use std::{collections::VecDeque, time::Instant};
 
 use anyhow::{Context, anyhow};
-use axum::{Extension, Json, Router, middleware, routing::post};
+use axum::{
+  Extension, Json, Router, extract::Path, middleware, routing::post,
+};
+use database::mongo_indexed::doc;
+use database::mungos::{
+  by_id::update_one_by_id, mongodb::bson::to_bson,
+};
 use derive_variants::EnumVariants;
 use komodo_client::{
   api::user::*,
   entities::{api_key::ApiKey, komodo_timestamp, user::User},
 };
-use mongo_indexed::doc;
-use mungos::{by_id::update_one_by_id, mongodb::bson::to_bson};
 use resolver_api::Resolve;
 use response::Response;
 use serde::{Deserialize, Serialize};
+use serde_json::json;
 use typeshare::typeshare;
 use uuid::Uuid;
 
@@ -21,6 +26,8 @@ use crate::{
   state::db_client,
 };
 
+use super::Variant;
+
 pub struct UserArgs {
   pub user: User,
 }
@@ -43,9 +50,22 @@ enum UserRequest {
 pub fn router() -> Router {
   Router::new()
     .route("/", post(handler))
+    .route("/{variant}", post(variant_handler))
     .layer(middleware::from_fn(auth_request))
 }
 
+async fn variant_handler(
+  user: Extension<User>,
+  Path(Variant { variant }): Path<Variant>,
+  Json(params): Json<serde_json::Value>,
+) -> serror::Result<axum::response::Response> {
+  let req: UserRequest = serde_json::from_value(json!({
+    "type": variant,
+    "params": params,
+  }))?;
+  handler(user, Json(req)).await
+}
+
 #[instrument(name = "UserHandler", level = "debug", skip(user))]
 async fn handler(
   Extension(user): Extension<User>,
@@ -98,7 +118,7 @@ impl Resolve<UserArgs> for PushRecentlyViewed {
     update_one_by_id(
       &db_client().users,
       &user.id,
-      mungos::update::Update::Set(update),
+      database::mungos::update::Update::Set(update),
       None,
     )
     .await
@@ -123,7 +143,7 @@ impl Resolve<UserArgs> for SetLastSeenUpdate {
     update_one_by_id(
       &db_client().users,
       &user.id,
-      mungos::update::Update::Set(doc! {
+      database::mungos::update::Update::Set(doc! {
         "last_update_view": komodo_timestamp()
       }),
       None,

bin/core/src/api/write/action.rs

@@ -6,7 +6,7 @@ use komodo_client::{
 };
 use resolver_api::Resolve;
 
-use crate::resource;
+use crate::{permission::get_check_permissions, resource};
 
 use super::WriteArgs;
 
@@ -16,10 +16,7 @@ impl Resolve<WriteArgs> for CreateAction {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Action> {
-    Ok(
-      resource::create::<Action>(&self.name, self.config, user)
-        .await?,
-    )
+    resource::create::<Action>(&self.name, self.config, user).await
   }
 }
 
@@ -29,17 +26,13 @@ impl Resolve<WriteArgs> for CopyAction {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Action> {
-    let Action { config, .. } =
-      resource::get_check_permissions::<Action>(
-        &self.id,
-        user,
-        PermissionLevel::Write,
-      )
-      .await?;
-    Ok(
-      resource::create::<Action>(&self.name, config.into(), user)
-        .await?,
+    let Action { config, .. } = get_check_permissions::<Action>(
+      &self.id,
+      user,
+      PermissionLevel::Write.into(),
     )
+    .await?;
+    resource::create::<Action>(&self.name, config.into(), user).await
   }
 }
 

bin/core/src/api/write/alerter.rs

@@ -6,7 +6,7 @@ use komodo_client::{
 };
 use resolver_api::Resolve;
 
-use crate::resource;
+use crate::{permission::get_check_permissions, resource};
 
 use super::WriteArgs;
 
@@ -16,10 +16,7 @@ impl Resolve<WriteArgs> for CreateAlerter {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Alerter> {
-    Ok(
-      resource::create::<Alerter>(&self.name, self.config, user)
-        .await?,
-    )
+    resource::create::<Alerter>(&self.name, self.config, user).await
   }
 }
 
@@ -29,17 +26,13 @@ impl Resolve<WriteArgs> for CopyAlerter {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Alerter> {
-    let Alerter { config, .. } =
-      resource::get_check_permissions::<Alerter>(
-        &self.id,
-        user,
-        PermissionLevel::Write,
-      )
-      .await?;
-    Ok(
-      resource::create::<Alerter>(&self.name, config.into(), user)
-        .await?,
+    let Alerter { config, .. } = get_check_permissions::<Alerter>(
+      &self.id,
+      user,
+      PermissionLevel::Write.into(),
     )
+    .await?;
+    resource::create::<Alerter>(&self.name, config.into(), user).await
   }
 }
 

bin/core/src/api/write/build.rs

@@ -1,25 +1,43 @@
+use std::{path::PathBuf, str::FromStr, time::Duration};
+
 use anyhow::{Context, anyhow};
-use git::GitRes;
+use database::mongo_indexed::doc;
+use database::mungos::mongodb::bson::to_document;
+use formatting::format_serror;
 use komodo_client::{
   api::write::*,
   entities::{
-    CloneArgs, NoData,
+    FileContents, NoData, Operation, RepoExecutionArgs,
+    all_logs_success,
     build::{Build, BuildInfo, PartialBuildConfig},
+    builder::{Builder, BuilderConfig},
     config::core::CoreConfig,
     permission::PermissionLevel,
+    repo::Repo,
+    server::ServerState,
     update::Update,
   },
 };
-use mongo_indexed::doc;
-use mungos::mongodb::bson::to_document;
 use octorust::types::{
   ReposCreateWebhookRequest, ReposCreateWebhookRequestConfig,
 };
+use periphery_client::{
+  PeripheryClient,
+  api::build::{
+    GetDockerfileContentsOnHost, WriteDockerfileContentsToHost,
+  },
+};
 use resolver_api::Resolve;
+use tokio::fs;
 
 use crate::{
   config::core_config,
-  helpers::git_token,
+  helpers::{
+    git_token, periphery_client,
+    query::get_server_with_state,
+    update::{add_update, make_update},
+  },
+  permission::get_check_permissions,
   resource,
   state::{db_client, github_client},
 };
@@ -32,10 +50,7 @@ impl Resolve<WriteArgs> for CreateBuild {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Build> {
-    Ok(
-      resource::create::<Build>(&self.name, self.config, user)
-        .await?,
-    )
+    resource::create::<Build>(&self.name, self.config, user).await
   }
 }
 
@@ -45,19 +60,15 @@ impl Resolve<WriteArgs> for CopyBuild {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Build> {
-    let Build { mut config, .. } =
-      resource::get_check_permissions::<Build>(
-        &self.id,
-        user,
-        PermissionLevel::Write,
-      )
-      .await?;
+    let Build { mut config, .. } = get_check_permissions::<Build>(
+      &self.id,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
     // reset version to 0.0.0
     config.version = Default::default();
-    Ok(
-      resource::create::<Build>(&self.name, config.into(), user)
-        .await?,
-    )
+    resource::create::<Build>(&self.name, config.into(), user).await
   }
 }
 
@@ -88,6 +99,223 @@ impl Resolve<WriteArgs> for RenameBuild {
   }
 }
 
+impl Resolve<WriteArgs> for WriteBuildFileContents {
+  #[instrument(name = "WriteBuildFileContents", skip(args))]
+  async fn resolve(self, args: &WriteArgs) -> serror::Result<Update> {
+    let build = get_check_permissions::<Build>(
+      &self.build,
+      &args.user,
+      PermissionLevel::Write.into(),
+    )
+    .await?;
+
+    if !build.config.files_on_host
+      && build.config.repo.is_empty()
+      && build.config.linked_repo.is_empty()
+    {
+      return Err(anyhow!(
+        "Build is not configured to use Files on Host or Git Repo, can't write dockerfile contents"
+      ).into());
+    }
+
+    let mut update =
+      make_update(&build, Operation::WriteDockerfile, &args.user);
+
+    update.push_simple_log("Dockerfile to write", &self.contents);
+
+    if build.config.files_on_host {
+      match get_on_host_periphery(&build)
+        .await?
+        .request(WriteDockerfileContentsToHost {
+          name: build.name,
+          build_path: build.config.build_path,
+          dockerfile_path: build.config.dockerfile_path,
+          contents: self.contents,
+        })
+        .await
+        .context("Failed to write dockerfile contents to host")
+      {
+        Ok(log) => {
+          update.logs.push(log);
+        }
+        Err(e) => {
+          update.push_error_log(
+            "Write Dockerfile Contents",
+            format_serror(&e.into()),
+          );
+        }
+      };
+
+      if !all_logs_success(&update.logs) {
+        update.finalize();
+        update.id = add_update(update.clone()).await?;
+
+        return Ok(update);
+      }
+
+      if let Err(e) =
+        (RefreshBuildCache { build: build.id }).resolve(args).await
+      {
+        update.push_error_log(
+          "Refresh build cache",
+          format_serror(&e.error.into()),
+        );
+      }
+
+      update.finalize();
+      update.id = add_update(update.clone()).await?;
+
+      Ok(update)
+    } else {
+      write_dockerfile_contents_git(self, args, build, update).await
+    }
+  }
+}
+
+async fn write_dockerfile_contents_git(
+  req: WriteBuildFileContents,
+  args: &WriteArgs,
+  build: Build,
+  mut update: Update,
+) -> serror::Result<Update> {
+  let WriteBuildFileContents { build: _, contents } = req;
+
+  let mut repo_args: RepoExecutionArgs = if !build
+    .config
+    .files_on_host
+    && !build.config.linked_repo.is_empty()
+  {
+    (&crate::resource::get::<Repo>(&build.config.linked_repo).await?)
+      .into()
+  } else {
+    (&build).into()
+  };
+  let root = repo_args.unique_path(&core_config().repo_directory)?;
+  repo_args.destination = Some(root.display().to_string());
+
+  let build_path = build
+    .config
+    .build_path
+    .parse::<PathBuf>()
+    .context("Invalid build path")?;
+  let dockerfile_path = build
+    .config
+    .dockerfile_path
+    .parse::<PathBuf>()
+    .context("Invalid dockerfile path")?;
+
+  let full_path = root.join(&build_path).join(&dockerfile_path);
+
+  if let Some(parent) = full_path.parent() {
+    fs::create_dir_all(parent).await.with_context(|| {
+      format!(
+        "Failed to initialize dockerfile parent directory {parent:?}"
+      )
+    })?;
+  }
+
+  let access_token = if let Some(account) = &repo_args.account {
+    git_token(&repo_args.provider, account, |https| repo_args.https = https)
+    .await
+    .with_context(
+      || format!("Failed to get git token in call to db. Stopping run. | {} | {account}", repo_args.provider),
+    )?
+  } else {
+    None
+  };
+
+  // Ensure the folder is initialized as git repo.
+  // This allows a new file to be committed on a branch that may not exist.
+  if !root.join(".git").exists() {
+    git::init_folder_as_repo(
+      &root,
+      &repo_args,
+      access_token.as_deref(),
+      &mut update.logs,
+    )
+    .await;
+
+    if !all_logs_success(&update.logs) {
+      update.finalize();
+      update.id = add_update(update.clone()).await?;
+
+      return Ok(update);
+    }
+  }
+
+  // Save this for later -- repo_args moved next.
+  let branch = repo_args.branch.clone();
+  // Pull latest changes to repo to ensure linear commit history
+  match git::pull_or_clone(
+    repo_args,
+    &core_config().repo_directory,
+    access_token,
+  )
+  .await
+  .context("Failed to pull latest changes before commit")
+  {
+    Ok((res, _)) => update.logs.extend(res.logs),
+    Err(e) => {
+      update.push_error_log("Pull Repo", format_serror(&e.into()));
+      update.finalize();
+      return Ok(update);
+    }
+  };
+
+  if !all_logs_success(&update.logs) {
+    update.finalize();
+    update.id = add_update(update.clone()).await?;
+
+    return Ok(update);
+  }
+
+  if let Err(e) =
+    fs::write(&full_path, &contents).await.with_context(|| {
+      format!("Failed to write dockerfile contents to {full_path:?}")
+    })
+  {
+    update
+      .push_error_log("Write Dockerfile", format_serror(&e.into()));
+  } else {
+    update.push_simple_log(
+      "Write Dockerfile",
+      format!("File written to {full_path:?}"),
+    );
+  };
+
+  if !all_logs_success(&update.logs) {
+    update.finalize();
+    update.id = add_update(update.clone()).await?;
+
+    return Ok(update);
+  }
+
+  let commit_res = git::commit_file(
+    &format!("{}: Commit Dockerfile", args.user.username),
+    &root,
+    &build_path.join(&dockerfile_path),
+    &branch,
+  )
+  .await;
+
+  update.logs.extend(commit_res.logs);
+
+  if let Err(e) = (RefreshBuildCache { build: build.name })
+    .resolve(args)
+    .await
+  {
+    update.push_error_log(
+      "Refresh build cache",
+      format_serror(&e.error.into()),
+    );
+  }
+
+  update.finalize();
+  update.id = add_update(update.clone()).await?;
+
+  Ok(update)
+}
+
 impl Resolve<WriteArgs> for RefreshBuildCache {
   #[instrument(
     name = "RefreshBuildCache",
@@ -100,62 +328,70 @@ impl Resolve<WriteArgs> for RefreshBuildCache {
   ) -> serror::Result<NoData> {
     // Even though this is a write request, this doesn't change any config. Anyone that can execute the
     // build should be able to do this.
-    let build = resource::get_check_permissions::<Build>(
+    let build = get_check_permissions::<Build>(
       &self.build,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
-    if build.config.repo.is_empty()
-      || build.config.git_provider.is_empty()
+    let repo = if !build.config.files_on_host
+      && !build.config.linked_repo.is_empty()
     {
-      // Nothing to do here
-      return Ok(NoData {});
-    }
-
-    let config = core_config();
-
-    let mut clone_args: CloneArgs = (&build).into();
-    let repo_path =
-      clone_args.unique_path(&core_config().repo_directory)?;
-    clone_args.destination = Some(repo_path.display().to_string());
-    // Don't want to run these on core.
-    clone_args.on_clone = None;
-    clone_args.on_pull = None;
-
-    let access_token = if let Some(username) = &clone_args.account {
-      git_token(&clone_args.provider, username, |https| {
-          clone_args.https = https
-        })
-        .await
-        .with_context(
-          || format!("Failed to get git token in call to db. Stopping run. | {} | {username}", clone_args.provider),
-        )?
+      crate::resource::get::<Repo>(&build.config.linked_repo)
+        .await?
+        .into()
     } else {
       None
     };
 
-    let GitRes {
-      hash: latest_hash,
-      message: latest_message,
-      ..
-    } = git::pull_or_clone(
-      clone_args,
-      &config.repo_directory,
-      access_token,
-      &[],
-      "",
-      None,
-      &[],
-    )
-    .await
-    .context("failed to clone build repo")?;
+    let (
+      remote_path,
+      remote_contents,
+      remote_error,
+      latest_hash,
+      latest_message,
+    ) = if build.config.files_on_host {
+      // =============
+      // FILES ON HOST
+      // =============
+      match get_on_host_dockerfile(&build).await {
+        Ok(FileContents { path, contents }) => {
+          (Some(path), Some(contents), None, None, None)
+        }
+        Err(e) => {
+          (None, None, Some(format_serror(&e.into())), None, None)
+        }
+      }
+    } else if let Some(repo) = &repo {
+      let Some(res) = get_git_remote(&build, repo.into()).await?
+      else {
+        // Nothing to do here
+        return Ok(NoData {});
+      };
+      res
+    } else if !build.config.repo.is_empty() {
+      let Some(res) = get_git_remote(&build, (&build).into()).await?
+      else {
+        // Nothing to do here
+        return Ok(NoData {});
+      };
+      res
+    } else {
+      // =============
+      // UI BASED FILE
+      // =============
+      (None, None, None, None, None)
+    };
 
     let info = BuildInfo {
       last_built_at: build.info.last_built_at,
       built_hash: build.info.built_hash,
       built_message: build.info.built_message,
+      built_contents: build.info.built_contents,
+      remote_path,
+      remote_contents,
+      remote_error,
       latest_hash,
       latest_message,
     };
@@ -176,6 +412,124 @@ impl Resolve<WriteArgs> for RefreshBuildCache {
   }
 }
 
+async fn get_on_host_periphery(
+  build: &Build,
+) -> anyhow::Result<PeripheryClient> {
+  if build.config.builder_id.is_empty() {
+    return Err(anyhow!("No builder associated with build"));
+  }
+
+  let builder = resource::get::<Builder>(&build.config.builder_id)
+    .await
+    .context("Failed to get builder")?;
+
+  match builder.config {
+    BuilderConfig::Aws(_) => {
+      Err(anyhow!("Files on host doesn't work with AWS builder"))
+    }
+    BuilderConfig::Url(config) => {
+      let periphery = PeripheryClient::new(
+        config.address,
+        config.passkey,
+        Duration::from_secs(3),
+      );
+      periphery.health_check().await?;
+      Ok(periphery)
+    }
+    BuilderConfig::Server(config) => {
+      if config.server_id.is_empty() {
+        return Err(anyhow!(
+          "Builder is type server, but has no server attached"
+        ));
+      }
+      let (server, state) =
+        get_server_with_state(&config.server_id).await?;
+      if state != ServerState::Ok {
+        return Err(anyhow!(
+          "Builder server is disabled or not reachable"
+        ));
+      };
+      periphery_client(&server)
+    }
+  }
+}
+
+/// The successful case will be included as Some(remote_contents).
+/// The error case will be included as Some(remote_error)
+async fn get_on_host_dockerfile(
+  build: &Build,
+) -> anyhow::Result<FileContents> {
+  get_on_host_periphery(build)
+    .await?
+    .request(GetDockerfileContentsOnHost {
+      name: build.name.clone(),
+      build_path: build.config.build_path.clone(),
+      dockerfile_path: build.config.dockerfile_path.clone(),
+    })
+    .await
+}
+
+async fn get_git_remote(
+  build: &Build,
+  mut clone_args: RepoExecutionArgs,
+) -> anyhow::Result<
+  Option<(
+    Option<String>,
+    Option<String>,
+    Option<String>,
+    Option<String>,
+    Option<String>,
+  )>,
+> {
+  if clone_args.provider.is_empty() {
+    // Nothing to do here
+    return Ok(None);
+  }
+  let config = core_config();
+  let repo_path = clone_args.unique_path(&config.repo_directory)?;
+  clone_args.destination = Some(repo_path.display().to_string());
+
+  let access_token = if let Some(username) = &clone_args.account {
+    git_token(&clone_args.provider, username, |https| {
+          clone_args.https = https
+        })
+        .await
+        .with_context(
+          || format!("Failed to get git token in call to db. Stopping run. | {} | {username}", clone_args.provider),
+        )?
+  } else {
+    None
+  };
+
+  let (res, _) = git::pull_or_clone(
+    clone_args,
+    &config.repo_directory,
+    access_token,
+  )
+  .await
+  .context("failed to clone build repo")?;
+
+  let relative_path = PathBuf::from_str(&build.config.build_path)
+    .context("Invalid build path")?
+    .join(&build.config.dockerfile_path);
+
+  let full_path = repo_path.join(&relative_path);
+  let (contents, error) =
+    match fs::read_to_string(&full_path).await.with_context(|| {
+      format!("Failed to read dockerfile contents at {full_path:?}")
+    }) {
+      Ok(contents) => (Some(contents), None),
+      Err(e) => (None, Some(format_serror(&e.into()))),
+    };
+  Ok(Some((
+    Some(relative_path.display().to_string()),
+    contents,
+    error,
+    res.commit_hash,
+    res.commit_message,
+  )))
+}
+
 impl Resolve<WriteArgs> for CreateBuildWebhook {
   #[instrument(name = "CreateBuildWebhook", skip(args))]
   async fn resolve(
@@ -193,10 +547,10 @@ impl Resolve<WriteArgs> for CreateBuildWebhook {
 
     let WriteArgs { user } = args;
 
-    let build = resource::get_check_permissions::<Build>(
+    let build = get_check_permissions::<Build>(
       &self.build,
       user,
-      PermissionLevel::Write,
+      PermissionLevel::Write.into(),
     )
     .await?;
 
@@ -306,10 +660,10 @@ impl Resolve<WriteArgs> for DeleteBuildWebhook {
       );
     };
 
-    let build = resource::get_check_permissions::<Build>(
+    let build = get_check_permissions::<Build>(
       &self.build,
       user,
-      PermissionLevel::Write,
+      PermissionLevel::Write.into(),
     )
     .await?;
 

bin/core/src/api/write/builder.rs

@@ -6,7 +6,7 @@ use komodo_client::{
 };
 use resolver_api::Resolve;
 
-use crate::resource;
+use crate::{permission::get_check_permissions, resource};
 
 use super::WriteArgs;
 
@@ -16,10 +16,7 @@ impl Resolve<WriteArgs> for CreateBuilder {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Builder> {
-    Ok(
-      resource::create::<Builder>(&self.name, self.config, user)
-        .await?,
-    )
+    resource::create::<Builder>(&self.name, self.config, user).await
   }
 }
 
@@ -29,17 +26,13 @@ impl Resolve<WriteArgs> for CopyBuilder {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Builder> {
-    let Builder { config, .. } =
-      resource::get_check_permissions::<Builder>(
-        &self.id,
-        user,
-        PermissionLevel::Write,
-      )
-      .await?;
-    Ok(
-      resource::create::<Builder>(&self.name, config.into(), user)
-        .await?,
+    let Builder { config, .. } = get_check_permissions::<Builder>(
+      &self.id,
+      user,
+      PermissionLevel::Write.into(),
     )
+    .await?;
+    resource::create::<Builder>(&self.name, config.into(), user).await
   }
 }
 

bin/core/src/api/write/deployment.rs

@@ -1,4 +1,5 @@
 use anyhow::{Context, anyhow};
+use database::mungos::{by_id::update_one_by_id, mongodb::bson::doc};
 use komodo_client::{
   api::write::*,
   entities::{
@@ -11,11 +12,10 @@ use komodo_client::{
     komodo_timestamp,
     permission::PermissionLevel,
     server::{Server, ServerState},
-    to_komodo_name,
+    to_container_compatible_name,
     update::Update,
   },
 };
-use mungos::{by_id::update_one_by_id, mongodb::bson::doc};
 use periphery_client::api::{self, container::InspectContainer};
 use resolver_api::Resolve;
 
@@ -25,6 +25,7 @@ use crate::{
     query::get_deployment_state,
     update::{add_update, make_update},
   },
+  permission::get_check_permissions,
   resource,
   state::{action_states, db_client, server_status_cache},
 };
@@ -37,10 +38,8 @@ impl Resolve<WriteArgs> for CreateDeployment {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Deployment> {
-    Ok(
-      resource::create::<Deployment>(&self.name, self.config, user)
-        .await?,
-    )
+    resource::create::<Deployment>(&self.name, self.config, user)
+      .await
   }
 }
 
@@ -51,16 +50,14 @@ impl Resolve<WriteArgs> for CopyDeployment {
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Deployment> {
     let Deployment { config, .. } =
-      resource::get_check_permissions::<Deployment>(
+      get_check_permissions::<Deployment>(
         &self.id,
         user,
-        PermissionLevel::Write,
+        PermissionLevel::Read.into(),
       )
       .await?;
-    Ok(
-      resource::create::<Deployment>(&self.name, config.into(), user)
-        .await?,
-    )
+    resource::create::<Deployment>(&self.name, config.into(), user)
+      .await
   }
 }
 
@@ -70,10 +67,10 @@ impl Resolve<WriteArgs> for CreateDeploymentFromContainer {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Deployment> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Write,
+      PermissionLevel::Read.inspect().attach(),
     )
     .await?;
     let cache = server_status_cache()
@@ -152,10 +149,7 @@ impl Resolve<WriteArgs> for CreateDeploymentFromContainer {
       });
     }
 
-    Ok(
-      resource::create::<Deployment>(&self.name, config, user)
-        .await?,
-    )
+    resource::create::<Deployment>(&self.name, config, user).await
   }
 }
 
@@ -188,10 +182,10 @@ impl Resolve<WriteArgs> for RenameDeployment {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Update> {
-    let deployment = resource::get_check_permissions::<Deployment>(
+    let deployment = get_check_permissions::<Deployment>(
       &self.id,
       user,
-      PermissionLevel::Write,
+      PermissionLevel::Write.into(),
     )
     .await?;
 
@@ -206,9 +200,10 @@ impl Resolve<WriteArgs> for RenameDeployment {
     let _action_guard =
       action_state.update(|state| state.renaming = true)?;
 
-    let name = to_komodo_name(&self.name);
+    let name = to_container_compatible_name(&self.name);
 
-    let container_state = get_deployment_state(&deployment).await?;
+    let container_state =
+      get_deployment_state(&deployment.id).await?;
 
     if container_state == DeploymentState::Unknown {
       return Err(
@@ -225,7 +220,7 @@ impl Resolve<WriteArgs> for RenameDeployment {
     update_one_by_id(
       &db_client().deployments,
       &deployment.id,
-      mungos::update::Update::Set(
+      database::mungos::update::Update::Set(
         doc! { "name": &name, "updated_at": komodo_timestamp() },
       ),
       None,

bin/core/src/api/write/description.rs

@@ -1,123 +0,0 @@
-use anyhow::anyhow;
-use komodo_client::{
-  api::write::{UpdateDescription, UpdateDescriptionResponse},
-  entities::{
-    ResourceTarget, action::Action, alerter::Alerter, build::Build,
-    builder::Builder, deployment::Deployment, procedure::Procedure,
-    repo::Repo, server::Server, server_template::ServerTemplate,
-    stack::Stack, sync::ResourceSync,
-  },
-};
-use resolver_api::Resolve;
-
-use crate::resource;
-
-use super::WriteArgs;
-
-impl Resolve<WriteArgs> for UpdateDescription {
-  #[instrument(name = "UpdateDescription", skip(user))]
-  async fn resolve(
-    self,
-    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<UpdateDescriptionResponse> {
-    match self.target {
-      ResourceTarget::System(_) => {
-        return Err(
-          anyhow!(
-            "cannot update description of System resource target"
-          )
-          .into(),
-        );
-      }
-      ResourceTarget::Server(id) => {
-        resource::update_description::<Server>(
-          &id,
-          &self.description,
-          user,
-        )
-        .await?;
-      }
-      ResourceTarget::Deployment(id) => {
-        resource::update_description::<Deployment>(
-          &id,
-          &self.description,
-          user,
-        )
-        .await?;
-      }
-      ResourceTarget::Build(id) => {
-        resource::update_description::<Build>(
-          &id,
-          &self.description,
-          user,
-        )
-        .await?;
-      }
-      ResourceTarget::Repo(id) => {
-        resource::update_description::<Repo>(
-          &id,
-          &self.description,
-          user,
-        )
-        .await?;
-      }
-      ResourceTarget::Builder(id) => {
-        resource::update_description::<Builder>(
-          &id,
-          &self.description,
-          user,
-        )
-        .await?;
-      }
-      ResourceTarget::Alerter(id) => {
-        resource::update_description::<Alerter>(
-          &id,
-          &self.description,
-          user,
-        )
-        .await?;
-      }
-      ResourceTarget::Procedure(id) => {
-        resource::update_description::<Procedure>(
-          &id,
-          &self.description,
-          user,
-        )
-        .await?;
-      }
-      ResourceTarget::Action(id) => {
-        resource::update_description::<Action>(
-          &id,
-          &self.description,
-          user,
-        )
-        .await?;
-      }
-      ResourceTarget::ServerTemplate(id) => {
-        resource::update_description::<ServerTemplate>(
-          &id,
-          &self.description,
-          user,
-        )
-        .await?;
-      }
-      ResourceTarget::ResourceSync(id) => {
-        resource::update_description::<ResourceSync>(
-          &id,
-          &self.description,
-          user,
-        )
-        .await?;
-      }
-      ResourceTarget::Stack(id) => {
-        resource::update_description::<Stack>(
-          &id,
-          &self.description,
-          user,
-        )
-        .await?;
-      }
-    }
-    Ok(UpdateDescriptionResponse {})
-  }
-}

bin/core/src/api/write/mod.rs

@@ -1,30 +1,34 @@
 use std::time::Instant;
 
 use anyhow::Context;
-use axum::{Extension, Router, middleware, routing::post};
+use axum::{
+  Extension, Router, extract::Path, middleware, routing::post,
+};
 use derive_variants::{EnumVariants, ExtractVariant};
 use komodo_client::{api::write::*, entities::user::User};
 use resolver_api::Resolve;
 use response::Response;
 use serde::{Deserialize, Serialize};
+use serde_json::json;
 use serror::Json;
 use typeshare::typeshare;
 use uuid::Uuid;
 
 use crate::auth::auth_request;
 
+use super::Variant;
+
 mod action;
 mod alerter;
 mod build;
 mod builder;
 mod deployment;
-mod description;
 mod permissions;
 mod procedure;
 mod provider;
 mod repo;
+mod resource;
 mod server;
-mod server_template;
 mod service_user;
 mod stack;
 mod sync;
@@ -48,6 +52,7 @@ pub struct WriteArgs {
 #[serde(tag = "type", content = "params")]
 pub enum WriteRequest {
   // ==== USER ====
+  CreateLocalUser(CreateLocalUser),
   UpdateUserUsername(UpdateUserUsername),
   UpdateUserPassword(UpdateUserPassword),
   DeleteUser(DeleteUser),
@@ -65,6 +70,7 @@ pub enum WriteRequest {
   AddUserToUserGroup(AddUserToUserGroup),
   RemoveUserFromUserGroup(RemoveUserFromUserGroup),
   SetUsersInUserGroup(SetUsersInUserGroup),
+  SetEveryoneUserGroup(SetEveryoneUserGroup),
 
   // ==== PERMISSIONS ====
   UpdateUserAdmin(UpdateUserAdmin),
@@ -72,15 +78,30 @@ pub enum WriteRequest {
   UpdatePermissionOnResourceType(UpdatePermissionOnResourceType),
   UpdatePermissionOnTarget(UpdatePermissionOnTarget),
 
-  // ==== DESCRIPTION ====
-  UpdateDescription(UpdateDescription),
+  // ==== RESOURCE ====
+  UpdateResourceMeta(UpdateResourceMeta),
 
   // ==== SERVER ====
   CreateServer(CreateServer),
+  CopyServer(CopyServer),
   DeleteServer(DeleteServer),
   UpdateServer(UpdateServer),
   RenameServer(RenameServer),
   CreateNetwork(CreateNetwork),
+  CreateTerminal(CreateTerminal),
+  DeleteTerminal(DeleteTerminal),
+  DeleteAllTerminals(DeleteAllTerminals),
+
+  // ==== STACK ====
+  CreateStack(CreateStack),
+  CopyStack(CopyStack),
+  DeleteStack(DeleteStack),
+  UpdateStack(UpdateStack),
+  RenameStack(RenameStack),
+  WriteStackFileContents(WriteStackFileContents),
+  RefreshStackCache(RefreshStackCache),
+  CreateStackWebhook(CreateStackWebhook),
+  DeleteStackWebhook(DeleteStackWebhook),
 
   // ==== DEPLOYMENT ====
   CreateDeployment(CreateDeployment),
@@ -96,6 +117,7 @@ pub enum WriteRequest {
   DeleteBuild(DeleteBuild),
   UpdateBuild(UpdateBuild),
   RenameBuild(RenameBuild),
+  WriteBuildFileContents(WriteBuildFileContents),
   RefreshBuildCache(RefreshBuildCache),
   CreateBuildWebhook(CreateBuildWebhook),
   DeleteBuildWebhook(DeleteBuildWebhook),
@@ -107,13 +129,6 @@ pub enum WriteRequest {
   UpdateBuilder(UpdateBuilder),
   RenameBuilder(RenameBuilder),
 
-  // ==== SERVER TEMPLATE ====
-  CreateServerTemplate(CreateServerTemplate),
-  CopyServerTemplate(CopyServerTemplate),
-  DeleteServerTemplate(DeleteServerTemplate),
-  UpdateServerTemplate(UpdateServerTemplate),
-  RenameServerTemplate(RenameServerTemplate),
-
   // ==== REPO ====
   CreateRepo(CreateRepo),
   CopyRepo(CopyRepo),
@@ -157,23 +172,11 @@ pub enum WriteRequest {
   CreateSyncWebhook(CreateSyncWebhook),
   DeleteSyncWebhook(DeleteSyncWebhook),
 
-  // ==== STACK ====
-  CreateStack(CreateStack),
-  CopyStack(CopyStack),
-  DeleteStack(DeleteStack),
-  UpdateStack(UpdateStack),
-  RenameStack(RenameStack),
-  WriteStackFileContents(WriteStackFileContents),
-  RefreshStackCache(RefreshStackCache),
-  CreateStackWebhook(CreateStackWebhook),
-  DeleteStackWebhook(DeleteStackWebhook),
-
   // ==== TAG ====
   CreateTag(CreateTag),
   DeleteTag(DeleteTag),
   RenameTag(RenameTag),
   UpdateTagColor(UpdateTagColor),
-  UpdateTagsOnResource(UpdateTagsOnResource),
 
   // ==== VARIABLE ====
   CreateVariable(CreateVariable),
@@ -194,9 +197,22 @@ pub enum WriteRequest {
 pub fn router() -> Router {
   Router::new()
     .route("/", post(handler))
+    .route("/{variant}", post(variant_handler))
     .layer(middleware::from_fn(auth_request))
 }
 
+async fn variant_handler(
+  user: Extension<User>,
+  Path(Variant { variant }): Path<Variant>,
+  Json(params): Json<serde_json::Value>,
+) -> serror::Result<axum::response::Response> {
+  let req: WriteRequest = serde_json::from_value(json!({
+    "type": variant,
+    "params": params,
+  }))?;
+  handler(user, Json(req)).await
+}
+
 async fn handler(
   Extension(user): Extension<User>,
   Json(request): Json<WriteRequest>,
@@ -207,10 +223,6 @@ async fn handler(
     .await
     .context("failure in spawned task");
 
-  if let Err(e) = &res {
-    warn!("/write request {req_id} spawn error: {e:#}");
-  }
-
   res?
 }
 

bin/core/src/api/write/permissions.rs

@@ -1,6 +1,13 @@
 use std::str::FromStr;
 
 use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::{find_one_by_id, update_one_by_id},
+  mongodb::{
+    bson::{Document, doc, oid::ObjectId, to_bson},
+    options::UpdateOptions,
+  },
+};
 use komodo_client::{
   api::write::*,
   entities::{
@@ -8,13 +15,6 @@ use komodo_client::{
     permission::{UserTarget, UserTargetVariant},
   },
 };
-use mungos::{
-  by_id::{find_one_by_id, update_one_by_id},
-  mongodb::{
-    bson::{Document, doc, oid::ObjectId},
-    options::UpdateOptions,
-  },
-};
 use resolver_api::Resolve;
 
 use crate::{helpers::query::get_user, state::db_client};
@@ -65,6 +65,10 @@ impl Resolve<WriteArgs> for UpdateUserBasePermissions {
     self,
     WriteArgs { user: admin }: &WriteArgs,
   ) -> serror::Result<UpdateUserBasePermissionsResponse> {
+    if !admin.admin {
+      return Err(anyhow!("this method is admin only").into());
+    }
+
     let UpdateUserBasePermissions {
       user_id,
       enabled,
@@ -72,10 +76,6 @@ impl Resolve<WriteArgs> for UpdateUserBasePermissions {
       create_builds,
     } = self;
 
-    if !admin.admin {
-      return Err(anyhow!("this method is admin only").into());
-    }
-
     let user = find_one_by_id(&db_client().users, &user_id)
       .await
       .context("failed to query mongo for user")?
@@ -107,7 +107,7 @@ impl Resolve<WriteArgs> for UpdateUserBasePermissions {
     update_one_by_id(
       &db_client().users,
       &user_id,
-      mungos::update::Update::Set(update_doc),
+      database::mungos::update::Update::Set(update_doc),
       None,
     )
     .await?;
@@ -122,16 +122,16 @@ impl Resolve<WriteArgs> for UpdatePermissionOnResourceType {
     self,
     WriteArgs { user: admin }: &WriteArgs,
   ) -> serror::Result<UpdatePermissionOnResourceTypeResponse> {
-    let UpdatePermissionOnResourceType {
+    if !admin.admin {
+      return Err(anyhow!("this method is admin only").into());
+    }
+
+    let Self {
       user_target,
       resource_type,
       permission,
     } = self;
 
-    if !admin.admin {
-      return Err(anyhow!("this method is admin only").into());
-    }
-
     // Some extra checks if user target is an actual User
     if let UserTarget::User(user_id) = &user_target {
       let user = get_user(user_id).await?;
@@ -153,9 +153,11 @@ impl Resolve<WriteArgs> for UpdatePermissionOnResourceType {
 
     let id = ObjectId::from_str(&user_target_id)
       .context("id is not ObjectId")?;
-    let field = format!("all.{resource_type}");
     let filter = doc! { "_id": id };
-    let update = doc! { "$set": { &field: permission.as_ref() } };
+    let field = format!("all.{resource_type}");
+    let set =
+      to_bson(&permission).context("permission is not Bson")?;
+    let update = doc! { "$set": { &field: &set } };
 
     match user_target_variant {
       UserTargetVariant::User => {
@@ -164,7 +166,7 @@ impl Resolve<WriteArgs> for UpdatePermissionOnResourceType {
           .update_one(filter, update)
           .await
           .with_context(|| {
-            format!("failed to set {field}: {permission} on db")
+            format!("failed to set {field}: {set} on db")
           })?;
       }
       UserTargetVariant::UserGroup => {
@@ -173,7 +175,7 @@ impl Resolve<WriteArgs> for UpdatePermissionOnResourceType {
           .update_one(filter, update)
           .await
           .with_context(|| {
-            format!("failed to set {field}: {permission} on db")
+            format!("failed to set {field}: {set} on db")
           })?;
       }
     }
@@ -188,19 +190,22 @@ impl Resolve<WriteArgs> for UpdatePermissionOnTarget {
     self,
     WriteArgs { user: admin }: &WriteArgs,
   ) -> serror::Result<UpdatePermissionOnTargetResponse> {
+    if !admin.admin {
+      return Err(anyhow!("this method is admin only").into());
+    }
+
     let UpdatePermissionOnTarget {
       user_target,
       resource_target,
       permission,
     } = self;
 
-    if !admin.admin {
-      return Err(anyhow!("this method is admin only").into());
-    }
-
-    // Some extra checks if user target is an actual User
+    // Some extra checks relevant if user target is an actual User
     if let UserTarget::User(user_id) = &user_target {
       let user = get_user(user_id).await?;
+      if !user.enabled {
+        return Err(anyhow!("user not enabled").into());
+      }
       if user.admin {
         return Err(
           anyhow!(
@@ -209,9 +214,6 @@ impl Resolve<WriteArgs> for UpdatePermissionOnTarget {
           .into(),
         );
       }
-      if !user.enabled {
-        return Err(anyhow!("user not enabled").into());
-      }
     }
 
     let (user_target_variant, user_target_id) =
@@ -223,6 +225,9 @@ impl Resolve<WriteArgs> for UpdatePermissionOnTarget {
     let (user_target_variant, resource_variant) =
       (user_target_variant.as_ref(), resource_variant.as_ref());
 
+    let specific = to_bson(&permission.specific)
+      .context("permission.specific is not valid Bson")?;
+
     db_client()
       .permissions
       .update_one(
@@ -238,7 +243,8 @@ impl Resolve<WriteArgs> for UpdatePermissionOnTarget {
             "user_target.id": user_target_id,
             "resource_target.type": resource_variant,
             "resource_target.id": resource_id,
-            "level": permission.as_ref(),
+            "level": permission.level.as_ref(),
+            "specific": specific
           }
         },
       )
@@ -406,20 +412,6 @@ async fn extract_resource_target_with_validation(
         .id;
       Ok((ResourceTargetVariant::Action, id))
     }
-    ResourceTarget::ServerTemplate(ident) => {
-      let filter = match ObjectId::from_str(ident) {
-        Ok(id) => doc! { "_id": id },
-        Err(_) => doc! { "name": ident },
-      };
-      let id = db_client()
-        .server_templates
-        .find_one(filter)
-        .await
-        .context("failed to query db for server templates")?
-        .context("no matching server template found")?
-        .id;
-      Ok((ResourceTargetVariant::ServerTemplate, id))
-    }
     ResourceTarget::ResourceSync(ident) => {
       let filter = match ObjectId::from_str(ident) {
         Ok(id) => doc! { "_id": id },

bin/core/src/api/write/procedure.rs

@@ -6,7 +6,7 @@ use komodo_client::{
 };
 use resolver_api::Resolve;
 
-use crate::resource;
+use crate::{permission::get_check_permissions, resource};
 
 use super::WriteArgs;
 
@@ -16,10 +16,7 @@ impl Resolve<WriteArgs> for CreateProcedure {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<CreateProcedureResponse> {
-    Ok(
-      resource::create::<Procedure>(&self.name, self.config, user)
-        .await?,
-    )
+    resource::create::<Procedure>(&self.name, self.config, user).await
   }
 }
 
@@ -30,16 +27,14 @@ impl Resolve<WriteArgs> for CopyProcedure {
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<CopyProcedureResponse> {
     let Procedure { config, .. } =
-      resource::get_check_permissions::<Procedure>(
+      get_check_permissions::<Procedure>(
         &self.id,
         user,
-        PermissionLevel::Write,
+        PermissionLevel::Write.into(),
       )
       .await?;
-    Ok(
-      resource::create::<Procedure>(&self.name, config.into(), user)
-        .await?,
-    )
+    resource::create::<Procedure>(&self.name, config.into(), user)
+      .await
   }
 }
 

bin/core/src/api/write/provider.rs

@@ -1,4 +1,8 @@
 use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::{delete_one_by_id, find_one_by_id, update_one_by_id},
+  mongodb::bson::{doc, to_document},
+};
 use komodo_client::{
   api::write::*,
   entities::{
@@ -6,10 +10,6 @@ use komodo_client::{
     provider::{DockerRegistryAccount, GitProviderAccount},
   },
 };
-use mungos::{
-  by_id::{delete_one_by_id, find_one_by_id, update_one_by_id},
-  mongodb::bson::{doc, to_document},
-};
 use resolver_api::Resolve;
 
 use crate::{
@@ -90,22 +90,22 @@ impl Resolve<WriteArgs> for UpdateGitProviderAccount {
       );
     }
 
-    if let Some(domain) = &self.account.domain {
-      if domain.is_empty() {
-        return Err(
-          anyhow!("cannot update git provider with empty domain")
-            .into(),
-        );
-      }
+    if let Some(domain) = &self.account.domain
+      && domain.is_empty()
+    {
+      return Err(
+        anyhow!("cannot update git provider with empty domain")
+          .into(),
+      );
     }
 
-    if let Some(username) = &self.account.username {
-      if username.is_empty() {
-        return Err(
-          anyhow!("cannot update git provider with empty username")
-            .into(),
-        );
-      }
+    if let Some(username) = &self.account.username
+      && username.is_empty()
+    {
+      return Err(
+        anyhow!("cannot update git provider with empty username")
+          .into(),
+      );
     }
 
     // Ensure update does not change id
@@ -283,26 +283,26 @@ impl Resolve<WriteArgs> for UpdateDockerRegistryAccount {
       );
     }
 
-    if let Some(domain) = &self.account.domain {
-      if domain.is_empty() {
-        return Err(
-          anyhow!(
-            "cannot update docker registry account with empty domain"
-          )
-          .into(),
-        );
-      }
+    if let Some(domain) = &self.account.domain
+      && domain.is_empty()
+    {
+      return Err(
+        anyhow!(
+          "cannot update docker registry account with empty domain"
+        )
+        .into(),
+      );
     }
 
-    if let Some(username) = &self.account.username {
-      if username.is_empty() {
-        return Err(
-          anyhow!(
-            "cannot update docker registry account with empty username"
-          )
-          .into(),
-        );
-      }
+    if let Some(username) = &self.account.username
+      && username.is_empty()
+    {
+      return Err(
+        anyhow!(
+          "cannot update docker registry account with empty username"
+        )
+        .into(),
+      );
     }
 
     self.account.id = None;

bin/core/src/api/write/repo.rs

@@ -1,21 +1,22 @@
 use anyhow::{Context, anyhow};
+use database::mongo_indexed::doc;
+use database::mungos::{
+  by_id::update_one_by_id, mongodb::bson::to_document,
+};
 use formatting::format_serror;
-use git::GitRes;
 use komodo_client::{
   api::write::*,
   entities::{
-    CloneArgs, NoData, Operation,
+    NoData, Operation, RepoExecutionArgs,
     config::core::CoreConfig,
     komodo_timestamp,
     permission::PermissionLevel,
     repo::{PartialRepoConfig, Repo, RepoInfo},
     server::Server,
-    to_komodo_name,
+    to_path_compatible_name,
     update::{Log, Update},
   },
 };
-use mongo_indexed::doc;
-use mungos::{by_id::update_one_by_id, mongodb::bson::to_document};
 use octorust::types::{
   ReposCreateWebhookRequest, ReposCreateWebhookRequestConfig,
 };
@@ -28,6 +29,7 @@ use crate::{
     git_token, periphery_client,
     update::{add_update, make_update},
   },
+  permission::get_check_permissions,
   resource,
   state::{action_states, db_client, github_client},
 };
@@ -40,7 +42,7 @@ impl Resolve<WriteArgs> for CreateRepo {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Repo> {
-    Ok(resource::create::<Repo>(&self.name, self.config, user).await?)
+    resource::create::<Repo>(&self.name, self.config, user).await
   }
 }
 
@@ -50,17 +52,13 @@ impl Resolve<WriteArgs> for CopyRepo {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Repo> {
-    let Repo { config, .. } =
-      resource::get_check_permissions::<Repo>(
-        &self.id,
-        user,
-        PermissionLevel::Write,
-      )
-      .await?;
-    Ok(
-      resource::create::<Repo>(&self.name, config.into(), user)
-        .await?,
+    let Repo { config, .. } = get_check_permissions::<Repo>(
+      &self.id,
+      user,
+      PermissionLevel::Read.into(),
     )
+    .await?;
+    resource::create::<Repo>(&self.name, config.into(), user).await
   }
 }
 
@@ -87,10 +85,10 @@ impl Resolve<WriteArgs> for RenameRepo {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Update> {
-    let repo = resource::get_check_permissions::<Repo>(
+    let repo = get_check_permissions::<Repo>(
       &self.id,
       user,
-      PermissionLevel::Write,
+      PermissionLevel::Write.into(),
     )
     .await?;
 
@@ -111,14 +109,14 @@ impl Resolve<WriteArgs> for RenameRepo {
     let _action_guard =
       action_state.update(|state| state.renaming = true)?;
 
-    let name = to_komodo_name(&self.name);
+    let name = to_path_compatible_name(&self.name);
 
     let mut update = make_update(&repo, Operation::RenameRepo, user);
 
     update_one_by_id(
       &db_client().repos,
       &repo.id,
-      mungos::update::Update::Set(
+      database::mungos::update::Update::Set(
         doc! { "name": &name, "updated_at": komodo_timestamp() },
       ),
       None,
@@ -131,7 +129,7 @@ impl Resolve<WriteArgs> for RenameRepo {
 
     let log = match periphery_client(&server)?
       .request(api::git::RenameRepo {
-        curr_name: to_komodo_name(&repo.name),
+        curr_name: to_path_compatible_name(&repo.name),
         new_name: name.clone(),
       })
       .await
@@ -169,10 +167,10 @@ impl Resolve<WriteArgs> for RefreshRepoCache {
   ) -> serror::Result<NoData> {
     // Even though this is a write request, this doesn't change any config. Anyone that can execute the
     // repo should be able to do this.
-    let repo = resource::get_check_permissions::<Repo>(
+    let repo = get_check_permissions::<Repo>(
       &self.repo,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
@@ -183,13 +181,10 @@ impl Resolve<WriteArgs> for RefreshRepoCache {
       return Ok(NoData {});
     }
 
-    let mut clone_args: CloneArgs = (&repo).into();
+    let mut clone_args: RepoExecutionArgs = (&repo).into();
     let repo_path =
       clone_args.unique_path(&core_config().repo_directory)?;
     clone_args.destination = Some(repo_path.display().to_string());
-    // Don't want to run these on core.
-    clone_args.on_clone = None;
-    clone_args.on_pull = None;
 
     let access_token = if let Some(username) = &clone_args.account {
       git_token(&clone_args.provider, username, |https| {
@@ -203,14 +198,10 @@ impl Resolve<WriteArgs> for RefreshRepoCache {
       None
     };
 
-    let GitRes { hash, message, .. } = git::pull_or_clone(
+    let (res, _) = git::pull_or_clone(
       clone_args,
       &core_config().repo_directory,
       access_token,
-      &[],
-      "",
-      None,
-      &[],
     )
     .await
     .with_context(|| {
@@ -222,8 +213,8 @@ impl Resolve<WriteArgs> for RefreshRepoCache {
       last_built_at: repo.info.last_built_at,
       built_hash: repo.info.built_hash,
       built_message: repo.info.built_message,
-      latest_hash: hash,
-      latest_message: message,
+      latest_hash: res.commit_hash,
+      latest_message: res.commit_message,
     };
 
     let info = to_document(&info)
@@ -257,10 +248,10 @@ impl Resolve<WriteArgs> for CreateRepoWebhook {
       );
     };
 
-    let repo = resource::get_check_permissions::<Repo>(
+    let repo = get_check_permissions::<Repo>(
       &self.repo,
       &args.user,
-      PermissionLevel::Write,
+      PermissionLevel::Write.into(),
     )
     .await?;
 
@@ -380,10 +371,10 @@ impl Resolve<WriteArgs> for DeleteRepoWebhook {
       );
     };
 
-    let repo = resource::get_check_permissions::<Repo>(
+    let repo = get_check_permissions::<Repo>(
       &self.repo,
       user,
-      PermissionLevel::Write,
+      PermissionLevel::Write.into(),
     )
     .await?;
 

bin/core/src/api/write/resource.rs

@@ -0,0 +1,68 @@
+use anyhow::anyhow;
+use komodo_client::{
+  api::write::{UpdateResourceMeta, UpdateResourceMetaResponse},
+  entities::{
+    ResourceTarget, action::Action, alerter::Alerter, build::Build,
+    builder::Builder, deployment::Deployment, procedure::Procedure,
+    repo::Repo, server::Server, stack::Stack, sync::ResourceSync,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::resource::{self, ResourceMetaUpdate};
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for UpdateResourceMeta {
+  #[instrument(name = "UpdateResourceMeta", skip(args))]
+  async fn resolve(
+    self,
+    args: &WriteArgs,
+  ) -> serror::Result<UpdateResourceMetaResponse> {
+    let meta = ResourceMetaUpdate {
+      description: self.description,
+      template: self.template,
+      tags: self.tags,
+    };
+    match self.target {
+      ResourceTarget::System(_) => {
+        return Err(
+          anyhow!("cannot update meta of System resource target")
+            .into(),
+        );
+      }
+      ResourceTarget::Server(id) => {
+        resource::update_meta::<Server>(&id, meta, args).await?;
+      }
+      ResourceTarget::Deployment(id) => {
+        resource::update_meta::<Deployment>(&id, meta, args).await?;
+      }
+      ResourceTarget::Build(id) => {
+        resource::update_meta::<Build>(&id, meta, args).await?;
+      }
+      ResourceTarget::Repo(id) => {
+        resource::update_meta::<Repo>(&id, meta, args).await?;
+      }
+      ResourceTarget::Builder(id) => {
+        resource::update_meta::<Builder>(&id, meta, args).await?;
+      }
+      ResourceTarget::Alerter(id) => {
+        resource::update_meta::<Alerter>(&id, meta, args).await?;
+      }
+      ResourceTarget::Procedure(id) => {
+        resource::update_meta::<Procedure>(&id, meta, args).await?;
+      }
+      ResourceTarget::Action(id) => {
+        resource::update_meta::<Action>(&id, meta, args).await?;
+      }
+      ResourceTarget::ResourceSync(id) => {
+        resource::update_meta::<ResourceSync>(&id, meta, args)
+          .await?;
+      }
+      ResourceTarget::Stack(id) => {
+        resource::update_meta::<Stack>(&id, meta, args).await?;
+      }
+    }
+    Ok(UpdateResourceMetaResponse {})
+  }
+}

bin/core/src/api/write/server.rs

@@ -1,10 +1,12 @@
+use anyhow::Context;
 use formatting::format_serror;
 use komodo_client::{
   api::write::*,
   entities::{
-    Operation,
+    NoData, Operation,
     permission::PermissionLevel,
     server::Server,
+    to_docker_compatible_name,
     update::{Update, UpdateStatus},
   },
 };
@@ -16,6 +18,7 @@ use crate::{
     periphery_client,
     update::{add_update, make_update, update_update},
   },
+  permission::get_check_permissions,
   resource,
 };
 
@@ -27,10 +30,24 @@ impl Resolve<WriteArgs> for CreateServer {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Server> {
-    Ok(
-      resource::create::<Server>(&self.name, self.config, user)
-        .await?,
+    resource::create::<Server>(&self.name, self.config, user).await
+  }
+}
+
+impl Resolve<WriteArgs> for CopyServer {
+  #[instrument(name = "CopyServer", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<Server> {
+    let Server { config, .. } = get_check_permissions::<Server>(
+      &self.id,
+      user,
+      PermissionLevel::Read.into(),
     )
+    .await?;
+
+    resource::create::<Server>(&self.name, config.into(), user).await
   }
 }
 
@@ -67,10 +84,10 @@ impl Resolve<WriteArgs> for CreateNetwork {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
+    let server = get_check_permissions::<Server>(
       &self.server,
       user,
-      PermissionLevel::Write,
+      PermissionLevel::Write.into(),
     )
     .await?;
 
@@ -83,7 +100,7 @@ impl Resolve<WriteArgs> for CreateNetwork {
 
     match periphery
       .request(api::network::CreateNetwork {
-        name: self.name,
+        name: to_docker_compatible_name(&self.name),
         driver: None,
       })
       .await
@@ -101,3 +118,81 @@ impl Resolve<WriteArgs> for CreateNetwork {
     Ok(update)
   }
 }
+
+impl Resolve<WriteArgs> for CreateTerminal {
+  #[instrument(name = "CreateTerminal", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<NoData> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Write.terminal(),
+    )
+    .await?;
+
+    let periphery = periphery_client(&server)?;
+
+    periphery
+      .request(api::terminal::CreateTerminal {
+        name: self.name,
+        command: self.command,
+        recreate: self.recreate,
+      })
+      .await
+      .context("Failed to create terminal on periphery")?;
+
+    Ok(NoData {})
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteTerminal {
+  #[instrument(name = "DeleteTerminal", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<NoData> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Write.terminal(),
+    )
+    .await?;
+
+    let periphery = periphery_client(&server)?;
+
+    periphery
+      .request(api::terminal::DeleteTerminal {
+        terminal: self.terminal,
+      })
+      .await
+      .context("Failed to delete terminal on periphery")?;
+
+    Ok(NoData {})
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteAllTerminals {
+  #[instrument(name = "DeleteAllTerminals", skip(user))]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> serror::Result<NoData> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Write.terminal(),
+    )
+    .await?;
+
+    let periphery = periphery_client(&server)?;
+
+    periphery
+      .request(api::terminal::DeleteAllTerminals {})
+      .await
+      .context("Failed to delete all terminals on periphery")?;
+
+    Ok(NoData {})
+  }
+}

bin/core/src/api/write/server_template.rs

@@ -1,92 +0,0 @@
-use komodo_client::{
-  api::write::{
-    CopyServerTemplate, CreateServerTemplate, DeleteServerTemplate,
-    RenameServerTemplate, UpdateServerTemplate,
-  },
-  entities::{
-    permission::PermissionLevel, server_template::ServerTemplate,
-    update::Update,
-  },
-};
-use resolver_api::Resolve;
-
-use crate::resource;
-
-use super::WriteArgs;
-
-impl Resolve<WriteArgs> for CreateServerTemplate {
-  #[instrument(name = "CreateServerTemplate", skip(user))]
-  async fn resolve(
-    self,
-    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<ServerTemplate> {
-    Ok(
-      resource::create::<ServerTemplate>(
-        &self.name,
-        self.config,
-        user,
-      )
-      .await?,
-    )
-  }
-}
-
-impl Resolve<WriteArgs> for CopyServerTemplate {
-  #[instrument(name = "CopyServerTemplate", skip(user))]
-  async fn resolve(
-    self,
-    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<ServerTemplate> {
-    let ServerTemplate { config, .. } =
-      resource::get_check_permissions::<ServerTemplate>(
-        &self.id,
-        user,
-        PermissionLevel::Write,
-      )
-      .await?;
-    Ok(
-      resource::create::<ServerTemplate>(
-        &self.name,
-        config.into(),
-        user,
-      )
-      .await?,
-    )
-  }
-}
-
-impl Resolve<WriteArgs> for DeleteServerTemplate {
-  #[instrument(name = "DeleteServerTemplate", skip(args))]
-  async fn resolve(
-    self,
-    args: &WriteArgs,
-  ) -> serror::Result<ServerTemplate> {
-    Ok(resource::delete::<ServerTemplate>(&self.id, args).await?)
-  }
-}
-
-impl Resolve<WriteArgs> for UpdateServerTemplate {
-  #[instrument(name = "UpdateServerTemplate", skip(user))]
-  async fn resolve(
-    self,
-    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<ServerTemplate> {
-    Ok(
-      resource::update::<ServerTemplate>(&self.id, self.config, user)
-        .await?,
-    )
-  }
-}
-
-impl Resolve<WriteArgs> for RenameServerTemplate {
-  #[instrument(name = "RenameServerTemplate", skip(user))]
-  async fn resolve(
-    self,
-    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Update> {
-    Ok(
-      resource::rename::<ServerTemplate>(&self.id, &self.name, user)
-        .await?,
-    )
-  }
-}

bin/core/src/api/write/service_user.rs

@@ -1,6 +1,10 @@
 use std::str::FromStr;
 
 use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::find_one_by_id,
+  mongodb::bson::{doc, oid::ObjectId},
+};
 use komodo_client::{
   api::{user::CreateApiKey, write::*},
   entities::{
@@ -8,10 +12,6 @@ use komodo_client::{
     user::{User, UserConfig},
   },
 };
-use mungos::{
-  by_id::find_one_by_id,
-  mongodb::bson::{doc, oid::ObjectId},
-};
 use resolver_api::Resolve;
 
 use crate::{api::user::UserArgs, state::db_client};

bin/core/src/api/write/stack.rs

@@ -1,38 +1,42 @@
+use std::path::PathBuf;
+
 use anyhow::{Context, anyhow};
+use database::mungos::mongodb::bson::{doc, to_document};
 use formatting::format_serror;
 use komodo_client::{
   api::write::*,
   entities::{
-    FileContents, NoData, Operation,
+    FileContents, NoData, Operation, RepoExecutionArgs,
+    all_logs_success,
     config::core::CoreConfig,
     permission::PermissionLevel,
+    repo::Repo,
     server::ServerState,
     stack::{PartialStackConfig, Stack, StackInfo},
     update::Update,
     user::stack_user,
   },
 };
-use mungos::mongodb::bson::{doc, to_document};
 use octorust::types::{
   ReposCreateWebhookRequest, ReposCreateWebhookRequestConfig,
 };
 use periphery_client::api::compose::{
   GetComposeContentsOnHost, GetComposeContentsOnHostResponse,
-  WriteCommitComposeContents, WriteComposeContentsToHost,
+  WriteComposeContentsToHost,
 };
 use resolver_api::Resolve;
 
 use crate::{
-  api::execute::pull_stack_inner,
   config::core_config,
   helpers::{
-    git_token, periphery_client,
+    periphery_client,
     query::get_server_with_state,
+    stack_git_token,
     update::{add_update, make_update},
   },
+  permission::get_check_permissions,
   resource,
   stack::{
-    get_stack_and_server,
     remote::{RemoteComposeContents, get_repo_compose_contents},
     services::extract_services_into_res,
   },
@@ -47,10 +51,7 @@ impl Resolve<WriteArgs> for CreateStack {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Stack> {
-    Ok(
-      resource::create::<Stack>(&self.name, self.config, user)
-        .await?,
-    )
+    resource::create::<Stack>(&self.name, self.config, user).await
   }
 }
 
@@ -60,17 +61,14 @@ impl Resolve<WriteArgs> for CopyStack {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Stack> {
-    let Stack { config, .. } =
-      resource::get_check_permissions::<Stack>(
-        &self.id,
-        user,
-        PermissionLevel::Write,
-      )
-      .await?;
-    Ok(
-      resource::create::<Stack>(&self.name, config.into(), user)
-        .await?,
+    let Stack { config, .. } = get_check_permissions::<Stack>(
+      &self.id,
+      user,
+      PermissionLevel::Read.into(),
     )
+    .await?;
+
+    resource::create::<Stack>(&self.name, config.into(), user).await
   }
 }
 
@@ -112,17 +110,19 @@ impl Resolve<WriteArgs> for WriteStackFileContents {
       file_path,
       contents,
     } = self;
-    let (mut stack, server) = get_stack_and_server(
+    let stack = get_check_permissions::<Stack>(
       &stack,
       user,
-      PermissionLevel::Write,
-      true,
+      PermissionLevel::Write.into(),
     )
     .await?;
 
-    if !stack.config.files_on_host && stack.config.repo.is_empty() {
+    if !stack.config.files_on_host
+      && stack.config.repo.is_empty()
+      && stack.config.linked_repo.is_empty()
+    {
       return Err(anyhow!(
-        "Stack is not configured to use Files on Host or Git Repo, can't write file contents"
+        "Stack is not configured to use Files on Host, Git Repo, or Linked Repo, can't write file contents"
       ).into());
     }
 
@@ -131,90 +131,233 @@ impl Resolve<WriteArgs> for WriteStackFileContents {
 
     update.push_simple_log("File contents to write", &contents);
 
-    let stack_id = stack.id.clone();
-
     if stack.config.files_on_host {
-      match periphery_client(&server)?
-        .request(WriteComposeContentsToHost {
-          name: stack.name,
-          run_directory: stack.config.run_directory,
-          file_path,
-          contents,
-        })
-        .await
-        .context("Failed to write contents to host")
-      {
-        Ok(log) => {
-          update.logs.push(log);
-        }
-        Err(e) => {
-          update.push_error_log(
-            "Write File Contents",
-            format_serror(&e.into()),
-          );
-        }
-      };
-    } else {
-      let git_token = if !stack.config.git_account.is_empty() {
-        git_token(
-          &stack.config.git_provider,
-          &stack.config.git_account,
-          |https| stack.config.git_https = https,
-        )
-        .await
-        .with_context(|| {
-          format!(
-            "Failed to get git token. | {} | {}",
-            stack.config.git_account, stack.config.git_provider
-          )
-        })?
-      } else {
-        None
-      };
-      match periphery_client(&server)?
-        .request(WriteCommitComposeContents {
-          stack,
-          username: Some(user.username.clone()),
-          file_path,
-          contents,
-          git_token,
-        })
-        .await
-        .context("Failed to write contents to host")
-      {
-        Ok(res) => {
-          update.logs.extend(res.logs);
-        }
-        Err(e) => {
-          update.push_error_log(
-            "Write File Contents",
-            format_serror(&e.into()),
-          );
-        }
-      };
-    }
-
-    if let Err(e) = (RefreshStackCache { stack: stack_id })
-      .resolve(&WriteArgs {
-        user: stack_user().to_owned(),
-      })
-      .await
-      .map_err(|e| e.error)
-      .context(
-        "Failed to refresh stack cache after writing file contents",
+      write_stack_file_contents_on_host(
+        stack, file_path, contents, update,
       )
-    {
+      .await
+    } else {
+      write_stack_file_contents_git(
+        stack,
+        &file_path,
+        &contents,
+        &user.username,
+        update,
+      )
+      .await
+    }
+  }
+}
+
+async fn write_stack_file_contents_on_host(
+  stack: Stack,
+  file_path: String,
+  contents: String,
+  mut update: Update,
+) -> serror::Result<Update> {
+  if stack.config.server_id.is_empty() {
+    return Err(anyhow!(
+      "Cannot write file, Files on host Stack has not configured a Server"
+    ).into());
+  }
+  let (server, state) =
+    get_server_with_state(&stack.config.server_id).await?;
+  if state != ServerState::Ok {
+    return Err(
+      anyhow!(
+        "Cannot write file when server is unreachable or disabled"
+      )
+      .into(),
+    );
+  }
+  match periphery_client(&server)?
+    .request(WriteComposeContentsToHost {
+      name: stack.name,
+      run_directory: stack.config.run_directory,
+      file_path,
+      contents,
+    })
+    .await
+    .context("Failed to write contents to host")
+  {
+    Ok(log) => {
+      update.logs.push(log);
+    }
+    Err(e) => {
       update.push_error_log(
-        "Refresh stack cache",
+        "Write File Contents",
         format_serror(&e.into()),
       );
     }
+  };
 
+  if !all_logs_success(&update.logs) {
     update.finalize();
-    add_update(update.clone()).await?;
-
-    Ok(update)
+    update.id = add_update(update.clone()).await?;
+    return Ok(update);
   }
+
+  // Finish with a cache refresh
+  if let Err(e) = (RefreshStackCache { stack: stack.id })
+    .resolve(&WriteArgs {
+      user: stack_user().to_owned(),
+    })
+    .await
+    .map_err(|e| e.error)
+    .context(
+      "Failed to refresh stack cache after writing file contents",
+    )
+  {
+    update.push_error_log(
+      "Refresh stack cache",
+      format_serror(&e.into()),
+    );
+  }
+
+  update.finalize();
+  update.id = add_update(update.clone()).await?;
+
+  Ok(update)
+}
+
+async fn write_stack_file_contents_git(
+  mut stack: Stack,
+  file_path: &str,
+  contents: &str,
+  username: &str,
+  mut update: Update,
+) -> serror::Result<Update> {
+  let mut repo = if !stack.config.linked_repo.is_empty() {
+    crate::resource::get::<Repo>(&stack.config.linked_repo)
+      .await?
+      .into()
+  } else {
+    None
+  };
+  let git_token = stack_git_token(&mut stack, repo.as_mut()).await?;
+
+  let mut repo_args: RepoExecutionArgs = if let Some(repo) = &repo {
+    repo.into()
+  } else {
+    (&stack).into()
+  };
+  let root = repo_args.unique_path(&core_config().repo_directory)?;
+  repo_args.destination = Some(root.display().to_string());
+
+  let file_path = stack
+    .config
+    .run_directory
+    .parse::<PathBuf>()
+    .context("Run directory is not a valid path")?
+    .join(file_path);
+  let full_path =
+    root.join(&file_path).components().collect::<PathBuf>();
+
+  if let Some(parent) = full_path.parent() {
+    tokio::fs::create_dir_all(parent).await.with_context(|| {
+      format!(
+        "Failed to initialize stack file parent directory {parent:?}"
+      )
+    })?;
+  }
+
+  // Ensure the folder is initialized as git repo.
+  // This allows a new file to be committed on a branch that may not exist.
+  if !root.join(".git").exists() {
+    git::init_folder_as_repo(
+      &root,
+      &repo_args,
+      git_token.as_deref(),
+      &mut update.logs,
+    )
+    .await;
+
+    if !all_logs_success(&update.logs) {
+      update.finalize();
+      update.id = add_update(update.clone()).await?;
+      return Ok(update);
+    }
+  }
+
+  // Save this for later -- repo_args moved next.
+  let branch = repo_args.branch.clone();
+  // Pull latest changes to repo to ensure linear commit history
+  match git::pull_or_clone(
+    repo_args,
+    &core_config().repo_directory,
+    git_token,
+  )
+  .await
+  .context("Failed to pull latest changes before commit")
+  {
+    Ok((res, _)) => update.logs.extend(res.logs),
+    Err(e) => {
+      update.push_error_log("Pull Repo", format_serror(&e.into()));
+      update.finalize();
+      return Ok(update);
+    }
+  };
+
+  if !all_logs_success(&update.logs) {
+    update.finalize();
+    update.id = add_update(update.clone()).await?;
+    return Ok(update);
+  }
+
+  if let Err(e) = tokio::fs::write(&full_path, &contents)
+    .await
+    .with_context(|| {
+      format!(
+        "Failed to write compose file contents to {full_path:?}"
+      )
+    })
+  {
+    update.push_error_log("Write File", format_serror(&e.into()));
+  } else {
+    update.push_simple_log(
+      "Write File",
+      format!("File written to {full_path:?}"),
+    );
+  };
+
+  if !all_logs_success(&update.logs) {
+    update.finalize();
+    update.id = add_update(update.clone()).await?;
+
+    return Ok(update);
+  }
+
+  let commit_res = git::commit_file(
+    &format!("{username}: Write Stack File"),
+    &root,
+    &file_path,
+    &branch,
+  )
+  .await;
+
+  update.logs.extend(commit_res.logs);
+
+  // Finish with a cache refresh
+  if let Err(e) = (RefreshStackCache { stack: stack.id })
+    .resolve(&WriteArgs {
+      user: stack_user().to_owned(),
+    })
+    .await
+    .map_err(|e| e.error)
+    .context(
+      "Failed to refresh stack cache after writing file contents",
+    )
+  {
+    update.push_error_log(
+      "Refresh stack cache",
+      format_serror(&e.into()),
+    );
+  }
+
+  update.finalize();
+  update.id = add_update(update.clone()).await?;
+
+  Ok(update)
 }
 
 impl Resolve<WriteArgs> for RefreshStackCache {
@@ -229,15 +372,26 @@ impl Resolve<WriteArgs> for RefreshStackCache {
   ) -> serror::Result<NoData> {
     // Even though this is a write request, this doesn't change any config. Anyone that can execute the
     // stack should be able to do this.
-    let stack = resource::get_check_permissions::<Stack>(
+    let stack = get_check_permissions::<Stack>(
       &self.stack,
       user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
     )
     .await?;
 
+    let repo = if !stack.config.files_on_host
+      && !stack.config.linked_repo.is_empty()
+    {
+      crate::resource::get::<Repo>(&stack.config.linked_repo)
+        .await?
+        .into()
+    } else {
+      None
+    };
+
     let file_contents_empty = stack.config.file_contents.is_empty();
-    let repo_empty = stack.config.repo.is_empty();
+    let repo_empty =
+      stack.config.repo.is_empty() && repo.as_ref().is_none();
 
     if !stack.config.files_on_host
       && file_contents_empty
@@ -272,7 +426,7 @@ impl Resolve<WriteArgs> for RefreshStackCache {
         let GetComposeContentsOnHostResponse { contents, errors } =
           match periphery_client(&server)?
             .request(GetComposeContentsOnHost {
-              file_paths: stack.file_paths().to_vec(),
+              file_paths: stack.all_file_dependencies(),
               name: stack.name.clone(),
               run_directory: stack.config.run_directory.clone(),
             })
@@ -294,6 +448,10 @@ impl Resolve<WriteArgs> for RefreshStackCache {
         let mut services = Vec::new();
 
         for contents in &contents {
+          // Don't include additional files in service parsing
+          if !stack.is_compose_file(&contents.path) {
+            continue;
+          }
           if let Err(e) = extract_services_into_res(
             &project_name,
             &contents.contents,
@@ -320,14 +478,22 @@ impl Resolve<WriteArgs> for RefreshStackCache {
         hash: latest_hash,
         message: latest_message,
         ..
-      } = get_repo_compose_contents(&stack, Some(&mut missing_files))
-        .await?;
+      } = get_repo_compose_contents(
+        &stack,
+        repo.as_ref(),
+        Some(&mut missing_files),
+      )
+      .await?;
 
       let project_name = stack.project_name(true);
 
       let mut services = Vec::new();
 
       for contents in &remote_contents {
+        // Don't include additional files in service parsing
+        if !stack.is_compose_file(&contents.path) {
+          continue;
+        }
         if let Err(e) = extract_services_into_res(
           &project_name,
           &contents.contents,
@@ -394,23 +560,6 @@ impl Resolve<WriteArgs> for RefreshStackCache {
       .await
       .context("failed to update stack info on db")?;
 
-    if (stack.config.poll_for_updates || stack.config.auto_update)
-      && !stack.config.server_id.is_empty()
-    {
-      let (server, state) =
-        get_server_with_state(&stack.config.server_id).await?;
-      if state == ServerState::Ok {
-        let name = stack.name.clone();
-        if let Err(e) =
-          pull_stack_inner(stack, Vec::new(), &server, None).await
-        {
-          warn!(
-            "Failed to pull latest images for Stack {name} | {e:#}",
-          );
-        }
-      }
-    }
-
     Ok(NoData {})
   }
 }
@@ -432,10 +581,10 @@ impl Resolve<WriteArgs> for CreateStackWebhook {
       );
     };
 
-    let stack = resource::get_check_permissions::<Stack>(
+    let stack = get_check_permissions::<Stack>(
       &self.stack,
       user,
-      PermissionLevel::Write,
+      PermissionLevel::Write.into(),
     )
     .await?;
 
@@ -552,10 +701,10 @@ impl Resolve<WriteArgs> for DeleteStackWebhook {
       );
     };
 
-    let stack = resource::get_check_permissions::<Stack>(
+    let stack = get_check_permissions::<Stack>(
       &self.stack,
       user,
-      PermissionLevel::Write,
+      PermissionLevel::Write.into(),
     )
     .await?;
 

bin/core/src/api/write/sync.rs

@@ -1,11 +1,18 @@
-use std::{collections::HashMap, path::PathBuf};
+use std::{
+  collections::HashMap,
+  path::{Path, PathBuf},
+};
 
 use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::update_one_by_id,
+  mongodb::bson::{doc, to_document},
+};
 use formatting::format_serror;
 use komodo_client::{
   api::{read::ExportAllResourcesToToml, write::*},
   entities::{
-    self, CloneArgs, NoData, Operation, ResourceTarget,
+    self, NoData, Operation, RepoExecutionArgs, ResourceTarget,
     action::Action,
     alert::{Alert, AlertData, SeverityLevel},
     alerter::Alerter,
@@ -19,41 +26,37 @@ use komodo_client::{
     procedure::Procedure,
     repo::Repo,
     server::Server,
-    server_template::ServerTemplate,
     stack::Stack,
     sync::{
       PartialResourceSyncConfig, ResourceSync, ResourceSyncInfo,
       SyncDeployUpdate,
     },
-    to_komodo_name,
+    to_path_compatible_name,
     update::{Log, Update},
     user::sync_user,
   },
 };
-use mungos::{
-  by_id::update_one_by_id,
-  mongodb::bson::{doc, to_document},
-};
 use octorust::types::{
   ReposCreateWebhookRequest, ReposCreateWebhookRequestConfig,
 };
 use resolver_api::Resolve;
-use tokio::fs;
 
 use crate::{
   alert::send_alerts,
   api::read::ReadArgs,
   config::core_config,
   helpers::{
+    all_resources::AllResourcesById,
     git_token,
     query::get_id_to_tags,
     update::{add_update, make_update, update_update},
   },
+  permission::get_check_permissions,
   resource,
   state::{db_client, github_client},
   sync::{
-    AllResourcesById, deploy::SyncDeployParams,
-    remote::RemoteResources, view::push_updates_for_view,
+    deploy::SyncDeployParams, remote::RemoteResources,
+    view::push_updates_for_view,
   },
 };
 
@@ -65,10 +68,8 @@ impl Resolve<WriteArgs> for CreateResourceSync {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<ResourceSync> {
-    Ok(
-      resource::create::<ResourceSync>(&self.name, self.config, user)
-        .await?,
-    )
+    resource::create::<ResourceSync>(&self.name, self.config, user)
+      .await
   }
 }
 
@@ -79,20 +80,14 @@ impl Resolve<WriteArgs> for CopyResourceSync {
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<ResourceSync> {
     let ResourceSync { config, .. } =
-      resource::get_check_permissions::<ResourceSync>(
+      get_check_permissions::<ResourceSync>(
         &self.id,
         user,
-        PermissionLevel::Write,
+        PermissionLevel::Write.into(),
       )
       .await?;
-    Ok(
-      resource::create::<ResourceSync>(
-        &self.name,
-        config.into(),
-        user,
-      )
-      .await?,
-    )
+    resource::create::<ResourceSync>(&self.name, config.into(), user)
+      .await
   }
 }
 
@@ -132,6 +127,52 @@ impl Resolve<WriteArgs> for RenameResourceSync {
   }
 }
 
+impl Resolve<WriteArgs> for WriteSyncFileContents {
+  #[instrument(name = "WriteSyncFileContents", skip(args))]
+  async fn resolve(self, args: &WriteArgs) -> serror::Result<Update> {
+    let sync = get_check_permissions::<ResourceSync>(
+      &self.sync,
+      &args.user,
+      PermissionLevel::Write.into(),
+    )
+    .await?;
+
+    let repo = if !sync.config.files_on_host
+      && !sync.config.linked_repo.is_empty()
+    {
+      crate::resource::get::<Repo>(&sync.config.linked_repo)
+        .await?
+        .into()
+    } else {
+      None
+    };
+
+    if !sync.config.files_on_host
+      && sync.config.repo.is_empty()
+      && sync.config.linked_repo.is_empty()
+    {
+      return Err(
+        anyhow!(
+          "This method is only for 'files on host' or 'repo' based syncs."
+        )
+        .into(),
+      );
+    }
+
+    let mut update =
+      make_update(&sync, Operation::WriteSyncContents, &args.user);
+
+    update.push_simple_log("File contents", &self.contents);
+
+    if sync.config.files_on_host {
+      write_sync_file_contents_on_host(self, args, sync, update).await
+    } else {
+      write_sync_file_contents_git(self, args, sync, repo, update)
+        .await
+    }
+  }
+}
+
 async fn write_sync_file_contents_on_host(
   req: WriteSyncFileContents,
   args: &WriteArgs,
@@ -147,7 +188,7 @@ async fn write_sync_file_contents_on_host(
 
   let root = core_config()
     .sync_directory
-    .join(to_komodo_name(&sync.name));
+    .join(to_path_compatible_name(&sync.name));
   let file_path =
     file_path.parse::<PathBuf>().context("Invalid file path")?;
   let resource_path = resource_path
@@ -156,15 +197,16 @@ async fn write_sync_file_contents_on_host(
   let full_path = root.join(&resource_path).join(&file_path);
 
   if let Some(parent) = full_path.parent() {
-    fs::create_dir_all(parent).await.with_context(|| {
+    tokio::fs::create_dir_all(parent).await.with_context(|| {
       format!(
         "Failed to initialize resource file parent directory {parent:?}"
       )
     })?;
   }
 
-  if let Err(e) =
-    fs::write(&full_path, &contents).await.with_context(|| {
+  if let Err(e) = tokio::fs::write(&full_path, &contents)
+    .await
+    .with_context(|| {
       format!(
         "Failed to write resource file contents to {full_path:?}"
       )
@@ -205,6 +247,7 @@ async fn write_sync_file_contents_git(
   req: WriteSyncFileContents,
   args: &WriteArgs,
   sync: ResourceSync,
+  repo: Option<Repo>,
   mut update: Update,
 ) -> serror::Result<Update> {
   let WriteSyncFileContents {
@@ -214,18 +257,40 @@ async fn write_sync_file_contents_git(
     contents,
   } = req;
 
-  let mut clone_args: CloneArgs = (&sync).into();
-  let root = clone_args.unique_path(&core_config().repo_directory)?;
+  let mut repo_args: RepoExecutionArgs = if let Some(repo) = &repo {
+    repo.into()
+  } else {
+    (&sync).into()
+  };
+  let root = repo_args.unique_path(&core_config().repo_directory)?;
+  repo_args.destination = Some(root.display().to_string());
+
+  let git_token = if let Some(account) = &repo_args.account {
+    git_token(&repo_args.provider, account, |https| repo_args.https = https)
+    .await
+    .with_context(
+      || format!("Failed to get git token in call to db. Stopping run. | {} | {account}", repo_args.provider),
+    )?
+  } else {
+    None
+  };
 
   let file_path =
-    file_path.parse::<PathBuf>().context("Invalid file path")?;
-  let resource_path = resource_path
-    .parse::<PathBuf>()
-    .context("Invalid resource path")?;
-  let full_path = root.join(&resource_path).join(&file_path);
+    file_path.parse::<PathBuf>().with_context(|| {
+      format!("File path is not a valid path: {file_path}")
+    })?;
+  let resource_path =
+    resource_path.parse::<PathBuf>().with_context(|| {
+      format!("Resource path is not a valid path: {resource_path}")
+    })?;
+  let full_path = root
+    .join(&resource_path)
+    .join(&file_path)
+    .components()
+    .collect::<PathBuf>();
 
   if let Some(parent) = full_path.parent() {
-    fs::create_dir_all(parent).await.with_context(|| {
+    tokio::fs::create_dir_all(parent).await.with_context(|| {
       format!(
         "Failed to initialize resource file parent directory {parent:?}"
       )
@@ -235,20 +300,10 @@ async fn write_sync_file_contents_git(
   // Ensure the folder is initialized as git repo.
   // This allows a new file to be committed on a branch that may not exist.
   if !root.join(".git").exists() {
-    let access_token = if let Some(account) = &clone_args.account {
-      git_token(&clone_args.provider, account, |https| clone_args.https = https)
-      .await
-      .with_context(
-        || format!("Failed to get git token in call to db. Stopping run. | {} | {account}", clone_args.provider),
-      )?
-    } else {
-      None
-    };
-
     git::init_folder_as_repo(
       &root,
-      &clone_args,
-      access_token.as_deref(),
+      &repo_args,
+      git_token.as_deref(),
       &mut update.logs,
     )
     .await;
@@ -256,13 +311,38 @@ async fn write_sync_file_contents_git(
     if !all_logs_success(&update.logs) {
       update.finalize();
       update.id = add_update(update.clone()).await?;
-
       return Ok(update);
     }
   }
 
-  if let Err(e) =
-    fs::write(&full_path, &contents).await.with_context(|| {
+  // Save this for later -- repo_args moved next.
+  let branch = repo_args.branch.clone();
+  // Pull latest changes to repo to ensure linear commit history
+  match git::pull_or_clone(
+    repo_args,
+    &core_config().repo_directory,
+    git_token,
+  )
+  .await
+  .context("Failed to pull latest changes before commit")
+  {
+    Ok((res, _)) => update.logs.extend(res.logs),
+    Err(e) => {
+      update.push_error_log("Pull Repo", format_serror(&e.into()));
+      update.finalize();
+      return Ok(update);
+    }
+  };
+
+  if !all_logs_success(&update.logs) {
+    update.finalize();
+    update.id = add_update(update.clone()).await?;
+    return Ok(update);
+  }
+
+  if let Err(e) = tokio::fs::write(&full_path, &contents)
+    .await
+    .with_context(|| {
       format!(
         "Failed to write resource file contents to {full_path:?}"
       )
@@ -287,7 +367,7 @@ async fn write_sync_file_contents_git(
     &format!("{}: Commit Resource File", args.user.username),
     &root,
     &resource_path.join(&file_path),
-    &sync.config.branch,
+    &branch,
   )
   .await;
 
@@ -296,10 +376,14 @@ async fn write_sync_file_contents_git(
   if let Err(e) = (RefreshResourceSyncPending { sync: sync.name })
     .resolve(args)
     .await
+    .map_err(|e| e.error)
+    .context(
+      "Failed to refresh sync pending after writing file contents",
+    )
   {
     update.push_error_log(
-      "Refresh failed",
-      format_serror(&e.error.into()),
+      "Refresh sync pending",
+      format_serror(&e.into()),
     );
   }
 
@@ -309,51 +393,33 @@ async fn write_sync_file_contents_git(
   Ok(update)
 }
 
-impl Resolve<WriteArgs> for WriteSyncFileContents {
-  async fn resolve(self, args: &WriteArgs) -> serror::Result<Update> {
-    let sync = resource::get_check_permissions::<ResourceSync>(
-      &self.sync,
-      &args.user,
-      PermissionLevel::Write,
-    )
-    .await?;
-
-    if !sync.config.files_on_host && sync.config.repo.is_empty() {
-      return Err(
-        anyhow!(
-          "This method is only for 'files on host' or 'repo' based syncs."
-        )
-        .into(),
-      );
-    }
-
-    let mut update =
-      make_update(&sync, Operation::WriteSyncContents, &args.user);
-
-    update.push_simple_log("File contents", &self.contents);
-
-    if sync.config.files_on_host {
-      write_sync_file_contents_on_host(self, args, sync, update).await
-    } else {
-      write_sync_file_contents_git(self, args, sync, update).await
-    }
-  }
-}
-
 impl Resolve<WriteArgs> for CommitSync {
   #[instrument(name = "CommitSync", skip(args))]
   async fn resolve(self, args: &WriteArgs) -> serror::Result<Update> {
     let WriteArgs { user } = args;
 
-    let sync = resource::get_check_permissions::<
-      entities::sync::ResourceSync,
-    >(&self.sync, user, PermissionLevel::Write)
+    let sync = get_check_permissions::<entities::sync::ResourceSync>(
+      &self.sync,
+      user,
+      PermissionLevel::Write.into(),
+    )
     .await?;
 
+    let repo = if !sync.config.files_on_host
+      && !sync.config.linked_repo.is_empty()
+    {
+      crate::resource::get::<Repo>(&sync.config.linked_repo)
+        .await?
+        .into()
+    } else {
+      None
+    };
+
     let file_contents_empty = sync.config.file_contents_empty();
 
     let fresh_sync = !sync.config.files_on_host
       && sync.config.repo.is_empty()
+      && repo.is_none()
       && file_contents_empty;
 
     if !sync.config.managed && !fresh_sync {
@@ -364,29 +430,31 @@ impl Resolve<WriteArgs> for CommitSync {
     }
 
     // Get this here so it can fail before update created.
-    let resource_path =
-      if sync.config.files_on_host || !sync.config.repo.is_empty() {
-        let resource_path = sync
-          .config
-          .resource_path
-          .first()
-          .context("Sync does not have resource path configured.")?
-          .parse::<PathBuf>()
-          .context("Invalid resource path")?;
+    let resource_path = if sync.config.files_on_host
+      || !sync.config.repo.is_empty()
+      || repo.is_some()
+    {
+      let resource_path = sync
+        .config
+        .resource_path
+        .first()
+        .context("Sync does not have resource path configured.")?
+        .parse::<PathBuf>()
+        .context("Invalid resource path")?;
 
-        if resource_path
-          .extension()
-          .context("Resource path missing '.toml' extension")?
-          != "toml"
-        {
-          return Err(
-            anyhow!("Resource path missing '.toml' extension").into(),
-          );
-        }
-        Some(resource_path)
-      } else {
-        None
-      };
+      if resource_path
+        .extension()
+        .context("Resource path missing '.toml' extension")?
+        != "toml"
+      {
+        return Err(
+          anyhow!("Resource path missing '.toml' extension").into(),
+        );
+      }
+      Some(resource_path)
+    } else {
+      None
+    };
 
     let res = ExportAllResourcesToToml {
       include_resources: sync.config.include_resources,
@@ -411,10 +479,10 @@ impl Resolve<WriteArgs> for CommitSync {
       };
       let file_path = core_config()
         .sync_directory
-        .join(to_komodo_name(&sync.name))
+        .join(to_path_compatible_name(&sync.name))
         .join(&resource_path);
       if let Some(parent) = file_path.parent() {
-        fs::create_dir_all(parent)
+        tokio::fs::create_dir_all(parent)
           .await
           .with_context(|| format!("Failed to initialize resource file parent directory {parent:?}"))?;
       };
@@ -437,34 +505,43 @@ impl Resolve<WriteArgs> for CommitSync {
           format!("File contents written to {file_path:?}"),
         );
       }
+    } else if let Some(repo) = &repo {
+      let Some(resource_path) = resource_path else {
+        // Resource path checked above for repo mode.
+        unreachable!()
+      };
+      let args: RepoExecutionArgs = repo.into();
+      if let Err(e) =
+        commit_git_sync(args, &resource_path, &res.toml, &mut update)
+          .await
+      {
+        update.push_error_log(
+          "Write resource file",
+          format_serror(&e.into()),
+        );
+        update.finalize();
+        add_update(update.clone()).await?;
+        return Ok(update);
+      }
     } else if !sync.config.repo.is_empty() {
       let Some(resource_path) = resource_path else {
         // Resource path checked above for repo mode.
         unreachable!()
       };
-      // GIT REPO
-      let args: CloneArgs = (&sync).into();
-      let root = args.unique_path(&core_config().repo_directory)?;
-      match git::write_commit_file(
-        "Commit Sync",
-        &root,
-        &resource_path,
-        &res.toml,
-        &sync.config.branch,
-      )
-      .await
+      let args: RepoExecutionArgs = (&sync).into();
+      if let Err(e) =
+        commit_git_sync(args, &resource_path, &res.toml, &mut update)
+          .await
       {
-        Ok(res) => update.logs.extend(res.logs),
-        Err(e) => {
-          update.push_error_log(
-            "Write resource file",
-            format_serror(&e.into()),
-          );
-          update.finalize();
-          add_update(update.clone()).await?;
-          return Ok(update);
-        }
+        update.push_error_log(
+          "Write resource file",
+          format_serror(&e.into()),
+        );
+        update.finalize();
+        add_update(update.clone()).await?;
+        return Ok(update);
       }
+
       // ===========
       // UI DEFINED
     } else if let Err(e) = db_client()
@@ -502,6 +579,49 @@ impl Resolve<WriteArgs> for CommitSync {
   }
 }
 
+async fn commit_git_sync(
+  mut args: RepoExecutionArgs,
+  resource_path: &Path,
+  toml: &str,
+  update: &mut Update,
+) -> anyhow::Result<()> {
+  let root = args.unique_path(&core_config().repo_directory)?;
+  args.destination = Some(root.display().to_string());
+
+  let access_token = if let Some(account) = &args.account {
+    git_token(&args.provider, account, |https| args.https = https)
+      .await
+      .with_context(
+        || format!("Failed to get git token in call to db. Stopping run. | {} | {account}", args.provider),
+      )?
+  } else {
+    None
+  };
+
+  let (pull_res, _) = git::pull_or_clone(
+    args.clone(),
+    &core_config().repo_directory,
+    access_token,
+  )
+  .await?;
+  update.logs.extend(pull_res.logs);
+  if !all_logs_success(&update.logs) {
+    return Ok(());
+  }
+
+  let res = git::write_commit_file(
+    "Commit Sync",
+    &root,
+    resource_path,
+    toml,
+    &args.branch,
+  )
+  .await?;
+  update.logs.extend(res.logs);
+
+  Ok(())
+}
+
 impl Resolve<WriteArgs> for RefreshResourceSyncPending {
   #[instrument(
     name = "RefreshResourceSyncPending",
@@ -514,15 +634,29 @@ impl Resolve<WriteArgs> for RefreshResourceSyncPending {
   ) -> serror::Result<ResourceSync> {
     // Even though this is a write request, this doesn't change any config. Anyone that can execute the
     // sync should be able to do this.
-    let mut sync = resource::get_check_permissions::<
-      entities::sync::ResourceSync,
-    >(&self.sync, user, PermissionLevel::Execute)
-    .await?;
+    let mut sync =
+      get_check_permissions::<entities::sync::ResourceSync>(
+        &self.sync,
+        user,
+        PermissionLevel::Execute.into(),
+      )
+      .await?;
+
+    let repo = if !sync.config.files_on_host
+      && !sync.config.linked_repo.is_empty()
+    {
+      crate::resource::get::<Repo>(&sync.config.linked_repo)
+        .await?
+        .into()
+    } else {
+      None
+    };
 
     if !sync.config.managed
       && !sync.config.files_on_host
       && sync.config.file_contents.is_empty()
       && sync.config.repo.is_empty()
+      && sync.config.linked_repo.is_empty()
     {
       // Sync not configured, nothing to refresh
       return Ok(sync);
@@ -536,9 +670,12 @@ impl Resolve<WriteArgs> for RefreshResourceSyncPending {
         hash,
         message,
         ..
-      } = crate::sync::remote::get_remote_resources(&sync)
-        .await
-        .context("failed to get remote resources")?;
+      } = crate::sync::remote::get_remote_resources(
+        &sync,
+        repo.as_ref(),
+      )
+      .await
+      .context("failed to get remote resources")?;
 
       sync.info.remote_contents = files;
       sync.info.remote_errors = file_errors;
@@ -579,7 +716,6 @@ impl Resolve<WriteArgs> for RefreshResourceSyncPending {
                 deployment_map: &deployments_by_name,
                 stacks: &resources.stacks,
                 stack_map: &stacks_by_name,
-                all_resources: &all_resources,
               },
             )
             .await;
@@ -589,7 +725,6 @@ impl Resolve<WriteArgs> for RefreshResourceSyncPending {
           push_updates_for_view::<Server>(
             resources.servers,
             delete,
-            &all_resources,
             None,
             None,
             &id_to_tags,
@@ -600,7 +735,6 @@ impl Resolve<WriteArgs> for RefreshResourceSyncPending {
           push_updates_for_view::<Stack>(
             resources.stacks,
             delete,
-            &all_resources,
             None,
             None,
             &id_to_tags,
@@ -611,7 +745,6 @@ impl Resolve<WriteArgs> for RefreshResourceSyncPending {
           push_updates_for_view::<Deployment>(
             resources.deployments,
             delete,
-            &all_resources,
             None,
             None,
             &id_to_tags,
@@ -622,7 +755,6 @@ impl Resolve<WriteArgs> for RefreshResourceSyncPending {
           push_updates_for_view::<Build>(
             resources.builds,
             delete,
-            &all_resources,
             None,
             None,
             &id_to_tags,
@@ -633,7 +765,6 @@ impl Resolve<WriteArgs> for RefreshResourceSyncPending {
           push_updates_for_view::<Repo>(
             resources.repos,
             delete,
-            &all_resources,
             None,
             None,
             &id_to_tags,
@@ -644,7 +775,6 @@ impl Resolve<WriteArgs> for RefreshResourceSyncPending {
           push_updates_for_view::<Procedure>(
             resources.procedures,
             delete,
-            &all_resources,
             None,
             None,
             &id_to_tags,
@@ -655,7 +785,6 @@ impl Resolve<WriteArgs> for RefreshResourceSyncPending {
           push_updates_for_view::<Action>(
             resources.actions,
             delete,
-            &all_resources,
             None,
             None,
             &id_to_tags,
@@ -666,7 +795,6 @@ impl Resolve<WriteArgs> for RefreshResourceSyncPending {
           push_updates_for_view::<Builder>(
             resources.builders,
             delete,
-            &all_resources,
             None,
             None,
             &id_to_tags,
@@ -677,18 +805,6 @@ impl Resolve<WriteArgs> for RefreshResourceSyncPending {
           push_updates_for_view::<Alerter>(
             resources.alerters,
             delete,
-            &all_resources,
-            None,
-            None,
-            &id_to_tags,
-            &sync.config.match_tags,
-            &mut diffs,
-          )
-          .await?;
-          push_updates_for_view::<ServerTemplate>(
-            resources.server_templates,
-            delete,
-            &all_resources,
             None,
             None,
             &id_to_tags,
@@ -699,7 +815,6 @@ impl Resolve<WriteArgs> for RefreshResourceSyncPending {
           push_updates_for_view::<ResourceSync>(
             resources.resource_syncs,
             delete,
-            &all_resources,
             None,
             None,
             &id_to_tags,
@@ -727,7 +842,6 @@ impl Resolve<WriteArgs> for RefreshResourceSyncPending {
         crate::sync::user_groups::get_updates_for_view(
           resources.user_groups,
           delete,
-          &all_resources,
         )
         .await?
       } else {
@@ -828,7 +942,9 @@ impl Resolve<WriteArgs> for RefreshResourceSyncPending {
             .context("failed to open existing pending resource sync updates alert")
             .inspect_err(|e| warn!("{e:#}"))
             .ok();
-          send_alerts(&[alert]).await;
+          if sync.config.pending_alert {
+            send_alerts(&[alert]).await;
+          }
         }
         // CLOSE ALERT
         (Some(existing), false) => {
@@ -873,10 +989,10 @@ impl Resolve<WriteArgs> for CreateSyncWebhook {
       );
     };
 
-    let sync = resource::get_check_permissions::<ResourceSync>(
+    let sync = get_check_permissions::<ResourceSync>(
       &self.sync,
       user,
-      PermissionLevel::Write,
+      PermissionLevel::Write.into(),
     )
     .await?;
 
@@ -993,10 +1109,10 @@ impl Resolve<WriteArgs> for DeleteSyncWebhook {
       );
     };
 
-    let sync = resource::get_check_permissions::<ResourceSync>(
+    let sync = get_check_permissions::<ResourceSync>(
       &self.sync,
       user,
-      PermissionLevel::Write,
+      PermissionLevel::Write.into(),
     )
     .await?;
 

bin/core/src/api/write/tag.rs

@@ -1,35 +1,24 @@
 use std::str::FromStr;
 
 use anyhow::{Context, anyhow};
-use komodo_client::{
-  api::write::{
-    CreateTag, DeleteTag, RenameTag, UpdateTagColor,
-    UpdateTagsOnResource, UpdateTagsOnResourceResponse,
-  },
-  entities::{
-    ResourceTarget,
-    action::Action,
-    alerter::Alerter,
-    build::Build,
-    builder::Builder,
-    deployment::Deployment,
-    permission::PermissionLevel,
-    procedure::Procedure,
-    repo::Repo,
-    server::Server,
-    server_template::ServerTemplate,
-    stack::Stack,
-    sync::ResourceSync,
-    tag::{Tag, TagColor},
-  },
-};
-use mungos::{
+use database::mungos::{
   by_id::{delete_one_by_id, update_one_by_id},
   mongodb::bson::{doc, oid::ObjectId},
 };
+use komodo_client::{
+  api::write::{CreateTag, DeleteTag, RenameTag, UpdateTagColor},
+  entities::{
+    action::Action, alerter::Alerter, build::Build, builder::Builder,
+    deployment::Deployment, procedure::Procedure, repo::Repo,
+    server::Server, stack::Stack, sync::ResourceSync, tag::Tag,
+  },
+};
+use reqwest::StatusCode;
 use resolver_api::Resolve;
+use serror::AddStatusCodeError;
 
 use crate::{
+  config::core_config,
   helpers::query::{get_tag, get_tag_check_owner},
   resource,
   state::db_client,
@@ -43,14 +32,24 @@ impl Resolve<WriteArgs> for CreateTag {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<Tag> {
+    if core_config().disable_non_admin_create && !user.admin {
+      return Err(
+        anyhow!("Non admins cannot create tags")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
     if ObjectId::from_str(&self.name).is_ok() {
-      return Err(anyhow!("tag name cannot be ObjectId").into());
+      return Err(
+        anyhow!("Tag name cannot be ObjectId")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
     }
 
     let mut tag = Tag {
       id: Default::default(),
       name: self.name,
-      color: TagColor::Slate,
+      color: self.color.unwrap_or_default(),
       owner: user.id.clone(),
     };
 
@@ -124,14 +123,15 @@ impl Resolve<WriteArgs> for DeleteTag {
 
     tokio::try_join!(
       resource::remove_tag_from_all::<Server>(&self.id),
-      resource::remove_tag_from_all::<Deployment>(&self.id),
       resource::remove_tag_from_all::<Stack>(&self.id),
+      resource::remove_tag_from_all::<Deployment>(&self.id),
       resource::remove_tag_from_all::<Build>(&self.id),
       resource::remove_tag_from_all::<Repo>(&self.id),
+      resource::remove_tag_from_all::<Procedure>(&self.id),
+      resource::remove_tag_from_all::<Action>(&self.id),
+      resource::remove_tag_from_all::<ResourceSync>(&self.id),
       resource::remove_tag_from_all::<Builder>(&self.id),
       resource::remove_tag_from_all::<Alerter>(&self.id),
-      resource::remove_tag_from_all::<Procedure>(&self.id),
-      resource::remove_tag_from_all::<ServerTemplate>(&self.id),
     )?;
 
     delete_one_by_id(&db_client().tags, &self.id, None).await?;
@@ -139,122 +139,3 @@ impl Resolve<WriteArgs> for DeleteTag {
     Ok(tag)
   }
 }
-
-impl Resolve<WriteArgs> for UpdateTagsOnResource {
-  #[instrument(name = "UpdateTagsOnResource", skip(args))]
-  async fn resolve(
-    self,
-    args: &WriteArgs,
-  ) -> serror::Result<UpdateTagsOnResourceResponse> {
-    let WriteArgs { user } = args;
-    match self.target {
-      ResourceTarget::System(_) => {
-        return Err(anyhow!("Invalid target type: System").into());
-      }
-      ResourceTarget::Build(id) => {
-        resource::get_check_permissions::<Build>(
-          &id,
-          user,
-          PermissionLevel::Write,
-        )
-        .await?;
-        resource::update_tags::<Build>(&id, self.tags, args).await?;
-      }
-      ResourceTarget::Builder(id) => {
-        resource::get_check_permissions::<Builder>(
-          &id,
-          user,
-          PermissionLevel::Write,
-        )
-        .await?;
-        resource::update_tags::<Builder>(&id, self.tags, args).await?
-      }
-      ResourceTarget::Deployment(id) => {
-        resource::get_check_permissions::<Deployment>(
-          &id,
-          user,
-          PermissionLevel::Write,
-        )
-        .await?;
-        resource::update_tags::<Deployment>(&id, self.tags, args)
-          .await?
-      }
-      ResourceTarget::Server(id) => {
-        resource::get_check_permissions::<Server>(
-          &id,
-          user,
-          PermissionLevel::Write,
-        )
-        .await?;
-        resource::update_tags::<Server>(&id, self.tags, args).await?
-      }
-      ResourceTarget::Repo(id) => {
-        resource::get_check_permissions::<Repo>(
-          &id,
-          user,
-          PermissionLevel::Write,
-        )
-        .await?;
-        resource::update_tags::<Repo>(&id, self.tags, args).await?
-      }
-      ResourceTarget::Alerter(id) => {
-        resource::get_check_permissions::<Alerter>(
-          &id,
-          user,
-          PermissionLevel::Write,
-        )
-        .await?;
-        resource::update_tags::<Alerter>(&id, self.tags, args).await?
-      }
-      ResourceTarget::Procedure(id) => {
-        resource::get_check_permissions::<Procedure>(
-          &id,
-          user,
-          PermissionLevel::Write,
-        )
-        .await?;
-        resource::update_tags::<Procedure>(&id, self.tags, args)
-          .await?
-      }
-      ResourceTarget::Action(id) => {
-        resource::get_check_permissions::<Action>(
-          &id,
-          user,
-          PermissionLevel::Write,
-        )
-        .await?;
-        resource::update_tags::<Action>(&id, self.tags, args).await?
-      }
-      ResourceTarget::ServerTemplate(id) => {
-        resource::get_check_permissions::<ServerTemplate>(
-          &id,
-          user,
-          PermissionLevel::Write,
-        )
-        .await?;
-        resource::update_tags::<ServerTemplate>(&id, self.tags, args)
-          .await?
-      }
-      ResourceTarget::ResourceSync(id) => {
-        resource::get_check_permissions::<ResourceSync>(
-          &id,
-          user,
-          PermissionLevel::Write,
-        )
-        .await?;
-        resource::update_tags::<ResourceSync>(&id, self.tags, args)
-          .await?
-      }
-      ResourceTarget::Stack(id) => {
-        resource::get_check_permissions::<Stack>(
-          &id,
-          user,
-          PermissionLevel::Write,
-        )
-        .await?;
-        resource::update_tags::<Stack>(&id, self.tags, args).await?
-      }
-    };
-    Ok(UpdateTagsOnResourceResponse {})
-  }
-}

bin/core/src/api/write/user.rs

@@ -1,26 +1,107 @@
 use std::str::FromStr;
 
 use anyhow::{Context, anyhow};
+use async_timing_util::unix_timestamp_ms;
+use database::{
+  hash_password,
+  mungos::mongodb::bson::{doc, oid::ObjectId},
+};
 use komodo_client::{
-  api::write::{
-    DeleteUser, DeleteUserResponse, UpdateUserPassword,
-    UpdateUserPasswordResponse, UpdateUserUsername,
-    UpdateUserUsernameResponse,
+  api::write::*,
+  entities::{
+    NoData,
+    user::{User, UserConfig},
   },
-  entities::{NoData, user::UserConfig},
 };
-use mungos::mongodb::bson::{doc, oid::ObjectId};
+use reqwest::StatusCode;
 use resolver_api::Resolve;
+use serror::AddStatusCodeError;
 
-use crate::{
-  config::core_config, helpers::hash_password, state::db_client,
-};
+use crate::{config::core_config, state::db_client};
 
 use super::WriteArgs;
 
 //
 
+impl Resolve<WriteArgs> for CreateLocalUser {
+  #[instrument(name = "CreateLocalUser", skip(admin, self), fields(admin_id = admin.id, username = self.username))]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<CreateLocalUserResponse> {
+    if !admin.admin {
+      return Err(
+        anyhow!("This method is admin-only.")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    if self.username.is_empty() {
+      return Err(anyhow!("Username cannot be empty.").into());
+    }
+
+    if ObjectId::from_str(&self.username).is_ok() {
+      return Err(
+        anyhow!("Username cannot be valid ObjectId").into(),
+      );
+    }
+
+    if self.password.is_empty() {
+      return Err(anyhow!("Password cannot be empty.").into());
+    }
+
+    let db = db_client();
+
+    if db
+      .users
+      .find_one(doc! { "username": &self.username })
+      .await
+      .context("Failed to query for existing users")?
+      .is_some()
+    {
+      return Err(anyhow!("Username already taken.").into());
+    }
+
+    let ts = unix_timestamp_ms() as i64;
+    let hashed_password = hash_password(self.password)?;
+
+    let mut user = User {
+      id: Default::default(),
+      username: self.username,
+      enabled: true,
+      admin: false,
+      super_admin: false,
+      create_server_permissions: false,
+      create_build_permissions: false,
+      updated_at: ts,
+      last_update_view: 0,
+      recents: Default::default(),
+      all: Default::default(),
+      config: UserConfig::Local {
+        password: hashed_password,
+      },
+    };
+
+    user.id = db_client()
+      .users
+      .insert_one(&user)
+      .await
+      .context("failed to create user")?
+      .inserted_id
+      .as_object_id()
+      .context("inserted_id is not ObjectId")?
+      .to_string();
+
+    user.sanitize();
+
+    Ok(user)
+  }
+}
+
+//
+
 impl Resolve<WriteArgs> for UpdateUserUsername {
+  #[instrument(name = "UpdateUserUsername", skip(user), fields(user_id = user.id))]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -38,6 +119,13 @@ impl Resolve<WriteArgs> for UpdateUserUsername {
     if self.username.is_empty() {
       return Err(anyhow!("Username cannot be empty.").into());
     }
+
+    if ObjectId::from_str(&self.username).is_ok() {
+      return Err(
+        anyhow!("Username cannot be valid ObjectId").into(),
+      );
+    }
+
     let db = db_client();
     if db
       .users
@@ -64,6 +152,7 @@ impl Resolve<WriteArgs> for UpdateUserUsername {
 //
 
 impl Resolve<WriteArgs> for UpdateUserPassword {
+  #[instrument(name = "UpdateUserPassword", skip(user, self), fields(user_id = user.id))]
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
@@ -78,25 +167,7 @@ impl Resolve<WriteArgs> for UpdateUserPassword {
         );
       }
     }
-    let UserConfig::Local { .. } = user.config else {
-      return Err(anyhow!("User is not local user").into());
-    };
-    if self.password.is_empty() {
-      return Err(anyhow!("Password cannot be empty.").into());
-    }
-    let id = ObjectId::from_str(&user.id)
-      .context("User id not valid ObjectId.")?;
-    let hashed_password = hash_password(self.password)?;
-    db_client()
-      .users
-      .update_one(
-        doc! { "_id": id },
-        doc! { "$set": {
-          "config.data.password": hashed_password
-        } },
-      )
-      .await
-      .context("Failed to update user password on database.")?;
+    db_client().set_user_password(user, &self.password).await?;
     Ok(NoData {})
   }
 }
@@ -104,12 +175,16 @@ impl Resolve<WriteArgs> for UpdateUserPassword {
 //
 
 impl Resolve<WriteArgs> for DeleteUser {
+  #[instrument(name = "DeleteUser", skip(admin), fields(user = self.user))]
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
   ) -> serror::Result<DeleteUserResponse> {
     if !admin.admin {
-      return Err(anyhow!("Calling user is not admin.").into());
+      return Err(
+        anyhow!("This method is admin-only.")
+          .status_code(StatusCode::FORBIDDEN),
+      );
     }
     if admin.username == self.user || admin.id == self.user {
       return Err(anyhow!("User cannot delete themselves.").into());
@@ -145,6 +220,14 @@ impl Resolve<WriteArgs> for DeleteUser {
       .delete_one(query)
       .await
       .context("Failed to delete user from database")?;
+    // Also remove user id from all user groups
+    if let Err(e) = db
+      .user_groups
+      .update_many(doc! {}, doc! { "$pull": { "users": &user.id } })
+      .await
+    {
+      warn!("Failed to remove deleted user from user groups | {e:?}");
+    };
     Ok(user)
   }
 }

bin/core/src/api/write/user_group.rs

@@ -1,38 +1,42 @@
 use std::{collections::HashMap, str::FromStr};
 
 use anyhow::{Context, anyhow};
-use komodo_client::{
-  api::write::{
-    AddUserToUserGroup, CreateUserGroup, DeleteUserGroup,
-    RemoveUserFromUserGroup, RenameUserGroup, SetUsersInUserGroup,
-  },
-  entities::{komodo_timestamp, user_group::UserGroup},
-};
-use mungos::{
+use database::mungos::{
   by_id::{delete_one_by_id, find_one_by_id, update_one_by_id},
   find::find_collect,
   mongodb::bson::{doc, oid::ObjectId},
 };
+use komodo_client::{
+  api::write::*,
+  entities::{komodo_timestamp, user_group::UserGroup},
+};
+use reqwest::StatusCode;
 use resolver_api::Resolve;
+use serror::AddStatusCodeError;
 
 use crate::state::db_client;
 
 use super::WriteArgs;
 
 impl Resolve<WriteArgs> for CreateUserGroup {
+  #[instrument(name = "CreateUserGroup", skip(admin), fields(admin = admin.username))]
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
   ) -> serror::Result<UserGroup> {
     if !admin.admin {
-      return Err(anyhow!("This call is admin-only").into());
+      return Err(
+        anyhow!("This call is admin-only")
+          .status_code(StatusCode::FORBIDDEN),
+      );
     }
     let user_group = UserGroup {
+      name: self.name,
       id: Default::default(),
+      everyone: Default::default(),
       users: Default::default(),
       all: Default::default(),
       updated_at: komodo_timestamp(),
-      name: self.name,
     };
     let db = db_client();
     let id = db
@@ -53,12 +57,16 @@ impl Resolve<WriteArgs> for CreateUserGroup {
 }
 
 impl Resolve<WriteArgs> for RenameUserGroup {
+  #[instrument(name = "RenameUserGroup", skip(admin), fields(admin = admin.username))]
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
   ) -> serror::Result<UserGroup> {
     if !admin.admin {
-      return Err(anyhow!("This call is admin-only").into());
+      return Err(
+        anyhow!("This call is admin-only")
+          .status_code(StatusCode::FORBIDDEN),
+      );
     }
     let db = db_client();
     update_one_by_id(
@@ -78,12 +86,16 @@ impl Resolve<WriteArgs> for RenameUserGroup {
 }
 
 impl Resolve<WriteArgs> for DeleteUserGroup {
+  #[instrument(name = "DeleteUserGroup", skip(admin), fields(admin = admin.username))]
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
   ) -> serror::Result<UserGroup> {
     if !admin.admin {
-      return Err(anyhow!("This call is admin-only").into());
+      return Err(
+        anyhow!("This call is admin-only")
+          .status_code(StatusCode::FORBIDDEN),
+      );
     }
 
     let db = db_client();
@@ -110,12 +122,16 @@ impl Resolve<WriteArgs> for DeleteUserGroup {
 }
 
 impl Resolve<WriteArgs> for AddUserToUserGroup {
+  #[instrument(name = "AddUserToUserGroup", skip(admin), fields(admin = admin.username))]
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
   ) -> serror::Result<UserGroup> {
     if !admin.admin {
-      return Err(anyhow!("This call is admin-only").into());
+      return Err(
+        anyhow!("This call is admin-only")
+          .status_code(StatusCode::FORBIDDEN),
+      );
     }
 
     let db = db_client();
@@ -153,12 +169,16 @@ impl Resolve<WriteArgs> for AddUserToUserGroup {
 }
 
 impl Resolve<WriteArgs> for RemoveUserFromUserGroup {
+  #[instrument(name = "RemoveUserFromUserGroup", skip(admin), fields(admin = admin.username))]
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
   ) -> serror::Result<UserGroup> {
     if !admin.admin {
-      return Err(anyhow!("This call is admin-only").into());
+      return Err(
+        anyhow!("This call is admin-only")
+          .status_code(StatusCode::FORBIDDEN),
+      );
     }
 
     let db = db_client();
@@ -196,12 +216,16 @@ impl Resolve<WriteArgs> for RemoveUserFromUserGroup {
 }
 
 impl Resolve<WriteArgs> for SetUsersInUserGroup {
+  #[instrument(name = "SetUsersInUserGroup", skip(admin), fields(admin = admin.username))]
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
   ) -> serror::Result<UserGroup> {
     if !admin.admin {
-      return Err(anyhow!("This call is admin-only").into());
+      return Err(
+        anyhow!("This call is admin-only")
+          .status_code(StatusCode::FORBIDDEN),
+      );
     }
 
     let db = db_client();
@@ -240,3 +264,39 @@ impl Resolve<WriteArgs> for SetUsersInUserGroup {
     Ok(res)
   }
 }
+
+impl Resolve<WriteArgs> for SetEveryoneUserGroup {
+  #[instrument(name = "SetEveryoneUserGroup", skip(admin), fields(admin = admin.username))]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> serror::Result<UserGroup> {
+    if !admin.admin {
+      return Err(
+        anyhow!("This call is admin-only")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let db = db_client();
+
+    let filter = match ObjectId::from_str(&self.user_group) {
+      Ok(id) => doc! { "_id": id },
+      Err(_) => doc! { "name": &self.user_group },
+    };
+    db.user_groups
+      .update_one(
+        filter.clone(),
+        doc! { "$set": { "everyone": self.everyone } },
+      )
+      .await
+      .context("failed to set everyone on user group")?;
+    let res = db
+      .user_groups
+      .find_one(filter)
+      .await
+      .context("failed to query db for UserGroups")?
+      .context("no user group with given id")?;
+    Ok(res)
+  }
+}

bin/core/src/api/write/variable.rs

@@ -1,10 +1,12 @@
 use anyhow::{Context, anyhow};
+use database::mungos::mongodb::bson::doc;
 use komodo_client::{
   api::write::*,
   entities::{Operation, ResourceTarget, variable::Variable},
 };
-use mungos::mongodb::bson::doc;
+use reqwest::StatusCode;
 use resolver_api::Resolve;
+use serror::AddStatusCodeError;
 
 use crate::{
   helpers::{
@@ -22,6 +24,13 @@ impl Resolve<WriteArgs> for CreateVariable {
     self,
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<CreateVariableResponse> {
+    if !user.admin {
+      return Err(
+        anyhow!("Only admins can create variables")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
     let CreateVariable {
       name,
       value,
@@ -29,10 +38,6 @@ impl Resolve<WriteArgs> for CreateVariable {
       is_secret,
     } = self;
 
-    if !user.admin {
-      return Err(anyhow!("only admins can create variables").into());
-    }
-
     let variable = Variable {
       name,
       value,
@@ -44,7 +49,7 @@ impl Resolve<WriteArgs> for CreateVariable {
       .variables
       .insert_one(&variable)
       .await
-      .context("failed to create variable on db")?;
+      .context("Failed to create variable on db")?;
 
     let mut update = make_update(
       ResourceTarget::system(),
@@ -69,7 +74,10 @@ impl Resolve<WriteArgs> for UpdateVariableValue {
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<UpdateVariableValueResponse> {
     if !user.admin {
-      return Err(anyhow!("only admins can update variables").into());
+      return Err(
+        anyhow!("Only admins can update variables")
+          .status_code(StatusCode::FORBIDDEN),
+      );
     }
 
     let UpdateVariableValue { name, value } = self;
@@ -87,7 +95,7 @@ impl Resolve<WriteArgs> for UpdateVariableValue {
         doc! { "$set": { "value": &value } },
       )
       .await
-      .context("failed to update variable value on db")?;
+      .context("Failed to update variable value on db")?;
 
     let mut update = make_update(
       ResourceTarget::system(),
@@ -107,7 +115,7 @@ impl Resolve<WriteArgs> for UpdateVariableValue {
       )
     };
 
-    update.push_simple_log("update variable value", log);
+    update.push_simple_log("Update Variable Value", log);
     update.finalize();
 
     add_update(update).await?;
@@ -123,7 +131,10 @@ impl Resolve<WriteArgs> for UpdateVariableDescription {
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<UpdateVariableDescriptionResponse> {
     if !user.admin {
-      return Err(anyhow!("only admins can update variables").into());
+      return Err(
+        anyhow!("Only admins can update variables")
+          .status_code(StatusCode::FORBIDDEN),
+      );
     }
     db_client()
       .variables
@@ -132,7 +143,7 @@ impl Resolve<WriteArgs> for UpdateVariableDescription {
         doc! { "$set": { "description": &self.description } },
       )
       .await
-      .context("failed to update variable description on db")?;
+      .context("Failed to update variable description on db")?;
     Ok(get_variable(&self.name).await?)
   }
 }
@@ -144,7 +155,10 @@ impl Resolve<WriteArgs> for UpdateVariableIsSecret {
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<UpdateVariableIsSecretResponse> {
     if !user.admin {
-      return Err(anyhow!("only admins can update variables").into());
+      return Err(
+        anyhow!("Only admins can update variables")
+          .status_code(StatusCode::FORBIDDEN),
+      );
     }
     db_client()
       .variables
@@ -153,7 +167,7 @@ impl Resolve<WriteArgs> for UpdateVariableIsSecret {
         doc! { "$set": { "is_secret": self.is_secret } },
       )
       .await
-      .context("failed to update variable is secret on db")?;
+      .context("Failed to update variable is secret on db")?;
     Ok(get_variable(&self.name).await?)
   }
 }
@@ -164,14 +178,17 @@ impl Resolve<WriteArgs> for DeleteVariable {
     WriteArgs { user }: &WriteArgs,
   ) -> serror::Result<DeleteVariableResponse> {
     if !user.admin {
-      return Err(anyhow!("only admins can delete variables").into());
+      return Err(
+        anyhow!("Only admins can delete variables")
+          .status_code(StatusCode::FORBIDDEN),
+      );
     }
     let variable = get_variable(&self.name).await?;
     db_client()
       .variables
       .delete_one(doc! { "name": &self.name })
       .await
-      .context("failed to delete variable on db")?;
+      .context("Failed to delete variable on db")?;
 
     let mut update = make_update(
       ResourceTarget::system(),
@@ -180,7 +197,7 @@ impl Resolve<WriteArgs> for DeleteVariable {
     );
 
     update
-      .push_simple_log("delete variable", format!("{variable:#?}"));
+      .push_simple_log("Delete Variable", format!("{variable:#?}"));
     update.finalize();
 
     add_update(update).await?;

bin/core/src/auth/github/mod.rs

@@ -2,18 +2,19 @@ use anyhow::{Context, anyhow};
 use axum::{
   Router, extract::Query, response::Redirect, routing::get,
 };
+use database::mongo_indexed::Document;
+use database::mungos::mongodb::bson::doc;
 use komodo_client::entities::{
   komodo_timestamp,
   user::{User, UserConfig},
 };
-use mongo_indexed::Document;
-use mungos::mongodb::bson::doc;
 use reqwest::StatusCode;
 use serde::Deserialize;
 use serror::AddStatusCode;
 
 use crate::{
   config::core_config,
+  helpers::random_string,
   state::{db_client, jwt_client},
 };
 
@@ -82,9 +83,23 @@ async fn callback(
       if !no_users_exist && core_config.disable_user_registration {
         return Err(anyhow!("User registration is disabled"));
       }
+
+      let mut username = github_user.login;
+      // Modify username if it already exists
+      if db_client
+        .users
+        .find_one(doc! { "username": &username })
+        .await
+        .context("Failed to query users collection")?
+        .is_some()
+      {
+        username += "-";
+        username += &random_string(5);
+      };
+
       let user = User {
         id: Default::default(),
-        username: github_user.login,
+        username,
         enabled: no_users_exist || core_config.enable_new_users,
         admin: no_users_exist,
         super_admin: no_users_exist,
@@ -119,7 +134,7 @@ async fn callback(
     format!("{}?token={exchange_token}", core_config().host)
   } else {
     let splitter = if redirect.contains('?') { '&' } else { '?' };
-    format!("{}{splitter}token={exchange_token}", redirect)
+    format!("{redirect}{splitter}token={exchange_token}")
   };
   Ok(Redirect::to(&redirect_url))
 }

bin/core/src/auth/google/client.rs

@@ -187,8 +187,8 @@ impl GoogleOauthClient {
       Ok(body)
     } else {
       let text = res.text().await.context(format!(
-                "method: POST | status: {status} | failed to get response text"
-            ))?;
+        "method: POST | status: {status} | failed to get response text"
+      ))?;
       Err(anyhow!("method: POST | status: {status} | text: {text}"))
     }
   }
@@ -207,5 +207,6 @@ pub struct GoogleUser {
   #[serde(rename = "sub")]
   pub id: String,
   pub email: String,
+  #[serde(default)]
   pub picture: String,
 }

bin/core/src/auth/google/mod.rs

@@ -3,15 +3,16 @@ use async_timing_util::unix_timestamp_ms;
 use axum::{
   Router, extract::Query, response::Redirect, routing::get,
 };
+use database::mongo_indexed::Document;
+use database::mungos::mongodb::bson::doc;
 use komodo_client::entities::user::{User, UserConfig};
-use mongo_indexed::Document;
-use mungos::mongodb::bson::doc;
 use reqwest::StatusCode;
 use serde::Deserialize;
 use serror::AddStatusCode;
 
 use crate::{
   config::core_config,
+  helpers::random_string,
   state::{db_client, jwt_client},
 };
 
@@ -91,15 +92,28 @@ async fn callback(
       if !no_users_exist && core_config.disable_user_registration {
         return Err(anyhow!("User registration is disabled"));
       }
+      let mut username = google_user
+        .email
+        .split('@')
+        .collect::<Vec<&str>>()
+        .first()
+        .unwrap()
+        .to_string();
+      // Modify username if it already exists
+      if db_client
+        .users
+        .find_one(doc! { "username": &username })
+        .await
+        .context("Failed to query users collection")?
+        .is_some()
+      {
+        username += "-";
+        username += &random_string(5);
+      };
+
       let user = User {
         id: Default::default(),
-        username: google_user
-          .email
-          .split('@')
-          .collect::<Vec<&str>>()
-          .first()
-          .unwrap()
-          .to_string(),
+        username,
         enabled: no_users_exist || core_config.enable_new_users,
         admin: no_users_exist,
         super_admin: no_users_exist,
@@ -134,7 +148,7 @@ async fn callback(
     format!("{}?token={exchange_token}", core_config().host)
   } else {
     let splitter = if redirect.contains('?') { '&' } else { '?' };
-    format!("{}{splitter}token={exchange_token}", redirect)
+    format!("{redirect}{splitter}token={exchange_token}")
   };
   Ok(Redirect::to(&redirect_url))
 }

bin/core/src/auth/jwt.rs

@@ -4,17 +4,19 @@ use anyhow::{Context, anyhow};
 use async_timing_util::{
   Timelength, get_timelength_in_ms, unix_timestamp_ms,
 };
+use database::mungos::mongodb::bson::doc;
 use jsonwebtoken::{
   DecodingKey, EncodingKey, Header, Validation, decode, encode,
 };
-use komodo_client::entities::config::core::CoreConfig;
-use mungos::mongodb::bson::doc;
+use komodo_client::{
+  api::auth::JwtResponse, entities::config::core::CoreConfig,
+};
 use serde::{Deserialize, Serialize};
 use tokio::sync::Mutex;
 
 use crate::helpers::random_string;
 
-type ExchangeTokenMap = Mutex<HashMap<String, (String, u128)>>;
+type ExchangeTokenMap = Mutex<HashMap<String, (JwtResponse, u128)>>;
 
 #[derive(Serialize, Deserialize)]
 pub struct JwtClaims {
@@ -51,16 +53,20 @@ impl JwtClient {
     })
   }
 
-  pub fn encode(&self, user_id: String) -> anyhow::Result<String> {
+  pub fn encode(
+    &self,
+    user_id: String,
+  ) -> anyhow::Result<JwtResponse> {
     let iat = unix_timestamp_ms();
     let exp = iat + self.ttl_ms;
     let claims = JwtClaims {
-      id: user_id,
+      id: user_id.clone(),
       iat,
       exp,
     };
-    encode(&self.header, &claims, &self.encoding_key)
-      .context("failed at signing claim")
+    let jwt = encode(&self.header, &claims, &self.encoding_key)
+      .context("failed at signing claim")?;
+    Ok(JwtResponse { user_id, jwt })
   }
 
   pub fn decode(&self, jwt: &str) -> anyhow::Result<JwtClaims> {
@@ -70,7 +76,10 @@ impl JwtClient {
   }
 
   #[instrument(level = "debug", skip_all)]
-  pub async fn create_exchange_token(&self, jwt: String) -> String {
+  pub async fn create_exchange_token(
+    &self,
+    jwt: JwtResponse,
+  ) -> String {
     let exchange_token = random_string(40);
     self.exchange_tokens.lock().await.insert(
       exchange_token.clone(),
@@ -86,7 +95,7 @@ impl JwtClient {
   pub async fn redeem_exchange_token(
     &self,
     exchange_token: &str,
-  ) -> anyhow::Result<String> {
+  ) -> anyhow::Result<JwtResponse> {
     let (jwt, valid_until) = self
       .exchange_tokens
       .lock()