update client to 1.9.0

merge v1 into main

.dockerignore

@@ -1,4 +1,8 @@
 /target
-/config_example
-config.*
-.env
+readme.md
+typeshare.toml
+LICENSE
+*.code-workspace
+
+*/node_modules
+*/dist

.gitignore

@@ -1,12 +1,9 @@
-target
-/frontend/build
-node_modules
-dist
-.env
-.env.development
-
-repos
-config.json
-config.toml
-secrets.json
-secrets.toml
+target
+/frontend/build
+node_modules
+/lib/ts_client/build
+dist
+.env
+.env.development
+creds.toml
+core.config.toml

.vscode/resolver.code-snippets

@@ -0,0 +1,25 @@
+{
+	"resolve": {
+		"scope": "rust",
+		"prefix": "resolve",
+		"body": [
+			"impl Resolve<${1}, User> for State {",
+			"\tasync fn resolve(&self, ${1} { ${0} }: ${1}, _: User) -> anyhow::Result<${2}> {",
+			"\t\ttodo!()",
+			"\t}",
+			"}"
+		]
+	},
+	"static": {
+		"scope": "rust",
+		"prefix": "static",
+		"body": [
+			"fn ${1}() -> &'static ${2} {",
+			"\tstatic ${3}: OnceLock<${2}> = OnceLock::new();",
+			"\t${3}.get_or_init(|| {",
+			"\t\t${0}",
+			"\t})",
+			"}"
+		]
+	}
+}

.vscode/solid.code-snippets

@@ -1,64 +0,0 @@
-{
-	"component": {
-		"scope": "typescriptreact,javascriptreact",
-		"prefix": "comp",
-		"body": [
-			"import { Component } from \"solid-js\";",
-			"",
-			"const ${1:$TM_FILENAME_BASE}: Component<{}> = (p) => {",
-			"\treturn (",
-			"\t\t<div>",
-			"\t\t\t${0}",
-			"\t\t</div>",
-			"\t);",
-			"}",
-			"",
-			"export default ${1:$TM_FILENAME_BASE};"
-		]
-	},
-	"component-with-css": {
-		"scope": "typescriptreact,javascriptreact",
-		"prefix": "css-comp",
-		"body": [
-			"import { Component } from \"solid-js\";",
-			"import s from \"./${1:$TM_FILENAME_BASE}.module.scss\";",
-			"",
-			"const ${2:$TM_FILENAME_BASE}: Component<{}> = (p) => {",
-			"\treturn (",
-			"\t\t<div class={s.${2:$TM_FILENAME_BASE}} >",
-			"\t\t\t${0}",
-			"\t\t</div>",
-			"\t);",
-			"}",
-			"",
-			"export default ${2:$TM_FILENAME_BASE};"
-		]
-	},
-	"context": {
-		"scope": "typescriptreact,javascriptreact",
-		"prefix": "provider",
-		"body": [
-			"import { ParentComponent, createContext, useContext } from \"solid-js\";",
-			"",
-			"const value = () => {",
-			"\treturn {};",
-			"}",
-			"",
-			"export type Value = ReturnType<typeof value>;",
-			"",
-			"const context = createContext<Value>();",
-			"",
-			"export const Provider: ParentComponent<{}> = (p) => {",
-			"\treturn (",
-			"\t\t<context.Provider value={value()}>",
-			"\t\t\t{p.children}",
-			"\t\t</context.Provider>",
-			"\t);",
-			"}",
-			"",
-			"export function useValue() {",
-			"\treturn useContext(context) as Value;",
-			"}"
-		]
-	}
-}

.vscode/tasks.json

@@ -24,14 +24,14 @@
 			"label": "start dev",
 			"dependsOn": [
 				"run core",
-				"yarn: start frontend"
+				"start frontend"
 			],
 			"problemMatcher": []
 		},
 		{
 			"type": "shell",
 			"command": "yarn start",
-			"label": "yarn: start frontend",
+			"label": "start frontend",
 			"options": {
 				"cwd": "${workspaceFolder}/frontend"
 			},
@@ -44,7 +44,7 @@
 			"command": "run",
 			"label": "run core",
 			"options": {
-				"cwd": "${workspaceFolder}/core"
+				"cwd": "${workspaceFolder}/bin/core"
 			},
 			"presentation": {
 				"group": "start"
@@ -55,24 +55,7 @@
 			"command": "run",
 			"label": "run periphery",
 			"options": {
-				"cwd": "${workspaceFolder}/periphery"
-			}
-		},
-		{
-			"type": "shell",
-			"command": "cargo install --path . && if pgrep periphery; then pkill periphery; fi && periphery --daemon --config-path ~/.monitor/local.periphery.config.toml",
-			"label": "run periphery daemon",
-			"options": {
-				"cwd": "${workspaceFolder}/periphery"
-			},
-			"problemMatcher": []
-		},
-		{
-			"type": "cargo",
-			"command": "run",
-			"label": "run cli",
-			"options": {
-				"cwd": "${workspaceFolder}/cli"
+				"cwd": "${workspaceFolder}/bin/periphery"
 			}
 		},
 		{
@@ -80,14 +63,14 @@
 			"command": "run",
 			"label": "run tests",
 			"options": {
-				"cwd": "${workspaceFolder}/tests"
+				"cwd": "${workspaceFolder}/bin/tests"
 			}
 		},
 		{
 			"type": "cargo",
 			"command": "publish",
 			"args": ["--allow-dirty"],
-			"label": "publish monitor types",
+			"label": "publish types",
 			"options": {
 				"cwd": "${workspaceFolder}/lib/types"
 			}
@@ -95,76 +78,14 @@
 		{
 			"type": "cargo",
 			"command": "publish",
-			"label": "publish monitor client",
+			"label": "publish rs client",
 			"options": {
-				"cwd": "${workspaceFolder}/lib/monitor_client"
-			}
-		},
-		{
-			"type": "cargo",
-			"command": "publish",
-			"label": "publish monitor cli",
-			"options": {
-				"cwd": "${workspaceFolder}/cli"
+				"cwd": "${workspaceFolder}/lib/rs_client"
 			}
 		},
 		{
 			"type": "shell",
-			"command": "docker compose up -d",
-			"label": "docker compose up",
-			"options": {
-				"cwd": "${workspaceFolder}/tests"
-			},
-			"problemMatcher": []
-		},
-		{
-			"type": "shell",
-			"command": "docker compose down",
-			"label": "docker compose down",
-			"options": {
-				"cwd": "${workspaceFolder}/tests"
-			},
-			"problemMatcher": []
-		},
-		{
-			"type": "shell",
-			"command": "docker compose build",
-			"label": "docker compose build",
-			"options": {
-				"cwd": "${workspaceFolder}/tests"
-			},
-			"problemMatcher": []
-		},
-		{
-			"type": "shell",
-			"command": "docker compose down && docker compose up -d",
-			"label": "docker compose restart",
-			"options": {
-				"cwd": "${workspaceFolder}/tests"
-			},
-			"problemMatcher": []
-		},
-		{
-			"type": "shell",
-			"command": "docker compose build && docker compose down && docker compose up -d",
-			"label": "docker compose build and restart",
-			"options": {
-				"cwd": "${workspaceFolder}/tests"
-			},
-			"problemMatcher": []
-		},
-		{
-			"type": "shell",
-			"command": "docker compose build periphery",
-			"label": "docker compose build periphery",
-			"options": {
-				"cwd": "${workspaceFolder}/tests"
-			},
-			"problemMatcher": []
-		},
-		{
-			"type": "shell",
-			"command": "typeshare ./lib/types --lang=typescript --output-file=./frontend/src/types.ts && typeshare ./core --lang=typescript --output-file=./frontend/src/util/client_types.ts",
+			"command": "node ./client/ts/generate_types.mjs",
 			"label": "generate typescript types",
 			"problemMatcher": []
 		}

Cargo.toml

@@ -1,14 +1,104 @@
-[workspace]
-
-members = [
-	"cli",
-	"core",
-	"periphery",
-	"tests",
-	"lib/axum_oauth2",
-	"lib/db_client",
-	"lib/helpers",
-	"lib/periphery_client",
-	"lib/types",
-	"lib/monitor_client"
-]
+[workspace]
+resolver = "2"
+members = ["bin/*", "lib/*", "client/core/rs", "client/periphery/rs"]
+
+[workspace.package]
+version = "1.9.0"
+edition = "2021"
+authors = ["mbecker20 <becker.maxh@gmail.com>"]
+license = "GPL-3.0-or-later"
+repository = "https://github.com/mbecker20/monitor"
+homepage = "https://docs.monitor.mogh.tech"
+
+[patch.crates-io]
+monitor_client = { path = "client/core/rs" }
+
+[workspace.dependencies]
+# LOCAL
+monitor_client = "1.9.0"
+periphery_client = { path = "client/periphery/rs" }
+formatting = { path = "lib/formatting" }
+command = { path = "lib/command" }
+logger = { path = "lib/logger" }
+git = { path = "lib/git" }
+
+# MOGH
+run_command = { version = "0.0.6", features = ["async_tokio"] }
+serror = { version = "0.4.3", default-features = false }
+slack = { version = "0.1.0", package = "slack_client_rs" }
+derive_default_builder = "0.1.8"
+derive_empty_traits = "0.1.0"
+merge_config_files = "0.1.5"
+async_timing_util = "0.1.14"
+partial_derive2 = "0.4.3"
+derive_variants = "1.0.0"
+mongo_indexed = "0.3.0"
+resolver_api = "1.1.0"
+toml_pretty = "1.1.2"
+parse_csl = "0.1.0"
+mungos = "0.5.6"
+svi = "1.0.1"
+
+# ASYNC
+tokio = { version = "1.38.0", features = ["full"] }
+reqwest = { version = "0.12.4", features = ["json"] }
+tokio-util = "0.7.11"
+futures = "0.3.30"
+futures-util = "0.3.30"
+
+# SERVER
+axum = { version = "0.7.5", features = ["ws", "json"] }
+axum-extra = { version = "0.9.3", features = ["typed-header"] }
+tower = { version = "0.4.13", features = ["timeout"] }
+tower-http = { version = "0.5.2", features = ["fs", "cors"] }
+tokio-tungstenite = "0.23.1"
+
+# SER/DE
+ordered_hash_map = { version = "0.4.0", features = ["serde"] }
+serde = { version = "1.0.203", features = ["derive"] }
+strum = { version = "0.26.2", features = ["derive"] }
+serde_json = "1.0.117"
+toml = "0.8.14"
+
+# ERROR
+anyhow = "1.0.86"
+thiserror = "1.0.61"
+
+# LOGGING
+opentelemetry_sdk = { version = "0.23.0", features = ["rt-tokio"] }
+tracing-subscriber = { version = "0.3.18", features = ["json"] }
+tracing-opentelemetry = "0.24.0"
+opentelemetry-otlp = "0.16.0"
+opentelemetry = "0.23.0"
+tracing = "0.1.40"
+
+# CONFIG
+clap = { version = "4.5.7", features = ["derive"] }
+dotenv = "0.15.0"
+envy = "0.4.2"
+
+# CRYPTO
+uuid = { version = "1.8.0", features = ["v4", "fast-rng", "serde"] }
+urlencoding = "2.1.3"
+bcrypt = "0.15.1"
+base64 = "0.22.1"
+hmac = "0.12.1"
+sha2 = "0.10.8"
+rand = "0.8.5"
+jwt = "0.16.0"
+hex = "0.4.3"
+
+# SYSTEM
+bollard = "0.16.1"
+sysinfo = "0.30.12"
+
+# CLOUD
+aws-config = "1.5.1"
+aws-sdk-ec2 = "1.51.1"
+aws-sdk-ecr = "1.33.0"
+
+# MISC
+derive_builder = "0.20.0"
+typeshare = "1.0.3"
+colored = "2.1.0"
+bson = "2.11.0"

Dockerfile.core

@@ -1,23 +0,0 @@
-FROM rust:latest as builder
-WORKDIR /builder
-
-COPY ./core ./core
-
-COPY ./lib/types ./lib/types
-COPY ./lib/helpers ./lib/helpers
-
-COPY ./lib/db_client ./lib/db_client
-COPY ./lib/periphery_client ./lib/periphery_client
-COPY ./lib/axum_oauth2 ./lib/axum_oauth2
-
-RUN cd core && cargo build --release
-
-FROM gcr.io/distroless/cc
-
-COPY ./frontend/build /frontend
-
-COPY --from=builder /builder/core/target/release/core /
-
-EXPOSE 9000
-
-CMD ["./core"]

Dockerfile.periphery

@@ -1,22 +0,0 @@
-FROM rust:latest as builder
-WORKDIR /builder
-
-COPY ./periphery ./periphery
-
-COPY ./lib/types ./lib/types
-COPY ./lib/helpers ./lib/helpers
-
-RUN cd periphery && cargo build --release
-
-FROM debian:stable-slim
-
-ARG DEPS_INSTALLER
-
-COPY ./${DEPS_INSTALLER}.sh ./
-RUN sh ./${DEPS_INSTALLER}.sh
-
-COPY --from=builder /builder/periphery/target/release/periphery /usr/local/bin/periphery
-
-EXPOSE 8000
-
-CMD "periphery"

bin/alerter/Cargo.toml

@@ -0,0 +1,23 @@
+[package]
+name = "alerter"
+version.workspace = true
+edition.workspace = true
+authors.workspace = true
+license.workspace = true
+homepage.workspace = true
+repository.workspace = true
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+# local
+monitor_client.workspace = true
+logger.workspace = true
+# external
+tokio.workspace = true
+tracing.workspace = true
+axum.workspace = true
+anyhow.workspace = true
+serde.workspace = true
+dotenv.workspace = true
+envy.workspace = true

bin/alerter/Dockerfile

@@ -0,0 +1,14 @@
+FROM rust:1.71.1 as builder
+WORKDIR /builder
+
+COPY . .
+
+RUN cargo build -p alert_logger --release
+
+FROM gcr.io/distroless/cc
+
+COPY --from=builder /builder/target/release/alert_logger /
+
+EXPOSE 7000
+
+CMD ["./alert_logger"]

bin/alerter/README.md

@@ -0,0 +1,4 @@
+# Alerter
+
+This crate sets up a basic axum server that listens for incoming alert POSTs.
+It can be used as a monitor alerting endpoint, and serves as a template for other custom alerter implementations.

bin/alerter/src/main.rs

@@ -0,0 +1,71 @@
+#[macro_use]
+extern crate tracing;
+
+use std::{net::SocketAddr, str::FromStr};
+
+use anyhow::Context;
+use axum::{routing::post, Json, Router};
+use monitor_client::entities::{
+  alert::Alert, server::stats::SeverityLevel,
+};
+use serde::Deserialize;
+
+#[derive(Deserialize)]
+struct Env {
+  #[serde(default = "default_port")]
+  port: u16,
+}
+
+fn default_port() -> u16 {
+  7000
+}
+
+async fn app() -> anyhow::Result<()> {
+  dotenv::dotenv().ok();
+  logger::init(&Default::default())?;
+
+  let Env { port } =
+    envy::from_env().context("failed to parse env")?;
+
+  let socket_addr = SocketAddr::from_str(&format!("0.0.0.0:{port}"))
+    .context("invalid socket addr")?;
+
+  info!("v {} | {socket_addr}", env!("CARGO_PKG_VERSION"));
+
+  let app = Router::new().route(
+    "/",
+    post(|Json(alert): Json<Alert>| async move {
+      if alert.resolved {
+        info!("Alert Resolved!: {alert:?}");
+        return;
+      }
+      match alert.level {
+        SeverityLevel::Ok => info!("{alert:?}"),
+        SeverityLevel::Warning => warn!("{alert:?}"),
+        SeverityLevel::Critical => error!("{alert:?}"),
+      }
+    }),
+  );
+
+  let listener = tokio::net::TcpListener::bind(socket_addr)
+    .await
+    .context("failed to bind tcp listener")?;
+
+  axum::serve(listener, app).await.context("server crashed")
+}
+
+#[tokio::main]
+async fn main() -> anyhow::Result<()> {
+  let mut term_signal = tokio::signal::unix::signal(
+    tokio::signal::unix::SignalKind::terminate(),
+  )?;
+
+  let app = tokio::spawn(app());
+
+  tokio::select! {
+    res = app => return res?,
+    _ = term_signal.recv() => {},
+  }
+
+  Ok(())
+}

bin/cli/Cargo.toml

@@ -0,0 +1,34 @@
+[package]
+name = "monitor_cli"
+description = "Command line tool to sync monitor resources and execute file defined procedures"
+version.workspace = true
+edition.workspace = true
+authors.workspace = true
+license.workspace = true
+homepage.workspace = true
+repository.workspace = true
+
+[[bin]]
+name = "monitor"
+path = "src/main.rs"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+# local
+monitor_client.workspace = true
+# mogh
+partial_derive2.workspace = true
+# external
+tracing-subscriber.workspace = true
+merge_config_files.workspace = true
+serde_json.workspace = true
+futures.workspace = true
+tracing.workspace = true
+colored.workspace = true
+anyhow.workspace = true
+tokio.workspace = true
+serde.workspace = true
+strum.workspace = true
+toml.workspace = true
+clap.workspace = true

bin/cli/README.md

@@ -0,0 +1,92 @@
+# Monitor CLI
+
+Monitor CLI is a tool to sync monitor resources and execute operations.
+
+## Install
+
+```sh
+cargo install monitor_cli
+```
+
+## Usage
+
+### Credentials
+
+Configure a file `~/.config/monitor/creds.toml` file with contents:
+```toml
+url = "https://your.monitor.address"
+key = "YOUR-API-KEY"
+secret = "YOUR-API-SECRET"
+```
+
+Note. You can specify a different creds file by using `--creds ./other/path.toml`.
+You can also bypass using any file and pass the information using `--url`, `--key`, `--secret`:
+
+```sh
+monitor --url "https://your.monitor.address" --key "YOUR-API-KEY" --secret "YOUR-API-SECRET" ...
+```
+
+### Run Syncs
+
+```sh
+## Sync resources in a single file
+monitor sync ./resources/deployments.toml
+
+## Sync resources gathered across multiple files in a directory
+monitor sync ./resources
+
+## Path defaults to './resources', in this case you can just use:
+monitor sync
+```
+
+#### Manual
+```md
+Runs syncs on resource files
+
+Usage: monitor sync [OPTIONS] [PATH]
+
+Arguments:
+  [PATH]  The path of the resource folder / file Folder paths will recursively incorporate all the resources it finds under the folder [default: ./resources]
+
+Options:
+      --delete  Will delete any resources that aren't included in the resource files
+  -h, --help    Print help
+```
+
+### Run Executions
+
+```sh
+# Triggers an example build
+monitor execute run-build test_build
+```
+
+#### Manual
+```md
+Runs an execution
+
+Usage: monitor execute <COMMAND>
+
+Commands:
+  none                 The "null" execution. Does nothing
+  run-procedure        Runs the target procedure. Response: [Update]
+  run-build            Runs the target build. Response: [Update]
+  deploy               Deploys the container for the target deployment. Response: [Update]
+  start-container      Starts the container for the target deployment. Response: [Update]
+  stop-container       Stops the container for the target deployment. Response: [Update]
+  stop-all-containers  Stops all deployments on the target server. Response: [Update]
+  remove-container     Stops and removes the container for the target deployment. Reponse: [Update]
+  clone-repo           Clones the target repo. Response: [Update]
+  pull-repo            Pulls the target repo. Response: [Update]
+  prune-networks       Prunes the docker networks on the target server. Response: [Update]
+  prune-images         Prunes the docker images on the target server. Response: [Update]
+  prune-containers     Prunes the docker containers on the target server. Response: [Update]
+  help                 Print this message or the help of the given subcommand(s)
+
+Options:
+  -h, --help  Print help
+```
+
+### --yes
+
+You can use `--yes` to avoid any human prompt to continue, for use in automated environments.
+

bin/cli/src/args.rs

@@ -0,0 +1,66 @@
+use clap::{Parser, Subcommand};
+use monitor_client::api::execute::Execution;
+use serde::Deserialize;
+
+#[derive(Parser, Debug)]
+#[command(version, about, long_about = None)]
+pub struct CliArgs {
+  /// Sync or Exec
+  #[command(subcommand)]
+  pub command: Command,
+
+  /// The path to a creds file.
+  ///
+  /// Note: If each of `url`, `key` and `secret` are passed,
+  /// no file is required at this path.
+  #[arg(long, default_value_t = default_creds())]
+  pub creds: String,
+
+  /// Pass url in args instead of creds file
+  #[arg(long)]
+  pub url: Option<String>,
+  /// Pass api key in args instead of creds file
+  #[arg(long)]
+  pub key: Option<String>,
+  /// Pass api secret in args instead of creds file
+  #[arg(long)]
+  pub secret: Option<String>,
+
+  /// Always continue on user confirmation prompts.
+  #[arg(long, short, default_value_t = false)]
+  pub yes: bool,
+}
+
+fn default_creds() -> String {
+  let home = std::env::var("HOME")
+    .expect("no HOME env var. cannot get default config path.");
+  format!("{home}/.config/monitor/creds.toml")
+}
+
+#[derive(Debug, Clone, Subcommand)]
+pub enum Command {
+  /// Runs syncs on resource files
+  Sync {
+    /// The path of the resource folder / file
+    /// Folder paths will recursively incorporate all the resources it finds under the folder
+    #[arg(default_value_t = String::from("./resources"))]
+    path: String,
+
+    /// Will delete any resources that aren't included in the resource files.
+    #[arg(long, default_value_t = false)]
+    delete: bool,
+  },
+
+  /// Runs an execution
+  Execute {
+    #[command(subcommand)]
+    execution: Execution,
+  },
+}
+
+#[derive(Debug, Deserialize)]
+pub struct CredsFile {
+  pub url: String,
+  pub key: String,
+  pub secret: String,
+}

bin/cli/src/exec.rs

@@ -0,0 +1,130 @@
+use std::time::Duration;
+
+use colored::Colorize;
+use monitor_client::api::execute::Execution;
+
+use crate::{
+  helpers::wait_for_enter,
+  state::{cli_args, monitor_client},
+};
+
+pub async fn run(execution: Execution) -> anyhow::Result<()> {
+  if matches!(execution, Execution::None(_)) {
+    println!("Got 'none' execution. Doing nothing...");
+    tokio::time::sleep(Duration::from_secs(3)).await;
+    println!("Finished doing nothing. Exiting...");
+    std::process::exit(0);
+  }
+
+  println!("\n{}: Execution", "Mode".dimmed());
+  match &execution {
+    Execution::None(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunProcedure(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunBuild(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::Deploy(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StartContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StopContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StopAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RemoveContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CloneRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PullRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneNetworks(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneImages(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunSync(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::Sleep(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+  }
+
+  if !cli_args().yes {
+    wait_for_enter("run execution")?;
+  }
+
+  info!("Running Execution...");
+
+  let res = match execution {
+    Execution::RunProcedure(request) => {
+      monitor_client().execute(request).await
+    }
+    Execution::RunBuild(request) => {
+      monitor_client().execute(request).await
+    }
+    Execution::Deploy(request) => {
+      monitor_client().execute(request).await
+    }
+    Execution::StartContainer(request) => {
+      monitor_client().execute(request).await
+    }
+    Execution::StopContainer(request) => {
+      monitor_client().execute(request).await
+    }
+    Execution::StopAllContainers(request) => {
+      monitor_client().execute(request).await
+    }
+    Execution::RemoveContainer(request) => {
+      monitor_client().execute(request).await
+    }
+    Execution::CloneRepo(request) => {
+      monitor_client().execute(request).await
+    }
+    Execution::PullRepo(request) => {
+      monitor_client().execute(request).await
+    }
+    Execution::PruneNetworks(request) => {
+      monitor_client().execute(request).await
+    }
+    Execution::PruneImages(request) => {
+      monitor_client().execute(request).await
+    }
+    Execution::PruneContainers(request) => {
+      monitor_client().execute(request).await
+    }
+    Execution::RunSync(request) => {
+      monitor_client().execute(request).await
+    }
+    Execution::Sleep(request) => {
+      let duration =
+        Duration::from_millis(request.duration_ms as u64);
+      tokio::time::sleep(duration).await;
+      println!("Finished sleeping!");
+      std::process::exit(0)
+    }
+    Execution::None(_) => unreachable!(),
+  };
+
+  match res {
+    Ok(update) => println!("\n{}: {update:#?}", "SUCCESS".green()),
+    Err(e) => println!("{}\n\n{e:#?}", "ERROR".red()),
+  }
+
+  Ok(())
+}

bin/cli/src/helpers.rs

@@ -0,0 +1,17 @@
+use std::io::Read;
+
+use anyhow::Context;
+use colored::Colorize;
+
+pub fn wait_for_enter(press_enter_to: &str) -> anyhow::Result<()> {
+  println!(
+    "\nPress {} to {}\n",
+    "ENTER".green(),
+    press_enter_to.bold()
+  );
+  let buffer = &mut [0u8];
+  std::io::stdin()
+    .read_exact(buffer)
+    .context("failed to read ENTER")?;
+  Ok(())
+}

bin/cli/src/main.rs

@@ -0,0 +1,32 @@
+#[macro_use]
+extern crate tracing;
+
+use colored::Colorize;
+use monitor_client::api::read::GetVersion;
+
+mod args;
+mod exec;
+mod helpers;
+mod maps;
+mod state;
+mod sync;
+
+#[tokio::main]
+async fn main() -> anyhow::Result<()> {
+  tracing_subscriber::fmt().with_target(false).init();
+
+  let version =
+    state::monitor_client().read(GetVersion {}).await?.version;
+  info!("monitor version: {}", version.to_string().blue().bold());
+
+  match &state::cli_args().command {
+    args::Command::Sync { path, delete } => {
+      sync::run(path, *delete).await?
+    }
+    args::Command::Execute { execution } => {
+      exec::run(execution.to_owned()).await?
+    }
+  }
+
+  Ok(())
+}

bin/cli/src/maps.rs

@@ -0,0 +1,328 @@
+use std::{collections::HashMap, sync::OnceLock};
+
+use monitor_client::{
+  api::read,
+  entities::{
+    alerter::Alerter, build::Build, builder::Builder,
+    deployment::Deployment, procedure::Procedure, repo::Repo,
+    server::Server, server_template::ServerTemplate,
+    sync::ResourceSync, tag::Tag, user::User, user_group::UserGroup,
+    variable::Variable,
+  },
+};
+
+use crate::state::monitor_client;
+
+pub fn name_to_build() -> &'static HashMap<String, Build> {
+  static NAME_TO_BUILD: OnceLock<HashMap<String, Build>> =
+    OnceLock::new();
+  NAME_TO_BUILD.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListFullBuilds::default()),
+    )
+    .expect("failed to get builds from monitor")
+    .into_iter()
+    .map(|build| (build.name.clone(), build))
+    .collect()
+  })
+}
+
+pub fn id_to_build() -> &'static HashMap<String, Build> {
+  static ID_TO_BUILD: OnceLock<HashMap<String, Build>> =
+    OnceLock::new();
+  ID_TO_BUILD.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListFullBuilds::default()),
+    )
+    .expect("failed to get builds from monitor")
+    .into_iter()
+    .map(|build| (build.id.clone(), build))
+    .collect()
+  })
+}
+
+pub fn name_to_deployment() -> &'static HashMap<String, Deployment> {
+  static NAME_TO_DEPLOYMENT: OnceLock<HashMap<String, Deployment>> =
+    OnceLock::new();
+  NAME_TO_DEPLOYMENT.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListFullDeployments::default()),
+    )
+    .expect("failed to get deployments from monitor")
+    .into_iter()
+    .map(|deployment| (deployment.name.clone(), deployment))
+    .collect()
+  })
+}
+
+pub fn id_to_deployment() -> &'static HashMap<String, Deployment> {
+  static ID_TO_DEPLOYMENT: OnceLock<HashMap<String, Deployment>> =
+    OnceLock::new();
+  ID_TO_DEPLOYMENT.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListFullDeployments::default()),
+    )
+    .expect("failed to get deployments from monitor")
+    .into_iter()
+    .map(|deployment| (deployment.id.clone(), deployment))
+    .collect()
+  })
+}
+
+pub fn name_to_server() -> &'static HashMap<String, Server> {
+  static NAME_TO_SERVER: OnceLock<HashMap<String, Server>> =
+    OnceLock::new();
+  NAME_TO_SERVER.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListFullServers::default()),
+    )
+    .expect("failed to get servers from monitor")
+    .into_iter()
+    .map(|server| (server.name.clone(), server))
+    .collect()
+  })
+}
+
+pub fn id_to_server() -> &'static HashMap<String, Server> {
+  static ID_TO_SERVER: OnceLock<HashMap<String, Server>> =
+    OnceLock::new();
+  ID_TO_SERVER.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListFullServers::default()),
+    )
+    .expect("failed to get servers from monitor")
+    .into_iter()
+    .map(|server| (server.id.clone(), server))
+    .collect()
+  })
+}
+
+pub fn name_to_builder() -> &'static HashMap<String, Builder> {
+  static NAME_TO_BUILDER: OnceLock<HashMap<String, Builder>> =
+    OnceLock::new();
+  NAME_TO_BUILDER.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListFullBuilders::default()),
+    )
+    .expect("failed to get builders from monitor")
+    .into_iter()
+    .map(|builder| (builder.name.clone(), builder))
+    .collect()
+  })
+}
+
+pub fn id_to_builder() -> &'static HashMap<String, Builder> {
+  static ID_TO_BUILDER: OnceLock<HashMap<String, Builder>> =
+    OnceLock::new();
+  ID_TO_BUILDER.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListFullBuilders::default()),
+    )
+    .expect("failed to get builders from monitor")
+    .into_iter()
+    .map(|builder| (builder.id.clone(), builder))
+    .collect()
+  })
+}
+
+pub fn name_to_alerter() -> &'static HashMap<String, Alerter> {
+  static NAME_TO_ALERTER: OnceLock<HashMap<String, Alerter>> =
+    OnceLock::new();
+  NAME_TO_ALERTER.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListFullAlerters::default()),
+    )
+    .expect("failed to get alerters from monitor")
+    .into_iter()
+    .map(|alerter| (alerter.name.clone(), alerter))
+    .collect()
+  })
+}
+
+pub fn id_to_alerter() -> &'static HashMap<String, Alerter> {
+  static ID_TO_ALERTER: OnceLock<HashMap<String, Alerter>> =
+    OnceLock::new();
+  ID_TO_ALERTER.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListFullAlerters::default()),
+    )
+    .expect("failed to get alerters from monitor")
+    .into_iter()
+    .map(|alerter| (alerter.id.clone(), alerter))
+    .collect()
+  })
+}
+
+pub fn name_to_repo() -> &'static HashMap<String, Repo> {
+  static NAME_TO_ALERTER: OnceLock<HashMap<String, Repo>> =
+    OnceLock::new();
+  NAME_TO_ALERTER.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListFullRepos::default()),
+    )
+    .expect("failed to get repos from monitor")
+    .into_iter()
+    .map(|repo| (repo.name.clone(), repo))
+    .collect()
+  })
+}
+
+pub fn id_to_repo() -> &'static HashMap<String, Repo> {
+  static ID_TO_ALERTER: OnceLock<HashMap<String, Repo>> =
+    OnceLock::new();
+  ID_TO_ALERTER.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListFullRepos::default()),
+    )
+    .expect("failed to get repos from monitor")
+    .into_iter()
+    .map(|repo| (repo.id.clone(), repo))
+    .collect()
+  })
+}
+
+pub fn name_to_procedure() -> &'static HashMap<String, Procedure> {
+  static NAME_TO_PROCEDURE: OnceLock<HashMap<String, Procedure>> =
+    OnceLock::new();
+  NAME_TO_PROCEDURE.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListFullProcedures::default()),
+    )
+    .expect("failed to get procedures from monitor")
+    .into_iter()
+    .map(|procedure| (procedure.name.clone(), procedure))
+    .collect()
+  })
+}
+
+pub fn id_to_procedure() -> &'static HashMap<String, Procedure> {
+  static ID_TO_PROCEDURE: OnceLock<HashMap<String, Procedure>> =
+    OnceLock::new();
+  ID_TO_PROCEDURE.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListFullProcedures::default()),
+    )
+    .expect("failed to get procedures from monitor")
+    .into_iter()
+    .map(|procedure| (procedure.id.clone(), procedure))
+    .collect()
+  })
+}
+
+pub fn name_to_server_template(
+) -> &'static HashMap<String, ServerTemplate> {
+  static NAME_TO_SERVER_TEMPLATE: OnceLock<
+    HashMap<String, ServerTemplate>,
+  > = OnceLock::new();
+  NAME_TO_SERVER_TEMPLATE.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListFullServerTemplates::default()),
+    )
+    .expect("failed to get server templates from monitor")
+    .into_iter()
+    .map(|procedure| (procedure.name.clone(), procedure))
+    .collect()
+  })
+}
+
+pub fn id_to_server_template(
+) -> &'static HashMap<String, ServerTemplate> {
+  static ID_TO_SERVER_TEMPLATE: OnceLock<
+    HashMap<String, ServerTemplate>,
+  > = OnceLock::new();
+  ID_TO_SERVER_TEMPLATE.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListFullServerTemplates::default()),
+    )
+    .expect("failed to get server templates from monitor")
+    .into_iter()
+    .map(|procedure| (procedure.id.clone(), procedure))
+    .collect()
+  })
+}
+
+pub fn name_to_resource_sync(
+) -> &'static HashMap<String, ResourceSync> {
+  static NAME_TO_SYNC: OnceLock<HashMap<String, ResourceSync>> =
+    OnceLock::new();
+  NAME_TO_SYNC.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListFullResourceSyncs::default()),
+    )
+    .expect("failed to get syncs from monitor")
+    .into_iter()
+    .map(|sync| (sync.name.clone(), sync))
+    .collect()
+  })
+}
+
+pub fn id_to_resource_sync() -> &'static HashMap<String, ResourceSync>
+{
+  static ID_TO_SYNC: OnceLock<HashMap<String, ResourceSync>> =
+    OnceLock::new();
+  ID_TO_SYNC.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListFullResourceSyncs::default()),
+    )
+    .expect("failed to get syncs from monitor")
+    .into_iter()
+    .map(|sync| (sync.id.clone(), sync))
+    .collect()
+  })
+}
+
+pub fn name_to_user_group() -> &'static HashMap<String, UserGroup> {
+  static NAME_TO_USER_GROUP: OnceLock<HashMap<String, UserGroup>> =
+    OnceLock::new();
+  NAME_TO_USER_GROUP.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListUserGroups::default()),
+    )
+    .expect("failed to get user groups from monitor")
+    .into_iter()
+    .map(|user_group| (user_group.name.clone(), user_group))
+    .collect()
+  })
+}
+
+pub fn name_to_variable() -> &'static HashMap<String, Variable> {
+  static NAME_TO_VARIABLE: OnceLock<HashMap<String, Variable>> =
+    OnceLock::new();
+  NAME_TO_VARIABLE.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListVariables::default()),
+    )
+    .expect("failed to get user groups from monitor")
+    .variables
+    .into_iter()
+    .map(|variable| (variable.name.clone(), variable))
+    .collect()
+  })
+}
+
+pub fn id_to_user() -> &'static HashMap<String, User> {
+  static ID_TO_USER: OnceLock<HashMap<String, User>> =
+    OnceLock::new();
+  ID_TO_USER.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListUsers::default()),
+    )
+    .expect("failed to get users from monitor")
+    .into_iter()
+    .map(|user| (user.id.clone(), user))
+    .collect()
+  })
+}
+
+pub fn id_to_tag() -> &'static HashMap<String, Tag> {
+  static ID_TO_TAG: OnceLock<HashMap<String, Tag>> = OnceLock::new();
+  ID_TO_TAG.get_or_init(|| {
+    futures::executor::block_on(
+      monitor_client().read(read::ListTags::default()),
+    )
+    .expect("failed to get tags from monitor")
+    .into_iter()
+    .map(|tag| (tag.id.clone(), tag))
+    .collect()
+  })
+}

bin/cli/src/state.rs

@@ -0,0 +1,46 @@
+use std::sync::OnceLock;
+
+use clap::Parser;
+use merge_config_files::parse_config_file;
+use monitor_client::MonitorClient;
+
+pub fn cli_args() -> &'static crate::args::CliArgs {
+  static CLI_ARGS: OnceLock<crate::args::CliArgs> = OnceLock::new();
+  CLI_ARGS.get_or_init(crate::args::CliArgs::parse)
+}
+
+pub fn monitor_client() -> &'static MonitorClient {
+  static MONITOR_CLIENT: OnceLock<MonitorClient> = OnceLock::new();
+  MONITOR_CLIENT.get_or_init(|| {
+    let args = cli_args();
+    let crate::args::CredsFile { url, key, secret } =
+      match (&args.url, &args.key, &args.secret) {
+        (Some(url), Some(key), Some(secret)) => {
+          crate::args::CredsFile {
+            url: url.clone(),
+            key: key.clone(),
+            secret: secret.clone(),
+          }
+        }
+        (url, key, secret) => {
+          let mut creds: crate::args::CredsFile =
+            parse_config_file(cli_args().creds.as_str())
+              .expect("failed to parse monitor credentials");
+
+          if let Some(url) = url {
+            creds.url.clone_from(url);
+          }
+          if let Some(key) = key {
+            creds.key.clone_from(key);
+          }
+          if let Some(secret) = secret {
+            creds.secret.clone_from(secret);
+          }
+
+          creds
+        }
+      };
+    futures::executor::block_on(MonitorClient::new(url, key, secret))
+      .expect("failed to initialize monitor client")
+  })
+}

bin/cli/src/sync/file.rs

@@ -0,0 +1,80 @@
+use std::{
+  fs,
+  path::{Path, PathBuf},
+  str::FromStr,
+};
+
+use anyhow::{anyhow, Context};
+use colored::Colorize;
+use monitor_client::entities::toml::ResourcesToml;
+use serde::de::DeserializeOwned;
+
+pub fn read_resources(path: &str) -> anyhow::Result<ResourcesToml> {
+  let mut res = ResourcesToml::default();
+  let path =
+    PathBuf::from_str(path).context("invalid resources path")?;
+  read_resources_recursive(&path, &mut res)?;
+  Ok(res)
+}
+
+fn read_resources_recursive(
+  path: &Path,
+  resources: &mut ResourcesToml,
+) -> anyhow::Result<()> {
+  let res =
+    fs::metadata(path).context("failed to get path metadata")?;
+  if res.is_file() {
+    if !path
+      .extension()
+      .map(|ext| ext == "toml")
+      .unwrap_or_default()
+    {
+      return Ok(());
+    }
+    let more = match parse_toml_file::<ResourcesToml>(path) {
+      Ok(res) => res,
+      Err(e) => {
+        warn!("failed to parse {:?}. skipping file | {e:#}", path);
+        return Ok(());
+      }
+    };
+    info!(
+      "{} from {}",
+      "adding resources".green().bold(),
+      path.display().to_string().blue().bold()
+    );
+    resources.servers.extend(more.servers);
+    resources.deployments.extend(more.deployments);
+    resources.builds.extend(more.builds);
+    resources.repos.extend(more.repos);
+    resources.procedures.extend(more.procedures);
+    resources.builders.extend(more.builders);
+    resources.alerters.extend(more.alerters);
+    resources.server_templates.extend(more.server_templates);
+    resources.resource_syncs.extend(more.resource_syncs);
+    resources.user_groups.extend(more.user_groups);
+    resources.variables.extend(more.variables);
+    Ok(())
+  } else if res.is_dir() {
+    let directory = fs::read_dir(path)
+      .context("failed to read directory contents")?;
+    for entry in directory.into_iter().flatten() {
+      if let Err(e) =
+        read_resources_recursive(&entry.path(), resources)
+      {
+        warn!("failed to read additional resources at path | {e:#}");
+      }
+    }
+    Ok(())
+  } else {
+    Err(anyhow!("resources path is neither file nor directory"))
+  }
+}
+
+fn parse_toml_file<T: DeserializeOwned>(
+  path: impl AsRef<std::path::Path>,
+) -> anyhow::Result<T> {
+  let contents = std::fs::read_to_string(path)
+    .context("failed to read file contents")?;
+  toml::from_str(&contents).context("failed to parse toml contents")
+}

bin/cli/src/sync/mod.rs

@@ -0,0 +1,174 @@
+use colored::Colorize;
+use monitor_client::entities::{
+  self, alerter::Alerter, build::Build, builder::Builder,
+  deployment::Deployment, procedure::Procedure, repo::Repo,
+  server::Server, server_template::ServerTemplate,
+};
+
+use crate::{helpers::wait_for_enter, state::cli_args};
+
+mod file;
+mod resource;
+mod resources;
+mod user_group;
+mod variables;
+
+use resource::ResourceSync;
+
+pub async fn run(path: &str, delete: bool) -> anyhow::Result<()> {
+  info!("resources path: {}", path.blue().bold());
+  if delete {
+    warn!("Delete mode {}", "enabled".bold());
+  }
+
+  let resources = file::read_resources(path)?;
+
+  info!("computing sync actions...");
+
+  let (server_creates, server_updates, server_deletes) =
+    resource::get_updates::<Server>(resources.servers, delete)?;
+  let (deployment_creates, deployment_updates, deployment_deletes) =
+    resource::get_updates::<Deployment>(
+      resources.deployments,
+      delete,
+    )?;
+  let (build_creates, build_updates, build_deletes) =
+    resource::get_updates::<Build>(resources.builds, delete)?;
+  let (repo_creates, repo_updates, repo_deletes) =
+    resource::get_updates::<Repo>(resources.repos, delete)?;
+  let (procedure_creates, procedure_updates, procedure_deletes) =
+    resource::get_updates::<Procedure>(resources.procedures, delete)?;
+  let (builder_creates, builder_updates, builder_deletes) =
+    resource::get_updates::<Builder>(resources.builders, delete)?;
+  let (alerter_creates, alerter_updates, alerter_deletes) =
+    resource::get_updates::<Alerter>(resources.alerters, delete)?;
+  let (
+    server_template_creates,
+    server_template_updates,
+    server_template_deletes,
+  ) = resource::get_updates::<ServerTemplate>(
+    resources.server_templates,
+    delete,
+  )?;
+  let (
+    resource_sync_creates,
+    resource_sync_updates,
+    resource_sync_deletes,
+  ) = resource::get_updates::<entities::sync::ResourceSync>(
+    resources.resource_syncs,
+    delete,
+  )?;
+
+  let (variable_creates, variable_updates, variable_deletes) =
+    variables::get_updates(resources.variables, delete)?;
+
+  let (user_group_creates, user_group_updates, user_group_deletes) =
+    user_group::get_updates(resources.user_groups, delete).await?;
+
+  if resource_sync_creates.is_empty()
+    && resource_sync_updates.is_empty()
+    && resource_sync_deletes.is_empty()
+    && server_template_creates.is_empty()
+    && server_template_updates.is_empty()
+    && server_template_deletes.is_empty()
+    && server_creates.is_empty()
+    && server_updates.is_empty()
+    && server_deletes.is_empty()
+    && deployment_creates.is_empty()
+    && deployment_updates.is_empty()
+    && deployment_deletes.is_empty()
+    && build_creates.is_empty()
+    && build_updates.is_empty()
+    && build_deletes.is_empty()
+    && builder_creates.is_empty()
+    && builder_updates.is_empty()
+    && builder_deletes.is_empty()
+    && alerter_creates.is_empty()
+    && alerter_updates.is_empty()
+    && alerter_deletes.is_empty()
+    && repo_creates.is_empty()
+    && repo_updates.is_empty()
+    && repo_deletes.is_empty()
+    && procedure_creates.is_empty()
+    && procedure_updates.is_empty()
+    && procedure_deletes.is_empty()
+    && user_group_creates.is_empty()
+    && user_group_updates.is_empty()
+    && user_group_deletes.is_empty()
+    && variable_creates.is_empty()
+    && variable_updates.is_empty()
+    && variable_deletes.is_empty()
+  {
+    info!("{}. exiting.", "nothing to do".green().bold());
+    return Ok(());
+  }
+
+  if !cli_args().yes {
+    wait_for_enter("run sync")?;
+  }
+
+  // No deps
+  entities::sync::ResourceSync::run_updates(
+    resource_sync_creates,
+    resource_sync_updates,
+    resource_sync_deletes,
+  )
+  .await;
+  ServerTemplate::run_updates(
+    server_template_creates,
+    server_template_updates,
+    server_template_deletes,
+  )
+  .await;
+  Server::run_updates(server_creates, server_updates, server_deletes)
+    .await;
+  Alerter::run_updates(
+    alerter_creates,
+    alerter_updates,
+    alerter_deletes,
+  )
+  .await;
+
+  // Dependant on server
+  Builder::run_updates(
+    builder_creates,
+    builder_updates,
+    builder_deletes,
+  )
+  .await;
+  Repo::run_updates(repo_creates, repo_updates, repo_deletes).await;
+
+  // Dependant on builder
+  Build::run_updates(build_creates, build_updates, build_deletes)
+    .await;
+
+  // Dependant on server / build
+  Deployment::run_updates(
+    deployment_creates,
+    deployment_updates,
+    deployment_deletes,
+  )
+  .await;
+
+  // Dependant on everything
+  Procedure::run_updates(
+    procedure_creates,
+    procedure_updates,
+    procedure_deletes,
+  )
+  .await;
+  variables::run_updates(
+    variable_creates,
+    variable_updates,
+    variable_deletes,
+  )
+  .await;
+  user_group::run_updates(
+    user_group_creates,
+    user_group_updates,
+    user_group_deletes,
+  )
+  .await;
+
+  Ok(())
+}

bin/cli/src/sync/resource.rs

@@ -0,0 +1,358 @@
+use std::collections::HashMap;
+
+use colored::Colorize;
+use monitor_client::{
+  api::write::{UpdateDescription, UpdateTagsOnResource},
+  entities::{
+    resource::Resource, toml::ResourceToml, update::ResourceTarget,
+  },
+};
+use partial_derive2::{Diff, FieldDiff, MaybeNone, PartialDiff};
+use serde::Serialize;
+
+use crate::maps::id_to_tag;
+
+pub type ToUpdate<T> = Vec<ToUpdateItem<T>>;
+pub type ToCreate<T> = Vec<ResourceToml<T>>;
+/// Vec of resource names
+pub type ToDelete = Vec<String>;
+
+type UpdatesResult<T> = (ToCreate<T>, ToUpdate<T>, ToDelete);
+
+pub struct ToUpdateItem<T: Default> {
+  pub id: String,
+  pub resource: ResourceToml<T>,
+  pub update_description: bool,
+  pub update_tags: bool,
+}
+
+pub trait ResourceSync: Sized {
+  type Config: Clone
+    + Default
+    + Send
+    + From<Self::PartialConfig>
+    + PartialDiff<Self::PartialConfig, Self::ConfigDiff>
+    + 'static;
+  type Info: Default + 'static;
+  type PartialConfig: std::fmt::Debug
+    + Clone
+    + Send
+    + Default
+    + From<Self::Config>
+    + From<Self::ConfigDiff>
+    + Serialize
+    + MaybeNone
+    + 'static;
+  type ConfigDiff: Diff + MaybeNone;
+
+  fn display() -> &'static str;
+
+  fn resource_target(id: String) -> ResourceTarget;
+
+  fn name_to_resource(
+  ) -> &'static HashMap<String, Resource<Self::Config, Self::Info>>;
+
+  /// Creates the resource and returns created id.
+  async fn create(
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<String>;
+
+  /// Updates the resource at id with the partial config.
+  async fn update(
+    id: String,
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<()>;
+
+  /// Apply any changes to incoming toml partial config
+  /// before it is diffed against existing config
+  fn validate_partial_config(_config: &mut Self::PartialConfig) {}
+
+  /// Diffs the declared toml (partial) against the full existing config.
+  /// Removes all fields from toml (partial) that haven't changed.
+  fn get_diff(
+    original: Self::Config,
+    update: Self::PartialConfig,
+  ) -> anyhow::Result<Self::ConfigDiff>;
+
+  /// Apply any changes to computed config diff
+  /// before logging
+  fn validate_diff(_diff: &mut Self::ConfigDiff) {}
+
+  /// Deletes the target resource
+  async fn delete(id_or_name: String) -> anyhow::Result<()>;
+
+  async fn run_updates(
+    to_create: ToCreate<Self::PartialConfig>,
+    to_update: ToUpdate<Self::PartialConfig>,
+    to_delete: ToDelete,
+  ) {
+    for resource in to_create {
+      let name = resource.name.clone();
+      let tags = resource.tags.clone();
+      let description = resource.description.clone();
+      let id = match Self::create(resource).await {
+        Ok(id) => id,
+        Err(e) => {
+          warn!(
+            "failed to create {} {name} | {e:#}",
+            Self::display(),
+          );
+          continue;
+        }
+      };
+      run_update_tags::<Self>(id.clone(), &name, tags).await;
+      run_update_description::<Self>(id, &name, description).await;
+      info!(
+        "{} {} '{}'",
+        "created".green().bold(),
+        Self::display(),
+        name.bold(),
+      );
+    }
+
+    for ToUpdateItem {
+      id,
+      resource,
+      update_description,
+      update_tags,
+    } in to_update
+    {
+      // Update resource
+      let name = resource.name.clone();
+      let tags = resource.tags.clone();
+      let description = resource.description.clone();
+
+      if update_description {
+        run_update_description::<Self>(
+          id.clone(),
+          &name,
+          description,
+        )
+        .await;
+      }
+
+      if update_tags {
+        run_update_tags::<Self>(id.clone(), &name, tags).await;
+      }
+
+      if !resource.config.is_none() {
+        if let Err(e) = Self::update(id, resource).await {
+          warn!(
+            "failed to update config on {} {name} | {e:#}",
+            Self::display()
+          );
+        } else {
+          info!(
+            "{} {} '{}' configuration",
+            "updated".blue().bold(),
+            Self::display(),
+            name.bold(),
+          );
+        }
+      }
+    }
+
+    for resource in to_delete {
+      if let Err(e) = Self::delete(resource.clone()).await {
+        warn!(
+          "failed to delete {} {resource} | {e:#}",
+          Self::display()
+        );
+      } else {
+        info!(
+          "{} {} '{}'",
+          "deleted".red().bold(),
+          Self::display(),
+          resource.bold(),
+        );
+      }
+    }
+  }
+}
+
+/// Gets all the resources to update, logging along the way.
+pub fn get_updates<Resource: ResourceSync>(
+  resources: Vec<ResourceToml<Resource::PartialConfig>>,
+  delete: bool,
+) -> anyhow::Result<UpdatesResult<Resource::PartialConfig>> {
+  let map = Resource::name_to_resource();
+
+  let mut to_create = ToCreate::<Resource::PartialConfig>::new();
+  let mut to_update = ToUpdate::<Resource::PartialConfig>::new();
+  let mut to_delete = ToDelete::new();
+
+  if delete {
+    for resource in map.values() {
+      if !resources.iter().any(|r| r.name == resource.name) {
+        to_delete.push(resource.name.clone());
+      }
+    }
+  }
+
+  for mut resource in resources {
+    match map.get(&resource.name) {
+      Some(original) => {
+        // First merge toml resource config (partial) onto default resource config.
+        // Makes sure things that aren't defined in toml (come through as None) actually get removed.
+        let config: Resource::Config = resource.config.into();
+        resource.config = config.into();
+
+        Resource::validate_partial_config(&mut resource.config);
+
+        let mut diff = Resource::get_diff(
+          original.config.clone(),
+          resource.config,
+        )?;
+
+        Resource::validate_diff(&mut diff);
+
+        let original_tags = original
+          .tags
+          .iter()
+          .filter_map(|id| {
+            id_to_tag().get(id).map(|t| t.name.clone())
+          })
+          .collect::<Vec<_>>();
+
+        // Only proceed if there are any fields to update,
+        // or a change to tags / description
+        if diff.is_none()
+          && resource.description == original.description
+          && resource.tags == original_tags
+        {
+          continue;
+        }
+
+        println!(
+          "\n{}: {}: '{}'\n-------------------",
+          "UPDATE".blue(),
+          Resource::display(),
+          resource.name.bold(),
+        );
+        let mut lines = Vec::<String>::new();
+        if resource.description != original.description {
+          lines.push(format!(
+            "{}: 'description'\n{}:  {}\n{}:    {}",
+            "field".dimmed(),
+            "from".dimmed(),
+            original.description.red(),
+            "to".dimmed(),
+            resource.description.green()
+          ))
+        }
+        if resource.tags != original_tags {
+          let from = format!("{:?}", original_tags).red();
+          let to = format!("{:?}", resource.tags).green();
+          lines.push(format!(
+            "{}: 'tags'\n{}:  {from}\n{}:    {to}",
+            "field".dimmed(),
+            "from".dimmed(),
+            "to".dimmed(),
+          ));
+        }
+        lines.extend(diff.iter_field_diffs().map(
+          |FieldDiff { field, from, to }| {
+            format!(
+              "{}: '{field}'\n{}:  {}\n{}:    {}",
+              "field".dimmed(),
+              "from".dimmed(),
+              from.red(),
+              "to".dimmed(),
+              to.green()
+            )
+          },
+        ));
+        println!("{}", lines.join("\n-------------------\n"));
+
+        // Minimizes updates through diffing.
+        resource.config = diff.into();
+
+        let update = ToUpdateItem {
+          id: original.id.clone(),
+          update_description: resource.description
+            != original.description,
+          update_tags: resource.tags != original_tags,
+          resource,
+        };
+
+        to_update.push(update);
+      }
+      None => {
+        println!(
+          "\n{}: {}: {}\n{}: {}\n{}: {:?}\n{}: {}",
+          "CREATE".green(),
+          Resource::display(),
+          resource.name.bold().green(),
+          "description".dimmed(),
+          resource.description,
+          "tags".dimmed(),
+          resource.tags,
+          "config".dimmed(),
+          serde_json::to_string_pretty(&resource.config)?
+        );
+        to_create.push(resource);
+      }
+    }
+  }
+
+  for name in &to_delete {
+    println!(
+      "\n{}: {}: '{}'\n-------------------",
+      "DELETE".red(),
+      Resource::display(),
+      name.bold(),
+    );
+  }
+
+  Ok((to_create, to_update, to_delete))
+}
+
+pub async fn run_update_tags<Resource: ResourceSync>(
+  id: String,
+  name: &str,
+  tags: Vec<String>,
+) {
+  // Update tags
+  if let Err(e) = crate::state::monitor_client()
+    .write(UpdateTagsOnResource {
+      target: Resource::resource_target(id),
+      tags,
+    })
+    .await
+  {
+    warn!(
+      "failed to update tags on {} {name} | {e:#}",
+      Resource::display(),
+    );
+  } else {
+    info!(
+      "{} {} '{}' tags",
+      "updated".blue().bold(),
+      Resource::display(),
+      name.bold(),
+    );
+  }
+}
+
+pub async fn run_update_description<Resource: ResourceSync>(
+  id: String,
+  name: &str,
+  description: String,
+) {
+  if let Err(e) = crate::state::monitor_client()
+    .write(UpdateDescription {
+      target: Resource::resource_target(id.clone()),
+      description,
+    })
+    .await
+  {
+    warn!("failed to update resource {id} description | {e:#}");
+  } else {
+    info!(
+      "{} {} '{}' description",
+      "updated".blue().bold(),
+      Resource::display(),
+      name.bold(),
+    );
+  }
+}

bin/cli/src/sync/resources/alerter.rs

@@ -0,0 +1,77 @@
+use partial_derive2::PartialDiff;
+use std::collections::HashMap;
+
+use monitor_client::{
+  api::write::{CreateAlerter, DeleteAlerter, UpdateAlerter},
+  entities::{
+    alerter::{
+      Alerter, AlerterConfig, AlerterConfigDiff, PartialAlerterConfig,
+    },
+    resource::Resource,
+    toml::ResourceToml,
+    update::ResourceTarget,
+  },
+};
+
+use crate::{
+  maps::name_to_alerter, state::monitor_client,
+  sync::resource::ResourceSync,
+};
+
+impl ResourceSync for Alerter {
+  type Config = AlerterConfig;
+  type Info = ();
+  type PartialConfig = PartialAlerterConfig;
+  type ConfigDiff = AlerterConfigDiff;
+
+  fn display() -> &'static str {
+    "alerter"
+  }
+
+  fn resource_target(id: String) -> ResourceTarget {
+    ResourceTarget::Alerter(id)
+  }
+
+  fn name_to_resource(
+  ) -> &'static HashMap<String, Resource<Self::Config, Self::Info>>
+  {
+    name_to_alerter()
+  }
+
+  async fn create(
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<String> {
+    monitor_client()
+      .write(CreateAlerter {
+        name: resource.name,
+        config: resource.config,
+      })
+      .await
+      .map(|res| res.id)
+  }
+
+  async fn update(
+    id: String,
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<()> {
+    monitor_client()
+      .write(UpdateAlerter {
+        id,
+        config: resource.config,
+      })
+      .await?;
+    Ok(())
+  }
+
+  fn get_diff(
+    original: Self::Config,
+    update: Self::PartialConfig,
+  ) -> anyhow::Result<Self::ConfigDiff> {
+    Ok(original.partial_diff(update))
+  }
+
+  async fn delete(id: String) -> anyhow::Result<()> {
+    monitor_client().write(DeleteAlerter { id }).await?;
+    Ok(())
+  }
+}

bin/cli/src/sync/resources/build.rs

@@ -0,0 +1,93 @@
+use std::collections::HashMap;
+
+use monitor_client::{
+  api::write::{CreateBuild, DeleteBuild, UpdateBuild},
+  entities::{
+    build::{
+      Build, BuildConfig, BuildConfigDiff, BuildInfo,
+      PartialBuildConfig,
+    },
+    resource::Resource,
+    toml::ResourceToml,
+    update::ResourceTarget,
+  },
+};
+use partial_derive2::PartialDiff;
+
+use crate::{
+  maps::{id_to_builder, name_to_build},
+  state::monitor_client,
+  sync::resource::ResourceSync,
+};
+
+impl ResourceSync for Build {
+  type Config = BuildConfig;
+  type Info = BuildInfo;
+  type PartialConfig = PartialBuildConfig;
+  type ConfigDiff = BuildConfigDiff;
+
+  fn display() -> &'static str {
+    "build"
+  }
+
+  fn resource_target(id: String) -> ResourceTarget {
+    ResourceTarget::Build(id)
+  }
+
+  fn name_to_resource(
+  ) -> &'static HashMap<String, Resource<Self::Config, Self::Info>>
+  {
+    name_to_build()
+  }
+
+  async fn create(
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<String> {
+    monitor_client()
+      .write(CreateBuild {
+        name: resource.name,
+        config: resource.config,
+      })
+      .await
+      .map(|res| res.id)
+  }
+
+  async fn update(
+    id: String,
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<()> {
+    monitor_client()
+      .write(UpdateBuild {
+        id,
+        config: resource.config,
+      })
+      .await?;
+    Ok(())
+  }
+
+  fn get_diff(
+    mut original: Self::Config,
+    update: Self::PartialConfig,
+  ) -> anyhow::Result<Self::ConfigDiff> {
+    // need to replace the builder id with name
+    original.builder_id = id_to_builder()
+      .get(&original.builder_id)
+      .map(|b| b.name.clone())
+      .unwrap_or_default();
+
+    Ok(original.partial_diff(update))
+  }
+
+  fn validate_diff(diff: &mut Self::ConfigDiff) {
+    if let Some((_, to)) = &diff.version {
+      if to.is_none() {
+        diff.version = None;
+      }
+    }
+  }
+
+  async fn delete(id: String) -> anyhow::Result<()> {
+    monitor_client().write(DeleteBuild { id }).await?;
+    Ok(())
+  }
+}

bin/cli/src/sync/resources/builder.rs

@@ -0,0 +1,86 @@
+use std::collections::HashMap;
+
+use monitor_client::{
+  api::write::{CreateBuilder, DeleteBuilder, UpdateBuilder},
+  entities::{
+    builder::{
+      Builder, BuilderConfig, BuilderConfigDiff, PartialBuilderConfig,
+    },
+    resource::Resource,
+    toml::ResourceToml,
+    update::ResourceTarget,
+  },
+};
+use partial_derive2::PartialDiff;
+
+use crate::{
+  maps::{id_to_server, name_to_builder},
+  state::monitor_client,
+  sync::resource::ResourceSync,
+};
+
+impl ResourceSync for Builder {
+  type Config = BuilderConfig;
+  type Info = ();
+  type PartialConfig = PartialBuilderConfig;
+  type ConfigDiff = BuilderConfigDiff;
+
+  fn display() -> &'static str {
+    "builder"
+  }
+
+  fn resource_target(id: String) -> ResourceTarget {
+    ResourceTarget::Builder(id)
+  }
+
+  fn name_to_resource(
+  ) -> &'static HashMap<String, Resource<Self::Config, Self::Info>>
+  {
+    name_to_builder()
+  }
+
+  async fn create(
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<String> {
+    monitor_client()
+      .write(CreateBuilder {
+        name: resource.name,
+        config: resource.config,
+      })
+      .await
+      .map(|res| res.id)
+  }
+
+  async fn update(
+    id: String,
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<()> {
+    monitor_client()
+      .write(UpdateBuilder {
+        id,
+        config: resource.config,
+      })
+      .await?;
+    Ok(())
+  }
+
+  fn get_diff(
+    mut original: Self::Config,
+    update: Self::PartialConfig,
+  ) -> anyhow::Result<Self::ConfigDiff> {
+    // need to replace server builder id with name
+    if let BuilderConfig::Server(config) = &mut original {
+      config.server_id = id_to_server()
+        .get(&config.server_id)
+        .map(|s| s.name.clone())
+        .unwrap_or_default();
+    }
+
+    Ok(original.partial_diff(update))
+  }
+
+  async fn delete(id: String) -> anyhow::Result<()> {
+    monitor_client().write(DeleteBuilder { id }).await?;
+    Ok(())
+  }
+}

bin/cli/src/sync/resources/deployment.rs

@@ -0,0 +1,98 @@
+use std::collections::HashMap;
+
+use monitor_client::{
+  api::write::{self, DeleteDeployment},
+  entities::{
+    deployment::{
+      Deployment, DeploymentConfig, DeploymentConfigDiff,
+      DeploymentImage, PartialDeploymentConfig,
+    },
+    resource::Resource,
+    toml::ResourceToml,
+    update::ResourceTarget,
+  },
+};
+use partial_derive2::PartialDiff;
+
+use crate::{
+  maps::{id_to_build, id_to_server, name_to_deployment},
+  state::monitor_client,
+  sync::resource::ResourceSync,
+};
+
+impl ResourceSync for Deployment {
+  type Config = DeploymentConfig;
+  type Info = ();
+  type PartialConfig = PartialDeploymentConfig;
+  type ConfigDiff = DeploymentConfigDiff;
+
+  fn display() -> &'static str {
+    "deployment"
+  }
+
+  fn resource_target(id: String) -> ResourceTarget {
+    ResourceTarget::Deployment(id)
+  }
+
+  fn name_to_resource(
+  ) -> &'static HashMap<String, Resource<Self::Config, Self::Info>>
+  {
+    name_to_deployment()
+  }
+
+  async fn create(
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<String> {
+    monitor_client()
+      .write(write::CreateDeployment {
+        name: resource.name,
+        config: resource.config,
+      })
+      .await
+      .map(|res| res.id)
+  }
+
+  async fn update(
+    id: String,
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<()> {
+    monitor_client()
+      .write(write::UpdateDeployment {
+        id,
+        config: resource.config,
+      })
+      .await?;
+    Ok(())
+  }
+
+  fn get_diff(
+    mut original: Self::Config,
+    update: Self::PartialConfig,
+  ) -> anyhow::Result<Self::ConfigDiff> {
+    // need to replace the server id with name
+    original.server_id = id_to_server()
+      .get(&original.server_id)
+      .map(|s| s.name.clone())
+      .unwrap_or_default();
+
+    // need to replace the build id with name
+    if let DeploymentImage::Build { build_id, version } =
+      &original.image
+    {
+      original.image = DeploymentImage::Build {
+        build_id: id_to_build()
+          .get(build_id)
+          .map(|b| b.name.clone())
+          .unwrap_or_default(),
+        version: *version,
+      };
+    }
+
+    Ok(original.partial_diff(update))
+  }
+
+  async fn delete(id: String) -> anyhow::Result<()> {
+    monitor_client().write(DeleteDeployment { id }).await?;
+    Ok(())
+  }
+}

bin/cli/src/sync/resources/mod.rs

@@ -0,0 +1,9 @@
+mod alerter;
+mod build;
+mod builder;
+mod deployment;
+mod procedure;
+mod repo;
+mod server;
+mod server_template;
+mod sync;

bin/cli/src/sync/resources/procedure.rs

@@ -0,0 +1,275 @@
+use std::collections::HashMap;
+
+use colored::Colorize;
+use monitor_client::{
+  api::{
+    execute::Execution,
+    write::{CreateProcedure, DeleteProcedure, UpdateProcedure},
+  },
+  entities::{
+    procedure::{
+      PartialProcedureConfig, Procedure, ProcedureConfig,
+      ProcedureConfigDiff,
+    },
+    resource::Resource,
+    toml::ResourceToml,
+    update::ResourceTarget,
+  },
+};
+use partial_derive2::{MaybeNone, PartialDiff};
+
+use crate::{
+  maps::{
+    id_to_build, id_to_deployment, id_to_procedure, id_to_repo,
+    id_to_resource_sync, id_to_server, name_to_procedure,
+  },
+  state::monitor_client,
+  sync::resource::{
+    run_update_description, run_update_tags, ResourceSync, ToCreate,
+    ToDelete, ToUpdate, ToUpdateItem,
+  },
+};
+
+impl ResourceSync for Procedure {
+  type Config = ProcedureConfig;
+  type Info = ();
+  type PartialConfig = PartialProcedureConfig;
+  type ConfigDiff = ProcedureConfigDiff;
+
+  fn display() -> &'static str {
+    "procedure"
+  }
+
+  fn resource_target(id: String) -> ResourceTarget {
+    ResourceTarget::Procedure(id)
+  }
+
+  fn name_to_resource(
+  ) -> &'static HashMap<String, Resource<Self::Config, Self::Info>>
+  {
+    name_to_procedure()
+  }
+
+  async fn create(
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<String> {
+    monitor_client()
+      .write(CreateProcedure {
+        name: resource.name,
+        config: resource.config,
+      })
+      .await
+      .map(|p| p.id)
+  }
+
+  async fn update(
+    id: String,
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<()> {
+    monitor_client()
+      .write(UpdateProcedure {
+        id,
+        config: resource.config,
+      })
+      .await?;
+    Ok(())
+  }
+
+  async fn run_updates(
+    mut to_create: ToCreate<Self::PartialConfig>,
+    mut to_update: ToUpdate<Self::PartialConfig>,
+    to_delete: ToDelete,
+  ) {
+    for name in to_delete {
+      if let Err(e) = crate::state::monitor_client()
+        .write(DeleteProcedure { id: name.clone() })
+        .await
+      {
+        warn!("failed to delete procedure {name} | {e:#}",);
+      } else {
+        info!(
+          "{} procedure '{}'",
+          "deleted".red().bold(),
+          name.bold(),
+        );
+      }
+    }
+
+    if to_update.is_empty() && to_create.is_empty() {
+      return;
+    }
+
+    for i in 0..10 {
+      let mut to_pull = Vec::new();
+      for ToUpdateItem {
+        id,
+        resource,
+        update_description,
+        update_tags,
+      } in &to_update
+      {
+        // Update resource
+        let name = resource.name.clone();
+        let tags = resource.tags.clone();
+        let description = resource.description.clone();
+        if *update_description {
+          run_update_description::<Procedure>(
+            id.clone(),
+            &name,
+            description,
+          )
+          .await;
+        }
+        if *update_tags {
+          run_update_tags::<Procedure>(id.clone(), &name, tags).await;
+        }
+        if !resource.config.is_none() {
+          if let Err(e) =
+            Self::update(id.clone(), resource.clone()).await
+          {
+            if i == 9 {
+              warn!(
+                "failed to update {} {name} | {e:#}",
+                Self::display()
+              );
+            }
+            continue;
+          }
+        }
+
+        info!("{} {name} updated", Self::display());
+        // have to clone out so to_update is mutable
+        to_pull.push(id.clone());
+      }
+      //
+      to_update.retain(|resource| !to_pull.contains(&resource.id));
+
+      let mut to_pull = Vec::new();
+      for resource in &to_create {
+        let name = resource.name.clone();
+        let tags = resource.tags.clone();
+        let description = resource.description.clone();
+        let id = match Self::create(resource.clone()).await {
+          Ok(id) => id,
+          Err(e) => {
+            if i == 9 {
+              warn!(
+                "failed to create {} {name} | {e:#}",
+                Self::display(),
+              );
+            }
+            continue;
+          }
+        };
+        run_update_tags::<Procedure>(id.clone(), &name, tags).await;
+        run_update_description::<Procedure>(id, &name, description)
+          .await;
+        info!("{} {name} created", Self::display());
+        to_pull.push(name);
+      }
+      to_create.retain(|resource| !to_pull.contains(&resource.name));
+
+      if to_update.is_empty() && to_create.is_empty() {
+        // info!("all procedures synced");
+        return;
+      }
+    }
+    warn!("procedure sync loop exited after max iterations");
+  }
+
+  fn get_diff(
+    mut original: Self::Config,
+    update: Self::PartialConfig,
+  ) -> anyhow::Result<Self::ConfigDiff> {
+    for stage in &mut original.stages {
+      for execution in &mut stage.executions {
+        match &mut execution.execution {
+          Execution::None(_) | Execution::Sleep(_) => {}
+          Execution::RunProcedure(config) => {
+            config.procedure = id_to_procedure()
+              .get(&config.procedure)
+              .map(|p| p.name.clone())
+              .unwrap_or_default();
+          }
+          Execution::RunBuild(config) => {
+            config.build = id_to_build()
+              .get(&config.build)
+              .map(|b| b.name.clone())
+              .unwrap_or_default();
+          }
+          Execution::Deploy(config) => {
+            config.deployment = id_to_deployment()
+              .get(&config.deployment)
+              .map(|d| d.name.clone())
+              .unwrap_or_default();
+          }
+          Execution::StartContainer(config) => {
+            config.deployment = id_to_deployment()
+              .get(&config.deployment)
+              .map(|d| d.name.clone())
+              .unwrap_or_default();
+          }
+          Execution::StopContainer(config) => {
+            config.deployment = id_to_deployment()
+              .get(&config.deployment)
+              .map(|d| d.name.clone())
+              .unwrap_or_default();
+          }
+          Execution::RemoveContainer(config) => {
+            config.deployment = id_to_deployment()
+              .get(&config.deployment)
+              .map(|d| d.name.clone())
+              .unwrap_or_default();
+          }
+          Execution::CloneRepo(config) => {
+            config.repo = id_to_repo()
+              .get(&config.repo)
+              .map(|d| d.name.clone())
+              .unwrap_or_default();
+          }
+          Execution::PullRepo(config) => {
+            config.repo = id_to_repo()
+              .get(&config.repo)
+              .map(|d| d.name.clone())
+              .unwrap_or_default();
+          }
+          Execution::StopAllContainers(config) => {
+            config.server = id_to_server()
+              .get(&config.server)
+              .map(|d| d.name.clone())
+              .unwrap_or_default();
+          }
+          Execution::PruneNetworks(config) => {
+            config.server = id_to_server()
+              .get(&config.server)
+              .map(|d| d.name.clone())
+              .unwrap_or_default();
+          }
+          Execution::PruneImages(config) => {
+            config.server = id_to_server()
+              .get(&config.server)
+              .map(|d| d.name.clone())
+              .unwrap_or_default();
+          }
+          Execution::PruneContainers(config) => {
+            config.server = id_to_server()
+              .get(&config.server)
+              .map(|d| d.name.clone())
+              .unwrap_or_default();
+          }
+          Execution::RunSync(config) => {
+            config.sync = id_to_resource_sync()
+              .get(&config.sync)
+              .map(|s| s.name.clone())
+              .unwrap_or_default();
+          }
+        }
+      }
+    }
+    Ok(original.partial_diff(update))
+  }
+
+  async fn delete(_: String) -> anyhow::Result<()> {
+    unreachable!()
+  }
+}

bin/cli/src/sync/resources/repo.rs

@@ -0,0 +1,84 @@
+use std::collections::HashMap;
+
+use monitor_client::{
+  api::write::{CreateRepo, DeleteRepo, UpdateRepo},
+  entities::{
+    repo::{
+      PartialRepoConfig, Repo, RepoConfig, RepoConfigDiff, RepoInfo,
+    },
+    resource::Resource,
+    toml::ResourceToml,
+    update::ResourceTarget,
+  },
+};
+use partial_derive2::PartialDiff;
+
+use crate::{
+  maps::{id_to_server, name_to_repo},
+  state::monitor_client,
+  sync::resource::ResourceSync,
+};
+
+impl ResourceSync for Repo {
+  type Config = RepoConfig;
+  type Info = RepoInfo;
+  type PartialConfig = PartialRepoConfig;
+  type ConfigDiff = RepoConfigDiff;
+
+  fn display() -> &'static str {
+    "repo"
+  }
+
+  fn resource_target(id: String) -> ResourceTarget {
+    ResourceTarget::Repo(id)
+  }
+
+  fn name_to_resource(
+  ) -> &'static HashMap<String, Resource<Self::Config, Self::Info>>
+  {
+    name_to_repo()
+  }
+
+  async fn create(
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<String> {
+    monitor_client()
+      .write(CreateRepo {
+        name: resource.name,
+        config: resource.config,
+      })
+      .await
+      .map(|res| res.id)
+  }
+
+  async fn update(
+    id: String,
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<()> {
+    monitor_client()
+      .write(UpdateRepo {
+        id,
+        config: resource.config,
+      })
+      .await?;
+    Ok(())
+  }
+
+  fn get_diff(
+    mut original: Self::Config,
+    update: Self::PartialConfig,
+  ) -> anyhow::Result<Self::ConfigDiff> {
+    // Need to replace server id with name
+    original.server_id = id_to_server()
+      .get(&original.server_id)
+      .map(|s| s.name.clone())
+      .unwrap_or_default();
+
+    Ok(original.partial_diff(update))
+  }
+
+  async fn delete(id: String) -> anyhow::Result<()> {
+    monitor_client().write(DeleteRepo { id }).await?;
+    Ok(())
+  }
+}

bin/cli/src/sync/resources/server.rs

@@ -0,0 +1,77 @@
+use std::collections::HashMap;
+
+use monitor_client::{
+  api::write::{CreateServer, DeleteServer, UpdateServer},
+  entities::{
+    resource::Resource,
+    server::{
+      PartialServerConfig, Server, ServerConfig, ServerConfigDiff,
+    },
+    toml::ResourceToml,
+    update::ResourceTarget,
+  },
+};
+use partial_derive2::PartialDiff;
+
+use crate::{
+  maps::name_to_server, state::monitor_client,
+  sync::resource::ResourceSync,
+};
+
+impl ResourceSync for Server {
+  type Config = ServerConfig;
+  type Info = ();
+  type PartialConfig = PartialServerConfig;
+  type ConfigDiff = ServerConfigDiff;
+
+  fn display() -> &'static str {
+    "server"
+  }
+
+  fn resource_target(id: String) -> ResourceTarget {
+    ResourceTarget::Server(id)
+  }
+
+  fn name_to_resource(
+  ) -> &'static HashMap<String, Resource<Self::Config, Self::Info>>
+  {
+    name_to_server()
+  }
+
+  async fn create(
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<String> {
+    monitor_client()
+      .write(CreateServer {
+        name: resource.name,
+        config: resource.config,
+      })
+      .await
+      .map(|res| res.id)
+  }
+
+  async fn update(
+    id: String,
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<()> {
+    monitor_client()
+      .write(UpdateServer {
+        id,
+        config: resource.config,
+      })
+      .await?;
+    Ok(())
+  }
+
+  fn get_diff(
+    original: Self::Config,
+    update: Self::PartialConfig,
+  ) -> anyhow::Result<Self::ConfigDiff> {
+    Ok(original.partial_diff(update))
+  }
+
+  async fn delete(id: String) -> anyhow::Result<()> {
+    monitor_client().write(DeleteServer { id }).await?;
+    Ok(())
+  }
+}

bin/cli/src/sync/resources/server_template.rs

@@ -0,0 +1,80 @@
+use std::collections::HashMap;
+
+use monitor_client::{
+  api::write::{
+    CreateServerTemplate, DeleteServerTemplate, UpdateServerTemplate,
+  },
+  entities::{
+    resource::Resource,
+    server_template::{
+      PartialServerTemplateConfig, ServerTemplate,
+      ServerTemplateConfig, ServerTemplateConfigDiff,
+    },
+    toml::ResourceToml,
+    update::ResourceTarget,
+  },
+};
+use partial_derive2::PartialDiff;
+
+use crate::{
+  maps::name_to_server_template, state::monitor_client,
+  sync::resource::ResourceSync,
+};
+
+impl ResourceSync for ServerTemplate {
+  type Config = ServerTemplateConfig;
+  type Info = ();
+  type PartialConfig = PartialServerTemplateConfig;
+  type ConfigDiff = ServerTemplateConfigDiff;
+
+  fn display() -> &'static str {
+    "server template"
+  }
+
+  fn resource_target(id: String) -> ResourceTarget {
+    ResourceTarget::ServerTemplate(id)
+  }
+
+  fn name_to_resource(
+  ) -> &'static HashMap<String, Resource<Self::Config, Self::Info>>
+  {
+    name_to_server_template()
+  }
+
+  async fn create(
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<String> {
+    monitor_client()
+      .write(CreateServerTemplate {
+        name: resource.name,
+        config: resource.config,
+      })
+      .await
+      .map(|res| res.id)
+  }
+
+  async fn update(
+    id: String,
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<()> {
+    monitor_client()
+      .write(UpdateServerTemplate {
+        id,
+        config: resource.config,
+      })
+      .await?;
+    Ok(())
+  }
+
+  fn get_diff(
+    original: Self::Config,
+    update: Self::PartialConfig,
+  ) -> anyhow::Result<Self::ConfigDiff> {
+    Ok(original.partial_diff(update))
+  }
+
+  async fn delete(id: String) -> anyhow::Result<()> {
+    monitor_client().write(DeleteServerTemplate { id }).await?;
+    Ok(())
+  }
+}

bin/cli/src/sync/resources/sync.rs

@@ -0,0 +1,81 @@
+use std::collections::HashMap;
+
+use monitor_client::{
+  api::write::{
+    CreateResourceSync, DeleteResourceSync, UpdateResourceSync,
+  },
+  entities::{
+    self,
+    resource::Resource,
+    sync::{
+      PartialResourceSyncConfig, ResourceSyncConfig,
+      ResourceSyncConfigDiff, ResourceSyncInfo,
+    },
+    toml::ResourceToml,
+    update::ResourceTarget,
+  },
+};
+use partial_derive2::PartialDiff;
+
+use crate::{
+  maps::name_to_resource_sync, state::monitor_client,
+  sync::resource::ResourceSync,
+};
+
+impl ResourceSync for entities::sync::ResourceSync {
+  type Config = ResourceSyncConfig;
+  type Info = ResourceSyncInfo;
+  type PartialConfig = PartialResourceSyncConfig;
+  type ConfigDiff = ResourceSyncConfigDiff;
+
+  fn display() -> &'static str {
+    "resource sync"
+  }
+
+  fn resource_target(id: String) -> ResourceTarget {
+    ResourceTarget::ResourceSync(id)
+  }
+
+  fn name_to_resource(
+  ) -> &'static HashMap<String, Resource<Self::Config, Self::Info>>
+  {
+    name_to_resource_sync()
+  }
+
+  async fn create(
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<String> {
+    monitor_client()
+      .write(CreateResourceSync {
+        name: resource.name,
+        config: resource.config,
+      })
+      .await
+      .map(|res| res.id)
+  }
+
+  async fn update(
+    id: String,
+    resource: ResourceToml<Self::PartialConfig>,
+  ) -> anyhow::Result<()> {
+    monitor_client()
+      .write(UpdateResourceSync {
+        id,
+        config: resource.config,
+      })
+      .await?;
+    Ok(())
+  }
+
+  fn get_diff(
+    original: Self::Config,
+    update: Self::PartialConfig,
+  ) -> anyhow::Result<Self::ConfigDiff> {
+    Ok(original.partial_diff(update))
+  }
+
+  async fn delete(id: String) -> anyhow::Result<()> {
+    monitor_client().write(DeleteResourceSync { id }).await?;
+    Ok(())
+  }
+}

bin/cli/src/sync/user_group.rs

@@ -0,0 +1,388 @@
+use std::cmp::Ordering;
+
+use anyhow::Context;
+use colored::Colorize;
+use monitor_client::{
+  api::{
+    read::ListUserTargetPermissions,
+    write::{
+      CreateUserGroup, DeleteUserGroup, SetUsersInUserGroup,
+      UpdatePermissionOnTarget,
+    },
+  },
+  entities::{
+    permission::UserTarget,
+    toml::{PermissionToml, UserGroupToml},
+    update::ResourceTarget,
+  },
+};
+
+use crate::maps::{
+  id_to_alerter, id_to_build, id_to_builder, id_to_deployment,
+  id_to_procedure, id_to_repo, id_to_resource_sync, id_to_server,
+  id_to_server_template, id_to_user, name_to_user_group,
+};
+
+pub struct UpdateItem {
+  user_group: UserGroupToml,
+  update_users: bool,
+  update_permissions: bool,
+}
+
+pub struct DeleteItem {
+  id: String,
+  name: String,
+}
+
+pub async fn get_updates(
+  user_groups: Vec<UserGroupToml>,
+  delete: bool,
+) -> anyhow::Result<(
+  Vec<UserGroupToml>,
+  Vec<UpdateItem>,
+  Vec<DeleteItem>,
+)> {
+  let map = name_to_user_group();
+
+  let mut to_create = Vec::<UserGroupToml>::new();
+  let mut to_update = Vec::<UpdateItem>::new();
+  let mut to_delete = Vec::<DeleteItem>::new();
+
+  if delete {
+    for user_group in map.values() {
+      if !user_groups.iter().any(|ug| ug.name == user_group.name) {
+        to_delete.push(DeleteItem {
+          id: user_group.id.clone(),
+          name: user_group.name.clone(),
+        });
+      }
+    }
+  }
+
+  let id_to_user = id_to_user();
+
+  for mut user_group in user_groups {
+    let original = match map.get(&user_group.name).cloned() {
+      Some(original) => original,
+      None => {
+        println!(
+          "\n{}: user group: {}\n{}: {:?}\n{}: {:?}",
+          "CREATE".green(),
+          user_group.name.bold().green(),
+          "users".dimmed(),
+          user_group.users,
+          "permissions".dimmed(),
+          user_group.permissions,
+        );
+        to_create.push(user_group);
+        continue;
+      }
+    };
+
+    let mut original_users = original
+      .users
+      .into_iter()
+      .filter_map(|user_id| {
+        id_to_user.get(&user_id).map(|u| u.username.clone())
+      })
+      .collect::<Vec<_>>();
+
+    let mut original_permissions = crate::state::monitor_client()
+      .read(ListUserTargetPermissions {
+        user_target: UserTarget::UserGroup(original.id),
+      })
+      .await
+      .context("failed to query for existing UserGroup permissions")?
+      .into_iter()
+      .map(|mut p| {
+        // replace the ids with names
+        match &mut p.resource_target {
+          ResourceTarget::System(_) => {}
+          ResourceTarget::Build(id) => {
+            *id = id_to_build()
+              .get(id)
+              .map(|b| b.name.clone())
+              .unwrap_or_default()
+          }
+          ResourceTarget::Builder(id) => {
+            *id = id_to_builder()
+              .get(id)
+              .map(|b| b.name.clone())
+              .unwrap_or_default()
+          }
+          ResourceTarget::Deployment(id) => {
+            *id = id_to_deployment()
+              .get(id)
+              .map(|b| b.name.clone())
+              .unwrap_or_default()
+          }
+          ResourceTarget::Server(id) => {
+            *id = id_to_server()
+              .get(id)
+              .map(|b| b.name.clone())
+              .unwrap_or_default()
+          }
+          ResourceTarget::Repo(id) => {
+            *id = id_to_repo()
+              .get(id)
+              .map(|b| b.name.clone())
+              .unwrap_or_default()
+          }
+          ResourceTarget::Alerter(id) => {
+            *id = id_to_alerter()
+              .get(id)
+              .map(|b| b.name.clone())
+              .unwrap_or_default()
+          }
+          ResourceTarget::Procedure(id) => {
+            *id = id_to_procedure()
+              .get(id)
+              .map(|b| b.name.clone())
+              .unwrap_or_default()
+          }
+          ResourceTarget::ServerTemplate(id) => {
+            *id = id_to_server_template()
+              .get(id)
+              .map(|b| b.name.clone())
+              .unwrap_or_default()
+          }
+          ResourceTarget::ResourceSync(id) => {
+            *id = id_to_resource_sync()
+              .get(id)
+              .map(|b| b.name.clone())
+              .unwrap_or_default()
+          }
+        }
+        PermissionToml {
+          target: p.resource_target,
+          level: p.level,
+        }
+      })
+      .collect::<Vec<_>>();
+
+    original_users.sort();
+    user_group.users.sort();
+
+    user_group.permissions.sort_by(sort_permissions);
+    original_permissions.sort_by(sort_permissions);
+
+    let update_users = user_group.users != original_users;
+    let update_permissions =
+      user_group.permissions != original_permissions;
+
+    // only push update after failed diff
+    if update_users || update_permissions {
+      println!(
+        "\n{}: user group: '{}'\n-------------------",
+        "UPDATE".blue(),
+        user_group.name.bold(),
+      );
+      let mut lines = Vec::<String>::new();
+      if update_users {
+        let adding = user_group
+          .users
+          .iter()
+          .filter(|user| !original_users.contains(user))
+          .map(|user| user.as_str())
+          .collect::<Vec<_>>();
+        let adding = if adding.is_empty() {
+          String::from("None").into()
+        } else {
+          adding.join(", ").green()
+        };
+        let removing = original_users
+          .iter()
+          .filter(|user| !user_group.users.contains(user))
+          .map(|user| user.as_str())
+          .collect::<Vec<_>>();
+        let removing = if removing.is_empty() {
+          String::from("None").into()
+        } else {
+          removing.join(", ").red()
+        };
+        lines.push(format!(
+          "{}:    'users'\n{}: {removing}\n{}:   {adding}",
+          "field".dimmed(),
+          "removing".dimmed(),
+          "adding".dimmed(),
+        ))
+      }
+      if update_permissions {
+        let adding = user_group
+          .permissions
+          .iter()
+          .filter(|permission| {
+            !original_permissions.contains(permission)
+          })
+          .map(|permission| format!("{permission:?}"))
+          .collect::<Vec<_>>();
+        let adding = if adding.is_empty() {
+          String::from("None").into()
+        } else {
+          adding.join(", ").green()
+        };
+        let removing = original_permissions
+          .iter()
+          .filter(|permission| {
+            !user_group.permissions.contains(permission)
+          })
+          .map(|permission| format!("{permission:?}"))
+          .collect::<Vec<_>>();
+        let removing = if removing.is_empty() {
+          String::from("None").into()
+        } else {
+          removing.join(", ").red()
+        };
+        lines.push(format!(
+          "{}:    'permissions'\n{}: {removing}\n{}:   {adding}",
+          "field".dimmed(),
+          "removing".dimmed(),
+          "adding".dimmed()
+        ))
+      }
+      println!("{}", lines.join("\n-------------------\n"));
+      to_update.push(UpdateItem {
+        user_group,
+        update_users,
+        update_permissions,
+      });
+    }
+  }
+
+  for d in &to_delete {
+    println!(
+      "\n{}: user group: '{}'\n-------------------",
+      "DELETE".red(),
+      d.name.bold(),
+    );
+  }
+
+  Ok((to_create, to_update, to_delete))
+}
+
+/// order permissions in deterministic way
+fn sort_permissions(
+  a: &PermissionToml,
+  b: &PermissionToml,
+) -> Ordering {
+  let (a_t, a_id) = a.target.extract_variant_id();
+  let (b_t, b_id) = b.target.extract_variant_id();
+  match (a_t.cmp(&b_t), a_id.cmp(b_id)) {
+    (Ordering::Greater, _) => Ordering::Greater,
+    (Ordering::Less, _) => Ordering::Less,
+    (_, Ordering::Greater) => Ordering::Greater,
+    (_, Ordering::Less) => Ordering::Less,
+    _ => Ordering::Equal,
+  }
+}
+
+pub async fn run_updates(
+  to_create: Vec<UserGroupToml>,
+  to_update: Vec<UpdateItem>,
+  to_delete: Vec<DeleteItem>,
+) {
+  // Create the non-existant user groups
+  for user_group in to_create {
+    // Create the user group
+    if let Err(e) = crate::state::monitor_client()
+      .write(CreateUserGroup {
+        name: user_group.name.clone(),
+      })
+      .await
+    {
+      warn!(
+        "failed to create user group {} | {e:#}",
+        user_group.name
+      );
+      continue;
+    } else {
+      info!(
+        "{} user group '{}'",
+        "created".green().bold(),
+        user_group.name.bold(),
+      );
+    };
+
+    set_users(user_group.name.clone(), user_group.users).await;
+    run_update_permissions(user_group.name, user_group.permissions)
+      .await;
+  }
+
+  // Update the existing user groups
+  for UpdateItem {
+    user_group,
+    update_users,
+    update_permissions,
+  } in to_update
+  {
+    if update_users {
+      set_users(user_group.name.clone(), user_group.users).await;
+    }
+    if update_permissions {
+      run_update_permissions(user_group.name, user_group.permissions)
+        .await;
+    }
+  }
+
+  for user_group in to_delete {
+    if let Err(e) = crate::state::monitor_client()
+      .write(DeleteUserGroup { id: user_group.id })
+      .await
+    {
+      warn!(
+        "failed to delete user group {} | {e:#}",
+        user_group.name
+      );
+    } else {
+      info!(
+        "{} user group '{}'",
+        "deleted".red().bold(),
+        user_group.name.bold(),
+      );
+    }
+  }
+}
+
+async fn set_users(user_group: String, users: Vec<String>) {
+  if let Err(e) = crate::state::monitor_client()
+    .write(SetUsersInUserGroup {
+      user_group: user_group.clone(),
+      users,
+    })
+    .await
+  {
+    warn!("failed to set users in group {user_group} | {e:#}");
+  } else {
+    info!(
+      "{} user group '{}' users",
+      "updated".blue().bold(),
+      user_group.bold(),
+    );
+  }
+}
+
+async fn run_update_permissions(
+  user_group: String,
+  permissions: Vec<PermissionToml>,
+) {
+  for PermissionToml { target, level } in permissions {
+    if let Err(e) = crate::state::monitor_client()
+      .write(UpdatePermissionOnTarget {
+        user_target: UserTarget::UserGroup(user_group.clone()),
+        resource_target: target.clone(),
+        permission: level,
+      })
+      .await
+    {
+      warn!(
+        "failed to set permssion in group {user_group} | target: {target:?} | {e:#}",
+      );
+    } else {
+      info!(
+        "{} user group '{}' permissions",
+        "updated".blue().bold(),
+        user_group.bold(),
+      );
+    }
+  }
+}

bin/cli/src/sync/variables.rs

@@ -0,0 +1,206 @@
+use colored::Colorize;
+use monitor_client::{
+  api::write::{
+    CreateVariable, DeleteVariable, UpdateVariableDescription,
+    UpdateVariableValue,
+  },
+  entities::variable::Variable,
+};
+
+use crate::{maps::name_to_variable, state::monitor_client};
+
+pub struct ToUpdateItem {
+  pub variable: Variable,
+  pub update_value: bool,
+  pub update_description: bool,
+}
+
+pub fn get_updates(
+  variables: Vec<Variable>,
+  delete: bool,
+) -> anyhow::Result<(Vec<Variable>, Vec<ToUpdateItem>, Vec<String>)> {
+  let map = name_to_variable();
+
+  let mut to_create = Vec::<Variable>::new();
+  let mut to_update = Vec::<ToUpdateItem>::new();
+  let mut to_delete = Vec::<String>::new();
+
+  if delete {
+    for variable in map.values() {
+      if !variables.iter().any(|v| v.name == variable.name) {
+        to_delete.push(variable.name.clone());
+      }
+    }
+  }
+
+  for variable in variables {
+    match map.get(&variable.name) {
+      Some(original) => {
+        let item = ToUpdateItem {
+          update_value: original.value != variable.value,
+          update_description: original.description
+            != variable.description,
+          variable,
+        };
+        if !item.update_value && !item.update_description {
+          continue;
+        }
+        println!(
+          "\n{}: variable: '{}'\n-------------------",
+          "UPDATE".blue(),
+          item.variable.name.bold(),
+        );
+
+        let mut lines = Vec::<String>::new();
+
+        if item.update_value {
+          lines.push(format!(
+            "{}: 'value'\n{}:  {}\n{}:    {}",
+            "field".dimmed(),
+            "from".dimmed(),
+            original.value.red(),
+            "to".dimmed(),
+            item.variable.value.green()
+          ))
+        }
+
+        if item.update_description {
+          lines.push(format!(
+            "{}: 'description'\n{}:  {}\n{}:    {}",
+            "field".dimmed(),
+            "from".dimmed(),
+            original.description.red(),
+            "to".dimmed(),
+            item.variable.description.green()
+          ))
+        }
+
+        println!("{}", lines.join("\n-------------------\n"));
+
+        to_update.push(item);
+      }
+      None => {
+        if variable.description.is_empty() {
+          println!(
+            "\n{}: variable: {}\n{}: {}",
+            "CREATE".green(),
+            variable.name.bold().green(),
+            "value".dimmed(),
+            variable.value,
+          );
+        } else {
+          println!(
+            "\n{}: variable: {}\n{}: {}\n{}: {}",
+            "CREATE".green(),
+            variable.name.bold().green(),
+            "description".dimmed(),
+            variable.description,
+            "value".dimmed(),
+            variable.value,
+          );
+        }
+        to_create.push(variable)
+      }
+    }
+  }
+
+  for name in &to_delete {
+    println!(
+      "\n{}: variable: '{}'\n-------------------",
+      "DELETE".red(),
+      name.bold(),
+    );
+  }
+
+  Ok((to_create, to_update, to_delete))
+}
+
+pub async fn run_updates(
+  to_create: Vec<Variable>,
+  to_update: Vec<ToUpdateItem>,
+  to_delete: Vec<String>,
+) {
+  for variable in to_create {
+    if let Err(e) = monitor_client()
+      .write(CreateVariable {
+        name: variable.name.clone(),
+        value: variable.value,
+        description: variable.description,
+      })
+      .await
+    {
+      warn!("failed to create variable {} | {e:#}", variable.name);
+    } else {
+      info!(
+        "{} variable '{}'",
+        "created".green().bold(),
+        variable.name.bold(),
+      );
+    };
+  }
+
+  for ToUpdateItem {
+    variable,
+    update_value,
+    update_description,
+  } in to_update
+  {
+    if update_value {
+      if let Err(e) = monitor_client()
+        .write(UpdateVariableValue {
+          name: variable.name.clone(),
+          value: variable.value,
+        })
+        .await
+      {
+        warn!(
+          "failed to update variable value for {} | {e:#}",
+          variable.name
+        );
+      } else {
+        info!(
+          "{} variable '{}' value",
+          "updated".blue().bold(),
+          variable.name.bold(),
+        );
+      };
+    }
+    if update_description {
+      if let Err(e) = monitor_client()
+        .write(UpdateVariableDescription {
+          name: variable.name.clone(),
+          description: variable.description,
+        })
+        .await
+      {
+        warn!(
+          "failed to update variable description for {} | {e:#}",
+          variable.name
+        );
+      } else {
+        info!(
+          "{} variable '{}' description",
+          "updated".blue().bold(),
+          variable.name.bold(),
+        );
+      };
+    }
+  }
+
+  for variable in to_delete {
+    if let Err(e) = crate::state::monitor_client()
+      .write(DeleteVariable {
+        name: variable.clone(),
+      })
+      .await
+    {
+      warn!("failed to delete variable {variable} | {e:#}",);
+    } else {
+      info!(
+        "{} variable '{}'",
+        "deleted".red().bold(),
+        variable.bold(),
+      );
+    }
+  }
+}

bin/core/Cargo.toml

@@ -0,0 +1,67 @@
+[package]
+name = "monitor_core"
+version.workspace = true
+edition.workspace = true
+authors.workspace = true
+license.workspace = true
+homepage.workspace = true
+repository.workspace = true
+
+[[bin]]
+name = "core"
+path = "src/main.rs"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+# local
+monitor_client = { workspace = true, features = ["mongo"] }
+periphery_client.workspace = true
+formatting.workspace = true
+logger.workspace = true
+git.workspace = true
+# mogh
+serror = { workspace = true, features = ["axum"] }
+merge_config_files.workspace = true
+async_timing_util.workspace = true
+partial_derive2.workspace = true
+derive_variants.workspace = true
+mongo_indexed.workspace = true
+resolver_api.workspace = true
+toml_pretty.workspace = true
+run_command.workspace = true
+parse_csl.workspace = true
+mungos.workspace = true
+slack.workspace = true
+svi.workspace = true
+# external
+ordered_hash_map.workspace = true
+urlencoding.workspace = true
+aws-sdk-ec2.workspace = true
+aws-sdk-ecr.workspace = true
+aws-config.workspace = true
+tokio-util.workspace = true
+axum-extra.workspace = true
+tower-http.workspace = true
+serde_json.workspace = true
+typeshare.workspace = true
+tracing.workspace = true
+reqwest.workspace = true
+futures.workspace = true
+anyhow.workspace = true
+dotenv.workspace = true
+bcrypt.workspace = true
+base64.workspace = true
+tokio.workspace = true
+tower.workspace = true
+serde.workspace = true
+strum.workspace = true
+axum.workspace = true
+toml.workspace = true
+uuid.workspace = true
+envy.workspace = true
+rand.workspace = true
+hmac.workspace = true
+sha2.workspace = true
+jwt.workspace = true
+hex.workspace = true

bin/core/Dockerfile

@@ -0,0 +1,37 @@
+# Build Core
+FROM rust:1.79.0-bookworm as core-builder
+WORKDIR /builder
+COPY . .
+RUN cargo build -p monitor_core --release
+
+# Build Frontend
+FROM node:20.12-alpine as frontend-builder
+WORKDIR /builder
+COPY ./frontend ./frontend
+COPY ./client/core/ts ./client
+RUN cd client && yarn && yarn build && yarn link
+RUN cd frontend && yarn link @monitor/client && yarn && yarn build
+
+# Final Image
+FROM debian:bookworm-slim
+
+# Install Deps
+RUN apt update && apt install -y git curl unzip ca-certificates && \
+	curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
+	unzip awscliv2.zip && \
+	./aws/install
+	
+# Copy
+COPY ./config_example/core.config.example.toml /config/config.toml
+COPY --from=core-builder /builder/target/release/core /
+COPY --from=frontend-builder /builder/frontend/dist /frontend
+
+# Hint at the port
+EXPOSE 9000
+
+# Label for Ghcr
+LABEL org.opencontainers.image.source=https://github.com/mbecker20/monitor
+LABEL org.opencontainers.image.description="A tool to build and deploy software across many servers"
+LABEL org.opencontainers.image.licenses=GPL-3.0
+
+CMD ["./core"]

bin/core/src/api/auth.rs

@@ -0,0 +1,128 @@
+use std::{sync::OnceLock, time::Instant};
+
+use anyhow::anyhow;
+use axum::{http::HeaderMap, routing::post, Router};
+use axum_extra::{headers::ContentType, TypedHeader};
+use monitor_client::{api::auth::*, entities::user::User};
+use resolver_api::{derive::Resolver, Resolve, Resolver};
+use serde::{Deserialize, Serialize};
+use serror::Json;
+use typeshare::typeshare;
+use uuid::Uuid;
+
+use crate::{
+  auth::{
+    get_user_id_from_headers,
+    github::{self, client::github_oauth_client},
+    google::{self, client::google_oauth_client},
+  },
+  config::core_config,
+  helpers::query::get_user,
+  state::{jwt_client, State},
+};
+
+#[typeshare]
+#[derive(Serialize, Deserialize, Debug, Clone, Resolver)]
+#[resolver_target(State)]
+#[resolver_args(HeaderMap)]
+#[serde(tag = "type", content = "params")]
+#[allow(clippy::enum_variant_names, clippy::large_enum_variant)]
+pub enum AuthRequest {
+  GetLoginOptions(GetLoginOptions),
+  CreateLocalUser(CreateLocalUser),
+  LoginLocalUser(LoginLocalUser),
+  ExchangeForJwt(ExchangeForJwt),
+  GetUser(GetUser),
+}
+
+pub fn router() -> Router {
+  let mut router = Router::new().route("/", post(handler));
+
+  if github_oauth_client().is_some() {
+    router = router.nest("/github", github::router())
+  }
+
+  if google_oauth_client().is_some() {
+    router = router.nest("/google", google::router())
+  }
+
+  router
+}
+
+#[instrument(name = "AuthHandler", level = "debug", skip(headers))]
+async fn handler(
+  headers: HeaderMap,
+  Json(request): Json<AuthRequest>,
+) -> serror::Result<(TypedHeader<ContentType>, String)> {
+  let timer = Instant::now();
+  let req_id = Uuid::new_v4();
+  debug!("/auth request {req_id} | METHOD: {}", request.req_type());
+  let res = State.resolve_request(request, headers).await.map_err(
+    |e| match e {
+      resolver_api::Error::Serialization(e) => {
+        anyhow!("{e:?}").context("response serialization error")
+      }
+      resolver_api::Error::Inner(e) => e,
+    },
+  );
+  if let Err(e) = &res {
+    debug!("/auth request {req_id} | error: {e:#}");
+  }
+  let elapsed = timer.elapsed();
+  debug!("/auth request {req_id} | resolve time: {elapsed:?}");
+  Ok((TypedHeader(ContentType::json()), res?))
+}
+
+fn login_options_reponse() -> &'static GetLoginOptionsResponse {
+  static GET_LOGIN_OPTIONS_RESPONSE: OnceLock<
+    GetLoginOptionsResponse,
+  > = OnceLock::new();
+  GET_LOGIN_OPTIONS_RESPONSE.get_or_init(|| {
+    let config = core_config();
+    GetLoginOptionsResponse {
+      local: config.local_auth,
+      github: config.github_oauth.enabled
+        && !config.github_oauth.id.is_empty()
+        && !config.github_oauth.secret.is_empty(),
+      google: config.google_oauth.enabled
+        && !config.google_oauth.id.is_empty()
+        && !config.google_oauth.secret.is_empty(),
+    }
+  })
+}
+
+impl Resolve<GetLoginOptions, HeaderMap> for State {
+  #[instrument(name = "GetLoginOptions", level = "debug", skip(self))]
+  async fn resolve(
+    &self,
+    _: GetLoginOptions,
+    _: HeaderMap,
+  ) -> anyhow::Result<GetLoginOptionsResponse> {
+    Ok(*login_options_reponse())
+  }
+}
+
+impl Resolve<ExchangeForJwt, HeaderMap> for State {
+  #[instrument(name = "ExchangeForJwt", level = "debug", skip(self))]
+  async fn resolve(
+    &self,
+    ExchangeForJwt { token }: ExchangeForJwt,
+    _: HeaderMap,
+  ) -> anyhow::Result<ExchangeForJwtResponse> {
+    let jwt = jwt_client().redeem_exchange_token(&token).await?;
+    let res = ExchangeForJwtResponse { jwt };
+    Ok(res)
+  }
+}
+
+impl Resolve<GetUser, HeaderMap> for State {
+  #[instrument(name = "GetUser", level = "debug", skip(self))]
+  async fn resolve(
+    &self,
+    GetUser {}: GetUser,
+    headers: HeaderMap,
+  ) -> anyhow::Result<User> {
+    let user_id = get_user_id_from_headers(&headers).await?;
+    get_user(&user_id).await
+  }
+}

bin/core/src/api/execute/build.rs

@@ -0,0 +1,800 @@
+use std::{collections::HashSet, time::Duration};
+
+use anyhow::{anyhow, Context};
+use formatting::{format_serror, muted};
+use futures::future::join_all;
+use monitor_client::{
+  api::execute::{
+    CancelBuild, CancelBuildResponse, Deploy, RunBuild,
+  },
+  entities::{
+    alert::{Alert, AlertData},
+    all_logs_success,
+    build::{Build, CloudRegistryConfig, ImageRegistry},
+    builder::{AwsBuilderConfig, Builder, BuilderConfig},
+    config::core::{AwsEcrConfig, AwsEcrConfigWithCredentials},
+    deployment::DeploymentState,
+    monitor_timestamp,
+    permission::PermissionLevel,
+    server::{stats::SeverityLevel, Server},
+    server_template::aws::AwsServerTemplateConfig,
+    to_monitor_name,
+    update::{Log, Update},
+    user::{auto_redeploy_user, User},
+  },
+};
+use mungos::{
+  by_id::update_one_by_id,
+  find::find_collect,
+  mongodb::{
+    bson::{doc, to_bson, to_document},
+    options::FindOneOptions,
+  },
+};
+use periphery_client::{
+  api::{self, GetVersionResponse},
+  PeripheryClient,
+};
+use resolver_api::Resolve;
+use tokio_util::sync::CancellationToken;
+
+use crate::{
+  cloud::{
+    aws::{
+      ec2::{
+        launch_ec2_instance, terminate_ec2_instance_with_retry,
+        Ec2Instance,
+      },
+      ecr,
+    },
+    BuildCleanupData,
+  },
+  config::core_config,
+  helpers::{
+    alert::send_alerts,
+    channel::build_cancel_channel,
+    periphery_client,
+    query::{get_deployment_state, get_global_variables},
+    update::update_update,
+  },
+  resource::{self, refresh_build_state_cache},
+  state::{action_states, db_client, State},
+};
+
+use crate::helpers::update::init_execution_update;
+
+use super::ExecuteRequest;
+
+impl Resolve<RunBuild, (User, Update)> for State {
+  #[instrument(name = "RunBuild", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    RunBuild { build }: RunBuild,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    let mut build = resource::get_check_permissions::<Build>(
+      &build,
+      &user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    let (registry_token, aws_ecr) =
+      validate_account_extract_registry_token_aws_ecr(&build).await?;
+
+    // get the action state for the build (or insert default).
+    let action_state =
+      action_states().build.get_or_insert_default(&build.id).await;
+
+    // This will set action state back to default when dropped.
+    // Will also check to ensure build not already busy before updating.
+    let _action_guard =
+      action_state.update(|state| state.building = true)?;
+
+    build.config.version.increment();
+    update.version = build.config.version;
+    update_update(update.clone()).await?;
+
+    let cancel = CancellationToken::new();
+    let cancel_clone = cancel.clone();
+    let mut cancel_recv =
+      build_cancel_channel().receiver.resubscribe();
+    let build_id = build.id.clone();
+
+    tokio::spawn(async move {
+      let poll = async {
+        loop {
+          let (incoming_build_id, mut update) = tokio::select! {
+            _ = cancel_clone.cancelled() => return Ok(()),
+            id = cancel_recv.recv() => id?
+          };
+          if incoming_build_id == build_id {
+            update.push_simple_log(
+              "cancel acknowledged",
+              "the build cancellation has been queued, it may still take some time",
+            );
+            update.finalize();
+            let id = update.id.clone();
+            if let Err(e) = update_update(update).await {
+              warn!("failed to update Update {id} | {e:#}");
+            }
+            cancel_clone.cancel();
+            return Ok(());
+          }
+        }
+        #[allow(unreachable_code)]
+        anyhow::Ok(())
+      };
+      tokio::select! {
+        _ = cancel_clone.cancelled() => {}
+        _ = poll => {}
+      }
+    });
+
+    // GET BUILDER PERIPHERY
+
+    let (periphery, cleanup_data) =
+      match get_build_builder(&build, &mut update).await {
+        Ok(builder) => {
+          info!("got builder for build");
+          builder
+        }
+        Err(e) => {
+          warn!("failed to get builder | {e:#}");
+          update.logs.push(Log::error(
+            "get builder",
+            format_serror(&e.context("failed to get builder").into()),
+          ));
+          return handle_early_return(update, build.id, build.name)
+            .await;
+        }
+      };
+
+    let core_config = core_config();
+    let variables = get_global_variables().await?;
+
+    // CLONE REPO
+
+    let github_token = core_config
+      .github_accounts
+      .get(&build.config.github_account)
+      .cloned();
+
+    let res = tokio::select! {
+      res = periphery
+        .request(api::git::CloneRepo {
+          args: (&build).into(),
+          github_token,
+        }) => res,
+      _ = cancel.cancelled() => {
+        info!("build cancelled during clone, cleaning up builder");
+        update.push_error_log("build cancelled", String::from("user cancelled build during repo clone"));
+        cleanup_builder_instance(periphery, cleanup_data, &mut update)
+          .await;
+        info!("builder cleaned up");
+        return handle_early_return(update, build.id, build.name).await
+      },
+    };
+
+    match res {
+      Ok(clone_logs) => {
+        info!("finished repo clone");
+        update.logs.extend(clone_logs);
+      }
+      Err(e) => {
+        warn!("failed build at clone repo | {e:#}");
+        update.push_error_log(
+          "clone repo",
+          format_serror(&e.context("failed to clone repo").into()),
+        );
+      }
+    }
+
+    update_update(update.clone()).await?;
+
+    if all_logs_success(&update.logs) {
+      // Interpolate variables / secrets into build args
+      let mut global_replacers = HashSet::new();
+      let mut secret_replacers = HashSet::new();
+      for arg in &mut build.config.build_args {
+        // first pass - global variables
+        let (res, more_replacers) = svi::interpolate_variables(
+          &arg.value,
+          &variables,
+          svi::Interpolator::DoubleBrackets,
+          false,
+        )
+        .context("failed to interpolate global variables")?;
+        global_replacers.extend(more_replacers);
+        // second pass - core secrets
+        let (res, more_replacers) = svi::interpolate_variables(
+          &res,
+          &core_config.secrets,
+          svi::Interpolator::DoubleBrackets,
+          false,
+        )
+        .context("failed to interpolate core secrets")?;
+        secret_replacers.extend(more_replacers);
+        arg.value = res;
+      }
+
+      // Show which variables were interpolated
+      if !global_replacers.is_empty() {
+        update.push_simple_log(
+          "interpolate global variables",
+          global_replacers
+            .into_iter()
+            .map(|(value, variable)| format!("<span class=\"text-muted-foreground\">{variable} =></span> {value}"))
+            .collect::<Vec<_>>()
+            .join("\n"),
+        );
+      }
+      if !secret_replacers.is_empty() {
+        update.push_simple_log(
+          "interpolate core secrets",
+          secret_replacers
+            .iter()
+            .map(|(_, variable)| format!("<span class=\"text-muted-foreground\">replaced:</span> {variable}"))
+            .collect::<Vec<_>>()
+            .join("\n"),
+        );
+      }
+
+      let res = tokio::select! {
+        res = periphery
+          .request(api::build::Build {
+            build: build.clone(),
+            registry_token,
+            aws_ecr,
+            replacers: secret_replacers.into_iter().collect(),
+          }) => res.context("failed at call to periphery to build"),
+        _ = cancel.cancelled() => {
+          info!("build cancelled during build, cleaning up builder");
+          update.push_error_log("build cancelled", String::from("user cancelled build during docker build"));
+          cleanup_builder_instance(periphery, cleanup_data, &mut update)
+            .await;
+          return handle_early_return(update, build.id, build.name).await
+        },
+      };
+
+      match res {
+        Ok(logs) => {
+          info!("finished build");
+          update.logs.extend(logs);
+        }
+        Err(e) => {
+          warn!("error in build | {e:#}");
+          update.push_error_log(
+            "build",
+            format_serror(&e.context("failed to build").into()),
+          )
+        }
+      };
+    }
+
+    update.finalize();
+
+    let db = db_client().await;
+
+    if update.success {
+      let _ = db
+        .builds
+        .update_one(
+          doc! { "name": &build.name },
+          doc! {
+            "$set": {
+              "config.version": to_bson(&build.config.version)
+                .context("failed at converting version to bson")?,
+              "info.last_built_at": monitor_timestamp(),
+            }
+          },
+          None,
+        )
+        .await;
+    }
+
+    // stop the cancel listening task from going forever
+    cancel.cancel();
+
+    cleanup_builder_instance(periphery, cleanup_data, &mut update)
+      .await;
+
+    // Need to manually update the update before cache refresh,
+    // and before broadcast with add_update.
+    // The Err case of to_document should be unreachable,
+    // but will fail to update cache in that case.
+    if let Ok(update_doc) = to_document(&update) {
+      let _ = update_one_by_id(
+        &db.updates,
+        &update.id,
+        mungos::update::Update::Set(update_doc),
+        None,
+      )
+      .await;
+      refresh_build_state_cache().await;
+    }
+
+    update_update(update.clone()).await?;
+
+    if update.success {
+      // don't hold response up for user
+      tokio::spawn(async move {
+        handle_post_build_redeploy(&build.id).await;
+        info!("post build redeploy handled");
+      });
+    } else {
+      let target = update.target.clone();
+      let version = update.version;
+      let err = update.logs.iter().find(|l| !l.success).cloned();
+      tokio::spawn(async move {
+        let alert = Alert {
+          id: Default::default(),
+          target,
+          ts: monitor_timestamp(),
+          resolved_ts: Some(monitor_timestamp()),
+          resolved: true,
+          level: SeverityLevel::Warning,
+          data: AlertData::BuildFailed {
+            id: build.id,
+            name: build.name,
+            err,
+            version,
+          },
+        };
+        send_alerts(&[alert]).await
+      });
+    }
+
+    Ok(update)
+  }
+}
+
+#[instrument(skip(update))]
+async fn handle_early_return(
+  mut update: Update,
+  build_id: String,
+  build_name: String,
+) -> anyhow::Result<Update> {
+  update.finalize();
+  // Need to manually update the update before cache refresh,
+  // and before broadcast with add_update.
+  // The Err case of to_document should be unreachable,
+  // but will fail to update cache in that case.
+  if let Ok(update_doc) = to_document(&update) {
+    let _ = update_one_by_id(
+      &db_client().await.updates,
+      &update.id,
+      mungos::update::Update::Set(update_doc),
+      None,
+    )
+    .await;
+    refresh_build_state_cache().await;
+  }
+  update_update(update.clone()).await?;
+  if !update.success {
+    let target = update.target.clone();
+    let version = update.version;
+    let err = update.logs.iter().find(|l| !l.success).cloned();
+    tokio::spawn(async move {
+      let alert = Alert {
+        id: Default::default(),
+        target,
+        ts: monitor_timestamp(),
+        resolved_ts: Some(monitor_timestamp()),
+        resolved: true,
+        level: SeverityLevel::Warning,
+        data: AlertData::BuildFailed {
+          id: build_id,
+          name: build_name,
+          version,
+          err,
+        },
+      };
+      send_alerts(&[alert]).await
+    });
+  }
+  Ok(update)
+}
+
+#[instrument(skip_all)]
+pub async fn validate_cancel_build(
+  request: &ExecuteRequest,
+) -> anyhow::Result<()> {
+  if let ExecuteRequest::CancelBuild(req) = request {
+    let build = resource::get::<Build>(&req.build).await?;
+
+    let db = db_client().await;
+
+    let (latest_build, latest_cancel) = tokio::try_join!(
+      db.updates.find_one(
+        doc! {
+          "operation": "RunBuild",
+          "target.id": &build.id,
+        },
+        FindOneOptions::builder()
+          .sort(doc! { "start_ts": -1 })
+          .build(),
+      ),
+      db.updates.find_one(
+        doc! {
+          "operation": "CancelBuild",
+          "target.id": &build.id,
+        },
+        FindOneOptions::builder()
+          .sort(doc! { "start_ts": -1 })
+          .build(),
+      )
+    )?;
+
+    match (latest_build, latest_cancel) {
+      (Some(build), Some(cancel)) => {
+        if cancel.start_ts > build.start_ts {
+          return Err(anyhow!("Build has already been cancelled"));
+        }
+      }
+      (None, _) => return Err(anyhow!("No build in progress")),
+      _ => {}
+    };
+  }
+  Ok(())
+}
+
+impl Resolve<CancelBuild, (User, Update)> for State {
+  #[instrument(name = "CancelBuild", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    CancelBuild { build }: CancelBuild,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<CancelBuildResponse> {
+    let build = resource::get_check_permissions::<Build>(
+      &build,
+      &user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    // make sure the build is building
+    if !action_states()
+      .build
+      .get(&build.id)
+      .await
+      .and_then(|s| s.get().ok().map(|s| s.building))
+      .unwrap_or_default()
+    {
+      return Err(anyhow!("Build is not building."));
+    }
+
+    update.push_simple_log(
+      "cancel triggered",
+      "the build cancel has been triggered",
+    );
+    update_update(update.clone()).await?;
+
+    let update_id = update.id.clone();
+
+    build_cancel_channel()
+      .sender
+      .lock()
+      .await
+      .send((build.id, update))?;
+
+    // Make sure cancel is set to complete after some time in case
+    // no reciever is there to do it. Prevents update stuck in InProgress.
+    tokio::spawn(async move {
+      tokio::time::sleep(Duration::from_secs(60)).await;
+      if let Err(e) = update_one_by_id(
+        &db_client().await.updates,
+        &update_id,
+        doc! { "$set": { "status": "Complete" } },
+        None,
+      )
+      .await
+      {
+        warn!("failed to set BuildCancel Update status Complete after timeout | {e:#}")
+      }
+    });
+
+    Ok(CancelBuildResponse {})
+  }
+}
+
+const BUILDER_POLL_RATE_SECS: u64 = 2;
+const BUILDER_POLL_MAX_TRIES: usize = 30;
+
+#[instrument(skip_all, fields(build_id = build.id, update_id = update.id))]
+async fn get_build_builder(
+  build: &Build,
+  update: &mut Update,
+) -> anyhow::Result<(PeripheryClient, BuildCleanupData)> {
+  if build.config.builder_id.is_empty() {
+    return Err(anyhow!("build has not configured a builder"));
+  }
+  let builder =
+    resource::get::<Builder>(&build.config.builder_id).await?;
+  match builder.config {
+    BuilderConfig::Server(config) => {
+      if config.server_id.is_empty() {
+        return Err(anyhow!("builder has not configured a server"));
+      }
+      let server = resource::get::<Server>(&config.server_id).await?;
+      let periphery = periphery_client(&server)?;
+      Ok((
+        periphery,
+        BuildCleanupData::Server {
+          repo_name: build.name.clone(),
+        },
+      ))
+    }
+    BuilderConfig::Aws(config) => {
+      get_aws_builder(build, config, update).await
+    }
+  }
+}
+
+#[instrument(skip_all, fields(build_id = build.id, update_id = update.id))]
+async fn get_aws_builder(
+  build: &Build,
+  config: AwsBuilderConfig,
+  update: &mut Update,
+) -> anyhow::Result<(PeripheryClient, BuildCleanupData)> {
+  let start_create_ts = monitor_timestamp();
+
+  let instance_name =
+    format!("BUILDER-{}-v{}", build.name, build.config.version);
+  let Ec2Instance { instance_id, ip } = launch_ec2_instance(
+    &instance_name,
+    AwsServerTemplateConfig::from_builder_config(&config),
+  )
+  .await?;
+
+  info!("ec2 instance launched");
+
+  let log = Log {
+    stage: "start build instance".to_string(),
+    success: true,
+    stdout: start_aws_builder_log(&instance_id, &ip, &config),
+    start_ts: start_create_ts,
+    end_ts: monitor_timestamp(),
+    ..Default::default()
+  };
+
+  update.logs.push(log);
+
+  update_update(update.clone()).await?;
+
+  let periphery_address = format!("http://{ip}:{}", config.port);
+  let periphery =
+    PeripheryClient::new(&periphery_address, &core_config().passkey);
+
+  let start_connect_ts = monitor_timestamp();
+  let mut res = Ok(GetVersionResponse {
+    version: String::new(),
+  });
+  for _ in 0..BUILDER_POLL_MAX_TRIES {
+    let version = periphery
+      .request(api::GetVersion {})
+      .await
+      .context("failed to reach periphery client on builder");
+    if let Ok(GetVersionResponse { version }) = &version {
+      let connect_log = Log {
+        stage: "build instance connected".to_string(),
+        success: true,
+        stdout: format!(
+          "established contact with periphery on builder\nperiphery version: v{}",
+          version
+        ),
+        start_ts: start_connect_ts,
+        end_ts: monitor_timestamp(),
+        ..Default::default()
+      };
+      update.logs.push(connect_log);
+      update_update(update.clone()).await?;
+      return Ok((
+        periphery,
+        BuildCleanupData::Aws {
+          instance_id,
+          region: config.region,
+        },
+      ));
+    }
+    res = version;
+    tokio::time::sleep(Duration::from_secs(BUILDER_POLL_RATE_SECS))
+      .await;
+  }
+
+  // Spawn terminate task in failure case (if loop is passed without return)
+  tokio::spawn(async move {
+    let _ =
+      terminate_ec2_instance_with_retry(config.region, &instance_id)
+        .await;
+  });
+
+  // Unwrap is safe, only way to get here is after check Ok / early return, so it must be err
+  Err(
+    res.err().unwrap().context(
+      "failed to start usable builder. terminating instance.",
+    ),
+  )
+}
+
+#[instrument(skip(periphery, update))]
+async fn cleanup_builder_instance(
+  periphery: PeripheryClient,
+  cleanup_data: BuildCleanupData,
+  update: &mut Update,
+) {
+  match cleanup_data {
+    BuildCleanupData::Server { repo_name } => {
+      let _ = periphery
+        .request(api::git::DeleteRepo { name: repo_name })
+        .await;
+    }
+    BuildCleanupData::Aws {
+      instance_id,
+      region,
+    } => {
+      let _instance_id = instance_id.clone();
+      tokio::spawn(async move {
+        let _ =
+          terminate_ec2_instance_with_retry(region, &_instance_id)
+            .await;
+      });
+      update.push_simple_log(
+        "terminate instance",
+        format!("termination queued for instance id {instance_id}"),
+      );
+    }
+  }
+}
+
+#[instrument]
+async fn handle_post_build_redeploy(build_id: &str) {
+  let Ok(redeploy_deployments) = find_collect(
+    &db_client().await.deployments,
+    doc! {
+      "config.image.params.build_id": build_id,
+      "config.redeploy_on_build": true
+    },
+    None,
+  )
+  .await
+  else {
+    return;
+  };
+
+  let futures =
+    redeploy_deployments
+      .into_iter()
+      .map(|deployment| async move {
+        let state =
+          get_deployment_state(&deployment).await.unwrap_or_default();
+        if state == DeploymentState::Running {
+          let req = super::ExecuteRequest::Deploy(Deploy {
+            deployment: deployment.id.clone(),
+            stop_signal: None,
+            stop_time: None,
+          });
+          let user = auto_redeploy_user().to_owned();
+          let res = async {
+            let update = init_execution_update(&req, &user).await?;
+            State
+              .resolve(
+                Deploy {
+                  deployment: deployment.id.clone(),
+                  stop_signal: None,
+                  stop_time: None,
+                },
+                (user, update),
+              )
+              .await
+          }
+          .await;
+          Some((deployment.id.clone(), res))
+        } else {
+          None
+        }
+      });
+
+  for res in join_all(futures).await {
+    let Some((id, res)) = res else {
+      continue;
+    };
+    if let Err(e) = res {
+      warn!("failed post build redeploy for deployment {id}: {e:#}");
+    }
+  }
+}
+
+fn start_aws_builder_log(
+  instance_id: &str,
+  ip: &str,
+  config: &AwsBuilderConfig,
+) -> String {
+  let AwsBuilderConfig {
+    ami_id,
+    instance_type,
+    volume_gb,
+    subnet_id,
+    assign_public_ip,
+    security_group_ids,
+    use_public_ip,
+    ..
+  } = config;
+
+  let readable_sec_group_ids = security_group_ids.join(", ");
+
+  [
+    format!("{}: {instance_id}", muted("instance id")),
+    format!("{}: {ip}", muted("ip")),
+    format!("{}: {ami_id}", muted("ami id")),
+    format!("{}: {instance_type}", muted("instance type")),
+    format!("{}: {volume_gb} GB", muted("volume size")),
+    format!("{}: {subnet_id}", muted("subnet id")),
+    format!("{}: {readable_sec_group_ids}", muted("security groups")),
+    format!("{}: {assign_public_ip}", muted("assign public ip")),
+    format!("{}: {use_public_ip}", muted("use public ip")),
+  ]
+  .join("\n")
+}
+
+/// This will make sure that a build with non-none image registry has an account attached,
+/// and will check the core config for a token / aws ecr config matching requirements.
+/// Otherwise it is left to periphery.
+async fn validate_account_extract_registry_token_aws_ecr(
+  build: &Build,
+) -> anyhow::Result<(Option<String>, Option<AwsEcrConfig>)> {
+  match &build.config.image_registry {
+    ImageRegistry::None(_) => Ok((None, None)),
+    ImageRegistry::DockerHub(CloudRegistryConfig {
+      account, ..
+    }) => {
+      if account.is_empty() {
+        return Err(anyhow!(
+          "Must attach account to use DockerHub image registry"
+        ));
+      }
+      Ok((core_config().docker_accounts.get(account).cloned(), None))
+    }
+    ImageRegistry::Ghcr(CloudRegistryConfig { account, .. }) => {
+      if account.is_empty() {
+        return Err(anyhow!(
+          "Must attach account to use GithubContainerRegistry"
+        ));
+      }
+      Ok((core_config().github_accounts.get(account).cloned(), None))
+    }
+    ImageRegistry::AwsEcr(label) => {
+      let config = core_config().aws_ecr_registries.get(label);
+      let token = match config {
+        Some(AwsEcrConfigWithCredentials {
+          region,
+          access_key_id,
+          secret_access_key,
+          ..
+        }) => {
+          let token = ecr::get_ecr_token(
+            region,
+            access_key_id,
+            secret_access_key,
+          )
+          .await
+          .context("failed to get aws ecr token")?;
+          ecr::maybe_create_repo(
+            &to_monitor_name(&build.name),
+            region.to_string(),
+            access_key_id,
+            secret_access_key,
+          )
+          .await
+          .context("failed to create aws ecr repo")?;
+          Some(token)
+        }
+        None => None,
+      };
+      Ok((token, config.map(AwsEcrConfig::from)))
+    }
+    ImageRegistry::Custom(_) => {
+      Err(anyhow!("Custom image registry is not implemented"))
+    }
+  }
+}

bin/core/src/api/execute/deployment.rs

@@ -0,0 +1,532 @@
+use std::collections::HashSet;
+
+use anyhow::{anyhow, Context};
+use formatting::format_serror;
+use futures::future::join_all;
+use monitor_client::{
+  api::execute::*,
+  entities::{
+    build::{Build, ImageRegistry},
+    config::core::AwsEcrConfig,
+    deployment::{Deployment, DeploymentImage},
+    get_image_name,
+    permission::PermissionLevel,
+    server::ServerState,
+    update::{Log, Update},
+    user::User,
+    Version,
+  },
+};
+use mungos::{find::find_collect, mongodb::bson::doc};
+use periphery_client::api;
+use resolver_api::Resolve;
+
+use crate::{
+  cloud::aws::ecr,
+  config::core_config,
+  helpers::{
+    periphery_client,
+    query::{get_global_variables, get_server_with_status},
+    update::update_update,
+  },
+  monitor::update_cache_for_server,
+  resource,
+  state::{action_states, db_client, State},
+};
+
+use crate::helpers::update::init_execution_update;
+
+impl Resolve<Deploy, (User, Update)> for State {
+  #[instrument(name = "Deploy", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    Deploy {
+      deployment,
+      stop_signal,
+      stop_time,
+    }: Deploy,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    let mut deployment =
+      resource::get_check_permissions::<Deployment>(
+        &deployment,
+        &user,
+        PermissionLevel::Execute,
+      )
+      .await?;
+
+    if deployment.config.server_id.is_empty() {
+      return Err(anyhow!("deployment has no server configured"));
+    }
+
+    // get the action state for the deployment (or insert default).
+    let action_state = action_states()
+      .deployment
+      .get_or_insert_default(&deployment.id)
+      .await;
+
+    // Will check to ensure deployment not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.deploying = true)?;
+
+    let (server, status) =
+      get_server_with_status(&deployment.config.server_id).await?;
+    if status != ServerState::Ok {
+      return Err(anyhow!(
+        "cannot send action when server is unreachable or disabled"
+      ));
+    }
+
+    let periphery = periphery_client(&server)?;
+
+    // This block gets the version of the image to deploy in the Build case.
+    // It also gets the name of the image from the build and attaches it directly.
+    let version = match deployment.config.image {
+      DeploymentImage::Build { build_id, version } => {
+        let build = resource::get::<Build>(&build_id).await?;
+        let image_name = get_image_name(&build, |label| {
+          core_config()
+            .aws_ecr_registries
+            .get(label)
+            .map(AwsEcrConfig::from)
+        })
+        .context("failed to create image name")?;
+        let version = if version.is_none() {
+          build.config.version
+        } else {
+          version
+        };
+        // replace image with corresponding build image.
+        deployment.config.image = DeploymentImage::Image {
+          image: format!("{image_name}:{version}"),
+        };
+        // set image registry to match build docker account if it's not overridden by deployment
+        if matches!(
+          &deployment.config.image_registry,
+          ImageRegistry::None(_)
+        ) {
+          deployment.config.image_registry =
+            build.config.image_registry;
+        }
+        version
+      }
+      DeploymentImage::Image { .. } => Version::default(),
+    };
+
+    let variables = get_global_variables().await?;
+    let core_config = core_config();
+
+    // Interpolate variables into environment
+    let mut global_replacers = HashSet::new();
+    let mut secret_replacers = HashSet::new();
+    for env in &mut deployment.config.environment {
+      // first pass - global variables
+      let (res, more_replacers) = svi::interpolate_variables(
+        &env.value,
+        &variables,
+        svi::Interpolator::DoubleBrackets,
+        false,
+      )
+      .context("failed to interpolate global variables")?;
+      global_replacers.extend(more_replacers);
+      // second pass - core secrets
+      let (res, more_replacers) = svi::interpolate_variables(
+        &res,
+        &core_config.secrets,
+        svi::Interpolator::DoubleBrackets,
+        false,
+      )
+      .context("failed to interpolate core secrets")?;
+      secret_replacers.extend(more_replacers);
+
+      // set env value with the result
+      env.value = res;
+    }
+
+    // Show which variables were interpolated
+    if !global_replacers.is_empty() {
+      update.push_simple_log(
+        "interpolate global variables",
+        global_replacers
+          .into_iter()
+          .map(|(value, variable)| format!("<span class=\"text-muted-foreground\">{variable} =></span> {value}"))
+          .collect::<Vec<_>>()
+          .join("\n"),
+      );
+    }
+    if !secret_replacers.is_empty() {
+      update.push_simple_log(
+        "interpolate core secrets",
+        secret_replacers
+          .iter()
+          .map(|(_, variable)| format!("<span class=\"text-muted-foreground\">replaced:</span> {variable}"))
+          .collect::<Vec<_>>()
+          .join("\n"),
+      );
+    }
+
+    update.version = version;
+    update_update(update.clone()).await?;
+
+    let (registry_token, aws_ecr) = match &deployment
+      .config
+      .image_registry
+    {
+      ImageRegistry::None(_) => (None, None),
+      ImageRegistry::DockerHub(params) => (
+        core_config.docker_accounts.get(&params.account).cloned(),
+        None,
+      ),
+      ImageRegistry::Ghcr(params) => (
+        core_config.github_accounts.get(&params.account).cloned(),
+        None,
+      ),
+      ImageRegistry::AwsEcr(label) => {
+        let config = core_config
+          .aws_ecr_registries
+          .get(label)
+          .with_context(|| {
+            format!(
+              "did not find config for aws ecr registry {label}"
+            )
+          })?;
+        (
+          Some(
+            ecr::get_ecr_token(
+              &config.region,
+              &config.access_key_id,
+              &config.secret_access_key,
+            )
+            .await
+            .context("failed to create aws ecr login token")?,
+          ),
+          Some(AwsEcrConfig::from(config)),
+        )
+      }
+      ImageRegistry::Custom(_) => {
+        return Err(anyhow!("Custom ImageRegistry not yet supported"))
+      }
+    };
+
+    match periphery
+      .request(api::container::Deploy {
+        deployment,
+        stop_signal,
+        stop_time,
+        registry_token,
+        aws_ecr,
+        replacers: secret_replacers.into_iter().collect(),
+      })
+      .await
+    {
+      Ok(log) => update.logs.push(log),
+      Err(e) => {
+        update.push_error_log(
+          "deploy container",
+          format_serror(
+            &e.context("failed to deploy container").into(),
+          ),
+        );
+      }
+    };
+
+    update_cache_for_server(&server).await;
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<StartContainer, (User, Update)> for State {
+  #[instrument(name = "StartContainer", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    StartContainer { deployment }: StartContainer,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    let deployment = resource::get_check_permissions::<Deployment>(
+      &deployment,
+      &user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    // get the action state for the deployment (or insert default).
+    let action_state = action_states()
+      .deployment
+      .get_or_insert_default(&deployment.id)
+      .await;
+
+    // Will check to ensure deployment not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.starting = true)?;
+
+    if deployment.config.server_id.is_empty() {
+      return Err(anyhow!("deployment has no server configured"));
+    }
+
+    let (server, status) =
+      get_server_with_status(&deployment.config.server_id).await?;
+    if status != ServerState::Ok {
+      return Err(anyhow!(
+        "cannot send action when server is unreachable or disabled"
+      ));
+    }
+
+    let periphery = periphery_client(&server)?;
+
+    let log = match periphery
+      .request(api::container::StartContainer {
+        name: deployment.name.clone(),
+      })
+      .await
+    {
+      Ok(log) => log,
+      Err(e) => Log::error(
+        "start container",
+        format_serror(&e.context("failed to start container").into()),
+      ),
+    };
+
+    update.logs.push(log);
+    update_cache_for_server(&server).await;
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<StopContainer, (User, Update)> for State {
+  #[instrument(name = "StopContainer", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    StopContainer {
+      deployment,
+      signal,
+      time,
+    }: StopContainer,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    let deployment = resource::get_check_permissions::<Deployment>(
+      &deployment,
+      &user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    // get the action state for the deployment (or insert default).
+    let action_state = action_states()
+      .deployment
+      .get_or_insert_default(&deployment.id)
+      .await;
+
+    // Will check to ensure deployment not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.stopping = true)?;
+
+    if deployment.config.server_id.is_empty() {
+      return Err(anyhow!("deployment has no server configured"));
+    }
+
+    let (server, status) =
+      get_server_with_status(&deployment.config.server_id).await?;
+    if status != ServerState::Ok {
+      return Err(anyhow!(
+        "cannot send action when server is unreachable or disabled"
+      ));
+    }
+
+    let periphery = periphery_client(&server)?;
+
+    let log = match periphery
+      .request(api::container::StopContainer {
+        name: deployment.name.clone(),
+        signal: signal
+          .unwrap_or(deployment.config.termination_signal)
+          .into(),
+        time: time
+          .unwrap_or(deployment.config.termination_timeout)
+          .into(),
+      })
+      .await
+    {
+      Ok(log) => log,
+      Err(e) => Log::error(
+        "stop container",
+        format_serror(&e.context("failed to stop container").into()),
+      ),
+    };
+
+    update.logs.push(log);
+    update_cache_for_server(&server).await;
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<StopAllContainers, (User, Update)> for State {
+  #[instrument(name = "StopAllContainers", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    StopAllContainers { server }: StopAllContainers,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    let (server, status) = get_server_with_status(&server).await?;
+    if status != ServerState::Ok {
+      return Err(anyhow!(
+        "cannot send action when server is unreachable or disabled"
+      ));
+    }
+
+    // get the action state for the server (or insert default).
+    let action_state = action_states()
+      .server
+      .get_or_insert_default(&server.id)
+      .await;
+
+    // Will check to ensure server not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard = action_state
+      .update(|state| state.stopping_containers = true)?;
+
+    let deployments = find_collect(
+      &db_client().await.deployments,
+      doc! {
+        "config.server_id": &server.id
+      },
+      None,
+    )
+    .await
+    .context("failed to find deployments on server")?;
+
+    let futures = deployments.iter().map(|deployment| async {
+      let req = super::ExecuteRequest::StopContainer(StopContainer {
+        deployment: deployment.id.clone(),
+        signal: None,
+        time: None,
+      });
+      (
+        async {
+          let update = init_execution_update(&req, &user).await?;
+          State
+            .resolve(
+              StopContainer {
+                deployment: deployment.id.clone(),
+                signal: None,
+                time: None,
+              },
+              (user.clone(), update),
+            )
+            .await
+        }
+        .await,
+        deployment.name.clone(),
+        deployment.id.clone(),
+      )
+    });
+    let results = join_all(futures).await;
+    let deployment_names = deployments
+      .iter()
+      .map(|d| format!("{} ({})", d.name, d.id))
+      .collect::<Vec<_>>()
+      .join("\n");
+    update.push_simple_log("stopping containers", deployment_names);
+    for (res, name, id) in results {
+      if let Err(e) = res {
+        update.push_error_log(
+          "stop container failure",
+          format_serror(
+            &e.context(format!(
+              "failed to stop container {name} ({id})"
+            ))
+            .into(),
+          ),
+        );
+      }
+    }
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<RemoveContainer, (User, Update)> for State {
+  #[instrument(name = "RemoveContainer", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    RemoveContainer {
+      deployment,
+      signal,
+      time,
+    }: RemoveContainer,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    let deployment = resource::get_check_permissions::<Deployment>(
+      &deployment,
+      &user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    // get the action state for the deployment (or insert default).
+    let action_state = action_states()
+      .deployment
+      .get_or_insert_default(&deployment.id)
+      .await;
+
+    // Will check to ensure deployment not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.removing = true)?;
+
+    if deployment.config.server_id.is_empty() {
+      return Err(anyhow!("deployment has no server configured"));
+    }
+
+    let (server, status) =
+      get_server_with_status(&deployment.config.server_id).await?;
+    if status != ServerState::Ok {
+      return Err(anyhow!(
+        "cannot send action when server is unreachable or disabled"
+      ));
+    }
+
+    let periphery = periphery_client(&server)?;
+
+    let log = match periphery
+      .request(api::container::RemoveContainer {
+        name: deployment.name.clone(),
+        signal: signal
+          .unwrap_or(deployment.config.termination_signal)
+          .into(),
+        time: time
+          .unwrap_or(deployment.config.termination_timeout)
+          .into(),
+      })
+      .await
+    {
+      Ok(log) => log,
+      Err(e) => Log::error(
+        "stop container",
+        format_serror(&e.context("failed to stop container").into()),
+      ),
+    };
+
+    update.logs.push(log);
+    update.finalize();
+    update_cache_for_server(&server).await;
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}

bin/core/src/api/execute/mod.rs

@@ -0,0 +1,156 @@
+use std::time::Instant;
+
+use anyhow::{anyhow, Context};
+use axum::{middleware, routing::post, Extension, Router};
+use formatting::format_serror;
+use monitor_client::{
+  api::execute::*,
+  entities::{
+    update::{Log, Update},
+    user::User,
+  },
+};
+use mungos::by_id::find_one_by_id;
+use resolver_api::{derive::Resolver, Resolver};
+use serde::{Deserialize, Serialize};
+use serror::Json;
+use typeshare::typeshare;
+use uuid::Uuid;
+
+use crate::{
+  auth::auth_request,
+  helpers::update::{init_execution_update, update_update},
+  state::{db_client, State},
+};
+
+mod build;
+mod deployment;
+mod procedure;
+mod repo;
+mod server;
+mod server_template;
+mod sync;
+
+#[typeshare]
+#[derive(Serialize, Deserialize, Debug, Clone, Resolver)]
+#[resolver_target(State)]
+#[resolver_args((User, Update))]
+#[serde(tag = "type", content = "params")]
+pub enum ExecuteRequest {
+  // ==== SERVER ====
+  PruneContainers(PruneContainers),
+  PruneImages(PruneImages),
+  PruneNetworks(PruneNetworks),
+
+  // ==== DEPLOYMENT ====
+  Deploy(Deploy),
+  StartContainer(StartContainer),
+  StopContainer(StopContainer),
+  StopAllContainers(StopAllContainers),
+  RemoveContainer(RemoveContainer),
+
+  // ==== BUILD ====
+  RunBuild(RunBuild),
+  CancelBuild(CancelBuild),
+
+  // ==== REPO ====
+  CloneRepo(CloneRepo),
+  PullRepo(PullRepo),
+
+  // ==== PROCEDURE ====
+  RunProcedure(RunProcedure),
+
+  // ==== SERVER TEMPLATE ====
+  LaunchServer(LaunchServer),
+
+  // ==== SYNC ====
+  RunSync(RunSync),
+}
+
+pub fn router() -> Router {
+  Router::new()
+    .route("/", post(handler))
+    .layer(middleware::from_fn(auth_request))
+}
+
+async fn handler(
+  Extension(user): Extension<User>,
+  Json(request): Json<ExecuteRequest>,
+) -> serror::Result<Json<Update>> {
+  let req_id = Uuid::new_v4();
+
+  // need to validate no cancel is active before any update is created.
+  build::validate_cancel_build(&request).await?;
+
+  let update = init_execution_update(&request, &user).await?;
+
+  let handle =
+    tokio::spawn(task(req_id, request, user, update.clone()));
+
+  tokio::spawn({
+    let update_id = update.id.clone();
+    async move {
+      let log = match handle.await {
+        Ok(Err(e)) => {
+          warn!("/execute request {req_id} task error: {e:#}",);
+          Log::error("task error", format_serror(&e.into()))
+        }
+        Err(e) => {
+          warn!("/execute request {req_id} spawn error: {e:?}",);
+          Log::error("spawn error", format!("{e:#?}"))
+        }
+        _ => return,
+      };
+      let res = async {
+        let mut update =
+          find_one_by_id(&db_client().await.updates, &update_id)
+            .await
+            .context("failed to query to db")?
+            .context("no update exists with given id")?;
+        update.logs.push(log);
+        update.finalize();
+        update_update(update).await
+      }
+      .await;
+
+      if let Err(e) = res {
+        warn!("failed to update update with task error log | {e:#}");
+      }
+    }
+  });
+
+  Ok(Json(update))
+}
+
+#[instrument(name = "ExecuteRequest", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+async fn task(
+  req_id: Uuid,
+  request: ExecuteRequest,
+  user: User,
+  update: Update,
+) -> anyhow::Result<String> {
+  info!(
+    "/execute request {req_id} | user: {} ({})",
+    user.username, user.id
+  );
+  let timer = Instant::now();
+
+  let res = State
+    .resolve_request(request, (user, update))
+    .await
+    .map_err(|e| match e {
+      resolver_api::Error::Serialization(e) => {
+        anyhow!("{e:?}").context("response serialization error")
+      }
+      resolver_api::Error::Inner(e) => e,
+    });
+
+  if let Err(e) = &res {
+    warn!("/execute request {req_id} error: {e:#}");
+  }
+
+  let elapsed = timer.elapsed();
+  debug!("/execute request {req_id} | resolve time: {elapsed:?}");
+
+  res
+}

bin/core/src/api/execute/procedure.rs

@@ -0,0 +1,114 @@
+use std::pin::Pin;
+
+use formatting::{bold, colored, format_serror, muted, Color};
+use monitor_client::{
+  api::execute::RunProcedure,
+  entities::{
+    permission::PermissionLevel, procedure::Procedure,
+    update::Update, user::User,
+  },
+};
+use mungos::{by_id::update_one_by_id, mongodb::bson::to_document};
+use resolver_api::Resolve;
+use tokio::sync::Mutex;
+
+use crate::{
+  helpers::{procedure::execute_procedure, update::update_update},
+  resource::{self, refresh_procedure_state_cache},
+  state::{action_states, db_client, State},
+};
+
+impl Resolve<RunProcedure, (User, Update)> for State {
+  #[instrument(name = "RunProcedure", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    RunProcedure { procedure }: RunProcedure,
+    (user, update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    resolve_inner(procedure, user, update).await
+  }
+}
+
+fn resolve_inner(
+  procedure: String,
+  user: User,
+  mut update: Update,
+) -> Pin<
+  Box<
+    dyn std::future::Future<Output = anyhow::Result<Update>> + Send,
+  >,
+> {
+  Box::pin(async move {
+    let procedure = resource::get_check_permissions::<Procedure>(
+      &procedure,
+      &user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    // Need to push the initial log, as execute_procedure
+    // assumes first log is already created
+    // and will panic otherwise.
+    update.push_simple_log(
+      "execute_procedure",
+      format!(
+        "{}: executing procedure '{}'",
+        muted("INFO"),
+        bold(&procedure.name)
+      ),
+    );
+
+    // get the action state for the procedure (or insert default).
+    let action_state = action_states()
+      .procedure
+      .get_or_insert_default(&procedure.id)
+      .await;
+
+    // This will set action state back to default when dropped.
+    // Will also check to ensure procedure not already busy before updating.
+    let _action_guard =
+      action_state.update(|state| state.running = true)?;
+
+    let update = Mutex::new(update);
+
+    let res = execute_procedure(&procedure, &update).await;
+
+    let mut update = update.into_inner();
+
+    match res {
+      Ok(_) => {
+        update.push_simple_log(
+          "execution ok",
+          format!(
+            "{}: the procedure has {} with no errors",
+            muted("INFO"),
+            colored("completed", Color::Green)
+          ),
+        );
+      }
+      Err(e) => update
+        .push_error_log("execution error", format_serror(&e.into())),
+    }
+
+    update.finalize();
+
+    // Need to manually update the update before cache refresh,
+    // and before broadcast with add_update.
+    // The Err case of to_document should be unreachable,
+    // but will fail to update cache in that case.
+    if let Ok(update_doc) = to_document(&update) {
+      let _ = update_one_by_id(
+        &db_client().await.updates,
+        &update.id,
+        mungos::update::Update::Set(update_doc),
+        None,
+      )
+      .await;
+      refresh_procedure_state_cache().await;
+    }
+
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  })
+}

bin/core/src/api/execute/repo.rs

@@ -0,0 +1,192 @@
+use anyhow::anyhow;
+use formatting::format_serror;
+use monitor_client::{
+  api::execute::*,
+  entities::{
+    monitor_timestamp, optional_string,
+    permission::PermissionLevel,
+    repo::Repo,
+    server::Server,
+    update::{Log, Update},
+    user::User,
+  },
+};
+use mungos::{
+  by_id::update_one_by_id,
+  mongodb::bson::{doc, to_document},
+};
+use periphery_client::api;
+use resolver_api::Resolve;
+
+use crate::{
+  config::core_config,
+  helpers::{periphery_client, update::update_update},
+  resource::{self, refresh_repo_state_cache},
+  state::{action_states, db_client, State},
+};
+
+impl Resolve<CloneRepo, (User, Update)> for State {
+  #[instrument(name = "CloneRepo", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    CloneRepo { repo }: CloneRepo,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    let repo = resource::get_check_permissions::<Repo>(
+      &repo,
+      &user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    // get the action state for the repo (or insert default).
+    let action_state =
+      action_states().repo.get_or_insert_default(&repo.id).await;
+
+    // This will set action state back to default when dropped.
+    // Will also check to ensure repo not already busy before updating.
+    let _action_guard =
+      action_state.update(|state| state.cloning = true)?;
+
+    if repo.config.server_id.is_empty() {
+      return Err(anyhow!("repo has no server attached"));
+    }
+
+    let server =
+      resource::get::<Server>(&repo.config.server_id).await?;
+
+    let periphery = periphery_client(&server)?;
+
+    let github_token = core_config()
+      .github_accounts
+      .get(&repo.config.github_account)
+      .cloned();
+
+    let logs = match periphery
+      .request(api::git::CloneRepo {
+        args: (&repo).into(),
+        github_token,
+      })
+      .await
+    {
+      Ok(logs) => logs,
+      Err(e) => {
+        vec![Log::error(
+          "clone repo",
+          format_serror(&e.context("failed to clone repo").into()),
+        )]
+      }
+    };
+
+    update.logs.extend(logs);
+    update.finalize();
+
+    if update.success {
+      update_last_pulled_time(&repo.name).await;
+    }
+
+    handle_update_return(update).await
+  }
+}
+
+impl Resolve<PullRepo, (User, Update)> for State {
+  #[instrument(name = "PullRepo", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    PullRepo { repo }: PullRepo,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    let repo = resource::get_check_permissions::<Repo>(
+      &repo,
+      &user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    // get the action state for the repo (or insert default).
+    let action_state =
+      action_states().repo.get_or_insert_default(&repo.id).await;
+
+    // This will set action state back to default when dropped.
+    // Will also check to ensure repo not already busy before updating.
+    let _action_guard =
+      action_state.update(|state| state.pulling = true)?;
+
+    if repo.config.server_id.is_empty() {
+      return Err(anyhow!("repo has no server attached"));
+    }
+
+    let server =
+      resource::get::<Server>(&repo.config.server_id).await?;
+
+    let periphery = periphery_client(&server)?;
+
+    let logs = match periphery
+      .request(api::git::PullRepo {
+        name: repo.name.clone(),
+        branch: optional_string(&repo.config.branch),
+        commit: optional_string(&repo.config.commit),
+        on_pull: repo.config.on_pull.into_option(),
+      })
+      .await
+    {
+      Ok(logs) => logs,
+      Err(e) => {
+        vec![Log::error(
+          "pull repo",
+          format_serror(&e.context("failed to pull repo").into()),
+        )]
+      }
+    };
+
+    update.logs.extend(logs);
+
+    update.finalize();
+
+    if update.success {
+      update_last_pulled_time(&repo.name).await;
+    }
+
+    handle_update_return(update).await
+  }
+}
+
+#[instrument(skip_all, fields(update_id = update.id))]
+async fn handle_update_return(
+  update: Update,
+) -> anyhow::Result<Update> {
+  // Need to manually update the update before cache refresh,
+  // and before broadcast with add_update.
+  // The Err case of to_document should be unreachable,
+  // but will fail to update cache in that case.
+  if let Ok(update_doc) = to_document(&update) {
+    let _ = update_one_by_id(
+      &db_client().await.updates,
+      &update.id,
+      mungos::update::Update::Set(update_doc),
+      None,
+    )
+    .await;
+    refresh_repo_state_cache().await;
+  }
+  update_update(update.clone()).await?;
+  Ok(update)
+}
+
+#[instrument]
+async fn update_last_pulled_time(repo_name: &str) {
+  let res = db_client()
+    .await
+    .repos
+    .update_one(
+      doc! { "name": repo_name },
+      doc! { "$set": { "info.last_pulled_at": monitor_timestamp() } },
+      None,
+    )
+    .await;
+  if let Err(e) = res {
+    warn!(
+      "failed to update repo last_pulled_at | repo: {repo_name} | {e:#}",
+    );
+  }
+}

bin/core/src/api/execute/server.rs

@@ -0,0 +1,175 @@
+use anyhow::Context;
+use formatting::format_serror;
+use monitor_client::{
+  api::execute::*,
+  entities::{
+    monitor_timestamp,
+    permission::PermissionLevel,
+    server::Server,
+    update::{Log, Update, UpdateStatus},
+    user::User,
+  },
+};
+use periphery_client::api;
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::{periphery_client, update::update_update},
+  resource,
+  state::{action_states, State},
+};
+
+impl Resolve<PruneContainers, (User, Update)> for State {
+  #[instrument(name = "PruneContainers", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    PruneContainers { server }: PruneContainers,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    // get the action state for the server (or insert default).
+    let action_state = action_states()
+      .server
+      .get_or_insert_default(&server.id)
+      .await;
+
+    // Will check to ensure server not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.pruning_containers = true)?;
+
+    let periphery = periphery_client(&server)?;
+
+    let log = match periphery
+      .request(api::container::PruneContainers {})
+      .await
+      .context(format!(
+        "failed to prune containers on server {}",
+        server.name
+      )) {
+      Ok(log) => log,
+      Err(e) => Log::error(
+        "prune containers",
+        format_serror(
+          &e.context("failed to prune containers").into(),
+        ),
+      ),
+    };
+
+    update.success = log.success;
+    update.status = UpdateStatus::Complete;
+    update.end_ts = Some(monitor_timestamp());
+    update.logs.push(log);
+
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<PruneNetworks, (User, Update)> for State {
+  #[instrument(name = "PruneNetworks", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    PruneNetworks { server }: PruneNetworks,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    // get the action state for the server (or insert default).
+    let action_state = action_states()
+      .server
+      .get_or_insert_default(&server.id)
+      .await;
+
+    // Will check to ensure server not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.pruning_networks = true)?;
+
+    let periphery = periphery_client(&server)?;
+
+    let log = match periphery
+      .request(api::network::PruneNetworks {})
+      .await
+      .context(format!(
+        "failed to prune networks on server {}",
+        server.name
+      )) {
+      Ok(log) => log,
+      Err(e) => Log::error(
+        "prune networks",
+        format_serror(&e.context("failed to prune networks").into()),
+      ),
+    };
+
+    update.success = log.success;
+    update.status = UpdateStatus::Complete;
+    update.end_ts = Some(monitor_timestamp());
+    update.logs.push(log);
+
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<PruneImages, (User, Update)> for State {
+  #[instrument(name = "PruneImages", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    PruneImages { server }: PruneImages,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    // get the action state for the server (or insert default).
+    let action_state = action_states()
+      .server
+      .get_or_insert_default(&server.id)
+      .await;
+
+    // Will check to ensure server not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.pruning_images = true)?;
+
+    let periphery = periphery_client(&server)?;
+
+    let log =
+      match periphery.request(api::build::PruneImages {}).await {
+        Ok(log) => log,
+        Err(e) => Log::error(
+          "prune images",
+          format!(
+            "failed to prune images on server {} | {e:#?}",
+            server.name
+          ),
+        ),
+      };
+
+    update.logs.push(log);
+
+    update.finalize();
+
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}

bin/core/src/api/execute/server_template.rs

@@ -0,0 +1,144 @@
+use anyhow::{anyhow, Context};
+use formatting::format_serror;
+use monitor_client::{
+  api::{execute::LaunchServer, write::CreateServer},
+  entities::{
+    permission::PermissionLevel,
+    server::PartialServerConfig,
+    server_template::{ServerTemplate, ServerTemplateConfig},
+    update::Update,
+    user::User,
+  },
+};
+use mungos::mongodb::bson::doc;
+use resolver_api::Resolve;
+
+use crate::{
+  cloud::{
+    aws::ec2::launch_ec2_instance, hetzner::launch_hetzner_server,
+  },
+  helpers::update::update_update,
+  resource,
+  state::{db_client, State},
+};
+
+impl Resolve<LaunchServer, (User, Update)> for State {
+  #[instrument(name = "LaunchServer", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    LaunchServer {
+      name,
+      server_template,
+    }: LaunchServer,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    // validate name isn't already taken by another server
+    if db_client()
+      .await
+      .servers
+      .find_one(
+        doc! {
+          "name": &name
+        },
+        None,
+      )
+      .await
+      .context("failed to query db for servers")?
+      .is_some()
+    {
+      return Err(anyhow!("name is already taken"));
+    }
+
+    let template = resource::get_check_permissions::<ServerTemplate>(
+      &server_template,
+      &user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    update.push_simple_log(
+      "launching server",
+      format!("{:#?}", template.config),
+    );
+    update_update(update.clone()).await?;
+
+    let config = match template.config {
+      ServerTemplateConfig::Aws(config) => {
+        let region = config.region.clone();
+        let instance = match launch_ec2_instance(&name, config).await
+        {
+          Ok(instance) => instance,
+          Err(e) => {
+            update.push_error_log(
+              "launch server",
+              format!("failed to launch aws instance\n\n{e:#?}"),
+            );
+            update.finalize();
+            update_update(update.clone()).await?;
+            return Ok(update);
+          }
+        };
+        update.push_simple_log(
+          "launch server",
+          format!(
+            "successfully launched server {name} on ip {}",
+            instance.ip
+          ),
+        );
+        PartialServerConfig {
+          address: format!("http://{}:8120", instance.ip).into(),
+          region: region.into(),
+          ..Default::default()
+        }
+      }
+      ServerTemplateConfig::Hetzner(config) => {
+        let datacenter = config.datacenter;
+        let server = match launch_hetzner_server(&name, config).await
+        {
+          Ok(server) => server,
+          Err(e) => {
+            update.push_error_log(
+              "launch server",
+              format!("failed to launch hetzner server\n\n{e:#?}"),
+            );
+            update.finalize();
+            update_update(update.clone()).await?;
+            return Ok(update);
+          }
+        };
+        update.push_simple_log(
+          "launch server",
+          format!(
+            "successfully launched server {name} on ip {}",
+            server.ip
+          ),
+        );
+        PartialServerConfig {
+          address: format!("http://{}:8120", server.ip).into(),
+          region: datacenter.as_ref().to_string().into(),
+          ..Default::default()
+        }
+      }
+    };
+
+    match self.resolve(CreateServer { name, config }, user).await {
+      Ok(server) => {
+        update.push_simple_log(
+          "create server",
+          format!("created server {} ({})", server.name, server.id),
+        );
+        update.other_data = server.id;
+      }
+      Err(e) => {
+        update.push_error_log(
+          "create server",
+          format_serror(&e.context("failed to create server").into()),
+        );
+      }
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+    Ok(update)
+  }
+}

bin/core/src/api/execute/sync.rs

@@ -0,0 +1,394 @@
+use anyhow::{anyhow, Context};
+use formatting::{colored, format_serror, Color};
+use mongo_indexed::doc;
+use monitor_client::{
+  api::{execute::RunSync, write::RefreshResourceSyncPending},
+  entities::{
+    self,
+    alerter::Alerter,
+    build::Build,
+    builder::Builder,
+    monitor_timestamp,
+    permission::PermissionLevel,
+    procedure::Procedure,
+    repo::Repo,
+    server::Server,
+    server_template::ServerTemplate,
+    update::{Log, Update},
+    user::{sync_user, User},
+  },
+};
+use mungos::{by_id::update_one_by_id, mongodb::bson::to_document};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::{
+    query::get_id_to_tags,
+    sync::{
+      deployment,
+      resource::{
+        get_updates_for_execution, AllResourcesById, ResourceSync,
+      },
+    },
+    update::update_update,
+  },
+  resource::{self, refresh_resource_sync_state_cache},
+  state::{db_client, State},
+};
+
+impl Resolve<RunSync, (User, Update)> for State {
+  #[instrument(name = "RunSync", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    RunSync { sync }: RunSync,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    let sync = resource::get_check_permissions::<
+      entities::sync::ResourceSync,
+    >(&sync, &user, PermissionLevel::Execute)
+    .await?;
+
+    if sync.config.repo.is_empty() {
+      return Err(anyhow!("resource sync repo not configured"));
+    }
+
+    let (res, logs, hash, message) =
+      crate::helpers::sync::remote::get_remote_resources(&sync)
+        .await
+        .context("failed to get remote resources")?;
+
+    update.logs.extend(logs);
+    update_update(update.clone()).await?;
+
+    let resources = res?;
+
+    let all_resources = AllResourcesById::load().await?;
+    let id_to_tags = get_id_to_tags(None).await?;
+
+    let (servers_to_create, servers_to_update, servers_to_delete) =
+      get_updates_for_execution::<Server>(
+        resources.servers,
+        sync.config.delete,
+        &all_resources,
+        &id_to_tags,
+      )
+      .await?;
+    let (
+      deployments_to_create,
+      deployments_to_update,
+      deployments_to_delete,
+    ) = deployment::get_updates_for_execution(
+      resources.deployments,
+      sync.config.delete,
+      &all_resources,
+      &id_to_tags,
+    )
+    .await?;
+    let (builds_to_create, builds_to_update, builds_to_delete) =
+      get_updates_for_execution::<Build>(
+        resources.builds,
+        sync.config.delete,
+        &all_resources,
+        &id_to_tags,
+      )
+      .await?;
+    let (repos_to_create, repos_to_update, repos_to_delete) =
+      get_updates_for_execution::<Repo>(
+        resources.repos,
+        sync.config.delete,
+        &all_resources,
+        &id_to_tags,
+      )
+      .await?;
+    let (
+      procedures_to_create,
+      procedures_to_update,
+      procedures_to_delete,
+    ) = get_updates_for_execution::<Procedure>(
+      resources.procedures,
+      sync.config.delete,
+      &all_resources,
+      &id_to_tags,
+    )
+    .await?;
+    let (builders_to_create, builders_to_update, builders_to_delete) =
+      get_updates_for_execution::<Builder>(
+        resources.builders,
+        sync.config.delete,
+        &all_resources,
+        &id_to_tags,
+      )
+      .await?;
+    let (alerters_to_create, alerters_to_update, alerters_to_delete) =
+      get_updates_for_execution::<Alerter>(
+        resources.alerters,
+        sync.config.delete,
+        &all_resources,
+        &id_to_tags,
+      )
+      .await?;
+    let (
+      server_templates_to_create,
+      server_templates_to_update,
+      server_templates_to_delete,
+    ) = get_updates_for_execution::<ServerTemplate>(
+      resources.server_templates,
+      sync.config.delete,
+      &all_resources,
+      &id_to_tags,
+    )
+    .await?;
+    let (
+      resource_syncs_to_create,
+      resource_syncs_to_update,
+      resource_syncs_to_delete,
+    ) = get_updates_for_execution::<entities::sync::ResourceSync>(
+      resources.resource_syncs,
+      sync.config.delete,
+      &all_resources,
+      &id_to_tags,
+    )
+    .await?;
+    let (
+      variables_to_create,
+      variables_to_update,
+      variables_to_delete,
+    ) = crate::helpers::sync::variables::get_updates_for_execution(
+      resources.variables,
+      sync.config.delete,
+    )
+    .await?;
+    let (
+      user_groups_to_create,
+      user_groups_to_update,
+      user_groups_to_delete,
+    ) = crate::helpers::sync::user_groups::get_updates_for_execution(
+      resources.user_groups,
+      sync.config.delete,
+      &all_resources,
+    )
+    .await?;
+
+    if resource_syncs_to_create.is_empty()
+      && resource_syncs_to_update.is_empty()
+      && resource_syncs_to_delete.is_empty()
+      && server_templates_to_create.is_empty()
+      && server_templates_to_update.is_empty()
+      && server_templates_to_delete.is_empty()
+      && servers_to_create.is_empty()
+      && servers_to_update.is_empty()
+      && servers_to_delete.is_empty()
+      && deployments_to_create.is_empty()
+      && deployments_to_update.is_empty()
+      && deployments_to_delete.is_empty()
+      && builds_to_create.is_empty()
+      && builds_to_update.is_empty()
+      && builds_to_delete.is_empty()
+      && builders_to_create.is_empty()
+      && builders_to_update.is_empty()
+      && builders_to_delete.is_empty()
+      && alerters_to_create.is_empty()
+      && alerters_to_update.is_empty()
+      && alerters_to_delete.is_empty()
+      && repos_to_create.is_empty()
+      && repos_to_update.is_empty()
+      && repos_to_delete.is_empty()
+      && procedures_to_create.is_empty()
+      && procedures_to_update.is_empty()
+      && procedures_to_delete.is_empty()
+      && user_groups_to_create.is_empty()
+      && user_groups_to_update.is_empty()
+      && user_groups_to_delete.is_empty()
+      && variables_to_create.is_empty()
+      && variables_to_update.is_empty()
+      && variables_to_delete.is_empty()
+    {
+      update.push_simple_log(
+        "No Changes",
+        format!(
+          "{}. exiting.",
+          colored("nothing to do", Color::Green)
+        ),
+      );
+      update.finalize();
+      update_update(update.clone()).await?;
+      return Ok(update);
+    }
+
+    // =================
+
+    // No deps
+    maybe_extend(
+      &mut update.logs,
+      crate::helpers::sync::variables::run_updates(
+        variables_to_create,
+        variables_to_update,
+        variables_to_delete,
+      )
+      .await,
+    );
+    maybe_extend(
+      &mut update.logs,
+      crate::helpers::sync::user_groups::run_updates(
+        user_groups_to_create,
+        user_groups_to_update,
+        user_groups_to_delete,
+      )
+      .await,
+    );
+    maybe_extend(
+      &mut update.logs,
+      entities::sync::ResourceSync::run_updates(
+        resource_syncs_to_create,
+        resource_syncs_to_update,
+        resource_syncs_to_delete,
+      )
+      .await,
+    );
+    maybe_extend(
+      &mut update.logs,
+      ServerTemplate::run_updates(
+        server_templates_to_create,
+        server_templates_to_update,
+        server_templates_to_delete,
+      )
+      .await,
+    );
+    maybe_extend(
+      &mut update.logs,
+      Server::run_updates(
+        servers_to_create,
+        servers_to_update,
+        servers_to_delete,
+      )
+      .await,
+    );
+    maybe_extend(
+      &mut update.logs,
+      Alerter::run_updates(
+        alerters_to_create,
+        alerters_to_update,
+        alerters_to_delete,
+      )
+      .await,
+    );
+
+    // Dependent on server
+    maybe_extend(
+      &mut update.logs,
+      Builder::run_updates(
+        builders_to_create,
+        builders_to_update,
+        builders_to_delete,
+      )
+      .await,
+    );
+    maybe_extend(
+      &mut update.logs,
+      Repo::run_updates(
+        repos_to_create,
+        repos_to_update,
+        repos_to_delete,
+      )
+      .await,
+    );
+
+    // Dependant on builder
+    maybe_extend(
+      &mut update.logs,
+      Build::run_updates(
+        builds_to_create,
+        builds_to_update,
+        builds_to_delete,
+      )
+      .await,
+    );
+
+    // Dependant on server / build
+    if let Some(res) = deployment::run_updates(
+      deployments_to_create,
+      deployments_to_update,
+      deployments_to_delete,
+    )
+    .await
+    {
+      update.logs.extend(res);
+    }
+
+    // Dependant on everything
+    maybe_extend(
+      &mut update.logs,
+      Procedure::run_updates(
+        procedures_to_create,
+        procedures_to_update,
+        procedures_to_delete,
+      )
+      .await,
+    );
+
+    let db = db_client().await;
+
+    if let Err(e) = update_one_by_id(
+      &db.resource_syncs,
+      &sync.id,
+      doc! {
+        "$set": {
+          "info.last_sync_ts": monitor_timestamp(),
+          "info.last_sync_hash": hash,
+          "info.last_sync_message": message,
+        }
+      },
+      None,
+    )
+    .await
+    {
+      warn!(
+        "failed to update resource sync {} info after sync | {e:#}",
+        sync.name
+      )
+    }
+
+    if let Err(e) = State
+      .resolve(
+        RefreshResourceSyncPending { sync: sync.id },
+        sync_user().to_owned(),
+      )
+      .await
+    {
+      warn!("failed to refresh sync {} after run | {e:#}", sync.name);
+      update.push_error_log(
+        "refresh sync",
+        format_serror(
+          &e.context("failed to refresh sync pending after run")
+            .into(),
+        ),
+      );
+    }
+
+    update.finalize();
+
+    // Need to manually update the update before cache refresh,
+    // and before broadcast with add_update.
+    // The Err case of to_document should be unreachable,
+    // but will fail to update cache in that case.
+    if let Ok(update_doc) = to_document(&update) {
+      let _ = update_one_by_id(
+        &db.updates,
+        &update.id,
+        mungos::update::Update::Set(update_doc),
+        None,
+      )
+      .await;
+      refresh_resource_sync_state_cache().await;
+    }
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+fn maybe_extend(logs: &mut Vec<Log>, log: Option<Log>) {
+  if let Some(log) = log {
+    logs.push(log);
+  }
+}

bin/core/src/api/mod.rs

@@ -0,0 +1,5 @@
+pub mod auth;
+pub mod execute;
+pub mod read;
+pub mod user;
+pub mod write;

bin/core/src/api/read/alert.rs

@@ -0,0 +1,84 @@
+use anyhow::Context;
+use monitor_client::{
+  api::read::{
+    GetAlert, GetAlertResponse, ListAlerts, ListAlertsResponse,
+  },
+  entities::{update::ResourceTargetVariant, user::User},
+};
+use mungos::{
+  by_id::find_one_by_id,
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
+use resolver_api::Resolve;
+
+use crate::{
+  config::core_config,
+  helpers::query::get_resource_ids_for_non_admin,
+  state::{db_client, State},
+};
+
+const NUM_ALERTS_PER_PAGE: u64 = 100;
+
+impl Resolve<ListAlerts, User> for State {
+  async fn resolve(
+    &self,
+    ListAlerts { query, page }: ListAlerts,
+    user: User,
+  ) -> anyhow::Result<ListAlertsResponse> {
+    let mut query = query.unwrap_or_default();
+    if !user.admin && !core_config().transparent_mode {
+      let server_ids = get_resource_ids_for_non_admin(
+        &user.id,
+        ResourceTargetVariant::Server,
+      )
+      .await?;
+      let deployment_ids = get_resource_ids_for_non_admin(
+        &user.id,
+        ResourceTargetVariant::Deployment,
+      )
+      .await?;
+      query.extend(doc! {
+        "$or": [
+          { "target.type": "Server", "target.id": { "$in": &server_ids } },
+          { "target.type": "Deployment", "target.id": { "$in": &deployment_ids } },
+        ]
+      });
+    }
+
+    let alerts = find_collect(
+      &db_client().await.alerts,
+      query,
+      FindOptions::builder()
+        .sort(doc! { "ts": -1 })
+        .limit(NUM_ALERTS_PER_PAGE as i64)
+        .skip(page * NUM_ALERTS_PER_PAGE)
+        .build(),
+    )
+    .await
+    .context("failed to get alerts from db")?;
+
+    let next_page = if alerts.len() < NUM_ALERTS_PER_PAGE as usize {
+      None
+    } else {
+      Some((page + 1) as i64)
+    };
+
+    let res = ListAlertsResponse { next_page, alerts };
+
+    Ok(res)
+  }
+}
+
+impl Resolve<GetAlert, User> for State {
+  async fn resolve(
+    &self,
+    GetAlert { id }: GetAlert,
+    _: User,
+  ) -> anyhow::Result<GetAlertResponse> {
+    find_one_by_id(&db_client().await.alerts, &id)
+      .await
+      .context("failed to query db for alert")?
+      .context("no alert found with given id")
+  }
+}

bin/core/src/api/read/alerter.rs

@@ -0,0 +1,91 @@
+use std::str::FromStr;
+
+use anyhow::Context;
+use monitor_client::{
+  api::read::*,
+  entities::{
+    alerter::{Alerter, AlerterListItem},
+    permission::PermissionLevel,
+    update::ResourceTargetVariant,
+    user::User,
+  },
+};
+use mungos::mongodb::bson::{doc, oid::ObjectId};
+use resolver_api::Resolve;
+
+use crate::{
+  config::core_config,
+  helpers::query::get_resource_ids_for_non_admin,
+  resource,
+  state::{db_client, State},
+};
+
+impl Resolve<GetAlerter, User> for State {
+  async fn resolve(
+    &self,
+    GetAlerter { alerter }: GetAlerter,
+    user: User,
+  ) -> anyhow::Result<Alerter> {
+    resource::get_check_permissions::<Alerter>(
+      &alerter,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await
+  }
+}
+
+impl Resolve<ListAlerters, User> for State {
+  async fn resolve(
+    &self,
+    ListAlerters { query }: ListAlerters,
+    user: User,
+  ) -> anyhow::Result<Vec<AlerterListItem>> {
+    resource::list_for_user::<Alerter>(query, &user).await
+  }
+}
+
+impl Resolve<ListFullAlerters, User> for State {
+  async fn resolve(
+    &self,
+    ListFullAlerters { query }: ListFullAlerters,
+    user: User,
+  ) -> anyhow::Result<ListFullAlertersResponse> {
+    resource::list_full_for_user::<Alerter>(query, &user).await
+  }
+}
+
+impl Resolve<GetAlertersSummary, User> for State {
+  async fn resolve(
+    &self,
+    GetAlertersSummary {}: GetAlertersSummary,
+    user: User,
+  ) -> anyhow::Result<GetAlertersSummaryResponse> {
+    let query = if user.admin || core_config().transparent_mode {
+      None
+    } else {
+      let ids = get_resource_ids_for_non_admin(
+        &user.id,
+        ResourceTargetVariant::Alerter,
+      )
+      .await?
+      .into_iter()
+      .flat_map(|id| ObjectId::from_str(&id))
+      .collect::<Vec<_>>();
+      let query = doc! {
+        "_id": { "$in": ids }
+      };
+      Some(query)
+    };
+    let total = db_client()
+      .await
+      .alerters
+      .count_documents(query, None)
+      .await
+      .context("failed to count all alerter documents")?;
+    let res = GetAlertersSummaryResponse {
+      total: total as u32,
+    };
+    Ok(res)
+  }
+}

bin/core/src/api/read/build.rs

@@ -0,0 +1,312 @@
+use std::{
+  collections::{HashMap, HashSet},
+  sync::OnceLock,
+};
+
+use anyhow::Context;
+use async_timing_util::unix_timestamp_ms;
+use futures::TryStreamExt;
+use monitor_client::{
+  api::read::*,
+  entities::{
+    build::{Build, BuildActionState, BuildListItem, BuildState},
+    permission::PermissionLevel,
+    update::UpdateStatus,
+    user::User,
+    Operation,
+  },
+};
+use mungos::{
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
+use resolver_api::{Resolve, ResolveToString};
+
+use crate::{
+  config::core_config,
+  resource,
+  state::{action_states, build_state_cache, db_client, State},
+};
+
+impl Resolve<GetBuild, User> for State {
+  async fn resolve(
+    &self,
+    GetBuild { build }: GetBuild,
+    user: User,
+  ) -> anyhow::Result<Build> {
+    resource::get_check_permissions::<Build>(
+      &build,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await
+  }
+}
+
+impl Resolve<ListBuilds, User> for State {
+  async fn resolve(
+    &self,
+    ListBuilds { query }: ListBuilds,
+    user: User,
+  ) -> anyhow::Result<Vec<BuildListItem>> {
+    resource::list_for_user::<Build>(query, &user).await
+  }
+}
+
+impl Resolve<ListFullBuilds, User> for State {
+  async fn resolve(
+    &self,
+    ListFullBuilds { query }: ListFullBuilds,
+    user: User,
+  ) -> anyhow::Result<ListFullBuildsResponse> {
+    resource::list_full_for_user::<Build>(query, &user).await
+  }
+}
+
+impl Resolve<GetBuildActionState, User> for State {
+  async fn resolve(
+    &self,
+    GetBuildActionState { build }: GetBuildActionState,
+    user: User,
+  ) -> anyhow::Result<BuildActionState> {
+    let build = resource::get_check_permissions::<Build>(
+      &build,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let action_state = action_states()
+      .build
+      .get(&build.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<GetBuildsSummary, User> for State {
+  async fn resolve(
+    &self,
+    GetBuildsSummary {}: GetBuildsSummary,
+    user: User,
+  ) -> anyhow::Result<GetBuildsSummaryResponse> {
+    let builds = resource::list_full_for_user::<Build>(
+      Default::default(),
+      &user,
+    )
+    .await
+    .context("failed to get all builds")?;
+
+    let mut res = GetBuildsSummaryResponse::default();
+
+    let cache = build_state_cache();
+    let action_states = action_states();
+
+    for build in builds {
+      res.total += 1;
+
+      match (
+        cache.get(&build.id).await.unwrap_or_default(),
+        action_states
+          .build
+          .get(&build.id)
+          .await
+          .unwrap_or_default()
+          .get()?,
+      ) {
+        (_, action_states) if action_states.building => {
+          res.building += 1;
+        }
+        (BuildState::Ok, _) => res.ok += 1,
+        (BuildState::Failed, _) => res.failed += 1,
+        (BuildState::Unknown, _) => res.unknown += 1,
+        // will never come off the cache in the building state, since that comes from action states
+        (BuildState::Building, _) => unreachable!(),
+      }
+    }
+
+    Ok(res)
+  }
+}
+
+const ONE_DAY_MS: i64 = 86400000;
+
+impl Resolve<GetBuildMonthlyStats, User> for State {
+  async fn resolve(
+    &self,
+    GetBuildMonthlyStats { page }: GetBuildMonthlyStats,
+    _: User,
+  ) -> anyhow::Result<GetBuildMonthlyStatsResponse> {
+    let curr_ts = unix_timestamp_ms() as i64;
+    let next_day = curr_ts - curr_ts % ONE_DAY_MS + ONE_DAY_MS;
+
+    let close_ts = next_day - page as i64 * 30 * ONE_DAY_MS;
+    let open_ts = close_ts - 30 * ONE_DAY_MS;
+
+    let mut build_updates = db_client()
+      .await
+      .updates
+      .find(
+        doc! {
+          "start_ts": {
+            "$gte": open_ts,
+            "$lt": close_ts
+          },
+          "operation": Operation::RunBuild.to_string(),
+        },
+        None,
+      )
+      .await
+      .context("failed to get updates cursor")?;
+
+    let mut days = HashMap::<i64, BuildStatsDay>::with_capacity(32);
+
+    let mut curr = open_ts;
+
+    while curr < close_ts {
+      let stats = BuildStatsDay {
+        ts: curr as f64,
+        ..Default::default()
+      };
+      days.insert(curr, stats);
+      curr += ONE_DAY_MS;
+    }
+
+    while let Some(update) = build_updates.try_next().await? {
+      if let Some(end_ts) = update.end_ts {
+        let day = update.start_ts - update.start_ts % ONE_DAY_MS;
+        let entry = days.entry(day).or_default();
+        entry.count += 1.0;
+        entry.time += ms_to_hour(end_ts - update.start_ts);
+      }
+    }
+
+    Ok(GetBuildMonthlyStatsResponse::new(
+      days.into_values().collect(),
+    ))
+  }
+}
+
+const MS_TO_HOUR_DIVISOR: f64 = 1000.0 * 60.0 * 60.0;
+fn ms_to_hour(duration: i64) -> f64 {
+  duration as f64 / MS_TO_HOUR_DIVISOR
+}
+
+impl Resolve<GetBuildVersions, User> for State {
+  async fn resolve(
+    &self,
+    GetBuildVersions {
+      build,
+      major,
+      minor,
+      patch,
+      limit,
+    }: GetBuildVersions,
+    user: User,
+  ) -> anyhow::Result<Vec<BuildVersionResponseItem>> {
+    let build = resource::get_check_permissions::<Build>(
+      &build,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+
+    let mut filter = doc! {
+      "target": {
+        "type": "Build",
+        "id": build.id
+      },
+      "operation": Operation::RunBuild.to_string(),
+      "status": UpdateStatus::Complete.to_string(),
+      "success": true
+    };
+    if let Some(major) = major {
+      filter.insert("version.major", major);
+    }
+    if let Some(minor) = minor {
+      filter.insert("version.minor", minor);
+    }
+    if let Some(patch) = patch {
+      filter.insert("version.patch", patch);
+    }
+
+    let versions = find_collect(
+      &db_client().await.updates,
+      filter,
+      FindOptions::builder()
+        .sort(doc! { "_id": -1 })
+        .limit(limit)
+        .build(),
+    )
+    .await
+    .context("failed to pull versions from mongo")?
+    .into_iter()
+    .map(|u| (u.version, u.start_ts))
+    .filter(|(v, _)| !v.is_none())
+    .map(|(version, ts)| BuildVersionResponseItem { version, ts })
+    .collect();
+    Ok(versions)
+  }
+}
+
+fn github_organizations() -> &'static String {
+  static GITHUB_ORGANIZATIONS: OnceLock<String> = OnceLock::new();
+  GITHUB_ORGANIZATIONS.get_or_init(|| {
+    serde_json::to_string(&core_config().github_organizations)
+      .expect("failed to serialize github organizations")
+  })
+}
+
+impl ResolveToString<ListGithubOrganizations, User> for State {
+  async fn resolve_to_string(
+    &self,
+    ListGithubOrganizations {}: ListGithubOrganizations,
+    _: User,
+  ) -> anyhow::Result<String> {
+    Ok(github_organizations().clone())
+  }
+}
+
+fn docker_organizations() -> &'static String {
+  static DOCKER_ORGANIZATIONS: OnceLock<String> = OnceLock::new();
+  DOCKER_ORGANIZATIONS.get_or_init(|| {
+    serde_json::to_string(&core_config().docker_organizations)
+      .expect("failed to serialize docker organizations")
+  })
+}
+
+impl ResolveToString<ListDockerOrganizations, User> for State {
+  async fn resolve_to_string(
+    &self,
+    ListDockerOrganizations {}: ListDockerOrganizations,
+    _: User,
+  ) -> anyhow::Result<String> {
+    Ok(docker_organizations().clone())
+  }
+}
+
+impl Resolve<ListCommonBuildExtraArgs, User> for State {
+  async fn resolve(
+    &self,
+    ListCommonBuildExtraArgs { query }: ListCommonBuildExtraArgs,
+    user: User,
+  ) -> anyhow::Result<ListCommonBuildExtraArgsResponse> {
+    let builds = resource::list_full_for_user::<Build>(query, &user)
+      .await
+      .context("failed to get resources matching query")?;
+
+    // first collect with guaranteed uniqueness
+    let mut res = HashSet::<String>::new();
+
+    for build in builds {
+      for extra_arg in build.config.extra_args {
+        res.insert(extra_arg);
+      }
+    }
+
+    let mut res = res.into_iter().collect::<Vec<_>>();
+    res.sort();
+    Ok(res)
+  }
+}

bin/core/src/api/read/builder.rs

@@ -0,0 +1,140 @@
+use std::{collections::HashSet, str::FromStr};
+
+use anyhow::Context;
+use monitor_client::{
+  api::read::{self, *},
+  entities::{
+    builder::{Builder, BuilderConfig, BuilderListItem},
+    permission::PermissionLevel,
+    update::ResourceTargetVariant,
+    user::User,
+  },
+};
+use mungos::mongodb::bson::{doc, oid::ObjectId};
+use resolver_api::Resolve;
+
+use crate::{
+  config::core_config,
+  helpers::query::get_resource_ids_for_non_admin,
+  resource,
+  state::{db_client, State},
+};
+
+impl Resolve<GetBuilder, User> for State {
+  async fn resolve(
+    &self,
+    GetBuilder { builder }: GetBuilder,
+    user: User,
+  ) -> anyhow::Result<Builder> {
+    resource::get_check_permissions::<Builder>(
+      &builder,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await
+  }
+}
+
+impl Resolve<ListBuilders, User> for State {
+  async fn resolve(
+    &self,
+    ListBuilders { query }: ListBuilders,
+    user: User,
+  ) -> anyhow::Result<Vec<BuilderListItem>> {
+    resource::list_for_user::<Builder>(query, &user).await
+  }
+}
+
+impl Resolve<ListFullBuilders, User> for State {
+  async fn resolve(
+    &self,
+    ListFullBuilders { query }: ListFullBuilders,
+    user: User,
+  ) -> anyhow::Result<ListFullBuildersResponse> {
+    resource::list_full_for_user::<Builder>(query, &user).await
+  }
+}
+
+impl Resolve<GetBuildersSummary, User> for State {
+  async fn resolve(
+    &self,
+    GetBuildersSummary {}: GetBuildersSummary,
+    user: User,
+  ) -> anyhow::Result<GetBuildersSummaryResponse> {
+    let query = if user.admin || core_config().transparent_mode {
+      None
+    } else {
+      let ids = get_resource_ids_for_non_admin(
+        &user.id,
+        ResourceTargetVariant::Builder,
+      )
+      .await?
+      .into_iter()
+      .flat_map(|id| ObjectId::from_str(&id))
+      .collect::<Vec<_>>();
+      let query = doc! {
+        "_id": { "$in": ids }
+      };
+      Some(query)
+    };
+    let total = db_client()
+      .await
+      .builders
+      .count_documents(query, None)
+      .await
+      .context("failed to count all builder documents")?;
+    let res = GetBuildersSummaryResponse {
+      total: total as u32,
+    };
+    Ok(res)
+  }
+}
+
+impl Resolve<GetBuilderAvailableAccounts, User> for State {
+  async fn resolve(
+    &self,
+    GetBuilderAvailableAccounts { builder }: GetBuilderAvailableAccounts,
+    user: User,
+  ) -> anyhow::Result<GetBuilderAvailableAccountsResponse> {
+    let builder = resource::get_check_permissions::<Builder>(
+      &builder,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let (github, docker) = match builder.config {
+      BuilderConfig::Aws(config) => {
+        (config.github_accounts, config.docker_accounts)
+      }
+      BuilderConfig::Server(config) => {
+        let res = self
+          .resolve(
+            read::GetAvailableAccounts {
+              server: Some(config.server_id),
+            },
+            user,
+          )
+          .await?;
+        (res.github, res.docker)
+      }
+    };
+
+    let mut github_set = HashSet::<String>::new();
+
+    github_set.extend(core_config().github_accounts.keys().cloned());
+    github_set.extend(github);
+
+    let mut github = github_set.into_iter().collect::<Vec<_>>();
+    github.sort();
+
+    let mut docker_set = HashSet::<String>::new();
+
+    docker_set.extend(core_config().docker_accounts.keys().cloned());
+    docker_set.extend(docker);
+
+    let mut docker = docker_set.into_iter().collect::<Vec<_>>();
+    docker.sort();
+
+    Ok(GetBuilderAvailableAccountsResponse { github, docker })
+  }
+}

bin/core/src/api/read/deployment.rs

@@ -0,0 +1,264 @@
+use std::{cmp, collections::HashSet};
+
+use anyhow::{anyhow, Context};
+use monitor_client::{
+  api::read::*,
+  entities::{
+    deployment::{
+      Deployment, DeploymentActionState, DeploymentConfig,
+      DeploymentListItem, DeploymentState, DockerContainerStats,
+    },
+    permission::PermissionLevel,
+    server::Server,
+    update::Log,
+    user::User,
+  },
+};
+use periphery_client::api;
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::periphery_client,
+  resource,
+  state::{action_states, deployment_status_cache, State},
+};
+
+impl Resolve<GetDeployment, User> for State {
+  async fn resolve(
+    &self,
+    GetDeployment { deployment }: GetDeployment,
+    user: User,
+  ) -> anyhow::Result<Deployment> {
+    resource::get_check_permissions::<Deployment>(
+      &deployment,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await
+  }
+}
+
+impl Resolve<ListDeployments, User> for State {
+  async fn resolve(
+    &self,
+    ListDeployments { query }: ListDeployments,
+    user: User,
+  ) -> anyhow::Result<Vec<DeploymentListItem>> {
+    resource::list_for_user::<Deployment>(query, &user).await
+  }
+}
+
+impl Resolve<ListFullDeployments, User> for State {
+  async fn resolve(
+    &self,
+    ListFullDeployments { query }: ListFullDeployments,
+    user: User,
+  ) -> anyhow::Result<ListFullDeploymentsResponse> {
+    resource::list_full_for_user::<Deployment>(query, &user).await
+  }
+}
+
+impl Resolve<GetDeploymentContainer, User> for State {
+  async fn resolve(
+    &self,
+    GetDeploymentContainer { deployment }: GetDeploymentContainer,
+    user: User,
+  ) -> anyhow::Result<GetDeploymentContainerResponse> {
+    let deployment = resource::get_check_permissions::<Deployment>(
+      &deployment,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let status = deployment_status_cache()
+      .get(&deployment.id)
+      .await
+      .unwrap_or_default();
+    let response = GetDeploymentContainerResponse {
+      state: status.curr.state,
+      container: status.curr.container.clone(),
+    };
+    Ok(response)
+  }
+}
+
+const MAX_LOG_LENGTH: u64 = 5000;
+
+impl Resolve<GetLog, User> for State {
+  async fn resolve(
+    &self,
+    GetLog { deployment, tail }: GetLog,
+    user: User,
+  ) -> anyhow::Result<Log> {
+    let Deployment {
+      name,
+      config: DeploymentConfig { server_id, .. },
+      ..
+    } = resource::get_check_permissions::<Deployment>(
+      &deployment,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    if server_id.is_empty() {
+      return Ok(Log::default());
+    }
+    let server = resource::get::<Server>(&server_id).await?;
+    periphery_client(&server)?
+      .request(api::container::GetContainerLog {
+        name,
+        tail: cmp::min(tail, MAX_LOG_LENGTH),
+      })
+      .await
+      .context("failed at call to periphery")
+  }
+}
+
+impl Resolve<SearchLog, User> for State {
+  async fn resolve(
+    &self,
+    SearchLog {
+      deployment,
+      terms,
+      combinator,
+      invert,
+    }: SearchLog,
+    user: User,
+  ) -> anyhow::Result<Log> {
+    let Deployment {
+      name,
+      config: DeploymentConfig { server_id, .. },
+      ..
+    } = resource::get_check_permissions::<Deployment>(
+      &deployment,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    if server_id.is_empty() {
+      return Ok(Log::default());
+    }
+    let server = resource::get::<Server>(&server_id).await?;
+    periphery_client(&server)?
+      .request(api::container::GetContainerLogSearch {
+        name,
+        terms,
+        combinator,
+        invert,
+      })
+      .await
+      .context("failed at call to periphery")
+  }
+}
+
+impl Resolve<GetDeploymentStats, User> for State {
+  async fn resolve(
+    &self,
+    GetDeploymentStats { deployment }: GetDeploymentStats,
+    user: User,
+  ) -> anyhow::Result<DockerContainerStats> {
+    let Deployment {
+      name,
+      config: DeploymentConfig { server_id, .. },
+      ..
+    } = resource::get_check_permissions::<Deployment>(
+      &deployment,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    if server_id.is_empty() {
+      return Err(anyhow!("deployment has no server attached"));
+    }
+    let server = resource::get::<Server>(&server_id).await?;
+    periphery_client(&server)?
+      .request(api::container::GetContainerStats { name })
+      .await
+      .context("failed to get stats from periphery")
+  }
+}
+
+impl Resolve<GetDeploymentActionState, User> for State {
+  async fn resolve(
+    &self,
+    GetDeploymentActionState { deployment }: GetDeploymentActionState,
+    user: User,
+  ) -> anyhow::Result<DeploymentActionState> {
+    let deployment = resource::get_check_permissions::<Deployment>(
+      &deployment,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let action_state = action_states()
+      .deployment
+      .get(&deployment.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<GetDeploymentsSummary, User> for State {
+  async fn resolve(
+    &self,
+    GetDeploymentsSummary {}: GetDeploymentsSummary,
+    user: User,
+  ) -> anyhow::Result<GetDeploymentsSummaryResponse> {
+    let deployments = resource::list_full_for_user::<Deployment>(
+      Default::default(),
+      &user,
+    )
+    .await
+    .context("failed to get deployments from db")?;
+    let mut res = GetDeploymentsSummaryResponse::default();
+    let status_cache = deployment_status_cache();
+    for deployment in deployments {
+      res.total += 1;
+      let status =
+        status_cache.get(&deployment.id).await.unwrap_or_default();
+      match status.curr.state {
+        DeploymentState::Running => {
+          res.running += 1;
+        }
+        DeploymentState::Unknown => {
+          res.unknown += 1;
+        }
+        DeploymentState::NotDeployed => {
+          res.not_deployed += 1;
+        }
+        _ => {
+          res.stopped += 1;
+        }
+      }
+    }
+    Ok(res)
+  }
+}
+
+impl Resolve<ListCommonDeploymentExtraArgs, User> for State {
+  async fn resolve(
+    &self,
+    ListCommonDeploymentExtraArgs { query }: ListCommonDeploymentExtraArgs,
+    user: User,
+  ) -> anyhow::Result<ListCommonDeploymentExtraArgsResponse> {
+    let deployments =
+      resource::list_full_for_user::<Deployment>(query, &user)
+        .await
+        .context("failed to get resources matching query")?;
+
+    // first collect with guaranteed uniqueness
+    let mut res = HashSet::<String>::new();
+
+    for deployment in deployments {
+      for extra_arg in deployment.config.extra_args {
+        res.insert(extra_arg);
+      }
+    }
+
+    let mut res = res.into_iter().collect::<Vec<_>>();
+    res.sort();
+    Ok(res)
+  }
+}

bin/core/src/api/read/mod.rs

@@ -0,0 +1,244 @@
+use std::time::Instant;
+
+use anyhow::anyhow;
+use axum::{middleware, routing::post, Extension, Router};
+use axum_extra::{headers::ContentType, TypedHeader};
+use monitor_client::{api::read::*, entities::user::User};
+use resolver_api::{derive::Resolver, Resolve, Resolver};
+use serde::{Deserialize, Serialize};
+use serror::Json;
+use typeshare::typeshare;
+use uuid::Uuid;
+
+use crate::{auth::auth_request, config::core_config, state::State};
+
+mod alert;
+mod alerter;
+mod build;
+mod builder;
+mod deployment;
+mod permission;
+mod procedure;
+mod repo;
+mod search;
+mod server;
+mod server_template;
+mod sync;
+mod tag;
+mod toml;
+mod update;
+mod user;
+mod user_group;
+mod variable;
+
+#[typeshare]
+#[derive(Serialize, Deserialize, Debug, Clone, Resolver)]
+#[resolver_target(State)]
+#[resolver_args(User)]
+#[serde(tag = "type", content = "params")]
+enum ReadRequest {
+  GetVersion(GetVersion),
+  GetCoreInfo(GetCoreInfo),
+  GetAvailableAwsEcrLabels(GetAvailableAwsEcrLabels),
+
+  // ==== USER ====
+  ListUsers(ListUsers),
+  GetUsername(GetUsername),
+  ListApiKeys(ListApiKeys),
+  ListApiKeysForServiceUser(ListApiKeysForServiceUser),
+  ListPermissions(ListPermissions),
+  GetPermissionLevel(GetPermissionLevel),
+  ListUserTargetPermissions(ListUserTargetPermissions),
+
+  // ==== USER GROUP ====
+  GetUserGroup(GetUserGroup),
+  ListUserGroups(ListUserGroups),
+
+  // ==== SEARCH ====
+  FindResources(FindResources),
+
+  // ==== PROCEDURE ====
+  GetProceduresSummary(GetProceduresSummary),
+  GetProcedure(GetProcedure),
+  GetProcedureActionState(GetProcedureActionState),
+  ListProcedures(ListProcedures),
+  ListFullProcedures(ListFullProcedures),
+
+  // ==== SERVER TEMPLATE ====
+  GetServerTemplate(GetServerTemplate),
+  ListServerTemplates(ListServerTemplates),
+  ListFullServerTemplates(ListFullServerTemplates),
+  GetServerTemplatesSummary(GetServerTemplatesSummary),
+
+  // ==== SERVER ====
+  GetServersSummary(GetServersSummary),
+  GetServer(GetServer),
+  ListServers(ListServers),
+  ListFullServers(ListFullServers),
+  GetServerState(GetServerState),
+  GetPeripheryVersion(GetPeripheryVersion),
+  GetDockerContainers(GetDockerContainers),
+  GetDockerImages(GetDockerImages),
+  GetDockerNetworks(GetDockerNetworks),
+  GetServerActionState(GetServerActionState),
+  GetHistoricalServerStats(GetHistoricalServerStats),
+  GetAvailableAccounts(GetAvailableAccounts),
+  GetAvailableSecrets(GetAvailableSecrets),
+
+  // ==== DEPLOYMENT ====
+  GetDeploymentsSummary(GetDeploymentsSummary),
+  GetDeployment(GetDeployment),
+  ListDeployments(ListDeployments),
+  ListFullDeployments(ListFullDeployments),
+  GetDeploymentContainer(GetDeploymentContainer),
+  GetDeploymentActionState(GetDeploymentActionState),
+  GetDeploymentStats(GetDeploymentStats),
+  GetLog(GetLog),
+  SearchLog(SearchLog),
+  ListCommonDeploymentExtraArgs(ListCommonDeploymentExtraArgs),
+
+  // ==== BUILD ====
+  GetBuildsSummary(GetBuildsSummary),
+  GetBuild(GetBuild),
+  ListBuilds(ListBuilds),
+  ListFullBuilds(ListFullBuilds),
+  GetBuildActionState(GetBuildActionState),
+  GetBuildMonthlyStats(GetBuildMonthlyStats),
+  GetBuildVersions(GetBuildVersions),
+  ListCommonBuildExtraArgs(ListCommonBuildExtraArgs),
+  #[to_string_resolver]
+  ListGithubOrganizations(ListGithubOrganizations),
+  #[to_string_resolver]
+  ListDockerOrganizations(ListDockerOrganizations),
+
+  // ==== REPO ====
+  GetReposSummary(GetReposSummary),
+  GetRepo(GetRepo),
+  ListRepos(ListRepos),
+  ListFullRepos(ListFullRepos),
+  GetRepoActionState(GetRepoActionState),
+
+  // ==== SYNC ====
+  GetResourceSyncsSummary(GetResourceSyncsSummary),
+  GetResourceSync(GetResourceSync),
+  ListResourceSyncs(ListResourceSyncs),
+  ListFullResourceSyncs(ListFullResourceSyncs),
+  GetResourceSyncActionState(GetResourceSyncActionState),
+
+  // ==== BUILDER ====
+  GetBuildersSummary(GetBuildersSummary),
+  GetBuilder(GetBuilder),
+  ListBuilders(ListBuilders),
+  ListFullBuilders(ListFullBuilders),
+  GetBuilderAvailableAccounts(GetBuilderAvailableAccounts),
+
+  // ==== ALERTER ====
+  GetAlertersSummary(GetAlertersSummary),
+  GetAlerter(GetAlerter),
+  ListAlerters(ListAlerters),
+  ListFullAlerters(ListFullAlerters),
+
+  // ==== TOML ====
+  ExportAllResourcesToToml(ExportAllResourcesToToml),
+  ExportResourcesToToml(ExportResourcesToToml),
+
+  // ==== TAG ====
+  GetTag(GetTag),
+  ListTags(ListTags),
+
+  // ==== UPDATE ====
+  GetUpdate(GetUpdate),
+  ListUpdates(ListUpdates),
+
+  // ==== ALERT ====
+  ListAlerts(ListAlerts),
+  GetAlert(GetAlert),
+
+  // ==== SERVER STATS ====
+  #[to_string_resolver]
+  GetSystemInformation(GetSystemInformation),
+  #[to_string_resolver]
+  GetSystemStats(GetSystemStats),
+  #[to_string_resolver]
+  GetSystemProcesses(GetSystemProcesses),
+
+  // ==== VARIABLE ====
+  GetVariable(GetVariable),
+  ListVariables(ListVariables),
+}
+
+pub fn router() -> Router {
+  Router::new()
+    .route("/", post(handler))
+    .layer(middleware::from_fn(auth_request))
+}
+
+#[instrument(name = "ReadHandler", level = "debug", skip(user), fields(user_id = user.id))]
+async fn handler(
+  Extension(user): Extension<User>,
+  Json(request): Json<ReadRequest>,
+) -> serror::Result<(TypedHeader<ContentType>, String)> {
+  let timer = Instant::now();
+  let req_id = Uuid::new_v4();
+  debug!("/read request | user: {}", user.username);
+  let res =
+    State
+      .resolve_request(request, user)
+      .await
+      .map_err(|e| match e {
+        resolver_api::Error::Serialization(e) => {
+          anyhow!("{e:?}").context("response serialization error")
+        }
+        resolver_api::Error::Inner(e) => e,
+      });
+  if let Err(e) = &res {
+    debug!("/read request {req_id} error: {e:#}");
+  }
+  let elapsed = timer.elapsed();
+  debug!("/read request {req_id} | resolve time: {elapsed:?}");
+  Ok((TypedHeader(ContentType::json()), res?))
+}
+
+impl Resolve<GetVersion, User> for State {
+  #[instrument(name = "GetVersion", level = "debug", skip(self))]
+  async fn resolve(
+    &self,
+    GetVersion {}: GetVersion,
+    _: User,
+  ) -> anyhow::Result<GetVersionResponse> {
+    Ok(GetVersionResponse {
+      version: env!("CARGO_PKG_VERSION").to_string(),
+    })
+  }
+}
+
+impl Resolve<GetCoreInfo, User> for State {
+  #[instrument(name = "GetCoreInfo", level = "debug", skip(self))]
+  async fn resolve(
+    &self,
+    GetCoreInfo {}: GetCoreInfo,
+    _: User,
+  ) -> anyhow::Result<GetCoreInfoResponse> {
+    let config = core_config();
+    Ok(GetCoreInfoResponse {
+      title: config.title.clone(),
+      monitoring_interval: config.monitoring_interval,
+      github_webhook_base_url: config
+        .github_webhook_base_url
+        .clone()
+        .unwrap_or_else(|| config.host.clone()),
+      transparent_mode: config.transparent_mode,
+      ui_write_disabled: config.ui_write_disabled,
+    })
+  }
+}
+
+impl Resolve<GetAvailableAwsEcrLabels, User> for State {
+  async fn resolve(
+    &self,
+    GetAvailableAwsEcrLabels {}: GetAvailableAwsEcrLabels,
+    _: User,
+  ) -> anyhow::Result<GetAvailableAwsEcrLabelsResponse> {
+    Ok(core_config().aws_ecr_registries.keys().cloned().collect())
+  }
+}

bin/core/src/api/read/permission.rs

@@ -0,0 +1,72 @@
+use anyhow::{anyhow, Context};
+use monitor_client::{
+  api::read::{
+    GetPermissionLevel, GetPermissionLevelResponse, ListPermissions,
+    ListPermissionsResponse, ListUserTargetPermissions,
+    ListUserTargetPermissionsResponse,
+  },
+  entities::{permission::PermissionLevel, user::User},
+};
+use mungos::{find::find_collect, mongodb::bson::doc};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::query::get_user_permission_on_resource,
+  state::{db_client, State},
+};
+
+impl Resolve<ListPermissions, User> for State {
+  async fn resolve(
+    &self,
+    ListPermissions {}: ListPermissions,
+    user: User,
+  ) -> anyhow::Result<ListPermissionsResponse> {
+    find_collect(
+      &db_client().await.permissions,
+      doc! {
+        "user_target.type": "User",
+        "user_target.id": &user.id
+      },
+      None,
+    )
+    .await
+    .context("failed to query db for permissions")
+  }
+}
+
+impl Resolve<GetPermissionLevel, User> for State {
+  async fn resolve(
+    &self,
+    GetPermissionLevel { target }: GetPermissionLevel,
+    user: User,
+  ) -> anyhow::Result<GetPermissionLevelResponse> {
+    if user.admin {
+      return Ok(PermissionLevel::Write);
+    }
+    let (variant, id) = target.extract_variant_id();
+    get_user_permission_on_resource(&user.id, variant, id).await
+  }
+}
+
+impl Resolve<ListUserTargetPermissions, User> for State {
+  async fn resolve(
+    &self,
+    ListUserTargetPermissions { user_target }: ListUserTargetPermissions,
+    user: User,
+  ) -> anyhow::Result<ListUserTargetPermissionsResponse> {
+    if !user.admin {
+      return Err(anyhow!("this method is admin only"));
+    }
+    let (variant, id) = user_target.extract_variant_id();
+    find_collect(
+      &db_client().await.permissions,
+      doc! {
+        "user_target.type": variant.as_ref(),
+        "user_target.id": id
+      },
+      None,
+    )
+    .await
+    .context("failed to query db for permissions")
+  }
+}

bin/core/src/api/read/procedure.rs

@@ -0,0 +1,117 @@
+use anyhow::Context;
+use monitor_client::{
+  api::read::*,
+  entities::{
+    permission::PermissionLevel,
+    procedure::{Procedure, ProcedureState},
+    user::User,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  resource,
+  state::{action_states, procedure_state_cache, State},
+};
+
+impl Resolve<GetProcedure, User> for State {
+  async fn resolve(
+    &self,
+    GetProcedure { procedure }: GetProcedure,
+    user: User,
+  ) -> anyhow::Result<GetProcedureResponse> {
+    resource::get_check_permissions::<Procedure>(
+      &procedure,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await
+  }
+}
+
+impl Resolve<ListProcedures, User> for State {
+  async fn resolve(
+    &self,
+    ListProcedures { query }: ListProcedures,
+    user: User,
+  ) -> anyhow::Result<ListProceduresResponse> {
+    resource::list_for_user::<Procedure>(query, &user).await
+  }
+}
+
+impl Resolve<ListFullProcedures, User> for State {
+  async fn resolve(
+    &self,
+    ListFullProcedures { query }: ListFullProcedures,
+    user: User,
+  ) -> anyhow::Result<ListFullProceduresResponse> {
+    resource::list_full_for_user::<Procedure>(query, &user).await
+  }
+}
+
+impl Resolve<GetProceduresSummary, User> for State {
+  async fn resolve(
+    &self,
+    GetProceduresSummary {}: GetProceduresSummary,
+    user: User,
+  ) -> anyhow::Result<GetProceduresSummaryResponse> {
+    let procedures = resource::list_full_for_user::<Procedure>(
+      Default::default(),
+      &user,
+    )
+    .await
+    .context("failed to get procedures from db")?;
+
+    let mut res = GetProceduresSummaryResponse::default();
+
+    let cache = procedure_state_cache();
+    let action_states = action_states();
+
+    for procedure in procedures {
+      res.total += 1;
+
+      match (
+        cache.get(&procedure.id).await.unwrap_or_default(),
+        action_states
+          .procedure
+          .get(&procedure.id)
+          .await
+          .unwrap_or_default()
+          .get()?,
+      ) {
+        (_, action_states) if action_states.running => {
+          res.running += 1;
+        }
+        (ProcedureState::Ok, _) => res.ok += 1,
+        (ProcedureState::Failed, _) => res.failed += 1,
+        (ProcedureState::Unknown, _) => res.unknown += 1,
+        // will never come off the cache in the running state, since that comes from action states
+        (ProcedureState::Running, _) => unreachable!(),
+      }
+    }
+
+    Ok(res)
+  }
+}
+
+impl Resolve<GetProcedureActionState, User> for State {
+  async fn resolve(
+    &self,
+    GetProcedureActionState { procedure }: GetProcedureActionState,
+    user: User,
+  ) -> anyhow::Result<GetProcedureActionStateResponse> {
+    let procedure = resource::get_check_permissions::<Procedure>(
+      &procedure,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let action_state = action_states()
+      .procedure
+      .get(&procedure.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}

bin/core/src/api/read/repo.rs

@@ -0,0 +1,120 @@
+use anyhow::Context;
+use monitor_client::{
+  api::read::*,
+  entities::{
+    permission::PermissionLevel,
+    repo::{Repo, RepoActionState, RepoListItem, RepoState},
+    user::User,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  resource,
+  state::{action_states, repo_state_cache, State},
+};
+
+impl Resolve<GetRepo, User> for State {
+  async fn resolve(
+    &self,
+    GetRepo { repo }: GetRepo,
+    user: User,
+  ) -> anyhow::Result<Repo> {
+    resource::get_check_permissions::<Repo>(
+      &repo,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await
+  }
+}
+
+impl Resolve<ListRepos, User> for State {
+  async fn resolve(
+    &self,
+    ListRepos { query }: ListRepos,
+    user: User,
+  ) -> anyhow::Result<Vec<RepoListItem>> {
+    resource::list_for_user::<Repo>(query, &user).await
+  }
+}
+
+impl Resolve<ListFullRepos, User> for State {
+  async fn resolve(
+    &self,
+    ListFullRepos { query }: ListFullRepos,
+    user: User,
+  ) -> anyhow::Result<ListFullReposResponse> {
+    resource::list_full_for_user::<Repo>(query, &user).await
+  }
+}
+
+impl Resolve<GetRepoActionState, User> for State {
+  async fn resolve(
+    &self,
+    GetRepoActionState { repo }: GetRepoActionState,
+    user: User,
+  ) -> anyhow::Result<RepoActionState> {
+    let repo = resource::get_check_permissions::<Repo>(
+      &repo,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let action_state = action_states()
+      .repo
+      .get(&repo.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<GetReposSummary, User> for State {
+  async fn resolve(
+    &self,
+    GetReposSummary {}: GetReposSummary,
+    user: User,
+  ) -> anyhow::Result<GetReposSummaryResponse> {
+    let repos =
+      resource::list_full_for_user::<Repo>(Default::default(), &user)
+        .await
+        .context("failed to get repos from db")?;
+
+    let mut res = GetReposSummaryResponse::default();
+
+    let cache = repo_state_cache();
+    let action_states = action_states();
+
+    for repo in repos {
+      res.total += 1;
+
+      match (
+        cache.get(&repo.id).await.unwrap_or_default(),
+        action_states
+          .repo
+          .get(&repo.id)
+          .await
+          .unwrap_or_default()
+          .get()?,
+      ) {
+        (_, action_states) if action_states.cloning => {
+          res.cloning += 1;
+        }
+        (_, action_states) if action_states.pulling => {
+          res.pulling += 1;
+        }
+        (RepoState::Ok, _) => res.ok += 1,
+        (RepoState::Failed, _) => res.failed += 1,
+        (RepoState::Unknown, _) => res.unknown += 1,
+        // will never come off the cache in the building state, since that comes from action states
+        (RepoState::Cloning, _) | (RepoState::Pulling, _) => {
+          unreachable!()
+        }
+      }
+    }
+
+    Ok(res)
+  }
+}

bin/core/src/api/read/search.rs

@@ -0,0 +1,83 @@
+use monitor_client::{
+  api::read::{FindResources, FindResourcesResponse},
+  entities::{
+    build::Build, deployment::Deployment, procedure::Procedure,
+    repo::Repo, server::Server, update::ResourceTargetVariant,
+    user::User,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{resource, state::State};
+
+const FIND_RESOURCE_TYPES: [ResourceTargetVariant; 5] = [
+  ResourceTargetVariant::Server,
+  ResourceTargetVariant::Build,
+  ResourceTargetVariant::Deployment,
+  ResourceTargetVariant::Repo,
+  ResourceTargetVariant::Procedure,
+];
+
+impl Resolve<FindResources, User> for State {
+  async fn resolve(
+    &self,
+    FindResources { query, resources }: FindResources,
+    user: User,
+  ) -> anyhow::Result<FindResourcesResponse> {
+    let mut res = FindResourcesResponse::default();
+    let resource_types = if resources.is_empty() {
+      FIND_RESOURCE_TYPES.to_vec()
+    } else {
+      resources
+        .into_iter()
+        .filter(|r| {
+          !matches!(
+            r,
+            ResourceTargetVariant::System
+              | ResourceTargetVariant::Builder
+              | ResourceTargetVariant::Alerter
+          )
+        })
+        .collect()
+    };
+    for resource_type in resource_types {
+      match resource_type {
+        ResourceTargetVariant::Server => {
+          res.servers = resource::list_for_user_using_document::<
+            Server,
+          >(query.clone(), &user)
+          .await?;
+        }
+        ResourceTargetVariant::Deployment => {
+          res.deployments = resource::list_for_user_using_document::<
+            Deployment,
+          >(query.clone(), &user)
+          .await?;
+        }
+        ResourceTargetVariant::Build => {
+          res.builds =
+            resource::list_for_user_using_document::<Build>(
+              query.clone(),
+              &user,
+            )
+            .await?;
+        }
+        ResourceTargetVariant::Repo => {
+          res.repos = resource::list_for_user_using_document::<Repo>(
+            query.clone(),
+            &user,
+          )
+          .await?;
+        }
+        ResourceTargetVariant::Procedure => {
+          res.procedures = resource::list_for_user_using_document::<
+            Procedure,
+          >(query.clone(), &user)
+          .await?;
+        }
+        _ => {}
+      }
+    }
+    Ok(res)
+  }
+}

bin/core/src/api/read/server.rs

@@ -0,0 +1,451 @@
+use std::{
+  collections::{HashMap, HashSet},
+  sync::{Arc, OnceLock},
+};
+
+use anyhow::{anyhow, Context};
+use async_timing_util::{
+  get_timelength_in_ms, unix_timestamp_ms, FIFTEEN_SECONDS_MS,
+};
+use monitor_client::{
+  api::read::*,
+  entities::{
+    deployment::ContainerSummary,
+    permission::PermissionLevel,
+    server::{
+      docker_image::ImageSummary, docker_network::DockerNetwork,
+      Server, ServerActionState, ServerListItem, ServerState,
+    },
+    user::User,
+  },
+};
+use mungos::{
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
+use periphery_client::api::{self, GetAccountsResponse};
+use resolver_api::{Resolve, ResolveToString};
+use tokio::sync::Mutex;
+
+use crate::{
+  config::core_config,
+  helpers::periphery_client,
+  resource,
+  state::{action_states, db_client, server_status_cache, State},
+};
+
+impl Resolve<GetServersSummary, User> for State {
+  async fn resolve(
+    &self,
+    GetServersSummary {}: GetServersSummary,
+    user: User,
+  ) -> anyhow::Result<GetServersSummaryResponse> {
+    let servers =
+      resource::list_for_user::<Server>(Default::default(), &user)
+        .await?;
+    let mut res = GetServersSummaryResponse::default();
+    for server in servers {
+      res.total += 1;
+      match server.info.state {
+        ServerState::Ok => {
+          res.healthy += 1;
+        }
+        ServerState::NotOk => {
+          res.unhealthy += 1;
+        }
+        ServerState::Disabled => {
+          res.disabled += 1;
+        }
+      }
+    }
+    Ok(res)
+  }
+}
+
+impl Resolve<GetPeripheryVersion, User> for State {
+  async fn resolve(
+    &self,
+    req: GetPeripheryVersion,
+    user: User,
+  ) -> anyhow::Result<GetPeripheryVersionResponse> {
+    let server = resource::get_check_permissions::<Server>(
+      &req.server,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let version = server_status_cache()
+      .get(&server.id)
+      .await
+      .map(|s| s.version.clone())
+      .unwrap_or(String::from("unknown"));
+    Ok(GetPeripheryVersionResponse { version })
+  }
+}
+
+impl Resolve<GetServer, User> for State {
+  async fn resolve(
+    &self,
+    req: GetServer,
+    user: User,
+  ) -> anyhow::Result<Server> {
+    resource::get_check_permissions::<Server>(
+      &req.server,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await
+  }
+}
+
+impl Resolve<ListServers, User> for State {
+  async fn resolve(
+    &self,
+    ListServers { query }: ListServers,
+    user: User,
+  ) -> anyhow::Result<Vec<ServerListItem>> {
+    resource::list_for_user::<Server>(query, &user).await
+  }
+}
+
+impl Resolve<ListFullServers, User> for State {
+  async fn resolve(
+    &self,
+    ListFullServers { query }: ListFullServers,
+    user: User,
+  ) -> anyhow::Result<ListFullServersResponse> {
+    resource::list_full_for_user::<Server>(query, &user).await
+  }
+}
+
+impl Resolve<GetServerState, User> for State {
+  async fn resolve(
+    &self,
+    GetServerState { server }: GetServerState,
+    user: User,
+  ) -> anyhow::Result<GetServerStateResponse> {
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let status = server_status_cache()
+      .get(&server.id)
+      .await
+      .ok_or(anyhow!("did not find cached status for server"))?;
+    let response = GetServerStateResponse {
+      status: status.state,
+    };
+    Ok(response)
+  }
+}
+
+impl Resolve<GetServerActionState, User> for State {
+  async fn resolve(
+    &self,
+    GetServerActionState { server }: GetServerActionState,
+    user: User,
+  ) -> anyhow::Result<ServerActionState> {
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let action_state = action_states()
+      .server
+      .get(&server.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+// This protects the peripheries from spam requests
+const SYSTEM_INFO_EXPIRY: u128 = FIFTEEN_SECONDS_MS;
+type SystemInfoCache = Mutex<HashMap<String, Arc<(String, u128)>>>;
+fn system_info_cache() -> &'static SystemInfoCache {
+  static SYSTEM_INFO_CACHE: OnceLock<SystemInfoCache> =
+    OnceLock::new();
+  SYSTEM_INFO_CACHE.get_or_init(Default::default)
+}
+
+impl ResolveToString<GetSystemInformation, User> for State {
+  async fn resolve_to_string(
+    &self,
+    GetSystemInformation { server }: GetSystemInformation,
+    user: User,
+  ) -> anyhow::Result<String> {
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+
+    let mut lock = system_info_cache().lock().await;
+    let res = match lock.get(&server.id) {
+      Some(cached) if cached.1 > unix_timestamp_ms() => {
+        cached.0.clone()
+      }
+      _ => {
+        let stats = periphery_client(&server)?
+          .request(api::stats::GetSystemInformation {})
+          .await?;
+        let res = serde_json::to_string(&stats)?;
+        lock.insert(
+          server.id,
+          (res.clone(), unix_timestamp_ms() + SYSTEM_INFO_EXPIRY)
+            .into(),
+        );
+        res
+      }
+    };
+    Ok(res)
+  }
+}
+
+impl ResolveToString<GetSystemStats, User> for State {
+  async fn resolve_to_string(
+    &self,
+    GetSystemStats { server }: GetSystemStats,
+    user: User,
+  ) -> anyhow::Result<String> {
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let status =
+      server_status_cache().get(&server.id).await.with_context(
+        || format!("did not find status for server at {}", server.id),
+      )?;
+    let stats = status
+      .stats
+      .as_ref()
+      .context("server stats not available")?;
+    let stats = serde_json::to_string(&stats)?;
+    Ok(stats)
+  }
+}
+
+// This protects the peripheries from spam requests
+const PROCESSES_EXPIRY: u128 = FIFTEEN_SECONDS_MS;
+type ProcessesCache = Mutex<HashMap<String, Arc<(String, u128)>>>;
+fn processes_cache() -> &'static ProcessesCache {
+  static PROCESSES_CACHE: OnceLock<ProcessesCache> = OnceLock::new();
+  PROCESSES_CACHE.get_or_init(Default::default)
+}
+
+impl ResolveToString<GetSystemProcesses, User> for State {
+  async fn resolve_to_string(
+    &self,
+    GetSystemProcesses { server }: GetSystemProcesses,
+    user: User,
+  ) -> anyhow::Result<String> {
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let mut lock = processes_cache().lock().await;
+    let res = match lock.get(&server.id) {
+      Some(cached) if cached.1 > unix_timestamp_ms() => {
+        cached.0.clone()
+      }
+      _ => {
+        let stats = periphery_client(&server)?
+          .request(api::stats::GetSystemProcesses {})
+          .await?;
+        let res = serde_json::to_string(&stats)?;
+        lock.insert(
+          server.id,
+          (res.clone(), unix_timestamp_ms() + PROCESSES_EXPIRY)
+            .into(),
+        );
+        res
+      }
+    };
+    Ok(res)
+  }
+}
+
+const STATS_PER_PAGE: i64 = 500;
+
+impl Resolve<GetHistoricalServerStats, User> for State {
+  async fn resolve(
+    &self,
+    GetHistoricalServerStats {
+      server,
+      granularity,
+      page,
+    }: GetHistoricalServerStats,
+    user: User,
+  ) -> anyhow::Result<GetHistoricalServerStatsResponse> {
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let granularity =
+      get_timelength_in_ms(granularity.to_string().parse().unwrap())
+        as i64;
+    let mut ts_vec = Vec::<i64>::new();
+    let curr_ts = unix_timestamp_ms() as i64;
+    let mut curr_ts = curr_ts
+      - curr_ts % granularity
+      - granularity * STATS_PER_PAGE * page as i64;
+    for _ in 0..STATS_PER_PAGE {
+      ts_vec.push(curr_ts);
+      curr_ts -= granularity;
+    }
+
+    let stats = find_collect(
+      &db_client().await.stats,
+      doc! {
+        "sid": server.id,
+        "ts": { "$in": ts_vec },
+      },
+      FindOptions::builder()
+        .sort(doc! { "ts": -1 })
+        .skip(page as u64 * STATS_PER_PAGE as u64)
+        .limit(STATS_PER_PAGE)
+        .build(),
+    )
+    .await
+    .context("failed to pull stats from db")?;
+    let next_page = if stats.len() == STATS_PER_PAGE as usize {
+      Some(page + 1)
+    } else {
+      None
+    };
+    let res = GetHistoricalServerStatsResponse { stats, next_page };
+    Ok(res)
+  }
+}
+
+impl Resolve<GetDockerImages, User> for State {
+  async fn resolve(
+    &self,
+    GetDockerImages { server }: GetDockerImages,
+    user: User,
+  ) -> anyhow::Result<Vec<ImageSummary>> {
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    periphery_client(&server)?
+      .request(api::build::GetImageList {})
+      .await
+  }
+}
+
+impl Resolve<GetDockerNetworks, User> for State {
+  async fn resolve(
+    &self,
+    GetDockerNetworks { server }: GetDockerNetworks,
+    user: User,
+  ) -> anyhow::Result<Vec<DockerNetwork>> {
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    periphery_client(&server)?
+      .request(api::network::GetNetworkList {})
+      .await
+  }
+}
+
+impl Resolve<GetDockerContainers, User> for State {
+  async fn resolve(
+    &self,
+    GetDockerContainers { server }: GetDockerContainers,
+    user: User,
+  ) -> anyhow::Result<Vec<ContainerSummary>> {
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    periphery_client(&server)?
+      .request(api::container::GetContainerList {})
+      .await
+  }
+}
+
+impl Resolve<GetAvailableAccounts, User> for State {
+  async fn resolve(
+    &self,
+    GetAvailableAccounts { server }: GetAvailableAccounts,
+    user: User,
+  ) -> anyhow::Result<GetAvailableAccountsResponse> {
+    let (github, docker) = match server {
+      Some(server) => {
+        let server = resource::get_check_permissions::<Server>(
+          &server,
+          &user,
+          PermissionLevel::Read,
+        )
+        .await?;
+
+        let GetAccountsResponse { github, docker } =
+          periphery_client(&server)?
+            .request(api::GetAccounts {})
+            .await
+            .context("failed to get accounts from periphery")?;
+        (github, docker)
+      }
+      None => Default::default(),
+    };
+
+    let mut github_set = HashSet::<String>::new();
+
+    github_set.extend(core_config().github_accounts.keys().cloned());
+    github_set.extend(github);
+
+    let mut github = github_set.into_iter().collect::<Vec<_>>();
+    github.sort();
+
+    let mut docker_set = HashSet::<String>::new();
+
+    docker_set.extend(core_config().docker_accounts.keys().cloned());
+    docker_set.extend(docker);
+
+    let mut docker = docker_set.into_iter().collect::<Vec<_>>();
+    docker.sort();
+
+    let res = GetAvailableAccountsResponse { github, docker };
+    Ok(res)
+  }
+}
+
+impl Resolve<GetAvailableSecrets, User> for State {
+  async fn resolve(
+    &self,
+    GetAvailableSecrets { server }: GetAvailableSecrets,
+    user: User,
+  ) -> anyhow::Result<GetAvailableSecretsResponse> {
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let mut secrets = periphery_client(&server)?
+      .request(api::GetSecrets {})
+      .await
+      .context("failed to get accounts from periphery")?;
+    secrets.sort();
+    Ok(secrets)
+  }
+}

bin/core/src/api/read/server_template.rs

@@ -0,0 +1,88 @@
+use std::str::FromStr;
+
+use anyhow::Context;
+use monitor_client::{
+  api::read::*,
+  entities::{
+    permission::PermissionLevel, server_template::ServerTemplate,
+    update::ResourceTargetVariant, user::User,
+  },
+};
+use mungos::mongodb::bson::{doc, oid::ObjectId};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::query::get_resource_ids_for_non_admin,
+  resource,
+  state::{db_client, State},
+};
+
+impl Resolve<GetServerTemplate, User> for State {
+  async fn resolve(
+    &self,
+    GetServerTemplate { server_template }: GetServerTemplate,
+    user: User,
+  ) -> anyhow::Result<GetServerTemplateResponse> {
+    resource::get_check_permissions::<ServerTemplate>(
+      &server_template,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await
+  }
+}
+
+impl Resolve<ListServerTemplates, User> for State {
+  async fn resolve(
+    &self,
+    ListServerTemplates { query }: ListServerTemplates,
+    user: User,
+  ) -> anyhow::Result<ListServerTemplatesResponse> {
+    resource::list_for_user::<ServerTemplate>(query, &user).await
+  }
+}
+
+impl Resolve<ListFullServerTemplates, User> for State {
+  async fn resolve(
+    &self,
+    ListFullServerTemplates { query }: ListFullServerTemplates,
+    user: User,
+  ) -> anyhow::Result<ListFullServerTemplatesResponse> {
+    resource::list_full_for_user::<ServerTemplate>(query, &user).await
+  }
+}
+
+impl Resolve<GetServerTemplatesSummary, User> for State {
+  async fn resolve(
+    &self,
+    GetServerTemplatesSummary {}: GetServerTemplatesSummary,
+    user: User,
+  ) -> anyhow::Result<GetServerTemplatesSummaryResponse> {
+    let query = if user.admin {
+      None
+    } else {
+      let ids = get_resource_ids_for_non_admin(
+        &user.id,
+        ResourceTargetVariant::ServerTemplate,
+      )
+      .await?
+      .into_iter()
+      .flat_map(|id| ObjectId::from_str(&id))
+      .collect::<Vec<_>>();
+      let query = doc! {
+        "_id": { "$in": ids }
+      };
+      Some(query)
+    };
+    let total = db_client()
+      .await
+      .server_templates
+      .count_documents(query, None)
+      .await
+      .context("failed to count all server template documents")?;
+    let res = GetServerTemplatesSummaryResponse {
+      total: total as u32,
+    };
+    Ok(res)
+  }
+}

bin/core/src/api/read/sync.rs

@@ -0,0 +1,139 @@
+use anyhow::Context;
+use monitor_client::{
+  api::read::*,
+  entities::{
+    permission::PermissionLevel,
+    sync::{
+      PendingSyncUpdatesData, ResourceSync, ResourceSyncActionState,
+      ResourceSyncListItem, ResourceSyncState,
+    },
+    user::User,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  resource,
+  state::{action_states, resource_sync_state_cache, State},
+};
+
+impl Resolve<GetResourceSync, User> for State {
+  async fn resolve(
+    &self,
+    GetResourceSync { sync }: GetResourceSync,
+    user: User,
+  ) -> anyhow::Result<ResourceSync> {
+    resource::get_check_permissions::<ResourceSync>(
+      &sync,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await
+  }
+}
+
+impl Resolve<ListResourceSyncs, User> for State {
+  async fn resolve(
+    &self,
+    ListResourceSyncs { query }: ListResourceSyncs,
+    user: User,
+  ) -> anyhow::Result<Vec<ResourceSyncListItem>> {
+    resource::list_for_user::<ResourceSync>(query, &user).await
+  }
+}
+
+impl Resolve<ListFullResourceSyncs, User> for State {
+  async fn resolve(
+    &self,
+    ListFullResourceSyncs { query }: ListFullResourceSyncs,
+    user: User,
+  ) -> anyhow::Result<ListFullResourceSyncsResponse> {
+    resource::list_full_for_user::<ResourceSync>(query, &user).await
+  }
+}
+
+impl Resolve<GetResourceSyncActionState, User> for State {
+  async fn resolve(
+    &self,
+    GetResourceSyncActionState { sync }: GetResourceSyncActionState,
+    user: User,
+  ) -> anyhow::Result<ResourceSyncActionState> {
+    let sync = resource::get_check_permissions::<ResourceSync>(
+      &sync,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let action_state = action_states()
+      .resource_sync
+      .get(&sync.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<GetResourceSyncsSummary, User> for State {
+  async fn resolve(
+    &self,
+    GetResourceSyncsSummary {}: GetResourceSyncsSummary,
+    user: User,
+  ) -> anyhow::Result<GetResourceSyncsSummaryResponse> {
+    let resource_syncs =
+      resource::list_full_for_user::<ResourceSync>(
+        Default::default(),
+        &user,
+      )
+      .await
+      .context("failed to get resource_syncs from db")?;
+
+    let mut res = GetResourceSyncsSummaryResponse::default();
+
+    let cache = resource_sync_state_cache();
+    let action_states = action_states();
+
+    for resource_sync in resource_syncs {
+      res.total += 1;
+
+      match resource_sync.info.pending.data {
+        PendingSyncUpdatesData::Ok(data) => {
+          if !data.no_updates() {
+            res.pending += 1;
+            continue;
+          }
+        }
+        PendingSyncUpdatesData::Err(_) => {
+          res.failed += 1;
+          continue;
+        }
+      }
+
+      match (
+        cache.get(&resource_sync.id).await.unwrap_or_default(),
+        action_states
+          .resource_sync
+          .get(&resource_sync.id)
+          .await
+          .unwrap_or_default()
+          .get()?,
+      ) {
+        (_, action_states) if action_states.syncing => {
+          res.syncing += 1;
+        }
+        (ResourceSyncState::Ok, _) => res.ok += 1,
+        (ResourceSyncState::Failed, _) => res.failed += 1,
+        (ResourceSyncState::Unknown, _) => res.unknown += 1,
+        // will never come off the cache in the building state, since that comes from action states
+        (ResourceSyncState::Syncing, _) => {
+          unreachable!()
+        }
+        (ResourceSyncState::Pending, _) => {
+          unreachable!()
+        }
+      }
+    }
+
+    Ok(res)
+  }
+}

bin/core/src/api/read/tag.rs

@@ -0,0 +1,39 @@
+use anyhow::Context;
+use mongo_indexed::doc;
+use monitor_client::{
+  api::read::{GetTag, ListTags},
+  entities::{tag::Tag, user::User},
+};
+use mungos::{find::find_collect, mongodb::options::FindOptions};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::query::get_tag,
+  state::{db_client, State},
+};
+
+impl Resolve<GetTag, User> for State {
+  async fn resolve(
+    &self,
+    GetTag { tag }: GetTag,
+    _: User,
+  ) -> anyhow::Result<Tag> {
+    get_tag(&tag).await
+  }
+}
+
+impl Resolve<ListTags, User> for State {
+  async fn resolve(
+    &self,
+    ListTags { query }: ListTags,
+    _: User,
+  ) -> anyhow::Result<Vec<Tag>> {
+    find_collect(
+      &db_client().await.tags,
+      query,
+      FindOptions::builder().sort(doc! { "name": 1 }).build(),
+    )
+    .await
+    .context("failed to get tags from db")
+  }
+}

bin/core/src/api/read/toml.rs

@@ -0,0 +1,789 @@
+use std::collections::HashMap;
+
+use anyhow::Context;
+use monitor_client::{
+  api::{
+    execute::Execution,
+    read::{
+      ExportAllResourcesToToml, ExportAllResourcesToTomlResponse,
+      ExportResourcesToToml, ExportResourcesToTomlResponse,
+      GetUserGroup, ListUserTargetPermissions,
+    },
+  },
+  entities::{
+    alerter::Alerter,
+    build::Build,
+    builder::{Builder, BuilderConfig},
+    deployment::{
+      conversions_to_string, term_signal_labels_to_string,
+      Deployment, DeploymentImage,
+    },
+    environment_vars_to_string,
+    permission::{PermissionLevel, UserTarget},
+    procedure::Procedure,
+    repo::Repo,
+    resource::{Resource, ResourceQuery},
+    server::Server,
+    server_template::ServerTemplate,
+    sync::ResourceSync,
+    toml::{
+      PermissionToml, ResourceToml, ResourcesToml, UserGroupToml,
+    },
+    update::ResourceTarget,
+    user::User,
+  },
+};
+use mungos::find::find_collect;
+use ordered_hash_map::OrderedHashMap;
+use partial_derive2::PartialDiff;
+use resolver_api::Resolve;
+use serde_json::Value;
+
+use crate::{
+  helpers::query::get_user_user_group_ids,
+  resource::{self, MonitorResource},
+  state::{db_client, State},
+};
+
+impl Resolve<ExportAllResourcesToToml, User> for State {
+  async fn resolve(
+    &self,
+    ExportAllResourcesToToml { tags }: ExportAllResourcesToToml,
+    user: User,
+  ) -> anyhow::Result<ExportAllResourcesToTomlResponse> {
+    let mut targets = Vec::<ResourceTarget>::new();
+
+    targets.extend(
+      resource::list_for_user::<Alerter>(
+        ResourceQuery::builder().tags(tags.clone()).build(),
+        &user,
+      )
+      .await?
+      .into_iter()
+      .map(|resource| ResourceTarget::Alerter(resource.id)),
+    );
+    targets.extend(
+      resource::list_for_user::<Builder>(
+        ResourceQuery::builder().tags(tags.clone()).build(),
+        &user,
+      )
+      .await?
+      .into_iter()
+      .map(|resource| ResourceTarget::Builder(resource.id)),
+    );
+    targets.extend(
+      resource::list_for_user::<Server>(
+        ResourceQuery::builder().tags(tags.clone()).build(),
+        &user,
+      )
+      .await?
+      .into_iter()
+      .map(|resource| ResourceTarget::Server(resource.id)),
+    );
+    targets.extend(
+      resource::list_for_user::<Deployment>(
+        ResourceQuery::builder().tags(tags.clone()).build(),
+        &user,
+      )
+      .await?
+      .into_iter()
+      .map(|resource| ResourceTarget::Deployment(resource.id)),
+    );
+    targets.extend(
+      resource::list_for_user::<Build>(
+        ResourceQuery::builder().tags(tags.clone()).build(),
+        &user,
+      )
+      .await?
+      .into_iter()
+      .map(|resource| ResourceTarget::Build(resource.id)),
+    );
+    targets.extend(
+      resource::list_for_user::<Repo>(
+        ResourceQuery::builder().tags(tags.clone()).build(),
+        &user,
+      )
+      .await?
+      .into_iter()
+      .map(|resource| ResourceTarget::Repo(resource.id)),
+    );
+    targets.extend(
+      resource::list_for_user::<Procedure>(
+        ResourceQuery::builder().tags(tags.clone()).build(),
+        &user,
+      )
+      .await?
+      .into_iter()
+      .map(|resource| ResourceTarget::Procedure(resource.id)),
+    );
+    targets.extend(
+      resource::list_for_user::<ServerTemplate>(
+        ResourceQuery::builder().tags(tags.clone()).build(),
+        &user,
+      )
+      .await?
+      .into_iter()
+      .map(|resource| ResourceTarget::ServerTemplate(resource.id)),
+    );
+    targets.extend(
+      resource::list_for_user::<ResourceSync>(
+        ResourceQuery::builder().tags(tags).build(),
+        &user,
+      )
+      .await?
+      .into_iter()
+      .map(|resource| ResourceTarget::ResourceSync(resource.id)),
+    );
+
+    let user_groups = if user.admin {
+      find_collect(&db_client().await.user_groups, None, None)
+        .await
+        .context("failed to query db for user groups")?
+        .into_iter()
+        .map(|user_group| user_group.id)
+        .collect()
+    } else {
+      get_user_user_group_ids(&user.id).await?
+    };
+
+    self
+      .resolve(
+        ExportResourcesToToml {
+          targets,
+          user_groups,
+          include_variables: true,
+        },
+        user,
+      )
+      .await
+  }
+}
+
+impl Resolve<ExportResourcesToToml, User> for State {
+  async fn resolve(
+    &self,
+    ExportResourcesToToml {
+      targets,
+      user_groups,
+      include_variables,
+    }: ExportResourcesToToml,
+    user: User,
+  ) -> anyhow::Result<ExportResourcesToTomlResponse> {
+    let mut res = ResourcesToml::default();
+    let names = ResourceNames::new()
+      .await
+      .context("failed to init resource name maps")?;
+    for target in targets {
+      match target {
+        ResourceTarget::Alerter(id) => {
+          let alerter = resource::get_check_permissions::<Alerter>(
+            &id,
+            &user,
+            PermissionLevel::Read,
+          )
+          .await?;
+          res
+            .alerters
+            .push(convert_resource::<Alerter>(alerter, &names.tags))
+        }
+        ResourceTarget::ResourceSync(id) => {
+          let sync = resource::get_check_permissions::<ResourceSync>(
+            &id,
+            &user,
+            PermissionLevel::Read,
+          )
+          .await?;
+          res
+            .resource_syncs
+            .push(convert_resource::<ResourceSync>(sync, &names.tags))
+        }
+        ResourceTarget::ServerTemplate(id) => {
+          let template = resource::get_check_permissions::<
+            ServerTemplate,
+          >(
+            &id, &user, PermissionLevel::Read
+          )
+          .await?;
+          res.server_templates.push(
+            convert_resource::<ServerTemplate>(template, &names.tags),
+          )
+        }
+        ResourceTarget::Server(id) => {
+          let server = resource::get_check_permissions::<Server>(
+            &id,
+            &user,
+            PermissionLevel::Read,
+          )
+          .await?;
+          res
+            .servers
+            .push(convert_resource::<Server>(server, &names.tags))
+        }
+        ResourceTarget::Builder(id) => {
+          let mut builder =
+            resource::get_check_permissions::<Builder>(
+              &id,
+              &user,
+              PermissionLevel::Read,
+            )
+            .await?;
+          // replace server id of builder
+          if let BuilderConfig::Server(config) = &mut builder.config {
+            config.server_id.clone_from(
+              names.servers.get(&id).unwrap_or(&String::new()),
+            )
+          }
+          res
+            .builders
+            .push(convert_resource::<Builder>(builder, &names.tags))
+        }
+        ResourceTarget::Build(id) => {
+          let mut build = resource::get_check_permissions::<Build>(
+            &id,
+            &user,
+            PermissionLevel::Read,
+          )
+          .await?;
+          // replace builder id of build
+          build.config.builder_id.clone_from(
+            names
+              .builders
+              .get(&build.config.builder_id)
+              .unwrap_or(&String::new()),
+          );
+          res
+            .builds
+            .push(convert_resource::<Build>(build, &names.tags))
+        }
+        ResourceTarget::Deployment(id) => {
+          let mut deployment = resource::get_check_permissions::<
+            Deployment,
+          >(
+            &id, &user, PermissionLevel::Read
+          )
+          .await?;
+          // replace deployment server with name
+          deployment.config.server_id.clone_from(
+            names
+              .servers
+              .get(&deployment.config.server_id)
+              .unwrap_or(&String::new()),
+          );
+          // replace deployment build id with name
+          if let DeploymentImage::Build { build_id, .. } =
+            &mut deployment.config.image
+          {
+            build_id.clone_from(
+              names.builds.get(build_id).unwrap_or(&String::new()),
+            );
+          }
+          res.deployments.push(convert_resource::<Deployment>(
+            deployment,
+            &names.tags,
+          ))
+        }
+        ResourceTarget::Repo(id) => {
+          let mut repo = resource::get_check_permissions::<Repo>(
+            &id,
+            &user,
+            PermissionLevel::Read,
+          )
+          .await?;
+          // replace repo server with name
+          repo.config.server_id.clone_from(
+            names
+              .servers
+              .get(&repo.config.server_id)
+              .unwrap_or(&String::new()),
+          );
+          res.repos.push(convert_resource::<Repo>(repo, &names.tags))
+        }
+        ResourceTarget::Procedure(id) => {
+          add_procedure(&id, &mut res, &user, &names)
+            .await
+            .with_context(|| {
+              format!("failed to add procedure {id}")
+            })?;
+        }
+        ResourceTarget::System(_) => continue,
+      };
+    }
+
+    add_user_groups(user_groups, &mut res, &user)
+      .await
+      .context("failed to add user groups")?;
+
+    if include_variables {
+      res.variables =
+        find_collect(&db_client().await.variables, None, None)
+          .await
+          .context("failed to get variables from db")?;
+    }
+
+    let toml = serialize_resources_toml(&res)
+      .context("failed to serialize resources to toml")?;
+
+    Ok(ExportResourcesToTomlResponse { toml })
+  }
+}
+
+async fn add_procedure(
+  id: &str,
+  res: &mut ResourcesToml,
+  user: &User,
+  names: &ResourceNames,
+) -> anyhow::Result<()> {
+  let mut procedure = resource::get_check_permissions::<Procedure>(
+    id,
+    user,
+    PermissionLevel::Read,
+  )
+  .await?;
+
+  for stage in &mut procedure.config.stages {
+    for execution in &mut stage.executions {
+      match &mut execution.execution {
+        Execution::RunProcedure(exec) => exec.procedure.clone_from(
+          names
+            .procedures
+            .get(&exec.procedure)
+            .unwrap_or(&String::new()),
+        ),
+        Execution::RunBuild(exec) => exec.build.clone_from(
+          names.builds.get(&exec.build).unwrap_or(&String::new()),
+        ),
+        Execution::Deploy(exec) => exec.deployment.clone_from(
+          names
+            .deployments
+            .get(&exec.deployment)
+            .unwrap_or(&String::new()),
+        ),
+        Execution::StartContainer(exec) => {
+          exec.deployment.clone_from(
+            names
+              .deployments
+              .get(&exec.deployment)
+              .unwrap_or(&String::new()),
+          )
+        }
+        Execution::StopContainer(exec) => exec.deployment.clone_from(
+          names
+            .deployments
+            .get(&exec.deployment)
+            .unwrap_or(&String::new()),
+        ),
+        Execution::RemoveContainer(exec) => {
+          exec.deployment.clone_from(
+            names
+              .deployments
+              .get(&exec.deployment)
+              .unwrap_or(&String::new()),
+          )
+        }
+        Execution::CloneRepo(exec) => exec.repo.clone_from(
+          names.repos.get(&exec.repo).unwrap_or(&String::new()),
+        ),
+        Execution::PullRepo(exec) => exec.repo.clone_from(
+          names.repos.get(&exec.repo).unwrap_or(&String::new()),
+        ),
+        Execution::StopAllContainers(exec) => exec.server.clone_from(
+          names.servers.get(&exec.server).unwrap_or(&String::new()),
+        ),
+        Execution::PruneNetworks(exec) => exec.server.clone_from(
+          names.servers.get(&exec.server).unwrap_or(&String::new()),
+        ),
+        Execution::PruneImages(exec) => exec.server.clone_from(
+          names.servers.get(&exec.server).unwrap_or(&String::new()),
+        ),
+        Execution::PruneContainers(exec) => exec.server.clone_from(
+          names.servers.get(&exec.server).unwrap_or(&String::new()),
+        ),
+        Execution::RunSync(exec) => exec.sync.clone_from(
+          names.syncs.get(&exec.sync).unwrap_or(&String::new()),
+        ),
+        Execution::Sleep(_) | Execution::None(_) => {}
+      }
+    }
+  }
+
+  res
+    .procedures
+    .push(convert_resource::<Procedure>(procedure, &names.tags));
+  Ok(())
+}
+
+struct ResourceNames {
+  tags: HashMap<String, String>,
+  servers: HashMap<String, String>,
+  builders: HashMap<String, String>,
+  builds: HashMap<String, String>,
+  repos: HashMap<String, String>,
+  deployments: HashMap<String, String>,
+  procedures: HashMap<String, String>,
+  syncs: HashMap<String, String>,
+}
+
+impl ResourceNames {
+  async fn new() -> anyhow::Result<ResourceNames> {
+    let db = db_client().await;
+    Ok(ResourceNames {
+      tags: find_collect(&db.tags, None, None)
+        .await
+        .context("failed to get all tags")?
+        .into_iter()
+        .map(|t| (t.id, t.name))
+        .collect::<HashMap<_, _>>(),
+      servers: find_collect(&db.servers, None, None)
+        .await
+        .context("failed to get all servers")?
+        .into_iter()
+        .map(|t| (t.id, t.name))
+        .collect::<HashMap<_, _>>(),
+      builders: find_collect(&db.builders, None, None)
+        .await
+        .context("failed to get all builders")?
+        .into_iter()
+        .map(|t| (t.id, t.name))
+        .collect::<HashMap<_, _>>(),
+      builds: find_collect(&db.builds, None, None)
+        .await
+        .context("failed to get all builds")?
+        .into_iter()
+        .map(|t| (t.id, t.name))
+        .collect::<HashMap<_, _>>(),
+      repos: find_collect(&db.repos, None, None)
+        .await
+        .context("failed to get all repos")?
+        .into_iter()
+        .map(|t| (t.id, t.name))
+        .collect::<HashMap<_, _>>(),
+      deployments: find_collect(&db.deployments, None, None)
+        .await
+        .context("failed to get all deployments")?
+        .into_iter()
+        .map(|t| (t.id, t.name))
+        .collect::<HashMap<_, _>>(),
+      procedures: find_collect(&db.procedures, None, None)
+        .await
+        .context("failed to get all procedures")?
+        .into_iter()
+        .map(|t| (t.id, t.name))
+        .collect::<HashMap<_, _>>(),
+      syncs: find_collect(&db.resource_syncs, None, None)
+        .await
+        .context("failed to get all resource syncs")?
+        .into_iter()
+        .map(|t| (t.id, t.name))
+        .collect::<HashMap<_, _>>(),
+    })
+  }
+}
+
+async fn add_user_groups(
+  user_groups: Vec<String>,
+  res: &mut ResourcesToml,
+  user: &User,
+) -> anyhow::Result<()> {
+  let db = db_client().await;
+
+  let usernames = find_collect(&db.users, None, None)
+    .await?
+    .into_iter()
+    .map(|user| (user.id, user.username))
+    .collect::<HashMap<_, _>>();
+
+  for user_group in user_groups {
+    let ug = State
+      .resolve(GetUserGroup { user_group }, user.clone())
+      .await?;
+    // this method is admin only, but we already know user can see user group if above does not return Err
+    let permissions = State
+      .resolve(
+        ListUserTargetPermissions {
+          user_target: UserTarget::UserGroup(ug.id),
+        },
+        User {
+          admin: true,
+          ..Default::default()
+        },
+      )
+      .await?
+      .into_iter()
+      .map(|permission| PermissionToml {
+        target: permission.resource_target,
+        level: permission.level,
+      })
+      .collect();
+    res.user_groups.push(UserGroupToml {
+      name: ug.name,
+      users: ug
+        .users
+        .into_iter()
+        .filter_map(|user_id| usernames.get(&user_id).cloned())
+        .collect(),
+      permissions,
+    });
+  }
+  Ok(())
+}
+
+fn convert_resource<R: MonitorResource>(
+  resource: Resource<R::Config, R::Info>,
+  tag_names: &HashMap<String, String>,
+) -> ResourceToml<R::PartialConfig> {
+  // This makes sure all non-necessary (defaulted) fields don't make it into final toml
+  let partial: R::PartialConfig = resource.config.into();
+  let config = R::Config::default().minimize_partial(partial);
+  ResourceToml {
+    name: resource.name,
+    tags: resource
+      .tags
+      .iter()
+      .filter_map(|t| tag_names.get(t).cloned())
+      .collect(),
+    description: resource.description,
+    deploy: false,
+    after: Default::default(),
+    config,
+  }
+}
+
+fn serialize_resources_toml(
+  resources: &ResourcesToml,
+) -> anyhow::Result<String> {
+  let mut res = String::new();
+
+  let options = toml_pretty::Options::default()
+    .tab("  ")
+    .skip_empty_string(true)
+    .max_inline_array_length(30);
+
+  for server in &resources.servers {
+    if !res.is_empty() {
+      res.push_str("\n\n##\n\n");
+    }
+    res.push_str("[[server]]\n");
+    res.push_str(
+      &toml_pretty::to_string(&server, options)
+        .context("failed to serialize servers to toml")?,
+    );
+  }
+
+  for deployment in &resources.deployments {
+    if !res.is_empty() {
+      res.push_str("\n\n##\n\n");
+    }
+    res.push_str("[[deployment]]\n");
+    let mut parsed: OrderedHashMap<String, Value> =
+      serde_json::from_str(&serde_json::to_string(&deployment)?)?;
+    let config = parsed
+      .get_mut("config")
+      .context("deployment has no config?")?
+      .as_object_mut()
+      .context("config is not object?")?;
+    if let Some(DeploymentImage::Build { version, .. }) =
+      &deployment.config.image
+    {
+      let image = config
+        .get_mut("image")
+        .context("deployment has no image")?
+        .get_mut("params")
+        .context("deployment image has no params")?
+        .as_object_mut()
+        .context("deployment image params is not object")?;
+      if version.is_none() {
+        image.remove("version");
+      } else {
+        image.insert(
+          "version".to_string(),
+          Value::String(version.to_string()),
+        );
+      }
+    }
+    if let Some(term_signal_labels) =
+      &deployment.config.term_signal_labels
+    {
+      config.insert(
+        "term_signal_labels".to_string(),
+        Value::String(term_signal_labels_to_string(
+          term_signal_labels,
+        )),
+      );
+    }
+    if let Some(ports) = &deployment.config.ports {
+      config.insert(
+        "ports".to_string(),
+        Value::String(conversions_to_string(ports)),
+      );
+    }
+    if let Some(volumes) = &deployment.config.volumes {
+      config.insert(
+        "volumes".to_string(),
+        Value::String(conversions_to_string(volumes)),
+      );
+    }
+    if let Some(environment) = &deployment.config.environment {
+      config.insert(
+        "environment".to_string(),
+        Value::String(environment_vars_to_string(environment)),
+      );
+    }
+    if let Some(labels) = &deployment.config.labels {
+      config.insert(
+        "labels".to_string(),
+        Value::String(environment_vars_to_string(labels)),
+      );
+    }
+    res.push_str(
+      &toml_pretty::to_string(&parsed, options)
+        .context("failed to serialize deployments to toml")?,
+    );
+  }
+
+  for build in &resources.builds {
+    if !res.is_empty() {
+      res.push_str("\n\n##\n\n");
+    }
+    let mut parsed: OrderedHashMap<String, Value> =
+      serde_json::from_str(&serde_json::to_string(&build)?)?;
+    let config = parsed
+      .get_mut("config")
+      .context("build has no config?")?
+      .as_object_mut()
+      .context("config is not object?")?;
+    if let Some(version) = &build.config.version {
+      config.insert(
+        "version".to_string(),
+        Value::String(version.to_string()),
+      );
+    }
+    if let Some(build_args) = &build.config.build_args {
+      config.insert(
+        "build_args".to_string(),
+        Value::String(environment_vars_to_string(build_args)),
+      );
+    }
+    if let Some(labels) = &build.config.labels {
+      config.insert(
+        "labels".to_string(),
+        Value::String(environment_vars_to_string(labels)),
+      );
+    }
+    res.push_str("[[build]]\n");
+    res.push_str(
+      &toml_pretty::to_string(&parsed, options)
+        .context("failed to serialize builds to toml")?,
+    );
+  }
+
+  for repo in &resources.repos {
+    if !res.is_empty() {
+      res.push_str("\n\n##\n\n");
+    }
+    res.push_str("[[repo]]\n");
+    res.push_str(
+      &toml_pretty::to_string(&repo, options)
+        .context("failed to serialize repos to toml")?,
+    );
+  }
+
+  for procedure in &resources.procedures {
+    if !res.is_empty() {
+      res.push_str("\n\n##\n\n");
+    }
+    let mut parsed: OrderedHashMap<String, Value> =
+      serde_json::from_str(&serde_json::to_string(&procedure)?)?;
+    let config = parsed
+      .get_mut("config")
+      .context("procedure has no config?")?
+      .as_object_mut()
+      .context("config is not object?")?;
+
+    let stages = config
+      .remove("stages")
+      .context("procedure config has no stages")?;
+    let stages = stages.as_array().context("stages is not array")?;
+
+    res.push_str("[[procedure]]\n");
+    res.push_str(
+      &toml_pretty::to_string(&parsed, options)
+        .context("failed to serialize procedures to toml")?,
+    );
+
+    for stage in stages {
+      res.push_str("\n\n[[procedure.config.stage]]\n");
+      res.push_str(
+        &toml_pretty::to_string(stage, options)
+          .context("failed to serialize procedures to toml")?,
+      );
+    }
+  }
+
+  for alerter in &resources.alerters {
+    if !res.is_empty() {
+      res.push_str("\n\n##\n\n");
+    }
+    res.push_str("[[alerter]]\n");
+    res.push_str(
+      &toml_pretty::to_string(&alerter, options)
+        .context("failed to serialize alerters to toml")?,
+    );
+  }
+
+  for builder in &resources.builders {
+    if !res.is_empty() {
+      res.push_str("\n\n##\n\n");
+    }
+    res.push_str("[[builder]]\n");
+    res.push_str(
+      &toml_pretty::to_string(&builder, options)
+        .context("failed to serialize builders to toml")?,
+    );
+  }
+
+  for server_template in &resources.server_templates {
+    if !res.is_empty() {
+      res.push_str("\n\n##\n\n");
+    }
+    res.push_str("[[server_template]]\n");
+    res.push_str(
+      &toml_pretty::to_string(&server_template, options)
+        .context("failed to serialize server_templates to toml")?,
+    );
+  }
+
+  for resource_sync in &resources.resource_syncs {
+    if !res.is_empty() {
+      res.push_str("\n\n##\n\n");
+    }
+    res.push_str("[[resource_sync]]\n");
+    res.push_str(
+      &toml_pretty::to_string(&resource_sync, options)
+        .context("failed to serialize resource_syncs to toml")?,
+    );
+  }
+
+  for variable in &resources.variables {
+    if !res.is_empty() {
+      res.push_str("\n\n##\n\n");
+    }
+    res.push_str("[[variable]]\n");
+    res.push_str(
+      &toml_pretty::to_string(&variable, options)
+        .context("failed to serialize variables to toml")?,
+    );
+  }
+
+  for user_group in &resources.user_groups {
+    if !res.is_empty() {
+      res.push_str("\n\n##\n\n");
+    }
+    res.push_str("[[user_group]]\n");
+    res.push_str(
+      &toml_pretty::to_string(&user_group, options)
+        .context("failed to serialize user_groups to toml")?,
+    );
+  }
+
+  Ok(res)
+}

bin/core/src/api/read/update.rs

@@ -0,0 +1,253 @@
+use std::collections::HashMap;
+
+use anyhow::{anyhow, Context};
+use monitor_client::{
+  api::read::{GetUpdate, ListUpdates, ListUpdatesResponse},
+  entities::{
+    alerter::Alerter,
+    build::Build,
+    builder::Builder,
+    deployment::Deployment,
+    permission::PermissionLevel,
+    procedure::Procedure,
+    repo::Repo,
+    server::Server,
+    server_template::ServerTemplate,
+    sync::ResourceSync,
+    update::{
+      ResourceTarget, ResourceTargetVariant, Update, UpdateListItem,
+    },
+    user::User,
+  },
+};
+use mungos::{
+  by_id::find_one_by_id,
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
+use resolver_api::Resolve;
+
+use crate::{
+  config::core_config,
+  helpers::query::get_resource_ids_for_non_admin,
+  resource,
+  state::{db_client, State},
+};
+
+const UPDATES_PER_PAGE: i64 = 100;
+
+impl Resolve<ListUpdates, User> for State {
+  async fn resolve(
+    &self,
+    ListUpdates { query, page }: ListUpdates,
+    user: User,
+  ) -> anyhow::Result<ListUpdatesResponse> {
+    let query = if user.admin || core_config().transparent_mode {
+      query
+    } else {
+      let server_ids = get_resource_ids_for_non_admin(
+        &user.id,
+        ResourceTargetVariant::Server,
+      )
+      .await?;
+      let deployment_ids = get_resource_ids_for_non_admin(
+        &user.id,
+        ResourceTargetVariant::Deployment,
+      )
+      .await?;
+      let build_ids = get_resource_ids_for_non_admin(
+        &user.id,
+        ResourceTargetVariant::Build,
+      )
+      .await?;
+      let repo_ids = get_resource_ids_for_non_admin(
+        &user.id,
+        ResourceTargetVariant::Repo,
+      )
+      .await?;
+      let procedure_ids = get_resource_ids_for_non_admin(
+        &user.id,
+        ResourceTargetVariant::Procedure,
+      )
+      .await?;
+      let builder_ids = get_resource_ids_for_non_admin(
+        &user.id,
+        ResourceTargetVariant::Builder,
+      )
+      .await?;
+      let alerter_ids = get_resource_ids_for_non_admin(
+        &user.id,
+        ResourceTargetVariant::Alerter,
+      )
+      .await?;
+      let server_template_ids = get_resource_ids_for_non_admin(
+        &user.id,
+        ResourceTargetVariant::ServerTemplate,
+      )
+      .await?;
+
+      let mut query = query.unwrap_or_default();
+      query.extend(doc! {
+        "$or": [
+          { "target.type": "Server", "target.id": { "$in": &server_ids } },
+          { "target.type": "Deployment", "target.id": { "$in": &deployment_ids } },
+          { "target.type": "Build", "target.id": { "$in": &build_ids } },
+          { "target.type": "Repo", "target.id": { "$in": &repo_ids } },
+          { "target.type": "Procedure", "target.id": { "$in": &procedure_ids } },
+          { "target.type": "Builder", "target.id": { "$in": &builder_ids } },
+          { "target.type": "Alerter", "target.id": { "$in": &alerter_ids } },
+          { "target.type": "ServerTemplate", "target.id": { "$in": &server_template_ids } },
+        ]
+      });
+      query.into()
+    };
+
+    let usernames =
+      find_collect(&db_client().await.users, None, None)
+        .await
+        .context("failed to pull users from db")?
+        .into_iter()
+        .map(|u| (u.id, u.username))
+        .collect::<HashMap<_, _>>();
+
+    let updates = find_collect(
+      &db_client().await.updates,
+      query,
+      FindOptions::builder()
+        .sort(doc! { "start_ts": -1 })
+        .skip(page as u64 * UPDATES_PER_PAGE as u64)
+        .limit(UPDATES_PER_PAGE)
+        .build(),
+    )
+    .await
+    .context("failed to pull updates from db")?
+    .into_iter()
+    .map(|u| {
+      let username = if User::is_service_user(&u.operator) {
+        u.operator.clone()
+      } else {
+        usernames
+          .get(&u.operator)
+          .cloned()
+          .unwrap_or("unknown".to_string())
+      };
+      UpdateListItem {
+        username,
+        id: u.id,
+        operation: u.operation,
+        start_ts: u.start_ts,
+        success: u.success,
+        operator: u.operator,
+        target: u.target,
+        status: u.status,
+        version: u.version,
+        other_data: u.other_data,
+      }
+    })
+    .collect::<Vec<_>>();
+
+    let next_page = if updates.len() == UPDATES_PER_PAGE as usize {
+      Some(page + 1)
+    } else {
+      None
+    };
+
+    Ok(ListUpdatesResponse { updates, next_page })
+  }
+}
+
+impl Resolve<GetUpdate, User> for State {
+  async fn resolve(
+    &self,
+    GetUpdate { id }: GetUpdate,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    let update = find_one_by_id(&db_client().await.updates, &id)
+      .await
+      .context("failed to query to db")?
+      .context("no update exists with given id")?;
+    if user.admin || core_config().transparent_mode {
+      return Ok(update);
+    }
+    match &update.target {
+      ResourceTarget::System(_) => {
+        return Err(anyhow!(
+          "user must be admin to view system updates"
+        ))
+      }
+      ResourceTarget::Server(id) => {
+        resource::get_check_permissions::<Server>(
+          id,
+          &user,
+          PermissionLevel::Read,
+        )
+        .await?;
+      }
+      ResourceTarget::Deployment(id) => {
+        resource::get_check_permissions::<Deployment>(
+          id,
+          &user,
+          PermissionLevel::Read,
+        )
+        .await?;
+      }
+      ResourceTarget::Build(id) => {
+        resource::get_check_permissions::<Build>(
+          id,
+          &user,
+          PermissionLevel::Read,
+        )
+        .await?;
+      }
+      ResourceTarget::Repo(id) => {
+        resource::get_check_permissions::<Repo>(
+          id,
+          &user,
+          PermissionLevel::Read,
+        )
+        .await?;
+      }
+      ResourceTarget::Builder(id) => {
+        resource::get_check_permissions::<Builder>(
+          id,
+          &user,
+          PermissionLevel::Read,
+        )
+        .await?;
+      }
+      ResourceTarget::Alerter(id) => {
+        resource::get_check_permissions::<Alerter>(
+          id,
+          &user,
+          PermissionLevel::Read,
+        )
+        .await?;
+      }
+      ResourceTarget::Procedure(id) => {
+        resource::get_check_permissions::<Procedure>(
+          id,
+          &user,
+          PermissionLevel::Read,
+        )
+        .await?;
+      }
+      ResourceTarget::ServerTemplate(id) => {
+        resource::get_check_permissions::<ServerTemplate>(
+          id,
+          &user,
+          PermissionLevel::Read,
+        )
+        .await?;
+      }
+      ResourceTarget::ResourceSync(id) => {
+        resource::get_check_permissions::<ResourceSync>(
+          id,
+          &user,
+          PermissionLevel::Read,
+        )
+        .await?;
+      }
+    }
+    Ok(update)
+  }
+}

bin/core/src/api/read/user.rs

@@ -0,0 +1,118 @@
+use anyhow::{anyhow, Context};
+use monitor_client::{
+  api::read::{
+    GetUsername, GetUsernameResponse, ListApiKeys,
+    ListApiKeysForServiceUser, ListApiKeysForServiceUserResponse,
+    ListApiKeysResponse, ListUsers, ListUsersResponse,
+  },
+  entities::user::{User, UserConfig},
+};
+use mungos::{
+  by_id::find_one_by_id,
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOptions},
+};
+use resolver_api::Resolve;
+
+use crate::state::{db_client, State};
+
+impl Resolve<GetUsername, User> for State {
+  async fn resolve(
+    &self,
+    GetUsername { user_id }: GetUsername,
+    _: User,
+  ) -> anyhow::Result<GetUsernameResponse> {
+    let user = find_one_by_id(&db_client().await.users, &user_id)
+      .await
+      .context("failed at mongo query for user")?
+      .context("no user found with id")?;
+
+    let avatar = match user.config {
+      UserConfig::Github { avatar, .. } => Some(avatar),
+      UserConfig::Google { avatar, .. } => Some(avatar),
+      _ => None,
+    };
+
+    Ok(GetUsernameResponse {
+      username: user.username,
+      avatar,
+    })
+  }
+}
+
+impl Resolve<ListUsers, User> for State {
+  async fn resolve(
+    &self,
+    ListUsers {}: ListUsers,
+    user: User,
+  ) -> anyhow::Result<ListUsersResponse> {
+    if !user.admin {
+      return Err(anyhow!("this route is only accessable by admins"));
+    }
+    let mut users = find_collect(
+      &db_client().await.users,
+      None,
+      FindOptions::builder().sort(doc! { "username": 1 }).build(),
+    )
+    .await
+    .context("failed to pull users from db")?;
+    users.iter_mut().for_each(|user| user.sanitize());
+    Ok(users)
+  }
+}
+
+impl Resolve<ListApiKeys, User> for State {
+  async fn resolve(
+    &self,
+    ListApiKeys {}: ListApiKeys,
+    user: User,
+  ) -> anyhow::Result<ListApiKeysResponse> {
+    let api_keys = find_collect(
+      &db_client().await.api_keys,
+      doc! { "user_id": &user.id },
+      FindOptions::builder().sort(doc! { "name": 1 }).build(),
+    )
+    .await
+    .context("failed to query db for api keys")?
+    .into_iter()
+    .map(|mut api_keys| {
+      api_keys.sanitize();
+      api_keys
+    })
+    .collect();
+    Ok(api_keys)
+  }
+}
+
+impl Resolve<ListApiKeysForServiceUser, User> for State {
+  async fn resolve(
+    &self,
+    ListApiKeysForServiceUser { user_id }: ListApiKeysForServiceUser,
+    admin: User,
+  ) -> anyhow::Result<ListApiKeysForServiceUserResponse> {
+    if !admin.admin {
+      return Err(anyhow!("This method is admin only."));
+    }
+    let user = find_one_by_id(&db_client().await.users, &user_id)
+      .await
+      .context("failed to query db for users")?
+      .context("user at id not found")?;
+    let UserConfig::Service { .. } = user.config else {
+      return Err(anyhow!("Given user is not service user"));
+    };
+    let api_keys = find_collect(
+      &db_client().await.api_keys,
+      doc! { "user_id": user_id },
+      None,
+    )
+    .await
+    .context("failed to query db for api keys")?
+    .into_iter()
+    .map(|mut api_keys| {
+      api_keys.sanitize();
+      api_keys
+    })
+    .collect();
+    Ok(api_keys)
+  }
+}

bin/core/src/api/read/user_group.rs

@@ -0,0 +1,65 @@
+use std::str::FromStr;
+
+use anyhow::Context;
+use monitor_client::{
+  api::read::{
+    GetUserGroup, GetUserGroupResponse, ListUserGroups,
+    ListUserGroupsResponse,
+  },
+  entities::user::User,
+};
+use mungos::{
+  find::find_collect,
+  mongodb::{
+    bson::{doc, oid::ObjectId, Document},
+    options::FindOptions,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::state::{db_client, State};
+
+impl Resolve<GetUserGroup, User> for State {
+  async fn resolve(
+    &self,
+    GetUserGroup { user_group }: GetUserGroup,
+    user: User,
+  ) -> anyhow::Result<GetUserGroupResponse> {
+    let mut filter = match ObjectId::from_str(&user_group) {
+      Ok(id) => doc! { "_id": id },
+      Err(_) => doc! { "name": &user_group },
+    };
+    // Don't allow non admin users to get UserGroups they aren't a part of.
+    if !user.admin {
+      // Filter for only UserGroups which contain the users id
+      filter.insert("users", &user.id);
+    }
+    db_client()
+      .await
+      .user_groups
+      .find_one(filter, None)
+      .await
+      .context("failed to query db for user groups")?
+      .context("no UserGroup found with given name or id")
+  }
+}
+
+impl Resolve<ListUserGroups, User> for State {
+  async fn resolve(
+    &self,
+    ListUserGroups {}: ListUserGroups,
+    user: User,
+  ) -> anyhow::Result<ListUserGroupsResponse> {
+    let mut filter = Document::new();
+    if !user.admin {
+      filter.insert("users", &user.id);
+    }
+    find_collect(
+      &db_client().await.user_groups,
+      filter,
+      FindOptions::builder().sort(doc! { "name": 1 }).build(),
+    )
+    .await
+    .context("failed to query db for UserGroups")
+  }
+}

bin/core/src/api/read/variable.rs

@@ -0,0 +1,47 @@
+use anyhow::Context;
+use mongo_indexed::doc;
+use monitor_client::{
+  api::read::{
+    GetVariable, GetVariableResponse, ListVariables,
+    ListVariablesResponse,
+  },
+  entities::user::User,
+};
+use mungos::{find::find_collect, mongodb::options::FindOptions};
+use resolver_api::Resolve;
+
+use crate::{
+  config::core_config,
+  helpers::query::get_variable,
+  state::{db_client, State},
+};
+
+impl Resolve<GetVariable, User> for State {
+  async fn resolve(
+    &self,
+    GetVariable { name }: GetVariable,
+    _: User,
+  ) -> anyhow::Result<GetVariableResponse> {
+    get_variable(&name).await
+  }
+}
+
+impl Resolve<ListVariables, User> for State {
+  async fn resolve(
+    &self,
+    ListVariables {}: ListVariables,
+    _: User,
+  ) -> anyhow::Result<ListVariablesResponse> {
+    let variables = find_collect(
+      &db_client().await.variables,
+      None,
+      FindOptions::builder().sort(doc! { "name": 1 }).build(),
+    )
+    .await
+    .context("failed to query db for variables")?;
+    Ok(ListVariablesResponse {
+      variables,
+      secrets: core_config().secrets.keys().cloned().collect(),
+    })
+  }
+}

bin/core/src/api/user.rs

@@ -0,0 +1,225 @@
+use std::{collections::VecDeque, time::Instant};
+
+use anyhow::{anyhow, Context};
+use axum::{middleware, routing::post, Extension, Json, Router};
+use axum_extra::{headers::ContentType, TypedHeader};
+use mongo_indexed::doc;
+use monitor_client::{
+  api::user::{
+    CreateApiKey, CreateApiKeyResponse, DeleteApiKey,
+    DeleteApiKeyResponse, PushRecentlyViewed,
+    PushRecentlyViewedResponse, SetLastSeenUpdate,
+    SetLastSeenUpdateResponse,
+  },
+  entities::{
+    api_key::ApiKey, monitor_timestamp, update::ResourceTarget,
+    user::User,
+  },
+};
+use mungos::{by_id::update_one_by_id, mongodb::bson::to_bson};
+use resolver_api::{derive::Resolver, Resolve, Resolver};
+use serde::{Deserialize, Serialize};
+use typeshare::typeshare;
+use uuid::Uuid;
+
+use crate::{
+  auth::{auth_request, random_string},
+  helpers::query::get_user,
+  state::{db_client, State},
+};
+
+#[typeshare]
+#[derive(Serialize, Deserialize, Debug, Clone, Resolver)]
+#[resolver_target(State)]
+#[resolver_args(User)]
+#[serde(tag = "type", content = "params")]
+enum UserRequest {
+  PushRecentlyViewed(PushRecentlyViewed),
+  SetLastSeenUpdate(SetLastSeenUpdate),
+  CreateApiKey(CreateApiKey),
+  DeleteApiKey(DeleteApiKey),
+}
+
+pub fn router() -> Router {
+  Router::new()
+    .route("/", post(handler))
+    .layer(middleware::from_fn(auth_request))
+}
+
+#[instrument(name = "UserHandler", level = "debug", skip(user))]
+async fn handler(
+  Extension(user): Extension<User>,
+  Json(request): Json<UserRequest>,
+) -> serror::Result<(TypedHeader<ContentType>, String)> {
+  let timer = Instant::now();
+  let req_id = Uuid::new_v4();
+  debug!(
+    "/user request {req_id} | user: {} ({})",
+    user.username, user.id
+  );
+  let res =
+    State
+      .resolve_request(request, user)
+      .await
+      .map_err(|e| match e {
+        resolver_api::Error::Serialization(e) => {
+          anyhow!("{e:?}").context("response serialization error")
+        }
+        resolver_api::Error::Inner(e) => e,
+      });
+  if let Err(e) = &res {
+    warn!("/user request {req_id} error: {e:#}");
+  }
+  let elapsed = timer.elapsed();
+  debug!("/user request {req_id} | resolve time: {elapsed:?}");
+  Ok((TypedHeader(ContentType::json()), res?))
+}
+
+const RECENTLY_VIEWED_MAX: usize = 10;
+
+impl Resolve<PushRecentlyViewed, User> for State {
+  #[instrument(
+    name = "PushRecentlyViewed",
+    level = "debug",
+    skip(self, user)
+  )]
+  async fn resolve(
+    &self,
+    PushRecentlyViewed { resource }: PushRecentlyViewed,
+    user: User,
+  ) -> anyhow::Result<PushRecentlyViewedResponse> {
+    let user = get_user(&user.id).await?;
+
+    let (recents, id, field) = match resource {
+      ResourceTarget::Server(id) => {
+        (user.recent_servers, id, "recent_servers")
+      }
+      ResourceTarget::Deployment(id) => {
+        (user.recent_deployments, id, "recent_deployments")
+      }
+      ResourceTarget::Build(id) => {
+        (user.recent_builds, id, "recent_builds")
+      }
+      ResourceTarget::Repo(id) => {
+        (user.recent_repos, id, "recent_repos")
+      }
+      ResourceTarget::Procedure(id) => {
+        (user.recent_procedures, id, "recent_procedures")
+      }
+      _ => return Ok(PushRecentlyViewedResponse {}),
+    };
+
+    let mut recents = recents
+      .into_iter()
+      .filter(|_id| !id.eq(_id))
+      .take(RECENTLY_VIEWED_MAX - 1)
+      .collect::<VecDeque<_>>();
+    recents.push_front(id);
+    let update = doc! { field: to_bson(&recents)? };
+
+    update_one_by_id(
+      &db_client().await.users,
+      &user.id,
+      mungos::update::Update::Set(update),
+      None,
+    )
+    .await
+    .with_context(|| format!("failed to update {field}"))?;
+
+    Ok(PushRecentlyViewedResponse {})
+  }
+}
+
+impl Resolve<SetLastSeenUpdate, User> for State {
+  #[instrument(
+    name = "SetLastSeenUpdate",
+    level = "debug",
+    skip(self, user)
+  )]
+  async fn resolve(
+    &self,
+    SetLastSeenUpdate {}: SetLastSeenUpdate,
+    user: User,
+  ) -> anyhow::Result<SetLastSeenUpdateResponse> {
+    update_one_by_id(
+      &db_client().await.users,
+      &user.id,
+      mungos::update::Update::Set(doc! {
+        "last_update_view": monitor_timestamp()
+      }),
+      None,
+    )
+    .await
+    .context("failed to update user last_update_view")?;
+    Ok(SetLastSeenUpdateResponse {})
+  }
+}
+
+const SECRET_LENGTH: usize = 40;
+const BCRYPT_COST: u32 = 10;
+
+impl Resolve<CreateApiKey, User> for State {
+  #[instrument(
+    name = "CreateApiKey",
+    level = "debug",
+    skip(self, user)
+  )]
+  async fn resolve(
+    &self,
+    CreateApiKey { name, expires }: CreateApiKey,
+    user: User,
+  ) -> anyhow::Result<CreateApiKeyResponse> {
+    let user = get_user(&user.id).await?;
+
+    let key = format!("K-{}", random_string(SECRET_LENGTH));
+    let secret = format!("S-{}", random_string(SECRET_LENGTH));
+    let secret_hash = bcrypt::hash(&secret, BCRYPT_COST)
+      .context("failed at hashing secret string")?;
+
+    let api_key = ApiKey {
+      name,
+      key: key.clone(),
+      secret: secret_hash,
+      user_id: user.id.clone(),
+      created_at: monitor_timestamp(),
+      expires,
+    };
+    db_client()
+      .await
+      .api_keys
+      .insert_one(api_key, None)
+      .await
+      .context("failed to create api key on db")?;
+    Ok(CreateApiKeyResponse { key, secret })
+  }
+}
+
+impl Resolve<DeleteApiKey, User> for State {
+  #[instrument(
+    name = "DeleteApiKey",
+    level = "debug",
+    skip(self, user)
+  )]
+  async fn resolve(
+    &self,
+    DeleteApiKey { key }: DeleteApiKey,
+    user: User,
+  ) -> anyhow::Result<DeleteApiKeyResponse> {
+    let client = db_client().await;
+    let key = client
+      .api_keys
+      .find_one(doc! { "key": &key }, None)
+      .await
+      .context("failed at db query")?
+      .context("no api key with key found")?;
+    if user.id != key.user_id {
+      return Err(anyhow!("api key does not belong to user"));
+    }
+    client
+      .api_keys
+      .delete_one(doc! { "key": key.key }, None)
+      .await
+      .context("failed to delete api key from db")?;
+    Ok(DeleteApiKeyResponse {})
+  }
+}

bin/core/src/api/write/alerter.rs

@@ -0,0 +1,61 @@
+use monitor_client::{
+  api::write::{
+    CopyAlerter, CreateAlerter, DeleteAlerter, UpdateAlerter,
+  },
+  entities::{
+    alerter::Alerter, permission::PermissionLevel, user::User,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{resource, state::State};
+
+impl Resolve<CreateAlerter, User> for State {
+  #[instrument(name = "CreateAlerter", skip(self, user))]
+  async fn resolve(
+    &self,
+    CreateAlerter { name, config }: CreateAlerter,
+    user: User,
+  ) -> anyhow::Result<Alerter> {
+    resource::create::<Alerter>(&name, config, &user).await
+  }
+}
+
+impl Resolve<CopyAlerter, User> for State {
+  #[instrument(name = "CopyAlerter", skip(self, user))]
+  async fn resolve(
+    &self,
+    CopyAlerter { name, id }: CopyAlerter,
+    user: User,
+  ) -> anyhow::Result<Alerter> {
+    let Alerter { config, .. } = resource::get_check_permissions::<
+      Alerter,
+    >(
+      &id, &user, PermissionLevel::Write
+    )
+    .await?;
+    resource::create::<Alerter>(&name, config.into(), &user).await
+  }
+}
+
+impl Resolve<DeleteAlerter, User> for State {
+  #[instrument(name = "DeleteAlerter", skip(self, user))]
+  async fn resolve(
+    &self,
+    DeleteAlerter { id }: DeleteAlerter,
+    user: User,
+  ) -> anyhow::Result<Alerter> {
+    resource::delete::<Alerter>(&id, &user).await
+  }
+}
+
+impl Resolve<UpdateAlerter, User> for State {
+  #[instrument(name = "UpdateAlerter", skip(self, user))]
+  async fn resolve(
+    &self,
+    UpdateAlerter { id, config }: UpdateAlerter,
+    user: User,
+  ) -> anyhow::Result<Alerter> {
+    resource::update::<Alerter>(&id, config, &user).await
+  }
+}

bin/core/src/api/write/build.rs

@@ -0,0 +1,58 @@
+use monitor_client::{
+  api::write::*,
+  entities::{build::Build, permission::PermissionLevel, user::User},
+};
+use resolver_api::Resolve;
+
+use crate::{resource, state::State};
+
+impl Resolve<CreateBuild, User> for State {
+  #[instrument(name = "CreateBuild", skip(self, user))]
+  async fn resolve(
+    &self,
+    CreateBuild { name, config }: CreateBuild,
+    user: User,
+  ) -> anyhow::Result<Build> {
+    resource::create::<Build>(&name, config, &user).await
+  }
+}
+
+impl Resolve<CopyBuild, User> for State {
+  #[instrument(name = "CopyBuild", skip(self, user))]
+  async fn resolve(
+    &self,
+    CopyBuild { name, id }: CopyBuild,
+    user: User,
+  ) -> anyhow::Result<Build> {
+    let Build { config, .. } =
+      resource::get_check_permissions::<Build>(
+        &id,
+        &user,
+        PermissionLevel::Write,
+      )
+      .await?;
+    resource::create::<Build>(&name, config.into(), &user).await
+  }
+}
+
+impl Resolve<DeleteBuild, User> for State {
+  #[instrument(name = "DeleteBuild", skip(self, user))]
+  async fn resolve(
+    &self,
+    DeleteBuild { id }: DeleteBuild,
+    user: User,
+  ) -> anyhow::Result<Build> {
+    resource::delete::<Build>(&id, &user).await
+  }
+}
+
+impl Resolve<UpdateBuild, User> for State {
+  #[instrument(name = "UpdateBuild", skip(self, user))]
+  async fn resolve(
+    &self,
+    UpdateBuild { id, config }: UpdateBuild,
+    user: User,
+  ) -> anyhow::Result<Build> {
+    resource::update::<Build>(&id, config, &user).await
+  }
+}

bin/core/src/api/write/builder.rs

@@ -0,0 +1,59 @@
+use monitor_client::{
+  api::write::*,
+  entities::{
+    builder::Builder, permission::PermissionLevel, user::User,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{resource, state::State};
+
+impl Resolve<CreateBuilder, User> for State {
+  #[instrument(name = "CreateBuilder", skip(self, user))]
+  async fn resolve(
+    &self,
+    CreateBuilder { name, config }: CreateBuilder,
+    user: User,
+  ) -> anyhow::Result<Builder> {
+    resource::create::<Builder>(&name, config, &user).await
+  }
+}
+
+impl Resolve<CopyBuilder, User> for State {
+  #[instrument(name = "CopyBuilder", skip(self, user))]
+  async fn resolve(
+    &self,
+    CopyBuilder { name, id }: CopyBuilder,
+    user: User,
+  ) -> anyhow::Result<Builder> {
+    let Builder { config, .. } = resource::get_check_permissions::<
+      Builder,
+    >(
+      &id, &user, PermissionLevel::Write
+    )
+    .await?;
+    resource::create::<Builder>(&name, config.into(), &user).await
+  }
+}
+
+impl Resolve<DeleteBuilder, User> for State {
+  #[instrument(name = "DeleteBuilder", skip(self, user))]
+  async fn resolve(
+    &self,
+    DeleteBuilder { id }: DeleteBuilder,
+    user: User,
+  ) -> anyhow::Result<Builder> {
+    resource::delete::<Builder>(&id, &user).await
+  }
+}
+
+impl Resolve<UpdateBuilder, User> for State {
+  #[instrument(name = "UpdateBuilder", skip(self, user))]
+  async fn resolve(
+    &self,
+    UpdateBuilder { id, config }: UpdateBuilder,
+    user: User,
+  ) -> anyhow::Result<Builder> {
+    resource::update::<Builder>(&id, config, &user).await
+  }
+}

bin/core/src/api/write/deployment.rs

@@ -0,0 +1,155 @@
+use anyhow::{anyhow, Context};
+use monitor_client::{
+  api::write::*,
+  entities::{
+    deployment::{Deployment, DeploymentState},
+    monitor_timestamp,
+    permission::PermissionLevel,
+    server::Server,
+    to_monitor_name,
+    update::Update,
+    user::User,
+    Operation,
+  },
+};
+use mungos::{by_id::update_one_by_id, mongodb::bson::doc};
+use periphery_client::api;
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::{
+    periphery_client,
+    query::get_deployment_state,
+    update::{add_update, make_update},
+  },
+  resource,
+  state::{action_states, db_client, State},
+};
+
+impl Resolve<CreateDeployment, User> for State {
+  #[instrument(name = "CreateDeployment", skip(self, user))]
+  async fn resolve(
+    &self,
+    CreateDeployment { name, config }: CreateDeployment,
+    user: User,
+  ) -> anyhow::Result<Deployment> {
+    resource::create::<Deployment>(&name, config, &user).await
+  }
+}
+
+impl Resolve<CopyDeployment, User> for State {
+  #[instrument(name = "CopyDeployment", skip(self, user))]
+  async fn resolve(
+    &self,
+    CopyDeployment { name, id }: CopyDeployment,
+    user: User,
+  ) -> anyhow::Result<Deployment> {
+    let Deployment { config, .. } =
+      resource::get_check_permissions::<Deployment>(
+        &id,
+        &user,
+        PermissionLevel::Write,
+      )
+      .await?;
+    resource::create::<Deployment>(&name, config.into(), &user).await
+  }
+}
+
+impl Resolve<DeleteDeployment, User> for State {
+  #[instrument(name = "DeleteDeployment", skip(self, user))]
+  async fn resolve(
+    &self,
+    DeleteDeployment { id }: DeleteDeployment,
+    user: User,
+  ) -> anyhow::Result<Deployment> {
+    resource::delete::<Deployment>(&id, &user).await
+  }
+}
+
+impl Resolve<UpdateDeployment, User> for State {
+  #[instrument(name = "UpdateDeployment", skip(self, user))]
+  async fn resolve(
+    &self,
+    UpdateDeployment { id, config }: UpdateDeployment,
+    user: User,
+  ) -> anyhow::Result<Deployment> {
+    resource::update::<Deployment>(&id, config, &user).await
+  }
+}
+
+impl Resolve<RenameDeployment, User> for State {
+  #[instrument(name = "RenameDeployment", skip(self, user))]
+  async fn resolve(
+    &self,
+    RenameDeployment { id, name }: RenameDeployment,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    let deployment = resource::get_check_permissions::<Deployment>(
+      &id,
+      &user,
+      PermissionLevel::Write,
+    )
+    .await?;
+
+    // get the action state for the deployment (or insert default).
+    let action_state = action_states()
+      .deployment
+      .get_or_insert_default(&deployment.id)
+      .await;
+
+    // Will check to ensure deployment not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.renaming = true)?;
+
+    let name = to_monitor_name(&name);
+
+    let container_state = get_deployment_state(&deployment).await?;
+
+    if container_state == DeploymentState::Unknown {
+      return Err(anyhow!(
+        "cannot rename deployment when container status is unknown"
+      ));
+    }
+
+    let mut update =
+      make_update(&deployment, Operation::RenameDeployment, &user);
+
+    update_one_by_id(
+      &db_client().await.deployments,
+      &deployment.id,
+      mungos::update::Update::Set(
+        doc! { "name": &name, "updated_at": monitor_timestamp() },
+      ),
+      None,
+    )
+    .await
+    .context("failed to update deployment name on db")?;
+
+    if container_state != DeploymentState::NotDeployed {
+      let server =
+        resource::get::<Server>(&deployment.config.server_id).await?;
+      let log = periphery_client(&server)?
+        .request(api::container::RenameContainer {
+          curr_name: deployment.name.clone(),
+          new_name: name.clone(),
+        })
+        .await
+        .context("failed to rename container on server")?;
+      update.logs.push(log);
+    }
+
+    update.push_simple_log(
+      "rename deployment",
+      format!(
+        "renamed deployment from {} to {}",
+        deployment.name, name
+      ),
+    );
+    update.finalize();
+
+    add_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}

bin/core/src/api/write/description.rs

@@ -0,0 +1,106 @@
+use anyhow::anyhow;
+use monitor_client::{
+  api::write::{UpdateDescription, UpdateDescriptionResponse},
+  entities::{
+    alerter::Alerter, build::Build, builder::Builder,
+    deployment::Deployment, procedure::Procedure, repo::Repo,
+    server::Server, server_template::ServerTemplate,
+    sync::ResourceSync, update::ResourceTarget, user::User,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{resource, state::State};
+
+impl Resolve<UpdateDescription, User> for State {
+  #[instrument(name = "UpdateDescription", skip(self, user))]
+  async fn resolve(
+    &self,
+    UpdateDescription {
+      target,
+      description,
+    }: UpdateDescription,
+    user: User,
+  ) -> anyhow::Result<UpdateDescriptionResponse> {
+    match target {
+      ResourceTarget::System(_) => {
+        return Err(anyhow!(
+          "cannot update description of System resource target"
+        ))
+      }
+      ResourceTarget::Server(id) => {
+        resource::update_description::<Server>(
+          &id,
+          &description,
+          &user,
+        )
+        .await?;
+      }
+      ResourceTarget::Deployment(id) => {
+        resource::update_description::<Deployment>(
+          &id,
+          &description,
+          &user,
+        )
+        .await?;
+      }
+      ResourceTarget::Build(id) => {
+        resource::update_description::<Build>(
+          &id,
+          &description,
+          &user,
+        )
+        .await?;
+      }
+      ResourceTarget::Repo(id) => {
+        resource::update_description::<Repo>(
+          &id,
+          &description,
+          &user,
+        )
+        .await?;
+      }
+      ResourceTarget::Builder(id) => {
+        resource::update_description::<Builder>(
+          &id,
+          &description,
+          &user,
+        )
+        .await?;
+      }
+      ResourceTarget::Alerter(id) => {
+        resource::update_description::<Alerter>(
+          &id,
+          &description,
+          &user,
+        )
+        .await?;
+      }
+      ResourceTarget::Procedure(id) => {
+        resource::update_description::<Procedure>(
+          &id,
+          &description,
+          &user,
+        )
+        .await?;
+      }
+      ResourceTarget::ServerTemplate(id) => {
+        resource::update_description::<ServerTemplate>(
+          &id,
+          &description,
+          &user,
+        )
+        .await?;
+      }
+      ResourceTarget::ResourceSync(id) => {
+        resource::update_description::<ResourceSync>(
+          &id,
+          &description,
+          &user,
+        )
+        .await?;
+      }
+    }
+    Ok(UpdateDescriptionResponse {})
+  }
+}

bin/core/src/api/write/mod.rs

@@ -0,0 +1,181 @@
+use std::time::Instant;
+
+use anyhow::{anyhow, Context};
+use axum::{middleware, routing::post, Extension, Router};
+use axum_extra::{headers::ContentType, TypedHeader};
+use monitor_client::{api::write::*, entities::user::User};
+use resolver_api::{derive::Resolver, Resolver};
+use serde::{Deserialize, Serialize};
+use serror::Json;
+use typeshare::typeshare;
+use uuid::Uuid;
+
+use crate::{auth::auth_request, state::State};
+
+mod alerter;
+mod build;
+mod builder;
+mod deployment;
+mod description;
+mod permissions;
+mod procedure;
+mod repo;
+mod server;
+mod server_template;
+mod service_user;
+mod sync;
+mod tag;
+mod user_group;
+mod variable;
+
+#[typeshare]
+#[derive(Serialize, Deserialize, Debug, Clone, Resolver)]
+#[resolver_target(State)]
+#[resolver_args(User)]
+#[serde(tag = "type", content = "params")]
+pub enum WriteRequest {
+  // ==== SERVICE USER ====
+  CreateServiceUser(CreateServiceUser),
+  UpdateServiceUserDescription(UpdateServiceUserDescription),
+  CreateApiKeyForServiceUser(CreateApiKeyForServiceUser),
+  DeleteApiKeyForServiceUser(DeleteApiKeyForServiceUser),
+
+  // ==== USER GROUP ====
+  CreateUserGroup(CreateUserGroup),
+  RenameUserGroup(RenameUserGroup),
+  DeleteUserGroup(DeleteUserGroup),
+  AddUserToUserGroup(AddUserToUserGroup),
+  RemoveUserFromUserGroup(RemoveUserFromUserGroup),
+  SetUsersInUserGroup(SetUsersInUserGroup),
+
+  // ==== PERMISSIONS ====
+  UpdateUserBasePermissions(UpdateUserBasePermissions),
+  UpdatePermissionOnTarget(UpdatePermissionOnTarget),
+
+  // ==== DESCRIPTION ====
+  UpdateDescription(UpdateDescription),
+
+  // ==== SERVER ====
+  CreateServer(CreateServer),
+  DeleteServer(DeleteServer),
+  UpdateServer(UpdateServer),
+  RenameServer(RenameServer),
+  CreateNetwork(CreateNetwork),
+  DeleteNetwork(DeleteNetwork),
+
+  // ==== DEPLOYMENT ====
+  CreateDeployment(CreateDeployment),
+  CopyDeployment(CopyDeployment),
+  DeleteDeployment(DeleteDeployment),
+  UpdateDeployment(UpdateDeployment),
+  RenameDeployment(RenameDeployment),
+
+  // ==== BUILD ====
+  CreateBuild(CreateBuild),
+  CopyBuild(CopyBuild),
+  DeleteBuild(DeleteBuild),
+  UpdateBuild(UpdateBuild),
+
+  // ==== BUILDER ====
+  CreateBuilder(CreateBuilder),
+  CopyBuilder(CopyBuilder),
+  DeleteBuilder(DeleteBuilder),
+  UpdateBuilder(UpdateBuilder),
+
+  // ==== SERVER TEMPLATE ====
+  CreateServerTemplate(CreateServerTemplate),
+  CopyServerTemplate(CopyServerTemplate),
+  DeleteServerTemplate(DeleteServerTemplate),
+  UpdateServerTemplate(UpdateServerTemplate),
+
+  // ==== REPO ====
+  CreateRepo(CreateRepo),
+  CopyRepo(CopyRepo),
+  DeleteRepo(DeleteRepo),
+  UpdateRepo(UpdateRepo),
+
+  // ==== ALERTER ====
+  CreateAlerter(CreateAlerter),
+  CopyAlerter(CopyAlerter),
+  DeleteAlerter(DeleteAlerter),
+  UpdateAlerter(UpdateAlerter),
+
+  // ==== PROCEDURE ====
+  CreateProcedure(CreateProcedure),
+  CopyProcedure(CopyProcedure),
+  DeleteProcedure(DeleteProcedure),
+  UpdateProcedure(UpdateProcedure),
+
+  // ==== SYNC ====
+  CreateResourceSync(CreateResourceSync),
+  CopyResourceSync(CopyResourceSync),
+  DeleteResourceSync(DeleteResourceSync),
+  UpdateResourceSync(UpdateResourceSync),
+  RefreshResourceSyncPending(RefreshResourceSyncPending),
+
+  // ==== TAG ====
+  CreateTag(CreateTag),
+  DeleteTag(DeleteTag),
+  RenameTag(RenameTag),
+  UpdateTagsOnResource(UpdateTagsOnResource),
+
+  // ==== VARIABLE ====
+  CreateVariable(CreateVariable),
+  UpdateVariableValue(UpdateVariableValue),
+  UpdateVariableDescription(UpdateVariableDescription),
+  DeleteVariable(DeleteVariable),
+}
+
+pub fn router() -> Router {
+  Router::new()
+    .route("/", post(handler))
+    .layer(middleware::from_fn(auth_request))
+}
+
+async fn handler(
+  Extension(user): Extension<User>,
+  Json(request): Json<WriteRequest>,
+) -> serror::Result<(TypedHeader<ContentType>, String)> {
+  let req_id = Uuid::new_v4();
+
+  let res = tokio::spawn(task(req_id, request, user))
+    .await
+    .context("failure in spawned task");
+
+  if let Err(e) = &res {
+    warn!("/write request {req_id} spawn error: {e:#}");
+  }
+
+  Ok((TypedHeader(ContentType::json()), res??))
+}
+
+#[instrument(name = "WriteRequest", skip(user), fields(user_id = user.id))]
+async fn task(
+  req_id: Uuid,
+  request: WriteRequest,
+  user: User,
+) -> anyhow::Result<String> {
+  info!("/write request | user: {}", user.username);
+
+  let timer = Instant::now();
+
+  let res =
+    State
+      .resolve_request(request, user)
+      .await
+      .map_err(|e| match e {
+        resolver_api::Error::Serialization(e) => {
+          anyhow!("{e:?}").context("response serialization error")
+        }
+        resolver_api::Error::Inner(e) => e,
+      });
+
+  if let Err(e) = &res {
+    warn!("/write request {req_id} error: {e:#}");
+  }
+
+  let elapsed = timer.elapsed();
+  debug!("/write request {req_id} | resolve time: {elapsed:?}");
+
+  res
+}

bin/core/src/api/write/permissions.rs

@@ -0,0 +1,323 @@
+use std::str::FromStr;
+
+use anyhow::{anyhow, Context};
+use monitor_client::{
+  api::write::{
+    UpdatePermissionOnTarget, UpdatePermissionOnTargetResponse,
+    UpdateUserBasePermissions, UpdateUserBasePermissionsResponse,
+  },
+  entities::{
+    permission::{UserTarget, UserTargetVariant},
+    update::{ResourceTarget, ResourceTargetVariant},
+    user::User,
+  },
+};
+use mungos::{
+  by_id::{find_one_by_id, update_one_by_id},
+  mongodb::{
+    bson::{doc, oid::ObjectId, Document},
+    options::UpdateOptions,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::query::get_user,
+  state::{db_client, State},
+};
+
+impl Resolve<UpdateUserBasePermissions, User> for State {
+  #[instrument(name = "UpdateUserBasePermissions", skip(self, admin))]
+  async fn resolve(
+    &self,
+    UpdateUserBasePermissions {
+      user_id,
+      enabled,
+      create_servers,
+      create_builds,
+    }: UpdateUserBasePermissions,
+    admin: User,
+  ) -> anyhow::Result<UpdateUserBasePermissionsResponse> {
+    if !admin.admin {
+      return Err(anyhow!("this method is admin only"));
+    }
+    let user = find_one_by_id(&db_client().await.users, &user_id)
+      .await
+      .context("failed to query mongo for user")?
+      .context("did not find user with given id")?;
+    if user.admin {
+      return Err(anyhow!(
+        "cannot use this method to update other admins permissions"
+      ));
+    }
+    let mut update_doc = Document::new();
+    if let Some(enabled) = enabled {
+      update_doc.insert("enabled", enabled);
+    }
+    if let Some(create_servers) = create_servers {
+      update_doc.insert("create_server_permissions", create_servers);
+    }
+    if let Some(create_builds) = create_builds {
+      update_doc.insert("create_build_permissions", create_builds);
+    }
+
+    update_one_by_id(
+      &db_client().await.users,
+      &user_id,
+      mungos::update::Update::Set(update_doc),
+      None,
+    )
+    .await?;
+
+    Ok(UpdateUserBasePermissionsResponse {})
+  }
+}
+
+impl Resolve<UpdatePermissionOnTarget, User> for State {
+  #[instrument(name = "UpdatePermissionOnTarget", skip(self, admin))]
+  async fn resolve(
+    &self,
+    UpdatePermissionOnTarget {
+      user_target,
+      resource_target,
+      permission,
+    }: UpdatePermissionOnTarget,
+    admin: User,
+  ) -> anyhow::Result<UpdatePermissionOnTargetResponse> {
+    if !admin.admin {
+      return Err(anyhow!("this method is admin only"));
+    }
+
+    // Some extra checks if user target is an actual User
+    if let UserTarget::User(user_id) = &user_target {
+      let user = get_user(user_id).await?;
+      if user.admin {
+        return Err(anyhow!(
+          "cannot use this method to update other admins permissions"
+        ));
+      }
+      if !user.enabled {
+        return Err(anyhow!("user not enabled"));
+      }
+    }
+
+    let (user_target_variant, user_target_id) =
+      extract_user_target_with_validation(&user_target).await?;
+    let (resource_variant, resource_id) =
+      extract_resource_target_with_validation(&resource_target)
+        .await?;
+
+    let (user_target_variant, resource_variant) =
+      (user_target_variant.as_ref(), resource_variant.as_ref());
+
+    db_client()
+      .await
+      .permissions
+      .update_one(
+        doc! {
+          "user_target.type": user_target_variant,
+          "user_target.id": &user_target_id,
+          "resource_target.type": resource_variant,
+          "resource_target.id": &resource_id
+        },
+        doc! {
+          "$set": {
+            "user_target.type": user_target_variant,
+            "user_target.id": user_target_id,
+            "resource_target.type": resource_variant,
+            "resource_target.id": resource_id,
+            "level": permission.as_ref(),
+          }
+        },
+        UpdateOptions::builder().upsert(true).build(),
+      )
+      .await?;
+
+    Ok(UpdatePermissionOnTargetResponse {})
+  }
+}
+
+/// checks if inner id is actually a `name`, and replaces it with id if so.
+async fn extract_user_target_with_validation(
+  user_target: &UserTarget,
+) -> anyhow::Result<(UserTargetVariant, String)> {
+  match user_target {
+    UserTarget::User(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "username": ident },
+      };
+      let id = db_client()
+        .await
+        .users
+        .find_one(filter, None)
+        .await
+        .context("failed to query db for users")?
+        .context("no matching user found")?
+        .id;
+      Ok((UserTargetVariant::User, id))
+    }
+    UserTarget::UserGroup(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .await
+        .user_groups
+        .find_one(filter, None)
+        .await
+        .context("failed to query db for user_groups")?
+        .context("no matching user_group found")?
+        .id;
+      Ok((UserTargetVariant::UserGroup, id))
+    }
+  }
+}
+
+/// checks if inner id is actually a `name`, and replaces it with id if so.
+async fn extract_resource_target_with_validation(
+  resource_target: &ResourceTarget,
+) -> anyhow::Result<(ResourceTargetVariant, String)> {
+  match resource_target {
+    ResourceTarget::System(_) => {
+      let res = resource_target.extract_variant_id();
+      Ok((res.0, res.1.clone()))
+    }
+    ResourceTarget::Build(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .await
+        .builds
+        .find_one(filter, None)
+        .await
+        .context("failed to query db for builds")?
+        .context("no matching build found")?
+        .id;
+      Ok((ResourceTargetVariant::Build, id))
+    }
+    ResourceTarget::Builder(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .await
+        .builders
+        .find_one(filter, None)
+        .await
+        .context("failed to query db for builders")?
+        .context("no matching builder found")?
+        .id;
+      Ok((ResourceTargetVariant::Builder, id))
+    }
+    ResourceTarget::Deployment(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .await
+        .deployments
+        .find_one(filter, None)
+        .await
+        .context("failed to query db for deployments")?
+        .context("no matching deployment found")?
+        .id;
+      Ok((ResourceTargetVariant::Deployment, id))
+    }
+    ResourceTarget::Server(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .await
+        .servers
+        .find_one(filter, None)
+        .await
+        .context("failed to query db for servers")?
+        .context("no matching server found")?
+        .id;
+      Ok((ResourceTargetVariant::Server, id))
+    }
+    ResourceTarget::Repo(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .await
+        .repos
+        .find_one(filter, None)
+        .await
+        .context("failed to query db for repos")?
+        .context("no matching repo found")?
+        .id;
+      Ok((ResourceTargetVariant::Repo, id))
+    }
+    ResourceTarget::Alerter(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .await
+        .alerters
+        .find_one(filter, None)
+        .await
+        .context("failed to query db for alerters")?
+        .context("no matching alerter found")?
+        .id;
+      Ok((ResourceTargetVariant::Alerter, id))
+    }
+    ResourceTarget::Procedure(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .await
+        .procedures
+        .find_one(filter, None)
+        .await
+        .context("failed to query db for procedures")?
+        .context("no matching procedure found")?
+        .id;
+      Ok((ResourceTargetVariant::Procedure, id))
+    }
+    ResourceTarget::ServerTemplate(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .await
+        .server_templates
+        .find_one(filter, None)
+        .await
+        .context("failed to query db for server templates")?
+        .context("no matching server template found")?
+        .id;
+      Ok((ResourceTargetVariant::ServerTemplate, id))
+    }
+    ResourceTarget::ResourceSync(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .await
+        .resource_syncs
+        .find_one(filter, None)
+        .await
+        .context("failed to query db for resource syncs")?
+        .context("no matching resource sync found")?
+        .id;
+      Ok((ResourceTargetVariant::ResourceSync, id))
+    }
+  }
+}

bin/core/src/api/write/procedure.rs

@@ -0,0 +1,60 @@
+use monitor_client::{
+  api::write::*,
+  entities::{
+    permission::PermissionLevel, procedure::Procedure, user::User,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{resource, state::State};
+
+impl Resolve<CreateProcedure, User> for State {
+  #[instrument(name = "CreateProcedure", skip(self, user))]
+  async fn resolve(
+    &self,
+    CreateProcedure { name, config }: CreateProcedure,
+    user: User,
+  ) -> anyhow::Result<CreateProcedureResponse> {
+    resource::create::<Procedure>(&name, config, &user).await
+  }
+}
+
+impl Resolve<CopyProcedure, User> for State {
+  #[instrument(name = "CopyProcedure", skip(self, user))]
+  async fn resolve(
+    &self,
+    CopyProcedure { name, id }: CopyProcedure,
+    user: User,
+  ) -> anyhow::Result<CopyProcedureResponse> {
+    let Procedure { config, .. } =
+      resource::get_check_permissions::<Procedure>(
+        &id,
+        &user,
+        PermissionLevel::Write,
+      )
+      .await?;
+    resource::create::<Procedure>(&name, config.into(), &user).await
+  }
+}
+
+impl Resolve<UpdateProcedure, User> for State {
+  #[instrument(name = "UpdateProcedure", skip(self, user))]
+  async fn resolve(
+    &self,
+    UpdateProcedure { id, config }: UpdateProcedure,
+    user: User,
+  ) -> anyhow::Result<UpdateProcedureResponse> {
+    resource::update::<Procedure>(&id, config, &user).await
+  }
+}
+
+impl Resolve<DeleteProcedure, User> for State {
+  #[instrument(name = "DeleteProcedure", skip(self, user))]
+  async fn resolve(
+    &self,
+    DeleteProcedure { id }: DeleteProcedure,
+    user: User,
+  ) -> anyhow::Result<DeleteProcedureResponse> {
+    resource::delete::<Procedure>(&id, &user).await
+  }
+}

bin/core/src/api/write/repo.rs

@@ -0,0 +1,58 @@
+use monitor_client::{
+  api::write::*,
+  entities::{permission::PermissionLevel, repo::Repo, user::User},
+};
+use resolver_api::Resolve;
+
+use crate::{resource, state::State};
+
+impl Resolve<CreateRepo, User> for State {
+  #[instrument(name = "CreateRepo", skip(self, user))]
+  async fn resolve(
+    &self,
+    CreateRepo { name, config }: CreateRepo,
+    user: User,
+  ) -> anyhow::Result<Repo> {
+    resource::create::<Repo>(&name, config, &user).await
+  }
+}
+
+impl Resolve<CopyRepo, User> for State {
+  #[instrument(name = "CopyRepo", skip(self, user))]
+  async fn resolve(
+    &self,
+    CopyRepo { name, id }: CopyRepo,
+    user: User,
+  ) -> anyhow::Result<Repo> {
+    let Repo { config, .. } =
+      resource::get_check_permissions::<Repo>(
+        &id,
+        &user,
+        PermissionLevel::Write,
+      )
+      .await?;
+    resource::create::<Repo>(&name, config.into(), &user).await
+  }
+}
+
+impl Resolve<DeleteRepo, User> for State {
+  #[instrument(name = "DeleteRepo", skip(self, user))]
+  async fn resolve(
+    &self,
+    DeleteRepo { id }: DeleteRepo,
+    user: User,
+  ) -> anyhow::Result<Repo> {
+    resource::delete::<Repo>(&id, &user).await
+  }
+}
+
+impl Resolve<UpdateRepo, User> for State {
+  #[instrument(name = "UpdateRepo", skip(self, user))]
+  async fn resolve(
+    &self,
+    UpdateRepo { id, config }: UpdateRepo,
+    user: User,
+  ) -> anyhow::Result<Repo> {
+    resource::update::<Repo>(&id, config, &user).await
+  }
+}

bin/core/src/api/write/server.rs

@@ -0,0 +1,165 @@
+use anyhow::Context;
+use formatting::format_serror;
+use monitor_client::{
+  api::write::*,
+  entities::{
+    monitor_timestamp,
+    permission::PermissionLevel,
+    server::Server,
+    update::{Update, UpdateStatus},
+    user::User,
+    Operation,
+  },
+};
+use mungos::{by_id::update_one_by_id, mongodb::bson::doc};
+use periphery_client::api;
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::{
+    periphery_client,
+    update::{add_update, make_update, update_update},
+  },
+  resource,
+  state::{db_client, State},
+};
+
+impl Resolve<CreateServer, User> for State {
+  #[instrument(name = "CreateServer", skip(self, user))]
+  async fn resolve(
+    &self,
+    CreateServer { name, config }: CreateServer,
+    user: User,
+  ) -> anyhow::Result<Server> {
+    resource::create::<Server>(&name, config, &user).await
+  }
+}
+
+impl Resolve<DeleteServer, User> for State {
+  #[instrument(name = "DeleteServer", skip(self, user))]
+  async fn resolve(
+    &self,
+    DeleteServer { id }: DeleteServer,
+    user: User,
+  ) -> anyhow::Result<Server> {
+    resource::delete::<Server>(&id, &user).await
+  }
+}
+
+impl Resolve<UpdateServer, User> for State {
+  #[instrument(name = "UpdateServer", skip(self, user))]
+  async fn resolve(
+    &self,
+    UpdateServer { id, config }: UpdateServer,
+    user: User,
+  ) -> anyhow::Result<Server> {
+    resource::update::<Server>(&id, config, &user).await
+  }
+}
+
+impl Resolve<RenameServer, User> for State {
+  #[instrument(name = "RenameServer", skip(self, user))]
+  async fn resolve(
+    &self,
+    RenameServer { id, name }: RenameServer,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    let server = resource::get_check_permissions::<Server>(
+      &id,
+      &user,
+      PermissionLevel::Write,
+    )
+    .await?;
+    let mut update =
+      make_update(&server, Operation::RenameServer, &user);
+
+    update_one_by_id(&db_client().await.servers, &id, mungos::update::Update::Set(doc! { "name": &name, "updated_at": monitor_timestamp() }), None)
+      .await
+      .context("failed to update server on db. this name may already be taken.")?;
+    update.push_simple_log(
+      "rename server",
+      format!("renamed server {id} from {} to {name}", server.name),
+    );
+    update.finalize();
+    update.id = add_update(update.clone()).await?;
+    Ok(update)
+  }
+}
+
+impl Resolve<CreateNetwork, User> for State {
+  #[instrument(name = "CreateNetwork", skip(self, user))]
+  async fn resolve(
+    &self,
+    CreateNetwork { server, name }: CreateNetwork,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Write,
+    )
+    .await?;
+
+    let periphery = periphery_client(&server)?;
+
+    let mut update =
+      make_update(&server, Operation::CreateNetwork, &user);
+    update.status = UpdateStatus::InProgress;
+    update.id = add_update(update.clone()).await?;
+
+    match periphery
+      .request(api::network::CreateNetwork { name, driver: None })
+      .await
+    {
+      Ok(log) => update.logs.push(log),
+      Err(e) => update.push_error_log(
+        "create network",
+        format_serror(&e.context("failed to create network").into()),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<DeleteNetwork, User> for State {
+  #[instrument(name = "DeleteNetwork", skip(self, user))]
+  async fn resolve(
+    &self,
+    DeleteNetwork { server, name }: DeleteNetwork,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    let server = resource::get_check_permissions::<Server>(
+      &server,
+      &user,
+      PermissionLevel::Write,
+    )
+    .await?;
+
+    let periphery = periphery_client(&server)?;
+
+    let mut update =
+      make_update(&server, Operation::DeleteNetwork, &user);
+    update.status = UpdateStatus::InProgress;
+    update.id = add_update(update.clone()).await?;
+
+    match periphery
+      .request(api::network::DeleteNetwork { name })
+      .await
+    {
+      Ok(log) => update.logs.push(log),
+      Err(e) => update.push_error_log(
+        "delete network",
+        format_serror(&e.context("failed to delete network").into()),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}

bin/core/src/api/write/server_template.rs

@@ -0,0 +1,65 @@
+use monitor_client::{
+  api::write::{
+    CopyServerTemplate, CreateServerTemplate, DeleteServerTemplate,
+    UpdateServerTemplate,
+  },
+  entities::{
+    permission::PermissionLevel, server_template::ServerTemplate,
+    user::User,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{resource, state::State};
+
+impl Resolve<CreateServerTemplate, User> for State {
+  #[instrument(name = "CreateServerTemplate", skip(self, user))]
+  async fn resolve(
+    &self,
+    CreateServerTemplate { name, config }: CreateServerTemplate,
+    user: User,
+  ) -> anyhow::Result<ServerTemplate> {
+    resource::create::<ServerTemplate>(&name, config, &user).await
+  }
+}
+
+impl Resolve<CopyServerTemplate, User> for State {
+  #[instrument(name = "CopyServerTemplate", skip(self, user))]
+  async fn resolve(
+    &self,
+    CopyServerTemplate { name, id }: CopyServerTemplate,
+    user: User,
+  ) -> anyhow::Result<ServerTemplate> {
+    let ServerTemplate { config, .. } =
+      resource::get_check_permissions::<ServerTemplate>(
+        &id,
+        &user,
+        PermissionLevel::Write,
+      )
+      .await?;
+    resource::create::<ServerTemplate>(&name, config.into(), &user)
+      .await
+  }
+}
+
+impl Resolve<DeleteServerTemplate, User> for State {
+  #[instrument(name = "DeleteServerTemplate", skip(self, user))]
+  async fn resolve(
+    &self,
+    DeleteServerTemplate { id }: DeleteServerTemplate,
+    user: User,
+  ) -> anyhow::Result<ServerTemplate> {
+    resource::delete::<ServerTemplate>(&id, &user).await
+  }
+}
+
+impl Resolve<UpdateServerTemplate, User> for State {
+  #[instrument(name = "UpdateServerTemplate", skip(self, user))]
+  async fn resolve(
+    &self,
+    UpdateServerTemplate { id, config }: UpdateServerTemplate,
+    user: User,
+  ) -> anyhow::Result<ServerTemplate> {
+    resource::update::<ServerTemplate>(&id, config, &user).await
+  }
+}

bin/core/src/api/write/service_user.rs

@@ -0,0 +1,176 @@
+use std::str::FromStr;
+
+use anyhow::{anyhow, Context};
+use monitor_client::{
+  api::{
+    user::CreateApiKey,
+    write::{
+      CreateApiKeyForServiceUser, CreateApiKeyForServiceUserResponse,
+      CreateServiceUser, CreateServiceUserResponse,
+      DeleteApiKeyForServiceUser, DeleteApiKeyForServiceUserResponse,
+      UpdateServiceUserDescription,
+      UpdateServiceUserDescriptionResponse,
+    },
+  },
+  entities::{
+    monitor_timestamp,
+    user::{User, UserConfig},
+  },
+};
+use mungos::{
+  by_id::find_one_by_id,
+  mongodb::bson::{doc, oid::ObjectId},
+};
+use resolver_api::Resolve;
+
+use crate::state::{db_client, State};
+
+impl Resolve<CreateServiceUser, User> for State {
+  #[instrument(name = "CreateServiceUser", skip(self, user))]
+  async fn resolve(
+    &self,
+    CreateServiceUser {
+      username,
+      description,
+    }: CreateServiceUser,
+    user: User,
+  ) -> anyhow::Result<CreateServiceUserResponse> {
+    if !user.admin {
+      return Err(anyhow!("user not admin"));
+    }
+    if ObjectId::from_str(&username).is_ok() {
+      return Err(anyhow!("username cannot be valid ObjectId"));
+    }
+    let config = UserConfig::Service { description };
+    let mut user = User {
+      id: Default::default(),
+      username,
+      config,
+      enabled: true,
+      admin: false,
+      create_server_permissions: false,
+      create_build_permissions: false,
+      last_update_view: 0,
+      recent_servers: Vec::new(),
+      recent_deployments: Vec::new(),
+      recent_builds: Vec::new(),
+      recent_repos: Vec::new(),
+      recent_procedures: Vec::new(),
+      updated_at: monitor_timestamp(),
+    };
+    user.id = db_client()
+      .await
+      .users
+      .insert_one(&user, None)
+      .await
+      .context("failed to create service user on db")?
+      .inserted_id
+      .as_object_id()
+      .context("inserted id is not object id")?
+      .to_string();
+    Ok(user)
+  }
+}
+
+impl Resolve<UpdateServiceUserDescription, User> for State {
+  #[instrument(
+    name = "UpdateServiceUserDescription",
+    skip(self, user)
+  )]
+  async fn resolve(
+    &self,
+    UpdateServiceUserDescription {
+      username,
+      description,
+    }: UpdateServiceUserDescription,
+    user: User,
+  ) -> anyhow::Result<UpdateServiceUserDescriptionResponse> {
+    if !user.admin {
+      return Err(anyhow!("user not admin"));
+    }
+    let db = db_client().await;
+    let service_user = db
+      .users
+      .find_one(doc! { "username": &username }, None)
+      .await
+      .context("failed to query db for user")?
+      .context("no user with given username")?;
+    let UserConfig::Service { .. } = &service_user.config else {
+      return Err(anyhow!("user is not service user"));
+    };
+    db.users
+      .update_one(
+        doc! { "username": &username },
+        doc! { "$set": { "config.data.description": description } },
+        None,
+      )
+      .await
+      .context("failed to update user on db")?;
+    db.users
+      .find_one(doc! { "username": &username }, None)
+      .await
+      .context("failed to query db for user")?
+      .context("user with username not found")
+  }
+}
+
+impl Resolve<CreateApiKeyForServiceUser, User> for State {
+  #[instrument(name = "CreateApiKeyForServiceUser", skip(self, user))]
+  async fn resolve(
+    &self,
+    CreateApiKeyForServiceUser {
+      user_id,
+      name,
+      expires,
+    }: CreateApiKeyForServiceUser,
+    user: User,
+  ) -> anyhow::Result<CreateApiKeyForServiceUserResponse> {
+    if !user.admin {
+      return Err(anyhow!("user not admin"));
+    }
+    let service_user =
+      find_one_by_id(&db_client().await.users, &user_id)
+        .await
+        .context("failed to query db for user")?
+        .context("no user found with id")?;
+    let UserConfig::Service { .. } = &service_user.config else {
+      return Err(anyhow!("user is not service user"));
+    };
+    self
+      .resolve(CreateApiKey { name, expires }, service_user)
+      .await
+  }
+}
+
+impl Resolve<DeleteApiKeyForServiceUser, User> for State {
+  #[instrument(name = "DeleteApiKeyForServiceUser", skip(self, user))]
+  async fn resolve(
+    &self,
+    DeleteApiKeyForServiceUser { key }: DeleteApiKeyForServiceUser,
+    user: User,
+  ) -> anyhow::Result<DeleteApiKeyForServiceUserResponse> {
+    if !user.admin {
+      return Err(anyhow!("user not admin"));
+    }
+    let db = db_client().await;
+    let api_key = db
+      .api_keys
+      .find_one(doc! { "key": &key }, None)
+      .await
+      .context("failed to query db for api key")?
+      .context("did not find matching api key")?;
+    let service_user =
+      find_one_by_id(&db_client().await.users, &api_key.user_id)
+        .await
+        .context("failed to query db for user")?
+        .context("no user found with id")?;
+    let UserConfig::Service { .. } = &service_user.config else {
+      return Err(anyhow!("user is not service user"));
+    };
+    db.api_keys
+      .delete_one(doc! { "key": key }, None)
+      .await
+      .context("failed to delete api key on db")?;
+    Ok(DeleteApiKeyForServiceUserResponse {})
+  }
+}

bin/core/src/api/write/sync.rs

@@ -0,0 +1,325 @@
+use anyhow::{anyhow, Context};
+use formatting::format_serror;
+use monitor_client::{
+  api::write::*,
+  entities::{
+    self,
+    alert::{Alert, AlertData},
+    alerter::Alerter,
+    build::Build,
+    builder::Builder,
+    monitor_timestamp,
+    permission::PermissionLevel,
+    procedure::Procedure,
+    repo::Repo,
+    server::{stats::SeverityLevel, Server},
+    server_template::ServerTemplate,
+    sync::{
+      PendingSyncUpdates, PendingSyncUpdatesData,
+      PendingSyncUpdatesDataErr, PendingSyncUpdatesDataOk,
+      ResourceSync,
+    },
+    update::ResourceTarget,
+    user::User,
+  },
+};
+use mungos::{
+  by_id::update_one_by_id,
+  mongodb::bson::{doc, to_document},
+};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::{
+    alert::send_alerts,
+    query::get_id_to_tags,
+    sync::{
+      deployment,
+      resource::{get_updates_for_view, AllResourcesById},
+    },
+  },
+  resource,
+  state::{db_client, State},
+};
+
+impl Resolve<CreateResourceSync, User> for State {
+  #[instrument(name = "CreateResourceSync", skip(self, user))]
+  async fn resolve(
+    &self,
+    CreateResourceSync { name, config }: CreateResourceSync,
+    user: User,
+  ) -> anyhow::Result<ResourceSync> {
+    resource::create::<ResourceSync>(&name, config, &user).await
+  }
+}
+
+impl Resolve<CopyResourceSync, User> for State {
+  #[instrument(name = "CopyResourceSync", skip(self, user))]
+  async fn resolve(
+    &self,
+    CopyResourceSync { name, id }: CopyResourceSync,
+    user: User,
+  ) -> anyhow::Result<ResourceSync> {
+    let ResourceSync { config, .. } =
+      resource::get_check_permissions::<ResourceSync>(
+        &id,
+        &user,
+        PermissionLevel::Write,
+      )
+      .await?;
+    resource::create::<ResourceSync>(&name, config.into(), &user)
+      .await
+  }
+}
+
+impl Resolve<DeleteResourceSync, User> for State {
+  #[instrument(name = "DeleteResourceSync", skip(self, user))]
+  async fn resolve(
+    &self,
+    DeleteResourceSync { id }: DeleteResourceSync,
+    user: User,
+  ) -> anyhow::Result<ResourceSync> {
+    resource::delete::<ResourceSync>(&id, &user).await
+  }
+}
+
+impl Resolve<UpdateResourceSync, User> for State {
+  #[instrument(name = "UpdateResourceSync", skip(self, user))]
+  async fn resolve(
+    &self,
+    UpdateResourceSync { id, config }: UpdateResourceSync,
+    user: User,
+  ) -> anyhow::Result<ResourceSync> {
+    resource::update::<ResourceSync>(&id, config, &user).await
+  }
+}
+
+impl Resolve<RefreshResourceSyncPending, User> for State {
+  async fn resolve(
+    &self,
+    RefreshResourceSyncPending { sync }: RefreshResourceSyncPending,
+    user: User,
+  ) -> anyhow::Result<ResourceSync> {
+    // Even though this is a write request, this doesn't change any config. Anyone that can execute the
+    // sync should be able to do this.
+    let sync = resource::get_check_permissions::<
+      entities::sync::ResourceSync,
+    >(&sync, &user, PermissionLevel::Execute)
+    .await?;
+
+    if sync.config.repo.is_empty() {
+      return Err(anyhow!("resource sync repo not configured"));
+    }
+
+    let res = async {
+      let (res, _, hash, message) =
+        crate::helpers::sync::remote::get_remote_resources(&sync)
+          .await
+          .context("failed to get remote resources")?;
+      let resources = res?;
+
+      let all_resources = AllResourcesById::load().await?;
+      let id_to_tags = get_id_to_tags(None).await?;
+
+      let data = PendingSyncUpdatesDataOk {
+        server_updates: get_updates_for_view::<Server>(
+          resources.servers,
+          sync.config.delete,
+          &all_resources,
+          &id_to_tags,
+        )
+        .await
+        .context("failed to get server updates")?,
+        deployment_updates: deployment::get_updates_for_view(
+          resources.deployments,
+          sync.config.delete,
+          &all_resources,
+          &id_to_tags,
+        )
+        .await
+        .context("failed to get deployment updates")?,
+        build_updates: get_updates_for_view::<Build>(
+          resources.builds,
+          sync.config.delete,
+          &all_resources,
+          &id_to_tags,
+        )
+        .await
+        .context("failed to get build updates")?,
+        repo_updates: get_updates_for_view::<Repo>(
+          resources.repos,
+          sync.config.delete,
+          &all_resources,
+          &id_to_tags,
+        )
+        .await
+        .context("failed to get repo updates")?,
+        procedure_updates: get_updates_for_view::<Procedure>(
+          resources.procedures,
+          sync.config.delete,
+          &all_resources,
+          &id_to_tags,
+        )
+        .await
+        .context("failed to get procedure updates")?,
+        alerter_updates: get_updates_for_view::<Alerter>(
+          resources.alerters,
+          sync.config.delete,
+          &all_resources,
+          &id_to_tags,
+        )
+        .await
+        .context("failed to get alerter updates")?,
+        builder_updates: get_updates_for_view::<Builder>(
+          resources.builders,
+          sync.config.delete,
+          &all_resources,
+          &id_to_tags,
+        )
+        .await
+        .context("failed to get builder updates")?,
+        server_template_updates:
+          get_updates_for_view::<ServerTemplate>(
+            resources.server_templates,
+            sync.config.delete,
+            &all_resources,
+            &id_to_tags,
+          )
+          .await
+          .context("failed to get server template updates")?,
+        resource_sync_updates: get_updates_for_view::<
+          entities::sync::ResourceSync,
+        >(
+          resources.resource_syncs,
+          sync.config.delete,
+          &all_resources,
+          &id_to_tags,
+        )
+        .await
+        .context("failed to get resource sync updates")?,
+        variable_updates:
+          crate::helpers::sync::variables::get_updates_for_view(
+            resources.variables,
+            sync.config.delete,
+          )
+          .await
+          .context("failed to get variable updates")?,
+        user_group_updates:
+          crate::helpers::sync::user_groups::get_updates_for_view(
+            resources.user_groups,
+            sync.config.delete,
+            &all_resources,
+          )
+          .await
+          .context("failed to get user group updates")?,
+      };
+      anyhow::Ok((hash, message, data))
+    }
+    .await;
+
+    let (pending, has_updates) = match res {
+      Ok((hash, message, data)) => {
+        let has_updates = !data.no_updates();
+        (
+          PendingSyncUpdates {
+            hash: Some(hash),
+            message: Some(message),
+            data: PendingSyncUpdatesData::Ok(data),
+          },
+          has_updates,
+        )
+      }
+      Err(e) => (
+        PendingSyncUpdates {
+          hash: None,
+          message: None,
+          data: PendingSyncUpdatesData::Err(
+            PendingSyncUpdatesDataErr {
+              message: format_serror(&e.into()),
+            },
+          ),
+        },
+        false,
+      ),
+    };
+
+    let pending = to_document(&pending)
+      .context("failed to serialize pending to document")?;
+
+    update_one_by_id(
+      &db_client().await.resource_syncs,
+      &sync.id,
+      doc! { "$set": { "info.pending": pending } },
+      None,
+    )
+    .await?;
+
+    // check to update alert
+    let id = sync.id.clone();
+    let name = sync.name.clone();
+    tokio::task::spawn(async move {
+      let db = db_client().await;
+      let Some(existing) = db_client()
+        .await
+        .alerts
+        .find_one(
+          doc! {
+            "resolved": false,
+            "target.type": "ResourceSync",
+            "target.id": &id,
+          },
+          None,
+        )
+        .await
+        .context("failed to query db for alert")
+        .inspect_err(|e| warn!("{e:#}"))
+        .ok()
+      else {
+        return;
+      };
+      match (existing, has_updates) {
+        // OPEN A NEW ALERT
+        (None, true) => {
+          let alert = Alert {
+            id: Default::default(),
+            ts: monitor_timestamp(),
+            resolved: false,
+            level: SeverityLevel::Ok,
+            target: ResourceTarget::ResourceSync(id.clone()),
+            data: AlertData::ResourceSyncPendingUpdates { id, name },
+            resolved_ts: None,
+          };
+          db.alerts
+            .insert_one(&alert, None)
+            .await
+            .context("failed to open existing pending resource sync updates alert")
+            .inspect_err(|e| warn!("{e:#}"))
+            .ok();
+          send_alerts(&[alert]).await;
+        }
+        // CLOSE ALERT
+        (Some(existing), false) => {
+          update_one_by_id(
+            &db.alerts,
+            &existing.id,
+            doc! {
+              "$set": {
+                "resolved": true,
+                "resolved_ts": monitor_timestamp()
+              }
+            },
+            None,
+          )
+          .await
+          .context("failed to close existing pending resource sync updates alert")
+          .inspect_err(|e| warn!("{e:#}"))
+          .ok();
+        }
+        // NOTHING TO DO
+        _ => {}
+      }
+    });
+
+    crate::resource::get::<ResourceSync>(&sync.id).await
+  }
+}

bin/core/src/api/write/tag.rs

@@ -0,0 +1,206 @@
+use std::str::FromStr;
+
+use anyhow::{anyhow, Context};
+use monitor_client::{
+  api::write::{
+    CreateTag, DeleteTag, RenameTag, UpdateTagsOnResource,
+    UpdateTagsOnResourceResponse,
+  },
+  entities::{
+    alerter::Alerter, build::Build, builder::Builder,
+    deployment::Deployment, permission::PermissionLevel,
+    procedure::Procedure, repo::Repo, server::Server,
+    server_template::ServerTemplate, sync::ResourceSync, tag::Tag,
+    update::ResourceTarget, user::User,
+  },
+};
+use mungos::{
+  by_id::{delete_one_by_id, update_one_by_id},
+  mongodb::bson::{doc, oid::ObjectId},
+};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::query::{get_tag, get_tag_check_owner},
+  resource,
+  state::{db_client, State},
+};
+
+impl Resolve<CreateTag, User> for State {
+  #[instrument(name = "CreateTag", skip(self, user))]
+  async fn resolve(
+    &self,
+    CreateTag { name }: CreateTag,
+    user: User,
+  ) -> anyhow::Result<Tag> {
+    if ObjectId::from_str(&name).is_ok() {
+      return Err(anyhow!("tag name cannot be ObjectId"));
+    }
+
+    let mut tag = Tag {
+      id: Default::default(),
+      name,
+      owner: user.id.clone(),
+    };
+
+    tag.id = db_client()
+      .await
+      .tags
+      .insert_one(&tag, None)
+      .await
+      .context("failed to create tag on db")?
+      .inserted_id
+      .as_object_id()
+      .context("inserted_id is not ObjectId")?
+      .to_string();
+
+    Ok(tag)
+  }
+}
+
+impl Resolve<RenameTag, User> for State {
+  async fn resolve(
+    &self,
+    RenameTag { id, name }: RenameTag,
+    user: User,
+  ) -> anyhow::Result<Tag> {
+    if ObjectId::from_str(&name).is_ok() {
+      return Err(anyhow!("tag name cannot be ObjectId"));
+    }
+
+    get_tag_check_owner(&id, &user).await?;
+
+    update_one_by_id(
+      &db_client().await.tags,
+      &id,
+      doc! { "$set": { "name": name } },
+      None,
+    )
+    .await
+    .context("failed to rename tag on db")?;
+
+    get_tag(&id).await
+  }
+}
+
+impl Resolve<DeleteTag, User> for State {
+  #[instrument(name = "DeleteTag", skip(self, user))]
+  async fn resolve(
+    &self,
+    DeleteTag { id }: DeleteTag,
+    user: User,
+  ) -> anyhow::Result<Tag> {
+    let tag = get_tag_check_owner(&id, &user).await?;
+
+    tokio::try_join!(
+      resource::remove_tag_from_all::<Server>(&id),
+      resource::remove_tag_from_all::<Deployment>(&id),
+      resource::remove_tag_from_all::<Build>(&id),
+      resource::remove_tag_from_all::<Repo>(&id),
+      resource::remove_tag_from_all::<Builder>(&id),
+      resource::remove_tag_from_all::<Alerter>(&id),
+      resource::remove_tag_from_all::<Procedure>(&id),
+      resource::remove_tag_from_all::<ServerTemplate>(&id),
+    )?;
+
+    delete_one_by_id(&db_client().await.tags, &id, None).await?;
+
+    Ok(tag)
+  }
+}
+
+impl Resolve<UpdateTagsOnResource, User> for State {
+  #[instrument(name = "UpdateTagsOnResource", skip(self, user))]
+  async fn resolve(
+    &self,
+    UpdateTagsOnResource { target, tags }: UpdateTagsOnResource,
+    user: User,
+  ) -> anyhow::Result<UpdateTagsOnResourceResponse> {
+    match target {
+      ResourceTarget::System(_) => return Err(anyhow!("")),
+      ResourceTarget::Build(id) => {
+        resource::get_check_permissions::<Build>(
+          &id,
+          &user,
+          PermissionLevel::Write,
+        )
+        .await?;
+        resource::update_tags::<Build>(&id, tags, user).await?;
+      }
+      ResourceTarget::Builder(id) => {
+        resource::get_check_permissions::<Builder>(
+          &id,
+          &user,
+          PermissionLevel::Write,
+        )
+        .await?;
+        resource::update_tags::<Builder>(&id, tags, user).await?
+      }
+      ResourceTarget::Deployment(id) => {
+        resource::get_check_permissions::<Deployment>(
+          &id,
+          &user,
+          PermissionLevel::Write,
+        )
+        .await?;
+        resource::update_tags::<Deployment>(&id, tags, user).await?
+      }
+      ResourceTarget::Server(id) => {
+        resource::get_check_permissions::<Server>(
+          &id,
+          &user,
+          PermissionLevel::Write,
+        )
+        .await?;
+        resource::update_tags::<Server>(&id, tags, user).await?
+      }
+      ResourceTarget::Repo(id) => {
+        resource::get_check_permissions::<Repo>(
+          &id,
+          &user,
+          PermissionLevel::Write,
+        )
+        .await?;
+        resource::update_tags::<Repo>(&id, tags, user).await?
+      }
+      ResourceTarget::Alerter(id) => {
+        resource::get_check_permissions::<Alerter>(
+          &id,
+          &user,
+          PermissionLevel::Write,
+        )
+        .await?;
+        resource::update_tags::<Alerter>(&id, tags, user).await?
+      }
+      ResourceTarget::Procedure(id) => {
+        resource::get_check_permissions::<Procedure>(
+          &id,
+          &user,
+          PermissionLevel::Write,
+        )
+        .await?;
+        resource::update_tags::<Procedure>(&id, tags, user).await?
+      }
+      ResourceTarget::ServerTemplate(id) => {
+        resource::get_check_permissions::<ServerTemplate>(
+          &id,
+          &user,
+          PermissionLevel::Write,
+        )
+        .await?;
+        resource::update_tags::<ServerTemplate>(&id, tags, user)
+          .await?
+      }
+      ResourceTarget::ResourceSync(id) => {
+        resource::get_check_permissions::<ResourceSync>(
+          &id,
+          &user,
+          PermissionLevel::Write,
+        )
+        .await?;
+        resource::update_tags::<ResourceSync>(&id, tags, user).await?
+      }
+    };
+    Ok(UpdateTagsOnResourceResponse {})
+  }
+}

bin/core/src/api/write/user_group.rs

@@ -0,0 +1,245 @@
+use std::{collections::HashMap, str::FromStr};
+
+use anyhow::{anyhow, Context};
+use monitor_client::{
+  api::write::{
+    AddUserToUserGroup, CreateUserGroup, DeleteUserGroup,
+    RemoveUserFromUserGroup, RenameUserGroup, SetUsersInUserGroup,
+  },
+  entities::{monitor_timestamp, user::User, user_group::UserGroup},
+};
+use mungos::{
+  by_id::{delete_one_by_id, find_one_by_id, update_one_by_id},
+  find::find_collect,
+  mongodb::bson::{doc, oid::ObjectId},
+};
+use resolver_api::Resolve;
+
+use crate::state::{db_client, State};
+
+impl Resolve<CreateUserGroup, User> for State {
+  async fn resolve(
+    &self,
+    CreateUserGroup { name }: CreateUserGroup,
+    admin: User,
+  ) -> anyhow::Result<UserGroup> {
+    if !admin.admin {
+      return Err(anyhow!("This call is admin-only"));
+    }
+    let user_group = UserGroup {
+      id: Default::default(),
+      users: Default::default(),
+      updated_at: monitor_timestamp(),
+      name,
+    };
+    let db = db_client().await;
+    let id = db
+      .user_groups
+      .insert_one(user_group, None)
+      .await
+      .context("failed to create UserGroup on db")?
+      .inserted_id
+      .as_object_id()
+      .context("inserted id is not ObjectId")?
+      .to_string();
+    find_one_by_id(&db.user_groups, &id)
+      .await
+      .context("failed to query db for user groups")?
+      .context("user group at id not found")
+  }
+}
+
+impl Resolve<RenameUserGroup, User> for State {
+  async fn resolve(
+    &self,
+    RenameUserGroup { id, name }: RenameUserGroup,
+    admin: User,
+  ) -> anyhow::Result<UserGroup> {
+    if !admin.admin {
+      return Err(anyhow!("This call is admin-only"));
+    }
+    let db = db_client().await;
+    update_one_by_id(
+      &db.user_groups,
+      &id,
+      doc! { "$set": { "name": name } },
+      None,
+    )
+    .await
+    .context("failed to rename UserGroup on db")?;
+    find_one_by_id(&db.user_groups, &id)
+      .await
+      .context("failed to query db for UserGroups")?
+      .context("no user group with given id")
+  }
+}
+
+impl Resolve<DeleteUserGroup, User> for State {
+  async fn resolve(
+    &self,
+    DeleteUserGroup { id }: DeleteUserGroup,
+    admin: User,
+  ) -> anyhow::Result<UserGroup> {
+    if !admin.admin {
+      return Err(anyhow!("This call is admin-only"));
+    }
+
+    let db = db_client().await;
+
+    let ug = find_one_by_id(&db.user_groups, &id)
+      .await
+      .context("failed to query db for UserGroups")?
+      .context("no UserGroup found with given id")?;
+
+    delete_one_by_id(&db.user_groups, &id, None)
+      .await
+      .context("failed to delete UserGroup from db")?;
+
+    db.permissions
+      .delete_many(doc! {
+        "user_target.type": "UserGroup",
+        "user_target.id": id,
+      }, None)
+      .await
+      .context("failed to clean up UserGroups permissions. User Group has been deleted")?;
+
+    Ok(ug)
+  }
+}
+
+impl Resolve<AddUserToUserGroup, User> for State {
+  async fn resolve(
+    &self,
+    AddUserToUserGroup { user_group, user }: AddUserToUserGroup,
+    admin: User,
+  ) -> anyhow::Result<UserGroup> {
+    if !admin.admin {
+      return Err(anyhow!("This call is admin-only"));
+    }
+
+    let db = db_client().await;
+
+    let filter = match ObjectId::from_str(&user) {
+      Ok(id) => doc! { "_id": id },
+      Err(_) => doc! { "username": &user },
+    };
+    let user = db
+      .users
+      .find_one(filter, None)
+      .await
+      .context("failed to query mongo for users")?
+      .context("no matching user found")?;
+
+    let filter = match ObjectId::from_str(&user_group) {
+      Ok(id) => doc! { "_id": id },
+      Err(_) => doc! { "name": &user_group },
+    };
+    db.user_groups
+      .update_one(
+        filter.clone(),
+        doc! { "$addToSet": { "users": &user.id } },
+        None,
+      )
+      .await
+      .context("failed to add user to group on db")?;
+    db.user_groups
+      .find_one(filter, None)
+      .await
+      .context("failed to query db for UserGroups")?
+      .context("no user group with given id")
+  }
+}
+
+impl Resolve<RemoveUserFromUserGroup, User> for State {
+  async fn resolve(
+    &self,
+    RemoveUserFromUserGroup {
+      user_group,
+      user,
+    }: RemoveUserFromUserGroup,
+    admin: User,
+  ) -> anyhow::Result<UserGroup> {
+    if !admin.admin {
+      return Err(anyhow!("This call is admin-only"));
+    }
+
+    let db = db_client().await;
+
+    let filter = match ObjectId::from_str(&user) {
+      Ok(id) => doc! { "_id": id },
+      Err(_) => doc! { "username": &user },
+    };
+    let user = db
+      .users
+      .find_one(filter, None)
+      .await
+      .context("failed to query mongo for users")?
+      .context("no matching user found")?;
+
+    let filter = match ObjectId::from_str(&user_group) {
+      Ok(id) => doc! { "_id": id },
+      Err(_) => doc! { "name": &user_group },
+    };
+    db.user_groups
+      .update_one(
+        filter.clone(),
+        doc! { "$pull": { "users": &user.id } },
+        None,
+      )
+      .await
+      .context("failed to add user to group on db")?;
+    db.user_groups
+      .find_one(filter, None)
+      .await
+      .context("failed to query db for UserGroups")?
+      .context("no user group with given id")
+  }
+}
+
+impl Resolve<SetUsersInUserGroup, User> for State {
+  async fn resolve(
+    &self,
+    SetUsersInUserGroup { user_group, users }: SetUsersInUserGroup,
+    admin: User,
+  ) -> anyhow::Result<UserGroup> {
+    if !admin.admin {
+      return Err(anyhow!("This call is admin-only"));
+    }
+
+    let db = db_client().await;
+
+    let all_users = find_collect(&db.users, None, None)
+      .await
+      .context("failed to query db for users")?
+      .into_iter()
+      .map(|u| (u.username, u.id))
+      .collect::<HashMap<_, _>>();
+
+    // Make sure all users are user ids
+    let users = users
+      .into_iter()
+      .filter_map(|user| match ObjectId::from_str(&user) {
+        Ok(_) => Some(user),
+        Err(_) => all_users.get(&user).cloned(),
+      })
+      .collect::<Vec<_>>();
+
+    let filter = match ObjectId::from_str(&user_group) {
+      Ok(id) => doc! { "_id": id },
+      Err(_) => doc! { "name": &user_group },
+    };
+    db.user_groups
+      .update_one(
+        filter.clone(),
+        doc! { "$set": { "users": users } },
+        None,
+      )
+      .await
+      .context("failed to add user to group on db")?;
+    db.user_groups
+      .find_one(filter, None)
+      .await
+      .context("failed to query db for UserGroups")?
+      .context("no user group with given id")
+  }
+}

bin/core/src/api/write/variable.rs

@@ -0,0 +1,169 @@
+use anyhow::{anyhow, Context};
+use monitor_client::{
+  api::write::{
+    CreateVariable, CreateVariableResponse, DeleteVariable,
+    DeleteVariableResponse, UpdateVariableDescription,
+    UpdateVariableDescriptionResponse, UpdateVariableValue,
+    UpdateVariableValueResponse,
+  },
+  entities::{
+    update::ResourceTarget, user::User, variable::Variable, Operation,
+  },
+};
+use mungos::mongodb::bson::doc;
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::{
+    query::get_variable,
+    update::{add_update, make_update},
+  },
+  state::{db_client, State},
+};
+
+impl Resolve<CreateVariable, User> for State {
+  async fn resolve(
+    &self,
+    CreateVariable {
+      name,
+      value,
+      description,
+    }: CreateVariable,
+    user: User,
+  ) -> anyhow::Result<CreateVariableResponse> {
+    if !user.admin {
+      return Err(anyhow!("only admins can create variables"));
+    }
+
+    let variable = Variable {
+      name,
+      value,
+      description,
+    };
+
+    db_client()
+      .await
+      .variables
+      .insert_one(&variable, None)
+      .await
+      .context("failed to create variable on db")?;
+
+    let mut update = make_update(
+      ResourceTarget::system(),
+      Operation::CreateVariable,
+      &user,
+    );
+
+    update
+      .push_simple_log("create variable", format!("{variable:#?}"));
+    update.finalize();
+
+    add_update(update).await?;
+
+    get_variable(&variable.name).await
+  }
+}
+
+impl Resolve<UpdateVariableValue, User> for State {
+  async fn resolve(
+    &self,
+    UpdateVariableValue { name, value }: UpdateVariableValue,
+    user: User,
+  ) -> anyhow::Result<UpdateVariableValueResponse> {
+    if !user.admin {
+      return Err(anyhow!("only admins can create variables"));
+    }
+
+    let variable = get_variable(&name).await?;
+
+    if value == variable.value {
+      return Err(anyhow!("no change"));
+    }
+
+    db_client()
+      .await
+      .variables
+      .update_one(
+        doc! { "name": &name },
+        doc! { "$set": { "value": &value } },
+        None,
+      )
+      .await
+      .context("failed to update variable value on db")?;
+
+    let mut update = make_update(
+      ResourceTarget::system(),
+      Operation::UpdateVariableValue,
+      &user,
+    );
+
+    update.push_simple_log(
+      "update variable value",
+      format!(
+        "<span class=\"text-muted-foreground\">variable</span>: '{name}'\n<span class=\"text-muted-foreground\">from</span>: <span class=\"text-red-500\">{}</span>\n<span class=\"text-muted-foreground\">to</span>:   <span class=\"text-green-500\">{value}</span>",
+        variable.value
+      ),
+    );
+    update.finalize();
+
+    add_update(update).await?;
+
+    get_variable(&name).await
+  }
+}
+
+impl Resolve<UpdateVariableDescription, User> for State {
+  async fn resolve(
+    &self,
+    UpdateVariableDescription { name, description }: UpdateVariableDescription,
+    user: User,
+  ) -> anyhow::Result<UpdateVariableDescriptionResponse> {
+    if !user.admin {
+      return Err(anyhow!("only admins can create variables"));
+    }
+    db_client()
+      .await
+      .variables
+      .update_one(
+        doc! { "name": &name },
+        doc! { "$set": { "description": &description } },
+        None,
+      )
+      .await
+      .context("failed to update variable description on db")?;
+    get_variable(&name).await
+  }
+}
+
+impl Resolve<DeleteVariable, User> for State {
+  async fn resolve(
+    &self,
+    DeleteVariable { name }: DeleteVariable,
+    user: User,
+  ) -> anyhow::Result<DeleteVariableResponse> {
+    if !user.admin {
+      return Err(anyhow!("only admins can create variables"));
+    }
+    let variable = get_variable(&name).await?;
+    db_client()
+      .await
+      .variables
+      .delete_one(doc! { "name": &name }, None)
+      .await
+      .context("failed to delete variable on db")?;
+
+    let mut update = make_update(
+      ResourceTarget::system(),
+      Operation::DeleteVariable,
+      &user,
+    );
+
+    update
+      .push_simple_log("delete variable", format!("{variable:#?}"));
+    update.finalize();
+
+    add_update(update).await?;
+
+    Ok(variable)
+  }
+}

bin/core/src/auth/github/client.rs

@@ -0,0 +1,229 @@
+use std::sync::OnceLock;
+
+use anyhow::{anyhow, Context};
+use monitor_client::entities::config::core::{
+  CoreConfig, OauthCredentials,
+};
+use reqwest::StatusCode;
+use serde::{de::DeserializeOwned, Deserialize, Serialize};
+use tokio::sync::Mutex;
+
+use crate::{
+  auth::{random_string, STATE_PREFIX_LENGTH},
+  config::core_config,
+};
+
+pub fn github_oauth_client() -> &'static Option<GithubOauthClient> {
+  static GITHUB_OAUTH_CLIENT: OnceLock<Option<GithubOauthClient>> =
+    OnceLock::new();
+  GITHUB_OAUTH_CLIENT
+    .get_or_init(|| GithubOauthClient::new(core_config()))
+}
+
+pub struct GithubOauthClient {
+  http: reqwest::Client,
+  client_id: String,
+  client_secret: String,
+  redirect_uri: String,
+  scopes: String,
+  states: Mutex<Vec<String>>,
+  user_agent: String,
+}
+
+impl GithubOauthClient {
+  pub fn new(
+    CoreConfig {
+      github_oauth:
+        OauthCredentials {
+          enabled,
+          id,
+          secret,
+        },
+      host,
+      ..
+    }: &CoreConfig,
+  ) -> Option<GithubOauthClient> {
+    if !enabled {
+      return None;
+    }
+    if host.is_empty() {
+      warn!("github oauth is enabled, but 'config.host' is not configured");
+      return None;
+    }
+    if id.is_empty() {
+      warn!("github oauth is enabled, but 'config.github_oauth.id' is not configured");
+      return None;
+    }
+    if secret.is_empty() {
+      warn!("github oauth is enabled, but 'config.github_oauth.secret' is not configured");
+      return None;
+    }
+    GithubOauthClient {
+      http: reqwest::Client::new(),
+      client_id: id.clone(),
+      client_secret: secret.clone(),
+      redirect_uri: format!("{host}/auth/github/callback"),
+      user_agent: Default::default(),
+      scopes: Default::default(),
+      states: Default::default(),
+    }
+    .into()
+  }
+
+  #[instrument(level = "debug", skip(self))]
+  pub async fn get_login_redirect_url(
+    &self,
+    redirect: Option<String>,
+  ) -> String {
+    let state_prefix = random_string(STATE_PREFIX_LENGTH);
+    let state = match redirect {
+      Some(redirect) => format!("{state_prefix}{redirect}"),
+      None => state_prefix,
+    };
+    let redirect_url = format!(
+      "https://github.com/login/oauth/authorize?state={state}&client_id={}&redirect_uri={}&scope={}",
+      self.client_id, self.redirect_uri, self.scopes
+    );
+    let mut states = self.states.lock().await;
+    states.push(state);
+    redirect_url
+  }
+
+  #[instrument(level = "debug", skip(self))]
+  pub async fn check_state(&self, state: &str) -> bool {
+    let mut contained = false;
+    self.states.lock().await.retain(|s| {
+      if s.as_str() == state {
+        contained = true;
+        false
+      } else {
+        true
+      }
+    });
+    contained
+  }
+
+  #[instrument(level = "debug", skip(self))]
+  pub async fn get_access_token(
+    &self,
+    code: &str,
+  ) -> anyhow::Result<AccessTokenResponse> {
+    self
+      .post::<(), _>(
+        "https://github.com/login/oauth/access_token",
+        &[
+          ("client_id", self.client_id.as_str()),
+          ("client_secret", self.client_secret.as_str()),
+          ("redirect_uri", self.redirect_uri.as_str()),
+          ("code", code),
+        ],
+        None,
+        None,
+      )
+      .await
+      .context("failed to get github access token using code")
+  }
+
+  #[instrument(level = "debug", skip(self))]
+  pub async fn get_github_user(
+    &self,
+    token: &str,
+  ) -> anyhow::Result<GithubUserResponse> {
+    self
+      .get("https://api.github.com/user", &[], Some(token))
+      .await
+      .context("failed to get github user using access token")
+  }
+
+  #[instrument(level = "debug", skip(self))]
+  async fn get<R: DeserializeOwned>(
+    &self,
+    endpoint: &str,
+    query: &[(&str, &str)],
+    bearer_token: Option<&str>,
+  ) -> anyhow::Result<R> {
+    let mut req = self
+      .http
+      .get(endpoint)
+      .query(query)
+      .header("User-Agent", &self.user_agent);
+
+    if let Some(bearer_token) = bearer_token {
+      req =
+        req.header("Authorization", format!("Bearer {bearer_token}"));
+    }
+
+    let res = req.send().await.context("failed to reach github")?;
+
+    let status = res.status();
+
+    if status == StatusCode::OK {
+      let body = res
+        .json()
+        .await
+        .context("failed to parse body into expected type")?;
+      Ok(body)
+    } else {
+      let text = res.text().await.context(format!(
+        "status: {status} | failed to get response text"
+      ))?;
+      Err(anyhow!("status: {status} | text: {text}"))
+    }
+  }
+
+  async fn post<B: Serialize, R: DeserializeOwned>(
+    &self,
+    endpoint: &str,
+    query: &[(&str, &str)],
+    body: Option<&B>,
+    bearer_token: Option<&str>,
+  ) -> anyhow::Result<R> {
+    let mut req = self
+      .http
+      .post(endpoint)
+      .query(query)
+      .header("Accept", "application/json")
+      .header("User-Agent", &self.user_agent);
+
+    if let Some(body) = body {
+      req = req.json(body);
+    }
+
+    if let Some(bearer_token) = bearer_token {
+      req =
+        req.header("Authorization", format!("Bearer {bearer_token}"));
+    }
+
+    let res = req.send().await.context("failed to reach github")?;
+
+    let status = res.status();
+
+    if status == StatusCode::OK {
+      let body = res
+        .json()
+        .await
+        .context("failed to parse POST body into expected type")?;
+      Ok(body)
+    } else {
+      let text = res.text().await.with_context(|| format!(
+        "method: POST | status: {status} | failed to get response text"
+      ))?;
+      Err(anyhow!("method: POST | status: {status} | text: {text}"))
+    }
+  }
+}
+
+#[derive(Deserialize)]
+pub struct AccessTokenResponse {
+  pub access_token: String,
+  // pub scope: String,
+  // pub token_type: String,
+}
+
+#[derive(Deserialize)]
+pub struct GithubUserResponse {
+  pub login: String,
+  pub id: u128,
+  pub avatar_url: String,
+  // pub email: Option<String>,
+}

bin/core/src/auth/github/mod.rs

@@ -0,0 +1,122 @@
+use anyhow::{anyhow, Context};
+use axum::{
+  extract::Query, response::Redirect, routing::get, Router,
+};
+use monitor_client::entities::{
+  monitor_timestamp,
+  user::{User, UserConfig},
+};
+use mungos::mongodb::bson::doc;
+use reqwest::StatusCode;
+use serde::Deserialize;
+use serror::AddStatusCode;
+
+use crate::{
+  config::core_config,
+  state::{db_client, jwt_client},
+};
+
+use self::client::github_oauth_client;
+
+use super::{RedirectQuery, STATE_PREFIX_LENGTH};
+
+pub mod client;
+
+pub fn router() -> Router {
+  Router::new()
+    .route(
+      "/login",
+      get(|Query(query): Query<RedirectQuery>| async {
+        Redirect::to(
+          &github_oauth_client()
+            .as_ref()
+            // OK: the router is only mounted in case that the client is populated
+            .unwrap()
+            .get_login_redirect_url(query.redirect)
+            .await,
+        )
+      }),
+    )
+    .route(
+      "/callback",
+      get(|query| async {
+        callback(query).await.status_code(StatusCode::UNAUTHORIZED)
+      }),
+    )
+}
+
+#[derive(Debug, Deserialize)]
+struct CallbackQuery {
+  state: String,
+  code: String,
+}
+
+#[instrument(name = "GithubCallback", level = "debug")]
+async fn callback(
+  Query(query): Query<CallbackQuery>,
+) -> anyhow::Result<Redirect> {
+  let client = github_oauth_client().as_ref().unwrap();
+  if !client.check_state(&query.state).await {
+    return Err(anyhow!("state mismatch"));
+  }
+  let token = client.get_access_token(&query.code).await?;
+  let github_user =
+    client.get_github_user(&token.access_token).await?;
+  let github_id = github_user.id.to_string();
+  let db_client = db_client().await;
+  let user = db_client
+    .users
+    .find_one(doc! { "config.data.github_id": &github_id }, None)
+    .await
+    .context("failed at find user query from mongo")?;
+  let jwt = match user {
+    Some(user) => jwt_client()
+      .generate(user.id)
+      .context("failed to generate jwt")?,
+    None => {
+      let ts = monitor_timestamp();
+      let no_users_exist =
+        db_client.users.find_one(None, None).await?.is_none();
+      let user = User {
+        id: Default::default(),
+        username: github_user.login,
+        enabled: no_users_exist,
+        admin: no_users_exist,
+        create_server_permissions: no_users_exist,
+        create_build_permissions: no_users_exist,
+        updated_at: ts,
+        last_update_view: 0,
+        recent_servers: Vec::new(),
+        recent_deployments: Vec::new(),
+        recent_builds: Vec::new(),
+        recent_repos: Vec::new(),
+        recent_procedures: Vec::new(),
+        config: UserConfig::Github {
+          github_id,
+          avatar: github_user.avatar_url,
+        },
+      };
+      let user_id = db_client
+        .users
+        .insert_one(user, None)
+        .await
+        .context("failed to create user on mongo")?
+        .inserted_id
+        .as_object_id()
+        .context("inserted_id is not ObjectId")?
+        .to_string();
+      jwt_client()
+        .generate(user_id)
+        .context("failed to generate jwt")?
+    }
+  };
+  let exchange_token = jwt_client().create_exchange_token(jwt).await;
+  let redirect = &query.state[STATE_PREFIX_LENGTH..];
+  let redirect_url = if redirect.is_empty() {
+    format!("{}?token={exchange_token}", core_config().host)
+  } else {
+    let splitter = if redirect.contains('?') { '&' } else { '?' };
+    format!("{}{splitter}token={exchange_token}", redirect)
+  };
+  Ok(Redirect::to(&redirect_url))
+}

bin/core/src/auth/google/client.rs

@@ -0,0 +1,200 @@
+use std::sync::OnceLock;
+
+use anyhow::{anyhow, Context};
+use jwt::Token;
+use monitor_client::entities::config::core::{
+  CoreConfig, OauthCredentials,
+};
+use reqwest::StatusCode;
+use serde::{de::DeserializeOwned, Deserialize};
+use serde_json::Value;
+use tokio::sync::Mutex;
+
+use crate::{
+  auth::{random_string, STATE_PREFIX_LENGTH},
+  config::core_config,
+};
+
+pub fn google_oauth_client() -> &'static Option<GoogleOauthClient> {
+  static GOOGLE_OAUTH_CLIENT: OnceLock<Option<GoogleOauthClient>> =
+    OnceLock::new();
+  GOOGLE_OAUTH_CLIENT
+    .get_or_init(|| GoogleOauthClient::new(core_config()))
+}
+
+pub struct GoogleOauthClient {
+  http: reqwest::Client,
+  client_id: String,
+  client_secret: String,
+  redirect_uri: String,
+  scopes: String,
+  states: Mutex<Vec<String>>,
+  user_agent: String,
+}
+
+impl GoogleOauthClient {
+  pub fn new(
+    CoreConfig {
+      google_oauth:
+        OauthCredentials {
+          enabled,
+          id,
+          secret,
+        },
+      host,
+      ..
+    }: &CoreConfig,
+  ) -> Option<GoogleOauthClient> {
+    if !enabled {
+      return None;
+    }
+    if host.is_empty() {
+      warn!("google oauth is enabled, but 'config.host' is not configured");
+      return None;
+    }
+    if id.is_empty() {
+      warn!("google oauth is enabled, but 'config.google_oauth.id' is not configured");
+      return None;
+    }
+    if secret.is_empty() {
+      warn!("google oauth is enabled, but 'config.google_oauth.secret' is not configured");
+      return None;
+    }
+    let scopes = urlencoding::encode(
+      &[
+        "https://www.googleapis.com/auth/userinfo.profile",
+        "https://www.googleapis.com/auth/userinfo.email",
+      ]
+      .join(" "),
+    )
+    .to_string();
+    GoogleOauthClient {
+      http: Default::default(),
+      client_id: id.clone(),
+      client_secret: secret.clone(),
+      redirect_uri: format!("{host}/auth/google/callback"),
+      user_agent: String::from("monitor"),
+      states: Default::default(),
+      scopes,
+    }
+    .into()
+  }
+
+  #[instrument(level = "debug", skip(self))]
+  pub async fn get_login_redirect_url(
+    &self,
+    redirect: Option<String>,
+  ) -> String {
+    let state_prefix = random_string(STATE_PREFIX_LENGTH);
+    let state = match redirect {
+      Some(redirect) => format!("{state_prefix}{redirect}"),
+      None => state_prefix,
+    };
+    let redirect_url = format!(
+      "https://accounts.google.com/o/oauth2/v2/auth?response_type=code&state={state}&client_id={}&redirect_uri={}&scope={}",
+      self.client_id, self.redirect_uri, self.scopes
+    );
+    let mut states = self.states.lock().await;
+    states.push(state);
+    redirect_url
+  }
+
+  #[instrument(level = "debug", skip(self))]
+  pub async fn check_state(&self, state: &str) -> bool {
+    let mut contained = false;
+    self.states.lock().await.retain(|s| {
+      if s.as_str() == state {
+        contained = true;
+        false
+      } else {
+        true
+      }
+    });
+    contained
+  }
+
+  #[instrument(level = "debug", skip(self))]
+  pub async fn get_access_token(
+    &self,
+    code: &str,
+  ) -> anyhow::Result<AccessTokenResponse> {
+    self
+      .post::<_>(
+        "https://oauth2.googleapis.com/token",
+        &[
+          ("client_id", self.client_id.as_str()),
+          ("client_secret", self.client_secret.as_str()),
+          ("redirect_uri", self.redirect_uri.as_str()),
+          ("code", code),
+          ("grant_type", "authorization_code"),
+        ],
+        None,
+      )
+      .await
+      .context("failed to get google access token using code")
+  }
+
+  #[instrument(level = "debug", skip(self))]
+  pub fn get_google_user(
+    &self,
+    id_token: &str,
+  ) -> anyhow::Result<GoogleUser> {
+    let t: Token<Value, GoogleUser, jwt::Unverified> =
+      Token::parse_unverified(id_token)
+        .context("failed to parse id_token")?;
+    Ok(t.claims().to_owned())
+  }
+
+  #[instrument(level = "debug", skip(self))]
+  async fn post<R: DeserializeOwned>(
+    &self,
+    endpoint: &str,
+    body: &[(&str, &str)],
+    bearer_token: Option<&str>,
+  ) -> anyhow::Result<R> {
+    let mut req = self
+      .http
+      .post(endpoint)
+      .form(body)
+      .header("Accept", "application/json")
+      .header("User-Agent", &self.user_agent);
+
+    if let Some(bearer_token) = bearer_token {
+      req =
+        req.header("Authorization", format!("Bearer {bearer_token}"));
+    }
+
+    let res = req.send().await.context("failed to reach google")?;
+
+    let status = res.status();
+
+    if status == StatusCode::OK {
+      let body = res
+        .json()
+        .await
+        .context("failed to parse POST body into expected type")?;
+      Ok(body)
+    } else {
+      let text = res.text().await.context(format!(
+                "method: POST | status: {status} | failed to get response text"
+            ))?;
+      Err(anyhow!("method: POST | status: {status} | text: {text}"))
+    }
+  }
+}
+
+#[derive(Deserialize)]
+pub struct AccessTokenResponse {
+  // pub access_token: String,
+  pub id_token: String,
+  // pub scope: String,
+  // pub token_type: String,
+}
+
+#[derive(Deserialize, Clone)]
+pub struct GoogleUser {
+  #[serde(rename = "sub")]
+  pub id: String,
+  pub email: String,
+  pub picture: String,
+}

bin/core/src/auth/google/mod.rs

@@ -0,0 +1,137 @@
+use anyhow::{anyhow, Context};
+use async_timing_util::unix_timestamp_ms;
+use axum::{
+  extract::Query, response::Redirect, routing::get, Router,
+};
+use monitor_client::entities::user::{User, UserConfig};
+use mungos::mongodb::bson::doc;
+use reqwest::StatusCode;
+use serde::Deserialize;
+use serror::AddStatusCode;
+
+use crate::{
+  config::core_config,
+  state::{db_client, jwt_client},
+};
+
+use self::client::google_oauth_client;
+
+use super::{RedirectQuery, STATE_PREFIX_LENGTH};
+
+pub mod client;
+
+pub fn router() -> Router {
+  Router::new()
+    .route(
+      "/login",
+      get(|Query(query): Query<RedirectQuery>| async move {
+        Redirect::to(
+          &google_oauth_client()
+            .as_ref()
+            // OK: its not mounted unless the client is populated
+            .unwrap()
+            .get_login_redirect_url(query.redirect)
+            .await,
+        )
+      }),
+    )
+    .route(
+      "/callback",
+      get(|query| async {
+        callback(query).await.status_code(StatusCode::UNAUTHORIZED)
+      }),
+    )
+}
+
+#[derive(Debug, Deserialize)]
+struct CallbackQuery {
+  state: Option<String>,
+  code: Option<String>,
+  error: Option<String>,
+}
+
+#[instrument(name = "GoogleCallback", level = "debug")]
+async fn callback(
+  Query(query): Query<CallbackQuery>,
+) -> anyhow::Result<Redirect> {
+  // Safe: the method is only called after the client is_some
+  let client = google_oauth_client().as_ref().unwrap();
+  if let Some(error) = query.error {
+    return Err(anyhow!("auth error from google: {error}"));
+  }
+  let state = query
+    .state
+    .context("callback query does not contain state")?;
+  if !client.check_state(&state).await {
+    return Err(anyhow!("state mismatch"));
+  }
+  let token = client
+    .get_access_token(
+      &query.code.context("callback query does not contain code")?,
+    )
+    .await?;
+  let google_user = client.get_google_user(&token.id_token)?;
+  let google_id = google_user.id.to_string();
+  let db_client = db_client().await;
+  let user = db_client
+    .users
+    .find_one(doc! { "config.data.google_id": &google_id }, None)
+    .await
+    .context("failed at find user query from mongo")?;
+  let jwt = match user {
+    Some(user) => jwt_client()
+      .generate(user.id)
+      .context("failed to generate jwt")?,
+    None => {
+      let ts = unix_timestamp_ms() as i64;
+      let no_users_exist =
+        db_client.users.find_one(None, None).await?.is_none();
+      let user = User {
+        id: Default::default(),
+        username: google_user
+          .email
+          .split('@')
+          .collect::<Vec<&str>>()
+          .first()
+          .unwrap()
+          .to_string(),
+        enabled: no_users_exist,
+        admin: no_users_exist,
+        create_server_permissions: no_users_exist,
+        create_build_permissions: no_users_exist,
+        updated_at: ts,
+        last_update_view: 0,
+        recent_servers: Vec::new(),
+        recent_deployments: Vec::new(),
+        recent_builds: Vec::new(),
+        recent_repos: Vec::new(),
+        recent_procedures: Vec::new(),
+        config: UserConfig::Google {
+          google_id,
+          avatar: google_user.picture,
+        },
+      };
+      let user_id = db_client
+        .users
+        .insert_one(user, None)
+        .await
+        .context("failed to create user on mongo")?
+        .inserted_id
+        .as_object_id()
+        .context("inserted_id is not ObjectId")?
+        .to_string();
+      jwt_client()
+        .generate(user_id)
+        .context("failed to generate jwt")?
+    }
+  };
+  let exchange_token = jwt_client().create_exchange_token(jwt).await;
+  let redirect = &state[STATE_PREFIX_LENGTH..];
+  let redirect_url = if redirect.is_empty() {
+    format!("{}?token={exchange_token}", core_config().host)
+  } else {
+    let splitter = if redirect.contains('?') { '&' } else { '?' };
+    format!("{}{splitter}token={exchange_token}", redirect)
+  };
+  Ok(Redirect::to(&redirect_url))
+}

bin/core/src/auth/jwt.rs

@@ -0,0 +1,89 @@
+use std::collections::HashMap;
+
+use anyhow::{anyhow, Context};
+use async_timing_util::{
+  get_timelength_in_ms, unix_timestamp_ms, Timelength,
+};
+use hmac::{Hmac, Mac};
+use jwt::SignWithKey;
+use monitor_client::entities::config::core::CoreConfig;
+use mungos::mongodb::bson::doc;
+use serde::{Deserialize, Serialize};
+use sha2::Sha256;
+use tokio::sync::Mutex;
+
+use super::random_string;
+
+type ExchangeTokenMap = Mutex<HashMap<String, (String, u128)>>;
+
+#[derive(Serialize, Deserialize)]
+pub struct JwtClaims {
+  pub id: String,
+  pub iat: u128,
+  pub exp: u128,
+}
+
+pub struct JwtClient {
+  pub key: Hmac<Sha256>,
+  valid_for_ms: u128,
+  exchange_tokens: ExchangeTokenMap,
+}
+
+impl JwtClient {
+  pub fn new(config: &CoreConfig) -> JwtClient {
+    let key = Hmac::new_from_slice(random_string(40).as_bytes())
+      .expect("failed at taking HmacSha256 of jwt secret");
+    JwtClient {
+      key,
+      valid_for_ms: get_timelength_in_ms(
+        config.jwt_valid_for.to_string().parse().unwrap(),
+      ),
+      exchange_tokens: Default::default(),
+    }
+  }
+
+  pub fn generate(&self, user_id: String) -> anyhow::Result<String> {
+    let iat = unix_timestamp_ms();
+    let exp = iat + self.valid_for_ms;
+    let claims = JwtClaims {
+      id: user_id,
+      iat,
+      exp,
+    };
+    let jwt = claims
+      .sign_with_key(&self.key)
+      .context("failed at signing claim")?;
+    Ok(jwt)
+  }
+
+  #[instrument(level = "debug", skip_all)]
+  pub async fn create_exchange_token(&self, jwt: String) -> String {
+    let exchange_token = random_string(40);
+    self.exchange_tokens.lock().await.insert(
+      exchange_token.clone(),
+      (
+        jwt,
+        unix_timestamp_ms()
+          + get_timelength_in_ms(Timelength::OneMinute),
+      ),
+    );
+    exchange_token
+  }
+  #[instrument(level = "debug", skip(self))]
+  pub async fn redeem_exchange_token(
+    &self,
+    exchange_token: &str,
+  ) -> anyhow::Result<String> {
+    let (jwt, valid_until) = self
+      .exchange_tokens
+      .lock()
+      .await
+      .remove(exchange_token)
+      .context("invalid exchange token: unrecognized")?;
+    if unix_timestamp_ms() < valid_until {
+      Ok(jwt)
+    } else {
+      Err(anyhow!("invalid exchange token: expired"))
+    }
+  }
+}

bin/core/src/auth/local.rs

@@ -0,0 +1,134 @@
+use std::str::FromStr;
+
+use anyhow::{anyhow, Context};
+use async_timing_util::unix_timestamp_ms;
+use axum::http::HeaderMap;
+use monitor_client::{
+  api::auth::{
+    CreateLocalUser, CreateLocalUserResponse, LoginLocalUser,
+    LoginLocalUserResponse,
+  },
+  entities::user::{User, UserConfig},
+};
+use mungos::mongodb::bson::{doc, oid::ObjectId};
+use resolver_api::Resolve;
+
+use crate::{
+  config::core_config,
+  state::State,
+  state::{db_client, jwt_client},
+};
+
+const BCRYPT_COST: u32 = 10;
+
+impl Resolve<CreateLocalUser, HeaderMap> for State {
+  #[instrument(name = "CreateLocalUser", skip(self))]
+  async fn resolve(
+    &self,
+    CreateLocalUser { username, password }: CreateLocalUser,
+    _: HeaderMap,
+  ) -> anyhow::Result<CreateLocalUserResponse> {
+    if !core_config().local_auth {
+      return Err(anyhow!("local auth is not enabled"));
+    }
+
+    if username.is_empty() {
+      return Err(anyhow!("username cannot be empty string"));
+    }
+
+    if ObjectId::from_str(&username).is_ok() {
+      return Err(anyhow!("username cannot be valid ObjectId"));
+    }
+
+    let password = bcrypt::hash(password, BCRYPT_COST)
+      .context("failed to hash password")?;
+
+    let no_users_exist = db_client()
+      .await
+      .users
+      .find_one(None, None)
+      .await?
+      .is_none();
+
+    let ts = unix_timestamp_ms() as i64;
+
+    let user = User {
+      id: Default::default(),
+      username,
+      enabled: no_users_exist,
+      admin: no_users_exist,
+      create_server_permissions: no_users_exist,
+      create_build_permissions: no_users_exist,
+      updated_at: ts,
+      last_update_view: 0,
+      recent_servers: Vec::new(),
+      recent_deployments: Vec::new(),
+      recent_builds: Vec::new(),
+      recent_repos: Vec::new(),
+      recent_procedures: Vec::new(),
+      config: UserConfig::Local { password },
+    };
+
+    let user_id = db_client()
+      .await
+      .users
+      .insert_one(user, None)
+      .await
+      .context("failed to create user")?
+      .inserted_id
+      .as_object_id()
+      .context("inserted_id is not ObjectId")?
+      .to_string();
+
+    let jwt = jwt_client()
+      .generate(user_id)
+      .context("failed to generate jwt for user")?;
+
+    Ok(CreateLocalUserResponse { jwt })
+  }
+}
+
+impl Resolve<LoginLocalUser, HeaderMap> for State {
+  #[instrument(name = "LoginLocalUser", level = "debug", skip(self))]
+  async fn resolve(
+    &self,
+    LoginLocalUser { username, password }: LoginLocalUser,
+    _: HeaderMap,
+  ) -> anyhow::Result<LoginLocalUserResponse> {
+    if !core_config().local_auth {
+      return Err(anyhow!("local auth is not enabled"));
+    }
+
+    let user = db_client()
+      .await
+      .users
+      .find_one(doc! { "username": &username }, None)
+      .await
+      .context("failed at db query for users")?
+      .with_context(|| {
+        format!("did not find user with username {username}")
+      })?;
+
+    let UserConfig::Local {
+      password: user_pw_hash,
+    } = user.config
+    else {
+      return Err(anyhow!(
+        "non-local auth users can not log in with a password"
+      ));
+    };
+
+    let verified = bcrypt::verify(password, &user_pw_hash)
+      .context("failed at verify password")?;
+
+    if !verified {
+      return Err(anyhow!("invalid credentials"));
+    }
+
+    let jwt = jwt_client()
+      .generate(user.id)
+      .context("failed at generating jwt for user")?;
+
+    Ok(LoginLocalUserResponse { jwt })
+  }
+}

bin/core/src/auth/mod.rs

@@ -0,0 +1,165 @@
+use ::jwt::VerifyWithKey;
+use anyhow::{anyhow, Context};
+use async_timing_util::unix_timestamp_ms;
+use axum::{
+  extract::Request, http::HeaderMap, middleware::Next,
+  response::Response,
+};
+use monitor_client::entities::{monitor_timestamp, user::User};
+use mungos::mongodb::bson::doc;
+use rand::{distributions::Alphanumeric, thread_rng, Rng};
+use reqwest::StatusCode;
+use serde::Deserialize;
+use serror::AddStatusCode;
+
+use crate::{
+  helpers::query::get_user,
+  state::{db_client, jwt_client},
+};
+
+use self::jwt::JwtClaims;
+
+pub mod github;
+pub mod google;
+pub mod jwt;
+
+mod local;
+
+const STATE_PREFIX_LENGTH: usize = 20;
+
+#[derive(Deserialize)]
+pub struct RedirectQuery {
+  pub redirect: Option<String>,
+}
+
+#[instrument(level = "debug")]
+pub async fn auth_request(
+  headers: HeaderMap,
+  mut req: Request,
+  next: Next,
+) -> serror::Result<Response> {
+  let user = authenticate_check_enabled(&headers)
+    .await
+    .status_code(StatusCode::UNAUTHORIZED)?;
+  req.extensions_mut().insert(user);
+  Ok(next.run(req).await)
+}
+
+pub fn random_string(length: usize) -> String {
+  thread_rng()
+    .sample_iter(&Alphanumeric)
+    .take(length)
+    .map(char::from)
+    .collect()
+}
+
+#[instrument(level = "debug")]
+pub async fn get_user_id_from_headers(
+  headers: &HeaderMap,
+) -> anyhow::Result<String> {
+  match (
+    headers.get("authorization"),
+    headers.get("x-api-key"),
+    headers.get("x-api-secret"),
+  ) {
+    (Some(jwt), _, _) => {
+      // USE JWT
+      let jwt = jwt.to_str().context("jwt is not str")?;
+      auth_jwt_get_user_id(jwt)
+        .await
+        .context("failed to authenticate jwt")
+    }
+    (None, Some(key), Some(secret)) => {
+      // USE API KEY / SECRET
+      let key = key.to_str().context("key is not str")?;
+      let secret = secret.to_str().context("secret is not str")?;
+      auth_api_key_get_user_id(key, secret)
+        .await
+        .context("failed to authenticate api key")
+    }
+    _ => {
+      // AUTH FAIL
+      Err(anyhow!("must attach either AUTHORIZATION header with jwt OR pass X-API-KEY and X-API-SECRET"))
+    }
+  }
+}
+
+#[instrument(level = "debug")]
+pub async fn authenticate_check_enabled(
+  headers: &HeaderMap,
+) -> anyhow::Result<User> {
+  let user_id = get_user_id_from_headers(headers).await?;
+  let user = get_user(&user_id).await?;
+  if user.enabled {
+    Ok(user)
+  } else {
+    Err(anyhow!("user not enabled"))
+  }
+}
+
+#[instrument(level = "debug")]
+pub async fn auth_jwt_get_user_id(
+  jwt: &str,
+) -> anyhow::Result<String> {
+  let claims: JwtClaims = jwt
+    .verify_with_key(&jwt_client().key)
+    .context("failed to verify claims")?;
+  if claims.exp > unix_timestamp_ms() {
+    Ok(claims.id)
+  } else {
+    Err(anyhow!("token has expired"))
+  }
+}
+
+#[instrument(level = "debug")]
+pub async fn auth_jwt_check_enabled(
+  jwt: &str,
+) -> anyhow::Result<User> {
+  let user_id = auth_jwt_get_user_id(jwt).await?;
+  check_enabled(user_id).await
+}
+
+#[instrument(level = "debug")]
+pub async fn auth_api_key_get_user_id(
+  key: &str,
+  secret: &str,
+) -> anyhow::Result<String> {
+  let key = db_client()
+    .await
+    .api_keys
+    .find_one(doc! { "key": key }, None)
+    .await
+    .context("failed to query db")?
+    .context("no api key matching key")?;
+  if key.expires != 0 && key.expires < monitor_timestamp() {
+    return Err(anyhow!("api key expired"));
+  }
+  if bcrypt::verify(secret, &key.secret)
+    .context("failed to verify secret hash")?
+  {
+    // secret matches
+    Ok(key.user_id)
+  } else {
+    // secret mismatch
+    Err(anyhow!("invalid api secret"))
+  }
+}
+
+#[instrument(level = "debug")]
+pub async fn auth_api_key_check_enabled(
+  key: &str,
+  secret: &str,
+) -> anyhow::Result<User> {
+  let user_id = auth_api_key_get_user_id(key, secret).await?;
+  check_enabled(user_id).await
+}
+
+#[instrument(level = "debug")]
+async fn check_enabled(user_id: String) -> anyhow::Result<User> {
+  let user = get_user(&user_id).await?;
+  if user.enabled {
+    Ok(user)
+  } else {
+    Err(anyhow!("user not enabled"))
+  }
+}

bin/core/src/cloud/aws/ecr.rs

@@ -0,0 +1,82 @@
+use anyhow::{anyhow, Context};
+use aws_config::{BehaviorVersion, Region};
+use aws_sdk_ecr::Client as EcrClient;
+use run_command::async_run_command;
+
+#[tracing::instrument(skip(access_key_id, secret_access_key))]
+async fn make_ecr_client(
+  region: String,
+  access_key_id: &str,
+  secret_access_key: &str,
+) -> EcrClient {
+  std::env::set_var("AWS_ACCESS_KEY_ID", access_key_id);
+  std::env::set_var("AWS_SECRET_ACCESS_KEY", secret_access_key);
+  let region = Region::new(region);
+  let config = aws_config::defaults(BehaviorVersion::v2024_03_28())
+    .region(region)
+    .load()
+    .await;
+  EcrClient::new(&config)
+}
+
+#[tracing::instrument(skip(access_key_id, secret_access_key))]
+pub async fn maybe_create_repo(
+  repo: &str,
+  region: String,
+  access_key_id: &str,
+  secret_access_key: &str,
+) -> anyhow::Result<()> {
+  let client =
+    make_ecr_client(region, access_key_id, secret_access_key).await;
+
+  let existing = client
+    .describe_repositories()
+    .send()
+    .await
+    .context("failed to describe existing repositories")?
+    .repositories
+    .unwrap_or_default();
+
+  if existing.iter().any(|r| {
+    if let Some(name) = r.repository_name() {
+      name == repo
+    } else {
+      false
+    }
+  }) {
+    return Ok(());
+  };
+
+  client
+    .create_repository()
+    .repository_name(repo)
+    .send()
+    .await
+    .context("failed to create repository")?;
+
+  Ok(())
+}
+
+/// Gets a token docker login.
+///
+/// Requires the aws cli be installed on the host
+#[tracing::instrument(skip(access_key_id, secret_access_key))]
+pub async fn get_ecr_token(
+  region: &str,
+  access_key_id: &str,
+  secret_access_key: &str,
+) -> anyhow::Result<String> {
+  let log = async_run_command(&format!(
+    "AWS_ACCESS_KEY_ID={access_key_id} AWS_SECRET_ACCESS_KEY={secret_access_key} aws ecr get-login-password --region {region}"
+  ))
+  .await;
+
+  if log.success() {
+    Ok(log.stdout)
+  } else {
+    Err(
+      anyhow!("stdout: {} | stderr: {}", log.stdout, log.stderr)
+        .context("failed to get aws ecr login token"),
+    )
+  }
+}

bin/core/src/cloud/aws/mod.rs

@@ -0,0 +1,2 @@
+pub mod ec2;
+pub mod ecr;

bin/core/src/cloud/hetzner/client.rs

@@ -0,0 +1,157 @@
+use anyhow::{anyhow, Context};
+use axum::http::{HeaderName, HeaderValue};
+use reqwest::{RequestBuilder, StatusCode};
+use serde::{de::DeserializeOwned, Serialize};
+
+use super::{
+  common::{
+    HetznerActionResponse, HetznerDatacenterResponse,
+    HetznerServerResponse, HetznerVolumeResponse,
+  },
+  create_server::{CreateServerBody, CreateServerResponse},
+  create_volume::{CreateVolumeBody, CreateVolumeResponse},
+};
+
+const BASE_URL: &str = "https://api.hetzner.cloud/v1";
+
+pub struct HetznerClient(reqwest::Client);
+
+impl HetznerClient {
+  pub fn new(token: &str) -> HetznerClient {
+    HetznerClient(
+      reqwest::ClientBuilder::new()
+        .default_headers(
+          [(
+            HeaderName::from_static("authorization"),
+            HeaderValue::from_str(&format!("Bearer {token}"))
+              .unwrap(),
+          )]
+          .into_iter()
+          .collect(),
+        )
+        .build()
+        .context("failed to build Hetzner request client")
+        .unwrap(),
+    )
+  }
+
+  pub async fn get_server(
+    &self,
+    id: i64,
+  ) -> anyhow::Result<HetznerServerResponse> {
+    self.get(&format!("/servers/{id}")).await
+  }
+
+  pub async fn create_server(
+    &self,
+    body: &CreateServerBody,
+  ) -> anyhow::Result<CreateServerResponse> {
+    self.post("/servers", body).await
+  }
+
+  #[allow(unused)]
+  pub async fn delete_server(
+    &self,
+    id: i64,
+  ) -> anyhow::Result<HetznerActionResponse> {
+    self.delete(&format!("/servers/{id}")).await
+  }
+
+  pub async fn get_volume(
+    &self,
+    id: i64,
+  ) -> anyhow::Result<HetznerVolumeResponse> {
+    self.get(&format!("/volumes/{id}")).await
+  }
+
+  pub async fn create_volume(
+    &self,
+    body: &CreateVolumeBody,
+  ) -> anyhow::Result<CreateVolumeResponse> {
+    self.post("/volumes", body).await
+  }
+
+  #[allow(unused)]
+  pub async fn delete_volume(&self, id: i64) -> anyhow::Result<()> {
+    let res = self
+      .0
+      .delete(format!("{BASE_URL}/volumes/{id}"))
+      .send()
+      .await
+      .context("failed at request to delete volume")?;
+
+    let status = res.status();
+
+    if status == StatusCode::NO_CONTENT {
+      Ok(())
+    } else {
+      let text = res
+        .text()
+        .await
+        .context("failed to get response body as text")?;
+      Err(anyhow!("{status} | {text}"))
+    }
+  }
+
+  #[allow(unused)]
+  pub async fn list_datacenters(
+    &self,
+  ) -> anyhow::Result<HetznerDatacenterResponse> {
+    self.get("/datacenters").await
+  }
+
+  async fn get<Res: DeserializeOwned>(
+    &self,
+    path: &str,
+  ) -> anyhow::Result<Res> {
+    let req = self.0.get(format!("{BASE_URL}{path}"));
+    handle_req(req).await.with_context(|| {
+      format!("failed at GET request to Hetzner | path: {path}")
+    })
+  }
+
+  async fn post<Body: Serialize, Res: DeserializeOwned>(
+    &self,
+    path: &str,
+    body: &Body,
+  ) -> anyhow::Result<Res> {
+    let req = self.0.post(format!("{BASE_URL}{path}")).json(&body);
+    handle_req(req).await.with_context(|| {
+      format!("failed at POST request to Hetzner | path: {path}")
+    })
+  }
+
+  #[allow(unused)]
+  async fn delete<Res: DeserializeOwned>(
+    &self,
+    path: &str,
+  ) -> anyhow::Result<Res> {
+    let req = self.0.delete(format!("{BASE_URL}{path}"));
+    handle_req(req).await.with_context(|| {
+      format!("failed at DELETE request to Hetzner | path: {path}")
+    })
+  }
+}
+
+async fn handle_req<Res: DeserializeOwned>(
+  req: RequestBuilder,
+) -> anyhow::Result<Res> {
+  let res = req.send().await?;
+
+  let status = res.status();
+
+  if status.is_success() {
+    res.json().await.context("failed to parse response to json")
+  } else {
+    let text = res
+      .text()
+      .await
+      .context("failed to get response body as text")?;
+    if let Ok(json_error) =
+      serde_json::from_str::<serde_json::Value>(&text)
+    {
+      return Err(anyhow!("{status} | {json_error:?}"));
+    }
+    Err(anyhow!("{status} | {text}"))
+  }
+}

bin/core/src/cloud/hetzner/common.rs

@@ -0,0 +1,277 @@
+use std::collections::HashMap;
+
+use serde::{Deserialize, Serialize};
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct HetznerServerResponse {
+  pub server: HetznerServer,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct HetznerServer {
+  pub id: i64,
+  pub name: String,
+  pub primary_disk_size: f64,
+  pub image: Option<HetznerImage>,
+  pub private_net: Vec<HetznerPrivateNet>,
+  pub public_net: HetznerPublicNet,
+  pub server_type: HetznerServerTypeDetails,
+  pub status: HetznerServerStatus,
+  #[serde(default)]
+  pub volumes: Vec<i64>,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct HetznerServerTypeDetails {
+  pub architecture: String,
+  pub cores: i64,
+  pub cpu_type: String,
+  pub description: String,
+  pub disk: f64,
+  pub id: i64,
+  pub memory: f64,
+  pub name: String,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct HetznerPrivateNet {
+  pub alias_ips: Vec<String>,
+  pub ip: String,
+  pub mac_address: String,
+  pub network: i64,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct HetznerPublicNet {
+  #[serde(default)]
+  pub firewalls: Vec<HetznerFirewall>,
+  pub floating_ips: Vec<i64>,
+  pub ipv4: Option<HetznerIpv4>,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct HetznerFirewall {
+  pub id: i64,
+  pub status: String,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct HetznerIpv4 {
+  pub id: Option<i64>,
+  pub blocked: bool,
+  pub dns_ptr: String,
+  pub ip: String,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct HetznerImage {
+  pub id: i64,
+  pub description: String,
+  pub name: Option<String>,
+  pub os_flavor: String,
+  pub os_version: Option<String>,
+  pub rapid_deploy: Option<bool>,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct HetznerActionResponse {
+  pub action: HetznerAction,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct HetznerAction {
+  pub command: String,
+  pub error: Option<HetznerError>,
+  pub finished: Option<String>,
+  pub id: i64,
+  pub progress: i32,
+  pub resources: Vec<HetznerResource>,
+  pub started: String,
+  pub status: HetznerActionStatus,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct HetznerError {
+  pub code: String,
+  pub message: String,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct HetznerResource {
+  pub id: i64,
+  #[serde(rename = "type")]
+  pub ty: String,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct HetznerVolumeResponse {
+  pub volume: HetznerVolume,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct HetznerVolume {
+  /// Name of the Resource. Must be unique per Project.
+  pub name: String,
+  /// Point in time when the Resource was created (in ISO-8601 format).
+  pub created: String,
+  /// Filesystem of the Volume if formatted on creation, null if not formatted on creation
+  pub format: Option<HetznerVolumeFormat>,
+  /// ID of the Volume.
+  pub id: i64,
+  /// User-defined labels ( key/value pairs) for the Resource
+  pub labels: HashMap<String, String>,
+  /// Device path on the file system for the Volume
+  pub linux_device: String,
+  /// Protection configuration for the Resource.
+  pub protection: HetznerProtection,
+  /// ID of the Server the Volume is attached to, null if it is not attached at all
+  pub server: Option<i64>,
+  /// Size in GB of the  Volume
+  pub size: i64,
+  /// Current status of the Volume. Allowed: `creating`, `available`
+  pub status: HetznerVolumeStatus,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct HetznerProtection {
+  /// Prevent the Resource from being deleted.
+  pub delete: bool,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct HetznerDatacenterResponse {
+  pub datacenters: Vec<HetznerDatacenterDetails>,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct HetznerDatacenterDetails {
+  pub id: i64,
+  pub name: String,
+  pub location: serde_json::Map<String, serde_json::Value>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub enum HetznerLocation {
+  #[serde(rename = "nbg1")]
+  Nuremberg1,
+  #[serde(rename = "hel1")]
+  Helsinki1,
+  #[serde(rename = "fsn1")]
+  Falkenstein1,
+  #[serde(rename = "ash")]
+  Ashburn,
+  #[serde(rename = "hil")]
+  Hillsboro,
+}
+
+#[derive(Debug, Clone, Copy, Serialize, Deserialize)]
+pub enum HetznerDatacenter {
+  #[serde(rename = "nbg1-dc3")]
+  Nuremberg1Dc3,
+  #[serde(rename = "hel1-dc2")]
+  Helsinki1Dc2,
+  #[serde(rename = "fsn1-dc14")]
+  Falkenstein1Dc14,
+  #[serde(rename = "ash-dc1")]
+  AshburnDc1,
+  #[serde(rename = "hil-dc1")]
+  HillsboroDc1,
+}
+
+impl From<HetznerDatacenter> for HetznerLocation {
+  fn from(value: HetznerDatacenter) -> Self {
+    match value {
+      HetznerDatacenter::Nuremberg1Dc3 => HetznerLocation::Nuremberg1,
+      HetznerDatacenter::Helsinki1Dc2 => HetznerLocation::Helsinki1,
+      HetznerDatacenter::Falkenstein1Dc14 => {
+        HetznerLocation::Falkenstein1
+      }
+      HetznerDatacenter::AshburnDc1 => HetznerLocation::Ashburn,
+      HetznerDatacenter::HillsboroDc1 => HetznerLocation::Hillsboro,
+    }
+  }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum HetznerVolumeFormat {
+  Xfs,
+  Ext4,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum HetznerVolumeStatus {
+  Creating,
+  Available,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum HetznerServerStatus {
+  Running,
+  Initializing,
+  Starting,
+  Stopping,
+  Off,
+  Deleting,
+  Migrating,
+  Rebuilding,
+  Unknown,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum HetznerActionStatus {
+  Running,
+  Success,
+  Error,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(rename_all = "UPPERCASE")]
+#[allow(clippy::enum_variant_names)]
+pub enum HetznerServerType {
+  // Shared
+  #[serde(rename = "cx11")]
+  SharedIntel1Core2Ram20Disk,
+  #[serde(rename = "cpx11")]
+  SharedAmd2Core2Ram40Disk,
+  #[serde(rename = "cax11")]
+  SharedArm2Core4Ram40Disk,
+  #[serde(rename = "cx21")]
+  SharedIntel2Core4Ram40Disk,
+  #[serde(rename = "cpx21")]
+  SharedAmd3Core4Ram80Disk,
+  #[serde(rename = "cax21")]
+  SharedArm4Core8Ram80Disk,
+  #[serde(rename = "cx31")]
+  SharedIntel2Core8Ram80Disk,
+  #[serde(rename = "cpx31")]
+  SharedAmd4Core8Ram160Disk,
+  #[serde(rename = "cax31")]
+  SharedArm8Core16Ram160Disk,
+  #[serde(rename = "cx41")]
+  SharedIntel4Core16Ram160Disk,
+  #[serde(rename = "cpx41")]
+  SharedAmd8Core16Ram240Disk,
+  #[serde(rename = "cax41")]
+  SharedArm16Core32Ram320Disk,
+  #[serde(rename = "cx51")]
+  SharedIntel8Core32Ram240Disk,
+  #[serde(rename = "cpx51")]
+  SharedAmd16Core32Ram360Disk,
+  // Dedicated
+  #[serde(rename = "ccx13")]
+  DedicatedAmd2Core8Ram80Disk,
+  #[serde(rename = "ccx23")]
+  DedicatedAmd4Core16Ram160Disk,
+  #[serde(rename = "ccx33")]
+  DedicatedAmd8Core32Ram240Disk,
+  #[serde(rename = "ccx43")]
+  DedicatedAmd16Core64Ram360Disk,
+  #[serde(rename = "ccx53")]
+  DedicatedAmd32Core128Ram600Disk,
+  #[serde(rename = "ccx63")]
+  DedicatedAmd48Core192Ram960Disk,
+}

bin/core/src/cloud/hetzner/create_server.rs

@@ -0,0 +1,76 @@
+use std::collections::HashMap;
+
+use serde::{Deserialize, Serialize};
+
+use super::common::{
+  HetznerAction, HetznerDatacenter, HetznerLocation, HetznerServer,
+  HetznerServerType,
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct CreateServerBody {
+  /// Name of the Server to create (must be unique per Project and a valid hostname as per RFC 1123)
+  pub name: String,
+  /// Auto-mount Volumes after attach
+  #[serde(skip_serializing_if = "Option::is_none")]
+  pub automount: Option<bool>,
+  /// ID or name of Datacenter to create Server in (must not be used together with location)
+  #[serde(skip_serializing_if = "Option::is_none")]
+  pub datacenter: Option<HetznerDatacenter>,
+  /// ID or name of Location to create Server in (must not be used together with datacenter)
+  #[serde(skip_serializing_if = "Option::is_none")]
+  pub location: Option<HetznerLocation>,
+  /// Firewalls which should be applied on the Server's public network interface at creation time
+  pub firewalls: Vec<Firewall>,
+  /// ID or name of the Image the Server is created from
+  pub image: String,
+  /// User-defined labels (key-value pairs) for the Resource
+  pub labels: HashMap<String, String>,
+  /// Network IDs which should be attached to the Server private network interface at the creation time
+  pub networks: Vec<i64>,
+  /// ID of the Placement Group the server should be in
+  #[serde(skip_serializing_if = "Option::is_none")]
+  pub placement_group: Option<i64>,
+  /// Public Network options
+  #[serde(skip_serializing_if = "Option::is_none")]
+  pub public_net: Option<PublicNet>,
+  /// ID or name of the Server type this Server should be created with
+  pub server_type: HetznerServerType,
+  /// SSH key IDs ( integer ) or names ( string ) which should be injected into the Server at creation time
+  pub ssh_keys: Vec<String>,
+  /// This automatically triggers a Power on a Server-Server Action after the creation is finished and is returned in the next_actions response object.
+  pub start_after_create: bool,
+  /// Cloud-Init user data to use during Server creation. This field is limited to 32KiB.
+  #[serde(skip_serializing_if = "Option::is_none")]
+  pub user_data: Option<String>,
+  /// Volume IDs which should be attached to the Server at the creation time. Volumes must be in the same Location.
+  pub volumes: Vec<i64>,
+}
+
+#[derive(Debug, Clone, Copy, Serialize)]
+pub struct Firewall {
+  /// ID of the Firewall
+  pub firewall: i64,
+}
+
+#[derive(Debug, Clone, Copy, Serialize)]
+pub struct PublicNet {
+  /// Attach an IPv4 on the public NIC. If false, no IPv4 address will be attached.
+  pub enable_ipv4: bool,
+  /// Attach an IPv6 on the public NIC. If false, no IPv6 address will be attached.
+  pub enable_ipv6: bool,
+  /// ID of the ipv4 Primary IP to use. If omitted and enable_ipv4 is true, a new ipv4 Primary IP will automatically be created.
+  #[serde(skip_serializing_if = "Option::is_none")]
+  pub ipv4: Option<i64>,
+  /// ID of the ipv6 Primary IP to use. If omitted and enable_ipv6 is true, a new ipv6 Primary IP will automatically be created.
+  #[serde(skip_serializing_if = "Option::is_none")]
+  pub ipv6: Option<i64>,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct CreateServerResponse {
+  pub action: HetznerAction,
+  pub next_actions: Vec<HetznerAction>,
+  pub root_password: Option<String>,
+  pub server: HetznerServer,
+}

bin/core/src/cloud/hetzner/create_volume.rs

@@ -0,0 +1,36 @@
+use std::collections::HashMap;
+
+use serde::{Deserialize, Serialize};
+
+use super::common::{
+  HetznerAction, HetznerLocation, HetznerVolume, HetznerVolumeFormat,
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct CreateVolumeBody {
+  /// Name of the volume
+  pub name: String,
+  /// Auto-mount Volume after attach. server must be provided.
+  #[serde(skip_serializing_if = "Option::is_none")]
+  pub automount: Option<bool>,
+  /// Format Volume after creation. One of: xfs, ext4
+  #[serde(skip_serializing_if = "Option::is_none")]
+  pub format: Option<HetznerVolumeFormat>,
+  /// User-defined labels (key-value pairs) for the Resource
+  pub labels: HashMap<String, String>,
+  /// Location to create the Volume in (can be omitted if Server is specified)
+  #[serde(skip_serializing_if = "Option::is_none")]
+  pub location: Option<HetznerLocation>,
+  /// Server to which to attach the Volume once it's created (Volume will be created in the same Location as the server)
+  #[serde(skip_serializing_if = "Option::is_none")]
+  pub server: Option<i64>,
+  /// Size of the Volume in GB
+  pub size: i64,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct CreateVolumeResponse {
+  pub action: HetznerAction,
+  pub next_actions: Vec<HetznerAction>,
+  pub volume: HetznerVolume,
+}

bin/core/src/cloud/hetzner/mod.rs

@@ -0,0 +1,282 @@
+use std::{
+  sync::{Arc, Mutex, OnceLock},
+  time::Duration,
+};
+
+use anyhow::{anyhow, Context};
+use futures::future::join_all;
+use monitor_client::entities::server_template::hetzner::{
+  HetznerDatacenter, HetznerServerTemplateConfig, HetznerServerType,
+  HetznerVolumeFormat,
+};
+
+use crate::{
+  cloud::hetzner::{
+    common::HetznerServerStatus, create_server::CreateServerBody,
+    create_volume::CreateVolumeBody,
+  },
+  config::core_config,
+};
+
+use self::{client::HetznerClient, common::HetznerVolumeStatus};
+
+mod client;
+mod common;
+mod create_server;
+mod create_volume;
+
+fn hetzner() -> Option<&'static HetznerClient> {
+  static HETZNER_CLIENT: OnceLock<Option<HetznerClient>> =
+    OnceLock::new();
+  HETZNER_CLIENT
+    .get_or_init(|| {
+      let token = &core_config().hetzner.token;
+      (!token.is_empty()).then(|| HetznerClient::new(token))
+    })
+    .as_ref()
+}
+
+pub struct HetznerServerMinimal {
+  pub id: i64,
+  pub ip: String,
+}
+
+const POLL_RATE_SECS: u64 = 3;
+const MAX_POLL_TRIES: usize = 100;
+
+#[instrument]
+pub async fn launch_hetzner_server(
+  name: &str,
+  config: HetznerServerTemplateConfig,
+) -> anyhow::Result<HetznerServerMinimal> {
+  let hetzner =
+    *hetzner().as_ref().context("Hetzner token not configured")?;
+  let HetznerServerTemplateConfig {
+    image,
+    datacenter,
+    private_network_ids,
+    placement_group,
+    enable_public_ipv4,
+    enable_public_ipv6,
+    firewall_ids,
+    server_type,
+    ssh_keys,
+    user_data,
+    use_public_ip,
+    labels,
+    volumes,
+    port: _,
+  } = config;
+  let datacenter = hetzner_datacenter(datacenter);
+
+  // Create volumes and get their ids
+  let mut volume_ids = Vec::new();
+  for volume in volumes {
+    let body = CreateVolumeBody {
+      name: volume.name,
+      format: Some(hetzner_format(volume.format)),
+      location: Some(datacenter.into()),
+      labels: volume.labels,
+      size: volume.size_gb,
+      automount: None,
+      server: None,
+    };
+    let id = hetzner
+      .create_volume(&body)
+      .await
+      .context("failed to create hetzner volume")?
+      .volume
+      .id;
+    volume_ids.push(id);
+  }
+
+  // Make sure volumes are available before continue
+  let vol_ids_poll = Arc::new(Mutex::new(volume_ids.clone()));
+  for _ in 0..MAX_POLL_TRIES {
+    if vol_ids_poll.lock().unwrap().is_empty() {
+      break;
+    }
+    tokio::time::sleep(Duration::from_secs(POLL_RATE_SECS)).await;
+    let ids = vol_ids_poll.lock().unwrap().clone();
+    let futures = ids.into_iter().map(|id| {
+      let vol_ids = vol_ids_poll.clone();
+      async move {
+        let Ok(res) = hetzner.get_volume(id).await else {
+          return;
+        };
+        if matches!(res.volume.status, HetznerVolumeStatus::Available)
+        {
+          vol_ids.lock().unwrap().retain(|_id| *_id != id);
+        }
+      }
+    });
+    join_all(futures).await;
+  }
+  if !vol_ids_poll.lock().unwrap().is_empty() {
+    return Err(anyhow!("Volumes not ready after poll"));
+  }
+
+  let body = CreateServerBody {
+    name: name.to_string(),
+    automount: None,
+    datacenter: Some(datacenter),
+    location: None,
+    firewalls: firewall_ids
+      .into_iter()
+      .map(|firewall| create_server::Firewall { firewall })
+      .collect(),
+    image,
+    labels,
+    networks: private_network_ids,
+    placement_group: (placement_group > 0).then_some(placement_group),
+    public_net: (enable_public_ipv4 || enable_public_ipv6).then_some(
+      create_server::PublicNet {
+        enable_ipv4: enable_public_ipv4,
+        enable_ipv6: enable_public_ipv6,
+        ipv4: None,
+        ipv6: None,
+      },
+    ),
+    server_type: hetzner_server_type(server_type),
+    ssh_keys,
+    start_after_create: true,
+    user_data: (!user_data.is_empty()).then_some(user_data),
+    volumes: volume_ids,
+  };
+
+  let server_id = hetzner
+    .create_server(&body)
+    .await
+    .context("failed to create hetnzer server")?
+    .server
+    .id;
+
+  for _ in 0..MAX_POLL_TRIES {
+    tokio::time::sleep(Duration::from_secs(POLL_RATE_SECS)).await;
+    let Ok(res) = hetzner.get_server(server_id).await else {
+      continue;
+    };
+    if matches!(res.server.status, HetznerServerStatus::Running) {
+      let ip = if use_public_ip {
+        res
+          .server
+          .public_net
+          .ipv4
+          .context("instance does not have public ipv4 attached")?
+          .ip
+      } else {
+        res
+          .server
+          .private_net
+          .first()
+          .context("no private networks attached")?
+          .ip
+          .to_string()
+      };
+      let server = HetznerServerMinimal { id: server_id, ip };
+      return Ok(server);
+    }
+  }
+
+  Err(anyhow!(
+    "failed to verify server running after polling status"
+  ))
+}
+
+fn hetzner_format(
+  format: HetznerVolumeFormat,
+) -> common::HetznerVolumeFormat {
+  match format {
+    HetznerVolumeFormat::Xfs => common::HetznerVolumeFormat::Xfs,
+    HetznerVolumeFormat::Ext4 => common::HetznerVolumeFormat::Ext4,
+  }
+}
+
+fn hetzner_datacenter(
+  datacenter: HetznerDatacenter,
+) -> common::HetznerDatacenter {
+  match datacenter {
+    HetznerDatacenter::Nuremberg1Dc3 => {
+      common::HetznerDatacenter::Nuremberg1Dc3
+    }
+    HetznerDatacenter::Helsinki1Dc2 => {
+      common::HetznerDatacenter::Helsinki1Dc2
+    }
+    HetznerDatacenter::Falkenstein1Dc14 => {
+      common::HetznerDatacenter::Falkenstein1Dc14
+    }
+    HetznerDatacenter::AshburnDc1 => {
+      common::HetznerDatacenter::AshburnDc1
+    }
+    HetznerDatacenter::HillsboroDc1 => {
+      common::HetznerDatacenter::HillsboroDc1
+    }
+  }
+}
+
+fn hetzner_server_type(
+  server_type: HetznerServerType,
+) -> common::HetznerServerType {
+  match server_type {
+    HetznerServerType::SharedIntel1Core2Ram20Disk => {
+      common::HetznerServerType::SharedIntel1Core2Ram20Disk
+    }
+    HetznerServerType::SharedAmd2Core2Ram40Disk => {
+      common::HetznerServerType::SharedAmd2Core2Ram40Disk
+    }
+    HetznerServerType::SharedArm2Core4Ram40Disk => {
+      common::HetznerServerType::SharedArm2Core4Ram40Disk
+    }
+    HetznerServerType::SharedIntel2Core4Ram40Disk => {
+      common::HetznerServerType::SharedIntel2Core4Ram40Disk
+    }
+    HetznerServerType::SharedAmd3Core4Ram80Disk => {
+      common::HetznerServerType::SharedAmd3Core4Ram80Disk
+    }
+    HetznerServerType::SharedArm4Core8Ram80Disk => {
+      common::HetznerServerType::SharedArm4Core8Ram80Disk
+    }
+    HetznerServerType::SharedIntel2Core8Ram80Disk => {
+      common::HetznerServerType::SharedIntel2Core8Ram80Disk
+    }
+    HetznerServerType::SharedAmd4Core8Ram160Disk => {
+      common::HetznerServerType::SharedAmd4Core8Ram160Disk
+    }
+    HetznerServerType::SharedArm8Core16Ram160Disk => {
+      common::HetznerServerType::SharedArm8Core16Ram160Disk
+    }
+    HetznerServerType::SharedIntel4Core16Ram160Disk => {
+      common::HetznerServerType::SharedIntel4Core16Ram160Disk
+    }
+    HetznerServerType::SharedAmd8Core16Ram240Disk => {
+      common::HetznerServerType::SharedAmd8Core16Ram240Disk
+    }
+    HetznerServerType::SharedArm16Core32Ram320Disk => {
+      common::HetznerServerType::SharedArm16Core32Ram320Disk
+    }
+    HetznerServerType::SharedIntel8Core32Ram240Disk => {
+      common::HetznerServerType::SharedIntel8Core32Ram240Disk
+    }
+    HetznerServerType::SharedAmd16Core32Ram360Disk => {
+      common::HetznerServerType::SharedAmd16Core32Ram360Disk
+    }
+    HetznerServerType::DedicatedAmd2Core8Ram80Disk => {
+      common::HetznerServerType::DedicatedAmd2Core8Ram80Disk
+    }
+    HetznerServerType::DedicatedAmd4Core16Ram160Disk => {
+      common::HetznerServerType::DedicatedAmd4Core16Ram160Disk
+    }
+    HetznerServerType::DedicatedAmd8Core32Ram240Disk => {
+      common::HetznerServerType::DedicatedAmd8Core32Ram240Disk
+    }
+    HetznerServerType::DedicatedAmd16Core64Ram360Disk => {
+      common::HetznerServerType::DedicatedAmd16Core64Ram360Disk
+    }
+    HetznerServerType::DedicatedAmd32Core128Ram600Disk => {
+      common::HetznerServerType::DedicatedAmd32Core128Ram600Disk
+    }
+    HetznerServerType::DedicatedAmd48Core192Ram960Disk => {
+      common::HetznerServerType::DedicatedAmd48Core192Ram960Disk
+    }
+  }
+}

bin/core/src/cloud/mod.rs

@@ -0,0 +1,10 @@
+pub mod aws;
+
+#[allow(unused)]
+pub mod hetzner;
+
+#[derive(Debug)]
+pub enum BuildCleanupData {
+  Server { repo_name: String },
+  Aws { instance_id: String, region: String },
+}