Bump version for 2.0.0.rc3

2024-09-23 16:47:06 -07:00
189 changed files with 1114 additions and 6533 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,7 +4,6 @@ on:
    branches:
      - main
  pull_request:
  workflow_dispatch:
 jobs:
  rubocop:
    name: RuboCop
@@ -23,25 +22,22 @@ jobs:
        run: bundle exec rubocop --parallel
  tests:
    strategy:
      fail-fast: false
      matrix:
        ruby-version:
          - "3.1"
          - "3.2"
          - "3.3"
          - "3.4"
        gemfile:
          - Gemfile
          - gemfiles/rails_edge.gemfile
    name: ${{ format('Tests (Ruby {0})', matrix.ruby-version) }}
    runs-on: ubuntu-latest
    continue-on-error: true
    env:
      BUNDLE_GEMFILE: ${{ github.workspace }}/${{ matrix.gemfile }}
    steps:
      - uses: actions/checkout@v4
      - name: Remove gemfile.lock
        run: rm Gemfile.lock
      - name: Install Ruby
        uses: ruby/setup-ruby@v1
        with:
@@ -50,5 +46,3 @@ jobs:
      - name: Run tests
        run: bin/test
        env:
          RUBYOPT: ${{ startsWith(matrix.ruby-version, '3.4.') && '--enable=frozen-string-literal' || '' }}
--- a/10
+++ b/10
@@ -1,4 +1,5 @@
-FROM ruby:3.4-alpine
+# Use the official Ruby 3.2.0 Alpine image as the base image
 FROM ruby:3.2.0-alpine
 # Install docker/buildx-bin
 COPY --from=docker/buildx-bin /buildx /usr/libexec/docker/cli-plugins/docker-buildx
@@ -13,8 +14,9 @@ COPY Gemfile Gemfile.lock kamal.gemspec ./
 COPY lib/kamal/version.rb /kamal/lib/kamal/version.rb
 # Install system dependencies
-RUN apk add --no-cache build-base git docker-cli openssh-client-default yaml-dev \
+RUN apk add --no-cache build-base git docker openrc openssh-client-default \
-    && gem install bundler --version=2.6.5 \
+    && rc-update add docker boot \
    && gem install bundler --version=2.4.3 \
    && bundle install
 # Copy the rest of our application code into the container.
@@ -31,7 +33,7 @@ WORKDIR /workdir
 # Tell git it's safe to access /workdir/.git even if
 # the directory is owned by a different user
-RUN git config --global --add safe.directory '*'
+RUN git config --global --add safe.directory /workdir
 # Set the entrypoint to run the installed binary in /workdir
 # Example:  docker run -it -v "$PWD:/workdir" kamal init
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,158 +1,152 @@
 PATH
  remote: .
  specs:
-    kamal (2.7.0)
+    kamal (2.0.0.rc3)
      activesupport (>= 7.0)
      base64 (~> 0.2)
      bcrypt_pbkdf (~> 1.0)
      concurrent-ruby (~> 1.2)
      dotenv (~> 3.1)
-      ed25519 (~> 1.4)
+      ed25519 (~> 1.2)
-      net-ssh (~> 7.3)
+      net-ssh (~> 7.0)
      sshkit (>= 1.23.0, < 2.0)
      thor (~> 1.3)
-      zeitwerk (>= 2.6.18, < 3.0)
+      zeitwerk (~> 2.5)
 GEM
  remote: https://rubygems.org/
  specs:
-    actionpack (8.0.0.1)
+    actionpack (7.1.3.4)
-      actionview (= 8.0.0.1)
+      actionview (= 7.1.3.4)
-      activesupport (= 8.0.0.1)
+      activesupport (= 7.1.3.4)
      nokogiri (>= 1.8.5)
      racc
      rack (>= 2.2.4)
      rack-session (>= 1.0.1)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
-      useragent (~> 0.16)
+    actionview (7.1.3.4)
-    actionview (8.0.0.1)
+      activesupport (= 7.1.3.4)
      activesupport (= 8.0.0.1)
      builder (~> 3.1)
      erubi (~> 1.11)
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
-    activesupport (8.0.0.1)
+    activesupport (7.1.3.4)
      base64
      benchmark (>= 0.3)
      bigdecimal
-      concurrent-ruby (~> 1.0, >= 1.3.1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
      connection_pool (>= 2.2.5)
      drb
      i18n (>= 1.6, < 2)
      logger (>= 1.4.2)
      minitest (>= 5.1)
-      securerandom (>= 0.3)
+      mutex_m
-      tzinfo (~> 2.0, >= 2.0.5)
+      tzinfo (~> 2.0)
      uri (>= 0.13.1)
    ast (2.4.2)
    base64 (0.2.0)
    bcrypt_pbkdf (1.1.1)
-    benchmark (0.4.0)
+    bcrypt_pbkdf (1.1.1-arm64-darwin)
    bcrypt_pbkdf (1.1.1-x86_64-darwin)
    bigdecimal (3.1.8)
    builder (3.3.0)
-    concurrent-ruby (1.3.4)
+    concurrent-ruby (1.3.3)
    connection_pool (2.4.1)
    crass (1.0.6)
    date (3.4.1)
    debug (1.9.2)
      irb (~> 1.10)
      reline (>= 0.3.8)
-    dotenv (3.1.5)
+    dotenv (3.1.2)
    drb (2.2.1)
-    ed25519 (1.4.0)
+    ed25519 (1.3.0)
    erubi (1.13.0)
-    i18n (1.14.6)
+    i18n (1.14.5)
      concurrent-ruby (~> 1.0)
-    io-console (0.8.0)
+    io-console (0.7.2)
-    irb (1.14.2)
+    irb (1.14.0)
      rdoc (>= 4.0.0)
      reline (>= 0.4.2)
-    json (2.9.0)
+    json (2.7.2)
    language_server-protocol (3.17.0.3)
-    logger (1.6.3)
+    loofah (2.22.0)
    loofah (2.23.1)
      crass (~> 1.0.2)
      nokogiri (>= 1.12.0)
-    minitest (5.25.4)
+    minitest (5.24.1)
-    mocha (2.7.1)
+    mocha (2.4.5)
      ruby2_keywords (>= 0.0.5)
    mutex_m (0.2.0)
    net-scp (4.0.0)
      net-ssh (>= 2.6.5, < 8.0.0)
    net-sftp (4.0.0)
      net-ssh (>= 5.0.0, < 8.0.0)
-    net-ssh (7.3.0)
+    net-ssh (7.2.3)
-    nokogiri (1.18.9-aarch64-linux-musl)
+    nokogiri (1.16.7-arm64-darwin)
      racc (~> 1.4)
-    nokogiri (1.18.9-arm64-darwin)
+    nokogiri (1.16.7-x86_64-darwin)
      racc (~> 1.4)
-    nokogiri (1.18.9-x86_64-darwin)
+    nokogiri (1.16.7-x86_64-linux)
      racc (~> 1.4)
-    nokogiri (1.18.9-x86_64-linux-gnu)
+    parallel (1.25.1)
-      racc (~> 1.4)
+    parser (3.3.4.0)
    nokogiri (1.18.9-x86_64-linux-musl)
      racc (~> 1.4)
    ostruct (0.6.1)
    parallel (1.26.3)
    parser (3.3.6.0)
      ast (~> 2.4.1)
      racc
-    psych (5.2.1)
+    psych (5.1.2)
      date
      stringio
    racc (1.8.1)
-    rack (3.1.16)
+    rack (3.1.7)
-    rack-session (2.1.1)
+    rack-session (2.0.0)
      base64 (>= 0.1.0)
      rack (>= 3.0.0)
    rack-test (2.1.0)
      rack (>= 1.3)
-    rackup (2.2.1)
+    rackup (2.1.0)
      rack (>= 3)
      webrick (~> 1.8)
    rails-dom-testing (2.2.0)
      activesupport (>= 5.0.0)
      minitest
      nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.2)
+    rails-html-sanitizer (1.6.0)
      loofah (~> 2.21)
-      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
+      nokogiri (~> 1.14)
-    railties (8.0.0.1)
+    railties (7.1.3.4)
-      actionpack (= 8.0.0.1)
+      actionpack (= 7.1.3.4)
-      activesupport (= 8.0.0.1)
+      activesupport (= 7.1.3.4)
-      irb (~> 1.13)
+      irb
      rackup (>= 1.0.0)
      rake (>= 12.2)
      thor (~> 1.0, >= 1.2.2)
      zeitwerk (~> 2.6)
    rainbow (3.1.1)
    rake (13.2.1)
-    rdoc (6.8.1)
+    rdoc (6.7.0)
      psych (>= 4.0.0)
-    regexp_parser (2.9.3)
+    regexp_parser (2.9.2)
-    reline (0.5.12)
+    reline (0.5.9)
      io-console (~> 0.5)
-    rubocop (1.69.2)
+    rexml (3.3.4)
      strscan
    rubocop (1.65.1)
      json (~> 2.3)
      language_server-protocol (>= 3.17.0)
      parallel (~> 1.10)
      parser (>= 3.3.0.2)
      rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 2.9.3, < 3.0)
+      regexp_parser (>= 2.4, < 3.0)
-      rubocop-ast (>= 1.36.2, < 2.0)
+      rexml (>= 3.2.5, < 4.0)
      rubocop-ast (>= 1.31.1, < 2.0)
      ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 4.0)
+      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.36.2)
+    rubocop-ast (1.32.0)
      parser (>= 3.3.1.0)
-    rubocop-minitest (0.36.0)
+    rubocop-minitest (0.35.1)
      rubocop (>= 1.61, < 2.0)
      rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-performance (1.23.0)
+    rubocop-performance (1.21.1)
      rubocop (>= 1.48.1, < 2.0)
      rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-rails (2.27.0)
+    rubocop-rails (2.25.1)
      activesupport (>= 4.2.0)
      rack (>= 1.1)
-      rubocop (>= 1.52.0, < 2.0)
+      rubocop (>= 1.33.0, < 2.0)
      rubocop-ast (>= 1.31.1, < 2.0)
    rubocop-rails-omakase (1.0.0)
      rubocop
@@ -161,30 +155,24 @@ GEM
      rubocop-rails
    ruby-progressbar (1.13.0)
    ruby2_keywords (0.0.5)
-    securerandom (0.4.0)
+    sshkit (1.23.0)
    sshkit (1.23.2)
      base64
      net-scp (>= 1.1.2)
      net-sftp (>= 2.1.2)
      net-ssh (>= 2.8.0)
-      ostruct
+    stringio (3.1.1)
-    stringio (3.1.2)
+    strscan (3.1.0)
-    thor (1.4.0)
+    thor (1.3.1)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
-    unicode-display_width (3.1.2)
+    unicode-display_width (2.5.0)
-      unicode-emoji (~> 4.0, >= 4.0.4)
+    webrick (1.8.1)
-    unicode-emoji (4.0.4)
+    zeitwerk (2.6.17)
    uri (1.0.3)
    useragent (0.16.11)
    zeitwerk (2.7.1)
 PLATFORMS
  aarch64-linux-musl
  arm64-darwin
  x86_64-darwin
  x86_64-linux
  x86_64-linux-musl
 DEPENDENCIES
  debug
@@ -194,4 +182,4 @@ DEPENDENCIES
  rubocop-rails-omakase
 BUNDLED WITH
-   2.6.5
+   2.4.3
--- a/bin/docs
+++ b/bin/docs
@@ -30,7 +30,6 @@ DOCS = {
  "ssh" => "SSH",
  "sshkit" => "SSHKit"
 }
 DOCS_PATH = "lib/kamal/configuration/docs"
 class DocWriter
  attr_reader :from_file, :to_file, :key, :heading, :body, :output, :in_yaml
@@ -71,7 +70,6 @@ class DocWriter
            generate_line(line, heading: place == :new_section)
            place = :in_section
          else
            output.puts
            output.puts "```yaml"
            output.puts line
            place = :in_yaml
@@ -79,7 +77,6 @@ class DocWriter
        when :in_yaml, :in_empty_line_yaml
          if line =~ /^ *#/
            output.puts "```"
            output.puts
            generate_line(line, heading: place == :in_empty_line_yaml)
            place = :in_section
          elsif line.empty?
@@ -95,12 +92,11 @@ class DocWriter
    def generate_header
      output.puts "---"
      output.puts "# This file has been generated from the Kamal source, do not edit directly."
      output.puts "# Find the source of this file at #{DOCS_PATH}/#{key}.yml in the Kamal repository."
      output.puts "title: #{heading[2..-1]}"
      output.puts "---"
      output.puts
      output.puts heading
      output.puts
    end
    def generate_line(line, heading: false)
@@ -122,11 +118,7 @@ class DocWriter
    end
    def linkify(text)
-      if text == "Configuration overview"
+      text.downcase.gsub(" ", "-")
        "overview"
      else
        text.downcase.gsub(" ", "-")
      end
    end
    def titlify(text)
@@ -134,8 +126,10 @@ class DocWriter
    end
 end
-from_dir = File.join(File.dirname(__FILE__), "../#{DOCS_PATH}")
+from_dir = File.join(File.dirname(__FILE__), "../lib/kamal/configuration/docs")
 to_dir = File.join(kamal_site_repo, "docs/configuration")
 Dir.glob("#{from_dir}/*") do |from_file|
  key = File.basename(from_file, ".yml")
  DocWriter.new(from_file, to_dir).write
 end
--- a/kamal.gemspec
+++ b/kamal.gemspec
@@ -13,11 +13,11 @@ Gem::Specification.new do |spec|
  spec.add_dependency "activesupport", ">= 7.0"
  spec.add_dependency "sshkit", ">= 1.23.0", "< 2.0"
-  spec.add_dependency "net-ssh", "~> 7.3"
+  spec.add_dependency "net-ssh", "~> 7.0"
  spec.add_dependency "thor", "~> 1.3"
  spec.add_dependency "dotenv", "~> 3.1"
-  spec.add_dependency "zeitwerk", ">= 2.6.18", "< 3.0"
+  spec.add_dependency "zeitwerk", "~> 2.5"
-  spec.add_dependency "ed25519", "~> 1.4"
+  spec.add_dependency "ed25519", "~> 1.2"
  spec.add_dependency "bcrypt_pbkdf", "~> 1.0"
  spec.add_dependency "concurrent-ruby", "~> 1.2"
  spec.add_dependency "base64", "~> 0.2"
--- a/lib/kamal/cli.rb
+++ b/lib/kamal/cli.rb
@@ -2,7 +2,6 @@ module Kamal::Cli
  class BootError < StandardError; end
  class HookError < StandardError; end
  class LockError < StandardError; end
  class DependencyError < StandardError; end
 end
 # SSHKit uses instance eval, so we need a global const for ergonomics
--- a/lib/kamal/cli/accessory.rb
+++ b/lib/kamal/cli/accessory.rb
@@ -1,6 +1,3 @@
 require "active_support/core_ext/array/conversions"
 require "concurrent/array"
 class Kamal::Cli::Accessory < Kamal::Cli::Base
  desc "boot [NAME]", "Boot new accessory service on host (use NAME=all to boot all accessories)"
  def boot(name, prepare: true)
@@ -11,29 +8,14 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
        prepare(name) if prepare
        with_accessory(name) do |accessory, hosts|
          booted_hosts = Concurrent::Array.new
          on(hosts) do |host|
            booted_hosts << host.to_s if capture_with_info(*accessory.info(all: true, quiet: true)).strip.presence
          end
          if booted_hosts.any?
            say "Skipping booting `#{name}` on #{booted_hosts.sort.join(", ")}, a container already exists", :yellow
            hosts -= booted_hosts
          end
          directories(name)
          upload(name)
-          on(hosts) do |host|
+          on(hosts) do
            execute *KAMAL.auditor.record("Booted #{name} accessory"), verbosity: :debug
            execute *accessory.ensure_env_directory
            upload! accessory.secrets_io, accessory.secrets_path, mode: "0600"
-            execute *accessory.run(host: host)
+            execute *accessory.run
            if accessory.running_proxy?
              target = capture_with_info(*accessory.container_id_for(container_name: accessory.service_name, only_running: true)).strip
              execute *accessory.deploy(target: target)
            end
          end
        end
      end
@@ -91,10 +73,6 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
        on(hosts) do
          execute *KAMAL.auditor.record("Started #{name} accessory"), verbosity: :debug
          execute *accessory.start
          if accessory.running_proxy?
            target = capture_with_info(*accessory.container_id_for(container_name: accessory.service_name, only_running: true)).strip
            execute *accessory.deploy(target: target)
          end
        end
      end
    end
@@ -107,11 +85,6 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
        on(hosts) do
          execute *KAMAL.auditor.record("Stopped #{name} accessory"), verbosity: :debug
          execute *accessory.stop, raise_on_non_zero_exit: false
          if accessory.running_proxy?
            target = capture_with_info(*accessory.container_id_for(container_name: accessory.service_name, only_running: true)).strip
            execute *accessory.remove if target
          end
        end
      end
    end
@@ -137,37 +110,32 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
    end
  end
-  desc "exec [NAME] [CMD...]", "Execute a custom command on servers within the accessory container (use --help to show options)"
+  desc "exec [NAME] [CMD]", "Execute a custom command on servers (use --help to show options)"
  option :interactive, aliases: "-i", type: :boolean, default: false, desc: "Execute command over ssh for an interactive shell (use for console/bash)"
  option :reuse, type: :boolean, default: false, desc: "Reuse currently running container instead of starting a new one"
-  def exec(name, *cmd)
+  def exec(name, cmd)
    pre_connect_if_required
    cmd = Kamal::Utils.join_commands(cmd)
    with_accessory(name) do |accessory, hosts|
      case
      when options[:interactive] && options[:reuse]
-        say "Launching interactive command via SSH from existing container...", :magenta
+        say "Launching interactive command with via SSH from existing container...", :magenta
        run_locally { exec accessory.execute_in_existing_container_over_ssh(cmd) }
      when options[:interactive]
        say "Launching interactive command via SSH from new container...", :magenta
        on(accessory.hosts.first) { execute *KAMAL.registry.login }
        run_locally { exec accessory.execute_in_new_container_over_ssh(cmd) }
      when options[:reuse]
        say "Launching command from existing container...", :magenta
-        on(hosts) do |host|
+        on(hosts) do
          execute *KAMAL.auditor.record("Executed cmd '#{cmd}' on #{name} accessory"), verbosity: :debug
-          puts_by_host host, capture_with_info(*accessory.execute_in_existing_container(cmd))
+          capture_with_info(*accessory.execute_in_existing_container(cmd))
        end
      else
        say "Launching command from new container...", :magenta
-        on(hosts) do |host|
+        on(hosts) do
          execute *KAMAL.registry.login
          execute *KAMAL.auditor.record("Executed cmd '#{cmd}' on #{name} accessory"), verbosity: :debug
-          puts_by_host host, capture_with_info(*accessory.execute_in_new_container(cmd))
+          capture_with_info(*accessory.execute_in_new_container(cmd))
        end
      end
    end
@@ -177,7 +145,7 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
  option :since, aliases: "-s", desc: "Show logs since timestamp (e.g. 2013-01-02T13:23:37Z) or relative (e.g. 42m for 42 minutes)"
  option :lines, type: :numeric, aliases: "-n", desc: "Number of log lines to pull from each server"
  option :grep, aliases: "-g", desc: "Show lines with grep match only (use this to fetch specific requests by id)"
-  option :grep_options, desc: "Additional options supplied to grep"
+  option :grep_options, aliases: "-o", desc: "Additional options supplied to grep"
  option :follow, aliases: "-f", desc: "Follow logs on primary server (or specific host set by --hosts)"
  option :skip_timestamps, type: :boolean, aliases: "-T", desc: "Skip appending timestamps to logging output"
  def logs(name)
@@ -290,7 +258,11 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
    end
    def accessory_hosts(accessory)
-      KAMAL.accessory_hosts & accessory.hosts
+      if KAMAL.specific_hosts&.any?
        KAMAL.specific_hosts & accessory.hosts
      else
        accessory.hosts
      end
    end
    def remove_accessory(name)
@@ -303,7 +275,7 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
    def prepare(name)
      with_accessory(name) do |accessory, hosts|
        on(hosts) do
-          execute *KAMAL.registry.login(registry_config: accessory.registry)
+          execute *KAMAL.registry.login
          execute *KAMAL.docker.create_network
        rescue SSHKit::Command::Failed => e
          raise unless e.message.include?("already exists")
--- a/lib/kamal/cli/alias/command.rb
+++ b/lib/kamal/cli/alias/command.rb
@@ -1,7 +1,6 @@
 class Kamal::Cli::Alias::Command < Thor::DynamicCommand
  def run(instance, args = [])
    if (_alias = KAMAL.config.aliases[name])
      KAMAL.reset
      Kamal::Cli::Main.start(Shellwords.split(_alias.command) + ARGV[1..-1])
    else
      super
--- a/lib/kamal/cli/app.rb
+++ b/lib/kamal/cli/app.rb
@@ -7,34 +7,23 @@ class Kamal::Cli::App < Kamal::Cli::Base
        say "Start container with version #{version} (or reboot if already running)...", :magenta
        # Assets are prepared in a separate step to ensure they are on all hosts before booting
-        on(KAMAL.app_hosts) do
+        on(KAMAL.hosts) do
          Kamal::Cli::App::ErrorPages.new(host, self).run
          KAMAL.roles_on(host).each do |role|
-            Kamal::Cli::App::Assets.new(host, role, self).run
+            Kamal::Cli::App::PrepareAssets.new(host, role, self).run
            Kamal::Cli::App::SslCertificates.new(host, role, self).run
          end
        end
        # Primary hosts and roles are returned first, so they can open the barrier
        barrier = Kamal::Cli::Healthcheck::Barrier.new
-        host_boot_groups.each do |hosts|
+        on(KAMAL.hosts, **KAMAL.boot_strategy) do |host|
-          host_list = Array(hosts).join(",")
+          KAMAL.roles_on(host).each do |role|
-          run_hook "pre-app-boot", hosts: host_list
+            Kamal::Cli::App::Boot.new(host, role, self, version, barrier).run
          on(hosts) do |host|
            KAMAL.roles_on(host).each do |role|
              Kamal::Cli::App::Boot.new(host, role, self, version, barrier).run
            end
          end
          run_hook "post-app-boot", hosts: host_list
          sleep KAMAL.config.boot.wait if KAMAL.config.boot.wait
        end
        # Tag once the app booted on all hosts
-        on(KAMAL.app_hosts) do |host|
+        on(KAMAL.hosts) do |host|
          execute *KAMAL.auditor.record("Tagging #{KAMAL.config.absolute_image} as the latest image"), verbosity: :debug
          execute *KAMAL.app.tag_latest_image
        end
@@ -45,7 +34,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
  desc "start", "Start existing app container on servers"
  def start
    with_lock do
-      on(KAMAL.app_hosts) do |host|
+      on(KAMAL.hosts) do |host|
        roles = KAMAL.roles_on(host)
        roles.each do |role|
@@ -68,7 +57,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
  desc "stop", "Stop app container on servers"
  def stop
    with_lock do
-      on(KAMAL.app_hosts) do |host|
+      on(KAMAL.hosts) do |host|
        roles = KAMAL.roles_on(host)
        roles.each do |role|
@@ -79,7 +68,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
            version = capture_with_info(*app.current_running_version, raise_on_non_zero_exit: false).strip
            endpoint = capture_with_info(*app.container_id_for_version(version)).strip
            if endpoint.present?
-              execute *app.remove, raise_on_non_zero_exit: false
+              execute *app.remove(target: endpoint), raise_on_non_zero_exit: false
            end
          end
@@ -92,7 +81,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
  # FIXME: Drop in favor of just containers?
  desc "details", "Show details about app containers"
  def details
-    on(KAMAL.app_hosts) do |host|
+    on(KAMAL.hosts) do |host|
      roles = KAMAL.roles_on(host)
      roles.each do |role|
@@ -105,21 +94,9 @@ class Kamal::Cli::App < Kamal::Cli::Base
  option :interactive, aliases: "-i", type: :boolean, default: false, desc: "Execute command over ssh for an interactive shell (use for console/bash)"
  option :reuse, type: :boolean, default: false, desc: "Reuse currently running container instead of starting a new one"
  option :env, aliases: "-e", type: :hash, desc: "Set environment variables for the command"
  option :detach, type: :boolean, default: false, desc: "Execute command in a detached container"
  def exec(*cmd)
    pre_connect_if_required
    if (incompatible_options = [ :interactive, :reuse ].select { |key| options[:detach] && options[key] }.presence)
      raise ArgumentError, "Detach is not compatible with #{incompatible_options.join(" or ")}"
    end
    if cmd.empty?
      raise ArgumentError, "No command provided. You must specify a command to execute."
    end
    cmd = Kamal::Utils.join_commands(cmd)
    env = options[:env]
    detach = options[:detach]
    case
    when options[:interactive] && options[:reuse]
      say "Get current version of running container...", :magenta unless options[:version]
@@ -132,7 +109,6 @@ class Kamal::Cli::App < Kamal::Cli::Base
      say "Get most recent version available as an image...", :magenta unless options[:version]
      using_version(version_or_latest) do |version|
        say "Launching interactive command with version #{version} via SSH from new container on #{KAMAL.primary_host}...", :magenta
        on(KAMAL.primary_host) { execute *KAMAL.registry.login }
        run_locally do
          exec KAMAL.app(role: KAMAL.primary_role, host: KAMAL.primary_host).execute_in_new_container_over_ssh(cmd, env: env)
        end
@@ -143,7 +119,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
      using_version(options[:version] || current_running_version) do |version|
        say "Launching command with version #{version} from existing container...", :magenta
-        on(KAMAL.app_hosts) do |host|
+        on(KAMAL.hosts) do |host|
          roles = KAMAL.roles_on(host)
          roles.each do |role|
@@ -157,14 +133,12 @@ class Kamal::Cli::App < Kamal::Cli::Base
      say "Get most recent version available as an image...", :magenta unless options[:version]
      using_version(version_or_latest) do |version|
        say "Launching command with version #{version} from new container...", :magenta
-        on(KAMAL.app_hosts) do |host|
+        on(KAMAL.hosts) do |host|
          execute *KAMAL.registry.login
          roles = KAMAL.roles_on(host)
          roles.each do |role|
            execute *KAMAL.auditor.record("Executed cmd '#{cmd}' on app version #{version}"), verbosity: :debug
-            puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).execute_in_new_container(cmd, env: env, detach: detach))
+            puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).execute_in_new_container(cmd, env: env))
          end
        end
      end
@@ -173,7 +147,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
  desc "containers", "Show app containers on servers"
  def containers
-    on(KAMAL.app_hosts) { |host| puts_by_host host, capture_with_info(*KAMAL.app.list_containers) }
+    on(KAMAL.hosts) { |host| puts_by_host host, capture_with_info(*KAMAL.app.list_containers) }
  end
  desc "stale_containers", "Detect app stale containers"
@@ -182,7 +156,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
    stop = options[:stop]
    with_lock_if_stopping do
-      on(KAMAL.app_hosts) do |host|
+      on(KAMAL.hosts) do |host|
        roles = KAMAL.roles_on(host)
        roles.each do |role|
@@ -205,24 +179,22 @@ class Kamal::Cli::App < Kamal::Cli::Base
  desc "images", "Show app images on servers"
  def images
-    on(KAMAL.app_hosts) { |host| puts_by_host host, capture_with_info(*KAMAL.app.list_images) }
+    on(KAMAL.hosts) { |host| puts_by_host host, capture_with_info(*KAMAL.app.list_images) }
  end
  desc "logs", "Show log lines from app on servers (use --help to show options)"
  option :since, aliases: "-s", desc: "Show lines since timestamp (e.g. 2013-01-02T13:23:37Z) or relative (e.g. 42m for 42 minutes)"
  option :lines, type: :numeric, aliases: "-n", desc: "Number of lines to show from each server"
  option :grep, aliases: "-g", desc: "Show lines with grep match only (use this to fetch specific requests by id)"
-  option :grep_options, desc: "Additional options supplied to grep"
+  option :grep_options, aliases: "-o", desc: "Additional options supplied to grep"
  option :follow, aliases: "-f", desc: "Follow log on primary server (or specific host set by --hosts)"
  option :skip_timestamps, type: :boolean, aliases: "-T", desc: "Skip appending timestamps to logging output"
  option :container_id, desc: "Docker container ID to fetch logs"
  def logs
    # FIXME: Catch when app containers aren't running
    grep = options[:grep]
    grep_options = options[:grep_options]
    since = options[:since]
    container_id = options[:container_id]
    timestamps = !options[:skip_timestamps]
    if options[:follow]
@@ -231,22 +203,22 @@ class Kamal::Cli::App < Kamal::Cli::Base
      run_locally do
        info "Following logs on #{KAMAL.primary_host}..."
-        KAMAL.specific_roles ||= [ KAMAL.primary_role.name ]
+        KAMAL.specific_roles ||= [ "web" ]
        role = KAMAL.roles_on(KAMAL.primary_host).first
        app = KAMAL.app(role: role, host: host)
-        info app.follow_logs(host: KAMAL.primary_host, container_id: container_id, timestamps: timestamps, lines: lines, grep: grep, grep_options: grep_options)
+        info app.follow_logs(host: KAMAL.primary_host, timestamps: timestamps, lines: lines, grep: grep, grep_options: grep_options)
-        exec app.follow_logs(host: KAMAL.primary_host, container_id: container_id, timestamps: timestamps, lines: lines, grep: grep, grep_options: grep_options)
+        exec app.follow_logs(host: KAMAL.primary_host, timestamps: timestamps, lines: lines, grep: grep, grep_options: grep_options)
      end
    else
      lines = options[:lines].presence || ((since || grep) ? nil : 100) # Default to 100 lines if since or grep isn't set
-      on(KAMAL.app_hosts) do |host|
+      on(KAMAL.hosts) do |host|
        roles = KAMAL.roles_on(host)
        roles.each do |role|
          begin
-            puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).logs(container_id: container_id, timestamps: timestamps, since: since, lines: lines, grep: grep, grep_options: grep_options))
+            puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).logs(timestamps: timestamps, since: since, lines: lines, grep: grep, grep_options: grep_options))
          rescue SSHKit::Command::Failed
            puts_by_host host, "Nothing found"
          end
@@ -261,44 +233,14 @@ class Kamal::Cli::App < Kamal::Cli::Base
      stop
      remove_containers
      remove_images
-      remove_app_directories
+      remove_app_directory
    end
  end
  desc "live", "Set the app to live mode"
  def live
    with_lock do
      on(KAMAL.proxy_hosts) do |host|
        roles = KAMAL.roles_on(host)
        roles.each do |role|
          execute *KAMAL.app(role: role, host: host).live if role.running_proxy?
        end
      end
    end
  end
  desc "maintenance", "Set the app to maintenance mode"
  option :drain_timeout, type: :numeric, desc: "How long to allow in-flight requests to complete (defaults to drain_timeout from config)"
  option :message, type: :string, desc: "Message to display to clients while stopped"
  def maintenance
    maintenance_options = { drain_timeout: options[:drain_timeout] || KAMAL.config.drain_timeout, message: options[:message] }
    with_lock do
      on(KAMAL.proxy_hosts) do |host|
        roles = KAMAL.roles_on(host)
        roles.each do |role|
          execute *KAMAL.app(role: role, host: host).maintenance(**maintenance_options) if role.running_proxy?
        end
      end
    end
  end
  desc "remove_container [VERSION]", "Remove app container with given version from servers", hide: true
  def remove_container(version)
    with_lock do
-      on(KAMAL.app_hosts) do |host|
+      on(KAMAL.hosts) do |host|
        roles = KAMAL.roles_on(host)
        roles.each do |role|
@@ -312,7 +254,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
  desc "remove_containers", "Remove all app containers from servers", hide: true
  def remove_containers
    with_lock do
-      on(KAMAL.app_hosts) do |host|
+      on(KAMAL.hosts) do |host|
        roles = KAMAL.roles_on(host)
        roles.each do |role|
@@ -326,33 +268,30 @@ class Kamal::Cli::App < Kamal::Cli::Base
  desc "remove_images", "Remove all app images from servers", hide: true
  def remove_images
    with_lock do
-      on(KAMAL.app_hosts) do
+      on(KAMAL.hosts) do
        execute *KAMAL.auditor.record("Removed all app images"), verbosity: :debug
        execute *KAMAL.app.remove_images
      end
    end
  end
-  desc "remove_app_directories", "Remove the app directories from servers", hide: true
+  desc "remove_app_directory", "Remove the service directory from servers", hide: true
-  def remove_app_directories
+  def remove_app_directory
    with_lock do
-      on(KAMAL.app_hosts) do |host|
+      on(KAMAL.hosts) do |host|
        roles = KAMAL.roles_on(host)
        roles.each do |role|
-          execute *KAMAL.auditor.record("Removed #{KAMAL.config.app_directory}", role: role), verbosity: :debug
+          execute *KAMAL.auditor.record("Removed #{KAMAL.config.app_directory} on all servers", role: role), verbosity: :debug
          execute *KAMAL.server.remove_app_directory, raise_on_non_zero_exit: false
        end
        execute *KAMAL.auditor.record("Removed #{KAMAL.config.app_directory}"), verbosity: :debug
        execute *KAMAL.app.remove_proxy_app_directory, raise_on_non_zero_exit: false
      end
    end
  end
  desc "version", "Show app version currently running on servers"
  def version
-    on(KAMAL.app_hosts) do |host|
+    on(KAMAL.hosts) do |host|
      role = KAMAL.roles_on(host).first
      puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).current_running_version).strip
    end
@@ -393,8 +332,4 @@ class Kamal::Cli::App < Kamal::Cli::Base
        yield
      end
    end
    def host_boot_groups
      KAMAL.config.boot.limit ? KAMAL.app_hosts.each_slice(KAMAL.config.boot.limit).to_a : [ KAMAL.app_hosts ]
    end
 end
--- a/lib/kamal/cli/app/boot.rb
+++ b/lib/kamal/cli/app/boot.rb
@@ -45,7 +45,7 @@ class Kamal::Cli::App::Boot
    def start_new_version
      audit "Booted app version #{version}"
-      hostname = "#{host.to_s[0...51].chomp(".")}-#{SecureRandom.hex(6)}"
+      hostname = "#{host.to_s[0...51].gsub(/\.+$/, '')}-#{SecureRandom.hex(6)}"
      execute *app.ensure_env_directory
      upload! role.secrets_io(host), role.secrets_path, mode: "0600"
@@ -70,7 +70,6 @@ class Kamal::Cli::App::Boot
    def stop_old_version(version)
      execute *app.stop(version: version), raise_on_non_zero_exit: false
      execute *app.clean_up_assets if assets?
      execute *app.clean_up_error_pages if KAMAL.config.error_pages_path
    end
    def release_barrier
@@ -92,7 +91,7 @@ class Kamal::Cli::App::Boot
      if barrier.close
        info "First #{KAMAL.primary_role} container is unhealthy on #{host}, not booting any other roles"
        begin
-          error capture_with_info(*app.logs(container_id: app.container_id_for_version(version)))
+          error capture_with_info(*app.logs(version: version))
          error capture_with_info(*app.container_health_log(version: version))
        rescue SSHKit::Command::Failed
          error "Could not fetch logs for #{version}"
--- a/lib/kamal/cli/app/error_pages.rb
+++ b/lib/kamal/cli/app/error_pages.rb
@@ -1,33 +0,0 @@
 class Kamal::Cli::App::ErrorPages
  ERROR_PAGES_GLOB = "{4??.html,5??.html}"
  attr_reader :host, :sshkit
  delegate :upload!, :execute, to: :sshkit
  def initialize(host, sshkit)
    @host = host
    @sshkit = sshkit
  end
  def run
    if KAMAL.config.error_pages_path
      with_error_pages_tmpdir do |local_error_pages_dir|
        execute *KAMAL.app.create_error_pages_directory
        upload! local_error_pages_dir, KAMAL.config.proxy_boot.error_pages_directory, mode: "0700", recursive: true
      end
    end
  end
  private
    def with_error_pages_tmpdir
      Dir.mktmpdir("kamal-error-pages") do |tmpdir|
        error_pages_dir = File.join(tmpdir, KAMAL.config.version)
        FileUtils.mkdir(error_pages_dir)
        if (files = Dir[File.join(KAMAL.config.error_pages_path, ERROR_PAGES_GLOB)]).any?
          FileUtils.cp(files, error_pages_dir)
          yield error_pages_dir
        end
      end
    end
 end
--- a/lib/kamal/cli/app/prepare_assets.rb
+++ b/lib/kamal/cli/app/prepare_assets.rb
@@ -1,4 +1,4 @@
-class Kamal::Cli::App::Assets
+class Kamal::Cli::App::PrepareAssets
  attr_reader :host, :role, :sshkit
  delegate :execute, :capture_with_info, :info, to: :sshkit
  delegate :assets?, to: :role
--- a/lib/kamal/cli/app/ssl_certificates.rb
+++ b/lib/kamal/cli/app/ssl_certificates.rb
@@ -1,28 +0,0 @@
 class Kamal::Cli::App::SslCertificates
  attr_reader :host, :role, :sshkit
  delegate :execute, :info, :upload!, to: :sshkit
  def initialize(host, role, sshkit)
    @host = host
    @role = role
    @sshkit = sshkit
  end
  def run
    if role.running_proxy? && role.proxy.custom_ssl_certificate?
      info "Writing SSL certificates for #{role.name} on #{host}"
      execute *app.create_ssl_directory
      if cert_content = role.proxy.certificate_pem_content
        upload!(StringIO.new(cert_content), role.proxy.host_tls_cert, mode: "0644")
      end
      if key_content = role.proxy.private_key_pem_content
        upload!(StringIO.new(key_content), role.proxy.host_tls_key, mode: "0644")
      end
    end
  end
  private
    def app
      @app ||= KAMAL.app(role: role, host: host)
    end
 end
--- a/lib/kamal/cli/base.rb
+++ b/lib/kamal/cli/base.rb
@@ -5,7 +5,7 @@ module Kamal::Cli
  class Base < Thor
    include SSHKit::DSL
-    def self.exit_on_failure?() true end
+    def self.exit_on_failure?() false end
    def self.dynamic_command_class() Kamal::Cli::Alias::Command end
    class_option :verbose, type: :boolean, aliases: "-v", desc: "Detailed logging"
@@ -30,7 +30,6 @@ module Kamal::Cli
      else
        super
      end
      initialize_commander unless KAMAL.configured?
    end
@@ -133,13 +132,7 @@ module Kamal::Cli
      def run_hook(hook, **extra_details)
        if !options[:skip_hooks] && KAMAL.hook.hook_exists?(hook)
-          details = {
+          details = { hosts: KAMAL.hosts.join(","), command: command, subcommand: subcommand }
            hosts: KAMAL.hosts.join(","),
            roles: KAMAL.specific_roles&.join(","),
            lock: KAMAL.holding_lock?.to_s,
            command: command,
            subcommand: subcommand
          }.compact
          say "Running the #{hook} hook...", :magenta
          with_env KAMAL.hook.env(**details, **extra_details) do
@@ -153,16 +146,12 @@ module Kamal::Cli
      end
      def on(*args, &block)
        pre_connect_if_required
        super
      end
      def pre_connect_if_required
        if !KAMAL.connected?
          run_hook "pre-connect"
          KAMAL.connected = true
        end
        super
      end
      def command
@@ -205,19 +194,5 @@ module Kamal::Cli
        ENV.clear
        ENV.update(current_env)
      end
      def ensure_docker_installed
        run_locally do
          begin
            execute *KAMAL.builder.ensure_docker_installed
          rescue SSHKit::Command::Failed => e
            error = e.message =~ /command not found/ ?
              "Docker is not installed locally" :
              "Docker buildx plugin is not installed locally"
            raise DependencyError, error
          end
        end
      end
  end
 end
--- a/lib/kamal/cli/build.rb
+++ b/lib/kamal/cli/build.rb
@@ -5,22 +5,15 @@ class Kamal::Cli::Build < Kamal::Cli::Base
  desc "deliver", "Build app and push app image to registry then pull image on servers"
  def deliver
-    invoke :push
+    push
-    invoke :pull
+    pull
  end
  desc "push", "Build and push app image to registry"
  option :output, type: :string, default: "registry", banner: "export_type", desc: "Exported type for the build result, and may be any exported type supported by 'buildx --output'."
  def push
    cli = self
-    # Ensure pre-connect hooks run before the build, they may needed for a remote builder
+    verify_local_dependencies
    # or the pre-build hooks.
    pre_connect_if_required
    ensure_docker_installed
    login_to_registry_locally
    run_hook "pre-build"
    uncommitted_changes = Kamal::Git.uncommitted_changes
@@ -56,7 +49,7 @@ class Kamal::Cli::Build < Kamal::Cli::Base
        end
        # Get the command here to ensure the Dir.chdir doesn't interfere with it
-        push = KAMAL.builder.push(cli.options[:output])
+        push = KAMAL.builder.push
        KAMAL.with_verbosity(:debug) do
          Dir.chdir(KAMAL.config.builder.build_directory) { execute *push }
@@ -67,18 +60,14 @@ class Kamal::Cli::Build < Kamal::Cli::Base
  desc "pull", "Pull app image from registry onto servers"
  def pull
-    login_to_registry_remotely unless KAMAL.registry.local?
+    if (first_hosts = mirror_hosts).any?
-
+      #  Pull on a single host per mirror first to seed them
-    forward_local_registry_port do
+      say "Pulling image on #{first_hosts.join(", ")} to seed the #{"mirror".pluralize(first_hosts.count)}...", :magenta
-      if (first_hosts = mirror_hosts).any?
+      pull_on_hosts(first_hosts)
-        #  Pull on a single host per mirror first to seed them
+      say "Pulling image on remaining hosts...", :magenta
-        say "Pulling image on #{first_hosts.join(", ")} to seed the #{"mirror".pluralize(first_hosts.count)}...", :magenta
+      pull_on_hosts(KAMAL.hosts - first_hosts)
-        pull_on_hosts(first_hosts)
+    else
-        say "Pulling image on remaining hosts...", :magenta
+      pull_on_hosts(KAMAL.hosts)
        pull_on_hosts(KAMAL.app_hosts - first_hosts)
      else
        pull_on_hosts(KAMAL.app_hosts)
      end
    end
  end
@@ -119,42 +108,21 @@ class Kamal::Cli::Build < Kamal::Cli::Base
    end
  end
-  desc "dev", "Build using the working directory, tag it as dirty, and push to local image store."
+  private
-  option :output, type: :string, default: "docker", banner: "export_type", desc: "Exported type for the build result, and may be any exported type supported by 'buildx --output'."
+    def verify_local_dependencies
  def dev
    cli = self
    ensure_docker_installed
    docker_included_files = Set.new(Kamal::Docker.included_files)
    git_uncommitted_files = Set.new(Kamal::Git.uncommitted_files)
    git_untracked_files = Set.new(Kamal::Git.untracked_files)
    docker_uncommitted_files = docker_included_files & git_uncommitted_files
    if docker_uncommitted_files.any?
      say "WARNING: Files with uncommitted changes will be present in the dev container:", :yellow
      docker_uncommitted_files.sort.each { |f| say "  #{f}", :yellow }
      say
    end
    docker_untracked_files = docker_included_files & git_untracked_files
    if docker_untracked_files.any?
      say "WARNING: Untracked files will be present in the dev container:", :yellow
      docker_untracked_files.sort.each { |f| say "  #{f}", :yellow }
      say
    end
    with_env(KAMAL.config.builder.secrets) do
      run_locally do
-        build = KAMAL.builder.push(cli.options[:output], tag_as_dirty: true)
+        begin
-        KAMAL.with_verbosity(:debug) do
+          execute *KAMAL.builder.ensure_local_dependencies_installed
-          execute(*build)
+        rescue SSHKit::Command::Failed => e
          build_error = e.message =~ /command not found/ ?
            "Docker is not installed locally" :
            "Docker buildx plugin is not installed locally"
          raise BuildError, build_error
        end
      end
    end
  end
  private
    def connect_to_remote_host(remote_host)
      remote_uri = URI.parse(remote_host)
      if remote_uri.scheme == "ssh"
@@ -169,9 +137,9 @@ class Kamal::Cli::Build < Kamal::Cli::Base
    end
    def mirror_hosts
-      if KAMAL.app_hosts.many?
+      if KAMAL.hosts.many?
        mirror_hosts = Concurrent::Hash.new
-        on(KAMAL.app_hosts) do |host|
+        on(KAMAL.hosts) do |host|
          first_mirror = capture_with_info(*KAMAL.builder.first_mirror).strip.presence
          mirror_hosts[first_mirror] ||= host.to_s if first_mirror
        rescue SSHKit::Command::Failed => e
@@ -191,30 +159,4 @@ class Kamal::Cli::Build < Kamal::Cli::Base
        execute *KAMAL.builder.validate_image
      end
    end
    def login_to_registry_locally
      run_locally do
        if KAMAL.registry.local?
          execute *KAMAL.registry.setup
        else
          execute *KAMAL.registry.login
        end
      end
    end
    def login_to_registry_remotely
      on(KAMAL.app_hosts) do
        execute *KAMAL.registry.login
      end
    end
    def forward_local_registry_port(&block)
      if KAMAL.config.registry.local?
        Kamal::Cli::PortForwarding.
          new(KAMAL.hosts, KAMAL.config.registry.local_port).
          forward(&block)
      else
        yield
      end
    end
 end
--- a/lib/kamal/cli/main.rb
+++ b/lib/kamal/cli/main.rb
@@ -9,17 +9,21 @@ class Kamal::Cli::Main < Kamal::Cli::Base
        say "Ensure Docker is installed...", :magenta
        invoke "kamal:cli:server:bootstrap", [], invoke_options
-        deploy(boot_accessories: true)
+        invoke "kamal:cli:accessory:boot", [ "all" ], invoke_options
        deploy
      end
    end
  end
  desc "deploy", "Deploy app to servers"
  option :skip_push, aliases: "-P", type: :boolean, default: false, desc: "Skip image build and push"
-  def deploy(boot_accessories: false)
+  def deploy
    runtime = print_runtime do
      invoke_options = deploy_options
      say "Log into image registry...", :magenta
      invoke "kamal:cli:registry:login", [], invoke_options.merge(skip_local: options[:skip_push])
      if options[:skip_push]
        say "Pull app image...", :magenta
        invoke "kamal:cli:build:pull", [], invoke_options
@@ -34,8 +38,6 @@ class Kamal::Cli::Main < Kamal::Cli::Base
        say "Ensure kamal-proxy is running...", :magenta
        invoke "kamal:cli:proxy:boot", [], invoke_options
        invoke "kamal:cli:accessory:boot", [ "all" ], invoke_options if boot_accessories
        say "Detect stale containers...", :magenta
        invoke "kamal:cli:app:stale_containers", [], invoke_options.merge(stop: true)
@@ -49,7 +51,7 @@ class Kamal::Cli::Main < Kamal::Cli::Base
    run_hook "post-deploy", secrets: true, runtime: runtime.round.to_s
  end
-  desc "redeploy", "Deploy app to servers without bootstrapping servers, starting kamal-proxy and pruning"
+  desc "redeploy", "Deploy app to servers without bootstrapping servers, starting kamal-proxy, pruning, and registry login"
  option :skip_push, aliases: "-P", type: :boolean, default: false, desc: "Skip image build and push"
  def redeploy
    runtime = print_runtime do
@@ -133,7 +135,7 @@ class Kamal::Cli::Main < Kamal::Cli::Base
    puts "No documentation found for #{section}"
  end
-  desc "init", "Create config stub in config/deploy.yml and secrets stub in .kamal"
+  desc "init", "Create config stub in config/deploy.yml and env stub in .env"
  option :bundle, type: :boolean, default: false, desc: "Add Kamal to the Gemfile and create a bin/kamal binstub"
  def init
    require "fileutils"
@@ -182,7 +184,7 @@ class Kamal::Cli::Main < Kamal::Cli::Base
        invoke "kamal:cli:app:remove", [], options.without(:confirmed)
        invoke "kamal:cli:proxy:remove", [], options.without(:confirmed)
        invoke "kamal:cli:accessory:remove", [ "all" ], options
-        invoke "kamal:cli:registry:remove", [], options.without(:confirmed).merge(skip_local: true)
+        invoke "kamal:cli:registry:logout", [], options.without(:confirmed).merge(skip_local: true)
      end
    end
  end
@@ -194,10 +196,10 @@ class Kamal::Cli::Main < Kamal::Cli::Base
    confirming "This will replace Traefik with kamal-proxy and restart all accessories" do
      with_lock do
        if options[:rolling]
-          KAMAL.hosts.each do |host|
+          (KAMAL.hosts | KAMAL.accessory_hosts).each do |host|
            KAMAL.with_specific_hosts(host) do
              say "Upgrading #{host}...", :magenta
-              if KAMAL.app_hosts.include?(host)
+              if KAMAL.hosts.include?(host)
                invoke "kamal:cli:proxy:upgrade", [], options.merge(confirmed: true, rolling: false)
                reset_invocation(Kamal::Cli::Proxy)
              end
@@ -253,7 +255,7 @@ class Kamal::Cli::Main < Kamal::Cli::Base
  private
    def container_available?(version)
      begin
-        on(KAMAL.app_hosts) do
+        on(KAMAL.hosts) do
          KAMAL.roles_on(host).each do |role|
            container_id = capture_with_info(*KAMAL.app(role: role, host: host).container_id_for_version(version))
            raise "Container not found" unless container_id.present?
--- a/lib/kamal/cli/port_forwarding.rb
+++ b/lib/kamal/cli/port_forwarding.rb
@@ -1,42 +0,0 @@
 class Kamal::Cli::PortForwarding
 	attr_reader :hosts, :port
 	def initialize(hosts, port)
 		@hosts = hosts
 		@port = port
 	end
 	def forward
 		@done = false
 		forward_ports
 		yield
 	ensure
 		stop
 	end
 	private
 	def stop
 		@done = true
 		@threads.to_a.each(&:join)
 	end
 	def forward_ports
 		@threads = hosts.map do |host|
 			Thread.new do
 				Net::SSH.start(host, KAMAL.config.ssh.user) do |ssh|
 					ssh.forward.remote(port, "127.0.0.1", port)
 					ssh.loop(0.1) do
 						if @done
 							ssh.forward.cancel_remote(port)
 							break
 						else
 							true
 						end
 					end
 				end
 			end
 		end
 	end
 end
--- a/lib/kamal/cli/proxy.rb
+++ b/lib/kamal/cli/proxy.rb
@@ -13,93 +13,14 @@ class Kamal::Cli::Proxy < Kamal::Cli::Base
        version = capture_with_info(*KAMAL.proxy.version).strip.presence
-        if version && Kamal::Utils.older_version?(version, Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION)
+        if version && Kamal::Utils.older_version?(version, Kamal::Configuration::PROXY_MINIMUM_VERSION)
-          raise "kamal-proxy version #{version} is too old, run `kamal proxy reboot` in order to update to at least #{Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION}"
+          raise "kamal-proxy version #{version} is too old, please reboot to update to at least #{Kamal::Configuration::PROXY_MINIMUM_VERSION}"
        end
        execute *KAMAL.proxy.ensure_apps_config_directory
        execute *KAMAL.proxy.start_or_run
      end
    end
  end
  desc "boot_config <set|get|reset>", "Manage kamal-proxy boot configuration"
  option :publish, type: :boolean, default: true, desc: "Publish the proxy ports on the host"
  option :publish_host_ip, type: :string, repeatable: true, default: nil, desc: "Host IP address to bind HTTP/HTTPS traffic to. Defaults to all interfaces"
  option :http_port, type: :numeric, default: Kamal::Configuration::Proxy::Boot::DEFAULT_HTTP_PORT, desc: "HTTP port to publish on the host"
  option :https_port, type: :numeric, default: Kamal::Configuration::Proxy::Boot::DEFAULT_HTTPS_PORT, desc: "HTTPS port to publish on the host"
  option :log_max_size, type: :string, default: Kamal::Configuration::Proxy::Boot::DEFAULT_LOG_MAX_SIZE, desc: "Max size of proxy logs"
  option :registry, type: :string, default: nil, desc: "Registry to use for the proxy image"
  option :repository, type: :string, default: nil, desc: "Repository for the proxy image"
  option :image_version, type: :string, default: nil, desc: "Version of the proxy to run"
  option :metrics_port, type: :numeric, default: nil, desc: "Port to report prometheus metrics on"
  option :debug, type: :boolean, default: false, desc: "Whether to run the proxy in debug mode"
  option :docker_options, type: :array, default: [], desc: "Docker options to pass to the proxy container", banner: "option=value option2=value2"
  def boot_config(subcommand)
    proxy_boot_config = KAMAL.config.proxy_boot
    case subcommand
    when "set"
      boot_options = [
        *(proxy_boot_config.publish_args(options[:http_port], options[:https_port], options[:publish_host_ip]) if options[:publish]),
        *(proxy_boot_config.logging_args(options[:log_max_size])),
        *("--expose=#{options[:metrics_port]}" if options[:metrics_port]),
        *options[:docker_options].map { |option| "--#{option}" }
      ]
      image = [
        options[:registry].presence,
        options[:repository].presence || proxy_boot_config.repository_name,
        proxy_boot_config.image_name
      ].compact.join("/")
      image_version = options[:image_version]
      run_command_options = { debug: options[:debug] || nil, "metrics-port": options[:metrics_port] }.compact
      run_command = "kamal-proxy run #{Kamal::Utils.optionize(run_command_options).join(" ")}" if run_command_options.any?
      on(KAMAL.proxy_hosts) do |host|
        execute(*KAMAL.proxy.ensure_proxy_directory)
        if boot_options != proxy_boot_config.default_boot_options
          upload! StringIO.new(boot_options.join(" ")), proxy_boot_config.options_file
        else
          execute *KAMAL.proxy.reset_boot_options, raise_on_non_zero_exit: false
        end
        if image != proxy_boot_config.image_default
          upload! StringIO.new(image), proxy_boot_config.image_file
        else
          execute *KAMAL.proxy.reset_image, raise_on_non_zero_exit: false
        end
        if image_version
          upload! StringIO.new(image_version), proxy_boot_config.image_version_file
        else
          execute *KAMAL.proxy.reset_image_version, raise_on_non_zero_exit: false
        end
        if run_command
          upload! StringIO.new(run_command), proxy_boot_config.run_command_file
        else
          execute *KAMAL.proxy.reset_run_command, raise_on_non_zero_exit: false
        end
      end
    when "get"
      on(KAMAL.proxy_hosts) do |host|
        puts "Host #{host}: #{capture_with_info(*KAMAL.proxy.boot_config)}"
      end
    when "reset"
      on(KAMAL.proxy_hosts) do |host|
        execute *KAMAL.proxy.reset_boot_options, raise_on_non_zero_exit: false
        execute *KAMAL.proxy.reset_image, raise_on_non_zero_exit: false
        execute *KAMAL.proxy.reset_image_version, raise_on_non_zero_exit: false
        execute *KAMAL.proxy.reset_run_command, raise_on_non_zero_exit: false
      end
    else
      raise ArgumentError, "Unknown boot_config subcommand #{subcommand}"
    end
  end
  desc "reboot", "Reboot proxy on servers (stop container, remove container, start new container)"
  option :rolling, type: :boolean, default: false, desc: "Reboot proxy on hosts in sequence, rather than in parallel"
  option :confirmed, aliases: "-y", type: :boolean, default: false, desc: "Proceed without confirmation question"
@@ -114,12 +35,26 @@ class Kamal::Cli::Proxy < Kamal::Cli::Base
            execute *KAMAL.auditor.record("Rebooted proxy"), verbosity: :debug
            execute *KAMAL.registry.login
            "Stopping and removing Traefik on #{host}, if running..."
            execute *KAMAL.proxy.cleanup_traefik
            "Stopping and removing kamal-proxy on #{host}, if running..."
            execute *KAMAL.proxy.stop, raise_on_non_zero_exit: false
            execute *KAMAL.proxy.remove_container
            execute *KAMAL.proxy.ensure_apps_config_directory
            execute *KAMAL.proxy.run
            KAMAL.roles_on(host).select(&:running_proxy?).each do |role|
              app = KAMAL.app(role: role, host: host)
              version = capture_with_info(*app.current_running_version, raise_on_non_zero_exit: false).strip
              endpoint = capture_with_info(*app.container_id_for_version(version)).strip
              if endpoint.present?
                info "Deploying #{endpoint} for role `#{role}` on #{host}..."
                execute *app.deploy(target: endpoint)
              end
            end
          end
          run_hook "post-proxy-reboot", hosts: host_list
        end
@@ -234,7 +169,6 @@ class Kamal::Cli::Proxy < Kamal::Cli::Base
        stop
        remove_container
        remove_image
        remove_proxy_directory
      end
    end
  end
@@ -259,15 +193,6 @@ class Kamal::Cli::Proxy < Kamal::Cli::Base
    end
  end
  desc "remove_proxy_directory", "Remove the proxy directory from servers", hide: true
  def remove_proxy_directory
    with_lock do
      on(KAMAL.proxy_hosts) do
        execute *KAMAL.proxy.remove_proxy_directory, raise_on_non_zero_exit: false
      end
    end
  end
  private
    def removal_allowed?(force)
      on(KAMAL.proxy_hosts) do |host|
--- a/lib/kamal/cli/registry.rb
+++ b/lib/kamal/cli/registry.rb
@@ -1,27 +1,17 @@
 class Kamal::Cli::Registry < Kamal::Cli::Base
-  desc "setup", "Setup local registry or log in to remote registry locally and remotely"
+  desc "login", "Log in to registry locally and remotely"
  option :skip_local, aliases: "-L", type: :boolean, default: false, desc: "Skip local login"
  option :skip_remote, aliases: "-R", type: :boolean, default: false, desc: "Skip remote login"
-  def setup
+  def login
-    ensure_docker_installed unless options[:skip_local]
+    run_locally    { execute *KAMAL.registry.login } unless options[:skip_local]
-
+    on(KAMAL.hosts) { execute *KAMAL.registry.login } unless options[:skip_remote]
    if KAMAL.registry.local?
      run_locally    { execute *KAMAL.registry.setup } unless options[:skip_local]
    else
      run_locally    { execute *KAMAL.registry.login } unless options[:skip_local]
      on(KAMAL.hosts) { execute *KAMAL.registry.login } unless options[:skip_remote]
    end
  end
-  desc "remove", "Remove local registry or log out of remote registry locally and remotely"
+  desc "logout", "Log out of registry locally and remotely"
  option :skip_local, aliases: "-L", type: :boolean, default: false, desc: "Skip local login"
  option :skip_remote, aliases: "-R", type: :boolean, default: false, desc: "Skip remote login"
-  def remove
+  def logout
-    if KAMAL.registry.local?
+    run_locally    { execute *KAMAL.registry.logout } unless options[:skip_local]
-      run_locally    { execute *KAMAL.registry.remove, raise_on_non_zero_exit: false } unless options[:skip_local]
+    on(KAMAL.hosts) { execute *KAMAL.registry.logout } unless options[:skip_remote]
    else
      run_locally    { execute *KAMAL.registry.logout } unless options[:skip_local]
      on(KAMAL.hosts) { execute *KAMAL.registry.logout } unless options[:skip_remote]
    end
  end
 end
--- a/lib/kamal/cli/secrets.rb
+++ b/lib/kamal/cli/secrets.rb
@@ -1,17 +1,11 @@
 class Kamal::Cli::Secrets < Kamal::Cli::Base
  desc "fetch [SECRETS...]", "Fetch secrets from a vault"
  option :adapter, type: :string, aliases: "-a", required: true, desc: "Which vault adapter to use"
-  option :account, type: :string, required: false, desc: "The account identifier or username"
+  option :account, type: :string, required: true, desc: "The account identifier or username"
  option :from, type: :string, required: false, desc: "A vault or folder to fetch the secrets from"
  option :inline, type: :boolean, required: false, hidden: true
  def fetch(*secrets)
-    adapter = initialize_adapter(options[:adapter])
+    results = adapter(options[:adapter]).fetch(secrets, **options.slice(:account, :from).symbolize_keys)
    if adapter.requires_account? && options[:account].blank?
      return puts "No value provided for required options '--account'"
    end
    results = adapter.fetch(secrets, **options.slice(:account, :from).symbolize_keys)
    return_or_puts JSON.dump(results).shellescape, inline: options[:inline]
  end
@@ -27,15 +21,8 @@ class Kamal::Cli::Secrets < Kamal::Cli::Base
    return_or_puts value, inline: options[:inline]
  end
  desc "print", "Print the secrets (for debugging)"
  def print
    KAMAL.config.secrets.to_h.each do |key, value|
      puts "#{key}=#{value}"
    end
  end
  private
-    def initialize_adapter(adapter)
+    def adapter(adapter)
      Kamal::Secrets::Adapters.lookup(adapter)
    end
--- a/lib/kamal/cli/server.rb
+++ b/lib/kamal/cli/server.rb
@@ -2,10 +2,8 @@ class Kamal::Cli::Server < Kamal::Cli::Base
  desc "exec", "Run a custom command on the server (use --help to show options)"
  option :interactive, type: :boolean, aliases: "-i", default: false, desc: "Run the command interactively (use for console/bash)"
  def exec(*cmd)
    pre_connect_if_required
    cmd = Kamal::Utils.join_commands(cmd)
-    hosts = KAMAL.hosts
+    hosts = KAMAL.hosts | KAMAL.accessory_hosts
    case
    when options[:interactive]
@@ -29,7 +27,7 @@ class Kamal::Cli::Server < Kamal::Cli::Base
    with_lock do
      missing = []
-      on(KAMAL.hosts) do |host|
+      on(KAMAL.hosts | KAMAL.accessory_hosts) do |host|
        unless execute(*KAMAL.docker.installed?, raise_on_non_zero_exit: false)
          if execute(*KAMAL.docker.superuser?, raise_on_non_zero_exit: false)
            info "Missing Docker on #{host}. Installing…"
--- a/lib/kamal/cli/templates/deploy.yml
+++ b/lib/kamal/cli/templates/deploy.yml
@@ -13,33 +13,26 @@ servers:
  #     - 192.168.0.1
  #   cmd: bin/jobs
-# Enable SSL auto certification via Let's Encrypt and allow for multiple apps on a single web server.
+# Enable SSL auto certification via Let's Encrypt (and allow for multiple apps on one server).
-# Remove this section when using multiple web servers and ensure you terminate SSL at your load balancer.
+# Set ssl: false if using something like Cloudflare to terminate SSL (but keep host!).
 #
 # Note: If using Cloudflare, set encryption mode in SSL/TLS setting to "Full" to enable CF-to-app encryption.
 proxy:
  ssl: true
  host: app.example.com
  # Proxy connects to your container on port 80 by default.
  # app_port: 3000
 # Credentials for your image host.
 registry:
  server: localhost:5555
  # Specify the registry server, if you're not using Docker Hub
  # server: registry.digitalocean.com / ghcr.io / ...
-  # username: my-user
+  username: my-user
  # Always use an access token rather than real password (pulled from .kamal/secrets).
-  # password:
+  password:
-  #   - KAMAL_REGISTRY_PASSWORD
+    - KAMAL_REGISTRY_PASSWORD
 # Configure builder setup.
 builder:
  arch: amd64
-  # Pass in additional build args needed for your Dockerfile.
+
  # args:
  #   RUBY_VERSION: <%= ENV["RBENV_VERSION"] || ENV["rvm_ruby_string"] || "#{RUBY_ENGINE}-#{RUBY_ENGINE_VERSION}" %>
 # Inject ENV variables into containers (secrets come from .kamal/secrets).
 #
 # env:
@@ -49,7 +42,7 @@ builder:
 #     - RAILS_MASTER_KEY
 # Aliases are triggered with "bin/kamal <alias>". You can overwrite arguments on invocation:
-# "bin/kamal app logs -r job" will tail logs from the first server in the job section.
+# "bin/kamal logs -r job" will tail logs from the first server in the job section.
 #
 # aliases:
 #   shell: app exec --interactive --reuse "bash"
@@ -94,7 +87,7 @@ builder:
 #     directories:
 #       - data:/var/lib/mysql
 #   redis:
-#     image: valkey/valkey:8
+#     image: redis:7.0
 #     host: 192.168.0.2
 #     port: 6379
 #     directories:
--- a/lib/kamal/cli/templates/sample_hooks/docker-setup.sample
+++ b/lib/kamal/cli/templates/sample_hooks/docker-setup.sample
@@ -1,3 +1,13 @@
-#!/bin/sh
+#!/usr/bin/env ruby
-echo "Docker set up on $KAMAL_HOSTS..."
+# A sample docker-setup hook
 #
 # Sets up a Docker network on defined hosts which can then be used by the application’s containers
 hosts = ENV["KAMAL_HOSTS"].split(",")
 hosts.each do |ip|
  destination = "root@#{ip}"
  puts "Creating a Docker network \"kamal\" on #{destination}"
  `ssh #{destination} docker network create kamal`
 end
--- a/lib/kamal/cli/templates/sample_hooks/post-app-boot.sample
+++ b/lib/kamal/cli/templates/sample_hooks/post-app-boot.sample
@@ -1,3 +0,0 @@
 #!/bin/sh
 echo "Booted app version $KAMAL_VERSION on $KAMAL_HOSTS..."
--- a/lib/kamal/cli/templates/sample_hooks/post-deploy.sample
+++ b/lib/kamal/cli/templates/sample_hooks/post-deploy.sample
@@ -7,7 +7,7 @@
 # KAMAL_PERFORMER
 # KAMAL_VERSION
 # KAMAL_HOSTS
-# KAMAL_ROLES (if set)
+# KAMAL_ROLE (if set)
 # KAMAL_DESTINATION (if set)
 # KAMAL_RUNTIME
--- a/lib/kamal/cli/templates/sample_hooks/pre-app-boot.sample
+++ b/lib/kamal/cli/templates/sample_hooks/pre-app-boot.sample
@@ -1,3 +0,0 @@
 #!/bin/sh
 echo "Booting app version $KAMAL_VERSION on $KAMAL_HOSTS..."
--- a/lib/kamal/cli/templates/sample_hooks/pre-build.sample
+++ b/lib/kamal/cli/templates/sample_hooks/pre-build.sample
@@ -13,7 +13,7 @@
 # KAMAL_PERFORMER
 # KAMAL_VERSION
 # KAMAL_HOSTS
-# KAMAL_ROLES (if set)
+# KAMAL_ROLE (if set)
 # KAMAL_DESTINATION (if set)
 if [ -n "$(git status --porcelain)" ]; then
--- a/lib/kamal/cli/templates/sample_hooks/pre-connect.sample
+++ b/lib/kamal/cli/templates/sample_hooks/pre-connect.sample
@@ -9,7 +9,7 @@
 # KAMAL_PERFORMER
 # KAMAL_VERSION
 # KAMAL_HOSTS
-# KAMAL_ROLES (if set)
+# KAMAL_ROLE (if set)
 # KAMAL_DESTINATION (if set)
 # KAMAL_RUNTIME
--- a/lib/kamal/cli/templates/sample_hooks/pre-deploy.sample
+++ b/lib/kamal/cli/templates/sample_hooks/pre-deploy.sample
@@ -13,7 +13,7 @@
 # KAMAL_HOSTS
 # KAMAL_COMMAND
 # KAMAL_SUBCOMMAND
-# KAMAL_ROLES (if set)
+# KAMAL_ROLE (if set)
 # KAMAL_DESTINATION (if set)
 # Only check the build status for production deployments
@@ -43,7 +43,7 @@ class GithubStatusChecks
  attr_reader :remote_url, :git_sha, :github_client, :combined_status
  def initialize
-    @remote_url = github_repo_from_remote_url
+    @remote_url = `git config --get remote.origin.url`.strip.delete_prefix("https://github.com/")
    @git_sha = `git rev-parse HEAD`.strip
    @github_client = Octokit::Client.new(access_token: ENV["GITHUB_TOKEN"])
    refresh!
@@ -77,29 +77,16 @@ class GithubStatusChecks
      "Build not started..."
    end
  end
  private
    def github_repo_from_remote_url
      url = `git config --get remote.origin.url`.strip.delete_suffix(".git")
      if url.start_with?("https://github.com/")
        url.delete_prefix("https://github.com/")
      elsif url.start_with?("git@github.com:")
        url.delete_prefix("git@github.com:")
      else
        url
      end
    end
 end
 $stdout.sync = true
 puts "Checking build status..."
 attempts = 0
 checks = GithubStatusChecks.new
 begin
  puts "Checking build status..."
  attempts = 0
  checks = GithubStatusChecks.new
  loop do
    case checks.state
    when "success"
--- a/lib/kamal/cli/templates/sample_hooks/pre-proxy-reboot.sample
+++ b/lib/kamal/cli/templates/sample_hooks/pre-proxy-reboot.sample
@@ -1,3 +1,3 @@
 #!/bin/sh
-echo "Rebooting kamal-proxy on $KAMAL_HOSTS..."
+echo "Rebooting Traefik on $KAMAL_HOSTS..."
--- a/lib/kamal/cli/templates/secrets
+++ b/lib/kamal/cli/templates/secrets
@@ -3,7 +3,7 @@
 # password manager, ENV, or a file. DO NOT ENTER RAW CREDENTIALS HERE! This file needs to be safe for git.
 # Option 1: Read secrets from the environment
-# KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
+KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
 # Option 2: Read secrets via a command
 # RAILS_MASTER_KEY=$(cat config/master.key)
--- a/lib/kamal/commander.rb
+++ b/lib/kamal/commander.rb
@@ -4,24 +4,17 @@ require "active_support/core_ext/object/blank"
 class Kamal::Commander
  attr_accessor :verbosity, :holding_lock, :connected
-  attr_reader :specific_roles, :specific_hosts
+  delegate :hosts, :roles, :primary_host, :primary_role, :roles_on, :proxy_hosts, :accessory_hosts, to: :specifics
  delegate :hosts, :roles, :primary_host, :primary_role, :roles_on, :app_hosts, :proxy_hosts, :accessory_hosts, to: :specifics
  def initialize
    reset
  end
  def reset
    self.verbosity = :info
-    self.holding_lock = ENV["KAMAL_LOCK"] == "true"
+    self.holding_lock = false
    self.connected = false
-    @specifics = @specific_roles = @specific_hosts = nil
+    @specifics = nil
    @config = @config_kwargs = nil
    @commands = {}
  end
  def config
-    @config ||= Kamal::Configuration.create_from(**@config_kwargs.to_h).tap do |config|
+    @config ||= Kamal::Configuration.create_from(**@config_kwargs).tap do |config|
      @config_kwargs = nil
      configure_sshkit_with(config)
    end
@@ -35,6 +28,8 @@ class Kamal::Commander
    @config || @config_kwargs
  end
  attr_reader :specific_roles, :specific_hosts
  def specific_primary!
    @specifics = nil
    if specific_roles.present?
@@ -81,6 +76,11 @@ class Kamal::Commander
    config.accessories&.collect(&:name) || []
  end
  def accessories_on(host)
    config.accessories.select { |accessory| accessory.hosts.include?(host.to_s) }.map(&:name)
  end
  def app(role: nil, host: nil)
    Kamal::Commands::App.new(config, role: role, host: host)
  end
@@ -94,41 +94,42 @@ class Kamal::Commander
  end
  def builder
-    @commands[:builder] ||= Kamal::Commands::Builder.new(config)
+    @builder ||= Kamal::Commands::Builder.new(config)
  end
  def docker
-    @commands[:docker] ||= Kamal::Commands::Docker.new(config)
+    @docker ||= Kamal::Commands::Docker.new(config)
  end
  def hook
-    @commands[:hook] ||= Kamal::Commands::Hook.new(config)
+    @hook ||= Kamal::Commands::Hook.new(config)
  end
  def lock
-    @commands[:lock] ||= Kamal::Commands::Lock.new(config)
+    @lock ||= Kamal::Commands::Lock.new(config)
  end
  def proxy
-    @commands[:proxy] ||= Kamal::Commands::Proxy.new(config)
+    @proxy ||= Kamal::Commands::Proxy.new(config)
  end
  def prune
-    @commands[:prune] ||= Kamal::Commands::Prune.new(config)
+    @prune ||= Kamal::Commands::Prune.new(config)
  end
  def registry
-    @commands[:registry] ||= Kamal::Commands::Registry.new(config)
+    @registry ||= Kamal::Commands::Registry.new(config)
  end
  def server
-    @commands[:server] ||= Kamal::Commands::Server.new(config)
+    @server ||= Kamal::Commands::Server.new(config)
  end
  def alias(name)
    config.aliases[name]
  end
  def with_verbosity(level)
    old_level = self.verbosity
@@ -141,6 +142,14 @@ class Kamal::Commander
    SSHKit.config.output_verbosity = old_level
  end
  def boot_strategy
    if config.boot.limit.present?
      { in: :groups, limit: config.boot.limit, wait: config.boot.wait }
    else
      {}
    end
  end
  def holding_lock?
    self.holding_lock
  end
--- a/lib/kamal/commander/specifics.rb
+++ b/lib/kamal/commander/specifics.rb
@@ -11,17 +11,13 @@ class Kamal::Commander::Specifics
    @primary_role = primary_or_first_role(roles_on(primary_host))
    stable_sort!(roles) { |role| role == primary_role ? 0 : 1 }
-    sort_primary_role_hosts_first!(hosts)
+    stable_sort!(hosts) { |host| roles_on(host).any? { |role| role == primary_role } ? 0 : 1 }
  end
  def roles_on(host)
    roles.select { |role| role.hosts.include?(host.to_s) }
  end
  def app_hosts
    @app_hosts ||= sort_primary_role_hosts_first!(config.app_hosts & specified_hosts)
  end
  def proxy_hosts
    config.proxy_hosts & specified_hosts
  end
@@ -47,16 +43,7 @@ class Kamal::Commander::Specifics
    end
    def specified_hosts
-      specified_hosts = specific_hosts || config.all_hosts
+      (specific_hosts || config.all_hosts) \
-
+        .select { |host| (specific_roles || config.roles).flat_map(&:hosts).include?(host) }
      if (specific_role_hosts = specific_roles&.flat_map(&:hosts)).present?
        specified_hosts.select { |host| specific_role_hosts.include?(host) }
      else
        specified_hosts
      end
    end
    def sort_primary_role_hosts_first!(hosts)
      stable_sort!(hosts) { |host| roles_on(host).any? { |role| role == primary_role } ? 0 : 1 }
    end
 end
--- a/lib/kamal/commands/accessory.rb
+++ b/lib/kamal/commands/accessory.rb
@@ -1,10 +1,8 @@
 class Kamal::Commands::Accessory < Kamal::Commands::Base
  include Proxy
  attr_reader :accessory_config
  delegate :service_name, :image, :hosts, :port, :files, :directories, :cmd,
-           :network_args, :publish_args, :env_args, :volume_args, :label_args, :option_args,
+           :publish_args, :env_args, :volume_args, :label_args, :option_args,
-           :secrets_io, :secrets_path, :env_directory, :proxy, :running_proxy?, :registry,
+           :secrets_io, :secrets_path, :env_directory,
           to: :accessory_config
  def initialize(config, name:)
@@ -12,15 +10,14 @@ class Kamal::Commands::Accessory < Kamal::Commands::Base
    @accessory_config = config.accessory(name)
  end
-  def run(host: nil)
+  def run
    docker :run,
      "--name", service_name,
      "--detach",
      "--restart", "unless-stopped",
-      *network_args,
+      "--network", "kamal",
      *config.logging_args,
      *publish_args,
      *([ "--env", "KAMAL_HOST=\"#{host}\"" ] if host),
      *env_args,
      *volume_args,
      *label_args,
@@ -37,10 +34,11 @@ class Kamal::Commands::Accessory < Kamal::Commands::Base
    docker :container, :stop, service_name
  end
-  def info(all: false, quiet: false)
+  def info
-    docker :ps, *("-a" if all), *("-q" if quiet), *service_filter
+    docker :ps, *service_filter
  end
  def logs(timestamps: true, since: nil, lines: nil, grep: nil, grep_options: nil)
    pipe \
      docker(:logs, service_name, (" --since #{since}" if since), (" --tail #{lines}" if lines), ("--timestamps" if timestamps), "2>&1"),
@@ -54,18 +52,19 @@ class Kamal::Commands::Accessory < Kamal::Commands::Base
        (%(grep "#{grep}"#{" #{grep_options}" if grep_options}) if grep)
  end
  def execute_in_existing_container(*command, interactive: false)
    docker :exec,
-      (docker_interactive_args if interactive),
+      ("-it" if interactive),
      service_name,
      *command
  end
  def execute_in_new_container(*command, interactive: false)
    docker :run,
-      (docker_interactive_args if interactive),
+      ("-it" if interactive),
      "--rm",
-      *network_args,
+      "--network", "kamal",
      *env_args,
      *volume_args,
      image,
@@ -84,6 +83,7 @@ class Kamal::Commands::Accessory < Kamal::Commands::Base
    super command, host: hosts.first
  end
  def ensure_local_file_present(local_file)
    if !local_file.is_a?(StringIO) && !Pathname.new(local_file).exist?
      raise "Missing file: #{local_file}"
--- a/lib/kamal/commands/accessory/proxy.rb
+++ b/lib/kamal/commands/accessory/proxy.rb
@@ -1,16 +0,0 @@
 module Kamal::Commands::Accessory::Proxy
  delegate :container_name, to: :"config.proxy_boot", prefix: :proxy
  def deploy(target:)
    proxy_exec :deploy, service_name, *proxy.deploy_command_args(target: target)
  end
  def remove
    proxy_exec :remove, service_name
  end
  private
    def proxy_exec(*command)
      docker :exec, proxy_container_name, "kamal-proxy", *command
    end
 end
--- a/lib/kamal/commands/app.rb
+++ b/lib/kamal/commands/app.rb
@@ -1,5 +1,5 @@
 class Kamal::Commands::App < Kamal::Commands::Base
-  include Assets, Containers, ErrorPages, Execution, Images, Logging, Proxy
+  include Assets, Containers, Execution, Images, Logging, Proxy
  ACTIVE_DOCKER_STATUSES = [ :running, :restarting ]
@@ -20,9 +20,8 @@ class Kamal::Commands::App < Kamal::Commands::Base
      "--name", container_name,
      "--network", "kamal",
      *([ "--hostname", hostname ] if hostname),
-      "--env", "KAMAL_CONTAINER_NAME=\"#{container_name}\"",
+      "-e", "KAMAL_CONTAINER_NAME=\"#{container_name}\"",
-      "--env", "KAMAL_VERSION=\"#{config.version}\"",
+      "-e", "KAMAL_VERSION=\"#{config.version}\"",
      "--env", "KAMAL_HOST=\"#{host}\"",
      *role.env_args(host),
      *role.logging_args,
      *config.volume_args,
@@ -48,7 +47,7 @@ class Kamal::Commands::App < Kamal::Commands::Base
  end
  def info
-    docker :ps, *container_filter_args
+    docker :ps, *filter_args
  end
@@ -68,7 +67,7 @@ class Kamal::Commands::App < Kamal::Commands::Base
  def list_versions(*docker_args, statuses: nil)
    pipe \
-      docker(:ps, *container_filter_args(statuses: statuses), *docker_args, "--format", '"{{.Names}}"'),
+      docker(:ps, *filter_args(statuses: statuses), *docker_args, "--format", '"{{.Names}}"'),
      extract_version_from_name
  end
@@ -92,15 +91,11 @@ class Kamal::Commands::App < Kamal::Commands::Base
    end
    def latest_container(format:, filters: nil)
-      docker :ps, "--latest", *format, *container_filter_args(statuses: ACTIVE_DOCKER_STATUSES), argumentize("--filter", filters)
+      docker :ps, "--latest", *format, *filter_args(statuses: ACTIVE_DOCKER_STATUSES), argumentize("--filter", filters)
    end
-    def container_filter_args(statuses: nil)
+    def filter_args(statuses: nil)
-      argumentize "--filter", container_filters(statuses: statuses)
+      argumentize "--filter", filters(statuses: statuses)
    end
    def image_filter_args
      argumentize "--filter", image_filters
    end
    def extract_version_from_name
@@ -108,17 +103,13 @@ class Kamal::Commands::App < Kamal::Commands::Base
      %(while read line; do echo ${line##{role.container_prefix}-}; done)
    end
-    def container_filters(statuses: nil)
+    def filters(statuses: nil)
      [ "label=service=#{config.service}" ].tap do |filters|
-        filters << "label=destination=#{config.destination}"
+        filters << "label=destination=#{config.destination}" if config.destination
        filters << "label=role=#{role}" if role
        statuses&.each do |status|
          filters << "status=#{status}"
        end
      end
    end
    def image_filters
      [ "label=service=#{config.service}" ]
    end
 end
--- a/lib/kamal/commands/app/assets.rb
+++ b/lib/kamal/commands/app/assets.rb
@@ -4,10 +4,10 @@ module Kamal::Commands::App::Assets
    combine \
      make_directory(role.asset_extracted_directory),
-      [ *docker(:container, :rm, asset_container, "2> /dev/null"), "|| true" ],
+      [ *docker(:stop, "-t 1", asset_container, "2> /dev/null"), "|| true" ],
-      docker(:container, :create, "--name", asset_container, config.absolute_image),
+      docker(:run, "--name", asset_container, "--detach", "--rm", "--entrypoint", "sleep", config.absolute_image, "1000000"),
-      docker(:container, :cp, "-L", "#{asset_container}:#{role.asset_path}/.", role.asset_extracted_directory),
+      docker(:cp, "-L", "#{asset_container}:#{role.asset_path}/.", role.asset_extracted_directory),
-      docker(:container, :rm, asset_container),
+      docker(:stop, "-t 1", asset_container),
      by: "&&"
  end
--- a/lib/kamal/commands/app/containers.rb
+++ b/lib/kamal/commands/app/containers.rb
@@ -2,7 +2,7 @@ module Kamal::Commands::App::Containers
  DOCKER_HEALTH_LOG_FORMAT    = "'{{json .State.Health}}'"
  def list_containers
-    docker :container, :ls, "--all", *container_filter_args
+    docker :container, :ls, "--all", *filter_args
  end
  def list_container_names
@@ -20,7 +20,7 @@ module Kamal::Commands::App::Containers
  end
  def remove_containers
-    docker :container, :prune, "--force", *container_filter_args
+    docker :container, :prune, "--force", *filter_args
  end
  def container_health_log(version:)
--- a/lib/kamal/commands/app/error_pages.rb
+++ b/lib/kamal/commands/app/error_pages.rb
@@ -1,9 +0,0 @@
 module Kamal::Commands::App::ErrorPages
  def create_error_pages_directory
    make_directory(config.proxy_boot.error_pages_directory)
  end
  def clean_up_error_pages
    [ :find, config.proxy_boot.error_pages_directory, "-mindepth", "1", "-maxdepth", "1", "!", "-name", KAMAL.config.version, "-exec", "rm", "-rf", "{} +" ]
  end
 end
--- a/lib/kamal/commands/app/execution.rb
+++ b/lib/kamal/commands/app/execution.rb
@@ -1,21 +1,19 @@
 module Kamal::Commands::App::Execution
  def execute_in_existing_container(*command, interactive: false, env:)
    docker :exec,
-      (docker_interactive_args if interactive),
+      ("-it" if interactive),
      *argumentize("--env", env),
      container_name,
      *command
  end
-  def execute_in_new_container(*command, interactive: false, detach: false, env:)
+  def execute_in_new_container(*command, interactive: false, env:)
    docker :run,
-      (docker_interactive_args if interactive),
+      ("-it" if interactive),
-      ("--detach" if detach),
+      "--rm",
      ("--rm" unless detach),
      "--network", "kamal",
      *role&.env_args(host),
      *argumentize("--env", env),
      *role.logging_args,
      *config.volume_args,
      *role&.option_args,
      config.absolute_image,
--- a/lib/kamal/commands/app/images.rb
+++ b/lib/kamal/commands/app/images.rb
@@ -4,7 +4,7 @@ module Kamal::Commands::App::Images
  end
  def remove_images
-    docker :image, :prune, "--all", "--force", *image_filter_args
+    docker :image, :prune, "--all", "--force", *filter_args
  end
  def tag_latest_image
--- a/lib/kamal/commands/app/logging.rb
+++ b/lib/kamal/commands/app/logging.rb
@@ -1,28 +1,18 @@
 module Kamal::Commands::App::Logging
-  def logs(container_id: nil, timestamps: true, since: nil, lines: nil, grep: nil, grep_options: nil)
+  def logs(version: nil, timestamps: true, since: nil, lines: nil, grep: nil, grep_options: nil)
    pipe \
-      container_id_command(container_id),
+      version ? container_id_for_version(version) : current_running_container_id,
      "xargs docker logs#{" --timestamps" if timestamps}#{" --since #{since}" if since}#{" --tail #{lines}" if lines} 2>&1",
      ("grep '#{grep}'#{" #{grep_options}" if grep_options}" if grep)
  end
-  def follow_logs(host:, container_id: nil, timestamps: true, lines: nil, grep: nil, grep_options: nil)
+  def follow_logs(host:, timestamps: true, lines: nil, grep: nil, grep_options: nil)
    run_over_ssh \
      pipe(
-        container_id_command(container_id),
+        current_running_container_id,
        "xargs docker logs#{" --timestamps" if timestamps}#{" --tail #{lines}" if lines} --follow 2>&1",
        (%(grep "#{grep}"#{" #{grep_options}" if grep_options}) if grep)
      ),
      host: host
  end
  private
  def container_id_command(container_id)
    case container_id
    when Array then container_id
    when String, Symbol then "echo #{container_id}"
    else current_running_container_id
    end
  end
 end
--- a/lib/kamal/commands/app/proxy.rb
+++ b/lib/kamal/commands/app/proxy.rb
@@ -1,28 +1,12 @@
 module Kamal::Commands::App::Proxy
-  delegate :container_name, to: :"config.proxy_boot", prefix: :proxy
+  delegate :proxy_container_name, to: :config
  def deploy(target:)
    proxy_exec :deploy, role.container_prefix, *role.proxy.deploy_command_args(target: target)
  end
-  def remove
+  def remove(target:)
-    proxy_exec :remove, role.container_prefix
+    proxy_exec :remove, role.container_prefix, *role.proxy.remove_command_args(target: target)
  end
  def live
    proxy_exec :resume, role.container_prefix
  end
  def maintenance(**options)
    proxy_exec :stop, role.container_prefix, *role.proxy.stop_command_args(**options)
  end
  def remove_proxy_app_directory
    remove_directory config.proxy_boot.app_directory
  end
  def create_ssl_directory
    make_directory(File.join(config.proxy_boot.tls_directory, role.name))
  end
  private
--- a/lib/kamal/commands/auditor.rb
+++ b/lib/kamal/commands/auditor.rb
@@ -1,6 +1,5 @@
 class Kamal::Commands::Auditor < Kamal::Commands::Base
  attr_reader :details
  delegate :escape_shell_value, to: Kamal::Utils
  def initialize(config, **details)
    super(config)
@@ -10,8 +9,11 @@ class Kamal::Commands::Auditor < Kamal::Commands::Base
  # Runs remotely
  def record(line, **details)
    combine \
-      make_run_directory,
+      [ :mkdir, "-p", config.run_directory ],
-      append([ :echo, escape_shell_value(audit_line(line, **details)) ], audit_log_file)
+      append(
        [ :echo, audit_tags(**details).except(:version, :service_version, :service).to_s, line ],
        audit_log_file
      )
  end
  def reveal
@@ -28,12 +30,4 @@ class Kamal::Commands::Auditor < Kamal::Commands::Base
    def audit_tags(**details)
      tags(**self.details, **details)
    end
    def make_run_directory
      [ :mkdir, "-p", config.run_directory ]
    end
    def audit_line(line, **details)
      "#{audit_tags(**details).except(:version, :service_version, :service)} #{line}"
    end
 end
--- a/lib/kamal/commands/base.rb
+++ b/lib/kamal/commands/base.rb
@@ -11,7 +11,14 @@ module Kamal::Commands
    end
    def run_over_ssh(*command, host:)
-      "ssh#{ssh_proxy_args}#{ssh_keys_args} -t #{config.ssh.user}@#{host} -p #{config.ssh.port} '#{command.join(" ").gsub("'", "'\\\\''")}'"
+      "ssh".tap do |cmd|
        if config.ssh.proxy && config.ssh.proxy.is_a?(Net::SSH::Proxy::Jump)
          cmd << " -J #{config.ssh.proxy.jump_proxies}"
        elsif config.ssh.proxy && config.ssh.proxy.is_a?(Net::SSH::Proxy::Command)
          cmd << " -o ProxyCommand='#{config.ssh.proxy.command_line_template}'"
        end
        cmd << " -t #{config.ssh.user}@#{host} -p #{config.ssh.port} '#{command.join(" ").gsub("'", "'\\\\''")}'"
      end
    end
    def container_id_for(container_name:, only_running: false)
@@ -34,12 +41,6 @@ module Kamal::Commands
      [ :rm, path ]
    end
    def ensure_docker_installed
      combine \
        ensure_local_docker_installed,
        ensure_local_buildx_installed
    end
    private
      def combine(*commands, by: "&&")
        commands
@@ -68,10 +69,6 @@ module Kamal::Commands
        combine *commands, by: "||"
      end
      def substitute(*commands)
        "\$\(#{commands.join(" ")}\)"
      end
      def xargs(command)
        [ :xargs, command ].flatten
      end
@@ -84,10 +81,6 @@ module Kamal::Commands
        args.compact.unshift :docker
      end
      def pack(*args)
        args.compact.unshift :pack
      end
      def git(*args, path: nil)
        [ :git, *([ "-C", path ] if path), *args.compact ]
      end
@@ -99,36 +92,5 @@ module Kamal::Commands
      def tags(**details)
        Kamal::Tags.from_config(config, **details)
      end
      def ssh_proxy_args
        case config.ssh.proxy
        when Net::SSH::Proxy::Jump
          " -J #{config.ssh.proxy.jump_proxies}"
        when Net::SSH::Proxy::Command
          " -o ProxyCommand='#{config.ssh.proxy.command_line_template}'"
        end
      end
      def ssh_keys_args
        "#{ ssh_keys.join("") if ssh_keys}" + "#{" -o IdentitiesOnly=yes" if config.ssh&.keys_only}"
      end
      def ssh_keys
        config.ssh.keys&.map do |key|
          " -i #{key}"
        end
      end
      def ensure_local_docker_installed
        docker "--version"
      end
      def ensure_local_buildx_installed
        docker :buildx, "version"
      end
      def docker_interactive_args
        STDIN.isatty ? "-it" : "-i"
      end
  end
 end
--- a/lib/kamal/commands/builder.rb
+++ b/lib/kamal/commands/builder.rb
@@ -1,8 +1,8 @@
 require "active_support/core_ext/string/filters"
 class Kamal::Commands::Builder < Kamal::Commands::Base
-  delegate :create, :remove, :dev, :push, :clean, :pull, :info, :inspect_builder, :validate_image, :first_mirror, to: :target
+  delegate :create, :remove, :push, :clean, :pull, :info, :inspect_builder, :validate_image, :first_mirror, to: :target
-  delegate :local?, :remote?, :pack?, :cloud?, to: "config.builder"
+  delegate :local?, :remote?, to: "config.builder"
  include Clone
@@ -17,10 +17,6 @@ class Kamal::Commands::Builder < Kamal::Commands::Base
      else
        remote
      end
    elsif pack?
      pack
    elsif cloud?
      cloud
    else
      local
    end
@@ -38,11 +34,23 @@ class Kamal::Commands::Builder < Kamal::Commands::Base
    @hybrid ||= Kamal::Commands::Builder::Hybrid.new(config)
  end
-  def pack
+
-    @pack ||= Kamal::Commands::Builder::Pack.new(config)
+  def ensure_local_dependencies_installed
    if name.native?
      ensure_local_docker_installed
    else
      combine \
        ensure_local_docker_installed,
        ensure_local_buildx_installed
    end
  end
-  def cloud
+  private
-    @cloud ||= Kamal::Commands::Builder::Cloud.new(config)
+    def ensure_local_docker_installed
-  end
+      docker "--version"
    end
    def ensure_local_buildx_installed
      docker :buildx, "version"
    end
 end
--- a/lib/kamal/commands/builder/base.rb
+++ b/lib/kamal/commands/builder/base.rb
@@ -1,5 +1,3 @@
 require "shellwords"
 class Kamal::Commands::Builder::Base < Kamal::Commands::Base
  class BuilderError < StandardError; end
@@ -8,23 +6,20 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
  delegate :argumentize, to: Kamal::Utils
  delegate \
    :args, :secrets, :dockerfile, :target, :arches, :local_arches, :remote_arches, :remote,
-    :pack?, :pack_builder, :pack_buildpacks,
+    :cache_from, :cache_to, :ssh, :driver, :docker_driver?,
    :cache_from, :cache_to, :ssh, :provenance, :sbom, :driver, :docker_driver?,
    to: :builder_config
  def clean
    docker :image, :rm, "--force", config.absolute_image
  end
-  def push(export_action = "registry", tag_as_dirty: false)
+  def push
    docker :buildx, :build,
-      "--output=type=#{export_action}",
+      "--push",
      *platform_options(arches),
      *([ "--builder", builder_name ] unless docker_driver?),
      *build_tag_options(tag_as_dirty: tag_as_dirty),
      *build_options,
-      build_context,
+      build_context
      "2>&1"
  end
  def pull
@@ -42,11 +37,11 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
  end
  def build_options
-    [ *build_cache, *build_labels, *build_args, *build_secrets, *build_dockerfile, *build_target, *build_ssh, *builder_provenance, *builder_sbom ]
+    [ *build_tags, *build_cache, *build_labels, *build_args, *build_secrets, *build_dockerfile, *build_target, *build_ssh ]
  end
  def build_context
-    Shellwords.escape(config.builder.context)
+    config.builder.context
  end
  def validate_image
@@ -63,14 +58,8 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
  end
  private
-    def build_tag_names(tag_as_dirty: false)
+    def build_tags
-      tag_names = [ config.absolute_image, config.latest_image ]
+      [ "-t", config.absolute_image, "-t", config.latest_image ]
      tag_names.map! { |t| "#{t}-dirty" } if tag_as_dirty
      tag_names
    end
    def build_tag_options(tag_as_dirty: false)
      build_tag_names(tag_as_dirty: tag_as_dirty).flat_map { |name| [ "-t", name ] }
    end
    def build_cache
@@ -94,7 +83,7 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
    def build_dockerfile
      if Pathname.new(File.expand_path(dockerfile)).exist?
-        argumentize "--file", Shellwords.escape(dockerfile)
+        argumentize "--file", dockerfile
      else
        raise BuilderError, "Missing #{dockerfile}"
      end
@@ -108,14 +97,6 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
      argumentize "--ssh", ssh if ssh.present?
    end
    def builder_provenance
      argumentize "--provenance", provenance unless provenance.nil?
    end
    def builder_sbom
      argumentize "--sbom", sbom unless sbom.nil?
    end
    def builder_config
      config.builder
    end
--- a/lib/kamal/commands/builder/clone.rb
+++ b/lib/kamal/commands/builder/clone.rb
@@ -1,31 +1,29 @@
 module Kamal::Commands::Builder::Clone
  extend ActiveSupport::Concern
  included do
    delegate :clone_directory, :build_directory, to: :"config.builder"
  end
  def clone
-    git :clone, escaped_root, "--recurse-submodules", path: config.builder.clone_directory.shellescape
+    git :clone, Kamal::Git.root, "--recurse-submodules", path: clone_directory
  end
  def clone_reset_steps
    [
-      git(:remote, "set-url", :origin, escaped_root, path: escaped_build_directory),
+      git(:remote, "set-url", :origin, Kamal::Git.root, path: build_directory),
-      git(:fetch, :origin, path: escaped_build_directory),
+      git(:fetch, :origin, path: build_directory),
-      git(:reset, "--hard", Kamal::Git.revision, path: escaped_build_directory),
+      git(:reset, "--hard", Kamal::Git.revision, path: build_directory),
-      git(:clean, "-fdx", path: escaped_build_directory),
+      git(:clean, "-fdx", path: build_directory),
-      git(:submodule, :update, "--init", path: escaped_build_directory)
+      git(:submodule, :update, "--init", path: build_directory)
    ]
  end
  def clone_status
-    git :status, "--porcelain", path: escaped_build_directory
+    git :status, "--porcelain", path: build_directory
  end
  def clone_revision
-    git :"rev-parse", :HEAD, path: escaped_build_directory
+    git :"rev-parse", :HEAD, path: build_directory
  end
  def escaped_root
    Kamal::Git.root.shellescape
  end
  def escaped_build_directory
    config.builder.build_directory.shellescape
  end
 end
--- a/lib/kamal/commands/builder/cloud.rb
+++ b/lib/kamal/commands/builder/cloud.rb
@@ -1,22 +0,0 @@
 class Kamal::Commands::Builder::Cloud < Kamal::Commands::Builder::Base
  # Expects `driver` to be of format "cloud docker-org-name/builder-name"
  def create
    docker :buildx, :create, "--driver", driver
  end
  def remove
    docker :buildx, :rm, builder_name
  end
  private
    def builder_name
      driver.gsub(/[ \/]/, "-")
    end
    def inspect_buildx
      pipe \
        docker(:buildx, :inspect, builder_name),
        grep("-q", "Endpoint:.*cloud://.*")
    end
 end
--- a/lib/kamal/commands/builder/local.rb
+++ b/lib/kamal/commands/builder/local.rb
@@ -1,15 +1,6 @@
 class Kamal::Commands::Builder::Local < Kamal::Commands::Builder::Base
  def create
-    return if docker_driver?
+    docker :buildx, :create, "--name", builder_name, "--driver=#{driver}" unless docker_driver?
    options =
      if KAMAL.registry.local?
        "--driver=#{driver} --driver-opt network=host"
      else
        "--driver=#{driver}"
      end
    docker :buildx, :create, "--name", builder_name, options
  end
  def remove
@@ -18,10 +9,6 @@ class Kamal::Commands::Builder::Local < Kamal::Commands::Builder::Base
  private
    def builder_name
-      if KAMAL.registry.local?
+      "kamal-local-#{driver}"
        "kamal-local-registry-#{driver}"
      else
        "kamal-local-#{driver}"
      end
    end
 end
--- a/lib/kamal/commands/builder/pack.rb
+++ b/lib/kamal/commands/builder/pack.rb
@@ -1,46 +0,0 @@
 class Kamal::Commands::Builder::Pack < Kamal::Commands::Builder::Base
  def push(export_action = "registry")
    combine \
      build,
      export(export_action)
  end
  def remove;end
  def info
    pack :builder, :inspect, pack_builder
  end
  alias_method :inspect_builder, :info
  private
    def build
      pack(:build,
        config.repository,
        "--platform", platform,
        "--creation-time", "now",
        "--builder", pack_builder,
        buildpacks,
        "-t", config.absolute_image,
        "-t", config.latest_image,
        "--env", "BP_IMAGE_LABELS=service=#{config.service}",
        *argumentize("--env", args),
        *argumentize("--env", secrets, sensitive: true),
        "--path", build_context)
    end
    def export(export_action)
      return unless export_action == "registry"
      combine \
        docker(:push, config.absolute_image),
        docker(:push, config.latest_image)
    end
    def platform
      "linux/#{local_arches.first}"
    end
    def buildpacks
      (pack_buildpacks << "paketo-buildpacks/image-labels").map { |buildpack| [ "--buildpack", buildpack ] }
    end
 end
--- a/lib/kamal/commands/builder/remote.rb
+++ b/lib/kamal/commands/builder/remote.rb
@@ -19,7 +19,7 @@ class Kamal::Commands::Builder::Remote < Kamal::Commands::Builder::Base
  def inspect_builder
    combine \
-      combine(inspect_buildx, inspect_remote_context),
+      combine inspect_buildx, inspect_remote_context,
      [ "(echo no compatible builder && exit 1)" ],
      by: "||"
  end
--- a/lib/kamal/commands/proxy.rb
+++ b/lib/kamal/commands/proxy.rb
@@ -2,7 +2,15 @@ class Kamal::Commands::Proxy < Kamal::Commands::Base
  delegate :argumentize, :optionize, to: Kamal::Utils
  def run
-    pipe boot_config, xargs(docker_run)
+    docker :run,
      "--name", container_name,
      "--network", "kamal",
      "--detach",
      "--restart", "unless-stopped",
      *config.proxy_publish_args,
      "--volume", "kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy",
      *config.logging_args,
      config.proxy_image
  end
  def start
@@ -24,7 +32,7 @@ class Kamal::Commands::Proxy < Kamal::Commands::Base
  def version
    pipe \
      docker(:inspect, container_name, "--format '{{.Config.Image}}'"),
-      [ :awk, "-F:", "'{print \$NF}'" ]
+      [ :cut, "-d:", "-f2" ]
  end
  def logs(timestamps: true, since: nil, lines: nil, grep: nil, grep_options: nil)
@@ -57,71 +65,8 @@ class Kamal::Commands::Proxy < Kamal::Commands::Base
      )
  end
  def ensure_proxy_directory
    make_directory config.proxy_boot.host_directory
  end
  def remove_proxy_directory
    remove_directory config.proxy_boot.host_directory
  end
  def ensure_apps_config_directory
    make_directory config.proxy_boot.apps_directory
  end
  def boot_config
    [ :echo, "#{substitute(read_boot_options)} #{substitute(read_image)}:#{substitute(read_image_version)} #{substitute(read_run_command)}" ]
  end
  def read_boot_options
    read_file(config.proxy_boot.options_file, default: config.proxy_boot.default_boot_options.join(" "))
  end
  def read_image
    read_file(config.proxy_boot.image_file, default: config.proxy_boot.image_default)
  end
  def read_image_version
    read_file(config.proxy_boot.image_version_file, default: Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION)
  end
  def read_run_command
    read_file(config.proxy_boot.run_command_file)
  end
  def reset_boot_options
    remove_file config.proxy_boot.options_file
  end
  def reset_image
    remove_file config.proxy_boot.image_file
  end
  def reset_image_version
    remove_file config.proxy_boot.image_version_file
  end
  def reset_run_command
    remove_file config.proxy_boot.run_command_file
  end
  private
    def container_name
-      config.proxy_boot.container_name
+      config.proxy_container_name
    end
    def read_file(file, default: nil)
      combine [ :cat, file, "2>", "/dev/null" ], [ :echo, "\"#{default}\"" ], by: "||"
    end
    def docker_run
      docker \
        :run,
        "--name", container_name,
        "--network", "kamal",
        "--detach",
        "--restart", "unless-stopped",
        "--volume", "kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy",
        *config.proxy_boot.apps_volume.docker_args
    end
 end
--- a/lib/kamal/commands/registry.rb
+++ b/lib/kamal/commands/registry.rb
@@ -1,38 +1,14 @@
 class Kamal::Commands::Registry < Kamal::Commands::Base
-  def login(registry_config: nil)
+  delegate :registry, to: :config
    registry_config ||= config.registry
    return if registry_config.local?
  def login
    docker :login,
-      registry_config.server,
+      registry.server,
-      "-u", sensitive(Kamal::Utils.escape_shell_value(registry_config.username)),
+      "-u", sensitive(Kamal::Utils.escape_shell_value(registry.username)),
-      "-p", sensitive(Kamal::Utils.escape_shell_value(registry_config.password))
+      "-p", sensitive(Kamal::Utils.escape_shell_value(registry.password))
  end
-  def logout(registry_config: nil)
+  def logout
-    registry_config ||= config.registry
+    docker :logout, registry.server
    docker :logout, registry_config.server
  end
  def setup(registry_config: nil)
    registry_config ||= config.registry
    combine \
      docker(:start, "kamal-docker-registry"),
      docker(:run, "--detach", "-p", "127.0.0.1:#{registry_config.local_port}:5000", "--name", "kamal-docker-registry", "registry:3"),
      by: "||"
  end
  def remove
    combine \
      docker(:stop, "kamal-docker-registry"),
      docker(:rm, "kamal-docker-registry"),
      by: "&&"
  end
  def local?
    config.registry.local?
  end
 end
--- a/lib/kamal/configuration.rb
+++ b/lib/kamal/configuration.rb
@@ -6,18 +6,20 @@ require "erb"
 require "net/ssh/proxy/jump"
 class Kamal::Configuration
-  delegate :service, :labels, :hooks_path, to: :raw_config, allow_nil: true
+  delegate :service, :image, :labels, :hooks_path, to: :raw_config, allow_nil: true
  delegate :argumentize, :optionize, to: Kamal::Utils
  attr_reader :destination, :raw_config, :secrets
-  attr_reader :accessories, :aliases, :boot, :builder, :env, :logging, :proxy, :proxy_boot, :servers, :ssh, :sshkit, :registry
+  attr_reader :accessories, :aliases, :boot, :builder, :env, :logging, :proxy, :servers, :ssh, :sshkit, :registry
  include Validation
  PROXY_MINIMUM_VERSION = "v0.4.0"
  PROXY_HTTP_PORT = 80
  PROXY_HTTPS_PORT = 443
  class << self
    def create_from(config_file:, destination: nil, version: nil)
      ENV["KAMAL_DESTINATION"] = destination
      raw_config = load_config_files(config_file, *destination_config_file(config_file, destination))
      new raw_config, destination: destination, version: version
@@ -32,7 +34,7 @@ class Kamal::Configuration
        if file.exist?
          # Newer Psych doesn't load aliases by default
          load_method = YAML.respond_to?(:unsafe_load) ? :unsafe_load : :load
-          YAML.send(load_method, ERB.new(File.read(file)).result).symbolize_keys
+          YAML.send(load_method, ERB.new(IO.read(file)).result).symbolize_keys
        else
          raise "Configuration file not found in #{file}"
        end
@@ -54,7 +56,7 @@ class Kamal::Configuration
    # Eager load config to validate it, these are first as they have dependencies later on
    @servers = Servers.new(config: self)
-    @registry = Registry.new(config: @raw_config, secrets: secrets)
+    @registry = Registry.new(config: self)
    @accessories = @raw_config.accessories&.keys&.collect { |name| Accessory.new(name, config: self) } || []
    @aliases = @raw_config.aliases&.keys&.to_h { |name| [ name, Alias.new(name, config: self) ] } || {}
@@ -63,8 +65,7 @@ class Kamal::Configuration
    @env = Env.new(config: @raw_config.env || {}, secrets: secrets)
    @logging = Logging.new(logging_config: @raw_config.logging)
-    @proxy = Proxy.new(config: self, proxy_config: @raw_config.proxy, secrets: secrets)
+    @proxy = Proxy.new(config: self, proxy_config: @raw_config.proxy || {})
    @proxy_boot = Proxy::Boot.new(config: self)
    @ssh = Ssh.new(config: self)
    @sshkit = Sshkit.new(config: self)
@@ -78,6 +79,7 @@ class Kamal::Configuration
    ensure_unique_hosts_for_ssl_roles
  end
  def version=(version)
    @declared_version = version
  end
@@ -101,9 +103,6 @@ class Kamal::Configuration
    raw_config.minimum_version
  end
  def service_and_destination
    [ service, destination ].compact.join("-")
  end
  def roles
    servers.roles
@@ -117,14 +116,11 @@ class Kamal::Configuration
    accessories.detect { |a| a.name == name.to_s }
  end
  def all_hosts
    (roles + accessories).flat_map(&:hosts).uniq
  end
  def app_hosts
    roles.flat_map(&:hosts).uniq
  end
  def primary_host
    primary_role&.primary_host
  end
@@ -149,19 +145,8 @@ class Kamal::Configuration
    proxy_roles.flat_map(&:name)
  end
  def proxy_accessories
    accessories.select(&:running_proxy?)
  end
  def proxy_hosts
-    (proxy_roles.flat_map(&:hosts) + proxy_accessories.flat_map(&:hosts)).uniq
+    proxy_roles.flat_map(&:hosts).uniq
  end
  def image
    name = raw_config&.image.presence
    name ||= raw_config&.service if registry.local?
    name
  end
  def repository
@@ -192,6 +177,7 @@ class Kamal::Configuration
    raw_config.retain_containers || 5
  end
  def volume_args
    if raw_config.volumes.present?
      argumentize "--volume", raw_config.volumes
@@ -204,6 +190,7 @@ class Kamal::Configuration
    logging.args
  end
  def readiness_delay
    raw_config.readiness_delay || 7
  end
@@ -216,6 +203,7 @@ class Kamal::Configuration
    raw_config.drain_timeout || 30
  end
  def run_directory
    ".kamal"
  end
@@ -225,7 +213,7 @@ class Kamal::Configuration
  end
  def app_directory
-    File.join apps_directory, service_and_destination
+    File.join apps_directory, [ service, destination ].compact.join("-")
  end
  def env_directory
@@ -236,6 +224,7 @@ class Kamal::Configuration
    File.join app_directory, "assets"
  end
  def hooks_path
    raw_config.hooks_path || ".kamal/hooks"
  end
@@ -244,9 +233,6 @@ class Kamal::Configuration
    raw_config.asset_path
  end
  def error_pages_path
    raw_config.error_pages_path
  end
  def env_tags
    @env_tags ||= if (tags = raw_config.env["tags"])
@@ -260,6 +246,19 @@ class Kamal::Configuration
    env_tags.detect { |t| t.name == name.to_s }
  end
  def proxy_publish_args
    argumentize "--publish", [ "#{PROXY_HTTP_PORT}:#{PROXY_HTTP_PORT}", "#{PROXY_HTTPS_PORT}:#{PROXY_HTTPS_PORT}" ]
  end
  def proxy_image
    "basecamp/kamal-proxy:#{PROXY_MINIMUM_VERSION}"
  end
  def proxy_container_name
    "kamal-proxy"
  end
  def to_h
    {
      roles: role_names,
@@ -289,28 +288,22 @@ class Kamal::Configuration
    end
    def ensure_required_keys_present
-      %i[ service registry ].each do |key|
+      %i[ service image registry servers ].each do |key|
        raise Kamal::ConfigurationError, "Missing required configuration for #{key}" unless raw_config[key].present?
      end
-      raise Kamal::ConfigurationError, "Missing required configuration for image" if image.blank?
+      unless role(primary_role_name).present?
        raise Kamal::ConfigurationError, "The primary_role #{primary_role_name} isn't defined"
      end
-      if raw_config.servers.nil?
+      if primary_role.hosts.empty?
-        raise Kamal::ConfigurationError, "No servers or accessories specified" unless raw_config.accessories.present?
+        raise Kamal::ConfigurationError, "No servers specified for the #{primary_role.name} primary_role"
-      else
+      end
        unless role(primary_role_name).present?
          raise Kamal::ConfigurationError, "The primary_role #{primary_role_name} isn't defined"
        end
-        if primary_role.hosts.empty?
+      unless allow_empty_roles?
-          raise Kamal::ConfigurationError, "No servers specified for the #{primary_role.name} primary_role"
+        roles.each do |role|
-        end
+          if role.hosts.empty?
-
+            raise Kamal::ConfigurationError, "No servers specified for the #{role.name} role. You can ignore this with allow_empty_roles: true"
        unless allow_empty_roles?
          roles.each do |role|
            if role.hosts.empty?
              raise Kamal::ConfigurationError, "No servers specified for the #{role.name} role. You can ignore this with allow_empty_roles: true"
            end
          end
        end
      end
@@ -355,7 +348,7 @@ class Kamal::Configuration
    end
    def ensure_unique_hosts_for_ssl_roles
-      hosts = roles.select(&:ssl?).flat_map { |role| role.proxy.hosts }
+      hosts = roles.select(&:ssl?).map { |role| role.proxy.host }
      duplicates = hosts.tally.filter_map { |host, count| host if count > 1 }
      raise Kamal::ConfigurationError, "Different roles can't share the same host for SSL: #{duplicates.join(", ")}" if duplicates.any?
--- a/lib/kamal/configuration/accessory.rb
+++ b/lib/kamal/configuration/accessory.rb
@@ -1,11 +1,9 @@
 class Kamal::Configuration::Accessory
  include Kamal::Configuration::Validation
  DEFAULT_NETWORK = "kamal"
  delegate :argumentize, :optionize, to: Kamal::Utils
-  attr_reader :name, :env, :proxy, :registry
+  attr_reader :name, :accessory_config, :env
  def initialize(name, config:)
    @name, @config, @accessory_config = name.inquiry, config, config.raw_config["accessories"][name]
@@ -16,11 +14,10 @@ class Kamal::Configuration::Accessory
      context: "accessories/#{name}",
      with: Kamal::Configuration::Validator::Accessory
-    ensure_valid_roles
+    @env = Kamal::Configuration::Env.new \
-
+      config: accessory_config.fetch("env", {}),
-    @env = initialize_env
+      secrets: config.secrets,
-    @proxy = initialize_proxy if running_proxy?
+      context: "accessories/#{name}/env"
    @registry = initialize_registry if accessory_config["registry"].present?
  end
  def service_name
@@ -28,11 +25,11 @@ class Kamal::Configuration::Accessory
  end
  def image
-    [ registry&.server, accessory_config["image"] ].compact.join("/")
+    accessory_config["image"]
  end
  def hosts
-    hosts_from_host || hosts_from_hosts || hosts_from_roles || hosts_from_tags
+    hosts_from_host || hosts_from_hosts || hosts_from_roles
  end
  def port
@@ -41,10 +38,6 @@ class Kamal::Configuration::Accessory
    end
  end
  def network_args
    argumentize "--network", network
  end
  def publish_args
    argumentize "--publish", port if port
  end
@@ -107,34 +100,8 @@ class Kamal::Configuration::Accessory
    accessory_config["cmd"]
  end
  def running_proxy?
    accessory_config["proxy"].present?
  end
  private
-    attr_reader :config, :accessory_config
+    attr_accessor :config
    def initialize_env
      Kamal::Configuration::Env.new \
        config: accessory_config.fetch("env", {}),
        secrets: config.secrets,
        context: "accessories/#{name}/env"
    end
    def initialize_proxy
      Kamal::Configuration::Proxy.new \
        config: config,
        proxy_config: accessory_config["proxy"],
        context: "accessories/#{name}/proxy",
        secrets: config.secrets
    end
    def initialize_registry
      Kamal::Configuration::Registry.new \
        config: accessory_config,
        secrets: config.secrets,
        context: "accessories/#{name}/registry"
    end
    def default_labels
      { "service" => service_name }
@@ -156,7 +123,7 @@ class Kamal::Configuration::Accessory
    end
    def read_dynamic_file(local_file)
-      StringIO.new(ERB.new(File.read(local_file)).result)
+      StringIO.new(ERB.new(IO.read(local_file)).result)
    end
    def expand_remote_file(remote_file)
@@ -202,40 +169,8 @@ class Kamal::Configuration::Accessory
    end
    def hosts_from_roles
-      if accessory_config.key?("role")
+      if accessory_config.key?("roles")
-       config.role(accessory_config["role"])&.hosts
+        accessory_config["roles"].flat_map { |role| config.role(role).hosts }
      elsif accessory_config.key?("roles")
        accessory_config["roles"].flat_map { |role| config.role(role)&.hosts }
      end
    end
    def hosts_from_tags
      if accessory_config.key?("tag")
        extract_hosts_from_config_with_tag(accessory_config["tag"])
      elsif accessory_config.key?("tags")
        accessory_config["tags"].flat_map { |tag| extract_hosts_from_config_with_tag(tag) }
      end
    end
    def extract_hosts_from_config_with_tag(tag)
      if (servers_with_roles = config.raw_config.servers).is_a?(Hash)
        servers_with_roles.flat_map do |role, servers_in_role|
          servers_in_role.filter_map do |host|
            host.keys.first if host.is_a?(Hash) && host.values.first.include?(tag)
          end
        end
      end
    end
    def network
      accessory_config["network"] || DEFAULT_NETWORK
    end
    def ensure_valid_roles
      if accessory_config["roles"] && (missing_roles = accessory_config["roles"] - config.roles.map(&:name)).any?
        raise Kamal::ConfigurationError, "accessories/#{name}: unknown roles #{missing_roles.join(", ")}"
      elsif accessory_config["role"] && !config.role(accessory_config["role"])
        raise Kamal::ConfigurationError, "accessories/#{name}: unknown role #{accessory_config["role"]}"
      end
    end
 end
--- a/lib/kamal/configuration/builder.rb
+++ b/lib/kamal/configuration/builder.rb
@@ -53,18 +53,10 @@ class Kamal::Configuration::Builder
    !local_disabled? && (arches.empty? || local_arches.any?)
  end
  def cloud?
    driver.start_with? "cloud"
  end
  def cached?
    !!builder_config["cache"]
  end
  def pack?
    !!builder_config["pack"]
  end
  def args
    builder_config["args"] || {}
  end
@@ -89,14 +81,6 @@ class Kamal::Configuration::Builder
    builder_config.fetch("driver", "docker-container")
  end
  def pack_builder
    builder_config["pack"]["builder"] if pack?
  end
  def pack_buildpacks
    builder_config["pack"]["buildpacks"] if pack?
  end
  def local_disabled?
    builder_config["local"] == false
  end
@@ -127,14 +111,6 @@ class Kamal::Configuration::Builder
    builder_config["ssh"]
  end
  def provenance
    builder_config["provenance"]
  end
  def sbom
    builder_config["sbom"]
  end
  def git_clone?
    Kamal::Git.used? && builder_config["context"].nil?
  end
@@ -190,7 +166,7 @@ class Kamal::Configuration::Builder
    end
    def cache_to_config_for_registry
-      [ "type=registry", "ref=#{cache_image_ref}", builder_config["cache"]&.fetch("options", nil) ].compact.join(",")
+      [ "type=registry", builder_config["cache"]&.fetch("options", nil), "ref=#{cache_image_ref}" ].compact.join(",")
    end
    def repo_basename
--- a/lib/kamal/configuration/docs/accessory.yml
+++ b/lib/kamal/configuration/docs/accessory.yml
@@ -3,71 +3,48 @@
 # Accessories can be booted on a single host, a list of hosts, or on specific roles.
 # The hosts do not need to be defined in the Kamal servers configuration.
 #
-# Accessories are managed separately from the main service — they are not updated
+# Accessories are managed separately from the main service - they are not updated
-# when you deploy, and they do not have zero-downtime deployments.
+# when you deploy and they do not have zero-downtime deployments.
 #
 # Run `kamal accessory boot <accessory>` to boot an accessory.
 # See `kamal accessory --help` for more information.
 # Configuring accessories
 #
-# First, define the accessory in the `accessories`:
+# First define the accessory in the `accessories`
 accessories:
  mysql:
    # Service name
    #
-    # This is used in the service label and defaults to `<service>-<accessory>`,
+    # This is used in the service label and defaults to `<service>-<accessory>`
-    # where `<service>` is the main service name from the root configuration:
+    # where `<service>` is the main service name from the root configuration
    service: mysql
    # Image
    #
-    # The Docker image to use.
+    # The Docker image to use, prefix with a registry if not using Docker hub
    # Prefix it with its server when using root level registry different from Docker Hub.
    # Define registry directly or via anchors when it differs from root level registry.
    image: mysql:8.0
    # Registry
    #
    # By default accessories use Docker Hub registry.
    # You can specify different registry per accessory with this option.
    # Don't prefix image with this registry server.
    # Use anchors if you need to set the same specific registry for several accessories.
    #
    # ```yml
    # registry:
    #   <<: *specific-registry
    # ```
    #
    # See kamal docs registry for more information:
    registry:
      ...
    # Accessory hosts
    #
-    # Specify one of `host`, `hosts`, `role`, `roles`, `tag` or `tags`:
+    # Specify one  of `host`, `hosts` or `roles`
    host: mysql-db1
    hosts:
      - mysql-db1
      - mysql-db2
    role: mysql
    roles:
      - mysql
    tag: writer
    tags:
      - writer
      - reader
    # Custom command
    #
-    # You can set a custom command to run in the container if you do not want to use the default:
+    # You can set a custom command to run in the container, if you do not want to use the default
    cmd: "bin/mysqld"
    # Port mappings
    #
-    # See [https://docs.docker.com/network/](https://docs.docker.com/network/), and
+    # See https://docs.docker.com/network/, especially note the warning about the security
-    # especially note the warning about the security implications of exposing ports publicly.
+    # implications of exposing ports publicly.
    port: "127.0.0.1:3306:3306"
    # Labels
@@ -75,22 +52,20 @@ accessories:
      app: myapp
    # Options
-    #
+    # These are passed to the Docker run command in the form `--<name> <value>`
    # These are passed to the Docker run command in the form `--<name> <value>`:
    options:
      restart: always
      cpus: 2
    # Environment variables
-    #
+    # See kamal docs env for more information
    # See kamal docs env for more information:
    env:
      ...
    # Copying files
    #
    # You can specify files to mount into the container.
-    # The format is `local:remote`, where `local` is the path to the file on the local machine
+    # The format is `local:remote` where `local` is the path to the file on the local machine
    # and `remote` is the path to the file in the container.
    #
    # They will be uploaded from the local repo to the host and then mounted.
@@ -103,26 +78,13 @@ accessories:
    # Directories
    #
    # You can specify directories to mount into the container. They will be created on the host
-    # before being mounted:
+    # before being mounted
    directories:
      - mysql-logs:/var/log/mysql
    # Volumes
    #
    # Any other volumes to mount, in addition to the files and directories.
-    # They are not created or copied before mounting:
+    # They are not created or copied before mounting
    volumes:
      - /path/to/mysql-logs:/var/log/mysql
    # Network
    #
    # The network the accessory will be attached to.
    #
    # Defaults to kamal:
    network: custom
    # Proxy
    #
    # You can run your accessory behind the Kamal proxy. See kamal docs proxy for more information
    proxy:
      ...
--- a/lib/kamal/configuration/docs/alias.yml
+++ b/lib/kamal/configuration/docs/alias.yml
@@ -5,22 +5,22 @@
 # For example, for a Rails app, you might open a console with:
 #
 # ```shell
-# kamal app exec -i --reuse "bin/rails console"
+# kamal app exec -i -r console "rails console"
 # ```
 #
 # By defining an alias, like this:
 aliases:
-  console: app exec -i --reuse "bin/rails console"
+  console: app exec -r console -i "rails console"
 # You can now open the console with:
 #
 # ```shell
 # kamal console
 # ```
 # Configuring aliases
 #
-# Aliases are defined in the root config under the alias key.
+# Aliases are defined in the root config under the alias key
 #
-# Each alias is named and can only contain lowercase letters, numbers, dashes, and underscores:
+# Each alias is named and can only contain lowercase letters, numbers, dashes and underscores.
 aliases:
  uname: app exec -p -q -r web "uname -a"
--- a/lib/kamal/configuration/docs/boot.yml
+++ b/lib/kamal/configuration/docs/boot.yml
@@ -2,18 +2,18 @@
 #
 # When deploying to large numbers of hosts, you might prefer not to restart your services on every host at the same time.
 #
-# Kamal’s default is to boot new containers on all hosts in parallel. However, you can control this with the boot configuration.
+# Kamal’s default is to boot new containers on all hosts in parallel. But you can control this with the boot configuration.
 # Fixed group sizes
 #
-# Here, we boot 2 hosts at a time with a 10-second gap between each group:
+# Here we boot 2 hosts at a time with a 10 second gap between each group.
 boot:
  limit: 2
  wait: 10
 # Percentage of hosts
 #
-# Here, we boot 25% of the hosts at a time with a 2-second gap between each group:
+# Here we boot 25% of the hosts at a time with a 2 second gap between each group.
 boot:
  limit: 25%
  wait: 2
--- a/lib/kamal/configuration/docs/builder.yml
+++ b/lib/kamal/configuration/docs/builder.yml
@@ -1,8 +1,8 @@
 # Builder
 #
-# The builder configuration controls how the application is built with `docker build`.
+# The builder configuration controls how the application is built with `docker build`
 #
-# See https://kamal-deploy.org/docs/configuration/builder-examples/ for more information.
+# See https://kamal-deploy.org/docs/configuration/builder-examples/ for more information
 # Builder options
 #
@@ -11,15 +11,15 @@ builder:
  # Arch
  #
-  # The architectures to build for — you can set an array or just a single value.
+  # The architectures to build for - you can set an array or just a single value.
  #
-  # Allowed values are `amd64` and `arm64`:
+  # Allowed values are `amd64` and `arm64`
  arch:
    - amd64
  # Remote
  #
-  # The connection string for a remote builder. If supplied, Kamal will use this
+  # The connection string for a remote builder. If supplied Kamal will use this
  # for builds that do not match the local architecture of the deployment host.
  remote: ssh://docker@docker-builder
@@ -28,27 +28,14 @@ builder:
  # If set to false, Kamal will always use the remote builder even when building
  # the local architecture.
  #
-  # Defaults to true:
+  # Defaults to true
  local: true
  # Buildpack configuration
  #
  # The build configuration for using pack to build a Cloud Native Buildpack image.
  #
  # For additional buildpack customization options you can create a project descriptor
  # file(project.toml) that the Pack CLI will automatically use.
  # See https://buildpacks.io/docs/for-app-developers/how-to/build-inputs/use-project-toml/ for more information.
  pack:
    builder: heroku/builder:24
    buildpacks:
      - heroku/ruby
      - heroku/procfile
  # Builder cache
  #
-  # The type must be either 'gha' or 'registry'.
+  # The type must be either 'gha' or 'registry'
  #
-  # The image is only used for registry cache and is not compatible with the Docker driver:
+  # The image is only used for registry cache. Not compatible with the docker driver
  cache:
    type: registry
    options: mode=max
@@ -56,25 +43,25 @@ builder:
  # Build context
  #
-  # If this is not set, then a local Git clone of the repo is used.
+  # If this is not set, then a local git clone of the repo is used.
  # This ensures a clean build with no uncommitted changes.
  #
-  # To use the local checkout instead, you can set the context to `.`, or a path to another directory.
+  # To use the local checkout instead you can set the context to `.`, or a path to another directory.
  context: .
  # Dockerfile
  #
-  # The Dockerfile to use for building, defaults to `Dockerfile`:
+  # The Dockerfile to use for building, defaults to `Dockerfile`
  dockerfile: Dockerfile.production
  # Build target
  #
-  # If not set, then the default target is used:
+  # If not set, then the default target is used
  target: production
-  # Build arguments
+  # Build Arguments
  #
-  # Any additional build arguments, passed to `docker build` with `--build-arg <key>=<value>`:
+  # Any additional build arguments, passed to `docker build` with `--build-arg <key>=<value>`
  args:
    ENVIRONMENT: production
@@ -87,46 +74,33 @@ builder:
  # Build secrets
  #
-  # Values are read from `.kamal/secrets`:
+  # Values are read from .kamal/secrets.
  #
  secrets:
    - SECRET1
    - SECRET2
-  # Referencing build secrets
+  # Referencing Build Secrets
  #
  # ```shell
  # # Copy Gemfiles
  # COPY Gemfile Gemfile.lock ./
  #
  # # Install dependencies, including private repositories via access token
-  # # Then remove bundle cache with exposed GITHUB_TOKEN
+  # # Then remove bundle cache with exposed GITHUB_TOKEN)
  # RUN --mount=type=secret,id=GITHUB_TOKEN \
  #   BUNDLE_GITHUB__COM=x-access-token:$(cat /run/secrets/GITHUB_TOKEN) \
  #   bundle install && \
  #   rm -rf /usr/local/bundle/cache
  # ```
  # SSH
  #
-  # SSH agent socket or keys to expose to the build:
+  # SSH agent socket or keys to expose to the build
  ssh: default=$SSH_AUTH_SOCK
  # Driver
  #
-  # The build driver to use, defaults to `docker-container`:
+  # The build driver to use, defaults to `docker-container`
  driver: docker
  #
  # If you want to use Docker Build Cloud (https://www.docker.com/products/build-cloud/), you can set the driver to:
  driver: cloud org-name/builder-name
  # Provenance
  #
  # It is used to configure provenance attestations for the build result.
  # The value can also be a boolean to enable or disable provenance attestations.
  provenance: mode=max
  # SBOM (Software Bill of Materials)
  #
  # It is used to configure SBOM generation for the build result.
  # The value can also be a boolean to enable or disable SBOM generation.
  sbom: true
--- a/lib/kamal/configuration/docs/configuration.yml
+++ b/lib/kamal/configuration/docs/configuration.yml
@@ -1,13 +1,14 @@
 # Kamal Configuration
 #
-# Configuration is read from the `config/deploy.yml`.
+# Configuration is read from the `config/deploy.yml`
 #
 # Destinations
 #
 # When running commands, you can specify a destination with the `-d` flag,
-# e.g., `kamal deploy -d staging`.
+# e.g. `kamal deploy -d staging`
 #
-# In this case, the configuration will also be read from `config/deploy.staging.yml`
+# In this case the configuration will also be read from `config/deploy.staging.yml`
 # and merged with the base configuration.
 # Extensions
@@ -17,11 +18,10 @@
 # However, you might want to declare a configuration block using YAML anchors
 # and aliases to avoid repetition.
 #
-# You can prefix a configuration section with `x-` to indicate that it is an
+# You can use prefix a configuration section with `x-` to indicate that it is an
 # extension. Kamal will ignore the extension and not raise an error.
 # The service name
 #
 # This is a required value. It is used as the container name prefix.
 service: myapp
@@ -32,153 +32,147 @@ image: my-image
 # Labels
 #
-# Additional labels to add to the container:
+# Additional labels to add to the container
 labels:
  my-label: my-value
 # Volumes
 #
-# Additional volumes to mount into the container:
+# Additional volumes to mount into the container
 volumes:
  - /path/on/host:/path/in/container:ro
 # Registry
 #
-# The Docker registry configuration, see kamal docs registry:
+# The Docker registry configuration, see kamal docs registry
 registry:
  ...
 # Servers
 #
-# The servers to deploy to, optionally with custom roles, see kamal docs servers:
+# The servers to deploy to, optionally with custom roles, see kamal docs servers
 servers:
  ...
 # Environment variables
 #
-# See kamal docs env:
+# See kamal docs env
 env:
  ...
-# Asset path
+# Asset Path
 #
-# Used for asset bridging across deployments, default to `nil`.
+# Used for asset bridging across deployments, default to `nil`
 #
 # If there are changes to CSS or JS files, we may get requests
-# for the old versions on the new container, and vice versa.
+# for the old versions on the new container and vice-versa.
 #
-# To avoid 404s, we can specify an asset path.
+# To avoid 404s we can specify an asset path.
 # Kamal will replace that path in the container with a mapped
 # volume containing both sets of files.
 # This requires that file names change when the contents change
-# (e.g., by including a hash of the contents in the name).
+# (e.g. by including a hash of the contents in the name).
 #
 # To configure this, set the path to the assets:
 asset_path: /path/to/assets
 # Hooks path
 #
-# Path to hooks, defaults to `.kamal/hooks`.
+# Path to hooks, defaults to `.kamal/hooks`
-# See https://kamal-deploy.org/docs/hooks for more information:
+# See https://kamal-deploy.org/docs/hooks for more information
 hooks_path: /user_home/kamal/hooks
 # Error pages
 #
 # A directory relative to the app root to find error pages for the proxy to serve.
 # Any files in the format 4xx.html or 5xx.html will be copied to the hosts.
 error_pages_path: public
 # Require destinations
 #
-# Whether deployments require a destination to be specified, defaults to `false`:
+# Whether deployments require a destination to be specified, defaults to `false`
 require_destination: true
 # Primary role
 #
-# This defaults to `web`, but if you have no web role, you can change this:
+# This defaults to `web`, but if you have no web role, you can change this
 primary_role: workers
 # Allowing empty roles
 #
-# Whether roles with no servers are allowed. Defaults to `false`:
+# Whether roles with no servers are allowed. Defaults to `false`.
 allow_empty_roles: false
 # Retain containers
 #
-# How many old containers and images we retain, defaults to 5:
+# How many old containers and images we retain, defaults to 5
 retain_containers: 3
 # Minimum version
 #
-# The minimum version of Kamal required to deploy this configuration, defaults to `nil`:
+# The minimum version of Kamal required to deploy this configuration, defaults to nil
 minimum_version: 1.3.0
 # Readiness delay
 #
-# Seconds to wait for a container to boot after it is running, default 7.
+# Seconds to wait for a container to boot after is running, default 7
 #
-# This only applies to containers that do not run a proxy or specify a healthcheck:
+# This only applies to containers that do not run a proxy or specify a healthcheck
 readiness_delay: 4
 # Deploy timeout
 #
-# How long to wait for a container to become ready, default 30:
+# How long to wait for a container to become ready, default 30
 deploy_timeout: 10
 # Drain timeout
 #
-# How long to wait for a container to drain, default 30:
+# How long to wait for a containers to drain, default 30
 drain_timeout: 10
 # Run directory
 #
-# Directory to store kamal runtime files in on the host, default `.kamal`:
+# Directory to store kamal runtime files in on the host, default `.kamal`
 run_directory: /etc/kamal
 # SSH options
 #
-# See kamal docs ssh:
+# See kamal docs ssh
 ssh:
  ...
 # Builder options
 #
-# See kamal docs builder:
+# See kamal docs builder
 builder:
  ...
 # Accessories
 #
-# Additional services to run in Docker, see kamal docs accessory:
+# Additionals services to run in Docker, see kamal docs accessory
 accessories:
  ...
 # Proxy
 #
-# Configuration for kamal-proxy, see kamal docs proxy:
+# Configuration for kamal-proxy, see kamal docs proxy
 proxy:
  ...
 # SSHKit
 #
-# See kamal docs sshkit:
+# See kamal docs sshkit
 sshkit:
  ...
 # Boot options
 #
-# See kamal docs boot:
+# See kamal docs boot
 boot:
  ...
 # Logging
 #
-# Docker logging configuration, see kamal docs logging:
+# Docker logging configuration, see kamal docs logging
 logging:
  ...
 # Aliases
 #
-# Alias configuration, see kamal docs alias:
+# Alias configuration, see kamal docs alias
 aliases:
  ...
--- a/lib/kamal/configuration/docs/env.yml
+++ b/lib/kamal/configuration/docs/env.yml
@@ -1,13 +1,13 @@
 # Environment variables
 #
 # Environment variables can be set directly in the Kamal configuration or
-# read from `.kamal/secrets`.
+# read from .kamal/secrets.
 # Reading environment variables from the configuration
 #
 # Environment variables can be set directly in the configuration file.
 #
-# These are passed to the `docker run` command when deploying.
+# These are passed to the docker run command when deploying.
 env:
  DATABASE_HOST: mysql-db1
  DATABASE_PORT: 3306
@@ -16,7 +16,7 @@ env:
 #
 # Kamal uses dotenv to automatically load environment variables set in the `.kamal/secrets` file.
 #
-# If you are using destinations, secrets will instead be read from `.kamal/secrets.<DESTINATION>` if
+# If you are using destinations, secrets will instead be read from `.kamal/secrets-<DESTINATION>` if
 # it exists.
 #
 # Common secrets across all destinations can be set in `.kamal/secrets-common`.
@@ -24,70 +24,38 @@ env:
 # This file can be used to set variables like `KAMAL_REGISTRY_PASSWORD` or database passwords.
 # You can use variable or command substitution in the secrets file.
 #
-# ```shell
+# ```
 # KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
 # RAILS_MASTER_KEY=$(cat config/master.key)
 # ```
 #
-# You can also use [secret helpers](../../commands/secrets) for some common password managers.
+# You can also use [secret helpers](../commands/secrets) for some common password managers.
-#
+# ```
 # ```shell
 # SECRETS=$(kamal secrets fetch ...)
 #
 # REGISTRY_PASSWORD=$(kamal secrets extract REGISTRY_PASSWORD $SECRETS)
 # DB_PASSWORD=$(kamal secrets extract DB_PASSWORD $SECRETS)
 # ```
 #
-# If you store secrets directly in `.kamal/secrets`, ensure that it is not checked into version control.
+# If you store secrets directly in .kamal/secrets, ensure that it is not checked into version control.
 #
-# To pass the secrets, you should list them under the `secret` key. When you do this, the
+# To pass the secrets you should list them under the `secret` key. When you do this the
 # other variables need to be moved under the `clear` key.
 #
-# Unlike clear values, secrets are not passed directly to the container
+# Unlike clear values, secrets are not passed directly to the container,
-# but are stored in an env file on the host:
+# but are stored in an env file on the host
 env:
  clear:
    DB_USER: app
  secret:
    - DB_PASSWORD
 # Aliased secrets
 #
 # You can also alias secrets to other secrets using a `:` separator.
 #
 # This is useful when the ENV name is different from the secret name. For example, if you have two
 # places where you need to define the ENV variable `DB_PASSWORD`, but the value is different depending
 # on the context.
 #
 # ```shell
 # SECRETS=$(kamal secrets fetch ...)
 #
 # MAIN_DB_PASSWORD=$(kamal secrets extract MAIN_DB_PASSWORD $SECRETS)
 # SECONDARY_DB_PASSWORD=$(kamal secrets extract SECONDARY_DB_PASSWORD $SECRETS)
 # ```
 env:
  secret:
    - DB_PASSWORD:MAIN_DB_PASSWORD
  tags:
    secondary_db:
      secret:
        - DB_PASSWORD:SECONDARY_DB_PASSWORD
 accessories:
  main_db_accessory:
    env:
      secret:
        - DB_PASSWORD:MAIN_DB_PASSWORD
  secondary_db_accessory:
    env:
      secret:
        - DB_PASSWORD:SECONDARY_DB_PASSWORD
 # Tags
 #
 # Tags are used to add extra env variables to specific hosts.
 # See kamal docs servers for how to tag hosts.
 #
-# Tags are only allowed in the top-level env configuration (i.e., not under a role-specific env).
+# Tags are only allowed in the top level env configuration (i.e not under a role specific env).
 #
 # The env variables can be specified with secret and clear values as explained above.
 env:
--- a/lib/kamal/configuration/docs/logging.yml
+++ b/lib/kamal/configuration/docs/logging.yml
@@ -6,16 +6,16 @@
 #
 # These go under the logging key in the configuration file.
 #
-# This can be specified at the root level or for a specific role.
+# This can be specified in the root level or for a specific role.
 logging:
  # Driver
  #
-  # The logging driver to use, passed to Docker via `--log-driver`:
+  # The logging driver to use, passed to Docker via `--log-driver`
  driver: json-file
  # Options
  #
-  # Any logging options to pass to the driver, passed to Docker via `--log-opt`:
+  # Any logging options to pass to the driver, passed to Docker via `--log-opt`
  options:
    max-size: 100m
--- a/lib/kamal/configuration/docs/proxy.yml
+++ b/lib/kamal/configuration/docs/proxy.yml
@@ -5,101 +5,54 @@
 # application container.
 #
 # The proxy is configured in the root configuration under `proxy`. These are
-# options that are set when deploying the application, not when booting the proxy.
+# options that are set when deploying the application, not when booting the proxy
 #
-# They are application-specific, so they are not shared when multiple applications
+# They are application specific, so are not shared when multiple applications
 # run on the same proxy.
 #
 # The proxy is enabled by default on the primary role, but can be disabled by
 # setting `proxy: false`.
 #
 # It is disabled by default on all other roles, but can be enabled by setting
 # `proxy: true`, or providing a proxy configuration.
 proxy:
-  # Hosts
+  # Host
  #
  # The hosts that will be used to serve the app. The proxy will only route requests
  # to this host to your app.
  #
  # If no hosts are set, then all requests will be forwarded, except for matching
  # requests for other apps deployed on that server that do have a host set.
  #
  # Specify one of `host` or `hosts`.
  host: foo.example.com
  hosts:
    - foo.example.com
    - bar.example.com
  # App port
  #
-  # The port the application container is exposed on.
+  # The port the application container is exposed on
  #
-  # Defaults to 80:
+  # Defaults to 80
  app_port: 3000
  # SSL
  #
  # kamal-proxy can provide automatic HTTPS for your application via Let's Encrypt.
  #
-  # This requires that we are deploying to one server and the host option is set.
+  # This requires that we are deploying to a one server and the host option is set.
-  # The host value must point to the server we are deploying to, and port 443 must be
+  # The host value must point to the server we are deploying to and port 443 must be
  # open for the Let's Encrypt challenge to succeed.
  #
-  # If you set `ssl` to `true`, `kamal-proxy` will stop forwarding headers to your app,
+  # Defaults to false
  # unless you explicitly set `forward_headers: true`
  #
  # Defaults to `false`:
  ssl: true
  # Custom SSL certificate
  #
  # In some cases, using Let's Encrypt for automatic certificate management is not an
  # option, for example if you are running from more than one host.
  #
  # Or you may already have SSL certificates issued by a different Certificate Authority (CA).
  #
  # Kamal supports loading custom SSL certificates directly from secrets. You should
  # pass a hash mapping the `certificate_pem` and `private_key_pem` to the secret names.
  ssl:
    certificate_pem: CERTIFICATE_PEM
    private_key_pem: PRIVATE_KEY_PEM
  # ### Notes
  # - If the certificate or key is missing or invalid, deployments will fail.
  # - Always handle SSL certificates and private keys securely. Avoid hard-coding them in source control.
  # SSL redirect
  #
  # By default, kamal-proxy will redirect all HTTP requests to HTTPS when SSL is enabled.
  # If you prefer that HTTP traffic is passed through to your application (along with
  # HTTPS traffic), you can disable this redirect by setting `ssl_redirect: false`:
  ssl_redirect: false
  # Forward headers
  #
  # Whether to forward the `X-Forwarded-For` and `X-Forwarded-Proto` headers.
  #
  # If you are behind a trusted proxy, you can set this to `true` to forward the headers.
  #
  # By default, kamal-proxy will not forward the headers if the `ssl` option is set to `true`, and
  # will forward them if it is set to `false`.
  forward_headers: true
  # Response timeout
  #
-  # How long to wait for requests to complete before timing out, defaults to 30 seconds:
+  # How long to wait for requests to complete before timing out, defaults to 30 seconds
  response_timeout: 10
  # Path-based routing
  #
  # For applications that split their traffic to different services based on the request path,
  # you can use path-based routing to mount services under different path prefixes.
  path_prefix: '/api'
  # By default, the path prefix will be stripped from the request before it is forwarded upstream.
  # So in the example above, a request to /api/users/123 will be forwarded to web-1 as /users/123.
  # To instead forward the request with the original path (including the prefix),
  # specify --strip-path-prefix=false
  strip_path_prefix: false
  # Healthcheck
  #
-  # When deploying, the proxy will by default hit `/up` once every second until we hit
+  # When deploying, the proxy will by default hit /up once every second until we hit
-  # the deploy timeout, with a 5-second timeout for each request.
+  # the deploy timeout, with a 5 second timeout for each request.
  #
  # Once the app is up, the proxy will stop hitting the healthcheck endpoint.
  healthcheck:
@@ -109,12 +62,12 @@ proxy:
  # Buffering
  #
-  # Whether to buffer request and response bodies in the proxy.
+  # Whether to buffer request and response bodies in the proxy
  #
-  # By default, buffering is enabled with a max request body size of 1GB and no limit
+  # By default buffering is enabled with a max request body size of 1GB and no limit
  # for response size.
  #
-  # You can also set the memory limit for buffering, which defaults to 1MB; anything
+  # You can also set the memory limit for buffering, which defaults to 1MB, anything
  # larger than that is written to disk.
  buffering:
    requests: true
@@ -125,9 +78,9 @@ proxy:
  # Logging
  #
-  # Configure request logging for the proxy.
+  # Configure request logging for the proxy
  # You can specify request and response headers to log.
-  # By default, `Cache-Control`, `Last-Modified`, and `User-Agent` request headers are logged:
+  # By default, Cache-Control, Last-Modified and User-Agent request headers are logged
  logging:
    request_headers:
      - Cache-Control
@@ -136,29 +89,12 @@ proxy:
      - X-Request-ID
      - X-Request-Start
-# Enabling/disabling the proxy on roles
+  # Forward headers
-#
+  #
-# The proxy is enabled by default on the primary role but can be disabled by
+  # Whether to forward the X-Forwarded-For and X-Forwarded-Proto headers.
-# setting `proxy: false` in the primary role's configuration.
+  #
-#
+  # If you are behind a trusted proxy, you can set this to true to forward the headers.
-# ```yaml
+  #
-# servers:
+  # By default kamal-proxy will not forward the headers the ssl option is set to true, and
-#   web:
+  # will forward them if it is set to false.
-#     hosts:
+  forward_headers: true
 #      - ...
 #     proxy: false
 # ```
 #
 # It is disabled by default on all other roles but can be enabled by setting
 # `proxy: true` or providing a proxy configuration for that role.
 #
 # ```yaml
 # servers:
 #   web:
 #     hosts:
 #      - ...
 #   web2:
 #     hosts:
 #      - ...
 #     proxy: true
 # ```
--- a/lib/kamal/configuration/docs/registry.yml
+++ b/lib/kamal/configuration/docs/registry.yml
@@ -1,13 +1,10 @@
 # Registry
 #
-# The default registry is Docker Hub, but you can change it using `registry/server`.
+# The default registry is Docker Hub, but you can change it using registry/server:
 #
-# By default, Docker Hub creates public repositories. To avoid making your images public,
+# A reference to secret (in this case DOCKER_REGISTRY_TOKEN) will look up the secret
-# set up a private repository before deploying, or change the default repository privacy
+# in the local environment.
-# settings to private in your [Docker Hub settings](https://hub.docker.com/repository-settings/default-privacy).
+
 #
 # A reference to a secret (in this case, `DOCKER_REGISTRY_TOKEN`) will look up the secret
 # in the local environment:
 registry:
  server: registry.digitalocean.com
  username:
@@ -16,31 +13,30 @@ registry:
    - DOCKER_REGISTRY_TOKEN
 # Using AWS ECR as the container registry
-#
+# You will need to have the aws CLI installed locally for this to work.
-# You will need to have the AWS CLI installed locally for this to work.
+# AWS ECR’s access token is only valid for 12hrs. In order to not have to manually regenerate the token every time, you can use ERB in the deploy.yml file to shell out to the aws cli command, and obtain the token:
-# AWS ECR’s access token is only valid for 12 hours. In order to avoid having to manually regenerate the token every time, you can use ERB in the `deploy.yml` file to shell out to the AWS CLI command and obtain the token:
+
 registry:
  server: <your aws account id>.dkr.ecr.<your aws region id>.amazonaws.com
  username: AWS
  password: <%= %x(aws ecr get-login-password) %>
 # Using GCP Artifact Registry as the container registry
-#
+# To sign into Artifact Registry, you would need to
 # To sign into Artifact Registry, you need to
 # [create a service account](https://cloud.google.com/iam/docs/service-accounts-create#creating)
 # and [set up roles and permissions](https://cloud.google.com/artifact-registry/docs/access-control#permissions).
-# Normally, assigning the `roles/artifactregistry.writer` role should be sufficient.
+# Normally, assigning a roles/artifactregistry.writer role should be sufficient.
 #
 # Once the service account is ready, you need to generate and download a JSON key and base64 encode it:
 #
 # ```shell
-# base64 -i /path/to/key.json | tr -d "\\n"
+# base64 -i /path/to/key.json | tr -d "\\n")
 # ```
 # You'll then need to set the KAMAL_REGISTRY_PASSWORD secret to that value.
 #
-# You'll then need to set the `KAMAL_REGISTRY_PASSWORD` secret to that value.
+# Use the env variable as password along with _json_key_base64 as username.
 #
 # Use the environment variable as the password along with `_json_key_base64` as the username.
 # Here’s the final configuration:
 registry:
  server: <your registry region>-docker.pkg.dev
  username: _json_key_base64
@@ -50,7 +46,6 @@ registry:
 # Validating the configuration
 #
 # You can validate the configuration by running:
 #
 # ```shell
 # kamal registry login
 # ```
--- a/lib/kamal/configuration/docs/role.yml
+++ b/lib/kamal/configuration/docs/role.yml
@@ -1,21 +1,22 @@
 # Roles
 #
 # Roles are used to configure different types of servers in the deployment.
-# The most common use for this is to run web servers and job servers.
+# The most common use for this is to run a web servers and job servers.
 #
 # Kamal expects there to be a `web` role, unless you set a different `primary_role`
 # in the root configuration.
 # Role configuration
 #
-# Roles are specified under the servers key:
+# Roles are specified under the servers key
 servers:
  # Simple role configuration
  #
  # This can be a list of hosts if you don't need custom configuration for the role.
  #
-  # You can set tags on the hosts for custom env variables (see kamal docs env):
+  # This can be a list of hosts, if you don't need custom configuration for the role.
  #
  # You can set tags on the hosts for custom env variables (see kamal docs env)
  web:
    - 172.1.0.1
    - 172.1.0.2: experiment1
@@ -23,16 +24,16 @@ servers:
  # Custom role configuration
  #
-  # When there are other options to set, the list of hosts goes under the `hosts` key.
+  # When there are other options to set, the list of hosts goes under the `hosts` key
  #
-  # By default, only the primary role uses a proxy.
+  # By default only the primary role uses a proxy.
  #
-  # For other roles, you can set it to `proxy: true` to enable it and inherit the root proxy
+  # For other roles, you can set it to `proxy: true` enable it and inherit the root proxy
  # configuration or provide a map of options to override the root configuration.
  #
  # For the primary role, you can set `proxy: false` to disable the proxy.
  #
-  # You can also set a custom `cmd` to run in the container and overwrite other settings
+  # You can also set a custom cmd to run in the container, and overwrite other settings
  # from the root configuration.
  workers:
    hosts:
--- a/lib/kamal/configuration/docs/servers.yml
+++ b/lib/kamal/configuration/docs/servers.yml
@@ -2,7 +2,7 @@
 #
 # Servers are split into different roles, with each role having its own configuration.
 #
-# For simpler deployments, though, where all servers are identical, you can just specify a list of servers.
+# For simpler deployments though where all servers are identical, you can just specify a list of servers
 # They will be implicitly assigned to the `web` role.
 servers:
  - 172.0.0.1
@@ -19,7 +19,7 @@ servers:
 # Roles
 #
-# For more complex deployments (e.g., if you are running job hosts), you can specify roles and configure each separately (see kamal docs role):
+# For more complex deployments (e.g. if you are running job hosts), you can specify roles, and configure each separately (see kamal docs role)
 servers:
  web:
    ...
--- a/lib/kamal/configuration/docs/ssh.yml
+++ b/lib/kamal/configuration/docs/ssh.yml
@@ -1,9 +1,9 @@
 # SSH configuration
 #
-# Kamal uses SSH to connect and run commands on your hosts.
+# Kamal uses SSH to connect run commands on your hosts.
-# By default, it will attempt to connect to the root user on port 22.
+# By default it will attempt to connect to the root user on port 22
 #
-# If you are using a non-root user, you may need to bootstrap your servers manually before using them with Kamal. On Ubuntu, you’d do:
+# If you are using non-root user, you may need to bootstrap your servers manually, before using them with Kamal. On Ubuntu, you’d do:
 #
 # ```shell
 # sudo apt update
@@ -12,6 +12,7 @@
 # sudo usermod -a -G docker app
 # ```
 # SSH options
 #
 # The options are specified under the ssh key in the configuration file.
@@ -19,52 +20,47 @@ ssh:
  # The SSH user
  #
-  # Defaults to `root`:
+  # Defaults to `root`
  #
  user: app
  # The SSH port
  #
-  # Defaults to 22:
+  # Defaults to 22
  port: "2222"
  # Proxy host
  #
-  # Specified in the form <host> or <user>@<host>:
+  # Specified in the form <host> or <user>@<host>
  proxy: root@proxy-host
  # Proxy command
  #
-  # A custom proxy command, required for older versions of SSH:
+  # A custom proxy command, required for older versions of SSH
  proxy_command: "ssh -W %h:%p user@proxy"
  # Log level
  #
-  # Defaults to `fatal`. Set this to `debug` if you are having SSH connection issues.
+  # Defaults to `fatal`. Set this to debug if you are having
  # SSH connection issues.
  log_level: debug
-  # Keys only
+  # Keys Only
  #
-  # Set to `true` to use only private keys from the `keys` and `key_data` parameters,
+  # Set to true to use only private keys from keys and key_data parameters, 
-  # even if ssh-agent offers more identities. This option is intended for
+  # even if ssh-agent offers more identities. This option is intended for 
-  # situations where ssh-agent offers many different identities or you
+  # situations where ssh-agent offers many different identites or you have 
-  # need to overwrite all identities and force a single one.
+  # a need to overwrite all identites and force a single one.
  keys_only: false
  # Keys
  #
-  # An array of file names of private keys to use for public key
+  # An array of file names of private keys to use for publickey
-  # and host-based authentication:
+  # and hostbased authentication
  keys: [ "~/.ssh/id.pem" ]
-  # Key data
+  # Key Data
  #
  # An array of strings, with each element of the array being
  # a raw private key in PEM format.
  key_data: [ "-----BEGIN OPENSSH PRIVATE KEY-----" ]
  # Config
  #
  # Set to true to load the default OpenSSH config files (~/.ssh/config,
  # /etc/ssh_config), to false ignore config files, or to a file path
  # (or array of paths) to load specific configuration. Defaults to true.
  config: true
--- a/lib/kamal/configuration/docs/sshkit.yml
+++ b/lib/kamal/configuration/docs/sshkit.yml
@@ -2,8 +2,8 @@
 #
 # [SSHKit](https://github.com/capistrano/sshkit) is the SSH toolkit used by Kamal.
 #
-# The default, settings should be sufficient for most use cases, but
+# The default settings should be sufficient for most use cases, but
-# when connecting to a large number of hosts, you may need to adjust.
+# when connecting to a large number of hosts you may need to adjust
 # SSHKit options
 #
@@ -13,11 +13,11 @@ sshkit:
  # Max concurrent starts
  #
  # Creating SSH connections concurrently can be an issue when deploying to many servers.
-  # By default, Kamal will limit concurrent connection starts to 30 at a time.
+  # By default Kamal will limit concurrent connection starts to 30 at a time.
  max_concurrent_starts: 10
  # Pool idle timeout
  #
  # Kamal sets a long idle timeout of 900 seconds on connections to try to avoid
-  # re-connection storms after an idle period, such as building an image or waiting for CI.
+  # re-connection storms after an idle period, like building an image or waiting for CI.
  pool_idle_timeout: 300
--- a/lib/kamal/configuration/env.rb
+++ b/lib/kamal/configuration/env.rb
@@ -1,7 +1,8 @@
 class Kamal::Configuration::Env
  include Kamal::Configuration::Validation
-  attr_reader :context, :clear, :secret_keys
+  attr_reader :context, :secrets
  attr_reader :clear, :secret_keys
  delegate :argumentize, to: Kamal::Utils
  def initialize(config:, secrets:, context: "env")
@@ -17,22 +18,12 @@ class Kamal::Configuration::Env
  end
  def secrets_io
-    Kamal::EnvFile.new(aliased_secrets).to_io
+    Kamal::EnvFile.new(secret_keys.to_h { |key| [ key, secrets[key] ] }).to_io
  end
  def merge(other)
    self.class.new \
      config: { "clear" => clear.merge(other.clear), "secret" => secret_keys | other.secret_keys },
-      secrets: @secrets
+      secrets: secrets
  end
  private
    def aliased_secrets
      secret_keys.to_h { |key| extract_alias(key) }.transform_values { |secret_key| @secrets[secret_key] }
    end
    def extract_alias(key)
      key_name, key_aliased_to = key.split(":", 2)
      [ key_name, key_aliased_to || key_name ]
    end
 end
--- a/lib/kamal/configuration/proxy.rb
+++ b/lib/kamal/configuration/proxy.rb
@@ -6,14 +6,11 @@ class Kamal::Configuration::Proxy
  delegate :argumentize, :optionize, to: Kamal::Utils
-  attr_reader :config, :proxy_config, :role_name, :secrets
+  attr_reader :config, :proxy_config
-  def initialize(config:, proxy_config:, role_name: nil, secrets:, context: "proxy")
+  def initialize(config:, proxy_config:, context: "proxy")
    @config = config
    @proxy_config = proxy_config
    @proxy_config = {} if @proxy_config.nil?
    @role_name = role_name
    @secrets = secrets
    validate! @proxy_config, with: Kamal::Configuration::Validator::Proxy, context: context
  end
@@ -25,50 +22,14 @@ class Kamal::Configuration::Proxy
    proxy_config.fetch("ssl", false)
  end
-  def hosts
+  def host
-    proxy_config["hosts"] || proxy_config["host"]&.split(",") || []
+    proxy_config["host"]
  end
  def custom_ssl_certificate?
    ssl = proxy_config["ssl"]
    return false unless ssl.is_a?(Hash)
    ssl["certificate_pem"].present? && ssl["private_key_pem"].present?
  end
  def certificate_pem_content
    ssl = proxy_config["ssl"]
    return nil unless ssl.is_a?(Hash)
    secrets[ssl["certificate_pem"]]
  end
  def private_key_pem_content
    ssl = proxy_config["ssl"]
    return nil unless ssl.is_a?(Hash)
    secrets[ssl["private_key_pem"]]
  end
  def host_tls_cert
    tls_path(config.proxy_boot.tls_directory, "cert.pem")
  end
  def host_tls_key
    tls_path(config.proxy_boot.tls_directory, "key.pem")
  end
  def container_tls_cert
    tls_path(config.proxy_boot.tls_container_directory, "cert.pem")
  end
  def container_tls_key
    tls_path(config.proxy_boot.tls_container_directory, "key.pem") if custom_ssl_certificate?
  end
  def deploy_options
    {
-      host: hosts,
+      host: proxy_config["host"],
-      tls: ssl? ? true : nil,
+      tls: proxy_config["ssl"],
      "tls-certificate-path": container_tls_cert,
      "tls-private-key-path": container_tls_key,
      "deploy-timeout": seconds_duration(config.deploy_timeout),
      "drain-timeout": seconds_duration(config.drain_timeout),
      "health-check-interval": seconds_duration(proxy_config.dig("healthcheck", "interval")),
@@ -80,45 +41,26 @@ class Kamal::Configuration::Proxy
      "buffer-memory": proxy_config.dig("buffering", "memory"),
      "max-request-body": proxy_config.dig("buffering", "max_request_body"),
      "max-response-body": proxy_config.dig("buffering", "max_response_body"),
      "path-prefix": proxy_config.dig("path_prefix"),
      "strip-path-prefix": proxy_config.dig("strip_path_prefix"),
      "forward-headers": proxy_config.dig("forward_headers"),
      "tls-redirect": proxy_config.dig("ssl_redirect"),
      "log-request-header": proxy_config.dig("logging", "request_headers") || DEFAULT_LOG_REQUEST_HEADERS,
-      "log-response-header": proxy_config.dig("logging", "response_headers"),
+      "log-response-header": proxy_config.dig("logging", "response_headers")
      "error-pages": error_pages
    }.compact
  end
  def deploy_command_args(target:)
-    optionize ({ target: "#{target}:#{app_port}" }).merge(deploy_options), with: "="
+    optionize ({ target: "#{target}:#{app_port}" }).merge(deploy_options)
  end
-  def stop_options(drain_timeout: nil, message: nil)
+  def remove_command_args(target:)
-    {
+    optionize({ target: "#{target}:#{app_port}" })
      "drain-timeout": seconds_duration(drain_timeout),
      message: message
    }.compact
  end
  def stop_command_args(**options)
    optionize stop_options(**options), with: "="
  end
  def merge(other)
-    self.class.new config: config, proxy_config: other.proxy_config.deep_merge(proxy_config), role_name: role_name, secrets: secrets
+    self.class.new config: config, proxy_config: proxy_config.deep_merge(other.proxy_config)
  end
  private
    def tls_path(directory, filename)
      File.join([ directory, role_name, filename ].compact) if custom_ssl_certificate?
    end
    def seconds_duration(value)
      value ? "#{value}s" : nil
    end
    def error_pages
      File.join config.proxy_boot.error_pages_container_directory, config.version if config.error_pages_path
    end
 end
--- a/lib/kamal/configuration/proxy/boot.rb
+++ b/lib/kamal/configuration/proxy/boot.rb
@@ -1,129 +0,0 @@
 class Kamal::Configuration::Proxy::Boot
  MINIMUM_VERSION = "v0.9.0"
  DEFAULT_HTTP_PORT = 80
  DEFAULT_HTTPS_PORT = 443
  DEFAULT_LOG_MAX_SIZE = "10m"
  attr_reader :config
  delegate :argumentize, :optionize, to: Kamal::Utils
  def initialize(config:)
    @config = config
  end
  def publish_args(http_port, https_port, bind_ips = nil)
    ensure_valid_bind_ips(bind_ips)
    (bind_ips || [ nil ]).map do |bind_ip|
      bind_ip = format_bind_ip(bind_ip)
      publish_http = [ bind_ip, http_port, DEFAULT_HTTP_PORT ].compact.join(":")
      publish_https = [ bind_ip, https_port, DEFAULT_HTTPS_PORT ].compact.join(":")
      argumentize "--publish", [ publish_http, publish_https ]
    end.join(" ")
  end
  def logging_args(max_size)
    argumentize "--log-opt", "max-size=#{max_size}" if max_size.present?
  end
  def default_boot_options
    [
      *(publish_args(DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT, nil)),
      *(logging_args(DEFAULT_LOG_MAX_SIZE))
    ]
  end
  def repository_name
    "basecamp"
  end
  def image_name
    "kamal-proxy"
  end
  def image_default
    "#{repository_name}/#{image_name}"
  end
  def container_name
    "kamal-proxy"
  end
  def host_directory
    File.join config.run_directory, "proxy"
  end
  def options_file
    File.join host_directory, "options"
  end
  def image_file
    File.join host_directory, "image"
  end
  def image_version_file
    File.join host_directory, "image_version"
  end
  def run_command_file
    File.join host_directory, "run_command"
  end
  def apps_directory
    File.join host_directory, "apps-config"
  end
  def apps_container_directory
    "/home/kamal-proxy/.apps-config"
  end
  def apps_volume
    Kamal::Configuration::Volume.new \
      host_path: apps_directory,
      container_path: apps_container_directory
  end
  def app_directory
    File.join apps_directory, config.service_and_destination
  end
  def app_container_directory
    File.join apps_container_directory, config.service_and_destination
  end
  def error_pages_directory
    File.join app_directory, "error_pages"
  end
  def error_pages_container_directory
    File.join app_container_directory, "error_pages"
  end
  def tls_directory
    File.join app_directory, "tls"
  end
  def tls_container_directory
    File.join app_container_directory, "tls"
  end
  private
    def ensure_valid_bind_ips(bind_ips)
      bind_ips.present? && bind_ips.each do |ip|
        next if ip =~ Resolv::IPv4::Regex || ip =~ Resolv::IPv6::Regex
        raise ArgumentError, "Invalid publish IP address: #{ip}"
      end
      true
    end
    def format_bind_ip(ip)
      # Ensure IPv6 address inside square brackets - e.g. [::1]
      if ip =~ Resolv::IPv6::Regex && ip !~ /\A\[.*\]\z/
        "[#{ip}]"
      else
        ip
      end
    end
 end
--- a/lib/kamal/configuration/registry.rb
+++ b/lib/kamal/configuration/registry.rb
@@ -1,10 +1,12 @@
 class Kamal::Configuration::Registry
  include Kamal::Configuration::Validation
-  def initialize(config:, secrets:, context: "registry")
+  attr_reader :registry_config, :secrets
-    @registry_config = config["registry"] || {}
+
-    @secrets = secrets
+  def initialize(config:)
-    validate! registry_config, context: context, with: Kamal::Configuration::Validator::Registry
+    @registry_config = config.raw_config.registry || {}
    @secrets = config.secrets
    validate! registry_config, with: Kamal::Configuration::Validator::Registry
  end
  def server
@@ -19,17 +21,7 @@ class Kamal::Configuration::Registry
    lookup("password")
  end
  def local?
    server.to_s.match?("^localhost[:$]")
  end
  def local_port
    local? ? (server.split(":").last.to_i || 80) : nil
  end
  private
    attr_reader :registry_config, :secrets
    def lookup(key)
      if registry_config[key].is_a?(Array)
        secrets[registry_config[key].first]
--- a/lib/kamal/configuration/role.rb
+++ b/lib/kamal/configuration/role.rb
@@ -10,7 +10,7 @@ class Kamal::Configuration::Role
  def initialize(name, config:)
    @name, @config = name.inquiry, config
    validate! \
-      role_config,
+      specializations,
      example: validation_yml["servers"]["workers"],
      context: "servers/#{name}",
      with: Kamal::Configuration::Validator::Role
@@ -68,7 +68,7 @@ class Kamal::Configuration::Role
  end
  def proxy
-    @proxy ||= specialized_proxy.merge(config.proxy) if running_proxy?
+    @proxy ||= config.proxy.merge(specialized_proxy) if running_proxy?
  end
  def running_proxy?
@@ -150,8 +150,8 @@ class Kamal::Configuration::Role
  end
  def ensure_one_host_for_ssl
-    if running_proxy? && proxy.ssl? && hosts.size > 1 && !proxy.custom_ssl_certificate?
+    if running_proxy? && proxy.ssl? && hosts.size > 1
-      raise Kamal::ConfigurationError, "SSL is only supported on a single server unless you provide custom certificates, found #{hosts.size} servers for role #{name}"
+      raise Kamal::ConfigurationError, "SSL is only supported on a single server, found #{hosts.size} servers for role #{name}"
    end
  end
@@ -173,8 +173,6 @@ class Kamal::Configuration::Role
        @specialized_proxy = Kamal::Configuration::Proxy.new \
          config: config,
          proxy_config: proxy_config,
          secrets: config.secrets,
          role_name: name,
          context: "servers/#{name}/proxy"
      end
    end
@@ -206,11 +204,11 @@ class Kamal::Configuration::Role
    end
    def specializations
-      @specializations ||= role_config.is_a?(Array) ? {} : role_config
+      if config.raw_config.servers.is_a?(Array) || config.raw_config.servers[name].is_a?(Array)
-    end
+        {}
-
+      else
-    def role_config
+        config.raw_config.servers[name]
-      @role_config ||= config.raw_config.servers.is_a?(Array) ? {} : config.raw_config.servers[name]
+      end
    end
    def custom_labels
--- a/lib/kamal/configuration/servers.rb
+++ b/lib/kamal/configuration/servers.rb
@@ -13,13 +13,6 @@ class Kamal::Configuration::Servers
  private
    def role_names
-      case servers_config
+      servers_config.is_a?(Array) ? [ "web" ] : servers_config.keys.sort
      when Array
        [ "web" ]
      when NilClass
        []
      else
        servers_config.keys.sort
      end
    end
 end
--- a/lib/kamal/configuration/validator.rb
+++ b/lib/kamal/configuration/validator.rb
@@ -27,8 +27,6 @@ class Kamal::Configuration::Validator
              unless key.to_s == "proxy" && boolean?(value.class)
                validate_type! value, *(Array if key == :servers), Hash
              end
            elsif key.to_s == "ssl"
                validate_type! value, TrueClass, FalseClass, Hash
            elsif key == "hosts"
              validate_servers! value
            elsif example_value.is_a?(Array)
@@ -170,22 +168,4 @@ class Kamal::Configuration::Validator
      unknown_keys.reject! { |key| extension?(key) } if allow_extensions?
      unknown_keys_error unknown_keys if unknown_keys.present?
    end
    def validate_labels!(labels)
      return true if labels.blank?
      with_context("labels") do
        labels.each do |key, _|
          with_context(key) do
            error "invalid label. destination, role, and service are reserved labels" if %w[destination role service].include?(key)
          end
        end
      end
    end
    def validate_docker_options!(options)
      if options
        error "Cannot set restart policy in docker options, unless-stopped is required" if options["restart"]
      end
    end
 end
--- a/lib/kamal/configuration/validator/accessory.rb
+++ b/lib/kamal/configuration/validator/accessory.rb
@@ -2,12 +2,8 @@ class Kamal::Configuration::Validator::Accessory < Kamal::Configuration::Validat
  def validate!
    super
-    if (config.keys & [ "host", "hosts", "role", "roles", "tag", "tags" ]).size != 1
+    if (config.keys & [ "host", "hosts", "roles" ]).size != 1
-      error "specify one of `host`, `hosts`, `role`, `roles`, `tag` or `tags`"
+      error "specify one of `host`, `hosts` or `roles`"
    end
    validate_labels!(config["labels"])
    validate_docker_options!(config["options"])
  end
 end
--- a/lib/kamal/configuration/validator/builder.rb
+++ b/lib/kamal/configuration/validator/builder.rb
@@ -8,8 +8,6 @@ class Kamal::Configuration::Validator::Builder < Kamal::Configuration::Validator
    error "Builder arch not set" unless config["arch"].present?
    error "buildpacks only support building for one arch" if config["pack"] && config["arch"].is_a?(Array) && config["arch"].size > 1
    error "Cannot disable local builds, no remote is set" if config["local"] == false && config["remote"].blank?
  end
 end
--- a/lib/kamal/configuration/validator/proxy.rb
+++ b/lib/kamal/configuration/validator/proxy.rb
@@ -3,23 +3,9 @@ class Kamal::Configuration::Validator::Proxy < Kamal::Configuration::Validator
    unless config.nil?
      super
-      if config["host"].blank? && config["hosts"].blank? && config["ssl"]
+      if config["host"].blank? && config["ssl"]
        error "Must set a host to enable automatic SSL"
      end
      if (config.keys & [ "host", "hosts" ]).size > 1
        error "Specify one of 'host' or 'hosts', not both"
      end
      if config["ssl"].is_a?(Hash)
        if config["ssl"]["certificate_pem"].present? && config["ssl"]["private_key_pem"].blank?
          error "Missing private_key_pem setting (required when certificate_pem is present)"
        end
        if config["ssl"]["private_key_pem"].present? && config["ssl"]["certificate_pem"].blank?
          error "Missing certificate_pem setting (required when private_key_pem is present)"
        end
      end
    end
  end
 end
--- a/lib/kamal/configuration/validator/registry.rb
+++ b/lib/kamal/configuration/validator/registry.rb
@@ -15,12 +15,10 @@ class Kamal::Configuration::Validator::Registry < Kamal::Configuration::Validato
      with_context(key) do
        value = config[key]
-        unless config["server"]&.match?("^localhost[:$]")
+        error "is required" unless value.present?
          error "is required" unless value.present?
-          unless value.is_a?(String) || (value.is_a?(Array) && value.size == 1 && value.first.is_a?(String))
+        unless value.is_a?(String) || (value.is_a?(Array) && value.size == 1 && value.first.is_a?(String))
-            error "should be a string or an array with one string (for secret lookup)"
+          error "should be a string or an array with one string (for secret lookup)"
          end
        end
      end
    end
--- a/lib/kamal/configuration/validator/role.rb
+++ b/lib/kamal/configuration/validator/role.rb
@@ -3,11 +3,9 @@ class Kamal::Configuration::Validator::Role < Kamal::Configuration::Validator
    validate_type! config, Array, Hash
    if config.is_a?(Array)
-      validate_servers!(config)
+      validate_servers! "servers", config
    else
      super
      validate_labels!(config["labels"])
      validate_docker_options!(config["options"])
    end
  end
 end
--- a/lib/kamal/configuration/validator/servers.rb
+++ b/lib/kamal/configuration/validator/servers.rb
@@ -1,6 +1,6 @@
 class Kamal::Configuration::Validator::Servers < Kamal::Configuration::Validator
  def validate!
-    validate_type! config, Array, Hash, NilClass
+    validate_type! config, Array, Hash
    validate_servers! config if config.is_a?(Array)
  end
--- a/lib/kamal/docker.rb
+++ b/lib/kamal/docker.rb
@@ -1,31 +0,0 @@
 require "tempfile"
 require "open3"
 require "shellwords"
 module Kamal::Docker
  extend self
  BUILD_CHECK_TAG = "kamal-local-build-check"
  def included_files
    Tempfile.create do |dockerfile|
      dockerfile.write(<<~DOCKERFILE)
        FROM busybox
        COPY . app
        WORKDIR app
        CMD find . -type f | sed "s|^\./||"
      DOCKERFILE
      dockerfile.close
      cmd = "docker buildx build -t=#{BUILD_CHECK_TAG} -f=#{Shellwords.escape(dockerfile.path)} ."
      system(cmd) || raise("failed to build check image")
    end
    cmd = "docker run --rm #{BUILD_CHECK_TAG}"
    out, err, status = Open3.capture3(cmd)
    unless status
      raise "failed to run check image:\n#{err}"
    end
    out.lines.map(&:strip)
  end
 end
--- a/lib/kamal/env_file.rb
+++ b/lib/kamal/env_file.rb
@@ -37,8 +37,6 @@ class Kamal::EnvFile
    def escape_docker_env_file_ascii_value(value)
      # Doublequotes are treated literally in docker env files
      # so remove leading and trailing ones and unescape any others
-      value.to_s.dump[1..-2]
+      value.to_s.dump[1..-2].gsub(/\\"/, "\"")
        .gsub(/\\"/, "\"")
        .gsub(/\\#/, "#")
    end
 end
--- a/lib/kamal/git.rb
+++ b/lib/kamal/git.rb
@@ -24,14 +24,4 @@ module Kamal::Git
  def root
    `git rev-parse --show-toplevel`.strip
  end
  # returns an array of relative path names of files with uncommitted changes
  def uncommitted_files
    `git ls-files --modified`.lines.map(&:strip)
  end
  # returns an array of relative path names of untracked files, including gitignored files
  def untracked_files
    `git ls-files --others`.lines.map(&:strip)
  end
 end
--- a/lib/kamal/secrets.rb
+++ b/lib/kamal/secrets.rb
@@ -1,10 +1,13 @@
 require "dotenv"
 class Kamal::Secrets
  attr_reader :secrets_files
  Kamal::Secrets::Dotenv::InlineCommandSubstitution.install!
  def initialize(destination: nil)
-    @destination = destination
+    @secrets_files = \
      [ ".kamal/secrets-common", ".kamal/secrets#{(".#{destination}" if destination)}" ].select { |f| File.exist?(f) }
    @mutex = Mutex.new
  end
@@ -14,10 +17,10 @@ class Kamal::Secrets
      secrets.fetch(key)
    end
  rescue KeyError
-    if secrets_files.present?
+    if secrets_files
      raise Kamal::ConfigurationError, "Secret '#{key}' not found in #{secrets_files.join(", ")}"
    else
-      raise Kamal::ConfigurationError, "Secret '#{key}' not found, no secret files (#{secrets_filenames.join(", ")}) provided"
+      raise Kamal::ConfigurationError, "Secret '#{key}' not found, no secret files provided"
    end
  end
@@ -25,18 +28,10 @@ class Kamal::Secrets
    secrets
  end
  def secrets_files
    @secrets_files ||= secrets_filenames.select { |f| File.exist?(f) }
  end
  private
    def secrets
      @secrets ||= secrets_files.inject({}) do |secrets, secrets_file|
-        secrets.merge!(::Dotenv.parse(secrets_file, overwrite: true))
+        secrets.merge!(::Dotenv.parse(secrets_file))
      end
    end
    def secrets_filenames
      [ ".kamal/secrets-common", ".kamal/secrets#{(".#{@destination}" if @destination)}" ]
    end
 end
--- a/lib/kamal/secrets/adapters.rb
+++ b/lib/kamal/secrets/adapters.rb
@@ -3,8 +3,6 @@ module Kamal::Secrets::Adapters
  def self.lookup(name)
    name = "one_password" if name.downcase == "1password"
    name = "last_pass" if name.downcase == "lastpass"
    name = "gcp_secret_manager" if name.downcase == "gcp"
    name = "bitwarden_secrets_manager" if name.downcase == "bitwarden-sm"
    adapter_class(name)
  end
--- a/lib/kamal/secrets/adapters/aws_secrets_manager.rb
+++ b/lib/kamal/secrets/adapters/aws_secrets_manager.rb
@@ -1,51 +0,0 @@
 class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Base
  def requires_account?
    false
  end
  private
    def login(_account)
      nil
    end
    def fetch_secrets(secrets, from:, account: nil, session:)
      {}.tap do |results|
        get_from_secrets_manager(prefixed_secrets(secrets, from: from), account: account).each do |secret|
          secret_name = secret["Name"]
          secret_string = JSON.parse(secret["SecretString"])
          secret_string.each do |key, value|
            results["#{secret_name}/#{key}"] = value
          end
        rescue JSON::ParserError
          results["#{secret_name}"] = secret["SecretString"]
        end
      end
    end
    def get_from_secrets_manager(secrets, account: nil)
      args = [ "aws", "secretsmanager", "batch-get-secret-value", "--secret-id-list" ] + secrets.map(&:shellescape)
      args += [ "--profile", account.shellescape ] if account
      args += [ "--output", "json" ]
      cmd = args.join(" ")
      `#{cmd}`.tap do |secrets|
        raise RuntimeError, "Could not read #{secrets} from AWS Secrets Manager" unless $?.success?
        secrets = JSON.parse(secrets)
        return secrets["SecretValues"] unless secrets["Errors"].present?
        raise RuntimeError, secrets["Errors"].map { |error| "#{error['SecretId']}: #{error['Message']}" }.join(" ")
      end
    end
    def check_dependencies!
      raise RuntimeError, "AWS CLI is not installed" unless cli_installed?
    end
    def cli_installed?
      `aws --version 2> /dev/null`
      $?.success?
    end
 end
--- a/lib/kamal/secrets/adapters/base.rb
+++ b/lib/kamal/secrets/adapters/base.rb
@@ -1,17 +1,10 @@
 class Kamal::Secrets::Adapters::Base
  delegate :optionize, to: Kamal::Utils
-  def fetch(secrets, account: nil, from: nil)
+  def fetch(secrets, account:, from: nil)
    raise RuntimeError, "Missing required option '--account'" if requires_account? && account.blank?
    check_dependencies!
    session = login(account)
-    fetch_secrets(secrets, from: from, account: account, session: session)
+    full_secrets = secrets.map { |secret| [ from, secret ].compact.join("/") }
-  end
+    fetch_secrets(full_secrets, account: account, session: session)
  def requires_account?
    true
  end
  private
@@ -22,12 +15,4 @@ class Kamal::Secrets::Adapters::Base
    def fetch_secrets(...)
      raise NotImplementedError
    end
    def check_dependencies!
      raise NotImplementedError
    end
    def prefixed_secrets(secrets, from:)
      secrets.map { |secret| [ from, secret ].compact.join("/") }
    end
 end
--- a/lib/kamal/secrets/adapters/bitwarden.rb
+++ b/lib/kamal/secrets/adapters/bitwarden.rb
@@ -21,35 +21,27 @@ class Kamal::Secrets::Adapters::Bitwarden < Kamal::Secrets::Adapters::Base
      session
    end
-    def fetch_secrets(secrets, from:, account:, session:)
+    def fetch_secrets(secrets, account:, session:)
      {}.tap do |results|
-        items_fields(prefixed_secrets(secrets, from: from)).each do |item, fields|
+        items_fields(secrets).each do |item, fields|
          item_json = run_command("get item #{item.shellescape}", session: session, raw: true)
-          raise RuntimeError, "Could not read #{item} from Bitwarden" unless $?.success?
+          raise RuntimeError, "Could not read #{secret} from Bitwarden" unless $?.success?
          item_json = JSON.parse(item_json)
          if fields.any?
-            results.merge! fetch_secrets_from_fields(fields, item, item_json)
+            fields.each do |field|
-          elsif item_json.dig("login", "password")
+              item_field = item_json["fields"].find { |f| f["name"] == field }
-            results[item] = item_json.dig("login", "password")
+              raise RuntimeError, "Could not find field #{field} in item #{item} in Bitwarden" unless item_field
-          elsif item_json["fields"]&.any?
+              value = item_field["value"]
-            fields = item_json["fields"].pluck("name")
+              results["#{item}/#{field}"] = value
-            results.merge! fetch_secrets_from_fields(fields, item, item_json)
+            end
          else
-            raise RuntimeError, "Item #{item} is not a login type item and no fields were specified"
+            results[item] = item_json["login"]["password"]
          end
        end
      end
    end
    def fetch_secrets_from_fields(fields, item, item_json)
      fields.to_h do |field|
        item_field = item_json["fields"].find { |f| f["name"] == field }
        raise RuntimeError, "Could not find field #{field} in item #{item} in Bitwarden" unless item_field
        value = item_field["value"]
        [ "#{item}/#{field}", value ]
      end
    end
    def items_fields(secrets)
      {}.tap do |items|
        secrets.each do |secret|
@@ -69,13 +61,4 @@ class Kamal::Secrets::Adapters::Bitwarden < Kamal::Secrets::Adapters::Base
      result = `#{full_command}`.strip
      raw ? result : JSON.parse(result)
    end
    def check_dependencies!
      raise RuntimeError, "Bitwarden CLI is not installed" unless cli_installed?
    end
    def cli_installed?
      `bw --version 2> /dev/null`
      $?.success?
    end
 end
--- a/lib/kamal/secrets/adapters/bitwarden_secrets_manager.rb
+++ b/lib/kamal/secrets/adapters/bitwarden_secrets_manager.rb
@@ -1,66 +0,0 @@
 class Kamal::Secrets::Adapters::BitwardenSecretsManager < Kamal::Secrets::Adapters::Base
  def requires_account?
    false
  end
  private
    LIST_ALL_SELECTOR = "all"
    LIST_ALL_FROM_PROJECT_SUFFIX = "/all"
    LIST_COMMAND = "secret list"
    GET_COMMAND = "secret get"
    def fetch_secrets(secrets, from:, account:, session:)
      raise RuntimeError, "You must specify what to retrieve from Bitwarden Secrets Manager" if secrets.length == 0
      secrets = prefixed_secrets(secrets, from: from)
      command, project = extract_command_and_project(secrets)
      {}.tap do |results|
        if command.nil?
          secrets.each do |secret_uuid|
            item_json = run_command("#{GET_COMMAND} #{secret_uuid.shellescape}")
            raise RuntimeError, "Could not read #{secret_uuid} from Bitwarden Secrets Manager" unless $?.success?
            item_json = JSON.parse(item_json)
            results[item_json["key"]] = item_json["value"]
          end
        else
          items_json = run_command(command)
          raise RuntimeError, "Could not read secrets from Bitwarden Secrets Manager" unless $?.success?
          JSON.parse(items_json).each do |item_json|
            results[item_json["key"]] = item_json["value"]
          end
        end
      end
    end
    def extract_command_and_project(secrets)
      if secrets.length == 1
        if secrets[0] == LIST_ALL_SELECTOR
          [ LIST_COMMAND, nil ]
        elsif secrets[0].end_with?(LIST_ALL_FROM_PROJECT_SUFFIX)
          project = secrets[0].split(LIST_ALL_FROM_PROJECT_SUFFIX).first
          [ "#{LIST_COMMAND} #{project.shellescape}", project ]
        end
      end
    end
    def run_command(command, session: nil)
      full_command = [ "bws", command ].join(" ")
      `#{full_command}`
    end
    def login(account)
      run_command("project list")
      raise RuntimeError, "Could not authenticate to Bitwarden Secrets Manager. Did you set a valid access token?" unless $?.success?
    end
    def check_dependencies!
      raise RuntimeError, "Bitwarden Secrets Manager CLI is not installed" unless cli_installed?
    end
    def cli_installed?
      `bws --version 2> /dev/null`
      $?.success?
    end
 end
--- a/lib/kamal/secrets/adapters/doppler.rb
+++ b/lib/kamal/secrets/adapters/doppler.rb
@@ -1,57 +0,0 @@
 class Kamal::Secrets::Adapters::Doppler < Kamal::Secrets::Adapters::Base
  def requires_account?
    false
  end
  private
    def login(*)
      unless loggedin?
        `doppler login -y`
        raise RuntimeError, "Failed to login to Doppler" unless $?.success?
      end
    end
    def loggedin?
      `doppler me --json 2> /dev/null`
      $?.success?
    end
    def fetch_secrets(secrets, from:, **)
      secrets = prefixed_secrets(secrets, from: from)
      flags = secrets_get_flags(secrets)
      secret_names = secrets.collect { |s| s.split("/").last }
      items = `doppler secrets get #{secret_names.map(&:shellescape).join(" ")} --json #{flags}`
      raise RuntimeError, "Could not read #{secrets} from Doppler" unless $?.success?
      items = JSON.parse(items)
      items.transform_values { |value| value["computed"] }
    end
    def secrets_get_flags(secrets)
      unless service_token_set?
        project, config, _ = secrets.first.split("/")
        unless project && config
          raise RuntimeError, "Missing project or config from '--from=project/config' option"
        end
        project_and_config_flags = "-p #{project.shellescape} -c #{config.shellescape}"
      end
    end
    def service_token_set?
      ENV["DOPPLER_TOKEN"] && ENV["DOPPLER_TOKEN"][0, 5] == "dp.st"
    end
    def check_dependencies!
      raise RuntimeError, "Doppler CLI is not installed" unless cli_installed?
    end
    def cli_installed?
      `doppler --version 2> /dev/null`
      $?.success?
    end
 end
--- a/lib/kamal/secrets/adapters/enpass.rb
+++ b/lib/kamal/secrets/adapters/enpass.rb
@@ -1,71 +0,0 @@
 ##
 # Enpass is different from most password managers, in a way that it's offline and doesn't need an account.
 #
 # Usage
 #
 # Fetch all password from FooBar item
 # `kamal secrets fetch --adapter enpass --from /Users/YOUR_USERNAME/Library/Containers/in.sinew.Enpass-Desktop/Data/Documents/Vaults/primary FooBar`
 #
 # Fetch only DB_PASSWORD from FooBar item
 # `kamal secrets fetch --adapter enpass --from /Users/YOUR_USERNAME/Library/Containers/in.sinew.Enpass-Desktop/Data/Documents/Vaults/primary FooBar/DB_PASSWORD`
 class Kamal::Secrets::Adapters::Enpass < Kamal::Secrets::Adapters::Base
  def requires_account?
    false
  end
  private
    def fetch_secrets(secrets, from:, account:, session:)
      secrets_titles = fetch_secret_titles(secrets)
      result = `enpass-cli -json -vault #{from.shellescape} show #{secrets_titles.map(&:shellescape).join(" ")}`.strip
      parse_result_and_take_secrets(result, secrets)
    end
    def check_dependencies!
      raise RuntimeError, "Enpass CLI is not installed" unless cli_installed?
    end
    def cli_installed?
      `enpass-cli version 2> /dev/null`
      $?.success?
    end
    def login(account)
      nil
    end
    def fetch_secret_titles(secrets)
      secrets.reduce(Set.new) do |secret_titles, secret|
        # Sometimes secrets contain a '/', when the intent is to fetch a single password for an item. Example: FooBar/DB_PASSWORD
        # Another case is, when the intent is to fetch all passwords for an item. Example: FooBar (and FooBar may have multiple different passwords)
        key, separator, value = secret.rpartition("/")
        if key.empty?
          secret_titles << value
        else
          secret_titles << key
        end
      end.to_a
    end
    def parse_result_and_take_secrets(unparsed_result, secrets)
      result = JSON.parse(unparsed_result)
      result.reduce({}) do |secrets_with_passwords, item|
        title = item["title"]
        label = item["label"]
        password = item["password"]
        if title && password.present?
          key = [ title, label ].compact.reject(&:empty?).join("/")
          if secrets.include?(title) || secrets.include?(key)
            raise RuntimeError, "#{key} is present more than once" if secrets_with_passwords[key]
            secrets_with_passwords[key] = password
          end
        end
        secrets_with_passwords
      end
    end
 end
--- a/lib/kamal/secrets/adapters/gcp_secret_manager.rb
+++ b/lib/kamal/secrets/adapters/gcp_secret_manager.rb
@@ -1,112 +0,0 @@
 class Kamal::Secrets::Adapters::GcpSecretManager < Kamal::Secrets::Adapters::Base
  private
    def login(account)
      # Since only the account option is passed from the cli, we'll use it for both account and service account
      # impersonation.
      #
      # Syntax:
      # ACCOUNT: USER | USER "|" DELEGATION_CHAIN
      # USER: DEFAULT_USER | EMAIL
      # DELEGATION_CHAIN: EMAIL | EMAIL "," DELEGATION_CHAIN
      # EMAIL: <The email address of the user or service account, like "my-user@example.com" >
      # DEFAULT_USER: "default"
      #
      # Some valid examples:
      # - "my-user@example.com" sets the user
      # - "my-user@example.com|my-service-user@example.com" will use my-user and enable service account impersonation as my-service-user
      # - "default" will use the default user and no impersonation
      # - "default|my-service-user@example.com" will use the default user, and enable service account impersonation as my-service-user
      # - "default|my-service-user@example.com,another-service-user@example.com" same as above, but with an impersonation delegation chain
      unless logged_in?
        `gcloud auth login`
        raise RuntimeError, "could not login to gcloud" unless logged_in?
      end
      nil
    end
    def fetch_secrets(secrets, from:, account:, session:)
      user, service_account = parse_account(account)
      {}.tap do |results|
        secrets_with_metadata(prefixed_secrets(secrets, from: from)).each do |secret, (project, secret_name, secret_version)|
          item_name = "#{project}/#{secret_name}"
          results[item_name] = fetch_secret(project, secret_name, secret_version, user, service_account)
          raise RuntimeError, "Could not read #{item_name} from Google Secret Manager" unless $?.success?
        end
      end
    end
    def fetch_secret(project, secret_name, secret_version, user, service_account)
      secret = run_command(
        "secrets versions access #{secret_version.shellescape} --secret=#{secret_name.shellescape}",
        project: project,
        user: user,
        service_account: service_account
      )
      Base64.decode64(secret.dig("payload", "data"))
    end
    # The secret needs to at least contain a secret name, but project name, and secret version can also be specified.
    #
    # The string "default" can be used to refer to the default project configured for gcloud.
    #
    # The version can be either the string "latest", or a version number.
    #
    # The following formats are valid:
    #
    # - The following are all equivalent, and sets project: default, secret name: my-secret, version: latest
    #   - "my-secret"
    #   - "default/my-secret"
    #   - "default/my-secret/latest"
    #   - "my-secret/latest" in combination with --from=default
    # - "my-secret/123" (only in combination with --from=some-project) -> project: some-project, secret name: my-secret, version: 123
    # - "some-project/my-secret/123" -> project: some-project, secret name: my-secret, version: 123
    def secrets_with_metadata(secrets)
      {}.tap do |items|
        secrets.each do |secret|
          parts = secret.split("/")
          parts.unshift("default") if parts.length == 1
          project = parts.shift
          secret_name = parts.shift
          secret_version = parts.shift || "latest"
          items[secret] = [ project, secret_name, secret_version ]
        end
      end
    end
    def run_command(command, project: "default", user: "default", service_account: nil)
      full_command = [ "gcloud", command ]
      full_command << "--project=#{project.shellescape}" unless project == "default"
      full_command << "--account=#{user.shellescape}" unless user == "default"
      full_command << "--impersonate-service-account=#{service_account.shellescape}" if service_account
      full_command << "--format=json"
      full_command = full_command.join(" ")
      result = `#{full_command}`.strip
      JSON.parse(result)
    end
    def check_dependencies!
      raise RuntimeError, "gcloud CLI is not installed" unless cli_installed?
    end
    def cli_installed?
      `gcloud --version 2> /dev/null`
      $?.success?
    end
    def logged_in?
      JSON.parse(`gcloud auth list --format=json`).any?
    end
    def parse_account(account)
      account.split("|", 2)
    end
    def is_user?(candidate)
      candidate.include?("@")
    end
 end
--- a/lib/kamal/secrets/adapters/last_pass.rb
+++ b/lib/kamal/secrets/adapters/last_pass.rb
@@ -3,7 +3,7 @@ class Kamal::Secrets::Adapters::LastPass < Kamal::Secrets::Adapters::Base
    def login(account)
      unless loggedin?(account)
        `lpass login #{account.shellescape}`
-        raise RuntimeError, "Failed to login to LastPass" unless $?.success?
+        raise RuntimeError, "Failed to login to 1Password" unless $?.success?
      end
    end
@@ -11,10 +11,9 @@ class Kamal::Secrets::Adapters::LastPass < Kamal::Secrets::Adapters::Base
      `lpass status --color never`.strip == "Logged in as #{account}."
    end
-    def fetch_secrets(secrets, from:, account:, session:)
+    def fetch_secrets(secrets, account:, session:)
      secrets = prefixed_secrets(secrets, from: from)
      items = `lpass show #{secrets.map(&:shellescape).join(" ")} --json`
-      raise RuntimeError, "Could not read #{secrets} from LastPass" unless $?.success?
+      raise RuntimeError, "Could not read #{secrets} from 1Password" unless $?.success?
      items = JSON.parse(items)
@@ -24,17 +23,8 @@ class Kamal::Secrets::Adapters::LastPass < Kamal::Secrets::Adapters::Base
        end
        if (missing_items = secrets - results.keys).any?
-          raise RuntimeError, "Could not find #{missing_items.join(", ")} in LastPass"
+          raise RuntimeError, "Could not find #{missing_items.join(", ")} in LassPass"
        end
      end
    end
    def check_dependencies!
      raise RuntimeError, "LastPass CLI is not installed" unless cli_installed?
    end
    def cli_installed?
      `lpass --version 2> /dev/null`
      $?.success?
    end
 end
--- a/lib/kamal/secrets/adapters/one_password.rb
+++ b/lib/kamal/secrets/adapters/one_password.rb
@@ -15,34 +15,18 @@ class Kamal::Secrets::Adapters::OnePassword < Kamal::Secrets::Adapters::Base
      $?.success?
    end
-    def fetch_secrets(secrets, from:, account:, session:)
+    def fetch_secrets(secrets, account:, session:)
      if secrets.blank?
        fetch_all_secrets(from: from, account: account, session: session)
      else
        fetch_specified_secrets(secrets, from: from, account: account, session: session)
      end
    end
    def fetch_specified_secrets(secrets, from:, account:, session:)
      {}.tap do |results|
-        vaults_items_fields(prefixed_secrets(secrets, from: from)).map do |vault, items|
+        vaults_items_fields(secrets).map do |vault, items|
          items.each do |item, fields|
-            fields_json = JSON.parse(op_item_get(vault, item, fields: fields, account: account, session: session))
+            fields_json = JSON.parse(op_item_get(vault, item, fields, account: account, session: session))
            fields_json = [ fields_json ] if fields.one?
-            results.merge!(fields_map(fields_json))
+            fields_json.each do |field_json|
-          end
+              # The reference is in the form `op://vault/item/field[/field]`
-        end
+              field = field_json["reference"].delete_prefix("op://").delete_suffix("/password")
-      end
+              results[field] = field_json["value"]
-    end
+            end
    def fetch_all_secrets(from:, account:, session:)
      {}.tap do |results|
        vault_items(from).each do |vault, items|
          items.each do |item|
            fields_json = JSON.parse(op_item_get(vault, item, account: account, session: session)).fetch("fields")
            results.merge!(fields_map(fields_json))
          end
        end
      end
@@ -66,39 +50,12 @@ class Kamal::Secrets::Adapters::OnePassword < Kamal::Secrets::Adapters::Base
      end
    end
-    def vault_items(from)
+    def op_item_get(vault, item, fields, account:, session:)
-      from = from.delete_prefix("op://")
+      labels = fields.map { |field| "label=#{field}" }.join(",")
-      vault, item = from.split("/")
+      options = to_options(vault: vault, fields: labels, format: "json", account: account, session: session.presence)
      { vault => [ item ] }
    end
-    def fields_map(fields_json)
+      `op item get #{item.shellescape} #{options}`.tap do
-      fields_json.to_h do |field_json|
+        raise RuntimeError, "Could not read #{fields.join(", ")} from #{item} in the #{vault} 1Password vault" unless $?.success?
        # The reference is in the form `op://vault/item/field[/field]`
        field = field_json["reference"].delete_prefix("op://").delete_suffix("/password")
        [ field, field_json["value"] ]
      end
    end
    def op_item_get(vault, item, fields: nil, account:, session:)
      options = { vault: vault, format: "json", account: account, session: session.presence }
      if fields.present?
        labels = fields.map { |field| "label=#{field}" }.join(",")
        options.merge!(fields: labels)
      end
      `op item get #{item.shellescape} #{to_options(**options)}`.tap do
        raise RuntimeError, "Could not read #{"#{fields.join(", ")} " if fields.present?}from #{item} in the #{vault} 1Password vault" unless $?.success?
      end
    end
    def check_dependencies!
      raise RuntimeError, "1Password CLI is not installed" unless cli_installed?
    end
    def cli_installed?
      `op --version 2> /dev/null`
      $?.success?
    end
 end
--- a/lib/kamal/secrets/adapters/passbolt.rb
+++ b/lib/kamal/secrets/adapters/passbolt.rb
@@ -1,130 +0,0 @@
 class Kamal::Secrets::Adapters::Passbolt < Kamal::Secrets::Adapters::Base
  def requires_account?
    false
  end
  private
    def login(*)
      `passbolt verify`
      raise RuntimeError, "Failed to login to Passbolt" unless $?.success?
    end
    def fetch_secrets(secrets, from:, **)
      secrets = prefixed_secrets(secrets, from: from)
      raise ArgumentError, "No secrets given to fetch" if secrets.empty?
      secret_names = secrets.collect { |s| s.split("/").last }
      folders = secrets_get_folders(secrets)
      # build filter conditions for each secret with its corresponding folder
      filter_conditions = []
      secrets.each do |secret|
        parts = secret.split("/")
        secret_name = parts.last
        if parts.size > 1
          # get the folder path without the secret name
          folder_path = parts[0..-2]
          # find the most nested folder for this path
          current_folder = nil
          current_path = []
          folder_path.each do |folder_name|
            current_path << folder_name
            matching_folders = folders.select { |f| get_folder_path(f, folders) == current_path.join("/") }
            current_folder = matching_folders.first if matching_folders.any?
          end
          if current_folder
            filter_conditions << "(Name == #{secret_name.shellescape.inspect} && FolderParentID == #{current_folder["id"].shellescape.inspect})"
          end
        else
          # for root level secrets (no folders)
          filter_conditions << "Name == #{secret_name.shellescape.inspect}"
        end
      end
      filter_condition = filter_conditions.any? ? "--filter '#{filter_conditions.join(" || ")}'" : ""
      items = `passbolt list resources #{filter_condition} #{folders.map { |item| "--folder #{item["id"]}" }.join(" ")} --json`
      raise RuntimeError, "Could not read #{secrets} from Passbolt" unless $?.success?
      items = JSON.parse(items)
      found_names = items.map { |item| item["name"] }
      missing_secrets = secret_names - found_names
      raise RuntimeError, "Could not find the following secrets in Passbolt: #{missing_secrets.join(", ")}" if missing_secrets.any?
      items.to_h { |item| [ item["name"], item["password"] ] }
    end
    def secrets_get_folders(secrets)
      # extract all folder paths (both parent and nested)
      folder_paths = secrets
        .select { |s| s.include?("/") }
        .map { |s| s.split("/")[0..-2] } # get all parts except the secret name
        .uniq
      return [] if folder_paths.empty?
      all_folders = []
      # first get all top-level folders
      parent_folders = folder_paths.map(&:first).uniq
      filter_condition = "--filter '#{parent_folders.map { |name| "Name == #{name.shellescape.inspect}" }.join(" || ")}'"
      fetch_folders = `passbolt list folders #{filter_condition} --json`
      raise RuntimeError, "Could not read folders from Passbolt" unless $?.success?
      parent_folder_items = JSON.parse(fetch_folders)
      all_folders.concat(parent_folder_items)
      # get nested folders for each parent
      folder_paths.each do |path|
        next if path.size <= 1 # skip non-nested folders
        parent = path[0]
        parent_folder = parent_folder_items.find { |f| f["name"] == parent }
        next unless parent_folder
        # for each nested level, get the folders using the parent's ID
        current_parent = parent_folder
        path[1..-1].each do |folder_name|
          filter_condition = "--filter 'Name == #{folder_name.shellescape.inspect} && FolderParentID == #{current_parent["id"].shellescape.inspect}'"
          fetch_nested = `passbolt list folders #{filter_condition} --json`
          next unless $?.success?
          nested_folders = JSON.parse(fetch_nested)
          break if nested_folders.empty?
          all_folders.concat(nested_folders)
          current_parent = nested_folders.first
        end
      end
      # check if we found all required folders
      found_paths = all_folders.map { |f| get_folder_path(f, all_folders) }
      missing_paths = folder_paths.map { |path| path.join("/") } - found_paths
      raise RuntimeError, "Could not find the following folders in Passbolt: #{missing_paths.join(", ")}" if missing_paths.any?
      all_folders
    end
    def get_folder_path(folder, all_folders, path = [])
      path.unshift(folder["name"])
      return path.join("/") if folder["folder_parent_id"].to_s.empty?
      parent = all_folders.find { |f| f["id"] == folder["folder_parent_id"] }
      return path.join("/") unless parent
      get_folder_path(parent, all_folders, path)
    end
    def check_dependencies!
      raise RuntimeError, "Passbolt CLI is not installed" unless cli_installed?
    end
    def cli_installed?
      `passbolt --version 2> /dev/null`
      $?.success?
    end
 end
--- a/lib/kamal/secrets/adapters/test.rb
+++ b/lib/kamal/secrets/adapters/test.rb
@@ -4,11 +4,7 @@ class Kamal::Secrets::Adapters::Test < Kamal::Secrets::Adapters::Base
      true
    end
-    def fetch_secrets(secrets, from:, account:, session:)
+    def fetch_secrets(secrets, account:, session:)
-      prefixed_secrets(secrets, from: from).to_h { |secret| [ secret, secret.reverse ] }
+      secrets.to_h { |secret| [ secret, secret.reverse ] }
    end
    def check_dependencies!
      # no op
    end
 end
--- a/lib/kamal/secrets/dotenv/inline_command_substitution.rb
+++ b/lib/kamal/secrets/dotenv/inline_command_substitution.rb
@@ -4,7 +4,7 @@ class Kamal::Secrets::Dotenv::InlineCommandSubstitution
      ::Dotenv::Parser.substitutions.map! { |sub| sub == ::Dotenv::Substitutions::Command ? self : sub }
    end
-    def call(value, env, overwrite: false)
+    def call(value, _env, overwrite: false)
      # Process interpolated shell commands
      value.gsub(Dotenv::Substitutions::Command.singleton_class::INTERPOLATED_SHELL_COMMAND) do |*|
        # Eliminate opening and closing parentheses
@@ -14,7 +14,6 @@ class Kamal::Secrets::Dotenv::InlineCommandSubstitution
          # Command is escaped, don't replace it.
          $LAST_MATCH_INFO[0][1..]
        else
          command = ::Dotenv::Substitutions::Variable.call(command, env)
          if command =~ /\A\s*kamal\s*secrets\s+/
            # Inline the command
            inline_secrets_command(command)
--- a/Show More
+++ b/Show More
		`@@ -1,3 +0,0 @@`
			`#!/bin/sh`

			`echo "Booted app version $KAMAL_VERSION on $KAMAL_HOSTS..."`
		`@@ -1,3 +0,0 @@`
			`#!/bin/sh`

			`echo "Booting app version $KAMAL_VERSION on $KAMAL_HOSTS..."`
`@@ -1,3 +1,3 @@`
	`#!/bin/sh`	`#!/bin/sh`

	`echo "Rebooting kamal-proxy on $KAMAL_HOSTS..."`	`echo "Rebooting Traefik on $KAMAL_HOSTS..."`