Bump version for 0.14.0

Only require secrets when mutating

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    mrsk (0.13.2)
+    mrsk (0.14.0)
       activesupport (>= 7.0)
       bcrypt_pbkdf (~> 1.0)
       dotenv (~> 2.8)

README.md

@@ -380,6 +380,16 @@ servers:
 
 That'll start the job containers with `docker run ... --cap-add --cpu-count 4 ...`.
 
+### Setting a minimum version
+
+You can set the minimum MRSK version with:
+
+```yaml
+minimum_version: 0.13.3
+```
+
+Note: versions <= 0.13.2 will ignore this setting.
+
 ### Configuring logging
 
 You can configure the logging driver and options passed to Docker using `logging`:
@@ -463,6 +473,37 @@ builder:
   context: ".."
 ```
 
+### Using multistage builder cache
+
+Docker multistage build cache can singlehandedly speed up your builds by a lot. Currently MRSK only supports using the GHA cache or the Registry cache:
+
+```yaml
+# Using GHA cache
+builder:
+  cache:
+    type: gha
+
+# Using Registry cache
+builder:
+  cache:
+    type: registry
+
+# Using Registry cache with different cache image
+builder:
+  cache:
+    type: registry
+    # default image name is <image>-build-cache
+    image: application-cache-image
+
+# Using Registry cache with additinonal cache-to options
+builder:
+  cache:
+    type: registry
+    options: mode=max,image-manifest=true,oci-mediatypes=true
+```
+
+For further insights into build cache optimization, check out documentation on Docker's official website: https://docs.docker.com/build/cache/.
+
 ### Using build secrets for new images
 
 Some images need a secret passed in during build time, like a GITHUB_TOKEN, to give access to private gem repositories. This can be done by having the secret in ENV, then referencing it in the builder configuration:

lib/mrsk/cli/accessory.rb

@@ -1,7 +1,7 @@
 class Mrsk::Cli::Accessory < Mrsk::Cli::Base
   desc "boot [NAME]", "Boot new accessory service on host (use NAME=all to boot all accessories)"
   def boot(name)
-    with_lock do
+    mutating do
       if name == "all"
         MRSK.accessory_names.each { |accessory_name| boot(accessory_name) }
       else
@@ -21,7 +21,7 @@ class Mrsk::Cli::Accessory < Mrsk::Cli::Base
 
   desc "upload [NAME]", "Upload accessory files to host", hide: true
   def upload(name)
-    with_lock do
+    mutating do
       with_accessory(name) do |accessory|
         on(accessory.hosts) do
           accessory.files.each do |(local, remote)|
@@ -38,7 +38,7 @@ class Mrsk::Cli::Accessory < Mrsk::Cli::Base
 
   desc "directories [NAME]", "Create accessory directories on host", hide: true
   def directories(name)
-    with_lock do
+    mutating do
       with_accessory(name) do |accessory|
         on(accessory.hosts) do
           accessory.directories.keys.each do |host_path|
@@ -51,7 +51,7 @@ class Mrsk::Cli::Accessory < Mrsk::Cli::Base
 
   desc "reboot [NAME]", "Reboot existing accessory on host (stop container, remove container, start new container)"
   def reboot(name)
-    with_lock do
+    mutating do
       with_accessory(name) do |accessory|
         stop(name)
         remove_container(name)
@@ -62,7 +62,7 @@ class Mrsk::Cli::Accessory < Mrsk::Cli::Base
 
   desc "start [NAME]", "Start existing accessory container on host"
   def start(name)
-    with_lock do
+    mutating do
       with_accessory(name) do |accessory|
         on(accessory.hosts) do
           execute *MRSK.auditor.record("Started #{name} accessory"), verbosity: :debug
@@ -74,7 +74,7 @@ class Mrsk::Cli::Accessory < Mrsk::Cli::Base
 
   desc "stop [NAME]", "Stop existing accessory container on host"
   def stop(name)
-    with_lock do
+    mutating do
       with_accessory(name) do |accessory|
         on(accessory.hosts) do
           execute *MRSK.auditor.record("Stopped #{name} accessory"), verbosity: :debug
@@ -86,7 +86,7 @@ class Mrsk::Cli::Accessory < Mrsk::Cli::Base
 
   desc "restart [NAME]", "Restart existing accessory container on host"
   def restart(name)
-    with_lock do
+    mutating do
       with_accessory(name) do
         stop(name)
         start(name)
@@ -165,7 +165,7 @@ class Mrsk::Cli::Accessory < Mrsk::Cli::Base
   desc "remove [NAME]", "Remove accessory container, image and data directory from host (use NAME=all to remove all accessories)"
   option :confirmed, aliases: "-y", type: :boolean, default: false, desc: "Proceed without confirmation question"
   def remove(name)
-    with_lock do
+    mutating do
       if name == "all"
         MRSK.accessory_names.each { |accessory_name| remove(accessory_name) }
       else
@@ -183,7 +183,7 @@ class Mrsk::Cli::Accessory < Mrsk::Cli::Base
 
   desc "remove_container [NAME]", "Remove accessory container from host", hide: true
   def remove_container(name)
-    with_lock do
+    mutating do
       with_accessory(name) do |accessory|
         on(accessory.hosts) do
           execute *MRSK.auditor.record("Remove #{name} accessory container"), verbosity: :debug
@@ -195,7 +195,7 @@ class Mrsk::Cli::Accessory < Mrsk::Cli::Base
 
   desc "remove_image [NAME]", "Remove accessory image from host", hide: true
   def remove_image(name)
-    with_lock do
+    mutating do
       with_accessory(name) do |accessory|
         on(accessory.hosts) do
           execute *MRSK.auditor.record("Removed #{name} accessory image"), verbosity: :debug
@@ -207,7 +207,7 @@ class Mrsk::Cli::Accessory < Mrsk::Cli::Base
 
   desc "remove_service_directory [NAME]", "Remove accessory directory used for uploaded files and data directories from host", hide: true
   def remove_service_directory(name)
-    with_lock do
+    mutating do
       with_accessory(name) do |accessory|
         on(accessory.hosts) do
           execute *accessory.remove_service_directory

lib/mrsk/cli/app.rb

@@ -1,7 +1,7 @@
 class Mrsk::Cli::App < Mrsk::Cli::Base
   desc "boot", "Boot app on servers (or reboot app if already running)"
   def boot
-    with_lock do
+    mutating do
       hold_lock_on_error do
         say "Get most recent version available as an image...", :magenta unless options[:version]
         using_version(version_or_latest) do |version|
@@ -43,7 +43,7 @@ class Mrsk::Cli::App < Mrsk::Cli::Base
 
   desc "start", "Start existing app container on servers"
   def start
-    with_lock do
+    mutating do
       on(MRSK.hosts) do |host|
         roles = MRSK.roles_on(host)
 
@@ -57,7 +57,7 @@ class Mrsk::Cli::App < Mrsk::Cli::Base
 
   desc "stop", "Stop app container on servers"
   def stop
-    with_lock do
+    mutating do
       on(MRSK.hosts) do |host|
         roles = MRSK.roles_on(host)
 
@@ -135,7 +135,7 @@ class Mrsk::Cli::App < Mrsk::Cli::Base
   desc "stale_containers", "Detect app stale containers"
   option :stop, aliases: "-s", type: :boolean, default: false, desc: "Stop the stale containers found"
   def stale_containers
-    with_lock do
+    mutating do
       stop = options[:stop]
 
       cli = self
@@ -202,7 +202,7 @@ class Mrsk::Cli::App < Mrsk::Cli::Base
 
   desc "remove", "Remove app containers and images from servers"
   def remove
-    with_lock do
+    mutating do
       stop
       remove_containers
       remove_images
@@ -211,7 +211,7 @@ class Mrsk::Cli::App < Mrsk::Cli::Base
 
   desc "remove_container [VERSION]", "Remove app container with given version from servers", hide: true
   def remove_container(version)
-    with_lock do
+    mutating do
       on(MRSK.hosts) do |host|
         roles = MRSK.roles_on(host)
 
@@ -225,7 +225,7 @@ class Mrsk::Cli::App < Mrsk::Cli::Base
 
   desc "remove_containers", "Remove all app containers from servers", hide: true
   def remove_containers
-    with_lock do
+    mutating do
       on(MRSK.hosts) do |host|
         roles = MRSK.roles_on(host)
 
@@ -239,7 +239,7 @@ class Mrsk::Cli::App < Mrsk::Cli::Base
 
   desc "remove_images", "Remove all app images from servers", hide: true
   def remove_images
-    with_lock do
+    mutating do
       on(MRSK.hosts) do
         execute *MRSK.auditor.record("Removed all app images"), verbosity: :debug
         execute *MRSK.app.remove_images

lib/mrsk/cli/base.rb

@@ -72,28 +72,28 @@ module Mrsk::Cli
         puts "  Finished all in #{sprintf("%.1f seconds", runtime)}"
       end
 
-      def with_lock
-        if MRSK.holding_lock?
+      def mutating
+        return yield if MRSK.holding_lock?
+
+        MRSK.config.ensure_env_available
+
+        run_hook "pre-connect"
+
+        acquire_lock
+
+        begin
           yield
-        else
-          run_hook "pre-connect"
-
-          acquire_lock
-
-          begin
-            yield
-          rescue
-            if MRSK.hold_lock_on_error?
-              error "  \e[31mDeploy lock was not released\e[0m"
-            else
-              release_lock
-            end
-
-            raise
+        rescue
+          if MRSK.hold_lock_on_error?
+            error "  \e[31mDeploy lock was not released\e[0m"
+          else
+            release_lock
           end
 
-          release_lock
+          raise
         end
+
+        release_lock
       end
 
       def acquire_lock

lib/mrsk/cli/build.rb

@@ -3,7 +3,7 @@ class Mrsk::Cli::Build < Mrsk::Cli::Base
 
   desc "deliver", "Build app and push app image to registry then pull image on servers"
   def deliver
-    with_lock do
+    mutating do
       push
       pull
     end
@@ -11,7 +11,7 @@ class Mrsk::Cli::Build < Mrsk::Cli::Base
 
   desc "push", "Build and push app image to registry"
   def push
-    with_lock do
+    mutating do
       cli = self
 
       verify_local_dependencies
@@ -37,7 +37,7 @@ class Mrsk::Cli::Build < Mrsk::Cli::Base
 
   desc "pull", "Pull app image from registry onto servers"
   def pull
-    with_lock do
+    mutating do
       on(MRSK.hosts) do
         execute *MRSK.auditor.record("Pulled image with version #{MRSK.config.version}"), verbosity: :debug
         execute *MRSK.builder.clean, raise_on_non_zero_exit: false
@@ -48,7 +48,7 @@ class Mrsk::Cli::Build < Mrsk::Cli::Base
 
   desc "create", "Create a build setup"
   def create
-    with_lock do
+    mutating do
       run_locally do
         begin
           debug "Using builder: #{MRSK.builder.name}"
@@ -67,7 +67,7 @@ class Mrsk::Cli::Build < Mrsk::Cli::Base
 
   desc "remove", "Remove build setup"
   def remove
-    with_lock do
+    mutating do
       run_locally do
         debug "Using builder: #{MRSK.builder.name}"
         execute *MRSK.builder.remove

lib/mrsk/cli/main.rb

@@ -2,7 +2,7 @@ class Mrsk::Cli::Main < Mrsk::Cli::Base
   desc "setup", "Setup all accessories and deploy app to servers"
   def setup
     print_runtime do
-      with_lock do
+      mutating do
         invoke "mrsk:cli:server:bootstrap"
         invoke "mrsk:cli:accessory:boot", [ "all" ]
         deploy
@@ -14,7 +14,7 @@ class Mrsk::Cli::Main < Mrsk::Cli::Base
   option :skip_push, aliases: "-P", type: :boolean, default: false, desc: "Skip image build and push"
   def deploy
     runtime = print_runtime do
-      with_lock do
+      mutating do
         invoke_options = deploy_options
 
         say "Log into image registry...", :magenta
@@ -53,7 +53,7 @@ class Mrsk::Cli::Main < Mrsk::Cli::Base
   option :skip_push, aliases: "-P", type: :boolean, default: false, desc: "Skip image build and push"
   def redeploy
     runtime = print_runtime do
-      with_lock do
+      mutating do
         invoke_options = deploy_options
 
         if options[:skip_push]
@@ -83,7 +83,7 @@ class Mrsk::Cli::Main < Mrsk::Cli::Base
   def rollback(version)
     rolled_back = false
     runtime = print_runtime do
-      with_lock do
+      mutating do
         invoke_options = deploy_options
 
         MRSK.config.version = version
@@ -180,7 +180,7 @@ class Mrsk::Cli::Main < Mrsk::Cli::Base
   desc "remove", "Remove Traefik, app, accessories, and registry session from servers"
   option :confirmed, aliases: "-y", type: :boolean, default: false, desc: "Proceed without confirmation question"
   def remove
-    with_lock do
+    mutating do
       if options[:confirmed] || ask("This will remove all containers and images. Are you sure?", limited_to: %w( y N ), default: "N") == "y"
         invoke "mrsk:cli:traefik:remove", [], options.without(:confirmed)
         invoke "mrsk:cli:app:remove", [], options.without(:confirmed)

lib/mrsk/cli/prune.rb

@@ -1,7 +1,7 @@
 class Mrsk::Cli::Prune < Mrsk::Cli::Base
   desc "all", "Prune unused images and stopped containers"
   def all
-    with_lock do
+    mutating do
       containers
       images
     end
@@ -9,7 +9,7 @@ class Mrsk::Cli::Prune < Mrsk::Cli::Base
 
   desc "images", "Prune dangling images"
   def images
-    with_lock do
+    mutating do
       on(MRSK.hosts) do
         execute *MRSK.auditor.record("Pruned images"), verbosity: :debug
         execute *MRSK.prune.dangling_images
@@ -20,7 +20,7 @@ class Mrsk::Cli::Prune < Mrsk::Cli::Base
 
   desc "containers", "Prune all stopped containers, except the last 5"
   def containers
-    with_lock do
+    mutating do
       on(MRSK.hosts) do
         execute *MRSK.auditor.record("Pruned containers"), verbosity: :debug
         execute *MRSK.prune.containers

lib/mrsk/cli/templates/sample_hooks/pre-deploy.sample

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env ruby
 
 # A sample pre-deploy hook
 #
@@ -16,8 +16,6 @@
 # MRSK_ROLE (if set)
 # MRSK_DESTINATION (if set)
 
-#!/usr/bin/env ruby
-
 # Only check the build status for production deployments
 if ENV["MRSK_COMMAND"] == "rollback" || ENV["MRSK_DESTINATION"] != "production"
   exit 0
@@ -41,41 +39,70 @@ def exit_with_error(message)
   exit 1
 end
 
-def first_status_url(combined_status, state)
-  first_status = combined_status[:statuses].find { |status| status[:state] == state }
-  first_status && first_status[:target_url]
+class GithubStatusChecks
+  attr_reader :remote_url, :git_sha, :github_client, :combined_status
+
+  def initialize
+    @remote_url = `git config --get remote.origin.url`.strip.delete_prefix("https://github.com/")
+    @git_sha = `git rev-parse HEAD`.strip
+    @github_client = Octokit::Client.new(access_token: ENV["GITHUB_TOKEN"])
+    refresh!
+  end
+
+  def refresh!
+    @combined_status = github_client.combined_status(remote_url, git_sha)
+  end
+
+  def state
+    combined_status[:state]
+  end
+
+  def first_status_url
+    first_status = combined_status[:statuses].find { |status| status[:state] == state }
+    first_status && first_status[:target_url]
+  end
+
+  def complete_count
+    combined_status[:statuses].count { |status| status[:state] != "pending"}
+  end
+
+  def total_count
+    combined_status[:statuses].count
+  end
+
+  def current_status
+    if total_count > 0
+      "Completed #{complete_count}/#{total_count} checks, see #{first_status_url} ..."
+    else
+      "Build not started..."
+    end
+  end
 end
 
-remote_url = `git config --get remote.origin.url`.strip.delete_prefix("https://github.com/")
-git_sha = `git rev-parse HEAD`.strip
 
-repository = Octokit::Repository.from_url(remote_url)
-github_client = Octokit::Client.new(access_token: ENV["GITHUB_TOKEN"])
+$stdout.sync = true
+
+puts "Checking build status..."
 attempts = 0
+checks = GithubStatusChecks.new
 
 begin
   loop do
-    combined_status = github_client.combined_status(remote_url, git_sha)
-    state = combined_status[:state]
-    first_status_url = first_status_url(combined_status, state)
-
-    case state
+    case checks.state
     when "success"
-      puts "Build passed, see #{first_status_url}"
+      puts "Checks passed, see #{checks.first_status_url}"
       exit 0
     when "failure"
-      exit_with_error "Build failed, see #{first_status_url}"
+      exit_with_error "Checks failed, see #{checks.first_status_url}"
     when "pending"
       attempts += 1
     end
 
-    puts "Waiting #{ATTEMPTS_GAP} more seconds for build to complete#{", see #{first_status_url}" if first_status_url}..."
-
-    if attempts == MAX_ATTEMPTS
-      exit_with_error "Build status is still pending, gave up after #{MAX_ATTEMPTS * ATTEMPTS_GAP} seconds"
-    end
+    exit_with_error "Checks are still pending, gave up after #{MAX_ATTEMPTS * ATTEMPTS_GAP} seconds" if attempts == MAX_ATTEMPTS
 
+    puts checks.current_status
     sleep(ATTEMPTS_GAP)
+    checks.refresh!
   end
 rescue Octokit::NotFound
   exit_with_error "Build status could not be found"

lib/mrsk/cli/traefik.rb

@@ -1,7 +1,7 @@
 class Mrsk::Cli::Traefik < Mrsk::Cli::Base
   desc "boot", "Boot Traefik on servers"
   def boot
-    with_lock do
+    mutating do
       on(MRSK.traefik_hosts) do
         execute *MRSK.registry.login
         execute *MRSK.traefik.run, raise_on_non_zero_exit: false
@@ -11,7 +11,7 @@ class Mrsk::Cli::Traefik < Mrsk::Cli::Base
 
   desc "reboot", "Reboot Traefik on servers (stop container, remove container, start new container)"
   def reboot
-    with_lock do
+    mutating do
       stop
       remove_container
       boot
@@ -20,7 +20,7 @@ class Mrsk::Cli::Traefik < Mrsk::Cli::Base
 
   desc "start", "Start existing Traefik container on servers"
   def start
-    with_lock do
+    mutating do
       on(MRSK.traefik_hosts) do
         execute *MRSK.auditor.record("Started traefik"), verbosity: :debug
         execute *MRSK.traefik.start, raise_on_non_zero_exit: false
@@ -30,7 +30,7 @@ class Mrsk::Cli::Traefik < Mrsk::Cli::Base
 
   desc "stop", "Stop existing Traefik container on servers"
   def stop
-    with_lock do
+    mutating do
       on(MRSK.traefik_hosts) do
         execute *MRSK.auditor.record("Stopped traefik"), verbosity: :debug
         execute *MRSK.traefik.stop, raise_on_non_zero_exit: false
@@ -40,7 +40,7 @@ class Mrsk::Cli::Traefik < Mrsk::Cli::Base
 
   desc "restart", "Restart existing Traefik container on servers"
   def restart
-    with_lock do
+    mutating do
       stop
       start
     end
@@ -77,7 +77,7 @@ class Mrsk::Cli::Traefik < Mrsk::Cli::Base
 
   desc "remove", "Remove Traefik container and image from servers"
   def remove
-    with_lock do
+    mutating do
       stop
       remove_container
       remove_image
@@ -86,7 +86,7 @@ class Mrsk::Cli::Traefik < Mrsk::Cli::Base
 
   desc "remove_container", "Remove Traefik container from servers", hide: true
   def remove_container
-    with_lock do
+    mutating do
       on(MRSK.traefik_hosts) do
         execute *MRSK.auditor.record("Removed traefik container"), verbosity: :debug
         execute *MRSK.traefik.remove_container
@@ -96,7 +96,7 @@ class Mrsk::Cli::Traefik < Mrsk::Cli::Base
 
   desc "remove_image", "Remove Traefik image from servers", hide: true
   def remove_image
-    with_lock do
+    mutating do
       on(MRSK.traefik_hosts) do
         execute *MRSK.auditor.record("Removed traefik image"), verbosity: :debug
         execute *MRSK.traefik.remove_image

lib/mrsk/commands/base.rb

@@ -13,7 +13,11 @@ module Mrsk::Commands
 
     def run_over_ssh(*command, host:)
       "ssh".tap do |cmd|
-        cmd << " -J #{config.ssh_proxy.jump_proxies}" if config.ssh_proxy
+        if config.ssh_proxy && config.ssh_proxy.is_a?(Net::SSH::Proxy::Jump)
+          cmd << " -J #{config.ssh_proxy.jump_proxies}"
+        elsif config.ssh_proxy && config.ssh_proxy.is_a?(Net::SSH::Proxy::Command)
+          cmd << " -o ProxyCommand='#{config.ssh_proxy.command_line_template}'"
+        end
         cmd << " -t #{config.ssh_user}@#{host} '#{command.join(" ")}'"
       end
     end

lib/mrsk/commands/builder.rb

@@ -7,11 +7,13 @@ class Mrsk::Commands::Builder < Mrsk::Commands::Base
 
   def target
     case
-    when config.builder && config.builder["multiarch"] == false
+    when !config.builder.multiarch? && !config.builder.cached?
       native
-    when config.builder && config.builder["local"] && config.builder["remote"]
+    when !config.builder.multiarch? && config.builder.cached?
+      native_cached
+    when config.builder.local? && config.builder.remote?
       multiarch_remote
-    when config.builder && config.builder["remote"]
+    when config.builder.remote?
       native_remote
     else
       multiarch
@@ -22,6 +24,10 @@ class Mrsk::Commands::Builder < Mrsk::Commands::Base
     @native ||= Mrsk::Commands::Builder::Native.new(config)
   end
 
+  def native_cached
+    @native ||= Mrsk::Commands::Builder::Native::Cached.new(config)
+  end
+
   def native_remote
     @native ||= Mrsk::Commands::Builder::Native::Remote.new(config)
   end

lib/mrsk/commands/builder/base.rb

@@ -3,6 +3,7 @@ class Mrsk::Commands::Builder::Base < Mrsk::Commands::Base
   class BuilderError < StandardError; end
 
   delegate :argumentize, to: Mrsk::Utils
+  delegate :args, :secrets, :dockerfile, :local_arch, :local_host, :remote_arch, :remote_host, :cache_from, :cache_to, to: :builder_config
 
   def clean
     docker :image, :rm, "--force", config.absolute_image
@@ -13,11 +14,11 @@ class Mrsk::Commands::Builder::Base < Mrsk::Commands::Base
   end
 
   def build_options
-    [ *build_tags, *build_labels, *build_args, *build_secrets, *build_dockerfile ]
+    [ *build_tags, *build_cache, *build_labels, *build_args, *build_secrets, *build_dockerfile ]
   end
 
   def build_context
-    context
+    config.builder.context
   end
 
 
@@ -26,6 +27,13 @@ class Mrsk::Commands::Builder::Base < Mrsk::Commands::Base
       [ "-t", config.absolute_image, "-t", config.latest_image ]
     end
 
+    def build_cache
+      if cache_to && cache_from
+        ["--cache-to", cache_to,
+          "--cache-from", cache_from]
+      end
+    end
+
     def build_labels
       argumentize "--label", { service: config.service }
     end
@@ -46,19 +54,7 @@ class Mrsk::Commands::Builder::Base < Mrsk::Commands::Base
       end
     end
 
-    def args
-      (config.builder && config.builder["args"]) || {}
-    end
-
-    def secrets
-      (config.builder && config.builder["secrets"]) || []
-    end
-
-    def dockerfile
-      (config.builder && config.builder["dockerfile"]) || "Dockerfile"
-    end
-
-    def context
-      (config.builder && config.builder["context"]) || "."
+    def builder_config
+      config.builder
     end
 end

lib/mrsk/commands/builder/multiarch/remote.rb

@@ -22,17 +22,17 @@ class Mrsk::Commands::Builder::Multiarch::Remote < Mrsk::Commands::Builder::Mult
     end
 
     def create_local_buildx
-      docker :buildx, :create, "--name", builder_name, builder_name_with_arch(local["arch"]), "--platform", "linux/#{local["arch"]}"
+      docker :buildx, :create, "--name", builder_name, builder_name_with_arch(local_arch), "--platform", "linux/#{local_arch}"
     end
 
     def append_remote_buildx
-      docker :buildx, :create, "--append", "--name", builder_name, builder_name_with_arch(remote["arch"]), "--platform", "linux/#{remote["arch"]}"
+      docker :buildx, :create, "--append", "--name", builder_name, builder_name_with_arch(remote_arch), "--platform", "linux/#{remote_arch}"
     end
 
     def create_contexts
       combine \
-        create_context(local["arch"], local["host"]),
-        create_context(remote["arch"], remote["host"])
+        create_context(local_arch, local_host),
+        create_context(remote_arch, remote_host)
     end
 
     def create_context(arch, host)
@@ -41,19 +41,11 @@ class Mrsk::Commands::Builder::Multiarch::Remote < Mrsk::Commands::Builder::Mult
 
     def remove_contexts
       combine \
-        remove_context(local["arch"]),
-        remove_context(remote["arch"])
+        remove_context(local_arch),
+        remove_context(remote_arch)
     end
 
     def remove_context(arch)
       docker :context, :rm, builder_name_with_arch(arch)
     end
-
-    def local
-      config.builder["local"]
-    end
-
-    def remote
-      config.builder["remote"]
-    end
 end

lib/mrsk/commands/builder/native.rb

@@ -1,10 +1,10 @@
 class Mrsk::Commands::Builder::Native < Mrsk::Commands::Builder::Base
   def create
-    # No-op on native
+    # No-op on native without cache
   end
 
   def remove
-    # No-op on native
+    # No-op on native without cache
   end
 
   def push

lib/mrsk/commands/builder/native/cached.rb

@@ -0,0 +1,16 @@
+class Mrsk::Commands::Builder::Native::Cached < Mrsk::Commands::Builder::Native
+  def create
+    docker :buildx, :create, "--use", "--driver=docker-container"
+  end
+
+  def remove
+    docker :buildx, :rm, builder_name
+  end
+
+  def push
+    docker :buildx, :build,
+      "--push",
+      *build_options,
+      build_context
+  end
+end

lib/mrsk/commands/builder/native/remote.rb

@@ -28,29 +28,21 @@ class Mrsk::Commands::Builder::Native::Remote < Mrsk::Commands::Builder::Native
 
 
   private
-    def arch
-      config.builder["remote"]["arch"]
-    end
-
-    def host
-      config.builder["remote"]["host"]
-    end
-
     def builder_name
       "mrsk-#{config.service}-native-remote"
     end
 
     def builder_name_with_arch
-      "#{builder_name}-#{arch}"
+      "#{builder_name}-#{remote_arch}"
     end
 
     def platform
-      "linux/#{arch}"
+      "linux/#{remote_arch}"
     end
 
     def create_context
       docker :context, :create,
-        builder_name_with_arch, "--description", "'#{builder_name} #{arch} native host'", "--docker", "'host=#{host}'"
+        builder_name_with_arch, "--description", "'#{builder_name} #{remote_arch} native host'", "--docker", "'host=#{remote_host}'"
     end
 
     def remove_context

lib/mrsk/commands/traefik.rb

@@ -3,6 +3,9 @@ class Mrsk::Commands::Traefik < Mrsk::Commands::Base
 
   DEFAULT_IMAGE = "traefik:v2.9"
   CONTAINER_PORT = 80
+  DEFAULT_ARGS = {
+    'log.level' => 'DEBUG'
+  }
 
   def run
     docker :run, "--name traefik",
@@ -16,7 +19,6 @@ class Mrsk::Commands::Traefik < Mrsk::Commands::Base
       *docker_options_args,
       image,
       "--providers.docker",
-      "--log.level=DEBUG",
       *cmd_option_args
   end
 
@@ -86,9 +88,9 @@ class Mrsk::Commands::Traefik < Mrsk::Commands::Base
 
     def cmd_option_args
       if args = config.traefik["args"]
-        optionize args, with: "="
+        optionize DEFAULT_ARGS.merge(args), with: "="
       else
-        []
+        optionize DEFAULT_ARGS, with: "="
       end
     end
 

lib/mrsk/configuration.rb

@@ -6,7 +6,7 @@ require "erb"
 require "net/ssh/proxy/jump"
 
 class Mrsk::Configuration
-  delegate :service, :image, :servers, :env, :labels, :registry, :builder, :stop_wait_time, :hooks_path, to: :raw_config, allow_nil: true
+  delegate :service, :image, :servers, :env, :labels, :registry, :stop_wait_time, :hooks_path, to: :raw_config, allow_nil: true
   delegate :argumentize, :argumentize_env_with_secrets, :optionize, to: Mrsk::Utils
 
   attr_accessor :destination
@@ -165,8 +165,12 @@ class Mrsk::Configuration
     raw_config.readiness_delay || 7
   end
 
+  def minimum_version
+    raw_config.minimum_version
+  end
+
   def valid?
-    ensure_required_keys_present && ensure_env_available
+    ensure_required_keys_present && ensure_valid_mrsk_version
   end
 
 
@@ -182,7 +186,7 @@ class Mrsk::Configuration
       env_args: env_args,
       volume_args: volume_args,
       ssh_options: ssh_options,
-      builder: raw_config.builder,
+      builder: builder.to_h,
       accessories: raw_config.accessories,
       logging: logging_args,
       healthcheck: healthcheck
@@ -197,6 +201,18 @@ class Mrsk::Configuration
     raw_config.hooks_path || ".mrsk/hooks"
   end
 
+  def builder
+    Mrsk::Configuration::Builder.new(config: self)
+  end
+
+  # Will raise KeyError if any secret ENVs are missing
+  def ensure_env_available
+    env_args
+    roles.each(&:env_args)
+
+    true
+  end
+
   private
     # Will raise ArgumentError if any required config keys are missing
     def ensure_required_keys_present
@@ -221,14 +237,15 @@ class Mrsk::Configuration
       true
     end
 
-    # Will raise KeyError if any secret ENVs are missing
-    def ensure_env_available
-      env_args
-      roles.each(&:env_args)
+    def ensure_valid_mrsk_version
+      if minimum_version && Gem::Version.new(minimum_version) > Gem::Version.new(Mrsk::VERSION)
+        raise ArgumentError, "Current version is #{Mrsk::VERSION}, minimum required is #{minimum_version}"
+      end
 
       true
     end
 
+
     def role_names
       raw_config.servers.is_a?(Array) ? [ "web" ] : raw_config.servers.keys.sort
     end

lib/mrsk/configuration/builder.rb

@@ -0,0 +1,114 @@
+class Mrsk::Configuration::Builder
+  def initialize(config:)
+    @options = config.raw_config.builder || {}
+    @image = config.image
+    @server = config.registry["server"]
+
+    valid?
+  end
+
+  def to_h
+    @options
+  end
+
+  def multiarch?
+    @options["multiarch"] != false
+  end
+
+  def local?
+    !!@options["local"]
+  end
+
+  def remote?
+    !!@options["remote"]
+  end
+
+  def cached?
+    !!@options["cache"]
+  end
+
+  def args
+    @options["args"] || {}
+  end
+
+  def secrets
+    @options["secrets"] || []
+  end
+
+  def dockerfile
+    @options["dockerfile"] || "Dockerfile"
+  end
+
+  def context
+    @options["context"] || "."
+  end
+
+  def local_arch
+    @options["local"]["arch"] if local?
+  end
+
+  def local_host
+    @options["local"]["host"] if local?
+  end
+
+  def remote_arch
+    @options["remote"]["arch"] if remote?
+  end
+
+  def remote_host
+    @options["remote"]["host"] if remote?
+  end
+
+  def cache_from
+    if cached?
+      case @options["cache"]["type"]
+      when "gha"
+        cache_from_config_for_gha
+      when "registry"
+        cache_from_config_for_registry
+      end
+    end
+  end
+
+  def cache_to
+    if cached?
+      case @options["cache"]["type"]
+      when "gha"
+        cache_to_config_for_gha
+      when "registry"
+        cache_to_config_for_registry
+      end
+    end
+  end
+
+  private
+    def valid?
+      if @options["local"] && !@options["remote"]
+        raise ArgumentError, "You must specify both local and remote builder config for remote multiarch builds"
+      end
+
+      if @options["cache"] && @options["cache"]["type"]
+        raise ArgumentError, "Invalid cache type: #{@options["cache"]["type"]}" unless ["gha", "registry"].include?(@options["cache"]["type"])
+      end
+    end
+
+    def cache_image
+      @options["cache"]&.fetch("image", nil) || "#{@image}-build-cache"
+    end
+
+    def cache_from_config_for_gha
+      "type=gha"
+    end
+
+    def cache_from_config_for_registry
+      [ "type=registry", "ref=#{@server}/#{cache_image}" ].compact.join(",")
+    end
+
+    def cache_to_config_for_gha
+      [ "type=gha", @options["cache"]&.fetch("options", nil)].compact.join(",")
+    end
+
+    def cache_to_config_for_registry
+      [ "type=registry", @options["cache"]&.fetch("options", nil), "ref=#{@server}/#{cache_image}" ].compact.join(",")
+    end
+end

lib/mrsk/version.rb

@@ -1,3 +1,3 @@
 module Mrsk
-  VERSION = "0.13.2"
+  VERSION = "0.14.0"
 end

test/cli/main_test.rb

@@ -116,6 +116,12 @@ class CliMainTest < CliTestCase
     end
   end
 
+  test "deploy with missing secrets" do
+    assert_raises(KeyError) do
+      run_command("deploy", config_file: "deploy_with_secrets")
+    end
+  end
+
   test "redeploy" do
     invoke_options = { "config_file" => "test/fixtures/deploy_simple.yml", "version" => "999", "skip_hooks" => false }
 

test/cli/traefik_test.rb

@@ -4,7 +4,7 @@ class CliTraefikTest < CliTestCase
   test "boot" do
     run_command("boot").tap do |output|
       assert_match "docker login", output
-      assert_match "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" #{Mrsk::Commands::Traefik::DEFAULT_IMAGE} --providers.docker --log.level=DEBUG", output
+      assert_match "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" #{Mrsk::Commands::Traefik::DEFAULT_IMAGE} --providers.docker --log.level=\"DEBUG\"", output
     end
   end
 

test/commands/app_test.rb

@@ -211,6 +211,10 @@ class CommandsAppTest < ActiveSupport::TestCase
     assert_equal "ssh -J root@2.2.2.2 -t app@1.1.1.1 'ls'", new_command.run_over_ssh("ls", host: "1.1.1.1")
   end
 
+  test "run over ssh with proxy_command" do
+    @config[:ssh] = { "proxy_command" => "ssh -W %h:%p user@proxy-server" }
+    assert_equal "ssh -o ProxyCommand='ssh -W %h:%p user@proxy-server' -t root@1.1.1.1 'ls'", new_command.run_over_ssh("ls", host: "1.1.1.1")
+  end
 
   test "current_running_container_id" do
     assert_equal \

test/commands/builder_test.rb

@@ -6,10 +6,10 @@ class CommandsBuilderTest < ActiveSupport::TestCase
   end
 
   test "target multiarch by default" do
-    builder = new_builder_command
+    builder = new_builder_command(builder: { "cache" => { "type" => "gha" }})
     assert_equal "multiarch", builder.name
     assert_equal \
-      "docker buildx build --push --platform linux/amd64,linux/arm64 --builder mrsk-app-multiarch -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile .",
+      "docker buildx build --push --platform linux/amd64,linux/arm64 --builder mrsk-app-multiarch -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile .",
       builder.push.join(" ")
   end
 
@@ -21,19 +21,27 @@ class CommandsBuilderTest < ActiveSupport::TestCase
       builder.push.join(" ")
   end
 
+  test "target native cached when multiarch is off and cache is set" do
+    builder = new_builder_command(builder: { "multiarch" => false, "cache" => { "type" => "gha" }})
+    assert_equal "native/cached", builder.name
+    assert_equal \
+      "docker buildx build --push -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile .",
+      builder.push.join(" ")
+  end
+
   test "target multiarch remote when local and remote is set" do
-    builder = new_builder_command(builder: { "local" => { }, "remote" => { } })
+    builder = new_builder_command(builder: { "local" => { }, "remote" => { }, "cache" => { "type" => "gha" } })
     assert_equal "multiarch/remote", builder.name
     assert_equal \
-      "docker buildx build --push --platform linux/amd64,linux/arm64 --builder mrsk-app-multiarch-remote -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile .",
+      "docker buildx build --push --platform linux/amd64,linux/arm64 --builder mrsk-app-multiarch-remote -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile .",
       builder.push.join(" ")
   end
 
   test "target native remote when only remote is set" do
-    builder = new_builder_command(builder: { "remote" => { "arch" => "amd64" } })
+    builder = new_builder_command(builder: { "remote" => { "arch" => "amd64" }, "cache" => { "type" => "gha" } })
     assert_equal "native/remote", builder.name
     assert_equal \
-      "docker buildx build --push --platform linux/amd64 --builder mrsk-app-native-remote -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile .",
+      "docker buildx build --push --platform linux/amd64 --builder mrsk-app-native-remote -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile .",
       builder.push.join(" ")
   end
 

test/commands/traefik_test.rb

@@ -18,67 +18,67 @@ class CommandsTraefikTest < ActiveSupport::TestCase
 
   test "run" do
     assert_equal \
-      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" #{@image} --providers.docker --log.level=DEBUG --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
+      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" #{@image} --providers.docker --log.level=\"DEBUG\" --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
       new_command.run.join(" ")
 
     @config[:traefik]["host_port"] = "8080"
     assert_equal \
-      "docker run --name traefik --detach --restart unless-stopped --publish 8080:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" #{@image} --providers.docker --log.level=DEBUG --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
+      "docker run --name traefik --detach --restart unless-stopped --publish 8080:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" #{@image} --providers.docker --log.level=\"DEBUG\" --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
       new_command.run.join(" ")
   end
 
   test "run with ports configured" do
     assert_equal \
-      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" #{@image} --providers.docker --log.level=DEBUG --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
+      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" #{@image} --providers.docker --log.level=\"DEBUG\" --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
       new_command.run.join(" ")
 
     @config[:traefik]["options"] = {"publish" => %w[9000:9000 9001:9001]}
     assert_equal \
-      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" --publish \"9000:9000\" --publish \"9001:9001\" #{@image} --providers.docker --log.level=DEBUG --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
+      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" --publish \"9000:9000\" --publish \"9001:9001\" #{@image} --providers.docker --log.level=\"DEBUG\" --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
       new_command.run.join(" ")
   end
 
   test "run with volumes configured" do
     assert_equal \
-      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" #{@image} --providers.docker --log.level=DEBUG --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
+      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" #{@image} --providers.docker --log.level=\"DEBUG\" --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
       new_command.run.join(" ")
 
     @config[:traefik]["options"] = {"volume" => %w[./letsencrypt/acme.json:/letsencrypt/acme.json] }
     assert_equal \
-      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" --volume \"./letsencrypt/acme.json:/letsencrypt/acme.json\" #{@image} --providers.docker --log.level=DEBUG --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
+      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" --volume \"./letsencrypt/acme.json:/letsencrypt/acme.json\" #{@image} --providers.docker --log.level=\"DEBUG\" --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
       new_command.run.join(" ")
   end
 
   test "run with several options configured" do
     assert_equal \
-      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" #{@image} --providers.docker --log.level=DEBUG --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
+      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" #{@image} --providers.docker --log.level=\"DEBUG\" --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
       new_command.run.join(" ")
 
     @config[:traefik]["options"] = {"volume" => %w[./letsencrypt/acme.json:/letsencrypt/acme.json], "publish" => %w[8080:8080], "memory" => "512m"}
     assert_equal \
-      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" --volume \"./letsencrypt/acme.json:/letsencrypt/acme.json\" --publish \"8080:8080\" --memory \"512m\" #{@image} --providers.docker --log.level=DEBUG --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
+      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" --volume \"./letsencrypt/acme.json:/letsencrypt/acme.json\" --publish \"8080:8080\" --memory \"512m\" #{@image} --providers.docker --log.level=\"DEBUG\" --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
       new_command.run.join(" ")
   end
 
   test "run with labels configured" do
     assert_equal \
-      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" #{@image} --providers.docker --log.level=DEBUG --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
+      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" #{@image} --providers.docker --log.level=\"DEBUG\" --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
       new_command.run.join(" ")
 
     @config[:traefik]["labels"] = { "traefik.http.routers.dashboard.service" => "api@internal", "traefik.http.routers.dashboard.middlewares" => "auth" }
     assert_equal \
-      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" --label traefik.http.routers.dashboard.service=\"api@internal\" --label traefik.http.routers.dashboard.middlewares=\"auth\" #{@image} --providers.docker --log.level=DEBUG --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
+      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" --label traefik.http.routers.dashboard.service=\"api@internal\" --label traefik.http.routers.dashboard.middlewares=\"auth\" #{@image} --providers.docker --log.level=\"DEBUG\" --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
       new_command.run.join(" ")
   end
 
   test "run with env configured" do
     assert_equal \
-      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" #{@image} --providers.docker --log.level=DEBUG --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
+      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" #{@image} --providers.docker --log.level=\"DEBUG\" --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
       new_command.run.join(" ")
 
     @config[:traefik]["env"] = { "secret" => %w[EXAMPLE_API_KEY] }
     assert_equal \
-      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock -e EXAMPLE_API_KEY=\"456\" --log-opt max-size=\"10m\" #{@image} --providers.docker --log.level=DEBUG --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
+      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock -e EXAMPLE_API_KEY=\"456\" --log-opt max-size=\"10m\" #{@image} --providers.docker --log.level=\"DEBUG\" --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
       new_command.run.join(" ")
   end
 
@@ -86,7 +86,7 @@ class CommandsTraefikTest < ActiveSupport::TestCase
     @config.delete(:traefik)
 
     assert_equal \
-      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" #{Mrsk::Commands::Traefik::DEFAULT_IMAGE} --providers.docker --log.level=DEBUG",
+      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" #{Mrsk::Commands::Traefik::DEFAULT_IMAGE} --providers.docker --log.level=\"DEBUG\"",
       new_command.run.join(" ")
   end
 
@@ -94,7 +94,15 @@ class CommandsTraefikTest < ActiveSupport::TestCase
     @config[:logging] = { "driver" => "local", "options" => { "max-size" => "100m", "max-file" => "3" } }
 
     assert_equal \
-      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-driver \"local\" --log-opt max-size=\"100m\" --log-opt max-file=\"3\" #{@image} --providers.docker --log.level=DEBUG --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
+      "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-driver \"local\" --log-opt max-size=\"100m\" --log-opt max-file=\"3\" #{@image} --providers.docker --log.level=\"DEBUG\" --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
+      new_command.run.join(" ")
+  end
+
+  test "run with default args overriden" do
+    @config[:traefik]["args"]["log.level"] = "ERROR"
+
+    assert_equal \
+    "docker run --name traefik --detach --restart unless-stopped --publish 80:80 --volume /var/run/docker.sock:/var/run/docker.sock --log-opt max-size=\"10m\" #{@image} --providers.docker --log.level=\"ERROR\" --accesslog.format=\"json\" --api.insecure --metrics.prometheus.buckets=\"0.1,0.3,1.2,5.0\"",
       new_command.run.join(" ")
   end
 

test/configuration/builder_test.rb

@@ -0,0 +1,151 @@
+require "test_helper"
+
+class ConfigurationBuilderTest < ActiveSupport::TestCase
+  setup do
+    @deploy = {
+      service: "app", image: "dhh/app", registry: { "username" => "dhh", "password" => "secret" },
+      servers: [ "1.1.1.1" ]
+    }
+
+    @config = Mrsk::Configuration.new(@deploy)
+
+    @deploy_with_builder_option = {
+      service: "app", image: "dhh/app", registry: { "username" => "dhh", "password" => "secret" },
+      servers: [ "1.1.1.1" ],
+      builder: {}
+    }
+
+    @config_with_builder_option = Mrsk::Configuration.new(@deploy_with_builder_option)
+  end
+
+  test "multiarch?" do
+    assert_equal true, @config.builder.multiarch?
+  end
+
+  test "setting multiarch to false" do
+    @deploy_with_builder_option[:builder] = { "multiarch" => false }
+
+    assert_equal false, @config_with_builder_option.builder.multiarch?
+  end
+
+  test "local?" do
+    assert_equal false, @config.builder.local?
+  end
+
+  test "remote?" do
+    assert_equal false, @config.builder.remote?
+  end
+
+  test "remote_arch" do
+    assert_nil @config.builder.remote_arch
+  end
+
+  test "remote_host" do
+    assert_nil @config.builder.remote_host
+  end
+
+  test "remote config is missing when local is specified" do
+    @deploy_with_builder_option[:builder] = { "local" => { "arch" => "arm64", "host" => "unix:///Users/<%= `whoami`.strip %>/.docker/run/docker.sock" } }
+
+    assert_raises(ArgumentError) do
+      @config_with_builder_option.builder
+    end
+  end
+
+  test "setting both local and remote configs" do
+    @deploy_with_builder_option[:builder] = {
+      "local" => { "arch" => "arm64", "host" => "unix:///Users/<%= `whoami`.strip %>/.docker/run/docker.sock" },
+      "remote" => { "arch" => "amd64", "host" => "ssh://root@192.168.0.1" }
+    }
+
+    assert_equal true, @config_with_builder_option.builder.local?
+    assert_equal true, @config_with_builder_option.builder.remote?
+
+    assert_equal "amd64", @config_with_builder_option.builder.remote_arch
+    assert_equal "ssh://root@192.168.0.1", @config_with_builder_option.builder.remote_host
+
+    assert_equal "arm64", @config_with_builder_option.builder.local_arch
+    assert_equal "unix:///Users/<%= `whoami`.strip %>/.docker/run/docker.sock", @config_with_builder_option.builder.local_host
+  end
+
+  test "cached?" do
+    assert_equal false, @config.builder.cached?
+  end
+
+  test "invalid cache type specified" do
+    @deploy_with_builder_option[:builder] = { "cache" => { "type" => "invalid" } }
+
+    assert_raises(ArgumentError) do
+      @config_with_builder_option.builder
+    end
+  end
+
+  test "cache_from" do
+    assert_nil @config.builder.cache_from
+  end
+
+  test "cache_to" do
+    assert_nil @config.builder.cache_to
+  end
+
+  test "setting gha cache" do
+    @deploy_with_builder_option[:builder] = { "cache" => { "type" => "gha", "options" => "mode=max" } }
+
+    assert_equal "type=gha", @config_with_builder_option.builder.cache_from
+    assert_equal "type=gha,mode=max", @config_with_builder_option.builder.cache_to
+  end
+
+  test "setting registry cache" do
+    @deploy_with_builder_option[:builder] = { "cache" => { "type" => "registry", "options" => "mode=max,image-manifest=true,oci-mediatypes=true" } }
+
+    assert_equal "type=registry,ref=/dhh/app-build-cache", @config_with_builder_option.builder.cache_from
+    assert_equal "type=registry,mode=max,image-manifest=true,oci-mediatypes=true,ref=/dhh/app-build-cache", @config_with_builder_option.builder.cache_to
+  end
+
+  test "setting registry cache with image" do
+    @deploy_with_builder_option[:builder] = { "cache" => { "type" => "registry", "image" => "mrsk", "options" => "mode=max" } }
+
+    assert_equal "type=registry,ref=/mrsk", @config_with_builder_option.builder.cache_from
+    assert_equal "type=registry,mode=max,ref=/mrsk", @config_with_builder_option.builder.cache_to
+  end
+
+  test "args" do
+    assert_equal({}, @config.builder.args)
+  end
+
+  test "setting args" do
+    @deploy_with_builder_option[:builder] = { "args" => { "key" => "value" } }
+
+    assert_equal({ "key" => "value" }, @config_with_builder_option.builder.args)
+  end
+
+  test "secrets" do
+    assert_equal [], @config.builder.secrets
+  end
+
+  test "setting secrets" do
+    @deploy_with_builder_option[:builder] = { "secrets" => ["GITHUB_TOKEN"] }
+
+    assert_equal ["GITHUB_TOKEN"], @config_with_builder_option.builder.secrets
+  end
+
+  test "dockerfile" do
+    assert_equal "Dockerfile", @config.builder.dockerfile
+  end
+
+  test "setting dockerfile" do
+    @deploy_with_builder_option[:builder] = { "dockerfile" => "Dockerfile.dev" }
+
+    assert_equal "Dockerfile.dev", @config_with_builder_option.builder.dockerfile
+  end
+
+  test "context" do
+    assert_equal ".", @config.builder.context
+  end
+
+  test "setting context" do
+    @deploy_with_builder_option[:builder] = { "context" => ".." }
+
+    assert_equal "..", @config_with_builder_option.builder.context
+  end
+end

test/configuration_test.rb

@@ -166,7 +166,7 @@ class ConfigurationTest < ActiveSupport::TestCase
     assert_raises(KeyError) do
       config = Mrsk::Configuration.new(@deploy.tap { |c| c.merge!({
         env: { "secret" => [ "PASSWORD" ] }
-      }) })
+      }) }).ensure_env_available
     end
   end
 
@@ -266,6 +266,22 @@ class ConfigurationTest < ActiveSupport::TestCase
   end
 
   test "to_h" do
-    assert_equal({ :roles=>["web"], :hosts=>["1.1.1.1", "1.1.1.2"], :primary_host=>"1.1.1.1", :version=>"missing", :repository=>"dhh/app", :absolute_image=>"dhh/app:missing", :service_with_version=>"app-missing", :env_args=>["-e", "REDIS_URL=\"redis://x/y\""], :ssh_options=>{:user=>"root", :auth_methods=>["publickey"]}, :volume_args=>["--volume", "/local/path:/container/path"], :logging=>["--log-opt", "max-size=\"10m\""], :healthcheck=>{"path"=>"/up", "port"=>3000, "max_attempts" => 7 }}, @config.to_h)
+    assert_equal({ :roles=>["web"], :hosts=>["1.1.1.1", "1.1.1.2"], :primary_host=>"1.1.1.1", :version=>"missing", :repository=>"dhh/app", :absolute_image=>"dhh/app:missing", :service_with_version=>"app-missing", :env_args=>["-e", "REDIS_URL=\"redis://x/y\""], :ssh_options=>{:user=>"root", :auth_methods=>["publickey"]}, :volume_args=>["--volume", "/local/path:/container/path"], :builder=>{}, :logging=>["--log-opt", "max-size=\"10m\""], :healthcheck=>{"path"=>"/up", "port"=>3000, "max_attempts" => 7 }}, @config.to_h)
+  end
+
+  test "min version is lower" do
+    config = Mrsk::Configuration.new(@deploy.tap { |c| c.merge!(minimum_version: "0.0.1") })
+    assert_equal "0.0.1", config.minimum_version
+  end
+
+  test "min version is equal" do
+    config = Mrsk::Configuration.new(@deploy.tap { |c| c.merge!(minimum_version: Mrsk::VERSION) })
+    assert_equal Mrsk::VERSION, config.minimum_version
+  end
+
+  test "min version is higher" do
+    assert_raises(ArgumentError) do
+      Mrsk::Configuration.new(@deploy.tap { |c| c.merge!(minimum_version: "10000.0.0") })
+    end
   end
 end

test/fixtures/deploy_with_secrets.yml

@@ -0,0 +1,11 @@
+service: app
+image: dhh/app
+servers:
+  - "1.1.1.1"
+  - "1.1.1.2"
+registry:
+  username: user
+  password: pw
+env:
+  secret:
+    - PASSWORD

test/integration/docker/deployer/Dockerfile

@@ -17,6 +17,7 @@ RUN apt-get update --fix-missing && apt-get install -y docker-ce docker-ce-cli c
 COPY *.sh .
 COPY app/ .
 
+RUN rm -rf /root/.ssh
 RUN ln -s /shared/ssh /root/.ssh
 RUN mkdir -p /etc/docker/certs.d/registry:4443 && ln -s /shared/certs/domain.crt /etc/docker/certs.d/registry:4443/ca.crt
 

test/integration/integration_test.rb

@@ -10,6 +10,13 @@ class IntegrationTest < ActiveSupport::TestCase
   end
 
   teardown do
+    unless passed?
+      [:deployer, :vm1, :vm2, :shared, :load_balancer].each do |container|
+        puts
+        puts "Logs for #{container}:"
+        docker_compose :logs, container
+      end
+    end
     docker_compose "down -t 1"
   end