SSH proxy: allow using a bare hostname without root@

Otherwise we can't connect to the proxy as the local user and we can't
use ~/.ssh/config to set User directives.

Defaulting to root@ is hard to deprecate without introducing new config.
A clean break is probably clearest.

.github/workflows/ci.yml

@@ -30,6 +30,9 @@ jobs:
         gemfile:
           - Gemfile
           - gemfiles/rails_edge.gemfile
+        exclude:
+          - ruby-version: "3.1"
+            gemfile: gemfiles/rails_edge.gemfile
     name: ${{ format('Tests (Ruby {0})', matrix.ruby-version) }}
     runs-on: ubuntu-latest
     continue-on-error: true

Dockerfile

@@ -33,7 +33,7 @@ WORKDIR /workdir
 
 # Tell git it's safe to access /workdir/.git even if
 # the directory is owned by a different user
-RUN git config --global --add safe.directory /workdir
+RUN git config --global --add safe.directory '*'
 
 # Set the entrypoint to run the installed binary in /workdir
 # Example:  docker run -it -v "$PWD:/workdir" kamal init

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    kamal (2.0.0.rc4)
+    kamal (2.1.1)
       activesupport (>= 7.0)
       base64 (~> 0.2)
       bcrypt_pbkdf (~> 1.0)

bin/docs

@@ -30,6 +30,7 @@ DOCS = {
   "ssh" => "SSH",
   "sshkit" => "SSHKit"
 }
+DOCS_PATH = "lib/kamal/configuration/docs"
 
 class DocWriter
   attr_reader :from_file, :to_file, :key, :heading, :body, :output, :in_yaml
@@ -70,6 +71,7 @@ class DocWriter
             generate_line(line, heading: place == :new_section)
             place = :in_section
           else
+            output.puts
             output.puts "```yaml"
             output.puts line
             place = :in_yaml
@@ -77,6 +79,7 @@ class DocWriter
         when :in_yaml, :in_empty_line_yaml
           if line =~ /^ *#/
             output.puts "```"
+            output.puts
             generate_line(line, heading: place == :in_empty_line_yaml)
             place = :in_section
           elsif line.empty?
@@ -92,11 +95,12 @@ class DocWriter
 
     def generate_header
       output.puts "---"
+      output.puts "# This file has been generated from the Kamal source, do not edit directly."
+      output.puts "# Find the source of this file at #{DOCS_PATH}/#{key}.yml in the Kamal repository."
       output.puts "title: #{heading[2..-1]}"
       output.puts "---"
       output.puts
       output.puts heading
-      output.puts
     end
 
     def generate_line(line, heading: false)
@@ -118,7 +122,11 @@ class DocWriter
     end
 
     def linkify(text)
-      text.downcase.gsub(" ", "-")
+      if text == "Configuration overview"
+        "overview"
+      else
+        text.downcase.gsub(" ", "-")
+      end
     end
 
     def titlify(text)
@@ -126,10 +134,8 @@ class DocWriter
     end
 end
 
-from_dir = File.join(File.dirname(__FILE__), "../lib/kamal/configuration/docs")
+from_dir = File.join(File.dirname(__FILE__), "../#{DOCS_PATH}")
 to_dir = File.join(kamal_site_repo, "docs/configuration")
 Dir.glob("#{from_dir}/*") do |from_file|
-  key = File.basename(from_file, ".yml")
-
   DocWriter.new(from_file, to_dir).write
 end

lib/kamal/cli/app.rb

@@ -68,7 +68,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
             version = capture_with_info(*app.current_running_version, raise_on_non_zero_exit: false).strip
             endpoint = capture_with_info(*app.container_id_for_version(version)).strip
             if endpoint.present?
-              execute *app.remove(target: endpoint), raise_on_non_zero_exit: false
+              execute *app.remove, raise_on_non_zero_exit: false
             end
           end
 
@@ -203,7 +203,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
       run_locally do
         info "Following logs on #{KAMAL.primary_host}..."
 
-        KAMAL.specific_roles ||= [ "web" ]
+        KAMAL.specific_roles ||= [ KAMAL.primary_role.name ]
         role = KAMAL.roles_on(KAMAL.primary_host).first
 
         app = KAMAL.app(role: role, host: host)

lib/kamal/cli/secrets.rb

@@ -21,6 +21,13 @@ class Kamal::Cli::Secrets < Kamal::Cli::Base
     return_or_puts value, inline: options[:inline]
   end
 
+  desc "print", "Print the secrets (for debugging)"
+  def print
+    KAMAL.config.secrets.to_h.each do |key, value|
+      puts "#{key}=#{value}"
+    end
+  end
+
   private
     def adapter(adapter)
       Kamal::Secrets::Adapters.lookup(adapter)

lib/kamal/cli/templates/deploy.yml

@@ -18,6 +18,8 @@ servers:
 proxy:
   ssl: true
   host: app.example.com
+  # kamal-proxy connects to your container over port 80, use `app_port` to specify a different port.
+  # app_port: 3000
 
 # Credentials for your image host.
 registry:

lib/kamal/commander/specifics.rb

@@ -43,7 +43,12 @@ class Kamal::Commander::Specifics
     end
 
     def specified_hosts
-      (specific_hosts || config.all_hosts) \
+      specified_hosts = specific_hosts || config.all_hosts
-        .select { |host| (specific_roles || config.roles).flat_map(&:hosts).include?(host) }
+
+      if (specific_role_hosts = specific_roles&.flat_map(&:hosts)).present?
+        specified_hosts.select { |host| specific_role_hosts.include?(host) }
+      else
+        specified_hosts
+      end
     end
 end

lib/kamal/commands/app/proxy.rb

@@ -5,8 +5,8 @@ module Kamal::Commands::App::Proxy
     proxy_exec :deploy, role.container_prefix, *role.proxy.deploy_command_args(target: target)
   end
 
-  def remove(target:)
+  def remove
-    proxy_exec :remove, role.container_prefix, *role.proxy.remove_command_args(target: target)
+    proxy_exec :remove, role.container_prefix
   end
 
   private

lib/kamal/configuration.rb

@@ -14,12 +14,14 @@ class Kamal::Configuration
 
   include Validation
 
-  PROXY_MINIMUM_VERSION = "v0.6.0"
+  PROXY_MINIMUM_VERSION = "v0.7.0"
   PROXY_HTTP_PORT = 80
   PROXY_HTTPS_PORT = 443
 
   class << self
     def create_from(config_file:, destination: nil, version: nil)
+      ENV["KAMAL_DESTINATION"] = destination
+
       raw_config = load_config_files(config_file, *destination_config_file(config_file, destination))
 
       new raw_config, destination: destination, version: version
@@ -360,7 +362,7 @@ class Kamal::Configuration
     end
 
     def ensure_unique_hosts_for_ssl_roles
-      hosts = roles.select(&:ssl?).map { |role| role.proxy.host }
+      hosts = roles.select(&:ssl?).flat_map { |role| role.proxy.hosts }
       duplicates = hosts.tally.filter_map { |host, count| host if count > 1 }
 
       raise Kamal::ConfigurationError, "Different roles can't share the same host for SSL: #{duplicates.join(", ")}" if duplicates.any?

lib/kamal/configuration/docs/accessory.yml

@@ -3,32 +3,32 @@
 # Accessories can be booted on a single host, a list of hosts, or on specific roles.
 # The hosts do not need to be defined in the Kamal servers configuration.
 #
-# Accessories are managed separately from the main service - they are not updated
+# Accessories are managed separately from the main service — they are not updated
-# when you deploy and they do not have zero-downtime deployments.
+# when you deploy, and they do not have zero-downtime deployments.
 #
 # Run `kamal accessory boot <accessory>` to boot an accessory.
 # See `kamal accessory --help` for more information.
 
 # Configuring accessories
 #
-# First define the accessory in the `accessories`
+# First, define the accessory in the `accessories`:
 accessories:
   mysql:
 
     # Service name
     #
-    # This is used in the service label and defaults to `<service>-<accessory>`
+    # This is used in the service label and defaults to `<service>-<accessory>`,
-    # where `<service>` is the main service name from the root configuration
+    # where `<service>` is the main service name from the root configuration:
     service: mysql
 
     # Image
     #
-    # The Docker image to use, prefix with a registry if not using Docker hub
+    # The Docker image to use, prefix it with a registry if not using Docker Hub:
     image: mysql:8.0
 
     # Accessory hosts
     #
-    # Specify one  of `host`, `hosts` or `roles`
+    # Specify one of `host`, `hosts`, or `roles`:
     host: mysql-db1
     hosts:
       - mysql-db1
@@ -38,12 +38,12 @@ accessories:
 
     # Custom command
     #
-    # You can set a custom command to run in the container, if you do not want to use the default
+    # You can set a custom command to run in the container if you do not want to use the default:
     cmd: "bin/mysqld"
 
     # Port mappings
     #
-    # See https://docs.docker.com/network/, especially note the warning about the security
+    # See https://docs.docker.com/network/, and especially note the warning about the security
     # implications of exposing ports publicly.
     port: "127.0.0.1:3306:3306"
 
@@ -52,20 +52,22 @@ accessories:
       app: myapp
 
     # Options
-    # These are passed to the Docker run command in the form `--<name> <value>`
+    #
+    # These are passed to the Docker run command in the form `--<name> <value>`:
     options:
       restart: always
       cpus: 2
 
     # Environment variables
-    # See kamal docs env for more information
+    #
+    # See kamal docs env for more information:
     env:
       ...
 
     # Copying files
     #
     # You can specify files to mount into the container.
-    # The format is `local:remote` where `local` is the path to the file on the local machine
+    # The format is `local:remote`, where `local` is the path to the file on the local machine
     # and `remote` is the path to the file in the container.
     #
     # They will be uploaded from the local repo to the host and then mounted.
@@ -78,13 +80,13 @@ accessories:
     # Directories
     #
     # You can specify directories to mount into the container. They will be created on the host
-    # before being mounted
+    # before being mounted:
     directories:
       - mysql-logs:/var/log/mysql
 
     # Volumes
     #
     # Any other volumes to mount, in addition to the files and directories.
-    # They are not created or copied before mounting
+    # They are not created or copied before mounting:
     volumes:
       - /path/to/mysql-logs:/var/log/mysql

lib/kamal/configuration/docs/alias.yml

@@ -12,15 +12,15 @@
 aliases:
   console: app exec -r console -i "rails console"
 # You can now open the console with:
+#
 # ```shell
 # kamal console
 # ```
 
 # Configuring aliases
 #
-# Aliases are defined in the root config under the alias key
+# Aliases are defined in the root config under the alias key.
 #
-# Each alias is named and can only contain lowercase letters, numbers, dashes and underscores.
+# Each alias is named and can only contain lowercase letters, numbers, dashes, and underscores:
-
 aliases:
   uname: app exec -p -q -r web "uname -a"

lib/kamal/configuration/docs/boot.yml

@@ -2,18 +2,18 @@
 #
 # When deploying to large numbers of hosts, you might prefer not to restart your services on every host at the same time.
 #
-# Kamal’s default is to boot new containers on all hosts in parallel. But you can control this with the boot configuration.
+# Kamal’s default is to boot new containers on all hosts in parallel. However, you can control this with the boot configuration.
 
 # Fixed group sizes
 #
-# Here we boot 2 hosts at a time with a 10 second gap between each group.
+# Here, we boot 2 hosts at a time with a 10-second gap between each group:
 boot:
   limit: 2
   wait: 10
 
 # Percentage of hosts
 #
-# Here we boot 25% of the hosts at a time with a 2 second gap between each group.
+# Here, we boot 25% of the hosts at a time with a 2-second gap between each group:
 boot:
   limit: 25%
   wait: 2

lib/kamal/configuration/docs/builder.yml

@@ -1,8 +1,8 @@
 # Builder
 #
-# The builder configuration controls how the application is built with `docker build`
+# The builder configuration controls how the application is built with `docker build`.
 #
-# See https://kamal-deploy.org/docs/configuration/builder-examples/ for more information
+# See https://kamal-deploy.org/docs/configuration/builder-examples/ for more information.
 
 # Builder options
 #
@@ -11,15 +11,15 @@ builder:
 
   # Arch
   #
-  # The architectures to build for - you can set an array or just a single value.
+  # The architectures to build for — you can set an array or just a single value.
   #
-  # Allowed values are `amd64` and `arm64`
+  # Allowed values are `amd64` and `arm64`:
   arch:
     - amd64
 
   # Remote
   #
-  # The connection string for a remote builder. If supplied Kamal will use this
+  # The connection string for a remote builder. If supplied, Kamal will use this
   # for builds that do not match the local architecture of the deployment host.
   remote: ssh://docker@docker-builder
 
@@ -28,14 +28,14 @@ builder:
   # If set to false, Kamal will always use the remote builder even when building
   # the local architecture.
   #
-  # Defaults to true
+  # Defaults to true:
   local: true
 
   # Builder cache
   #
-  # The type must be either 'gha' or 'registry'
+  # The type must be either 'gha' or 'registry'.
   #
-  # The image is only used for registry cache. Not compatible with the docker driver
+  # The image is only used for registry cache and is not compatible with the Docker driver:
   cache:
     type: registry
     options: mode=max
@@ -43,25 +43,25 @@ builder:
 
   # Build context
   #
-  # If this is not set, then a local git clone of the repo is used.
+  # If this is not set, then a local Git clone of the repo is used.
   # This ensures a clean build with no uncommitted changes.
   #
-  # To use the local checkout instead you can set the context to `.`, or a path to another directory.
+  # To use the local checkout instead, you can set the context to `.`, or a path to another directory.
   context: .
 
   # Dockerfile
   #
-  # The Dockerfile to use for building, defaults to `Dockerfile`
+  # The Dockerfile to use for building, defaults to `Dockerfile`:
   dockerfile: Dockerfile.production
 
   # Build target
   #
-  # If not set, then the default target is used
+  # If not set, then the default target is used:
   target: production
 
-  # Build Arguments
+  # Build arguments
   #
-  # Any additional build arguments, passed to `docker build` with `--build-arg <key>=<value>`
+  # Any additional build arguments, passed to `docker build` with `--build-arg <key>=<value>`:
   args:
     ENVIRONMENT: production
 
@@ -74,33 +74,31 @@ builder:
 
   # Build secrets
   #
-  # Values are read from .kamal/secrets.
+  # Values are read from `.kamal/secrets`:
-  #
   secrets:
     - SECRET1
     - SECRET2
 
-  # Referencing Build Secrets
+  # Referencing build secrets
   #
   # ```shell
   # # Copy Gemfiles
   # COPY Gemfile Gemfile.lock ./
   #
   # # Install dependencies, including private repositories via access token
-  # # Then remove bundle cache with exposed GITHUB_TOKEN)
+  # # Then remove bundle cache with exposed GITHUB_TOKEN
   # RUN --mount=type=secret,id=GITHUB_TOKEN \
   #   BUNDLE_GITHUB__COM=x-access-token:$(cat /run/secrets/GITHUB_TOKEN) \
   #   bundle install && \
   #   rm -rf /usr/local/bundle/cache
   # ```
 
-
   # SSH
   #
-  # SSH agent socket or keys to expose to the build
+  # SSH agent socket or keys to expose to the build:
   ssh: default=$SSH_AUTH_SOCK
 
   # Driver
   #
-  # The build driver to use, defaults to `docker-container`
+  # The build driver to use, defaults to `docker-container`:
   driver: docker

lib/kamal/configuration/docs/configuration.yml

@@ -1,14 +1,13 @@
 # Kamal Configuration
 #
-# Configuration is read from the `config/deploy.yml`
+# Configuration is read from the `config/deploy.yml`.
-#
 
 # Destinations
 #
 # When running commands, you can specify a destination with the `-d` flag,
-# e.g. `kamal deploy -d staging`
+# e.g., `kamal deploy -d staging`.
 #
-# In this case the configuration will also be read from `config/deploy.staging.yml`
+# In this case, the configuration will also be read from `config/deploy.staging.yml`
 # and merged with the base configuration.
 
 # Extensions
@@ -18,10 +17,11 @@
 # However, you might want to declare a configuration block using YAML anchors
 # and aliases to avoid repetition.
 #
-# You can use prefix a configuration section with `x-` to indicate that it is an
+# You can prefix a configuration section with `x-` to indicate that it is an
 # extension. Kamal will ignore the extension and not raise an error.
 
 # The service name
+#
 # This is a required value. It is used as the container name prefix.
 service: myapp
 
@@ -32,147 +32,147 @@ image: my-image
 
 # Labels
 #
-# Additional labels to add to the container
+# Additional labels to add to the container:
 labels:
   my-label: my-value
 
 # Volumes
 #
-# Additional volumes to mount into the container
+# Additional volumes to mount into the container:
 volumes:
   - /path/on/host:/path/in/container:ro
 
 # Registry
 #
-# The Docker registry configuration, see kamal docs registry
+# The Docker registry configuration, see kamal docs registry:
 registry:
   ...
 
 # Servers
 #
-# The servers to deploy to, optionally with custom roles, see kamal docs servers
+# The servers to deploy to, optionally with custom roles, see kamal docs servers:
 servers:
   ...
 
 # Environment variables
 #
-# See kamal docs env
+# See kamal docs env:
 env:
   ...
 
-# Asset Path
+# Asset path
 #
-# Used for asset bridging across deployments, default to `nil`
+# Used for asset bridging across deployments, default to `nil`.
 #
 # If there are changes to CSS or JS files, we may get requests
-# for the old versions on the new container and vice-versa.
+# for the old versions on the new container, and vice versa.
 #
-# To avoid 404s we can specify an asset path.
+# To avoid 404s, we can specify an asset path.
 # Kamal will replace that path in the container with a mapped
 # volume containing both sets of files.
 # This requires that file names change when the contents change
-# (e.g. by including a hash of the contents in the name).
+# (e.g., by including a hash of the contents in the name).
 #
 # To configure this, set the path to the assets:
 asset_path: /path/to/assets
 
 # Hooks path
 #
-# Path to hooks, defaults to `.kamal/hooks`
+# Path to hooks, defaults to `.kamal/hooks`.
-# See https://kamal-deploy.org/docs/hooks for more information
+# See https://kamal-deploy.org/docs/hooks for more information:
 hooks_path: /user_home/kamal/hooks
 
 # Require destinations
 #
-# Whether deployments require a destination to be specified, defaults to `false`
+# Whether deployments require a destination to be specified, defaults to `false`:
 require_destination: true
 
 # Primary role
 #
-# This defaults to `web`, but if you have no web role, you can change this
+# This defaults to `web`, but if you have no web role, you can change this:
 primary_role: workers
 
 # Allowing empty roles
 #
-# Whether roles with no servers are allowed. Defaults to `false`.
+# Whether roles with no servers are allowed. Defaults to `false`:
 allow_empty_roles: false
 
 # Retain containers
 #
-# How many old containers and images we retain, defaults to 5
+# How many old containers and images we retain, defaults to 5:
 retain_containers: 3
 
 # Minimum version
 #
-# The minimum version of Kamal required to deploy this configuration, defaults to nil
+# The minimum version of Kamal required to deploy this configuration, defaults to `nil`:
 minimum_version: 1.3.0
 
 # Readiness delay
 #
-# Seconds to wait for a container to boot after is running, default 7
+# Seconds to wait for a container to boot after it is running, default 7.
 #
-# This only applies to containers that do not run a proxy or specify a healthcheck
+# This only applies to containers that do not run a proxy or specify a healthcheck:
 readiness_delay: 4
 
 # Deploy timeout
 #
-# How long to wait for a container to become ready, default 30
+# How long to wait for a container to become ready, default 30:
 deploy_timeout: 10
 
 # Drain timeout
 #
-# How long to wait for a containers to drain, default 30
+# How long to wait for a container to drain, default 30:
 drain_timeout: 10
 
 # Run directory
 #
-# Directory to store kamal runtime files in on the host, default `.kamal`
+# Directory to store kamal runtime files in on the host, default `.kamal`:
 run_directory: /etc/kamal
 
 # SSH options
 #
-# See kamal docs ssh
+# See kamal docs ssh:
 ssh:
   ...
 
 # Builder options
 #
-# See kamal docs builder
+# See kamal docs builder:
 builder:
   ...
 
 # Accessories
 #
-# Additionals services to run in Docker, see kamal docs accessory
+# Additional services to run in Docker, see kamal docs accessory:
 accessories:
   ...
 
 # Proxy
 #
-# Configuration for kamal-proxy, see kamal docs proxy
+# Configuration for kamal-proxy, see kamal docs proxy:
 proxy:
   ...
 
 # SSHKit
 #
-# See kamal docs sshkit
+# See kamal docs sshkit:
 sshkit:
   ...
 
 # Boot options
 #
-# See kamal docs boot
+# See kamal docs boot:
 boot:
   ...
 
 # Logging
 #
-# Docker logging configuration, see kamal docs logging
+# Docker logging configuration, see kamal docs logging:
 logging:
   ...
 
 # Aliases
 #
-# Alias configuration, see kamal docs alias
+# Alias configuration, see kamal docs alias:
 aliases:
   ...

lib/kamal/configuration/docs/env.yml

@@ -1,13 +1,13 @@
 # Environment variables
 #
 # Environment variables can be set directly in the Kamal configuration or
-# read from .kamal/secrets.
+# read from `.kamal/secrets`.
 
 # Reading environment variables from the configuration
 #
 # Environment variables can be set directly in the configuration file.
 #
-# These are passed to the docker run command when deploying.
+# These are passed to the `docker run` command when deploying.
 env:
   DATABASE_HOST: mysql-db1
   DATABASE_PORT: 3306
@@ -16,7 +16,7 @@ env:
 #
 # Kamal uses dotenv to automatically load environment variables set in the `.kamal/secrets` file.
 #
-# If you are using destinations, secrets will instead be read from `.kamal/secrets-<DESTINATION>` if
+# If you are using destinations, secrets will instead be read from `.kamal/secrets.<DESTINATION>` if
 # it exists.
 #
 # Common secrets across all destinations can be set in `.kamal/secrets-common`.
@@ -24,26 +24,27 @@ env:
 # This file can be used to set variables like `KAMAL_REGISTRY_PASSWORD` or database passwords.
 # You can use variable or command substitution in the secrets file.
 #
-# ```
+# ```shell
 # KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
 # RAILS_MASTER_KEY=$(cat config/master.key)
 # ```
 #
-# You can also use [secret helpers](../commands/secrets) for some common password managers.
+# You can also use [secret helpers](../../commands/secrets) for some common password managers.
-# ```
+#
+# ```shell
 # SECRETS=$(kamal secrets fetch ...)
 #
 # REGISTRY_PASSWORD=$(kamal secrets extract REGISTRY_PASSWORD $SECRETS)
 # DB_PASSWORD=$(kamal secrets extract DB_PASSWORD $SECRETS)
 # ```
 #
-# If you store secrets directly in .kamal/secrets, ensure that it is not checked into version control.
+# If you store secrets directly in `.kamal/secrets`, ensure that it is not checked into version control.
 #
-# To pass the secrets you should list them under the `secret` key. When you do this the
+# To pass the secrets, you should list them under the `secret` key. When you do this, the
 # other variables need to be moved under the `clear` key.
 #
-# Unlike clear values, secrets are not passed directly to the container,
+# Unlike clear values, secrets are not passed directly to the container
-# but are stored in an env file on the host
+# but are stored in an env file on the host:
 env:
   clear:
     DB_USER: app
@@ -55,7 +56,7 @@ env:
 # Tags are used to add extra env variables to specific hosts.
 # See kamal docs servers for how to tag hosts.
 #
-# Tags are only allowed in the top level env configuration (i.e not under a role specific env).
+# Tags are only allowed in the top-level env configuration (i.e., not under a role-specific env).
 #
 # The env variables can be specified with secret and clear values as explained above.
 env:

lib/kamal/configuration/docs/logging.yml

@@ -6,16 +6,16 @@
 #
 # These go under the logging key in the configuration file.
 #
-# This can be specified in the root level or for a specific role.
+# This can be specified at the root level or for a specific role.
 logging:
 
   # Driver
   #
-  # The logging driver to use, passed to Docker via `--log-driver`
+  # The logging driver to use, passed to Docker via `--log-driver`:
   driver: json-file
 
   # Options
   #
-  # Any logging options to pass to the driver, passed to Docker via `--log-opt`
+  # Any logging options to pass to the driver, passed to Docker via `--log-opt`:
   options:
     max-size: 100m

lib/kamal/configuration/docs/proxy.yml

@@ -5,54 +5,59 @@
 # application container.
 #
 # The proxy is configured in the root configuration under `proxy`. These are
-# options that are set when deploying the application, not when booting the proxy
+# options that are set when deploying the application, not when booting the proxy.
 #
-# They are application specific, so are not shared when multiple applications
+# They are application-specific, so they are not shared when multiple applications
 # run on the same proxy.
 #
-# The proxy is enabled by default on the primary role, but can be disabled by
+# The proxy is enabled by default on the primary role but can be disabled by
 # setting `proxy: false`.
 #
-# It is disabled by default on all other roles, but can be enabled by setting
+# It is disabled by default on all other roles but can be enabled by setting
-# `proxy: true`, or providing a proxy configuration.
+# `proxy: true` or providing a proxy configuration.
 proxy:
 
-  # Host
+  # Hosts
   #
   # The hosts that will be used to serve the app. The proxy will only route requests
   # to this host to your app.
   #
   # If no hosts are set, then all requests will be forwarded, except for matching
   # requests for other apps deployed on that server that do have a host set.
+  #
+  # Specify one of `host` or `hosts`.
   host: foo.example.com
+  hosts:
+    - foo.example.com
+    - bar.example.com
 
   # App port
   #
-  # The port the application container is exposed on
+  # The port the application container is exposed on.
   #
-  # Defaults to 80
+  # Defaults to 80:
   app_port: 3000
 
   # SSL
   #
   # kamal-proxy can provide automatic HTTPS for your application via Let's Encrypt.
   #
-  # This requires that we are deploying to a one server and the host option is set.
+  # This requires that we are deploying to one server and the host option is set.
-  # The host value must point to the server we are deploying to and port 443 must be
+  # The host value must point to the server we are deploying to, and port 443 must be
   # open for the Let's Encrypt challenge to succeed.
   #
-  # Defaults to false
+  # Defaults to `false`:
   ssl: true
 
   # Response timeout
   #
-  # How long to wait for requests to complete before timing out, defaults to 30 seconds
+  # How long to wait for requests to complete before timing out, defaults to 30 seconds:
   response_timeout: 10
 
   # Healthcheck
   #
-  # When deploying, the proxy will by default hit /up once every second until we hit
+  # When deploying, the proxy will by default hit `/up` once every second until we hit
-  # the deploy timeout, with a 5 second timeout for each request.
+  # the deploy timeout, with a 5-second timeout for each request.
   #
   # Once the app is up, the proxy will stop hitting the healthcheck endpoint.
   healthcheck:
@@ -62,12 +67,12 @@ proxy:
 
   # Buffering
   #
-  # Whether to buffer request and response bodies in the proxy
+  # Whether to buffer request and response bodies in the proxy.
   #
-  # By default buffering is enabled with a max request body size of 1GB and no limit
+  # By default, buffering is enabled with a max request body size of 1GB and no limit
   # for response size.
   #
-  # You can also set the memory limit for buffering, which defaults to 1MB, anything
+  # You can also set the memory limit for buffering, which defaults to 1MB; anything
   # larger than that is written to disk.
   buffering:
     requests: true
@@ -78,9 +83,9 @@ proxy:
 
   # Logging
   #
-  # Configure request logging for the proxy
+  # Configure request logging for the proxy.
   # You can specify request and response headers to log.
-  # By default, Cache-Control, Last-Modified and User-Agent request headers are logged
+  # By default, `Cache-Control`, `Last-Modified`, and `User-Agent` request headers are logged:
   logging:
     request_headers:
       - Cache-Control
@@ -91,10 +96,10 @@ proxy:
 
   # Forward headers
   #
-  # Whether to forward the X-Forwarded-For and X-Forwarded-Proto headers.
+  # Whether to forward the `X-Forwarded-For` and `X-Forwarded-Proto` headers.
   #
-  # If you are behind a trusted proxy, you can set this to true to forward the headers.
+  # If you are behind a trusted proxy, you can set this to `true` to forward the headers.
   #
-  # By default kamal-proxy will not forward the headers the ssl option is set to true, and
+  # By default, kamal-proxy will not forward the headers if the `ssl` option is set to `true`, and
-  # will forward them if it is set to false.
+  # will forward them if it is set to `false`.
   forward_headers: true

lib/kamal/configuration/docs/registry.yml

@@ -1,10 +1,9 @@
 # Registry
 #
-# The default registry is Docker Hub, but you can change it using registry/server:
+# The default registry is Docker Hub, but you can change it using `registry/server`.
 #
-# A reference to secret (in this case DOCKER_REGISTRY_TOKEN) will look up the secret
+# A reference to a secret (in this case, `DOCKER_REGISTRY_TOKEN`) will look up the secret
-# in the local environment.
+# in the local environment:
-
 registry:
   server: registry.digitalocean.com
   username:
@@ -13,30 +12,31 @@ registry:
     - DOCKER_REGISTRY_TOKEN
 
 # Using AWS ECR as the container registry
-# You will need to have the aws CLI installed locally for this to work.
+#
-# AWS ECR’s access token is only valid for 12hrs. In order to not have to manually regenerate the token every time, you can use ERB in the deploy.yml file to shell out to the aws cli command, and obtain the token:
+# You will need to have the AWS CLI installed locally for this to work.
-
+# AWS ECR’s access token is only valid for 12 hours. In order to avoid having to manually regenerate the token every time, you can use ERB in the `deploy.yml` file to shell out to the AWS CLI command and obtain the token:
 registry:
   server: <your aws account id>.dkr.ecr.<your aws region id>.amazonaws.com
   username: AWS
   password: <%= %x(aws ecr get-login-password) %>
 
 # Using GCP Artifact Registry as the container registry
-# To sign into Artifact Registry, you would need to
+#
+# To sign into Artifact Registry, you need to
 # [create a service account](https://cloud.google.com/iam/docs/service-accounts-create#creating)
 # and [set up roles and permissions](https://cloud.google.com/artifact-registry/docs/access-control#permissions).
-# Normally, assigning a roles/artifactregistry.writer role should be sufficient.
+# Normally, assigning the `roles/artifactregistry.writer` role should be sufficient.
 #
 # Once the service account is ready, you need to generate and download a JSON key and base64 encode it:
 #
 # ```shell
-# base64 -i /path/to/key.json | tr -d "\\n")
+# base64 -i /path/to/key.json | tr -d "\\n"
 # ```
-# You'll then need to set the KAMAL_REGISTRY_PASSWORD secret to that value.
 #
-# Use the env variable as password along with _json_key_base64 as username.
+# You'll then need to set the `KAMAL_REGISTRY_PASSWORD` secret to that value.
+#
+# Use the environment variable as the password along with `_json_key_base64` as the username.
 # Here’s the final configuration:
-
 registry:
   server: <your registry region>-docker.pkg.dev
   username: _json_key_base64
@@ -46,6 +46,7 @@ registry:
 # Validating the configuration
 #
 # You can validate the configuration by running:
+#
 # ```shell
 # kamal registry login
 # ```

lib/kamal/configuration/docs/role.yml

@@ -1,22 +1,21 @@
 # Roles
 #
 # Roles are used to configure different types of servers in the deployment.
-# The most common use for this is to run a web servers and job servers.
+# The most common use for this is to run web servers and job servers.
 #
 # Kamal expects there to be a `web` role, unless you set a different `primary_role`
 # in the root configuration.
 
 # Role configuration
 #
-# Roles are specified under the servers key
+# Roles are specified under the servers key:
 servers:
 
   # Simple role configuration
   #
+  # This can be a list of hosts if you don't need custom configuration for the role.
   #
-  # This can be a list of hosts, if you don't need custom configuration for the role.
+  # You can set tags on the hosts for custom env variables (see kamal docs env):
-  #
-  # You can set tags on the hosts for custom env variables (see kamal docs env)
   web:
     - 172.1.0.1
     - 172.1.0.2: experiment1
@@ -24,16 +23,16 @@ servers:
 
   # Custom role configuration
   #
-  # When there are other options to set, the list of hosts goes under the `hosts` key
+  # When there are other options to set, the list of hosts goes under the `hosts` key.
   #
-  # By default only the primary role uses a proxy.
+  # By default, only the primary role uses a proxy.
   #
-  # For other roles, you can set it to `proxy: true` enable it and inherit the root proxy
+  # For other roles, you can set it to `proxy: true` to enable it and inherit the root proxy
   # configuration or provide a map of options to override the root configuration.
   #
   # For the primary role, you can set `proxy: false` to disable the proxy.
   #
-  # You can also set a custom cmd to run in the container, and overwrite other settings
+  # You can also set a custom `cmd` to run in the container and overwrite other settings
   # from the root configuration.
   workers:
     hosts:

lib/kamal/configuration/docs/servers.yml

@@ -2,7 +2,7 @@
 #
 # Servers are split into different roles, with each role having its own configuration.
 #
-# For simpler deployments though where all servers are identical, you can just specify a list of servers
+# For simpler deployments, though, where all servers are identical, you can just specify a list of servers.
 # They will be implicitly assigned to the `web` role.
 servers:
   - 172.0.0.1
@@ -19,7 +19,7 @@ servers:
 
 # Roles
 #
-# For more complex deployments (e.g. if you are running job hosts), you can specify roles, and configure each separately (see kamal docs role)
+# For more complex deployments (e.g., if you are running job hosts), you can specify roles and configure each separately (see kamal docs role):
 servers:
   web:
     ...

lib/kamal/configuration/docs/ssh.yml

@@ -1,9 +1,9 @@
 # SSH configuration
 #
-# Kamal uses SSH to connect run commands on your hosts.
+# Kamal uses SSH to connect and run commands on your hosts.
-# By default it will attempt to connect to the root user on port 22
+# By default, it will attempt to connect to the root user on port 22.
 #
-# If you are using non-root user, you may need to bootstrap your servers manually, before using them with Kamal. On Ubuntu, you’d do:
+# If you are using a non-root user, you may need to bootstrap your servers manually before using them with Kamal. On Ubuntu, you’d do:
 #
 # ```shell
 # sudo apt update
@@ -12,7 +12,6 @@
 # sudo usermod -a -G docker app
 # ```
 
-
 # SSH options
 #
 # The options are specified under the ssh key in the configuration file.
@@ -20,47 +19,52 @@ ssh:
 
   # The SSH user
   #
-  # Defaults to `root`
+  # Defaults to `root`:
-  #
   user: app
 
   # The SSH port
   #
-  # Defaults to 22
+  # Defaults to 22:
   port: "2222"
 
   # Proxy host
   #
   # Specified in the form <host> or <user>@<host>
-  proxy: root@proxy-host
+  proxy: proxy-host
 
   # Proxy command
   #
-  # A custom proxy command, required for older versions of SSH
+  # A custom proxy command, required for older versions of SSH:
   proxy_command: "ssh -W %h:%p user@proxy"
 
   # Log level
   #
-  # Defaults to `fatal`. Set this to debug if you are having
+  # Defaults to `fatal`. Set this to `debug` if you are having SSH connection issues.
-  # SSH connection issues.
   log_level: debug
 
-  # Keys Only
+  # Keys only
   #
-  # Set to true to use only private keys from keys and key_data parameters, 
+  # Set to `true` to use only private keys from the `keys` and `key_data` parameters,
   # even if ssh-agent offers more identities. This option is intended for
-  # situations where ssh-agent offers many different identites or you have 
+  # situations where ssh-agent offers many different identities or you
-  # a need to overwrite all identites and force a single one.
+  # need to overwrite all identities and force a single one.
   keys_only: false
 
   # Keys
   #
-  # An array of file names of private keys to use for publickey
+  # An array of file names of private keys to use for public key
-  # and hostbased authentication
+  # and host-based authentication:
   keys: [ "~/.ssh/id.pem" ]
 
-  # Key Data
+  # Key data
   #
   # An array of strings, with each element of the array being
   # a raw private key in PEM format.
   key_data: [ "-----BEGIN OPENSSH PRIVATE KEY-----" ]
+
+  # Config
+  #
+  # Set to true to load the default OpenSSH config files (~/.ssh/config,
+  # /etc/ssh_config), to false ignore config files, or to a file path
+  # (or array of paths) to load specific configuration. Defaults to true.
+  config: true

lib/kamal/configuration/docs/sshkit.yml

@@ -2,8 +2,8 @@
 #
 # [SSHKit](https://github.com/capistrano/sshkit) is the SSH toolkit used by Kamal.
 #
-# The default settings should be sufficient for most use cases, but
+# The default, settings should be sufficient for most use cases, but
-# when connecting to a large number of hosts you may need to adjust
+# when connecting to a large number of hosts, you may need to adjust.
 
 # SSHKit options
 #
@@ -13,11 +13,11 @@ sshkit:
   # Max concurrent starts
   #
   # Creating SSH connections concurrently can be an issue when deploying to many servers.
-  # By default Kamal will limit concurrent connection starts to 30 at a time.
+  # By default, Kamal will limit concurrent connection starts to 30 at a time.
   max_concurrent_starts: 10
 
   # Pool idle timeout
   #
   # Kamal sets a long idle timeout of 900 seconds on connections to try to avoid
-  # re-connection storms after an idle period, like building an image or waiting for CI.
+  # re-connection storms after an idle period, such as building an image or waiting for CI.
   pool_idle_timeout: 300

lib/kamal/configuration/proxy.rb

@@ -22,14 +22,14 @@ class Kamal::Configuration::Proxy
     proxy_config.fetch("ssl", false)
   end
 
-  def host
+  def hosts
-    proxy_config["host"]
+    proxy_config["hosts"] || proxy_config["host"]&.split(",") || []
   end
 
   def deploy_options
     {
-      host: proxy_config["host"],
+      host: hosts,
-      tls: proxy_config["ssl"] ? true : nil,
+      tls: proxy_config["ssl"],
       "deploy-timeout": seconds_duration(config.deploy_timeout),
       "drain-timeout": seconds_duration(config.drain_timeout),
       "health-check-interval": seconds_duration(proxy_config.dig("healthcheck", "interval")),
@@ -48,11 +48,7 @@ class Kamal::Configuration::Proxy
   end
 
   def deploy_command_args(target:)
-    optionize ({ target: "#{target}:#{app_port}" }).merge(deploy_options)
+    optionize ({ target: "#{target}:#{app_port}" }).merge(deploy_options), with: "="
-  end
-
-  def remove_command_args(target:)
-    optionize({ target: "#{target}:#{app_port}" })
   end
 
   def merge(other)

lib/kamal/configuration/ssh.rb

@@ -19,9 +19,9 @@ class Kamal::Configuration::Ssh
   end
 
   def proxy
-    if (proxy = ssh_config["proxy"])
+    if proxy = ssh_config["proxy"]
-      Net::SSH::Proxy::Jump.new(proxy.include?("@") ? proxy : "root@#{proxy}")
+      Net::SSH::Proxy::Jump.new(proxy)
-    elsif (proxy_command = ssh_config["proxy_command"])
+    elsif proxy_command = ssh_config["proxy_command"]
       Net::SSH::Proxy::Command.new(proxy_command)
     end
   end

lib/kamal/configuration/validator/proxy.rb

@@ -3,9 +3,13 @@ class Kamal::Configuration::Validator::Proxy < Kamal::Configuration::Validator
     unless config.nil?
       super
 
-      if config["host"].blank? && config["ssl"]
+      if config["host"].blank? && config["hosts"].blank? && config["ssl"]
         error "Must set a host to enable automatic SSL"
       end
+
+      if (config.keys & [ "host", "hosts" ]).size > 1
+        error "Specify one of 'host' or 'hosts', not both"
+      end
     end
   end
 end

lib/kamal/secrets/adapters/bitwarden.rb

@@ -35,8 +35,10 @@ class Kamal::Secrets::Adapters::Bitwarden < Kamal::Secrets::Adapters::Base
               value = item_field["value"]
               results["#{item}/#{field}"] = value
             end
+          elsif item_json.dig("login", "password")
+            results[item] = item_json.dig("login", "password")
           else
-            results[item] = item_json["login"]["password"]
+            raise RuntimeError, "Item #{item} is not a login type item and no fields were specified"
           end
         end
       end

lib/kamal/version.rb

@@ -1,3 +1,3 @@
 module Kamal
-  VERSION = "2.0.0.rc4"
+  VERSION = "2.1.1"
 end

test/cli/app_test.rb

@@ -130,7 +130,7 @@ class CliAppTest < CliTestCase
     SSHKit::Backend::Abstract.any_instance.stubs(:execute)
       .with(:docker, :container, :ls, "--all", "--filter", "name=^app-web-latest$", "--quiet", "|", :xargs, :docker, :stop, raise_on_non_zero_exit: false)
     SSHKit::Backend::Abstract.any_instance.expects(:execute)
-      .with(:docker, :exec, "kamal-proxy", "kamal-proxy", :deploy, "app-web", "--target", "\"123:80\"", "--deploy-timeout", "\"1s\"", "--drain-timeout", "\"30s\"", "--buffer-requests", "--buffer-responses", "--log-request-header", "\"Cache-Control\"", "--log-request-header", "\"Last-Modified\"", "--log-request-header", "\"User-Agent\"").raises(SSHKit::Command::Failed.new("Failed to deploy"))
+      .with(:docker, :exec, "kamal-proxy", "kamal-proxy", :deploy, "app-web", "--target=\"123:80\"", "--deploy-timeout=\"1s\"", "--drain-timeout=\"30s\"", "--buffer-requests", "--buffer-responses", "--log-request-header=\"Cache-Control\"", "--log-request-header=\"Last-Modified\"", "--log-request-header=\"User-Agent\"").raises(SSHKit::Command::Failed.new("Failed to deploy"))
 
     stderred do
       run_command("boot", config: :with_roles, host: nil, allow_execute_error: true).tap do |output|
@@ -190,7 +190,7 @@ class CliAppTest < CliTestCase
 
     run_command("start").tap do |output|
       assert_match "docker start app-web-999", output
-      assert_match "docker exec kamal-proxy kamal-proxy deploy app-web --target \"999:80\" --deploy-timeout \"30s\" --drain-timeout \"30s\" --buffer-requests --buffer-responses --log-request-header \"Cache-Control\" --log-request-header \"Last-Modified\"", output
+      assert_match "docker exec kamal-proxy kamal-proxy deploy app-web --target=\"999:80\" --deploy-timeout=\"30s\" --drain-timeout=\"30s\" --buffer-requests --buffer-responses --log-request-header=\"Cache-Control\" --log-request-header=\"Last-Modified\"", output
     end
   end
 
@@ -383,7 +383,7 @@ class CliAppTest < CliTestCase
       assert_match /Renaming container .* to .* as already deployed on 1.1.1.1/, output # Rename
       assert_match /docker rename app-web-latest app-web-latest_replaced_[0-9a-f]{16}/, output
       assert_match /docker run --detach --restart unless-stopped --name app-web-latest --network kamal --hostname 1.1.1.1-[0-9a-f]{12} -e KAMAL_CONTAINER_NAME="app-web-latest" -e KAMAL_VERSION="latest" --env-file .kamal\/apps\/app\/env\/roles\/web.env --log-opt max-size="10m" --label service="app" --label role="web" --label destination dhh\/app:latest/, output
-      assert_match /docker exec kamal-proxy kamal-proxy deploy app-web --target "123:80"/, output
+      assert_match /docker exec kamal-proxy kamal-proxy deploy app-web --target="123:80"/, output
       assert_match "docker container ls --all --filter name=^app-web-123$ --quiet | xargs docker stop", output
     end
   end
@@ -392,8 +392,8 @@ class CliAppTest < CliTestCase
     SSHKit::Backend::Abstract.any_instance.stubs(:capture_with_info).returns("123") # old version
 
     run_command("boot", config: :with_proxy_roles, host: nil).tap do |output|
-      assert_match "docker exec kamal-proxy kamal-proxy deploy app-web --target \"123:80\" --deploy-timeout \"6s\" --drain-timeout \"30s\" --target-timeout \"10s\" --buffer-requests --buffer-responses --log-request-header \"Cache-Control\" --log-request-header \"Last-Modified\" --log-request-header \"User-Agent\"", output
+      assert_match "docker exec kamal-proxy kamal-proxy deploy app-web --target=\"123:80\" --deploy-timeout=\"6s\" --drain-timeout=\"30s\" --target-timeout=\"10s\" --buffer-requests --buffer-responses --log-request-header=\"Cache-Control\" --log-request-header=\"Last-Modified\" --log-request-header=\"User-Agent\"", output
-      assert_match "docker exec kamal-proxy kamal-proxy deploy app-web2 --target \"123:80\" --deploy-timeout \"6s\" --drain-timeout \"30s\" --target-timeout \"15s\" --buffer-requests --buffer-responses --log-request-header \"Cache-Control\" --log-request-header \"Last-Modified\" --log-request-header \"User-Agent\"", output
+      assert_match "docker exec kamal-proxy kamal-proxy deploy app-web2 --target=\"123:80\" --deploy-timeout=\"6s\" --drain-timeout=\"30s\" --target-timeout=\"15s\" --buffer-requests --buffer-responses --log-request-header=\"Cache-Control\" --log-request-header=\"Last-Modified\" --log-request-header=\"User-Agent\"", output
     end
   end
 

test/cli/proxy_test.rb

@@ -58,13 +58,13 @@ class CliProxyTest < CliTestCase
       assert_match "Running docker container stop traefik ; docker container prune --force --filter label=org.opencontainers.image.title=Traefik && docker image prune --all --force --filter label=org.opencontainers.image.title=Traefik on 1.1.1.1", output
       assert_match "docker container prune --force --filter label=org.opencontainers.image.title=kamal-proxy on 1.1.1.1", output
       assert_match "docker run --name kamal-proxy --network kamal --detach --restart unless-stopped --volume kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy $(cat .kamal/proxy/options || echo \"--publish 80:80 --publish 443:443\") #{KAMAL.config.proxy_image} on 1.1.1.1", output
-      assert_match "docker exec kamal-proxy kamal-proxy deploy app-web --target \"abcdefabcdef:80\" --deploy-timeout \"6s\" --drain-timeout \"30s\" --buffer-requests --buffer-responses --log-request-header \"Cache-Control\" --log-request-header \"Last-Modified\" --log-request-header \"User-Agent\" on 1.1.1.1", output
+      assert_match "docker exec kamal-proxy kamal-proxy deploy app-web --target=\"abcdefabcdef:80\" --deploy-timeout=\"6s\" --drain-timeout=\"30s\" --buffer-requests --buffer-responses --log-request-header=\"Cache-Control\" --log-request-header=\"Last-Modified\" --log-request-header=\"User-Agent\" on 1.1.1.1", output
 
       assert_match "docker container stop kamal-proxy on 1.1.1.2", output
       assert_match "Running docker container stop traefik ; docker container prune --force --filter label=org.opencontainers.image.title=Traefik && docker image prune --all --force --filter label=org.opencontainers.image.title=Traefik on 1.1.1.2", output
       assert_match "docker container prune --force --filter label=org.opencontainers.image.title=kamal-proxy on 1.1.1.2", output
       assert_match "docker run --name kamal-proxy --network kamal --detach --restart unless-stopped --volume kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy $(cat .kamal/proxy/options || echo \"--publish 80:80 --publish 443:443\") #{KAMAL.config.proxy_image} on 1.1.1.2", output
-      assert_match "docker exec kamal-proxy kamal-proxy deploy app-web --target \"abcdefabcdef:80\" --deploy-timeout \"6s\" --drain-timeout \"30s\" --buffer-requests --buffer-responses --log-request-header \"Cache-Control\" --log-request-header \"Last-Modified\" --log-request-header \"User-Agent\" on 1.1.1.2", output
+      assert_match "docker exec kamal-proxy kamal-proxy deploy app-web --target=\"abcdefabcdef:80\" --deploy-timeout=\"6s\" --drain-timeout=\"30s\" --buffer-requests --buffer-responses --log-request-header=\"Cache-Control\" --log-request-header=\"Last-Modified\" --log-request-header=\"User-Agent\" on 1.1.1.2", output
     end
   end
 
@@ -204,7 +204,7 @@ class CliProxyTest < CliTestCase
       assert_match "/usr/bin/env mkdir -p .kamal/apps/app/env/roles", output
       assert_match "Uploading \"\\n\" to .kamal/apps/app/env/roles/web.env", output
       assert_match %r{docker run --detach --restart unless-stopped --name app-web-latest --network kamal --hostname 1.1.1.1-.* -e KAMAL_CONTAINER_NAME="app-web-latest" -e KAMAL_VERSION="latest" --env-file .kamal/apps/app/env/roles/web.env --log-opt max-size="10m" --label service="app" --label role="web" --label destination dhh/app:latest}, output
-      assert_match "docker exec kamal-proxy kamal-proxy deploy app-web --target \"12345678:80\" --deploy-timeout \"6s\" --drain-timeout \"30s\" --buffer-requests --buffer-responses --log-request-header \"Cache-Control\" --log-request-header \"Last-Modified\" --log-request-header \"User-Agent\"", output
+      assert_match "docker exec kamal-proxy kamal-proxy deploy app-web --target=\"12345678:80\" --deploy-timeout=\"6s\" --drain-timeout=\"30s\" --buffer-requests --buffer-responses --log-request-header=\"Cache-Control\" --log-request-header=\"Last-Modified\" --log-request-header=\"User-Agent\"", output
       assert_match "docker container ls --all --filter name=^app-web-12345678$ --quiet | xargs docker stop", output
       assert_match "docker tag dhh/app:latest dhh/app:latest", output
       assert_match "/usr/bin/env mkdir -p .kamal", output

test/cli/secrets_test.rb

@@ -15,6 +15,12 @@ class CliSecretsTest < CliTestCase
     assert_equal "oof", run_command("extract", "foo", "{\"abc/foo\":\"oof\", \"bar\":\"rab\", \"baz\":\"zab\"}")
   end
 
+  test "print" do
+    with_test_secrets("secrets" => "SECRET1=ABC\nSECRET2=${SECRET1}DEF\n") do
+      assert_equal "SECRET1=ABC\nSECRET2=ABCDEF", run_command("print")
+    end
+  end
+
   private
     def run_command(*command)
       stdouted { Kamal::Cli::Secrets.start([ *command, "-c", "test/fixtures/deploy_with_accessories.yml" ]) }

test/commander_test.rb

@@ -150,6 +150,27 @@ class CommanderTest < ActiveSupport::TestCase
     assert_equal [ "1.1.1.2" ], @kamal.proxy_hosts
   end
 
+  test "accessory hosts without filtering" do
+    configure_with(:deploy_with_single_accessory)
+    assert_equal [ "1.1.1.5" ], @kamal.accessory_hosts
+
+    configure_with(:deploy_with_accessories_on_independent_server)
+    assert_equal [ "1.1.1.5", "1.1.1.1", "1.1.1.2" ], @kamal.accessory_hosts
+  end
+
+  test "accessory hosts with role filtering" do
+    configure_with(:deploy_with_single_accessory)
+    @kamal.specific_roles = [ "web" ]
+    assert_equal [], @kamal.accessory_hosts
+
+    configure_with(:deploy_with_accessories_on_independent_server)
+    @kamal.specific_roles = [ "web" ]
+    assert_equal [ "1.1.1.1", "1.1.1.2" ], @kamal.accessory_hosts
+
+    @kamal.specific_roles = [ "workers" ]
+    assert_equal [], @kamal.accessory_hosts
+  end
+
   private
     def configure_with(variant)
       @kamal = Kamal::Commander.new.tap do |kamal|

test/commands/app_test.rb

@@ -115,14 +115,30 @@ class CommandsAppTest < ActiveSupport::TestCase
 
   test "deploy" do
     assert_equal \
-      "docker exec kamal-proxy kamal-proxy deploy app-web --target \"172.1.0.2:80\" --deploy-timeout \"30s\" --drain-timeout \"30s\" --buffer-requests --buffer-responses --log-request-header \"Cache-Control\" --log-request-header \"Last-Modified\" --log-request-header \"User-Agent\"",
+      "docker exec kamal-proxy kamal-proxy deploy app-web --target=\"172.1.0.2:80\" --deploy-timeout=\"30s\" --drain-timeout=\"30s\" --buffer-requests --buffer-responses --log-request-header=\"Cache-Control\" --log-request-header=\"Last-Modified\" --log-request-header=\"User-Agent\"",
+      new_command.deploy(target: "172.1.0.2").join(" ")
+  end
+
+  test "deploy with SSL" do
+    @config[:proxy] = { "ssl" => true, "host" => "example.com" }
+
+    assert_equal \
+      "docker exec kamal-proxy kamal-proxy deploy app-web --target=\"172.1.0.2:80\" --host=\"example.com\" --tls --deploy-timeout=\"30s\" --drain-timeout=\"30s\" --buffer-requests --buffer-responses --log-request-header=\"Cache-Control\" --log-request-header=\"Last-Modified\" --log-request-header=\"User-Agent\"",
+      new_command.deploy(target: "172.1.0.2").join(" ")
+  end
+
+  test "deploy with SSL targeting multiple hosts" do
+    @config[:proxy] = { "ssl" => true, "hosts" => [ "example.com", "anotherexample.com" ] }
+
+    assert_equal \
+      "docker exec kamal-proxy kamal-proxy deploy app-web --target=\"172.1.0.2:80\" --host=\"example.com\" --host=\"anotherexample.com\" --tls --deploy-timeout=\"30s\" --drain-timeout=\"30s\" --buffer-requests --buffer-responses --log-request-header=\"Cache-Control\" --log-request-header=\"Last-Modified\" --log-request-header=\"User-Agent\"",
       new_command.deploy(target: "172.1.0.2").join(" ")
   end
 
   test "remove" do
     assert_equal \
-      "docker exec kamal-proxy kamal-proxy remove app-web --target \"172.1.0.2:80\"",
+      "docker exec kamal-proxy kamal-proxy remove app-web",
-      new_command.remove(target: "172.1.0.2").join(" ")
+      new_command.remove.join(" ")
   end
 
 
@@ -278,7 +294,7 @@ class CommandsAppTest < ActiveSupport::TestCase
 
   test "run over ssh with proxy" do
     @config[:ssh] = { "proxy" => "2.2.2.2" }
-    assert_equal "ssh -J root@2.2.2.2 -t root@1.1.1.1 -p 22 'ls'", new_command.run_over_ssh("ls", host: "1.1.1.1")
+    assert_equal "ssh -J 2.2.2.2 -t root@1.1.1.1 -p 22 'ls'", new_command.run_over_ssh("ls", host: "1.1.1.1")
   end
 
   test "run over ssh with proxy user" do
@@ -288,7 +304,7 @@ class CommandsAppTest < ActiveSupport::TestCase
 
   test "run over ssh with custom user with proxy" do
     @config[:ssh] = { "user" => "app", "proxy" => "2.2.2.2" }
-    assert_equal "ssh -J root@2.2.2.2 -t app@1.1.1.1 -p 22 'ls'", new_command.run_over_ssh("ls", host: "1.1.1.1")
+    assert_equal "ssh -J 2.2.2.2 -t app@1.1.1.1 -p 22 'ls'", new_command.run_over_ssh("ls", host: "1.1.1.1")
   end
 
   test "run over ssh with proxy_command" do

test/configuration/proxy_test.rb

@@ -13,15 +13,29 @@ class ConfigurationProxyTest < ActiveSupport::TestCase
     assert_equal true, config.proxy.ssl?
   end
 
+  test "ssl with multiple hosts passed via host" do
+    @deploy[:proxy] = { "ssl" => true, "host" => "example.com,anotherexample.com" }
+    assert_equal true, config.proxy.ssl?
+  end
+
+  test "ssl with multiple hosts passed via hosts" do
+    @deploy[:proxy] = { "ssl" => true, "hosts" => [ "example.com", "anotherexample.com" ] }
+    assert_equal true, config.proxy.ssl?
+  end
+
   test "ssl with no host" do
     @deploy[:proxy] = { "ssl" => true }
     assert_raises(Kamal::ConfigurationError) { config.proxy.ssl? }
   end
 
+  test "ssl with both host and hosts" do
+    @deploy[:proxy] = { "ssl" => true, host: "example.com", hosts: [ "anotherexample.com" ] }
+    assert_raises(Kamal::ConfigurationError) { config.proxy.ssl? }
+  end
+
   test "ssl false" do
     @deploy[:proxy] = { "ssl" => false }
     assert_not config.proxy.ssl?
-    assert_not config.proxy.deploy_options.has_key?(:tls)
   end
 
   private

test/configuration/ssh_test.rb

@@ -30,7 +30,7 @@ class ConfigurationSshTest < ActiveSupport::TestCase
 
   test "ssh options with proxy host" do
     config = Kamal::Configuration.new(@deploy.tap { |c| c.merge!(ssh: { "proxy" => "1.2.3.4" }) })
-    assert_equal "root@1.2.3.4", config.ssh.options[:proxy].jump_proxies
+    assert_equal "1.2.3.4", config.ssh.options[:proxy].jump_proxies
   end
 
   test "ssh options with proxy host and user" do

test/configuration_test.rb

@@ -222,6 +222,13 @@ class ConfigurationTest < ActiveSupport::TestCase
     assert_equal "my-user", config.registry.username
   end
 
+  test "destination is loaded into env" do
+    dest_config_file = Pathname.new(File.expand_path("fixtures/deploy_for_dest.yml", __dir__))
+
+    config = Kamal::Configuration.create_from config_file: dest_config_file, destination: "world"
+    assert_equal ENV["KAMAL_DESTINATION"], "world"
+  end
+
   test "destination yml config merge" do
     dest_config_file = Pathname.new(File.expand_path("fixtures/deploy_for_dest.yml", __dir__))
 
@@ -377,4 +384,15 @@ class ConfigurationTest < ActiveSupport::TestCase
 
     assert_equal "Different roles can't share the same host for SSL: foo.example.com", exception.message
   end
+
+  test "two proxy ssl roles with same host in a hosts array" do
+    @deploy_with_roles[:servers]["web"] = { "hosts" => [ "1.1.1.1" ], "proxy" => { "ssl" => true, "hosts" => [ "foo.example.com", "bar.example.com" ] } }
+    @deploy_with_roles[:servers]["workers"] = { "hosts" => [ "1.1.1.1" ], "proxy" => { "ssl" => true, "hosts" => [ "www.example.com", "foo.example.com" ] } }
+
+    exception = assert_raises(Kamal::ConfigurationError) do
+      Kamal::Configuration.new(@deploy_with_roles)
+    end
+
+    assert_equal "Different roles can't share the same host for SSL: foo.example.com", exception.message
+  end
 end

test/fixtures/deploy_with_accessories_on_independent_server.yml

@@ -0,0 +1,38 @@
+service: app
+image: dhh/app
+servers:
+  web:
+    - "1.1.1.1"
+    - "1.1.1.2"
+  workers:
+    - "1.1.1.3"
+    - "1.1.1.4"
+registry:
+  username: user
+  password: pw
+builder:
+  arch: amd64
+
+accessories:
+  mysql:
+    image: mysql:5.7
+    host: 1.1.1.5
+    port: 3306
+    env:
+      clear:
+        MYSQL_ROOT_HOST: '%'
+      secret:
+        - MYSQL_ROOT_PASSWORD
+    files:
+      - test/fixtures/files/my.cnf:/etc/mysql/my.cnf
+    directories:
+      - data:/var/lib/mysql
+  redis:
+    image: redis:latest
+    roles:
+      - web
+    port: 6379
+    directories:
+      - data:/data
+
+readiness_delay: 0

test/fixtures/deploy_with_single_accessory.yml

@@ -0,0 +1,29 @@
+service: app
+image: dhh/app
+servers:
+  web:
+    - "1.1.1.1"
+    - "1.1.1.2"
+  workers:
+    - "1.1.1.3"
+    - "1.1.1.4"
+registry:
+  username: user
+  password: pw
+builder:
+  arch: amd64
+
+accessories:
+  mysql:
+    image: mysql:5.7
+    host: 1.1.1.5
+    port: 3306
+    env:
+      clear:
+        MYSQL_ROOT_HOST: '%'
+      secret:
+        - MYSQL_ROOT_PASSWORD
+    files:
+      - test/fixtures/files/my.cnf:/etc/mysql/my.cnf
+    directories:
+      - data:/var/lib/mysql

test/integration/app_test.rb

@@ -8,7 +8,7 @@ class AppTest < IntegrationTest
 
     kamal :app, :stop
 
-    assert_app_is_down
+    assert_app_not_found
 
     kamal :app, :start
 
@@ -48,7 +48,7 @@ class AppTest < IntegrationTest
 
     kamal :app, :remove
 
-    assert_app_is_down
+    assert_app_not_found
     assert_app_directory_removed
   end
 end

test/integration/docker/deployer/app_with_roles/config/deploy.yml

@@ -15,14 +15,15 @@ readiness_delay: 0
 
 proxy:
   host: localhost
+  ssl: false
   healthcheck:
     interval: 1
     timeout: 1
     path: "/up"
   response_timeout: 2
   buffering:
-    requests: true
+    requests: false
-    responses: true
+    responses: false
     memory: 400_000
     max_request_body: 40_000_000
     max_response_body: 40_000_000

test/integration/integration_test.rb

@@ -50,6 +50,12 @@ class IntegrationTest < ActiveSupport::TestCase
       assert_equal "502", response.code
     end
 
+    def assert_app_not_found
+      response = app_response
+      debug_response_code(response, "404")
+      assert_equal "404", response.code
+    end
+
     def assert_app_is_up(version: nil, app: @app)
       response = app_response(app: app)
       debug_response_code(response, "200")

test/secrets/bitwarden_adapter_test.rb

@@ -13,6 +13,17 @@ class BitwardenAdapterTest < SecretAdapterTestCase
     assert_equal expected_json, json
   end
 
+  test "fetch with no login" do
+    stub_unlocked
+    stub_ticks.with("bw sync").returns("")
+    stub_noteitem
+
+    error = assert_raises RuntimeError do
+      JSON.parse(shellunescape(run_command("fetch", "mynote")))
+    end
+    assert_match(/not a login type item/, error.message)
+  end
+
   test "fetch with from" do
     stub_unlocked
     stub_ticks.with("bw sync").returns("")
@@ -181,6 +192,30 @@ class BitwardenAdapterTest < SecretAdapterTestCase
         JSON
     end
 
+  def stub_noteitem(session: nil)
+    stub_ticks
+      .with("#{"BW_SESSION=#{session} " if session}bw get item mynote")
+      .returns(<<~JSON)
+          {
+            "passwordHistory":null,
+            "revisionDate":"2024-09-28T09:07:27.461Z",
+            "creationDate":"2024-09-28T09:07:00.740Z",
+            "deletedDate":null,
+            "object":"item",
+            "id":"aaaaaaaa-cccc-eeee-0000-222222222222",
+            "organizationId":null,
+            "folderId":null,
+            "type":2,
+            "reprompt":0,
+            "name":"noteitem",
+            "notes":"NOTES",
+            "favorite":false,
+            "secureNote":{"type":0},
+            "collectionIds":[]
+          }
+        JSON
+  end
+
     def stub_myitem
       stub_ticks
         .with("bw get item myitem")