Escape strings for the shell

Whitespaces in strings were interpreted by the shell as new words. Escaping them ensures the shell sees the string as a single value.
Use 127.0.0.1 for ssh tunnel
2025-08-29 23:53:32 +02:00 · 2025-08-29 23:51:23 +02:00 · 2025-08-29 16:55:50 +02:00 · 2025-08-11 16:05:05 +01:00 · 2025-08-11 11:20:23 +01:00 · 2025-07-22 04:31:00 +00:00
126 changed files with 3178 additions and 606 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,16 +26,12 @@ jobs:
      fail-fast: false
      matrix:
        ruby-version:
          - "3.1"
          - "3.2"
          - "3.3"
          - "3.4"
        gemfile:
          - Gemfile
          - gemfiles/rails_edge.gemfile
        exclude:
          - ruby-version: "3.1"
            gemfile: gemfiles/rails_edge.gemfile
    name: ${{ format('Tests (Ruby {0})', matrix.ruby-version) }}
    runs-on: ubuntu-latest
    env:
--- a/3
+++ b/3
@@ -13,8 +13,7 @@ COPY Gemfile Gemfile.lock kamal.gemspec ./
 COPY lib/kamal/version.rb /kamal/lib/kamal/version.rb
 # Install system dependencies
-RUN apk add --no-cache build-base git docker openrc openssh-client-default yaml-dev \
+RUN apk add --no-cache build-base git docker-cli openssh-client-default yaml-dev \
    && rc-update add docker boot \
    && gem install bundler --version=2.6.5 \
    && bundle install
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,13 +1,13 @@
 PATH
  remote: .
  specs:
-    kamal (2.5.3)
+    kamal (2.7.0)
      activesupport (>= 7.0)
      base64 (~> 0.2)
      bcrypt_pbkdf (~> 1.0)
      concurrent-ruby (~> 1.2)
      dotenv (~> 3.1)
-      ed25519 (~> 1.2)
+      ed25519 (~> 1.4)
      net-ssh (~> 7.3)
      sshkit (>= 1.23.0, < 2.0)
      thor (~> 1.3)
@@ -60,7 +60,7 @@ GEM
      reline (>= 0.3.8)
    dotenv (3.1.5)
    drb (2.2.1)
-    ed25519 (1.3.0)
+    ed25519 (1.4.0)
    erubi (1.13.0)
    i18n (1.14.6)
      concurrent-ruby (~> 1.0)
@@ -82,15 +82,15 @@ GEM
    net-sftp (4.0.0)
      net-ssh (>= 5.0.0, < 8.0.0)
    net-ssh (7.3.0)
-    nokogiri (1.18.3-aarch64-linux-musl)
+    nokogiri (1.18.9-aarch64-linux-musl)
      racc (~> 1.4)
-    nokogiri (1.18.3-arm64-darwin)
+    nokogiri (1.18.9-arm64-darwin)
      racc (~> 1.4)
-    nokogiri (1.18.3-x86_64-darwin)
+    nokogiri (1.18.9-x86_64-darwin)
      racc (~> 1.4)
-    nokogiri (1.18.3-x86_64-linux-gnu)
+    nokogiri (1.18.9-x86_64-linux-gnu)
      racc (~> 1.4)
-    nokogiri (1.18.3-x86_64-linux-musl)
+    nokogiri (1.18.9-x86_64-linux-musl)
      racc (~> 1.4)
    ostruct (0.6.1)
    parallel (1.26.3)
@@ -101,8 +101,9 @@ GEM
      date
      stringio
    racc (1.8.1)
-    rack (3.1.8)
+    rack (3.1.16)
-    rack-session (2.0.0)
+    rack-session (2.1.1)
      base64 (>= 0.1.0)
      rack (>= 3.0.0)
    rack-test (2.1.0)
      rack (>= 1.3)
@@ -168,13 +169,13 @@ GEM
      net-ssh (>= 2.8.0)
      ostruct
    stringio (3.1.2)
-    thor (1.3.2)
+    thor (1.4.0)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
    unicode-display_width (3.1.2)
      unicode-emoji (~> 4.0, >= 4.0.4)
    unicode-emoji (4.0.4)
-    uri (1.0.2)
+    uri (1.0.3)
    useragent (0.16.11)
    zeitwerk (2.7.1)
--- a/kamal.gemspec
+++ b/kamal.gemspec
@@ -17,7 +17,7 @@ Gem::Specification.new do |spec|
  spec.add_dependency "thor", "~> 1.3"
  spec.add_dependency "dotenv", "~> 3.1"
  spec.add_dependency "zeitwerk", ">= 2.6.18", "< 3.0"
-  spec.add_dependency "ed25519", "~> 1.2"
+  spec.add_dependency "ed25519", "~> 1.4"
  spec.add_dependency "bcrypt_pbkdf", "~> 1.0"
  spec.add_dependency "concurrent-ruby", "~> 1.2"
  spec.add_dependency "base64", "~> 0.2"
--- a/lib/kamal/cli/accessory.rb
+++ b/lib/kamal/cli/accessory.rb
@@ -1,4 +1,5 @@
 require "active_support/core_ext/array/conversions"
 require "concurrent/array"
 class Kamal::Cli::Accessory < Kamal::Cli::Base
  desc "boot [NAME]", "Boot new accessory service on host (use NAME=all to boot all accessories)"
@@ -10,14 +11,24 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
        prepare(name) if prepare
        with_accessory(name) do |accessory, hosts|
          booted_hosts = Concurrent::Array.new
          on(hosts) do |host|
            booted_hosts << host.to_s if capture_with_info(*accessory.info(all: true, quiet: true)).strip.presence
          end
          if booted_hosts.any?
            say "Skipping booting `#{name}` on #{booted_hosts.sort.join(", ")}, a container already exists", :yellow
            hosts -= booted_hosts
          end
          directories(name)
          upload(name)
-          on(hosts) do
+          on(hosts) do |host|
            execute *KAMAL.auditor.record("Booted #{name} accessory"), verbosity: :debug
            execute *accessory.ensure_env_directory
            upload! accessory.secrets_io, accessory.secrets_path, mode: "0600"
-            execute *accessory.run
+            execute *accessory.run(host: host)
            if accessory.running_proxy?
              target = capture_with_info(*accessory.container_id_for(container_name: accessory.service_name, only_running: true)).strip
@@ -130,6 +141,8 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
  option :interactive, aliases: "-i", type: :boolean, default: false, desc: "Execute command over ssh for an interactive shell (use for console/bash)"
  option :reuse, type: :boolean, default: false, desc: "Reuse currently running container instead of starting a new one"
  def exec(name, *cmd)
    pre_connect_if_required
    cmd = Kamal::Utils.join_commands(cmd)
    with_accessory(name) do |accessory, hosts|
      case
@@ -139,6 +152,7 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
      when options[:interactive]
        say "Launching interactive command via SSH from new container...", :magenta
        on(accessory.hosts.first) { execute *KAMAL.registry.login }
        run_locally { exec accessory.execute_in_new_container_over_ssh(cmd) }
      when options[:reuse]
@@ -151,6 +165,7 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
      else
        say "Launching command from new container...", :magenta
        on(hosts) do |host|
          execute *KAMAL.registry.login
          execute *KAMAL.auditor.record("Executed cmd '#{cmd}' on #{name} accessory"), verbosity: :debug
          puts_by_host host, capture_with_info(*accessory.execute_in_new_container(cmd))
        end
@@ -275,11 +290,7 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
    end
    def accessory_hosts(accessory)
-      if KAMAL.specific_hosts&.any?
+      KAMAL.accessory_hosts & accessory.hosts
        KAMAL.specific_hosts & accessory.hosts
      else
        accessory.hosts
      end
    end
    def remove_accessory(name)
--- a/lib/kamal/cli/app.rb
+++ b/lib/kamal/cli/app.rb
@@ -7,9 +7,12 @@ class Kamal::Cli::App < Kamal::Cli::Base
        say "Start container with version #{version} (or reboot if already running)...", :magenta
        # Assets are prepared in a separate step to ensure they are on all hosts before booting
-        on(KAMAL.hosts) do
+        on(KAMAL.app_hosts) do
          Kamal::Cli::App::ErrorPages.new(host, self).run
          KAMAL.roles_on(host).each do |role|
-            Kamal::Cli::App::PrepareAssets.new(host, role, self).run
+            Kamal::Cli::App::Assets.new(host, role, self).run
            Kamal::Cli::App::SslCertificates.new(host, role, self).run
          end
        end
@@ -31,7 +34,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
        end
        # Tag once the app booted on all hosts
-        on(KAMAL.hosts) do |host|
+        on(KAMAL.app_hosts) do |host|
          execute *KAMAL.auditor.record("Tagging #{KAMAL.config.absolute_image} as the latest image"), verbosity: :debug
          execute *KAMAL.app.tag_latest_image
        end
@@ -42,7 +45,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
  desc "start", "Start existing app container on servers"
  def start
    with_lock do
-      on(KAMAL.hosts) do |host|
+      on(KAMAL.app_hosts) do |host|
        roles = KAMAL.roles_on(host)
        roles.each do |role|
@@ -65,7 +68,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
  desc "stop", "Stop app container on servers"
  def stop
    with_lock do
-      on(KAMAL.hosts) do |host|
+      on(KAMAL.app_hosts) do |host|
        roles = KAMAL.roles_on(host)
        roles.each do |role|
@@ -89,7 +92,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
  # FIXME: Drop in favor of just containers?
  desc "details", "Show details about app containers"
  def details
-    on(KAMAL.hosts) do |host|
+    on(KAMAL.app_hosts) do |host|
      roles = KAMAL.roles_on(host)
      roles.each do |role|
@@ -104,10 +107,16 @@ class Kamal::Cli::App < Kamal::Cli::Base
  option :env, aliases: "-e", type: :hash, desc: "Set environment variables for the command"
  option :detach, type: :boolean, default: false, desc: "Execute command in a detached container"
  def exec(*cmd)
    pre_connect_if_required
    if (incompatible_options = [ :interactive, :reuse ].select { |key| options[:detach] && options[key] }.presence)
      raise ArgumentError, "Detach is not compatible with #{incompatible_options.join(" or ")}"
    end
    if cmd.empty?
      raise ArgumentError, "No command provided. You must specify a command to execute."
    end
    cmd = Kamal::Utils.join_commands(cmd)
    env = options[:env]
    detach = options[:detach]
@@ -123,6 +132,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
      say "Get most recent version available as an image...", :magenta unless options[:version]
      using_version(version_or_latest) do |version|
        say "Launching interactive command with version #{version} via SSH from new container on #{KAMAL.primary_host}...", :magenta
        on(KAMAL.primary_host) { execute *KAMAL.registry.login }
        run_locally do
          exec KAMAL.app(role: KAMAL.primary_role, host: KAMAL.primary_host).execute_in_new_container_over_ssh(cmd, env: env)
        end
@@ -133,7 +143,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
      using_version(options[:version] || current_running_version) do |version|
        say "Launching command with version #{version} from existing container...", :magenta
-        on(KAMAL.hosts) do |host|
+        on(KAMAL.app_hosts) do |host|
          roles = KAMAL.roles_on(host)
          roles.each do |role|
@@ -147,7 +157,9 @@ class Kamal::Cli::App < Kamal::Cli::Base
      say "Get most recent version available as an image...", :magenta unless options[:version]
      using_version(version_or_latest) do |version|
        say "Launching command with version #{version} from new container...", :magenta
-        on(KAMAL.hosts) do |host|
+        on(KAMAL.app_hosts) do |host|
          execute *KAMAL.registry.login
          roles = KAMAL.roles_on(host)
          roles.each do |role|
@@ -161,7 +173,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
  desc "containers", "Show app containers on servers"
  def containers
-    on(KAMAL.hosts) { |host| puts_by_host host, capture_with_info(*KAMAL.app.list_containers) }
+    on(KAMAL.app_hosts) { |host| puts_by_host host, capture_with_info(*KAMAL.app.list_containers) }
  end
  desc "stale_containers", "Detect app stale containers"
@@ -170,7 +182,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
    stop = options[:stop]
    with_lock_if_stopping do
-      on(KAMAL.hosts) do |host|
+      on(KAMAL.app_hosts) do |host|
        roles = KAMAL.roles_on(host)
        roles.each do |role|
@@ -193,7 +205,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
  desc "images", "Show app images on servers"
  def images
-    on(KAMAL.hosts) { |host| puts_by_host host, capture_with_info(*KAMAL.app.list_images) }
+    on(KAMAL.app_hosts) { |host| puts_by_host host, capture_with_info(*KAMAL.app.list_images) }
  end
  desc "logs", "Show log lines from app on servers (use --help to show options)"
@@ -229,7 +241,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
    else
      lines = options[:lines].presence || ((since || grep) ? nil : 100) # Default to 100 lines if since or grep isn't set
-      on(KAMAL.hosts) do |host|
+      on(KAMAL.app_hosts) do |host|
        roles = KAMAL.roles_on(host)
        roles.each do |role|
@@ -249,14 +261,44 @@ class Kamal::Cli::App < Kamal::Cli::Base
      stop
      remove_containers
      remove_images
-      remove_app_directory
+      remove_app_directories
    end
  end
  desc "live", "Set the app to live mode"
  def live
    with_lock do
      on(KAMAL.proxy_hosts) do |host|
        roles = KAMAL.roles_on(host)
        roles.each do |role|
          execute *KAMAL.app(role: role, host: host).live if role.running_proxy?
        end
      end
    end
  end
  desc "maintenance", "Set the app to maintenance mode"
  option :drain_timeout, type: :numeric, desc: "How long to allow in-flight requests to complete (defaults to drain_timeout from config)"
  option :message, type: :string, desc: "Message to display to clients while stopped"
  def maintenance
    maintenance_options = { drain_timeout: options[:drain_timeout] || KAMAL.config.drain_timeout, message: options[:message] }
    with_lock do
      on(KAMAL.proxy_hosts) do |host|
        roles = KAMAL.roles_on(host)
        roles.each do |role|
          execute *KAMAL.app(role: role, host: host).maintenance(**maintenance_options) if role.running_proxy?
        end
      end
    end
  end
  desc "remove_container [VERSION]", "Remove app container with given version from servers", hide: true
  def remove_container(version)
    with_lock do
-      on(KAMAL.hosts) do |host|
+      on(KAMAL.app_hosts) do |host|
        roles = KAMAL.roles_on(host)
        roles.each do |role|
@@ -270,7 +312,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
  desc "remove_containers", "Remove all app containers from servers", hide: true
  def remove_containers
    with_lock do
-      on(KAMAL.hosts) do |host|
+      on(KAMAL.app_hosts) do |host|
        roles = KAMAL.roles_on(host)
        roles.each do |role|
@@ -284,30 +326,33 @@ class Kamal::Cli::App < Kamal::Cli::Base
  desc "remove_images", "Remove all app images from servers", hide: true
  def remove_images
    with_lock do
-      on(KAMAL.hosts) do
+      on(KAMAL.app_hosts) do
        execute *KAMAL.auditor.record("Removed all app images"), verbosity: :debug
        execute *KAMAL.app.remove_images
      end
    end
  end
-  desc "remove_app_directory", "Remove the service directory from servers", hide: true
+  desc "remove_app_directories", "Remove the app directories from servers", hide: true
-  def remove_app_directory
+  def remove_app_directories
    with_lock do
-      on(KAMAL.hosts) do |host|
+      on(KAMAL.app_hosts) do |host|
        roles = KAMAL.roles_on(host)
        roles.each do |role|
-          execute *KAMAL.auditor.record("Removed #{KAMAL.config.app_directory} on all servers", role: role), verbosity: :debug
+          execute *KAMAL.auditor.record("Removed #{KAMAL.config.app_directory}", role: role), verbosity: :debug
          execute *KAMAL.server.remove_app_directory, raise_on_non_zero_exit: false
        end
        execute *KAMAL.auditor.record("Removed #{KAMAL.config.app_directory}"), verbosity: :debug
        execute *KAMAL.app.remove_proxy_app_directory, raise_on_non_zero_exit: false
      end
    end
  end
  desc "version", "Show app version currently running on servers"
  def version
-    on(KAMAL.hosts) do |host|
+    on(KAMAL.app_hosts) do |host|
      role = KAMAL.roles_on(host).first
      puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).current_running_version).strip
    end
@@ -350,6 +395,6 @@ class Kamal::Cli::App < Kamal::Cli::Base
    end
    def host_boot_groups
-      KAMAL.config.boot.limit ? KAMAL.hosts.each_slice(KAMAL.config.boot.limit).to_a : [ KAMAL.hosts ]
+      KAMAL.config.boot.limit ? KAMAL.app_hosts.each_slice(KAMAL.config.boot.limit).to_a : [ KAMAL.app_hosts ]
    end
 end
--- a/lib/kamal/cli/app/prepare_assets.rb
+++ b/lib/kamal/cli/app/prepare_assets.rb
@@ -1,4 +1,4 @@
-class Kamal::Cli::App::PrepareAssets
+class Kamal::Cli::App::Assets
  attr_reader :host, :role, :sshkit
  delegate :execute, :capture_with_info, :info, to: :sshkit
  delegate :assets?, to: :role
--- a/lib/kamal/cli/app/boot.rb
+++ b/lib/kamal/cli/app/boot.rb
@@ -70,6 +70,7 @@ class Kamal::Cli::App::Boot
    def stop_old_version(version)
      execute *app.stop(version: version), raise_on_non_zero_exit: false
      execute *app.clean_up_assets if assets?
      execute *app.clean_up_error_pages if KAMAL.config.error_pages_path
    end
    def release_barrier
--- a/lib/kamal/cli/app/error_pages.rb
+++ b/lib/kamal/cli/app/error_pages.rb
@@ -0,0 +1,33 @@
 class Kamal::Cli::App::ErrorPages
  ERROR_PAGES_GLOB = "{4??.html,5??.html}"
  attr_reader :host, :sshkit
  delegate :upload!, :execute, to: :sshkit
  def initialize(host, sshkit)
    @host = host
    @sshkit = sshkit
  end
  def run
    if KAMAL.config.error_pages_path
      with_error_pages_tmpdir do |local_error_pages_dir|
        execute *KAMAL.app.create_error_pages_directory
        upload! local_error_pages_dir, KAMAL.config.proxy_boot.error_pages_directory, mode: "0700", recursive: true
      end
    end
  end
  private
    def with_error_pages_tmpdir
      Dir.mktmpdir("kamal-error-pages") do |tmpdir|
        error_pages_dir = File.join(tmpdir, KAMAL.config.version)
        FileUtils.mkdir(error_pages_dir)
        if (files = Dir[File.join(KAMAL.config.error_pages_path, ERROR_PAGES_GLOB)]).any?
          FileUtils.cp(files, error_pages_dir)
          yield error_pages_dir
        end
      end
    end
 end
--- a/lib/kamal/cli/app/ssl_certificates.rb
+++ b/lib/kamal/cli/app/ssl_certificates.rb
@@ -0,0 +1,28 @@
 class Kamal::Cli::App::SslCertificates
  attr_reader :host, :role, :sshkit
  delegate :execute, :info, :upload!, to: :sshkit
  def initialize(host, role, sshkit)
    @host = host
    @role = role
    @sshkit = sshkit
  end
  def run
    if role.running_proxy? && role.proxy.custom_ssl_certificate?
      info "Writing SSL certificates for #{role.name} on #{host}"
      execute *app.create_ssl_directory
      if cert_content = role.proxy.certificate_pem_content
        upload!(StringIO.new(cert_content), role.proxy.host_tls_cert, mode: "0644")
      end
      if key_content = role.proxy.private_key_pem_content
        upload!(StringIO.new(key_content), role.proxy.host_tls_key, mode: "0644")
      end
    end
  end
  private
    def app
      @app ||= KAMAL.app(role: role, host: host)
    end
 end
--- a/lib/kamal/cli/base.rb
+++ b/lib/kamal/cli/base.rb
@@ -133,7 +133,13 @@ module Kamal::Cli
      def run_hook(hook, **extra_details)
        if !options[:skip_hooks] && KAMAL.hook.hook_exists?(hook)
-          details = { hosts: KAMAL.hosts.join(","), command: command, subcommand: subcommand }
+          details = {
            hosts: KAMAL.hosts.join(","),
            roles: KAMAL.specific_roles&.join(","),
            lock: KAMAL.holding_lock?.to_s,
            command: command,
            subcommand: subcommand
          }.compact
          say "Running the #{hook} hook...", :magenta
          with_env KAMAL.hook.env(**details, **extra_details) do
@@ -147,12 +153,16 @@ module Kamal::Cli
      end
      def on(*args, &block)
        pre_connect_if_required
        super
      end
      def pre_connect_if_required
        if !KAMAL.connected?
          run_hook "pre-connect"
          KAMAL.connected = true
        end
        super
      end
      def command
--- a/lib/kamal/cli/build.rb
+++ b/lib/kamal/cli/build.rb
@@ -14,7 +14,13 @@ class Kamal::Cli::Build < Kamal::Cli::Base
  def push
    cli = self
    # Ensure pre-connect hooks run before the build, they may needed for a remote builder
    # or the pre-build hooks.
    pre_connect_if_required
    ensure_docker_installed
    login_to_registry_locally
    run_hook "pre-build"
    uncommitted_changes = Kamal::Git.uncommitted_changes
@@ -61,14 +67,18 @@ class Kamal::Cli::Build < Kamal::Cli::Base
  desc "pull", "Pull app image from registry onto servers"
  def pull
-    if (first_hosts = mirror_hosts).any?
+    login_to_registry_remotely unless KAMAL.registry.local?
-      #  Pull on a single host per mirror first to seed them
+
-      say "Pulling image on #{first_hosts.join(", ")} to seed the #{"mirror".pluralize(first_hosts.count)}...", :magenta
+    forward_local_registry_port do
-      pull_on_hosts(first_hosts)
+      if (first_hosts = mirror_hosts).any?
-      say "Pulling image on remaining hosts...", :magenta
+        #  Pull on a single host per mirror first to seed them
-      pull_on_hosts(KAMAL.hosts - first_hosts)
+        say "Pulling image on #{first_hosts.join(", ")} to seed the #{"mirror".pluralize(first_hosts.count)}...", :magenta
-    else
+        pull_on_hosts(first_hosts)
-      pull_on_hosts(KAMAL.hosts)
+        say "Pulling image on remaining hosts...", :magenta
        pull_on_hosts(KAMAL.app_hosts - first_hosts)
      else
        pull_on_hosts(KAMAL.app_hosts)
      end
    end
  end
@@ -159,9 +169,9 @@ class Kamal::Cli::Build < Kamal::Cli::Base
    end
    def mirror_hosts
-      if KAMAL.hosts.many?
+      if KAMAL.app_hosts.many?
        mirror_hosts = Concurrent::Hash.new
-        on(KAMAL.hosts) do |host|
+        on(KAMAL.app_hosts) do |host|
          first_mirror = capture_with_info(*KAMAL.builder.first_mirror).strip.presence
          mirror_hosts[first_mirror] ||= host.to_s if first_mirror
        rescue SSHKit::Command::Failed => e
@@ -181,4 +191,30 @@ class Kamal::Cli::Build < Kamal::Cli::Base
        execute *KAMAL.builder.validate_image
      end
    end
    def login_to_registry_locally
      run_locally do
        if KAMAL.registry.local?
          execute *KAMAL.registry.setup
        else
          execute *KAMAL.registry.login
        end
      end
    end
    def login_to_registry_remotely
      on(KAMAL.app_hosts) do
        execute *KAMAL.registry.login
      end
    end
    def forward_local_registry_port(&block)
      if KAMAL.config.registry.local?
        Kamal::Cli::PortForwarding.
          new(KAMAL.hosts, KAMAL.config.registry.local_port).
          forward(&block)
      else
        yield
      end
    end
 end
--- a/lib/kamal/cli/main.rb
+++ b/lib/kamal/cli/main.rb
@@ -20,9 +20,6 @@ class Kamal::Cli::Main < Kamal::Cli::Base
    runtime = print_runtime do
      invoke_options = deploy_options
      say "Log into image registry...", :magenta
      invoke "kamal:cli:registry:login", [], invoke_options.merge(skip_local: options[:skip_push])
      if options[:skip_push]
        say "Pull app image...", :magenta
        invoke "kamal:cli:build:pull", [], invoke_options
@@ -52,7 +49,7 @@ class Kamal::Cli::Main < Kamal::Cli::Base
    run_hook "post-deploy", secrets: true, runtime: runtime.round.to_s
  end
-  desc "redeploy", "Deploy app to servers without bootstrapping servers, starting kamal-proxy, pruning, and registry login"
+  desc "redeploy", "Deploy app to servers without bootstrapping servers, starting kamal-proxy and pruning"
  option :skip_push, aliases: "-P", type: :boolean, default: false, desc: "Skip image build and push"
  def redeploy
    runtime = print_runtime do
@@ -185,7 +182,7 @@ class Kamal::Cli::Main < Kamal::Cli::Base
        invoke "kamal:cli:app:remove", [], options.without(:confirmed)
        invoke "kamal:cli:proxy:remove", [], options.without(:confirmed)
        invoke "kamal:cli:accessory:remove", [ "all" ], options
-        invoke "kamal:cli:registry:logout", [], options.without(:confirmed).merge(skip_local: true)
+        invoke "kamal:cli:registry:remove", [], options.without(:confirmed).merge(skip_local: true)
      end
    end
  end
@@ -197,10 +194,10 @@ class Kamal::Cli::Main < Kamal::Cli::Base
    confirming "This will replace Traefik with kamal-proxy and restart all accessories" do
      with_lock do
        if options[:rolling]
-          (KAMAL.hosts | KAMAL.accessory_hosts).each do |host|
+          KAMAL.hosts.each do |host|
            KAMAL.with_specific_hosts(host) do
              say "Upgrading #{host}...", :magenta
-              if KAMAL.hosts.include?(host)
+              if KAMAL.app_hosts.include?(host)
                invoke "kamal:cli:proxy:upgrade", [], options.merge(confirmed: true, rolling: false)
                reset_invocation(Kamal::Cli::Proxy)
              end
@@ -256,7 +253,7 @@ class Kamal::Cli::Main < Kamal::Cli::Base
  private
    def container_available?(version)
      begin
-        on(KAMAL.hosts) do
+        on(KAMAL.app_hosts) do
          KAMAL.roles_on(host).each do |role|
            container_id = capture_with_info(*KAMAL.app(role: role, host: host).container_id_for_version(version))
            raise "Container not found" unless container_id.present?
--- a/lib/kamal/cli/port_forwarding.rb
+++ b/lib/kamal/cli/port_forwarding.rb
@@ -0,0 +1,42 @@
 class Kamal::Cli::PortForwarding
 	attr_reader :hosts, :port
 	def initialize(hosts, port)
 		@hosts = hosts
 		@port = port
 	end
 	def forward
 		@done = false
 		forward_ports
 		yield
 	ensure
 		stop
 	end
 	private
 	def stop
 		@done = true
 		@threads.to_a.each(&:join)
 	end
 	def forward_ports
 		@threads = hosts.map do |host|
 			Thread.new do
 				Net::SSH.start(host, KAMAL.config.ssh.user) do |ssh|
 					ssh.forward.remote(port, "127.0.0.1", port)
 					ssh.loop(0.1) do
 						if @done
 							ssh.forward.cancel_remote(port)
 							break
 						else
 							true
 						end
 					end
 				end
 			end
 		end
 	end
 end
--- a/lib/kamal/cli/proxy.rb
+++ b/lib/kamal/cli/proxy.rb
@@ -13,9 +13,10 @@ class Kamal::Cli::Proxy < Kamal::Cli::Base
        version = capture_with_info(*KAMAL.proxy.version).strip.presence
-        if version && Kamal::Utils.older_version?(version, Kamal::Configuration::PROXY_MINIMUM_VERSION)
+        if version && Kamal::Utils.older_version?(version, Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION)
-          raise "kamal-proxy version #{version} is too old, run `kamal proxy reboot` in order to update to at least #{Kamal::Configuration::PROXY_MINIMUM_VERSION}"
+          raise "kamal-proxy version #{version} is too old, run `kamal proxy reboot` in order to update to at least #{Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION}"
        end
        execute *KAMAL.proxy.ensure_apps_config_directory
        execute *KAMAL.proxy.start_or_run
      end
    end
@@ -24,30 +25,75 @@ class Kamal::Cli::Proxy < Kamal::Cli::Base
  desc "boot_config <set|get|reset>", "Manage kamal-proxy boot configuration"
  option :publish, type: :boolean, default: true, desc: "Publish the proxy ports on the host"
  option :publish_host_ip, type: :string, repeatable: true, default: nil, desc: "Host IP address to bind HTTP/HTTPS traffic to. Defaults to all interfaces"
-  option :http_port, type: :numeric, default: Kamal::Configuration::PROXY_HTTP_PORT, desc: "HTTP port to publish on the host"
+  option :http_port, type: :numeric, default: Kamal::Configuration::Proxy::Boot::DEFAULT_HTTP_PORT, desc: "HTTP port to publish on the host"
-  option :https_port, type: :numeric, default: Kamal::Configuration::PROXY_HTTPS_PORT, desc: "HTTPS port to publish on the host"
+  option :https_port, type: :numeric, default: Kamal::Configuration::Proxy::Boot::DEFAULT_HTTPS_PORT, desc: "HTTPS port to publish on the host"
-  option :log_max_size, type: :string, default: Kamal::Configuration::PROXY_LOG_MAX_SIZE, desc: "Max size of proxy logs"
+  option :log_max_size, type: :string, default: Kamal::Configuration::Proxy::Boot::DEFAULT_LOG_MAX_SIZE, desc: "Max size of proxy logs"
  option :registry, type: :string, default: nil, desc: "Registry to use for the proxy image"
  option :repository, type: :string, default: nil, desc: "Repository for the proxy image"
  option :image_version, type: :string, default: nil, desc: "Version of the proxy to run"
  option :metrics_port, type: :numeric, default: nil, desc: "Port to report prometheus metrics on"
  option :debug, type: :boolean, default: false, desc: "Whether to run the proxy in debug mode"
  option :docker_options, type: :array, default: [], desc: "Docker options to pass to the proxy container", banner: "option=value option2=value2"
  def boot_config(subcommand)
    proxy_boot_config = KAMAL.config.proxy_boot
    case subcommand
    when "set"
      boot_options = [
-        *(KAMAL.config.proxy_publish_args(options[:http_port], options[:https_port], options[:publish_host_ip]) if options[:publish]),
+        *(proxy_boot_config.publish_args(options[:http_port], options[:https_port], options[:publish_host_ip]) if options[:publish]),
-        *(KAMAL.config.proxy_logging_args(options[:log_max_size])),
+        *(proxy_boot_config.logging_args(options[:log_max_size])),
        *("--expose=#{options[:metrics_port]}" if options[:metrics_port]),
        *options[:docker_options].map { |option| "--#{option}" }
      ]
      image = [
        options[:registry].presence,
        options[:repository].presence || proxy_boot_config.repository_name,
        proxy_boot_config.image_name
      ].compact.join("/")
      image_version = options[:image_version]
      run_command_options = { debug: options[:debug] || nil, "metrics-port": options[:metrics_port] }.compact
      run_command = "kamal-proxy run #{Kamal::Utils.optionize(run_command_options).join(" ")}" if run_command_options.any?
      on(KAMAL.proxy_hosts) do |host|
        execute(*KAMAL.proxy.ensure_proxy_directory)
-        upload! StringIO.new(boot_options.join(" ")), KAMAL.config.proxy_options_file
+        if boot_options != proxy_boot_config.default_boot_options
          upload! StringIO.new(boot_options.join(" ")), proxy_boot_config.options_file
        else
          execute *KAMAL.proxy.reset_boot_options, raise_on_non_zero_exit: false
        end
        if image != proxy_boot_config.image_default
          upload! StringIO.new(image), proxy_boot_config.image_file
        else
          execute *KAMAL.proxy.reset_image, raise_on_non_zero_exit: false
        end
        if image_version
          upload! StringIO.new(image_version), proxy_boot_config.image_version_file
        else
          execute *KAMAL.proxy.reset_image_version, raise_on_non_zero_exit: false
        end
        if run_command
          upload! StringIO.new(run_command), proxy_boot_config.run_command_file
        else
          execute *KAMAL.proxy.reset_run_command, raise_on_non_zero_exit: false
        end
      end
    when "get"
      on(KAMAL.proxy_hosts) do |host|
-        puts "Host #{host}: #{capture_with_info(*KAMAL.proxy.get_boot_options)}"
+        puts "Host #{host}: #{capture_with_info(*KAMAL.proxy.boot_config)}"
      end
    when "reset"
      on(KAMAL.proxy_hosts) do |host|
-        execute *KAMAL.proxy.reset_boot_options
+        execute *KAMAL.proxy.reset_boot_options, raise_on_non_zero_exit: false
        execute *KAMAL.proxy.reset_image, raise_on_non_zero_exit: false
        execute *KAMAL.proxy.reset_image_version, raise_on_non_zero_exit: false
        execute *KAMAL.proxy.reset_run_command, raise_on_non_zero_exit: false
      end
    else
      raise ArgumentError, "Unknown boot_config subcommand #{subcommand}"
@@ -71,20 +117,9 @@ class Kamal::Cli::Proxy < Kamal::Cli::Base
            "Stopping and removing kamal-proxy on #{host}, if running..."
            execute *KAMAL.proxy.stop, raise_on_non_zero_exit: false
            execute *KAMAL.proxy.remove_container
            execute *KAMAL.proxy.ensure_apps_config_directory
            execute *KAMAL.proxy.run
            KAMAL.roles_on(host).select(&:running_proxy?).each do |role|
              app = KAMAL.app(role: role, host: host)
              version = capture_with_info(*app.current_running_version, raise_on_non_zero_exit: false).strip
              endpoint = capture_with_info(*app.container_id_for_version(version)).strip
              if endpoint.present?
                info "Deploying #{endpoint} for role `#{role}` on #{host}..."
                execute *app.deploy(target: endpoint)
              end
            end
          end
          run_hook "post-proxy-reboot", hosts: host_list
        end
--- a/lib/kamal/cli/registry.rb
+++ b/lib/kamal/cli/registry.rb
@@ -1,19 +1,27 @@
 class Kamal::Cli::Registry < Kamal::Cli::Base
-  desc "login", "Log in to registry locally and remotely"
+  desc "setup", "Setup local registry or log in to remote registry locally and remotely"
  option :skip_local, aliases: "-L", type: :boolean, default: false, desc: "Skip local login"
  option :skip_remote, aliases: "-R", type: :boolean, default: false, desc: "Skip remote login"
-  def login
+  def setup
    ensure_docker_installed unless options[:skip_local]
-    run_locally    { execute *KAMAL.registry.login } unless options[:skip_local]
+    if KAMAL.registry.local?
-    on(KAMAL.hosts) { execute *KAMAL.registry.login } unless options[:skip_remote]
+      run_locally    { execute *KAMAL.registry.setup } unless options[:skip_local]
    else
      run_locally    { execute *KAMAL.registry.login } unless options[:skip_local]
      on(KAMAL.hosts) { execute *KAMAL.registry.login } unless options[:skip_remote]
    end
  end
-  desc "logout", "Log out of registry locally and remotely"
+  desc "remove", "Remove local registry or log out of remote registry locally and remotely"
  option :skip_local, aliases: "-L", type: :boolean, default: false, desc: "Skip local login"
  option :skip_remote, aliases: "-R", type: :boolean, default: false, desc: "Skip remote login"
-  def logout
+  def remove
-    run_locally    { execute *KAMAL.registry.logout } unless options[:skip_local]
+    if KAMAL.registry.local?
-    on(KAMAL.hosts) { execute *KAMAL.registry.logout } unless options[:skip_remote]
+      run_locally    { execute *KAMAL.registry.remove, raise_on_non_zero_exit: false } unless options[:skip_local]
    else
      run_locally    { execute *KAMAL.registry.logout } unless options[:skip_local]
      on(KAMAL.hosts) { execute *KAMAL.registry.logout } unless options[:skip_remote]
    end
  end
 end
--- a/lib/kamal/cli/server.rb
+++ b/lib/kamal/cli/server.rb
@@ -2,8 +2,10 @@ class Kamal::Cli::Server < Kamal::Cli::Base
  desc "exec", "Run a custom command on the server (use --help to show options)"
  option :interactive, type: :boolean, aliases: "-i", default: false, desc: "Run the command interactively (use for console/bash)"
  def exec(*cmd)
    pre_connect_if_required
    cmd = Kamal::Utils.join_commands(cmd)
-    hosts = KAMAL.hosts | KAMAL.accessory_hosts
+    hosts = KAMAL.hosts
    case
    when options[:interactive]
@@ -27,7 +29,7 @@ class Kamal::Cli::Server < Kamal::Cli::Base
    with_lock do
      missing = []
-      on(KAMAL.hosts | KAMAL.accessory_hosts) do |host|
+      on(KAMAL.hosts) do |host|
        unless execute(*KAMAL.docker.installed?, raise_on_non_zero_exit: false)
          if execute(*KAMAL.docker.superuser?, raise_on_non_zero_exit: false)
            info "Missing Docker on #{host}. Installing…"
--- a/lib/kamal/cli/templates/deploy.yml
+++ b/lib/kamal/cli/templates/deploy.yml
@@ -25,13 +25,14 @@ proxy:
 # Credentials for your image host.
 registry:
  server: localhost:5555
  # Specify the registry server, if you're not using Docker Hub
  # server: registry.digitalocean.com / ghcr.io / ...
-  username: my-user
+  # username: my-user
  # Always use an access token rather than real password (pulled from .kamal/secrets).
-  password:
+  # password:
-    - KAMAL_REGISTRY_PASSWORD
+  #   - KAMAL_REGISTRY_PASSWORD
 # Configure builder setup.
 builder:
@@ -39,7 +40,6 @@ builder:
  # Pass in additional build args needed for your Dockerfile.
  # args:
  #   RUBY_VERSION: <%= ENV["RBENV_VERSION"] || ENV["rvm_ruby_string"] || "#{RUBY_ENGINE}-#{RUBY_ENGINE_VERSION}" %>
 # Inject ENV variables into containers (secrets come from .kamal/secrets).
 #
 # env:
--- a/lib/kamal/cli/templates/sample_hooks/post-deploy.sample
+++ b/lib/kamal/cli/templates/sample_hooks/post-deploy.sample
@@ -7,7 +7,7 @@
 # KAMAL_PERFORMER
 # KAMAL_VERSION
 # KAMAL_HOSTS
-# KAMAL_ROLE (if set)
+# KAMAL_ROLES (if set)
 # KAMAL_DESTINATION (if set)
 # KAMAL_RUNTIME
--- a/lib/kamal/cli/templates/sample_hooks/pre-build.sample
+++ b/lib/kamal/cli/templates/sample_hooks/pre-build.sample
@@ -13,7 +13,7 @@
 # KAMAL_PERFORMER
 # KAMAL_VERSION
 # KAMAL_HOSTS
-# KAMAL_ROLE (if set)
+# KAMAL_ROLES (if set)
 # KAMAL_DESTINATION (if set)
 if [ -n "$(git status --porcelain)" ]; then
--- a/lib/kamal/cli/templates/sample_hooks/pre-connect.sample
+++ b/lib/kamal/cli/templates/sample_hooks/pre-connect.sample
@@ -9,7 +9,7 @@
 # KAMAL_PERFORMER
 # KAMAL_VERSION
 # KAMAL_HOSTS
-# KAMAL_ROLE (if set)
+# KAMAL_ROLES (if set)
 # KAMAL_DESTINATION (if set)
 # KAMAL_RUNTIME
--- a/lib/kamal/cli/templates/sample_hooks/pre-deploy.sample
+++ b/lib/kamal/cli/templates/sample_hooks/pre-deploy.sample
@@ -13,7 +13,7 @@
 # KAMAL_HOSTS
 # KAMAL_COMMAND
 # KAMAL_SUBCOMMAND
-# KAMAL_ROLE (if set)
+# KAMAL_ROLES (if set)
 # KAMAL_DESTINATION (if set)
 # Only check the build status for production deployments
@@ -43,7 +43,7 @@ class GithubStatusChecks
  attr_reader :remote_url, :git_sha, :github_client, :combined_status
  def initialize
-    @remote_url = `git config --get remote.origin.url`.strip.delete_prefix("https://github.com/")
+    @remote_url = github_repo_from_remote_url
    @git_sha = `git rev-parse HEAD`.strip
    @github_client = Octokit::Client.new(access_token: ENV["GITHUB_TOKEN"])
    refresh!
@@ -77,16 +77,29 @@ class GithubStatusChecks
      "Build not started..."
    end
  end
  private
    def github_repo_from_remote_url
      url = `git config --get remote.origin.url`.strip.delete_suffix(".git")
      if url.start_with?("https://github.com/")
        url.delete_prefix("https://github.com/")
      elsif url.start_with?("git@github.com:")
        url.delete_prefix("git@github.com:")
      else
        url
      end
    end
 end
 $stdout.sync = true
 puts "Checking build status..."
 attempts = 0
 checks = GithubStatusChecks.new
 begin
  puts "Checking build status..."
  attempts = 0
  checks = GithubStatusChecks.new
  loop do
    case checks.state
    when "success"
--- a/lib/kamal/cli/templates/secrets
+++ b/lib/kamal/cli/templates/secrets
@@ -3,7 +3,7 @@
 # password manager, ENV, or a file. DO NOT ENTER RAW CREDENTIALS HERE! This file needs to be safe for git.
 # Option 1: Read secrets from the environment
-KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
+# KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
 # Option 2: Read secrets via a command
 # RAILS_MASTER_KEY=$(cat config/master.key)
--- a/lib/kamal/commander.rb
+++ b/lib/kamal/commander.rb
@@ -5,7 +5,7 @@ require "active_support/core_ext/object/blank"
 class Kamal::Commander
  attr_accessor :verbosity, :holding_lock, :connected
  attr_reader :specific_roles, :specific_hosts
-  delegate :hosts, :roles, :primary_host, :primary_role, :roles_on, :proxy_hosts, :accessory_hosts, to: :specifics
+  delegate :hosts, :roles, :primary_host, :primary_role, :roles_on, :app_hosts, :proxy_hosts, :accessory_hosts, to: :specifics
  def initialize
    reset
@@ -13,7 +13,7 @@ class Kamal::Commander
  def reset
    self.verbosity = :info
-    self.holding_lock = false
+    self.holding_lock = ENV["KAMAL_LOCK"] == "true"
    self.connected = false
    @specifics = @specific_roles = @specific_hosts = nil
    @config = @config_kwargs = nil
@@ -21,7 +21,7 @@ class Kamal::Commander
  end
  def config
-    @config ||= Kamal::Configuration.create_from(**@config_kwargs).tap do |config|
+    @config ||= Kamal::Configuration.create_from(**@config_kwargs.to_h).tap do |config|
      @config_kwargs = nil
      configure_sshkit_with(config)
    end
--- a/lib/kamal/commander/specifics.rb
+++ b/lib/kamal/commander/specifics.rb
@@ -11,13 +11,17 @@ class Kamal::Commander::Specifics
    @primary_role = primary_or_first_role(roles_on(primary_host))
    stable_sort!(roles) { |role| role == primary_role ? 0 : 1 }
-    stable_sort!(hosts) { |host| roles_on(host).any? { |role| role == primary_role } ? 0 : 1 }
+    sort_primary_role_hosts_first!(hosts)
  end
  def roles_on(host)
    roles.select { |role| role.hosts.include?(host.to_s) }
  end
  def app_hosts
    @app_hosts ||= sort_primary_role_hosts_first!(config.app_hosts & specified_hosts)
  end
  def proxy_hosts
    config.proxy_hosts & specified_hosts
  end
@@ -51,4 +55,8 @@ class Kamal::Commander::Specifics
        specified_hosts
      end
    end
    def sort_primary_role_hosts_first!(hosts)
      stable_sort!(hosts) { |host| roles_on(host).any? { |role| role == primary_role } ? 0 : 1 }
    end
 end
--- a/lib/kamal/commands/accessory.rb
+++ b/lib/kamal/commands/accessory.rb
@@ -6,14 +6,13 @@ class Kamal::Commands::Accessory < Kamal::Commands::Base
           :network_args, :publish_args, :env_args, :volume_args, :label_args, :option_args,
           :secrets_io, :secrets_path, :env_directory, :proxy, :running_proxy?, :registry,
           to: :accessory_config
  delegate :proxy_container_name, to: :config
  def initialize(config, name:)
    super(config)
    @accessory_config = config.accessory(name)
  end
-  def run
+  def run(host: nil)
    docker :run,
      "--name", service_name,
      "--detach",
@@ -21,6 +20,7 @@ class Kamal::Commands::Accessory < Kamal::Commands::Base
      *network_args,
      *config.logging_args,
      *publish_args,
      *([ "--env", "KAMAL_HOST=\"#{host}\"" ] if host),
      *env_args,
      *volume_args,
      *label_args,
@@ -37,8 +37,8 @@ class Kamal::Commands::Accessory < Kamal::Commands::Base
    docker :container, :stop, service_name
  end
-  def info
+  def info(all: false, quiet: false)
-    docker :ps, *service_filter
+    docker :ps, *("-a" if all), *("-q" if quiet), *service_filter
  end
  def logs(timestamps: true, since: nil, lines: nil, grep: nil, grep_options: nil)
@@ -56,14 +56,14 @@ class Kamal::Commands::Accessory < Kamal::Commands::Base
  def execute_in_existing_container(*command, interactive: false)
    docker :exec,
-      ("-it" if interactive),
+      (docker_interactive_args if interactive),
      service_name,
      *command
  end
  def execute_in_new_container(*command, interactive: false)
    docker :run,
-      ("-it" if interactive),
+      (docker_interactive_args if interactive),
      "--rm",
      *network_args,
      *env_args,
--- a/lib/kamal/commands/accessory/proxy.rb
+++ b/lib/kamal/commands/accessory/proxy.rb
@@ -1,5 +1,5 @@
 module Kamal::Commands::Accessory::Proxy
-  delegate :proxy_container_name, to: :config
+  delegate :container_name, to: :"config.proxy_boot", prefix: :proxy
  def deploy(target:)
    proxy_exec :deploy, service_name, *proxy.deploy_command_args(target: target)
--- a/lib/kamal/commands/app.rb
+++ b/lib/kamal/commands/app.rb
@@ -1,5 +1,5 @@
 class Kamal::Commands::App < Kamal::Commands::Base
-  include Assets, Containers, Execution, Images, Logging, Proxy
+  include Assets, Containers, ErrorPages, Execution, Images, Logging, Proxy
  ACTIVE_DOCKER_STATUSES = [ :running, :restarting ]
@@ -20,8 +20,9 @@ class Kamal::Commands::App < Kamal::Commands::Base
      "--name", container_name,
      "--network", "kamal",
      *([ "--hostname", hostname ] if hostname),
-      "-e", "KAMAL_CONTAINER_NAME=\"#{container_name}\"",
+      "--env", "KAMAL_CONTAINER_NAME=\"#{container_name}\"",
-      "-e", "KAMAL_VERSION=\"#{config.version}\"",
+      "--env", "KAMAL_VERSION=\"#{config.version}\"",
      "--env", "KAMAL_HOST=\"#{host}\"",
      *role.env_args(host),
      *role.logging_args,
      *config.volume_args,
--- a/lib/kamal/commands/app/error_pages.rb
+++ b/lib/kamal/commands/app/error_pages.rb
@@ -0,0 +1,9 @@
 module Kamal::Commands::App::ErrorPages
  def create_error_pages_directory
    make_directory(config.proxy_boot.error_pages_directory)
  end
  def clean_up_error_pages
    [ :find, config.proxy_boot.error_pages_directory, "-mindepth", "1", "-maxdepth", "1", "!", "-name", KAMAL.config.version, "-exec", "rm", "-rf", "{} +" ]
  end
 end
--- a/lib/kamal/commands/app/execution.rb
+++ b/lib/kamal/commands/app/execution.rb
@@ -1,7 +1,7 @@
 module Kamal::Commands::App::Execution
  def execute_in_existing_container(*command, interactive: false, env:)
    docker :exec,
-      ("-it" if interactive),
+      (docker_interactive_args if interactive),
      *argumentize("--env", env),
      container_name,
      *command
@@ -9,7 +9,7 @@ module Kamal::Commands::App::Execution
  def execute_in_new_container(*command, interactive: false, detach: false, env:)
    docker :run,
-      ("-it" if interactive),
+      (docker_interactive_args if interactive),
      ("--detach" if detach),
      ("--rm" unless detach),
      "--network", "kamal",
--- a/lib/kamal/commands/app/proxy.rb
+++ b/lib/kamal/commands/app/proxy.rb
@@ -1,5 +1,5 @@
 module Kamal::Commands::App::Proxy
-  delegate :proxy_container_name, to: :config
+  delegate :container_name, to: :"config.proxy_boot", prefix: :proxy
  def deploy(target:)
    proxy_exec :deploy, role.container_prefix, *role.proxy.deploy_command_args(target: target)
@@ -9,6 +9,22 @@ module Kamal::Commands::App::Proxy
    proxy_exec :remove, role.container_prefix
  end
  def live
    proxy_exec :resume, role.container_prefix
  end
  def maintenance(**options)
    proxy_exec :stop, role.container_prefix, *role.proxy.stop_command_args(**options)
  end
  def remove_proxy_app_directory
    remove_directory config.proxy_boot.app_directory
  end
  def create_ssl_directory
    make_directory(File.join(config.proxy_boot.tls_directory, role.name))
  end
  private
    def proxy_exec(*command)
      docker :exec, proxy_container_name, "kamal-proxy", *command
--- a/lib/kamal/commands/auditor.rb
+++ b/lib/kamal/commands/auditor.rb
@@ -1,5 +1,6 @@
 class Kamal::Commands::Auditor < Kamal::Commands::Base
  attr_reader :details
  delegate :escape_shell_value, to: Kamal::Utils
  def initialize(config, **details)
    super(config)
@@ -9,11 +10,8 @@ class Kamal::Commands::Auditor < Kamal::Commands::Base
  # Runs remotely
  def record(line, **details)
    combine \
-      [ :mkdir, "-p", config.run_directory ],
+      make_run_directory,
-      append(
+      append([ :echo, escape_shell_value(audit_line(line, **details)) ], audit_log_file)
        [ :echo, audit_tags(**details).except(:version, :service_version, :service).to_s, line ],
        audit_log_file
      )
  end
  def reveal
@@ -30,4 +28,12 @@ class Kamal::Commands::Auditor < Kamal::Commands::Base
    def audit_tags(**details)
      tags(**self.details, **details)
    end
    def make_run_directory
      [ :mkdir, "-p", config.run_directory ]
    end
    def audit_line(line, **details)
      "#{audit_tags(**details).except(:version, :service_version, :service)} #{line}"
    end
 end
--- a/lib/kamal/commands/base.rb
+++ b/lib/kamal/commands/base.rb
@@ -68,6 +68,10 @@ module Kamal::Commands
        combine *commands, by: "||"
      end
      def substitute(*commands)
        "\$\(#{commands.join(" ")}\)"
      end
      def xargs(command)
        [ :xargs, command ].flatten
      end
@@ -80,6 +84,10 @@ module Kamal::Commands
        args.compact.unshift :docker
      end
      def pack(*args)
        args.compact.unshift :pack
      end
      def git(*args, path: nil)
        [ :git, *([ "-C", path ] if path), *args.compact ]
      end
@@ -118,5 +126,9 @@ module Kamal::Commands
      def ensure_local_buildx_installed
        docker :buildx, "version"
      end
      def docker_interactive_args
        STDIN.isatty ? "-it" : "-i"
      end
  end
 end
--- a/lib/kamal/commands/builder.rb
+++ b/lib/kamal/commands/builder.rb
@@ -2,7 +2,7 @@ require "active_support/core_ext/string/filters"
 class Kamal::Commands::Builder < Kamal::Commands::Base
  delegate :create, :remove, :dev, :push, :clean, :pull, :info, :inspect_builder, :validate_image, :first_mirror, to: :target
-  delegate :local?, :remote?, :cloud?, to: "config.builder"
+  delegate :local?, :remote?, :pack?, :cloud?, to: "config.builder"
  include Clone
@@ -17,6 +17,8 @@ class Kamal::Commands::Builder < Kamal::Commands::Base
      else
        remote
      end
    elsif pack?
      pack
    elsif cloud?
      cloud
    else
@@ -36,6 +38,10 @@ class Kamal::Commands::Builder < Kamal::Commands::Base
    @hybrid ||= Kamal::Commands::Builder::Hybrid.new(config)
  end
  def pack
    @pack ||= Kamal::Commands::Builder::Pack.new(config)
  end
  def cloud
    @cloud ||= Kamal::Commands::Builder::Cloud.new(config)
  end
--- a/lib/kamal/commands/builder/base.rb
+++ b/lib/kamal/commands/builder/base.rb
@@ -1,3 +1,5 @@
 require "shellwords"
 class Kamal::Commands::Builder::Base < Kamal::Commands::Base
  class BuilderError < StandardError; end
@@ -6,6 +8,7 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
  delegate :argumentize, to: Kamal::Utils
  delegate \
    :args, :secrets, :dockerfile, :target, :arches, :local_arches, :remote_arches, :remote,
    :pack?, :pack_builder, :pack_buildpacks,
    :cache_from, :cache_to, :ssh, :provenance, :sbom, :driver, :docker_driver?,
    to: :builder_config
@@ -20,7 +23,8 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
      *([ "--builder", builder_name ] unless docker_driver?),
      *build_tag_options(tag_as_dirty: tag_as_dirty),
      *build_options,
-      build_context
+      build_context,
      "2>&1"
  end
  def pull
@@ -42,7 +46,7 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
  end
  def build_context
-    config.builder.context
+    Shellwords.escape(config.builder.context)
  end
  def validate_image
@@ -90,7 +94,7 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
    def build_dockerfile
      if Pathname.new(File.expand_path(dockerfile)).exist?
-        argumentize "--file", dockerfile
+        argumentize "--file", Shellwords.escape(dockerfile)
      else
        raise BuilderError, "Missing #{dockerfile}"
      end
--- a/lib/kamal/commands/builder/local.rb
+++ b/lib/kamal/commands/builder/local.rb
@@ -1,6 +1,15 @@
 class Kamal::Commands::Builder::Local < Kamal::Commands::Builder::Base
  def create
-    docker :buildx, :create, "--name", builder_name, "--driver=#{driver}" unless docker_driver?
+    return if docker_driver?
    options =
      if KAMAL.registry.local?
        "--driver=#{driver} --driver-opt network=host"
      else
        "--driver=#{driver}"
      end
    docker :buildx, :create, "--name", builder_name, options
  end
  def remove
@@ -9,6 +18,10 @@ class Kamal::Commands::Builder::Local < Kamal::Commands::Builder::Base
  private
    def builder_name
-      "kamal-local-#{driver}"
+      if KAMAL.registry.local?
        "kamal-local-registry-#{driver}"
      else
        "kamal-local-#{driver}"
      end
    end
 end
--- a/lib/kamal/commands/builder/pack.rb
+++ b/lib/kamal/commands/builder/pack.rb
@@ -0,0 +1,46 @@
 class Kamal::Commands::Builder::Pack < Kamal::Commands::Builder::Base
  def push(export_action = "registry")
    combine \
      build,
      export(export_action)
  end
  def remove;end
  def info
    pack :builder, :inspect, pack_builder
  end
  alias_method :inspect_builder, :info
  private
    def build
      pack(:build,
        config.repository,
        "--platform", platform,
        "--creation-time", "now",
        "--builder", pack_builder,
        buildpacks,
        "-t", config.absolute_image,
        "-t", config.latest_image,
        "--env", "BP_IMAGE_LABELS=service=#{config.service}",
        *argumentize("--env", args),
        *argumentize("--env", secrets, sensitive: true),
        "--path", build_context)
    end
    def export(export_action)
      return unless export_action == "registry"
      combine \
        docker(:push, config.absolute_image),
        docker(:push, config.latest_image)
    end
    def platform
      "linux/#{local_arches.first}"
    end
    def buildpacks
      (pack_buildpacks << "paketo-buildpacks/image-labels").map { |buildpack| [ "--buildpack", buildpack ] }
    end
 end
--- a/lib/kamal/commands/builder/remote.rb
+++ b/lib/kamal/commands/builder/remote.rb
@@ -19,7 +19,7 @@ class Kamal::Commands::Builder::Remote < Kamal::Commands::Builder::Base
  def inspect_builder
    combine \
-      combine inspect_buildx, inspect_remote_context,
+      combine(inspect_buildx, inspect_remote_context),
      [ "(echo no compatible builder && exit 1)" ],
      by: "||"
  end
--- a/lib/kamal/commands/proxy.rb
+++ b/lib/kamal/commands/proxy.rb
@@ -2,14 +2,7 @@ class Kamal::Commands::Proxy < Kamal::Commands::Base
  delegate :argumentize, :optionize, to: Kamal::Utils
  def run
-    docker :run,
+    pipe boot_config, xargs(docker_run)
      "--name", container_name,
      "--network", "kamal",
      "--detach",
      "--restart", "unless-stopped",
      "--volume", "kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy",
      "\$\(#{get_boot_options.join(" ")}\)",
      config.proxy_image
  end
  def start
@@ -31,7 +24,7 @@ class Kamal::Commands::Proxy < Kamal::Commands::Base
  def version
    pipe \
      docker(:inspect, container_name, "--format '{{.Config.Image}}'"),
-      [ :cut, "-d:", "-f2" ]
+      [ :awk, "-F:", "'{print \$NF}'" ]
  end
  def logs(timestamps: true, since: nil, lines: nil, grep: nil, grep_options: nil)
@@ -65,23 +58,70 @@ class Kamal::Commands::Proxy < Kamal::Commands::Base
  end
  def ensure_proxy_directory
-    make_directory config.proxy_directory
+    make_directory config.proxy_boot.host_directory
  end
  def remove_proxy_directory
-    remove_directory config.proxy_directory
+    remove_directory config.proxy_boot.host_directory
  end
-  def get_boot_options
+  def ensure_apps_config_directory
-    combine [ :cat, config.proxy_options_file ], [ :echo, "\"#{config.proxy_options_default.join(" ")}\"" ], by: "||"
+    make_directory config.proxy_boot.apps_directory
  end
  def boot_config
    [ :echo, "#{substitute(read_boot_options)} #{substitute(read_image)}:#{substitute(read_image_version)} #{substitute(read_run_command)}" ]
  end
  def read_boot_options
    read_file(config.proxy_boot.options_file, default: config.proxy_boot.default_boot_options.join(" "))
  end
  def read_image
    read_file(config.proxy_boot.image_file, default: config.proxy_boot.image_default)
  end
  def read_image_version
    read_file(config.proxy_boot.image_version_file, default: Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION)
  end
  def read_run_command
    read_file(config.proxy_boot.run_command_file)
  end
  def reset_boot_options
-    remove_file config.proxy_options_file
+    remove_file config.proxy_boot.options_file
  end
  def reset_image
    remove_file config.proxy_boot.image_file
  end
  def reset_image_version
    remove_file config.proxy_boot.image_version_file
  end
  def reset_run_command
    remove_file config.proxy_boot.run_command_file
  end
  private
    def container_name
-      config.proxy_container_name
+      config.proxy_boot.container_name
    end
    def read_file(file, default: nil)
      combine [ :cat, file, "2>", "/dev/null" ], [ :echo, "\"#{default}\"" ], by: "||"
    end
    def docker_run
      docker \
        :run,
        "--name", container_name,
        "--network", "kamal",
        "--detach",
        "--restart", "unless-stopped",
        "--volume", "kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy",
        *config.proxy_boot.apps_volume.docker_args
    end
 end
--- a/lib/kamal/commands/registry.rb
+++ b/lib/kamal/commands/registry.rb
@@ -2,6 +2,8 @@ class Kamal::Commands::Registry < Kamal::Commands::Base
  def login(registry_config: nil)
    registry_config ||= config.registry
    return if registry_config.local?
    docker :login,
      registry_config.server,
      "-u", sensitive(Kamal::Utils.escape_shell_value(registry_config.username)),
@@ -13,4 +15,24 @@ class Kamal::Commands::Registry < Kamal::Commands::Base
    docker :logout, registry_config.server
  end
  def setup(registry_config: nil)
    registry_config ||= config.registry
    combine \
      docker(:start, "kamal-docker-registry"),
      docker(:run, "--detach", "-p", "127.0.0.1:#{registry_config.local_port}:5000", "--name", "kamal-docker-registry", "registry:3"),
      by: "||"
  end
  def remove
    combine \
      docker(:stop, "kamal-docker-registry"),
      docker(:rm, "kamal-docker-registry"),
      by: "&&"
  end
  def local?
    config.registry.local?
  end
 end
--- a/lib/kamal/configuration.rb
+++ b/lib/kamal/configuration.rb
@@ -6,19 +6,14 @@ require "erb"
 require "net/ssh/proxy/jump"
 class Kamal::Configuration
-  delegate :service, :image, :labels, :hooks_path, to: :raw_config, allow_nil: true
+  delegate :service, :labels, :hooks_path, to: :raw_config, allow_nil: true
  delegate :argumentize, :optionize, to: Kamal::Utils
  attr_reader :destination, :raw_config, :secrets
-  attr_reader :accessories, :aliases, :boot, :builder, :env, :logging, :proxy, :servers, :ssh, :sshkit, :registry
+  attr_reader :accessories, :aliases, :boot, :builder, :env, :logging, :proxy, :proxy_boot, :servers, :ssh, :sshkit, :registry
  include Validation
  PROXY_MINIMUM_VERSION = "v0.8.4"
  PROXY_HTTP_PORT = 80
  PROXY_HTTPS_PORT = 443
  PROXY_LOG_MAX_SIZE = "10m"
  class << self
    def create_from(config_file:, destination: nil, version: nil)
      ENV["KAMAL_DESTINATION"] = destination
@@ -68,7 +63,8 @@ class Kamal::Configuration
    @env = Env.new(config: @raw_config.env || {}, secrets: secrets)
    @logging = Logging.new(logging_config: @raw_config.logging)
-    @proxy = Proxy.new(config: self, proxy_config: @raw_config.proxy || {})
+    @proxy = Proxy.new(config: self, proxy_config: @raw_config.proxy, secrets: secrets)
    @proxy_boot = Proxy::Boot.new(config: self)
    @ssh = Ssh.new(config: self)
    @sshkit = Sshkit.new(config: self)
@@ -105,6 +101,10 @@ class Kamal::Configuration
    raw_config.minimum_version
  end
  def service_and_destination
    [ service, destination ].compact.join("-")
  end
  def roles
    servers.roles
  end
@@ -121,6 +121,10 @@ class Kamal::Configuration
    (roles + accessories).flat_map(&:hosts).uniq
  end
  def app_hosts
    roles.flat_map(&:hosts).uniq
  end
  def primary_host
    primary_role&.primary_host
  end
@@ -145,8 +149,19 @@ class Kamal::Configuration
    proxy_roles.flat_map(&:name)
  end
  def proxy_accessories
    accessories.select(&:running_proxy?)
  end
  def proxy_hosts
-    proxy_roles.flat_map(&:hosts).uniq
+    (proxy_roles.flat_map(&:hosts) + proxy_accessories.flat_map(&:hosts)).uniq
  end
  def image
    name = raw_config&.image.presence
    name ||= raw_config&.service if registry.local?
    name
  end
  def repository
@@ -210,7 +225,7 @@ class Kamal::Configuration
  end
  def app_directory
-    File.join apps_directory, [ service, destination ].compact.join("-")
+    File.join apps_directory, service_and_destination
  end
  def env_directory
@@ -229,6 +244,10 @@ class Kamal::Configuration
    raw_config.asset_path
  end
  def error_pages_path
    raw_config.error_pages_path
  end
  def env_tags
    @env_tags ||= if (tags = raw_config.env["tags"])
      tags.collect { |name, config| Env::Tag.new(name, config: config, secrets: secrets) }
@@ -241,42 +260,6 @@ class Kamal::Configuration
    env_tags.detect { |t| t.name == name.to_s }
  end
  def proxy_publish_args(http_port, https_port, bind_ips = nil)
    ensure_valid_bind_ips(bind_ips)
    (bind_ips || [ nil ]).map do |bind_ip|
      bind_ip = format_bind_ip(bind_ip)
      publish_http = [ bind_ip, http_port, PROXY_HTTP_PORT ].compact.join(":")
      publish_https = [ bind_ip, https_port, PROXY_HTTPS_PORT ].compact.join(":")
      argumentize "--publish", [ publish_http, publish_https ]
    end.join(" ")
  end
  def proxy_logging_args(max_size)
    argumentize "--log-opt", "max-size=#{max_size}" if max_size.present?
  end
  def proxy_options_default
    [ *proxy_publish_args(PROXY_HTTP_PORT, PROXY_HTTPS_PORT), *proxy_logging_args(PROXY_LOG_MAX_SIZE) ]
  end
  def proxy_image
    "basecamp/kamal-proxy:#{PROXY_MINIMUM_VERSION}"
  end
  def proxy_container_name
    "kamal-proxy"
  end
  def proxy_directory
    File.join run_directory, "proxy"
  end
  def proxy_options_file
    File.join proxy_directory, "options"
  end
  def to_h
    {
      roles: role_names,
@@ -306,22 +289,28 @@ class Kamal::Configuration
    end
    def ensure_required_keys_present
-      %i[ service image registry servers ].each do |key|
+      %i[ service registry ].each do |key|
        raise Kamal::ConfigurationError, "Missing required configuration for #{key}" unless raw_config[key].present?
      end
-      unless role(primary_role_name).present?
+      raise Kamal::ConfigurationError, "Missing required configuration for image" if image.blank?
        raise Kamal::ConfigurationError, "The primary_role #{primary_role_name} isn't defined"
      end
-      if primary_role.hosts.empty?
+      if raw_config.servers.nil?
-        raise Kamal::ConfigurationError, "No servers specified for the #{primary_role.name} primary_role"
+        raise Kamal::ConfigurationError, "No servers or accessories specified" unless raw_config.accessories.present?
-      end
+      else
        unless role(primary_role_name).present?
          raise Kamal::ConfigurationError, "The primary_role #{primary_role_name} isn't defined"
        end
-      unless allow_empty_roles?
+        if primary_role.hosts.empty?
-        roles.each do |role|
+          raise Kamal::ConfigurationError, "No servers specified for the #{primary_role.name} primary_role"
-          if role.hosts.empty?
+        end
-            raise Kamal::ConfigurationError, "No servers specified for the #{role.name} role. You can ignore this with allow_empty_roles: true"
+
        unless allow_empty_roles?
          roles.each do |role|
            if role.hosts.empty?
              raise Kamal::ConfigurationError, "No servers specified for the #{role.name} role. You can ignore this with allow_empty_roles: true"
            end
          end
        end
      end
@@ -343,15 +332,6 @@ class Kamal::Configuration
      true
    end
    def ensure_valid_bind_ips(bind_ips)
      bind_ips.present? && bind_ips.each do |ip|
        next if ip =~ Resolv::IPv4::Regex || ip =~ Resolv::IPv6::Regex
        raise ArgumentError, "Invalid publish IP address: #{ip}"
      end
      true
    end
    def ensure_retain_containers_valid
      raise Kamal::ConfigurationError, "Must retain at least 1 container" if retain_containers < 1
@@ -383,15 +363,6 @@ class Kamal::Configuration
      true
    end
    def format_bind_ip(ip)
      # Ensure IPv6 address inside square brackets - e.g. [::1]
      if ip =~ Resolv::IPv6::Regex && ip !~ /\[.*\]/
        "[#{ip}]"
      else
        ip
      end
    end
    def role_names
      raw_config.servers.is_a?(Array) ? [ "web" ] : raw_config.servers.keys.sort
    end
--- a/lib/kamal/configuration/accessory.rb
+++ b/lib/kamal/configuration/accessory.rb
@@ -32,7 +32,7 @@ class Kamal::Configuration::Accessory
  end
  def hosts
-    hosts_from_host || hosts_from_hosts || hosts_from_roles
+    hosts_from_host || hosts_from_hosts || hosts_from_roles || hosts_from_tags
  end
  def port
@@ -125,7 +125,8 @@ class Kamal::Configuration::Accessory
      Kamal::Configuration::Proxy.new \
        config: config,
        proxy_config: accessory_config["proxy"],
-        context: "accessories/#{name}/proxy"
+        context: "accessories/#{name}/proxy",
        secrets: config.secrets
    end
    def initialize_registry
@@ -201,11 +202,31 @@ class Kamal::Configuration::Accessory
    end
    def hosts_from_roles
-      if accessory_config.key?("roles")
+      if accessory_config.key?("role")
       config.role(accessory_config["role"])&.hosts
      elsif accessory_config.key?("roles")
        accessory_config["roles"].flat_map { |role| config.role(role)&.hosts }
      end
    end
    def hosts_from_tags
      if accessory_config.key?("tag")
        extract_hosts_from_config_with_tag(accessory_config["tag"])
      elsif accessory_config.key?("tags")
        accessory_config["tags"].flat_map { |tag| extract_hosts_from_config_with_tag(tag) }
      end
    end
    def extract_hosts_from_config_with_tag(tag)
      if (servers_with_roles = config.raw_config.servers).is_a?(Hash)
        servers_with_roles.flat_map do |role, servers_in_role|
          servers_in_role.filter_map do |host|
            host.keys.first if host.is_a?(Hash) && host.values.first.include?(tag)
          end
        end
      end
    end
    def network
      accessory_config["network"] || DEFAULT_NETWORK
    end
@@ -213,6 +234,8 @@ class Kamal::Configuration::Accessory
    def ensure_valid_roles
      if accessory_config["roles"] && (missing_roles = accessory_config["roles"] - config.roles.map(&:name)).any?
        raise Kamal::ConfigurationError, "accessories/#{name}: unknown roles #{missing_roles.join(", ")}"
      elsif accessory_config["role"] && !config.role(accessory_config["role"])
        raise Kamal::ConfigurationError, "accessories/#{name}: unknown role #{accessory_config["role"]}"
      end
    end
 end
--- a/lib/kamal/configuration/builder.rb
+++ b/lib/kamal/configuration/builder.rb
@@ -61,6 +61,10 @@ class Kamal::Configuration::Builder
    !!builder_config["cache"]
  end
  def pack?
    !!builder_config["pack"]
  end
  def args
    builder_config["args"] || {}
  end
@@ -85,6 +89,14 @@ class Kamal::Configuration::Builder
    builder_config.fetch("driver", "docker-container")
  end
  def pack_builder
    builder_config["pack"]["builder"] if pack?
  end
  def pack_buildpacks
    builder_config["pack"]["buildpacks"] if pack?
  end
  def local_disabled?
    builder_config["local"] == false
  end
--- a/lib/kamal/configuration/docs/accessory.yml
+++ b/lib/kamal/configuration/docs/accessory.yml
@@ -46,13 +46,18 @@ accessories:
    # Accessory hosts
    #
-    # Specify one of `host`, `hosts`, or `roles`:
+    # Specify one of `host`, `hosts`, `role`, `roles`, `tag` or `tags`:
    host: mysql-db1
    hosts:
      - mysql-db1
      - mysql-db2
    role: mysql
    roles:
      - mysql
    tag: writer
    tags:
      - writer
      - reader
    # Custom command
    #
--- a/lib/kamal/configuration/docs/builder.yml
+++ b/lib/kamal/configuration/docs/builder.yml
@@ -31,6 +31,19 @@ builder:
  # Defaults to true:
  local: true
  # Buildpack configuration
  #
  # The build configuration for using pack to build a Cloud Native Buildpack image.
  #
  # For additional buildpack customization options you can create a project descriptor
  # file(project.toml) that the Pack CLI will automatically use.
  # See https://buildpacks.io/docs/for-app-developers/how-to/build-inputs/use-project-toml/ for more information.
  pack:
    builder: heroku/builder:24
    buildpacks:
      - heroku/ruby
      - heroku/procfile
  # Builder cache
  #
  # The type must be either 'gha' or 'registry'.
--- a/lib/kamal/configuration/docs/configuration.yml
+++ b/lib/kamal/configuration/docs/configuration.yml
@@ -82,6 +82,12 @@ asset_path: /path/to/assets
 # See https://kamal-deploy.org/docs/hooks for more information:
 hooks_path: /user_home/kamal/hooks
 # Error pages
 #
 # A directory relative to the app root to find error pages for the proxy to serve.
 # Any files in the format 4xx.html or 5xx.html will be copied to the hosts.
 error_pages_path: public
 # Require destinations
 #
 # Whether deployments require a destination to be specified, defaults to `false`:
--- a/lib/kamal/configuration/docs/env.yml
+++ b/lib/kamal/configuration/docs/env.yml
@@ -51,6 +51,37 @@ env:
  secret:
    - DB_PASSWORD
 # Aliased secrets
 #
 # You can also alias secrets to other secrets using a `:` separator.
 #
 # This is useful when the ENV name is different from the secret name. For example, if you have two
 # places where you need to define the ENV variable `DB_PASSWORD`, but the value is different depending
 # on the context.
 #
 # ```shell
 # SECRETS=$(kamal secrets fetch ...)
 #
 # MAIN_DB_PASSWORD=$(kamal secrets extract MAIN_DB_PASSWORD $SECRETS)
 # SECONDARY_DB_PASSWORD=$(kamal secrets extract SECONDARY_DB_PASSWORD $SECRETS)
 # ```
 env:
  secret:
    - DB_PASSWORD:MAIN_DB_PASSWORD
  tags:
    secondary_db:
      secret:
        - DB_PASSWORD:SECONDARY_DB_PASSWORD
 accessories:
  main_db_accessory:
    env:
      secret:
        - DB_PASSWORD:MAIN_DB_PASSWORD
  secondary_db_accessory:
    env:
      secret:
        - DB_PASSWORD:SECONDARY_DB_PASSWORD
 # Tags
 #
 # Tags are used to add extra env variables to specific hosts.
--- a/lib/kamal/configuration/docs/proxy.yml
+++ b/lib/kamal/configuration/docs/proxy.yml
@@ -10,11 +10,6 @@
 # They are application-specific, so they are not shared when multiple applications
 # run on the same proxy.
 #
 # The proxy is enabled by default on the primary role but can be disabled by
 # setting `proxy: false`.
 #
 # It is disabled by default on all other roles but can be enabled by setting
 # `proxy: true` or providing a proxy configuration.
 proxy:
  # Hosts
@@ -52,6 +47,29 @@ proxy:
  # Defaults to `false`:
  ssl: true
  # Custom SSL certificate
  #
  # In some cases, using Let's Encrypt for automatic certificate management is not an
  # option, for example if you are running from more than one host.
  #
  # Or you may already have SSL certificates issued by a different Certificate Authority (CA).
  #
  # Kamal supports loading custom SSL certificates directly from secrets. You should
  # pass a hash mapping the `certificate_pem` and `private_key_pem` to the secret names.
  ssl:
    certificate_pem: CERTIFICATE_PEM
    private_key_pem: PRIVATE_KEY_PEM
  # ### Notes
  # - If the certificate or key is missing or invalid, deployments will fail.
  # - Always handle SSL certificates and private keys securely. Avoid hard-coding them in source control.
  # SSL redirect
  #
  # By default, kamal-proxy will redirect all HTTP requests to HTTPS when SSL is enabled.
  # If you prefer that HTTP traffic is passed through to your application (along with
  # HTTPS traffic), you can disable this redirect by setting `ssl_redirect: false`:
  ssl_redirect: false
  # Forward headers
  #
  # Whether to forward the `X-Forwarded-For` and `X-Forwarded-Proto` headers.
@@ -67,6 +85,17 @@ proxy:
  # How long to wait for requests to complete before timing out, defaults to 30 seconds:
  response_timeout: 10
  # Path-based routing
  #
  # For applications that split their traffic to different services based on the request path,
  # you can use path-based routing to mount services under different path prefixes.
  path_prefix: '/api'
  # By default, the path prefix will be stripped from the request before it is forwarded upstream.
  # So in the example above, a request to /api/users/123 will be forwarded to web-1 as /users/123.
  # To instead forward the request with the original path (including the prefix),
  # specify --strip-path-prefix=false
  strip_path_prefix: false
  # Healthcheck
  #
  # When deploying, the proxy will by default hit `/up` once every second until we hit
@@ -106,3 +135,30 @@ proxy:
    response_headers:
      - X-Request-ID
      - X-Request-Start
 # Enabling/disabling the proxy on roles
 #
 # The proxy is enabled by default on the primary role but can be disabled by
 # setting `proxy: false` in the primary role's configuration.
 #
 # ```yaml
 # servers:
 #   web:
 #     hosts:
 #      - ...
 #     proxy: false
 # ```
 #
 # It is disabled by default on all other roles but can be enabled by setting
 # `proxy: true` or providing a proxy configuration for that role.
 #
 # ```yaml
 # servers:
 #   web:
 #     hosts:
 #      - ...
 #   web2:
 #     hosts:
 #      - ...
 #     proxy: true
 # ```
--- a/lib/kamal/configuration/env.rb
+++ b/lib/kamal/configuration/env.rb
@@ -1,8 +1,7 @@
 class Kamal::Configuration::Env
  include Kamal::Configuration::Validation
-  attr_reader :context, :secrets
+  attr_reader :context, :clear, :secret_keys
  attr_reader :clear, :secret_keys
  delegate :argumentize, to: Kamal::Utils
  def initialize(config:, secrets:, context: "env")
@@ -18,12 +17,22 @@ class Kamal::Configuration::Env
  end
  def secrets_io
-    Kamal::EnvFile.new(secret_keys.to_h { |key| [ key, secrets[key] ] }).to_io
+    Kamal::EnvFile.new(aliased_secrets).to_io
  end
  def merge(other)
    self.class.new \
      config: { "clear" => clear.merge(other.clear), "secret" => secret_keys | other.secret_keys },
-      secrets: secrets
+      secrets: @secrets
  end
  private
    def aliased_secrets
      secret_keys.to_h { |key| extract_alias(key) }.transform_values { |secret_key| @secrets[secret_key] }
    end
    def extract_alias(key)
      key_name, key_aliased_to = key.split(":", 2)
      [ key_name, key_aliased_to || key_name ]
    end
 end
--- a/lib/kamal/configuration/proxy.rb
+++ b/lib/kamal/configuration/proxy.rb
@@ -6,11 +6,14 @@ class Kamal::Configuration::Proxy
  delegate :argumentize, :optionize, to: Kamal::Utils
-  attr_reader :config, :proxy_config
+  attr_reader :config, :proxy_config, :role_name, :secrets
-  def initialize(config:, proxy_config:, context: "proxy")
+  def initialize(config:, proxy_config:, role_name: nil, secrets:, context: "proxy")
    @config = config
    @proxy_config = proxy_config
    @proxy_config = {} if @proxy_config.nil?
    @role_name = role_name
    @secrets = secrets
    validate! @proxy_config, with: Kamal::Configuration::Validator::Proxy, context: context
  end
@@ -26,10 +29,46 @@ class Kamal::Configuration::Proxy
    proxy_config["hosts"] || proxy_config["host"]&.split(",") || []
  end
  def custom_ssl_certificate?
    ssl = proxy_config["ssl"]
    return false unless ssl.is_a?(Hash)
    ssl["certificate_pem"].present? && ssl["private_key_pem"].present?
  end
  def certificate_pem_content
    ssl = proxy_config["ssl"]
    return nil unless ssl.is_a?(Hash)
    secrets[ssl["certificate_pem"]]
  end
  def private_key_pem_content
    ssl = proxy_config["ssl"]
    return nil unless ssl.is_a?(Hash)
    secrets[ssl["private_key_pem"]]
  end
  def host_tls_cert
    tls_path(config.proxy_boot.tls_directory, "cert.pem")
  end
  def host_tls_key
    tls_path(config.proxy_boot.tls_directory, "key.pem")
  end
  def container_tls_cert
    tls_path(config.proxy_boot.tls_container_directory, "cert.pem")
  end
  def container_tls_key
    tls_path(config.proxy_boot.tls_container_directory, "key.pem") if custom_ssl_certificate?
  end
  def deploy_options
    {
      host: hosts,
-      tls: proxy_config["ssl"].presence,
+      tls: ssl? ? true : nil,
      "tls-certificate-path": container_tls_cert,
      "tls-private-key-path": container_tls_key,
      "deploy-timeout": seconds_duration(config.deploy_timeout),
      "drain-timeout": seconds_duration(config.drain_timeout),
      "health-check-interval": seconds_duration(proxy_config.dig("healthcheck", "interval")),
@@ -41,9 +80,13 @@ class Kamal::Configuration::Proxy
      "buffer-memory": proxy_config.dig("buffering", "memory"),
      "max-request-body": proxy_config.dig("buffering", "max_request_body"),
      "max-response-body": proxy_config.dig("buffering", "max_response_body"),
      "path-prefix": proxy_config.dig("path_prefix"),
      "strip-path-prefix": proxy_config.dig("strip_path_prefix"),
      "forward-headers": proxy_config.dig("forward_headers"),
      "tls-redirect": proxy_config.dig("ssl_redirect"),
      "log-request-header": proxy_config.dig("logging", "request_headers") || DEFAULT_LOG_REQUEST_HEADERS,
-      "log-response-header": proxy_config.dig("logging", "response_headers")
+      "log-response-header": proxy_config.dig("logging", "response_headers"),
      "error-pages": error_pages
    }.compact
  end
@@ -51,12 +94,31 @@ class Kamal::Configuration::Proxy
    optionize ({ target: "#{target}:#{app_port}" }).merge(deploy_options), with: "="
  end
  def stop_options(drain_timeout: nil, message: nil)
    {
      "drain-timeout": seconds_duration(drain_timeout),
      message: message
    }.compact
  end
  def stop_command_args(**options)
    optionize stop_options(**options), with: "="
  end
  def merge(other)
-    self.class.new config: config, proxy_config: proxy_config.deep_merge(other.proxy_config)
+    self.class.new config: config, proxy_config: other.proxy_config.deep_merge(proxy_config), role_name: role_name, secrets: secrets
  end
  private
    def tls_path(directory, filename)
      File.join([ directory, role_name, filename ].compact) if custom_ssl_certificate?
    end
    def seconds_duration(value)
      value ? "#{value}s" : nil
    end
    def error_pages
      File.join config.proxy_boot.error_pages_container_directory, config.version if config.error_pages_path
    end
 end
--- a/lib/kamal/configuration/proxy/boot.rb
+++ b/lib/kamal/configuration/proxy/boot.rb
@@ -0,0 +1,129 @@
 class Kamal::Configuration::Proxy::Boot
  MINIMUM_VERSION = "v0.9.0"
  DEFAULT_HTTP_PORT = 80
  DEFAULT_HTTPS_PORT = 443
  DEFAULT_LOG_MAX_SIZE = "10m"
  attr_reader :config
  delegate :argumentize, :optionize, to: Kamal::Utils
  def initialize(config:)
    @config = config
  end
  def publish_args(http_port, https_port, bind_ips = nil)
    ensure_valid_bind_ips(bind_ips)
    (bind_ips || [ nil ]).map do |bind_ip|
      bind_ip = format_bind_ip(bind_ip)
      publish_http = [ bind_ip, http_port, DEFAULT_HTTP_PORT ].compact.join(":")
      publish_https = [ bind_ip, https_port, DEFAULT_HTTPS_PORT ].compact.join(":")
      argumentize "--publish", [ publish_http, publish_https ]
    end.join(" ")
  end
  def logging_args(max_size)
    argumentize "--log-opt", "max-size=#{max_size}" if max_size.present?
  end
  def default_boot_options
    [
      *(publish_args(DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT, nil)),
      *(logging_args(DEFAULT_LOG_MAX_SIZE))
    ]
  end
  def repository_name
    "basecamp"
  end
  def image_name
    "kamal-proxy"
  end
  def image_default
    "#{repository_name}/#{image_name}"
  end
  def container_name
    "kamal-proxy"
  end
  def host_directory
    File.join config.run_directory, "proxy"
  end
  def options_file
    File.join host_directory, "options"
  end
  def image_file
    File.join host_directory, "image"
  end
  def image_version_file
    File.join host_directory, "image_version"
  end
  def run_command_file
    File.join host_directory, "run_command"
  end
  def apps_directory
    File.join host_directory, "apps-config"
  end
  def apps_container_directory
    "/home/kamal-proxy/.apps-config"
  end
  def apps_volume
    Kamal::Configuration::Volume.new \
      host_path: apps_directory,
      container_path: apps_container_directory
  end
  def app_directory
    File.join apps_directory, config.service_and_destination
  end
  def app_container_directory
    File.join apps_container_directory, config.service_and_destination
  end
  def error_pages_directory
    File.join app_directory, "error_pages"
  end
  def error_pages_container_directory
    File.join app_container_directory, "error_pages"
  end
  def tls_directory
    File.join app_directory, "tls"
  end
  def tls_container_directory
    File.join app_container_directory, "tls"
  end
  private
    def ensure_valid_bind_ips(bind_ips)
      bind_ips.present? && bind_ips.each do |ip|
        next if ip =~ Resolv::IPv4::Regex || ip =~ Resolv::IPv6::Regex
        raise ArgumentError, "Invalid publish IP address: #{ip}"
      end
      true
    end
    def format_bind_ip(ip)
      # Ensure IPv6 address inside square brackets - e.g. [::1]
      if ip =~ Resolv::IPv6::Regex && ip !~ /\A\[.*\]\z/
        "[#{ip}]"
      else
        ip
      end
    end
 end
--- a/lib/kamal/configuration/registry.rb
+++ b/lib/kamal/configuration/registry.rb
@@ -19,6 +19,14 @@ class Kamal::Configuration::Registry
    lookup("password")
  end
  def local?
    server.to_s.match?("^localhost[:$]")
  end
  def local_port
    local? ? (server.split(":").last.to_i || 80) : nil
  end
  private
    attr_reader :registry_config, :secrets
--- a/lib/kamal/configuration/role.rb
+++ b/lib/kamal/configuration/role.rb
@@ -68,7 +68,7 @@ class Kamal::Configuration::Role
  end
  def proxy
-    @proxy ||= config.proxy.merge(specialized_proxy) if running_proxy?
+    @proxy ||= specialized_proxy.merge(config.proxy) if running_proxy?
  end
  def running_proxy?
@@ -150,8 +150,8 @@ class Kamal::Configuration::Role
  end
  def ensure_one_host_for_ssl
-    if running_proxy? && proxy.ssl? && hosts.size > 1
+    if running_proxy? && proxy.ssl? && hosts.size > 1 && !proxy.custom_ssl_certificate?
-      raise Kamal::ConfigurationError, "SSL is only supported on a single server, found #{hosts.size} servers for role #{name}"
+      raise Kamal::ConfigurationError, "SSL is only supported on a single server unless you provide custom certificates, found #{hosts.size} servers for role #{name}"
    end
  end
@@ -173,6 +173,8 @@ class Kamal::Configuration::Role
        @specialized_proxy = Kamal::Configuration::Proxy.new \
          config: config,
          proxy_config: proxy_config,
          secrets: config.secrets,
          role_name: name,
          context: "servers/#{name}/proxy"
      end
    end
--- a/lib/kamal/configuration/servers.rb
+++ b/lib/kamal/configuration/servers.rb
@@ -13,6 +13,13 @@ class Kamal::Configuration::Servers
  private
    def role_names
-      servers_config.is_a?(Array) ? [ "web" ] : servers_config.keys.sort
+      case servers_config
      when Array
        [ "web" ]
      when NilClass
        []
      else
        servers_config.keys.sort
      end
    end
 end
--- a/lib/kamal/configuration/validator.rb
+++ b/lib/kamal/configuration/validator.rb
@@ -27,6 +27,8 @@ class Kamal::Configuration::Validator
              unless key.to_s == "proxy" && boolean?(value.class)
                validate_type! value, *(Array if key == :servers), Hash
              end
            elsif key.to_s == "ssl"
                validate_type! value, TrueClass, FalseClass, Hash
            elsif key == "hosts"
              validate_servers! value
            elsif example_value.is_a?(Array)
@@ -168,4 +170,22 @@ class Kamal::Configuration::Validator
      unknown_keys.reject! { |key| extension?(key) } if allow_extensions?
      unknown_keys_error unknown_keys if unknown_keys.present?
    end
    def validate_labels!(labels)
      return true if labels.blank?
      with_context("labels") do
        labels.each do |key, _|
          with_context(key) do
            error "invalid label. destination, role, and service are reserved labels" if %w[destination role service].include?(key)
          end
        end
      end
    end
    def validate_docker_options!(options)
      if options
        error "Cannot set restart policy in docker options, unless-stopped is required" if options["restart"]
      end
    end
 end
--- a/lib/kamal/configuration/validator/accessory.rb
+++ b/lib/kamal/configuration/validator/accessory.rb
@@ -2,8 +2,12 @@ class Kamal::Configuration::Validator::Accessory < Kamal::Configuration::Validat
  def validate!
    super
-    if (config.keys & [ "host", "hosts", "roles" ]).size != 1
+    if (config.keys & [ "host", "hosts", "role", "roles", "tag", "tags" ]).size != 1
-      error "specify one of `host`, `hosts` or `roles`"
+      error "specify one of `host`, `hosts`, `role`, `roles`, `tag` or `tags`"
    end
    validate_labels!(config["labels"])
    validate_docker_options!(config["options"])
  end
 end
--- a/lib/kamal/configuration/validator/builder.rb
+++ b/lib/kamal/configuration/validator/builder.rb
@@ -8,6 +8,8 @@ class Kamal::Configuration::Validator::Builder < Kamal::Configuration::Validator
    error "Builder arch not set" unless config["arch"].present?
    error "buildpacks only support building for one arch" if config["pack"] && config["arch"].is_a?(Array) && config["arch"].size > 1
    error "Cannot disable local builds, no remote is set" if config["local"] == false && config["remote"].blank?
  end
 end
--- a/lib/kamal/configuration/validator/proxy.rb
+++ b/lib/kamal/configuration/validator/proxy.rb
@@ -10,6 +10,16 @@ class Kamal::Configuration::Validator::Proxy < Kamal::Configuration::Validator
      if (config.keys & [ "host", "hosts" ]).size > 1
        error "Specify one of 'host' or 'hosts', not both"
      end
      if config["ssl"].is_a?(Hash)
        if config["ssl"]["certificate_pem"].present? && config["ssl"]["private_key_pem"].blank?
          error "Missing private_key_pem setting (required when certificate_pem is present)"
        end
        if config["ssl"]["private_key_pem"].present? && config["ssl"]["certificate_pem"].blank?
          error "Missing certificate_pem setting (required when private_key_pem is present)"
        end
      end
    end
  end
 end
--- a/lib/kamal/configuration/validator/registry.rb
+++ b/lib/kamal/configuration/validator/registry.rb
@@ -15,10 +15,12 @@ class Kamal::Configuration::Validator::Registry < Kamal::Configuration::Validato
      with_context(key) do
        value = config[key]
-        error "is required" unless value.present?
+        unless config["server"]&.match?("^localhost[:$]")
          error "is required" unless value.present?
-        unless value.is_a?(String) || (value.is_a?(Array) && value.size == 1 && value.first.is_a?(String))
+          unless value.is_a?(String) || (value.is_a?(Array) && value.size == 1 && value.first.is_a?(String))
-          error "should be a string or an array with one string (for secret lookup)"
+            error "should be a string or an array with one string (for secret lookup)"
          end
        end
      end
    end
--- a/lib/kamal/configuration/validator/role.rb
+++ b/lib/kamal/configuration/validator/role.rb
@@ -6,6 +6,8 @@ class Kamal::Configuration::Validator::Role < Kamal::Configuration::Validator
      validate_servers!(config)
    else
      super
      validate_labels!(config["labels"])
      validate_docker_options!(config["options"])
    end
  end
 end
--- a/lib/kamal/configuration/validator/servers.rb
+++ b/lib/kamal/configuration/validator/servers.rb
@@ -1,6 +1,6 @@
 class Kamal::Configuration::Validator::Servers < Kamal::Configuration::Validator
  def validate!
-    validate_type! config, Array, Hash
+    validate_type! config, Array, Hash, NilClass
    validate_servers! config if config.is_a?(Array)
  end
--- a/lib/kamal/docker.rb
+++ b/lib/kamal/docker.rb
@@ -1,5 +1,6 @@
 require "tempfile"
 require "open3"
 require "shellwords"
 module Kamal::Docker
  extend self
@@ -15,7 +16,7 @@ module Kamal::Docker
      DOCKERFILE
      dockerfile.close
-      cmd = "docker buildx build -t=#{BUILD_CHECK_TAG} -f=#{dockerfile.path} ."
+      cmd = "docker buildx build -t=#{BUILD_CHECK_TAG} -f=#{Shellwords.escape(dockerfile.path)} ."
      system(cmd) || raise("failed to build check image")
    end
--- a/lib/kamal/secrets/adapters/aws_secrets_manager.rb
+++ b/lib/kamal/secrets/adapters/aws_secrets_manager.rb
@@ -26,6 +26,7 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba
    def get_from_secrets_manager(secrets, account: nil)
      args = [ "aws", "secretsmanager", "batch-get-secret-value", "--secret-id-list" ] + secrets.map(&:shellescape)
      args += [ "--profile", account.shellescape ] if account
      args += [ "--output", "json" ]
      cmd = args.join(" ")
      `#{cmd}`.tap do |secrets|
--- a/lib/kamal/secrets/adapters/bitwarden_secrets_manager.rb
+++ b/lib/kamal/secrets/adapters/bitwarden_secrets_manager.rb
@@ -6,8 +6,8 @@ class Kamal::Secrets::Adapters::BitwardenSecretsManager < Kamal::Secrets::Adapte
  private
    LIST_ALL_SELECTOR = "all"
    LIST_ALL_FROM_PROJECT_SUFFIX = "/all"
-    LIST_COMMAND = "secret list -o env"
+    LIST_COMMAND = "secret list"
-    GET_COMMAND = "secret get -o env"
+    GET_COMMAND = "secret get"
    def fetch_secrets(secrets, from:, account:, session:)
      raise RuntimeError, "You must specify what to retrieve from Bitwarden Secrets Manager" if secrets.length == 0
@@ -18,17 +18,17 @@ class Kamal::Secrets::Adapters::BitwardenSecretsManager < Kamal::Secrets::Adapte
      {}.tap do |results|
        if command.nil?
          secrets.each do |secret_uuid|
-            secret = run_command("#{GET_COMMAND} #{secret_uuid.shellescape}")
+            item_json = run_command("#{GET_COMMAND} #{secret_uuid.shellescape}")
            raise RuntimeError, "Could not read #{secret_uuid} from Bitwarden Secrets Manager" unless $?.success?
-            key, value = parse_secret(secret)
+            item_json = JSON.parse(item_json)
-            results[key] = value
+            results[item_json["key"]] = item_json["value"]
          end
        else
-          secrets = run_command(command)
+          items_json = run_command(command)
          raise RuntimeError, "Could not read secrets from Bitwarden Secrets Manager" unless $?.success?
-          secrets.split("\n").each do |secret|
+
-            key, value = parse_secret(secret)
+          JSON.parse(items_json).each do |item_json|
-            results[key] = value
+            results[item_json["key"]] = item_json["value"]
          end
        end
      end
@@ -45,19 +45,13 @@ class Kamal::Secrets::Adapters::BitwardenSecretsManager < Kamal::Secrets::Adapte
      end
    end
    def parse_secret(secret)
      key, value = secret.split("=", 2)
      value = value.gsub(/^"|"$/, "")
      [ key, value ]
    end
    def run_command(command, session: nil)
      full_command = [ "bws", command ].join(" ")
      `#{full_command}`
    end
    def login(account)
-      run_command("run 'echo OK'")
+      run_command("project list")
      raise RuntimeError, "Could not authenticate to Bitwarden Secrets Manager. Did you set a valid access token?" unless $?.success?
    end
--- a/lib/kamal/secrets/adapters/one_password.rb
+++ b/lib/kamal/secrets/adapters/one_password.rb
@@ -16,17 +16,33 @@ class Kamal::Secrets::Adapters::OnePassword < Kamal::Secrets::Adapters::Base
    end
    def fetch_secrets(secrets, from:, account:, session:)
      if secrets.blank?
        fetch_all_secrets(from: from, account: account, session: session)
      else
        fetch_specified_secrets(secrets, from: from, account: account, session: session)
      end
    end
    def fetch_specified_secrets(secrets, from:, account:, session:)
      {}.tap do |results|
        vaults_items_fields(prefixed_secrets(secrets, from: from)).map do |vault, items|
          items.each do |item, fields|
-            fields_json = JSON.parse(op_item_get(vault, item, fields, account: account, session: session))
+            fields_json = JSON.parse(op_item_get(vault, item, fields: fields, account: account, session: session))
            fields_json = [ fields_json ] if fields.one?
-            fields_json.each do |field_json|
+            results.merge!(fields_map(fields_json))
-              # The reference is in the form `op://vault/item/field[/field]`
+          end
-              field = field_json["reference"].delete_prefix("op://").delete_suffix("/password")
+        end
-              results[field] = field_json["value"]
+      end
-            end
+    end
    def fetch_all_secrets(from:, account:, session:)
      {}.tap do |results|
        vault_items(from).each do |vault, items|
          items.each do |item|
            fields_json = JSON.parse(op_item_get(vault, item, account: account, session: session)).fetch("fields")
            results.merge!(fields_map(fields_json))
          end
        end
      end
@@ -50,12 +66,30 @@ class Kamal::Secrets::Adapters::OnePassword < Kamal::Secrets::Adapters::Base
      end
    end
-    def op_item_get(vault, item, fields, account:, session:)
+    def vault_items(from)
-      labels = fields.map { |field| "label=#{field}" }.join(",")
+      from = from.delete_prefix("op://")
-      options = to_options(vault: vault, fields: labels, format: "json", account: account, session: session.presence)
+      vault, item = from.split("/")
      { vault => [ item ] }
    end
-      `op item get #{item.shellescape} #{options}`.tap do
+    def fields_map(fields_json)
-        raise RuntimeError, "Could not read #{fields.join(", ")} from #{item} in the #{vault} 1Password vault" unless $?.success?
+      fields_json.to_h do |field_json|
        # The reference is in the form `op://vault/item/field[/field]`
        field = field_json["reference"].delete_prefix("op://").delete_suffix("/password")
        [ field, field_json["value"] ]
      end
    end
    def op_item_get(vault, item, fields: nil, account:, session:)
      options = { vault: vault, format: "json", account: account, session: session.presence }
      if fields.present?
        labels = fields.map { |field| "label=#{field}" }.join(",")
        options.merge!(fields: labels)
      end
      `op item get #{item.shellescape} #{to_options(**options)}`.tap do
        raise RuntimeError, "Could not read #{"#{fields.join(", ")} " if fields.present?}from #{item} in the #{vault} 1Password vault" unless $?.success?
      end
    end
--- a/lib/kamal/secrets/adapters/passbolt.rb
+++ b/lib/kamal/secrets/adapters/passbolt.rb
@@ -0,0 +1,130 @@
 class Kamal::Secrets::Adapters::Passbolt < Kamal::Secrets::Adapters::Base
  def requires_account?
    false
  end
  private
    def login(*)
      `passbolt verify`
      raise RuntimeError, "Failed to login to Passbolt" unless $?.success?
    end
    def fetch_secrets(secrets, from:, **)
      secrets = prefixed_secrets(secrets, from: from)
      raise ArgumentError, "No secrets given to fetch" if secrets.empty?
      secret_names = secrets.collect { |s| s.split("/").last }
      folders = secrets_get_folders(secrets)
      # build filter conditions for each secret with its corresponding folder
      filter_conditions = []
      secrets.each do |secret|
        parts = secret.split("/")
        secret_name = parts.last
        if parts.size > 1
          # get the folder path without the secret name
          folder_path = parts[0..-2]
          # find the most nested folder for this path
          current_folder = nil
          current_path = []
          folder_path.each do |folder_name|
            current_path << folder_name
            matching_folders = folders.select { |f| get_folder_path(f, folders) == current_path.join("/") }
            current_folder = matching_folders.first if matching_folders.any?
          end
          if current_folder
            filter_conditions << "(Name == #{secret_name.shellescape.inspect} && FolderParentID == #{current_folder["id"].shellescape.inspect})"
          end
        else
          # for root level secrets (no folders)
          filter_conditions << "Name == #{secret_name.shellescape.inspect}"
        end
      end
      filter_condition = filter_conditions.any? ? "--filter '#{filter_conditions.join(" || ")}'" : ""
      items = `passbolt list resources #{filter_condition} #{folders.map { |item| "--folder #{item["id"]}" }.join(" ")} --json`
      raise RuntimeError, "Could not read #{secrets} from Passbolt" unless $?.success?
      items = JSON.parse(items)
      found_names = items.map { |item| item["name"] }
      missing_secrets = secret_names - found_names
      raise RuntimeError, "Could not find the following secrets in Passbolt: #{missing_secrets.join(", ")}" if missing_secrets.any?
      items.to_h { |item| [ item["name"], item["password"] ] }
    end
    def secrets_get_folders(secrets)
      # extract all folder paths (both parent and nested)
      folder_paths = secrets
        .select { |s| s.include?("/") }
        .map { |s| s.split("/")[0..-2] } # get all parts except the secret name
        .uniq
      return [] if folder_paths.empty?
      all_folders = []
      # first get all top-level folders
      parent_folders = folder_paths.map(&:first).uniq
      filter_condition = "--filter '#{parent_folders.map { |name| "Name == #{name.shellescape.inspect}" }.join(" || ")}'"
      fetch_folders = `passbolt list folders #{filter_condition} --json`
      raise RuntimeError, "Could not read folders from Passbolt" unless $?.success?
      parent_folder_items = JSON.parse(fetch_folders)
      all_folders.concat(parent_folder_items)
      # get nested folders for each parent
      folder_paths.each do |path|
        next if path.size <= 1 # skip non-nested folders
        parent = path[0]
        parent_folder = parent_folder_items.find { |f| f["name"] == parent }
        next unless parent_folder
        # for each nested level, get the folders using the parent's ID
        current_parent = parent_folder
        path[1..-1].each do |folder_name|
          filter_condition = "--filter 'Name == #{folder_name.shellescape.inspect} && FolderParentID == #{current_parent["id"].shellescape.inspect}'"
          fetch_nested = `passbolt list folders #{filter_condition} --json`
          next unless $?.success?
          nested_folders = JSON.parse(fetch_nested)
          break if nested_folders.empty?
          all_folders.concat(nested_folders)
          current_parent = nested_folders.first
        end
      end
      # check if we found all required folders
      found_paths = all_folders.map { |f| get_folder_path(f, all_folders) }
      missing_paths = folder_paths.map { |path| path.join("/") } - found_paths
      raise RuntimeError, "Could not find the following folders in Passbolt: #{missing_paths.join(", ")}" if missing_paths.any?
      all_folders
    end
    def get_folder_path(folder, all_folders, path = [])
      path.unshift(folder["name"])
      return path.join("/") if folder["folder_parent_id"].to_s.empty?
      parent = all_folders.find { |f| f["id"] == folder["folder_parent_id"] }
      return path.join("/") unless parent
      get_folder_path(parent, all_folders, path)
    end
    def check_dependencies!
      raise RuntimeError, "Passbolt CLI is not installed" unless cli_installed?
    end
    def cli_installed?
      `passbolt --version 2> /dev/null`
      $?.success?
    end
 end
--- a/lib/kamal/secrets/dotenv/inline_command_substitution.rb
+++ b/lib/kamal/secrets/dotenv/inline_command_substitution.rb
@@ -4,7 +4,7 @@ class Kamal::Secrets::Dotenv::InlineCommandSubstitution
      ::Dotenv::Parser.substitutions.map! { |sub| sub == ::Dotenv::Substitutions::Command ? self : sub }
    end
-    def call(value, _env, overwrite: false)
+    def call(value, env, overwrite: false)
      # Process interpolated shell commands
      value.gsub(Dotenv::Substitutions::Command.singleton_class::INTERPOLATED_SHELL_COMMAND) do |*|
        # Eliminate opening and closing parentheses
@@ -14,6 +14,7 @@ class Kamal::Secrets::Dotenv::InlineCommandSubstitution
          # Command is escaped, don't replace it.
          $LAST_MATCH_INFO[0][1..]
        else
          command = ::Dotenv::Substitutions::Variable.call(command, env)
          if command =~ /\A\s*kamal\s*secrets\s+/
            # Inline the command
            inline_secrets_command(command)
--- a/lib/kamal/version.rb
+++ b/lib/kamal/version.rb
@@ -1,3 +1,3 @@
 module Kamal
-  VERSION = "2.5.3"
+  VERSION = "2.7.0"
 end
--- a/test/cli/accessory_test.rb
+++ b/test/cli/accessory_test.rb
@@ -15,7 +15,7 @@ class CliAccessoryTest < CliTestCase
    run_command("boot", "mysql").tap do |output|
      assert_match "docker login private.registry -u [REDACTED] -p [REDACTED] on 1.1.1.3", output
-      assert_match "docker run --name app-mysql --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 3306:3306 --env MYSQL_ROOT_HOST=\"%\" --env-file .kamal/apps/app/env/accessories/mysql.env --volume $PWD/app-mysql/etc/mysql/my.cnf:/etc/mysql/my.cnf --volume $PWD/app-mysql/data:/var/lib/mysql --label service=\"app-mysql\" private.registry/mysql:5.7 on 1.1.1.3", output
+      assert_match "docker run --name app-mysql --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 3306:3306 --env KAMAL_HOST=\"1.1.1.3\" --env MYSQL_ROOT_HOST=\"%\" --env-file .kamal/apps/app/env/accessories/mysql.env --volume $PWD/app-mysql/etc/mysql/my.cnf:/etc/mysql/my.cnf --volume $PWD/app-mysql/data:/var/lib/mysql --label service=\"app-mysql\" private.registry/mysql:5.7 on 1.1.1.3", output
    end
  end
@@ -35,10 +35,10 @@ class CliAccessoryTest < CliTestCase
      assert_match /docker network create kamal.*on 1.1.1.1/, output
      assert_match /docker network create kamal.*on 1.1.1.2/, output
      assert_match /docker network create kamal.*on 1.1.1.3/, output
-      assert_match "docker run --name app-mysql --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 3306:3306 --env MYSQL_ROOT_HOST=\"%\" --env-file .kamal/apps/app/env/accessories/mysql.env --volume $PWD/app-mysql/etc/mysql/my.cnf:/etc/mysql/my.cnf --volume $PWD/app-mysql/data:/var/lib/mysql --label service=\"app-mysql\" private.registry/mysql:5.7 on 1.1.1.3", output
+      assert_match "docker run --name app-mysql --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 3306:3306 --env KAMAL_HOST=\"1.1.1.3\" --env MYSQL_ROOT_HOST=\"%\" --env-file .kamal/apps/app/env/accessories/mysql.env --volume $PWD/app-mysql/etc/mysql/my.cnf:/etc/mysql/my.cnf --volume $PWD/app-mysql/data:/var/lib/mysql --label service=\"app-mysql\" private.registry/mysql:5.7 on 1.1.1.3", output
-      assert_match "docker run --name app-redis --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 6379:6379 --env-file .kamal/apps/app/env/accessories/redis.env --volume $PWD/app-redis/data:/data --label service=\"app-redis\" redis:latest on 1.1.1.1", output
+      assert_match "docker run --name app-redis --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 6379:6379 --env KAMAL_HOST=\"1.1.1.1\" --env-file .kamal/apps/app/env/accessories/redis.env --volume $PWD/app-redis/data:/data --label service=\"app-redis\" redis:latest on 1.1.1.1", output
-      assert_match "docker run --name app-redis --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 6379:6379 --env-file .kamal/apps/app/env/accessories/redis.env --volume $PWD/app-redis/data:/data --label service=\"app-redis\" redis:latest on 1.1.1.2", output
+      assert_match "docker run --name app-redis --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 6379:6379 --env KAMAL_HOST=\"1.1.1.2\" --env-file .kamal/apps/app/env/accessories/redis.env --volume $PWD/app-redis/data:/data --label service=\"app-redis\" redis:latest on 1.1.1.2", output
-      assert_match "docker run --name custom-box --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --env-file .kamal/apps/app/env/accessories/busybox.env --label service=\"custom-box\" other.registry/busybox:latest on 1.1.1.3", output
+      assert_match "docker run --name custom-box --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --env KAMAL_HOST=\"1.1.1.3\" --env-file .kamal/apps/app/env/accessories/busybox.env --label service=\"custom-box\" other.registry/busybox:latest on 1.1.1.3", output
    end
  end
@@ -115,6 +115,7 @@ class CliAccessoryTest < CliTestCase
  test "exec" do
    run_command("exec", "mysql", "mysql -v").tap do |output|
      assert_match "docker login private.registry -u [REDACTED] -p [REDACTED]", output
      assert_match "Launching command from new container", output
      assert_match "mysql -v", output
    end
@@ -214,8 +215,8 @@ class CliAccessoryTest < CliTestCase
    run_command("boot", "redis", "--hosts", "1.1.1.1").tap do |output|
      assert_match "docker login private.registry -u [REDACTED] -p [REDACTED] on 1.1.1.1", output
      assert_no_match "docker login private.registry -u [REDACTED] -p [REDACTED] on 1.1.1.2", output
-      assert_match "docker run --name app-redis --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 6379:6379 --env-file .kamal/apps/app/env/accessories/redis.env --volume $PWD/app-redis/data:/data --label service=\"app-redis\" redis:latest on 1.1.1.1", output
+      assert_match "docker run --name app-redis --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 6379:6379 --env KAMAL_HOST=\"1.1.1.1\" --env-file .kamal/apps/app/env/accessories/redis.env --volume $PWD/app-redis/data:/data --label service=\"app-redis\" redis:latest on 1.1.1.1", output
-      assert_no_match "docker run --name app-redis --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 6379:6379 --env-file .kamal/apps/app/env/accessories/redis.env --volume $PWD/app-redis/data:/data --label service=\"app-redis\" redis:latest on 1.1.1.2", output
+      assert_no_match /docker run --name app-redis .* on 1.1.1.2/, output
    end
  end
@@ -226,8 +227,8 @@ class CliAccessoryTest < CliTestCase
    run_command("boot", "redis", "--hosts", "1.1.1.1,1.1.1.3").tap do |output|
      assert_match "docker login private.registry -u [REDACTED] -p [REDACTED] on 1.1.1.1", output
      assert_no_match "docker login private.registry -u [REDACTED] -p [REDACTED] on 1.1.1.3", output
-      assert_match "docker run --name app-redis --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 6379:6379 --env-file .kamal/apps/app/env/accessories/redis.env --volume $PWD/app-redis/data:/data --label service=\"app-redis\" redis:latest on 1.1.1.1", output
+      assert_match "docker run --name app-redis --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 6379:6379 --env KAMAL_HOST=\"1.1.1.1\" --env-file .kamal/apps/app/env/accessories/redis.env --volume $PWD/app-redis/data:/data --label service=\"app-redis\" redis:latest on 1.1.1.1", output
-      assert_no_match "docker run --name app-redis --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 6379:6379 --env-file .kamal/apps/app/env/accessories/redis.env --volume $PWD/app-redis/data:/data --label service=\"app-redis\" redis:latest on 1.1.1.3", output
+      assert_no_match /docker run --name app-redis .* on 1.1.1.3/, output
    end
  end
@@ -236,7 +237,7 @@ class CliAccessoryTest < CliTestCase
      assert_match "Upgrading all accessories on 1.1.1.3,1.1.1.1,1.1.1.2...", output
      assert_match "docker network create kamal on 1.1.1.3", output
      assert_match "docker container stop app-mysql on 1.1.1.3", output
-      assert_match "docker run --name app-mysql --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 3306:3306 --env MYSQL_ROOT_HOST="%" --env-file .kamal/apps/app/env/accessories/mysql.env --volume $PWD/app-mysql/etc/mysql/my.cnf:/etc/mysql/my.cnf --volume $PWD/app-mysql/data:/var/lib/mysql --label service=\"app-mysql\" private.registry/mysql:5.7 on 1.1.1.3", output
+      assert_match "docker run --name app-mysql --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 3306:3306 --env KAMAL_HOST=\"1.1.1.3\" --env MYSQL_ROOT_HOST="%" --env-file .kamal/apps/app/env/accessories/mysql.env --volume $PWD/app-mysql/etc/mysql/my.cnf:/etc/mysql/my.cnf --volume $PWD/app-mysql/data:/var/lib/mysql --label service=\"app-mysql\" private.registry/mysql:5.7 on 1.1.1.3", output
      assert_match "Upgraded all accessories on 1.1.1.3,1.1.1.1,1.1.1.2...", output
    end
  end
@@ -246,11 +247,24 @@ class CliAccessoryTest < CliTestCase
      assert_match "Upgrading all accessories on 1.1.1.3...", output
      assert_match "docker network create kamal on 1.1.1.3", output
      assert_match "docker container stop app-mysql on 1.1.1.3", output
-      assert_match "docker run --name app-mysql --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 3306:3306 --env MYSQL_ROOT_HOST="%" --env-file .kamal/apps/app/env/accessories/mysql.env --volume $PWD/app-mysql/etc/mysql/my.cnf:/etc/mysql/my.cnf --volume $PWD/app-mysql/data:/var/lib/mysql --label service=\"app-mysql\" private.registry/mysql:5.7 on 1.1.1.3", output
+      assert_match "docker run --name app-mysql --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 3306:3306 --env KAMAL_HOST=\"1.1.1.3\" --env MYSQL_ROOT_HOST="%" --env-file .kamal/apps/app/env/accessories/mysql.env --volume $PWD/app-mysql/etc/mysql/my.cnf:/etc/mysql/my.cnf --volume $PWD/app-mysql/data:/var/lib/mysql --label service=\"app-mysql\" private.registry/mysql:5.7 on 1.1.1.3", output
      assert_match "Upgraded all accessories on 1.1.1.3", output
    end
  end
  test "boot with web role filter" do
    run_command("boot", "redis", "-r", "web").tap do |output|
      assert_match "docker run --name app-redis --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 6379:6379 --env KAMAL_HOST=\"1.1.1.1\" --env-file .kamal/apps/app/env/accessories/redis.env --volume $PWD/app-redis/data:/data --label service=\"app-redis\" redis:latest on 1.1.1.1", output
      assert_match "docker run --name app-redis --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 6379:6379 --env KAMAL_HOST=\"1.1.1.2\" --env-file .kamal/apps/app/env/accessories/redis.env --volume $PWD/app-redis/data:/data --label service=\"app-redis\" redis:latest on 1.1.1.2", output
    end
  end
  test "boot with workers role filter" do
    run_command("boot", "redis", "-r", "workers").tap do |output|
      assert_no_match "docker run", output
    end
  end
  private
    def run_command(*command)
      stdouted { Kamal::Cli::Accessory.start([ *command, "-c", "test/fixtures/deploy_with_accessories_with_different_registries.yml" ]) }
--- a/test/cli/app_test.rb
+++ b/test/cli/app_test.rb
@@ -104,7 +104,7 @@ class CliAppTest < CliTestCase
    run_command("boot", config: :with_env_tags).tap do |output|
      assert_match "docker tag dhh/app:latest dhh/app:latest", output
-      assert_match %r{docker run --detach --restart unless-stopped --name app-web-latest --network kamal --hostname 1.1.1.1-[0-9a-f]{12} -e KAMAL_CONTAINER_NAME="app-web-latest" -e KAMAL_VERSION="latest" --env TEST="root" --env EXPERIMENT="disabled" --env SITE="site1"}, output
+      assert_match %r{docker run --detach --restart unless-stopped --name app-web-latest --network kamal --hostname 1.1.1.1-[0-9a-f]{12} --env KAMAL_CONTAINER_NAME="app-web-latest" --env KAMAL_VERSION="latest" --env KAMAL_HOST="1.1.1.1" --env TEST="root" --env EXPERIMENT="disabled" --env SITE="site1"}, output
      assert_match "docker container ls --all --filter name=^app-web-123$ --quiet | xargs docker stop", output
    end
  end
@@ -192,6 +192,49 @@ class CliAppTest < CliTestCase
    Thread.report_on_exception = true
  end
  test "boot with only workers" do
    Object.any_instance.stubs(:sleep)
    SSHKit::Backend::Abstract.any_instance.stubs(:capture_with_info).returns("123") # old version
    SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
      .with(:docker, :container, :ls, "--all", "--filter", "name=^app-workers-latest$", "--quiet", "|", :xargs, :docker, :inspect, "--format", "'{{if .State.Health}}{{.State.Health.Status}}{{else}}{{.State.Status}}{{end}}'")
      .returns("running").at_least_once # workers health check
    run_command("boot", config: :with_only_workers, host: nil).tap do |output|
      assert_match /First workers container is healthy on 1.1.1.\d, booting any other roles/, output
      assert_no_match "kamal-proxy", output
    end
  end
  test "boot with error pages" do
    with_error_pages(directory: "public") do
      stub_running
      run_command("boot", config: :with_error_pages).tap do |output|
        assert_match /Uploading .*kamal-error-pages.*\/latest to \.kamal\/proxy\/apps-config\/app\/error_pages/, output
        assert_match "docker tag dhh/app:latest dhh/app:latest", output
        assert_match /docker run --detach --restart unless-stopped --name app-web-latest --network kamal --hostname 1.1.1.1-[0-9a-f]{12} /, output
        assert_match "docker container ls --all --filter name=^app-web-123$ --quiet | xargs docker stop", output
        assert_match "Running /usr/bin/env find .kamal/proxy/apps-config/app/error_pages -mindepth 1 -maxdepth 1 ! -name latest -exec rm -rf {} + on 1.1.1.1", output
      end
    end
  end
  test "boot with custom ssl certificate" do
    Kamal::Configuration::Proxy.any_instance.stubs(:custom_ssl_certificate?).returns(true)
    Kamal::Configuration::Proxy.any_instance.stubs(:certificate_pem_content).returns("CERTIFICATE CONTENT")
    Kamal::Configuration::Proxy.any_instance.stubs(:private_key_pem_content).returns("PRIVATE KEY CONTENT")
    stub_running
    run_command("boot", config: :with_proxy).tap do |output|
      assert_match "Writing SSL certificates for web on 1.1.1.1", output
      assert_match "mkdir -p .kamal/proxy/apps-config/app/tls", output
      assert_match "Uploading \"CERTIFICATE CONTENT\" to .kamal/proxy/apps-config/app/tls/web/cert.pem", output
      assert_match "--tls-certificate-path=\"/home/kamal-proxy/.apps-config/app/tls/web/cert.pem\"", output
      assert_match "--tls-private-key-path=\"/home/kamal-proxy/.apps-config/app/tls/web/key.pem\"", output
    end
  end
  test "start" do
    SSHKit::Backend::Abstract.any_instance.stubs(:capture_with_info).returns("999") # old version
@@ -244,9 +287,11 @@ class CliAppTest < CliTestCase
  test "remove" do
    run_command("remove").tap do |output|
-      assert_match /#{Regexp.escape("sh -c 'docker ps --latest --quiet --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting --filter ancestor=$(docker image ls --filter reference=dhh/app:latest --format '\\''{{.ID}}'\\'') ; docker ps --latest --quiet --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting' | head -1 | xargs docker stop")}/, output
+      assert_match "sh -c 'docker ps --latest --quiet --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting --filter ancestor=$(docker image ls --filter reference=dhh/app:latest --format '\\''{{.ID}}'\\'') ; docker ps --latest --quiet --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting' | head -1 | xargs docker stop", output
-      assert_match /#{Regexp.escape("docker container prune --force --filter label=service=app")}/, output
+      assert_match "docker container prune --force --filter label=service=app", output
-      assert_match /#{Regexp.escape("docker image prune --all --force --filter label=service=app")}/, output
+      assert_match "docker image prune --all --force --filter label=service=app", output
      assert_match "rm -r .kamal/apps/app on 1.1.1.1", output
      assert_match "rm -r .kamal/proxy/apps-config/app on 1.1.1.1", output
    end
  end
@@ -268,12 +313,27 @@ class CliAppTest < CliTestCase
    end
  end
  test "remove_app_directories" do
    run_command("remove_app_directories").tap do |output|
      assert_match "rm -r .kamal/apps/app on 1.1.1.1", output
      assert_match "rm -r .kamal/proxy/apps-config/app on 1.1.1.1", output
    end
  end
  test "exec" do
    run_command("exec", "ruby -v").tap do |output|
      assert_match "docker login -u [REDACTED] -p [REDACTED]", output
      assert_match "docker run --rm --network kamal --env-file .kamal/apps/app/env/roles/web.env --log-opt max-size=\"10m\" dhh/app:latest ruby -v", output
    end
  end
  test "exec without command fails" do
    error = assert_raises(ArgumentError, "Exec requires a command to be specified") do
      run_command("exec")
    end
    assert_equal "No command provided. You must specify a command to execute.", error.message
  end
  test "exec separate arguments" do
    run_command("exec", "ruby", " -v").tap do |output|
      assert_match "docker run --rm --network kamal --env-file .kamal/apps/app/env/roles/web.env --log-opt max-size=\"10m\" dhh/app:latest ruby -v", output
@@ -312,21 +372,45 @@ class CliAppTest < CliTestCase
  end
  test "exec interactive" do
    Kamal::Commands::Hook.any_instance.stubs(:hook_exists?).returns(true)
    SSHKit::Backend::Abstract.any_instance.expects(:exec)
      .with("ssh -t root@1.1.1.1 -p 22 'docker run -it --rm --network kamal --env-file .kamal/apps/app/env/roles/web.env --log-opt max-size=\"10m\" dhh/app:latest ruby -v'")
-    run_command("exec", "-i", "ruby -v").tap do |output|
+
-      assert_match "Get most recent version available as an image...", output
+    stub_stdin_tty do
-      assert_match "Launching interactive command with version latest via SSH from new container on 1.1.1.1...", output
+      run_command("exec", "-i", "ruby -v").tap do |output|
        assert_hook_ran "pre-connect", output
        assert_match "docker login -u [REDACTED] -p [REDACTED]", output
        assert_match "Get most recent version available as an image...", output
        assert_match "Launching interactive command with version latest via SSH from new container on 1.1.1.1...", output
      end
    end
  end
  test "exec interactive with reuse" do
    Kamal::Commands::Hook.any_instance.stubs(:hook_exists?).returns(true)
    SSHKit::Backend::Abstract.any_instance.expects(:exec)
      .with("ssh -t root@1.1.1.1 -p 22 'docker exec -it app-web-999 ruby -v'")
-    run_command("exec", "-i", "--reuse", "ruby -v").tap do |output|
+
-      assert_match "Get current version of running container...", output
+    stub_stdin_tty do
-      assert_match "Running /usr/bin/env sh -c 'docker ps --latest --format '\\''{{.Names}}'\\'' --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting --filter ancestor=$(docker image ls --filter reference=dhh/app:latest --format '\\''{{.ID}}'\\'') ; docker ps --latest --format '\\''{{.Names}}'\\'' --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting' | head -1 | while read line; do echo ${line#app-web-}; done on 1.1.1.1", output
+      run_command("exec", "-i", "--reuse", "ruby -v").tap do |output|
-      assert_match "Launching interactive command with version 999 via SSH from existing container on 1.1.1.1...", output
+        assert_hook_ran "pre-connect", output
        assert_match "Get current version of running container...", output
        assert_match "Running /usr/bin/env sh -c 'docker ps --latest --format '\\''{{.Names}}'\\'' --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting --filter ancestor=$(docker image ls --filter reference=dhh/app:latest --format '\\''{{.ID}}'\\'') ; docker ps --latest --format '\\''{{.Names}}'\\'' --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting' | head -1 | while read line; do echo ${line#app-web-}; done on 1.1.1.1", output
        assert_match "Launching interactive command with version 999 via SSH from existing container on 1.1.1.1...", output
      end
    end
  end
  test "exec interactive with pipe on STDIN" do
    Kamal::Commands::Hook.any_instance.stubs(:hook_exists?).returns(true)
    SSHKit::Backend::Abstract.any_instance.expects(:exec)
      .with("ssh -t root@1.1.1.1 -p 22 'docker exec -i app-web-999 ruby -v'")
    stub_stdin_file do
      run_command("exec", "-i", "--reuse", "ruby -v").tap do |output|
        assert_hook_ran "pre-connect", output
        assert_match "Launching interactive command with version 999 via SSH from existing container on 1.1.1.1...", output
      end
    end
  end
@@ -422,7 +506,7 @@ class CliAppTest < CliTestCase
    run_command("boot", config: :with_proxy).tap do |output|
      assert_match /Renaming container .* to .* as already deployed on 1.1.1.1/, output # Rename
      assert_match /docker rename app-web-latest app-web-latest_replaced_[0-9a-f]{16}/, output
-      assert_match /docker run --detach --restart unless-stopped --name app-web-latest --network kamal --hostname 1.1.1.1-[0-9a-f]{12} -e KAMAL_CONTAINER_NAME="app-web-latest" -e KAMAL_VERSION="latest" --env-file .kamal\/apps\/app\/env\/roles\/web.env --log-opt max-size="10m" --label service="app" --label role="web" --label destination dhh\/app:latest/, output
+      assert_match /docker run --detach --restart unless-stopped --name app-web-latest --network kamal --hostname 1.1.1.1-[0-9a-f]{12} --env KAMAL_CONTAINER_NAME="app-web-latest" --env KAMAL_VERSION="latest" --env KAMAL_HOST="1.1.1.1" --env-file .kamal\/apps\/app\/env\/roles\/web.env --log-opt max-size="10m" --label service="app" --label role="web" --label destination dhh\/app:latest/, output
      assert_match /docker exec kamal-proxy kamal-proxy deploy app-web --target="123:80"/, output
      assert_match "docker container ls --all --filter name=^app-web-123$ --quiet | xargs docker stop", output
    end
@@ -437,6 +521,24 @@ class CliAppTest < CliTestCase
    end
  end
  test "live" do
    run_command("live").tap do |output|
      assert_match "docker exec kamal-proxy kamal-proxy resume app-web on 1.1.1.1", output
    end
  end
  test "maintenance" do
    run_command("maintenance").tap do |output|
      assert_match "docker exec kamal-proxy kamal-proxy stop app-web --drain-timeout=\"30s\" on 1.1.1.1", output
    end
  end
  test "maintenance with options" do
    run_command("maintenance", "--message", "Hello", "--drain_timeout", "10").tap do |output|
      assert_match "docker exec kamal-proxy kamal-proxy stop app-web --drain-timeout=\"10s\" --message=\"Hello\" on 1.1.1.1", output
    end
  end
  private
    def run_command(*command, config: :with_accessories, host: "1.1.1.1", allow_execute_error: false)
      stdouted do
--- a/test/cli/build_test.rb
+++ b/test/cli/build_test.rb
@@ -21,11 +21,30 @@ class CliBuildTest < CliTestCase
        .returns("")
      run_command("push", "--verbose").tap do |output|
        assert_hook_ran "pre-connect", output
        assert_hook_ran "pre-build", output
        assert_match /Cloning repo into build directory/, output
        assert_match /git -C #{Dir.tmpdir}\/kamal-clones\/app-#{pwd_sha} clone #{Dir.pwd}/, output
        assert_match /docker --version && docker buildx version/, output
-        assert_match /docker buildx build --output=type=registry --platform linux\/amd64 --builder kamal-local-docker-container -t dhh\/app:999 -t dhh\/app:latest --label service="app" --file Dockerfile \. as .*@localhost/, output
+        assert_match /docker buildx build --output=type=registry --platform linux\/amd64 --builder kamal-local-docker-container -t dhh\/app:999 -t dhh\/app:latest --label service="app" --file Dockerfile \. 2>&1 as .*@localhost/, output
      end
    end
  end
  test "push with remote builder checks both the builder and the remote context" do
    with_build_directory do |build_directory|
      Kamal::Commands::Hook.any_instance.stubs(:hook_exists?).returns(true)
      SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
        .with(:git, "-C", anything, :"rev-parse", :HEAD)
        .returns(Kamal::Git.revision)
      SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
        .with(:git, "-C", anything, :status, "--porcelain")
        .returns("")
      run_command("push", "--verbose", fixture: :with_remote_builder).tap do |output|
        assert_match "docker buildx inspect kamal-remote-ssh---app-1-1-1-5 | grep -q Endpoint:.*kamal-remote-ssh---app-1-1-1-5-context && docker context inspect kamal-remote-ssh---app-1-1-1-5-context --format '{{.Endpoints.docker.Host}}' | grep -xq ssh://app@1.1.1.5 || (echo no compatible builder && exit 1)", output
      end
    end
  end
@@ -47,7 +66,7 @@ class CliBuildTest < CliTestCase
        assert_match /Cloning repo into build directory/, output
        assert_match /git -C #{Dir.tmpdir}\/kamal-clones\/app-#{pwd_sha} clone #{Dir.pwd}/, output
        assert_match /docker --version && docker buildx version/, output
-        assert_match /docker buildx build --output=type=docker --platform linux\/amd64 --builder kamal-local-docker-container -t dhh\/app:999 -t dhh\/app:latest --label service="app" --file Dockerfile \. as .*@localhost/, output
+        assert_match /docker buildx build --output=type=docker --platform linux\/amd64 --builder kamal-local-docker-container -t dhh\/app:999 -t dhh\/app:latest --label service="app" --file Dockerfile \. 2>&1 as .*@localhost/, output
      end
    end
  end
@@ -57,6 +76,7 @@ class CliBuildTest < CliTestCase
      stub_setup
      SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:docker, "--version", "&&", :docker, :buildx, "version")
      SSHKit::Backend::Abstract.any_instance.stubs(:execute).with { |*args| args[0..1] == [ :docker, :login ] }
      SSHKit::Backend::Abstract.any_instance.expects(:execute)
        .with(:git, "-C", "#{Dir.tmpdir}/kamal-clones/app-#{pwd_sha}", :clone, Dir.pwd, "--recurse-submodules")
@@ -70,7 +90,7 @@ class CliBuildTest < CliTestCase
      SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:git, "-C", build_directory, :submodule, :update, "--init")
      SSHKit::Backend::Abstract.any_instance.expects(:execute)
-        .with(:docker, :buildx, :build, "--output=type=registry", "--platform", "linux/amd64", "--builder", "kamal-local-docker-container", "-t", "dhh/app:999", "-t", "dhh/app:latest", "--label", "service=\"app\"", "--file", "Dockerfile", ".")
+        .with(:docker, :buildx, :build, "--output=type=registry", "--platform", "linux/amd64", "--builder", "kamal-local-docker-container", "-t", "dhh/app:999", "-t", "dhh/app:latest", "--label", "service=\"app\"", "--file", "Dockerfile", ".", "2>&1")
      SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
        .with(:git, "-C", anything, :"rev-parse", :HEAD)
@@ -94,7 +114,7 @@ class CliBuildTest < CliTestCase
      assert_no_match /Cloning repo into build directory/, output
      assert_hook_ran "pre-build", output
      assert_match /docker --version && docker buildx version/, output
-      assert_match /docker buildx build --output=type=registry --platform linux\/amd64 --builder kamal-local-docker-container -t dhh\/app:999 -t dhh\/app:latest --label service="app" --file Dockerfile . as .*@localhost/, output
+      assert_match /docker buildx build --output=type=registry --platform linux\/amd64 --builder kamal-local-docker-container -t dhh\/app:999 -t dhh\/app:latest --label service="app" --file Dockerfile . 2>&1 as .*@localhost/, output
    end
  end
@@ -103,6 +123,7 @@ class CliBuildTest < CliTestCase
      stub_setup
      SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:docker, "--version", "&&", :docker, :buildx, "version")
      SSHKit::Backend::Abstract.any_instance.stubs(:execute).with { |*args| args[0..1] == [ :docker, :login ] }
      SSHKit::Backend::Abstract.any_instance.expects(:execute)
        .with(:git, "-C", "#{Dir.tmpdir}/kamal-clones/app-#{pwd_sha}", :clone, Dir.pwd, "--recurse-submodules")
@@ -132,6 +153,48 @@ class CliBuildTest < CliTestCase
    end
  end
  test "push without builder for local registry" do
    with_build_directory do |build_directory|
      stub_setup
      SSHKit::Backend::Abstract.any_instance.expects(:execute)
        .with(:docker, "--version", "&&", :docker, :buildx, "version")
      SSHKit::Backend::Abstract.any_instance.stubs(:execute)
        .with { |*args| args[0..1] == [ :docker, :login ] }
      SSHKit::Backend::Abstract.any_instance.expects(:execute)
      .with(:docker, :start, "kamal-docker-registry", "||", :docker, :run, "--detach", "-p", "127.0.0.1:5000:5000", "--name", "kamal-docker-registry", "registry:3")
      SSHKit::Backend::Abstract.any_instance.expects(:execute)
        .with(:docker, :buildx, :rm, "kamal-local-registry-docker-container")
      SSHKit::Backend::Abstract.any_instance.expects(:execute)
        .with(:docker, :buildx, :create, "--name", "kamal-local-registry-docker-container", "--driver=docker-container --driver-opt network=host")
      SSHKit::Backend::Abstract.any_instance.expects(:execute)
        .with(:docker, :buildx, :inspect, "kamal-local-registry-docker-container")
        .raises(SSHKit::Command::Failed.new("no builder"))
      SSHKit::Backend::Abstract.any_instance.expects(:execute).with { |*args| args.first.to_s.start_with?("git") }
      SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
        .with(:git, "-C", anything, :"rev-parse", :HEAD)
        .returns(Kamal::Git.revision)
      SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
        .with(:git, "-C", anything, :status, "--porcelain")
        .returns("")
      SSHKit::Backend::Abstract.any_instance.expects(:execute)
        .with(:docker, :buildx, :build, "--output=type=registry", "--platform", "linux/amd64", "--builder", "kamal-local-registry-docker-container", "-t", "localhost:5000/dhh/app:999", "-t", "localhost:5000/dhh/app:latest", "--label", "service=\"app\"", "--file", "Dockerfile", ".", "2>&1")
      run_command("push", fixture: :with_local_registry_and_accessories).tap do |output|
        assert_match /WARN Missing compatible builder, so creating a new one first/, output
      end
    end
  end
  test "push without builder" do
    with_build_directory do |build_directory|
      stub_setup
@@ -139,6 +202,9 @@ class CliBuildTest < CliTestCase
      SSHKit::Backend::Abstract.any_instance.expects(:execute)
        .with(:docker, "--version", "&&", :docker, :buildx, "version")
      SSHKit::Backend::Abstract.any_instance.stubs(:execute)
        .with { |*args| args[0..1] == [ :docker, :login ] }
      SSHKit::Backend::Abstract.any_instance.expects(:execute)
        .with(:docker, :buildx, :rm, "kamal-local-docker-container")
@@ -160,7 +226,7 @@ class CliBuildTest < CliTestCase
        .returns("")
      SSHKit::Backend::Abstract.any_instance.expects(:execute)
-        .with(:docker, :buildx, :build, "--output=type=registry", "--platform", "linux/amd64", "--builder", "kamal-local-docker-container", "-t", "dhh/app:999", "-t", "dhh/app:latest", "--label", "service=\"app\"", "--file", "Dockerfile", ".")
+        .with(:docker, :buildx, :build, "--output=type=registry", "--platform", "linux/amd64", "--builder", "kamal-local-docker-container", "-t", "dhh/app:999", "-t", "dhh/app:latest", "--label", "service=\"app\"", "--file", "Dockerfile", ".", "2>&1")
      run_command("push").tap do |output|
        assert_match /WARN Missing compatible builder, so creating a new one first/, output
@@ -302,7 +368,7 @@ class CliBuildTest < CliTestCase
      run_command("dev", "--verbose").tap do |output|
        assert_no_match(/Cloning repo into build directory/, output)
        assert_match(/docker --version && docker buildx version/, output)
-        assert_match(/docker buildx build --output=type=docker --platform linux\/amd64 --builder kamal-local-docker-container -t dhh\/app:999-dirty -t dhh\/app:latest-dirty --label service="app" --file Dockerfile \. as .*@localhost/, output)
+        assert_match(/docker buildx build --output=type=docker --platform linux\/amd64 --builder kamal-local-docker-container -t dhh\/app:999-dirty -t dhh\/app:latest-dirty --label service="app" --file Dockerfile \. 2>&1 as .*@localhost/, output)
      end
    end
  end
@@ -314,14 +380,14 @@ class CliBuildTest < CliTestCase
      run_command("dev", "--output=local", "--verbose").tap do |output|
        assert_no_match(/Cloning repo into build directory/, output)
        assert_match(/docker --version && docker buildx version/, output)
-        assert_match(/docker buildx build --output=type=local --platform linux\/amd64 --builder kamal-local-docker-container -t dhh\/app:999-dirty -t dhh\/app:latest-dirty --label service="app" --file Dockerfile \. as .*@localhost/, output)
+        assert_match(/docker buildx build --output=type=local --platform linux\/amd64 --builder kamal-local-docker-container -t dhh\/app:999-dirty -t dhh\/app:latest-dirty --label service="app" --file Dockerfile \. 2>&1 as .*@localhost/, output)
      end
    end
  end
  private
    def run_command(*command, fixture: :with_accessories)
-      stdouted { Kamal::Cli::Build.start([ *command, "-c", "test/fixtures/deploy_#{fixture}.yml" ]) }
+      stdouted { stderred { Kamal::Cli::Build.start([ *command, "-c", "test/fixtures/deploy_#{fixture}.yml" ]) } }
    end
    def stub_dependency_checks
--- a/test/cli/main_test.rb
+++ b/test/cli/main_test.rb
@@ -21,7 +21,6 @@ class CliMainTest < CliTestCase
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:server:bootstrap", [], invoke_options)
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:accessory:boot", [ "all" ], invoke_options)
    # deploy
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:registry:login", [], invoke_options.merge(skip_local: true))
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:build:pull", [], invoke_options)
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:proxy:boot", [], invoke_options)
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:app:stale_containers", [], invoke_options.merge(stop: true))
@@ -32,7 +31,6 @@ class CliMainTest < CliTestCase
      assert_match /Ensure Docker is installed.../, output
      # deploy
      assert_match /Acquiring the deploy lock/, output
      assert_match /Log into image registry/, output
      assert_match /Pull app image/, output
      assert_match /Ensure kamal-proxy is running/, output
      assert_match /Detect stale containers/, output
@@ -41,11 +39,34 @@ class CliMainTest < CliTestCase
    end
  end
  test "deploy with local registry" do
    with_test_secrets("secrets" => "DB_PASSWORD=secret") do
      invoke_options = { "config_file" => "test/fixtures/deploy_with_local_registry.yml", "version" => "999", "skip_hooks" => false, "verbose" => true }
      Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:build:deliver", [], invoke_options)
      Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:proxy:boot", [], invoke_options)
      Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:app:stale_containers", [], invoke_options.merge(stop: true))
      Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:app:boot", [], invoke_options)
      Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:prune:all", [], invoke_options)
      Kamal::Commands::Hook.any_instance.stubs(:hook_exists?).returns(true)
      run_command("deploy", "--verbose", config_file: "deploy_with_local_registry").tap do |output|
        assert_hook_ran "pre-connect", output
        assert_match /Build and push app image/, output
        assert_hook_ran "pre-deploy", output
        assert_match /Ensure kamal-proxy is running/, output
        assert_match /Detect stale containers/, output
        assert_match /Prune old containers and images/, output
        assert_hook_ran "post-deploy", output
      end
    end
  end
  test "deploy" do
    with_test_secrets("secrets" => "DB_PASSWORD=secret") do
      invoke_options = { "config_file" => "test/fixtures/deploy_simple.yml", "version" => "999", "skip_hooks" => false, "verbose" => true }
      Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:registry:login", [], invoke_options.merge(skip_local: false))
      Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:build:deliver", [], invoke_options)
      Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:proxy:boot", [], invoke_options)
      Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:app:stale_containers", [], invoke_options.merge(stop: true))
@@ -56,7 +77,6 @@ class CliMainTest < CliTestCase
      run_command("deploy", "--verbose").tap do |output|
        assert_hook_ran "pre-connect", output
        assert_match /Log into image registry/, output
        assert_match /Build and push app image/, output
        assert_hook_ran "pre-deploy", output
        assert_match /Ensure kamal-proxy is running/, output
@@ -70,7 +90,6 @@ class CliMainTest < CliTestCase
  test "deploy with skip_push" do
    invoke_options = { "config_file" => "test/fixtures/deploy_simple.yml", "version" => "999", "skip_hooks" => false }
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:registry:login", [], invoke_options.merge(skip_local: true))
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:build:pull", [], invoke_options)
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:proxy:boot", [], invoke_options)
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:app:stale_containers", [], invoke_options.merge(stop: true))
@@ -79,7 +98,6 @@ class CliMainTest < CliTestCase
    run_command("deploy", "--skip_push").tap do |output|
      assert_match /Acquiring the deploy lock/, output
      assert_match /Log into image registry/, output
      assert_match /Pull app image/, output
      assert_match /Ensure kamal-proxy is running/, output
      assert_match /Detect stale containers/, output
@@ -122,6 +140,32 @@ class CliMainTest < CliTestCase
    end
  end
  test "deploy when inheriting lock" do
    Thread.report_on_exception = false
    invoke_options = { "config_file" => "test/fixtures/deploy_simple.yml", "version" => "999", "skip_hooks" => false }
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:build:deliver", [], invoke_options)
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:proxy:boot", [], invoke_options)
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:app:stale_containers", [], invoke_options.merge(stop: true))
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:app:boot", [], invoke_options)
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:prune:all", [], invoke_options)
    Kamal::Commands::Hook.any_instance.stubs(:hook_exists?).returns(true)
    with_kamal_lock_env do
      KAMAL.reset
      run_command("deploy").tap do |output|
        assert_no_match /Acquiring the deploy lock/, output
        assert_match /Build and push app image/, output
        assert_match /Ensure kamal-proxy is running/, output
        assert_match /Detect stale containers/, output
        assert_match /Prune old containers and images/, output
        assert_no_match /Releasing the deploy lock/, output
      end
    end
  end
  test "deploy error when locking" do
    Thread.report_on_exception = false
@@ -153,11 +197,11 @@ class CliMainTest < CliTestCase
    end
  end
-  test "deploy errors during outside section leave remove lock" do
+  test "deploy errors during outside section leave remote lock" do
-    invoke_options = { "config_file" => "test/fixtures/deploy_simple.yml", "version" => "999", "skip_hooks" => false, :skip_local => false }
+    invoke_options = { "config_file" => "test/fixtures/deploy_simple.yml", "version" => "999", "skip_hooks" => false }
    Kamal::Cli::Main.any_instance.expects(:invoke)
-      .with("kamal:cli:registry:login", [], invoke_options.merge(skip_local: false))
+      .with("kamal:cli:build:deliver", [], invoke_options)
      .raises(RuntimeError)
    assert_not KAMAL.holding_lock?
@@ -170,7 +214,6 @@ class CliMainTest < CliTestCase
  test "deploy with skipped hooks" do
    invoke_options = { "config_file" => "test/fixtures/deploy_simple.yml", "version" => "999", "skip_hooks" => true }
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:registry:login", [], invoke_options.merge(skip_local: false))
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:build:deliver", [], invoke_options)
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:proxy:boot", [], invoke_options)
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:app:stale_containers", [], invoke_options.merge(stop: true))
@@ -185,7 +228,6 @@ class CliMainTest < CliTestCase
  test "deploy with missing secrets" do
    invoke_options = { "config_file" => "test/fixtures/deploy_with_secrets.yml", "version" => "999", "skip_hooks" => false }
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:registry:login", [], invoke_options.merge(skip_local: false))
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:build:deliver", [], invoke_options)
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:proxy:boot", [], invoke_options)
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:app:stale_containers", [], invoke_options.merge(stop: true))
@@ -284,6 +326,16 @@ class CliMainTest < CliTestCase
    end
  end
  test "remove" do
    options = { "config_file" => "test/fixtures/deploy_simple.yml", "skip_hooks" => false, "confirmed" => true }
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:proxy:remove", [], options)
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:app:remove", [], options)
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:accessory:remove", [ "all" ], options)
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:registry:remove", [], options.merge(skip_local: true))
    run_command("remove", "-y")
  end
  test "details" do
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:proxy:details")
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:app:details")
@@ -570,4 +622,11 @@ class CliMainTest < CliTestCase
    def assert_file(file, content)
      assert_match content, File.read(file)
    end
    def with_kamal_lock_env
      ENV["KAMAL_LOCK"] = "true"
      yield
    ensure
      ENV.delete("KAMAL_LOCK")
    end
 end
--- a/test/cli/proxy_test.rb
+++ b/test/cli/proxy_test.rb
@@ -4,25 +4,26 @@ class CliProxyTest < CliTestCase
  test "boot" do
    run_command("boot").tap do |output|
      assert_match "docker login", output
-      assert_match "docker run --name kamal-proxy --network kamal --detach --restart unless-stopped --volume kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy $(cat .kamal/proxy/options || echo \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\") #{KAMAL.config.proxy_image}", output
+      assert_match "mkdir -p .kamal/proxy/apps-config", output
      assert_match "echo $(cat .kamal/proxy/options 2> /dev/null || echo \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\") $(cat .kamal/proxy/image 2> /dev/null || echo \"basecamp/kamal-proxy\"):$(cat .kamal/proxy/image_version 2> /dev/null || echo \"#{Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION}\") $(cat .kamal/proxy/run_command 2> /dev/null || echo \"\") | xargs docker run --name kamal-proxy --network kamal --detach --restart unless-stopped --volume kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy", output
    end
  end
  test "boot old version" do
    Thread.report_on_exception = false
    SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
-      .with(:docker, :inspect, "kamal-proxy", "--format '{{.Config.Image}}'", "|", :cut, "-d:", "-f2")
+      .with(:docker, :inspect, "kamal-proxy", "--format '{{.Config.Image}}'", "|", :awk, "-F:", "'{print $NF}'")
      .returns("v0.0.1")
      .at_least_once
    exception = assert_raises do
      run_command("boot").tap do |output|
        assert_match "docker login", output
-        assert_match "docker run --name kamal-proxy --network kamal --detach --restart unless-stopped --volume kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy $(cat .kamal/proxy/options || echo \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\") #{KAMAL.config.proxy_image}", output
+        assert_match "echo $(cat .kamal/proxy/options 2> /dev/null || echo \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\") $(cat .kamal/proxy/image 2> /dev/null || echo \"basecamp/kamal-proxy\"):$(cat .kamal/proxy/image_version 2> /dev/null || echo \"#{Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION}\") $(cat .kamal/proxy/run_command 2> /dev/null || echo \"\") | xargs docker run --name kamal-proxy --network kamal --detach --restart unless-stopped --volume kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy", output
      end
    end
-    assert_includes exception.message, "kamal-proxy version v0.0.1 is too old, run `kamal proxy reboot` in order to update to at least #{Kamal::Configuration::PROXY_MINIMUM_VERSION}"
+    assert_includes exception.message, "kamal-proxy version v0.0.1 is too old, run `kamal proxy reboot` in order to update to at least #{Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION}"
  ensure
    Thread.report_on_exception = false
  end
@@ -30,53 +31,33 @@ class CliProxyTest < CliTestCase
  test "boot correct version" do
    Thread.report_on_exception = false
    SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
-      .with(:docker, :inspect, "kamal-proxy", "--format '{{.Config.Image}}'", "|", :cut, "-d:", "-f2")
+      .with(:docker, :inspect, "kamal-proxy", "--format '{{.Config.Image}}'", "|", :awk, "-F:", "'{print $NF}'")
-      .returns(Kamal::Configuration::PROXY_MINIMUM_VERSION)
+      .returns(Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION)
      .at_least_once
    run_command("boot").tap do |output|
      assert_match "docker login", output
-      assert_match "docker container start kamal-proxy || docker run --name kamal-proxy --network kamal --detach --restart unless-stopped --volume kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy $(cat .kamal/proxy/options || echo \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\") #{KAMAL.config.proxy_image}", output
+      assert_match "docker container start kamal-proxy || echo $(cat .kamal/proxy/options 2> /dev/null || echo \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\") $(cat .kamal/proxy/image 2> /dev/null || echo \"basecamp/kamal-proxy\"):$(cat .kamal/proxy/image_version 2> /dev/null || echo \"#{Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION}\") $(cat .kamal/proxy/run_command 2> /dev/null || echo \"\") | xargs docker run --name kamal-proxy --network kamal --detach --restart unless-stopped --volume kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy", output
    end
  ensure
    Thread.report_on_exception = false
  end
  test "reboot" do
    SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
      .with(:docker, :container, :ls, "--all", "--filter", "name=^app-web-123$", "--quiet")
      .returns("abcdefabcdef")
      .at_least_once
    SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
      .with { |*args| args[0..1] == [ :sh, "-c" ] }
      .returns("123")
      .at_least_once
    run_command("reboot", "-y").tap do |output|
      assert_match "docker container stop kamal-proxy on 1.1.1.1", output
      assert_match "docker container prune --force --filter label=org.opencontainers.image.title=kamal-proxy on 1.1.1.1", output
-      assert_match "docker run --name kamal-proxy --network kamal --detach --restart unless-stopped --volume kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy $(cat .kamal/proxy/options || echo \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\") #{KAMAL.config.proxy_image} on 1.1.1.1", output
+      assert_match "mkdir -p .kamal/proxy/apps-config on 1.1.1.1", output
-      assert_match "docker exec kamal-proxy kamal-proxy deploy app-web --target=\"abcdefabcdef:80\" --deploy-timeout=\"6s\" --drain-timeout=\"30s\" --buffer-requests --buffer-responses --log-request-header=\"Cache-Control\" --log-request-header=\"Last-Modified\" --log-request-header=\"User-Agent\" on 1.1.1.1", output
+      assert_match "echo $(cat .kamal/proxy/options 2> /dev/null || echo \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\") $(cat .kamal/proxy/image 2> /dev/null || echo \"basecamp/kamal-proxy\"):$(cat .kamal/proxy/image_version 2> /dev/null || echo \"#{Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION}\") $(cat .kamal/proxy/run_command 2> /dev/null || echo \"\") | xargs docker run --name kamal-proxy --network kamal --detach --restart unless-stopped --volume kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy --volume $(pwd)/.kamal/proxy/apps-config:/home/kamal-proxy/.apps-config on 1.1.1.1", output
      assert_match "docker container stop kamal-proxy on 1.1.1.2", output
      assert_match "docker container prune --force --filter label=org.opencontainers.image.title=kamal-proxy on 1.1.1.2", output
-      assert_match "docker run --name kamal-proxy --network kamal --detach --restart unless-stopped --volume kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy $(cat .kamal/proxy/options || echo \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\") #{KAMAL.config.proxy_image} on 1.1.1.2", output
+      assert_match "mkdir -p .kamal/proxy/apps-config on 1.1.1.1", output
-      assert_match "docker exec kamal-proxy kamal-proxy deploy app-web --target=\"abcdefabcdef:80\" --deploy-timeout=\"6s\" --drain-timeout=\"30s\" --buffer-requests --buffer-responses --log-request-header=\"Cache-Control\" --log-request-header=\"Last-Modified\" --log-request-header=\"User-Agent\" on 1.1.1.2", output
+      assert_match "echo $(cat .kamal/proxy/options 2> /dev/null || echo \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\") $(cat .kamal/proxy/image 2> /dev/null || echo \"basecamp/kamal-proxy\"):$(cat .kamal/proxy/image_version 2> /dev/null || echo \"#{Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION}\") $(cat .kamal/proxy/run_command 2> /dev/null || echo \"\") | xargs docker run --name kamal-proxy --network kamal --detach --restart unless-stopped --volume kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy --volume $(pwd)/.kamal/proxy/apps-config:/home/kamal-proxy/.apps-config on 1.1.1.2", output
    end
  end
  test "reboot --rolling" do
    SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
      .with(:docker, :container, :ls, "--all", "--filter", "name=^app-web-123$", "--quiet")
      .returns("abcdefabcdef")
      .at_least_once
    SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
      .with { |*args| args[0..1] == [ :sh, "-c" ] }
      .returns("123")
      .at_least_once
    run_command("reboot", "--rolling", "-y").tap do |output|
      assert_match "Running docker container prune --force --filter label=org.opencontainers.image.title=kamal-proxy on 1.1.1.1", output
    end
@@ -179,8 +160,8 @@ class CliProxyTest < CliTestCase
    SSHKit::Backend::Abstract.any_instance.stubs(:capture_with_info).returns("12345678")
    SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
-      .with(:docker, :inspect, "kamal-proxy", "--format '{{.Config.Image}}'", "|", :cut, "-d:", "-f2")
+      .with(:docker, :inspect, "kamal-proxy", "--format '{{.Config.Image}}'", "|", :awk, "-F:", "'{print $NF}'")
-      .returns(Kamal::Configuration::PROXY_MINIMUM_VERSION)
+      .returns(Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION)
    SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
      .with(:docker, :container, :ls, "--all", "--filter", "name=^app-workers-latest$", "--quiet", "|", :xargs, :docker, :inspect, "--format", "'{{if .State.Health}}{{.State.Health.Status}}{{else}}{{.State.Status}}{{end}}'")
@@ -196,12 +177,12 @@ class CliProxyTest < CliTestCase
      assert_match "/usr/bin/env mkdir -p .kamal", output
      assert_match "docker network create kamal", output
      assert_match "docker login -u [REDACTED] -p [REDACTED]", output
-      assert_match "docker container start kamal-proxy || docker run --name kamal-proxy --network kamal --detach --restart unless-stopped --volume kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy $(cat .kamal/proxy/options || echo \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\") basecamp/kamal-proxy:#{Kamal::Configuration::PROXY_MINIMUM_VERSION}", output
+      assert_match "docker container start kamal-proxy || echo $(cat .kamal/proxy/options 2> /dev/null || echo \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\") $(cat .kamal/proxy/image 2> /dev/null || echo \"basecamp/kamal-proxy\"):$(cat .kamal/proxy/image_version 2> /dev/null || echo \"#{Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION}\") $(cat .kamal/proxy/run_command 2> /dev/null || echo \"\") | xargs docker run --name kamal-proxy --network kamal --detach --restart unless-stopped --volume kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy", output
      assert_match "/usr/bin/env mkdir -p .kamal", output
      assert_match %r{docker rename app-web-latest app-web-latest_replaced_.*}, output
      assert_match "/usr/bin/env mkdir -p .kamal/apps/app/env/roles", output
      assert_match "Uploading \"\\n\" to .kamal/apps/app/env/roles/web.env", output
-      assert_match %r{docker run --detach --restart unless-stopped --name app-web-latest --network kamal --hostname 1.1.1.1-.* -e KAMAL_CONTAINER_NAME="app-web-latest" -e KAMAL_VERSION="latest" --env-file .kamal/apps/app/env/roles/web.env --log-opt max-size="10m" --label service="app" --label role="web" --label destination dhh/app:latest}, output
+      assert_match %r{docker run --detach --restart unless-stopped --name app-web-latest --network kamal --hostname 1.1.1.1-.* --env KAMAL_CONTAINER_NAME="app-web-latest" --env KAMAL_VERSION="latest" --env KAMAL_HOST="1.1.1.1" --env-file .kamal/apps/app/env/roles/web.env --log-opt max-size="10m" --label service="app" --label role="web" --label destination dhh/app:latest}, output
      assert_match "docker exec kamal-proxy kamal-proxy deploy app-web --target=\"12345678:80\" --deploy-timeout=\"6s\" --drain-timeout=\"30s\" --buffer-requests --buffer-responses --log-request-header=\"Cache-Control\" --log-request-header=\"Last-Modified\" --log-request-header=\"User-Agent\"", output
      assert_match "docker container ls --all --filter name=^app-web-12345678$ --quiet | xargs docker stop", output
      assert_match "docker tag dhh/app:latest dhh/app:latest", output
@@ -218,8 +199,8 @@ class CliProxyTest < CliTestCase
    SSHKit::Backend::Abstract.any_instance.stubs(:capture_with_info).returns("12345678")
    SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
-      .with(:docker, :inspect, "kamal-proxy", "--format '{{.Config.Image}}'", "|", :cut, "-d:", "-f2")
+      .with(:docker, :inspect, "kamal-proxy", "--format '{{.Config.Image}}'", "|", :awk, "-F:", "'{print $NF}'")
-      .returns(Kamal::Configuration::PROXY_MINIMUM_VERSION)
+      .returns(Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION)
    SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
      .with(:docker, :container, :ls, "--all", "--filter", "name=^app-workers-latest$", "--quiet", "|", :xargs, :docker, :inspect, "--format", "'{{if .State.Health}}{{.State.Health.Status}}{{else}}{{.State.Status}}{{end}}'")
@@ -238,7 +219,10 @@ class CliProxyTest < CliTestCase
    run_command("boot_config", "set").tap do |output|
      %w[ 1.1.1.1 1.1.1.2 ].each do |host|
        assert_match "Running /usr/bin/env mkdir -p .kamal/proxy on #{host}", output
-        assert_match "Uploading \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\" to .kamal/proxy/options on #{host}", output
+        assert_match "Running /usr/bin/env rm .kamal/proxy/options on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/image on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/image_version on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/run_command on #{host}", output
      end
    end
  end
@@ -248,6 +232,9 @@ class CliProxyTest < CliTestCase
      %w[ 1.1.1.1 1.1.1.2 ].each do |host|
        assert_match "Running /usr/bin/env mkdir -p .kamal/proxy on #{host}", output
        assert_match "Uploading \"--log-opt max-size=10m\" to .kamal/proxy/options on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/image on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/image_version on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/run_command on #{host}", output
      end
    end
  end
@@ -257,6 +244,9 @@ class CliProxyTest < CliTestCase
      %w[ 1.1.1.1 1.1.1.2 ].each do |host|
        assert_match "Running /usr/bin/env mkdir -p .kamal/proxy on #{host}", output
        assert_match "Uploading \"--publish 80:80 --publish 443:443 --log-opt max-size=100m\" to .kamal/proxy/options on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/image on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/image_version on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/run_command on #{host}", output
      end
    end
  end
@@ -266,6 +256,9 @@ class CliProxyTest < CliTestCase
      %w[ 1.1.1.1 1.1.1.2 ].each do |host|
        assert_match "Running /usr/bin/env mkdir -p .kamal/proxy on #{host}", output
        assert_match "Uploading \"--publish 80:80 --publish 443:443\" to .kamal/proxy/options on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/image on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/image_version on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/run_command on #{host}", output
      end
    end
  end
@@ -310,19 +303,81 @@ class CliProxyTest < CliTestCase
      %w[ 1.1.1.1 1.1.1.2 ].each do |host|
        assert_match "Running /usr/bin/env mkdir -p .kamal/proxy on #{host}", output
        assert_match "Uploading \"--publish 80:80 --publish 443:443 --log-opt max-size=10m --label=foo=bar --add_host=thishost:thathost\" to .kamal/proxy/options on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/image on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/image_version on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/run_command on #{host}", output
      end
    end
  end
  test "boot_config set registry" do
    run_command("boot_config", "set", "--registry", "myreg").tap do |output|
      %w[ 1.1.1.1 1.1.1.2 ].each do |host|
        assert_match "Running /usr/bin/env mkdir -p .kamal/proxy on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/options on #{host}", output
        assert_match "Uploading \"myreg/basecamp/kamal-proxy\" to .kamal/proxy/image on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/image_version on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/run_command on #{host}", output
      end
    end
  end
  test "boot_config set repository" do
    run_command("boot_config", "set", "--repository", "myrepo").tap do |output|
      %w[ 1.1.1.1 1.1.1.2 ].each do |host|
        assert_match "Running /usr/bin/env mkdir -p .kamal/proxy on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/options on #{host}", output
        assert_match "Uploading \"myrepo/kamal-proxy\" to .kamal/proxy/image on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/image_version on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/run_command on #{host}", output
      end
    end
  end
  test "boot_config set image_version" do
    run_command("boot_config", "set", "--image_version", "0.9.9").tap do |output|
      %w[ 1.1.1.1 1.1.1.2 ].each do |host|
        assert_match "Running /usr/bin/env mkdir -p .kamal/proxy on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/options on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/image on #{host}", output
        assert_match "Uploading \"0.9.9\" to .kamal/proxy/image_version on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/run_command on #{host}", output
      end
    end
  end
  test "boot_config set run_command" do
    run_command("boot_config", "set", "--metrics_port", "9000", "--debug", "true").tap do |output|
      %w[ 1.1.1.1 1.1.1.2 ].each do |host|
        assert_match "Running /usr/bin/env mkdir -p .kamal/proxy on #{host}", output
        assert_match "Uploading \"--publish 80:80 --publish 443:443 --log-opt max-size=10m --expose=9000\" to .kamal/proxy/options on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/image on #{host}", output
        assert_match "Running /usr/bin/env rm .kamal/proxy/image_version on #{host}", output
        assert_match "Uploading \"kamal-proxy run --debug --metrics-port \\\"9000\\\"\" to .kamal/proxy/run_command on #{host}", output
      end
    end
  end
  test "boot_config set all" do
    run_command("boot_config", "set", "--docker_options", "label=foo=bar", "--registry", "myreg", "--repository", "myrepo", "--image_version", "0.9.9", "--metrics_port", "9000", "--debug", "true").tap do |output|
      %w[ 1.1.1.1 1.1.1.2 ].each do |host|
        assert_match "Uploading \"--publish 80:80 --publish 443:443 --log-opt max-size=10m --expose=9000 --label=foo=bar\" to .kamal/proxy/options on #{host}", output
        assert_match "Uploading \"myreg/myrepo/kamal-proxy\" to .kamal/proxy/image on #{host}", output
        assert_match "Uploading \"0.9.9\" to .kamal/proxy/image_version on #{host}", output
        assert_match "Uploading \"kamal-proxy run --debug --metrics-port \\\"9000\\\"\" to .kamal/proxy/run_command on #{host}", output
      end
    end
  end
  test "boot_config get" do
    SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
-      .with(:cat, ".kamal/proxy/options", "||", :echo, "\"--publish 80:80 --publish 443:443 --log-opt max-size=10m\"")
+      .with(:echo, "$(cat .kamal/proxy/options 2> /dev/null || echo \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\") $(cat .kamal/proxy/image 2> /dev/null || echo \"basecamp/kamal-proxy\"):$(cat .kamal/proxy/image_version 2> /dev/null || echo \"#{Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION}\") $(cat .kamal/proxy/run_command 2> /dev/null || echo \"\")")
-      .returns("--publish 80:80 --publish 8443:443 --label=foo=bar")
+      .returns("--publish 80:80 --publish 8443:443 --label=foo=bar basecamp/kamal-proxy:v1.0.0")
      .twice
    run_command("boot_config", "get").tap do |output|
-      assert_match "Host 1.1.1.1: --publish 80:80 --publish 8443:443 --label=foo=bar", output
+      assert_match "Host 1.1.1.1: --publish 80:80 --publish 8443:443 --label=foo=bar basecamp/kamal-proxy:v1.0.0", output
-      assert_match "Host 1.1.1.2: --publish 80:80 --publish 8443:443 --label=foo=bar", output
+      assert_match "Host 1.1.1.2: --publish 80:80 --publish 8443:443 --label=foo=bar basecamp/kamal-proxy:v1.0.0", output
    end
  end
--- a/test/cli/registry_test.rb
+++ b/test/cli/registry_test.rb
@@ -1,55 +1,55 @@
 require_relative "cli_test_case"
 class CliRegistryTest < CliTestCase
-  test "login" do
+  test "setup" do
-    run_command("login").tap do |output|
+    run_command("setup").tap do |output|
      assert_match /docker login -u \[REDACTED\] -p \[REDACTED\] as .*@localhost/, output
      assert_match /docker login -u \[REDACTED\] -p \[REDACTED\] on 1.1.1.\d/, output
    end
  end
-  test "login skip local" do
+  test "setup skip local" do
-    run_command("login", "-L").tap do |output|
+    run_command("setup", "-L").tap do |output|
      assert_no_match /docker login -u \[REDACTED\] -p \[REDACTED\] as .*@localhost/, output
      assert_match /docker login -u \[REDACTED\] -p \[REDACTED\] on 1.1.1.\d/, output
    end
  end
-  test "login skip remote" do
+  test "setup skip remote" do
-    run_command("login", "-R").tap do |output|
+    run_command("setup", "-R").tap do |output|
      assert_match /docker login -u \[REDACTED\] -p \[REDACTED\] as .*@localhost/, output
      assert_no_match /docker login -u \[REDACTED\] -p \[REDACTED\] on 1.1.1.\d/, output
    end
  end
-  test "logout" do
+  test "remove" do
-    run_command("logout").tap do |output|
+    run_command("remove").tap do |output|
      assert_match /docker logout as .*@localhost/, output
      assert_match /docker logout on 1.1.1.\d/, output
    end
  end
-  test "logout skip local" do
+  test "remove skip local" do
-    run_command("logout", "-L").tap do |output|
+    run_command("remove", "-L").tap do |output|
      assert_no_match /docker logout as .*@localhost/, output
      assert_match /docker logout on 1.1.1.\d/, output
    end
  end
-  test "logout skip remote" do
+  test "remove skip remote" do
-    run_command("logout", "-R").tap do |output|
+    run_command("remove", "-R").tap do |output|
      assert_match /docker logout as .*@localhost/, output
      assert_no_match /docker logout on 1.1.1.\d/, output
    end
  end
-  test "login with no docker" do
+  test "setup with no docker" do
    stub_setup
    SSHKit::Backend::Abstract.any_instance.stubs(:execute)
      .with(:docker, "--version", "&&", :docker, :buildx, "version")
      .raises(SSHKit::Command::Failed.new("command not found"))
-    assert_raises(Kamal::Cli::DependencyError) { run_command("login") }
+    assert_raises(Kamal::Cli::DependencyError) { run_command("setup") }
  end
  test "allow remote login with no docker" do
@@ -61,12 +61,23 @@ class CliRegistryTest < CliTestCase
    SSHKit::Backend::Abstract.any_instance.stubs(:execute)
      .with { |*args| args[0..1] == [ :docker, :login ] }
-    assert_nothing_raised { run_command("login", "--skip-local") }
+    assert_nothing_raised { run_command("setup", "--skip-local") }
  end
  test "setup local registry" do
    run_command("setup", fixture: :with_local_registry).tap do |output|
      assert_match /docker start kamal-docker-registry || docker run --detach -p 127.0.0.1:5000:5000 --name kamal-docker-registry registry:2 as .*@localhost/, output
    end
  end
  test "remove local registry" do
    run_command("remove", fixture: :with_local_registry).tap do |output|
      assert_match /docker stop kamal-docker-registry && docker rm kamal-docker-registry as .*@localhost/, output
    end
  end
  private
-    def run_command(*command)
+    def run_command(*command, fixture: :with_accessories)
-      stdouted { Kamal::Cli::Registry.start([ *command, "-c", "test/fixtures/deploy_with_accessories.yml" ]) }
+      stdouted { Kamal::Cli::Registry.start([ *command, "-c", "test/fixtures/deploy_#{fixture}.yml" ]) }
    end
 end
--- a/test/commander_test.rb
+++ b/test/commander_test.rb
@@ -149,6 +149,12 @@ class CommanderTest < ActiveSupport::TestCase
    assert_equal [], @kamal.accessory_hosts
  end
  test "primary role hosts are first" do
    configure_with(:deploy_with_roles_workers_primary)
    assert_equal [ "1.1.1.1", "1.1.1.2", "1.1.1.3", "1.1.1.4" ], @kamal.hosts
    assert_equal [ "1.1.1.1", "1.1.1.2", "1.1.1.3", "1.1.1.4" ], @kamal.app_hosts
  end
  private
    def configure_with(variant)
      @kamal = Kamal::Commander.new.tap do |kamal|
--- a/test/commands/accessory_test.rb
+++ b/test/commands/accessory_test.rb
@@ -118,14 +118,21 @@ class CommandsAccessoryTest < ActiveSupport::TestCase
  test "execute in new container over ssh" do
    new_command(:mysql).stub(:run_over_ssh, ->(cmd) { cmd.join(" ") }) do
      assert_match %r{docker run -it --rm --network kamal --env MYSQL_ROOT_HOST=\"%\" --env-file .kamal/apps/app/env/accessories/mysql.env private.registry/mysql:8.0 mysql -u root},
-        new_command(:mysql).execute_in_new_container_over_ssh("mysql", "-u", "root")
+        stub_stdin_tty { new_command(:mysql).execute_in_new_container_over_ssh("mysql", "-u", "root") }
    end
  end
  test "execute in existing container over ssh" do
    new_command(:mysql).stub(:run_over_ssh, ->(cmd) { cmd.join(" ") }) do
      assert_match %r{docker exec -it app-mysql mysql -u root},
-        new_command(:mysql).execute_in_existing_container_over_ssh("mysql", "-u", "root")
+        stub_stdin_tty { new_command(:mysql).execute_in_existing_container_over_ssh("mysql", "-u", "root") }
    end
  end
  test "execute in existing container with piped input over ssh" do
    new_command(:mysql).stub(:run_over_ssh, ->(cmd) { cmd.join(" ") }) do
      assert_match %r{docker exec -i app-mysql mysql -u root},
        stub_stdin_file { new_command(:mysql).execute_in_existing_container_over_ssh("mysql", "-u", "root") }
    end
  end
--- a/test/commands/app_test.rb
+++ b/test/commands/app_test.rb
@@ -13,13 +13,13 @@ class CommandsAppTest < ActiveSupport::TestCase
  test "run" do
    assert_equal \
-      "docker run --detach --restart unless-stopped --name app-web-999 --network kamal -e KAMAL_CONTAINER_NAME=\"app-web-999\" -e KAMAL_VERSION=\"999\" --env-file .kamal/apps/app/env/roles/web.env --log-opt max-size=\"10m\" --label service=\"app\" --label role=\"web\" --label destination dhh/app:999",
+      "docker run --detach --restart unless-stopped --name app-web-999 --network kamal --env KAMAL_CONTAINER_NAME=\"app-web-999\" --env KAMAL_VERSION=\"999\" --env KAMAL_HOST=\"1.1.1.1\" --env-file .kamal/apps/app/env/roles/web.env --log-opt max-size=\"10m\" --label service=\"app\" --label role=\"web\" --label destination dhh/app:999",
      new_command.run.join(" ")
  end
  test "run with hostname" do
    assert_equal \
-      "docker run --detach --restart unless-stopped --name app-web-999 --network kamal --hostname myhost -e KAMAL_CONTAINER_NAME=\"app-web-999\" -e KAMAL_VERSION=\"999\" --env-file .kamal/apps/app/env/roles/web.env --log-opt max-size=\"10m\" --label service=\"app\" --label role=\"web\" --label destination dhh/app:999",
+      "docker run --detach --restart unless-stopped --name app-web-999 --network kamal --hostname myhost --env KAMAL_CONTAINER_NAME=\"app-web-999\" --env KAMAL_VERSION=\"999\" --env KAMAL_HOST=\"1.1.1.1\" --env-file .kamal/apps/app/env/roles/web.env --log-opt max-size=\"10m\" --label service=\"app\" --label role=\"web\" --label destination dhh/app:999",
      new_command.run(hostname: "myhost").join(" ")
  end
@@ -27,14 +27,14 @@ class CommandsAppTest < ActiveSupport::TestCase
    @config[:volumes] = [ "/local/path:/container/path" ]
    assert_equal \
-      "docker run --detach --restart unless-stopped --name app-web-999 --network kamal -e KAMAL_CONTAINER_NAME=\"app-web-999\" -e KAMAL_VERSION=\"999\" --env-file .kamal/apps/app/env/roles/web.env --log-opt max-size=\"10m\" --volume /local/path:/container/path --label service=\"app\" --label role=\"web\" --label destination dhh/app:999",
+      "docker run --detach --restart unless-stopped --name app-web-999 --network kamal --env KAMAL_CONTAINER_NAME=\"app-web-999\" --env KAMAL_VERSION=\"999\" --env KAMAL_HOST=\"1.1.1.1\" --env-file .kamal/apps/app/env/roles/web.env --log-opt max-size=\"10m\" --volume /local/path:/container/path --label service=\"app\" --label role=\"web\" --label destination dhh/app:999",
      new_command.run.join(" ")
  end
  test "run with custom options" do
    @config[:servers] = { "web" => [ "1.1.1.1" ], "jobs" => { "hosts" => [ "1.1.1.2" ], "cmd" => "bin/jobs", "options" => { "mount" => "somewhere", "cap-add" => true } } }
    assert_equal \
-      "docker run --detach --restart unless-stopped --name app-jobs-999 --network kamal -e KAMAL_CONTAINER_NAME=\"app-jobs-999\" -e KAMAL_VERSION=\"999\" --env-file .kamal/apps/app/env/roles/jobs.env --log-opt max-size=\"10m\" --label service=\"app\" --label role=\"jobs\" --label destination --mount \"somewhere\" --cap-add dhh/app:999 bin/jobs",
+      "docker run --detach --restart unless-stopped --name app-jobs-999 --network kamal --env KAMAL_CONTAINER_NAME=\"app-jobs-999\" --env KAMAL_VERSION=\"999\" --env KAMAL_HOST=\"1.1.1.2\" --env-file .kamal/apps/app/env/roles/jobs.env --log-opt max-size=\"10m\" --label service=\"app\" --label role=\"jobs\" --label destination --mount \"somewhere\" --cap-add dhh/app:999 bin/jobs",
      new_command(role: "jobs", host: "1.1.1.2").run.join(" ")
  end
@@ -42,7 +42,7 @@ class CommandsAppTest < ActiveSupport::TestCase
    @config[:logging] = { "driver" => "local", "options" => { "max-size" => "100m", "max-file" => "3" } }
    assert_equal \
-      "docker run --detach --restart unless-stopped --name app-web-999 --network kamal -e KAMAL_CONTAINER_NAME=\"app-web-999\" -e KAMAL_VERSION=\"999\" --env-file .kamal/apps/app/env/roles/web.env --log-driver \"local\" --log-opt max-size=\"100m\" --log-opt max-file=\"3\" --label service=\"app\" --label role=\"web\" --label destination dhh/app:999",
+      "docker run --detach --restart unless-stopped --name app-web-999 --network kamal --env KAMAL_CONTAINER_NAME=\"app-web-999\" --env KAMAL_VERSION=\"999\" --env KAMAL_HOST=\"1.1.1.1\" --env-file .kamal/apps/app/env/roles/web.env --log-driver \"local\" --log-opt max-size=\"100m\" --log-opt max-file=\"3\" --label service=\"app\" --label role=\"web\" --label destination dhh/app:999",
      new_command.run.join(" ")
  end
@@ -51,7 +51,7 @@ class CommandsAppTest < ActiveSupport::TestCase
    @config[:servers] = { "web" => { "hosts" => [ "1.1.1.1" ], "logging" => { "driver" => "local", "options" => { "max-size" => "100m" } } } }
    assert_equal \
-      "docker run --detach --restart unless-stopped --name app-web-999 --network kamal -e KAMAL_CONTAINER_NAME=\"app-web-999\" -e KAMAL_VERSION=\"999\" --env-file .kamal/apps/app/env/roles/web.env --log-driver \"local\" --log-opt max-size=\"100m\" --log-opt max-file=\"3\" --label service=\"app\" --label role=\"web\" --label destination dhh/app:999",
+      "docker run --detach --restart unless-stopped --name app-web-999 --network kamal --env KAMAL_CONTAINER_NAME=\"app-web-999\" --env KAMAL_VERSION=\"999\" --env KAMAL_HOST=\"1.1.1.1\" --env-file .kamal/apps/app/env/roles/web.env --log-driver \"local\" --log-opt max-size=\"100m\" --log-opt max-file=\"3\" --label service=\"app\" --label role=\"web\" --label destination dhh/app:999",
      new_command.run.join(" ")
  end
@@ -60,7 +60,7 @@ class CommandsAppTest < ActiveSupport::TestCase
    @config[:env]["tags"] = { "tag1" => { "ENV1" => "value1" } }
    assert_equal \
-      "docker run --detach --restart unless-stopped --name app-web-999 --network kamal -e KAMAL_CONTAINER_NAME=\"app-web-999\" -e KAMAL_VERSION=\"999\" --env ENV1=\"value1\" --env-file .kamal/apps/app/env/roles/web.env --log-opt max-size=\"10m\" --label service=\"app\" --label role=\"web\" --label destination dhh/app:999",
+      "docker run --detach --restart unless-stopped --name app-web-999 --network kamal --env KAMAL_CONTAINER_NAME=\"app-web-999\" --env KAMAL_VERSION=\"999\" --env KAMAL_HOST=\"1.1.1.1\" --env ENV1=\"value1\" --env-file .kamal/apps/app/env/roles/web.env --log-opt max-size=\"10m\" --label service=\"app\" --label role=\"web\" --label destination dhh/app:999",
      new_command.run.join(" ")
  end
@@ -149,8 +149,6 @@ class CommandsAppTest < ActiveSupport::TestCase
      new_command.remove.join(" ")
  end
  test "logs" do
    assert_equal \
      "sh -c 'docker ps --latest --quiet --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting --filter ancestor=$(docker image ls --filter reference=dhh/app:latest --format '\\''{{.ID}}'\\'') ; docker ps --latest --quiet --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting' | head -1 | xargs docker logs --timestamps 2>&1",
@@ -288,7 +286,7 @@ class CommandsAppTest < ActiveSupport::TestCase
  test "execute in new container over ssh" do
    assert_match %r{docker run -it --rm --network kamal --env-file .kamal/apps/app/env/roles/web.env --log-opt max-size="10m" dhh/app:999 bin/rails c},
-      new_command.execute_in_new_container_over_ssh("bin/rails", "c", env: {})
+      stub_stdin_tty { new_command.execute_in_new_container_over_ssh("bin/rails", "c", env: {}) }
  end
  test "execute in new container over ssh with tags" do
@@ -296,18 +294,23 @@ class CommandsAppTest < ActiveSupport::TestCase
    @config[:env]["tags"] = { "tag1" => { "ENV1" => "value1" } }
    assert_equal "ssh -t root@1.1.1.1 -p 22 'docker run -it --rm --network kamal --env ENV1=\"value1\" --env-file .kamal/apps/app/env/roles/web.env --log-opt max-size=\"10m\" dhh/app:999 bin/rails c'",
-      new_command.execute_in_new_container_over_ssh("bin/rails", "c", env: {})
+      stub_stdin_tty { new_command.execute_in_new_container_over_ssh("bin/rails", "c", env: {}) }
  end
  test "execute in new container with custom options over ssh" do
    @config[:servers] = { "web" => { "hosts" => [ "1.1.1.1" ], "options" => { "mount" => "somewhere", "cap-add" => true } } }
    assert_match %r{docker run -it --rm --network kamal --env-file .kamal/apps/app/env/roles/web.env --log-opt max-size=\"10m\" --mount \"somewhere\" --cap-add dhh/app:999 bin/rails c},
-      new_command.execute_in_new_container_over_ssh("bin/rails", "c", env: {})
+      stub_stdin_tty { new_command.execute_in_new_container_over_ssh("bin/rails", "c", env: {}) }
  end
  test "execute in existing container over ssh" do
    assert_match %r{docker exec -it app-web-999 bin/rails c},
-      new_command.execute_in_existing_container_over_ssh("bin/rails", "c", env: {})
+      stub_stdin_tty { new_command.execute_in_existing_container_over_ssh("bin/rails", "c", env: {}) }
  end
  test "execute in existing container with piped input over ssh" do
    assert_match %r{docker exec -i app-web-999 bin/rails c},
      stub_stdin_file { new_command.execute_in_existing_container_over_ssh("bin/rails", "c", env: {}) }
  end
  test "run over ssh" do
@@ -497,6 +500,30 @@ class CommandsAppTest < ActiveSupport::TestCase
    ], new_command(asset_path: "/public/assets").clean_up_assets
  end
  test "live" do
    assert_equal \
      "docker exec kamal-proxy kamal-proxy resume app-web",
      new_command.live.join(" ")
  end
  test "maintenance" do
    assert_equal \
      "docker exec kamal-proxy kamal-proxy stop app-web",
      new_command.maintenance.join(" ")
  end
  test "maintenance with options" do
    assert_equal \
      "docker exec kamal-proxy kamal-proxy stop app-web --drain-timeout=\"10s\" --message=\"Hi\"",
      new_command.maintenance(drain_timeout: 10, message: "Hi").join(" ")
  end
  test "remove_proxy_app_directory" do
    assert_equal \
      "rm -r .kamal/proxy/apps-config/app",
      new_command.remove_proxy_app_directory.join(" ")
  end
  private
    def new_command(role: "web", host: "1.1.1.1", **additional_config)
      config = Kamal::Configuration.new(@config.merge(additional_config), destination: @destination, version: "999")
--- a/test/commands/auditor_test.rb
+++ b/test/commands/auditor_test.rb
@@ -20,8 +20,7 @@ class CommandsAuditorTest < ActiveSupport::TestCase
    assert_equal [
      :mkdir, "-p", ".kamal", "&&",
      :echo,
-      "[#{@recorded_at}] [#{@performer}]",
+      "\"[#{@recorded_at}] [#{@performer}] app removed container\"",
      "app removed container",
      ">>", ".kamal/app-audit.log"
    ], @auditor.record("app removed container")
  end
@@ -31,8 +30,7 @@ class CommandsAuditorTest < ActiveSupport::TestCase
      assert_equal [
        :mkdir, "-p", ".kamal", "&&",
        :echo,
-        "[#{@recorded_at}] [#{@performer}] [staging]",
+        "\"[#{@recorded_at}] [#{@performer}] [staging] app removed container\"",
        "app removed container",
        ">>", ".kamal/app-staging-audit.log"
      ], auditor.record("app removed container")
    end
@@ -43,8 +41,7 @@ class CommandsAuditorTest < ActiveSupport::TestCase
      assert_equal [
        :mkdir, "-p", ".kamal", "&&",
        :echo,
-        "[#{@recorded_at}] [#{@performer}] [web]",
+        "\"[#{@recorded_at}] [#{@performer}] [web] app removed container\"",
        "app removed container",
        ">>", ".kamal/app-audit.log"
      ], auditor.record("app removed container")
    end
@@ -54,8 +51,7 @@ class CommandsAuditorTest < ActiveSupport::TestCase
    assert_equal [
      :mkdir, "-p", ".kamal", "&&",
      :echo,
-      "[#{@recorded_at}] [#{@performer}] [value]",
+      "\"[#{@recorded_at}] [#{@performer}] [value] app removed container\"",
      "app removed container",
      ">>", ".kamal/app-audit.log"
    ], @auditor.record("app removed container", detail: "value")
  end
--- a/test/commands/builder_test.rb
+++ b/test/commands/builder_test.rb
@@ -9,7 +9,7 @@ class CommandsBuilderTest < ActiveSupport::TestCase
    builder = new_builder_command(builder: { "cache" => { "type" => "gha" } })
    assert_equal "local", builder.name
    assert_equal \
-      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile .",
+      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile . 2>&1",
      builder.push.join(" ")
  end
@@ -17,7 +17,7 @@ class CommandsBuilderTest < ActiveSupport::TestCase
    builder = new_builder_command(builder: { "arch" => [ "amd64" ] })
    assert_equal "local", builder.name
    assert_equal \
-      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile .",
+      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile . 2>&1",
      builder.push.join(" ")
  end
@@ -25,7 +25,7 @@ class CommandsBuilderTest < ActiveSupport::TestCase
    builder = new_builder_command(builder: { "cache" => { "type" => "gha" } })
    assert_equal "local", builder.name
    assert_equal \
-      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile .",
+      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile . 2>&1",
      builder.push.join(" ")
  end
@@ -33,7 +33,7 @@ class CommandsBuilderTest < ActiveSupport::TestCase
    builder = new_builder_command(builder: { "arch" => [ "amd64", "arm64" ], "remote" => "ssh://app@127.0.0.1", "cache" => { "type" => "gha" } })
    assert_equal "hybrid", builder.name
    assert_equal \
-      "docker buildx build --output=type=registry --platform linux/amd64,linux/arm64 --builder kamal-hybrid-docker-container-ssh---app-127-0-0-1 -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile .",
+      "docker buildx build --output=type=registry --platform linux/amd64,linux/arm64 --builder kamal-hybrid-docker-container-ssh---app-127-0-0-1 -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile . 2>&1",
      builder.push.join(" ")
  end
@@ -41,7 +41,7 @@ class CommandsBuilderTest < ActiveSupport::TestCase
    builder = new_builder_command(builder: { "arch" => [ "amd64", "arm64" ], "remote" => "ssh://app@127.0.0.1", "cache" => { "type" => "gha" }, "local" => false })
    assert_equal "remote", builder.name
    assert_equal \
-      "docker buildx build --output=type=registry --platform linux/amd64,linux/arm64 --builder kamal-remote-ssh---app-127-0-0-1 -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile .",
+      "docker buildx build --output=type=registry --platform linux/amd64,linux/arm64 --builder kamal-remote-ssh---app-127-0-0-1 -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile . 2>&1",
      builder.push.join(" ")
  end
@@ -49,7 +49,7 @@ class CommandsBuilderTest < ActiveSupport::TestCase
    builder = new_builder_command(builder: { "arch" => [ "#{remote_arch}" ], "remote" => "ssh://app@host", "cache" => { "type" => "gha" } })
    assert_equal "remote", builder.name
    assert_equal \
-      "docker buildx build --output=type=registry --platform linux/#{remote_arch} --builder kamal-remote-ssh---app-host -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile .",
+      "docker buildx build --output=type=registry --platform linux/#{remote_arch} --builder kamal-remote-ssh---app-host -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile . 2>&1",
      builder.push.join(" ")
  end
@@ -57,15 +57,41 @@ class CommandsBuilderTest < ActiveSupport::TestCase
    builder = new_builder_command(builder: { "arch" => [ "#{local_arch}" ], "remote" => "ssh://app@host", "cache" => { "type" => "gha" } })
    assert_equal "local", builder.name
    assert_equal \
-      "docker buildx build --output=type=registry --platform linux/#{local_arch} --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile .",
+      "docker buildx build --output=type=registry --platform linux/#{local_arch} --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile . 2>&1",
      builder.push.join(" ")
  end
  test "target pack when pack is set" do
    builder = new_builder_command(image: "dhh/app", builder: { "arch" => "amd64", "pack" => { "builder" => "heroku/builder:24", "buildpacks" => [ "heroku/ruby", "heroku/procfile" ] } })
    assert_equal "pack", builder.name
    assert_equal \
      "pack build dhh/app --platform linux/amd64 --creation-time now --builder heroku/builder:24 --buildpack heroku/ruby --buildpack heroku/procfile --buildpack paketo-buildpacks/image-labels -t dhh/app:123 -t dhh/app:latest --env BP_IMAGE_LABELS=service=app --path . && docker push dhh/app:123 && docker push dhh/app:latest",
      builder.push.join(" ")
  end
  test "pack build args passed as env" do
    builder = new_builder_command(image: "dhh/app", builder: { "args" => { "a" => 1, "b" => 2 }, "arch" => "amd64", "pack" => { "builder" => "heroku/builder:24", "buildpacks" => [ "heroku/ruby", "heroku/procfile" ] } })
    assert_equal \
      "pack build dhh/app --platform linux/amd64 --creation-time now --builder heroku/builder:24 --buildpack heroku/ruby --buildpack heroku/procfile --buildpack paketo-buildpacks/image-labels -t dhh/app:123 -t dhh/app:latest --env BP_IMAGE_LABELS=service=app --env a=\"1\" --env b=\"2\" --path . && docker push dhh/app:123 && docker push dhh/app:latest",
    builder.push.join(" ")
  end
  test "pack build secrets as env" do
    with_test_secrets("secrets" => "token_a=foo\ntoken_b=bar") do
      builder = new_builder_command(image: "dhh/app", builder: { "secrets" => [ "token_a", "token_b" ], "arch" => "amd64", "pack" => { "builder" => "heroku/builder:24", "buildpacks" => [ "heroku/ruby", "heroku/procfile" ] } })
      assert_equal \
        "pack build dhh/app --platform linux/amd64 --creation-time now --builder heroku/builder:24 --buildpack heroku/ruby --buildpack heroku/procfile --buildpack paketo-buildpacks/image-labels -t dhh/app:123 -t dhh/app:latest --env BP_IMAGE_LABELS=service=app --env token_a=\"foo\" --env token_b=\"bar\" --path . && docker push dhh/app:123 && docker push dhh/app:latest",
      builder.push.join(" ")
    end
  end
  test "cloud builder" do
    builder = new_builder_command(builder: { "arch" => [ "#{local_arch}" ], "driver" => "cloud docker-org-name/builder-name" })
    assert_equal "cloud", builder.name
    assert_equal \
-      "docker buildx build --output=type=registry --platform linux/#{local_arch} --builder cloud-docker-org-name-builder-name -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile .",
+      "docker buildx build --output=type=registry --platform linux/#{local_arch} --builder cloud-docker-org-name-builder-name -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile . 2>&1",
      builder.push.join(" ")
  end
@@ -112,14 +138,14 @@ class CommandsBuilderTest < ActiveSupport::TestCase
  test "build context" do
    builder = new_builder_command(builder: { "context" => ".." })
    assert_equal \
-      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile ..",
+      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile .. 2>&1",
      builder.push.join(" ")
  end
  test "push with build args" do
    builder = new_builder_command(builder: { "args" => { "a" => 1, "b" => 2 } })
    assert_equal \
-      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --build-arg a=\"1\" --build-arg b=\"2\" --file Dockerfile .",
+      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --build-arg a=\"1\" --build-arg b=\"2\" --file Dockerfile . 2>&1",
      builder.push.join(" ")
  end
@@ -128,7 +154,7 @@ class CommandsBuilderTest < ActiveSupport::TestCase
      FileUtils.touch("Dockerfile")
      builder = new_builder_command(builder: { "secrets" => [ "a", "b" ] })
      assert_equal \
-        "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --secret id=\"a\" --secret id=\"b\" --file Dockerfile .",
+        "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --secret id=\"a\" --secret id=\"b\" --file Dockerfile . 2>&1",
        builder.push.join(" ")
    end
  end
@@ -148,35 +174,35 @@ class CommandsBuilderTest < ActiveSupport::TestCase
  test "context build" do
    builder = new_builder_command(builder: { "context" => "./foo" })
    assert_equal \
-      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile ./foo",
+      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile ./foo 2>&1",
      builder.push.join(" ")
  end
  test "push with provenance" do
    builder = new_builder_command(builder: { "provenance" => "mode=max" })
    assert_equal \
-      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile --provenance mode=max .",
+      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile --provenance mode=max . 2>&1",
      builder.push.join(" ")
  end
  test "push with provenance false" do
    builder = new_builder_command(builder: { "provenance" => false })
    assert_equal \
-      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile --provenance false .",
+      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile --provenance false . 2>&1",
      builder.push.join(" ")
  end
  test "push with sbom" do
    builder = new_builder_command(builder: { "sbom" => true })
    assert_equal \
-      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile --sbom true .",
+      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile --sbom true . 2>&1",
      builder.push.join(" ")
  end
  test "push with sbom false" do
    builder = new_builder_command(builder: { "sbom" => false })
    assert_equal \
-      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile --sbom false .",
+      "docker buildx build --output=type=registry --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile --sbom false . 2>&1",
      builder.push.join(" ")
  end
@@ -202,7 +228,11 @@ class CommandsBuilderTest < ActiveSupport::TestCase
  private
    def new_builder_command(additional_config = {})
-      Kamal::Commands::Builder.new(Kamal::Configuration.new(@config.deep_merge(additional_config), version: "123"))
+      Kamal::Configuration.new(@config.deep_merge(additional_config), version: "123").then do |config|
        KAMAL.reset
        KAMAL.stubs(:config).returns(config)
        Kamal::Commands::Builder.new(config)
      end
    end
    def local_arch
--- a/test/commands/proxy_test.rb
+++ b/test/commands/proxy_test.rb
@@ -15,7 +15,7 @@ class CommandsProxyTest < ActiveSupport::TestCase
  test "run" do
    assert_equal \
-      "docker run --name kamal-proxy --network kamal --detach --restart unless-stopped --volume kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy $(cat .kamal/proxy/options || echo \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\") basecamp/kamal-proxy:#{Kamal::Configuration::PROXY_MINIMUM_VERSION}",
+      "echo $(cat .kamal/proxy/options 2> /dev/null || echo \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\") $(cat .kamal/proxy/image 2> /dev/null || echo \"basecamp/kamal-proxy\"):$(cat .kamal/proxy/image_version 2> /dev/null || echo \"#{Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION}\") $(cat .kamal/proxy/run_command 2> /dev/null || echo \"\") | xargs docker run --name kamal-proxy --network kamal --detach --restart unless-stopped --volume kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy --volume $(pwd)/.kamal/proxy/apps-config:/home/kamal-proxy/.apps-config",
      new_command.run.join(" ")
  end
@@ -23,7 +23,7 @@ class CommandsProxyTest < ActiveSupport::TestCase
    @config.delete(:proxy)
    assert_equal \
-      "docker run --name kamal-proxy --network kamal --detach --restart unless-stopped --volume kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy $(cat .kamal/proxy/options || echo \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\") basecamp/kamal-proxy:#{Kamal::Configuration::PROXY_MINIMUM_VERSION}",
+      "echo $(cat .kamal/proxy/options 2> /dev/null || echo \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\") $(cat .kamal/proxy/image 2> /dev/null || echo \"basecamp/kamal-proxy\"):$(cat .kamal/proxy/image_version 2> /dev/null || echo \"#{Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION}\") $(cat .kamal/proxy/run_command 2> /dev/null || echo \"\") | xargs docker run --name kamal-proxy --network kamal --detach --restart unless-stopped --volume kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy --volume $(pwd)/.kamal/proxy/apps-config:/home/kamal-proxy/.apps-config",
      new_command.run.join(" ")
  end
@@ -101,7 +101,7 @@ class CommandsProxyTest < ActiveSupport::TestCase
  test "version" do
    assert_equal \
-      "docker inspect kamal-proxy --format '{{.Config.Image}}' | cut -d: -f2",
+      "docker inspect kamal-proxy --format '{{.Config.Image}}' | awk -F: '{print $NF}'",
      new_command.version.join(" ")
  end
@@ -111,10 +111,28 @@ class CommandsProxyTest < ActiveSupport::TestCase
      new_command.ensure_proxy_directory.join(" ")
  end
-  test "get_boot_options" do
+  test "read_boot_options" do
    assert_equal \
-      "cat .kamal/proxy/options || echo \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\"",
+      "cat .kamal/proxy/options 2> /dev/null || echo \"--publish 80:80 --publish 443:443 --log-opt max-size=10m\"",
-      new_command.get_boot_options.join(" ")
+      new_command.read_boot_options.join(" ")
  end
  test "read_image" do
    assert_equal \
      "cat .kamal/proxy/image 2> /dev/null || echo \"basecamp/kamal-proxy\"",
      new_command.read_image.join(" ")
  end
  test "read_image_version" do
    assert_equal \
      "cat .kamal/proxy/image_version 2> /dev/null || echo \"#{Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION}\"",
      new_command.read_image_version.join(" ")
  end
  test "read_run_command" do
    assert_equal \
      "cat .kamal/proxy/run_command 2> /dev/null || echo \"\"",
      new_command.read_run_command.join(" ")
  end
  test "reset_boot_options" do
@@ -123,6 +141,30 @@ class CommandsProxyTest < ActiveSupport::TestCase
      new_command.reset_boot_options.join(" ")
  end
  test "reset_image" do
    assert_equal \
      "rm .kamal/proxy/image",
      new_command.reset_image.join(" ")
  end
  test "reset_image_version" do
    assert_equal \
      "rm .kamal/proxy/image_version",
      new_command.reset_image_version.join(" ")
  end
  test "ensure_apps_config_directory" do
    assert_equal \
      "mkdir -p .kamal/proxy/apps-config",
      new_command.ensure_apps_config_directory.join(" ")
  end
  test "reset_run_command" do
    assert_equal \
      "rm .kamal/proxy/run_command",
      new_command.reset_run_command.join(" ")
  end
  private
    def new_command
      Kamal::Commands::Proxy.new(Kamal::Configuration.new(@config, version: "123"))
--- a/test/commands/registry_test.rb
+++ b/test/commands/registry_test.rb
@@ -85,6 +85,15 @@ class CommandsRegistryTest < ActiveSupport::TestCase
      registry.logout(registry_config: accessory_registry_config).join(" ")
  end
  test "registry setup" do
    @config[:registry] = { "server" => "localhost:5000" }
    assert_equal "docker start kamal-docker-registry || docker run --detach -p 127.0.0.1:5000:5000 --name kamal-docker-registry registry:3", registry.setup.join(" ")
  end
  test "registry remove" do
    assert_equal "docker stop kamal-docker-registry && docker rm kamal-docker-registry", registry.remove.join(" ")
  end
  private
    def registry
      Kamal::Commands::Registry.new main_config
--- a/test/configuration/accessory_test.rb
+++ b/test/configuration/accessory_test.rb
@@ -7,8 +7,8 @@ class ConfigurationAccessoryTest < ActiveSupport::TestCase
      image: "dhh/app",
      registry: { "username" => "dhh", "password" => "secret" },
      servers: {
-        "web" => [ "1.1.1.1", "1.1.1.2" ],
+        "web" => [ { "1.1.1.1" => "writer" }, { "1.1.1.2" => "reader" } ],
-        "workers" => [ "1.1.1.3", "1.1.1.4" ]
+        "workers" => [ { "1.1.1.3" => "writer" }, "1.1.1.4" ]
      },
      builder: { "arch" => "amd64" },
      env: { "REDIS_URL" => "redis://x/y" },
@@ -55,7 +55,7 @@ class ConfigurationAccessoryTest < ActiveSupport::TestCase
          "service" => "custom-monitoring",
          "image" => "monitoring:latest",
          "registry" => { "server" => "other.registry", "username" => "user", "password" => "pw" },
-          "roles" => [ "web" ],
+          "role" => "web",
          "port" => "4321:4321",
          "labels" => {
            "cache" => "true"
@@ -70,6 +70,14 @@ class ConfigurationAccessoryTest < ActiveSupport::TestCase
          "proxy" => {
            "host" => "monitoring.example.com"
          }
        },
        "proxy" => {
          "image" => "proxy:latest",
          "tags" => [ "writer", "reader" ]
        },
        "logger" => {
          "image" => "logger:latest",
          "tag" => "writer"
        }
      }
    }
@@ -107,6 +115,8 @@ class ConfigurationAccessoryTest < ActiveSupport::TestCase
    assert_equal [ "1.1.1.5" ], @config.accessory(:mysql).hosts
    assert_equal [ "1.1.1.6", "1.1.1.7" ], @config.accessory(:redis).hosts
    assert_equal [ "1.1.1.1", "1.1.1.2" ], @config.accessory(:monitoring).hosts
    assert_equal [ "1.1.1.1", "1.1.1.3", "1.1.1.2" ], @config.accessory(:proxy).hosts
    assert_equal [ "1.1.1.1", "1.1.1.3" ], @config.accessory(:logger).hosts
  end
  test "missing host" do
@@ -117,14 +127,14 @@ class ConfigurationAccessoryTest < ActiveSupport::TestCase
    end
  end
-  test "setting host, hosts and roles" do
+  test "setting host, hosts, roles and tags" do
    @deploy[:accessories]["mysql"]["hosts"] = [ "mysql-db1" ]
    @deploy[:accessories]["mysql"]["roles"] = [ "db" ]
    exception = assert_raises(Kamal::ConfigurationError) do
      Kamal::Configuration.new(@deploy)
    end
-    assert_equal "accessories/mysql: specify one of `host`, `hosts` or `roles`", exception.message
+    assert_equal "accessories/mysql: specify one of `host`, `hosts`, `role`, `roles`, `tag` or `tags`", exception.message
  end
  test "all hosts" do
@@ -187,4 +197,12 @@ class ConfigurationAccessoryTest < ActiveSupport::TestCase
    assert @config.accessory(:monitoring).running_proxy?
    assert_equal [ "monitoring.example.com" ], @config.accessory(:monitoring).proxy.hosts
  end
  test "can't set restart in options" do
    @deploy[:accessories]["mysql"]["options"] = { "restart" => "always" }
    assert_raises Kamal::ConfigurationError, "servers/workers: Cannot set restart policy in docker options, unless-stopped is required" do
      Kamal::Configuration.new(@deploy)
    end
  end
 end
--- a/test/configuration/builder_test.rb
+++ b/test/configuration/builder_test.rb
@@ -16,6 +16,23 @@ class ConfigurationBuilderTest < ActiveSupport::TestCase
    assert_equal false, config.builder.remote?
  end
  test "pack?" do
    assert_not config.builder.pack?
  end
  test "pack? with pack builder" do
    @deploy[:builder] = { "arch" => "arm64", "pack" => { "builder" => "heroku/builder:24" } }
    assert config.builder.pack?
  end
  test "pack details" do
    @deploy[:builder] = { "arch" => "amd64", "pack" => { "builder" => "heroku/builder:24", "buildpacks" => [ "heroku/ruby", "heroku/procfile" ] } }
    assert_equal "heroku/builder:24", config.builder.pack_builder
    assert_equal [ "heroku/ruby", "heroku/procfile" ], config.builder.pack_buildpacks
  end
  test "remote" do
    assert_nil config.builder.remote
  end
--- a/test/configuration/env/tags_test.rb
+++ b/test/configuration/env/tags_test.rb
@@ -92,7 +92,25 @@ class ConfigurationEnvTagsTest < ActiveSupport::TestCase
      }
      config = Kamal::Configuration.new(deploy)
-      assert_equal "hello", config.role("web").env("1.1.1.1").secrets["PASSWORD"]
+      assert_equal "PASSWORD=hello\n", config.role("web").env("1.1.1.1").secrets_io.string
    end
  end
  test "aliased tag secret env" do
    with_test_secrets("secrets" => "PASSWORD=hello\nALIASED_PASSWORD=aliased_hello") do
      deploy = {
        service: "app", image: "dhh/app", registry: { "username" => "dhh", "password" => "secret" },
        servers: [ { "1.1.1.1" => "secrets" } ],
        builder: { "arch" => "amd64" },
        env: {
          "tags" => {
            "secrets" => { "secret" => [ "PASSWORD:ALIASED_PASSWORD" ] }
          }
        }
      }
      config = Kamal::Configuration.new(deploy)
      assert_equal "PASSWORD=aliased_hello\n", config.role("web").env("1.1.1.1").secrets_io.string
    end
  end
--- a/test/configuration/env_test.rb
+++ b/test/configuration/env_test.rb
@@ -48,6 +48,20 @@ class ConfigurationEnvTest < ActiveSupport::TestCase
    end
  end
  test "aliased secrets" do
    with_test_secrets("secrets" => "ALIASED_PASSWORD=hello") do
      config = {
        "secret" => [ "PASSWORD:ALIASED_PASSWORD" ],
        "clear" => {}
      }
      assert_config \
        config: config,
        clear: {},
        secrets: { "PASSWORD" => "hello" }
    end
  end
  private
    def assert_config(config:, clear: {}, secrets: {})
      env = Kamal::Configuration::Env.new config: config, secrets: Kamal::Secrets.new
--- a/test/configuration/proxy/boot_test.rb
+++ b/test/configuration/proxy/boot_test.rb
@@ -0,0 +1,31 @@
 require "test_helper"
 class ConfigurationProxyBootTest < ActiveSupport::TestCase
  setup do
    ENV["RAILS_MASTER_KEY"] = "456"
    ENV["VERSION"] = "missing"
    @deploy = {
      service: "app", image: "dhh/app",
      registry: { "username" => "dhh", "password" => "secret" },
      builder: { "arch" => "amd64" },
      env: { "REDIS_URL" => "redis://x/y" },
      servers: [ "1.1.1.1", "1.1.1.2" ],
      volumes: [ "/local/path:/container/path" ]
    }
    @config = Kamal::Configuration.new(@deploy)
    @proxy_boot_config = @config.proxy_boot
  end
  test "proxy directories" do
    assert_equal ".kamal/proxy/apps-config", @proxy_boot_config.apps_directory
    assert_equal "/home/kamal-proxy/.apps-config", @proxy_boot_config.apps_container_directory
    assert_equal ".kamal/proxy/apps-config/app", @proxy_boot_config.app_directory
    assert_equal "/home/kamal-proxy/.apps-config/app", @proxy_boot_config.app_container_directory
    assert_equal ".kamal/proxy/apps-config/app/error_pages", @proxy_boot_config.error_pages_directory
    assert_equal "/home/kamal-proxy/.apps-config/app/error_pages", @proxy_boot_config.error_pages_container_directory
    assert_equal ".kamal/proxy/apps-config/app/tls", @proxy_boot_config.tls_directory
    assert_equal "/home/kamal-proxy/.apps-config/app/tls", @proxy_boot_config.tls_container_directory
  end
 end
--- a/test/configuration/proxy_test.rb
+++ b/test/configuration/proxy_test.rb
@@ -38,6 +38,73 @@ class ConfigurationProxyTest < ActiveSupport::TestCase
    assert_not config.proxy.ssl?
  end
  test "false not allowed" do
    @deploy[:proxy] = false
    assert_raises(Kamal::ConfigurationError, "proxy: should be a hash") do
      config.proxy
    end
  end
  test "ssl with certificate and private key from secrets" do
    with_test_secrets("secrets" => "CERT_PEM=certificate\nKEY_PEM=private_key") do
      @deploy[:proxy] = {
        "ssl" => {
          "certificate_pem" => "CERT_PEM",
          "private_key_pem" => "KEY_PEM"
        },
        "host" => "example.com"
      }
      proxy = config.proxy
      assert_equal ".kamal/proxy/apps-config/app/tls/cert.pem", proxy.host_tls_cert
      assert_equal ".kamal/proxy/apps-config/app/tls/key.pem", proxy.host_tls_key
      assert_equal "/home/kamal-proxy/.apps-config/app/tls/cert.pem", proxy.container_tls_cert
      assert_equal "/home/kamal-proxy/.apps-config/app/tls/key.pem", proxy.container_tls_key
    end
  end
  test "deploy options with custom ssl certificates" do
    with_test_secrets("secrets" => "CERT_PEM=certificate\nKEY_PEM=private_key") do
      @deploy[:proxy] = {
        "ssl" => {
          "certificate_pem" => "CERT_PEM",
          "private_key_pem" => "KEY_PEM"
        },
        "host" => "example.com"
      }
      proxy = config.proxy
      options = proxy.deploy_options
      assert_equal true, options[:tls]
      assert_equal "/home/kamal-proxy/.apps-config/app/tls/cert.pem", options[:"tls-certificate-path"]
      assert_equal "/home/kamal-proxy/.apps-config/app/tls/key.pem", options[:"tls-private-key-path"]
    end
  end
  test "ssl with certificate and no private key" do
    with_test_secrets("secrets" => "CERT_PEM=certificate") do
      @deploy[:proxy] = {
        "ssl" => {
          "certificate_pem" => "CERT_PEM"
        },
        "host" => "example.com"
      }
      assert_raises(Kamal::ConfigurationError) { config.proxy.ssl? }
    end
  end
  test "ssl with private key and no certificate" do
    with_test_secrets("secrets" => "KEY_PEM=private_key") do
      @deploy[:proxy] = {
        "ssl" => {
          "private_key_pem" => "KEY_PEM"
        },
        "host" => "example.com"
      }
      assert_raises(Kamal::ConfigurationError) { config.proxy.ssl? }
    end
  end
  private
    def config
      Kamal::Configuration.new(@deploy)
--- a/test/configuration/role_test.rb
+++ b/test/configuration/role_test.rb
@@ -258,6 +258,14 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
    assert_equal "18s", config_with_roles.role(:workers).proxy.deploy_options[:"target-timeout"]
  end
  test "can't set restart in options" do
    @deploy_with_roles[:servers]["workers"]["options"] = { "restart" => "always" }
    assert_raises Kamal::ConfigurationError, "servers/workers: Cannot set restart policy in docker options, unless-stopped is required" do
      Kamal::Configuration.new(@deploy_with_roles)
    end
  end
  private
    def config
      Kamal::Configuration.new(@deploy)
--- a/test/configuration/validation_test.rb
+++ b/test/configuration/validation_test.rb
@@ -42,6 +42,7 @@ class ConfigurationValidationTest < ActiveSupport::TestCase
    assert_error "servers/web/options: should be a hash", servers: { "web" => { "options" => "" } }
    assert_error "servers/web/logging/options: should be a hash", servers: { "web" => { "logging" => { "options" => "" } } }
    assert_error "servers/web/logging/driver: should be a string", servers: { "web" => { "logging" => { "driver" => [] } } }
    assert_error "servers/web/labels/service: invalid label. destination, role, and service are reserved labels", servers: { "web" => { "labels" => { "service" => "foo" } } }
    assert_error "servers/web/labels: should be a hash", servers: { "web" => { "labels" => [] } }
    assert_error "servers/web/env: should be a hash", servers: { "web" => { "env" => [] } }
    assert_error "servers/web/env: tags are only allowed in the root env", servers: { "web" => { "hosts" => [ "1.1.1.1" ], "env" => { "tags" => {} } } }
@@ -58,6 +59,7 @@ class ConfigurationValidationTest < ActiveSupport::TestCase
    assert_error "accessories/accessory1: should be a hash", accessories: { "accessory1" => [] }
    assert_error "accessories/accessory1: unknown key: unknown", accessories: { "accessory1" => { "unknown" => "baz" } }
    assert_error "accessories/accessory1/options: should be a hash", accessories: { "accessory1" => { "options" => [] } }
    assert_error "accessories/accessory1/labels/destination: invalid label. destination, role, and service are reserved labels", accessories: { "accessory1" => { "host" => "host", "labels" => { "destination" => "foo" } } }
    assert_error "accessories/accessory1/host: should be a string", accessories: { "accessory1" => { "host" => [] } }
    assert_error "accessories/accessory1/env: should be a hash", accessories: { "accessory1" => { "env" => [] } }
    assert_error "accessories/accessory1/env: tags are only allowed in the root env", accessories: { "accessory1" => { "host" => "host", "env" => { "tags" => {} } } }
@@ -94,6 +96,7 @@ class ConfigurationValidationTest < ActiveSupport::TestCase
    assert_error "builder/arch: should be an array or a string", builder: { "arch" => {} }
    assert_error "builder/args: should be a hash", builder: { "args" => [ "foo" ] }
    assert_error "builder/cache/options: should be a string", builder: { "cache" => { "options" => [] } }
    assert_error "builder: buildpacks only support building for one arch", builder: { "arch" => [ "amd64", "arm64" ], "pack" => { "builder" => "heroku/builder:24" } }
  end
  private
--- a/test/configuration_test.rb
+++ b/test/configuration_test.rb
@@ -30,7 +30,7 @@ class ConfigurationTest < ActiveSupport::TestCase
  %i[ service image registry ].each do |key|
    test "#{key} config required" do
      assert_raise(Kamal::ConfigurationError) do
-        Kamal::Configuration.new @deploy.tap { _1.delete key }
+        Kamal::Configuration.new @deploy.tap { |config| config.delete key }
      end
    end
  end
@@ -38,21 +38,49 @@ class ConfigurationTest < ActiveSupport::TestCase
  %w[ username password ].each do |key|
    test "registry #{key} required" do
      assert_raise(Kamal::ConfigurationError) do
-        Kamal::Configuration.new @deploy.tap { _1[:registry].delete key }
+        Kamal::Configuration.new @deploy.tap { |config| config[:registry].delete key }
      end
    end
  end
  test "image uses service name if registry is local" do
    assert_equal "app", Kamal::Configuration.new(@deploy.tap {
      _1[:registry] = { "server" => "localhost:5000" }
      _1.delete(:image)
    }).image
  end
  test "image uses image if registry is local" do
    assert_equal "dhh/app", Kamal::Configuration.new(@deploy.tap {
      _1[:registry] = { "server" => "localhost:5000" }
    }).image
  end
  test "service name valid" do
    assert_nothing_raised do
-      Kamal::Configuration.new(@deploy.tap { _1[:service] = "hey-app1_primary" })
+      Kamal::Configuration.new(@deploy.tap { |config| config[:service] = "hey-app1_primary" })
-      Kamal::Configuration.new(@deploy.tap { _1[:service] = "MyApp" })
+      Kamal::Configuration.new(@deploy.tap { |config| config[:service] = "MyApp" })
    end
  end
  test "service name invalid" do
    assert_raise(Kamal::ConfigurationError) do
-      Kamal::Configuration.new @deploy.tap { _1[:service] = "app.com" }
+      Kamal::Configuration.new @deploy.tap { |config| config[:service] = "app.com" }
    end
  end
  test "servers required" do
    assert_raise(Kamal::ConfigurationError) do
      Kamal::Configuration.new @deploy.tap { |config| config.delete(:servers) }
    end
  end
  test "servers not required with accessories" do
    assert_nothing_raised do
      @deploy.delete(:servers)
      @deploy[:accessories] = { "foo" => { "image" => "foo/bar", "host" => "1.1.1.1" } }
      Kamal::Configuration.new(@deploy)
    end
  end
@@ -250,7 +278,7 @@ class ConfigurationTest < ActiveSupport::TestCase
  test "destination required" do
    dest_config_file = Pathname.new(File.expand_path("fixtures/deploy_for_required_dest.yml", __dir__))
-    assert_raises(Kamal::ConfigurationError) do
+    assert_raises(ArgumentError, "You must specify a destination") do
      config = Kamal::Configuration.create_from config_file: dest_config_file
    end
@@ -371,7 +399,7 @@ class ConfigurationTest < ActiveSupport::TestCase
      Kamal::Configuration.new(@deploy_with_roles)
    end
-    assert_equal "SSL is only supported on a single server, found 2 servers for role workers", exception.message
+    assert_equal "SSL is only supported on a single server unless you provide custom certificates, found 2 servers for role workers", exception.message
  end
  test "two proxy ssl roles with same host" do
--- a/test/fixtures/deploy_with_error_pages.yml
+++ b/test/fixtures/deploy_with_error_pages.yml
@@ -0,0 +1,11 @@
 service: app
 image: dhh/app
 servers:
  - "1.1.1.1"
  - "1.1.1.2"
 registry:
  username: user
  password: pw
 builder:
  arch: amd64
 error_pages_path: public
--- a/test/fixtures/deploy_with_local_registry.yml
+++ b/test/fixtures/deploy_with_local_registry.yml
@@ -0,0 +1,10 @@
 service: app
 image: dhh/app
 servers:
 web:
  - '1.1.1.1'
  - '1.1.1.2'
 registry:
  server: localhost:5000
 builder:
  arch: amd64
--- a/test/fixtures/deploy_with_local_registry_and_accessories.yml
+++ b/test/fixtures/deploy_with_local_registry_and_accessories.yml
@@ -0,0 +1,45 @@
 service: app
 image: dhh/app
 servers:
  web:
    - '1.1.1.1'
    - '1.1.1.2'
  workers:
    - '1.1.1.3'
    - '1.1.1.4'
 registry:
  server: localhost:5000
 builder:
  arch: amd64
 accessories:
  mysql:
    image: mysql:5.7
    host: 1.1.1.3
    port: 3306
    env:
      clear:
        MYSQL_ROOT_HOST: '%'
      secret:
        - MYSQL_ROOT_PASSWORD
    files:
      - test/fixtures/files/my.cnf:/etc/mysql/my.cnf
    directories:
      - data:/var/lib/mysql
  redis:
    image: redis:latest
    roles:
      - web
    port: 6379
    directories:
      - data:/data
  busybox:
    service: custom-box
    image: busybox:latest
    host: 1.1.1.3
    registry:
      server: other.registry
      username: other_user
      password: other_pw
 readiness_delay: 0
--- a/test/fixtures/deploy_with_only_workers.yml
+++ b/test/fixtures/deploy_with_only_workers.yml
--- a/test/fixtures/deploy_with_roles_workers_primary.yml
+++ b/test/fixtures/deploy_with_roles_workers_primary.yml
@@ -0,0 +1,19 @@
 service: app
 image: dhh/app
 servers:
  workers:
    - 1.1.1.1
    - 1.1.1.2
  web:
    - 1.1.1.3
    - 1.1.1.4
 env:
  REDIS_URL: redis://x/y
 registry:
  server: registry.digitalocean.com
  username: user
  password: pw
 builder:
  arch: amd64
 deploy_timeout: 1
 primary_role: workers
--- a/test/integration/accessory_test.rb
+++ b/test/integration/accessory_test.rb
@@ -17,10 +17,39 @@ class AccessoryTest < IntegrationTest
    logs = kamal :accessory, :logs, :busybox, capture: true
    assert_match /Starting busybox.../, logs
    boot = kamal :accessory, :boot, :busybox, capture: true
    assert_match /Skipping booting `busybox` on vm1, vm2, a container already exists/, boot
    kamal :accessory, :remove, :busybox, "-y"
    assert_accessory_not_running :busybox
  end
  test "proxied: boot, stop, start, restart, logs, remove" do
    @app = "app_with_proxied_accessory"
    kamal :proxy, :boot
    kamal :accessory, :boot, :netcat
    assert_accessory_running :netcat
    assert_netcat_is_up
    kamal :accessory, :stop, :netcat
    assert_accessory_not_running :netcat
    assert_netcat_not_found
    kamal :accessory, :start, :netcat
    assert_accessory_running :netcat
    assert_netcat_is_up
    kamal :accessory, :restart, :netcat
    assert_accessory_running :netcat
    assert_netcat_is_up
    kamal :accessory, :remove, :netcat, "-y"
    assert_accessory_not_running :netcat
    assert_netcat_not_found
  end
  private
    def assert_accessory_running(name)
      assert_match /registry:4443\/busybox:1.36.0   "sh -c 'echo \\"Start/, accessory_details(name)
@@ -33,4 +62,25 @@ class AccessoryTest < IntegrationTest
    def accessory_details(name)
      kamal :accessory, :details, name, capture: true
    end
    def assert_netcat_is_up
      response = netcat_response
      debug_response_code(response, "200")
      assert_equal "200", response.code
    end
    def assert_netcat_not_found
      response = netcat_response
      debug_response_code(response, "404")
      assert_equal "404", response.code
    end
    def netcat_response
      uri = URI.parse("http://127.0.0.1:12345/up")
      http = Net::HTTP.new(uri.host, uri.port)
      request = Net::HTTP::Get.new(uri)
      request["Host"] = "netcat"
      http.request(request)
    end
 end
--- a/test/integration/app_test.rb
+++ b/test/integration/app_test.rb
@@ -29,14 +29,14 @@ class AppTest < IntegrationTest
    images = kamal :app, :images, capture: true
    assert_match "App Host: vm1", images
    assert_match "App Host: vm2", images
-    assert_match /registry:4443\/app\s+#{latest_app_version}/, images
+    assert_match /localhost:5000\/app\s+#{latest_app_version}/, images
-    assert_match /registry:4443\/app\s+latest/, images
+    assert_match /localhost:5000\/app\s+latest/, images
    containers = kamal :app, :containers, capture: true
    assert_match "App Host: vm1", containers
    assert_match "App Host: vm2", containers
-    assert_match "registry:4443/app:#{latest_app_version}", containers
+    assert_match "localhost:5000/app:#{latest_app_version}", containers
-    assert_match "registry:4443/app:latest", containers
+    assert_match "localhost:5000/app:latest", containers
    exec_output = kamal :app, :exec, :ps, capture: true
    assert_match "App Host: vm1", exec_output
@@ -48,9 +48,36 @@ class AppTest < IntegrationTest
    assert_match "App Host: vm1", exec_output
    assert_match /1 root      0:\d\d nginx/, exec_output
    kamal :app, :maintenance
    assert_app_in_maintenance
    kamal :app, :live
    assert_app_is_up
    kamal :app, :remove
    assert_app_not_found
    assert_app_directory_removed
  end
  test "custom error pages" do
    @app = "app_with_roles"
    kamal :deploy
    assert_app_is_up
    kamal :app, :maintenance
    assert_app_in_maintenance message: "Custom Maintenance Page"
    kamal :app, :live
    kamal :app, :maintenance, "--message", "\"Testing Maintence Mode\""
    assert_app_in_maintenance message: "Custom Maintenance Page: Testing Maintence Mode"
    second_version = update_app_rev
    kamal :redeploy
    kamal :app, :maintenance
    assert_app_in_maintenance message: "Custom Maintenance Page"
  end
 end
--- a/test/integration/docker-compose.yml
+++ b/test/integration/docker-compose.yml
@@ -41,6 +41,8 @@ services:
      context: docker/vm
    volumes:
      - shared:/shared
    ports:
      - "22443:443"
  vm2:
    privileged: true
@@ -61,6 +63,7 @@ services:
      context: docker/load_balancer
    ports:
      - "12345:80"
      - "12443:443"
    depends_on:
      - vm1
      - vm2
--- a/test/integration/docker/deployer/Dockerfile
+++ b/test/integration/docker/deployer/Dockerfile
@@ -18,6 +18,7 @@ RUN apt-get update --fix-missing && apt-get install -y docker-ce docker-ce-cli c
 COPY *.sh .
 COPY app/ app/
 COPY app_with_custom_certificate/ app_with_custom_certificate/
 COPY app_with_roles/ app_with_roles/
 COPY app_with_traefik/ app_with_traefik/
 COPY app_with_proxied_accessory/ app_with_proxied_accessory/
@@ -29,6 +30,7 @@ RUN mkdir -p /etc/docker/certs.d/registry:4443 && ln -s /shared/certs/domain.crt
 RUN git config --global user.email "deployer@example.com"
 RUN git config --global user.name "Deployer"
 RUN cd app && git init && git add . && git commit -am "Initial version"
 RUN cd app_with_custom_certificate && git init && git add . && git commit -am "Initial version"
 RUN cd app_with_roles && git init && git add . && git commit -am "Initial version"
 RUN cd app_with_traefik && git init && git add . && git commit -am "Initial version"
 RUN cd app_with_proxied_accessory && git init && git add . && git commit -am "Initial version"
--- a/test/integration/docker/deployer/app/.kamal/hooks/pre-connect
+++ b/test/integration/docker/deployer/app/.kamal/hooks/pre-connect
@@ -1,4 +1,5 @@
 #!/bin/sh
 echo "About to lock..."
 env
 mkdir -p /tmp/${TEST_ID} && touch /tmp/${TEST_ID}/pre-connect
--- a/Show More
+++ b/Show More