Fix typo

Instead of using `kamal envify` to generate the .env file, we now assume
that it will be in place for us.

Options in place of `kamal envify`:
1. Pre-generate the .env file
2. Create the env file in the `.pre-init` hook
3. Log into a secret store/check you are logged in in the pre-init hook
   Then use .dotenv command and variable substitution to interpolate the
   secrets.

.github/workflows/ci.yml

@@ -24,25 +24,12 @@ jobs:
     strategy:
       matrix:
         ruby-version:
-          - "2.7"
           - "3.1"
           - "3.2"
           - "3.3"
         gemfile:
           - Gemfile
-          - gemfiles/ruby_2.7.gemfile
           - gemfiles/rails_edge.gemfile
-        exclude:
-          - ruby-version: "2.7"
-            gemfile: Gemfile
-          - ruby-version: "2.7"
-            gemfile: gemfiles/rails_edge.gemfile
-          - ruby-version: "3.1"
-            gemfile: gemfiles/ruby_2.7.gemfile
-          - ruby-version: "3.2"
-            gemfile: gemfiles/ruby_2.7.gemfile
-          - ruby-version: "3.3"
-            gemfile: gemfiles/ruby_2.7.gemfile
     name: ${{ format('Tests (Ruby {0})', matrix.ruby-version) }}
     runs-on: ubuntu-latest
     continue-on-error: true

Dockerfile

@@ -1,7 +1,7 @@
 # Use the official Ruby 3.2.0 Alpine image as the base image
 FROM ruby:3.2.0-alpine
 
-# Install  docker/buildx-bin
+# Install docker/buildx-bin
 COPY --from=docker/buildx-bin /buildx /usr/libexec/docker/cli-plugins/docker-buildx
 
 # Set the working directory to /kamal
@@ -14,7 +14,7 @@ COPY Gemfile Gemfile.lock kamal.gemspec ./
 COPY lib/kamal/version.rb /kamal/lib/kamal/version.rb
 
 # Install system dependencies
-RUN apk add --no-cache --update build-base git docker openrc openssh-client-default \
+RUN apk add --no-cache build-base git docker openrc openssh-client-default \
     && rc-update add docker boot \
     && gem install bundler --version=2.4.3 \
     && bundle install

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    kamal (1.7.3)
+    kamal (1.8.1)
       activesupport (>= 7.0)
       base64 (~> 0.2)
       bcrypt_pbkdf (~> 1.0)
@@ -9,9 +9,8 @@ PATH
       dotenv (~> 2.8)
       ed25519 (~> 1.2)
       net-ssh (~> 7.0)
-      sshkit (>= 1.22.2, < 2.0)
+      sshkit (>= 1.23.0, < 2.0)
       thor (~> 1.2)
-      x25519 (~> 1.0, >= 1.0.10)
       zeitwerk (~> 2.5)
 
 GEM
@@ -154,9 +153,8 @@ GEM
       rubocop-rails
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
-    sshkit (1.22.2)
+    sshkit (1.23.0)
       base64
-      mutex_m
       net-scp (>= 1.1.2)
       net-sftp (>= 2.1.2)
       net-ssh (>= 2.8.0)
@@ -166,7 +164,6 @@ GEM
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.5.0)
     webrick (1.8.1)
-    x25519 (1.0.10)
     zeitwerk (2.6.12)
 
 PLATFORMS

gemfiles/ruby_2.7.gemfile

@@ -1,6 +0,0 @@
-source 'https://rubygems.org'
-git_source(:github) { |repo| "https://github.com/#{repo}.git" }
-
-gemspec path: "../"
-
-gem "nokogiri", "~> 1.15.0"

kamal.gemspec

@@ -12,13 +12,12 @@ Gem::Specification.new do |spec|
   spec.executables = %w[ kamal ]
 
   spec.add_dependency "activesupport", ">= 7.0"
-  spec.add_dependency "sshkit", ">= 1.22.2", "< 2.0"
+  spec.add_dependency "sshkit", ">= 1.23.0", "< 2.0"
   spec.add_dependency "net-ssh", "~> 7.0"
   spec.add_dependency "thor", "~> 1.2"
   spec.add_dependency "dotenv", "~> 2.8"
   spec.add_dependency "zeitwerk", "~> 2.5"
   spec.add_dependency "ed25519", "~> 1.2"
-  spec.add_dependency "x25519", "~> 1.0", ">= 1.0.10"
   spec.add_dependency "bcrypt_pbkdf", "~> 1.0"
   spec.add_dependency "concurrent-ruby", "~> 1.2"
   spec.add_dependency "base64", "~> 0.2"

lib/kamal/cli/base.rb

@@ -22,28 +22,48 @@ module Kamal::Cli
 
     class_option :skip_hooks, aliases: "-H", type: :boolean, default: false, desc: "Don't run hooks"
 
+    @@ran_pre_init_hook = false
+    class << self
+      def ran_pre_init_hook
+        @@ran_pre_init_hook
+      end
+
+      def ran_pre_init_hook=(value)
+        @@ran_pre_init_hook = value
+      end
+    end
+
     def initialize(*)
       super
       @original_env = ENV.to_h.dup
-      load_envs
+      run_pre_init_hook
+      load_env
       initialize_commander(options_with_subcommand_class_options)
     end
 
     private
-      def load_envs
+      def load_env
         if destination = options[:destination]
-          Dotenv.load(".env.#{destination}", ".env")
+          if File.exist?(".kamal/.env.#{destination}") || File.exist?(".kamal/.env")
+            Dotenv.load(".kamal/.env.#{destination}", ".kamal/.env")
+          else
+            loading_files = [ (".env" if File.exist?(".env")), (".env.#{destination}" if File.exist?(".env.#{destination}")) ].compact
+            if loading_files.any?
+              warn "Loading #{loading_files.join(" and ")} from the project root, in future they will be loaded from .kamal/"
+              Dotenv.load(".env.#{destination}", ".env")
+            end
+          end
         else
-          Dotenv.load(".env")
+          if File.exist?(".kamal/.env")
+            Dotenv.load(".kamal/.env")
+          elsif File.exist?(".env")
+            $stderr.puts caller
+            warn "Loading .env from the project root, in future it will be loaded then from .kamal/.env"
+            Dotenv.load(".env")
+          end
         end
       end
 
-      def reload_envs
-        ENV.clear
-        ENV.update(@original_env)
-        load_envs
-      end
-
       def options_with_subcommand_class_options
         options.merge(@_initializer.last[:class_options] || {})
       end
@@ -140,8 +160,23 @@ module Kamal::Cli
         end
       end
 
+      def run_pre_init_hook
+        unless self.class.ran_pre_init_hook
+          hook = "pre-init"
+          if run_hook?(hook)
+            say "Running the #{hook} hook...", :magenta
+            run_locally do
+              execute *Kamal::Hooks.file(hook), verbosity: :debug
+            rescue SSHKit::Command::Failed => e
+              raise HookError.new("Hook `#{hook}` failed:\n#{e.message}")
+            end
+          end
+          self.class.ran_pre_init_hook = true
+        end
+      end
+
       def run_hook(hook, **extra_details)
-        if !options[:skip_hooks] && KAMAL.hook.hook_exists?(hook)
+        if run_hook?(hook)
           details = { hosts: KAMAL.hosts.join(","), command: command, subcommand: subcommand }
 
           say "Running the #{hook} hook...", :magenta
@@ -153,6 +188,10 @@ module Kamal::Cli
         end
       end
 
+      def run_hook?(hook)
+        !options[:skip_hooks] && Kamal::Hooks.exists?(hook)
+      end
+
       def on(*args, &block)
         if !KAMAL.connected?
           run_hook "pre-connect"

lib/kamal/cli/build.rb

@@ -59,11 +59,14 @@ class Kamal::Cli::Build < Kamal::Cli::Base
 
   desc "pull", "Pull app image from registry onto servers"
   def pull
-    on(KAMAL.hosts) do
-      execute *KAMAL.auditor.record("Pulled image with version #{KAMAL.config.version}"), verbosity: :debug
-      execute *KAMAL.builder.clean, raise_on_non_zero_exit: false
-      execute *KAMAL.builder.pull
-      execute *KAMAL.builder.validate_image
+    if (first_hosts = mirror_hosts).any?
+      #  Pull on a single host per mirror first to seed them
+      say "Pulling image on #{first_hosts.join(", ")} to seed the #{"mirror".pluralize(first_hosts.count)}...", :magenta
+      pull_on_hosts(first_hosts)
+      say "Pulling image on remaining hosts...", :magenta
+      pull_on_hosts(KAMAL.hosts - first_hosts)
+    else
+      pull_on_hosts(KAMAL.hosts)
     end
   end
 
@@ -131,4 +134,28 @@ class Kamal::Cli::Build < Kamal::Cli::Base
         end
       end
     end
+
+    def mirror_hosts
+      if KAMAL.hosts.many?
+        mirror_hosts = Concurrent::Hash.new
+        on(KAMAL.hosts) do |host|
+          first_mirror = capture_with_info(*KAMAL.builder.first_mirror).strip.presence
+          mirror_hosts[first_mirror] ||= host.to_s if first_mirror
+        rescue SSHKit::Command::Failed => e
+          raise unless e.message =~ /error calling index: reflect: slice index out of range/
+        end
+        mirror_hosts.values
+      else
+        []
+      end
+    end
+
+    def pull_on_hosts(hosts)
+      on(hosts) do
+        execute *KAMAL.auditor.record("Pulled image with version #{KAMAL.config.version}"), verbosity: :debug
+        execute *KAMAL.builder.clean, raise_on_non_zero_exit: false
+        execute *KAMAL.builder.pull
+        execute *KAMAL.builder.validate_image
+      end
+    end
 end

lib/kamal/cli/main.rb

@@ -10,7 +10,6 @@ class Kamal::Cli::Main < Kamal::Cli::Base
         invoke "kamal:cli:server:bootstrap", [], invoke_options
 
         say "Evaluate and push env files...", :magenta
-        invoke "kamal:cli:main:envify", [], invoke_options
         invoke "kamal:cli:env:push", [], invoke_options
 
         invoke "kamal:cli:accessory:boot", [ "all" ], invoke_options
@@ -179,29 +178,6 @@ class Kamal::Cli::Main < Kamal::Cli::Base
     end
   end
 
-  desc "envify", "Create .env by evaluating .env.erb (or .env.staging.erb -> .env.staging when using -d staging)"
-  option :skip_push, aliases: "-P", type: :boolean, default: false, desc: "Skip .env file push"
-  def envify
-    if destination = options[:destination]
-      env_template_path = ".env.#{destination}.erb"
-      env_path          = ".env.#{destination}"
-    else
-      env_template_path = ".env.erb"
-      env_path          = ".env"
-    end
-
-    if Pathname.new(File.expand_path(env_template_path)).exist?
-      File.write(env_path, ERB.new(File.read(env_template_path), trim_mode: "-").result, perm: 0600)
-
-      unless options[:skip_push]
-        reload_envs
-        invoke "kamal:cli:env:push", options
-      end
-    else
-      puts "Skipping envify (no #{env_template_path} exist)"
-    end
-  end
-
   desc "remove", "Remove Traefik, app, accessories, and registry session from servers"
   option :confirmed, aliases: "-y", type: :boolean, default: false, desc: "Proceed without confirmation question"
   def remove

lib/kamal/commands/builder.rb

@@ -2,7 +2,7 @@ require "active_support/core_ext/string/filters"
 
 class Kamal::Commands::Builder < Kamal::Commands::Base
   delegate :create, :remove, :push, :clean, :pull, :info, :context_hosts, :config_context_hosts, :validate_image,
-    to: :target
+           :first_mirror, to: :target
 
   include Clone
 

lib/kamal/commands/builder/base.rb

@@ -40,6 +40,10 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
     []
   end
 
+  def first_mirror
+    docker(:info, "--format '{{index .RegistryConfig.Mirrors 0}}'")
+  end
+
   private
     def build_tags
       [ "-t", config.absolute_image, "-t", config.latest_image ]

lib/kamal/commands/builder/clone.rb

@@ -6,7 +6,7 @@ module Kamal::Commands::Builder::Clone
   end
 
   def clone
-    git :clone, Kamal::Git.root, "--recurse-submodules", path: clone_directory
+    git :clone, Kamal::Git.root, path: clone_directory
   end
 
   def clone_reset_steps
@@ -14,8 +14,7 @@ module Kamal::Commands::Builder::Clone
       git(:remote, "set-url", :origin, Kamal::Git.root, path: build_directory),
       git(:fetch, :origin, path: build_directory),
       git(:reset, "--hard", Kamal::Git.revision, path: build_directory),
-      git(:clean, "-fdx", path: build_directory),
-      git(:submodule, :update, "--init", path: build_directory)
+      git(:clean, "-fdx", path: build_directory)
     ]
   end
 

lib/kamal/commands/hook.rb

@@ -1,14 +1,5 @@
 class Kamal::Commands::Hook < Kamal::Commands::Base
   def run(hook, **details)
-    [ hook_file(hook), env: tags(**details).env ]
+    [ Kamal::Hooks.file(hook), env: tags(**details).env ]
   end
-
-  def hook_exists?(hook)
-    Pathname.new(hook_file(hook)).exist?
-  end
-
-  private
-    def hook_file(hook)
-      File.join(config.hooks_path, hook)
-    end
 end

lib/kamal/configuration.rb

@@ -7,7 +7,7 @@ require "erb"
 require "net/ssh/proxy/jump"
 
 class Kamal::Configuration
-  delegate :service, :image, :labels, :stop_wait_time, :hooks_path, to: :raw_config, allow_nil: true
+  delegate :service, :image, :labels, :stop_wait_time, to: :raw_config, allow_nil: true
   delegate :argumentize, :optionize, to: Kamal::Utils
 
   attr_reader :destination, :raw_config
@@ -47,7 +47,7 @@ class Kamal::Configuration
     @destination = destination
     @declared_version = version
 
-    validate! raw_config, example: validation_yml.symbolize_keys, context: ""
+    validate! raw_config, example: validation_yml.symbolize_keys, context: "", with: Kamal::Configuration::Validator::Configuration
 
     # Eager load config to validate it, these are first as they have dependencies later on
     @servers = Servers.new(config: self)
@@ -208,10 +208,6 @@ class Kamal::Configuration
     end
   end
 
-  def hooks_path
-    raw_config.hooks_path || ".kamal/hooks"
-  end
-
   def asset_path
     raw_config.asset_path
   end

lib/kamal/configuration/docs/configuration.yml

@@ -2,13 +2,24 @@
 #
 # Configuration is read from the `config/deploy.yml`
 #
+
+# Destinations
+#
 # When running commands, you can specify a destination with the `-d` flag,
 # e.g. `kamal deploy -d staging`
 #
 # In this case the configuration will also be read from `config/deploy.staging.yml`
 # and merged with the base configuration.
+
+# Extensions
 #
-# The available configuration options are explained below.
+# Kamal will not accept unrecognized keys in the configuration file.
+#
+# However, you might want to declare a configuration block using YAML anchors
+# and aliases to avoid repetition.
+#
+# You can use prefix a configuration section with `x-` to indicate that it is an
+# extension. Kamal will ignore the extension and not raise an error.
 
 # The service name
 # This is a required value. It is used as the container name prefix.
@@ -63,10 +74,6 @@ env:
 # To configure this, set the path to the assets:
 asset_path: /path/to/assets
 
-# Path to hooks, defaults to `.kamal/hooks`
-# See https://kamal-deploy.org/docs/hooks for more information
-hooks_path: /user_home/kamal/hooks
-
 # Require destinations
 #
 # Whether deployments require a destination to be specified, defaults to `false`

lib/kamal/configuration/docs/env.yml

@@ -24,14 +24,14 @@ env:
 # KAMAL_REGISTRY_PASSWORD=pw
 # DB_PASSWORD=secret123
 # ```
-# See https://kamal-deploy.org/docs/commands/envify/ for how to use generated .env files.
+# See https://kamal-deploy.org/docs/commands/env/ for how to use generated .env files.
 #
 # To pass the secrets you should list them under the `secret` key. When you do this the
 # other variables need to be moved under the `clear` key.
 #
-# Unlike clear valies, secrets are not passed directly to the container,
+# Unlike clear values, secrets are not passed directly to the container,
 # but are stored in an env file on the host
-# The file is not updated when deploying, only when running `kamal envify` or `kamal env push`.
+# The file is not updated when deploying, only when running `kamal env push`.
 env:
   clear:
     DB_USER: app

lib/kamal/configuration/docs/ssh.yml

@@ -44,3 +44,23 @@ ssh:
   # Defaults to `fatal`. Set this to debug if you are having
   # SSH connection issues.
   log_level: debug
+
+  # Keys Only
+  #
+  # Set to true to use only private keys from keys and key_data parameters, 
+  # even if ssh-agent offers more identities. This option is intended for 
+  # situations where ssh-agent offers many different identites or you have 
+  # a need to overwrite all identites and force a single one.
+  keys_only: false
+
+  # Keys
+  #
+  # An array of file names of private keys to use for publickey
+  # and hostbased authentication
+  keys: [ "~/.ssh/id.pem" ]
+
+  # Key Data
+  #
+  # An array of strings, with each element of the array being
+  # a raw private key in PEM format.
+  key_data: [ "-----BEGIN OPENSSH PRIVATE KEY-----" ]

lib/kamal/configuration/ssh.rb

@@ -26,8 +26,20 @@ class Kamal::Configuration::Ssh
     end
   end
 
+  def keys_only
+    ssh_config["keys_only"]
+  end
+
+  def keys
+    ssh_config["keys"]
+  end
+
+  def key_data
+    ssh_config["key_data"]
+  end
+
   def options
-    { user: user, port: port, proxy: proxy, logger: logger, keepalive: true, keepalive_interval: 30 }.compact
+    { user: user, port: port, proxy: proxy, logger: logger, keepalive: true, keepalive_interval: 30, keys_only: keys_only, keys: keys, key_data: key_data }.compact
   end
 
   def to_h

lib/kamal/configuration/validator.rb

@@ -15,11 +15,10 @@ class Kamal::Configuration::Validator
     def validate_against_example!(validation_config, example)
       validate_type! validation_config, Hash
 
-      if (unknown_keys = validation_config.keys - example.keys).any?
-        unknown_keys_error unknown_keys
-      end
+      check_unknown_keys! validation_config, example
 
       validation_config.each do |key, value|
+        next if extension?(key)
         with_context(key) do
           example_value = example[key]
 
@@ -137,4 +136,18 @@ class Kamal::Configuration::Validator
     ensure
       @context = old_context
     end
+
+    def allow_extensions?
+      false
+    end
+
+    def extension?(key)
+      key.to_s.start_with?("x-")
+    end
+
+    def check_unknown_keys!(config, example)
+      unknown_keys = config.keys - example.keys
+      unknown_keys.reject! { |key| extension?(key) } if allow_extensions?
+      unknown_keys_error unknown_keys if unknown_keys.present?
+    end
 end

lib/kamal/configuration/validator/configuration.rb

@@ -0,0 +1,6 @@
+class Kamal::Configuration::Validator::Configuration < Kamal::Configuration::Validator
+  private
+    def allow_extensions?
+      true
+    end
+end

lib/kamal/git.rb

@@ -9,6 +9,10 @@ module Kamal::Git
     `git config user.name`.strip
   end
 
+  def email
+    `git config user.email`.strip
+  end
+
   def revision
     `git rev-parse HEAD`.strip
   end

lib/kamal/tags.rb

@@ -10,7 +10,7 @@ class Kamal::Tags
 
     def default_tags(config)
       { recorded_at: Time.now.utc.iso8601,
-        performer: `whoami`.chomp,
+        performer: Kamal::Git.email.presence || `whoami`.chomp,
         destination: config.destination,
         version: config.version,
         service_version: service_version(config),

lib/kamal/version.rb

@@ -1,3 +1,3 @@
 module Kamal
-  VERSION = "1.7.3"
+  VERSION = "1.8.1"
 end

test/cli/build_test.rb

@@ -10,7 +10,7 @@ class CliBuildTest < CliTestCase
 
   test "push" do
     with_build_directory do |build_directory|
-      Kamal::Commands::Hook.any_instance.stubs(:hook_exists?).returns(true)
+      Kamal::Hooks.stubs(:exists?).returns(true)
       hook_variables = { version: 999, service_version: "app@999", hosts: "1.1.1.1,1.1.1.2,1.1.1.3,1.1.1.4", command: "build", subcommand: "push" }
 
       SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
@@ -42,7 +42,7 @@ class CliBuildTest < CliTestCase
       SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:docker, "--version", "&&", :docker, :buildx, "version")
 
       SSHKit::Backend::Abstract.any_instance.expects(:execute)
-        .with(:git, "-C", "#{Dir.tmpdir}/kamal-clones/app-#{pwd_sha}", :clone, Dir.pwd, "--recurse-submodules")
+        .with(:git, "-C", "#{Dir.tmpdir}/kamal-clones/app-#{pwd_sha}", :clone, Dir.pwd)
         .raises(SSHKit::Command::Failed.new("fatal: destination path 'kamal' already exists and is not an empty directory"))
         .then
         .returns(true)
@@ -50,7 +50,6 @@ class CliBuildTest < CliTestCase
       SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:git, "-C", build_directory, :fetch, :origin)
       SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:git, "-C", build_directory, :reset, "--hard", Kamal::Git.revision)
       SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:git, "-C", build_directory, :clean, "-fdx")
-      SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:git, "-C", build_directory, :submodule, :update, "--init")
 
       SSHKit::Backend::Abstract.any_instance.expects(:execute)
         .with(:docker, :buildx, :build, "--push", "--platform", "linux/amd64,linux/arm64", "--builder", "kamal-app-multiarch", "-t", "dhh/app:999", "-t", "dhh/app:latest", "--label", "service=\"app\"", "--file", "Dockerfile", ".")
@@ -71,7 +70,7 @@ class CliBuildTest < CliTestCase
   end
 
   test "push without clone" do
-    Kamal::Commands::Hook.any_instance.stubs(:hook_exists?).returns(true)
+    Kamal::Hooks.stubs(:exists?).returns(true)
     hook_variables = { version: 999, service_version: "app@999", hosts: "1.1.1.1,1.1.1.2,1.1.1.3,1.1.1.4", command: "build", subcommand: "push" }
 
     run_command("push", "--verbose", fixture: :without_clone).tap do |output|
@@ -89,7 +88,7 @@ class CliBuildTest < CliTestCase
       SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:docker, "--version", "&&", :docker, :buildx, "version")
 
       SSHKit::Backend::Abstract.any_instance.expects(:execute)
-        .with(:git, "-C", "#{Dir.tmpdir}/kamal-clones/app-#{pwd_sha}", :clone, Dir.pwd, "--recurse-submodules")
+        .with(:git, "-C", "#{Dir.tmpdir}/kamal-clones/app-#{pwd_sha}", :clone, Dir.pwd)
         .raises(SSHKit::Command::Failed.new("fatal: destination path 'kamal' already exists and is not an empty directory"))
         .then
         .returns(true)
@@ -170,12 +169,41 @@ class CliBuildTest < CliTestCase
 
   test "pull" do
     run_command("pull").tap do |output|
+      assert_match /docker info --format '{{index .RegistryConfig.Mirrors 0}}'/, output
       assert_match /docker image rm --force dhh\/app:999/, output
       assert_match /docker pull dhh\/app:999/, output
       assert_match "docker inspect -f '{{ .Config.Labels.service }}' dhh/app:999 | grep -x app || (echo \"Image dhh/app:999 is missing the 'service' label\" && exit 1)", output
     end
   end
 
+  test "pull with mirror" do
+    SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
+      .with(:docker, :info, "--format '{{index .RegistryConfig.Mirrors 0}}'")
+      .returns("registry-mirror.example.com")
+      .at_least_once
+
+    run_command("pull").tap do |output|
+      assert_match /Pulling image on 1\.1\.1\.\d to seed the mirror\.\.\./, output
+      assert_match "Pulling image on remaining hosts...", output
+      assert_equal 4, output.scan(/docker pull dhh\/app:999/).size, output
+      assert_match "docker inspect -f '{{ .Config.Labels.service }}' dhh/app:999 | grep -x app || (echo \"Image dhh/app:999 is missing the 'service' label\" && exit 1)", output
+    end
+  end
+
+  test "pull with mirrors" do
+    SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
+      .with(:docker, :info, "--format '{{index .RegistryConfig.Mirrors 0}}'")
+      .returns("registry-mirror.example.com", "registry-mirror2.example.com")
+      .at_least_once
+
+    run_command("pull").tap do |output|
+      assert_match /Pulling image on 1\.1\.1\.\d, 1\.1\.1\.\d to seed the mirrors\.\.\./, output
+      assert_match "Pulling image on remaining hosts...", output
+      assert_equal 4, output.scan(/docker pull dhh\/app:999/).size, output
+      assert_match "docker inspect -f '{{ .Config.Labels.service }}' dhh/app:999 | grep -x app || (echo \"Image dhh/app:999 is missing the 'service' label\" && exit 1)", output
+    end
+  end
+
   test "create" do
     run_command("create").tap do |output|
       assert_match /docker buildx create --use --name kamal-app-multiarch/, output

test/cli/cli_test_case.rb

@@ -18,7 +18,7 @@ class CliTestCase < ActiveSupport::TestCase
   private
     def fail_hook(hook)
       @executions = []
-      Kamal::Commands::Hook.any_instance.stubs(:hook_exists?).returns(true)
+      Kamal::Hooks.stubs(:exists?).returns(true)
 
       SSHKit::Backend::Abstract.any_instance.stubs(:execute)
         .with { |*args| @executions << args; args != [ ".kamal/hooks/#{hook}" ] }
@@ -42,12 +42,13 @@ class CliTestCase < ActiveSupport::TestCase
     end
 
     def assert_hook_ran(hook, output, version:, service_version:, hosts:, command:, subcommand: nil, runtime: false)
-      performer = `whoami`.strip
+      whoami = `whoami`.chomp
+      performer = Kamal::Git.email.presence || whoami
       service = service_version.split("@").first
 
       assert_match "Running the #{hook} hook...\n", output
 
-      expected = %r{Running\s/usr/bin/env\s\.kamal/hooks/#{hook}\sas\s#{performer}@localhost\n\s
+      expected = %r{Running\s/usr/bin/env\s\.kamal/hooks/#{hook}\sas\s#{whoami}@localhost\n\s
         DEBUG\s\[[0-9a-f]*\]\sCommand:\s\(\sexport\s
         KAMAL_RECORDED_AT=\"\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ\"\s
         KAMAL_PERFORMER=\"#{performer}\"\s

test/cli/main_test.rb

@@ -1,11 +1,13 @@
 require_relative "cli_test_case"
 
 class CliMainTest < CliTestCase
+  setup { @original_env = ENV.to_h.dup }
+  teardown { ENV.clear; ENV.update @original_env }
+
   test "setup" do
     invoke_options = { "config_file" => "test/fixtures/deploy_simple.yml", "version" => "999", "skip_hooks" => false }
 
     Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:server:bootstrap", [], invoke_options)
-    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:main:envify", [], invoke_options)
     Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:env:push", [], invoke_options)
     Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:accessory:boot", [ "all" ], invoke_options)
     Kamal::Cli::Main.any_instance.expects(:deploy)
@@ -21,7 +23,6 @@ class CliMainTest < CliTestCase
 
     Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:server:bootstrap", [], invoke_options)
     Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:env:push", [], invoke_options)
-    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:main:envify", [], invoke_options)
     Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:accessory:boot", [ "all" ], invoke_options)
     # deploy
     Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:registry:login", [], invoke_options.merge(skip_local: true))
@@ -55,10 +56,11 @@ class CliMainTest < CliTestCase
     Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:app:boot", [], invoke_options)
     Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:prune:all", [], invoke_options)
 
-    Kamal::Commands::Hook.any_instance.stubs(:hook_exists?).returns(true)
+    Kamal::Hooks.stubs(:exists?).returns(true)
     hook_variables = { version: 999, service_version: "app@999", hosts: "1.1.1.1,1.1.1.2", command: "deploy" }
 
     run_command("deploy", "--verbose").tap do |output|
+      assert_match "Running the pre-init hook...", output
       assert_hook_ran "pre-connect", output, **hook_variables
       assert_match /Log into image registry/, output
       assert_match /Build and push app image/, output
@@ -122,6 +124,11 @@ class CliMainTest < CliTestCase
       .with(:docker, :buildx, :inspect, "kamal-app-multiarch", "> /dev/null")
       .returns("")
 
+    SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
+      .with(:docker, :info, "--format '{{index .RegistryConfig.Mirrors 0}}'")
+      .returns("")
+      .at_least_once
+
     assert_raises(Kamal::Cli::LockError) do
       run_command("deploy")
     end
@@ -155,6 +162,11 @@ class CliMainTest < CliTestCase
       .with(:docker, :buildx, :inspect, "kamal-app-multiarch", "> /dev/null")
       .returns("")
 
+    SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
+      .with(:docker, :info, "--format '{{index .RegistryConfig.Mirrors 0}}'")
+      .returns("")
+      .at_least_once
+
     assert_raises(SSHKit::Runner::ExecuteError) do
       run_command("deploy")
     end
@@ -224,7 +236,7 @@ class CliMainTest < CliTestCase
     Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:app:stale_containers", [], invoke_options.merge(stop: true))
     Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:app:boot", [], invoke_options)
 
-    Kamal::Commands::Hook.any_instance.stubs(:hook_exists?).returns(true)
+    Kamal::Hooks.stubs(:exists?).returns(true)
 
     hook_variables = { version: 999, service_version: "app@999", hosts: "1.1.1.1,1.1.1.2", command: "redeploy" }
 
@@ -285,7 +297,7 @@ class CliMainTest < CliTestCase
       .with(:docker, :container, :ls, "--all", "--filter", "name=^app-web-version-to-rollback$", "--quiet", "|", :xargs, :docker, :inspect, "--format", "'{{if .State.Health}}{{.State.Health.Status}}{{else}}{{.State.Status}}{{end}}'")
       .returns("unhealthy").at_least_once # health check
 
-    Kamal::Commands::Hook.any_instance.stubs(:hook_exists?).returns(true)
+    Kamal::Hooks.stubs(:exists?).returns(true)
     hook_variables = { version: 123, service_version: "app@123", hosts: "1.1.1.1,1.1.1.2,1.1.1.3,1.1.1.4", command: "rollback" }
 
     run_command("rollback", "--verbose", "123", config_file: "deploy_with_accessories").tap do |output|
@@ -383,7 +395,7 @@ class CliMainTest < CliTestCase
   end
 
   test "init" do
-    Pathname.any_instance.expects(:exist?).returns(false).times(3)
+    Pathname.any_instance.expects(:exist?).returns(false).times(4)
     Pathname.any_instance.stubs(:mkpath)
     FileUtils.stubs(:mkdir_p)
     FileUtils.stubs(:cp_r)
@@ -396,7 +408,7 @@ class CliMainTest < CliTestCase
   end
 
   test "init with existing config" do
-    Pathname.any_instance.expects(:exist?).returns(true).times(3)
+    Pathname.any_instance.expects(:exist?).returns(true).times(4)
 
     run_command("init").tap do |output|
       assert_match /Config file already exists in config\/deploy.yml \(remove first to create a new one\)/, output
@@ -404,7 +416,7 @@ class CliMainTest < CliTestCase
   end
 
   test "init with bundle option" do
-    Pathname.any_instance.expects(:exist?).returns(false).times(4)
+    Pathname.any_instance.expects(:exist?).returns(false).times(5)
     Pathname.any_instance.stubs(:mkpath)
     FileUtils.stubs(:mkdir_p)
     FileUtils.stubs(:cp_r)
@@ -421,7 +433,7 @@ class CliMainTest < CliTestCase
   end
 
   test "init with bundle option and existing binstub" do
-    Pathname.any_instance.expects(:exist?).returns(true).times(4)
+    Pathname.any_instance.expects(:exist?).returns(true).times(5)
     Pathname.any_instance.stubs(:mkpath)
     FileUtils.stubs(:mkdir_p)
     FileUtils.stubs(:cp_r)
@@ -433,43 +445,6 @@ class CliMainTest < CliTestCase
     end
   end
 
-  test "envify" do
-    with_test_dot_env_erb(contents: "HELLO=<%= 'world' %>") do
-      run_command("envify")
-      assert_equal("HELLO=world", File.read(".env"))
-    end
-  end
-
-  test "envify with blank line trimming" do
-    file = <<~EOF
-      HELLO=<%= 'world' %>
-      <% if true -%>
-      KEY=value
-      <% end  -%>
-    EOF
-
-    with_test_dot_env_erb(contents: file) do
-      run_command("envify")
-      assert_equal("HELLO=world\nKEY=value\n", File.read(".env"))
-    end
-  end
-
-  test "envify with destination" do
-    with_test_dot_env_erb(contents: "HELLO=<%= 'world' %>", file: ".env.world.erb") do
-      run_command("envify", "-d", "world", config_file: "deploy_for_dest")
-      assert_equal "HELLO=world", File.read(".env.world")
-    end
-  end
-
-  test "envify with skip_push" do
-    Pathname.any_instance.expects(:exist?).returns(true).times(1)
-    File.expects(:read).with(".env.erb").returns("HELLO=<%= 'world' %>")
-    File.expects(:write).with(".env", "HELLO=world", perm: 0600)
-
-    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:env:push").never
-    run_command("envify", "--skip-push")
-  end
-
   test "remove with confirmation" do
     run_command("remove", "-y", config_file: "deploy_with_accessories").tap do |output|
       assert_match /docker container stop traefik/, output
@@ -522,14 +497,19 @@ class CliMainTest < CliTestCase
       stdouted { Kamal::Cli::Main.start([ *command, "-c", "test/fixtures/#{config_file}.yml" ]) }
     end
 
-    def with_test_dot_env_erb(contents:, file: ".env.erb")
+    def with_test_dotenv(**files)
       Dir.mktmpdir do |dir|
         fixtures_dup = File.join(dir, "test")
         FileUtils.mkdir_p(fixtures_dup)
         FileUtils.cp_r("test/fixtures/", fixtures_dup)
 
         Dir.chdir(dir) do
-          File.write(file, contents)
+          FileUtils.mkdir_p(".kamal")
+          Dir.chdir(".kamal") do
+            files.each do |filename, contents|
+              File.binwrite(filename.to_s, contents)
+            end
+          end
           yield
         end
       end

test/cli/server_test.rb

@@ -40,7 +40,8 @@ class CliServerTest < CliTestCase
     SSHKit::Backend::Abstract.any_instance.expects(:execute).with('[ "${EUID:-$(id -u)}" -eq 0 ] || command -v sudo >/dev/null || command -v su >/dev/null', raise_on_non_zero_exit: false).returns(true).at_least_once
     SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:sh, "-c", "'curl -fsSL https://get.docker.com || wget -O - https://get.docker.com || echo \"exit 1\"'", "|", :sh).at_least_once
     SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:mkdir, "-p", ".kamal").returns("").at_least_once
-    Kamal::Commands::Hook.any_instance.stubs(:hook_exists?).returns(true)
+    Kamal::Hooks.stubs(:exists?).returns(true)
+    SSHKit::Backend::Abstract.any_instance.expects(:execute).with(".kamal/hooks/pre-init", anything).at_least_once
     SSHKit::Backend::Abstract.any_instance.expects(:execute).with(".kamal/hooks/pre-connect", anything).at_least_once
     SSHKit::Backend::Abstract.any_instance.expects(:execute).with(".kamal/hooks/docker-setup", anything).at_least_once
 

test/commands/auditor_test.rb

@@ -12,7 +12,7 @@ class CommandsAuditorTest < ActiveSupport::TestCase
     }
 
     @auditor = new_command
-    @performer = `whoami`.strip
+    @performer = Kamal::Git.email.presence || `whoami`.chomp
     @recorded_at = Time.now.utc.iso8601
   end
 

test/commands/builder_test.rb

@@ -200,6 +200,11 @@ class CommandsBuilderTest < ActiveSupport::TestCase
     assert_equal [ "unix:///var/run/docker.sock", "ssh://host" ], command.config_context_hosts
   end
 
+  test "mirror count" do
+    command = new_builder_command
+    assert_equal "docker info --format '{{index .RegistryConfig.Mirrors 0}}'", command.first_mirror.join(" ")
+  end
+
   private
     def new_builder_command(additional_config = {})
       Kamal::Commands::Builder.new(Kamal::Configuration.new(@config.merge(additional_config), version: "123"))

test/commands/hook_test.rb

@@ -11,7 +11,7 @@ class CommandsHookTest < ActiveSupport::TestCase
       traefik: { "args" => { "accesslog.format" => "json", "metrics.prometheus.buckets" => "0.1,0.3,1.2,5.0" } }
     }
 
-    @performer = `whoami`.strip
+    @performer = Kamal::Git.email.presence || `whoami`.chomp
     @recorded_at = Time.now.utc.iso8601
   end
 
@@ -28,6 +28,7 @@ class CommandsHookTest < ActiveSupport::TestCase
   end
 
   test "run with custom hooks_path" do
+    ENV["KAMAL_HOOKS_PATH"] = "custom/hooks/path"
     assert_equal [
       "custom/hooks/path/foo",
       { env: {
@@ -36,7 +37,9 @@ class CommandsHookTest < ActiveSupport::TestCase
         "KAMAL_VERSION" => "123",
         "KAMAL_SERVICE_VERSION" => "app@123",
         "KAMAL_SERVICE" => "app" } }
-    ], new_command(hooks_path: "custom/hooks/path").run("foo")
+    ], new_command.run("foo")
+  ensure
+    ENV.delete("KAMAL_HOOKS_PATH")
   end
 
   private

test/configuration/validation_test.rb

@@ -6,7 +6,7 @@ class ConfigurationValidationTest < ActiveSupport::TestCase
   end
 
   test "wrong root types" do
-    [ :service, :image, :asset_path, :hooks_path, :primary_role, :minimum_version, :run_directory ].each do |key|
+    [ :service, :image, :asset_path, :primary_role, :minimum_version, :run_directory ].each do |key|
       assert_error "#{key}: should be a string", **{ key => [] }
     end
 

test/configuration_test.rb

@@ -344,4 +344,12 @@ class ConfigurationTest < ActiveSupport::TestCase
 
     assert_raises(Kamal::ConfigurationError) { Kamal::Configuration.new(@deploy_with_roles.merge(retain_containers: 0)) }
   end
+
+  test "extensions" do
+    dest_config_file = Pathname.new(File.expand_path("fixtures/deploy_with_extensions.yml", __dir__))
+
+    config = Kamal::Configuration.create_from config_file: dest_config_file
+    assert_equal config.role(:web_tokyo).running_traefik?, true
+    assert_equal config.role(:web_chicago).running_traefik?, true
+  end
 end

test/fixtures/deploy_with_extensions.yml

@@ -0,0 +1,24 @@
+
+x-web: &web
+  traefik: true
+
+service: app
+image: dhh/app
+servers:
+  web_chicago:
+    <<: *web
+    hosts:
+      - 1.1.1.1
+      - 1.1.1.2
+  web_tokyo:
+    <<: *web
+    hosts:
+      - 1.1.1.3
+      - 1.1.1.4
+env:
+  REDIS_URL: redis://x/y
+registry:
+  server: registry.digitalocean.com
+  username: user
+  password: pw
+primary_role: web_tokyo

test/integration/accessory_test.rb

@@ -2,8 +2,6 @@ require_relative "integration_test"
 
 class AccessoryTest < IntegrationTest
   test "boot, stop, start, restart, logs, remove" do
-    kamal :envify
-
     kamal :accessory, :boot, :busybox
     assert_accessory_running :busybox
 

test/integration/app_test.rb

@@ -2,8 +2,6 @@ require_relative "integration_test"
 
 class AppTest < IntegrationTest
   test "stop, start, boot, logs, images, containers, exec, remove" do
-    kamal :envify
-
     kamal :deploy
 
     assert_app_is_up

test/integration/broken_deploy_test.rb

@@ -4,8 +4,6 @@ class BrokenDeployTest < IntegrationTest
   test "deploying a bad image" do
     @app = "app_with_roles"
 
-    kamal :envify
-
     first_version = latest_app_version
 
     kamal :deploy

test/integration/docker/deployer/app/.env.erb

@@ -1,2 +0,0 @@
-SECRET_TOKEN='1234 with "中文"'
-SECRET_TAG='TAGME'

test/integration/docker/deployer/app_with_roles/.env.erb

@@ -1 +0,0 @@
-SECRET_TOKEN='1234 with "中文"'

test/integration/lock_test.rb

@@ -2,8 +2,6 @@ require_relative "integration_test"
 
 class LockTest < IntegrationTest
   test "acquire, release, status" do
-    kamal :envify
-
     kamal :lock, :acquire, "-m 'Integration Tests'"
 
     status = kamal :lock, :status, capture: true

test/integration/main_test.rb

@@ -1,8 +1,8 @@
 require_relative "integration_test"
 
 class MainTest < IntegrationTest
-  test "envify, deploy, redeploy, rollback, details and audit" do
-    kamal :envify
+  test "env push, deploy, redeploy, rollback, details and audit" do
+    kamal :env, :push
     assert_env_files
     remove_local_env_file
 
@@ -12,19 +12,19 @@ class MainTest < IntegrationTest
 
     kamal :deploy
     assert_app_is_up version: first_version
-    assert_hooks_ran "pre-connect", "pre-build", "pre-deploy", "post-deploy"
+    assert_hooks_ran "pre-init", "pre-connect", "pre-build", "pre-deploy", "post-deploy"
     assert_envs version: first_version
 
     second_version = update_app_rev
 
     kamal :redeploy
     assert_app_is_up version: second_version
-    assert_hooks_ran "pre-connect", "pre-build", "pre-deploy", "post-deploy"
+    assert_hooks_ran "pre-init", "pre-connect", "pre-build", "pre-deploy", "post-deploy"
 
     assert_accumulated_assets first_version, second_version
 
     kamal :rollback, first_version
-    assert_hooks_ran "pre-connect", "pre-deploy", "post-deploy"
+    assert_hooks_ran "pre-init", "pre-connect", "pre-deploy", "post-deploy"
     assert_app_is_up version: first_version
 
     details = kamal :details, capture: true
@@ -45,7 +45,7 @@ class MainTest < IntegrationTest
   test "app with roles" do
     @app = "app_with_roles"
 
-    kamal :envify
+    kamal :env, :push
 
     version = latest_app_version
 
@@ -54,7 +54,7 @@ class MainTest < IntegrationTest
     kamal :deploy
 
     assert_app_is_up version: version
-    assert_hooks_ran "pre-connect", "pre-build", "pre-deploy", "post-deploy"
+    assert_hooks_ran "pre-init", "pre-connect", "pre-build", "pre-deploy", "post-deploy"
     assert_container_running host: :vm3, name: "app-workers-#{version}"
 
     second_version = update_app_rev
@@ -87,7 +87,7 @@ class MainTest < IntegrationTest
     kamal :remove, "-y"
     assert_no_images_or_containers
 
-    kamal :envify
+    kamal :env, :push
     kamal :setup
     assert_images_and_containers
 
@@ -97,7 +97,7 @@ class MainTest < IntegrationTest
 
   private
     def assert_local_env_file(contents)
-      assert_equal contents, deployer_exec("cat .env", capture: true)
+      assert_equal contents, deployer_exec("cat .kamal/.env", capture: true)
     end
 
     def assert_envs(version:)
@@ -127,7 +127,7 @@ class MainTest < IntegrationTest
     end
 
     def remove_local_env_file
-      deployer_exec("rm .env")
+      deployer_exec("rm .kamal/.env")
     end
 
     def assert_remote_env_file(contents, vm:)

test/integration/traefik_test.rb

@@ -2,8 +2,6 @@ require_relative "integration_test"
 
 class TraefikTest < IntegrationTest
   test "boot, reboot, stop, start, restart, logs, remove" do
-    kamal :envify
-
     kamal :traefik, :boot
     assert_traefik_running
 

test/test_helper.rb

@@ -26,6 +26,10 @@ end
 class ActiveSupport::TestCase
   include ActiveSupport::Testing::Stream
 
+  setup do
+    Kamal::Cli::Base.ran_pre_init_hook = false
+  end
+
   private
     def stdouted
       capture(:stdout) { yield }.strip