use GIT_TAG to override Version

docker: update & use build cache
dir2config: templates: 'default' fn
2024-01-07 11:10:45 +01:00 · 2024-01-07 10:56:42 +01:00 · 2024-01-06 18:20:03 +01:00 · 2023-12-17 17:29:17 +01:00 · 2023-12-17 14:40:48 +01:00 · 2023-11-27 15:46:58 +01:00
78 changed files with 20803 additions and 1637 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,2 @@
+tmp
+dist
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,8 @@
 *.sw[po]
 modd-local.conf
+/tmp
+/test-dir2config
+/config.yaml
+/dist
+/go.work
+/go.work.sum
--- a/38
+++ b/38
@ -1,23 +1,33 @@
 # ------------------------------------------------------------------------
-from mcluseau/golang-builder:1.17.3 as build
+from golang:1.21.5-bullseye as build
+
+run apt-get update && apt-get install -y git
+
+workdir /src
+
+copy go.mod go.sum ./
+run \
+  --mount=type=cache,id=gomod,target=/go/pkg/mod \
+  --mount=type=cache,id=gobuild,target=/root/.cache/go-build \
+  go mod download
+
+arg GIT_TAG
+
+copy . ./
+run \
+  --mount=type=cache,id=gomod,target=/go/pkg/mod \
+  --mount=type=cache,id=gobuild,target=/root/.cache/go-build \
+ go test ./... && \
+ hack/build ./...

 # ------------------------------------------------------------------------
-from debian:stretch
+from debian:bullseye
 entrypoint ["/bin/dkl-local-server"]

 env _uncache 1
 run apt-get update \
- && apt-get install -y genisoimage gdisk dosfstools util-linux udev \
+ && yes |apt-get install -y genisoimage gdisk dosfstools util-linux udev binutils systemd \
+ grub2 grub-pc-bin grub-efi-amd64-bin ca-certificates curl openssh-client \
 && apt-get clean

-run yes |apt-get install -y grub2 grub-pc-bin grub-efi-amd64-bin \
- && apt-get clean
-
-run apt-get install -y ca-certificates curl openssh-client \
- && apt-get clean
-
-run curl -L https://github.com/vmware/govmomi/releases/download/v0.21.0/govc_linux_amd64.gz | gunzip > /bin/govc && chmod +x /bin/govc
-
-copy upload-vmware.sh govc.env /var/lib/direktil/
-
-copy --from=build /go/bin/ /bin/
+copy --from=build /src/dist/ /bin/
--- a/cmd/dkl-dir2config/assemble.go
+++ b/cmd/dkl-dir2config/assemble.go
@ -0,0 +1,138 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"strings"
+
+	"gopkg.in/yaml.v2"
+)
+
+func mergeIn(tgt, add map[any]any) {
+mergeLoop:
+	for k, v := range add {
+		switch v := v.(type) {
+		case map[any]any:
+			if tgtV, ok := tgt[k]; ok {
+				switch tgtV := tgtV.(type) {
+				case map[any]any:
+					mergeIn(tgtV, v)
+					continue mergeLoop
+				}
+			}
+		}
+
+		tgt[k] = v
+	}
+}
+
+func assemble(path string) (yamlBytes []byte, err error) {
+	obj := map[any]any{}
+
+	if Debug {
+		log.Printf("assemble %q", path)
+	}
+
+	err = eachFragment(path, searchList, func(r io.Reader) (err error) {
+		m := map[any]any{}
+		err = yaml.NewDecoder(r).Decode(&m)
+		if err != nil {
+			return
+		}
+
+		mergeIn(obj, m)
+		return
+	})
+	if err != nil {
+		err = fmt.Errorf("failed to assemble %q: %w", path, err)
+		return
+	}
+
+	yamlBytes, err = yaml.Marshal(obj)
+	if err != nil {
+		return
+	}
+
+	if Debug {
+		log.Printf("assemble %q result:\n%s", path, yamlBytes)
+	}
+
+	return
+}
+
+func eachFragment(path string, searchList []FS, walk func(io.Reader) error) (err error) {
+	var r io.ReadCloser
+
+	for len(searchList) != 0 {
+		fs := searchList[0]
+
+		r, err = fs.Open(path + ".yaml")
+		if os.IsNotExist(err) {
+			searchList = searchList[1:]
+			continue
+		}
+
+		if err != nil {
+			return
+		}
+
+		// found and open
+		break
+	}
+
+	if r == nil {
+		err = fmt.Errorf("%s: %w", path, os.ErrNotExist)
+		return
+	}
+
+	ba, err := io.ReadAll(r)
+	r.Close()
+
+	if err != nil {
+		return
+	}
+
+	if Debug {
+		log.Print("fragment:\n", string(ba))
+	}
+
+	in := bytes.NewBuffer(ba)
+
+	for {
+		var line string
+		line, err = in.ReadString('\n')
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return
+		}
+
+		line = strings.TrimSpace(line)
+		if len(line) == 0 {
+			continue
+		}
+
+		includePath, found := strings.CutPrefix(line, "#!include ")
+		if !found {
+			continue // or break?
+		}
+
+		includePath = strings.TrimSpace(includePath)
+		if Debug {
+			log.Print("#!include ", includePath)
+		}
+		err = eachFragment(includePath, searchList, walk)
+		if err != nil {
+			err = fmt.Errorf("include %q: %w", includePath, err)
+			return
+		}
+	}
+
+	in = bytes.NewBuffer(ba)
+	err = walk(in)
+	return
+}
--- a/cmd/dkl-dir2config/fs.go
+++ b/cmd/dkl-dir2config/fs.go
@ -0,0 +1,34 @@
+package main
+
+import (
+	"io"
+	iofs "io/fs"
+)
+
+type FS interface {
+	Open(path string) (io.ReadCloser, error)
+	List(path string) ([]string, error)
+}
+
+type fsFS struct{ iofs.FS }
+
+func (fs fsFS) Open(path string) (io.ReadCloser, error) {
+	return fs.FS.Open(path)
+}
+
+func (fs fsFS) List(path string) (entries []string, err error) {
+	dirEnts, err := iofs.ReadDir(fs.FS, path)
+	if err != nil {
+		return
+	}
+
+	entries = make([]string, 0, len(dirEnts))
+	for _, ent := range dirEnts {
+		if ent.IsDir() {
+			continue
+		}
+		entries = append(entries, ent.Name())
+	}
+
+	return
+}
--- a/cmd/dkl-dir2config/git.go
+++ b/cmd/dkl-dir2config/git.go
@ -0,0 +1,38 @@
+package main
+
+import (
+	"io"
+	"sort"
+
+	"github.com/go-git/go-git/v5/plumbing/object"
+)
+
+type gitFS struct{ *object.Tree }
+
+func (fs gitFS) Open(path string) (r io.ReadCloser, err error) {
+	f, err := fs.Tree.File(path)
+	if err != nil {
+		return
+	}
+	return f.Reader()
+}
+
+func (fs gitFS) List(path string) (entries []string, err error) {
+	tree, err := fs.Tree.Tree(path)
+	if err != nil {
+		return
+	}
+
+	entries = make([]string, 0, len(tree.Entries))
+
+	for _, ent := range tree.Entries {
+		if !ent.Mode.IsFile() {
+			continue
+		}
+
+		entries = append(entries, ent.Name)
+	}
+
+	sort.Strings(entries)
+	return
+}
--- a/cmd/dkl-dir2config/main.go
+++ b/cmd/dkl-dir2config/main.go
@ -2,27 +2,41 @@ package main

 import (
 	"flag"
+	"io/fs"
 	"log"
 	"os"
+	"path/filepath"

+	"github.com/go-git/go-git/v5"
+	"github.com/go-git/go-git/v5/plumbing"
 	yaml "gopkg.in/yaml.v2"
-	"novit.nc/direktil/pkg/localconfig"

-	"novit.nc/direktil/local-server/pkg/clustersconfig"
+	"novit.tech/direktil/pkg/localconfig"
+
+	"novit.tech/direktil/local-server/pkg/clustersconfig"
 )

+var Version = "dev"
+
 var (
+	Debug = false
+
 	dir     = flag.String("in", ".", "Source directory")
 	outPath = flag.String("out", "config.yaml", "Output file")
-	defaultsPath = flag.String("defaults", "defaults", "Path to the defaults")
+
+	base fs.FS

 	src *clustersconfig.Config
 	dst *localconfig.Config
 )

+func init() {
+	flag.BoolVar(&Debug, "debug", Debug, "debug")
+}
+
 func loadSrc() {
 	var err error
-	src, err = clustersconfig.FromDir(*dir, *defaultsPath)
+	src, err = clustersconfig.FromDir(read, assemble, listBase, listMerged)
 	if err != nil {
 		log.Fatal("failed to load config from dir: ", err)
 	}
@ -33,6 +47,16 @@ func main() {

 	log.SetFlags(log.Ltime | log.Lmicroseconds | log.Lshortfile)

+	base = os.DirFS(*dir)
+	searchList = append(searchList, fsFS{base})
+
+	openIncludes()
+
+	if false {
+		assemble("hosts/m1")
+		log.Fatal("--- debug: end ---")
+	}
+
 	loadSrc()

 	dst = &localconfig.Config{
@ -44,14 +68,11 @@ func main() {
 		dst.Clusters = append(dst.Clusters, &localconfig.Cluster{
 			Name:   cluster.Name,
 			Addons: renderAddons(cluster),
-			BootstrapPods: renderBootstrapPodsDS(cluster),
 		})
 	}

 	// ----------------------------------------------------------------------
 	for _, host := range src.Hosts {
-		loadSrc() // FIXME ugly fix of some template caching or something
-
 		log.Print("rendering host ", host.Name)
 		ctx, err := newRenderContext(host, src)

@ -70,9 +91,9 @@ func main() {
 		}
 		ips = append(ips, host.IPs...)

-		if ctx.Group.Versions["modules"] == "" {
+		if ctx.Host.Versions["modules"] == "" {
 			// default modules' version to kernel's version
-			ctx.Group.Versions["modules"] = ctx.Group.Kernel
+			ctx.Host.Versions["modules"] = ctx.Host.Kernel
 		}

 		dst.Hosts = append(dst.Hosts, &localconfig.Host{
@ -86,12 +107,13 @@ func main() {
 			MACs: macs,
 			IPs:  ips,

-			IPXE: ctx.Group.IPXE, // TODO render
+			IPXE: ctx.Host.IPXE, // TODO render

-			Kernel:   ctx.Group.Kernel,
-			Initrd:   ctx.Group.Initrd,
-			Versions: ctx.Group.Versions,
+			Kernel:   ctx.Host.Kernel,
+			Initrd:   ctx.Host.Initrd,
+			Versions: ctx.Host.Versions,

+			BootstrapConfig: ctx.BootstrapConfig(),
 			Config:          ctx.Config(),
 		})
 	}
@ -104,8 +126,83 @@ func main() {

 	defer out.Close()

+	out.Write([]byte("# dkl-dir2config " + Version + "\n"))
+
 	if err = yaml.NewEncoder(out).Encode(dst); err != nil {
 		log.Fatal("failed to render output: ", err)
 	}

 }
+
+func cfgPath(subPath string) string { return filepath.Join(*dir, subPath) }
+
+func openIncludes() {
+	includesFile, err := base.Open("includes.yaml")
+
+	if os.IsNotExist(err) {
+		return
+	}
+	if err != nil {
+		log.Fatal("failed to open includes: ", err)
+	}
+
+	includes := make([]struct {
+		Path   string
+		Branch string
+		Tag    string
+	}, 0)
+
+	err = yaml.NewDecoder(includesFile).Decode(&includes)
+	if err != nil {
+		log.Fatal("failed to parse includes: ", err)
+	}
+
+	for _, include := range includes {
+		switch {
+		case include.Branch != "" || include.Tag != "":
+			p := cfgPath(include.Path) // FIXME parse git path to allow remote repos
+
+			var rev plumbing.Revision
+
+			switch {
+			case include.Branch != "":
+				log.Printf("opening include path %q as git, branch %q", p, include.Branch)
+				rev = plumbing.Revision(plumbing.NewBranchReferenceName(include.Branch))
+
+			case include.Tag != "":
+				log.Printf("opening include path %q as git, tag %q", p, include.Branch)
+				rev = plumbing.Revision(plumbing.NewTagReferenceName(include.Branch))
+			}
+
+			repo, err := git.PlainOpen(p)
+			if err != nil {
+				log.Fatal("failed to open: ", err)
+			}
+
+			revH, err := repo.ResolveRevision(rev)
+			if err != nil {
+				log.Fatalf("failed to resolve revision %s: %v", rev, err)
+			}
+
+			log.Print("  -> resolved to commit ", *revH)
+
+			commit, err := repo.CommitObject(*revH)
+			if err != nil {
+				log.Fatal("failed to get commit object: ", err)
+			}
+
+			tree, err := commit.Tree()
+			if err != nil {
+				log.Fatal("failed to open git tree: ", err)
+			}
+
+			searchList = append(searchList, gitFS{tree})
+
+		default:
+			p := cfgPath(include.Path)
+			log.Printf("opening include path %q as raw dir", p)
+
+			searchList = append(searchList, fsFS{os.DirFS(p)})
+		}
+	}
+}
--- a/cmd/dkl-dir2config/render-cluster.go
+++ b/cmd/dkl-dir2config/render-cluster.go
@ -3,21 +3,18 @@ package main
 import (
 	"bytes"
 	"fmt"
-	"io"
 	"log"
 	"path"

-	yaml "gopkg.in/yaml.v2"
-
-	"novit.nc/direktil/local-server/pkg/clustersconfig"
+	"novit.tech/direktil/local-server/pkg/clustersconfig"
 )

 func clusterFuncs(clusterSpec *clustersconfig.Cluster) map[string]interface{} {
 	cluster := clusterSpec.Name

 	return map[string]interface{}{
-		"password": func(name string) (s string) {
-			return fmt.Sprintf("{{ password %q %q }}", cluster, name)
+		"password": func(name, hash string) (s string) {
+			return fmt.Sprintf("{{ password %q %q %q | quote }}", cluster, name, hash)
 		},

 		"token": func(name string) (s string) {
@ -55,7 +52,7 @@ func clusterFuncs(clusterSpec *clustersconfig.Cluster) map[string]interface{} {

 		"hosts_by_group": func(group string) (hosts []interface{}) {
 			for _, host := range src.Hosts {
-				if host.Group == group {
+				if host.Cluster == cluster && host.Group == group {
 					hosts = append(hosts, asMap(host))
 				}
 			}
@ -104,12 +101,18 @@ func renderAddons(cluster *clustersconfig.Cluster) string {
 		return ""
 	}

-	addons := src.Addons[cluster.Addons]
+	buf := new(bytes.Buffer)
+
+	for _, addonSet := range cluster.Addons {
+		addons := src.Addons[addonSet]
 		if addons == nil {
-		log.Fatalf("cluster %q: no addons with name %q", cluster.Name, cluster.Addons)
+			log.Fatalf("cluster %q: no addons with name %q", cluster.Name, addonSet)
 		}

-	return string(renderClusterTemplates(cluster, "addons", addons))
+		buf.Write(renderClusterTemplates(cluster, "addons", addons))
+	}
+
+	return buf.String()
 }

 type namePod struct {
@ -117,106 +120,3 @@ type namePod struct {
 	Name      string
 	Pod       map[string]interface{}
 }
-
-func renderBootstrapPods(cluster *clustersconfig.Cluster) (pods []namePod) {
-	if cluster.BootstrapPods == "" {
-		return nil
-	}
-
-	bootstrapPods := src.BootstrapPods[cluster.BootstrapPods]
-	if bootstrapPods == nil {
-		log.Fatalf("no bootstrap pods template named %q", cluster.BootstrapPods)
-	}
-
-	// render bootstrap pods
-	parts := bytes.Split(renderClusterTemplates(cluster, "bootstrap-pods", bootstrapPods), []byte("\n---\n"))
-	for _, part := range parts {
-		buf := bytes.NewBuffer(part)
-		dec := yaml.NewDecoder(buf)
-
-		for n := 0; ; n++ {
-			str := buf.String()
-
-			podMap := map[string]interface{}{}
-			err := dec.Decode(podMap)
-
-			if err == io.EOF {
-				break
-			} else if err != nil {
-				log.Fatalf("bootstrap pod %d: failed to parse: %v\n%s", n, err, str)
-			}
-
-			if len(podMap) == 0 {
-				continue
-			}
-
-			if podMap["metadata"] == nil {
-				log.Fatalf("bootstrap pod %d: no metadata\n%s", n, buf.String())
-			}
-
-			md := podMap["metadata"].(map[interface{}]interface{})
-
-			namespace := md["namespace"].(string)
-			name := md["name"].(string)
-
-			pods = append(pods, namePod{namespace, name, podMap})
-		}
-	}
-
-	return
-}
-
-func renderBootstrapPodsDS(cluster *clustersconfig.Cluster) string {
-	buf := &bytes.Buffer{}
-	enc := yaml.NewEncoder(buf)
-	for _, namePod := range renderBootstrapPods(cluster) {
-		pod := namePod.Pod
-
-		md := pod["metadata"].(map[interface{}]interface{})
-		labels := md["labels"]
-
-		if labels == nil {
-			labels = map[string]interface{}{
-				"app": namePod.Name,
-			}
-			md["labels"] = labels
-		}
-
-		ann := md["annotations"]
-		annotations := map[interface{}]interface{}{}
-		if ann != nil {
-			annotations = ann.(map[interface{}]interface{})
-		}
-		annotations["node.kubernetes.io/bootstrap-checkpoint"] = "true"
-
-		md["annotations"] = annotations
-
-		delete(md, "name")
-		delete(md, "namespace")
-
-		err := enc.Encode(map[string]interface{}{
-			"apiVersion": "apps/v1",
-			"kind":       "DaemonSet",
-			"metadata": map[string]interface{}{
-				"namespace": namePod.Namespace,
-				"name":      namePod.Name,
-				"labels":    labels,
-			},
-			"spec": map[string]interface{}{
-				"minReadySeconds": 60,
-				"selector": map[string]interface{}{
-					"matchLabels": labels,
-				},
-				"template": map[string]interface{}{
-					"metadata": pod["metadata"],
-					"spec":     pod["spec"],
-				},
-			},
-		})
-
-		if err != nil {
-			panic(err)
-		}
-	}
-	return buf.String()
-}
--- a/cmd/dkl-dir2config/render-context.go
+++ b/cmd/dkl-dir2config/render-context.go
@ -5,14 +5,17 @@ import (
 	"crypto/sha1"
 	"encoding/hex"
 	"fmt"
+	"io"
 	"log"
 	"path"
 	"reflect"
+	"strings"

 	yaml "gopkg.in/yaml.v2"

-	"novit.nc/direktil/local-server/pkg/clustersconfig"
-	"novit.nc/direktil/pkg/config"
+	"novit.tech/direktil/pkg/config"
+
+	"novit.tech/direktil/local-server/pkg/clustersconfig"
 )

 type renderContext struct {
@ -20,9 +23,10 @@ type renderContext struct {
 	Annotations map[string]string

 	Host    *clustersconfig.Host
-	Group              *clustersconfig.Group
 	Cluster *clustersconfig.Cluster
-	Vars               map[string]interface{}
+	Vars    map[string]any
+
+	BootstrapConfigTemplate *clustersconfig.Template
 	ConfigTemplate          *clustersconfig.Template
 	StaticPodsTemplate      *clustersconfig.Template

@ -36,32 +40,25 @@ func newRenderContext(host *clustersconfig.Host, cfg *clustersconfig.Config) (ct
 		return
 	}

-	group := cfg.Group(host.Group)
-	if group == nil {
-		err = fmt.Errorf("no group named %q", host.Group)
-		return
-	}
+	vars := make(map[string]any)

-	vars := make(map[string]interface{})
-
-	for _, oVars := range []map[string]interface{}{
+	for _, oVars := range []map[string]any{
 		cluster.Vars,
-		group.Vars,
 		host.Vars,
 	} {
 		mapMerge(vars, oVars)
 	}

 	return &renderContext{
-		Labels:      mergeLabels(cluster.Labels, group.Labels, host.Labels),
-		Annotations: mergeLabels(cluster.Annotations, group.Annotations, host.Annotations),
+		Labels:      mergeLabels(cluster.Labels, host.Labels),
+		Annotations: mergeLabels(cluster.Annotations, host.Annotations),

 		Host:    host,
-		Group:              group,
 		Cluster: cluster,
 		Vars:    vars,
-		ConfigTemplate:     cfg.ConfigTemplate(group.Config),
-		StaticPodsTemplate: cfg.StaticPodsTemplate(group.StaticPods),
+
+		BootstrapConfigTemplate: cfg.ConfigTemplate(host.BootstrapConfig),
+		ConfigTemplate:          cfg.ConfigTemplate(host.Config),

 		clusterConfig: cfg,
 	}, nil
@ -125,8 +122,6 @@ func (ctx *renderContext) Name() string {
 	switch {
 	case ctx.Host != nil:
 		return "host:" + ctx.Host.Name
-	case ctx.Group != nil:
-		return "group:" + ctx.Group.Name
 	case ctx.Cluster != nil:
 		return "cluster:" + ctx.Cluster.Name
 	default:
@ -134,47 +129,35 @@ func (ctx *renderContext) Name() string {
 	}
 }

-func (ctx *renderContext) Config() string {
-	if ctx.ConfigTemplate == nil {
-		log.Fatalf("no such config: %q", ctx.Group.Config)
+func (ctx *renderContext) BootstrapConfig() string {
+	if ctx.BootstrapConfigTemplate == nil {
+		log.Fatalf("no such (bootstrap) config: %q", ctx.Host.BootstrapConfig)
+	}
+	return ctx.renderConfig(ctx.BootstrapConfigTemplate)
 }

+func (ctx *renderContext) Config() string {
+	if ctx.ConfigTemplate == nil {
+		log.Fatalf("no such config: %q", ctx.Host.Config)
+	}
+	return ctx.renderConfig(ctx.ConfigTemplate)
+}
+
+func (ctx *renderContext) renderConfig(configTemplate *clustersconfig.Template) string {
+	buf := new(strings.Builder)
+	ctx.renderConfigTo(buf, configTemplate)
+	return buf.String()
+}
+
+func (ctx *renderContext) renderConfigTo(buf io.Writer, configTemplate *clustersconfig.Template) {
 	ctxName := ctx.Name()

 	ctxMap := ctx.asMap()

-	templateFuncs := ctx.templateFuncs(ctxMap)
-
-	render := func(what string, t *clustersconfig.Template) (s string, err error) {
-		buf := &bytes.Buffer{}
-		err = t.Execute(ctxName, what, buf, ctxMap, templateFuncs)
-		if err != nil {
-			log.Printf("host %s: failed to render %s [%q]: %v", ctx.Host.Name, what, t.Name, err)
-			return
-		}
-
-		s = buf.String()
-		return
-	}
-
 	extraFuncs := ctx.templateFuncs(ctxMap)

-	extraFuncs["static_pods"] = func() (string, error) {
-		name := ctx.Group.StaticPods
-		if len(name) == 0 {
-			return "", fmt.Errorf("group %q has no static pods defined", ctx.Group.Name)
-		}
-
-		t := ctx.clusterConfig.StaticPodsTemplate(name)
-		if t == nil {
-			return "", fmt.Errorf("no static pods template named %q", name)
-		}
-
-		return render("static-pods", t)
-	}
-
-	extraFuncs["bootstrap_pods_files"] = func(dir string) (string, error) {
-		namePods := renderBootstrapPods(ctx.Cluster)
+	extraFuncs["static_pods_files"] = func(dir string) (string, error) {
+		namePods := ctx.renderStaticPods()

 		defs := make([]config.FileDef, 0)

@ -183,7 +166,7 @@ func (ctx *renderContext) Config() string {

 			ba, err := yaml.Marshal(namePod.Pod)
 			if err != nil {
-				return "", fmt.Errorf("bootstrap pod %s: failed to render: %v", name, err)
+				return "", fmt.Errorf("static pod %s: failed to render: %v", name, err)
 			}

 			defs = append(defs, config.FileDef{
@ -202,28 +185,11 @@ func (ctx *renderContext) Config() string {
 		return hex.EncodeToString(ba[:])
 	}

-	buf := bytes.NewBuffer(make([]byte, 0, 4096))
-	if err := ctx.ConfigTemplate.Execute(ctxName, "config", buf, ctxMap, extraFuncs); err != nil {
-		log.Fatalf("failed to render config %q for host %q: %v", ctx.Group.Config, ctx.Host.Name, err)
+	extraFuncs["version"] = func() string { return Version }
+
+	if err := configTemplate.Execute(ctxName, "config", buf, ctxMap, extraFuncs); err != nil {
+		log.Fatalf("failed to render config %q for host %q: %v", ctx.Host.Config, ctx.Host.Name, err)
 	}
-
-	return buf.String()
-}
-
-func (ctx *renderContext) StaticPods() (ba []byte, err error) {
-	if ctx.StaticPodsTemplate == nil {
-		log.Fatalf("no such static-pods: %q", ctx.Group.StaticPods)
-	}
-
-	ctxMap := ctx.asMap()
-
-	buf := bytes.NewBuffer(make([]byte, 0, 4096))
-	if err = ctx.StaticPodsTemplate.Execute(ctx.Name(), "static-pods", buf, ctxMap, ctx.templateFuncs(ctxMap)); err != nil {
-		return
-	}
-
-	ba = buf.Bytes()
-	return
 }

 func (ctx *renderContext) templateFuncs(ctxMap map[string]interface{}) map[string]interface{} {
@ -268,6 +234,24 @@ func (ctx *renderContext) templateFuncs(ctxMap map[string]interface{}) map[strin

 	funcs := clusterFuncs(ctx.Cluster)
 	for k, v := range map[string]interface{}{
+		"default": func(value, defaultValue any) any {
+			switch v := value.(type) {
+			case string:
+				if v != "" {
+					return v
+				}
+			case int, int8, int16, int32, int64, uint, uint8, uint16, uint32, float32, float64:
+				if v != 0 {
+					return v
+				}
+
+			default:
+				if v != nil {
+					return v
+				}
+			}
+			return defaultValue
+		},
 		"tls_key": func(name string) (string, error) {
 			return getKeyCert(name, "tls_key")
 		},
@ -281,8 +265,11 @@ func (ctx *renderContext) templateFuncs(ctxMap map[string]interface{}) map[strin
 		},

 		"ssh_host_keys": func(dir string) (s string) {
-			return fmt.Sprintf("{{ ssh_host_keys %q %q %q}}",
-				dir, cluster, ctx.Host.Name)
+			return fmt.Sprintf("{{ ssh_host_keys %q %q \"\"}}",
+				dir, cluster)
+		},
+		"host_download_token": func() (s string) {
+			return "{{ host_download_token }}"
 		},

 		"hosts_of_group": func() (hosts []interface{}) {
--- a/cmd/dkl-dir2config/render-host.go
+++ b/cmd/dkl-dir2config/render-host.go
@ -0,0 +1,77 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"log"
+
+	yaml "gopkg.in/yaml.v2"
+	"novit.tech/direktil/local-server/pkg/clustersconfig"
+)
+
+func (ctx *renderContext) renderStaticPods() (pods []namePod) {
+	if ctx.Host.StaticPods == "" {
+		return
+	}
+
+	staticPods, ok := src.StaticPods[ctx.Host.StaticPods]
+	if !ok {
+		log.Fatalf("no static pods template named %q", ctx.Host.StaticPods)
+	}
+
+	// render static pods
+	parts := bytes.Split(ctx.renderHostTemplates("static-pods", staticPods), []byte("\n---\n"))
+	for _, part := range parts {
+		buf := bytes.NewBuffer(part)
+		dec := yaml.NewDecoder(buf)
+
+		for n := 0; ; n++ {
+			str := buf.String()
+
+			podMap := map[string]interface{}{}
+			err := dec.Decode(podMap)
+
+			if err == io.EOF {
+				break
+			} else if err != nil {
+				log.Fatalf("static pod %d: failed to parse: %v\n%s", n, err, str)
+			}
+
+			if len(podMap) == 0 {
+				continue
+			}
+
+			if podMap["metadata"] == nil {
+				log.Fatalf("static pod %d: no metadata\n%s", n, buf.String())
+			}
+
+			md := podMap["metadata"].(map[interface{}]interface{})
+
+			namespace := md["namespace"].(string)
+			name := md["name"].(string)
+
+			pods = append(pods, namePod{namespace, name, podMap})
+		}
+	}
+
+	return
+}
+
+func (ctx *renderContext) renderHostTemplates(setName string,
+	templates []*clustersconfig.Template) []byte {
+
+	log.Print("rendering host templates in ", setName)
+
+	buf := &bytes.Buffer{}
+
+	for _, t := range templates {
+		log.Print("- template: ", setName, ": ", t.Name)
+		fmt.Fprintf(buf, "---\n# %s: %s\n", setName, t.Name)
+
+		ctx.renderConfigTo(buf, t)
+		fmt.Fprintln(buf)
+	}
+
+	return buf.Bytes()
+}
--- a/cmd/dkl-dir2config/search-list.go
+++ b/cmd/dkl-dir2config/search-list.go
@ -0,0 +1,60 @@
+package main
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"sort"
+)
+
+var searchList = make([]FS, 0)
+
+// read the first file matching path in the search list
+func read(path string) (ba []byte, err error) {
+	for _, fs := range searchList {
+		var r io.ReadCloser
+		r, err = fs.Open(path)
+		if os.IsNotExist(err) {
+			continue
+		}
+		if err != nil {
+			return
+		}
+
+		defer r.Close()
+		return ioutil.ReadAll(r)
+	}
+
+	err = fmt.Errorf("%s: %w", path, os.ErrNotExist)
+	return
+}
+
+func listBase(path string) ([]string, error) {
+	return fsFS{base}.List(path)
+}
+
+func listMerged(path string) (entries []string, err error) {
+	seen := map[string]bool{}
+	for _, fs := range searchList {
+		var fsEnts []string
+		fsEnts, err = fs.List(path)
+		if os.IsNotExist(err) {
+			err = nil
+			continue
+		}
+		if err != nil {
+			return
+		}
+
+		for _, ent := range fsEnts {
+			if !seen[ent] {
+				entries = append(entries, ent)
+				seen[ent] = true
+			}
+		}
+	}
+
+	sort.Strings(entries)
+	return
+}
--- a/cmd/dkl-local-server/auth.go
+++ b/cmd/dkl-local-server/auth.go
@ -1,22 +1,14 @@
 package main

 import (
-	"flag"
 	"log"
 	"net/http"
 )

-var (
-	hostsToken = flag.String("hosts-token", "", "Token to give to access /hosts (open is none)")
-	adminToken = flag.String("admin-token", "", "Token to give to access to admin actions (open is none)")
-)
-
-func authorizeHosts(r *http.Request) bool {
-	return authorizeToken(r, *hostsToken)
-}
+var adminToken string

 func authorizeAdmin(r *http.Request) bool {
-	return authorizeToken(r, *adminToken)
+	return authorizeToken(r, adminToken)
 }

 func authorizeToken(r *http.Request, token string) bool {
@ -26,11 +18,28 @@ func authorizeToken(r *http.Request, token string) bool {
 	}

 	reqToken := r.Header.Get("Authorization")
-
+	if reqToken != "" {
 		return reqToken == "Bearer "+token
 	}

+	return r.URL.Query().Get("token") == token
+}
+
 func forbidden(w http.ResponseWriter, r *http.Request) {
-	log.Printf("denied access to %s from %s", r.RequestURI, r.RemoteAddr)
+	log.Printf("denied access to %s from %s", r.URL.Path, r.RemoteAddr)
 	http.Error(w, "Forbidden", http.StatusForbidden)
 }
+
+func requireToken(token string, handler http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		if !authorizeToken(req, token) {
+			forbidden(w, req)
+			return
+		}
+		handler.ServeHTTP(w, req)
+	})
+}
+
+func requireAdmin(handler http.Handler) http.Handler {
+	return requireToken(adminToken, handler)
+}
--- a/cmd/dkl-local-server/boot-img.go
+++ b/cmd/dkl-local-server/boot-img.go
@ -3,6 +3,7 @@ package main
 import (
 	"archive/tar"
 	"compress/gzip"
+	"flag"
 	"fmt"
 	"io"
 	"io/ioutil"
@ -56,8 +57,10 @@ func buildBootImgGZ(out io.Writer, ctx *renderContext) (err error) {
 	return
 }

+var grubSupportVersion = flag.String("grub-support", "1.0.1", "GRUB support version")
+
 func setupBootImage(bootImg *os.File, ctx *renderContext) (err error) {
-	path, err := ctx.distFetch("grub-support", "1.0.0")
+	path, err := ctx.distFetch("grub-support", *grubSupportVersion)
 	if err != nil {
 		return
 	}
--- a/cmd/dkl-local-server/boot-iso.go
+++ b/cmd/dkl-local-server/boot-iso.go
@ -8,28 +8,25 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
+
+	"github.com/cespare/xxhash"
 )

-func buildBootISO(out io.Writer, ctx *renderContext) error {
-	tempDir, err := ioutil.TempDir("/tmp", "iso-")
+func buildBootISO(out io.Writer, ctx *renderContext) (err error) {
+	tempDir, err := ioutil.TempDir("/tmp", "iso-v2-")
 	if err != nil {
-		return err
+		return
 	}

 	defer os.RemoveAll(tempDir)

-	cp := func(src, dst string) error {
-		log.Printf("iso: adding %s as %s", src, dst)
-		in, err := os.Open(src)
-		if err != nil {
-			return err
-		}
-
-		defer in.Close()
+	buildRes := func(build func(out io.Writer, ctx *renderContext) error, dst string) (err error) {
+		log.Printf("iso-v2: building %s", dst)

 		outPath := filepath.Join(tempDir, dst)

-		if err := os.MkdirAll(filepath.Dir(outPath), 0755); err != nil {
+		if err = os.MkdirAll(filepath.Dir(outPath), 0755); err != nil {
 			return err
 		}

@ -37,32 +34,55 @@ func buildBootISO(out io.Writer, ctx *renderContext) error {
 		if err != nil {
 			return err
 		}
-
 		defer out.Close()

-		_, err = io.Copy(out, in)
+		err = build(out, ctx)
+		if err != nil {
+			return
+		}
+
 		return err
 	}

-	err = func() error {
+	err = func() (err error) {
 		// grub

-		if err := os.MkdirAll(filepath.Join(tempDir, "grub"), 0755); err != nil {
-			return err
+		if err = os.MkdirAll(filepath.Join(tempDir, "grub"), 0755); err != nil {
+			return
 		}
+
+		// create a tag file
+		bootstrapBytes, _, err := ctx.BootstrapConfig()
+		if err != nil {
+			return
+		}
+
+		h := xxhash.New()
+		fmt.Fprintln(h, ctx.Host.Kernel)
+		h.Write(bootstrapBytes)
+
+		tag := "dkl-" + strconv.FormatUint(h.Sum64(), 32) + ".tag"
+
+		f, err := os.Create(filepath.Join(tempDir, tag))
+		if err != nil {
+			return
+		}
+		f.Write([]byte("direktil marker file\n"))
+		f.Close()
+
 		err = ioutil.WriteFile(filepath.Join(tempDir, "grub", "grub.cfg"), []byte(`
-search --set=root --file /config.yaml
+search --set=root --file /`+tag+`

 insmod all_video
 set timeout=3

 menuentry "Direktil" {
-    linux  /vmlinuz direktil.boot=DEVNAME=sr0 direktil.boot.fs=iso9660 `+ctx.CmdLine+`
+    linux  /vmlinuz `+ctx.CmdLine+`
    initrd /initrd
 }
 `), 0644)
 		if err != nil {
-			return err
+			return
 		}

 		coreImgPath := filepath.Join(tempDir, "grub", "core.img")
@ -117,50 +137,9 @@ menuentry "Direktil" {
 		return err
 	}

-	// config
-	cfgBytes, cfg, err := ctx.Config()
-	if err != nil {
-		return err
-	}
-
-	ioutil.WriteFile(filepath.Join(tempDir, "config.yaml"), cfgBytes, 0600)
-
 	// kernel and initrd
-	type distCopy struct {
-		Src []string
-		Dst string
-	}
-
-	copies := []distCopy{
-		{Src: []string{"kernels", ctx.Host.Kernel}, Dst: "vmlinuz"},
-		{Src: []string{"initrd", ctx.Host.Initrd}, Dst: "initrd"},
-	}
-
-	// layers
-	for _, layer := range cfg.Layers {
-		layerVersion := ctx.Host.Versions[layer]
-		if layerVersion == "" {
-			return fmt.Errorf("layer %q not mapped to a version", layer)
-		}
-
-		copies = append(copies,
-			distCopy{
-				Src: []string{"layers", layer, layerVersion},
-				Dst: filepath.Join("current", "layers", layer+".fs"),
-			})
-	}
-
-	for _, copy := range copies {
-		outPath, err := ctx.distFetch(copy.Src...)
-		if err != nil {
-			return err
-		}
-
-		err = cp(outPath, copy.Dst)
-		if err != nil {
-			return err
-		}
-	}
+	buildRes(fetchKernel, "vmlinuz")
+	buildRes(buildInitrd, "initrd")

 	// build the ISO
 	mkisofs, err := exec.LookPath("genisoimage")
--- a/cmd/dkl-local-server/boot-tar.go
+++ b/cmd/dkl-local-server/boot-tar.go
@ -2,11 +2,13 @@ package main

 import (
 	"archive/tar"
-	"fmt"
+	"bytes"
 	"io"
+	"io/ioutil"
 	"log"
 	"os"
-	"path/filepath"
+
+	"novit.tech/direktil/local-server/pkg/utf16"
 )

 func rmTempFile(f *os.File) {
@ -21,7 +23,7 @@ func buildBootTar(out io.Writer, ctx *renderContext) (err error) {
 	defer arch.Close()

 	archAdd := func(path string, ba []byte) (err error) {
-		err = arch.WriteHeader(&tar.Header{Name: path, Size: int64(len(ba))})
+		err = arch.WriteHeader(&tar.Header{Name: path, Mode: 0640, Size: int64(len(ba))})
 		if err != nil {
 			return
 		}
@ -29,70 +31,95 @@ func buildBootTar(out io.Writer, ctx *renderContext) (err error) {
 		return
 	}

-	// config
-	cfgBytes, cfg, err := ctx.Config()
+	// kernel
+	kernelPath, err := ctx.distFetch("kernels", ctx.Host.Kernel)
 	if err != nil {
-		return err
+		return
 	}

-	archAdd("config.yaml", cfgBytes)
-
-	// add "current" elements
-	type distCopy struct {
-		Src []string
-		Dst string
-	}
-
-	// kernel and initrd
-	copies := []distCopy{
-		{Src: []string{"kernels", ctx.Host.Kernel}, Dst: "current/vmlinuz"},
-		{Src: []string{"initrd", ctx.Host.Initrd}, Dst: "current/initrd"},
-	}
-
-	// layers
-	for _, layer := range cfg.Layers {
-		layerVersion := ctx.Host.Versions[layer]
-		if layerVersion == "" {
-			return fmt.Errorf("layer %q not mapped to a version", layer)
-		}
-
-		copies = append(copies,
-			distCopy{
-				Src: []string{"layers", layer, layerVersion},
-				Dst: filepath.Join("current", "layers", layer+".fs"),
-			})
-	}
-
-	for _, copy := range copies {
-		outPath, err := ctx.distFetch(copy.Src...)
+	kernelBytes, err := ioutil.ReadFile(kernelPath)
 	if err != nil {
-			return err
+		return
 	}

-		f, err := os.Open(outPath)
+	err = archAdd("current/vmlinuz", kernelBytes)
 	if err != nil {
-			return err
+		return
 	}

-		defer f.Close()
-
-		stat, err := f.Stat()
+	// initrd
+	initrd := new(bytes.Buffer)
+	err = buildInitrd(initrd, ctx)
 	if err != nil {
-			return err
+		return
 	}

-		if err = arch.WriteHeader(&tar.Header{
-			Name: copy.Dst,
-			Size: stat.Size(),
-		}); err != nil {
-			return err
-		}
-
-		_, err = io.Copy(arch, f)
+	err = archAdd("current/initrd", initrd.Bytes())
 	if err != nil {
-			return err
-		}
+		return
 	}

+	// done
+	return nil
+}
+
+func buildBootEFITar(out io.Writer, ctx *renderContext) (err error) {
+	arch := tar.NewWriter(out)
+	defer arch.Close()
+
+	archAdd := func(path string, ba []byte) (err error) {
+		err = arch.WriteHeader(&tar.Header{Name: path, Mode: 0640, Size: int64(len(ba))})
+		if err != nil {
+			return
+		}
+		_, err = arch.Write(ba)
+		return
+	}
+
+	const (
+		prefix    = "EFI/dkl/"
+		efiPrefix = "\\EFI\\dkl\\"
+	)
+
+	// boot.csv
+	// -> annoyingly it's UTF-16...
+	bootCsvBytes := utf16.FromUTF8([]byte("" +
+		"current_kernel.efi,dkl current,initrd=" + efiPrefix + "current_initrd.img,Direktil current\n" +
+		"previous_kernel.efi,dkl previous,initrd=" + efiPrefix + "previous_initrd.img,Direktil previous\n"))
+
+	err = archAdd(prefix+"BOOT.CSV", []byte(bootCsvBytes))
+	if err != nil {
+		return
+	}
+
+	// kernel
+	kernelPath, err := ctx.distFetch("kernels", ctx.Host.Kernel)
+	if err != nil {
+		return
+	}
+
+	kernelBytes, err := ioutil.ReadFile(kernelPath)
+	if err != nil {
+		return
+	}
+
+	err = archAdd(prefix+"current_kernel.efi", kernelBytes)
+	if err != nil {
+		return
+	}
+
+	// initrd
+	initrd := new(bytes.Buffer)
+	err = buildInitrd(initrd, ctx)
+	if err != nil {
+		return
+	}
+
+	err = archAdd(prefix+"current_initrd.img", initrd.Bytes())
+	if err != nil {
+		return
+	}
+
+	// done
 	return nil
 }
--- a/cmd/dkl-local-server/bootv2.go
+++ b/cmd/dkl-local-server/bootv2.go
@ -0,0 +1,142 @@
+package main
+
+import (
+	"archive/tar"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"os"
+
+	yaml "gopkg.in/yaml.v2"
+
+	"novit.tech/direktil/pkg/cpiocat"
+)
+
+func renderBootstrapConfig(w http.ResponseWriter, r *http.Request, ctx *renderContext, asJson bool) (err error) {
+	log.Printf("sending bootstrap config for %q", ctx.Host.Name)
+
+	_, cfg, err := ctx.BootstrapConfig()
+	if err != nil {
+		return err
+	}
+
+	if asJson {
+		err = json.NewEncoder(w).Encode(cfg)
+	} else {
+		err = yaml.NewEncoder(w).Encode(cfg)
+	}
+
+	return nil
+}
+
+func buildInitrd(out io.Writer, ctx *renderContext) (err error) {
+	_, cfg, err := ctx.Config()
+	if err != nil {
+		return
+	}
+
+	cat := cpiocat.New(out)
+
+	// initrd
+	initrdPath, err := ctx.distFetch("initrd", ctx.Host.Initrd)
+	if err != nil {
+		return
+	}
+	cat.AppendArchFile(initrdPath)
+
+	// embedded layers (modules)
+	for _, layer := range cfg.Layers {
+		switch layer {
+		case "modules":
+
+			layerVersion := ctx.Host.Versions[layer]
+			modulesPath, err := ctx.distFetch("layers", layer, layerVersion)
+			if err != nil {
+				return err
+			}
+
+			cat.AppendFile(modulesPath, "modules.sqfs")
+		}
+	}
+
+	// config
+	cfgBytes, _, err := ctx.BootstrapConfig()
+	if err != nil {
+		return
+	}
+	cat.AppendBytes(cfgBytes, "config.yaml", 0600)
+
+	// ssh keys
+	// FIXME we want a bootstrap-stage key instead of the real host key
+	for _, format := range []string{"rsa", "dsa", "ecdsa", "ed25519"} {
+		cat.AppendBytes(cfg.FileContent("/etc/ssh/ssh_host_"+format+"_key"), "id_"+format, 0600)
+	}
+
+	return cat.Close()
+}
+
+func buildBootstrap(out io.Writer, ctx *renderContext) (err error) {
+	arch := tar.NewWriter(out)
+	defer arch.Close()
+
+	// config
+	cfgBytes, cfg, err := ctx.Config()
+	if err != nil {
+		return err
+	}
+
+	err = arch.WriteHeader(&tar.Header{Name: "config.yaml", Size: int64(len(cfgBytes))})
+	if err != nil {
+		return
+	}
+
+	_, err = arch.Write(cfgBytes)
+	if err != nil {
+		return
+	}
+
+	// layers
+	for _, layer := range cfg.Layers {
+		if layer == "modules" {
+			continue // modules are with the kernel in boot v2
+		}
+
+		layerVersion := ctx.Host.Versions[layer]
+		if layerVersion == "" {
+			return fmt.Errorf("layer %q not mapped to a version", layer)
+		}
+
+		outPath, err := ctx.distFetch("layers", layer, layerVersion)
+		if err != nil {
+			return err
+		}
+
+		f, err := os.Open(outPath)
+		if err != nil {
+			return err
+		}
+
+		defer f.Close()
+
+		stat, err := f.Stat()
+		if err != nil {
+			return err
+		}
+
+		if err = arch.WriteHeader(&tar.Header{
+			Name: layer + ".fs",
+			Size: stat.Size(),
+		}); err != nil {
+			return err
+		}
+
+		_, err = io.Copy(arch, f)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
--- a/cmd/dkl-local-server/cas-cleaner.go
+++ b/cmd/dkl-local-server/cas-cleaner.go
@ -12,13 +12,15 @@ var (
 )

 func casCleaner() {
-	for {
+	for range time.Tick(*cacheCleanDelay) {
+		if !wPublicState.Get().Store.Open {
+			continue
+		}
+
 		err := cleanCAS()
 		if err != nil {
 			log.Print("warn: couldn't clean cache: ", err)
 		}
-
-		time.Sleep(*cacheCleanDelay)
 	}
 }

--- a/cmd/dkl-local-server/cluster-render-context.go
+++ b/cmd/dkl-local-server/cluster-render-context.go
@ -1,31 +1,88 @@
 package main

 import (
+	"crypto/rand"
+	"encoding/base32"
 	"encoding/json"
 	"fmt"
 	"log"
 	"path"
+	"strconv"
+	"strings"

+	cfsslconfig "github.com/cloudflare/cfssl/config"
 	"github.com/cloudflare/cfssl/csr"
 	yaml "gopkg.in/yaml.v2"
-	"novit.nc/direktil/pkg/config"
+
+	"novit.tech/direktil/pkg/bootstrapconfig"
+	"novit.tech/direktil/pkg/config"
 )

-var templateFuncs = map[string]interface{}{
-	"password": func(cluster, name string) (password string, err error) {
-		password = secretData.Password(cluster, name)
-		if len(password) == 0 {
-			err = fmt.Errorf("password %q not defined for cluster %q", name, cluster)
+func templateFuncs(sslCfg *cfsslconfig.Config) map[string]any {
+	getKeyCert := func(cluster, caName, name, profile, label, reqJson string) (kc KeyCert, err error) {
+		certReq := &csr.CertificateRequest{
+			KeyRequest: csr.NewKeyRequest(),
 		}
+
+		err = json.Unmarshal([]byte(reqJson), certReq)
+		if err != nil {
+			log.Print("CSR unmarshal failed on: ", reqJson)
 			return
+		}
+
+		return getUsableKeyCert(cluster, caName, name, profile, label, certReq, sslCfg)
+	}
+
+	hash := func(plain, seed []byte, hashAlg string) (hashed string, err error) {
+		switch hashAlg {
+		case "sha512crypt":
+			return sha512crypt(plain, seed)
+
+		case "bootstrap":
+			return bootstrapconfig.JoinSeedAndHash(seed, bootstrapconfig.PasswordHashFromSeed(seed, plain)), nil
+
+		default:
+			return "", fmt.Errorf("unknown hash alg: %q", hashAlg)
+		}
+	}
+
+	return map[string]any{
+		"quote": strconv.Quote,
+
+		"password": func(cluster, name, hashAlg string) (password string, err error) {
+			key := cluster + "/" + name
+
+			seed, err := seeds.GetOrCreate(key, func() (seed []byte, err error) {
+				seed = make([]byte, 16)
+				_, err = rand.Read(seed)
+				return
+			})
+
+			if err != nil {
+				return "", fmt.Errorf("failed to get seed: %w", err)
+			}
+
+			password, err = clusterPasswords.GetOrCreate(key, func() (password string, err error) {
+				raw := make([]byte, 10)
+				_, err = rand.Read(raw)
+				if err != nil {
+					return "", fmt.Errorf("failed to generate password: %w", err)
+				}
+
+				password = strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(raw))
+				return
+			})
+			if err != nil {
+				return
+			}
+
+			return hash([]byte(password), seed, hashAlg)
 		},

-	"token": func(cluster, name string) (s string, err error) {
-		return secretData.Token(cluster, name)
-	},
+		"token": getOrCreateClusterToken,

 		"ca_key": func(cluster, name string) (s string, err error) {
-		ca, err := secretData.CA(cluster, name)
+			ca, err := getUsableClusterCA(cluster, name)
 			if err != nil {
 				return
 			}
@ -35,7 +92,7 @@ var templateFuncs = map[string]interface{}{
 		},

 		"ca_crt": func(cluster, name string) (s string, err error) {
-		ca, err := secretData.CA(cluster, name)
+			ca, err := getUsableClusterCA(cluster, name)
 			if err != nil {
 				return
 			}
@ -45,7 +102,7 @@ var templateFuncs = map[string]interface{}{
 		},

 		"ca_dir": func(cluster, name string) (s string, err error) {
-		ca, err := secretData.CA(cluster, name)
+			ca, err := getUsableClusterCA(cluster, name)
 			if err != nil {
 				return
 			}
@ -87,7 +144,7 @@ var templateFuncs = map[string]interface{}{
 		},

 		"tls_dir": func(dir, cluster, caName, name, profile, label, reqJson string) (s string, err error) {
-		ca, err := secretData.CA(cluster, caName)
+			ca, err := getUsableClusterCA(cluster, caName)
 			if err != nil {
 				return
 			}
@ -115,47 +172,7 @@ var templateFuncs = map[string]interface{}{
 				},
 			})
 		},
-
-	"ssh_host_keys": func(dir, cluster, host string) (s string, err error) {
-		pairs, err := secretData.SSHKeyPairs(cluster, host)
-		if err != nil {
-			return
 	}
-
-		files := make([]config.FileDef, 0, len(pairs)*2)
-
-		for _, pair := range pairs {
-			basePath := path.Join(dir, "ssh_host_"+pair.Type+"_key")
-			files = append(files, []config.FileDef{
-				{
-					Path:    basePath,
-					Mode:    0600,
-					Content: pair.Private,
-				},
-				{
-					Path:    basePath + ".pub",
-					Mode:    0644,
-					Content: pair.Public,
-				},
-			}...)
-		}
-
-		return asYaml(files)
-	},
-}
-
-func getKeyCert(cluster, caName, name, profile, label, reqJson string) (kc *KeyCert, err error) {
-	certReq := &csr.CertificateRequest{
-		KeyRequest: csr.NewBasicKeyRequest(),
-	}
-
-	err = json.Unmarshal([]byte(reqJson), certReq)
-	if err != nil {
-		log.Print("CSR unmarshal failed on: ", reqJson)
-		return
-	}
-
-	return secretData.KeyCert(cluster, caName, name, profile, label, certReq)
 }

 func asYaml(v interface{}) (string, error) {
--- a/cmd/dkl-local-server/data.go
+++ b/cmd/dkl-local-server/data.go
@ -4,7 +4,7 @@ import (
 	"flag"
 	"path/filepath"

-	"novit.nc/direktil/pkg/localconfig"
+	"novit.tech/direktil/pkg/localconfig"
 )

 var (
--- a/cmd/dkl-local-server/host-download-tokens.go
+++ b/cmd/dkl-local-server/host-download-tokens.go
@ -0,0 +1,3 @@
+package main
+
+var hostDownloadTokens = KVSecrets[string]{"hosts/download-tokens"}
--- a/cmd/dkl-local-server/httperr.go
+++ b/cmd/dkl-local-server/httperr.go
@ -0,0 +1,16 @@
+package main
+
+import (
+	"net/http"
+
+	"m.cluseau.fr/go/httperr"
+)
+
+var (
+	ErrNotFound     = httperr.NotFound
+	ErrUnauthorized = httperr.StdStatus(http.StatusUnauthorized)
+	ErrForbidden    = httperr.StdStatus(http.StatusForbidden)
+	ErrInternal     = httperr.StdStatus(http.StatusInternalServerError)
+	ErrInvalidToken = httperr.NewStd(1000, http.StatusForbidden, "invalid token")
+	ErrStoreLocked  = httperr.NewStd(1001, http.StatusServiceUnavailable, "store is locked")
+)
--- a/cmd/dkl-local-server/initrd.go
+++ b/cmd/dkl-local-server/initrd.go
@ -2,13 +2,9 @@ package main

 import (
 	"encoding/json"
-	"fmt"
-	"io"
 	"log"
 	"net/http"
-	"os"

-	cpio "github.com/cavaliercoder/go-cpio"
 	yaml "gopkg.in/yaml.v2"
 )

@ -28,84 +24,3 @@ func renderConfig(w http.ResponseWriter, r *http.Request, ctx *renderContext, as

 	return nil
 }
-
-func buildInitrd(out io.Writer, ctx *renderContext) error {
-	_, cfg, err := ctx.Config()
-
-	if err != nil {
-		return err
-	}
-
-	// send initrd basis
-	initrdPath, err := ctx.distFetch("initrd", ctx.Host.Initrd)
-	if err != nil {
-		return err
-	}
-
-	err = writeFile(out, initrdPath)
-	if err != nil {
-		return err
-	}
-
-	// and our extra archive
-	archive := cpio.NewWriter(out)
-
-	// - required dirs
-	for _, dir := range []string{
-		"boot",
-		"boot/current",
-		"boot/current/layers",
-	} {
-		archive.WriteHeader(&cpio.Header{
-			Name: dir,
-			Mode: 0600 | cpio.ModeDir,
-		})
-	}
-
-	// - the layers
-	for _, layer := range cfg.Layers {
-		layerVersion := ctx.Host.Versions[layer]
-		if layerVersion == "" {
-			return fmt.Errorf("layer %q not mapped to a version", layer)
-		}
-
-		path, err := ctx.distFetch("layers", layer, layerVersion)
-		if err != nil {
-			return err
-		}
-
-		stat, err := os.Stat(path)
-		if err != nil {
-			return err
-		}
-
-		archive.WriteHeader(&cpio.Header{
-			Name: "boot/current/layers/" + layer + ".fs",
-			Mode: 0600,
-			Size: stat.Size(),
-		})
-
-		if err = writeFile(archive, path); err != nil {
-			return err
-		}
-	}
-
-	// - the configuration
-	ba, err := yaml.Marshal(cfg)
-	if err != nil {
-		return err
-	}
-
-	archive.WriteHeader(&cpio.Header{
-		Name: "boot/config.yaml",
-		Mode: 0600,
-		Size: int64(len(ba)),
-	})
-
-	archive.Write(ba)
-
-	// finalize the archive
-	archive.Flush()
-	archive.Close()
-	return nil
-}
--- a/cmd/dkl-local-server/kernel.go
+++ b/cmd/dkl-local-server/kernel.go
@ -1,8 +1,10 @@
 package main

 import (
+	"io"
 	"log"
 	"net/http"
+	"os"
 )

 func renderKernel(w http.ResponseWriter, r *http.Request, ctx *renderContext) error {
@ -15,3 +17,19 @@ func renderKernel(w http.ResponseWriter, r *http.Request, ctx *renderContext) er
 	http.ServeFile(w, r, path)
 	return nil
 }
+
+func fetchKernel(out io.Writer, ctx *renderContext) (err error) {
+	path, err := ctx.distFetch("kernels", ctx.Host.Kernel)
+	if err != nil {
+		return err
+	}
+
+	in, err := os.Open(path)
+	if err != nil {
+		return
+	}
+	defer in.Close()
+
+	_, err = io.Copy(out, in)
+	return
+}
--- a/cmd/dkl-local-server/main.go
+++ b/cmd/dkl-local-server/main.go
@ -4,25 +4,33 @@ import (
 	"flag"
 	"log"
 	"net/http"
+	"os"
 	"path/filepath"

 	restful "github.com/emicklei/go-restful"
 	swaggerui "github.com/mcluseau/go-swagger-ui"
-	"novit.nc/direktil/pkg/cas"
+	"m.cluseau.fr/go/watchable/streamsse"

-	"novit.nc/direktil/local-server/pkg/apiutils"
+	"novit.tech/direktil/pkg/cas"
+
+	dlshtml "novit.tech/direktil/local-server/html"
+	"novit.tech/direktil/local-server/pkg/apiutils"
 )

 const (
 	etcDir = "/etc/direktil"
 )

+var Version = "dev"
+
 var (
 	address    = flag.String("address", ":7606", "HTTP listen address")
 	tlsAddress = flag.String("tls-address", "", "HTTPS listen address")
 	certFile   = flag.String("tls-cert", etcDir+"/server.crt", "Server TLS certificate")
 	keyFile    = flag.String("tls-key", etcDir+"/server.key", "Server TLS key")

+	autoUnlock = flag.String("auto-unlock", "", "Auto-unlock store (testing only!) env: DLS_AUTO_UNLOCK")
+
 	casStore cas.Store
 )

@ -35,6 +43,31 @@ func main() {
 		log.Fatal("no listen address given")
 	}

+	log.Print("Direktil local-server version ", Version)
+	wPublicState.Change(func(s *PublicState) { s.ServerVersion = Version })
+
+	computeUIHash()
+
+	openSecretStore()
+
+	{
+		autoUnlock := *autoUnlock
+		if autoUnlock == "" {
+			autoUnlock = os.Getenv("DLS_AUTO_UNLOCK")
+		}
+		if autoUnlock != "" {
+			log.Printf("auto-unlocking the store")
+			err := unlockSecretStore("test", []byte(autoUnlock))
+			if err.Any() {
+				log.Fatal(err)
+			}
+
+			log.Print("store auto-unlocked, token is ", adminToken)
+		}
+
+		os.Setenv("DLS_AUTO_UNLOCK", "")
+	}
+
 	casStore = cas.NewDir(filepath.Join(*dataDir, "cache"))
 	go casCleaner()

@ -44,6 +77,13 @@ func main() {

 	swaggerui.HandleAt("/swagger-ui/")

+	staticHandler := http.FileServer(http.FS(dlshtml.FS))
+	http.Handle("/favicon.ico", staticHandler)
+	http.Handle("/ui/", staticHandler)
+
+	http.Handle("/public-state", streamsse.StreamHandler(wPublicState))
+	http.Handle("/state", requireAdmin(streamsse.StreamHandler(wState)))
+
 	if *address != "" {
 		log.Print("HTTP listening on ", *address)
 		go log.Fatal(http.ListenAndServe(*address, nil))
--- a/cmd/dkl-local-server/render-context.go
+++ b/cmd/dkl-local-server/render-context.go
@ -4,10 +4,12 @@ import (
 	"bytes"
 	"crypto/sha256"
 	"encoding/hex"
+	"fmt"
 	"io"
 	"log"
 	"net/http"
 	"net/url"
+	"path"
 	"path/filepath"
 	"text/template"

@ -15,15 +17,17 @@ import (
 	restful "github.com/emicklei/go-restful"
 	yaml "gopkg.in/yaml.v2"

-	"novit.nc/direktil/pkg/config"
-	"novit.nc/direktil/pkg/localconfig"
+	"novit.tech/direktil/pkg/config"
+	"novit.tech/direktil/pkg/localconfig"
+
+	bsconfig "novit.tech/direktil/pkg/bootstrapconfig"
 )

 var cmdlineParam = restful.QueryParameter("cmdline", "Linux kernel cmdline addition")

 type renderContext struct {
 	Host      *localconfig.Host
-	SSLConfig string
+	SSLConfig *cfsslconfig.Config

 	// Linux kernel extra cmdline
 	CmdLine string `yaml:"-"`
@ -59,12 +63,7 @@ func renderCtx(w http.ResponseWriter, r *http.Request, ctx *renderContext, what
 	return nil
 }

-var prevSSLConfig = "-"
-
-func newRenderContext(host *localconfig.Host, cfg *localconfig.Config) (ctx *renderContext, err error) {
-	if prevSSLConfig != cfg.SSLConfig {
-		var sslCfg *cfsslconfig.Config
-
+func sslConfigFromLocalConfig(cfg *localconfig.Config) (sslCfg *cfsslconfig.Config, err error) {
 	if len(cfg.SSLConfig) == 0 {
 		sslCfg = &cfsslconfig.Config{}
 	} else {
@ -73,25 +72,53 @@ func newRenderContext(host *localconfig.Host, cfg *localconfig.Config) (ctx *ren
 			return
 		}
 	}
+	return
+}

-		err = loadSecretData(sslCfg)
+func newRenderContext(host *localconfig.Host, cfg *localconfig.Config) (ctx *renderContext, err error) {
+	sslCfg, err := sslConfigFromLocalConfig(cfg)
 	if err != nil {
 		return
 	}

-		prevSSLConfig = cfg.SSLConfig
-	}
-
 	return &renderContext{
-		SSLConfig: cfg.SSLConfig,
 		Host:      host,
+		SSLConfig: sslCfg,
 	}, nil
 }

 func (ctx *renderContext) Config() (ba []byte, cfg *config.Config, err error) {
+	ba, err = ctx.render(ctx.Host.Config)
+	if err != nil {
+		return
+	}
+
+	cfg = &config.Config{}
+	if err = yaml.Unmarshal(ba, cfg); err != nil {
+		return
+	}
+
+	return
+}
+
+func (ctx *renderContext) BootstrapConfig() (ba []byte, cfg *bsconfig.Config, err error) {
+	ba, err = ctx.render(ctx.Host.BootstrapConfig)
+	if err != nil {
+		return
+	}
+
+	cfg = &bsconfig.Config{}
+	if err = yaml.Unmarshal(ba, cfg); err != nil {
+		return
+	}
+
+	return
+}
+
+func (ctx *renderContext) render(templateText string) (ba []byte, err error) {
 	tmpl, err := template.New(ctx.Host.Name + "/config").
-		Funcs(templateFuncs).
-		Parse(ctx.Host.Config)
+		Funcs(ctx.TemplateFuncs()).
+		Parse(templateText)

 	if err != nil {
 		return
@ -102,21 +129,7 @@ func (ctx *renderContext) Config() (ba []byte, cfg *config.Config, err error) {
 		return
 	}

-	if secretData.Changed() {
-		err = secretData.Save()
-		if err != nil {
-			return
-		}
-	}
-
 	ba = buf.Bytes()
-
-	cfg = &config.Config{}
-
-	if err = yaml.Unmarshal(buf.Bytes(), cfg); err != nil {
-		return
-	}
-
 	return
 }

@ -157,3 +170,69 @@ func asMap(v interface{}) map[string]interface{} {

 	return result
 }
+
+func (ctx *renderContext) TemplateFuncs() map[string]any {
+	funcs := templateFuncs(ctx.SSLConfig)
+
+	for name, method := range map[string]any{
+		"ssh_host_keys": func(dir, cluster, host string) (s string, err error) {
+			if host == "" {
+				host = ctx.Host.Name
+			}
+			if host != ctx.Host.Name {
+				err = fmt.Errorf("wrong host name")
+				return
+			}
+
+			pairs, err := getSSHKeyPairs(host)
+			if err != nil {
+				return
+			}
+
+			files := make([]config.FileDef, 0, len(pairs)*2)
+
+			for _, pair := range pairs {
+				basePath := path.Join(dir, "ssh_host_"+pair.Type+"_key")
+				files = append(files, []config.FileDef{
+					{
+						Path:    basePath,
+						Mode:    0600,
+						Content: pair.Private,
+					},
+					{
+						Path:    basePath + ".pub",
+						Mode:    0644,
+						Content: pair.Public,
+					},
+				}...)
+			}
+
+			return asYaml(files)
+		},
+		"host_download_token": func() (token string, err error) {
+			key := ctx.Host.Name
+			token, found, err := hostDownloadTokens.Get(key)
+			if err != nil {
+				return
+			}
+
+			if !found {
+				token, err = newToken(32)
+				if err != nil {
+					return
+				}
+
+				err = hostDownloadTokens.Put(key, token)
+				if err != nil {
+					return
+				}
+			}
+
+			return
+		},
+	} {
+		funcs[name] = method
+	}
+
+	return funcs
+}
--- a/cmd/dkl-local-server/secret-store.go
+++ b/cmd/dkl-local-server/secret-store.go
@ -0,0 +1,350 @@
+package main
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+	"sync"
+
+	restful "github.com/emicklei/go-restful"
+	"m.cluseau.fr/go/httperr"
+
+	"novit.tech/direktil/local-server/secretstore"
+)
+
+var secStore *secretstore.Store
+
+func secStoreRoot() string            { return filepath.Join(*dataDir, "secrets") }
+func secStorePath(name string) string { return filepath.Join(secStoreRoot(), name) }
+func secKeysStorePath() string        { return secStorePath(".keys") }
+
+func openSecretStore() {
+	var err error
+
+	keysPath := secKeysStorePath()
+
+	if err := os.MkdirAll(filepath.Dir(filepath.Dir(keysPath)), 0755); err != nil {
+		log.Fatal("failed to create dirs: ", err)
+	}
+
+	if err := os.MkdirAll(filepath.Dir(keysPath), 0700); err != nil {
+		log.Fatal("failed to secret store dir: ", err)
+	}
+
+	secStore, err = secretstore.Open(keysPath)
+
+	switch {
+	case err == nil:
+		wPublicState.Change(func(v *PublicState) {
+			v.Store.New = false
+			v.Store.Open = false
+		})
+
+	case os.IsNotExist(err):
+		secStore = secretstore.New()
+		wPublicState.Change(func(v *PublicState) {
+			v.Store.New = true
+			v.Store.Open = false
+		})
+
+	default:
+		log.Fatal("failed to open keys store: ", err)
+	}
+}
+
+var (
+	unlockMutex = sync.Mutex{}
+
+	ErrStoreAlreadyUnlocked = httperr.NewStd(1, http.StatusConflict, "store already unlocked")
+	ErrInvalidPassphrase    = httperr.NewStd(2, http.StatusBadRequest, "invalid passphrase")
+)
+
+func unlockSecretStore(name string, passphrase []byte) (err httperr.Error) {
+	unlockMutex.Lock()
+	defer unlockMutex.Unlock()
+
+	if secStore.Unlocked() {
+		return ErrStoreAlreadyUnlocked
+	}
+
+	if secStore.IsNew() {
+		err := secStore.Init(name, passphrase)
+		if err != nil {
+			return httperr.Internal(err)
+		}
+
+		err = secStore.SaveTo(secKeysStorePath())
+		if err != nil {
+			log.Print("secret store save error: ", err)
+			secStore.Close()
+
+			return httperr.Internal(err)
+		}
+
+	} else {
+		if !secStore.Unlock([]byte(passphrase)) {
+			return ErrInvalidPassphrase
+		}
+	}
+
+	token := ""
+	if err := readSecret("admin-token", &token); err != nil {
+		if !os.IsNotExist(err) {
+			log.Print("failed to read admin token: ", err)
+			secStore.Close()
+
+			return httperr.Internal(err)
+		}
+
+		token, err = newToken(32)
+		if err != nil {
+			secStore.Close()
+			return httperr.Internal(err)
+		}
+
+		err = writeSecret("admin-token", token)
+		if err != nil {
+			log.Print("write error: ", err)
+			secStore.Close()
+
+			return httperr.Internal(err)
+		}
+
+		log.Print("wrote new admin token")
+	}
+
+	adminToken = token
+
+	{
+		token, err := newToken(16)
+		if err != nil {
+			secStore.Close()
+			return httperr.Internal(err)
+		}
+
+		wState.Change(func(v *State) {
+			v.Store.DownloadToken = token
+		})
+	}
+
+	wPublicState.Change(func(v *PublicState) {
+		v.Store.New = false
+		v.Store.Open = true
+	})
+
+	go updateState()
+	go migrateSecrets()
+
+	return
+}
+
+func readSecret(name string, value any) (err error) {
+	f, err := os.Open(secStorePath(name + ".data"))
+	if err != nil {
+		return
+	}
+
+	defer f.Close()
+
+	in, err := secStore.NewReader(f)
+	if err != nil {
+		return
+	}
+
+	return json.NewDecoder(in).Decode(value)
+}
+
+func writeSecret(name string, value any) (err error) {
+	path := secStorePath(name + ".data.new")
+
+	if err = os.MkdirAll(filepath.Dir(path), 0700); err != nil {
+		return
+	}
+
+	f, err := os.Create(path)
+	if err != nil {
+		return
+	}
+
+	err = func() (err error) {
+		defer f.Close()
+
+		out, err := secStore.NewWriter(f)
+		if err != nil {
+			return
+		}
+
+		return json.NewEncoder(out).Encode(value)
+	}()
+
+	if err != nil {
+		return
+	}
+
+	err = os.Rename(f.Name(), secStorePath(name+".data"))
+	if err != nil {
+		return
+	}
+
+	go updateState()
+	return
+}
+
+var secL sync.Mutex
+
+func updateSecret[T any](name string, update func(*T)) (err error) {
+	secL.Lock()
+	defer secL.Unlock()
+
+	v := new(T)
+	err = readSecret(name, v)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			return
+		}
+		err = nil
+	}
+
+	update(v)
+
+	return writeSecret(name, *v)
+}
+
+func updateSecretWithKey[T any](name, key string, update func(v *T)) (err error) {
+	secL.Lock()
+	defer secL.Unlock()
+
+	kvs := map[string]*T{}
+
+	err = readSecret(name, &kvs)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			return
+		}
+		err = nil
+	}
+
+	update(kvs[key])
+
+	return writeSecret(name, kvs)
+}
+
+type KVSecrets[T any] struct{ Name string }
+
+func (s KVSecrets[T]) Data() (kvs map[string]T, err error) {
+	kvs = make(map[string]T)
+	err = readSecret(s.Name, &kvs)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			return
+		}
+		err = nil
+	}
+	return
+}
+
+func (s KVSecrets[T]) Keys(prefix string) (keys []string, err error) {
+	kvs, err := s.Data()
+	if err != nil {
+		return
+	}
+
+	keys = make([]string, 0, len(kvs))
+
+	for k := range kvs {
+		if !strings.HasPrefix(k, prefix) {
+			continue
+		}
+		keys = append(keys, k[len(prefix):])
+	}
+
+	sort.Strings(keys)
+
+	return
+}
+
+func (s KVSecrets[T]) Get(key string) (v T, found bool, err error) {
+	kvs, err := s.Data()
+	if err != nil {
+		return
+	}
+
+	v, found = kvs[key]
+	return
+}
+
+func (s KVSecrets[T]) Put(key string, v T) (err error) {
+	secL.Lock()
+	defer secL.Unlock()
+
+	kvs, err := s.Data()
+	if err != nil {
+		return
+	}
+
+	kvs[key] = v
+	err = writeSecret(s.Name, kvs)
+	return
+}
+
+func (s KVSecrets[T]) GetOrCreate(key string, create func() (T, error)) (v T, err error) {
+	v, found, err := s.Get(key)
+	if err != nil {
+		return
+	}
+
+	if !found {
+		v, err = create()
+		if err != nil {
+			return
+		}
+
+		err = s.Put(key, v)
+	}
+
+	return
+}
+
+func (s KVSecrets[T]) WsList(resp *restful.Response, prefix string) {
+	keys, err := s.Keys(prefix)
+	if err != nil {
+		wsError(resp, err)
+		return
+	}
+
+	resp.WriteEntity(keys)
+}
+
+func (s KVSecrets[T]) WsGet(resp *restful.Response, key string) {
+	keys, found, err := s.Get(key)
+	if err != nil {
+		wsError(resp, err)
+		return
+	}
+
+	if !found {
+		wsNotFound(resp)
+		return
+	}
+
+	resp.WriteEntity(keys)
+}
+
+func (s KVSecrets[T]) WsPut(req *restful.Request, resp *restful.Response, key string) {
+	v := new(T)
+	err := req.ReadEntity(v)
+	if err != nil {
+		wsBadRequest(resp, err.Error())
+		return
+	}
+
+	err = s.Put(key, *v)
+	if err != nil {
+		wsError(resp, err)
+		return
+	}
+}
--- a/cmd/dkl-local-server/secrets-migrate.go
+++ b/cmd/dkl-local-server/secrets-migrate.go
@ -0,0 +1,88 @@
+package main
+
+import (
+	"log"
+	"os"
+
+	cfsslconfig "github.com/cloudflare/cfssl/config"
+)
+
+func migrateSecrets() {
+	if _, err := os.Stat(secretDataPath()); err != nil {
+		if os.IsNotExist(err) {
+			return
+		}
+
+		log.Print("not migrating old secrets: ", err)
+
+		return
+	}
+
+	log.Print("migrating old secrets")
+
+	log := log.New(log.Default().Writer(), "secrets migration: ", log.Flags()|log.Lmsgprefix)
+
+	// load secrets
+	cfg, err := readConfig()
+	if err != nil {
+		log.Fatal(err)
+		return
+	}
+
+	var sslCfg *cfsslconfig.Config
+
+	if len(cfg.SSLConfig) == 0 {
+		sslCfg = &cfsslconfig.Config{}
+	} else {
+		sslCfg, err = cfsslconfig.LoadConfig([]byte(cfg.SSLConfig))
+		if err != nil {
+			return
+		}
+	}
+
+	secretData, err := loadSecretData(sslCfg)
+	if err != nil {
+		log.Fatal(err)
+		return
+	}
+
+	for clusterName, cluster := range secretData.clusters {
+		for k, v := range cluster.Tokens {
+			err = clusterTokens.Put(clusterName+"/"+k, v)
+			if err != nil {
+				log.Fatal(err)
+				return
+			}
+		}
+
+		for k, v := range cluster.Passwords {
+			err = clusterPasswords.Put(clusterName+"/"+k, v)
+			if err != nil {
+				log.Fatal(err)
+				return
+			}
+		}
+
+		for caName, ca := range cluster.CAs {
+			clusterCAs.Put(clusterName+"/"+caName, CA{Key: ca.Key, Cert: ca.Cert})
+
+			for signedName, signed := range ca.Signed {
+				err = clusterCASignedKeys.Put(clusterName+"/"+caName+"/"+signedName, *signed)
+				if err != nil {
+					log.Fatal(err)
+				}
+			}
+		}
+
+		for hostName, pairs := range cluster.SSHKeyPairs {
+			err = sshHostKeys.Put(hostName, pairs)
+			if err != nil {
+				log.Fatal(err)
+			}
+		}
+	}
+
+	if err := os.Rename(secretDataPath(), secretDataPath()+".migrated"); err != nil {
+		log.Fatal("failed to rename migrated secrets: ", err)
+	}
+}
--- a/cmd/dkl-local-server/secrets.go
+++ b/cmd/dkl-local-server/secrets.go
@ -1,46 +1,20 @@
 package main

 import (
-	"crypto"
-	"crypto/rand"
-	"crypto/x509"
-	"encoding/base32"
 	"encoding/json"
 	"errors"
-	"fmt"
 	"io/ioutil"
-	"net"
 	"os"
 	"path/filepath"
-	"sort"
-	"sync"
 	"time"

-	"github.com/cespare/xxhash"
 	"github.com/cloudflare/cfssl/certinfo"
 	"github.com/cloudflare/cfssl/config"
-	"github.com/cloudflare/cfssl/csr"
-	"github.com/cloudflare/cfssl/helpers"
-	"github.com/cloudflare/cfssl/initca"
 	"github.com/cloudflare/cfssl/log"
-	"github.com/cloudflare/cfssl/signer"
-	"github.com/cloudflare/cfssl/signer/local"
-	"k8s.io/apimachinery/pkg/util/validation"
-	"k8s.io/apimachinery/pkg/util/validation/field"
-)
-
-var (
-	secretData *SecretData
-	DontSave   = false
 )

 type SecretData struct {
-	l sync.Mutex
-
-	prevHash uint64
-
 	clusters map[string]*ClusterSecrets
-	changed  bool
 	config   *config.Config
 }

@ -51,13 +25,6 @@ type ClusterSecrets struct {
 	SSHKeyPairs map[string][]SSHKeyPair
 }

-type CA struct {
-	Key  []byte
-	Cert []byte
-
-	Signed map[string]*KeyCert
-}
-
 type KeyCert struct {
 	Key     []byte
 	Cert    []byte
@ -68,21 +35,18 @@ func secretDataPath() string {
 	return filepath.Join(*dataDir, "secret-data.json")
 }

-func loadSecretData(config *config.Config) (err error) {
+func loadSecretData(config *config.Config) (sd *SecretData, err error) {
 	log.Info("Loading secret data")

-	sd := &SecretData{
+	sd = &SecretData{
 		clusters: make(map[string]*ClusterSecrets),
-		changed:  false,
 		config:   config,
 	}

 	ba, err := ioutil.ReadFile(secretDataPath())
 	if err != nil {
 		if os.IsNotExist(err) {
-			sd.changed = true
 			err = nil
-			secretData = sd
 			return
 		}
 		return
@ -92,209 +56,6 @@ func loadSecretData(config *config.Config) (err error) {
 		return
 	}

-	sd.prevHash = xxhash.Sum64(ba)
-
-	secretData = sd
-	return
-}
-
-func (sd *SecretData) Changed() bool {
-	return sd.changed
-}
-
-func (sd *SecretData) Save() (err error) {
-	if DontSave {
-		return
-	}
-
-	sd.l.Lock()
-	defer sd.l.Unlock()
-
-	ba, err := json.Marshal(sd.clusters)
-	if err != nil {
-		return
-	}
-
-	h := xxhash.Sum64(ba)
-	if h == sd.prevHash {
-		return
-	}
-
-	log.Info("Saving secret data")
-	err = ioutil.WriteFile(secretDataPath(), ba, 0600)
-
-	if err == nil {
-		sd.prevHash = h
-	}
-
-	return
-}
-
-func newClusterSecrets() *ClusterSecrets {
-	return &ClusterSecrets{
-		CAs:       make(map[string]*CA),
-		Tokens:    make(map[string]string),
-		Passwords: make(map[string]string),
-	}
-}
-
-func (sd *SecretData) cluster(name string) (cs *ClusterSecrets) {
-	cs, ok := sd.clusters[name]
-	if ok {
-		return
-	}
-
-	sd.l.Lock()
-	defer sd.l.Unlock()
-
-	log.Info("secret-data: new cluster: ", name)
-
-	cs = newClusterSecrets()
-	sd.clusters[name] = cs
-	sd.changed = true
-	return
-}
-
-func (sd *SecretData) Passwords(cluster string) (passwords []string) {
-	cs := sd.cluster(cluster)
-
-	passwords = make([]string, 0, len(cs.Passwords))
-	for name := range cs.Passwords {
-		passwords = append(passwords, name)
-	}
-
-	sort.Strings(passwords)
-
-	return
-}
-
-func (sd *SecretData) Password(cluster, name string) (password string) {
-	cs := sd.cluster(cluster)
-
-	if cs.Passwords == nil {
-		cs.Passwords = make(map[string]string)
-	}
-
-	password = cs.Passwords[name]
-	return
-}
-
-func (sd *SecretData) SetPassword(cluster, name, password string) {
-	cs := sd.cluster(cluster)
-
-	if cs.Passwords == nil {
-		cs.Passwords = make(map[string]string)
-	}
-
-	cs.Passwords[name] = password
-	sd.changed = true
-}
-
-func (sd *SecretData) Token(cluster, name string) (token string, err error) {
-	cs := sd.cluster(cluster)
-
-	token = cs.Tokens[name]
-	if token != "" {
-		return
-	}
-
-	sd.l.Lock()
-	defer sd.l.Unlock()
-
-	log.Info("secret-data: new token in cluster ", cluster, ": ", name)
-
-	b := make([]byte, 16)
-	_, err = rand.Read(b)
-	if err != nil {
-		return
-	}
-
-	token = base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b)
-
-	cs.Tokens[name] = token
-	sd.changed = true
-	return
-}
-
-func (sd *SecretData) RenewCACert(cluster, name string) (err error) {
-	cs := sd.cluster(cluster)
-
-	ca := cs.CAs[name]
-
-	var cert *x509.Certificate
-	cert, err = helpers.ParseCertificatePEM(ca.Cert)
-	if err != nil {
-		return
-	}
-
-	var signer crypto.Signer
-	signer, err = helpers.ParsePrivateKeyPEM(ca.Key)
-	if err != nil {
-		return
-	}
-
-	newCert, err := initca.RenewFromSigner(cert, signer)
-	if err != nil {
-		return
-	}
-
-	sd.l.Lock()
-	defer sd.l.Unlock()
-
-	cs.CAs[name].Cert = newCert
-	sd.changed = true
-
-	return
-}
-
-func (sd *SecretData) CA(cluster, name string) (ca *CA, err error) {
-	cs := sd.cluster(cluster)
-
-	ca, ok := cs.CAs[name]
-	if ok {
-		checkErr := checkCertUsable(ca.Cert)
-		if checkErr != nil {
-			log.Infof("secret-data cluster %s: CA %s: regenerating certificate: %v", cluster, name, checkErr)
-
-			err = sd.RenewCACert(cluster, name)
-		}
-
-		return
-	}
-
-	sd.l.Lock()
-	defer sd.l.Unlock()
-
-	log.Info("secret-data: new CA in cluster ", cluster, ": ", name)
-
-	req := &csr.CertificateRequest{
-		CN: "Direktil Local Server",
-		KeyRequest: &csr.BasicKeyRequest{
-			A: "ecdsa",
-			S: 521, // 256, 384, 521
-		},
-		Names: []csr.Name{
-			{
-				C: "NC",
-				O: "novit.nc",
-			},
-		},
-	}
-
-	cert, _, key, err := initca.New(req)
-	if err != nil {
-		return
-	}
-
-	ca = &CA{
-		Key:    key,
-		Cert:   cert,
-		Signed: make(map[string]*KeyCert),
-	}
-
-	cs.CAs[name] = ca
-	sd.changed = true
-
 	return
 }

@ -313,104 +74,3 @@ func checkCertUsable(certPEM []byte) error {

 	return nil
 }
-
-func (sd *SecretData) KeyCert(cluster, caName, name, profile, label string, req *csr.CertificateRequest) (kc *KeyCert, err error) {
-	for idx, host := range req.Hosts {
-		if ip := net.ParseIP(host); ip != nil {
-			// valid IP (v4 or v6)
-			continue
-		}
-
-		if host == "*" {
-			continue
-		}
-
-		if errs := validation.IsDNS1123Subdomain(host); len(errs) == 0 {
-			continue
-		}
-		if errs := validation.IsWildcardDNS1123Subdomain(host); len(errs) == 0 {
-			continue
-		}
-
-		path := field.NewPath(cluster, name, "hosts").Index(idx)
-		return nil, fmt.Errorf("%v: %q is not an IP or FQDN", path, host)
-	}
-
-	if req.CA != nil {
-		err = errors.New("no CA section allowed here")
-		return
-	}
-
-	ca, err := sd.CA(cluster, caName)
-	if err != nil {
-		return
-	}
-
-	logPrefix := fmt.Sprintf("secret-data: cluster %s: CA %s:", cluster, caName)
-
-	rh := hash(req)
-	kc, ok := ca.Signed[name]
-	if ok && rh == kc.ReqHash {
-		err = checkCertUsable(kc.Cert)
-		if err == nil {
-			return
-		}
-		log.Infof("%s regenerating certificate: ", err)
-
-	} else if ok {
-		log.Infof("%s CSR changed for %s: hash=%q previous=%q", name, rh, kc.ReqHash)
-	} else {
-		log.Infof("%s new CSR for %s", logPrefix, name)
-	}
-
-	sd.l.Lock()
-	defer sd.l.Unlock()
-
-	sgr, err := ca.Signer(sd.config.Signing)
-	if err != nil {
-		return
-	}
-
-	generator := &csr.Generator{Validator: func(_ *csr.CertificateRequest) error { return nil }}
-
-	csr, key, err := generator.ProcessRequest(req)
-	if err != nil {
-		return
-	}
-
-	signReq := signer.SignRequest{
-		Request: string(csr),
-		Profile: profile,
-		Label:   label,
-	}
-
-	cert, err := sgr.Sign(signReq)
-	if err != nil {
-		return
-	}
-
-	kc = &KeyCert{
-		Key:     key,
-		Cert:    cert,
-		ReqHash: rh,
-	}
-
-	ca.Signed[name] = kc
-	sd.changed = true
-
-	return
-}
-
-func (ca *CA) Signer(policy *config.Signing) (result *local.Signer, err error) {
-	caCert, err := helpers.ParseCertificatePEM(ca.Cert)
-	if err != nil {
-		return
-	}
-
-	caKey, err := helpers.ParsePrivateKeyPEM(ca.Key)
-	if err != nil {
-		return
-	}
-
-	return local.NewSigner(caKey, caCert, signer.DefaultSigAlgo(caKey), policy)
-}
--- a/cmd/dkl-local-server/sha512crypt.go
+++ b/cmd/dkl-local-server/sha512crypt.go
@ -0,0 +1,39 @@
+package main
+
+import (
+	"encoding/base64"
+
+	crypthash "github.com/sergeymakinen/go-crypt/hash"
+	"github.com/sergeymakinen/go-crypt/sha512"
+)
+
+// for some reason, no implementation of crypt's sha512 is clean enough :(
+
+func sha512crypt(password, seed []byte) (string, error) {
+	// loose salt entropy because of character restriction in the salt
+	salt := []byte(base64.RawStdEncoding.EncodeToString(seed))[:sha512.MaxSaltLength]
+	// - base64 allows '+' where the salt accepts '.'
+	for i, c := range salt {
+		if c == '+' {
+			salt[i] = '.'
+		}
+	}
+
+	scheme := struct {
+		HashPrefix string
+		Rounds     uint32 `hash:"param:rounds,omitempty"`
+		Salt       []byte
+		Sum        [86]byte
+	}{
+		HashPrefix: sha512.Prefix,
+		Rounds:     sha512.DefaultRounds,
+		Salt:       salt,
+	}
+
+	key, err := sha512.Key([]byte(password), scheme.Salt, scheme.Rounds)
+	if err != nil {
+		return "", err
+	}
+	crypthash.LittleEndianEncoding.Encode(scheme.Sum[:], key)
+	return crypthash.Marshal(scheme)
+}
--- a/cmd/dkl-local-server/ssh-secrets.go
+++ b/cmd/dkl-local-server/ssh-secrets.go
@ -15,34 +15,16 @@ import (
 	"os/exec"
 )

+var sshHostKeys = KVSecrets[[]SSHKeyPair]{"hosts/ssh-host-keys"}
+
 type SSHKeyPair struct {
 	Type    string
 	Public  string
 	Private string
 }

-func (sd *SecretData) SSHKeyPairs(cluster, host string) (pairs []SSHKeyPair, err error) {
-	cs := sd.cluster(cluster)
-
-	if cs.SSHKeyPairs == nil {
-		cs.SSHKeyPairs = map[string][]SSHKeyPair{}
-	}
-
-	outFile, err := ioutil.TempFile("/tmp", "dls-key.")
-	if err != nil {
-		return
-	}
-
-	outPath := outFile.Name()
-
-	removeTemp := func() {
-		os.Remove(outPath)
-		os.Remove(outPath + ".pub")
-	}
-
-	defer removeTemp()
-
-	pairs = cs.SSHKeyPairs[host]
+func getSSHKeyPairs(host string) (pairs []SSHKeyPair, err error) {
+	pairs, _, err = sshHostKeys.Get(host)

 	didGenerate := false

@ -59,17 +41,30 @@ genLoop:
 			}
 		}

-		didGenerate = true
+		err = func() (err error) {
+			outFile, err := ioutil.TempFile("/tmp", "dls-key.")
+			if err != nil {
+				return
+			}
+
+			outPath := outFile.Name()
+
+			removeTemp := func() {
+				os.Remove(outPath)
+				os.Remove(outPath + ".pub")
+			}

 			removeTemp()
+			defer removeTemp()

 			var out, privKey, pubKey []byte

-		out, err = exec.Command("ssh-keygen",
+			cmd := exec.Command("ssh-keygen",
 				"-N", "",
 				"-C", "root@"+host,
 				"-f", outPath,
-			"-t", keyType).CombinedOutput()
+				"-t", keyType)
+			out, err = cmd.CombinedOutput()
 			if err != nil {
 				err = fmt.Errorf("ssh-keygen failed: %v: %s", err, string(out))
 				return
@ -80,25 +75,31 @@ genLoop:
 				return
 			}

-		os.Remove(outPath)
-
 			pubKey, err = ioutil.ReadFile(outPath + ".pub")
 			if err != nil {
 				return
 			}

-		os.Remove(outPath + ".pub")
-
 			pairs = append(pairs, SSHKeyPair{
 				Type:    keyType,
 				Public:  string(pubKey),
 				Private: string(privKey),
 			})
+			didGenerate = true
+
+			return
+		}()
+
+		if err != nil {
+			return
+		}
 	}

 	if didGenerate {
-		cs.SSHKeyPairs[host] = pairs
-		err = sd.Save()
+		err = sshHostKeys.Put(host, pairs)
+		if err != nil {
+			return
+		}
 	}

 	return
--- a/cmd/dkl-local-server/ssh-secrets_test.go
+++ b/cmd/dkl-local-server/ssh-secrets_test.go
@ -2,16 +2,9 @@ package main

 import "testing"

-func init() {
-	DontSave = true
-}
-
 func TestSSHKeyGet(t *testing.T) {
-	sd := &SecretData{
-		clusters: make(map[string]*ClusterSecrets),
-	}
-
-	if _, err := sd.SSHKeyPairs("test", "host"); err != nil {
-		t.Error(err)
-	}
+	// TODO needs fake secret store
+	// if _, err := getSSHKeyPairs("host"); err != nil {
+	// 	t.Error(err)
+	// }
 }
--- a/cmd/dkl-local-server/state.go
+++ b/cmd/dkl-local-server/state.go
@ -0,0 +1,138 @@
+package main
+
+import (
+	"log"
+
+	"m.cluseau.fr/go/watchable"
+	"novit.tech/direktil/pkg/localconfig"
+)
+
+type PublicState struct {
+	ServerVersion string
+	UIHash        string
+	Store         struct {
+		New  bool
+		Open bool
+	}
+}
+
+var wPublicState = watchable.New[PublicState]()
+
+type State struct {
+	HasConfig bool
+
+	Store struct {
+		DownloadToken string
+		KeyNames      []string
+	}
+
+	Clusters []ClusterState
+	Hosts    []HostState
+	Config   *localconfig.Config
+
+	Downloads map[string]DownloadSpec
+}
+
+type ClusterState struct {
+	Name      string
+	Addons    bool
+	Passwords []string
+	Tokens    []string
+	CAs       []CAState
+}
+
+type HostState struct {
+	Name    string
+	Cluster string
+	IPs     []string
+}
+
+type CAState struct {
+	Name   string
+	Signed []string
+}
+
+var wState = watchable.New[State]()
+
+func init() {
+	wState.Set(State{Downloads: map[string]DownloadSpec{}})
+}
+
+func updateState() {
+	log.Print("updating state")
+
+	// store key names
+	keyNames := make([]string, 0, len(secStore.Keys))
+	for _, key := range secStore.Keys {
+		keyNames = append(keyNames, key.Name)
+	}
+
+	// config
+	cfg, err := readConfig()
+	if err != nil {
+		wState.Change(func(v *State) { v.HasConfig = false; v.Config = nil; v.Store.KeyNames = keyNames })
+		return
+	}
+
+	if secStore.IsNew() || !secStore.Unlocked() {
+		wState.Change(func(v *State) { v.HasConfig = false; v.Config = nil; v.Store.KeyNames = keyNames })
+		return
+	}
+
+	// remove heavy data
+	clusters := make([]ClusterState, 0, len(cfg.Clusters))
+	for _, cluster := range cfg.Clusters {
+		c := ClusterState{
+			Name:   cluster.Name,
+			Addons: len(cluster.Addons) != 0,
+		}
+
+		c.Passwords, err = clusterPasswords.Keys(c.Name + "/")
+		if err != nil {
+			log.Print("failed to read cluster passwords: ", err)
+		}
+		c.Tokens, err = clusterTokens.Keys(c.Name + "/")
+		if err != nil {
+			log.Print("failed to read cluster tokens: ", err)
+		}
+
+		caNames, err := clusterCAs.Keys(c.Name + "/")
+		if err != nil {
+			log.Print("failed to read cluster CAs: ", err)
+		}
+		for _, caName := range caNames {
+			ca := CAState{Name: caName}
+
+			signedNames, err := clusterCASignedKeys.Keys(c.Name + "/" + caName + "/")
+			if err != nil {
+				log.Print("failed to read cluster CA signed keys: ", err)
+			}
+			for _, signedName := range signedNames {
+				ca.Signed = append(ca.Signed, signedName)
+			}
+
+			c.CAs = append(c.CAs, ca)
+		}
+
+		clusters = append(clusters, c)
+	}
+
+	hosts := make([]HostState, 0, len(cfg.Hosts))
+	for _, host := range cfg.Hosts {
+		h := HostState{
+			Name:    host.Name,
+			Cluster: host.ClusterName,
+			IPs:     host.IPs,
+		}
+
+		hosts = append(hosts, h)
+	}
+
+	// done
+	wState.Change(func(v *State) {
+		v.HasConfig = true
+		v.Store.KeyNames = keyNames
+		v.Clusters = clusters
+		v.Hosts = hosts
+	})
+}
--- a/cmd/dkl-local-server/tls-ca.go
+++ b/cmd/dkl-local-server/tls-ca.go
@ -0,0 +1,178 @@
+package main
+
+import (
+	"crypto"
+	"errors"
+	"fmt"
+	"log"
+	"net"
+
+	"github.com/cloudflare/cfssl/config"
+	"github.com/cloudflare/cfssl/csr"
+	"github.com/cloudflare/cfssl/helpers"
+	"github.com/cloudflare/cfssl/initca"
+	"github.com/cloudflare/cfssl/signer"
+	"github.com/cloudflare/cfssl/signer/local"
+	"k8s.io/apimachinery/pkg/util/validation"
+)
+
+type CA struct {
+	Key  []byte
+	Cert []byte
+
+	Signed map[string]*KeyCert
+}
+
+func (ca *CA) Init() (err error) {
+	req := ca.newReq()
+
+	cert, _, key, err := initca.New(req)
+	if err != nil {
+		err = fmt.Errorf("initca: %w", err)
+		return
+	}
+
+	ca.Key = key
+	ca.Cert = cert
+
+	return
+}
+
+func (ca *CA) RenewCert() (err error) {
+	var signer crypto.Signer
+	signer, err = helpers.ParsePrivateKeyPEM(ca.Key)
+	if err != nil {
+		return
+	}
+
+	newCert, _, err := initca.NewFromSigner(ca.newReq(), signer)
+	if err != nil {
+		return
+	}
+
+	ca.Cert = newCert
+
+	return
+}
+
+func (_ CA) newReq() *csr.CertificateRequest {
+	return &csr.CertificateRequest{
+		CN: "Direktil Local Server",
+		KeyRequest: &csr.KeyRequest{
+			A: "ecdsa",
+			S: 521, // 256, 384, 521
+		},
+		Names: []csr.Name{
+			{
+				O: "novit.io",
+			},
+		},
+	}
+}
+
+func (ca CA) Signer(policy *config.Signing) (result *local.Signer, err error) {
+	caCert, err := helpers.ParseCertificatePEM(ca.Cert)
+	if err != nil {
+		return
+	}
+
+	caKey, err := helpers.ParsePrivateKeyPEM(ca.Key)
+	if err != nil {
+		return
+	}
+
+	return local.NewSigner(caKey, caCert, signer.DefaultSigAlgo(caKey), policy)
+}
+
+func getUsableKeyCert(cluster, caName, name, profile, label string, req *csr.CertificateRequest, cfg *config.Config) (kc KeyCert, err error) {
+	log := log.New(log.Default().Writer(), cluster+": CA "+caName+": ", log.Flags()|log.Lmsgprefix)
+
+	ca, err := getUsableClusterCA(cluster, caName)
+	if err != nil {
+		return
+	}
+
+	for _, host := range req.Hosts {
+		if ip := net.ParseIP(host); ip != nil {
+			// valid IP (v4 or v6)
+			continue
+		}
+
+		if host == "*" {
+			continue
+		}
+
+		if errs := validation.IsDNS1123Subdomain(host); len(errs) == 0 {
+			continue
+		}
+		if errs := validation.IsWildcardDNS1123Subdomain(host); len(errs) == 0 {
+			continue
+		}
+
+		err = fmt.Errorf("%q is not an IP or FQDN", host)
+		return
+	}
+
+	if req.CA != nil {
+		err = errors.New("no CA section allowed here")
+		return
+	}
+
+	rh := hash(req)
+
+	key := cluster + "/" + caName + "/" + name
+
+	kc, found, err := clusterCASignedKeys.Get(key)
+	if err != nil {
+		return
+	}
+
+	if found {
+		if rh == kc.ReqHash {
+			err = checkCertUsable(kc.Cert)
+			if err == nil {
+				return // all good, no need to create or renew
+			}
+
+			log.Print("regenerating certificate: ", err)
+
+		} else {
+			log.Printf("CSR changed for %s: hash=%q previous=%q", name, rh, kc.ReqHash)
+		}
+	} else {
+		log.Print("new CSR for ", name)
+	}
+
+	sgr, err := ca.Signer(cfg.Signing)
+	if err != nil {
+		return
+	}
+
+	generator := &csr.Generator{Validator: func(_ *csr.CertificateRequest) error { return nil }}
+
+	csr, tlsKey, err := generator.ProcessRequest(req)
+	if err != nil {
+		return
+	}
+
+	signReq := signer.SignRequest{
+		Request: string(csr),
+		Profile: profile,
+		Label:   label,
+	}
+
+	cert, err := sgr.Sign(signReq)
+	if err != nil {
+		return
+	}
+
+	kc = KeyCert{
+		Key:     tlsKey,
+		Cert:    cert,
+		ReqHash: rh,
+	}
+
+	err = clusterCASignedKeys.Put(key, kc)
+
+	return
+}
--- a/cmd/dkl-local-server/token.go
+++ b/cmd/dkl-local-server/token.go
@ -0,0 +1,24 @@
+package main
+
+import (
+	"crypto/rand"
+	"encoding/base32"
+	"log"
+	"net/http"
+
+	"m.cluseau.fr/go/httperr"
+)
+
+func newToken(sizeInBytes int) (token string, err error) {
+	randBytes := make([]byte, sizeInBytes)
+
+	_, err = rand.Read(randBytes)
+	if err != nil {
+		log.Print("rand read error: ", err)
+		err = httperr.New(http.StatusInternalServerError, err)
+		return
+	}
+
+	token = base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(randBytes)
+	return
+}
--- a/cmd/dkl-local-server/ui.go
+++ b/cmd/dkl-local-server/ui.go
@ -0,0 +1,45 @@
+package main
+
+import (
+	"encoding/base32"
+	"io"
+	"io/fs"
+	"log"
+	"strings"
+
+	"github.com/cespare/xxhash"
+	dlshtml "novit.tech/direktil/local-server/html"
+)
+
+func computeUIHash() {
+	xxh := xxhash.New()
+
+	err := fs.WalkDir(dlshtml.FS, "ui", func(path string, entry fs.DirEntry, walkErr error) (err error) {
+		if walkErr != nil {
+			err = walkErr
+			return
+		}
+
+		if entry.IsDir() {
+			return
+		}
+
+		f, err := dlshtml.FS.Open(path)
+		if err != nil {
+			return
+		}
+		defer f.Close()
+
+		io.Copy(xxh, f)
+
+		return nil
+	})
+
+	if err != nil {
+		log.Fatal("failed to hash UI: ", err)
+	}
+
+	h := strings.ToLower(base32.HexEncoding.WithPadding(base32.NoPadding).EncodeToString(xxh.Sum(nil)))[:5]
+	log.Printf("UI hash: %s", h)
+	wPublicState.Change(func(v *PublicState) { v.UIHash = h })
+}
--- a/cmd/dkl-local-server/upstream.go
+++ b/cmd/dkl-local-server/upstream.go
@ -19,7 +19,7 @@ import (
 )

 var (
-	upstreamURL = flag.String("upstream", "https://direktil.novit.nc/dist", "Upstream server for dist elements")
+	upstreamURL = flag.String("upstream", "https://dkl.novit.io/dist", "Upstream server for dist elements")
 )

 func (ctx *renderContext) distFetch(path ...string) (outPath string, err error) {
--- a/cmd/dkl-local-server/ws-auth.go
+++ b/cmd/dkl-local-server/ws-auth.go
@ -7,24 +7,20 @@ import (
 )

 func adminAuth(req *restful.Request, resp *restful.Response, chain *restful.FilterChain) {
-	tokenAuth(req, resp, chain, *adminToken)
-}
-
-func hostsAuth(req *restful.Request, resp *restful.Response, chain *restful.FilterChain) {
-	tokenAuth(req, resp, chain, *hostsToken, *adminToken)
+	tokenAuth(req, resp, chain, adminToken)
 }

 func tokenAuth(req *restful.Request, resp *restful.Response, chain *restful.FilterChain, allowedTokens ...string) {
 	token := getToken(req)

 	for _, allowedToken := range allowedTokens {
-		if allowedToken == "" || token == allowedToken {
+		if allowedToken != "" && token == allowedToken {
 			chain.ProcessFilter(req, resp)
 			return
 		}
 	}

-	resp.WriteErrorString(401, "401: Not Authorized")
+	wsError(resp, ErrUnauthorized)
 	return
 }

@ -33,8 +29,12 @@ func getToken(req *restful.Request) string {

 	token := req.HeaderParameter("Authorization")

+	if token == "" {
+		return req.QueryParameter("token")
+	}
+
 	if !strings.HasPrefix(token, bearerPrefix) {
-		return ""
+		return token
 	}

 	return token[len(bearerPrefix):]
--- a/cmd/dkl-local-server/ws-cluster-cas.go
+++ b/cmd/dkl-local-server/ws-cluster-cas.go
@ -0,0 +1,83 @@
+package main
+
+import (
+	"fmt"
+
+	"github.com/cloudflare/cfssl/log"
+	restful "github.com/emicklei/go-restful"
+)
+
+var clusterCAs = newClusterSecretKV[CA]("CAs")
+
+func wsClusterCAs(req *restful.Request, resp *restful.Response) {
+	clusterName := req.PathParameter("cluster-name")
+	clusterCAs.WsList(resp, clusterName+"/")
+}
+
+func wsClusterCA(req *restful.Request, resp *restful.Response) {
+	clusterName := req.PathParameter("cluster-name")
+	name := req.PathParameter("ca-name")
+
+	clusterCAs.WsGet(resp, clusterName+"/"+name)
+}
+
+func getUsableClusterCA(cluster, name string) (ca CA, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("cluster %s CA %s: %w", cluster, name, err)
+		}
+	}()
+
+	key := cluster + "/" + name
+
+	ca, found, err := clusterCAs.Get(key)
+	if err != nil {
+		return
+	}
+
+	if !found {
+		log.Info("new CA in cluster ", cluster, ": ", name)
+
+		err = ca.Init()
+		if err != nil {
+			return
+		}
+
+		err = clusterCAs.Put(key, ca)
+		if err != nil {
+			return
+		}
+
+		return
+	}
+
+	checkErr := checkCertUsable(ca.Cert)
+	if checkErr != nil {
+		log.Infof("cluster %s: CA %s: regenerating certificate: %v", cluster, name, checkErr)
+
+		err = ca.RenewCert()
+		if err != nil {
+			err = fmt.Errorf("renew: %w", err)
+		}
+
+		err = clusterCAs.Put(key, ca)
+	}
+
+	return
+}
+
+var clusterCASignedKeys = newClusterSecretKV[KeyCert]("CA-signed-keys")
+
+func wsClusterCASignedKeys(req *restful.Request, resp *restful.Response) {
+	clusterName := req.PathParameter("cluster-name")
+	caName := req.PathParameter("ca-name")
+	clusterCASignedKeys.WsList(resp, clusterName+"/"+caName+"/")
+}
+
+func wsClusterCASignedKey(req *restful.Request, resp *restful.Response) {
+	clusterName := req.PathParameter("cluster-name")
+	caName := req.PathParameter("ca-name")
+	name := req.PathParameter("signed-name")
+
+	clusterCASignedKeys.WsGet(resp, clusterName+"/"+caName+"/"+name)
+}
--- a/cmd/dkl-local-server/ws-cluster-passwords.go
+++ b/cmd/dkl-local-server/ws-cluster-passwords.go
@ -0,0 +1,32 @@
+package main
+
+import (
+	restful "github.com/emicklei/go-restful"
+)
+
+var seeds = newClusterSecretKV[[]byte]("seeds")
+
+var clusterPasswords = newClusterSecretKV[string]("passwords")
+
+func wsClusterPasswords(req *restful.Request, resp *restful.Response) {
+	clusterName := req.PathParameter("cluster-name")
+	clusterPasswords.WsList(resp, clusterName+"/")
+}
+
+func wsClusterPassword(req *restful.Request, resp *restful.Response) {
+	clusterName := req.PathParameter("cluster-name")
+	name := req.PathParameter("password-name")
+
+	clusterPasswords.WsGet(resp, clusterName+"/"+name)
+}
+
+func wsClusterSetPassword(req *restful.Request, resp *restful.Response) {
+	cluster := wsReadCluster(req, resp)
+	if cluster == nil {
+		return
+	}
+
+	name := req.PathParameter("password-name")
+
+	clusterPasswords.WsPut(req, resp, cluster.Name+"/"+name)
+}
--- a/cmd/dkl-local-server/ws-cluster-tokens.go
+++ b/cmd/dkl-local-server/ws-cluster-tokens.go
@ -0,0 +1,43 @@
+package main
+
+import (
+	"crypto/rand"
+	"encoding/base32"
+
+	restful "github.com/emicklei/go-restful"
+)
+
+var clusterTokens = newClusterSecretKV[string]("tokens")
+
+func getOrCreateClusterToken(cluster, name string) (token string, err error) {
+	key := cluster + "/" + name
+
+	token, found, err := clusterTokens.Get(key)
+
+	if err != nil || found {
+		return
+	}
+
+	b := make([]byte, 16)
+	_, err = rand.Read(b)
+	if err != nil {
+		return
+	}
+
+	token = base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b)
+
+	err = clusterTokens.Put(key, token)
+	return
+}
+
+func wsClusterTokens(req *restful.Request, resp *restful.Response) {
+	clusterName := req.PathParameter("cluster-name")
+	clusterTokens.WsList(resp, clusterName+"/")
+}
+
+func wsClusterToken(req *restful.Request, resp *restful.Response) {
+	clusterName := req.PathParameter("cluster-name")
+	name := req.PathParameter("token-name")
+
+	clusterTokens.WsGet(resp, clusterName+"/"+name)
+}
--- a/cmd/dkl-local-server/ws-clusters.go
+++ b/cmd/dkl-local-server/ws-clusters.go
@ -2,13 +2,22 @@ package main

 import (
 	"log"
-	"sort"
+	"net/url"
+	"strconv"

 	restful "github.com/emicklei/go-restful"

-	"novit.nc/direktil/pkg/localconfig"
+	"novit.tech/direktil/local-server/pkg/mime"
+	"novit.tech/direktil/pkg/localconfig"
 )

+var clusterSecretKVs = []string{}
+
+func newClusterSecretKV[T any](name string) KVSecrets[T] {
+	clusterSecretKVs = append(clusterSecretKVs, name)
+	return KVSecrets[T]{"clusters/" + name}
+}
+
 func wsListClusters(req *restful.Request, resp *restful.Response) {
 	cfg := wsReadConfig(resp)
 	if cfg == nil {
@ -33,7 +42,7 @@ func wsReadCluster(req *restful.Request, resp *restful.Response) (cluster *local

 	cluster = cfg.Cluster(clusterName)
 	if cluster == nil {
-		wsNotFound(req, resp)
+		wsNotFound(resp)
 		return
 	}

@ -57,152 +66,58 @@ func wsClusterAddons(req *restful.Request, resp *restful.Response) {

 	if len(cluster.Addons) == 0 {
 		log.Printf("cluster %q has no addons defined", cluster.Name)
-		wsNotFound(req, resp)
+		wsNotFound(resp)
 		return
 	}

-	wsRender(resp, cluster.Addons, cluster)
-}
-
-func wsClusterPasswords(req *restful.Request, resp *restful.Response) {
-	cluster := wsReadCluster(req, resp)
-	if cluster == nil {
+	cfg := wsReadConfig(resp)
+	if cfg == nil {
 		return
 	}

-	resp.WriteEntity(secretData.Passwords(cluster.Name))
-}
-
-func wsClusterPassword(req *restful.Request, resp *restful.Response) {
-	cluster := wsReadCluster(req, resp)
-	if cluster == nil {
-		return
-	}
-
-	name := req.PathParameter("password-name")
-
-	resp.WriteEntity(secretData.Password(cluster.Name, name))
-}
-
-func wsClusterSetPassword(req *restful.Request, resp *restful.Response) {
-	cluster := wsReadCluster(req, resp)
-	if cluster == nil {
-		return
-	}
-
-	name := req.PathParameter("password-name")
-
-	var password string
-	if err := req.ReadEntity(&password); err != nil {
-		wsError(resp, err) // FIXME this is a BadRequest
-		return
-	}
-
-	secretData.SetPassword(cluster.Name, name, password)
-
-	if err := secretData.Save(); err != nil {
-		wsError(resp, err)
-		return
-	}
-}
-
-func wsClusterToken(req *restful.Request, resp *restful.Response) {
-	cluster := wsReadCluster(req, resp)
-	if cluster == nil {
-		return
-	}
-
-	name := req.PathParameter("token-name")
-
-	token, err := secretData.Token(cluster.Name, name)
+	sslCfg, err := sslConfigFromLocalConfig(cfg)
 	if err != nil {
 		wsError(resp, err)
 		return
 	}

-	resp.WriteEntity(token)
-}
-
-func wsClusterBootstrapPods(req *restful.Request, resp *restful.Response) {
-	cluster := wsReadCluster(req, resp)
-	if cluster == nil {
-		return
-	}
-
-	if len(cluster.BootstrapPods) == 0 {
-		log.Printf("cluster %q has no bootstrap pods defined", cluster.Name)
-		wsNotFound(req, resp)
-		return
-	}
-
-	wsRender(resp, cluster.BootstrapPods, cluster)
-}
-
-func wsClusterCAs(req *restful.Request, resp *restful.Response) {
-	cs := secretData.clusters[req.PathParameter("cluster-name")]
-	if cs == nil {
-		wsNotFound(req, resp)
-		return
-	}
-
-	keys := make([]string, 0, len(cs.CAs))
-	for k := range cs.CAs {
-		keys = append(keys, k)
-	}
-
-	sort.Strings(keys)
-
-	resp.WriteJson(keys, restful.MIME_JSON)
+	wsRender(resp, sslCfg, cluster.Addons, cluster)
 }

 func wsClusterCACert(req *restful.Request, resp *restful.Response) {
-	cs := secretData.clusters[req.PathParameter("cluster-name")]
-	if cs == nil {
-		wsNotFound(req, resp)
-		return
-	}
-
-	ca := cs.CAs[req.PathParameter("ca-name")]
-	if ca == nil {
-		wsNotFound(req, resp)
+	clusterName := req.PathParameter("cluster-name")
+	caName := req.PathParameter("ca-name")
+
+	ca, found, err := clusterCAs.Get(clusterName + "/" + caName)
+	if err != nil {
+		wsError(resp, err)
+		return
+	}
+	if !found {
+		wsNotFound(resp)
 		return
 	}

+	resp.Header().Set("Content-Type", mime.CERT)
 	resp.Write(ca.Cert)
 }

 func wsClusterSignedCert(req *restful.Request, resp *restful.Response) {
-	cs := secretData.clusters[req.PathParameter("cluster-name")]
-	if cs == nil {
-		wsNotFound(req, resp)
-		return
-	}
-
-	ca := cs.CAs[req.PathParameter("ca-name")]
-	if ca == nil {
-		wsNotFound(req, resp)
-		return
-	}
-
+	clusterName := req.PathParameter("cluster-name")
+	caName := req.PathParameter("ca-name")
 	name := req.QueryParameter("name")

-	if name == "" {
-		keys := make([]string, 0, len(ca.Signed))
-		for k := range ca.Signed {
-			keys = append(keys, k)
+	kc, found, err := clusterCASignedKeys.Get(clusterName + "/" + caName + "/" + name)
+	if err != nil {
+		wsError(resp, err)
+		return
 	}
-
-		sort.Strings(keys)
-
-		resp.WriteJson(keys, restful.MIME_JSON)
-		return
-	}
-
-	kc := ca.Signed[name]
-	if kc == nil {
-		wsNotFound(req, resp)
+	if !found {
+		wsNotFound(resp)
 		return
 	}

+	resp.AddHeader("Content-Type", mime.CERT)
+	resp.AddHeader("Content-Disposition", "attachment; filename="+strconv.Quote(clusterName+"_"+caName+"_"+url.PathEscape(name)+".crt"))
 	resp.Write(kc.Cert)
 }
--- a/cmd/dkl-local-server/ws-configs.go
+++ b/cmd/dkl-local-server/ws-configs.go
@ -18,7 +18,10 @@ func wsUploadConfig(req *restful.Request, resp *restful.Response) {

 	if err != nil {
 		wsError(resp, err)
+		return
 	}
+
+	resp.WriteEntity(true)
 }

 func writeNewConfig(reader io.Reader) (err error) {
@ -38,13 +41,22 @@ func writeNewConfig(reader io.Reader) (err error) {
 	cfgPath := configFilePath()
 	in, err := os.Open(cfgPath)

-	if err == nil {
+	if err != nil {
+		if os.IsNotExist(err) {
+			// nothing to backup
+		} else {
+			return // real error
+		}
+	} else {
 		err = backupCurrentConfig(in)
-	} else if !os.IsNotExist(err) {
+		if err != nil {
 			return
 		}
+	}

 	err = os.Rename(out.Name(), cfgPath)
+
+	updateState()
 	return
 }

--- a/cmd/dkl-local-server/ws-downloads.go
+++ b/cmd/dkl-local-server/ws-downloads.go
@ -0,0 +1,151 @@
+package main
+
+import (
+	"crypto/rand"
+	"encoding/base32"
+	"log"
+	"net/http"
+	"strconv"
+	"time"
+
+	restful "github.com/emicklei/go-restful"
+	"m.cluseau.fr/go/cow"
+)
+
+type DownloadSpec struct {
+	Kind   string
+	Name   string
+	Assets []string
+
+	createdAt time.Time
+}
+
+func wsAuthorizeDownload(req *restful.Request, resp *restful.Response) {
+	var spec DownloadSpec
+
+	if err := req.ReadEntity(&spec); err != nil {
+		wsError(resp, err)
+		return
+	}
+
+	if spec.Kind == "" || spec.Name == "" || len(spec.Assets) == 0 {
+		resp.WriteErrorString(http.StatusBadRequest, "missing data")
+		return
+	}
+
+	randBytes := make([]byte, 32)
+	_, err := rand.Read(randBytes)
+	if err != nil {
+		wsError(resp, err)
+		return
+	}
+
+	token := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(randBytes)
+
+	spec.createdAt = time.Now()
+
+	wState.Change(func(v *State) {
+		cow.MapSet(&v.Downloads, token, spec)
+	})
+
+	log.Printf("download token created for %s %q, assets %q", spec.Kind, spec.Name, spec.Assets)
+
+	resp.WriteAsJson(token)
+}
+
+func wsDownload(req *restful.Request, resp *restful.Response) {
+	token := req.PathParameter("token")
+	asset := req.PathParameter("asset")
+
+	if token == "" || asset == "" {
+		wsNotFound(resp)
+		return
+	}
+
+	var spec DownloadSpec
+	found := false
+	wState.Change(func(v *State) {
+		var ok bool
+		spec, ok = v.Downloads[token]
+		if !ok {
+			return
+		}
+
+		newAssets := make([]string, 0, len(spec.Assets))
+		for _, a := range spec.Assets {
+			if a == asset {
+				found = true
+			} else {
+				newAssets = append(newAssets, a)
+			}
+		}
+
+		if !found {
+			wsNotFound(resp)
+			return
+		}
+
+		cow.Map(&v.Downloads)
+
+		if len(newAssets) == 0 {
+			delete(v.Downloads, token)
+		} else {
+			spec.Assets = newAssets
+			v.Downloads[token] = spec
+		}
+	})
+
+	if !found {
+		wsNotFound(resp)
+		return
+	}
+
+	log.Printf("download via token: %s %q asset %q", spec.Kind, spec.Name, asset)
+
+	cfg, err := readConfig()
+	if err != nil {
+		wsError(resp, err)
+		return
+	}
+
+	setHeader := func(ext string) {
+		resp.AddHeader("Content-Disposition", "attachment; filename="+strconv.Quote(spec.Kind+"_"+spec.Name+"_"+asset+ext))
+	}
+
+	switch spec.Kind {
+	case "cluster":
+		cluster := cfg.ClusterByName(spec.Name)
+		if cluster == nil {
+			wsNotFound(resp)
+			return
+		}
+
+		switch asset {
+		case "addons":
+			setHeader(".yaml")
+			resp.Write([]byte(cluster.Addons))
+
+		default:
+			wsNotFound(resp)
+		}
+
+	case "host":
+		host := cfg.Host(spec.Name)
+		if host == nil {
+			wsNotFound(resp)
+			return
+		}
+
+		switch asset {
+		case "config", "bootstrap-config":
+			setHeader(".yaml")
+		default:
+			setHeader("")
+		}
+
+		renderHost(resp.ResponseWriter, req.Request, asset, host, cfg)
+
+	default:
+		wsNotFound(resp)
+	}
+}
--- a/cmd/dkl-local-server/ws-host.go
+++ b/cmd/dkl-local-server/ws-host.go
@ -8,25 +8,28 @@ import (

 	restful "github.com/emicklei/go-restful"

-	"novit.nc/direktil/local-server/pkg/mime"
-	"novit.nc/direktil/pkg/localconfig"
+	"novit.tech/direktil/pkg/localconfig"
+
+	"novit.tech/direktil/local-server/pkg/mime"
 )

-var trustXFF = flag.Bool("trust-xff", true, "Trust the X-Forwarded-For header")
+var (
+	allowDetectedHost = flag.Bool("allow-detected-host", false, "Allow access to host assets from its IP (insecure but enables unattended netboot)")
+	trustXFF          = flag.Bool("trust-xff", false, "Trust the X-Forwarded-For header")
+)

 type wsHost struct {
-	prefix  string
 	hostDoc string
-	getHost func(req *restful.Request) string
+	getHost func(req *restful.Request) (hostName string, err error)
 }

-func (ws *wsHost) register(rws *restful.WebService, alterRB func(*restful.RouteBuilder)) {
+func (ws wsHost) register(rws *restful.WebService, alterRB func(*restful.RouteBuilder)) {
 	b := func(what string) *restful.RouteBuilder {
-		return rws.GET(ws.prefix + "/" + what).To(ws.render)
+		return rws.GET("/" + what).To(ws.render)
 	}

 	for _, rb := range []*restful.RouteBuilder{
-		rws.GET(ws.prefix).To(ws.get).
+		rws.GET("").To(ws.get).
 			Doc("Get the "+ws.hostDoc+"'s details").
 			Returns(200, "OK", localconfig.Host{}),

@ -55,6 +58,9 @@ func (ws *wsHost) register(rws *restful.WebService, alterRB func(*restful.RouteB
 		b("boot.tar").
 			Produces(mime.TAR).
 			Doc("Get the " + ws.hostDoc + "'s /boot archive (ie: for metal upgrades)"),
+		b("boot-efi.tar").
+			Produces(mime.TAR).
+			Doc("Get the " + ws.hostDoc + "'s /boot archive (ie: for metal upgrades)"),

 		// read-only ISO support
 		b("boot.iso").
@ -67,27 +73,42 @@ func (ws *wsHost) register(rws *restful.WebService, alterRB func(*restful.RouteB
 			Produces(mime.IPXE).
 			Doc("Get the " + ws.hostDoc + "'s IPXE code (for netboot)"),

+		// boot support
 		b("kernel").
 			Produces(mime.OCTET).
 			Doc("Get the " + ws.hostDoc + "'s kernel (ie: for netboot)"),
-
 		b("initrd").
 			Produces(mime.OCTET).
 			Doc("Get the " + ws.hostDoc + "'s initial RAM disk (ie: for netboot)"),
+
+		// - bootstrap config
+		b("bootstrap-config").
+			Produces(mime.YAML).
+			Doc("Get the " + ws.hostDoc + "'s bootstrap configuration"),
+		b("bootstrap-config.json").
+			Doc("Get the " + ws.hostDoc + "'s bootstrap configuration (as JSON)"),
+		// - bootstrap
+		b("bootstrap.tar").
+			Produces(mime.TAR).
+			Doc("Get the " + ws.hostDoc + "'s bootstrap seed archive"),
 	} {
 		alterRB(rb)
 		rws.Route(rb)
 	}
 }

-func (ws *wsHost) host(req *restful.Request, resp *restful.Response) (host *localconfig.Host, cfg *localconfig.Config) {
-	hostname := ws.getHost(req)
+func (ws wsHost) host(req *restful.Request, resp *restful.Response) (host *localconfig.Host, cfg *localconfig.Config) {
+	hostname, err := ws.getHost(req)
+	if err != nil {
+		wsError(resp, err)
+		return
+	}
 	if hostname == "" {
-		wsNotFound(req, resp)
+		wsNotFound(resp)
 		return
 	}

-	cfg, err := readConfig()
+	cfg, err = readConfig()
 	if err != nil {
 		wsError(resp, err)
 		return
@ -96,13 +117,13 @@ func (ws *wsHost) host(req *restful.Request, resp *restful.Response) (host *loca
 	host = cfg.Host(hostname)
 	if host == nil {
 		log.Print("no host named ", hostname)
-		wsNotFound(req, resp)
+		wsNotFound(resp)
 		return
 	}
 	return
 }

-func (ws *wsHost) get(req *restful.Request, resp *restful.Response) {
+func (ws wsHost) get(req *restful.Request, resp *restful.Response) {
 	host, _ := ws.host(req, resp)
 	if host == nil {
 		return
@ -111,7 +132,7 @@ func (ws *wsHost) get(req *restful.Request, resp *restful.Response) {
 	resp.WriteEntity(host)
 }

-func (ws *wsHost) render(req *restful.Request, resp *restful.Response) {
+func (ws wsHost) render(req *restful.Request, resp *restful.Response) {
 	host, cfg := ws.host(req, resp)
 	if host == nil {
 		return
@ -143,21 +164,26 @@ func renderHost(w http.ResponseWriter, r *http.Request, what string, host *local
 	case "kernel":
 		err = renderKernel(w, r, ctx)

+	// boot v2
+	case "bootstrap-config":
+		err = renderBootstrapConfig(w, r, ctx, false)
+	case "bootstrap-config.json":
+		err = renderBootstrapConfig(w, r, ctx, true)
 	case "initrd":
 		err = renderCtx(w, r, ctx, what, buildInitrd)
-
+	case "bootstrap.tar":
+		err = renderCtx(w, r, ctx, what, buildBootstrap)
 	case "boot.iso":
 		err = renderCtx(w, r, ctx, what, buildBootISO)
-
 	case "boot.tar":
 		err = renderCtx(w, r, ctx, what, buildBootTar)
+	case "boot-efi.tar":
+		err = renderCtx(w, r, ctx, what, buildBootEFITar)

 	case "boot.img":
 		err = renderCtx(w, r, ctx, what, buildBootImg)
-
 	case "boot.img.gz":
 		err = renderCtx(w, r, ctx, what, buildBootImgGZ)
-
 	case "boot.img.lz4":
 		err = renderCtx(w, r, ctx, what, buildBootImgLZ4)

--- a/cmd/dkl-local-server/ws-public.go
+++ b/cmd/dkl-local-server/ws-public.go
@ -0,0 +1,195 @@
+package main
+
+import (
+	"archive/tar"
+	"bytes"
+	"io"
+	"io/fs"
+	"log"
+	"net/http"
+	"os"
+	"path/filepath"
+
+	restful "github.com/emicklei/go-restful"
+	"m.cluseau.fr/go/httperr"
+	"novit.tech/direktil/local-server/secretstore"
+)
+
+type NamedPassphrase struct {
+	Name       string
+	Passphrase []byte
+}
+
+func wsUnlockStore(req *restful.Request, resp *restful.Response) {
+	np := NamedPassphrase{}
+	err := req.ReadEntity(&np)
+	if err != nil {
+		resp.WriteError(http.StatusBadRequest, err)
+		return
+	}
+
+	defer secretstore.Memzero(np.Passphrase)
+
+	if secStore.IsNew() {
+		if len(np.Name) == 0 {
+			wsBadRequest(resp, "no name given")
+			return
+		}
+	}
+
+	if len(np.Passphrase) == 0 {
+		wsBadRequest(resp, "no passphrase given")
+		return
+	}
+
+	if secStore.Unlocked() {
+		if secStore.HasKey(np.Passphrase) {
+			resp.WriteEntity(adminToken)
+		} else {
+			wsError(resp, ErrUnauthorized)
+		}
+		return
+	}
+
+	if err := unlockSecretStore(np.Name, np.Passphrase); err.Any() {
+		err.WriteJSON(resp.ResponseWriter)
+		return
+	}
+
+	resp.WriteEntity(adminToken)
+}
+
+func wsStoreDownload(req *restful.Request, resp *restful.Response) {
+	token := req.QueryParameter("token")
+	if token != wState.Get().Store.DownloadToken {
+		wsError(resp, ErrInvalidToken)
+		return
+	}
+
+	buf := new(bytes.Buffer)
+	arch := tar.NewWriter(buf)
+
+	root := os.DirFS(secStoreRoot())
+
+	err := fs.WalkDir(root, ".", func(path string, d fs.DirEntry, readErr error) (err error) {
+		if readErr != nil {
+			err = readErr
+			return
+		}
+
+		if path == "." {
+			return
+		}
+
+		fi, err := d.Info()
+		if err != nil {
+			return
+		}
+
+		hdr, err := tar.FileInfoHeader(fi, "")
+		if err != nil {
+			return
+		}
+
+		hdr.Name = path
+		hdr.Uid = 0
+		hdr.Gid = 0
+
+		err = arch.WriteHeader(hdr)
+		if err != nil {
+			return
+		}
+
+		if fi.IsDir() {
+			return
+		}
+
+		f, err := root.Open(path)
+		if err != nil {
+			return
+		}
+		defer f.Close()
+
+		io.Copy(arch, f)
+
+		return
+	})
+
+	if err != nil {
+		wsError(resp, err)
+		return
+	}
+
+	err = arch.Close()
+	if err != nil {
+		wsError(resp, err)
+		return
+	}
+
+	buf.WriteTo(resp)
+}
+
+func wsStoreUpload(req *restful.Request, resp *restful.Response) {
+	if !secStore.IsNew() {
+		wsError(resp, httperr.BadRequest("store is not new"))
+		return
+	}
+
+	buf := new(bytes.Buffer)
+
+	_, err := io.Copy(buf, req.Request.Body)
+	if err != nil {
+		wsError(resp, err)
+		return
+	}
+
+	arch := tar.NewReader(buf)
+
+	root := secStoreRoot()
+
+	for {
+		hdr, err := arch.Next()
+		if err == io.EOF {
+			err = nil
+			break
+		} else if err != nil {
+			wsError(resp, err)
+			return
+		}
+
+		log.Print(hdr.Name)
+
+		fullPath := filepath.Join(root, hdr.Name)
+
+		switch {
+		case hdr.FileInfo().IsDir():
+			err = os.MkdirAll(fullPath, 0700)
+			if err != nil {
+				wsError(resp, err)
+				return
+			}
+
+		default:
+			content, err := io.ReadAll(io.LimitReader(arch, hdr.Size))
+			if err != nil {
+				wsError(resp, err)
+				return
+			}
+
+			err = os.WriteFile(fullPath, content, 0600)
+			if err != nil {
+				wsError(resp, err)
+				return
+			}
+		}
+	}
+
+	if err != nil {
+		wsError(resp, err)
+		return
+	}
+
+	openSecretStore()
+
+	resp.WriteEntity(map[string]any{"ok": true})
+}
--- a/cmd/dkl-local-server/ws-store.go
+++ b/cmd/dkl-local-server/ws-store.go
@ -0,0 +1,80 @@
+package main
+
+import (
+	"strconv"
+	"strings"
+
+	restful "github.com/emicklei/go-restful"
+	"novit.tech/direktil/local-server/secretstore"
+)
+
+func wsStoreAddKey(req *restful.Request, resp *restful.Response) {
+	np := NamedPassphrase{}
+
+	err := req.ReadEntity(&np)
+	if err != nil {
+		wsBadRequest(resp, err.Error())
+		return
+	}
+
+	np.Name = strings.TrimSpace(np.Name)
+
+	if len(np.Name) == 0 {
+		wsBadRequest(resp, "no name given")
+		return
+	}
+
+	if len(np.Passphrase) == 0 {
+		wsBadRequest(resp, "no passphrase given")
+		return
+	}
+
+	secStore.AddKey(np.Name, np.Passphrase)
+	defer updateState()
+
+	for _, k := range secStore.Keys {
+		if k.Name == np.Name {
+			wsBadRequest(resp, "there's already a passphrase named "+strconv.Quote(np.Name))
+			return
+		}
+	}
+
+	err = secStore.SaveTo(secKeysStorePath())
+	if err != nil {
+		wsError(resp, err)
+		return
+	}
+}
+
+func wsStoreDelKey(req *restful.Request, resp *restful.Response) {
+	name := ""
+
+	err := req.ReadEntity(&name)
+	if err != nil {
+		wsBadRequest(resp, err.Error())
+		return
+	}
+
+	newKeys := make([]secretstore.KeyEntry, 0, len(secStore.Keys))
+	for _, k := range secStore.Keys {
+		if k.Name == name {
+			continue
+		}
+
+		newKeys = append(newKeys, k)
+	}
+
+	if len(newKeys) == 0 {
+		wsBadRequest(resp, "can't remove the last key from the store")
+		return
+	}
+
+	secStore.Keys = newKeys
+	defer updateState()
+
+	err = secStore.SaveTo(secKeysStorePath())
+	if err != nil {
+		wsError(resp, err)
+		return
+	}
+}
--- a/cmd/dkl-local-server/ws.go
+++ b/cmd/dkl-local-server/ws.go
@ -1,6 +1,7 @@
 package main

 import (
+	"errors"
 	"fmt"
 	"log"
 	"net"
@ -8,73 +9,121 @@ import (
 	"strings"
 	"text/template"

+	cfsslconfig "github.com/cloudflare/cfssl/config"
 	"github.com/emicklei/go-restful"
+	"m.cluseau.fr/go/httperr"

-	"novit.nc/direktil/local-server/pkg/mime"
-	"novit.nc/direktil/pkg/localconfig"
+	"novit.tech/direktil/pkg/localconfig"
+
+	"novit.tech/direktil/local-server/pkg/mime"
 )

 func registerWS(rest *restful.Container) {
-	// Admin-level APIs
+	// public-level APIs
+	{
 		ws := &restful.WebService{}
-	ws.Filter(adminAuth).
-		HeaderParameter("Authorization", "Admin bearer token")
+		ws.
+			Path("/public").
+			Produces(mime.JSON).
+			Consumes(mime.JSON).
+			Route(ws.POST("/unlock-store").To(wsUnlockStore).
+				Reads(NamedPassphrase{}).
+				Writes("").
+				Doc("Try to unlock the store")).
+			Route(ws.GET("/store.tar").To(wsStoreDownload).
+				Produces(mime.TAR).
+				Param(ws.QueryParameter("token", "the download token")).
+				Doc("Fetch the encrypted store")).
+			Route(ws.POST("/store.tar").To(wsStoreUpload).
+				Consumes(mime.TAR).
+				Doc("Upload an existing store")).
+			Route(ws.GET("/downloads/{token}/{asset}").To(wsDownload).
+				Param(ws.PathParameter("token", "the download token")).
+				Param(ws.PathParameter("asset", "the requested asset")).
+				Doc("Fetch an asset via a download token"))
+
+		rest.Add(ws)
+	}
+
+	// Admin-level APIs
+	ws := (&restful.WebService{}).
+		Filter(requireSecStore).
+		Filter(adminAuth).
+		Param(restful.HeaderParameter("Authorization", "Admin bearer token").Required(true)).
+		Produces(mime.JSON)
+
+	// - store management
+	ws.Route(ws.POST("/store/add-key").To(wsStoreAddKey).
+		Consumes(mime.JSON).Reads(NamedPassphrase{}).
+		Doc("Add an unlock key to the store"))
+	ws.Route(ws.POST("/store/delete-key").To(wsStoreDelKey).
+		Consumes(mime.JSON).Reads("").
+		Doc("Remove an unlock key to the store (by its name)"))
+
+	// - downloads
+	ws.Route(ws.POST("/authorize-download").To(wsAuthorizeDownload).
+		Consumes(mime.JSON).Reads(DownloadSpec{}).
+		Produces(mime.JSON).
+		Doc("Create a download token for the given download"))

 	// - configs API
 	ws.Route(ws.POST("/configs").To(wsUploadConfig).
+		Consumes(mime.YAML).Param(ws.BodyParameter("config", "The new full configuration")).
+		Produces(mime.JSON).Writes(true).
 		Doc("Upload a new current configuration, archiving the previous one"))

 	// - clusters API
 	ws.Route(ws.GET("/clusters").To(wsListClusters).
 		Doc("List clusters"))

-	ws.Route(ws.GET("/clusters/{cluster-name}").To(wsCluster).
-		Doc("Get cluster details"))
+	const (
+		GET = http.MethodGet
+		PUT = http.MethodPut
+	)

-	ws.Route(ws.GET("/clusters/{cluster-name}/addons").To(wsClusterAddons).
+	cluster := func(method, subPath string) *restful.RouteBuilder {
+		return ws.Method(method).Path("/clusters/{cluster-name}" + subPath).
+			Param(ws.PathParameter("cluster-name", "name of the cluster"))
+	}
+
+	for _, builder := range []*restful.RouteBuilder{
+		cluster(GET, "").To(wsCluster).
+			Doc("Get cluster details"),
+
+		cluster(GET, "/addons").To(wsClusterAddons).
 			Produces(mime.YAML).
 			Doc("Get cluster addons").
 			Returns(http.StatusOK, "OK", nil).
-		Returns(http.StatusNotFound, "The cluster does not exists or does not have addons defined", nil))
+			Returns(http.StatusNotFound, "The cluster does not exists or does not have addons defined", nil),

-	ws.Route(ws.GET("/clusters/{cluster-name}/bootstrap-pods").To(wsClusterBootstrapPods).
-		Produces(mime.YAML).
-		Doc("Get cluster bootstrap pods YAML definitions").
-		Returns(http.StatusOK, "OK", nil).
-		Returns(http.StatusNotFound, "The cluster does not exists or does not have bootstrap pods defined", nil))
+		cluster(GET, "/tokens").To(wsClusterTokens).
+			Doc("List cluster's tokens"),
+		cluster(GET, "/tokens/{token-name}").To(wsClusterToken).
+			Doc("Get cluster's token"),

-	ws.Route(ws.GET("/clusters/{cluster-name}/passwords").To(wsClusterPasswords).
-		Doc("List cluster's passwords"))
-	ws.Route(ws.GET("/clusters/{cluster-name}/passwords/{password-name}").To(wsClusterPassword).
-		Doc("Get cluster's password"))
-	ws.Route(ws.PUT("/clusters/{cluster-name}/passwords/{password-name}").To(wsClusterSetPassword).
-		Doc("Set cluster's password"))
+		cluster(GET, "/passwords").To(wsClusterPasswords).
+			Doc("List cluster's passwords"),
+		cluster(GET, "/passwords/{password-name}").To(wsClusterPassword).
+			Doc("Get cluster's password"),
+		cluster(PUT, "/passwords/{password-name}").To(wsClusterSetPassword).
+			Doc("Set cluster's password"),

-	ws.Route(ws.GET("/clusters/{cluster-name}/ca").To(wsClusterCAs).
-		Doc("Get cluster CAs"))
-	ws.Route(ws.GET("/clusters/{cluster-name}/ca/{ca-name}/certificate").To(wsClusterCACert).
+		cluster(GET, "/CAs").To(wsClusterCAs).
+			Doc("Get cluster CAs"),
+		cluster(GET, "/CAs/{ca-name}/certificate").To(wsClusterCACert).
 			Produces(mime.CACERT).
-		Doc("Get cluster CA's certificate"))
-	ws.Route(ws.GET("/clusters/{cluster-name}/ca/{ca-name}/signed").To(wsClusterSignedCert).
+			Doc("Get cluster CA's certificate"),
+		cluster(GET, "/CAs/{ca-name}/signed").To(wsClusterSignedCert).
 			Produces(mime.CERT).
 			Param(ws.QueryParameter("name", "signed reference name").Required(true)).
-		Doc("Get cluster's certificate signed by the CA"))
-
-	ws.Route(ws.GET("/clusters/{cluster-name}/tokens/{token-name}").To(wsClusterToken).
-		Doc("Get cluster's token"))
+			Doc("Get cluster's certificate signed by the CA"),
+	} {
+		ws.Route(builder)
+	}

 	ws.Route(ws.GET("/hosts").To(wsListHosts).
 		Doc("List hosts"))

-	(&wsHost{
-		prefix:  "/hosts/{host-name}",
-		hostDoc: "given host",
-		getHost: func(req *restful.Request) string {
-			return req.PathParameter("host-name")
-		},
-	}).register(ws, func(rb *restful.RouteBuilder) {
-	})
-
 	ws.Route(ws.GET("/ssh-acls").To(wsSSH_ACL_List))
 	ws.Route(ws.GET("/ssh-acls/{acl-name}").To(wsSSH_ACL_Get))
 	ws.Route(ws.PUT("/ssh-acls/{acl-name}").To(wsSSH_ACL_Set))
@ -82,10 +131,28 @@ func registerWS(rest *restful.Container) {
 	rest.Add(ws)

 	// Hosts API
-	ws = &restful.WebService{}
-	ws.Path("/me")
-	ws.Filter(hostsAuth).
-		HeaderParameter("Authorization", "Host or admin bearer token")
+	ws = (&restful.WebService{}).
+		Filter(requireSecStore).
+		Filter(adminAuth).
+		Path("/hosts/{host-name}").
+		Param(ws.HeaderParameter("Authorization", "Host or admin bearer token"))
+
+	(&wsHost{
+		hostDoc: "given host",
+		getHost: func(req *restful.Request) (string, error) {
+			return req.PathParameter("host-name"), nil
+		},
+	}).register(ws, func(rb *restful.RouteBuilder) {
+		rb.Param(ws.PathParameter("host-name", "host's name"))
+	})
+
+	rest.Add(ws)
+
+	// Detected host API
+	ws = (&restful.WebService{}).
+		Filter(requireSecStore).
+		Path("/me").
+		Param(ws.HeaderParameter("Authorization", "Host or admin bearer token"))

 	(&wsHost{
 		hostDoc: "detected host",
@ -94,10 +161,51 @@ func registerWS(rest *restful.Container) {
 		rb.Notes("In this case, the host is detected from the remote IP")
 	})

+	// Hosts by token API
+	ws = (&restful.WebService{}).
+		Filter(requireSecStore).
+		Path("/hosts-by-token/{host-token}").
+		Param(ws.PathParameter("host-token", "host's download token"))
+
+	(&wsHost{
+		hostDoc: "token's host",
+		getHost: func(req *restful.Request) (host string, err error) {
+			reqToken := req.PathParameter("host-token")
+
+			data, err := hostDownloadTokens.Data()
+			if err != nil {
+				return
+			}
+
+			for h, token := range data {
+				if token == reqToken {
+					host = h
+					return
+				}
+			}
+
+			return
+		},
+	}).register(ws, func(rb *restful.RouteBuilder) {
+		rb.Notes("In this case, the host is detected from the token")
+	})
+
 	rest.Add(ws)
 }

-func detectHost(req *restful.Request) string {
+func requireSecStore(req *restful.Request, resp *restful.Response, chain *restful.FilterChain) {
+	if !secStore.Unlocked() {
+		wsError(resp, ErrStoreLocked)
+		return
+	}
+	chain.ProcessFilter(req, resp)
+}
+
+func detectHost(req *restful.Request) (hostName string, err error) {
+	if !*allowDetectedHost {
+		return
+	}
+
 	r := req.Request
 	remoteAddr := r.RemoteAddr

@ -115,17 +223,17 @@ func detectHost(req *restful.Request) string {

 	cfg, err := readConfig()
 	if err != nil {
-		return ""
+		return
 	}

 	host := cfg.HostByIP(hostIP)

 	if host == nil {
 		log.Print("no host found for IP ", hostIP)
-		return ""
+		return
 	}

-	return host.Name
+	return host.Name, nil
 }

 func wsReadConfig(resp *restful.Response) *localconfig.Config {
@ -139,19 +247,28 @@ func wsReadConfig(resp *restful.Response) *localconfig.Config {
 	return cfg
 }

-func wsNotFound(req *restful.Request, resp *restful.Response) {
-	http.NotFound(resp.ResponseWriter, req.Request)
+func wsNotFound(resp *restful.Response) {
+	wsError(resp, ErrNotFound)
+}
+
+func wsBadRequest(resp *restful.Response, err string) {
+	httperr.New(http.StatusBadRequest, errors.New(err)).WriteJSON(resp.ResponseWriter)
 }

 func wsError(resp *restful.Response, err error) {
 	log.Output(2, fmt.Sprint("request failed: ", err))
-	resp.WriteErrorString(
-		http.StatusInternalServerError,
-		http.StatusText(http.StatusInternalServerError))
+
+	switch err := err.(type) {
+	case httperr.Error:
+		err.WriteJSON(resp.ResponseWriter)
+
+	default:
+		httperr.Internal(err).WriteJSON(resp.ResponseWriter)
+	}
 }

-func wsRender(resp *restful.Response, tmplStr string, value interface{}) {
-	tmpl, err := template.New("wsRender").Funcs(templateFuncs).Parse(tmplStr)
+func wsRender(resp *restful.Response, sslCfg *cfsslconfig.Config, tmplStr string, value interface{}) {
+	tmpl, err := template.New("wsRender").Funcs(templateFuncs(sslCfg)).Parse(tmplStr)
 	if err != nil {
 		wsError(resp, err)
 		return
--- a/gen-api-js.sh
+++ b/gen-api-js.sh
@ -0,0 +1 @@
+docker run --rm --net=host --user $(id -u) -v ${PWD}:/local swaggerapi/swagger-codegen-cli generate -i http://[::1]:7606/swagger.json -l javascript -o /local/js/api/
--- a/go.mod
+++ b/go.mod
@ -1,55 +1,81 @@
-module novit.nc/direktil/local-server
+module novit.tech/direktil/local-server

-go 1.17
+go 1.21

 require (
-	github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e
 	github.com/cespare/xxhash v1.1.0
-	github.com/cloudflare/cfssl v0.0.0-20181213083726-b94e044bb51e
-	github.com/dustin/go-humanize v1.0.0
-	github.com/emicklei/go-restful v2.10.0+incompatible
-	github.com/emicklei/go-restful-openapi v1.2.0
+	github.com/cloudflare/cfssl v1.6.4
+	github.com/dustin/go-humanize v1.0.1
+	github.com/emicklei/go-restful v2.16.0+incompatible
+	github.com/emicklei/go-restful-openapi v1.4.1
+	github.com/go-git/go-git/v5 v5.10.0
 	github.com/mcluseau/go-swagger-ui v0.0.0-20191019002626-fd9128c24a34
-	github.com/miolini/datacounter v1.0.1
+	github.com/miolini/datacounter v1.0.3
 	github.com/oklog/ulid v1.3.1
-	github.com/pierrec/lz4 v2.3.0+incompatible
+	github.com/pierrec/lz4 v2.6.1+incompatible
+	github.com/sergeymakinen/go-crypt v1.0.0-beta.0
+	golang.org/x/crypto v0.14.0
 	gopkg.in/src-d/go-billy.v4 v4.3.2
 	gopkg.in/src-d/go-git.v4 v4.13.1
-	gopkg.in/yaml.v2 v2.2.4
-	k8s.io/apimachinery v0.0.0-20191203211716-adc6f4cd9e7d
-	novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2
+	gopkg.in/yaml.v2 v2.4.0
+	k8s.io/apimachinery v0.28.3
+	m.cluseau.fr/go v0.0.0-20230809064045-12c5a121c766
+	novit.tech/direktil/pkg v0.0.0-20230201224712-5e39572dc50e
 )

+replace github.com/zmap/zlint/v3 => github.com/zmap/zlint/v3 v3.3.1
+
 require (
-	github.com/PuerkitoBio/purell v1.1.1 // indirect
-	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
-	github.com/emirpasic/gods v1.12.0 // indirect
+	dario.cat/mergo v1.0.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
+	github.com/acomagu/bufpipe v1.0.4 // indirect
+	github.com/cavaliergopher/cpio v1.0.1 // indirect
+	github.com/cloudflare/circl v1.3.6 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/frankban/quicktest v1.5.0 // indirect
-	github.com/go-openapi/jsonpointer v0.19.3 // indirect
-	github.com/go-openapi/jsonreference v0.19.3 // indirect
-	github.com/go-openapi/spec v0.19.3 // indirect
-	github.com/go-openapi/swag v0.19.5 // indirect
-	github.com/gobuffalo/envy v1.7.1 // indirect
-	github.com/gobuffalo/packd v0.3.0 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/go-openapi/jsonpointer v0.20.0 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/spec v0.20.9 // indirect
+	github.com/go-openapi/swag v0.22.4 // indirect
+	github.com/gobuffalo/envy v1.10.2 // indirect
+	github.com/gobuffalo/packd v1.0.2 // indirect
 	github.com/gobuffalo/packr v1.30.1 // indirect
-	github.com/golang/protobuf v1.3.2 // indirect
-	github.com/google/certificate-transparency-go v1.0.21 // indirect
-	github.com/google/go-cmp v0.3.1 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/google/certificate-transparency-go v1.1.7 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/joho/godotenv v1.3.0 // indirect
-	github.com/json-iterator/go v1.1.8 // indirect
-	github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd // indirect
-	github.com/mailru/easyjson v0.7.0 // indirect
+	github.com/jmoiron/sqlx v1.3.5 // indirect
+	github.com/joho/godotenv v1.5.1 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/kisielk/sqlstruct v0.0.0-20210630145711-dae28ed37023 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.1 // indirect
-	github.com/rogpeppe/go-internal v1.5.0 // indirect
-	github.com/sergi/go-diff v1.0.0 // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
+	github.com/rogpeppe/go-internal v1.11.0 // indirect
+	github.com/sergi/go-diff v1.3.1 // indirect
+	github.com/skeema/knownhosts v1.2.1 // indirect
 	github.com/src-d/gcfg v1.4.0 // indirect
-	github.com/xanzy/ssh-agent v0.2.1 // indirect
-	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 // indirect
-	golang.org/x/net v0.0.0-20191014212845-da9a3fd4c582 // indirect
-	golang.org/x/sys v0.0.0-20191018095205-727590c5006e // indirect
-	golang.org/x/text v0.3.2 // indirect
+	github.com/weppos/publicsuffix-go v0.30.2-0.20230730094716-a20f9abcc222 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
+	github.com/zmap/zcrypto v0.0.0-20231102161736-a55ea7b96dbc // indirect
+	github.com/zmap/zlint/v3 v3.1.0 // indirect
+	golang.org/x/mod v0.13.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/tools v0.14.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/klog/v2 v2.110.1 // indirect
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,270 +1,429 @@
+cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
+dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
+dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
+github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
 github.com/OneOfOne/xxhash v1.2.2 h1:KMrpdQIwFcEqXDklaen+P1axHaj9BSKzvpUUfnHldSE=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8/go.mod h1:I0gYDMZ6Z5GRU7l58bNFSkPTFN6Yl12dsUlAZ8xy98g=
+github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c h1:kMFnB0vCcX7IL/m9Y5LO+KQYv+t1CQOiFe6+SV2J7bE=
+github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
 github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI=
-github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/acomagu/bufpipe v1.0.4 h1:e3H4WUzM3npvo5uv95QuJM3cQspFNtFBzvJ2oNjKIDQ=
+github.com/acomagu/bufpipe v1.0.4/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
 github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7 h1:uSoVVbwJiQipAclBbw+8quDsfcvFjOpI5iCf4p/cqCs=
 github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs=
-github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e h1:hHg27A0RSSp2Om9lubZpiMgVbvn39bsUmW9U5h0twqc=
-github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e/go.mod h1:oDpT4efm8tSYHXV5tHSdRvBet/b/QzxZ+XyyPehvm3A=
+github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
+github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
+github.com/cavaliergopher/cpio v1.0.1 h1:KQFSeKmZhv0cr+kawA3a0xTQCU4QxXF1vhU7P7av2KM=
+github.com/cavaliergopher/cpio v1.0.1/go.mod h1:pBdaqQjnvXxdS/6CvNDwIANIFSP0xRKI16PX4xejRQc=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
-github.com/cloudflare/cfssl v0.0.0-20181213083726-b94e044bb51e h1:Qux+lbuMaRzkQyTdzgtz8MgzPtzmaPQy6DXmxpdxT3U=
-github.com/cloudflare/cfssl v0.0.0-20181213083726-b94e044bb51e/go.mod h1:yMWuSON2oQp+43nFtAV/uvKQIFpSPerB57DCt9t8sSA=
+github.com/cloudflare/cfssl v1.6.4 h1:NMOvfrEjFfC63K3SGXgAnFdsgkmiq4kATme5BfcqrO8=
+github.com/cloudflare/cfssl v1.6.4/go.mod h1:8b3CQMxfWPAeom3zBnGJ6sd+G1NkL5TXqmDXacb+1J0=
+github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
+github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
+github.com/cloudflare/circl v1.3.6 h1:/xbKIqSHbZXHwkhbrhrt2YOHIwYJlXH94E3tI/gDlUg=
+github.com/cloudflare/circl v1.3.6/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
-github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
+github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
-github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
-github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
-github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
-github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
+github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
 github.com/emicklei/go-restful v2.9.6+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/emicklei/go-restful v2.10.0+incompatible h1:l6Soi8WCOOVAeCo4W98iBFC6Og7/X8bpRt51oNLZ2C8=
-github.com/emicklei/go-restful v2.10.0+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/emicklei/go-restful-openapi v1.2.0 h1:ohRZ1yEZERGzqaozBgxa3A0lt6c6KF14xhs3IL9ECwg=
-github.com/emicklei/go-restful-openapi v1.2.0/go.mod h1:cy7o3Ge8ZWZ5E90mpEY81sJZZFs2pkuYcLvfngYy1l0=
-github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
+github.com/emicklei/go-restful v2.16.0+incompatible h1:rgqiKNjTnFQA6kkhFe16D8epTksy9HQ1MyrbDXSdYhM=
+github.com/emicklei/go-restful v2.16.0+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/emicklei/go-restful-openapi v1.4.1 h1:SocVTIQWnXyit4dotTrwmncBAjtRaBmfcHjo3XGcCm4=
+github.com/emicklei/go-restful-openapi v1.4.1/go.mod h1:kWQ8rQMVQ6G6lePwjDveJ00KjAUr/jq6z1X8DrDP3Gc=
 github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
-github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
+github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
+github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
+github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/frankban/quicktest v1.5.0 h1:Tb4jWdSpdjKzTUicPnY61PZxKbDoGa7ABbrReT3gQVY=
 github.com/frankban/quicktest v1.5.0/go.mod h1:jaStnuzAqU1AJdCO0l53JDCJrVDKcS03DbaAcR7Ks/o=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0=
 github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
-github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
-github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
+github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY=
+github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
+github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
+github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
+github.com/go-git/go-git/v5 v5.10.0 h1:F0x3xXrAWmhwtzoCokU4IMPcBdncG+HAAqi9FcOOjbQ=
+github.com/go-git/go-git/v5 v5.10.0/go.mod h1:1FOZ/pQnqw24ghP2n7cunVl0ON55BsjPYvhWHvZGhoo=
+github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
+github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.0.0-20180322222829-3a0015ad55fa/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
-github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
-github.com/go-openapi/jsonpointer v0.19.3 h1:gihV7YNZK1iK6Tgwwsxo2rJbD1GTbdm72325Bq8FI3w=
 github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
-github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
+github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
+github.com/go-openapi/jsonpointer v0.20.0 h1:ESKJdU9ASRfaPNOPRx12IUyA1vn3R9GiE3KYD14BXdQ=
+github.com/go-openapi/jsonpointer v0.20.0/go.mod h1:6PGzBjjIIumbLYysB73Klnms1mwnU4G3YHOECG3CedA=
 github.com/go-openapi/jsonreference v0.0.0-20180322222742-3fb327e6747d/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
-github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc=
-github.com/go-openapi/jsonreference v0.19.3 h1:5cxNfTy0UVC3X8JL5ymxzyoUZmo8iZb+jeTWn7tUa8o=
-github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
-github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
+github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo=
+github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
+github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/spec v0.0.0-20180415031709-bcff419492ee/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
-github.com/go-openapi/spec v0.19.3 h1:0XRyw8kguri6Yw4SxhsQA/atC88yqrk0+G4YhI2wabc=
-github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo=
-github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
+github.com/go-openapi/spec v0.20.9 h1:xnlYNQAwKd2VQRRfwTEI0DcK+2cbuvI/0c7jx3gA8/8=
+github.com/go-openapi/spec v0.20.9/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA=
 github.com/go-openapi/swag v0.0.0-20180405201759-811b1089cde9/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
-github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
-github.com/go-openapi/swag v0.19.5 h1:lTz6Ys4CmqqCQmZPBlbQENR1/GucA2bzYTE12Pw4tFY=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
+github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-openapi/swag v0.22.4 h1:QLMzNJnMGPRNDCbySlcj1x01tzU8/9LTTL9hZZZogBU=
+github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
+github.com/go-sql-driver/mysql v1.7.1 h1:lUIinVbN1DY0xBg0eMOzmmtGoHwWBbvnWubQUrtU8EI=
+github.com/go-sql-driver/mysql v1.7.1/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
 github.com/gobuffalo/envy v1.7.0/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI=
-github.com/gobuffalo/envy v1.7.1 h1:OQl5ys5MBea7OGCdvPbBJWRgnhC/fGona6QKfvFeau8=
 github.com/gobuffalo/envy v1.7.1/go.mod h1:FurDp9+EDPE4aIUS3ZLyD+7/9fpx7YRt/ukY6jIHf0w=
+github.com/gobuffalo/envy v1.10.2 h1:EIi03p9c3yeuRCFPOKcSfajzkLb3hrRjEpHGI8I2Wo4=
+github.com/gobuffalo/envy v1.10.2/go.mod h1:qGAGwdvDsaEtPhfBzb3o0SfDea8ByGn9j8bKmVft9z8=
 github.com/gobuffalo/logger v1.0.0/go.mod h1:2zbswyIUa45I+c+FLXuWl9zSWEiVuthsk8ze5s8JvPs=
-github.com/gobuffalo/packd v0.3.0 h1:eMwymTkA1uXsqxS0Tpoop3Lc0u3kTfiMBE6nKtQU4g4=
 github.com/gobuffalo/packd v0.3.0/go.mod h1:zC7QkmNkYVGKPw4tHpBQ+ml7W/3tIebgeo1b36chA3Q=
+github.com/gobuffalo/packd v1.0.2 h1:Yg523YqnOxGIWCp69W12yYBKsoChwI7mtu6ceM9Bwfw=
+github.com/gobuffalo/packd v1.0.2/go.mod h1:sUc61tDqGMXON80zpKGp92lDb86Km28jfvX7IAyxFT8=
 github.com/gobuffalo/packr v1.30.1 h1:hu1fuVR3fXEZR7rXNW3h8rqSML8EVAf6KNm0NKO/wKg=
 github.com/gobuffalo/packr v1.30.1/go.mod h1:ljMyFO2EcrnzsHsN99cvbq055Y9OhRrIaviy289eRuk=
 github.com/gobuffalo/packr/v2 v2.5.1/go.mod h1:8f9c96ITobJlPzI44jj+4tHnEKNt0xXWSVlXRN9X1Iw=
-github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
-github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/google/certificate-transparency-go v1.0.21 h1:Yf1aXowfZ2nuboBsg7iYGLmwsOARdV86pfH3g95wXmE=
-github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/certificate-transparency-go v1.1.7 h1:IASD+NtgSTJLPdzkthwvAG1ZVbF2WtFg4IvoA68XGSw=
+github.com/google/certificate-transparency-go v1.1.7/go.mod h1:FSSBo8fyMVgqptbfF6j5p/XNdgQftAhSmXcIxV9iphE=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-github/v50 v50.2.0/go.mod h1:VBY8FB6yPIjrtKhozXv4FQupxKLS6H4m6xFZlT43q8Q=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
-github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
-github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
+github.com/jmoiron/sqlx v1.3.5 h1:vFFPA71p1o5gAeqtEAwLU4dnX2napprKtHr7PYIcN3g=
+github.com/jmoiron/sqlx v1.3.5/go.mod h1:nRVWtLre0KfCLJvgxzCsLVMogSvQ1zNJtpYr2Ccp0mQ=
 github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
-github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok=
-github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/joho/godotenv v1.4.0/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
+github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
+github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/karrick/godirwalk v1.10.12/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA=
-github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd h1:Coekwdh0v2wtGp9Gmz1Ze3eVRAWJMLokvN3QjdzCHLY=
 github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
-github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
+github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
+github.com/kisielk/sqlstruct v0.0.0-20210630145711-dae28ed37023 h1:/pb3UJ+3ZtSEUKWnufwsoVF7f0AX5ytPULbTwHMgbq4=
+github.com/kisielk/sqlstruct v0.0.0-20210630145711-dae28ed37023/go.mod h1:yyMNCyc/Ib3bDTKd379tNMpB/7/H5TjM2Y9QJ5THLbE=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
 github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
+github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
+github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
-github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20180323154445-8b799c424f57/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.7.0 h1:aizVhC/NAAcKWb+5QsU1iNOZb4Yws5UO2I+aIprQITM=
-github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
+github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
+github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
+github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
+github.com/mattn/go-sqlite3 v1.14.17 h1:mCRHCLDUBXgpKAqIKsaAaAsrAlbkeomtRFKXh2L6YIM=
+github.com/mattn/go-sqlite3 v1.14.17/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
 github.com/mcluseau/go-swagger-ui v0.0.0-20191019002626-fd9128c24a34 h1:F3u4DKQ4T30mlBNFmSGzTqdkmVqbfVORv34ZRvc7PuE=
 github.com/mcluseau/go-swagger-ui v0.0.0-20191019002626-fd9128c24a34/go.mod h1:lcyE8C83VRamH/oTpikU4+yVCCxLthWgDOqjHSsu+ZY=
-github.com/miolini/datacounter v1.0.1 h1:4hs8Sc03o2jADLol/aWgesWS565mV9h8314QGA+gss4=
-github.com/miolini/datacounter v1.0.1/go.mod h1:C45dc2hBumHjDpEU64IqPwR6TDyPVpzOqqRTN7zmBUA=
+github.com/miolini/datacounter v1.0.3 h1:tanOZPVblGXQl7/bSZWoEM8l4KK83q24qwQLMrO/HOA=
+github.com/miolini/datacounter v1.0.3/go.mod h1:C45dc2hBumHjDpEU64IqPwR6TDyPVpzOqqRTN7zmBUA=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/mreiferson/go-httpclient v0.0.0-20160630210159-31f0106b4474/go.mod h1:OQA4XLvDbMgS8P0CevmM4m9Q3Jq4phKUzcocxuGJ5m8=
+github.com/mreiferson/go-httpclient v0.0.0-20201222173833-5e475fde3a4d/go.mod h1:OQA4XLvDbMgS8P0CevmM4m9Q3Jq4phKUzcocxuGJ5m8=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
-github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
-github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
+github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
+github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/pelletier/go-buffruneio v0.2.0/go.mod h1:JkE26KsDizTr40EUHkXVtNPvgGtbSNq5BcowyYOWdKo=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
-github.com/pierrec/lz4 v2.3.0+incompatible h1:CZzRn4Ut9GbUkHlQ7jqBXeZQV41ZSKWFc302ZU6lUTk=
-github.com/pierrec/lz4 v2.3.0+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
-github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
+github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM=
+github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
+github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
+github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.3.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
-github.com/rogpeppe/go-internal v1.5.0 h1:Usqs0/lDK/NqTkvrmKSwA/3XkZAs7ZAW/eLeQ2MVBTw=
 github.com/rogpeppe/go-internal v1.5.0/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
+github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
-github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
+github.com/sergeymakinen/go-crypt v1.0.0-beta.0 h1:HuBziMWVOJp9mWuErOMPL80B4m5pIhCWJpljJ8nfRc4=
+github.com/sergeymakinen/go-crypt v1.0.0-beta.0/go.mod h1:Dx6xnD19bCVaMSWdfKNnsO6b0R6/0CJKCTR4cUMgYnU=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
+github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
+github.com/sirupsen/logrus v1.3.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/skeema/knownhosts v1.2.1 h1:SHWdIUa82uGZz+F+47k8SY4QhhI291cXCpopT1lK2AQ=
+github.com/skeema/knownhosts v1.2.1/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72 h1:qLC7fQah7D6K1B0ujays3HV9gkFtllcxhzImRR7ArPQ=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
-github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/src-d/gcfg v1.4.0 h1:xXbNR5AlLSA315x2UO+fTSSAXCDf+Ar38/6oyGbDKQ4=
 github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
-github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
 github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
-github.com/xanzy/ssh-agent v0.2.1 h1:TCbipTQL2JiiCprBWx9frJ2eJlCYT00NmctrHxVAr70=
+github.com/weppos/publicsuffix-go v0.13.0/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k=
+github.com/weppos/publicsuffix-go v0.15.1-0.20220329081811-9a40b608a236/go.mod h1:HYux0V0Zi04bHNwOHy4cXJVz/TQjYonnF6aoYhj+3QE=
+github.com/weppos/publicsuffix-go v0.30.2-0.20230730094716-a20f9abcc222 h1:h2JizvZl9aIj6za9S5AyrkU+OzIS4CetQthH/ejO+lg=
+github.com/weppos/publicsuffix-go v0.30.2-0.20230730094716-a20f9abcc222/go.mod h1:s41lQh6dIsDWIC1OWh7ChWJXLH0zkJ9KHZVqA7vHyuQ=
 github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4=
+github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
+github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/zmap/rc2 v0.0.0-20131011165748-24b9757f5521/go.mod h1:3YZ9o3WnatTIZhuOtot4IcUfzoKVjUHqu6WALIyI0nE=
+github.com/zmap/rc2 v0.0.0-20190804163417-abaa70531248/go.mod h1:3YZ9o3WnatTIZhuOtot4IcUfzoKVjUHqu6WALIyI0nE=
+github.com/zmap/zcertificate v0.0.0-20180516150559-0e3d58b1bac4/go.mod h1:5iU54tB79AMBcySS0R2XIyZBAVmeHranShAFELYx7is=
+github.com/zmap/zcertificate v0.0.1/go.mod h1:q0dlN54Jm4NVSSuzisusQY0hqDWvu92C+TWveAxiVWk=
+github.com/zmap/zcrypto v0.0.0-20201211161100-e54a5822fb7e/go.mod h1:aPM7r+JOkfL+9qSB4KbYjtoEzJqUK50EXkkJabeNJDQ=
+github.com/zmap/zcrypto v0.0.0-20220402174210-599ec18ecbac/go.mod h1:egdRkzUylATvPkWMpebZbXhv0FMEMJGX/ur0D3Csk2s=
+github.com/zmap/zcrypto v0.0.0-20231102161736-a55ea7b96dbc h1:M16IhYXubdOZFY7GYNw3xR8uceY4UTxa9ofk3+VAnFw=
+github.com/zmap/zcrypto v0.0.0-20231102161736-a55ea7b96dbc/go.mod h1:Z2SNNuFhO+AAsezbGEHTWeW30hHv5niUYT3fwJ61Nl0=
+github.com/zmap/zlint/v3 v3.3.1 h1:IrIY2Qd2Wr9ZHhdQ3mszehSydz+x6OROClztMEK+2bU=
+github.com/zmap/zlint/v3 v3.3.1/go.mod h1:fPCW5acxhqw4HU1Vm0t9oFEPo1/uH9hI0sci/Z++hEI=
+golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220321153916-2c7772ba3064/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
+golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY=
+golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191014212845-da9a3fd4c582 h1:p9xBe/w/OzkeYVKm234g55gMdD1nSIooTir5kV11kfA=
-golang.org/x/net v0.0.0-20191014212845-da9a3fd4c582/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
+golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190515120540-06a5c4944438/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191018095205-727590c5006e h1:ZtoklVMHQy6BFRHkbG6JzK+S6rX82//Yeok1vMlizfQ=
-golang.org/x/sys v0.0.0-20191018095205-727590c5006e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210608053332-aa57babbf139/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
+golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
+golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190624180213-70d37148ca0c/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190729092621-ff9f1409240a/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc=
+golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
+gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/src-d/go-billy.v4 v4.3.2 h1:0SQA1pRztfTFx2miS8sA97XvooFeNOmvUenF4o0EcVg=
 gopkg.in/src-d/go-billy.v4 v4.3.2/go.mod h1:nDjArDMp+XMs1aFAESLRjfGSgfvoYN0hDfzEk0GjC98=
 gopkg.in/src-d/go-git-fixtures.v3 v3.5.0 h1:ivZFOIltbce2Mo8IjzUHAFoq/IylO9WHhNOAJK+LsJg=
 gopkg.in/src-d/go-git-fixtures.v3 v3.5.0/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzWYqTe3rJR56Ac7g=
 gopkg.in/src-d/go-git.v4 v4.13.1 h1:SRtFyV8Kxc0UP7aCHcijOMQGPxHSmMOPrzulQWolkYE=
 gopkg.in/src-d/go-git.v4 v4.13.1/go.mod h1:nx5NYcxdKxq5fpltdHnPa2Exj4Sx0EclMWZQbYDu2z8=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-k8s.io/apimachinery v0.0.0-20191203211716-adc6f4cd9e7d h1:q+OZmYewHJeMCzwpHkXlNTtk5bvaUMPCikKvf77RBlo=
-k8s.io/apimachinery v0.0.0-20191203211716-adc6f4cd9e7d/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
-k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
-k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
-k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
-k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
-novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2 h1:LN3K19gAJ1GamJXkzXAQmjbl8xCV7utqdxTTrM89MMc=
-novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2/go.mod h1:zwTVO6U0tXFEaga73megQIBK7yVIKZJVePaIh/UtdfU=
-sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
-sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/apimachinery v0.28.3 h1:B1wYx8txOaCQG0HmYF6nbpU8dg6HvA06x5tEffvOe7A=
+k8s.io/apimachinery v0.28.3/go.mod h1:uQTKmIqs+rAYaq+DFaoD2X7pcjLOqbQX2AOiO0nIpb8=
+k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
+k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+m.cluseau.fr/go v0.0.0-20230809064045-12c5a121c766 h1:JRzMBDbUwrTTGDJaJSH0ap4vRL0Q9CN1bG8a6n49eaQ=
+m.cluseau.fr/go v0.0.0-20230809064045-12c5a121c766/go.mod h1:BMv3aOSYpupuiiG3Ch3ND88aB5CfAks3YZuRLE8j1ls=
+novit.nc/direktil/pkg v0.0.0-20220221171542-fd3ce3a1491b/go.mod h1:zwTVO6U0tXFEaga73megQIBK7yVIKZJVePaIh/UtdfU=
+novit.tech/direktil/pkg v0.0.0-20230201224712-5e39572dc50e h1:eQFbzcuB4wOSrnOhkcN30hFDCIack40VkIoqVRbWnWc=
+novit.tech/direktil/pkg v0.0.0-20230201224712-5e39572dc50e/go.mod h1:2Mir5x1eT/e295WeFGzzXa4siunKX4z+rmNPfVsXS0k=
--- a/govc.env
+++ b/govc.env
@ -1,8 +0,0 @@
-export GOVC_DATACENTER=
-export GOVC_PASSWORD=
-export GOVC_URL=
-export GOVC_USERNAME=
-export GOVC_INSECURE=1
-export GOVC_DATASTORE=
-export NOVIT_VM_FOLDER=
-export NOVIT_ISO_FOLDER=
--- a/hack/build
+++ b/hack/build
@ -0,0 +1,3 @@
+#! /bin/sh
+set -ex
+go build -o dist/ -trimpath -ldflags "-X main.Version=${GIT_TAG:-$(git describe --always --dirty)}" $*
--- a/hack/docker-build
+++ b/hack/docker-build
@ -0,0 +1,8 @@
+#! /bin/bash
+set -ex
+case "$1" in
+commit) tag=$(git describe --always --dirty) ;;
+"")     tag=latest ;;
+*)      tag=$1 ;;
+esac
+docker build -t novit.tech/direktil/local-server:$tag .
--- a/hack/install
+++ b/hack/install
@ -0,0 +1,4 @@
+#! /bin/sh
+set -ex
+go install -trimpath -ldflags "-X main.Version=$(git describe --always --dirty)" \
+    ./cmd/dkl-dir2config
--- a/html/favicon.ico
+++ b/html/favicon.ico
--- a/html/html.go
+++ b/html/html.go
@ -0,0 +1,6 @@
+package dlshtml
+
+import "embed"
+
+//go:embed favicon.ico ui
+var FS embed.FS
--- a/html/ui/app.css
+++ b/html/ui/app.css
@ -0,0 +1,23 @@
+
+.downloads {
+    display: flex;
+    align-content: stretch;
+}
+
+.downloads > * {
+    margin-left: 6pt;
+}
+.downloads > *:first-child {
+    margin-left: 0;
+}
+
+.downloads > div {
+    display: flex;
+    flex-flow: column;
+    max-height: 100pt;
+    overflow: auto;
+}
+
+.cluster {
+    max-width: 50%;
+}
--- a/html/ui/index.html
+++ b/html/ui/index.html
@ -0,0 +1,116 @@
+<!doctype html>
+<html>
+<head>
+<title>Direktil Local Server</title>
+<style>
+@import url('./style.css');
+@import url('./app.css');
+</style>
+<script src="js/jsonpatch.min.js" crossorigin="anonymous"></script>
+<script src="js/app.js" type="module" defer></script>
+<body>
+
+<div id="app">
+<header>
+    <div id="logo">
+        <img src="/favicon.ico" />
+        <span>Direktil Local Server</span>
+    </div>
+    <div class="utils">
+        <span id="login-hdr" v-if="session.token">
+            Logged in
+            <button class="link" @click="copyText(session.token)">&#x1F5D0;</button>
+        </span>
+
+        <span>server <code>{{ serverVersion || '-----' }}</code></span>
+        <span>ui     <code>{{ uiHash || '-----' }}</code></span>
+
+        <span :class="publicState ? 'green' : 'red'">&#x1F5F2;</span>
+    </div>
+</header>
+
+<div class="error" v-if="error">
+    <button class="btn-close" @click="error=null">&times;</button>
+    <div class="code" v-if="error.code">{{ error.code }}</div>
+    <div class="message">{{ error.message }}</div>
+</div>
+
+<template v-if="!publicState">
+    <p>Not connected.</p>
+</template>
+<template v-else-if="publicState.Store.New">
+    <p>Store is new.</p>
+    <p>Option 1: initialize a new store</p>
+    <form @submit="unlockStore">
+        <input type="text"     v-model="forms.store.name"  name="name" placeholder="Name" /><br/>
+        <input type="password" v-model="forms.store.pass1" name="passphrase" required placeholder="Passphrase" />
+        <input type="password" v-model="forms.store.pass2" required placeholder="Passphrase confirmation" />
+        <input type="submit" value="initialize" :disabled="!forms.store.pass1 || forms.store.pass1 != forms.store.pass2" />
+    </form>
+    <p>Option 2: upload a previously downloaded store</p>
+    <form @submit="uploadStore">
+        <input type="file" ref="storeUpload" />
+        <input type="submit" value="upload" />
+    </form>
+</template>
+<template v-else-if="!publicState.Store.Open">
+    <p>Store is not open.</p>
+    <form @submit="unlockStore">
+        <input type="password" name="passphrase" v-model="forms.store.pass1" required placeholder="Passphrase" />
+        <input type="submit" value="unlock" :disabled="!forms.store.pass1" />
+    </form>
+</template>
+<template v-else-if="!state">
+    <p v-if="!session.token">Not logged in.</p>
+    <p v-else>Invalid token</p>
+
+    <form @submit="setToken">
+        <input type="password" v-model="forms.setToken" required placeholder="Token" />
+        <input type="submit" value="set token"/>
+    </form>
+</template>
+<template v-else>
+  <div v-if="state.Clusters" id="clusters">
+    <h2>Clusters</h2>
+
+    <div class="sheets">
+        <Cluster v-for="c in state.Clusters" :cluster="c" :token="session.token" :state="state" />
+    </div>
+  </div>
+
+  <div v-if="state.Hosts" id="hosts">
+    <h2>Hosts</h2>
+
+    <div class="sheets">
+        <Host v-for="h in state.Hosts" :host="h" :token="session.token" :state="state" />
+    </div>
+  </div>
+
+  <h2>Admin actions</h2>
+  <h3>Config</h3>
+  <form @submit="uploadConfig">
+      <input type="file" ref="configUpload" required />
+      <input type="submit" value="upload config" />
+  </form>
+  <h3>Store</h3>
+  <p><a :href="'/public/store.tar?token='+state.Store.DownloadToken" target="_blank">Download</a></p>
+  <form @submit="storeAddKey" action="/store/add-key">
+      <p>Add an unlock phrase:</p>
+      <input type="text"     v-model="forms.store.name"  name="name" required placeholder="Name" /><br/>
+      <input type="password" v-model="forms.store.pass1" name="passphrase" autocomplete="new-password" required placeholder="Phrase" />
+      <input type="password" v-model="forms.store.pass2" autocomplete="new-password" required placeholder="Phrase confirmation" />
+      <input type="submit" value="add unlock phrase" :disabled="!forms.store.pass1 || forms.store.pass1 != forms.store.pass2" />
+  </form>
+  <form @submit="storeDelKey" action="/store/delete-key">
+      <p>Remove an unlock phrase:</p>
+      <input type="text" v-model="forms.delKey.name"  name="name" required placeholder="Name" />
+      <input type="submit" value="remove unlock phrase" />
+
+      <p v-if="state.Store.KeyNames">Available names:
+        <template v-for="k,i in state.Store.KeyNames">{{i?", ":""}}<code @click="forms.delKey.name=k">{{k}}</code></template>.</p>
+  </form>
+</template>
+</div>
+
+</body>
+</html>
--- a/html/ui/js/Cluster.js
+++ b/html/ui/js/Cluster.js
@ -0,0 +1,35 @@
+
+import Downloads from './Downloads.js';
+import GetCopy from './GetCopy.js';
+
+export default {
+    components: { Downloads, GetCopy },
+    props: [ 'cluster', 'token', 'state' ],
+    template: `
+<div class="cluster">
+  <div class="title">Cluster {{ cluster.Name }}</div>
+  <div class="section">Tokens</div>
+  <section class="links">
+    <GetCopy v-for="n in cluster.Tokens" :token="token" :name="n" :href="'/clusters/'+cluster.Name+'/tokens/'+n" />
+  </section>
+  <div class="section">Passwords</div>
+  <section class="links">
+    <GetCopy v-for="n in cluster.Passwords" :token="token" :name="n" :href="'/clusters/'+cluster.Name+'/passwords/'+n" />
+  </section>
+  <div class="section">Downloads</div>
+  <section class="downloads">
+    <Downloads :token="token" :state="state" kind="cluster" :name="cluster.Name" />
+  </section>
+  <div class="section">CAs</div>
+  <table><tr><th>Name</th><th>Certificate</th><th>Signed certificates</th></tr>
+  <tr v-for="ca in cluster.CAs">
+    <td>{{ ca.Name }}</td>
+    <td><GetCopy :token="token" name="cert" :href="'/clusters/'+cluster.Name+'/CAs/'+ca.Name+'/certificate'" /></td>
+    <td><template v-for="signed in ca.Signed">
+      {{" "}}
+      <GetCopy :token="token" :name="signed" :href="'/clusters/'+cluster.Name+'/CAs/'+ca.Name+'/signed?name='+signed" />
+    </template></td>
+  </tr></table>
+</div>
+`
+}
--- a/html/ui/js/Downloads.js
+++ b/html/ui/js/Downloads.js
@ -0,0 +1,64 @@
+
+export default {
+    props: [ 'kind', 'name', 'token', 'state' ],
+    data() {
+        return { createDisabled: false, selectedAssets: {} }
+    },
+    computed: {
+        availableAssets() {
+            return {
+                cluster: ['addons'],
+                host: [
+                    "kernel",
+                    "initrd",
+                    "bootstrap.tar",
+                    "boot.img.lz4",
+                    "boot.iso",
+                    "config",
+                    "bootstrap-config",
+                    "boot.tar",
+                    "boot-efi.tar",
+                    "boot.img.gz",
+                    "boot.img",
+                    "ipxe",
+                ],
+            }[this.kind]
+        },
+        downloads() {
+            let ret = []
+            Object.entries(this.state.Downloads)
+              .filter(e => { let d=e[1]; return d.Kind == this.kind && d.Name == this.name })
+              .forEach(e => {
+                let token= e[0], d = e[1]
+                d.Assets.forEach(asset => {
+                    ret.push({name: asset, url: '/public/downloads/'+token+'/'+asset})
+                })
+              })
+          return ret
+        },
+        assets() {
+            return this.availableAssets.filter(a => this.selectedAssets[a])
+        },
+    },
+    methods: {
+        createToken() {
+            event.preventDefault()
+            this.createDisabled = true
+
+            fetch('/authorize-download', {
+                method: 'POST',
+                body: JSON.stringify({Kind: this.kind, Name: this.name, Assets: this.assets}),
+                headers: { 'Authorization': 'Bearer ' + this.token, 'Content-Type': 'application/json' },
+            }).then((resp) => resp.json())
+              .then((token) => { this.selectedAssets = {}; this.createDisabled = false })
+              .catch((e) => { alert('failed to create link'); this.createDisabled = false })
+        },
+    },
+    template: `<div class="downloads">
+  <div class="options">
+    <span v-for="asset in availableAssets"><label><input type="checkbox" v-model="selectedAssets[asset]" />&nbsp;{{ asset }}</label></span>
+  </div>
+  <button :disabled="createDisabled || assets.length==0" @click="createToken">+</button>
+  <div><a v-for="d in downloads" target="_blank" :href="d.url">{{ d.name }}</a></div>
+</div>`
+}
--- a/html/ui/js/GetCopy.js
+++ b/html/ui/js/GetCopy.js
@ -0,0 +1,32 @@
+export default {
+    props: [ 'name', 'href', 'token' ],
+    data() { return {showCopied: false} },
+    template: `<span class="notif"><div v-if="showCopied">copied!</div><a :href="href" @click="fetchAndSave()">{{name}}</a>&nbsp;<a href="#" class="copy" @click="fetchAndCopy()">&#x1F5D0;</a></span>`,
+    methods: {
+        fetch() {
+            event.preventDefault()
+            return fetch(this.href, {
+                method: 'GET',
+                headers: { 'Authorization': 'Bearer ' + this.token },
+            })
+        },
+        handleFetchError(e) {
+            console.log("failed to get value:", e)
+            alert('failed to get value')
+        },
+        fetchAndSave() {
+            this.fetch().then(resp => resp.blob()).then((value) => {
+                window.open(URL.createObjectURL(value), "_blank")
+            }).catch(this.handleFetchError)
+        },
+        fetchAndCopy() {
+            this.fetch()
+            .then((resp) => resp.headers.get("content-type") == "application/json" ? resp.json() : resp.text())
+            .then((value) => {
+                window.navigator.clipboard.writeText(value)
+                this.showCopied = true
+                setTimeout(() => { this.showCopied = false }, 1000)
+            }).catch(this.handleFetchError)
+        },
+    },
+}
--- a/html/ui/js/Host.js
+++ b/html/ui/js/Host.js
@ -0,0 +1,21 @@
+
+import Downloads from './Downloads.js';
+
+export default {
+    components: { Downloads },
+    props: [ 'host', 'token', 'state' ],
+    template: `
+<div class="host">
+  <div class="title">Host {{ host.Name }}</div>
+  <section>
+    <template v-for="ip in host.IPs">
+        {{ ip }}
+    </template>
+  </section>
+  <div class="section">Downloads</div>
+  <section>
+    <Downloads :token="token" :state="state" kind="host" :name="host.Name" />
+  </section>
+</div>
+`
+}
--- a/html/ui/js/app.js
+++ b/html/ui/js/app.js
@ -0,0 +1,199 @@
+
+import { createApp } from './vue.esm-browser.js';
+
+import Cluster from './Cluster.js';
+import Host    from './Host.js';
+
+createApp({
+    components: { Cluster, Host },
+    data() {
+        return {
+            forms: {
+                store: {},
+                storeUpload: {},
+                delKey: {},
+            },
+            session: {},
+            error: null,
+            publicState: null,
+            serverVersion: null,
+            uiHash: null,
+            watchingState: false,
+            state: null,
+        }
+    },
+    mounted() {
+        this.session = JSON.parse(sessionStorage.state || "{}")
+        this.watchPublicState()
+    },
+    watch: {
+        session: {
+            deep: true,
+            handler(v) {
+                sessionStorage.state = JSON.stringify(v)
+
+                if (v.token && !this.watchingState) {
+                    this.watchState()
+                    this.watchingState = true
+                }
+            }
+        },
+        publicState: {
+            deep: true,
+            handler(v) {
+                if (v) {
+                    this.serverVersion = v.ServerVersion
+                    if (this.uiHash && v.UIHash != this.uiHash) {
+                        console.log("reloading")
+                        location.reload()
+                    } else {
+                        this.uiHash = v.UIHash
+                    }
+                }
+            },
+        }
+    },
+
+    methods: {
+        copyText(text) {
+            event.preventDefault()
+            window.navigator.clipboard.writeText(text)
+        },
+        setToken() {
+            event.preventDefault()
+            this.session.token = this.forms.setToken
+            this.forms.setToken = null
+        },
+        uploadStore() {
+            event.preventDefault()
+            this.apiPost('/public/store.tar', this.$refs.storeUpload.files[0], (v) => {
+                this.forms.store = {}
+            }, "application/tar")
+        },
+        namedPassphrase(name, passphrase) {
+            return {Name: this.forms.store.name, Passphrase: btoa(this.forms.store.pass1)}
+        },
+        storeAddKey() {
+            this.apiPost('/store/add-key', this.namedPassphrase(), (v) => {
+                this.forms.store = {}
+            })
+        },
+        storeDelKey() {
+            let name = this.forms.delKey.name
+
+            if (!confirm("Remove key named "+JSON.stringify(name)+"?")) {
+                return
+            }
+            this.apiPost('/store/delete-key', name , (v) => {
+                this.forms.delKey = {}
+            })
+        },
+        unlockStore() {
+            this.apiPost('/public/unlock-store', this.namedPassphrase(), (v) => {
+                this.forms.store = {}
+
+                if (v) {
+                    this.session.token = v
+                    if (!this.watchingState) {
+                        this.watchState()
+                        this.watchingState = true
+                    }
+                }
+            })
+        },
+        uploadConfig() {
+            event.preventDefault()
+            this.apiPost('/configs', this.$refs.configUpload.files[0], (v) => {}, "text/vnd.yaml")
+        },
+        apiPost(action, data, onload, contentType = 'application/json') {
+            event.preventDefault()
+
+            if (data === undefined) {
+                throw("action " + action + ": no data")
+            }
+
+            /* TODO
+            fetch(action, {
+                method: 'POST',
+                body: JSON.stringify(data),
+            })
+              .then((response) => response.json())
+              .then((result) => onload)
+            // */
+
+            var xhr = new XMLHttpRequest()
+
+            xhr.responseType = 'json'
+            // TODO spinner, pending action notification, or something
+            xhr.onerror = () => {
+                // this.actionResults.splice(idx, 1, {...item, done: true, failed: true })
+            }
+            xhr.onload = (r) => {
+                if (xhr.status != 200) {
+                    this.error = xhr.response
+                    return
+                }
+                // this.actionResults.splice(idx, 1, {...item, done: true, resp: xhr.responseText})
+                this.error = null
+                if (onload) {
+                    onload(xhr.response)
+                }
+            }
+
+            xhr.open("POST", action)
+            xhr.setRequestHeader('Accept', 'application/json')
+            xhr.setRequestHeader('Content-Type', contentType)
+            if (this.session.token) {
+                xhr.setRequestHeader('Authorization', 'Bearer '+this.session.token)
+            }
+
+            if (contentType == "application/json") {
+                xhr.send(JSON.stringify(data))
+            } else {
+                xhr.send(data)
+            }
+        },
+        download(url) {
+            event.target.target = '_blank'
+            event.target.href = this.downloadLink(url)
+        },
+        downloadLink(url) {
+            // TODO once-shot download link
+            return url + '?token=' + this.session.token
+        },
+        watchPublicState() {
+            this.watchStream('publicState', '/public-state')
+        },
+        watchState() {
+            this.watchStream('state', '/state', true)
+        },
+        watchStream(field, path, withToken) {
+            let evtSrc = new EventSource(path + (withToken ? '?token='+this.session.token : ''));
+            evtSrc.onmessage = (e) => {
+                let update = JSON.parse(e.data)
+
+                console.log("watch "+path+":", update)
+
+                if (update.err) {
+                    console.log("watch error from server:", err)
+                }
+                if (update.set) {
+                    this[field] = update.set
+                }
+                if (update.p) { // patch
+                    new jsonpatch.JSONPatch(update.p, true).apply(this[field])
+                }
+            }
+            evtSrc.onerror = (e) => {
+                // console.log("event source " + path + " error:", e)
+                if (evtSrc) evtSrc.close()
+
+                this[field] = null
+
+                window.setTimeout(() => { this.watchStream(field, path, withToken) }, 1000)
+            }
+        },
+    }
+
+}).mount('#app')
+
--- a/html/ui/js/jsonpatch.min.js
+++ b/html/ui/js/jsonpatch.min.js
--- a/html/ui/js/vue.esm-browser.js
+++ b/html/ui/js/vue.esm-browser.js
--- a/html/ui/style.css
+++ b/html/ui/style.css
@ -0,0 +1,152 @@
+body {
+    background: white;
+}
+
+button[disabled] {
+    opacity: 0.5;
+}
+
+a[href], a[href]:visited, button.link {
+    border: none;
+    color: blue;
+    background: none;
+    cursor: pointer;
+    text-decoration: none;
+}
+
+table {
+    border-collapse: collapse;
+}
+th, td {
+    border-left:   dotted 1pt;
+    border-right:  dotted 1pt;
+    border-bottom: dotted 1pt;
+    padding: 2pt 4pt;
+}
+tr:first-child > th {
+    border-top: dotted 1pt;
+}
+th, tr:last-child > td {
+    border-bottom: solid 1pt;
+}
+
+.flat > * { margin-left: 1ex; }
+.flat > *:first-child { margin-left: 0; }
+
+.green { color: green; }
+.red   { color: red; }
+
+@media (prefers-color-scheme: dark) {
+  body {
+    background: black;
+    color: orange;
+  }
+  button, input[type=submit] {
+    background: #333;
+    color: #eee;
+  }
+  a[href], a[href]:visited, button.link {
+    border: none;
+    color: #31b0fa;
+  }
+
+  .red { color: #c00; }
+}
+
+header {
+    display: flex;
+    align-items: center;
+    border-bottom: 2pt solid;
+    margin: 0 0 1em 0;
+    padding: 1ex;
+    justify-content: space-between;
+}
+#logo > img {
+    vertical-align: middle;
+}
+header .utils > * {
+    margin-left: 1ex;
+}
+
+.error {
+    display: flex;
+    position: relative;
+    background: rgba(255,0,0,0.2);
+    border: 1pt solid red;
+    justify-content: space-between;
+    align-items: center;
+}
+.error .btn-close,
+.error .code {
+    background: #600;
+    color: white;
+    font-weight: bold;
+    border: none;
+    align-self: stretch;
+    padding: 1ex 1em;
+}
+.error .code {
+    order: 1;
+
+    display: flex;
+    align-items: center;
+    text-align: center;
+}
+.error .message {
+    order: 2;
+    padding: 1ex 2em;
+}
+.error .btn-close {
+    order: 3;
+}
+
+.sheets {
+    display: flex;
+    align-items: stretch;
+}
+.sheets > div {
+    margin: 0 1ex;
+    border: 1pt solid;
+    border-radius: 6pt;
+}
+.sheets .title {
+    text-align: center;
+    font-weight: bold;
+    font-size: large;
+    padding: 2pt 6pt;
+    background: rgba(127,127,127,0.5);
+}
+.sheets .section {
+    padding: 2pt 6pt 2pt 6pt;
+    font-weight: bold;
+    border-top: 1px dotted;
+}
+.sheets section {
+    margin: 2pt 6pt 6pt 6pt;
+}
+.sheets > *:last-child > table:last-child > tr:last-child > td {
+    border-bottom: none;
+}
+
+.notif {
+    display: inline-block;
+    position: relative;
+}
+.notif > div:first-child {
+    position: absolute;
+    min-width: 100%; height: 100%;
+    background: white;
+    opacity: 75%;
+    text-align: center;
+}
+
+.links > * { margin-left: 1ex; }
+.links > *:first-child { margin-left: 0; }
+
+@media (prefers-color-scheme: dark) {
+  .notif > div:first-child {
+    background: black;
+  }
+}
+
+.copy { font-size: small; }
--- a/2
+++ b/2
@ -0,0 +1,2 @@
+#! /bin/sh
+go install -trimpath ./cmd/...
--- a/modd.conf
+++ b/modd.conf
@ -1,10 +1,26 @@
-**/*.go go.mod go.sum Dockerfile {
+modd.conf {}
+
+**/*.go go.mod go.sum {
  prep: go test ./...
-  prep: go install -trimpath ./cmd/...
-  prep: docker build --build-arg GOPROXY=$GOPROXY -t dls .
+  prep: mkdir -p dist
+  prep: hack/build ./...
+  #prep: docker build --build-arg GOPROXY=$GOPROXY -t dls .
  #daemon +sigterm: /var/lib/direktil/test-run
 }

+html/**/* {
+  prep: hack/build ./cmd/dkl-local-server
+}
+
+dist/dkl-local-server {
+  prep: mkdir -p tmp
+  #daemon +sigterm: dist/dkl-local-server -data tmp -auto-unlock test
+}
+
+dist/dkl-dir2config {
+  prep: dist/dkl-dir2config --debug --in test-dir2config
+}
+
 **/*.proto !dist/**/* {
  prep: for mod in @mods; do protoc -I ./ --go_out=plugins=grpc,paths=source_relative:. $mod; done
 }
--- a/pkg/clustersconfig/clustersconfig.go
+++ b/pkg/clustersconfig/clustersconfig.go
@ -25,11 +25,9 @@ var (

 type Config struct {
 	Hosts        []*Host
-	Groups        []*Group
 	Clusters     []*Cluster
 	Configs      []*Template
-	StaticPods    []*Template            `yaml:"static_pods"`
-	BootstrapPods map[string][]*Template `yaml:"bootstrap_pods"`
+	StaticPods   map[string][]*Template `yaml:"static_pods"`
 	Addons       map[string][]*Template
 	SSLConfig    string         `yaml:"ssl_config"`
 	CertRequests []*CertRequest `yaml:"cert_requests"`
@ -89,15 +87,6 @@ func (c *Config) HostByMAC(mac string) *Host {
 	return nil
 }

-func (c *Config) Group(name string) *Group {
-	for _, group := range c.Groups {
-		if group.Name == name {
-			return group
-		}
-	}
-	return nil
-}
-
 func (c *Config) Cluster(name string) *Cluster {
 	for _, cluster := range c.Clusters {
 		if cluster.Name == name {
@ -116,15 +105,6 @@ func (c *Config) ConfigTemplate(name string) *Template {
 	return nil
 }

-func (c *Config) StaticPodsTemplate(name string) *Template {
-	for _, s := range c.StaticPods {
-		if s.Name == name {
-			return s
-		}
-	}
-	return nil
-}
-
 func (c *Config) CSR(name string) *CertRequest {
 	for _, s := range c.CertRequests {
 		if s.Name == name {
@ -146,17 +126,19 @@ func (c *Config) SaveTo(path string) error {
 type Template struct {
 	Name     string
 	Template string
-
-	parsedTemplate *template.Template
 }

 func (t *Template) Execute(contextName, elementName string, wr io.Writer, data interface{}, extraFuncs map[string]interface{}) error {
-	if t.parsedTemplate == nil {
 	var templateFuncs = map[string]interface{}{
 		"indent": func(indent, s string) (indented string) {
 			indented = indent + strings.Replace(s, "\n", "\n"+indent, -1)
 			return
 		},
+		"yaml": func(v any) (s string, err error) {
+			ba, err := yaml.Marshal(v)
+			s = string(ba)
+			return
+		},
 	}

 	for name, f := range extraFuncs {
@ -169,8 +151,6 @@ func (t *Template) Execute(contextName, elementName string, wr io.Writer, data i
 	if err != nil {
 		return err
 	}
-		t.parsedTemplate = tmpl
-	}

 	if *templateDetailsDir != "" {
 		templateID++
@ -204,7 +184,7 @@ func (t *Template) Execute(contextName, elementName string, wr io.Writer, data i
 		wr = io.MultiWriter(wr, out)
 	}

-	return t.parsedTemplate.Execute(wr, data)
+	return tmpl.Execute(wr, data)
 }

 // Host represents a host served by this server.
@ -220,24 +200,16 @@ type Host struct {
 	IPs     []string
 	Cluster string
 	Group   string
-	Vars    Vars
-}

-// Group represents a group of hosts and provides their configuration.
-type Group struct {
-	WithRev
-
-	Name        string
-	Labels      map[string]string
-	Annotations map[string]string
-
-	Master     bool
 	IPXE            string
 	Kernel          string
 	Initrd          string
+	BootstrapConfig string `yaml:"bootstrap_config"`
 	Config          string
-	StaticPods string `yaml:"static_pods"`
 	Versions        map[string]string
+
+	StaticPods string `yaml:"static_pods"`
+
 	Vars Vars
 }

@ -253,12 +225,12 @@ type Cluster struct {
 	Annotations map[string]string

 	Domain  string
-	Addons        string
-	BootstrapPods string `yaml:"bootstrap_pods"`
+	Addons  []string
 	Subnets struct {
 		Services string
 		Pods     string
 	}
+
 	Vars Vars
 }

@ -273,7 +245,7 @@ func (c *Cluster) DNSSvcIP() net.IP {
 func (c *Cluster) NthSvcIP(n byte) net.IP {
 	_, cidr, err := net.ParseCIDR(c.Subnets.Services)
 	if err != nil {
-		panic(fmt.Errorf("Invalid services CIDR: %v", err))
+		panic(fmt.Errorf("invalid services CIDR: %v", err))
 	}

 	ip := cidr.IP
--- a/pkg/clustersconfig/dir.go
+++ b/pkg/clustersconfig/dir.go
@ -3,7 +3,6 @@ package clustersconfig
 import (
 	"fmt"
 	"io/ioutil"
-	"log"
 	"os"
 	"path"
 	"path/filepath"
@ -15,40 +14,38 @@ import (
 // Debug enables debug logs from this package.
 var Debug = false

-func FromDir(dirPath, defaultsPath string) (*Config, error) {
-	if Debug {
-		log.Printf("loading config from dir %s (defaults from %s)", dirPath, defaultsPath)
-	}
+func FromDir(
+	read func(path string) ([]byte, error),
+	assemble func(path string) ([]byte, error),
+	listBase func(path string) ([]string, error),
+	listMerged func(path string) ([]string, error),
+) (*Config, error) {

-	defaults, err := NewDefaults(defaultsPath)
+	load := func(dir, name string, out any) (err error) {
+		ba, err := assemble(filepath.Join(dir, name))
 		if err != nil {
-		return nil, fmt.Errorf("failed to load defaults: %v", err)
+			return
 		}
-
-	store := &dirStore{dirPath}
-	load := func(dir, name string, out Rev) error {
-		ba, err := store.Get(path.Join(dir, name))
+		err = yaml.UnmarshalStrict(ba, out)
 		if err != nil {
-			return fmt.Errorf("failed to load %s/%s from dir: %v", dir, name, err)
-		}
-		if err = defaults.Load(dir, ".yaml", out, ba); err != nil {
-			return fmt.Errorf("failed to enrich %s/%s from defaults: %v", dir, name, err)
+			return
 		}
 		return nil
 	}

 	config := &Config{
 		Addons:     make(map[string][]*Template),
-		BootstrapPods: make(map[string][]*Template),
+		StaticPods: make(map[string][]*Template),
 	}

 	// load clusters
-	names, err := store.List("clusters")
+	names, err := listBase("clusters")
 	if err != nil {
 		return nil, fmt.Errorf("failed to list clusters: %v", err)
 	}

 	for _, name := range names {
+		name, _ = strings.CutSuffix(name, ".yaml")
 		cluster := &Cluster{Name: name}
 		if err := load("clusters", name, cluster); err != nil {
 			return nil, err
@ -57,98 +54,14 @@ func FromDir(dirPath, defaultsPath string) (*Config, error) {
 		config.Clusters = append(config.Clusters, cluster)
 	}

-	// load groups
-	names, err = store.List("groups")
-	if err != nil {
-		return nil, fmt.Errorf("failed to list groups: %v", err)
-	}
-
-	read := func(rev, filePath string) (data []byte, fromDefaults bool, err error) {
-		data, err = store.Get(filePath)
-		if err != nil {
-			err = fmt.Errorf("faild to read %s: %v", filePath, err)
-			return
-		}
-
-		if data != nil {
-			return // ok
-		}
-
-		if len(rev) == 0 {
-			err = fmt.Errorf("entry not found: %s", filePath)
-			return
-		}
-
-		data, err = defaults.ReadAll(rev, filePath+".yaml")
-		if err != nil {
-			err = fmt.Errorf("failed to read %s:%s: %v", rev, filePath, err)
-			return
-		}
-
-		fromDefaults = true
-		return
-	}
-
-	template := func(rev, dir, name string, templates *[]*Template) (ref string, err error) {
-		ref = name
-		if len(name) == 0 {
-			return
-		}
-
-		ba, fromDefaults, err := read(rev, path.Join(dir, name))
-		if err != nil {
-			return
-		}
-
-		if fromDefaults {
-			ref = rev + ":" + name
-		}
-
-		if !hasTemplate(ref, *templates) {
-			if Debug {
-				log.Printf("new template in %s: %s", dir, ref)
-			}
-
-			*templates = append(*templates, &Template{
-				Name:     ref,
-				Template: string(ba),
-			})
-		}
-
-		return
-	}
-
-	for _, name := range names {
-		group := &Group{Name: name}
-		if err := load("groups", name, group); err != nil {
-			return nil, err
-		}
-
-		group.Config, err = template(group.Rev(), "configs", group.Config, &config.Configs)
-		if err != nil {
-			return nil, fmt.Errorf("failed to load config for group %q: %v", name, err)
-		}
-
-		if Debug {
-			log.Printf("group %q: config=%q static_pods=%q",
-				group.Name, group.Config, group.StaticPods)
-		}
-
-		group.StaticPods, err = template(group.Rev(), "static-pods", group.StaticPods, &config.StaticPods)
-		if err != nil {
-			return nil, fmt.Errorf("failed to load static pods for group %q: %v", name, err)
-		}
-
-		config.Groups = append(config.Groups, group)
-	}
-
 	// load hosts
-	names, err = store.List("hosts")
+	names, err = listBase("hosts")
 	if err != nil {
 		return nil, fmt.Errorf("failed to list hosts: %v", err)
 	}

 	for _, name := range names {
+		name, _ = strings.CutSuffix(name, ".yaml")
 		o := &Host{Name: name}
 		if err := load("hosts", name, o); err != nil {
 			return nil, err
@ -158,28 +71,20 @@ func FromDir(dirPath, defaultsPath string) (*Config, error) {
 	}

 	// load config templates
-	loadTemplates := func(rev, dir string, templates *[]*Template) error {
-		names, err := store.List(dir)
+	loadTemplates := func(dir string, templates *[]*Template) error {
+		names, err := listMerged(dir)
 		if err != nil {
 			return fmt.Errorf("failed to list %s: %v", dir, err)
 		}

-		if len(rev) != 0 {
-			var defaultsNames []string
-			defaultsNames, err = defaults.List(rev, dir)
-			if err != nil {
-				return fmt.Errorf("failed to list %s:%s: %v", rev, dir, err)
-			}
+		for _, fullName := range names {
+			name, _ := strings.CutSuffix(fullName, ".yaml")

-			names = append(names, defaultsNames...)
-		}
-
-		for _, name := range names {
 			if hasTemplate(name, *templates) {
 				continue
 			}

-			ba, _, err := read(rev, path.Join(dir, name))
+			ba, err := read(path.Join(dir, fullName))
 			if err != nil {
 				return err
 			}
@ -193,53 +98,57 @@ func FromDir(dirPath, defaultsPath string) (*Config, error) {
 		return nil
 	}

+	loadTemplates("configs", &config.Configs)
+
 	// cluster addons
 	for _, cluster := range config.Clusters {
-		addonSet := cluster.Addons
-		if len(addonSet) == 0 {
+		addonSets := cluster.Addons
+		if len(addonSets) == 0 {
 			continue
 		}

+		for _, addonSet := range addonSets {
 			if _, ok := config.Addons[addonSet]; ok {
 				continue
 			}

 			templates := make([]*Template, 0)
-		if err = loadTemplates(cluster.Rev(), path.Join("addons", addonSet), &templates); err != nil {
+			if err = loadTemplates(path.Join("addons", addonSet), &templates); err != nil {
 				return nil, err
 			}

 			config.Addons[addonSet] = templates
 		}
+	}

-	// cluster bootstrap pods
-	for _, cluster := range config.Clusters {
-		bpSet := cluster.BootstrapPods
+	// cluster static pods
+	for _, host := range config.Hosts {
+		bpSet := host.StaticPods
 		if bpSet == "" {
 			continue
 		}

-		if _, ok := config.BootstrapPods[bpSet]; ok {
+		if _, ok := config.StaticPods[bpSet]; ok {
 			continue
 		}

 		templates := make([]*Template, 0)
-		if err = loadTemplates(cluster.Rev(), path.Join("bootstrap-pods", bpSet), &templates); err != nil {
+		if err = loadTemplates(path.Join("static-pods", bpSet), &templates); err != nil {
 			return nil, err
 		}

-		config.BootstrapPods[bpSet] = templates
+		config.StaticPods[bpSet] = templates
 	}

 	// load SSL configuration
-	if ba, err := ioutil.ReadFile(filepath.Join(dirPath, "ssl-config.json")); err == nil {
+	if ba, err := read("ssl-config.json"); err == nil {
 		config.SSLConfig = string(ba)

 	} else if !os.IsNotExist(err) {
 		return nil, err
 	}

-	if ba, err := ioutil.ReadFile(filepath.Join(dirPath, "cert-requests.yaml")); err == nil {
+	if ba, err := read("cert-requests.yaml"); err == nil {
 		reqs := make([]*CertRequest, 0)
 		if err = yaml.Unmarshal(ba, &reqs); err != nil {
 			return nil, err
--- a/pkg/initrdconfig/config.go
+++ b/pkg/initrdconfig/config.go
@ -0,0 +1,61 @@
+package config
+
+type Config struct {
+	AntiPhishingCode string `json:"anti_phishing_code"`
+
+	Keymap  string
+	Modules string
+
+	Auths []Auth
+
+	Networks []struct {
+		Name       string
+		Interfaces []struct {
+			Var     string
+			N       int
+			Regexps []string
+		}
+		Script string
+	}
+
+	LVM       []LvmVG
+	Bootstrap Bootstrap
+}
+
+type Auth struct {
+	Name     string
+	SSHKey   string `yaml:"sshKey"`
+	Password string `yaml:"password"`
+}
+
+type LvmVG struct {
+	VG  string
+	PVs struct {
+		N       int
+		Regexps []string
+	}
+
+	Defaults struct {
+		FS   string
+		Raid *RaidConfig
+	}
+
+	LVs []struct {
+		Name    string
+		Crypt   string
+		FS      string
+		Raid    *RaidConfig
+		Size    string
+		Extents string
+	}
+}
+
+type RaidConfig struct {
+	Mirrors int
+	Stripes int
+}
+
+type Bootstrap struct {
+	Dev  string
+	Seed string
+}
--- a/pkg/mime/mime.go
+++ b/pkg/mime/mime.go
@ -1,6 +1,7 @@
 package mime

 const (
+	JSON   = "application/json"
 	YAML   = "text/vnd.yaml"
 	TAR    = "application/tar"
 	DISK   = "application/x-diskimage"
--- a/pkg/utf16/utf16.go
+++ b/pkg/utf16/utf16.go
@ -0,0 +1,29 @@
+package utf16
+
+import (
+	"encoding/binary"
+    "fmt"
+	"unicode/utf8"
+)
+
+func FromUTF8(data []byte) (res []byte) {
+    endian := binary.LittleEndian
+
+	res = make([]byte, (len(data)+1)*2)
+
+    res = res[:2]
+    endian.PutUint16(res, 0xfeff)
+
+	for len(data) > 0 {
+		r, size := utf8.DecodeRune(data)
+		if r > 65535 {
+            panic(fmt.Errorf("r=0x%x > 0xffff", r))
+        }
+
+		slen := len(res)
+		res = res[:slen+2]
+		endian.PutUint16(res[slen:], uint16(r))
+		data = data[size:]
+	}
+	return
+}
--- a/secretstore/io.go
+++ b/secretstore/io.go
@ -0,0 +1,30 @@
+package secretstore
+
+import (
+	"crypto/rand"
+	"encoding/binary"
+	"fmt"
+	"io"
+)
+
+func readFull(in io.Reader, ba []byte) (err error) {
+	_, err = io.ReadFull(in, ba)
+	return
+}
+
+func read[T any](in io.Reader) (v T, err error) {
+	err = binary.Read(in, binary.BigEndian, &v)
+	return
+}
+
+var readSize = read[uint16]
+
+func randRead(ba []byte) (err error) {
+	err = readFull(rand.Reader, ba)
+	if err != nil {
+		err = fmt.Errorf("failed to read random bytes: %w", err)
+		return
+	}
+
+	return
+}
--- a/secretstore/mem.go
+++ b/secretstore/mem.go
@ -0,0 +1,9 @@
+package secretstore
+
+func Memzero(ba []byte) { memzero(ba) }
+
+func memzero(ba []byte) {
+	for i := range ba {
+		ba[i] = 0
+	}
+}
--- a/secretstore/reader.go
+++ b/secretstore/reader.go
@ -0,0 +1,68 @@
+package secretstore
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"io"
+)
+
+func (s *Store) NewReader(reader io.Reader) (r io.Reader, err error) {
+	iv := [aes.BlockSize]byte{}
+
+	err = readFull(reader, iv[:])
+	if err != nil {
+		return
+	}
+
+	r = storeReader{reader, s.NewDecrypter(iv)}
+	return
+}
+
+type storeReader struct {
+	reader    io.Reader
+	decrypter cipher.Stream
+}
+
+func (r storeReader) Read(ba []byte) (n int, err error) {
+	n, err = r.reader.Read(ba)
+
+	if n > 0 {
+		r.decrypter.XORKeyStream(ba[:n], ba[:n])
+	}
+
+	return
+}
+
+func (s *Store) NewWriter(writer io.Writer) (r io.Writer, err error) {
+	iv := [aes.BlockSize]byte{}
+
+	if err = randRead(iv[:]); err != nil {
+		return
+	}
+
+	_, err = writer.Write(iv[:])
+	if err != nil {
+		return
+	}
+
+	r = storeWriter{writer, s.NewEncrypter(iv)}
+	return
+}
+
+type storeWriter struct {
+	writer    io.Writer
+	encrypter cipher.Stream
+}
+
+func (r storeWriter) Write(ba []byte) (n int, err error) {
+	if len(ba) == 0 {
+		return
+	}
+
+	encBA := make([]byte, len(ba))
+	r.encrypter.XORKeyStream(encBA, ba)
+
+	n, err = r.writer.Write(encBA)
+
+	return
+}
--- a/secretstore/secret-store.go
+++ b/secretstore/secret-store.go
@ -0,0 +1,278 @@
+package secretstore
+
+import (
+	"bufio"
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/sha512"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"strconv"
+	"syscall"
+
+	"golang.org/x/crypto/argon2"
+)
+
+type Store struct {
+	Salt [aes.BlockSize]byte
+	Keys []KeyEntry
+
+	unlocked bool
+	key      [32]byte
+}
+
+type KeyEntry struct {
+	Name   string
+	Hash   [64]byte
+	EncKey [32]byte
+}
+
+func New() (s *Store) {
+	s = &Store{}
+	syscall.Mlock(s.key[:])
+	return
+}
+
+func Open(path string) (s *Store, err error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return
+	}
+
+	defer f.Close()
+
+	s = New()
+	_, err = s.ReadFrom(bufio.NewReader(f))
+
+	return
+}
+
+func (s *Store) SaveTo(path string) (err error) {
+	f, err := os.OpenFile(path, syscall.O_CREAT|syscall.O_TRUNC|syscall.O_WRONLY, 0600)
+	if err != nil {
+		return
+	}
+
+	defer f.Close()
+
+	out := bufio.NewWriter(f)
+
+	_, err = s.WriteTo(out)
+	if err != nil {
+		return
+	}
+
+	err = out.Flush()
+	if err != nil {
+		return
+	}
+
+	return
+}
+
+func (s *Store) Close() {
+	memzero(s.key[:])
+	syscall.Munlock(s.key[:])
+	s.unlocked = false
+}
+
+func (s *Store) IsNew() bool {
+	return len(s.Keys) == 0
+}
+
+func (s *Store) Unlocked() bool {
+	return s.unlocked
+}
+
+func (s *Store) Init(name string, passphrase []byte) (err error) {
+	err = randRead(s.key[:])
+	if err != nil {
+		return
+	}
+	err = randRead(s.Salt[:])
+	if err != nil {
+		return
+	}
+
+	s.AddKey(name, passphrase)
+
+	s.unlocked = true
+
+	return
+}
+
+var jsonFormatHdr = []byte("{json}")
+
+func (s *Store) ReadFrom(in io.Reader) (n int64, err error) {
+	memzero(s.key[:])
+	s.unlocked = false
+
+	defer func() {
+		if err != nil {
+			log.Output(2, fmt.Sprintf("failed after %d bytes", n))
+		}
+	}()
+
+	readFull := func(ba []byte) {
+		var nr int
+		nr, err = io.ReadFull(in, ba)
+		n += int64(nr)
+	}
+
+	// read the file's start (json header or start of salt)
+
+	readFull(s.Salt[:len(jsonFormatHdr)])
+	if err != nil {
+		return
+	}
+
+	if !bytes.Equal(s.Salt[:len(jsonFormatHdr)], jsonFormatHdr) {
+		// old key file
+
+		// finish reading the salt
+		readFull(s.Salt[len(jsonFormatHdr):])
+		if err != nil {
+			return
+		}
+
+		// read the (encrypted) keys
+		s.Keys = make([]KeyEntry, 0)
+		for {
+			k := KeyEntry{Name: "key-" + strconv.Itoa(len(s.Keys))}
+			readFull(k.Hash[:])
+			if err != nil {
+				if err == io.EOF {
+					err = nil
+				}
+				return
+			}
+			readFull(k.EncKey[:])
+			if err != nil {
+				return
+			}
+
+			s.Keys = append(s.Keys, k)
+		}
+	}
+
+	err = json.NewDecoder(in).Decode(s)
+	return
+}
+
+func (s *Store) WriteTo(out io.Writer) (n int64, err error) {
+	_, err = out.Write(jsonFormatHdr)
+	if err != nil {
+		return
+	}
+	err = json.NewEncoder(out).Encode(s)
+	return
+}
+
+var ErrNoSuchKey = errors.New("no such key")
+
+func (s *Store) HasKey(passphrase []byte) bool {
+	key, hash := s.keyPairFromPassword(passphrase)
+	defer memzero(key[:])
+
+	for _, k := range s.Keys {
+		if k.Hash == hash {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (s *Store) Unlock(passphrase []byte) (ok bool) {
+	key, hash := s.keyPairFromPassword(passphrase)
+	defer memzero(key[:])
+
+	var idx = -1
+	for i := range s.Keys {
+		if hash == s.Keys[i].Hash {
+			idx = i
+			break
+		}
+	}
+
+	if idx == -1 {
+		return
+	}
+
+	s.decryptTo(s.key[:], s.Keys[idx].EncKey[:], &key)
+
+	s.unlocked = true
+	return true
+}
+
+func (s *Store) AddKey(name string, passphrase []byte) {
+	key, hash := s.keyPairFromPassword(passphrase)
+	memzero(passphrase)
+
+	defer memzero(key[:])
+
+	k := KeyEntry{Name: name, Hash: hash}
+
+	encKey := s.encrypt(s.key[:], &key)
+	copy(k.EncKey[:], encKey)
+
+	s.Keys = append(s.Keys, k)
+}
+
+func (s *Store) keyPairFromPassword(password []byte) (key [32]byte, hash [64]byte) {
+	keySlice := argon2.IDKey(password, s.Salt[:], 1, 64*1024, 4, 32)
+
+	copy(key[:], keySlice)
+	memzero(keySlice)
+
+	hash = sha512.Sum512(key[:])
+
+	return
+}
+
+func (s *Store) NewEncrypter(iv [aes.BlockSize]byte) cipher.Stream {
+	if !s.unlocked {
+		panic("not unlocked")
+	}
+	return newEncrypter(iv, &s.key)
+}
+
+func (s *Store) NewDecrypter(iv [aes.BlockSize]byte) cipher.Stream {
+	if !s.unlocked {
+		panic("not unlocked")
+	}
+	return newDecrypter(iv, &s.key)
+}
+
+func (s *Store) encrypt(src []byte, key *[32]byte) (dst []byte) {
+	dst = make([]byte, len(src))
+	newEncrypter(s.Salt, key).XORKeyStream(dst, src)
+	return
+}
+
+func (s *Store) decryptTo(dst []byte, src []byte, key *[32]byte) {
+	newDecrypter(s.Salt, key).XORKeyStream(dst, src)
+}
+
+func newEncrypter(iv [aes.BlockSize]byte, key *[32]byte) cipher.Stream {
+	c, err := aes.NewCipher(key[:])
+	if err != nil {
+		panic(fmt.Errorf("failed to init AES: %w", err))
+	}
+
+	return cipher.NewCFBEncrypter(c, iv[:])
+}
+
+func newDecrypter(iv [aes.BlockSize]byte, key *[32]byte) cipher.Stream {
+	c, err := aes.NewCipher(key[:])
+	if err != nil {
+		panic(fmt.Errorf("failed to init AES: %w", err))
+	}
+
+	return cipher.NewCFBDecrypter(c, iv[:])
+}
--- a/upload-vmware.sh
+++ b/upload-vmware.sh
@ -1,27 +0,0 @@
-set -e
-
-dir=/var/lib/direktil/
-PATH=$PATH:$dir
-cd $dir
-
-if [ ! -f govc.env ]; then
-    echo ERROR: govc.env file not found in dir $dir ; exit 1
-fi
-source govc.env
-
-if [ $# != 2 ]; then
-    echo "Usage: $0 <VM_NAME> <NOVIT_HOST>" ; exit 1
-fi
-
-if [[ -z $NOVIT_VM_FOLDER || -z $NOVIT_ISO_FOLDER ]]; then
-    echo "ERROR: All GOVC env vars (including NOVIT_VM_FOLDER and NOVIT_ISO_FOLDER) must be provided" ; exit 1
-fi
-
-VM=$1
-HOST=$2
-
-govc vm.power -off "$NOVIT_VM_FOLDER/$VM" || true
-sleep 5
-curl localhost:7606/hosts/$HOST/boot.iso | govc datastore.upload - "$NOVIT_ISO_FOLDER/$VM.iso"
-sleep 5
-govc vm.power -on "$NOVIT_VM_FOLDER/$VM"
Author	SHA1	Message	Date
Mikaël Cluseau	f59eca6724	use GIT_TAG to override Version	2024-01-07 11:10:45 +01:00
Mikaël Cluseau	b5b7272603	docker: update & use build cache	2024-01-07 10:56:42 +01:00
Mikaël Cluseau	4f48866daa	dir2config: templates: 'default' fn	2024-01-06 18:20:03 +01:00
Mikaël Cluseau	b616b710cb	hashes passwords support	2023-12-17 17:29:17 +01:00
Mikaël Cluseau	c02f701c04	ssh: load more host key formats than rsa	2023-12-17 14:40:48 +01:00
Mikaël Cluseau	7f429a863d	clear initrd-v2 flag, use config	2023-11-27 15:46:58 +01:00
Mikaël Cluseau	29ed01a19f	hack: +install +docker-build	2023-11-27 13:52:44 +01:00
Mikaël Cluseau	07e9dccd06	dir2config: add version	2023-11-25 16:47:20 +01:00
Mikaël Cluseau	40d08139db	public/unlock-store: idempotent call for passphrases This allows the user to call it even after the store has been unlock in order to get the admin token.	2023-11-09 08:59:30 +01:00
Mikaël Cluseau	efa6193954	update Dockerfile to use hack/build	2023-11-07 15:17:47 +01:00
Mikaël Cluseau	f7b708ce4b	add server version/commit in logs and UI	2023-11-04 13:53:00 +01:00
Mikaël Cluseau	41897c00b4	go mod update	2023-11-04 13:24:57 +01:00
Mikaël Cluseau	ee5629643c	named passphrases (+deletion by name)	2023-09-10 16:47:54 +02:00
Mikaël Cluseau	34afe03818	cleanup old boot v1 code	2023-08-20 11:13:51 +02:00
Mikaël Cluseau	25c2d20c19	ui: better ordering	2023-08-19 21:19:50 +02:00
Mikaël Cluseau	c338522b33	allow store upload, + upload UIs for store and config	2023-08-19 21:17:23 +02:00
Mikaël Cluseau	b6fa941fcc	cleanup	2023-05-22 19:16:11 +02:00
Mikaël Cluseau	7619998d8f	dockerignore more	2023-05-22 19:05:33 +02:00
Mikaël Cluseau	b6e7c55704	cleanup hosts ws	2023-05-18 19:55:52 +02:00
Mikaël Cluseau	4ed50e3b78	upgrade dockerfile	2023-05-15 19:34:51 +02:00
Mikaël Cluseau	dac6613646	fix code vs status in store errors	2023-05-15 19:27:36 +02:00
Mikaël Cluseau	a8ccb6990b	fix last refs to bootstrap-pods	2023-05-15 16:54:29 +02:00
Mikaël Cluseau	b1cdb30622	boostrap pods -> static pods	2023-05-15 16:22:04 +02:00
Mikaël Cluseau	50bb60823f	yaml render func	2023-05-15 15:54:23 +02:00
Mikaël Cluseau	482d3c83ba	host_by_group: scope in cluster	2023-05-15 15:54:16 +02:00
Mikaël Cluseau	74abbf9eda	cluster: addons as list	2023-05-15 14:47:53 +02:00
Mikaël Cluseau	76c1861017	bump deps	2023-05-01 16:33:56 +02:00
Mikaël Cluseau	0d0494b825	dir2config: switch to includes instead of ad-hoc defaults	2023-05-01 16:09:54 +02:00
Mikaël Cluseau	c6320049ff	bump go	2023-04-16 22:54:19 +02:00
Mikaël Cluseau	9e56acfc9a	chore: simplify	2023-04-11 15:14:03 +02:00
Mikaël Cluseau	6197369e04	go bump	2023-03-22 20:45:28 +01:00
Mikaël Cluseau	d950bc6996	go mod tidy	2023-03-07 14:46:47 +01:00
Mikaël Cluseau	18dc85d6fb	missing notfound	2023-02-21 10:39:57 +01:00
Mikaël Cluseau	26953cf703	secrets migration	2023-02-15 08:49:34 +01:00
Mikaël Cluseau	1f03315897	log fix	2023-02-13 18:34:45 +01:00
Mikaël Cluseau	5a6c0fa3d8	rework not found	2023-02-13 18:07:10 +01:00
Mikaël Cluseau	4acdf88785	misc fixes	2023-02-13 17:31:37 +01:00
Mikaël Cluseau	bde41c9859	host download tokens	2023-02-13 17:08:17 +01:00
Mikaël Cluseau	1e3ac9a0fb	store download & add key	2023-02-13 13:21:45 +01:00
Mikaël Cluseau	1672b901d4	cosmestic	2023-02-12 18:59:14 +01:00
Mikaël Cluseau	11f3c953e2	migration to new secrets nearly complete	2023-02-12 15:18:42 +01:00
Mikaël Cluseau	3bc20e95cc	secrets migration & restitution	2023-02-12 11:58:26 +01:00
Mikaël Cluseau	1aefc5d2b7	go.mod: go 1.20	2023-02-09 08:58:48 +01:00
Mikaël Cluseau	5c432e3b42	go mod update	2023-02-07 21:31:02 +01:00
Mikaël Cluseau	b6c714fac7	downloads API, UI	2023-02-07 21:29:19 +01:00
Mikaël Cluseau	e44303eab9	go mod update	2023-02-02 17:08:56 +01:00
Mikaël Cluseau	2a9295e8e8	bump initrdv2	2023-02-02 00:32:38 +01:00
Mikaël Cluseau	52ffbe9727	go mod update	2023-01-27 12:01:56 +01:00
Mikaël Cluseau	811a3bddfd	renew: don't use Renew, just create a new cert	2023-01-27 06:42:39 +01:00
Mikaël Cluseau	227c341f6b	renew: hande more error cases	2023-01-27 06:25:51 +01:00
Mikaël Cluseau	153c37b591	secrets: more verbose errors	2023-01-27 06:13:05 +01:00
Mikaël Cluseau	4ff85eaeb3	remove bootstrap pods from cluster, and render in hosts' context	2023-01-16 18:17:11 +01:00
Mikaël Cluseau	76e02c6f31	allow configuration of grub-support version	2022-12-22 00:28:54 +01:00
Mikaël Cluseau	93b32eb52a	dockerfile: go 1.19.0	2022-08-05 16:06:36 +02:00
Mikaël Cluseau	0fcd219268	boot-v2.iso: initial commit	2022-07-21 16:03:39 +02:00
Mikaël Cluseau	18d3c42fc7	boot efi	2022-05-31 11:57:21 +02:00
Mikaël Cluseau	645c617956	migrate boot.tar to initrd-v2	2022-05-31 09:52:43 +02:00
Mikaël Cluseau	dacfc8c6ce	upgrade deps	2022-04-28 10:01:21 +02:00
Mikaël Cluseau	16a0ff0823	bootv2 support	2022-04-28 03:33:19 +02:00
				`@ -0,0 +1 @@`
				`docker run --rm --net=host --user $(id -u) -v ${PWD}:/local swaggerapi/swagger-codegen-cli generate -i http://[::1]:7606/swagger.json -l javascript -o /local/js/api/`