nicklasfrahm
diff --git a/.editorconfig b/.editorconfig
@@ -15,3 +15,6 @@ trim_trailing_whitespace = false
 [Makefile]
 indent_style = tab
 indent_size = 4
+
+[*{D,d}ockerfile]
+indent_size = 4
diff --git a/.github/auto-merge.yml b/.github/auto-merge.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,15 +1,22 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
 version: 2
 updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
-
+      interval: "weekly"
+    commit-message:
+      prefix: "chore(ci)"
+    groups:
+      actions:
+        patterns:
+          - "*"
   - package-ecosystem: "gomod"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "weekly"
+    commit-message:
+      prefix: "fix(deps)"
+    groups:
+      gomodules:
+        patterns:
+          - "*"
diff --git a/.github/workflows/binaries.yml b/.github/workflows/binaries.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,174 @@
+name: Build
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+  pull_request_target:
+    types: [opened, synchronize, reopened, ready_for_review]
+  push:
+
+env:
+  CONTAINER_REGISTRY: ghcr.io
+  CONTAINER_IMAGE: ghcr.io/${{ github.repository }}
+  PLATFORMS: linux/amd64,linux/arm64
+
+jobs:
+  binaries:
+    name: Binaries
+    # pull_request_target: Only "dependabot[bot]" is allowed to access secrets.
+    # pull_request: All other forks are running without access to secrets.
+    runs-on: ubuntu-latest
+    if: |
+      (github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]') ||
+      (github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]')
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - linux/amd64
+          - linux/arm64
+          - linux/arm
+          - darwin/amd64
+          - darwin/arm64
+          - windows/amd64
+    steps:
+      - name: Clone repository
+        if: ${{ github.event_name != 'pull_request_target' }}
+        uses: actions/checkout@v4
+
+        # Allow "dependabot[bot]" to verify its changes with access to secrets and modified code.
+      - name: Clone repository for Dependabot
+        if: ${{ github.event_name == 'pull_request_target' }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Set up Go compiler
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          check-latest: true
+
+      - name: Fetch version from git history
+        if: github.ref_protected == true
+        uses: codfish/semantic-release-action@v3
+        id: semantic
+        with:
+          dry-run: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build binary
+        if: github.ref_protected == true
+        run: VERSION=v${{ steps.semantic.outputs.release-version }} UPX=-9 PLATFORM=${{ matrix.platform }} make build
+
+      - name: Build binary
+        if: github.ref_protected == false
+        run: UPX=-9 PLATFORM=${{ matrix.platform }} make build
+
+      - name: Format platform
+        id: platform
+        run: |
+          echo "platform=$(echo ${{ matrix.platform }} | tr "/" "-")" >>"$GITHUB_OUTPUT"
+
+      - name: Upload binary
+        uses: actions/upload-artifact@v4
+        with:
+          name: binary-${{ steps.platform.outputs.platform }}
+          path: bin/*
+
+  container:
+    name: Container
+    runs-on: ubuntu-latest
+    if: |
+      (github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]') ||
+      (github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]')
+    steps:
+      - name: Clone repository
+        if: ${{ github.event_name != 'pull_request_target' }}
+        uses: actions/checkout@v4
+
+        # Allow "dependabot[bot]" to verify its changes with access to secrets and modified code.
+      - name: Clone repository for Dependabot
+        if: ${{ github.event_name == 'pull_request_target' }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Fetch version from git history
+        uses: codfish/semantic-release-action@v3
+        id: semantic
+        with:
+          dry-run: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate container metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.CONTAINER_IMAGE }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=tag
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=raw,value=v${{ steps.semantic.outputs.release-version }},enable=${{ steps.semantic.outputs.new-release-published }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.CONTAINER_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push container image
+        uses: docker/build-push-action@v6
+        with:
+          file: build/package/Dockerfile
+          cache-from: type=registry,ref=${{ env.CONTAINER_IMAGE }}:main
+          cache-to: type=inline
+          platforms: ${{ env.PLATFORMS }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          push: ${{ steps.semantic.outputs.new-release-published }}
+          build-args: |
+            VERSION=v${{ steps.semantic.outputs.release-version }}
+
+  auto-merge:
+    name: Auto-merge
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    needs: [binaries, container]
+    steps:
+      - uses: ahmadnassri/action-dependabot-auto-merge@v2
+        with:
+          github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+          target: all
+
+  release:
+    name: Release
+    if: github.ref_protected == true && github.event_name == 'push'
+    needs: [binaries, container]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v4
+
+      - name: Download release artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: release
+          pattern: binary-*
+          merge-multiple: true
+
+      - name: Create release
+        uses: codfish/semantic-release-action@v3
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,12 @@
 # Ignore compiled binaries.
 bin/
+
+# Ignore Vagrant state.
+.vagrant/
+
+# Ignore downloaded Helm charts.
+deploy/demo/**/charts
+
+# Ignore cosign keys.
+*.key
+*.pub
diff --git a/Makefile b/Makefile
@@ -16,11 +16,67 @@ build: bin/$(TARGET)-$(SUFFIX)
 
 bin/$(TARGET)-$(SUFFIX): $(SOURCES)
 	@mkdir -p $(@D)
-	GOOS=$(GOOS) GOARCH=$(GOARCH) go build $(BUILD_FLAGS) -o $@ main.go
+	CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) go build $(BUILD_FLAGS) -o $@ main.go
 ifdef UPX
 	upx -qq $(UPX) $@
 endif
 
+.PHONY: vagrant-up
+vagrant-up:
+	cd deploy/vagrant; vagrant up
+
+.PHONY: vagrant-down
+vagrant-down:
+	cd deploy/vagrant; vagrant destroy -f
+
+/usr/local/bin/$(TARGET): bin/$(TARGET)-$(SUFFIX)
+	@sudo cp $^ $@
+	@sudo chmod 755 $@
+
+.PHONY: install
+install: /usr/local/bin/$(TARGET)
+
+.PHONY: uninstall
+uninstall:
+	@sudo rm -f /usr/local/bin/$(TARGET)
+
+.PHONY: docker
+docker:
+	@docker build \
+	  -t $(TARGET):latest \
+	  -t $(TARGET):$(VERSION) \
+	  --build-arg VERSION=$(VERSION) \
+	  -f build/package/Dockerfile .
+	@if command -v trivy >/dev/null; then trivy image $(TARGET); fi
+
 .PHONY: clean
 clean:
 	@rm -rvf bin
+
+.PHONY: demo-up
+demo-up: install
+	@echo -n "\e[35m==>\e[0m "
+	k3se up deploy/demo/k3se.yaml
+	@echo -n "\e[35m==>\e[0m "
+	kubectx admin@k3se.nicklasfrahm.xyz
+	@echo -n "\e[35m==>\e[0m "
+	kubectl create ns traefik --dry-run=client -o yaml | kubectl apply -f -
+	@echo -n "\e[35m==>\e[0m "
+	helm dependency update deploy/demo/traefik
+	@echo -n "\e[35m==>\e[0m "
+	helm upgrade --install traefik deploy/demo/traefik --namespace traefik
+	@echo -n "\e[35m==>\e[0m "
+	kubectl create ns cert-manager --dry-run=client -o yaml | kubectl apply -f -
+	@echo -n "\e[35m==>\e[0m "
+	helm dependency update deploy/demo/cert-manager
+	@echo -n "\e[35m==>\e[0m "
+	helm upgrade --install cert-manager deploy/demo/cert-manager --namespace cert-manager
+	@echo -n "\e[35m==>\e[0m "
+	kubectl apply -f deploy/demo/clusterissuers
+	@echo -n "\e[35m==>\e[0m "
+	kubectl apply -f deploy/demo/app
+
+.PHONY: demo-down
+demo-down:
+	@echo -n "\e[35m==>\e[0m "
+	k3se down deploy/demo/k3se.yaml