Pythoner6
diff --git a/‎.github/workflows/demo.yaml
+4 b/‎.github/workflows/demo.yaml
+4
diff --git a/‎cue.mod/pkg/pythoner6.dev/c8s/c8s.cue
+14 b/‎cue.mod/pkg/pythoner6.dev/c8s/c8s.cue
+14
diff --git a/‎flake.nix
+14-4 b/‎flake.nix
+14-4
diff --git a/‎k8s/attic/attic.cue
+45-3 b/‎k8s/attic/attic.cue
+45-3
diff --git a/‎k8s/common.cue
+2 b/‎k8s/common.cue
+2
diff --git a/‎src/attic-token-service/Cargo.lock
+90 b/‎src/attic-token-service/Cargo.lock
+90
diff --git a/‎src/attic-token-service/Cargo.toml
+1 b/‎src/attic-token-service/Cargo.toml
+1
@@ -32,6 +32,10 @@ jobs:
           ACTOR=${ACTOR,,}
           source tools/scripts/oci_helpers.sh
           crane auth login -u "$ACTOR" --password-stdin <<< "$TOKEN" "ghcr.io" 
+          readarray -t images <<< "$(find result/images -maxdepth 1 -mindepth 1 -type d)"
+          for image in "${images[@]}"; do
+            crane push "$image" "$BASE_URL/netserv/$(basename image):latest"
+          done
           readarray -t charts <<< "$(find result/charts -maxdepth 1 -mindepth 1 -type d)"
           for chart in "${charts[@]}"; do
             crane push "$chart" "$BASE_URL/charts/$(get_chart_name "$chart"):$(get_chart_version "$chart")"
 
@@ -56,6 +56,15 @@ ChartsDef=#Charts: {
   }
 }
 
+ImagesDef=#Images: {
+  #in: string
+  for name, digest in yaml.Unmarshal(#in) & {[_]: string} {
+    (name): {
+      "digest": digest
+    }
+  }
+}
+
 #Namespace: corev1.#Namespace & {
   #name: string
   metadata: name: #name
@@ -137,6 +146,7 @@ ChartsDef=#Charts: {
   #defaultResourceNamespace: #Namespace
   #repo: string
   #charts: string
+  #images: string
   #chartsRepo: helmrepository.#HelmRepository
 
   let chartsRepo = #chartsRepo & {metadata: namespace: #defaultKustomizationNamespace.metadata.name}
@@ -146,6 +156,10 @@ ChartsDef=#Charts: {
     #repo: chartsRepo
   }
 
+  #Images: ImagesDef & {
+    #in: #images
+  }
+
   kustomizations: #Kustomizations & {
     #appName: this.#appName
     #defaultKustomizationNamespace: this.#defaultKustomizationNamespace
 
@@ -14,6 +14,7 @@
         kubeVersion = "v1.29.0";
 
         cue = import ./tools/cue.nix {inherit pkgs kubeVersion;};
+        oci = import ./tools/oci.nix {inherit pkgs;};
         utils = import ./tools/utils.nix {inherit pkgs;};
 
         versions = builtins.fromJSON (builtins.readFile ./versions.json);
@@ -136,10 +137,16 @@
               flux-components.components."flux-components.yaml" = flux-manifests;
               cilium.gateway-crds."crds.yaml" = gateway-crds;
             };
+            images = {
+              attic-token-service = attic-token-service-image;
+            };
           };
           ociImages = cue.images {
             name = "oci";
             inherit charts;
+            images = {
+              attic-token-service = attic-token-service-image;
+            };
             src = default;
           };
           elector = pkgs.buildGoModule {
@@ -229,10 +236,13 @@
               };
             };
           };
-          attic-token-service-image = pkgs.dockerTools.buildLayeredImage {
-            name = "attic-token-service-image";
-            contents = [ attic-token-service ];
-            config.Cmd = [ "attic-token-service" ];
+          attic-token-service-image = oci.fromDockerArchive {
+            name = "attic-token-service-image-oci";
+            src = pkgs.dockerTools.buildLayeredImage {
+              name = "attic-token-service-image";
+              contents = [ attic-token-service ];
+              config.Cmd = [ "attic-token-service" ];
+            };
           };
         };
         devShells = {
 
@@ -32,6 +32,7 @@ kustomizations: $default: "manifest": {
     kind: "ExternalSecret"
     spec: {
       refreshInterval: "0"
+      template: data: HS256_SECRET: "{{ .password }}"
       dataFrom: [{sourceRef: generatorRef: {
         apiVersion: secretGenerator.apiVersion
         kind: secretGenerator.kind
@@ -43,9 +44,8 @@ kustomizations: $default: "manifest": {
     metadata: name: "attic-server"
     data: "gen-config.sh": """
       cat <<EOF > /config/server.toml
-
       api-endpoint = "https://attic.home.josephmartin.org/"
-      token-hs256-secret-base64 = "$(cat /secrets/password)"
+      token-hs256-secret-base64 = "$(cat /secrets/HS256_SECRET)"
       [database]
       [chunking]
       nar-size-threshold = 65536 # chunk files that are 64 KiB or larger
@@ -159,6 +159,48 @@ kustomizations: $default: "manifest": {
       }]
     }
   }
+  tokenServiceDeployment="attic-token-service": this=(appsv1.#Deployment & {
+    metadata: labels: app: this.metadata.name
+    spec: {
+      replicas: 1
+      selector: matchLabels: app: template.metadata.labels.app
+      template: {
+        metadata: labels: app: this.metadata.labels.app
+        spec: {
+          containers: [{
+            name: this.metadata.name
+            image: "ghcr.io/pythoner6/netserv/attic-token-service@\(#Images["attic-token-service"].digest)"
+            ports: [{ containerPort: 8080 }]
+            env: [{
+              name: "OIDC_URL"
+              value: "https://gitlab.home.josephmartin.org"
+            },{
+              name: "AUDIENCE"
+              value: "https://\(domain)"
+            },{
+              name: "LISTEN_PORT"
+              value: "8080"
+            },{
+              name: "LISTEN_ADDRESS"
+              value: "0.0.0.0"
+            }]
+            envFrom: [{ secretRef: name: secret.metadata.name }]
+          }]
+        }
+      }
+    }
+  })
+  tokenService: corev1.#Service & {
+    metadata: name: "attic-token-service"
+    spec: {
+      selector: app: tokenServiceDeployment.spec.template.metadata.labels.app
+      ports: [{
+        protocol: "TCP"
+        port: 80
+        targetPort: 8080
+      }]
+    }
+  }
   cert="attic-cert": this=(certificates.#Certificate & {
     spec: {
       secretName: this.metadata.name
@@ -196,7 +238,7 @@ kustomizations: $default: "manifest": {
           }
         }]
         backendRefs: [{
-          name: "attic-token-service"
+          name: tokenService.metadata.name
           port: 80
         }]
       },{
 
@@ -17,6 +17,7 @@ c8s.#Default & {
   #defaultResourceNamespace: _ | *#AppNamespace
   #repo: "ghcr.io/pythoner6/netserv"
   #charts: _ @tag(charts)
+  #images: _ @tag(images)
   #chartsRepo: helmrepository.#HelmRepository & {
     metadata: name: "netserv-ghcr"
     spec: {
@@ -27,4 +28,5 @@ c8s.#Default & {
 }
 
 #Charts: c8s.#Charts
+#Images: c8s.#Images
 #fluxResources: c8s.#FluxResources
@@ -15,6 +15,7 @@ serde = "1.0"
 serde_json = "1.0"
 chrono = "0.4"
 base64 = "0.21"
+env_logger = "0.11"
 
 [profile.release]
 opt-level = "z"