From ff6a360b44e05bf79bdd3b9601ffdabfeea3dc37 Mon Sep 17 00:00:00 2001 From: ab77 Date: Tue, 25 May 2021 11:40:20 -0700 Subject: [PATCH] Initial commit * balenaCloud application used to configure balenaOS from supported metadata services * attempts to retrieve config.json payload from user-data and runs os-config * typically used with preload workflow * tested in AWS/EC2 * deployments orchestrated using balenaCI "docker" repository type/workflow * uses balenaCloud builders to push releases to both staging and production environments * all secrets encrypted at rest using git-secret(.io) workflow Change-Type: patch --- .balena/balena.yml | 5 +++ .balena/secrets/id_ed25519.pub | 1 + .balena/secrets/id_ed25519.secret | Bin 0 -> 1538 bytes .../production/balena_api_token.txt.secret | Bin 0 -> 1311 bytes .../staging/balena_api_token.txt.secret | Bin 0 -> 1311 bytes .gitignore | 5 +++ .gitsecret/keys/pubring.kbx | Bin 0 -> 5935 bytes .gitsecret/keys/pubring.kbx~ | Bin 0 -> 3476 bytes .gitsecret/keys/trustdb.gpg | Bin 0 -> 1200 bytes .gitsecret/paths/mapping.cfg | 3 ++ .resinci.yml | 23 ++++++++++++ Dockerfile | 18 ++++++++++ Dockerfile.template | 10 ++++++ README.md | 33 ++++++++++++++++++ balena.sh | 33 ++++++++++++++++++ repo.yml | 2 ++ 16 files changed, 133 insertions(+) create mode 100644 .balena/balena.yml create mode 100644 .balena/secrets/id_ed25519.pub create mode 100644 .balena/secrets/id_ed25519.secret create mode 100644 .balena/secrets/production/balena_api_token.txt.secret create mode 100644 .balena/secrets/staging/balena_api_token.txt.secret create mode 100644 .gitignore create mode 100644 .gitsecret/keys/pubring.kbx create mode 100644 .gitsecret/keys/pubring.kbx~ create mode 100644 .gitsecret/keys/trustdb.gpg create mode 100644 .gitsecret/paths/mapping.cfg create mode 100644 .resinci.yml create mode 100644 Dockerfile create mode 100644 Dockerfile.template create mode 100644 README.md create mode 100755 balena.sh create mode 100644 repo.yml 
diff --git a/.balena/balena.yml b/.balena/balena.yml new file mode 100644 index 0000000..cb5c31a --- /dev/null +++ b/.balena/balena.yml @@ -0,0 +1,5 @@ +--- +build-secrets: + global: + - source: id_ed25519 + dest: id_ed25519 diff --git a/.balena/secrets/id_ed25519.pub b/.balena/secrets/id_ed25519.pub new file mode 100644 index 0000000..202df67 --- /dev/null +++ b/.balena/secrets/id_ed25519.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2R77+XZKfO0NnZGA0SPEZeGimopF/q4wJOwRxauM3F os-config diff --git a/.balena/secrets/id_ed25519.secret b/.balena/secrets/id_ed25519.secret new file mode 100644 index 0000000000000000000000000000000000000000..eea04c58015443c359c14f61b3253eb3df832622 GIT binary patch literal 1538 zcmV+d2L1Vk0gMAL;%QPN+%}8>3;?Bb>WhU&9jT8ii4x1U8ScucWkXKa1TwmnF^HMH zF@OgJ$~R$pVabYp++xE&Eaqd!R2tLxSQ*}x8E{+J_}m$y#YP8uFa5G4QPh~ZI~}OJ zY$UnS^JgUsR2KD?m-M{Ac1x@)4h-)GFUy<#1jAyNriL))7kXcv&=8S7NZ;vd^X>i49v2_t)y ztY1JiJ%3SpS&$Qo02Y#XJ!ITGNy}Lf4#NtZE)|~EzvnO54dbDT&a~%1p5e`lDhq-U zcZC8A18r3&b(*#IECCPpI$gHSvn;d8WrsL+g0P`~dWj)^USXqZKGD;-bItUP4W>)t zmnFJ8Pb_e#6DTLhOP<`TsDCDBl&$RiG+~Ot<9N2=Gp^-id#rxzXtlk&*_|!)*rapz z?W$W;62Kf-H8&P;PI88UMRT{w1C@>015C%CO{#p%TGU70MZw}k>OS(Vq0KF+J77^b zD4aU9*VR#`>e|H#RP0aGN=sE#at?K-=KI`=3J4S=HtZdfLWfpy;FhNN!fwBv(xBa*tmER--hs6Hqb+5F zbqfcv;_W52M&gL*8ElH5b^?CZo?ZWgrPeJ(`m{c6y6Q@%=6ejCz`}XF zKHq$>6vt@-ks$b$F`HD2@^$o^SKVr{a)-XjBLYgBQV%Zc9_`v$g*^3EF^18QYW|U8 zJvC3HaIB|JK^%wp3;01m{kEcFTTiJUS1wLVeDEg$m0x z1yB-CP6Xtvz*qZR;WWlaWC4tkg`(X1J&bl&&jL<0KZ-Uy)o05#aF&H3Rz2^7^vR70 z1b+R;*V#_ez>@*1`Ce#vnoSqER^`Glx#}7tzjNe@B>uhpriTb5&ty@gLYL*3SYXh0 zgMH!!Vv7N?=+{aupvtQ9Zb;BUz*hq^kmg&RR z#)_k#3f}=Za>Cd*XNR18NFOGhb{`HuALgJl2h*p5`lJOCXDm2@dZ%9V@Y#p|gIQf_ zI{eHRtQYFW()!4c3I^2!Jn0Y0d2eh~!P{k?38u*Mq--2J{JisxY_zHJ6i8D&r3jBE zvL}92!kS+pvd1|M;Q&~Mh79t3SL!}4hEYPm;{%mk| z?pHn!)Ed|_wZyGJBT7&Z#5B5wnNk|!TH&aq!kKVof(Fsn^_M+{$3}S$?qkd8h2!pkL<0jiTn!WPgGaGaES^xk5 literal 0 HcmV?d00001 
diff --git a/.balena/secrets/production/balena_api_token.txt.secret b/.balena/secrets/production/balena_api_token.txt.secret new file mode 100644 index 0000000000000000000000000000000000000000..bb367ee0f506533174371fe7b80d0640aacb5312 GIT binary patch literal 1311 zcmV+)1>pLH0gMAL;%QPN+%}8>3;>;TM6=->iq8B7f=1#3$V#XhGIV=FW49jF$==|# zwA2ePq{B}~Y}|yD5U%cm=a*Fp(hx4>J8k)`v#nN6=N|RI(jcheb~RP~H0;TcsWSFm zzlEe)mIZpWJ!~5OymGxLUpn@eq7)MEX-~&mIb?sjHeJn-I_2s#CWgAFO*i^*4$mO6 zM0DKT7@hJl#H58-pxsyBt!Y$tyXi9OoVAVX)c5^W^MuyqBIr9}8+E7yPYQzLZi}$%Z zSNoF(C7eQjChaoW>=b*f=pgU7GEF?!x5leBdP~3Nnhop~oECQ2eq1PRUD_XZ;$tgX zy>{MLnhk;7;)5MsM#1*V4z+Uyr4+TtoQ;{dAg*3H9Is)ZL&fZ2+{EwQmzlE}^xMGO z0du)tx{ETSl@EjB3mbfJdqS|E1S1*{l;(E(0Y8kkd(F3Wr@cq>f`Ekq33Q_wOz z`yI<9f30}-JwCznJ%#RBSb4FDgtt*)X{h&!H^<=aC@9rTithG&Z##lamy;q^}RMXC;XV#ZoZ`fmp9}(@c5@Ow!+Z_TGp6ZoFWC>4UoqE zTemfRAje{du9^u6(=;-jZJ4zSJRoMco`u~*ykhP7?OFbgpUkST2?p{@VA6pFv_$q{ z%N)KCh%Dq>MKP@pm&pf&HpSZ5YY4GmrAjyKgF_mptsBB@S|+Q~*J!og#U5aNM3u&< z?S%pi18r3&b(*#IECCPycKli+fmL`QrSDTqsFuUoi7Ht(V4S0)n^ok!7AVUiyjnL0 z#o&h_{S~1IvH-{HWd*sgkrRsL=nJwY{We&4c0_Yo_zV@S02X>U#q(7ZL*ma|)|~_e zTR)n=>cpZ8!yq&!H|2)yth8YJSflsE{=1~XRpK+5>R_I&>%b`J zjJ7&?bk1U0N55(+#U1UMbNZ|;?Lw=BaL93Lu&)S7l90H4*@^;4Z-ampc36U*FfCVU1sWmB? z2lgH}@Y&}ebrb1-t#`ibI%h2>ng41=+2ySH7pX{#aIZPf`X+H@x=K8MWA9K#I>M~L{i=ZnV=fEbbh!98 zwpgt0`i{M-(r^L6Iw{+6dAPJ-hS7fjh|+Bxv+xC=%ICpP2C~n78Q-wz^-$}wR>Km# zRMS%UE(;QbaO9}@Zr;m=f9TQ%zf0Y(9Xj}*#?r5*Fbc}}J*7Zcs|pI8yu(cx2Vn4X VyM;9os%> literal 0 HcmV?d00001 
diff --git a/.balena/secrets/staging/balena_api_token.txt.secret b/.balena/secrets/staging/balena_api_token.txt.secret new file mode 100644 index 0000000000000000000000000000000000000000..329f1dbfe748bea978ccf4099c7f220b76295023 GIT binary patch literal 1311 zcmV+)1>pLH0gMAL;%QPN+%}8>3;r$gd<7v5m9!K}km-=u->jQVR2}ayD0Uc3f_mZw z__ym~BDqs&dyFm{c+u%GpT}Hz&PWN#*Un`4?3EP9_ZBGLRF3?)#{z}m0}2}h=h_D?! zT^ny~9*T8*aB4yxpAUl-;Sb9UV6jPUCRfZ@Nzd1j{!FiE{lp!JzZL_rz{Z`4N^U{_ zKZd*9yL5qQmsYx;P4g-yAifcQ!>aJ_C)Ew39TWyU3>Fj(7tKcMq+x(7t`owiygZJiM zS-3O?S{cbRrlO&yZ$j^Fx$t{RMyq-qRkyiYl3 zwIta`0q!)qZ9cPqaYWLll&?~Jkl^|7NKIw@JqaWvm~4>5L$xKunyAc`-4TXZ_F&{{ ziG>0T18r3&b(*#IECCPyTuPG(Ta~VuZ3r|YRJDX_l0-7+{8*KXETpjJQwJTGNYs4| zHPVR7sw@}SR?AwR*x~?KB-RV4J^Wu701oP3k`nh6y5-Yg)$Dl*nj3quWIOKQzv$3Y)3SVN zpveRCuVyX&?MdJS&oarq?e{*S38$ zaczAQ#8c{qo!gorCS|AubxQU%j}_GE`{U!J38UzJv%y6L@ON1k)vMt&>3o_V9?gAj zQE`64!&)9E7Y<2G>VUHQI7rFc0_Y%$1%oi+YYdszk+$n}o z!>u8(8klHY(r^I=rM&@vTosdO9t!pho3I)g>6ZUR3tARKyWQV1Kk^shzF8zaRJ&2& zP`AugLijXwOaSk3KKg(ft^%&K6scE1tz>yyvhOGbq literal 0 HcmV?d00001 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..9301a1a --- /dev/null +++ b/.gitignore @@ -0,0 +1,5 @@ +.gitsecret/keys/random_seed +!*.secret +.balena/secrets/staging/balena_api_token.txt +.balena/secrets/production/balena_api_token.txt +.balena/secrets/id_ed25519 
diff --git a/.gitsecret/keys/pubring.kbx b/.gitsecret/keys/pubring.kbx new file mode 100644 index 0000000000000000000000000000000000000000..a39a8a985e5c6271db3042b52a4a3e7bfe25c47b GIT binary patch literal 5935 zcmai11yodRx1JfgOG2pu1VMV}?(Pmjx_f4j7U^zj0R^N>q)R|jgprUTRQPC+1_6h< zpug+8|6SjI|97o(&U^OW?^$P^_ldIs000;W1c20JjqL$9!?M~k?)JEy{~lQLAmFdr zQvd)<1porjh#ek>t_*}{))9xku2$pzlGwuIbW;Jotx_6g)m{os=RKchEa6^q(q;N0 z7=IHMzs=nYAOIf#0MXsdynfw-0O-H2|L64Q4YGj==$0}uvp{^n<|{$eOQu@$(ycH? z;fShU82SU{xd#1|DO>8q{HZP09Hukv0_Cr=qf@q;_s*YgU(Cm=4J1s2S<+OhEN6mc z;7iU`e$+qIsw|-&8kgV51O}~k#*q(eJ@lkuFX-sG_kgSbW z>&WwnW4ol3N*js3BnlgsXip79qYV?D&y*yGYz5ow>iLF~9(6^eaR1Qo-wm>wwnUIP4Kt@y;{e+xCedRjGCu&XNDe~BDjl_ zv+V2JjpIL8`9M^BcMhr&csjO>CfFL4T=%M8n8`xKl(toLx&v3~YMO#y*yf~ywwxXI zl4_Zrr$pbMwhEnp@^0@@QKwIUryfg3SQHM&8tD^vR>b14+rsBhzBuirLbJVIKX4MV z>ZHUf2C{uDo(BO)fB<0K&F(pPI{d~1pux-9%GJ)@N=^mLY5=pd1;ahSwstm9KTkLq zc5}6Z!@w}O2lOW6qZxU#o37;5L~0du-p z;l~CR|6L^g_cAUg56OSM0O&VfVt`}lWI$|yFa-npKYFr;y(!P8p8)Pe0|FUvkKswB$2qo%rUz7S97TSiRw6HYK!^2 zvw_DK^}fE7!MZWJLvh;r7o!%REO$vIi~U4* z1oLEknu}>8i%w}Z$`XG|JSnfg()(rmh)oDu0cV_3`!L8d-ZAM5kI@(sQ(J}2duLY4 zjQk*7bHN`GpivlgI&&yBi3Rmiuhns<)D3CLFTnF@G7SXEzCs0=&)}P;dc`}Lri$y|WnYw$*bOc~d3d!St4k--e zgqP~W^uEscan010Llie#mju>vw9t4cR2q%&gi0Fk=01Q*7NTg=8+q$60cbb)0<`|k z`}HkB4lmOh^dYyWUpC%_cP%gDtHy+X3oRp=<*KVQ^A~H;+nuE&zH1=w_Qp&;V_k#0f zv?6K!f_j|rzh)9qUQe9hT}|#Hg(Z{R@TAv3H;?@g)bOMhAqBb=Vk(5^8$vlJCwW{YIu~~4PCnOlRB^hjoe)0JJQi8$K}A! 
zwQvNaV(<9A;OjR>etc?1^E8&4ck%U!xeRd_s&;LpsY0=Asik7r^s>%NJ7JDOnMBO~k!7oc zsWxrZ`XZ0%sQ5o%4tC(FO%WI~lbu%NEEWu2U49#X{GVf6JmH zDs-dDJ+|zehR)Bd6W?}zbdVq9(6%iqAi=r0Y5YN4ds5*m7PcMFrU=~ijc&Ej157d9 zZw>luWJ57hgQVi*8?fdC(Te@DNFV{VO(gIXwW>%Ug!xRgiI|KqF=ZC+9J<@8ur@;; z7Wo9g61G@0AQzh}v{psxAn09Wz{;XQ1~4w05{2=ZkkeI9iAshvz^6-I6i9sMSAsD{ z$xW;=`OTp|n}(1HV~Gs|Y999R8mOw%=$D~q>uo1XwO!rU+Rj{Gj#c~K;Vk`fF>lKB zt+-ZM`>UAzr{j(8f!@~m9N`vKiU-w7!jJMm2X5HbGJ4GuDKXuqR1Hnb+&xQwIgulQ zuvSdMdaJHLs zP|ke_BK!3GSo1NPyy=bBf^YTKISzo3y`po~v)z=wRP8KI&~H1t3ICh51M_bpOt;lH zPy0{So_L$i1`?o~AH*u$plY$GE4qBtgB}z+PCak1u(VIXz-%dm%`C!j@5@64i*oEj zqiWq$wlo5Y?#*Y0Dq*Ezq?{x&SMcsn=Z&-9ChrwWLUyzpRcOk)+CU>k_$c*_$#zc( z9nA;P(eL_GWVjE`I0pGcIm8P&)grv`A#iwdyzwC{8q`lMg40N+Ct@EOv%hVe*JvG3 zD7{^-t`{c1U=lEp$^TOQ`x;NIeIp7}wKQQvY}jWjzva=8UJAieiio3i(a4gdiVOQd z*hQo@)K9-F-NgeeZgm@y{_TtZWQO{`%uw=% zqyMyx7@*tFeQSm|XuS@A|IZTt?0gFgHehI=D5&&YfwKVFmiv?VN~Pd_WR-$OEh{`^ ze$!@p0?(t6WZ3t4lVmZaL~zAE7r2ifM_zJfC*Y9fIL;3=T0e|I>ZdP)*N1?U_CiJb zp8R;@CP3s&C&L|cVa1`sjjh>4oeuqe5{Gdq=^@q0@XFFF8#egDQaLh=QKn^8ma&0h zLHVap6U!_*k$y0R>9t@JH`PVRlO2g4&cWC*%1rTlHt_QKr3eq(naJ!%$5 zb(6Ew^`kw4lMm)#n{N+aemJpbk|jWZd1T9 z=!D@_8jz6!EoK-!;X5vltK#J|2+JP^wf>D)q`HPd2Mjk2xaorn`Z9b^H0dz}`+_5> z&!MyAN$ttBtOJE4EdimxN7D$Tk@>D39_8zSy&Nm{ljcyPy*r-XP`gcV4YRyPA*&X) zf$}^3Pj4q=IY?hrnx0j6^za8#-;+`Nz%EQDSUsT2#E-sGF5okMhI_E=nFB5xjKoop zpZY!ma4hbsrDC6c0$Y||o+G2<{C23xlVVHqDYi>y)BtfOO1`;CTvO4yet`g&%AJ>f zSr{im6I3Vb9W5Q5DV4RZhc!9yULWU!WyK`-Ww~$u`ovSJuOK6fA+>xAS_uyj;p%y|;EZ+h=<3vC=qGlnZC#S!ob2P463p zzUa;G+egm1)P;+_t4$0TJM5270JZItcSqA=!E}p^!C?PYmv38(Osr~bm4hQde^71rP@2Bok3g2*=#KT@5yg#s#STZXZBV4Inj1ZEGx!91|y7UEq78t;g3C2p?UfYfMs$<5Qb$zGexJ@ zjGc|EQW^Kk8^e}jwVl^^;8ivH``@>}kmRukei1(5bNz5sgYJUg&?@qwCWE7r07yOK zB;ONiruf(Rx{W~l;eA)DGgkZ|!?NtfZ<4tx601==a-E)|s6$MdNx4t2F3?1HF2X#A zPP%uimX~sub&5q2uXp-8;(6E&0`EFA#b>bQL8Yxsmdn7`vik)ISM!xd|71+Oa#m1R z53q)lgSVY4SPts#4`!A9)dqsq_2qB+Hk;eL&40Ejkmij|;r{B`{t46=pj+_$m!9np z17sJ8t}XBw145Y9KGLY937}Pw`Jcw-w9Gjc1y@}@YMEI{i{W`gWF8^+n!hUy(QNfT 
zO{u|eSvt{*ySnc%E{Wz@;@W5Z*t=<>pU#RS^=S0!4DQNxEfvhh51H+)?MIKkHPD;0 zYFHfUk?Y~>xg#Xg$5y+rK)8VfKFJiyae*Wh|K)1g?cNyoDUnD%B&eEen zvqCoH^ERz!V{6udfTju8{|)aFYu1u4))Xp0Cy3Yq-P;s%=PaE-p$_$&+$kT^&`7BA48xZ<<`af)=D-=mwapU$Q{3``vpp{3X|_jS zXG>a7csonz>K+!JY{uftxTI-b`K@3v<{I!-QR>qgH-2BJ49Dw6v`G;qJPJA9=_i+2 zLcdI5lCIZJO+?emP-A?@dZEuQfj=MjikOb#q~WLpl-#S3xdN6t%6GoPL?|}WyjQdj z*(z605^QvBq}L-BqfL@U{J49`B+By%W2<7yftq|y5ZAtgvL=?jKfTczPiTy}RQ=mA zWcRF8;Cd^7Hio;9+JT-?!CJ43p03VVfotF{tmq);2=7wUlBpK;R|e-rmYIYwZ9Ssp zkCL|jty}H>*PSOa#-ZFM3_7C8Bq6!m9~-9UhX!VQKdz3BBPwLPkjIlNyoGY?^GFiG ztkCcRPtl)-Lv?}{0oL*22>z_6S@x1Xwruu1jHgc-EF?ZDAiuC8hn9KDn&|ku!WO7Pg1Wxgk%*@ zo51-)aMPq~pm_+LXXF{io@PgC#BOY|%tB z)f`>)^Vx!@5PBl@WjZCbAXMj^LDS-<7`oi~6O!ElCkU73Mt*~Tc#=8m89U|98?%7U z+_NdqQ!=cwjTATO7cVJ4{s3a9JTyxtVB=CY%m{U-AAH?jC$vDGFF0_%2z$&Cv?9vF zX;_SZcQF z`{^86ztj526AdTpX;jJ#r_Ry>0v{r-<+eSU+NE`>cN!x{x=_6ka z!5Spm?G;tJT=4!BYe!W_GtAL!CXQcZEi0bq%VmC#6zOf(ys zYQgs(??2tM&Kdl+;E>EjN^+8^Q@UtnPSzt;b_cIk+>`nK;WUNp9)=o`=DYJObb3h= zo__oqBxqP@UR%jsm*uQWc}nv$h29s-7h%ElS%;U{K>Gcs3+So4b|T|ij~Km5-bIi< tZ6@HXH`Z}F*L4Meue(lDQ~wA`Zt9OTbhN8FtjEaJm7Z2wwQ8Q;{{h$cPQm~H literal 0 HcmV?d00001 
diff --git a/.gitsecret/keys/pubring.kbx~ b/.gitsecret/keys/pubring.kbx~ new file mode 100644 index 0000000000000000000000000000000000000000..e402a7453a0a1e05bd683846e4896f55e5760850 GIT binary patch literal 3476 zcmai#2UJtZ8pm%!D4{AyQHr66AUz;G1R}k65J737lRy$Wh``dDh=_oS6e&VPSwa;A zr7I#us)Z#|rK6$&Fu66c8&x~w`bp$RT9Hw6t*M;dFV`fEYR`ZlfBvT6p-`3+dH;p^ zhx(UFGm#w4VrJU`+mb6~te_$-;v zCSg+2R;eCMd=FE1SuffmF7%rPPWmkjV9fn>PP#=8*_{2+_NLjPe|re71=e6 z6-@MA*cp^5y?WE5w#7c}b#(~bAar%JI$iehvfZ#aNzZS+`j#UKuBNwQV9_2qC-9&? z`j&hCHSn^J=Xz$1@b#=DkujIp>EI{p7fM<~A_A;LAIBv^CFj|LF=B%=eg5xXzY2x6 zlq*d>4g3sEzxfcUcE39>NKGC#|t+^`roY!D8QhUs||^n+Ys zICKCO?@g@;6Njn)Ow#KlPFfdI{kGF#yV3f{?!xB`x?+JYZfLS|%t1 zJ(!M@5z4>>hH!ytKwtq7nEMLA2tD#k!EG;@fx5T9%i>)kIOOpl=Sz>yE9wGlY=z@1n~im)*$Z#%8bfYk zH1sZQWMBqQjihD!I*>#y%83+b=4JKF+g(*bcUzvj#n2Q=rFysYft}O5GT+GBy&R`A zHxLh6okTivZswT24RS{3V#ks?japO zL)911^q21!mK7xf9Uee>{V%^+eDYfxnGC(XP*tRVo-Qv`(Xq`)f_VLjM~qjv(7_fz zNqkG<{2%G?bOzdrUO+MTo8A?P zGRjMOL%v~i6qrbxUtTMa&zKjGvM(1pAlJ^s_IrNT?8O6rRX7_5o!*1Zs;+Da;<<9} z9^x~_=?Z?8>@GzsDZ(EU8I-_aZ$eu=My0rHM23)g59E*Ch@te2n6Yv}kU|Ocu_=Ad zFQl81(sp+$}s8wz`6C);WnYuPh?GX!np-Dl3{V~lX ziWfQZbq!$1*_NGG}s5sQZC!6 z@PvxFo@;K+L~E6cOxK!EG+3nBc9*SvuSKc+@O?6<9>PO48tfm8#{BPwO7CF?nmxkd z- zG@Y8|yE^N6j^1Qs54$?&BEBJA_5Mah0*HmzEdjJcnbT!aqPwD6e}scIBWsf26T8-= zGe5x@mk8j9iS;_4VJazSCnU2{% zygA1~_$E5mTD7RGTW*HPUxq?=Xy?1_MJnc@(7OXc2f63Wcq;*bHt#RA)6yTJePKMY zJ<6<3zu*j*4O>got((76!~cPH&>d<- z_%NHg+W$g(#^H1xhy~)bnW95g)l5lSQsn^lBsgV=ciQIt>;{+MDQ6{yQ!0Wd-kj07 zRLM|mN3^^qp3TD5zI4UbAg(-)UFxXTcS8HCUDD*ckrTxl@Ktk?0bgZXGx&K4GsSpu zq$L1hVR||#=}A|Xmdxf?$sUDRN%dkWqxe8(IDv3A&3+4?1n%NhfszEQR6JsnH&*O# zlUyT;HCHN)t>U!bpO5IyRk&;Xab7mXgG8Y-EKgrl>kC=F(|DoRDvRYZSN!&ZYC>7& z{XLIJ{9b}9F3h?u>qTQ14_!~R&~cXf1D0E_RBn8q4)+Vnfy2Wky-*034;+Ef9NuOJ zXU~{+)p+@LEpC6Iob(FQ^Vj)1vIwWmB>p=2Mo|W!x4R^&d{;-RaJ;$T+mY`Eg(3;nIwmz@ zgqZ0ix3OU+Z1K^)(ChUYrQC?<`y0}*P6ep8#>8sGmguL{Fz`TaA1!;BwF*<`Ac6fU zPPH@m^CSPWY(4^7GRb=`k_IviruDozxQ|~_Y4&{7> zgc>eMRr$T}7?hI7`#F@f#dhe{gv=uiktnN^k_lZY?5<&+t#9n@JiMmYJ;2BPw5OKN 
zdPRK^EXoE6anU6ALDD}mLj832ufRorIjHF`y^b53*gVEFW`mYO7{PD)PN-&Hgfr|( zW_EhEmIc>*8AEw;Y4EeKo_*mEKW^u=X2ryPuX{b;MdC|Ctlj#tfFK-t3HIQWwn?#= z8H0`f6YE#M52Ga6Z&f*bB|h#@h~zz?rQ0u|ETBm2wiH%?e5gDdGW3;klN^u_tLRC9 z>S&LCd=7Y(w$<=Rj0NM#n&c@C0jYOerm|V?M_;A1X${y69!u12s8=`Db*+8R!pMV> zJ4sfC#+!m4qJok%lX8(a7p&+SJZ!%YC>$5+Rp#B31qW>T_=AUvq1j8>`L5&%Je0N3* zGnOi4#!ZX6iOQmtTHhx(5n;!`;VrvYe1*AEIaFYc$4(&5#j)S)2)1*&UYy({D2^y# zuAIAO`tmt{zifK#R7HpUb~FOgxq5G?vJ#0gep<7Z7c#bfQEx~%(N`+tYk8C$-_u7r zok>d{SGIi$c#CI3=jsJ%S0yff0cu)Cjt^v~zyxN5qG924zVDW2g#B#2zk^?hpF23J zmee%39M7F0SjuCrv3AcezvIRYqkaER2bEh&=!mQ40Z#HWK54w}lumXcF7Q$OT;`GZ zaYggNw`j0iIq(w6`L literal 0 HcmV?d00001 diff --git a/.gitsecret/keys/trustdb.gpg b/.gitsecret/keys/trustdb.gpg new file mode 100644 index 0000000000000000000000000000000000000000..9009cffdaf382878663e4774593c54e697753c78 GIT binary patch literal 1200 zcmZQfFGy!*W@Ke#Vqi#Eo6yaG9WZiX7sn7CRfiEIV1dza84VXu2#lr!%F+P /root/.ssh/id_ed25519) \ + && ([ -f /root/.ssh/id_ed25519 ] && chmod 600 /root/.ssh/id_ed25519) + +COPY balena.sh /usr/local/bin/ + +CMD [ "balena.sh" ] \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..10a08cf --- /dev/null +++ b/README.md 
@@ -0,0 +1,33 @@
+# cloud-config
+> balenaCloud app which is usually preloaded into a balenaOS image to automatically join devices to the cloud using `config.json` data passed in from supported provider metadata service
+
+## create keys
+> [update](https://github.com/product-os/balena-concourse/tree/master/provision/app/console) local GPG keyring with public keys from GitHub
+
+ git secret whoknows && git secret reveal -f
+
+ [ -f .balena/secrets/id_ed25519 ] \
+ || ssh-keygen -o -a 100 -t ed25519 -f .balena/secrets/id_ed25519 -C 'os-config' -N ''
+
+ PRIKEY_ED25519=$(cat .balena/secrets/id_ed25519 | openssl base64 | tr -d '\n')
+
+ PUBKEY_ED25519=$(cat .balena/secrets/id_ed25519.pub)
+
+ git secret add .balena/secrets/id_ed25519
+
+ git secret hide
+
+
+## deploy (manually)
+> (e.g) staging
+
+ git secret reveal -f
+
+ image="$(yq e '.docker.builds[] | select(.args[]=="*staging*").docker_repo' .resinci.yml)"
+
+ for ev in "$(yq e '.docker.builds[] | select(.args[]=="*staging*").args[]' .resinci.yml | sed 's/"/\\"/g')"; do eval export "${ev}"; done
+
+ docker build -t ${image} \
+ --build-arg "BALENA_APPS=${BALENA_APPS}" \
+ --build-arg RESINRC_RESIN_URL \
+ --secret id=balena-api-token,src=.balena/secrets/staging/balena_api_token.txt .
diff --git a/balena.sh b/balena.sh
new file mode 100755
index 0000000..9d0cbef
--- /dev/null
+++ b/balena.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+set -e
+
+metadata_urls=( \
+ 'http://169.254.169.254/latest/user-data' \
+ 'http://169.254.169.254/metadata/v1/user-data' \
+ 'https://metadata.platformequinix.com/userdata' \
+)
+
+curl_with_opts() {
+ curl --fail --silent --connect-timeout 3 "$@"
+}
+
+ssh_with_opts() {
+ ssh -p 22222 \
+ "root@$(ip route | awk '/balena0|br-[0-9a-fA-F]/ { print $7 }' | head -n 1)" \
+ -o 'StrictHostKeyChecking=no' \
+ -o 'UserKnownHostsFile=/dev/null' \
+ "$@"
+}
+
+config_from_metadata() {
+ #shellcheck disable=SC2034,SC2039 # /bin/sh is a symbolic link to bash on balenaOS
+ for url in "${metadata_urls[@]}"; do
+ user_data="$(curl_with_opts "${url}")"
+ [ -n "${user_data}" ] && echo "${user_data}" && break
+ done
+}
+
+ssh_with_opts "os-config join '$(config_from_metadata)'"
+
+exec balena-idle "$@"
diff --git a/repo.yml b/repo.yml
new file mode 100644
index 0000000..545c520
--- /dev/null
+++ b/repo.yml
@@ -0,0 +1,2 @@
+---
+type: "docker"
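Review bot: The join command near the end of balena.sh splices the fetched user-data into the remote command line between single quotes (`ssh_with_opts "os-config join '$(config_from_metadata)'"`), so a payload containing a `'` ends the quoting and the remainder is parsed by root's shell on the host. Quote the value for the remote shell instead, for example `config="$(config_from_metadata)"` followed by `ssh_with_opts "os-config join $(printf '%q' "${config}")"`; this assumes the host's login shell is bash, which the shellcheck comment in the hunk suggests but does not prove. The same line also runs `os-config join ''` when none of the metadata URLs returns data, so an explicit `[ -n "${config}" ]` check before the ssh call would make that case visible in the logs. Separately, `StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null` in ssh_with_opts turns off host authentication, and a short comment stating why that is acceptable for the local bridge address would help the next reader.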