vooon · vooon · Apr 4, 2026 · Apr 3, 2026 · Apr 3, 2026 · Apr 4, 2026
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -35,3 +35,35 @@ jobs:
           GOARCH: ${{ matrix.goarch }}
           CGO_ENABLED: 0
         run: go build -trimpath ./cmd/...
+
+  docker-dev:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - name: Build local dev container
+        run: docker build -f Dockerfile.dev .
+
+  goreleaser-snapshot:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          cache: true
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Validate GoReleaser snapshot
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: "~> v2"
+          args: release --snapshot --clean --skip=publish
+        env:
+          IMAGE_REPO: ghcr.io/${{ github.repository }}
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -0,0 +1,33 @@
+name: E2E Tests
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+concurrency:
+  group: e2e-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  e2e:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Run e2e tests
+        run: go test -tags=e2e -v -timeout=5m -count=1 ./tests/e2e/...
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -22,58 +22,31 @@ jobs:
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
+
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           cache: true
-      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v7
-        with:
-          version: "~> v2"
-          args: release --clean
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-  container-image:
-    runs-on: ubuntu-latest
-    needs: goreleaser
-    timeout-minutes: 30
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v6
-        with:
-          images: |
-            ghcr.io/${{ github.repository }}
-          tags: |
-            type=ref,event=tag
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=sha
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v4
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      - name: Build and push to registry
-        uses: docker/build-push-action@v7
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v7
         with:
-          push: true
-          context: .
-          file: ./Dockerfile
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          provenance: true
-          sbom: true
+          version: "~> v2"
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          IMAGE_REPO: ghcr.io/${{ github.repository }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -42,6 +42,30 @@ archives:
       - LICENSE
       - README.md
 
+dockers_v2:
+  - id: zoneomatic-container
+    dockerfile: Dockerfile
+    ids:
+      - zoneomatic
+    images:
+      - "{{ .Env.IMAGE_REPO }}"
+    tags:
+      - "{{ .Tag }}"
+      - "{{ .Version }}"
+      - "{{ .Major }}.{{ .Minor }}"
+      - "sha-{{ .ShortCommit }}"
+    labels:
+      org.opencontainers.image.description: "Zone-o-matic DNS API Server"
+      org.opencontainers.image.created: "{{ .Date }}"
+      org.opencontainers.image.name: "zoneomatic"
+      org.opencontainers.image.revision: "{{ .FullCommit }}"
+      org.opencontainers.image.source: "{{ .GitURL }}"
+      org.opencontainers.image.title: "zoneomatic"
+      org.opencontainers.image.version: "{{ .Version }}"
+    platforms:
+      - linux/amd64
+      - linux/arm64
+
 changelog:
   sort: asc
   filters:

diff --git a/Dockerfile b/Dockerfile
@@ -1,16 +1,8 @@
-FROM ghcr.io/goreleaser/goreleaser-cross:v1.26 AS builder
-
-WORKDIR /build
-
-COPY . .
-
-RUN goreleaser build --snapshot --single-target
-
 FROM scratch
 
-LABEL org.opencontainers.image.description="Zone-o-matic DNS API Server"
+ARG TARGETPLATFORM
 
-COPY --from=builder /build/dist/zoneomatic*/zoneomatic /zoneomatic
+COPY $TARGETPLATFORM/zoneomatic /zoneomatic
 
 EXPOSE 9999
 

diff --git a/Dockerfile.dev b/Dockerfile.dev
@@ -0,0 +1,17 @@
+FROM ghcr.io/goreleaser/goreleaser-cross:v1.26 AS builder
+
+WORKDIR /build
+
+COPY . .
+
+RUN goreleaser build --snapshot --single-target
+
+FROM scratch
+
+LABEL org.opencontainers.image.description="Zone-o-matic DNS API Server"
+
+COPY --from=builder /build/dist/zoneomatic*/zoneomatic /zoneomatic
+
+EXPOSE 9999
+
+ENTRYPOINT ["/zoneomatic"]
diff --git a/internal/htpasswd/middleware.go b/internal/htpasswd/middleware.go
@@ -1,7 +1,9 @@
 package htpasswd
 
 import (
+	"encoding/base64"
 	"net/http"
+	"strings"
 
 	"github.com/go-fuego/fuego"
 )
@@ -36,3 +38,55 @@ func NewBasicAuthMiddleware(ht HTPasswd) func(http.Handler) http.Handler {
 		})
 	}
 }
+
+func NewAPIKeyMiddleware(ht HTPasswd) func(http.Handler) http.Handler {
+	return NewAPIKeyMiddlewareWithUnauthorized(ht, func(w http.ResponseWriter, _ *http.Request) {
+		err := fuego.HTTPError{
+			Title:  "unauthorized access",
+			Detail: "wrong api key",
+			Status: http.StatusUnauthorized,
+		}
+
+		fuego.SendJSONError(w, nil, err)
+	})
+}
+
+func NewAPIKeyMiddlewareWithUnauthorized(ht HTPasswd, onUnauthorized func(http.ResponseWriter, *http.Request)) func(http.Handler) http.Handler {
+	return func(h http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			user, password, ok := r.BasicAuth()
+			if ok {
+				ok, _ = ht.Authenticate(user, password)
+			} else {
+				ok = AuthenticateAPIKeyHeader(ht, r.Header.Get("X-API-Key"))
+			}
+
+			if ok {
+				h.ServeHTTP(w, r)
+				return
+			}
+
+			onUnauthorized(w, r)
+		})
+	}
+}
+
+func AuthenticateAPIKeyHeader(ht HTPasswd, headerValue string) bool {
+	headerValue = strings.TrimSpace(headerValue)
+	if headerValue == "" {
+		return false
+	}
+
+	decoded, err := base64.StdEncoding.DecodeString(headerValue)
+	if err != nil {
+		return false
+	}
+
+	user, password, ok := strings.Cut(string(decoded), ":")
+	if !ok || user == "" {
+		return false
+	}
+
+	ok, _ = ht.Authenticate(user, password)
+	return ok
+}