From 55c35fc8401534ebedfdc74f8bec64b903cc3dab Mon Sep 17 00:00:00 2001
From: Jason Volk <jason@zemos.net>
Date: Tue, 3 Jun 2025 19:00:00 +0000
Subject: [PATCH] docker: Simplify build/install; dedup cargo commands; enable
 gc.

Signed-off-by: Jason Volk <jason@zemos.net>
---
 .github/workflows/README.md     |  2 +-
 .github/workflows/bake.yml      |  4 +-
 .github/workflows/main.yml      | 20 +++++---
 docker/Dockerfile.cargo         |  8 ----
 docker/Dockerfile.cargo.deb     |  9 ----
 docker/Dockerfile.cargo.deps    | 12 +----
 docker/Dockerfile.cargo.install | 81 ---------------------------------
 docker/Dockerfile.cargo.rpm     |  9 +---
 docker/Dockerfile.complement    |  2 -
 docker/Dockerfile.cookware      |  7 +--
 docker/Dockerfile.diner         |  3 --
 docker/Dockerfile.ingredients   |  8 ++--
 docker/Dockerfile.install       | 21 +++++++++
 docker/Dockerfile.kitchen       |  1 -
 docker/Dockerfile.rocksdb       | 10 +---
 docker/README.md                | 48 +------------------
 docker/bake.hcl                 | 48 ++++++++-----------
 17 files changed, 66 insertions(+), 227 deletions(-)
 delete mode 100644 docker/Dockerfile.cargo.install
 create mode 100644 docker/Dockerfile.install

diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index 23a81de0..53636563 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -3,7 +3,7 @@
 The release pipeline `Main` (main.yml) and its subroutines defined in the other yamls form a high-level
 description for the underlying self-hosted build system in  `/docker`. In other words, this is a sort of
 terminal, a "thin-client" with a display and a keyboard for our docker mainframe. We minimize
-vendor-lockin and duplication with other frameworks by limiting everything here to only what is
+vendor-lockin and duplication with other services by limiting everything here to only what is
 essential for driving the docker builder.
 
 Though we slightly relax the above by specifying details of the actual CI pipeline, the 
diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
index 04408685..73f6b06a 100644
--- a/.github/workflows/bake.yml
+++ b/.github/workflows/bake.yml
@@ -121,7 +121,7 @@ jobs:
         docker/bake.sh "${{matrix.bake_target}}"
 
     # Optionally extract an inner artifact
-    - name: Extract Artifact
+    - name: Extract Inner Artifact
       if: >
         !failure() && !cancelled()
         && fromJSON(inputs.artifact)[matrix.bake_target].dst
@@ -139,7 +139,7 @@ jobs:
         docker cp "$cid:$src" "_artifact/$dst"
 
     # Optionally extract the image itself as an artifact.
-    - name: Extract Image
+    - name: Extract Image Artifact
       if: >
         !failure() && !cancelled()
         && fromJSON(inputs.artifact)[matrix.bake_target].dst
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 57579f1a..811311bf 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -30,7 +30,8 @@ jobs:
         [
           {"cargo_profile": "release-debuginfo", "rust_toolchain": "nightly"},
           {"cargo_profile": "release-max-perf", "rust_toolchain": "stable"},
-          {"cargo_profile": "release-max-perf", "feat_set": "none"}
+          {"cargo_profile": "release-max-perf", "feat_set": "none"},
+          {"cargo_profile": "test", "rust_toolchain": "stable", "feat_set": "none"}
         ]
 
     outputs:
@@ -56,12 +57,17 @@ jobs:
         set -e
         cat <<EOF > ./buildkitd.toml
           [system]
-          platformsCacheMaxAge = "504h"
-
+            platformsCacheMaxAge = "504h"
           [worker.oci]
-          enabled = true
-          rootless = true
-          gc = false
+            enabled = true
+            rootless = true
+            gc = true
+          [[worker.oci.gcpolicy]]
+            reservedSpace = "384GB"
+            maxUsedSpace = "768GB"
+            keepDuration = "504h"
+            filters = ["label!=cache==pin"]
+            all = true
         EOF
 
         docker buildx create \
@@ -160,7 +166,7 @@ jobs:
       !failure() && !cancelled()
 
     name: Publish
-    needs: [init, test, package]
+    needs: [package, test]
     uses: ./.github/workflows/publish.yml
     with:
       docker_repo: ${{vars.DOCKER_REPO}}
diff --git a/docker/Dockerfile.cargo b/docker/Dockerfile.cargo
index b11f0482..38e9511b 100644
--- a/docker/Dockerfile.cargo
+++ b/docker/Dockerfile.cargo
@@ -7,9 +7,6 @@ ARG RUSTUP_HOME
 ARG CARGO_HOME
 ARG CARGO_TARGET
 ARG CARGO_TARGET_DIR
-ARG cargo_tgt_dst
-ARG cargo_tgt_sub
-ARG cargo_tgt_cache
 ARG cargo_profile
 ARG cargo_features
 ARG cargo_spec_features
@@ -27,11 +24,6 @@ RUN \
 --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \
 --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \
 --mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \
---mount=type=cache,dst=${CARGO_TARGET_DIR},id=${cargo_tgt_dst},sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/deps,id=${cargo_tgt_cache}/deps,sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/build,id=${cargo_tgt_cache}/build,sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/incremental,id=${cargo_tgt_cache}/incremental,sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/.fingerprint,id=${cargo_tgt_cache}/fingerprint,sharing=locked \
 <<EOF
     set -eux
     rustup run ${rust_toolchain} \
diff --git a/docker/Dockerfile.cargo.deb b/docker/Dockerfile.cargo.deb
index c666d4e5..0ea67c97 100644
--- a/docker/Dockerfile.cargo.deb
+++ b/docker/Dockerfile.cargo.deb
@@ -7,9 +7,6 @@ ARG RUSTUP_HOME
 ARG CARGO_HOME
 ARG CARGO_TARGET
 ARG CARGO_TARGET_DIR
-ARG cargo_tgt_dst
-ARG cargo_tgt_sub
-ARG cargo_tgt_cache
 ARG cargo_profile
 ARG cargo_features
 ARG cargo_spec_features
@@ -24,12 +21,6 @@ RUN \
 --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \
 --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \
 --mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \
---mount=type=cache,dst=${CARGO_TARGET_DIR},id=${cargo_tgt_dst},sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/debian,id=${cargo_tgt_dst}/debian,sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/deps,id=${cargo_tgt_cache}/deps,sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/build,id=${cargo_tgt_cache}/build,sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/incremental,id=${cargo_tgt_cache}/incremental,sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/.fingerprint,id=${cargo_tgt_cache}/fingerprint,sharing=locked \
 <<EOF
     set -eux
     mkdir -p "${pkg_dir}"
diff --git a/docker/Dockerfile.cargo.deps b/docker/Dockerfile.cargo.deps
index 7032823d..d20d7c3b 100644
--- a/docker/Dockerfile.cargo.deps
+++ b/docker/Dockerfile.cargo.deps
@@ -7,9 +7,6 @@ ARG RUSTUP_HOME
 ARG CARGO_HOME
 ARG CARGO_TARGET
 ARG CARGO_TARGET_DIR
-ARG cargo_tgt_dst
-ARG cargo_tgt_sub
-ARG cargo_tgt_cache
 ARG CARGO_BUILD_RUSTFLAGS
 ARG CARGO_PROFILE_TEST_DEBUG
 ARG CARGO_PROFILE_TEST_BUILD_OVERRIDE_DEBUG
@@ -34,8 +31,6 @@ COPY --link --from=rocksdb . .
 WORKDIR /usr/src/tuwunel
 COPY --link --from=recipe recipe.json .
 
-ENV CARGO_TARGET_DIR="${CARGO_TARGET_DIR}"
-ENV CARGO_BUILD_RUSTFLAGS="${CARGO_BUILD_RUSTFLAGS}"
 ENV CARGO_PROFILE_TEST_DEBUG="${CARGO_PROFILE_TEST_DEBUG}"
 ENV CARGO_PROFILE_TEST_BUILD_OVERRIDE_DEBUG="${CARGO_PROFILE_TEST_BUILD_OVERRIDE_DEBUG}"
 ENV CARGO_PROFILE_TEST_INCREMENTAL="${CARGO_PROFILE_TEST_INCREMENTAL}"
@@ -44,15 +39,12 @@ ENV CARGO_PROFILE_BENCH_BUILD_OVERRIDE_DEBUG="${CARGO_PROFILE_BENCH_BUILD_OVERRI
 ENV CARGO_PROFILE_BENCH_LTO="${CARGO_PROFILE_BENCH_LTO}"
 ENV CARGO_PROFILE_RELEASE_BUILD_OVERRIDE_DEBUG="${CARGO_PROFILE_RELEASE_BUILD_OVERRIDE_DEBUG}"
 ENV CARGO_PROFILE_RELEASE_LTO="${CARGO_PROFILE_RELEASE_LTO}"
+ENV CARGO_BUILD_RUSTFLAGS="${CARGO_BUILD_RUSTFLAGS}"
+ENV CARGO_TARGET_DIR="${CARGO_TARGET_DIR}"
 RUN \
 --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \
 --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \
 --mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \
---mount=type=cache,dst=${CARGO_TARGET_DIR},id=${cargo_tgt_dst},sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/deps,id=${cargo_tgt_cache}/deps,sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/build,id=${cargo_tgt_cache}/build,sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/incremental,id=${cargo_tgt_cache}/incremental,sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/.fingerprint,id=${cargo_tgt_cache}/fingerprint,sharing=locked \
 <<EOF
     set -eux
     rustup run ${rust_toolchain} \
diff --git a/docker/Dockerfile.cargo.install b/docker/Dockerfile.cargo.install
deleted file mode 100644
index e5932b4e..00000000
--- a/docker/Dockerfile.cargo.install
+++ /dev/null
@@ -1,81 +0,0 @@
-# syntax = docker/dockerfile:1.11-labs
-
-FROM input AS installer
-ARG sys_target
-ARG rust_toolchain
-ARG RUSTUP_HOME
-ARG CARGO_HOME
-ARG CARGO_TARGET
-ARG CARGO_TARGET_DIR
-ARG cargo_tgt_dst
-ARG cargo_tgt_sub
-ARG cargo_tgt_cache
-ARG cargo_profile
-ARG cargo_features
-ARG cargo_spec_features
-ARG cargo_args=""
-ARG crate_path="src/main"
-ARG crate_ident=""
-ARG install_temp="/usr/src/tuwunel/install"
-
-WORKDIR /
-COPY --link --from=input . .
-
-WORKDIR /usr/lib/${sys_target}
-COPY --link --from=rocksdb . .
-
-WORKDIR /usr/src/tuwunel
-RUN \
---mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \
---mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \
---mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \
---mount=type=cache,dst=${CARGO_TARGET_DIR},id=${cargo_tgt_dst},sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/deps,id=${cargo_tgt_cache}/deps,sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/build,id=${cargo_tgt_cache}/build,sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/incremental,id=${cargo_tgt_cache}/incremental,sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/.fingerprint,id=${cargo_tgt_cache}/fingerprint,sharing=locked \
-<<EOF
-    set -eux
-    case "$cargo_profile" in
-            "dev") profile_dir="debug";;
-           "test") profile_dir="debug";;
-        "release") profile_dir="release";;
-          "bench") profile_dir="release";;
-                *) profile_dir="$cargo_profile";;
-    esac
-
-    rustup run ${rust_toolchain} \
-        cargo install \
-            --frozen \
-            --no-track \
-            "${cargo_spec_features}" \
-            --features "${cargo_features}" \
-            --profile "${cargo_profile}" \
-            --target "${CARGO_TARGET}" \
-            --target-dir "${CARGO_TARGET_DIR}" \
-            --root "${install_temp}" \
-            --path "${crate_path}" \
-            ${cargo_args} \
-            ${crate_ident}
-EOF
-RUN [ -f "${install_temp}/bin/tuwunel" ]
-
-
-FROM input AS install
-ARG sys_target
-ARG CARGO_INSTALL_ROOT
-ARG install_temp="/usr/src/tuwunel/install"
-
-RUN \
---mount=type=bind,from=output,src=${install_temp},dst=/mnt/install \
-<<EOF
-    set -eux
-    cp -ndR --preserve=all -t ${CARGO_INSTALL_ROOT} /mnt/install/*
-EOF
-ENV bin_path="${CARGO_INSTALL_ROOT}/bin/tuwunel"
-RUN <<EOF
-    set -eux
-    ldd -v ${bin_path} || echo "static"
-    du -h ${bin_path}
-    sha1sum ${bin_path}
-EOF
diff --git a/docker/Dockerfile.cargo.rpm b/docker/Dockerfile.cargo.rpm
index 499f4dc5..ab9e0358 100644
--- a/docker/Dockerfile.cargo.rpm
+++ b/docker/Dockerfile.cargo.rpm
@@ -2,14 +2,12 @@
 
 FROM input AS rpm
 ARG sys_target
+ARG rust_target
 ARG rust_toolchain
 ARG RUSTUP_HOME
 ARG CARGO_HOME
 ARG CARGO_TARGET
 ARG CARGO_TARGET_DIR
-ARG cargo_tgt_dst
-ARG cargo_tgt_sub
-ARG cargo_tgt_cache
 ARG cargo_profile
 ARG cargo_features
 ARG cargo_spec_features
@@ -24,11 +22,6 @@ RUN \
 --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \
 --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \
 --mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \
---mount=type=cache,dst=${CARGO_TARGET_DIR},id=${cargo_tgt_dst},sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/deps,id=${cargo_tgt_cache}/deps,sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/build,id=${cargo_tgt_cache}/build,sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/incremental,id=${cargo_tgt_cache}/incremental,sharing=locked \
---mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/.fingerprint,id=${cargo_tgt_cache}/fingerprint,sharing=locked \
 <<EOF
 	set -eux
 	mkdir -p "${pkg_dir}"
diff --git a/docker/Dockerfile.complement b/docker/Dockerfile.complement
index f38d4fdb..70f5d32c 100644
--- a/docker/Dockerfile.complement
+++ b/docker/Dockerfile.complement
@@ -8,7 +8,6 @@ WORKDIR /
 COPY --link --from=input . .
 
 RUN \
---mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
 --mount=type=cache,dst=${var_cache},sharing=locked \
 --mount=type=cache,dst=${var_lib_apt},sharing=locked \
 <<EOF
@@ -157,7 +156,6 @@ ARG complement_run=".*"
 
 WORKDIR /
 RUN \
---mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
 --mount=type=cache,dst=${var_cache},sharing=locked \
 --mount=type=cache,dst=${var_lib_apt},sharing=locked \
 --mount=type=cache,dst=/go/pkg/mod/cache,sharing=locked \
diff --git a/docker/Dockerfile.cookware b/docker/Dockerfile.cookware
index a1a9847a..16285bb7 100644
--- a/docker/Dockerfile.cookware
+++ b/docker/Dockerfile.cookware
@@ -13,9 +13,7 @@ COPY --link --from=input . .
 
 ENV CARGO_TARGET="${rust_target}"
 WORKDIR /opt
-RUN \
---mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
-<<EOF
+RUN <<EOF
     set -eux
 
     url="https://static.rust-lang.org/rustup/archive/${rustup_version}/${rust_target}/rustup-init"
@@ -26,7 +24,6 @@ EOF
 ENV RUSTUP_HOME="${RUSTUP_HOME}"
 ENV CARGO_HOME="${CARGO_HOME}"
 RUN \
---mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
 --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=locked \
 --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=locked \
 --mount=type=cache,dst=${CARGO_HOME}/git,sharing=locked \
@@ -59,7 +56,6 @@ WORKDIR /
 COPY --link --from=input . .
 
 RUN \
---mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
 --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=locked \
 --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=locked \
 --mount=type=cache,dst=${CARGO_HOME}/git,sharing=locked \
@@ -73,7 +69,6 @@ RUN \
 EOF
 
 RUN \
---mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
 --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=locked \
 --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=locked \
 --mount=type=cache,dst=${CARGO_HOME}/git,sharing=locked \
diff --git a/docker/Dockerfile.diner b/docker/Dockerfile.diner
index 203ae9ce..ef700232 100644
--- a/docker/Dockerfile.diner
+++ b/docker/Dockerfile.diner
@@ -16,7 +16,6 @@ COPY --link --from=input . .
 
 ENV packages="ca-certificates ${packages}"
 RUN \
---mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
 --mount=type=cache,dst=${var_cache},sharing=locked \
 --mount=type=cache,dst=${var_lib_apt},sharing=locked \
 <<EOF
@@ -39,7 +38,6 @@ WORKDIR /
 COPY --link --from=input . .
 
 RUN \
---mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
 --mount=type=cache,dst=${var_cache},sharing=locked \
 --mount=type=cache,dst=${var_lib_apt},sharing=locked \
 <<EOF
@@ -56,7 +54,6 @@ WORKDIR /
 COPY --link --from=input . .
 
 RUN \
---mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
 --mount=type=cache,dst=${var_cache},sharing=locked \
 --mount=type=cache,dst=${var_lib_apt},sharing=locked \
 <<EOF
diff --git a/docker/Dockerfile.ingredients b/docker/Dockerfile.ingredients
index 1c575dbc..a32d2439 100644
--- a/docker/Dockerfile.ingredients
+++ b/docker/Dockerfile.ingredients
@@ -8,9 +8,7 @@ COPY --link --from=input . .
 
 ADD --link --keep-git-dir . /usr/src/tuwunel
 WORKDIR /usr/src/tuwunel
-RUN \
---mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
-<<EOF
+RUN <<EOF
     set -eux
     git reset \
         --hard \
@@ -43,7 +41,6 @@ ENV JEMALLOC_OVERRIDE="${JEMALLOC_OVERRIDE}"
 #ENV ZSTD_SYS_USE_PKG_CONFIG="${ZSTD_SYS_USE_PKG_CONFIG}"
 ENV ROCKSDB_LIB_DIR="${ROCKSDB_LIB_DIR}"
 RUN \
---mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
 --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=locked \
 --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=locked \
 --mount=type=cache,dst=${CARGO_HOME}/git,sharing=locked \
@@ -69,10 +66,11 @@ ARG RUSTUP_HOME
 ARG CARGO_HOME
 ARG CARGO_TARGET
 
+WORKDIR /
+COPY --link --from=input . .
 
 WORKDIR /usr/src/tuwunel
 RUN \
---mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
 --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=locked \
 --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=locked \
 --mount=type=cache,dst=${CARGO_HOME}/git,sharing=locked \
diff --git a/docker/Dockerfile.install b/docker/Dockerfile.install
new file mode 100644
index 00000000..0089644d
--- /dev/null
+++ b/docker/Dockerfile.install
@@ -0,0 +1,21 @@
+# syntax = docker/dockerfile:1.11-labs
+
+FROM input AS install
+ARG rust_target
+ARG CARGO_TARGET_DIR
+ARG cargo_target_profile
+ARG install_prefix
+
+WORKDIR /
+COPY --link --from=input . .
+
+WORKDIR ${install_prefix}
+ENV src_path="${CARGO_TARGET_DIR}/${rust_target}/${cargo_target_profile}/tuwunel"
+ENV dst_path="${install_prefix}/bin/tuwunel"
+COPY --from=bins $src_path $dst_path
+RUN <<EOF
+    set -eux
+    ldd -v ${dst_path} || true
+    du -h ${dst_path}
+    sha1sum ${dst_path}
+EOF
diff --git a/docker/Dockerfile.kitchen b/docker/Dockerfile.kitchen
index 6bde4a75..65945f0a 100644
--- a/docker/Dockerfile.kitchen
+++ b/docker/Dockerfile.kitchen
@@ -25,7 +25,6 @@ ${packages} \
 "
 
 RUN  \
---mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
 --mount=type=cache,dst=${var_cache},sharing=locked \
 --mount=type=cache,dst=${var_lib_apt},sharing=locked \
 <<EOF
diff --git a/docker/Dockerfile.rocksdb b/docker/Dockerfile.rocksdb
index 7cf7380e..ba584cf4 100644
--- a/docker/Dockerfile.rocksdb
+++ b/docker/Dockerfile.rocksdb
@@ -8,10 +8,7 @@ COPY --link --from=input . .
 WORKDIR /usr/src
 COPY --link --from=recipe rocksdb.url .
 
-RUN \
---mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
---mount=type=cache,dst=/var/lock/uwu/rocksdb,sharing=locked \
-<<EOF
+RUN <<EOF
     set -eux
     submodule="librocksdb-sys/rocksdb"
     url="$(cat rocksdb.url)"
@@ -47,10 +44,7 @@ WORKDIR /usr/src/rocksdb/librocksdb-sys/rocksdb
 ENV CC="clang"
 ENV CXX="clang++"
 ENV nprocs=${nprocs}
-RUN \
---mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
---mount=type=cache,dst=/var/lock/uwu/rocksdb,sharing=locked \
-<<EOF
+RUN <<EOF
     set -eux
 
     cmake -H. -Bbuild \
diff --git a/docker/README.md b/docker/README.md
index 5cf7928a..d8366b06 100644
--- a/docker/README.md
+++ b/docker/README.md
@@ -36,21 +36,7 @@ this step.
 2. You will need to create a builder. There are a few complications that must be explained here
 so please be patient.
 
-	1. Caches are being evicted in ways that I didn't expect, for example, rust is installed in a
-	cache mount which might have been a bad idea. I have disabled GC because an unlucky eviction
-	has massive repercussions. This is my buildkitd config in `~/.config/buildkit/buildkitd.toml`
-
-	```
-	[worker.oci]
-	enabled = true
-	rootless = true
-	gc = false
-
-	[system]
-	platformsCacheMaxAge = "504h"
-	```
-
-	2. Some unsavory options are required for some targets. It might be possible to omit these if
+	- Some unsavory options are required for some targets. It might be possible to omit these if
 	you're not building the full tree. Otherwise I've included them in the create command below.
 
 		- To run the complement compliance suite we need the `--allow-insecure-entitlement network.host`.
@@ -64,7 +50,6 @@ so please be patient.
 		--name owo \
 		--bootstrap \
 		--driver docker-container \
-		--buildkitd-config ~/.config/buildkit/buildkitd.toml \
 		--buildkitd-flags "$BKD_FLAGS"
 	```
 
@@ -96,34 +81,3 @@ choose `actor/repo/branch` with the expectation of one build at a time under tho
 constraints. Some external caching might need to be contrived between builders for
 deduplication but with care such that malicious actors cannot poison data used
 by other actors, otherwise it defeats the purpose of builder isolation.
-
-#### On Target Caches
-
-The challenge here is to get all aspects of the target directory perfectly optimal
-within the many constraints including cargo issues and our goals. This is highly complex
-because we have to provide each image being built with a safe environment yet share as
-much as possible between builds. This includes maximum reuse of prior builds but without
-unnecessary dirtying or more serious unexpected conflicts.
-
-We first create a hausdorff space based on builds which could never benefit from sharing
-and would always be unsound (even silently) if they came into contact; so all cache id's
-are prefixed by the matrix components:
-`${sys_name}/${sys_version}/${rust_target}/${rust_toolchain}/${cargo_profile}`. This is
-important because we can simplify the mount path inside the image which is important for
-the absolute paths generated by fingerprints and dependency files. We need to keep those
-the same if any builds expect to share them.
-
-The top-level of target directory is immediately partitioned by cargo into different
-profiles. Note that we already imposed separation based on profile but we still have to
-deal with that subdirectory in the mount, which has special-cases for the dev, test, and
-bench profiles. These directories at their top-level are the final artifact area which is
-not concurrency safe and there are open issues in cargo for explicit artifact directories.
-Within these unsafe directories are sub-directories which contain hash-sharded components
-making them safe again for shared caching, so long as the path to them remains consistent
-for all images mounting.
-
-As you can see this is already getting very complicated. If this is done wrong lots of
-different bad things can happen such as broken builds from bad conflicts, constant
-rebuilds from modest conflicts, or over-use of resources from too much separation.
-
-TODO
diff --git a/docker/bake.hcl b/docker/bake.hcl
index d8904666..76c91b9f 100644
--- a/docker/bake.hcl
+++ b/docker/bake.hcl
@@ -2,8 +2,10 @@ variable "CI" {}
 variable "GITHUB_ACTOR" {}
 variable "GITHUB_REPOSITORY" {}
 variable "GITHUB_REF" {}
-variable "GITHUB_REF_SHA" {}
 variable "GITHUB_REF_NAME" {}
+variable "GITHUB_REF_SHA" {
+    default = "HEAD"
+}
 
 variable "acct" {
     default = "${GITHUB_ACTOR}"
@@ -41,7 +43,7 @@ variable "feat_sets" {
 variable "cargo_profiles" {
     default = "[\"test\", \"release\"]"
 }
-variable "cargo_install_root" {
+variable "install_prefix" {
     default = "/usr"
 }
 
@@ -112,7 +114,7 @@ variable "image_compress_level" {
     default = 11
 }
 variable "cache_compress_level" {
-    default = 6
+    default = 7
 }
 
 # Use the cargo-chef layering strategy to separate and pre-build dependencies
@@ -589,40 +591,23 @@ target "install" {
     tags = [
         elem_tag("install", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
     ]
-    target = "install"
     labels = install_labels
-    output = ["type=docker,compression=zstd,mode=min,compression-level=${image_compress_level}"]
+    output = ["type=docker,compression=zstd,mode=min,compression-level=${cache_compress_level}"]
     cache_to = ["type=local,compression=zstd,mode=min,compression-level=${cache_compress_level}"]
+    dockerfile = "${docker_dir}/Dockerfile.install"
+    target = "install"
     matrix = cargo_rust_feat_sys
     inherits = [
-        elem("installer", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+        elem("build-bins", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
     ]
     contexts = {
         input = elem("target:diner", [feat_set, sys_name, sys_version, sys_target])
-        output = elem("target:installer", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+        bins = elem("target:build-bins", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
         #docs = elem("target:docs", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
         #book = elem("target:book", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
     }
-}
-
-target "installer" {
-    name = elem("installer", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
-    tags = [
-        elem_tag("installer", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
-    ]
-    target = "installer"
-    dockerfile = "${docker_dir}/Dockerfile.cargo.install"
-    matrix = cargo_rust_feat_sys
-    inherits = [
-        elem("deps-build-bins", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
-        elem("cargo", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
-    ]
-    contexts = {
-        input = elem("target:deps-build-bins", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
-    }
     args = {
-        cargo_args = "--bins"
-        CARGO_INSTALL_ROOT = cargo_install_root
+        install_prefix = install_prefix
     }
 }
 
@@ -1120,10 +1105,14 @@ target "deps-base" {
         cargo_profile = cargo_profile
         cook_args = "--all-targets --no-build"
 
+        # Base path
         CARGO_TARGET_DIR = "${cargo_tgt_dir_base}"
-        cargo_tgt_cache = "${cargo_tgt_dir_base}/${sys_name}/${sys_version}/${rust_target}/${rust_toolchain}/${cargo_profile}/_shared_cache"
-        cargo_tgt_dst = "${cargo_tgt_dir_base}/${sys_name}/${sys_version}/${rust_target}/${rust_toolchain}/${cargo_profile}/${feat_set}"
-        cargo_tgt_sub = (
+        # cache key for unique artifact area
+        cargo_target_artifact = "${cargo_tgt_dir_base}/${sys_name}/${sys_version}/${rust_target}/${rust_toolchain}/${cargo_profile}/${feat_set}/${git_ref_sha}"
+        # cache key for hashed subdirs
+        cargo_target_share = "${cargo_tgt_dir_base}/${sys_name}/${sys_version}/${rust_target}/${rust_toolchain}/${cargo_profile}/_shared_cache"
+        # cased name of profile subdir within target complex
+        cargo_target_profile = (
             (cargo_profile == "dev" || cargo_profile == "test")? "debug":
             (cargo_profile == "release" || cargo_profile == "bench")? "release":
             cargo_profile
@@ -1313,6 +1302,7 @@ target "ingredients" {
     ]
     target =  "ingredients"
     dockerfile = "${docker_dir}/Dockerfile.ingredients"
+    cache_to = ["type=local,compression=zstd,mode=min,compression-level=${cache_compress_level}"]
     matrix = rust_feat_sys
     inherits = [
         elem("source", [feat_set, sys_name, sys_version, sys_target]),