Major Refactoring, Client can now be used as a library

app/client/certs.go

@@ -0,0 +1,93 @@
+package client
+
+import (
+	"fmt"
+	"path/filepath"
+
+	"git.nevets.tech/Keys/certman/app/shared"
+	"git.nevets.tech/Keys/certman/client"
+	"git.nevets.tech/Keys/certman/common"
+	"github.com/go-git/go-billy/v5/memfs"
+	"github.com/go-git/go-git/v5/storage/memory"
+	"github.com/spf13/cobra"
+)
+
+var (
+	renewCertSubCmd = &cobra.Command{
+		Use:   "renew",
+		Short: "Renews a domains certificate",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return renewCert(args[0])
+		},
+	}
+
+	updateCertLinkSubCmd = &cobra.Command{
+		Use:   "update-link",
+		Short: "Update linked certificates",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return updateLinks(args[0])
+		},
+	}
+
+	decryptCertsSubCmd = &cobra.Command{
+		Use:   "decrypt [certPath] [cryptoKey]",
+		Short: "Decrypt certificates",
+		Args:  cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return client.DecryptCertificates(args[0], args[1])
+		},
+	}
+)
+
+func init() {
+	renewCertSubCmd.AddCommand(updateCertLinkSubCmd, decryptCertsSubCmd)
+	shared.CertCmd.AddCommand(renewCertSubCmd)
+}
+
+func renewCert(domain string) error {
+	gitWorkspace := &common.GitWorkspace{
+		Domain:  domain,
+		Storage: memory.NewStorage(),
+		FS:      memfs.New(),
+	}
+	config := shared.Config()
+	domainConfig, exists := shared.DomainStore().Get(domain)
+	if !exists {
+		return shared.ErrConfigNotFound
+	}
+	if err := client.PullCerts(config, domainConfig, gitWorkspace); err != nil {
+		return err
+	}
+	certsDir := common.CertsDir(config, domainConfig)
+	return client.DecryptAndWriteCertificates(certsDir, config, domainConfig, gitWorkspace)
+}
+
+func updateLinks(domain string) error {
+	domainConfig, exists := shared.DomainStore().Get(domain)
+	if !exists {
+		return fmt.Errorf("domain %s does not exist", domain)
+	}
+
+	certsDir := shared.DomainCertsDirWConf(domain, domainConfig)
+
+	certLinks := domainConfig.Certificates.CertSymlinks
+	for _, certLink := range certLinks {
+		err := common.LinkFile(filepath.Join(certsDir, domain+".crt"), certLink, domain, ".crt")
+		if err != nil {
+			fmt.Printf("Error linking cert %s to %s: %v", certLink, domain, err)
+			continue
+		}
+	}
+
+	keyLinks := domainConfig.Certificates.KeySymlinks
+	for _, keyLink := range keyLinks {
+		err := common.LinkFile(filepath.Join(certsDir, domain+".crt"), keyLink, domain, ".key")
+		if err != nil {
+			fmt.Printf("Error linking cert %s to %s: %v", keyLink, domain, err)
+			continue
+		}
+	}
+	return nil
+}

app/client/client.go

@@ -0,0 +1 @@
+package client

app/client/daemon.go

@@ -0,0 +1,168 @@
+package client
+
+import (
+	"fmt"
+	"io"
+	"log"
+	"path/filepath"
+	"strings"
+
+	appShared "git.nevets.tech/Keys/certman/app/shared"
+	"git.nevets.tech/Keys/certman/client"
+	"git.nevets.tech/Keys/certman/common"
+	"github.com/go-git/go-billy/v5/memfs"
+	"github.com/go-git/go-git/v5/storage/memory"
+)
+
+type Daemon struct{}
+
+func (d *Daemon) Init() {
+	fmt.Println("Starting CertManager in client mode...")
+	err := appShared.LoadDomainConfigs()
+	if err != nil {
+		log.Fatalf("Error loading domain configs: %v", err)
+	}
+
+	d.Tick()
+}
+
+func (d *Daemon) Tick() {
+	fmt.Println("tick!")
+
+	// Get local copy of configs
+	config := appShared.Config()
+	localDomainConfigs := appShared.DomainStore().Snapshot()
+
+	// Loop over all domain configs (domains)
+	for domainStr, domainConfig := range localDomainConfigs {
+		// Skip non-enabled domains
+		if !domainConfig.Domain.Enabled {
+			continue
+		}
+
+		// Skip domains with up-to-date commit hashes
+		// If the repo doesn't exist, we can't check for a remote commit, so stop the rest of the check
+		repoExists := domainConfig.Internal.RepoExists
+		if repoExists {
+			var dataRoot string
+			if domainConfig.Certificates.DataRoot == "" {
+				config.Certificates.DataRoot = domainStr
+			} else {
+				dataRoot = domainConfig.Certificates.DataRoot
+			}
+			localHash, err := client.LocalCommitHash(domainStr, dataRoot)
+			if err != nil {
+				fmt.Printf("No local commit hash found for domain %s\n", domainStr)
+			}
+			gitSource, err := common.StrToGitSource(appShared.Config().Git.Host)
+			if err != nil {
+				fmt.Printf("Error getting git source for domain %s: %v\n", domainStr, err)
+				continue
+			}
+			remoteHash, err := client.RemoteCommitHash(domainStr, gitSource, config, domainConfig)
+			if err != nil {
+				fmt.Printf("Error getting remote commit hash for domain %s: %v\n", domainStr, err)
+			}
+			// If both hashes are blank (errored), break
+			// If localHash equals remoteHash (local is up-to-date), skip
+			if !(localHash == "" && remoteHash == "") && localHash == remoteHash {
+				fmt.Printf("Domain %s is up to date. Skipping...\n", domainStr)
+				continue
+			}
+		}
+
+		gitWorkspace := &common.GitWorkspace{
+			Storage: memory.NewStorage(),
+			FS:      memfs.New(),
+		}
+		// Ex: https://git.example.com/Org/Repo-suffix.git
+		// Clones repo and stores in gitWorkspace, skip if clone fails (doesn't exist?)
+		repoUrl := appShared.Config().Git.Server + "/" + config.Git.OrgName + "/" + domainStr + domainConfig.Repo.RepoSuffix + ".git"
+		err := common.CloneRepo(repoUrl, gitWorkspace, common.Client, config)
+		if err != nil {
+			fmt.Printf("Error cloning domain repo %s: %v\n", domainStr, err)
+			continue
+		}
+
+		certsDir := appShared.DomainCertsDirWConf(domainStr, domainConfig)
+
+		// Get files in repo
+		fileInfos, err := gitWorkspace.FS.ReadDir("/")
+		if err != nil {
+			fmt.Printf("Error reading directory in memFS on domain %s: %v\n", domainStr, err)
+			continue
+		}
+		// Iterate over files, filtering by .crpt (encrypted) files in case other files were accidentally added
+		for _, fileInfo := range fileInfos {
+			if strings.HasSuffix(fileInfo.Name(), ".crpt") {
+				filename, _ := strings.CutSuffix(fileInfo.Name(), ".crpt")
+				file, err := gitWorkspace.FS.Open(fileInfo.Name())
+				if err != nil {
+					fmt.Printf("Error opening file in memFS on domain %s: %v\n", domainStr, err)
+					continue
+				}
+				fileBytes, err := io.ReadAll(file)
+				if err != nil {
+					fmt.Printf("Error reading file in memFS on domain %s: %v\n", domainStr, err)
+					file.Close()
+					continue
+				}
+				err = file.Close()
+				if err != nil {
+					fmt.Printf("Error closing file on domain %s: %v\n", domainStr, err)
+					continue
+				}
+
+				err = common.DecryptFileFromBytes(domainConfig.Certificates.CryptoKey, fileBytes, filepath.Join(certsDir, filename), nil)
+				if err != nil {
+					fmt.Printf("Error decrypting file %s in domain %s: %v\n", filename, domainStr, err)
+					continue
+				}
+
+				headRef, err := gitWorkspace.Repo.Head()
+				if err != nil {
+					fmt.Printf("Error getting head reference for domain %s: %v\n", domainStr, err)
+					continue
+				}
+
+				err = common.WriteCommitHash(headRef.Hash().String(), config, domainConfig)
+				if err != nil {
+					fmt.Printf("Error writing commit hash: %v\n", err)
+					continue
+				}
+
+				certLinks := domainConfig.Certificates.CertSymlinks
+				for _, certLink := range certLinks {
+					err = common.LinkFile(filepath.Join(certsDir, domainStr+".crt"), certLink, domainStr, ".crt")
+					if err != nil {
+						fmt.Printf("Error linking cert %s to %s: %v\n", certLink, domainStr, err)
+						continue
+					}
+				}
+
+				keyLinks := domainConfig.Certificates.KeySymlinks
+				for _, keyLink := range keyLinks {
+					err = common.LinkFile(filepath.Join(certsDir, domainStr+".key"), keyLink, domainStr, ".key")
+					if err != nil {
+						fmt.Printf("Error linking cert %s to %s: %v\n", keyLink, domainStr, err)
+						continue
+					}
+				}
+			}
+		}
+	}
+}
+
+func (d *Daemon) Reload() {
+	fmt.Println("Reloading configs...")
+
+	err := appShared.LoadDomainConfigs()
+	if err != nil {
+		fmt.Printf("Error loading domain configs: %v\n", err)
+		return
+	}
+}
+
+func (d *Daemon) Stop() {
+	fmt.Println("Shutting down client")
+}

app/client/grpc.go

@@ -0,0 +1,49 @@
+package client
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"time"
+
+	"git.nevets.tech/Keys/certman/app/shared"
+	pb "git.nevets.tech/Keys/certman/proto/v1"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+func SendHook(domain string) {
+	conn, err := grpc.NewClient(
+		"unix:///run/certman.sock",
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+	)
+	if err != nil {
+		log.Fatalf("fail to dial: %v", err)
+	}
+	defer conn.Close()
+	client := pb.NewHookServiceClient(conn)
+
+	hooks, err := shared.PostPullHooks(domain)
+	if err != nil {
+		fmt.Printf("Error getting hooks: %v\n", err)
+		return
+	}
+
+	for _, hook := range hooks {
+		sendHook(client, hook)
+	}
+}
+
+func sendHook(client pb.HookServiceClient, hook *pb.Hook) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	res, err := client.ExecuteHook(ctx, &pb.ExecuteHookRequest{Hook: hook})
+	if err != nil {
+		fmt.Printf("Error executing hook: %v\n", err)
+		return
+	}
+
+	if res.GetError() != "" {
+		fmt.Printf("Error executing hook: %s\n", res.GetError())
+	}
+}

app/executor/commands.go

@@ -0,0 +1,37 @@
+package executor
+
+import (
+	"fmt"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	executorServer *Server
+
+	ExecutorCmd = &cobra.Command{
+		Use:   "executor",
+		Short: "Privileged daemon",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return startExecutorCmd()
+		},
+	}
+)
+
+func startExecutorCmd() error {
+	executorServer = &Server{}
+
+	sigCh := make(chan os.Signal, 1)
+	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
+	go func() {
+		<-sigCh
+		executorServer.Stop()
+	}()
+	if err := executorServer.Start(); err != nil {
+		return fmt.Errorf("failed to start executor server: %w", err)
+	}
+	return nil
+}

app/executor/executor.go

@@ -0,0 +1,43 @@
+package executor
+
+import (
+	"fmt"
+	"net"
+	"sync"
+
+	pb "git.nevets.tech/Keys/certman/proto/v1"
+	"github.com/coreos/go-systemd/v22/activation"
+	"google.golang.org/grpc"
+)
+
+type Server struct {
+	listener net.Listener
+	wg       sync.WaitGroup
+}
+
+func (s *Server) Start() error {
+	listeners, err := activation.Listeners()
+	if err != nil {
+		return fmt.Errorf("systemd activation listeners: %v", err)
+	}
+	if len(listeners) != 1 {
+		return fmt.Errorf("systemd activation listeners: expected 1, got %d", len(listeners))
+	}
+
+	s.listener = listeners[0]
+	srv := grpc.NewServer()
+	pb.RegisterHookServiceServer(srv, &hookServer{})
+
+	err = srv.Serve(s.listener)
+	if err != nil {
+		return fmt.Errorf("error creating grpc listener: %v", err)
+	}
+	fmt.Printf("Started gRPC server on %s\n", s.listener.Addr())
+	return nil
+}
+
+func (s *Server) Stop() {
+	if s.listener != nil {
+		_ = s.listener.Close()
+	}
+}

app/executor/hook.go

@@ -0,0 +1,73 @@
+package executor
+
+import (
+	"context"
+	"errors"
+	"os"
+	"os/exec"
+	"syscall"
+	"time"
+
+	"git.nevets.tech/Keys/certman/common"
+	pb "git.nevets.tech/Keys/certman/proto/v1"
+)
+
+type hookServer struct {
+	pb.UnimplementedHookServiceServer
+}
+
+func (s *hookServer) ExecuteHook(ctx context.Context, req *pb.ExecuteHookRequest) (*pb.ExecuteHookResponse, error) {
+	h := req.GetHook()
+	if h == nil {
+		return &pb.ExecuteHookResponse{Error: "missing hook"}, nil
+	}
+
+	// Minimal validation
+	if len(h.GetCommand()) == 0 {
+		return &pb.ExecuteHookResponse{Error: "command is empty"}, nil
+	}
+
+	// Timeout
+	timeout := time.Duration(h.GetTimeoutSeconds()) * time.Second
+	if timeout <= 0 {
+		timeout = 30 * time.Second
+	}
+	ctx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+
+	// Build command
+	cmdArgs := h.GetCommand()
+	cmd := exec.CommandContext(ctx, cmdArgs[0], cmdArgs[1:]...)
+	if cwd := h.GetCwd(); cwd != "" {
+		cmd.Dir = cwd
+	}
+
+	// Env: inherit current + overlay provided
+	env := os.Environ()
+	for k, v := range h.GetEnv() {
+		env = append(env, k+"="+v)
+	}
+	cmd.Env = env
+
+	// Run as user/group if specified (Linux/Unix)
+	if h.GetUser() != "" || h.GetGroup() != "" {
+		cred, err := common.MakeCredential(h.GetUser(), h.GetGroup())
+		if err != nil {
+			return &pb.ExecuteHookResponse{Error: brief(err)}, nil
+		}
+		cmd.SysProcAttr = &syscall.SysProcAttr{
+			Credential: cred,
+		}
+	}
+
+	// We’re intentionally NOT returning stdout/stderr; only a brief error on failure.
+	if err := cmd.Run(); err != nil {
+		// If context deadline hit, make the error message short and explicit.
+		if errors.Is(ctx.Err(), context.DeadlineExceeded) {
+			return &pb.ExecuteHookResponse{Error: "hook timed out"}, nil
+		}
+		return &pb.ExecuteHookResponse{Error: brief(err)}, nil
+	}
+
+	return &pb.ExecuteHookResponse{Error: ""}, nil
+}

app/executor/util.go

@@ -0,0 +1,8 @@
+package executor
+
+import "fmt"
+
+// brief tries to keep errors short and non-leaky.
+func brief(err error) string {
+	return fmt.Sprintf("hook failed: %v", err)
+}

app/server/certs.go

@@ -0,0 +1,125 @@
+package server
+
+import (
+	"fmt"
+	"path/filepath"
+	"time"
+
+	"git.nevets.tech/Keys/certman/app/shared"
+	"git.nevets.tech/Keys/certman/common"
+	"git.nevets.tech/Keys/certman/server"
+	"github.com/go-git/go-billy/v5/memfs"
+	"github.com/go-git/go-git/v5/storage/memory"
+	"github.com/spf13/cobra"
+)
+
+var (
+	noPush          bool
+	renewCertSubCmd = &cobra.Command{
+		Use:   "renew",
+		Short: "Renews a domains certificate",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return renewCertCmd(args[0], noPush)
+		},
+	}
+)
+
+func init() {
+	renewCertSubCmd.Flags().BoolVar(&noPush, "no-push", false, "Don't push certs to repo, renew locally only [server mode only]")
+	shared.CertCmd.AddCommand(renewCertSubCmd)
+}
+
+func renewCertCmd(domain string, noPush bool) error {
+	if err := shared.LoadConfig(); err != nil {
+		return err
+	}
+	if err := shared.LoadDomainConfigs(); err != nil {
+		return err
+	}
+	mgr, err := server.NewACMEManager(shared.Config())
+	if err != nil {
+		return err
+	}
+	err = renewCerts(domain, noPush, mgr)
+	if err != nil {
+		return err
+	}
+	// return ReloadDaemonCmd() // Not sure if this is necessary
+	return nil
+}
+
+func renewCerts(domain string, noPush bool, mgr *server.ACMEManager) error {
+	config := shared.Config()
+	domainConfig, exists := shared.DomainStore().Get(domain)
+	if !exists {
+		return fmt.Errorf("domain %s does not exist", domain)
+	}
+
+	_, err := mgr.RenewForDomain(domain)
+	if err != nil {
+		// if no existing cert, obtain instead
+		_, err = mgr.ObtainForDomain(domain, config, domainConfig)
+		if err != nil {
+			return fmt.Errorf("error obtaining domain certificates for domain %s: %v", domain, err)
+		}
+	}
+
+	domainConfig.Internal.LastIssued = time.Now().UTC().Unix()
+	err = shared.WriteDomainConfig(domainConfig)
+	if err != nil {
+		return fmt.Errorf("error saving domain config %s: %v", domain, err)
+	}
+
+	err = common.EncryptFileXChaCha(domainConfig.Certificates.CryptoKey, filepath.Join(mgr.CertsRoot, domain, domain+".crt"), filepath.Join(mgr.CertsRoot, domain, domain+".crt.crpt"), nil)
+	if err != nil {
+		return fmt.Errorf("error encrypting domain cert for domain %s: %v", domain, err)
+	}
+	err = common.EncryptFileXChaCha(domainConfig.Certificates.CryptoKey, filepath.Join(mgr.CertsRoot, domain, domain+".key"), filepath.Join(mgr.CertsRoot, domain, domain+".key.crpt"), nil)
+	if err != nil {
+		return fmt.Errorf("error encrypting domain key for domain %s: %v", domain, err)
+	}
+
+	if !noPush {
+		giteaClient := common.CreateGiteaClient(config)
+		if giteaClient == nil {
+			return fmt.Errorf("error creating gitea client for domain %s: %v", domain, err)
+		}
+		gitWorkspace := &common.GitWorkspace{
+			Storage: memory.NewStorage(),
+			FS:      memfs.New(),
+		}
+
+		var repoUrl string
+		if !domainConfig.Internal.RepoExists {
+			repoUrl = common.CreateGiteaRepo(domain, giteaClient, config, domainConfig)
+			if repoUrl == "" {
+				return fmt.Errorf("error creating Gitea repo for domain %s", domain)
+			}
+			domainConfig.Internal.RepoExists = true
+			err = shared.WriteDomainConfig(domainConfig)
+			if err != nil {
+				return fmt.Errorf("error saving domain config %s: %v", domain, err)
+			}
+
+			err = common.InitRepo(repoUrl, gitWorkspace)
+			if err != nil {
+				return fmt.Errorf("error initializing repo for domain %s: %v", domain, err)
+			}
+		} else {
+			repoUrl = config.Git.Server + "/" + config.Git.OrgName + "/" + domain + domainConfig.Repo.RepoSuffix + ".git"
+			err = common.CloneRepo(repoUrl, gitWorkspace, common.Server, config)
+			if err != nil {
+				return fmt.Errorf("error cloning repo for domain %s: %v", domain, err)
+			}
+		}
+
+		err = common.AddAndPushCerts(domain, gitWorkspace, config, domainConfig)
+		if err != nil {
+			return fmt.Errorf("error pushing certificates for domain %s: %v", domain, err)
+		}
+		fmt.Printf("Successfully pushed certificates for domain %s\n", domain)
+	}
+
+	return nil
+}

app/server/daemon.go

@@ -0,0 +1,168 @@
+package server
+
+import (
+	"fmt"
+	"log"
+	"path/filepath"
+	"sync"
+	"time"
+
+	appShared "git.nevets.tech/Keys/certman/app/shared"
+	"git.nevets.tech/Keys/certman/common"
+	"git.nevets.tech/Keys/certman/server"
+	"github.com/go-git/go-billy/v5/memfs"
+	"github.com/go-git/go-git/v5/storage/memory"
+)
+
+type Daemon struct {
+	ACMEManager *server.ACMEManager
+	TickMu      sync.Mutex
+	MgrMu       sync.Mutex
+}
+
+func (d *Daemon) loadACMEManager() error {
+	d.MgrMu.Lock()
+	defer d.MgrMu.Unlock()
+
+	if d.ACMEManager == nil {
+		var err error
+		d.ACMEManager, err = server.NewACMEManager(appShared.Config())
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (d *Daemon) Init() {
+	fmt.Println("Starting CertManager in server mode...")
+	err := appShared.LoadDomainConfigs()
+	if err != nil {
+		log.Fatalf("Error loading domain configs: %v", err)
+	}
+
+	d.Tick()
+}
+
+func (d *Daemon) Tick() {
+	d.TickMu.Lock()
+	defer d.TickMu.Unlock()
+	fmt.Println("Tick!")
+
+	if err := d.loadACMEManager(); err != nil {
+		fmt.Printf("Error getting acme manager: %v\n", err)
+		return
+	}
+
+	now := time.Now().UTC()
+
+	config := appShared.Config()
+	localDomainConfigs := appShared.DomainStore().Snapshot()
+
+	for domainStr, domainConfig := range localDomainConfigs {
+		if !domainConfig.Domain.Enabled {
+			continue
+		}
+		renewPeriod := domainConfig.Certificates.RenewPeriod
+		lastIssued := time.Unix(domainConfig.Internal.LastIssued, 0).UTC()
+		renewalDue := lastIssued.AddDate(0, 0, renewPeriod)
+		if now.After(renewalDue) {
+			//TODO extra check if certificate expiry (create cache?)
+			_, err := d.ACMEManager.RenewForDomain(domainStr)
+			if err != nil {
+				// if no existing cert, obtain instead
+				_, err = d.ACMEManager.ObtainForDomain(domainStr, appShared.Config(), domainConfig)
+				if err != nil {
+					fmt.Printf("Error obtaining domain certificates for domain %s: %v\n", domainStr, err)
+					continue
+				}
+			}
+
+			domainConfig.Internal.LastIssued = time.Now().UTC().Unix()
+			err = appShared.WriteDomainConfig(domainConfig)
+			if err != nil {
+				fmt.Printf("Error saving domain config %s: %v\n", domainStr, err)
+				continue
+			}
+
+			err = common.EncryptFileXChaCha(domainConfig.Certificates.CryptoKey, filepath.Join(d.ACMEManager.CertsRoot, domainStr, domainStr+".crt"), filepath.Join(d.ACMEManager.CertsRoot, domainStr, domainStr+".crt.crpt"), nil)
+			if err != nil {
+				fmt.Printf("Error encrypting domain cert for domain %s: %v\n", domainStr, err)
+				continue
+			}
+			err = common.EncryptFileXChaCha(domainConfig.Certificates.CryptoKey, filepath.Join(d.ACMEManager.CertsRoot, domainStr, domainStr+".key"), filepath.Join(d.ACMEManager.CertsRoot, domainStr, domainStr+".key.crpt"), nil)
+			if err != nil {
+				fmt.Printf("Error encrypting domain key for domain %s: %v\n", domainStr, err)
+				continue
+			}
+
+			giteaClient := common.CreateGiteaClient(config)
+			if giteaClient == nil {
+				fmt.Printf("Error creating gitea client for domain %s: %v\n", domainStr, err)
+				continue
+			}
+			gitWorkspace := &common.GitWorkspace{
+				Storage: memory.NewStorage(),
+				FS:      memfs.New(),
+			}
+
+			var repoUrl string
+			if !domainConfig.Internal.RepoExists {
+				repoUrl = common.CreateGiteaRepo(domainStr, giteaClient, config, domainConfig)
+				if repoUrl == "" {
+					fmt.Printf("Error creating Gitea repo for domain %s\n", domainStr)
+					continue
+				}
+				domainConfig.Internal.RepoExists = true
+				err = appShared.WriteDomainConfig(domainConfig)
+				if err != nil {
+					fmt.Printf("Error saving domain config %s: %v\n", domainStr, err)
+					continue
+				}
+
+				err = common.InitRepo(repoUrl, gitWorkspace)
+				if err != nil {
+					fmt.Printf("Error initializing repo for domain %s: %v\n", domainStr, err)
+					continue
+				}
+			} else {
+				repoUrl = appShared.Config().Git.Server + "/" + appShared.Config().Git.OrgName + "/" + domainStr + domainConfig.Repo.RepoSuffix + ".git"
+				err = common.CloneRepo(repoUrl, gitWorkspace, common.Server, config)
+				if err != nil {
+					fmt.Printf("Error cloning repo for domain %s: %v\n", domainStr, err)
+					continue
+				}
+			}
+
+			err = common.AddAndPushCerts(domainStr, gitWorkspace, config, domainConfig)
+			if err != nil {
+				fmt.Printf("Error pushing certificates for domain %s: %v\n", domainStr, err)
+				continue
+			}
+			fmt.Printf("Successfully pushed certificates for domain %s\n", domainStr)
+		}
+	}
+	if err := appShared.SaveDomainConfigs(); err != nil {
+		fmt.Printf("Error saving domain configs: %v\n", err)
+	}
+}
+
+func (d *Daemon) Reload() {
+	fmt.Println("Reloading configs...")
+	err := appShared.LoadDomainConfigs()
+
+	if err != nil {
+		fmt.Printf("Error loading domain configs: %v\n", err)
+		return
+	}
+
+	d.MgrMu.Lock()
+	d.ACMEManager = nil
+	d.MgrMu.Unlock()
+
+	fmt.Println("Successfully reloaded configs")
+}
+
+func (d *Daemon) Stop() {
+	fmt.Println("Shutting down server")
+}

app/server/server.go

@@ -0,0 +1 @@
+package server

app/shared/certs.go

@@ -0,0 +1,15 @@
+package shared
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var (
+	CertCmd = &cobra.Command{
+		Use:   "cert",
+		Short: "Certificate management",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cmd.Help()
+		},
+	}
+)

app/shared/commands.go

@@ -0,0 +1,191 @@
+package shared
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"os/user"
+	"strconv"
+	"strings"
+
+	"git.nevets.tech/Keys/certman/common"
+	"github.com/spf13/cobra"
+)
+
+var (
+	VersionCmd = basicCmd("version", "Show version", versionCmd)
+	NewKeyCmd  = basicCmd("gen-key", "Generates encryption key", newKeyCmd)
+	DevCmd     = basicCmd("dev", "Dev Function", devCmd)
+
+	domainCertDir string
+	NewDomainCmd  = &cobra.Command{
+		Use:           "new-domain",
+		Short:         "Create config and directories for new domain",
+		Args:          cobra.ExactArgs(1),
+		SilenceUsage:  true,
+		SilenceErrors: true,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			dirOverridden := cmd.Flags().Changed("dir")
+			return newDomainCmd(args[0], domainCertDir, dirOverridden)
+		},
+	}
+
+	modeFlag        string
+	thinInstallFlag bool
+	InstallCmd      = &cobra.Command{
+		Use:   "install",
+		Short: "Create certman files and directories",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			switch modeFlag {
+			case "server", "client":
+				return installCmd(thinInstallFlag, modeFlag)
+			default:
+				return fmt.Errorf("invalid --mode %q (must be server or client)", modeFlag)
+			}
+		},
+	}
+)
+
+func init() {
+	NewDomainCmd.Flags().StringVar(&domainCertDir, "dir", "/var/local/certman/certificates/", "Alternate directory for certificates")
+
+	InstallCmd.Flags().StringVar(&modeFlag, "mode", "client", "CertManager mode [server, client]")
+	InstallCmd.Flags().BoolVarP(&thinInstallFlag, "thin", "t", false, "Thin install (skip creating dirs)")
+}
+
+func devCmd(cmd *cobra.Command, args []string) {
+	testDomain := "lunamc.org"
+	err := LoadConfig()
+	if err != nil {
+		log.Fatalf("Error loading configuration: %v\n", err)
+	}
+	err = LoadDomainConfigs()
+	if err != nil {
+		log.Fatalf("Error loading configs: %v\n", err)
+	}
+
+	fmt.Println(testDomain)
+}
+
+func versionCmd(cmd *cobra.Command, args []string) {
+	fmt.Printf("CertManager (certman) - Steven Tracey\nVersion: %s build-%s\n",
+		common.Version, common.Build,
+	)
+}
+
+func newKeyCmd(cmd *cobra.Command, args []string) {
+	key, err := common.GenerateKey()
+	if err != nil {
+		log.Fatalf("%v", err)
+	}
+	fmt.Printf(key)
+}
+
+func newDomainCmd(domain, domainDir string, dirOverridden bool) error {
+	//TODO add config option for "overridden dir"
+	if !common.IsValidFQDN(domain) {
+		return fmt.Errorf("invalid FQDN: %q", domain)
+	}
+
+	err := LoadConfig()
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("Creating new domain %s\n", domain)
+	err = CreateDomainConfig(domain)
+	if err != nil {
+		return err
+	}
+	CreateDomainCertsDir(domain, domainDir, dirOverridden)
+
+	certmanUser, err := user.Lookup("certman")
+	if err != nil {
+		return fmt.Errorf("error getting user certman: %v", err)
+	}
+	uid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Uid))
+	if err != nil {
+		return err
+	}
+	gid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Gid))
+	if err != nil {
+		return err
+	}
+	err = common.ChownRecursive("/etc/certman/domains", uid, gid)
+	if err != nil {
+		return err
+	}
+	err = common.ChownRecursive("/var/local/certman", uid, gid)
+	if err != nil {
+		return err
+	}
+
+	fmt.Println("Successfully created domain entry for " + domain + "\nUpdate config file as needed in /etc/certman/domains/" + domain + ".conf\n")
+	return nil
+}
+
+func installCmd(isThin bool, mode string) error {
+	if !isThin {
+		if os.Geteuid() != 0 {
+			return fmt.Errorf("installation must be run as root")
+		}
+
+		MakeDirs()
+		CreateConfig(mode)
+
+		err := LoadConfig()
+		if err != nil {
+			return err
+		}
+
+		f, err := os.OpenFile("/var/run/certman.pid", os.O_RDONLY|os.O_CREATE, 0755)
+		if err != nil {
+			return fmt.Errorf("error creating pid file: %v", err)
+		}
+		err = f.Close()
+		if err != nil {
+			return fmt.Errorf("error closing pid file: %v", err)
+		}
+
+		newUserCmd := exec.Command("useradd", "-d", "/var/local/certman", "-U", "-r", "-s", "/sbin/nologin", "certman")
+		if output, err := newUserCmd.CombinedOutput(); err != nil {
+			if !strings.Contains(err.Error(), "exit status 9") {
+				return fmt.Errorf("error creating user: %v: output %s", err, output)
+			}
+		}
+		newGroupCmd := exec.Command("groupadd", "-r", "-U", "certman", "certsock")
+		if output, err := newGroupCmd.CombinedOutput(); err != nil {
+			if !strings.Contains(err.Error(), "exit status 9") {
+				return fmt.Errorf("error creating group: %v: output %s", err, output)
+			}
+		}
+		certmanUser, err := user.Lookup("certman")
+		if err != nil {
+			return fmt.Errorf("error getting user certman: %v", err)
+		}
+		uid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Uid))
+		if err != nil {
+			return err
+		}
+		gid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Gid))
+		if err != nil {
+			return err
+		}
+		err = common.ChownRecursive("/etc/certman", uid, gid)
+		if err != nil {
+			return fmt.Errorf("error changing uid/gid: %v", err)
+		}
+		err = common.ChownRecursive("/var/local/certman", uid, gid)
+		if err != nil {
+			return fmt.Errorf("error changing uid/gid: %v", err)
+		}
+		err = os.Chown("/var/run/certman.pid", uid, gid)
+		if err != nil {
+			return fmt.Errorf("error changing uid/gid: %v", err)
+		}
+	} else {
+		CreateConfig(mode)
+	}
+	return nil
+}

app/shared/config.go

@@ -0,0 +1,358 @@
+package shared
+
+import (
+	"errors"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+
+	"git.nevets.tech/Keys/certman/common"
+	pb "git.nevets.tech/Keys/certman/proto/v1"
+	"github.com/google/uuid"
+	"github.com/pelletier/go-toml/v2"
+	"github.com/spf13/viper"
+)
+
+var (
+	ErrBlankConfigEntry = errors.New("blank config entry")
+	ErrConfigNotFound   = errors.New("config file not found")
+)
+
+type DomainConfigStore struct {
+	mu      sync.RWMutex
+	configs map[string]*common.DomainConfig
+}
+
+func NewDomainConfigStore() *DomainConfigStore {
+	return &DomainConfigStore{
+		configs: make(map[string]*common.DomainConfig),
+	}
+}
+
+func (s *DomainConfigStore) Get(domain string) (*common.DomainConfig, bool) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	v, ok := s.configs[domain]
+	return v, ok
+}
+
+func (s *DomainConfigStore) Set(domain string, v *common.DomainConfig) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.configs[domain] = v
+}
+
+// Swap atomically replaces the entire config map (used during reload).
+func (s *DomainConfigStore) Swap(newConfigs map[string]*common.DomainConfig) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.configs = newConfigs
+}
+
+// Snapshot returns a shallow copy safe to iterate without holding the lock.
+func (s *DomainConfigStore) Snapshot() map[string]*common.DomainConfig {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	snap := make(map[string]*common.DomainConfig, len(s.configs))
+	for k, v := range s.configs {
+		snap[k] = v
+	}
+	return snap
+}
+
+// ---------------------------------------------------------------------------
+//  Global state
+// ---------------------------------------------------------------------------
+
+var (
+	config      *common.AppConfig
+	configMu    sync.RWMutex
+	domainStore = NewDomainConfigStore()
+)
+
+func Config() *common.AppConfig {
+	configMu.RLock()
+	defer configMu.RUnlock()
+	return config
+}
+
+func DomainStore() *DomainConfigStore {
+	domainStore.mu.RLock()
+	defer domainStore.mu.RUnlock()
+	return domainStore
+}
+
+// ---------------------------------------------------------------------------
+//  Loading
+// ---------------------------------------------------------------------------
+
+// LoadConfig reads the main certman.conf into config.
+func LoadConfig() error {
+	vConfig := viper.New()
+	vConfig.SetConfigFile("/etc/certman/certman.conf")
+	vConfig.SetConfigType("toml")
+	if err := vConfig.ReadInConfig(); err != nil {
+		return err
+	}
+
+	if vConfig.GetString("App.mode") == "server" {
+		vConfig.SetConfigType("toml")
+		vConfig.SetConfigFile("/etc/certman/server.conf")
+		if err := vConfig.MergeInConfig(); err != nil {
+			return err
+		}
+	}
+	if err := vConfig.Unmarshal(&config); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// LoadDomainConfigs reads every .conf file in the domains directory.
+func LoadDomainConfigs() error {
+	dir := "/etc/certman/domains/"
+	entries, err := os.ReadDir(dir)
+	if err != nil {
+		return fmt.Errorf("reading domain config dir: %w", err)
+	}
+
+	temp := make(map[string]*common.DomainConfig)
+
+	for _, entry := range entries {
+		if entry.IsDir() || filepath.Ext(entry.Name()) != ".conf" {
+			continue
+		}
+
+		path := filepath.Join(dir, entry.Name())
+		v := viper.New()
+		v.SetConfigFile(path)
+		v.SetConfigType("toml")
+
+		if err := v.ReadInConfig(); err != nil {
+			return fmt.Errorf("loading %s: %w", path, err)
+		}
+
+		domain := v.GetString("domain.domain_name")
+		if domain == "" {
+			return fmt.Errorf("%s: missing domain.domain_name", path)
+		}
+
+		if _, exists := temp[domain]; exists {
+			fmt.Printf("Duplicate domain in %s, skipping...\n", path)
+			continue
+		}
+		cfg := &common.DomainConfig{}
+		if err = v.Unmarshal(cfg); err != nil {
+			return fmt.Errorf("unmarshaling %s: %w", path, err)
+		}
+		temp[domain] = cfg
+	}
+
+	domainStore.Swap(temp)
+	return nil
+}
+
+// ---------------------------------------------------------------------------
+//  Saving
+// ---------------------------------------------------------------------------
+
+func WriteConfig(filePath string, config *common.AppConfig) error {
+	buf, err := toml.Marshal(&config)
+	if err != nil {
+		return fmt.Errorf("marshaling config: %w", err)
+	}
+	if err = os.WriteFile(filePath, buf, 0640); err != nil {
+		return fmt.Errorf("write config file: %w", err)
+	}
+
+	return nil
+}
+
+func WriteDomainConfig(config *common.DomainConfig) error {
+	buf, err := toml.Marshal(config)
+	if err != nil {
+		return fmt.Errorf("marshaling domain config: %w", err)
+	}
+	configPath := filepath.Join("/etc/certman/domains", config.Domain.DomainName+".conf")
+	if err = os.WriteFile(configPath, buf, 0640); err != nil {
+		return fmt.Errorf("write config file: %w", err)
+	}
+
+	return nil
+}
+
+// SaveDomainConfigs writes every loaded domain config back to disk.
+func SaveDomainConfigs() error {
+	for _, v := range domainStore.Snapshot() {
+		err := WriteDomainConfig(v)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// ---------------------------------------------------------------------------
+// Domain Specific Lookups
+// ---------------------------------------------------------------------------
+
+func PostPullHooks(domain string) ([]*pb.Hook, error) {
+	var hooks []*pb.Hook
+	if err := viper.UnmarshalKey("Hooks.PostPull", hooks); err != nil {
+		return nil, err
+	}
+	return hooks, nil
+}
+
+// ---------------------------------------------------------------------------
+//  Directory bootstrapping
+// ---------------------------------------------------------------------------
+
+func MakeDirs() {
+	dirs := []struct {
+		path string
+		perm os.FileMode
+	}{
+		{"/etc/certman", 0755},
+		{"/etc/certman/domains", 0755},
+		{"/var/local/certman", 0750},
+	}
+
+	for _, d := range dirs {
+		if err := os.MkdirAll(d.path, d.perm); err != nil {
+			log.Fatalf("Unable to create directory %s: %v", d.path, err)
+		}
+	}
+}
+
+func CreateConfig(mode string) {
+	content := strings.NewReplacer(
+		"{mode}", mode,
+	).Replace(defaultConfig)
+	createFile("/etc/certman/certman.conf", 0640, []byte(content))
+
+	switch mode {
+	case "server":
+		content = strings.NewReplacer(
+			"{uuid}", uuid.New().String(),
+		).Replace(defaultServerConfig)
+		createFile("/etc/certman/server.conf", 640, []byte(content))
+	}
+}
+
+func CreateDomainConfig(domain string) error {
+	key, err := common.GenerateKey()
+	if err != nil {
+		return fmt.Errorf("unable to generate key: %v", err)
+	}
+	localConfig := Config()
+
+	var content string
+	switch localConfig.App.Mode {
+	case "server":
+		content = strings.NewReplacer(
+			"{domain}", domain,
+			"{key}", key,
+		).Replace(defaultServerDomainConfig)
+	case "client":
+		content = strings.NewReplacer(
+			"{domain}", domain,
+			"{key}", key,
+		).Replace(defaultClientDomainConfig)
+	default:
+		return fmt.Errorf("unknown certman mode: %v", localConfig.App.Mode)
+	}
+
+	path := filepath.Join("/etc/certman/domains", domain+".conf")
+	createFile(path, 0640, []byte(content))
+	return nil
+}
+
+func CreateDomainCertsDir(domain string, dir string, dirOverride bool) {
+	var target string
+	if dirOverride {
+		target = filepath.Join(dir, domain)
+	} else {
+		target = filepath.Join("/var/local/certman/certificates", domain)
+	}
+
+	if err := os.MkdirAll(target, 0750); err != nil {
+		if os.IsExist(err) {
+			fmt.Println("Directory already exists...")
+			return
+		}
+		log.Fatalf("Error creating certificate directory for %s: %v", domain, err)
+	}
+}
+
+const defaultConfig = `[App]
+mode = '{mode}'
+tick_rate = 2
+
+[Git]
+host = 'gitea'
+server = 'https://gitea.instance.com'
+username = 'User'
+api_token = 'xxxxxxxxxxxxxxxxxxxxxxxxx'
+org_name = 'org'
+
+[Certificates]
+data_root = '/var/local/certman'
+`
+
+const defaultServerConfig = `[App]
+uuid = '{uuid}'
+
+[Certificates]
+email = 'User@example.com'
+ca_dir_url = 'https://acme-v02.api.letsencrypt.org/directory'
+
+[Cloudflare]
+cf_email = 'email@example.com'
+cf_api_key = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'`
+
+const defaultServerDomainConfig = `[Certificates]
+data_root = ''
+expiry = 90
+request_method = 'dns-01'
+renew_period = 30
+subdomains = []
+crypto_key = '{key}'
+
+[Domain]
+domain_name = '{domain}'
+enabled = true
+dns_server = 'default'
+
+[Repo]
+repo_suffix = '-certificates'
+
+[Internal]
+last_issued = 0
+repo_exists = false
+status = 'clean'
+`
+
+const defaultClientDomainConfig = `[Certificates]
+data_root = ''
+cert_symlinks = []
+key_symlinks = []
+crypto_key = '{key}'
+
+[Domain]
+domain_name = '{domain}'
+enabled = true
+
+[Hooks.PostPull]
+command = []
+cwd = "/dev/null"
+timeout_seconds = 30
+env = { "FOO" = "bar" }
+
+[Repo]
+repo_suffix = '-certificates'
+`

app/shared/daemon.go

@@ -0,0 +1,191 @@
+package shared
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"os/signal"
+	"sync"
+	"syscall"
+	"time"
+
+	"git.nevets.tech/Keys/certman/common"
+	"github.com/spf13/cobra"
+)
+
+type Daemon interface {
+	Init()
+	Tick()
+	Reload()
+	Stop()
+}
+
+var (
+	ctx    context.Context
+	cancel context.CancelFunc
+	wg     sync.WaitGroup
+
+	DaemonCmd = &cobra.Command{
+		Use:   "daemon",
+		Short: "Daemon management",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cmd.Help()
+		},
+	}
+)
+
+func init() {
+	DaemonCmd.AddCommand(&cobra.Command{
+		Use:   "stop",
+		Short: "stop the daemon",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return stopDaemonCmd()
+		},
+	})
+
+	DaemonCmd.AddCommand(&cobra.Command{
+		Use:   "reload",
+		Short: "reload daemon configs",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return reloadDaemonCmd()
+		},
+	})
+
+	DaemonCmd.AddCommand(&cobra.Command{
+		Use:   "tick",
+		Short: "Manually triggers daemon tick",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return tickDaemonCmd()
+		},
+	})
+
+	DaemonCmd.AddCommand(&cobra.Command{
+		Use:   "status",
+		Short: "Show daemon status",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return daemonStatusCmd()
+		},
+	})
+}
+
+func RunDaemonCmd(daemon Daemon) error {
+	err := common.CreateOrUpdatePIDFile("/var/run/certman.pid")
+	if err != nil {
+		if errors.Is(err, common.ErrorPIDInUse) {
+			return fmt.Errorf("daemon process is already running")
+		}
+		return fmt.Errorf("error creating pidfile: %v", err)
+	}
+
+	ctx, cancel = context.WithCancel(context.Background())
+
+	// Check if main config exists
+	if _, err := os.Stat("/etc/certman/certman.conf"); os.IsNotExist(err) {
+		return fmt.Errorf("main config file not found, please run 'certman --install', then properly configure /etc/certman/certman.conf")
+	} else if err != nil {
+		return fmt.Errorf("error opening /etc/certman/certman.conf: %v", err)
+	}
+	err = LoadConfig()
+	if err != nil {
+		return fmt.Errorf("error loading configuration: %v", err)
+	}
+	localConfig := Config()
+
+	// Setup SIGINT and SIGTERM listeners
+	sigChannel := make(chan os.Signal, 1)
+	signal.Notify(sigChannel, syscall.SIGINT, syscall.SIGTERM)
+	defer signal.Stop(sigChannel)
+
+	reloadSigChan := make(chan os.Signal, 1)
+	signal.Notify(reloadSigChan, syscall.SIGHUP)
+	defer signal.Stop(reloadSigChan)
+
+	tickSigChan := make(chan os.Signal, 1)
+	signal.Notify(tickSigChan, syscall.SIGUSR1)
+	defer signal.Stop(tickSigChan)
+
+	tickRate := localConfig.App.TickRate
+	ticker := time.NewTicker(time.Duration(tickRate) * time.Hour)
+	defer ticker.Stop()
+
+	wg.Add(1)
+	go func() {
+		daemon.Init()
+		defer wg.Done()
+		for {
+			select {
+			case <-ctx.Done():
+				daemon.Stop()
+				return
+			case <-reloadSigChan:
+				daemon.Reload()
+			case <-ticker.C:
+				daemon.Tick()
+			case <-tickSigChan:
+				daemon.Tick()
+			}
+		}
+	}()
+
+	// Cleanup on stop
+	sig := <-sigChannel
+	fmt.Printf("Program terminated with %v\n", sig.String())
+
+	stop()
+	wg.Wait()
+	return nil
+}
+
+func stop() {
+	cancel()
+	common.ClearPIDFile()
+}
+
+func stopDaemonCmd() error {
+	proc, err := common.DaemonProcess()
+	if err != nil {
+		return fmt.Errorf("error getting daemon process: %v", err)
+	}
+
+	err = proc.Signal(syscall.SIGTERM)
+	if err != nil {
+		return fmt.Errorf("error sending SIGTERM to daemon PID: %v", err)
+	}
+	return nil
+}
+
+func reloadDaemonCmd() error {
+	proc, err := common.DaemonProcess()
+	if err != nil {
+		return fmt.Errorf("error getting daemon process: %v", err)
+	}
+
+	err = proc.Signal(syscall.SIGHUP)
+	if err != nil {
+		return fmt.Errorf("error sending SIGHUP to daemon PID: %v", err)
+	}
+	return nil
+}
+
+func tickDaemonCmd() error {
+	proc, err := common.DaemonProcess()
+	if err != nil {
+		return fmt.Errorf("error getting daemon process: %v", err)
+	}
+
+	err = proc.Signal(syscall.SIGUSR1)
+	if err != nil {
+		return fmt.Errorf("error sending SIGUSR1 to daemon PID: %v", err)
+	}
+	return nil
+}
+
+func daemonStatusCmd() error {
+	fmt.Println("Not implemented :/")
+	return nil
+}

app/shared/install.go

@@ -0,0 +1 @@
+package shared

app/shared/util.go

@@ -0,0 +1,72 @@
+package shared
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"git.nevets.tech/Keys/certman/common"
+	"github.com/spf13/cobra"
+)
+
+func createFile(fileName string, filePermission os.FileMode, data []byte) {
+	fileInfo, err := os.Stat(fileName)
+	if err != nil {
+		if os.IsNotExist(err) {
+			file, err := os.Create(fileName)
+			if err != nil {
+				fmt.Println("Error creating configuration file: ", err)
+				os.Exit(1)
+			}
+			defer file.Close()
+
+			_, err = file.Write(data)
+			if err != nil {
+				fmt.Println("Error writing to file: ", err)
+				os.Exit(1)
+			}
+			err = file.Chmod(filePermission)
+			if err != nil {
+				fmt.Println("Error changing file permission: ", err)
+			}
+		} else {
+			fmt.Println("Error opening configuration file: ", err)
+			os.Exit(1)
+		}
+	} else {
+		if fileInfo.Size() == 0 {
+			file, err := os.Create(fileName)
+			if err != nil {
+				fmt.Println("Error creating configuration file: ", err)
+				os.Exit(1)
+			}
+			defer file.Close()
+
+			_, err = file.Write(data)
+			if err != nil {
+				fmt.Println("Error writing to file:", err)
+				os.Exit(1)
+			}
+		}
+	}
+}
+
+// DomainCertsDirWConf Can return ErrBlankConfigEntry or other errors
+func DomainCertsDirWConf(domain string, domainConfig *common.DomainConfig) string {
+	var effectiveDataRoot string
+	if domainConfig.Certificates.DataRoot == "" {
+		effectiveDataRoot = config.Certificates.DataRoot
+	} else {
+		effectiveDataRoot = domainConfig.Certificates.DataRoot
+	}
+
+	return filepath.Join(effectiveDataRoot, "certificates", domain)
+}
+
+func basicCmd(use, short string, commandFunc func(cmd *cobra.Command, args []string)) *cobra.Command {
+	return &cobra.Command{
+		Use:   use,
+		Short: short,
+		Run:   commandFunc,
+	}
+}