[CI-SKIP] Upload current

2026-04-24 10:37:46 -04:00
parent 6aacbfbb71
commit fb1abd6211
12 changed files with 519 additions and 579 deletions
--- a/app/server/daemon.go
+++ b/app/server/daemon.go
@@ -12,8 +12,6 @@ import (
 	appShared "git.nevets.tech/Steven/certman/app"
 	"git.nevets.tech/Steven/certman/common"
 	"git.nevets.tech/Steven/certman/server"
-	"github.com/go-git/go-billy/v5/memfs"
-	"github.com/go-git/go-git/v5/storage/memory"
 )

 type Daemon struct {
@@ -69,91 +67,92 @@ func (d *Daemon) Tick() {
 		renewPeriod := domainConfig.Certificates.RenewPeriod
 		lastIssued := time.Unix(domainConfig.Internal.LastIssued, 0).UTC()
 		renewalDue := lastIssued.AddDate(0, 0, renewPeriod)
-		if now.After(renewalDue) {
-			//TODO extra check if certificate expiry (create cache?)
-			_, err := d.ACMEManager.RenewForDomain(domainStr)
-			if err != nil {
-				if errors.Is(err, os.ErrNotExist) {
-					// if no existing cert, obtain instead
-					_, err = d.ACMEManager.ObtainForDomain(domainStr, appShared.Config(), domainConfig)
-					if err != nil {
-						fmt.Printf("Error obtaining domain certificates for domain %s: %v\n", domainStr, err)
-						continue
-					}
-				}
-				fmt.Printf("Error: %v\n", err)
-				continue
-			}
+		if !now.After(renewalDue) {
+			continue
+		}

-			domainConfig.Internal.LastIssued = time.Now().UTC().Unix()
-			err = appShared.WriteDomainConfig(domainConfig)
-			if err != nil {
-				fmt.Printf("Error saving domain config %s: %v\n", domainStr, err)
-				continue
-			}
-
-			err = common.EncryptFileXChaCha(domainConfig.Certificates.CryptoKey, filepath.Join(d.ACMEManager.CertsRoot, domainStr, domainStr+".crt"), filepath.Join(d.ACMEManager.CertsRoot, domainStr, domainStr+".crt.crpt"), nil)
-			if err != nil {
-				fmt.Printf("Error encrypting domain cert for domain %s: %v\n", domainStr, err)
-				continue
-			}
-			err = common.EncryptFileXChaCha(domainConfig.Certificates.CryptoKey, filepath.Join(d.ACMEManager.CertsRoot, domainStr, domainStr+".key"), filepath.Join(d.ACMEManager.CertsRoot, domainStr, domainStr+".key.crpt"), nil)
-			if err != nil {
-				fmt.Printf("Error encrypting domain key for domain %s: %v\n", domainStr, err)
-				continue
-			}
-
-			giteaClient := common.CreateGiteaClient(config)
-			if giteaClient == nil {
-				fmt.Printf("Error creating gitea client for domain %s: %v\n", domainStr, err)
-				continue
-			}
-			gitWorkspace := &common.GitWorkspace{
-				Storage: memory.NewStorage(),
-				FS:      memfs.New(),
-			}
-
-			var repoUrl string
-			if !domainConfig.Internal.RepoExists {
-				repoUrl = common.CreateGiteaRepo(domainStr, giteaClient, config, domainConfig)
-				if repoUrl == "" {
-					fmt.Printf("Error creating Gitea repo for domain %s\n", domainStr)
-					continue
-				}
-				domainConfig.Internal.RepoExists = true
-				err = appShared.WriteDomainConfig(domainConfig)
-				if err != nil {
-					fmt.Printf("Error saving domain config %s: %v\n", domainStr, err)
-					continue
-				}
-
-				err = common.InitRepo(repoUrl, gitWorkspace)
-				if err != nil {
-					fmt.Printf("Error initializing repo for domain %s: %v\n", domainStr, err)
+		//TODO extra check if certificate expiry (create cache?)
+		if _, err := d.ACMEManager.RenewForDomain(domainStr); err != nil {
+			if errors.Is(err, os.ErrNotExist) {
+				if _, err := d.ACMEManager.ObtainForDomain(domainStr, config, domainConfig); err != nil {
+					fmt.Printf("Error obtaining domain certificates for domain %s: %v\n", domainStr, err)
 					continue
 				}
 			} else {
-				repoUrl = appShared.Config().Git.Server + "/" + appShared.Config().Git.OrgName + "/" + domainStr + domainConfig.Repo.RepoSuffix + ".git"
-				err = common.CloneRepo(repoUrl, gitWorkspace, common.Server, config)
-				if err != nil {
-					fmt.Printf("Error cloning repo for domain %s: %v\n", domainStr, err)
-					continue
-				}
-			}
-
-			err = common.AddAndPushCerts(domainStr, gitWorkspace, config, domainConfig)
-			if err != nil {
-				fmt.Printf("Error pushing certificates for domain %s: %v\n", domainStr, err)
+				fmt.Printf("Error: %v\n", err)
 				continue
 			}
-			fmt.Printf("Successfully pushed certificates for domain %s\n", domainStr)
 		}
+
+		domainConfig.Internal.LastIssued = time.Now().UTC().Unix()
+		if err := appShared.WriteDomainConfig(domainConfig); err != nil {
+			fmt.Printf("Error saving domain config %s: %v\n", domainStr, err)
+			continue
+		}
+
+		certsDir := filepath.Join(d.ACMEManager.CertsRoot, domainStr)
+		if err := common.EncryptFileXChaCha(domainConfig.Certificates.CryptoKey, filepath.Join(certsDir, domainStr+".crt"), filepath.Join(certsDir, domainStr+".crt.crpt"), nil); err != nil {
+			fmt.Printf("Error encrypting domain cert for domain %s: %v\n", domainStr, err)
+			continue
+		}
+		if err := common.EncryptFileXChaCha(domainConfig.Certificates.CryptoKey, filepath.Join(certsDir, domainStr+".key"), filepath.Join(certsDir, domainStr+".key.crpt"), nil); err != nil {
+			fmt.Printf("Error encrypting domain key for domain %s: %v\n", domainStr, err)
+			continue
+		}
+
+		ws, err := prepareServerWorkspace(config, domainConfig, domainStr)
+		if err != nil {
+			fmt.Printf("Error preparing git workspace for domain %s: %v\n", domainStr, err)
+			continue
+		}
+
+		if err := server.AddAndPushCerts(ws, certsDir, config); err != nil {
+			fmt.Printf("Error pushing certificates for domain %s: %v\n", domainStr, err)
+			continue
+		}
+		fmt.Printf("Successfully pushed certificates for domain %s\n", domainStr)
 	}
 	if err := appShared.SaveDomainConfigs(); err != nil {
 		fmt.Printf("Error saving domain configs: %v\n", err)
 	}
 }

+// prepareServerWorkspace creates or clones the domain's remote repo into a
+// fresh in-memory workspace. If the repo is being cloned, it verifies that
+// SERVER_ID matches this server's UUID (or is absent, in which case the
+// domain is adopted on the next push).
+func prepareServerWorkspace(config *common.AppConfig, domainConfig *common.DomainConfig, domain string) (*common.GitWorkspace, error) {
+	if !domainConfig.Internal.RepoExists {
+		url, err := server.CreateRepo(config, domainConfig, domain)
+		if err != nil {
+			return nil, fmt.Errorf("create remote repo: %w", err)
+		}
+		domainConfig.Internal.RepoExists = true
+		if err := appShared.WriteDomainConfig(domainConfig); err != nil {
+			return nil, fmt.Errorf("save domain config: %w", err)
+		}
+		ws := common.NewGitWorkspace(domain, url)
+		if err := common.InitRepo(ws); err != nil {
+			return nil, fmt.Errorf("init workspace: %w", err)
+		}
+		return ws, nil
+	}
+
+	url := common.RepoURL(config, domainConfig, domain)
+	ws := common.NewGitWorkspace(domain, url)
+	if err := common.CloneRepo(ws, config); err != nil {
+		return nil, fmt.Errorf("clone: %w", err)
+	}
+	owned, err := server.VerifyOwnership(ws, config.App.UUID)
+	if err != nil {
+		return nil, err
+	}
+	if !owned {
+		fmt.Printf("Adopting unclaimed repo for domain %s\n", domain)
+	}
+	return ws, nil
+}
+
 func (d *Daemon) Reload() {
 	fmt.Println("Reloading configs...")
 	err := appShared.LoadDomainConfigs()