[CI-SKIP] Upload current

common/util.go

@@ -11,8 +11,6 @@ import (
 	"strconv"
 	"strings"
 	"syscall"
-
-	"code.gitea.io/sdk/gitea"
 )
 
 var (
@@ -21,13 +19,6 @@ var (
 	ErrBlankCert  = errors.New("cert is blank")
 )
 
-type Domain struct {
-	name        *string
-	config      *AppConfig
-	description *string
-	gtClient    *gitea.Client
-}
-
 // 0x01
 func createPIDFile() {
 	file, err := os.Create("/var/run/certman.pid")
@@ -293,6 +284,22 @@ func MakeCredential(username, groupname string) (*syscall.Credential, error) {
 	return &syscall.Credential{Uid: uid, Gid: gid}, nil
 }
 
+// CertsDir returns the on-disk directory where a domain's encrypted and
+// decrypted certificate files live, along with the client's sync-state
+// `hash` marker. A per-domain data_root override (domainConfig.Certificates.DataRoot)
+// is used as-is; otherwise the path is <config.data_root>/certificates/<domain>.
+// This is the single source of truth for that convention — callers should
+// not assemble the path themselves.
+func CertsDir(config *AppConfig, domainConfig *DomainConfig, domain string) string {
+	if domainConfig != nil && domainConfig.Certificates.DataRoot != "" {
+		return domainConfig.Certificates.DataRoot
+	}
+	if config == nil {
+		return filepath.Join("certificates", domain)
+	}
+	return filepath.Join(config.Certificates.DataRoot, "certificates", domain)
+}
+
 func EffectiveDataRoot(config *AppConfig, domainConfig *DomainConfig) string {
 	if config == nil {
 		return ""