Steven/certman
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity

Compare commits

base: Steven:v1.0.0
Branches Tags
Steven:master
Steven:v1.1.2-beta Steven:v1.1.1-beta Steven:v1.1.0-beta Steven:v1.0.2-beta Steven:v1.0.1-beta Steven:v1.0.0
...
compare: Steven:v1.0.1-beta
Branches Tags
Steven:master
Steven:v1.1.2-beta Steven:v1.1.1-beta Steven:v1.1.0-beta Steven:v1.0.2-beta Steven:v1.0.1-beta Steven:v1.0.0

2 Commits
v1.0.0 ... v1.0.1-bet

Author SHA1 Message Date
Steven Tracey
45495f4b47 Major refactoring 2026-03-04 18:28:52 +01:00
Steven Tracey
2cbab1a0a2 Major refactoring, updated config structure 2026-02-28 00:59:11 +01:00
32 changed files with 1756 additions and 763 deletions
Expand all files Collapse all files

15
Makefile
View File

@@ -1,12 +1,19 @@
VERSION := 1.0.0
VERSION := 1.0.1-beta
BUILD := $(shell git rev-parse --short HEAD)
GO := go
BUILD_FLAGS := -buildmode=pie -trimpath
LDFLAGS := -linkmode=external -extldflags="-Wl,-z,relro,-z,now"
LDFLAGS := -linkmode=external -extldflags="-Wl,-z,relro,-z,now" -X git.nevets.tech/Keys/CertManager/internal.Version=$(VERSION) -X git.nevets.tech/Keys/CertManager/internal.Build=$(BUILD)
build:
$(GO) build $(BUILD_FLAGS) -ldflags='$(LDFLAGS)' -o ./certman .
.PHONY: proto build stage
proto:
@protoc --go_out=./proto --go-grpc_out=./proto proto/hook.proto
@protoc --go_out=./proto --go-grpc_out=./proto proto/symlink.proto
build: proto
$(GO) build $(BUILD_FLAGS) -ldflags="$(LDFLAGS)" -o ./certman .
@cp ./certman ./certman-$(VERSION)-amd64
stage: build

15
certman-exec.service Normal file
View File

@@ -0,0 +1,15 @@
[Unit]
Description=CertMan Executor daemon
Requires=certman.socket
After=network.target
[Service]
ExecStart=/usr/local/bin/certman executor
User=root
Group=root
KillSignal=SIGTERM
TimeoutStopSec=30
[Install]
WantedBy=multi-user.target

12
certman.socket Normal file
View File

@@ -0,0 +1,12 @@
[Unit]
Description=certman hook daemon socket
[Socket]
ListenStream=/run/certman.sock
SocketUser=root
SocketGroup=certsock
SocketMode=0660
RemoveOnStop=true
[Install]
WantedBy=sockets.target

44
client.go → client/client.go
View File

@@ -1,4 +1,4 @@
package main
package client
import (
"fmt"
@@ -7,24 +7,26 @@ import (
"path/filepath"
"strings"
"git.nevets.tech/Keys/CertManager/internal"
"github.com/go-git/go-billy/v5/memfs"
"github.com/go-git/go-git/v5/storage/memory"
)
func initClient() {
err := LoadDomainConfigs()
func Init() {
err := internal.LoadDomainConfigs()
if err != nil {
log.Fatalf("Error loading domain configs: %v", err)
}
clientTick()
Tick()
}
func clientTick() {
func Tick() {
fmt.Println("Tick!")
// Get local copy of domain configs
localDomainConfigs := domainStore.Snapshot()
// Get local copy of configs
config := internal.Config()
localDomainConfigs := internal.DomainStore().Snapshot()
// Loop over all domain configs (domains)
for domainStr, domainConfig := range localDomainConfigs {
@@ -37,16 +39,16 @@ func clientTick() {
// If the repo doesn't exist, we can't check for a remote commit, so stop the rest of the check
repoExists := domainConfig.GetBool("Internal.repo_exists")
if repoExists {
localHash, err := getLocalCommitHash(domainStr)
localHash, err := internal.LocalCommitHash(domainStr)
if err != nil {
fmt.Printf("No local commit hash found for domain %s\n", domainStr)
}
gitSource, err := strToGitSource(config.GetString("Git.host"))
gitSource, err := internal.StrToGitSource(internal.Config().GetString("Git.host"))
if err != nil {
fmt.Printf("Error getting git source for domain %s: %v\n", domainStr, err)
continue
}
remoteHash, err := getRemoteCommitHash(domainStr, gitSource)
remoteHash, err := internal.RemoteCommitHash(domainStr, gitSource)
if err != nil {
fmt.Printf("Error getting remote commit hash for domain %s: %v\n", domainStr, err)
}
@@ -58,20 +60,20 @@ func clientTick() {
}
}
gitWorkspace := &GitWorkspace{
gitWorkspace := &internal.GitWorkspace{
Storage: memory.NewStorage(),
FS: memfs.New(),
}
// Ex: https://git.example.com/Org/Repo-suffix.git
// Clones repo and stores in gitWorkspace, skip if clone fails (doesn't exist?)
repoUrl := config.GetString("Git.server") + "/" + config.GetString("Git.org_name") + "/" + domainStr + domainConfig.GetString("Repo.repo_suffix") + ".git"
err := cloneRepo(repoUrl, gitWorkspace)
repoUrl := internal.Config().GetString("Git.server") + "/" + config.GetString("Git.org_name") + "/" + domainStr + domainConfig.GetString("Repo.repo_suffix") + ".git"
err := internal.CloneRepo(repoUrl, gitWorkspace, internal.Client)
if err != nil {
fmt.Printf("Error cloning domain repo %s: %v\n", domainStr, err)
continue
}
certsDir, err := getDomainCertsDirWConf(domainStr, domainConfig)
certsDir, err := internal.DomainCertsDirWConf(domainStr, domainConfig)
if err != nil {
fmt.Printf("Error getting certificates dir for domain %s: %v\n", domainStr, err)
continue
@@ -104,7 +106,7 @@ func clientTick() {
continue
}
err = DecryptFileFromBytes(domainConfig.GetString("Certificates.crypto_key"), fileBytes, filepath.Join(certsDir, filename), nil)
err = internal.DecryptFileFromBytes(domainConfig.GetString("Certificates.crypto_key"), fileBytes, filepath.Join(certsDir, filename), nil)
if err != nil {
fmt.Printf("Error decrypting file %s in domain %s: %v\n", filename, domainStr, err)
continue
@@ -116,7 +118,7 @@ func clientTick() {
continue
}
err = writeCommitHash(headRef.Hash().String(), domainConfig)
err = internal.WriteCommitHash(headRef.Hash().String(), domainConfig)
if err != nil {
fmt.Printf("Error writing commit hash: %v\n", err)
continue
@@ -124,7 +126,7 @@ func clientTick() {
certLinks := domainConfig.GetStringSlice("Certificates.cert_symlinks")
for _, certLink := range certLinks {
err = linkFile(filepath.Join(certsDir, domainStr+".crt"), certLink, domainStr, ".crt")
err = internal.LinkFile(filepath.Join(certsDir, domainStr+".crt"), certLink, domainStr, ".crt")
if err != nil {
fmt.Printf("Error linking cert %s to %s: %v\n", certLink, domainStr, err)
continue
@@ -133,7 +135,7 @@ func clientTick() {
keyLinks := domainConfig.GetStringSlice("Certificates.key_symlinks")
for _, keyLink := range keyLinks {
err = linkFile(filepath.Join(certsDir, domainStr+".crt"), keyLink, domainStr, ".key")
err = internal.LinkFile(filepath.Join(certsDir, domainStr+".key"), keyLink, domainStr, ".key")
if err != nil {
fmt.Printf("Error linking cert %s to %s: %v\n", keyLink, domainStr, err)
continue
@@ -144,16 +146,16 @@ func clientTick() {
}
}
func reloadClient() {
func Reload() {
fmt.Println("Reloading configs...")
err := LoadDomainConfigs()
err := internal.LoadDomainConfigs()
if err != nil {
fmt.Printf("Error loading domain configs: %v\n", err)
return
}
}
func stopClient() {
func Stop() {
fmt.Println("Shutting down client")
}

57
client/grpc.go Normal file
View File

@@ -0,0 +1,57 @@
package client
import (
"context"
"flag"
"fmt"
"log"
"time"
"git.nevets.tech/Keys/CertManager/internal"
pb "git.nevets.tech/Keys/CertManager/proto/v1"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials/insecure"
)
var (
tls = flag.Bool("tls", false, "Connection uses TLS if true, else plain TCP")
caFile = flag.String("ca_file", "", "The file containing the CA root cert file")
serverAddr = flag.String("addr", "localhost:50051", "The server address in the format of host:port")
serverHostOverride = flag.String("server_host_override", "x.test.example.com", "The server name used to verify the hostname returned by the TLS handshake")
)
func SendHook(domain string) {
conn, err := grpc.NewClient(
"unix:///run/certman.sock",
grpc.WithTransportCredentials(insecure.NewCredentials()),
)
if err != nil {
log.Fatalf("fail to dial: %v", err)
}
defer conn.Close()
client := pb.NewHookServiceClient(conn)
hooks, err := internal.PostPullHooks(domain)
if err != nil {
fmt.Printf("Error getting hooks: %v\n", err)
return
}
for _, hook := range hooks {
sendHook(client, hook)
}
}
func sendHook(client pb.HookServiceClient, hook *pb.Hook) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
res, err := client.ExecuteHook(ctx, &pb.ExecuteHookRequest{Hook: hook})
if err != nil {
fmt.Printf("Error executing hook: %v\n", err)
return
}
if res.GetError() != "" {
fmt.Printf("Error executing hook: %s\n", res.GetError())
}
}

494
commands.go
View File

@@ -1,494 +0,0 @@
package main
import (
"context"
"errors"
"fmt"
"io"
"log"
"os"
"os/exec"
"os/signal"
"os/user"
"path/filepath"
"strconv"
"strings"
"syscall"
"time"
"github.com/go-git/go-billy/v5/memfs"
"github.com/go-git/go-git/v5/storage/memory"
"github.com/spf13/cobra"
)
func devFunc(cmd *cobra.Command, args []string) {
testDomain := "lunamc.org"
//config, err = ezconf.LoadConfiguration("/etc/certman/certman.conf")
err := LoadConfig("/etc/certman/certman.conf")
if err != nil {
log.Fatalf("Error loading configuration: %v\n", err)
}
err = LoadDomainConfigs()
if err != nil {
log.Fatalf("Error loading configs: %v\n", err)
}
fmt.Println(testDomain)
}
func versionResponse(cmd *cobra.Command, args []string) {
fmt.Println("CertManager (certman) - Steven Tracey\nVersion: " + version + " build-" + build)
}
func newKey(cmd *cobra.Command, args []string) {
key, err := GenerateKey()
if err != nil {
log.Fatalf("%v", err)
}
fmt.Printf(key)
}
func newDomain(domain, domainDir string, dirOverridden bool) error {
//TODO add config option for "overriden dir"
fmt.Printf("Creating new domain %s\n", domain)
err := createNewDomainConfig(domain)
if err != nil {
return err
}
createNewDomainCertsDir(domain, domainDir, dirOverridden)
certmanUser, err := user.Lookup("certman")
if err != nil {
return fmt.Errorf("error getting user certman: %v", err)
}
uid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Uid))
if err != nil {
return err
}
gid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Gid))
if err != nil {
return err
}
err = ChownRecursive("/etc/certman/domains", uid, gid)
if err != nil {
return err
}
err = ChownRecursive("/var/local/certman", uid, gid)
if err != nil {
return err
}
fmt.Println("Successfully created domain entry for " + domain + "\nUpdate config file as needed in /etc/certman/domains/" + domain + ".conf\n")
return nil
}
func install(isThin bool, mode string) error {
if !isThin {
if os.Geteuid() != 0 {
return fmt.Errorf("installation must be run as root")
}
makeDirs()
createNewConfig(mode)
f, err := os.OpenFile("/var/run/certman.pid", os.O_RDONLY|os.O_CREATE, 0755)
if err != nil {
return fmt.Errorf("error creating pid file: %v", err)
}
err = f.Close()
if err != nil {
return fmt.Errorf("error closing pid file: %v", err)
}
newUserCmd := exec.Command("useradd", "-d", "/var/local/certman", "-U", "-r", "-s", "/sbin/nologin", "certman")
if output, err := newUserCmd.CombinedOutput(); err != nil {
return fmt.Errorf("error creating user: %v: output %s", err, output)
}
certmanUser, err := user.Lookup("certman")
if err != nil {
return fmt.Errorf("error getting user certman: %v", err)
}
uid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Uid))
if err != nil {
return err
}
gid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Gid))
if err != nil {
return err
}
err = ChownRecursive("/etc/certman", uid, gid)
if err != nil {
return fmt.Errorf("error changing uid/gid: %v", err)
}
err = ChownRecursive("/var/local/certman", uid, gid)
if err != nil {
return fmt.Errorf("error changing uid/gid: %v", err)
}
err = os.Chown("/var/run/certman.pid", uid, gid)
if err != nil {
return fmt.Errorf("error changing uid/gid: %v", err)
}
} else {
createNewConfig(mode)
}
return nil
}
func renewCertFunc(domain string, noPush bool) error {
err := LoadConfig("/etc/certman/certman.conf")
if err != nil {
return err
}
err = LoadDomainConfigs()
if err != nil {
return err
}
switch config.GetString("App.mode") {
case "server":
mgr, err = NewACMEManager()
if err != nil {
return err
}
err = renewCerts(domain, noPush)
if err != nil {
return err
}
return reloadDaemon()
case "client":
return pullCerts(domain)
default:
return fmt.Errorf("invalid operating mode %s", config.GetString("App.mode"))
}
}
func renewCerts(domain string, noPush bool) error {
_, err := mgr.RenewForDomain(domain)
if err != nil {
// if no existing cert, obtain instead
_, err = mgr.ObtainForDomain(domain)
if err != nil {
return fmt.Errorf("error obtaining domain certificates for domain %s: %v", domain, err)
}
}
domainConfig, exists := domainStore.Get(domain)
if !exists {
return fmt.Errorf("domain %s does not exist", domain)
}
domainConfig.Set("Internal.last_issued", time.Now().UTC().Unix())
err = WriteDomainConfig(domainConfig)
if err != nil {
return fmt.Errorf("error saving domain config %s: %v", domain, err)
}
err = EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.certsRoot, domain, domain+".crt"), filepath.Join(mgr.certsRoot, domain, domain+".crt.crpt"), nil)
if err != nil {
return fmt.Errorf("error encrypting domain cert for domain %s: %v", domain, err)
}
err = EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.certsRoot, domain, domain+".key"), filepath.Join(mgr.certsRoot, domain, domain+".key.crpt"), nil)
if err != nil {
return fmt.Errorf("error encrypting domain key for domain %s: %v", domain, err)
}
if !noPush {
giteaClient := createGiteaClient()
if giteaClient == nil {
return fmt.Errorf("error creating gitea client for domain %s: %v", domain, err)
}
gitWorkspace := &GitWorkspace{
Storage: memory.NewStorage(),
FS: memfs.New(),
}
var repoUrl string
if !domainConfig.GetBool("Internal.repo_exists") {
repoUrl = createGiteaRepo(domain, giteaClient)
if repoUrl == "" {
return fmt.Errorf("error creating Gitea repo for domain %s", domain)
}
domainConfig.Set("Internal.repo_exists", true)
err = WriteDomainConfig(domainConfig)
if err != nil {
return fmt.Errorf("error saving domain config %s: %v", domain, err)
}
err = initRepo(repoUrl, gitWorkspace)
if err != nil {
return fmt.Errorf("error initializing repo for domain %s: %v", domain, err)
}
} else {
repoUrl = config.GetString("Git.server") + "/" + config.GetString("Git.org_name") + "/" + domain + domainConfig.GetString("Repo.repo_suffix") + ".git"
err = cloneRepo(repoUrl, gitWorkspace)
if err != nil {
return fmt.Errorf("error cloning repo for domain %s: %v", domain, err)
}
}
err = addAndPushCerts(domain, gitWorkspace)
if err != nil {
return fmt.Errorf("error pushing certificates for domain %s: %v", domain, err)
}
fmt.Printf("Successfully pushed certificates for domain %s\n", domain)
}
return nil
}
func pullCerts(domain string) error {
gitWorkspace := &GitWorkspace{
Storage: memory.NewStorage(),
FS: memfs.New(),
}
domainConfig, exists := domainStore.Get(domain)
if !exists {
return fmt.Errorf("domain %s does not exist", domain)
}
// Ex: https://git.example.com/Org/Repo-suffix.git
// Clones repo and stores in gitWorkspace, skip if clone fails (doesn't exist?)
repoUrl := config.GetString("Git.server") + "/" + config.GetString("Git.org_name") + "/" + domain + domainConfig.GetString("Repo.repo_suffix") + ".git"
err := cloneRepo(repoUrl, gitWorkspace)
if err != nil {
return fmt.Errorf("Error cloning domain repo %s: %v\n", domain, err)
}
certsDir, err := getDomainCertsDirWConf(domain, domainConfig)
if err != nil {
return fmt.Errorf("Error getting certificates dir for domain %s: %v\n", domain, err)
}
// Get files in repo
fileInfos, err := gitWorkspace.FS.ReadDir("/")
if err != nil {
return fmt.Errorf("Error reading directory in memFS on domain %s: %v\n", domain, err)
}
// Iterate over files, filtering by .crpt (encrypted) files in case other files were accidentally added
for _, fileInfo := range fileInfos {
if strings.HasSuffix(fileInfo.Name(), ".crpt") {
filename, _ := strings.CutSuffix(fileInfo.Name(), ".crpt")
file, err := gitWorkspace.FS.Open(fileInfo.Name())
if err != nil {
fmt.Printf("Error opening file in memFS on domain %s: %v\n", domain, err)
continue
}
fileBytes, err := io.ReadAll(file)
if err != nil {
fmt.Printf("Error reading file in memFS on domain %s: %v\n", domain, err)
file.Close()
continue
}
err = file.Close()
if err != nil {
fmt.Printf("Error closing file on domain %s: %v\n", domain, err)
continue
}
err = DecryptFileFromBytes(domainConfig.GetString("Certificates.crypto_key"), fileBytes, filepath.Join(certsDir, filename), nil)
if err != nil {
fmt.Printf("Error decrypting file %s in domain %s: %v\n", filename, domain, err)
continue
}
headRef, err := gitWorkspace.Repo.Head()
if err != nil {
fmt.Printf("Error getting head reference for domain %s: %v\n", domain, err)
continue
}
err = writeCommitHash(headRef.Hash().String(), domainConfig)
if err != nil {
fmt.Printf("Error writing commit hash: %v\n", err)
continue
}
certLinks := domainConfig.GetStringSlice("Certificates.cert_symlinks")
for _, certLink := range certLinks {
if certLink == "" {
continue
}
linkInfo, err := os.Stat(certLink)
if err != nil {
if !os.IsNotExist(err) {
fmt.Printf("Error stating cert link %s: %v\n", certLink, err)
continue
}
}
if linkInfo.IsDir() {
certLink = filepath.Join(certLink, domain+".crt")
}
err = os.Link(filepath.Join(certsDir, domain+".crt"), certLink)
if err != nil {
fmt.Printf("Error linking cert %s to %s: %v\n", certLink, domain, err)
continue
}
}
keyLinks := domainConfig.GetStringSlice("Certificates.key_symlinks")
for _, keyLink := range keyLinks {
if keyLink == "" {
continue
}
linkInfo, err := os.Stat(keyLink)
if err != nil {
if !os.IsNotExist(err) {
fmt.Printf("Error stating key link %s: %v\n", keyLink, err)
continue
}
}
if linkInfo.IsDir() {
keyLink = filepath.Join(keyLink, domain+".crt")
}
err = os.Link(filepath.Join(certsDir, domain+".crt"), keyLink)
if err != nil {
fmt.Printf("Error linking cert %s to %s: %v\n", keyLink, domain, err)
continue
}
}
}
}
return nil
}
func runDaemon() error {
err := createOrUpdatePIDFile("/var/run/certman.pid")
if err != nil {
if errors.Is(err, ErrorPIDInUse) {
return fmt.Errorf("daemon process is already running")
}
return fmt.Errorf("error creating pidfile: %v", err)
}
ctx, cancel = context.WithCancel(context.Background())
// Check if main config exists
if _, err := os.Stat(configFile); os.IsNotExist(err) {
return fmt.Errorf("main config file not found, please run 'certman --install', then properly configure /etc/certman/certman.conf")
} else if err != nil {
return fmt.Errorf("error opening %s: %v", configFile, err)
}
err = LoadConfig(configFile)
if err != nil {
return fmt.Errorf("error loading configuration: %v", err)
}
// Setup SIGINT and SIGTERM listeners
sigChannel := make(chan os.Signal, 1)
signal.Notify(sigChannel, syscall.SIGINT, syscall.SIGTERM)
defer signal.Stop(sigChannel)
reloadSigChan := make(chan os.Signal, 1)
signal.Notify(reloadSigChan, syscall.SIGHUP)
defer signal.Stop(reloadSigChan)
tickSigChan := make(chan os.Signal, 1)
signal.Notify(tickSigChan, syscall.SIGUSR1)
defer signal.Stop(tickSigChan)
tickRate := config.GetInt("App.tick_rate")
ticker := time.NewTicker(time.Duration(tickRate) * time.Hour)
defer ticker.Stop()
wg.Add(1)
if config.GetString("App.mode") == "server" {
fmt.Println("Starting CertManager in server mode...")
// Server Task loop
go func() {
initServer()
defer wg.Done()
for {
select {
case <-ctx.Done():
stopServer()
return
case <-reloadSigChan:
reloadServer()
case <-ticker.C:
serverTick()
case <-tickSigChan:
serverTick()
}
}
}()
} else if config.GetString("App.mode") == "client" {
fmt.Println("Starting CertManager in client mode...")
// Client Task loop
go func() {
initClient()
defer wg.Done()
for {
select {
case <-ctx.Done():
stopClient()
return
case <-reloadSigChan:
reloadClient()
case <-ticker.C:
clientTick()
}
}
}()
} else {
return fmt.Errorf("invalid operating mode \"" + config.GetString("App.mode") + "\"")
}
// Cleanup on stop
sig := <-sigChannel
fmt.Printf("Program terminated with %v\n", sig.String())
stop()
wg.Wait()
return nil
}
func stop() {
cancel()
clearPIDFile()
}
func stopDaemon() error {
proc, err := getDaemonProcess()
if err != nil {
return fmt.Errorf("error getting daemon process: %v", err)
}
err = proc.Signal(syscall.SIGTERM)
if err != nil {
return fmt.Errorf("error sending SIGTERM to daemon PID: %v", err)
}
return nil
}
func reloadDaemon() error {
proc, err := getDaemonProcess()
if err != nil {
return fmt.Errorf("error getting daemon process: %v", err)
}
err = proc.Signal(syscall.SIGHUP)
if err != nil {
return fmt.Errorf("error sending SIGHUP to daemon PID: %v", err)
}
return nil
}
func tickDaemon() error {
proc, err := getDaemonProcess()
if err != nil {
return fmt.Errorf("error getting daemon process: %v", err)
}
err = proc.Signal(syscall.SIGUSR1)
if err != nil {
return fmt.Errorf("error sending SIGUSR1 to daemon PID: %v", err)
}
return nil
}
func statusDaemon() error {
fmt.Println("Not implemented :/")
return nil
}

37
commands/basic.go Normal file
View File

@@ -0,0 +1,37 @@
package commands
import (
"fmt"
"log"
"git.nevets.tech/Keys/CertManager/internal"
"github.com/spf13/cobra"
)
func DevCmd(cmd *cobra.Command, args []string) {
testDomain := "lunamc.org"
err := internal.LoadConfig()
if err != nil {
log.Fatalf("Error loading configuration: %v\n", err)
}
err = internal.LoadDomainConfigs()
if err != nil {
log.Fatalf("Error loading configs: %v\n", err)
}
fmt.Println(testDomain)
}
func VersionCmd(cmd *cobra.Command, args []string) {
fmt.Printf("CertManager (certman) - Steven Tracey\nVersion: %s build-%s\n",
internal.Version, internal.Build,
)
}
func NewKeyCmd(cmd *cobra.Command, args []string) {
key, err := internal.GenerateKey()
if err != nil {
log.Fatalf("%v", err)
}
fmt.Printf(key)
}

266
commands/certs.go Normal file
View File

@@ -0,0 +1,266 @@
package commands
import (
"fmt"
"io"
"os"
"path/filepath"
"strings"
"time"
"git.nevets.tech/Keys/CertManager/internal"
"github.com/go-git/go-billy/v5/memfs"
"github.com/go-git/go-git/v5/storage/memory"
)
var mgr *internal.ACMEManager
func RenewCertCmd(domain string, noPush bool, certmanMode internal.CertManMode) error {
err := internal.LoadConfig()
if err != nil {
return err
}
err = internal.LoadDomainConfigs()
if err != nil {
return err
}
switch internal.Config().GetString("App.mode") {
case "server":
mgr, err = internal.NewACMEManager()
if err != nil {
return err
}
err = renewCerts(domain, noPush, certmanMode)
if err != nil {
return err
}
return ReloadDaemonCmd()
case "client":
return pullCerts(domain, certmanMode)
default:
return fmt.Errorf("invalid operating mode %s", internal.Config().GetString("App.mode"))
}
}
func renewCerts(domain string, noPush bool, certmanMode internal.CertManMode) error {
_, err := mgr.RenewForDomain(domain)
if err != nil {
// if no existing cert, obtain instead
_, err = mgr.ObtainForDomain(domain)
if err != nil {
return fmt.Errorf("error obtaining domain certificates for domain %s: %v", domain, err)
}
}
domainConfig, exists := internal.DomainStore().Get(domain)
if !exists {
return fmt.Errorf("domain %s does not exist", domain)
}
domainConfig.Set("Internal.last_issued", time.Now().UTC().Unix())
err = internal.WriteDomainConfig(domainConfig)
if err != nil {
return fmt.Errorf("error saving domain config %s: %v", domain, err)
}
err = internal.EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.CertsRoot, domain, domain+".crt"), filepath.Join(mgr.CertsRoot, domain, domain+".crt.crpt"), nil)
if err != nil {
return fmt.Errorf("error encrypting domain cert for domain %s: %v", domain, err)
}
err = internal.EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.CertsRoot, domain, domain+".key"), filepath.Join(mgr.CertsRoot, domain, domain+".key.crpt"), nil)
if err != nil {
return fmt.Errorf("error encrypting domain key for domain %s: %v", domain, err)
}
if !noPush {
giteaClient := internal.CreateGiteaClient()
if giteaClient == nil {
return fmt.Errorf("error creating gitea client for domain %s: %v", domain, err)
}
gitWorkspace := &internal.GitWorkspace{
Storage: memory.NewStorage(),
FS: memfs.New(),
}
var repoUrl string
if !domainConfig.GetBool("Internal.repo_exists") {
repoUrl = internal.CreateGiteaRepo(domain, giteaClient)
if repoUrl == "" {
return fmt.Errorf("error creating Gitea repo for domain %s", domain)
}
domainConfig.Set("Internal.repo_exists", true)
err = internal.WriteDomainConfig(domainConfig)
if err != nil {
return fmt.Errorf("error saving domain config %s: %v", domain, err)
}
err = internal.InitRepo(repoUrl, gitWorkspace)
if err != nil {
return fmt.Errorf("error initializing repo for domain %s: %v", domain, err)
}
} else {
repoUrl = internal.Config().GetString("Git.server") + "/" + internal.Config().GetString("Git.org_name") + "/" + domain + domainConfig.GetString("Repo.repo_suffix") + ".git"
err = internal.CloneRepo(repoUrl, gitWorkspace, certmanMode)
if err != nil {
return fmt.Errorf("error cloning repo for domain %s: %v", domain, err)
}
}
err = internal.AddAndPushCerts(domain, gitWorkspace)
if err != nil {
return fmt.Errorf("error pushing certificates for domain %s: %v", domain, err)
}
fmt.Printf("Successfully pushed certificates for domain %s\n", domain)
}
return nil
}
func pullCerts(domain string, certmanMode internal.CertManMode) error {
gitWorkspace := &internal.GitWorkspace{
Storage: memory.NewStorage(),
FS: memfs.New(),
}
domainConfig, exists := internal.DomainStore().Get(domain)
if !exists {
return fmt.Errorf("domain %s does not exist", domain)
}
// Ex: https://git.example.com/Org/Repo-suffix.git
// Clones repo and stores in gitWorkspace, skip if clone fails (doesn't exist?)
repoUrl := internal.Config().GetString("Git.server") + "/" + internal.Config().GetString("Git.org_name") + "/" + domain + domainConfig.GetString("Repo.repo_suffix") + ".git"
err := internal.CloneRepo(repoUrl, gitWorkspace, certmanMode)
if err != nil {
return fmt.Errorf("Error cloning domain repo %s: %v\n", domain, err)
}
certsDir, err := internal.DomainCertsDirWConf(domain, domainConfig)
if err != nil {
return fmt.Errorf("Error getting certificates dir for domain %s: %v\n", domain, err)
}
// Get files in repo
fileInfos, err := gitWorkspace.FS.ReadDir("/")
if err != nil {
return fmt.Errorf("Error reading directory in memFS on domain %s: %v\n", domain, err)
}
// Iterate over files, filtering by .crpt (encrypted) files in case other files were accidentally added
for _, fileInfo := range fileInfos {
if strings.HasSuffix(fileInfo.Name(), ".crpt") {
filename, _ := strings.CutSuffix(fileInfo.Name(), ".crpt")
file, err := gitWorkspace.FS.Open(fileInfo.Name())
if err != nil {
fmt.Printf("Error opening file in memFS on domain %s: %v\n", domain, err)
continue
}
fileBytes, err := io.ReadAll(file)
if err != nil {
fmt.Printf("Error reading file in memFS on domain %s: %v\n", domain, err)
file.Close()
continue
}
err = file.Close()
if err != nil {
fmt.Printf("Error closing file on domain %s: %v\n", domain, err)
continue
}
err = internal.DecryptFileFromBytes(domainConfig.GetString("Certificates.crypto_key"), fileBytes, filepath.Join(certsDir, filename), nil)
if err != nil {
fmt.Printf("Error decrypting file %s in domain %s: %v\n", filename, domain, err)
continue
}
headRef, err := gitWorkspace.Repo.Head()
if err != nil {
fmt.Printf("Error getting head reference for domain %s: %v\n", domain, err)
continue
}
err = internal.WriteCommitHash(headRef.Hash().String(), domainConfig)
if err != nil {
fmt.Printf("Error writing commit hash: %v\n", err)
continue
}
certLinks := domainConfig.GetStringSlice("Certificates.cert_symlinks")
for _, certLink := range certLinks {
if certLink == "" {
continue
}
linkInfo, err := os.Stat(certLink)
if err != nil {
if !os.IsNotExist(err) {
fmt.Printf("Error stating cert link %s: %v\n", certLink, err)
continue
}
}
if linkInfo.IsDir() {
certLink = filepath.Join(certLink, domain+".crt")
}
err = os.Link(filepath.Join(certsDir, domain+".crt"), certLink)
if err != nil {
fmt.Printf("Error linking cert %s to %s: %v\n", certLink, domain, err)
continue
}
}
keyLinks := domainConfig.GetStringSlice("Certificates.key_symlinks")
for _, keyLink := range keyLinks {
if keyLink == "" {
continue
}
linkInfo, err := os.Stat(keyLink)
if err != nil {
if !os.IsNotExist(err) {
fmt.Printf("Error stating key link %s: %v\n", keyLink, err)
continue
}
}
if linkInfo.IsDir() {
keyLink = filepath.Join(keyLink, domain+".crt")
}
err = os.Link(filepath.Join(certsDir, domain+".crt"), keyLink)
if err != nil {
fmt.Printf("Error linking cert %s to %s: %v\n", keyLink, domain, err)
continue
}
}
}
}
return nil
}
func UpdateLinksCmd(domain string) error {
domainConfig, exists := internal.DomainStore().Get(domain)
if !exists {
return fmt.Errorf("domain %s does not exist", domain)
}
certsDir, err := internal.DomainCertsDirWConf(domain, domainConfig)
if err != nil {
return fmt.Errorf("error getting certificates dir for domain %s: %v", domain, err)
}
certLinks := domainConfig.GetStringSlice("Certificates.cert_symlinks")
for _, certLink := range certLinks {
err = internal.LinkFile(filepath.Join(certsDir, domain+".crt"), certLink, domain, ".crt")
if err != nil {
fmt.Printf("Error linking cert %s to %s: %v", certLink, domain, err)
continue
}
}
keyLinks := domainConfig.GetStringSlice("Certificates.key_symlinks")
for _, keyLink := range keyLinks {
err = internal.LinkFile(filepath.Join(certsDir, domain+".crt"), keyLink, domain, ".key")
if err != nil {
fmt.Printf("Error linking cert %s to %s: %v", keyLink, domain, err)
continue
}
}
return nil
}

164
commands/daemon.go Normal file
View File

@@ -0,0 +1,164 @@
package commands
import (
"context"
"errors"
"fmt"
"os"
"os/signal"
"sync"
"syscall"
"time"
"git.nevets.tech/Keys/CertManager/client"
"git.nevets.tech/Keys/CertManager/internal"
"git.nevets.tech/Keys/CertManager/server"
)
var (
ctx context.Context
cancel context.CancelFunc
wg sync.WaitGroup
)
func RunDaemonCmd() error {
err := internal.CreateOrUpdatePIDFile("/var/run/certman.pid")
if err != nil {
if errors.Is(err, internal.ErrorPIDInUse) {
return fmt.Errorf("daemon process is already running")
}
return fmt.Errorf("error creating pidfile: %v", err)
}
ctx, cancel = context.WithCancel(context.Background())
// Check if main config exists
if _, err := os.Stat("/etc/certman/certman.conf"); os.IsNotExist(err) {
return fmt.Errorf("main config file not found, please run 'certman --install', then properly configure /etc/certman/certman.conf")
} else if err != nil {
return fmt.Errorf("error opening /etc/certman/certman.conf: %v", err)
}
err = internal.LoadConfig()
if err != nil {
return fmt.Errorf("error loading configuration: %v", err)
}
// Setup SIGINT and SIGTERM listeners
sigChannel := make(chan os.Signal, 1)
signal.Notify(sigChannel, syscall.SIGINT, syscall.SIGTERM)
defer signal.Stop(sigChannel)
reloadSigChan := make(chan os.Signal, 1)
signal.Notify(reloadSigChan, syscall.SIGHUP)
defer signal.Stop(reloadSigChan)
tickSigChan := make(chan os.Signal, 1)
signal.Notify(tickSigChan, syscall.SIGUSR1)
defer signal.Stop(tickSigChan)
tickRate := internal.Config().GetInt("App.tick_rate")
ticker := time.NewTicker(time.Duration(tickRate) * time.Hour)
defer ticker.Stop()
wg.Add(1)
if internal.Config().GetString("App.mode") == "server" {
fmt.Println("Starting CertManager in server mode...")
// Server Task loop
go func() {
server.Init()
defer wg.Done()
for {
select {
case <-ctx.Done():
server.Stop()
return
case <-reloadSigChan:
server.Reload()
case <-ticker.C:
server.Tick()
case <-tickSigChan:
server.Tick()
}
}
}()
} else if internal.Config().GetString("App.mode") == "client" {
fmt.Println("Starting CertManager in client mode...")
// Client Task loop
go func() {
client.Init()
defer wg.Done()
for {
select {
case <-ctx.Done():
client.Stop()
return
case <-reloadSigChan:
client.Reload()
case <-ticker.C:
client.Tick()
case <-tickSigChan:
client.Tick()
}
}
}()
} else {
return fmt.Errorf("invalid operating mode \"" + internal.Config().GetString("App.mode") + "\"")
}
// Cleanup on stop
sig := <-sigChannel
fmt.Printf("Program terminated with %v\n", sig.String())
stop()
wg.Wait()
return nil
}
func stop() {
cancel()
internal.ClearPIDFile()
}
func StopDaemonCmd() error {
proc, err := internal.DaemonProcess()
if err != nil {
return fmt.Errorf("error getting daemon process: %v", err)
}
err = proc.Signal(syscall.SIGTERM)
if err != nil {
return fmt.Errorf("error sending SIGTERM to daemon PID: %v", err)
}
return nil
}
func ReloadDaemonCmd() error {
proc, err := internal.DaemonProcess()
if err != nil {
return fmt.Errorf("error getting daemon process: %v", err)
}
err = proc.Signal(syscall.SIGHUP)
if err != nil {
return fmt.Errorf("error sending SIGHUP to daemon PID: %v", err)
}
return nil
}
func TickDaemonCmd() error {
proc, err := internal.DaemonProcess()
if err != nil {
return fmt.Errorf("error getting daemon process: %v", err)
}
err = proc.Signal(syscall.SIGUSR1)
if err != nil {
return fmt.Errorf("error sending SIGUSR1 to daemon PID: %v", err)
}
return nil
}
func DaemonStatusCmd() error {
fmt.Println("Not implemented :/")
return nil
}

27
commands/executor.go Normal file
View File

@@ -0,0 +1,27 @@
package commands
import (
"fmt"
"os"
"os/signal"
"syscall"
"git.nevets.tech/Keys/CertManager/executor"
)
var executorServer *executor.Server
func StartExecutorCmd() error {
executorServer = &executor.Server{}
sigCh := make(chan os.Signal, 1)
signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
go func() {
<-sigCh
executorServer.Stop()
}()
if err := executorServer.Start(); err != nil {
return fmt.Errorf("failed to start executor server: %w", err)
}
return nil
}

116
commands/install.go Normal file
View File

@@ -0,0 +1,116 @@
package commands
import (
"fmt"
"os"
"os/exec"
"os/user"
"strconv"
"strings"
"git.nevets.tech/Keys/CertManager/internal"
)
func NewDomainCmd(domain, domainDir string, dirOverridden bool) error {
//TODO add config option for "overriden dir"
err := internal.LoadConfig()
if err != nil {
return err
}
fmt.Printf("Creating new domain %s\n", domain)
err = internal.CreateDomainConfig(domain)
if err != nil {
return err
}
internal.CreateDomainCertsDir(domain, domainDir, dirOverridden)
certmanUser, err := user.Lookup("certman")
if err != nil {
return fmt.Errorf("error getting user certman: %v", err)
}
uid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Uid))
if err != nil {
return err
}
gid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Gid))
if err != nil {
return err
}
err = internal.ChownRecursive("/etc/certman/domains", uid, gid)
if err != nil {
return err
}
err = internal.ChownRecursive("/var/local/certman", uid, gid)
if err != nil {
return err
}
fmt.Println("Successfully created domain entry for " + domain + "\nUpdate config file as needed in /etc/certman/domains/" + domain + ".conf\n")
return nil
}
func InstallCmd(isThin bool, mode string) error {
if !isThin {
if os.Geteuid() != 0 {
return fmt.Errorf("installation must be run as root")
}
internal.MakeDirs()
internal.CreateConfig(mode)
err := internal.LoadConfig()
if err != nil {
return err
}
f, err := os.OpenFile("/var/run/certman.pid", os.O_RDONLY|os.O_CREATE, 0755)
if err != nil {
return fmt.Errorf("error creating pid file: %v", err)
}
err = f.Close()
if err != nil {
return fmt.Errorf("error closing pid file: %v", err)
}
newUserCmd := exec.Command("useradd", "-d", "/var/local/certman", "-U", "-r", "-s", "/sbin/nologin", "certman")
if output, err := newUserCmd.CombinedOutput(); err != nil {
if !strings.Contains(err.Error(), "exit status 9") {
return fmt.Errorf("error creating user: %v: output %s", err, output)
}
}
newGroupCmd := exec.Command("groupadd", "-r", "-U", "certman", "certsock")
if output, err := newGroupCmd.CombinedOutput(); err != nil {
if !strings.Contains(err.Error(), "exit status 9") {
return fmt.Errorf("error creating group: %v: output %s", err, output)
}
}
certmanUser, err := user.Lookup("certman")
if err != nil {
return fmt.Errorf("error getting user certman: %v", err)
}
uid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Uid))
if err != nil {
return err
}
gid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Gid))
if err != nil {
return err
}
err = internal.ChownRecursive("/etc/certman", uid, gid)
if err != nil {
return fmt.Errorf("error changing uid/gid: %v", err)
}
err = internal.ChownRecursive("/var/local/certman", uid, gid)
if err != nil {
return fmt.Errorf("error changing uid/gid: %v", err)
}
err = os.Chown("/var/run/certman.pid", uid, gid)
if err != nil {
return fmt.Errorf("error changing uid/gid: %v", err)
}
} else {
internal.CreateConfig(mode)
}
return nil
}

17
example.config.conf
View File

@@ -1,17 +0,0 @@
[App]
mode = {mode}
[Git]
host = gitea
server = https://gitea.instance.com
username = user
org_name = org
template_name = template
[Certificates]
email = user@example.com
data_root = /var/local/certman
request_method = dns
[Cloudflare]
cf_email = email@example.com

19
example.domainconfig.conf
View File

@@ -1,19 +0,0 @@
[Domain]
domain_name = {domain}
; default (use system dns) or IPv4 Address (1.1.1.1)
dns_server = default
; optionally use /path/to/directory
file_location = default
[Certificates]
subdomains =
expiry = 90
cert_symlink =
key_symlink =
[Repo]
repo_suffix = -certificates
; Don't change setting below here unless you know what you're doing!
[Internal]
last_issued = never

43
executor/executor.go Normal file
View File

@@ -0,0 +1,43 @@
package executor
import (
"fmt"
"net"
"sync"
pb "git.nevets.tech/Keys/CertManager/proto/v1"
"github.com/coreos/go-systemd/v22/activation"
"google.golang.org/grpc"
)
type Server struct {
listener net.Listener
wg sync.WaitGroup
}
func (s *Server) Start() error {
listeners, err := activation.Listeners()
if err != nil {
return fmt.Errorf("systemd activation listeners: %v", err)
}
if len(listeners) != 1 {
return fmt.Errorf("systemd activation listeners: expected 1, got %d", len(listeners))
}
s.listener = listeners[0]
srv := grpc.NewServer()
pb.RegisterHookServiceServer(srv, &hookServer{})
err = srv.Serve(s.listener)
if err != nil {
return fmt.Errorf("error creating grpc listener: %v", err)
}
fmt.Printf("Started gRPC server on %s\n", s.listener.Addr())
return nil
}
func (s *Server) Stop() {
if s.listener != nil {
_ = s.listener.Close()
}
}

73
executor/hook.go Normal file
View File

@@ -0,0 +1,73 @@
package executor
import (
"context"
"errors"
"os"
"os/exec"
"syscall"
"time"
"git.nevets.tech/Keys/CertManager/internal"
pb "git.nevets.tech/Keys/CertManager/proto/v1"
)
type hookServer struct {
pb.UnimplementedHookServiceServer
}
func (s *hookServer) ExecuteHook(ctx context.Context, req *pb.ExecuteHookRequest) (*pb.ExecuteHookResponse, error) {
h := req.GetHook()
if h == nil {
return &pb.ExecuteHookResponse{Error: "missing hook"}, nil
}
// Minimal validation
if len(h.GetCommand()) == 0 {
return &pb.ExecuteHookResponse{Error: "command is empty"}, nil
}
// Timeout
timeout := time.Duration(h.GetTimeoutSeconds()) * time.Second
if timeout <= 0 {
timeout = 30 * time.Second
}
ctx, cancel := context.WithTimeout(ctx, timeout)
defer cancel()
// Build command
cmdArgs := h.GetCommand()
cmd := exec.CommandContext(ctx, cmdArgs[0], cmdArgs[1:]...)
if cwd := h.GetCwd(); cwd != "" {
cmd.Dir = cwd
}
// Env: inherit current + overlay provided
env := os.Environ()
for k, v := range h.GetEnv() {
env = append(env, k+"="+v)
}
cmd.Env = env
// Run as user/group if specified (Linux/Unix)
if h.GetUser() != "" || h.GetGroup() != "" {
cred, err := internal.MakeCredential(h.GetUser(), h.GetGroup())
if err != nil {
return &pb.ExecuteHookResponse{Error: brief(err)}, nil
}
cmd.SysProcAttr = &syscall.SysProcAttr{
Credential: cred,
}
}
// Were intentionally NOT returning stdout/stderr; only a brief error on failure.
if err := cmd.Run(); err != nil {
// If context deadline hit, make the error message short and explicit.
if errors.Is(ctx.Err(), context.DeadlineExceeded) {
return &pb.ExecuteHookResponse{Error: "hook timed out"}, nil
}
return &pb.ExecuteHookResponse{Error: brief(err)}, nil
}
return &pb.ExecuteHookResponse{Error: ""}, nil
}

8
executor/util.go Normal file
View File

@@ -0,0 +1,8 @@
package executor
import "fmt"
// brief tries to keep errors short and non-leaky.
func brief(err error) string {
return fmt.Sprintf("hook failed: %v", err)
}

8
go.mod
View File

@@ -1,17 +1,19 @@
module main
module git.nevets.tech/Keys/CertManager
go 1.25.0
require (
code.gitea.io/sdk/gitea v0.23.2
github.com/coreos/go-systemd/v22 v22.7.0
github.com/go-acme/lego/v4 v4.32.0
github.com/go-git/go-billy/v5 v5.8.0
github.com/go-git/go-git/v5 v5.17.0
github.com/google/go-github/v55 v55.0.0
github.com/google/uuid v1.6.0
github.com/spf13/cobra v1.10.2
github.com/spf13/viper v1.21.0
golang.org/x/crypto v0.48.0
google.golang.org/grpc v1.78.0
google.golang.org/protobuf v1.36.11
)
require (
@@ -30,7 +32,6 @@ require (
github.com/go-jose/go-jose/v4 v4.1.3 // indirect
github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
github.com/google/go-querystring v1.2.0 // indirect
github.com/hashicorp/go-version v1.8.0 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
@@ -54,5 +55,6 @@ require (
golang.org/x/sys v0.41.0 // indirect
golang.org/x/text v0.34.0 // indirect
golang.org/x/tools v0.42.0 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
)

35
go.sum
View File

@@ -15,8 +15,12 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
github.com/coreos/go-systemd/v22 v22.7.0 h1:LAEzFkke61DFROc7zNLX/WA2i5J8gYqe0rSj9KI28KA=
github.com/coreos/go-systemd/v22 v22.7.0/go.mod h1:xNUYtjHu2EDXbsxz1i41wouACIwT7Ybq9o0BQhMwD0w=
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
@@ -50,17 +54,18 @@ github.com/go-git/go-git/v5 v5.17.0 h1:AbyI4xf+7DsjINHMu35quAh4wJygKBKBuXVjV/pxe
github.com/go-git/go-git/v5 v5.17.0/go.mod h1:f82C4YiLx+Lhi8eHxltLeGC5uBTXSFa6PC5WW9o4SjI=
github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
github.com/google/go-github/v55 v55.0.0 h1:4pp/1tNMB9X/LuAhs5i0KQAE40NmiR/y6prLNb9x9cg=
github.com/google/go-github/v55 v55.0.0/go.mod h1:JLahOTA1DnXzhxEymmFF5PP2tSS9JVNj68mSZNDwskA=
github.com/google/go-querystring v1.2.0 h1:yhqkPbu2/OH+V9BfpCVPZkNmUXhb2gBxJArfhIxNtP0=
github.com/google/go-querystring v1.2.0/go.mod h1:8IFJqpSRITyJ8QhQ13bmbeMBDfmeEJZD5A0egEOmkqU=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/hashicorp/go-version v1.8.0 h1:KAkNb1HAiZd1ukkxDFGmokVZe1Xy9HG6NUp+bPle2i4=
@@ -123,6 +128,18 @@ github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8
github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -163,6 +180,14 @@ golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 h1:Jr5R2J6F6qWyzINc+4AM8t5pfUz6beZpHp678GNrMbE=
google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=

69
acme_manager.go → internal/acme_manager.go
View File

@@ -1,5 +1,4 @@
// acme_manager.go
package main
package internal
import (
"crypto"
@@ -28,14 +27,14 @@ import (
// Thread safety for your domain config map
// (assumes you already have these globals elsewhere)
// ---------------------------------------------
// var mu sync.RWMutex
// var MU sync.RWMutex
// var domainConfigs map[string]*ezconf.Configuration
// var config *ezconf.Configuration
//
// func getDomainConfig(domain string) (*ezconf.Configuration, bool) { ... }
// ---------------------------------------------
// ACME account user (file-backed)
// ACME account User (file-backed)
// ---------------------------------------------
type fileUser struct {
@@ -54,14 +53,14 @@ func (u *fileUser) GetPrivateKey() crypto.PrivateKey { return u.privateKe
// ---------------------------------------------
type ACMEManager struct {
mu sync.Mutex // serializes lego client ops + account writes
client *lego.Client
user *fileUser
MU sync.Mutex // serializes lego Client ops + account writes
Client *lego.Client
User *fileUser
// root dirs
dataRoot string // e.g. /var/local/certman
accountRoot string // e.g. /var/local/certman/accounts
certsRoot string // e.g. /var/local/certman/certificates
CertsRoot string // e.g. /var/local/certman/certificates
}
// DomainRuntimeConfig has domain-specific runtime settings derived from main+domain config.
@@ -89,7 +88,7 @@ type StoredCertMeta struct {
// Public API
// ---------------------------------------------
// NewACMEManager initializes a long-lived lego client using:
// NewACMEManager initializes a long-lived lego Client using:
// - file-backed account
// - persistent ECDSA P-256 account key
// - Lets Encrypt production by default (from config fallback)
@@ -104,20 +103,20 @@ func NewACMEManager() (*ACMEManager, error) {
mgr := &ACMEManager{
dataRoot: dataRoot,
accountRoot: filepath.Join(dataRoot, "accounts"),
certsRoot: filepath.Join(dataRoot, "certificates"),
CertsRoot: filepath.Join(dataRoot, "certificates"),
}
if err := os.MkdirAll(mgr.accountRoot, 0o700); err != nil {
return nil, fmt.Errorf("create account root: %w", err)
}
if err := os.MkdirAll(mgr.certsRoot, 0o700); err != nil {
if err := os.MkdirAll(mgr.CertsRoot, 0o700); err != nil {
return nil, fmt.Errorf("create certs root: %w", err)
}
// Create/load file-backed account user
// Create/load file-backed account User
user, err := loadOrCreateACMEUser(mgr.accountRoot, email)
if err != nil {
return nil, fmt.Errorf("load/create acme user: %w", err)
return nil, fmt.Errorf("load/create acme User: %w", err)
}
// Cloudflare provider (DNS-01 only).
@@ -147,20 +146,20 @@ func NewACMEManager() (*ACMEManager, error) {
return nil, fmt.Errorf("set dns-01 provider: %w", err)
}
mgr.client = client
mgr.user = user
mgr.Client = client
mgr.User = user
// Register account only on first run
if mgr.user.Registration == nil {
reg, err := mgr.client.Registration.Register(registration.RegisterOptions{
if mgr.User.Registration == nil {
reg, err := mgr.Client.Registration.Register(registration.RegisterOptions{
TermsOfServiceAgreed: true,
})
if err != nil {
return nil, fmt.Errorf("acme registration: %w", err)
}
mgr.user.Registration = reg
if err := saveACMEUser(mgr.accountRoot, mgr.user); err != nil {
return nil, fmt.Errorf("save acme user registration: %w", err)
mgr.User.Registration = reg
if err := saveACMEUser(mgr.accountRoot, mgr.User); err != nil {
return nil, fmt.Errorf("save acme User registration: %w", err)
}
}
@@ -184,10 +183,10 @@ func (m *ACMEManager) ObtainForDomain(domainKey string) (*certificate.Resource,
Bundle: true,
}
m.mu.Lock()
defer m.mu.Unlock()
m.MU.Lock()
defer m.MU.Unlock()
res, err := m.client.Certificate.Obtain(req)
res, err := m.Client.Certificate.Obtain(req)
if err != nil {
return nil, fmt.Errorf("obtain %q: %w", domainKey, err)
}
@@ -201,8 +200,8 @@ func (m *ACMEManager) ObtainForDomain(domainKey string) (*certificate.Resource,
// RenewForDomain renews an existing stored cert for a domain key.
func (m *ACMEManager) RenewForDomain(domainKey string) (*certificate.Resource, error) {
m.mu.Lock()
defer m.mu.Unlock()
m.MU.Lock()
defer m.MU.Unlock()
existing, err := m.loadStoredResource(domainKey)
if err != nil {
@@ -210,7 +209,7 @@ func (m *ACMEManager) RenewForDomain(domainKey string) (*certificate.Resource, e
}
// RenewWithOptions is preferred in newer lego versions.
renewed, err := m.client.Certificate.RenewWithOptions(*existing, &certificate.RenewOptions{
renewed, err := m.Client.Certificate.RenewWithOptions(*existing, &certificate.RenewOptions{
Bundle: true,
})
if err != nil {
@@ -226,8 +225,8 @@ func (m *ACMEManager) RenewForDomain(domainKey string) (*certificate.Resource, e
// GetCertPaths returns disk paths for the domain's cert material.
func (m *ACMEManager) GetCertPaths(domainKey string) (certPEM, keyPEM string) {
base := sanitizeDomainKey(domainKey)
dir := filepath.Join(m.certsRoot, base)
base := SanitizeDomainKey(domainKey)
dir := filepath.Join(m.CertsRoot, base)
return filepath.Join(dir, base+".crt"),
filepath.Join(dir, base+".key")
}
@@ -450,7 +449,7 @@ func loadACMEUser(accountRoot string) (*fileUser, error) {
func saveACMEUser(accountRoot string, u *fileUser) error {
if u == nil {
return errors.New("nil user")
return errors.New("nil User")
}
if err := os.MkdirAll(accountRoot, 0o700); err != nil {
return err
@@ -525,8 +524,8 @@ func (m *ACMEManager) saveCertFiles(domainKey string, res *certificate.Resource,
return errors.New("nil certificate resource")
}
base := sanitizeDomainKey(domainKey)
dir := filepath.Join(m.certsRoot, base)
base := SanitizeDomainKey(domainKey)
dir := filepath.Join(m.CertsRoot, base)
if err := os.MkdirAll(dir, 0o700); err != nil {
return err
}
@@ -599,8 +598,8 @@ func (m *ACMEManager) saveCertFiles(domainKey string, res *certificate.Resource,
}
func (m *ACMEManager) loadStoredResource(domainKey string) (*certificate.Resource, error) {
base := sanitizeDomainKey(domainKey)
dir := filepath.Join(m.certsRoot, base)
base := SanitizeDomainKey(domainKey)
dir := filepath.Join(m.CertsRoot, base)
raw, err := os.ReadFile(filepath.Join(dir, base+".json"))
if err != nil {
return nil, err
@@ -623,8 +622,8 @@ func (m *ACMEManager) loadStoredResource(domainKey string) (*certificate.Resourc
}
func (m *ACMEManager) loadMeta(domainKey string) (*StoredCertMeta, error) {
base := sanitizeDomainKey(domainKey)
dir := filepath.Join(m.certsRoot, base)
base := SanitizeDomainKey(domainKey)
dir := filepath.Join(m.CertsRoot, base)
raw, err := os.ReadFile(filepath.Join(dir, base+".meta.json"))
if err != nil {
return nil, err

6
internal/buildinfo.go Normal file
View File

@@ -0,0 +1,6 @@
package internal
var (
Version = "dev"
Build = "local"
)

161
config.go → internal/config.go
View File

@@ -1,4 +1,4 @@
package main
package internal
import (
"bytes"
@@ -10,6 +10,7 @@ import (
"strings"
"sync"
pb "git.nevets.tech/Keys/CertManager/proto/v1"
"github.com/google/uuid"
"github.com/spf13/viper"
)
@@ -67,19 +68,48 @@ func (s *DomainConfigStore) Snapshot() map[string]*viper.Viper {
var (
config *viper.Viper
configMu sync.RWMutex
domainStore = NewDomainConfigStore()
)
func Config() *viper.Viper {
configMu.RLock()
defer configMu.RUnlock()
return config
}
func DomainStore() *DomainConfigStore {
domainStore.mu.RLock()
defer domainStore.mu.RUnlock()
return domainStore
}
// ---------------------------------------------------------------------------
// Loading
// ---------------------------------------------------------------------------
// LoadConfig reads the main certman.conf into config.
func LoadConfig(path string) error {
func LoadConfig() error {
config = viper.New()
config.SetConfigFile(path)
config.SetConfigFile("/etc/certman/certman.conf")
config.SetConfigType("toml")
return config.ReadInConfig()
err := config.ReadInConfig()
if err != nil {
return err
}
switch config.GetString("App.mode") {
case "server":
config.SetConfigType("toml")
config.SetConfigFile("server.conf")
return config.MergeInConfig()
case "Client":
config.SetConfigType("toml")
config.SetConfigFile("Client.conf")
return config.MergeInConfig()
}
return nil
}
// LoadDomainConfigs reads every .conf file in the domains directory.
@@ -157,6 +187,18 @@ func SaveDomainConfigs() error {
return nil
}
// ---------------------------------------------------------------------------
// Domain Specific Lookups
// ---------------------------------------------------------------------------
func PostPullHooks(domain string) ([]*pb.Hook, error) {
var hooks []*pb.Hook
if err := viper.UnmarshalKey("Hooks.PostPull", hooks); err != nil {
return nil, err
}
return hooks, nil
}
// ---------------------------------------------------------------------------
// Effective lookups (domain → global fallback)
// ---------------------------------------------------------------------------
@@ -223,7 +265,7 @@ func EffectiveBool(domainCfg *viper.Viper, key string) bool {
// Directory bootstrapping
// ---------------------------------------------------------------------------
func makeDirs() {
func MakeDirs() {
dirs := []struct {
path string
perm os.FileMode
@@ -240,31 +282,49 @@ func makeDirs() {
}
}
func createNewConfig(mode string) {
func CreateConfig(mode string) {
content := strings.NewReplacer(
"{mode}", mode,
"{uuid}", uuid.New().String(),
).Replace(defaultConfig)
createFile("/etc/certman/certman.conf", 0640, []byte(content))
switch mode {
case "server":
content = strings.NewReplacer(
"{uuid}", uuid.New().String(),
).Replace(defaultServerConfig)
createFile("/etc/certman/server.conf", 640, []byte(content))
}
}
func createNewDomainConfig(domain string) error {
func CreateDomainConfig(domain string) error {
key, err := GenerateKey()
if err != nil {
return fmt.Errorf("unable to generate key: %v", err)
}
content := strings.NewReplacer(
"{domain}", domain,
"{key}", key,
).Replace(defaultDomainConfig)
var content string
switch Config().GetString("App.mode") {
case "server":
content = strings.NewReplacer(
"{domain}", domain,
"{key}", key,
).Replace(defaultServerDomainConfig)
case "client":
content = strings.NewReplacer(
"{domain}", domain,
"{key}", key,
).Replace(defaultClientDomainConfig)
default:
return fmt.Errorf("unknown certman mode: %v", Config().GetString("App.mode"))
}
path := filepath.Join("/etc/certman/domains", domain+".conf")
createFile(path, 0640, []byte(content))
return nil
}
func createNewDomainCertsDir(domain string, dir string, dirOverride bool) {
func CreateDomainCertsDir(domain string, dir string, dirOverride bool) {
var target string
if dirOverride {
target = filepath.Join(dir, domain)
@@ -286,49 +346,74 @@ func createNewDomainCertsDir(domain string, dir string, dirOverride bool) {
// ---------------------------------------------------------------------------
const defaultConfig = `[App]
mode = "{mode}"
mode = '{mode}'
tick_rate = 2
uuid = "{uuid}"
[Git]
host = "gitea"
server = "https://gitea.instance.com"
username = "user"
api_token = "xxxxxxxxxxxxxxxxxxxxxxxxx"
org_name = "org"
host = 'gitea'
server = 'https://gitea.instance.com'
username = 'User'
api_token = 'xxxxxxxxxxxxxxxxxxxxxxxxx'
org_name = 'org'
[Certificates]
email = "user@example.com"
data_root = "/var/local/certman"
ca_dir_url = "https://acme-v02.api.letsencrypt.org/directory"
[Cloudflare]
cf_email = "email@example.com"
cf_api_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
data_root = '/var/local/certman'
`
const defaultDomainConfig = `[Domain]
domain_name = "{domain}"
enabled = true
dns_server = "default"
const defaultServerConfig = `[App]
uuid = '{uuid}'
[Certificates]
data_root = ""
email = 'User@example.com'
data_root = '/var/local/certman'
ca_dir_url = 'https://acme-v02.api.letsencrypt.org/directory'
[Cloudflare]
cf_email = 'email@example.com'
cf_api_key = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'`
const defaultClientConfig = ``
const defaultServerDomainConfig = `[Domain]
domain_name = '{domain}'
enabled = true
dns_server = 'default'
[Certificates]
data_root = ''
expiry = 90
request_method = "dns-01"
request_method = 'dns-01'
renew_period = 30
subdomains = []
cert_symlinks = []
key_symlinks = []
crypto_key = "{key}"
crypto_key = '{key}'
[Repo]
repo_suffix = "-certificates"
repo_suffix = '-certificates'
[Internal]
last_issued = 0
repo_exists = false
status = "clean"
status = 'clean'
`
const defaultClientDomainConfig = `[Certificates]
data_root = ''
cert_symlinks = []
key_symlinks = []
crypto_key = '{key}'
[Domain]
domain_name = '{domain}'
enabled = true
[Hooks.PostPull]
command = []
cwd = "/dev/null"
timeout_seconds = 30
env = { "FOO" = "bar" }
[Repo]
repo_suffix = '-certificates'
`
const readme = ``

2
crypto.go → internal/crypto.go
View File

@@ -1,4 +1,4 @@
package main
package internal
import (
"crypto/rand"

125
git.go → internal/git.go
View File

@@ -1,7 +1,6 @@
package main
package internal
import (
"context"
"errors"
"fmt"
"io"
@@ -17,10 +16,16 @@ import (
"github.com/go-git/go-git/v5/plumbing/object"
"github.com/go-git/go-git/v5/plumbing/transport/http"
"github.com/go-git/go-git/v5/storage/memory"
"github.com/google/go-github/v55/github"
"github.com/spf13/viper"
)
type CertManMode int
const (
Server CertManMode = iota
Client
)
type GitWorkspace struct {
Repo *git.Repository
Storage *memory.Storage
@@ -48,7 +53,7 @@ var GitSourceName = map[GitSource]string{
CodeCommit: "code-commit",
}
func strToGitSource(s string) (GitSource, error) {
func StrToGitSource(s string) (GitSource, error) {
for k, v := range GitSourceName {
if v == s {
return k, nil
@@ -57,11 +62,11 @@ func strToGitSource(s string) (GitSource, error) {
return GitSource(0), errors.New("invalid gitsource name")
}
func createGithubClient() *github.Client {
return github.NewClient(nil).WithAuthToken(config.GetString("Git.api_token"))
}
//func createGithubClient() *github.Client {
// return github.NewClient(nil).WithAuthToken(config.GetString("Git.api_token"))
//}
func createGiteaClient() *gitea.Client {
func CreateGiteaClient() *gitea.Client {
client, err := gitea.NewClient(config.GetString("Git.server"), gitea.SetToken(config.GetString("Git.api_token")))
if err != nil {
fmt.Printf("Error connecting to gitea instance: %v\n", err)
@@ -70,30 +75,30 @@ func createGiteaClient() *gitea.Client {
return client
}
func createGithubRepo(domain *Domain, client *github.Client) string {
name := domain.name
owner := domain.config.GetString("Repo.owner")
description := domain.description
private := true
includeAllBranches := false
//func createGithubRepo(domain *Domain, Client *github.Client) string {
// name := domain.name
// owner := domain.config.GetString("Repo.owner")
// description := domain.description
// private := true
// includeAllBranches := false
//
// ctx := context.Background()
// template := &github.TemplateRepoRequest{
// Name: name,
// Owner: &owner,
// Description: description,
// Private: &private,
// IncludeAllBranches: &includeAllBranches,
// }
// repo, _, err := Client.Repositories.CreateFromTemplate(ctx, config.GetString("Git.org_name"), config.GetString("Git.template_name"), template)
// if err != nil {
// fmt.Println("Error creating repository from template,", err)
// return ""
// }
// return *repo.CloneURL
//}
ctx := context.Background()
template := &github.TemplateRepoRequest{
Name: name,
Owner: &owner,
Description: description,
Private: &private,
IncludeAllBranches: &includeAllBranches,
}
repo, _, err := client.Repositories.CreateFromTemplate(ctx, config.GetString("Git.org_name"), config.GetString("Git.template_name"), template)
if err != nil {
fmt.Println("Error creating repository from template,", err)
return ""
}
return *repo.CloneURL
}
func createGiteaRepo(domain string, giteaClient *gitea.Client) string {
func CreateGiteaRepo(domain string, giteaClient *gitea.Client) string {
domainConfig, exists := domainStore.Get(domain)
if !exists {
fmt.Printf("Domain %s config does not exist\n", domain)
@@ -121,7 +126,7 @@ func createGiteaRepo(domain string, giteaClient *gitea.Client) string {
return giteaRepo.CloneURL
}
func initRepo(url string, ws *GitWorkspace) error {
func InitRepo(url string, ws *GitWorkspace) error {
var err error
ws.Repo, err = git.Init(ws.Storage, ws.FS)
if err != nil {
@@ -147,7 +152,7 @@ func initRepo(url string, ws *GitWorkspace) error {
return nil
}
func cloneRepo(url string, ws *GitWorkspace) error {
func CloneRepo(url string, ws *GitWorkspace, certmanMode CertManMode) error {
creds := &http.BasicAuth{
Username: config.GetString("Git.username"),
Password: config.GetString("Git.api_token"),
@@ -163,33 +168,35 @@ func cloneRepo(url string, ws *GitWorkspace) error {
fmt.Printf("Error getting worktree from cloned repo: %v\n", err)
return err
}
serverIdFile, err := ws.FS.OpenFile("/SERVER_ID", os.O_RDWR, 0640)
if err != nil {
if os.IsNotExist(err) {
fmt.Printf("Server ID file not found for %s, adopting domain\n", url)
return nil
if certmanMode == Server {
serverIdFile, err := ws.FS.OpenFile("/SERVER_ID", os.O_RDWR, 0640)
if err != nil {
if os.IsNotExist(err) {
fmt.Printf("Server ID file not found for %s, adopting domain\n", url)
return nil
}
return err
}
serverIdBytes, err := io.ReadAll(serverIdFile)
if err != nil {
return err
}
serverId := strings.TrimSpace(string(serverIdBytes))
if serverId != config.GetString("App.uuid") {
return fmt.Errorf("domain is already managed by server with uuid %s", serverId)
}
return err
}
serverIdBytes, err := io.ReadAll(serverIdFile)
if err != nil {
return err
}
serverId := strings.TrimSpace(string(serverIdBytes))
if serverId != config.GetString("App.uuid") {
return fmt.Errorf("domain is already managed by server with uuid %s", serverId)
}
return nil
}
func addAndPushCerts(domain string, ws *GitWorkspace) error {
func AddAndPushCerts(domain string, ws *GitWorkspace) error {
domainConfig, exists := domainStore.Get(domain)
if !exists {
fmt.Printf("Domain %s config does not exist\n", domain)
return ErrConfigNotFound
}
certsDir, err := getDomainCertsDirWConf(domain, domainConfig)
certsDir, err := DomainCertsDirWConf(domain, domainConfig)
if err != nil {
if errors.Is(err, ErrConfigNotFound) {
fmt.Printf("Domain %s config not found: %v\n", domain, err)
@@ -301,8 +308,8 @@ func addAndPushCerts(domain string, ws *GitWorkspace) error {
return nil
}
func writeCommitHash(hash string, domainConfig *viper.Viper) error {
certsDir, err := getDomainCertsDirWOnlyConf(domainConfig)
func WriteCommitHash(hash string, domainConfig *viper.Viper) error {
certsDir, err := DomainCertsDirWOnlyConf(domainConfig)
if err != nil {
if errors.Is(err, ErrConfigNotFound) {
return err
@@ -318,8 +325,8 @@ func writeCommitHash(hash string, domainConfig *viper.Viper) error {
return nil
}
func getLocalCommitHash(domain string) (string, error) {
certsDir, err := getDomainCertsDir(domain)
func LocalCommitHash(domain string) (string, error) {
certsDir, err := DomainCertsDir(domain)
if err != nil {
if errors.Is(err, ErrConfigNotFound) {
fmt.Printf("Domain %s config not found: %v\n", domain, err)
@@ -330,15 +337,17 @@ func getLocalCommitHash(domain string) (string, error) {
data, err := os.ReadFile(filepath.Join(certsDir, "hash"))
if err != nil {
fmt.Printf("Error reading file for domain %s: %v\n", domain, err)
return "", err
if !os.IsNotExist(err) {
fmt.Printf("Error reading file for domain %s: %v\n", domain, err)
return "", err
}
}
return strings.TrimSpace(string(data)), nil
}
func getRemoteCommitHash(domain string, gitSource GitSource) (string, error) {
domainConfig, exists := domainStore.Get(domain)
func RemoteCommitHash(domain string, gitSource GitSource) (string, error) {
domainConfig, exists := DomainStore().Get(domain)
if !exists {
fmt.Printf("Domain %s config does not exist\n", domain)
return "", ErrConfigNotFound
@@ -354,7 +363,7 @@ func getRemoteCommitHash(domain string, gitSource GitSource) (string, error) {
}
func getRemoteCommitHashGitea(org, repo, branchName string) (string, error) {
giteaClient := createGiteaClient()
giteaClient := CreateGiteaClient()
branch, _, err := giteaClient.GetRepoBranch(org, repo, branchName)
if err != nil {
fmt.Printf("Error getting repo branch: %v\n", err)

1
internal/grpc.go Normal file
View File

@@ -0,0 +1 @@
package internal

107
util.go → internal/util.go
View File

@@ -1,17 +1,17 @@
package main
package internal
import (
"errors"
"fmt"
"io/fs"
"os"
"os/user"
"path/filepath"
"strconv"
"strings"
"syscall"
"code.gitea.io/sdk/gitea"
"github.com/google/go-github/v55/github"
"github.com/spf13/viper"
)
@@ -25,7 +25,6 @@ type Domain struct {
name *string
config *viper.Viper
description *string
ghClient *github.Client
gtClient *gitea.Client
}
@@ -44,7 +43,7 @@ func createPIDFile() {
}
// 0x02
func clearPIDFile() {
func ClearPIDFile() {
file, err := os.OpenFile("/var/run/certman.pid", os.O_RDWR|os.O_CREATE, 0644)
if err != nil {
fmt.Printf("0x02: Error opening PID file: %v\n", err)
@@ -60,7 +59,7 @@ func clearPIDFile() {
}
// 0x03
func createOrUpdatePIDFile(filename string) error {
func CreateOrUpdatePIDFile(filename string) error {
pidBytes, err := os.ReadFile(filename)
if err != nil {
fmt.Printf("0x03: Error reading PID file: %v\n", err)
@@ -142,7 +141,7 @@ func isProcessActive(pid int) (bool, error) {
}
// 0x05
func getDaemonProcess() (*os.Process, error) {
func DaemonProcess() (*os.Process, error) {
pidBytes, err := os.ReadFile("/var/run/certman.pid")
if err != nil {
fmt.Printf("0x05: Error getting PID from /var/run/certman.pid: %v\n", err)
@@ -209,24 +208,29 @@ func createFile(fileName string, filePermission os.FileMode, data []byte) {
}
}
func linkFile(source, target, domain, extension string) error {
func LinkFile(source, target, domain, extension string) error {
if target == "" {
return ErrBlankCert
}
linkInfo, err := os.Stat(target)
if err != nil {
if !os.IsNotExist(err) {
return err
if os.IsNotExist(err) {
err = os.Symlink(source, target)
if err != nil {
return err
}
return nil
}
return err
}
if linkInfo.IsDir() {
target = filepath.Join(target, domain+extension)
err = os.Symlink(source, target)
if err != nil {
return err
}
}
err = os.Symlink(source, target)
if err != nil {
return err
}
return nil
}
@@ -252,24 +256,24 @@ func insert(a []string, index int, value string) []string {
return a
}
func sanitizeDomainKey(s string) string {
func SanitizeDomainKey(s string) string {
s = strings.TrimSpace(strings.ToLower(s))
r := strings.NewReplacer("/", "_", "\\", "_", " ", "_", ":", "_")
return r.Replace(s)
}
// getDomainCertsDir Can return ErrBlankConfigEntry, ErrConfigNotFound, or other errors
func getDomainCertsDir(domain string) (string, error) {
// DomainCertsDir Can return ErrBlankConfigEntry, ErrConfigNotFound, or other errors
func DomainCertsDir(domain string) (string, error) {
domainConfig, exists := domainStore.Get(domain)
if !exists {
return "", ErrConfigNotFound
}
return getDomainCertsDirWConf(domain, domainConfig)
return DomainCertsDirWConf(domain, domainConfig)
}
// getDomainCertsDir Can return ErrBlankConfigEntry or other errors
func getDomainCertsDirWConf(domain string, domainConfig *viper.Viper) (string, error) {
// DomainCertsDirWConf Can return ErrBlankConfigEntry or other errors
func DomainCertsDirWConf(domain string, domainConfig *viper.Viper) (string, error) {
effectiveDataRoot, err := EffectiveString(domainConfig, "Certificates.data_root")
if err != nil {
return "", err
@@ -278,9 +282,9 @@ func getDomainCertsDirWConf(domain string, domainConfig *viper.Viper) (string, e
return filepath.Join(effectiveDataRoot, "certificates", domain), nil
}
func getDomainCertsDirWOnlyConf(domainConfig *viper.Viper) (string, error) {
func DomainCertsDirWOnlyConf(domainConfig *viper.Viper) (string, error) {
domain := domainConfig.GetString("Domain.domain_name")
return getDomainCertsDirWConf(domain, domainConfig)
return DomainCertsDirWConf(domain, domainConfig)
}
func ChownRecursive(path string, uid, gid int) error {
@@ -292,3 +296,64 @@ func ChownRecursive(path string, uid, gid int) error {
return os.Chown(name, uid, gid)
})
}
func LookupGID(group string) (int, error) {
g, err := user.LookupGroup(group)
if err != nil {
return 0, err
}
return strconv.Atoi(g.Gid)
}
// MakeCredential resolves username/groupname to uid/gid for syscall.Credential.
// Note: actually *using* different credentials typically requires the server
// process to have appropriate privileges (often root).
func MakeCredential(username, groupname string) (*syscall.Credential, error) {
var uid, gid uint32
var haveUID, haveGID bool
if username != "" {
u, err := user.Lookup(username)
if err != nil {
return nil, fmt.Errorf("unknown user")
}
parsed, err := strconv.ParseUint(u.Uid, 10, 32)
if err != nil {
return nil, fmt.Errorf("bad uid")
}
uid = uint32(parsed)
haveUID = true
// If group not explicitly provided, default to user's primary group.
if groupname == "" && u.Gid != "" {
parsedG, err := strconv.ParseUint(u.Gid, 10, 32)
if err == nil {
gid = uint32(parsedG)
haveGID = true
}
}
}
if groupname != "" {
g, err := user.LookupGroup(groupname)
if err != nil {
return nil, fmt.Errorf("unknown group")
}
parsed, err := strconv.ParseUint(g.Gid, 10, 32)
if err != nil {
return nil, fmt.Errorf("bad gid")
}
gid = uint32(parsed)
haveGID = true
}
// If only group was provided, keep current uid.
if !haveUID {
uid = uint32(os.Getuid())
}
if !haveGID {
gid = uint32(os.Getgid())
}
return &syscall.Credential{Uid: uid, Gid: gid}, nil
}

54
main.go
View File

@@ -1,24 +1,16 @@
package main
import (
"context"
"fmt"
"os"
"regexp"
"sync"
"git.nevets.tech/Keys/CertManager/commands"
"git.nevets.tech/Keys/CertManager/internal"
"github.com/spf13/cobra"
)
var version = "1.0.0"
var build = "1"
var (
configFile string
ctx context.Context
cancel context.CancelFunc
wg sync.WaitGroup
)
var configFile string
var fqdnRegex = regexp.MustCompile(`^(?i:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$`)
@@ -36,9 +28,9 @@ func main() {
rootCmd.PersistentFlags().StringVarP(&configFile, "config", "c", "/etc/certman/certman.conf", "Configuration file")
rootCmd.AddCommand(basicCmd("version", "Show version", versionResponse))
rootCmd.AddCommand(basicCmd("gen-key", "Generates encryption key", newKey))
rootCmd.AddCommand(basicCmd("dev", "Dev Function", devFunc))
rootCmd.AddCommand(basicCmd("version", "Show version", commands.VersionCmd))
rootCmd.AddCommand(basicCmd("gen-key", "Generates encryption key", commands.NewKeyCmd))
rootCmd.AddCommand(basicCmd("dev", "Dev Function", commands.DevCmd))
var domainCertDir string
newDomainCmd := &cobra.Command{
@@ -49,7 +41,7 @@ func main() {
SilenceErrors: true,
RunE: func(cmd *cobra.Command, args []string) error {
dirOverridden := cmd.Flags().Changed("dir")
return newDomain(args[0], domainCertDir, dirOverridden)
return commands.NewDomainCmd(args[0], domainCertDir, dirOverridden)
},
}
newDomainCmd.Flags().StringVar(&domainCertDir, "dir", "/var/local/certman/certificates/", "Alternate directory for certificates")
@@ -65,7 +57,7 @@ func main() {
RunE: func(cmd *cobra.Command, args []string) error {
switch modeFlag {
case "server", "client":
return install(thinInstallFlag, modeFlag)
return commands.InstallCmd(thinInstallFlag, modeFlag)
default:
return fmt.Errorf("invalid --mode %q (must be server or client)", modeFlag)
}
@@ -89,14 +81,32 @@ func main() {
Short: "Renews a domains certificate",
Args: cobra.ExactArgs(1),
RunE: func(cmd *cobra.Command, args []string) error {
return renewCertFunc(args[0], noPush)
return commands.RenewCertCmd(args[0], noPush, internal.Server)
},
}
renewCertCmd.Flags().BoolVar(&noPush, "no-push", false, "Don't push certs to repo, renew locally only [server mode only]")
certCmd.AddCommand(renewCertCmd)
updateCertLinkCmd := &cobra.Command{
Use: "update-link",
Short: "Update linked certificates",
Args: cobra.ExactArgs(1),
RunE: func(cmd *cobra.Command, args []string) error {
return commands.UpdateLinksCmd(args[0])
},
}
certCmd.AddCommand(updateCertLinkCmd)
rootCmd.AddCommand(certCmd)
rootCmd.AddCommand(&cobra.Command{
Use: "executor",
Short: "Privileged daemon",
RunE: func(cmd *cobra.Command, args []string) error {
return commands.StartExecutorCmd()
},
})
daemonCmd := &cobra.Command{
Use: "daemon",
Short: "Daemon management",
@@ -110,7 +120,7 @@ func main() {
Short: "Start the daemon",
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
return runDaemon()
return commands.RunDaemonCmd()
},
})
@@ -119,7 +129,7 @@ func main() {
Short: "Stop the daemon",
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
return stopDaemon()
return commands.StopDaemonCmd()
},
})
@@ -128,7 +138,7 @@ func main() {
Short: "Reload daemon configs",
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
return reloadDaemon()
return commands.ReloadDaemonCmd()
},
})
@@ -137,7 +147,7 @@ func main() {
Short: "Manually triggers daemon tick",
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
return tickDaemon()
return commands.TickDaemonCmd()
},
})
@@ -146,7 +156,7 @@ func main() {
Short: "Show daemon status",
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
return statusDaemon()
return commands.DaemonStatusCmd()
},
})

27
proto/hook.proto Normal file
View File

@@ -0,0 +1,27 @@
syntax = "proto3";
package hooks.v1;
option go_package = "/v1";
service HookService {
rpc ExecuteHook(ExecuteHookRequest) returns (ExecuteHookResponse);
}
message Hook {
string name = 1;
repeated string command = 2;
string user = 3;
string group = 4;
string cwd = 5;
int32 timeout_seconds = 6;
map<string, string> env = 7;
}
message ExecuteHookRequest {
Hook hook = 1;
}
message ExecuteHookResponse {
string error = 1;
}

5
proto/symlink.proto Normal file
View File

@@ -0,0 +1,5 @@
syntax = "proto3";
package hooks.v1;
option go_package = "/v1";

280
proto/v1/hook.pb.go Normal file
View File

@@ -0,0 +1,280 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v6.30.2
// source: proto/hook.proto
package v1
import (
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
protoimpl "google.golang.org/protobuf/runtime/protoimpl"
reflect "reflect"
sync "sync"
unsafe "unsafe"
)
const (
// Verify that this generated code is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
// Verify that runtime/protoimpl is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)
type Hook struct {
state protoimpl.MessageState `protogen:"open.v1"`
Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
Command []string `protobuf:"bytes,2,rep,name=command,proto3" json:"command,omitempty"`
User string `protobuf:"bytes,3,opt,name=user,proto3" json:"user,omitempty"`
Group string `protobuf:"bytes,4,opt,name=group,proto3" json:"group,omitempty"`
Cwd string `protobuf:"bytes,5,opt,name=cwd,proto3" json:"cwd,omitempty"`
TimeoutSeconds int32 `protobuf:"varint,6,opt,name=timeout_seconds,json=timeoutSeconds,proto3" json:"timeout_seconds,omitempty"`
Env map[string]string `protobuf:"bytes,7,rep,name=env,proto3" json:"env,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
func (x *Hook) Reset() {
*x = Hook{}
mi := &file_proto_hook_proto_msgTypes[0]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
func (x *Hook) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*Hook) ProtoMessage() {}
func (x *Hook) ProtoReflect() protoreflect.Message {
mi := &file_proto_hook_proto_msgTypes[0]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use Hook.ProtoReflect.Descriptor instead.
func (*Hook) Descriptor() ([]byte, []int) {
return file_proto_hook_proto_rawDescGZIP(), []int{0}
}
func (x *Hook) GetName() string {
if x != nil {
return x.Name
}
return ""
}
func (x *Hook) GetCommand() []string {
if x != nil {
return x.Command
}
return nil
}
func (x *Hook) GetUser() string {
if x != nil {
return x.User
}
return ""
}
func (x *Hook) GetGroup() string {
if x != nil {
return x.Group
}
return ""
}
func (x *Hook) GetCwd() string {
if x != nil {
return x.Cwd
}
return ""
}
func (x *Hook) GetTimeoutSeconds() int32 {
if x != nil {
return x.TimeoutSeconds
}
return 0
}
func (x *Hook) GetEnv() map[string]string {
if x != nil {
return x.Env
}
return nil
}
type ExecuteHookRequest struct {
state protoimpl.MessageState `protogen:"open.v1"`
Hook *Hook `protobuf:"bytes,1,opt,name=hook,proto3" json:"hook,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
func (x *ExecuteHookRequest) Reset() {
*x = ExecuteHookRequest{}
mi := &file_proto_hook_proto_msgTypes[1]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
func (x *ExecuteHookRequest) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*ExecuteHookRequest) ProtoMessage() {}
func (x *ExecuteHookRequest) ProtoReflect() protoreflect.Message {
mi := &file_proto_hook_proto_msgTypes[1]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use ExecuteHookRequest.ProtoReflect.Descriptor instead.
func (*ExecuteHookRequest) Descriptor() ([]byte, []int) {
return file_proto_hook_proto_rawDescGZIP(), []int{1}
}
func (x *ExecuteHookRequest) GetHook() *Hook {
if x != nil {
return x.Hook
}
return nil
}
type ExecuteHookResponse struct {
state protoimpl.MessageState `protogen:"open.v1"`
Error string `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
func (x *ExecuteHookResponse) Reset() {
*x = ExecuteHookResponse{}
mi := &file_proto_hook_proto_msgTypes[2]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
func (x *ExecuteHookResponse) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*ExecuteHookResponse) ProtoMessage() {}
func (x *ExecuteHookResponse) ProtoReflect() protoreflect.Message {
mi := &file_proto_hook_proto_msgTypes[2]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use ExecuteHookResponse.ProtoReflect.Descriptor instead.
func (*ExecuteHookResponse) Descriptor() ([]byte, []int) {
return file_proto_hook_proto_rawDescGZIP(), []int{2}
}
func (x *ExecuteHookResponse) GetError() string {
if x != nil {
return x.Error
}
return ""
}
var File_proto_hook_proto protoreflect.FileDescriptor
const file_proto_hook_proto_rawDesc = "" +
"\n" +
"\x10proto/hook.proto\x12\bhooks.v1\"\xfc\x01\n" +
"\x04Hook\x12\x12\n" +
"\x04name\x18\x01 \x01(\tR\x04name\x12\x18\n" +
"\acommand\x18\x02 \x03(\tR\acommand\x12\x12\n" +
"\x04user\x18\x03 \x01(\tR\x04user\x12\x14\n" +
"\x05group\x18\x04 \x01(\tR\x05group\x12\x10\n" +
"\x03cwd\x18\x05 \x01(\tR\x03cwd\x12'\n" +
"\x0ftimeout_seconds\x18\x06 \x01(\x05R\x0etimeoutSeconds\x12)\n" +
"\x03env\x18\a \x03(\v2\x17.hooks.v1.Hook.EnvEntryR\x03env\x1a6\n" +
"\bEnvEntry\x12\x10\n" +
"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"8\n" +
"\x12ExecuteHookRequest\x12\"\n" +
"\x04hook\x18\x01 \x01(\v2\x0e.hooks.v1.HookR\x04hook\"+\n" +
"\x13ExecuteHookResponse\x12\x14\n" +
"\x05error\x18\x01 \x01(\tR\x05error2Y\n" +
"\vHookService\x12J\n" +
"\vExecuteHook\x12\x1c.hooks.v1.ExecuteHookRequest\x1a\x1d.hooks.v1.ExecuteHookResponseB\x05Z\x03/v1b\x06proto3"
var (
file_proto_hook_proto_rawDescOnce sync.Once
file_proto_hook_proto_rawDescData []byte
)
func file_proto_hook_proto_rawDescGZIP() []byte {
file_proto_hook_proto_rawDescOnce.Do(func() {
file_proto_hook_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_proto_hook_proto_rawDesc), len(file_proto_hook_proto_rawDesc)))
})
return file_proto_hook_proto_rawDescData
}
var file_proto_hook_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
var file_proto_hook_proto_goTypes = []any{
(*Hook)(nil), // 0: hooks.v1.Hook
(*ExecuteHookRequest)(nil), // 1: hooks.v1.ExecuteHookRequest
(*ExecuteHookResponse)(nil), // 2: hooks.v1.ExecuteHookResponse
nil, // 3: hooks.v1.Hook.EnvEntry
}
var file_proto_hook_proto_depIdxs = []int32{
3, // 0: hooks.v1.Hook.env:type_name -> hooks.v1.Hook.EnvEntry
0, // 1: hooks.v1.ExecuteHookRequest.hook:type_name -> hooks.v1.Hook
1, // 2: hooks.v1.HookService.ExecuteHook:input_type -> hooks.v1.ExecuteHookRequest
2, // 3: hooks.v1.HookService.ExecuteHook:output_type -> hooks.v1.ExecuteHookResponse
3, // [3:4] is the sub-list for method output_type
2, // [2:3] is the sub-list for method input_type
2, // [2:2] is the sub-list for extension type_name
2, // [2:2] is the sub-list for extension extendee
0, // [0:2] is the sub-list for field type_name
}
func init() { file_proto_hook_proto_init() }
func file_proto_hook_proto_init() {
if File_proto_hook_proto != nil {
return
}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: unsafe.Slice(unsafe.StringData(file_proto_hook_proto_rawDesc), len(file_proto_hook_proto_rawDesc)),
NumEnums: 0,
NumMessages: 4,
NumExtensions: 0,
NumServices: 1,
},
GoTypes: file_proto_hook_proto_goTypes,
DependencyIndexes: file_proto_hook_proto_depIdxs,
MessageInfos: file_proto_hook_proto_msgTypes,
}.Build()
File_proto_hook_proto = out.File
file_proto_hook_proto_goTypes = nil
file_proto_hook_proto_depIdxs = nil
}

121
proto/v1/hook_grpc.pb.go Normal file
View File

@@ -0,0 +1,121 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.0
// - protoc v6.30.2
// source: proto/hook.proto
package v1
import (
context "context"
grpc "google.golang.org/grpc"
codes "google.golang.org/grpc/codes"
status "google.golang.org/grpc/status"
)
// This is a compile-time assertion to ensure that this generated file
// is compatible with the grpc package it is being compiled against.
// Requires gRPC-Go v1.64.0 or later.
const _ = grpc.SupportPackageIsVersion9
const (
HookService_ExecuteHook_FullMethodName = "/hooks.v1.HookService/ExecuteHook"
)
// HookServiceClient is the client API for HookService service.
//
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
type HookServiceClient interface {
ExecuteHook(ctx context.Context, in *ExecuteHookRequest, opts ...grpc.CallOption) (*ExecuteHookResponse, error)
}
type hookServiceClient struct {
cc grpc.ClientConnInterface
}
func NewHookServiceClient(cc grpc.ClientConnInterface) HookServiceClient {
return &hookServiceClient{cc}
}
func (c *hookServiceClient) ExecuteHook(ctx context.Context, in *ExecuteHookRequest, opts ...grpc.CallOption) (*ExecuteHookResponse, error) {
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
out := new(ExecuteHookResponse)
err := c.cc.Invoke(ctx, HookService_ExecuteHook_FullMethodName, in, out, cOpts...)
if err != nil {
return nil, err
}
return out, nil
}
// HookServiceServer is the server API for HookService service.
// All implementations must embed UnimplementedHookServiceServer
// for forward compatibility.
type HookServiceServer interface {
ExecuteHook(context.Context, *ExecuteHookRequest) (*ExecuteHookResponse, error)
mustEmbedUnimplementedHookServiceServer()
}
// UnimplementedHookServiceServer must be embedded to have
// forward compatible implementations.
//
// NOTE: this should be embedded by value instead of pointer to avoid a nil
// pointer dereference when methods are called.
type UnimplementedHookServiceServer struct{}
func (UnimplementedHookServiceServer) ExecuteHook(context.Context, *ExecuteHookRequest) (*ExecuteHookResponse, error) {
return nil, status.Error(codes.Unimplemented, "method ExecuteHook not implemented")
}
func (UnimplementedHookServiceServer) mustEmbedUnimplementedHookServiceServer() {}
func (UnimplementedHookServiceServer) testEmbeddedByValue() {}
// UnsafeHookServiceServer may be embedded to opt out of forward compatibility for this service.
// Use of this interface is not recommended, as added methods to HookServiceServer will
// result in compilation errors.
type UnsafeHookServiceServer interface {
mustEmbedUnimplementedHookServiceServer()
}
func RegisterHookServiceServer(s grpc.ServiceRegistrar, srv HookServiceServer) {
// If the following call panics, it indicates UnimplementedHookServiceServer was
// embedded by pointer and is nil. This will cause panics if an
// unimplemented method is ever invoked, so we test this at initialization
// time to prevent it from happening at runtime later due to I/O.
if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
t.testEmbeddedByValue()
}
s.RegisterService(&HookService_ServiceDesc, srv)
}
func _HookService_ExecuteHook_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(ExecuteHookRequest)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(HookServiceServer).ExecuteHook(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: HookService_ExecuteHook_FullMethodName,
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(HookServiceServer).ExecuteHook(ctx, req.(*ExecuteHookRequest))
}
return interceptor(ctx, in, info, handler)
}
// HookService_ServiceDesc is the grpc.ServiceDesc for HookService service.
// It's only intended for direct use with grpc.RegisterService,
// and not to be introspected or modified (even as a copy)
var HookService_ServiceDesc = grpc.ServiceDesc{
ServiceName: "hooks.v1.HookService",
HandlerType: (*HookServiceServer)(nil),
Methods: []grpc.MethodDesc{
{
MethodName: "ExecuteHook",
Handler: _HookService_ExecuteHook_Handler,
},
},
Streams: []grpc.StreamDesc{},
Metadata: "proto/hook.proto",
}

59
proto/v1/symlink.pb.go Normal file
View File

@@ -0,0 +1,59 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v6.30.2
// source: proto/symlink.proto
package v1
import (
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
protoimpl "google.golang.org/protobuf/runtime/protoimpl"
reflect "reflect"
unsafe "unsafe"
)
const (
// Verify that this generated code is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
// Verify that runtime/protoimpl is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)
var File_proto_symlink_proto protoreflect.FileDescriptor
const file_proto_symlink_proto_rawDesc = "" +
"\n" +
"\x13proto/symlink.proto\x12\bhooks.v1B\x05Z\x03/v1b\x06proto3"
var file_proto_symlink_proto_goTypes = []any{}
var file_proto_symlink_proto_depIdxs = []int32{
0, // [0:0] is the sub-list for method output_type
0, // [0:0] is the sub-list for method input_type
0, // [0:0] is the sub-list for extension type_name
0, // [0:0] is the sub-list for extension extendee
0, // [0:0] is the sub-list for field type_name
}
func init() { file_proto_symlink_proto_init() }
func file_proto_symlink_proto_init() {
if File_proto_symlink_proto != nil {
return
}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: unsafe.Slice(unsafe.StringData(file_proto_symlink_proto_rawDesc), len(file_proto_symlink_proto_rawDesc)),
NumEnums: 0,
NumMessages: 0,
NumExtensions: 0,
NumServices: 0,
},
GoTypes: file_proto_symlink_proto_goTypes,
DependencyIndexes: file_proto_symlink_proto_depIdxs,
}.Build()
File_proto_symlink_proto = out.File
file_proto_symlink_proto_goTypes = nil
file_proto_symlink_proto_depIdxs = nil
}

52
server.go → server/server.go
View File

@@ -1,4 +1,4 @@
package main
package server
import (
"fmt"
@@ -7,23 +7,24 @@ import (
"sync"
"time"
"git.nevets.tech/Keys/CertManager/internal"
"github.com/go-git/go-billy/v5/memfs"
"github.com/go-git/go-git/v5/storage/memory"
)
var (
tickMu sync.Mutex
mgr *ACMEManager
mgr *internal.ACMEManager
mgrMu sync.Mutex
)
func getACMEManager() (*ACMEManager, error) {
func getACMEManager() (*internal.ACMEManager, error) {
mgrMu.Lock()
defer mgrMu.Unlock()
if mgr == nil {
var err error
mgr, err = NewACMEManager()
mgr, err = internal.NewACMEManager()
if err != nil {
return nil, err
}
@@ -31,21 +32,22 @@ func getACMEManager() (*ACMEManager, error) {
return mgr, nil
}
func initServer() {
err := LoadDomainConfigs()
func Init() {
err := internal.LoadDomainConfigs()
if err != nil {
log.Fatalf("Error loading domain configs: %v", err)
}
serverTick()
Tick()
}
func serverTick() {
func Tick() {
tickMu.Lock()
defer tickMu.Unlock()
fmt.Println("Tick!")
mgr, err := getACMEManager()
var err error
mgr, err = getACMEManager()
if err != nil {
fmt.Printf("Error getting acme manager: %v\n", err)
return
@@ -53,7 +55,7 @@ func serverTick() {
now := time.Now().UTC()
localDomainConfigs := domainStore.Snapshot()
localDomainConfigs := internal.DomainStore().Snapshot()
for domainStr, domainConfig := range localDomainConfigs {
if !domainConfig.GetBool("Domain.enabled") {
@@ -75,62 +77,62 @@ func serverTick() {
}
domainConfig.Set("Internal.last_issued", time.Now().UTC().Unix())
err = WriteDomainConfig(domainConfig)
err = internal.WriteDomainConfig(domainConfig)
if err != nil {
fmt.Printf("Error saving domain config %s: %v\n", domainStr, err)
continue
}
err = EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.certsRoot, domainStr, domainStr+".crt"), filepath.Join(mgr.certsRoot, domainStr, domainStr+".crt.crpt"), nil)
err = internal.EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.CertsRoot, domainStr, domainStr+".crt"), filepath.Join(mgr.CertsRoot, domainStr, domainStr+".crt.crpt"), nil)
if err != nil {
fmt.Printf("Error encrypting domain cert for domain %s: %v\n", domainStr, err)
continue
}
err = EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.certsRoot, domainStr, domainStr+".key"), filepath.Join(mgr.certsRoot, domainStr, domainStr+".key.crpt"), nil)
err = internal.EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.CertsRoot, domainStr, domainStr+".key"), filepath.Join(mgr.CertsRoot, domainStr, domainStr+".key.crpt"), nil)
if err != nil {
fmt.Printf("Error encrypting domain key for domain %s: %v\n", domainStr, err)
continue
}
giteaClient := createGiteaClient()
giteaClient := internal.CreateGiteaClient()
if giteaClient == nil {
fmt.Printf("Error creating gitea client for domain %s: %v\n", domainStr, err)
continue
}
gitWorkspace := &GitWorkspace{
gitWorkspace := &internal.GitWorkspace{
Storage: memory.NewStorage(),
FS: memfs.New(),
}
var repoUrl string
if !domainConfig.GetBool("Internal.repo_exists") {
repoUrl = createGiteaRepo(domainStr, giteaClient)
repoUrl = internal.CreateGiteaRepo(domainStr, giteaClient)
if repoUrl == "" {
fmt.Printf("Error creating Gitea repo for domain %s\n", domainStr)
continue
}
domainConfig.Set("Internal.repo_exists", true)
err = WriteDomainConfig(domainConfig)
err = internal.WriteDomainConfig(domainConfig)
if err != nil {
fmt.Printf("Error saving domain config %s: %v\n", domainStr, err)
continue
}
err = initRepo(repoUrl, gitWorkspace)
err = internal.InitRepo(repoUrl, gitWorkspace)
if err != nil {
fmt.Printf("Error initializing repo for domain %s: %v\n", domainStr, err)
continue
}
} else {
repoUrl = config.GetString("Git.server") + "/" + config.GetString("Git.org_name") + "/" + domainStr + domainConfig.GetString("Repo.repo_suffix") + ".git"
err = cloneRepo(repoUrl, gitWorkspace)
repoUrl = internal.Config().GetString("Git.server") + "/" + internal.Config().GetString("Git.org_name") + "/" + domainStr + domainConfig.GetString("Repo.repo_suffix") + ".git"
err = internal.CloneRepo(repoUrl, gitWorkspace, internal.Server)
if err != nil {
fmt.Printf("Error cloning repo for domain %s: %v\n", domainStr, err)
continue
}
}
err = addAndPushCerts(domainStr, gitWorkspace)
err = internal.AddAndPushCerts(domainStr, gitWorkspace)
if err != nil {
fmt.Printf("Error pushing certificates for domain %s: %v\n", domainStr, err)
continue
@@ -138,15 +140,15 @@ func serverTick() {
fmt.Printf("Successfully pushed certificates for domain %s\n", domainStr)
}
}
err = SaveDomainConfigs()
err = internal.SaveDomainConfigs()
if err != nil {
fmt.Printf("Error saving domain configs: %v\n", err)
}
}
func reloadServer() {
func Reload() {
fmt.Println("Reloading configs...")
err := LoadDomainConfigs()
err := internal.LoadDomainConfigs()
if err != nil {
fmt.Printf("Error loading domain configs: %v\n", err)
@@ -160,6 +162,6 @@ func reloadServer() {
fmt.Println("Successfully reloaded configs")
}
func stopServer() {
func Stop() {
fmt.Println("Shutting down server")
}