Added release on build, fixed subdomains with new toml configs, and added trimmed build target

.gitea/workflows/build.yml

@@ -0,0 +1,85 @@
+name: Build (artifact)
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ "master" ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: https://github.com/actions/checkout@v4
+
+      - name: Setup Go
+        uses: https://github.com/actions/setup-go@v5
+        with:
+          go-version: "1.25"
+
+      - name: Install protoc
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y protobuf-compiler
+
+      - name: Install Go protobuf plugins
+        run: |
+          go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
+          go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
+          echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+
+      - name: Read VERSION from Makefile
+        shell: bash
+        run: |
+          VERSION="$(awk -F':=' '/^VERSION[[:space:]]*:=/ {gsub(/[[:space:]]/,"",$2); print $2; exit}' Makefile)"
+          if [ -z "$VERSION" ]; then
+            echo "Failed to read VERSION from Makefile" >&2
+            exit 1
+          fi
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+      - name: Get latest commit message
+        run: echo "COMMIT_MSG=$(git log -1 --pretty=%s)" >> $GITHUB_ENV
+
+      - name: Build
+        run: make build
+
+      - name: Upload artifact
+        uses: https://github.com/actions/upload-artifact@v3
+        with:
+          name: certman-${{ env.VERSION }}-amd64.zip
+          path: certman-${{ env.VERSION }}-amd64
+          if-no-files-found: error
+
+      - name: Create release and upload binary
+        run: |
+            # Create the release
+            RELEASE_RESPONSE=$(curl --fail --silent --show-error \
+              -X POST \
+              -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
+              -H "Content-Type: application/json" \
+              -d '{
+                "tag_name": "v${{ env.VERSION }}",
+                "name": "v${{ env.VERSION }}",
+                "body": "${{ env.COMMIT_MSG }}",
+                "draft": false,
+                "prerelease": false
+              }' \
+              "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases")
+            
+            # Extract the release ID
+            RELEASE_ID=$(echo "$RELEASE_RESPONSE" | jq -r '.id')
+            if [ -z "$RELEASE_ID" ] || [ "$RELEASE_ID" = "null" ]; then
+              echo "Failed to create release" >&2
+              echo "$RELEASE_RESPONSE" >&2
+              exit 1
+            fi
+            
+            # Upload the binary as a release attachment
+            curl --fail --silent --show-error \
+              -X POST \
+              -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
+              -H "Content-Type: application/octet-stream" \
+              --upload-file "certman-${{ env.VERSION }}-amd64" \
+              "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/$RELEASE_ID/assets?name=certman-${{ env.VERSION }}-amd64"

Makefile

@@ -1,12 +1,23 @@
-VERSION := 1.0.0
+VERSION := 1.0.2-beta
+BUILD := $(shell git rev-parse --short HEAD)
 
 GO := go
 
 BUILD_FLAGS := -buildmode=pie -trimpath
-LDFLAGS := -linkmode=external -extldflags="-Wl,-z,relro,-z,now"
+LDFLAGS := -linkmode=external -extldflags="-Wl,-z,relro,-z,now" -X git.nevets.tech/Keys/CertManager/internal.Version=$(VERSION) -X git.nevets.tech/Keys/CertManager/internal.Build=$(BUILD)
 
-build:
-	$(GO) build $(BUILD_FLAGS) -ldflags='$(LDFLAGS)' -o ./certman .
+.PHONY: proto build debug stage
+
+proto:
+	@protoc --go_out=./proto --go-grpc_out=./proto proto/hook.proto
+	@protoc --go_out=./proto --go-grpc_out=./proto proto/symlink.proto
+
+build: proto
+	$(GO) build $(BUILD_FLAGS) -ldflags="-s -w $(LDFLAGS)" -o ./certman .
+	@cp ./certman ./certman-$(VERSION)-amd64
+
+debug: proto
+	$(GO) build $(BUILD_FLAGS) -ldflags="$(LDFLAGS)" -o ./certman .
 	@cp ./certman ./certman-$(VERSION)-amd64
 
 stage: build

certman-exec.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=CertMan Executor daemon
+Requires=certman.socket
+After=network.target
+
+[Service]
+ExecStart=/usr/local/bin/certman executor
+User=root
+Group=root
+
+KillSignal=SIGTERM
+TimeoutStopSec=30
+
+[Install]
+WantedBy=multi-user.target

certman.socket

@@ -0,0 +1,12 @@
+[Unit]
+Description=certman hook daemon socket
+
+[Socket]
+ListenStream=/run/certman.sock
+SocketUser=root
+SocketGroup=certsock
+SocketMode=0660
+RemoveOnStop=true
+
+[Install]
+WantedBy=sockets.target

client/client.go

@@ -1,4 +1,4 @@
-package main
+package client
 
 import (
 	"fmt"
@@ -7,24 +7,26 @@ import (
 	"path/filepath"
 	"strings"
 
+	"git.nevets.tech/Keys/CertManager/internal"
 	"github.com/go-git/go-billy/v5/memfs"
 	"github.com/go-git/go-git/v5/storage/memory"
 )
 
-func initClient() {
-	err := LoadDomainConfigs()
+func Init() {
+	err := internal.LoadDomainConfigs()
 	if err != nil {
 		log.Fatalf("Error loading domain configs: %v", err)
 	}
 
-	clientTick()
+	Tick()
 }
 
-func clientTick() {
+func Tick() {
 	fmt.Println("Tick!")
 
-	// Get local copy of domain configs
-	localDomainConfigs := domainStore.Snapshot()
+	// Get local copy of configs
+	config := internal.Config()
+	localDomainConfigs := internal.DomainStore().Snapshot()
 
 	// Loop over all domain configs (domains)
 	for domainStr, domainConfig := range localDomainConfigs {
@@ -37,16 +39,16 @@ func clientTick() {
 		// If the repo doesn't exist, we can't check for a remote commit, so stop the rest of the check
 		repoExists := domainConfig.GetBool("Internal.repo_exists")
 		if repoExists {
-			localHash, err := getLocalCommitHash(domainStr)
+			localHash, err := internal.LocalCommitHash(domainStr)
 			if err != nil {
 				fmt.Printf("No local commit hash found for domain %s\n", domainStr)
 			}
-			gitSource, err := strToGitSource(config.GetString("Git.host"))
+			gitSource, err := internal.StrToGitSource(internal.Config().GetString("Git.host"))
 			if err != nil {
 				fmt.Printf("Error getting git source for domain %s: %v\n", domainStr, err)
 				continue
 			}
-			remoteHash, err := getRemoteCommitHash(domainStr, gitSource)
+			remoteHash, err := internal.RemoteCommitHash(domainStr, gitSource)
 			if err != nil {
 				fmt.Printf("Error getting remote commit hash for domain %s: %v\n", domainStr, err)
 			}
@@ -58,20 +60,20 @@ func clientTick() {
 			}
 		}
 
-		gitWorkspace := &GitWorkspace{
+		gitWorkspace := &internal.GitWorkspace{
 			Storage: memory.NewStorage(),
 			FS:      memfs.New(),
 		}
 		// Ex: https://git.example.com/Org/Repo-suffix.git
 		// Clones repo and stores in gitWorkspace, skip if clone fails (doesn't exist?)
-		repoUrl := config.GetString("Git.server") + "/" + config.GetString("Git.org_name") + "/" + domainStr + domainConfig.GetString("Repo.repo_suffix") + ".git"
-		err := cloneRepo(repoUrl, gitWorkspace)
+		repoUrl := internal.Config().GetString("Git.server") + "/" + config.GetString("Git.org_name") + "/" + domainStr + domainConfig.GetString("Repo.repo_suffix") + ".git"
+		err := internal.CloneRepo(repoUrl, gitWorkspace, internal.Client)
 		if err != nil {
 			fmt.Printf("Error cloning domain repo %s: %v\n", domainStr, err)
 			continue
 		}
 
-		certsDir, err := getDomainCertsDirWConf(domainStr, domainConfig)
+		certsDir, err := internal.DomainCertsDirWConf(domainStr, domainConfig)
 		if err != nil {
 			fmt.Printf("Error getting certificates dir for domain %s: %v\n", domainStr, err)
 			continue
@@ -104,7 +106,7 @@ func clientTick() {
 					continue
 				}
 
-				err = DecryptFileFromBytes(domainConfig.GetString("Certificates.crypto_key"), fileBytes, filepath.Join(certsDir, filename), nil)
+				err = internal.DecryptFileFromBytes(domainConfig.GetString("Certificates.crypto_key"), fileBytes, filepath.Join(certsDir, filename), nil)
 				if err != nil {
 					fmt.Printf("Error decrypting file %s in domain %s: %v\n", filename, domainStr, err)
 					continue
@@ -116,7 +118,7 @@ func clientTick() {
 					continue
 				}
 
-				err = writeCommitHash(headRef.Hash().String(), domainConfig)
+				err = internal.WriteCommitHash(headRef.Hash().String(), domainConfig)
 				if err != nil {
 					fmt.Printf("Error writing commit hash: %v\n", err)
 					continue
@@ -124,7 +126,7 @@ func clientTick() {
 
 				certLinks := domainConfig.GetStringSlice("Certificates.cert_symlinks")
 				for _, certLink := range certLinks {
-					err = linkFile(filepath.Join(certsDir, domainStr+".crt"), certLink, domainStr, ".crt")
+					err = internal.LinkFile(filepath.Join(certsDir, domainStr+".crt"), certLink, domainStr, ".crt")
 					if err != nil {
 						fmt.Printf("Error linking cert %s to %s: %v\n", certLink, domainStr, err)
 						continue
@@ -133,7 +135,7 @@ func clientTick() {
 
 				keyLinks := domainConfig.GetStringSlice("Certificates.key_symlinks")
 				for _, keyLink := range keyLinks {
-					err = linkFile(filepath.Join(certsDir, domainStr+".crt"), keyLink, domainStr, ".key")
+					err = internal.LinkFile(filepath.Join(certsDir, domainStr+".key"), keyLink, domainStr, ".key")
 					if err != nil {
 						fmt.Printf("Error linking cert %s to %s: %v\n", keyLink, domainStr, err)
 						continue
@@ -144,16 +146,16 @@ func clientTick() {
 	}
 }
 
-func reloadClient() {
+func Reload() {
 	fmt.Println("Reloading configs...")
 
-	err := LoadDomainConfigs()
+	err := internal.LoadDomainConfigs()
 	if err != nil {
 		fmt.Printf("Error loading domain configs: %v\n", err)
 		return
 	}
 }
 
-func stopClient() {
+func Stop() {
 	fmt.Println("Shutting down client")
 }

client/grpc.go

@@ -0,0 +1,49 @@
+package client
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"time"
+
+	"git.nevets.tech/Keys/CertManager/internal"
+	pb "git.nevets.tech/Keys/CertManager/proto/v1"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+func SendHook(domain string) {
+	conn, err := grpc.NewClient(
+		"unix:///run/certman.sock",
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+	)
+	if err != nil {
+		log.Fatalf("fail to dial: %v", err)
+	}
+	defer conn.Close()
+	client := pb.NewHookServiceClient(conn)
+
+	hooks, err := internal.PostPullHooks(domain)
+	if err != nil {
+		fmt.Printf("Error getting hooks: %v\n", err)
+		return
+	}
+
+	for _, hook := range hooks {
+		sendHook(client, hook)
+	}
+}
+
+func sendHook(client pb.HookServiceClient, hook *pb.Hook) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	res, err := client.ExecuteHook(ctx, &pb.ExecuteHookRequest{Hook: hook})
+	if err != nil {
+		fmt.Printf("Error executing hook: %v\n", err)
+		return
+	}
+
+	if res.GetError() != "" {
+		fmt.Printf("Error executing hook: %s\n", res.GetError())
+	}
+}

commands.go

@@ -1,494 +0,0 @@
-package main
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io"
-	"log"
-	"os"
-	"os/exec"
-	"os/signal"
-	"os/user"
-	"path/filepath"
-	"strconv"
-	"strings"
-	"syscall"
-	"time"
-
-	"github.com/go-git/go-billy/v5/memfs"
-	"github.com/go-git/go-git/v5/storage/memory"
-	"github.com/spf13/cobra"
-)
-
-func devFunc(cmd *cobra.Command, args []string) {
-	testDomain := "lunamc.org"
-	//config, err = ezconf.LoadConfiguration("/etc/certman/certman.conf")
-	err := LoadConfig("/etc/certman/certman.conf")
-	if err != nil {
-		log.Fatalf("Error loading configuration: %v\n", err)
-	}
-	err = LoadDomainConfigs()
-	if err != nil {
-		log.Fatalf("Error loading configs: %v\n", err)
-	}
-
-	fmt.Println(testDomain)
-}
-
-func versionResponse(cmd *cobra.Command, args []string) {
-	fmt.Println("CertManager (certman) - Steven Tracey\nVersion: " + version + " build-" + build)
-}
-
-func newKey(cmd *cobra.Command, args []string) {
-	key, err := GenerateKey()
-	if err != nil {
-		log.Fatalf("%v", err)
-	}
-	fmt.Printf(key)
-}
-
-func newDomain(domain, domainDir string, dirOverridden bool) error {
-	//TODO add config option for "overriden dir"
-	fmt.Printf("Creating new domain %s\n", domain)
-	err := createNewDomainConfig(domain)
-	if err != nil {
-		return err
-	}
-	createNewDomainCertsDir(domain, domainDir, dirOverridden)
-
-	certmanUser, err := user.Lookup("certman")
-	if err != nil {
-		return fmt.Errorf("error getting user certman: %v", err)
-	}
-	uid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Uid))
-	if err != nil {
-		return err
-	}
-	gid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Gid))
-	if err != nil {
-		return err
-	}
-	err = ChownRecursive("/etc/certman/domains", uid, gid)
-	if err != nil {
-		return err
-	}
-	err = ChownRecursive("/var/local/certman", uid, gid)
-	if err != nil {
-		return err
-	}
-
-	fmt.Println("Successfully created domain entry for " + domain + "\nUpdate config file as needed in /etc/certman/domains/" + domain + ".conf\n")
-	return nil
-}
-
-func install(isThin bool, mode string) error {
-	if !isThin {
-		if os.Geteuid() != 0 {
-			return fmt.Errorf("installation must be run as root")
-		}
-
-		makeDirs()
-		createNewConfig(mode)
-
-		f, err := os.OpenFile("/var/run/certman.pid", os.O_RDONLY|os.O_CREATE, 0755)
-		if err != nil {
-			return fmt.Errorf("error creating pid file: %v", err)
-		}
-		err = f.Close()
-		if err != nil {
-			return fmt.Errorf("error closing pid file: %v", err)
-		}
-
-		newUserCmd := exec.Command("useradd", "-d", "/var/local/certman", "-U", "-r", "-s", "/sbin/nologin", "certman")
-		if output, err := newUserCmd.CombinedOutput(); err != nil {
-			return fmt.Errorf("error creating user: %v: output %s", err, output)
-		}
-		certmanUser, err := user.Lookup("certman")
-		if err != nil {
-			return fmt.Errorf("error getting user certman: %v", err)
-		}
-		uid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Uid))
-		if err != nil {
-			return err
-		}
-		gid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Gid))
-		if err != nil {
-			return err
-		}
-		err = ChownRecursive("/etc/certman", uid, gid)
-		if err != nil {
-			return fmt.Errorf("error changing uid/gid: %v", err)
-		}
-		err = ChownRecursive("/var/local/certman", uid, gid)
-		if err != nil {
-			return fmt.Errorf("error changing uid/gid: %v", err)
-		}
-		err = os.Chown("/var/run/certman.pid", uid, gid)
-		if err != nil {
-			return fmt.Errorf("error changing uid/gid: %v", err)
-		}
-	} else {
-		createNewConfig(mode)
-	}
-	return nil
-}
-
-func renewCertFunc(domain string, noPush bool) error {
-	err := LoadConfig("/etc/certman/certman.conf")
-	if err != nil {
-		return err
-	}
-	err = LoadDomainConfigs()
-	if err != nil {
-		return err
-	}
-	switch config.GetString("App.mode") {
-	case "server":
-		mgr, err = NewACMEManager()
-		if err != nil {
-			return err
-		}
-		err = renewCerts(domain, noPush)
-		if err != nil {
-			return err
-		}
-		return reloadDaemon()
-	case "client":
-		return pullCerts(domain)
-	default:
-		return fmt.Errorf("invalid operating mode %s", config.GetString("App.mode"))
-	}
-}
-
-func renewCerts(domain string, noPush bool) error {
-	_, err := mgr.RenewForDomain(domain)
-	if err != nil {
-		// if no existing cert, obtain instead
-		_, err = mgr.ObtainForDomain(domain)
-		if err != nil {
-			return fmt.Errorf("error obtaining domain certificates for domain %s: %v", domain, err)
-		}
-	}
-
-	domainConfig, exists := domainStore.Get(domain)
-	if !exists {
-		return fmt.Errorf("domain %s does not exist", domain)
-	}
-
-	domainConfig.Set("Internal.last_issued", time.Now().UTC().Unix())
-	err = WriteDomainConfig(domainConfig)
-	if err != nil {
-		return fmt.Errorf("error saving domain config %s: %v", domain, err)
-	}
-
-	err = EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.certsRoot, domain, domain+".crt"), filepath.Join(mgr.certsRoot, domain, domain+".crt.crpt"), nil)
-	if err != nil {
-		return fmt.Errorf("error encrypting domain cert for domain %s: %v", domain, err)
-	}
-	err = EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.certsRoot, domain, domain+".key"), filepath.Join(mgr.certsRoot, domain, domain+".key.crpt"), nil)
-	if err != nil {
-		return fmt.Errorf("error encrypting domain key for domain %s: %v", domain, err)
-	}
-
-	if !noPush {
-		giteaClient := createGiteaClient()
-		if giteaClient == nil {
-			return fmt.Errorf("error creating gitea client for domain %s: %v", domain, err)
-		}
-		gitWorkspace := &GitWorkspace{
-			Storage: memory.NewStorage(),
-			FS:      memfs.New(),
-		}
-
-		var repoUrl string
-		if !domainConfig.GetBool("Internal.repo_exists") {
-			repoUrl = createGiteaRepo(domain, giteaClient)
-			if repoUrl == "" {
-				return fmt.Errorf("error creating Gitea repo for domain %s", domain)
-			}
-			domainConfig.Set("Internal.repo_exists", true)
-			err = WriteDomainConfig(domainConfig)
-			if err != nil {
-				return fmt.Errorf("error saving domain config %s: %v", domain, err)
-			}
-
-			err = initRepo(repoUrl, gitWorkspace)
-			if err != nil {
-				return fmt.Errorf("error initializing repo for domain %s: %v", domain, err)
-			}
-		} else {
-			repoUrl = config.GetString("Git.server") + "/" + config.GetString("Git.org_name") + "/" + domain + domainConfig.GetString("Repo.repo_suffix") + ".git"
-			err = cloneRepo(repoUrl, gitWorkspace)
-			if err != nil {
-				return fmt.Errorf("error cloning repo for domain %s: %v", domain, err)
-			}
-		}
-
-		err = addAndPushCerts(domain, gitWorkspace)
-		if err != nil {
-			return fmt.Errorf("error pushing certificates for domain %s: %v", domain, err)
-		}
-		fmt.Printf("Successfully pushed certificates for domain %s\n", domain)
-	}
-
-	return nil
-}
-
-func pullCerts(domain string) error {
-	gitWorkspace := &GitWorkspace{
-		Storage: memory.NewStorage(),
-		FS:      memfs.New(),
-	}
-
-	domainConfig, exists := domainStore.Get(domain)
-	if !exists {
-		return fmt.Errorf("domain %s does not exist", domain)
-	}
-
-	// Ex: https://git.example.com/Org/Repo-suffix.git
-	// Clones repo and stores in gitWorkspace, skip if clone fails (doesn't exist?)
-	repoUrl := config.GetString("Git.server") + "/" + config.GetString("Git.org_name") + "/" + domain + domainConfig.GetString("Repo.repo_suffix") + ".git"
-	err := cloneRepo(repoUrl, gitWorkspace)
-	if err != nil {
-		return fmt.Errorf("Error cloning domain repo %s: %v\n", domain, err)
-	}
-
-	certsDir, err := getDomainCertsDirWConf(domain, domainConfig)
-	if err != nil {
-		return fmt.Errorf("Error getting certificates dir for domain %s: %v\n", domain, err)
-	}
-
-	// Get files in repo
-	fileInfos, err := gitWorkspace.FS.ReadDir("/")
-	if err != nil {
-		return fmt.Errorf("Error reading directory in memFS on domain %s: %v\n", domain, err)
-	}
-	// Iterate over files, filtering by .crpt (encrypted) files in case other files were accidentally added
-	for _, fileInfo := range fileInfos {
-		if strings.HasSuffix(fileInfo.Name(), ".crpt") {
-			filename, _ := strings.CutSuffix(fileInfo.Name(), ".crpt")
-			file, err := gitWorkspace.FS.Open(fileInfo.Name())
-			if err != nil {
-				fmt.Printf("Error opening file in memFS on domain %s: %v\n", domain, err)
-				continue
-			}
-			fileBytes, err := io.ReadAll(file)
-			if err != nil {
-				fmt.Printf("Error reading file in memFS on domain %s: %v\n", domain, err)
-				file.Close()
-				continue
-			}
-			err = file.Close()
-			if err != nil {
-				fmt.Printf("Error closing file on domain %s: %v\n", domain, err)
-				continue
-			}
-
-			err = DecryptFileFromBytes(domainConfig.GetString("Certificates.crypto_key"), fileBytes, filepath.Join(certsDir, filename), nil)
-			if err != nil {
-				fmt.Printf("Error decrypting file %s in domain %s: %v\n", filename, domain, err)
-				continue
-			}
-
-			headRef, err := gitWorkspace.Repo.Head()
-			if err != nil {
-				fmt.Printf("Error getting head reference for domain %s: %v\n", domain, err)
-				continue
-			}
-
-			err = writeCommitHash(headRef.Hash().String(), domainConfig)
-			if err != nil {
-				fmt.Printf("Error writing commit hash: %v\n", err)
-				continue
-			}
-
-			certLinks := domainConfig.GetStringSlice("Certificates.cert_symlinks")
-			for _, certLink := range certLinks {
-				if certLink == "" {
-					continue
-				}
-				linkInfo, err := os.Stat(certLink)
-				if err != nil {
-					if !os.IsNotExist(err) {
-						fmt.Printf("Error stating cert link %s: %v\n", certLink, err)
-						continue
-					}
-				}
-				if linkInfo.IsDir() {
-					certLink = filepath.Join(certLink, domain+".crt")
-				}
-
-				err = os.Link(filepath.Join(certsDir, domain+".crt"), certLink)
-				if err != nil {
-					fmt.Printf("Error linking cert %s to %s: %v\n", certLink, domain, err)
-					continue
-				}
-			}
-
-			keyLinks := domainConfig.GetStringSlice("Certificates.key_symlinks")
-			for _, keyLink := range keyLinks {
-				if keyLink == "" {
-					continue
-				}
-				linkInfo, err := os.Stat(keyLink)
-				if err != nil {
-					if !os.IsNotExist(err) {
-						fmt.Printf("Error stating key link %s: %v\n", keyLink, err)
-						continue
-					}
-				}
-				if linkInfo.IsDir() {
-					keyLink = filepath.Join(keyLink, domain+".crt")
-				}
-
-				err = os.Link(filepath.Join(certsDir, domain+".crt"), keyLink)
-				if err != nil {
-					fmt.Printf("Error linking cert %s to %s: %v\n", keyLink, domain, err)
-					continue
-				}
-			}
-		}
-	}
-	return nil
-}
-
-func runDaemon() error {
-	err := createOrUpdatePIDFile("/var/run/certman.pid")
-	if err != nil {
-		if errors.Is(err, ErrorPIDInUse) {
-			return fmt.Errorf("daemon process is already running")
-		}
-		return fmt.Errorf("error creating pidfile: %v", err)
-	}
-
-	ctx, cancel = context.WithCancel(context.Background())
-
-	// Check if main config exists
-	if _, err := os.Stat(configFile); os.IsNotExist(err) {
-		return fmt.Errorf("main config file not found, please run 'certman --install', then properly configure /etc/certman/certman.conf")
-	} else if err != nil {
-		return fmt.Errorf("error opening %s: %v", configFile, err)
-	}
-	err = LoadConfig(configFile)
-	if err != nil {
-		return fmt.Errorf("error loading configuration: %v", err)
-	}
-
-	// Setup SIGINT and SIGTERM listeners
-	sigChannel := make(chan os.Signal, 1)
-	signal.Notify(sigChannel, syscall.SIGINT, syscall.SIGTERM)
-	defer signal.Stop(sigChannel)
-
-	reloadSigChan := make(chan os.Signal, 1)
-	signal.Notify(reloadSigChan, syscall.SIGHUP)
-	defer signal.Stop(reloadSigChan)
-
-	tickSigChan := make(chan os.Signal, 1)
-	signal.Notify(tickSigChan, syscall.SIGUSR1)
-	defer signal.Stop(tickSigChan)
-
-	tickRate := config.GetInt("App.tick_rate")
-	ticker := time.NewTicker(time.Duration(tickRate) * time.Hour)
-	defer ticker.Stop()
-
-	wg.Add(1)
-	if config.GetString("App.mode") == "server" {
-		fmt.Println("Starting CertManager in server mode...")
-		// Server Task loop
-		go func() {
-			initServer()
-			defer wg.Done()
-			for {
-				select {
-				case <-ctx.Done():
-					stopServer()
-					return
-				case <-reloadSigChan:
-					reloadServer()
-				case <-ticker.C:
-					serverTick()
-				case <-tickSigChan:
-					serverTick()
-				}
-			}
-		}()
-	} else if config.GetString("App.mode") == "client" {
-		fmt.Println("Starting CertManager in client mode...")
-		// Client Task loop
-		go func() {
-			initClient()
-			defer wg.Done()
-			for {
-				select {
-				case <-ctx.Done():
-					stopClient()
-					return
-				case <-reloadSigChan:
-					reloadClient()
-				case <-ticker.C:
-					clientTick()
-				}
-			}
-		}()
-	} else {
-		return fmt.Errorf("invalid operating mode \"" + config.GetString("App.mode") + "\"")
-	}
-
-	// Cleanup on stop
-	sig := <-sigChannel
-	fmt.Printf("Program terminated with %v\n", sig.String())
-
-	stop()
-	wg.Wait()
-	return nil
-}
-
-func stop() {
-	cancel()
-	clearPIDFile()
-}
-
-func stopDaemon() error {
-	proc, err := getDaemonProcess()
-	if err != nil {
-		return fmt.Errorf("error getting daemon process: %v", err)
-	}
-
-	err = proc.Signal(syscall.SIGTERM)
-	if err != nil {
-		return fmt.Errorf("error sending SIGTERM to daemon PID: %v", err)
-	}
-	return nil
-}
-
-func reloadDaemon() error {
-	proc, err := getDaemonProcess()
-	if err != nil {
-		return fmt.Errorf("error getting daemon process: %v", err)
-	}
-
-	err = proc.Signal(syscall.SIGHUP)
-	if err != nil {
-		return fmt.Errorf("error sending SIGHUP to daemon PID: %v", err)
-	}
-	return nil
-}
-
-func tickDaemon() error {
-	proc, err := getDaemonProcess()
-	if err != nil {
-		return fmt.Errorf("error getting daemon process: %v", err)
-	}
-
-	err = proc.Signal(syscall.SIGUSR1)
-	if err != nil {
-		return fmt.Errorf("error sending SIGUSR1 to daemon PID: %v", err)
-	}
-	return nil
-}
-
-func statusDaemon() error {
-	fmt.Println("Not implemented :/")
-	return nil
-}

commands/basic.go

@@ -0,0 +1,37 @@
+package commands
+
+import (
+	"fmt"
+	"log"
+
+	"git.nevets.tech/Keys/CertManager/internal"
+	"github.com/spf13/cobra"
+)
+
+func DevCmd(cmd *cobra.Command, args []string) {
+	testDomain := "lunamc.org"
+	err := internal.LoadConfig()
+	if err != nil {
+		log.Fatalf("Error loading configuration: %v\n", err)
+	}
+	err = internal.LoadDomainConfigs()
+	if err != nil {
+		log.Fatalf("Error loading configs: %v\n", err)
+	}
+
+	fmt.Println(testDomain)
+}
+
+func VersionCmd(cmd *cobra.Command, args []string) {
+	fmt.Printf("CertManager (certman) - Steven Tracey\nVersion: %s build-%s\n",
+		internal.Version, internal.Build,
+	)
+}
+
+func NewKeyCmd(cmd *cobra.Command, args []string) {
+	key, err := internal.GenerateKey()
+	if err != nil {
+		log.Fatalf("%v", err)
+	}
+	fmt.Printf(key)
+}

commands/certs.go

@@ -0,0 +1,266 @@
+package commands
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"git.nevets.tech/Keys/CertManager/internal"
+	"github.com/go-git/go-billy/v5/memfs"
+	"github.com/go-git/go-git/v5/storage/memory"
+)
+
+var mgr *internal.ACMEManager
+
+func RenewCertCmd(domain string, noPush bool, certmanMode internal.CertManMode) error {
+	err := internal.LoadConfig()
+	if err != nil {
+		return err
+	}
+	err = internal.LoadDomainConfigs()
+	if err != nil {
+		return err
+	}
+	switch internal.Config().GetString("App.mode") {
+	case "server":
+		mgr, err = internal.NewACMEManager()
+		if err != nil {
+			return err
+		}
+		err = renewCerts(domain, noPush, certmanMode)
+		if err != nil {
+			return err
+		}
+		return ReloadDaemonCmd()
+	case "client":
+		return pullCerts(domain, certmanMode)
+	default:
+		return fmt.Errorf("invalid operating mode %s", internal.Config().GetString("App.mode"))
+	}
+}
+
+func renewCerts(domain string, noPush bool, certmanMode internal.CertManMode) error {
+	_, err := mgr.RenewForDomain(domain)
+	if err != nil {
+		// if no existing cert, obtain instead
+		_, err = mgr.ObtainForDomain(domain)
+		if err != nil {
+			return fmt.Errorf("error obtaining domain certificates for domain %s: %v", domain, err)
+		}
+	}
+
+	domainConfig, exists := internal.DomainStore().Get(domain)
+	if !exists {
+		return fmt.Errorf("domain %s does not exist", domain)
+	}
+
+	domainConfig.Set("Internal.last_issued", time.Now().UTC().Unix())
+	err = internal.WriteDomainConfig(domainConfig)
+	if err != nil {
+		return fmt.Errorf("error saving domain config %s: %v", domain, err)
+	}
+
+	err = internal.EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.CertsRoot, domain, domain+".crt"), filepath.Join(mgr.CertsRoot, domain, domain+".crt.crpt"), nil)
+	if err != nil {
+		return fmt.Errorf("error encrypting domain cert for domain %s: %v", domain, err)
+	}
+	err = internal.EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.CertsRoot, domain, domain+".key"), filepath.Join(mgr.CertsRoot, domain, domain+".key.crpt"), nil)
+	if err != nil {
+		return fmt.Errorf("error encrypting domain key for domain %s: %v", domain, err)
+	}
+
+	if !noPush {
+		giteaClient := internal.CreateGiteaClient()
+		if giteaClient == nil {
+			return fmt.Errorf("error creating gitea client for domain %s: %v", domain, err)
+		}
+		gitWorkspace := &internal.GitWorkspace{
+			Storage: memory.NewStorage(),
+			FS:      memfs.New(),
+		}
+
+		var repoUrl string
+		if !domainConfig.GetBool("Internal.repo_exists") {
+			repoUrl = internal.CreateGiteaRepo(domain, giteaClient)
+			if repoUrl == "" {
+				return fmt.Errorf("error creating Gitea repo for domain %s", domain)
+			}
+			domainConfig.Set("Internal.repo_exists", true)
+			err = internal.WriteDomainConfig(domainConfig)
+			if err != nil {
+				return fmt.Errorf("error saving domain config %s: %v", domain, err)
+			}
+
+			err = internal.InitRepo(repoUrl, gitWorkspace)
+			if err != nil {
+				return fmt.Errorf("error initializing repo for domain %s: %v", domain, err)
+			}
+		} else {
+			repoUrl = internal.Config().GetString("Git.server") + "/" + internal.Config().GetString("Git.org_name") + "/" + domain + domainConfig.GetString("Repo.repo_suffix") + ".git"
+			err = internal.CloneRepo(repoUrl, gitWorkspace, certmanMode)
+			if err != nil {
+				return fmt.Errorf("error cloning repo for domain %s: %v", domain, err)
+			}
+		}
+
+		err = internal.AddAndPushCerts(domain, gitWorkspace)
+		if err != nil {
+			return fmt.Errorf("error pushing certificates for domain %s: %v", domain, err)
+		}
+		fmt.Printf("Successfully pushed certificates for domain %s\n", domain)
+	}
+
+	return nil
+}
+
+func pullCerts(domain string, certmanMode internal.CertManMode) error {
+	gitWorkspace := &internal.GitWorkspace{
+		Storage: memory.NewStorage(),
+		FS:      memfs.New(),
+	}
+
+	domainConfig, exists := internal.DomainStore().Get(domain)
+	if !exists {
+		return fmt.Errorf("domain %s does not exist", domain)
+	}
+
+	// Ex: https://git.example.com/Org/Repo-suffix.git
+	// Clones repo and stores in gitWorkspace, skip if clone fails (doesn't exist?)
+	repoUrl := internal.Config().GetString("Git.server") + "/" + internal.Config().GetString("Git.org_name") + "/" + domain + domainConfig.GetString("Repo.repo_suffix") + ".git"
+	err := internal.CloneRepo(repoUrl, gitWorkspace, certmanMode)
+	if err != nil {
+		return fmt.Errorf("Error cloning domain repo %s: %v\n", domain, err)
+	}
+
+	certsDir, err := internal.DomainCertsDirWConf(domain, domainConfig)
+	if err != nil {
+		return fmt.Errorf("Error getting certificates dir for domain %s: %v\n", domain, err)
+	}
+
+	// Get files in repo
+	fileInfos, err := gitWorkspace.FS.ReadDir("/")
+	if err != nil {
+		return fmt.Errorf("Error reading directory in memFS on domain %s: %v\n", domain, err)
+	}
+	// Iterate over files, filtering by .crpt (encrypted) files in case other files were accidentally added
+	for _, fileInfo := range fileInfos {
+		if strings.HasSuffix(fileInfo.Name(), ".crpt") {
+			filename, _ := strings.CutSuffix(fileInfo.Name(), ".crpt")
+			file, err := gitWorkspace.FS.Open(fileInfo.Name())
+			if err != nil {
+				fmt.Printf("Error opening file in memFS on domain %s: %v\n", domain, err)
+				continue
+			}
+			fileBytes, err := io.ReadAll(file)
+			if err != nil {
+				fmt.Printf("Error reading file in memFS on domain %s: %v\n", domain, err)
+				file.Close()
+				continue
+			}
+			err = file.Close()
+			if err != nil {
+				fmt.Printf("Error closing file on domain %s: %v\n", domain, err)
+				continue
+			}
+
+			err = internal.DecryptFileFromBytes(domainConfig.GetString("Certificates.crypto_key"), fileBytes, filepath.Join(certsDir, filename), nil)
+			if err != nil {
+				fmt.Printf("Error decrypting file %s in domain %s: %v\n", filename, domain, err)
+				continue
+			}
+
+			headRef, err := gitWorkspace.Repo.Head()
+			if err != nil {
+				fmt.Printf("Error getting head reference for domain %s: %v\n", domain, err)
+				continue
+			}
+
+			err = internal.WriteCommitHash(headRef.Hash().String(), domainConfig)
+			if err != nil {
+				fmt.Printf("Error writing commit hash: %v\n", err)
+				continue
+			}
+
+			certLinks := domainConfig.GetStringSlice("Certificates.cert_symlinks")
+			for _, certLink := range certLinks {
+				if certLink == "" {
+					continue
+				}
+				linkInfo, err := os.Stat(certLink)
+				if err != nil {
+					if !os.IsNotExist(err) {
+						fmt.Printf("Error stating cert link %s: %v\n", certLink, err)
+						continue
+					}
+				}
+				if linkInfo.IsDir() {
+					certLink = filepath.Join(certLink, domain+".crt")
+				}
+
+				err = os.Link(filepath.Join(certsDir, domain+".crt"), certLink)
+				if err != nil {
+					fmt.Printf("Error linking cert %s to %s: %v\n", certLink, domain, err)
+					continue
+				}
+			}
+
+			keyLinks := domainConfig.GetStringSlice("Certificates.key_symlinks")
+			for _, keyLink := range keyLinks {
+				if keyLink == "" {
+					continue
+				}
+				linkInfo, err := os.Stat(keyLink)
+				if err != nil {
+					if !os.IsNotExist(err) {
+						fmt.Printf("Error stating key link %s: %v\n", keyLink, err)
+						continue
+					}
+				}
+				if linkInfo.IsDir() {
+					keyLink = filepath.Join(keyLink, domain+".crt")
+				}
+
+				err = os.Link(filepath.Join(certsDir, domain+".crt"), keyLink)
+				if err != nil {
+					fmt.Printf("Error linking cert %s to %s: %v\n", keyLink, domain, err)
+					continue
+				}
+			}
+		}
+	}
+	return nil
+}
+
+func UpdateLinksCmd(domain string) error {
+	domainConfig, exists := internal.DomainStore().Get(domain)
+	if !exists {
+		return fmt.Errorf("domain %s does not exist", domain)
+	}
+
+	certsDir, err := internal.DomainCertsDirWConf(domain, domainConfig)
+	if err != nil {
+		return fmt.Errorf("error getting certificates dir for domain %s: %v", domain, err)
+	}
+
+	certLinks := domainConfig.GetStringSlice("Certificates.cert_symlinks")
+	for _, certLink := range certLinks {
+		err = internal.LinkFile(filepath.Join(certsDir, domain+".crt"), certLink, domain, ".crt")
+		if err != nil {
+			fmt.Printf("Error linking cert %s to %s: %v", certLink, domain, err)
+			continue
+		}
+	}
+
+	keyLinks := domainConfig.GetStringSlice("Certificates.key_symlinks")
+	for _, keyLink := range keyLinks {
+		err = internal.LinkFile(filepath.Join(certsDir, domain+".crt"), keyLink, domain, ".key")
+		if err != nil {
+			fmt.Printf("Error linking cert %s to %s: %v", keyLink, domain, err)
+			continue
+		}
+	}
+	return nil
+}

commands/daemon.go

@@ -0,0 +1,164 @@
+package commands
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"os/signal"
+	"sync"
+	"syscall"
+	"time"
+
+	"git.nevets.tech/Keys/CertManager/client"
+	"git.nevets.tech/Keys/CertManager/internal"
+	"git.nevets.tech/Keys/CertManager/server"
+)
+
+var (
+	ctx    context.Context
+	cancel context.CancelFunc
+	wg     sync.WaitGroup
+)
+
+func RunDaemonCmd() error {
+	err := internal.CreateOrUpdatePIDFile("/var/run/certman.pid")
+	if err != nil {
+		if errors.Is(err, internal.ErrorPIDInUse) {
+			return fmt.Errorf("daemon process is already running")
+		}
+		return fmt.Errorf("error creating pidfile: %v", err)
+	}
+
+	ctx, cancel = context.WithCancel(context.Background())
+
+	// Check if main config exists
+	if _, err := os.Stat("/etc/certman/certman.conf"); os.IsNotExist(err) {
+		return fmt.Errorf("main config file not found, please run 'certman --install', then properly configure /etc/certman/certman.conf")
+	} else if err != nil {
+		return fmt.Errorf("error opening /etc/certman/certman.conf: %v", err)
+	}
+	err = internal.LoadConfig()
+	if err != nil {
+		return fmt.Errorf("error loading configuration: %v", err)
+	}
+
+	// Setup SIGINT and SIGTERM listeners
+	sigChannel := make(chan os.Signal, 1)
+	signal.Notify(sigChannel, syscall.SIGINT, syscall.SIGTERM)
+	defer signal.Stop(sigChannel)
+
+	reloadSigChan := make(chan os.Signal, 1)
+	signal.Notify(reloadSigChan, syscall.SIGHUP)
+	defer signal.Stop(reloadSigChan)
+
+	tickSigChan := make(chan os.Signal, 1)
+	signal.Notify(tickSigChan, syscall.SIGUSR1)
+	defer signal.Stop(tickSigChan)
+
+	tickRate := internal.Config().GetInt("App.tick_rate")
+	ticker := time.NewTicker(time.Duration(tickRate) * time.Hour)
+	defer ticker.Stop()
+
+	wg.Add(1)
+	if internal.Config().GetString("App.mode") == "server" {
+		fmt.Println("Starting CertManager in server mode...")
+		// Server Task loop
+		go func() {
+			server.Init()
+			defer wg.Done()
+			for {
+				select {
+				case <-ctx.Done():
+					server.Stop()
+					return
+				case <-reloadSigChan:
+					server.Reload()
+				case <-ticker.C:
+					server.Tick()
+				case <-tickSigChan:
+					server.Tick()
+				}
+			}
+		}()
+	} else if internal.Config().GetString("App.mode") == "client" {
+		fmt.Println("Starting CertManager in client mode...")
+		// Client Task loop
+		go func() {
+			client.Init()
+			defer wg.Done()
+			for {
+				select {
+				case <-ctx.Done():
+					client.Stop()
+					return
+				case <-reloadSigChan:
+					client.Reload()
+				case <-ticker.C:
+					client.Tick()
+				case <-tickSigChan:
+					client.Tick()
+				}
+			}
+		}()
+	} else {
+		return fmt.Errorf("invalid operating mode \"" + internal.Config().GetString("App.mode") + "\"")
+	}
+
+	// Cleanup on stop
+	sig := <-sigChannel
+	fmt.Printf("Program terminated with %v\n", sig.String())
+
+	stop()
+	wg.Wait()
+	return nil
+}
+
+func stop() {
+	cancel()
+	internal.ClearPIDFile()
+}
+
+func StopDaemonCmd() error {
+	proc, err := internal.DaemonProcess()
+	if err != nil {
+		return fmt.Errorf("error getting daemon process: %v", err)
+	}
+
+	err = proc.Signal(syscall.SIGTERM)
+	if err != nil {
+		return fmt.Errorf("error sending SIGTERM to daemon PID: %v", err)
+	}
+	return nil
+}
+
+func ReloadDaemonCmd() error {
+	proc, err := internal.DaemonProcess()
+	if err != nil {
+		return fmt.Errorf("error getting daemon process: %v", err)
+	}
+
+	err = proc.Signal(syscall.SIGHUP)
+	if err != nil {
+		return fmt.Errorf("error sending SIGHUP to daemon PID: %v", err)
+	}
+	return nil
+}
+
+func TickDaemonCmd() error {
+	proc, err := internal.DaemonProcess()
+	if err != nil {
+		return fmt.Errorf("error getting daemon process: %v", err)
+	}
+
+	err = proc.Signal(syscall.SIGUSR1)
+	if err != nil {
+		return fmt.Errorf("error sending SIGUSR1 to daemon PID: %v", err)
+	}
+	return nil
+}
+
+func DaemonStatusCmd() error {
+	fmt.Println("Not implemented :/")
+	return nil
+}

commands/executor.go

@@ -0,0 +1,27 @@
+package commands
+
+import (
+	"fmt"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"git.nevets.tech/Keys/CertManager/executor"
+)
+
+var executorServer *executor.Server
+
+func StartExecutorCmd() error {
+	executorServer = &executor.Server{}
+
+	sigCh := make(chan os.Signal, 1)
+	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
+	go func() {
+		<-sigCh
+		executorServer.Stop()
+	}()
+	if err := executorServer.Start(); err != nil {
+		return fmt.Errorf("failed to start executor server: %w", err)
+	}
+	return nil
+}

commands/install.go

@@ -0,0 +1,116 @@
+package commands
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"os/user"
+	"strconv"
+	"strings"
+
+	"git.nevets.tech/Keys/CertManager/internal"
+)
+
+func NewDomainCmd(domain, domainDir string, dirOverridden bool) error {
+	//TODO add config option for "overriden dir"
+	err := internal.LoadConfig()
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("Creating new domain %s\n", domain)
+	err = internal.CreateDomainConfig(domain)
+	if err != nil {
+		return err
+	}
+	internal.CreateDomainCertsDir(domain, domainDir, dirOverridden)
+
+	certmanUser, err := user.Lookup("certman")
+	if err != nil {
+		return fmt.Errorf("error getting user certman: %v", err)
+	}
+	uid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Uid))
+	if err != nil {
+		return err
+	}
+	gid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Gid))
+	if err != nil {
+		return err
+	}
+	err = internal.ChownRecursive("/etc/certman/domains", uid, gid)
+	if err != nil {
+		return err
+	}
+	err = internal.ChownRecursive("/var/local/certman", uid, gid)
+	if err != nil {
+		return err
+	}
+
+	fmt.Println("Successfully created domain entry for " + domain + "\nUpdate config file as needed in /etc/certman/domains/" + domain + ".conf\n")
+	return nil
+}
+
+func InstallCmd(isThin bool, mode string) error {
+	if !isThin {
+		if os.Geteuid() != 0 {
+			return fmt.Errorf("installation must be run as root")
+		}
+
+		internal.MakeDirs()
+		internal.CreateConfig(mode)
+
+		err := internal.LoadConfig()
+		if err != nil {
+			return err
+		}
+
+		f, err := os.OpenFile("/var/run/certman.pid", os.O_RDONLY|os.O_CREATE, 0755)
+		if err != nil {
+			return fmt.Errorf("error creating pid file: %v", err)
+		}
+		err = f.Close()
+		if err != nil {
+			return fmt.Errorf("error closing pid file: %v", err)
+		}
+
+		newUserCmd := exec.Command("useradd", "-d", "/var/local/certman", "-U", "-r", "-s", "/sbin/nologin", "certman")
+		if output, err := newUserCmd.CombinedOutput(); err != nil {
+			if !strings.Contains(err.Error(), "exit status 9") {
+				return fmt.Errorf("error creating user: %v: output %s", err, output)
+			}
+		}
+		newGroupCmd := exec.Command("groupadd", "-r", "-U", "certman", "certsock")
+		if output, err := newGroupCmd.CombinedOutput(); err != nil {
+			if !strings.Contains(err.Error(), "exit status 9") {
+				return fmt.Errorf("error creating group: %v: output %s", err, output)
+			}
+		}
+		certmanUser, err := user.Lookup("certman")
+		if err != nil {
+			return fmt.Errorf("error getting user certman: %v", err)
+		}
+		uid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Uid))
+		if err != nil {
+			return err
+		}
+		gid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Gid))
+		if err != nil {
+			return err
+		}
+		err = internal.ChownRecursive("/etc/certman", uid, gid)
+		if err != nil {
+			return fmt.Errorf("error changing uid/gid: %v", err)
+		}
+		err = internal.ChownRecursive("/var/local/certman", uid, gid)
+		if err != nil {
+			return fmt.Errorf("error changing uid/gid: %v", err)
+		}
+		err = os.Chown("/var/run/certman.pid", uid, gid)
+		if err != nil {
+			return fmt.Errorf("error changing uid/gid: %v", err)
+		}
+	} else {
+		internal.CreateConfig(mode)
+	}
+	return nil
+}

example.config.conf

@@ -1,17 +0,0 @@
-[App]
-mode = {mode}
-
-[Git]
-host = gitea
-server = https://gitea.instance.com
-username = user
-org_name = org
-template_name = template
-
-[Certificates]
-email = user@example.com
-data_root = /var/local/certman
-request_method = dns
-
-[Cloudflare]
-cf_email = email@example.com

example.domainconfig.conf

@@ -1,19 +0,0 @@
-[Domain]
-domain_name = {domain}
-; default (use system dns) or IPv4 Address (1.1.1.1)
-dns_server = default
-; optionally use /path/to/directory
-file_location = default
-
-[Certificates]
-subdomains =
-expiry = 90
-cert_symlink =
-key_symlink =
-
-[Repo]
-repo_suffix = -certificates
-
-; Don't change setting below here unless you know what you're doing!
-[Internal]
-last_issued = never

executor/executor.go

@@ -0,0 +1,43 @@
+package executor
+
+import (
+	"fmt"
+	"net"
+	"sync"
+
+	pb "git.nevets.tech/Keys/CertManager/proto/v1"
+	"github.com/coreos/go-systemd/v22/activation"
+	"google.golang.org/grpc"
+)
+
+type Server struct {
+	listener net.Listener
+	wg       sync.WaitGroup
+}
+
+func (s *Server) Start() error {
+	listeners, err := activation.Listeners()
+	if err != nil {
+		return fmt.Errorf("systemd activation listeners: %v", err)
+	}
+	if len(listeners) != 1 {
+		return fmt.Errorf("systemd activation listeners: expected 1, got %d", len(listeners))
+	}
+
+	s.listener = listeners[0]
+	srv := grpc.NewServer()
+	pb.RegisterHookServiceServer(srv, &hookServer{})
+
+	err = srv.Serve(s.listener)
+	if err != nil {
+		return fmt.Errorf("error creating grpc listener: %v", err)
+	}
+	fmt.Printf("Started gRPC server on %s\n", s.listener.Addr())
+	return nil
+}
+
+func (s *Server) Stop() {
+	if s.listener != nil {
+		_ = s.listener.Close()
+	}
+}

executor/hook.go

@@ -0,0 +1,73 @@
+package executor
+
+import (
+	"context"
+	"errors"
+	"os"
+	"os/exec"
+	"syscall"
+	"time"
+
+	"git.nevets.tech/Keys/CertManager/internal"
+	pb "git.nevets.tech/Keys/CertManager/proto/v1"
+)
+
+type hookServer struct {
+	pb.UnimplementedHookServiceServer
+}
+
+func (s *hookServer) ExecuteHook(ctx context.Context, req *pb.ExecuteHookRequest) (*pb.ExecuteHookResponse, error) {
+	h := req.GetHook()
+	if h == nil {
+		return &pb.ExecuteHookResponse{Error: "missing hook"}, nil
+	}
+
+	// Minimal validation
+	if len(h.GetCommand()) == 0 {
+		return &pb.ExecuteHookResponse{Error: "command is empty"}, nil
+	}
+
+	// Timeout
+	timeout := time.Duration(h.GetTimeoutSeconds()) * time.Second
+	if timeout <= 0 {
+		timeout = 30 * time.Second
+	}
+	ctx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+
+	// Build command
+	cmdArgs := h.GetCommand()
+	cmd := exec.CommandContext(ctx, cmdArgs[0], cmdArgs[1:]...)
+	if cwd := h.GetCwd(); cwd != "" {
+		cmd.Dir = cwd
+	}
+
+	// Env: inherit current + overlay provided
+	env := os.Environ()
+	for k, v := range h.GetEnv() {
+		env = append(env, k+"="+v)
+	}
+	cmd.Env = env
+
+	// Run as user/group if specified (Linux/Unix)
+	if h.GetUser() != "" || h.GetGroup() != "" {
+		cred, err := internal.MakeCredential(h.GetUser(), h.GetGroup())
+		if err != nil {
+			return &pb.ExecuteHookResponse{Error: brief(err)}, nil
+		}
+		cmd.SysProcAttr = &syscall.SysProcAttr{
+			Credential: cred,
+		}
+	}
+
+	// We’re intentionally NOT returning stdout/stderr; only a brief error on failure.
+	if err := cmd.Run(); err != nil {
+		// If context deadline hit, make the error message short and explicit.
+		if errors.Is(ctx.Err(), context.DeadlineExceeded) {
+			return &pb.ExecuteHookResponse{Error: "hook timed out"}, nil
+		}
+		return &pb.ExecuteHookResponse{Error: brief(err)}, nil
+	}
+
+	return &pb.ExecuteHookResponse{Error: ""}, nil
+}

executor/util.go

@@ -0,0 +1,8 @@
+package executor
+
+import "fmt"
+
+// brief tries to keep errors short and non-leaky.
+func brief(err error) string {
+	return fmt.Sprintf("hook failed: %v", err)
+}

go.mod

@@ -1,17 +1,19 @@
-module main
+module git.nevets.tech/Keys/CertManager
 
 go 1.25.0
 
 require (
 	code.gitea.io/sdk/gitea v0.23.2
+	github.com/coreos/go-systemd/v22 v22.7.0
 	github.com/go-acme/lego/v4 v4.32.0
 	github.com/go-git/go-billy/v5 v5.8.0
 	github.com/go-git/go-git/v5 v5.17.0
-	github.com/google/go-github/v55 v55.0.0
 	github.com/google/uuid v1.6.0
 	github.com/spf13/cobra v1.10.2
 	github.com/spf13/viper v1.21.0
 	golang.org/x/crypto v0.48.0
+	google.golang.org/grpc v1.78.0
+	google.golang.org/protobuf v1.36.11
 )
 
 require (
@@ -30,7 +32,6 @@ require (
 	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
-	github.com/google/go-querystring v1.2.0 // indirect
 	github.com/hashicorp/go-version v1.8.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
@@ -54,5 +55,6 @@ require (
 	golang.org/x/sys v0.41.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
 	golang.org/x/tools v0.42.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )

go.sum

@@ -15,8 +15,12 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
 github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
+github.com/coreos/go-systemd/v22 v22.7.0 h1:LAEzFkke61DFROc7zNLX/WA2i5J8gYqe0rSj9KI28KA=
+github.com/coreos/go-systemd/v22 v22.7.0/go.mod h1:xNUYtjHu2EDXbsxz1i41wouACIwT7Ybq9o0BQhMwD0w=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
 github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
@@ -50,17 +54,18 @@ github.com/go-git/go-git/v5 v5.17.0 h1:AbyI4xf+7DsjINHMu35quAh4wJygKBKBuXVjV/pxe
 github.com/go-git/go-git/v5 v5.17.0/go.mod h1:f82C4YiLx+Lhi8eHxltLeGC5uBTXSFa6PC5WW9o4SjI=
 github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
 github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
 github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/go-github/v55 v55.0.0 h1:4pp/1tNMB9X/LuAhs5i0KQAE40NmiR/y6prLNb9x9cg=
-github.com/google/go-github/v55 v55.0.0/go.mod h1:JLahOTA1DnXzhxEymmFF5PP2tSS9JVNj68mSZNDwskA=
-github.com/google/go-querystring v1.2.0 h1:yhqkPbu2/OH+V9BfpCVPZkNmUXhb2gBxJArfhIxNtP0=
-github.com/google/go-querystring v1.2.0/go.mod h1:8IFJqpSRITyJ8QhQ13bmbeMBDfmeEJZD5A0egEOmkqU=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/hashicorp/go-version v1.8.0 h1:KAkNb1HAiZd1ukkxDFGmokVZe1Xy9HG6NUp+bPle2i4=
@@ -123,6 +128,18 @@ github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
 github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
+go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
+go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
+go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
+go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
+go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
+go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
+go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
+go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
+go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -163,6 +180,14 @@ golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
 golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 h1:Jr5R2J6F6qWyzINc+4AM8t5pfUz6beZpHp678GNrMbE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
+google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
+google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=

internal/acme_manager.go

@@ -1,5 +1,4 @@
-// acme_manager.go
-package main
+package internal
 
 import (
 	"crypto"
@@ -28,14 +27,14 @@ import (
 // Thread safety for your domain config map
 // (assumes you already have these globals elsewhere)
 // ---------------------------------------------
-// var mu sync.RWMutex
+// var MU sync.RWMutex
 // var domainConfigs map[string]*ezconf.Configuration
 // var config *ezconf.Configuration
 //
 // func getDomainConfig(domain string) (*ezconf.Configuration, bool) { ... }
 
 // ---------------------------------------------
-// ACME account user (file-backed)
+// ACME account User (file-backed)
 // ---------------------------------------------
 
 type fileUser struct {
@@ -54,14 +53,14 @@ func (u *fileUser) GetPrivateKey() crypto.PrivateKey        { return u.privateKe
 // ---------------------------------------------
 
 type ACMEManager struct {
-	mu     sync.Mutex // serializes lego client ops + account writes
-	client *lego.Client
-	user   *fileUser
+	MU     sync.Mutex // serializes lego Client ops + account writes
+	Client *lego.Client
+	User   *fileUser
 
 	// root dirs
 	dataRoot    string // e.g. /var/local/certman
 	accountRoot string // e.g. /var/local/certman/accounts
-	certsRoot   string // e.g. /var/local/certman/certificates
+	CertsRoot   string // e.g. /var/local/certman/certificates
 }
 
 // DomainRuntimeConfig has domain-specific runtime settings derived from main+domain config.
@@ -89,7 +88,7 @@ type StoredCertMeta struct {
 // Public API
 // ---------------------------------------------
 
-// NewACMEManager initializes a long-lived lego client using:
+// NewACMEManager initializes a long-lived lego Client using:
 // - file-backed account
 // - persistent ECDSA P-256 account key
 // - Let’s Encrypt production by default (from config fallback)
@@ -104,20 +103,20 @@ func NewACMEManager() (*ACMEManager, error) {
 	mgr := &ACMEManager{
 		dataRoot:    dataRoot,
 		accountRoot: filepath.Join(dataRoot, "accounts"),
-		certsRoot:   filepath.Join(dataRoot, "certificates"),
+		CertsRoot:   filepath.Join(dataRoot, "certificates"),
 	}
 
 	if err := os.MkdirAll(mgr.accountRoot, 0o700); err != nil {
 		return nil, fmt.Errorf("create account root: %w", err)
 	}
-	if err := os.MkdirAll(mgr.certsRoot, 0o700); err != nil {
+	if err := os.MkdirAll(mgr.CertsRoot, 0o700); err != nil {
 		return nil, fmt.Errorf("create certs root: %w", err)
 	}
 
-	// Create/load file-backed account user
+	// Create/load file-backed account User
 	user, err := loadOrCreateACMEUser(mgr.accountRoot, email)
 	if err != nil {
-		return nil, fmt.Errorf("load/create acme user: %w", err)
+		return nil, fmt.Errorf("load/create acme User: %w", err)
 	}
 
 	// Cloudflare provider (DNS-01 only).
@@ -147,20 +146,20 @@ func NewACMEManager() (*ACMEManager, error) {
 		return nil, fmt.Errorf("set dns-01 provider: %w", err)
 	}
 
-	mgr.client = client
-	mgr.user = user
+	mgr.Client = client
+	mgr.User = user
 
 	// Register account only on first run
-	if mgr.user.Registration == nil {
-		reg, err := mgr.client.Registration.Register(registration.RegisterOptions{
+	if mgr.User.Registration == nil {
+		reg, err := mgr.Client.Registration.Register(registration.RegisterOptions{
 			TermsOfServiceAgreed: true,
 		})
 		if err != nil {
 			return nil, fmt.Errorf("acme registration: %w", err)
 		}
-		mgr.user.Registration = reg
-		if err := saveACMEUser(mgr.accountRoot, mgr.user); err != nil {
-			return nil, fmt.Errorf("save acme user registration: %w", err)
+		mgr.User.Registration = reg
+		if err := saveACMEUser(mgr.accountRoot, mgr.User); err != nil {
+			return nil, fmt.Errorf("save acme User registration: %w", err)
 		}
 	}
 
@@ -184,10 +183,10 @@ func (m *ACMEManager) ObtainForDomain(domainKey string) (*certificate.Resource,
 		Bundle:  true,
 	}
 
-	m.mu.Lock()
-	defer m.mu.Unlock()
+	m.MU.Lock()
+	defer m.MU.Unlock()
 
-	res, err := m.client.Certificate.Obtain(req)
+	res, err := m.Client.Certificate.Obtain(req)
 	if err != nil {
 		return nil, fmt.Errorf("obtain %q: %w", domainKey, err)
 	}
@@ -201,8 +200,8 @@ func (m *ACMEManager) ObtainForDomain(domainKey string) (*certificate.Resource,
 
 // RenewForDomain renews an existing stored cert for a domain key.
 func (m *ACMEManager) RenewForDomain(domainKey string) (*certificate.Resource, error) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
+	m.MU.Lock()
+	defer m.MU.Unlock()
 
 	existing, err := m.loadStoredResource(domainKey)
 	if err != nil {
@@ -210,7 +209,7 @@ func (m *ACMEManager) RenewForDomain(domainKey string) (*certificate.Resource, e
 	}
 
 	// RenewWithOptions is preferred in newer lego versions.
-	renewed, err := m.client.Certificate.RenewWithOptions(*existing, &certificate.RenewOptions{
+	renewed, err := m.Client.Certificate.RenewWithOptions(*existing, &certificate.RenewOptions{
 		Bundle: true,
 	})
 	if err != nil {
@@ -226,8 +225,8 @@ func (m *ACMEManager) RenewForDomain(domainKey string) (*certificate.Resource, e
 
 // GetCertPaths returns disk paths for the domain's cert material.
 func (m *ACMEManager) GetCertPaths(domainKey string) (certPEM, keyPEM string) {
-	base := sanitizeDomainKey(domainKey)
-	dir := filepath.Join(m.certsRoot, base)
+	base := SanitizeDomainKey(domainKey)
+	dir := filepath.Join(m.CertsRoot, base)
 	return filepath.Join(dir, base+".crt"),
 		filepath.Join(dir, base+".key")
 }
@@ -260,8 +259,7 @@ func buildDomainRuntimeConfig(domainKey string) (*DomainRuntimeConfig, error) {
 
 	requestMethod := domainCfg.GetString("Certificates.request_method")
 
-	subdomains := domainCfg.GetString("Certificates.subdomains")
-	subdomainArray := parseCSVLines(subdomains)
+	subdomainArray := domainCfg.GetStringSlice("Certificates.subdomains")
 
 	return &DomainRuntimeConfig{
 		DomainName:    domainName,
@@ -450,7 +448,7 @@ func loadACMEUser(accountRoot string) (*fileUser, error) {
 
 func saveACMEUser(accountRoot string, u *fileUser) error {
 	if u == nil {
-		return errors.New("nil user")
+		return errors.New("nil User")
 	}
 	if err := os.MkdirAll(accountRoot, 0o700); err != nil {
 		return err
@@ -525,8 +523,8 @@ func (m *ACMEManager) saveCertFiles(domainKey string, res *certificate.Resource,
 		return errors.New("nil certificate resource")
 	}
 
-	base := sanitizeDomainKey(domainKey)
-	dir := filepath.Join(m.certsRoot, base)
+	base := SanitizeDomainKey(domainKey)
+	dir := filepath.Join(m.CertsRoot, base)
 	if err := os.MkdirAll(dir, 0o700); err != nil {
 		return err
 	}
@@ -599,8 +597,8 @@ func (m *ACMEManager) saveCertFiles(domainKey string, res *certificate.Resource,
 }
 
 func (m *ACMEManager) loadStoredResource(domainKey string) (*certificate.Resource, error) {
-	base := sanitizeDomainKey(domainKey)
-	dir := filepath.Join(m.certsRoot, base)
+	base := SanitizeDomainKey(domainKey)
+	dir := filepath.Join(m.CertsRoot, base)
 	raw, err := os.ReadFile(filepath.Join(dir, base+".json"))
 	if err != nil {
 		return nil, err
@@ -623,8 +621,8 @@ func (m *ACMEManager) loadStoredResource(domainKey string) (*certificate.Resourc
 }
 
 func (m *ACMEManager) loadMeta(domainKey string) (*StoredCertMeta, error) {
-	base := sanitizeDomainKey(domainKey)
-	dir := filepath.Join(m.certsRoot, base)
+	base := SanitizeDomainKey(domainKey)
+	dir := filepath.Join(m.CertsRoot, base)
 	raw, err := os.ReadFile(filepath.Join(dir, base+".meta.json"))
 	if err != nil {
 		return nil, err

internal/buildinfo.go

@@ -0,0 +1,6 @@
+package internal
+
+var (
+	Version = "dev"
+	Build   = "local"
+)

internal/config.go

@@ -1,4 +1,4 @@
-package main
+package internal
 
 import (
 	"bytes"
@@ -10,6 +10,7 @@ import (
 	"strings"
 	"sync"
 
+	pb "git.nevets.tech/Keys/CertManager/proto/v1"
 	"github.com/google/uuid"
 	"github.com/spf13/viper"
 )
@@ -67,19 +68,43 @@ func (s *DomainConfigStore) Snapshot() map[string]*viper.Viper {
 
 var (
 	config      *viper.Viper
+	configMu    sync.RWMutex
 	domainStore = NewDomainConfigStore()
 )
 
+func Config() *viper.Viper {
+	configMu.RLock()
+	defer configMu.RUnlock()
+	return config
+}
+
+func DomainStore() *DomainConfigStore {
+	domainStore.mu.RLock()
+	defer domainStore.mu.RUnlock()
+	return domainStore
+}
+
 // ---------------------------------------------------------------------------
 //  Loading
 // ---------------------------------------------------------------------------
 
 // LoadConfig reads the main certman.conf into config.
-func LoadConfig(path string) error {
+func LoadConfig() error {
 	config = viper.New()
-	config.SetConfigFile(path)
+	config.SetConfigFile("/etc/certman/certman.conf")
 	config.SetConfigType("toml")
-	return config.ReadInConfig()
+	err := config.ReadInConfig()
+	if err != nil {
+		return err
+	}
+
+	if config.GetString("App.mode") == "server" {
+		config.SetConfigType("toml")
+		config.SetConfigFile("/etc/certman/server.conf")
+		return config.MergeInConfig()
+	}
+
+	return nil
 }
 
 // LoadDomainConfigs reads every .conf file in the domains directory.
@@ -138,12 +163,8 @@ func WriteConfig(filePath string, config *viper.Viper) error {
 	return nil
 }
 
-func WriteMainConfig() error {
-	return WriteConfig("/etc/certman/certman.conf", config)
-}
-
 func WriteDomainConfig(config *viper.Viper) error {
-	return WriteConfig(config.GetString("Domain.domain_name"), config)
+	return WriteConfig(filepath.Join("/etc/certman/domains", config.GetString("Domain.domain_name")+".conf"), config)
 }
 
 // SaveDomainConfigs writes every loaded domain config back to disk.
@@ -157,6 +178,18 @@ func SaveDomainConfigs() error {
 	return nil
 }
 
+// ---------------------------------------------------------------------------
+// Domain Specific Lookups
+// ---------------------------------------------------------------------------
+
+func PostPullHooks(domain string) ([]*pb.Hook, error) {
+	var hooks []*pb.Hook
+	if err := viper.UnmarshalKey("Hooks.PostPull", hooks); err != nil {
+		return nil, err
+	}
+	return hooks, nil
+}
+
 // ---------------------------------------------------------------------------
 //  Effective lookups (domain → global fallback)
 // ---------------------------------------------------------------------------
@@ -223,7 +256,7 @@ func EffectiveBool(domainCfg *viper.Viper, key string) bool {
 //  Directory bootstrapping
 // ---------------------------------------------------------------------------
 
-func makeDirs() {
+func MakeDirs() {
 	dirs := []struct {
 		path string
 		perm os.FileMode
@@ -240,31 +273,49 @@ func makeDirs() {
 	}
 }
 
-func createNewConfig(mode string) {
+func CreateConfig(mode string) {
 	content := strings.NewReplacer(
 		"{mode}", mode,
-		"{uuid}", uuid.New().String(),
 	).Replace(defaultConfig)
 	createFile("/etc/certman/certman.conf", 0640, []byte(content))
+
+	switch mode {
+	case "server":
+		content = strings.NewReplacer(
+			"{uuid}", uuid.New().String(),
+		).Replace(defaultServerConfig)
+		createFile("/etc/certman/server.conf", 640, []byte(content))
+	}
 }
 
-func createNewDomainConfig(domain string) error {
+func CreateDomainConfig(domain string) error {
 	key, err := GenerateKey()
 	if err != nil {
 		return fmt.Errorf("unable to generate key: %v", err)
 	}
 
-	content := strings.NewReplacer(
-		"{domain}", domain,
-		"{key}", key,
-	).Replace(defaultDomainConfig)
+	var content string
+	switch Config().GetString("App.mode") {
+	case "server":
+		content = strings.NewReplacer(
+			"{domain}", domain,
+			"{key}", key,
+		).Replace(defaultServerDomainConfig)
+	case "client":
+		content = strings.NewReplacer(
+			"{domain}", domain,
+			"{key}", key,
+		).Replace(defaultClientDomainConfig)
+	default:
+		return fmt.Errorf("unknown certman mode: %v", Config().GetString("App.mode"))
+	}
 
 	path := filepath.Join("/etc/certman/domains", domain+".conf")
 	createFile(path, 0640, []byte(content))
 	return nil
 }
 
-func createNewDomainCertsDir(domain string, dir string, dirOverride bool) {
+func CreateDomainCertsDir(domain string, dir string, dirOverride bool) {
 	var target string
 	if dirOverride {
 		target = filepath.Join(dir, domain)
@@ -286,49 +337,74 @@ func createNewDomainCertsDir(domain string, dir string, dirOverride bool) {
 // ---------------------------------------------------------------------------
 
 const defaultConfig = `[App]
-mode = "{mode}"
+mode = '{mode}'
 tick_rate = 2
-uuid = "{uuid}"
 
 [Git]
-host = "gitea"
-server = "https://gitea.instance.com"
-username = "user"
-api_token = "xxxxxxxxxxxxxxxxxxxxxxxxx"
-org_name = "org"
+host = 'gitea'
+server = 'https://gitea.instance.com'
+username = 'User'
+api_token = 'xxxxxxxxxxxxxxxxxxxxxxxxx'
+org_name = 'org'
 
 [Certificates]
-email = "user@example.com"
-data_root = "/var/local/certman"
-ca_dir_url = "https://acme-v02.api.letsencrypt.org/directory"
-
-[Cloudflare]
-cf_email = "email@example.com"
-cf_api_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+data_root = '/var/local/certman'
 `
 
-const defaultDomainConfig = `[Domain]
-domain_name = "{domain}"
-enabled = true
-dns_server = "default"
+const defaultServerConfig = `[App]
+uuid = '{uuid}'
 
 [Certificates]
-data_root = ""
+email = 'User@example.com'
+data_root = '/var/local/certman'
+ca_dir_url = 'https://acme-v02.api.letsencrypt.org/directory'
+
+[Cloudflare]
+cf_email = 'email@example.com'
+cf_api_key = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'`
+
+const defaultClientConfig = ``
+
+const defaultServerDomainConfig = `[Domain]
+domain_name = '{domain}'
+enabled = true
+dns_server = 'default'
+
+[Certificates]
+data_root = ''
 expiry = 90
-request_method = "dns-01"
+request_method = 'dns-01'
 renew_period = 30
 subdomains = []
-cert_symlinks = []
-key_symlinks = []
-crypto_key = "{key}"
+crypto_key = '{key}'
 
 [Repo]
-repo_suffix = "-certificates"
+repo_suffix = '-certificates'
 
 [Internal]
 last_issued = 0
 repo_exists = false
-status = "clean"
+status = 'clean'
+`
+
+const defaultClientDomainConfig = `[Certificates]
+data_root = ''
+cert_symlinks = []
+key_symlinks = []
+crypto_key = '{key}'
+
+[Domain]
+domain_name = '{domain}'
+enabled = true
+
+[Hooks.PostPull]
+command = []
+cwd = "/dev/null"
+timeout_seconds = 30
+env = { "FOO" = "bar" }
+
+[Repo]
+repo_suffix = '-certificates'
 `
 
 const readme = ``

internal/crypto.go

@@ -1,4 +1,4 @@
-package main
+package internal
 
 import (
 	"crypto/rand"

internal/git.go

@@ -1,7 +1,6 @@
-package main
+package internal
 
 import (
-	"context"
 	"errors"
 	"fmt"
 	"io"
@@ -17,10 +16,16 @@ import (
 	"github.com/go-git/go-git/v5/plumbing/object"
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/go-git/go-git/v5/storage/memory"
-	"github.com/google/go-github/v55/github"
 	"github.com/spf13/viper"
 )
 
+type CertManMode int
+
+const (
+	Server CertManMode = iota
+	Client
+)
+
 type GitWorkspace struct {
 	Repo     *git.Repository
 	Storage  *memory.Storage
@@ -48,7 +53,7 @@ var GitSourceName = map[GitSource]string{
 	CodeCommit: "code-commit",
 }
 
-func strToGitSource(s string) (GitSource, error) {
+func StrToGitSource(s string) (GitSource, error) {
 	for k, v := range GitSourceName {
 		if v == s {
 			return k, nil
@@ -57,11 +62,11 @@ func strToGitSource(s string) (GitSource, error) {
 	return GitSource(0), errors.New("invalid gitsource name")
 }
 
-func createGithubClient() *github.Client {
-	return github.NewClient(nil).WithAuthToken(config.GetString("Git.api_token"))
-}
+//func createGithubClient() *github.Client {
+//	return github.NewClient(nil).WithAuthToken(config.GetString("Git.api_token"))
+//}
 
-func createGiteaClient() *gitea.Client {
+func CreateGiteaClient() *gitea.Client {
 	client, err := gitea.NewClient(config.GetString("Git.server"), gitea.SetToken(config.GetString("Git.api_token")))
 	if err != nil {
 		fmt.Printf("Error connecting to gitea instance: %v\n", err)
@@ -70,30 +75,30 @@ func createGiteaClient() *gitea.Client {
 	return client
 }
 
-func createGithubRepo(domain *Domain, client *github.Client) string {
-	name := domain.name
-	owner := domain.config.GetString("Repo.owner")
-	description := domain.description
-	private := true
-	includeAllBranches := false
+//func createGithubRepo(domain *Domain, Client *github.Client) string {
+//	name := domain.name
+//	owner := domain.config.GetString("Repo.owner")
+//	description := domain.description
+//	private := true
+//	includeAllBranches := false
+//
+//	ctx := context.Background()
+//	template := &github.TemplateRepoRequest{
+//		Name:               name,
+//		Owner:              &owner,
+//		Description:        description,
+//		Private:            &private,
+//		IncludeAllBranches: &includeAllBranches,
+//	}
+//	repo, _, err := Client.Repositories.CreateFromTemplate(ctx, config.GetString("Git.org_name"), config.GetString("Git.template_name"), template)
+//	if err != nil {
+//		fmt.Println("Error creating repository from template,", err)
+//		return ""
+//	}
+//	return *repo.CloneURL
+//}
 
-	ctx := context.Background()
-	template := &github.TemplateRepoRequest{
-		Name:               name,
-		Owner:              &owner,
-		Description:        description,
-		Private:            &private,
-		IncludeAllBranches: &includeAllBranches,
-	}
-	repo, _, err := client.Repositories.CreateFromTemplate(ctx, config.GetString("Git.org_name"), config.GetString("Git.template_name"), template)
-	if err != nil {
-		fmt.Println("Error creating repository from template,", err)
-		return ""
-	}
-	return *repo.CloneURL
-}
-
-func createGiteaRepo(domain string, giteaClient *gitea.Client) string {
+func CreateGiteaRepo(domain string, giteaClient *gitea.Client) string {
 	domainConfig, exists := domainStore.Get(domain)
 	if !exists {
 		fmt.Printf("Domain %s config does not exist\n", domain)
@@ -121,7 +126,7 @@ func createGiteaRepo(domain string, giteaClient *gitea.Client) string {
 	return giteaRepo.CloneURL
 }
 
-func initRepo(url string, ws *GitWorkspace) error {
+func InitRepo(url string, ws *GitWorkspace) error {
 	var err error
 	ws.Repo, err = git.Init(ws.Storage, ws.FS)
 	if err != nil {
@@ -147,7 +152,7 @@ func initRepo(url string, ws *GitWorkspace) error {
 	return nil
 }
 
-func cloneRepo(url string, ws *GitWorkspace) error {
+func CloneRepo(url string, ws *GitWorkspace, certmanMode CertManMode) error {
 	creds := &http.BasicAuth{
 		Username: config.GetString("Git.username"),
 		Password: config.GetString("Git.api_token"),
@@ -163,33 +168,35 @@ func cloneRepo(url string, ws *GitWorkspace) error {
 		fmt.Printf("Error getting worktree from cloned repo: %v\n", err)
 		return err
 	}
-	serverIdFile, err := ws.FS.OpenFile("/SERVER_ID", os.O_RDWR, 0640)
-	if err != nil {
-		if os.IsNotExist(err) {
-			fmt.Printf("Server ID file not found for %s, adopting domain\n", url)
-			return nil
+	if certmanMode == Server {
+		serverIdFile, err := ws.FS.OpenFile("/SERVER_ID", os.O_RDWR, 0640)
+		if err != nil {
+			if os.IsNotExist(err) {
+				fmt.Printf("Server ID file not found for %s, adopting domain\n", url)
+				return nil
+			}
+			return err
+		}
+		serverIdBytes, err := io.ReadAll(serverIdFile)
+		if err != nil {
+			return err
+		}
+		serverId := strings.TrimSpace(string(serverIdBytes))
+		if serverId != config.GetString("App.uuid") {
+			return fmt.Errorf("domain is already managed by server with uuid %s", serverId)
 		}
-		return err
-	}
-	serverIdBytes, err := io.ReadAll(serverIdFile)
-	if err != nil {
-		return err
-	}
-	serverId := strings.TrimSpace(string(serverIdBytes))
-	if serverId != config.GetString("App.uuid") {
-		return fmt.Errorf("domain is already managed by server with uuid %s", serverId)
 	}
 	return nil
 }
 
-func addAndPushCerts(domain string, ws *GitWorkspace) error {
+func AddAndPushCerts(domain string, ws *GitWorkspace) error {
 	domainConfig, exists := domainStore.Get(domain)
 	if !exists {
 		fmt.Printf("Domain %s config does not exist\n", domain)
 		return ErrConfigNotFound
 	}
 
-	certsDir, err := getDomainCertsDirWConf(domain, domainConfig)
+	certsDir, err := DomainCertsDirWConf(domain, domainConfig)
 	if err != nil {
 		if errors.Is(err, ErrConfigNotFound) {
 			fmt.Printf("Domain %s config not found: %v\n", domain, err)
@@ -301,8 +308,8 @@ func addAndPushCerts(domain string, ws *GitWorkspace) error {
 	return nil
 }
 
-func writeCommitHash(hash string, domainConfig *viper.Viper) error {
-	certsDir, err := getDomainCertsDirWOnlyConf(domainConfig)
+func WriteCommitHash(hash string, domainConfig *viper.Viper) error {
+	certsDir, err := DomainCertsDirWOnlyConf(domainConfig)
 	if err != nil {
 		if errors.Is(err, ErrConfigNotFound) {
 			return err
@@ -318,8 +325,8 @@ func writeCommitHash(hash string, domainConfig *viper.Viper) error {
 	return nil
 }
 
-func getLocalCommitHash(domain string) (string, error) {
-	certsDir, err := getDomainCertsDir(domain)
+func LocalCommitHash(domain string) (string, error) {
+	certsDir, err := DomainCertsDir(domain)
 	if err != nil {
 		if errors.Is(err, ErrConfigNotFound) {
 			fmt.Printf("Domain %s config not found: %v\n", domain, err)
@@ -330,15 +337,17 @@ func getLocalCommitHash(domain string) (string, error) {
 
 	data, err := os.ReadFile(filepath.Join(certsDir, "hash"))
 	if err != nil {
-		fmt.Printf("Error reading file for domain %s: %v\n", domain, err)
-		return "", err
+		if !os.IsNotExist(err) {
+			fmt.Printf("Error reading file for domain %s: %v\n", domain, err)
+			return "", err
+		}
 	}
 
 	return strings.TrimSpace(string(data)), nil
 }
 
-func getRemoteCommitHash(domain string, gitSource GitSource) (string, error) {
-	domainConfig, exists := domainStore.Get(domain)
+func RemoteCommitHash(domain string, gitSource GitSource) (string, error) {
+	domainConfig, exists := DomainStore().Get(domain)
 	if !exists {
 		fmt.Printf("Domain %s config does not exist\n", domain)
 		return "", ErrConfigNotFound
@@ -354,7 +363,7 @@ func getRemoteCommitHash(domain string, gitSource GitSource) (string, error) {
 }
 
 func getRemoteCommitHashGitea(org, repo, branchName string) (string, error) {
-	giteaClient := createGiteaClient()
+	giteaClient := CreateGiteaClient()
 	branch, _, err := giteaClient.GetRepoBranch(org, repo, branchName)
 	if err != nil {
 		fmt.Printf("Error getting repo branch: %v\n", err)

internal/grpc.go

@@ -0,0 +1 @@
+package internal

internal/util.go

@@ -1,17 +1,17 @@
-package main
+package internal
 
 import (
 	"errors"
 	"fmt"
 	"io/fs"
 	"os"
+	"os/user"
 	"path/filepath"
 	"strconv"
 	"strings"
 	"syscall"
 
 	"code.gitea.io/sdk/gitea"
-	"github.com/google/go-github/v55/github"
 	"github.com/spf13/viper"
 )
 
@@ -25,7 +25,6 @@ type Domain struct {
 	name        *string
 	config      *viper.Viper
 	description *string
-	ghClient    *github.Client
 	gtClient    *gitea.Client
 }
 
@@ -44,7 +43,7 @@ func createPIDFile() {
 }
 
 // 0x02
-func clearPIDFile() {
+func ClearPIDFile() {
 	file, err := os.OpenFile("/var/run/certman.pid", os.O_RDWR|os.O_CREATE, 0644)
 	if err != nil {
 		fmt.Printf("0x02: Error opening PID file: %v\n", err)
@@ -60,7 +59,7 @@ func clearPIDFile() {
 }
 
 // 0x03
-func createOrUpdatePIDFile(filename string) error {
+func CreateOrUpdatePIDFile(filename string) error {
 	pidBytes, err := os.ReadFile(filename)
 	if err != nil {
 		fmt.Printf("0x03: Error reading PID file: %v\n", err)
@@ -142,7 +141,7 @@ func isProcessActive(pid int) (bool, error) {
 }
 
 // 0x05
-func getDaemonProcess() (*os.Process, error) {
+func DaemonProcess() (*os.Process, error) {
 	pidBytes, err := os.ReadFile("/var/run/certman.pid")
 	if err != nil {
 		fmt.Printf("0x05: Error getting PID from /var/run/certman.pid: %v\n", err)
@@ -209,24 +208,29 @@ func createFile(fileName string, filePermission os.FileMode, data []byte) {
 	}
 }
 
-func linkFile(source, target, domain, extension string) error {
+func LinkFile(source, target, domain, extension string) error {
 	if target == "" {
 		return ErrBlankCert
 	}
 	linkInfo, err := os.Stat(target)
 	if err != nil {
-		if !os.IsNotExist(err) {
-			return err
+		if os.IsNotExist(err) {
+			err = os.Symlink(source, target)
+			if err != nil {
+				return err
+			}
+			return nil
 		}
+		return err
 	}
 	if linkInfo.IsDir() {
 		target = filepath.Join(target, domain+extension)
+		err = os.Symlink(source, target)
+		if err != nil {
+			return err
+		}
 	}
 
-	err = os.Symlink(source, target)
-	if err != nil {
-		return err
-	}
 	return nil
 }
 
@@ -252,24 +256,24 @@ func insert(a []string, index int, value string) []string {
 	return a
 }
 
-func sanitizeDomainKey(s string) string {
+func SanitizeDomainKey(s string) string {
 	s = strings.TrimSpace(strings.ToLower(s))
 	r := strings.NewReplacer("/", "_", "\\", "_", " ", "_", ":", "_")
 	return r.Replace(s)
 }
 
-// getDomainCertsDir Can return ErrBlankConfigEntry, ErrConfigNotFound, or other errors
-func getDomainCertsDir(domain string) (string, error) {
+// DomainCertsDir Can return ErrBlankConfigEntry, ErrConfigNotFound, or other errors
+func DomainCertsDir(domain string) (string, error) {
 	domainConfig, exists := domainStore.Get(domain)
 	if !exists {
 		return "", ErrConfigNotFound
 	}
 
-	return getDomainCertsDirWConf(domain, domainConfig)
+	return DomainCertsDirWConf(domain, domainConfig)
 }
 
-// getDomainCertsDir Can return ErrBlankConfigEntry or other errors
-func getDomainCertsDirWConf(domain string, domainConfig *viper.Viper) (string, error) {
+// DomainCertsDirWConf Can return ErrBlankConfigEntry or other errors
+func DomainCertsDirWConf(domain string, domainConfig *viper.Viper) (string, error) {
 	effectiveDataRoot, err := EffectiveString(domainConfig, "Certificates.data_root")
 	if err != nil {
 		return "", err
@@ -278,9 +282,9 @@ func getDomainCertsDirWConf(domain string, domainConfig *viper.Viper) (string, e
 	return filepath.Join(effectiveDataRoot, "certificates", domain), nil
 }
 
-func getDomainCertsDirWOnlyConf(domainConfig *viper.Viper) (string, error) {
+func DomainCertsDirWOnlyConf(domainConfig *viper.Viper) (string, error) {
 	domain := domainConfig.GetString("Domain.domain_name")
-	return getDomainCertsDirWConf(domain, domainConfig)
+	return DomainCertsDirWConf(domain, domainConfig)
 }
 
 func ChownRecursive(path string, uid, gid int) error {
@@ -292,3 +296,64 @@ func ChownRecursive(path string, uid, gid int) error {
 		return os.Chown(name, uid, gid)
 	})
 }
+
+func LookupGID(group string) (int, error) {
+	g, err := user.LookupGroup(group)
+	if err != nil {
+		return 0, err
+	}
+	return strconv.Atoi(g.Gid)
+}
+
+// MakeCredential resolves username/groupname to uid/gid for syscall.Credential.
+// Note: actually *using* different credentials typically requires the server
+// process to have appropriate privileges (often root).
+func MakeCredential(username, groupname string) (*syscall.Credential, error) {
+	var uid, gid uint32
+	var haveUID, haveGID bool
+
+	if username != "" {
+		u, err := user.Lookup(username)
+		if err != nil {
+			return nil, fmt.Errorf("unknown user")
+		}
+		parsed, err := strconv.ParseUint(u.Uid, 10, 32)
+		if err != nil {
+			return nil, fmt.Errorf("bad uid")
+		}
+		uid = uint32(parsed)
+		haveUID = true
+
+		// If group not explicitly provided, default to user's primary group.
+		if groupname == "" && u.Gid != "" {
+			parsedG, err := strconv.ParseUint(u.Gid, 10, 32)
+			if err == nil {
+				gid = uint32(parsedG)
+				haveGID = true
+			}
+		}
+	}
+
+	if groupname != "" {
+		g, err := user.LookupGroup(groupname)
+		if err != nil {
+			return nil, fmt.Errorf("unknown group")
+		}
+		parsed, err := strconv.ParseUint(g.Gid, 10, 32)
+		if err != nil {
+			return nil, fmt.Errorf("bad gid")
+		}
+		gid = uint32(parsed)
+		haveGID = true
+	}
+
+	// If only group was provided, keep current uid.
+	if !haveUID {
+		uid = uint32(os.Getuid())
+	}
+	if !haveGID {
+		gid = uint32(os.Getgid())
+	}
+
+	return &syscall.Credential{Uid: uid, Gid: gid}, nil
+}

main.go

@@ -1,24 +1,16 @@
 package main
 
 import (
-	"context"
 	"fmt"
 	"os"
 	"regexp"
-	"sync"
 
+	"git.nevets.tech/Keys/CertManager/commands"
+	"git.nevets.tech/Keys/CertManager/internal"
 	"github.com/spf13/cobra"
 )
 
-var version = "1.0.0"
-var build = "1"
-
-var (
-	configFile string
-	ctx        context.Context
-	cancel     context.CancelFunc
-	wg         sync.WaitGroup
-)
+var configFile string
 
 var fqdnRegex = regexp.MustCompile(`^(?i:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$`)
 
@@ -36,9 +28,9 @@ func main() {
 
 	rootCmd.PersistentFlags().StringVarP(&configFile, "config", "c", "/etc/certman/certman.conf", "Configuration file")
 
-	rootCmd.AddCommand(basicCmd("version", "Show version", versionResponse))
-	rootCmd.AddCommand(basicCmd("gen-key", "Generates encryption key", newKey))
-	rootCmd.AddCommand(basicCmd("dev", "Dev Function", devFunc))
+	rootCmd.AddCommand(basicCmd("version", "Show version", commands.VersionCmd))
+	rootCmd.AddCommand(basicCmd("gen-key", "Generates encryption key", commands.NewKeyCmd))
+	rootCmd.AddCommand(basicCmd("dev", "Dev Function", commands.DevCmd))
 
 	var domainCertDir string
 	newDomainCmd := &cobra.Command{
@@ -49,7 +41,7 @@ func main() {
 		SilenceErrors: true,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			dirOverridden := cmd.Flags().Changed("dir")
-			return newDomain(args[0], domainCertDir, dirOverridden)
+			return commands.NewDomainCmd(args[0], domainCertDir, dirOverridden)
 		},
 	}
 	newDomainCmd.Flags().StringVar(&domainCertDir, "dir", "/var/local/certman/certificates/", "Alternate directory for certificates")
@@ -65,7 +57,7 @@ func main() {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			switch modeFlag {
 			case "server", "client":
-				return install(thinInstallFlag, modeFlag)
+				return commands.InstallCmd(thinInstallFlag, modeFlag)
 			default:
 				return fmt.Errorf("invalid --mode %q (must be server or client)", modeFlag)
 			}
@@ -89,14 +81,32 @@ func main() {
 		Short: "Renews a domains certificate",
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return renewCertFunc(args[0], noPush)
+			return commands.RenewCertCmd(args[0], noPush, internal.Server)
 		},
 	}
 	renewCertCmd.Flags().BoolVar(&noPush, "no-push", false, "Don't push certs to repo, renew locally only [server mode only]")
 	certCmd.AddCommand(renewCertCmd)
 
+	updateCertLinkCmd := &cobra.Command{
+		Use:   "update-link",
+		Short: "Update linked certificates",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return commands.UpdateLinksCmd(args[0])
+		},
+	}
+	certCmd.AddCommand(updateCertLinkCmd)
+
 	rootCmd.AddCommand(certCmd)
 
+	rootCmd.AddCommand(&cobra.Command{
+		Use:   "executor",
+		Short: "Privileged daemon",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return commands.StartExecutorCmd()
+		},
+	})
+
 	daemonCmd := &cobra.Command{
 		Use:   "daemon",
 		Short: "Daemon management",
@@ -110,7 +120,7 @@ func main() {
 		Short: "Start the daemon",
 		Args:  cobra.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return runDaemon()
+			return commands.RunDaemonCmd()
 		},
 	})
 
@@ -119,7 +129,7 @@ func main() {
 		Short: "Stop the daemon",
 		Args:  cobra.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return stopDaemon()
+			return commands.StopDaemonCmd()
 		},
 	})
 
@@ -128,7 +138,7 @@ func main() {
 		Short: "Reload daemon configs",
 		Args:  cobra.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return reloadDaemon()
+			return commands.ReloadDaemonCmd()
 		},
 	})
 
@@ -137,7 +147,7 @@ func main() {
 		Short: "Manually triggers daemon tick",
 		Args:  cobra.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return tickDaemon()
+			return commands.TickDaemonCmd()
 		},
 	})
 
@@ -146,7 +156,7 @@ func main() {
 		Short: "Show daemon status",
 		Args:  cobra.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return statusDaemon()
+			return commands.DaemonStatusCmd()
 		},
 	})
 

proto/hook.proto

@@ -0,0 +1,27 @@
+syntax = "proto3";
+
+package hooks.v1;
+
+option go_package = "/v1";
+
+service HookService {
+  rpc ExecuteHook(ExecuteHookRequest) returns (ExecuteHookResponse);
+}
+
+message Hook {
+  string name = 1;
+  repeated string command = 2;
+  string user = 3;
+  string group = 4;
+  string cwd = 5;
+  int32 timeout_seconds = 6;
+  map<string, string> env = 7;
+}
+
+message ExecuteHookRequest {
+  Hook hook = 1;
+}
+
+message ExecuteHookResponse {
+  string error = 1;
+}

proto/symlink.proto

@@ -0,0 +1,5 @@
+syntax = "proto3";
+
+package hooks.v1;
+
+option go_package = "/v1";

proto/v1/hook.pb.go

@@ -0,0 +1,280 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.36.11
+// 	protoc        v6.30.2
+// source: proto/hook.proto
+
+package v1
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+	unsafe "unsafe"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type Hook struct {
+	state          protoimpl.MessageState `protogen:"open.v1"`
+	Name           string                 `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	Command        []string               `protobuf:"bytes,2,rep,name=command,proto3" json:"command,omitempty"`
+	User           string                 `protobuf:"bytes,3,opt,name=user,proto3" json:"user,omitempty"`
+	Group          string                 `protobuf:"bytes,4,opt,name=group,proto3" json:"group,omitempty"`
+	Cwd            string                 `protobuf:"bytes,5,opt,name=cwd,proto3" json:"cwd,omitempty"`
+	TimeoutSeconds int32                  `protobuf:"varint,6,opt,name=timeout_seconds,json=timeoutSeconds,proto3" json:"timeout_seconds,omitempty"`
+	Env            map[string]string      `protobuf:"bytes,7,rep,name=env,proto3" json:"env,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
+	unknownFields  protoimpl.UnknownFields
+	sizeCache      protoimpl.SizeCache
+}
+
+func (x *Hook) Reset() {
+	*x = Hook{}
+	mi := &file_proto_hook_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *Hook) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Hook) ProtoMessage() {}
+
+func (x *Hook) ProtoReflect() protoreflect.Message {
+	mi := &file_proto_hook_proto_msgTypes[0]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Hook.ProtoReflect.Descriptor instead.
+func (*Hook) Descriptor() ([]byte, []int) {
+	return file_proto_hook_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Hook) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *Hook) GetCommand() []string {
+	if x != nil {
+		return x.Command
+	}
+	return nil
+}
+
+func (x *Hook) GetUser() string {
+	if x != nil {
+		return x.User
+	}
+	return ""
+}
+
+func (x *Hook) GetGroup() string {
+	if x != nil {
+		return x.Group
+	}
+	return ""
+}
+
+func (x *Hook) GetCwd() string {
+	if x != nil {
+		return x.Cwd
+	}
+	return ""
+}
+
+func (x *Hook) GetTimeoutSeconds() int32 {
+	if x != nil {
+		return x.TimeoutSeconds
+	}
+	return 0
+}
+
+func (x *Hook) GetEnv() map[string]string {
+	if x != nil {
+		return x.Env
+	}
+	return nil
+}
+
+type ExecuteHookRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Hook          *Hook                  `protobuf:"bytes,1,opt,name=hook,proto3" json:"hook,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ExecuteHookRequest) Reset() {
+	*x = ExecuteHookRequest{}
+	mi := &file_proto_hook_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ExecuteHookRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ExecuteHookRequest) ProtoMessage() {}
+
+func (x *ExecuteHookRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_proto_hook_proto_msgTypes[1]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ExecuteHookRequest.ProtoReflect.Descriptor instead.
+func (*ExecuteHookRequest) Descriptor() ([]byte, []int) {
+	return file_proto_hook_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *ExecuteHookRequest) GetHook() *Hook {
+	if x != nil {
+		return x.Hook
+	}
+	return nil
+}
+
+type ExecuteHookResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Error         string                 `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ExecuteHookResponse) Reset() {
+	*x = ExecuteHookResponse{}
+	mi := &file_proto_hook_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ExecuteHookResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ExecuteHookResponse) ProtoMessage() {}
+
+func (x *ExecuteHookResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_proto_hook_proto_msgTypes[2]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ExecuteHookResponse.ProtoReflect.Descriptor instead.
+func (*ExecuteHookResponse) Descriptor() ([]byte, []int) {
+	return file_proto_hook_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *ExecuteHookResponse) GetError() string {
+	if x != nil {
+		return x.Error
+	}
+	return ""
+}
+
+var File_proto_hook_proto protoreflect.FileDescriptor
+
+const file_proto_hook_proto_rawDesc = "" +
+	"\n" +
+	"\x10proto/hook.proto\x12\bhooks.v1\"\xfc\x01\n" +
+	"\x04Hook\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12\x18\n" +
+	"\acommand\x18\x02 \x03(\tR\acommand\x12\x12\n" +
+	"\x04user\x18\x03 \x01(\tR\x04user\x12\x14\n" +
+	"\x05group\x18\x04 \x01(\tR\x05group\x12\x10\n" +
+	"\x03cwd\x18\x05 \x01(\tR\x03cwd\x12'\n" +
+	"\x0ftimeout_seconds\x18\x06 \x01(\x05R\x0etimeoutSeconds\x12)\n" +
+	"\x03env\x18\a \x03(\v2\x17.hooks.v1.Hook.EnvEntryR\x03env\x1a6\n" +
+	"\bEnvEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"8\n" +
+	"\x12ExecuteHookRequest\x12\"\n" +
+	"\x04hook\x18\x01 \x01(\v2\x0e.hooks.v1.HookR\x04hook\"+\n" +
+	"\x13ExecuteHookResponse\x12\x14\n" +
+	"\x05error\x18\x01 \x01(\tR\x05error2Y\n" +
+	"\vHookService\x12J\n" +
+	"\vExecuteHook\x12\x1c.hooks.v1.ExecuteHookRequest\x1a\x1d.hooks.v1.ExecuteHookResponseB\x05Z\x03/v1b\x06proto3"
+
+var (
+	file_proto_hook_proto_rawDescOnce sync.Once
+	file_proto_hook_proto_rawDescData []byte
+)
+
+func file_proto_hook_proto_rawDescGZIP() []byte {
+	file_proto_hook_proto_rawDescOnce.Do(func() {
+		file_proto_hook_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_proto_hook_proto_rawDesc), len(file_proto_hook_proto_rawDesc)))
+	})
+	return file_proto_hook_proto_rawDescData
+}
+
+var file_proto_hook_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
+var file_proto_hook_proto_goTypes = []any{
+	(*Hook)(nil),                // 0: hooks.v1.Hook
+	(*ExecuteHookRequest)(nil),  // 1: hooks.v1.ExecuteHookRequest
+	(*ExecuteHookResponse)(nil), // 2: hooks.v1.ExecuteHookResponse
+	nil,                         // 3: hooks.v1.Hook.EnvEntry
+}
+var file_proto_hook_proto_depIdxs = []int32{
+	3, // 0: hooks.v1.Hook.env:type_name -> hooks.v1.Hook.EnvEntry
+	0, // 1: hooks.v1.ExecuteHookRequest.hook:type_name -> hooks.v1.Hook
+	1, // 2: hooks.v1.HookService.ExecuteHook:input_type -> hooks.v1.ExecuteHookRequest
+	2, // 3: hooks.v1.HookService.ExecuteHook:output_type -> hooks.v1.ExecuteHookResponse
+	3, // [3:4] is the sub-list for method output_type
+	2, // [2:3] is the sub-list for method input_type
+	2, // [2:2] is the sub-list for extension type_name
+	2, // [2:2] is the sub-list for extension extendee
+	0, // [0:2] is the sub-list for field type_name
+}
+
+func init() { file_proto_hook_proto_init() }
+func file_proto_hook_proto_init() {
+	if File_proto_hook_proto != nil {
+		return
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_proto_hook_proto_rawDesc), len(file_proto_hook_proto_rawDesc)),
+			NumEnums:      0,
+			NumMessages:   4,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_proto_hook_proto_goTypes,
+		DependencyIndexes: file_proto_hook_proto_depIdxs,
+		MessageInfos:      file_proto_hook_proto_msgTypes,
+	}.Build()
+	File_proto_hook_proto = out.File
+	file_proto_hook_proto_goTypes = nil
+	file_proto_hook_proto_depIdxs = nil
+}

proto/v1/hook_grpc.pb.go

@@ -0,0 +1,121 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.6.0
+// - protoc             v6.30.2
+// source: proto/hook.proto
+
+package v1
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
+
+const (
+	HookService_ExecuteHook_FullMethodName = "/hooks.v1.HookService/ExecuteHook"
+)
+
+// HookServiceClient is the client API for HookService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type HookServiceClient interface {
+	ExecuteHook(ctx context.Context, in *ExecuteHookRequest, opts ...grpc.CallOption) (*ExecuteHookResponse, error)
+}
+
+type hookServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewHookServiceClient(cc grpc.ClientConnInterface) HookServiceClient {
+	return &hookServiceClient{cc}
+}
+
+func (c *hookServiceClient) ExecuteHook(ctx context.Context, in *ExecuteHookRequest, opts ...grpc.CallOption) (*ExecuteHookResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(ExecuteHookResponse)
+	err := c.cc.Invoke(ctx, HookService_ExecuteHook_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// HookServiceServer is the server API for HookService service.
+// All implementations must embed UnimplementedHookServiceServer
+// for forward compatibility.
+type HookServiceServer interface {
+	ExecuteHook(context.Context, *ExecuteHookRequest) (*ExecuteHookResponse, error)
+	mustEmbedUnimplementedHookServiceServer()
+}
+
+// UnimplementedHookServiceServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedHookServiceServer struct{}
+
+func (UnimplementedHookServiceServer) ExecuteHook(context.Context, *ExecuteHookRequest) (*ExecuteHookResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method ExecuteHook not implemented")
+}
+func (UnimplementedHookServiceServer) mustEmbedUnimplementedHookServiceServer() {}
+func (UnimplementedHookServiceServer) testEmbeddedByValue()                     {}
+
+// UnsafeHookServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to HookServiceServer will
+// result in compilation errors.
+type UnsafeHookServiceServer interface {
+	mustEmbedUnimplementedHookServiceServer()
+}
+
+func RegisterHookServiceServer(s grpc.ServiceRegistrar, srv HookServiceServer) {
+	// If the following call panics, it indicates UnimplementedHookServiceServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
+	s.RegisterService(&HookService_ServiceDesc, srv)
+}
+
+func _HookService_ExecuteHook_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ExecuteHookRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(HookServiceServer).ExecuteHook(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: HookService_ExecuteHook_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(HookServiceServer).ExecuteHook(ctx, req.(*ExecuteHookRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// HookService_ServiceDesc is the grpc.ServiceDesc for HookService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var HookService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "hooks.v1.HookService",
+	HandlerType: (*HookServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "ExecuteHook",
+			Handler:    _HookService_ExecuteHook_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "proto/hook.proto",
+}

proto/v1/symlink.pb.go

@@ -0,0 +1,59 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.36.11
+// 	protoc        v6.30.2
+// source: proto/symlink.proto
+
+package v1
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	unsafe "unsafe"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+var File_proto_symlink_proto protoreflect.FileDescriptor
+
+const file_proto_symlink_proto_rawDesc = "" +
+	"\n" +
+	"\x13proto/symlink.proto\x12\bhooks.v1B\x05Z\x03/v1b\x06proto3"
+
+var file_proto_symlink_proto_goTypes = []any{}
+var file_proto_symlink_proto_depIdxs = []int32{
+	0, // [0:0] is the sub-list for method output_type
+	0, // [0:0] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_proto_symlink_proto_init() }
+func file_proto_symlink_proto_init() {
+	if File_proto_symlink_proto != nil {
+		return
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_proto_symlink_proto_rawDesc), len(file_proto_symlink_proto_rawDesc)),
+			NumEnums:      0,
+			NumMessages:   0,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_proto_symlink_proto_goTypes,
+		DependencyIndexes: file_proto_symlink_proto_depIdxs,
+	}.Build()
+	File_proto_symlink_proto = out.File
+	file_proto_symlink_proto_goTypes = nil
+	file_proto_symlink_proto_depIdxs = nil
+}

server/server.go

@@ -1,4 +1,4 @@
-package main
+package server
 
 import (
 	"fmt"
@@ -7,23 +7,24 @@ import (
 	"sync"
 	"time"
 
+	"git.nevets.tech/Keys/CertManager/internal"
 	"github.com/go-git/go-billy/v5/memfs"
 	"github.com/go-git/go-git/v5/storage/memory"
 )
 
 var (
 	tickMu sync.Mutex
-	mgr    *ACMEManager
+	mgr    *internal.ACMEManager
 	mgrMu  sync.Mutex
 )
 
-func getACMEManager() (*ACMEManager, error) {
+func getACMEManager() (*internal.ACMEManager, error) {
 	mgrMu.Lock()
 	defer mgrMu.Unlock()
 
 	if mgr == nil {
 		var err error
-		mgr, err = NewACMEManager()
+		mgr, err = internal.NewACMEManager()
 		if err != nil {
 			return nil, err
 		}
@@ -31,21 +32,22 @@ func getACMEManager() (*ACMEManager, error) {
 	return mgr, nil
 }
 
-func initServer() {
-	err := LoadDomainConfigs()
+func Init() {
+	err := internal.LoadDomainConfigs()
 	if err != nil {
 		log.Fatalf("Error loading domain configs: %v", err)
 	}
 
-	serverTick()
+	Tick()
 }
 
-func serverTick() {
+func Tick() {
 	tickMu.Lock()
 	defer tickMu.Unlock()
 	fmt.Println("Tick!")
 
-	mgr, err := getACMEManager()
+	var err error
+	mgr, err = getACMEManager()
 	if err != nil {
 		fmt.Printf("Error getting acme manager: %v\n", err)
 		return
@@ -53,7 +55,7 @@ func serverTick() {
 
 	now := time.Now().UTC()
 
-	localDomainConfigs := domainStore.Snapshot()
+	localDomainConfigs := internal.DomainStore().Snapshot()
 
 	for domainStr, domainConfig := range localDomainConfigs {
 		if !domainConfig.GetBool("Domain.enabled") {
@@ -75,62 +77,62 @@ func serverTick() {
 			}
 
 			domainConfig.Set("Internal.last_issued", time.Now().UTC().Unix())
-			err = WriteDomainConfig(domainConfig)
+			err = internal.WriteDomainConfig(domainConfig)
 			if err != nil {
 				fmt.Printf("Error saving domain config %s: %v\n", domainStr, err)
 				continue
 			}
 
-			err = EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.certsRoot, domainStr, domainStr+".crt"), filepath.Join(mgr.certsRoot, domainStr, domainStr+".crt.crpt"), nil)
+			err = internal.EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.CertsRoot, domainStr, domainStr+".crt"), filepath.Join(mgr.CertsRoot, domainStr, domainStr+".crt.crpt"), nil)
 			if err != nil {
 				fmt.Printf("Error encrypting domain cert for domain %s: %v\n", domainStr, err)
 				continue
 			}
-			err = EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.certsRoot, domainStr, domainStr+".key"), filepath.Join(mgr.certsRoot, domainStr, domainStr+".key.crpt"), nil)
+			err = internal.EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.CertsRoot, domainStr, domainStr+".key"), filepath.Join(mgr.CertsRoot, domainStr, domainStr+".key.crpt"), nil)
 			if err != nil {
 				fmt.Printf("Error encrypting domain key for domain %s: %v\n", domainStr, err)
 				continue
 			}
 
-			giteaClient := createGiteaClient()
+			giteaClient := internal.CreateGiteaClient()
 			if giteaClient == nil {
 				fmt.Printf("Error creating gitea client for domain %s: %v\n", domainStr, err)
 				continue
 			}
-			gitWorkspace := &GitWorkspace{
+			gitWorkspace := &internal.GitWorkspace{
 				Storage: memory.NewStorage(),
 				FS:      memfs.New(),
 			}
 
 			var repoUrl string
 			if !domainConfig.GetBool("Internal.repo_exists") {
-				repoUrl = createGiteaRepo(domainStr, giteaClient)
+				repoUrl = internal.CreateGiteaRepo(domainStr, giteaClient)
 				if repoUrl == "" {
 					fmt.Printf("Error creating Gitea repo for domain %s\n", domainStr)
 					continue
 				}
 				domainConfig.Set("Internal.repo_exists", true)
-				err = WriteDomainConfig(domainConfig)
+				err = internal.WriteDomainConfig(domainConfig)
 				if err != nil {
 					fmt.Printf("Error saving domain config %s: %v\n", domainStr, err)
 					continue
 				}
 
-				err = initRepo(repoUrl, gitWorkspace)
+				err = internal.InitRepo(repoUrl, gitWorkspace)
 				if err != nil {
 					fmt.Printf("Error initializing repo for domain %s: %v\n", domainStr, err)
 					continue
 				}
 			} else {
-				repoUrl = config.GetString("Git.server") + "/" + config.GetString("Git.org_name") + "/" + domainStr + domainConfig.GetString("Repo.repo_suffix") + ".git"
-				err = cloneRepo(repoUrl, gitWorkspace)
+				repoUrl = internal.Config().GetString("Git.server") + "/" + internal.Config().GetString("Git.org_name") + "/" + domainStr + domainConfig.GetString("Repo.repo_suffix") + ".git"
+				err = internal.CloneRepo(repoUrl, gitWorkspace, internal.Server)
 				if err != nil {
 					fmt.Printf("Error cloning repo for domain %s: %v\n", domainStr, err)
 					continue
 				}
 			}
 
-			err = addAndPushCerts(domainStr, gitWorkspace)
+			err = internal.AddAndPushCerts(domainStr, gitWorkspace)
 			if err != nil {
 				fmt.Printf("Error pushing certificates for domain %s: %v\n", domainStr, err)
 				continue
@@ -138,15 +140,15 @@ func serverTick() {
 			fmt.Printf("Successfully pushed certificates for domain %s\n", domainStr)
 		}
 	}
-	err = SaveDomainConfigs()
+	err = internal.SaveDomainConfigs()
 	if err != nil {
 		fmt.Printf("Error saving domain configs: %v\n", err)
 	}
 }
 
-func reloadServer() {
+func Reload() {
 	fmt.Println("Reloading configs...")
-	err := LoadDomainConfigs()
+	err := internal.LoadDomainConfigs()
 
 	if err != nil {
 		fmt.Printf("Error loading domain configs: %v\n", err)
@@ -160,6 +162,6 @@ func reloadServer() {
 	fmt.Println("Successfully reloaded configs")
 }
 
-func stopServer() {
+func Stop() {
 	fmt.Println("Shutting down server")
 }