Steven/certman
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity

Compare commits

base: Steven:v1.0.0
Branches Tags
Steven:master
Steven:v1.1.2-beta Steven:v1.1.1-beta Steven:v1.1.0-beta Steven:v1.0.2-beta Steven:v1.0.1-beta Steven:v1.0.0
...
compare: Steven:v1.1.1-beta
Branches Tags
Steven:master
Steven:v1.1.2-beta Steven:v1.1.1-beta Steven:v1.1.0-beta Steven:v1.0.2-beta Steven:v1.0.1-beta Steven:v1.0.0

10 Commits
v1.0.0 ... v1.1.1-bet

Author SHA1 Message Date
Steven Tracey
f09d9cc359 [CI-SKIP] Fix go.mod
All checks were successful
Build (artifact) / build (push) Has been skipped
Details
2026-03-16 22:48:47 +01:00
Steven Tracey
2414dc64c6 Fix CI
All checks were successful
Build (artifact) / build (push) Successful in 1m9s
Details
2026-03-16 21:54:24 +01:00
Steven Tracey
e0f68788c0 Major Refactoring, Client can now be used as a library
Some checks failed
Build (artifact) / build (push) Failing after 1m3s
Details
2026-03-16 21:48:32 +01:00
Steven Tracey
e6a2ba2f8b [CI-SKIP] Update README a lil, add CI SKIP feature to gitea workflow
All checks were successful
Build (artifact) / build (push) Has been skipped
Details
2026-03-08 23:14:40 +01:00
Steven Tracey
41b3a76c3b Added release on build, fixed subdomains with new toml configs, and added trimmed build target
All checks were successful
Build (artifact) / build (push) Successful in 25s
Details
2026-03-08 22:45:49 +01:00
Steven Tracey
a9c1529f9d Downgrade upload-artifact from v4 to v3
All checks were successful
Build (artifact) / build (push) Successful in 1m7s
Details
2026-03-08 22:05:54 +01:00
Steven Tracey
693c324eb0 Fixed gitea actions file to use fill github paths 2026-03-08 21:29:49 +01:00
Steven Tracey
e806470b11 Fixed relative path saving configs in wrong dir 2026-03-08 20:17:24 +01:00
Steven Tracey
45495f4b47 Major refactoring 2026-03-04 18:28:52 +01:00
Steven Tracey
2cbab1a0a2 Major refactoring, updated config structure 2026-02-28 00:59:11 +01:00
52 changed files with 2789 additions and 1595 deletions
Expand all files Collapse all files

86
.gitea/workflows/build.yml Normal file
View File

@@ -0,0 +1,86 @@
name: Build (artifact)
on:
workflow_dispatch:
push:
branches: [ "master" ]
jobs:
build:
runs-on: ubuntu-latest
if: "!contains(github.event.head_commit.message, '[CI-SKIP]')"
steps:
- name: Checkout
uses: https://github.com/actions/checkout@v4
- name: Setup Go
uses: https://github.com/actions/setup-go@v5
with:
go-version: "1.25"
- name: Install protoc
run: |
sudo apt-get update
sudo apt-get install -y protobuf-compiler
- name: Install Go protobuf plugins
run: |
go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
- name: Read VERSION from Makefile
shell: bash
run: |
VERSION="$(awk -F':=' '/^VERSION[[:space:]]*:=/ {gsub(/[[:space:]]/,"",$2); print $2; exit}' Makefile)"
if [ -z "$VERSION" ]; then
echo "Failed to read VERSION from Makefile" >&2
exit 1
fi
echo "VERSION=$VERSION" >> $GITHUB_ENV
- name: Get latest commit message
run: echo "COMMIT_MSG=$(git log -1 --pretty=%s)" >> $GITHUB_ENV
- name: Build
run: make build
- name: Upload artifact
uses: https://github.com/actions/upload-artifact@v3
with:
name: certman-${{ env.VERSION }}-amd64.zip
path: bin/
if-no-files-found: error
- name: Create release and upload binary
run: |
BODY=$(jq -n --arg tag "v${{ env.VERSION }}" --arg msg "$COMMIT_MSG" \
'{tag_name: $tag, name: $tag, body: $msg, draft: false, prerelease: false}')
# Create the release
RELEASE_RESPONSE=$(curl --fail --silent --show-error \
-X POST \
-H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
-H "Content-Type: application/json" \
-d "$BODY" \
"${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases")
# Extract the release ID
RELEASE_ID=$(echo "$RELEASE_RESPONSE" | jq -r '.id')
if [ -z "$RELEASE_ID" ] || [ "$RELEASE_ID" = "null" ]; then
echo "Failed to create release" >&2
echo "$RELEASE_RESPONSE" >&2
exit 1
fi
# Upload the binaries as release attachments
for binary in bin/*; do
FILENAME=$(basename "$binary")
echo "Uploading $FILENAME..."
curl --fail --silent --show-error \
-X POST \
-H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
-H "Content-Type: application/octet-stream" \
--upload-file "$binary" \
"${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/$RELEASE_ID/assets?name=$FILENAME"
done

3
.gitignore vendored
View File

@@ -128,4 +128,5 @@ $RECYCLE.BIN/
config.ini
certman
certman-*-amd64
certman-*-amd64
bin/

34
Makefile
View File

@@ -1,12 +1,38 @@
VERSION := 1.0.0
VERSION := 1.1.1-beta
BUILD := $(shell git rev-parse --short HEAD)
GO := go
BUILD_FLAGS := -buildmode=pie -trimpath
LDFLAGS := -linkmode=external -extldflags="-Wl,-z,relro,-z,now"
LDFLAGS := -linkmode=external -extldflags="-Wl,-z,relro,-z,now" -X git.nevets.tech/Keys/certman/common.Version=$(VERSION) -X git.nevets.tech/Keys/certman/common.Build=$(BUILD)
build:
$(GO) build $(BUILD_FLAGS) -ldflags='$(LDFLAGS)' -o ./certman .
.PHONY: proto bundle client server executor build debug stage
proto:
@protoc --go_out=./proto --go-grpc_out=./proto proto/hook.proto
@protoc --go_out=./proto --go-grpc_out=./proto proto/symlink.proto
bundle: proto
@echo "Building Bundled Certman"
$(GO) build $(BUILD_FLAGS) -ldflags="-s -w $(LDFLAGS)" -o ./bin/certman-$(VERSION)-amd64 ./cmd/bundle
client: proto
@echo "Building Certman Client"
$(GO) build $(BUILD_FLAGS) -ldflags="-s -w $(LDFLAGS)" -o ./bin/certman-client-$(VERSION)-amd64 ./cmd/client
server: proto
@echo "Building Certman Server"
$(GO) build $(BUILD_FLAGS) -ldflags="-s -w $(LDFLAGS)" -o ./bin/certman-server-$(VERSION)-amd64 ./cmd/server
executor: proto
@echo "Building Certman Executor"
$(GO) build $(BUILD_FLAGS) -ldflags="-s -w $(LDFLAGS)" -o ./bin/certman-executor-$(VERSION)-amd64 ./cmd/executor
build: proto bundle client server executor
@echo "All binaries successfully built"
debug: proto
$(GO) build $(BUILD_FLAGS) -ldflags="$(LDFLAGS)" -o ./certman .
@cp ./certman ./certman-$(VERSION)-amd64
stage: build

21
README.md
View File

@@ -1,2 +1,23 @@
# CertManager
### Features to Add
- Integrations as modules (systemd integration, generic commands, docker integration)
- Dedicated builds for server, client, and executor(?)
## Quick Start
## Daemonizing CertManager
The `install` command creates the certman user, directories, and runs chown on the created dirs
### Server
```bash
sudo certman install -mode server
sudo certman new-domain example.com
```
### Client
```bash
sudo certman install -mode client
sudo certman new-domain example.com
```

93
app/client/certs.go Normal file
View File

@@ -0,0 +1,93 @@
package client
import (
"fmt"
"path/filepath"
"git.nevets.tech/Keys/certman/app/shared"
"git.nevets.tech/Keys/certman/client"
"git.nevets.tech/Keys/certman/common"
"github.com/go-git/go-billy/v5/memfs"
"github.com/go-git/go-git/v5/storage/memory"
"github.com/spf13/cobra"
)
var (
renewCertSubCmd = &cobra.Command{
Use: "renew",
Short: "Renews a domains certificate",
Args: cobra.ExactArgs(1),
RunE: func(cmd *cobra.Command, args []string) error {
return renewCert(args[0])
},
}
updateCertLinkSubCmd = &cobra.Command{
Use: "update-link",
Short: "Update linked certificates",
Args: cobra.ExactArgs(1),
RunE: func(cmd *cobra.Command, args []string) error {
return updateLinks(args[0])
},
}
decryptCertsSubCmd = &cobra.Command{
Use: "decrypt [certPath] [cryptoKey]",
Short: "Decrypt certificates",
Args: cobra.ExactArgs(2),
RunE: func(cmd *cobra.Command, args []string) error {
return client.DecryptCertificates(args[0], args[1])
},
}
)
func init() {
renewCertSubCmd.AddCommand(updateCertLinkSubCmd, decryptCertsSubCmd)
shared.CertCmd.AddCommand(renewCertSubCmd)
}
func renewCert(domain string) error {
gitWorkspace := &common.GitWorkspace{
Domain: domain,
Storage: memory.NewStorage(),
FS: memfs.New(),
}
config := shared.Config()
domainConfig, exists := shared.DomainStore().Get(domain)
if !exists {
return shared.ErrConfigNotFound
}
if err := client.PullCerts(config, domainConfig, gitWorkspace); err != nil {
return err
}
certsDir := common.CertsDir(config, domainConfig)
return client.DecryptAndWriteCertificates(certsDir, config, domainConfig, gitWorkspace)
}
func updateLinks(domain string) error {
domainConfig, exists := shared.DomainStore().Get(domain)
if !exists {
return fmt.Errorf("domain %s does not exist", domain)
}
certsDir := shared.DomainCertsDirWConf(domain, domainConfig)
certLinks := domainConfig.Certificates.CertSymlinks
for _, certLink := range certLinks {
err := common.LinkFile(filepath.Join(certsDir, domain+".crt"), certLink, domain, ".crt")
if err != nil {
fmt.Printf("Error linking cert %s to %s: %v", certLink, domain, err)
continue
}
}
keyLinks := domainConfig.Certificates.KeySymlinks
for _, keyLink := range keyLinks {
err := common.LinkFile(filepath.Join(certsDir, domain+".crt"), keyLink, domain, ".key")
if err != nil {
fmt.Printf("Error linking cert %s to %s: %v", keyLink, domain, err)
continue
}
}
return nil
}

1
app/client/client.go Normal file
View File

@@ -0,0 +1 @@
package client

69
client.go → app/client/daemon.go
View File

@@ -1,4 +1,4 @@
package main
package client
import (
"fmt"
@@ -7,46 +7,59 @@ import (
"path/filepath"
"strings"
appShared "git.nevets.tech/Keys/certman/app/shared"
"git.nevets.tech/Keys/certman/client"
"git.nevets.tech/Keys/certman/common"
"github.com/go-git/go-billy/v5/memfs"
"github.com/go-git/go-git/v5/storage/memory"
)
func initClient() {
err := LoadDomainConfigs()
type Daemon struct{}
func (d *Daemon) Init() {
fmt.Println("Starting CertManager in client mode...")
err := appShared.LoadDomainConfigs()
if err != nil {
log.Fatalf("Error loading domain configs: %v", err)
}
clientTick()
d.Tick()
}
func clientTick() {
fmt.Println("Tick!")
func (d *Daemon) Tick() {
fmt.Println("tick!")
// Get local copy of domain configs
localDomainConfigs := domainStore.Snapshot()
// Get local copy of configs
config := appShared.Config()
localDomainConfigs := appShared.DomainStore().Snapshot()
// Loop over all domain configs (domains)
for domainStr, domainConfig := range localDomainConfigs {
// Skip non-enabled domains
if !domainConfig.GetBool("Domain.enabled") {
if !domainConfig.Domain.Enabled {
continue
}
// Skip domains with up-to-date commit hashes
// If the repo doesn't exist, we can't check for a remote commit, so stop the rest of the check
repoExists := domainConfig.GetBool("Internal.repo_exists")
repoExists := domainConfig.Internal.RepoExists
if repoExists {
localHash, err := getLocalCommitHash(domainStr)
var dataRoot string
if domainConfig.Certificates.DataRoot == "" {
config.Certificates.DataRoot = domainStr
} else {
dataRoot = domainConfig.Certificates.DataRoot
}
localHash, err := client.LocalCommitHash(domainStr, dataRoot)
if err != nil {
fmt.Printf("No local commit hash found for domain %s\n", domainStr)
}
gitSource, err := strToGitSource(config.GetString("Git.host"))
gitSource, err := common.StrToGitSource(appShared.Config().Git.Host)
if err != nil {
fmt.Printf("Error getting git source for domain %s: %v\n", domainStr, err)
continue
}
remoteHash, err := getRemoteCommitHash(domainStr, gitSource)
remoteHash, err := client.RemoteCommitHash(domainStr, gitSource, config, domainConfig)
if err != nil {
fmt.Printf("Error getting remote commit hash for domain %s: %v\n", domainStr, err)
}
@@ -58,24 +71,20 @@ func clientTick() {
}
}
gitWorkspace := &GitWorkspace{
gitWorkspace := &common.GitWorkspace{
Storage: memory.NewStorage(),
FS: memfs.New(),
}
// Ex: https://git.example.com/Org/Repo-suffix.git
// Clones repo and stores in gitWorkspace, skip if clone fails (doesn't exist?)
repoUrl := config.GetString("Git.server") + "/" + config.GetString("Git.org_name") + "/" + domainStr + domainConfig.GetString("Repo.repo_suffix") + ".git"
err := cloneRepo(repoUrl, gitWorkspace)
repoUrl := appShared.Config().Git.Server + "/" + config.Git.OrgName + "/" + domainStr + domainConfig.Repo.RepoSuffix + ".git"
err := common.CloneRepo(repoUrl, gitWorkspace, common.Client, config)
if err != nil {
fmt.Printf("Error cloning domain repo %s: %v\n", domainStr, err)
continue
}
certsDir, err := getDomainCertsDirWConf(domainStr, domainConfig)
if err != nil {
fmt.Printf("Error getting certificates dir for domain %s: %v\n", domainStr, err)
continue
}
certsDir := appShared.DomainCertsDirWConf(domainStr, domainConfig)
// Get files in repo
fileInfos, err := gitWorkspace.FS.ReadDir("/")
@@ -104,7 +113,7 @@ func clientTick() {
continue
}
err = DecryptFileFromBytes(domainConfig.GetString("Certificates.crypto_key"), fileBytes, filepath.Join(certsDir, filename), nil)
err = common.DecryptFileFromBytes(domainConfig.Certificates.CryptoKey, fileBytes, filepath.Join(certsDir, filename), nil)
if err != nil {
fmt.Printf("Error decrypting file %s in domain %s: %v\n", filename, domainStr, err)
continue
@@ -116,24 +125,24 @@ func clientTick() {
continue
}
err = writeCommitHash(headRef.Hash().String(), domainConfig)
err = common.WriteCommitHash(headRef.Hash().String(), config, domainConfig)
if err != nil {
fmt.Printf("Error writing commit hash: %v\n", err)
continue
}
certLinks := domainConfig.GetStringSlice("Certificates.cert_symlinks")
certLinks := domainConfig.Certificates.CertSymlinks
for _, certLink := range certLinks {
err = linkFile(filepath.Join(certsDir, domainStr+".crt"), certLink, domainStr, ".crt")
err = common.LinkFile(filepath.Join(certsDir, domainStr+".crt"), certLink, domainStr, ".crt")
if err != nil {
fmt.Printf("Error linking cert %s to %s: %v\n", certLink, domainStr, err)
continue
}
}
keyLinks := domainConfig.GetStringSlice("Certificates.key_symlinks")
keyLinks := domainConfig.Certificates.KeySymlinks
for _, keyLink := range keyLinks {
err = linkFile(filepath.Join(certsDir, domainStr+".crt"), keyLink, domainStr, ".key")
err = common.LinkFile(filepath.Join(certsDir, domainStr+".key"), keyLink, domainStr, ".key")
if err != nil {
fmt.Printf("Error linking cert %s to %s: %v\n", keyLink, domainStr, err)
continue
@@ -144,16 +153,16 @@ func clientTick() {
}
}
func reloadClient() {
func (d *Daemon) Reload() {
fmt.Println("Reloading configs...")
err := LoadDomainConfigs()
err := appShared.LoadDomainConfigs()
if err != nil {
fmt.Printf("Error loading domain configs: %v\n", err)
return
}
}
func stopClient() {
func (d *Daemon) Stop() {
fmt.Println("Shutting down client")
}

49
app/client/grpc.go Normal file
View File

@@ -0,0 +1,49 @@
package client
import (
"context"
"fmt"
"log"
"time"
"git.nevets.tech/Keys/certman/app/shared"
pb "git.nevets.tech/Keys/certman/proto/v1"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials/insecure"
)
func SendHook(domain string) {
conn, err := grpc.NewClient(
"unix:///run/certman.sock",
grpc.WithTransportCredentials(insecure.NewCredentials()),
)
if err != nil {
log.Fatalf("fail to dial: %v", err)
}
defer conn.Close()
client := pb.NewHookServiceClient(conn)
hooks, err := shared.PostPullHooks(domain)
if err != nil {
fmt.Printf("Error getting hooks: %v\n", err)
return
}
for _, hook := range hooks {
sendHook(client, hook)
}
}
func sendHook(client pb.HookServiceClient, hook *pb.Hook) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
res, err := client.ExecuteHook(ctx, &pb.ExecuteHookRequest{Hook: hook})
if err != nil {
fmt.Printf("Error executing hook: %v\n", err)
return
}
if res.GetError() != "" {
fmt.Printf("Error executing hook: %s\n", res.GetError())
}
}

37
app/executor/commands.go Normal file
View File

@@ -0,0 +1,37 @@
package executor
import (
"fmt"
"os"
"os/signal"
"syscall"
"github.com/spf13/cobra"
)
var (
executorServer *Server
ExecutorCmd = &cobra.Command{
Use: "executor",
Short: "Privileged daemon",
RunE: func(cmd *cobra.Command, args []string) error {
return startExecutorCmd()
},
}
)
func startExecutorCmd() error {
executorServer = &Server{}
sigCh := make(chan os.Signal, 1)
signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
go func() {
<-sigCh
executorServer.Stop()
}()
if err := executorServer.Start(); err != nil {
return fmt.Errorf("failed to start executor server: %w", err)
}
return nil
}

43
app/executor/executor.go Normal file
View File

@@ -0,0 +1,43 @@
package executor
import (
"fmt"
"net"
"sync"
pb "git.nevets.tech/Keys/certman/proto/v1"
"github.com/coreos/go-systemd/v22/activation"
"google.golang.org/grpc"
)
type Server struct {
listener net.Listener
wg sync.WaitGroup
}
func (s *Server) Start() error {
listeners, err := activation.Listeners()
if err != nil {
return fmt.Errorf("systemd activation listeners: %v", err)
}
if len(listeners) != 1 {
return fmt.Errorf("systemd activation listeners: expected 1, got %d", len(listeners))
}
s.listener = listeners[0]
srv := grpc.NewServer()
pb.RegisterHookServiceServer(srv, &hookServer{})
err = srv.Serve(s.listener)
if err != nil {
return fmt.Errorf("error creating grpc listener: %v", err)
}
fmt.Printf("Started gRPC server on %s\n", s.listener.Addr())
return nil
}
func (s *Server) Stop() {
if s.listener != nil {
_ = s.listener.Close()
}
}

73
app/executor/hook.go Normal file
View File

@@ -0,0 +1,73 @@
package executor
import (
"context"
"errors"
"os"
"os/exec"
"syscall"
"time"
"git.nevets.tech/Keys/certman/common"
pb "git.nevets.tech/Keys/certman/proto/v1"
)
type hookServer struct {
pb.UnimplementedHookServiceServer
}
func (s *hookServer) ExecuteHook(ctx context.Context, req *pb.ExecuteHookRequest) (*pb.ExecuteHookResponse, error) {
h := req.GetHook()
if h == nil {
return &pb.ExecuteHookResponse{Error: "missing hook"}, nil
}
// Minimal validation
if len(h.GetCommand()) == 0 {
return &pb.ExecuteHookResponse{Error: "command is empty"}, nil
}
// Timeout
timeout := time.Duration(h.GetTimeoutSeconds()) * time.Second
if timeout <= 0 {
timeout = 30 * time.Second
}
ctx, cancel := context.WithTimeout(ctx, timeout)
defer cancel()
// Build command
cmdArgs := h.GetCommand()
cmd := exec.CommandContext(ctx, cmdArgs[0], cmdArgs[1:]...)
if cwd := h.GetCwd(); cwd != "" {
cmd.Dir = cwd
}
// Env: inherit current + overlay provided
env := os.Environ()
for k, v := range h.GetEnv() {
env = append(env, k+"="+v)
}
cmd.Env = env
// Run as user/group if specified (Linux/Unix)
if h.GetUser() != "" || h.GetGroup() != "" {
cred, err := common.MakeCredential(h.GetUser(), h.GetGroup())
if err != nil {
return &pb.ExecuteHookResponse{Error: brief(err)}, nil
}
cmd.SysProcAttr = &syscall.SysProcAttr{
Credential: cred,
}
}
// Were intentionally NOT returning stdout/stderr; only a brief error on failure.
if err := cmd.Run(); err != nil {
// If context deadline hit, make the error message short and explicit.
if errors.Is(ctx.Err(), context.DeadlineExceeded) {
return &pb.ExecuteHookResponse{Error: "hook timed out"}, nil
}
return &pb.ExecuteHookResponse{Error: brief(err)}, nil
}
return &pb.ExecuteHookResponse{Error: ""}, nil
}

8
app/executor/util.go Normal file
View File

@@ -0,0 +1,8 @@
package executor
import "fmt"
// brief tries to keep errors short and non-leaky.
func brief(err error) string {
return fmt.Sprintf("hook failed: %v", err)
}

125
app/server/certs.go Normal file
View File

@@ -0,0 +1,125 @@
package server
import (
"fmt"
"path/filepath"
"time"
"git.nevets.tech/Keys/certman/app/shared"
"git.nevets.tech/Keys/certman/common"
"git.nevets.tech/Keys/certman/server"
"github.com/go-git/go-billy/v5/memfs"
"github.com/go-git/go-git/v5/storage/memory"
"github.com/spf13/cobra"
)
var (
noPush bool
renewCertSubCmd = &cobra.Command{
Use: "renew",
Short: "Renews a domains certificate",
Args: cobra.ExactArgs(1),
RunE: func(cmd *cobra.Command, args []string) error {
return renewCertCmd(args[0], noPush)
},
}
)
func init() {
renewCertSubCmd.Flags().BoolVar(&noPush, "no-push", false, "Don't push certs to repo, renew locally only [server mode only]")
shared.CertCmd.AddCommand(renewCertSubCmd)
}
func renewCertCmd(domain string, noPush bool) error {
if err := shared.LoadConfig(); err != nil {
return err
}
if err := shared.LoadDomainConfigs(); err != nil {
return err
}
mgr, err := server.NewACMEManager(shared.Config())
if err != nil {
return err
}
err = renewCerts(domain, noPush, mgr)
if err != nil {
return err
}
// return ReloadDaemonCmd() // Not sure if this is necessary
return nil
}
func renewCerts(domain string, noPush bool, mgr *server.ACMEManager) error {
config := shared.Config()
domainConfig, exists := shared.DomainStore().Get(domain)
if !exists {
return fmt.Errorf("domain %s does not exist", domain)
}
_, err := mgr.RenewForDomain(domain)
if err != nil {
// if no existing cert, obtain instead
_, err = mgr.ObtainForDomain(domain, config, domainConfig)
if err != nil {
return fmt.Errorf("error obtaining domain certificates for domain %s: %v", domain, err)
}
}
domainConfig.Internal.LastIssued = time.Now().UTC().Unix()
err = shared.WriteDomainConfig(domainConfig)
if err != nil {
return fmt.Errorf("error saving domain config %s: %v", domain, err)
}
err = common.EncryptFileXChaCha(domainConfig.Certificates.CryptoKey, filepath.Join(mgr.CertsRoot, domain, domain+".crt"), filepath.Join(mgr.CertsRoot, domain, domain+".crt.crpt"), nil)
if err != nil {
return fmt.Errorf("error encrypting domain cert for domain %s: %v", domain, err)
}
err = common.EncryptFileXChaCha(domainConfig.Certificates.CryptoKey, filepath.Join(mgr.CertsRoot, domain, domain+".key"), filepath.Join(mgr.CertsRoot, domain, domain+".key.crpt"), nil)
if err != nil {
return fmt.Errorf("error encrypting domain key for domain %s: %v", domain, err)
}
if !noPush {
giteaClient := common.CreateGiteaClient(config)
if giteaClient == nil {
return fmt.Errorf("error creating gitea client for domain %s: %v", domain, err)
}
gitWorkspace := &common.GitWorkspace{
Storage: memory.NewStorage(),
FS: memfs.New(),
}
var repoUrl string
if !domainConfig.Internal.RepoExists {
repoUrl = common.CreateGiteaRepo(domain, giteaClient, config, domainConfig)
if repoUrl == "" {
return fmt.Errorf("error creating Gitea repo for domain %s", domain)
}
domainConfig.Internal.RepoExists = true
err = shared.WriteDomainConfig(domainConfig)
if err != nil {
return fmt.Errorf("error saving domain config %s: %v", domain, err)
}
err = common.InitRepo(repoUrl, gitWorkspace)
if err != nil {
return fmt.Errorf("error initializing repo for domain %s: %v", domain, err)
}
} else {
repoUrl = config.Git.Server + "/" + config.Git.OrgName + "/" + domain + domainConfig.Repo.RepoSuffix + ".git"
err = common.CloneRepo(repoUrl, gitWorkspace, common.Server, config)
if err != nil {
return fmt.Errorf("error cloning repo for domain %s: %v", domain, err)
}
}
err = common.AddAndPushCerts(domain, gitWorkspace, config, domainConfig)
if err != nil {
return fmt.Errorf("error pushing certificates for domain %s: %v", domain, err)
}
fmt.Printf("Successfully pushed certificates for domain %s\n", domain)
}
return nil
}

168
app/server/daemon.go Normal file
View File

@@ -0,0 +1,168 @@
package server
import (
"fmt"
"log"
"path/filepath"
"sync"
"time"
appShared "git.nevets.tech/Keys/certman/app/shared"
"git.nevets.tech/Keys/certman/common"
"git.nevets.tech/Keys/certman/server"
"github.com/go-git/go-billy/v5/memfs"
"github.com/go-git/go-git/v5/storage/memory"
)
type Daemon struct {
ACMEManager *server.ACMEManager
TickMu sync.Mutex
MgrMu sync.Mutex
}
func (d *Daemon) loadACMEManager() error {
d.MgrMu.Lock()
defer d.MgrMu.Unlock()
if d.ACMEManager == nil {
var err error
d.ACMEManager, err = server.NewACMEManager(appShared.Config())
if err != nil {
return err
}
}
return nil
}
func (d *Daemon) Init() {
fmt.Println("Starting CertManager in server mode...")
err := appShared.LoadDomainConfigs()
if err != nil {
log.Fatalf("Error loading domain configs: %v", err)
}
d.Tick()
}
func (d *Daemon) Tick() {
d.TickMu.Lock()
defer d.TickMu.Unlock()
fmt.Println("Tick!")
if err := d.loadACMEManager(); err != nil {
fmt.Printf("Error getting acme manager: %v\n", err)
return
}
now := time.Now().UTC()
config := appShared.Config()
localDomainConfigs := appShared.DomainStore().Snapshot()
for domainStr, domainConfig := range localDomainConfigs {
if !domainConfig.Domain.Enabled {
continue
}
renewPeriod := domainConfig.Certificates.RenewPeriod
lastIssued := time.Unix(domainConfig.Internal.LastIssued, 0).UTC()
renewalDue := lastIssued.AddDate(0, 0, renewPeriod)
if now.After(renewalDue) {
//TODO extra check if certificate expiry (create cache?)
_, err := d.ACMEManager.RenewForDomain(domainStr)
if err != nil {
// if no existing cert, obtain instead
_, err = d.ACMEManager.ObtainForDomain(domainStr, appShared.Config(), domainConfig)
if err != nil {
fmt.Printf("Error obtaining domain certificates for domain %s: %v\n", domainStr, err)
continue
}
}
domainConfig.Internal.LastIssued = time.Now().UTC().Unix()
err = appShared.WriteDomainConfig(domainConfig)
if err != nil {
fmt.Printf("Error saving domain config %s: %v\n", domainStr, err)
continue
}
err = common.EncryptFileXChaCha(domainConfig.Certificates.CryptoKey, filepath.Join(d.ACMEManager.CertsRoot, domainStr, domainStr+".crt"), filepath.Join(d.ACMEManager.CertsRoot, domainStr, domainStr+".crt.crpt"), nil)
if err != nil {
fmt.Printf("Error encrypting domain cert for domain %s: %v\n", domainStr, err)
continue
}
err = common.EncryptFileXChaCha(domainConfig.Certificates.CryptoKey, filepath.Join(d.ACMEManager.CertsRoot, domainStr, domainStr+".key"), filepath.Join(d.ACMEManager.CertsRoot, domainStr, domainStr+".key.crpt"), nil)
if err != nil {
fmt.Printf("Error encrypting domain key for domain %s: %v\n", domainStr, err)
continue
}
giteaClient := common.CreateGiteaClient(config)
if giteaClient == nil {
fmt.Printf("Error creating gitea client for domain %s: %v\n", domainStr, err)
continue
}
gitWorkspace := &common.GitWorkspace{
Storage: memory.NewStorage(),
FS: memfs.New(),
}
var repoUrl string
if !domainConfig.Internal.RepoExists {
repoUrl = common.CreateGiteaRepo(domainStr, giteaClient, config, domainConfig)
if repoUrl == "" {
fmt.Printf("Error creating Gitea repo for domain %s\n", domainStr)
continue
}
domainConfig.Internal.RepoExists = true
err = appShared.WriteDomainConfig(domainConfig)
if err != nil {
fmt.Printf("Error saving domain config %s: %v\n", domainStr, err)
continue
}
err = common.InitRepo(repoUrl, gitWorkspace)
if err != nil {
fmt.Printf("Error initializing repo for domain %s: %v\n", domainStr, err)
continue
}
} else {
repoUrl = appShared.Config().Git.Server + "/" + appShared.Config().Git.OrgName + "/" + domainStr + domainConfig.Repo.RepoSuffix + ".git"
err = common.CloneRepo(repoUrl, gitWorkspace, common.Server, config)
if err != nil {
fmt.Printf("Error cloning repo for domain %s: %v\n", domainStr, err)
continue
}
}
err = common.AddAndPushCerts(domainStr, gitWorkspace, config, domainConfig)
if err != nil {
fmt.Printf("Error pushing certificates for domain %s: %v\n", domainStr, err)
continue
}
fmt.Printf("Successfully pushed certificates for domain %s\n", domainStr)
}
}
if err := appShared.SaveDomainConfigs(); err != nil {
fmt.Printf("Error saving domain configs: %v\n", err)
}
}
func (d *Daemon) Reload() {
fmt.Println("Reloading configs...")
err := appShared.LoadDomainConfigs()
if err != nil {
fmt.Printf("Error loading domain configs: %v\n", err)
return
}
d.MgrMu.Lock()
d.ACMEManager = nil
d.MgrMu.Unlock()
fmt.Println("Successfully reloaded configs")
}
func (d *Daemon) Stop() {
fmt.Println("Shutting down server")
}

1
app/server/server.go Normal file
View File

@@ -0,0 +1 @@
package server

15
app/shared/certs.go Normal file
View File

@@ -0,0 +1,15 @@
package shared
import (
"github.com/spf13/cobra"
)
var (
CertCmd = &cobra.Command{
Use: "cert",
Short: "Certificate management",
RunE: func(cmd *cobra.Command, args []string) error {
return cmd.Help()
},
}
)

191
app/shared/commands.go Normal file
View File

@@ -0,0 +1,191 @@
package shared
import (
"fmt"
"log"
"os"
"os/exec"
"os/user"
"strconv"
"strings"
"git.nevets.tech/Keys/certman/common"
"github.com/spf13/cobra"
)
var (
VersionCmd = basicCmd("version", "Show version", versionCmd)
NewKeyCmd = basicCmd("gen-key", "Generates encryption key", newKeyCmd)
DevCmd = basicCmd("dev", "Dev Function", devCmd)
domainCertDir string
NewDomainCmd = &cobra.Command{
Use: "new-domain",
Short: "Create config and directories for new domain",
Args: cobra.ExactArgs(1),
SilenceUsage: true,
SilenceErrors: true,
RunE: func(cmd *cobra.Command, args []string) error {
dirOverridden := cmd.Flags().Changed("dir")
return newDomainCmd(args[0], domainCertDir, dirOverridden)
},
}
modeFlag string
thinInstallFlag bool
InstallCmd = &cobra.Command{
Use: "install",
Short: "Create certman files and directories",
RunE: func(cmd *cobra.Command, args []string) error {
switch modeFlag {
case "server", "client":
return installCmd(thinInstallFlag, modeFlag)
default:
return fmt.Errorf("invalid --mode %q (must be server or client)", modeFlag)
}
},
}
)
func init() {
NewDomainCmd.Flags().StringVar(&domainCertDir, "dir", "/var/local/certman/certificates/", "Alternate directory for certificates")
InstallCmd.Flags().StringVar(&modeFlag, "mode", "client", "CertManager mode [server, client]")
InstallCmd.Flags().BoolVarP(&thinInstallFlag, "thin", "t", false, "Thin install (skip creating dirs)")
}
func devCmd(cmd *cobra.Command, args []string) {
testDomain := "lunamc.org"
err := LoadConfig()
if err != nil {
log.Fatalf("Error loading configuration: %v\n", err)
}
err = LoadDomainConfigs()
if err != nil {
log.Fatalf("Error loading configs: %v\n", err)
}
fmt.Println(testDomain)
}
func versionCmd(cmd *cobra.Command, args []string) {
fmt.Printf("CertManager (certman) - Steven Tracey\nVersion: %s build-%s\n",
common.Version, common.Build,
)
}
func newKeyCmd(cmd *cobra.Command, args []string) {
key, err := common.GenerateKey()
if err != nil {
log.Fatalf("%v", err)
}
fmt.Printf(key)
}
func newDomainCmd(domain, domainDir string, dirOverridden bool) error {
//TODO add config option for "overridden dir"
if !common.IsValidFQDN(domain) {
return fmt.Errorf("invalid FQDN: %q", domain)
}
err := LoadConfig()
if err != nil {
return err
}
fmt.Printf("Creating new domain %s\n", domain)
err = CreateDomainConfig(domain)
if err != nil {
return err
}
CreateDomainCertsDir(domain, domainDir, dirOverridden)
certmanUser, err := user.Lookup("certman")
if err != nil {
return fmt.Errorf("error getting user certman: %v", err)
}
uid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Uid))
if err != nil {
return err
}
gid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Gid))
if err != nil {
return err
}
err = common.ChownRecursive("/etc/certman/domains", uid, gid)
if err != nil {
return err
}
err = common.ChownRecursive("/var/local/certman", uid, gid)
if err != nil {
return err
}
fmt.Println("Successfully created domain entry for " + domain + "\nUpdate config file as needed in /etc/certman/domains/" + domain + ".conf\n")
return nil
}
func installCmd(isThin bool, mode string) error {
if !isThin {
if os.Geteuid() != 0 {
return fmt.Errorf("installation must be run as root")
}
MakeDirs()
CreateConfig(mode)
err := LoadConfig()
if err != nil {
return err
}
f, err := os.OpenFile("/var/run/certman.pid", os.O_RDONLY|os.O_CREATE, 0755)
if err != nil {
return fmt.Errorf("error creating pid file: %v", err)
}
err = f.Close()
if err != nil {
return fmt.Errorf("error closing pid file: %v", err)
}
newUserCmd := exec.Command("useradd", "-d", "/var/local/certman", "-U", "-r", "-s", "/sbin/nologin", "certman")
if output, err := newUserCmd.CombinedOutput(); err != nil {
if !strings.Contains(err.Error(), "exit status 9") {
return fmt.Errorf("error creating user: %v: output %s", err, output)
}
}
newGroupCmd := exec.Command("groupadd", "-r", "-U", "certman", "certsock")
if output, err := newGroupCmd.CombinedOutput(); err != nil {
if !strings.Contains(err.Error(), "exit status 9") {
return fmt.Errorf("error creating group: %v: output %s", err, output)
}
}
certmanUser, err := user.Lookup("certman")
if err != nil {
return fmt.Errorf("error getting user certman: %v", err)
}
uid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Uid))
if err != nil {
return err
}
gid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Gid))
if err != nil {
return err
}
err = common.ChownRecursive("/etc/certman", uid, gid)
if err != nil {
return fmt.Errorf("error changing uid/gid: %v", err)
}
err = common.ChownRecursive("/var/local/certman", uid, gid)
if err != nil {
return fmt.Errorf("error changing uid/gid: %v", err)
}
err = os.Chown("/var/run/certman.pid", uid, gid)
if err != nil {
return fmt.Errorf("error changing uid/gid: %v", err)
}
} else {
CreateConfig(mode)
}
return nil
}

276
config.go → app/shared/config.go
View File

@@ -1,7 +1,6 @@
package main
package shared
import (
"bytes"
"errors"
"fmt"
"log"
@@ -10,7 +9,10 @@ import (
"strings"
"sync"
"git.nevets.tech/Keys/certman/common"
pb "git.nevets.tech/Keys/certman/proto/v1"
"github.com/google/uuid"
"github.com/pelletier/go-toml/v2"
"github.com/spf13/viper"
)
@@ -21,40 +23,40 @@ var (
type DomainConfigStore struct {
mu sync.RWMutex
configs map[string]*viper.Viper
configs map[string]*common.DomainConfig
}
func NewDomainConfigStore() *DomainConfigStore {
return &DomainConfigStore{
configs: make(map[string]*viper.Viper),
configs: make(map[string]*common.DomainConfig),
}
}
func (s *DomainConfigStore) Get(domain string) (*viper.Viper, bool) {
func (s *DomainConfigStore) Get(domain string) (*common.DomainConfig, bool) {
s.mu.RLock()
defer s.mu.RUnlock()
v, ok := s.configs[domain]
return v, ok
}
func (s *DomainConfigStore) Set(domain string, v *viper.Viper) {
func (s *DomainConfigStore) Set(domain string, v *common.DomainConfig) {
s.mu.Lock()
defer s.mu.Unlock()
s.configs[domain] = v
}
// Swap atomically replaces the entire config map (used during reload).
func (s *DomainConfigStore) Swap(newConfigs map[string]*viper.Viper) {
func (s *DomainConfigStore) Swap(newConfigs map[string]*common.DomainConfig) {
s.mu.Lock()
defer s.mu.Unlock()
s.configs = newConfigs
}
// Snapshot returns a shallow copy safe to iterate without holding the lock.
func (s *DomainConfigStore) Snapshot() map[string]*viper.Viper {
func (s *DomainConfigStore) Snapshot() map[string]*common.DomainConfig {
s.mu.RLock()
defer s.mu.RUnlock()
snap := make(map[string]*viper.Viper, len(s.configs))
snap := make(map[string]*common.DomainConfig, len(s.configs))
for k, v := range s.configs {
snap[k] = v
}
@@ -66,20 +68,48 @@ func (s *DomainConfigStore) Snapshot() map[string]*viper.Viper {
// ---------------------------------------------------------------------------
var (
config *viper.Viper
config *common.AppConfig
configMu sync.RWMutex
domainStore = NewDomainConfigStore()
)
func Config() *common.AppConfig {
configMu.RLock()
defer configMu.RUnlock()
return config
}
func DomainStore() *DomainConfigStore {
domainStore.mu.RLock()
defer domainStore.mu.RUnlock()
return domainStore
}
// ---------------------------------------------------------------------------
// Loading
// ---------------------------------------------------------------------------
// LoadConfig reads the main certman.conf into config.
func LoadConfig(path string) error {
config = viper.New()
config.SetConfigFile(path)
config.SetConfigType("toml")
return config.ReadInConfig()
func LoadConfig() error {
vConfig := viper.New()
vConfig.SetConfigFile("/etc/certman/certman.conf")
vConfig.SetConfigType("toml")
if err := vConfig.ReadInConfig(); err != nil {
return err
}
if vConfig.GetString("App.mode") == "server" {
vConfig.SetConfigType("toml")
vConfig.SetConfigFile("/etc/certman/server.conf")
if err := vConfig.MergeInConfig(); err != nil {
return err
}
}
if err := vConfig.Unmarshal(&config); err != nil {
return err
}
return nil
}
// LoadDomainConfigs reads every .conf file in the domains directory.
@@ -90,7 +120,7 @@ func LoadDomainConfigs() error {
return fmt.Errorf("reading domain config dir: %w", err)
}
temp := make(map[string]*viper.Viper)
temp := make(map[string]*common.DomainConfig)
for _, entry := range entries {
if entry.IsDir() || filepath.Ext(entry.Name()) != ".conf" {
@@ -115,7 +145,11 @@ func LoadDomainConfigs() error {
fmt.Printf("Duplicate domain in %s, skipping...\n", path)
continue
}
temp[domain] = v
cfg := &common.DomainConfig{}
if err = v.Unmarshal(cfg); err != nil {
return fmt.Errorf("unmarshaling %s: %w", path, err)
}
temp[domain] = cfg
}
domainStore.Swap(temp)
@@ -126,30 +160,35 @@ func LoadDomainConfigs() error {
// Saving
// ---------------------------------------------------------------------------
func WriteConfig(filePath string, config *viper.Viper) error {
var buf bytes.Buffer
if err := config.WriteConfigTo(&buf); err != nil {
return fmt.Errorf("marshal config: %w", err)
func WriteConfig(filePath string, config *common.AppConfig) error {
buf, err := toml.Marshal(&config)
if err != nil {
return fmt.Errorf("marshaling config: %w", err)
}
if err := os.WriteFile(filePath, buf.Bytes(), 0640); err != nil {
if err = os.WriteFile(filePath, buf, 0640); err != nil {
return fmt.Errorf("write config file: %w", err)
}
return nil
}
func WriteMainConfig() error {
return WriteConfig("/etc/certman/certman.conf", config)
}
func WriteDomainConfig(config *common.DomainConfig) error {
buf, err := toml.Marshal(config)
if err != nil {
return fmt.Errorf("marshaling domain config: %w", err)
}
configPath := filepath.Join("/etc/certman/domains", config.Domain.DomainName+".conf")
if err = os.WriteFile(configPath, buf, 0640); err != nil {
return fmt.Errorf("write config file: %w", err)
}
func WriteDomainConfig(config *viper.Viper) error {
return WriteConfig(config.GetString("Domain.domain_name"), config)
return nil
}
// SaveDomainConfigs writes every loaded domain config back to disk.
func SaveDomainConfigs() error {
for domain, v := range domainStore.Snapshot() {
err := WriteConfig("/etc/certman/domains/"+domain+".conf", v)
for _, v := range domainStore.Snapshot() {
err := WriteDomainConfig(v)
if err != nil {
return err
}
@@ -158,72 +197,22 @@ func SaveDomainConfigs() error {
}
// ---------------------------------------------------------------------------
// Effective lookups (domain → global fallback)
// Domain Specific Lookups
// ---------------------------------------------------------------------------
// EffectiveString looks up a key in the domain config first, falling back to
// the global config. Keys use dot notation matching INI sections, e.g.
// "certificates.data_root".
func EffectiveString(domainCfg *viper.Viper, key string) (string, error) {
if domainCfg != nil {
val := strings.TrimSpace(domainCfg.GetString(key))
if val != "" {
return val, nil
}
func PostPullHooks(domain string) ([]*pb.Hook, error) {
var hooks []*pb.Hook
if err := viper.UnmarshalKey("Hooks.PostPull", hooks); err != nil {
return nil, err
}
if config == nil {
return "", ErrConfigNotFound
}
val := strings.TrimSpace(config.GetString(key))
if val == "" {
return "", ErrBlankConfigEntry
}
return val, nil
}
// MustEffectiveString is like EffectiveString but logs a fatal error on failure.
func MustEffectiveString(domainCfg *viper.Viper, key string) string {
val, err := EffectiveString(domainCfg, key)
if err != nil {
log.Fatalf("Config key %q: %v", key, err)
}
return val
}
// EffectiveInt returns an int with domain → global fallback. Returns the
// fallback value if the key is missing or zero in both configs.
func EffectiveInt(domainCfg *viper.Viper, key string, fallback int) int {
if domainCfg != nil {
if val := domainCfg.GetInt(key); val != 0 {
return val
}
}
if config != nil {
if val := config.GetInt(key); val != 0 {
return val
}
}
return fallback
}
// EffectiveBool returns a bool with domain → global fallback.
func EffectiveBool(domainCfg *viper.Viper, key string) bool {
if domainCfg != nil && domainCfg.IsSet(key) {
return domainCfg.GetBool(key)
}
if config != nil {
return config.GetBool(key)
}
return false
return hooks, nil
}
// ---------------------------------------------------------------------------
// Directory bootstrapping
// ---------------------------------------------------------------------------
func makeDirs() {
func MakeDirs() {
dirs := []struct {
path string
perm os.FileMode
@@ -240,31 +229,50 @@ func makeDirs() {
}
}
func createNewConfig(mode string) {
func CreateConfig(mode string) {
content := strings.NewReplacer(
"{mode}", mode,
"{uuid}", uuid.New().String(),
).Replace(defaultConfig)
createFile("/etc/certman/certman.conf", 0640, []byte(content))
switch mode {
case "server":
content = strings.NewReplacer(
"{uuid}", uuid.New().String(),
).Replace(defaultServerConfig)
createFile("/etc/certman/server.conf", 640, []byte(content))
}
}
func createNewDomainConfig(domain string) error {
key, err := GenerateKey()
func CreateDomainConfig(domain string) error {
key, err := common.GenerateKey()
if err != nil {
return fmt.Errorf("unable to generate key: %v", err)
}
localConfig := Config()
content := strings.NewReplacer(
"{domain}", domain,
"{key}", key,
).Replace(defaultDomainConfig)
var content string
switch localConfig.App.Mode {
case "server":
content = strings.NewReplacer(
"{domain}", domain,
"{key}", key,
).Replace(defaultServerDomainConfig)
case "client":
content = strings.NewReplacer(
"{domain}", domain,
"{key}", key,
).Replace(defaultClientDomainConfig)
default:
return fmt.Errorf("unknown certman mode: %v", localConfig.App.Mode)
}
path := filepath.Join("/etc/certman/domains", domain+".conf")
createFile(path, 0640, []byte(content))
return nil
}
func createNewDomainCertsDir(domain string, dir string, dirOverride bool) {
func CreateDomainCertsDir(domain string, dir string, dirOverride bool) {
var target string
if dirOverride {
target = filepath.Join(dir, domain)
@@ -281,54 +289,70 @@ func createNewDomainCertsDir(domain string, dir string, dirOverride bool) {
}
}
// ---------------------------------------------------------------------------
// Default config templates
// ---------------------------------------------------------------------------
const defaultConfig = `[App]
mode = "{mode}"
mode = '{mode}'
tick_rate = 2
uuid = "{uuid}"
[Git]
host = "gitea"
server = "https://gitea.instance.com"
username = "user"
api_token = "xxxxxxxxxxxxxxxxxxxxxxxxx"
org_name = "org"
host = 'gitea'
server = 'https://gitea.instance.com'
username = 'User'
api_token = 'xxxxxxxxxxxxxxxxxxxxxxxxx'
org_name = 'org'
[Certificates]
email = "user@example.com"
data_root = "/var/local/certman"
ca_dir_url = "https://acme-v02.api.letsencrypt.org/directory"
[Cloudflare]
cf_email = "email@example.com"
cf_api_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
data_root = '/var/local/certman'
`
const defaultDomainConfig = `[Domain]
domain_name = "{domain}"
enabled = true
dns_server = "default"
const defaultServerConfig = `[App]
uuid = '{uuid}'
[Certificates]
data_root = ""
email = 'User@example.com'
ca_dir_url = 'https://acme-v02.api.letsencrypt.org/directory'
[Cloudflare]
cf_email = 'email@example.com'
cf_api_key = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'`
const defaultServerDomainConfig = `[Certificates]
data_root = ''
expiry = 90
request_method = "dns-01"
request_method = 'dns-01'
renew_period = 30
subdomains = []
cert_symlinks = []
key_symlinks = []
crypto_key = "{key}"
crypto_key = '{key}'
[Domain]
domain_name = '{domain}'
enabled = true
dns_server = 'default'
[Repo]
repo_suffix = "-certificates"
repo_suffix = '-certificates'
[Internal]
last_issued = 0
repo_exists = false
status = "clean"
status = 'clean'
`
const readme = ``
const defaultClientDomainConfig = `[Certificates]
data_root = ''
cert_symlinks = []
key_symlinks = []
crypto_key = '{key}'
[Domain]
domain_name = '{domain}'
enabled = true
[Hooks.PostPull]
command = []
cwd = "/dev/null"
timeout_seconds = 30
env = { "FOO" = "bar" }
[Repo]
repo_suffix = '-certificates'
`

191
app/shared/daemon.go Normal file
View File

@@ -0,0 +1,191 @@
package shared
import (
"context"
"errors"
"fmt"
"os"
"os/signal"
"sync"
"syscall"
"time"
"git.nevets.tech/Keys/certman/common"
"github.com/spf13/cobra"
)
type Daemon interface {
Init()
Tick()
Reload()
Stop()
}
var (
ctx context.Context
cancel context.CancelFunc
wg sync.WaitGroup
DaemonCmd = &cobra.Command{
Use: "daemon",
Short: "Daemon management",
RunE: func(cmd *cobra.Command, args []string) error {
return cmd.Help()
},
}
)
func init() {
DaemonCmd.AddCommand(&cobra.Command{
Use: "stop",
Short: "stop the daemon",
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
return stopDaemonCmd()
},
})
DaemonCmd.AddCommand(&cobra.Command{
Use: "reload",
Short: "reload daemon configs",
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
return reloadDaemonCmd()
},
})
DaemonCmd.AddCommand(&cobra.Command{
Use: "tick",
Short: "Manually triggers daemon tick",
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
return tickDaemonCmd()
},
})
DaemonCmd.AddCommand(&cobra.Command{
Use: "status",
Short: "Show daemon status",
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
return daemonStatusCmd()
},
})
}
func RunDaemonCmd(daemon Daemon) error {
err := common.CreateOrUpdatePIDFile("/var/run/certman.pid")
if err != nil {
if errors.Is(err, common.ErrorPIDInUse) {
return fmt.Errorf("daemon process is already running")
}
return fmt.Errorf("error creating pidfile: %v", err)
}
ctx, cancel = context.WithCancel(context.Background())
// Check if main config exists
if _, err := os.Stat("/etc/certman/certman.conf"); os.IsNotExist(err) {
return fmt.Errorf("main config file not found, please run 'certman --install', then properly configure /etc/certman/certman.conf")
} else if err != nil {
return fmt.Errorf("error opening /etc/certman/certman.conf: %v", err)
}
err = LoadConfig()
if err != nil {
return fmt.Errorf("error loading configuration: %v", err)
}
localConfig := Config()
// Setup SIGINT and SIGTERM listeners
sigChannel := make(chan os.Signal, 1)
signal.Notify(sigChannel, syscall.SIGINT, syscall.SIGTERM)
defer signal.Stop(sigChannel)
reloadSigChan := make(chan os.Signal, 1)
signal.Notify(reloadSigChan, syscall.SIGHUP)
defer signal.Stop(reloadSigChan)
tickSigChan := make(chan os.Signal, 1)
signal.Notify(tickSigChan, syscall.SIGUSR1)
defer signal.Stop(tickSigChan)
tickRate := localConfig.App.TickRate
ticker := time.NewTicker(time.Duration(tickRate) * time.Hour)
defer ticker.Stop()
wg.Add(1)
go func() {
daemon.Init()
defer wg.Done()
for {
select {
case <-ctx.Done():
daemon.Stop()
return
case <-reloadSigChan:
daemon.Reload()
case <-ticker.C:
daemon.Tick()
case <-tickSigChan:
daemon.Tick()
}
}
}()
// Cleanup on stop
sig := <-sigChannel
fmt.Printf("Program terminated with %v\n", sig.String())
stop()
wg.Wait()
return nil
}
func stop() {
cancel()
common.ClearPIDFile()
}
func stopDaemonCmd() error {
proc, err := common.DaemonProcess()
if err != nil {
return fmt.Errorf("error getting daemon process: %v", err)
}
err = proc.Signal(syscall.SIGTERM)
if err != nil {
return fmt.Errorf("error sending SIGTERM to daemon PID: %v", err)
}
return nil
}
func reloadDaemonCmd() error {
proc, err := common.DaemonProcess()
if err != nil {
return fmt.Errorf("error getting daemon process: %v", err)
}
err = proc.Signal(syscall.SIGHUP)
if err != nil {
return fmt.Errorf("error sending SIGHUP to daemon PID: %v", err)
}
return nil
}
func tickDaemonCmd() error {
proc, err := common.DaemonProcess()
if err != nil {
return fmt.Errorf("error getting daemon process: %v", err)
}
err = proc.Signal(syscall.SIGUSR1)
if err != nil {
return fmt.Errorf("error sending SIGUSR1 to daemon PID: %v", err)
}
return nil
}
func daemonStatusCmd() error {
fmt.Println("Not implemented :/")
return nil
}

1
app/shared/install.go Normal file
View File

@@ -0,0 +1 @@
package shared

72
app/shared/util.go Normal file
View File

@@ -0,0 +1,72 @@
package shared
import (
"fmt"
"os"
"path/filepath"
"git.nevets.tech/Keys/certman/common"
"github.com/spf13/cobra"
)
func createFile(fileName string, filePermission os.FileMode, data []byte) {
fileInfo, err := os.Stat(fileName)
if err != nil {
if os.IsNotExist(err) {
file, err := os.Create(fileName)
if err != nil {
fmt.Println("Error creating configuration file: ", err)
os.Exit(1)
}
defer file.Close()
_, err = file.Write(data)
if err != nil {
fmt.Println("Error writing to file: ", err)
os.Exit(1)
}
err = file.Chmod(filePermission)
if err != nil {
fmt.Println("Error changing file permission: ", err)
}
} else {
fmt.Println("Error opening configuration file: ", err)
os.Exit(1)
}
} else {
if fileInfo.Size() == 0 {
file, err := os.Create(fileName)
if err != nil {
fmt.Println("Error creating configuration file: ", err)
os.Exit(1)
}
defer file.Close()
_, err = file.Write(data)
if err != nil {
fmt.Println("Error writing to file:", err)
os.Exit(1)
}
}
}
}
// DomainCertsDirWConf Can return ErrBlankConfigEntry or other errors
func DomainCertsDirWConf(domain string, domainConfig *common.DomainConfig) string {
var effectiveDataRoot string
if domainConfig.Certificates.DataRoot == "" {
effectiveDataRoot = config.Certificates.DataRoot
} else {
effectiveDataRoot = domainConfig.Certificates.DataRoot
}
return filepath.Join(effectiveDataRoot, "certificates", domain)
}
func basicCmd(use, short string, commandFunc func(cmd *cobra.Command, args []string)) *cobra.Command {
return &cobra.Command{
Use: use,
Short: short,
Run: commandFunc,
}
}

109
client/certificates.go Normal file
View File

@@ -0,0 +1,109 @@
package client
import (
"fmt"
"io"
"os"
"path/filepath"
"strings"
"git.nevets.tech/Keys/certman/common"
)
func PullCerts(config *common.AppConfig, domainConfig *common.DomainConfig, gitWorkspace *common.GitWorkspace) error {
// Ex: https://git.example.com/Org/Repo-suffix.git
// Clones repo and stores in gitWorkspace, skip if clone fails (doesn't exist?)
repoUrl := config.Git.Server + "/" + config.Git.OrgName + "/" + gitWorkspace.Domain + domainConfig.Repo.RepoSuffix + ".git"
err := common.CloneRepo(repoUrl, gitWorkspace, common.Client, config)
if err != nil {
return fmt.Errorf("Error cloning domain repo %s: %v\n", gitWorkspace.Domain, err)
}
return nil
}
func DecryptAndWriteCertificates(certsDir string, config *common.AppConfig, domainConfig *common.DomainConfig, gitWorkspace *common.GitWorkspace) error {
// Get files in repo
fileInfos, err := gitWorkspace.FS.ReadDir("/")
if err != nil {
return fmt.Errorf("Error reading directory in memFS on domain %s: %v\n", gitWorkspace.Domain, err)
}
// Iterate over files, filtering by .crpt (encrypted) files in case other files were accidentally added
for _, fileInfo := range fileInfos {
if strings.HasSuffix(fileInfo.Name(), ".crpt") {
filename, _ := strings.CutSuffix(fileInfo.Name(), ".crpt")
file, err := gitWorkspace.FS.Open(fileInfo.Name())
if err != nil {
fmt.Printf("Error opening file in memFS on domain %s: %v\n", gitWorkspace.Domain, err)
continue
}
fileBytes, err := io.ReadAll(file)
if err != nil {
fmt.Printf("Error reading file in memFS on domain %s: %v\n", gitWorkspace.Domain, err)
file.Close()
continue
}
err = file.Close()
if err != nil {
fmt.Printf("Error closing file on domain %s: %v\n", gitWorkspace.Domain, err)
continue
}
err = common.DecryptFileFromBytes(domainConfig.Certificates.CryptoKey, fileBytes, filepath.Join(certsDir, filename), nil)
if err != nil {
fmt.Printf("Error decrypting file %s in domain %s: %v\n", filename, gitWorkspace.Domain, err)
continue
}
headRef, err := gitWorkspace.Repo.Head()
if err != nil {
fmt.Printf("Error getting head reference for domain %s: %v\n", gitWorkspace.Domain, err)
continue
}
err = common.WriteCommitHash(headRef.Hash().String(), config, domainConfig)
if err != nil {
fmt.Printf("Error writing commit hash: %v\n", err)
continue
}
}
}
return nil
}
func DecryptCertificates(certPath, cryptoKey string) error {
// Get files in repo
fileInfos, err := os.ReadDir(certPath)
if err != nil {
return fmt.Errorf("error reading directory: %v", err)
}
// Iterate over files, filtering by .crpt (encrypted) files in case other files were accidentally added
for _, fileInfo := range fileInfos {
if strings.HasSuffix(fileInfo.Name(), ".crpt") {
filename, _ := strings.CutSuffix(fileInfo.Name(), ".crpt")
file, err := os.OpenFile(fileInfo.Name(), os.O_RDONLY, 0640)
if err != nil {
fmt.Printf("Error opening file: %v\n", err)
continue
}
fileBytes, err := io.ReadAll(file)
if err != nil {
fmt.Printf("Error reading file: %v\n", err)
file.Close()
continue
}
err = file.Close()
if err != nil {
fmt.Printf("Error closing file: %v\n", err)
continue
}
err = common.DecryptFileFromBytes(cryptoKey, fileBytes, filepath.Join(certPath, filename), nil)
if err != nil {
fmt.Printf("Error decrypting file %s: %v\n", filename, err)
continue
}
}
}
return nil
}

44
client/git.go Normal file
View File

@@ -0,0 +1,44 @@
package client
import (
"errors"
"fmt"
"os"
"path/filepath"
"strings"
"git.nevets.tech/Keys/certman/common"
)
func LocalCommitHash(domain string, certsDir string) (string, error) {
data, err := os.ReadFile(filepath.Join(certsDir, "hash"))
if err != nil {
if !os.IsNotExist(err) {
fmt.Printf("Error reading file for domain %s: %v\n", domain, err)
return "", err
}
}
return strings.TrimSpace(string(data)), nil
}
func RemoteCommitHash(domain string, gitSource common.GitSource, config *common.AppConfig, domainConfig *common.DomainConfig) (string, error) {
switch gitSource {
case common.Gitea:
return getRemoteCommitHashGitea(config.Git.OrgName, domain+domainConfig.Repo.RepoSuffix, "master", config)
default:
fmt.Printf("Unimplemented git source %v\n", gitSource)
return "", errors.New("unimplemented git source")
}
}
func getRemoteCommitHashGitea(org, repo, branchName string, config *common.AppConfig) (string, error) {
giteaClient := common.CreateGiteaClient(config)
branch, _, err := giteaClient.GetRepoBranch(org, repo, branchName)
if err != nil {
fmt.Printf("Error getting repo branch: %v\n", err)
return "", err
}
//TODO catch repo not found as ErrRepoNotInit
return branch.Commit.ID, nil
}

41
cmd/bundle/main.go Normal file
View File

@@ -0,0 +1,41 @@
package main
import (
"fmt"
"os"
"git.nevets.tech/Keys/certman/app/executor"
"git.nevets.tech/Keys/certman/app/shared"
"github.com/spf13/cobra"
)
//TODO create logic for gh vs gt repos
func main() {
rootCmd := &cobra.Command{
Use: "certman",
Short: "CertMan",
Long: "Certificate Manager",
RunE: func(cmd *cobra.Command, args []string) error {
return cmd.Help()
},
}
rootCmd.AddCommand(shared.VersionCmd)
rootCmd.AddCommand(shared.NewKeyCmd)
rootCmd.AddCommand(shared.DevCmd)
rootCmd.AddCommand(shared.NewDomainCmd)
rootCmd.AddCommand(shared.InstallCmd)
rootCmd.AddCommand(shared.CertCmd)
rootCmd.AddCommand(executor.ExecutorCmd)
rootCmd.AddCommand(shared.DaemonCmd)
if err := rootCmd.Execute(); err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
}

18
cmd/client/commands.go Normal file
View File

@@ -0,0 +1,18 @@
package main
import (
"git.nevets.tech/Keys/certman/app/client"
"git.nevets.tech/Keys/certman/app/shared"
"github.com/spf13/cobra"
)
func init() {
shared.DaemonCmd.AddCommand(&cobra.Command{
Use: "start",
Short: "Start the daemon",
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
return shared.RunDaemonCmd(&client.Daemon{})
},
})
}

36
cmd/client/main.go Normal file
View File

@@ -0,0 +1,36 @@
package main
import (
"fmt"
"os"
"git.nevets.tech/Keys/certman/app/shared"
"github.com/spf13/cobra"
)
func main() {
rootCmd := &cobra.Command{
Use: "certman",
Short: "CertMan",
Long: "Certificate Manager",
RunE: func(cmd *cobra.Command, args []string) error {
return cmd.Help()
},
}
rootCmd.AddCommand(shared.VersionCmd)
rootCmd.AddCommand(shared.NewKeyCmd)
rootCmd.AddCommand(shared.DevCmd)
rootCmd.AddCommand(shared.NewDomainCmd)
rootCmd.AddCommand(shared.InstallCmd)
rootCmd.AddCommand(shared.CertCmd)
rootCmd.AddCommand(shared.DaemonCmd)
if err := rootCmd.Execute(); err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
}

7
cmd/executor/main.go Normal file
View File

@@ -0,0 +1,7 @@
package main
import "fmt"
func main() {
fmt.Println("Hello Executor")
}

18
cmd/server/commands.go Normal file
View File

@@ -0,0 +1,18 @@
package main
import (
"git.nevets.tech/Keys/certman/app/server"
"git.nevets.tech/Keys/certman/app/shared"
"github.com/spf13/cobra"
)
func init() {
shared.DaemonCmd.AddCommand(&cobra.Command{
Use: "start",
Short: "Start the daemon",
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
return shared.RunDaemonCmd(&server.Daemon{})
},
})
}

7
cmd/server/main.go Normal file
View File

@@ -0,0 +1,7 @@
package main
import "fmt"
func main() {
fmt.Println("Hello server")
}

494
commands.go
View File

@@ -1,494 +0,0 @@
package main
import (
"context"
"errors"
"fmt"
"io"
"log"
"os"
"os/exec"
"os/signal"
"os/user"
"path/filepath"
"strconv"
"strings"
"syscall"
"time"
"github.com/go-git/go-billy/v5/memfs"
"github.com/go-git/go-git/v5/storage/memory"
"github.com/spf13/cobra"
)
func devFunc(cmd *cobra.Command, args []string) {
testDomain := "lunamc.org"
//config, err = ezconf.LoadConfiguration("/etc/certman/certman.conf")
err := LoadConfig("/etc/certman/certman.conf")
if err != nil {
log.Fatalf("Error loading configuration: %v\n", err)
}
err = LoadDomainConfigs()
if err != nil {
log.Fatalf("Error loading configs: %v\n", err)
}
fmt.Println(testDomain)
}
func versionResponse(cmd *cobra.Command, args []string) {
fmt.Println("CertManager (certman) - Steven Tracey\nVersion: " + version + " build-" + build)
}
func newKey(cmd *cobra.Command, args []string) {
key, err := GenerateKey()
if err != nil {
log.Fatalf("%v", err)
}
fmt.Printf(key)
}
func newDomain(domain, domainDir string, dirOverridden bool) error {
//TODO add config option for "overriden dir"
fmt.Printf("Creating new domain %s\n", domain)
err := createNewDomainConfig(domain)
if err != nil {
return err
}
createNewDomainCertsDir(domain, domainDir, dirOverridden)
certmanUser, err := user.Lookup("certman")
if err != nil {
return fmt.Errorf("error getting user certman: %v", err)
}
uid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Uid))
if err != nil {
return err
}
gid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Gid))
if err != nil {
return err
}
err = ChownRecursive("/etc/certman/domains", uid, gid)
if err != nil {
return err
}
err = ChownRecursive("/var/local/certman", uid, gid)
if err != nil {
return err
}
fmt.Println("Successfully created domain entry for " + domain + "\nUpdate config file as needed in /etc/certman/domains/" + domain + ".conf\n")
return nil
}
func install(isThin bool, mode string) error {
if !isThin {
if os.Geteuid() != 0 {
return fmt.Errorf("installation must be run as root")
}
makeDirs()
createNewConfig(mode)
f, err := os.OpenFile("/var/run/certman.pid", os.O_RDONLY|os.O_CREATE, 0755)
if err != nil {
return fmt.Errorf("error creating pid file: %v", err)
}
err = f.Close()
if err != nil {
return fmt.Errorf("error closing pid file: %v", err)
}
newUserCmd := exec.Command("useradd", "-d", "/var/local/certman", "-U", "-r", "-s", "/sbin/nologin", "certman")
if output, err := newUserCmd.CombinedOutput(); err != nil {
return fmt.Errorf("error creating user: %v: output %s", err, output)
}
certmanUser, err := user.Lookup("certman")
if err != nil {
return fmt.Errorf("error getting user certman: %v", err)
}
uid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Uid))
if err != nil {
return err
}
gid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Gid))
if err != nil {
return err
}
err = ChownRecursive("/etc/certman", uid, gid)
if err != nil {
return fmt.Errorf("error changing uid/gid: %v", err)
}
err = ChownRecursive("/var/local/certman", uid, gid)
if err != nil {
return fmt.Errorf("error changing uid/gid: %v", err)
}
err = os.Chown("/var/run/certman.pid", uid, gid)
if err != nil {
return fmt.Errorf("error changing uid/gid: %v", err)
}
} else {
createNewConfig(mode)
}
return nil
}
func renewCertFunc(domain string, noPush bool) error {
err := LoadConfig("/etc/certman/certman.conf")
if err != nil {
return err
}
err = LoadDomainConfigs()
if err != nil {
return err
}
switch config.GetString("App.mode") {
case "server":
mgr, err = NewACMEManager()
if err != nil {
return err
}
err = renewCerts(domain, noPush)
if err != nil {
return err
}
return reloadDaemon()
case "client":
return pullCerts(domain)
default:
return fmt.Errorf("invalid operating mode %s", config.GetString("App.mode"))
}
}
func renewCerts(domain string, noPush bool) error {
_, err := mgr.RenewForDomain(domain)
if err != nil {
// if no existing cert, obtain instead
_, err = mgr.ObtainForDomain(domain)
if err != nil {
return fmt.Errorf("error obtaining domain certificates for domain %s: %v", domain, err)
}
}
domainConfig, exists := domainStore.Get(domain)
if !exists {
return fmt.Errorf("domain %s does not exist", domain)
}
domainConfig.Set("Internal.last_issued", time.Now().UTC().Unix())
err = WriteDomainConfig(domainConfig)
if err != nil {
return fmt.Errorf("error saving domain config %s: %v", domain, err)
}
err = EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.certsRoot, domain, domain+".crt"), filepath.Join(mgr.certsRoot, domain, domain+".crt.crpt"), nil)
if err != nil {
return fmt.Errorf("error encrypting domain cert for domain %s: %v", domain, err)
}
err = EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.certsRoot, domain, domain+".key"), filepath.Join(mgr.certsRoot, domain, domain+".key.crpt"), nil)
if err != nil {
return fmt.Errorf("error encrypting domain key for domain %s: %v", domain, err)
}
if !noPush {
giteaClient := createGiteaClient()
if giteaClient == nil {
return fmt.Errorf("error creating gitea client for domain %s: %v", domain, err)
}
gitWorkspace := &GitWorkspace{
Storage: memory.NewStorage(),
FS: memfs.New(),
}
var repoUrl string
if !domainConfig.GetBool("Internal.repo_exists") {
repoUrl = createGiteaRepo(domain, giteaClient)
if repoUrl == "" {
return fmt.Errorf("error creating Gitea repo for domain %s", domain)
}
domainConfig.Set("Internal.repo_exists", true)
err = WriteDomainConfig(domainConfig)
if err != nil {
return fmt.Errorf("error saving domain config %s: %v", domain, err)
}
err = initRepo(repoUrl, gitWorkspace)
if err != nil {
return fmt.Errorf("error initializing repo for domain %s: %v", domain, err)
}
} else {
repoUrl = config.GetString("Git.server") + "/" + config.GetString("Git.org_name") + "/" + domain + domainConfig.GetString("Repo.repo_suffix") + ".git"
err = cloneRepo(repoUrl, gitWorkspace)
if err != nil {
return fmt.Errorf("error cloning repo for domain %s: %v", domain, err)
}
}
err = addAndPushCerts(domain, gitWorkspace)
if err != nil {
return fmt.Errorf("error pushing certificates for domain %s: %v", domain, err)
}
fmt.Printf("Successfully pushed certificates for domain %s\n", domain)
}
return nil
}
func pullCerts(domain string) error {
gitWorkspace := &GitWorkspace{
Storage: memory.NewStorage(),
FS: memfs.New(),
}
domainConfig, exists := domainStore.Get(domain)
if !exists {
return fmt.Errorf("domain %s does not exist", domain)
}
// Ex: https://git.example.com/Org/Repo-suffix.git
// Clones repo and stores in gitWorkspace, skip if clone fails (doesn't exist?)
repoUrl := config.GetString("Git.server") + "/" + config.GetString("Git.org_name") + "/" + domain + domainConfig.GetString("Repo.repo_suffix") + ".git"
err := cloneRepo(repoUrl, gitWorkspace)
if err != nil {
return fmt.Errorf("Error cloning domain repo %s: %v\n", domain, err)
}
certsDir, err := getDomainCertsDirWConf(domain, domainConfig)
if err != nil {
return fmt.Errorf("Error getting certificates dir for domain %s: %v\n", domain, err)
}
// Get files in repo
fileInfos, err := gitWorkspace.FS.ReadDir("/")
if err != nil {
return fmt.Errorf("Error reading directory in memFS on domain %s: %v\n", domain, err)
}
// Iterate over files, filtering by .crpt (encrypted) files in case other files were accidentally added
for _, fileInfo := range fileInfos {
if strings.HasSuffix(fileInfo.Name(), ".crpt") {
filename, _ := strings.CutSuffix(fileInfo.Name(), ".crpt")
file, err := gitWorkspace.FS.Open(fileInfo.Name())
if err != nil {
fmt.Printf("Error opening file in memFS on domain %s: %v\n", domain, err)
continue
}
fileBytes, err := io.ReadAll(file)
if err != nil {
fmt.Printf("Error reading file in memFS on domain %s: %v\n", domain, err)
file.Close()
continue
}
err = file.Close()
if err != nil {
fmt.Printf("Error closing file on domain %s: %v\n", domain, err)
continue
}
err = DecryptFileFromBytes(domainConfig.GetString("Certificates.crypto_key"), fileBytes, filepath.Join(certsDir, filename), nil)
if err != nil {
fmt.Printf("Error decrypting file %s in domain %s: %v\n", filename, domain, err)
continue
}
headRef, err := gitWorkspace.Repo.Head()
if err != nil {
fmt.Printf("Error getting head reference for domain %s: %v\n", domain, err)
continue
}
err = writeCommitHash(headRef.Hash().String(), domainConfig)
if err != nil {
fmt.Printf("Error writing commit hash: %v\n", err)
continue
}
certLinks := domainConfig.GetStringSlice("Certificates.cert_symlinks")
for _, certLink := range certLinks {
if certLink == "" {
continue
}
linkInfo, err := os.Stat(certLink)
if err != nil {
if !os.IsNotExist(err) {
fmt.Printf("Error stating cert link %s: %v\n", certLink, err)
continue
}
}
if linkInfo.IsDir() {
certLink = filepath.Join(certLink, domain+".crt")
}
err = os.Link(filepath.Join(certsDir, domain+".crt"), certLink)
if err != nil {
fmt.Printf("Error linking cert %s to %s: %v\n", certLink, domain, err)
continue
}
}
keyLinks := domainConfig.GetStringSlice("Certificates.key_symlinks")
for _, keyLink := range keyLinks {
if keyLink == "" {
continue
}
linkInfo, err := os.Stat(keyLink)
if err != nil {
if !os.IsNotExist(err) {
fmt.Printf("Error stating key link %s: %v\n", keyLink, err)
continue
}
}
if linkInfo.IsDir() {
keyLink = filepath.Join(keyLink, domain+".crt")
}
err = os.Link(filepath.Join(certsDir, domain+".crt"), keyLink)
if err != nil {
fmt.Printf("Error linking cert %s to %s: %v\n", keyLink, domain, err)
continue
}
}
}
}
return nil
}
func runDaemon() error {
err := createOrUpdatePIDFile("/var/run/certman.pid")
if err != nil {
if errors.Is(err, ErrorPIDInUse) {
return fmt.Errorf("daemon process is already running")
}
return fmt.Errorf("error creating pidfile: %v", err)
}
ctx, cancel = context.WithCancel(context.Background())
// Check if main config exists
if _, err := os.Stat(configFile); os.IsNotExist(err) {
return fmt.Errorf("main config file not found, please run 'certman --install', then properly configure /etc/certman/certman.conf")
} else if err != nil {
return fmt.Errorf("error opening %s: %v", configFile, err)
}
err = LoadConfig(configFile)
if err != nil {
return fmt.Errorf("error loading configuration: %v", err)
}
// Setup SIGINT and SIGTERM listeners
sigChannel := make(chan os.Signal, 1)
signal.Notify(sigChannel, syscall.SIGINT, syscall.SIGTERM)
defer signal.Stop(sigChannel)
reloadSigChan := make(chan os.Signal, 1)
signal.Notify(reloadSigChan, syscall.SIGHUP)
defer signal.Stop(reloadSigChan)
tickSigChan := make(chan os.Signal, 1)
signal.Notify(tickSigChan, syscall.SIGUSR1)
defer signal.Stop(tickSigChan)
tickRate := config.GetInt("App.tick_rate")
ticker := time.NewTicker(time.Duration(tickRate) * time.Hour)
defer ticker.Stop()
wg.Add(1)
if config.GetString("App.mode") == "server" {
fmt.Println("Starting CertManager in server mode...")
// Server Task loop
go func() {
initServer()
defer wg.Done()
for {
select {
case <-ctx.Done():
stopServer()
return
case <-reloadSigChan:
reloadServer()
case <-ticker.C:
serverTick()
case <-tickSigChan:
serverTick()
}
}
}()
} else if config.GetString("App.mode") == "client" {
fmt.Println("Starting CertManager in client mode...")
// Client Task loop
go func() {
initClient()
defer wg.Done()
for {
select {
case <-ctx.Done():
stopClient()
return
case <-reloadSigChan:
reloadClient()
case <-ticker.C:
clientTick()
}
}
}()
} else {
return fmt.Errorf("invalid operating mode \"" + config.GetString("App.mode") + "\"")
}
// Cleanup on stop
sig := <-sigChannel
fmt.Printf("Program terminated with %v\n", sig.String())
stop()
wg.Wait()
return nil
}
func stop() {
cancel()
clearPIDFile()
}
func stopDaemon() error {
proc, err := getDaemonProcess()
if err != nil {
return fmt.Errorf("error getting daemon process: %v", err)
}
err = proc.Signal(syscall.SIGTERM)
if err != nil {
return fmt.Errorf("error sending SIGTERM to daemon PID: %v", err)
}
return nil
}
func reloadDaemon() error {
proc, err := getDaemonProcess()
if err != nil {
return fmt.Errorf("error getting daemon process: %v", err)
}
err = proc.Signal(syscall.SIGHUP)
if err != nil {
return fmt.Errorf("error sending SIGHUP to daemon PID: %v", err)
}
return nil
}
func tickDaemon() error {
proc, err := getDaemonProcess()
if err != nil {
return fmt.Errorf("error getting daemon process: %v", err)
}
err = proc.Signal(syscall.SIGUSR1)
if err != nil {
return fmt.Errorf("error sending SIGUSR1 to daemon PID: %v", err)
}
return nil
}
func statusDaemon() error {
fmt.Println("Not implemented :/")
return nil
}

6
common/buildinfo.go Normal file
View File

@@ -0,0 +1,6 @@
package common
var (
Version = "dev"
Build = "local"
)

71
common/config.go Normal file
View File

@@ -0,0 +1,71 @@
package common
// ---------------------------------------------------------------------------
// Default config templates
// ---------------------------------------------------------------------------
type AppConfig struct {
App App `mapstructure:"app" toml:"app"`
Certificates Certificates `mapstructure:"certificates" toml:"certificates"`
Cloudflare Cloudflare `mapstructure:"cloudflare" toml:"cloudflare"`
Git Git `mapstructure:"git" toml:"git"`
}
type App struct {
Mode string `mapstructure:"mode" toml:"mode"`
TickRate int `mapstructure:"tick_rate" toml:"tick_rate"`
UUID string `mapstructure:"uuid" toml:"uuid"`
}
type Git struct {
Host string `mapstructure:"host" toml:"host"`
Server string `mapstructure:"server" toml:"server"`
Username string `mapstructure:"username" toml:"username"`
APIToken string `mapstructure:"api_token" toml:"api_token"`
OrgName string `mapstructure:"org_name" toml:"org_name"`
}
type Certificates struct {
DataRoot string `mapstructure:"data_root" toml:"data_root"`
Email string `mapstructure:"email" toml:"email"`
CADirURL string `mapstructure:"ca_dir_url" toml:"ca_dir_url"`
}
type Cloudflare struct {
CFEmail string `mapstructure:"cf_email" toml:"cf_email"`
CFAPIKey string `mapstructure:"cf_api_key" toml:"cf_api_key"`
}
type DomainConfig struct {
Domain DomainCfg `mapstructure:"domain" toml:"domain"`
Certificates DomainCerts `mapstructure:"certificates" toml:"certificates"`
Repo Repo `mapstructure:"repo" toml:"repo"`
Internal Internal `mapstructure:"shared" toml:"shared"`
}
type DomainCfg struct {
DomainName string `mapstructure:"domain_name" toml:"domain_name"`
Enabled bool `mapstructure:"enabled" toml:"enabled"`
DNSServer string `mapstructure:"dns_server" toml:"dns_server"`
}
type DomainCerts struct {
DataRoot string `mapstructure:"data_root" toml:"data_root"`
RequestMethod string `mapstructure:"request_method" toml:"request_method"`
CryptoKey string `mapstructure:"crypto_key" toml:"crypto_key"`
Expiry int `mapstructure:"expiry" toml:"expiry"`
RenewPeriod int `mapstructure:"renew_period" toml:"renew_period"`
SubDomains []string `mapstructure:"sub_domains" toml:"sub_domains"`
CertSymlinks []string `mapstructure:"cert_symlinks" toml:"cert_symlinks"`
KeySymlinks []string `mapstructure:"key_symlinks" toml:"key_symlinks"`
}
type Repo struct {
RepoSuffix string `mapstructure:"repo_suffix" toml:"repo_suffix"`
}
type Internal struct {
LastIssued int64 `mapstructure:"last_issued" toml:"last_issued"`
RepoExists bool `mapstructure:"repo_exists" toml:"repo_exists"`
Status string `mapstructure:"status" toml:"status"`
}

35
crypto.go → common/crypto.go
View File

@@ -1,4 +1,4 @@
package main
package common
import (
"crypto/rand"
@@ -68,39 +68,6 @@ func EncryptFileXChaCha(keyB64, inPath, outPath string, aad []byte) error {
return nil
}
func DecryptFileXChaCha(keyB64, inPath, outPath string, aad []byte) error {
key, err := decodeKey(keyB64)
if err != nil {
return err
}
aead, err := chacha20poly1305.NewX(key)
if err != nil {
return fmt.Errorf("new aead: %w", err)
}
in, err := os.ReadFile(inPath)
if err != nil {
return fmt.Errorf("read input: %w", err)
}
if len(in) < chacha20poly1305.NonceSizeX {
return errors.New("ciphertext too short")
}
nonce := in[:chacha20poly1305.NonceSizeX]
ciphertext := in[chacha20poly1305.NonceSizeX:]
plaintext, err := aead.Open(nil, nonce, ciphertext, aad)
if err != nil {
return fmt.Errorf("decrypt/auth failed: %w", err)
}
if err := os.WriteFile(outPath, plaintext, 0640); err != nil {
return fmt.Errorf("write output: %w", err)
}
return nil
}
func DecryptFileFromBytes(keyB64 string, inBytes []byte, outPath string, aad []byte) error {
key, err := decodeKey(keyB64)
if err != nil {

311
common/git.go Normal file
View File

@@ -0,0 +1,311 @@
package common
import (
"errors"
"fmt"
"io"
"os"
"path/filepath"
"strings"
"time"
"code.gitea.io/sdk/gitea"
"github.com/go-git/go-billy/v5"
"github.com/go-git/go-git/v5"
gitconf "github.com/go-git/go-git/v5/config"
"github.com/go-git/go-git/v5/plumbing/object"
"github.com/go-git/go-git/v5/plumbing/transport/http"
"github.com/go-git/go-git/v5/storage/memory"
)
type CertManMode int
const (
Server CertManMode = iota
Client
)
type GitWorkspace struct {
Domain string
Repo *git.Repository
Storage *memory.Storage
FS billy.Filesystem
WorkTree *git.Worktree
}
type GitSource int
const (
Github GitSource = iota
Gitlab
Gitea
Gogs
Bitbucket
CodeCommit
)
var GitSourceName = map[GitSource]string{
Github: "github",
Gitlab: "gitlab",
Gitea: "gitea",
Gogs: "gogs",
Bitbucket: "bitbucket",
CodeCommit: "code-commit",
}
func StrToGitSource(s string) (GitSource, error) {
for k, v := range GitSourceName {
if v == s {
return k, nil
}
}
return GitSource(0), errors.New("invalid gitsource name")
}
//func createGithubClient() *github.Client {
// return github.NewClient(nil).WithAuthToken(config.GetString("Git.api_token"))
//}
func CreateGiteaClient(config *AppConfig) *gitea.Client {
client, err := gitea.NewClient(config.Git.Server, gitea.SetToken(config.Git.APIToken))
if err != nil {
fmt.Printf("Error connecting to gitea instance: %v\n", err)
return nil
}
return client
}
//func createGithubRepo(domain *Domain, Client *github.Client) string {
// name := domain.name
// owner := domain.config.GetString("Repo.owner")
// description := domain.description
// private := true
// includeAllBranches := false
//
// ctx := context.Background()
// template := &github.TemplateRepoRequest{
// Name: name,
// Owner: &owner,
// Description: description,
// Private: &private,
// IncludeAllBranches: &includeAllBranches,
// }
// repo, _, err := Client.Repositories.CreateFromTemplate(ctx, config.GetString("Git.org_name"), config.GetString("Git.template_name"), template)
// if err != nil {
// fmt.Println("Error creating repository from template,", err)
// return ""
// }
// return *repo.CloneURL
//}
func CreateGiteaRepo(domain string, giteaClient *gitea.Client, config *AppConfig, domainConfig *DomainConfig) string {
options := gitea.CreateRepoOption{
Name: domain + domainConfig.Repo.RepoSuffix,
Description: "Certificate storage for " + domain,
Private: true,
IssueLabels: "",
AutoInit: false,
Template: false,
Gitignores: "",
License: "",
Readme: "",
DefaultBranch: "master",
TrustModel: gitea.TrustModelDefault,
}
giteaRepo, _, err := giteaClient.CreateOrgRepo(config.Git.OrgName, options)
if err != nil {
fmt.Printf("Error creating repo: %v\n", err)
return ""
}
return giteaRepo.CloneURL
}
func InitRepo(url string, ws *GitWorkspace) error {
var err error
ws.Repo, err = git.Init(ws.Storage, ws.FS)
if err != nil {
fmt.Printf("Error initializing local repo: %v\n", err)
return err
}
_, err = ws.Repo.CreateRemote(&gitconf.RemoteConfig{
Name: "origin",
URLs: []string{url},
})
if err != nil && !errors.Is(err, git.ErrRemoteExists) {
fmt.Printf("Error creating remote origin repo: %v\n", err)
return err
}
ws.WorkTree, err = ws.Repo.Worktree()
if err != nil {
fmt.Printf("Error getting worktree from local repo: %v\n", err)
return err
}
return nil
}
func CloneRepo(url string, ws *GitWorkspace, certmanMode CertManMode, config *AppConfig) error {
creds := &http.BasicAuth{
Username: config.Git.Username,
Password: config.Git.APIToken,
}
var err error
ws.Repo, err = git.Clone(ws.Storage, ws.FS, &git.CloneOptions{URL: url, Auth: creds})
if err != nil {
fmt.Printf("Error cloning repo: %v\n", err)
}
ws.WorkTree, err = ws.Repo.Worktree()
if err != nil {
fmt.Printf("Error getting worktree from cloned repo: %v\n", err)
return err
}
if certmanMode == Server {
serverIdFile, err := ws.FS.OpenFile("/SERVER_ID", os.O_RDWR, 0640)
if err != nil {
if os.IsNotExist(err) {
fmt.Printf("server ID file not found for %s, adopting domain\n", url)
return nil
}
return err
}
serverIdBytes, err := io.ReadAll(serverIdFile)
if err != nil {
return err
}
serverId := strings.TrimSpace(string(serverIdBytes))
if serverId != config.App.UUID {
return fmt.Errorf("domain is already managed by server with uuid %s", serverId)
}
}
return nil
}
func AddAndPushCerts(domain string, ws *GitWorkspace, config *AppConfig, domainConfig *DomainConfig) error {
var dataRoot string
if domainConfig.Certificates.DataRoot == "" {
dataRoot = config.Certificates.DataRoot
} else {
dataRoot = domainConfig.Certificates.DataRoot
}
certFiles, err := os.ReadDir(dataRoot)
if err != nil {
fmt.Printf("Error reading from directory: %v\n", err)
return err
}
for _, entry := range certFiles {
if strings.HasSuffix(entry.Name(), ".crpt") {
file, err := ws.FS.Create(entry.Name())
if err != nil {
fmt.Printf("Error copying file to memfs: %v\n", err)
return err
}
certFile, err := os.ReadFile(filepath.Join(dataRoot, entry.Name()))
if err != nil {
fmt.Printf("Error reading file to memfs: %v\n", err)
file.Close()
return err
}
_, err = file.Write(certFile)
if err != nil {
fmt.Printf("Error writing to memfs: %v\n", err)
file.Close()
return err
}
_, err = ws.WorkTree.Add(file.Name())
if err != nil {
fmt.Printf("Error adding file %v: %v\n", file.Name(), err)
file.Close()
return err
}
err = file.Close()
if err != nil {
fmt.Printf("Error closing file: %v\n", err)
}
}
file, err := ws.FS.Create("/SERVER_ID")
if err != nil {
fmt.Printf("Error creating file in memfs: %v\n", err)
return err
}
_, err = file.Write([]byte(config.App.UUID))
if err != nil {
fmt.Printf("Error writing to memfs: %v\n", err)
file.Close()
return err
}
_, err = ws.WorkTree.Add(file.Name())
if err != nil {
fmt.Printf("Error adding file %v: %v\n", file.Name(), err)
file.Close()
return err
}
err = file.Close()
if err != nil {
fmt.Printf("Error closing file: %v\n", err)
}
}
status, err := ws.WorkTree.Status()
if err != nil {
fmt.Printf("Error getting repo status: %v\n", err)
return err
}
if status.IsClean() {
fmt.Printf("Repository is clean, skipping commit...\n")
return nil
}
fmt.Println("Work Tree Status:\n" + status.String())
signature := &object.Signature{
Name: "Cert Manager",
Email: config.Certificates.Email,
When: time.Now(),
}
_, err = ws.WorkTree.Commit("Update "+domain+" @ "+time.Now().Format("Mon Jan _2 2006 15:04:05 MST"), &git.CommitOptions{Author: signature, Committer: signature})
if err != nil {
fmt.Printf("Error committing certs: %v\n", err)
return err
}
creds := &http.BasicAuth{
Username: config.Git.Username,
Password: config.Git.APIToken,
}
err = ws.Repo.Push(&git.PushOptions{
Auth: creds,
Force: true,
RemoteName: "origin",
RefSpecs: []gitconf.RefSpec{
"refs/heads/master:refs/heads/master",
},
})
if err != nil {
fmt.Printf("Error pushing to origin: %v\n", err)
return err
}
fmt.Println("Successfully uploaded to " + config.Git.Server + "/" + config.Git.OrgName + "/" + domain + domainConfig.Repo.RepoSuffix + ".git")
return nil
}
func WriteCommitHash(hash string, config *AppConfig, domainConfig *DomainConfig) error {
var dataRoot string
if domainConfig.Certificates.DataRoot == "" {
dataRoot = config.Certificates.DataRoot
} else {
dataRoot = domainConfig.Certificates.DataRoot
}
err := os.WriteFile(filepath.Join(dataRoot, "hash"), []byte(hash), 0644)
if err != nil {
return err
}
return nil
}

191
util.go → common/util.go
View File

@@ -1,18 +1,18 @@
package main
package common
import (
"errors"
"fmt"
"io/fs"
"os"
"os/user"
"path/filepath"
"regexp"
"strconv"
"strings"
"syscall"
"code.gitea.io/sdk/gitea"
"github.com/google/go-github/v55/github"
"github.com/spf13/viper"
)
var (
@@ -23,9 +23,8 @@ var (
type Domain struct {
name *string
config *viper.Viper
config *AppConfig
description *string
ghClient *github.Client
gtClient *gitea.Client
}
@@ -44,7 +43,7 @@ func createPIDFile() {
}
// 0x02
func clearPIDFile() {
func ClearPIDFile() {
file, err := os.OpenFile("/var/run/certman.pid", os.O_RDWR|os.O_CREATE, 0644)
if err != nil {
fmt.Printf("0x02: Error opening PID file: %v\n", err)
@@ -60,7 +59,7 @@ func clearPIDFile() {
}
// 0x03
func createOrUpdatePIDFile(filename string) error {
func CreateOrUpdatePIDFile(filename string) error {
pidBytes, err := os.ReadFile(filename)
if err != nil {
fmt.Printf("0x03: Error reading PID file: %v\n", err)
@@ -142,7 +141,7 @@ func isProcessActive(pid int) (bool, error) {
}
// 0x05
func getDaemonProcess() (*os.Process, error) {
func DaemonProcess() (*os.Process, error) {
pidBytes, err := os.ReadFile("/var/run/certman.pid")
if err != nil {
fmt.Printf("0x05: Error getting PID from /var/run/certman.pid: %v\n", err)
@@ -169,68 +168,33 @@ func getDaemonProcess() (*os.Process, error) {
return proc, nil
}
func createFile(fileName string, filePermission os.FileMode, data []byte) {
fileInfo, err := os.Stat(fileName)
if err != nil {
if os.IsNotExist(err) {
file, err := os.Create(fileName)
if err != nil {
fmt.Println("Error creating configuration file: ", err)
os.Exit(1)
}
_, err = file.Write(data)
if err != nil {
fmt.Println("Error writing to file: ", err)
os.Exit(1)
}
err = file.Chmod(filePermission)
if err != nil {
fmt.Println("Error changing file permission: ", err)
}
} else {
fmt.Println("Error opening configuration file: ", err)
os.Exit(1)
}
} else {
if fileInfo.Size() == 0 {
file, err := os.Create(fileName)
if err != nil {
fmt.Println("Error creating configuration file: ", err)
os.Exit(1)
}
_, err = file.Write(data)
if err != nil {
fmt.Println("Error writing to file:", err)
os.Exit(1)
}
}
}
}
func linkFile(source, target, domain, extension string) error {
func LinkFile(source, target, domain, extension string) error {
if target == "" {
return ErrBlankCert
}
linkInfo, err := os.Stat(target)
if err != nil {
if !os.IsNotExist(err) {
return err
if os.IsNotExist(err) {
err = os.Symlink(source, target)
if err != nil {
return err
}
return nil
}
return err
}
if linkInfo.IsDir() {
target = filepath.Join(target, domain+extension)
err = os.Symlink(source, target)
if err != nil {
return err
}
}
err = os.Symlink(source, target)
if err != nil {
return err
}
return nil
}
func fileExists(path string) bool {
func FileExists(path string) bool {
_, err := os.Stat(path)
return err == nil
}
@@ -252,37 +216,12 @@ func insert(a []string, index int, value string) []string {
return a
}
func sanitizeDomainKey(s string) string {
func SanitizeDomainKey(s string) string {
s = strings.TrimSpace(strings.ToLower(s))
r := strings.NewReplacer("/", "_", "\\", "_", " ", "_", ":", "_")
return r.Replace(s)
}
// getDomainCertsDir Can return ErrBlankConfigEntry, ErrConfigNotFound, or other errors
func getDomainCertsDir(domain string) (string, error) {
domainConfig, exists := domainStore.Get(domain)
if !exists {
return "", ErrConfigNotFound
}
return getDomainCertsDirWConf(domain, domainConfig)
}
// getDomainCertsDir Can return ErrBlankConfigEntry or other errors
func getDomainCertsDirWConf(domain string, domainConfig *viper.Viper) (string, error) {
effectiveDataRoot, err := EffectiveString(domainConfig, "Certificates.data_root")
if err != nil {
return "", err
}
return filepath.Join(effectiveDataRoot, "certificates", domain), nil
}
func getDomainCertsDirWOnlyConf(domainConfig *viper.Viper) (string, error) {
domain := domainConfig.GetString("Domain.domain_name")
return getDomainCertsDirWConf(domain, domainConfig)
}
func ChownRecursive(path string, uid, gid int) error {
return filepath.WalkDir(path, func(name string, d fs.DirEntry, err error) error {
if err != nil {
@@ -292,3 +231,91 @@ func ChownRecursive(path string, uid, gid int) error {
return os.Chown(name, uid, gid)
})
}
func LookupGID(group string) (int, error) {
g, err := user.LookupGroup(group)
if err != nil {
return 0, err
}
return strconv.Atoi(g.Gid)
}
// MakeCredential resolves username/groupname to uid/gid for syscall.Credential.
// Note: actually *using* different credentials typically requires the server
// process to have appropriate privileges (often root).
func MakeCredential(username, groupname string) (*syscall.Credential, error) {
var uid, gid uint32
var haveUID, haveGID bool
if username != "" {
u, err := user.Lookup(username)
if err != nil {
return nil, fmt.Errorf("unknown user")
}
parsed, err := strconv.ParseUint(u.Uid, 10, 32)
if err != nil {
return nil, fmt.Errorf("bad uid")
}
uid = uint32(parsed)
haveUID = true
// If group not explicitly provided, default to user's primary group.
if groupname == "" && u.Gid != "" {
parsedG, err := strconv.ParseUint(u.Gid, 10, 32)
if err == nil {
gid = uint32(parsedG)
haveGID = true
}
}
}
if groupname != "" {
g, err := user.LookupGroup(groupname)
if err != nil {
return nil, fmt.Errorf("unknown group")
}
parsed, err := strconv.ParseUint(g.Gid, 10, 32)
if err != nil {
return nil, fmt.Errorf("bad gid")
}
gid = uint32(parsed)
haveGID = true
}
// If only group was provided, keep current uid.
if !haveUID {
uid = uint32(os.Getuid())
}
if !haveGID {
gid = uint32(os.Getgid())
}
return &syscall.Credential{Uid: uid, Gid: gid}, nil
}
func CertsDir(config *AppConfig, domainConfig *DomainConfig) string {
if config == nil {
return ""
}
if domainConfig == nil {
return ""
}
if domainConfig.Certificates.DataRoot == "" {
if config.Certificates.DataRoot == "" {
workDir, err := os.Getwd()
if err != nil {
return "./"
}
return workDir
}
return config.Certificates.DataRoot
}
return domainConfig.Certificates.DataRoot
}
var fqdnRegex = regexp.MustCompile(`^(?i:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$`)
func IsValidFQDN(domain string) bool {
return len(domain) <= 253 && fqdnRegex.MatchString(domain)
}

17
example.config.conf
View File

@@ -1,17 +0,0 @@
[App]
mode = {mode}
[Git]
host = gitea
server = https://gitea.instance.com
username = user
org_name = org
template_name = template
[Certificates]
email = user@example.com
data_root = /var/local/certman
request_method = dns
[Cloudflare]
cf_email = email@example.com

19
example.domainconfig.conf
View File

@@ -1,19 +0,0 @@
[Domain]
domain_name = {domain}
; default (use system dns) or IPv4 Address (1.1.1.1)
dns_server = default
; optionally use /path/to/directory
file_location = default
[Certificates]
subdomains =
expiry = 90
cert_symlink =
key_symlink =
[Repo]
repo_suffix = -certificates
; Don't change setting below here unless you know what you're doing!
[Internal]
last_issued = never

365
git.go
View File

@@ -1,365 +0,0 @@
package main
import (
"context"
"errors"
"fmt"
"io"
"os"
"path/filepath"
"strings"
"time"
"code.gitea.io/sdk/gitea"
"github.com/go-git/go-billy/v5"
"github.com/go-git/go-git/v5"
gitconf "github.com/go-git/go-git/v5/config"
"github.com/go-git/go-git/v5/plumbing/object"
"github.com/go-git/go-git/v5/plumbing/transport/http"
"github.com/go-git/go-git/v5/storage/memory"
"github.com/google/go-github/v55/github"
"github.com/spf13/viper"
)
type GitWorkspace struct {
Repo *git.Repository
Storage *memory.Storage
FS billy.Filesystem
WorkTree *git.Worktree
}
type GitSource int
const (
Github GitSource = iota
Gitlab
Gitea
Gogs
Bitbucket
CodeCommit
)
var GitSourceName = map[GitSource]string{
Github: "github",
Gitlab: "gitlab",
Gitea: "gitea",
Gogs: "gogs",
Bitbucket: "bitbucket",
CodeCommit: "code-commit",
}
func strToGitSource(s string) (GitSource, error) {
for k, v := range GitSourceName {
if v == s {
return k, nil
}
}
return GitSource(0), errors.New("invalid gitsource name")
}
func createGithubClient() *github.Client {
return github.NewClient(nil).WithAuthToken(config.GetString("Git.api_token"))
}
func createGiteaClient() *gitea.Client {
client, err := gitea.NewClient(config.GetString("Git.server"), gitea.SetToken(config.GetString("Git.api_token")))
if err != nil {
fmt.Printf("Error connecting to gitea instance: %v\n", err)
return nil
}
return client
}
func createGithubRepo(domain *Domain, client *github.Client) string {
name := domain.name
owner := domain.config.GetString("Repo.owner")
description := domain.description
private := true
includeAllBranches := false
ctx := context.Background()
template := &github.TemplateRepoRequest{
Name: name,
Owner: &owner,
Description: description,
Private: &private,
IncludeAllBranches: &includeAllBranches,
}
repo, _, err := client.Repositories.CreateFromTemplate(ctx, config.GetString("Git.org_name"), config.GetString("Git.template_name"), template)
if err != nil {
fmt.Println("Error creating repository from template,", err)
return ""
}
return *repo.CloneURL
}
func createGiteaRepo(domain string, giteaClient *gitea.Client) string {
domainConfig, exists := domainStore.Get(domain)
if !exists {
fmt.Printf("Domain %s config does not exist\n", domain)
return ""
}
options := gitea.CreateRepoOption{
Name: domain + domainConfig.GetString("Repo.repo_suffix"),
Description: "Certificate storage for " + domain,
Private: true,
IssueLabels: "",
AutoInit: false,
Template: false,
Gitignores: "",
License: "",
Readme: "",
DefaultBranch: "master",
TrustModel: gitea.TrustModelDefault,
}
giteaRepo, _, err := giteaClient.CreateOrgRepo(config.GetString("Git.org_name"), options)
if err != nil {
fmt.Printf("Error creating repo: %v\n", err)
return ""
}
return giteaRepo.CloneURL
}
func initRepo(url string, ws *GitWorkspace) error {
var err error
ws.Repo, err = git.Init(ws.Storage, ws.FS)
if err != nil {
fmt.Printf("Error initializing local repo: %v\n", err)
return err
}
_, err = ws.Repo.CreateRemote(&gitconf.RemoteConfig{
Name: "origin",
URLs: []string{url},
})
if err != nil && !errors.Is(err, git.ErrRemoteExists) {
fmt.Printf("Error creating remote origin repo: %v\n", err)
return err
}
ws.WorkTree, err = ws.Repo.Worktree()
if err != nil {
fmt.Printf("Error getting worktree from local repo: %v\n", err)
return err
}
return nil
}
func cloneRepo(url string, ws *GitWorkspace) error {
creds := &http.BasicAuth{
Username: config.GetString("Git.username"),
Password: config.GetString("Git.api_token"),
}
var err error
ws.Repo, err = git.Clone(ws.Storage, ws.FS, &git.CloneOptions{URL: url, Auth: creds})
if err != nil {
fmt.Printf("Error cloning repo: %v\n", err)
}
ws.WorkTree, err = ws.Repo.Worktree()
if err != nil {
fmt.Printf("Error getting worktree from cloned repo: %v\n", err)
return err
}
serverIdFile, err := ws.FS.OpenFile("/SERVER_ID", os.O_RDWR, 0640)
if err != nil {
if os.IsNotExist(err) {
fmt.Printf("Server ID file not found for %s, adopting domain\n", url)
return nil
}
return err
}
serverIdBytes, err := io.ReadAll(serverIdFile)
if err != nil {
return err
}
serverId := strings.TrimSpace(string(serverIdBytes))
if serverId != config.GetString("App.uuid") {
return fmt.Errorf("domain is already managed by server with uuid %s", serverId)
}
return nil
}
func addAndPushCerts(domain string, ws *GitWorkspace) error {
domainConfig, exists := domainStore.Get(domain)
if !exists {
fmt.Printf("Domain %s config does not exist\n", domain)
return ErrConfigNotFound
}
certsDir, err := getDomainCertsDirWConf(domain, domainConfig)
if err != nil {
if errors.Is(err, ErrConfigNotFound) {
fmt.Printf("Domain %s config not found: %v\n", domain, err)
return err
}
fmt.Printf("Error getting domain %s certs dir: %v\n", domain, err)
}
certFiles, err := os.ReadDir(certsDir)
if err != nil {
fmt.Printf("Error reading from directory: %v\n", err)
return err
}
for _, entry := range certFiles {
if strings.HasSuffix(entry.Name(), ".crpt") {
file, err := ws.FS.Create(entry.Name())
if err != nil {
fmt.Printf("Error copying file to memfs: %v\n", err)
return err
}
certFile, err := os.ReadFile(filepath.Join(certsDir, entry.Name()))
if err != nil {
fmt.Printf("Error reading file to memfs: %v\n", err)
file.Close()
return err
}
_, err = file.Write(certFile)
if err != nil {
fmt.Printf("Error writing to memfs: %v\n", err)
file.Close()
return err
}
_, err = ws.WorkTree.Add(file.Name())
if err != nil {
fmt.Printf("Error adding file %v: %v\n", file.Name(), err)
file.Close()
return err
}
err = file.Close()
if err != nil {
fmt.Printf("Error closing file: %v\n", err)
}
}
file, err := ws.FS.Create("/SERVER_ID")
if err != nil {
fmt.Printf("Error creating file in memfs: %v\n", err)
return err
}
_, err = file.Write([]byte(config.GetString("App.uuid")))
if err != nil {
fmt.Printf("Error writing to memfs: %v\n", err)
file.Close()
return err
}
_, err = ws.WorkTree.Add(file.Name())
if err != nil {
fmt.Printf("Error adding file %v: %v\n", file.Name(), err)
file.Close()
return err
}
err = file.Close()
if err != nil {
fmt.Printf("Error closing file: %v\n", err)
}
}
status, err := ws.WorkTree.Status()
if err != nil {
fmt.Printf("Error getting repo status: %v\n", err)
return err
}
if status.IsClean() {
fmt.Printf("Repository is clean, skipping commit...\n")
return nil
}
fmt.Println("Work Tree Status:\n" + status.String())
signature := &object.Signature{
Name: "Cert Manager",
Email: config.GetString("Certificates.email"),
When: time.Now(),
}
_, err = ws.WorkTree.Commit("Update "+domain+" @ "+time.Now().Format("Mon Jan _2 2006 15:04:05 MST"), &git.CommitOptions{Author: signature, Committer: signature})
if err != nil {
fmt.Printf("Error committing certs: %v\n", err)
return err
}
creds := &http.BasicAuth{
Username: config.GetString("Git.username"),
Password: config.GetString("Git.api_token"),
}
err = ws.Repo.Push(&git.PushOptions{
Auth: creds,
Force: true,
RemoteName: "origin",
RefSpecs: []gitconf.RefSpec{
"refs/heads/master:refs/heads/master",
},
})
if err != nil {
fmt.Printf("Error pushing to origin: %v\n", err)
return err
}
fmt.Println("Successfully uploaded to " + config.GetString("Git.server") + "/" + config.GetString("Git.org_name") + "/" + domain + domainConfig.GetString("Repo.repo_suffix") + ".git")
return nil
}
func writeCommitHash(hash string, domainConfig *viper.Viper) error {
certsDir, err := getDomainCertsDirWOnlyConf(domainConfig)
if err != nil {
if errors.Is(err, ErrConfigNotFound) {
return err
}
return err
}
err = os.WriteFile(filepath.Join(certsDir, "hash"), []byte(hash), 0644)
if err != nil {
return err
}
return nil
}
func getLocalCommitHash(domain string) (string, error) {
certsDir, err := getDomainCertsDir(domain)
if err != nil {
if errors.Is(err, ErrConfigNotFound) {
fmt.Printf("Domain %s config not found: %v\n", domain, err)
return "", err
}
fmt.Printf("Error getting domain %s certs dir: %v\n", domain, err)
}
data, err := os.ReadFile(filepath.Join(certsDir, "hash"))
if err != nil {
fmt.Printf("Error reading file for domain %s: %v\n", domain, err)
return "", err
}
return strings.TrimSpace(string(data)), nil
}
func getRemoteCommitHash(domain string, gitSource GitSource) (string, error) {
domainConfig, exists := domainStore.Get(domain)
if !exists {
fmt.Printf("Domain %s config does not exist\n", domain)
return "", ErrConfigNotFound
}
switch gitSource {
case Gitea:
return getRemoteCommitHashGitea(config.GetString("Git.org_name"), domain+domainConfig.GetString("Repo.repo_suffix"), "master")
default:
fmt.Printf("Unimplemented git source %v\n", gitSource)
return "", errors.New("unimplemented git source")
}
}
func getRemoteCommitHashGitea(org, repo, branchName string) (string, error) {
giteaClient := createGiteaClient()
branch, _, err := giteaClient.GetRepoBranch(org, repo, branchName)
if err != nil {
fmt.Printf("Error getting repo branch: %v\n", err)
return "", err
}
//TODO catch repo not found as ErrRepoNotInit
return branch.Commit.ID, nil
}

8
go.mod
View File

@@ -1,17 +1,19 @@
module main
module git.nevets.tech/Steven/certman
go 1.25.0
require (
code.gitea.io/sdk/gitea v0.23.2
github.com/coreos/go-systemd/v22 v22.7.0
github.com/go-acme/lego/v4 v4.32.0
github.com/go-git/go-billy/v5 v5.8.0
github.com/go-git/go-git/v5 v5.17.0
github.com/google/go-github/v55 v55.0.0
github.com/google/uuid v1.6.0
github.com/spf13/cobra v1.10.2
github.com/spf13/viper v1.21.0
golang.org/x/crypto v0.48.0
google.golang.org/grpc v1.78.0
google.golang.org/protobuf v1.36.11
)
require (
@@ -30,7 +32,6 @@ require (
github.com/go-jose/go-jose/v4 v4.1.3 // indirect
github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
github.com/google/go-querystring v1.2.0 // indirect
github.com/hashicorp/go-version v1.8.0 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
@@ -54,5 +55,6 @@ require (
golang.org/x/sys v0.41.0 // indirect
golang.org/x/text v0.34.0 // indirect
golang.org/x/tools v0.42.0 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
)

35
go.sum
View File

@@ -15,8 +15,12 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
github.com/coreos/go-systemd/v22 v22.7.0 h1:LAEzFkke61DFROc7zNLX/WA2i5J8gYqe0rSj9KI28KA=
github.com/coreos/go-systemd/v22 v22.7.0/go.mod h1:xNUYtjHu2EDXbsxz1i41wouACIwT7Ybq9o0BQhMwD0w=
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
@@ -50,17 +54,18 @@ github.com/go-git/go-git/v5 v5.17.0 h1:AbyI4xf+7DsjINHMu35quAh4wJygKBKBuXVjV/pxe
github.com/go-git/go-git/v5 v5.17.0/go.mod h1:f82C4YiLx+Lhi8eHxltLeGC5uBTXSFa6PC5WW9o4SjI=
github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
github.com/google/go-github/v55 v55.0.0 h1:4pp/1tNMB9X/LuAhs5i0KQAE40NmiR/y6prLNb9x9cg=
github.com/google/go-github/v55 v55.0.0/go.mod h1:JLahOTA1DnXzhxEymmFF5PP2tSS9JVNj68mSZNDwskA=
github.com/google/go-querystring v1.2.0 h1:yhqkPbu2/OH+V9BfpCVPZkNmUXhb2gBxJArfhIxNtP0=
github.com/google/go-querystring v1.2.0/go.mod h1:8IFJqpSRITyJ8QhQ13bmbeMBDfmeEJZD5A0egEOmkqU=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/hashicorp/go-version v1.8.0 h1:KAkNb1HAiZd1ukkxDFGmokVZe1Xy9HG6NUp+bPle2i4=
@@ -123,6 +128,18 @@ github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8
github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -163,6 +180,14 @@ golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 h1:Jr5R2J6F6qWyzINc+4AM8t5pfUz6beZpHp678GNrMbE=
google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=

171
main.go
View File

@@ -1,171 +0,0 @@
package main
import (
"context"
"fmt"
"os"
"regexp"
"sync"
"github.com/spf13/cobra"
)
var version = "1.0.0"
var build = "1"
var (
configFile string
ctx context.Context
cancel context.CancelFunc
wg sync.WaitGroup
)
var fqdnRegex = regexp.MustCompile(`^(?i:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$`)
//TODO create logic for gh vs gt repos
func main() {
rootCmd := &cobra.Command{
Use: "certman",
Short: "CertMan",
Long: "Certificate Manager",
RunE: func(cmd *cobra.Command, args []string) error {
return cmd.Help()
},
}
rootCmd.PersistentFlags().StringVarP(&configFile, "config", "c", "/etc/certman/certman.conf", "Configuration file")
rootCmd.AddCommand(basicCmd("version", "Show version", versionResponse))
rootCmd.AddCommand(basicCmd("gen-key", "Generates encryption key", newKey))
rootCmd.AddCommand(basicCmd("dev", "Dev Function", devFunc))
var domainCertDir string
newDomainCmd := &cobra.Command{
Use: "new-domain",
Short: "Create config and directories for new domain",
Args: cobra.ExactArgs(1),
SilenceUsage: true,
SilenceErrors: true,
RunE: func(cmd *cobra.Command, args []string) error {
dirOverridden := cmd.Flags().Changed("dir")
return newDomain(args[0], domainCertDir, dirOverridden)
},
}
newDomainCmd.Flags().StringVar(&domainCertDir, "dir", "/var/local/certman/certificates/", "Alternate directory for certificates")
rootCmd.AddCommand(newDomainCmd)
var (
modeFlag string
thinInstallFlag bool
)
installCmd := &cobra.Command{
Use: "install",
Short: "Create certman files and directories",
RunE: func(cmd *cobra.Command, args []string) error {
switch modeFlag {
case "server", "client":
return install(thinInstallFlag, modeFlag)
default:
return fmt.Errorf("invalid --mode %q (must be server or client)", modeFlag)
}
},
}
installCmd.Flags().StringVar(&modeFlag, "mode", "client", "CertManager mode [server, client]")
installCmd.Flags().BoolVarP(&thinInstallFlag, "thin", "t", false, "Thin install (skip creating dirs)")
rootCmd.AddCommand(installCmd)
certCmd := &cobra.Command{
Use: "cert",
Short: "Certificate management",
RunE: func(cmd *cobra.Command, args []string) error {
return cmd.Help()
},
}
var noPush bool
renewCertCmd := &cobra.Command{
Use: "renew",
Short: "Renews a domains certificate",
Args: cobra.ExactArgs(1),
RunE: func(cmd *cobra.Command, args []string) error {
return renewCertFunc(args[0], noPush)
},
}
renewCertCmd.Flags().BoolVar(&noPush, "no-push", false, "Don't push certs to repo, renew locally only [server mode only]")
certCmd.AddCommand(renewCertCmd)
rootCmd.AddCommand(certCmd)
daemonCmd := &cobra.Command{
Use: "daemon",
Short: "Daemon management",
RunE: func(cmd *cobra.Command, args []string) error {
return cmd.Help()
},
}
daemonCmd.AddCommand(&cobra.Command{
Use: "start",
Short: "Start the daemon",
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
return runDaemon()
},
})
daemonCmd.AddCommand(&cobra.Command{
Use: "stop",
Short: "Stop the daemon",
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
return stopDaemon()
},
})
daemonCmd.AddCommand(&cobra.Command{
Use: "reload",
Short: "Reload daemon configs",
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
return reloadDaemon()
},
})
daemonCmd.AddCommand(&cobra.Command{
Use: "tick",
Short: "Manually triggers daemon tick",
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
return tickDaemon()
},
})
daemonCmd.AddCommand(&cobra.Command{
Use: "status",
Short: "Show daemon status",
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
return statusDaemon()
},
})
rootCmd.AddCommand(daemonCmd)
if err := rootCmd.Execute(); err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
}
func basicCmd(use, short string, commandFunc func(cmd *cobra.Command, args []string)) *cobra.Command {
return &cobra.Command{
Use: use,
Short: short,
Run: commandFunc,
}
}
func IsValidFQDN(domain string) bool {
return len(domain) <= 253 && fqdnRegex.MatchString(domain)
}

27
proto/hook.proto Normal file
View File

@@ -0,0 +1,27 @@
syntax = "proto3";
package hooks.v1;
option go_package = "/v1";
service HookService {
rpc ExecuteHook(ExecuteHookRequest) returns (ExecuteHookResponse);
}
message Hook {
string name = 1;
repeated string command = 2;
string user = 3;
string group = 4;
string cwd = 5;
int32 timeout_seconds = 6;
map<string, string> env = 7;
}
message ExecuteHookRequest {
Hook hook = 1;
}
message ExecuteHookResponse {
string error = 1;
}

5
proto/symlink.proto Normal file
View File

@@ -0,0 +1,5 @@
syntax = "proto3";
package hooks.v1;
option go_package = "/v1";

280
proto/v1/hook.pb.go Normal file
View File

@@ -0,0 +1,280 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v6.30.2
// source: proto/hook.proto
package v1
import (
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
protoimpl "google.golang.org/protobuf/runtime/protoimpl"
reflect "reflect"
sync "sync"
unsafe "unsafe"
)
const (
// Verify that this generated code is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
// Verify that runtime/protoimpl is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)
type Hook struct {
state protoimpl.MessageState `protogen:"open.v1"`
Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
Command []string `protobuf:"bytes,2,rep,name=command,proto3" json:"command,omitempty"`
User string `protobuf:"bytes,3,opt,name=user,proto3" json:"user,omitempty"`
Group string `protobuf:"bytes,4,opt,name=group,proto3" json:"group,omitempty"`
Cwd string `protobuf:"bytes,5,opt,name=cwd,proto3" json:"cwd,omitempty"`
TimeoutSeconds int32 `protobuf:"varint,6,opt,name=timeout_seconds,json=timeoutSeconds,proto3" json:"timeout_seconds,omitempty"`
Env map[string]string `protobuf:"bytes,7,rep,name=env,proto3" json:"env,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
func (x *Hook) Reset() {
*x = Hook{}
mi := &file_proto_hook_proto_msgTypes[0]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
func (x *Hook) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*Hook) ProtoMessage() {}
func (x *Hook) ProtoReflect() protoreflect.Message {
mi := &file_proto_hook_proto_msgTypes[0]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use Hook.ProtoReflect.Descriptor instead.
func (*Hook) Descriptor() ([]byte, []int) {
return file_proto_hook_proto_rawDescGZIP(), []int{0}
}
func (x *Hook) GetName() string {
if x != nil {
return x.Name
}
return ""
}
func (x *Hook) GetCommand() []string {
if x != nil {
return x.Command
}
return nil
}
func (x *Hook) GetUser() string {
if x != nil {
return x.User
}
return ""
}
func (x *Hook) GetGroup() string {
if x != nil {
return x.Group
}
return ""
}
func (x *Hook) GetCwd() string {
if x != nil {
return x.Cwd
}
return ""
}
func (x *Hook) GetTimeoutSeconds() int32 {
if x != nil {
return x.TimeoutSeconds
}
return 0
}
func (x *Hook) GetEnv() map[string]string {
if x != nil {
return x.Env
}
return nil
}
type ExecuteHookRequest struct {
state protoimpl.MessageState `protogen:"open.v1"`
Hook *Hook `protobuf:"bytes,1,opt,name=hook,proto3" json:"hook,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
func (x *ExecuteHookRequest) Reset() {
*x = ExecuteHookRequest{}
mi := &file_proto_hook_proto_msgTypes[1]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
func (x *ExecuteHookRequest) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*ExecuteHookRequest) ProtoMessage() {}
func (x *ExecuteHookRequest) ProtoReflect() protoreflect.Message {
mi := &file_proto_hook_proto_msgTypes[1]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use ExecuteHookRequest.ProtoReflect.Descriptor instead.
func (*ExecuteHookRequest) Descriptor() ([]byte, []int) {
return file_proto_hook_proto_rawDescGZIP(), []int{1}
}
func (x *ExecuteHookRequest) GetHook() *Hook {
if x != nil {
return x.Hook
}
return nil
}
type ExecuteHookResponse struct {
state protoimpl.MessageState `protogen:"open.v1"`
Error string `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
func (x *ExecuteHookResponse) Reset() {
*x = ExecuteHookResponse{}
mi := &file_proto_hook_proto_msgTypes[2]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
func (x *ExecuteHookResponse) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*ExecuteHookResponse) ProtoMessage() {}
func (x *ExecuteHookResponse) ProtoReflect() protoreflect.Message {
mi := &file_proto_hook_proto_msgTypes[2]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use ExecuteHookResponse.ProtoReflect.Descriptor instead.
func (*ExecuteHookResponse) Descriptor() ([]byte, []int) {
return file_proto_hook_proto_rawDescGZIP(), []int{2}
}
func (x *ExecuteHookResponse) GetError() string {
if x != nil {
return x.Error
}
return ""
}
var File_proto_hook_proto protoreflect.FileDescriptor
const file_proto_hook_proto_rawDesc = "" +
"\n" +
"\x10proto/hook.proto\x12\bhooks.v1\"\xfc\x01\n" +
"\x04Hook\x12\x12\n" +
"\x04name\x18\x01 \x01(\tR\x04name\x12\x18\n" +
"\acommand\x18\x02 \x03(\tR\acommand\x12\x12\n" +
"\x04user\x18\x03 \x01(\tR\x04user\x12\x14\n" +
"\x05group\x18\x04 \x01(\tR\x05group\x12\x10\n" +
"\x03cwd\x18\x05 \x01(\tR\x03cwd\x12'\n" +
"\x0ftimeout_seconds\x18\x06 \x01(\x05R\x0etimeoutSeconds\x12)\n" +
"\x03env\x18\a \x03(\v2\x17.hooks.v1.Hook.EnvEntryR\x03env\x1a6\n" +
"\bEnvEntry\x12\x10\n" +
"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"8\n" +
"\x12ExecuteHookRequest\x12\"\n" +
"\x04hook\x18\x01 \x01(\v2\x0e.hooks.v1.HookR\x04hook\"+\n" +
"\x13ExecuteHookResponse\x12\x14\n" +
"\x05error\x18\x01 \x01(\tR\x05error2Y\n" +
"\vHookService\x12J\n" +
"\vExecuteHook\x12\x1c.hooks.v1.ExecuteHookRequest\x1a\x1d.hooks.v1.ExecuteHookResponseB\x05Z\x03/v1b\x06proto3"
var (
file_proto_hook_proto_rawDescOnce sync.Once
file_proto_hook_proto_rawDescData []byte
)
func file_proto_hook_proto_rawDescGZIP() []byte {
file_proto_hook_proto_rawDescOnce.Do(func() {
file_proto_hook_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_proto_hook_proto_rawDesc), len(file_proto_hook_proto_rawDesc)))
})
return file_proto_hook_proto_rawDescData
}
var file_proto_hook_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
var file_proto_hook_proto_goTypes = []any{
(*Hook)(nil), // 0: hooks.v1.Hook
(*ExecuteHookRequest)(nil), // 1: hooks.v1.ExecuteHookRequest
(*ExecuteHookResponse)(nil), // 2: hooks.v1.ExecuteHookResponse
nil, // 3: hooks.v1.Hook.EnvEntry
}
var file_proto_hook_proto_depIdxs = []int32{
3, // 0: hooks.v1.Hook.env:type_name -> hooks.v1.Hook.EnvEntry
0, // 1: hooks.v1.ExecuteHookRequest.hook:type_name -> hooks.v1.Hook
1, // 2: hooks.v1.HookService.ExecuteHook:input_type -> hooks.v1.ExecuteHookRequest
2, // 3: hooks.v1.HookService.ExecuteHook:output_type -> hooks.v1.ExecuteHookResponse
3, // [3:4] is the sub-list for method output_type
2, // [2:3] is the sub-list for method input_type
2, // [2:2] is the sub-list for extension type_name
2, // [2:2] is the sub-list for extension extendee
0, // [0:2] is the sub-list for field type_name
}
func init() { file_proto_hook_proto_init() }
func file_proto_hook_proto_init() {
if File_proto_hook_proto != nil {
return
}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: unsafe.Slice(unsafe.StringData(file_proto_hook_proto_rawDesc), len(file_proto_hook_proto_rawDesc)),
NumEnums: 0,
NumMessages: 4,
NumExtensions: 0,
NumServices: 1,
},
GoTypes: file_proto_hook_proto_goTypes,
DependencyIndexes: file_proto_hook_proto_depIdxs,
MessageInfos: file_proto_hook_proto_msgTypes,
}.Build()
File_proto_hook_proto = out.File
file_proto_hook_proto_goTypes = nil
file_proto_hook_proto_depIdxs = nil
}

121
proto/v1/hook_grpc.pb.go Normal file
View File

@@ -0,0 +1,121 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.0
// - protoc v6.30.2
// source: proto/hook.proto
package v1
import (
context "context"
grpc "google.golang.org/grpc"
codes "google.golang.org/grpc/codes"
status "google.golang.org/grpc/status"
)
// This is a compile-time assertion to ensure that this generated file
// is compatible with the grpc package it is being compiled against.
// Requires gRPC-Go v1.64.0 or later.
const _ = grpc.SupportPackageIsVersion9
const (
HookService_ExecuteHook_FullMethodName = "/hooks.v1.HookService/ExecuteHook"
)
// HookServiceClient is the client API for HookService service.
//
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
type HookServiceClient interface {
ExecuteHook(ctx context.Context, in *ExecuteHookRequest, opts ...grpc.CallOption) (*ExecuteHookResponse, error)
}
type hookServiceClient struct {
cc grpc.ClientConnInterface
}
func NewHookServiceClient(cc grpc.ClientConnInterface) HookServiceClient {
return &hookServiceClient{cc}
}
func (c *hookServiceClient) ExecuteHook(ctx context.Context, in *ExecuteHookRequest, opts ...grpc.CallOption) (*ExecuteHookResponse, error) {
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
out := new(ExecuteHookResponse)
err := c.cc.Invoke(ctx, HookService_ExecuteHook_FullMethodName, in, out, cOpts...)
if err != nil {
return nil, err
}
return out, nil
}
// HookServiceServer is the server API for HookService service.
// All implementations must embed UnimplementedHookServiceServer
// for forward compatibility.
type HookServiceServer interface {
ExecuteHook(context.Context, *ExecuteHookRequest) (*ExecuteHookResponse, error)
mustEmbedUnimplementedHookServiceServer()
}
// UnimplementedHookServiceServer must be embedded to have
// forward compatible implementations.
//
// NOTE: this should be embedded by value instead of pointer to avoid a nil
// pointer dereference when methods are called.
type UnimplementedHookServiceServer struct{}
func (UnimplementedHookServiceServer) ExecuteHook(context.Context, *ExecuteHookRequest) (*ExecuteHookResponse, error) {
return nil, status.Error(codes.Unimplemented, "method ExecuteHook not implemented")
}
func (UnimplementedHookServiceServer) mustEmbedUnimplementedHookServiceServer() {}
func (UnimplementedHookServiceServer) testEmbeddedByValue() {}
// UnsafeHookServiceServer may be embedded to opt out of forward compatibility for this service.
// Use of this interface is not recommended, as added methods to HookServiceServer will
// result in compilation errors.
type UnsafeHookServiceServer interface {
mustEmbedUnimplementedHookServiceServer()
}
func RegisterHookServiceServer(s grpc.ServiceRegistrar, srv HookServiceServer) {
// If the following call panics, it indicates UnimplementedHookServiceServer was
// embedded by pointer and is nil. This will cause panics if an
// unimplemented method is ever invoked, so we test this at initialization
// time to prevent it from happening at runtime later due to I/O.
if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
t.testEmbeddedByValue()
}
s.RegisterService(&HookService_ServiceDesc, srv)
}
func _HookService_ExecuteHook_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(ExecuteHookRequest)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(HookServiceServer).ExecuteHook(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: HookService_ExecuteHook_FullMethodName,
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(HookServiceServer).ExecuteHook(ctx, req.(*ExecuteHookRequest))
}
return interceptor(ctx, in, info, handler)
}
// HookService_ServiceDesc is the grpc.ServiceDesc for HookService service.
// It's only intended for direct use with grpc.RegisterService,
// and not to be introspected or modified (even as a copy)
var HookService_ServiceDesc = grpc.ServiceDesc{
ServiceName: "hooks.v1.HookService",
HandlerType: (*HookServiceServer)(nil),
Methods: []grpc.MethodDesc{
{
MethodName: "ExecuteHook",
Handler: _HookService_ExecuteHook_Handler,
},
},
Streams: []grpc.StreamDesc{},
Metadata: "proto/hook.proto",
}

59
proto/v1/symlink.pb.go Normal file
View File

@@ -0,0 +1,59 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v6.30.2
// source: proto/symlink.proto
package v1
import (
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
protoimpl "google.golang.org/protobuf/runtime/protoimpl"
reflect "reflect"
unsafe "unsafe"
)
const (
// Verify that this generated code is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
// Verify that runtime/protoimpl is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)
var File_proto_symlink_proto protoreflect.FileDescriptor
const file_proto_symlink_proto_rawDesc = "" +
"\n" +
"\x13proto/symlink.proto\x12\bhooks.v1B\x05Z\x03/v1b\x06proto3"
var file_proto_symlink_proto_goTypes = []any{}
var file_proto_symlink_proto_depIdxs = []int32{
0, // [0:0] is the sub-list for method output_type
0, // [0:0] is the sub-list for method input_type
0, // [0:0] is the sub-list for extension type_name
0, // [0:0] is the sub-list for extension extendee
0, // [0:0] is the sub-list for field type_name
}
func init() { file_proto_symlink_proto_init() }
func file_proto_symlink_proto_init() {
if File_proto_symlink_proto != nil {
return
}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: unsafe.Slice(unsafe.StringData(file_proto_symlink_proto_rawDesc), len(file_proto_symlink_proto_rawDesc)),
NumEnums: 0,
NumMessages: 0,
NumExtensions: 0,
NumServices: 0,
},
GoTypes: file_proto_symlink_proto_goTypes,
DependencyIndexes: file_proto_symlink_proto_depIdxs,
}.Build()
File_proto_symlink_proto = out.File
file_proto_symlink_proto_goTypes = nil
file_proto_symlink_proto_depIdxs = nil
}

165
server.go
View File

@@ -1,165 +0,0 @@
package main
import (
"fmt"
"log"
"path/filepath"
"sync"
"time"
"github.com/go-git/go-billy/v5/memfs"
"github.com/go-git/go-git/v5/storage/memory"
)
var (
tickMu sync.Mutex
mgr *ACMEManager
mgrMu sync.Mutex
)
func getACMEManager() (*ACMEManager, error) {
mgrMu.Lock()
defer mgrMu.Unlock()
if mgr == nil {
var err error
mgr, err = NewACMEManager()
if err != nil {
return nil, err
}
}
return mgr, nil
}
func initServer() {
err := LoadDomainConfigs()
if err != nil {
log.Fatalf("Error loading domain configs: %v", err)
}
serverTick()
}
func serverTick() {
tickMu.Lock()
defer tickMu.Unlock()
fmt.Println("Tick!")
mgr, err := getACMEManager()
if err != nil {
fmt.Printf("Error getting acme manager: %v\n", err)
return
}
now := time.Now().UTC()
localDomainConfigs := domainStore.Snapshot()
for domainStr, domainConfig := range localDomainConfigs {
if !domainConfig.GetBool("Domain.enabled") {
continue
}
renewPeriod := domainConfig.GetInt("Certificates.renew_period")
lastIssued := time.Unix(domainConfig.GetInt64("Internal.last_issued"), 0).UTC()
renewalDue := lastIssued.AddDate(0, 0, renewPeriod)
if now.After(renewalDue) {
//TODO extra check if certificate expiry (create cache?)
_, err = mgr.RenewForDomain(domainStr)
if err != nil {
// if no existing cert, obtain instead
_, err = mgr.ObtainForDomain(domainStr)
if err != nil {
fmt.Printf("Error obtaining domain certificates for domain %s: %v\n", domainStr, err)
continue
}
}
domainConfig.Set("Internal.last_issued", time.Now().UTC().Unix())
err = WriteDomainConfig(domainConfig)
if err != nil {
fmt.Printf("Error saving domain config %s: %v\n", domainStr, err)
continue
}
err = EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.certsRoot, domainStr, domainStr+".crt"), filepath.Join(mgr.certsRoot, domainStr, domainStr+".crt.crpt"), nil)
if err != nil {
fmt.Printf("Error encrypting domain cert for domain %s: %v\n", domainStr, err)
continue
}
err = EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.certsRoot, domainStr, domainStr+".key"), filepath.Join(mgr.certsRoot, domainStr, domainStr+".key.crpt"), nil)
if err != nil {
fmt.Printf("Error encrypting domain key for domain %s: %v\n", domainStr, err)
continue
}
giteaClient := createGiteaClient()
if giteaClient == nil {
fmt.Printf("Error creating gitea client for domain %s: %v\n", domainStr, err)
continue
}
gitWorkspace := &GitWorkspace{
Storage: memory.NewStorage(),
FS: memfs.New(),
}
var repoUrl string
if !domainConfig.GetBool("Internal.repo_exists") {
repoUrl = createGiteaRepo(domainStr, giteaClient)
if repoUrl == "" {
fmt.Printf("Error creating Gitea repo for domain %s\n", domainStr)
continue
}
domainConfig.Set("Internal.repo_exists", true)
err = WriteDomainConfig(domainConfig)
if err != nil {
fmt.Printf("Error saving domain config %s: %v\n", domainStr, err)
continue
}
err = initRepo(repoUrl, gitWorkspace)
if err != nil {
fmt.Printf("Error initializing repo for domain %s: %v\n", domainStr, err)
continue
}
} else {
repoUrl = config.GetString("Git.server") + "/" + config.GetString("Git.org_name") + "/" + domainStr + domainConfig.GetString("Repo.repo_suffix") + ".git"
err = cloneRepo(repoUrl, gitWorkspace)
if err != nil {
fmt.Printf("Error cloning repo for domain %s: %v\n", domainStr, err)
continue
}
}
err = addAndPushCerts(domainStr, gitWorkspace)
if err != nil {
fmt.Printf("Error pushing certificates for domain %s: %v\n", domainStr, err)
continue
}
fmt.Printf("Successfully pushed certificates for domain %s\n", domainStr)
}
}
err = SaveDomainConfigs()
if err != nil {
fmt.Printf("Error saving domain configs: %v\n", err)
}
}
func reloadServer() {
fmt.Println("Reloading configs...")
err := LoadDomainConfigs()
if err != nil {
fmt.Printf("Error loading domain configs: %v\n", err)
return
}
mgrMu.Lock()
mgr = nil
mgrMu.Unlock()
fmt.Println("Successfully reloaded configs")
}
func stopServer() {
fmt.Println("Shutting down server")
}

139
acme_manager.go → server/acme_manager.go
View File

@@ -1,5 +1,4 @@
// acme_manager.go
package main
package server
import (
"crypto"
@@ -17,6 +16,7 @@ import (
"sync"
"time"
"git.nevets.tech/Keys/certman/common"
"github.com/go-acme/lego/v4/certcrypto"
"github.com/go-acme/lego/v4/certificate"
"github.com/go-acme/lego/v4/lego"
@@ -28,14 +28,14 @@ import (
// Thread safety for your domain config map
// (assumes you already have these globals elsewhere)
// ---------------------------------------------
// var mu sync.RWMutex
// var MU sync.RWMutex
// var domainConfigs map[string]*ezconf.Configuration
// var config *ezconf.Configuration
//
// func getDomainConfig(domain string) (*ezconf.Configuration, bool) { ... }
// ---------------------------------------------
// ACME account user (file-backed)
// ACME account User (file-backed)
// ---------------------------------------------
type fileUser struct {
@@ -54,14 +54,14 @@ func (u *fileUser) GetPrivateKey() crypto.PrivateKey { return u.privateKe
// ---------------------------------------------
type ACMEManager struct {
mu sync.Mutex // serializes lego client ops + account writes
client *lego.Client
user *fileUser
MU sync.Mutex // serializes lego Client ops + account writes
Client *lego.Client
User *fileUser
// root dirs
dataRoot string // e.g. /var/local/certman
accountRoot string // e.g. /var/local/certman/accounts
certsRoot string // e.g. /var/local/certman/certificates
CertsRoot string // e.g. /var/local/certman/certificates
}
// DomainRuntimeConfig has domain-specific runtime settings derived from main+domain config.
@@ -89,40 +89,40 @@ type StoredCertMeta struct {
// Public API
// ---------------------------------------------
// NewACMEManager initializes a long-lived lego client using:
// NewACMEManager initializes a long-lived lego Client using:
// - file-backed account
// - persistent ECDSA P-256 account key
// - Lets Encrypt production by default (from config fallback)
// - Cloudflare DNS-01 only
func NewACMEManager() (*ACMEManager, error) {
func NewACMEManager(config *common.AppConfig) (*ACMEManager, error) {
// Pull effective (main-only) certificate settings.
email := config.GetString("Certificates.email")
dataRoot := config.GetString("Certificates.data_root")
caDirURL := config.GetString("Certificates.ca_dir_url")
email := config.Certificates.Email
dataRoot := config.Certificates.DataRoot
caDirURL := config.Certificates.CADirURL
// Build manager paths
mgr := &ACMEManager{
dataRoot: dataRoot,
accountRoot: filepath.Join(dataRoot, "accounts"),
certsRoot: filepath.Join(dataRoot, "certificates"),
CertsRoot: filepath.Join(dataRoot, "certificates"),
}
if err := os.MkdirAll(mgr.accountRoot, 0o700); err != nil {
return nil, fmt.Errorf("create account root: %w", err)
}
if err := os.MkdirAll(mgr.certsRoot, 0o700); err != nil {
if err := os.MkdirAll(mgr.CertsRoot, 0o700); err != nil {
return nil, fmt.Errorf("create certs root: %w", err)
}
// Create/load file-backed account user
// Create/load file-backed account User
user, err := loadOrCreateACMEUser(mgr.accountRoot, email)
if err != nil {
return nil, fmt.Errorf("load/create acme user: %w", err)
return nil, fmt.Errorf("load/create acme User: %w", err)
}
// Cloudflare provider (DNS-01 only).
// lego Cloudflare provider expects env vars (CLOUDFLARE_EMAIL/CLOUDFLARE_API_KEY or tokens). :contentReference[oaicite:2]{index=2}
restoreEnv, err := setCloudflareEnvFromMainConfig()
restoreEnv, err := setCloudflareEnvFromMainConfig(config)
if err != nil {
return nil, err
}
@@ -147,20 +147,20 @@ func NewACMEManager() (*ACMEManager, error) {
return nil, fmt.Errorf("set dns-01 provider: %w", err)
}
mgr.client = client
mgr.user = user
mgr.Client = client
mgr.User = user
// Register account only on first run
if mgr.user.Registration == nil {
reg, err := mgr.client.Registration.Register(registration.RegisterOptions{
if mgr.User.Registration == nil {
reg, err := mgr.Client.Registration.Register(registration.RegisterOptions{
TermsOfServiceAgreed: true,
})
if err != nil {
return nil, fmt.Errorf("acme registration: %w", err)
}
mgr.user.Registration = reg
if err := saveACMEUser(mgr.accountRoot, mgr.user); err != nil {
return nil, fmt.Errorf("save acme user registration: %w", err)
mgr.User.Registration = reg
if err := saveACMEUser(mgr.accountRoot, mgr.User); err != nil {
return nil, fmt.Errorf("save acme User registration: %w", err)
}
}
@@ -168,8 +168,8 @@ func NewACMEManager() (*ACMEManager, error) {
}
// ObtainForDomain obtains a new cert for a configured domain and saves it to disk.
func (m *ACMEManager) ObtainForDomain(domainKey string) (*certificate.Resource, error) {
rcfg, err := buildDomainRuntimeConfig(domainKey)
func (m *ACMEManager) ObtainForDomain(domainKey string, config *common.AppConfig, domainConfig *common.DomainConfig) (*certificate.Resource, error) {
rcfg, err := buildDomainRuntimeConfig(config, domainConfig)
if err != nil {
return nil, err
}
@@ -184,10 +184,10 @@ func (m *ACMEManager) ObtainForDomain(domainKey string) (*certificate.Resource,
Bundle: true,
}
m.mu.Lock()
defer m.mu.Unlock()
m.MU.Lock()
defer m.MU.Unlock()
res, err := m.client.Certificate.Obtain(req)
res, err := m.Client.Certificate.Obtain(req)
if err != nil {
return nil, fmt.Errorf("obtain %q: %w", domainKey, err)
}
@@ -201,8 +201,8 @@ func (m *ACMEManager) ObtainForDomain(domainKey string) (*certificate.Resource,
// RenewForDomain renews an existing stored cert for a domain key.
func (m *ACMEManager) RenewForDomain(domainKey string) (*certificate.Resource, error) {
m.mu.Lock()
defer m.mu.Unlock()
m.MU.Lock()
defer m.MU.Unlock()
existing, err := m.loadStoredResource(domainKey)
if err != nil {
@@ -210,7 +210,7 @@ func (m *ACMEManager) RenewForDomain(domainKey string) (*certificate.Resource, e
}
// RenewWithOptions is preferred in newer lego versions.
renewed, err := m.client.Certificate.RenewWithOptions(*existing, &certificate.RenewOptions{
renewed, err := m.Client.Certificate.RenewWithOptions(*existing, &certificate.RenewOptions{
Bundle: true,
})
if err != nil {
@@ -226,8 +226,8 @@ func (m *ACMEManager) RenewForDomain(domainKey string) (*certificate.Resource, e
// GetCertPaths returns disk paths for the domain's cert material.
func (m *ACMEManager) GetCertPaths(domainKey string) (certPEM, keyPEM string) {
base := sanitizeDomainKey(domainKey)
dir := filepath.Join(m.certsRoot, base)
base := common.SanitizeDomainKey(domainKey)
dir := filepath.Join(m.CertsRoot, base)
return filepath.Join(dir, base+".crt"),
filepath.Join(dir, base+".key")
}
@@ -236,32 +236,28 @@ func (m *ACMEManager) GetCertPaths(domainKey string) (certPEM, keyPEM string) {
// Domain runtime config assembly
// ---------------------------------------------
func buildDomainRuntimeConfig(domainKey string) (*DomainRuntimeConfig, error) {
domainCfg, exists := domainStore.Get(domainKey)
if !exists {
return nil, fmt.Errorf("domain config not found for %q", domainKey)
}
func buildDomainRuntimeConfig(config *common.AppConfig, domainConfig *common.DomainConfig) (*DomainRuntimeConfig, error) {
domainName := domainConfig.Domain.DomainName
domainName := domainCfg.GetString("Domain.domain_name")
email := config.GetString("Certificates.email")
email := config.Certificates.Email
// domain override data_root can be blank -> main fallback
dataRoot, err := EffectiveString(domainCfg, "Certificates.data_root")
if err != nil {
return nil, err
var dataRoot string
if domainConfig.Certificates.DataRoot == "" {
dataRoot = config.Certificates.DataRoot
} else {
dataRoot = domainConfig.Certificates.DataRoot
}
caDirURL := config.GetString("Certificates.ca_dir_url")
caDirURL := config.Certificates.CADirURL
expiry := domainCfg.GetInt("Certificates.expiry")
expiry := domainConfig.Certificates.Expiry
renewPeriod := domainCfg.GetInt("Certificates.renew_period")
renewPeriod := domainConfig.Certificates.RenewPeriod
requestMethod := domainCfg.GetString("Certificates.request_method")
requestMethod := domainConfig.Certificates.RequestMethod
subdomains := domainCfg.GetString("Certificates.subdomains")
subdomainArray := parseCSVLines(subdomains)
subdomainArray := domainConfig.Certificates.SubDomains
return &DomainRuntimeConfig{
DomainName: domainName,
@@ -275,21 +271,6 @@ func buildDomainRuntimeConfig(domainKey string) (*DomainRuntimeConfig, error) {
}, nil
}
func parseCSVLines(raw string) []string {
// supports comma-separated and newline-separated lists
fields := strings.FieldsFunc(raw, func(r rune) bool {
return r == ',' || r == '\n' || r == '\r'
})
out := make([]string, 0, len(fields))
for _, f := range fields {
s := strings.TrimSpace(f)
if s != "" {
out = append(out, s)
}
}
return out
}
// If subdomains contains ["www","api"], returns ["example.com","www.example.com","api.example.com"].
// If a subdomain entry looks like a full FQDN already, it is used as-is.
func buildDomainList(baseDomain string, subs []string) []string {
@@ -345,11 +326,11 @@ func buildDomainList(baseDomain string, subs []string) []string {
// Cloudflare env setup from main config
// ---------------------------------------------
func setCloudflareEnvFromMainConfig() (restore func(), err error) {
func setCloudflareEnvFromMainConfig(config *common.AppConfig) (restore func(), err error) {
// Your current defaults show legacy email + API key fields.
// Prefer API tokens in the future if you add them. Cloudflare provider supports both styles. :contentReference[oaicite:3]{index=3}
cfEmail := config.GetString("Cloudflare.cf_email")
cfAPIKey := config.GetString("Cloudflare.cf_api_key")
cfEmail := config.Cloudflare.CFEmail
cfAPIKey := config.Cloudflare.CFAPIKey
// Save prior env values so we can restore them after provider creation.
prevEmail, hadEmail := os.LookupEnv("CLOUDFLARE_EMAIL")
@@ -389,8 +370,8 @@ func loadOrCreateACMEUser(accountRoot, email string) (*fileUser, error) {
accountJSON := filepath.Join(accountRoot, "account.json")
accountKey := filepath.Join(accountRoot, "account.key.pem")
jsonExists := fileExists(accountJSON)
keyExists := fileExists(accountKey)
jsonExists := common.FileExists(accountJSON)
keyExists := common.FileExists(accountKey)
switch {
case jsonExists && keyExists:
@@ -450,7 +431,7 @@ func loadACMEUser(accountRoot string) (*fileUser, error) {
func saveACMEUser(accountRoot string, u *fileUser) error {
if u == nil {
return errors.New("nil user")
return errors.New("nil User")
}
if err := os.MkdirAll(accountRoot, 0o700); err != nil {
return err
@@ -525,8 +506,8 @@ func (m *ACMEManager) saveCertFiles(domainKey string, res *certificate.Resource,
return errors.New("nil certificate resource")
}
base := sanitizeDomainKey(domainKey)
dir := filepath.Join(m.certsRoot, base)
base := common.SanitizeDomainKey(domainKey)
dir := filepath.Join(m.CertsRoot, base)
if err := os.MkdirAll(dir, 0o700); err != nil {
return err
}
@@ -599,8 +580,8 @@ func (m *ACMEManager) saveCertFiles(domainKey string, res *certificate.Resource,
}
func (m *ACMEManager) loadStoredResource(domainKey string) (*certificate.Resource, error) {
base := sanitizeDomainKey(domainKey)
dir := filepath.Join(m.certsRoot, base)
base := common.SanitizeDomainKey(domainKey)
dir := filepath.Join(m.CertsRoot, base)
raw, err := os.ReadFile(filepath.Join(dir, base+".json"))
if err != nil {
return nil, err
@@ -623,8 +604,8 @@ func (m *ACMEManager) loadStoredResource(domainKey string) (*certificate.Resourc
}
func (m *ACMEManager) loadMeta(domainKey string) (*StoredCertMeta, error) {
base := sanitizeDomainKey(domainKey)
dir := filepath.Join(m.certsRoot, base)
base := common.SanitizeDomainKey(domainKey)
dir := filepath.Join(m.CertsRoot, base)
raw, err := os.ReadFile(filepath.Join(dir, base+".meta.json"))
if err != nil {
return nil, err

1
server/git.go Normal file
View File

@@ -0,0 +1 @@
package server

15
systemd/certman-exec.service Normal file
View File

@@ -0,0 +1,15 @@
[Unit]
Description=CertMan Executor daemon
Requires=certman.socket
After=network.target
[Service]
ExecStart=/usr/local/bin/certman executor
User=root
Group=root
KillSignal=SIGTERM
TimeoutStopSec=30
[Install]
WantedBy=multi-user.target

0
certman.service → systemd/certman.service
View File

12
systemd/certman.socket Normal file
View File

@@ -0,0 +1,12 @@
[Unit]
Description=certman hook daemon socket
[Socket]
ListenStream=/run/certman.sock
SocketUser=root
SocketGroup=certsock
SocketMode=0660
RemoveOnStop=true
[Install]
WantedBy=sockets.target