[CI-SKIP] Upload current

.gitea/workflows/build.yml

@@ -0,0 +1,86 @@
+name: Build (artifact)
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ "master" ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    if: "!contains(github.event.head_commit.message, '[CI-SKIP]')"
+
+    steps:
+      - name: Checkout
+        uses: https://github.com/actions/checkout@v4
+
+      - name: Setup Go
+        uses: https://github.com/actions/setup-go@v5
+        with:
+          go-version: "1.25"
+
+      - name: Install protoc
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y protobuf-compiler
+
+      - name: Install Go protobuf plugins
+        run: |
+          go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
+          go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
+          echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+
+      - name: Read VERSION from Makefile
+        shell: bash
+        run: |
+          VERSION="$(awk -F':=' '/^VERSION[[:space:]]*:=/ {gsub(/[[:space:]]/,"",$2); print $2; exit}' Makefile)"
+          if [ -z "$VERSION" ]; then
+            echo "Failed to read VERSION from Makefile" >&2
+            exit 1
+          fi
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+      - name: Get latest commit message
+        run: echo "COMMIT_MSG=$(git log -1 --pretty=%s)" >> $GITHUB_ENV
+
+      - name: Build
+        run: make build
+
+      - name: Upload artifact
+        uses: https://github.com/actions/upload-artifact@v3
+        with:
+          name: certman-${{ env.VERSION }}-amd64.zip
+          path: bin/
+          if-no-files-found: error
+
+      - name: Create release and upload binary
+        run: |
+            BODY=$(jq -n --arg tag "v${{ env.VERSION }}" --arg msg "$COMMIT_MSG" \
+              '{tag_name: $tag, name: $tag, body: $msg, draft: false, prerelease: false}')
+            # Create the release
+            RELEASE_RESPONSE=$(curl --fail --silent --show-error \
+              -X POST \
+              -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
+              -H "Content-Type: application/json" \
+              -d "$BODY" \
+              "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases")
+            
+            # Extract the release ID
+            RELEASE_ID=$(echo "$RELEASE_RESPONSE" | jq -r '.id')
+            if [ -z "$RELEASE_ID" ] || [ "$RELEASE_ID" = "null" ]; then
+              echo "Failed to create release" >&2
+              echo "$RELEASE_RESPONSE" >&2
+              exit 1
+            fi
+            
+            # Upload the binaries as release attachments
+            for binary in bin/*; do
+              FILENAME=$(basename "$binary")
+              echo "Uploading $FILENAME..."
+              curl --fail --silent --show-error \
+                -X POST \
+                -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
+                -H "Content-Type: application/octet-stream" \
+                --upload-file "$binary" \
+                "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/$RELEASE_ID/assets?name=$FILENAME"
+            done

.gitignore

@@ -129,3 +129,4 @@ $RECYCLE.BIN/
 config.ini
 certman
 certman-*-amd64
+bin/

Makefile

@@ -1,18 +1,37 @@
-VERSION := 1.0.1-beta
+VERSION := 1.1.5-beta-claude
 BUILD := $(shell git rev-parse --short HEAD)
 
 GO := go
 
 BUILD_FLAGS := -buildmode=pie -trimpath
-LDFLAGS := -linkmode=external -extldflags="-Wl,-z,relro,-z,now" -X git.nevets.tech/Keys/CertManager/internal.Version=$(VERSION) -X git.nevets.tech/Keys/CertManager/internal.Build=$(BUILD)
+LDFLAGS := -linkmode=external -extldflags="-Wl,-z,relro,-z,now" -X git.nevets.tech/Keys/certman/common.Version=$(VERSION) -X git.nevets.tech/Keys/certman/common.Build=$(BUILD)
 
-.PHONY: proto build stage
+.PHONY: proto bundle client server executor build debug stage
 
 proto:
 	@protoc --go_out=./proto --go-grpc_out=./proto proto/hook.proto
 	@protoc --go_out=./proto --go-grpc_out=./proto proto/symlink.proto
 
-build: proto
+bundle: proto
+	@echo "Building Bundled Certman"
+	$(GO) build $(BUILD_FLAGS) -ldflags="-s -w $(LDFLAGS)" -o ./bin/certman-$(VERSION)-amd64 ./app/bundle
+
+client: proto
+	@echo "Building Certman Client"
+	$(GO) build $(BUILD_FLAGS) -ldflags="-s -w $(LDFLAGS)" -o ./bin/certman-client-$(VERSION)-amd64 ./app/client
+
+server: proto
+	@echo "Building Certman Server"
+	$(GO) build $(BUILD_FLAGS) -ldflags="-s -w $(LDFLAGS)" -o ./bin/certman-server-$(VERSION)-amd64 ./app/server
+
+executor: proto
+	@echo "Building Certman Executor"
+	$(GO) build $(BUILD_FLAGS) -ldflags="-s -w $(LDFLAGS)" -o ./bin/certman-executor-$(VERSION)-amd64 ./app/executor
+
+build: proto bundle client server executor
+	@echo "All binaries successfully built"
+
+debug: proto
 	$(GO) build $(BUILD_FLAGS) -ldflags="$(LDFLAGS)" -o ./certman .
 	@cp ./certman ./certman-$(VERSION)-amd64
 

README.md

@@ -1,2 +1,32 @@
 # CertManager
 
+### Features to Add
+ - Integrations as modules (systemd integration, generic commands, docker integration)
+ - Dedicated builds for server, client, and executor(?)
+
+## Quick Start
+
+## Daemonizing CertManager
+The `install` command creates the certman user, directories, and runs chown on the created dirs
+
+### Server
+
+```bash
+sudo certman install -mode server
+sudo certman new-domain example.com
+```
+
+### Client
+```bash
+sudo certman install -mode client
+sudo certman new-domain example.com
+```
+
+### TODO
+ - Add systemd units during install
+ - Add update command to pull from latest release
+
+
+## Scratch Board
+- Server Flow
+  - Read from 

app/bundle/main.go

@@ -0,0 +1,40 @@
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"git.nevets.tech/Steven/certman/app"
+	"github.com/spf13/cobra"
+)
+
+//TODO create logic for gh vs gt repos
+
+func main() {
+	rootCmd := &cobra.Command{
+		Use:   "certman",
+		Short: "CertMan",
+		Long:  "Certificate Manager",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cmd.Help()
+		},
+	}
+
+	rootCmd.AddCommand(app.VersionCmd)
+	rootCmd.AddCommand(app.NewKeyCmd)
+	rootCmd.AddCommand(app.DevCmd)
+
+	rootCmd.AddCommand(app.NewDomainCmd)
+	rootCmd.AddCommand(app.InstallCmd)
+
+	rootCmd.AddCommand(app.CertCmd)
+
+	//rootCmd.AddCommand(executor.ExecutorCmd)
+
+	rootCmd.AddCommand(app.DaemonCmd)
+
+	if err := rootCmd.Execute(); err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
+	}
+}

app/certs.go

@@ -0,0 +1,15 @@
+package app
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var (
+	CertCmd = &cobra.Command{
+		Use:   "cert",
+		Short: "Certificate management",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cmd.Help()
+		},
+	}
+)

app/client/certs.go

@@ -0,0 +1,68 @@
+package main
+
+import (
+	"fmt"
+
+	"git.nevets.tech/Steven/certman/app"
+	"git.nevets.tech/Steven/certman/client"
+	"git.nevets.tech/Steven/certman/common"
+	"github.com/spf13/cobra"
+)
+
+var (
+	renewCertSubCmd = &cobra.Command{
+		Use:   "renew",
+		Short: "Renews a domains certificate",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return renewCert(args[0])
+		},
+	}
+
+	updateCertLinkSubCmd = &cobra.Command{
+		Use:   "update-link",
+		Short: "Update linked certificates",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return updateLinks(args[0])
+		},
+	}
+
+	decryptCertsSubCmd = &cobra.Command{
+		Use:   "decrypt [certPath] [cryptoKey]",
+		Short: "Decrypt certificates",
+		Args:  cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return client.DecryptCertificates(args[0], args[1])
+		},
+	}
+)
+
+func init() {
+	renewCertSubCmd.AddCommand(updateCertLinkSubCmd, decryptCertsSubCmd)
+	app.CertCmd.AddCommand(renewCertSubCmd)
+}
+
+func renewCert(domain string) error {
+	config := app.Config()
+	domainConfig, exists := app.DomainStore().Get(domain)
+	if !exists {
+		return app.ErrConfigNotFound
+	}
+	url := common.RepoURL(config, domainConfig, domain)
+	ws := common.NewGitWorkspace(domain, url)
+	if err := common.CloneRepo(ws, config); err != nil {
+		return fmt.Errorf("clone %s: %w", domain, err)
+	}
+	certsDir := common.CertsDir(config, domainConfig, domain)
+	return client.DecryptAndWriteCertificates(certsDir, domainConfig, ws)
+}
+
+func updateLinks(domain string) error {
+	domainConfig, exists := app.DomainStore().Get(domain)
+	if !exists {
+		return fmt.Errorf("domain %s does not exist", domain)
+	}
+	certsDir := common.CertsDir(app.Config(), domainConfig, domain)
+	return client.UpdateSymlinks(domain, domainConfig, certsDir)
+}

app/client/commands.go

@@ -0,0 +1,17 @@
+package main
+
+import (
+	"git.nevets.tech/Steven/certman/app"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	app.DaemonCmd.AddCommand(&cobra.Command{
+		Use:   "start",
+		Short: "Start the daemon",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return app.RunDaemonCmd(&Daemon{})
+		},
+	})
+}

app/client/daemon.go

@@ -0,0 +1,87 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"log"
+
+	"git.nevets.tech/Steven/certman/app"
+	"git.nevets.tech/Steven/certman/client"
+	"git.nevets.tech/Steven/certman/common"
+)
+
+type Daemon struct{}
+
+func (d *Daemon) Init() {
+	fmt.Println("Starting CertManager in client mode...")
+	if err := app.LoadDomainConfigs(); err != nil {
+		log.Fatalf("Error loading domain configs: %v", err)
+	}
+	d.Tick()
+}
+
+func (d *Daemon) Tick() {
+	fmt.Println("tick!")
+
+	config := app.Config()
+	localDomainConfigs := app.DomainStore().Snapshot()
+
+	for domainStr, domainConfig := range localDomainConfigs {
+		if !domainConfig.Domain.Enabled {
+			continue
+		}
+
+		certsDir := common.CertsDir(config, domainConfig, domainStr)
+
+		// Short-circuit when the local copy already matches the remote HEAD.
+		// Only useful once the server has provisioned the repo; otherwise
+		// the RemoteCommitHash call returns ErrRepoNotFound and we skip
+		// this tick entirely (nothing to pull yet).
+		if domainConfig.Internal.RepoExists {
+			localHash, err := client.LocalCommitHash(certsDir)
+			if err != nil {
+				fmt.Printf("Error reading local hash for %s: %v\n", domainStr, err)
+			}
+			remoteHash, err := client.RemoteCommitHash(config, domainConfig, domainStr)
+			if err != nil {
+				if errors.Is(err, common.ErrRepoNotFound) {
+					fmt.Printf("Remote repo not yet provisioned for %s; skipping\n", domainStr)
+					continue
+				}
+				fmt.Printf("Error getting remote hash for %s: %v\n", domainStr, err)
+				continue
+			}
+			if localHash != "" && localHash == remoteHash {
+				fmt.Printf("Domain %s is up to date. Skipping...\n", domainStr)
+				continue
+			}
+		}
+
+		url := common.RepoURL(config, domainConfig, domainStr)
+		ws := common.NewGitWorkspace(domainStr, url)
+		if err := common.CloneRepo(ws, config); err != nil {
+			fmt.Printf("Error cloning domain repo %s: %v\n", domainStr, err)
+			continue
+		}
+
+		if err := client.DecryptAndWriteCertificates(certsDir, domainConfig, ws); err != nil {
+			fmt.Printf("Error decrypting certificates for %s: %v\n", domainStr, err)
+			continue
+		}
+		if err := client.UpdateSymlinks(domainStr, domainConfig, certsDir); err != nil {
+			fmt.Printf("Error updating symlinks for %s: %v\n", domainStr, err)
+			continue
+		}
+	}
+}
+
+func (d *Daemon) Reload() {
+	fmt.Println("Reloading configs...")
+	if err := app.LoadDomainConfigs(); err != nil {
+		fmt.Printf("Error loading domain configs: %v\n", err)
+	}
+}
+
+func (d *Daemon) Stop() {
+	fmt.Println("Shutting down client")
+}

app/client/grpc.go

@@ -1,25 +1,17 @@
-package client
+package main
 
 import (
 	"context"
-	"flag"
 	"fmt"
 	"log"
 	"time"
 
-	"git.nevets.tech/Keys/CertManager/internal"
-	pb "git.nevets.tech/Keys/CertManager/proto/v1"
+	"git.nevets.tech/Steven/certman/app"
+	pb "git.nevets.tech/Steven/certman/proto/v1"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
 )
 
-var (
-	tls                = flag.Bool("tls", false, "Connection uses TLS if true, else plain TCP")
-	caFile             = flag.String("ca_file", "", "The file containing the CA root cert file")
-	serverAddr         = flag.String("addr", "localhost:50051", "The server address in the format of host:port")
-	serverHostOverride = flag.String("server_host_override", "x.test.example.com", "The server name used to verify the hostname returned by the TLS handshake")
-)
-
 func SendHook(domain string) {
 	conn, err := grpc.NewClient(
 		"unix:///run/certman.sock",
@@ -31,7 +23,7 @@ func SendHook(domain string) {
 	defer conn.Close()
 	client := pb.NewHookServiceClient(conn)
 
-	hooks, err := internal.PostPullHooks(domain)
+	hooks, err := app.PostPullHooks(domain)
 	if err != nil {
 		fmt.Printf("Error getting hooks: %v\n", err)
 		return

app/client/main.go

@@ -0,0 +1,36 @@
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"git.nevets.tech/Steven/certman/app"
+	"github.com/spf13/cobra"
+)
+
+func main() {
+	rootCmd := &cobra.Command{
+		Use:   "certman",
+		Short: "CertMan",
+		Long:  "Certificate Manager",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cmd.Help()
+		},
+	}
+
+	rootCmd.AddCommand(app.VersionCmd)
+	rootCmd.AddCommand(app.NewKeyCmd)
+	rootCmd.AddCommand(app.DevCmd)
+
+	rootCmd.AddCommand(app.NewDomainCmd)
+	rootCmd.AddCommand(app.InstallCmd)
+
+	rootCmd.AddCommand(app.CertCmd)
+
+	rootCmd.AddCommand(app.DaemonCmd)
+
+	if err := rootCmd.Execute(); err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
+	}
+}

app/commands.go

@@ -0,0 +1,191 @@
+package app
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"os/user"
+	"strconv"
+	"strings"
+
+	"git.nevets.tech/Steven/certman/common"
+	"github.com/spf13/cobra"
+)
+
+var (
+	VersionCmd = basicCmd("version", "Show version", versionCmd)
+	NewKeyCmd  = basicCmd("gen-key", "Generates encryption key", newKeyCmd)
+	DevCmd     = basicCmd("dev", "Dev Function", devCmd)
+
+	domainCertDir string
+	NewDomainCmd  = &cobra.Command{
+		Use:           "new-domain",
+		Short:         "Create config and directories for new domain",
+		Args:          cobra.ExactArgs(1),
+		SilenceUsage:  true,
+		SilenceErrors: true,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			dirOverridden := cmd.Flags().Changed("dir")
+			return newDomainCmd(args[0], domainCertDir, dirOverridden)
+		},
+	}
+
+	modeFlag        string
+	thinInstallFlag bool
+	InstallCmd      = &cobra.Command{
+		Use:   "install",
+		Short: "Create certman files and directories",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			switch modeFlag {
+			case "server", "client":
+				return installCmd(thinInstallFlag, modeFlag)
+			default:
+				return fmt.Errorf("invalid --mode %q (must be server or client)", modeFlag)
+			}
+		},
+	}
+)
+
+func init() {
+	NewDomainCmd.Flags().StringVar(&domainCertDir, "dir", "/var/local/certman/certificates/", "Alternate directory for certificates")
+
+	InstallCmd.Flags().StringVar(&modeFlag, "mode", "client", "CertManager mode [server, client]")
+	InstallCmd.Flags().BoolVarP(&thinInstallFlag, "thin", "t", false, "Thin install (skip creating dirs)")
+}
+
+func devCmd(cmd *cobra.Command, args []string) {
+	testDomain := "lunamc.org"
+	err := LoadConfig()
+	if err != nil {
+		log.Fatalf("Error loading configuration: %v\n", err)
+	}
+	err = LoadDomainConfigs()
+	if err != nil {
+		log.Fatalf("Error loading configs: %v\n", err)
+	}
+
+	fmt.Println(testDomain)
+}
+
+func versionCmd(cmd *cobra.Command, args []string) {
+	fmt.Printf("CertManager (certman) - Steven Tracey\nVersion: %s build-%s\n",
+		common.Version, common.Build,
+	)
+}
+
+func newKeyCmd(cmd *cobra.Command, args []string) {
+	key, err := common.GenerateKey()
+	if err != nil {
+		log.Fatalf("%v", err)
+	}
+	fmt.Printf(key)
+}
+
+func newDomainCmd(domain, domainDir string, dirOverridden bool) error {
+	//TODO add config option for "overridden dir"
+	if !common.IsValidFQDN(domain) {
+		return fmt.Errorf("invalid FQDN: %q", domain)
+	}
+
+	err := LoadConfig()
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("Creating new domain %s\n", domain)
+	err = CreateDomainConfig(domain)
+	if err != nil {
+		return err
+	}
+	CreateDomainCertsDir(domain, domainDir, dirOverridden)
+
+	certmanUser, err := user.Lookup("certman")
+	if err != nil {
+		return fmt.Errorf("error getting user certman: %v", err)
+	}
+	uid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Uid))
+	if err != nil {
+		return err
+	}
+	gid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Gid))
+	if err != nil {
+		return err
+	}
+	err = common.ChownRecursive("/etc/certman/domains", uid, gid)
+	if err != nil {
+		return err
+	}
+	err = common.ChownRecursive("/var/local/certman", uid, gid)
+	if err != nil {
+		return err
+	}
+
+	fmt.Println("Successfully created domain entry for " + domain + "\nUpdate config file as needed in /etc/certman/domains/" + domain + ".conf\n")
+	return nil
+}
+
+func installCmd(isThin bool, mode string) error {
+	if !isThin {
+		if os.Geteuid() != 0 {
+			return fmt.Errorf("installation must be run as root")
+		}
+
+		MakeDirs()
+		CreateConfig(mode)
+
+		err := LoadConfig()
+		if err != nil {
+			return err
+		}
+
+		f, err := os.OpenFile("/var/run/certman.pid", os.O_RDONLY|os.O_CREATE, 0755)
+		if err != nil {
+			return fmt.Errorf("error creating pid file: %v", err)
+		}
+		err = f.Close()
+		if err != nil {
+			return fmt.Errorf("error closing pid file: %v", err)
+		}
+
+		newUserCmd := exec.Command("useradd", "-d", "/var/local/certman", "-U", "-r", "-s", "/sbin/nologin", "certman")
+		if output, err := newUserCmd.CombinedOutput(); err != nil {
+			if !strings.Contains(err.Error(), "exit status 9") {
+				return fmt.Errorf("error creating user: %v: output %s", err, output)
+			}
+		}
+		newGroupCmd := exec.Command("groupadd", "-r", "-U", "certman", "certsock")
+		if output, err := newGroupCmd.CombinedOutput(); err != nil {
+			if !strings.Contains(err.Error(), "exit status 9") {
+				return fmt.Errorf("error creating group: %v: output %s", err, output)
+			}
+		}
+		certmanUser, err := user.Lookup("certman")
+		if err != nil {
+			return fmt.Errorf("error getting user certman: %v", err)
+		}
+		uid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Uid))
+		if err != nil {
+			return err
+		}
+		gid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Gid))
+		if err != nil {
+			return err
+		}
+		err = common.ChownRecursive("/etc/certman", uid, gid)
+		if err != nil {
+			return fmt.Errorf("error changing uid/gid: %v", err)
+		}
+		err = common.ChownRecursive("/var/local/certman", uid, gid)
+		if err != nil {
+			return fmt.Errorf("error changing uid/gid: %v", err)
+		}
+		err = os.Chown("/var/run/certman.pid", uid, gid)
+		if err != nil {
+			return fmt.Errorf("error changing uid/gid: %v", err)
+		}
+	} else {
+		CreateConfig(mode)
+	}
+	return nil
+}

app/config.go

@@ -1,7 +1,6 @@
-package internal
+package app
 
 import (
-	"bytes"
 	"errors"
 	"fmt"
 	"log"
@@ -10,8 +9,10 @@ import (
 	"strings"
 	"sync"
 
-	pb "git.nevets.tech/Keys/CertManager/proto/v1"
+	"git.nevets.tech/Steven/certman/common"
+	pb "git.nevets.tech/Steven/certman/proto/v1"
 	"github.com/google/uuid"
+	"github.com/pelletier/go-toml/v2"
 	"github.com/spf13/viper"
 )
 
@@ -22,40 +23,40 @@ var (
 
 type DomainConfigStore struct {
 	mu      sync.RWMutex
-	configs map[string]*viper.Viper
+	configs map[string]*common.DomainConfig
 }
 
 func NewDomainConfigStore() *DomainConfigStore {
 	return &DomainConfigStore{
-		configs: make(map[string]*viper.Viper),
+		configs: make(map[string]*common.DomainConfig),
 	}
 }
 
-func (s *DomainConfigStore) Get(domain string) (*viper.Viper, bool) {
+func (s *DomainConfigStore) Get(domain string) (*common.DomainConfig, bool) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	v, ok := s.configs[domain]
 	return v, ok
 }
 
-func (s *DomainConfigStore) Set(domain string, v *viper.Viper) {
+func (s *DomainConfigStore) Set(domain string, v *common.DomainConfig) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	s.configs[domain] = v
 }
 
 // Swap atomically replaces the entire config map (used during reload).
-func (s *DomainConfigStore) Swap(newConfigs map[string]*viper.Viper) {
+func (s *DomainConfigStore) Swap(newConfigs map[string]*common.DomainConfig) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	s.configs = newConfigs
 }
 
 // Snapshot returns a shallow copy safe to iterate without holding the lock.
-func (s *DomainConfigStore) Snapshot() map[string]*viper.Viper {
+func (s *DomainConfigStore) Snapshot() map[string]*common.DomainConfig {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
-	snap := make(map[string]*viper.Viper, len(s.configs))
+	snap := make(map[string]*common.DomainConfig, len(s.configs))
 	for k, v := range s.configs {
 		snap[k] = v
 	}
@@ -67,20 +68,18 @@ func (s *DomainConfigStore) Snapshot() map[string]*viper.Viper {
 // ---------------------------------------------------------------------------
 
 var (
-	config      *viper.Viper
+	config      *common.AppConfig
 	configMu    sync.RWMutex
 	domainStore = NewDomainConfigStore()
 )
 
-func Config() *viper.Viper {
+func Config() *common.AppConfig {
 	configMu.RLock()
 	defer configMu.RUnlock()
 	return config
 }
 
 func DomainStore() *DomainConfigStore {
-	domainStore.mu.RLock()
-	defer domainStore.mu.RUnlock()
 	return domainStore
 }
 
@@ -90,23 +89,22 @@ func DomainStore() *DomainConfigStore {
 
 // LoadConfig reads the main certman.conf into config.
 func LoadConfig() error {
-	config = viper.New()
-	config.SetConfigFile("/etc/certman/certman.conf")
-	config.SetConfigType("toml")
-	err := config.ReadInConfig()
-	if err != nil {
+	vConfig := viper.New()
+	vConfig.SetConfigFile("/etc/certman/certman.conf")
+	vConfig.SetConfigType("toml")
+	if err := vConfig.ReadInConfig(); err != nil {
 		return err
 	}
 
-	switch config.GetString("App.mode") {
-	case "server":
-		config.SetConfigType("toml")
-		config.SetConfigFile("server.conf")
-		return config.MergeInConfig()
-	case "Client":
-		config.SetConfigType("toml")
-		config.SetConfigFile("Client.conf")
-		return config.MergeInConfig()
+	if vConfig.GetString("App.mode") == "server" {
+		vConfig.SetConfigType("toml")
+		vConfig.SetConfigFile("/etc/certman/server.conf")
+		if err := vConfig.MergeInConfig(); err != nil {
+			return err
+		}
+	}
+	if err := vConfig.Unmarshal(&config); err != nil {
+		return err
 	}
 
 	return nil
@@ -120,7 +118,7 @@ func LoadDomainConfigs() error {
 		return fmt.Errorf("reading domain config dir: %w", err)
 	}
 
-	temp := make(map[string]*viper.Viper)
+	temp := make(map[string]*common.DomainConfig)
 
 	for _, entry := range entries {
 		if entry.IsDir() || filepath.Ext(entry.Name()) != ".conf" {
@@ -145,7 +143,11 @@ func LoadDomainConfigs() error {
 			fmt.Printf("Duplicate domain in %s, skipping...\n", path)
 			continue
 		}
-		temp[domain] = v
+		cfg := &common.DomainConfig{}
+		if err = v.Unmarshal(cfg); err != nil {
+			return fmt.Errorf("unmarshaling %s: %w", path, err)
+		}
+		temp[domain] = cfg
 	}
 
 	domainStore.Swap(temp)
@@ -156,30 +158,35 @@ func LoadDomainConfigs() error {
 //  Saving
 // ---------------------------------------------------------------------------
 
-func WriteConfig(filePath string, config *viper.Viper) error {
-	var buf bytes.Buffer
-	if err := config.WriteConfigTo(&buf); err != nil {
-		return fmt.Errorf("marshal config: %w", err)
+func WriteConfig(filePath string, config *common.AppConfig) error {
+	buf, err := toml.Marshal(&config)
+	if err != nil {
+		return fmt.Errorf("marshaling config: %w", err)
 	}
-
-	if err := os.WriteFile(filePath, buf.Bytes(), 0640); err != nil {
+	if err = os.WriteFile(filePath, buf, 0640); err != nil {
 		return fmt.Errorf("write config file: %w", err)
 	}
+
 	return nil
 }
 
-func WriteMainConfig() error {
-	return WriteConfig("/etc/certman/certman.conf", config)
-}
+func WriteDomainConfig(config *common.DomainConfig) error {
+	buf, err := toml.Marshal(config)
+	if err != nil {
+		return fmt.Errorf("marshaling domain config: %w", err)
+	}
+	configPath := filepath.Join("/etc/certman/domains", config.Domain.DomainName+".conf")
+	if err = os.WriteFile(configPath, buf, 0640); err != nil {
+		return fmt.Errorf("write config file: %w", err)
+	}
 
-func WriteDomainConfig(config *viper.Viper) error {
-	return WriteConfig(config.GetString("Domain.domain_name"), config)
+	return nil
 }
 
 // SaveDomainConfigs writes every loaded domain config back to disk.
 func SaveDomainConfigs() error {
-	for domain, v := range domainStore.Snapshot() {
-		err := WriteConfig("/etc/certman/domains/"+domain+".conf", v)
+	for _, v := range domainStore.Snapshot() {
+		err := WriteDomainConfig(v)
 		if err != nil {
 			return err
 		}
@@ -199,68 +206,6 @@ func PostPullHooks(domain string) ([]*pb.Hook, error) {
 	return hooks, nil
 }
 
-// ---------------------------------------------------------------------------
-//  Effective lookups (domain → global fallback)
-// ---------------------------------------------------------------------------
-
-// EffectiveString looks up a key in the domain config first, falling back to
-// the global config. Keys use dot notation matching INI sections, e.g.
-// "certificates.data_root".
-func EffectiveString(domainCfg *viper.Viper, key string) (string, error) {
-	if domainCfg != nil {
-		val := strings.TrimSpace(domainCfg.GetString(key))
-		if val != "" {
-			return val, nil
-		}
-	}
-
-	if config == nil {
-		return "", ErrConfigNotFound
-	}
-
-	val := strings.TrimSpace(config.GetString(key))
-	if val == "" {
-		return "", ErrBlankConfigEntry
-	}
-	return val, nil
-}
-
-// MustEffectiveString is like EffectiveString but logs a fatal error on failure.
-func MustEffectiveString(domainCfg *viper.Viper, key string) string {
-	val, err := EffectiveString(domainCfg, key)
-	if err != nil {
-		log.Fatalf("Config key %q: %v", key, err)
-	}
-	return val
-}
-
-// EffectiveInt returns an int with domain → global fallback. Returns the
-// fallback value if the key is missing or zero in both configs.
-func EffectiveInt(domainCfg *viper.Viper, key string, fallback int) int {
-	if domainCfg != nil {
-		if val := domainCfg.GetInt(key); val != 0 {
-			return val
-		}
-	}
-	if config != nil {
-		if val := config.GetInt(key); val != 0 {
-			return val
-		}
-	}
-	return fallback
-}
-
-// EffectiveBool returns a bool with domain → global fallback.
-func EffectiveBool(domainCfg *viper.Viper, key string) bool {
-	if domainCfg != nil && domainCfg.IsSet(key) {
-		return domainCfg.GetBool(key)
-	}
-	if config != nil {
-		return config.GetBool(key)
-	}
-	return false
-}
-
 // ---------------------------------------------------------------------------
 //  Directory bootstrapping
 // ---------------------------------------------------------------------------
@@ -298,13 +243,14 @@ func CreateConfig(mode string) {
 }
 
 func CreateDomainConfig(domain string) error {
-	key, err := GenerateKey()
+	key, err := common.GenerateKey()
 	if err != nil {
 		return fmt.Errorf("unable to generate key: %v", err)
 	}
+	localConfig := Config()
 
 	var content string
-	switch Config().GetString("App.mode") {
+	switch localConfig.App.Mode {
 	case "server":
 		content = strings.NewReplacer(
 			"{domain}", domain,
@@ -316,7 +262,7 @@ func CreateDomainConfig(domain string) error {
 			"{key}", key,
 		).Replace(defaultClientDomainConfig)
 	default:
-		return fmt.Errorf("unknown certman mode: %v", Config().GetString("App.mode"))
+		return fmt.Errorf("unknown certman mode: %v", localConfig.App.Mode)
 	}
 
 	path := filepath.Join("/etc/certman/domains", domain+".conf")
@@ -341,10 +287,6 @@ func CreateDomainCertsDir(domain string, dir string, dirOverride bool) {
 	}
 }
 
-// ---------------------------------------------------------------------------
-//  Default config templates
-// ---------------------------------------------------------------------------
-
 const defaultConfig = `[App]
 mode = '{mode}'
 tick_rate = 2
@@ -365,21 +307,13 @@ uuid = '{uuid}'
 
 [Certificates]
 email = 'User@example.com'
-data_root = '/var/local/certman'
 ca_dir_url = 'https://acme-v02.api.letsencrypt.org/directory'
 
 [Cloudflare]
 cf_email = 'email@example.com'
 cf_api_key = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'`
 
-const defaultClientConfig = ``
-
-const defaultServerDomainConfig = `[Domain]
-domain_name = '{domain}'
-enabled = true
-dns_server = 'default'
-
-[Certificates]
+const defaultServerDomainConfig = `[Certificates]
 data_root = ''
 expiry = 90
 request_method = 'dns-01'
@@ -387,6 +321,11 @@ renew_period = 30
 subdomains = []
 crypto_key = '{key}'
 
+[Domain]
+domain_name = '{domain}'
+enabled = true
+dns_server = 'default'
+
 [Repo]
 repo_suffix = '-certificates'
 
@@ -415,5 +354,3 @@ env = { "FOO" = "bar" }
 [Repo]
 repo_suffix = '-certificates'
 `
-
-const readme = ``

app/daemon.go

@@ -1,4 +1,4 @@
-package commands
+package app
 
 import (
 	"context"
@@ -10,21 +10,73 @@ import (
 	"syscall"
 	"time"
 
-	"git.nevets.tech/Keys/CertManager/client"
-	"git.nevets.tech/Keys/CertManager/internal"
-	"git.nevets.tech/Keys/CertManager/server"
+	"git.nevets.tech/Steven/certman/common"
+	"github.com/spf13/cobra"
 )
 
+type Daemon interface {
+	Init()
+	Tick()
+	Reload()
+	Stop()
+}
+
 var (
 	ctx    context.Context
 	cancel context.CancelFunc
 	wg     sync.WaitGroup
+
+	DaemonCmd = &cobra.Command{
+		Use:   "daemon",
+		Short: "Daemon management",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cmd.Help()
+		},
+	}
 )
 
-func RunDaemonCmd() error {
-	err := internal.CreateOrUpdatePIDFile("/var/run/certman.pid")
+func init() {
+	DaemonCmd.AddCommand(&cobra.Command{
+		Use:   "stop",
+		Short: "stop the daemon",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return stopDaemonCmd()
+		},
+	})
+
+	DaemonCmd.AddCommand(&cobra.Command{
+		Use:   "reload",
+		Short: "reload daemon configs",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return reloadDaemonCmd()
+		},
+	})
+
+	DaemonCmd.AddCommand(&cobra.Command{
+		Use:   "tick",
+		Short: "Manually triggers daemon tick",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return tickDaemonCmd()
+		},
+	})
+
+	DaemonCmd.AddCommand(&cobra.Command{
+		Use:   "status",
+		Short: "Show daemon status",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return daemonStatusCmd()
+		},
+	})
+}
+
+func RunDaemonCmd(daemon Daemon) error {
+	err := common.CreateOrUpdatePIDFile("/var/run/certman.pid")
 	if err != nil {
-		if errors.Is(err, internal.ErrorPIDInUse) {
+		if errors.Is(err, common.ErrorPIDInUse) {
 			return fmt.Errorf("daemon process is already running")
 		}
 		return fmt.Errorf("error creating pidfile: %v", err)
@@ -38,10 +90,11 @@ func RunDaemonCmd() error {
 	} else if err != nil {
 		return fmt.Errorf("error opening /etc/certman/certman.conf: %v", err)
 	}
-	err = internal.LoadConfig()
+	err = LoadConfig()
 	if err != nil {
 		return fmt.Errorf("error loading configuration: %v", err)
 	}
+	localConfig := Config()
 
 	// Setup SIGINT and SIGTERM listeners
 	sigChannel := make(chan os.Signal, 1)
@@ -56,54 +109,28 @@ func RunDaemonCmd() error {
 	signal.Notify(tickSigChan, syscall.SIGUSR1)
 	defer signal.Stop(tickSigChan)
 
-	tickRate := internal.Config().GetInt("App.tick_rate")
+	tickRate := localConfig.App.TickRate
 	ticker := time.NewTicker(time.Duration(tickRate) * time.Hour)
 	defer ticker.Stop()
 
 	wg.Add(1)
-	if internal.Config().GetString("App.mode") == "server" {
-		fmt.Println("Starting CertManager in server mode...")
-		// Server Task loop
-		go func() {
-			server.Init()
-			defer wg.Done()
-			for {
-				select {
-				case <-ctx.Done():
-					server.Stop()
-					return
-				case <-reloadSigChan:
-					server.Reload()
-				case <-ticker.C:
-					server.Tick()
-				case <-tickSigChan:
-					server.Tick()
-				}
+	go func() {
+		daemon.Init()
+		defer wg.Done()
+		for {
+			select {
+			case <-ctx.Done():
+				daemon.Stop()
+				return
+			case <-reloadSigChan:
+				daemon.Reload()
+			case <-ticker.C:
+				daemon.Tick()
+			case <-tickSigChan:
+				daemon.Tick()
 			}
-		}()
-	} else if internal.Config().GetString("App.mode") == "client" {
-		fmt.Println("Starting CertManager in client mode...")
-		// Client Task loop
-		go func() {
-			client.Init()
-			defer wg.Done()
-			for {
-				select {
-				case <-ctx.Done():
-					client.Stop()
-					return
-				case <-reloadSigChan:
-					client.Reload()
-				case <-ticker.C:
-					client.Tick()
-				case <-tickSigChan:
-					client.Tick()
-				}
-			}
-		}()
-	} else {
-		return fmt.Errorf("invalid operating mode \"" + internal.Config().GetString("App.mode") + "\"")
-	}
+		}
+	}()
 
 	// Cleanup on stop
 	sig := <-sigChannel
@@ -116,11 +143,11 @@ func RunDaemonCmd() error {
 
 func stop() {
 	cancel()
-	internal.ClearPIDFile()
+	common.ClearPIDFile()
 }
 
-func StopDaemonCmd() error {
-	proc, err := internal.DaemonProcess()
+func stopDaemonCmd() error {
+	proc, err := common.DaemonProcess()
 	if err != nil {
 		return fmt.Errorf("error getting daemon process: %v", err)
 	}
@@ -132,8 +159,8 @@ func StopDaemonCmd() error {
 	return nil
 }
 
-func ReloadDaemonCmd() error {
-	proc, err := internal.DaemonProcess()
+func reloadDaemonCmd() error {
+	proc, err := common.DaemonProcess()
 	if err != nil {
 		return fmt.Errorf("error getting daemon process: %v", err)
 	}
@@ -145,8 +172,8 @@ func ReloadDaemonCmd() error {
 	return nil
 }
 
-func TickDaemonCmd() error {
-	proc, err := internal.DaemonProcess()
+func tickDaemonCmd() error {
+	proc, err := common.DaemonProcess()
 	if err != nil {
 		return fmt.Errorf("error getting daemon process: %v", err)
 	}
@@ -158,7 +185,7 @@ func TickDaemonCmd() error {
 	return nil
 }
 
-func DaemonStatusCmd() error {
+func daemonStatusCmd() error {
 	fmt.Println("Not implemented :/")
 	return nil
 }

app/executor/commands.go

@@ -1,4 +1,4 @@
-package commands
+package main
 
 import (
 	"fmt"
@@ -6,13 +6,23 @@ import (
 	"os/signal"
 	"syscall"
 
-	"git.nevets.tech/Keys/CertManager/executor"
+	"github.com/spf13/cobra"
 )
 
-var executorServer *executor.Server
+var (
+	executorServer *Server
 
-func StartExecutorCmd() error {
-	executorServer = &executor.Server{}
+	ExecutorCmd = &cobra.Command{
+		Use:   "executor",
+		Short: "Privileged daemon",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return startExecutorCmd()
+		},
+	}
+)
+
+func startExecutorCmd() error {
+	executorServer = &Server{}
 
 	sigCh := make(chan os.Signal, 1)
 	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)

app/executor/executor.go

@@ -1,11 +1,11 @@
-package executor
+package main
 
 import (
 	"fmt"
 	"net"
 	"sync"
 
-	pb "git.nevets.tech/Keys/CertManager/proto/v1"
+	pb "git.nevets.tech/Steven/certman/proto/v1"
 	"github.com/coreos/go-systemd/v22/activation"
 	"google.golang.org/grpc"
 )

app/executor/hook.go

@@ -1,4 +1,4 @@
-package executor
+package main
 
 import (
 	"context"
@@ -8,8 +8,8 @@ import (
 	"syscall"
 	"time"
 
-	"git.nevets.tech/Keys/CertManager/internal"
-	pb "git.nevets.tech/Keys/CertManager/proto/v1"
+	"git.nevets.tech/Steven/certman/common"
+	pb "git.nevets.tech/Steven/certman/proto/v1"
 )
 
 type hookServer struct {
@@ -51,7 +51,7 @@ func (s *hookServer) ExecuteHook(ctx context.Context, req *pb.ExecuteHookRequest
 
 	// Run as user/group if specified (Linux/Unix)
 	if h.GetUser() != "" || h.GetGroup() != "" {
-		cred, err := internal.MakeCredential(h.GetUser(), h.GetGroup())
+		cred, err := common.MakeCredential(h.GetUser(), h.GetGroup())
 		if err != nil {
 			return &pb.ExecuteHookResponse{Error: brief(err)}, nil
 		}

app/executor/main.go

@@ -0,0 +1,7 @@
+package main
+
+import "fmt"
+
+func main() {
+	fmt.Println("Hello Executor")
+}

app/executor/util.go

@@ -1,4 +1,4 @@
-package executor
+package main
 
 import "fmt"
 

app/server/certs.go

@@ -0,0 +1,85 @@
+package main
+
+import (
+	"fmt"
+	"path/filepath"
+	"time"
+
+	"git.nevets.tech/Steven/certman/app"
+	"git.nevets.tech/Steven/certman/common"
+	"git.nevets.tech/Steven/certman/server"
+	"github.com/spf13/cobra"
+)
+
+var (
+	noPush          bool
+	renewCertSubCmd = &cobra.Command{
+		Use:   "renew",
+		Short: "Renews a domains certificate",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return renewCertCmd(args[0], noPush)
+		},
+	}
+)
+
+func init() {
+	renewCertSubCmd.Flags().BoolVar(&noPush, "no-push", false, "Don't push certs to repo, renew locally only [server mode only]")
+	app.CertCmd.AddCommand(renewCertSubCmd)
+}
+
+func renewCertCmd(domain string, noPush bool) error {
+	if err := app.LoadConfig(); err != nil {
+		return err
+	}
+	if err := app.LoadDomainConfigs(); err != nil {
+		return err
+	}
+	mgr, err := server.NewACMEManager(app.Config())
+	if err != nil {
+		return err
+	}
+	return renewCerts(domain, noPush, mgr)
+}
+
+func renewCerts(domain string, noPush bool, mgr *server.ACMEManager) error {
+	config := app.Config()
+	domainConfig, exists := app.DomainStore().Get(domain)
+	if !exists {
+		return fmt.Errorf("domain %s does not exist", domain)
+	}
+
+	if _, err := mgr.RenewForDomain(domain); err != nil {
+		// If the domain has no stored resource yet, fall through to Obtain.
+		if _, err := mgr.ObtainForDomain(domain, config, domainConfig); err != nil {
+			return fmt.Errorf("error obtaining domain certificates for domain %s: %v", domain, err)
+		}
+	}
+
+	domainConfig.Internal.LastIssued = time.Now().UTC().Unix()
+	if err := app.WriteDomainConfig(domainConfig); err != nil {
+		return fmt.Errorf("error saving domain config %s: %v", domain, err)
+	}
+
+	certsDir := filepath.Join(mgr.CertsRoot, domain)
+	if err := common.EncryptFileXChaCha(domainConfig.Certificates.CryptoKey, filepath.Join(certsDir, domain+".crt"), filepath.Join(certsDir, domain+".crt.crpt"), nil); err != nil {
+		return fmt.Errorf("error encrypting domain cert for domain %s: %v", domain, err)
+	}
+	if err := common.EncryptFileXChaCha(domainConfig.Certificates.CryptoKey, filepath.Join(certsDir, domain+".key"), filepath.Join(certsDir, domain+".key.crpt"), nil); err != nil {
+		return fmt.Errorf("error encrypting domain key for domain %s: %v", domain, err)
+	}
+
+	if noPush {
+		return nil
+	}
+
+	ws, err := prepareServerWorkspace(config, domainConfig, domain)
+	if err != nil {
+		return fmt.Errorf("prepare workspace for %s: %w", domain, err)
+	}
+	if err := server.AddAndPushCerts(ws, certsDir, config); err != nil {
+		return fmt.Errorf("push certificates for %s: %w", domain, err)
+	}
+	fmt.Printf("Successfully pushed certificates for domain %s\n", domain)
+	return nil
+}

app/server/commands.go

@@ -0,0 +1,17 @@
+package main
+
+import (
+	"git.nevets.tech/Steven/certman/app"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	app.DaemonCmd.AddCommand(&cobra.Command{
+		Use:   "start",
+		Short: "Start the daemon",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return app.RunDaemonCmd(&Daemon{})
+		},
+	})
+}

app/server/daemon.go

@@ -0,0 +1,174 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"sync"
+	"time"
+
+	appShared "git.nevets.tech/Steven/certman/app"
+	"git.nevets.tech/Steven/certman/common"
+	"git.nevets.tech/Steven/certman/server"
+)
+
+type Daemon struct {
+	ACMEManager *server.ACMEManager
+	TickMu      sync.Mutex
+	MgrMu       sync.Mutex
+}
+
+func (d *Daemon) loadACMEManager() error {
+	d.MgrMu.Lock()
+	defer d.MgrMu.Unlock()
+
+	if d.ACMEManager == nil {
+		var err error
+		d.ACMEManager, err = server.NewACMEManager(appShared.Config())
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (d *Daemon) Init() {
+	fmt.Println("Starting CertManager in server mode...")
+	err := appShared.LoadDomainConfigs()
+	if err != nil {
+		log.Fatalf("Error loading domain configs: %v", err)
+	}
+
+	d.Tick()
+}
+
+func (d *Daemon) Tick() {
+	d.TickMu.Lock()
+	defer d.TickMu.Unlock()
+	fmt.Println("Tick!")
+
+	if err := d.loadACMEManager(); err != nil {
+		fmt.Printf("Error getting acme manager: %v\n", err)
+		return
+	}
+
+	now := time.Now().UTC()
+
+	config := appShared.Config()
+	localDomainConfigs := appShared.DomainStore().Snapshot()
+
+	for domainStr, domainConfig := range localDomainConfigs {
+		if !domainConfig.Domain.Enabled {
+			continue
+		}
+		//TODO: have renewPeriod logic default to use certificate expiry if available
+		renewPeriod := domainConfig.Certificates.RenewPeriod
+		lastIssued := time.Unix(domainConfig.Internal.LastIssued, 0).UTC()
+		renewalDue := lastIssued.AddDate(0, 0, renewPeriod)
+		if !now.After(renewalDue) {
+			continue
+		}
+
+		//TODO extra check if certificate expiry (create cache?)
+		if _, err := d.ACMEManager.RenewForDomain(domainStr); err != nil {
+			if errors.Is(err, os.ErrNotExist) {
+				if _, err := d.ACMEManager.ObtainForDomain(domainStr, config, domainConfig); err != nil {
+					fmt.Printf("Error obtaining domain certificates for domain %s: %v\n", domainStr, err)
+					continue
+				}
+			} else {
+				fmt.Printf("Error: %v\n", err)
+				continue
+			}
+		}
+
+		domainConfig.Internal.LastIssued = time.Now().UTC().Unix()
+		if err := appShared.WriteDomainConfig(domainConfig); err != nil {
+			fmt.Printf("Error saving domain config %s: %v\n", domainStr, err)
+			continue
+		}
+
+		certsDir := filepath.Join(d.ACMEManager.CertsRoot, domainStr)
+		if err := common.EncryptFileXChaCha(domainConfig.Certificates.CryptoKey, filepath.Join(certsDir, domainStr+".crt"), filepath.Join(certsDir, domainStr+".crt.crpt"), nil); err != nil {
+			fmt.Printf("Error encrypting domain cert for domain %s: %v\n", domainStr, err)
+			continue
+		}
+		if err := common.EncryptFileXChaCha(domainConfig.Certificates.CryptoKey, filepath.Join(certsDir, domainStr+".key"), filepath.Join(certsDir, domainStr+".key.crpt"), nil); err != nil {
+			fmt.Printf("Error encrypting domain key for domain %s: %v\n", domainStr, err)
+			continue
+		}
+
+		ws, err := prepareServerWorkspace(config, domainConfig, domainStr)
+		if err != nil {
+			fmt.Printf("Error preparing git workspace for domain %s: %v\n", domainStr, err)
+			continue
+		}
+
+		if err := server.AddAndPushCerts(ws, certsDir, config); err != nil {
+			fmt.Printf("Error pushing certificates for domain %s: %v\n", domainStr, err)
+			continue
+		}
+		fmt.Printf("Successfully pushed certificates for domain %s\n", domainStr)
+	}
+	if err := appShared.SaveDomainConfigs(); err != nil {
+		fmt.Printf("Error saving domain configs: %v\n", err)
+	}
+}
+
+// prepareServerWorkspace creates or clones the domain's remote repo into a
+// fresh in-memory workspace. If the repo is being cloned, it verifies that
+// SERVER_ID matches this server's UUID (or is absent, in which case the
+// domain is adopted on the next push).
+func prepareServerWorkspace(config *common.AppConfig, domainConfig *common.DomainConfig, domain string) (*common.GitWorkspace, error) {
+	if !domainConfig.Internal.RepoExists {
+		url, err := server.CreateRepo(config, domainConfig, domain)
+		if err != nil {
+			return nil, fmt.Errorf("create remote repo: %w", err)
+		}
+		domainConfig.Internal.RepoExists = true
+		if err := appShared.WriteDomainConfig(domainConfig); err != nil {
+			return nil, fmt.Errorf("save domain config: %w", err)
+		}
+		ws := common.NewGitWorkspace(domain, url)
+		if err := common.InitRepo(ws); err != nil {
+			return nil, fmt.Errorf("init workspace: %w", err)
+		}
+		return ws, nil
+	}
+
+	url := common.RepoURL(config, domainConfig, domain)
+	ws := common.NewGitWorkspace(domain, url)
+	if err := common.CloneRepo(ws, config); err != nil {
+		return nil, fmt.Errorf("clone: %w", err)
+	}
+	owned, err := server.VerifyOwnership(ws, config.App.UUID)
+	if err != nil {
+		return nil, err
+	}
+	if !owned {
+		fmt.Printf("Adopting unclaimed repo for domain %s\n", domain)
+	}
+	return ws, nil
+}
+
+func (d *Daemon) Reload() {
+	fmt.Println("Reloading configs...")
+	err := appShared.LoadDomainConfigs()
+
+	if err != nil {
+		fmt.Printf("Error loading domain configs: %v\n", err)
+		return
+	}
+
+	d.MgrMu.Lock()
+	d.ACMEManager = nil
+	d.MgrMu.Unlock()
+
+	fmt.Println("Successfully reloaded configs")
+}
+
+func (d *Daemon) Stop() {
+	fmt.Println("Shutting down server")
+}

app/server/main.go

@@ -0,0 +1,7 @@
+package main
+
+import "fmt"
+
+func main() {
+	fmt.Println("Hello server")
+}

app/util.go

@@ -0,0 +1,58 @@
+package app
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+)
+
+func createFile(fileName string, filePermission os.FileMode, data []byte) {
+	fileInfo, err := os.Stat(fileName)
+	if err != nil {
+		if os.IsNotExist(err) {
+			file, err := os.Create(fileName)
+			if err != nil {
+				fmt.Println("Error creating configuration file: ", err)
+				os.Exit(1)
+			}
+			defer file.Close()
+
+			_, err = file.Write(data)
+			if err != nil {
+				fmt.Println("Error writing to file: ", err)
+				os.Exit(1)
+			}
+			err = file.Chmod(filePermission)
+			if err != nil {
+				fmt.Println("Error changing file permission: ", err)
+			}
+		} else {
+			fmt.Println("Error opening configuration file: ", err)
+			os.Exit(1)
+		}
+	} else {
+		if fileInfo.Size() == 0 {
+			file, err := os.Create(fileName)
+			if err != nil {
+				fmt.Println("Error creating configuration file: ", err)
+				os.Exit(1)
+			}
+			defer file.Close()
+
+			_, err = file.Write(data)
+			if err != nil {
+				fmt.Println("Error writing to file:", err)
+				os.Exit(1)
+			}
+		}
+	}
+}
+
+func basicCmd(use, short string, commandFunc func(cmd *cobra.Command, args []string)) *cobra.Command {
+	return &cobra.Command{
+		Use:   use,
+		Short: short,
+		Run:   commandFunc,
+	}
+}

client/certificates.go

@@ -0,0 +1,128 @@
+package client
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"git.nevets.tech/Steven/certman/common"
+)
+
+// DecryptAndWriteCertificates walks the workspace's root directory, decrypts
+// every *.crpt file using the domain's crypto key, and writes the cleartext
+// output into certsDir.
+//
+// On a fully successful pass it records the current HEAD commit SHA via
+// WriteCommitHash, so the next tick can short-circuit when nothing changed.
+// Per-file failures are collected and returned together; the commit-hash
+// marker is only written when every file decrypted cleanly, so a partial
+// sync never masquerades as up-to-date on the next tick.
+func DecryptAndWriteCertificates(certsDir string, domainConfig *common.DomainConfig, ws *common.GitWorkspace) error {
+	entries, err := ws.FS.ReadDir("/")
+	if err != nil {
+		return fmt.Errorf("read workspace root: %w", err)
+	}
+
+	var errs []error
+	var wrote int
+	for _, entry := range entries {
+		name := entry.Name()
+		if !strings.HasSuffix(name, ".crpt") {
+			continue
+		}
+		plainName, _ := strings.CutSuffix(name, ".crpt")
+
+		data, err := readWorkspaceFile(ws, name)
+		if err != nil {
+			errs = append(errs, fmt.Errorf("%s: %w", name, err))
+			continue
+		}
+		if err := common.DecryptFileFromBytes(domainConfig.Certificates.CryptoKey, data, filepath.Join(certsDir, plainName), nil); err != nil {
+			errs = append(errs, fmt.Errorf("%s: decrypt: %w", name, err))
+			continue
+		}
+		wrote++
+	}
+
+	if len(errs) > 0 {
+		return errors.Join(errs...)
+	}
+	if wrote == 0 {
+		return nil
+	}
+
+	head, err := ws.Repo.Head()
+	if err != nil {
+		return fmt.Errorf("get repo head: %w", err)
+	}
+	return WriteCommitHash(certsDir, head.Hash().String())
+}
+
+// DecryptCertificates is a standalone utility that decrypts every *.crpt
+// file in an on-disk directory. It is used by the `cert decrypt` CLI command
+// and does not touch git state.
+func DecryptCertificates(certPath, cryptoKey string) error {
+	entries, err := os.ReadDir(certPath)
+	if err != nil {
+		return fmt.Errorf("read %s: %w", certPath, err)
+	}
+	var errs []error
+	for _, entry := range entries {
+		name := entry.Name()
+		if !strings.HasSuffix(name, ".crpt") {
+			continue
+		}
+		plainName, _ := strings.CutSuffix(name, ".crpt")
+
+		data, err := os.ReadFile(filepath.Join(certPath, name))
+		if err != nil {
+			errs = append(errs, fmt.Errorf("%s: %w", name, err))
+			continue
+		}
+		if err := common.DecryptFileFromBytes(cryptoKey, data, filepath.Join(certPath, plainName), nil); err != nil {
+			errs = append(errs, fmt.Errorf("%s: decrypt: %w", name, err))
+			continue
+		}
+	}
+	if len(errs) > 0 {
+		return errors.Join(errs...)
+	}
+	return nil
+}
+
+// UpdateSymlinks refreshes every configured cert and key symlink so it
+// points at the domain's current cert/key files under certsDir. It reports
+// all link failures together rather than stopping at the first one.
+func UpdateSymlinks(domain string, domainConfig *common.DomainConfig, certsDir string) error {
+	var errs []error
+	for _, link := range domainConfig.Certificates.CertSymlinks {
+		if err := common.LinkFile(filepath.Join(certsDir, domain+".crt"), link, domain, ".crt"); err != nil {
+			errs = append(errs, fmt.Errorf("cert link %s: %w", link, err))
+		}
+	}
+	for _, link := range domainConfig.Certificates.KeySymlinks {
+		if err := common.LinkFile(filepath.Join(certsDir, domain+".key"), link, domain, ".key"); err != nil {
+			errs = append(errs, fmt.Errorf("key link %s: %w", link, err))
+		}
+	}
+	if len(errs) > 0 {
+		return errors.Join(errs...)
+	}
+	return nil
+}
+
+func readWorkspaceFile(ws *common.GitWorkspace, name string) ([]byte, error) {
+	f, err := ws.FS.Open(name)
+	if err != nil {
+		return nil, fmt.Errorf("open: %w", err)
+	}
+	defer f.Close()
+	data, err := io.ReadAll(f)
+	if err != nil {
+		return nil, fmt.Errorf("read: %w", err)
+	}
+	return data, nil
+}

client/client.go

@@ -1,161 +0,0 @@
-package client
-
-import (
-	"fmt"
-	"io"
-	"log"
-	"path/filepath"
-	"strings"
-
-	"git.nevets.tech/Keys/CertManager/internal"
-	"github.com/go-git/go-billy/v5/memfs"
-	"github.com/go-git/go-git/v5/storage/memory"
-)
-
-func Init() {
-	err := internal.LoadDomainConfigs()
-	if err != nil {
-		log.Fatalf("Error loading domain configs: %v", err)
-	}
-
-	Tick()
-}
-
-func Tick() {
-	fmt.Println("Tick!")
-
-	// Get local copy of configs
-	config := internal.Config()
-	localDomainConfigs := internal.DomainStore().Snapshot()
-
-	// Loop over all domain configs (domains)
-	for domainStr, domainConfig := range localDomainConfigs {
-		// Skip non-enabled domains
-		if !domainConfig.GetBool("Domain.enabled") {
-			continue
-		}
-
-		// Skip domains with up-to-date commit hashes
-		// If the repo doesn't exist, we can't check for a remote commit, so stop the rest of the check
-		repoExists := domainConfig.GetBool("Internal.repo_exists")
-		if repoExists {
-			localHash, err := internal.LocalCommitHash(domainStr)
-			if err != nil {
-				fmt.Printf("No local commit hash found for domain %s\n", domainStr)
-			}
-			gitSource, err := internal.StrToGitSource(internal.Config().GetString("Git.host"))
-			if err != nil {
-				fmt.Printf("Error getting git source for domain %s: %v\n", domainStr, err)
-				continue
-			}
-			remoteHash, err := internal.RemoteCommitHash(domainStr, gitSource)
-			if err != nil {
-				fmt.Printf("Error getting remote commit hash for domain %s: %v\n", domainStr, err)
-			}
-			// If both hashes are blank (errored), break
-			// If localHash equals remoteHash (local is up-to-date), skip
-			if !(localHash == "" && remoteHash == "") && localHash == remoteHash {
-				fmt.Printf("Domain %s is up to date. Skipping...\n", domainStr)
-				continue
-			}
-		}
-
-		gitWorkspace := &internal.GitWorkspace{
-			Storage: memory.NewStorage(),
-			FS:      memfs.New(),
-		}
-		// Ex: https://git.example.com/Org/Repo-suffix.git
-		// Clones repo and stores in gitWorkspace, skip if clone fails (doesn't exist?)
-		repoUrl := internal.Config().GetString("Git.server") + "/" + config.GetString("Git.org_name") + "/" + domainStr + domainConfig.GetString("Repo.repo_suffix") + ".git"
-		err := internal.CloneRepo(repoUrl, gitWorkspace, internal.Client)
-		if err != nil {
-			fmt.Printf("Error cloning domain repo %s: %v\n", domainStr, err)
-			continue
-		}
-
-		certsDir, err := internal.DomainCertsDirWConf(domainStr, domainConfig)
-		if err != nil {
-			fmt.Printf("Error getting certificates dir for domain %s: %v\n", domainStr, err)
-			continue
-		}
-
-		// Get files in repo
-		fileInfos, err := gitWorkspace.FS.ReadDir("/")
-		if err != nil {
-			fmt.Printf("Error reading directory in memFS on domain %s: %v\n", domainStr, err)
-			continue
-		}
-		// Iterate over files, filtering by .crpt (encrypted) files in case other files were accidentally added
-		for _, fileInfo := range fileInfos {
-			if strings.HasSuffix(fileInfo.Name(), ".crpt") {
-				filename, _ := strings.CutSuffix(fileInfo.Name(), ".crpt")
-				file, err := gitWorkspace.FS.Open(fileInfo.Name())
-				if err != nil {
-					fmt.Printf("Error opening file in memFS on domain %s: %v\n", domainStr, err)
-					continue
-				}
-				fileBytes, err := io.ReadAll(file)
-				if err != nil {
-					fmt.Printf("Error reading file in memFS on domain %s: %v\n", domainStr, err)
-					file.Close()
-					continue
-				}
-				err = file.Close()
-				if err != nil {
-					fmt.Printf("Error closing file on domain %s: %v\n", domainStr, err)
-					continue
-				}
-
-				err = internal.DecryptFileFromBytes(domainConfig.GetString("Certificates.crypto_key"), fileBytes, filepath.Join(certsDir, filename), nil)
-				if err != nil {
-					fmt.Printf("Error decrypting file %s in domain %s: %v\n", filename, domainStr, err)
-					continue
-				}
-
-				headRef, err := gitWorkspace.Repo.Head()
-				if err != nil {
-					fmt.Printf("Error getting head reference for domain %s: %v\n", domainStr, err)
-					continue
-				}
-
-				err = internal.WriteCommitHash(headRef.Hash().String(), domainConfig)
-				if err != nil {
-					fmt.Printf("Error writing commit hash: %v\n", err)
-					continue
-				}
-
-				certLinks := domainConfig.GetStringSlice("Certificates.cert_symlinks")
-				for _, certLink := range certLinks {
-					err = internal.LinkFile(filepath.Join(certsDir, domainStr+".crt"), certLink, domainStr, ".crt")
-					if err != nil {
-						fmt.Printf("Error linking cert %s to %s: %v\n", certLink, domainStr, err)
-						continue
-					}
-				}
-
-				keyLinks := domainConfig.GetStringSlice("Certificates.key_symlinks")
-				for _, keyLink := range keyLinks {
-					err = internal.LinkFile(filepath.Join(certsDir, domainStr+".key"), keyLink, domainStr, ".key")
-					if err != nil {
-						fmt.Printf("Error linking cert %s to %s: %v\n", keyLink, domainStr, err)
-						continue
-					}
-				}
-			}
-		}
-	}
-}
-
-func Reload() {
-	fmt.Println("Reloading configs...")
-
-	err := internal.LoadDomainConfigs()
-	if err != nil {
-		fmt.Printf("Error loading domain configs: %v\n", err)
-		return
-	}
-}
-
-func Stop() {
-	fmt.Println("Shutting down client")
-}

client/git.go

@@ -0,0 +1,51 @@
+package client
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"git.nevets.tech/Steven/certman/common"
+)
+
+// hashFile is the filename inside a domain's local data root that records
+// the last remote commit SHA the client successfully synced from. The daemon
+// compares it against the remote HEAD to decide whether a sync is needed.
+const hashFile = "hash"
+
+// defaultBranch is the branch the client tracks on the remote repo.
+const defaultBranch = "master"
+
+// WriteCommitHash persists hash to <certsDir>/hash. Call it after a
+// successful sync so the next tick can skip a no-op.
+func WriteCommitHash(certsDir, hash string) error {
+	return os.WriteFile(filepath.Join(certsDir, hashFile), []byte(hash), 0o644)
+}
+
+// LocalCommitHash returns the commit SHA recorded at <certsDir>/hash. A
+// missing file is not an error: it returns "" so a fresh client falls
+// through to the full sync path.
+func LocalCommitHash(certsDir string) (string, error) {
+	data, err := os.ReadFile(filepath.Join(certsDir, hashFile))
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return "", nil
+		}
+		return "", fmt.Errorf("read hash file: %w", err)
+	}
+	return strings.TrimSpace(string(data)), nil
+}
+
+// RemoteCommitHash returns the current HEAD commit SHA of the domain's repo
+// on the configured git host. It returns common.ErrRepoNotFound if the repo
+// does not exist yet, letting the daemon handle the "not provisioned" case
+// without string-matching errors.
+func RemoteCommitHash(config *common.AppConfig, domainConfig *common.DomainConfig, domain string) (string, error) {
+	provider, err := common.ProviderFor(config)
+	if err != nil {
+		return "", err
+	}
+	return provider.HeadCommit(domain, defaultBranch, domainConfig)
+}

commands/basic.go

@@ -1,37 +0,0 @@
-package commands
-
-import (
-	"fmt"
-	"log"
-
-	"git.nevets.tech/Keys/CertManager/internal"
-	"github.com/spf13/cobra"
-)
-
-func DevCmd(cmd *cobra.Command, args []string) {
-	testDomain := "lunamc.org"
-	err := internal.LoadConfig()
-	if err != nil {
-		log.Fatalf("Error loading configuration: %v\n", err)
-	}
-	err = internal.LoadDomainConfigs()
-	if err != nil {
-		log.Fatalf("Error loading configs: %v\n", err)
-	}
-
-	fmt.Println(testDomain)
-}
-
-func VersionCmd(cmd *cobra.Command, args []string) {
-	fmt.Printf("CertManager (certman) - Steven Tracey\nVersion: %s build-%s\n",
-		internal.Version, internal.Build,
-	)
-}
-
-func NewKeyCmd(cmd *cobra.Command, args []string) {
-	key, err := internal.GenerateKey()
-	if err != nil {
-		log.Fatalf("%v", err)
-	}
-	fmt.Printf(key)
-}

commands/certs.go

@@ -1,266 +0,0 @@
-package commands
-
-import (
-	"fmt"
-	"io"
-	"os"
-	"path/filepath"
-	"strings"
-	"time"
-
-	"git.nevets.tech/Keys/CertManager/internal"
-	"github.com/go-git/go-billy/v5/memfs"
-	"github.com/go-git/go-git/v5/storage/memory"
-)
-
-var mgr *internal.ACMEManager
-
-func RenewCertCmd(domain string, noPush bool, certmanMode internal.CertManMode) error {
-	err := internal.LoadConfig()
-	if err != nil {
-		return err
-	}
-	err = internal.LoadDomainConfigs()
-	if err != nil {
-		return err
-	}
-	switch internal.Config().GetString("App.mode") {
-	case "server":
-		mgr, err = internal.NewACMEManager()
-		if err != nil {
-			return err
-		}
-		err = renewCerts(domain, noPush, certmanMode)
-		if err != nil {
-			return err
-		}
-		return ReloadDaemonCmd()
-	case "client":
-		return pullCerts(domain, certmanMode)
-	default:
-		return fmt.Errorf("invalid operating mode %s", internal.Config().GetString("App.mode"))
-	}
-}
-
-func renewCerts(domain string, noPush bool, certmanMode internal.CertManMode) error {
-	_, err := mgr.RenewForDomain(domain)
-	if err != nil {
-		// if no existing cert, obtain instead
-		_, err = mgr.ObtainForDomain(domain)
-		if err != nil {
-			return fmt.Errorf("error obtaining domain certificates for domain %s: %v", domain, err)
-		}
-	}
-
-	domainConfig, exists := internal.DomainStore().Get(domain)
-	if !exists {
-		return fmt.Errorf("domain %s does not exist", domain)
-	}
-
-	domainConfig.Set("Internal.last_issued", time.Now().UTC().Unix())
-	err = internal.WriteDomainConfig(domainConfig)
-	if err != nil {
-		return fmt.Errorf("error saving domain config %s: %v", domain, err)
-	}
-
-	err = internal.EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.CertsRoot, domain, domain+".crt"), filepath.Join(mgr.CertsRoot, domain, domain+".crt.crpt"), nil)
-	if err != nil {
-		return fmt.Errorf("error encrypting domain cert for domain %s: %v", domain, err)
-	}
-	err = internal.EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.CertsRoot, domain, domain+".key"), filepath.Join(mgr.CertsRoot, domain, domain+".key.crpt"), nil)
-	if err != nil {
-		return fmt.Errorf("error encrypting domain key for domain %s: %v", domain, err)
-	}
-
-	if !noPush {
-		giteaClient := internal.CreateGiteaClient()
-		if giteaClient == nil {
-			return fmt.Errorf("error creating gitea client for domain %s: %v", domain, err)
-		}
-		gitWorkspace := &internal.GitWorkspace{
-			Storage: memory.NewStorage(),
-			FS:      memfs.New(),
-		}
-
-		var repoUrl string
-		if !domainConfig.GetBool("Internal.repo_exists") {
-			repoUrl = internal.CreateGiteaRepo(domain, giteaClient)
-			if repoUrl == "" {
-				return fmt.Errorf("error creating Gitea repo for domain %s", domain)
-			}
-			domainConfig.Set("Internal.repo_exists", true)
-			err = internal.WriteDomainConfig(domainConfig)
-			if err != nil {
-				return fmt.Errorf("error saving domain config %s: %v", domain, err)
-			}
-
-			err = internal.InitRepo(repoUrl, gitWorkspace)
-			if err != nil {
-				return fmt.Errorf("error initializing repo for domain %s: %v", domain, err)
-			}
-		} else {
-			repoUrl = internal.Config().GetString("Git.server") + "/" + internal.Config().GetString("Git.org_name") + "/" + domain + domainConfig.GetString("Repo.repo_suffix") + ".git"
-			err = internal.CloneRepo(repoUrl, gitWorkspace, certmanMode)
-			if err != nil {
-				return fmt.Errorf("error cloning repo for domain %s: %v", domain, err)
-			}
-		}
-
-		err = internal.AddAndPushCerts(domain, gitWorkspace)
-		if err != nil {
-			return fmt.Errorf("error pushing certificates for domain %s: %v", domain, err)
-		}
-		fmt.Printf("Successfully pushed certificates for domain %s\n", domain)
-	}
-
-	return nil
-}
-
-func pullCerts(domain string, certmanMode internal.CertManMode) error {
-	gitWorkspace := &internal.GitWorkspace{
-		Storage: memory.NewStorage(),
-		FS:      memfs.New(),
-	}
-
-	domainConfig, exists := internal.DomainStore().Get(domain)
-	if !exists {
-		return fmt.Errorf("domain %s does not exist", domain)
-	}
-
-	// Ex: https://git.example.com/Org/Repo-suffix.git
-	// Clones repo and stores in gitWorkspace, skip if clone fails (doesn't exist?)
-	repoUrl := internal.Config().GetString("Git.server") + "/" + internal.Config().GetString("Git.org_name") + "/" + domain + domainConfig.GetString("Repo.repo_suffix") + ".git"
-	err := internal.CloneRepo(repoUrl, gitWorkspace, certmanMode)
-	if err != nil {
-		return fmt.Errorf("Error cloning domain repo %s: %v\n", domain, err)
-	}
-
-	certsDir, err := internal.DomainCertsDirWConf(domain, domainConfig)
-	if err != nil {
-		return fmt.Errorf("Error getting certificates dir for domain %s: %v\n", domain, err)
-	}
-
-	// Get files in repo
-	fileInfos, err := gitWorkspace.FS.ReadDir("/")
-	if err != nil {
-		return fmt.Errorf("Error reading directory in memFS on domain %s: %v\n", domain, err)
-	}
-	// Iterate over files, filtering by .crpt (encrypted) files in case other files were accidentally added
-	for _, fileInfo := range fileInfos {
-		if strings.HasSuffix(fileInfo.Name(), ".crpt") {
-			filename, _ := strings.CutSuffix(fileInfo.Name(), ".crpt")
-			file, err := gitWorkspace.FS.Open(fileInfo.Name())
-			if err != nil {
-				fmt.Printf("Error opening file in memFS on domain %s: %v\n", domain, err)
-				continue
-			}
-			fileBytes, err := io.ReadAll(file)
-			if err != nil {
-				fmt.Printf("Error reading file in memFS on domain %s: %v\n", domain, err)
-				file.Close()
-				continue
-			}
-			err = file.Close()
-			if err != nil {
-				fmt.Printf("Error closing file on domain %s: %v\n", domain, err)
-				continue
-			}
-
-			err = internal.DecryptFileFromBytes(domainConfig.GetString("Certificates.crypto_key"), fileBytes, filepath.Join(certsDir, filename), nil)
-			if err != nil {
-				fmt.Printf("Error decrypting file %s in domain %s: %v\n", filename, domain, err)
-				continue
-			}
-
-			headRef, err := gitWorkspace.Repo.Head()
-			if err != nil {
-				fmt.Printf("Error getting head reference for domain %s: %v\n", domain, err)
-				continue
-			}
-
-			err = internal.WriteCommitHash(headRef.Hash().String(), domainConfig)
-			if err != nil {
-				fmt.Printf("Error writing commit hash: %v\n", err)
-				continue
-			}
-
-			certLinks := domainConfig.GetStringSlice("Certificates.cert_symlinks")
-			for _, certLink := range certLinks {
-				if certLink == "" {
-					continue
-				}
-				linkInfo, err := os.Stat(certLink)
-				if err != nil {
-					if !os.IsNotExist(err) {
-						fmt.Printf("Error stating cert link %s: %v\n", certLink, err)
-						continue
-					}
-				}
-				if linkInfo.IsDir() {
-					certLink = filepath.Join(certLink, domain+".crt")
-				}
-
-				err = os.Link(filepath.Join(certsDir, domain+".crt"), certLink)
-				if err != nil {
-					fmt.Printf("Error linking cert %s to %s: %v\n", certLink, domain, err)
-					continue
-				}
-			}
-
-			keyLinks := domainConfig.GetStringSlice("Certificates.key_symlinks")
-			for _, keyLink := range keyLinks {
-				if keyLink == "" {
-					continue
-				}
-				linkInfo, err := os.Stat(keyLink)
-				if err != nil {
-					if !os.IsNotExist(err) {
-						fmt.Printf("Error stating key link %s: %v\n", keyLink, err)
-						continue
-					}
-				}
-				if linkInfo.IsDir() {
-					keyLink = filepath.Join(keyLink, domain+".crt")
-				}
-
-				err = os.Link(filepath.Join(certsDir, domain+".crt"), keyLink)
-				if err != nil {
-					fmt.Printf("Error linking cert %s to %s: %v\n", keyLink, domain, err)
-					continue
-				}
-			}
-		}
-	}
-	return nil
-}
-
-func UpdateLinksCmd(domain string) error {
-	domainConfig, exists := internal.DomainStore().Get(domain)
-	if !exists {
-		return fmt.Errorf("domain %s does not exist", domain)
-	}
-
-	certsDir, err := internal.DomainCertsDirWConf(domain, domainConfig)
-	if err != nil {
-		return fmt.Errorf("error getting certificates dir for domain %s: %v", domain, err)
-	}
-
-	certLinks := domainConfig.GetStringSlice("Certificates.cert_symlinks")
-	for _, certLink := range certLinks {
-		err = internal.LinkFile(filepath.Join(certsDir, domain+".crt"), certLink, domain, ".crt")
-		if err != nil {
-			fmt.Printf("Error linking cert %s to %s: %v", certLink, domain, err)
-			continue
-		}
-	}
-
-	keyLinks := domainConfig.GetStringSlice("Certificates.key_symlinks")
-	for _, keyLink := range keyLinks {
-		err = internal.LinkFile(filepath.Join(certsDir, domain+".crt"), keyLink, domain, ".key")
-		if err != nil {
-			fmt.Printf("Error linking cert %s to %s: %v", keyLink, domain, err)
-			continue
-		}
-	}
-	return nil
-}

commands/install.go

@@ -1,116 +0,0 @@
-package commands
-
-import (
-	"fmt"
-	"os"
-	"os/exec"
-	"os/user"
-	"strconv"
-	"strings"
-
-	"git.nevets.tech/Keys/CertManager/internal"
-)
-
-func NewDomainCmd(domain, domainDir string, dirOverridden bool) error {
-	//TODO add config option for "overriden dir"
-	err := internal.LoadConfig()
-	if err != nil {
-		return err
-	}
-
-	fmt.Printf("Creating new domain %s\n", domain)
-	err = internal.CreateDomainConfig(domain)
-	if err != nil {
-		return err
-	}
-	internal.CreateDomainCertsDir(domain, domainDir, dirOverridden)
-
-	certmanUser, err := user.Lookup("certman")
-	if err != nil {
-		return fmt.Errorf("error getting user certman: %v", err)
-	}
-	uid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Uid))
-	if err != nil {
-		return err
-	}
-	gid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Gid))
-	if err != nil {
-		return err
-	}
-	err = internal.ChownRecursive("/etc/certman/domains", uid, gid)
-	if err != nil {
-		return err
-	}
-	err = internal.ChownRecursive("/var/local/certman", uid, gid)
-	if err != nil {
-		return err
-	}
-
-	fmt.Println("Successfully created domain entry for " + domain + "\nUpdate config file as needed in /etc/certman/domains/" + domain + ".conf\n")
-	return nil
-}
-
-func InstallCmd(isThin bool, mode string) error {
-	if !isThin {
-		if os.Geteuid() != 0 {
-			return fmt.Errorf("installation must be run as root")
-		}
-
-		internal.MakeDirs()
-		internal.CreateConfig(mode)
-
-		err := internal.LoadConfig()
-		if err != nil {
-			return err
-		}
-
-		f, err := os.OpenFile("/var/run/certman.pid", os.O_RDONLY|os.O_CREATE, 0755)
-		if err != nil {
-			return fmt.Errorf("error creating pid file: %v", err)
-		}
-		err = f.Close()
-		if err != nil {
-			return fmt.Errorf("error closing pid file: %v", err)
-		}
-
-		newUserCmd := exec.Command("useradd", "-d", "/var/local/certman", "-U", "-r", "-s", "/sbin/nologin", "certman")
-		if output, err := newUserCmd.CombinedOutput(); err != nil {
-			if !strings.Contains(err.Error(), "exit status 9") {
-				return fmt.Errorf("error creating user: %v: output %s", err, output)
-			}
-		}
-		newGroupCmd := exec.Command("groupadd", "-r", "-U", "certman", "certsock")
-		if output, err := newGroupCmd.CombinedOutput(); err != nil {
-			if !strings.Contains(err.Error(), "exit status 9") {
-				return fmt.Errorf("error creating group: %v: output %s", err, output)
-			}
-		}
-		certmanUser, err := user.Lookup("certman")
-		if err != nil {
-			return fmt.Errorf("error getting user certman: %v", err)
-		}
-		uid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Uid))
-		if err != nil {
-			return err
-		}
-		gid, err := strconv.Atoi(strings.TrimSpace(certmanUser.Gid))
-		if err != nil {
-			return err
-		}
-		err = internal.ChownRecursive("/etc/certman", uid, gid)
-		if err != nil {
-			return fmt.Errorf("error changing uid/gid: %v", err)
-		}
-		err = internal.ChownRecursive("/var/local/certman", uid, gid)
-		if err != nil {
-			return fmt.Errorf("error changing uid/gid: %v", err)
-		}
-		err = os.Chown("/var/run/certman.pid", uid, gid)
-		if err != nil {
-			return fmt.Errorf("error changing uid/gid: %v", err)
-		}
-	} else {
-		internal.CreateConfig(mode)
-	}
-	return nil
-}

common/buildinfo.go

@@ -1,4 +1,4 @@
-package internal
+package common
 
 var (
 	Version = "dev"

common/config.go

@@ -0,0 +1,71 @@
+package common
+
+// ---------------------------------------------------------------------------
+//  Default config templates
+// ---------------------------------------------------------------------------
+
+type AppConfig struct {
+	App          App          `mapstructure:"app" toml:"app"`
+	Certificates Certificates `mapstructure:"certificates" toml:"certificates"`
+	Cloudflare   Cloudflare   `mapstructure:"cloudflare" toml:"cloudflare"`
+	Git          Git          `mapstructure:"git" toml:"git"`
+}
+
+type App struct {
+	Mode     string `mapstructure:"mode" toml:"mode"`
+	TickRate int    `mapstructure:"tick_rate" toml:"tick_rate"`
+	UUID     string `mapstructure:"uuid" toml:"uuid"`
+}
+
+type Git struct {
+	Host     string `mapstructure:"host" toml:"host"`
+	Server   string `mapstructure:"server" toml:"server"`
+	Username string `mapstructure:"username" toml:"username"`
+	APIToken string `mapstructure:"api_token" toml:"api_token"`
+	OrgName  string `mapstructure:"org_name" toml:"org_name"`
+}
+
+type Certificates struct {
+	DataRoot string `mapstructure:"data_root" toml:"data_root"`
+	Email    string `mapstructure:"email" toml:"email"`
+	CADirURL string `mapstructure:"ca_dir_url" toml:"ca_dir_url"`
+}
+
+type Cloudflare struct {
+	CFEmail  string `mapstructure:"cf_email" toml:"cf_email"`
+	CFAPIKey string `mapstructure:"cf_api_key" toml:"cf_api_key"`
+}
+
+type DomainConfig struct {
+	Domain       DomainCfg   `mapstructure:"domain" toml:"domain"`
+	Certificates DomainCerts `mapstructure:"certificates" toml:"certificates"`
+	Repo         Repo        `mapstructure:"repo" toml:"repo"`
+	Internal     Internal    `mapstructure:"shared" toml:"shared"`
+}
+
+type DomainCfg struct {
+	DomainName string `mapstructure:"domain_name" toml:"domain_name"`
+	Enabled    bool   `mapstructure:"enabled" toml:"enabled"`
+	DNSServer  string `mapstructure:"dns_server" toml:"dns_server"`
+}
+
+type DomainCerts struct {
+	DataRoot      string   `mapstructure:"data_root" toml:"data_root"`
+	RequestMethod string   `mapstructure:"request_method" toml:"request_method"`
+	CryptoKey     string   `mapstructure:"crypto_key" toml:"crypto_key"`
+	Expiry        int      `mapstructure:"expiry" toml:"expiry"`
+	RenewPeriod   int      `mapstructure:"renew_period" toml:"renew_period"`
+	SubDomains    []string `mapstructure:"sub_domains" toml:"sub_domains"`
+	CertSymlinks  []string `mapstructure:"cert_symlinks" toml:"cert_symlinks"`
+	KeySymlinks   []string `mapstructure:"key_symlinks" toml:"key_symlinks"`
+}
+
+type Repo struct {
+	RepoSuffix string `mapstructure:"repo_suffix" toml:"repo_suffix"`
+}
+
+type Internal struct {
+	LastIssued int64  `mapstructure:"last_issued" toml:"last_issued"`
+	RepoExists bool   `mapstructure:"repo_exists" toml:"repo_exists"`
+	Status     string `mapstructure:"status" toml:"status"`
+}

common/crypto.go

@@ -1,4 +1,4 @@
-package internal
+package common
 
 import (
 	"crypto/rand"
@@ -68,39 +68,6 @@ func EncryptFileXChaCha(keyB64, inPath, outPath string, aad []byte) error {
 	return nil
 }
 
-func DecryptFileXChaCha(keyB64, inPath, outPath string, aad []byte) error {
-	key, err := decodeKey(keyB64)
-	if err != nil {
-		return err
-	}
-
-	aead, err := chacha20poly1305.NewX(key)
-	if err != nil {
-		return fmt.Errorf("new aead: %w", err)
-	}
-
-	in, err := os.ReadFile(inPath)
-	if err != nil {
-		return fmt.Errorf("read input: %w", err)
-	}
-	if len(in) < chacha20poly1305.NonceSizeX {
-		return errors.New("ciphertext too short")
-	}
-
-	nonce := in[:chacha20poly1305.NonceSizeX]
-	ciphertext := in[chacha20poly1305.NonceSizeX:]
-
-	plaintext, err := aead.Open(nil, nonce, ciphertext, aad)
-	if err != nil {
-		return fmt.Errorf("decrypt/auth failed: %w", err)
-	}
-
-	if err := os.WriteFile(outPath, plaintext, 0640); err != nil {
-		return fmt.Errorf("write output: %w", err)
-	}
-	return nil
-}
-
 func DecryptFileFromBytes(keyB64 string, inBytes []byte, outPath string, aad []byte) error {
 	key, err := decodeKey(keyB64)
 	if err != nil {

common/git.go

@@ -0,0 +1,127 @@
+package common
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/go-git/go-billy/v5"
+	"github.com/go-git/go-billy/v5/memfs"
+	"github.com/go-git/go-git/v5"
+	gitconf "github.com/go-git/go-git/v5/config"
+	"github.com/go-git/go-git/v5/plumbing/transport/http"
+	"github.com/go-git/go-git/v5/storage/memory"
+)
+
+// GitWorkspace is an in-memory git working tree for a single domain's
+// certificate repository. It is the shared primitive that both client and
+// server modes operate on: client mode clones and reads, server mode
+// init/clones and pushes. The struct carries no mode-specific state.
+type GitWorkspace struct {
+	Domain   string
+	URL      string
+	Storage  *memory.Storage
+	FS       billy.Filesystem
+	Repo     *git.Repository
+	WorkTree *git.Worktree
+}
+
+// GitSource identifies a supported git repository host.
+type GitSource int
+
+const (
+	Github GitSource = iota
+	Gitlab
+	Gitea
+	Gogs
+	Bitbucket
+	CodeCommit
+)
+
+// GitSourceName maps GitSource to the string used in the app config's
+// git.host field.
+var GitSourceName = map[GitSource]string{
+	Github:     "github",
+	Gitlab:     "gitlab",
+	Gitea:      "gitea",
+	Gogs:       "gogs",
+	Bitbucket:  "bitbucket",
+	CodeCommit: "code-commit",
+}
+
+// StrToGitSource parses a config string (e.g. "gitea") into a GitSource.
+func StrToGitSource(s string) (GitSource, error) {
+	for k, v := range GitSourceName {
+		if v == s {
+			return k, nil
+		}
+	}
+	return 0, fmt.Errorf("invalid git source %q", s)
+}
+
+// ErrRepoNotFound is returned by RepoProvider implementations when a domain's
+// repository does not exist on the remote. Callers use it to distinguish
+// "repo hasn't been created yet" from transport or auth failures.
+var ErrRepoNotFound = errors.New("repository not found")
+
+// NewGitWorkspace returns a workspace with an in-memory filesystem and storage
+// wired up. Call InitRepo (for a brand-new remote) or CloneRepo (for an
+// existing one) to populate Repo and WorkTree.
+func NewGitWorkspace(domain, url string) *GitWorkspace {
+	return &GitWorkspace{
+		Domain:  domain,
+		URL:     url,
+		Storage: memory.NewStorage(),
+		FS:      memfs.New(),
+	}
+}
+
+// RepoURL builds the canonical clone URL for a domain's certificate repo. It
+// is the single authoritative place for the "<server>/<org>/<domain><suffix>.git"
+// pattern so callers do not assemble URLs by hand.
+func RepoURL(config *AppConfig, domainConfig *DomainConfig, domain string) string {
+	return config.Git.Server + "/" + config.Git.OrgName + "/" + domain + domainConfig.Repo.RepoSuffix + ".git"
+}
+
+// InitRepo initializes an empty local repository in ws and registers origin
+// pointed at ws.URL. Use this on the first push for a new domain; use
+// CloneRepo on subsequent runs.
+func InitRepo(ws *GitWorkspace) error {
+	repo, err := git.Init(ws.Storage, ws.FS)
+	if err != nil {
+		return fmt.Errorf("git init: %w", err)
+	}
+	if _, err := repo.CreateRemote(&gitconf.RemoteConfig{
+		Name: "origin",
+		URLs: []string{ws.URL},
+	}); err != nil && !errors.Is(err, git.ErrRemoteExists) {
+		return fmt.Errorf("add remote: %w", err)
+	}
+	wt, err := repo.Worktree()
+	if err != nil {
+		return fmt.Errorf("get worktree: %w", err)
+	}
+	ws.Repo = repo
+	ws.WorkTree = wt
+	return nil
+}
+
+// CloneRepo clones ws.URL into ws using the git credentials from config. It
+// performs no ownership or mode-specific checks: server mode must follow up
+// with server.VerifyOwnership before pushing.
+func CloneRepo(ws *GitWorkspace, config *AppConfig) error {
+	auth := &http.BasicAuth{
+		Username: config.Git.Username,
+		Password: config.Git.APIToken,
+	}
+	repo, err := git.Clone(ws.Storage, ws.FS, &git.CloneOptions{URL: ws.URL, Auth: auth})
+	if err != nil {
+		return fmt.Errorf("git clone %s: %w", ws.URL, err)
+	}
+	wt, err := repo.Worktree()
+	if err != nil {
+		return fmt.Errorf("get worktree: %w", err)
+	}
+	ws.Repo = repo
+	ws.WorkTree = wt
+	return nil
+}

common/provider_gitea.go

@@ -0,0 +1,55 @@
+package common
+
+import (
+	"fmt"
+	"net/http"
+
+	"code.gitea.io/sdk/gitea"
+)
+
+// giteaProvider implements RepoProvider against a Gitea instance.
+type giteaProvider struct {
+	config *AppConfig
+	client *gitea.Client
+}
+
+func newGiteaProvider(config *AppConfig) (*giteaProvider, error) {
+	client, err := gitea.NewClient(config.Git.Server, gitea.SetToken(config.Git.APIToken))
+	if err != nil {
+		return nil, fmt.Errorf("connect gitea %s: %w", config.Git.Server, err)
+	}
+	return &giteaProvider{config: config, client: client}, nil
+}
+
+// CreateRepo creates a private org repo named "<domain><repo_suffix>" and
+// returns its clone URL.
+func (p *giteaProvider) CreateRepo(domain string, domainConfig *DomainConfig) (string, error) {
+	name := domain + domainConfig.Repo.RepoSuffix
+	opts := gitea.CreateRepoOption{
+		Name:          name,
+		Description:   "Certificate storage for " + domain,
+		Private:       true,
+		AutoInit:      false,
+		DefaultBranch: "master",
+		TrustModel:    gitea.TrustModelDefault,
+	}
+	repo, _, err := p.client.CreateOrgRepo(p.config.Git.OrgName, opts)
+	if err != nil {
+		return "", fmt.Errorf("create gitea repo %s/%s: %w", p.config.Git.OrgName, name, err)
+	}
+	return repo.CloneURL, nil
+}
+
+// HeadCommit returns the commit ID of branch in the domain's repo. A 404
+// from Gitea (repo or branch missing) is mapped to ErrRepoNotFound.
+func (p *giteaProvider) HeadCommit(domain, branch string, domainConfig *DomainConfig) (string, error) {
+	name := domain + domainConfig.Repo.RepoSuffix
+	b, resp, err := p.client.GetRepoBranch(p.config.Git.OrgName, name, branch)
+	if err != nil {
+		if resp != nil && resp.Response != nil && resp.StatusCode == http.StatusNotFound {
+			return "", ErrRepoNotFound
+		}
+		return "", fmt.Errorf("gitea branch %s/%s@%s: %w", p.config.Git.OrgName, name, branch, err)
+	}
+	return b.Commit.ID, nil
+}

common/repo_provider.go

@@ -0,0 +1,33 @@
+package common
+
+import "fmt"
+
+// RepoProvider abstracts the remote git host (Gitea, GitHub, etc.) so the
+// client and server packages stay host-agnostic. Provider-specific code lives
+// in a single file per host (e.g. provider_gitea.go) that implements this
+// interface. Adding a new host is a matter of adding a new file and a case
+// in ProviderFor; no caller needs to change.
+type RepoProvider interface {
+	// CreateRepo creates a new private domain repo on the remote and returns
+	// its canonical clone URL.
+	CreateRepo(domain string, domainConfig *DomainConfig) (string, error)
+
+	// HeadCommit returns the commit SHA at the tip of branch for the domain's
+	// repo. It returns ErrRepoNotFound if either the repo or the branch does
+	// not exist, so callers can treat "not created yet" as a non-fatal state.
+	HeadCommit(domain, branch string, domainConfig *DomainConfig) (string, error)
+}
+
+// ProviderFor returns a RepoProvider matching config.Git.Host.
+func ProviderFor(config *AppConfig) (RepoProvider, error) {
+	source, err := StrToGitSource(config.Git.Host)
+	if err != nil {
+		return nil, err
+	}
+	switch source {
+	case Gitea:
+		return newGiteaProvider(config)
+	default:
+		return nil, fmt.Errorf("git source %q is not implemented", config.Git.Host)
+	}
+}

common/util.go

@@ -1,4 +1,4 @@
-package internal
+package common
 
 import (
 	"errors"
@@ -7,12 +7,10 @@ import (
 	"os"
 	"os/user"
 	"path/filepath"
+	"regexp"
 	"strconv"
 	"strings"
 	"syscall"
-
-	"code.gitea.io/sdk/gitea"
-	"github.com/spf13/viper"
 )
 
 var (
@@ -21,13 +19,6 @@ var (
 	ErrBlankCert  = errors.New("cert is blank")
 )
 
-type Domain struct {
-	name        *string
-	config      *viper.Viper
-	description *string
-	gtClient    *gitea.Client
-}
-
 // 0x01
 func createPIDFile() {
 	file, err := os.Create("/var/run/certman.pid")
@@ -168,46 +159,6 @@ func DaemonProcess() (*os.Process, error) {
 	return proc, nil
 }
 
-func createFile(fileName string, filePermission os.FileMode, data []byte) {
-	fileInfo, err := os.Stat(fileName)
-	if err != nil {
-		if os.IsNotExist(err) {
-			file, err := os.Create(fileName)
-			if err != nil {
-				fmt.Println("Error creating configuration file: ", err)
-				os.Exit(1)
-			}
-
-			_, err = file.Write(data)
-			if err != nil {
-				fmt.Println("Error writing to file: ", err)
-				os.Exit(1)
-			}
-			err = file.Chmod(filePermission)
-			if err != nil {
-				fmt.Println("Error changing file permission: ", err)
-			}
-		} else {
-			fmt.Println("Error opening configuration file: ", err)
-			os.Exit(1)
-		}
-	} else {
-		if fileInfo.Size() == 0 {
-			file, err := os.Create(fileName)
-			if err != nil {
-				fmt.Println("Error creating configuration file: ", err)
-				os.Exit(1)
-			}
-
-			_, err = file.Write(data)
-			if err != nil {
-				fmt.Println("Error writing to file:", err)
-				os.Exit(1)
-			}
-		}
-	}
-}
-
 func LinkFile(source, target, domain, extension string) error {
 	if target == "" {
 		return ErrBlankCert
@@ -234,7 +185,7 @@ func LinkFile(source, target, domain, extension string) error {
 	return nil
 }
 
-func fileExists(path string) bool {
+func FileExists(path string) bool {
 	_, err := os.Stat(path)
 	return err == nil
 }
@@ -262,31 +213,6 @@ func SanitizeDomainKey(s string) string {
 	return r.Replace(s)
 }
 
-// DomainCertsDir Can return ErrBlankConfigEntry, ErrConfigNotFound, or other errors
-func DomainCertsDir(domain string) (string, error) {
-	domainConfig, exists := domainStore.Get(domain)
-	if !exists {
-		return "", ErrConfigNotFound
-	}
-
-	return DomainCertsDirWConf(domain, domainConfig)
-}
-
-// DomainCertsDirWConf Can return ErrBlankConfigEntry or other errors
-func DomainCertsDirWConf(domain string, domainConfig *viper.Viper) (string, error) {
-	effectiveDataRoot, err := EffectiveString(domainConfig, "Certificates.data_root")
-	if err != nil {
-		return "", err
-	}
-
-	return filepath.Join(effectiveDataRoot, "certificates", domain), nil
-}
-
-func DomainCertsDirWOnlyConf(domainConfig *viper.Viper) (string, error) {
-	domain := domainConfig.GetString("Domain.domain_name")
-	return DomainCertsDirWConf(domain, domainConfig)
-}
-
 func ChownRecursive(path string, uid, gid int) error {
 	return filepath.WalkDir(path, func(name string, d fs.DirEntry, err error) error {
 		if err != nil {
@@ -357,3 +283,46 @@ func MakeCredential(username, groupname string) (*syscall.Credential, error) {
 
 	return &syscall.Credential{Uid: uid, Gid: gid}, nil
 }
+
+// CertsDir returns the on-disk directory where a domain's encrypted and
+// decrypted certificate files live, along with the client's sync-state
+// `hash` marker. A per-domain data_root override (domainConfig.Certificates.DataRoot)
+// is used as-is; otherwise the path is <config.data_root>/certificates/<domain>.
+// This is the single source of truth for that convention — callers should
+// not assemble the path themselves.
+func CertsDir(config *AppConfig, domainConfig *DomainConfig, domain string) string {
+	if domainConfig != nil && domainConfig.Certificates.DataRoot != "" {
+		return domainConfig.Certificates.DataRoot
+	}
+	if config == nil {
+		return filepath.Join("certificates", domain)
+	}
+	return filepath.Join(config.Certificates.DataRoot, "certificates", domain)
+}
+
+func EffectiveDataRoot(config *AppConfig, domainConfig *DomainConfig) string {
+	if config == nil {
+		return ""
+	}
+	if domainConfig == nil {
+		return ""
+	}
+
+	if domainConfig.Certificates.DataRoot == "" {
+		if config.Certificates.DataRoot == "" {
+			workDir, err := os.Getwd()
+			if err != nil {
+				return "./"
+			}
+			return workDir
+		}
+		return config.Certificates.DataRoot
+	}
+	return domainConfig.Certificates.DataRoot
+}
+
+var fqdnRegex = regexp.MustCompile(`^(?i:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$`)
+
+func IsValidFQDN(domain string) bool {
+	return len(domain) <= 253 && fqdnRegex.MatchString(domain)
+}

go.mod

@@ -1,4 +1,4 @@
-module git.nevets.tech/Keys/CertManager
+module git.nevets.tech/Steven/certman
 
 go 1.25.0
 

internal/git.go

@@ -1,374 +0,0 @@
-package internal
-
-import (
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"path/filepath"
-	"strings"
-	"time"
-
-	"code.gitea.io/sdk/gitea"
-	"github.com/go-git/go-billy/v5"
-	"github.com/go-git/go-git/v5"
-	gitconf "github.com/go-git/go-git/v5/config"
-	"github.com/go-git/go-git/v5/plumbing/object"
-	"github.com/go-git/go-git/v5/plumbing/transport/http"
-	"github.com/go-git/go-git/v5/storage/memory"
-	"github.com/spf13/viper"
-)
-
-type CertManMode int
-
-const (
-	Server CertManMode = iota
-	Client
-)
-
-type GitWorkspace struct {
-	Repo     *git.Repository
-	Storage  *memory.Storage
-	FS       billy.Filesystem
-	WorkTree *git.Worktree
-}
-
-type GitSource int
-
-const (
-	Github GitSource = iota
-	Gitlab
-	Gitea
-	Gogs
-	Bitbucket
-	CodeCommit
-)
-
-var GitSourceName = map[GitSource]string{
-	Github:     "github",
-	Gitlab:     "gitlab",
-	Gitea:      "gitea",
-	Gogs:       "gogs",
-	Bitbucket:  "bitbucket",
-	CodeCommit: "code-commit",
-}
-
-func StrToGitSource(s string) (GitSource, error) {
-	for k, v := range GitSourceName {
-		if v == s {
-			return k, nil
-		}
-	}
-	return GitSource(0), errors.New("invalid gitsource name")
-}
-
-//func createGithubClient() *github.Client {
-//	return github.NewClient(nil).WithAuthToken(config.GetString("Git.api_token"))
-//}
-
-func CreateGiteaClient() *gitea.Client {
-	client, err := gitea.NewClient(config.GetString("Git.server"), gitea.SetToken(config.GetString("Git.api_token")))
-	if err != nil {
-		fmt.Printf("Error connecting to gitea instance: %v\n", err)
-		return nil
-	}
-	return client
-}
-
-//func createGithubRepo(domain *Domain, Client *github.Client) string {
-//	name := domain.name
-//	owner := domain.config.GetString("Repo.owner")
-//	description := domain.description
-//	private := true
-//	includeAllBranches := false
-//
-//	ctx := context.Background()
-//	template := &github.TemplateRepoRequest{
-//		Name:               name,
-//		Owner:              &owner,
-//		Description:        description,
-//		Private:            &private,
-//		IncludeAllBranches: &includeAllBranches,
-//	}
-//	repo, _, err := Client.Repositories.CreateFromTemplate(ctx, config.GetString("Git.org_name"), config.GetString("Git.template_name"), template)
-//	if err != nil {
-//		fmt.Println("Error creating repository from template,", err)
-//		return ""
-//	}
-//	return *repo.CloneURL
-//}
-
-func CreateGiteaRepo(domain string, giteaClient *gitea.Client) string {
-	domainConfig, exists := domainStore.Get(domain)
-	if !exists {
-		fmt.Printf("Domain %s config does not exist\n", domain)
-		return ""
-	}
-	options := gitea.CreateRepoOption{
-		Name:          domain + domainConfig.GetString("Repo.repo_suffix"),
-		Description:   "Certificate storage for " + domain,
-		Private:       true,
-		IssueLabels:   "",
-		AutoInit:      false,
-		Template:      false,
-		Gitignores:    "",
-		License:       "",
-		Readme:        "",
-		DefaultBranch: "master",
-		TrustModel:    gitea.TrustModelDefault,
-	}
-
-	giteaRepo, _, err := giteaClient.CreateOrgRepo(config.GetString("Git.org_name"), options)
-	if err != nil {
-		fmt.Printf("Error creating repo: %v\n", err)
-		return ""
-	}
-	return giteaRepo.CloneURL
-}
-
-func InitRepo(url string, ws *GitWorkspace) error {
-	var err error
-	ws.Repo, err = git.Init(ws.Storage, ws.FS)
-	if err != nil {
-		fmt.Printf("Error initializing local repo: %v\n", err)
-		return err
-	}
-
-	_, err = ws.Repo.CreateRemote(&gitconf.RemoteConfig{
-		Name: "origin",
-		URLs: []string{url},
-	})
-	if err != nil && !errors.Is(err, git.ErrRemoteExists) {
-		fmt.Printf("Error creating remote origin repo: %v\n", err)
-		return err
-	}
-
-	ws.WorkTree, err = ws.Repo.Worktree()
-	if err != nil {
-		fmt.Printf("Error getting worktree from local repo: %v\n", err)
-		return err
-	}
-
-	return nil
-}
-
-func CloneRepo(url string, ws *GitWorkspace, certmanMode CertManMode) error {
-	creds := &http.BasicAuth{
-		Username: config.GetString("Git.username"),
-		Password: config.GetString("Git.api_token"),
-	}
-	var err error
-	ws.Repo, err = git.Clone(ws.Storage, ws.FS, &git.CloneOptions{URL: url, Auth: creds})
-	if err != nil {
-		fmt.Printf("Error cloning repo: %v\n", err)
-	}
-
-	ws.WorkTree, err = ws.Repo.Worktree()
-	if err != nil {
-		fmt.Printf("Error getting worktree from cloned repo: %v\n", err)
-		return err
-	}
-	if certmanMode == Server {
-		serverIdFile, err := ws.FS.OpenFile("/SERVER_ID", os.O_RDWR, 0640)
-		if err != nil {
-			if os.IsNotExist(err) {
-				fmt.Printf("Server ID file not found for %s, adopting domain\n", url)
-				return nil
-			}
-			return err
-		}
-		serverIdBytes, err := io.ReadAll(serverIdFile)
-		if err != nil {
-			return err
-		}
-		serverId := strings.TrimSpace(string(serverIdBytes))
-		if serverId != config.GetString("App.uuid") {
-			return fmt.Errorf("domain is already managed by server with uuid %s", serverId)
-		}
-	}
-	return nil
-}
-
-func AddAndPushCerts(domain string, ws *GitWorkspace) error {
-	domainConfig, exists := domainStore.Get(domain)
-	if !exists {
-		fmt.Printf("Domain %s config does not exist\n", domain)
-		return ErrConfigNotFound
-	}
-
-	certsDir, err := DomainCertsDirWConf(domain, domainConfig)
-	if err != nil {
-		if errors.Is(err, ErrConfigNotFound) {
-			fmt.Printf("Domain %s config not found: %v\n", domain, err)
-			return err
-		}
-		fmt.Printf("Error getting domain %s certs dir: %v\n", domain, err)
-	}
-
-	certFiles, err := os.ReadDir(certsDir)
-	if err != nil {
-		fmt.Printf("Error reading from directory: %v\n", err)
-		return err
-	}
-	for _, entry := range certFiles {
-		if strings.HasSuffix(entry.Name(), ".crpt") {
-			file, err := ws.FS.Create(entry.Name())
-			if err != nil {
-				fmt.Printf("Error copying file to memfs: %v\n", err)
-				return err
-			}
-			certFile, err := os.ReadFile(filepath.Join(certsDir, entry.Name()))
-			if err != nil {
-				fmt.Printf("Error reading file to memfs: %v\n", err)
-				file.Close()
-				return err
-			}
-			_, err = file.Write(certFile)
-			if err != nil {
-				fmt.Printf("Error writing to memfs: %v\n", err)
-				file.Close()
-				return err
-			}
-			_, err = ws.WorkTree.Add(file.Name())
-			if err != nil {
-				fmt.Printf("Error adding file %v: %v\n", file.Name(), err)
-				file.Close()
-				return err
-			}
-			err = file.Close()
-			if err != nil {
-				fmt.Printf("Error closing file: %v\n", err)
-			}
-		}
-
-		file, err := ws.FS.Create("/SERVER_ID")
-		if err != nil {
-			fmt.Printf("Error creating file in memfs: %v\n", err)
-			return err
-		}
-		_, err = file.Write([]byte(config.GetString("App.uuid")))
-		if err != nil {
-			fmt.Printf("Error writing to memfs: %v\n", err)
-			file.Close()
-			return err
-		}
-		_, err = ws.WorkTree.Add(file.Name())
-		if err != nil {
-			fmt.Printf("Error adding file %v: %v\n", file.Name(), err)
-			file.Close()
-			return err
-		}
-		err = file.Close()
-		if err != nil {
-			fmt.Printf("Error closing file: %v\n", err)
-		}
-
-	}
-
-	status, err := ws.WorkTree.Status()
-	if err != nil {
-		fmt.Printf("Error getting repo status: %v\n", err)
-		return err
-	}
-	if status.IsClean() {
-		fmt.Printf("Repository is clean, skipping commit...\n")
-		return nil
-	}
-
-	fmt.Println("Work Tree Status:\n" + status.String())
-	signature := &object.Signature{
-		Name:  "Cert Manager",
-		Email: config.GetString("Certificates.email"),
-		When:  time.Now(),
-	}
-	_, err = ws.WorkTree.Commit("Update "+domain+" @ "+time.Now().Format("Mon Jan _2 2006 15:04:05 MST"), &git.CommitOptions{Author: signature, Committer: signature})
-	if err != nil {
-		fmt.Printf("Error committing certs: %v\n", err)
-		return err
-	}
-	creds := &http.BasicAuth{
-		Username: config.GetString("Git.username"),
-		Password: config.GetString("Git.api_token"),
-	}
-	err = ws.Repo.Push(&git.PushOptions{
-		Auth:       creds,
-		Force:      true,
-		RemoteName: "origin",
-		RefSpecs: []gitconf.RefSpec{
-			"refs/heads/master:refs/heads/master",
-		},
-	})
-	if err != nil {
-		fmt.Printf("Error pushing to origin: %v\n", err)
-		return err
-	}
-
-	fmt.Println("Successfully uploaded to " + config.GetString("Git.server") + "/" + config.GetString("Git.org_name") + "/" + domain + domainConfig.GetString("Repo.repo_suffix") + ".git")
-
-	return nil
-}
-
-func WriteCommitHash(hash string, domainConfig *viper.Viper) error {
-	certsDir, err := DomainCertsDirWOnlyConf(domainConfig)
-	if err != nil {
-		if errors.Is(err, ErrConfigNotFound) {
-			return err
-		}
-		return err
-	}
-
-	err = os.WriteFile(filepath.Join(certsDir, "hash"), []byte(hash), 0644)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func LocalCommitHash(domain string) (string, error) {
-	certsDir, err := DomainCertsDir(domain)
-	if err != nil {
-		if errors.Is(err, ErrConfigNotFound) {
-			fmt.Printf("Domain %s config not found: %v\n", domain, err)
-			return "", err
-		}
-		fmt.Printf("Error getting domain %s certs dir: %v\n", domain, err)
-	}
-
-	data, err := os.ReadFile(filepath.Join(certsDir, "hash"))
-	if err != nil {
-		if !os.IsNotExist(err) {
-			fmt.Printf("Error reading file for domain %s: %v\n", domain, err)
-			return "", err
-		}
-	}
-
-	return strings.TrimSpace(string(data)), nil
-}
-
-func RemoteCommitHash(domain string, gitSource GitSource) (string, error) {
-	domainConfig, exists := DomainStore().Get(domain)
-	if !exists {
-		fmt.Printf("Domain %s config does not exist\n", domain)
-		return "", ErrConfigNotFound
-	}
-
-	switch gitSource {
-	case Gitea:
-		return getRemoteCommitHashGitea(config.GetString("Git.org_name"), domain+domainConfig.GetString("Repo.repo_suffix"), "master")
-	default:
-		fmt.Printf("Unimplemented git source %v\n", gitSource)
-		return "", errors.New("unimplemented git source")
-	}
-}
-
-func getRemoteCommitHashGitea(org, repo, branchName string) (string, error) {
-	giteaClient := CreateGiteaClient()
-	branch, _, err := giteaClient.GetRepoBranch(org, repo, branchName)
-	if err != nil {
-		fmt.Printf("Error getting repo branch: %v\n", err)
-		return "", err
-	}
-	//TODO catch repo not found as ErrRepoNotInit
-	return branch.Commit.ID, nil
-}

internal/grpc.go

@@ -1 +0,0 @@
-package internal

main.go

@@ -1,181 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"os"
-	"regexp"
-
-	"git.nevets.tech/Keys/CertManager/commands"
-	"git.nevets.tech/Keys/CertManager/internal"
-	"github.com/spf13/cobra"
-)
-
-var configFile string
-
-var fqdnRegex = regexp.MustCompile(`^(?i:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$`)
-
-//TODO create logic for gh vs gt repos
-
-func main() {
-	rootCmd := &cobra.Command{
-		Use:   "certman",
-		Short: "CertMan",
-		Long:  "Certificate Manager",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return cmd.Help()
-		},
-	}
-
-	rootCmd.PersistentFlags().StringVarP(&configFile, "config", "c", "/etc/certman/certman.conf", "Configuration file")
-
-	rootCmd.AddCommand(basicCmd("version", "Show version", commands.VersionCmd))
-	rootCmd.AddCommand(basicCmd("gen-key", "Generates encryption key", commands.NewKeyCmd))
-	rootCmd.AddCommand(basicCmd("dev", "Dev Function", commands.DevCmd))
-
-	var domainCertDir string
-	newDomainCmd := &cobra.Command{
-		Use:           "new-domain",
-		Short:         "Create config and directories for new domain",
-		Args:          cobra.ExactArgs(1),
-		SilenceUsage:  true,
-		SilenceErrors: true,
-		RunE: func(cmd *cobra.Command, args []string) error {
-			dirOverridden := cmd.Flags().Changed("dir")
-			return commands.NewDomainCmd(args[0], domainCertDir, dirOverridden)
-		},
-	}
-	newDomainCmd.Flags().StringVar(&domainCertDir, "dir", "/var/local/certman/certificates/", "Alternate directory for certificates")
-	rootCmd.AddCommand(newDomainCmd)
-
-	var (
-		modeFlag        string
-		thinInstallFlag bool
-	)
-	installCmd := &cobra.Command{
-		Use:   "install",
-		Short: "Create certman files and directories",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			switch modeFlag {
-			case "server", "client":
-				return commands.InstallCmd(thinInstallFlag, modeFlag)
-			default:
-				return fmt.Errorf("invalid --mode %q (must be server or client)", modeFlag)
-			}
-		},
-	}
-	installCmd.Flags().StringVar(&modeFlag, "mode", "client", "CertManager mode [server, client]")
-	installCmd.Flags().BoolVarP(&thinInstallFlag, "thin", "t", false, "Thin install (skip creating dirs)")
-	rootCmd.AddCommand(installCmd)
-
-	certCmd := &cobra.Command{
-		Use:   "cert",
-		Short: "Certificate management",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return cmd.Help()
-		},
-	}
-
-	var noPush bool
-	renewCertCmd := &cobra.Command{
-		Use:   "renew",
-		Short: "Renews a domains certificate",
-		Args:  cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return commands.RenewCertCmd(args[0], noPush, internal.Server)
-		},
-	}
-	renewCertCmd.Flags().BoolVar(&noPush, "no-push", false, "Don't push certs to repo, renew locally only [server mode only]")
-	certCmd.AddCommand(renewCertCmd)
-
-	updateCertLinkCmd := &cobra.Command{
-		Use:   "update-link",
-		Short: "Update linked certificates",
-		Args:  cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return commands.UpdateLinksCmd(args[0])
-		},
-	}
-	certCmd.AddCommand(updateCertLinkCmd)
-
-	rootCmd.AddCommand(certCmd)
-
-	rootCmd.AddCommand(&cobra.Command{
-		Use:   "executor",
-		Short: "Privileged daemon",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return commands.StartExecutorCmd()
-		},
-	})
-
-	daemonCmd := &cobra.Command{
-		Use:   "daemon",
-		Short: "Daemon management",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return cmd.Help()
-		},
-	}
-
-	daemonCmd.AddCommand(&cobra.Command{
-		Use:   "start",
-		Short: "Start the daemon",
-		Args:  cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return commands.RunDaemonCmd()
-		},
-	})
-
-	daemonCmd.AddCommand(&cobra.Command{
-		Use:   "stop",
-		Short: "Stop the daemon",
-		Args:  cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return commands.StopDaemonCmd()
-		},
-	})
-
-	daemonCmd.AddCommand(&cobra.Command{
-		Use:   "reload",
-		Short: "Reload daemon configs",
-		Args:  cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return commands.ReloadDaemonCmd()
-		},
-	})
-
-	daemonCmd.AddCommand(&cobra.Command{
-		Use:   "tick",
-		Short: "Manually triggers daemon tick",
-		Args:  cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return commands.TickDaemonCmd()
-		},
-	})
-
-	daemonCmd.AddCommand(&cobra.Command{
-		Use:   "status",
-		Short: "Show daemon status",
-		Args:  cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return commands.DaemonStatusCmd()
-		},
-	})
-
-	rootCmd.AddCommand(daemonCmd)
-
-	if err := rootCmd.Execute(); err != nil {
-		fmt.Fprintln(os.Stderr, err)
-		os.Exit(1)
-	}
-}
-
-func basicCmd(use, short string, commandFunc func(cmd *cobra.Command, args []string)) *cobra.Command {
-	return &cobra.Command{
-		Use:   use,
-		Short: short,
-		Run:   commandFunc,
-	}
-}
-
-func IsValidFQDN(domain string) bool {
-	return len(domain) <= 253 && fqdnRegex.MatchString(domain)
-}

server/acme_manager.go

@@ -1,4 +1,4 @@
-package internal
+package server
 
 import (
 	"crypto"
@@ -16,6 +16,7 @@ import (
 	"sync"
 	"time"
 
+	"git.nevets.tech/Steven/certman/common"
 	"github.com/go-acme/lego/v4/certcrypto"
 	"github.com/go-acme/lego/v4/certificate"
 	"github.com/go-acme/lego/v4/lego"
@@ -93,11 +94,11 @@ type StoredCertMeta struct {
 // - persistent ECDSA P-256 account key
 // - Let’s Encrypt production by default (from config fallback)
 // - Cloudflare DNS-01 only
-func NewACMEManager() (*ACMEManager, error) {
+func NewACMEManager(config *common.AppConfig) (*ACMEManager, error) {
 	// Pull effective (main-only) certificate settings.
-	email := config.GetString("Certificates.email")
-	dataRoot := config.GetString("Certificates.data_root")
-	caDirURL := config.GetString("Certificates.ca_dir_url")
+	email := config.Certificates.Email
+	dataRoot := config.Certificates.DataRoot
+	caDirURL := config.Certificates.CADirURL
 
 	// Build manager paths
 	mgr := &ACMEManager{
@@ -121,7 +122,7 @@ func NewACMEManager() (*ACMEManager, error) {
 
 	// Cloudflare provider (DNS-01 only).
 	// lego Cloudflare provider expects env vars (CLOUDFLARE_EMAIL/CLOUDFLARE_API_KEY or tokens). :contentReference[oaicite:2]{index=2}
-	restoreEnv, err := setCloudflareEnvFromMainConfig()
+	restoreEnv, err := setCloudflareEnvFromMainConfig(config)
 	if err != nil {
 		return nil, err
 	}
@@ -167,8 +168,8 @@ func NewACMEManager() (*ACMEManager, error) {
 }
 
 // ObtainForDomain obtains a new cert for a configured domain and saves it to disk.
-func (m *ACMEManager) ObtainForDomain(domainKey string) (*certificate.Resource, error) {
-	rcfg, err := buildDomainRuntimeConfig(domainKey)
+func (m *ACMEManager) ObtainForDomain(domainKey string, config *common.AppConfig, domainConfig *common.DomainConfig) (*certificate.Resource, error) {
+	rcfg, err := buildDomainRuntimeConfig(config, domainConfig)
 	if err != nil {
 		return nil, err
 	}
@@ -225,7 +226,7 @@ func (m *ACMEManager) RenewForDomain(domainKey string) (*certificate.Resource, e
 
 // GetCertPaths returns disk paths for the domain's cert material.
 func (m *ACMEManager) GetCertPaths(domainKey string) (certPEM, keyPEM string) {
-	base := SanitizeDomainKey(domainKey)
+	base := common.SanitizeDomainKey(domainKey)
 	dir := filepath.Join(m.CertsRoot, base)
 	return filepath.Join(dir, base+".crt"),
 		filepath.Join(dir, base+".key")
@@ -235,32 +236,23 @@ func (m *ACMEManager) GetCertPaths(domainKey string) (certPEM, keyPEM string) {
 // Domain runtime config assembly
 // ---------------------------------------------
 
-func buildDomainRuntimeConfig(domainKey string) (*DomainRuntimeConfig, error) {
-	domainCfg, exists := domainStore.Get(domainKey)
-	if !exists {
-		return nil, fmt.Errorf("domain config not found for %q", domainKey)
-	}
+func buildDomainRuntimeConfig(config *common.AppConfig, domainConfig *common.DomainConfig) (*DomainRuntimeConfig, error) {
+	domainName := domainConfig.Domain.DomainName
 
-	domainName := domainCfg.GetString("Domain.domain_name")
-
-	email := config.GetString("Certificates.email")
+	email := config.Certificates.Email
 
 	// domain override data_root can be blank -> main fallback
-	dataRoot, err := EffectiveString(domainCfg, "Certificates.data_root")
-	if err != nil {
-		return nil, err
-	}
+	dataRoot := common.EffectiveDataRoot(config, domainConfig)
 
-	caDirURL := config.GetString("Certificates.ca_dir_url")
+	caDirURL := config.Certificates.CADirURL
 
-	expiry := domainCfg.GetInt("Certificates.expiry")
+	expiry := domainConfig.Certificates.Expiry
 
-	renewPeriod := domainCfg.GetInt("Certificates.renew_period")
+	renewPeriod := domainConfig.Certificates.RenewPeriod
 
-	requestMethod := domainCfg.GetString("Certificates.request_method")
+	requestMethod := domainConfig.Certificates.RequestMethod
 
-	subdomains := domainCfg.GetString("Certificates.subdomains")
-	subdomainArray := parseCSVLines(subdomains)
+	subdomainArray := domainConfig.Certificates.SubDomains
 
 	return &DomainRuntimeConfig{
 		DomainName:    domainName,
@@ -274,21 +266,6 @@ func buildDomainRuntimeConfig(domainKey string) (*DomainRuntimeConfig, error) {
 	}, nil
 }
 
-func parseCSVLines(raw string) []string {
-	// supports comma-separated and newline-separated lists
-	fields := strings.FieldsFunc(raw, func(r rune) bool {
-		return r == ',' || r == '\n' || r == '\r'
-	})
-	out := make([]string, 0, len(fields))
-	for _, f := range fields {
-		s := strings.TrimSpace(f)
-		if s != "" {
-			out = append(out, s)
-		}
-	}
-	return out
-}
-
 // If subdomains contains ["www","api"], returns ["example.com","www.example.com","api.example.com"].
 // If a subdomain entry looks like a full FQDN already, it is used as-is.
 func buildDomainList(baseDomain string, subs []string) []string {
@@ -344,11 +321,11 @@ func buildDomainList(baseDomain string, subs []string) []string {
 // Cloudflare env setup from main config
 // ---------------------------------------------
 
-func setCloudflareEnvFromMainConfig() (restore func(), err error) {
+func setCloudflareEnvFromMainConfig(config *common.AppConfig) (restore func(), err error) {
 	// Your current defaults show legacy email + API key fields.
 	// Prefer API tokens in the future if you add them. Cloudflare provider supports both styles. :contentReference[oaicite:3]{index=3}
-	cfEmail := config.GetString("Cloudflare.cf_email")
-	cfAPIKey := config.GetString("Cloudflare.cf_api_key")
+	cfEmail := config.Cloudflare.CFEmail
+	cfAPIKey := config.Cloudflare.CFAPIKey
 
 	// Save prior env values so we can restore them after provider creation.
 	prevEmail, hadEmail := os.LookupEnv("CLOUDFLARE_EMAIL")
@@ -388,8 +365,8 @@ func loadOrCreateACMEUser(accountRoot, email string) (*fileUser, error) {
 	accountJSON := filepath.Join(accountRoot, "account.json")
 	accountKey := filepath.Join(accountRoot, "account.key.pem")
 
-	jsonExists := fileExists(accountJSON)
-	keyExists := fileExists(accountKey)
+	jsonExists := common.FileExists(accountJSON)
+	keyExists := common.FileExists(accountKey)
 
 	switch {
 	case jsonExists && keyExists:
@@ -524,7 +501,7 @@ func (m *ACMEManager) saveCertFiles(domainKey string, res *certificate.Resource,
 		return errors.New("nil certificate resource")
 	}
 
-	base := SanitizeDomainKey(domainKey)
+	base := common.SanitizeDomainKey(domainKey)
 	dir := filepath.Join(m.CertsRoot, base)
 	if err := os.MkdirAll(dir, 0o700); err != nil {
 		return err
@@ -598,10 +575,13 @@ func (m *ACMEManager) saveCertFiles(domainKey string, res *certificate.Resource,
 }
 
 func (m *ACMEManager) loadStoredResource(domainKey string) (*certificate.Resource, error) {
-	base := SanitizeDomainKey(domainKey)
+	base := common.SanitizeDomainKey(domainKey)
 	dir := filepath.Join(m.CertsRoot, base)
 	raw, err := os.ReadFile(filepath.Join(dir, base+".json"))
 	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return nil, os.ErrNotExist
+		}
 		return nil, err
 	}
 
@@ -622,7 +602,7 @@ func (m *ACMEManager) loadStoredResource(domainKey string) (*certificate.Resourc
 }
 
 func (m *ACMEManager) loadMeta(domainKey string) (*StoredCertMeta, error) {
-	base := SanitizeDomainKey(domainKey)
+	base := common.SanitizeDomainKey(domainKey)
 	dir := filepath.Join(m.CertsRoot, base)
 	raw, err := os.ReadFile(filepath.Join(dir, base+".meta.json"))
 	if err != nil {

server/git.go

@@ -0,0 +1,156 @@
+package server
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"git.nevets.tech/Steven/certman/common"
+	"github.com/go-git/go-git/v5"
+	gitconf "github.com/go-git/go-git/v5/config"
+	"github.com/go-git/go-git/v5/plumbing/object"
+	"github.com/go-git/go-git/v5/plumbing/transport/http"
+)
+
+// serverIDFile is the filename inside the domain's git repo that records
+// which server (by config.App.UUID) owns the repo. Only the owning server
+// pushes to it; other servers must refuse.
+const serverIDFile = "SERVER_ID"
+
+// pushBranch is the branch server mode pushes to. The Gitea repo is created
+// with this as its default branch; the client tracks the same name.
+const pushBranch = "master"
+
+// CreateRepo provisions the domain's remote repo via the configured provider
+// and returns its clone URL.
+func CreateRepo(config *common.AppConfig, domainConfig *common.DomainConfig, domain string) (string, error) {
+	provider, err := common.ProviderFor(config)
+	if err != nil {
+		return "", err
+	}
+	return provider.CreateRepo(domain, domainConfig)
+}
+
+// VerifyOwnership reads SERVER_ID from the cloned workspace and compares it
+// against uuid. It returns:
+//
+//	(true,  nil)   — SERVER_ID matches uuid (we own this repo).
+//	(false, nil)   — SERVER_ID is missing (repo is unclaimed; safe to adopt).
+//	(false, err)   — SERVER_ID names a different server (refuse to push).
+//
+// The caller decides what to do with an unclaimed repo; adoption must be an
+// explicit decision, not a silent fall-through. AddAndPushCerts re-writes
+// SERVER_ID on every push, so the first successful push after adoption
+// claims the repo for this server.
+func VerifyOwnership(ws *common.GitWorkspace, uuid string) (bool, error) {
+	f, err := ws.FS.Open(serverIDFile)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, fmt.Errorf("open SERVER_ID: %w", err)
+	}
+	defer f.Close()
+
+	raw, err := io.ReadAll(f)
+	if err != nil {
+		return false, fmt.Errorf("read SERVER_ID: %w", err)
+	}
+	existing := strings.TrimSpace(string(raw))
+	if existing == uuid {
+		return true, nil
+	}
+	return false, fmt.Errorf("domain is owned by server %q", existing)
+}
+
+// AddAndPushCerts stages every *.crpt file from dataRoot into the workspace,
+// (re-)writes SERVER_ID with config.App.UUID, commits any resulting change,
+// and pushes to origin/<pushBranch>. If nothing changed the call is a no-op
+// and returns nil without pushing.
+func AddAndPushCerts(ws *common.GitWorkspace, dataRoot string, config *common.AppConfig) error {
+	if err := stageCerts(ws, dataRoot); err != nil {
+		return err
+	}
+	if err := stageFile(ws, serverIDFile, []byte(config.App.UUID)); err != nil {
+		return fmt.Errorf("stage SERVER_ID: %w", err)
+	}
+
+	status, err := ws.WorkTree.Status()
+	if err != nil {
+		return fmt.Errorf("get worktree status: %w", err)
+	}
+	if status.IsClean() {
+		return nil
+	}
+
+	sig := &object.Signature{
+		Name:  "Cert Manager",
+		Email: config.Certificates.Email,
+		When:  time.Now(),
+	}
+	msg := fmt.Sprintf("Update %s @ %s", ws.Domain, time.Now().Format("Mon Jan _2 2006 15:04:05 MST"))
+	if _, err := ws.WorkTree.Commit(msg, &git.CommitOptions{Author: sig, Committer: sig}); err != nil {
+		return fmt.Errorf("commit: %w", err)
+	}
+
+	err = ws.Repo.Push(&git.PushOptions{
+		Auth: &http.BasicAuth{
+			Username: config.Git.Username,
+			Password: config.Git.APIToken,
+		},
+		Force:      true,
+		RemoteName: "origin",
+		RefSpecs:   []gitconf.RefSpec{gitconf.RefSpec("refs/heads/" + pushBranch + ":refs/heads/" + pushBranch)},
+	})
+	if err != nil {
+		return fmt.Errorf("push %s: %w", ws.URL, err)
+	}
+	return nil
+}
+
+// stageCerts copies every *.crpt file in dataRoot into the workspace
+// filesystem and adds it to the work tree.
+func stageCerts(ws *common.GitWorkspace, dataRoot string) error {
+	entries, err := os.ReadDir(dataRoot)
+	if err != nil {
+		return fmt.Errorf("read %s: %w", dataRoot, err)
+	}
+	for _, entry := range entries {
+		name := entry.Name()
+		if !strings.HasSuffix(name, ".crpt") {
+			continue
+		}
+		body, err := os.ReadFile(filepath.Join(dataRoot, name))
+		if err != nil {
+			return fmt.Errorf("read %s: %w", name, err)
+		}
+		if err := stageFile(ws, name, body); err != nil {
+			return fmt.Errorf("stage %s: %w", name, err)
+		}
+	}
+	return nil
+}
+
+// stageFile writes body to name in the workspace filesystem and adds it to
+// the work tree. It is the single point where workspace-relative paths are
+// constructed, so Create and Add always agree on the path.
+func stageFile(ws *common.GitWorkspace, name string, body []byte) error {
+	f, err := ws.FS.Create(name)
+	if err != nil {
+		return fmt.Errorf("create: %w", err)
+	}
+	if _, err := f.Write(body); err != nil {
+		f.Close()
+		return fmt.Errorf("write: %w", err)
+	}
+	if err := f.Close(); err != nil {
+		return fmt.Errorf("close: %w", err)
+	}
+	if _, err := ws.WorkTree.Add(f.Name()); err != nil {
+		return fmt.Errorf("git add: %w", err)
+	}
+	return nil
+}

server/server.go

@@ -1,167 +0,0 @@
-package server
-
-import (
-	"fmt"
-	"log"
-	"path/filepath"
-	"sync"
-	"time"
-
-	"git.nevets.tech/Keys/CertManager/internal"
-	"github.com/go-git/go-billy/v5/memfs"
-	"github.com/go-git/go-git/v5/storage/memory"
-)
-
-var (
-	tickMu sync.Mutex
-	mgr    *internal.ACMEManager
-	mgrMu  sync.Mutex
-)
-
-func getACMEManager() (*internal.ACMEManager, error) {
-	mgrMu.Lock()
-	defer mgrMu.Unlock()
-
-	if mgr == nil {
-		var err error
-		mgr, err = internal.NewACMEManager()
-		if err != nil {
-			return nil, err
-		}
-	}
-	return mgr, nil
-}
-
-func Init() {
-	err := internal.LoadDomainConfigs()
-	if err != nil {
-		log.Fatalf("Error loading domain configs: %v", err)
-	}
-
-	Tick()
-}
-
-func Tick() {
-	tickMu.Lock()
-	defer tickMu.Unlock()
-	fmt.Println("Tick!")
-
-	var err error
-	mgr, err = getACMEManager()
-	if err != nil {
-		fmt.Printf("Error getting acme manager: %v\n", err)
-		return
-	}
-
-	now := time.Now().UTC()
-
-	localDomainConfigs := internal.DomainStore().Snapshot()
-
-	for domainStr, domainConfig := range localDomainConfigs {
-		if !domainConfig.GetBool("Domain.enabled") {
-			continue
-		}
-		renewPeriod := domainConfig.GetInt("Certificates.renew_period")
-		lastIssued := time.Unix(domainConfig.GetInt64("Internal.last_issued"), 0).UTC()
-		renewalDue := lastIssued.AddDate(0, 0, renewPeriod)
-		if now.After(renewalDue) {
-			//TODO extra check if certificate expiry (create cache?)
-			_, err = mgr.RenewForDomain(domainStr)
-			if err != nil {
-				// if no existing cert, obtain instead
-				_, err = mgr.ObtainForDomain(domainStr)
-				if err != nil {
-					fmt.Printf("Error obtaining domain certificates for domain %s: %v\n", domainStr, err)
-					continue
-				}
-			}
-
-			domainConfig.Set("Internal.last_issued", time.Now().UTC().Unix())
-			err = internal.WriteDomainConfig(domainConfig)
-			if err != nil {
-				fmt.Printf("Error saving domain config %s: %v\n", domainStr, err)
-				continue
-			}
-
-			err = internal.EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.CertsRoot, domainStr, domainStr+".crt"), filepath.Join(mgr.CertsRoot, domainStr, domainStr+".crt.crpt"), nil)
-			if err != nil {
-				fmt.Printf("Error encrypting domain cert for domain %s: %v\n", domainStr, err)
-				continue
-			}
-			err = internal.EncryptFileXChaCha(domainConfig.GetString("Certificates.crypto_key"), filepath.Join(mgr.CertsRoot, domainStr, domainStr+".key"), filepath.Join(mgr.CertsRoot, domainStr, domainStr+".key.crpt"), nil)
-			if err != nil {
-				fmt.Printf("Error encrypting domain key for domain %s: %v\n", domainStr, err)
-				continue
-			}
-
-			giteaClient := internal.CreateGiteaClient()
-			if giteaClient == nil {
-				fmt.Printf("Error creating gitea client for domain %s: %v\n", domainStr, err)
-				continue
-			}
-			gitWorkspace := &internal.GitWorkspace{
-				Storage: memory.NewStorage(),
-				FS:      memfs.New(),
-			}
-
-			var repoUrl string
-			if !domainConfig.GetBool("Internal.repo_exists") {
-				repoUrl = internal.CreateGiteaRepo(domainStr, giteaClient)
-				if repoUrl == "" {
-					fmt.Printf("Error creating Gitea repo for domain %s\n", domainStr)
-					continue
-				}
-				domainConfig.Set("Internal.repo_exists", true)
-				err = internal.WriteDomainConfig(domainConfig)
-				if err != nil {
-					fmt.Printf("Error saving domain config %s: %v\n", domainStr, err)
-					continue
-				}
-
-				err = internal.InitRepo(repoUrl, gitWorkspace)
-				if err != nil {
-					fmt.Printf("Error initializing repo for domain %s: %v\n", domainStr, err)
-					continue
-				}
-			} else {
-				repoUrl = internal.Config().GetString("Git.server") + "/" + internal.Config().GetString("Git.org_name") + "/" + domainStr + domainConfig.GetString("Repo.repo_suffix") + ".git"
-				err = internal.CloneRepo(repoUrl, gitWorkspace, internal.Server)
-				if err != nil {
-					fmt.Printf("Error cloning repo for domain %s: %v\n", domainStr, err)
-					continue
-				}
-			}
-
-			err = internal.AddAndPushCerts(domainStr, gitWorkspace)
-			if err != nil {
-				fmt.Printf("Error pushing certificates for domain %s: %v\n", domainStr, err)
-				continue
-			}
-			fmt.Printf("Successfully pushed certificates for domain %s\n", domainStr)
-		}
-	}
-	err = internal.SaveDomainConfigs()
-	if err != nil {
-		fmt.Printf("Error saving domain configs: %v\n", err)
-	}
-}
-
-func Reload() {
-	fmt.Println("Reloading configs...")
-	err := internal.LoadDomainConfigs()
-
-	if err != nil {
-		fmt.Printf("Error loading domain configs: %v\n", err)
-		return
-	}
-
-	mgrMu.Lock()
-	mgr = nil
-	mgrMu.Unlock()
-
-	fmt.Println("Successfully reloaded configs")
-}
-
-func Stop() {
-	fmt.Println("Shutting down server")
-}