Add config file and rework cli parsing and passing of config values (#263)

Co-authored-by: 6543 <6543@obermui.de>
Reviewed-on: https://codeberg.org/Codeberg/pages-server/pulls/263
Reviewed-by: 6543 <6543@obermui.de>
Co-authored-by: crapStone <me@crapstone.dev>
Co-committed-by: crapStone <me@crapstone.dev>

server/acme/client.go

@@ -0,0 +1,26 @@
+package acme
+
+import (
+	"errors"
+	"fmt"
+
+	"codeberg.org/codeberg/pages/config"
+	"codeberg.org/codeberg/pages/server/cache"
+	"codeberg.org/codeberg/pages/server/certificates"
+)
+
+var ErrAcmeMissConfig = errors.New("ACME client has wrong config")
+
+func CreateAcmeClient(cfg config.ACMEConfig, enableHTTPServer bool, challengeCache cache.ICache) (*certificates.AcmeClient, error) {
+	// check config
+	if (!cfg.AcceptTerms || cfg.DNSProvider == "") && cfg.APIEndpoint != "https://acme.mock.directory" {
+		return nil, fmt.Errorf("%w: you must set $ACME_ACCEPT_TERMS and $DNS_PROVIDER, unless $ACME_API is set to https://acme.mock.directory", ErrAcmeMissConfig)
+	}
+	if cfg.EAB_HMAC != "" && cfg.EAB_KID == "" {
+		return nil, fmt.Errorf("%w: ACME_EAB_HMAC also needs ACME_EAB_KID to be set", ErrAcmeMissConfig)
+	} else if cfg.EAB_HMAC == "" && cfg.EAB_KID != "" {
+		return nil, fmt.Errorf("%w: ACME_EAB_KID also needs ACME_EAB_HMAC to be set", ErrAcmeMissConfig)
+	}
+
+	return certificates.NewAcmeClient(cfg, enableHTTPServer, challengeCache)
+}

server/cache/interface.go

@@ -2,7 +2,8 @@ package cache
 
 import "time"
 
-type SetGetKey interface {
+// ICache is an interface that defines how the pages server interacts with the cache.
+type ICache interface {
 	Set(key string, value interface{}, ttl time.Duration) error
 	Get(key string) (interface{}, bool)
 	Remove(key string)

server/cache/memory.go

@@ -2,6 +2,6 @@ package cache
 
 import "github.com/OrlovEvgeny/go-mcache"
 
-func NewKeyValueCache() SetGetKey {
+func NewInMemoryCache() ICache {
 	return mcache.New()
 }

server/certificates/acme_client.go

@@ -10,6 +10,7 @@ import (
 	"github.com/reugn/equalizer"
 	"github.com/rs/zerolog/log"
 
+	"codeberg.org/codeberg/pages/config"
 	"codeberg.org/codeberg/pages/server/cache"
 )
 
@@ -28,8 +29,8 @@ type AcmeClient struct {
 	acmeClientCertificateLimitPerUser map[string]*equalizer.TokenBucket
 }
 
-func NewAcmeClient(acmeAccountConf, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, dnsProvider string, acmeAcceptTerms, enableHTTPServer, acmeUseRateLimits bool, challengeCache cache.SetGetKey) (*AcmeClient, error) {
-	acmeConfig, err := setupAcmeConfig(acmeAccountConf, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, acmeAcceptTerms)
+func NewAcmeClient(cfg config.ACMEConfig, enableHTTPServer bool, challengeCache cache.ICache) (*AcmeClient, error) {
+	acmeConfig, err := setupAcmeConfig(cfg)
 	if err != nil {
 		return nil, err
 	}
@@ -54,7 +55,7 @@ func NewAcmeClient(acmeAccountConf, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID,
 	if err != nil {
 		log.Error().Err(err).Msg("Can't create ACME client, continuing with mock certs only")
 	} else {
-		if dnsProvider == "" {
+		if cfg.DNSProvider == "" {
 			// using mock server, don't use wildcard certs
 			err := mainDomainAcmeClient.Challenge.SetTLSALPN01Provider(AcmeTLSChallengeProvider{challengeCache})
 			if err != nil {
@@ -62,7 +63,7 @@ func NewAcmeClient(acmeAccountConf, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID,
 			}
 		} else {
 			// use DNS-Challenge https://go-acme.github.io/lego/dns/
-			provider, err := dns.NewDNSChallengeProviderByName(dnsProvider)
+			provider, err := dns.NewDNSChallengeProviderByName(cfg.DNSProvider)
 			if err != nil {
 				return nil, fmt.Errorf("can not create DNS Challenge provider: %w", err)
 			}
@@ -76,7 +77,7 @@ func NewAcmeClient(acmeAccountConf, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID,
 		legoClient:              acmeClient,
 		dnsChallengerLegoClient: mainDomainAcmeClient,
 
-		acmeUseRateLimits: acmeUseRateLimits,
+		acmeUseRateLimits: cfg.UseRateLimits,
 
 		obtainLocks: sync.Map{},
 

server/certificates/acme_config.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"os"
 
+	"codeberg.org/codeberg/pages/config"
 	"github.com/go-acme/lego/v4/certcrypto"
 	"github.com/go-acme/lego/v4/lego"
 	"github.com/go-acme/lego/v4/registration"
@@ -16,21 +17,27 @@ import (
 
 const challengePath = "/.well-known/acme-challenge/"
 
-func setupAcmeConfig(configFile, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID string, acmeAcceptTerms bool) (*lego.Config, error) {
+func setupAcmeConfig(cfg config.ACMEConfig) (*lego.Config, error) {
 	var myAcmeAccount AcmeAccount
 	var myAcmeConfig *lego.Config
 
-	if account, err := os.ReadFile(configFile); err == nil {
-		log.Info().Msgf("found existing acme account config file '%s'", configFile)
+	if cfg.AccountConfigFile == "" {
+		return nil, fmt.Errorf("invalid acme config file: '%s'", cfg.AccountConfigFile)
+	}
+
+	if account, err := os.ReadFile(cfg.AccountConfigFile); err == nil {
+		log.Info().Msgf("found existing acme account config file '%s'", cfg.AccountConfigFile)
 		if err := json.Unmarshal(account, &myAcmeAccount); err != nil {
 			return nil, err
 		}
+
 		myAcmeAccount.Key, err = certcrypto.ParsePEMPrivateKey([]byte(myAcmeAccount.KeyPEM))
 		if err != nil {
 			return nil, err
 		}
+
 		myAcmeConfig = lego.NewConfig(&myAcmeAccount)
-		myAcmeConfig.CADirURL = acmeAPI
+		myAcmeConfig.CADirURL = cfg.APIEndpoint
 		myAcmeConfig.Certificate.KeyType = certcrypto.RSA2048
 
 		// Validate Config
@@ -39,6 +46,7 @@ func setupAcmeConfig(configFile, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID stri
 			log.Info().Err(err).Msg("config validation failed, you might just delete the config file and let it recreate")
 			return nil, fmt.Errorf("acme config validation failed: %w", err)
 		}
+
 		return myAcmeConfig, nil
 	} else if !os.IsNotExist(err) {
 		return nil, err
@@ -51,20 +59,20 @@ func setupAcmeConfig(configFile, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID stri
 		return nil, err
 	}
 	myAcmeAccount = AcmeAccount{
-		Email:  acmeMail,
+		Email:  cfg.Email,
 		Key:    privateKey,
 		KeyPEM: string(certcrypto.PEMEncode(privateKey)),
 	}
 	myAcmeConfig = lego.NewConfig(&myAcmeAccount)
-	myAcmeConfig.CADirURL = acmeAPI
+	myAcmeConfig.CADirURL = cfg.APIEndpoint
 	myAcmeConfig.Certificate.KeyType = certcrypto.RSA2048
 	tempClient, err := lego.NewClient(myAcmeConfig)
 	if err != nil {
 		log.Error().Err(err).Msg("Can't create ACME client, continuing with mock certs only")
 	} else {
 		// accept terms & log in to EAB
-		if acmeEabKID == "" || acmeEabHmac == "" {
-			reg, err := tempClient.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: acmeAcceptTerms})
+		if cfg.EAB_KID == "" || cfg.EAB_HMAC == "" {
+			reg, err := tempClient.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: cfg.AcceptTerms})
 			if err != nil {
 				log.Error().Err(err).Msg("Can't register ACME account, continuing with mock certs only")
 			} else {
@@ -72,9 +80,9 @@ func setupAcmeConfig(configFile, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID stri
 			}
 		} else {
 			reg, err := tempClient.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
-				TermsOfServiceAgreed: acmeAcceptTerms,
-				Kid:                  acmeEabKID,
-				HmacEncoded:          acmeEabHmac,
+				TermsOfServiceAgreed: cfg.AcceptTerms,
+				Kid:                  cfg.EAB_KID,
+				HmacEncoded:          cfg.EAB_HMAC,
 			})
 			if err != nil {
 				log.Error().Err(err).Msg("Can't register ACME account, continuing with mock certs only")
@@ -89,8 +97,8 @@ func setupAcmeConfig(configFile, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID stri
 				log.Error().Err(err).Msg("json.Marshalfailed, waiting for manual restart to avoid rate limits")
 				select {}
 			}
-			log.Info().Msgf("new acme account created. write to config file '%s'", configFile)
-			err = os.WriteFile(configFile, acmeAccountJSON, 0o600)
+			log.Info().Msgf("new acme account created. write to config file '%s'", cfg.AccountConfigFile)
+			err = os.WriteFile(cfg.AccountConfigFile, acmeAccountJSON, 0o600)
 			if err != nil {
 				log.Error().Err(err).Msg("os.WriteFile failed, waiting for manual restart to avoid rate limits")
 				select {}

server/certificates/cached_challengers.go

@@ -15,7 +15,7 @@ import (
 )
 
 type AcmeTLSChallengeProvider struct {
-	challengeCache cache.SetGetKey
+	challengeCache cache.ICache
 }
 
 // make sure AcmeTLSChallengeProvider match Provider interface
@@ -31,7 +31,7 @@ func (a AcmeTLSChallengeProvider) CleanUp(domain, _, _ string) error {
 }
 
 type AcmeHTTPChallengeProvider struct {
-	challengeCache cache.SetGetKey
+	challengeCache cache.ICache
 }
 
 // make sure AcmeHTTPChallengeProvider match Provider interface
@@ -46,7 +46,7 @@ func (a AcmeHTTPChallengeProvider) CleanUp(domain, token, _ string) error {
 	return nil
 }
 
-func SetupHTTPACMEChallengeServer(challengeCache cache.SetGetKey, sslPort uint) http.HandlerFunc {
+func SetupHTTPACMEChallengeServer(challengeCache cache.ICache, sslPort uint) http.HandlerFunc {
 	// handle custom-ssl-ports to be added on https redirects
 	portPart := ""
 	if sslPort != 443 {

server/certificates/certificates.go

@@ -31,7 +31,7 @@ func TLSConfig(mainDomainSuffix string,
 	giteaClient *gitea.Client,
 	acmeClient *AcmeClient,
 	firstDefaultBranch string,
-	keyCache, challengeCache, dnsLookupCache, canonicalDomainCache cache.SetGetKey,
+	keyCache, challengeCache, dnsLookupCache, canonicalDomainCache cache.ICache,
 	certDB database.CertDB,
 ) *tls.Config {
 	return &tls.Config{

server/dns/dns.go

@@ -15,7 +15,7 @@ var defaultPagesRepo = "pages"
 
 // GetTargetFromDNS searches for CNAME or TXT entries on the request domain ending with MainDomainSuffix.
 // If everything is fine, it returns the target data.
-func GetTargetFromDNS(domain, mainDomainSuffix, firstDefaultBranch string, dnsLookupCache cache.SetGetKey) (targetOwner, targetRepo, targetBranch string) {
+func GetTargetFromDNS(domain, mainDomainSuffix, firstDefaultBranch string, dnsLookupCache cache.ICache) (targetOwner, targetRepo, targetBranch string) {
 	// Get CNAME or TXT
 	var cname string
 	var err error

server/gitea/cache.go

@@ -74,7 +74,7 @@ type writeCacheReader struct {
 	buffer         *bytes.Buffer
 	rileResponse   *FileResponse
 	cacheKey       string
-	cache          cache.SetGetKey
+	cache          cache.ICache
 	hasError       bool
 }
 
@@ -99,7 +99,7 @@ func (t *writeCacheReader) Close() error {
 	return t.originalReader.Close()
 }
 
-func (f FileResponse) CreateCacheReader(r io.ReadCloser, cache cache.SetGetKey, cacheKey string) io.ReadCloser {
+func (f FileResponse) CreateCacheReader(r io.ReadCloser, cache cache.ICache, cacheKey string) io.ReadCloser {
 	if r == nil || cache == nil || cacheKey == "" {
 		log.Error().Msg("could not create CacheReader")
 		return nil

server/gitea/client.go

@@ -16,6 +16,7 @@ import (
 	"code.gitea.io/sdk/gitea"
 	"github.com/rs/zerolog/log"
 
+	"codeberg.org/codeberg/pages/config"
 	"codeberg.org/codeberg/pages/server/cache"
 	"codeberg.org/codeberg/pages/server/version"
 )
@@ -44,7 +45,7 @@ const (
 
 type Client struct {
 	sdkClient     *gitea.Client
-	responseCache cache.SetGetKey
+	responseCache cache.ICache
 
 	giteaRoot string
 
@@ -55,24 +56,21 @@ type Client struct {
 	defaultMimeType    string
 }
 
-func NewClient(giteaRoot, giteaAPIToken string, respCache cache.SetGetKey, followSymlinks, supportLFS bool) (*Client, error) {
-	rootURL, err := url.Parse(giteaRoot)
+func NewClient(cfg config.GiteaConfig, respCache cache.ICache) (*Client, error) {
+	rootURL, err := url.Parse(cfg.Root)
 	if err != nil {
 		return nil, err
 	}
-	giteaRoot = strings.Trim(rootURL.String(), "/")
+	giteaRoot := strings.Trim(rootURL.String(), "/")
 
 	stdClient := http.Client{Timeout: 10 * time.Second}
 
-	// TODO: pass down
-	var (
-		forbiddenMimeTypes map[string]bool
-		defaultMimeType    string
-	)
-
-	if forbiddenMimeTypes == nil {
-		forbiddenMimeTypes = make(map[string]bool)
+	forbiddenMimeTypes := make(map[string]bool, len(cfg.ForbiddenMimeTypes))
+	for _, mimeType := range cfg.ForbiddenMimeTypes {
+		forbiddenMimeTypes[mimeType] = true
 	}
+
+	defaultMimeType := cfg.DefaultMimeType
 	if defaultMimeType == "" {
 		defaultMimeType = "application/octet-stream"
 	}
@@ -80,7 +78,7 @@ func NewClient(giteaRoot, giteaAPIToken string, respCache cache.SetGetKey, follo
 	sdk, err := gitea.NewClient(
 		giteaRoot,
 		gitea.SetHTTPClient(&stdClient),
-		gitea.SetToken(giteaAPIToken),
+		gitea.SetToken(cfg.Token),
 		gitea.SetUserAgent("pages-server/"+version.Version),
 	)
 
@@ -90,8 +88,8 @@ func NewClient(giteaRoot, giteaAPIToken string, respCache cache.SetGetKey, follo
 
 		giteaRoot: giteaRoot,
 
-		followSymlinks: followSymlinks,
-		supportLFS:     supportLFS,
+		followSymlinks: cfg.FollowSymlinks,
+		supportLFS:     cfg.LFSEnabled,
 
 		forbiddenMimeTypes: forbiddenMimeTypes,
 		defaultMimeType:    defaultMimeType,

server/handler/handler.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/rs/zerolog/log"
 
+	"codeberg.org/codeberg/pages/config"
 	"codeberg.org/codeberg/pages/html"
 	"codeberg.org/codeberg/pages/server/cache"
 	"codeberg.org/codeberg/pages/server/context"
@@ -19,11 +20,10 @@ const (
 )
 
 // Handler handles a single HTTP request to the web server.
-func Handler(mainDomainSuffix, rawDomain string,
+func Handler(
+	cfg config.ServerConfig,
 	giteaClient *gitea.Client,
-	blacklistedPaths, allowedCorsDomains []string,
-	defaultPagesBranches []string,
-	dnsLookupCache, canonicalDomainCache, redirectsCache cache.SetGetKey,
+	dnsLookupCache, canonicalDomainCache, redirectsCache cache.ICache,
 ) http.HandlerFunc {
 	return func(w http.ResponseWriter, req *http.Request) {
 		log := log.With().Strs("Handler", []string{req.Host, req.RequestURI}).Logger()
@@ -39,8 +39,8 @@ func Handler(mainDomainSuffix, rawDomain string,
 
 		trimmedHost := ctx.TrimHostPort()
 
-		// Add HSTS for RawDomain and MainDomainSuffix
-		if hsts := getHSTSHeader(trimmedHost, mainDomainSuffix, rawDomain); hsts != "" {
+		// Add HSTS for RawDomain and MainDomain
+		if hsts := getHSTSHeader(trimmedHost, cfg.MainDomain, cfg.RawDomain); hsts != "" {
 			ctx.RespWriter.Header().Set("Strict-Transport-Security", hsts)
 		}
 
@@ -62,7 +62,7 @@ func Handler(mainDomainSuffix, rawDomain string,
 		}
 
 		// Block blacklisted paths (like ACME challenges)
-		for _, blacklistedPath := range blacklistedPaths {
+		for _, blacklistedPath := range cfg.BlacklistedPaths {
 			if strings.HasPrefix(ctx.Path(), blacklistedPath) {
 				html.ReturnErrorPage(ctx, "requested path is blacklisted", http.StatusForbidden)
 				return
@@ -71,7 +71,7 @@ func Handler(mainDomainSuffix, rawDomain string,
 
 		// Allow CORS for specified domains
 		allowCors := false
-		for _, allowedCorsDomain := range allowedCorsDomains {
+		for _, allowedCorsDomain := range cfg.AllowedCorsDomains {
 			if strings.EqualFold(trimmedHost, allowedCorsDomain) {
 				allowCors = true
 				break
@@ -85,28 +85,28 @@ func Handler(mainDomainSuffix, rawDomain string,
 		// Prepare request information to Gitea
 		pathElements := strings.Split(strings.Trim(ctx.Path(), "/"), "/")
 
-		if rawDomain != "" && strings.EqualFold(trimmedHost, rawDomain) {
+		if cfg.RawDomain != "" && strings.EqualFold(trimmedHost, cfg.RawDomain) {
 			log.Debug().Msg("raw domain request detected")
 			handleRaw(log, ctx, giteaClient,
-				mainDomainSuffix,
+				cfg.MainDomain,
 				trimmedHost,
 				pathElements,
 				canonicalDomainCache, redirectsCache)
-		} else if strings.HasSuffix(trimmedHost, mainDomainSuffix) {
+		} else if strings.HasSuffix(trimmedHost, cfg.MainDomain) {
 			log.Debug().Msg("subdomain request detected")
 			handleSubDomain(log, ctx, giteaClient,
-				mainDomainSuffix,
-				defaultPagesBranches,
+				cfg.MainDomain,
+				cfg.PagesBranches,
 				trimmedHost,
 				pathElements,
 				canonicalDomainCache, redirectsCache)
 		} else {
 			log.Debug().Msg("custom domain request detected")
 			handleCustomDomain(log, ctx, giteaClient,
-				mainDomainSuffix,
+				cfg.MainDomain,
 				trimmedHost,
 				pathElements,
-				defaultPagesBranches[0],
+				cfg.PagesBranches[0],
 				dnsLookupCache, canonicalDomainCache, redirectsCache)
 		}
 	}

server/handler/handler_custom_domain.go

@@ -19,7 +19,7 @@ func handleCustomDomain(log zerolog.Logger, ctx *context.Context, giteaClient *g
 	trimmedHost string,
 	pathElements []string,
 	firstDefaultBranch string,
-	dnsLookupCache, canonicalDomainCache, redirectsCache cache.SetGetKey,
+	dnsLookupCache, canonicalDomainCache, redirectsCache cache.ICache,
 ) {
 	// Serve pages from custom domains
 	targetOwner, targetRepo, targetBranch := dns.GetTargetFromDNS(trimmedHost, mainDomainSuffix, firstDefaultBranch, dnsLookupCache)

server/handler/handler_raw_domain.go

@@ -19,7 +19,7 @@ func handleRaw(log zerolog.Logger, ctx *context.Context, giteaClient *gitea.Clie
 	mainDomainSuffix string,
 	trimmedHost string,
 	pathElements []string,
-	canonicalDomainCache, redirectsCache cache.SetGetKey,
+	canonicalDomainCache, redirectsCache cache.ICache,
 ) {
 	// Serve raw content from RawDomain
 	log.Debug().Msg("raw domain")

server/handler/handler_sub_domain.go

@@ -21,7 +21,7 @@ func handleSubDomain(log zerolog.Logger, ctx *context.Context, giteaClient *gite
 	defaultPagesBranches []string,
 	trimmedHost string,
 	pathElements []string,
-	canonicalDomainCache, redirectsCache cache.SetGetKey,
+	canonicalDomainCache, redirectsCache cache.ICache,
 ) {
 	// Serve pages from subdomains of MainDomainSuffix
 	log.Debug().Msg("main domain suffix")

server/handler/handler_test.go

@@ -6,23 +6,30 @@ import (
 	"testing"
 	"time"
 
+	"codeberg.org/codeberg/pages/config"
 	"codeberg.org/codeberg/pages/server/cache"
 	"codeberg.org/codeberg/pages/server/gitea"
 	"github.com/rs/zerolog/log"
 )
 
 func TestHandlerPerformance(t *testing.T) {
-	giteaClient, _ := gitea.NewClient("https://codeberg.org", "", cache.NewKeyValueCache(), false, false)
-	testHandler := Handler(
-		"codeberg.page", "raw.codeberg.org",
-		giteaClient,
-		[]string{"/.well-known/acme-challenge/"},
-		[]string{"raw.codeberg.org", "fonts.codeberg.org", "design.codeberg.org"},
-		[]string{"pages"},
-		cache.NewKeyValueCache(),
-		cache.NewKeyValueCache(),
-		cache.NewKeyValueCache(),
-	)
+	cfg := config.GiteaConfig{
+		Root:           "https://codeberg.org",
+		Token:          "",
+		LFSEnabled:     false,
+		FollowSymlinks: false,
+	}
+	giteaClient, _ := gitea.NewClient(cfg, cache.NewInMemoryCache())
+	serverCfg := config.ServerConfig{
+		MainDomain: "codeberg.page",
+		RawDomain:  "raw.codeberg.page",
+		BlacklistedPaths: []string{
+			"/.well-known/acme-challenge/",
+		},
+		AllowedCorsDomains: []string{"raw.codeberg.org", "fonts.codeberg.org", "design.codeberg.org"},
+		PagesBranches:      []string{"pages"},
+	}
+	testHandler := Handler(serverCfg, giteaClient, cache.NewInMemoryCache(), cache.NewInMemoryCache(), cache.NewInMemoryCache())
 
 	testCase := func(uri string, status int) {
 		t.Run(uri, func(t *testing.T) {

server/handler/try.go

@@ -17,8 +17,8 @@ import (
 func tryUpstream(ctx *context.Context, giteaClient *gitea.Client,
 	mainDomainSuffix, trimmedHost string,
 	options *upstream.Options,
-	canonicalDomainCache cache.SetGetKey,
-	redirectsCache cache.SetGetKey,
+	canonicalDomainCache cache.ICache,
+	redirectsCache cache.ICache,
 ) {
 	// check if a canonical domain exists on a request on MainDomain
 	if strings.HasSuffix(trimmedHost, mainDomainSuffix) && !options.ServeRaw {

server/startup.go

@@ -0,0 +1,141 @@
+package server
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/urfave/cli/v2"
+
+	cmd "codeberg.org/codeberg/pages/cli"
+	"codeberg.org/codeberg/pages/config"
+	"codeberg.org/codeberg/pages/server/acme"
+	"codeberg.org/codeberg/pages/server/cache"
+	"codeberg.org/codeberg/pages/server/certificates"
+	"codeberg.org/codeberg/pages/server/gitea"
+	"codeberg.org/codeberg/pages/server/handler"
+)
+
+// Serve sets up and starts the web server.
+func Serve(ctx *cli.Context) error {
+	// initialize logger with Trace, overridden later with actual level
+	log.Logger = zerolog.New(zerolog.ConsoleWriter{Out: os.Stderr}).With().Timestamp().Logger().Level(zerolog.TraceLevel)
+
+	cfg, err := config.ReadConfig(ctx)
+	if err != nil {
+		log.Error().Err(err).Msg("could not read config")
+	}
+
+	config.MergeConfig(ctx, cfg)
+
+	// Initialize the logger.
+	logLevel, err := zerolog.ParseLevel(cfg.LogLevel)
+	if err != nil {
+		return err
+	}
+	log.Logger = zerolog.New(zerolog.ConsoleWriter{Out: os.Stderr}).With().Timestamp().Logger().Level(logLevel)
+
+	foo, _ := json.Marshal(cfg)
+	log.Trace().RawJSON("config", foo).Msg("starting server with config")
+
+	listeningSSLAddress := fmt.Sprintf("%s:%d", cfg.Server.Host, cfg.Server.Port)
+	listeningHTTPAddress := fmt.Sprintf("%s:%d", cfg.Server.Host, cfg.Server.HttpPort)
+
+	if cfg.Server.RawDomain != "" {
+		cfg.Server.AllowedCorsDomains = append(cfg.Server.AllowedCorsDomains, cfg.Server.RawDomain)
+	}
+
+	// Make sure MainDomain has a leading dot
+	if !strings.HasPrefix(cfg.Server.MainDomain, ".") {
+		// TODO make this better
+		cfg.Server.MainDomain = "." + cfg.Server.MainDomain
+	}
+
+	if len(cfg.Server.PagesBranches) == 0 {
+		return fmt.Errorf("no default branches set (PAGES_BRANCHES)")
+	}
+
+	// Init ssl cert database
+	certDB, closeFn, err := cmd.OpenCertDB(ctx)
+	if err != nil {
+		return err
+	}
+	defer closeFn()
+
+	keyCache := cache.NewInMemoryCache()
+	challengeCache := cache.NewInMemoryCache()
+	// canonicalDomainCache stores canonical domains
+	canonicalDomainCache := cache.NewInMemoryCache()
+	// dnsLookupCache stores DNS lookups for custom domains
+	dnsLookupCache := cache.NewInMemoryCache()
+	// redirectsCache stores redirects in _redirects files
+	redirectsCache := cache.NewInMemoryCache()
+	// clientResponseCache stores responses from the Gitea server
+	clientResponseCache := cache.NewInMemoryCache()
+
+	giteaClient, err := gitea.NewClient(cfg.Gitea, clientResponseCache)
+	if err != nil {
+		return fmt.Errorf("could not create new gitea client: %v", err)
+	}
+
+	acmeClient, err := acme.CreateAcmeClient(cfg.ACME, cfg.Server.HttpServerEnabled, challengeCache)
+	if err != nil {
+		return err
+	}
+
+	if err := certificates.SetupMainDomainCertificates(cfg.Server.MainDomain, acmeClient, certDB); err != nil {
+		return err
+	}
+
+	// Create listener for SSL connections
+	log.Info().Msgf("Create TCP listener for SSL on %s", listeningSSLAddress)
+	listener, err := net.Listen("tcp", listeningSSLAddress)
+	if err != nil {
+		return fmt.Errorf("couldn't create listener: %v", err)
+	}
+
+	// Setup listener for SSL connections
+	listener = tls.NewListener(listener, certificates.TLSConfig(
+		cfg.Server.MainDomain,
+		giteaClient,
+		acmeClient,
+		cfg.Server.PagesBranches[0],
+		keyCache, challengeCache, dnsLookupCache, canonicalDomainCache,
+		certDB,
+	))
+
+	interval := 12 * time.Hour
+	certMaintainCtx, cancelCertMaintain := context.WithCancel(context.Background())
+	defer cancelCertMaintain()
+	go certificates.MaintainCertDB(certMaintainCtx, interval, acmeClient, cfg.Server.MainDomain, certDB)
+
+	if cfg.Server.HttpServerEnabled {
+		// Create handler for http->https redirect and http acme challenges
+		httpHandler := certificates.SetupHTTPACMEChallengeServer(challengeCache, uint(cfg.Server.Port))
+
+		// Create listener for http and start listening
+		go func() {
+			log.Info().Msgf("Start HTTP server listening on %s", listeningHTTPAddress)
+			err := http.ListenAndServe(listeningHTTPAddress, httpHandler)
+			if err != nil {
+				log.Error().Err(err).Msg("Couldn't start HTTP server")
+			}
+		}()
+	}
+
+	// Create ssl handler based on settings
+	sslHandler := handler.Handler(cfg.Server, giteaClient, dnsLookupCache, canonicalDomainCache, redirectsCache)
+
+	// Start the ssl listener
+	log.Info().Msgf("Start SSL server using TCP listener on %s", listener.Addr())
+
+	return http.Serve(listener, sslHandler)
+}

server/upstream/domains.go

@@ -17,7 +17,7 @@ var canonicalDomainCacheTimeout = 15 * time.Minute
 const canonicalDomainConfig = ".domains"
 
 // CheckCanonicalDomain returns the canonical domain specified in the repo (using the `.domains` file).
-func (o *Options) CheckCanonicalDomain(giteaClient *gitea.Client, actualDomain, mainDomainSuffix string, canonicalDomainCache cache.SetGetKey) (domain string, valid bool) {
+func (o *Options) CheckCanonicalDomain(giteaClient *gitea.Client, actualDomain, mainDomainSuffix string, canonicalDomainCache cache.ICache) (domain string, valid bool) {
 	// Check if this request is cached.
 	if cachedValue, ok := canonicalDomainCache.Get(o.TargetOwner + "/" + o.TargetRepo + "/" + o.TargetBranch); ok {
 		domains := cachedValue.([]string)

server/upstream/redirects.go

@@ -23,7 +23,7 @@ var redirectsCacheTimeout = 10 * time.Minute
 const redirectsConfig = "_redirects"
 
 // getRedirects returns redirects specified in the _redirects file.
-func (o *Options) getRedirects(giteaClient *gitea.Client, redirectsCache cache.SetGetKey) []Redirect {
+func (o *Options) getRedirects(giteaClient *gitea.Client, redirectsCache cache.ICache) []Redirect {
 	var redirects []Redirect
 	cacheKey := o.TargetOwner + "/" + o.TargetRepo + "/" + o.TargetBranch
 
@@ -63,7 +63,7 @@ func (o *Options) getRedirects(giteaClient *gitea.Client, redirectsCache cache.S
 	return redirects
 }
 
-func (o *Options) matchRedirects(ctx *context.Context, giteaClient *gitea.Client, redirects []Redirect, redirectsCache cache.SetGetKey) (final bool) {
+func (o *Options) matchRedirects(ctx *context.Context, giteaClient *gitea.Client, redirects []Redirect, redirectsCache cache.ICache) (final bool) {
 	if len(redirects) > 0 {
 		for _, redirect := range redirects {
 			reqUrl := ctx.Req.RequestURI

server/upstream/upstream.go

@@ -53,7 +53,7 @@ type Options struct {
 }
 
 // Upstream requests a file from the Gitea API at GiteaRoot and writes it to the request context.
-func (o *Options) Upstream(ctx *context.Context, giteaClient *gitea.Client, redirectsCache cache.SetGetKey) bool {
+func (o *Options) Upstream(ctx *context.Context, giteaClient *gitea.Client, redirectsCache cache.ICache) bool {
 	log := log.With().Strs("upstream", []string{o.TargetOwner, o.TargetRepo, o.TargetBranch, o.TargetPath}).Logger()
 
 	if o.TargetOwner == "" || o.TargetRepo == "" {