first commit

2026-06-15 13:58:45 +01:00
commit c9868b2108
55 changed files with 11076 additions and 0 deletions
@@ -0,0 +1,24 @@
+# Build stage
+FROM golang:1.26 AS builder
+
+WORKDIR /app
+
+# Download dependencies first (layer cache)
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy source and build
+COPY . .
+
+ARG VERSION=dev
+RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w -X main.Version=${VERSION}" -o /keymanager-server ./cmd
+
+# Runtime stage
+FROM scratch
+
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /keymanager-server /keymanager-server
+
+EXPOSE 8080 9090
+
+ENTRYPOINT ["/keymanager-server"]
@@ -0,0 +1,71 @@
+package main
+
+import (
+	"log"
+	"os"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/mrhid6/keymanager/server/internal/api"
+	"github.com/mrhid6/keymanager/server/internal/db"
+	grpcserver "github.com/mrhid6/keymanager/server/internal/grpc"
+	"github.com/mrhid6/keymanager/server/internal/services"
+)
+
+func main() {
+	mongoURI := getEnv("MONGO_URI", "mongodb://localhost:27017")
+	dbName := getEnv("MONGO_DB", "keymanager")
+
+	if err := db.Connect(mongoURI, dbName); err != nil {
+		log.Fatalf("failed to connect to MongoDB: %v", err)
+	}
+	log.Println("connected to MongoDB")
+
+	// Background goroutine to mark offline servers
+	go func() {
+		ticker := time.NewTicker(2 * time.Minute)
+		defer ticker.Stop()
+		for range ticker.C {
+			if err := services.MarkOfflineServers(5 * time.Minute); err != nil {
+				log.Printf("mark offline error: %v", err)
+			}
+		}
+	}()
+
+	// Start gRPC server
+	go func() {
+		if err := grpcserver.StartGRPC(9090); err != nil {
+			log.Fatalf("gRPC server error: %v", err)
+		}
+	}()
+
+	// Start REST server
+	r := gin.Default()
+	r.Use(corsMiddleware())
+	api.RegisterRoutes(r)
+
+	log.Println("REST server listening on :8080")
+	if err := r.Run(":8080"); err != nil {
+		log.Fatalf("REST server error: %v", err)
+	}
+}
+
+func corsMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		c.Header("Access-Control-Allow-Origin", "*")
+		c.Header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
+		c.Header("Access-Control-Allow-Headers", "Content-Type, Authorization")
+		if c.Request.Method == "OPTIONS" {
+			c.AbortWithStatus(204)
+			return
+		}
+		c.Next()
+	}
+}
+
+func getEnv(key, fallback string) string {
+	if v := os.Getenv(key); v != "" {
+		return v
+	}
+	return fallback
+}
@@ -0,0 +1,47 @@
+module github.com/mrhid6/keymanager/server
+
+go 1.26
+
+require (
+	github.com/gin-gonic/gin v1.10.0
+	github.com/google/uuid v1.6.0
+	go.mongodb.org/mongo-driver/v2 v2.2.2
+	google.golang.org/grpc v1.64.0
+)
+
+require (
+	github.com/bytedance/sonic v1.11.6 // indirect
+	github.com/bytedance/sonic/loader v0.1.1 // indirect
+	github.com/cloudwego/base64x v0.1.4 // indirect
+	github.com/cloudwego/iasm v0.2.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
+	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-playground/validator/v10 v10.20.0 // indirect
+	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/golang/snappy v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.16.7 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.7 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/ugorji/go/codec v1.2.12 // indirect
+	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
+	github.com/xdg-go/scram v1.1.2 // indirect
+	github.com/xdg-go/stringprep v1.0.4 // indirect
+	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
+	golang.org/x/arch v0.8.0 // indirect
+	golang.org/x/crypto v0.33.0 // indirect
+	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/sync v0.11.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240521202816-d264139d666e // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)
@@ -0,0 +1,133 @@
+github.com/bytedance/sonic v1.11.6 h1:oUp34TzMlL+OY1OUWxHqsdkgC/Zfc85zGqw9siXjrc0=
+github.com/bytedance/sonic v1.11.6/go.mod h1:LysEHSvpvDySVdC2f87zGWf6CIKJcAvqab1ZaiQtds4=
+github.com/bytedance/sonic/loader v0.1.1 h1:c+e5Pt1k/cy5wMveRDyk2X4B9hF4g7an8N3zCYjJFNM=
+github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
+github.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/0Y=
+github.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
+github.com/cloudwego/iasm v0.2.0 h1:1KNIy1I1H9hNNFEEH3DVnI4UujN+1zjpuk6gwHLTssg=
+github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0=
+github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk=
+github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
+github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
+github.com/gin-gonic/gin v1.10.0 h1:nTuyha1TYqgedzytsKYqna+DfLos46nTv2ygFy86HFU=
+github.com/gin-gonic/gin v1.10.0/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
+github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
+github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
+github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
+github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
+github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
+github.com/go-playground/validator/v10 v10.20.0 h1:K9ISHbSaI0lyB2eWMPJo+kOS/FBExVwjEviJTixqxL8=
+github.com/go-playground/validator/v10 v10.20.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
+github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
+github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/golang/snappy v1.0.0 h1:Oy607GVXHs7RtbggtPBnr2RmDArIsAefDwvrdWvRhGs=
+github.com/golang/snappy v1.0.0/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/klauspost/compress v1.16.7 h1:2mk3MPGNzKyxErAw8YaohYh69+pa4sIQSC0fPGCFR9I=
+github.com/klauspost/compress v1.16.7/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
+github.com/klauspost/cpuid/v2 v2.2.7 h1:ZWSB3igEs+d0qvnxR/ZBzXVmxkgt8DdzP6m9pfuVLDM=
+github.com/klauspost/cpuid/v2 v2.2.7/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
+github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M=
+github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
+github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=
+github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
+github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
+github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
+github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
+github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
+github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
+github.com/xdg-go/scram v1.1.2 h1:FHX5I5B4i4hKRVRBCFRxq1iQRej7WO3hhBuJf+UUySY=
+github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4=
+github.com/xdg-go/stringprep v1.0.4 h1:XLI/Ng3O1Atzq0oBs3TWm+5ZVgkq2aqdlvP9JtoZ6c8=
+github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM=
+github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
+github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.mongodb.org/mongo-driver/v2 v2.2.2 h1:9cYuS3fl1Xhqwpfazso10V7BHQD58kCgtzhfAmJYz9c=
+go.mongodb.org/mongo-driver/v2 v2.2.2/go.mod h1:qQkDMhCGWl3FN509DfdPd4GRBLU/41zqF/k8eTRceps=
+golang.org/x/arch v0.0.0-20210923205945-b76863e36670/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
+golang.org/x/arch v0.8.0 h1:3wRIsP3pM4yUptoR96otTUOXI367OS0+c9eeRi9doIc=
+golang.org/x/arch v0.8.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
+golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240521202816-d264139d666e h1:Elxv5MwEkCI9f5SkoL6afed6NTdxaGoAo39eANBwHL8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240521202816-d264139d666e/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0=
+google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY=
+google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+nullprogram.com/x/optparse v1.0.0/go.mod h1:KdyPE+Igbe0jQUrVfMqDMeJQIJZEuyV7pjYmp6pbG50=
+rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
@@ -0,0 +1,293 @@
+package api
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+
+	"github.com/gin-gonic/gin"
+	"github.com/mrhid6/keymanager/server/internal/models"
+	"github.com/mrhid6/keymanager/server/internal/services"
+)
+
+func RegisterRoutes(r *gin.Engine) {
+	r.GET("/install", handleInstallScript)
+
+	api := r.Group("/api")
+	{
+		api.GET("/servers", listServers)
+		api.POST("/servers", createServer)
+		api.GET("/servers/new", newServer)
+		api.POST("/servers/new", newServer)
+		api.GET("/servers/:id", getServer)
+		api.DELETE("/servers/:id", deleteServer)
+		api.POST("/servers/:id/generate-key", generateKey)
+
+		api.GET("/keys", listKeys)
+		api.POST("/keys", createKey)
+		api.GET("/keys/:id", getKey)
+		api.POST("/keys/:id/assign", assignKey)
+		api.DELETE("/keys/:id/assign/:serverId", revokeAssignment)
+	}
+}
+
+func listServers(c *gin.Context) {
+	servers, err := services.ListServers()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, servers)
+}
+
+func createServer(c *gin.Context) {
+	s, token, err := services.CreateServer()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusCreated, gin.H{
+		"server":    s,
+		"token":     token,
+		"server_id": s.ServerID,
+	})
+}
+
+func newServer(c *gin.Context) {
+	s, token, err := services.CreateServer()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	giteaHost := os.Getenv("GITEA_HOST")
+	if giteaHost == "" {
+		giteaHost = "gitea.example.com"
+	}
+	host := os.Getenv("PUBLIC_HOST")
+	if host == "" {
+		host = "keymanager.example.com"
+	}
+
+	installCmd := fmt.Sprintf(
+		`curl -fsSL "https://%s/install?server_id=%s&token=%s" | bash`,
+		host, s.ServerID, token,
+	)
+
+	c.JSON(http.StatusOK, gin.H{
+		"server_id":       s.ServerID,
+		"pre_reg_token":   token,
+		"install_command": installCmd,
+	})
+}
+
+func getServer(c *gin.Context) {
+	id := c.Param("id")
+	s, err := services.GetServer(id)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "server not found"})
+		return
+	}
+
+	assignments, _ := services.GetAssignmentsWithKeysForServer(id)
+
+	// Build response matching ServerWithKeys shape expected by frontend
+	type serverResponse struct {
+		*models.Server
+		Keys interface{} `json:"keys"`
+	}
+	c.JSON(http.StatusOK, serverResponse{
+		Server: s,
+		Keys:   assignments,
+	})
+}
+
+func deleteServer(c *gin.Context) {
+	id := c.Param("id")
+	if err := services.DeleteServer(id); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{"deleted": true})
+}
+
+func generateKey(c *gin.Context) {
+	// The agent triggers key generation itself; this endpoint signals
+	// the intent by returning the server so the caller knows to wait
+	// for the agent to upload via gRPC UploadGeneratedKey.
+	id := c.Param("id")
+	s, err := services.GetServer(id)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "server not found"})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{
+		"message":   "agent will generate and upload key on next poll",
+		"server_id": s.ServerID,
+	})
+}
+
+func listKeys(c *gin.Context) {
+	keys, err := services.ListKeys()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, keys)
+}
+
+func createKey(c *gin.Context) {
+	var body struct {
+		Label     string `json:"label" binding:"required"`
+		PublicKey string `json:"public_key" binding:"required"`
+	}
+	if err := c.ShouldBindJSON(&body); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	key, err := services.CreateKey(body.Label, body.PublicKey, "uploaded", "")
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusCreated, key)
+}
+
+func getKey(c *gin.Context) {
+	id := c.Param("id")
+	key, err := services.GetKey(id)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "key not found"})
+		return
+	}
+
+	assignments, _ := services.GetAssignmentsWithServers(id)
+	c.JSON(http.StatusOK, gin.H{
+		"key":         key,
+		"assignments": assignments,
+	})
+}
+
+func assignKey(c *gin.Context) {
+	keyID := c.Param("id")
+	var body struct {
+		ServerID string `json:"server_id" binding:"required"`
+	}
+	if err := c.ShouldBindJSON(&body); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	a, err := services.AssignKey(keyID, body.ServerID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusCreated, a)
+}
+
+func revokeAssignment(c *gin.Context) {
+	keyID := c.Param("id")
+	serverID := c.Param("serverId")
+
+	if err := services.RevokeAssignment(keyID, serverID); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{"revoked": true})
+}
+
+func handleInstallScript(c *gin.Context) {
+	serverID := c.Query("server_id")
+	token := c.Query("token")
+
+	giteaHost := os.Getenv("GITEA_HOST")
+	if giteaHost == "" {
+		giteaHost = "gitea.example.com"
+	}
+	publicHost := os.Getenv("PUBLIC_HOST")
+	if publicHost == "" {
+		publicHost = "keymanager.example.com"
+	}
+
+	script := fmt.Sprintf(`#!/usr/bin/env bash
+set -euo pipefail
+
+SERVER_ID="%s"
+TOKEN="%s"
+GITEA_HOST="%s"
+KM_HOST="%s"
+
+ARCH=$(uname -m)
+case "$ARCH" in
+  x86_64)  ARCH="amd64" ;;
+  aarch64) ARCH="arm64" ;;
+  *) echo "Unsupported architecture: $ARCH" >&2; exit 1 ;;
+esac
+
+# Get latest agent release tag
+LATEST=$(curl -fsSL "https://${GITEA_HOST}/api/v1/repos/mrhid6/keymanager/releases?limit=10" \
+  | grep -o '"tag_name":"agent/v[^"]*"' | head -1 | sed 's/"tag_name":"//;s/"//')
+
+if [ -z "$LATEST" ]; then
+  echo "Could not determine latest agent version" >&2
+  exit 1
+fi
+
+VERSION="${LATEST#agent/}"
+BINARY_URL="https://${GITEA_HOST}/mrhid6/keymanager/releases/download/${LATEST}/keymanager-agent-linux-${ARCH}"
+CHECKSUM_URL="https://${GITEA_HOST}/mrhid6/keymanager/releases/download/${LATEST}/checksums.txt"
+
+echo "Installing keymanager-agent ${VERSION} (${ARCH})..."
+
+curl -fsSL -o /tmp/keymanager-agent "${BINARY_URL}"
+curl -fsSL -o /tmp/checksums.txt "${CHECKSUM_URL}"
+
+cd /tmp
+EXPECTED=$(grep "keymanager-agent-linux-${ARCH}" checksums.txt | awk '{print $1}')
+ACTUAL=$(sha256sum keymanager-agent | awk '{print $1}')
+if [ "$EXPECTED" != "$ACTUAL" ]; then
+  echo "Checksum mismatch!" >&2
+  exit 1
+fi
+
+install -m 0755 /tmp/keymanager-agent /usr/local/bin/keymanager-agent
+
+mkdir -p /etc/keymanager
+chmod 0700 /etc/keymanager
+
+cat > /etc/keymanager/config.yaml <<EOF
+server_url: "${KM_HOST}:9090"
+server_id: "${SERVER_ID}"
+pre_reg_token: "${TOKEN}"
+agent_token: ""
+poll_interval: 30s
+tls: true
+EOF
+chmod 0600 /etc/keymanager/config.yaml
+
+cat > /etc/systemd/system/keymanager-agent.service <<EOF
+[Unit]
+Description=KeyManager Agent
+After=network.target
+
+[Service]
+ExecStart=/usr/local/bin/keymanager-agent
+Restart=always
+RestartSec=10
+User=root
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable --now keymanager-agent
+
+echo "keymanager-agent installed and started."
+`, serverID, token, giteaHost, publicHost)
+
+	c.Header("Content-Type", "text/x-shellscript")
+	c.String(http.StatusOK, script)
+}
@@ -0,0 +1,34 @@
+package db
+
+import (
+	"context"
+	"time"
+
+	"go.mongodb.org/mongo-driver/v2/mongo"
+	"go.mongodb.org/mongo-driver/v2/mongo/options"
+)
+
+var Client *mongo.Client
+var Database *mongo.Database
+
+func Connect(uri, dbName string) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	client, err := mongo.Connect(options.Client().ApplyURI(uri))
+	if err != nil {
+		return err
+	}
+
+	if err := client.Ping(ctx, nil); err != nil {
+		return err
+	}
+
+	Client = client
+	Database = client.Database(dbName)
+	return nil
+}
+
+func Col(name string) *mongo.Collection {
+	return Database.Collection(name)
+}
@@ -0,0 +1,20 @@
+package grpcserver
+
+import (
+	"encoding/json"
+)
+
+// JSONCodec is a gRPC codec that uses JSON encoding.
+type JSONCodec struct{}
+
+func (JSONCodec) Marshal(v interface{}) ([]byte, error) {
+	return json.Marshal(v)
+}
+
+func (JSONCodec) Unmarshal(data []byte, v interface{}) error {
+	return json.Unmarshal(data, v)
+}
+
+func (JSONCodec) Name() string {
+	return "proto" // override default proto codec name so gRPC uses it
+}
@@ -0,0 +1,171 @@
+// Hand-written gRPC bindings for keymanager.proto using JSON codec.
+// To use: register the JSON codec before creating gRPC servers/clients.
+
+package pb
+
+import (
+	"context"
+
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+// Message types
+
+type RegisterRequest struct {
+	ServerId    string `json:"server_id"`
+	PreRegToken string `json:"pre_reg_token"`
+	Hostname    string `json:"hostname"`
+	IpAddress   string `json:"ip_address"`
+	OsInfo      string `json:"os_info"`
+}
+
+type RegisterResponse struct {
+	AgentToken string `json:"agent_token"`
+}
+
+type SyncRequest struct {
+	ServerId   string `json:"server_id"`
+	AgentToken string `json:"agent_token"`
+}
+
+type SyncResponse struct {
+	PublicKeys []string `json:"public_keys"`
+}
+
+type UploadKeyRequest struct {
+	ServerId   string `json:"server_id"`
+	AgentToken string `json:"agent_token"`
+	PublicKey  string `json:"public_key"`
+	Label      string `json:"label"`
+}
+
+type UploadKeyResponse struct {
+	KeyId string `json:"key_id"`
+}
+
+// Server interface
+
+type KeyManagerServer interface {
+	Register(context.Context, *RegisterRequest) (*RegisterResponse, error)
+	SyncKeys(context.Context, *SyncRequest) (*SyncResponse, error)
+	UploadGeneratedKey(context.Context, *UploadKeyRequest) (*UploadKeyResponse, error)
+}
+
+type UnimplementedKeyManagerServer struct{}
+
+func (UnimplementedKeyManagerServer) Register(context.Context, *RegisterRequest) (*RegisterResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Register not implemented")
+}
+
+func (UnimplementedKeyManagerServer) SyncKeys(context.Context, *SyncRequest) (*SyncResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SyncKeys not implemented")
+}
+
+func (UnimplementedKeyManagerServer) UploadGeneratedKey(context.Context, *UploadKeyRequest) (*UploadKeyResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method UploadGeneratedKey not implemented")
+}
+
+// Client interface
+
+type KeyManagerClient interface {
+	Register(ctx context.Context, in *RegisterRequest, opts ...grpc.CallOption) (*RegisterResponse, error)
+	SyncKeys(ctx context.Context, in *SyncRequest, opts ...grpc.CallOption) (*SyncResponse, error)
+	UploadGeneratedKey(ctx context.Context, in *UploadKeyRequest, opts ...grpc.CallOption) (*UploadKeyResponse, error)
+}
+
+type keyManagerClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewKeyManagerClient(cc grpc.ClientConnInterface) KeyManagerClient {
+	return &keyManagerClient{cc}
+}
+
+func (c *keyManagerClient) Register(ctx context.Context, in *RegisterRequest, opts ...grpc.CallOption) (*RegisterResponse, error) {
+	out := new(RegisterResponse)
+	if err := c.cc.Invoke(ctx, "/keymanager.v1.KeyManager/Register", in, out, opts...); err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *keyManagerClient) SyncKeys(ctx context.Context, in *SyncRequest, opts ...grpc.CallOption) (*SyncResponse, error) {
+	out := new(SyncResponse)
+	if err := c.cc.Invoke(ctx, "/keymanager.v1.KeyManager/SyncKeys", in, out, opts...); err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *keyManagerClient) UploadGeneratedKey(ctx context.Context, in *UploadKeyRequest, opts ...grpc.CallOption) (*UploadKeyResponse, error) {
+	out := new(UploadKeyResponse)
+	if err := c.cc.Invoke(ctx, "/keymanager.v1.KeyManager/UploadGeneratedKey", in, out, opts...); err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// Server registration
+
+func RegisterKeyManagerServer(s grpc.ServiceRegistrar, srv KeyManagerServer) {
+	s.RegisterService(&KeyManager_ServiceDesc, srv)
+}
+
+var KeyManager_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "keymanager.v1.KeyManager",
+	HandlerType: (*KeyManagerServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{MethodName: "Register", Handler: _KeyManager_Register_Handler},
+		{MethodName: "SyncKeys", Handler: _KeyManager_SyncKeys_Handler},
+		{MethodName: "UploadGeneratedKey", Handler: _KeyManager_UploadGeneratedKey_Handler},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "keymanager/v1/keymanager.proto",
+}
+
+func _KeyManager_Register_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RegisterRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(KeyManagerServer).Register(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{Server: srv, FullMethod: "/keymanager.v1.KeyManager/Register"}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(KeyManagerServer).Register(ctx, req.(*RegisterRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _KeyManager_SyncKeys_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SyncRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(KeyManagerServer).SyncKeys(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{Server: srv, FullMethod: "/keymanager.v1.KeyManager/SyncKeys"}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(KeyManagerServer).SyncKeys(ctx, req.(*SyncRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _KeyManager_UploadGeneratedKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(UploadKeyRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(KeyManagerServer).UploadGeneratedKey(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{Server: srv, FullMethod: "/keymanager.v1.KeyManager/UploadGeneratedKey"}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(KeyManagerServer).UploadGeneratedKey(ctx, req.(*UploadKeyRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
@@ -0,0 +1,81 @@
+package grpcserver
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net"
+
+	"github.com/mrhid6/keymanager/server/internal/grpc/pb"
+	"github.com/mrhid6/keymanager/server/internal/services"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/encoding"
+	"google.golang.org/grpc/status"
+)
+
+func init() {
+	encoding.RegisterCodec(JSONCodec{})
+}
+
+type keyManagerServer struct {
+	pb.UnimplementedKeyManagerServer
+}
+
+func (s *keyManagerServer) Register(ctx context.Context, req *pb.RegisterRequest) (*pb.RegisterResponse, error) {
+	agentToken, err := services.RegisterServer(req.ServerId, req.PreRegToken, req.Hostname, req.IpAddress, req.OsInfo)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "registration failed: %v", err)
+	}
+	return &pb.RegisterResponse{AgentToken: agentToken}, nil
+}
+
+func (s *keyManagerServer) SyncKeys(ctx context.Context, req *pb.SyncRequest) (*pb.SyncResponse, error) {
+	srv, err := services.ValidateAgentToken(req.ServerId, req.AgentToken)
+	if err != nil {
+		return nil, status.Errorf(codes.Unauthenticated, "invalid agent token")
+	}
+
+	if err := services.UpdateServerLastSeen(srv.ServerID); err != nil {
+		log.Printf("failed to update last seen for %s: %v", srv.ServerID, err)
+	}
+
+	keys, err := services.BuildAuthorizedKeys(req.ServerId)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to build authorized keys: %v", err)
+	}
+
+	return &pb.SyncResponse{PublicKeys: keys}, nil
+}
+
+func (s *keyManagerServer) UploadGeneratedKey(ctx context.Context, req *pb.UploadKeyRequest) (*pb.UploadKeyResponse, error) {
+	srv, err := services.ValidateAgentToken(req.ServerId, req.AgentToken)
+	if err != nil {
+		return nil, status.Errorf(codes.Unauthenticated, "invalid agent token")
+	}
+
+	key, err := services.CreateKey(req.Label, req.PublicKey, "generated", srv.ServerID)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to store key: %v", err)
+	}
+
+	// Auto-assign to the generating server
+	if _, err := services.AssignKey(key.KeyID, srv.ServerID); err != nil {
+		log.Printf("failed to auto-assign generated key: %v", err)
+	}
+
+	return &pb.UploadKeyResponse{KeyId: key.KeyID}, nil
+}
+
+func StartGRPC(port int) error {
+	lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
+	if err != nil {
+		return fmt.Errorf("failed to listen: %w", err)
+	}
+
+	s := grpc.NewServer()
+	pb.RegisterKeyManagerServer(s, &keyManagerServer{})
+
+	log.Printf("gRPC server listening on :%d", port)
+	return s.Serve(lis)
+}
@@ -0,0 +1,15 @@
+package models
+
+import (
+	"time"
+
+	"go.mongodb.org/mongo-driver/v2/bson"
+)
+
+type Assignment struct {
+	ID         bson.ObjectID `bson:"_id,omitempty" json:"_id,omitempty"`
+	KeyID      string             `bson:"key_id" json:"key_id"`
+	ServerID   string             `bson:"server_id" json:"server_id"`
+	AssignedAt time.Time          `bson:"assigned_at" json:"assigned_at"`
+	RevokedAt  *time.Time         `bson:"revoked_at,omitempty" json:"revoked_at,omitempty"`
+}
@@ -0,0 +1,18 @@
+package models
+
+import (
+	"time"
+
+	"go.mongodb.org/mongo-driver/v2/bson"
+)
+
+type Key struct {
+	ID                  bson.ObjectID `bson:"_id,omitempty" json:"_id,omitempty"`
+	KeyID               string             `bson:"key_id" json:"key_id"`
+	Label               string             `bson:"label" json:"label"`
+	PublicKey           string             `bson:"public_key" json:"public_key"`
+	Fingerprint         string             `bson:"fingerprint" json:"fingerprint"`
+	Source              string             `bson:"source" json:"source"` // uploaded | generated
+	GeneratedByServerID string             `bson:"generated_by_server_id,omitempty" json:"generated_by_server_id,omitempty"`
+	CreatedAt           time.Time          `bson:"created_at" json:"created_at"`
+}
@@ -0,0 +1,21 @@
+package models
+
+import (
+	"time"
+
+	"go.mongodb.org/mongo-driver/v2/bson"
+)
+
+type Server struct {
+	ID             bson.ObjectID `bson:"_id,omitempty" json:"_id,omitempty"`
+	ServerID       string             `bson:"server_id" json:"server_id"`
+	Hostname       string             `bson:"hostname" json:"hostname"`
+	IPAddress      string             `bson:"ip_address" json:"ip_address"`
+	OSInfo         string             `bson:"os_info" json:"os_info"`
+	PreRegToken    string             `bson:"pre_reg_token,omitempty" json:"pre_reg_token,omitempty"`
+	PreRegExpires  *time.Time         `bson:"pre_reg_expires,omitempty" json:"pre_reg_expires,omitempty"`
+	AgentTokenHash string             `bson:"agent_token_hash,omitempty" json:"-"`
+	Status         string             `bson:"status" json:"status"`
+	LastSeen       *time.Time         `bson:"last_seen,omitempty" json:"last_seen,omitempty"`
+	CreatedAt      time.Time          `bson:"created_at" json:"created_at"`
+}
@@ -0,0 +1,209 @@
+package services
+
+import (
+	"context"
+	"crypto/md5"
+	"encoding/base64"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/mrhid6/keymanager/server/internal/db"
+	"github.com/mrhid6/keymanager/server/internal/models"
+	"go.mongodb.org/mongo-driver/v2/bson"
+)
+
+func computeFingerprint(pubKey string) string {
+	parts := strings.Fields(pubKey)
+	if len(parts) < 2 {
+		return ""
+	}
+	raw, err := base64.StdEncoding.DecodeString(parts[1])
+	if err != nil {
+		return ""
+	}
+	sum := md5.Sum(raw)
+	var pairs []string
+	for _, b := range sum {
+		pairs = append(pairs, fmt.Sprintf("%02x", b))
+	}
+	return "MD5:" + strings.Join(pairs, ":")
+}
+
+func CreateKey(label, publicKey, source, generatedByServerID string) (*models.Key, error) {
+	key := &models.Key{
+		KeyID:               uuid.NewString(),
+		Label:               label,
+		PublicKey:           publicKey,
+		Fingerprint:         computeFingerprint(publicKey),
+		Source:              source,
+		GeneratedByServerID: generatedByServerID,
+		CreatedAt:           time.Now(),
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	_, err := db.Col("keys").InsertOne(ctx, key)
+	if err != nil {
+		return nil, err
+	}
+	return key, nil
+}
+
+func GetKey(keyID string) (*models.Key, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	var key models.Key
+	err := db.Col("keys").FindOne(ctx, bson.M{"key_id": keyID}).Decode(&key)
+	if err != nil {
+		return nil, err
+	}
+	return &key, nil
+}
+
+func ListKeys() ([]models.Key, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	cursor, err := db.Col("keys").Find(ctx, bson.M{})
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close(ctx)
+
+	var keys []models.Key
+	if err := cursor.All(ctx, &keys); err != nil {
+		return nil, err
+	}
+	return keys, nil
+}
+
+func DeleteKey(keyID string) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	_, err := db.Col("keys").DeleteOne(ctx, bson.M{"key_id": keyID})
+	return err
+}
+
+func AssignKey(keyID, serverID string) (*models.Assignment, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	// Check if already assigned and active
+	var existing models.Assignment
+	err := db.Col("assignments").FindOne(ctx, bson.M{
+		"key_id":     keyID,
+		"server_id":  serverID,
+		"revoked_at": nil,
+	}).Decode(&existing)
+	if err == nil {
+		return &existing, nil
+	}
+
+	a := &models.Assignment{
+		KeyID:      keyID,
+		ServerID:   serverID,
+		AssignedAt: time.Now(),
+	}
+	_, err = db.Col("assignments").InsertOne(ctx, a)
+	if err != nil {
+		return nil, err
+	}
+	return a, nil
+}
+
+func RevokeAssignment(keyID, serverID string) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	now := time.Now()
+	_, err := db.Col("assignments").UpdateOne(ctx,
+		bson.M{"key_id": keyID, "server_id": serverID, "revoked_at": nil},
+		bson.M{"$set": bson.M{"revoked_at": now}},
+	)
+	return err
+}
+
+func GetAssignmentsForKey(keyID string) ([]models.Assignment, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	cursor, err := db.Col("assignments").Find(ctx, bson.M{"key_id": keyID, "revoked_at": nil})
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close(ctx)
+
+	var assignments []models.Assignment
+	if err := cursor.All(ctx, &assignments); err != nil {
+		return nil, err
+	}
+	return assignments, nil
+}
+
+type AssignmentWithServer struct {
+	models.Assignment `bson:",inline"`
+	Server            *models.Server `json:"server,omitempty"`
+}
+
+func GetAssignmentsWithServers(keyID string) ([]AssignmentWithServer, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	cursor, err := db.Col("assignments").Find(ctx, bson.M{"key_id": keyID})
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close(ctx)
+
+	var assignments []models.Assignment
+	if err := cursor.All(ctx, &assignments); err != nil {
+		return nil, err
+	}
+
+	result := make([]AssignmentWithServer, 0, len(assignments))
+	for _, a := range assignments {
+		item := AssignmentWithServer{Assignment: a}
+		var srv models.Server
+		if err := db.Col("servers").FindOne(ctx, bson.M{"server_id": a.ServerID}).Decode(&srv); err == nil {
+			item.Server = &srv
+		}
+		result = append(result, item)
+	}
+	return result, nil
+}
+
+type AssignmentWithKey struct {
+	models.Assignment `bson:",inline"`
+	Key               *models.Key `json:"key,omitempty"`
+}
+
+func GetAssignmentsWithKeysForServer(serverID string) ([]AssignmentWithKey, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	cursor, err := db.Col("assignments").Find(ctx, bson.M{"server_id": serverID})
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close(ctx)
+
+	var assignments []models.Assignment
+	if err := cursor.All(ctx, &assignments); err != nil {
+		return nil, err
+	}
+
+	result := make([]AssignmentWithKey, 0, len(assignments))
+	for _, a := range assignments {
+		item := AssignmentWithKey{Assignment: a}
+		var key models.Key
+		if err := db.Col("keys").FindOne(ctx, bson.M{"key_id": a.KeyID}).Decode(&key); err == nil {
+			item.Key = &key
+		}
+		result = append(result, item)
+	}
+	return result, nil
+}
@@ -0,0 +1,193 @@
+package services
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/mrhid6/keymanager/server/internal/db"
+	"github.com/mrhid6/keymanager/server/internal/models"
+	"go.mongodb.org/mongo-driver/v2/bson"
+	"go.mongodb.org/mongo-driver/v2/mongo/options"
+)
+
+func generateToken(n int) (string, error) {
+	b := make([]byte, n)
+	if _, err := rand.Read(b); err != nil {
+		return "", err
+	}
+	return hex.EncodeToString(b), nil
+}
+
+func HashToken(token string) string {
+	sum := sha256.Sum256([]byte(token))
+	return hex.EncodeToString(sum[:])
+}
+
+func CreateServer() (*models.Server, string, error) {
+	token, err := generateToken(32)
+	if err != nil {
+		return nil, "", err
+	}
+	expires := time.Now().Add(time.Hour)
+	s := &models.Server{
+		ServerID:      uuid.NewString(),
+		PreRegToken:   token,
+		PreRegExpires: &expires,
+		Status:        "pending",
+		CreatedAt:     time.Now(),
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	_, err = db.Col("servers").InsertOne(ctx, s)
+	if err != nil {
+		return nil, "", err
+	}
+	return s, token, nil
+}
+
+func GetServer(serverID string) (*models.Server, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	var s models.Server
+	err := db.Col("servers").FindOne(ctx, bson.M{"server_id": serverID}).Decode(&s)
+	if err != nil {
+		return nil, err
+	}
+	return &s, nil
+}
+
+func GetServerByPreRegToken(token string) (*models.Server, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	var s models.Server
+	err := db.Col("servers").FindOne(ctx, bson.M{
+		"pre_reg_token":   token,
+		"pre_reg_expires": bson.M{"$gt": time.Now()},
+	}).Decode(&s)
+	if err != nil {
+		return nil, err
+	}
+	return &s, nil
+}
+
+func RegisterServer(serverID, preRegToken, hostname, ipAddress, osInfo string) (string, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	var s models.Server
+	err := db.Col("servers").FindOne(ctx, bson.M{
+		"server_id":       serverID,
+		"pre_reg_token":   preRegToken,
+		"pre_reg_expires": bson.M{"$gt": time.Now()},
+	}).Decode(&s)
+	if err != nil {
+		return "", fmt.Errorf("invalid or expired pre-registration token")
+	}
+
+	agentToken, err := generateToken(32)
+	if err != nil {
+		return "", err
+	}
+	tokenHash := HashToken(agentToken)
+	now := time.Now()
+
+	_, err = db.Col("servers").UpdateOne(ctx,
+		bson.M{"server_id": serverID},
+		bson.M{"$set": bson.M{
+			"hostname":         hostname,
+			"ip_address":       ipAddress,
+			"os_info":          osInfo,
+			"agent_token_hash": tokenHash,
+			"status":           "active",
+			"last_seen":        now,
+			"pre_reg_token":    "",
+			"pre_reg_expires":  nil,
+		}},
+	)
+	if err != nil {
+		return "", err
+	}
+	return agentToken, nil
+}
+
+func ValidateAgentToken(serverID, agentToken string) (*models.Server, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	tokenHash := HashToken(agentToken)
+	var s models.Server
+	err := db.Col("servers").FindOne(ctx, bson.M{
+		"server_id":        serverID,
+		"agent_token_hash": tokenHash,
+	}).Decode(&s)
+	if err != nil {
+		return nil, fmt.Errorf("invalid agent token")
+	}
+	return &s, nil
+}
+
+func UpdateServerLastSeen(serverID string) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	now := time.Now()
+	_, err := db.Col("servers").UpdateOne(ctx,
+		bson.M{"server_id": serverID},
+		bson.M{"$set": bson.M{"last_seen": now, "status": "active"}},
+	)
+	return err
+}
+
+func ListServers() ([]models.Server, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	opts := options.Find().SetSort(bson.D{{Key: "created_at", Value: -1}})
+	cursor, err := db.Col("servers").Find(ctx, bson.M{}, opts)
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close(ctx)
+
+	var servers []models.Server
+	if err := cursor.All(ctx, &servers); err != nil {
+		return nil, err
+	}
+	return servers, nil
+}
+
+func DeleteServer(serverID string) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	_, err := db.Col("servers").DeleteOne(ctx, bson.M{"server_id": serverID})
+	if err != nil {
+		return err
+	}
+	// Also remove assignments
+	_, err = db.Col("assignments").DeleteMany(ctx, bson.M{"server_id": serverID})
+	return err
+}
+
+func MarkOfflineServers(threshold time.Duration) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	cutoff := time.Now().Add(-threshold)
+	_, err := db.Col("servers").UpdateMany(ctx,
+		bson.M{
+			"status":    "active",
+			"last_seen": bson.M{"$lt": cutoff},
+		},
+		bson.M{"$set": bson.M{"status": "offline"}},
+	)
+	return err
+}
@@ -0,0 +1,40 @@
+package services
+
+import (
+	"context"
+	"time"
+
+	"github.com/mrhid6/keymanager/server/internal/db"
+	"github.com/mrhid6/keymanager/server/internal/models"
+	"go.mongodb.org/mongo-driver/v2/bson"
+)
+
+func BuildAuthorizedKeys(serverID string) ([]string, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	cursor, err := db.Col("assignments").Find(ctx, bson.M{
+		"server_id":  serverID,
+		"revoked_at": nil,
+	})
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close(ctx)
+
+	var assignments []models.Assignment
+	if err := cursor.All(ctx, &assignments); err != nil {
+		return nil, err
+	}
+
+	var lines []string
+	for _, a := range assignments {
+		var key models.Key
+		err := db.Col("keys").FindOne(ctx, bson.M{"key_id": a.KeyID}).Decode(&key)
+		if err != nil {
+			continue
+		}
+		lines = append(lines, key.PublicKey)
+	}
+	return lines, nil
+}