feat: add certificate management module and schedule auto-renewal cron

infra_cli/cert.py

@@ -0,0 +1,40 @@
+from .ssh import SSHClient
+
+class CertificateManager:
+    def __init__(self, config):
+        # Certificate manager is on la-vmh-11 (LXC 11215)
+        node = config.get_node('la-vmh-11')
+        if not node:
+            raise ValueError("Node 'la-vmh-11' not found in config")
+        
+        self.host = node['host']
+        self.password = node.get('pass')
+        self.user = config.get('proxmox.user', 'root')
+        self.ssh_key = config.get('proxmox.ssh_key_path')
+        self.client = SSHClient(self.host, self.user, self.ssh_key, self.password)
+        self.lxc_id = "11215"
+        self.shared_path = "/shared-certs"
+
+    def exec_cert(self, cmd):
+        return self.client.run(f"pct exec {self.lxc_id} -- {cmd}")
+
+    def list_certs(self):
+        res = self.exec_cert(f"ls -lh {self.shared_path}")
+        return res.stdout
+
+    def renew(self, force=False):
+        script_path = "/root/local-config/infra-cert-mgr/scripts/dynamic-san-manager.sh"
+        cmd = f"bash {script_path}"
+        if force:
+            cmd += " --force-update"
+        
+        res = self.exec_cert(cmd)
+        if res.returncode != 0:
+            raise RuntimeError(f"Certificate renewal failed: {res.stderr}")
+        return res.stdout
+
+    def check_expiry(self):
+        # Checks expiry of the main wildcard cert
+        cmd = f"openssl x509 -enddate -noout -in {self.shared_path}/loopaware.com.pem"
+        res = self.exec_cert(cmd)
+        return res.stdout.strip()