Add SQLite persistence and write-through gRPC mutations

Database (internal/db) stores listeners, routes, and firewall rules with
WAL mode, foreign keys, and idempotent migrations. First run seeds from
TOML config; subsequent runs load from DB as source of truth.

gRPC admin API now writes to the database before updating in-memory state
(write-through cache pattern). Adds snapshot command for VACUUM INTO
backups. Refactors firewall.New to accept raw rule slices instead of
config struct for flexibility.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/config/config.go

@@ -10,12 +10,17 @@ import (
 
 type Config struct {
 	Listeners []Listener `toml:"listeners"`
+	Database  Database   `toml:"database"`
 	GRPC      GRPC       `toml:"grpc"`
 	Firewall  Firewall   `toml:"firewall"`
 	Proxy     Proxy      `toml:"proxy"`
 	Log       Log        `toml:"log"`
 }
 
+type Database struct {
+	Path string `toml:"path"`
+}
+
 type GRPC struct {
 	Addr     string `toml:"addr"`
 	TLSCert  string `toml:"tls_cert"`
@@ -80,18 +85,15 @@ func Load(path string) (*Config, error) {
 }
 
 func (c *Config) validate() error {
-	if len(c.Listeners) == 0 {
-		return fmt.Errorf("at least one listener is required")
+	if c.Database.Path == "" {
+		return fmt.Errorf("database.path is required")
 	}
 
+	// Validate listeners if provided (used for seeding on first run).
 	for i, l := range c.Listeners {
 		if l.Addr == "" {
 			return fmt.Errorf("listener %d: addr is required", i)
 		}
-		if len(l.Routes) == 0 {
-			return fmt.Errorf("listener %d (%s): at least one route is required", i, l.Addr)
-		}
-
 		seen := make(map[string]bool)
 		for j, r := range l.Routes {
 			if r.Hostname == "" {

internal/config/config_test.go

@@ -11,6 +11,9 @@ func TestLoadValid(t *testing.T) {
 	path := filepath.Join(dir, "test.toml")
 
 	data := `
+[database]
+path = "/tmp/test.db"
+
 [[listeners]]
 addr = ":443"
 
@@ -49,11 +52,37 @@ level = "info"
 	}
 }
 
-func TestLoadNoListeners(t *testing.T) {
+func TestLoadNoDatabasePath(t *testing.T) {
 	dir := t.TempDir()
 	path := filepath.Join(dir, "test.toml")
 
 	data := `
+[[listeners]]
+addr = ":443"
+
+  [[listeners.routes]]
+  hostname = "example.com"
+  backend = "127.0.0.1:8443"
+`
+	if err := os.WriteFile(path, []byte(data), 0600); err != nil {
+		t.Fatalf("write config: %v", err)
+	}
+
+	_, err := Load(path)
+	if err == nil {
+		t.Fatal("expected error for missing database path")
+	}
+}
+
+func TestLoadNoListenersValid(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "test.toml")
+
+	// No listeners is valid — DB may already have them.
+	data := `
+[database]
+path = "/tmp/test.db"
+
 [log]
 level = "info"
 `
@@ -62,26 +91,8 @@ level = "info"
 	}
 
 	_, err := Load(path)
-	if err == nil {
-		t.Fatal("expected error for missing listeners")
-	}
-}
-
-func TestLoadNoRoutes(t *testing.T) {
-	dir := t.TempDir()
-	path := filepath.Join(dir, "test.toml")
-
-	data := `
-[[listeners]]
-addr = ":443"
-`
-	if err := os.WriteFile(path, []byte(data), 0600); err != nil {
-		t.Fatalf("write config: %v", err)
-	}
-
-	_, err := Load(path)
-	if err == nil {
-		t.Fatal("expected error for missing routes")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
 	}
 }
 
@@ -90,6 +101,9 @@ func TestLoadDuplicateHostnames(t *testing.T) {
 	path := filepath.Join(dir, "test.toml")
 
 	data := `
+[database]
+path = "/tmp/test.db"
+
 [[listeners]]
 addr = ":443"
 
@@ -116,6 +130,9 @@ func TestLoadGeoIPRequiredWithCountries(t *testing.T) {
 	path := filepath.Join(dir, "test.toml")
 
 	data := `
+[database]
+path = "/tmp/test.db"
+
 [[listeners]]
 addr = ":443"
 
@@ -141,6 +158,9 @@ func TestLoadMultipleListeners(t *testing.T) {
 	path := filepath.Join(dir, "test.toml")
 
 	data := `
+[database]
+path = "/tmp/test.db"
+
 [[listeners]]
 addr = ":443"
 

internal/db/db.go

@@ -0,0 +1,63 @@
+package db
+
+import (
+	"database/sql"
+	"fmt"
+	"os"
+
+	_ "modernc.org/sqlite"
+)
+
+// Store wraps a SQLite database connection for mc-proxy persistence.
+type Store struct {
+	db *sql.DB
+}
+
+// Open opens (or creates) the SQLite database at path with WAL mode,
+// foreign keys, and a busy timeout. The file is created with 0600 permissions.
+func Open(path string) (*Store, error) {
+	// Ensure the file has restrictive permissions if it doesn't exist.
+	if _, err := os.Stat(path); os.IsNotExist(err) {
+		f, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR, 0600)
+		if err != nil {
+			return nil, fmt.Errorf("creating database file: %w", err)
+		}
+		f.Close()
+	}
+
+	db, err := sql.Open("sqlite", path)
+	if err != nil {
+		return nil, fmt.Errorf("opening database: %w", err)
+	}
+
+	// Apply connection pragmas.
+	pragmas := []string{
+		"PRAGMA journal_mode = WAL",
+		"PRAGMA foreign_keys = ON",
+		"PRAGMA busy_timeout = 5000",
+	}
+	for _, p := range pragmas {
+		if _, err := db.Exec(p); err != nil {
+			db.Close()
+			return nil, fmt.Errorf("setting pragma %q: %w", p, err)
+		}
+	}
+
+	return &Store{db: db}, nil
+}
+
+// Close closes the database connection.
+func (s *Store) Close() error {
+	return s.db.Close()
+}
+
+// IsEmpty returns true if the listeners table has no rows.
+// Used to determine if the database needs seeding from config.
+func (s *Store) IsEmpty() (bool, error) {
+	var count int
+	err := s.db.QueryRow("SELECT COUNT(*) FROM listeners").Scan(&count)
+	if err != nil {
+		return false, err
+	}
+	return count == 0, nil
+}

internal/db/db_test.go

@@ -0,0 +1,331 @@
+package db
+
+import (
+	"path/filepath"
+	"testing"
+
+	"git.wntrmute.dev/kyle/mc-proxy/internal/config"
+)
+
+func openTestDB(t *testing.T) *Store {
+	t.Helper()
+	dir := t.TempDir()
+	store, err := Open(filepath.Join(dir, "test.db"))
+	if err != nil {
+		t.Fatalf("open: %v", err)
+	}
+	if err := store.Migrate(); err != nil {
+		t.Fatalf("migrate: %v", err)
+	}
+	t.Cleanup(func() { store.Close() })
+	return store
+}
+
+func TestMigrate(t *testing.T) {
+	store := openTestDB(t)
+
+	// Running migrate again should be idempotent.
+	if err := store.Migrate(); err != nil {
+		t.Fatalf("second migrate: %v", err)
+	}
+}
+
+func TestIsEmpty(t *testing.T) {
+	store := openTestDB(t)
+
+	empty, err := store.IsEmpty()
+	if err != nil {
+		t.Fatalf("is empty: %v", err)
+	}
+	if !empty {
+		t.Fatal("expected empty database")
+	}
+
+	if _, err := store.CreateListener(":443"); err != nil {
+		t.Fatalf("create listener: %v", err)
+	}
+
+	empty, err = store.IsEmpty()
+	if err != nil {
+		t.Fatalf("is empty: %v", err)
+	}
+	if empty {
+		t.Fatal("expected non-empty database")
+	}
+}
+
+func TestListenerCRUD(t *testing.T) {
+	store := openTestDB(t)
+
+	id, err := store.CreateListener(":443")
+	if err != nil {
+		t.Fatalf("create: %v", err)
+	}
+	if id == 0 {
+		t.Fatal("expected non-zero ID")
+	}
+
+	listeners, err := store.ListListeners()
+	if err != nil {
+		t.Fatalf("list: %v", err)
+	}
+	if len(listeners) != 1 {
+		t.Fatalf("got %d listeners, want 1", len(listeners))
+	}
+	if listeners[0].Addr != ":443" {
+		t.Fatalf("got addr %q, want %q", listeners[0].Addr, ":443")
+	}
+
+	l, err := store.GetListenerByAddr(":443")
+	if err != nil {
+		t.Fatalf("get by addr: %v", err)
+	}
+	if l.ID != id {
+		t.Fatalf("got ID %d, want %d", l.ID, id)
+	}
+
+	if err := store.DeleteListener(id); err != nil {
+		t.Fatalf("delete: %v", err)
+	}
+
+	listeners, err = store.ListListeners()
+	if err != nil {
+		t.Fatalf("list after delete: %v", err)
+	}
+	if len(listeners) != 0 {
+		t.Fatalf("got %d listeners after delete, want 0", len(listeners))
+	}
+}
+
+func TestListenerDuplicateAddr(t *testing.T) {
+	store := openTestDB(t)
+
+	if _, err := store.CreateListener(":443"); err != nil {
+		t.Fatalf("first create: %v", err)
+	}
+	if _, err := store.CreateListener(":443"); err == nil {
+		t.Fatal("expected error for duplicate addr")
+	}
+}
+
+func TestRouteCRUD(t *testing.T) {
+	store := openTestDB(t)
+
+	listenerID, err := store.CreateListener(":443")
+	if err != nil {
+		t.Fatalf("create listener: %v", err)
+	}
+
+	routeID, err := store.CreateRoute(listenerID, "example.com", "127.0.0.1:8443")
+	if err != nil {
+		t.Fatalf("create route: %v", err)
+	}
+	if routeID == 0 {
+		t.Fatal("expected non-zero route ID")
+	}
+
+	routes, err := store.ListRoutes(listenerID)
+	if err != nil {
+		t.Fatalf("list routes: %v", err)
+	}
+	if len(routes) != 1 {
+		t.Fatalf("got %d routes, want 1", len(routes))
+	}
+	if routes[0].Hostname != "example.com" {
+		t.Fatalf("got hostname %q, want %q", routes[0].Hostname, "example.com")
+	}
+
+	if err := store.DeleteRoute(listenerID, "example.com"); err != nil {
+		t.Fatalf("delete route: %v", err)
+	}
+
+	routes, err = store.ListRoutes(listenerID)
+	if err != nil {
+		t.Fatalf("list after delete: %v", err)
+	}
+	if len(routes) != 0 {
+		t.Fatalf("got %d routes after delete, want 0", len(routes))
+	}
+}
+
+func TestRouteDuplicateHostname(t *testing.T) {
+	store := openTestDB(t)
+
+	listenerID, _ := store.CreateListener(":443")
+	if _, err := store.CreateRoute(listenerID, "example.com", "127.0.0.1:8443"); err != nil {
+		t.Fatalf("first create: %v", err)
+	}
+	if _, err := store.CreateRoute(listenerID, "example.com", "127.0.0.1:9443"); err == nil {
+		t.Fatal("expected error for duplicate hostname on same listener")
+	}
+}
+
+func TestRouteCascadeDelete(t *testing.T) {
+	store := openTestDB(t)
+
+	listenerID, _ := store.CreateListener(":443")
+	store.CreateRoute(listenerID, "a.example.com", "127.0.0.1:8443")
+	store.CreateRoute(listenerID, "b.example.com", "127.0.0.1:9443")
+
+	if err := store.DeleteListener(listenerID); err != nil {
+		t.Fatalf("delete listener: %v", err)
+	}
+
+	routes, err := store.ListRoutes(listenerID)
+	if err != nil {
+		t.Fatalf("list routes: %v", err)
+	}
+	if len(routes) != 0 {
+		t.Fatalf("got %d routes after cascade delete, want 0", len(routes))
+	}
+}
+
+func TestFirewallRuleCRUD(t *testing.T) {
+	store := openTestDB(t)
+
+	id, err := store.CreateFirewallRule("ip", "192.0.2.1")
+	if err != nil {
+		t.Fatalf("create: %v", err)
+	}
+	if id == 0 {
+		t.Fatal("expected non-zero ID")
+	}
+
+	if _, err := store.CreateFirewallRule("cidr", "198.51.100.0/24"); err != nil {
+		t.Fatalf("create cidr: %v", err)
+	}
+	if _, err := store.CreateFirewallRule("country", "CN"); err != nil {
+		t.Fatalf("create country: %v", err)
+	}
+
+	rules, err := store.ListFirewallRules()
+	if err != nil {
+		t.Fatalf("list: %v", err)
+	}
+	if len(rules) != 3 {
+		t.Fatalf("got %d rules, want 3", len(rules))
+	}
+
+	if err := store.DeleteFirewallRule("ip", "192.0.2.1"); err != nil {
+		t.Fatalf("delete: %v", err)
+	}
+
+	rules, err = store.ListFirewallRules()
+	if err != nil {
+		t.Fatalf("list after delete: %v", err)
+	}
+	if len(rules) != 2 {
+		t.Fatalf("got %d rules after delete, want 2", len(rules))
+	}
+}
+
+func TestFirewallRuleDuplicate(t *testing.T) {
+	store := openTestDB(t)
+
+	if _, err := store.CreateFirewallRule("ip", "192.0.2.1"); err != nil {
+		t.Fatalf("first create: %v", err)
+	}
+	if _, err := store.CreateFirewallRule("ip", "192.0.2.1"); err == nil {
+		t.Fatal("expected error for duplicate rule")
+	}
+}
+
+func TestSeed(t *testing.T) {
+	store := openTestDB(t)
+
+	listeners := []config.Listener{
+		{
+			Addr: ":443",
+			Routes: []config.Route{
+				{Hostname: "a.example.com", Backend: "127.0.0.1:8443"},
+				{Hostname: "b.example.com", Backend: "127.0.0.1:9443"},
+			},
+		},
+		{
+			Addr: ":8443",
+			Routes: []config.Route{
+				{Hostname: "c.example.com", Backend: "127.0.0.1:18443"},
+			},
+		},
+	}
+
+	fw := config.Firewall{
+		BlockedIPs:       []string{"192.0.2.1"},
+		BlockedCIDRs:     []string{"198.51.100.0/24"},
+		BlockedCountries: []string{"cn", "KP"},
+	}
+
+	if err := store.Seed(listeners, fw); err != nil {
+		t.Fatalf("seed: %v", err)
+	}
+
+	dbListeners, err := store.ListListeners()
+	if err != nil {
+		t.Fatalf("list listeners: %v", err)
+	}
+	if len(dbListeners) != 2 {
+		t.Fatalf("got %d listeners, want 2", len(dbListeners))
+	}
+
+	routes, err := store.ListRoutes(dbListeners[0].ID)
+	if err != nil {
+		t.Fatalf("list routes: %v", err)
+	}
+	if len(routes) != 2 {
+		t.Fatalf("got %d routes for listener 0, want 2", len(routes))
+	}
+
+	rules, err := store.ListFirewallRules()
+	if err != nil {
+		t.Fatalf("list firewall rules: %v", err)
+	}
+	if len(rules) != 4 {
+		t.Fatalf("got %d firewall rules, want 4", len(rules))
+	}
+}
+
+func TestSnapshot(t *testing.T) {
+	store := openTestDB(t)
+
+	store.CreateListener(":443")
+
+	dest := filepath.Join(t.TempDir(), "backup.db")
+	if err := store.Snapshot(dest); err != nil {
+		t.Fatalf("snapshot: %v", err)
+	}
+
+	// Open the snapshot and verify.
+	backup, err := Open(dest)
+	if err != nil {
+		t.Fatalf("open backup: %v", err)
+	}
+	defer backup.Close()
+
+	if err := backup.Migrate(); err != nil {
+		t.Fatalf("migrate backup: %v", err)
+	}
+
+	listeners, err := backup.ListListeners()
+	if err != nil {
+		t.Fatalf("list from backup: %v", err)
+	}
+	if len(listeners) != 1 {
+		t.Fatalf("backup has %d listeners, want 1", len(listeners))
+	}
+}
+
+func TestDeleteNonexistent(t *testing.T) {
+	store := openTestDB(t)
+
+	if err := store.DeleteListener(999); err == nil {
+		t.Fatal("expected error deleting nonexistent listener")
+	}
+
+	if err := store.DeleteRoute(999, "example.com"); err == nil {
+		t.Fatal("expected error deleting nonexistent route")
+	}
+
+	if err := store.DeleteFirewallRule("ip", "1.2.3.4"); err == nil {
+		t.Fatal("expected error deleting nonexistent firewall rule")
+	}
+}

internal/db/firewall.go

@@ -0,0 +1,57 @@
+package db
+
+import "fmt"
+
+// FirewallRule is a database firewall rule record.
+type FirewallRule struct {
+	ID    int64
+	Type  string // "ip", "cidr", "country"
+	Value string
+}
+
+// ListFirewallRules returns all firewall rules.
+func (s *Store) ListFirewallRules() ([]FirewallRule, error) {
+	rows, err := s.db.Query("SELECT id, type, value FROM firewall_rules ORDER BY type, value")
+	if err != nil {
+		return nil, fmt.Errorf("querying firewall rules: %w", err)
+	}
+	defer rows.Close()
+
+	var rules []FirewallRule
+	for rows.Next() {
+		var r FirewallRule
+		if err := rows.Scan(&r.ID, &r.Type, &r.Value); err != nil {
+			return nil, fmt.Errorf("scanning firewall rule: %w", err)
+		}
+		rules = append(rules, r)
+	}
+	return rules, rows.Err()
+}
+
+// CreateFirewallRule inserts a firewall rule and returns its ID.
+func (s *Store) CreateFirewallRule(ruleType, value string) (int64, error) {
+	result, err := s.db.Exec(
+		"INSERT INTO firewall_rules (type, value) VALUES (?, ?)",
+		ruleType, value,
+	)
+	if err != nil {
+		return 0, fmt.Errorf("inserting firewall rule: %w", err)
+	}
+	return result.LastInsertId()
+}
+
+// DeleteFirewallRule deletes a firewall rule by type and value.
+func (s *Store) DeleteFirewallRule(ruleType, value string) error {
+	result, err := s.db.Exec(
+		"DELETE FROM firewall_rules WHERE type = ? AND value = ?",
+		ruleType, value,
+	)
+	if err != nil {
+		return fmt.Errorf("deleting firewall rule: %w", err)
+	}
+	n, _ := result.RowsAffected()
+	if n == 0 {
+		return fmt.Errorf("firewall rule (%s, %s) not found", ruleType, value)
+	}
+	return nil
+}

internal/db/listeners.go

@@ -0,0 +1,61 @@
+package db
+
+import "fmt"
+
+// Listener is a database listener record.
+type Listener struct {
+	ID   int64
+	Addr string
+}
+
+// ListListeners returns all listeners.
+func (s *Store) ListListeners() ([]Listener, error) {
+	rows, err := s.db.Query("SELECT id, addr FROM listeners ORDER BY id")
+	if err != nil {
+		return nil, fmt.Errorf("querying listeners: %w", err)
+	}
+	defer rows.Close()
+
+	var listeners []Listener
+	for rows.Next() {
+		var l Listener
+		if err := rows.Scan(&l.ID, &l.Addr); err != nil {
+			return nil, fmt.Errorf("scanning listener: %w", err)
+		}
+		listeners = append(listeners, l)
+	}
+	return listeners, rows.Err()
+}
+
+// CreateListener inserts a listener and returns its ID.
+func (s *Store) CreateListener(addr string) (int64, error) {
+	result, err := s.db.Exec("INSERT INTO listeners (addr) VALUES (?)", addr)
+	if err != nil {
+		return 0, fmt.Errorf("inserting listener: %w", err)
+	}
+	return result.LastInsertId()
+}
+
+// DeleteListener deletes a listener by ID. Routes are cascade-deleted.
+func (s *Store) DeleteListener(id int64) error {
+	result, err := s.db.Exec("DELETE FROM listeners WHERE id = ?", id)
+	if err != nil {
+		return fmt.Errorf("deleting listener: %w", err)
+	}
+	n, _ := result.RowsAffected()
+	if n == 0 {
+		return fmt.Errorf("listener %d not found", id)
+	}
+	return nil
+}
+
+// GetListenerByAddr returns a listener by its address.
+func (s *Store) GetListenerByAddr(addr string) (Listener, error) {
+	var l Listener
+	err := s.db.QueryRow("SELECT id, addr FROM listeners WHERE addr = ?", addr).
+		Scan(&l.ID, &l.Addr)
+	if err != nil {
+		return Listener{}, fmt.Errorf("querying listener by addr %q: %w", addr, err)
+	}
+	return l, nil
+}

internal/db/migrations.go

@@ -0,0 +1,93 @@
+package db
+
+import (
+	"database/sql"
+	"fmt"
+)
+
+type migration struct {
+	version int
+	name    string
+	fn      func(tx *sql.Tx) error
+}
+
+var migrations = []migration{
+	{1, "create_core_tables", migrate001CreateCoreTables},
+}
+
+// Migrate runs all unapplied migrations sequentially.
+func (s *Store) Migrate() error {
+	// Ensure the migration tracking table exists.
+	_, err := s.db.Exec(`
+		CREATE TABLE IF NOT EXISTS schema_migrations (
+			version INTEGER PRIMARY KEY,
+			applied TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'))
+		)
+	`)
+	if err != nil {
+		return fmt.Errorf("creating schema_migrations table: %w", err)
+	}
+
+	var current int
+	err = s.db.QueryRow("SELECT COALESCE(MAX(version), 0) FROM schema_migrations").Scan(&current)
+	if err != nil {
+		return fmt.Errorf("querying current migration version: %w", err)
+	}
+
+	for _, m := range migrations {
+		if m.version <= current {
+			continue
+		}
+
+		tx, err := s.db.Begin()
+		if err != nil {
+			return fmt.Errorf("beginning migration %d (%s): %w", m.version, m.name, err)
+		}
+
+		if err := m.fn(tx); err != nil {
+			tx.Rollback()
+			return fmt.Errorf("running migration %d (%s): %w", m.version, m.name, err)
+		}
+
+		if _, err := tx.Exec("INSERT INTO schema_migrations (version) VALUES (?)", m.version); err != nil {
+			tx.Rollback()
+			return fmt.Errorf("recording migration %d (%s): %w", m.version, m.name, err)
+		}
+
+		if err := tx.Commit(); err != nil {
+			return fmt.Errorf("committing migration %d (%s): %w", m.version, m.name, err)
+		}
+	}
+
+	return nil
+}
+
+func migrate001CreateCoreTables(tx *sql.Tx) error {
+	stmts := []string{
+		`CREATE TABLE IF NOT EXISTS listeners (
+			id   INTEGER PRIMARY KEY,
+			addr TEXT NOT NULL UNIQUE
+		)`,
+		`CREATE TABLE IF NOT EXISTS routes (
+			id          INTEGER PRIMARY KEY,
+			listener_id INTEGER NOT NULL REFERENCES listeners(id) ON DELETE CASCADE,
+			hostname    TEXT NOT NULL,
+			backend     TEXT NOT NULL,
+			UNIQUE(listener_id, hostname)
+		)`,
+		`CREATE INDEX IF NOT EXISTS idx_routes_listener ON routes(listener_id)`,
+		`CREATE TABLE IF NOT EXISTS firewall_rules (
+			id    INTEGER PRIMARY KEY,
+			type  TEXT NOT NULL CHECK(type IN ('ip', 'cidr', 'country')),
+			value TEXT NOT NULL,
+			UNIQUE(type, value)
+		)`,
+	}
+
+	for _, stmt := range stmts {
+		if _, err := tx.Exec(stmt); err != nil {
+			return err
+		}
+	}
+	return nil
+}

internal/db/routes.go

@@ -0,0 +1,61 @@
+package db
+
+import "fmt"
+
+// Route is a database route record.
+type Route struct {
+	ID         int64
+	ListenerID int64
+	Hostname   string
+	Backend    string
+}
+
+// ListRoutes returns all routes for a listener.
+func (s *Store) ListRoutes(listenerID int64) ([]Route, error) {
+	rows, err := s.db.Query(
+		"SELECT id, listener_id, hostname, backend FROM routes WHERE listener_id = ? ORDER BY hostname",
+		listenerID,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("querying routes: %w", err)
+	}
+	defer rows.Close()
+
+	var routes []Route
+	for rows.Next() {
+		var r Route
+		if err := rows.Scan(&r.ID, &r.ListenerID, &r.Hostname, &r.Backend); err != nil {
+			return nil, fmt.Errorf("scanning route: %w", err)
+		}
+		routes = append(routes, r)
+	}
+	return routes, rows.Err()
+}
+
+// CreateRoute inserts a route and returns its ID.
+func (s *Store) CreateRoute(listenerID int64, hostname, backend string) (int64, error) {
+	result, err := s.db.Exec(
+		"INSERT INTO routes (listener_id, hostname, backend) VALUES (?, ?, ?)",
+		listenerID, hostname, backend,
+	)
+	if err != nil {
+		return 0, fmt.Errorf("inserting route: %w", err)
+	}
+	return result.LastInsertId()
+}
+
+// DeleteRoute deletes a route by listener ID and hostname.
+func (s *Store) DeleteRoute(listenerID int64, hostname string) error {
+	result, err := s.db.Exec(
+		"DELETE FROM routes WHERE listener_id = ? AND hostname = ?",
+		listenerID, hostname,
+	)
+	if err != nil {
+		return fmt.Errorf("deleting route: %w", err)
+	}
+	n, _ := result.RowsAffected()
+	if n == 0 {
+		return fmt.Errorf("route %q not found on listener %d", hostname, listenerID)
+	}
+	return nil
+}

internal/db/seed.go

@@ -0,0 +1,56 @@
+package db
+
+import (
+	"fmt"
+	"strings"
+
+	"git.wntrmute.dev/kyle/mc-proxy/internal/config"
+)
+
+// Seed populates the database from TOML config data. Only called when the
+// database is empty (first run).
+func (s *Store) Seed(listeners []config.Listener, fw config.Firewall) error {
+	tx, err := s.db.Begin()
+	if err != nil {
+		return fmt.Errorf("beginning seed transaction: %w", err)
+	}
+	defer tx.Rollback()
+
+	for _, l := range listeners {
+		result, err := tx.Exec("INSERT INTO listeners (addr) VALUES (?)", l.Addr)
+		if err != nil {
+			return fmt.Errorf("seeding listener %q: %w", l.Addr, err)
+		}
+		listenerID, _ := result.LastInsertId()
+
+		for _, r := range l.Routes {
+			_, err := tx.Exec(
+				"INSERT INTO routes (listener_id, hostname, backend) VALUES (?, ?, ?)",
+				listenerID, strings.ToLower(r.Hostname), r.Backend,
+			)
+			if err != nil {
+				return fmt.Errorf("seeding route %q on listener %q: %w", r.Hostname, l.Addr, err)
+			}
+		}
+	}
+
+	for _, ip := range fw.BlockedIPs {
+		if _, err := tx.Exec("INSERT INTO firewall_rules (type, value) VALUES ('ip', ?)", ip); err != nil {
+			return fmt.Errorf("seeding blocked IP %q: %w", ip, err)
+		}
+	}
+
+	for _, cidr := range fw.BlockedCIDRs {
+		if _, err := tx.Exec("INSERT INTO firewall_rules (type, value) VALUES ('cidr', ?)", cidr); err != nil {
+			return fmt.Errorf("seeding blocked CIDR %q: %w", cidr, err)
+		}
+	}
+
+	for _, code := range fw.BlockedCountries {
+		if _, err := tx.Exec("INSERT INTO firewall_rules (type, value) VALUES ('country', ?)", strings.ToUpper(code)); err != nil {
+			return fmt.Errorf("seeding blocked country %q: %w", code, err)
+		}
+	}
+
+	return tx.Commit()
+}

internal/db/snapshot.go

@@ -0,0 +1,12 @@
+package db
+
+import "fmt"
+
+// Snapshot creates a consistent backup of the database using VACUUM INTO.
+func (s *Store) Snapshot(destPath string) error {
+	_, err := s.db.Exec("VACUUM INTO ?", destPath)
+	if err != nil {
+		return fmt.Errorf("snapshot to %q: %w", destPath, err)
+	}
+	return nil
+}

internal/firewall/firewall.go

@@ -8,7 +8,6 @@ import (
 
 	"github.com/oschwald/maxminddb-golang"
 
-	"git.wntrmute.dev/kyle/mc-proxy/internal/config"
 )
 
 type geoIPRecord struct {
@@ -27,15 +26,15 @@ type Firewall struct {
 	mu               sync.RWMutex // protects all mutable state
 }
 
-// New creates a Firewall from the given configuration.
-func New(cfg config.Firewall) (*Firewall, error) {
+// New creates a Firewall from raw rule lists and an optional GeoIP database path.
+func New(geoIPPath string, ips, cidrs, countries []string) (*Firewall, error) {
 	f := &Firewall{
 		blockedIPs:       make(map[netip.Addr]struct{}),
 		blockedCountries: make(map[string]struct{}),
-		geoDBPath:        cfg.GeoIPDB,
+		geoDBPath:        geoIPPath,
 	}
 
-	for _, ip := range cfg.BlockedIPs {
+	for _, ip := range ips {
 		addr, err := netip.ParseAddr(ip)
 		if err != nil {
 			return nil, fmt.Errorf("invalid blocked IP %q: %w", ip, err)
@@ -43,7 +42,7 @@ func New(cfg config.Firewall) (*Firewall, error) {
 		f.blockedIPs[addr] = struct{}{}
 	}
 
-	for _, cidr := range cfg.BlockedCIDRs {
+	for _, cidr := range cidrs {
 		prefix, err := netip.ParsePrefix(cidr)
 		if err != nil {
 			return nil, fmt.Errorf("invalid blocked CIDR %q: %w", cidr, err)
@@ -51,12 +50,12 @@ func New(cfg config.Firewall) (*Firewall, error) {
 		f.blockedCIDRs = append(f.blockedCIDRs, prefix)
 	}
 
-	for _, code := range cfg.BlockedCountries {
+	for _, code := range countries {
 		f.blockedCountries[strings.ToUpper(code)] = struct{}{}
 	}
 
-	if len(f.blockedCountries) > 0 {
-		if err := f.loadGeoDB(cfg.GeoIPDB); err != nil {
+	if len(f.blockedCountries) > 0 && geoIPPath != "" {
+		if err := f.loadGeoDB(geoIPPath); err != nil {
 			return nil, fmt.Errorf("loading GeoIP database: %w", err)
 		}
 	}

internal/firewall/firewall_test.go

@@ -3,12 +3,10 @@ package firewall
 import (
 	"net/netip"
 	"testing"
-
-	"git.wntrmute.dev/kyle/mc-proxy/internal/config"
 )
 
 func TestEmptyFirewall(t *testing.T) {
-	fw, err := New(config.Firewall{})
+	fw, err := New("", nil, nil, nil)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -24,9 +22,7 @@ func TestEmptyFirewall(t *testing.T) {
 }
 
 func TestIPBlocking(t *testing.T) {
-	fw, err := New(config.Firewall{
-		BlockedIPs: []string{"192.0.2.1", "2001:db8::dead"},
-	})
+	fw, err := New("", []string{"192.0.2.1", "2001:db8::dead"}, nil, nil)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -51,9 +47,7 @@ func TestIPBlocking(t *testing.T) {
 }
 
 func TestCIDRBlocking(t *testing.T) {
-	fw, err := New(config.Firewall{
-		BlockedCIDRs: []string{"198.51.100.0/24", "2001:db8::/32"},
-	})
+	fw, err := New("", nil, []string{"198.51.100.0/24", "2001:db8::/32"}, nil)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -79,15 +73,12 @@ func TestCIDRBlocking(t *testing.T) {
 }
 
 func TestIPv4MappedIPv6(t *testing.T) {
-	fw, err := New(config.Firewall{
-		BlockedIPs: []string{"192.0.2.1"},
-	})
+	fw, err := New("", []string{"192.0.2.1"}, nil, nil)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	defer fw.Close()
 
-	// IPv4-mapped IPv6 representation of 192.0.2.1.
 	addr := netip.MustParseAddr("::ffff:192.0.2.1")
 	if !fw.Blocked(addr) {
 		t.Fatal("expected IPv4-mapped IPv6 address to be blocked")
@@ -95,28 +86,21 @@ func TestIPv4MappedIPv6(t *testing.T) {
 }
 
 func TestInvalidIP(t *testing.T) {
-	_, err := New(config.Firewall{
-		BlockedIPs: []string{"not-an-ip"},
-	})
+	_, err := New("", []string{"not-an-ip"}, nil, nil)
 	if err == nil {
 		t.Fatal("expected error for invalid IP")
 	}
 }
 
 func TestInvalidCIDR(t *testing.T) {
-	_, err := New(config.Firewall{
-		BlockedCIDRs: []string{"not-a-cidr"},
-	})
+	_, err := New("", nil, []string{"not-a-cidr"}, nil)
 	if err == nil {
 		t.Fatal("expected error for invalid CIDR")
 	}
 }
 
 func TestCombinedRules(t *testing.T) {
-	fw, err := New(config.Firewall{
-		BlockedIPs:   []string{"10.0.0.1"},
-		BlockedCIDRs: []string{"192.168.0.0/16"},
-	})
+	fw, err := New("", []string{"10.0.0.1"}, []string{"192.168.0.0/16"}, nil)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -126,10 +110,10 @@ func TestCombinedRules(t *testing.T) {
 		addr    string
 		blocked bool
 	}{
-		{"10.0.0.1", true},   // IP match
-		{"10.0.0.2", false},  // no match
-		{"192.168.1.1", true}, // CIDR match
-		{"172.16.0.1", false}, // no match
+		{"10.0.0.1", true},
+		{"10.0.0.2", false},
+		{"192.168.1.1", true},
+		{"172.16.0.1", false},
 	}
 
 	for _, tt := range tests {
@@ -139,3 +123,30 @@ func TestCombinedRules(t *testing.T) {
 		}
 	}
 }
+
+func TestRuntimeMutation(t *testing.T) {
+	fw, err := New("", nil, nil, nil)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	defer fw.Close()
+
+	addr := netip.MustParseAddr("10.0.0.1")
+	if fw.Blocked(addr) {
+		t.Fatal("should not be blocked initially")
+	}
+
+	if err := fw.AddIP("10.0.0.1"); err != nil {
+		t.Fatalf("add IP: %v", err)
+	}
+	if !fw.Blocked(addr) {
+		t.Fatal("should be blocked after AddIP")
+	}
+
+	if err := fw.RemoveIP("10.0.0.1"); err != nil {
+		t.Fatalf("remove IP: %v", err)
+	}
+	if fw.Blocked(addr) {
+		t.Fatal("should not be blocked after RemoveIP")
+	}
+}

internal/grpcserver/grpcserver.go

@@ -8,6 +8,7 @@ import (
 	"log/slog"
 	"net"
 	"os"
+	"strings"
 
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
@@ -17,6 +18,7 @@ import (
 
 	pb "git.wntrmute.dev/kyle/mc-proxy/gen/mc-proxy/v1"
 	"git.wntrmute.dev/kyle/mc-proxy/internal/config"
+	"git.wntrmute.dev/kyle/mc-proxy/internal/db"
 	"git.wntrmute.dev/kyle/mc-proxy/internal/server"
 )
 
@@ -24,11 +26,12 @@ import (
 type AdminServer struct {
 	pb.UnimplementedProxyAdminServer
 	srv    *server.Server
+	store  *db.Store
 	logger *slog.Logger
 }
 
 // New creates a gRPC server with TLS and optional mTLS.
-func New(cfg config.GRPC, srv *server.Server, logger *slog.Logger) (*grpc.Server, net.Listener, error) {
+func New(cfg config.GRPC, srv *server.Server, store *db.Store, logger *slog.Logger) (*grpc.Server, net.Listener, error) {
 	cert, err := tls.LoadX509KeyPair(cfg.TLSCert, cfg.TLSKey)
 	if err != nil {
 		return nil, nil, fmt.Errorf("loading TLS keypair: %w", err)
@@ -39,7 +42,6 @@ func New(cfg config.GRPC, srv *server.Server, logger *slog.Logger) (*grpc.Server
 		MinVersion:   tls.VersionTLS13,
 	}
 
-	// mTLS: require and verify client certificates.
 	if cfg.ClientCA != "" {
 		caCert, err := os.ReadFile(cfg.ClientCA)
 		if err != nil {
@@ -58,6 +60,7 @@ func New(cfg config.GRPC, srv *server.Server, logger *slog.Logger) (*grpc.Server
 
 	admin := &AdminServer{
 		srv:    srv,
+		store:  store,
 		logger: logger,
 	}
 	pb.RegisterProxyAdminServer(grpcServer, admin)
@@ -90,7 +93,7 @@ func (a *AdminServer) ListRoutes(_ context.Context, req *pb.ListRoutesRequest) (
 	return resp, nil
 }
 
-// AddRoute adds a route to a listener's route table.
+// AddRoute writes to the database first, then updates in-memory state.
 func (a *AdminServer) AddRoute(_ context.Context, req *pb.AddRouteRequest) (*pb.AddRouteResponse, error) {
 	if req.Route == nil {
 		return nil, status.Error(codes.InvalidArgument, "route is required")
@@ -104,15 +107,23 @@ func (a *AdminServer) AddRoute(_ context.Context, req *pb.AddRouteRequest) (*pb.
 		return nil, err
 	}
 
-	if err := ls.AddRoute(req.Route.Hostname, req.Route.Backend); err != nil {
+	hostname := strings.ToLower(req.Route.Hostname)
+
+	// Write-through: DB first, then memory.
+	if _, err := a.store.CreateRoute(ls.ID, hostname, req.Route.Backend); err != nil {
 		return nil, status.Errorf(codes.AlreadyExists, "%v", err)
 	}
 
-	a.logger.Info("route added", "listener", ls.Addr, "hostname", req.Route.Hostname, "backend", req.Route.Backend)
+	if err := ls.AddRoute(hostname, req.Route.Backend); err != nil {
+		// DB succeeded but memory failed (should not happen since DB enforces uniqueness).
+		a.logger.Error("inconsistency: DB write succeeded but memory update failed", "error", err)
+	}
+
+	a.logger.Info("route added", "listener", ls.Addr, "hostname", hostname, "backend", req.Route.Backend)
 	return &pb.AddRouteResponse{}, nil
 }
 
-// RemoveRoute removes a route from a listener's route table.
+// RemoveRoute writes to the database first, then updates in-memory state.
 func (a *AdminServer) RemoveRoute(_ context.Context, req *pb.RemoveRouteRequest) (*pb.RemoveRouteResponse, error) {
 	if req.Hostname == "" {
 		return nil, status.Error(codes.InvalidArgument, "hostname is required")
@@ -123,11 +134,17 @@ func (a *AdminServer) RemoveRoute(_ context.Context, req *pb.RemoveRouteRequest)
 		return nil, err
 	}
 
-	if err := ls.RemoveRoute(req.Hostname); err != nil {
+	hostname := strings.ToLower(req.Hostname)
+
+	if err := a.store.DeleteRoute(ls.ID, hostname); err != nil {
 		return nil, status.Errorf(codes.NotFound, "%v", err)
 	}
 
-	a.logger.Info("route removed", "listener", ls.Addr, "hostname", req.Hostname)
+	if err := ls.RemoveRoute(hostname); err != nil {
+		a.logger.Error("inconsistency: DB delete succeeded but memory update failed", "error", err)
+	}
+
+	a.logger.Info("route removed", "listener", ls.Addr, "hostname", hostname)
 	return &pb.RemoveRouteResponse{}, nil
 }
 
@@ -158,61 +175,74 @@ func (a *AdminServer) GetFirewallRules(_ context.Context, _ *pb.GetFirewallRules
 	return &pb.GetFirewallRulesResponse{Rules: rules}, nil
 }
 
-// AddFirewallRule adds a firewall rule.
+// AddFirewallRule writes to the database first, then updates in-memory state.
 func (a *AdminServer) AddFirewallRule(_ context.Context, req *pb.AddFirewallRuleRequest) (*pb.AddFirewallRuleResponse, error) {
 	if req.Rule == nil {
 		return nil, status.Error(codes.InvalidArgument, "rule is required")
 	}
 
-	fw := a.srv.Firewall()
-	switch req.Rule.Type {
-	case pb.FirewallRuleType_FIREWALL_RULE_TYPE_IP:
-		if err := fw.AddIP(req.Rule.Value); err != nil {
-			return nil, status.Errorf(codes.InvalidArgument, "%v", err)
-		}
-	case pb.FirewallRuleType_FIREWALL_RULE_TYPE_CIDR:
-		if err := fw.AddCIDR(req.Rule.Value); err != nil {
-			return nil, status.Errorf(codes.InvalidArgument, "%v", err)
-		}
-	case pb.FirewallRuleType_FIREWALL_RULE_TYPE_COUNTRY:
-		if req.Rule.Value == "" {
-			return nil, status.Error(codes.InvalidArgument, "country code is required")
-		}
-		fw.AddCountry(req.Rule.Value)
-	default:
-		return nil, status.Error(codes.InvalidArgument, "unknown rule type")
+	ruleType, err := protoRuleTypeToString(req.Rule.Type)
+	if err != nil {
+		return nil, err
 	}
 
-	a.logger.Info("firewall rule added", "type", req.Rule.Type, "value", req.Rule.Value)
+	if req.Rule.Value == "" {
+		return nil, status.Error(codes.InvalidArgument, "value is required")
+	}
+
+	// Write-through: DB first, then memory.
+	if _, err := a.store.CreateFirewallRule(ruleType, req.Rule.Value); err != nil {
+		return nil, status.Errorf(codes.AlreadyExists, "%v", err)
+	}
+
+	fw := a.srv.Firewall()
+	switch ruleType {
+	case "ip":
+		if err := fw.AddIP(req.Rule.Value); err != nil {
+			a.logger.Error("inconsistency: DB write succeeded but memory update failed", "error", err)
+		}
+	case "cidr":
+		if err := fw.AddCIDR(req.Rule.Value); err != nil {
+			a.logger.Error("inconsistency: DB write succeeded but memory update failed", "error", err)
+		}
+	case "country":
+		fw.AddCountry(req.Rule.Value)
+	}
+
+	a.logger.Info("firewall rule added", "type", ruleType, "value", req.Rule.Value)
 	return &pb.AddFirewallRuleResponse{}, nil
 }
 
-// RemoveFirewallRule removes a firewall rule.
+// RemoveFirewallRule writes to the database first, then updates in-memory state.
 func (a *AdminServer) RemoveFirewallRule(_ context.Context, req *pb.RemoveFirewallRuleRequest) (*pb.RemoveFirewallRuleResponse, error) {
 	if req.Rule == nil {
 		return nil, status.Error(codes.InvalidArgument, "rule is required")
 	}
 
-	fw := a.srv.Firewall()
-	switch req.Rule.Type {
-	case pb.FirewallRuleType_FIREWALL_RULE_TYPE_IP:
-		if err := fw.RemoveIP(req.Rule.Value); err != nil {
-			return nil, status.Errorf(codes.InvalidArgument, "%v", err)
-		}
-	case pb.FirewallRuleType_FIREWALL_RULE_TYPE_CIDR:
-		if err := fw.RemoveCIDR(req.Rule.Value); err != nil {
-			return nil, status.Errorf(codes.InvalidArgument, "%v", err)
-		}
-	case pb.FirewallRuleType_FIREWALL_RULE_TYPE_COUNTRY:
-		if req.Rule.Value == "" {
-			return nil, status.Error(codes.InvalidArgument, "country code is required")
-		}
-		fw.RemoveCountry(req.Rule.Value)
-	default:
-		return nil, status.Error(codes.InvalidArgument, "unknown rule type")
+	ruleType, err := protoRuleTypeToString(req.Rule.Type)
+	if err != nil {
+		return nil, err
 	}
 
-	a.logger.Info("firewall rule removed", "type", req.Rule.Type, "value", req.Rule.Value)
+	if err := a.store.DeleteFirewallRule(ruleType, req.Rule.Value); err != nil {
+		return nil, status.Errorf(codes.NotFound, "%v", err)
+	}
+
+	fw := a.srv.Firewall()
+	switch ruleType {
+	case "ip":
+		if err := fw.RemoveIP(req.Rule.Value); err != nil {
+			a.logger.Error("inconsistency: DB delete succeeded but memory update failed", "error", err)
+		}
+	case "cidr":
+		if err := fw.RemoveCIDR(req.Rule.Value); err != nil {
+			a.logger.Error("inconsistency: DB delete succeeded but memory update failed", "error", err)
+		}
+	case "country":
+		fw.RemoveCountry(req.Rule.Value)
+	}
+
+	a.logger.Info("firewall rule removed", "type", ruleType, "value", req.Rule.Value)
 	return &pb.RemoveFirewallRuleResponse{}, nil
 }
 
@@ -244,3 +274,16 @@ func (a *AdminServer) findListener(addr string) (*server.ListenerState, error) {
 	}
 	return nil, status.Errorf(codes.NotFound, "listener %q not found", addr)
 }
+
+func protoRuleTypeToString(t pb.FirewallRuleType) (string, error) {
+	switch t {
+	case pb.FirewallRuleType_FIREWALL_RULE_TYPE_IP:
+		return "ip", nil
+	case pb.FirewallRuleType_FIREWALL_RULE_TYPE_CIDR:
+		return "cidr", nil
+	case pb.FirewallRuleType_FIREWALL_RULE_TYPE_COUNTRY:
+		return "country", nil
+	default:
+		return "", status.Error(codes.InvalidArgument, "unknown rule type")
+	}
+}

internal/server/server.go

@@ -19,6 +19,7 @@ import (
 
 // ListenerState holds the mutable state for a single proxy listener.
 type ListenerState struct {
+	ID                int64 // database primary key
 	Addr              string
 	routes            map[string]string // lowercase hostname → backend addr
 	mu                sync.RWMutex
@@ -75,6 +76,13 @@ func (ls *ListenerState) lookupRoute(hostname string) (string, bool) {
 	return backend, ok
 }
 
+// ListenerData holds the data needed to construct a ListenerState.
+type ListenerData struct {
+	ID     int64
+	Addr   string
+	Routes map[string]string // lowercase hostname → backend
+}
+
 // Server is the mc-proxy server. It manages listeners, firewall evaluation,
 // SNI-based routing, and bidirectional proxying.
 type Server struct {
@@ -82,27 +90,19 @@ type Server struct {
 	fw        *firewall.Firewall
 	listeners []*ListenerState
 	logger    *slog.Logger
-	wg        sync.WaitGroup // tracks active connections
+	wg        sync.WaitGroup
 	startedAt time.Time
 	version   string
 }
 
-// New creates a Server from the given configuration.
-func New(cfg *config.Config, logger *slog.Logger, version string) (*Server, error) {
-	fw, err := firewall.New(cfg.Firewall)
-	if err != nil {
-		return nil, fmt.Errorf("initializing firewall: %w", err)
-	}
-
+// New creates a Server from pre-loaded data.
+func New(cfg *config.Config, fw *firewall.Firewall, listenerData []ListenerData, logger *slog.Logger, version string) *Server {
 	var listeners []*ListenerState
-	for _, lcfg := range cfg.Listeners {
-		routes := make(map[string]string, len(lcfg.Routes))
-		for _, r := range lcfg.Routes {
-			routes[strings.ToLower(r.Hostname)] = r.Backend
-		}
+	for _, ld := range listenerData {
 		listeners = append(listeners, &ListenerState{
-			Addr:   lcfg.Addr,
-			routes: routes,
+			ID:     ld.ID,
+			Addr:   ld.Addr,
+			routes: ld.Routes,
 		})
 	}
 
@@ -112,7 +112,7 @@ func New(cfg *config.Config, logger *slog.Logger, version string) (*Server, erro
 		listeners: listeners,
 		logger:    logger,
 		version:   version,
-	}, nil
+	}
 }
 
 // Firewall returns the server's firewall for use by the gRPC admin API.
@@ -162,23 +162,19 @@ func (s *Server) Run(ctx context.Context) error {
 		netListeners = append(netListeners, ln)
 	}
 
-	// Start accept loops.
 	for i, ln := range netListeners {
 		ln := ln
 		ls := s.listeners[i]
 		go s.serve(ctx, ln, ls)
 	}
 
-	// Block until shutdown signal.
 	<-ctx.Done()
 	s.logger.Info("shutting down")
 
-	// Stop accepting new connections.
 	for _, ln := range netListeners {
 		ln.Close()
 	}
 
-	// Wait for in-flight connections with a timeout.
 	done := make(chan struct{})
 	go func() {
 		s.wg.Wait()