Deploy sgardd to rift and add persistent remote config.

Deployment: Dockerfile + docker-compose for sgardd on rift behind mc-proxy
(L4 SNI passthrough on :9443, multiplexed with metacrypt gRPC). TLS via
Metacrypt-issued cert, SSH-key auth.

CLI: `sgard remote set/show` saves addr, TLS, and CA path to
<repo>/remote.yaml so push/pull work without flags.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cmd/sgard/main.go

@@ -37,28 +37,49 @@ func defaultRepo() string {
 	return filepath.Join(home, ".sgard")
 }
 
-// resolveRemote returns the remote address from flag, env, or repo config file.
-func resolveRemote() (string, error) {
-	if remoteFlag != "" {
-		return remoteFlag, nil
+// resolveRemoteConfig returns the effective remote address, TLS flag, and CA
+// path by merging CLI flags, environment, and the saved remote.yaml config.
+// CLI flags take precedence, then env, then the saved config.
+func resolveRemoteConfig() (addr string, useTLS bool, caPath string, err error) {
+	// Start with saved config as baseline.
+	saved, _ := loadRemoteConfig()
+
+	// Address: flag > env > saved > legacy file.
+	addr = remoteFlag
+	if addr == "" {
+		addr = os.Getenv("SGARD_REMOTE")
 	}
-	if env := os.Getenv("SGARD_REMOTE"); env != "" {
-		return env, nil
+	if addr == "" && saved != nil {
+		addr = saved.Addr
 	}
-	// Try <repo>/remote file.
-	data, err := os.ReadFile(filepath.Join(repoFlag, "remote"))
-	if err == nil {
-		addr := strings.TrimSpace(string(data))
-		if addr != "" {
-			return addr, nil
+	if addr == "" {
+		data, ferr := os.ReadFile(filepath.Join(repoFlag, "remote"))
+		if ferr == nil {
+			addr = strings.TrimSpace(string(data))
 		}
 	}
-	return "", fmt.Errorf("no remote configured; use --remote, SGARD_REMOTE, or create %s/remote", repoFlag)
+	if addr == "" {
+		return "", false, "", fmt.Errorf("no remote configured; use 'sgard remote set' or --remote")
+	}
+
+	// TLS: flag wins if explicitly set, otherwise use saved.
+	useTLS = tlsFlag
+	if !useTLS && saved != nil {
+		useTLS = saved.TLS
+	}
+
+	// CA: flag wins if set, otherwise use saved.
+	caPath = tlsCAFlag
+	if caPath == "" && saved != nil {
+		caPath = saved.TLSCA
+	}
+
+	return addr, useTLS, caPath, nil
 }
 
 // dialRemote creates a gRPC client with token-based auth and auto-renewal.
 func dialRemote(ctx context.Context) (*client.Client, func(), error) {
-	addr, err := resolveRemote()
+	addr, useTLS, caPath, err := resolveRemoteConfig()
 	if err != nil {
 		return nil, nil, err
 	}
@@ -72,16 +93,16 @@ func dialRemote(ctx context.Context) (*client.Client, func(), error) {
 	creds := client.NewTokenCredentials(cachedToken)
 
 	var transportCreds grpc.DialOption
-	if tlsFlag {
+	if useTLS {
 		tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
-		if tlsCAFlag != "" {
-			caPEM, err := os.ReadFile(tlsCAFlag)
+		if caPath != "" {
+			caPEM, err := os.ReadFile(caPath)
 			if err != nil {
 				return nil, nil, fmt.Errorf("reading CA cert: %w", err)
 			}
 			pool := x509.NewCertPool()
 			if !pool.AppendCertsFromPEM(caPEM) {
-				return nil, nil, fmt.Errorf("failed to parse CA cert %s", tlsCAFlag)
+				return nil, nil, fmt.Errorf("failed to parse CA cert %s", caPath)
 			}
 			tlsCfg.RootCAs = pool
 		}

cmd/sgard/prune.go

@@ -13,7 +13,7 @@ var pruneCmd = &cobra.Command{
 	Short: "Remove orphaned blobs not referenced by the manifest",
 	Long:  "Remove orphaned blobs locally, or on the remote server with --remote.",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		addr, _ := resolveRemote()
+		addr, _, _, _ := resolveRemoteConfig()
 
 		if addr != "" {
 			return pruneRemote()

cmd/sgard/remote.go

@@ -0,0 +1,97 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/spf13/cobra"
+	"gopkg.in/yaml.v3"
+)
+
+type remoteConfig struct {
+	Addr  string `yaml:"addr"`
+	TLS   bool   `yaml:"tls"`
+	TLSCA string `yaml:"tls_ca,omitempty"`
+}
+
+func remoteConfigPath() string {
+	return filepath.Join(repoFlag, "remote.yaml")
+}
+
+func loadRemoteConfig() (*remoteConfig, error) {
+	data, err := os.ReadFile(remoteConfigPath())
+	if err != nil {
+		return nil, err
+	}
+	var cfg remoteConfig
+	if err := yaml.Unmarshal(data, &cfg); err != nil {
+		return nil, fmt.Errorf("parsing remote config: %w", err)
+	}
+	return &cfg, nil
+}
+
+func saveRemoteConfig(cfg *remoteConfig) error {
+	data, err := yaml.Marshal(cfg)
+	if err != nil {
+		return fmt.Errorf("encoding remote config: %w", err)
+	}
+	return os.WriteFile(remoteConfigPath(), data, 0o644)
+}
+
+var remoteCmd = &cobra.Command{
+	Use:   "remote",
+	Short: "Manage default remote server",
+}
+
+var remoteSetCmd = &cobra.Command{
+	Use:   "set <addr>",
+	Short: "Set the default remote address",
+	Args:  cobra.ExactArgs(1),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		cfg := &remoteConfig{
+			Addr:  args[0],
+			TLS:   tlsFlag,
+			TLSCA: tlsCAFlag,
+		}
+		if err := saveRemoteConfig(cfg); err != nil {
+			return err
+		}
+		fmt.Printf("Remote set: %s", cfg.Addr)
+		if cfg.TLS {
+			fmt.Print(" (TLS")
+			if cfg.TLSCA != "" {
+				fmt.Printf(", CA: %s", cfg.TLSCA)
+			}
+			fmt.Print(")")
+		}
+		fmt.Println()
+		return nil
+	},
+}
+
+var remoteShowCmd = &cobra.Command{
+	Use:   "show",
+	Short: "Show the configured remote",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		cfg, err := loadRemoteConfig()
+		if err != nil {
+			if os.IsNotExist(err) {
+				fmt.Println("No remote configured.")
+				return nil
+			}
+			return err
+		}
+		fmt.Printf("addr:   %s\n", cfg.Addr)
+		fmt.Printf("tls:    %v\n", cfg.TLS)
+		if cfg.TLSCA != "" {
+			fmt.Printf("tls-ca: %s\n", cfg.TLSCA)
+		}
+		return nil
+	},
+}
+
+func init() {
+	remoteCmd.AddCommand(remoteSetCmd, remoteShowCmd)
+	rootCmd.AddCommand(remoteCmd)
+}