chore(aur): improve AUR SSH key handling logic

* Improve SSH key handling with support for raw, escaped, and base64-encoded keys
* Add validation for AUR_SSH_KEY to ensure it's a valid private key
* Update SSH command options for better security and reliability

.gitea/workflows/release.yml

@@ -4,6 +4,11 @@ on:
   push:
     tags:
       - 'v*'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Tag to release (e.g. v1.2.3)'
+        required: true
 
 jobs:
   test:
@@ -35,7 +40,7 @@ jobs:
 
       - name: Build release binaries
         run: |
-          VERSION="${GITHUB_REF_NAME}"
+          VERSION="${{ github.event.inputs.tag || github.ref_name }}"
           for target in "linux/amd64" "linux/arm64" "darwin/amd64" "darwin/arm64" "windows/amd64"; do
             GOOS="${target%/*}"
             GOARCH="${target#*/}"
@@ -49,9 +54,236 @@ jobs:
           done
 
       - name: Create release and upload assets
-        uses: softprops/action-gh-release@v2
-        with:
-          files: unitdore-*
-          generate_release_notes: true
+        run: |
+          TAG="${{ github.event.inputs.tag || github.ref_name }}"
+          API="${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/releases"
+
+          # Collect commits since the previous tag (or last 20 if no prior tag)
+          PREV_TAG=$(git tag --sort=-version:refname | grep -v "^${TAG}$" | head -1)
+          if [ -n "$PREV_TAG" ]; then
+            RANGE="${PREV_TAG}..${TAG}"
+          else
+            RANGE="HEAD~20..HEAD"
+          fi
+          NOTES=$(git log "$RANGE" --pretty=format:"- %s" --no-merges)
+          BODY="## What's changed"$'\n'"${NOTES}"
+
+          # Escape for JSON
+          BODY_JSON=$(printf '%s' "$BODY" | python3 -c 'import json,sys; print(json.dumps(sys.stdin.read()))')
+
+          RELEASE=$(curl -s -X POST "$API" \
+            -H "Authorization: token ${GITHUB_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "{\"tag_name\":\"${TAG}\",\"name\":\"${TAG}\",\"body\":${BODY_JSON}}")
+
+          UPLOAD_URL=$(echo "$RELEASE" | grep -o '"upload_url":"[^"]*"' | cut -d'"' -f4)
+          if [ -z "$UPLOAD_URL" ]; then
+            echo "Failed to create release: $RELEASE"
+            exit 1
+          fi
+
+          for f in unitdore-*; do
+            echo "Uploading $f..."
+            curl -s -X POST "${UPLOAD_URL}?name=${f}" \
+              -H "Authorization: token ${GITHUB_TOKEN}" \
+              -H "Content-Type: application/octet-stream" \
+              --data-binary "@${f}" > /dev/null
+          done
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  pkg-aur:
+    needs: release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Publish to AUR
+        env:
+          AUR_SSH_KEY: ${{ secrets.AUR_SSH_KEY }}
+        run: |
+          set -euo pipefail
+
+          VERSION="${{ github.event.inputs.tag || github.ref_name }}"
+          PKGVER="${VERSION#v}"
+          AUR_KEY_PATH="$HOME/.ssh/aur"
+          AUR_KNOWN_HOSTS="$HOME/.ssh/known_hosts"
+
+          # Setup SSH for AUR
+          mkdir -p ~/.ssh
+          chmod 700 ~/.ssh
+
+          if [ -z "${AUR_SSH_KEY:-}" ]; then
+            echo "AUR_SSH_KEY is empty"
+            exit 1
+          fi
+
+          # Support raw multiline keys, escaped \\n secrets, or base64-encoded keys.
+          CLEAN_AUR_SSH_KEY="$(printf '%s' "$AUR_SSH_KEY" | tr -d '\r')"
+          if printf '%s' "$CLEAN_AUR_SSH_KEY" | grep -q "^-----BEGIN .*PRIVATE KEY-----$"; then
+            printf '%s\n' "$CLEAN_AUR_SSH_KEY" > "$AUR_KEY_PATH"
+          elif printf '%s' "$CLEAN_AUR_SSH_KEY" | grep -q '\\n'; then
+            printf '%b\n' "$CLEAN_AUR_SSH_KEY" > "$AUR_KEY_PATH"
+          else
+            if printf '%s' "$CLEAN_AUR_SSH_KEY" | tr -d '[:space:]' | base64 --decode > "$AUR_KEY_PATH" 2>/dev/null; then
+              :
+            else
+              printf '%s\n' "$CLEAN_AUR_SSH_KEY" > "$AUR_KEY_PATH"
+            fi
+          fi
+          chmod 600 "$AUR_KEY_PATH"
+
+          if ! ssh-keygen -y -f "$AUR_KEY_PATH" >/dev/null 2>&1; then
+            echo "AUR_SSH_KEY is not a valid private key."
+            echo "Store it as a raw private key, an escaped private key with \\n, or a base64-encoded private key."
+            exit 1
+          fi
+
+          ssh-keyscan -t rsa,ed25519 aur.archlinux.org >> "$AUR_KNOWN_HOSTS"
+          chmod 644 "$AUR_KNOWN_HOSTS"
+
+          # Clone AUR repo
+          GIT_SSH_COMMAND="ssh -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$AUR_KNOWN_HOSTS -i $AUR_KEY_PATH" \
+            git clone ssh://aur@aur.archlinux.org/unitdore.git aur-repo
+
+          # Compute SHA256 of the release tarball (same URL the PKGBUILD will download)
+          SHA=$(curl -fsSL "https://git.warky.dev/wdevs/unitdore/archive/v${PKGVER}.zip" | sha256sum | cut -d' ' -f1)
+
+          # Update PKGBUILD — keep remote source URL, only bump version and checksum
+          sed -e "s/^pkgver=.*/pkgver=${PKGVER}/" \
+              -e "s/^pkgrel=.*/pkgrel=1/" \
+              -e "s/^sha256sums=.*/sha256sums=('${SHA}')/" \
+              pkg/arch/PKGBUILD > aur-repo/PKGBUILD
+
+          # Generate .SRCINFO inside an Arch container (docker cp avoids DinD volume mount issues)
+          CID=$(docker run -d archlinux:latest sleep infinity)
+          docker cp aur-repo/PKGBUILD $CID:/build/PKGBUILD || (docker exec $CID mkdir -p /build && docker cp aur-repo/PKGBUILD $CID:/build/PKGBUILD)
+          docker exec $CID bash -c "
+            pacman -Sy --noconfirm base-devel &&
+            useradd -m builder &&
+            chown -R builder:builder /build &&
+            runuser -u builder -- bash -c 'cd /build && makepkg --printsrcinfo > .SRCINFO'
+          "
+          docker cp $CID:/build/.SRCINFO aur-repo/.SRCINFO
+          docker rm -f $CID
+
+          # Commit and push to AUR master
+          cd aur-repo
+          git config user.email "hein@warky.dev"
+          git config user.name "Hein"
+          git add PKGBUILD .SRCINFO
+          git commit -m "Update to v${PKGVER}"
+          GIT_SSH_COMMAND="ssh -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$AUR_KNOWN_HOSTS -i $AUR_KEY_PATH" \
+            git push origin HEAD:master
+
+  pkg-deb:
+    needs: release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Build Debian packages
+        run: |
+          VERSION="${{ github.event.inputs.tag || github.ref_name }}"
+          PKGVER="${VERSION#v}"
+
+          for GOARCH in amd64 arm64; do
+            GOOS=linux GOARCH=$GOARCH go build \
+              -trimpath \
+              -ldflags "-X main.version=${PKGVER}" \
+              -o unitdore .
+
+            PKGDIR="unitdore_${PKGVER}_${GOARCH}"
+            mkdir -p "${PKGDIR}/DEBIAN"
+            mkdir -p "${PKGDIR}/usr/bin"
+            mkdir -p "${PKGDIR}/usr/share/man/man1"
+            mkdir -p "${PKGDIR}/etc/unitdore"
+
+            install -m755 unitdore "${PKGDIR}/usr/bin/unitdore"
+            install -m644 docs/unitdore.1 "${PKGDIR}/usr/share/man/man1/unitdore.1"
+
+            sed -e "s/VERSION/${PKGVER}/" \
+                -e "s/ARCH/${GOARCH}/" \
+                pkg/debian/control > "${PKGDIR}/DEBIAN/control"
+
+            dpkg-deb --build --root-owner-group "${PKGDIR}"
+            echo "Built ${PKGDIR}.deb"
+          done
+
+      - name: Upload to release
+        run: |
+          TAG="${{ github.event.inputs.tag || github.ref_name }}"
+          RELEASE=$(curl -s "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}" \
+            -H "Authorization: token ${GITHUB_TOKEN}")
+          UPLOAD_URL=$(echo "$RELEASE" | grep -o '"upload_url":"[^"]*"' | cut -d'"' -f4)
+          for f in *.deb; do
+            FNAME=$(basename "$f")
+            echo "Uploading $FNAME..."
+            curl -s -X POST "${UPLOAD_URL}?name=${FNAME}" \
+              -H "Authorization: token ${GITHUB_TOKEN}" \
+              -H "Content-Type: application/octet-stream" \
+              --data-binary "@${f}" > /dev/null
+          done
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  pkg-rpm:
+    needs: release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Build RPM
+        run: |
+          VERSION="${{ github.event.inputs.tag || github.ref_name }}"
+          PKGVER="${VERSION#v}"
+
+          # Source tarball — prefix=unitdore-VERSION/ matches RPM %autosetup convention
+          git archive --format=tar.gz --prefix=unitdore-${PKGVER}/ HEAD \
+            > unitdore-${PKGVER}.tar.gz
+
+          # Patch spec version
+          sed -i "s/^Version:.*/Version:        ${PKGVER}/" pkg/centos/unitdore.spec
+
+          mkdir -p pkg/centos/out
+          docker run --rm \
+            -v "$PWD:/workspace" \
+            -v "$PWD/pkg/centos/out:/out" \
+            -w /workspace \
+            rockylinux:9 \
+            bash -c "
+              dnf install -y rpm-build git curl &&
+              GO_VER=\$(grep '^go ' /workspace/go.mod | awk '{print \$2}') &&
+              curl -fsSL https://go.dev/dl/go\${GO_VER}.linux-amd64.tar.gz | tar -C /usr/local -xz &&
+              export PATH=\$PATH:/usr/local/go/bin &&
+              mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS} &&
+              cp unitdore-${PKGVER}.tar.gz ~/rpmbuild/SOURCES/ &&
+              cp pkg/centos/unitdore.spec ~/rpmbuild/SPECS/ &&
+              rpmbuild --nodeps -ba ~/rpmbuild/SPECS/unitdore.spec &&
+              find ~/rpmbuild/RPMS -name '*.rpm' -exec cp {} /out/ \;
+            "
+
+      - name: Upload to release
+        run: |
+          TAG="${{ github.event.inputs.tag || github.ref_name }}"
+          RELEASE=$(curl -s "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}" \
+            -H "Authorization: token ${GITHUB_TOKEN}")
+          UPLOAD_URL=$(echo "$RELEASE" | grep -o '"upload_url":"[^"]*"' | cut -d'"' -f4)
+          for f in pkg/centos/out/*.rpm; do
+            FNAME=$(basename "$f")
+            echo "Uploading $FNAME..."
+            curl -s -X POST "${UPLOAD_URL}?name=${FNAME}" \
+              -H "Authorization: token ${GITHUB_TOKEN}" \
+              -H "Content-Type: application/octet-stream" \
+              --data-binary "@${f}" > /dev/null
+          done
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Makefile

@@ -12,16 +12,18 @@ all: build
 build:
 	go build $(LDFLAGS) -o $(BINARY) .
 
-## install: install binary and create config dir
+## install: install binary, man page, and create config dir
 install: build
 	install -Dm755 $(BINARY) $(INSTALL_DIR)/$(BINARY)
+	install -Dm644 docs/unitdore.1 /usr/share/man/man1/unitdore.1
 	mkdir -p $(CONFIG_DIR)
 	@echo "Installed to $(INSTALL_DIR)/$(BINARY)"
 	@echo "Config dir: $(CONFIG_DIR)"
 
-## uninstall: remove binary
+## uninstall: remove binary and man page
 uninstall:
 	rm -f $(INSTALL_DIR)/$(BINARY)
+	rm -f /usr/share/man/man1/unitdore.1
 	@echo "Removed $(INSTALL_DIR)/$(BINARY)"
 
 ## test: run all unit tests

cmd/edit.go

@@ -21,7 +21,15 @@ func init() {
 func runEdit(cmd *cobra.Command, args []string) error {
 	editor := os.Getenv("EDITOR")
 	if editor == "" {
-		editor = "vi"
+		for _, e := range []string{"nvim", "nano", "vi"} {
+			if _, err := exec.LookPath(e); err == nil {
+				editor = e
+				break
+			}
+		}
+	}
+	if editor == "" {
+		return fmt.Errorf("no editor found; set $EDITOR")
 	}
 	c := exec.Command(editor, configPath)
 	c.Stdin = os.Stdin

cmd/install.go

@@ -31,7 +31,7 @@ func runInstall(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	prefix, suffix := cfg.Prefix, cfg.Suffix
+	prefix, suffix, serviceUser := cfg.Prefix, cfg.Suffix, cfg.EffectiveServiceUser()
 	installed := 0
 	skipped := 0
 	removed := 0
@@ -57,7 +57,7 @@ func runInstall(cmd *cobra.Command, args []string) error {
 		}
 
 		if dryRun {
-			content, err := systemd.Generate(u, prefix, suffix)
+			content, err := systemd.Generate(u, prefix, suffix, serviceUser)
 			if err != nil {
 				fmt.Printf("  ✗ %s: %v\n", u.Name, err)
 				continue
@@ -68,7 +68,7 @@ func runInstall(cmd *cobra.Command, args []string) error {
 			continue
 		}
 
-		if err := systemd.Install(u, prefix, suffix); err != nil {
+		if err := systemd.Install(u, prefix, suffix, serviceUser); err != nil {
 			fmt.Printf("  ✗ failed: %s: %v\n", u.Name, err)
 		} else {
 			path, _ := systemd.UnitPath(u, prefix, suffix)

cmd/list.go

@@ -0,0 +1,89 @@
+package cmd
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"github.com/warkanum/unitdore/config"
+	"github.com/warkanum/unitdore/systemd"
+)
+
+var listCmd = &cobra.Command{
+	Use:   "list",
+	Short: "List all tracked units with service file locations",
+	RunE:  runList,
+}
+
+func init() {
+	rootCmd.AddCommand(listCmd)
+}
+
+func runList(cmd *cobra.Command, args []string) error {
+	cfg, err := config.Load(configPath)
+	if err != nil {
+		return err
+	}
+
+	if len(cfg.Units) == 0 {
+		fmt.Println("No units tracked. Run 'unitdore syncup' to discover containers.")
+		return nil
+	}
+
+	units := make([]config.Unit, len(cfg.Units))
+	copy(units, cfg.Units)
+	sort.Slice(units, func(i, j int) bool {
+		if units[i].Order != units[j].Order {
+			return units[i].Order < units[j].Order
+		}
+		return units[i].Name < units[j].Name
+	})
+
+	prefix, suffix := cfg.Prefix, cfg.Suffix
+
+	type row struct{ name, runtime, enabled, installed, path string }
+
+	rows := make([]row, 0, len(units))
+	for _, u := range units {
+		enabled := "yes"
+		if !u.Enabled {
+			enabled = "no"
+		}
+
+		installed := "no"
+		unitPath := "—"
+		if p, err := systemd.UnitPath(u, prefix, suffix); err == nil {
+			unitPath = p
+			if systemd.IsInstalled(u, prefix, suffix) {
+				installed = "yes"
+			}
+		}
+
+		rows = append(rows, row{u.Name, u.Runtime, enabled, installed, unitPath})
+	}
+
+	cols := []string{"NAME", "RUNTIME", "ENABLED", "INSTALLED", "SERVICE FILE"}
+	widths := make([]int, len(cols))
+	for i, c := range cols {
+		widths[i] = len(c)
+	}
+	for _, r := range rows {
+		vals := []string{r.name, r.runtime, r.enabled, r.installed, r.path}
+		for i, v := range vals {
+			if len(v) > widths[i] {
+				widths[i] = len(v)
+			}
+		}
+	}
+
+	fmt.Println()
+	printRow(cols, widths)
+	fmt.Println(strings.Repeat("─", totalWidth(widths)))
+	for _, r := range rows {
+		printRow([]string{r.name, r.runtime, r.enabled, r.installed, r.path}, widths)
+	}
+	fmt.Println()
+
+	return nil
+}

cmd/start.go

@@ -0,0 +1,46 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/warkanum/unitdore/config"
+	"github.com/warkanum/unitdore/systemd"
+)
+
+var startCmd = &cobra.Command{
+	Use:   "start <name>",
+	Short: "Start a unit by name",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runStart,
+}
+
+func init() {
+	rootCmd.AddCommand(startCmd)
+}
+
+func runStart(cmd *cobra.Command, args []string) error {
+	cfg, err := config.Load(configPath)
+	if err != nil {
+		return err
+	}
+
+	name := args[0]
+	u := cfg.FindUnit(name)
+	if u == nil {
+		return fmt.Errorf("unit %q not found", name)
+	}
+
+	prefix, suffix := cfg.Prefix, cfg.Suffix
+
+	if !systemd.IsInstalled(*u, prefix, suffix) {
+		return fmt.Errorf("%s is not installed — run 'unitdore install' first", name)
+	}
+
+	fmt.Printf("  ▶ starting %s...\n", systemd.ServiceName(*u, prefix, suffix))
+	if err := systemd.Start(*u, prefix, suffix); err != nil {
+		return err
+	}
+	fmt.Printf("  ✓ started: %s\n", name)
+	return nil
+}

cmd/startall.go

@@ -9,19 +9,19 @@ import (
 	"github.com/warkanum/unitdore/systemd"
 )
 
-var activeCmd = &cobra.Command{
-	Use:   "active",
+var startallCmd = &cobra.Command{
+	Use:   "startall",
 	Short: "Enable and start all installed, enabled units",
-	Long: `Active runs 'systemctl enable --now' for all enabled units that have
+	Long: `Startall runs 'systemctl enable --now' for all enabled units that have
 been installed. Units must be installed first via 'unitdore install'.`,
-	RunE: runActive,
+	RunE: runStartall,
 }
 
 func init() {
-	rootCmd.AddCommand(activeCmd)
+	rootCmd.AddCommand(startallCmd)
 }
 
-func runActive(cmd *cobra.Command, args []string) error {
+func runStartall(cmd *cobra.Command, args []string) error {
 	cfg, err := config.Load(configPath)
 	if err != nil {
 		return err
@@ -29,7 +29,6 @@ func runActive(cmd *cobra.Command, args []string) error {
 
 	prefix, suffix := cfg.Prefix, cfg.Suffix
 
-	// Sort by order then name for deterministic startup sequence
 	units := make([]config.Unit, len(cfg.Units))
 	copy(units, cfg.Units)
 	sort.Slice(units, func(i, j int) bool {
@@ -50,7 +49,7 @@ func runActive(cmd *cobra.Command, args []string) error {
 			fmt.Printf("  ! %s: not installed — run 'unitdore install' first\n", u.Name)
 			continue
 		}
-		fmt.Printf("  ▶ enabling: %s...\n", systemd.ServiceName(u, prefix, suffix))
+		fmt.Printf("  ▶ starting: %s...\n", systemd.ServiceName(u, prefix, suffix))
 		if err := systemd.Enable(u, prefix, suffix); err != nil {
 			fmt.Printf("  ✗ failed: %s: %v\n", u.Name, err)
 			failed++

cmd/stop.go

@@ -0,0 +1,46 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/warkanum/unitdore/config"
+	"github.com/warkanum/unitdore/systemd"
+)
+
+var stopCmd = &cobra.Command{
+	Use:   "stop <name>",
+	Short: "Stop a unit by name",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runStop,
+}
+
+func init() {
+	rootCmd.AddCommand(stopCmd)
+}
+
+func runStop(cmd *cobra.Command, args []string) error {
+	cfg, err := config.Load(configPath)
+	if err != nil {
+		return err
+	}
+
+	name := args[0]
+	u := cfg.FindUnit(name)
+	if u == nil {
+		return fmt.Errorf("unit %q not found", name)
+	}
+
+	prefix, suffix := cfg.Prefix, cfg.Suffix
+
+	if !systemd.IsInstalled(*u, prefix, suffix) {
+		return fmt.Errorf("%s is not installed", name)
+	}
+
+	fmt.Printf("  ■ stopping %s...\n", systemd.ServiceName(*u, prefix, suffix))
+	if err := systemd.Stop(*u, prefix, suffix); err != nil {
+		return err
+	}
+	fmt.Printf("  ✓ stopped: %s\n", name)
+	return nil
+}

cmd/stopall.go

@@ -0,0 +1,60 @@
+package cmd
+
+import (
+	"fmt"
+	"sort"
+
+	"github.com/spf13/cobra"
+	"github.com/warkanum/unitdore/config"
+	"github.com/warkanum/unitdore/systemd"
+)
+
+var stopallCmd = &cobra.Command{
+	Use:   "stopall",
+	Short: "Stop and disable all running managed units",
+	Long:  `Stopall runs 'systemctl disable --now' for all enabled, installed units.`,
+	RunE:  runStopall,
+}
+
+func init() {
+	rootCmd.AddCommand(stopallCmd)
+}
+
+func runStopall(cmd *cobra.Command, args []string) error {
+	cfg, err := config.Load(configPath)
+	if err != nil {
+		return err
+	}
+
+	prefix, suffix := cfg.Prefix, cfg.Suffix
+
+	// Reverse order for shutdown
+	units := make([]config.Unit, len(cfg.Units))
+	copy(units, cfg.Units)
+	sort.Slice(units, func(i, j int) bool {
+		if units[i].Order != units[j].Order {
+			return units[i].Order > units[j].Order
+		}
+		return units[i].Name > units[j].Name
+	})
+
+	stopped := 0
+	failed := 0
+
+	for _, u := range units {
+		if !systemd.IsInstalled(u, prefix, suffix) {
+			continue
+		}
+		fmt.Printf("  ■ stopping: %s...\n", systemd.ServiceName(u, prefix, suffix))
+		if err := systemd.Disable(u, prefix, suffix); err != nil {
+			fmt.Printf("  ✗ failed: %s: %v\n", u.Name, err)
+			failed++
+		} else {
+			fmt.Printf("  ✓ stopped: %s\n", u.Name)
+			stopped++
+		}
+	}
+
+	fmt.Printf("\nDone. Stopped: %d  Failed: %d\n", stopped, failed)
+	return nil
+}

cmd/syncup.go

@@ -31,6 +31,7 @@ func runSyncup(cmd *cobra.Command, args []string) error {
 	}
 
 	added := 0
+	unchanged := 0
 	discovered := map[string]bool{}
 
 	// Discover running containers across all runtimes
@@ -51,6 +52,8 @@ func runSyncup(cmd *cobra.Command, args []string) error {
 			if cfg.AddUnit(unit) {
 				fmt.Printf("  + added: %s (%s)\n", c.Name, c.Runtime)
 				added++
+			} else {
+				unchanged++
 			}
 		}
 	}
@@ -86,6 +89,6 @@ func runSyncup(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	fmt.Printf("\nDone. Added: %d  Disabled: %d  Re-enabled: %d\n", added, disabled, reenabled)
+	fmt.Printf("\nDone. Added: %d  Unchanged: %d  Disabled: %d  Re-enabled: %d\n", added, unchanged, disabled, reenabled)
 	return nil
 }

cmd/uninstall.go

@@ -0,0 +1,55 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/warkanum/unitdore/config"
+	"github.com/warkanum/unitdore/systemd"
+)
+
+var uninstallCmd = &cobra.Command{
+	Use:   "uninstall <name>",
+	Short: "Disable, stop, and remove the service file for a unit",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runUninstall,
+}
+
+func init() {
+	rootCmd.AddCommand(uninstallCmd)
+}
+
+func runUninstall(cmd *cobra.Command, args []string) error {
+	cfg, err := config.Load(configPath)
+	if err != nil {
+		return err
+	}
+
+	name := args[0]
+	u := cfg.FindUnit(name)
+	if u == nil {
+		return fmt.Errorf("unit %q not found", name)
+	}
+
+	prefix, suffix := cfg.Prefix, cfg.Suffix
+
+	if !systemd.IsInstalled(*u, prefix, suffix) {
+		return fmt.Errorf("%s is not installed", name)
+	}
+
+	svcName := systemd.ServiceName(*u, prefix, suffix)
+
+	fmt.Printf("  ■ disabling %s...\n", svcName)
+	if err := systemd.Disable(*u, prefix, suffix); err != nil {
+		return fmt.Errorf("disabling unit: %w", err)
+	}
+
+	path, _ := systemd.UnitPath(*u, prefix, suffix)
+	fmt.Printf("  ✗ removing %s...\n", path)
+	if err := systemd.Uninstall(*u, prefix, suffix); err != nil {
+		return fmt.Errorf("removing service file: %w", err)
+	}
+
+	fmt.Printf("  ✓ uninstalled: %s\n", name)
+	return nil
+}

cmd/update.go

@@ -0,0 +1,77 @@
+package cmd
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/warkanum/unitdore/config"
+	"github.com/warkanum/unitdore/systemd"
+)
+
+var (
+	updateOrder   int
+	updateEnable  bool
+	updateDisable bool
+)
+
+var updateCmd = &cobra.Command{
+	Use:   "update <name>",
+	Short: "Update a unit's config and recreate its service file",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runUpdate,
+}
+
+func init() {
+	updateCmd.Flags().IntVar(&updateOrder, "order", 0, "set startup order")
+	updateCmd.Flags().BoolVar(&updateEnable, "enable", false, "enable the unit")
+	updateCmd.Flags().BoolVar(&updateDisable, "disable", false, "disable the unit")
+	rootCmd.AddCommand(updateCmd)
+}
+
+func runUpdate(cmd *cobra.Command, args []string) error {
+	if updateEnable && updateDisable {
+		return errors.New("--enable and --disable are mutually exclusive")
+	}
+
+	cfg, err := config.Load(configPath)
+	if err != nil {
+		return err
+	}
+
+	name := args[0]
+	u := cfg.FindUnit(name)
+	if u == nil {
+		return fmt.Errorf("unit %q not found", name)
+	}
+
+	if cmd.Flags().Changed("order") {
+		u.Order = updateOrder
+		fmt.Printf("  order → %d\n", u.Order)
+	}
+	if updateEnable {
+		u.Enabled = true
+		u.DisabledReason = ""
+		fmt.Printf("  enabled\n")
+	}
+	if updateDisable {
+		u.Enabled = false
+		fmt.Printf("  disabled\n")
+	}
+
+	if err := cfg.Save(configPath); err != nil {
+		return err
+	}
+
+	prefix, suffix, serviceUser := cfg.Prefix, cfg.Suffix, cfg.EffectiveServiceUser()
+
+	if systemd.IsInstalled(*u, prefix, suffix) {
+		if err := systemd.Install(*u, prefix, suffix, serviceUser); err != nil {
+			return fmt.Errorf("recreating service file: %w", err)
+		}
+		path, _ := systemd.UnitPath(*u, prefix, suffix)
+		fmt.Printf("  ✓ service file recreated: %s\n", path)
+	}
+
+	return nil
+}

config/config.go

@@ -3,6 +3,7 @@ package config
 import (
 	"fmt"
 	"os"
+	"os/user"
 	"path/filepath"
 
 	"gopkg.in/yaml.v3"
@@ -24,9 +25,21 @@ type Unit struct {
 
 // Config is the root config structure.
 type Config struct {
-	Units  []Unit `yaml:"units"`
-	Prefix string `yaml:"prefix,omitempty"` // prepended to generated service name, e.g. "prod-"
-	Suffix string `yaml:"suffix,omitempty"` // appended to generated service name, e.g. "-svc"
+	Units       []Unit `yaml:"units"`
+	Prefix      string `yaml:"prefix,omitempty"`       // prepended to generated service name, e.g. "prod-"
+	Suffix      string `yaml:"suffix,omitempty"`       // appended to generated service name, e.g. "-svc"
+	ServiceUser string `yaml:"service_user,omitempty"` // User= in [Service] section; defaults to "unitdore"
+}
+
+// EffectiveServiceUser returns the configured service user, or the current OS user if unset.
+func (c *Config) EffectiveServiceUser() string {
+	if c.ServiceUser != "" {
+		return c.ServiceUser
+	}
+	if u, err := user.Current(); err == nil {
+		return u.Username
+	}
+	return "root"
 }
 
 // Load reads and parses the config file at path.

docs/unitdore.1

@@ -0,0 +1,143 @@
+.TH UNITDORE 1 "2026-04-08" "0.1.0" "User Commands"
+.SH NAME
+unitdore \- manage container units via systemd
+.SH SYNOPSIS
+.B unitdore
+[\fB\-\-config\fR \fIpath\fR]
+\fIcommand\fR
+[\fIarguments\fR]
+.SH DESCRIPTION
+.B unitdore
+bridges your container runtime (Podman, Docker) and systemd.
+It discovers running containers, stores them in a config file, and generates
+and manages systemd \fI.service\fR units for each one.
+.SH OPTIONS
+.TP
+.BR \-\-config " " \fIpath\fR
+Path to the units config file. Default: \fI/etc/unitdore/units.yaml\fR
+.SH COMMANDS
+.TP
+.B syncup
+Query all available runtimes for running containers and add any new ones to
+the config. Reconciles existing entries: if a configured unit's container no
+longer exists it is marked disabled with a reason.
+.TP
+.B install
+Generate \fI.service\fR files for all enabled units and write them to the
+appropriate systemd directory. Use \fB\-\-dry\-run\fR to preview without writing.
+.TP
+.B uninstall \fIname\fR
+Disable, stop, and remove the service file for a specific unit.
+.TP
+.B startall
+Run \fBsystemctl enable \-\-now\fR for all enabled, installed units in startup
+order.
+.TP
+.B stopall
+Run \fBsystemctl disable \-\-now\fR for all installed units in reverse startup
+order.
+.TP
+.B start \fIname\fR
+Start a specific unit by name (\fBsystemctl start\fR).
+.TP
+.B stop \fIname\fR
+Stop a specific unit by name (\fBsystemctl stop\fR).
+.TP
+.B update \fIname\fR
+Update a unit's config and recreate its service file.
+.RS
+.TP
+.BR \-\-order " " \fIn\fR
+Set the startup order.
+.TP
+.B \-\-enable
+Enable the unit.
+.TP
+.B \-\-disable
+Disable the unit.
+.RE
+.TP
+.B status
+Print a summary table of all managed units showing runtime, user, enabled
+state, installed state, systemd active state, and disabled reason.
+.TP
+.B list
+Print a table of all tracked units including the path to each service file.
+.TP
+.B edit
+Open the units config file in \fB$EDITOR\fR. Falls back to \fBnvim\fR,
+\fBnano\fR, \fBvi\fR in that order.
+.SH CONFIG FILE
+.B Location:
+\fI/etc/unitdore/units.yaml\fR
+.PP
+.nf
+prefix: ""         # prepended to all service names, e.g. "prod-"
+suffix: ""         # appended to all service names, e.g. "-svc"
+service_user: ""   # User= in [Service]; defaults to current OS user
+
+units:
+  - name: nginx
+    runtime: podman       # podman | docker
+    user: ""              # empty = system unit; set for rootless user unit
+    command: ""           # optional: override ExecStart
+    order: 1              # startup order (lower = earlier)
+    delay: 0s             # delay after previous order group
+    enabled: true
+    disabled_reason: ""   # auto-set by syncup reconciliation
+.fi
+.SH GENERATED SERVICE FILES
+System units are written to \fI/etc/systemd/system/\fR and user units to
+\fI~/.config/systemd/user/\fR.
+Service names follow the pattern:
+.PP
+.RS
+\fBunitdore-\fR[\fIprefix\fR]\fIname\fR[\fIsuffix\fR]\fB.service\fR
+.RE
+.SH EXAMPLES
+Discover containers and install their service files:
+.PP
+.RS
+.nf
+sudo unitdore syncup
+sudo unitdore install
+sudo unitdore startall
+.fi
+.RE
+.PP
+Preview generated service files without writing:
+.PP
+.RS
+sudo unitdore install \-\-dry\-run
+.RE
+.PP
+Start a single container unit:
+.PP
+.RS
+sudo unitdore start nginx
+.RE
+.PP
+Change startup order and re\-apply service file:
+.PP
+.RS
+sudo unitdore update nginx \-\-order 2
+.RE
+.SH FILES
+.TP
+.I /etc/unitdore/units.yaml
+Default configuration file.
+.TP
+.I /etc/systemd/system/unitdore-*.service
+Generated system unit files.
+.TP
+.I ~/.config/systemd/user/unitdore-*.service
+Generated rootless user unit files.
+.SH REQUIREMENTS
+systemd; Podman and/or Docker (only installed runtimes are used).
+Root is required for system units; the relevant user for rootless units.
+.SH SEE ALSO
+.BR systemctl (1),
+.BR podman (1),
+.BR docker (1)
+.SH AUTHORS
+Hein (Warky Devs) \(em https://warky.dev

go.mod

@@ -1,6 +1,6 @@
 module github.com/warkanum/unitdore
 
-go 1.26.1
+go 1.23.0
 
 require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect

pkg/arch/PKGBUILD

@@ -0,0 +1,44 @@
+# Maintainer: Hein (Warky Devs) <hein@warky.dev>
+pkgname=unitdore
+pkgver=0.1.0
+pkgrel=1
+pkgdesc="A door you open and close for container units — manage containers via systemd"
+arch=('x86_64' 'aarch64')
+url="https://git.warky.dev/wdevs/unitdore"
+license=('MIT')
+depends=('systemd')
+optdepends=(
+    'podman: Podman container runtime support'
+    'docker: Docker container runtime support'
+)
+makedepends=('go')
+backup=('etc/unitdore/units.yaml')
+source=("$pkgname-$pkgver.zip::$url/archive/v$pkgver.zip")
+sha256sums=('SKIP')
+
+build() {
+    cd "$pkgname-v$pkgver"
+    export CGO_ENABLED=0
+    go build \
+        -trimpath \
+        -ldflags "-X main.version=$pkgver" \
+        -o "$pkgname" .
+}
+
+check() {
+    cd "$pkgname-v$pkgver"
+    go test ./...
+}
+
+package() {
+    cd "$pkgname-v$pkgver"
+
+    # Binary
+    install -Dm755 "$pkgname" "$pkgdir/usr/bin/$pkgname"
+
+    # Man page
+    install -Dm644 docs/unitdore.1 "$pkgdir/usr/share/man/man1/unitdore.1"
+
+    # Default config dir
+    install -dm755 "$pkgdir/etc/unitdore"
+}

pkg/centos/unitdore.spec

@@ -0,0 +1,45 @@
+Name:           unitdore
+Version:        0.1.0
+Release:        1%{?dist}
+Summary:        Manage container units via systemd
+
+License:        MIT
+URL:            https://git.warky.dev/wdevs/unitdore
+Source0:        %{name}-%{version}.tar.gz
+
+BuildRequires:  golang >= 1.23
+Requires:       systemd
+
+%description
+Unitdore bridges your container runtime (Podman, Docker) and systemd.
+It discovers running containers, stores them in a config file, and generates
+and manages systemd .service units for each one.
+
+%prep
+%autosetup
+
+%build
+export CGO_ENABLED=0
+go build \
+    -trimpath \
+    -ldflags "-X main.version=%{version}" \
+    -o %{name} .
+
+%install
+# Binary
+install -Dm755 %{name} %{buildroot}%{_bindir}/%{name}
+
+# Man page
+install -Dm644 docs/unitdore.1 %{buildroot}%{_mandir}/man1/unitdore.1
+
+# Config dir
+install -dm755 %{buildroot}%{_sysconfdir}/unitdore
+
+%files
+%{_bindir}/%{name}
+%{_mandir}/man1/unitdore.1*
+%dir %{_sysconfdir}/unitdore
+
+%changelog
+* Tue Apr 08 2026 Hein (Warky Devs) <hein@warky.dev> - 0.1.0-1
+- Initial package

pkg/debian/control

@@ -0,0 +1,10 @@
+Package: unitdore
+Version: VERSION
+Architecture: ARCH
+Maintainer: Hein (Warky Devs) <hein@warky.dev>
+Depends: systemd
+Recommends: podman | docker.io
+Description: A door you open and close for container units
+ Unitdore bridges your container runtime (Podman, Docker) and systemd.
+ It discovers running containers, stores them in a config file, and generates
+ and manages systemd .service units for each one.

runtime/docker.go

@@ -68,9 +68,9 @@ func (d *Docker) Exists(name string) (bool, error) {
 		return false, nil
 	}
 
-	out, err := exec.Command(bin, "ps", "-a", "--format", "{{.Names}}").Output()
+	out, err := exec.Command(bin, "ps", "--format", "{{.Names}}").Output()
 	if err != nil {
-		return false, fmt.Errorf("docker ps -a: %w", err)
+		return false, fmt.Errorf("docker ps: %w", err)
 	}
 
 	for _, line := range strings.Split(string(out), "\n") {

runtime/podman.go

@@ -15,7 +15,7 @@ type podmanContainer struct {
 	ID      string   `json:"Id"`
 	Names   []string `json:"Names"`
 	Image   string   `json:"Image"`
-	Command string   `json:"Command"`
+	Command []string `json:"Command"`
 	State   string   `json:"State"`
 }
 
@@ -55,7 +55,7 @@ func (p *Podman) ListRunning() ([]Container, error) {
 		containers = append(containers, Container{
 			Name:    name,
 			Image:   c.Image,
-			Command: c.Command,
+			Command: strings.Join(c.Command, " "),
 			Runtime: "podman",
 		})
 	}
@@ -68,9 +68,9 @@ func (p *Podman) Exists(name string) (bool, error) {
 		return false, nil
 	}
 
-	out, err := exec.Command(bin, "ps", "-a", "--format", "{{.Names}}").Output()
+	out, err := exec.Command(bin, "ps", "--format", "{{.Names}}").Output()
 	if err != nil {
-		return false, fmt.Errorf("podman ps -a: %w", err)
+		return false, fmt.Errorf("podman ps: %w", err)
 	}
 
 	for _, line := range strings.Split(string(out), "\n") {

systemd/generator.go

@@ -17,6 +17,7 @@ After=network.target
 
 [Service]
 Type=simple
+User={{.ServiceUser}}
 ExecStart={{.ExecStart}}
 ExecStop={{.ExecStop}}
 Restart=on-failure
@@ -49,6 +50,7 @@ type templateData struct {
 	Unit        config.Unit
 	ExecStart   string
 	ExecStop    string
+	ServiceUser string
 }
 
 // ServiceName returns the systemd service name for a unit, with optional prefix/suffix.
@@ -57,7 +59,7 @@ func ServiceName(u config.Unit, prefix, suffix string) string {
 }
 
 // Generate produces the .service file content for a unit.
-func Generate(u config.Unit, prefix, suffix string) (string, error) {
+func Generate(u config.Unit, prefix, suffix, serviceUser string) (string, error) {
 	execStart, execStop := buildExecCommands(u)
 
 	data := templateData{
@@ -65,6 +67,7 @@ func Generate(u config.Unit, prefix, suffix string) (string, error) {
 		Unit:        u,
 		ExecStart:   execStart,
 		ExecStop:    execStop,
+		ServiceUser: serviceUser,
 	}
 
 	tmplStr := systemUnitTemplate

systemd/generator_test.go

@@ -35,7 +35,7 @@ func TestGenerate_SystemUnit(t *testing.T) {
 		Enabled: true,
 	}
 
-	content, err := Generate(u, "", "")
+	content, err := Generate(u, "", "", "unitdore")
 	if err != nil {
 		t.Fatalf("Generate() error: %v", err)
 	}
@@ -70,7 +70,7 @@ func TestGenerate_UserUnit(t *testing.T) {
 		Enabled: true,
 	}
 
-	content, err := Generate(u, "", "")
+	content, err := Generate(u, "", "", "unitdore")
 	if err != nil {
 		t.Fatalf("Generate() error: %v", err)
 	}
@@ -101,7 +101,7 @@ func TestGenerate_CustomCommand(t *testing.T) {
 		Enabled: true,
 	}
 
-	content, err := Generate(u, "", "")
+	content, err := Generate(u, "", "", "unitdore")
 	if err != nil {
 		t.Fatalf("Generate() error: %v", err)
 	}
@@ -118,7 +118,7 @@ func TestGenerate_DockerRuntime(t *testing.T) {
 		Enabled: true,
 	}
 
-	content, err := Generate(u, "", "")
+	content, err := Generate(u, "", "", "unitdore")
 	if err != nil {
 		t.Fatalf("Generate() error: %v", err)
 	}
@@ -138,7 +138,7 @@ func TestGenerate_UnknownRuntime(t *testing.T) {
 		Enabled: true,
 	}
 
-	content, err := Generate(u, "", "")
+	content, err := Generate(u, "", "", "unitdore")
 	if err != nil {
 		t.Fatalf("Generate() should not error on unknown runtime: %v", err)
 	}
@@ -155,7 +155,7 @@ func TestGenerate_WithPrefixSuffix(t *testing.T) {
 		Enabled: true,
 	}
 
-	content, err := Generate(u, "prod-", "-web")
+	content, err := Generate(u, "prod-", "-web", "unitdore")
 	if err != nil {
 		t.Fatalf("Generate() error: %v", err)
 	}

systemd/manager.go

@@ -27,8 +27,8 @@ func UnitPath(u config.Unit, prefix, suffix string) (string, error) {
 }
 
 // Install writes the .service file for a unit and reloads systemd.
-func Install(u config.Unit, prefix, suffix string) error {
-	content, err := Generate(u, prefix, suffix)
+func Install(u config.Unit, prefix, suffix, serviceUser string) error {
+	content, err := Generate(u, prefix, suffix, serviceUser)
 	if err != nil {
 		return err
 	}
@@ -73,6 +73,16 @@ func Disable(u config.Unit, prefix, suffix string) error {
 	return systemctl(u.User, "disable", "--now", ServiceName(u, prefix, suffix))
 }
 
+// Start starts a unit without enabling it.
+func Start(u config.Unit, prefix, suffix string) error {
+	return systemctl(u.User, "start", ServiceName(u, prefix, suffix))
+}
+
+// Stop stops a unit without disabling it.
+func Stop(u config.Unit, prefix, suffix string) error {
+	return systemctl(u.User, "stop", ServiceName(u, prefix, suffix))
+}
+
 // Status returns the ActiveState of a unit ("active", "inactive", "failed", "unknown").
 func Status(u config.Unit, prefix, suffix string) string {
 	args := []string{"show", "-p", "ActiveState", "--value", ServiceName(u, prefix, suffix)}