init

15 files changed, 1758 insertions, 0 deletions

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c23b850
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,19 @@
+# Binaries
+deploy
+*.exe
+*.dll
+*.so
+*.dylib
+
+# Test binary
+*.test
+
+# Go workspace file
+go.work
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
diff --git a/DESIGN_SPEC.md b/DESIGN_SPEC.md
new file mode 100644
index 0000000..e8bb197
--- /dev/null
+++ b/DESIGN_SPEC.md
@@ -0,0 +1,586 @@
+# VPS Deployment CLI - Design Spec
+
+## Overview
+Standalone CLI tool for deploying Go apps and static sites to a VPS with automatic HTTPS via Caddy.
+
+## Server Setup (One-time)
+
+### Build and Install the Deploy CLI on Your Laptop
+```bash
+# Clone and build the deploy CLI
+git clone <this-repo> deploy
+cd deploy
+go build -o ~/bin/deploy ./cmd/deploy
+# Or: go install ./cmd/deploy (if ~/go/bin is in your PATH)
+
+# Initialize a fresh VPS (one-time)
+deploy init --host user@your-vps-ip
+
+# The CLI will SSH into the VPS and:
+# - Detect OS (Ubuntu/Debian supported)
+# - Install Caddy from official repository
+# - Configure Caddy to import `/etc/caddy/sites-enabled/*`
+# - Create `/etc/deploy/env/` directory for env files
+# - Create `/etc/caddy/sites-enabled/` directory
+# - Enable and start Caddy service
+# - Verify installation
+#
+# State is stored locally at ~/.config/deploy/state.json
+```
+
+## CLI Commands
+
+All commands run from your laptop and use `--host` to specify the VPS.
+
+### Initialize VPS (One-time Setup)
+```bash
+# On a fresh VPS, run this once to install all dependencies
+deploy init --host user@your-vps-ip
+
+# This will SSH to the VPS and:
+# - Install Caddy
+# - Configure Caddy to use sites-enabled pattern
+# - Create /etc/deploy/env/ directory for env files
+# - Enable and start Caddy
+#
+# State is stored locally at ~/.config/deploy/state.json
+```
+
+### Deploy Go App
+```bash
+# Build locally, then deploy
+deploy --host user@vps-ip --domain api.example.com
+
+# With custom name (defaults to directory name or binary name)
+deploy --host user@vps-ip --name myapi --domain api.example.com
+
+# Deploy specific binary
+deploy --host user@vps-ip --binary ./myapp --domain api.example.com
+
+# With environment variables
+deploy --host user@vps-ip --domain api.example.com --env DB_HOST=localhost --env API_KEY=secret
+
+# Or from env file
+deploy --host user@vps-ip --domain api.example.com --env-file .env.production
+```
+
+### Deploy Static Site
+```bash
+# Deploy current directory
+deploy --host user@vps-ip --static --domain example.com
+
+# Deploy specific directory
+deploy --host user@vps-ip --static --dir ./dist --domain example.com
+
+# With custom name
+deploy --host user@vps-ip --static --name mysite --dir ./build --domain example.com
+```
+
+### Management Commands
+```bash
+# List all deployed apps/sites
+deploy list --host user@vps-ip
+
+# Remove deployment
+deploy remove myapp --host user@vps-ip
+
+# View logs
+deploy logs myapp --host user@vps-ip
+
+# Restart app
+deploy restart myapp --host user@vps-ip
+
+# View status
+deploy status myapp --host user@vps-ip
+
+# Set/update environment variables
+deploy env myapi --host user@vps-ip --set DB_HOST=localhost --set API_KEY=secret
+
+# View environment variables (secrets are masked)
+deploy env myapi --host user@vps-ip
+
+# Load from file
+deploy env myapi --host user@vps-ip --file .env.production
+
+# Remove specific env var
+deploy env myapi --host user@vps-ip --unset API_KEY
+```
+
+### Optional: Config File
+```bash
+# Create ~/.config/deploy/config to avoid typing --host every time
+mkdir -p ~/.config/deploy
+cat > ~/.config/deploy/config <<EOF
+host: user@your-vps-ip
+EOF
+
+# Now you can omit --host flag
+deploy --domain api.example.com
+deploy list
+```
+
+## Deployment Workflow
+
+### Initial VPS Setup
+```bash
+# 1. Build the deploy CLI (in this repo)
+cd /path/to/deploy-repo
+go build -o ~/bin/deploy ./cmd/deploy
+
+# 2. Initialize fresh VPS from your laptop
+deploy init --host user@your-vps-ip
+# This SSHs to VPS, installs Caddy, creates directories
+
+# 3. Optional: Create config file to avoid typing --host
+mkdir -p ~/.config/deploy
+echo "host: user@your-vps-ip" > ~/.config/deploy/config
+
+# Done! VPS is ready for deployments
+```
+
+### Go Apps
+```bash
+# 1. Build locally
+GOOS=linux GOARCH=amd64 go build -o myapp
+
+# 2. Deploy from laptop (with config file)
+deploy --binary ./myapp --domain api.example.com
+
+# Or specify host explicitly
+deploy --host user@vps-ip --binary ./myapp --domain api.example.com
+# CLI will: scp binary to VPS, set up systemd, configure Caddy, start service
+```
+
+### Static Sites
+```bash
+# 1. Build locally
+npm run build
+
+# 2. Deploy from laptop
+deploy --static --dir ./dist --domain example.com
+# CLI will: rsync files to VPS, configure Caddy
+```
+
+## App Requirements
+
+### Go Apps Must:
+- Listen on HTTP (standard `http.ListenAndServe`)
+- Accept port via env var `PORT` or flag `--port`
+- Bind to `localhost` or `127.0.0.1` only (Caddy will handle external traffic)
+
+**Example main.go:**
+```go
+package main
+
+import (
+    "flag"
+    "fmt"
+    "net/http"
+    "os"
+)
+
+func main() {
+    port := flag.String("port", os.Getenv("PORT"), "port to listen on")
+    flag.Parse()
+    
+    if *port == "" {
+        *port = "8080" // fallback for local dev
+    }
+    
+    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+        w.Write([]byte("Hello World"))
+    })
+    
+    addr := "127.0.0.1:" + *port
+    fmt.Printf("Listening on %s\n", addr)
+    http.ListenAndServe(addr, nil)
+}
+```
+
+## CLI Implementation
+
+### How It Works
+The CLI is a single binary that runs on your laptop and orchestrates deployments via SSH:
+
+1. **Connect**: Uses SSH to connect to VPS (via `--host` flag or config file)
+2. **Transfer**: Copies files to VPS using scp (binaries) or rsync (static sites)
+3. **Execute**: Runs commands on VPS over SSH to:
+   - Create system users
+   - Install systemd units
+   - Generate Caddy configs
+   - Manage services
+4. **Verify**: Checks deployment status and returns results
+
+### Package Structure
+```
+deploy/
+├── cmd/deploy/
+│   └── main.go           # CLI entry point
+├── internal/
+│   ├── ssh/
+│   │   └── ssh.go        # SSH connection & command execution
+│   ├── init/
+│   │   └── init.go       # VPS initialization logic
+│   ├── app/
+│   │   └── app.go        # Go app deployment logic
+│   ├── static/
+│   │   └── static.go     # Static site deployment logic
+│   ├── systemd/
+│   │   └── systemd.go    # Systemd operations
+│   ├── caddy/
+│   │   └── caddy.go      # Caddy config generation
+│   └── config/
+│       └── config.go     # Deployment metadata & port allocation
+└── templates/
+    ├── service.tmpl      # Systemd unit template
+    ├── app.caddy.tmpl    # Caddy config for apps
+    └── static.caddy.tmpl # Caddy config for static sites
+```
+
+### Deployment State (Laptop)
+All deployment state stored locally at `~/.config/deploy/state.json`:
+```json
+{
+  "hosts": {
+    "user@vps-ip": {
+      "next_port": 8003,
+      "apps": {
+        "myapi": {
+          "type": "app",
+          "domain": "api.example.com",
+          "port": 8001,
+          "env": {
+            "DB_HOST": "localhost",
+            "DB_PORT": "5432",
+            "API_KEY": "secret123",
+            "ENVIRONMENT": "production"
+          }
+        },
+        "anotherapp": {
+          "type": "app",
+          "domain": "another.example.com",
+          "port": 8002,
+          "env": {}
+        },
+        "mysite": {
+          "type": "static",
+          "domain": "example.com"
+        }
+      }
+    }
+  }
+}
+```
+
+### Environment Files (VPS)
+Environment variables written to `/etc/deploy/env/{appname}.env` on VPS for systemd to read:
+```bash
+# /etc/deploy/env/myapi.env (generated from state.json)
+PORT=8001
+DB_HOST=localhost
+DB_PORT=5432
+API_KEY=secret123
+ENVIRONMENT=production
+```
+
+### CLI Behavior
+
+**Host Resolution:**
+- CLI runs on your laptop, connects to VPS via SSH
+- Host specified via `--host user@vps-ip` flag
+- Or read from `~/.config/deploy/config` file if present
+- All operations execute on remote VPS over SSH
+- Files transferred via scp/rsync
+
+**Init Command:**
+- Detects OS (Ubuntu 20.04+, Debian 11+)
+- Checks if Caddy is already installed (skip if present)
+- Installs Caddy via official APT repository
+- Creates `/etc/caddy/Caddyfile` with `import /etc/caddy/sites-enabled/*`
+- Creates directory structure: `/etc/deploy/env/`, `/etc/caddy/sites-enabled/`
+- Enables and starts Caddy
+- Runs health check (verify Caddy is running)
+- Initializes local state file at `~/.config/deploy/state.json` if not present
+- Outputs success message with next steps
+
+**Smart Defaults:**
+- App name: infer from `--name` flag, or binary filename, or current directory
+- Binary: use `--binary` flag to specify path, or look for binary in current directory
+- Port: auto-allocate next available port (starting from 8001)
+- Working directory: `/var/lib/{appname}`
+- System user: `{appname}`
+- Binary location: `/usr/local/bin/{appname}`
+
+**Port Management:**
+- Automatically allocates next available port from 8001+
+- Tracks allocations in local `~/.config/deploy/state.json`
+- User can override with `--port` flag if desired
+- Prevents port conflicts
+
+**Validation:**
+- Check if domain is already in use (check local state)
+- Verify binary exists and is executable (for apps)
+- Confirm Caddy is installed and running
+- Check for port conflicts (check local state)
+- Require root/sudo on VPS
+
+**State Management:**
+- All deployment state lives on laptop at `~/.config/deploy/state.json`
+- VPS is "dumb" - just runs Caddy, systemd, and deployed apps
+- `deploy list` is instant (no SSH needed, reads local state)
+- Easy to recreate VPS from scratch by redeploying all apps from local state
+- Can manage multiple VPSes from one laptop
+- State backed up with your laptop backups
+- Trade-off: State can drift if VPS is manually modified (user should use CLI only)
+
+### Installation Steps (Go Apps)
+
+All steps executed remotely on VPS via SSH:
+
+1. Detect app name from `--name` flag, or binary filename, or current directory
+2. SCP binary from laptop to VPS temp directory
+3. Allocate port (auto-assign next available or use `--port` override)
+4. Create system user (e.g., `myapp`)
+5. Create working directory (`/var/lib/myapp`)
+6. Copy binary to `/usr/local/bin/myapp`
+7. Create env file at `/etc/deploy/env/myapp.env` with PORT and any user-provided vars
+8. Set env file permissions (0600, owned by app user)
+9. Generate systemd unit at `/etc/systemd/system/myapp.service` with EnvironmentFile
+10. Generate Caddy config at `/etc/caddy/sites-enabled/myapp.caddy` pointing to localhost:port
+11. Update local state at `~/.config/deploy/state.json` (on laptop)
+12. Enable and start service
+13. Reload Caddy
+
+### Installation Steps (Static Sites)
+
+All steps executed remotely on VPS via SSH:
+
+1. Detect site name from `--name` flag or directory name
+2. Rsync files from laptop to VPS `/var/www/{sitename}`
+3. Set ownership to `www-data:www-data`
+4. Generate Caddy config at `/etc/caddy/sites-enabled/{sitename}.caddy`
+5. Update local state at `~/.config/deploy/state.json` (on laptop)
+6. Reload Caddy
+
+## File Structure
+
+### On Laptop
+```
+~/.config/deploy/state.json       # All deployment state (apps, ports, env vars)
+~/.config/deploy/config           # Optional: default host configuration
+```
+
+### On VPS
+```
+/usr/local/bin/myapp              # Go binary
+/var/lib/myapp/                   # Working directory
+/etc/systemd/system/myapp.service # Systemd unit
+/etc/caddy/sites-enabled/myapp.caddy  # Caddy config
+/etc/deploy/env/myapp.env         # Environment variables (0600 permissions)
+
+/var/www/mysite/                  # Static site files
+/etc/caddy/sites-enabled/mysite.caddy # Caddy config
+```
+
+## Templates
+
+### systemd unit (`service.tmpl`)
+```ini
+[Unit]
+Description={{.Name}}
+After=network.target
+
+[Service]
+Type=simple
+User={{.User}}
+WorkingDirectory={{.WorkDir}}
+EnvironmentFile={{.EnvFile}}
+ExecStart={{.BinaryPath}} --port={{.Port}}
+Restart=always
+RestartSec=5s
+NoNewPrivileges=true
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
+```
+
+### Caddy config for Go apps (`app.caddy.tmpl`)
+```
+{{.Domain}} {
+    reverse_proxy 127.0.0.1:{{.Port}}
+}
+```
+
+### Caddy config for static sites (`static.caddy.tmpl`)
+```
+{{.Domain}} {
+    root * {{.RootDir}}
+    file_server
+    encode gzip
+}
+```
+
+## Optional Helper Module
+
+For apps that want minimal boilerplate:
+
+```go
+// github.com/yourusername/deploy/httpserver
+
+package httpserver
+
+import (
+    "flag"
+    "fmt"
+    "net/http"
+    "os"
+)
+
+// ListenAndServe starts HTTP server on PORT env var or --port flag
+func ListenAndServe(handler http.Handler) error {
+    port := flag.String("port", os.Getenv("PORT"), "port to listen on")
+    flag.Parse()
+    
+    if *port == "" {
+        *port = "8080" // fallback for local dev
+    }
+    
+    addr := "127.0.0.1:" + *port
+    fmt.Printf("Listening on %s\n", addr)
+    return http.ListenAndServe(addr, handler)
+}
+```
+
+## Example Usage Scenarios
+
+### Scenario 1: New Go API (Fresh VPS)
+```bash
+# ONE-TIME: Initialize fresh VPS from your laptop
+deploy init --host user@your-vps-ip
+# Installs Caddy, sets up directory structure
+
+# Optional: Save host to config
+mkdir -p ~/.config/deploy
+echo "host: user@your-vps-ip" > ~/.config/deploy/config
+
+# Develop locally
+mkdir myapi && cd myapi
+go mod init myapi
+
+# Write standard HTTP app
+cat > main.go <<'EOF'
+package main
+import (
+    "flag"
+    "fmt"
+    "net/http"
+    "os"
+)
+func main() {
+    port := flag.String("port", os.Getenv("PORT"), "port to listen on")
+    flag.Parse()
+    if *port == "" {
+        *port = "8080"
+    }
+    
+    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+        w.Write([]byte("Hello World"))
+    })
+    
+    addr := "127.0.0.1:" + *port
+    fmt.Printf("Listening on %s\n", addr)
+    http.ListenAndServe(addr, nil)
+}
+EOF
+
+# Build and deploy from laptop
+GOOS=linux GOARCH=amd64 go build
+deploy --binary ./myapi --domain api.example.com
+# CLI: SCPs binary to VPS, creates systemd service, configures Caddy
+
+# Later, add environment variables from laptop
+deploy env myapi --set DB_HOST=localhost --set DB_PORT=5432
+# Service automatically restarts to pick up new env vars
+```
+
+### Scenario 2: React/Vue/etc Static Site
+```bash
+# Build
+npm run build
+
+# Deploy from laptop
+deploy --static --dir ./dist --domain example.com --name mysite
+# CLI rsyncs files to VPS, configures Caddy
+```
+
+### Scenario 3: Update Existing Deployment
+```bash
+# Rebuild
+GOOS=linux GOARCH=amd64 go build
+
+# Redeploy (same command, it will update)
+deploy --binary ./myapi --domain api.example.com
+# CLI detects existing deployment, stops service, updates binary, restarts
+# Keeps same port allocation
+```
+
+### Scenario 4: Multiple Apps
+```bash
+# Deploy first app from laptop
+deploy --binary api1 --domain api1.example.com  # Gets port 8001
+
+# Deploy second app
+deploy --binary api2 --domain api2.example.com  # Gets port 8002
+
+# Deploy third app
+deploy --binary api3 --domain api3.example.com  # Gets port 8003
+
+# View all deployments from laptop
+deploy list
+# Output:
+# api1    app     api1.example.com    :8001   running
+# api2    app     api2.example.com    :8002   running
+# api3    app     api3.example.com    :8003   running
+```
+
+## Security Considerations
+
+- Run each Go app as dedicated system user
+- Use systemd security hardening (NoNewPrivileges, PrivateTmp, ProtectSystem)
+- Static sites served as www-data
+- Caddy automatically handles TLS cert management
+- Environment files stored at `/etc/deploy/env/{app}.env` with 0600 permissions
+- Env files owned by the app's system user
+- `deploy env` command masks sensitive values when displaying (shows `API_KEY=***`)
+- Consider using external secret management for production (out of scope for v1)
+
+## Features
+
+✓ Single command deployment from anywhere
+✓ Automatic HTTPS via Caddy + Let's Encrypt
+✓ Automatic port allocation (no manual tracking needed)
+✓ Standard HTTP - write apps the normal way
+✓ Environment variable management (set via CLI or .env files)
+✓ Secure env file storage (0600 permissions)
+✓ Systemd process management with auto-restart
+✓ Support for multiple apps/sites on one VPS
+✓ Manage multiple VPSes from one laptop
+✓ State stored locally (VPS is stateless and easily recreatable)
+✓ Security hardening by default
+✓ Update existing deployments with same command
+✓ Clean removal with `deploy remove`
+✓ View logs/status of any deployment
+✓ Minimal app requirements (just accept PORT env/flag)
+
+## Out of Scope (for v1)
+
+- Database setup/management
+- Secrets encryption at rest (env files are protected by file permissions)
+- Secret rotation automation
+- Log rotation (systemd journald handles this)
+- Monitoring/alerting
+- Blue/green or zero-downtime deployments
+- Automatic updates/CI integration
+- Custom systemd unit modifications
+- Non-Caddy web servers
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..8125bc9
--- /dev/null
+++ b/README.md
@@ -0,0 +1,221 @@
+# Deploy - VPS Deployment CLI
+
+Simple CLI tool for deploying Go apps and static sites to a VPS with automatic HTTPS via Caddy.
+
+## Features
+
+- Single command deployment from your laptop
+- Automatic HTTPS via Caddy + Let's Encrypt
+- Automatic port allocation (no manual tracking)
+- Environment variable management
+- Systemd process management with auto-restart
+- Support for multiple apps/sites on one VPS
+- State stored locally (VPS is stateless and easily recreatable)
+- Zero dependencies on VPS (just installs Caddy)
+
+## Installation
+
+```bash
+# Build the CLI
+go build -o ~/bin/deploy ./cmd/deploy
+
+# Or install to GOPATH
+go install ./cmd/deploy
+```
+
+## Quick Start
+
+### 1. Initialize Your VPS (One-time)
+
+```bash
+# Initialize a fresh VPS
+deploy init --host user@your-vps-ip
+```
+
+This will:
+- Install Caddy
+- Configure Caddy for automatic HTTPS
+- Create necessary directories
+- Set up the VPS for deployments
+
+### 2. Deploy a Go App
+
+```bash
+# Build your app for Linux
+GOOS=linux GOARCH=amd64 go build -o myapp
+
+# Deploy it
+deploy deploy --host user@vps-ip --binary ./myapp --domain api.example.com
+
+# With environment variables
+deploy deploy --host user@vps-ip --binary ./myapp --domain api.example.com \
+  --env DB_HOST=localhost \
+  --env API_KEY=secret
+
+# Or from an env file
+deploy deploy --host user@vps-ip --binary ./myapp --domain api.example.com \
+  --env-file .env.production
+```
+
+### 3. Deploy a Static Site
+
+```bash
+# Build your site
+npm run build
+
+# Deploy it
+deploy deploy --host user@vps-ip --static --dir ./dist --domain example.com
+```
+
+## App Requirements
+
+Your Go app must:
+1. Listen on HTTP (not HTTPS - Caddy handles that)
+2. Accept port via `--port` flag or `PORT` environment variable
+3. Bind to `localhost` or `127.0.0.1` only
+
+Example:
+
+```go
+package main
+
+import (
+    "flag"
+    "fmt"
+    "net/http"
+    "os"
+)
+
+func main() {
+    port := flag.String("port", os.Getenv("PORT"), "port to listen on")
+    flag.Parse()
+
+    if *port == "" {
+        *port = "8080" // fallback for local dev
+    }
+
+    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+        w.Write([]byte("Hello World"))
+    })
+
+    addr := "127.0.0.1:" + *port
+    fmt.Printf("Listening on %s\n", addr)
+    http.ListenAndServe(addr, nil)
+}
+```
+
+## Commands
+
+### Initialize VPS
+```bash
+deploy init --host user@vps-ip
+```
+
+### Deploy App/Site
+```bash
+# Go app
+deploy deploy --host user@vps-ip --binary ./myapp --domain api.example.com
+
+# Static site
+deploy deploy --host user@vps-ip --static --dir ./dist --domain example.com
+
+# Custom name (defaults to binary/directory name)
+deploy deploy --host user@vps-ip --name myapi --binary ./myapp --domain api.example.com
+```
+
+### List Deployments
+```bash
+deploy list --host user@vps-ip
+```
+
+### Manage Deployments
+```bash
+# View logs
+deploy logs myapp --host user@vps-ip
+
+# View status
+deploy status myapp --host user@vps-ip
+
+# Restart app
+deploy restart myapp --host user@vps-ip
+
+# Remove deployment
+deploy remove myapp --host user@vps-ip
+```
+
+### Environment Variables
+```bash
+# View current env vars (secrets are masked)
+deploy env myapi --host user@vps-ip
+
+# Set env vars
+deploy env myapi --host user@vps-ip --set DB_HOST=localhost --set API_KEY=secret
+
+# Load from file
+deploy env myapi --host user@vps-ip --file .env.production
+
+# Unset env var
+deploy env myapi --host user@vps-ip --unset API_KEY
+```
+
+## Configuration
+
+Create `~/.config/deploy/config` to avoid typing `--host` every time:
+
+```
+host: user@your-vps-ip
+```
+
+Then you can omit the `--host` flag:
+
+```bash
+deploy list
+deploy deploy --binary ./myapp --domain api.example.com
+```
+
+## How It Works
+
+1. **State on Laptop**: All deployment state lives at `~/.config/deploy/state.json` on your laptop
+2. **SSH Orchestration**: The CLI uses SSH to run commands on your VPS
+3. **File Transfer**: Binaries transferred via SCP, static sites via rsync
+4. **Caddy for HTTPS**: Caddy automatically handles HTTPS certificates
+5. **Systemd for Processes**: Apps run as systemd services with auto-restart
+6. **Dumb VPS**: The VPS is stateless - you can recreate it by redeploying from local state
+
+## File Structure
+
+### On Laptop
+```
+~/.config/deploy/state.json    # All deployment state
+~/.config/deploy/config        # Optional: default host
+```
+
+### On VPS
+```
+/usr/local/bin/myapp                   # Go binary
+/var/lib/myapp/                        # Working directory
+/etc/systemd/system/myapp.service      # Systemd unit
+/etc/caddy/sites-enabled/myapp.caddy   # Caddy config
+/etc/deploy/env/myapp.env              # Environment variables
+
+/var/www/mysite/                       # Static site files
+/etc/caddy/sites-enabled/mysite.caddy  # Caddy config
+```
+
+## Security
+
+- Each Go app runs as dedicated system user
+- Systemd security hardening enabled (NoNewPrivileges, PrivateTmp)
+- Static sites served as www-data
+- Caddy automatically manages TLS certificates
+- Environment files stored with 0600 permissions
+- Secrets masked when displaying environment variables
+
+## Supported OS
+
+- Ubuntu 20.04+
+- Debian 11+
+
+## License
+
+MIT
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..0d29deb
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,7 @@
+module github.com/bdw/deploy
+
+go 1.21
+
+require golang.org/x/crypto v0.31.0
+
+require golang.org/x/sys v0.28.0 // indirect
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..7fa4005
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,6 @@
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
diff --git a/internal/config/config.go b/internal/config/config.go
new file mode 100644
index 0000000..8651aa8
--- /dev/null
+++ b/internal/config/config.go
@@ -0,0 +1,65 @@
+package config
+
+import (
+        "bufio"
+        "os"
+        "path/filepath"
+        "strings"
+)
+
+// Config represents the user's configuration
+type Config struct {
+        Host string
+}
+
+// Load reads config from ~/.config/deploy/config
+func Load() (*Config, error) {
+        path := configPath()
+
+        // If file doesn't exist, return empty config
+        if _, err := os.Stat(path); os.IsNotExist(err) {
+                return &Config{}, nil
+        }
+
+        file, err := os.Open(path)
+        if err != nil {
+                return nil, err
+        }
+        defer file.Close()
+
+        cfg := &Config{}
+        scanner := bufio.NewScanner(file)
+        for scanner.Scan() {
+                line := strings.TrimSpace(scanner.Text())
+                if line == "" || strings.HasPrefix(line, "#") {
+                        continue
+                }
+
+                parts := strings.SplitN(line, ":", 2)
+                if len(parts) != 2 {
+                        continue
+                }
+
+                key := strings.TrimSpace(parts[0])
+                value := strings.TrimSpace(parts[1])
+
+                switch key {
+                case "host":
+                        cfg.Host = value
+                }
+        }
+
+        if err := scanner.Err(); err != nil {
+                return nil, err
+        }
+
+        return cfg, nil
+}
+
+func configPath() string {
+        home, err := os.UserHomeDir()
+        if err != nil {
+                return ".deploy-config"
+        }
+        return filepath.Join(home, ".config", "deploy", "config")
+}
diff --git a/internal/ssh/client.go b/internal/ssh/client.go
new file mode 100644
index 0000000..1cd336c
--- /dev/null
+++ b/internal/ssh/client.go
@@ -0,0 +1,357 @@
+package ssh
+
+import (
+        "bufio"
+        "bytes"
+        "fmt"
+        "net"
+        "os"
+        "os/exec"
+        "path/filepath"
+        "strings"
+
+        "golang.org/x/crypto/ssh"
+        "golang.org/x/crypto/ssh/agent"
+)
+
+// Client represents an SSH connection to a remote host
+type Client struct {
+        host   string
+        client *ssh.Client
+}
+
+// sshConfig holds SSH configuration for a host
+type sshConfig struct {
+        Host         string
+        HostName     string
+        User         string
+        Port         string
+        IdentityFile string
+}
+
+// Connect establishes an SSH connection to the remote host
+// Supports both SSH config aliases (e.g., "myserver") and user@host format
+func Connect(host string) (*Client, error) {
+        var user, addr string
+        var identityFile string
+
+        // Try to read SSH config first
+        cfg, err := readSSHConfig(host)
+        if err == nil && cfg.HostName != "" {
+                // Use SSH config
+                user = cfg.User
+                addr = cfg.HostName
+                if cfg.Port != "" {
+                        addr = addr + ":" + cfg.Port
+                } else {
+                        addr = addr + ":22"
+                }
+                identityFile = cfg.IdentityFile
+        } else {
+                // Fall back to parsing user@host format
+                parts := strings.SplitN(host, "@", 2)
+                if len(parts) != 2 {
+                        return nil, fmt.Errorf("host '%s' not found in SSH config and not in user@host format", host)
+                }
+                user = parts[0]
+                addr = parts[1]
+
+                // Add default port if not specified
+                if !strings.Contains(addr, ":") {
+                        addr = addr + ":22"
+                }
+        }
+
+        // Build authentication methods
+        var authMethods []ssh.AuthMethod
+
+        // Try identity file from SSH config first
+        if identityFile != "" {
+                if authMethod, err := publicKeyFromFile(identityFile); err == nil {
+                        authMethods = append(authMethods, authMethod)
+                }
+        }
+
+        // Try SSH agent
+        if authMethod, err := sshAgent(); err == nil {
+                authMethods = append(authMethods, authMethod)
+        }
+
+        // Try default key files
+        if authMethod, err := publicKeyFile(); err == nil {
+                authMethods = append(authMethods, authMethod)
+        }
+
+        if len(authMethods) == 0 {
+                return nil, fmt.Errorf("no SSH authentication method available")
+        }
+
+        config := &ssh.ClientConfig{
+                User:            user,
+                Auth:            authMethods,
+                HostKeyCallback: ssh.InsecureIgnoreHostKey(), // TODO: Consider using known_hosts
+        }
+
+        client, err := ssh.Dial("tcp", addr, config)
+        if err != nil {
+                return nil, fmt.Errorf("failed to connect to %s: %w", host, err)
+        }
+
+        return &Client{
+                host:   host,
+                client: client,
+        }, nil
+}
+
+// Close closes the SSH connection
+func (c *Client) Close() error {
+        return c.client.Close()
+}
+
+// Run executes a command on the remote host and returns the output
+func (c *Client) Run(cmd string) (string, error) {
+        session, err := c.client.NewSession()
+        if err != nil {
+                return "", err
+        }
+        defer session.Close()
+
+        var stdout, stderr bytes.Buffer
+        session.Stdout = &stdout
+        session.Stderr = &stderr
+
+        if err := session.Run(cmd); err != nil {
+                return "", fmt.Errorf("command failed: %w\nstderr: %s", err, stderr.String())
+        }
+
+        return stdout.String(), nil
+}
+
+// RunSudo executes a command with sudo on the remote host
+func (c *Client) RunSudo(cmd string) (string, error) {
+        return c.Run("sudo " + cmd)
+}
+
+// Upload copies a local file to the remote host using scp
+func (c *Client) Upload(localPath, remotePath string) error {
+        // Use external scp command for simplicity
+        // Format: scp -o StrictHostKeyChecking=no localPath user@host:remotePath
+        cmd := exec.Command("scp", "-o", "StrictHostKeyChecking=no", localPath, c.host+":"+remotePath)
+
+        var stderr bytes.Buffer
+        cmd.Stderr = &stderr
+
+        if err := cmd.Run(); err != nil {
+                return fmt.Errorf("scp failed: %w\nstderr: %s", err, stderr.String())
+        }
+
+        return nil
+}
+
+// UploadDir copies a local directory to the remote host using rsync
+func (c *Client) UploadDir(localDir, remoteDir string) error {
+        // Use rsync for directory uploads
+        // Format: rsync -avz --delete localDir/ user@host:remoteDir/
+        localDir = strings.TrimSuffix(localDir, "/") + "/"
+        remoteDir = strings.TrimSuffix(remoteDir, "/") + "/"
+
+        cmd := exec.Command("rsync", "-avz", "--delete",
+                "-e", "ssh -o StrictHostKeyChecking=no",
+                localDir, c.host+":"+remoteDir)
+
+        var stderr bytes.Buffer
+        cmd.Stderr = &stderr
+
+        if err := cmd.Run(); err != nil {
+                return fmt.Errorf("rsync failed: %w\nstderr: %s", err, stderr.String())
+        }
+
+        return nil
+}
+
+// WriteFile creates a file with the given content on the remote host
+func (c *Client) WriteFile(remotePath, content string) error {
+        session, err := c.client.NewSession()
+        if err != nil {
+                return err
+        }
+        defer session.Close()
+
+        // Use cat to write content to file
+        cmd := fmt.Sprintf("cat > %s", remotePath)
+        session.Stdin = strings.NewReader(content)
+
+        var stderr bytes.Buffer
+        session.Stderr = &stderr
+
+        if err := session.Run(cmd); err != nil {
+                return fmt.Errorf("write file failed: %w\nstderr: %s", err, stderr.String())
+        }
+
+        return nil
+}
+
+// WriteSudoFile creates a file with the given content using sudo
+func (c *Client) WriteSudoFile(remotePath, content string) error {
+        session, err := c.client.NewSession()
+        if err != nil {
+                return err
+        }
+        defer session.Close()
+
+        // Use sudo tee to write content to file
+        cmd := fmt.Sprintf("sudo tee %s > /dev/null", remotePath)
+        session.Stdin = strings.NewReader(content)
+
+        var stderr bytes.Buffer
+        session.Stderr = &stderr
+
+        if err := session.Run(cmd); err != nil {
+                return fmt.Errorf("write file with sudo failed: %w\nstderr: %s", err, stderr.String())
+        }
+
+        return nil
+}
+
+// readSSHConfig reads and parses the SSH config file for a given host
+func readSSHConfig(host string) (*sshConfig, error) {
+        home, err := os.UserHomeDir()
+        if err != nil {
+                return nil, err
+        }
+
+        configPath := filepath.Join(home, ".ssh", "config")
+        file, err := os.Open(configPath)
+        if err != nil {
+                return nil, err
+        }
+        defer file.Close()
+
+        cfg := &sshConfig{}
+        var currentHost string
+        var matchedHost bool
+
+        scanner := bufio.NewScanner(file)
+        for scanner.Scan() {
+                line := strings.TrimSpace(scanner.Text())
+
+                // Skip comments and empty lines
+                if line == "" || strings.HasPrefix(line, "#") {
+                        continue
+                }
+
+                fields := strings.Fields(line)
+                if len(fields) < 2 {
+                        continue
+                }
+
+                key := strings.ToLower(fields[0])
+                value := fields[1]
+
+                // Expand ~ in paths
+                if strings.HasPrefix(value, "~/") {
+                        value = filepath.Join(home, value[2:])
+                }
+
+                switch key {
+                case "host":
+                        currentHost = value
+                        if currentHost == host {
+                                matchedHost = true
+                                cfg.Host = host
+                        } else {
+                                matchedHost = false
+                        }
+                case "hostname":
+                        if matchedHost {
+                                cfg.HostName = value
+                        }
+                case "user":
+                        if matchedHost {
+                                cfg.User = value
+                        }
+                case "port":
+                        if matchedHost {
+                                cfg.Port = value
+                        }
+                case "identityfile":
+                        if matchedHost {
+                                cfg.IdentityFile = value
+                        }
+                }
+        }
+
+        if err := scanner.Err(); err != nil {
+                return nil, err
+        }
+
+        if cfg.Host == "" {
+                return nil, fmt.Errorf("host %s not found in SSH config", host)
+        }
+
+        return cfg, nil
+}
+
+// sshAgent returns an auth method using SSH agent
+func sshAgent() (ssh.AuthMethod, error) {
+        socket := os.Getenv("SSH_AUTH_SOCK")
+        if socket == "" {
+                return nil, fmt.Errorf("SSH_AUTH_SOCK not set")
+        }
+
+        conn, err := net.Dial("unix", socket)
+        if err != nil {
+                return nil, fmt.Errorf("failed to connect to SSH agent: %w", err)
+        }
+
+        agentClient := agent.NewClient(conn)
+        return ssh.PublicKeysCallback(agentClient.Signers), nil
+}
+
+// publicKeyFromFile returns an auth method from a specific private key file
+func publicKeyFromFile(keyPath string) (ssh.AuthMethod, error) {
+        key, err := os.ReadFile(keyPath)
+        if err != nil {
+                return nil, err
+        }
+
+        signer, err := ssh.ParsePrivateKey(key)
+        if err != nil {
+                return nil, err
+        }
+
+        return ssh.PublicKeys(signer), nil
+}
+
+// publicKeyFile returns an auth method using a private key file
+func publicKeyFile() (ssh.AuthMethod, error) {
+        home, err := os.UserHomeDir()
+        if err != nil {
+                return nil, err
+        }
+
+        // Try common key locations
+        keyPaths := []string{
+                filepath.Join(home, ".ssh", "id_rsa"),
+                filepath.Join(home, ".ssh", "id_ed25519"),
+                filepath.Join(home, ".ssh", "id_ecdsa"),
+        }
+
+        for _, keyPath := range keyPaths {
+                if _, err := os.Stat(keyPath); err == nil {
+                        key, err := os.ReadFile(keyPath)
+                        if err != nil {
+                                continue
+                        }
+
+                        signer, err := ssh.ParsePrivateKey(key)
+                        if err != nil {
+                                continue
+                        }
+
+                        return ssh.PublicKeys(signer), nil
+                }
+        }
+
+        return nil, fmt.Errorf("no SSH private key found")
+}
diff --git a/internal/state/state.go b/internal/state/state.go
new file mode 100644
index 0000000..c7c7dd4
--- /dev/null
+++ b/internal/state/state.go
@@ -0,0 +1,146 @@
+package state
+
+import (
+        "encoding/json"
+        "fmt"
+        "os"
+        "path/filepath"
+)
+
+// State represents the entire local deployment state
+type State struct {
+        Hosts map[string]*Host `json:"hosts"`
+}
+
+// Host represents deployment state for a single VPS
+type Host struct {
+        NextPort int             `json:"next_port"`
+        Apps     map[string]*App `json:"apps"`
+}
+
+// App represents a deployed application or static site
+type App struct {
+        Type   string            `json:"type"` // "app" or "static"
+        Domain string            `json:"domain"`
+        Port   int               `json:"port,omitempty"` // only for type="app"
+        Env    map[string]string `json:"env,omitempty"`  // only for type="app"
+}
+
+const (
+        startPort = 8001
+)
+
+// Load reads state from ~/.config/deploy/state.json
+func Load() (*State, error) {
+        path := statePath()
+
+        // If file doesn't exist, return empty state
+        if _, err := os.Stat(path); os.IsNotExist(err) {
+                return &State{
+                        Hosts: make(map[string]*Host),
+                }, nil
+        }
+
+        data, err := os.ReadFile(path)
+        if err != nil {
+                return nil, fmt.Errorf("failed to read state file: %w", err)
+        }
+
+        var state State
+        if err := json.Unmarshal(data, &state); err != nil {
+                return nil, fmt.Errorf("failed to parse state file: %w", err)
+        }
+
+        // Initialize maps if nil
+        if state.Hosts == nil {
+                state.Hosts = make(map[string]*Host)
+        }
+
+        return &state, nil
+}
+
+// Save writes state to ~/.config/deploy/state.json
+func (s *State) Save() error {
+        path := statePath()
+
+        // Ensure directory exists
+        dir := filepath.Dir(path)
+        if err := os.MkdirAll(dir, 0755); err != nil {
+                return fmt.Errorf("failed to create config directory: %w", err)
+        }
+
+        data, err := json.MarshalIndent(s, "", "  ")
+        if err != nil {
+                return fmt.Errorf("failed to marshal state: %w", err)
+        }
+
+        if err := os.WriteFile(path, data, 0600); err != nil {
+                return fmt.Errorf("failed to write state file: %w", err)
+        }
+
+        return nil
+}
+
+// GetHost returns the host state, creating it if it doesn't exist
+func (s *State) GetHost(host string) *Host {
+        if s.Hosts[host] == nil {
+                s.Hosts[host] = &Host{
+                        NextPort: startPort,
+                        Apps:     make(map[string]*App),
+                }
+        }
+        if s.Hosts[host].Apps == nil {
+                s.Hosts[host].Apps = make(map[string]*App)
+        }
+        return s.Hosts[host]
+}
+
+// AllocatePort returns the next available port for a host
+func (s *State) AllocatePort(host string) int {
+        h := s.GetHost(host)
+        port := h.NextPort
+        h.NextPort++
+        return port
+}
+
+// AddApp adds or updates an app in the state
+func (s *State) AddApp(host, name string, app *App) {
+        h := s.GetHost(host)
+        h.Apps[name] = app
+}
+
+// RemoveApp removes an app from the state
+func (s *State) RemoveApp(host, name string) error {
+        h := s.GetHost(host)
+        if _, exists := h.Apps[name]; !exists {
+                return fmt.Errorf("app %s not found", name)
+        }
+        delete(h.Apps, name)
+        return nil
+}
+
+// GetApp returns an app from the state
+func (s *State) GetApp(host, name string) (*App, error) {
+        h := s.GetHost(host)
+        app, exists := h.Apps[name]
+        if !exists {
+                return nil, fmt.Errorf("app %s not found", name)
+        }
+        return app, nil
+}
+
+// ListApps returns all apps for a host
+func (s *State) ListApps(host string) map[string]*App {
+        h := s.GetHost(host)
+        return h.Apps
+}
+
+// statePath returns the path to the state file
+func statePath() string {
+        home, err := os.UserHomeDir()
+        if err != nil {
+                // Fallback to current directory (should rarely happen)
+                return ".deploy-state.json"
+        }
+        return filepath.Join(home, ".config", "deploy", "state.json")
+}
diff --git a/internal/templates/templates.go b/internal/templates/templates.go
new file mode 100644
index 0000000..d90163d
--- /dev/null
+++ b/internal/templates/templates.go
@@ -0,0 +1,82 @@
+package templates
+
+import (
+        "bytes"
+        "text/template"
+)
+
+var serviceTemplate = `[Unit]
+Description={{.Name}}
+After=network.target
+
+[Service]
+Type=simple
+User={{.User}}
+WorkingDirectory={{.WorkDir}}
+EnvironmentFile={{.EnvFile}}
+ExecStart={{.BinaryPath}} --port={{.Port}}
+Restart=always
+RestartSec=5s
+NoNewPrivileges=true
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
+`
+
+var appCaddyTemplate = `{{.Domain}} {
+    reverse_proxy 127.0.0.1:{{.Port}}
+}
+`
+
+var staticCaddyTemplate = `{{.Domain}} {
+    root * {{.RootDir}}
+    file_server
+    encode gzip
+}
+`
+
+// SystemdService generates a systemd service unit file
+func SystemdService(data map[string]string) (string, error) {
+        tmpl, err := template.New("service").Parse(serviceTemplate)
+        if err != nil {
+                return "", err
+        }
+
+        var buf bytes.Buffer
+        if err := tmpl.Execute(&buf, data); err != nil {
+                return "", err
+        }
+
+        return buf.String(), nil
+}
+
+// AppCaddy generates a Caddy config for a Go app
+func AppCaddy(data map[string]string) (string, error) {
+        tmpl, err := template.New("caddy").Parse(appCaddyTemplate)
+        if err != nil {
+                return "", err
+        }
+
+        var buf bytes.Buffer
+        if err := tmpl.Execute(&buf, data); err != nil {
+                return "", err
+        }
+
+        return buf.String(), nil
+}
+
+// StaticCaddy generates a Caddy config for a static site
+func StaticCaddy(data map[string]string) (string, error) {
+        tmpl, err := template.New("caddy").Parse(staticCaddyTemplate)
+        if err != nil {
+                return "", err
+        }
+
+        var buf bytes.Buffer
+        if err := tmpl.Execute(&buf, data); err != nil {
+                return "", err
+        }
+
+        return buf.String(), nil
+}
diff --git a/templates/app.caddy.tmpl b/templates/app.caddy.tmpl
new file mode 100644
index 0000000..505d1d9
--- /dev/null
+++ b/templates/app.caddy.tmpl
@@ -0,0 +1,3 @@
+{{.Domain}} {
+    reverse_proxy 127.0.0.1:{{.Port}}
+}
diff --git a/templates/service.tmpl b/templates/service.tmpl
new file mode 100644
index 0000000..87389f0
--- /dev/null
+++ b/templates/service.tmpl
@@ -0,0 +1,17 @@
+[Unit]
+Description={{.Name}}
+After=network.target
+
+[Service]
+Type=simple
+User={{.User}}
+WorkingDirectory={{.WorkDir}}
+EnvironmentFile={{.EnvFile}}
+ExecStart={{.BinaryPath}} --port={{.Port}}
+Restart=always
+RestartSec=5s
+NoNewPrivileges=true
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/templates/static.caddy.tmpl b/templates/static.caddy.tmpl
new file mode 100644
index 0000000..d04f6b0
--- /dev/null
+++ b/templates/static.caddy.tmpl
@@ -0,0 +1,5 @@
+{{.Domain}} {
+    root * {{.RootDir}}
+    file_server
+    encode gzip
+}
diff --git a/test/example-website/about.html b/test/example-website/about.html
new file mode 100644
index 0000000..93cba92
--- /dev/null
+++ b/test/example-website/about.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>About - Deploy Test</title>
+    <link rel="stylesheet" href="style.css">
+</head>
+<body>
+    <header>
+        <nav>
+            <h1>Deploy Test</h1>
+            <ul>
+                <li><a href="index.html">Home</a></li>
+                <li><a href="about.html">About</a></li>
+            </ul>
+        </nav>
+    </header>
+
+    <main>
+        <section class="about">
+            <h2>About This Site</h2>
+            <p>This is a test website created to demonstrate the deploy tool's static site deployment capabilities.</p>
+
+            <h3>Features</h3>
+            <ul>
+                <li>Simple HTML/CSS structure</li>
+                <li>Multiple pages for testing navigation</li>
+                <li>Responsive design</li>
+                <li>Clean and minimal styling</li>
+            </ul>
+
+            <h3>Deployment Command</h3>
+            <pre><code>./deploy deploy --host peerfile --static --dir ./test/example-website --domain example.com</code></pre>
+        </section>
+    </main>
+
+    <footer>
+        <p>&copy; 2025 Deploy Test. Built for testing purposes.</p>
+    </footer>
+</body>
+</html>
diff --git a/test/example-website/index.html b/test/example-website/index.html
new file mode 100644
index 0000000..735ae73
--- /dev/null
+++ b/test/example-website/index.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Example Website - Deploy Test</title>
+    <link rel="stylesheet" href="style.css">
+</head>
+<body>
+    <header>
+        <nav>
+            <h1>Deploy Test</h1>
+            <ul>
+                <li><a href="index.html">Home</a></li>
+                <li><a href="about.html">About</a></li>
+            </ul>
+        </nav>
+    </header>
+
+    <main>
+        <section class="hero">
+            <h2>Welcome to the Example Website</h2>
+            <p>This is a simple static website for testing the deploy tool.</p>
+        </section>
+
+        <section class="features">
+            <div class="feature">
+                <h3>Fast Deployment</h3>
+                <p>Deploy your static sites in seconds with a single command.</p>
+            </div>
+            <div class="feature">
+                <h3>HTTPS Enabled</h3>
+                <p>Automatic SSL certificates with Caddy.</p>
+            </div>
+            <div class="feature">
+                <h3>Simple Management</h3>
+                <p>Easy-to-use CLI for managing your deployments.</p>
+            </div>
+        </section>
+    </main>
+
+    <footer>
+        <p>&copy; 2025 Deploy Test. Built for testing purposes.</p>
+    </footer>
+</body>
+</html>
diff --git a/test/example-website/style.css b/test/example-website/style.css
new file mode 100644
index 0000000..da7fd1c
--- /dev/null
+++ b/test/example-website/style.css
@@ -0,0 +1,156 @@
+* {
+    margin: 0;
+    padding: 0;
+    box-sizing: border-box;
+}
+
+body {
+    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif;
+    line-height: 1.6;
+    color: #333;
+    background: #f5f5f5;
+}
+
+header {
+    background: #2c3e50;
+    color: white;
+    padding: 1rem 0;
+    box-shadow: 0 2px 5px rgba(0,0,0,0.1);
+}
+
+nav {
+    max-width: 1200px;
+    margin: 0 auto;
+    padding: 0 2rem;
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+}
+
+nav h1 {
+    font-size: 1.5rem;
+}
+
+nav ul {
+    list-style: none;
+    display: flex;
+    gap: 2rem;
+}
+
+nav a {
+    color: white;
+    text-decoration: none;
+    transition: opacity 0.3s;
+}
+
+nav a:hover {
+    opacity: 0.8;
+}
+
+main {
+    max-width: 1200px;
+    margin: 2rem auto;
+    padding: 0 2rem;
+}
+
+.hero {
+    background: white;
+    padding: 3rem;
+    border-radius: 8px;
+    box-shadow: 0 2px 10px rgba(0,0,0,0.1);
+    text-align: center;
+    margin-bottom: 2rem;
+}
+
+.hero h2 {
+    font-size: 2.5rem;
+    margin-bottom: 1rem;
+    color: #2c3e50;
+}
+
+.hero p {
+    font-size: 1.2rem;
+    color: #666;
+}
+
+.features {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(300px, 1fr));
+    gap: 2rem;
+    margin: 2rem 0;
+}
+
+.feature {
+    background: white;
+    padding: 2rem;
+    border-radius: 8px;
+    box-shadow: 0 2px 10px rgba(0,0,0,0.1);
+}
+
+.feature h3 {
+    color: #2c3e50;
+    margin-bottom: 0.5rem;
+}
+
+.feature p {
+    color: #666;
+}
+
+.about {
+    background: white;
+    padding: 3rem;
+    border-radius: 8px;
+    box-shadow: 0 2px 10px rgba(0,0,0,0.1);
+}
+
+.about h2 {
+    color: #2c3e50;
+    margin-bottom: 1rem;
+}
+
+.about h3 {
+    color: #34495e;
+    margin-top: 2rem;
+    margin-bottom: 0.5rem;
+}
+
+.about ul {
+    margin-left: 2rem;
+    margin-bottom: 1rem;
+}
+
+.about pre {
+    background: #f5f5f5;
+    padding: 1rem;
+    border-radius: 4px;
+    overflow-x: auto;
+    margin-top: 1rem;
+}
+
+.about code {
+    font-family: 'Courier New', monospace;
+    font-size: 0.9rem;
+}
+
+footer {
+    background: #2c3e50;
+    color: white;
+    text-align: center;
+    padding: 2rem;
+    margin-top: 4rem;
+}
+
+@media (max-width: 768px) {
+    nav {
+        flex-direction: column;
+        gap: 1rem;
+    }
+
+    .hero h2 {
+        font-size: 2rem;
+    }
+
+    .features {
+        grid-template-columns: 1fr;
+    }
+}