The beautiful thing about the mariadb/galera multimaster database approach is: Each cit-server talking to a database server instance --- running on the same box citadel is --- thinks it's the only server running. The fact that citadel has that wonderful 'go threading' call, and has sorted through all the transaction/multiple cursors thing makes citserver threads running on different boxes seem not different to any one citserver thread than a local one. When a system goes down it's no different than a few threads stopping, when it comes back it seems like there are more threads handling the load.
Certainly in prep for some approach such as this: When moving the config structure to key/data model: Use the BIOS box uuid (or if that's blank create one and store it in /etc/citadel/something.conf), then cause all the entries that are specific to one instance use that UUID as part of the key. It wouldn't harm matters for a single instance and would be backend database agnostic.
Surveying the landscape out there, I can't help but have the feeling that creating a version of cit-server with these high-availability features makes creating some sort of consortium of developers and High Availability users where the users pay dues of some sort so they could gain comfort about the long term future of the package. I see many packages out there that change the licensing structure to 'the honor system', others go the closed source route for the add-in package I don't know what the answer is, but I do feel confident the people using the HA system wouldn't deploy it without having some assurance the package would be kept current going forward, and would much rather pay for that comfort as the expense of hiring internal tech staff to stay current enough to step in at need would be 10x more expensive.