Merge branch 'dev' into feature/ssh_scp

2026-01-05 21:12:09 +08:00 · 2022-05-14 15:43:26 +08:00
parent b37bf06de8 a551619de6
commit ed58f32052
34 changed files with 1532 additions and 566 deletions
--- a/deploy/mailcow.sh
+++ b/deploy/mailcow.sh
@@ -20,18 +20,23 @@ mailcow_deploy() {
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

-  _mailcow_path="${DEPLOY_MAILCOW_PATH}"
+  _getdeployconf DEPLOY_MAILCOW_PATH
+  _getdeployconf DEPLOY_MAILCOW_RELOAD

-  if [ -z "$_mailcow_path" ]; then
+  _debug DEPLOY_MAILCOW_PATH "$DEPLOY_MAILCOW_PATH"
+  _debug DEPLOY_MAILCOW_RELOAD "$DEPLOY_MAILCOW_RELOAD"
+
+  if [ -z "$DEPLOY_MAILCOW_PATH" ]; then
    _err "Mailcow path is not found, please define DEPLOY_MAILCOW_PATH."
    return 1
  fi

-  #Tests if _ssl_path is the mailcow root directory.
-  if [ -f "${_mailcow_path}/generate_config.sh" ]; then
-    _ssl_path="${_mailcow_path}/data/assets/ssl/"
-  else
-    _ssl_path="${_mailcow_path}"
+  _savedeployconf DEPLOY_MAILCOW_PATH "$DEPLOY_MAILCOW_PATH"
+  [ -n "$DEPLOY_MAILCOW_RELOAD" ] && _savedeployconf DEPLOY_MAILCOW_RELOAD "$DEPLOY_MAILCOW_RELOAD"
+
+  _ssl_path="$DEPLOY_MAILCOW_PATH"
+  if [ -f "$DEPLOY_MAILCOW_PATH/generate_config.sh" ]; then
+    _ssl_path="$DEPLOY_MAILCOW_PATH/data/assets/ssl/"
  fi

  if [ ! -d "$_ssl_path" ]; then
@@ -40,16 +45,15 @@ mailcow_deploy() {
  fi

  # ECC or RSA
-  if [ -z "${Le_Keylength}" ]; then
-    Le_Keylength=""
-  fi
-  if _isEccKey "${Le_Keylength}"; then
+  length=$(_readdomainconf Le_Keylength)
+  if _isEccKey "$length"; then
    _info "ECC key type detected"
    _cert_name_prefix="ecdsa-"
  else
    _info "RSA key type detected"
    _cert_name_prefix=""
  fi
+
  _info "Copying key and cert"
  _real_key="$_ssl_path/${_cert_name_prefix}key.pem"
  if ! cat "$_ckey" >"$_real_key"; then
@@ -63,7 +67,7 @@ mailcow_deploy() {
    return 1
  fi

-  DEFAULT_MAILCOW_RELOAD="docker restart $(docker ps -qaf name=postfix-mailcow); docker restart $(docker ps -qaf name=nginx-mailcow); docker restart $(docker ps -qaf name=dovecot-mailcow)"
+  DEFAULT_MAILCOW_RELOAD="docker restart \$(docker ps --quiet --filter name=nginx-mailcow --filter name=dovecot-mailcow)"
  _reload="${DEPLOY_MAILCOW_RELOAD:-$DEFAULT_MAILCOW_RELOAD}"

  _info "Run reload: $_reload"
--- a/deploy/routeros.sh
+++ b/deploy/routeros.sh
@@ -23,6 +23,7 @@
 # ```sh
 # export ROUTER_OS_USERNAME=certuser
 # export ROUTER_OS_HOST=router.example.com
+# export ROUTER_OS_PORT=22
 #
 # acme.sh --deploy -d ftp.example.com --deploy-hook routeros
 # ```
@@ -48,6 +49,16 @@
 # One optional thing to do as well is to create a script that updates
 # all the required services and run that script in a single command.
 #
+# To adopt parameters to `scp` and/or `ssh` set the optional
+# `ROUTER_OS_SSH_CMD` and `ROUTER_OS_SCP_CMD` variables accordingly,
+# see ssh(1) and scp(1) for parameters to those commands.
+#
+# Example:
+# ```ssh
+# export ROUTER_OS_SSH_CMD="ssh -i /acme.sh/.ssh/router.example.com -o UserKnownHostsFile=/acme.sh/.ssh/known_hosts"
+# export ROUTER_OS_SCP_CMD="scp -i /acme.sh/.ssh/router.example.com -o UserKnownHostsFile=/acme.sh/.ssh/known_hosts"
+# ````
+#
 # returns 0 means success, otherwise error.

 ########  Public functions #####################
@@ -59,6 +70,7 @@ routeros_deploy() {
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"
+  _err_code=0

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
@@ -80,6 +92,27 @@ routeros_deploy() {
    return 1
  fi

+  _getdeployconf ROUTER_OS_PORT
+
+  if [ -z "$ROUTER_OS_PORT" ]; then
+    _debug "Using default port 22 as ROUTER_OS_PORT, please set if not correct."
+    ROUTER_OS_PORT=22
+  fi
+
+  _getdeployconf ROUTER_OS_SSH_CMD
+
+  if [ -z "$ROUTER_OS_SSH_CMD" ]; then
+    _debug "Use default ssh setup."
+    ROUTER_OS_SSH_CMD="ssh -p $ROUTER_OS_PORT"
+  fi
+
+  _getdeployconf ROUTER_OS_SCP_CMD
+
+  if [ -z "$ROUTER_OS_SCP_CMD" ]; then
+    _debug "USe default scp setup."
+    ROUTER_OS_SCP_CMD="scp -P $ROUTER_OS_PORT"
+  fi
+
  _getdeployconf ROUTER_OS_ADDITIONAL_SERVICES

  if [ -z "$ROUTER_OS_ADDITIONAL_SERVICES" ]; then
@@ -89,16 +122,26 @@ routeros_deploy() {

  _savedeployconf ROUTER_OS_HOST "$ROUTER_OS_HOST"
  _savedeployconf ROUTER_OS_USERNAME "$ROUTER_OS_USERNAME"
+  _savedeployconf ROUTER_OS_PORT "$ROUTER_OS_PORT"
+  _savedeployconf ROUTER_OS_SSH_CMD "$ROUTER_OS_SSH_CMD"
+  _savedeployconf ROUTER_OS_SCP_CMD "$ROUTER_OS_SCP_CMD"
  _savedeployconf ROUTER_OS_ADDITIONAL_SERVICES "$ROUTER_OS_ADDITIONAL_SERVICES"

-  _info "Trying to push key '$_ckey' to router"
-  scp "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"
-  _info "Trying to push cert '$_cfullchain' to router"
-  scp "$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"
-  DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=admin policy=ftp,read,write,password,sensitive \
-source=\"## generated by routeros deploy script in acme.sh;\
-\n/certificate remove [ find name=$_cdomain.cer_0 ];\
+  # push key to routeros
+  if ! _scp_certificate "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"; then
+    return $_err_code
+  fi
+
+  # push certificate chain to routeros
+  if ! _scp_certificate "$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"; then
+    return $_err_code
+  fi
+
+  DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=$ROUTER_OS_USERNAME \
+comment=\"generated by routeros deploy script in acme.sh\" \
+source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\
 \n/certificate remove [ find name=$_cdomain.cer_1 ];\
+\n/certificate remove [ find name=$_cdomain.cer_2 ];\
 \ndelay 1;\
 \n/certificate import file-name=$_cdomain.cer passphrase=\\\"\\\";\
 \n/certificate import file-name=$_cdomain.key passphrase=\\\"\\\";\
@@ -110,12 +153,51 @@ source=\"## generated by routeros deploy script in acme.sh;\
 \n$ROUTER_OS_ADDITIONAL_SERVICES;\
 \n\"
 "
-  # shellcheck disable=SC2029
-  ssh "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "$DEPLOY_SCRIPT_CMD"
-  # shellcheck disable=SC2029
-  ssh "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "/system script run \"LE Cert Deploy - $_cdomain\""
-  # shellcheck disable=SC2029
-  ssh "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "/system script remove \"LE Cert Deploy - $_cdomain\""
+
+  if ! _ssh_remote_cmd "$DEPLOY_SCRIPT_CMD"; then
+    return $_err_code
+  fi
+
+  if ! _ssh_remote_cmd "/system script run \"LE Cert Deploy - $_cdomain\""; then
+    return $_err_code
+  fi
+
+  if ! _ssh_remote_cmd "/system script remove \"LE Cert Deploy - $_cdomain\""; then
+    return $_err_code
+  fi

  return 0
 }
+
+# inspired by deploy/ssh.sh
+_ssh_remote_cmd() {
+  _cmd="$1"
+  _secure_debug "Remote commands to execute: $_cmd"
+  _info "Submitting sequence of commands to routeros"
+  # quotations in bash cmd below intended.  Squash travis spellcheck error
+  # shellcheck disable=SC2029
+  $ROUTER_OS_SSH_CMD "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "$_cmd"
+  _err_code="$?"
+
+  if [ "$_err_code" != "0" ]; then
+    _err "Error code $_err_code returned from routeros"
+  fi
+
+  return $_err_code
+}
+
+_scp_certificate() {
+  _src="$1"
+  _dst="$2"
+  _secure_debug "scp '$_src' to '$_dst'"
+  _info "Push key '$_src' to routeros"
+
+  $ROUTER_OS_SCP_CMD "$_src" "$_dst"
+  _err_code="$?"
+
+  if [ "$_err_code" != "0" ]; then
+    _err "Error code $_err_code returned from scp"
+  fi
+
+  return $_err_code
+}
--- a/deploy/synology_dsm.sh
+++ b/deploy/synology_dsm.sh
@@ -94,7 +94,12 @@ synology_dsm_deploy() {

  otp_code=""
  if [ -n "$SYNO_TOTP_SECRET" ]; then
-    otp_code="$(oathtool --base32 --totp "${SYNO_TOTP_SECRET}" 2>/dev/null)"
+    if _exists oathtool; then
+      otp_code="$(oathtool --base32 --totp "${SYNO_TOTP_SECRET}" 2>/dev/null)"
+    else
+      _err "oathtool could not be found, install oathtool to use SYNO_TOTP_SECRET"
+      return 1
+    fi
  fi

  if [ -n "$SYNO_DID" ]; then
--- a/deploy/truenas.sh
+++ b/deploy/truenas.sh
@@ -38,7 +38,7 @@ truenas_deploy() {
  _getdeployconf DEPLOY_TRUENAS_APIKEY

  if [ -z "$DEPLOY_TRUENAS_APIKEY" ]; then
-    _err "TrueNAS Api Key is not found, please define DEPLOY_TRUENAS_APIKEY."
+    _err "TrueNAS API key not found, please set the DEPLOY_TRUENAS_APIKEY environment variable."
    return 1
  fi
  _secure_debug2 DEPLOY_TRUENAS_APIKEY "$DEPLOY_TRUENAS_APIKEY"
@@ -62,15 +62,14 @@ truenas_deploy() {

  _info "Testing Connection TrueNAS"
  _response=$(_get "$_api_url/system/state")
-  _info "TrueNAS System State: $_response."
+  _info "TrueNAS system state: $_response."

  if [ -z "$_response" ]; then
    _err "Unable to authenticate to $_api_url."
-    _err 'Check your Connection and set DEPLOY_TRUENAS_HOSTNAME="192.168.178.x".'
-    _err 'or'
-    _err 'set DEPLOY_TRUENAS_HOSTNAME="<truenas_dnsname>".'
-    _err 'Check your Connection and set DEPLOY_TRUENAS_SCHEME="https".'
-    _err "Check your Api Key."
+    _err 'Check your connection settings are correct, e.g.'
+    _err 'DEPLOY_TRUENAS_HOSTNAME="192.168.x.y" or DEPLOY_TRUENAS_HOSTNAME="truenas.example.com".'
+    _err 'DEPLOY_TRUENAS_SCHEME="https" or DEPLOY_TRUENAS_SCHEME="http".'
+    _err "Verify your TrueNAS API key is valid and set correctly, e.g. DEPLOY_TRUENAS_APIKEY=xxxx...."
    return 1
  fi

@@ -78,7 +77,7 @@ truenas_deploy() {
  _savedeployconf DEPLOY_TRUENAS_HOSTNAME "$DEPLOY_TRUENAS_HOSTNAME"
  _savedeployconf DEPLOY_TRUENAS_SCHEME "$DEPLOY_TRUENAS_SCHEME"

-  _info "Getting active certificate from TrueNAS"
+  _info "Getting current active certificate from TrueNAS"
  _response=$(_get "$_api_url/system/general")
  _active_cert_id=$(echo "$_response" | grep -B2 '"name":' | grep 'id' | tr -d -- '"id: ,')
  _active_cert_name=$(echo "$_response" | grep '"name":' | sed -n 's/.*: "\(.\{1,\}\)",$/\1/p')
@@ -88,14 +87,14 @@ truenas_deploy() {
  _debug Active_UI_http_redirect "$_param_httpsredirect"

  if [ "$DEPLOY_TRUENAS_SCHEME" = "http" ] && [ "$_param_httpsredirect" = "true" ]; then
-    _info "http Redirect active"
+    _info "HTTP->HTTPS redirection is enabled"
    _info "Setting DEPLOY_TRUENAS_SCHEME to 'https'"
    DEPLOY_TRUENAS_SCHEME="https"
    _api_url="$DEPLOY_TRUENAS_SCHEME://$DEPLOY_TRUENAS_HOSTNAME/api/v2.0"
    _savedeployconf DEPLOY_TRUENAS_SCHEME "$DEPLOY_TRUENAS_SCHEME"
  fi

-  _info "Upload new certifikate to TrueNAS"
+  _info "Uploading new certificate to TrueNAS"
  _certname="Letsencrypt_$(_utc_date | tr ' ' '_' | tr -d -- ':')"
  _debug3 _certname "$_certname"

@@ -104,30 +103,30 @@ truenas_deploy() {

  _debug3 _add_cert_result "$_add_cert_result"

-  _info "Getting Certificate list to get new Cert ID"
+  _info "Fetching list of installed certificates"
  _cert_list=$(_get "$_api_url/system/general/ui_certificate_choices")
  _cert_id=$(echo "$_cert_list" | grep "$_certname" | sed -n 's/.*"\([0-9]\{1,\}\)".*$/\1/p')

  _debug3 _cert_id "$_cert_id"

-  _info "Activate Certificate ID: $_cert_id"
+  _info "Current activate certificate ID: $_cert_id"
  _activateData="{\"ui_certificate\": \"${_cert_id}\"}"
  _activate_result="$(_post "$_activateData" "$_api_url/system/general" "" "PUT" "application/json")"

  _debug3 _activate_result "$_activate_result"

-  _info "Check if WebDAV certificate is the same as the WEB UI"
+  _info "Checking if WebDAV certificate is the same as the TrueNAS web UI"
  _webdav_list=$(_get "$_api_url/webdav")
  _webdav_cert_id=$(echo "$_webdav_list" | grep '"certssl":' | tr -d -- '"certsl: ,')

  if [ "$_webdav_cert_id" = "$_active_cert_id" ]; then
-    _info "Update the WebDAV Certificate"
+    _info "Updating the WebDAV certificate"
    _debug _webdav_cert_id "$_webdav_cert_id"
    _webdav_data="{\"certssl\": \"${_cert_id}\"}"
    _activate_webdav_cert="$(_post "$_webdav_data" "$_api_url/webdav" "" "PUT" "application/json")"
-    _webdav_new_cert_id=$(echo "$_activate_webdav_cert" | _json_decode | sed -n 's/.*: \([0-9]\{1,\}\) }$/\1/p')
+    _webdav_new_cert_id=$(echo "$_activate_webdav_cert" | _json_decode | grep '"certssl":' | sed -n 's/.*: \([0-9]\{1,\}\),\{0,1\}$/\1/p')
    if [ "$_webdav_new_cert_id" -eq "$_cert_id" ]; then
-      _info "WebDAV Certificate update successfully"
+      _info "WebDAV certificate updated successfully"
    else
      _err "Unable to set WebDAV certificate"
      _debug3 _activate_webdav_cert "$_activate_webdav_cert"
@@ -136,21 +135,21 @@ truenas_deploy() {
    fi
    _debug3 _webdav_new_cert_id "$_webdav_new_cert_id"
  else
-    _info "WebDAV certificate not set or not the same as Web UI"
+    _info "WebDAV certificate is not configured or is not the same as TrueNAS web UI"
  fi

-  _info "Check if FTP certificate is the same as the WEB UI"
+  _info "Checking if FTP certificate is the same as the TrueNAS web UI"
  _ftp_list=$(_get "$_api_url/ftp")
  _ftp_cert_id=$(echo "$_ftp_list" | grep '"ssltls_certificate":' | tr -d -- '"certislfa:_ ,')

  if [ "$_ftp_cert_id" = "$_active_cert_id" ]; then
-    _info "Update the FTP Certificate"
+    _info "Updating the FTP certificate"
    _debug _ftp_cert_id "$_ftp_cert_id"
    _ftp_data="{\"ssltls_certificate\": \"${_cert_id}\"}"
    _activate_ftp_cert="$(_post "$_ftp_data" "$_api_url/ftp" "" "PUT" "application/json")"
-    _ftp_new_cert_id=$(echo "$_activate_ftp_cert" | _json_decode | sed -n 's/.*: \([0-9]\{1,\}\) }$/\1/p')
+    _ftp_new_cert_id=$(echo "$_activate_ftp_cert" | _json_decode | grep '"ssltls_certificate":' | sed -n 's/.*: \([0-9]\{1,\}\),\{0,1\}$/\1/p')
    if [ "$_ftp_new_cert_id" -eq "$_cert_id" ]; then
-      _info "FTP Certificate update successfully"
+      _info "FTP certificate updated successfully"
    else
      _err "Unable to set FTP certificate"
      _debug3 _activate_ftp_cert "$_activate_ftp_cert"
@@ -159,22 +158,45 @@ truenas_deploy() {
    fi
    _debug3 _activate_ftp_cert "$_activate_ftp_cert"
  else
-    _info "FTP certificate not set or not the same as Web UI"
+    _info "FTP certificate is not configured or is not the same as TrueNAS web UI"
  fi

-  _info "Delete old Certificate"
+  _info "Checking if S3 certificate is the same as the TrueNAS web UI"
+  _s3_list=$(_get "$_api_url/s3")
+  _s3_cert_id=$(echo "$_s3_list" | grep '"certificate":' | tr -d -- '"certifa:_ ,')
+
+  if [ "$_s3_cert_id" = "$_active_cert_id" ]; then
+    _info "Updating the S3 certificate"
+    _debug _s3_cert_id "$_s3_cert_id"
+    _s3_data="{\"certificate\": \"${_cert_id}\"}"
+    _activate_s3_cert="$(_post "$_s3_data" "$_api_url/s3" "" "PUT" "application/json")"
+    _s3_new_cert_id=$(echo "$_activate_s3_cert" | _json_decode | grep '"certificate":' | sed -n 's/.*: \([0-9]\{1,\}\),\{0,1\}$/\1/p')
+    if [ "$_s3_new_cert_id" -eq "$_cert_id" ]; then
+      _info "S3 certificate updated successfully"
+    else
+      _err "Unable to set S3 certificate"
+      _debug3 _activate_s3_cert "$_activate_s3_cert"
+      _debug3 _s3_new_cert_id "$_s3_new_cert_id"
+      return 1
+    fi
+    _debug3 _activate_s3_cert "$_activate_s3_cert"
+  else
+    _info "S3 certificate is not configured or is not the same as TrueNAS web UI"
+  fi
+
+  _info "Deleting old certificate"
  _delete_result="$(_post "" "$_api_url/certificate/id/$_active_cert_id" "" "DELETE" "application/json")"

  _debug3 _delete_result "$_delete_result"

-  _info "Reload WebUI from TrueNAS"
+  _info "Reloading TrueNAS web UI"
  _restart_UI=$(_get "$_api_url/system/general/ui_restart")
  _debug2 _restart_UI "$_restart_UI"

  if [ -n "$_add_cert_result" ] && [ -n "$_activate_result" ]; then
    return 0
  else
-    _err "Certupdate was not succesfull, please use --debug"
+    _err "Certificate update was not succesful, please try again with --debug"
    return 1
  fi
 }