

#!/usr/bin/env bash
# Deploy certificates to a Proxmox Virtual Environment node using its API.
#
# Environment variables that can be set are:
# `DEPLOY_PROXMOXVE_SERVER`: The hostname of the Proxmox VE node. Defaults to
# the certificate domain (_cdomain).
# `DEPLOY_PROXMOXVE_SERVER_PORT`: The port number the management interface
# listens on. Defaults to 8006.
# `DEPLOY_PROXMOXVE_NODE_NAME`: The name of the node we'll be connecting to.
# Defaults to the host portion of the server domain name.
# `DEPLOY_PROXMOXVE_USER`: The user we'll connect as. Defaults to root.
# `DEPLOY_PROXMOXVE_USER_REALM`: The authentication realm the user authenticates
# with. Defaults to pam.
# `DEPLOY_PROXMOXVE_API_TOKEN_NAME`: The name of the API token created for the
# user account. Defaults to acme.
# `DEPLOY_PROXMOXVE_API_TOKEN_KEY`: The API token secret. Required.
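#######################################
# Upload a certificate and its private key to a Proxmox VE node through the
# /nodes/<node>/certificates/custom API endpoint.
# Globals:   reads DEPLOY_PROXMOXVE_SERVER, DEPLOY_PROXMOXVE_SERVER_PORT,
#            DEPLOY_PROXMOXVE_NODE_NAME, DEPLOY_PROXMOXVE_USER,
#            DEPLOY_PROXMOXVE_USER_REALM, DEPLOY_PROXMOXVE_API_TOKEN_NAME,
#            DEPLOY_PROXMOXVE_API_TOKEN_KEY (required)
# Arguments: $1 - domain, $2 - key file, $3 - certificate file,
#            $4 - CA file (only logged), $5 - full-chain file
# Outputs:   progress and errors via _info / _err / _debug
# Returns:   0 when the API accepted the certificate, 1 otherwise
#######################################
proxmoxve_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"
  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  # Target node. Hostname and port default to the certificate domain and the
  # standard management port; an empty variable counts as unset.
  _target_hostname="${DEPLOY_PROXMOXVE_SERVER:-$_cdomain}"
  _target_port="${DEPLOY_PROXMOXVE_SERVER_PORT:-8006}"
  # Node name defaults to the first DNS label of the target hostname.
  _node_name="${DEPLOY_PROXMOXVE_NODE_NAME:-${_target_hostname%%.*}}"
  _target_url="https://${_target_hostname}:${_target_port}/api2/json/nodes/${_node_name}/certificates/custom"

  # Credentials. The "root" default is only replaced when DEPLOY_PROXMOXVE_USER
  # is set and non-empty (the previous check tested the default itself and so
  # always overwrote it, leaving the user empty when the variable was unset).
  _proxmoxve_user="${DEPLOY_PROXMOXVE_USER:-root}"
  _proxmoxve_user_realm="${DEPLOY_PROXMOXVE_USER_REALM:-pam}"
  _proxmoxve_api_token_name="${DEPLOY_PROXMOXVE_API_TOKEN_NAME:-acme}"
  # The token secret is the only mandatory setting.
  _proxmoxve_api_token_key="$DEPLOY_PROXMOXVE_API_TOKEN_KEY"
  if [ -z "$_proxmoxve_api_token_key" ]; then
    _err "API key not provided."
    return 1
  fi
  # Value used in "Authorization: PVEAPIToken=<user>@<realm>!<token name>=<secret>".
  _proxmoxve_header_api_token="${_proxmoxve_user}@${_proxmoxve_user_realm}!${_proxmoxve_api_token_name}=${_proxmoxve_api_token_key}"

  if [ ! -r "$_cfullchain" ] || [ ! -r "$_ckey" ]; then
    _err "Certificate chain or key file is not readable."
    return 1
  fi

  # The request body embeds the private key, so it is staged in a fresh
  # mode-0700 directory with an unpredictable name. A fixed path under /tmp
  # could be pre-created or symlinked by another local user, in which case
  # the chmod below would never run and the key would land in their directory.
  if ! _proxmoxve_temp_data="$(mktemp -d)" || [ ! -d "$_proxmoxve_temp_data" ]; then
    _err "Unable to create a private temporary directory."
    return 1
  fi
  _proxmoxve_temp_data_file="$_proxmoxve_temp_data/body.json"

  # PEM -> single-line JSON string: every newline becomes the two characters
  # "\n". PEM carries no '"' or '\' (and no ':', which is used as the
  # intermediate marker), so no further JSON escaping is required.
  _fullchain_json="$(tr '\n' ':' <"$_cfullchain" | sed 's/:/\\n/g')"
  _key_json="$(tr '\n' ':' <"$_ckey" | sed 's/:/\\n/g')"

  # Write the body with an owner-only umask; the subshell keeps the umask
  # change from leaking into the calling shell. The heredoc lines are left
  # unindented on purpose: their leading whitespace would be sent verbatim.
  (
    umask 077
    cat <<HEREDOC >"$_proxmoxve_temp_data_file"
{
"certificates": "$_fullchain_json",
"key": "$_key_json",
"node":"$_node_name",
"restart":"1",
"force":"1"
}
HEREDOC
  )

  # Push the certificate to the node.
  #
  # --insecure skips verification of the node's management certificate, which
  #   is typically self-signed or is the very certificate being replaced. The
  #   token and the private key therefore travel over an unauthenticated TLS
  #   session; run this only against a node reached over a trusted network.
  # --fail makes curl exit non-zero on an HTTP error status (>= 400).
  # The token is visible in the process list for the duration of the request.
  if curl -X "POST" --header "Content-Type: application/json" \
    --header "Authorization: PVEAPIToken=${_proxmoxve_header_api_token}" \
    --data "@${_proxmoxve_temp_data_file}" \
    --insecure --fail \
    "${_target_url}"; then
    _info "Successfully updated certificate for $_cdomain."
    _proxmoxve_rv=0
  else
    _err "Unable to update certificate for $_cdomain."
    _proxmoxve_rv=1
  fi

  # Always remove the staged body: it contains the private key. The :? guard
  # refuses to run if the variable is somehow empty.
  rm -r "${_proxmoxve_temp_data:?}"
  return $_proxmoxve_rv
}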