From 014a7814260025cac0aa7d3c0e95ac2cfb4d5230 Mon Sep 17 00:00:00 2001
From: invario <67800603+invario@users.noreply.github.com>
Date: Sun, 6 Jul 2025 20:12:10 -0400
Subject: [PATCH 1/2] Create localcopy deploy-hook Deploy-hook to very simply copy files to set directories and then execute whatever reloadcmd the admin needs afterwards. This can be useful for configurations where the "multideploy" hook (in development) is used or when an admin wants ACME.SH to renew certs but needs to manually configure deployment via an external script (e.g. The deploy-freenas script for TrueNAS Core/Scale https://github.com/danb35/deploy-freenas/
Signed-off-by: invario <67800603+invario@users.noreply.github.com>
---
 deploy/localcopy.sh | 100 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 100 insertions(+)
 create mode 100644 deploy/localcopy.sh
diff --git a/deploy/localcopy.sh b/deploy/localcopy.sh
new file mode 100644
index 00000000..3b4fc219
--- /dev/null
+++ b/deploy/localcopy.sh
@@ -0,0 +1,100 @@
+#!/usr/bin/env sh
+
+# Deploy-hook to very simply copy files to set directories and then
+# execute whatever reloadcmd the admin needs afterwards. This can be
+# useful for configurations where the "multideploy" hook (in development)
+# is used or when an admin wants ACME.SH to renew certs but needs to
+# manually configure deployment via an external script
+# (e.g. The deploy-freenas script for TrueNAS Core/Scale
+# https://github.com/danb35/deploy-freenas/ )
+#
+#
+# Environment variables to be utilized are as follows:
+#
+# DEPLOY_LOCALCOPY_CERTIFICATE - /path/to/target/cert.cer
+# DEPLOY_LOCALCOPY_CERTKEY - /path/to/target/cert.key
+# DEPLOY_LOCALCOPY_FULLCHAIN - /path/to/target/fullchain.cer
+# DEPLOY_LOCALCOPY_CA - /path/to/target/ca.cer
+# DEPLOY_LOCALCOPY_RELOADCMD - "echo 'this is my cmd'"
+
+######## Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+localcopy_deploy() {
+ _cdomain="$1"
+ _ckey="$2"
+ _ccert="$3"
+ _cca="$4"
+ _cfullchain="$5"
+
+ _debug _cdomain "$_cdomain"
+ _debug _ckey "$_ckey"
+ _debug _ccert "$_ccert"
+ _debug _cca "$_cca"
+ _debug _cfullchain "$_cfullchain"
+
+ _getdeployconf DEPLOY_LOCALCOPY_CERTIFICATE
+ _getdeployconf DEPLOY_LOCALCOPY_CERTKEY
+ _getdeployconf DEPLOY_LOCALCOPY_FULLCHAIN
+ _getdeployconf DEPLOY_LOCALCOPY_CA
+ _getdeployconf DEPLOY_LOCALCOPY_RELOADCMD
+
+ if [ "$DEPLOY_LOCALCOPY_CERTIFICATE" ]; then
+ _info "Copying certificate"
+ _debug "Copying $_ccert to $DEPLOY_LOCALCOPY_CERTIFICATE"
+ if ! eval "cp $_ccert $DEPLOY_LOCALCOPY_CERTIFICATE"; then
+ _err "Failed to copy certificate, aborting."
+ return 1
+ fi
+ _savedeployconf DEPLOY_LOCALCOPY_CERTIFICATE "$DEPLOY_LOCALCOPY_CERTIFICATE"
+ fi
+
+ if [ "$DEPLOY_LOCALCOPY_CERTKEY" ]; then
+ _info "Copying certificate key"
+ _debug "Copying $_ckey to $DEPLOY_LOCALCOPY_CERTKEY"
+ if ! eval "cp $_ckey $DEPLOY_LOCALCOPY_CERTKEY"; then
+ _err "Failed to copy certificate key, aborting."
+ return 1
+ fi
+ _savedeployconf DEPLOY_LOCALCOPY_CERTKEY "$DEPLOY_LOCALCOPY_CERTKEY"
+ fi
+
+ if [ "$DEPLOY_LOCALCOPY_FULLCHAIN" ]; then
+ _info "Copying fullchain"
+ _debug "Copying $_cfullchain to $DEPLOY_LOCALCOPY_FULLCHAIN"
+ if ! eval "cp $_cfullchain $DEPLOY_LOCALCOPY_FULLCHAIN"; then
+ _err "Failed to copy fullchain, aborting."
+ return 1
+ fi
+ _savedeployconf DEPLOY_LOCALCOPY_FULLCHAIN "$DEPLOY_LOCALCOPY_FULLCHAIN"
+ fi
+
+ if [ "$DEPLOY_LOCALCOPY_CA" ]; then
+ _info "Copying CA"
+ _debug "Copying $_cca to $DEPLOY_LOCALCOPY_CA"
+ if ! eval "cp $_cca $DEPLOY_LOCALCOPY_CA"; then
+ _err "Failed to copy CA, aborting."
+ return 1
+ fi
+ _savedeployconf DEPLOY_LOCALCOPY_CA "$DEPLOY_LOCALCOPY_CA"
+ fi
+
+ _reload=$DEPLOY_LOCALCOPY_RELOADCMD
+ _debug "Running reloadcmd $_reload"
+
+ if [ -z "$_reload" ]; then
+ _info "Reloadcmd not provided, skipping."
+ else
+ _info "Reloading"
+ if eval "$_reload"; then
+ _info "Reload successful."
+ _savedeployconf DEPLOY_LOCALCOPY_RELOADCMD "$DEPLOY_LOCALCOPY_RELOADCMD" "base64"
+ else
+ _err "Reload failed."
+ return 1
+ fi
+ fi
+
+ _info "$(__green "'localcopy' deploy success")"
+ return 0
+}
From 3252e0ce2e26fae5cc50edd9f61bd2b7a96b15b3 Mon Sep 17 00:00:00 2001
From: invario <67800603+invario@users.noreply.github.com>
Date: Mon, 28 Jul 2025 12:14:12 -0400
Subject: [PATCH 2/2] Add outputs for PFX and PEM
Signed-off-by: invario <67800603+invario@users.noreply.github.com>
---
 deploy/localcopy.sh | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 50 insertions(+), 2 deletions(-)
diff --git a/deploy/localcopy.sh b/deploy/localcopy.sh
index 3b4fc219..38ae9599 100644
--- a/deploy/localcopy.sh
+++ b/deploy/localcopy.sh
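Review bot: In the first patch's `localcopy_deploy`, every copy runs through `eval "cp $src $target"`, which makes the shell re-parse the expanded paths: a space, glob character or shell metacharacter in a configured target (or in the source path) changes the command that actually runs, up to executing text taken from the saved deploy config. `eval` is not needed for a copy; `if ! cp "$_ccert" "$DEPLOY_LOCALCOPY_CERTIFICATE"; then` does the same work with each path passed as a single argument. The same applies to the key, full-chain and CA copies in this hunk and to the PFX copy added in the second patch. The `eval "$_reload"` call is a different case, since running an admin-supplied command is its purpose.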
@@ -8,13 +8,17 @@ # (e.g. The deploy-freenas script for TrueNAS Core/Scale # https://github.com/danb35/deploy-freenas/ ) # +# If the same file is configured for the certificate key +# and the certificate and/or full chain, a combined PEM file will +# be output instead. # # Environment variables to be utilized are as follows: # -# DEPLOY_LOCALCOPY_CERTIFICATE - /path/to/target/cert.cer # DEPLOY_LOCALCOPY_CERTKEY - /path/to/target/cert.key +# DEPLOY_LOCALCOPY_CERTIFICATE - /path/to/target/cert.cer # DEPLOY_LOCALCOPY_FULLCHAIN - /path/to/target/fullchain.cer # DEPLOY_LOCALCOPY_CA - /path/to/target/ca.cer +# DEPLOY_LOCALCOPY_PFX - /path/to/target/cert.pfx # DEPLOY_LOCALCOPY_RELOADCMD - "echo 'this is my cmd'" ######## Public functions ##################### 
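Review bot: The added header comment does not say what the combined file contains or which source wins when the key path equals both the certificate and the full-chain path. From the logic added later in this patch, the file is the certificate (or full chain) followed by the private key, and the full chain takes precedence when both match. Suggest spelling that out, e.g. `# The combined file holds the certificate (the full chain if both match) followed by the key,` and `# so the target path needs the same protection as a private key file.`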
@@ -26,18 +30,53 @@ localcopy_deploy() { _ccert="$3" _cca="$4" _cfullchain="$5" + _cpfx="$6" _debug _cdomain "$_cdomain" _debug _ckey "$_ckey" _debug _ccert "$_ccert" _debug _cca "$_cca" _debug _cfullchain "$_cfullchain" + _debug _cpfx "$_cpfx" _getdeployconf DEPLOY_LOCALCOPY_CERTIFICATE _getdeployconf DEPLOY_LOCALCOPY_CERTKEY _getdeployconf DEPLOY_LOCALCOPY_FULLCHAIN _getdeployconf DEPLOY_LOCALCOPY_CA _getdeployconf DEPLOY_LOCALCOPY_RELOADCMD + _getdeployconf DEPLOY_LOCALCOPY_PFX + _combined_target="" + _combined_srccert="" + + if [ "$DEPLOY_LOCALCOPY_CERTKEY" ] && + { [ "$DEPLOY_LOCALCOPY_CERTKEY" = "$DEPLOY_LOCALCOPY_FULLCHAIN" ] || + [ "$DEPLOY_LOCALCOPY_CERTKEY" = "$DEPLOY_LOCALCOPY_CERTIFICATE" ]; }; then + + _combined_target="$DEPLOY_LOCALCOPY_CERTKEY" + _savedeployconf DEPLOY_LOCALCOPY_CERTKEY "$DEPLOY_LOCALCOPY_CERTKEY" + + if [ "$DEPLOY_LOCALCOPY_CERTKEY" = "$DEPLOY_LOCALCOPY_CERTIFICATE" ]; then + _combined_srccert="$_ccert" + _savedeployconf DEPLOY_LOCALCOPY_CERTIFICATE "$DEPLOY_LOCALCOPY_CERTIFICATE" + DEPLOY_LOCALCOPY_CERTIFICATE="" + fi + if [ "$DEPLOY_LOCALCOPY_CERTKEY" = "$DEPLOY_LOCALCOPY_FULLCHAIN" ]; then + _combined_srccert="$_cfullchain" + _savedeployconf DEPLOY_LOCALCOPY_FULLCHAIN "$DEPLOY_LOCALCOPY_FULLCHAIN" + DEPLOY_LOCALCOPY_FULLCHAIN="" + fi + DEPLOY_LOCALCOPY_CERTKEY="" + _info "Creating combined PEM at $_combined_target" + _tmpfile="$(mktemp)" + if ! cat "$_combined_srccert" "$_ckey" >"$_tmpfile"; then + _err "Failed to build combined PEM file" + return 1 + fi + if ! mv "$_tmpfile" "$_combined_target"; then + _err "Failed to move combined PEM into place" + return 1 + fi + fi if [ "$DEPLOY_LOCALCOPY_CERTIFICATE" ]; then _info "Copying certificate" @@ -46,7 +85,6 @@ localcopy_deploy() { _err "Failed to copy certificate, aborting." return 1 fi - _savedeployconf DEPLOY_LOCALCOPY_CERTIFICATE "$DEPLOY_LOCALCOPY_CERTIFICATE" fi if [ "$DEPLOY_LOCALCOPY_CERTKEY" ]; then 
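Review bot: The temporary file that receives the private key is never removed on the two failure paths, and the `mktemp` call itself is unchecked, so a failed `cat` or `mv` leaves key material behind in the default temp directory. Creating the temp file next to the target also keeps the final `mv` on one filesystem, so it stays a rename instead of a cross-device copy. Because `mv` replaces the target, any owner or mode an admin set on an existing combined file is presumably lost, which is worth a line in the header comment. The enclosing `localcopy_deploy` starts and ends outside this hunk.

```shell
    # … unchanged: combined-target detection and _savedeployconf calls …
    _info "Creating combined PEM at $_combined_target"
    if ! _tmpfile="$(mktemp "$_combined_target.XXXXXX")"; then
      _err "Failed to create temporary file for combined PEM"
      return 1
    fi
    if ! cat "$_combined_srccert" "$_ckey" >"$_tmpfile"; then
      rm -f "$_tmpfile"
      _err "Failed to build combined PEM file"
      return 1
    fi
    if ! mv "$_tmpfile" "$_combined_target"; then
      rm -f "$_tmpfile"
      _err "Failed to move combined PEM into place"
      return 1
    fi
```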
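Review bot: Removing `_savedeployconf DEPLOY_LOCALCOPY_CERTIFICATE "$DEPLOY_LOCALCOPY_CERTIFICATE"` from the certificate branch means a certificate target that differs from the key target is no longer saved anywhere. The only remaining save for it is inside the combined-PEM branch, which runs only when the two paths are equal. The key, full-chain and CA branches are not touched by this patch and, per the first patch, still save their values, so this looks unintended; on a later renewal the certificate copy would presumably be skipped unless the variable is exported again. Suggest keeping the removed line after the successful copy: the combined branch clears the variable first, so this block does not run in that case.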
@@ -79,6 +117,16 @@ localcopy_deploy() { _savedeployconf DEPLOY_LOCALCOPY_CA "$DEPLOY_LOCALCOPY_CA" fi + if [ "$DEPLOY_LOCALCOPY_PFX" ]; then + _info "Copying PFX" + _debug "Copying $_cpfx to $DEPLOY_LOCALCOPY_PFX" + if ! eval "cp $_cpfx $DEPLOY_LOCALCOPY_PFX"; then + _err "Failed to copy PFX, aborting." + return 1 + fi + _savedeployconf DEPLOY_LOCALCOPY_PFX "$DEPLOY_LOCALCOPY_PFX" + fi + _reload=$DEPLOY_LOCALCOPY_RELOADCMD _debug "Running reloadcmd $_reload"
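Review bot: `$_cpfx` is taken from `$6` earlier in this patch, but the function's argument comment still lists five parameters (`#domain keyfile certfile cafile fullchain`), and nothing here checks that a PFX path was passed or that the file exists. If `$6` is empty, the eval'd command collapses to `cp` with a single operand and the deploy fails after the other files were already copied. Suggest a guard before the copy, such as `if [ -z "$_cpfx" ] || [ ! -f "$_cpfx" ]; then _err "No PFX file available to copy."; return 1; fi`, and updating the argument comment. The PKCS#12 file also holds the private key, so its target deserves the same permissions as the key file.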