From cbc3acd33a331b333cf1cb68656098a8f7ca999d Mon Sep 17 00:00:00 2001
From: medmunds <medmunds@gmail.com>
Date: Mon, 28 Dec 2020 15:39:47 -0800
Subject: [PATCH] fix: unifi deploy hook also update Cloud Key nginx certs

When running on a Unifi Cloud Key device, also deploy to
/etc/ssl/private/cloudkey.{crt,key} and reload nginx. This
makes the new cert available for the Cloud Key management
app running via nginx on port 443 (as well as the port 8443
Unifi Controller app the deploy hook already supported).

Fixes #3326
---
 deploy/unifi.sh | 82 +++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 65 insertions(+), 17 deletions(-)

diff --git a/deploy/unifi.sh b/deploy/unifi.sh
index 184aa62e..e2606537 100644
--- a/deploy/unifi.sh
+++ b/deploy/unifi.sh
@@ -4,10 +4,16 @@
 
 #returns 0 means success, otherwise error.
 
+# Settings for Unifi Controller:
 #DEPLOY_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
 #DEPLOY_UNIFI_KEYPASS="aircontrolenterprise"
 #DEPLOY_UNIFI_RELOAD="service unifi restart"
 
+# Additional settings for Unifi Cloud Key:
+#DEPLOY_UNIFI_CLOUDKEY=yes
+#DEPLOY_UNIFI_CLOUDKEY_CERTDIR="/etc/ssl/private"
+#DEPLOY_UNIFI_RELOAD="service unifi restart && service nginx restart"
+
 ########  Public functions #####################
 
 #domain keyfile certfile cafile fullchain
@@ -29,11 +35,22 @@ unifi_deploy() {
     return 1
   fi
 
+  DEFAULT_DEPLOY_UNIFI_CLOUDKEY_CERTDIR="/etc/ssl/private"
+  _cloudkey_certdir="${DEPLOY_UNIFI_CLOUDKEY_CERTDIR:-$DEFAULT_DEPLOY_UNIFI_CLOUDKEY_CERTDIR}"
+  DEFAULT_DEPLOY_UNIFI_CLOUDKEY="no"
+  if [ -f "${_cloudkey_certdir}/cloudkey.key" ]; then
+    DEFAULT_DEPLOY_UNIFI_CLOUDKEY="yes"
+  fi
+  _cloudkey_deploy="${DEPLOY_UNIFI_CLOUDKEY:-$DEFAULT_DEPLOY_UNIFI_CLOUDKEY}"
+
   DEFAULT_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
   _unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-$DEFAULT_UNIFI_KEYSTORE}"
   DEFAULT_UNIFI_KEYPASS="aircontrolenterprise"
   _unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-$DEFAULT_UNIFI_KEYPASS}"
   DEFAULT_UNIFI_RELOAD="service unifi restart"
+  if [ "$_cloudkey_deploy" = "yes" ]; then
+    DEFAULT_UNIFI_RELOAD="service nginx restart && ${DEFAULT_UNIFI_RELOAD}"
+  fi
   _reload="${DEPLOY_UNIFI_RELOAD:-$DEFAULT_UNIFI_RELOAD}"
 
   _debug _unifi_keystore "$_unifi_keystore"
@@ -51,6 +68,19 @@ unifi_deploy() {
     return 1
   fi
 
+  _debug _cloudkey_deploy "$_cloudkey_deploy"
+  _debug _cloudkey_certdir "$_cloudkey_certdir"
+  if [ "$_cloudkey_deploy" = "yes" ]; then
+    if [ ! -d "$_cloudkey_certdir" ]; then
+      _err "The directory $_cloudkey_certdir is missing or invalid; please define DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
+      return 1
+    fi
+    if [ ! -w "$_cloudkey_certdir" ]; then
+      _err "The directory $_cloudkey_certdir is not writable; please check permissions"
+      return 1
+    fi
+  fi
+
   _info "Generate import pkcs12"
   _import_pkcs12="$(_mktemp)"
   _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root
@@ -72,29 +102,47 @@ unifi_deploy() {
     return 1
   fi
 
+  if [ "$_cloudkey_deploy" = "yes" ]; then
+    _info "Install Cloud Key certificate: $_cloudkey_certdir"
+    cp "$_cfullchain" "${_cloudkey_certdir}/cloudkey.crt"
+    cp "$_ckey" "${_cloudkey_certdir}/cloudkey.key"
+    (cd "$_cloudkey_certdir" && tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks)
+    _info "Install Cloud Key certificate success!"
+  fi
+
   _info "Run reload: $_reload"
   if eval "$_reload"; then
     _info "Reload success!"
-    if [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
-      _savedomainconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
-    else
-      _cleardomainconf DEPLOY_UNIFI_KEYSTORE
-    fi
-    if [ "$DEPLOY_UNIFI_KEYPASS" ]; then
-      _savedomainconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
-    else
-      _cleardomainconf DEPLOY_UNIFI_KEYPASS
-    fi
-    if [ "$DEPLOY_UNIFI_RELOAD" ]; then
-      _savedomainconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
-    else
-      _cleardomainconf DEPLOY_UNIFI_RELOAD
-    fi
-    return 0
   else
     _err "Reload error"
     return 1
   fi
-  return 0
 
+  if [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
+    _savedomainconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
+  else
+    _cleardomainconf DEPLOY_UNIFI_KEYSTORE
+  fi
+  if [ "$DEPLOY_UNIFI_KEYPASS" ]; then
+    _savedomainconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
+  else
+    _cleardomainconf DEPLOY_UNIFI_KEYPASS
+  fi
+  if [ "$DEPLOY_UNIFI_RELOAD" ]; then
+    _savedomainconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
+  else
+    _cleardomainconf DEPLOY_UNIFI_RELOAD
+  fi
+  if [ "$DEPLOY_UNIFI_CLOUDKEY" ]; then
+    _savedomainconf DEPLOY_UNIFI_CLOUDKEY "$DEPLOY_UNIFI_CLOUDKEY"
+  else
+    _cleardomainconf DEPLOY_UNIFI_CLOUDKEY
+  fi
+  if [ "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR" ]; then
+    _savedomainconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
+  else
+    _cleardomainconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR
+  fi
+
+  return 0
 }