#!/usr/bin/env bash set -o nounset set -o errexit mkdir -p ~/.ssh cp /opt/id_rsa ~/.ssh/id_rsa chmod 600 ~/.ssh/id_rsa if [ "${HOSTNAME}" == "truenas" ]; then printf -v truenas_api_key %q "$TRUENAS_API_KEY" elif [ "${HOSTNAME}" == "truenas-remote" ]; then printf -v truenas_api_key %q "$TRUENAS_REMOTE_API_KEY" fi printf -v cert_deploy_minio_enabled_str %q "$CERTS_DEPLOY_MINIO_ENABLED" printf -v cert_deploy_postgresql_enabled_str %q "$CERTS_DEPLOY_POSTGRESQL_ENABLED" printf -v pushover_api_token_str %q "$PUSHOVER_API_TOKEN" printf -v pushover_user_key_str %q "$PUSHOVER_USER_KEY" printf -v secret_domain_str %q "$SECRET_DOMAIN" scp -o StrictHostKeyChecking=no /app/truenas-certs-deploy.py homelab@${HOSTNAME}.${SECRET_DOMAIN}:${TRUENAS_HOME}/scripts/certificates_deploy.py ssh -o StrictHostKeyChecking=no homelab@${HOSTNAME}.${SECRET_DOMAIN} "/bin/bash -s $truenas_api_key $cert_deploy_minio_enabled_str $cert_deploy_postgresql_enabled_str $pushover_api_token_str $pushover_user_key_str $secret_domain_str" << 'EOF' set -o nounset set -o errexit PUSHOVER_API_TOKEN=$4 PUSHOVER_USER_KEY=$5 SECRET_DOMAIN=$6 # Variables TARGET=$(hostname) DAYS=21 CERTIFICATE_PATH="${HOME}/letsencrypt/${SECRET_DOMAIN}" SCRIPT_PATH="${HOME}/scripts" export CERTS_DEPLOY_API_KEY=$1 export CERTS_DEPLOY_PRIVATE_KEY_PATH=${CERTIFICATE_PATH}/key.pem export CERTS_DEPLOY_FULLCHAIN_PATH=${CERTIFICATE_PATH}/fullchain.pem if [ "$2" == "True" ]; then export CERTS_DEPLOY_MINIO_ENABLED=$2 fi CERTS_DEPLOY_MINIO_CERT_PATH=/mnt/storage/iocage/jails/minio_v2/root/home/minio/certs if [ "$3" == "True" ]; then export CERTS_DEPLOY_POSTGRESQL_ENABLED=$3 fi CERTS_DEPLOY_POSTGRESQL_PATH=/mnt/apps/postgresql # Check if cert is older than 69 days result=$(find ${CERTS_DEPLOY_PRIVATE_KEY_PATH} -mtime +69) if [[ "$result" == "${CERTS_DEPLOY_PRIVATE_KEY_PATH}" ]]; then echo "ERROR - Certificate is older than 69 days" echo "ERROR - Verify than it has been renewed by ACME client on opnsense and that the upload automation has been executed" curl -s \ --form-string "token=${PUSHOVER_API_TOKEN}" \ --form-string "user=${PUSHOVER_USER_KEY}" \ --form-string "message=Certificate on $TARGET is older than 69 days. Verify than it has been renewed by ACME client on opnsense and that the upload automation has been executed" \ https://api.pushover.net/1/messages.json else echo "INFO checking if $TARGET expires in less than $DAYS days" set +o errexit openssl x509 -checkend $(( 24*3600*$DAYS )) -noout -in <(openssl s_client -showcerts -connect $TARGET:443 /dev/null | openssl x509 -outform PEM) if [[ $? -ne 0 ]]; then set -o errexit echo "INFO - Certificate expires in less than $DAYS days" echo "INFO - Deploying new certificate" # Deploy certificate (truenas UI) python ${SCRIPT_PATH}/certificates_deploy.py # Copy certificates (minio) if [ "CERTS_DEPLOY_MINIO_ENABLED" == "True" ]; then cp -pr ${CERTS_DEPLOY_PRIVATE_KEY_PATH} ${CERTS_DEPLOY_MINIO_CERT_PATH}/private.key cp -pr ${CERTS_DEPLOY_FULLCHAIN_PATH} ${CERTS_DEPLOY_MINIO_CERT_PATH}/public.crt iocage exec minio_v2 'service minio restart' fi # Copy certificates (postgresql) if [ "CERTS_DEPLOY_POSTGRESQL_ENABLED" == "True" ]; then pg_data_dirs=$(find /mnt/{{ postgresql_pool_name }}/postgresql -type d -maxdepth 1 -name '*data*' -exec basename {} \;) for i in $pg_data_dirs; do cp -pr ${CERTS_DEPLOY_PRIVATE_KEY_PATH} ${CERTS_DEPLOY_POSTGRESQL_PATH}/$i/server.key cp -pr ${CERTS_DEPLOY_FULLCHAIN_PATH} ${CERTS_DEPLOY_POSTGRESQL_PATH}/$i/server.crt iocage exec postgresql_v${i: -2} 'service postgresql reload' done fi curl -s \ --form-string "token=${PUSHOVER_API_TOKEN}" \ --form-string "user=${PUSHOVER_USER_KEY}" \ --form-string "message=New Let's Encrypt certificate deployed on $TARGET." \ https://api.pushover.net/1/messages.json else echo "INFO - Certificate expires in more than $DAYS days" fi fi EOF