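#!/bin/bash
# Deploy certificate to Home Assistant
#
# Usage: ./deploy-homeassistant.sh <target_host> <cert_file> <key_file> <short_name>
#
# Environment variables:
#   SSH_USER            login user on the Home Assistant host (default: icke)
#   SSH_PASSWORD        if set and sshpass is installed, used for password
#                       authentication (passed via SSHPASS env, not argv)
#   CA_SERVER           host holding the UCS CA certificate (default: 10.0.0.21);
#                       reached as root via plain ssh key auth
#   SSH_STRICT_HOSTKEY  StrictHostKeyChecking value used with sshpass
#                       (default: no, as before; "accept-new" or "yes" once the
#                       target's host key is known avoids a silent MITM window)
#
# Flow: build a fullchain (leaf + CA) locally, stage both files in the remote
# user's home, then install them into /ssl with sudo and remove the staged copies.
set -euo pipefail

#######################################
# Print usage to stderr and exit with status 1.
#######################################
usage() {
  printf 'Usage: %s <target_host> <cert_file> <key_file> <short_name>\n' "$0" >&2
  printf '\n'  >&2
  printf 'Example: %s srv-wmw-ha01 ha-cert.pem ha.key ha\n' "$0" >&2
  exit 1
}

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Run a command on the target host through the configured SSH command.
# Globals:   SSH_CMD (read), SSH_USER (read), TARGET_HOST (read)
# Arguments: remote command string (and any further ssh arguments)
# Returns:   ssh's exit status
#######################################
remote() {
  "${SSH_CMD[@]}" "${SSH_USER}@${TARGET_HOST}" "$@"
}

#######################################
# Remove the local working directory; registered on EXIT so the temporary
# fullchain/CA files never outlive the script, even on error paths.
# Globals:   WORK_DIR (read)
#######################################
cleanup() {
  rm -rf -- "${WORK_DIR:?}"
}

#######################################
# Build the fullchain file (leaf certificate followed by the UCS CA cert).
# Globals:   CERT_FILE, CA_SERVER, SHORT_NAME, CA_FILE, FULLCHAIN_FILE (read)
# Outputs:   progress messages on stdout
#######################################
build_fullchain() {
  echo "[1/8] Creating fullchain certificate..."
  # Best-effort copy of the leaf cert to the CA server, kept from the original
  # flow; nothing below depends on it, so its failure is ignored on purpose.
  scp "$CERT_FILE" "root@${CA_SERVER}:/tmp/${SHORT_NAME}-cert.pem" 2>/dev/null || true
  scp "root@${CA_SERVER}:/etc/univention/ssl/ucsCA/CAcert.pem" "$CA_FILE" \
    || die "Could not fetch CA certificate from ${CA_SERVER}"
  # An empty CA file would silently produce a chain that clients reject.
  [[ -s "$CA_FILE" ]] || die "CA certificate fetched from ${CA_SERVER} is empty"
  cat -- "$CERT_FILE" "$CA_FILE" > "$FULLCHAIN_FILE"
  echo "✓ Fullchain certificate created"
}

#######################################
# Verify SSH reachability of the target host, then report the detected
# Home Assistant config directory (informational only; nothing below uses it).
# Globals:   TARGET_HOST, SSH_USER (read), HA_CONFIG_DIR (written)
#######################################
check_target() {
  echo "[2/8] Detecting Home Assistant configuration..."
  sleep 0.5 # Avoid SSH rate limiting
  if ! remote "echo 'SSH connection OK'" >/dev/null 2>&1; then
    echo "Error: Cannot establish SSH connection to ${TARGET_HOST}" >&2
    echo "Please verify:" >&2
    echo "  - Host is reachable: $TARGET_HOST" >&2
    echo "  - User is correct: $SSH_USER" >&2
    echo "  - Password is correct" >&2
    echo "  - SSH rate limiting hasn't been triggered (wait 30 seconds and try again)" >&2
    exit 1
  fi

  HA_CONFIG_DIR=$(remote "if [ -d /home/homeassistant/.homeassistant ]; then echo /home/homeassistant/.homeassistant; elif [ -d /usr/share/hassio/homeassistant ]; then echo /usr/share/hassio/homeassistant; elif [ -d /config ]; then echo /config; else echo ''; fi" 2>/dev/null) || HA_CONFIG_DIR=""
  if [[ -z "$HA_CONFIG_DIR" ]]; then
    echo "Warning: Could not auto-detect Home Assistant config directory"
    echo "Using default /ssl directory for certificates"
    HA_CONFIG_DIR="/config" # Default for Home Assistant OS
  fi
  echo "Home Assistant config: $HA_CONFIG_DIR"
}

#######################################
# Back up any existing /ssl certificate files on the target (timestamped copies).
# The backup is best-effort: a failure only prints a notice.
#######################################
backup_remote_certs() {
  local timestamp
  echo "[3/8] Backing up existing certificates (if any)..."
  timestamp=$(date +%Y%m%d-%H%M%S)
  sleep 0.5 # Avoid SSH rate limiting
  # timestamp is expanded locally into the single-quoted remote script.
  remote "sudo sh -c '
    if [ -f /ssl/fullchain.pem ]; then
      cp /ssl/fullchain.pem /ssl/fullchain.pem.bak.${timestamp}
      echo \"  Backed up /ssl/fullchain.pem\"
    fi
    if [ -f /ssl/privkey.pem ]; then
      cp /ssl/privkey.pem /ssl/privkey.pem.bak.${timestamp}
      echo \"  Backed up /ssl/privkey.pem\"
    fi
  '" 2>/dev/null || echo "  No existing certificates to backup"
}

#######################################
# Stream a local file into the remote user's home over SSH (no SCP).
# Arguments: $1 - local file, $2 - remote file name (relative to ~),
#            $3 - error message on failure
# The remote umask 077 ensures the staged file is never readable by others,
# even for the instant before chmod runs.
#######################################
upload_file() {
  local src=$1 dst=$2 err=$3
  sleep 0.5 # Avoid SSH rate limiting
  remote "umask 077 && cat > ~/${dst} && chmod 600 ~/${dst}" < "$src" \
    || die "$err"
}

#######################################
# Move the staged files into /ssl with sudo, set final permissions and remove
# the staged copies so the private key does not linger in the home directory.
#######################################
install_remote_certs() {
  echo "[6/8] Installing certificates to /ssl directory..."
  sleep 0.5 # Avoid SSH rate limiting
  remote "sudo cp ~/fullchain.pem /ssl/ && sudo cp ~/privkey.pem /ssl/ \
    && sudo chmod 644 /ssl/fullchain.pem && sudo chmod 640 /ssl/privkey.pem \
    && rm -f ~/fullchain.pem ~/privkey.pem" \
    || die "Failed to install certificates"
  echo "✓ Certificates installed"
}

#######################################
# Print the closing summary and manual follow-up steps.
# Globals:   TARGET_HOST (read)
#######################################
print_summary() {
  echo "[7/8] Checking Nginx proxy configuration..."
  echo "✓ Nginx uses certificates from /ssl/"
  echo "[8/8] Restarting Nginx proxy..."
  echo "Please restart the 'NGINX Home Assistant SSL proxy' add-on from the Home Assistant UI"
  echo ""
  echo "=========================================="
  echo "✓ Deployment Complete!"
  echo "=========================================="
  echo ""
  echo "Files installed:"
  echo "  Certificate: /ssl/fullchain.pem"
  echo "  Private Key: /ssl/privkey.pem"
  echo ""
  echo "Next steps:"
  echo "  1. Restart the 'NGINX Home Assistant SSL proxy' add-on"
  echo "  2. Ensure configuration.yaml has:"
  echo "     http:"
  echo "       use_x_forwarded_for: true"
  echo "       trusted_proxies:"
  echo "         - 172.30.33.0/24"
  echo ""
  echo "Then access Home Assistant at:"
  echo "  https://${TARGET_HOST}"
  echo "=========================================="
}

#######################################
# Entry point.
# Arguments: target_host cert_file key_file short_name
#######################################
main() {
  if [[ $# -lt 4 ]]; then
    usage
  fi

  TARGET_HOST="$1"
  CERT_FILE="$2"
  KEY_FILE="$3" # This can be local or remote path
  SHORT_NAME="$4"
  SSH_USER="${SSH_USER:-icke}"
  SSH_PASSWORD="${SSH_PASSWORD:-}"
  CA_SERVER="${CA_SERVER:-10.0.0.21}"
  SSH_STRICT_HOSTKEY="${SSH_STRICT_HOSTKEY:-no}"

  # Setup SSH command with password support. The password travels through the
  # SSHPASS environment variable (-e) rather than argv, so it is not visible in
  # `ps`; arrays keep each option a separate word.
  if [[ -n "$SSH_PASSWORD" ]] && command -v sshpass >/dev/null 2>&1; then
    export SSHPASS="$SSH_PASSWORD"
    SSH_CMD=(sshpass -e ssh -o "StrictHostKeyChecking=${SSH_STRICT_HOSTKEY}")
  else
    SSH_CMD=(ssh)
  fi

  echo "=========================================="
  echo "Home Assistant Certificate Deployment"
  echo "=========================================="
  echo "Target Host: $TARGET_HOST"
  echo "SSH User: $SSH_USER"
  echo "Certificate: $CERT_FILE"
  echo "Private Key: $KEY_FILE"
  echo "=========================================="
  echo ""

  [[ -f "$CERT_FILE" ]] || die "Certificate file $CERT_FILE not found"
  [[ -f "$KEY_FILE" ]] || die "Private key file $KEY_FILE not found"

  # Unpredictable, private working directory instead of fixed /tmp names.
  WORK_DIR=$(mktemp -d) || die "mktemp failed"
  trap cleanup EXIT
  FULLCHAIN_FILE="${WORK_DIR}/fullchain-${SHORT_NAME}.pem"
  CA_FILE="${WORK_DIR}/ucs-ca-${SHORT_NAME}.pem"

  build_fullchain
  check_target
  backup_remote_certs

  # Copy certificates using SSH with cat (no SCP)
  echo "[4/8] Copying fullchain certificate to Home Assistant..."
  upload_file "$FULLCHAIN_FILE" fullchain.pem "Failed to copy fullchain certificate"
  echo "[5/8] Copying private key to Home Assistant..."
  upload_file "$KEY_FILE" privkey.pem "Failed to copy private key"

  install_remote_certs
  print_summary
}

main "$@"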