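#!/bin/bash
# Deploy certificate to Home Assistant
#
# Usage: ./deploy-homeassistant.sh <hostname> <cert-file> <key-file> <short-name>
#
# Environment:
#   SSH_USER      login user on the Home Assistant host (default: icke)
#   SSH_PASSWORD  optional; when set and sshpass is installed it is used for
#                 the Home Assistant host (passed via the environment, never
#                 on the command line). The CA server is always reached as
#                 root with the caller's own ssh configuration/keys.
#   CA_SERVER     UCS CA host the CA certificate is fetched from
#                 (default: 10.0.0.21)
#
# Flow: build a fullchain (server cert + UCS CA cert) locally, stage both
# files in the SSH user's home on the target, install them into /ssl with
# sudo, remove the staged copies, then print the manual follow-up for the
# NGINX add-on.

set -euo pipefail

if [ "$#" -lt 4 ]; then
  echo "Usage: $0 <hostname> <cert-file> <key-file> <short-name>"
  echo ""
  echo "Example: $0 srv-wmw-ha01 ha-cert.pem ha.key ha"
  exit 1
fi

TARGET_HOST="$1"
CERT_FILE="$2"
KEY_FILE="$3" # local path; must exist on this machine (checked below)
SHORT_NAME="$4"
SSH_USER="${SSH_USER:-icke}"
SSH_PASSWORD="${SSH_PASSWORD:-}"
CA_SERVER="${CA_SERVER:-10.0.0.21}"

# SHORT_NAME is spliced into file names, including a path written as root on
# the CA server, so restrict it to a plain token (no '/', '..', spaces, or a
# leading '-').
if [[ ! "$SHORT_NAME" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] || [[ "$SHORT_NAME" == *..* ]]; then
  echo "Error: short-name '$SHORT_NAME' may only contain letters, digits, '.', '_' and '-'" >&2
  exit 1
fi

#######################################
# Build the ssh command line for the Home Assistant host as an array so that
# no word-splitting of an unquoted string is needed.
#
# With a password and sshpass available, the password is supplied through
# SSHPASS in the environment (sshpass -e). In that mode the host key policy is
# accept-new: the key is recorded on first contact and a *changed* key is
# refused, so the password is never sent to a host whose identity changed.
# Without a password, plain ssh with the user's normal configuration is used.
#######################################
SSH_ARGS=(ssh)
if [ -n "$SSH_PASSWORD" ] && command -v sshpass >/dev/null 2>&1; then
  export SSHPASS="$SSH_PASSWORD"
  SSH_ARGS=(sshpass -e ssh -o StrictHostKeyChecking=accept-new)
fi
REMOTE="${SSH_USER}@${TARGET_HOST}"

#######################################
# Run a command on the Home Assistant host.
# Arguments: $@ - remote command string(s), passed through to ssh
# Outputs:   whatever the remote command prints
# Returns:   ssh's exit status
# A short pause precedes every connection to avoid tripping SSH rate limiting
# on the target.
#######################################
remote() {
  sleep 0.5
  "${SSH_ARGS[@]}" "$REMOTE" "$@"
}

# Private working directory for the intermediate files; removed on every exit
# path (success, error, Ctrl-C) instead of relying on predictable /tmp names.
WORK_DIR=$(mktemp -d) || { echo "Error: mktemp failed" >&2; exit 1; }
cleanup() { rm -rf -- "${WORK_DIR:?}"; }
trap cleanup EXIT

echo "=========================================="
echo "Home Assistant Certificate Deployment"
echo "=========================================="
echo "Target Host: $TARGET_HOST"
echo "SSH User: $SSH_USER"
echo "Certificate: $CERT_FILE"
echo "Private Key: $KEY_FILE"
echo "=========================================="
echo ""

# Check that both local input files exist
if [ ! -f "$CERT_FILE" ]; then
  echo "Error: Certificate file $CERT_FILE not found" >&2
  exit 1
fi
if [ ! -f "$KEY_FILE" ]; then
  echo "Error: Private key file $KEY_FILE not found" >&2
  exit 1
fi

# Create fullchain certificate (cert + CA cert)
echo "[1/8] Creating fullchain certificate..."
FULLCHAIN_FILE="${WORK_DIR}/fullchain-${SHORT_NAME}.pem"
CA_CERT_FILE="${WORK_DIR}/ucs-ca-${SHORT_NAME}.pem"
# Best-effort: leave a copy of the issued certificate on the CA server. The
# copy is not used by the steps below, so a failure here is not fatal.
scp -- "$CERT_FILE" "root@${CA_SERVER}:/tmp/${SHORT_NAME}-cert.pem" 2>/dev/null || true
# The CA certificate *is* required for the chain; report its failure instead
# of silently dying under set -e.
if ! scp -- "root@${CA_SERVER}:/etc/univention/ssl/ucsCA/CAcert.pem" "$CA_CERT_FILE"; then
  echo "Error: Could not fetch the CA certificate from ${CA_SERVER}" >&2
  exit 1
fi
if [ ! -s "$CA_CERT_FILE" ]; then
  echo "Error: CA certificate fetched from ${CA_SERVER} is empty" >&2
  exit 1
fi
cat -- "$CERT_FILE" "$CA_CERT_FILE" > "$FULLCHAIN_FILE"
echo "✓ Fullchain certificate created"

# Detect Home Assistant config directory (informational only: the
# certificates are always installed to /ssl below)
echo "[2/8] Detecting Home Assistant configuration..."

# Test SSH connection first so that a login problem gets a clear message
if ! remote "echo 'SSH connection OK'" >/dev/null 2>&1; then
  echo "Error: Cannot establish SSH connection to ${TARGET_HOST}" >&2
  echo "Please verify:" >&2
  echo " - Host is reachable: $TARGET_HOST" >&2
  echo " - User is correct: $SSH_USER" >&2
  echo " - Password is correct" >&2
  echo " - SSH rate limiting hasn't been triggered (wait 30 seconds and try again)" >&2
  exit 1
fi

HA_CONFIG_DIR=$(remote "if [ -d /home/homeassistant/.homeassistant ]; then echo /home/homeassistant/.homeassistant; elif [ -d /usr/share/hassio/homeassistant ]; then echo /usr/share/hassio/homeassistant; elif [ -d /config ]; then echo /config; else echo ''; fi" 2>/dev/null) || HA_CONFIG_DIR=""

if [ -z "$HA_CONFIG_DIR" ]; then
  echo "Warning: Could not auto-detect Home Assistant config directory"
  echo "Assuming /config (Home Assistant OS); certificates go to /ssl either way"
  HA_CONFIG_DIR="/config" # Default for Home Assistant OS
fi

echo "Home Assistant config: $HA_CONFIG_DIR"

# Backup existing certificates
echo "[3/8] Backing up existing certificates (if any)..."
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
# ${TIMESTAMP} is expanded locally inside the double-quoted remote script.
# Failure here (e.g. sudo refused) is reported as "nothing to back up".
remote "sudo sh -c '
if [ -f /ssl/fullchain.pem ]; then
cp /ssl/fullchain.pem /ssl/fullchain.pem.bak.${TIMESTAMP}
echo \" Backed up /ssl/fullchain.pem\"
fi
if [ -f /ssl/privkey.pem ]; then
cp /ssl/privkey.pem /ssl/privkey.pem.bak.${TIMESTAMP}
echo \" Backed up /ssl/privkey.pem\"
fi
'" 2>/dev/null || echo " No existing certificates to backup"

# Stage the files in the SSH user's home over the ssh channel (no SCP).
# The files are fed on stdin; umask 077 makes the key private from the moment
# it is created rather than only after a later chmod.
echo "[4/8] Copying fullchain certificate to Home Assistant..."
remote "umask 077 && cat > ~/fullchain.pem" < "$FULLCHAIN_FILE" || {
  echo "Error: Failed to copy fullchain certificate" >&2
  exit 1
}

echo "[5/8] Copying private key to Home Assistant..."
remote "umask 077 && cat > ~/privkey.pem && chmod 600 ~/privkey.pem" < "$KEY_FILE" || {
  echo "Error: Failed to copy private key" >&2
  remote "rm -f ~/fullchain.pem ~/privkey.pem" 2>/dev/null || true
  exit 1
}

# Install into /ssl with sudo, then remove the staged copies so the private
# key does not linger in the user's home directory.
echo "[6/8] Installing certificates to /ssl directory..."
remote "sudo cp ~/fullchain.pem /ssl/ && sudo cp ~/privkey.pem /ssl/ && sudo chmod 644 /ssl/fullchain.pem && sudo chmod 640 /ssl/privkey.pem && rm -f ~/fullchain.pem ~/privkey.pem" || {
  echo "Error: Failed to install certificates" >&2
  remote "rm -f ~/fullchain.pem ~/privkey.pem" 2>/dev/null || true
  exit 1
}

echo "✓ Certificates installed"

# Local temporary files are removed by the EXIT trap.

# The NGINX add-on reads its certificate and key from /ssl/; there is nothing
# to rewrite in its configuration.
echo "[7/8] Checking Nginx proxy configuration..."
echo "✓ Nginx uses certificates from /ssl/"

# The add-on cannot be restarted from here; this is a manual step.
echo "[8/8] Restart Nginx proxy (manual step)..."
echo "Please restart the 'NGINX Home Assistant SSL proxy' add-on from the Home Assistant UI"

echo ""
echo "=========================================="
echo "✓ Deployment Complete!"
echo "=========================================="
echo ""
echo "Files installed:"
echo " Certificate: /ssl/fullchain.pem"
echo " Private Key: /ssl/privkey.pem"
echo ""
echo "Next steps:"
echo " 1. Restart the 'NGINX Home Assistant SSL proxy' add-on"
echo " 2. Ensure configuration.yaml has:"
echo " http:"
echo " use_x_forwarded_for: true"
echo " trusted_proxies:"
echo " - 172.30.33.0/24"
echo ""
echo "Then access Home Assistant at:"
echo " https://${TARGET_HOST}"
echo "=========================================="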