Refactor some code, add support for Radius certificates

kchristensen · Oct 11, 2021 · 10e6d74 · 10e6d74
1 parent 70ec163
commit 10e6d74
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 28 deletions.
diff --git a/on_boot.d/99-udm-le.sh b/on_boot.d/99-udm-le.sh
@@ -7,5 +7,5 @@ if [ ! -f /etc/cron.d/udm-le ]; then
 	# Sleep for 5 minutes to avoid restarting
 	# services during system startup.
 	sleep 300
-	sh ${UDM_LE_PATH}/udm-le.sh bootrenew
+	RESTART_SERVICES=true sh ${UDM_LE_PATH}/udm-le.sh renew
 fi
diff --git a/udm-le.env b/udm-le.env
@@ -8,9 +8,12 @@ CERT_EMAIL='[email protected]'
 # The FQDN of your UDMP (comma separated fqdns are supported)
 CERT_HOSTS='whatever.hostname.com,*.whatever.anotherhostname.com'
 
-# Enable updating Captive Portal certificate as well as device certificate
+# Enable updating Captive Portal support
 ENABLE_CAPTIVE='no'
 
+# Enable updating Radius support
+ENABLE_RADIUS='no'
+
 #
 # DNS provider configuration
 # See README.md file for more details
@@ -64,5 +67,6 @@ UDM_LE_PATH='/mnt/data/udm-le'
 
 # These should only change if Unifi-OS core changes require it
 CERT_IMPORT_CMD='java -jar /usr/lib/unifi/lib/ace.jar import_key_cert'
-UBIOS_CERT_PATH='/mnt/data/unifi-os/unifi-core/config'
+UBIOS_CONTROLLER_CERT_PATH='/mnt/data/unifi-os/unifi-core/config'
+UBIOS_RADIUS_CERT_PATH='/mnt/data/udapi-config/raddb/certs'
 UNIFIOS_CERT_PATH='/data/unifi-core/config'
diff --git a/udm-le.sh b/udm-le.sh
@@ -8,27 +8,46 @@ set -e
 # Setup variables for later
 DOCKER_VOLUMES="-v ${UDM_LE_PATH}/lego/:/.lego/"
 LEGO_ARGS="--dns ${DNS_PROVIDER} --email ${CERT_EMAIL} --key-type rsa2048"
-NEW_CERT=""
+RESTART_SERVICES=${RESTART_SERVICES:-false}
 
-add_captive() {
-	# Import the certificate for the captive portal
-	if [ "$ENABLE_CAPTIVE" == "yes" ]; then
-		podman exec -it unifi-os ${CERT_IMPORT_CMD} ${UNIFIOS_CERT_PATH}/unifi-core.key ${UNIFIOS_CERT_PATH}/unifi-core.crt
-	fi
-}
+deploy_certs() {
+	# Deploy certificates for the controller and optionally for the captive portal and radius server
 
-deploy_cert() {
 	# Re-write CERT_NAME if it is a wildcard cert. Replace * with _
 	LEGO_CERT_NAME=${CERT_NAME/\*/_}
 	if [ "$(find -L "${UDM_LE_PATH}"/lego -type f -name "${LEGO_CERT_NAME}".crt -mmin -5)" ]; then
 		echo 'New certificate was generated, time to deploy it'
-		# Controller certificate
-		cp -f ${UDM_LE_PATH}/lego/certificates/${LEGO_CERT_NAME}.crt ${UBIOS_CERT_PATH}/unifi-core.crt
-		cp -f ${UDM_LE_PATH}/lego/certificates/${LEGO_CERT_NAME}.key ${UBIOS_CERT_PATH}/unifi-core.key
-		chmod 644 ${UBIOS_CERT_PATH}/unifi-core.*
-		NEW_CERT="yes"
+
+		cp -f ${UDM_LE_PATH}/lego/certificates/${LEGO_CERT_NAME}.crt ${UBIOS_CONTROLLER_CERT_PATH}/unifi-core.crt
+		cp -f ${UDM_LE_PATH}/lego/certificates/${LEGO_CERT_NAME}.key ${UBIOS_CONTROLLER_CERT_PATH}/unifi-core.key
+		chmod 644 ${UBIOS_CONTROLLER_CERT_PATH}/unifi-core.crt ${UBIOS_CONTROLLER_CERT_PATH}/unifi-core.key
+
+		if [ "$ENABLE_CAPTIVE" == "yes" ]; then
+			podman exec -it unifi-os ${CERT_IMPORT_CMD} ${UNIFIOS_CERT_PATH}/unifi-core.key ${UNIFIOS_CERT_PATH}/unifi-core.crt
+		fi
+
+		if [ "$ENABLE_RADIUS" == "yes" ]; then
+			cp -f ${UDM_LE_PATH}/lego/certificates/${LEGO_CERT_NAME}.crt ${UBIOS_RADIUS_CERT_PATH}/server.pem
+			cp -f ${UDM_LE_PATH}/lego/certificates/${LEGO_CERT_NAME}.key ${UBIOS_RADIUS_CERT_PATH}/server-key.pem
+			chmod 600 ${UBIOS_RADIUS_CERT_PATH}/server.pem ${UBIOS_RADIUS_CERT_PATH}/server-key.pem
+		fi
+
+		RESTART_SERVICES=true
+	fi
+}
+
+restart_services() {
+	# Restart services if certificates have been deployed, or we're forcing it on the command line
+	if [ "${RESTART_SERVICES}" == true ]; then
+		echo 'Restarting UniFi OS'
+		unifi-os restart &>/dev/null
+
+		if [ "$ENABLE_RADIUS" == "yes" ]; then
+			echo 'Restarting Radius server'
+			rc.radius restart &>/dev/null
+		fi
 	else
-		echo 'No new certificate was found, exiting without restart'
+		echo 'RESTART_SERVICES is false, skipping service restarts'
 	fi
 }
 
@@ -79,21 +98,14 @@ initial)
 	fi
 
 	echo 'Attempting initial certificate generation'
-	${PODMAN_CMD} ${LEGO_ARGS} --accept-tos run && deploy_cert && add_captive && unifi-os restart &>/dev/null
+	${PODMAN_CMD} ${LEGO_ARGS} --accept-tos run && deploy_certs && restart_services
 	;;
 renew)
 	echo 'Attempting certificate renewal'
-	${PODMAN_CMD} ${LEGO_ARGS} renew --days 60 && deploy_cert
-	if [ "${NEW_CERT}" = "yes" ]; then
-		add_captive && unifi-os restart &>/dev/null
-	fi
-	;;
-bootrenew)
-	echo 'Attempting certificate renewal on boot'
-	${PODMAN_CMD} ${LEGO_ARGS} renew --days 60 && deploy_cert && add_captive && unifi-os restart &>/dev/null
+	${PODMAN_CMD} ${LEGO_ARGS} renew --days 60 && deploy_certs && restart_services
 	;;
-testdeploy)
+test_deploy)
 	echo 'Attempting to deploy certificate'
-	deploy_cert
+	deploy_certs
 	;;
 esac