Merge pull request #11 from danb35/use-config-file

Use config file

Author: danb35

.gitignore

@@ -0,0 +1 @@
+deploy_config

README.md

@@ -2,14 +2,25 @@
 
 deploy-freenas.py is a Python script to deploy TLS certificates to a FreeNAS server using the FreeNAS API.  This should ensure that the certificate data is properly stored in the configuration database, and that all appropriate services use this certificate.  It's intended to be called from a Let's Encrypt client like [acme.sh](https://github.com/Neilpang/acme.sh) after the certificate is issued, so that the entire process of issuance (or renewal) and deployment can be automated.
 
+# Installation
+This script can run on any machine running Python 3 that has network access to your FreeNAS server, but in most cases it's best to run it directly on the FreeNAS box.  Change to a convenient directory and run `git clone https://github.com/danb35/deploy-freenas`.
+
 # Usage
 
-There are no command-line arguments to deploy-freenas.py; the relevant configuration needs to be made in the script itself.  The required changes are mostly self-explanatory, but are as follows:
-* PRIVATEKEY_PATH is the path to your TLS private key
-* FULLCHAIN_PATH is the path to concatenation of your certificate and the issuer's certificate.  With most ACME clients, this file is saved as fullchain.pem or fullchain.cer.
-* USER should always be "root"
-* PASSWORD needs to be the root password for your FreeNAS server
-* DOMAIN_NAME is the FQDN of your FreeNAS server
-* PROTOCOL is the protocol used to connect to the API.  If your FreeNAS server is configured to use HTTPS with a trusted certificate, it can be set to "https://".  Otherwise, set it to "http://".
+There are no command-line arguments to deploy-freenas.py; the relevant configuration takes place in the `deploy_config` file.  You can create this file either by copying `depoy_config.example` from this repository, or directly using your preferred text editor.  Its format is as follows:
+
+```
+[deploy]
+password = YourReallySecureRootPassword
+cert_fqdn = foo.bar.baz
+connect_host = baz.bar.foo
+verify = false
+privkey_path = /some/other/path
+fullchain_path = /some/other/other/path
+protocol = https://
+port = 443
+```
 
+Everything but the password is optional, and the defaults are documented in `depoy_config.example`.
 
+Once you've prepared `deploy_config`, you can run `deploy_freenas.py`.  The intended use is that it would be called by your ACME client after issuing a certificate.  With acme.sh, for example, you'd add `--deploy-hook "/path/to/deploy_freenas.py"` to your command.

deploy_config.example

@@ -0,0 +1,38 @@
+# Configuration file for deploy_freenas.py
+
+[deploy]
+# This is the only line that is mandatory
+# Set it to your FreeNAS root password
+password = YourSuperSecurePassword#@#$*
+
+# Everything below here is optional
+
+# cert_fqdn specifies the FQDN used for your certificate.  Default is your system hostname
+# cert_fqdn = foo.bar.baz
+
+# connect_host specifies the hostname the script should attempt to connect to, to deploy the cert. 
+# Default is localhost (assuming the script is running on your FreeNAS box)
+# connect_host = baz.bar.foo
+
+# verify sets whether the script will attempt to verify the server's certificate with a HTTPS
+# connection.  Set to true if you're using a HTTPS connection to a remote host.  If connect_host
+# is set to localhost (or is unset), set to false.  Default is false.
+# verify = false
+
+# privkey_path is the path to the certificate private key on your system.  Default
+# assumes you're using acme.sh:
+# /root/.acme.sh/cert_fqdn/cert_fqdn.key
+# privkey_path = /some/other/path
+
+# fullchain_path is the path to the full chain (leaf cert + intermediate certs)
+# on your system.  Default assumes you're using acme.sh:
+# /root/.acme.sh/cert_fqdn/fullchain.cer
+# fullchain_path = /some/other/other/path
+
+# protocol sets the connection protocol, http or https.  Include '://' at the end.
+# Default is http
+# protocol = https://
+
+# port sets the port to use to connect.  Default is 80.  If protocol is https,
+# this MUST be set to your https port.
+# port = 443

deploy_freenas.py

@@ -19,20 +19,26 @@
 import json
 import requests
 import subprocess
+import configparser
+import socket
 from datetime import datetime
 from urllib3.exceptions import InsecureRequestWarning
 requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
 
-DOMAIN_NAME = "your_fqdn"
-PASSWORD = "ReallySecurePassword"
+config = configparser.ConfigParser()
+config.read('deploy_config')
+deploy = config['deploy']
 
 USER = "root"
-FREENAS_ADDRESS = "localhost"
-VERIFY = False # Or True (Caution! False disables certificate checking)
-PRIVATEKEY_PATH = "/root/.acme.sh/" + DOMAIN_NAME + "/" + DOMAIN_NAME + ".key"
-FULLCHAIN_PATH = "/root/.acme.sh/" + DOMAIN_NAME + "/fullchain.cer"
-PROTOCOL = 'http://'
-PORT = '80'
+PASSWORD = deploy.get('password')
+
+DOMAIN_NAME = deploy.get('cert_fqdn',socket.gethostname())
+FREENAS_ADDRESS = deploy.get('connect_host','localhost')
+VERIFY = deploy.getboolean('verify',fallback=False)
+PRIVATEKEY_PATH = deploy.get('privkey_path',"/root/.acme.sh/" + DOMAIN_NAME + "/" + DOMAIN_NAME + ".key")
+FULLCHAIN_PATH = deploy.get('fullchain_path',"/root/.acme.sh/" + DOMAIN_NAME + "/fullchain.cer")
+PROTOCOL = deploy.get('protocol','http://')
+PORT = deploy.get('port','80')
 now = datetime.now()
 cert = "letsencrypt-%s-%s-%s-%s" %(now.year, now.strftime('%m'), now.strftime('%d'), ''.join(c for c in now.strftime('%X') if
 c.isdigit()))