From 8a2f673903f4386ab3f1e19f012222d713620fca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Bie=C3=9Fmann?= <andreas@biessmann.org>
Date: Sat, 19 Feb 2022 13:42:32 +0100
Subject: [PATCH 1/3] deploy/routeros.sh: make ssh/scp configurable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In order to modify ssh/scp commands make them configurable via
environment variables.

Signed-off-by: Andreas Bießmann <andreas@biessmann.org>
---
 deploy/routeros.sh | 36 +++++++++++++++++++++++++++++++-----
 1 file changed, 31 insertions(+), 5 deletions(-)

diff --git a/deploy/routeros.sh b/deploy/routeros.sh
index 456107c8..b25bd100 100644
--- a/deploy/routeros.sh
+++ b/deploy/routeros.sh
@@ -49,6 +49,16 @@
 # One optional thing to do as well is to create a script that updates
 # all the required services and run that script in a single command.
 #
+# To adopt parameters to `scp` and/or `ssh` set the optional
+# `ROUTER_OS_SSH_CMD` and `ROUTER_OS_SCP_CMD` variables accordingly,
+# see ssh(1) and scp(1) for parameters to those commands.
+#
+# Example:
+# ```ssh
+# export ROUTER_OS_SSH_CMD="ssh -i /acme.sh/.ssh/router.example.com -o UserKnownHostsFile=/acme.sh/.ssh/known_hosts"
+# export ROUTER_OS_SCP_CMD="scp -i /acme.sh/.ssh/router.example.com -o UserKnownHostsFile=/acme.sh/.ssh/known_hosts"
+# ````
+#
 # returns 0 means success, otherwise error.
 
 ########  Public functions #####################
@@ -88,6 +98,20 @@ routeros_deploy() {
     ROUTER_OS_PORT=22
   fi
 
+  _getdeployconf ROUTER_OS_SSH_CMD
+
+  if [ -z "$ROUTER_OS_SSH_CMD" ]; then
+    _debug "Use default ssh setup."
+    ROUTER_OS_SSH_CMD="ssh -p $ROUTER_OS_PORT"
+  fi
+
+  _getdeployconf ROUTER_OS_SCP_CMD
+
+  if [ -z "$ROUTER_OS_SCP_CMD" ]; then
+    _debug "USe default scp setup."
+    ROUTER_OS_SCP_CMD="scp -P $ROUTER_OS_PORT"
+  fi
+
   _getdeployconf ROUTER_OS_ADDITIONAL_SERVICES
 
   if [ -z "$ROUTER_OS_ADDITIONAL_SERVICES" ]; then
@@ -98,12 +122,14 @@ routeros_deploy() {
   _savedeployconf ROUTER_OS_HOST "$ROUTER_OS_HOST"
   _savedeployconf ROUTER_OS_USERNAME "$ROUTER_OS_USERNAME"
   _savedeployconf ROUTER_OS_PORT "$ROUTER_OS_PORT"
+  _savedeployconf ROUTER_OS_SSH_CMD "$ROUTER_OS_SSH_CMD"
+  _savedeployconf ROUTER_OS_SCP_CMD "$ROUTER_OS_SCP_CMD"
   _savedeployconf ROUTER_OS_ADDITIONAL_SERVICES "$ROUTER_OS_ADDITIONAL_SERVICES"
 
   _info "Trying to push key '$_ckey' to router"
-  scp -P "$ROUTER_OS_PORT" "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"
+  $ROUTER_OS_SCP_CMD "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"
   _info "Trying to push cert '$_cfullchain' to router"
-  scp -P "$ROUTER_OS_PORT" "$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"
+  $ROUTER_OS_SCP_CMD "$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"
   DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=admin policy=ftp,read,write,password,sensitive \
 source=\"## generated by routeros deploy script in acme.sh;\
 \n/certificate remove [ find name=$_cdomain.cer_0 ];\
@@ -120,11 +146,11 @@ source=\"## generated by routeros deploy script in acme.sh;\
 \n\"
 "
   # shellcheck disable=SC2029
-  ssh -p "$ROUTER_OS_PORT" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "$DEPLOY_SCRIPT_CMD"
+  $ROUTER_OS_SSH_CMD "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "$DEPLOY_SCRIPT_CMD"
   # shellcheck disable=SC2029
-  ssh -p "$ROUTER_OS_PORT" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "/system script run \"LE Cert Deploy - $_cdomain\""
+  $ROUTER_OS_SSH_CMD "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "/system script run \"LE Cert Deploy - $_cdomain\""
   # shellcheck disable=SC2029
-  ssh -p "$ROUTER_OS_PORT" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "/system script remove \"LE Cert Deploy - $_cdomain\""
+  $ROUTER_OS_SSH_CMD "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "/system script remove \"LE Cert Deploy - $_cdomain\""
 
   return 0
 }

From 92e4ecce3b94ead392e0e1283ba14ce8bbad4bbb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Bie=C3=9Fmann?= <andreas@biessmann.org>
Date: Sat, 19 Feb 2022 13:44:51 +0100
Subject: [PATCH 2/3] deploy/routeros.sh: remove all certificates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As the script is applying the fullchain which includes three certificates,
delete all of them before applying updated certificate.

Signed-off-by: Andreas Bießmann <andreas@biessmann.org>
---
 deploy/routeros.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/deploy/routeros.sh b/deploy/routeros.sh
index b25bd100..3c74f592 100644
--- a/deploy/routeros.sh
+++ b/deploy/routeros.sh
@@ -134,6 +134,7 @@ routeros_deploy() {
 source=\"## generated by routeros deploy script in acme.sh;\
 \n/certificate remove [ find name=$_cdomain.cer_0 ];\
 \n/certificate remove [ find name=$_cdomain.cer_1 ];\
+\n/certificate remove [ find name=$_cdomain.cer_2 ];\
 \ndelay 1;\
 \n/certificate import file-name=$_cdomain.cer passphrase=\\\"\\\";\
 \n/certificate import file-name=$_cdomain.key passphrase=\\\"\\\";\

From c46ceb06b49ae32a3c51d88756941fa94642dbe7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Bie=C3=9Fmann?= <andreas@biessmann.org>
Date: Sat, 19 Feb 2022 13:56:07 +0100
Subject: [PATCH 3/3] deploy/routeros.sh: change DEPLOY_SCRIPT_CMD
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This set the owner of script to ssh user, have the comment line in script
as real comment and removes policy since this is set from current user,
at least for RouterOS 7.x.

Signed-off-by: Andreas Bießmann <andreas@biessmann.org>
---
 deploy/routeros.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/deploy/routeros.sh b/deploy/routeros.sh
index 3c74f592..b2b18c5e 100644
--- a/deploy/routeros.sh
+++ b/deploy/routeros.sh
@@ -130,9 +130,9 @@ routeros_deploy() {
   $ROUTER_OS_SCP_CMD "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"
   _info "Trying to push cert '$_cfullchain' to router"
   $ROUTER_OS_SCP_CMD "$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"
-  DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=admin policy=ftp,read,write,password,sensitive \
-source=\"## generated by routeros deploy script in acme.sh;\
-\n/certificate remove [ find name=$_cdomain.cer_0 ];\
+  DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=$ROUTER_OS_USER \
+comment=\"generated by routeros deploy script in acme.sh\" \
+source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\
 \n/certificate remove [ find name=$_cdomain.cer_1 ];\
 \n/certificate remove [ find name=$_cdomain.cer_2 ];\
 \ndelay 1;\