Consolidate scripts

Author: danb35

Diff for: README.md

@@ -0,0 +1,7 @@
+# Deploy TLS Certificates to FreeNAS/TrueNAS
+This repository contains scripts to automate deployment of a TLS certificate to your FreeNAS (11.1 or newer) or TrueNAS server.  Due to a complete overhaul of the API in more recent versions of TrueNAS, this repo contains two different scripts, each with its own README.
+
+* If you're using FreeNAS, or TrueNAS CORE, use `deploy_freenas.py`. [README](README_freenas.md).  This will also work with TrueNAS SCALE through 24.10, but as SCALE introduced a websocket API, the other script is recommended.
+* If you're using TrueNAS SCALE or Community Edition (as of 25.04), use `deploy_truenas.py`. [README](README_truenas.md)
+* I've had no reports of compatibility, pro or con, with any version of TrueNAS Enterprise.  I expect the `_freenas` version will work with FreeBSD-based TrueNAS Enterprise installations, while the `_truenas` version will work with Linux-based installations, but I'm afraid you're largely on your own.
+

Diff for: README_freenas.md

@@ -0,0 +1,49 @@
+# deploy-freenas
+
+deploy_freenas.py is a Python script to deploy TLS certificates to a FreeNAS/TrueNAS (Core) server using the FreeNAS/TrueNAS API.  This should ensure that the certificate data is properly stored in the configuration database, and that all appropriate services use this certificate.  Its original intent was to be called from a Let's Encrypt client like [acme.sh](https://github.com/Neilpang/acme.sh) after the certificate is issued, so that the entire process of issuance (or renewal) and deployment can be automated.  However, it can be used with certificates from any source, whether a different ACME-based certificate authority or otherwise.
+
+Since this script was developed, acme.sh has added a [deployment script](https://github.com/acmesh-official/acme.sh/wiki/deployhooks#25-deploy-the-cert-on-truenas-core-server) which can deploy newly-issued certs to your TrueNAS system, so you may not need this script.  However, it isn't clear whether the acme.sh deployment script handles the services covered by this script (S3, FTP, WebDAV, Apps for SCALE).
+
+# Installation
+This script can run on any machine running Python 3 that has network access to your FreeNAS/TrueNAS server, but in most cases it's best to run it directly on the FreeNAS/TrueNAS box.  Change to a convenient directory and run `git clone https://github.com/danb35/deploy-freenas`.
+
+If you're not running this script on your Free/TrueNAS server itself, you'll need to make sure that the Python `requests` module is available (it's there by default in Free/TrueNAS).  How you'll do that will depend on the OS you're using wherever you're running the script.
+
+# Usage
+
+The relevant configuration takes place in the `deploy_config` file.  You can create this file either by copying `deploy_config_freenas.example` from this repository, or directly using your preferred text editor.  Its format is as follows:
+
+```
+[deploy]
+password = YourReallySecureRootPassword
+cert_fqdn = foo.bar.baz
+connect_host = baz.bar.foo
+verify = false
+privkey_path = /some/other/path
+fullchain_path = /some/other/other/path
+protocol = https://
+port = 443
+ui_certificate_enabled = false
+s3_enabled = false
+ftp_enabled = false
+webdav_enabled = false
+apps_enabled = false
+apps_only_matching_san = false
+cert_base_name = letsencrypt
+```
+
+Everything but `password` (or `api_key`) is optional, and the defaults are documented in `deploy_config.example`.
+
+On TrueNAS (Core) 12.0 and up you should use API key authentication instead of password authentication.
+[Generate a new API token in the UI](https://www.truenas.com/docs/hub/additional-topics/api/#creating-api-keys) first, then add it as `api_key` to the config, which replaces the `password` field:
+```
+api_key = 1-DXcZ19sZoZFdGATIidJ8vMP6dxk3nHWz3XX876oxS7FospAGMQjkOft0h4itJDSP
+```
+
+Once you've prepared `deploy_config`, you can run `deploy_freenas.py`.  The intended use is that it would be called by your ACME client after issuing a certificate.  With acme.sh, for example, you'd add `--reloadcmd "/path/to/deploy_freenas.py"` to your command.
+
+There is an optional paramter, `-c` or `--config`, that lets you specify the path to your configuration file. By default the script will try to use `deploy_config` in the script working directoy:
+
+```
+/path/to/deploy_freenas.py --config /somewhere/else/deploy_config
+```

Diff for: README_truenas.md

@@ -1,8 +1,8 @@
 # deploy-freenas
 
-deploy-freenas.py is a Python script to deploy TLS certificates to a TrueNAS SCALE server using the TrueNAS Websocket API.  This should ensure that the certificate data is properly stored in the configuration database, and that all appropriate services use this certificate.  Its original intent was to be called from an ACME client like [acme.sh](https://github.com/acmesh-official/acme.sh) after the certificate is issued, so that the entire process of issuance (or renewal) and deployment can be automated.  However, it can be used with certificates from any source, whether a different ACME-based certificate authority or otherwise.
+deploy_truenas.py is a Python script to deploy TLS certificates to a TrueNAS SCALE/Community Edition server using the TrueNAS Websocket API.  This should ensure that the certificate data is properly stored in the configuration database, and that all appropriate services use this certificate.  Its original intent was to be called from an ACME client like [acme.sh](https://github.com/acmesh-official/acme.sh) after the certificate is issued, so that the entire process of issuance (or renewal) and deployment can be automated.  However, it can be used with certificates from any source, whether a different ACME-based certificate authority or otherwise.
 
-Since this script was developed, acme.sh has added a [deployment script](https://github.com/acmesh-official/acme.sh/wiki/deployhooks#25-deploy-the-cert-on-truenas-core-server) which can deploy newly-issued certs to your TrueNAS system, so you may not need this script.  However, it isn't clear whether the acme.sh deployment script handles the services covered by this script (S3, FTP, WebDAV, Apps for SCALE).
+Since this script was developed, acme.sh has added a [deployment script](https://github.com/acmesh-official/acme.sh/wiki/deployhooks#25-deploy-the-cert-on-truenas-core-server) which can deploy newly-issued certs to your TrueNAS system, so you may not need this script.  However, it isn't clear whether the acme.sh deployment script handles the services covered by this script (S3, FTP, WebDAV, Apps for SCALE).  `acme.sh` also has a separate deployment script for the websocket API, but again, its capabilities compared to this one are unknown.
 
 # WORK IN PROGRESS
 This version of this script is a work in progress, and has had minimal testing.
@@ -37,7 +37,7 @@ Then clone this repository as described above.  Your system should be prepared t
 
 # Usage
 
-The relevant configuration takes place in the `deploy_config` file.  You can create this file either by copying `deploy_config.example` from this repository, or directly using your preferred text editor.  Its format is as follows:
+The relevant configuration takes place in the `deploy_config` file.  You can create this file either by copying `deploy_config_truenas.example` from this repository, or directly using your preferred text editor.  Its format is as follows:
 
 ```
 [deploy]
@@ -60,10 +60,10 @@ An API key is required for authentication.  [Generate a new API token in the UI]
 api_key = 1-DXcZ19sZoZFdGATIidJ8vMP6dxk3nHWz3XX876oxS7FospAGMQjkOft0h4itJDSP
 ```
 
-Once you've prepared `deploy_config`, you can run `deploy_freenas.py`.  The intended use is that it would be called by your ACME client after issuing a certificate.  With acme.sh, for example, you'd add `--reloadcmd "/path/to/deploy_freenas.py"` to your command.
+Once you've prepared `deploy_config`, you can run `deploy_truenas.py`.  The intended use is that it would be called by your ACME client after issuing a certificate.  With acme.sh, for example, you'd add `--reloadcmd "/path/to/deploy_truenas.py"` to your command.
 
 There is an optional paramter, `-c` or `--config`, that lets you specify the path to your configuration file. By default the script will try to use `deploy_config` in the script working directoy:
 
 ```
-/path/to/deploy_freenas.py --config /somewhere/else/deploy_config
+/path/to/deploy_truenas.py --config /somewhere/else/deploy_config
 ```

Diff for: deploy_config_freenas.example

@@ -0,0 +1,63 @@
+# Configuration file for deploy_freenas.py
+
+[deploy]
+# Choose one of the following authentication methods, "api_key" or "password" (comment out the other one).
+# Auth via API keys is highly recommended, but is only available from TrueNAS (Core) 12.0 up.
+# You can generate a new API key in the web interface under "Settings" (upper right) > "API Keys".
+# api_key = YourNewlyGeneratedAPIKey#@#$*
+# If you are on FreeNAS 11 or lower, set this to your FreeNAS root password
+password = YourSuperSecurePassword#@#$*
+
+# Everything below here is optional
+
+# cert_fqdn specifies the FQDN used for your certificate.  Default is your system hostname
+# cert_fqdn = foo.bar.baz
+
+# connect_host specifies the hostname the script should attempt to connect to, to deploy the cert.
+# Default is localhost (assuming the script is running on your FreeNAS box)
+# connect_host = baz.bar.foo
+
+# verify sets whether the script will attempt to verify the server's certificate with a HTTPS
+# connection.  Set to true if you're using a HTTPS connection to a remote host.  If connect_host
+# is set to localhost (or is unset), set to false.  Default is false.
+# verify = false
+
+# privkey_path is the path to the certificate private key on your system.  Default
+# assumes you're using acme.sh:
+# /root/.acme.sh/cert_fqdn/cert_fqdn.key or /root/.acme.sh/cert_fqdn_ecc/cert_fqdn.key
+# privkey_path = /some/other/path
+
+# fullchain_path is the path to the full chain (leaf cert + intermediate certs)
+# on your system.  Default assumes you're using acme.sh:
+# /root/.acme.sh/cert_fqdn/fullchain.cer or /root/.acme.sh/cert_fqdn_ecc/fullchain.cer
+# fullchain_path = /some/other/other/path
+
+# protocol sets the connection protocol, http or https.  Include '://' at the end.
+# Default is http
+# protocol = https://
+
+# port sets the port to use to connect.  Default is 80.  If protocol is https,
+# this MUST be set to your https port.
+# port = 443
+
+# set ui_certificate_enabled to false if you want to skip using the new cerificate for the UI. Default is true.
+# ui_certificate_enabled = false
+
+# set s3_enabled to true if you have the S3 service enabled on your FreeNAS. Default is false.
+# s3_enabled = true
+
+# set ftp_enabled to true if you have the FTP service enabled on your FreeNAS. Default is false.
+# ftp_enabled = true
+
+# set webdav_enabled to true if you have the WEBDAV service enabled on your FreeNAS. Default is false.
+# webdav_enabled = true
+
+# set apps_enabled to true if you want to update your TrueNAS SCALE chart applications to use the new certificate. Default is false.
+# apps_enabled = true
+
+# only update TrueNAS SCALE chart applications where the san of the current and the new cert matches. Default is false.
+#apps_only_matching_san = true
+
+# Certificates will be given a name with a timestamp, by default it will be
+# letsencrypt-yyyy-mm-dd-hhmmss.  You can change the first part if you like.
+# cert_base_name = something_else