mikrotik checks

2025-10-27 07:12:15 +01:00
parent 7fc8b3894c
commit 5a37e451a5
2 changed files with 348 additions and 205 deletions
--- a/config.ini.example
+++ b/config.ini.example
@@ -1,11 +1,19 @@
+# ╔═══════════════════════════════════════════════════════════╗
+# ║              CertPusher Configuration File                ║
+# ║      SSL Certificate Distribution Configuration           ║
+# ╚═══════════════════════════════════════════════════════════╝
+
 [global]
-# Path to source SSL certificate (fullchain recommended)
+# Global source certificate and private key
 source_cert_path = /etc/letsencrypt/live/example.com/fullchain.pem
+source_key_path = /etc/letsencrypt/live/example.com/privkey.pem

 # Default SSH key for all hosts (can be overridden per host)
 default_ssh_key = /root/.ssh/id_rsa

-# ==================== MIKROTIK DEVICES ====================
+# ═══════════════════════════════════════════════════════════
+# MIKROTIK DEVICES
+# ═══════════════════════════════════════════════════════════

 [mikrotik_router]
 type = mikrotik
@@ -13,26 +21,26 @@ hostname = 172.16.0.1
 port = 51022
 username = admin
 ssh_key_path = /root/.ssh/id_rsa_proxy
-# For MikroTik, you need to provide the private key separately
-source_key_path = /etc/letsencrypt/live/example.com/privkey.pem
-# Note: check_url not used for MikroTik
+# Check certificate before upload (default: true)
+check_before_upload = true

 [mikrotik_switch]
 type = mikrotik
 hostname = 192.168.1.50
 port = 22
 username = admin
-source_key_path = /etc/letsencrypt/live/example.com/privkey.pem
+# Always upload without checking
+check_before_upload = false

-# ==================== PROXMOX SERVERS ====================
+# ═══════════════════════════════════════════════════════════
+# PROXMOX VE SERVERS
+# ═══════════════════════════════════════════════════════════

 [proxmox1]
 type = proxmox
 hostname = 10.87.2.150
 port = 11922
 username = root
-# For Proxmox, source_key_path can be auto-derived or specified
-source_key_path = /etc/letsencrypt/live/npm-3/privkey.pem
 check_url = https://10.87.2.150:8006

 [proxmox2]
@@ -40,20 +48,19 @@ type = proxmox
 hostname = 10.87.2.151
 port = 11922
 username = root
-source_key_path = /etc/letsencrypt/live/npm-3/privkey.pem
 check_url = https://10.87.2.151:8006

-# ==================== HOME ASSISTANT ====================
+# ═══════════════════════════════════════════════════════════
+# HOME ASSISTANT INSTALLATIONS
+# ═══════════════════════════════════════════════════════════

 [homeassistant_supervised]
 type = standard
 hostname = 192.168.1.100
 port = 22
 username = root
-# Home Assistant Supervised stores SSL in /ssl/ directory
 remote_cert_path = /usr/share/hassio/ssl/fullchain.pem
-additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/usr/share/hassio/ssl/privkey.pem
-# Home Assistant needs to be restarted via ha command
+remote_key_path = /usr/share/hassio/ssl/privkey.pem
 post_upload_command = ha core restart
 check_url = https://homeassistant.local:8123

@@ -63,9 +70,8 @@ hostname = 192.168.1.101
 port = 22
 username = homeassistant
 ssh_key_path = /root/.ssh/homeassistant_key
-# Home Assistant Core uses the config directory
 remote_cert_path = /home/homeassistant/.homeassistant/fullchain.pem
-additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/home/homeassistant/.homeassistant/privkey.pem
+remote_key_path = /home/homeassistant/.homeassistant/privkey.pem
 post_upload_command = sudo systemctl restart home-assistant@homeassistant
 check_url = https://192.168.1.101:8123

@@ -74,10 +80,8 @@ type = standard
 hostname = 192.168.1.102
 port = 22
 username = root
-# Home Assistant in Docker - certificate goes to mounted config volume
 remote_cert_path = /opt/homeassistant/config/fullchain.pem
-additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/opt/homeassistant/config/privkey.pem
-# Restart Docker container
+remote_key_path = /opt/homeassistant/config/privkey.pem
 post_upload_command = docker restart homeassistant
 check_url = https://ha.example.com:8123

@@ -86,26 +90,24 @@ type = standard
 hostname = 192.168.1.103
 port = 22
 username = root
-# Home Assistant OS (HassOS) - using SSH add-on
 remote_cert_path = /ssl/fullchain.pem
-additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/ssl/privkey.pem
+remote_key_path = /ssl/privkey.pem
 post_upload_command = ha core restart
 check_url = https://192.168.1.103:8123

-# ==================== HOME ASSISTANT WITH NGINX PROXY ====================
-
 [homeassistant_nginx_proxy]
 type = standard
 hostname = 192.168.1.104
 port = 22
 username = root
-# When using nginx as reverse proxy for Home Assistant
 remote_cert_path = /etc/nginx/ssl/homeassistant/fullchain.pem
-additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/nginx/ssl/homeassistant/privkey.pem
+remote_key_path = /etc/nginx/ssl/homeassistant/privkey.pem
 post_upload_command = nginx -t && systemctl reload nginx
 check_url = https://ha.example.com

-# ==================== STANDARD WEB SERVERS ====================
+# ═══════════════════════════════════════════════════════════
+# WEB SERVERS (NGINX & APACHE)
+# ═══════════════════════════════════════════════════════════

 [webserver_nginx]
 type = standard
@@ -113,7 +115,7 @@ hostname = 192.168.1.110
 port = 22
 username = root
 remote_cert_path = /etc/nginx/ssl/fullchain.pem
-additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/nginx/ssl/privkey.pem
+remote_key_path = /etc/nginx/ssl/privkey.pem
 post_upload_command = nginx -t && systemctl reload nginx
 check_url = https://example.com

@@ -124,11 +126,13 @@ port = 2222
 username = admin
 ssh_key_path = /root/.ssh/webserver_key
 remote_cert_path = /etc/apache2/ssl/fullchain.pem
-additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/apache2/ssl/privkey.pem
+remote_key_path = /etc/apache2/ssl/privkey.pem
 post_upload_command = apachectl configtest && systemctl reload apache2
 check_url = https://subdomain.example.com

-# ==================== MAIL SERVERS ====================
+# ═══════════════════════════════════════════════════════════
+# MAIL SERVERS (POSTFIX/DOVECOT)
+# ═══════════════════════════════════════════════════════════

 [mailserver_postfix]
 type = standard
@@ -136,18 +140,21 @@ hostname = mail.example.com
 port = 22
 username = root
 remote_cert_path = /etc/postfix/ssl/cert.pem
-additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/postfix/ssl/privkey.pem
+remote_key_path = /etc/postfix/ssl/privkey.pem
 post_upload_command = systemctl restart postfix && systemctl restart dovecot
+check_url = https://mail.example.com:587

-# ==================== DOCKER / CONTAINER HOSTS ====================
+# ═══════════════════════════════════════════════════════════
+# DOCKER / CONTAINER PLATFORMS
+# ═══════════════════════════════════════════════════════════

 [docker_traefik]
 type = standard
 hostname = 10.0.0.60
 port = 22
 username = root
-remote_cert_path = /opt/docker/traefik/certs/cert.pem
-additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/opt/docker/traefik/certs/key.pem
+remote_cert_path = /opt/docker/traefik/certs/fullchain.pem
+remote_key_path = /opt/docker/traefik/certs/privkey.pem
 post_upload_command = docker restart traefik
 check_url = https://traefik.example.com

@@ -156,12 +163,14 @@ type = standard
 hostname = 10.0.0.61
 port = 22
 username = root
-remote_cert_path = /opt/docker/nginx-proxy-manager/letsencrypt/live/npm-1/fullchain.pem
-additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/opt/docker/nginx-proxy-manager/letsencrypt/live/npm-1/privkey.pem
+remote_cert_path = /opt/docker/npm/ssl/fullchain.pem
+remote_key_path = /opt/docker/npm/ssl/privkey.pem
 post_upload_command = docker exec nginx-proxy-manager nginx -s reload
 check_url = https://npm.example.com

-# ==================== STORAGE / NAS ====================
+# ═══════════════════════════════════════════════════════════
+# STORAGE / NAS DEVICES
+# ═══════════════════════════════════════════════════════════

 [truenas_scale]
 type = standard
@@ -169,7 +178,7 @@ hostname = 10.0.0.70
 port = 22
 username = root
 remote_cert_path = /etc/certificates/truenas_cert.crt
-additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/etc/certificates/truenas_cert.key
+remote_key_path = /etc/certificates/truenas_cert.key
 post_upload_command = midclt call system.general.ui_restart
 check_url = https://truenas.local

@@ -179,54 +188,51 @@ hostname = 10.0.0.71
 port = 22
 username = root
 remote_cert_path = /usr/syno/etc/certificate/system/default/fullchain.pem
-additional_files = /etc/letsencrypt/live/example.com/privkey.pem:/usr/syno/etc/certificate/system/default/privkey.pem
+remote_key_path = /usr/syno/etc/certificate/system/default/privkey.pem
 post_upload_command = /usr/syno/sbin/synoservicectl --reload nginx
 check_url = https://synology.local:5001

+# ═══════════════════════════════════════════════════════════
+# HOSTS WITH CUSTOM CERTIFICATES
+# ═══════════════════════════════════════════════════════════

-# ==================== MAIL SERVER WITH CUSTOM CERTIFICATE ====================
-# This server uses mail.company.com certificate
-
-[mailserver]
+[mailserver_custom_domain]
 type = standard
 hostname = mail.company.com
 port = 22
 username = root
-# Override: use mail-specific certificate
+# Override global certificate with domain-specific cert
 source_cert_path = /etc/letsencrypt/live/mail.company.com/fullchain.pem
+source_key_path = /etc/letsencrypt/live/mail.company.com/privkey.pem
 remote_cert_path = /etc/postfix/ssl/cert.pem
-additional_files = /etc/letsencrypt/live/mail.company.com/privkey.pem:/etc/postfix/ssl/privkey.pem
+remote_key_path = /etc/postfix/ssl/privkey.pem
 post_upload_command = systemctl restart postfix && systemctl restart dovecot
 check_url = https://mail.company.com:465

-# ==================== SUBDOMAIN WITH CUSTOM CERTIFICATE ====================
-# This server uses subdomain.org certificate
-
-[api_server]
+[api_server_subdomain]
 type = standard
 hostname = 192.168.1.200
 port = 22
 username = ubuntu
 ssh_key_path = /root/.ssh/api_key
-# Override: use api-specific certificate
+# API server with its own certificate
 source_cert_path = /etc/letsencrypt/live/api.subdomain.org/fullchain.pem
+source_key_path = /etc/letsencrypt/live/api.subdomain.org/privkey.pem
 remote_cert_path = /etc/nginx/ssl/api/fullchain.pem
-additional_files = /etc/letsencrypt/live/api.subdomain.org/privkey.pem:/etc/nginx/ssl/api/privkey.pem
+remote_key_path = /etc/nginx/ssl/api/privkey.pem
 post_upload_command = systemctl reload nginx
 check_url = https://api.subdomain.org

-# ==================== CLIENT SITE WITH CUSTOM CERTIFICATE ====================
-# Client's own domain and certificate
-
 [client_website]
 type = standard
 hostname = 203.0.113.50
 port = 2222
 username = admin
-# Override: use client-specific certificate
+# Client's own domain and certificate
 source_cert_path = /etc/letsencrypt/live/client-domain.com/fullchain.pem
+source_key_path = /etc/letsencrypt/live/client-domain.com/privkey.pem
 remote_cert_path = /var/www/ssl/fullchain.pem
-additional_files = /etc/letsencrypt/live/client-domain.com/privkey.pem:/var/www/ssl/privkey.pem
+remote_key_path = /var/www/ssl/privkey.pem
 post_upload_command = systemctl reload apache2
 check_url = https://www.client-domain.com

@@ -236,21 +242,62 @@ hostname = 203.0.113.51
 port = 22
 username = admin
 ssh_key_path = /root/.ssh/client_key
-# Override: use client-specific certificate
+# Client's MikroTik with custom certificate
 source_cert_path = /etc/letsencrypt/live/client-domain.com/fullchain.pem
 source_key_path = /etc/letsencrypt/live/client-domain.com/privkey.pem
+check_before_upload = true

-# ==================== DEVELOPMENT SERVER ====================
-# Dev server with staging certificate
+# ═══════════════════════════════════════════════════════════
+# DEVELOPMENT / STAGING SERVERS
+# ═══════════════════════════════════════════════════════════

 [dev_server]
 type = standard
 hostname = dev.local
 port = 22
 username = developer
-# Override: use staging certificate for testing
+# Dev server with staging certificate
 source_cert_path = /etc/letsencrypt-staging/live/dev.example.com/fullchain.pem
+source_key_path = /etc/letsencrypt-staging/live/dev.example.com/privkey.pem
 remote_cert_path = /opt/app/ssl/fullchain.pem
-additional_files = /etc/letsencrypt-staging/live/dev.example.com/privkey.pem:/opt/app/ssl/privkey.pem
+remote_key_path = /opt/app/ssl/privkey.pem
 post_upload_command = docker-compose restart nginx
-# No check_url - always upload to dev
+# No check_url - always upload to dev environment
+
+# ═══════════════════════════════════════════════════════════
+# ADVANCED EXAMPLES
+# ═══════════════════════════════════════════════════════════
+
+[nginx_with_chain]
+type = standard
+hostname = 192.168.1.120
+port = 22
+username = root
+remote_cert_path = /etc/nginx/ssl/cert.pem
+remote_key_path = /etc/nginx/ssl/private/key.pem
+# Upload additional chain file
+additional_files = /etc/letsencrypt/live/example.com/chain.pem:/etc/nginx/ssl/chain.pem
+post_upload_command = nginx -t && systemctl reload nginx
+check_url = https://example.com
+
+[apache_separate_dirs]
+type = standard
+hostname = 192.168.1.121
+port = 22
+username = root
+# Certificate and key in completely different directories
+remote_cert_path = /etc/ssl/certs/apache-cert.pem
+remote_key_path = /etc/ssl/private/apache-key.pem
+post_upload_command = apachectl configtest && systemctl reload apache2
+
+[multi_service_host]
+type = standard
+hostname = 192.168.1.130
+port = 22
+username = root
+remote_cert_path = /etc/ssl/certs/fullchain.pem
+remote_key_path = /etc/ssl/private/privkey.pem
+# Deploy cert to multiple services
+additional_files = /etc/letsencrypt/live/example.com/fullchain.pem:/opt/app1/ssl/cert.pem,/etc/letsencrypt/live/example.com/privkey.pem:/opt/app1/ssl/key.pem,/etc/letsencrypt/live/example.com/fullchain.pem:/opt/app2/ssl/cert.pem
+post_upload_command = systemctl reload nginx && systemctl restart app1 && systemctl restart app2
+check_url = https://example.com