Merge branch 'dev' into deployhook-docker

2025-12-15 15:04:01 +08:00 · 2025-02-15 20:24:05 +01:00
parent 449c542d5a 6dbe49089e
commit a7e3b0d184
22 changed files with 1469 additions and 146 deletions
--- a/deploy/proxmoxbs.sh
+++ b/deploy/proxmoxbs.sh
@@ -0,0 +1,120 @@
+#!/usr/bin/env sh
+
+# Deploy certificates to a proxmox backup server using the API.
+#
+# Environment variables that can be set are:
+# `DEPLOY_PROXMOXBS_SERVER`: The hostname of the proxmox backup server. Defaults to
+#                            _cdomain.
+# `DEPLOY_PROXMOXBS_SERVER_PORT`: The port number the management interface is on.
+#                                 Defaults to 8007.
+# `DEPLOY_PROXMOXBS_USER`: The user we'll connect as. Defaults to root.
+# `DEPLOY_PROXMOXBS_USER_REALM`: The authentication realm the user authenticates
+#                                with. Defaults to pam.
+# `DEPLOY_PROXMOXBS_API_TOKEN_NAME`: The name of the API token created for the
+#                                    user account. Defaults to acme.
+# `DEPLOY_PROXMOXBS_API_TOKEN_KEY`: The API token. Required.
+
+proxmoxbs_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug2 _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  # "Sane" defaults.
+  _getdeployconf DEPLOY_PROXMOXBS_SERVER
+  if [ -z "$DEPLOY_PROXMOXBS_SERVER" ]; then
+    _target_hostname="$_cdomain"
+  else
+    _target_hostname="$DEPLOY_PROXMOXBS_SERVER"
+    _savedeployconf DEPLOY_PROXMOXBS_SERVER "$DEPLOY_PROXMOXBS_SERVER"
+  fi
+  _debug2 DEPLOY_PROXMOXBS_SERVER "$_target_hostname"
+
+  _getdeployconf DEPLOY_PROXMOXBS_SERVER_PORT
+  if [ -z "$DEPLOY_PROXMOXBS_SERVER_PORT" ]; then
+    _target_port="8007"
+  else
+    _target_port="$DEPLOY_PROXMOXBS_SERVER_PORT"
+    _savedeployconf DEPLOY_PROXMOXBS_SERVER_PORT "$DEPLOY_PROXMOXBS_SERVER_PORT"
+  fi
+  _debug2 DEPLOY_PROXMOXBS_SERVER_PORT "$_target_port"
+
+  # Complete URL.
+  _target_url="https://${_target_hostname}:${_target_port}/api2/json/nodes/localhost/certificates/custom"
+  _debug TARGET_URL "$_target_url"
+
+  # More "sane" defaults.
+  _getdeployconf DEPLOY_PROXMOXBS_USER
+  if [ -z "$DEPLOY_PROXMOXBS_USER" ]; then
+    _proxmoxbs_user="root"
+  else
+    _proxmoxbs_user="$DEPLOY_PROXMOXBS_USER"
+    _savedeployconf DEPLOY_PROXMOXBS_USER "$DEPLOY_PROXMOXBS_USER"
+  fi
+  _debug2 DEPLOY_PROXMOXBS_USER "$_proxmoxbs_user"
+
+  _getdeployconf DEPLOY_PROXMOXBS_USER_REALM
+  if [ -z "$DEPLOY_PROXMOXBS_USER_REALM" ]; then
+    _proxmoxbs_user_realm="pam"
+  else
+    _proxmoxbs_user_realm="$DEPLOY_PROXMOXBS_USER_REALM"
+    _savedeployconf DEPLOY_PROXMOXBS_USER_REALM "$DEPLOY_PROXMOXBS_USER_REALM"
+  fi
+  _debug2 DEPLOY_PROXMOXBS_USER_REALM "$_proxmoxbs_user_realm"
+
+  _getdeployconf DEPLOY_PROXMOXBS_API_TOKEN_NAME
+  if [ -z "$DEPLOY_PROXMOXBS_API_TOKEN_NAME" ]; then
+    _proxmoxbs_api_token_name="acme"
+  else
+    _proxmoxbs_api_token_name="$DEPLOY_PROXMOXBS_API_TOKEN_NAME"
+    _savedeployconf DEPLOY_PROXMOXBS_API_TOKEN_NAME "$DEPLOY_PROXMOXBS_API_TOKEN_NAME"
+  fi
+  _debug2 DEPLOY_PROXMOXBS_API_TOKEN_NAME "$_proxmoxbs_api_token_name"
+
+  # This is required.
+  _getdeployconf DEPLOY_PROXMOXBS_API_TOKEN_KEY
+  if [ -z "$DEPLOY_PROXMOXBS_API_TOKEN_KEY" ]; then
+    _err "API key not provided."
+    return 1
+  else
+    _proxmoxbs_api_token_key="$DEPLOY_PROXMOXBS_API_TOKEN_KEY"
+    _savedeployconf DEPLOY_PROXMOXBS_API_TOKEN_KEY "$DEPLOY_PROXMOXBS_API_TOKEN_KEY"
+  fi
+  _debug2 DEPLOY_PROXMOXBS_API_TOKEN_KEY "$_proxmoxbs_api_token_key"
+
+  # PBS API Token header value. Used in "Authorization: PBSAPIToken".
+  _proxmoxbs_header_api_token="${_proxmoxbs_user}@${_proxmoxbs_user_realm}!${_proxmoxbs_api_token_name}:${_proxmoxbs_api_token_key}"
+  _debug2 "Auth Header" "$_proxmoxbs_header_api_token"
+
+  # Ugly. I hate putting heredocs inside functions because heredocs don't
+  # account for whitespace correctly but it _does_ work and is several times
+  # cleaner than anything else I had here.
+  #
+  # This dumps the json payload to a variable that should be passable to the
+  # _psot function.
+  _json_payload=$(
+    cat <<HEREDOC
+{
+  "certificates": "$(tr '\n' ':' <"$_cfullchain" | sed 's/:/\\n/g')",
+  "key": "$(tr '\n' ':' <"$_ckey" | sed 's/:/\\n/g')",
+  "node":"localhost",
+  "restart":true,
+  "force":true
+}
+HEREDOC
+  )
+  _debug2 Payload "$_json_payload"
+
+  _info "Push certificates to server"
+  export HTTPS_INSECURE=1
+  export _H1="Authorization: PBSAPIToken=${_proxmoxbs_header_api_token}"
+  _post "$_json_payload" "$_target_url" "" POST "application/json"
+
+}
--- a/deploy/truenas.sh
+++ b/deploy/truenas.sh
@@ -217,7 +217,7 @@ truenas_deploy() {
          _app_id=$(echo "$_app_id_list" | sed -n "${i}p")
          _app_config="$(_post "\"$_app_id\"" "$_api_url/app/config" "" "POST" "application/json")"
          # Check if the app use the same certificate TrueNAS web UI
-          _app_active_cert_config=$(echo "$_app_config" | _json_decode | jq -r ".ix_certificates[\"$_active_cert_id\"]")
+          _app_active_cert_config=$(echo "$_app_config" | tr -d '\000-\037' | _json_decode | jq -r ".ix_certificates[\"$_active_cert_id\"]")
          if [ "$_app_active_cert_config" != "null" ]; then
            _info "Updating certificate from $_active_cert_id to $_cert_id for app: $_app_id"
            #Replace the old certificate id with the new one in path
--- a/deploy/truenas_ws.sh
+++ b/deploy/truenas_ws.sh
@@ -0,0 +1,294 @@
+#!/usr/bin/env sh
+
+# TrueNAS deploy script for SCALE/CORE using websocket
+# It is recommend to use a wildcard certificate
+#
+# Websocket Documentation: https://www.truenas.com/docs/api/scale_websocket_api.html
+#
+# Tested with TrueNAS Scale - Electric Eel 24.10
+# Changes certificate in the following services:
+#  - Web UI
+#  - FTP
+#  - iX Apps
+#
+# The following environment variables must be set:
+# ------------------------------------------------
+#
+# # API KEY
+# # Use the folowing URL to create a new API token: <TRUENAS_HOSTNAME OR IP>/ui/apikeys
+# export DEPLOY_TRUENAS_APIKEY="<API_KEY_GENERATED_IN_THE_WEB_UI"
+#
+
+### Private functions
+
+# Call websocket method
+# Usage:
+#   _ws_response=$(_ws_call "math.dummycalc" "'{"x": 4, "y": 5}'")
+#   _info "$_ws_response"
+#
+# Output:
+#   {"z": 9}
+#
+# Arguments:
+#   $@ - midclt arguments for call
+#
+# Returns:
+#   JSON/JOBID
+_ws_call() {
+  _debug "_ws_call arg1" "$1"
+  _debug "_ws_call arg2" "$2"
+  _debug "_ws_call arg3" "$3"
+  if [ $# -eq 3 ]; then
+    _ws_response=$(midclt -K "$DEPLOY_TRUENAS_APIKEY" call "$1" "$2" "$3")
+  fi
+  if [ $# -eq 2 ]; then
+    _ws_response=$(midclt -K "$DEPLOY_TRUENAS_APIKEY" call "$1" "$2")
+  fi
+  if [ $# -eq 1 ]; then
+    _ws_response=$(midclt -K "$DEPLOY_TRUENAS_APIKEY" call "$1")
+  fi
+  _debug "_ws_response" "$_ws_response"
+  printf "%s" "$_ws_response"
+  return 0
+}
+
+# Check argument is a number
+# Usage:
+#
+# Output:
+#   n/a
+#
+# Arguments:
+#   $1 - Anything
+#
+# Returns:
+#   0: true
+#   1: false
+_ws_check_jobid() {
+  case "$1" in
+  [0-9]*)
+    return 0
+    ;;
+  esac
+  return 1
+}
+
+# Wait for job to finish and return result as JSON
+# Usage:
+#   _ws_result=$(_ws_get_job_result "$_ws_jobid")
+#   _new_certid=$(printf "%s" "$_ws_result" | jq -r '."id"')
+#
+# Output:
+#   JSON result of the job
+#
+# Arguments:
+#   $1 - JobID
+#
+# Returns:
+#   n/a
+_ws_get_job_result() {
+  while true; do
+    sleep 2
+    _ws_response=$(_ws_call "core.get_jobs" "[[\"id\", \"=\", $1]]")
+    if [ "$(printf "%s" "$_ws_response" | jq -r '.[]."state"')" != "RUNNING" ]; then
+      _ws_result="$(printf "%s" "$_ws_response" | jq '.[]."result"')"
+      _debug "_ws_result" "$_ws_result"
+      printf "%s" "$_ws_result"
+      _ws_error="$(printf "%s" "$_ws_response" | jq '.[]."error"')"
+      if [ "$_ws_error" != "null" ]; then
+        _err "Job $1 failed:"
+        _err "$_ws_error"
+        return 7
+      fi
+      break
+    fi
+  done
+  return 0
+}
+
+########################
+### Public functions ###
+########################
+
+# truenas_ws_deploy
+#
+# Deploy new certificate to TrueNAS services
+#
+# Arguments
+#  1: Domain
+#  2: Key-File
+#  3: Certificate-File
+#  4: CA-File
+#  5: FullChain-File
+# Returns:
+#  0: Success
+#  1: Missing API Key
+#  2: TrueNAS not ready
+#  3: Not a JobID
+#  4: FTP cert error
+#  5: WebUI cert error
+#  6: Job error
+#  7: WS call error
+# 10: No CORE or SCALE detected
+#
+truenas_ws_deploy() {
+  _domain="$1"
+  _file_key="$2"
+  _file_cert="$3"
+  _file_ca="$4"
+  _file_fullchain="$5"
+  _debug _domain "$_domain"
+  _debug _file_key "$_file_key"
+  _debug _file_cert "$_file_cert"
+  _debug _file_ca "$_file_ca"
+  _debug _file_fullchain "$_file_fullchain"
+
+  ########## Environment check
+
+  _info "Checking environment variables..."
+  _getdeployconf DEPLOY_TRUENAS_APIKEY
+  # Check API Key
+  if [ -z "$DEPLOY_TRUENAS_APIKEY" ]; then
+    _err "TrueNAS API key not found, please set the DEPLOY_TRUENAS_APIKEY environment variable."
+    return 1
+  fi
+  _secure_debug2 DEPLOY_TRUENAS_APIKEY "$DEPLOY_TRUENAS_APIKEY"
+  _info "Environment variables: OK"
+
+  ########## Health check
+
+  _info "Checking TrueNAS health..."
+  _ws_response=$(_ws_call "system.ready" | tr '[:lower:]' '[:upper:]')
+  _ws_ret=$?
+  if [ $_ws_ret -gt 0 ]; then
+    _err "Error calling system.ready:"
+    _err "$_ws_response"
+    return $_ws_ret
+  fi
+
+  if [ "$_ws_response" != "TRUE" ]; then
+    _err "TrueNAS is not ready."
+    _err "Please check environment variables DEPLOY_TRUENAS_APIKEY, DEPLOY_TRUENAS_HOSTNAME and DEPLOY_TRUENAS_PROTOCOL."
+    _err "Verify API key."
+    return 2
+  fi
+  _savedeployconf DEPLOY_TRUENAS_APIKEY "$DEPLOY_TRUENAS_APIKEY"
+  _info "TrueNAS health: OK"
+
+  ########## System info
+
+  _info "Gather system info..."
+  _ws_response=$(_ws_call "system.info")
+  _truenas_system=$(printf "%s" "$_ws_response" | jq -r '."version"' | cut -d '-' -f 2 | tr '[:lower:]' '[:upper:]')
+  _truenas_version=$(printf "%s" "$_ws_response" | jq -r '."version"' | cut -d '-' -f 3)
+  _info "TrueNAS system: $_truenas_system"
+  _info "TrueNAS version: $_truenas_version"
+  if [ "$_truenas_system" != "SCALE" ] && [ "$_truenas_system" != "CORE" ]; then
+    _err "Cannot gather TrueNAS system. Nor CORE oder SCALE detected."
+    return 10
+  fi
+
+  ########## Gather current certificate
+
+  _info "Gather current WebUI certificate..."
+  _ws_response="$(_ws_call "system.general.config")"
+  _ui_certificate_id=$(printf "%s" "$_ws_response" | jq -r '."ui_certificate"."id"')
+  _ui_certificate_name=$(printf "%s" "$_ws_response" | jq -r '."ui_certificate"."name"')
+  _info "Current WebUI certificate ID: $_ui_certificate_id"
+  _info "Current WebUI certificate name: $_ui_certificate_name"
+
+  ########## Upload new certificate
+
+  _info "Upload new certificate..."
+  _certname="acme_$(_utc_date | tr -d '\-\:' | tr ' ' '_')"
+  _info "New WebUI certificate name: $_certname"
+  _debug _certname "$_certname"
+  _ws_jobid=$(_ws_call "certificate.create" "{\"name\": \"${_certname}\", \"create_type\": \"CERTIFICATE_CREATE_IMPORTED\", \"certificate\": \"$(_json_encode <"$_file_fullchain")\", \"privatekey\": \"$(_json_encode <"$_file_key")\", \"passphrase\": \"\"}")
+  _debug "_ws_jobid" "$_ws_jobid"
+  if ! _ws_check_jobid "$_ws_jobid"; then
+    _err "No JobID returned from websocket method."
+    return 3
+  fi
+  _ws_result=$(_ws_get_job_result "$_ws_jobid")
+  _ws_ret=$?
+  if [ $_ws_ret -gt 0 ]; then
+    return $_ws_ret
+  fi
+  _debug "_ws_result" "$_ws_result"
+  _new_certid=$(printf "%s" "$_ws_result" | jq -r '."id"')
+  _info "New certificate ID: $_new_certid"
+
+  ########## FTP
+
+  _info "Replace FTP certificate..."
+  _ws_response=$(_ws_call "ftp.update" "{\"ssltls_certificate\": $_new_certid}")
+  _ftp_certid=$(printf "%s" "$_ws_response" | jq -r '."ssltls_certificate"')
+  if [ "$_ftp_certid" != "$_new_certid" ]; then
+    _err "Cannot set FTP certificate."
+    _debug "_ws_response" "$_ws_response"
+    return 4
+  fi
+
+  ########## ix Apps (SCALE only)
+
+  if [ "$_truenas_system" = "SCALE" ]; then
+    _info "Replace app certificates..."
+    _ws_response=$(_ws_call "app.query")
+    for _app_name in $(printf "%s" "$_ws_response" | jq -r '.[]."name"'); do
+      _info "Checking app $_app_name..."
+      _ws_response=$(_ws_call "app.config" "$_app_name")
+      if [ "$(printf "%s" "$_ws_response" | jq -r '."network" | has("certificate_id")')" = "true" ]; then
+        _info "App has certificate option, setup new certificate..."
+        _info "App will be redeployed after updating the certificate."
+        _ws_jobid=$(_ws_call "app.update" "$_app_name" "{\"values\": {\"network\": {\"certificate_id\": $_new_certid}}}")
+        _debug "_ws_jobid" "$_ws_jobid"
+        if ! _ws_check_jobid "$_ws_jobid"; then
+          _err "No JobID returned from websocket method."
+          return 3
+        fi
+        _ws_result=$(_ws_get_job_result "$_ws_jobid")
+        _ws_ret=$?
+        if [ $_ws_ret -gt 0 ]; then
+          return $_ws_ret
+        fi
+        _debug "_ws_result" "$_ws_result"
+        _info "App certificate replaced."
+      else
+        _info "App has no certificate option, skipping..."
+      fi
+    done
+  fi
+
+  ########## WebUI
+
+  _info "Replace WebUI certificate..."
+  _ws_response=$(_ws_call "system.general.update" "{\"ui_certificate\": $_new_certid}")
+  _changed_certid=$(printf "%s" "$_ws_response" | jq -r '."ui_certificate"."id"')
+  if [ "$_changed_certid" != "$_new_certid" ]; then
+    _err "WebUI certificate change error.."
+    return 5
+  else
+    _info "WebUI certificate replaced."
+  fi
+  _info "Restarting WebUI..."
+  _ws_response=$(_ws_call "system.general.ui_restart")
+  _info "Waiting for UI restart..."
+  sleep 6
+
+  ########## Certificates
+
+  _info "Deleting old certificate..."
+  _ws_jobid=$(_ws_call "certificate.delete" "$_ui_certificate_id")
+  if ! _ws_check_jobid "$_ws_jobid"; then
+    _err "No JobID returned from websocket method."
+    return 3
+  fi
+  _ws_result=$(_ws_get_job_result "$_ws_jobid")
+  _ws_ret=$?
+  if [ $_ws_ret -gt 0 ]; then
+    return $_ws_ret
+  fi
+
+  _info "Have a nice day...bye!"
+
+}
--- a/deploy/unifi.sh
+++ b/deploy/unifi.sh
@@ -30,7 +30,9 @@
 # Keystore password (built into Unifi Controller, not a user-set password):
 #DEPLOY_UNIFI_KEYPASS="aircontrolenterprise"
 # Command to restart Unifi Controller:
-#DEPLOY_UNIFI_RELOAD="service unifi restart"
+# DEPLOY_UNIFI_RELOAD="systemctl restart unifi"
+# System Properties file location for controller
+#DEPLOY_UNIFI_SYSTEM_PROPERTIES="/usr/lib/unifi/data/system.properties"
 #
 # Settings for Unifi Cloud Key Gen1 (nginx admin pages):
 # Directory where cloudkey.crt and cloudkey.key live:
@@ -43,7 +45,7 @@
 # Directory where unifi-core.crt and unifi-core.key live:
 #DEPLOY_UNIFI_CORE_CONFIG="/data/unifi-core/config/"
 # Command to restart unifi-core:
-#DEPLOY_UNIFI_RELOAD="systemctl restart unifi-core"
+# DEPLOY_UNIFI_OS_RELOAD="systemctl restart unifi-core"
 #
 # At least one of DEPLOY_UNIFI_KEYSTORE, DEPLOY_UNIFI_CLOUDKEY_CERTDIR,
 # or DEPLOY_UNIFI_CORE_CONFIG must exist to receive the deployed certs.
@@ -69,12 +71,16 @@ unifi_deploy() {
  _getdeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR
  _getdeployconf DEPLOY_UNIFI_CORE_CONFIG
  _getdeployconf DEPLOY_UNIFI_RELOAD
+  _getdeployconf DEPLOY_UNIFI_SYSTEM_PROPERTIES
+  _getdeployconf DEPLOY_UNIFI_OS_RELOAD

  _debug2 DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
  _debug2 DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
  _debug2 DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
  _debug2 DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
  _debug2 DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
+  _debug2 DEPLOY_UNIFI_OS_RELOAD "$DEPLOY_UNIFI_OS_RELOAD"
+  _debug2 DEPLOY_UNIFI_SYSTEM_PROPERTIES "$DEPLOY_UNIFI_SYSTEM_PROPERTIES"

  # Space-separated list of environments detected and installed:
  _services_updated=""
@@ -135,33 +141,53 @@ unifi_deploy() {
      cp -f "$_import_pkcs12" "$_unifi_keystore"
    fi

+    # correct file ownership according to the directory, the keystore is placed in
+    _unifi_keystore_dir=$(dirname "${_unifi_keystore}")
+    _unifi_keystore_dir_owner=$(find "${_unifi_keystore_dir}" -maxdepth 0 -printf '%u\n')
+    _unifi_keystore_owner=$(find "${_unifi_keystore}" -maxdepth 0 -printf '%u\n')
+    if ! [ "${_unifi_keystore_owner}" = "${_unifi_keystore_dir_owner}" ]; then
+      _debug "Changing keystore owner to ${_unifi_keystore_dir_owner}"
+      chown "$_unifi_keystore_dir_owner" "${_unifi_keystore}" >/dev/null 2>&1 # fail quietly if we're not running as root
+    fi
+
    # Update unifi service for certificate cipher compatibility
+    _unifi_system_properties="${DEPLOY_UNIFI_SYSTEM_PROPERTIES:-/usr/lib/unifi/data/system.properties}"
    if ${ACME_OPENSSL_BIN:-openssl} pkcs12 \
      -in "$_import_pkcs12" \
      -password pass:aircontrolenterprise \
      -nokeys | ${ACME_OPENSSL_BIN:-openssl} x509 -text \
      -noout | grep -i "signature" | grep -iq ecdsa >/dev/null 2>&1; then
-      cp -f /usr/lib/unifi/data/system.properties /usr/lib/unifi/data/system.properties_original
-      _info "Updating system configuration for cipher compatibility."
-      _info "Saved original system config to /usr/lib/unifi/data/system.properties_original"
-      sed -i '/unifi\.https\.ciphers/d' /usr/lib/unifi/data/system.properties
-      echo "unifi.https.ciphers=ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256" >>/usr/lib/unifi/data/system.properties
-      sed -i '/unifi\.https\.sslEnabledProtocols/d' /usr/lib/unifi/data/system.properties
-      echo "unifi.https.sslEnabledProtocols=TLSv1.3,TLSv1.2" >>/usr/lib/unifi/data/system.properties
-      _info "System configuration updated."
+      if [ -f "$(dirname "${DEPLOY_UNIFI_KEYSTORE}")/system.properties" ]; then
+        _unifi_system_properties="$(dirname "${DEPLOY_UNIFI_KEYSTORE}")/system.properties"
+      else
+        _unifi_system_properties="/usr/lib/unifi/data/system.properties"
+      fi
+      if [ -f "${_unifi_system_properties}" ]; then
+        cp -f "${_unifi_system_properties}" "${_unifi_system_properties}"_original
+        _info "Updating system configuration for cipher compatibility."
+        _info "Saved original system config to ${_unifi_system_properties}_original"
+        sed -i '/unifi\.https\.ciphers/d' "${_unifi_system_properties}"
+        echo "unifi.https.ciphers=ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256" >>"${_unifi_system_properties}"
+        sed -i '/unifi\.https\.sslEnabledProtocols/d' "${_unifi_system_properties}"
+        echo "unifi.https.sslEnabledProtocols=TLSv1.3,TLSv1.2" >>"${_unifi_system_properties}"
+        _info "System configuration updated."
+      fi
    fi

    rm "$_import_pkcs12"

    # Restarting unifi-core will bring up unifi, doing it out of order results in
    # a certificate error, and breaks wifiman.
-    # Restart if we aren't doing unifi-core, otherwise stop for later restart.
-    if systemctl -q is-active unifi; then
-      if [ ! -f "${DEPLOY_UNIFI_CORE_CONFIG:-/data/unifi-core/config}/unifi-core.key" ]; then
-        _reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl restart unifi"
-      else
-        _reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl stop unifi"
-      fi
+    # Restart if we aren't doing Unifi OS (e.g. unifi-core service), otherwise stop for later restart.
+    _unifi_reload="${DEPLOY_UNIFI_RELOAD:-systemctl restart unifi}"
+    if [ ! -f "${DEPLOY_UNIFI_CORE_CONFIG:-/data/unifi-core/config}/unifi-core.key" ]; then
+      _reload_cmd="${_reload_cmd:+$_reload_cmd && }$_unifi_reload"
+    else
+      _info "Stopping Unifi Controller for later restart."
+      _unifi_stop=$(echo "${_unifi_reload}" | sed -e 's/restart/stop/')
+      $_unifi_stop
+      _reload_cmd="${_reload_cmd:+$_reload_cmd && }$_unifi_reload"
+      _info "Unifi Controller stopped."
    fi
    _services_updated="${_services_updated} unifi"
    _info "Install Unifi Controller certificate success!"
@@ -181,13 +207,24 @@ unifi_deploy() {
      return 1
    fi
    # Cloud Key expects to load the keystore from /etc/ssl/private/unifi.keystore.jks.
-    # Normally /usr/lib/unifi/data/keystore is a symlink there (so the keystore was
-    # updated above), but if not, we don't know how to handle this installation:
-    if ! cmp -s "$_unifi_keystore" "${_cloudkey_certdir}/unifi.keystore.jks"; then
-      _err "Unsupported Cloud Key configuration: keystore not found at '${_cloudkey_certdir}/unifi.keystore.jks'"
-      return 1
+    # It appears that unifi won't start if this is a symlink, so we'll copy it instead.
+
+    # if ! cmp -s "$_unifi_keystore" "${_cloudkey_certdir}/unifi.keystore.jks"; then
+    #   _err "Unsupported Cloud Key configuration: keystore not found at '${_cloudkey_certdir}/unifi.keystore.jks'"
+    #   return 1
+    # fi
+
+    _info "Updating ${_cloudkey_certdir}/unifi.keystore.jks"
+    if [ -e "${_cloudkey_certdir}/unifi.keystore.jks" ]; then
+      if [ -L "${_cloudkey_certdir}/unifi.keystore.jks" ]; then
+        rm -f "${_cloudkey_certdir}/unifi.keystore.jks"
+      else
+        mv "${_cloudkey_certdir}/unifi.keystore.jks" "${_cloudkey_certdir}/unifi.keystore.jks_original"
+      fi
    fi

+    cp "${_unifi_keystore}" "${_cloudkey_certdir}/unifi.keystore.jks"
+
    cat "$_cfullchain" >"${_cloudkey_certdir}/cloudkey.crt"
    cat "$_ckey" >"${_cloudkey_certdir}/cloudkey.key"
    (cd "$_cloudkey_certdir" && tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks)
@@ -215,14 +252,14 @@ unifi_deploy() {
    # Save the existing certs in case something goes wrong.
    cp -f "${_unifi_core_config}"/unifi-core.crt "${_unifi_core_config}"/unifi-core_original.crt
    cp -f "${_unifi_core_config}"/unifi-core.key "${_unifi_core_config}"/unifi-core_original.key
-    _info "Previous certificate and key saved to ${_unifi_core_config}/unifi-core_original.crt/key."
+    _info "Previous certificate and key saved to ${_unifi_core_config}/unifi-core_original.crt.key."

    cat "$_cfullchain" >"${_unifi_core_config}/unifi-core.crt"
    cat "$_ckey" >"${_unifi_core_config}/unifi-core.key"

-    if systemctl -q is-active unifi-core; then
-      _reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl restart unifi-core"
-    fi
+    _unifi_os_reload="${DEPLOY_UNIFI_OS_RELOAD:-systemctl restart unifi-core}"
+    _reload_cmd="${_reload_cmd:+$_reload_cmd && }$_unifi_os_reload"
+
    _info "Install UnifiOS certificate success!"
    _services_updated="${_services_updated} unifi-core"
  elif [ "$DEPLOY_UNIFI_CORE_CONFIG" ]; then
@@ -261,6 +298,8 @@ unifi_deploy() {
  _savedeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
  _savedeployconf DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
  _savedeployconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
+  _savedeployconf DEPLOY_UNIFI_OS_RELOAD "$DEPLOY_UNIFI_OS_RELOAD"
+  _savedeployconf DEPLOY_UNIFI_SYSTEM_PROPERTIES "$DEPLOY_UNIFI_SYSTEM_PROPERTIES"

  return 0
 }