udm-le/udm-le.env at main · kchristensen/udm-le · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
#
# Required configuration
#

# Email for LetsEncrypt certificate issuance
CERT_EMAIL="your@email.com"

# The FQDN of your UDMP (comma separated fqdns are supported)
CERT_HOSTS="whatever.hostname.com,*.whatever.anotherhostname.com"

# The number of days left on a certificate before renewal
CERT_DAYS_BEFORE_RENEWAL="30"

# Enable updating certificate keystore used by Captive Portal and WiFiman as well as device certificate
ENABLE_CAPTIVE="no"

# Import only the server certificate for use with Captive Portal and WiFiman.
# WiFiman requires a single certificate in the .crt file and does not work if
# the full chain is imported as this includes the CA intermediate certificates.
# Setting NO_BUNDLE="yes" only has effect if ENABLE_CAPTIVE="yes".
# WARNING: Experimental support. Not serving the full certificate chain may result in
# some clients not being able to connect to Captive Portal if they do not already have
# a cached copy of the CA intermediate certificate(s) and are unable to download them.
NO_BUNDLE="no"

# Enable updating EUS Certificate
ENABLE_EUS_CERTS="yes"

# Defines the key type to be used.
# Lego supported values are: RSA2048, RSA3072, RSA4096, RSA8192, EC256 and EC384, however
# using values other than RSA2048 is known to cause issues with UniFiOS.
#
# For up to date support, refer to:
# https://github.com/go-acme/lego/blob/0ab907c183d7b9371c7cf35336a54eb3cfd27634/cmd/setup.go#L96
KEY_TYPE="RSA2048"

# Enable updating Radius support
ENABLE_RADIUS="no"

# Disable support for CNAME resolution. When false, allows resolving _acme-challenge.* if you
# have a CNAME pointing to a different domain. This is generally not something people need, so leave
# this alone unless you've explicitly set up a CNAME and understand the implications.
LEGO_DISABLE_CNAME_SUPPORT=true

# The DNS resolver used to verify records. Change this to a public DNS resolver if you have
# modified your UDM's upstream DNS servers to point to an internal resolver that is the
# authoritative name server for any domain that you are trying to request certificates for.
DNS_RESOLVER="127.0.0.1:53"

#
# DNS provider configuration
# See README.md file for more details
#

# AWS Route53
#DNS_PROVIDER="route53"
#AWS_ACCESS_KEY_ID=""
#AWS_SECRET_ACCESS_KEY=""
#AWS_REGION=""
#AWS_HOSTED_ZONE_ID=""

# Azure
#DNS_PROVIDER="azure"
#AZURE_CLIENT_ID=""
#AZURE_CLIENT_SECRET_FILE="/data/udm-le/.secrets/client-secret.txt"
#AZURE_ENVIRONMENT="public"
#AZURE_RESOURCE_GROUP="udm-le"
#AZURE_SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"
#AZURE_TENANT_ID=""

# CloudFlare
DNS_PROVIDER="cloudflare"
CLOUDFLARE_DNS_API_TOKEN="YOUR_CLOUDFLARE_API_TOKEN"

# Digital Ocean
# Note: Quoting your DO_AUTH_TOKEN below seems to cause issues
#DNS_PROVIDER="digitalocean"
#DO_AUTH_TOKEN="AUTH_TOKEN"

# DuckDNS
#DNS_PROVIDER="duckdns"
#DUCKDNS_TOKEN="AUTH_TOKEN"

# Google Cloud DNS
# Note: The default path for the service account file is /root/.secrets
#DNS_PROVIDER="gcloud"
#GCE_SERVICE_ACCOUNT_FILE="/data/udm-le/.secrets/sa.json"
#GCE_PROPAGATION_TIMEOUT="3600"

# Google Domains
#DNS_PROVIDER="googledomains"
#GOOGLE_DOMAINS_ACCESS_TOKEN="ACCESS_TOKEN"

# Linode DNS
#DNS_PROVIDER="linode"
#LINODE_TOKEN=""
#LINODE_PROPAGATION_TIMEOUT="120"

# Loopia
#DNS_PROVIDER="loopia"
#LOOPIA_API_USER="YOUR_API_USER@loopiaapi"
#LOOPIA_API_PASSWORD="YOUR_API_PASSWORD"

# Gandi Live DNS (v5)
# Gandi PAT https://docs.gandi.net/en/managing_an_organization/organizations/personal_access_token.html#
# LEGO Reference https://go-acme.github.io/lego/dns/gandiv5/
#DNS_PROVIDER="gandiv5"
#GANDIV5_API_KEY="AUTH_TOKEN"                           # DEPRECATED
#GANDIV5_PERSONAL_ACCESS_TOKEN="PERSONAL_ACCESS_TOKEN"  # Replace with your Gandi Personal Access Token
#GANDIV5_HTTP_TIMEOUT="10"                              # API request timeout in seconds (Default: 10)
#GANDIV5_POLLING_INTERVAL="20"                          # Time between DNS propagation check in seconds (Default: 20)
#GANDIV5_PROPAGATION_TIMEOUT="1200"                     # Maximum waiting time for DNS propagation in seconds (Default: 1200)
#GANDIV5_TTL="300"                                      # The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

# Name.com
# Note: You need to use the your name.com username and not the api key name.
#DNS_PROVIDER="namedotcom"
#NAMECOM_USERNAME="YOUR_NAMECOM_USERNAME"
#NAMECOM_API_TOKEN="YOUR_NAMECOM_API_TOKEN"

# Oracle Cloud Infrastructure (OCI) DNS
#
# DO NOT WRAP ANY OF THE OCI_ VARIABLES IN QUOTES! See README.md for details.
#
#DNS_PROVIDER="oraclecloud"
# If OCI_PRIVKEY_FILE is password protected, uncomment the following line:
#OCI_PRIVKEY_PASS=password
#OCI_PRIVKEY_FILE=/data/udm-le/.secrets/oci_api_key.pem
# The following values can be found in ~/.oci/config after
#OCI_PUBKEY_FINGERPRINT=00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
#OCI_TENANCY_OCID=ocid1.tenancy.oc1..secret
#OCI_COMPARTMENT_OCID=ocid1.compartment.oc1..secret
#OCI_USER_OCID=ocid1.user.oc1..secret
#OCI_REGION=us-ashburn-1

# Zonomi
#DNS_PROVIDER="zonomi"
#ZONOMI_API_KEY="AUTH_TOKEN"

#
# Change stuff below at your own risk
#

# Extra arguments to pass to LEGO
# For example, to pass --dns.propagation-disable-ans to disable Authoritative Name Server (ANS) checking.
EXTRA_ARGS=""

# DNS_RESOLVERS supports a host:port if you need to override system DNS
DNS_RESOLVERS=""

# Changing below requires changing line 7 of udm-le.sh, as well as the paths within systemd service files
UDM_LE_PATH="/data/udm-le"

# LetsEncrypt Configuration
LEGO_VERSION="4.23.1"
LEGO_SHA1="77c99b2bf920a7520832c1d2af4efa64bc650549"
LEGO_DOWNLOAD_URL="https://github.com/go-acme/lego/releases/download/v${LEGO_VERSION}/lego_v${LEGO_VERSION}_linux_arm64.tar.gz"
LEGO_BINARY="${UDM_LE_PATH}/lego"
LEGO_PATH="${UDM_LE_PATH}/.lego"

# Java Configuration
JAVA_BINARY="/usr/bin/java"

# These should only change if Unifi-OS core changes require it
CERT_IMPORT_CMD="java -jar /usr/lib/unifi/lib/ace.jar import_key_cert"
UBIOS_CONTROLLER_CERT_PATH="/data/unifi-core/config"
UBIOS_RADIUS_CERT_PATH="/etc/freeradius/3.0/certs"
UNIFIOS_CERT_PATH="/data/unifi-core/config"
UNIFIOS_EUS_CERT_PATH="/data/eus_certificates"
UNIFIOS_KEYSTORE_CERT_ALIAS="unifi"
UNIFIOS_KEYSTORE_PASSWORD="aircontrolenterprise"
UNIFIOS_KEYSTORE_PATH="/usr/lib/unifi/data"