scripts: Move nebula scripts into subdirectory

This commit is contained in:
SebastianStork 2026-02-06 21:42:59 +01:00
parent b94ff46b24
commit 0f69eb0355
Signed by: SebastianStork
SSH key fingerprint: SHA256:tRrGdjYOwgHxpSc/wTOZQZEjxcb15P0tyXRsbAfd+2Q
3 changed files with 11 additions and 4 deletions


@ -0,0 +1,31 @@
{ self', pkgs, ... }:
pkgs.writeShellApplication {
name = "nebula-regen-all-host-certs";
runtimeInputs = [
pkgs.bitwarden-cli
pkgs.jq
self'.packages.nebula-regen-host-cert
];
text = ''
hosts="$(nix eval .#nixosConfigurations --apply 'builtins.attrNames' --json | jq -r '.[]')"
if ! declare -px BW_SESSION >/dev/null 2>&1; then
BW_SESSION="$(bw unlock --raw || bw login --raw)"
export BW_SESSION
fi
ca_key="$(mktemp)"
chmod 600 "$ca_key"
trap 'rm -f "$ca_key"' EXIT
bw get notes 'nebula ca-key' > "$ca_key"
for host in $hosts; do
echo "Regenerating certificate for $host..."
nebula-regen-host-cert "$host" "$ca_key"
done
echo "Done!"
'';
}
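Review bot: The CA private key fetched by `bw get notes 'nebula ca-key'` is written to a regular file under TMPDIR and is only unlinked by the EXIT trap, so it outlives a SIGKILL or a crash, and on a persistent filesystem the bytes remain recoverable after `rm -f`. For a key of this sensitivity consider creating it on a RAM-backed directory where one exists (e.g. `ca_key="$(mktemp -p /dev/shm)"`) or scrubbing instead of unlinking, `trap 'shred -u -- "$ca_key" 2>/dev/null || rm -f -- "$ca_key"' EXIT`, and record the intent with a comment such as `# CA private key exists only for this run; scrub on exit, never leave it in TMPDIR`. The `chmod 600` after `mktemp` is redundant (mktemp already creates the file 0600) but harmless. The same pattern appears in the `else` branch of the second file and would take the same treatment.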


@ -0,0 +1,41 @@
{ pkgs, ... }:
pkgs.writeShellApplication {
name = "nebula-regen-host-cert";
runtimeInputs = [
pkgs.nebula
pkgs.bitwarden-cli
];
text = ''
if [[ $# -lt 1 ]] || [[ $# -gt 2 ]]; then
echo "Usage: $0 <host> [<ca-key-path>]"
exit 1
fi
host="$1"
address="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.networking.overlay.cidr")"
groups="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.groups" --apply 'builtins.concatStringsSep ","')"
ca_cert='modules/system/services/nebula/ca.crt'
host_pub="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.publicKeyPath")"
host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
host_cert="''${host_cert#*-source/}"
if [[ $# -eq 2 ]]; then
ca_key="$2"
else
if ! declare -px BW_SESSION >/dev/null 2>&1; then
BW_SESSION="$(bw unlock --raw || bw login --raw)"
export BW_SESSION
fi
ca_key="$(mktemp)"
chmod 600 "$ca_key"
trap 'rm -f "$ca_key"' EXIT
bw get notes 'nebula ca-key' > "$ca_key"
fi
rm -f "$host_cert"
nebula-cert sign -name "$host" -networks "$address" -groups "$groups" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"
'';
}
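Review bot: `rm -f "$host_cert"` runs before `nebula-cert sign`, so any failure of the sign step (wrong CA key, bad `-networks` value, nix eval returning an unexpected path) leaves the host with no certificate in the tree at all. Presumably the `rm` is there because `nebula-cert sign` refuses an existing `-out-crt`; signing into a sibling path and renaming over the old file keeps the replacement atomic: `tmp_cert="$host_cert.new"; rm -f -- "$tmp_cert"`, then `-out-crt "$tmp_cert"` on the sign line, then `mv -f -- "$tmp_cert" "$host_cert"`. Two smaller points: the usage message on the `$# -lt 1` branch goes to stdout and would read better with `>&2`, and the `''${host_cert#*-source/}` strip plus the relative `ca_cert` path both assume the script is invoked from the flake root, which is worth a comment such as `# paths are relative to the repository root; run from there`.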