diff --git a/flake-parts/dev-shells.nix b/flake-parts/dev-shells.nix index 6d8ac6a..ebc5ad8 100644 --- a/flake-parts/dev-shells.nix +++ b/flake-parts/dev-shells.nix @@ -30,6 +30,7 @@ _: { pkgs.nebula pkgs.bitwarden-cli self'.packages.nebula-regen-host-cert + self'.packages.nebula-regen-all-host-certs ]; shellHook = '' diff --git a/flake-parts/scripts.nix b/flake-parts/scripts.nix index 62fecf0..c2a0782 100644 --- a/flake-parts/scripts.nix +++ b/flake-parts/scripts.nix @@ -1,13 +1,18 @@ { self, ... }: { perSystem = - { pkgs, lib, ... }: + { + self', + pkgs, + lib, + ... + }: { packages = "${self}/scripts" |> builtins.readDir |> lib.attrNames |> lib.map (name: name |> lib.removeSuffix ".nix") - |> self.lib.genAttrs (name: import "${self}/scripts/${name}.nix" { inherit pkgs; }); + |> self.lib.genAttrs (name: import "${self}/scripts/${name}.nix" { inherit self' pkgs lib; }); }; } diff --git a/scripts/install-anywhere.nix b/scripts/install-anywhere.nix index 10be289..ca0b4f2 100644 --- a/scripts/install-anywhere.nix +++ b/scripts/install-anywhere.nix @@ -1,4 +1,4 @@ -{ pkgs }: +{ pkgs , ...}: pkgs.writeShellApplication { name = "install-anywhere"; diff --git a/scripts/nebula-regen-all-host-certs.nix b/scripts/nebula-regen-all-host-certs.nix new file mode 100644 index 0000000..db09d6c --- /dev/null +++ b/scripts/nebula-regen-all-host-certs.nix 
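Review bot: In flake-parts/scripts.nix the import now passes `self'`, `pkgs` and `lib` to every file that `builtins.readDir` finds under scripts/, so any script whose argument set is still the closed `{ pkgs }:` will fail evaluation with an unexpected-argument error. This commit opens up install-anywhere.nix and nebula-regen-host-cert.nix; any other scripts in that directory (not visible here) need the same `...`. As a style point, `{ pkgs , ...}:` in install-anywhere.nix is spaced differently from the `{ pkgs, ... }:` used in nebula-regen-host-cert.nix, and a formatter pass would align them.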
@@ -0,0 +1,30 @@ +{ self', pkgs, lib, ... }: +pkgs.writeShellApplication { + name = "nebula-regen-all-host-certs"; + + runtimeInputs = [ + pkgs.bitwarden-cli + pkgs.jq + ]; + + text = '' + hosts="$(nix eval .#nixosConfigurations --apply 'builtins.attrNames' --json | jq -r '.[]')" + + if ! declare -px BW_SESSION >/dev/null 2>&1; then + BW_SESSION="$(bw unlock --raw || bw login --raw)" + export BW_SESSION + fi + + ca_key="$(mktemp)" + chmod 600 "$ca_key" + trap 'rm -f "$ca_key"' EXIT + bw get notes 'nebula ca-key' > "$ca_key" + + for host in $hosts; do + echo "Regenerating certificate for $host..." + ${lib.getExe self'.packages.nebula-regen-host-cert} "$host" "$ca_key" + done + + echo "Done!" + ''; +} diff --git a/scripts/nebula-regen-host-cert.nix b/scripts/nebula-regen-host-cert.nix index 4e706f8..bfac5c8 100644 --- a/scripts/nebula-regen-host-cert.nix +++ b/scripts/nebula-regen-host-cert.nix @@ -1,4 +1,4 @@ -{ pkgs }: +{ pkgs, ... }: pkgs.writeShellApplication { name = "nebula-regen-host-cert";
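Review bot: The Nebula CA private key is written to a plain `mktemp` file, which lands in `$TMPDIR` or `/tmp` and may be disk-backed, and the `rm -f` in the EXIT trap only unlinks it without erasing the contents. Prefer a memory-backed location when one is available, e.g. `ca_key="$(mktemp -p "''${XDG_RUNTIME_DIR:-/tmp}")"` (the `''$` escape is needed inside the Nix indented string); `XDG_RUNTIME_DIR` is usually a per-user tmpfs, but confirm that on the machines where this runs. The helper is called with the key path as a second argument, yet the only visible change to scripts/nebula-regen-host-cert.nix is its argument set, so check that it actually reads `$2` rather than ignoring it or fetching the key again. Because writeShellApplication enables errexit, the loop stops at the first failing host and leaves the fleet partly re-issued; a comment such as `# aborts on first failure; hosts already processed keep their new certs` above the `for` would make that explicit.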