From b36627095af39eec1c68c073f22579695349a3de Mon Sep 17 00:00:00 2001 From: SebastianStork Date: Thu, 5 Feb 2026 20:46:31 +0100 Subject: [PATCH] Add script `nebula-regen-host-cert` --- flake-parts/nebula.nix | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/flake-parts/nebula.nix b/flake-parts/nebula.nix index 2a7c427..813c8cb 100644 --- a/flake-parts/nebula.nix +++ b/flake-parts/nebula.nix @@ -1,11 +1,12 @@ _: { perSystem = - { pkgs, ... }: + { self', pkgs, ... }: { devShells.nebula = pkgs.mkShellNoCC { packages = [ pkgs.nebula pkgs.bitwarden-cli + self'.packages.nebula-regen-host-cert ]; shellHook = '' @@ -15,5 +16,38 @@ _: { fi ''; }; + + packages.nebula-regen-host-cert = pkgs.writeShellApplication { + name = "nebula-regen-host-cert"; + runtimeInputs = [ + pkgs.nebula + pkgs.bitwarden-cli + ]; + text = '' + if [[ $# -ne 1 ]]; then + echo "Usage: $0 " + exit 1 + fi + + host="$1" + address="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.networking.overlay.cidr")" + ca_cert='modules/system/services/nebula/ca.crt' + host_pub="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.publicKeyPath")" + host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")" + host_cert="''${host_cert#*-source/}" + + if ! declare -px BW_SESSION >/dev/null 2>&1; then + BW_SESSION="$(bw unlock --raw || bw login --raw)" + fi + + ca_key="$(mktemp)" + chmod 600 "$ca_key" + trap 'rm -f "$ca_key"' EXIT + bw get notes 'nebula ca-key' > "$ca_key" + + rm -f "$host_cert" + nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert" + ''; + }; }; }
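Review bot: In the `packages.nebula-regen-host-cert` hunk, `rm -f "$host_cert"` runs before `nebula-cert sign`, so any failure of the sign step (expired Bitwarden session, wrong vault item, malformed CA key, `nix eval` returning an unexpected path) leaves the host with no certificate at all rather than the old one; sign into a sibling path and only replace on success, e.g. `nebula-cert sign … -out-crt "$host_cert.new"` then `mv "$host_cert.new" "$host_cert"`, with `trap 'rm -f "$ca_key" "$host_cert.new"' EXIT` and the `rm -f` moved to the `.new` path (nebula-cert refuses to overwrite an existing output file, so the pre-delete is still needed there). The fallback `BW_SESSION="$(bw unlock --raw || bw login --raw)"` assigns a plain shell variable, so unless bw obtains the session some other way the following `bw get notes` will not see it — the `declare -px` check is testing for an exported variable, so the assignment should be `export BW_SESSION="$(…)"`. The CA private key is written in plaintext to `mktemp`, i.e. to whatever `$TMPDIR` is (often persistent disk); if nebula-cert accepts a non-regular file, `-ca-key <(bw get notes 'nebula ca-key')` would keep it off disk entirely, which is worth verifying before relying on it. A short header comment stating that the script must be run from the repository root (the `''${host_cert#*-source/}` strip yields a repo-relative path) would also help the next reader.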