Add script nebula-regen-host-cert

2026-03-22 21:19:07 +01:00 · 2026-02-05 20:46:31 +01:00 · 2026-02-05 20:46:31 +01:00 · b36627095a
commit b36627095a
parent f8b30ac57b
1 changed files with 35 additions and 1 deletions
--- a/flake-parts/nebula.nix
+++ b/flake-parts/nebula.nix
@ -1,11 +1,12 @@
 _: {
  perSystem =
-    { pkgs, ... }:
+    { self', pkgs, ... }:
    {
      devShells.nebula = pkgs.mkShellNoCC {
        packages = [
          pkgs.nebula
          pkgs.bitwarden-cli
+          self'.packages.nebula-regen-host-cert
        ];

        shellHook = ''
@ -15,5 +16,38 @@ _: {
          fi
        '';
      };
+
+      packages.nebula-regen-host-cert = pkgs.writeShellApplication {
+        name = "nebula-regen-host-cert";
+        runtimeInputs = [
+          pkgs.nebula
+          pkgs.bitwarden-cli
+        ];
+        text = ''
+          if [[ $# -ne 1 ]]; then
+            echo "Usage: $0 <host>"
+            exit 1
+          fi
+
+          host="$1"
+          address="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.networking.overlay.cidr")"
+          ca_cert='modules/system/services/nebula/ca.crt'
+          host_pub="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.publicKeyPath")"
+          host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
+          host_cert="''${host_cert#*-source/}"
+
+          if ! declare -px BW_SESSION >/dev/null 2>&1; then
+            BW_SESSION="$(bw unlock --raw || bw login --raw)"
+          fi
+
+          ca_key="$(mktemp)"
+          chmod 600 "$ca_key"
+          trap 'rm -f "$ca_key"' EXIT
+          bw get notes 'nebula ca-key' > "$ca_key"
+
+          rm -f "$host_cert"
+          nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"
+        '';
+      };
    };
 }