From d45f8cd2972253741c42584720c59a07c0034564 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Thu, 5 Feb 2026 21:59:54 +0100
Subject: [PATCH] scripts: Let `nebula-regen-host-cert` optionally accept the ca key as an argument
---
 scripts/nebula-regen-host-cert.nix | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/scripts/nebula-regen-host-cert.nix b/scripts/nebula-regen-host-cert.nix
index 1d6e75d..4e706f8 100644
--- a/scripts/nebula-regen-host-cert.nix
+++ b/scripts/nebula-regen-host-cert.nix
@@ -8,8 +8,8 @@ pkgs.writeShellApplication {
 ];
 text = ''
- if [[ $# -ne 1 ]]; then
- echo "Usage: $0 "
+ if [[ $# -lt 1 ]] || [[ $# -gt 2 ]]; then
+ echo "Usage: $0 []"
 exit 1
 fi
@@ -20,15 +20,19 @@ pkgs.writeShellApplication {
 host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
 host_cert="''${host_cert#*-source/}"
- if ! declare -px BW_SESSION >/dev/null 2>&1; then
- BW_SESSION="$(bw unlock --raw || bw login --raw)"
- export BW_SESSION
- fi
+ if [[ $# -eq 2 ]]; then
+ ca_key="$2"
+ else
+ if ! declare -px BW_SESSION >/dev/null 2>&1; then
+ BW_SESSION="$(bw unlock --raw || bw login --raw)"
+ export BW_SESSION
+ fi
- ca_key="$(mktemp)"
- chmod 600 "$ca_key"
- trap 'rm -f "$ca_key"' EXIT
- bw get notes 'nebula ca-key' > "$ca_key"
+ ca_key="$(mktemp)"
+ chmod 600 "$ca_key"
+ trap 'rm -f "$ca_key"' EXIT
+ bw get notes 'nebula ca-key' > "$ca_key"
+ fi
 rm -f "$host_cert"
 nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"
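Review bot: In the second hunk's new `$# -eq 2` branch, `ca_key="$2"` is taken as given, and the unchanged `rm -f "$host_cert"` further down still runs before `nebula-cert sign`. A mistyped or unreadable key path therefore removes the existing host certificate, and the signing step that should replace it will presumably fail. Add a guard right after the assignment, `[[ -r "$ca_key" ]] || { echo "CA key not readable: $ca_key" >&2; exit 1; }`, or sign to a temporary output and move it over `$host_cert` only on success. A short comment would also help here: `# caller-supplied key file is never removed by this script; keep it mode 600 and outside the repo`, since the `trap` cleanup (rightly) covers only the Bitwarden temp file. The `text` body starts and ends outside the hunk.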