diff --git a/flake-parts/dev-shells.nix b/flake-parts/dev-shells.nix index 6d8ac6a..ebc5ad8 100644 --- a/flake-parts/dev-shells.nix +++ b/flake-parts/dev-shells.nix @@ -30,6 +30,7 @@ _: { pkgs.nebula pkgs.bitwarden-cli self'.packages.nebula-regen-host-cert + self'.packages.nebula-regen-all-host-certs ]; shellHook = '' diff --git a/flake-parts/scripts.nix b/flake-parts/scripts.nix index 62fecf0..c2a0782 100644 --- a/flake-parts/scripts.nix +++ b/flake-parts/scripts.nix @@ -1,13 +1,18 @@ { self, ... }: { perSystem = - { pkgs, lib, ... }: + { + self', + pkgs, + lib, + ... + }: { packages = "${self}/scripts" |> builtins.readDir |> lib.attrNames |> lib.map (name: name |> lib.removeSuffix ".nix") - |> self.lib.genAttrs (name: import "${self}/scripts/${name}.nix" { inherit pkgs; }); + |> self.lib.genAttrs (name: import "${self}/scripts/${name}.nix" { inherit self' pkgs lib; }); }; } diff --git a/scripts/install-anywhere.nix b/scripts/install-anywhere.nix index 10be289..17e5c0b 100644 --- a/scripts/install-anywhere.nix +++ b/scripts/install-anywhere.nix @@ -1,4 +1,4 @@ -{ pkgs }: +{ pkgs, ... }: pkgs.writeShellApplication { name = "install-anywhere"; @@ -17,6 +17,7 @@ pkgs.writeShellApplication { host="$1" destination="$2" root="$(mktemp --directory)" + trap 'rm -rf "$root"' EXIT impermanence="$(nix eval ".#nixosConfigurations.$host.config.custom.persistence.enable")" if [ "$impermanence" = true ]; then @@ -51,7 +52,5 @@ pkgs.writeShellApplication { --extra-files "$root" \ --flake ".#$host" \ --target-host "$destination" - - rm -rf "$root" ''; } diff --git a/scripts/nebula-regen-all-host-certs.nix b/scripts/nebula-regen-all-host-certs.nix new file mode 100644 index 0000000..469d25b --- /dev/null +++ b/scripts/nebula-regen-all-host-certs.nix 
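Review bot: In the install-anywhere hunk, the new `trap 'rm -rf "$root"' EXIT` unlinks the staging directory but does not overwrite its contents, and `mktemp --directory` with no `--tmpdir` lands on the default `TMPDIR`, which is often persistent disk. If what gets staged into `$root` for `--extra-files` includes host secrets (inferred from the persistence branch and the `--extra-files "$root"` line; the staging code itself is outside the hunk), create the directory on a tmpfs instead: `root="$(mktemp --directory --tmpdir="''${XDG_RUNTIME_DIR:-/tmp}")"` (Nix-escaped form for the `''` string). The trap placement directly after `mktemp` is right, since it also covers the early exits `set -e` produces on a failed `nix eval`. The script body continues outside the hunk.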
@@ -0,0 +1,35 @@ +{ + self', + pkgs, + lib, + ... +}: +pkgs.writeShellApplication { + name = "nebula-regen-all-host-certs"; + + runtimeInputs = [ + pkgs.bitwarden-cli + pkgs.jq + ]; + + text = '' + hosts="$(nix eval .#nixosConfigurations --apply 'builtins.attrNames' --json | jq -r '.[]')" + + if ! declare -px BW_SESSION >/dev/null 2>&1; then + BW_SESSION="$(bw unlock --raw || bw login --raw)" + export BW_SESSION + fi + + ca_key="$(mktemp)" + chmod 600 "$ca_key" + trap 'rm -f "$ca_key"' EXIT + bw get notes 'nebula ca-key' > "$ca_key" + + for host in $hosts; do + echo "Regenerating certificate for $host..." + ${lib.getExe self'.packages.nebula-regen-host-cert} "$host" "$ca_key" + done + + echo "Done!" + ''; +} diff --git a/scripts/nebula-regen-host-cert.nix b/scripts/nebula-regen-host-cert.nix index 1d6e75d..bfac5c8 100644 --- a/scripts/nebula-regen-host-cert.nix +++ b/scripts/nebula-regen-host-cert.nix @@ -1,4 +1,4 @@ -{ pkgs }: +{ pkgs, ... }: pkgs.writeShellApplication { name = "nebula-regen-host-cert"; @@ -8,8 +8,8 @@ pkgs.writeShellApplication { ]; text = '' - if [[ $# -ne 1 ]]; then - echo "Usage: $0 " + if [[ $# -lt 1 ]] || [[ $# -gt 2 ]]; then + echo "Usage: $0 []" exit 1 fi 
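Review bot: The Nebula CA private key is written in plaintext to a file on the default `TMPDIR` (`ca_key="$(mktemp)"`), commonly persistent disk, and the `rm -f` trap only unlinks it; the `chmod 600` is redundant because `mktemp` already creates the file 0600. Prefer a tmpfs-backed path, `ca_key="$(mktemp --tmpdir="''${XDG_RUNTIME_DIR:-/tmp}")"`, and add a comment explaining the handoff: `# fetch the CA key once and pass the path down; nebula-regen-host-cert skips Bitwarden when given a key path`. Separately, `for host in $hosts` depends on word splitting of the jq output, and under `set -e` (the writeShellApplication default) the first failing host aborts the loop with no summary, leaving later hosts unregenerated; consider `readarray -t hosts < <(...)` and collecting failures per host rather than aborting.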
@@ -20,15 +20,19 @@ pkgs.writeShellApplication { host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")" host_cert="''${host_cert#*-source/}" - if ! declare -px BW_SESSION >/dev/null 2>&1; then - BW_SESSION="$(bw unlock --raw || bw login --raw)" - export BW_SESSION - fi + if [[ $# -eq 2 ]]; then + ca_key="$2" + else + if ! declare -px BW_SESSION >/dev/null 2>&1; then + BW_SESSION="$(bw unlock --raw || bw login --raw)" + export BW_SESSION + fi - ca_key="$(mktemp)" - chmod 600 "$ca_key" - trap 'rm -f "$ca_key"' EXIT - bw get notes 'nebula ca-key' > "$ca_key" + ca_key="$(mktemp)" + chmod 600 "$ca_key" + trap 'rm -f "$ca_key"' EXIT + bw get notes 'nebula ca-key' > "$ca_key" + fi rm -f "$host_cert" nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"
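Review bot: When a key path is supplied, `ca_key="$2"` is accepted without checking that it is readable, and the pre-existing `rm -f "$host_cert"` runs before `nebula-cert sign`, so a mistyped path deletes the current host certificate and then fails to produce a replacement. Add `[[ -r "$ca_key" ]] || { echo "CA key not readable: $ca_key" >&2; exit 1; }` directly after the assignment. Installing the trap only in the else branch is correct (a caller-supplied key file must not be deleted), but it reads like a missed cleanup; a comment such as `# the caller owns a supplied key file; only remove the copy fetched from Bitwarden` would prevent someone "fixing" it. The shell text continues past the end of the hunk.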