From d45f8cd2972253741c42584720c59a07c0034564 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Thu, 5 Feb 2026 21:59:54 +0100
Subject: [PATCH 1/3] scripts: Let `nebula-regen-host-cert` optionally accept the ca key as an argument

---
 scripts/nebula-regen-host-cert.nix | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/scripts/nebula-regen-host-cert.nix b/scripts/nebula-regen-host-cert.nix
index 1d6e75d..4e706f8 100644
--- a/scripts/nebula-regen-host-cert.nix
+++ b/scripts/nebula-regen-host-cert.nix
@@ -8,8 +8,8 @@ pkgs.writeShellApplication {
 ];
 
 text = ''
- if [[ $# -ne 1 ]]; then
- echo "Usage: $0 "
+ if [[ $# -lt 1 ]] || [[ $# -gt 2 ]]; then
+ echo "Usage: $0 []"
 exit 1
 fi
 
@@ -20,15 +20,19 @@ pkgs.writeShellApplication {
 host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
 host_cert="''${host_cert#*-source/}"
 
- if ! declare -px BW_SESSION >/dev/null 2>&1; then
- BW_SESSION="$(bw unlock --raw || bw login --raw)"
- export BW_SESSION
- fi
+ if [[ $# -eq 2 ]]; then
+ ca_key="$2"
+ else
+ if ! declare -px BW_SESSION >/dev/null 2>&1; then
+ BW_SESSION="$(bw unlock --raw || bw login --raw)"
+ export BW_SESSION
+ fi
 
- ca_key="$(mktemp)"
- chmod 600 "$ca_key"
- trap 'rm -f "$ca_key"' EXIT
- bw get notes 'nebula ca-key' > "$ca_key"
+ ca_key="$(mktemp)"
+ chmod 600 "$ca_key"
+ trap 'rm -f "$ca_key"' EXIT
+ bw get notes 'nebula ca-key' > "$ca_key"
+ fi
 
 rm -f "$host_cert"
 nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"

From 2c76d2369291a002c1c66e959ef5e834f17345f8 Mon Sep 17 00:00:00 2001
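Review bot: The new usage line `echo "Usage: $0 []"` is printed to stdout although the script then exits 1; write it as `echo "Usage: ..." >&2` so a caller that captures output does not receive the usage text as a result. The argument placeholders after `$0` appear to have been lost in this rendering of the patch, so I cannot tell whether the message names the new second argument; since `$2` is later used as `-ca-key`, the message should say it is an optional path to the CA key file.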
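Review bot: In the new `[[ $# -eq 2 ]]` branch the caller-supplied `$2` is taken as `ca_key` without any check, and `rm -f "$host_cert"` a few lines later deletes the existing host certificate before `nebula-cert sign` runs, so a wrong or unreadable path leaves that host with no certificate at all. Validate before anything destructive, e.g. `[[ -r "$2" ]] || { echo "CA key not readable: $2" >&2; exit 1; }` as the first line of that branch. This branch also installs no `trap`, so the caller remains responsible for the key file's lifetime; a one-line comment such as `# caller-supplied key: not removed on exit` would make that contract explicit. The `text` block continues outside the hunk.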
From: SebastianStork
Date: Thu, 5 Feb 2026 22:08:33 +0100
Subject: [PATCH 2/3] scripts: Add `nebula-regen-all-host-certs`

---
 flake-parts/dev-shells.nix | 1 +
 flake-parts/scripts.nix | 9 ++++++--
 scripts/install-anywhere.nix | 2 +-
 scripts/nebula-regen-all-host-certs.nix | 30 +++++++++++++++++++++++++
 scripts/nebula-regen-host-cert.nix | 2 +-
 5 files changed, 40 insertions(+), 4 deletions(-)
 create mode 100644 scripts/nebula-regen-all-host-certs.nix

diff --git a/flake-parts/dev-shells.nix b/flake-parts/dev-shells.nix
index 6d8ac6a..ebc5ad8 100644
--- a/flake-parts/dev-shells.nix
+++ b/flake-parts/dev-shells.nix
@@ -30,6 +30,7 @@ _: {
 pkgs.nebula
 pkgs.bitwarden-cli
 self'.packages.nebula-regen-host-cert
+ self'.packages.nebula-regen-all-host-certs
 ];
 
 shellHook = ''
diff --git a/flake-parts/scripts.nix b/flake-parts/scripts.nix
index 62fecf0..c2a0782 100644
--- a/flake-parts/scripts.nix
+++ b/flake-parts/scripts.nix
@@ -1,13 +1,18 @@
 { self, ... }:
 {
 perSystem =
- { pkgs, lib, ... }:
+ {
+ self',
+ pkgs,
+ lib,
+ ...
+ }:
 {
 packages =
 "${self}/scripts"
 |> builtins.readDir
 |> lib.attrNames
 |> lib.map (name: name |> lib.removeSuffix ".nix")
- |> self.lib.genAttrs (name: import "${self}/scripts/${name}.nix" { inherit pkgs; });
+ |> self.lib.genAttrs (name: import "${self}/scripts/${name}.nix" { inherit self' pkgs lib; });
 };
 }
diff --git a/scripts/install-anywhere.nix b/scripts/install-anywhere.nix
index 10be289..ca0b4f2 100644
--- a/scripts/install-anywhere.nix
+++ b/scripts/install-anywhere.nix
@@ -1,4 +1,4 @@
-{ pkgs }:
+{ pkgs , ...}:
 pkgs.writeShellApplication {
 name = "install-anywhere";
 
diff --git a/scripts/nebula-regen-all-host-certs.nix b/scripts/nebula-regen-all-host-certs.nix
new file mode 100644
index 0000000..db09d6c
--- /dev/null
+++ b/scripts/nebula-regen-all-host-certs.nix
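Review bot: With the changed call `import "${self}/scripts/${name}.nix" { inherit self' pkgs lib; }`, every file under `scripts/` must now tolerate the extra attributes — this commit adds `...` to both existing scripts, but a future script written with a strict `{ pkgs }:` pattern would make the whole `packages` set fail to evaluate, not just that one package. A short comment above the `genAttrs` line, `# every scripts/*.nix must accept { self', pkgs, lib, ... }`, would document that contract where the next author will see it.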
@@ -0,0 +1,30 @@
+{ self', pkgs, lib, ... }:
+pkgs.writeShellApplication {
+ name = "nebula-regen-all-host-certs";
+
+ runtimeInputs = [
+ pkgs.bitwarden-cli
+ pkgs.jq
+ ];
+
+ text = ''
+ hosts="$(nix eval .#nixosConfigurations --apply 'builtins.attrNames' --json | jq -r '.[]')"
+
+ if ! declare -px BW_SESSION >/dev/null 2>&1; then
+ BW_SESSION="$(bw unlock --raw || bw login --raw)"
+ export BW_SESSION
+ fi
+
+ ca_key="$(mktemp)"
+ chmod 600 "$ca_key"
+ trap 'rm -f "$ca_key"' EXIT
+ bw get notes 'nebula ca-key' > "$ca_key"
+
+ for host in $hosts; do
+ echo "Regenerating certificate for $host..."
+ ${lib.getExe self'.packages.nebula-regen-host-cert} "$host" "$ca_key"
+ done
+
+ echo "Done!"
+ '';
+}
diff --git a/scripts/nebula-regen-host-cert.nix b/scripts/nebula-regen-host-cert.nix
index 4e706f8..bfac5c8 100644
--- a/scripts/nebula-regen-host-cert.nix
+++ b/scripts/nebula-regen-host-cert.nix
@@ -1,4 +1,4 @@
-{ pkgs }:
+{ pkgs, ... }:
 pkgs.writeShellApplication {
 name = "nebula-regen-host-cert";
 

From ec0d5b839ed7cf9ca9cff24180821cfd636b5248 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Thu, 5 Feb 2026 22:55:20 +0100
Subject: [PATCH 3/3] scripts: Use trap to clean up temp directory

---
 scripts/install-anywhere.nix | 5 ++---
 scripts/nebula-regen-all-host-certs.nix | 7 ++++++-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/scripts/install-anywhere.nix b/scripts/install-anywhere.nix
index ca0b4f2..17e5c0b 100644
--- a/scripts/install-anywhere.nix
+++ b/scripts/install-anywhere.nix
@@ -1,4 +1,4 @@
-{ pkgs , ...}:
+{ pkgs, ... }:
 pkgs.writeShellApplication {
 name = "install-anywhere";
 
@@ -17,6 +17,7 @@ pkgs.writeShellApplication {
 host="$1"
 destination="$2"
 root="$(mktemp --directory)"
+ trap 'rm -rf "$root"' EXIT
 impermanence="$(nix eval ".#nixosConfigurations.$host.config.custom.persistence.enable")"
 
 if [ "$impermanence" = true ]; then
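Review bot: `for host in $hosts; do` depends on unquoted word splitting of the `nix eval ... | jq -r '.[]'` output, and because `writeShellApplication` scripts run with `set -e`, the first host whose regeneration fails aborts the loop — by then `nebula-regen-host-cert` (patch 1) has already removed that host's old certificate, the remaining hosts are skipped, and nothing reports which hosts were done. Reading the names with `mapfile -t` and iterating the array removes the splitting, and collecting failures instead of aborting gives the operator a complete picture and a non-zero exit at the end; note that inside the Nix `''` string bash's `${...}` has to be written `''${...}`, as the existing `host_cert="''${host_cert#*-source/}"` already does. `chmod 600 "$ca_key"` duplicates the mode `mktemp` already creates the file with, which is harmless but worth a comment if it is meant as belt-and-braces.

```nix
    mapfile -t hosts < <(nix eval .#nixosConfigurations --apply 'builtins.attrNames' --json | jq -r '.[]')
    # … unchanged: BW_SESSION setup and ca_key temp file …
    failed=()
    for host in "''${hosts[@]}"; do
      echo "Regenerating certificate for $host..."
      ${lib.getExe self'.packages.nebula-regen-host-cert} "$host" "$ca_key" || failed+=("$host")
    done

    if (( ''${#failed[@]} > 0 )); then
      echo "Failed for: ''${failed[*]}" >&2
      exit 1
    fi
    echo "Done!"
```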
@@ -51,7 +52,5 @@ pkgs.writeShellApplication {
 --extra-files "$root" \
 --flake ".#$host" \
 --target-host "$destination"
-
- rm -rf "$root"
 '';
 }
diff --git a/scripts/nebula-regen-all-host-certs.nix b/scripts/nebula-regen-all-host-certs.nix
index db09d6c..469d25b 100644
--- a/scripts/nebula-regen-all-host-certs.nix
+++ b/scripts/nebula-regen-all-host-certs.nix
@@ -1,4 +1,9 @@
-{ self', pkgs, lib, ... }:
+{
+ self',
+ pkgs,
+ lib,
+ ...
+}:
 pkgs.writeShellApplication {
 name = "nebula-regen-all-host-certs";