scripts: Use trap to clean up temp directory

flake-parts/dev-shells.nix

@@ -30,6 +30,7 @@ _: {
             pkgs.nebula
             pkgs.bitwarden-cli
             self'.packages.nebula-regen-host-cert
+            self'.packages.nebula-regen-all-host-certs
           ];
 
           shellHook = ''

flake-parts/scripts.nix

@@ -1,13 +1,18 @@
 { self, ... }:
 {
   perSystem =
-    { pkgs, lib, ... }:
+    {
+      self',
+      pkgs,
+      lib,
+      ...
+    }:
     {
       packages =
         "${self}/scripts"
         |> builtins.readDir
         |> lib.attrNames
         |> lib.map (name: name |> lib.removeSuffix ".nix")
-        |> self.lib.genAttrs (name: import "${self}/scripts/${name}.nix" { inherit pkgs; });
+        |> self.lib.genAttrs (name: import "${self}/scripts/${name}.nix" { inherit self' pkgs lib; });
     };
 }

scripts/install-anywhere.nix

@@ -1,4 +1,4 @@
-{ pkgs }:
+{ pkgs, ... }:
 pkgs.writeShellApplication {
   name = "install-anywhere";
 
@@ -17,6 +17,7 @@ pkgs.writeShellApplication {
     host="$1"
     destination="$2"
     root="$(mktemp --directory)"
+    trap 'rm -rf "$root"' EXIT
 
     impermanence="$(nix eval ".#nixosConfigurations.$host.config.custom.persistence.enable")"
     if [ "$impermanence" = true ]; then
@@ -51,7 +52,5 @@ pkgs.writeShellApplication {
       --extra-files "$root" \
       --flake ".#$host" \
       --target-host "$destination"
-
-    rm -rf "$root"
   '';
 }

scripts/nebula-regen-all-host-certs.nix

@@ -0,0 +1,35 @@
+{
+  self',
+  pkgs,
+  lib,
+  ...
+}:
+pkgs.writeShellApplication {
+  name = "nebula-regen-all-host-certs";
+
+  runtimeInputs = [
+    pkgs.bitwarden-cli
+    pkgs.jq
+  ];
+
+  text = ''
+    hosts="$(nix eval .#nixosConfigurations --apply 'builtins.attrNames' --json | jq -r '.[]')"
+
+    if ! declare -px BW_SESSION >/dev/null 2>&1; then
+      BW_SESSION="$(bw unlock --raw || bw login --raw)"
+      export BW_SESSION
+    fi
+
+    ca_key="$(mktemp)"
+    chmod 600 "$ca_key"
+    trap 'rm -f "$ca_key"' EXIT
+    bw get notes 'nebula ca-key' > "$ca_key"
+
+    for host in $hosts; do
+      echo "Regenerating certificate for $host..."
+      ${lib.getExe self'.packages.nebula-regen-host-cert} "$host" "$ca_key"
+    done
+
+    echo "Done!"
+  '';
+}

scripts/nebula-regen-host-cert.nix

@@ -1,4 +1,4 @@
-{ pkgs }:
+{ pkgs, ... }:
 pkgs.writeShellApplication {
   name = "nebula-regen-host-cert";
 
@@ -8,8 +8,8 @@ pkgs.writeShellApplication {
   ];
 
   text = ''
-    if [[ $# -ne 1 ]]; then
-      echo "Usage: $0 <host>"
+    if [[ $# -lt 1 ]] || [[ $# -gt 2 ]]; then
+      echo "Usage: $0 <host> [<ca-key-path>]"
       exit 1
     fi
 
@@ -20,6 +20,9 @@ pkgs.writeShellApplication {
     host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
     host_cert="''${host_cert#*-source/}"
 
+    if [[ $# -eq 2 ]]; then
+      ca_key="$2"
+    else
       if ! declare -px BW_SESSION >/dev/null 2>&1; then
         BW_SESSION="$(bw unlock --raw || bw login --raw)"
         export BW_SESSION
@@ -29,6 +32,7 @@ pkgs.writeShellApplication {
       chmod 600 "$ca_key"
       trap 'rm -f "$ca_key"' EXIT
       bw get notes 'nebula ca-key' > "$ca_key"
+    fi
 
     rm -f "$host_cert"
     nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"