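#!/usr/bin/env bash
#
# Sign a Nebula VPN host certificate with the repository's sops-encrypted CA.
#
# Usage: $0 -n|--name NAME -h|--network CIDR [-i|--internal] [-d|--duration DUR]
#   -n|--name      host name; also used as the output file stem (NAME.crt, NAME.key)
#   -h|--network   host address in CIDR form (note: -h is NOT "help" here)
#   -i|--internal  put the host in the "internal" group
#   -d|--duration  certificate lifetime in Go duration syntax (default 17520h0m0s)
#
# The CA private key is decrypted to a plaintext file only for the duration of
# the `nebula-cert sign` call. An EXIT trap removes that file on every exit path
# (success, failure, interrupt), so a failed signing run no longer leaves the
# plaintext CA key behind on disk. Requires: sops, nebula-cert, realpath.

# fail on errors, unset variables, and failures inside pipelines
set -euo pipefail

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words (echo -e semantics: joined by spaces, escapes expanded)
#######################################
die() {
  echo -e >&2 "$@"
  exit 1
}

# argument defaults (initialised up front so `set -u` does not trip on a missing flag)
I_NAME=""
I_NETWORK=""
I_GROUPS=""
I_DURATION="17520h0m0s" # 2 years; the value that used to be hard-coded below

# read arguments
while [[ $# -gt 0 ]]; do
  case "$1" in
    -n|--name)
      [[ $# -ge 2 ]] || die "option $1 requires a value"
      I_NAME="$2"
      shift 2 # past argument and value
      ;;
    -h|--network)
      [[ $# -ge 2 ]] || die "option $1 requires a value"
      I_NETWORK="$2"
      shift 2 # past argument and value
      ;;
    -d|--duration)
      [[ $# -ge 2 ]] || die "option $1 requires a value"
      I_DURATION="$2"
      shift 2 # past argument and value
      ;;
    -i|--internal)
      I_GROUPS="internal"
      shift # past argument
      ;;
    *)
      shift # unknown arguments are silently ignored (existing behaviour)
      ;;
  esac
done

# check arguments
if [[ -z "$I_NAME" || -z "$I_NETWORK" ]]; then
  die "usage: $0 -n|--name -h|--network [-i|--internal] [-d|--duration]\n" \
    "+ note: network cidr should match lighthouse.\n" \
    "+ ex: for an ip of 10.13.1.1, use 10.13.1.1/16"
fi
# the name becomes a file stem in the repository root, so it must not carry a path
if [[ "$I_NAME" == */* ]]; then
  die "name must not contain '/': $I_NAME"
fi

# operate from root of repository
SCRIPT_DIR="$(dirname -- "$0")"
ROOT_DIR="$(realpath -- "$SCRIPT_DIR/..")"
cd -- "$ROOT_DIR" || die "cannot cd to $ROOT_DIR"

# constants (absolute so the cleanup trap works regardless of the current directory)
readonly CA_KEY_PATH="$ROOT_DIR/secrets/ca.key"
readonly CA_CRT_PATH="$ROOT_DIR/nixos/keys/ca.crt"
readonly CA_KEY_DECR_PATH="$ROOT_DIR/secrets/.decrypted~ca.key"

# output (written to the repository root)
OUT_CRT_PATH="${I_NAME}.crt"
OUT_KEY_PATH="${I_NAME}.key"

#######################################
# Remove the decrypted CA key. Registered on EXIT before decryption so the
# plaintext key never outlives this script, even if nebula-cert fails.
# Globals: CA_KEY_DECR_PATH (read)
#######################################
cleanup() {
  rm -f -- "$CA_KEY_DECR_PATH"
}
trap cleanup EXIT

# every file created from here on (plaintext CA key, new host key) is created
# owner-only; nebula-cert may already restrict its key output, but the umask
# makes that independent of the tool's defaults
umask 077

# decrypt ca
echo "Decrypting CA.."
sops -d --output "$CA_KEY_DECR_PATH" "$CA_KEY_PATH"

# generate key
# -groups is passed even when empty, matching the tool's previous invocation
echo "Generating keys.."
nebula-cert sign \
  -duration "$I_DURATION" \
  -name "$I_NAME" \
  -networks "$I_NETWORK" \
  -groups "$I_GROUPS" \
  -ca-crt "$CA_CRT_PATH" \
  -ca-key "$CA_KEY_DECR_PATH" \
  -out-crt "$OUT_CRT_PATH" \
  -out-key "$OUT_KEY_PATH"

# delete decrypted key (the EXIT trap also covers the failure paths)
echo "Removing decrypted CA.."
rm -f -- "$CA_KEY_DECR_PATH"

# we are done
echo -e "Generated VPN keys.\n" \
  "(Delete *.key file once it's added as a secret)"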