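#!/usr/bin/env bash
#
# Rotate the Nebula VPN certificate authority of this repository.
#
# Generates a fresh CA with nebula-cert (key under ./secrets, cert under
# ./nixos/keys), encrypts the private key in place with sops, and keeps the
# previous key/cert next to the new ones as "*.old". Always operates from the
# repository root, one level above this script's directory.
#
# Requires: nebula-cert, sops (with a usable sops key for ./secrets).
# Exit status: 0 on success, 1 when generation or encryption fails. On failure
# the plaintext key and the new cert are deleted and the previous CA files are
# moved back, so the repository is never left with an unencrypted CA key.

# fail on errors
set -euo pipefail

# operate from root of repository
SCRIPT_DIR="$(dirname "$0")"
ROOT_DIR="$(realpath "$SCRIPT_DIR/..")"
pushd "$ROOT_DIR" > /dev/null

# constants
readonly KEY_PATH="./secrets/ca.key"
readonly CRT_PATH="./nixos/keys/ca.crt"

#######################################
# Abort the rotation: report, remove the (possibly plaintext) new key and
# cert, restore the previous CA files and exit non-zero.
# Globals:   KEY_PATH, CRT_PATH (read)
# Arguments: $1 - message written to stderr
# Returns:   never returns; exits 1
#######################################
rotate_fail() {
  printf '%s\n' "$1" >&2
  # the new key may still be unencrypted at this point; never leave it behind
  rm -f -- "$KEY_PATH" "$CRT_PATH"
  [ ! -f "${KEY_PATH}.old" ] || mv -- "${KEY_PATH}.old" "$KEY_PATH"
  [ ! -f "${CRT_PATH}.old" ] || mv -- "${CRT_PATH}.old" "$CRT_PATH"
  exit 1
}

#######################################
# Failure handler for the sops step. The original handler returned 0 after
# deleting the files, so the script went on to report success.
#######################################
encrypt_fail() {
  rotate_fail "failed to encrypt ca key with sops!"
}

# move old files
[ ! -f "$KEY_PATH" ] || mv -- "$KEY_PATH" "${KEY_PATH}.old"
[ ! -f "$CRT_PATH" ] || mv -- "$CRT_PATH" "${CRT_PATH}.old"

# generate ca
nebula-cert ca \
  -duration 35040h0m0s \
  -name minfra \
  -networks 10.13.0.0/16 \
  -out-crt "$CRT_PATH" \
  -out-key "$KEY_PATH" \
  || rotate_fail "failed to generate ca with nebula-cert!"

# the key is plaintext until sops has run; restrict it to the owner meanwhile
chmod 600 -- "$KEY_PATH"

# encrypt ca key
sops -i -e "$KEY_PATH" || encrypt_fail

# done
popd > /dev/null
printf '%s\n%s\n' "Generated new VPN CA." "(Don't forget to regenerate node keys)"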