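#!/usr/bin/env bash
#
# Issue a Nebula host certificate/key pair signed by the repository CA.
#
# Usage: <script> -n|--name <name> -h|--network <cidr> [-i|--internal]
#   -n|--name     certificate name; also used as the output file base name
#   -h|--network  host address in CIDR form (must match the lighthouse network)
#   -i|--internal put the host in the "internal" group
#   (note: -h is --network here, not --help; kept for compatibility)
#
# The CA private key lives sops-encrypted at ./secrets/ca.key. It is decrypted
# to a scratch file only for the duration of `nebula-cert sign` and removed on
# every exit path (success, failure, interrupt) by an EXIT trap.
# Outputs <name>.crt and <name>.key are written to the repository root.

# fail on errors, on unset variables, and on failures inside pipelines
set -euo pipefail

die() {
  echo -e >&2 "$@"
  exit 1
}

# defaults for inputs (needed so `set -u` does not trip on unset options)
I_NAME=""
I_NETWORK=""
I_GROUPS=""

# read arguments
while [[ $# -gt 0 ]]; do
  case "$1" in
    -n|--name)
      [[ $# -ge 2 ]] || die "error: $1 requires a value"
      I_NAME="$2"
      shift 2 # past argument and value
      ;;
    -h|--network)
      [[ $# -ge 2 ]] || die "error: $1 requires a value"
      I_NETWORK="$2"
      shift 2 # past argument and value
      ;;
    -i|--internal)
      I_GROUPS="internal"
      shift # past argument
      ;;
    *)
      # unknown arguments are silently ignored (existing behaviour)
      shift # past argument
      ;;
  esac
done

# check arguments
if [[ -z "$I_NAME" || -z "$I_NETWORK" ]]; then
  die "usage: $0 -n|--name <name> -h|--network <network> [-i|--internal]\n" \
    "+ note: network cidr should match lighthouse.\n" \
    "+ ex: for an ip of 10.13.1.1, use 10.13.1.1/16"
fi
# the name becomes the output file base name inside the repository root;
# refuse path separators so a name cannot steer the key/cert elsewhere
[[ "$I_NAME" != */* ]] || die "error: name must not contain '/'"

# required external tools
for tool in sops nebula-cert realpath; do
  command -v "$tool" >/dev/null 2>&1 \
    || die "error: required tool '$tool' not found in PATH"
done

# operate from root of repository
SCRIPT_DIR="$(dirname "$0")"
ROOT_DIR="$(realpath "$SCRIPT_DIR/..")"
pushd "$ROOT_DIR" > /dev/null

# constants
readonly CA_KEY_PATH="./secrets/ca.key"
readonly CA_CRT_PATH="./nixos/keys/ca.crt"
# absolute on purpose: the EXIT trap below may run after popd, when a
# path relative to the repository root would no longer resolve
readonly CA_KEY_DECR_PATH="$ROOT_DIR/secrets/.decrypted~ca.key"
readonly CERT_DURATION="17520h0m0s" # 2 years

# output (relative to the repository root, see pushd above)
OUT_CRT_PATH="${I_NAME}.crt"
OUT_KEY_PATH="${I_NAME}.key"

# Remove the plaintext CA key on every exit path. Without this, a failing
# `nebula-cert sign` (or a Ctrl-C) would leave the decrypted CA key on disk.
cleanup() {
  rm -f -- "$CA_KEY_DECR_PATH"
}
trap cleanup EXIT

# decrypt ca
# umask is scoped to the subshell so the plaintext key is created owner-only
# without changing the permissions of the (public) certificate written later
echo "Decrypting CA.."
(umask 077; sops -d --output "$CA_KEY_DECR_PATH" "$CA_KEY_PATH")

# generate key
echo "Generating keys.."
nebula-cert sign \
  -duration "$CERT_DURATION" \
  -name "$I_NAME" \
  -networks "$I_NETWORK" \
  -groups "$I_GROUPS" \
  -ca-crt "$CA_CRT_PATH" \
  -ca-key "$CA_KEY_DECR_PATH" \
  -out-crt "$OUT_CRT_PATH" \
  -out-key "$OUT_KEY_PATH"
# the host private key is a secret; do not rely on the tool's default mode
chmod 600 -- "$OUT_KEY_PATH"

# delete decrypted key (eagerly; the EXIT trap is only the safety net)
echo "Removing decrypted CA.."
rm -- "$CA_KEY_DECR_PATH"

# we are done
popd >/dev/null
echo "Wrote $ROOT_DIR/$OUT_CRT_PATH and $ROOT_DIR/$OUT_KEY_PATH"
echo -e "Generated VPN keys.\n" \
  "(Delete *.key file once it's added as a secret)"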