#!/usr/bin/env bash
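# fail on errors
set -euo pipefail

# operate from root of repository (this script lives one level below it)
SCRIPT_DIR="$(dirname "$0")"
ROOT_DIR="$(realpath "$SCRIPT_DIR/..")"
pushd "$ROOT_DIR" > /dev/null

# constants
# KEY_PATH is written in plaintext by nebula-cert and only encrypted later
# by sops, so it must never be left around unencrypted.
readonly KEY_PATH="./secrets/ca.key"
readonly CRT_PATH="./nixos/keys/ca.crt"

# move old files
# An existing "*.old" backup is overwritten. If generation below fails the
# script aborts (set -e) and the ".old" files are the only copies left —
# restore them by hand.
# NOTE(review): the backups stay next to the live files; confirm nothing
# deploys ./nixos/keys/ wholesale and picks up ca.crt.old.
[[ ! -f "$KEY_PATH" ]] || mv -- "$KEY_PATH" "${KEY_PATH}.old"
[[ ! -f "$CRT_PATH" ]] || mv -- "$CRT_PATH" "${CRT_PATH}.old"

# generate ca
nebula-cert ca \
  -duration 35040h0m0s \
  -name minfra \
  -networks 10.13.0.0/16 \
  -out-crt "$CRT_PATH" \
  -out-key "$KEY_PATH"

# The private key sits in plaintext on disk until sops encrypts it below;
# make sure no other local user can read it in the meantime (regardless of
# what mode nebula-cert itself chose).
chmod 600 -- "$KEY_PATH"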
# encrypt ca key
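#######################################
# Cleanup handler for a failed `sops -i -e` on the CA key.
# Removes the plaintext key (and the cert that belongs to it) so an
# unencrypted CA key is never left behind, then aborts the script so the
# success message further down is not printed after a failed encryption.
# Globals:   KEY_PATH, CRT_PATH (read; both files removed)
# Outputs:   error message on stderr
# Returns:   does not return; exits with status 1
#######################################
encrypt_fail() {
  printf '%s\n' "failed to encrypt ca key with sops!" >&2
  # -f: do not fail (and mask the real error) if a file is already gone
  rm -f -- "$KEY_PATH" "$CRT_PATH"
  exit 1
}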
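# encrypt_fail removes the plaintext key; the explicit exit makes sure this
# script never reports success after a failed encryption, whatever status
# encrypt_fail itself returns.
sops -i -e "$KEY_PATH" || { encrypt_fail; exit 1; }

# done
popd >/dev/null
# printf instead of `echo -e`: portable, and no stray leading space on the
# second line from echo joining its arguments.
printf '%s\n%s\n' "Generated new VPN CA." "(Don't forget to regenerate node keys)"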