]> Git — Sourcephile - sourcephile-nix.git/blob - share/nebula/sourcephile.fr/sign.sh
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
nebula: improve integration
[sourcephile-nix.git] / share / nebula / sourcephile.fr / sign.sh
1 #!/usr/bin/env bash
2 dir=${0%/*}
3 set -eux
4 host=$1
5 num=$2
6 groups=${3-}
7
8 umask 177
9 caKey=$(mktemp /dev/shm/secret.XXXXXXX)
10 trap 'chmod 600 $caKey; shred --remove=unlink $caKey' EXIT
11 gpg --batch --decrypt "$dir/ca.key.gpg" > "$caKey"
12
13 #nix shell nixpkgs#nebula -c \
14 nebula-cert sign \
15 -name "$host.sourcephile.fr" \
16 -ip "10.0.0.${num}/16" \
17 --groups "sourcephile,intra${groups:+,$groups}" \
18 -ca-crt "$dir/ca.crt" \
19 -ca-key "$caKey" \
20 -in-pub "$dir/$host.pub" \
21 -out-crt "$dir/$host.crt"
NixOS configurations for Sourcephile's infrastructure