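#!/usr/bin/env bash
# Sign a Nebula host certificate for <host>.sourcephile.fr using the CA key
# kept encrypted next to this script (ca.key.gpg).
#
# Usage: sign.sh <host> <num>
#   host  DNS label of the node: the certificate name is "$host.sourcephile.fr"
#         and the node's public key is read from "<scriptdir>/$host.pub"
#   num   last octet of the node's overlay address, 10.0.0.<num>/16
#
# Requires: gpg (able to decrypt ca.key.gpg), nix (provides nebula-cert),
#           shred, and a tmpfs at /dev/shm for the decrypted CA key.
# Outputs:  "<scriptdir>/$host.crt"
set -eux

# Resolve the script's own directory. The former "${0%/*}" returns $0 unchanged
# when the script is invoked without a slash (e.g. found via PATH), which would
# make "$dir/ca.key.gpg" point at "sign.sh/ca.key.gpg".
dir=$(dirname -- "$0")

usage() {
  printf 'usage: %s <host> <num>\n' "${0##*/}" >&2
  exit 2
}

# Both arguments end up in file paths and in the certificate itself, so refuse
# anything that is not a plain DNS label / small integer before touching the CA.
host=${1:?usage: sign.sh <host> <num>}
num=${2:?usage: sign.sh <host> <num>}
if [[ ! "$host" =~ ^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$ ]]; then
  printf 'sign.sh: invalid host label: %s\n' "$host" >&2
  usage
fi
# No leading zeros: the value is spliced verbatim into the -ip argument.
if [[ ! "$num" =~ ^[1-9][0-9]{0,2}$ ]] || (( num > 254 )); then
  printf 'sign.sh: num must be 1..254, got: %s\n' "$num" >&2
  usage
fi

umask 177
# The decrypted CA key lives only on tmpfs and is scrubbed on every exit path,
# including a failed gpg or nebula-cert below.
caKey=$(mktemp /dev/shm/secret.XXXXXXX)
trap 'chmod 600 -- "$caKey"; shred --remove=unlink -- "$caKey"' EXIT
gpg --batch --decrypt "$dir/ca.key.gpg" > "$caKey"

nix shell nixpkgs#nebula -c \
  nebula-cert sign \
    -name "$host.sourcephile.fr" \
    -ip "10.0.0.${num}/16" \
    --groups "sourcephile,intra" \
    -ca-crt "$dir/ca.crt" \
    -ca-key "$caKey" \
    -in-pub "$dir/$host.pub" \
    -out-crt "$dir/$host.crt"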