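#!/usr/bin/env bash
# Sign a Nebula host certificate with the GPG-encrypted CA key that lives next
# to this script, then verify the new certificate against the CA certificate.
#
# Usage: sign.sh HOST NUM [GROUPS]
#   HOST    short hostname; the certificate name is HOST.sourcephile.fr and
#           HOST.pub (input) / HOST.crt (output) are looked up in the script dir
#   NUM     last octet of the host address 10.0.0.NUM/16 (1..255)
#   GROUPS  optional comma-separated groups appended to "sourcephile,intra"
#
# Files read from the script directory: ca.key.gpg, ca.crt, HOST.pub
# File written there: HOST.crt
#
# The decrypted CA key exists only in a 0600 tmpfs file that is shredded by the
# EXIT trap on every exit path, including failures under `set -e`.

die() { printf '%s\n' "$*" >&2; exit 1; }
usage() { die "usage: ${0##*/} HOST NUM [GROUPS]"; }

# ${0%/*} leaves $0 unchanged when the script is invoked without a slash
# ("sign.sh"), so the CA files would then be looked up under a bogus path.
dir=$(dirname -- "$0")
set -eux

# Check the argument count ourselves so the caller gets a usage line instead
# of the bare "unbound variable" error `set -u` would raise on $1/$2.
(( $# >= 2 && $# <= 3 )) || usage
host=$1
num=$2
groups=${3-}

# Validate every input BEFORE decrypting the CA key: HOST names files in $dir
# and becomes the certificate name, so it must be a single DNS label (no '/',
# '..' or whitespace); NUM must be a plain decimal octet (leading zeros would
# be read as octal by the arithmetic below, so they are rejected too).
[[ $host =~ ^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$ ]] \
  || die "host must be a single DNS label, got: $host"
if ! [[ $num =~ ^[1-9][0-9]{0,2}$ ]] || (( num > 255 )); then
  die "num must be an integer in 1..255, got: $num"
fi
[[ -r "$dir/$host.pub" ]] || die "missing host public key: $dir/$host.pub"
[[ -r "$dir/ca.crt" && -r "$dir/ca.key.gpg" ]] \
  || die "missing ca.crt or ca.key.gpg in $dir"

# Everything created from here on (including HOST.crt) is owner-only.
umask 177
caKey=$(mktemp /dev/shm/secret.XXXXXXX) || die "mktemp failed"

# Runs on any exit; the quoted path keeps the trap safe regardless of the
# characters mktemp returns.
cleanup() {
  chmod 600 "$caKey"
  shred --remove=unlink "$caKey"
}
trap cleanup EXIT

gpg --batch --decrypt "$dir/ca.key.gpg" > "$caKey"

#nix shell nixpkgs#nebula -c \
nebula-cert sign \
  -name "$host.sourcephile.fr" \
  -ip "10.0.0.${num}/16" \
  --groups "sourcephile,intra${groups:+,$groups}" \
  -ca-crt "$dir/ca.crt" \
  -ca-key "$caKey" \
  -in-pub "$dir/$host.pub" \
  -out-crt "$dir/$host.crt"
nebula-cert verify \
  -ca "$dir/ca.crt" \
  -crt "$dir/$host.crt"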