{
  lib,
  pkgs,
  ...
}: let
  # Helpers the two script generators below rely on.
  inherit (pkgs) writeShellScriptBin;
  inherit (builtins) attrNames;
  forEach = lib.lists.forEach;
  concatStringsSep = lib.strings.concatStringsSep;

  # Host table of the chaos-internal WireGuard network; only its `hosts`
  # attribute set is used here (one attribute per host name).
  wireguardHosts = (import ../data/chaosInternalWireGuard.nix).hosts;

  # Vault KV path under which a host's key pair is stored.
  kvPathForHost = host: "/private-public-keys/wireguard/chaos-internal/${host}";
in rec {
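initAllScript = writeShellScriptBin "wg-keys-init-all" (let
  vault = "${pkgs.vault-bin}/bin/vault";
  hostNames = attrNames wireguardHosts;
in ''
  # Usage: wg-keys-init-all <pubkeys.json>
  # Generates a fresh WireGuard key pair for every host in the host table,
  # stores each pair in Vault and records the public keys in <pubkeys.json>.
  # Any failing step aborts the run instead of silently continuing.
  set -euo pipefail

  PUBKEYS_FILE=''${1:-}
  if [ -z "$PUBKEYS_FILE" ]; then
    echo "please provide path to file with pubkeys" >&2
    exit 1
  fi

  # Write an empty record for every host first (presumably so the KV paths
  # exist before the per-host scripts run -- confirm with the maintainers).
  # Vault's stderr is no longer discarded: an unusable Vault session or a
  # missing write permission is reported here, before any key material is
  # generated, and stops the script.
  ${concatStringsSep "\n" (forEach hostNames (hostName: ''
    echo "{}" | ${vault} kv put "${kvPathForHost hostName}" -
  ''))}

  ${concatStringsSep "\n" (forEach hostNames (hostName: ''
    echo "Deploying keys for ${hostName}"
    "${genInitScript hostName}/bin/wg-keys-init-${hostName}" "$PUBKEYS_FILE"
  ''))}
'');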
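genInitScript = systemHostName: (writeShellScriptBin "wg-keys-init-${systemHostName}" (let
  vault = "${pkgs.vault-bin}/bin/vault";
  jq = "${pkgs.jq}/bin/jq";
  wg = "${pkgs.wireguard-tools}/bin/wg";
  kvPath = kvPathForHost systemHostName;
in ''
  # Usage: wg-keys-init-${systemHostName} <pubkeys.json>
  # Generates a WireGuard key pair for ${systemHostName}, stores
  # {"public": ..., "private": ...} in Vault at ${kvPath} and records the
  # public key under ".${systemHostName}" in <pubkeys.json>.
  set -euo pipefail

  PUBKEYS_FILE=''${1:-}
  if [ -z "$PUBKEYS_FILE" ]; then
    echo "please provide path to file with pubkeys" >&2
    exit 1
  fi

  PRIVATE=$(${wg} genkey)
  PUBLIC=$(printf '%s\n' "$PRIVATE" | ${wg} pubkey)

  # Build the record in memory and stream it straight into Vault, so the
  # private key is never written to a file on disk. --arg passes the key
  # values as JSON strings instead of splicing them into the filter text.
  # Vault's stderr stays visible and, with pipefail, a failed write aborts
  # the script before the public key is published -- previously the error
  # was hidden and the private key was lost while the public key went out.
  ${jq} -n --arg pub "$PUBLIC" --arg priv "$PRIVATE" \
    '{public: $pub, private: $priv}' \
    | ${vault} kv put "${kvPath}" -
  # Only the public half is echoed; the private key is not printed to the
  # terminal or any log that captures stdout.
  echo "Stored WireGuard key pair for ${systemHostName} in Vault; public key: $PUBLIC"

  # Record the public key. Start from an empty object when the file does not
  # exist yet, and write via a sibling temp file plus rename so a failing jq
  # cannot leave a truncated pubkeys file behind.
  if [ ! -f "$PUBKEYS_FILE" ]; then
    echo "{}" > "$PUBKEYS_FILE"
  fi
  TMP_FILE=$(mktemp "$PUBKEYS_FILE.XXXXXX")
  ${jq} --arg host "${systemHostName}" --arg pub "$PUBLIC" \
    '.[$host] = $pub' "$PUBKEYS_FILE" > "$TMP_FILE"
  mv "$TMP_FILE" "$PUBKEYS_FILE"
''));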
}