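# Helper scripts for provisioning WireGuard key pairs into Vault.
#
# Two derivations are produced:
#   initAllScript        - `wg-keys-init-all`: iterates over every host listed in
#                          ../data/wireguard/chaosInternalWireGuard.nix and runs the
#                          per-host script for each of them.
#   genInitScript <host> - `wg-keys-init-<host>`: generates a fresh key pair, stores
#                          both halves under the host's Vault KV path and records the
#                          public key in the pubkeys JSON file given as $1.
#
# Note: `vault kv put` overwrites whatever is stored at the path, so running either
# script for a host that already has a key pair rotates that host's key.
{ lib, pkgs, ... }:
let
  inherit (pkgs) writeShellScriptBin;
  inherit (lib.lists) forEach;
  inherit (lib.strings) concatStringsSep;
  inherit (builtins) attrNames;

  wireguardData = import ../data/wireguard/chaosInternalWireGuard.nix;
  wireguardHosts = wireguardData.hosts;

  # Vault KV path under which a host's {public, private} key pair is stored.
  kvPathForHost = host: "/private-public-keys/wireguard/chaos-internal/${host}";

  # Shell preamble shared by both scripts: abort on the first failing command
  # (so a failed Vault write never leaves the pubkeys file claiming a key that
  # was not stored) and require the pubkeys file argument.
  # `''${1:-}` is needed rather than `$1` because `set -u` would otherwise
  # abort before the explicit check runs.
  argCheck = ''
    set -euo pipefail
    PUBKEYS_FILE=''${1:-}
    if [ -z "$PUBKEYS_FILE" ]; then
      echo "please provide path to file with pubkeys" >&2
      exit 1
    fi
  '';
in rec {
  initAllScript = writeShellScriptBin "wg-keys-init-all" (let
    vault = "${pkgs.vault-bin}/bin/vault";
  in ''
    ${argCheck}
    # Pre-create every host's KV entry with an empty document. This is
    # best-effort (kept from the original behaviour); the authoritative write
    # happens in the per-host script below.
    ${concatStringsSep "\n" (forEach (attrNames wireguardHosts) (hostName: ''
      echo "{}" | ${vault} kv put "${kvPathForHost hostName}" - >/dev/null \
        || echo "warning: could not pre-create ${kvPathForHost hostName}" >&2
    ''))}
    ${concatStringsSep "\n" (forEach (attrNames wireguardHosts) (hostName: ''
      echo "Deploying keys for ${hostName}"
      "${genInitScript hostName}/bin/wg-keys-init-${hostName}" "$PUBKEYS_FILE"
    ''))}
  '');

  # Per-host key generation. The private key only ever lives in shell
  # variables and the pipe to Vault: it is neither written to a temp file
  # (the original created one under mktemp -d and then `cat`ed the whole
  # document, private key included, to stdout) nor echoed to the terminal.
  genInitScript = systemHostName: (writeShellScriptBin "wg-keys-init-${systemHostName}" (let
    vault = "${pkgs.vault-bin}/bin/vault";
    jq = "${pkgs.jq}/bin/jq";
    wg = "${pkgs.wireguard-tools}/bin/wg";
    sponge = "${pkgs.moreutils}/bin/sponge";
  in ''
    ${argCheck}
    PRIVATE=$(${wg} genkey)
    PUBLIC=$(printf '%s\n' "$PRIVATE" | ${wg} pubkey)

    # Build the secret document in memory and stream it straight to Vault.
    # --arg is used instead of interpolating the keys into the jq filter so
    # the values are passed as data, not as filter syntax. Vault's stderr is
    # left visible so a failed write is diagnosable; with `set -e` a failure
    # aborts before the pubkeys file is touched.
    ${jq} -n --arg public "$PUBLIC" --arg private "$PRIVATE" \
      '{public: $public, private: $private}' \
      | ${vault} kv put "${kvPathForHost systemHostName}" -

    # Only the public half is reported; the private key stays out of logs.
    echo "Stored key pair for ${systemHostName} in Vault; public key: $PUBLIC"

    # Record the public key in the shared pubkeys file (rewritten in place).
    ${jq} --arg host "${systemHostName}" --arg public "$PUBLIC" \
      '.[$host] = $public' "$PUBKEYS_FILE" | ${sponge} "$PUBKEYS_FILE"
  ''));
}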