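#!/bin/bash
# Author: Landon Dyck
# Generates and encrypts a new certificate for a nebula host. Calls unlock.sh so you don't
# have to enter your password twice, but will honor an unlock.sh called outside the script.
# Don't forget to add the host and ip address in ansible/group_vars/all/nebula.yml
#
# Usage: $ ./nebula_cert.sh ip_address hostname
# * ip_address: the ip address of the host. Make sure it's in the correct /24 network
# * hostname: the hostname of the host. If I need to explain more, you probably should
#   not use this
#
# Security notes:
# * The CA private key sits decrypted on disk while this script runs. An EXIT
#   handler re-encrypts it on every exit path (sign failure, Ctrl-C, TERM), so a
#   failed run does not leave ca.key in plaintext in the working tree.
# * Both arguments are validated before the CA is decrypted, because the
#   hostname becomes part of a file path and of the certificate name.
# * Only the exact files this script handles are passed to ansible-vault. A glob
#   such as certs/web.* would also match another host's certs/web.internal.key.

# Validate arguments before sourcing unlock.sh, so bad usage never triggers a
# password prompt. The positional parameters are left untouched because the
# sourced unlock.sh sees the same "$@" as this script.
if (( $# != 2 )); then
  printf 'Usage: %s ip_address hostname\n' "${0##*/}" >&2
  exit 2
fi

nc_ip_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
nc_host_re='^[A-Za-z0-9][A-Za-z0-9._-]*$'

# Coarse shape check only; nebula-cert does the real address parsing. It mainly
# catches swapped arguments before the CA key is touched.
if [[ ! $1 =~ $nc_ip_re ]]; then
  printf 'error: "%s" does not look like an IPv4 address\n' "$1" >&2
  exit 2
fi

# Allowlist: no "/", no leading "-", no whitespace and no glob characters, so
# the name cannot escape certs/ or be read as an option.
if [[ ! $2 =~ $nc_host_re ]]; then
  printf 'error: hostname "%s" may only contain letters, digits, ".", "_" and "-"\n' "$2" >&2
  exit 2
fi

# NOTE(review): unlock.sh is not visible here; its exit status is deliberately
# not checked, matching the original behaviour.
. "$(dirname -- "$0")/unlock.sh"

ip_address=$1
host_name=$2

ca_crt=roles/nebula/files/ca.crt
ca_key=roles/nebula/files/ca.key
client_key=roles/nebula/files/certs/$host_name.key
client_crt=roles/nebula/files/certs/$host_name.crt

# All paths above are relative to ansible/.
cd ansible/ || {
  printf 'error: cannot cd to ansible/ (run this from the repository root)\n' >&2
  exit 1
}

#######################################
# Report whether a file already carries the ansible-vault header.
# Arguments: $1 - path to inspect
# Returns:   0 if the first line starts with "$ANSIBLE_VAULT;", 1 otherwise
#            (including when the file is missing or unreadable)
#######################################
is_vaulted() {
  local first_line=
  [[ -r $1 ]] || return 1
  # read returns non-zero on a file without a trailing newline but still fills
  # the variable, so its status is ignored on purpose.
  IFS= read -r first_line < "$1" || true
  [[ $first_line == '$ANSIBLE_VAULT;'* ]]
}

#######################################
# Encrypt every given file that exists and is still plaintext.
# Files that are already vaulted are skipped, so calling this twice is safe.
# Arguments: $@ - paths to encrypt
# Returns:   0 if nothing needed encrypting, else the status of ansible-vault
#######################################
vault_lock() {
  local path
  local -a pending=()
  for path in "$@"; do
    if [[ -f $path ]] && ! is_vaulted "$path"; then
      pending+=("$path")
    fi
  done
  (( ${#pending[@]} > 0 )) || return 0
  ansible-vault encrypt "${pending[@]}"
}

vault_done=0

#######################################
# EXIT handler: make sure no key material is left in plaintext.
# Globals: vault_done, client_key, client_crt, ca_crt, ca_key (read)
# Returns: exits with the script's status, or 1 if re-encryption failed
#######################################
relock_on_exit() {
  local status=$?
  if (( ! vault_done )); then
    if ! vault_lock "$client_key" "$client_crt" "$ca_crt" "$ca_key"; then
      printf 'WARNING: re-encryption failed; check %s and %s for plaintext keys\n' \
        "$ca_key" "$client_key" >&2
      (( status != 0 )) || status=1
    fi
  fi
  exit "$status"
}

# NOTE(review): if unlock.sh installs its own EXIT/INT/TERM traps, these replace
# them - confirm against unlock.sh.
trap relock_on_exit EXIT
trap 'exit 130' INT
trap 'exit 143' TERM

# The trap is installed before decrypting, so a partial decrypt is re-locked too.
ansible-vault decrypt "$ca_crt" "$ca_key" || {
  printf 'error: could not decrypt the CA files\n' >&2
  exit 1
}

if ! nebula-cert sign \
  -ip "$ip_address/24" \
  -name "$host_name" \
  -out-key "$client_key" \
  -out-crt "$client_crt" \
  -ca-crt "$ca_crt" \
  -ca-key "$ca_key"; then
  # Skip the prompt and exit; the EXIT handler re-encrypts the CA.
  printf 'error: nebula-cert sign failed for %s\n' "$host_name" >&2
  exit 1
fi

# EOF on stdin falls through to encryption rather than leaving keys decrypted.
read -r -p "Press [Enter] key to complete encryption"

# Mark as handled first so the EXIT handler does not prompt a second time.
vault_done=1
if ! vault_lock "$client_key" "$client_crt" "$ca_crt" "$ca_key"; then
  printf 'WARNING: encryption failed; check %s and %s for plaintext keys\n' \
    "$ca_key" "$client_key" >&2
  exit 1
fi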