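#!/bin/bash
# Author: Landon Dyck
# Nebula CAs expire, and creating a new one is a hassle. This creates a new CA certificate,
# then recreates each certificate for the hosts in ansible/group_vars/all/nebula.yml. Once
# the new certificates are deployed, the old ones cannot be used. Caution should be taken
# to avoid breaking the network.
#
# The ansible/ paths below are relative, so they resolve against the current working
# directory, not against the directory this script lives in.
#
# Usage: $ ./nebula_new_ca.sh

# Abort on the first failure. Without this, a failed unlock or a failed
# `nebula-cert ca` would still fall through to the per-host signing loop and
# leave a mix of certificates that do not chain to the same CA.
set -euo pipefail

SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)
readonly SCRIPT_DIR
readonly create_cert="$SCRIPT_DIR/nebula_cert.sh"
readonly inventory=ansible/group_vars/all/nebula.yml

# ca.key is the trust root for every host certificate issued below.
# NOTE(review): it is written under the role's files/ directory; confirm that
# this path is kept encrypted or ignored in version control (unlock.sh
# presumably takes care of the decrypted working state -- verify).
readonly ca_key=ansible/roles/nebula/files/ca.key
readonly ca_crt=ansible/roles/nebula/files/ca.crt

# Print a message on stderr and stop the script.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

"$SCRIPT_DIR/unlock.sh"

# Check the inventory before touching the CA, so a wrong working directory
# cannot produce a new CA with no host certificates to match it.
[[ -f "$inventory" ]] || die "inventory not found: $inventory (run from the repository root?)"

# 26280h = 1095 days, i.e. roughly three years of CA validity.
# NOTE(review): nebula-cert may refuse to overwrite an existing CA key/cert;
# with errexit enabled the script now stops here in that case instead of
# re-issuing host certificates against the old CA.
nebula-cert ca \
  -duration 26280h \
  -name 'Code Monkey Software LLC' \
  -out-crt "$ca_crt" \
  -out-key "$ca_key"

# One client name per line; captured through a plain assignment so that a yq
# failure is caught by errexit (a process substitution would hide it).
client_list=$(yq '.nebula.clients | keys | .[]' "$inventory")
[[ -n "$client_list" ]] || die "no clients found under .nebula.clients in $inventory"
mapfile -t nebula_clients <<<"$client_list"

for client in "${nebula_clients[@]}"; do
  # Pass the name through the environment rather than splicing it into the
  # yq expression, so names containing '-' or '.' are looked up literally.
  ip=$(client="$client" yq '.nebula.clients[strenv(client)].ip' "$inventory")
  if [[ -z "$ip" || "$ip" == "null" ]]; then
    die "no ip configured for client '$client'; the new CA is already written, fix the inventory and re-run the host certificate step"
  fi
  "$create_cert" "$ip" "$client"
done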