Sign all mullvad nodes for use in a locked tailnet.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
# Strict mode: abort on an unhandled command failure (errexit), on expansion
# of an unset variable (nounset), and when any stage of a pipeline fails
# (pipefail).
set -o errexit -o nounset -o pipefail
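# Print an error message to stderr and abort the script with status 1.
# Arguments: $@ - message words, joined with single spaces
# Outputs:   the message on stderr, nothing on stdout
# printf is used rather than echo so that a message such as "-n" or "-e" is
# printed literally instead of being taken as an echo option.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}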
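# Confirmation gate. Every signature issued below tells the locked tailnet to
# trust one more node key, so nothing happens without the exact phrase.
echo "This script will blindly sign all nodes with name '*.mullvad.ts.net.'."
# -r keeps backslashes in the typed answer literal.
read -r -p "If you wish to proceed, please enter 'Yes, I wish to proceed': " confirm
case "$confirm" in
  "Yes, I wish to proceed") echo "Confirmed." ;;
  *) die "Exiting." ;;
esac

# Take one snapshot of the lock state; every later decision reads from it.
ts_lock_json=$(tailscale lock status --json)

# jq -e turns the value of .Enabled into the exit status; its true/false
# output is not needed, so it is discarded.
jq -e '.Enabled' <<< "$ts_lock_json" > /dev/null || die "Tailnet lock is disabled!"

# '// empty' turns a missing or null key into an empty string, so the script
# stops here instead of passing the literal text "null" to the sign command.
public_key=$(jq -r '.PublicKey // empty' <<< "$ts_lock_json")
[[ -n "$public_key" ]] || die "No PublicKey in tailnet lock status!"
echo "Will sign mullvad nodes with $public_key"
sleep 1
echo "----------------------------------------"

# Loop through unsigned nodes, one compact JSON object per line.
# '(.FilteredPeers // [])[]' yields nothing when the list is absent or null
# (instead of a jq error) and also parses on jq releases older than 1.7, which
# reject the '.FilteredPeers.[]' spelling.
# IFS= and -r keep each JSON line intact (no backslash processing or trimming).
jq -c '(.FilteredPeers // [])[]' <<< "$ts_lock_json" | while IFS= read -r peer; do
  name=$(jq -r '.Name' <<< "$peer")
  # The name must END with the Mullvad suffix. The previous unanchored regex
  # accepted any name that merely contained it, and its unquoted leading '.'
  # matched any character.
  # NOTE(review): the name is whatever the status output reports, so this is
  # a filter and not an identity check. Review the list printed by the script
  # before relying on it.
  if [[ "$name" != *.mullvad.ts.net. ]]; then
    echo "$name is not a Mullvad node, skipping"
    continue
  fi
  nodekey=$(jq -r '.NodeKey // empty' <<< "$peer")
  if [[ -z "$nodekey" ]]; then
    echo >&2 "$name has no NodeKey in the lock status, skipping"
    continue
  fi
  echo "Signing $name ($nodekey) with $public_key"
  # stdin comes from /dev/null so the command cannot consume the remaining
  # peer lines that this loop is reading from the pipe.
  tailscale lock sign "$nodekey" "$public_key" < /dev/null
done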