env.sh: implement prod cert generation
diff --git a/env.sh b/env.sh
index 206ae5b..d580d71 100644
--- a/env.sh
+++ b/env.sh
@@ -25,6 +25,48 @@
     )
 }
 
+hscloud-node-push-certs() {
+    (
+        set -e
+
+        if [ -z "$1" ]; then
+            echo >&2 "Usage: hscloud-node-push-certs node.fqdn.com"
+            exit 1
+        fi
+        fqdn="$1"
+
+        echo "Checking node livenes..."
+        ssh root@$fqdn uname -a
+
+        echo "Checking if node already has key..."
+        ssh root@$fqdn stat /opt/hscloud/node.key || (
+            echo "Generating key..."
+            ssh root@$fqdn -- mkdir -p /opt/hscloud
+            ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl genrsa -out /opt/hscloud/node.key 4096\"" 
+            ssh root@$fqdn -- chmod 400 /opt/hscloud/node.key
+        )
+
+        echo "Checking if node already has cert..."
+        ssh root@$fqdn stat /opt/hscloud/node.crt && exit 0
+        echo "No cert, will generate..."
+
+        cd "$hscloud_root"
+        secrets="$hscloud_root/secrets"
+        ca="$secrets/plain/ca.key"
+        [ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )
+
+        ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl req -new -key /opt/hscloud/node.key -out /opt/hscloud/node.csr -subj '/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Stowarzyszenie Warszawski Hackerspace/OU=Node Bootstrap Certificate/CN=" $fqdn "'\""
+        scp root@$fqdn:/opt/hscloud/node.csr .
+        openssl x509 -req -in node.csr -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "data/${fqdn}.crt"
+
+        scp "data/${fqdn}.crt" root@$fqdn:/opt/hscloud/node.crt
+        scp "data/ca.crt" root@$fqdn:/opt/hscloud/ca.crt
+        ssh root@$fqdn -- chmod 444 /opt/hscloud/node.crt /opt/hscloud/ca.crt
+        rm node.csr
+    )
+}
+
 echo "Now playing:"
 echo "  hscloud-dc      - run docker-compose"
 echo "  hscloud-pki-dev - generate dev PKI certs"
+echo "  hscloud-node-push-certs - push a node cert to the node"