feat(telegram): split connector into home validator + remote bot (mTLS bot-link) #96
+8
-1
@@ -57,5 +57,12 @@ openssl x509 -req -in bot.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
|
||||
-extfile <(printf "extendedKeyUsage=clientAuth\nkeyUsage=critical,digitalSignature\n")
|
||||
|
||||
rm -f gateway.csr bot.csr ca.srl
|
||||
chmod 600 ./*.key
|
||||
# The gateway and bot run on distroless **nonroot** (UID 65532) and bind-mount this
|
||||
# dir read-only; a key owned by the deploy user must still be readable by that UID, so
|
||||
# the leaves are world-readable (0644, like the .crt files). These are ephemeral
|
||||
# TEST certificates regenerated every deploy on the trusted runner host; production
|
||||
# keys come from PROD_ secrets, not this script. The CA key never enters a container —
|
||||
# keep it owner-only.
|
||||
chmod 644 ./ca.crt ./gateway.crt ./gateway.key ./bot.crt ./bot.key
|
||||
chmod 600 ./ca.key
|
||||
echo "gen-certs: wrote ca.crt, gateway.crt/key (CN=${gw_name}), bot.crt/key to $dir"
|
||||
|
||||
Reference in New Issue
Block a user