feat(telegram): split connector into home validator + remote bot (mTLS bot-link) #96

Merged
developer merged 2 commits from feature/telegram-egress-botlink into development 2026-06-21 05:35:02 +00:00
Showing only changes of commit 860cfeb30f - Show all commits
+8 -1
View File
@@ -57,5 +57,12 @@ openssl x509 -req -in bot.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-extfile <(printf "extendedKeyUsage=clientAuth\nkeyUsage=critical,digitalSignature\n") -extfile <(printf "extendedKeyUsage=clientAuth\nkeyUsage=critical,digitalSignature\n")
rm -f gateway.csr bot.csr ca.srl rm -f gateway.csr bot.csr ca.srl
chmod 600 ./*.key # The gateway and bot run on distroless **nonroot** (UID 65532) and bind-mount this
# dir read-only; a key owned by the deploy user must still be readable by that UID, so
# the leaves are world-readable (0644, like the .crt files). These are ephemeral
# TEST certificates regenerated every deploy on the trusted runner host; production
# keys come from PROD_ secrets, not this script. The CA key never enters a container —
# keep it owner-only.
chmod 644 ./ca.crt ./gateway.crt ./gateway.key ./bot.crt ./bot.key
chmod 600 ./ca.key
echo "gen-certs: wrote ca.crt, gateway.crt/key (CN=${gw_name}), bot.crt/key to $dir" echo "gen-certs: wrote ca.crt, gateway.crt/key (CN=${gw_name}), bot.crt/key to $dir"