6aeb529f13
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 10s
CI / integration (pull_request) Successful in 15s
CI / ui (pull_request) Successful in 53s
CI / gate (pull_request) Successful in 1s
CI / deploy (pull_request) Failing after 2m6s
Move all Telegram egress off the main host. The single connector held the bot token, long-polled Telegram and answered the gateway/backend over the trusted internal network, so the whole component (including login validation) shared fate with its VPN sidecar. Split it into two binaries that share the token: - cmd/validator (home, no VPN): Mini App initData + Login Widget HMAC only, never calls the Bot API. The gateway dials it for Telegram auth, so game login is now independent of Telegram reachability. - cmd/bot (remote): Bot API long-poll + sendMessage, the only component reaching Telegram. It holds no inbound port — it dials the gateway over a new reverse mTLS bot-link (pkg/proto/botlink/v1) and executes the send commands the gateway pushes. The gateway funnels sends to the bot-link: out-of-app push is fire-and-forget (at-most-once, dropped if no bot is connected); the backend admin broadcasts reach a gateway-served relay that forwards them and awaits the bot's ack (SendToUser/SendToGameChannel contract preserved). mTLS (pkg/mtls) is the one inter-service link that leaves the trusted segment; validator<->gateway and the relay stay plaintext internal. The bot is Telegram-rate-limited. One bot now; the gateway bot registry, an owns_updates flag and per-command ids leave seams for N later. Webhook rejected (one URL per token, adds inbound + a static address). The unified test contour runs the split (the bot keeps its VPN sidecar and dials the gateway by its internal name; bot-link certs from deploy/gen-certs.sh, generated in CI). The prod wiring — the bot on a separate host (no VPN), the gateway bot-link port published, PROD_ certs with scheduled rotation, an SSH deploy of both hosts together — is the deferred final stage (PRERELEASE.md TX, Stage 18). Docs: ARCHITECTURE, PRERELEASE (phase TX), platform/telegram + gateway + backend + deploy READMEs, FUNCTIONAL(+ru), CLAUDE.md, .env.example.
62 lines
2.3 KiB
Bash
Executable File
62 lines
2.3 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Generate the bot-link mTLS material for the TEST contour: a private CA, a gateway
|
|
# server leaf and a bot client leaf. The gateway requires the leaf + the bot the
|
|
# client leaf to bring up the reverse bot-link; the CA signs both so each peer trusts
|
|
# only the other.
|
|
#
|
|
# Production certificates come from PROD_ secrets, NOT this script. Private keys never
|
|
# leave the host/secrets; deploy/certs/ is gitignored. The script is idempotent: it
|
|
# reuses an existing CA + leaves unless --force is passed (rotation re-mints the
|
|
# leaves from the same long-lived CA).
|
|
#
|
|
# Usage:
|
|
# deploy/gen-certs.sh [--force] [dir]
|
|
# Env:
|
|
# BOTLINK_GATEWAY_NAME gateway certificate SAN/CN (default: gateway, the compose
|
|
# service name the bot dials in the test contour)
|
|
set -euo pipefail
|
|
|
|
force=0
|
|
dir=""
|
|
for arg in "$@"; do
|
|
case "$arg" in
|
|
--force) force=1 ;;
|
|
*) dir="$arg" ;;
|
|
esac
|
|
done
|
|
dir="${dir:-$(cd "$(dirname "$0")" && pwd)/certs}"
|
|
gw_name="${BOTLINK_GATEWAY_NAME:-gateway}"
|
|
|
|
mkdir -p "$dir"
|
|
cd "$dir"
|
|
|
|
if [[ -f gateway.crt && -f bot.crt && "$force" -ne 1 ]]; then
|
|
echo "gen-certs: certificates already present in $dir (use --force to rotate the leaves)"
|
|
exit 0
|
|
fi
|
|
|
|
# CA: long-lived (10y), reused across leaf rotations.
|
|
if [[ ! -f ca.crt || ! -f ca.key ]]; then
|
|
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
|
|
-keyout ca.key -out ca.crt -days 3650 -subj "/CN=scrabble-botlink-ca"
|
|
echo "gen-certs: created CA"
|
|
fi
|
|
|
|
# Gateway server leaf (SAN matches the name the bot dials).
|
|
openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
|
|
-keyout gateway.key -out gateway.csr -subj "/CN=${gw_name}"
|
|
openssl x509 -req -in gateway.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
|
|
-out gateway.crt -days 825 \
|
|
-extfile <(printf "subjectAltName=DNS:%s,DNS:localhost\nextendedKeyUsage=serverAuth\nkeyUsage=critical,digitalSignature\n" "$gw_name")
|
|
|
|
# Bot client leaf.
|
|
openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
|
|
-keyout bot.key -out bot.csr -subj "/CN=scrabble-bot"
|
|
openssl x509 -req -in bot.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
|
|
-out bot.crt -days 825 \
|
|
-extfile <(printf "extendedKeyUsage=clientAuth\nkeyUsage=critical,digitalSignature\n")
|
|
|
|
rm -f gateway.csr bot.csr ca.srl
|
|
chmod 600 ./*.key
|
|
echo "gen-certs: wrote ca.crt, gateway.crt/key (CN=${gw_name}), bot.crt/key to $dir"
|