veza/scripts/generate-ssl-cert.sh

#!/usr/bin/env bash
# Generate a self-signed SSL certificate for local/staging HAProxy.
# For production, use Let's Encrypt or your CA.
# Usage: ./scripts/generate-ssl-cert.sh [domain]

set -e

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
SSL_DIR="$REPO_ROOT/config/ssl"
DOMAIN="${1:-veza.local}"

mkdir -p "$SSL_DIR"
cd "$SSL_DIR"

echo "Generating self-signed certificate for $DOMAIN..."
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout key.pem -out cert.pem \
  -subj "/CN=$DOMAIN"

cat cert.pem key.pem > veza.pem
echo "Created config/ssl/veza.pem"
echo "Add key.pem and cert.pem to .gitignore if not already excluded."
fix(infra): HAProxy HTTPS and stats security P1.1 - Enable HTTPS in HAProxy for production: - HTTP to HTTPS redirect (301) - HTTPS frontend on port 443 with veza.pem - config/ssl/ structure with README and generate-ssl-cert.sh - docker-compose.prod.yml volume for certs P1.3 - Restrict HAProxy stats to internal network: - ACL from_internal (127.0.0.1, 172.20.0.0/16) - stats admin if from_internal Also: remove errorfile directives (use HAProxy built-in defaults) 2026-02-15 14:58:51 +00:00			`#!/usr/bin/env bash`
			`# Generate a self-signed SSL certificate for local/staging HAProxy.`
			`# For production, use Let's Encrypt or your CA.`
			`# Usage: ./scripts/generate-ssl-cert.sh [domain]`

			`set -e`

			`SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`
			`REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"`
			`SSL_DIR="$REPO_ROOT/config/ssl"`
			`DOMAIN="${1:-veza.local}"`

			`mkdir -p "$SSL_DIR"`
			`cd "$SSL_DIR"`

			`echo "Generating self-signed certificate for $DOMAIN..."`
			`openssl req -x509 -nodes -days 365 -newkey rsa:2048 \`
			`-keyout key.pem -out cert.pem \`
			`-subj "/CN=$DOMAIN"`

			`cat cert.pem key.pem > veza.pem`
			`echo "Created config/ssl/veza.pem"`
			`echo "Add key.pem and cert.pem to .gitignore if not already excluded."`