From b99f60c7e5d808033ea1dc838c83d3ad183ad70e Mon Sep 17 00:00:00 2001
From: d3m0k1d
Date: Sat, 4 Apr 2026 02:39:46 +0300
Subject: [PATCH] fix: dockerfiles and add generate certs script
---
 agent/dockerfile | 2 +-
 backend/dockerfile | 4 +-
 backend/scripts/generate-certs.sh | 98 +++++++++++++++++++++++++++++++
 3 files changed, 101 insertions(+), 3 deletions(-)
 create mode 100644 backend/scripts/generate-certs.sh
diff --git a/agent/dockerfile b/agent/dockerfile
index 73acc13..67ce9f4 100644
--- a/agent/dockerfile
+++ b/agent/dockerfile
@@ -11,7 +11,7 @@ COPY . .
 ENV CGO_ENABLED=0
 RUN --mount=type=cache,target=/go/pkg/mod \
 --mount=type=cache,target=/root/.cache/go-build \
- go build -ldflags "-s -w" -o agent ./cmd/main.go
+ go build -ldflags "-s -w" -o agent ./main.go
 FROM debian:bookworm-slim
diff --git a/backend/dockerfile b/backend/dockerfile
index 2d24bc4..1e7340d 100644
--- a/backend/dockerfile
+++ b/backend/dockerfile
@@ -15,8 +15,8 @@ FROM alpine:3.23.0
 RUN apk add --no-cache curl openssl bash
 COPY --from=builder /app/backend .
-COPY --from=builder /app/scripts /etc/mnemosyne/scripts
-RUN chmod +x /etc/mnemosyne/scripts/generate-certs.sh
+#COPY --from=builder /app/scripts /etc/mnemosyne/scripts
+#RUN chmod +x /etc/mnemosyne/scripts/generate-certs.sh
 EXPOSE 8080
 HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "curl --fail http://localhost:8080/health" ]
diff --git a/backend/scripts/generate-certs.sh b/backend/scripts/generate-certs.sh
new file mode 100644
index 0000000..ef3af7c
--- /dev/null
+++ b/backend/scripts/generate-certs.sh
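Review bot: In the backend/dockerfile hunk the two COPY/RUN instructions for the certificate script are commented out rather than removed, so the backend image no longer contains generate-certs.sh even though this same commit adds that file; if the script is meant to run somewhere else (an init container, the host, or a mounted volume), state that in a comment next to the disabled lines, otherwise delete them instead of leaving dead instructions in the image recipe. Unrelated to the change but visible in the context line: `HEALTHCHECK ... CMD [ "curl --fail http://localhost:8080/health" ]` is exec form with a single element, so Docker tries to execute a program literally named `curl --fail http://localhost:8080/health` and the check cannot pass; either `CMD curl --fail http://localhost:8080/health` (shell form) or `CMD ["curl", "--fail", "http://localhost:8080/health"]` is what was intended. The agent/dockerfile hunk only changes the build entry path and needs no note.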
@@ -0,0 +1,98 @@
+#!/bin/bash
+# Скрипт генерации SSL сертификатов для mTLS gRPC
+
+set -e
+
+CERT_DIR="${1:-/etc/mnemosyne/ssl}"
+DAYS_VALID=365
+
+echo "Generating CA and server certificates in ${CERT_DIR}..."
+
+# Создаём директорию
+mkdir -p "${CERT_DIR}"
+
+# Если сертификаты уже есть и не пустые - не перегенерируем
+if [ -s "${CERT_DIR}/ca.crt" ] && [ -s "${CERT_DIR}/server.crt" ] && [ -s "${CERT_DIR}/server.key" ]; then
+ echo "Certificates already exist, skipping generation."
+ exit 0
+fi
+
+# Если файлы существуют но пустые - удаляем их для перегенерации
+rm -f "${CERT_DIR}/ca.crt" "${CERT_DIR}/ca.key" "${CERT_DIR}/server.crt" "${CERT_DIR}/server.key" "${CERT_DIR}/server.csr"
+
+# Генерация CA
+echo "Generating CA..."
+openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "${CERT_DIR}/ca.key"
+openssl req -x509 -new -nodes -sha256 -days ${DAYS_VALID} \
+ -key "${CERT_DIR}/ca.key" \
+ -out "${CERT_DIR}/ca.crt" \
+ -subj "/CN=Mnemosyne Root CA"
+
+# Генерация серверного сертификата
+echo "Generating server certificate..."
+openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "${CERT_DIR}/server.key"
+openssl req -new -sha256 \
+ -key "${CERT_DIR}/server.key" \
+ -out "${CERT_DIR}/server.csr" \
+ -subj "/CN=${SERVER_CN:-localhost}"
+
+# Создаём конфиг для server SAN
+# Поддержка переменных окружения:
+# SERVER_SAN_DNS - список DNS имен через запятую (например: localhost,backend,myserver.example.com)
+# SERVER_SAN_IP - список IP адресов через запятую (например: 127.0.0.1,192.168.1.100)
+cat > "${CERT_DIR}/server.ext" <> "${CERT_DIR}/server.ext"
+ ((dns_idx++))
+ fi
+done
+
+# Добавляем wildcard для localhost если есть
+echo "DNS.${dns_idx} = *.localhost" >> "${CERT_DIR}/server.ext"
+((dns_idx++))
+
+# Добавляем IP SAN
+ip_idx=1
+IFS=',' read -ra IP_ADDRS <<< "${SERVER_SAN_IP:-127.0.0.1}"
+for ip_addr in "${IP_ADDRS[@]}"; do
+ ip_addr=$(echo "$ip_addr" | xargs) # trim whitespace
+ if [ -n "$ip_addr" ]; then
+ echo "IP.${ip_idx} = ${ip_addr}" >> "${CERT_DIR}/server.ext"
+ ((ip_idx++))
+ fi
+done
+
+openssl x509 -req -sha256 -days ${DAYS_VALID} \
+ -in "${CERT_DIR}/server.csr" \
+ -CA "${CERT_DIR}/ca.crt" \
+ -CAkey "${CERT_DIR}/ca.key" \
+ -CAcreateserial \
+ -out "${CERT_DIR}/server.crt" \
+ -extfile "${CERT_DIR}/server.ext"
+
+# Очистка лишних файлов
+rm -f "${CERT_DIR}/server.ext"
+
+# Установка прав
+chmod 600 "${CERT_DIR}"/*.key
+chmod 644 "${CERT_DIR}"/*.crt
+
+echo "Certificates generated successfully!"
+echo " CA: ${CERT_DIR}/ca.crt"
+echo " Server: ${CERT_DIR}/server.crt + ${CERT_DIR}/server.key"
+echo " SAN DNS: ${SERVER_SAN_DNS:-localhost,backend}"
+echo " SAN IP: ${SERVER_SAN_IP:-127.0.0.1}"
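Review bot: Both private keys are created by `openssl genpkey ... -out` under the caller's default umask and only tightened by `chmod 600 "${CERT_DIR}"/*.key` at the very end of the script, so with a typical 022 umask ca.key and server.key are readable by other local users during generation, and if any intermediate openssl step fails under `set -e` they stay that way; add `umask 077` right after `mkdir -p "${CERT_DIR}"` so the key files are restrictive from creation (the later `chmod 644` still opens the .crt files as intended). The skip condition at the top only checks that ca.crt, server.crt and server.key are non-empty, so once the 365-day certificates expire the script keeps skipping; adding `openssl x509 -checkend 0 -noout -in "${CERT_DIR}/server.crt"` to that `if` would regenerate an expired pair. The CA private key is left next to the server key in CERT_DIR with no client-certificate step, which deserves a comment given the header describes mTLS: whoever can read ca.key can sign arbitrary client certificates, so decide explicitly whether it belongs on the backend host at all. The heredoc that writes server.ext appears garbled in this patch as shown (from `cat > "${CERT_DIR}/server.ext" <` up to the first `>>`), so the SAN configuration and the head of the DNS loop could not be reviewed here.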