%% SSL options for TLS distribution (-proto_dist inet_tls).
%%
%% Mutual TLS between BEAM nodes: each node presents a cert and verifies the
%% peer's cert against our distribution CA. With this in place, a stolen Erlang
%% cookie is NOT enough to join the cluster — a peer must also hold a key/cert
%% signed by dist-ca.pem.
%%
%% Cert paths point at a Secret mounted read-only at /app/dist-certs (see the
%% k8s manifest). Same cert/key is fine for all pods (they're peers of one
%% service); verify_peer against the shared CA is what authenticates a peer,
%% which means that CA must be dedicated to distribution and sign nothing else.
%%
%% Docs: https://www.erlang.org/doc/apps/ssl/ssl_distribution.html
[
%% Options for the listening side of a distribution connection (the node
%% being connected to). Read by inet_tls_dist at start-up, not reloaded.
{server, [
%% Identity this node presents to connecting peers.
{certfile, "/app/dist-certs/dist-cert.pem"},
%% Private key for certfile. It comes from the mounted Secret; the mount
%% should leave it readable only by the BEAM user (see the manifest).
{keyfile, "/app/dist-certs/dist-key.pem"},
%% Trust anchor for peer certs. Any cert that chains to this CA is accepted
%% as a cluster member, so the CA must be used for distribution only; an
%% org-wide CA here would let any holder of one of its certs join.
{cacertfile, "/app/dist-certs/dist-ca.pem"},
%% Request and verify the client cert. On its own verify_peer still lets a
%% client that presents no cert at all complete the handshake — the next
%% option is what makes the cert mandatory.
{verify, verify_peer},
{fail_if_no_peer_cert, true},
%% Only relevant to TLS 1.2 (1.3 has no renegotiation): rejects
%% renegotiation attempts that do not follow RFC 5746.
{secure_renegotiate, true},
%% Explicit allow-list, so TLS 1.0/1.1 stay off whatever the OTP default is.
{versions, ['tlsv1.3', 'tlsv1.2']}
]},
%% Options for the side that initiates a connection to a peer.
{client, [
%% Same identity and trust anchor as above; see the server comments.
{certfile, "/app/dist-certs/dist-cert.pem"},
{keyfile, "/app/dist-certs/dist-key.pem"},
{cacertfile, "/app/dist-certs/dist-ca.pem"},
%% On the client side verify_peer also checks the server cert's hostname
%% against the host being connected to (the peer's node host).
%% NOTE(review): with one shared cert for every pod, confirm its SAN list
%% covers each pod hostname, or that the hostname check is deliberately
%% customised; a mismatch fails the connection rather than weakening it.
{verify, verify_peer},
{secure_renegotiate, true},
{versions, ['tlsv1.3', 'tlsv1.2']}
]}
].