mTLS HTTP client construction for the control plane.
Exposes build_client only — used by main.rs for the bootstrap +
enroll path and by the runtime workers via the Client they receive
at spawn.
Event-stream POSTs (RFC-0005 §4.2) live in
runtime/workers/longpoll.rs and the outbound-queue drainer; they
construct their own request shapes against
nixfleet_proto::agent_wire directly.
The read_client_key_as_pem helper survives because the SSH
host-key → PKCS#8 conversion footgun it documents remains
load-bearing on agent first-boot.
Constants
Functions
- build_client - TLS-only mode (None cert/key) supported but production always wires both.
- read_client_key_as_pem 🔒 - Return PEM bytes that reqwest::Identity::from_pem accepts. FOOTGUN: the agent’s client key is the host SSH key, which is OpenSSH format - neither reqwest nor rustls parses it. We extract the 32-byte ed25519 seed and re-emit as PKCS#8 PEM. PEM inputs pass through unchanged.
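The conversion described for read_client_key_as_pem, as an added std-only example (not nixfleet's own code): it parses the base64-decoded body of an unencrypted OpenSSH key file, extracts the ed25519 seed and wraps it as PKCS#8 DER. All function names and the sample blob are constructed for illustration; the base64/PEM armor on either side is left out.

```rust
// Added example, not project code. Input: base64-decoded body of an OpenSSH private key file.
const MAGIC: &[u8] = b"openssh-key-v1\0";
// Fixed PKCS#8 v1 header for Ed25519 (RFC 8410); the 32-byte seed follows it.
const PKCS8_PREFIX: [u8; 16] = [0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x04, 0x22, 0x04, 0x20];

// Read `n` bytes at the cursor; truncated input is an error, never a panic.
fn take<'a>(buf: &'a [u8], pos: &mut usize, n: usize) -> Result<&'a [u8], String> {
    let out = buf.get(*pos..).and_then(|r| r.get(..n)).ok_or("truncated key")?;
    *pos += n;
    Ok(out)
}

// Read an SSH wire "string": big-endian u32 length, then that many bytes.
fn ssh_string<'a>(buf: &'a [u8], pos: &mut usize) -> Result<&'a [u8], String> {
    let b = take(buf, pos, 4)?;
    take(buf, pos, u32::from_be_bytes([b[0], b[1], b[2], b[3]]) as usize)
}

// Extract the ed25519 seed from an unencrypted openssh-key-v1 blob.
pub fn ed25519_seed(blob: &[u8]) -> Result<[u8; 32], String> {
    let mut p = 0;
    if take(blob, &mut p, MAGIC.len())? != MAGIC { return Err("not an openssh-key-v1 blob".into()); }
    let (cipher, kdf) = (ssh_string(blob, &mut p)?, ssh_string(blob, &mut p)?);
    if cipher != b"none" || kdf != b"none" { return Err("encrypted key: decrypt it first".into()); }
    ssh_string(blob, &mut p)?; // KDF options, empty when the KDF is "none"
    if take(blob, &mut p, 4)? != [0u8, 0, 0, 1] { return Err("expected exactly one key".into()); }
    ssh_string(blob, &mut p)?; // public key blob, repeated inside the private section
    let sec = ssh_string(blob, &mut p)?;
    let mut q = 0;
    if take(sec, &mut q, 4)? != take(sec, &mut q, 4)? { return Err("check ints differ".into()); }
    if ssh_string(sec, &mut q)? != b"ssh-ed25519" { return Err("not an ed25519 key".into()); }
    let (public, private) = (ssh_string(sec, &mut q)?, ssh_string(sec, &mut q)?);
    if public.len() != 32 || private.len() != 64 || &private[32..] != public { return Err("malformed ed25519 key".into()); }
    Ok(std::array::from_fn(|i| private[i])) // private field is seed || public key
}

// Wrap the seed as PKCS#8 DER; base64 inside "PRIVATE KEY" armor gives the PEM.
pub fn pkcs8_der(seed: &[u8; 32]) -> Vec<u8> {
    [&PKCS8_PREFIX[..], &seed[..]].concat()
}

// Constructed sample blob: seed bytes 0..32, dummy public key 0xAA, not a real key.
pub fn sample_blob(cipher: &[u8]) -> Vec<u8> {
    fn s(b: &[u8]) -> Vec<u8> { [&(b.len() as u32).to_be_bytes()[..], b].concat() }
    let pub_blob = [s(b"ssh-ed25519"), s(&[0xAA; 32])].concat();
    let sec = [vec![7; 8], pub_blob.clone(), s(&[(0..32).collect::<Vec<u8>>(), vec![0xAA; 32]].concat()), s(b"constructed"), vec![1, 2]].concat();
    [MAGIC.to_vec(), s(cipher), s(b"none"), s(b""), vec![0, 0, 0, 1], s(&pub_blob), s(&sec)].concat()
}
fn main() { println!("{:02x?}", ed25519_seed(&sample_blob(b"none")).map(|s| pkcs8_der(&s))); }
```

The parser rejects encrypted keys and non-ed25519 key types instead of guessing, so a misprovisioned host key fails at load time rather than at the first TLS handshake.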