colibri/scripts/clawdie-backup.env.example

# clawdie-backup-pull config — copy to ~/.config/clawdie-backup/backup.env (chmod 600).
# This file is GITIGNORED on purpose: it holds the source host + the age recipient.
# Keep real hosts/keys out of the repo.

# rsync source = the Vultr box's read-only dumps dir, reached over Tailscale.
# Use a Tailscale name (not a public IP), and a read-only/forced-command SSH key.
BACKUP_SRC="user@vultr-tailnet-name:/var/backups/clawdie/"

# Local snapshot root on domedog (plenty of room; ~1-2 GB per snapshot).
BACKUP_DEST="$HOME/clawdie-backups"

# How many dated snapshots to keep (e.g. 14 daily).
BACKUP_KEEP="14"

# age recipient for encryption-at-rest. Either a public key string:
#   BACKUP_AGE_RECIPIENT="age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# or a path to a recipients file (one age pubkey per line):
#   BACKUP_AGE_RECIPIENT="$HOME/.config/clawdie-backup/recipients.txt"
# The private key stays OFF this host (operator holds it) so a domedog compromise
# can't decrypt the vault backup.
BACKUP_AGE_RECIPIENT=""

# Optional: report backup health to the Colibri board by transitioning a task.
# COLIBRI_SOCKET="$HOME/.colibri/colibri.sock"
# BACKUP_TASK_ID="<uuid of a scheduled 'backup' task assigned to domedog>"
feat(backup): domedog-side pull script for Forgejo+Vault (off-box independence) Addresses HOST-MATRIX §4 backup-independence: the Vultr box (Forgejo+Vaultwarden) is a single point of failure for backups AND secrets. This pulls its dumps to domedog (already paid, on-tailnet, 51G free) — zero new cost. - PULL direction: a compromised Vultr can't reach into / destroy the backup history - verifies integrity (forgejo dump zip + vault sqlite PRAGMA integrity_check) - encrypts at rest with age (vault dump = secret material; private key stays off-host) - dated snapshots + retention (versioned, not a single overwritten mirror) - opt-in Colibri board status (transition a task done/failed = backup health signal) - config (host + age recipient) lives in ~/.config (gitignored); no hosts/keys in repo Vultr side stays responsible only for producing consistent dumps (forgejo dump + sqlite .backup) and exposing them read-only. bash -n clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-20 10:52:26 +02:00			`# clawdie-backup-pull config — copy to ~/.config/clawdie-backup/backup.env (chmod 600).`
			`# This file is GITIGNORED on purpose: it holds the source host + the age recipient.`
			`# Keep real hosts/keys out of the repo.`

			`# rsync source = the Vultr box's read-only dumps dir, reached over Tailscale.`
			`# Use a Tailscale name (not a public IP), and a read-only/forced-command SSH key.`
			`BACKUP_SRC="user@vultr-tailnet-name:/var/backups/clawdie/"`

			`# Local snapshot root on domedog (plenty of room; ~1-2 GB per snapshot).`
			`BACKUP_DEST="$HOME/clawdie-backups"`

			`# How many dated snapshots to keep (e.g. 14 daily).`
			`BACKUP_KEEP="14"`

			`# age recipient for encryption-at-rest. Either a public key string:`
			`# BACKUP_AGE_RECIPIENT="age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"`
			`# or a path to a recipients file (one age pubkey per line):`
			`# BACKUP_AGE_RECIPIENT="$HOME/.config/clawdie-backup/recipients.txt"`
			`# The private key stays OFF this host (operator holds it) so a domedog compromise`
			`# can't decrypt the vault backup.`
			`BACKUP_AGE_RECIPIENT=""`

			`# Optional: report backup health to the Colibri board by transitioning a task.`
			`# COLIBRI_SOCKET="$HOME/.colibri/colibri.sock"`
			`# BACKUP_TASK_ID="<uuid of a scheduled 'backup' task assigned to domedog>"`