feat(backup): domedog-side pull script for Forgejo+Vault #106

Merged
clawdie merged 1 commit from feat/backup-pull-domedog into main 2026-06-20 14:28:08 +02:00
Owner

What

scripts/clawdie-backup-pull.sh — domedog-side pull of the Vultr Forgejo + Vaultwarden dumps, closing the HOST-MATRIX §4 backup-independence gap (that one Vultr box is a SPOF for both backups and all secrets).

Zero new cost: domedog is already paid, on the tailnet, with 51 GB free (~1–2 GB/snapshot).

Design (the four tightenings from review)

  1. Pull, not push — a compromised Vultr can't reach into or destroy the backup history; the script only ever reads from the remote (no --delete, no writes back).
  2. Verify — unzip -t the forgejo dump zip + PRAGMA integrity_check the vault SQLite before trusting it.
  3. Encrypt at rest — age (the vault dump is secret material); the private key stays off domedog, so a domedog compromise can't decrypt it. Warns loudly + 0600 if age isn't configured.
  4. Versioned retention — dated snapshots, keep N (not a single overwritten mirror), so corruption/ransomware can't clobber good history.

Plus: opt-in Colibri board status (transition a task done/failed = backup health signal — the observability win from option (a)), single-run flock, and no hosts/keys in the repo (config lives in ~/.config/clawdie-backup/backup.env, gitignored; .env.example documents it).

Vultr side (separate, its responsibility)

Produce consistent dumps and expose them read-only: forgejo dump (repos + DB + config — a raw rsync of the data dir would risk an inconsistent SQLite copy and could miss an external DB = all issues/PRs) and sqlite3 … ".backup" for the vault DB + the rest of its data dir.

Tests

bash -n clean. (shellcheck not installed in CI env.)

Scope notes

  • Solves the Vultr-box gap. osa's own runtime state (ZFS, .env) is a separate §4 item still open.
  • Confirm domedog's provider ≠ Vultr for true independence (domedog provider is still TBD in the matrix).

🤖 Generated with Claude Code
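The four tightenings above as an added shell example; this is not the PR's own scripts/clawdie-backup-pull.sh. It assumes BACKUP_SRC (read-only remote dump dir), BACKUP_ROOT (local snapshot root), AGE_RECIPIENT and KEEP_SNAPSHOTS are exported from the gitignored backup.env, and the dump file names forgejo-dump-*.zip and vault/db.sqlite3 are assumed too.

```shell
#!/usr/bin/env bash
# Added example, not the PR's scripts/clawdie-backup-pull.sh: the four design
# points as shell functions. Assumed (not on the page): BACKUP_SRC = read-only
# remote dump dir, BACKUP_ROOT = local snapshot root, AGE_RECIPIENT = age public
# key, all sourced from the gitignored backup.env rather than hard-coded here.
set -eu

# 1. Pull, not push: rsync reads the remote into a fresh dated snapshot dir.
#    No --delete and nothing written back, so the remote cannot touch history.
pull_snapshot() {  # pull_snapshot SRC ROOT -> prints the new snapshot dir
  local snap="$2/$(date -u +%Y-%m-%d_%H%M)"
  mkdir -p "$snap" && rsync -a "$1" "$snap/"
  printf '%s\n' "$snap"
}

# 2. Verify before trusting: zip must pass unzip -t, SQLite must answer "ok".
verify_dump() {  # verify_dump FORGEJO_ZIP VAULT_DB
  unzip -tq "$1" >/dev/null || { echo "unzip -t failed: $1" >&2; return 1; }
  [ "$(sqlite3 "$2" 'PRAGMA integrity_check;')" = ok ] \
    || { echo "integrity_check failed: $2" >&2; return 1; }
}

# 3. Encrypt at rest to the age recipient (the private key stays off this host).
#    Without one: warn loudly and fall back to 0600 on the plaintext.
protect_at_rest() {  # protect_at_rest FILE
  if [ -n "${AGE_RECIPIENT:-}" ] && command -v age >/dev/null 2>&1; then
    age -r "$AGE_RECIPIENT" -o "$1.age" "$1" && chmod 0600 "$1.age" && rm -f -- "$1"
  else
    echo "WARNING: no AGE_RECIPIENT/age; $1 left unencrypted, mode 0600" >&2
    chmod 0600 "$1"
  fi
}

# 4. Versioned retention: ISO-dated names sort chronologically, so a reverse
#    sort lists newest first; everything past KEEP is pruned (locally only).
prune_snapshots() {  # prune_snapshots ROOT KEEP
  find "$1" -mindepth 1 -maxdepth 1 -type d -name '20??-??-??_*' | sort -r \
    | tail -n +"$(($2 + 1))" | while IFS= read -r old; do rm -rf -- "$old"; done
}

run_backup() {  # flock single-run guard, then the four steps in order
  exec 9>"$BACKUP_ROOT/.lock"
  flock -n 9 || { echo "another run is active" >&2; return 1; }
  local snap; snap=$(pull_snapshot "$BACKUP_SRC" "$BACKUP_ROOT")
  verify_dump "$snap"/forgejo-dump-*.zip "$snap/vault/db.sqlite3"  # assumed names
  protect_at_rest "$snap/vault/db.sqlite3"
  prune_snapshots "$BACKUP_ROOT" "${KEEP_SNAPSHOTS:-14}"
}
if [ "${1:-}" = run ]; then run_backup; fi
```

Invoke as `clawdie-backup-pull.sh run` after sourcing backup.env; the Vultr side still only has to produce the dumps and expose them read-only.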

clawdie added 1 commit 2026-06-20 10:52:56 +02:00
feat(backup): domedog-side pull script for Forgejo+Vault (off-box independence)
Some checks failed
CI / rust (pull_request) Has been cancelled
CI / markdown (pull_request) Has been cancelled
6bf2951fec
Addresses HOST-MATRIX §4 backup-independence: the Vultr box (Forgejo+Vaultwarden)
is a single point of failure for backups AND secrets. This pulls its dumps to
domedog (already paid, on-tailnet, 51G free) — zero new cost.

- PULL direction: a compromised Vultr can't reach into / destroy the backup history
- verifies integrity (forgejo dump zip + vault sqlite PRAGMA integrity_check)
- encrypts at rest with age (vault dump = secret material; private key stays off-host)
- dated snapshots + retention (versioned, not a single overwritten mirror)
- opt-in Colibri board status (transition a task done/failed = backup health signal)
- config (host + age recipient) lives in ~/.config (gitignored); no hosts/keys in repo

Vultr side stays responsible only for producing consistent dumps (forgejo dump +
sqlite .backup) and exposing them read-only. bash -n clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
clawdie merged commit 3bc61bfe00 into main 2026-06-20 14:28:08 +02:00
clawdie deleted branch feat/backup-pull-domedog 2026-06-20 14:28:08 +02:00
Reference: clawdie/colibri#106