# clawdie-backup-pull config — copy to ~/.config/clawdie-backup/backup.env (chmod 600).
# This file is GITIGNORED on purpose: it holds the source host + the age recipient.
# Keep real hosts/keys out of the repo.

# rsync source = the Vultr box's read-only dumps dir, reached over Tailscale.
# Use a Tailscale name (not a public IP), and a read-only/forced-command SSH key.
BACKUP_SRC="user@vultr-tailnet-name:/var/backups/clawdie/"

# Local snapshot root on domedog (plenty of room; ~1-2 GB per snapshot).
BACKUP_DEST="$HOME/clawdie-backups"

# How many dated snapshots to keep (e.g. 14 daily).
BACKUP_KEEP="14"

# age recipient for encryption-at-rest. Either a public key string:
#   BACKUP_AGE_RECIPIENT="age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# or a path to a recipients file (one age pubkey per line):
#   BACKUP_AGE_RECIPIENT="$HOME/.config/clawdie-backup/recipients.txt"
# The private key stays OFF this host (operator holds it) so a domedog compromise
# can't decrypt the vault backup.
BACKUP_AGE_RECIPIENT=""

# Optional: report backup health to the Colibri board by transitioning a task.
# COLIBRI_SOCKET="$HOME/.colibri/colibri.sock"
# BACKUP_TASK_ID="<uuid of a scheduled 'backup' task assigned to domedog>"