Close the known gap: backup bundles were uploaded unencrypted, relying
solely on destination access control. Now every data artifact is
age-encrypted on the VM before upload and decrypted on restore.
- backup-remote.sh: assemble rustfs blobs into rustfs-blobs.tar.zst (so the
whole bundle is one encrypted unit), then age -r <recipient> each artifact
to <name>.age and drop the plaintext. MANIFEST.json stays cleartext — it
is the inventory + integrity gate and carries no secrets; it records each
artifact's PLAINTEXT sha256 so restore verifies after decrypt.
- restore-remote.sh: materialise the age identity to a 0600 file, decrypt
each .age, then run the existing sha + scratch-restore asserts; add a
rustfs-blobs extract+assert.
- backup.sh / restore.sh: pass the public recipient (arg) / secret identity
(stdin, never argv) from passphrase-encrypted config.
- provision/index.ts: install age + zstd on the VM via cloud-init so a fresh
DR VM (T13) has the backup tools from first boot.
- Pulumi.foundation.yaml: seed backup.ageRecipient (public) + backup.ageIdentity
(secure:). The identity lives in config so {repo + passphrase} can decrypt a
bundle even after total Vault loss (CONTRACT_004 §4.3).
Validated live: encrypted backup + restore-verify PASS from both RustFS and
offsite; bucket shows only *.age + cleartext MANIFEST.json.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
109 lines
4.7 KiB
TypeScript
109 lines
4.7 KiB
TypeScript
// provision/index.ts — Phase 0: provision the throwaway foundation TEST VM.
|
|
//
|
|
// Isolated stack (platformName "foundation-test" → no name collision with the
|
|
// production olsicloud4-* resources). Uses the vendored @olsitec/pulumi-hetzner
|
|
// HetznerDeployment for one cx22, adds a firewall, and installs Docker via the
|
|
// module's cloud-init lateCommands.
|
|
//
|
|
// GOTCHA (VENDORED.md): the module's cloud-init moves SSH to PORT 222 and creates
|
|
// root + andiolsi users. The firewall + the Docker-over-SSH provider use :222.
|
|
//
|
|
// Token comes from ENV (export HCLOUD_TOKEN="$(pass olsicloud4/HCLOUD_TOKEN)"),
|
|
// never committed.
|
|
import * as pulumi from "@pulumi/pulumi";
|
|
import * as hcloud from "@pulumi/hcloud";
|
|
import { HetznerDeployment } from "@olsitec/pulumi-hetzner";
|
|
import * as os from "os";
|
|
|
|
const token = process.env.HCLOUD_TOKEN;
|
|
if (!token) {
|
|
throw new Error(
|
|
'HCLOUD_TOKEN env required: export HCLOUD_TOKEN="$(pass olsicloud4/HCLOUD_TOKEN)"',
|
|
);
|
|
}
|
|
|
|
const platformName = "foundation-test";
|
|
const datacenter = "hel1-dc2"; // cx33 only orderable in Helsinki (eu-central zone)
|
|
// Dedicated throwaway key: the operator's id_rsa pubkey is already registered in
|
|
// the project (olsicloud4-ssh-key) and Hetzner rejects duplicate key CONTENT, so
|
|
// the test VM uses its own ed25519 key. SSH/Docker-over-SSH use the matching
|
|
// private key (~/.ssh/foundation-test_ed25519) on port 222.
|
|
const sshKeyPath =
|
|
process.env.FOUNDATION_TEST_SSH_PUBKEY ||
|
|
`${os.homedir()}/.ssh/foundation-test_ed25519.pub`;
|
|
|
|
// Install Docker CE on Debian 12 (runs in cloud-init runcmd, after base packages).
|
|
const dockerInstall = [
|
|
"install -m 0755 -d /etc/apt/keyrings",
|
|
"curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc",
|
|
"chmod a+r /etc/apt/keyrings/docker.asc",
|
|
'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian bookworm stable" > /etc/apt/sources.list.d/docker.list',
|
|
"apt-get update",
|
|
"apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin",
|
|
"systemctl enable --now docker",
|
|
"touch /root/.provision-done",
|
|
];
|
|
|
|
// Host tools the backup/restore path runs directly on the VM (not in a container):
|
|
// `zstd` (forgejo-repos + rustfs-blobs compression) and `age` (CONTRACT_004 §4.3
|
|
// at-rest encryption). `jq` is already in the cloud-init base packages. Declaring
|
|
// them here means a fresh DR VM (T13) has them from first boot — do not rely on
|
|
// them being present incidentally.
|
|
const backupTools = ["zstd", "age"];
|
|
|
|
const dep = new HetznerDeployment(platformName, {
|
|
platformName,
|
|
hcloudToken: token,
|
|
sshKeyPath,
|
|
datacenter,
|
|
servers: [
|
|
{
|
|
name: "foundation-test",
|
|
hostname: "foundation-test",
|
|
type: "cx33", // 4c/8G/80GB (Helsinki); cx22 legacy, cx33 not in nbg1
|
|
image: "debian-12",
|
|
labels: { purpose: "foundation-test", ephemeral: "true" },
|
|
cloudInitConfig: { extraPackages: backupTools, lateCommands: dockerInstall },
|
|
},
|
|
],
|
|
});
|
|
|
|
// Own provider for the firewall (the module's provider is internal/private).
|
|
const provider = new hcloud.Provider("foundation-test-hcloud", { token });
|
|
|
|
const firewall = new hcloud.Firewall(
|
|
"foundation-test-fw",
|
|
{
|
|
name: "foundation-test-fw",
|
|
rules: [
|
|
// SSH — cloud-init moves sshd to 222 (VENDORED.md gotcha)
|
|
{ direction: "in", protocol: "tcp", port: "222", sourceIps: ["0.0.0.0/0", "::/0"] },
|
|
// Caddy HTTP/HTTPS
|
|
{ direction: "in", protocol: "tcp", port: "80", sourceIps: ["0.0.0.0/0", "::/0"] },
|
|
{ direction: "in", protocol: "tcp", port: "443", sourceIps: ["0.0.0.0/0", "::/0"] },
|
|
// Forgejo git-over-SSH (CONTRACT_001 forgeSshPort)
|
|
{ direction: "in", protocol: "tcp", port: "2222", sourceIps: ["0.0.0.0/0", "::/0"] },
|
|
// Forgejo git-over-SSH on :22 too — the VM's admin sshd is on 222, so :22 is
|
|
// free for the canonical git endpoint, making the scp-form clone
|
|
// `git@git.olsitec.net:olsitec/...` work (Forgejo sshd ForceCommands `serv`).
|
|
{ direction: "in", protocol: "tcp", port: "22", sourceIps: ["0.0.0.0/0", "::/0"] },
|
|
{ direction: "in", protocol: "icmp", sourceIps: ["0.0.0.0/0", "::/0"] },
|
|
],
|
|
},
|
|
{ provider },
|
|
);
|
|
|
|
new hcloud.FirewallAttachment(
|
|
"foundation-test-fw-attach",
|
|
{
|
|
firewallId: firewall.id.apply((id) => Number(id)),
|
|
serverIds: [dep.servers[0].id.apply((id) => Number(id))],
|
|
},
|
|
{ provider },
|
|
);
|
|
|
|
// Outputs consumed by the foundation test stack + the operator.
|
|
export const serverName = dep.serverInfo[0].name;
|
|
export const publicIp = dep.serverInfo[0].publicIp;
|
|
export const sshCommand = pulumi.interpolate`ssh -p 222 root@${dep.serverInfo[0].publicIp}`;
|
|
export const dockerHost = pulumi.interpolate`ssh://root@${dep.serverInfo[0].publicIp}:222`;
|