P0: gate external backup SSH targets during Nexus host-key rotation #4
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
User story: So that I can rotate the host SSH identity without breaking backups, the rotation workflow must prove every required external backup target is ready before old access is retired.
Part of the "Host-key rotation lifecycle & safety" arc.
Priority: P0 / maximum.
Problem
The Nexus host SSH/age identity rotation can retire the old
~/.ssh/hostkey before external backup-critical SSH targets have been updated to trust the new key.Managed VMs and Forgejo git-over-SSH are checked by the rotation flow, but external SSH targets used by backups are currently manual follow-up. If those steps are missed, the timer can keep firing while backup jobs fail at SSH authentication or offsite upload.
Goal
Make
nexus-host-keytreat external backup SSH targets as first-class rotation gates. The script should be as automatic as possible and print exact operator commands for any human-only step.Required behavior
nexus-host-key stage, print the staged public key and exact instructions to authorize it on required external backup targets before activation.nexus-host-key activate, verify the staged key works against required external backup targets before swapping~/.ssh/host.nexus-host-key retire, refuse or strongly gate retirement unless required external backup targets have been proven with the installed new key.Concrete target classes
At minimum cover:
Prefer deriving these from identity/deployment data or a small declarative allowlist, so future external backup-critical hosts cannot be missed. Do not include managed VMs that are already covered by the VM verification loop.
Suggested implementation shape
nexus-host-key.echo 'ssh-ed25519 ...' >> ~/.ssh/authorized_keysfallback;.ssh/authorized_keyswhen SSH/password access is available, otherwise print provider-support request text with the staged public key.ssh -F /dev/null -i <staged-key> -o IdentitiesOnly=yes -o BatchMode=yes ... trueor an equivalent target-specific no-op.--accept-unverified-external-host <name>, requiring typed confirmation and recording the exact abandoned target in output.Acceptance criteria
nexus-host-key stageoutput contains exact setup commands for the external service VPS and offsite backup destination using the staged public key.nexus-host-key activateproves the staged key against required external backup targets, or stops with actionable recovery instructions.nexus-host-key retireproves the installed new key against required external backup targets, or stops with a named human gate.Validation commands
bash tests/nexus-host-key.shnix flake checkDesign note: this should use a registry, not hardcoded external hosts.
Suggested contract:
Example shape, with placeholder names only:
nexus-host-keyshould consume the registry generically:authorizedKeysPath;This keeps the public
nexustool general while allowing private deployments to declare their own backup-critical external trust targets.Drafted a dev plan for this: https://forge.anarch.diy/allod/strategy/src/branch/master/dev-plans/nexus-external-backup-ssh-rotation-gates.md (in
allod/strategy,dev-plans/nexus-external-backup-ssh-rotation-gates.md).Shape, following the registry design note above: the
externalSshTrustTargetsregistry lives insecrets/identity.nixreferencing existingsshHostsaliases, with synthetic entries in the public template; generic gate logic (stage prints per-target setup commands, activate proves the staged key before the~/.ssh/hostswap, retire proves the installed key first), the--accept-unverified-external-hostoverride, tests, and runbook land innexus. Two PRs —allod/secrets(Refs allod/nexus#4) andallod/nexus(Closes allod/nexus#4, no-ops on an empty registry so landing order is not load-bearing).Proving the gates against the real service-backup VPS and offsite destination stays a human-only validation step. A review-prompt pass on the plan is next.