docs: Phase 2 capture side — REPORT/CONTEXT/README for v0.53.x recovery unit
REPORT overwritten (secret-free recovery unit: design, what shipped, golden deploy mechanism, live 9201 validation incl. NO_LEAK grep). CONTEXT dated entry. README: recovery-unit subsection + flagged the stale restic/secondary paths section. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -349,6 +349,35 @@ Path computation is centralized in `backup/paths.go` via the `FelhomDataDir = "f
|
||||
- `SecondaryInfraPath(drivePath)` → `<drive>/felhom-data/backups/secondary/_infra/`
|
||||
- `InfraBackupDir(mountPath)` → `<drive>/.felhom-infra-backup/` (**unchanged** — stays at drive root for DR scanner)
|
||||
|
||||
> **⚠️ Stale:** the restic/secondary helpers above (`PrimaryResticRepoPath`, `SecondaryResticRepoPath`,
|
||||
> `AppSecondaryRsyncPath`, `SecondaryInfraPath`) describe the pre-strip layout — restic/cross-drive was
|
||||
> removed in slice 8C. This section is rewritten when Tier 2 (Phase 3) lands.
|
||||
|
||||
#### Per-app recovery unit (Phase 2, v0.53.x) — SECRET-FREE
|
||||
|
||||
Each app's `backups/primary/<app>/` is a self-contained, recreatable **recovery unit**:
|
||||
|
||||
```
|
||||
backups/primary/<app>/
|
||||
├── compose/ docker-compose.yml + .felhom.yml + a SECRET-STRIPPED app.yaml
|
||||
├── db-dumps/ app-consistent DB dump(s)
|
||||
├── volume-dumps/ named-volume tars
|
||||
└── manifest.json image pins, secret env-var NAMES, data_key names, checksums, secret_source
|
||||
```
|
||||
|
||||
- **Secret-free by design.** The unit stores **no secret value, no data-encrypting key, and not the
|
||||
Docker image** — only the pinned image tag(s) (re-pulled on restore) and the *names* of the secret /
|
||||
`data_key` env vars. Rationale: app.yaml + the encryption key live on the guest rootfs → already in
|
||||
the PBS whole-guest snapshot, and the hub is deliberately zero-knowledge. Restore recovers the
|
||||
original secrets from the guest's own app.yaml (live, or via PBS) and **regenerates nothing**; for a
|
||||
`data_key` app it **fails closed** (refuse + warn) if the key can't be recovered.
|
||||
- Helpers: `RecoveryUnitPath` / `RecoveryUnitComposePath` / `RecoveryUnitManifestPath`
|
||||
(`internal/appbackup/paths.go`). Capture: `Manager.CaptureRecoveryUnit` (`internal/backup/recovery_unit.go`),
|
||||
run from the daily DB dump and the periodic `RefreshCache` (idempotent checksum-skip). The non-secret
|
||||
env comes from `StackDataProvider.GetStackRecoveryInfo` (excludes secret-named + encrypted values, so
|
||||
the capture never touches a secret). `data_key` fields are marked in `.felhom.yml`
|
||||
(`DeployField.DataKey`).
|
||||
|
||||
**Phase 1 — Database Dumps** (`internal/backup/dbdump.go`, scheduled 02:30)
|
||||
|
||||
- **Auto-discovery** of PostgreSQL and MariaDB containers via `docker ps` + `docker inspect`
|
||||
|
||||
Reference in New Issue
Block a user