generated from coulomb/repo-seed
Add draft catalog lane for railiance backup offsite credentials.
Points at CCR-2026-0004 OpenBao path; playbook documents bao login and fetch shapes for railiance-backup and forgejo-backup tooling.
This commit is contained in:
@@ -257,6 +257,24 @@ entries:
|
||||
exec_capable: true
|
||||
lane: secret
|
||||
|
||||
- id: railiance-backup-offsite-lane
|
||||
title: Railiance offsite backup Nextcloud WebDAV credentials
|
||||
need_keywords: [railiance, backup, nextcloud, webdav, offsite, age, forgejo-backup, NC_WEBDAV_TOKEN, file drop]
|
||||
owner_repo: railiance-platform
|
||||
subsystem: OpenBao + Nextcloud
|
||||
warden_executes: false
|
||||
wiki_ref: wiki/playbooks/railiance-backup-offsite-lane.md#worker-checklist
|
||||
canon_ref: railiance-platform/docs/workload-kv-access-lanes.md
|
||||
reviewed: "2026-07-07"
|
||||
status: draft
|
||||
# CCR-2026-0004: policy + OIDC role applied; values provisioned 2026-07-07.
|
||||
# Promote to active after positive/negative caller verification.
|
||||
auth_method: "caller's own OpenBao token (OIDC netkingdom role railiance-backup-workload-kv-read)"
|
||||
path_template: "platform/workloads/railiance/backup/offsite-lane"
|
||||
fetch_command: "bao kv get -field=<FIELD> platform/workloads/railiance/backup/offsite-lane"
|
||||
exec_capable: true
|
||||
lane: secret
|
||||
|
||||
# --- draft: owner path not yet shipped; hidden from default lookup ---
|
||||
|
||||
- id: object-storage-sts
|
||||
|
||||
59
wiki/playbooks/railiance-backup-offsite-lane.md
Normal file
59
wiki/playbooks/railiance-backup-offsite-lane.md
Normal file
@@ -0,0 +1,59 @@
|
||||
# Railiance Offsite Backup Lane
|
||||
|
||||
Date: 2026-07-07
|
||||
Catalog: `railiance-backup-offsite-lane` (status `draft`, `resolvable: false` until verified)
|
||||
Owner: `railiance-platform` (CCR-2026-0004)
|
||||
|
||||
Nextcloud WebDAV upload token and URL for age-encrypted offsite backups (Option A).
|
||||
Used by `railiance-backup` (workstation) and `forgejo-backup` (platform).
|
||||
|
||||
---
|
||||
|
||||
## OpenBao pointers
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Mount | `platform` |
|
||||
| Path | `platform/workloads/railiance/backup/offsite-lane` |
|
||||
| Fields | `NC_WEBDAV_TOKEN`, `NC_WEBDAV_URL`, `AGE_PRIVATE_KEY` |
|
||||
| Policy | `workload-kv-read-railiance-backup-offsite-lane` |
|
||||
| OIDC role | `railiance-backup-workload-kv-read` (`groups=net-kingdom-admins`) |
|
||||
|
||||
---
|
||||
|
||||
## Worker checklist
|
||||
|
||||
1. **Login** (caller identity — ops-warden adds no credential):
|
||||
|
||||
```bash
|
||||
bao login -method=oidc -path=netkingdom role=railiance-backup-workload-kv-read
|
||||
```
|
||||
|
||||
2. **Export for a backup run** (value streams to your shell — never paste into chat):
|
||||
|
||||
```bash
|
||||
export RAILIANCE_BACKUP_NC_TOKEN=$(
|
||||
bao kv get -field=NC_WEBDAV_TOKEN platform/workloads/railiance/backup/offsite-lane
|
||||
)
|
||||
export RAILIANCE_BACKUP_NC_WEBDAV_URL=$(
|
||||
bao kv get -field=NC_WEBDAV_URL platform/workloads/railiance/backup/offsite-lane
|
||||
)
|
||||
```
|
||||
|
||||
3. **Or proxy via warden access** (after catalog promotion):
|
||||
|
||||
```bash
|
||||
warden access railiance-backup-offsite-lane --no-policy --fetch --field NC_WEBDAV_TOKEN
|
||||
```
|
||||
|
||||
4. **Run backup**:
|
||||
|
||||
```bash
|
||||
# workstation custodian DB + config
|
||||
bin/railiance backup
|
||||
|
||||
# Forgejo production (from railiance-platform checkout)
|
||||
tools/cmd/forgejo-backup
|
||||
```
|
||||
|
||||
`AGE_PRIVATE_KEY` in the same path is recovery escrow — fetch only for restore drills.
|
||||
Reference in New Issue
Block a user