hippogrief/pobsync
1
0
Fork 0
Code Issues 21 Pull Requests Actions Packages Projects Releases 3 Wiki Activity

(feature) Generate filesystem-backed SSH credentials

Browse Source 
Add filesystem-backed SSH credentials for the native systemd deployment
path. Generated keys are stored below POBSYNC_HOME with 0600
permissions, while Django keeps the public key, fingerprint, path, and
selection metadata.

Add a Django SSH key generation view, delete action for unused generated
keys, and a management command used by the installer to ensure a default
backup key exists.

Update runtime config to use generated key paths directly as IdentityFile,
extend host checks to verify key readability, and keep legacy uploaded
keys available for compatibility.
This commit is contained in:
Peter van Arkel
2026-05-19 19:41:40 +02:00
parent ccacad3d37
commit df3dcc47c9
18 changed files with 483 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
README.md
View File

@@ -46,6 +46,7 @@ The installer will, by default:
- create `/var/lib/pobsync`, `/var/log/pobsync`, and the backup root
- install Python dependencies
- run migrations and collect static files
- generate a default SSH key for the service user if one does not exist yet
- install and start `pobsync-web`, `pobsync-worker`, and `pobsync-scheduler`
- guide you through the first login and setup steps
@@ -141,16 +142,21 @@ The UI includes:
## SSH Keys
SSH keys can be managed from `/ssh-credentials/`. Add a private key, optionally paste `known_hosts` entries, and select
the credential either as the global default or as a per-host override.
SSH keys can be managed from `/ssh-credentials/`. The recommended flow is to generate keys from Django or during the
installer. pobsync stores the private key on disk under `POBSYNC_HOME`, keeps the public key visible in the UI, and lets
you select a credential either as the global default or as a per-host override.
When a backup starts, the worker writes the selected key to:
Generated private keys are stored at:
```
$POBSYNC_HOME/state/ssh-credentials/<id>/identity
```
The key file is written with `0600` permissions and injected into the rsync SSH command with `IdentityFile`.
The key file is written with `0600` permissions and injected into the rsync SSH command with `IdentityFile`. Copy the
public key shown in Django to the target host's `authorized_keys`.
Existing private keys can still be added manually, but generated filesystem keys are preferred for native systemd
production installs.
## Updates