(feature) Generate filesystem-backed SSH credentials

Add filesystem-backed SSH credentials for the native systemd deployment path. Generated keys are stored below POBSYNC_HOME with 0600 permissions, while Django keeps the public key, fingerprint, path, and selection metadata. Add a Django SSH key generation view, delete action for unused generated keys, and a management command used by the installer to ensure a default backup key exists. Update runtime config to use generated key paths directly as IdentityFile, extend host checks to verify key readability, and keep legacy uploaded keys available for compatibility.
2026-05-19 19:41:40 +02:00
parent ccacad3d37
commit df3dcc47c9
18 changed files with 483 additions and 24 deletions
--- a/src/pobsync_backend/tests/test_django_config_source.py
+++ b/src/pobsync_backend/tests/test_django_config_source.py
@@ -115,3 +115,21 @@ class DjangoConfigSourceTests(TestCase):
            self.assertFalse(global_identity_file.exists())

        self.assertIn(f"-oIdentityFile={host_identity_file}", cfg["ssh"]["options"])
+
+    def test_filesystem_ssh_credential_uses_existing_key_path(self) -> None:
+        with TemporaryDirectory() as tmp:
+            identity_file = Path(tmp) / "identity"
+            identity_file.write_text("PRIVATE KEY\n", encoding="utf-8")
+            identity_file.chmod(0o600)
+            credential = SshCredential.objects.create(name="backup-key", key_path=str(identity_file), public_key="PUBLIC")
+            GlobalConfig.objects.create(
+                name="default",
+                backup_root="/backups",
+                pobsync_home="/opt/pobsync",
+                default_ssh_credential=credential,
+            )
+            HostConfig.objects.create(host="web-01", address="web-01.example.test")
+
+            cfg = DjangoConfigSource().effective_config_for_host("web-01")
+
+        self.assertIn(f"-oIdentityFile={identity_file}", cfg["ssh"]["options"])