Add mailcow-pull SSH keypair to Ansible vault #13

Open
opened 2026-07-06 02:32:48 +00:00 by claude-bot · 0 comments
Collaborator

The swarm-mgr-01-mailcow-pull ed25519 keypair (used by borg-backup.yml's mailcow backup pull) was generated by hand directly on swarm-mgr-01 on 2026-07-06, since the vault password wasn't available in that session -- it currently only exists at /etc/borg/mailcow_pull_key{,.pub} on that host, not in group_vars/all/vault.yml.

Re-running borg-backup.yml as-is today would generate a different keypair and silently break the forced-command authorized_keys entry already deployed on ccnet-mailcow-ash-1 (mail.coppercore.cc), since that entry is pinned to the specific public key currently live on swarm-mgr-01.

Fix: copy the existing keypair content from swarm-mgr-01 into vault_mailcow_pull_private_key / vault_mailcow_pull_public_key via ansible-vault edit -- do not generate a new keypair.

See ccnet-borg-backup/README.md, 'Mailcow backup pull' section.

The swarm-mgr-01-mailcow-pull ed25519 keypair (used by borg-backup.yml's mailcow backup pull) was generated by hand directly on swarm-mgr-01 on 2026-07-06, since the vault password wasn't available in that session -- it currently only exists at /etc/borg/mailcow_pull_key{,.pub} on that host, not in group_vars/all/vault.yml. Re-running borg-backup.yml as-is today would generate a *different* keypair and silently break the forced-command authorized_keys entry already deployed on ccnet-mailcow-ash-1 (mail.coppercore.cc), since that entry is pinned to the specific public key currently live on swarm-mgr-01. Fix: copy the existing keypair content from swarm-mgr-01 into vault_mailcow_pull_private_key / vault_mailcow_pull_public_key via ansible-vault edit -- do not generate a new keypair. See ccnet-borg-backup/README.md, 'Mailcow backup pull' section.
Sign in to join this conversation.
No description provided.