Add mailcow-pull SSH keypair to Ansible vault #13
Labels
No labels
blocked
borg-backup
ceph
forgejo
in-progress
infra
netdata
nextcloud
p:high
p:low
p:medium
searxng
service-onboard
swarm-nodes
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
copper/ccnet-prod-devops#13
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
The swarm-mgr-01-mailcow-pull ed25519 keypair (used by borg-backup.yml's mailcow backup pull) was generated by hand directly on swarm-mgr-01 on 2026-07-06, since the vault password wasn't available in that session -- it currently only exists at /etc/borg/mailcow_pull_key{,.pub} on that host, not in group_vars/all/vault.yml.
Re-running borg-backup.yml as-is today would generate a different keypair and silently break the forced-command authorized_keys entry already deployed on ccnet-mailcow-ash-1 (mail.coppercore.cc), since that entry is pinned to the specific public key currently live on swarm-mgr-01.
Fix: copy the existing keypair content from swarm-mgr-01 into vault_mailcow_pull_private_key / vault_mailcow_pull_public_key via ansible-vault edit -- do not generate a new keypair.
See ccnet-borg-backup/README.md, 'Mailcow backup pull' section.