drop restic repo encryption; rely on TLS + append-only + LUKS
User credentials now serve HTTP basic auth only. Repos init with --insecure-no-password. Removes:
- RESTIC_PASSWORD env in client subprocess
- Per-repo password coordination story
- Multi-key restic setup (user key + operator-master key)
- Two-password recovery edge cases

Operator-side prune now runs over the filesystem path (-r /srv/.../<user>/) which bypasses rest-server's HTTP-layer append-only enforcement. No password needed at all.

Protection model stays:
- TLS in transit (reverse proxy)
- HTTP basic per-user (htpasswd) for read/write authorization
- --private-repos for per-user URL isolation
- --append-only for client-side delete protection
- LUKS / disk-level for at-rest encryption (operator's responsibility)

Verified end-to-end on john: pull → push → restore round-trip works, DELETE on bogus snapshot still returns 403 (append-only intact), operator can read repo via filesystem path (prune-mode access works). 33 pytest still green.
@@ -48,7 +48,9 @@ def test_missing_scheme_rejected():
|
||||
_restic_repo("cloud.tm.center", "u", "p")
|
||||
|
||||
|
||||
def test_env_contains_password():
|
||||
env = _restic_env("hunter2")
|
||||
assert env["RESTIC_PASSWORD"] == "hunter2"
|
||||
assert "RESTIC_PROGRESS_FPS" in env
|
||||
def test_env_does_not_contain_password():
|
||||
"""Repos use --insecure-no-password; RESTIC_PASSWORD must NOT appear in env
|
||||
or it would silently switch repos into encrypted mode."""
|
||||
env = _restic_env()
|
||||
assert "RESTIC_PASSWORD" not in env
|
||||
assert env["RESTIC_PROGRESS_FPS"] == "0"
|
||||
|
||||
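Review bot: In test_env_does_not_contain_password, the `"RESTIC_PASSWORD" not in env` assertion only exercises whatever environment the test runner happens to have. If _restic_env() starts from a copy of os.environ (its body is not visible in this hunk), a RESTIC_PASSWORD exported in the parent process would still reach the restic subprocess, and this test would pass anyway on a clean CI machine. Set the variable with monkeypatch.setenv before calling _restic_env() so the test proves it is stripped, and assert that RESTIC_PASSWORD_FILE and RESTIC_PASSWORD_COMMAND are absent as well, since restic also reads a password from those.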