@matthesketh/fleet 1.8.1 → 1.11.0

package/dist/core/backup/statuspage.js

@@ -0,0 +1,145 @@
+/** read-only backup status dashboard. rendered to static html by a systemd
+ *  timer and served at the /backups route (ip-restricted in nginx). */
+/** how long after the expected cadence a backup is considered stale.
+ *  generous — covers the timer's randomised delay plus a missed run. */
+function stalenessThresholdMs(schedule) {
+    const hour = 3_600_000;
+    if (schedule === 'hourly')
+        return 3 * hour;
+    if (schedule === 'weekly')
+        return 8.5 * 24 * hour;
+    if (schedule.includes('00/3'))
+        return 7 * hour;
+    if (schedule.includes('00/6'))
+        return 13 * hour;
+    if (schedule.includes('00/12'))
+        return 25 * hour;
+    // daily and anything unrecognised
+    return 28 * hour;
+}
+export function healthOf(entry, now = Date.now()) {
+    if (entry.disabled)
+        return 'disabled';
+    if (!entry.lastSnapshotAt || entry.snapshotCount === 0)
+        return 'missing';
+    const age = now - new Date(entry.lastSnapshotAt).getTime();
+    return age > stalenessThresholdMs(entry.schedule) ? 'stale' : 'ok';
+}
+export function humanBytes(n) {
+    if (n === null)
+        return '—';
+    if (n < 1024)
+        return `${n} B`;
+    if (n < 1024 ** 2)
+        return `${(n / 1024).toFixed(1)} KB`;
+    if (n < 1024 ** 3)
+        return `${(n / 1024 ** 2).toFixed(1)} MB`;
+    return `${(n / 1024 ** 3).toFixed(2)} GB`;
+}
+export function relativeTime(iso, now = Date.now()) {
+    if (!iso)
+        return 'never';
+    const diff = now - new Date(iso).getTime();
+    const min = Math.floor(diff / 60_000);
+    if (min < 1)
+        return 'just now';
+    if (min < 60)
+        return `${min}m ago`;
+    const hr = Math.floor(min / 60);
+    if (hr < 48)
+        return `${hr}h ago`;
+    return `${Math.floor(hr / 24)}d ago`;
+}
+function esc(s) {
+    return s.replace(/[&<>"]/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }[c]));
+}
+/** renders the full standalone html page. no external assets — inline css so
+ *  it works as a flat file behind nginx. */
+export function renderStatusHtml(report, now = Date.now()) {
+    const apps = [...report.apps].sort((a, b) => a.app.localeCompare(b.app));
+    const counts = { ok: 0, stale: 0, missing: 0, disabled: 0 };
+    for (const a of apps)
+        counts[healthOf(a, now)]++;
+    const totalBytes = apps.reduce((s, a) => s + (a.totalSize ?? 0), 0);
+    const rows = apps.map(a => {
+        const h = healthOf(a, now);
+        return `      <tr class="h-${h}">
+        <td class="dot"><span class="d d-${h}" title="${h}"></span></td>
+        <td class="app">${esc(a.app)}</td>
+        <td>${esc(a.schedule)}</td>
+        <td class="num">${a.snapshotCount}</td>
+        <td>${esc(relativeTime(a.lastSnapshotAt, now))}</td>
+        <td class="num">${humanBytes(a.totalSize)}</td>
+      </tr>`;
+    }).join('\n');
+    return `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<meta http-equiv="refresh" content="300">
+<title>fleet backups</title>
+<style>
+  :root { color-scheme: dark; }
+  * { box-sizing: border-box; }
+  body {
+    margin: 0; padding: 2rem;
+    background: #0d1117; color: #c9d1d9;
+    font: 14px/1.5 ui-monospace, SFMono-Regular, Menlo, monospace;
+  }
+  h1 { font-size: 1.1rem; margin: 0 0 0.25rem; color: #e6edf3; }
+  .meta { color: #8b949e; margin-bottom: 1.25rem; font-size: 0.8rem; }
+  .badges { display: flex; gap: 0.5rem; flex-wrap: wrap; margin-bottom: 1.25rem; }
+  .badge {
+    padding: 0.3rem 0.7rem; border-radius: 6px; font-size: 0.8rem;
+    background: #161b22; border: 1px solid #30363d;
+  }
+  .badge b { color: #e6edf3; }
+  .badge.ok b { color: #3fb950; }
+  .badge.stale b { color: #d29922; }
+  .badge.missing b { color: #f85149; }
+  table { border-collapse: collapse; width: 100%; max-width: 880px; }
+  th, td { text-align: left; padding: 0.45rem 0.8rem; border-bottom: 1px solid #21262d; }
+  th { color: #8b949e; font-weight: 600; font-size: 0.78rem; text-transform: uppercase; letter-spacing: 0.04em; }
+  td.num { text-align: right; font-variant-numeric: tabular-nums; }
+  td.app { color: #e6edf3; }
+  td.dot { width: 1.5rem; }
+  .d { display: inline-block; width: 9px; height: 9px; border-radius: 50%; }
+  .d-ok { background: #3fb950; }
+  .d-stale { background: #d29922; }
+  .d-missing { background: #f85149; }
+  .d-disabled { background: #484f58; }
+  tr.h-stale td.app { color: #d29922; }
+  tr.h-missing td.app { color: #f85149; }
+  tr.h-disabled { opacity: 0.5; }
+  tfoot td { border-top: 2px solid #30363d; border-bottom: none; color: #8b949e; padding-top: 0.7rem; }
+</style>
+</head>
+<body>
+  <h1>fleet backups</h1>
+  <div class="meta">
+    generated ${esc(report.generatedAt)} ·
+    backend <b>${esc(report.backend)}</b> ·
+    ${report.appendOnly ? 'append-only enforced' : 'append-only OFF'}
+  </div>
+  <div class="badges">
+    <span class="badge ok"><b>${counts.ok}</b> ok</span>
+    <span class="badge stale"><b>${counts.stale}</b> stale</span>
+    <span class="badge missing"><b>${counts.missing}</b> missing</span>
+    <span class="badge"><b>${counts.disabled}</b> disabled</span>
+  </div>
+  <table>
+    <thead>
+      <tr><th></th><th>app</th><th>schedule</th><th>snaps</th><th>last</th><th>size</th></tr>
+    </thead>
+    <tbody>
+${rows}
+    </tbody>
+    <tfoot>
+      <tr><td colspan="3">${apps.length} apps</td><td class="num"></td><td></td><td class="num">${humanBytes(totalBytes)}</td></tr>
+    </tfoot>
+  </table>
+</body>
+</html>
+`;
+}

package/dist/core/backup/system.d.ts

@@ -0,0 +1,24 @@
+import { AppBackupConfig } from './types.js';
+/** the `system` pseudo-app: os, infra config, all the things needed to rebuild
+ * this host from a fresh ubuntu install + the data on the backup vps. */
+export declare const SYSTEM_PATHS: string[];
+export declare const ROOT_HOME_PATHS: string[];
+/** excludes for root-home and user-home: claude code regeneratable state
+ *  (sessions, plugin caches, telemetry) and tool caches that take GBs but
+ *  contain nothing the user authored. credentials.json, settings, hooks,
+ *  skills, plans, mcp.json all stay. */
+export declare const HOME_EXCLUDES: string[];
+/** the operator's home-dir paths worth backing up — dotfiles and agent
+ *  state, never app working directories. derived from the configured home. */
+export declare function userHomePaths(homeDir: string): string[];
+export declare const USER_HOME_EXCLUDES: string[];
+export declare function systemConfig(): AppBackupConfig;
+export declare function rootHomeConfig(): AppBackupConfig;
+/** shared-cluster dumps. these are safety nets — they capture every database
+ *  in the shared container as one big stream. per-app preDump entries are
+ *  preferred for routine restore granularity (run hourly), but these run
+ *  daily and catch DBs the per-app list doesn't enumerate. */
+export declare function sharedPostgresConfig(): AppBackupConfig;
+export declare function sharedMysqlConfig(): AppBackupConfig;
+export declare function sharedMongoConfig(): AppBackupConfig;
+export declare function userHomeConfig(): AppBackupConfig;

package/dist/core/backup/system.js

@@ -0,0 +1,209 @@
+import { loadOperator } from '../operator.js';
+import { DEFAULT_RETENTION } from './config.js';
+/** the `system` pseudo-app: os, infra config, all the things needed to rebuild
+ * this host from a fresh ubuntu install + the data on the backup vps. */
+export const SYSTEM_PATHS = [
+    '/etc/nginx',
+    '/etc/letsencrypt',
+    '/etc/systemd/system',
+    '/etc/systemd/resolved.conf.d',
+    '/etc/fleet',
+    '/etc/iptables',
+    '/etc/truewaf',
+    '/etc/modsecurity',
+    '/etc/ssh',
+    '/etc/sudoers',
+    '/etc/sudoers.d',
+    '/etc/fail2ban',
+    '/etc/cron.d',
+    '/etc/crontab',
+    '/etc/netplan',
+    '/etc/hosts',
+    '/etc/hostname',
+    '/etc/timezone',
+    '/etc/apt/sources.list',
+    '/etc/apt/sources.list.d',
+    '/etc/apt/keyrings',
+    '/etc/sysctl.conf',
+    '/etc/sysctl.d',
+    '/etc/security',
+    '/etc/php',
+    '/etc/guardian',
+    '/etc/cloud',
+    '/etc/default',
+    '/etc/ntpsec',
+    '/etc/logrotate.d',
+    '/etc/docker/daemon.json',
+    '/etc/nftables.conf',
+    '/var/lib/fleet',
+    '/var/lib/letsencrypt',
+    '/var/lib/fail2ban',
+    '/usr/local/bin',
+    '/usr/local/sbin',
+    '/opt/coreruleset',
+    '/root/firewall',
+];
+export const ROOT_HOME_PATHS = [
+    '/root/.ssh',
+    '/root/.docker/config.json',
+    '/root/.docker/.token_seed',
+    '/root/.secrets',
+    '/root/.gnupg',
+    '/root/.aws',
+    '/root/.gcloud',
+    '/root/.azure',
+    '/root/.kube',
+    '/root/.gitconfig',
+    '/root/.npmrc',
+    '/root/.bashrc',
+    '/root/.bash_profile',
+    '/root/.bash_history',
+    '/root/.claude',
+    '/root/.claude.json',
+    '/root/.mcp.json',
+    '/root/.gmail-mcp/tokens',
+    '/root/.cargo/credentials.toml',
+    '/root/.cargo/config.toml',
+    '/root/.pm2/dump.pm2',
+    '/root/.pm2/module_conf.json',
+];
+/** excludes for root-home and user-home: claude code regeneratable state
+ *  (sessions, plugin caches, telemetry) and tool caches that take GBs but
+ *  contain nothing the user authored. credentials.json, settings, hooks,
+ *  skills, plans, mcp.json all stay. */
+export const HOME_EXCLUDES = [
+    '**/.claude/projects',
+    '**/.claude/plugins/data',
+    '**/.claude/plugins/cache',
+    '**/.claude/plugins/marketplaces',
+    '**/.claude/plugins/install-counts-cache.json',
+    '**/.claude/file-history',
+    '**/.claude/paste-cache',
+    '**/.claude/telemetry',
+    '**/.claude/todos',
+    '**/.claude/tasks',
+    '**/.claude/backups',
+    '**/.claude/session-env',
+    '**/.claude/sessions',
+    '**/.claude/cache',
+    '**/.claude/debug',
+    '**/.claude/shell-snapshots',
+    '**/.claude/usage-data',
+    '**/.claude/cc-counter',
+    '**/.claude/statsig',
+    '**/.claude/stats-cache.json',
+    '**/.claude/history.jsonl',
+    '**/.claude/ide',
+    '**/.claude/downloads',
+    '**/.claude/mcp-needs-auth-cache.json',
+    '**/.claude/.last-cleanup',
+    '**/.claude/hooks/.last_test_run_*',
+    '*.log',
+];
+/** the operator's home-dir paths worth backing up — dotfiles and agent
+ *  state, never app working directories. derived from the configured home. */
+export function userHomePaths(homeDir) {
+    return [
+        `${homeDir}/.ssh`,
+        `${homeDir}/.gitconfig`,
+        `${homeDir}/.docker/config.json`,
+        `${homeDir}/.config/gh`,
+        `${homeDir}/.config/op`,
+        `${homeDir}/.aws`,
+        `${homeDir}/.gnupg`,
+        `${homeDir}/.terraform.d`,
+        `${homeDir}/.claude`,
+        `${homeDir}/.claude.json`,
+        `${homeDir}/.mcp.json`,
+        `${homeDir}/.bashrc`,
+        `${homeDir}/.bash_history`,
+        `${homeDir}/.profile`,
+        `${homeDir}/.local/bin`,
+    ];
+}
+export const USER_HOME_EXCLUDES = [
+    ...HOME_EXCLUDES,
+    '*.cache',
+    '.npm',
+    '.yarn',
+    '.cargo/registry',
+    '.cargo/git',
+    '.gradle/caches',
+    '.local/share',
+    'node_modules',
+];
+export function systemConfig() {
+    return {
+        app: 'system',
+        schedule: 'daily',
+        paths: SYSTEM_PATHS,
+        exclude: ['*.log', '*.pid', '.cache'],
+        retention: DEFAULT_RETENTION,
+    };
+}
+export function rootHomeConfig() {
+    return {
+        app: 'root-home',
+        schedule: 'daily',
+        paths: ROOT_HOME_PATHS,
+        exclude: HOME_EXCLUDES,
+        retention: DEFAULT_RETENTION,
+    };
+}
+/** shared-cluster dumps. these are safety nets — they capture every database
+ *  in the shared container as one big stream. per-app preDump entries are
+ *  preferred for routine restore granularity (run hourly), but these run
+ *  daily and catch DBs the per-app list doesn't enumerate. */
+export function sharedPostgresConfig() {
+    return {
+        app: 'shared-postgres',
+        schedule: 'daily',
+        paths: [],
+        exclude: [],
+        // postgres_user=postgres is set in compose env; pg_dumpall uses unix-socket
+        // peer auth so no password needed inside the container.
+        preDump: { type: 'postgres', container: 'shared-postgres', user: 'postgres' },
+        retention: { daily: 14, weekly: 8, monthly: 12 },
+    };
+}
+export function sharedMysqlConfig() {
+    return {
+        app: 'shared-mysql',
+        schedule: 'daily',
+        paths: [],
+        exclude: [],
+        // shared-mysql uses docker secrets — password lives at the file path below,
+        // not in an env var.
+        preDump: {
+            type: 'mysql',
+            container: 'shared-mysql',
+            user: 'root',
+            passwordFile: '/run/secrets/mysql_root_password',
+        },
+        retention: { daily: 14, weekly: 8, monthly: 12 },
+    };
+}
+export function sharedMongoConfig() {
+    return {
+        app: 'shared-mongodb',
+        schedule: 'daily',
+        paths: [],
+        exclude: [],
+        preDump: {
+            type: 'mongo',
+            container: 'shared-mongodb',
+            user: 'root',
+            passwordFile: '/run/secrets/mongo_root_password',
+        },
+        retention: { daily: 14, weekly: 8, monthly: 12 },
+    };
+}
+export function userHomeConfig() {
+    return {
+        app: 'user-home',
+        schedule: 'daily',
+        paths: userHomePaths(loadOperator().homeDir),
+        exclude: USER_HOME_EXCLUDES,
+        retention: DEFAULT_RETENTION,
+    };
+}

package/dist/core/backup/totp.d.ts

@@ -0,0 +1,16 @@
+/** new random 20-byte secret, base32-encoded for authenticator apps. */
+export declare function generateSecret(): string;
+/** the 6-digit TOTP code for a base32 secret at a given epoch-ms time. */
+export declare function totpCode(secretB32: string, atMs?: number): string;
+/** true if `code` is valid for the secret within a +/-1 step window. */
+export declare function verifyTotp(secretB32: string, code: string, atMs?: number): boolean;
+/** otpauth:// enrolment URI — paste into 1Password or an authenticator app. */
+export declare function totpUri(secretB32: string, label: string, issuer: string): string;
+export interface SessionPayload {
+    /** epoch-ms expiry. */
+    exp: number;
+}
+/** signs a session payload as `<body>.<hmac>` (hmac-sha256). */
+export declare function signSession(payload: SessionPayload, secret: string): string;
+/** verifies a session cookie; returns the payload or null if invalid/expired. */
+export declare function verifySession(cookie: string, secret: string, nowMs?: number): SessionPayload | null;

package/dist/core/backup/totp.js

@@ -0,0 +1,116 @@
+import { createHmac, randomBytes, timingSafeEqual } from 'node:crypto';
+const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+function base32Encode(buf) {
+    let bits = 0;
+    let value = 0;
+    let out = '';
+    for (const byte of buf) {
+        value = (value << 8) | byte;
+        bits += 8;
+        while (bits >= 5) {
+            out += B32[(value >>> (bits - 5)) & 31];
+            bits -= 5;
+        }
+    }
+    if (bits > 0)
+        out += B32[(value << (5 - bits)) & 31];
+    return out;
+}
+function base32Decode(s) {
+    const clean = s.replace(/=+$/, '').toUpperCase().replace(/\s/g, '');
+    let bits = 0;
+    let value = 0;
+    const out = [];
+    for (const c of clean) {
+        const idx = B32.indexOf(c);
+        if (idx === -1)
+            throw new Error(`invalid base32 char: ${c}`);
+        value = (value << 5) | idx;
+        bits += 5;
+        if (bits >= 8) {
+            out.push((value >>> (bits - 8)) & 0xff);
+            bits -= 8;
+        }
+    }
+    return Buffer.from(out);
+}
+function hotp(secret, counter) {
+    const buf = Buffer.alloc(8);
+    buf.writeBigUInt64BE(BigInt(counter));
+    const hmac = createHmac('sha1', secret).update(buf).digest();
+    const offset = hmac[hmac.length - 1] & 0x0f;
+    const bin = ((hmac[offset] & 0x7f) << 24) |
+        ((hmac[offset + 1] & 0xff) << 16) |
+        ((hmac[offset + 2] & 0xff) << 8) |
+        (hmac[offset + 3] & 0xff);
+    return (bin % 1_000_000).toString().padStart(6, '0');
+}
+function timingSafeEqualStr(a, b) {
+    const ba = Buffer.from(a);
+    const bb = Buffer.from(b);
+    if (ba.length !== bb.length)
+        return false;
+    return timingSafeEqual(ba, bb);
+}
+/** new random 20-byte secret, base32-encoded for authenticator apps. */
+export function generateSecret() {
+    return base32Encode(randomBytes(20));
+}
+/** the 6-digit TOTP code for a base32 secret at a given epoch-ms time. */
+export function totpCode(secretB32, atMs = Date.now()) {
+    const counter = Math.floor(atMs / 1000 / 30);
+    return hotp(base32Decode(secretB32), counter);
+}
+/** true if `code` is valid for the secret within a +/-1 step window. */
+export function verifyTotp(secretB32, code, atMs = Date.now()) {
+    if (!/^\d{6}$/.test(code))
+        return false;
+    const secret = base32Decode(secretB32);
+    const counter = Math.floor(atMs / 1000 / 30);
+    for (let w = -1; w <= 1; w++) {
+        if (timingSafeEqualStr(hotp(secret, counter + w), code))
+            return true;
+    }
+    return false;
+}
+/** otpauth:// enrolment URI — paste into 1Password or an authenticator app. */
+export function totpUri(secretB32, label, issuer) {
+    const l = encodeURIComponent(label);
+    const i = encodeURIComponent(issuer);
+    return `otpauth://totp/${i}:${l}?secret=${secretB32}&issuer=${i}&period=30&digits=6&algorithm=SHA1`;
+}
+function b64url(buf) {
+    return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+function b64urlDecode(s) {
+    return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
+}
+/** signs a session payload as `<body>.<hmac>` (hmac-sha256). */
+export function signSession(payload, secret) {
+    const body = b64url(Buffer.from(JSON.stringify(payload)));
+    const sig = b64url(createHmac('sha256', secret).update(body).digest());
+    return `${body}.${sig}`;
+}
+/** verifies a session cookie; returns the payload or null if invalid/expired. */
+export function verifySession(cookie, secret, nowMs = Date.now()) {
+    const parts = cookie.split('.');
+    if (parts.length !== 2)
+        return null;
+    const [body, sig] = parts;
+    const expected = b64url(createHmac('sha256', secret).update(body).digest());
+    if (!timingSafeEqualStr(sig, expected))
+        return null;
+    let payload;
+    try {
+        payload = JSON.parse(b64urlDecode(body).toString('utf-8'));
+    }
+    catch {
+        return null;
+    }
+    if (payload === null || typeof payload !== 'object')
+        return null;
+    const exp = payload.exp;
+    if (typeof exp !== 'number' || exp < nowMs)
+        return null;
+    return { exp };
+}

package/dist/core/backup/types.d.ts

@@ -0,0 +1,70 @@
+export type Retention = {
+    hourly?: number;
+    daily?: number;
+    weekly?: number;
+    monthly?: number;
+    yearly?: number;
+};
+export type Schedule = 'hourly' | '*-*-* 00/3:00:00' | '*-*-* 00/6:00:00' | '*-*-* 00/12:00:00' | 'daily' | 'weekly';
+export type DumpType = 'postgres' | 'mysql' | 'mongo' | 'redis';
+export interface DumpHook {
+    type: DumpType;
+    container: string;
+    /** for postgres/mysql: database name. for mongo: optional db filter. for redis: ignored. */
+    db?: string;
+    /** literal user value passed to the dump tool. takes precedence over userEnv.
+     *  defaults sensibly per type (postgres: $POSTGRES_USER, mysql: root, mongo: root). */
+    user?: string;
+    /** port the db listens on inside the container. only used for redis (which
+     *  has a default of 6379 but glitchtip et al re-bind to non-standard ports). */
+    port?: number;
+    /** path inside the container that holds the password (docker secrets pattern).
+     *  preferred over passwordEnv because shared-* containers use _FILE secrets. */
+    passwordFile?: string;
+    /** shell command executed on the HOST (outside the container) whose stdout
+     *  becomes the password. used when the secret lives in a host .env file that
+     *  was consumed by docker-compose at startup but is no longer present in
+     *  the container. fleet runs as root so it can read those files. */
+    passwordHostCommand?: string;
+    /** env var name in the container that holds the user. legacy. */
+    userEnv?: string;
+    /** env var name in the container that holds the password. legacy. */
+    passwordEnv?: string;
+}
+export interface AppBackupConfig {
+    /** the app name as known to fleet (or `system`, `root-home`, `user-home` for pseudo-apps). */
+    app: string;
+    /** systemd OnCalendar expression. */
+    schedule: Schedule;
+    /** filesystem paths to include. */
+    paths: string[];
+    /** glob patterns to exclude. */
+    exclude: string[];
+    /** named docker volumes to dump alongside fs paths. */
+    volumes?: string[];
+    /** db dump to run before snapshot. */
+    preDump?: DumpHook;
+    /** post-snapshot cmd to run inside the host (rare). */
+    postHook?: string;
+    /** retention policy applied after every snapshot via restic forget --prune. */
+    retention: Retention;
+    /** disable: skip this app entirely. */
+    disabled?: boolean;
+}
+export interface SnapshotInfo {
+    id: string;
+    shortId: string;
+    time: string;
+    hostname: string;
+    paths: string[];
+    tags: string[];
+    sizeBytes?: number;
+}
+export interface RepoStats {
+    totalSize: number;
+    totalFileCount: number;
+    snapshotCount: number;
+}
+export declare const PSEUDO_APPS: readonly ["system", "root-home", "user-home", "shared-postgres", "shared-mysql", "shared-mongodb"];
+export type PseudoApp = typeof PSEUDO_APPS[number];
+export declare function isPseudoApp(name: string): name is PseudoApp;

package/dist/core/backup/types.js

@@ -0,0 +1,7 @@
+export const PSEUDO_APPS = [
+    'system', 'root-home', 'user-home',
+    'shared-postgres', 'shared-mysql', 'shared-mongodb',
+];
+export function isPseudoApp(name) {
+    return PSEUDO_APPS.includes(name);
+}

package/dist/core/backup/unlock.d.ts

@@ -0,0 +1,19 @@
+import { FleetError } from '../errors.js';
+/** absolute path to the age recipient public key. */
+export declare function agePubPath(): string;
+/** systemd credstore entry holding the age identity. */
+export declare function ageKeyCred(): string;
+/** absolute path to the age unlock helper script. */
+export declare function unlockScript(): string;
+export declare class UnlockError extends FleetError {
+}
+/** path to the per-app age-encrypted restic password file. */
+export declare function vaultPath(app: string): string;
+/** path the running fleet binary points restic at as RESTIC_PASSWORD_COMMAND. */
+export declare function passwordCommandFor(app: string): string;
+/** returns the age public key (the recipient we encrypt restic passwords to). */
+export declare function readPubKey(): string;
+/** generate a random base64 password and age-encrypt it to the vault file. */
+export declare function generateAndStorePassword(app: string): void;
+/** read+decrypt the restic password for an app (held in memory only). */
+export declare function fetchPassword(app: string): string;

package/dist/core/backup/unlock.js

@@ -0,0 +1,69 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { requireEnv } from '../env.js';
+import { FleetError } from '../errors.js';
+import { execSafe } from '../exec.js';
+import { backupVaultDir } from './config.js';
+/** absolute path to the age recipient public key. */
+export function agePubPath() { return requireEnv('FLEET_BACKUP_AGE_PUB'); }
+/** systemd credstore entry holding the age identity. */
+export function ageKeyCred() { return requireEnv('FLEET_BACKUP_AGE_KEY_CRED'); }
+/** absolute path to the age unlock helper script. */
+export function unlockScript() { return requireEnv('FLEET_BACKUP_UNLOCK_SCRIPT'); }
+export class UnlockError extends FleetError {
+}
+/** path to the per-app age-encrypted restic password file. */
+export function vaultPath(app) {
+    return join(backupVaultDir(), `${app}.age`);
+}
+/** path the running fleet binary points restic at as RESTIC_PASSWORD_COMMAND. */
+export function passwordCommandFor(app) {
+    return `/usr/local/sbin/fleet-restic-app-key.sh ${app}`;
+}
+/** returns the age public key (the recipient we encrypt restic passwords to). */
+export function readPubKey() {
+    const pubPath = agePubPath();
+    if (!existsSync(pubPath)) {
+        throw new UnlockError(`age public key not found at ${pubPath}. run fleet backup init.`);
+    }
+    const r = execSafe('cat', [pubPath], { timeout: 2_000 });
+    if (!r.ok)
+        throw new UnlockError(`failed reading ${pubPath}: ${r.stderr}`);
+    const pub = r.stdout.trim();
+    if (!pub.startsWith('age1'))
+        throw new UnlockError(`malformed age pubkey at ${pubPath}`);
+    return pub;
+}
+/** generate a random base64 password and age-encrypt it to the vault file. */
+export function generateAndStorePassword(app) {
+    const dir = backupVaultDir();
+    if (!existsSync(dir)) {
+        execSafe('mkdir', ['-p', '--mode=700', dir], { timeout: 2_000 });
+    }
+    const pub = readPubKey();
+    // pipe: openssl rand -base64 48 | tr -d \n | age -e -r <pub> > vault
+    const out = vaultPath(app);
+    const r = execSafe('sh', ['-c', `openssl rand -base64 48 | tr -d '\\n' | age -e -r ${pub} > ${shellEscape(out)} && chmod 600 ${shellEscape(out)}`], { timeout: 10_000 });
+    if (!r.ok)
+        throw new UnlockError(`vault write failed: ${r.stderr}`);
+}
+/** read+decrypt the restic password for an app (held in memory only). */
+export function fetchPassword(app) {
+    if (!existsSync(vaultPath(app))) {
+        throw new UnlockError(`no vault entry for app ${app}. run: fleet backup init ${app}`);
+    }
+    const keyCred = ageKeyCred();
+    if (!existsSync(keyCred)) {
+        throw new UnlockError(`age key credential not found at ${keyCred}. setup incomplete.`);
+    }
+    const r = execSafe('sh', ['-c', `${shellEscape(unlockScript())} | age -d -i /dev/stdin ${shellEscape(vaultPath(app))}`], { timeout: 5_000 });
+    if (!r.ok)
+        throw new UnlockError(`password decrypt failed: ${r.stderr}`);
+    const pass = r.stdout;
+    if (!pass)
+        throw new UnlockError(`decrypted password empty`);
+    return pass;
+}
+function shellEscape(s) {
+    return `'${s.replace(/'/g, "'\\''")}'`;
+}