# Cloud Host Backup Plan

## Security Architecture

### Current Setup

- **astyanax** (local): `b2:lmd005` - single repo, all hosts mixed
- **andromache** (cloud): manual backup via script to `b2:lmd005:desktop-arch`

### Recommended Setup

#### 1. Repository Isolation

Each host gets its own restic repository in a separate subdirectory:

```
b2:lmd005:astyanax/     # restic repo for astyanax
b2:lmd005:andromache/   # restic repo for andromache
b2:lmd005:<host>/       # restic repo for each host
```

**Benefits:**

- Cryptographic isolation (different restic keys per repo)
- Can't accidentally prune/delete other hosts' backups
- Easier to restore/manage individual hosts
- Can use B2 lifecycle rules per subdirectory

#### 2. Credential Isolation

Each host gets its own B2 Application Key restricted to its subdirectory:

```
B2 Key for astyanax:   access to `lmd005:astyanax/*`
B2 Key for andromache: access to `lmd005:andromache/*`
```

**Security benefits:**

- If a host is compromised, the attacker can only access that host's backups
- Cannot delete/read other hosts' backups
- Principle of least privilege

#### 3. Cloud Host Strategy (No B2 credentials on cloud hosts)

For cloud hosts like andromache:

```
andromache (cloud) --[SFTP]--> astyanax (local) --[B2]--> b2:lmd005:andromache/
```

- **andromache**: SSH access only, no B2 credentials
- **astyanax**: Pulls backups via SFTP from andromache, pushes to B2
- **B2 credentials**: Only stored on the trusted local machine (astyanax)

## Implementation Plan

### ✅ Phase 1: Update astyanax backup

- Change repository from `b2:lmd005` to `b2:lmd005:astyanax/` ✅
- Create new restic repo
- Migrate old snapshots if needed
- Update to use host-specific B2 key (when available)

### ✅ Phase 2: Implement cloud host backups

- Use SFTP-based module to pull from andromache ✅
- Store in `b2:lmd005:andromache/` ✅
- No B2 credentials on andromache ✅
- Daily automated backups ✅

### Phase 3: Cleanup old backups

- Clean up old `desktop-arch` snapshots
- Remove old mixed repo (once migration complete)

## Questions

1. Do you want to migrate existing astyanax snapshots to the new subdirectory, or start fresh?
2. Should astyanax have a master/admin B2 key to manage all backups, or just its own?
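As an added example for Phase 2 (not part of this plan or its SFTP backup module): a POSIX shell script run on astyanax that pulls a cloud host over SFTP and pushes the copy into that host's own repository, refusing any repository that is not scoped to a single host. The paths `/etc/restic/<host>.env` and `/srv/backup`, the staging directory and the `backup` SSH user are assumptions.

```shell
#!/bin/sh
# Pull-based backup of one cloud host, run on astyanax (Phase 2).
# Assumed layout: /etc/restic/<host>.env holds that host's B2 key and
# restic password file; the cloud host exposes /srv/backup to an SSH-only
# "backup" user. Constructed for this plan, not part of it.
set -eu

BUCKET=lmd005
STAGING=${STAGING:-/var/backups/staging}

# One restic repository per host: b2:<bucket>:<host>/
repo_for_host() {
    printf 'b2:%s:%s/\n' "$BUCKET" "$1"
}

# Accept only a repo scoped to a single host subdirectory; this rejects
# the old shared repo (b2:lmd005) as well as empty or nested host paths.
repo_is_host_scoped() {
    case "$1" in
        "b2:$BUCKET:"*/) ;;
        *) return 1 ;;
    esac
    host=${1#"b2:$BUCKET:"}; host=${host%/}
    case "$host" in
        ''|*/*) return 1 ;;
    esac
}

# Pull the host's data over SFTP; the cloud host holds no B2 credentials.
pull_host() {
    mkdir -p "$STAGING/$1"
    sftp -r "backup@$1:/srv/backup" "$STAGING/$1"
}

# Push the staged copy into the host's own repo with the B2 key that is
# restricted to lmd005:<host>/*; the key is only ever read on astyanax.
push_host() {
    repo=$(repo_for_host "$1")
    repo_is_host_scoped "$repo" || { echo "refusing repo $repo" >&2; return 1; }
    . "/etc/restic/$1.env"   # sets B2_ACCOUNT_ID, B2_ACCOUNT_KEY, RESTIC_PASSWORD_FILE
    restic -r "$repo" backup --host "$1" "$STAGING/$1"
    restic -r "$repo" forget --host "$1" --keep-daily 7 --keep-weekly 4 --prune
}

# Daily cron entry on astyanax: backup-cloud-host.sh andromache
if [ -n "${1:-}" ]; then
    pull_host "$1"
    push_host "$1"
fi
```

Keep `/etc/restic/<host>.env` readable by root only; the restic password file it points to is what gives each repo its own encryption key.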