feat: add cross-host SSH trust, state-aware teardown, and configurable migration polling

- Add setup/cross_host_ssh.sh to establish ed25519 SSH trust between Unraid and Fedora (required by backup/restore scripts for direct SCP) - Add ssh_key and authorized_key cleanup handlers to setup/cleanup.sh - Rewrite phase8 cutover to mark GitHub repos as mirrors instead of archiving them (archived repos reject push mirror writes), with a JSON state snapshot of pre-cutover settings (description, homepage, wiki, projects, Pages) for exact restoration on teardown - Rewrite phase8 teardown to restore from state snapshot with fallback to legacy "— was:" description parsing - Make migration polling configurable via MIGRATION_POLL_INTERVAL_SEC and MIGRATION_POLL_TIMEOUT_SEC in .env (was hardcoded 120s/3s) - Fix preflight SSL validation: check SSL_MODE instead of always requiring SSL_EMAIL, add conditional checks per SSL_MODE - Add preflight checks 23-24: cross-host SSH connectivity - Add --start-from range validation and cross_host_ssh.sh to run_all.sh Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-28 20:50:41 -05:00
parent dc08375ad0
commit 316d318b5e
8 changed files with 509 additions and 31 deletions
--- a/setup/cleanup.sh
+++ b/setup/cleanup.sh
@@ -166,6 +166,27 @@ cleanup_xcode_cli() {
  sudo rm -rf /Library/Developer/CommandLineTools 2>/dev/null || log_warn "Failed to remove Xcode CLI Tools (may need sudo)"
 }

+cleanup_ssh_key() {
+  local host_key="$1" path="$2"
+  if [[ "$DRY_RUN" == "true" ]]; then
+    log_info "[dry-run] Would remove SSH key pair on ${host_key}: ${path}"
+    return 0
+  fi
+  log_info "Removing SSH key pair on ${host_key}: ${path}"
+  # No single quotes around path — tilde must expand on the remote shell
+  ssh_exec "$host_key" "rm -f ${path} ${path}.pub" 2>/dev/null || log_warn "Failed to remove SSH key on ${host_key}"
+}
+
+cleanup_authorized_key() {
+  local host_key="$1" marker="$2"
+  if [[ "$DRY_RUN" == "true" ]]; then
+    log_info "[dry-run] Would remove authorized_key entry '${marker}' on ${host_key}"
+    return 0
+  fi
+  log_info "Removing authorized_key entry '${marker}' on ${host_key}"
+  ssh_exec "$host_key" "sed -i '/# ${marker}/d' ~/.ssh/authorized_keys" 2>/dev/null || log_warn "Failed to remove authorized_key '${marker}' on ${host_key}"
+}
+
 # ---------------------------------------------------------------------------
 # Map host names to SSH host keys for remote operations
 # ---------------------------------------------------------------------------
@@ -269,6 +290,30 @@ for host in "${HOSTS[@]}"; do
          FAILED=$((FAILED + 1))
        fi
        ;;
+      ssh_key)
+        if [[ -z "$ssh_key" ]]; then
+          log_warn "Cannot clean up ssh_key '$target' — no SSH key for host '$host'"
+          FAILED=$((FAILED + 1))
+          continue
+        fi
+        if cleanup_ssh_key "$ssh_key" "$target"; then
+          CLEANED=$((CLEANED + 1))
+        else
+          FAILED=$((FAILED + 1))
+        fi
+        ;;
+      authorized_key)
+        if [[ -z "$ssh_key" ]]; then
+          log_warn "Cannot clean up authorized_key '$target' — no SSH key for host '$host'"
+          FAILED=$((FAILED + 1))
+          continue
+        fi
+        if cleanup_authorized_key "$ssh_key" "$target"; then
+          CLEANED=$((CLEANED + 1))
+        else
+          FAILED=$((FAILED + 1))
+        fi
+        ;;
      *)
        log_warn "Unknown action type '${action_type}' for target '${target}' — skipping"
        FAILED=$((FAILED + 1))