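#!/usr/bin/env bash
set -euo pipefail
# =============================================================================
# setup/cross_host_ssh.sh — Establish SSH trust between Unraid and Fedora
#
# The backup/restore scripts do direct SCP between these hosts. This script
# generates ed25519 key pairs on each remote (if missing) and distributes
# public keys to the other host's authorized_keys.
#
# Runs from MacBook — orchestrates via SSH to both remotes.
# Idempotent: skips key generation if keys exist, skips authorized_keys
# entries if already present (and refuses to proceed if the marker is
# present but attached to a different, stale key).
#
# Security notes:
#   * Keys are generated without a passphrase (unattended automation) at the
#     DEFAULT path ~/.ssh/id_ed25519. An existing key at that path is reused
#     and granted access to the peer as-is.
#   * The public key text read from one host is embedded in a shell command
#     executed on the other host. It is validated (validate_pubkey) first so
#     a crafted comment field cannot turn into remote command injection.
#   * authorized_keys entries carry no from=/restrict options.
#     NOTE(review): consider from="<peer ip>" once the source address each
#     host sees for the other is confirmed (NAT would break a naive value).
#   * Cross-host host keys are accepted on first contact (accept-new/TOFU)
#     during verification; pre-seed known_hosts if that matters to you.
# =============================================================================

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
# shellcheck source=../lib/common.sh
# shellcheck disable=SC1091
source "${SCRIPT_DIR}/../lib/common.sh"

load_env
require_vars UNRAID_IP UNRAID_SSH_USER UNRAID_SSH_PORT \
  FEDORA_IP FEDORA_SSH_USER FEDORA_SSH_PORT

# Comment markers appended to authorized_keys entries so cleanup can
# identify and remove exactly the lines this script added.
readonly UNRAID_KEY_MARKER="gitea-migration-from-unraid"
readonly FEDORA_KEY_MARKER="gitea-migration-from-fedora"

#######################################
# Check that a public key line read from a remote is a plain ed25519 key
# that is safe to embed inside a single-quoted remote shell command.
# Arguments: $1 - contents of id_ed25519.pub (one line)
# Returns:   0 when the line is "ssh-ed25519 <base64>[ <comment>]" and the
#            comment contains neither a single quote nor control characters,
#            1 otherwise
#######################################
validate_pubkey() {
  local line=$1
  # The comment class excludes ' (would terminate the remote quoting) and
  # control characters (newline would smuggle a second authorized_keys line).
  local re="^ssh-ed25519 [A-Za-z0-9+/]+=*( [^'[:cntrl:]]*)?\$"
  [[ "$line" =~ $re ]]
}

#######################################
# Generate an ed25519 key pair on a remote if ~/.ssh/id_ed25519 is absent and
# record the generation in that host's manifest for rollback.
# Arguments: $1 - ssh_exec target (UNRAID|FEDORA)
#            $2 - manifest name (unraid|fedora)
#            $3 - human label for log lines (Unraid|Fedora)
#            $4 - key comment passed to ssh-keygen -C
#######################################
ensure_remote_key() {
  local target=$1 manifest=$2 label=$3 comment=$4

  log_info "Checking SSH key on ${label}..."
  if ssh_exec "$target" "test -f ~/.ssh/id_ed25519" 2>/dev/null; then
    log_success "${label} already has an ed25519 key — skipping generation"
    return 0
  fi

  log_info "Generating ed25519 key pair on ${label}..."
  # ed25519 — modern, fast, small keys. -N '' : no passphrase (automation key).
  ssh_exec "$target" "mkdir -p ~/.ssh && chmod 700 ~/.ssh && ssh-keygen -t ed25519 -N '' -f ~/.ssh/id_ed25519 -C '${comment}'"
  # shellcheck disable=SC2088 # tilde is intentionally literal — expanded by remote shell
  manifest_record "$manifest" "ssh_key" "~/.ssh/id_ed25519"
  log_success "${label} SSH key generated"
}

#######################################
# Append a (validated) public key to a remote's authorized_keys, tagged with a
# marker comment so cleanup.sh can remove exactly this line.
# Arguments: $1 - ssh_exec target that receives the key (UNRAID|FEDORA)
#            $2 - manifest name of the receiving host (unraid|fedora)
#            $3 - label of the host whose key is installed (for logs)
#            $4 - label of the receiving host (for logs)
#            $5 - public key line, already checked by validate_pubkey
#            $6 - marker comment
# Exits 1 if the marker is present but belongs to a different key (stale
# entry from a rotated key pair) — continuing would only fail later in the
# connectivity check with a less specific message.
#######################################
install_peer_key() {
  local target=$1 manifest=$2 from_label=$3 to_label=$4 pubkey=$5 marker=$6
  local ktype kblob _rest keymat

  # "<type> <blob>" is the identity of the key; the comment is not.
  read -r ktype kblob _rest <<<"$pubkey"
  keymat="${ktype} ${kblob}"

  if ssh_exec "$target" "grep -qF '${marker}' ~/.ssh/authorized_keys 2>/dev/null"; then
    if ssh_exec "$target" "grep -qF -- '${keymat}' ~/.ssh/authorized_keys 2>/dev/null"; then
      log_success "${from_label}'s key already in ${to_label}'s authorized_keys — skipping"
      return 0
    fi
    log_error "${to_label}'s authorized_keys has a '${marker}' entry for a different key"
    log_error "Remove the stale entry (cleanup.sh) and re-run"
    exit 1
  fi

  # pubkey is safe to single-quote here: validate_pubkey rejected ' and
  # control characters. Everything after the blob is a comment to sshd.
  ssh_exec "$target" "mkdir -p ~/.ssh && chmod 700 ~/.ssh && printf '%s %s\n' '${pubkey}' '# ${marker}' >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
  manifest_record "$manifest" "authorized_key" "$marker"
  log_success "${from_label}'s public key added to ${to_label}'s authorized_keys"
}

#######################################
# Verify that one remote can reach the other over SSH using key auth only.
# Uses the same test command as preflight checks 23-24 so the exact path
# the backup/restore scripts will use is what gets exercised.
# Arguments: $1 - ssh_exec target that initiates (UNRAID|FEDORA)
#            $2 - initiator label, $3 - peer label (for logs)
#            $4 - peer user, $5 - peer ip, $6 - peer port
#######################################
verify_cross_ssh() {
  local target=$1 from_label=$2 to_label=$3 user=$4 ip=$5 port=$6

  log_info "Verifying ${from_label} → ${to_label} SSH..."
  # BatchMode=yes: never prompt, so a missing/unaccepted key fails here.
  # StrictHostKeyChecking=accept-new: peer host key is trusted on first
  # contact and pinned in the initiator's known_hosts afterwards (TOFU).
  if ssh_exec "$target" "ssh -o ConnectTimeout=10 -o StrictHostKeyChecking=accept-new -o BatchMode=yes -p '${port}' '${user}@${ip}' true" &>/dev/null; then
    log_success "${from_label} → ${to_label} SSH works"
  else
    log_error "${from_label} → ${to_label} SSH failed after key distribution"
    log_error "Check that ${user}@${ip}:${port} accepts key auth"
    exit 1
  fi
}

main() {
  local unraid_pubkey fedora_pubkey

  log_info "=== Cross-Host SSH Trust Setup ==="

  # -------------------------------------------------------------------------
  # Verify MacBook can reach both hosts first
  # -------------------------------------------------------------------------
  log_info "Verifying MacBook can reach both hosts..."
  if ! ssh_check UNRAID; then
    log_error "Cannot SSH to Unraid — run setup/unraid.sh first"
    exit 1
  fi
  if ! ssh_check FEDORA; then
    log_error "Cannot SSH to Fedora — run setup/fedora.sh first"
    exit 1
  fi
  log_success "MacBook can reach both hosts"

  # -------------------------------------------------------------------------
  # Manifest — track key generation and authorized_keys entries for rollback.
  # Both hosts get a key pair AND an authorized_keys entry (from the other
  # host), so both manifests are initialised.
  # -------------------------------------------------------------------------
  manifest_init "unraid"
  manifest_init "fedora"

  # Steps 1-2: key pairs on each remote
  ensure_remote_key UNRAID unraid Unraid "${UNRAID_SSH_USER}@unraid-gitea-migration"
  ensure_remote_key FEDORA fedora Fedora "${FEDORA_SSH_USER}@fedora-gitea-migration"

  # Step 3: Unraid's public key → Fedora's authorized_keys
  log_info "Distributing Unraid's public key to Fedora..."
  unraid_pubkey=$(ssh_exec UNRAID "cat ~/.ssh/id_ed25519.pub")
  if [[ -z "$unraid_pubkey" ]]; then
    log_error "Failed to read Unraid's public key"
    exit 1
  fi
  if ! validate_pubkey "$unraid_pubkey"; then
    log_error "Unraid's ~/.ssh/id_ed25519.pub is not a plain ed25519 key line — refusing to install it"
    exit 1
  fi
  install_peer_key FEDORA fedora Unraid Fedora "$unraid_pubkey" "$UNRAID_KEY_MARKER"

  # Step 4: Fedora's public key → Unraid's authorized_keys
  log_info "Distributing Fedora's public key to Unraid..."
  fedora_pubkey=$(ssh_exec FEDORA "cat ~/.ssh/id_ed25519.pub")
  if [[ -z "$fedora_pubkey" ]]; then
    log_error "Failed to read Fedora's public key"
    exit 1
  fi
  if ! validate_pubkey "$fedora_pubkey"; then
    log_error "Fedora's ~/.ssh/id_ed25519.pub is not a plain ed25519 key line — refusing to install it"
    exit 1
  fi
  install_peer_key UNRAID unraid Fedora Unraid "$fedora_pubkey" "$FEDORA_KEY_MARKER"

  # Step 5: cross-host connectivity, both directions
  verify_cross_ssh UNRAID Unraid Fedora \
    "$FEDORA_SSH_USER" "$FEDORA_IP" "${FEDORA_SSH_PORT:-22}"
  verify_cross_ssh FEDORA Fedora Unraid \
    "$UNRAID_SSH_USER" "$UNRAID_IP" "${UNRAID_SSH_PORT:-22}"

  # -------------------------------------------------------------------------
  # Summary
  # -------------------------------------------------------------------------
  log_success "Cross-host SSH trust established"
  log_info "  Unraid → Fedora: backup/backup_primary.sh can SCP dumps"
  log_info "  Fedora → Unraid: backup/restore_to_primary.sh can SCP archives"
}

main "$@"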