feat(02-01): add config backup env vars, NATS event, device SSH fields, migration, metrics

- Config: CONFIG_BACKUP_INTERVAL (21600s), CONFIG_BACKUP_MAX_CONCURRENT (10), CONFIG_BACKUP_COMMAND_TIMEOUT (60s) - NATS: ConfigSnapshotEvent type, PublishConfigSnapshot method, config.snapshot.> stream subject - Device: SSHPort/SSHHostKeyFingerprint fields, UpdateSSHHostKey method, updated queries/scans - Migration 028: ssh_port, ssh_host_key_fingerprint, timestamp columns with poller_user grants - Metrics: ConfigBackupTotal (counter), ConfigBackupDuration (histogram), ConfigBackupActive (gauge) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 20:48:12 -05:00
parent f1abb75cab
commit 4ae39d2cb3
5 changed files with 162 additions and 4 deletions
--- a/backend/alembic/versions/028_device_ssh_host_key.py
+++ b/backend/alembic/versions/028_device_ssh_host_key.py
@@ -0,0 +1,64 @@
+"""Add SSH host key columns to devices table.
+
+Adds columns for SSH config backup support:
+- ssh_port: SSH port override (default 22)
+- ssh_host_key_fingerprint: TOFU host key fingerprint (SHA256:base64)
+- ssh_host_key_first_seen: when the host key was first observed
+- ssh_host_key_last_verified: when the host key was last verified
+
+Grants UPDATE on SSH columns to poller_user for TOFU persistence.
+
+Revision ID: 028
+Revises: 027
+Create Date: 2026-03-13
+"""
+
+revision = "028"
+down_revision = "027"
+branch_labels = None
+depends_on = None
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade() -> None:
+    conn = op.get_bind()
+
+    conn.execute(sa.text(
+        "ALTER TABLE devices ADD COLUMN ssh_port INTEGER DEFAULT 22"
+    ))
+    conn.execute(sa.text(
+        "ALTER TABLE devices ADD COLUMN ssh_host_key_fingerprint TEXT"
+    ))
+    conn.execute(sa.text(
+        "ALTER TABLE devices ADD COLUMN ssh_host_key_first_seen TIMESTAMPTZ"
+    ))
+    conn.execute(sa.text(
+        "ALTER TABLE devices ADD COLUMN ssh_host_key_last_verified TIMESTAMPTZ"
+    ))
+
+    # Grant poller_user UPDATE on SSH columns for TOFU host key persistence
+    conn.execute(sa.text(
+        "GRANT UPDATE (ssh_host_key_fingerprint, ssh_host_key_first_seen, ssh_host_key_last_verified) ON devices TO poller_user"
+    ))
+
+
+def downgrade() -> None:
+    conn = op.get_bind()
+
+    conn.execute(sa.text(
+        "REVOKE UPDATE (ssh_host_key_fingerprint, ssh_host_key_first_seen, ssh_host_key_last_verified) ON devices FROM poller_user"
+    ))
+    conn.execute(sa.text(
+        "ALTER TABLE devices DROP COLUMN ssh_host_key_last_verified"
+    ))
+    conn.execute(sa.text(
+        "ALTER TABLE devices DROP COLUMN ssh_host_key_first_seen"
+    ))
+    conn.execute(sa.text(
+        "ALTER TABLE devices DROP COLUMN ssh_host_key_fingerprint"
+    ))
+    conn.execute(sa.text(
+        "ALTER TABLE devices DROP COLUMN ssh_port"
+    ))