feat(M1): Project scaffolding, DB schema, core infrastructure

- Initialize Rust workspace with 7 crates (pm-web, pm-worker, pm-core, pm-agent-client, pm-auth, pm-ca, pm-reports) - React + TypeScript + Vite + MUI frontend scaffold - Full PostgreSQL schema: all 17 tables with indexes and constraints - pm-core: config (TOML+env), db (SQLx pool + migrations), error (unified AppError + JSON envelope), request_id (ULID middleware), logging (tracing JSON/pretty) - pm-web: Axum skeleton, /status/health endpoint, static file serving - pm-worker: Tokio skeleton, heartbeat writer, schema version check - Embedded sqlx migrations with advisory lock (single-writer) - systemd unit files, setup.sh, build-frontend.sh - config.example.toml with all configuration keys - docs/runbooks/restore.md - cargo check passes with zero warnings Closes M1.
2026-04-23 15:55:53 +00:00
parent 3eb7fd9f95
commit da5a94d838
50 changed files with 6139 additions and 3 deletions
--- a/docs/runbooks/restore.md
+++ b/docs/runbooks/restore.md
@ -0,0 +1,76 @@
+# Linux Patch Manager — Backup & Restore Runbook
+
+## Overview
+
+This runbook covers backup and restoration of the Linux Patch Manager.
+The application state lives in:
+- PostgreSQL database (`patch_manager`)
+- Internal CA private key (`/etc/patch-manager/ca/ca.key`)
+- JWT signing key (`/etc/patch-manager/jwt/signing.pem`)
+- Application config (`/etc/patch-manager/config.toml`)
+- Operator-supplied TLS cert/key (if using `operator_supplied` strategy)
+
+## Backup
+
+### 1. Database
+```bash
+pg_dump -U patch_manager -Fc patch_manager > patch_manager_$(date +%Y%m%d_%H%M%S).dump
+```
+
+### 2. Configuration and Keys
+```bash
+tar -czf patch_manager_config_$(date +%Y%m%d_%H%M%S).tar.gz \
+    /etc/patch-manager/
+```
+> **Security:** The archive contains private keys. Encrypt before storing:
+> `gpg --symmetric patch_manager_config_*.tar.gz`
+
+### 3. Recommended Backup Schedule
+- Database: daily pg_dump, retained 30 days
+- Config/keys: on every change, retained indefinitely (encrypted)
+
+## Restore
+
+### Prerequisites
+- Fresh Ubuntu 24.04 host
+- Run `scripts/setup.sh` to create user, directories, and PostgreSQL
+
+### 1. Restore Configuration and Keys
+```bash
+tar -xzf patch_manager_config_<timestamp>.tar.gz -C /
+chown -R patch-manager:patch-manager /etc/patch-manager/
+chmod 600 /etc/patch-manager/ca/ca.key
+chmod 600 /etc/patch-manager/jwt/signing.pem
+```
+
+### 2. Restore Database
+```bash
+# Create empty database (if not already created by setup.sh)
+sudo -u postgres createdb -O patch_manager patch_manager
+
+# Restore
+pg_restore -U patch_manager -d patch_manager -Fc patch_manager_<timestamp>.dump
+```
+
+### 3. Install and Start Services
+```bash
+# Install binaries
+cp pm-web pm-worker /usr/local/bin/
+
+# Install frontend
+scripts/build-frontend.sh
+
+# Start services
+systemctl enable --now patch-manager-web patch-manager-worker
+```
+
+### 4. Verify
+```bash
+curl -k https://localhost/status/health
+# Expected: {"status": "healthy", ...}
+```
+
+## Notes
+- Migrations run automatically on web process startup.
+- The CA private key is the most critical secret — losing it requires re-issuing all mTLS certificates.
+- JWT signing key rotation is handled automatically every 90 days; no manual intervention needed.