Locked key method on backup Linode

authorized_keys entry on the backup machine (one line):

    from="PROD_IP_HERE",command="/usr/local/bin/run-backup.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3... (rest of your key)

Create a simple script at /usr/local/bin/run-backup.sh on the backup machine:

    #!/bin/bash
    # Stop at the first failed step so the success line is only logged after a good run
    set -e
    # 1. Sync the Gitea Database (assuming it was dumped to a file)
    # 2. Re-run the Git Clone/Pull for your radar & website projects
    cd /path/to/backup/folder
    git pull origin main || git clone http://your-gitea-url/repo.git .
    # Optional: Log the backup time
    echo "Backup successful: $(date)" >> /var/log/backup_history.log

authorized_keys entry locked to rrsync. The -ro flag makes the key read-only: the production host can read from /mnt/backups/ilovearthur/ but cannot write to it.

    from="PROD_IP",command="/usr/share/doc/rsync/scripts/rrsync -ro /mnt/backups/ilovearthur/",restrict ssh-rsa AAAAB3...

Sync script (pushes to the backup server):

    #!/bin/bash
    # Sync critical system and user data
    rsync -az --delete /etc /var /home root@backup.ilovearthur.org:/

Wrapper script on backup server (/usr/local/bin/backup-handler.sh)

    #!/bin/bash
    case "$SSH_ORIGINAL_COMMAND" in
      rsync*)
        # Allows rsync to only touch the designated backup folder.
        # Running $SSH_ORIGINAL_COMMAND directly would accept any path the client sends,
        # so hand off to rrsync, which reads SSH_ORIGINAL_COMMAND and confines it to this directory.
        exec /usr/share/doc/rsync/scripts/rrsync /mnt/backups/ilovearthur/
        ;;
      "git-sync")
        # Custom command to refresh your Gitea mirrors
        cd /home/backups/radar-repo || exit 1
        git pull || git clone http://your-gitea-url/repo.git .
        ;;
      *)
        echo "Access Denied: Command not permitted."
        exit 1
        ;;
    esac

Authorized keys file:

    from="PROD_IP",command="/usr/local/bin/backup-handler.sh",no-agent-forwarding,no-port-forwarding,no-pty ssh-rsa AAAAB3...

With both an IPv4 and an IPv6 source address:

    from="192.0.2.1,2001:db8::1",command="/usr/local/bin/backup-handler.sh",no-pty ... [your-ssh-key]
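
An added example, not part of the original notes: a Python audit that parses authorized_keys entries and reports which lock-down options are missing. A forced command= does not by itself turn off port, agent or X11 forwarding, which is what the check surfaces. The sample entries are constructed from the entries in these notes, with a placeholder key and 192.0.2.1 standing in for PROD_IP.

```python
import re

# Constructed sample entries modelled on the notes; the key is a placeholder.
KEY = "ssh-rsa AAAAB3NzaPLACEHOLDER backup@prod"
HANDLER = 'command="/usr/local/bin/backup-handler.sh"'
SAMPLES = [
    'from="192.0.2.1",command="/usr/local/bin/run-backup.sh",no-agent-forwarding,'
    "no-port-forwarding,no-X11-forwarding,no-pty " + KEY,
    'from="192.0.2.1",command="/usr/share/doc/rsync/scripts/rrsync -ro '
    '/mnt/backups/ilovearthur/",restrict ' + KEY,
    f'from="192.0.2.1",{HANDLER},no-agent-forwarding,no-port-forwarding,no-pty {KEY}',
    f'from="192.0.2.1,2001:db8::1",{HANDLER},no-pty {KEY}',
    KEY,
]
# Features that "restrict" switches off in one go (option names are case-insensitive).
REQUIRED_OFF = {"no-agent-forwarding", "no-port-forwarding", "no-x11-forwarding", "no-pty"}
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")
# One option: a bare name, or name="value" where the value may contain commas and spaces.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')

def parse_options(line):
    """Return the options field of one authorized_keys line as a dict."""
    line = line.strip()
    if KEY_TYPE.match(line):               # entry starts with the key type: no options
        return {}
    in_quotes, end = False, len(line)
    for i, ch in enumerate(line):          # the field ends at the first unquoted space
        if ch == '"' and line[i - 1:i] != "\\":
            in_quotes = not in_quotes
        elif ch == " " and not in_quotes:
            end = i
            break
    return {m[1].lower(): m[2] for m in OPTION.finditer(line[:end])}

def audit(line):
    """List the lock-down gaps in one entry (does not model re-enabling after restrict)."""
    opts = parse_options(line)
    findings = []
    if not opts.get("from"):
        findings.append("no from= source restriction")
    if not opts.get("command"):
        findings.append("no forced command=")
    if "restrict" not in opts:
        findings += [f"{name} not set" for name in sorted(REQUIRED_OFF - set(opts))]
    return findings

if __name__ == "__main__":
    for entry in SAMPLES:
        print(entry[:60] + "...", "->", audit(entry) or "locked down")
```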