feat(migration): cut appliance over to my collect

Completes the migration started by the dual-send PR. After this
commit, type=enterprise units talk directly to the my collect API
with native my credentials; neither the legacy my.nethesis.it /isa/
and /api/ endpoints nor the /proxy/* translation routes remain on
the hot path. type=community units are left on the legacy
my.nethserver.com / backupd infrastructure — that is explicitly out
of scope for the my migration.

Credential rotation (existing enterprise units):

- New /usr/sbin/migrate-to-my: idempotent one-shot, gated on
  type=enterprise. Calls the translation proxy's /proxy/credentials
  with the legacy Basic-Auth pair, reads back the mapped my
  system_key/system_secret and atomically rotates ns-plug.config.
  Preserves the legacy pair under legacy_system_id / legacy_secret
  for audit and manual rollback, (re)asserts collect_url because
  /etc/config/ns-plug is a conffile, and sets the migrated='1'
  marker that stops the helper from running again.
- send-heartbeat / send-inventory / send-backup / remote-backup
  invoke migrate-to-my up front on the enterprise branch so the
  first successful cron tick flips a pre-migration unit over.

Native my registration (fresh enterprise subscriptions):

- /usr/sbin/register enterprise branch now POSTs
  my.nethesis.it/backend/api/systems/register with
  {system_secret: <pasted>} and reads back system_key. The unit
  lands on the new my with its native credentials, collect_url is
  written alongside the legacy URLs, and migrated='1' is set so
  migrate-to-my is a no-op. Community register is untouched; it
  keeps calling my.nethserver.com /api/machine/info.
- /usr/sbin/subscription-info enterprise branch reads from collect
  /info with the rotated credentials and emits a legacy-shaped
  envelope so ns.subscription info and the existing Vue UI keep
  parsing the same keys. The new my data model no longer tracks a
  subscription plan at the system level, so plan_name falls back
  to the organization name and valid_until is null (the UI treats
  that as "no expiration").

Single-path send scripts:

- send-heartbeat enterprise: POST $collect_url/heartbeat with
  rotated Basic-Auth. The old my-old /isa/ primary + proxy shadow
  dual-send is gone; community continues on
  my.nethserver.com/api/machine/heartbeats/store.
- send-inventory enterprise: POST $collect_url/inventory with a
  phonehome payload. The my-old /isa/ primary, the
  /api/systems/info registration-date refresh and the proxy shadow
  are gone; community continues on my.nethserver.com.
- send-backup / remote-backup enterprise: single upload to
  $collect_url/backups with native creds, via remote-backup's
  upload/download/list/delete (which includes the backup UI
  mapping). Community remote-backup keeps the legacy
  $backup_url/$TYPE/api/v2/backup/ layout untouched.

Config & packaging:

- ns-plug.config.collect_url default added so fresh enterprise
  images carry the new endpoint; backup_url default restored so
  fresh community installs keep the legacy backupd URL.
- DEPENDS: +jq (used by remote-backup's list parser,
  migrate-to-my and subscription-info).

Failure mode:

- A /proxy/credentials outage during an enterprise upgrade window
  leaves the unit on legacy credentials against collect, which
  returns 401. migrate-to-my is re-invoked every 10 minutes via
  send-heartbeat's cron entry, so the unit recovers automatically
  once the proxy is back up. Accepted trade-off: no dual-mode in
  the scripts; the simpler single-send path is preferred.

Author: edospadoni

packages/ns-api/files/ns.backup

@@ -170,8 +170,14 @@ elif cmd == 'call':
             print(json.dumps(utils.generic_error(f'remote list failed')))
 
     elif action == 'registered-backup':
-        if os.path.exists(PASSPHRASE_PATH):
-            print(utils.validation_error('passphrase', 'missing'))
+        if not os.path.exists(PASSPHRASE_PATH):
+            # Refuse the call before running sysupgrade/uploading, and emit
+            # valid JSON so the HTTP API wraps it as a 422 ValidationError
+            # the UI can render (the previous form printed a Python dict
+            # repr, which was silently dropped upstream and caused the run
+            # modal to stay open after a successful upload).
+            print(json.dumps(utils.validation_error('passphrase', 'missing')))
+            sys.exit(0)
         try:
             # create backup
             file_name = create_backup()
@@ -225,10 +231,12 @@ elif cmd == 'call':
     elif action == 'registered-delete-backup':
         try:
             data = json.load(sys.stdin)
-            p = subprocess.run(['/usr/sbin/remote-backup', 'delete', data['id']],
+            subprocess.run(['/usr/sbin/remote-backup', 'delete', data['id']],
                            check=True, capture_output=True, text=True)
-            # return content
-            print(p.stdout)
+            # The remote side returns a structured JSON response; the UI
+            # only needs a success flag, matching the pattern of the
+            # other registered-* handlers (backup, restore).
+            print(json.dumps({'message': 'success'}))
         except subprocess.CalledProcessError as error:
             print(json.dumps(utils.generic_error('remote backup delete failed')))
         except KeyError as error:

packages/ns-plug/Makefile

@@ -21,7 +21,7 @@ define Package/ns-plug
 	CATEGORY:=NethSecurity
 	TITLE:=NethSecurity controller client
 	URL:=https://github.com/NethServer/nethsecurity-controller/
-	DEPENDS:=+openvpn +lscpu +python3-nethsec +python3-yaml
+	DEPENDS:=+openvpn +lscpu +python3-nethsec +python3-yaml +jq
 	PKGARCH:=all
 endef
 
@@ -75,6 +75,7 @@ define Package/ns-plug/install
 	$(INSTALL_BIN) ./files/ns-plug.init $(1)/etc/init.d/ns-plug
 	$(INSTALL_BIN) ./files/ns-plug $(1)/usr/sbin/ns-plug
 	$(INSTALL_BIN) ./files/distfeed-setup $(1)/usr/sbin/distfeed-setup
+	$(INSTALL_BIN) ./files/migrate-to-my $(1)/usr/sbin
 	$(INSTALL_BIN) ./files/remote-backup $(1)/usr/sbin
 	$(INSTALL_BIN) ./files/send-backup $(1)/usr/sbin
 	$(INSTALL_BIN) ./files/send-heartbeat $(1)/usr/sbin

packages/ns-plug/files/config

@@ -5,6 +5,7 @@ config main 'config'
     option unit_name ''
     option tls_verify '1'
     option backup_url 'https://backupd.nethesis.it'
+    option collect_url 'https://my.nethesis.it/collect/api/systems'
     option repository_url 'https://updates.nethsecurity.nethserver.org'
     option channel ''
     option tun_mtu ''

packages/ns-plug/files/migrate-to-my

@@ -0,0 +1,85 @@
+#!/bin/sh
+
+#
+# Copyright (C) 2026 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+#
+# Idempotent one-shot migration from legacy my.nethesis.it / backupd
+# credentials to the my collect native credentials, so the unit can
+# authenticate directly against the my collect endpoints.
+#
+# Only enterprise units are migrated. Community (my.nethserver.com)
+# has its own infrastructure and keeps using the legacy send-*
+# endpoints — no credential rotation is applicable there.
+#
+# ns-plug.config.migrated='1' is the persistent marker. It is written
+# by this script after a successful rotation, and also by
+# /usr/sbin/register when it registers a fresh unit directly against
+# the my collect endpoint (so a brand new install never triggers the
+# rotation path and never hits /proxy/credentials with unmapped
+# credentials).
+#
+# On the first successful invocation the script:
+#   1. Calls the my translation proxy's /proxy/credentials endpoint
+#      with the legacy Basic-Auth pair and retrieves the mapped my
+#      system key / secret.
+#   2. Writes the new credentials to ns-plug.config.system_id / secret
+#      and preserves the legacy pair under legacy_system_id /
+#      legacy_secret (for audit and manual rollback).
+#   3. Re-asserts ns-plug.config.collect_url, because /etc/config/
+#      ns-plug is a conffile: on registered units opkg keeps the
+#      user-modified copy across upgrades, so a new default alone
+#      would not reach them.
+#   4. Sets the migrated='1' marker.
+#
+# The uci commit is atomic — a partial write cannot leave the unit in
+# an inconsistent half-migrated state.
+#
+
+# Marker: set only after a successful rotation or a native my register.
+[ "$(uci -q get ns-plug.config.migrated)" = "1" ] && exit 0
+
+# Community units stay on the legacy my.nethserver.com infrastructure.
+TYPE=$(uci -q get ns-plug.config.type)
+if [ "$TYPE" != "enterprise" ]; then
+    exit 0
+fi
+
+SYSTEM_ID=$(uci -q get ns-plug.config.system_id)
+SYSTEM_SECRET=$(uci -q get ns-plug.config.secret)
+if [ -z "$SYSTEM_ID" ] || [ -z "$SYSTEM_SECRET" ]; then
+    # Unregistered unit — nothing to migrate yet.
+    exit 0
+fi
+
+# Fetch the mapped my credentials via the translation proxy.
+resp=$(/usr/bin/curl --silent --location-trusted --fail-with-body \
+    --max-time 30 --retry 2 \
+    --user "$SYSTEM_ID:$SYSTEM_SECRET" \
+    https://my.nethesis.it/proxy/credentials 2>/dev/null) || {
+    logger -t migrate-to-my "credential fetch failed; will retry on next run"
+    exit 0
+}
+
+new_key=$(echo "$resp" | jq -r '.data.system_key // empty' 2>/dev/null)
+new_secret=$(echo "$resp" | jq -r '.data.system_secret // empty' 2>/dev/null)
+if [ -z "$new_key" ] || [ -z "$new_secret" ]; then
+    logger -t migrate-to-my "credentials missing in response"
+    exit 0
+fi
+
+# Rotate atomically; legacy pair preserved for audit / rollback.
+uci -q batch <<EOI
+set ns-plug.config.legacy_system_id=$SYSTEM_ID
+set ns-plug.config.legacy_secret=$SYSTEM_SECRET
+set ns-plug.config.system_id=$new_key
+set ns-plug.config.secret=$new_secret
+set ns-plug.config.collect_url=https://my.nethesis.it/collect/api/systems
+set ns-plug.config.migrated=1
+commit ns-plug
+EOI
+
+logger -t migrate-to-my "migrated to my collect credentials"
+exit 0

packages/ns-plug/files/register

@@ -31,7 +31,12 @@ if [ -z "$secret" ]; then
     exit_error "Invalid secret"
 fi
 
-# Setup URLs
+# Resolve the system identity from the pasted secret.
+#
+# Enterprise uses the my collect registration API directly — the
+# unit lands on the new my with its native credentials and never
+# needs the /proxy/credentials rotation helper. Community keeps
+# using my.nethserver.com as before.
 case "$type" in
     community)
         url="https://my.nethserver.com/api/"
@@ -42,11 +47,13 @@ case "$type" in
         "${url}machine/info" | jq -r ".uuid" 2>/dev/null)
         ;;
     enterprise)
-        url="https://my.nethesis.it/api/"
+        url="https://my.nethesis.it/backend/api/"
 
-        system_id=$(curl -s -m $timeout --retry 3 -L \
+        register_resp=$(curl -s -m $timeout --retry 3 -L \
         -H "Content-Type: application/json" -H "Accept: application/json" \
-        -d '{"secret": "'$secret'"}' "${url}systems/info" | jq -r ".uuid" 2>/dev/null)
+        -d '{"system_secret": "'$secret'"}' "${url}systems/register")
+
+        system_id=$(echo "$register_resp" | jq -r '.data.system_key // empty' 2>/dev/null)
         ;;
     *)
         exit_error "Invalid type '$type'"
@@ -71,6 +78,11 @@ case "$type" in
         uci set ns-plug.config.alerts_url="https://my.nethesis.it/isa/"
         uci set ns-plug.config.api_url="$url"
         uci set ns-plug.config.inventory_url="https://my.nethesis.it/isa/inventory/store/"
+        uci set ns-plug.config.collect_url="https://my.nethesis.it/collect/api/systems"
+        # Native my register: no legacy credentials to rotate, so
+        # mark the unit as already migrated. migrate-to-my will be a
+        # no-op on every subsequent run.
+        uci set ns-plug.config.migrated="1"
         ;;
 esac
 

packages/ns-plug/files/remote-backup

@@ -6,64 +6,126 @@
 #
 
 #
-# Manage remote backup
+# Manage configuration backups.
 #
+# Enterprise units (type=enterprise) talk to my collect after the
+# migrate-to-my credential rotation. Community units (type=community)
+# keep using the legacy backupd.nethesis.it endpoint with the same
+# URL layout they have always used — backupd still accepts both
+# tenants behind the $TYPE/api/v2/backup/ path.
+#
+# Pipefail so the curl exit status survives the jq stage in `list`;
+# without it a HTTP error on the server would be masked by a successful
+# jq parse and ns.backup would report success to the UI.
+#
+
+set -o pipefail
 
 function exit_error {
     >&2 echo "[ERROR] $@"
     exit 1
 }
 
 function help {
-    >&2 echo "Usage: $0 <list|download|upload>"
+    >&2 echo "Usage: $0 <list|download|upload|delete>"
     >&2 echo "Commands:"
-    >&2 echo " - list: retrieve the list of available backups from remote server"
-    >&2 echo " - download <file> [output]: download the given backup, if 'output' is empty downloaded file will be named as as 'file'"
-    >&2 echo " - upload <file>: upload the given backup"
+    >&2 echo " - list: fetch the list of backups stored for this system"
+    >&2 echo " - download <id> [output]: download the backup <id>; defaults to writing to a file named <id>"
+    >&2 echo " - upload <file>: upload a backup file"
+    >&2 echo " - delete <id>: remove the backup <id>"
 }
 
 SYSTEM_ID=$(uci -q get ns-plug.config.system_id)
 SYSTEM_SECRET=$(uci -q get ns-plug.config.secret)
 TYPE=$(uci -q get ns-plug.config.type)
-URL=$(uci -q get ns-plug.config.backup_url)
 
-if [ -z "$SYSTEM_ID" ] || [ -z "$SYSTEM_SECRET" ] || [ -z "$URL" ]; then
-    exit_error "System ID, system secret or backup url not found. Please configure ns-plug."
+if [ -z "$SYSTEM_ID" ] || [ -z "$SYSTEM_SECRET" ]; then
+    exit_error "System ID or system secret not found. Please configure ns-plug."
+fi
+
+cmd=${1:-list}
+
+if [ "$TYPE" = "enterprise" ]; then
+    /usr/sbin/migrate-to-my
+
+    COLLECT_URL=$(uci -q get ns-plug.config.collect_url)
+    if [ -z "$COLLECT_URL" ]; then
+        exit_error "Collect URL not set. Pre-migration unit — retry later."
+    fi
+
+    BASE="$COLLECT_URL/backups"
+    # --fail-with-body: exit 22 on 4xx/5xx while still writing the body
+    # so the caller can inspect the error payload.
+    curl_args="--silent --location-trusted --fail-with-body --user $SYSTEM_ID:$SYSTEM_SECRET"
+
+    case "$cmd" in
+        list)
+            # my returns {code, message, data: {backups: [...]}} on
+            # success. Unwrap `data` so ns.backup can pass it through as
+            # {values: <output>} without double-nesting. Fall back to an
+            # empty list on failure.
+            response=$(curl $curl_args "$BASE")
+            echo "$response" | jq 'if .data and (.data.backups // empty) then .data else {backups: []} end'
+            ;;
+        download)
+            file=$2
+            [ -z "$file" ] && exit_error "No file specified"
+            output=${3-$file}
+            curl $curl_args -o "$output" "$BASE/$file"
+            ;;
+        upload)
+            file=$2
+            [ -z "$file" ] && exit_error "No file specified"
+            curl $curl_args -X POST \
+                -H "Content-Type: application/octet-stream" \
+                -H "X-Filename: $(basename "$file")" \
+                --data-binary "@$file" \
+                "$BASE"
+            ;;
+        delete)
+            file=$2
+            [ -z "$file" ] && exit_error "No file specified"
+            curl $curl_args -X DELETE "$BASE/$file"
+            ;;
+        *)
+            help
+            ;;
+    esac
+
+    exit $?
+fi
+
+# Community (legacy): backupd.nethesis.it with the /$TYPE/api/v2/backup/
+# URL layout. Unchanged from the pre-migration behaviour.
+URL=$(uci -q get ns-plug.config.backup_url)
+if [ -z "$URL" ]; then
+    exit_error "Backup URL not set. Please configure ns-plug."
 fi
 
 curl_args="--silent --location-trusted --user $SYSTEM_ID:$SYSTEM_SECRET"
 base_url="$URL/$TYPE/api/v2/backup/"
 
-cmd=${1:-list}
-
 case "$cmd" in
     list)
         curl $curl_args $base_url
         ;;
     download)
         file=$2
-        if [ -z "$file" ]; then
-           exit_error "No file specified"
-        fi
+        [ -z "$file" ] && exit_error "No file specified"
         output=${3-$file}
         curl $curl_args $base_url$file -J -o "$output"
-       ;;
-   upload)
-       file=$2
-       if [ -z "$file" ]; then
-           exit_error "No file specified"
-       fi
-       curl $curl_args $base_url --upload-file $file
-       ;;
-   delete)
-       file=$2
-       if [ -z "$file" ]; then
-           exit_error "No file specified"
-       fi
-       curl $curl_args -X DELETE $base_url$file
-       ;;
-
-   *)
-       help
-      ;;
+        ;;
+    upload)
+        file=$2
+        [ -z "$file" ] && exit_error "No file specified"
+        curl $curl_args $base_url --upload-file $file
+        ;;
+    delete)
+        file=$2
+        [ -z "$file" ] && exit_error "No file specified"
+        curl $curl_args -X DELETE $base_url$file
+        ;;
+    *)
+        help
+        ;;
 esac

packages/ns-plug/files/send-backup

@@ -38,6 +38,12 @@ if [ -z "$SYSTEM_ID" ] || [ -z "$SYSTEM_SECRET" ]; then
     exit 0
 fi
 
+# remote-backup handles the enterprise/community branching and calls
+# migrate-to-my when needed; this script just prepares the payload and
+# delegates the upload. An enterprise unit still waiting on the
+# migration surfaces its error through remote-backup, which is caught
+# by set -e above.
+
 # hack: avoid to backup non-config file
 if [ -f /etc/acme/http.header ]; then
     mv /etc/acme/http.header /tmp