feat(migration): move to new my

[edospadoni]

Summary

Final migration PR that takes the ns8 cluster off backupd.nethesis.it, off my-old (/api/, /isa/) and off the my.nethesis.it/proxy/* translation layer, and moves it onto the my collect API with its own native credentials. nscom clusters keep using the legacy my.nethserver.com / backupd.nethesis.it infrastructure — that is explicitly out of scope for the my migration.

What it does

• New /var/lib/nethserver/cluster/bin/migrate-to-my (bash, idempotent, nsent-only). Runs at the top of every send-cluster-backup / send-heartbeat / send-inventory invocation.

  1. Calls the translation proxy's /proxy/credentials with the legacy Basic-Auth pair.
  2. Atomically HSETs cluster/subscription in Redis with the new system_key / system_secret.
  3. Preserves the legacy pair under legacy_system_id / legacy_auth_token, asserts collect_url, stamps migrated_at and sets migrated='1'.

• set-subscription.subscribe_nsent now POSTs my.nethesis.it/backend/api/systems/register, stores the returned system_key as system_id, writes collect_url + migrated='1' so a fresh subscription lands natively on the new my without any rotation.

• set-subscription.terminate_nsent routes /api/Utils/freekey through the preserved legacy_* pair when available, so migrated clusters can still release their slot on my-old at unregister time.

• get-subscription.fetch_subscription_info_nsent reads from collect /info with the rotated credentials and synthesises the legacy envelope the UI consumes — plan / expiration fall back to the organization name / null because the new my data model no longer tracks a subscription plan per system. Pre-migration clusters get a "pending" snapshot instead of a 500.

• send-cluster-backup, send-heartbeat, send-inventory: single POST per script to $collect_url/{backups,heartbeat,inventory} on the nsent branch. nscom branches are byte-for-byte untouched.

• Migration fingerprint in phonehome. print-phonehome now emits a facts.migration block with:

  • from_legacy_system_id: the pre-rotation UUID when the cluster was migrated through the proxy, null on fresh natively-subscribed clusters.
  • migrated_at: ISO 8601 timestamp of the rotation, null on fresh clusters.

  This lets my count how many legacy clusters have completed the rotation and decide when backupd.nethesis.it and the translation proxy can be decommissioned.

Resilience

A /proxy/credentials outage during an nsent cluster's upgrade window leaves the cluster on legacy credentials against collect, which returns 401. migrate-to-my is re-invoked every time one of the send-* services fires, so the cluster recovers automatically on the first successful rotation once the proxy is back up. Accepted trade-off: no dual-mode in the scripts, the simpler single-send path is preferred.

Blocking / coordination

Warning

Do not merge this PR until my is in production.
Once this ships, nsent clusters stop talking to my-old and backupd entirely.

Requires in order:

1. feat(backup): configuration backup service (collect ingest + backend UI API) my#81 merged and deployed to production.
2. feat(backup): dual-send cluster backup to my-new proxy #1146 (dual-send on ns8-core) merged and released.
3. This PR merged and released.

Matching pair on the nethsecurity side: NethServer/nethsecurity#1609 (cutover) + NethServer/nethsecurity-ui#746 (UI consumption).

Post-merge operational follow-up

• Monitor /proxy/credentials success rate during the cluster upgrade rollout.
• On the my admin side, count inventories where facts.migration.from_legacy_system_id != null. When this count equals the rows in proxy_mappings, every legacy cluster has rotated and backupd.nethesis.it + the translation proxy can be decommissioned.

Tracking issue: NethServer/my#83.