linderhof/playbooks/storage_box.yml

---
# Configure a Hetzner Storage Box for restic backups.
# Run once before the first restic deployment (enable_restic: true).
#
# Prerequisites:
#   - restic_storagebox_id set in config.yml
#   - hetzner_robot_user / hetzner_robot_password set in vault.yml
#
# What it does:
#   1. Generates an SSH key pair in LINDERHOF_DIR (skips if already present)
#   2. Fetches storage box details from Robot API (derives restic_user / restic_host)
#   3. Enables SSH access on the storage box
#   4. Uploads the public key (replaces any existing key with the same label)
#   5. Writes LINDERHOF_DIR/group_vars/all/storagebox.yml — loaded automatically
#      by Ansible on subsequent runs, no manual config edits required

- name: Configure Hetzner Storage Box for restic backups
  hosts: localhost
  connection: local
  gather_facts: false
  become: false

  roles:
    - role: storage_box
      tags: storage_box
Add storage_box playbook and fix HCLOUD_TOKEN extraction - Add storage_box role: generates SSH key pair, creates Hetzner Storage Box with known password, installs public key via install-ssh-key, writes storagebox.yml to stack config. Idempotent: skips key install if SSH key auth already works. - Add deploy.yml: one-shot playbook chaining provision → dns → storage_box → bootstrap → site for fresh deployments - Fix .envrc HCLOUD_TOKEN extraction stripping surrounding quotes from vault YAML values - Add restic_storagebox_password to vault template and setup.sh prompt - Add sshpass to README prerequisites Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-01 17:43:14 -07:00			`---`
			`# Configure a Hetzner Storage Box for restic backups.`
			`# Run once before the first restic deployment (enable_restic: true).`
			`#`
			`# Prerequisites:`
			`# - restic_storagebox_id set in config.yml`
			`# - hetzner_robot_user / hetzner_robot_password set in vault.yml`
			`#`
			`# What it does:`
			`# 1. Generates an SSH key pair in LINDERHOF_DIR (skips if already present)`
			`# 2. Fetches storage box details from Robot API (derives restic_user / restic_host)`
			`# 3. Enables SSH access on the storage box`
			`# 4. Uploads the public key (replaces any existing key with the same label)`
			`# 5. Writes LINDERHOF_DIR/group_vars/all/storagebox.yml — loaded automatically`
			`# by Ansible on subsequent runs, no manual config edits required`

			`- name: Configure Hetzner Storage Box for restic backups`
			`hosts: localhost`
			`connection: local`
			`gather_facts: false`
			`become: false`

			`roles:`
			`- role: storage_box`
			`tags: storage_box`