linderhof/roles/restic/defaults/main.yml

restic_backend_type: "sftp"
restic_password: ""
# restic_repo: set explicitly when restic_backend_type is not 'sftp'

# SFTP backend: path to the SSH private key on the controller and on the target server
# Both are written by storage_box.yml — no need to set these manually
restic_local_key_path: "{{ lookup('env', 'LINDERHOF_DIR') }}/restic_backup"
restic_ssh_key: /root/.ssh/restic_backup

restic_backup_paths: >-
  {{
    ['/etc/letsencrypt', '/srv/caddy']
    + (['/etc/nebula'] if (enable_nebula | default(false)) else [])
    + (['/srv/forgejo'] if (enable_forgejo | default(false)) else [])
    + (['/srv/goaccess'] if (enable_goaccess | default(false)) else [])
    + (['/srv/mail'] if (enable_mail | default(false)) else [])
    + (['/srv/monitoring'] if (enable_monitoring | default(false)) else [])
    + (['/srv/tuwunel'] if (enable_tuwunel | default(false)) else [])
    + (['/srv/radicale'] if (enable_radicale | default(false)) else [])
    + (['/srv/diun'] if (enable_diun | default(false)) else [])
  }}

restic_exclude_patterns:
  - "**/tmp"
  - "**/cache"
  - "**/*.gz"

restic_backup_time: "02:00:00"
restic_prune_time: "04:00:00"

restic_retention:
  daily: 7
  weekly: 4
  monthly: 6
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`restic_backend_type: "sftp"`
			`restic_password: ""`
			`# restic_repo: set explicitly when restic_backend_type is not 'sftp'`

Add storage_box playbook and fix HCLOUD_TOKEN extraction - Add storage_box role: generates SSH key pair, creates Hetzner Storage Box with known password, installs public key via install-ssh-key, writes storagebox.yml to stack config. Idempotent: skips key install if SSH key auth already works. - Add deploy.yml: one-shot playbook chaining provision → dns → storage_box → bootstrap → site for fresh deployments - Fix .envrc HCLOUD_TOKEN extraction stripping surrounding quotes from vault YAML values - Add restic_storagebox_password to vault template and setup.sh prompt - Add sshpass to README prerequisites Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-01 17:43:14 -07:00			`# SFTP backend: path to the SSH private key on the controller and on the target server`
			`# Both are written by storage_box.yml — no need to set these manually`
			`restic_local_key_path: "{{ lookup('env', 'LINDERHOF_DIR') }}/restic_backup"`
			`restic_ssh_key: /root/.ssh/restic_backup`

initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`restic_backup_paths: >-`
			`{{`
			`['/etc/letsencrypt', '/srv/caddy']`
			`+ (['/etc/nebula'] if (enable_nebula \| default(false)) else [])`
			`+ (['/srv/forgejo'] if (enable_forgejo \| default(false)) else [])`
			`+ (['/srv/goaccess'] if (enable_goaccess \| default(false)) else [])`
			`+ (['/srv/mail'] if (enable_mail \| default(false)) else [])`
			`+ (['/srv/monitoring'] if (enable_monitoring \| default(false)) else [])`
			`+ (['/srv/tuwunel'] if (enable_tuwunel \| default(false)) else [])`
			`+ (['/srv/radicale'] if (enable_radicale \| default(false)) else [])`
			`+ (['/srv/diun'] if (enable_diun \| default(false)) else [])`
			`}}`

			`restic_exclude_patterns:`
			`- "**/tmp"`
			`- "**/cache"`
			`- "*/.gz"`

			`restic_backup_time: "02:00:00"`
			`restic_prune_time: "04:00:00"`

			`restic_retention:`
			`daily: 7`
			`weekly: 4`
			`monthly: 6`