linderhof/roles/restic/tasks/backend_sftp.yml

---
- name: Deploy Restic SSH key
  ansible.builtin.copy:
    src: "{{ restic_local_key_path }}"
    dest: "{{ restic_ssh_key }}"
    owner: root
    group: root
    mode: '0600'

- name: Ensure restic repo directory exists on Storage Box
  ansible.builtin.shell: |
    ssh -i {{ restic_ssh_key }} -o BatchMode=yes -o StrictHostKeyChecking=no -p {{ restic_ssh_port }} {{ restic_user }}@{{ restic_host }} \
    "mkdir -p {{ restic_remote_path }} && chmod 700 {{ restic_remote_path }}" < /dev/null
  changed_when: false

- name: Write the ssh config for the root user
  # TODO: this replaces roots config and should be much smarter, safe for me currently
  template:
    src: restic-ssh-config.j2
    dest: /root/.ssh/config
    mode: "0644"

- name: Initialize restic repo on Storage Box (if needed)
  ansible.builtin.shell: |
    source /etc/restic/restic.env
    restic snapshots > /dev/null 2>&1 || restic init
    touch /etc/restic/.initialized
  args:
    creates: /etc/restic/.initialized
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`---`
			`- name: Deploy Restic SSH key`
			`ansible.builtin.copy:`
Add storage_box playbook and fix HCLOUD_TOKEN extraction - Add storage_box role: generates SSH key pair, creates Hetzner Storage Box with known password, installs public key via install-ssh-key, writes storagebox.yml to stack config. Idempotent: skips key install if SSH key auth already works. - Add deploy.yml: one-shot playbook chaining provision → dns → storage_box → bootstrap → site for fresh deployments - Fix .envrc HCLOUD_TOKEN extraction stripping surrounding quotes from vault YAML values - Add restic_storagebox_password to vault template and setup.sh prompt - Add sshpass to README prerequisites Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-01 17:43:14 -07:00			`src: "{{ restic_local_key_path }}"`
			`dest: "{{ restic_ssh_key }}"`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`owner: root`
			`group: root`
			`mode: '0600'`

			`- name: Ensure restic repo directory exists on Storage Box`
			`ansible.builtin.shell: \|`
			`ssh -i {{ restic_ssh_key }} -o BatchMode=yes -o StrictHostKeyChecking=no -p {{ restic_ssh_port }} {{ restic_user }}@{{ restic_host }} \`
			`"mkdir -p {{ restic_remote_path }} && chmod 700 {{ restic_remote_path }}" < /dev/null`
			`changed_when: false`

			`- name: Write the ssh config for the root user`
			`# TODO: this replaces roots config and should be much smarter, safe for me currently`
			`template:`
			`src: restic-ssh-config.j2`
			`dest: /root/.ssh/config`
			`mode: "0644"`

			`- name: Initialize restic repo on Storage Box (if needed)`
			`ansible.builtin.shell: \|`
			`source /etc/restic/restic.env`
			`restic snapshots > /dev/null 2>&1 \|\| restic init`
			`touch /etc/restic/.initialized`
			`args:`
			`creates: /etc/restic/.initialized`