linderhof/roles/storage_box/tasks/main.yml

---
- name: Generate restic SSH key pair
  ansible.builtin.command:
    cmd: >-
      ssh-keygen -t ed25519
      -f {{ restic_local_key_path }}
      -N ""
      -C "restic-{{ server_name }}"
    creates: "{{ restic_local_key_path }}"
  check_mode: false

- name: Check if SSH public key exists
  ansible.builtin.stat:
    path: "{{ restic_local_key_path }}.pub"
  register: ssh_pub_key_stat

- name: Read SSH public key
  ansible.builtin.slurp:
    src: "{{ restic_local_key_path }}.pub"
  register: ssh_pub_key_raw
  when: ssh_pub_key_stat.stat.exists

- name: Set public key fact
  ansible.builtin.set_fact:
    restic_ssh_pub_key: "{{ ssh_pub_key_raw.content | b64decode | trim }}"
  when: ssh_pub_key_stat.stat.exists

- name: Configure Hetzner Storage Box
  hetzner.hcloud.storage_box:
    name: "{{ restic_storagebox_name }}"
    storage_box_type: "{{ restic_storagebox_type | default(omit) }}"
    location: "{{ restic_storagebox_location | default(omit) }}"
    password: "{{ restic_storagebox_password }}"
    api_token: "{{ hcloud_token }}"
    access_settings:
      ssh_enabled: true
    state: present
  register: storagebox_result
  when: ssh_pub_key_stat.stat.exists

- name: Check SSH key auth on Storage Box
  ansible.builtin.shell: |
    echo "bye" | sftp -i {{ restic_local_key_path }} \
    -o BatchMode=yes -o StrictHostKeyChecking=no \
    -P 23 \
    {{ storagebox_result.hcloud_storage_box.username }}@{{ storagebox_result.hcloud_storage_box.server }}
  register: ssh_key_check
  failed_when: false
  changed_when: false
  when: ssh_pub_key_stat.stat.exists

- name: Install SSH public key on Storage Box
  ansible.builtin.shell: |
    cat {{ restic_local_key_path }}.pub | \
    sshpass -p "{{ restic_storagebox_password }}" \
    ssh -o StrictHostKeyChecking=no -p 23 \
    {{ storagebox_result.hcloud_storage_box.username }}@{{ storagebox_result.hcloud_storage_box.server }} \
    install-ssh-key
  no_log: true
  when: ssh_pub_key_stat.stat.exists and ssh_key_check.rc != 0

- name: Write storagebox.yml to stack config directory
  ansible.builtin.copy:
    content: |
      ---
      # Storage box config — written automatically by storage_box.yml, do not edit manually
      restic_user: {{ storagebox_result.hcloud_storage_box.username }}
      restic_host: {{ storagebox_result.hcloud_storage_box.server }}
      restic_ssh_port: {{ restic_ssh_port }}
      restic_remote_path: {{ restic_remote_path }}
      restic_ssh_key: {{ restic_ssh_key }}
      restic_local_key_path: {{ restic_local_key_path }}
    dest: "{{ lookup('env', 'ANSIBLE_INVENTORY') | dirname }}/group_vars/all/storagebox.yml"
    mode: "0600"
  when: ssh_pub_key_stat.stat.exists

- name: Print connection info
  ansible.builtin.debug:
    msg:
      - "Storage box configured successfully"
      - "User: {{ storagebox_result.hcloud_storage_box.username }}"
      - "Host: {{ storagebox_result.hcloud_storage_box.server }}"
      - "Remote path: {{ restic_remote_path }}"
      - "Local key: {{ restic_local_key_path }}"
      - "Next: set enable_restic: true and run site.yml or restic.yml"
  when: ssh_pub_key_stat.stat.exists
Add storage_box playbook and fix HCLOUD_TOKEN extraction - Add storage_box role: generates SSH key pair, creates Hetzner Storage Box with known password, installs public key via install-ssh-key, writes storagebox.yml to stack config. Idempotent: skips key install if SSH key auth already works. - Add deploy.yml: one-shot playbook chaining provision → dns → storage_box → bootstrap → site for fresh deployments - Fix .envrc HCLOUD_TOKEN extraction stripping surrounding quotes from vault YAML values - Add restic_storagebox_password to vault template and setup.sh prompt - Add sshpass to README prerequisites Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-01 17:43:14 -07:00			`---`
			`- name: Generate restic SSH key pair`
			`ansible.builtin.command:`
			`cmd: >-`
			`ssh-keygen -t ed25519`
			`-f {{ restic_local_key_path }}`
			`-N ""`
			`-C "restic-{{ server_name }}"`
			`creates: "{{ restic_local_key_path }}"`
			`check_mode: false`

			`- name: Check if SSH public key exists`
			`ansible.builtin.stat:`
			`path: "{{ restic_local_key_path }}.pub"`
			`register: ssh_pub_key_stat`

			`- name: Read SSH public key`
			`ansible.builtin.slurp:`
			`src: "{{ restic_local_key_path }}.pub"`
			`register: ssh_pub_key_raw`
			`when: ssh_pub_key_stat.stat.exists`

			`- name: Set public key fact`
			`ansible.builtin.set_fact:`
			`restic_ssh_pub_key: "{{ ssh_pub_key_raw.content \| b64decode \| trim }}"`
			`when: ssh_pub_key_stat.stat.exists`

			`- name: Configure Hetzner Storage Box`
			`hetzner.hcloud.storage_box:`
			`name: "{{ restic_storagebox_name }}"`
			`storage_box_type: "{{ restic_storagebox_type \| default(omit) }}"`
			`location: "{{ restic_storagebox_location \| default(omit) }}"`
			`password: "{{ restic_storagebox_password }}"`
			`api_token: "{{ hcloud_token }}"`
			`access_settings:`
			`ssh_enabled: true`
			`state: present`
			`register: storagebox_result`
			`when: ssh_pub_key_stat.stat.exists`

			`- name: Check SSH key auth on Storage Box`
			`ansible.builtin.shell: \|`
			`echo "bye" \| sftp -i {{ restic_local_key_path }} \`
			`-o BatchMode=yes -o StrictHostKeyChecking=no \`
			`-P 23 \`
			`{{ storagebox_result.hcloud_storage_box.username }}@{{ storagebox_result.hcloud_storage_box.server }}`
			`register: ssh_key_check`
			`failed_when: false`
			`changed_when: false`
			`when: ssh_pub_key_stat.stat.exists`

			`- name: Install SSH public key on Storage Box`
			`ansible.builtin.shell: \|`
			`cat {{ restic_local_key_path }}.pub \| \`
			`sshpass -p "{{ restic_storagebox_password }}" \`
			`ssh -o StrictHostKeyChecking=no -p 23 \`
			`{{ storagebox_result.hcloud_storage_box.username }}@{{ storagebox_result.hcloud_storage_box.server }} \`
			`install-ssh-key`
			`no_log: true`
			`when: ssh_pub_key_stat.stat.exists and ssh_key_check.rc != 0`

			`- name: Write storagebox.yml to stack config directory`
			`ansible.builtin.copy:`
			`content: \|`
			`---`
			`# Storage box config — written automatically by storage_box.yml, do not edit manually`
			`restic_user: {{ storagebox_result.hcloud_storage_box.username }}`
			`restic_host: {{ storagebox_result.hcloud_storage_box.server }}`
			`restic_ssh_port: {{ restic_ssh_port }}`
			`restic_remote_path: {{ restic_remote_path }}`
			`restic_ssh_key: {{ restic_ssh_key }}`
			`restic_local_key_path: {{ restic_local_key_path }}`
			`dest: "{{ lookup('env', 'ANSIBLE_INVENTORY') \| dirname }}/group_vars/all/storagebox.yml"`
			`mode: "0600"`
			`when: ssh_pub_key_stat.stat.exists`

			`- name: Print connection info`
			`ansible.builtin.debug:`
			`msg:`
			`- "Storage box configured successfully"`
			`- "User: {{ storagebox_result.hcloud_storage_box.username }}"`
			`- "Host: {{ storagebox_result.hcloud_storage_box.server }}"`
			`- "Remote path: {{ restic_remote_path }}"`
			`- "Local key: {{ restic_local_key_path }}"`
			`- "Next: set enable_restic: true and run site.yml or restic.yml"`
			`when: ssh_pub_key_stat.stat.exists`