Fix storage_box SSH key installation and deploy ordering

- Always run install-ssh-key (drop unreliable sftp idempotency check that was bypassed by SSH agent forwarding) - Use sshpass -e (env var) instead of -p to avoid shell quoting issues with special characters in passwords - Add -o IdentitiesOnly=yes to prevent agent keys interfering - Add reachable_externally: true to access_settings (was being reset to false on every run) - Remove storage_box.yml from deploy.yml chain — Ansible loads group_vars at startup so storagebox.yml must exist before deploy.yml - Document storage_box.yml as a prerequisite step in README, CLAUDE.md, and setup.sh next steps Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-01 21:14:45 -07:00 · 2026-03-01 21:14:45 -07:00 · 16da843131
commit 16da843131
parent db70b4ba06
5 changed files with 20 additions and 22 deletions
--- a/roles/storage_box/tasks/main.yml
+++ b/roles/storage_box/tasks/main.yml
@ -34,30 +34,22 @@
    api_token: "{{ hcloud_token }}"
    access_settings:
      ssh_enabled: true
+      reachable_externally: true
    state: present
  register: storagebox_result
  when: ssh_pub_key_stat.stat.exists

- name: Check SSH key auth on Storage Box
-  ansible.builtin.shell: |
-    echo "bye" | sftp -i {{ restic_local_key_path }} \
-    -o BatchMode=yes -o StrictHostKeyChecking=no \
-    -P 23 \
-    {{ storagebox_result.hcloud_storage_box.username }}@{{ storagebox_result.hcloud_storage_box.server }}
-  register: ssh_key_check
-  failed_when: false
-  changed_when: false
-  when: ssh_pub_key_stat.stat.exists
-
 - name: Install SSH public key on Storage Box
  ansible.builtin.shell: |
    cat {{ restic_local_key_path }}.pub | \
-    sshpass -p "{{ restic_storagebox_password }}" \
-    ssh -o StrictHostKeyChecking=no -p 23 \
+    sshpass -e \
+    ssh -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -p 23 \
    {{ storagebox_result.hcloud_storage_box.username }}@{{ storagebox_result.hcloud_storage_box.server }} \
    install-ssh-key
+  environment:
+    SSHPASS: "{{ restic_storagebox_password }}"
  no_log: true
-  when: ssh_pub_key_stat.stat.exists and ssh_key_check.rc != 0
+  when: ssh_pub_key_stat.stat.exists

 - name: Write storagebox.yml to stack config directory
  ansible.builtin.copy: