Add storage_box playbook and fix HCLOUD_TOKEN extraction

- Add storage_box role: generates SSH key pair, creates Hetzner Storage
  Box with known password, installs public key via install-ssh-key,
  writes storagebox.yml to stack config. Idempotent: skips key install
  if SSH key auth already works.
- Add deploy.yml: one-shot playbook chaining provision → dns →
  storage_box → bootstrap → site for fresh deployments
- Fix .envrc HCLOUD_TOKEN extraction stripping surrounding quotes from
  vault YAML values
- Add restic_storagebox_password to vault template and setup.sh prompt
- Add sshpass to README prerequisites

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

inventory/group_vars/all/config.yml.setup

@@ -137,11 +137,17 @@ grafana_root_url: "https://{{ grafana_domain }}"
 # Restic (encrypted backups)
 # ============================================================
 restic_backend_type: "sftp"
+# Storage box name in Hetzner Cloud (https://console.hetzner.cloud)
+restic_storagebox_name: "$restic_storagebox_name"
+# To create a new storage box via storage_box.yml (rather than adopting an existing one):
+# restic_storagebox_type: bx11
+# restic_storagebox_location: $hcloud_location
+# The following are written automatically by storage_box.yml — do not edit manually
 # restic_host: "uXXXXXX.your-storagebox.de"
 # restic_user: uXXXXXX
 # restic_ssh_port: 23
 # restic_remote_path: "backups/$server_name"
-# restic_ssh_key: "/root/.ssh/island_restic_backup"
+# restic_ssh_key: "/root/.ssh/restic_backup"
 
 # ============================================================
 # GoAccess (web analytics)

inventory/group_vars/all/vault.yml.setup

@@ -51,6 +51,7 @@ diun_email_password: "$notifications_mail_password"
 # restic
 # password generated with: openssl rand -base64 32
 restic_password: "$restic_password"
+restic_storagebox_password: "$restic_storagebox_password"
 
 # fail2ban (optional — IPs/CIDRs to whitelist)
 # fail2ban_ignoreip: "your-home-ip/32"