Add storage_box playbook and fix HCLOUD_TOKEN extraction

- Add storage_box role: generates SSH key pair, creates Hetzner Storage
  Box with known password, installs public key via install-ssh-key,
  writes storagebox.yml to stack config. Idempotent: skips key install
  if SSH key auth already works.
- Add deploy.yml: one-shot playbook chaining provision → dns →
  storage_box → bootstrap → site for fresh deployments
- Fix .envrc HCLOUD_TOKEN extraction stripping surrounding quotes from
  vault YAML values
- Add restic_storagebox_password to vault template and setup.sh prompt
- Add sshpass to README prerequisites

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

playbooks/deploy.yml

@@ -0,0 +1,27 @@
+---
+# Full first-time deployment — provisions and deploys everything in one shot.
+# Usage: ansible-playbook playbooks/deploy.yml
+#
+# Prerequisites: run setup.sh first, then review config.yml, vault.yml, dns.yml
+#
+# This playbook is intended for initial deployments only. After the first run,
+# bootstrap will fail (root SSH is disabled) — use site.yml for subsequent deploys.
+#
+# dkim_sync.yml is intentionally excluded: it requires the mail server to be
+# fully running and keys generated. Run it manually after confirming mail is up:
+#   ansible-playbook playbooks/dkim_sync.yml
+
+- import_playbook: provision.yml
+- import_playbook: dns.yml
+- import_playbook: storage_box.yml
+
+# Refresh inventory so the newly provisioned server IP is visible to subsequent plays
+- name: Refresh inventory
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  tasks:
+    - meta: refresh_inventory
+
+- import_playbook: bootstrap.yml
+- import_playbook: site.yml