Add storage_box playbook and fix HCLOUD_TOKEN extraction

- Add storage_box role: generates SSH key pair, creates Hetzner Storage
  Box with known password, installs public key via install-ssh-key,
  writes storagebox.yml to stack config. Idempotent: skips key install
  if SSH key auth already works.
- Add deploy.yml: one-shot playbook chaining provision → dns →
  storage_box → bootstrap → site for fresh deployments
- Fix .envrc HCLOUD_TOKEN extraction stripping surrounding quotes from
  vault YAML values
- Add restic_storagebox_password to vault template and setup.sh prompt
- Add sshpass to README prerequisites

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

playbooks/storage_box.yml

@@ -0,0 +1,25 @@
+---
+# Configure a Hetzner Storage Box for restic backups.
+# Run once before the first restic deployment (enable_restic: true).
+#
+# Prerequisites:
+#   - restic_storagebox_id set in config.yml
+#   - hetzner_robot_user / hetzner_robot_password set in vault.yml
+#
+# What it does:
+#   1. Generates an SSH key pair in LINDERHOF_DIR (skips if already present)
+#   2. Fetches storage box details from Robot API (derives restic_user / restic_host)
+#   3. Enables SSH access on the storage box
+#   4. Uploads the public key (replaces any existing key with the same label)
+#   5. Writes LINDERHOF_DIR/group_vars/all/storagebox.yml — loaded automatically
+#      by Ansible on subsequent runs, no manual config edits required
+
+- name: Configure Hetzner Storage Box for restic backups
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  become: false
+
+  roles:
+    - role: storage_box
+      tags: storage_box