- Always run install-ssh-key (drop the unreliable sftp idempotency check, which was bypassed by SSH agent forwarding)
- Use sshpass -e (env var) instead of -p to avoid shell quoting issues with special characters in passwords
- Add -o IdentitiesOnly=yes to prevent agent keys from interfering
- Add reachable_externally: true to access_settings (it was being reset to false on every run)
- Remove storage_box.yml from the deploy.yml chain — Ansible loads group_vars at startup, so storagebox.yml must exist before deploy.yml runs
- Document storage_box.yml as a prerequisite step in README, CLAUDE.md, and setup.sh next steps

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
- name: Generate restic SSH key pair
ansible.builtin.command:
cmd: >-
ssh-keygen -t ed25519
-f {{ restic_local_key_path }}
-N ""
-C "restic-{{ server_name }}"
creates: "{{ restic_local_key_path }}"
check_mode: false
- name: Check if SSH public key exists
ansible.builtin.stat:
path: "{{ restic_local_key_path }}.pub"
register: ssh_pub_key_stat
- name: Read SSH public key
ansible.builtin.slurp:
src: "{{ restic_local_key_path }}.pub"
register: ssh_pub_key_raw
when: ssh_pub_key_stat.stat.exists
- name: Set public key fact
ansible.builtin.set_fact:
restic_ssh_pub_key: "{{ ssh_pub_key_raw.content | b64decode | trim }}"
when: ssh_pub_key_stat.stat.exists
- name: Configure Hetzner Storage Box
hetzner.hcloud.storage_box:
name: "{{ restic_storagebox_name }}"
storage_box_type: "{{ restic_storagebox_type | default(omit) }}"
location: "{{ restic_storagebox_location | default(omit) }}"
password: "{{ restic_storagebox_password }}"
api_token: "{{ hcloud_token }}"
access_settings:
ssh_enabled: true
reachable_externally: true
state: present
register: storagebox_result
when: ssh_pub_key_stat.stat.exists
- name: Install SSH public key on Storage Box
ansible.builtin.shell: |
cat {{ restic_local_key_path }}.pub | \
sshpass -e \
ssh -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -p 23 \
{{ storagebox_result.hcloud_storage_box.username }}@{{ storagebox_result.hcloud_storage_box.server }} \
install-ssh-key
environment:
SSHPASS: "{{ restic_storagebox_password }}"
no_log: true
when: ssh_pub_key_stat.stat.exists
- name: Write storagebox.yml to stack config directory
ansible.builtin.copy:
content: |
---
# Storage box config — written automatically by storage_box.yml, do not edit manually
restic_user: {{ storagebox_result.hcloud_storage_box.username }}
restic_host: {{ storagebox_result.hcloud_storage_box.server }}
restic_ssh_port: {{ restic_ssh_port }}
restic_remote_path: {{ restic_remote_path }}
restic_ssh_key: {{ restic_ssh_key }}
restic_local_key_path: {{ restic_local_key_path }}
dest: "{{ lookup('env', 'ANSIBLE_INVENTORY') | dirname }}/group_vars/all/storagebox.yml"
mode: "0600"
when: ssh_pub_key_stat.stat.exists
- name: Print connection info
ansible.builtin.debug:
msg:
- "Storage box configured successfully"
- "User: {{ storagebox_result.hcloud_storage_box.username }}"
- "Host: {{ storagebox_result.hcloud_storage_box.server }}"
- "Remote path: {{ restic_remote_path }}"
- "Local key: {{ restic_local_key_path }}"
- "Next: set enable_restic: true and run site.yml or restic.yml"
when: ssh_pub_key_stat.stat.exists
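Review bot: The `-o StrictHostKeyChecking=no` in the "Install SSH public key on Storage Box" task disables host-key verification on a connection that authenticates with the Storage Box password from SSHPASS, so a wrong or impersonated endpoint would receive that password and the freshly generated public key without any warning; the commit hardens this task with IdentitiesOnly=yes and sshpass -e but leaves this open. Prefer `ssh -o StrictHostKeyChecking=accept-new -o IdentitiesOnly=yes -p 23 \`, which still accepts a first-seen key but refuses a changed one, or pre-seed known_hosts with the Storage Box host key and keep the default strict mode. The port is also hard-coded as `-p 23` while the generated storagebox.yml records `restic_ssh_port: {{ restic_ssh_port }}`, so the two can drift apart; `-p {{ restic_ssh_port }}` keeps them in step. In the copy task's content, the six templated values are written as plain scalars, so a value containing a YAML indicator or a number-like string would be re-typed or break the generated file when group_vars are loaded; quoting them, e.g. `restic_remote_path: "{{ restic_remote_path }}"`, avoids this.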