Matthias Johnson
db70b4ba06
- Add storage_box role: generates SSH key pair, creates Hetzner Storage Box with known password, installs public key via install-ssh-key, writes storagebox.yml to stack config. Idempotent: skips key install if SSH key auth already works. - Add deploy.yml: one-shot playbook chaining provision → dns → storage_box → bootstrap → site for fresh deployments - Fix .envrc HCLOUD_TOKEN extraction stripping surrounding quotes from vault YAML values - Add restic_storagebox_password to vault template and setup.sh prompt - Add sshpass to README prerequisites Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
34 lines
1.2 KiB
YAML
34 lines
1.2 KiB
YAML
restic_backend_type: "sftp"
|
|
restic_password: ""
|
|
# restic_repo: set explicitly when restic_backend_type is not 'sftp'
|
|
|
|
# SFTP backend: path to the SSH private key on the controller and on the target server
|
|
# Both are written by storage_box.yml — no need to set these manually
|
|
restic_local_key_path: "{{ lookup('env', 'LINDERHOF_DIR') }}/restic_backup"
|
|
restic_ssh_key: /root/.ssh/restic_backup
|
|
|
|
restic_backup_paths: >-
|
|
{{
|
|
['/etc/letsencrypt', '/srv/caddy']
|
|
+ (['/etc/nebula'] if (enable_nebula | default(false)) else [])
|
|
+ (['/srv/forgejo'] if (enable_forgejo | default(false)) else [])
|
|
+ (['/srv/goaccess'] if (enable_goaccess | default(false)) else [])
|
|
+ (['/srv/mail'] if (enable_mail | default(false)) else [])
|
|
+ (['/srv/monitoring'] if (enable_monitoring | default(false)) else [])
|
|
+ (['/srv/tuwunel'] if (enable_tuwunel | default(false)) else [])
|
|
+ (['/srv/radicale'] if (enable_radicale | default(false)) else [])
|
|
+ (['/srv/diun'] if (enable_diun | default(false)) else [])
|
|
}}
|
|
|
|
restic_exclude_patterns:
|
|
- "**/tmp"
|
|
- "**/cache"
|
|
- "**/*.gz"
|
|
|
|
restic_backup_time: "02:00:00"
|
|
restic_prune_time: "04:00:00"
|
|
|
|
restic_retention:
|
|
daily: 7
|
|
weekly: 4
|
|
monthly: 6
|