Add backup role and manage_ssh_keys role

- Borgmatic backup role driven by per-host config in group_vars/all/backup.yml
- manage_ssh_keys role with add/remove paths; remove_ssh_key_playbook.yml uses it

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

roles/backup/tasks/main.yml

@@ -0,0 +1,30 @@
+---
+- name: Skip hosts without backup config
+  ansible.builtin.debug:
+    msg: "No entry in backup_hosts for {{ inventory_hostname }}; skipping backup role."
+  when: inventory_hostname not in (backup_hosts | default({}))
+
+- name: Configure borgmatic
+  when: inventory_hostname in (backup_hosts | default({}))
+  block:
+
+    - name: Install borgmatic
+      ansible.builtin.package:
+        name: borgmatic
+        state: present
+
+    - name: Ensure /etc/borgmatic exists
+      ansible.builtin.file:
+        path: /etc/borgmatic
+        state: directory
+        owner: root
+        group: root
+        mode: '0750'
+
+    - name: Deploy borgmatic config
+      ansible.builtin.template:
+        src: borgmatic.yaml.j2
+        dest: /etc/borgmatic/config.yaml
+        owner: root
+        group: root
+        mode: '0640'

roles/backup/templates/borgmatic.yaml.j2

@@ -0,0 +1,3 @@
+#jinja2: trim_blocks: True, lstrip_blocks: True
+# Managed by Ansible — do not edit by hand.
+{{ backup_hosts[inventory_hostname] | to_nice_yaml(indent=2, width=1000) }}