Add backup role and manage_ssh_keys role

- Borgmatic backup role driven by per-host config in group_vars/all/backup.yml
- manage_ssh_keys role with add/remove paths; remove_ssh_key_playbook.yml uses it

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backup.yml

@@ -0,0 +1,8 @@
+---
+- name: Install borgmatic and deploy per-host config
+  hosts: all
+  become: true
+  tags: never,backup
+
+  roles:
+    - role: backup

group_vars/all/backup.yml

@@ -0,0 +1,15 @@
+---
+# Per-host borgmatic config. Keys must match inventory_hostname.
+# Hosts not listed here are skipped by the `backup` role.
+# The value under each host is rendered verbatim as the borgmatic
+# config file (see https://torsion.org/borgmatic/docs/reference/configuration/).
+backup_hosts: {}
+  # jim:
+  #   source_directories:
+  #     - /home
+  #     - /etc
+  #   repositories:
+  #     - path: ssh://user@backup.example.com/./backups/jim
+  #   keep_daily: 7
+  #   keep_weekly: 4
+  #   keep_monthly: 6

remove_ssh_key_playbook.yml

@@ -0,0 +1,6 @@
+- name: Remove SSH key
+  hosts: all
+  become: yes
+  roles:
+    - role: manage_ssh_keys
+      remove_user: true

roles/backup/tasks/main.yml

@@ -0,0 +1,30 @@
+---
+- name: Skip hosts without backup config
+  ansible.builtin.debug:
+    msg: "No entry in backup_hosts for {{ inventory_hostname }}; skipping backup role."
+  when: inventory_hostname not in (backup_hosts | default({}))
+
+- name: Configure borgmatic
+  when: inventory_hostname in (backup_hosts | default({}))
+  block:
+
+    - name: Install borgmatic
+      ansible.builtin.package:
+        name: borgmatic
+        state: present
+
+    - name: Ensure /etc/borgmatic exists
+      ansible.builtin.file:
+        path: /etc/borgmatic
+        state: directory
+        owner: root
+        group: root
+        mode: '0750'
+
+    - name: Deploy borgmatic config
+      ansible.builtin.template:
+        src: borgmatic.yaml.j2
+        dest: /etc/borgmatic/config.yaml
+        owner: root
+        group: root
+        mode: '0640'

roles/backup/templates/borgmatic.yaml.j2

@@ -0,0 +1,3 @@
+#jinja2: trim_blocks: True, lstrip_blocks: True
+# Managed by Ansible — do not edit by hand.
+{{ backup_hosts[inventory_hostname] | to_nice_yaml(indent=2, width=1000) }}

roles/manage_ssh_keys/tasks/add_ssh_key.yml

@@ -0,0 +1,4 @@
+- name: Add user and authorized key
+  authorized_keys:
+    user: "{{ user }}"
+    key: "{{ key }}"

roles/manage_ssh_keys/tasks/main.yml

@@ -0,0 +1,5 @@
+- include_tasks: add_ssh_key.yml
+  when: add_user | default(false)
+
+- include_tasks: remove_ssh_key.yml
+  when: remove_user | default(false)

roles/manage_ssh_keys/tasks/remove_ssh_key.yml

@@ -0,0 +1,10 @@
+- name: Remove authorized key
+  authorized_keys:
+    user: "{{ user }}"
+    key: "{{ key }}"
+    state: absent
+
+- name: Ensure user is absent
+  user:
+    name: "{{ user }}"
+    state: absent