borg_passphrase is required (Semaphore secret, same across hosts).
The role writes it to /etc/borgmatic/passphrase (0600 root) and
configures borgmatic to use BORG_PASSCOMMAND=cat /etc/borgmatic/passphrase,
and runs `borg init --encryption=repokey-blake2` with BORG_PASSPHRASE in
the env. no_log on the tasks that touch the passphrase.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The URI was wrong — BorgWarehouse uses a single shared SSH user
(`borgwarehouse`) and routes by the repo id in the path, so the form
is `ssh://<borgSshHost>/./<repo.id>` (not per-repo user with /./repos).
Role now also trusts the borg server's SSH host key in root's
known_hosts and runs `borg init --encryption=none` (idempotent — treats
"already exists" as success) so first backups don't need manual prep.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
backup role now logs into borgcontroller and creates (or looks up) a
repository with alias=inventory_hostname, registering root's pubkey and
the requested storageSize. The resulting SSH URI is injected into the
borgmatic config so each host gets a remote-managed repo without manual
config.
backup_hosts entries gain a `storage_size_gb` field (stripped before
templating) and lose the manual `repositories` entry — the role fills it.
borgcontroller_{username,password} are expected from Semaphore secrets.
Also gitignores .claude/ local state.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
jakub
