ansible/roles
jakub 54e111338d Encrypt borg repos with repokey-blake2 + shared passphrase
borg_passphrase is required (Semaphore secret, same across hosts).
The role writes it to /etc/borgmatic/passphrase (0600 root) and
configures borgmatic to use BORG_PASSCOMMAND=cat /etc/borgmatic/passphrase,
and runs `borg init --encryption=repokey-blake2` with BORG_PASSPHRASE in
the env. no_log on the tasks that touch the passphrase.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 21:58:14 +02:00