Add BorgBase offsite backup repository (#142)

## Summary
- Adds BorgBase as a second borgmatic repository for offsite backups (US region, append-only)
- SSH key managed via 1Password, deployed to indri by Ansible
- Borgmatic `ssh_command` configured to use the dedicated BorgBase key
- BorgBase host key pinned in known_hosts via Ansible

## Post-merge deployment steps
1. Provision borgmatic: `mise run provision-indri -- --tags borgmatic`
2. Initialize the BorgBase repo: `ssh indri 'mise x -- borgmatic init --encryption repokey --repository borgbase-offsite'`
3. Export and store the borg repokey: `ssh indri 'borg key export ssh://k04ljcd7@k04ljcd7.repo.borgbase.com/./repo'` → save to 1Password
4. Verify first backup: `ssh indri 'mise x -- borgmatic create --repository borgbase-offsite --verbosity 1'`

## BorgBase setup (already done)
- Account created, API token in 1Password (`borgbase` item in blumeops vault)
- SSH keypair generated, stored in 1Password, public key uploaded to BorgBase (ID: 200815)
- Repository `indri-borgmatic` created (ID: k04ljcd7, US region, append-only, 2-day alert)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/142

ansible/playbooks/indri.yml

@@ -22,6 +22,22 @@
       no_log: true
       tags: [borgmatic]
 
+    - name: Fetch BorgBase SSH private key
+      ansible.builtin.command:
+        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/noiobufntsxyzageu7mvlp2nbe/ssh-private-key"
+      delegate_to: localhost
+      register: _borgbase_ssh_key
+      changed_when: false
+      no_log: true
+      check_mode: false
+      tags: [borgmatic]
+
+    - name: Set BorgBase SSH key fact
+      ansible.builtin.set_fact:
+        borgbase_ssh_private_key: "{{ _borgbase_ssh_key.stdout }}"
+      no_log: true
+      tags: [borgmatic]
+
     # Forgejo secrets
     - name: Fetch forgejo LFS JWT secret
       ansible.builtin.command:

ansible/roles/borgmatic/defaults/main.yml

@@ -17,12 +17,19 @@ borgmatic_source_directories:
   - /Users/erichblume/.config/borgmatic
   - /Users/erichblume/Documents
 
-# Backup repository
+# Backup repositories
 borgmatic_repositories:
   - path: /Volumes/backups/borg/
     label: sifaka-borg-backups
     encryption: repokey
     append_only: true
+  - path: ssh://k04ljcd7@k04ljcd7.repo.borgbase.com/./repo
+    label: borgbase-offsite
+    encryption: repokey
+    append_only: true
+
+# BorgBase SSH key (fetched from 1Password in playbook pre_tasks)
+borgmatic_borgbase_ssh_key_path: /Users/erichblume/.ssh/borgbase_ed25519
 
 # Exclude patterns
 borgmatic_exclude_patterns: []

ansible/roles/borgmatic/tasks/main.yml

@@ -19,6 +19,20 @@
     mode: '0600'
   no_log: true
 
+# BorgBase offsite backup - SSH key and host verification
+- name: Deploy BorgBase SSH private key
+  ansible.builtin.copy:
+    content: "{{ borgbase_ssh_private_key }}\n"
+    dest: "{{ borgmatic_borgbase_ssh_key_path }}"
+    mode: '0600'
+  no_log: true
+
+- name: Add BorgBase host key to known_hosts
+  ansible.builtin.known_hosts:
+    name: k04ljcd7.repo.borgbase.com
+    key: "k04ljcd7.repo.borgbase.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGU0mISTyHBw9tBs6SuhSq8tvNM8m9eifQxM+88TowPO"
+    state: present
+
 - name: Deploy borgmatic configuration
   ansible.builtin.template:
     src: config.yaml.j2

ansible/roles/borgmatic/templates/borgmatic.plist.j2

@@ -23,7 +23,7 @@
 		<string>create</string>
 	</array>
 	<key>RunAtLoad</key>
-	<true/>
+	<false/>
 	<key>StandardErrorPath</key>
 	<string>{{ borgmatic_log_dir }}/mcquack.borgmatic.err.log</string>
 	<key>StandardOutPath</key>

ansible/roles/borgmatic/templates/config.yaml.j2

@@ -31,6 +31,8 @@ exclude_patterns:
 
 encryption_passcommand: {{ borgmatic_encryption_passcommand }}
 
+ssh_command: ssh -o IdentitiesOnly=yes -i {{ borgmatic_borgbase_ssh_key_path }}
+
 # Retention policy
 keep_daily: {{ borgmatic_keep_daily }}
 keep_monthly: {{ borgmatic_keep_monthly }}

docs/changelog.d/feature-borgbase-offsite-backup.feature.md

@@ -0,0 +1 @@
+Add BorgBase offsite backup repository for 3-2-1 backup strategy