fix(setup-pgbackrest): Sanitize pgbackrest wrapper script arguments

The pgbackrest wrapper script now sanitizes arguments passed to it.
This change removes potentially sensitive or command-injection-vulnerable arguments such as `--cmd`, `--repo-host-cmd`, and `--config` before executing the pgbackrest command. This enhances security by preventing accidental exposure of sensitive information.

Author: hunleyd

ansible/tasks/setup-pgbackrest.yml

@@ -75,7 +75,9 @@
   ansible.builtin.copy:
     content: |
       #!/bin/bash
-      exec sudo -u pgbackrest /var/lib/pgbackrest/.nix-profile/bin/pgbackrest "$@"
+      _raw_args="$@"
+      _sanitized_args=$(echo $_raw_args | sed -e 's/--cmd=[^ ]*//g; s/--repo-host-cmd=[^ ]*//g; s/--config=[^ ]*//g' )
+      exec sudo -u pgbackrest /var/lib/pgbackrest/.nix-profile/bin/pgbackrest "$_sanitized_args"
     dest: '/usr/bin/pgbackrest'
     group: 'root'
     mode: '0755'