copr-keygen: better backup script

We need to have YYYY-MM-DD in file name to actually have correct
incremental backups.  Since we don't overwrite the old backup files now
and we have different filename each day, let's remove the old backup
files and keep only the last one (this is to mimic what happens with DB
backups on copr frontend, which runs
roles/postgresql_server/files/backup-database).

While on it, let's double-quote variable uses.

Per advice in:
https://pagure.io/fedora-infrastructure/issue/8904

roles/copr/keygen/files/backup_keyring.sh

@@ -4,8 +4,20 @@
 # root gpg keychain should have PUBLIC key with `user email` admin@fedoraproject.org
 
 PATH_TO_KEYRING_DIR="/var/lib/copr-keygen"
-OUTPUT_FILE="/backup/copr_keygen_keyring.tar.gz.gpg"
+BACKUP_DIR=/backup
+OUTPUT_FILE="$BACKUP_DIR/copr_keygen_keyring_$(date -I).tar.gz.gpg"
 
-tar --exclude="*agent*" -czPf - $PATH_TO_KEYRING_DIR |
-  gpg2 --output $OUTPUT_FILE.tmp --encrypt --recipient admin@fedoraproject.org --always-trust &&
-  mv $OUTPUT_FILE.tmp $OUTPUT_FILE
+tar --exclude="*agent*" -czPf - "$PATH_TO_KEYRING_DIR" \
+    | gpg2 --output "$OUTPUT_FILE".tmp --encrypt \
+           --recipient admin@fedoraproject.org --always-trust \
+&& mv "$OUTPUT_FILE.tmp" "$OUTPUT_FILE"
+
+# shell pattern matching provides sorted output
+previous=
+for file in "$BACKUP_DIR"/*; do
+    if test -n "$previous"; then
+        echo >&2 "removing $file"
+        rm "$file"
+    fi
+    previous=$file
+done