From 572022b557913b7ff0dfac7e89c54a1286ec6d4c Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sat, 29 Mar 2025 09:34:17 -0500
Subject: [PATCH] restic: Trust dch-root-ca certificate

Since the MinIO server that Restic uses to store snapshots has a
certificate signed by the DCH CA, we need to trust the root certificate
in order to communicate with it.  Existing servers already had this CA
trusted by the `pyrocufflink.yml` playbook, but new servers are not
(usually) AD domain members anymore, so we need to be explicit now.
---
 restic.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/restic.yml b/restic.yml
index c014776..5246a60 100644
--- a/restic.yml
+++ b/restic.yml
@@ -1,5 +1,10 @@
 - hosts: restic
   roles:
+  - role: trustca
+    ca: dch-root-ca-r2
+    tags:
+    - trustca
+    - dch-root-ca
   - role: restic
     tags:
     - restic