restic: Trust dch-root-ca certificate

Since the MinIO server that Restic uses to store snapshots has a
certificate signed by the DCH CA, we need to trust the root certificate
in order to communicate with it.  Existing servers already had this CA
trusted by the `pyrocufflink.yml` playbook, but new servers are not
(usually) AD domain members anymore, so we need to be explicit now.

restic.yml

@@ -1,5 +1,10 @@
 - hosts: restic
   roles:
+  - role: trustca
+    ca: dch-root-ca-r2
+    tags:
+    - trustca
+    - dch-root-ca
   - role: restic
     tags:
     - restic