Enable borgmatic timer and generate root SSH key for borg server

The role now ensures the systemd timer is running (so backups actually
fire on the schedule borgmatic ships by default) and generates an
ed25519 key for root that can be authorized on the remote borg server.

Also adds a testipaclient entry to backup_hosts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

group_vars/all/backup.yml

@@ -3,13 +3,13 @@
 # Hosts not listed here are skipped by the `backup` role.
 # The value under each host is rendered verbatim as the borgmatic
 # config file (see https://torsion.org/borgmatic/docs/reference/configuration/).
-backup_hosts: {}
-  # jim:
-  #   source_directories:
-  #     - /home
-  #     - /etc
-  #   repositories:
-  #     - path: ssh://user@backup.example.com/./backups/jim
-  #   keep_daily: 7
-  #   keep_weekly: 4
-  #   keep_monthly: 6
+backup_hosts:
+  testipaclient:
+    source_directories:
+      - /home/jakub
+    repositories:
+      - path: /var/backups/borg/jakub-home
+        label: jakub-home
+    keep_daily: 7
+    keep_weekly: 4
+    keep_monthly: 6

roles/backup/tasks/main.yml

@@ -28,3 +28,22 @@
         owner: root
         group: root
         mode: '0640'
+
+    - name: Ensure root has an SSH key for the borg server
+      ansible.builtin.user:
+        name: root
+        generate_ssh_key: true
+        ssh_key_type: ed25519
+        ssh_key_file: .ssh/id_ed25519
+        ssh_key_comment: "borgmatic@{{ inventory_hostname }}"
+      register: root_ssh
+
+    - name: Show root's SSH public key (add this to the borg server's authorized_keys)
+      ansible.builtin.debug:
+        msg: "{{ root_ssh.ssh_public_key }}"
+
+    - name: Enable and start borgmatic timer
+      ansible.builtin.systemd:
+        name: borgmatic.timer
+        enabled: true
+        state: started