From 4275f2e8fef7b498a65e1f8f8acd88c6da35b90c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20=C5=BD=C3=A1=C4=8Dek?=
Date: Fri, 15 May 2026 19:49:58 +0200
Subject: [PATCH] Enable borgmatic timer and generate root SSH key for borg server The role now ensures the systemd timer is running (so backups actually fire on the schedule borgmatic ships by default) and generates an ed25519 key for root that can be authorized on the remote borg server. Also adds a testipaclient entry to backup_hosts.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 group_vars/all/backup.yml | 20 ++++++++++----------
 roles/backup/tasks/main.yml | 19 +++++++++++++++++++
 2 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/group_vars/all/backup.yml b/group_vars/all/backup.yml
index b14726a..2b91d52 100644
--- a/group_vars/all/backup.yml
+++ b/group_vars/all/backup.yml
@@ -3,13 +3,13 @@
 # Hosts not listed here are skipped by the `backup` role.
 # The value under each host is rendered verbatim as the borgmatic
 # config file (see https://torsion.org/borgmatic/docs/reference/configuration/).
-backup_hosts: {}
- # jim:
- # source_directories:
- # - /home
- # - /etc
- # repositories:
- # - path: ssh://user@backup.example.com/./backups/jim
- # keep_daily: 7
- # keep_weekly: 4
- # keep_monthly: 6
+backup_hosts:
+ testipaclient:
+ source_directories:
+ - /home/jakub
+ repositories:
+ - path: /var/backups/borg/jakub-home
+ label: jakub-home
+ keep_daily: 7
+ keep_weekly: 4
+ keep_monthly: 6
diff --git a/roles/backup/tasks/main.yml b/roles/backup/tasks/main.yml
index d2020c6..ebfa3f4 100644
--- a/roles/backup/tasks/main.yml
+++ b/roles/backup/tasks/main.yml
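Review bot: In group_vars/all/backup.yml the only repository for `testipaclient` is the local path `/var/backups/borg/jakub-home`, so the archive sits on the same host as `/home/jakub` and is lost or altered together with it on disk failure or host compromise. This also does not match the commit message, which describes a remote borg server. If the remote server is the intended target, the entry should carry an `ssh://` path of the shape shown in the `jim` example this hunk removes. That commented example was the only in-file illustration of the expected structure, so I would keep it below the live entry. No encryption setting appears in the rendered config, and whether the repository is initialised with encryption cannot be told from this hunk.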
@@ -28,3 +28,22 @@
 owner: root
 group: root
 mode: '0640'
+
+ - name: Ensure root has an SSH key for the borg server
+ ansible.builtin.user:
+ name: root
+ generate_ssh_key: true
+ ssh_key_type: ed25519
+ ssh_key_file: .ssh/id_ed25519
+ ssh_key_comment: "borgmatic@{{ inventory_hostname }}"
+ register: root_ssh
+
+ - name: Show root's SSH public key (add this to the borg server's authorized_keys)
+ ansible.builtin.debug:
+ msg: "{{ root_ssh.ssh_public_key }}"
+
+ - name: Enable and start borgmatic timer
+ ansible.builtin.systemd:
+ name: borgmatic.timer
+ enabled: true
+ state: started
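Review bot: The key created by `generate_ssh_key: true` has no passphrase and is written to root's default identity path `.ssh/id_ed25519`, so it is offered on every SSH connection root makes. If a key already exists at that path, the module keeps it rather than creating a borg-specific one. A dedicated file such as `ssh_key_file: .ssh/id_ed25519_borgmatic`, selected through borgmatic's `ssh_command` option, would keep the backup credential separate from root's general identity. The debug task name tells the operator to add the key to `authorized_keys` as printed; I would reword it to ask for a restricted entry, for example `command="borg serve --restrict-to-path <REPO_PATH>",restrict ssh-ed25519 ...`, so the key cannot open a shell or reach other repositories on the server. The hunk begins inside an earlier task, so any `when:` or block condition limiting these tasks to hosts listed in `backup_hosts` is not visible here.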