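# systemd service unit: back up the whole filesystem ("/") with restic.
# The job runs as a transient unprivileged user (DynamicUser=) that holds one
# capability, CAP_DAC_READ_SEARCH, instead of running as root.

[Unit]
Description=Make a backup of the system using Restic
After=syslog.target
# NOTE(review): network.target does not wait for connectivity. If the
# repository named in /var/lib/restic/rest-server is remote, ordering after
# (and wanting) network-online.target is the usual choice; confirm against
# the deployment before changing it.
After=network.target

[Service]
Type=simple
# DynamicUser= also implies ProtectSystem=strict, ProtectHome=read-only,
# PrivateTmp=, RemoveIPC=, NoNewPrivileges= and RestrictSUIDSGID=.
# Because of PrivateTmp=, the host's /tmp and /var/tmp are not seen by restic
# and therefore are not part of the backup.
DynamicUser=true
StateDirectory=restic
# The state directory holds the repository password file; keep it owner-only.
StateDirectoryMode=0700
CacheDirectory=restic
# restic reads the repository location and the repository password from files,
# so neither value appears in the unit or on the command line.
Environment=RESTIC_REPOSITORY_FILE=/var/lib/restic/rest-server
Environment=RESTIC_PASSWORD_FILE=/var/lib/restic/backup-key
# "restic" has no absolute path, so systemd resolves it through its built-in
# search path. $CACHE_DIRECTORY is set by systemd because of CacheDirectory=.
ExecStart=restic backup --exclude-file=/var/lib/restic/exclude --cache-dir $CACHE_DIRECTORY /
# Allow Restic to bypass file read permission checks and directory read and execute permission checks.
# This makes every file on the host readable by the service, so treat the unit,
# the restic binary and the repository credentials as sensitive.
AmbientCapabilities=CAP_DAC_READ_SEARCH
# Limit the bounding set to the one capability the job needs, so nothing it
# executes can hold any other capability.
CapabilityBoundingSet=CAP_DAC_READ_SEARCH

[Install]
WantedBy=multi-user.target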