eliasp/restic@.service

## restic@.service
[Unit]
Description=Backup %I using 'restic'
ConditionFileNotEmpty=/etc/restic/%i/restic.env
ConditionPathExists=/etc/restic/%i/backup.exclude

[Service]
# /run, /tmp are intentionally not --exclude'd as those are tmpfs anyways and therefore already excluded by --one-file-system
ExecStart=/usr/local/bin/restic backup --cache-dir=/var/cache/restic/%i --one-file-system --exclude-file=/etc/restic/%i/backup.exclude --exclude=/var/cache/* --exclude=/var/tmp/* --exclude=/home/*/.cache/* /
Type=simple
EnvironmentFile=/etc/restic/%i/restic.env
DynamicUser=yes
PrivateTmp=no
PrivateDevices=yes
CacheDirectory=restic/%i
CacheDirectoryMode=0700
ConfigurationDirectory=restic/%i
ConfigurationDirectoryMode=0700
LogsDirectory=restic/%i
SystemCallFilter=@basic-io @default @file-system @io-event @network-io @process @signal getrandom ioctl sched_getaffinity
SystemCallErrorNumber=EPERM
AmbientCapabilities=CAP_DAC_READ_SEARCH
IPAccounting=yes
IOSchedulingClass=idle
CPUSchedulingPolicy=idle
	[Unit]
	Description=Backup %I using 'restic'
	ConditionFileNotEmpty=/etc/restic/%i/restic.env
	ConditionPathExists=/etc/restic/%i/backup.exclude

	[Service]
	# /run, /tmp are intentionally not --exclude'd as those are tmpfs anyways and therefore already excluded by --one-file-system
	ExecStart=/usr/local/bin/restic backup --cache-dir=/var/cache/restic/%i --one-file-system --exclude-file=/etc/restic/%i/backup.exclude --exclude=/var/cache/* --exclude=/var/tmp/* --exclude=/home//.cache/ /
	Type=simple
	EnvironmentFile=/etc/restic/%i/restic.env
	DynamicUser=yes
	PrivateTmp=no
	PrivateDevices=yes
	CacheDirectory=restic/%i
	CacheDirectoryMode=0700
	ConfigurationDirectory=restic/%i
	ConfigurationDirectoryMode=0700
	LogsDirectory=restic/%i
	SystemCallFilter=@basic-io @default @file-system @io-event @network-io @process @signal getrandom ioctl sched_getaffinity
	SystemCallErrorNumber=EPERM
	AmbientCapabilities=CAP_DAC_READ_SEARCH
	IPAccounting=yes
	IOSchedulingClass=idle
	CPUSchedulingPolicy=idle