Linux: best practice, setting up restic system account etc

Hello,

I have some best practice questions about setting up restic on a linux file server. I’ve searched the forum and the docs for answers, but haven’t uncovered them yet.

Background:
We are investigating alternatives to our current proprietary cloud-based backup system. We need to back up a file server and (less critically) some user directories on laptops. Cloud backup is not our only backup strategy, but it is run multiple times during the working day and is probably the preferred means of restoring files because of ease of use.

Restic is one of the solutions that we are looking at. Our file server runs Debian (12 - current stable), and data is stored in ZFS pools (set to create snapshots every 5-min), with files served to users using Samba. Our cloud back end will be GCP (nearline storage buckets with unlimited object versioning - nothing is permanently deleted until a 7 year rule kicks in).

Questions:
I’m looking for some best practice hints/tips on setting up restic on the server. For example, is it recommended to create a service account (no home directory) for restic, and then place the cache directory in ‘/opt/restic/cache’ or similar? What permissions does the restic user need - presumably read/write access to the cache directory, but is there anything else (I intend on locking this account down with minimal access to anything else)? Presumably only the restic user will need access to the cache directory, and it will be happy with read-only access to the files it is backing up so it cannot modify them if the system account is ever compromised?

I note that the docs say that restic doesn’t follow symlinks or back up some metadata such as atime. As file owner/group IDs and create/modify times are not included in the examples of metadata that is not backed up, is it the case that these are included? [EDIT: Just realised that the manual has more information on what restic does with metadata than the guide I was reading on the website.]

That’s it for now, and thanks in advance to anyone that responds!

Restic needs write access to a tmp folder and a cache directory, see Manual — restic 0.16.4 documentation.

You might want to take a look at the running without root docs: Examples — restic 0.16.4 documentation.
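The provisioning the original post asks about, written out as an added example (not code from the thread or from the restic project). It creates a system account with no home directory and no login shell, gives it a private 0700 cache directory, and grants read access to the data through the file capability that restic's running-without-root documentation describes, so the account itself stays unprivileged and never gains write access to the files it backs up. The account name `restic`, the cache path `/opt/restic/cache`, the data path `/srv/data` and the binary path `/usr/bin/restic` are assumptions taken from or invented for this example; `check_cache_dir` is a small verification step so the result can be audited after the fact.

```shell
#!/bin/sh
# Added example: provision a locked-down restic service account on Debian 12.
# All paths and names below are assumptions for the example, not values from the thread.
RESTIC_USER="${RESTIC_USER:-restic}"
RESTIC_CACHE="${RESTIC_CACHE:-/opt/restic/cache}"     # cache dir proposed in the question
RESTIC_BIN="${RESTIC_BIN:-/usr/bin/restic}"            # assumed install location
DATA_ROOT="${DATA_ROOT:-/srv/data}"                    # hypothetical ZFS-backed share path

# System account: no home directory, no interactive shell, its own primary group.
create_service_account() {
  adduser --system --group --no-create-home --shell /usr/sbin/nologin "$RESTIC_USER"
}

# Cache directory owned by the service account only (mode 0700). Restic needs
# write access here; nothing else on the host needs to read it.
# Usage: create_cache_dir DIR OWNER [GROUP]
create_cache_dir() {
  dir=$1; owner=$2; group=${3:-}
  install -d -m 0700 "$dir"
  chown "$owner${group:+:$group}" "$dir"
}

# Read-only access to the data: CAP_DAC_READ_SEARCH on the restic binary lets it
# read and traverse any file or directory (the approach in restic's
# running-without-root docs) without granting write permission anywhere.
# The capability is lost when the binary is replaced, so re-run this after upgrades.
grant_readonly_data_access() {
  setcap cap_dac_read_search=+ep "$RESTIC_BIN"
}

# Verification: directory exists, is mode 700, and is owned by OWNER.
# Returns 0 on success, 1 otherwise.
check_cache_dir() {
  dir=$1; owner=$2
  [ -d "$dir" ] || return 1
  mode=$(stat -c '%a' "$dir")
  own=$(stat -c '%U' "$dir")
  [ "$mode" = "700" ] && [ "$own" = "$owner" ]
}

# Full provisioning run; requires root. Only executed when invoked as: sh script.sh provision
provision() {
  create_service_account
  create_cache_dir "$RESTIC_CACHE" "$RESTIC_USER" "$RESTIC_USER"
  grant_readonly_data_access
  check_cache_dir "$RESTIC_CACHE" "$RESTIC_USER" || { echo "cache dir check failed" >&2; exit 1; }
  # Backups then run as the unprivileged account, e.g. via cron or a systemd unit:
  #   sudo -u "$RESTIC_USER" RESTIC_CACHE_DIR="$RESTIC_CACHE" "$RESTIC_BIN" backup "$DATA_ROOT"
  echo "provisioned $RESTIC_USER with cache $RESTIC_CACHE"
}

if [ "${1:-}" = "provision" ]; then
  provision
fi
```

Because the capability sits on the binary rather than the account, a compromise of the `restic` user yields read access to the data and write access only to its own cache and temp directory (set `TMPDIR` to a private location as well); it does not give a path to modifying the files served to users, which is the property the question asks for.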