Alternatively, you might put your backup server behind a firewall, have it initiate the backup via ssh and use a reverse ssh tunnel you create only during backup to encrypt the whole thing like so:
ssh -R 1337:127.0.0.1:8000 user@host-to-be-backed-up "/usr/local/bin/restic -r rest:http://user:pass@localhost:1337/repo-name backup /path-to-be-backed-up --no-scan --password-command='echo $RESTIC_PASSWORD'"
All you need in this scenario is the backup server’s ssh pubkey in the authorized_keys file on the machine to be backed up and the restic repo password also stays on the backup server (e.g. in the backup script). rest-server in append-only mode and there is no way for the client machine to even reach the backup server.