Tested March 2026<\/strong> | restic 0.18.1 on Ubuntu 24.04 and Rocky Linux 10.1. Backends verified: self-hosted MinIO, AWS S3 (eu-west-1), and Google Cloud Storage. Works on any Linux distribution with systemd.<\/em><\/p>\n\n\n\n Restic is a single static binary with zero dependencies. Distribution package managers often ship older versions, so the recommended approach is to grab the latest release directly from GitHub. This works on any Linux distribution.<\/p>\n\n\n\n Pull the latest version number from the GitHub API:<\/p>\n\n\n\n At the time of writing, this returns:<\/p>\n\n\n\n Download, extract, and install the binary:<\/p>\n\n\n\n On RHEL-based distributions with SELinux enforcing, fix the file context so systemd can execute it later:<\/p>\n\n\n\n Verify the installation:<\/p>\n\n\n\n The output confirms the installed version:<\/p>\n\n\n\n The Restic works with any S3-compatible object store, local repositories, SFTP, and native cloud provider APIs. Pick one backend below, complete its setup, then continue to “Initialize the Repository” where the workflow is the same regardless of which option you chose.<\/p>\n\n\n\n MinIO provides an S3-compatible API on your own hardware. If you already have an AWS S3 bucket, Backblaze B2 account, or Wasabi subscription, skip this entire section. The restic commands in the rest of the guide work identically regardless of the S3 provider.<\/p>\n\n\n\n Run these steps on the MinIO server (10.0.1.51 in this example). MinIO distributes a single static binary, so installation is straightforward:<\/p>\n\n\n\n On distributions with SELinux enforcing (RHEL, Rocky, AlmaLinux, Fedora), the downloaded binary carries a The relabeling output confirms the context change:<\/p>\n\n\n\n Skip this step on distributions using AppArmor (Ubuntu, Debian, SUSE) since AppArmor does not enforce file context labels on binaries this way.<\/p>\n\n\n\n Create a dedicated user and data directory for MinIO:<\/p>\n\n\n\n Create the environment file with MinIO credentials:<\/p>\n\n\n\n Set these values:<\/p>\n\n\n\n Lock down permissions on that file since it contains credentials:<\/p>\n\n\n\n Now create the systemd unit file:<\/p>\n\n\n\n Paste this unit file:<\/p>\n\n\n\n On Rocky Linux, set the correct SELinux context on the data directory as well:<\/p>\n\n\n\n Enable and start MinIO:<\/p>\n\n\n\n Check the service status:<\/p>\n\n\n\n The service should show active (running) with MinIO listening on ports 9000 (API) and 9001 (console).<\/p>\n\n\n\n Open the firewall ports. On distributions using firewalld (RHEL, Rocky, AlmaLinux, Fedora):<\/p>\n\n\n\n On distributions using ufw (Ubuntu, Debian):<\/p>\n\n\n\n Install the MinIO client ( On SELinux distributions, apply the same context fix:<\/p>\n\n\n\n Configure the alias and create a bucket for restic:<\/p>\n\n\n\n The bucket creation confirms with:<\/p>\n\n\n\n The MinIO Object Browser at Inside the Restic supports AWS S3 natively. The setup involves creating a dedicated S3 bucket, an IAM user with minimal permissions, and passing the credentials to restic.<\/p>\n\n\n\n From any machine with the AWS CLI configured, create the bucket in your preferred region:<\/p>\n\n\n\n Create a dedicated IAM user for restic (never use your root account credentials for automated backups):<\/p>\n\n\n\n Attach an inline policy that limits this user to the backup bucket only:<\/p>\n\n\n\n Generate access keys for the new user:<\/p>\n\n\n\n Save the Once restic initializes and backs up data, the S3 bucket contains the encrypted repository structure:<\/p>\n\n\n\n Restic also has native Google Cloud Storage support. The authentication uses a service account key file rather than environment variables.<\/p>\n\n\n\n From a machine with the Create a dedicated service account for restic:<\/p>\n\n\n\n Grant the service account permission to read and write objects in the backup bucket:<\/p>\n\n\n\n Generate a JSON key file and copy it to the backup client:<\/p>\n\n\n\n Transfer the key file to the backup client and secure it:<\/p>\n\n\n\n The GCS bucket in the Cloud Storage browser shows the same restic repository layout after initialization:<\/p>\n\n\n\n With your storage backend ready, the restic commands from here forward are identical regardless of which option you chose.<\/p>\n\n\n\n Back on the backup client (10.0.1.50), set the environment variables that restic needs to connect to the storage backend and encrypt the repository. The specific variables depend on which backend you configured above.<\/p>\n\n\n\n For MinIO:<\/p>\n\n\n\n For AWS S3:<\/p>\n\n\n\n For Google Cloud Storage:<\/p>\n\n\n\n All backends need the encryption password:<\/p>\n\n\n\n Critical:<\/strong> the Initialize the repository:<\/p>\n\n\n\n Restic creates the repository structure inside the S3 bucket:<\/p>\n\n\n\n With the repository initialized, run a backup of the directories you want to protect. This example backs up Restic scans, deduplicates, encrypts, and uploads the data. The verbose output shows exactly what happened:<\/p>\n\n\n\n All 81 files (44.749 MiB) were encrypted and stored. The “stored” size is nearly identical because random binary data does not compress, which is expected. Text-heavy directories like List all snapshots in the repository:<\/p>\n\n\n\n The snapshot table shows the ID, timestamp, hostname, tags, and paths:<\/p>\n\n\n\n Restic’s block-level deduplication is where it really shines. On subsequent runs, only new and changed blocks get uploaded. To demonstrate, modify an existing file and add a new one:<\/p>\n\n\n\n Now run the backup again:<\/p>\n\n\n\n The difference is dramatic compared to the initial backup:<\/p>\n\n\n\n Out of 82 files totaling 45 MiB, restic transferred only 234 KiB. It recognized the 80 unchanged files from the parent snapshot and skipped them entirely. This is what makes restic practical for daily automated backups: the network and storage cost after the first run is minimal.<\/p>\n\n\n\n Restoring an entire snapshot takes a single command. Specify the target directory where restic should write the restored files (it recreates the original directory structure inside it):<\/p>\n\n\n\n The restore completes almost instantly for this dataset:<\/p>\n\n\n\n Verify the restored files match the originals:<\/p>\n\n\n\n No output from diff means every file matches. You can also use For partial restores, use the This pulls just the configs directory without touching anything else. Useful when a single config file gets corrupted and you need it back quickly.<\/p>\n\n\n\n Without a retention policy, the repository grows indefinitely. The Restic evaluates each snapshot against the retention rules and reports the outcome:<\/p>\n\n\n\n Since we only have two snapshots, nothing was removed. Once you accumulate more than 7 daily snapshots, the oldest ones outside the retention window get pruned automatically. Run this command after every backup (the systemd timer in the next section handles this).<\/p>\n\n\n\n Restic can verify the internal consistency of a repository regardless of backend. Run this periodically (weekly is a good starting point) to catch corruption before you need to restore:<\/p>\n\n\n\n A healthy repository shows:<\/p>\n\n\n\n For a deeper check that re-reads and verifies every data blob (slower, uses bandwidth on cloud backends):<\/p>\n\n\n\n Use the quick Manual backups are backups that don’t happen. A systemd timer runs the backup on a schedule, retries on failure, and logs everything to journald. Start by storing the credentials in a secure environment file.<\/p>\n\n\n\n Create the environment file:<\/p>\n\n\n\n Add the repository credentials matching your chosen backend. For MinIO:<\/p>\n\n\n\n For AWS S3, use your IAM access key and the S3 repository URL instead:<\/p>\n\n\n\n For GCS, point to the service account key file and set the project ID:<\/p>\n\n\n\n Lock down the file permissions so only root can read it:<\/p>\n\n\n\n Create the backup service unit:<\/p>\n\n\n\n The service runs restic backup and then prunes old snapshots in a single shot:<\/p>\n\n\n\n The Create the timer:<\/p>\n\n\n\n Add the timer configuration:<\/p>\n\n\n\n The Enable and start the timer:<\/p>\n\n\n\n Verify the timer is scheduled:<\/p>\n\n\n\n The output shows when the next backup will trigger:<\/p>\n\n\n\n To test the backup immediately without waiting for the schedule:<\/p>\n\n\n\n Check the journal output to confirm the backup and pruning completed successfully. Any errors (network timeouts, permission issues, wrong credentials) appear here.<\/p>\n\n\n\n All the backends covered in this guide (MinIO, AWS S3, Google Cloud Storage) use the same restic commands for backup, restore, and maintenance. The choice comes down to cost, control, and where your infrastructure lives.<\/p>\n\n\n\nPrerequisites<\/h2>\n\n\n\n
\n
systemd<\/code> works: Ubuntu, Debian, Rocky, AlmaLinux, RHEL, Fedora, SUSE, Arch, etc.<\/li>\nwget<\/code>, bzip2<\/code>, and curl<\/code> for downloading binaries<\/li>\nInstall Restic<\/h2>\n\n\n\n
VER=$(curl -sL https:\/\/api.github.com\/repos\/restic\/restic\/releases\/latest | grep tag_name | head -1 | sed 's\/.*\"v\\([^\"]*\\)\".*\/\\1\/')\necho $VER<\/code><\/pre>\n\n\n\n0.18.1<\/code><\/pre>\n\n\n\nwget https:\/\/github.com\/restic\/restic\/releases\/download\/v${VER}\/restic_${VER}_linux_amd64.bz2\nbunzip2 restic_${VER}_linux_amd64.bz2\nsudo mv restic_${VER}_linux_amd64 \/usr\/local\/bin\/restic\nsudo chmod +x \/usr\/local\/bin\/restic<\/code><\/pre>\n\n\n\nsudo restorecon -v \/usr\/local\/bin\/restic<\/code><\/pre>\n\n\n\nrestic version<\/code><\/pre>\n\n\n\nrestic 0.18.1 compiled with go1.25.1 on linux\/amd64<\/code><\/pre>\n\n\n\n$VER<\/code> variable ensures you always get the latest stable release. When a new version ships, re-run the same commands to upgrade.<\/p>\n\n\n\nPrepare Your Storage Backend<\/h2>\n\n\n\n
Option A: Self-Hosted MinIO<\/h3>\n\n\n\n
wget https:\/\/dl.min.io\/server\/minio\/release\/linux-amd64\/minio\nsudo mv minio \/usr\/local\/bin\/minio\nsudo chmod +x \/usr\/local\/bin\/minio<\/code><\/pre>\n\n\n\nFix SELinux Context for MinIO<\/h4>\n\n\n\n
user_tmp_t<\/code> context. Without fixing this, systemd refuses to execute it with exit code 203 and a “Permission denied” entry in journalctl. The fix is a single restorecon command:<\/p>\n\n\n\nsudo restorecon -v \/usr\/local\/bin\/minio<\/code><\/pre>\n\n\n\nRelabeled \/usr\/local\/bin\/minio from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:bin_t:s0<\/code><\/pre>\n\n\n\nCreate the MinIO Service<\/h4>\n\n\n\n
sudo useradd -r -s \/sbin\/nologin minio-user\nsudo mkdir -p \/data\/minio\nsudo chown minio-user:minio-user \/data\/minio<\/code><\/pre>\n\n\n\nsudo vi \/etc\/default\/minio<\/code><\/pre>\n\n\n\nMINIO_ROOT_USER=minioadmin\nMINIO_ROOT_PASSWORD=your-minio-password\nMINIO_VOLUMES=\"\/data\/minio\"\nMINIO_OPTS=\"--console-address :9001\"<\/code><\/pre>\n\n\n\nsudo chmod 600 \/etc\/default\/minio<\/code><\/pre>\n\n\n\nsudo vi \/etc\/systemd\/system\/minio.service<\/code><\/pre>\n\n\n\n[Unit]\nDescription=MinIO Object Storage\nAfter=network-online.target\nWants=network-online.target\n\n[Service]\nType=notify\nUser=minio-user\nGroup=minio-user\nEnvironmentFile=\/etc\/default\/minio\nExecStart=\/usr\/local\/bin\/minio server $MINIO_VOLUMES $MINIO_OPTS\nRestart=always\nRestartSec=5\nLimitNOFILE=65536\n\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n\n\n\nsudo semanage fcontext -a -t bin_t \"\/usr\/local\/bin\/minio\"\nsudo restorecon -v \/usr\/local\/bin\/minio<\/code><\/pre>\n\n\n\nsudo systemctl daemon-reload\nsudo systemctl enable --now minio<\/code><\/pre>\n\n\n\nsudo systemctl status minio<\/code><\/pre>\n\n\n\nsudo firewall-cmd --permanent --add-port=9000\/tcp --add-port=9001\/tcp\nsudo firewall-cmd --reload<\/code><\/pre>\n\n\n\nsudo ufw allow 9000\/tcp\nsudo ufw allow 9001\/tcp<\/code><\/pre>\n\n\n\nCreate the Backup Bucket<\/h4>\n\n\n\n
mc<\/code>) to manage buckets from the command line:<\/p>\n\n\n\nwget https:\/\/dl.min.io\/client\/mc\/release\/linux-amd64\/mc\nsudo mv mc \/usr\/local\/bin\/mc\nsudo chmod +x \/usr\/local\/bin\/mc<\/code><\/pre>\n\n\n\nsudo restorecon -v \/usr\/local\/bin\/mc<\/code><\/pre>\n\n\n\nmc alias set local http:\/\/127.0.0.1:9000 minioadmin your-minio-password\nmc mb local\/restic-backup<\/code><\/pre>\n\n\n\nBucket created successfully `local\/restic-backup`.<\/code><\/pre>\n\n\n\nhttp:\/\/10.0.1.51:9001<\/code> shows the bucket. After restic initializes and runs a backup, the repository structure appears as directories (config, data, index, keys, snapshots):<\/p>\n\n\n\n![\"MinIO](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/03\/minio-restic-repo.png\" "\\"\\"")
<\/figure>\n\n\n\ndata\/<\/code> directory, restic stores encrypted and deduplicated chunks in hex-prefixed subdirectories. These files are opaque without the encryption password:<\/p>\n\n\n\n![\"Restic](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/03\/minio-restic-data.png\" "\\"\\"")
<\/figure>\n\n\n\nOption B: AWS S3<\/h3>\n\n\n\n
Create an S3 Bucket and IAM User<\/h4>\n\n\n\n
aws s3 mb s3:\/\/your-restic-backup --region eu-west-1<\/code><\/pre>\n\n\n\naws iam create-user --user-name restic-backup<\/code><\/pre>\n\n\n\naws iam put-user-policy --user-name restic-backup --policy-name restic-s3-policy --policy-document '{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\"s3:ListBucket\", \"s3:GetBucketLocation\"],\n \"Resource\": \"arn:aws:s3:::your-restic-backup\"\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\"s3:GetObject\", \"s3:PutObject\", \"s3:DeleteObject\"],\n \"Resource\": \"arn:aws:s3:::your-restic-backup\/*\"\n }\n ]\n}'<\/code><\/pre>\n\n\n\naws iam create-access-key --user-name restic-backup<\/code><\/pre>\n\n\n\nAccessKeyId<\/code> and SecretAccessKey<\/code> from the output. You will need both on the backup client.<\/p>\n\n\n\n![\"AWS](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/03\/aws-s3-bucket-contents.png\" "\\"\\"")
<\/figure>\n\n\n\nOption C: Google Cloud Storage<\/h3>\n\n\n\n
Create a GCS Bucket and Service Account<\/h4>\n\n\n\n
gcloud<\/code> CLI, create the bucket:<\/p>\n\n\n\ngcloud storage buckets create gs:\/\/your-restic-backup --location=europe-west1 --project=your-project-id<\/code><\/pre>\n\n\n\ngcloud iam service-accounts create restic-backup \\\n --display-name=\"Restic Backup Service Account\" \\\n --project=your-project-id<\/code><\/pre>\n\n\n\ngcloud storage buckets add-iam-policy-binding gs:\/\/your-restic-backup \\\n --member=\"serviceAccount:restic-backup@your-project-id.iam.gserviceaccount.com\" \\\n --role=\"roles\/storage.objectAdmin\"<\/code><\/pre>\n\n\n\ngcloud iam service-accounts keys create restic-gcs-key.json \\\n --iam-account=restic-backup@your-project-id.iam.gserviceaccount.com<\/code><\/pre>\n\n\n\nscp restic-gcs-key.json root@10.0.1.50:\/etc\/restic-gcs-key.json\nssh root@10.0.1.50 \"chmod 600 \/etc\/restic-gcs-key.json\"<\/code><\/pre>\n\n\n\n![\"Google](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/03\/gcp-gcs-bucket-contents.png\" "\\"\\"")
<\/figure>\n\n\n\nInitialize the Restic Repository<\/h2>\n\n\n\n
export AWS_ACCESS_KEY_ID=minioadmin\nexport AWS_SECRET_ACCESS_KEY=your-minio-password\nexport RESTIC_REPOSITORY=s3:http:\/\/10.0.1.51:9000\/restic-backup<\/code><\/pre>\n\n\n\nexport AWS_ACCESS_KEY_ID=your-access-key-id\nexport AWS_SECRET_ACCESS_KEY=your-secret-access-key\nexport RESTIC_REPOSITORY=s3:s3.eu-west-1.amazonaws.com\/your-restic-backup<\/code><\/pre>\n\n\n\nexport GOOGLE_APPLICATION_CREDENTIALS=\/etc\/restic-gcs-key.json\nexport GOOGLE_PROJECT_ID=your-project-id\nexport RESTIC_REPOSITORY=gs:your-restic-backup:\/<\/code><\/pre>\n\n\n\nexport RESTIC_PASSWORD=your-restic-encryption-password<\/code><\/pre>\n\n\n\nRESTIC_PASSWORD<\/code> is the encryption key for every snapshot in this repository. If you lose it, the backups become unrecoverable. Store it in a password manager or a secure vault, not just in a shell history.<\/p>\n\n\n\nrestic init<\/code><\/pre>\n\n\n\ncreated restic repository d4fa81b8e9 at s3:http:\/\/10.0.1.51:9000\/restic-backup\n\nPlease note that knowledge of your password is required to access\nthe repository. Losing your password means that your data is\nirrecoverably lost.<\/code><\/pre>\n\n\n\nCreate Your First Backup<\/h2>\n\n\n\n
\/srv\/data<\/code> and \/etc<\/code>:<\/p>\n\n\n\nrestic backup \/srv\/data \/etc --tag initial --verbose<\/code><\/pre>\n\n\n\nopen repository\nrepository d4fa81b8 opened (version 2, compression level auto)\nlock repository\nno parent snapshot found, will read all files\nload index files\n\nstart scan on [\/srv\/data \/etc]\nstart backup on [\/srv\/data \/etc]\n\nFiles: 81 new, 0 changed, 0 unmodified\nDirs: 7 new, 0 changed, 0 unmodified\nAdded to the repository: 44.779 MiB (44.765 MiB stored)\n\nprocessed 81 files, 44.749 MiB in 0:01\nsnapshot 02a654d5 saved<\/code><\/pre>\n\n\n\n\/etc<\/code> typically compress to 30-50% of original size.<\/p>\n\n\n\nrestic snapshots<\/code><\/pre>\n\n\n\nrepository d4fa81b8 opened (version 2, compression level auto)\nID Time Host Tags Paths\n-----------------------------------------------------------------------\n02a654d5 2026-03-28 14:22:01 backup01 initial \/srv\/data\n \/etc\n-----------------------------------------------------------------------\n1 snapshots<\/code><\/pre>\n\n\n\nIncremental Backups and Deduplication<\/h2>\n\n\n\n
echo \"updated config\" | sudo tee -a \/srv\/data\/configs\/app.conf\ndd if=\/dev\/urandom of=\/srv\/data\/newfile.bin bs=1K count=200 2>\/dev\/null<\/code><\/pre>\n\n\n\nrestic backup \/srv\/data \/etc --verbose<\/code><\/pre>\n\n\n\nrepository d4fa81b8 opened (version 2, compression level auto)\nlock repository\nusing parent snapshot 02a654d5\n\nFiles: 1 new, 1 changed, 80 unmodified\nDirs: 0 new, 2 changed, 5 unmodified\nAdded to the repository: 234.370 KiB (213.473 KiB stored)\n\nprocessed 82 files, 44.944 MiB in 0:00\nsnapshot 7b3e91f2 saved<\/code><\/pre>\n\n\n\nRestore from Backup<\/h2>\n\n\n\n
restic restore latest --target \/tmp\/restore-test<\/code><\/pre>\n\n\n\nrepository d4fa81b8 opened (version 2, compression level auto)\nrestoring snapshot 7b3e91f2 of [\/srv\/data \/etc] at 2026-03-28 14:25:33\nSummary: Restored 88 files\/dirs (44.944 MiB) in 0:00<\/code><\/pre>\n\n\n\ndiff -r \/srv\/data \/tmp\/restore-test\/srv\/data<\/code><\/pre>\n\n\n\nrestic diff<\/code> to compare two snapshots directly if you need to see what changed between backups.<\/p>\n\n\n\n--include<\/code> flag to extract only specific paths:<\/p>\n\n\n\nrestic restore latest --target \/tmp\/partial --include \"\/srv\/data\/configs\/\"<\/code><\/pre>\n\n\n\nRetention and Pruning<\/h2>\n\n\n\n
restic forget<\/code> command marks old snapshots for removal based on your retention rules, and --prune<\/code> reclaims the storage immediately. A sensible starting policy keeps 7 daily, 4 weekly, and 6 monthly snapshots:<\/p>\n\n\n\nrestic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune<\/code><\/pre>\n\n\n\nrepository d4fa81b8 opened (version 2, compression level auto)\nApplying Policy: keep 7 daily, 4 weekly, 6 monthly snapshots\n\nkeep 2 snapshots:\nID Time Host Tags Reasons Paths\n---------------------------------------------------------------------------------\n02a654d5 2026-03-28 14:22:01 backup01 initial daily snapshot \/srv\/data, \/etc\n7b3e91f2 2026-03-28 14:25:33 backup01 daily snapshot \/srv\/data, \/etc\n---------------------------------------------------------------------------------\n2 snapshots\n\nno snapshots were removed, running prune\ncounting files in repo\n[0:00] 100.00% 8 \/ 8 packs\n\nfinding old index files\nsaved new indexes as [4a8b2c1d]\n\ndone<\/code><\/pre>\n\n\n\nVerify Repository Integrity<\/h2>\n\n\n\n
restic check<\/code><\/pre>\n\n\n\nusing temporary cache in \/tmp\/restic-check-cache-1547467285\ncreate exclusive lock for repository\nload indexes\ncheck all packs\ncheck snapshots, trees and blobs\n[0:00] 100.00% 1 \/ 1 snapshots\nno errors were found<\/code><\/pre>\n\n\n\nrestic check --read-data<\/code><\/pre>\n\n\n\ncheck<\/code> daily or weekly. Reserve --read-data<\/code> for monthly verification since it downloads and re-verifies every chunk in the repository.<\/p>\n\n\n\nAutomate with Systemd Timer<\/h2>\n\n\n\n
sudo vi \/etc\/restic-env<\/code><\/pre>\n\n\n\nAWS_ACCESS_KEY_ID=minioadmin\nAWS_SECRET_ACCESS_KEY=your-minio-password\nRESTIC_PASSWORD=your-restic-encryption-password\nRESTIC_REPOSITORY=s3:http:\/\/10.0.1.51:9000\/restic-backup<\/code><\/pre>\n\n\n\nAWS_ACCESS_KEY_ID=your-access-key-id\nAWS_SECRET_ACCESS_KEY=your-secret-access-key\nRESTIC_PASSWORD=your-restic-encryption-password\nRESTIC_REPOSITORY=s3:s3.eu-west-1.amazonaws.com\/your-restic-backup<\/code><\/pre>\n\n\n\nGOOGLE_APPLICATION_CREDENTIALS=\/etc\/restic-gcs-key.json\nGOOGLE_PROJECT_ID=your-project-id\nRESTIC_PASSWORD=your-restic-encryption-password\nRESTIC_REPOSITORY=gs:your-restic-backup:\/<\/code><\/pre>\n\n\n\nsudo chmod 600 \/etc\/restic-env<\/code><\/pre>\n\n\n\nsudo vi \/etc\/systemd\/system\/restic-backup.service<\/code><\/pre>\n\n\n\n[Unit]\nDescription=Restic Backup to S3\nAfter=network-online.target\nWants=network-online.target\n\n[Service]\nType=oneshot\nEnvironmentFile=\/etc\/restic-env\nExecStart=\/usr\/local\/bin\/restic backup \/srv\/data \/etc --tag automated\nExecStartPost=\/usr\/local\/bin\/restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune\nNice=10\nIOSchedulingClass=best-effort\nIOSchedulingPriority=7<\/code><\/pre>\n\n\n\nNice<\/code> and IOSchedulingPriority<\/code> settings keep the backup from starving other processes on a busy server.<\/p>\n\n\n\nsudo vi \/etc\/systemd\/system\/restic-backup.timer<\/code><\/pre>\n\n\n\n[Unit]\nDescription=Run Restic Backup Daily\n\n[Timer]\nOnCalendar=*-*-* 03:00:00\nRandomizedDelaySec=600\nPersistent=true\n\n[Install]\nWantedBy=timers.target<\/code><\/pre>\n\n\n\nPersistent=true<\/code> setting ensures the backup runs on next boot if the server was powered off at 3 AM. The 10-minute random delay prevents multiple servers from hammering the S3 backend simultaneously.<\/p>\n\n\n\nsudo systemctl daemon-reload\nsudo systemctl enable --now restic-backup.timer<\/code><\/pre>\n\n\n\nsystemctl list-timers restic-backup.timer<\/code><\/pre>\n\n\n\nNEXT LEFT LAST PASSED UNIT ACTIVATES\nSun 2026-03-29 03:00:00 UTC 12h left n\/a n\/a restic-backup.timer restic-backup.service\n\n1 timers listed.<\/code><\/pre>\n\n\n\nsudo systemctl start restic-backup.service\njournalctl -u restic-backup.service --no-pager -n 20<\/code><\/pre>\n\n\n\nChoosing a Storage Backend<\/h2>\n\n\n\n