* General
Backups are managed with =restic= and are stored locally and also on a Google Cloud Storage Bucket. These are two different backups, they are executed at different time, and there should be no assumptions that they are identical.

There's a single password for all the repositories, it's managed with =agenix=, and the file is under secrets (=restic_password.age=).
** Remote backup
Access to the bucket is managed via service account. Each machine has its own repository.

The service account key is stored in JSON and also encrypted with =agenix=.

| bucket          | [[https://console.cloud.google.com/storage/browser/fcuny-infra-backups;tab=objects?forceOnBucketsSortingFiltering=true&hl=en&inv=1&invt=Ab2J4Q&project=fcuny-infra&prefix=&forceOnObjectsSortingFiltering=false][fcuny-infra-backups]] |
| project         | fcuny-infra         |
| service account | [[https://console.cloud.google.com/iam-admin/serviceaccounts/details/118261378048653759345?inv=1&invt=Ab2J-w&project=fcuny-infra&supportedpurview=project][restic]]              |

* Managing backups
The path to the repository and the password file are exported as environment variables, to make it easier to interact with the backups.