feat: add Restic backup stack with Backrest UI

Added comprehensive backup solution to The Falcon infrastructure:

- **Restic Stack** (restic.pivoine.art):
  - Backrest web UI for managing restic backups
  - Automated scheduled backups with retention policies
  - Real-time backup status and monitoring
  - Restore capabilities via web interface

- **Backup Configuration**:
  - Target: /mnt/hidrive/users/valknar/Backup
  - Backs up all critical Docker volumes read-only:
    - PostgreSQL, Redis, Directus (uploads/bundle)
    - Awesome, Gotify, Scrapy (data/code)
    - n8n workflows, Filestash state
    - Linkwarden bookmarks/search index
    - Let's Encrypt SSL certificates

- **Infrastructure Updates**:
  - Added RESTIC_* environment variables to arty.yml
  - Updated compose.yaml to include restic stack
  - Updated README.md and CLAUDE.md documentation
  - Configured Traefik routing with SSL

All volumes mounted read-only to backup container for safety.
Backrest data persisted across: data, config, cache, tmp volumes.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

CLAUDE.md

@@ -20,6 +20,8 @@ Root `compose.yaml` uses Docker Compose's `include` directive to orchestrate mul
 - **n8n**: Workflow automation platform (PostgreSQL)
 - **stash**: Filestash web-based file manager
 - **links**: Linkwarden bookmark manager (PostgreSQL + Meilisearch)
+- **restic**: Backrest backup system with restic backend
+- **sablier**: Dynamic scaling plugin for Traefik
 - **vpn**: WireGuard VPN (wg-easy)
 
 All services connect to a single external Docker network (`falcon_network` by default, defined by `$NETWORK_NAME`).
@@ -195,6 +197,33 @@ Linkwarden bookmark manager with full-text search:
 - `LINKS_NEXTAUTH_SECRET`: NextAuth.js secret for session encryption
 - `LINKS_MEILI_MASTER_KEY`: Meilisearch master key for API authentication
 
+### Restic (restic/compose.yaml)
+Backrest backup system with restic backend:
+- **backrest**: Backrest web UI exposed at `restic.pivoine.art:9898`
+  - Web-based interface for managing restic backups
+  - Automated scheduled backups with retention policies
+  - Support for multiple backup plans and repositories
+  - Real-time backup status and history
+  - Restore capabilities via web UI
+  - Data persisted in `backrest_data`, `backrest_config`, `backrest_cache` volumes
+
+**Backup Configuration**:
+- **Backup Target**: `/mnt/hidrive/users/valknar/Backup` (mounted to container as `/repos`)
+- **Volumes Backed Up** (all mounted read-only to `/volumes/`):
+  - `core_postgres_data` - PostgreSQL database files
+  - `core_redis_data` - Redis data
+  - `directus_uploads` - Directus media files
+  - `directus_bundle` - Directus extensions
+  - `awesome_data` - AWSM SQLite database
+  - `gotify_data` - Gotify notifications
+  - `scrapyd_data`, `scrapy_code` - Scrapy spider data
+  - `n8n_data` - n8n workflow configurations
+  - `filestash_data` - Filestash state
+  - `linkwarden_data`, `linkwarden_meili_data` - Linkwarden bookmarks and search index
+  - `letsencrypt_data` - SSL certificates
+
+**Important**: The backup destination path must be accessible from the container. For HiDrive, ensure the mount point exists on the host and is properly mounted before starting the backup service.
+
 ## Important Environment Variables
 
 Key variables defined in `arty.yml` and overridden in `.env`:
@@ -218,6 +247,7 @@ Each service uses named volumes prefixed with project name:
 - `n8n_n8n_data`: n8n workflow data
 - `stash_filestash_data`: Filestash configuration and state
 - `links_data`, `links_meili_data`: Linkwarden bookmarks and Meilisearch index
+- `restic_data`, `restic_config`, `restic_cache`, `restic_tmp`: Backrest backup system
 - `proxy_letsencrypt_data`: SSL certificates
 
 Volumes can be inspected with: