Add restic backup stack with daily systemd timer

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

README.md

@@ -20,6 +20,12 @@ Each stack is independently deployable with its own `compose.yml` and `.env`. Al
 | `sexy` | pivoine.art website | directus, frontend, redis, db |
 | `vaultwarden` | Password manager | vaultwarden |
 
+## Tools
+
+| Directory | Description |
+|---|---|
+| `_backup` | Daily restic backups to HiDrive (host script + systemd timer) |
+
 ## Deployment
 
 ```bash
@@ -34,6 +40,32 @@ ssh vps 'cd ~/stacks/<stack> && docker compose up -d'
 
 All stacks share the external `falcon_network` Docker network for inter-service communication (e.g. traefik routing, mailpit SMTP).
 
+## Backup
+
+The `_backup` stack runs a daily restic backup at 3:00 AM. It dumps all Postgres databases, then backs up the entire `.data/` directory to HiDrive. Retention: 7 daily, 4 weekly, 6 monthly snapshots. Notifications go to Mattermost.
+
+```bash
+# Deploy backup stack
+rsync -avz _backup/ vps:~/stacks/_backup/
+
+# Initialize restic repo (first time only)
+ssh vps 'source ~/stacks/_backup/.env && restic init -r /mnt/hidrive/users/valknar/Backup/stacks'
+
+# Install systemd units
+ssh vps 'ln -sf ~/stacks/_backup/stacks-backup.service /etc/systemd/system/ && \
+         ln -sf ~/stacks/_backup/stacks-backup.timer /etc/systemd/system/ && \
+         systemctl daemon-reload && systemctl enable --now stacks-backup.timer'
+
+# Manual test run
+ssh vps '~/stacks/_backup/backup.sh'
+
+# Check timer status
+ssh vps 'systemctl status stacks-backup.timer'
+
+# View snapshots
+ssh vps 'source ~/stacks/_backup/.env && restic -r /mnt/hidrive/users/valknar/Backup/stacks snapshots'
+```
+
 ## Data
 
 Persistent data is stored in `~/stacks/.data/<stack>/` on the VPS using bind mounts. Database stacks use dedicated Postgres instances with simple credentials.