fix: restic backups should run as root

hosts/sire/guests/paperless.nix

@@ -116,7 +116,6 @@ in {
 
   backups.storageBoxes.dusk = {
     subuser = "paperless";
-    user = "paperless";
     paths = [paperlessBackupDir];
   };
 }

hosts/sire/guests/samba.nix

@@ -349,7 +349,6 @@ in {
 
   backups.storageBoxes.dusk = {
     subuser = "samba";
-    user = "root";
     paths = ["/bunker"];
   };
 }

hosts/ward/guests/radicale.nix

@@ -85,7 +85,6 @@ in {
 
   backups.storageBoxes.dusk = {
     subuser = "radicale";
-    user = "radicale";
     paths = ["/var/lib/radicale"];
   };
 }

hosts/ward/guests/vaultwarden.nix

@@ -86,7 +86,6 @@ in {
 
   backups.storageBoxes.dusk = {
     subuser = "vaultwarden";
-    user = "vaultwarden";
     paths = [config.services.vaultwarden.backupDir];
   };
 }

modules/backups.nix

@@ -29,11 +29,6 @@ in {
           type = types.str;
         };
 
-        user = mkOption {
-          description = "The user as which restic should run.";
-          type = types.str;
-        };
-
         paths = mkOption {
           description = "The paths to backup.";
           type = types.listOf types.path;
@@ -58,8 +53,13 @@ in {
             sshAgeSecret = "restic-ssh-privkey";
           };
 
-          # We need to backup stuff from other users, so run as root.
+          # A) We need to backup stuff from other users, so run as root.
-          inherit (boxCfg) user paths;
+          # B) We also need to be root because the ssh key will only
+          #    be accessible to root so whatever service is running cannot
+          #    just access our backup server.
+          user = "root";
+
+          inherit (boxCfg) paths;
           timerConfig = {
             OnCalendar = "06:15";
             RandomizedDelaySec = "3h";