From d9fcbe68addf5a02661fa9f09de979fb63e69346 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Tue, 17 Mar 2026 12:43:40 -0500
Subject: [PATCH] restic mtls opts

---
 modules/services/restic/restic.nix | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/modules/services/restic/restic.nix b/modules/services/restic/restic.nix
index f624feb..4ddcca8 100644
--- a/modules/services/restic/restic.nix
+++ b/modules/services/restic/restic.nix
@@ -33,16 +33,18 @@
           RESTIC_CACERT = caCert;
           RESTIC_TLS_CLIENT_CERT = mtlsClientCert;
         };
+        
+        # This is necessary because the restic service in home manager doesn't otherwise expose these options.
+        systemd.user.services."restic-backups-${cfg.repoName}".Service.Environment = [
+          "RESTIC_CACERT=${caCert}"
+          "RESTIC_TLS_CLIENT_CERT=${mtlsClientCert}"
+        ];
 
         services.restic = {
           enable = true;
           backups.${cfg.repoName} = {
             repository = resticRepository;
             passwordFile = cfg.passwordFile;
-            extraBackupArgs = [
-              "--tls-client-cert ${mtlsClientCert}"
-              "--cacert ${caCert}"
-            ];
             paths = cfg.paths;
             timerConfig = {
               OnCalendar = "00:05";
@@ -83,6 +85,7 @@
             ];
           };
         };
+
       };
     };
 }
\ No newline at end of file