What’s best practice depends on needs and priorities. The Arch Linux packager favored security by using a user named duplicati
. Possibly it still does. I don’t have Arch. Original change was below:
duplicati.service should run as duplicati user now.
Discussion of pros, cons, and ways to get access.
Installing Duplicati on Linux (Arch / Manjaro) “Running Duplicati as root / changing server parameters”
To get to your http,http files, I suppose you could change your systemd config to that, but I’m not sure what the downside of that would be. You could also remove systemd User= and Group= lines, but the downside of that is more access than Duplicati needs, so more potential damage if an attacker gets it.
Compromise might be to have Duplicati run User=duplicati Group=http, or the solution Arch packager favors (see comment) might be to add duplicati
group to the Nextcloud directory as an extra group.
I think the packages created by Duplicati project either run as root (typical of Duplicati Server), or the user who did a manual launch of TrayIcon (e.g. to back up personal files already owned by that user).