
commit 03c0180f4763d4927d9eaea34353e434dc518206
parent 23ecb01e4bfc2ccac8737a5c28590d03772bc626
Author: Leah (ctucx) <git@ctu.cx>
Date: Mon, 27 Mar 2023 14:29:40 +0200

machines/wanderduene: add rclone-restic-server
6 files changed, 109 insertions(+), 0 deletions(-)
diff --git a/machines/wanderduene/configuration.nix b/machines/wanderduene/configuration.nix
@@ -10,6 +10,8 @@
     ../../configurations/linux/services/prometheus-exporters.nix
     ../../configurations/linux/services/dns.nix
 
+    ./rclone-restic-server.nix
+
     ./3proxy.nix
 #    ./reverse-proxy-lollo.nix
 #    ./reverse-proxy-stasicontainer.nix
diff --git a/machines/wanderduene/rclone-restic-server.nix b/machines/wanderduene/rclone-restic-server.nix
@@ -0,0 +1,73 @@
+{ pkgs, lib, config, ... }:
+
+{
+
+  dns.zones."ctu.cx".subdomains."restic.${config.networking.hostName}".CNAME = [ "${config.networking.hostName}.ctu.cx." ];
+
+  users.groups.rclone-restic-server = {};
+  users.users.rclone-restic-server = {
+    isSystemUser = true;
+    home         = "/var/lib/rclone-restic-server";
+    group        = "rclone-restic-server";
+  };
+
+  age.secrets = {
+    rclone-config = {
+      file  = ../../secrets/wanderduene/rclone-config.age;
+      owner = "rclone-restic-server";
+    };
+
+    restic-server-htpasswd = {
+      file  = ../../secrets/wanderduene/restic-server-htpasswd.age;
+      owner = "nginx";
+    };
+  };
+
+  systemd.services.rclone-restic-server = {
+    wantedBy  = [ "multi-user.target" ];
+    wants     = [ "network-online.target" ];
+    after     = [ "network-online.target" ];
+    onFailure = [ "email-notify@%i.service" ];
+    serviceConfig = {
+      User = "rclone-restic-server";
+      Group = "rclone-restic-server";
+      Restart = "always";
+      RestartSec = "5";
+
+      KillMode = "mixed";
+      KillSignal = "SIGTERM";
+      TimeoutStopSec = "5s";
+
+      ExecReload = "/bin/kill -USR1 $MAINPID";
+      ExecStart = "${pkgs.rclone}/bin/rclone --config ${config.age.secrets.rclone-config.path} serve restic --append-only --addr 127.0.0.1:8000 hetzner-storage:";
+
+      PrivateTmp = true;
+      PrivateDevices = true;
+      ProtectHome = true;
+      ProtectSystem = "full";
+
+      CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
+      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+      NoNewPrivileges = true;
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."restic.${config.networking.hostName}.ctu.cx" = {
+      enableACME = true;
+      forceSSL   = true;
+      kTLS       = true;
+      locations."/" = {
+        proxyPass   = "http://127.0.0.1:8000/";
+        extraConfig = ''
+          client_max_body_size 10G;
+          auth_basic           Auth;
+          auth_basic_user_file ${config.age.secrets.restic-server-htpasswd.path};
+        '';
+      };
+    };
+  };
+
+
+}+
\ No newline at end of file
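Review bot: The unit grants CAP_NET_BIND_SERVICE in both CapabilityBoundingSet and AmbientCapabilities, yet ExecStart binds 127.0.0.1:8000, an unprivileged port, so the capability is never needed and an ambient capability on a service that fronts untrusted HTTP traffic only widens what a compromised rclone could do; replace the pair with `CapabilityBoundingSet = "";` and drop AmbientCapabilities. ExecReload points at `/bin/kill`, which does not exist on NixOS (only /bin/sh is provided), so `systemctl reload` will fail; `ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";` resolves in the store, though whether rclone serve restic acts on SIGUSR1 is not visible here. `onFailure = [ "email-notify@%i.service" ]` also looks suspect, since `%i` is the instance name and is empty for a non-templated unit; `%n` (the full unit name) is presumably intended — confirm against the email-notify template elsewhere in the repo. The nginx vhost and the rclone unit are both documented only by their option names; a short header comment stating that nginx basic auth is the sole access control and that the restic backend is append-only would help the next reader place the htpasswd secret.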
diff --git a/secrets/restic-server/wanderduene.age b/secrets/restic-server/wanderduene.age
@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> X25519 2UkpqWpnY+kcY37/2o3T9v+B/12GbHt5hX+6So4OOSQ
+fc7pOAoEcnty77Ct0J6jti5Fbx2DLhi41BSXwJl39FQ
+-> ssh-ed25519 V0uUrw bGk1RMq8zrXA9TnxvpSfA9lJmdk6YwLr6dR6bGIWAhM
+1qTNmqeAW3mPeeLzsLszRgYE+apdZLRGKve+RMyHTHU
+-> ssh-ed25519 NrwbpQ vOn3ASWYFExBrTk5+4UQbJ1I7iaMeUcJyqh+Y/J8ZUY
+6s8nwJrexACx8AnCWmjeQQVJaHvN2A/RhI4CEUPBIzY
+-> ssh-ed25519 1rccKw 3BR3nyeU23WSrx4Pg1id1tfix0RXut2IrvtxvutiwnE
+CdMJCh4zPlak0XW90MbBAi7nY4++SzJslFRbRaTe634
+-> ssh-ed25519 2LuoZg gJVO8cNUVrYrSqg7qnZQNaPznCcr8P2LFEHbU/zaii0
+iT4DP0UDXsQ3gc1/BIxWhGOiAAUCp73rFrQBywU36BY
+-> LI>-grease
+bXSWLrPoYfK0NASMpKIFxUtAjuWMzTN6pryaaa8DbS0KLruD7ReBTPaIv6RPQZAI
+Q6JO
+--- EikkH8m+ANalGirpW/hnpajHga5KqyilnhNpq/E2pHs
+>i)J	ZppI#NӖQD*kd(.O$8rb-ս'GvMkߎ_ϣ@+
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -18,6 +18,7 @@ in {
 
   "restic-server/lollo.age".publicKeys                        = [ leah trabbi hector lollo lollo-old ];
   "restic-server/hector.age".publicKeys                       = [ leah trabbi hector lollo lollo-old ];
+  "restic-server/wanderduene.age".publicKeys                  = [ leah trabbi hector lollo lollo-old ];
 
 
   "blechkasten/syncthing/key.age".publicKeys                  = [ leah blechkasten ];

@@ -71,6 +72,9 @@ in {
   "trabbi/mail/password-mail-zug.network.age".publicKeys            = [ leah trabbi ];
   "trabbi/mail/password-hi-f2k1.de.age".publicKeys                  = [ leah trabbi ];
 
+
   "wanderduene/wireguard-privkey.age".publicKeys                    = [ leah wanderduene ];
+  "wanderduene/restic-server-htpasswd.age".publicKeys               = [ leah wanderduene ];
+  "wanderduene/rclone-config.age".publicKeys                        = [ leah wanderduene ];
 
 }
diff --git a/secrets/wanderduene/rclone-config.age b/secrets/wanderduene/rclone-config.age  Binary files differ.
diff --git a/secrets/wanderduene/restic-server-htpasswd.age b/secrets/wanderduene/restic-server-htpasswd.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 atrjd9uY3vKsGCxhPuBz4giuhkVcxwi0Ab/MZ061Enk
+i0VEIvLcaRCkSsDvzhqTdOlALZc7664cITI2WJ4P3ZU
+-> ssh-ed25519 sh8POQ oVxAn5GjKKRgtAw85fHoVkvJG5F/DpAmF6EP+9d/Zjc
+6wf1LXAsL2nPh+aSrkfNxvsvwjmpD/gt+gdGzKi6+o0
+-> mO-grease \P HSJr}
+1Kt5m1LDpnXxM2ipj/KgZRUHZ4Cry16SEeaVsKfzQW/hA2/X+QvI8AjgTRqAoxzD
+LMWH9WaE3fdRxcjGLCjB1wKx+lLL7VUfBBUSX2Nqc27trmz4JoaN4wHIHRaucOko
+M8cc
+--- EpzIksT//Fw2zmMc8YkA7fsCo9gzX6homJeBwH2L9eo
+y&t]]$>bD8X4LBl;uO:HG(sD3yRzvIXwXI^J+
\ No newline at end of file