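{ config, lib, pkgs, ...}:

# Restic REST server published as restic.<host>.ctu.cx.
#
# Trust model: the rest-server runs with --no-auth and binds loopback only;
# authentication is enforced solely by nginx HTTP basic auth in front of it.
# Any local process on this host can therefore reach [::1]:8000 without
# credentials, so the listen port must never be exposed directly.

let
  cfg      = config.ctucxConfig.services.resticServer;
  hostName = config.networking.hostName;

in {

  options = {
    ctucxConfig.services.resticServer = {
      enable = lib.mkEnableOption "restic server";
    };
  };

  config = lib.mkIf cfg.enable {

    # htpasswd file consumed by nginx's auth_basic; owned by nginx so the
    # worker can read it after the secret is decrypted.
    age.secrets.restic-server-htpasswd = {
      file  = ./. + "/../../../secrets/${hostName}/restic-server-htpasswd.age";
      owner = "nginx";
    };

    dns.zones."ctu.cx".subdomains."restic.${hostName}".CNAME = [ "${hostName}.ctu.cx." ];

    # %n expands to the full name of the failing unit (restic-rest-server.service).
    # %i is the instance name and expands to the empty string for a
    # non-template unit such as this one, which would reference the bare
    # template "email-notify@.service" and never fire.
    systemd.services.restic-rest-server.onFailure = [ "email-notify@%n.service" ];

    services = {
      restic.server = {
        enable        = true;
        # Loopback only: reachable exclusively through the nginx proxy below.
        listenAddress = "[::1]:8000";
        # Clients may add snapshots but not delete or prune them, limiting the
        # damage a compromised backup client can do to existing backups.
        appendOnly    = true;
        # Authentication is delegated to nginx (auth_basic); see module header.
        extraFlags    = [ "--no-auth" ];
        dataDir       = "/var/lib/restic";
      };

      nginx = {
        enable = true;
        virtualHosts."restic.${hostName}.ctu.cx" = {
          # mkDefault so a host can override TLS settings without mkForce.
          enableACME = lib.mkDefault true;
          forceSSL   = lib.mkDefault true;
          kTLS       = lib.mkDefault true;
          locations."/" = {
            proxyPass   = "http://${toString config.services.restic.server.listenAddress}/";
            # Large body limit: restic uploads pack files in a single request.
            extraConfig = ''
              client_max_body_size 10G;
              auth_basic           Auth;
              auth_basic_user_file ${config.age.secrets.restic-server-htpasswd.path};
            '';
          };
        };
      };
    };
  };

}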