nixos-config/machines/vueko/services/restic.nix


# SPDX-FileCopyrightText: 2022 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
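{ config, pkgs, ... }:
let
  # One place for the service account name and the loopback endpoint rclone
  # binds to. nginx proxies to the same value below, so the two cannot drift.
  user = "restic-rclone";
  listenAddr = "127.0.0.1:8080";
in
{
  # Both secrets are decrypted by sops-nix at activation time and are readable
  # only by the service account.
  sops.secrets = {
    # SSH private key used by rclone's sftp backend to reach the storage box.
    restic-rclone-ssh-key = {
      sopsFile = ../secrets.yaml;
      owner = user;
    };
    # htpasswd file for `rclone serve restic --htpasswd`; every REST client
    # must authenticate against it.
    restic-htpasswd = {
      sopsFile = ../secrets.yaml;
      owner = user;
    };
  };

  # Dedicated unprivileged account; no home directory is assigned on purpose.
  users.users.${user} = {
    isSystemUser = true;
    group = user;
  };
  users.groups.${user} = { };

  # restic REST server backed by an sftp remote. It listens on loopback only;
  # TLS termination and public exposure are handled by the nginx vhost below.
  systemd.services."rclone-restic-server" = {
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = user;
      SupplementaryGroups = [ "keys" ];
      # --private-repos : each htpasswd user can only reach the repository
      #                   named after them, so one leaked credential does not
      #                   expose the other repositories.
      # --append-only   : clients may add data but never delete or overwrite
      #                   it, protecting existing backups from a compromised
      #                   client.
      # --addr          : bind address pinned explicitly rather than relying
      #                   on rclone's default, because the nginx proxyPass
      #                   below depends on it.
      ExecStart = builtins.concatStringsSep " " [
        "${pkgs.rclone}/bin/rclone"
        "serve"
        "restic"
        ":sftp,user=u313368-sub4,host=u313368-sub4.your-storagebox.de,port=23,key_file=${config.sops.secrets.restic-rclone-ssh-key.path}:"
        "--private-repos"
        "--htpasswd"
        config.sops.secrets.restic-htpasswd.path
        "--append-only"
        "--addr"
        listenAddr
      ];
      Restart = "on-failure";

      # --- sandboxing -----------------------------------------------------
      # null renders as an empty `CapabilityBoundingSet=` line, i.e. the unit
      # keeps no capabilities at all.
      CapabilityBoundingSet = null;
      NoNewPrivileges = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      PrivateDevices = true;
      # Private scratch /tmp; nothing else on the filesystem is writable.
      PrivateTmp = true;
      PrivateUsers = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      # The remote is given on the command line and no rclone config file is
      # used, so the service is not expected to persist any local state. If
      # that ever changes, add a CacheDirectory=/ReadWritePaths= entry rather
      # than relaxing this.
      ProtectSystem = "strict";
      # Loopback listener plus outbound ssh/sftp only.
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = "@system-service";
    };
  };

  # Public entry point. Credentials travel as HTTP basic auth, so plain HTTP
  # is redirected to TLS (forceSSL) and the certificate comes from ACME.
  services.nginx.virtualHosts."restic.sbruder.de" = {
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = "http://${listenAddr}/";
    extraConfig = ''
      # restic uploads whole pack files in one request; nginx's default 1M
      # body limit would reject them. 50M leaves headroom over restic's
      # default pack target (currently 16 MiB) -- raise it if clients use a
      # larger --pack-size.
      client_max_body_size 50M;
    '';
  };
}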