{ config, pkgs, ... }:

{
  # Both secrets are decrypted out of the shared secrets.yaml at activation
  # (sops-nix places them under its runtime secrets directory) and chowned to
  # the service user so nothing else on the host can read them.
  sops.secrets =
    let
      serviceSecret = {
        sopsFile = ../secrets.yaml;
        owner = "restic-rclone";
      };
    in
    {
      restic-rclone-ssh-key = serviceSecret; # private key for the SFTP remote
      restic-htpasswd = serviceSecret;       # htpasswd file restic clients authenticate against
    };

  # Dedicated unprivileged identity for the rclone service; the sops secrets
  # are owned by it. As a system user it gets no home directory or login shell.
  users = {
    users.restic-rclone = {
      isSystemUser = true;
      group = "restic-rclone";
    };
    groups.restic-rclone = { };
  };

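  # rclone exposes the SFTP storage box (reached with the sops-managed key) as
  # a restic REST server on loopback. Clients authenticate against the htpasswd
  # file; --private-repos confines each user to its own repository prefix and
  # --append-only refuses deletes, so a compromised client cannot destroy
  # existing snapshots. TLS and the public hostname are nginx's job.
  systemd.services."rclone-restic-server" = {
    # Only a loopback listener is opened at start; the outbound SFTP session is
    # established on demand, so network.target ordering is sufficient here.
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      User = "restic-rclone";
      # NOTE(review): the secrets are already owned by the service user, so the
      # "keys" group may be redundant — confirm against the sops-nix setup.
      SupplementaryGroups = [ "keys" ];
      ExecStart = builtins.concatStringsSep " " [
        "${pkgs.rclone}/bin/rclone"
        "serve"
        "restic"
        # Inline (connection-string) SFTP remote; no rclone.conf is needed.
        # NOTE(review): no known_hosts_file= is given, so rclone's default SFTP
        # host-key handling applies — verify that the storage box host key is
        # pinned somewhere, otherwise the session is open to an active MITM.
        # restic's own encryption protects repository contents, not availability.
        ":sftp,user=u313368-sub4,host=u313368-sub4.your-storagebox.de,port=23,key_file=${config.sops.secrets.restic-rclone-ssh-key.path}:"
        # Pin the plaintext HTTP listener to loopback on the port nginx proxies
        # to. This matches rclone's default, but stating it guarantees the
        # listener never lands on an external interface if that default moves.
        "--addr 127.0.0.1:8080"
        "--private-repos"
        # rclone accepts several htpasswd hash formats; prefer bcrypt entries.
        "--htpasswd ${config.sops.secrets.restic-htpasswd.path}"
        "--append-only"
      ];
      Restart = "on-failure";

      # Sandboxing: the process needs to read two secret files, speak
      # IPv4/IPv6 and bind a loopback port — nothing else.
      CapabilityBoundingSet = ""; # empty set: drop every capability
      NoNewPrivileges = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true; # rclone is a Go binary, no JIT needed
      PrivateDevices = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      # Read-only view of the whole filesystem; all state lives on the remote.
      ProtectSystem = "strict";
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = "@system-service";
      UMask = "0077";
    };
  };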

  # Public TLS endpoint for the restic REST server. Authentication is done by
  # rclone's htpasswd check; nginx only terminates TLS and forwards over
  # loopback to the listener below.
  services.nginx.virtualHosts."restic.sbruder.de" = {
    enableACME = true;
    forceSSL = true;

    locations."/" = {
      # rclone serve restic's loopback listener (its default --addr).
      proxyPass = "http://127.0.0.1:8080/";
    };

    # Each restic upload is one pack file per request. The default target pack
    # size is 16 MiB and a pack may overshoot by one blob, so 50M leaves
    # headroom; raise it if clients are run with a larger --pack-size.
    # nginx buffers request bodies before forwarding by default — consider
    # proxy_request_buffering off if that disk I/O becomes a concern.
    extraConfig = ''
      client_max_body_size 50M;
    '';
  };
}