enable restic rest server on hypervisor

machines/Home-Hypervisor/default.nix

@@ -39,6 +39,7 @@ in {
     nixosProfiles.matrix
     nixosProfiles.atticd
     nixosProfiles.attic
+    nixosProfiles.restic-server
 
     (import nixosProfiles.blocky {
       inherit config;

machines/Home-Hypervisor/dns-mapping.nix

@@ -49,6 +49,7 @@
         "prowlarr.ataraxiadev.com" = "ataraxiadev.com";
         "qbit.ataraxiadev.com" = "ataraxiadev.com";
         "radarr.ataraxiadev.com" = "ataraxiadev.com";
+        "restic.ataraxiadev.com" = "ataraxiadev.com";
         "shoko.ataraxiadev.com" = "ataraxiadev.com";
         "sonarr.ataraxiadev.com" = "ataraxiadev.com";
         "sonarrtv.ataraxiadev.com" = "ataraxiadev.com";

profiles/servers/restic-server.nix

@@ -0,0 +1,34 @@
+{ config, pkgs, lib, ... }:
+let
+  resticPort = 8010;
+  fqdn = "restic.ataraxiadev.com";
+  certFile = "${config.security.acme.certs.${fqdn}.directory}/fullchain.pem";
+  keyFile = "${config.security.acme.certs.${fqdn}.directory}/key.pem";
+in {
+  secrets.restic-htpasswd = {
+    services = [ "restic-rest-server.service" ];
+    owner = "restic:restic";
+  };
+
+  security.acme.certs.${fqdn} = {
+    webroot = "/var/lib/acme/acme-challenge";
+    postRun = "systemctl reload restic-rest-server";
+    group = "restic";
+  };
+
+  networking.firewall.allowedTCPPorts = [ resticPort ];
+  networking.firewall.allowPing = true;
+  services.restic.server = {
+    enable = true;
+    dataDir = "/media/nas/backups/restic";
+    listenAddress = ":${toString resticPort}";
+    # appendOnly = true;
+    privateRepos = true;
+    prometheus = true;
+    extraFlags = [
+      "--prometheus-no-auth"
+      "--htpasswd-file=${config.secrets.restic-htpasswd.decrypted}"
+      "--tls" "--tls-cert=${certFile}" "--tls-key=${keyFile}"
+    ];
+  };
+}