From 683b7fb52f45aa586a972b5cb48941ef48b9e74a Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Tue, 27 Jun 2023 23:08:20 +0300
Subject: [PATCH] enable restic rest server on hypervisor
---
 machines/Home-Hypervisor/default.nix | 1 +
 machines/Home-Hypervisor/dns-mapping.nix | 1 +
 profiles/servers/restic-server.nix | 34 ++++++++++++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 profiles/servers/restic-server.nix
diff --git a/machines/Home-Hypervisor/default.nix b/machines/Home-Hypervisor/default.nix
index 78c3417..5b3c5ab 100644
--- a/machines/Home-Hypervisor/default.nix
+++ b/machines/Home-Hypervisor/default.nix
@@ -39,6 +39,7 @@ in {
 nixosProfiles.matrix
 nixosProfiles.atticd
 nixosProfiles.attic
+ nixosProfiles.restic-server
 (import nixosProfiles.blocky {
 inherit config;
diff --git a/machines/Home-Hypervisor/dns-mapping.nix b/machines/Home-Hypervisor/dns-mapping.nix
index 4249b2a..269cd33 100644
--- a/machines/Home-Hypervisor/dns-mapping.nix
+++ b/machines/Home-Hypervisor/dns-mapping.nix
@@ -49,6 +49,7 @@
 "prowlarr.ataraxiadev.com" = "ataraxiadev.com";
 "qbit.ataraxiadev.com" = "ataraxiadev.com";
 "radarr.ataraxiadev.com" = "ataraxiadev.com";
+ "restic.ataraxiadev.com" = "ataraxiadev.com";
 "shoko.ataraxiadev.com" = "ataraxiadev.com";
 "sonarr.ataraxiadev.com" = "ataraxiadev.com";
 "sonarrtv.ataraxiadev.com" = "ataraxiadev.com";
diff --git a/profiles/servers/restic-server.nix b/profiles/servers/restic-server.nix
new file mode 100644
index 0000000..c747114
--- /dev/null
+++ b/profiles/servers/restic-server.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, lib, ... }:
+let
+ resticPort = 8010;
+ fqdn = "restic.ataraxiadev.com";
+ certFile = "${config.security.acme.certs.${fqdn}.directory}/fullchain.pem";
+ keyFile = "${config.security.acme.certs.${fqdn}.directory}/key.pem";
+in {
+ secrets.restic-htpasswd = {
+ services = [ "restic-rest-server.service" ];
+ owner = "restic:restic";
+ };
+
+ security.acme.certs.${fqdn} = {
+ webroot = "/var/lib/acme/acme-challenge";
+ postRun = "systemctl reload restic-rest-server";
+ group = "restic";
+ };
+
+ networking.firewall.allowedTCPPorts = [ resticPort ];
+ networking.firewall.allowPing = true;
+ services.restic.server = {
+ enable = true;
+ dataDir = "/media/nas/backups/restic";
+ listenAddress = ":${toString resticPort}";
+ # appendOnly = true;
+ privateRepos = true;
+ prometheus = true;
+ extraFlags = [
+ "--prometheus-no-auth"
+ "--htpasswd-file=${config.secrets.restic-htpasswd.decrypted}"
+ "--tls" "--tls-cert=${certFile}" "--tls-key=${keyFile}"
+ ];
+ };
+}
\ No newline at end of file
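Review bot: `"--prometheus-no-auth"` in `extraFlags` serves the metrics endpoint without the htpasswd check, and because `networking.firewall.allowedTCPPorts = [ resticPort ];` opens that same port to every peer the firewall admits, the per-repository counters (labelled with repository names) become readable without credentials; either drop the flag and give the scraper an htpasswd entry, or keep it and limit the port to the Prometheus host's address instead of opening it globally. The commented-out `# appendOnly = true;` deserves a second look for a backup target: with it off, any client holding its repository password can also delete or prune its own snapshots, so a compromised client can destroy its history — enable it and run `prune` from a trusted host if the clients do not need delete rights. `networking.firewall.allowPing = true;` is a host-wide setting unrelated to the restic service and belongs in the machine config rather than in this profile. `postRun = "systemctl reload restic-rest-server"` assumes the unit has a reload action that re-reads the TLS files; if it does not, the renewed certificate is not picked up until the next restart, so this is worth confirming against the generated unit.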