commit 8db4863ff030f1293fe5c2acc9e66cb1db52d9e0
parent 92ce7e40b4f4244206fd26cb5c3ac658bf2b218e
Author: Katja (zaphyra) <git@ctu.cx>
Date: Fri, 23 May 2025 11:23:57 +0200
config/nixos/modules/websites: add `restic.novus.infra.zaphyra.eu` (and enable on host `novus`)
4 files changed, 74 insertions(+), 4 deletions(-)
A
|
62
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/config/nixos/modules/websites/restic.novus.infra.zaphyra.eu.nix b/config/nixos/modules/websites/restic.novus.infra.zaphyra.eu.nix
@@ -0,0 +1,62 @@
+{
+ povSelf,
+ hostConfig,
+ config,
+ lib,
+ dnsNix,
+ ...
+}:
+
+let
+ inherit (lib) types;
+ cfg = lib.getAttrFromPath povSelf config;
+
+in
+{
+
+ options = {
+ enable = {
+ type = types.bool;
+ default = false;
+ };
+ domain = {
+ type = types.str;
+ default = "zaphyra.eu";
+ };
+ subdomain = {
+ type = types.str;
+ default = "restic.${config.networking.hostName}.infra";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ dns.zones."${cfg.domain}".subdomains."${cfg.subdomain}".CNAME = [ "${config.networking.fqdn}." ];
+
+ sops.secrets = {
+ rcloneConfig = { };
+ resticServerHtpasswd = {
+ owner = "nginx";
+ };
+ };
+
+ modules.services.rcloneResticServer = {
+ enable = true;
+ configFile = config.sops.secrets.rcloneConfig.path;
+ nginx = {
+ enable = true;
+ domain = "${cfg.subdomain}.${cfg.domain}";
+ basicAuthFile = config.sops.secrets.resticServerHtpasswd.path;
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."${cfg.subdomain}.${cfg.domain}" = {
+ useACMEHost = "${config.networking.fqdn}";
+ forceSSL = true;
+ kTLS = true;
+ };
+ };
+ };
+
+}
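Review bot: `rcloneConfig = { };` in `sops.secrets` leaves that secret at the sops-nix defaults (owned by root, mode 0400), whereas `resticServerHtpasswd` right below it gets an explicit owner. The `rcloneResticServer` module is not visible in this commit, so confirm which user its unit runs as: if it is unprivileged it will need a matching owner, e.g. `rcloneConfig = { owner = "<service-user>"; };` (placeholder name), and if it runs as root only to read this file, a dedicated user would be the tighter choice. Separately, `useACMEHost = "${config.networking.fqdn}";` only serves a valid certificate if the host certificate also covers `${cfg.subdomain}.${cfg.domain}` (as an extra domain name or a wildcard); that is presumably set up elsewhere, and a one-line comment saying where would help. The `hostConfig` and `dnsNix` arguments appear unused in this file and could be dropped.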
diff --git a/hosts/novus/default.nix b/hosts/novus/default.nix @@ -53,6 +53,10 @@ }; }; + websites = { + "restic.novus.infra.zaphyra.eu".enable = true; + }; + users.katja.enable = true; };
diff --git a/secrets/common.yaml b/secrets/common.yaml @@ -1,4 +1,6 @@ katjaPassword: ENC[AES256_GCM,data:JrW2Pyd3rkvc3qz59m9ftHFOTX0GM9uNEkfRIoIdyJv3xLLG2JNRoL+mUm2/fzhaAyfHCX6xxt7yXuy0,iv:Qir8r6omlkeG22z2AoO4p4XwLPMGAhXrB2IOrcMkoUM=,tag:9jlRV6Xj4GjvyY4dZ6KNhA==,type:str] +resticEnv: + novus: ENC[AES256_GCM,data:KTTd0UMQiOHrrFIbY9pIJWO9MVIFWs2pvjm4Vo46CE/CrgGfxJur5uYtxHvR94bwaoLXd8RpdlONSRzbShQlH0xE86C/MyRNWiZR5QLyWj6YwzFd+DSdHQD0h0AlRviZY/vFze1EJRPZ0d6XCMJBX+aTizVSxw==,iv:pSfa9Kgpwq/wqn6nOKozgEy2h9C22oVWSCA7X07aW1w=,tag:+aD8wh33mA9hqQ1TKT1m8w==,type:str] sops: kms: [] gcp_kms: [] @@ -32,8 +34,8 @@ sops: Ti9mMzB1Ri9LbnhVYnB4S1ZRdktreEEKNCi9wEdj4qruCrL+pdq8D8Q/mTimBLaR pQIFd6SZLf93PnOiza/9xfhAMYqjk5EIL49jVVZ9m5OOMGOzGn9HiA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-21T10:21:20Z" - mac: ENC[AES256_GCM,data:B/s3mTdeFWVsMJwE3DmMEzN9/WC3V0MgWXDIdEDsuWX000Bjy4GnDAKiBZAwqj2DEsPjOsaxVa5QqHOOfY6D0Ld/IbFgJ4+7TOz9qstRV37G2gjCB5IS770jL/snxRXpmqZzWTvpBsJcQAyqONx6tXW2aIfw94YB+7ut3+jHupY=,iv:fCIF7iK+OlLcBujOxkKRR5sp6zf19LTYD74Fz+NOe4Q=,tag:Ha9k9v4JY/el61inZbMXFQ==,type:str] + lastmodified: "2025-05-22T22:49:04Z" + mac: ENC[AES256_GCM,data:UkVp3IEknRO5/JcfdqX19imbukjpwZ5p12hrKhyI6nJjiIr8oFhrc2l50knyhx6qWmywzg0RUIxFMmqTrDlkXij+XgHa6L4BidpMBoZSWmQ/LH9uVPTm8KcHU/YI4+C39XcKSXlyXG6f09q8COl7RFnH3dJEsBtarEnGfjO8wMQ=,iv:O4kCZeFMCMrOuCmCcxmRSdugY7ZX9gpVrt3LC6Mus88=,tag:tEO8QqwElRZxg4OT6qAnKA==,type:str] pgp: - created_at: "2025-05-21T10:21:09Z" enc: |-
diff --git a/secrets/novus.yaml b/secrets/novus.yaml @@ -1,4 +1,6 @@ acmeTSIGKey: ENC[AES256_GCM,data:a34wyBRoW3Mo6Mep66wi99xfuZLecCrDgpH4EFy4T8PpHYnhR/pLubXVzZpwouKrC+g0E+3hyBR6Bmc/1arKmQ==,iv:938iHOR2NwCjZEBQpjhnCEG11DcxtfeBLGmRh06LaRg=,tag:uhMkBrc9G7inEBg7ddWvZg==,type:str] +resticServerHtpasswd: ENC[AES256_GCM,data:cjva4AXQw37feKs1wFl5o0pLJjfkW5sh5U8jZ2gWUYBlMQgBmdhYAuUwcR8jvismBafL6gSW4esvxPnBpcZC5yTP7TwQh/f18pouaTVH,iv:LJkvhOgTNt065K5kQNlP6zQUTK0bqd9smTIt7meUA4c=,tag:CkzAqsoKOXIdtTgqdOxORA==,type:str] +rcloneConfig: ENC[AES256_GCM,data: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,iv:Zq7DGFKxBw5tmEXXK8W7Aun1Gk78iwgju6NJJZcwBe0=,tag:3a0hn76gMiEX1imuQT0qaQ==,type:str] sops: kms: [] gcp_kms: [] @@ -14,8 +16,8 @@ sops: N0dBZExjdWpSVDJmYlFmOHluZEJUWkUKhkWONhK0LiVhAY+pdemXOBHtBALV65ZP EClQs/bns2HUF4E5Lc6mv8WvogFNhm/TLGYX/sOWSvAYExRNiHtssQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-21T10:30:19Z" - mac: ENC[AES256_GCM,data:V5M4wAn+CL1pJvWTC1sXIGorR3cFgIXrTKI40orO7FOqkisod6KB5ln5bVZ+OU61NzwdDUPqYXms8qlnwJzRVglAEqceCd7bnmiOPWPQWpLDZY602QPNW1UXkKfHM9BaLT84lnown8Gqt9JTAAo23ZyOtBjP9MUT3FvgRAvRMw0=,iv:lGgu4dJzjsw9g1vro34VSowD6+IXap+hDDE2uYbTaWs=,tag:fwSuJZSMVRTdqaDABWx3OA==,type:str] + lastmodified: "2025-05-22T07:59:22Z" + mac: ENC[AES256_GCM,data:KVDR3eVJJM8y/aD3+EFGkyiM4T1W06PQeufmk8j1TMp71KuZVw/xqxCKiIUiDN9OC4fQ5EI7+WXfVgsPrcSQXnjx8J9CRlSyzNMa+99bMt4jms98c5QU1Jf4PFfqQ9FxBy+AIEyEjcPHKs458oMVaoOROjkIpWMc0hSGfZZha/A=,iv:XoiYFlCoqEiTmhkwLJ3bVjO2xnhukea3AzRXZJ8dkUY=,tag:oyb538WsxNAy/DxThJ4leQ==,type:str] pgp: - created_at: "2025-05-21T10:26:58Z" enc: |-