
commit 92ce7e40b4f4244206fd26cb5c3ac658bf2b218e
parent aa94843fd8abd3ea83a97fe87226e59b69cfc895
Author: Katja (zaphyra) <git@ctu.cx>
Date: Fri, 23 May 2025 11:17:11 +0200

config/nixos/modules/services: add `rcloneResticServer`
1 file changed, 94 insertions(+), 0 deletions(-)
A
config/nixos/modules/services/rcloneResticServer.nix
|
94
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/config/nixos/modules/services/rcloneResticServer.nix b/config/nixos/modules/services/rcloneResticServer.nix
@@ -0,0 +1,94 @@
+{
+  povSelf,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib) types;
+  cfg = lib.getAttrFromPath povSelf config;
+
+in
+{
+
+  options = {
+    enable = {
+      type = types.bool;
+      default = false;
+    };
+    port = {
+      type = types.port;
+      default = 8000;
+    };
+    configFile = {
+      type = types.str;
+    };
+    nginx = {
+      enable = {
+        type = types.bool;
+        default = false;
+      };
+      domain = {
+        type = types.str;
+      };
+      basicAuthFile = {
+        type = types.nullOr types.str;
+        default = null;
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.rcloneResticServer = {
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+      onFailure = [ "ntfysh-notify-failure@%i.service" ];
+      serviceConfig = {
+        DynamicUser = true;
+        User = "rclone-restic-server";
+        Group = "rclone-restic-server";
+        Restart = "always";
+        RestartSec = "5";
+
+        LoadCredential = "rclone.conf:${cfg.configFile}";
+
+        KillMode = "mixed";
+        KillSignal = "SIGTERM";
+        TimeoutStopSec = "5s";
+
+        ExecReload = "/bin/kill -USR1 $MAINPID";
+        ExecStart = "${pkgs.rclone}/bin/rclone --config \${CREDENTIALS_DIRECTORY}/rclone.conf serve restic --append-only --addr [::1]:${toString cfg.port} restic:";
+
+        PrivateTmp = true;
+        PrivateDevices = true;
+        ProtectHome = true;
+        ProtectSystem = "full";
+
+        CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
+        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+        NoNewPrivileges = true;
+      };
+    };
+
+    services.nginx = {
+      enable = true;
+      virtualHosts."${cfg.nginx.domain}" = {
+        locations."/" = {
+          proxyPass = "http://[::1]:${toString cfg.port}/";
+          extraConfig =
+            ''
+              client_max_body_size 10G;
+            ''
+            + lib.optionalString (cfg.nginx.basicAuthFile != null) ''
+              auth_basic           Auth;
+              auth_basic_user_file ${cfg.nginx.basicAuthFile};
+            '';
+        };
+      };
+    };
+
+  };
+
+}
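Review bot: The `services.nginx` block at the end of the hunk is applied whenever `cfg.enable` is set and never consults the `nginx.enable` option declared above it, and since `basicAuthFile` defaults to null and neither `forceSSL` nor `enableACME` is set on the vhost, the default configuration publishes the restic repository on `cfg.nginx.domain` over plain HTTP with no authentication at all (the `ExecStart` line passes no `--user`/`--pass`/`--htpasswd`, so `--append-only` is the only limit on an anonymous client). Gate the block with `services.nginx = lib.mkIf cfg.nginx.enable {` and either drop the null default for `basicAuthFile` or add an assertion that it is set whenever the vhost is enabled, and document on the option that the rclone listener itself is unauthenticated and relies on nginx for access control. Separately, `ExecReload = "/bin/kill -USR1 $MAINPID"` most likely fails on NixOS, where `/bin` contains only `sh`; `${pkgs.util-linux}/bin/kill` resolves, assuming rclone actually reloads on USR1. The `%i` in `onFailure` expands to an empty instance name for a non-templated unit, so `%n` is probably what was intended — verify against the other modules that use this notifier. The `CAP_NET_BIND_SERVICE` bounding/ambient capability is also unnecessary with the default port 8000 and could be granted only when `cfg.port < 1024`.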