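# NixOS "pov" module: runs `rclone serve restic` in append-only mode as a
# hardened systemd service bound to loopback, and optionally publishes it
# through an nginx virtual host.
#
# Arguments:
#   povSelf - attribute path of this module's config subtree (read via getAttrFromPath)
#   config  - the evaluated NixOS configuration
#   lib     - nixpkgs lib
#   pkgs    - the package set (provides rclone and coreutils)
{ povSelf, config, lib, pkgs, ... }:
let
  inherit (lib) types;
  # This module's own option values, e.g. cfg.port.
  cfg = lib.getAttrFromPath povSelf config;
in
{
  options = {
    # Master switch; nothing in `config` below is generated unless true.
    enable = { type = types.bool; default = false; };
    # TCP port rclone listens on. It only binds [::1], never a public interface.
    port = { type = types.port; default = 8000; };
    # Path to an rclone.conf that defines the `restic:` remote. It is passed to
    # the service via LoadCredential, so it can live outside the world-readable
    # Nix store.
    configFile = { type = types.str; };
    nginx = {
      # Whether to expose the loopback server through an nginx virtual host.
      enable = { type = types.bool; default = false; };
      # Virtual host name; only evaluated when nginx.enable is true.
      domain = { type = types.str; };
      # htpasswd-style file for HTTP basic auth. null leaves the endpoint
      # unauthenticated: append-only still, but writable by anyone who reaches nginx.
      basicAuthFile = { type = types.nullOr types.str; default = null; };
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.rcloneResticServer = {
      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      # %n expands to this unit's full name ("rcloneResticServer.service").
      # %i is the *instance* name and is empty for a non-template unit, which
      # would yield the invalid dependency "ntfysh-notify-failure@.service".
      onFailure = [ "ntfysh-notify-failure@%n.service" ];
      serviceConfig = {
        DynamicUser = true;
        User = "rclone-restic-server";
        Group = "rclone-restic-server";
        Restart = "always";
        RestartSec = "5";
        # Made available as $CREDENTIALS_DIRECTORY/rclone.conf, readable only
        # by the service user.
        LoadCredential = "rclone.conf:${cfg.configFile}";
        KillMode = "mixed";
        KillSignal = "SIGTERM";
        TimeoutStopSec = "5s";
        # NixOS provides no /bin/kill; reference the store path so reload works.
        ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
        # `\${CREDENTIALS_DIRECTORY}` is escaped from Nix interpolation so systemd
        # expands it at runtime. --append-only lets clients add snapshots but
        # not delete or overwrite them, limiting what a compromised backup
        # client can do to the repository.
        ExecStart = "${pkgs.rclone}/bin/rclone --config \${CREDENTIALS_DIRECTORY}/rclone.conf serve restic --append-only --addr [::1]:${toString cfg.port} restic:";
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHome = true;
        # NOTE(review): DynamicUser already implies ProtectSystem=strict; "full"
        # is looser than that. Kept as-is — confirm rclone needs the extra
        # writable paths before tightening.
        ProtectSystem = "full";
        # Only required if cfg.port is below 1024; harmless otherwise.
        CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
        NoNewPrivileges = true;
      };
    };

    # Gated on nginx.enable: previously this was emitted whenever cfg.enable
    # was set, leaving the nginx.enable option unused and forcing nginx.domain
    # to be defined even when no reverse proxy was wanted.
    services.nginx = lib.mkIf cfg.nginx.enable {
      enable = true;
      virtualHosts."${cfg.nginx.domain}" = {
        # No TLS settings are defined here. Basic-auth credentials are sent in
        # cleartext unless this virtual host is served over HTTPS elsewhere in
        # the configuration.
        locations."/" = {
          proxyPass = "http://[::1]:${toString cfg.port}/";
          extraConfig = ''
            client_max_body_size 10G;
          '' + lib.optionalString (cfg.nginx.basicAuthFile != null) ''
            auth_basic Auth;
            auth_basic_user_file ${cfg.nginx.basicAuthFile};
          '';
        };
      };
    };
  };
}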