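# NixOS module: run `rclone serve restic` (append-only) on the loopback
# interface, optionally fronted by an nginx reverse proxy with HTTP basic auth.
#
# Arguments follow this repo's module convention: `povSelf` is the option
# path of this module and `cfg` is the evaluated option set at that path.
{
  povSelf,
  config,
  lib,
  pkgs,
  ...
}:
let
  inherit (lib) types;
  cfg = lib.getAttrFromPath povSelf config;

in
{

  options = {
    # Whether to run the rclone restic server at all.
    enable = {
      type = types.bool;
      default = false;
    };
    # Loopback port rclone listens on; reachable from outside only via nginx.
    port = {
      type = types.port;
      default = 8000;
    };
    # Path to an rclone.conf defining the `restic:` remote. It is passed to
    # the service through LoadCredential, so it can stay root-only on disk.
    configFile = {
      type = types.str;
    };
    nginx = {
      # Whether to expose the server through nginx on `domain`.
      enable = {
        type = types.bool;
        default = false;
      };
      domain = {
        type = types.str;
      };
      # htpasswd file for basic auth in front of the repository (null = open).
      # Must be readable by the nginx service user.
      basicAuthFile = {
        type = types.nullOr types.str;
        default = null;
      };
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.rcloneResticServer = {
      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      # NOTE(review): %i is the template instance name and expands to an
      # empty string for a plain (non-template) unit like this one; %n (full
      # unit name) is likely what the notify template expects — confirm
      # against the ntfysh-notify-failure@ definition.
      onFailure = [ "ntfysh-notify-failure@%i.service" ];
      serviceConfig = {
        DynamicUser = true;
        User = "rclone-restic-server";
        Group = "rclone-restic-server";
        Restart = "always";
        RestartSec = "5";

        # The config is exposed read-only under $CREDENTIALS_DIRECTORY,
        # visible only to this service, instead of being world-readable.
        LoadCredential = "rclone.conf:${cfg.configFile}";

        KillMode = "mixed";
        KillSignal = "SIGTERM";
        TimeoutStopSec = "5s";

        # NixOS has no /bin/kill; reference the binary from the store so
        # `systemctl reload` does not fail with "command not found".
        ExecReload = "${pkgs.util-linux}/bin/kill -USR1 $MAINPID";
        # `\${CREDENTIALS_DIRECTORY}` is a Nix escape: systemd expands it at
        # runtime. --append-only keeps a compromised client from deleting or
        # rewriting existing snapshots.
        ExecStart = "${pkgs.rclone}/bin/rclone --config \${CREDENTIALS_DIRECTORY}/rclone.conf serve restic --append-only --addr [::1]:${toString cfg.port} restic:";

        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHome = true;
        # "strict" would tighten this further if the service needs no
        # writable paths outside /dev, /proc and /sys — not verified here.
        ProtectSystem = "full";

        # Only needed when `port` is < 1024; harmless otherwise.
        CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
        NoNewPrivileges = true;
      };
    };

    # Only configure nginx when the proxy is actually requested; previously
    # `nginx.enable` was declared but never consulted, so enabling the
    # server always enabled nginx and required `nginx.domain` to be set.
    services.nginx = lib.mkIf cfg.nginx.enable {
      enable = true;
      virtualHosts."${cfg.nginx.domain}" = {
        # NOTE(review): this vhost sets no forceSSL/enableACME; basic-auth
        # credentials cross the network in cleartext unless TLS is configured
        # for this domain elsewhere in the repo.
        locations."/" = {
          proxyPass = "http://[::1]:${toString cfg.port}/";
          extraConfig =
            # Restic uploads whole pack files in one request body.
            ''
              client_max_body_size 10G;
            ''
            + lib.optionalString (cfg.nginx.basicAuthFile != null) ''
              auth_basic           Auth;
              auth_basic_user_file ${cfg.nginx.basicAuthFile};
            '';
        };
      };
    };

  };

}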