
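{
  config,
  lib,
  pkgs,
  ...
}:
# Profile: turn this machine into a restic backup target reachable over SSH.
#
# Every entry of `keys` maps a repository name to one SSH public key.  The key
# is installed for a dedicated `restic` user with a forced command that runs
# `rclone serve restic --stdio --append-only` rooted at `<path>/<repo>`, so a
# client holding that key can only talk to its own repository and cannot
# delete existing data (rclone's append-only mode refuses deletions; whether
# it also refuses overwrites of existing blobs should be confirmed against the
# deployed rclone version).  `restrict` additionally disables pty allocation,
# port/agent/X11 forwarding and user-rc for that key.
let
  inherit (lib) types;
  cfg = config.zpha.profiles.resticBackupTarget;

  # Directory of the repository a key is scoped to, quoted for the shell.
  # sshd executes a `command=` option via the account's login shell
  # (`$SHELL -c ...`), so an unquoted path containing whitespace or shell
  # metacharacters would be word-split or expanded.  Note that sshd itself
  # terminates the `command="..."` string at an unescaped double quote, so a
  # `path` containing `"` is still not supported.
  repoDir = repo: lib.escapeShellArg "${cfg.path}/${repo}";

  # Repository names become a single path component under `path`; reject
  # anything that would escape that directory or produce an empty segment.
  repoNameIsSafe = repo: repo != "" && repo != "." && repo != ".." && !(lib.hasInfix "/" repo);

in
{

  options.zpha.profiles.resticBackupTarget = {
    enable = lib.mkEnableOption "this machine to be used as restic backup target";
    path = lib.mkOption {
      type = types.path;
      description = ''
        Directory holding all restic repositories, one subdirectory per
        entry of `keys`.  It is also used as the home directory of the
        `restic` user.
      '';
    };
    keys = lib.mkOption {
      type = with types; attrsOf str;
      default = { };
      description = ''
        Mapping from repository name to the SSH public key that may write to
        it.  The name is used verbatim as a subdirectory of `path`, so it must
        be a single path component (no `/`, and not `.` or `..`).
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Fail evaluation instead of silently building a forced command whose
    # repository directory lies outside `path`.
    assertions = lib.mapAttrsToList (repo: _: {
      assertion = repoNameIsSafe repo;
      message = "zpha.profiles.resticBackupTarget.keys: repository name \"${repo}\" must be a single path component (no '/', not '.' or '..')";
    }) cfg.keys;

    # Stable client-facing name for the target; only the host "cuvier"
    # publishes the record, so moving the target means editing this check.
    dns.zones."fc9f.de".subdomains."restic-target".CNAME = lib.mkIf (
      config.networking.hostName == "cuvier"
    ) [ "${config.networking.fqdn}." ];

    users = {
      groups.restic = { };
      users.restic = {
        uid = 1002;
        # NOTE(review): a normal user gets a real login shell; that shell is
        # required because sshd runs the forced `command=` through it, so do
        # not switch this account to a nologin shell.
        isNormalUser = true;
        group = "restic";
        # "ssh" is presumably matched by an AllowGroups rule and "nix" by a
        # nix-daemon policy configured elsewhere in this repo - confirm both
        # are still needed, since the key can only ever run rclone.
        extraGroups = [
          "ssh"
          "nix"
        ];
        home = cfg.path;
        maid.packages = with pkgs; [
          restic
          rclone
        ];
        # One authorized_keys line per repository.  `restrict` pins the key to
        # the forced command; `--append-only` makes the server refuse deletes
        # so a compromised client cannot destroy earlier snapshots.
        openssh.authorizedKeys.keys = lib.mapAttrsToList (
          repo: key:
          ''restrict,command="${lib.getExe pkgs.rclone} serve restic --stdio --append-only --verbose ${repoDir repo}" ${key}''
        ) cfg.keys;
      };
    };
  };

}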