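# NixOS module: an append-only restic REST backend (rclone `serve restic`)
# listening on loopback only, fronted by nginx with TLS and HTTP basic auth.
{ secrets, pkgs, lib, config, ... }:

let
  host = config.networking.hostName;
  # rclone binds to loopback only; nginx is the sole network-facing endpoint.
  listenAddr = "[::1]:8000";
in
{
  # Publish restic.<host>.infra as an alias of the host's own infra record.
  dns.zones."katja.wtf".subdomains."restic.${host}.infra".CNAME =
    [ "${host}.infra.katja.wtf." ];

  # Dedicated unprivileged account for the rclone process.
  users.groups.rclone-restic-server = { };
  users.users.rclone-restic-server = {
    isSystemUser = true;
    home = "/var/lib/rclone-restic-server";
    group = "rclone-restic-server";
  };

  # Each secret file is owned by the one service account that reads it:
  # the rclone remote config by the rclone service, the htpasswd file by nginx.
  age.secrets = {
    rcloneConfig = {
      file = secrets.${host}.rcloneConfig;
      owner = "rclone-restic-server";
    };
    resticServerHtpasswd = {
      file = secrets.${host}.resticServerHtpasswd;
      owner = "nginx";
    };
  };

  systemd.services.rclone-restic-server = {
    wantedBy = [ "multi-user.target" ];
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    # %n expands to this unit's full name. The previous %i is empty for a
    # non-instantiated unit, so it resolved to the bare template
    # "ntfysh-notify-failure@.service", which is not a startable unit.
    # (The template's expected instance format is defined elsewhere — confirm
    # it accepts the ".service"-suffixed name; use %N if it wants it bare.)
    onFailure = [ "ntfysh-notify-failure@%n.service" ];

    serviceConfig = {
      User = "rclone-restic-server";
      Group = "rclone-restic-server";
      Restart = "always";
      RestartSec = "5";
      KillMode = "mixed";
      KillSignal = "SIGTERM";
      TimeoutStopSec = "5s";
      # NixOS has no /bin/kill; Exec* paths must point into the store.
      ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
      # --append-only: the REST backend refuses deletion of repository data,
      # so a compromised backup client cannot destroy existing snapshots.
      ExecStart = lib.concatStringsSep " " [
        "${pkgs.rclone}/bin/rclone"
        "--config ${config.age.secrets.rcloneConfig.path}"
        "serve restic"
        "--append-only"
        "--addr ${listenAddr}"
        "hetzner-storage:"
      ];
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectHome = true;
      ProtectSystem = "full";
      NoNewPrivileges = true;
      # Port 8000 is unprivileged, so CAP_NET_BIND_SERVICE is not needed;
      # the previous bounding/ambient grant gave the process a capability it
      # never used. Keep the bounding set empty (least privilege) and re-add
      # the capability only if listenAddr ever moves below port 1024.
      CapabilityBoundingSet = "";
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."restic.${config.networking.fqdn}" = {
      useACMEHost = config.networking.fqdn;
      forceSSL = true;
      kTLS = true;
      locations."/" = {
        proxyPass = "http://${listenAddr}/";
        # Basic auth in front of the otherwise unauthenticated rclone
        # listener; the htpasswd file is the age secret owned by nginx above.
        extraConfig = ''
          client_max_body_size 10G;
          auth_basic Auth;
          auth_basic_user_file ${config.age.secrets.resticServerHtpasswd.path};
        '';
      };
    };
  };
}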