mirror of
https://github.com/kmein/niveum
synced 2026-03-16 10:11:08 +01:00
38 lines
1.1 KiB
Nix
38 lines
1.1 KiB
Nix
{ pkgs, lib, ... }:
|
|
let
|
|
niveumLib = import <niveum/lib>;
|
|
inherit (niveumLib) retiolumAddresses restic;
|
|
firewall = niveumLib.firewall lib;
|
|
dataDir = "/backup/restic";
|
|
in
|
|
{
|
|
services.restic.server = {
|
|
enable = true;
|
|
appendOnly = true;
|
|
inherit dataDir;
|
|
prometheus = true;
|
|
extraFlags = [ "--no-auth" ]; # auth is done via firewall
|
|
listenAddress = ":${toString restic.port}";
|
|
};
|
|
|
|
environment.systemPackages = [
|
|
(pkgs.writers.writeDashBin "restic-niveum" ''
|
|
${pkgs.restic}/bin/restic -r ${toString dataDir} -p ${<secrets/restic/password>} "$@"
|
|
'')
|
|
];
|
|
|
|
networking.firewall =
|
|
let
|
|
dport = restic.port;
|
|
protocol = "tcp";
|
|
rules = [
|
|
(firewall.accept { inherit dport protocol; source = retiolumAddresses.kabsa.ipv4; })
|
|
(firewall.accept { inherit dport protocol; source = retiolumAddresses.manakish.ipv4; })
|
|
(firewall.accept { inherit dport protocol; source = retiolumAddresses.makanek.ipv4; })
|
|
];
|
|
in {
|
|
extraCommands = firewall.addRules rules;
|
|
extraStopCommands = firewall.removeRules rules;
|
|
};
|
|
}
|