From 244519f406f22a5d09522bc629fd0358f6d1aafc Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Thu, 16 Apr 2026 17:31:57 -0500
Subject: [PATCH] rest server
---
 modules/hosts/soteria/secrets.yaml | 5 +++--
 modules/hosts/soteria/soteria.nix | 19 +++++++++++++++++--
 2 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/modules/hosts/soteria/secrets.yaml b/modules/hosts/soteria/secrets.yaml
index d3cad01..388ea9d 100644
--- a/modules/hosts/soteria/secrets.yaml
+++ b/modules/hosts/soteria/secrets.yaml
@@ -8,6 +8,7 @@ forgejo:
 #ENC[AES256_GCM,data:ZqwgnKjaolJtjcy287fnDOkb/oSLnBpfWfsTeVPwbIE8YLRSoPP4gbCnHJBLq+TJNNI=,iv:zTvw4ZS6C1ifUwOijNLuTfUQ3JM+5gj1X2f/s8MwWXc=,tag:Y1yKlL+jIRHVBulGlSErog==,type:comment]
 jwt_secret: ENC[AES256_GCM,data:e59MlATOorsTIQjtTUKfX5Yo3CVsbbfuKczp1gh1m2D1kkZK3ORFztYpjg==,iv:JH3PVUmXToiThEKDkDJ8MGVMAPlIEgPSWhru+9WgNjk=,tag:FfDpaCPejpw6kGDkxJwDWw==,type:str]
 lfs_jwt_secret: ENC[AES256_GCM,data:xi9PEKFUGRyc3YOg3JM3KrrENi9xsbeBjiz4R16SK5WDafoGFLazN6KRJQ==,iv:1IhPyQDwA8tZ22pfZJiU8TRTCLCHC/HAnKdmSGDfvcM=,tag:rLdREVSKBm67rt8ayN16Vw==,type:str]
+restic_password: ENC[AES256_GCM,data:u7QOZXJkxVG4J75K5nphb2uJGdz6jbWuVSsKKu+41fshp7cVoRijtr/Cs02LjVse,iv:bt1W2FeBTG6ypBFYzMPXPIkYTSn0uHURY2ui6MRgYY8=,tag:DObAMws/zQcM+UKUe9EECA==,type:str]
 sops:
 age:
 - recipient: age1ykcs39e62pz3xu6cedg8ea685kv5d5qsrhgkndygzm8rx30xd5ys5t3qxt
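Review bot: The new `restic_password` entry is encrypted to soteria's recipients, but nothing in the visible soteria.nix hunks declares or consumes it, and a REST server does not need the repository password to store data. If soteria only hosts the server, keeping the repository password decryptable on that host means a compromise of it exposes both the stored backups and the key to read them; consider keeping the secret only in the secrets file of the hosts that run the restic client. If soteria also backs itself up, a short comment such as `# repository password for soteria's own backup job` next to the consuming `sops.secrets` declaration (not visible here) would make that clear.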
@@ -37,7 +38,7 @@ sops:
 Yjd0MUcxcExvWVpCOUR3MkdZdGQyWUkKnru0Y2A98+0Mps7EtVK7ct3vPqIGveUt
 E5fzpcKvdefzObrx7BPTwJ19t2fZg/dSi7HKwx3vmKZSzyQaqJOzsg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-04-02T03:47:52Z"
- mac: ENC[AES256_GCM,data:NvCF78rzYOv2Ulf3TLB4eKtYEqNkfSzPBPRXcpTTO9QoSH3axdapkhUzsSq2d30RV/F/PLMbMaERMgW1SFT0Uikvk0s5ALmwN29MMwA6BMyup5bzOQeOIxOoeYrKOeqCJdI3ZhtqV/ebvyTebVI7Q6Jw0QKf+9SW2RfYGFJkKF0=,iv:VSoGZkzSzI9SPnvrzyIgWgW/teRNiFlf5fdmHKVg2TE=,tag:qm/jUdQ63MdWUxBDJ9kxww==,type:str]
+ lastmodified: "2026-04-04T23:18:43Z"
+ mac: ENC[AES256_GCM,data:qBgeli5lHb4pyA8nAADBuRBAaq8VbAIsFI37OZtgnbnoHW2crxo3YC+EknaIYnZpZ48kwVhQS5lGRjI6JsWWhTH3+LVAhTmS2Qj/pZTD/JDLK6XJGXS4U9nB7m9aGYyW8gFCy9/DfoJWGsS//+ZmUikKPfd5kMZgh1zGoYCIGug=,iv:h+2fA+bO2SMCNrEslP36x3BPRaIy25cU/DNX8CYSC6A=,tag:RvVyUZ4ONRaKaqGiT31eUQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.12.2
diff --git a/modules/hosts/soteria/soteria.nix b/modules/hosts/soteria/soteria.nix
index 351c77e..cb587b3 100644
--- a/modules/hosts/soteria/soteria.nix
+++ b/modules/hosts/soteria/soteria.nix
@@ -47,8 +47,8 @@ in
 ];
 lifetime = "12h";
 renew.onCalendar = "*:3/15";
- renew.reloadUnits = [ "forgejo.service" ];
- certReaders = [ config.services.forgejo.user "postgres" ];
+ renew.reloadUnits = [ "forgejo.service" "restic-rest-server.service" ];
+ certReaders = [ config.services.forgejo.user "restic" ];
 };
 forgejo = {
 enable = true;
@@ -57,11 +57,25 @@ in
 port = 443;
 };
+ networking.firewall.allowedTCPPorts = [ 8000 ];
+ services.restic.server = {
+ enable = true;
+ privateRepos = true;
+ listenAddress = "0.0.0.0:8000";
+ extraFlags = [
+ "--no-auth"
+ "--tls"
+ "--tls-cert=${config.mtls.certFile}"
+ "--tls-key=${config.mtls.keyFile}"
+ ];
+ };
+
 loginText.extraServiceStatus = {
 Docker = "docker";
 "mTLS Renewal" = "mtls-renew.timer";
 Forgejo = "forgejo.service";
 "Forgejo Backup" = "forgejo-dump.timer";
+ "Restic REST Server" = "restic-rest-server.service";
 };
 step-ssh-host.hostname = hostname;
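Review bot: `certReaders` replaces `"postgres"` with `"restic"` instead of appending to the list, so the postgres user loses read access to the mTLS certificate and key. If PostgreSQL on this host still serves TLS from these files (not visible in this hunk), it may fail on the next renewal or restart; if the removal is intended, say so in the commit message, otherwise keep both with `certReaders = [ config.services.forgejo.user "postgres" "restic" ];`. With a 12h `lifetime`, it is also worth confirming that `restic-rest-server.service` picks up the renewed key pair when it is reloaded through `renew.reloadUnits`, since a server that reads the certificate only at start would keep serving the old one until it expires. The enclosing attribute set starts and ends outside the hunk.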
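Review bot: The REST server is started with `--no-auth` on `0.0.0.0:8000` and the firewall opens port 8000, so any host that can reach soteria can create, read and delete repositories. `--tls` with `--tls-cert`/`--tls-key` authenticates only the server to the client and does not verify client certificates. As far as I know rest-server also skips the private-repository check when authentication is disabled, so `privateRepos = true;` gives no isolation here. Drop `"--no-auth"` and provision an htpasswd file for the server, restrict `listenAddress` or the firewall rule to the interface the backup clients use, and consider `appendOnly = true;` so that a compromised client cannot delete existing snapshots. The surrounding module body starts and ends outside the hunk.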
@@ -79,6 +93,7 @@ in
 environment.systemPackages = [
 inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.janus-ca
 inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim
+ inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.jsl-zsh
 ];
 })
 ];