rest server

modules/hosts/soteria/secrets.yaml

@@ -8,6 +8,7 @@ forgejo:
     #ENC[AES256_GCM,data:ZqwgnKjaolJtjcy287fnDOkb/oSLnBpfWfsTeVPwbIE8YLRSoPP4gbCnHJBLq+TJNNI=,iv:zTvw4ZS6C1ifUwOijNLuTfUQ3JM+5gj1X2f/s8MwWXc=,tag:Y1yKlL+jIRHVBulGlSErog==,type:comment]
     jwt_secret: ENC[AES256_GCM,data:e59MlATOorsTIQjtTUKfX5Yo3CVsbbfuKczp1gh1m2D1kkZK3ORFztYpjg==,iv:JH3PVUmXToiThEKDkDJ8MGVMAPlIEgPSWhru+9WgNjk=,tag:FfDpaCPejpw6kGDkxJwDWw==,type:str]
     lfs_jwt_secret: ENC[AES256_GCM,data:xi9PEKFUGRyc3YOg3JM3KrrENi9xsbeBjiz4R16SK5WDafoGFLazN6KRJQ==,iv:1IhPyQDwA8tZ22pfZJiU8TRTCLCHC/HAnKdmSGDfvcM=,tag:rLdREVSKBm67rt8ayN16Vw==,type:str]
+restic_password: ENC[AES256_GCM,data:u7QOZXJkxVG4J75K5nphb2uJGdz6jbWuVSsKKu+41fshp7cVoRijtr/Cs02LjVse,iv:bt1W2FeBTG6ypBFYzMPXPIkYTSn0uHURY2ui6MRgYY8=,tag:DObAMws/zQcM+UKUe9EECA==,type:str]
 sops:
     age:
         - recipient: age1ykcs39e62pz3xu6cedg8ea685kv5d5qsrhgkndygzm8rx30xd5ys5t3qxt
@@ -37,7 +38,7 @@ sops:
             Yjd0MUcxcExvWVpCOUR3MkdZdGQyWUkKnru0Y2A98+0Mps7EtVK7ct3vPqIGveUt
             E5fzpcKvdefzObrx7BPTwJ19t2fZg/dSi7HKwx3vmKZSzyQaqJOzsg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-02T03:47:52Z"
-    mac: ENC[AES256_GCM,data:NvCF78rzYOv2Ulf3TLB4eKtYEqNkfSzPBPRXcpTTO9QoSH3axdapkhUzsSq2d30RV/F/PLMbMaERMgW1SFT0Uikvk0s5ALmwN29MMwA6BMyup5bzOQeOIxOoeYrKOeqCJdI3ZhtqV/ebvyTebVI7Q6Jw0QKf+9SW2RfYGFJkKF0=,iv:VSoGZkzSzI9SPnvrzyIgWgW/teRNiFlf5fdmHKVg2TE=,tag:qm/jUdQ63MdWUxBDJ9kxww==,type:str]
+    lastmodified: "2026-04-04T23:18:43Z"
+    mac: ENC[AES256_GCM,data:qBgeli5lHb4pyA8nAADBuRBAaq8VbAIsFI37OZtgnbnoHW2crxo3YC+EknaIYnZpZ48kwVhQS5lGRjI6JsWWhTH3+LVAhTmS2Qj/pZTD/JDLK6XJGXS4U9nB7m9aGYyW8gFCy9/DfoJWGsS//+ZmUikKPfd5kMZgh1zGoYCIGug=,iv:h+2fA+bO2SMCNrEslP36x3BPRaIy25cU/DNX8CYSC6A=,tag:RvVyUZ4ONRaKaqGiT31eUQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.2

modules/hosts/soteria/soteria.nix

@@ -47,8 +47,8 @@ in
           ];
           lifetime = "12h";
           renew.onCalendar = "*:3/15";
-          renew.reloadUnits = [ "forgejo.service" ];
-          certReaders = [ config.services.forgejo.user "postgres" ];
+          renew.reloadUnits = [ "forgejo.service" "restic-rest-server.service" ];
+          certReaders = [ config.services.forgejo.user "restic" ];
         };
         forgejo = {
           enable = true;
@@ -57,11 +57,25 @@ in
           port = 443;
         };
 
+        networking.firewall.allowedTCPPorts = [ 8000 ];
+        services.restic.server = {
+          enable = true;
+          privateRepos = true;
+          listenAddress = "0.0.0.0:8000";
+          extraFlags = [
+            "--no-auth"
+            "--tls"
+            "--tls-cert=${config.mtls.certFile}"
+            "--tls-key=${config.mtls.keyFile}"
+          ];
+        };
+
         loginText.extraServiceStatus = {
           Docker = "docker";
           "mTLS Renewal" = "mtls-renew.timer";
           Forgejo = "forgejo.service";
           "Forgejo Backup" = "forgejo-dump.timer";
+          "Restic REST Server" = "restic-rest-server.service";
         };
 
         step-ssh-host.hostname = hostname;
@@ -79,6 +93,7 @@ in
         environment.systemPackages = [
           inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.janus-ca
           inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim
+          inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.jsl-zsh
         ];
       })
     ];