diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 0ed820a32ac..805d83c7ce3 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -306,6 +306,7 @@ ceph = 288; duplicati = 289; monetdb = 290; + restic = 291; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -580,6 +581,7 @@ ceph = 288; duplicati = 289; monetdb = 290; + restic = 291; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 505c5497d36..26804d3682d 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -167,6 +167,7 @@ ./services/backup/mysql-backup.nix ./services/backup/postgresql-backup.nix ./services/backup/restic.nix + ./services/backup/restic-rest-server.nix ./services/backup/rsnapshot.nix ./services/backup/tarsnap.nix ./services/backup/znapzend.nix diff --git a/nixos/modules/services/backup/restic-rest-server.nix b/nixos/modules/services/backup/restic-rest-server.nix new file mode 100644 index 00000000000..d4b47a09941 --- /dev/null +++ b/nixos/modules/services/backup/restic-rest-server.nix @@ -0,0 +1,107 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.restic.server; +in +{ + meta.maintainers = [ maintainers.bachp ]; + + options.services.restic.server = { + enable = mkEnableOption "Restic REST Server"; + + listenAddress = mkOption { + default = ":8000"; + example = "127.0.0.1:8080"; + type = types.str; + description = "Listen on a specific IP address and port."; + }; + + dataDir = mkOption { + default = "/var/lib/restic"; + type = types.path; + description = "The directory for storing the restic repository."; + }; + + appendOnly = mkOption { + default = false; + type = types.bool; + description = '' + Enable append only mode. + This mode allows creation of new backups but prevents deletion and modification of existing backups. + This can be useful when backing up systems that have a potential of being hacked. + ''; + }; + + privateRepos = mkOption { + default = false; + type = types.bool; + description = '' + Enable private repos. + Grants access only when a subdirectory with the same name as the user is specified in the repository URL. + ''; + }; + + prometheus = mkOption { + default = false; + type = types.bool; + description = "Enable Prometheus metrics at /metrics."; + }; + + extraFlags = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Extra commandline options to pass to Restic REST server. + ''; + }; + + package = mkOption { + default = pkgs.restic-rest-server; + defaultText = "pkgs.restic-rest-server"; + type = types.package; + description = "Restic REST server package to use."; + }; + }; + + config = mkIf cfg.enable { + systemd.services.restic-rest-server = { + description = "Restic REST Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = '' + ${cfg.package}/bin/rest-server \ + --listen ${cfg.listenAddress} \ + --path ${cfg.dataDir} \ + ${optionalString cfg.appendOnly "--append-only"} \ + ${optionalString cfg.privateRepos "--private-repos"} \ + ${optionalString cfg.prometheus "--prometheus"} \ + ${escapeShellArgs cfg.extraFlags} \ + ''; + Type = "simple"; + User = "restic"; + Group = "restic"; + + # Security hardening + ReadWritePaths = [ cfg.dataDir ]; + PrivateTmp = true; + ProtectSystem = "strict"; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + PrivateDevices = true; + }; + }; + + users.extraUsers.restic = { + group = "restic"; + home = cfg.dataDir; + createHome = true; + uid = config.ids.uids.restic; + }; + + users.extraGroups.restic.gid = config.ids.uids.restic; + }; +}