drone: add restic rest server

modules/nixos/services/homeserver/restic/backups.nix

@@ -1,7 +1,10 @@
 { config, pkgs, lib, ... }:
 
 {
-  sops.secrets."restic/password" = {};
+  sops.secrets = {
+    "restic/password" = {};
+    "restic/rest-auth.env" = {};
+  };
 
   systemd.services = {
     db-backup = {
@@ -49,7 +52,8 @@
       '';
 
       initialize = true;
-      repository = "/mnt/external/backup/restic";
+      repository = "rest:http://localhost:8001/drone";
+      environmentFile = config.sops.secrets."restic/rest-auth.env".path;
       passwordFile = config.sops.secrets."restic/password".path;
       timerConfig = {
         OnCalendar = "03:00";

modules/nixos/services/homeserver/restic/default.nix

@@ -3,5 +3,6 @@
 {
   imports = [
     ./backups.nix
+    ./rest-server.nix
   ];
 }

modules/nixos/services/homeserver/restic/rest-server.nix

@@ -0,0 +1,28 @@
+{ config, ... }:
+
+{
+  sops.secrets."restic/rest-server/.htpasswd" = {
+    owner = "restic";
+    group = "restic";
+  };
+
+  services.caddy.virtualHosts."restic.taild5f7e6.ts.net".extraConfig =
+  assert config.services.caddy.enable;
+  ''
+    import default-settings
+
+    bind tailscale/restic
+
+    reverse_proxy localhost:8001
+  '';
+
+  services.restic.server = {
+    enable = true;
+    dataDir = "/mnt/external/backup/restic";
+    listenAddress = "127.0.0.1:8001";
+    htpasswd-file = config.sops.secrets."restic/rest-server/.htpasswd".path;
+
+    privateRepos = true;
+    appendOnly = true;
+  };
+}