Commit b7c8e22e authored by Gabe Venberg's avatar Gabe Venberg Committed by Pascal Bach

nixos/restic-rest-server: add htpasswd-file setting

In the restic rest-server, you can set the file to use in place of
$datadir/.htpasswd with the --htpasswd-file option. However, this was
unusable from the module with extraConfig, due to systemd hardening.
Adding a dedicated option fixes this.
parent dc585df3
+8 −0
@@ -36,6 +36,12 @@ in
      '';
    };

    htpasswd-file = lib.mkOption {
      default = null;
      type = lib.types.nullOr lib.types.path;
      description = "The path to the servers .htpasswd file. Defaults to {dataDir}/htpasswd.";
    };

    privateRepos = lib.mkOption {
      default = false;
      type = lib.types.bool;
@@ -84,6 +90,7 @@ in
        ExecStart = ''
          ${cfg.package}/bin/rest-server \
          --path ${cfg.dataDir} \
          --htpasswd-file ${cfg.htpasswd-file} \
          ${lib.optionalString cfg.appendOnly "--append-only"} \
          ${lib.optionalString cfg.privateRepos "--private-repos"} \
          ${lib.optionalString cfg.prometheus "--prometheus"} \
@@ -112,6 +119,7 @@ in
        ProtectControlGroups = true;
        PrivateDevices = true;
        ReadWritePaths = [ cfg.dataDir ];
        ReadOnlyPaths = [ cfg.htpasswd-file ];
        RemoveIPC = true;
        RestrictAddressFamilies = "none";
        RestrictNamespaces = true;
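Review bot: With the option's default of `null`, both new uses break for every configuration that leaves it unset: `${cfg.htpasswd-file}` in ExecStart cannot coerce null to a string, and `ReadOnlyPaths = [ cfg.htpasswd-file ]` puts a null into the list, which presumably fails as well. Guard both, e.g. `${lib.optionalString (cfg.htpasswd-file != null) "--htpasswd-file ${cfg.htpasswd-file}"} \` and `ReadOnlyPaths = lib.optional (cfg.htpasswd-file != null) cfg.htpasswd-file;`. Because the type is `lib.types.path`, a Nix path literal would be copied into the world-readable store when interpolated, so the description should tell users to pass a string path that lives outside the store to keep the password hashes private. The description also says `{dataDir}/htpasswd` while the commit message names `$datadir/.htpasswd`; one of them should be corrected. The option set and the service definition both continue outside the visible hunks.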