-rwxr-xr-xregenerate-secrets.sh1
-rw-r--r--tw/services/secrets.scm3
-rw-r--r--tw/system/files/restic/lud-git.enc7
-rw-r--r--tw/system/lud.scm49
4 files changed, 53 insertions, 7 deletions
diff --git a/regenerate-secrets.sh b/regenerate-secrets.sh
index 3441b960..2aafb7ee 100755
--- a/regenerate-secrets.sh
+++ b/regenerate-secrets.sh
@@ -32,6 +32,7 @@ for repo in vin-grafana timo-laptop timo-phone timo-sync; do
done
store_restic lud lud-nextcloud
+store_restic lud lud-git
store lud www/nextcloud/database tw/system/files/nextcloud-database-password.enc
diff --git a/tw/services/secrets.scm b/tw/services/secrets.scm
index 1895700d..9eda4b51 100644
--- a/tw/services/secrets.scm
+++ b/tw/services/secrets.scm
@@ -10,8 +10,7 @@
#:use-module (srfi srfi-1)
#:export (secrets-service-type
secrets-configuration
- secret
- encsecret-program))
+ secret))
(define-configuration/no-serialization secret
(encrypted-file file-like "The file in the Guix store containing the
diff --git a/tw/system/files/restic/lud-git.enc b/tw/system/files/restic/lud-git.enc
new file mode 100644
index 00000000..015fa5c3
--- /dev/null
+++ b/tw/system/files/restic/lud-git.enc
@@ -0,0 +1,7 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyBnSkdV
+Tmt3T2pCZTdSWHFZMGI2c0lLd0R5dnE4NGcwbUJobS9aYnFEVWtVCi8zd0xkSjJk
+YStxcC9PWGtZUlRaS281YW02RjhYdGJtcjAySzZLOWtseDAKLS0tIEM1UW56bGR6
+b3haS3kzMnlXZ2VrRFd5OUc0Mm5CWjRKRzlLbzl5N0lMOXMKf7quMXK2HGks23Q7
+LvahP/G0htJ/ETOXyGf+VMgfzvRKRhfuTpKeURHjgW9BGb614Q==
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/system/lud.scm b/tw/system/lud.scm
index 2b2b08e1..2c8c7fef 100644
--- a/tw/system/lud.scm
+++ b/tw/system/lud.scm
@@ -9,6 +9,7 @@
#:use-module (tw services nextcloud)
#:use-module (tw services matrix)
#:use-module (tw services media)
+ #:use-module (tw services restic)
#:use-module (tw services secrets)
#:use-module (tw services web)
#:use-module (tw system))
@@ -64,7 +65,9 @@
`(("ira" ; for Duplicity backups
,(local-file "files/kitchen-pc.pub")
,(local-file "files/wilken-laptop.pub"))
- ("timo"
+ ("git"
+ ,(local-file "files/timo.pub")
+ ,(local-file "files/timo-phone-gpg.pub")
,(local-file "files/timo-phone-password-store.pub"))))
(service tor-service-type)
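Review bot: The new `("git"` entry authorises three personal keys to log in as the `git` account, but the `git` user-account added at the end of this commit sets no `shell`, so presumably the default login shell applies and each of those keys gets an interactive shell on lud rather than being limited to push/pull; consider `(shell (file-append git "/bin/git-shell"))` on that account (git ships git-shell, but confirm the output path in the package). The `"timo"` entry is replaced rather than duplicated, so after this change the timo account keeps no authorized keys from this list; confirm that is intended rather than a copy-paste slip. The enclosing form that this list belongs to (presumably the `authorized-keys` field of the openssh configuration) starts before the hunk.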
@@ -87,12 +90,16 @@
;; git://lud.wg/~user/repo.git => /home/user/src/repo.git
(user-path "src")))
+ ;; Serve public-access git repos over HTTPS and private ones over SSH only.
(service cgit-service-type
(cgit-configuration
(branch-sort "age")
+ (root-title "Timo Wilken's Git repositories")
+ (root-desc "Projects written by me, contributed to by me, or \
+that I just want to host somewhere.")
;; (root-readme "") ; TODO
- ;; (root-title "") ; TODO
(repository-directory "/srv/git")
+ (strict-export "git-daemon-export-ok") ; require presence of this file to show repo
(remove-suffix? #t) ; remove trailing .git in name and URL
(clone-prefix '("https://git.twilken.net/"
"git@git.twilken.net:"))
@@ -111,6 +118,32 @@
(domains '("git.twilken.net"))
(deploy-hook %nginx-cert-deploy-hook))))
+ (simple-service 'git-backups restic-backup-service-type
+ (list (restic-scheduled-backup
+ (schedule #~"0 3 * * *")
+ (paths '("/srv/git"))
+ (repo (restic-local-repository
+ (path "/var/backups/git")))
+ (password (restic-password-source
+ (type 'file)
+ (name "/etc/restic/lud-git"))))))
+
+ (simple-service 'git-backups-cleanup restic-cleanup-service-type
+ (list (restic-scheduled-cleanup
+ (schedule #~"0 4 * * *")
+ (repo (restic-local-repository
+ (path "/var/backups/git")))
+ (password (restic-password-source
+ (type 'file)
+ (name "/etc/restic/lud-git")))
+ (keep-daily 30)
+ (keep-monthly -1))))
+
+ (simple-service 'git-secrets secrets-service-type
+ (list (secret
+ (encrypted-file (local-file "files/restic/lud-git.enc"))
+ (destination "/etc/restic/lud-git"))))
+
;; Transmission (torrents)
(service transmission-daemon-service-type
(transmission-daemon-configuration
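Review bot: The restic repository at `(path "/var/backups/git")` lives on the same host as the `/srv/git` data it protects, so a disk failure or a compromise of lud loses both copies at once; at minimum the backup service deserves a comment such as `;; Local-only repository: not a disaster-recovery copy, replicate /var/backups/git off-box.`, and ideally a second repository on another host. The backup is scheduled at `0 3 * * *` and the cleanup at `0 4 * * *` with nothing tying them together, so a backup of /srv/git that takes longer than an hour overlaps the prune; restic's repository lock should make one of them fail rather than corrupt the repo, but that cleanup run would then be silently skipped (hedged, as the restic service's retry behaviour is not visible here). `(keep-monthly -1)` presumably means keep all monthly snapshots; a one-line comment saying so would save the next reader a trip to the restic docs. The password file `/etc/restic/lud-git` is written by the `git-secrets` service declared just below, and whether the backup job waits for that file to exist on first boot is not visible in this hunk.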
@@ -211,12 +244,18 @@ innodb_io_capacity = 4000
(comment "Syncthing service")
(group "syncthing")
(home-directory "/var/data/syncthing"))
+ (user-account
+ (system? #t)
+ (name "git")
+ (comment "Git hosting service")
+ (group "git")
+ (home-directory "/srv/git"))
%server-base-user-accounts))
+ ;; Groups are NOT implict from the user-accounts that mention them.
(groups
- (cons* (user-group ; This is NOT implict from the "syncthing" user.
- (system? #t)
- (name "syncthing"))
+ (cons* (user-group (system? #t) (name "syncthing"))
+ (user-group (system? #t) (name "git"))
%base-groups))
;; Use the UEFI variant of GRUB with the EFI System Partition mounted