From 5ddf8241ec2eb8faed264781fedc927e62a3c20d Mon Sep 17 00:00:00 2001 From: Timo Wilken Date: Thu, 20 Apr 2023 23:39:07 +0200 Subject: Draft of restic server deployment --- tw/services/restic.scm | 3 ++- tw/system.scm | 14 +++++++++----- tw/system/vin.scm | 15 ++++++++++++++- 3 files changed, 25 insertions(+), 7 deletions(-) diff --git a/tw/services/restic.scm b/tw/services/restic.scm index 637c7104..c0c09552 100644 --- a/tw/services/restic.scm +++ b/tw/services/restic.scm @@ -22,7 +22,8 @@ using @code{htpasswd-file}.") (restic-server (package restic-rest-server) "The restic REST server package to use.") (bind-address (string ":8000") "The listen address (including port) to bind to.") (htpasswd-file (maybe-string #f) "Location of @code{.htpasswd} file -(default: @code{REPOSITORY-PATH/.htpasswd}).") +(default: @code{REPOSITORY-PATH/.htpasswd}). Use @code{htpasswd} from the +@code{httpd} package to create and/or update this file.") (auth? (boolean #t) "Whether to authenticate users at all (using .htpasswd).") (verify-upload? (boolean #t) "Whether to verify the integrity of uploaded data. @emph{Do not disable} unless the restic server is to be run on a very diff --git a/tw/system.scm b/tw/system.scm index c9904e24..0b738038 100644 --- a/tw/system.scm +++ b/tw/system.scm @@ -43,6 +43,14 @@ ("vin.twilken.net" . 22022) ("pi3.twilken.net" . 51022))) +(export server-wireguard-address) +(define* (server-wireguard-address host-name #:optional (port "")) + (string-replace-substring + (car ; get the IPv4 address + (wireguard-peer-allowed-ips + (assoc-ref %wireguard-peers host-name))) + "/32" port)) + (define-public (server-base-services host-name) (cons* ;; SSH login, allowing access only for me. To give more public keys 
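Review bot: The sentence added to the `htpasswd-file` docstring names the tool but not the hash format, and `htpasswd` run without options writes the MD5-based apr1 format. Since this file guards access to the backup repositories, the text could recommend bcrypt explicitly, e.g. `Use @code{htpasswd -B} from the @code{httpd} package to create and/or update this file.` Which formats rest-server accepts should be confirmed against its documentation before settling the wording. The enclosing configuration definition starts and ends outside the hunk.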
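Review bot: `server-wireguard-address` in tw/system.scm has no docstring and silently depends on the shape of `%wireguard-peers`: `assoc-ref` returns `#f` for an unknown `host-name`, and the port is only appended if the first allowed-ips entry contains `/32`. Because this value now decides which address services listen on, an unexpected entry (a different prefix length, or an IPv6 address listed first) would yield a string without the port rather than a clear error at build time. Consider a docstring such as `"Return HOST-NAME's WireGuard IPv4 address with PORT (e.g. \":9100\") appended."` and a guard like `(or (assoc-ref %wireguard-peers host-name) (error "no WireGuard peer for host" host-name))`. A `string-suffix?` check for `"/32"` before substituting would cover the second case.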
@@ -61,11 +69,7 @@ (service prometheus-node-exporter-service-type (prometheus-node-exporter-configuration (web-listen-address - (string-replace-substring - (car ; get the IPv4 address - (wireguard-peer-allowed-ips - (assoc-ref %wireguard-peers host-name))) - "/32" ":9100")))) + (server-wireguard-address host-name ":9100")))) (simple-service 'disk-maintenance mcron-service-type (list #~(job "0 2 * * *" "guix gc -d 2w") diff --git a/tw/system/vin.scm b/tw/system/vin.scm index e8baec57..e74d0df6 100644 --- a/tw/system/vin.scm +++ b/tw/system/vin.scm @@ -4,6 +4,7 @@ #:use-module (gnu system locale) #:use-module (gnu system nss) #:use-module (guix gexp) + #:use-module (tw services restic) #:use-module (tw system)) ;; The device's BIOS does not support UEFI, sadly. It also doesn't recognise @@ -40,7 +41,19 @@ ;; Below is the list of system services. To search for available ;; services, run 'guix system search KEYWORD' in a terminal. - (services (server-base-services host-name)) + (services + (cons* + (service restic-server-service-type + (restic-server-configuration + (repository-path "/var/backups/restic") + (bind-address + (server-wireguard-address host-name ":8181")) + (append-only? #t) ; run cleanup jobs separately, using plain restic + (private-repos-only? #t) ; require /user/ path prefix + (prometheus? #t) + (prometheus-auth? #f))) + + (server-base-services host-name))) ;; The list of user accounts ('root' is implicit). (users %server-base-user-accounts) -- cgit v1.2.3
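Review bot: With `(prometheus-auth? #f)` in tw/system/vin.scm the metrics endpoint on `:8181` is served without credentials, and nothing in this hunk configures TLS, so both the metrics and the HTTP basic-auth exchange rely entirely on the WireGuard tunnel for protection. That is a reasonable design when the listener is bound to the WireGuard address, but the assumption should be recorded next to the setting, e.g. `(prometheus-auth? #f) ; metrics unauthenticated: reachable over WireGuard only`. It is also worth checking that the service only starts once the WireGuard interface is up, since binding to that address would presumably fail otherwise; the service definition is not visible in this hunk.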