{ ... }:

{
  services.restic.server = {
    enable = true;
    privateRepos = true;
    dataDir = "/mnt/clerie-backup/cyan";
    listenAddress = "[::1]:43242";
  };

  # restic rest server does not support --htpasswd-file in the current version of nixpkgs
  # until then we copy the secrets to the common location
  sops.secrets.restic-server-cyan-htpasswd = {
    path = "/mnt/clerie-backup/cyan/.htpasswd";
    owner = "restic";
    group = "restic";
  };

  services.nginx.virtualHosts."cyan.backup.clerie.de" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://[::1]:43242/";
      extraConfig = ''
        client_max_body_size 10G;
      '';
    };
  };
}