# NixOS module: restic REST server used as a backup target.
# The server is reachable only over the WireGuard interface named below;
# HTTP basic-auth credentials come from a sops-managed htpasswd file.
{ ... }:

{
  services.restic.server = {
    enable = true;

    # Repositories live under this directory.
    dataDir = "/data/backup";

    # "[::]" is the wildcard address, so the listener is not bound to the
    # WireGuard interface alone. Reachability is limited by the firewall rule
    # at the bottom of this file, which assumes the NixOS firewall is enabled.
    # NOTE(review): no TLS is configured in this file, so basic-auth
    # credentials are protected in transit only by the WireGuard tunnel.
    listenAddress = "[::]:43242";

    # Each authenticated user may only access repositories under a path that
    # matches their user name.
    privateRepos = true;

    # NOTE(review): appendOnly is not set. If clients never need to prune or
    # forget snapshots through this server, enabling it would stop a
    # compromised client from deleting existing backups. Confirm against the
    # retention workflow before changing.
  };

  # The rest-server in nixpkgs at the time of writing does not support
  # --htpasswd-file, so until it does the secret is placed at the default
  # location inside dataDir. Keep `path` in sync with dataDir above.
  # No `mode` is set here, so the sops-nix default applies; owner and group
  # are the service account so rest-server can read the file.
  sops.secrets."restic-server-backup-htpasswd" = {
    owner = "restic";
    group = "restic";
    path = "/data/backup/.htpasswd";
  };

  # Open the server port on the WireGuard interface only. The port must match
  # the one in listenAddress above; the two values are not linked.
  networking.firewall.interfaces."wg-b-palladium" = {
    allowedTCPPorts = [ 43242 ];
  };
}