Resolved files.nix merge conflict

backup/restic.nix

@@ -3,33 +3,30 @@ let
   cfg = config.services.userdata;
 in
 {
-  services.restic.backups = {
-    options = {
-      passwordFile = "/etc/restic/resticPasswd";
-      repository = "s3:s3.anazonaws.com/${cfg.backblaze.bucket}";
-      initialize = true;
-      paths = [
-        "/var/dkim"
-        "/var/vmail"
-      ];
-      timerConfig = {
-        OnCalendar = [ "daily" ];
+
+  systemd = {
+    services = {
+      "restic-backup" = {
+        description = "Userdata restic backup trigger";
+        serviceConfig = {
+          Type = "simple";
+          User = "restic";
+          ExecStart = "${pkgs.restic}/bin/restic -o rclone.args="serve restic --stdio" -r rclone:backblaze:${cfg.backblaze.bucket}:/sfbackup --verbose --json backup /var";
+        };
+      };
+    };
+    timers = {
+      "restic-scheduled-backup" = {
+        wantedBy = [ "timers.target" ];
+        partOf = [ "restic-backup.service" ];
+        timerConfig = {
+          OnCalendar = "daily";
+        };
       };
-      user = "restic";
-      pruneOpts = [
-        "--keep-daily 5"
-      ];
     };
   };
   users.users.restic = {
     isNormalUser = false;
     isSystemUser = true;
   };
-  environment.etc."restic/resticPasswd".text = ''
-    ${cfg.resticPassword}
-  '';
-  environment.etc."restic/s3Passwd".text = ''
-    AWS_ACCESS_KEY_ID=${cfg.backblaze.accountId}
-    AWS_SECRET_ACCESS_KEY=${cfg.backblaze.accountKey}
-  '';
 }

files.nix

@@ -14,17 +14,24 @@ in
         CLOUDFLARE_DNS_API_TOKEN=${cfg.cloudflare.apiKey}
         CLOUDFLARE_ZONE_API_TOKEN=${cfg.cloudflare.apiKey}
       '';
+      rcloneConfig = builtins.replaceStrings [ "\n" "\"" "\\" ] [ "\\n" "\\\"" "\\\\" ] ''
+        [backblaze]
+        type = b2
+        account = ${cfg.backblaze.accountId}
+        key = ${cfg.backblaze.accountKey}
+      '';
     in
     [
-      "d /var/restic 0660 restic - - -"
-      "d /var/bitwarden 0777 bitwarden_rs bitwarden_rs -"
-      "d /var/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -"
-      "d /var/lib/pleroma 0600 pleroma pleroma - -"
-      "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -"
-      "f /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
-      "f /var/restic/restic-repo-password 0660 restic - - ${resticPass}"
-      "f /var/nextcloud-db-pass 0440 nextcloud nextcloud - ${nextcloudDBPass}"
-      "f /var/nextcloud-admin-pass 0440 nextcloud nextcloud - ${nextcloudAdminPass}"
-      "f /var/cloudflareCredentials.ini 0440 nginx acmerecievers - ${cloudflareCredentials}"
+      (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 bitwarden_rs bitwarden_rs -" else "")
+      (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -" else "")
+      (if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
+      "d /var/lib/restic 0600 restic - - -"
+      "f+ /var/lib/restic/pass 0400 restic - - ${resticPass}"
+      "f+ /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
+      (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
+      "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
+      (if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/db-pass 0440 nextcloud nextcloud - ${nextcloudDBPass}" else "")
+      (if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/admin-pass 0440 nextcloud nextcloud - ${nextcloudAdminPass}" else "")
+      "f+ /var/lib/cloudflare/Credentials.ini 0440 nginx acmerecievers - ${cloudflareCredentials}"
     ];
-}
+}

webserver/nginx.nix

@@ -1,4 +1,4 @@
-{ pkgs, config, ... }:
+{ pkgs, config, lib, ... }:
 let
   domain = config.services.userdata.domain;
 in
@@ -11,6 +11,7 @@ in
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
     clientMaxBodySize = "1024m";
+    sslProtocols = lib.mkForce "TLSv1.2 TLSv1.3";
 
     virtualHosts = {
       "${domain}" = {