weilite/{restic,ocis}: add

machines/weilite/services/cloudflared.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+  services.cloudflared = {
+    enable = true;
+    tunnels =
+      {
+      };
+  };
+}

machines/weilite/services/ocis.nix

@@ -1,36 +1,35 @@
 { config, pkgs, ... }:
 {
-  sops = {
-    secrets = {
-      "ocis/env" = {
-        sopsFile = ../secrets.yaml;
-      };
-    };
-  };
-
   services.ocis = {
     enable = true;
-    package = pkgs.ocis-bin;
+    package = pkgs.ocis;
     stateDir = "/var/lib/ocis";
     url = "https://drive.xinyang.life:8443";
     address = "127.0.0.1";
     port = 9200;
+    configDir = "/var/lib/ocis/config";
     environment = {
       OCIS_INSECURE = "false";
-      OCIS_LOG_LEVEL = "trace";
+      PROXY_TLS = "false";
+      OCIS_LOG_LEVEL = "debug";
       OCIS_LOG_PRETTY = "true";
-      # For reverse proxy. Disable tls.
-      OCIS_PROXY_TLS = "false";
-      WEB_OIDC_CLIENT_ID = "owncloud";
-      WEB_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud";
+      PROXY_AUTOPROVISION_ACCOUNTS = "true";
+      PROXY_USER_OIDC_CLAIM = "preferred_username";
+      PROXY_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud";
+      PROXY_OIDC_REWRITE_WELLKNOWN = "false";
+      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none";
       OCIS_EXCLUDE_RUN_SERVICES = "idp";
-      PROXY_OIDC_REWRITE_WELLKNOWN = "true";
+      WEB_HTTP_ADDR = "127.0.0.1:12345";
+      WEB_OIDC_METADATA_URL = "https://auth.xinyang.life/oauth2/openid/owncloud/.well-known/openid-configuration";
+      WEB_OIDC_AUTHORITY = "https://auth.xinyang.life/oauth2/openid/owncloud";
+      WEB_OIDC_CLIENT_ID = "owncloud";
     };
+    # environmentFile = config.sops.secrets."ocis/env".path;
   };
 
-  networking.allowedTCPPorts = [ 8443 ];
-
+  networking.firewall.allowedTCPPorts = [ 8443 ];
   services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = ''
-    reverse_proxy ${config.services.ocis.address}:${config.services.ocis.address}
+    redir /.well-known/openid-configuration https://auth.xinyang.life/oauth2/openid/owncloud-android/.well-known/openid-configuration permanent
+    reverse_proxy ${config.services.ocis.address}:${toString config.services.ocis.port}
   '';
 }

machines/weilite/services/restic.nix

@@ -1,16 +1,43 @@
 { config, ... }:
+let
+  mkPrune = user: host: {
+    name = "${user}-${host}-prune";
+    value = {
+      user = "restic";
+      repository = "/var/lib/restic/${user}/${host}";
+      passwordFile = "/var/lib/restic/localpass";
+      timerConfig = {
+        OnCalendar = "02:05";
+        RandomizedDelaySec = "1h";
+      };
+      pruneOpts = [
+        "--keep-daily 7"
+        "--keep-weekly 5"
+        "--keep-monthly 12"
+        "--keep-yearly 75"
+      ];
+    };
+
+  };
+in
 {
   services.restic.server = {
     enable = true;
     dataDir = "/var/lib/restic";
     listenAddress = "127.0.0.1:19573";
-    privateRepos = "true";
+    privateRepos = true;
     extraFlags = [
       "--append-only"
+      "--prometheus-no-auth"
     ];
   };
 
-  networking.allowedTCPPorts = [ 8443 ];
+  services.restic.backups = builtins.listToAttrs [
+    (mkPrune "xin" "calcite")
+    (mkPrune "xin" "massicot")
+  ];
+
+  networking.firewall.allowedTCPPorts = [ 8443 ];
 
   services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = ''
     reverse_proxy ${config.services.restic.server.listenAddress}