nixos/restic-rest-server: add htpasswd-file setting

in the restic rest-server, you can set the file to use in place of
$datadir/.htpasswd with the --htpasswd-file option. However, this was
unusable from the module with extraConfig, due to systemd hardening.
Adding a dedicated option fixes this.

Author: gabevenberg

nixos/modules/services/backup/restic-rest-server.nix

@@ -36,6 +36,12 @@ in
       '';
     };
 
+    htpasswd-file = lib.mkOption {
+      default = null;
+      type = lib.types.nullOr lib.types.path;
+      description = "The path to the servers .htpasswd file. Defaults to {dataDir}/htpasswd.";
+    };
+
     privateRepos = lib.mkOption {
       default = false;
       type = lib.types.bool;
@@ -84,6 +90,7 @@ in
         ExecStart = ''
           ${cfg.package}/bin/rest-server \
           --path ${cfg.dataDir} \
+          --htpasswd-file ${cfg.htpasswd-file} \
           ${lib.optionalString cfg.appendOnly "--append-only"} \
           ${lib.optionalString cfg.privateRepos "--private-repos"} \
           ${lib.optionalString cfg.prometheus "--prometheus"} \
@@ -112,6 +119,7 @@ in
         ProtectControlGroups = true;
         PrivateDevices = true;
         ReadWritePaths = [ cfg.dataDir ];
+        ReadOnlyPaths = [ cfg.htpasswd-file ];
         RemoveIPC = true;
         RestrictAddressFamilies = "none";
         RestrictNamespaces = true;