From 07e68b9fe754bc427e837bd8f78dae72061d96f7 Mon Sep 17 00:00:00 2001
From: tvories <taylor@tmtech.me>
Date: Thu, 18 Dec 2025 23:52:59 -0700
Subject: [PATCH 1/5] feat: add support for a cacert configuration as well as
 allowing the user to skip tls validation

---
 .../repository-forms/rest-repository-form.tsx | 39 +++++++++++++++++++
 app/client/modules/repositories/tabs/info.tsx | 24 ++++++++++++
 app/schemas/restic.ts                         |  2 +
 .../repositories/repositories.service.ts      |  3 ++
 app/server/utils/restic.ts                    | 17 ++++++++
 5 files changed, 85 insertions(+)

diff --git a/app/client/modules/repositories/components/repository-forms/rest-repository-form.tsx b/app/client/modules/repositories/components/repository-forms/rest-repository-form.tsx
index 401b099c..e99e44ef 100644
--- a/app/client/modules/repositories/components/repository-forms/rest-repository-form.tsx
+++ b/app/client/modules/repositories/components/repository-forms/rest-repository-form.tsx
@@ -9,6 +9,8 @@ import {
 } from "../../../../components/ui/form";
 import { Input } from "../../../../components/ui/input";
 import { SecretInput } from "../../../../components/ui/secret-input";
+import { Textarea } from "../../../../components/ui/textarea";
+import { Checkbox } from "../../../../components/ui/checkbox";
 import type { RepositoryFormValues } from "../create-repository-form";
 
 type Props = {
@@ -74,6 +76,43 @@ export const RestRepositoryForm = ({ form }: Props) => {
 					</FormItem>
 				)}
 			/>
+			<FormField
+				control={form.control}
+				name="cacert"
+				render={({ field }) => (
+					<FormItem>
+						<FormLabel>CA Certificate (Optional)</FormLabel>
+						<FormControl>
+							<Textarea
+								placeholder="-----BEGIN CERTIFICATE-----&#10;...&#10;-----END CERTIFICATE-----"
+								rows={6}
+								{...field}
+							/>
+						</FormControl>
+						<FormDescription>
+							Custom CA certificate for self-signed certificates (PEM format). https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html#rest-server
+						</FormDescription>
+						<FormMessage />
+					</FormItem>
+				)}
+			/>
+			<FormField
+				control={form.control}
+				name="insecureTls"
+				render={({ field }) => (
+					<FormItem className="flex flex-row items-start space-x-3 space-y-0 rounded-md border p-4">
+						<FormControl>
+							<Checkbox checked={field.value ?? false} onCheckedChange={field.onChange} />
+						</FormControl>
+						<div className="space-y-1 leading-none">
+							<FormLabel>Skip TLS Certificate Verification</FormLabel>
+							<FormDescription>
+								Disable TLS certificate verification. This is insecure and should only be used for testing. To trust a self-signed certificate without skipping verification, paste the CA certificate in the CA Certificate field.
+							</FormDescription>
+						</div>
+					</FormItem>
+				)}
+			/>
 		</>
 	);
 };
diff --git a/app/client/modules/repositories/tabs/info.tsx b/app/client/modules/repositories/tabs/info.tsx
index 64d641b9..c5b6697b 100644
--- a/app/client/modules/repositories/tabs/info.tsx
+++ b/app/client/modules/repositories/tabs/info.tsx
@@ -116,6 +116,30 @@ export const RepositoryInfoTabContent = ({ repository }: Props) => {
 									{repository.lastChecked ? new Date(repository.lastChecked).toLocaleString() : "Never"}
 								</p>
 							</div>
+							{repository.type === "rest" && (
+								<>
+									<div>
+										<div className="text-sm font-medium text-muted-foreground">CA Certificate</div>
+										<p className="mt-1 text-sm">
+											{repository.config.cacert ? (
+												<span className="text-green-500">configured</span>
+											) : (
+												<span className="text-muted-foreground">not configured</span>
+											)}
+										</p>
+									</div>
+									<div>
+										<div className="text-sm font-medium text-muted-foreground">TLS Certificate Validation</div>
+										<p className="mt-1 text-sm">
+											{repository.config.insecureTls ? (
+												<span className="text-red-500">disabled</span>
+											) : (
+												<span className="text-green-500">enabled</span>
+											)}
+										</p>
+									</div>
+								</>
+							)}
 						</div>
 					</div>
 
diff --git a/app/schemas/restic.ts b/app/schemas/restic.ts
index 0ae46710..1b41a5a7 100644
--- a/app/schemas/restic.ts
+++ b/app/schemas/restic.ts
@@ -68,6 +68,8 @@ export const restRepositoryConfigSchema = type({
 	username: "string?",
 	password: "string?",
 	path: "string?",
+	cacert: "string?",
+	insecureTls: "boolean?",
 }).and(baseRepositoryConfigSchema);
 
 export const sftpRepositoryConfigSchema = type({
diff --git a/app/server/modules/repositories/repositories.service.ts b/app/server/modules/repositories/repositories.service.ts
index cdd8bb1d..01b1983a 100644
--- a/app/server/modules/repositories/repositories.service.ts
+++ b/app/server/modules/repositories/repositories.service.ts
@@ -53,6 +53,9 @@ const encryptConfig = async (config: RepositoryConfig): Promise<RepositoryConfig
 			if (config.password) {
 				encryptedConfig.password = await cryptoUtils.sealSecret(config.password);
 			}
+			if (config.cacert) {
+				encryptedConfig.cacert = await cryptoUtils.sealSecret(config.cacert);
+			}
 			break;
 		case "sftp":
 			encryptedConfig.privateKey = await cryptoUtils.sealSecret(config.privateKey);
diff --git a/app/server/utils/restic.ts b/app/server/utils/restic.ts
index a4880431..8768c162 100644
--- a/app/server/utils/restic.ts
+++ b/app/server/utils/restic.ts
@@ -155,6 +155,15 @@ export const buildEnv = async (config: RepositoryConfig) => {
 			if (config.password) {
 				env.RESTIC_REST_PASSWORD = await cryptoUtils.resolveSecret(config.password);
 			}
+			if (config.cacert) {
+				const decryptedCert = await cryptoUtils.resolveSecret(config.cacert);
+				const certPath = path.join("/tmp", `rest-server-cacert-${crypto.randomBytes(8).toString("hex")}.pem`);
+				await fs.writeFile(certPath, decryptedCert, { mode: 0o600 });
+				env.RESTIC_CACERT = certPath;
+			}
+			if (config.insecureTls) {
+				env._REST_INSECURE_TLS = "true";
+			}
 			break;
 		}
 		case "sftp": {
@@ -876,6 +885,10 @@ export const cleanupTemporaryKeys = async (config: RepositoryConfig, env: Record
 	} else if (config.backend === "gcs" && env.GOOGLE_APPLICATION_CREDENTIALS) {
 		await fs.unlink(env.GOOGLE_APPLICATION_CREDENTIALS).catch(() => {});
 	}
+
+	if (config.backend === "rest" && env.RESTIC_CACERT) {
+		await fs.unlink(env.RESTIC_CACERT).catch(() => {});
+	}
 };
 
 export const addCommonArgs = (args: string[], env: Record<string, string>) => {
@@ -884,6 +897,10 @@ export const addCommonArgs = (args: string[], env: Record<string, string>) => {
 	if (env._SFTP_SSH_ARGS) {
 		args.push("-o", `sftp.args=${env._SFTP_SSH_ARGS}`);
 	}
+
+	if (env._REST_INSECURE_TLS === "true") {
+		args.push("--insecure-tls");
+	}
 };
 
 export const restic = {

From e78af76beb2178f0a7c089400a4dbf59f398e7ec Mon Sep 17 00:00:00 2001
From: tvories <taylor@tmtech.me>
Date: Fri, 19 Dec 2025 17:29:05 -0700
Subject: [PATCH 2/5] feat: added additional validation, moved field location,
 made skip tls and ca certificate mutually exclusive with tooltips

---
 .../components/create-repository-form.tsx     |   1 +
 .../repository-forms/rest-repository-form.tsx | 185 ++++++++++++++----
 app/schemas/restic.ts                         |  42 +++-
 3 files changed, 190 insertions(+), 38 deletions(-)

diff --git a/app/client/modules/repositories/components/create-repository-form.tsx b/app/client/modules/repositories/components/create-repository-form.tsx
index 08fa6e0b..01a2d270 100644
--- a/app/client/modules/repositories/components/create-repository-form.tsx
+++ b/app/client/modules/repositories/components/create-repository-form.tsx
@@ -72,6 +72,7 @@ export const CreateRepositoryForm = ({
 	const form = useForm<RepositoryFormValues>({
 		resolver: arktypeResolver(cleanSchema as unknown as typeof formSchema),
 		defaultValues: initialValues,
+		mode: "onTouched",
 		resetOptions: {
 			keepDefaultValues: true,
 			keepDirtyValues: false,
diff --git a/app/client/modules/repositories/components/repository-forms/rest-repository-form.tsx b/app/client/modules/repositories/components/repository-forms/rest-repository-form.tsx
index e99e44ef..d0ff8395 100644
--- a/app/client/modules/repositories/components/repository-forms/rest-repository-form.tsx
+++ b/app/client/modules/repositories/components/repository-forms/rest-repository-form.tsx
@@ -1,3 +1,4 @@
+import { useState, useRef } from "react";
 import type { UseFormReturn } from "react-hook-form";
 import {
 	FormControl,
@@ -11,6 +12,7 @@ import { Input } from "../../../../components/ui/input";
 import { SecretInput } from "../../../../components/ui/secret-input";
 import { Textarea } from "../../../../components/ui/textarea";
 import { Checkbox } from "../../../../components/ui/checkbox";
+import { Tooltip, TooltipContent, TooltipTrigger } from "../../../../components/ui/tooltip";
 import type { RepositoryFormValues } from "../create-repository-form";
 
 type Props = {
@@ -18,6 +20,13 @@ type Props = {
 };
 
 export const RestRepositoryForm = ({ form }: Props) => {
+	const insecureTls = form.watch("insecureTls");
+	const cacert = form.watch("cacert");
+	const [showCertTooltip, setShowCertTooltip] = useState(false);
+	const [tooltipPos, setTooltipPos] = useState({ x: 0, y: 0 });
+	const tooltipTimeoutRef = useRef<NodeJS.Timeout | null>(null);
+	const tooltipHideTimeoutRef = useRef<NodeJS.Timeout | null>(null);
+
 	return (
 		<>
 			<FormField
@@ -34,6 +43,145 @@ export const RestRepositoryForm = ({ form }: Props) => {
 					</FormItem>
 				)}
 			/>
+			<FormField
+				control={form.control}
+				name="insecureTls"
+				render={({ field }) => (
+					<FormItem className="flex flex-row items-start space-x-3 space-y-0 rounded-md border p-4">
+						<FormControl>
+							<Tooltip delayDuration={500}>
+								<TooltipTrigger asChild>
+									<div>
+										<Checkbox
+											checked={field.value ?? false}
+											disabled={!!cacert}
+											onCheckedChange={(checked) => {
+												field.onChange(checked);
+												if (checked) {
+													form.setValue("cacert", "");
+												}
+											}}
+										/>
+									</div>
+								</TooltipTrigger>
+								{cacert && (
+									<TooltipContent>
+										<p className="max-w-xs">
+											This option is disabled because a CA certificate is provided. Remove the CA certificate to skip
+											TLS validation instead.
+										</p>
+									</TooltipContent>
+								)}
+							</Tooltip>
+						</FormControl>
+						<div className="space-y-1 leading-none">
+							<FormLabel>Skip TLS Certificate Verification</FormLabel>
+							<FormDescription>
+								Disable TLS certificate verification if rest server is https and uses a self-signed certificate. This is
+								insecure and should only be used for testing.
+							</FormDescription>
+						</div>
+					</FormItem>
+				)}
+			/>
+			<FormField
+				control={form.control}
+				name="cacert"
+				render={({ field }) => (
+					<FormItem>
+						<FormLabel>CA Certificate (Optional)</FormLabel>
+						<FormControl>
+							<div className="relative">
+								<Textarea
+									placeholder="-----BEGIN CERTIFICATE-----&#10;...&#10;-----END CERTIFICATE-----"
+									rows={6}
+									disabled={insecureTls}
+									{...field}
+									value={insecureTls ? "" : field.value}
+									onChange={(e) => {
+										field.onChange(e);
+										if (e.target.value) {
+											form.setValue("insecureTls", false);
+										}
+									}}
+									onPointerEnter={(e) => {
+										if (insecureTls && !showCertTooltip) {
+											const rect = e.currentTarget.getBoundingClientRect();
+											setTooltipPos({
+												x: e.clientX - rect.left,
+												y: e.clientY - rect.top,
+											});
+
+											// Clear any existing timeout
+											if (tooltipTimeoutRef.current) {
+												clearTimeout(tooltipTimeoutRef.current);
+											}
+
+											// Set new timeout to show tooltip after 500ms
+											tooltipTimeoutRef.current = setTimeout(() => {
+												setShowCertTooltip(true);
+											}, 500);
+										}
+									}}
+									onPointerMove={(e) => {
+										if (insecureTls && !showCertTooltip) {
+											const rect = e.currentTarget.getBoundingClientRect();
+											setTooltipPos({
+												x: e.clientX - rect.left,
+												y: e.clientY - rect.top,
+											});
+										}
+									}}
+									onPointerLeave={() => {
+										// Clear show timeout if still waiting
+										if (tooltipTimeoutRef.current) {
+											clearTimeout(tooltipTimeoutRef.current);
+											tooltipTimeoutRef.current = null;
+										}
+
+										// Clear any existing hide timeout
+										if (tooltipHideTimeoutRef.current) {
+											clearTimeout(tooltipHideTimeoutRef.current);
+										}
+
+										// Set timeout to hide tooltip after 500ms
+										tooltipHideTimeoutRef.current = setTimeout(() => {
+											setShowCertTooltip(false);
+										}, 500);
+									}}
+								/>
+								{insecureTls && showCertTooltip && (
+									<div
+										className="pointer-events-none absolute z-50 rounded-md bg-foreground px-3 py-1.5 text-xs text-background shadow-md"
+										style={{
+											left: `${tooltipPos.x}px`,
+											top: `${tooltipPos.y - 40}px`,
+											transform: "translateX(-50%)",
+										}}
+									>
+										<p className="max-w-xs text-balance">
+											CA certificate is disabled because TLS validation is being skipped. Uncheck "Skip TLS Certificate
+											Verification" to provide a custom CA certificate.
+										</p>
+									</div>
+								)}
+							</div>
+						</FormControl>
+						<FormDescription>
+							Custom CA certificate for self-signed certificates (PEM format).{" "}
+							<a
+								href="https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html#rest-server"
+								target="_blank"
+								rel="noopener noreferrer"
+								className="text-primary hover:underline"
+							>
+								Learn more
+							</a>
+						</FormDescription>
+						<FormMessage />
+					</FormItem>
+				)}
+			/>
 			<FormField
 				control={form.control}
 				name="path"
@@ -76,43 +224,6 @@ export const RestRepositoryForm = ({ form }: Props) => {
 					</FormItem>
 				)}
 			/>
-			<FormField
-				control={form.control}
-				name="cacert"
-				render={({ field }) => (
-					<FormItem>
-						<FormLabel>CA Certificate (Optional)</FormLabel>
-						<FormControl>
-							<Textarea
-								placeholder="-----BEGIN CERTIFICATE-----&#10;...&#10;-----END CERTIFICATE-----"
-								rows={6}
-								{...field}
-							/>
-						</FormControl>
-						<FormDescription>
-							Custom CA certificate for self-signed certificates (PEM format). https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html#rest-server
-						</FormDescription>
-						<FormMessage />
-					</FormItem>
-				)}
-			/>
-			<FormField
-				control={form.control}
-				name="insecureTls"
-				render={({ field }) => (
-					<FormItem className="flex flex-row items-start space-x-3 space-y-0 rounded-md border p-4">
-						<FormControl>
-							<Checkbox checked={field.value ?? false} onCheckedChange={field.onChange} />
-						</FormControl>
-						<div className="space-y-1 leading-none">
-							<FormLabel>Skip TLS Certificate Verification</FormLabel>
-							<FormDescription>
-								Disable TLS certificate verification. This is insecure and should only be used for testing. To trust a self-signed certificate without skipping verification, paste the CA certificate in the CA Certificate field.
-							</FormDescription>
-						</div>
-					</FormItem>
-				)}
-			/>
 		</>
 	);
 };
diff --git a/app/schemas/restic.ts b/app/schemas/restic.ts
index 1b41a5a7..96b692a8 100644
--- a/app/schemas/restic.ts
+++ b/app/schemas/restic.ts
@@ -62,13 +62,53 @@ export const rcloneRepositoryConfigSchema = type({
 	path: "string",
 }).and(baseRepositoryConfigSchema);
 
+const pemCertificateType = type("string").narrow((value, ctx) => {
+	if (!value || value.trim() === "") {
+		return true;
+	}
+
+	const trimmed = value.trim();
+
+	// Check for BEGIN and END markers
+	if (!trimmed.includes("-----BEGIN CERTIFICATE-----") || !trimmed.includes("-----END CERTIFICATE-----")) {
+		return ctx.error("Certificate must be in PEM format with BEGIN and END markers");
+	}
+
+	// Extract content between markers
+	const beginMarker = "-----BEGIN CERTIFICATE-----";
+	const endMarker = "-----END CERTIFICATE-----";
+	const beginIndex = trimmed.indexOf(beginMarker);
+	const endIndex = trimmed.indexOf(endMarker);
+
+	if (beginIndex === -1 || endIndex === -1 || endIndex <= beginIndex) {
+		return ctx.error("Invalid PEM certificate structure");
+	}
+
+	// Extract base64 content
+	const base64Content = trimmed.substring(beginIndex + beginMarker.length, endIndex).replace(/\s/g, "");
+
+	// Validate base64 format
+	const base64Regex = /^[A-Za-z0-9+/]*={0,2}$/;
+	if (!base64Regex.test(base64Content)) {
+		return ctx.error("Certificate contains invalid base64 characters");
+	}
+
+	if (base64Content.length === 0) {
+		return ctx.error("Certificate content is empty");
+	}
+
+	return true;
+});
+
+const optionalPemCertificate = pemCertificateType.optional();
+
 export const restRepositoryConfigSchema = type({
 	backend: "'rest'",
 	url: "string",
 	username: "string?",
 	password: "string?",
 	path: "string?",
-	cacert: "string?",
+	cacert: optionalPemCertificate as any,
 	insecureTls: "boolean?",
 }).and(baseRepositoryConfigSchema);
 

From 1a1243619501760cbbcc420a21618ee5ec4e9e5e Mon Sep 17 00:00:00 2001
From: tvories <taylor@tmtech.me>
Date: Sun, 21 Dec 2025 18:48:11 -0700
Subject: [PATCH 3/5] fix: add property existence checks before accessing
 repository config fields

---
 app/client/modules/repositories/tabs/info.tsx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/client/modules/repositories/tabs/info.tsx b/app/client/modules/repositories/tabs/info.tsx
index c5b6697b..ad980487 100644
--- a/app/client/modules/repositories/tabs/info.tsx
+++ b/app/client/modules/repositories/tabs/info.tsx
@@ -116,7 +116,7 @@ export const RepositoryInfoTabContent = ({ repository }: Props) => {
 									{repository.lastChecked ? new Date(repository.lastChecked).toLocaleString() : "Never"}
 								</p>
 							</div>
-							{repository.type === "rest" && (
+							{repository.type === "rest" && "cacert" in repository.config && (
 								<>
 									<div>
 										<div className="text-sm font-medium text-muted-foreground">CA Certificate</div>
@@ -131,7 +131,7 @@ export const RepositoryInfoTabContent = ({ repository }: Props) => {
 									<div>
 										<div className="text-sm font-medium text-muted-foreground">TLS Certificate Validation</div>
 										<p className="mt-1 text-sm">
-											{repository.config.insecureTls ? (
+											{"insecureTls" in repository.config && repository.config.insecureTls ? (
 												<span className="text-red-500">disabled</span>
 											) : (
 												<span className="text-green-500">enabled</span>

From 08a19ed38db2de1a096ce02bc1f586b195d59503 Mon Sep 17 00:00:00 2001
From: tvories <taylor@tmtech.me>
Date: Tue, 30 Dec 2025 15:07:22 -0700
Subject: [PATCH 4/5] fix: PR suggestions

---
 .../components/create-repository-form.tsx     |  1 -
 .../repository-forms/rest-repository-form.tsx | 99 +++++--------------
 app/schemas/restic.ts                         | 42 +-------
 app/server/utils/restic.ts                    |  2 +-
 4 files changed, 25 insertions(+), 119 deletions(-)

diff --git a/app/client/modules/repositories/components/create-repository-form.tsx b/app/client/modules/repositories/components/create-repository-form.tsx
index 01a2d270..08fa6e0b 100644
--- a/app/client/modules/repositories/components/create-repository-form.tsx
+++ b/app/client/modules/repositories/components/create-repository-form.tsx
@@ -72,7 +72,6 @@ export const CreateRepositoryForm = ({
 	const form = useForm<RepositoryFormValues>({
 		resolver: arktypeResolver(cleanSchema as unknown as typeof formSchema),
 		defaultValues: initialValues,
-		mode: "onTouched",
 		resetOptions: {
 			keepDefaultValues: true,
 			keepDirtyValues: false,
diff --git a/app/client/modules/repositories/components/repository-forms/rest-repository-form.tsx b/app/client/modules/repositories/components/repository-forms/rest-repository-form.tsx
index d0ff8395..4317f98d 100644
--- a/app/client/modules/repositories/components/repository-forms/rest-repository-form.tsx
+++ b/app/client/modules/repositories/components/repository-forms/rest-repository-form.tsx
@@ -1,4 +1,3 @@
-import { useState, useRef } from "react";
 import type { UseFormReturn } from "react-hook-form";
 import {
 	FormControl,
@@ -22,10 +21,6 @@ type Props = {
 export const RestRepositoryForm = ({ form }: Props) => {
 	const insecureTls = form.watch("insecureTls");
 	const cacert = form.watch("cacert");
-	const [showCertTooltip, setShowCertTooltip] = useState(false);
-	const [tooltipPos, setTooltipPos] = useState({ x: 0, y: 0 });
-	const tooltipTimeoutRef = useRef<NodeJS.Timeout | null>(null);
-	const tooltipHideTimeoutRef = useRef<NodeJS.Timeout | null>(null);
 
 	return (
 		<>
@@ -91,81 +86,33 @@ export const RestRepositoryForm = ({ form }: Props) => {
 					<FormItem>
 						<FormLabel>CA Certificate (Optional)</FormLabel>
 						<FormControl>
-							<div className="relative">
-								<Textarea
-									placeholder="-----BEGIN CERTIFICATE-----&#10;...&#10;-----END CERTIFICATE-----"
-									rows={6}
-									disabled={insecureTls}
-									{...field}
-									value={insecureTls ? "" : field.value}
-									onChange={(e) => {
-										field.onChange(e);
-										if (e.target.value) {
-											form.setValue("insecureTls", false);
-										}
-									}}
-									onPointerEnter={(e) => {
-										if (insecureTls && !showCertTooltip) {
-											const rect = e.currentTarget.getBoundingClientRect();
-											setTooltipPos({
-												x: e.clientX - rect.left,
-												y: e.clientY - rect.top,
-											});
-
-											// Clear any existing timeout
-											if (tooltipTimeoutRef.current) {
-												clearTimeout(tooltipTimeoutRef.current);
-											}
-
-											// Set new timeout to show tooltip after 500ms
-											tooltipTimeoutRef.current = setTimeout(() => {
-												setShowCertTooltip(true);
-											}, 500);
-										}
-									}}
-									onPointerMove={(e) => {
-										if (insecureTls && !showCertTooltip) {
-											const rect = e.currentTarget.getBoundingClientRect();
-											setTooltipPos({
-												x: e.clientX - rect.left,
-												y: e.clientY - rect.top,
-											});
-										}
-									}}
-									onPointerLeave={() => {
-										// Clear show timeout if still waiting
-										if (tooltipTimeoutRef.current) {
-											clearTimeout(tooltipTimeoutRef.current);
-											tooltipTimeoutRef.current = null;
-										}
-
-										// Clear any existing hide timeout
-										if (tooltipHideTimeoutRef.current) {
-											clearTimeout(tooltipHideTimeoutRef.current);
-										}
-
-										// Set timeout to hide tooltip after 500ms
-										tooltipHideTimeoutRef.current = setTimeout(() => {
-											setShowCertTooltip(false);
-										}, 500);
-									}}
-								/>
-								{insecureTls && showCertTooltip && (
-									<div
-										className="pointer-events-none absolute z-50 rounded-md bg-foreground px-3 py-1.5 text-xs text-background shadow-md"
-										style={{
-											left: `${tooltipPos.x}px`,
-											top: `${tooltipPos.y - 40}px`,
-											transform: "translateX(-50%)",
-										}}
-									>
-										<p className="max-w-xs text-balance">
+							<Tooltip delayDuration={500}>
+								<TooltipTrigger asChild>
+									<div>
+										<Textarea
+											placeholder="-----BEGIN CERTIFICATE-----&#10;...&#10;-----END CERTIFICATE-----"
+											rows={6}
+											disabled={insecureTls}
+											{...field}
+											value={insecureTls ? "" : field.value}
+											onChange={(e) => {
+												field.onChange(e);
+												if (e.target.value) {
+													form.setValue("insecureTls", false);
+												}
+											}}
+										/>
+									</div>
+								</TooltipTrigger>
+								{insecureTls && (
+									<TooltipContent>
+										<p className="max-w-xs">
 											CA certificate is disabled because TLS validation is being skipped. Uncheck "Skip TLS Certificate
 											Verification" to provide a custom CA certificate.
 										</p>
-									</div>
+									</TooltipContent>
 								)}
-							</div>
+							</Tooltip>
 						</FormControl>
 						<FormDescription>
 							Custom CA certificate for self-signed certificates (PEM format).{" "}
diff --git a/app/schemas/restic.ts b/app/schemas/restic.ts
index 96b692a8..1b41a5a7 100644
--- a/app/schemas/restic.ts
+++ b/app/schemas/restic.ts
@@ -62,53 +62,13 @@ export const rcloneRepositoryConfigSchema = type({
 	path: "string",
 }).and(baseRepositoryConfigSchema);
 
-const pemCertificateType = type("string").narrow((value, ctx) => {
-	if (!value || value.trim() === "") {
-		return true;
-	}
-
-	const trimmed = value.trim();
-
-	// Check for BEGIN and END markers
-	if (!trimmed.includes("-----BEGIN CERTIFICATE-----") || !trimmed.includes("-----END CERTIFICATE-----")) {
-		return ctx.error("Certificate must be in PEM format with BEGIN and END markers");
-	}
-
-	// Extract content between markers
-	const beginMarker = "-----BEGIN CERTIFICATE-----";
-	const endMarker = "-----END CERTIFICATE-----";
-	const beginIndex = trimmed.indexOf(beginMarker);
-	const endIndex = trimmed.indexOf(endMarker);
-
-	if (beginIndex === -1 || endIndex === -1 || endIndex <= beginIndex) {
-		return ctx.error("Invalid PEM certificate structure");
-	}
-
-	// Extract base64 content
-	const base64Content = trimmed.substring(beginIndex + beginMarker.length, endIndex).replace(/\s/g, "");
-
-	// Validate base64 format
-	const base64Regex = /^[A-Za-z0-9+/]*={0,2}$/;
-	if (!base64Regex.test(base64Content)) {
-		return ctx.error("Certificate contains invalid base64 characters");
-	}
-
-	if (base64Content.length === 0) {
-		return ctx.error("Certificate content is empty");
-	}
-
-	return true;
-});
-
-const optionalPemCertificate = pemCertificateType.optional();
-
 export const restRepositoryConfigSchema = type({
 	backend: "'rest'",
 	url: "string",
 	username: "string?",
 	password: "string?",
 	path: "string?",
-	cacert: optionalPemCertificate as any,
+	cacert: "string?",
 	insecureTls: "boolean?",
 }).and(baseRepositoryConfigSchema);
 
diff --git a/app/server/utils/restic.ts b/app/server/utils/restic.ts
index 8768c162..b7044c46 100644
--- a/app/server/utils/restic.ts
+++ b/app/server/utils/restic.ts
@@ -886,7 +886,7 @@ export const cleanupTemporaryKeys = async (config: RepositoryConfig, env: Record
 		await fs.unlink(env.GOOGLE_APPLICATION_CREDENTIALS).catch(() => {});
 	}
 
-	if (config.backend === "rest" && env.RESTIC_CACERT) {
+	if (env.RESTIC_CACERT) {
 		await fs.unlink(env.RESTIC_CACERT).catch(() => {});
 	}
 };

From e0027b7668bb9e62b6c70af8507843b3e7f36475 Mon Sep 17 00:00:00 2001
From: Nicolas Meienberger <github@thisprops.com>
Date: Fri, 2 Jan 2026 17:37:38 +0100
Subject: [PATCH 5/5] refactor: code style and api client

---
 app/client/api-client/types.gen.ts            | 26 +++++++++++
 .../repository-forms/rest-repository-form.tsx | 43 +++++++------------
 app/client/modules/repositories/tabs/info.tsx | 42 ++++++++----------
 app/server/utils/restic.ts                    | 29 +++++++------
 4 files changed, 76 insertions(+), 64 deletions(-)

diff --git a/app/client/api-client/types.gen.ts b/app/client/api-client/types.gen.ts
index 9146e070..44b2b3c5 100644
--- a/app/client/api-client/types.gen.ts
+++ b/app/client/api-client/types.gen.ts
@@ -838,7 +838,9 @@ export type ListRepositoriesResponses = {
         } | {
             backend: 'rest';
             url: string;
+            cacert?: string;
             customPassword?: string;
+            insecureTls?: boolean;
             isExistingRepository?: boolean;
             password?: string;
             path?: string;
@@ -917,7 +919,9 @@ export type CreateRepositoryData = {
         } | {
             backend: 'rest';
             url: string;
+            cacert?: string;
             customPassword?: string;
+            insecureTls?: boolean;
             isExistingRepository?: boolean;
             password?: string;
             path?: string;
@@ -1058,7 +1062,9 @@ export type GetRepositoryResponses = {
         } | {
             backend: 'rest';
             url: string;
+            cacert?: string;
             customPassword?: string;
+            insecureTls?: boolean;
             isExistingRepository?: boolean;
             password?: string;
             path?: string;
@@ -1164,7 +1170,9 @@ export type UpdateRepositoryResponses = {
         } | {
             backend: 'rest';
             url: string;
+            cacert?: string;
             customPassword?: string;
+            insecureTls?: boolean;
             isExistingRepository?: boolean;
             password?: string;
             path?: string;
@@ -1487,7 +1495,9 @@ export type ListBackupSchedulesResponses = {
             } | {
                 backend: 'rest';
                 url: string;
+                cacert?: string;
                 customPassword?: string;
+                insecureTls?: boolean;
                 isExistingRepository?: boolean;
                 password?: string;
                 path?: string;
@@ -1749,7 +1759,9 @@ export type GetBackupScheduleResponses = {
             } | {
                 backend: 'rest';
                 url: string;
+                cacert?: string;
                 customPassword?: string;
+                insecureTls?: boolean;
                 isExistingRepository?: boolean;
                 password?: string;
                 path?: string;
@@ -1992,7 +2004,9 @@ export type GetBackupScheduleForVolumeResponses = {
             } | {
                 backend: 'rest';
                 url: string;
+                cacert?: string;
                 customPassword?: string;
+                insecureTls?: boolean;
                 isExistingRepository?: boolean;
                 password?: string;
                 path?: string;
@@ -2211,6 +2225,7 @@ export type GetScheduleNotificationsResponses = {
                 priority: 'default' | 'high' | 'low' | 'max' | 'min';
                 topic: string;
                 type: 'ntfy';
+                accessToken?: string;
                 password?: string;
                 serverUrl?: string;
                 username?: string;
@@ -2310,6 +2325,7 @@ export type UpdateScheduleNotificationsResponses = {
                 priority: 'default' | 'high' | 'low' | 'max' | 'min';
                 topic: string;
                 type: 'ntfy';
+                accessToken?: string;
                 password?: string;
                 serverUrl?: string;
                 username?: string;
@@ -2420,7 +2436,9 @@ export type GetScheduleMirrorsResponses = {
             } | {
                 backend: 'rest';
                 url: string;
+                cacert?: string;
                 customPassword?: string;
+                insecureTls?: boolean;
                 isExistingRepository?: boolean;
                 password?: string;
                 path?: string;
@@ -2526,7 +2544,9 @@ export type UpdateScheduleMirrorsResponses = {
             } | {
                 backend: 'rest';
                 url: string;
+                cacert?: string;
                 customPassword?: string;
+                insecureTls?: boolean;
                 isExistingRepository?: boolean;
                 password?: string;
                 path?: string;
@@ -2646,6 +2666,7 @@ export type ListNotificationDestinationsResponses = {
             priority: 'default' | 'high' | 'low' | 'max' | 'min';
             topic: string;
             type: 'ntfy';
+            accessToken?: string;
             password?: string;
             serverUrl?: string;
             username?: string;
@@ -2716,6 +2737,7 @@ export type CreateNotificationDestinationData = {
             priority: 'default' | 'high' | 'low' | 'max' | 'min';
             topic: string;
             type: 'ntfy';
+            accessToken?: string;
             password?: string;
             serverUrl?: string;
             username?: string;
@@ -2785,6 +2807,7 @@ export type CreateNotificationDestinationResponses = {
             priority: 'default' | 'high' | 'low' | 'max' | 'min';
             topic: string;
             type: 'ntfy';
+            accessToken?: string;
             password?: string;
             serverUrl?: string;
             username?: string;
@@ -2901,6 +2924,7 @@ export type GetNotificationDestinationResponses = {
             priority: 'default' | 'high' | 'low' | 'max' | 'min';
             topic: string;
             type: 'ntfy';
+            accessToken?: string;
             password?: string;
             serverUrl?: string;
             username?: string;
@@ -2971,6 +2995,7 @@ export type UpdateNotificationDestinationData = {
             priority: 'default' | 'high' | 'low' | 'max' | 'min';
             topic: string;
             type: 'ntfy';
+            accessToken?: string;
             password?: string;
             serverUrl?: string;
             username?: string;
@@ -3050,6 +3075,7 @@ export type UpdateNotificationDestinationResponses = {
             priority: 'default' | 'high' | 'low' | 'max' | 'min';
             topic: string;
             type: 'ntfy';
+            accessToken?: string;
             password?: string;
             serverUrl?: string;
             username?: string;
diff --git a/app/client/modules/repositories/components/repository-forms/rest-repository-form.tsx b/app/client/modules/repositories/components/repository-forms/rest-repository-form.tsx
index 4317f98d..287519fb 100644
--- a/app/client/modules/repositories/components/repository-forms/rest-repository-form.tsx
+++ b/app/client/modules/repositories/components/repository-forms/rest-repository-form.tsx
@@ -13,6 +13,7 @@ import { Textarea } from "../../../../components/ui/textarea";
 import { Checkbox } from "../../../../components/ui/checkbox";
 import { Tooltip, TooltipContent, TooltipTrigger } from "../../../../components/ui/tooltip";
 import type { RepositoryFormValues } from "../create-repository-form";
+import { cn } from "~/client/lib/utils";
 
 type Props = {
 	form: UseFormReturn<RepositoryFormValues>;
@@ -52,25 +53,20 @@ export const RestRepositoryForm = ({ form }: Props) => {
 											disabled={!!cacert}
 											onCheckedChange={(checked) => {
 												field.onChange(checked);
-												if (checked) {
-													form.setValue("cacert", "");
-												}
 											}}
 										/>
 									</div>
 								</TooltipTrigger>
-								{cacert && (
-									<TooltipContent>
-										<p className="max-w-xs">
-											This option is disabled because a CA certificate is provided. Remove the CA certificate to skip
-											TLS validation instead.
-										</p>
-									</TooltipContent>
-								)}
+								<TooltipContent className={cn({ hidden: !cacert })}>
+									<p className="max-w-xs">
+										This option is disabled because a CA certificate is provided. Remove the CA certificate to skip TLS
+										validation instead.
+									</p>
+								</TooltipContent>
 							</Tooltip>
 						</FormControl>
 						<div className="space-y-1 leading-none">
-							<FormLabel>Skip TLS Certificate Verification</FormLabel>
+							<FormLabel>Skip TLS certificate verification</FormLabel>
 							<FormDescription>
 								Disable TLS certificate verification if rest server is https and uses a self-signed certificate. This is
 								insecure and should only be used for testing.
@@ -94,28 +90,19 @@ export const RestRepositoryForm = ({ form }: Props) => {
 											rows={6}
 											disabled={insecureTls}
 											{...field}
-											value={insecureTls ? "" : field.value}
-											onChange={(e) => {
-												field.onChange(e);
-												if (e.target.value) {
-													form.setValue("insecureTls", false);
-												}
-											}}
 										/>
 									</div>
 								</TooltipTrigger>
-								{insecureTls && (
-									<TooltipContent>
-										<p className="max-w-xs">
-											CA certificate is disabled because TLS validation is being skipped. Uncheck "Skip TLS Certificate
-											Verification" to provide a custom CA certificate.
-										</p>
-									</TooltipContent>
-								)}
+								<TooltipContent className={cn({ hidden: !insecureTls })}>
+									<p className="max-w-xs">
+										CA certificate is disabled because TLS validation is being skipped. Uncheck "Skip TLS Certificate
+										Verification" to provide a custom CA certificate.
+									</p>
+								</TooltipContent>
 							</Tooltip>
 						</FormControl>
 						<FormDescription>
-							Custom CA certificate for self-signed certificates (PEM format).{" "}
+							Custom CA certificate for self-signed certificates (PEM format).&nbsp;
 							<a
 								href="https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html#rest-server"
 								target="_blank"
diff --git a/app/client/modules/repositories/tabs/info.tsx b/app/client/modules/repositories/tabs/info.tsx
index ad980487..d819b5a9 100644
--- a/app/client/modules/repositories/tabs/info.tsx
+++ b/app/client/modules/repositories/tabs/info.tsx
@@ -116,29 +116,25 @@ export const RepositoryInfoTabContent = ({ repository }: Props) => {
 									{repository.lastChecked ? new Date(repository.lastChecked).toLocaleString() : "Never"}
 								</p>
 							</div>
-							{repository.type === "rest" && "cacert" in repository.config && (
-								<>
-									<div>
-										<div className="text-sm font-medium text-muted-foreground">CA Certificate</div>
-										<p className="mt-1 text-sm">
-											{repository.config.cacert ? (
-												<span className="text-green-500">configured</span>
-											) : (
-												<span className="text-muted-foreground">not configured</span>
-											)}
-										</p>
-									</div>
-									<div>
-										<div className="text-sm font-medium text-muted-foreground">TLS Certificate Validation</div>
-										<p className="mt-1 text-sm">
-											{"insecureTls" in repository.config && repository.config.insecureTls ? (
-												<span className="text-red-500">disabled</span>
-											) : (
-												<span className="text-green-500">enabled</span>
-											)}
-										</p>
-									</div>
-								</>
+							{repository.config.backend === "rest" && repository.config.cacert && (
+								<div>
+									<div className="text-sm font-medium text-muted-foreground">CA Certificate</div>
+									<p className="mt-1 text-sm">
+										<span className="text-green-500">configured</span>
+									</p>
+								</div>
+							)}
+							{repository.config.backend === "rest" && "insecureTls" in repository.config && (
+								<div>
+									<div className="text-sm font-medium text-muted-foreground">TLS Certificate Validation</div>
+									<p className="mt-1 text-sm">
+										{repository.config.insecureTls ? (
+											<span className="text-red-500">disabled</span>
+										) : (
+											<span className="text-green-500">enabled</span>
+										)}
+									</p>
+								</div>
 							)}
 						</div>
 					</div>
diff --git a/app/server/utils/restic.ts b/app/server/utils/restic.ts
index b7044c46..f7670b09 100644
--- a/app/server/utils/restic.ts
+++ b/app/server/utils/restic.ts
@@ -157,7 +157,7 @@ export const buildEnv = async (config: RepositoryConfig) => {
 			}
 			if (config.cacert) {
 				const decryptedCert = await cryptoUtils.resolveSecret(config.cacert);
-				const certPath = path.join("/tmp", `rest-server-cacert-${crypto.randomBytes(8).toString("hex")}.pem`);
+				const certPath = path.join("/tmp", `zerobyte-cacert-${crypto.randomBytes(8).toString("hex")}.pem`);
 				await fs.writeFile(certPath, decryptedCert, { mode: 0o600 });
 				env.RESTIC_CACERT = certPath;
 			}
@@ -855,8 +855,8 @@ const copy = async (
 
 	const res = await safeSpawn({ command: "restic", args, env });
 
-	await cleanupTemporaryKeys(sourceConfig, sourceEnv);
-	await cleanupTemporaryKeys(destConfig, destEnv);
+	await cleanupTemporaryKeys(sourceEnv);
+	await cleanupTemporaryKeys(destEnv);
 
 	const { stdout, stderr } = res;
 
@@ -872,17 +872,20 @@ const copy = async (
 	};
 };
 
-export const cleanupTemporaryKeys = async (config: RepositoryConfig, env: Record<string, string>) => {
-	if (config.backend === "sftp") {
-		if (env._SFTP_KEY_PATH) {
-			await fs.unlink(env._SFTP_KEY_PATH).catch(() => {});
-		}
-		if (env._SFTP_KNOWN_HOSTS_PATH) {
-			await fs.unlink(env._SFTP_KNOWN_HOSTS_PATH).catch(() => {});
-		}
-	} else if (config.isExistingRepository && config.customPassword && env.RESTIC_PASSWORD_FILE) {
+export const cleanupTemporaryKeys = async (env: Record<string, string>) => {
+	if (env._SFTP_KEY_PATH) {
+		await fs.unlink(env._SFTP_KEY_PATH).catch(() => {});
+	}
+
+	if (env._SFTP_KNOWN_HOSTS_PATH) {
+		await fs.unlink(env._SFTP_KNOWN_HOSTS_PATH).catch(() => {});
+	}
+
+	if (env.RESTIC_PASSWORD_FILE) {
 		await fs.unlink(env.RESTIC_PASSWORD_FILE).catch(() => {});
-	} else if (config.backend === "gcs" && env.GOOGLE_APPLICATION_CREDENTIALS) {
+	}
+
+	if (env.GOOGLE_APPLICATION_CREDENTIALS) {
 		await fs.unlink(env.GOOGLE_APPLICATION_CREDENTIALS).catch(() => {});
 	}