{
  config,
  pkgs,
  ...
}: let
  genericBackupPath = "/var/lib/backups/";
  containersBackupPath = "${genericBackupPath}/oci-containers/";
in rec {
  environment.systemPackages = with pkgs; [restic];

  sops.secrets."restic-backups-b2-repo-password" = {
    sopsFile = ./restic.sops.yaml;
  };
  sops.secrets."restic-backups-b2-environment" = {
    sopsFile = ./restic-environment.sops;
    format = "binary";
    path = "/etc/nixos/secrets/b2-env";
  };
  services = {
    restic.backups.b2 = {
      passwordFile = "/run/secrets/restic-backups-b2-repo-password";
      paths = [
        "/var/lib/foundryvtt"
        "/var/lib/gitea"
        "/var/lib/mastodon"
        "${containersBackupPath}"
      ];
      repository = "b2:cyplo-restic-vpsfree";
      backupPrepareCommand = ''
        mkdir -p ${containersBackupPath}/
        ${pkgs.podman}/bin/podman volume export woodpecker-server-data -o ${containersBackupPath}/woodpecker.tar
      '';
      timerConfig = {OnCalendar = "hourly";};
      environmentFile = "${config.sops.secrets.restic-backups-b2-environment.path}";
    };
  };

  systemd.services.restic-backups-b2.serviceConfig = {
    Nice = 19;
    IOSchedulingClass = "idle";
  };
}