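# NixOS module: daily restic backup of service state to the B2 repository
# "b2:cyplo-restic-vpsfree". The repository password and the backend
# credentials are provisioned through sops-nix.
{ config, pkgs, ... }:
let
  # Kept without trailing slashes so that joined paths do not contain "//".
  genericBackupPath = "/var/lib/backups";
  # Staging directory for container volume exports that restic then picks up.
  containersBackupPath = "${genericBackupPath}/oci-containers";
in
{
  environment.systemPackages = [ pkgs.restic ];

  # Password that encrypts the restic repository itself.
  sops.secrets."restic-backups-b2-repo-password" = {
    sopsFile = ./restic.sops.yaml;
  };

  # Environment file handed to the backup unit; presumably carries the B2
  # credentials (B2_ACCOUNT_ID / B2_ACCOUNT_KEY) -- confirm against the
  # encrypted file.
  sops.secrets."restic-backups-b2-environment" = {
    sopsFile = ./restic-environment.sops;
    format = "binary";
    # NOTE(review): this exposes the decrypted secret under /etc/nixos. If that
    # directory is a configuration checkout, make sure secrets/ is ignored by
    # version control.
    path = "/etc/nixos/secrets/b2-env";
  };

  services.restic.backups.b2 = {
    # Reference the secret through the sops-nix option instead of hard-coding
    # /run/secrets/..., so the path stays correct if the secret is relocated
    # (same approach as environmentFile below).
    passwordFile = config.sops.secrets."restic-backups-b2-repo-password".path;
    paths = [
      "/var/lib/foundryvtt"
      "/var/lib/gitea"
      "/var/lib/mastodon"
      containersBackupPath
    ];
    repository = "b2:cyplo-restic-vpsfree";

    # Runs before the backup:
    #  - umask 077 plus chmod 0700 keep the exported volume archive from being
    #    readable by other local users; `mkdir -p` alone leaves an existing
    #    directory's mode untouched, hence the explicit chmod.
    #  - mastodon is stopped so its data is not changing while restic reads it.
    # NOTE(review): the woodpecker volume is exported without stopping the
    # service that writes to it -- confirm the export is consistent enough.
    backupPrepareCommand = ''
      umask 077
      mkdir -p ${containersBackupPath}
      chmod 0700 ${containersBackupPath}
      systemctl stop container@mastodon.service
      ${pkgs.podman}/bin/podman volume export woodpecker-server-data -o ${containersBackupPath}/woodpecker.tar
    '';

    # Brings mastodon back up once the backup run has finished.
    backupCleanupCommand = ''
      systemctl start container@mastodon.service
    '';

    timerConfig = {
      OnCalendar = "daily";
    };

    environmentFile = config.sops.secrets."restic-backups-b2-environment".path;
  };

  # Keep the backup from competing with the services on this host: a single
  # Go scheduler thread, lowest CPU priority, idle I/O class.
  systemd.services.restic-backups-b2 = {
    environment = {
      GOMAXPROCS = "1";
    };
    serviceConfig = {
      Nice = 19;
      IOSchedulingClass = "idle";
    };
  };
}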