{
  config,
  pkgs,
  ...
}: let
  genericBackupPath = "/var/lib/backups/";
  nixosContainersBackupPath = "/var/lib/nixos-containers/";
in rec {
  environment.systemPackages = with pkgs; [restic];

  sops.secrets."restic-backups-b2-repo-password" = {
    sopsFile = ./restic.sops.yaml;
  };
  sops.secrets."restic-backups-b2-environment" = {
    sopsFile = ./restic-environment.sops;
    format = "binary";
    path = "/etc/nixos/secrets/b2-env";
  };
  services = {
    restic.backups.b2 = {
      passwordFile = config.sops.secrets."restic-backups-b2-repo-password".path;
      paths = [
        "/var/lib/foundryvtt"
        "/var/lib/gitea"
        "/var/lib/mastodon"
        "/var/lib/postgresql"
        "/var/lib/private/cryptpad/"
        "${nixosContainersBackupPath}"
      ];
      repository = "b2:cyplo-backup-cupsnet";
      backupPrepareCommand = ''
        systemctl stop container@foundryvtt.service
        systemctl stop cryptpad.service
        systemctl stop forgejo.service
        systemctl stop mastodon*
        systemctl stop postgresql.service
      '';
      backupCleanupCommand = ''
        systemctl start postgresql.service
        systemctl start forgejo.service
        systemctl start cryptpad.service
        systemctl start container@foundryvtt.service
        systemctl start --all mastodon*
      '';
      timerConfig = {OnCalendar = "daily";};
      environmentFile = "${config.sops.secrets.restic-backups-b2-environment.path}";
      exclude = ["cache"];
      pruneOpts = [
        "--keep-hourly 25"
        "--keep-daily 8"
        "--keep-weekly 5"
        "--keep-monthly 13"
        "--keep-yearly 2"
      ];
      checkOpts = ["--with-cache"];
    };
  };

  systemd.services.restic-backups-b2 = {
    environment = {
      GOMAXPROCS = "1";
      GOGC = "20";
    };
    serviceConfig = {
      Nice = 19;
      IOSchedulingClass = "idle";
    };
  };
}