{ pkgs, config, lib, options, ... }:
let
  cfg = config.sbruder.restic;

  name = "${config.networking.hostName}-system";
  repository = "s3:https://s3.eu-central-1.wasabisys.com/sbruder-restic";
  excludes = [
    # Caches
    "/home/*/Downloads/"
    "/home/*/.cache/"
    "/home/*/**/cache/"
    "/home/*/.local/share/Trash" # some gui applications use it
    "/data/cache/"

    # Rust
    "/home/*/**/target/debug/"
    "/home/*/**/target/doc/"
    "/home/*/**/target/release/"
    "/home/*/**/target/rls/"
    "/home/*/**/target/tarpaulin/"
    "/home/*/**/target/wasm32-unknown-unknown/"
    "/home/*/.rustup/toolchains/"
    "/home/*/.cargo"

    # Misc
    "/home/*/mount"

    # Docker (state should be kept somewhere else)
    "/var/lib/docker/"
  ] ++ cfg.extraExcludes;
  excludesFile = pkgs.writeText "exludes.txt" (builtins.concatStringsSep "\n" excludes);

  # script to use restic as user without dealing with authentication
  authScript = pkgs.writeShellScriptBin "restic-auth" ''
    . <(pass nixos/machines/${config.networking.hostName}/restic-s3 | sed 's/^/export /')
    ${pkgs.unstable.restic}/bin/restic \
      --password-command="pass nixos/machines/${config.networking.hostName}/restic-password" \
      --repo "${repository}" \
      $@
  '';
in
{
  options.sbruder.restic = {
    enable = lib.mkEnableOption "restic";
    timerConfig = lib.recursiveUpdate
      ((builtins.elemAt
        (builtins.elemAt
          options.services.restic.backups.type.getSubModules
          0
        ).imports
        0)
        { name = ""; }).options.timerConfig
      {
        default = {
          OnCalendar = "20:00";
          RandomizedDelaySec = "2h";
        };
      };
    extraPaths = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      example = [ "/data" ];
    };
    extraExcludes = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
    };
  };

  # custom module
  disabledModules = [ "services/backup/restic.nix" ];
  imports = [ (import /home/simon/src/nixpkgs/nixos/modules/services/backup/restic.nix { inherit config lib; pkgs = pkgs.unstable; }) ];

  config = lib.mkIf cfg.enable {
    services.restic.backups."${name}" = {
      # FIXME: replace with secret once repository uses rest server
      repositoryFile = (pkgs.writeText "restic-repository" repository);
      passwordFile = toString <secrets/restic-password>;
      s3CredentialsFile = toString <secrets/restic-s3>;
      paths = [
        "/home"
        "/srv"
        "/var"
      ] ++ cfg.extraPaths;
      initialize = true;
      extraBackupArgs = [
        "--exclude-caches"
        "--exclude-file=${excludesFile}"
        "--verbose"
      ];
      timerConfig = cfg.timerConfig;
    };

    systemd.services."restic-backups-${name}".serviceConfig = {
      "Nice" = 10;
      "IOSchedulingClass" = "best-effort";
      "IOSchedulingPriority" = 7;
    };

    environment.systemPackages = [
      authScript
    ];
  };
}