{ config, lib, pkgs, ...}: let
  secretPerm = {
    owner = "root";
    mode = "0400";
  };
in {
  imports = [
    ./backups/postgresql.nix
    ./backups/gitea.nix
  ];

  sops.secrets."restic/repo" = secretPerm;

  sops.secrets."restic/passwd" = secretPerm;
  
  sops.secrets."restic/backblaze" = secretPerm;
  
  services.restic.backups.hippocampus = {
    user = "root";
    initialize = true;
    timerConfig = {
      OnCalendar = "03:00";
      Persistent = true;
    };

    passwordFile = config.sops.secrets."restic/passwd".path;
    
    paths = [
      "/etc/group"
      "/etc/machine-id"
      "/etc/passwd"
      "/etc/subgid"
      "/home"
      "/root"
      "/var/backup"
      "/var/lib"
      "/jelly/conf"
    ];

    # USE REPOSITORYFILE
    repositoryFile = config.sops.secrets."restic/repo".path;
    environmentFile = config.sops.secrets."restic/backblaze".path;

    pruneOpts = [
      "--keep-daily 2"
      "--keep-weekly 4"
      "--keep-yearly 8"
    ];
  };
}