{
  pkgs,
  config,
  ...
}: let
  secrets = config.services.secrets.secrets;
in {
  # Scheduled restic backup of this host's state directories. Judging by the
  # paths, /var/lib/vault and /var/lib/acme hold Vault storage and ACME
  # certificate/key material (inferred, not shown here), so the confidentiality
  # of the remote copy rests on the restic repository password referenced below.
  services.restic.backups.vault = {
    # Repository URL as written here carries no credentials. Per the original
    # note, the environment file supplies the fixed repository together with
    # its auth.
    # NOTE(review): confirm the environment file's value is the one that takes
    # effect in the generated unit.
    repository = "rest:https://storage-restic.owo.monster/HetznerVM";

    # Both secrets are referenced by path only. This assumes `.path` is a
    # runtime path string; if it were a Nix path value, the interpolation would
    # copy the secret into the world-readable Nix store.
    # TODO confirm against the secrets module.
    environmentFile = "${secrets.restic_env.path}";
    passwordFile = "${secrets.restic_password.path}";

    # The job runs as root; presumably required to read both state
    # directories and the secret files.
    user = "root";
    paths = [
      "/var/lib/vault"
      "/var/lib/acme"
    ];

    # Fires one minute after boot and on the daily calendar schedule.
    timerConfig.OnBootSec = "1m";
    timerConfig.OnCalendar = "daily";
  };

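  environment.systemPackages = [
    # `restic-vault`: wrapper that runs restic with the same password file and
    # environment file as the scheduled backup job, forwarding its arguments.
    #
    # "$@" is quoted so arguments containing whitespace (paths, filter
    # expressions) reach restic as single arguments instead of being re-split.
    #
    # The environment file is expanded unquoted on purpose: each
    # whitespace-separated KEY=VALUE token becomes one `env` assignment, so
    # values containing whitespace or glob characters are not supported.
    # The assignments travel on env's command line and may be visible in the
    # process list until env execs restic.
    # NOTE(review): the wrapper is installed for every user; it presumably only
    # works for users able to read the secret files (root) — confirm the file
    # permissions set by the secrets module.
    (pkgs.writeShellScriptBin "restic-vault" ''
      exec env \
        RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
        $(cat ${secrets.restic_env.path}) \
      ${pkgs.restic}/bin/restic "$@"
    '')
  ];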
}