{
  pkgs,
  hostSecrets,
  ...
}: let
  secrets = hostSecrets;
in {
  environment.systemPackages = with pkgs; [
    restic
    (pkgs.writeShellScriptBin "restic-piped-finland" ''
      env \
        RESTIC_PASSWORD_FILE=${secrets.piped_finland_restic_password.path} \
        $(cat ${secrets.piped_finland_restic_env.path}) \
      ${pkgs.restic}/bin/restic $@
    '')
  ];

  services.restic.backups.piped-finland = {
    user = "root";
    paths = [
      "/var/lib/cockroachdb"
      "/var/lib/cockroachdb-certs"
    ];

    # repository is overrided in environmentFile to contain auth
    # make sure to keep up to date when changing repository
    repository = "rest:https://storage-restic.owo.monster/Piped-Finland";
    passwordFile = "${secrets.piped_finland_restic_password.path}";
    environmentFile = "${secrets.piped_finland_restic_env.path}";

    pruneOpts = [
      "--keep-last 5"
    ];

    timerConfig = {
      OnBootSec = "1m";
      OnCalendar = "daily";
    };
  };
}