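# Restic backup of this host to a REST-server repository, plus a PostgreSQL
# dump that is refreshed immediately before every backup run.
{ lib, config, pkgs, ... }:
let
  # Project-local mail settings; only the directory paths are read here.
  mail_config = (import ./mailserver/config.nix { });

  # Run before each restic backup: start the postgresqlBackup unit and block
  # (--wait) until it has finished, so the dump is complete before restic
  # reads it.
  backupPrepareCommand = "${
      (pkgs.writeShellScriptBin "backupPrepareCommand" ''
        systemctl start postgresqlBackup --wait
      '')
    }/bin/backupPrepareCommand";
in {
  environment.systemPackages = [
    # Manual wrapper that runs restic with the same password file and
    # environment file as the scheduled job (e.g. for snapshots / restore).
    #
    # * "$@" is quoted so arguments containing spaces (paths, --exclude
    #   patterns) reach restic unchanged; the previous unquoted $@ re-split
    #   them.
    # * $(cat ...) is left unquoted on purpose: every KEY=VALUE word in the
    #   env file becomes one assignment for env(1). Values containing
    #   whitespace or glob characters will therefore be split or expanded.
    # * The env file's contents pass through env's argv, which other local
    #   users can read for the moment before env execs restic, unless /proc
    #   is mounted with hidepid.
    # * NOTE(review): the wrapper is installed for every user but only works
    #   for accounts that can read /secrets; confirm /secrets is root-only.
    (pkgs.writeShellScriptBin "restic-hetzner-vm" ''
      env \
        RESTIC_PASSWORD_FILE=/secrets/restic-Chaos-Backups-HetznerVM-password \
        $(cat /secrets/restic-Chaos-Backups-HetznerVM-env) \
        ${pkgs.restic}/bin/restic "$@"
    '')
  ];

  services.restic.backups.hetzner-vm = {
    user = "root";
    paths = [
      # /secrets holds the repository password file used below, so the only
      # backed-up copy of that password is encrypted with itself. Keep a
      # separate copy of the password outside this repository, otherwise the
      # backup cannot be decrypted once this host is lost.
      "/secrets"
      "/var/lib/acme"

      # Quassel & Invidious
      # presumably /var/backup/postgresql is where postgresqlBackup writes
      # its dumps (no location is set below) - confirm
      "/var/backup/postgresql"
      "/home/quassel/.config/quassel-irc.org"

      # MPD State
      "/mpd"

      # doesn't work for restoring might as well not backup
      # "/var/lib/tailscale"

      # mail
      mail_config.vmail_config.directory
      mail_config.sieve_directory
      mail_config.dkim_directory
      "/var/lib/redis-rspamd"

      # misskey
      "/home/misskey/misskey-files"
      "/var/lib/redis-misskey"
    ];

    # repository is overridden in environmentFile to contain auth
    # make sure to keep up to date when changing repository
    repository = "rest:https://storage-restic.owo.monster/HetznerVM";
    passwordFile = "/secrets/restic-Chaos-Backups-HetznerVM-password";
    environmentFile = "/secrets/restic-Chaos-Backups-HetznerVM-env";

    # First run one minute after boot, then once a day.
    timerConfig = {
      OnBootSec = "1m";
      OnCalendar = "daily";
    };

    inherit backupPrepareCommand;
  };

  # Dump every database, zstd-compressed; triggered by backupPrepareCommand.
  services.postgresqlBackup = {
    enable = true;
    backupAll = true;
    compression = "zstd";
  };
}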