{
  self,
  pkgs,
  config,
  ...
}: let
  inherit (config.services.secrets) secrets;
  backupSchedules = import "${self}/data/backupSchedules.nix";

  backupPrepareCommand = "${
    (pkgs.writeShellScriptBin "backupPrepareCommand" ''
      systemctl start remotePostgreSQLBackup-gotosocial --wait
      systemctl start remotePostgreSQLBackup-quassel --wait
    '')
  }/bin/backupPrepareCommand";
in {
  environment.systemPackages = with pkgs; [
    restic
    (pkgs.writeShellScriptBin "restic-postgresql" ''
      env \
        RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
        $(cat ${secrets.restic_env.path}) \
      ${pkgs.restic}/bin/restic $@
    '')
  ];

  services.restic.backups.postgresql = {
    user = "root";
    paths = [
      "/var/backup/postgresql"
    ];

    # repository is overrided in environmentFile to contain auth
    # make sure to keep up to date when changing repository
    repository = "rest:https://storage-restic.owo.monster/PostgreSQL";
    passwordFile = "${secrets.restic_password.path}";
    environmentFile = "${secrets.restic_env.path}";

    pruneOpts = ["--keep-last 10"];
    timerConfig = backupSchedules.restic.high;

    inherit backupPrepareCommand;
  };

  services.postgreSQLRemoteBackup = {
    enable = true;
    backupUser = "postgres";
    databases = [
      "gotosocial"
      "quassel"
    ];
  };
}