{ lib, pkgs, ... }:
let

  mail_config = (import ./mailserver/config.nix { });

  backupUser = "root";
  backupPaths = [
    "/var/lib/postgresql"
    "/var/lib/vault"
    "/var/lib/acme"
    "/secrets"
    mail_config.vmail_config.directory
    mail_config.sieve_directory
    mail_config.dkim_directory
    "/var/lib/redis-rspamd"
  ];
  timerConfig = {
    OnBootSec = "1m";
    OnCalendar = "daily";
  };
  repos = {
    Chaos-Backups-HetznerVM = {
      repository = "b2:Chaos-Backups:HetznerVM";
      passwordFile = "/secrets/restic-Chaos-Backups-HetznerVM-password";
      environmentFile = "/secrets/restic-Chaos-Backups-HetznerVM-env";
    };
    Cassie-Backups-HetznerVM = {
      repository = "b2:Cryptidz-Backup:HetznerVM";
      passwordFile = "/secrets/restic-Cassie-Backups-HetznerVM-password";
      environmentFile = "/secrets/restic-Cassie-Backups-HetznerVM-env";
    };
  };

  restic_commands = lib.mapAttrsToList (repoName: repoInfo: (
    # nya
    pkgs.writeShellScriptBin "restic-${repoName}" ''
      env \
        $(cat ${repoInfo.environmentFile}) \
        RESTIC_PASSWORD_FILE=${repoInfo.passwordFile} \
        RESTIC_REPOSITORY=${repoInfo.repository} \
      ${pkgs.restic}/bin/restic $@
    ''
  )) repos;
in {
  environment.systemPackages = restic_commands;

  services.restic.backups.hetzner-vm = lib.mkMerge [
    {
      user = backupUser;
      paths = backupPaths;
      inherit timerConfig;
    }
    repos.Chaos-Backups-HetznerVM
  ];
  services.restic.backups.cassie-hetzner-vm = lib.mkMerge [
    {
      user = backupUser;
      paths = backupPaths;
      inherit timerConfig;
    }
    repos.Cassie-Backups-HetznerVM
  ];
}