{
  pkgs,
  config,
  lib,
  host_secrets,
  ...
}: let
  secrets = host_secrets;

  # Because gotosocial-admin isn't a seporate package we need to generate a seperate config
  # and duplicate the wrapper for use in a systemd unit
  goToSocialConfigFile = (pkgs.formats.yaml {}).generate "config.yml" config.services.gotosocial.settings;
  goToSocialAdmin = "${(pkgs.writeShellScriptBin "goToSocialAdmin" ''
    exec systemd-run \
      -u gotosocial-admin.service \
      -p Group=gotosocial \
      -p User=gotosocial \
      -q -t -G --wait --service-type=exec \
      ${pkgs.gotosocial}/bin/gotosocial --config-path ${goToSocialConfigFile} admin "$@"
  '')}/bin/goToSocialAdmin";

  backupPrepareCommand = "${
    (pkgs.writeShellScriptBin "backupPrepareCommand" ''
      systemctl start ${
        lib.concatStringsSep " "
        (lib.forEach config.services.postgresqlBackup.databases
          (db: "postgresqlBackup-${db}"))
      } --wait

      ${goToSocialAdmin} export --path /var/lib/gotosocial/gts-export.json
    '')
  }/bin/backupPrepareCommand";

  backupCleanupCommand = "${(pkgs.writeShellScriptBin "backupCleanupCommand" ''
    rm /var/lib/gotosocial/gts-export.json
  '')}/bin/backupCleanupCommand";
in {
  environment.systemPackages = with pkgs; [
    restic
    (pkgs.writeShellScriptBin "restic-social" ''
      env \
        RESTIC_PASSWORD_FILE=${secrets.social_restic_password.path} \
        $(cat ${secrets.social_restic_env.path}) \
      ${pkgs.restic}/bin/restic $@
    '')
  ];

  services.restic.backups.social = {
    user = "root";
    paths = [
      "/var/backup/postgresql"
      "/var/lib/gotosocial"
    ];

    # repository is overrided in environmentFile to contain auth
    # make sure to keep up to date when changing repository
    repository = "rest:https://storage-restic.owo.monster/Social";
    passwordFile = "${secrets.social_restic_password.path}";
    environmentFile = "${secrets.social_restic_env.path}";

    pruneOpts = [
      "--keep-last 10"
    ];

    timerConfig = {
      OnBootSec = "1m";
      OnCalendar = "daily";
    };

    inherit backupPrepareCommand;
    inherit backupCleanupCommand;
  };

  services.postgresqlBackup = {
    enable = true;
    backupAll = false;
    databases = ["gotosocial"];
    compression = "zstd";
  };
}