{ config, lib, pkgs, ... }:

{
  services.restic.backups."${config.networking.hostName}-server" = {
    initialize = false;

    paths = [
      "/media"
    ];

    exclude = [
      "/media/secrets"
      "/media/torrents"
      "/media/media"

      ".cache*"
      ".DS_Store"
      "logs"
    ];

    checkOpts = [
      "--with-cache" # just to make checks faster
    ];

    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 5"
      "--keep-monthly 12"
      "--keep-yearly 10"
    ];

    timerConfig = {
      OnBootSec = "5m"; # lets wifi connect before starting backups
      OnCalendar = "daily";
      Persistent = true;
    };

    # backup postgres databases, kind of hacky but
    # i think its the only way to do it without needing
    # another backup repo
    backupPrepareCommand = ''
      rm -f /media/apps/postgres # -f doesn't error if doesn't exist
      touch /media/apps/postgres
      chmod 600 /media/apps/postgres
      ${lib.getExe pkgs.sudo} -u postgres ${config.services.postgresql.package}/bin/pg_dumpall > /media/apps/postgres
    '';

    backupCleanupCommand = ''
      rm /media/apps/postgres
    '';

    # https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html#other-services-via-rclone
    # put something like : "rclone:onedrive:restic" to use as the remote
    #
    # sudo nix run nixpkgs#rclone -- config
    repositoryFile = "/media/secrets/restic-repo";

    # the passphrase used 
    passwordFile = "/media/secrets/restic-password";
  };

  systemd.tmpfiles.rules = [
    "f /media/secrets/restic-repo 0400 root root"
    "f /media/secrets/restic-password 0400 root root"
  ];
}