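# NixOS module: nightly restic backups ("main" and "syncthing") to a REST
# repository, plus a pre-backup unit that dumps the SQLite databases and a
# post-backup unit that deletes the dumps again.
{ config, pkgs, lib, ... }:
{
  # Repository password and REST-server credentials, decrypted by sops-nix.
  # No owner/mode is set here, so the sops-nix defaults apply.
  sops.secrets = {
    "restic/password" = {};
    "restic/rest-auth.env" = {};
  };

  systemd.services = {
    # Writes a consistent copy of each SQLite database (sqlite3 ".backup")
    # into /var/backups/db-backup before the main restic job starts.
    # No User= is set, so this runs with the default identity of a system unit.
    #
    # NOTE(review): wantedBy is a weak dependency. If a dump fails, the restic
    # run still starts, and since the live database files are excluded from the
    # file-level backup below, that snapshot would contain no usable database
    # copy. Consider requiredBy if a backup without dumps should fail loudly.
    db-backup = {
      wantedBy = [ "restic-backups-main.service" ];
      before = [ "restic-backups-main.service" ];
      script = ''
        DB_BACKUP_DIR=/var/backups/db-backup
        SQLITE_PATH=${lib.getExe pkgs.sqlite}

        if [ ! -d "$DB_BACKUP_DIR" ]; then
          mkdir -p -m 700 "$DB_BACKUP_DIR"
        fi

        umask 077

        "$SQLITE_PATH" /var/lib/vaultwarden/db.sqlite3 ".backup $DB_BACKUP_DIR/vaultwarden.sqlite3"
        "$SQLITE_PATH" /var/lib/uptime-kuma/kuma.db ".backup $DB_BACKUP_DIR/kuma.db"
        "$SQLITE_PATH" /var/lib/nextcloud/data/nextcloud.db ".backup $DB_BACKUP_DIR/nextcloud.db"
        "$SQLITE_PATH" /var/lib/ntfy-sh/user.db ".backup $DB_BACKUP_DIR/ntfy-user.db"
        "$SQLITE_PATH" /var/lib/kanidm/kanidm.db ".backup $DB_BACKUP_DIR/kanidm.db"
        "$SQLITE_PATH" /var/lib/jellyfin/data/jellyfin.db ".backup $DB_BACKUP_DIR/jellyfin.db"
        "$SQLITE_PATH" /var/lib/jellyfin/data/library.db ".backup $DB_BACKUP_DIR/jellyfin-library.db"
        "$SQLITE_PATH" /var/lib/grafana/data/grafana.db ".backup $DB_BACKUP_DIR/grafana.db"
      '';
      serviceConfig.Type = "oneshot";
    };

    # Removes the dump directory once the main restic job has finished, so the
    # copies of the Vaultwarden and Kanidm databases (credential stores) do not
    # stay on disk between runs.
    db-backup-cleanup = {
      wantedBy = [ "restic-backups-main.service" ];
      after = [ "restic-backups-main.service" ];
      script = "rm -r /var/backups/db-backup";
      serviceConfig.Type = "oneshot";
    };
  };

  services.restic.backups.main = {
    user = "restic-backup";
    # Delegate to the wrapper in /run/wrappers/bin instead of the plain package.
    # NOTE(review): the wrapper is not defined in this file; presumably it grants
    # the unprivileged restic-backup user the read access needed for root-owned
    # paths (the 0700 dump directory among them). Confirm it grants nothing more.
    package = pkgs.writeShellScriptBin "restic" ''
      exec /run/wrappers/bin/restic "$@"
    '';
    environmentFile = config.sops.secrets."restic/rest-auth.env".path;
    passwordFile = config.sops.secrets."restic/password".path;
    timerConfig = {
      OnCalendar = "03:00";
      Persistent = true;
    };
    # Plain HTTP, but to localhost only. Repository contents are encrypted by
    # restic with passwordFile; the REST credentials from environmentFile are
    # not protected by TLS on this hop.
    # NOTE(review): whatever listens on port 8001 is configured elsewhere; keep
    # it bound to loopback.
    repository = "rest:http://localhost:8001/drone";
    initialize = true;
    paths = [
      "/var/lib/jellyfin"
      "/var/lib/vaultwarden"
      "/var/backups/db-backup"
    ];
    # exclude databases since they are covered separately
    # (the db-backup dumps in /var/backups/db-backup are the only database copy
    # in the snapshot; live files and their -shm/-wal sidecars are skipped)
    exclude = [
      "/var/lib/**/*.db"
      "/var/lib/**/*.db-shm"
      "/var/lib/**/*.db-wal"
      "/var/lib/**/*.sqlite3"
      "/var/lib/**/*.sqlite3-shm"
      "/var/lib/**/*.sqlite3-wal"
      "/var/lib/vaultwarden/sends/*"
      "/var/lib/vaultwarden/tmp/*"
    ];
  };

  # Second job for the Syncthing data; it reuses the same repository password
  # and REST credentials as the main job and starts five minutes later.
  services.restic.backups.syncthing = {
    user = "restic-backup";
    package = pkgs.writeShellScriptBin "restic" ''
      exec /run/wrappers/bin/restic "$@"
    '';
    environmentFile = config.sops.secrets."restic/rest-auth.env".path;
    passwordFile = config.sops.secrets."restic/password".path;
    timerConfig = {
      OnCalendar = "03:05";
      Persistent = true;
    };
    repository = "rest:http://localhost:8001/drone/syncthing";
    initialize = true;
    paths = [ "/var/lib/syncthing" ];
    # Skip dot-prefixed entries directly under /var/lib/syncthing.
    exclude = [ "/var/lib/syncthing/.*" ];
  };
}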