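# NixOS module: per-host encrypted BorgBackup job, with the repository
# passphrase and SSH key provisioned through age.secrets.
{ config, lib, pkgs, ... }:

let
  cfg = config.within.backups;

  # Single source of truth for where the decrypted secrets are placed.
  # Both the age.secrets entries and the borg job below use these, so the
  # two cannot drift apart if a location is ever changed.
  passphraseFile = "/root/borgbackup_passphrase";
  sshKeyFile = "/root/borgbackup_ssh_key";
in
with lib; {
  options.within.backups = {
    # mkEnableOption already prefixes "Whether to enable ", so the argument
    # is a noun phrase rather than a full sentence.
    enable = mkEnableOption "per-host backups to rsync.net";

    paths = mkOption {
      type = with types; listOf str;
      # NOTE(review): "/root" is backed up by default and is also where the
      # decrypted passphrase and SSH key are placed (see passphraseFile and
      # sshKeyFile). Whether key material ends up in the archive depends on
      # how the secrets are materialised there (regular file vs. symlink);
      # confirm, and consider excluding those two paths.
      default = [ "/home" "/srv" "/var/lib" "/root" ];
      description = "paths to backup to rsync.net";
    };

    exclude = mkOption {
      type = with types; listOf str;
      # NOTE(review): the glob entries carry literal single quotes inside
      # the Nix string. If the borgbackup module hands these to borg without
      # a shell (e.g. via an exclude file), the quotes become part of the
      # pattern and the entries never match. Verify against the generated
      # unit before relying on these excludes.
      default = [
        "/var/lib/docker"
        "/var/lib/systemd"
        "/var/lib/libvirt"
        "'**/.cache'"
        "'**/.nix-profile'"
        "'**/.elm'"
        "'**/.emacs.d'"
      ];
      description = "paths to NOT backup to rsync.net";
    };

    repo = mkOption {
      type = types.str;
      description = "Repo to submit backups to";
    };
  };

  config = mkIf cfg.enable {
    # The job is named "borgbase" although the option descriptions refer to
    # rsync.net. The name is kept because it determines the generated unit
    # name.
    services.borgbackup.jobs."borgbase" = {
      paths = cfg.paths;
      exclude = cfg.exclude;
      repo = cfg.repo;

      encryption = {
        # repokey: the (passphrase-wrapped) repository key is stored inside
        # the remote repository, so the passphrase is the only secret
        # protecting the archive contents from whoever holds the repo.
        # Keep a copy of the passphrase off this host for restores.
        mode = "repokey-blake2";
        passCommand = "cat ${passphraseFile}";
      };

      # Use the dedicated key instead of root's default SSH identities.
      environment.BORG_RSH = "ssh -i ${sshKeyFile}";
      compression = "auto,lzma";
      startAt = "daily";
      # Selects the borg binary to run on the remote side.
      # presumably rsync.net's borg 1.x binary; confirm against the provider.
      extraArgs = "--remote-path=borg1";
    };

    # Secrets are stored encrypted in the repository and decrypted on the
    # host. No owner/mode is set here, so the secret module's defaults
    # apply. NOTE(review): confirm those defaults are root-only; ssh refuses
    # private keys readable by other users.
    age.secrets = {
      borgbackup-passphrase = {
        file = ../../secret/borgbackup_passphrase;
        path = passphraseFile;
      };
      borgbackup-ssh-key = {
        file = ../../secret/borgbackup_ssh_key;
        path = sshKeyFile;
      };
    };
  };
}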