# Restic backup job "remote": backs up the primary user's SSH directory and
# the data directories of the listed service instances. Repository location,
# repository password and provider credentials all come from sops-managed
# files, so none of them appear in this module.
{
  config,
  flake,
  pkgs,
  ...
}:
let
  inherit (flake.config.services) instances;
  inherit (flake.config.people) user0;

  # Names of the sops secrets consumed by the backup job.
  envSecret = "backblaze/env";
  repoSecret = "backblaze/repo";
  passSecret = "restic-pass";

  # Decrypted on-disk location of a declared sops secret.
  secretPath = name: config.sops.secrets.${name}.path;

  # name/value pair for builtins.listToAttrs: the secret is placed under
  # /run/secrets and is readable and writable by root only.
  mkRootOnlySecret = name: {
    inherit name;
    value = {
      path = "/run/secrets/${name}";
      owner = "root";
      group = "root";
      mode = "0600";
    };
  };

  # First mount path of a service instance, looked up by instance name.
  serviceRoot = name: instances.${name}.mntPaths.path0;
  jellyfinRoot = serviceRoot "jellyfin";
in
{
  services.restic.backups.remote = {
    # Create the repository on first run if it does not exist yet.
    initialize = true;

    environmentFile = secretPath envSecret;
    passwordFile = secretPath passSecret;
    repositoryFile = secretPath repoSecret;

    # Every four hours on the hour; Persistent catches up a run that was
    # missed while the machine was off.
    timerConfig = {
      OnCalendar = "0/4:00";
      Persistent = true;
    };

    # NOTE(review): no pruneOpts are set here, so this job applies no
    # retention policy of its own; confirm snapshots are expired elsewhere.
    #
    # The set includes ~/.ssh (may hold private keys) and the vaultwarden
    # data directory, so the confidentiality of those credentials off-site
    # rests on the restic repository password and on who can read the
    # sops-managed files.
    paths =
      [ "/home/${user0}/.ssh" ]
      ++ map serviceRoot [
        "firefly-iii"
        "forgejo"
        "mastodon"
        "minecraft"
        "opencloud"
        "vaultwarden"
      ]
      # Only selected jellyfin subdirectories are backed up, not the whole mount.
      ++ map (sub: "${jellyfinRoot}/${sub}") [
        "cache"
        "data"
        "media/music"
      ];
  };

  sops.secrets = builtins.listToAttrs (
    map mkRootOnlySecret [
      envSecret
      repoSecret
      passSecret
    ]
  );

  environment = {
    # Intentionally empty. The variables restic understands for manual use
    # are listed for reference only:
    #   AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY,
    #   RESTIC_PASSWORD_FILE, RESTIC_REPOSITORY
    # Do not set credentials here: environment.variables ends up in the
    # system-wide environment (and the world-readable Nix store), visible to
    # every local user. Keep them in the sops-managed files above.
    variables = { };

    # restic CLI for manual inspection and restores.
    systemPackages = [ pkgs.restic ];
  };
}