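# NixOS module: opt-in borg backups via borgmatic. The repository passphrase
# comes from an agenix secret keyed by this host's name; retention is fixed
# at 7 daily / 4 weekly / 6 monthly archives.
{ inputs, config, lib, ... }:
let
  cfg = config.modules.services.borgmatic;
  hostname = config.networking.hostName;
  # Single source of truth for the secret name, used both to declare the
  # agenix secret and to read back its decrypted path below.
  passphraseSecret = "passwords/services/borg/${hostname}-passphrase";
in
{
  options.modules.services.borgmatic = {
    enable = lib.mkOption {
      # Explicit bool type; the option previously had no type and so
      # accepted any value.
      type = lib.types.bool;
      default = false;
      example = true;
      description = lib.mdDoc "Enable backups on this host with `borgmatic`";
    };

    directories = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      example = [ "/home/jordan/Documents" ];
      description = lib.mdDoc "List of directories to backup";
    };

    # No default: a host that enables the module must name its repository.
    repoPath = lib.mkOption {
      type = lib.types.str;
      example = "ssh://example@example.repo.borgbase.com/./repo";
      description = lib.mdDoc "Destination borg repository for backup";
    };
  };

  config = lib.mkIf cfg.enable {
    # Per-host encrypted passphrase from the secrets input.
    age.secrets.${passphraseSecret} = {
      file = "${inputs.secrets}/${passphraseSecret}.age";
    };

    services.borgmatic = {
      enable = true;
      settings = {
        source_directories = cfg.directories;
        repositories = [
          {
            label = "borgbase";
            path = cfg.repoPath;
          }
        ];
        # borg reads the passphrase from the decrypted agenix file at run time
        # rather than from the (world-readable) Nix store.
        encryption_passcommand = "cat ${config.age.secrets.${passphraseSecret}.path}";
        # The host's own SSH key is the backup identity.
        # NOTE(review): what the repository side allows this key to do
        # (e.g. whether it is restricted to appending) is not visible here —
        # confirm on the repository, since the key lives on the backed-up host.
        ssh_command = "ssh -i /etc/ssh/ssh_host_ed25519_key";
        keep_daily = 7;
        keep_weekly = 4;
        keep_monthly = 6;
      };
    };

    # Lets the unit (root) run `pg_dumpall`.
    # NOTE(review): no `postgresql_databases` hook is set in `settings` above,
    # and this is declared regardless of whether postgresql is enabled on the
    # host — presumably the dump hook lives elsewhere; verify.
    services.postgresql.ensureUsers = [
      {
        name = "root";
        ensureClauses.superuser = true;
      }
    ];

    # Add `pg_dumpall` to unit environment
    systemd.services.borgmatic.path = [ config.services.postgresql.package ];

    # Without this override, `cat` is unavailable for `encryption_passcommand`
    # (presumably the upstream borgmatic unit runs confined — confirm; this
    # makes the unit's full closure available inside that sandbox).
    systemd.services.borgmatic.confinement.fullUnit = true;
  };
}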