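# NixOS module: opt-in borgmatic backups for this host.
#
# The borg repository passphrase is an agenix secret keyed by hostname
# (`passwords/services/borg/<hostname>-passphrase`), and the host's ed25519
# SSH host key is used as the SSH identity for reaching the repository.
{ config, lib, pkgs, inputs, ... }:

with lib;

let
  cfg = config.modules.services.borgmatic;
  hostname = config.networking.hostName;
  # Single source of truth for the secret's attribute name so the
  # `age.secrets` declaration and `encryption_passcommand` cannot drift apart.
  passphraseSecret = "passwords/services/borg/${hostname}-passphrase";
in
{
  options.modules.services.borgmatic = {
    enable = mkOption {
      # Explicit type: without it `mkOption` accepts any value, and a typo such
      # as `enable = "yes"` would only surface as an obscure `mkIf` error.
      type = types.bool;
      default = false;
      example = true;
      # NOTE(review): `mdDoc` is deprecated/no-op on recent nixpkgs; keep or
      # drop it according to the pinned nixpkgs version.
      description = mdDoc "Enable backups on this host with `borgmatic`";
    };

    directories = mkOption {
      type = types.listOf types.str;
      default = [ ];
      example = [ "/home/jordan/Documents" ];
      description = mdDoc "List of directories to backup";
    };

    repoPath = mkOption {
      # No default on purpose: enabling the module without a destination must
      # fail at evaluation time rather than at the first backup run.
      type = types.str;
      example = "ssh://example@example.repo.borgbase.com/./repo";
      description = mdDoc "Destination borg repository for backup";
    };
  };

  config = mkIf cfg.enable {
    # Decrypt the per-host passphrase at activation; agenix exposes the
    # plaintext under `config.age.secrets.<name>.path` (root-readable).
    age.secrets.${passphraseSecret} = {
      file = "${inputs.secrets}/${passphraseSecret}.age";
    };

    services.borgmatic = {
      enable = true;
      settings = {
        source_directories = cfg.directories;
        repositories = [
          {
            label = "borgbase";
            path = cfg.repoPath;
          }
        ];
        storage = {
          # borg obtains the passphrase from this command's stdout rather than
          # from a BORG_PASSPHRASE variable, so the plaintext is read from the
          # agenix file at run time instead of being baked into the unit.
          encryption_passcommand = "cat ${config.age.secrets.${passphraseSecret}.path}";
          # The host key doubles as the backup credential. NOTE(review): anyone
          # with root on this host therefore holds full repo access; if
          # rollback/ransomware resistance matters, restrict this key on the
          # repository side (e.g. append-only) — but then the `prune` implied
          # by `retention` below would have to run from elsewhere. root also
          # needs a known_hosts entry for the repo host, or the non-interactive
          # ssh will fail on first contact.
          ssh_command = "ssh -i /etc/ssh/ssh_host_ed25519_key";
        };
        retention = {
          keep_daily = 7;
          keep_weekly = 4;
          keep_monthly = 6;
        };
      };
    };

    # Without this override `cat` is not available inside the confined unit and
    # `encryption_passcommand` fails. `fullUnit = true` widens the sandbox to
    # the whole unit closure; a narrower confinement that only adds coreutils
    # (and the agenix secret path) may be possible — TODO confirm before
    # tightening, the current setting is the one known to work.
    systemd.services.borgmatic.confinement.fullUnit = true;
  };
}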