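# NixOS module: Borg backup jobs (client side) and repository definitions
# (server side) for the orbekk hosts.
#
# Options (under `orbekk.backups`):
#   enableServer   - define `services.borgbackup.repos` on this host.
#   enableClient   - define `services.borgbackup.jobs` and the age secrets
#                    (repo passphrase + SSH identity) the jobs read.
#   serverLocation - repository URL used by the `pincer` job.
#
# Secret handling: the repository passphrase and the SSH private key are
# referenced through `config.age.secrets.<name>.path`, so only the encrypted
# `.age` files are named in this configuration; the jobs read the decrypted
# files at run time via `passCommand` and `BORG_RSH`.
{ config, lib, pkgs, ... }:
let
  cfg = config.orbekk.backups;
  hostName = config.networking.hostName;

  # Job for host "pincer": backs up the system configuration only.
  backups.pincer = {
    paths = [ "/etc/nixos" ];
    doInit = true;
    repo = cfg.serverLocation;
    encryption = {
      # repokey mode keeps the (passphrase-protected) key inside the
      # repository, so the passphrase below is the only secret needed to read
      # the backups; keep a copy of it somewhere that is not covered by this
      # backup.
      mode = "repokey-blake2";
      passCommand = "cat ${config.age.secrets.pincer-borg-repo-key.path}";
    };
    environment = {
      # NOTE(review): only the identity file is set here. Host-key pinning
      # (known_hosts) and options such as IdentitiesOnly/BatchMode are not
      # configured in this module; confirm they are provisioned elsewhere for
      # the user the job runs as.
      BORG_RSH = "ssh -i ${config.age.secrets.pincer-borg-ssh-key.path}";
    };
    compression = "auto,lzma";
    startAt = "daily";
  };

  # Template for the jobs of host "dragon"; `repo` is the destination
  # repository URL.
  #
  # NOTE(review): every job built from this template uses the same passphrase
  # (dragon-borg-repo-key) and the same SSH identity (dragon-borg-ssh-key),
  # so both remote destinations below share credentials. Separate keys per
  # destination would limit the impact of one of them leaking.
  dragon-tmpl = repo: {
    inherit repo;
    paths = [ "/home" "/opt" "/var" "/storage" ];
    exclude = [ "/var/lib/lxd" "/var/lib/borg" "/storage/upload" ];
    doInit = true;
    encryption = {
      mode = "repokey-blake2";
      passCommand = "cat ${config.age.secrets.dragon-borg-repo-key.path}";
    };
    environment = {
      BORG_RSH = "ssh -i ${config.age.secrets.dragon-borg-ssh-key.path}";
    };
    compression = "auto,lzma";
    startAt = "daily";
    extraCreateArgs = "--stats";
  };

  backups.dragon-break = dragon-tmpl "borg@www.breakds.org:.";
  backups.dragon-trygve =
    dragon-tmpl "orbekk@trygve-backup.orbekk.com:/home/orbekk/repository";

  # Jobs for an ordinary client: the single job named after the host.
  # The attribute value is only evaluated when the jobs are actually enabled;
  # fail with a readable message instead of "attribute missing" when a host
  # enables the client without having a job defined above.
  clientJobs = {
    ${hostName} = backups.${hostName} or (throw
      "orbekk.backups: no backup job is defined for host '${hostName}'");
  };

  # Jobs for host "dragon": one job per remote destination.
  serverJobs = {
    dragon-break = backups.dragon-break;
    dragon-trygve = backups.dragon-trygve;
  };

  backupJobs = if hostName == "dragon" then serverJobs else clientJobs;
in
{
  options = {
    orbekk.backups = {
      # mkEnableOption already prefixes its argument with
      # "Whether to enable ", so the argument is a noun phrase.
      enableServer = lib.mkEnableOption "the Borg backup server (repository definitions)";
      enableClient = lib.mkEnableOption "the Borg backup client jobs and their age secrets";
      serverLocation = lib.mkOption {
        type = lib.types.str;
        default = "borg@localhost:.";
        description = "Borg repository URL that the pincer backup job writes to.";
      };
    };
  };

  config = {
    # Encrypted secrets are looked up by host name:
    #   ../secrets/<host>-borg-repo-key.age  (repository passphrase)
    #   ../secrets/<host>-borg-ssh-key.age   (SSH private key for BORG_RSH)
    age.secrets = lib.mkIf cfg.enableClient {
      "${hostName}-borg-repo-key".file =
        ./. + "/../secrets/${hostName}-borg-repo-key.age";
      "${hostName}-borg-ssh-key".file =
        ./. + "/../secrets/${hostName}-borg-ssh-key.age";
    };

    # All repository definitions are currently commented out, so enabling the
    # server defines no repositories.
    #
    # NOTE(review), before re-enabling any of these:
    #  - `path` is written as a list here; the NixOS option presumably expects
    #    a single path, so confirm against the module's option type.
    #  - keys listed under `authorizedKeys` may also delete and prune
    #    archives; `authorizedKeysAppendOnly` restricts a client key to
    #    append-only access, which limits what a compromised client can do to
    #    existing backups.
    services.borgbackup.repos = lib.mkIf cfg.enableServer {
      # dragon = {
      #   authorizedKeys =
      #     [ (builtins.readFile ../secrets/dragon-borg-ssh-key.pub) ];
      #   path = [ "/var/lib/dragon" ];
      # };
      # breakds = {
      #   authorizedKeys = [ (builtins.readFile ../data/breakds.pub) ];
      #   path = [ "/var/lib/borg/breakds" ];
      # };
      # pincer = {
      #   authorizedKeys =
      #     [ (builtins.readFile ../secrets/pincer-borg-ssh-key.pub) ];
      #   path = [ "/var/lib/borg-pincer" ];
      # };
    };

    services.borgbackup.jobs = lib.mkIf cfg.enableClient backupJobs;
  };
}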