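# NixOS module: BorgBackup client jobs (and, optionally, server-side
# repositories) under the `orbekk.backups` option namespace.
#
# Secret handling in this file:
#   * The repository passphrase and the SSH identity are referenced as plain
#     strings ("/opt/secret/..."), not as Nix path literals, so the files are
#     read at run time and are not copied into the Nix store. Keep it that way.
#   * "/opt" is in `paths` and "/opt/secret" is not in `exclude`, so the
#     passphrase file and the SSH key are part of what gets archived. A
#     restore needs the passphrase before the archive can be opened, so a
#     copy must be kept somewhere outside these backups.
{ config, lib, pkgs, ... }:
let
  cfg = config.orbekk.backups;
  hostName = config.networking.hostName;

  # Job template shared by every repository that host "dragon" pushes to.
  # `repo` is the Borg repository location (user@host:path).
  dragon-tmpl = repo: {
    inherit repo;
    paths = [ "/home" "/opt" "/var" "/storage" ];
    exclude = [ "/var/lib/lxd" "/var/lib/borg" "/storage/upload" ];
    doInit = true;
    encryption = {
      # repokey mode stores the (passphrase-protected) key inside the
      # repository, i.e. on the remote host; confidentiality towards that
      # host therefore rests on the strength of this passphrase.
      mode = "repokey-blake2";
      passCommand = "cat /opt/secret/borg-backup-keys/dragon_backup";
    };
    environment = {
      # The job runs non-interactively: confirm that the remote host keys are
      # already pinned in known_hosts for the user the job runs as.
      BORG_RSH = "ssh -i /opt/secret/borg-backup-keys/ssh_key";
    };
    compression = "auto,lzma";
    startAt = "daily";
    extraCreateArgs = "--stats";
  };

  # Both repositories are built from the same template, so they share one
  # passphrase file and one SSH identity: exposure of either secret affects
  # both destinations.
  backups.dragon-break = dragon-tmpl "borg@www.breakds.org:.";
  backups.dragon-trygve =
    dragon-tmpl "orbekk@trygve-backup.orbekk.com:/home/orbekk/repository";

  # NOTE(review): `backups` only defines dragon-break and dragon-trygve, so on
  # any host whose name is neither of those (and is not "dragon") enabling the
  # client fails at evaluation with a missing-attribute error.
  clientJobs = { ${hostName} = backups.${hostName}; };

  serverJobs = {
    dragon-break = backups.dragon-break;
    dragon-trygve = backups.dragon-trygve;
  };

  backupJobs = if hostName == "dragon" then serverJobs else clientJobs;
in
{
  options = {
    orbekk.backups = {
      # mkEnableOption already prepends "Whether to enable" to its argument.
      enableServer = lib.mkEnableOption "backup server";
      enableClient = lib.mkEnableOption "backup client";
      serverLocation = lib.mkOption {
        type = lib.types.str;
        default = "borg@localhost:.";
        description = ''
          Location of the Borg repository on the backup server.
          Currently not referenced by any job defined in this module.
        '';
      };
    };
  };

  config = {
    # No repositories are currently declared; the entries below are kept for
    # reference. When re-enabling one, consider `authorizedKeysAppendOnly`
    # instead of `authorizedKeys`, so that a compromised client cannot delete
    # or rewrite existing archives.
    services.borgbackup.repos = lib.mkIf cfg.enableServer {
      # dragon = {
      #   authorizedKeys =
      #     [ (builtins.readFile ../secrets/dragon-borg-ssh-key.pub) ];
      #   path = [ "/var/lib/dragon" ];
      # };
      # breakds = {
      #   authorizedKeys = [ (builtins.readFile ../data/breakds.pub) ];
      #   path = [ "/var/lib/borg/breakds" ];
      # };
      # pincer = {
      #   authorizedKeys =
      #     [ (builtins.readFile ../secrets/pincer-borg-ssh-key.pub) ];
      #   path = [ "/var/lib/borg-pincer" ];
      # };
    };

    services.borgbackup.jobs = lib.mkIf cfg.enableClient backupJobs;
  };
}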