{ config, pkgs, lib, ... }:
{
  services.restic.backups = let
    localJob = name: paths: {
      inherit paths;
      repository = "/mnt/feal-syn1/backup/defiant/${name}";
      passwordFile = config.sops.secrets."restic/${name}".path;
      initialize = true;
      pruneOpts = [
        "--keep-daily 3"
        "--keep-weekly 4"
        "--keep-monthly 3"
      ];
    };
  in {
    postgres = (localJob "postgres" [ "/tank/backup/postgresql" ]) // {
      timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
    };

    gitea = (localJob "gitea" [ "/tank/services/gitea" ]);
    matrix-synapse = (localJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
    vaultwarden = (localJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
  };

  # TODO: home-assistant, pihole
  sops.secrets."restic/postgres" = { };
  sops.secrets."restic/gitea" = { };
  sops.secrets."restic/matrix-synapse" = { };
  sops.secrets."restic/vaultwarden" = { };
}