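{ self, pkgs, config, lib, ... }:

let
  # Host-independent public keys; only the `restic` key may log in as `backup`.
  sshPub = builtins.fromTOML (builtins.readFile "${self}/configs/ssh-pubkeys.toml");
  secrets = config.age.secrets;
  # Private key (managed as an age secret) used by the push to rsync.net.
  ssh-key-path = secrets."rsync.net/ssh-key".path;
  # No trailing slash here so "${backupDir}/hosts" is a clean single-slash path
  # (it is used verbatim as ChrootDirectory). The rsync source below appends
  # its own "/" so the directory's contents, not the directory itself, are sent.
  backupDir = "/data/slow/backups";
  backupDest = "de2664@de2664.rsync.net";
in
{
  # A user used only for backups: remote restic clients push into a chrooted
  # sftp tree rooted at its home directory.
  users.users.backup = {
    uid = 991;
    createHome = false;
    isSystemUser = true;
    group = "users";
    home = "${backupDir}/hosts";
    openssh.authorizedKeys.keys = [ sshPub.restic ];
  };

  services.openssh.sftpServerExecutable = "internal-sftp";

  # Confine the backup account to sftp inside its chroot. Forwarding and
  # tunnelling are switched off as well, since a backup client needs none of
  # them; a `Match` block applies until the next `Match` or end of file.
  # NOTE(review): sshd only accepts a ChrootDirectory that is root-owned and not
  # group/world-writable, including every parent — not visible here, confirm on
  # the host that owns ${backupDir}.
  services.openssh.extraConfig = ''
    Match User backup
      ChrootDirectory ${config.users.users.backup.home}
      ForceCommand internal-sftp
      AllowTcpForwarding no
      AllowAgentForwarding no
      X11Forwarding no
      PermitTunnel no
  '';

  systemd.timers.rsync-backups = {
    description = "synchronize restic repository to rsync.net";
    wantedBy = [ "timers.target" ];
    partOf = [ "rsync-backups.service" ];
    timerConfig.OnCalendar = "04:00";
  };

  systemd.services.rsync-backups = {
    description = "synchronize restic repository to rsync.net";
    serviceConfig.Type = "oneshot";
    # Mirror the local backup tree to rsync.net. `--delete` keeps the remote
    # copy in lockstep, so anything removed locally disappears remotely on the
    # next run; `-e` pins the identity file so the root user's default keys
    # are never offered.
    script = ''
      exec ${pkgs.rsync}/bin/rsync \
        -azq --delete \
        -e '${pkgs.openssh}/bin/ssh -i ${ssh-key-path}' \
        ${backupDir}/ ${backupDest}:backups/
    '';
  };
}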