{
  lib,
  config,
  pkgs,
  ...
}:
let
  cfg = config.backup-helper;
  restic-wrapper = pkgs.writeShellApplication {
    name = "restic-wrapper";
    runtimeInputs = [
      pkgs.restic
    ];
    text = (builtins.readFile ./backup.sh);
  };
in
{
  options.backup-helper.enable = lib.mkEnableOption "Enable backup-helper";
  options.backup-helper = {
    restic-repository = lib.mkOption {
      type = lib.types.str;
      default = "rest:http://10.69.12.52:8000/backup-nix";
      description = "Repository to use for restic backup.";
    };
    backup-dirs = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "Directories to be backed up.";
    };
    backup-commands = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "Backup the stdout of commands. Format strings like key:command";
    };
    schedule = lib.mkOption {
      type = lib.types.str;
      default = "*-*-* 00:00:00";
      description = "Schedule for backups. Needs to be valid systemd OnCalendar value.";
    };
    password-file = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = "File containing the restic password.";
    };
    randomized-delay = lib.mkOption {
      type = lib.types.int;
      default = 0;
      description = "Randomized delay in seconds to spread out backups.";
    };
    forget = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Run restic forget after backup.";
    };
  };
  config = lib.mkIf cfg.enable {
    systemd.services."backup-helper" = {
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      environment =
        {
          RESTIC_REPOSITORY = cfg.restic-repository;
          BACKUP_HELPER_DIRS = lib.strings.concatStringsSep "," cfg.backup-dirs;
          BACKUP_FORGET = if cfg.forget then "1" else "0";
        }
        // lib.attrsets.optionalAttrs (builtins.hasAttr "password-file" cfg) {
          RESTIC_PASSWORD_FILE = cfg.password-file;
        }
        // lib.attrsets.optionalAttrs (cfg.backup-commands != [ ]) {
          BACKUP_HELPER_COMMANDS = lib.strings.concatStringsSep ";" cfg.backup-commands;
        };
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${restic-wrapper}/bin/restic-wrapper";
      };
    };
    systemd.timers."backup-helper" = {
      timerConfig = {
        OnCalendar = cfg.schedule;
        Persistent = true;
        RandomizedDelaySec = cfg.randomized-delay;
      };
      wantedBy = [ "timers.target" ];
    };
  };
}