{
  config,
  lib,
  pkgs,
  ...
}:

# using the restic cli:
# load credentials into shell by adding B2 secrets to .env (see .env.example).
# useful commands for analysing restic stats [snapshot-id], restic diff [s1] [s2],

with lib;
with builtins;
let
  resticLib = import ./lib.nix { inherit config lib pkgs; };
in
{
  imports = [ ./common.nix ];

  environment.systemPackages = with pkgs; [ restic ];

  services.restic.backups.full = resticLib.resticConfig {
    name = "home-pc";
    paths = [
      "/etc/nixos"
      "/var/lib"
      "/home"
    ];
    # inspiration: https://github.com/rubo77/rsync-homedir-excludes
    ignorePatterns = [
      "/var/lib/systemd"
      "/var/lib/libvirt"
      "/var/lib/containers"
      "/var/lib/nixos-containers"
      "/var/lib/lxcfs"
      "/var/lib/docker"
      "/var/lib/flatpak"
      "/var/lib/ollama"
      "/var/lib/open-webui"
      "/var/lib/private/open-webui"
      "/home/*/Downloads"
      "/home/*/Pictures"
      "/home/*/Videos"
      "/home/*/Music"
      "/home/*/Games"
      "/home/*/.android"
      "/home/*/.AndroidStudio*"
      "/home/*/.cache"
      "/home/*/.cargo"
      "/home/*/.compose-cache"
      "/home/*/.dotnet"
      "/home/*/.gradle"
      "/home/*/.mozilla"
      "/home/*/.mullvad"
      "/home/*/.npm"
      "/home/*/.nuget"
      "/home/*/.rustup"
      "/home/*/.steam"
      "/home/*/.templateengine"
      "/home/*/.var"
      "/home/*/.wine"
      "/home/*/.vagrant.d"
      "/home/*/.local/share/containers"
      "/home/*/.local/share/docker"
      "/home/*/.local/share/flatpak"
      "/home/*/.local/share/gnome-boxes"
      "/home/*/.local/share/bottles"
      "/home/*/.local/share/Steam"
      "/home/*/.local/share/libvirt"
      "/home/*/.local/share/lutris"
      "/home/*/.local/share/NuGet"
      "/home/*/.local/share/tor-browser"
      "/home/*/.local/share/com.github.johnfactotum.Foliate/books"
      "/home/*/.local/share/Trash"
      "/home/*/.config/BraveSoftware"
      "/home/*/.config/chromium"
      "/home/*/.config/gatsby"
      "/home/*/.config/heroic"
      "/home/*/.config/libvirt"
      "/home/*/.config/Proton Pass"
      "/home/*/.config/spotify/Users"
      "/home/felschr/media"
      "/home/felschr/dev" # backup ~/dev-backup instead

      # general
      ".cache"
      "cache"
      ".tmp"
      ".temp"
      "tmp"
      "temp"
      ".log"
      "log"
      ".Trash"

      # electron apps
      "/home/*/.config/**/blob_storage"
      "/home/*/.config/**/Application Cache"
      "/home/*/.config/**/Cache"
      "/home/*/.config/**/CachedData"
      "/home/*/.config/**/Code Cache"
      "/home/*/.config/**/GPUCache"
      "/home/*/.var/app/**/blob_storage"
      "/home/*/.var/app/**/Application Cache"
      "/home/*/.var/app/**/Cache"
      "/home/*/.var/app/**/CachedData"
      "/home/*/.var/app/**/Code Cache"
      "/home/*/.var/app/**/GPUCache"
    ];
    timerConfig.OnCalendar = "0/6:00:00";
    extraPruneOpts = [ "--keep-last 4" ];

    # Extra handling for dev folder to respect .gitignore files.
    # Do not delete `~/dev-backup` since this leads to changing ctimes
    # which would cause otherwise unchanged files to be backed up again.
    # Since `--link-dest` is used, file contents won't be duplicated on disk.
    backupPrepareCommand = ''
      # remove stale locks
      ${pkgs.restic}/bin/restic unlock || true

      rm -rf /home/felschr/dev-backup
      ${pkgs.rsync}/bin/rsync \
        -a --delete \
        --filter=':- .gitignore' \
        --exclude 'nixpkgs' \
        --link-dest=/home/felschr/dev \
        /home/felschr/dev/ /home/felschr/dev-backup
    '';
  };
}