{
  config,
  pkgs,
  ...
}:
let
  environmentFile = toString (
    pkgs.writeText "restic-gcs-env" ''
      GOOGLE_PROJECT_ID=fcuny-infra
      GOOGLE_APPLICATION_CREDENTIALS=${config.age.secrets.restic_gcs_credentials.path}
    ''
  );
in
{
  services.restic.backups.local = {
    passwordFile = config.age.secrets.restic_password.path;
    repository = "/srv/data/backups/";
    initialize = true;
    paths = [ "/var/lib/gitolite" ];
    exclude = [
      "/var/lib/gitolite/.bash_history"
      "/var/lib/gitolite/.ssh"
      "/var/lib/gitolite/.viminfo"
    ];
    extraBackupArgs = [
      "--exclude-caches"
      "--compression=max"
    ];
    timerConfig = {
      OnCalendar = "daily";
    };
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 4"
      "--keep-monthly 3"
    ];
  };

  services.restic.backups.gcs = {
    passwordFile = config.age.secrets.restic_password.path;
    environmentFile = environmentFile;
    repository = "gs:fcuny-infra-backups:/vm-synology/";
    initialize = true;
    paths = [ "/var/lib/gitolite" ];
    exclude = [
      "/var/lib/gitolite/.bash_history"
      "/var/lib/gitolite/.ssh"
      "/var/lib/gitolite/.viminfo"
    ];
    extraBackupArgs = [
      "--exclude-caches"
      "--compression=max"
    ];
    timerConfig = {
      OnCalendar = "daily";
    };
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 4"
      "--keep-monthly 3"
    ];
  };

  environment = {
    sessionVariables = {
      RESTIC_REPOSITORY = "/srv/data/backups";
      RESTIC_PASSWORD_FILE = config.age.secrets.restic_password.path;
    };
    systemPackages = with pkgs; [
      restic
    ];
  };
}