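# NixOS module: one daily rsync-over-SSH backup per entry in `syncJobs`.
# Each job produces a systemd timer and a sandboxed oneshot service that
# share the unit name "rsync-backup-<name>".
{ pkgs, config, ... }:
let
  # name        -> suffix of the generated unit name
  # source      -> local directory (trailing slash: rsync copies its contents)
  # destination -> directory on the remote host
  syncJobs = [
    {
      name = "movies";
      source = "/data/media/movies/";
      destination = "/volume1/media/movies/";
    }
    {
      name = "videos";
      source = "/data/media/videos/";
      destination = "/volume1/media/videos/";
    }
  ];

  remoteHost = "192.168.1.68";
  remoteUser = "nas";

  # Timer and service must carry the same name so the timer activates the service.
  unitName = job: "rsync-backup-${job.name}";
in
{
  # Encrypted SSH private key; the decrypted path is handed to the service
  # through LoadCredential below rather than being read by the job directly.
  age.secrets.rsync-ssh-key.file = ../secrets/rsync-ssh-nas.age;

  systemd.timers = pkgs.lib.listToAttrs (
    map (job: {
      name = unitName job;
      value = {
        wantedBy = [ "timers.target" ];
        timerConfig = {
          OnCalendar = "daily";
          # Run a missed job after the machine was off at the scheduled time.
          Persistent = true;
          # Spread the jobs so they do not all start at the same moment.
          RandomizedDelaySec = "1h";
        };
      };
    }) syncJobs
  );

  systemd.services = pkgs.lib.listToAttrs (
    map (job: {
      name = unitName job;
      value = {
        description = "Rsync backup for ${job.name}";
        serviceConfig = {
          Type = "oneshot";

          # Sandbox: transient unprivileged user, read-only view of the system.
          # NOTE(review): the dynamic user needs read access to job.source;
          # confirm the permissions on the media directories.
          DynamicUser = true;
          PrivateTmp = true;
          NoNewPrivileges = true;
          ProtectSystem = "strict";
          ProtectHome = true;

          # systemd copies the key into $CREDENTIALS_DIRECTORY for this unit
          # only, so the dynamic user never needs access to the agenix path.
          LoadCredential = "ssh-key:${config.age.secrets.rsync-ssh-key.path}";

          # Writable, persistent directory for known_hosts. A DynamicUser
          # under ProtectSystem=strict has no writable home, so ssh could not
          # store the key learned by accept-new; the pin would be lost and
          # every run would trust whatever host key is presented. Persisting
          # it here makes accept-new a real trust-on-first-use pin: a changed
          # host key fails the job instead of being accepted silently.
          StateDirectory = unitName job;

          ExecStart = pkgs.writeShellScript (unitName job) ''
            # Fail on unset variables so a missing credential or state
            # directory aborts the job instead of yielding an empty path.
            set -u

            # For a stronger guarantee than first-use pinning, declare the
            # NAS host key via programs.ssh.knownHosts and switch to
            # StrictHostKeyChecking=yes.
            ${pkgs.rsync}/bin/rsync \
              -avz \
              -e "${pkgs.openssh}/bin/ssh -i ''${CREDENTIALS_DIRECTORY}/ssh-key -o UserKnownHostsFile=''${STATE_DIRECTORY}/known_hosts -o StrictHostKeyChecking=accept-new" \
              ${pkgs.lib.escapeShellArg job.source} \
              ${pkgs.lib.escapeShellArg "${remoteUser}@${remoteHost}:${job.destination}"}
          '';
        };
      };
    }) syncJobs
  );
}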