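# NixOS module for a Borg backup repository host.
#
# It declares one repository at /srv/backup/borg, registers every `*.pub`
# file under ./authorized-keys as an append-only client key, removes empty
# directories below the repo path at boot, sets SSH keep-alive limits for the
# `borg` user and provisions the repository passphrase through sops-nix.
{ pkgs, lib, ... }:
with lib;
{
  config = {
    services.borgbackup.repos.borg = {
      path = "/srv/backup/borg";

      # Append-only restricts what these keys can do through `borg serve`.
      # Per Borg's documentation, deletions requested by an append-only client
      # are only recorded and can take effect once the repository is next
      # written without append-only, so inspect the repo before running
      # prune/compact from a trusted host.
      authorizedKeysAppendOnly =
        let
          dir = ./authorized-keys;

          # Split a key file into one list entry per key line, dropping blank
          # lines, comment lines and the trailing newline readFile returns.
          # The borgbackup module is expected to prefix each list entry once
          # with the forced command and `restrict`; if a multi-line file were
          # passed through as a single entry, its later lines would end up in
          # authorized_keys without that prefix (confirm against the nixpkgs
          # module in use).
          keyLines = text:
            filter (line: line != "" && !(hasPrefix "#" line))
              (map (removeSuffix "\r") (splitString "\n" text));

          # Only regular files ending in ".pub" are read; symlinks,
          # directories and other names contribute no keys.
          toAuthKeys = fname: ftype:
            if ftype == "regular" && hasSuffix ".pub" fname
            then keyLines (builtins.readFile (dir + "/${fname}"))
            else [ ];
        in
        concatLists (mapAttrsToList toAuthKeys (builtins.readDir dir));
    };

    # mkBefore orders this ahead of other postBootCommands definitions.
    # `-maxdepth 1` also covers the repo root itself (depth 0).
    # NOTE(review): confirm that removing an empty root is intended;
    # otherwise add `-mindepth 1`.
    boot.postBootCommands = mkBefore ''
      ${pkgs.findutils}/bin/find /srv/backup/borg -maxdepth 1 -type d -empty -delete
    '';

    # Probe idle borg sessions every 10 s and drop them after 30 unanswered
    # probes. The closing `Match All` ends the per-user block so that any
    # sshd_config text appended after it applies globally again.
    services.openssh.extraConfig = ''
      Match User borg
        ClientAliveInterval 10
        ClientAliveCountMax 30
      Match All
    '';

    # NOTE(review): the passphrase is readable by user and group `borg`, the
    # same account the SSH Match block above applies to. Confirm that
    # something running as `borg` on this host needs it; mode 0400 would
    # suffice if only the owner reads it.
    sops.secrets.borg-passphrase = {
      sopsFile = ./passphrase.yaml;
      format = "yaml";
      key = "borg";
      owner = "borg";
      group = "borg";
      mode = "0440";
    };
  };
}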