{ config, pkgs, lib, ... }:

with lib;

let
  copyService = { repo, repoEscaped }: let
    serviceName = "copy-borg@${repoEscaped}";
    sshConfig = pkgs.writeText "config" ''
      Include /etc/ssh/ssh_config

      Host yggdrasil.borgbase
        HostName nx69hpl8.repo.borgbase.com
        User nx69hpl8
        IdentityFile /run/credentials/${serviceName}.service/ssh-identity
        IdentitiesOnly yes

        BatchMode yes
        ServerAliveInterval 10
        ServerAliveCountMax 30
    '';
  in nameValuePair serviceName {
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${copyBorg}/bin/copy ${escapeShellArg repo} yggdrasil.borgbase:repo";
      # User = "borg";
      # Group = "borg";
      StateDirectory = "borg";
      RuntimeDirectory = "copy-borg";
      Environment = [
        "BORG_RSH=\"${pkgs.openssh}/bin/ssh -F ${sshConfig}\""
        "BORG_BASE_DIR=/var/lib/borg"
        "BORG_CONFIG_DIR=/var/lib/borg/config"
        "BORG_CACHE_DIR=/var/lib/borg/cache"
        "BORG_SECURITY_DIR=/var/lib/borg/security"
        "BORG_KEYS_DIR=/var/lib/borg/keys"
        "BORG_KEY_FILE=/run/credentials/${serviceName}.service/keyfile"
        "BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes"
        "BORG_HOSTNAME_IS_UNIQUE=yes"
      ];
      LoadCredential = [
        "ssh-identity:${config.sops.secrets."append.borgbase".path}"
        "keyfile:${config.sops.secrets."yggdrasil.borgkey".path}"
      ];
    };
  };

  copyBorg = pkgs.stdenv.mkDerivation (let
    # packageOverrides = pkgs.callPackage ./pyprctl-packages.nix {};
    # inpPython = pkgs.python39.override { inherit packageOverrides; };
    inpPython = pkgs.python39;
  in rec {
    name = "copy";
    src = ./copy.py;

    phases = ["buildPhase" "checkPhase" "installPhase"];

    buildInputs = with pkgs; [makeWrapper];

    python = inpPython.withPackages (ps: with ps; [humanize tqdm dateutil xdg python-unshare halo]);

    buildPhase = ''
      substitute $src copy \
        --subst-var-by python ${escapeShellArg python}
    '';

    doCheck = true;
    checkPhase = ''
      ${python}/bin/python -m py_compile copy
    '';

    installPhase = ''
      install -m 0755 -D -t $out/bin \
        copy

      wrapProgram $out/bin/copy \
        --prefix PATH : ${makeBinPath (with pkgs; [utillinux borgbackup])}
    '';
  });
in {
  config = {
    services.borgbackup.repos.jotnar = {
      path = "/srv/backup/borg/jotnar";
      authorizedKeysAppendOnly = let
        dir = ./jotnar;
        toAuthKey = fname: ftype: if ftype != "regular" || !(hasSuffix ".pub" fname) then null else builtins.readFile (dir + "/${fname}");
      in filter (v: v != null) (mapAttrsToList toAuthKey (builtins.readDir dir));
    };

    boot.postBootCommands = mkBefore ''
      ${pkgs.findutils}/bin/find /srv/backup/borg -type d -empty -delete
    '';

    users.users.borg.extraGroups = ["ssh"];

    services.openssh.extraConfig = ''
      Match User borg
        ClientAliveInterval 10
        ClientAliveCountMax 30

      Match All
    '';

    sops.secrets."append.borgbase" = {
      format = "binary";
      sopsFile = ./append.borgbase;
    };
    sops.secrets."yggdrasil.borgkey" = {
      format = "binary";
      sopsFile = ./yggdrasil.borgkey;
    };

    systemd.services = listToAttrs (map copyService [{ repo = "/srv/backup/borg/jotnar"; repoEscaped = "srv-backup-borg-jotnar"; }]);

    systemd.timers."copy-borg@srv-backup-borg-jotnar" = {
      wantedBy = ["multi-user.target"];
      
      timerConfig = {
        OnCalendar = "*-*-* 00/4:00:00 Europe/Berlin";
      };
    };
  };
}