# NixOS module: pgBackRest TLS server plus two stanzas ("surtr" and
# "srv01.uniworx.de") whose PostgreSQL hosts are reached over TLS and whose
# backups land in the local repo2 under /var/lib/pgbackrest.
{ config, flake, ... }:

let
  # Dedicated system account that owns the repository, the spool directory
  # and the TLS private key.
  svcAccount = "pgbackrest";

  repoDir = "/var/lib/pgbackrest";
  spoolDir = "/var/spool/pgbackrest";

  # Public TLS material, referenced by path string. `toString` on a path
  # yields the path as a plain string instead of importing the file on its own.
  caFile = toString ./ca/ca.crt;
  certFile = toString ./ca/vidhar.crt;

  # The private key is provisioned by sops-nix; only its runtime path is
  # referenced here. The same certificate/key pair serves as the TLS client
  # identity (pg1-host-*) and as the TLS server identity (tls-server-*).
  keyFile = config.sops.secrets."pgbackrest.key".path;

  # Stanza settings taken from the "surtr" host's own NixOS configuration, so
  # the PostgreSQL data path stays in sync with what that host declares.
  surtrRepoCfg = flake.nixosConfigurations."surtr".config.services.pgbackrest.settings.surtr;

  # TLS client settings for reaching the PostgreSQL host of a stanza.
  pgHostTls = host: {
    pg1-host-type = "tls";
    pg1-host = host;
    pg1-host-ca-file = caFile;
    pg1-host-cert-file = certFile;
    pg1-host-key-file = keyFile;
  };

  # Local repository with time-based retention, shared by both stanzas.
  # NOTE(review): no repo2-cipher-type is set in this file, so the repository
  # is stored unencrypted unless that is configured elsewhere; confidentiality
  # then rests on the 0750 directory mode and whatever protects the disk.
  localRepo = {
    repo2-path = repoDir;
    repo2-retention-full-type = "time";
    repo2-retention-full = 14;
    repo2-retention-archive = 7;
  };

  # Parallelism used for both archive-push and archive-get.
  archiveWorkers = {
    process-max = 6;
  };
in
{
  config = {
    services.pgbackrest = {
      enable = true;

      tlsServer = {
        enable = true;
        user = svcAccount;
        group = svcAccount;
      };

      settings = {
        "surtr" =
          pgHostTls "pgbackrest.surtr.yggdrasil"
          // { pg1-path = surtrRepoCfg.pg1-path; }
          // localRepo;
        # Disabled repo1 (remote repository on surtr) settings, kept for reference:
        # repo1-host-type = "tls";
        # repo1-host = "pgbackrest.surtr.yggdrasil";
        # repo1-host-ca-file = toString ./ca/ca.crt;
        # repo1-host-cert-file = toString ./tls.crt;
        # repo1-host-key-file = config.sops.secrets."pgbackrest.key".path;
        # repo1-retention-full-type = "time";
        # repo1-retention-full = 7;
        # repo1-retention-archive = 2;

        # NOTE(review): no `backups` entry for this stanza is visible in this
        # file; confirm it is scheduled elsewhere.
        "srv01.uniworx.de" =
          pgHostTls "srv01.uniworx.de"
          // { pg1-path = "/var/lib/postgresql/15"; }
          // localRepo;

        "global" = {
          compress-type = "zst";
          compress-level = 9;
          archive-async = true;
          spool-path = spoolDir;
        };

        "global:server" = {
          # The listener is bound to this single address rather than to all
          # interfaces.
          tls-server-address = "2a03:4000:52:ada:4:1::";
          tls-server-ca-file = caFile;
          tls-server-cert-file = certFile;
          tls-server-key-file = keyFile;
          # Client certificate CN -> stanza it is authorised for. Each client
          # is limited to its own stanza; keep it that way when adding hosts.
          tls-server-auth = [
            "surtr.yggdrasil=surtr"
            "srv01.uniworx.de=srv01.uniworx.de"
          ];
        };

        "global:archive-push" = archiveWorkers;
        "global:archive-get" = archiveWorkers;
      };

      # Daily backup of the "surtr" stanza into repo2, run as the service account.
      backups."surtr-daily" = {
        stanza = "surtr";
        repo = "2";
        user = svcAccount;
        group = svcAccount;

        timerConfig.OnCalendar = "daily Europe/Berlin";
      };
    };

    systemd = {
      # Repository and spool directories: owner and group only (0750).
      tmpfiles.rules = [
        "d /var/lib/pgbackrest 0750 pgbackrest pgbackrest - -"
        "d /var/spool/pgbackrest 0750 pgbackrest pgbackrest - -"
      ];

      # The TLS server unit also declares the repository as its state
      # directory, with the same 0750 mode as the tmpfiles rule.
      services."pgbackrest-tls-server".serviceConfig = {
        StateDirectory = [ "pgbackrest" ];
        StateDirectoryMode = "0750";
      };
    };

    users = {
      users.pgbackrest = {
        name = svcAccount;
        group = svcAccount;
        isSystemUser = true;
        home = repoDir;
      };
      groups.pgbackrest = { };
    };

    # TLS private key, readable by the service account only (0400).
    # NOTE(review): ./ca/vidhar.key is used as the sopsFile, so it is expected
    # to be the sops-encrypted form; verify the cleartext key is never committed.
    sops.secrets."pgbackrest.key" = {
      format = "binary";
      sopsFile = ./ca/vidhar.key;
      owner = svcAccount;
      group = svcAccount;
      mode = "0400";
    };
  };
}