{
  pkgs,
  lib,
  config,
  ...
}: let
  cfg = config.pim.backups;

  borgmaticConfig = pkgs.writeTextFile {
    name = "borgmatic-config.yaml";

    text = lib.generators.toYAML {} {
      source_directories = ["/mnt/longhorn/persistent/longhorn-backup" "/mnt/longhorn/persistent/volumes"];

      repositories = [
        {
          path = cfg.repoLocation;
          label = "nfs";
        }
        {
          path = "ssh://s6969ym3@s6969ym3.repo.borgbase.com/./repo";
          label = "borgbase";
        }
      ];

      ssh_command = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borg/borgbasePrivateKey".path} -o StrictHostKeychecking=no";
      keep_daily = 7;
      keep_weekly = 4;
      keep_monthly = 6;
      encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/borgPassphrase".path}";
    };
  };
in {
  options.pim.backups = {
    enable = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = ''
        Whether to enable backups of persistent data on this machine.
      '';
    };

    repoLocation = lib.mkOption {
      default = "/mnt/longhorn/persistent/nfs.borg";
      type = lib.types.str;
      description = ''
        Location of the Borg repository to back up to.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = with pkgs; [borgbackup];
    # Converted from:
    # https://github.com/borgmatic-collective/borgmatic/tree/84823dfb912db650936e3492f6ead7e0e0d32a0f/sample/systemd
    systemd.services.borgmatic = {
      description = "borgmatic backup";
      wants = ["network-online.target"];
      after = ["network-online.target"];
      unitConfig.ConditionACPower = true;
      preStart = "${pkgs.coreutils}/bin/sleep 10s";

      serviceConfig = {
        Type = "oneshot";
        Nice = 19;
        CPUSchedulingPolicy = "batch";
        IOSchedulingClass = "best-effort";
        IOSchedulingPriority = 7;
        IOWeight = 100;
        Restart = "no";
        LogRateLimitIntervalSec = 0;
        Environment = "BORG_PASSPHRASE_FILE=${config.sops.secrets."borg/borgPassphrase".path}";
      };

      script = "${pkgs.systemd}/bin/systemd-inhibit --who=\"borgmatic\" --what=\"sleep:shutdown\" --why=\"Prevent interrupting scheduled backup\" ${pkgs.borgmatic}/bin/borgmatic --verbosity -2 --syslog-verbosity 1 -c ${borgmaticConfig}";
    };

    systemd.timers.borgmatic = {
      description = "Run borgmatic backup";
      wantedBy = ["timers.target"];
      timerConfig = {
        OnCalendar = "*-*-* 3:00:00";
        Persistent = true;
        RandomizedDelaySec = "1h";
      };
    };

    sops.secrets = {
      "borg/borgPassphrase" = {};
      "borg/borgbasePrivateKey" = {};
    };
  };
}