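{ config, pkgs, ... }:
{
  # Restic backups to the local REST server (docker/restic.nix, port 8010,
  # private repos). Each service gets its own repository at
  # rest:http://localhost:8010/<service>/ and its own REST credential.
  #
  # Plain http is only acceptable because the REST server listens on
  # localhost; restic encrypts repository contents client-side with the
  # repository password, so the REST credential only gates access to the
  # already-encrypted blobs.
  #
  # REST credentials are injected via sops templates as an EnvironmentFile so
  # the password never lands in the world-readable Nix store or on a
  # command line. Add new jobs below following the same pattern.
  sops = {
    # Repository encryption password (passed to restic via passwordFile).
    secrets."restic/kanidm_password" = { };
    # HTTP basic-auth password for the REST server's "kanidm" user.
    secrets."restic/kanidm_rest_password" = { };

    # Compose a KEY=VALUE env file for the restic systemd service; sops-nix
    # renders the placeholder at activation time, outside the Nix store.
    templates."restic-kanidm-env" = {
      content = ''
        RESTIC_REST_USERNAME=kanidm
        RESTIC_REST_PASSWORD=${config.sops.placeholder."restic/kanidm_rest_password"}
      '';
    };
  };

  services.restic.backups = {
    kanidm = {
      repository = "rest:http://localhost:8010/kanidm/";
      passwordFile = config.sops.secrets."restic/kanidm_password".path;
      environmentFile = config.sops.templates."restic-kanidm-env".path;

      # Fold the SQLite WAL back into the main database file right before the
      # snapshot. This only narrows the window for a torn copy: nothing here
      # stops kanidmd, and restic afterwards reads kanidm.db (and any
      # remaining -wal file) non-atomically, so the copy is not guaranteed to
      # be transactionally consistent (an online copy via sqlite's `.backup`
      # would be). The `.timeout` lets the checkpoint wait up to 5s for the
      # write lock instead of failing immediately with "database is locked"
      # while kanidm is mid-write. Note that the PRAGMA still exits 0 when it
      # reports a partial (busy) checkpoint, so a failed checkpoint does not
      # abort the backup.
      backupPrepareCommand = ''
        ${pkgs.sqlite}/bin/sqlite3 -cmd ".timeout 5000" /var/lib/kanidm/kanidm.db "PRAGMA wal_checkpoint(FULL);"
      '';

      paths = [ "/var/lib/kanidm" ];

      timerConfig = {
        OnCalendar = "04:00";
        # Run a missed 04:00 backup on the next boot instead of skipping it.
        Persistent = true;
      };

      # Retention after forget/prune: 7 daily, 4 weekly, 3 monthly snapshots.
      pruneOpts = [
        "--keep-daily 7"
        "--keep-weekly 4"
        "--keep-monthly 3"
      ];
    };
  };
}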