{ config, lib, ... }: {
  options.snowflake.services.restic = {
    enable = lib.mkEnableOption "enable restic";

    name = lib.mkOption {
      type = lib.types.str;
      description = "name to backup under, preferably use hostname";
    };
  };

  config = lib.mkIf config.snowflake.services.restic.enable {
    # TODO: potentially use a security wrapper on the restic binay, instead of
    # running it as root
    services.restic.backups = {
      kryo = {
        user = "root";
        repository =
          "sftp:cc@kryo.v2.n1.codingcoffee.me:/home/cc/${config.snowflake.services.restic.name}-backup";
        initialize =
          true; # initializes the repo, don't set if you want manual control
        timerConfig = {
          # backup daily
          OnCalendar = "daily";
          # to take care of backup if system was turned off during designated
          # backup time
          Persistent = true;
        };
        passwordFile = "/home/cc/.dotfiles/nix/conf/restic/password";
        extraBackupArgs = [
          # "--dry-run"
          "--exclude-file=/home/cc/.dotfiles/autorestic/.autoresticignore"
        ];
        pruneOpts = [ "--keep-last 10" ];
        paths = [ "/home/cc" ];
      };
    };
  };
}