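# NixOS container that periodically backs up the host's btrfs container
# volumes to a remote btrfs target with btrbk.
#
# Arguments:
#   config           - host configuration (accepted for interface compatibility; not read here)
#   hostAddress      - host-side address of the container's veth pair (passed through)
#   localAddress     - container-side address of the veth pair (passed through)
#   subvolumes       - list of subvolume names below subvolumeParentDir to back up
#   targetPathSuffix - optional path component appended below <target>/container-volumes/
{ config, hostAddress, localAddress, subvolumes, targetPathSuffix ? "" }:
let
  # Remote connection details live in an encrypted file outside this module.
  passwords = import ../../variables/passwords.crypt.nix;
  # Host directory holding the subvolumes to back up; bind-mounted read-write
  # into the container under the same path.
  subvolumeParentDir = "/var/lib/container-volumes";
in
{
  config = { pkgs, ... }: {
    imports = [ ../profiles/containers/configuration.nix ];

    environment.systemPackages = with pkgs; [ btrfs-progs btrbk ];
    networking.firewall.enable = true;

    # Ordering unit the timer triggers: pulls in bkp-run and runs after it.
    # Its own script is currently a no-op placeholder.
    systemd.services."bkp-sync" = {
      enable = true;
      description = "bkp-sync service";
      serviceConfig = { Type = "oneshot"; };
      after = [ "bkp-run.service" ];
      requires = [ "bkp-run.service" ];
      path = with pkgs; [ utillinux ];
      script = ''
        set -x true
      '';
    };

    # Runs btrbk itself.
    systemd.services."bkp-run" = {
      enable = true;
      description = "bkp-run";
      serviceConfig = { Type = "oneshot"; };
      # Stop/restart of bkp-sync propagates to this unit.
      partOf = [ "bkp-sync.service" ];
      path = with pkgs; [ btrfs-progs btrbk coreutils ];
      script =
        let
          # The btrbk configuration is generated at build time into the Nix store,
          # which is world-readable: only the *path* of the SSH identity and
          # non-secret connection details belong here, never key material.
          # backend_remote btrfs-progs-sudo means the remote side runs btrfs via
          # sudo; the matching sudoers rule on the remote host should be limited
          # to the btrfs binary.
          btrbkConf = pkgs.writeText "cfg" ''
            timestamp_format long
            ssh_identity ${passwords.storage.homeChBackup.keyPath}
            ssh_user ${passwords.storage.homeChBackup.user}
            ssh_compression no
            backend_remote btrfs-progs-sudo
            compat_remote busybox
            btrfs_commit_delete each
            snapshot_create onchange
            snapshot_preserve_min latest
            snapshot_preserve 7d 4w
            target_preserve_min no
            target_preserve 7d 4w 12m *y
            volume ${subvolumeParentDir}
            target ${passwords.storage.homeChBackup.target}/container-volumes/${targetPathSuffix}
            ${builtins.foldl' (acc: name: acc + " subvolume " + name + "\n") "" subvolumes}
          '';
        in ''
          #! ${pkgs.bash}/bin/bash
          set -Eeuxo pipefail
          # Unit arguments, if any, select the btrbk action; default is a full run.
          btrbk -c ${btrbkConf} --progress ''${@:-run}
        '';
    };

    # Periodic trigger. "timers.target" is the systemd target that pulls in
    # timer units at boot; the previous spelling "timer.target" is not a real
    # target, so the timer was only reached via multi-user.target.
    systemd.timers."bkp" = {
      description = "Timer to trigger bkp periodically";
      enable = true;
      wantedBy = [ "timers.target" "multi-user.target" ];
      timerConfig = {
        # Obtained using `systemd-analyze calendar "Wed 23:00"`
        # OnCalendar = "Wed *-*-* 23:00:00";
        OnStartupSec = "1m";
        Unit = "bkp-sync.service";
        OnUnitInactiveSec = "2h";
        Persistent = "true";
      };
    };
  };

  autoStart = true;
  bindMounts = {
    # Data to back up; read-write so btrbk can create and delete snapshots.
    "${subvolumeParentDir}" = {
      hostPath = subvolumeParentDir;
      isReadOnly = false;
    };
    # Read-only so the container cannot alter its own credentials.
    # NOTE(review): presumably where ssh_identity in passwords.crypt.nix points — verify.
    "/etc/secrets/" = {
      hostPath = "/var/lib/container-volumes/backup/etc-secrets";
      isReadOnly = true;
    };
    "/dev/fuse" = {
      hostPath = "/dev/fuse";
      isReadOnly = false;
    };
  };
  allowedDevices = [ { node = "/dev/fuse"; modifier = "rw"; } ];
  # Own network namespace; nothing is forwarded in from the host.
  privateNetwork = true;
  forwardPorts = [ ];
  inherit hostAddress localAddress;
}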