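# NixOS container definition: runs btrbk periodically inside an isolated
# container to ship snapshots of the host's container volumes to a remote
# btrfs target over SSH.
#
# Arguments:
#   config           - accepted for call-site compatibility; not read here
#                      (the `config = {pkgs, ...}: ...` attribute below is the
#                      container's own module, not this parameter)
#   hostAddress      - host side of the container veth, passed through
#   localAddress     - container side of the veth, passed through
#   subvolumes       - list of subvolume names under subvolumeParentDir to back up
#   targetPathSuffix - appended to the remote target path (default "")
#   autoStart        - start the container at boot (default false)
{ config, hostAddress, localAddress, subvolumes, targetPathSuffix ? "", autoStart ? false, }:
let
  # Evaluated at Nix build time. Every value from this file that is
  # interpolated into a derivation below (the btrbk config written with
  # pkgs.writeText) ends up in the world-readable Nix store. Only the key
  # *path*, the SSH user and the target are interpolated here; keep it that
  # way and never put key material itself into this expression.
  # NOTE(review): assumes `keyPath` is a filesystem path, not key contents — confirm.
  passwords = import ../../variables/passwords.crypt.nix;
  # Parent directory on the host holding one btrfs subvolume per container.
  subvolumeParentDir = "/var/lib/container-volumes";
in {
  config = { pkgs, ... }: {
    # State version the container was first deployed with; keep it pinned
    # unless the stateful services inside have been migrated deliberately.
    system.stateVersion = "20.03";
    imports = [ ../profiles/containers/configuration.nix ];
    environment.systemPackages = with pkgs; [ btrfs-progs btrbk ];
    networking.firewall.enable = true;

    # Post-run hook. The timer targets this unit, which pulls in bkp-run
    # first (after/requires). Its own script is currently a placeholder
    # that does nothing.
    systemd.services."bkp-sync" = {
      enable = true;
      description = "bkp-sync service";
      serviceConfig = { Type = "oneshot"; };
      after = [ "bkp-run.service" ];
      requires = [ "bkp-run.service" ];
      path = with pkgs; [ utillinux ];
      script = ''
        set -x
        true
      '';
    };

    # The actual btrbk invocation.
    systemd.services."bkp-run" = {
      enable = true;
      description = "bkp-run";
      serviceConfig = { Type = "oneshot"; };
      partOf = [ "bkp-sync.service" ];
      path = with pkgs; [ btrfs-progs btrbk coreutils ];
      script =
        let
          # btrbk configuration. Lands in /nix/store, so it must contain only
          # non-secret settings (see the note on `passwords` above).
          #
          # backend_remote btrfs-progs-sudo: the remote account runs btrfs via
          # sudo. The matching sudoers entry lives on the remote host and is
          # not visible here; it should be scoped to the btrfs commands btrbk
          # needs rather than unrestricted root.
          #
          # Retention: snapshots 7 days + 4 weeks on the source, targets
          # 7d + 4w + 12 months + every year on the remote.
          btrbkConf = pkgs.writeText "cfg" ''
            timestamp_format long
            ssh_identity ${passwords.storage.backupTarget.keyPath}
            ssh_user ${passwords.storage.backupTarget.user}
            ssh_compression no
            backend_remote btrfs-progs-sudo
            compat_remote busybox
            btrfs_commit_delete each
            snapshot_create onchange
            snapshot_preserve_min latest
            snapshot_preserve 7d 4w
            target_preserve_min latest
            target_preserve 7d 4w 12m *y
            volume ${subvolumeParentDir}
            target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix}
            ${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes}
          '';
        in ''
          #! ${pkgs.bash}/bin/bash
          set -Eeuxo pipefail
          btrbk -c ${btrbkConf} --progress ''${@:-run}
        '';
        # Notes on the script:
        #  - NixOS already wraps `script` in its own shell wrapper, so the
        #    shebang above most likely ends up as a plain comment line.
        #  - `''${` is Nix's escape for a literal `${`; bash sees `${@:-run}`,
        #    so the btrbk action defaults to `run` when no arguments are given
        #    (which is the case under systemd).
        #  - `-x` traces every command line into the journal; that is fine
        #    only as long as no secrets are passed as arguments.
    };

    systemd.timers."bkp" = {
      description = "Timer to trigger bkp periodically";
      enable = true;
      # `timers.target` is the systemd target that collects timer units; the
      # previous `timer.target` does not exist, so the timer was only being
      # pulled in through multi-user.target.
      wantedBy = [ "timers.target" "multi-user.target" ];
      timerConfig = {
        # Obtained using `systemd-analyze calendar "Wed 23:00"`
        # OnCalendar = "Wed *-*-* 23:00:00";
        # First run one minute after boot, then every 2h after the last
        # bkp-sync.service run finished.
        OnStartupSec = "1m";
        Unit = "bkp-sync.service";
        OnUnitInactiveSec = "2h";
        # Persistent= only applies to OnCalendar= timers; with the calendar
        # schedule commented out this setting is inert until it is restored.
        Persistent = "true";
      };
    };
  };

  inherit autoStart;
  bindMounts = {
    # The volumes being backed up. Writable: the btrbk config uses
    # `volume ${subvolumeParentDir}` with snapshot_create, so snapshots are
    # created and pruned in place.
    "${subvolumeParentDir}" = {
      hostPath = subvolumeParentDir;
      isReadOnly = false;
    };
    # Secrets are exposed read-only; presumably this is where ssh_identity
    # points — confirm against passwords.crypt.nix.
    # NOTE(review): this directory lives under subvolumeParentDir itself. If
    # "backup" is one of `subvolumes`, the secrets directory is part of what
    # gets snapshotted and shipped to the remote — decide whether that is intended.
    "/etc/secrets/" = {
      hostPath = "${subvolumeParentDir}/backup/etc-secrets";
      isReadOnly = true;
    };
    "/dev/fuse" = {
      hostPath = "/dev/fuse";
      isReadOnly = false;
    };
  };
  # Bind-mounting /dev/fuse is not enough on its own; device access has to be
  # granted explicitly to the container.
  allowedDevices = [
    { node = "/dev/fuse"; modifier = "rw"; }
  ];
  # Bind the host's resolv.conf into the container so the backup target
  # resolves with the host's DNS configuration.
  extraFlags = [ "--resolv-conf=bind-host" ];
  # Own network namespace; no ports are forwarded in, the container only
  # needs outbound SSH.
  privateNetwork = true;
  forwardPorts = [];
  inherit hostAddress localAddress;
}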