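# NixOS module `services.mlabs-backup`.
#
# When enabled it creates a `backupdl` user (SSH public-key login) and a
# setuid-root wrapper named `mlabs-backup`, executable only by the `backupdl`
# group. The wrapper writes a bzip2-compressed, symmetrically GPG-encrypted tar
# archive of the listed paths plus fresh database dumps to stdout.
{ config, pkgs, lib, ... }:
with lib;
let
  # Glob patterns handed to `tar --exclude`: regenerable caches/indexes and
  # old Mattermost attachment directories.
  excludePaths = [
    "/var/lib/gitea/repositories/*/*.git/archives"
    "/var/lib/gitea/data/repo-archive"
    "/var/lib/gitea/data/indexers"
    "/var/vmail/m-labs.hk/js"
    "/var/lib/afws/.cache"
    "/var/lib/mattermost/data/2019*"
    "/var/lib/mattermost/data/2020*"
    "/var/lib/mattermost/data/2021*"
    "/var/lib/mattermost/data/2022*"
    "/var/lib/mattermost/data/2023*"
  ];

  # The actual backup job. It is only ever started by `makeBackup` below, with
  # an empty environment and a fixed PATH.
  backupScript = pkgs.writeScript "make-backup-unwrapped" ''
    #!${pkgs.bash}/bin/bash -p
    # -p keeps the effective uid (root) that the setuid wrapper provides.
    # NOTE(review): only `set -e` is active, so the exit status of the final
    # pipeline is that of gpg; a failing tar or bzip2 goes unnoticed. Enabling
    # pipefail would change the exit code callers see, so confirm before
    # turning it on.
    set -e
    # Dumps are plaintext: keep the scratch directory and files owner-only.
    umask 0077

    DBDUMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
    trap "${pkgs.coreutils}/bin/rm -rf \"$DBDUMPDIR\"" EXIT
    cd "$DBDUMPDIR"

    ${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql
    ${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
    ${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql

    # The passphrase reaches gpg through fd 6, so it never appears on a
    # command line.
    exec 6< /etc/nixos/secret/backup-passphrase
    ${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} \
      /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws \
      /var/lib/mattermost/data /var/www/193thz \
      flarum.sql mattermost.sql rt.sql | \
    ${pkgs.bzip2}/bin/bzip2 | \
    ${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6
  '';

  # Entry point used as the source of the setuid wrapper. The caller is an
  # unprivileged member of `backupdl`, so everything inherited from its
  # environment (PATH, HOME, TMPDIR, TAR_OPTIONS, BZIP2, PG*, MYSQL_*,
  # GNUPGHOME, ...) is untrusted and must not reach tools running as root.
  # `env -i` starts the real job with an empty environment and a pinned PATH.
  makeBackup = pkgs.writeScript "make-backup" ''
    #!${pkgs.bash}/bin/bash -p
    exec ${pkgs.coreutils}/bin/env -i PATH=${pkgs.coreutils}/bin ${backupScript}
  '';

  cfg = config.services.mlabs-backup;
in
{
  options.services.mlabs-backup = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Enable backups";
    };
  };

  config = mkIf cfg.enable {
    users.extraGroups.backupdl = { };

    # Account the remote backup host logs in as, authenticated by SSH key only.
    users.extraUsers.backupdl = {
      isNormalUser = true;
      extraGroups = ["backupdl" "nextcloud"];
      openssh.authorizedKeys.keys = [
        "ssh-rsa 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 backupdl@minipc"
      ];
    };

    # Setuid-root wrapper; `g+x` with group `backupdl` means only members of
    # that group can execute it.
    security.wrappers.mlabs-backup = {
      source = makeBackup;
      setuid = true;
      owner = "root";
      group = "backupdl";
      permissions = "g+x";
    };
  };
}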