{ pkgs, lib, config, inputs, ... }:
let
  # NixOS host module: a dedicated `backup` system account that can receive
  # ZFS snapshots over ssh, plus sanoid pruning for the received datasets.
  cfg = config.users;
  diskGroup = cfg.groups.disk.name;
  backupName = cfg.users.backup.name;

  # zfs binary of the booted generation rather than the one being activated;
  # presumably chosen to match the loaded kernel module — confirm.
  zfs = "/run/booted-system/sw/bin/zfs";

  # Public key of the backup account, read from the private `secrets` flake input.
  backupKey = builtins.readFile (inputs.secrets + "/hosts/losurdo/ssh/backup.ssh-ed25519.pub");

  # Shared sanoid settings: keep 3 monthlies, prune everything older.
  pruneMonthly = { autoprune = true; monthly = 3; };

  # Settings for datasets received from another host: no local autosnap
  # (the "remote" template), 31 dailies kept.
  receivedDataset = { use_template = [ "remote" ]; daily = 31; };
in
{
  users.users.backup = {
    isSystemUser = true;
    # Same login shell as root, i.e. an interactive shell rather than a restricted one.
    shell = cfg.users.root.shell;
    # NOTE(review): `disk` group membership is commonly treated as raw
    # block-device access; confirm this is acceptable for an ssh-reachable account.
    group = diskGroup;
    # The backup key plus every key julm can log in with. No key options
    # (command=/restrict) are visible here; whether the key file itself carries
    # them has to be checked in the secrets repository.
    openssh.authorizedKeys.keys = [ backupKey ] ++ cfg.users."julm".openssh.authorizedKeys.keys;
  };

  # Make /dev/zfs read/writable by the disk group so the backup user can reach zfs.
  systemd.tmpfiles.rules = [ "z /dev/zfs 0660 - ${diskGroup} -" ];

  # Delegate ZFS permissions to the backup user on activation: send-side
  # rights on the whole pool, receive-side rights under rpool/backup only.
  # Note that bookmark/hold/send is delegated on all of rpool, not just rpool/backup.
  system.activationScripts.backup = ''
    # This one should not be necessary
    ${zfs} allow -u ${backupName} bookmark,hold,send rpool
    ${zfs} allow -u ${backupName} receive,create,mount,rollback rpool/backup
  '';

  # sanoid needs the same /dev/zfs access as the backup user.
  systemd.services.sanoid.serviceConfig.SupplementaryGroups = [ diskGroup ];

  services.sanoid = {
    enable = true;
    templates = {
      # "local": snapshot and prune datasets that originate on this host.
      local = pruneMonthly // { autosnap = true; };
      # "remote": only prune; snapshots arrive from the sending host.
      remote = pruneMonthly // { autosnap = false; };
    };
    extraArgs = [
      "--verbose"
      #"--debug"
    ];
    datasets = {
      "rpool/backup/losurdo/var/postgresql" = receivedDataset;
      # cryptpad keeps dailies only: the template's 3 monthlies are overridden to 0.
      "rpool/backup/losurdo/var/cryptpad" = receivedDataset // { monthly = 0; };
    };
  };
}