{ config, ... }:
let
  inherit (builtins) readFile;
  inherit (config.users) users groups;
in
{
  # Account that the remote backup sender logs into over SSH.
  # NOTE(review): the key path suggests syncoid running on the `losurdo` host;
  # confirm against that host's configuration.
  users.users.backup = {
    isSystemUser = true;
    # Reuses root's configured shell, presumably so SSH sessions for this
    # account can execute the commands the sender issues.
    shell = users.root.shell;
    # Primary group `disk`; the tmpfiles rule in this file hands /dev/zfs to
    # the same group.
    # NOTE(review): with stock udev rules `disk` usually also owns the raw
    # block-device nodes, which would give this account read/write access to
    # whole disks rather than only ZFS ioctls. Verify, and consider a
    # dedicated group.
    group = groups.disk.name;
    # Accepted keys: the syncoid public key plus every key already authorized
    # for `julm`.
    # NOTE(review): no authorized_keys options (`restrict`, `command=`,
    # `from=`) are added here, so unless the .pub file itself carries them,
    # each of these keys gets an unrestricted shell as `backup`. Confirm that
    # is intended.
    openssh.authorizedKeys.keys = [
      (readFile ../losurdo/syncoid/sshKey.pub)
    ] ++ users."julm".openssh.authorizedKeys.keys;
  };
  # tmpfiles `z` entry: set the existing /dev/zfs node to mode 0660 with group
  # `disk`, leaving the owner unchanged (`-`).
  # NOTE(review): whether this tightens or loosens access depends on the mode
  # the node is created with on this system. Check that before relying on the
  # rule as a restriction.
  systemd.tmpfiles.rules = [
    "z /dev/zfs 0660 - ${groups."disk".name}  -"
  ];
  # Activation-time ZFS delegation for the backup account, issued with the zfs
  # binary of the booted system:
  #   - bookmark, hold, send             on rpool
  #   - receive, create, mount, rollback on rpool/backup
  # NOTE(review): `zfs allow` without -l/-d normally applies to descendants as
  # well, so `send` on the pool root would let this account stream out every
  # dataset in rpool, including any that hold secrets. Consider scoping the
  # grant to the datasets that are actually replicated.
  # NOTE(review): `rollback` on rpool/backup lets any holder of an authorized
  # key discard newer received state. Confirm the retention model tolerates
  # that.
  # NOTE(review): the remark inside the script says the first grant should not
  # be necessary but gives no reason for keeping it. Record the reason or drop
  # the grant.
  system.activationScripts.backup = ''
    # This one should not be necessary
    /run/booted-system/sw/bin/zfs allow -u ${users.backup.name} bookmark,hold,send rpool
    /run/booted-system/sw/bin/zfs allow -u ${users.backup.name} receive,create,mount,rollback rpool/backup
  '';

  # Adds the `disk` group to the sanoid unit, presumably so it can open
  # /dev/zfs under the 0660 group-`disk` mode set by the tmpfiles rule in this file.
  # NOTE(review): if `disk` also owns raw block devices on this system, the
  # service gains that access too. Verify.
  systemd.services.sanoid.serviceConfig.SupplementaryGroups = [ groups."disk".name ];
  # Snapshot policy. Two templates share the same retention counts (3 monthly,
  # 31 daily, 24 hourly, no yearly or "frequently" snapshots) and differ only in
  # whether sanoid creates snapshots itself.
  services.sanoid = {
    enable = true;
    templates = {
      # Local data: sanoid both takes and prunes snapshots.
      snap = {
        autosnap = true;
        autoprune = true;
        yearly = 0;
        monthly = 3;
        daily = 31;
        hourly = 24;
        frequently = 0;
      };
      # Prune-only: sanoid never creates snapshots here, it only expires them.
      # NOTE(review): presumably for datasets whose snapshots arrive through
      # replication from another host; confirm.
      prune = {
        autosnap = false;
        autoprune = true;
        yearly = 0;
        monthly = 3;
        daily = 31;
        hourly = 24;
        frequently = 0;
      };
    };
    extraArgs = [
      "--verbose"
      #"--debug"
    ];
    datasets = {
      # Snapshotted and pruned locally.
      # NOTE(review): no `recursive` setting is given, so child datasets are
      # presumably not covered. Verify against the module default.
      "rpool/var/lib" = {
        use_template = [ "snap" ];
      };
      # Datasets under rpool/backup/losurdo: expiry only, see the `prune` template.
      "rpool/backup/losurdo/var/postgresql" = {
        use_template = [ "prune" ];
      };
      "rpool/backup/losurdo/var/cryptpad" = {
        use_template = [ "prune" ];
      };
    };
  };
}