{
  config,
  lib,
  pkgs,
  ...
}:
/*
to restore mysql/marinadb database:
mysql -u root -p -e "DROP DATABASE IF EXISTS <database_name>;"  # delete old db if still lingering
mysql -u root -p -e "CREATE DATABASE IF NOT EXISTS <database_name>;"  # create empty db w/ correct name
zstd -dc <path_to_backup> | mysql -u root -p <database_name>

to restore a postgres database:
sudo -u postgres psql -c "DROP DATABASE IF EXISTS <database_name>;"   # delete old db if lingering (prolly wont work)
sudo -u postgres psql -c "CREATE DATABASE <database_name>;"   # create empty db w/ correct name
zstd -dc <path_to_backup> | sudo -u postgres psql -d immich   # restore from the dump
*/
let
  cfg = config.homelab.backups;
  sec = config.sops.secrets;
in {
  options.homelab.backups = {
    enable = lib.mkEnableOption "enables borg backups for state files and db backup services";
    baks = lib.mkOption {
      type = lib.types.attrsOf (lib.types.attrsOf (lib.types.listOf lib.types.path));
      default = {};
      description = "backup jobs, nested attribute sets should be <bak_name> = paths [<list_of_paths>]";
    };
    backup_repo = lib.mkOption {
      type = lib.types.path;
      default = "/holocron/archives/homelab";
      description = "path to take daily backups to with borg!";
    };
  };

  config = lib.mkIf cfg.enable {
    # backups homelab with borg
    services.borgbackup.jobs.homelab = lib.mkIf (cfg.baks != {}) {
        archiveBaseName = "homelab";
        repo = cfg.backup_repo;
        paths = lib.flatten (lib.attrsets.mapAttrsToList (_: arg: arg.paths) cfg.baks);
        compression = "auto,zstd";
        startAt = "03:30";
        group = "archives";
        encryption.mode = "repokey-blake2";
        encryption.passCommand = "cat ${sec."borg_passwd".path}";
        preHook = ''
          systemctl start mysql-backup.service
          systemctl start $(systemctl list-unit-files 'postgresqlBackup-*.service' --no-legend --no-pager | cut -d' ' -f1)
        '';
        extraArgs = ["--verbose" "--show-rc" "--umask" "0007"];
        extraCreateArgs = ["--list" "--stats" "--filter" "AME"];
        prune.keep = {
          within = "1d"; # Keep all archives from the last day
          daily = 7;
          weekly = 12;
          monthly = -1; # Keep at least one archive for each month
        };
      };

    # mysql backups currently minecraft_recpro is the only thing using this
    services.mysqlBackup = lib.mkIf (config.services.mysql.ensureDatabases != []) {
      enable = true;
      location = "/var/backup/mysql";
      user = "root";
      calendar = "daily"; # goes fast, included in back up with server dirs at **:00
      compressionAlg = "zstd";
      databases = config.services.mysql.ensureDatabases; # set to all databases defined in esure databases
    };
    # postgresql backups currently immich is the only user
    services.postgresqlBackup = lib.mkIf (config.services.postgresql.ensureDatabases != []) {
      enable = true;
      location = "/var/backup/postgresql";
      compression = "zstd"; # optional: "xz", "zstd", "none"
      startAt = "daily"; # the dump is included in a backup taken at 4:00
      databases = config.services.postgresql.ensureDatabases; # set to all databases defined in esure databases
    };

    # helpful and for scripts
    environment.systemPackages = with pkgs; [borgbackup tree];

    sops.secrets = {
      "borg_passwd" = {
        owner = "root";
        group = "root";
      };
    };
  };
}