{
  config,
  lib,
  pkgs,
  ...
}:
/*
this module enables a backup script made with borg!
to use import & set the options below
to declare a backup add the following code
to a module and it will backup all listed paths
in a borg archive to the specified repo

      |     <3yy>    |
      V              V
  system.backups.baks = {
    ${service} = { paths = [ cfg.data_dir ]; };
  };
*/
let
  cfg = config.system.backups;
  sec = config.sops.secrets;
  borg = "${pkgs.borgbackup}/bin/borg";
in {
  options.system.backups = {
    enable = lib.mkEnableOption "enables backups with borg";
    baks = lib.mkOption {
      type = lib.types.attrsOf (lib.types.attrsOf (lib.types.listOf lib.types.path));
      default = {};
      description = "backup jobs, nested attribute sets should be <bak_name> = paths [<list_of_paths>]";
    };
    gameserver_baks = lib.mkOption {
      type = lib.types.attrsOf (lib.types.attrsOf (lib.types.listOf lib.types.path));
      default = {};
      description = "backup jobs for game servers, nested attribute sets should be <bak_name> = paths [<list_of_paths>]";
    };
    repo = lib.mkOption {
      type = lib.types.path;
      default = "/holocron/archives/devices/snowbelle";
      description = "borg repository path";
    };
    gameserver_repo = lib.mkOption {
      type = lib.types.path;
      default = "/holocron/archives/gameservers/borg";
      description = "borg repository path";
    };
    passwd_file = lib.mkOption {
      type = lib.types.path;
      default = sec."borg_passwd".path;
      description = "borg repository passphrase file";
    };
    mode = lib.mkOption {
      type = lib.types.str;
      default = "split"; # "all"
      description = "choice between creating one archive of all paths or one archive per service";
    };
  };

  config = lib.mkIf (cfg.enable && cfg.baks != {}) {

    # db backups
    services.mysqlBackup = lib.mkIf config.services.mysql.enable {
      # mc servers use this
      enable = true;
      location = "/var/backup/mysql";
      user = "root";
      calendar = "*-*-* *:59:00";
      compressionAlg = "zstd";
      databases = config.services.mysql.ensureDatabases; # set to all databases defined in esure databases
    };
    services.postgresqlBackup = lib.mkIf config.services.postgresql.enable {
      # immich uses this
      enable = true;
      location = "/var/backup/postgresql";
      compression = "zstd"; # optional: "xz", "zstd", "none"
      startAt = "03:58";
      databases = ["immich"]; # set to all databases defined in esure databases
      #databases = config.services.postgresql.ensureDatabases; # set to all databases defined in esure databases
    };

    # declare secret for repo password
    sops.secrets = {
      "borg_passwd" = {
        owner = "root";
        group = "root";
      };
    };
  };
}