{ config, lib, my, pkgs, secrets, ... }:

{
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_16;
    enableTCPIP = lib.mkDefault false;
    initdbArgs = [ "--data-checksums" ];
  };

  services.postgresqlBackup = {
    enable = true;
    backupAll = true;
    compression = "zstd";
    startAt = "*-*-* 04:00:00"; # daily at 04:00
  };

  users.users.postgres.extraGroups = [ "restic-backup" ];

  services.restic.backups.postgresql-16 = {
    environmentFile = secrets."restic/rest-env".path;
    initialize = true;
    repository =
      "${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}";
    passwordFile = secrets."restic/repo-password".path;
    user = "postgres";
    paths = [ "/var/backup/postgresql/all.sql.zstd" ];
    timerConfig.OnCalendar = "*-*-* 4:30:00"; # daily at 04:30
    backupCleanupCommand = my.mkResticBackupNotificationCmd {
      name = "postgresql-16";
      inherit pkgs secrets;
    };
  };
}