{ config, my, pkgs, secrets, ... }:

{
  sops.secrets."navidrome/env" = {
    sopsFile = ../secrets/sops/navidrome.yaml;
    restartUnits = [ "navidrome.service" ];
  };

  services.navidrome = {
    enable = true;
    settings = {
      Address = "[::1]";
      BaseUrl = "https://music.${my.domain}";
      FFmpegPath = "${pkgs.ffmpeg-headless}/bin/ffmpeg";
      ImageCacheSize = "500MB";
      ScanSchedule = "@every 10m";
      TranscodingCacheSize = "500MB";
    };
  };

  systemd.services.navidrome.serviceConfig.EnvironmentFile =
    [ secrets."navidrome/env".path ];

  services.restic.backups.navidrome = {
    environmentFile = secrets."restic/rest-env".path;
    initialize = true;
    repository =
      "${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}";
    passwordFile = secrets."restic/repo-password".path;
    paths = [ "/var/backup/navidrome.db.zst" ];
    timerConfig.OnCalendar = "*-*-* 4:10:00"; # daily at 04:10
    backupPrepareCommand = ''
      set -euo pipefail
      umask 0077
      f=$(mktemp)

      # consistency is provided by the internal locking of sqlite
      ${pkgs.sqlite}/bin/sqlite3 /var/lib/navidrome/navidrome.db ".backup $f"
      ${pkgs.zstd}/bin/zstd --compress -9 --rm --force \
        -o /var/backup/navidrome.db.zst $f
    '';
    backupCleanupCommand = my.mkResticBackupNotificationCmd {
      name = "navidrome";
      inherit pkgs secrets;
    };
  };
}