{
  config,
  pkgs,
  lib,
  factsGenerator,
  ...
}:
{

  clan.core.facts.services."paperless-ngx.borg" = factsGenerator.password { name = "borgbackup"; };
  clan.core.facts.services."paperless-ngx.ssh" = factsGenerator.ssh { name = "paperless-ngx"; };

  # backup
  services.borgbackup.jobs."paperless-ngx" = {
    paths = [ config.services.paperless.dataDir ];
    repo = "root@orbi.bear:borg-${config.networking.hostName}-paperless";
    compression = "auto,lzma";
    startAt = "daily";
    encryption = {
      mode = "keyfile-blake2";
      passCommand = "cat ${
        toString config.clan.core.facts.services."paperless-ngx.borg".secret."password.borgbackup".path
      }";
    };
    environment = {
      BORG_RSH = "ssh -i ${
        toString
          config.clan.core.facts.services."paperless-ngx.ssh".secret."ssh.paperless-ngx.id_ed25519".path
      }";
      BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes";
    };
    prune.keep = {
      within = "3d"; # Keep all backups in the last 10 days.
      weekly = 2; # Keep 8 additional end of week archives.
      monthly = -1; # Keep end of month archive for every month
    };
    doInit = true;
  };

}