{ config, lib, ... }: {

  options = {
    backup.all.restic.dirs = lib.mkOption {
      default = [ ];
      type = with lib.types; listOf str;
    };
  };

  config = let
    servers = [ "porani.insecure" "workhorse.private" "workout.private" ];
    dirs = config.backup.all.restic.dirs;

    setup = server: {
      passwordFile = toString <secrets/backup/restic-repo>;
      repo = "sftp::backup/remote-${config.networking.hostName}";
      requires = [ ];
      extraArguments = [
        "sftp.command='ssh backup@${server} -i ${
          toString <secrets/backup/sftp-user_rsa>
        } -s sftp'"
      ];
      initialize = true;
      timerConfig = {
        OnCalendar = "daily";
        Persistent = "true";
      };
      dirs = dirs;
    };

    hostname = config.networking.hostName;
    infoEntry = server: {
      restic = {
        folders = dirs;
        from = hostname;
        to = {
          server = server;
          repo = config.backup.services.restic."on-${server}".repo;
        };
        enable = config.backup.services.restic."on-${server}".enable;
      };
    };

  in {

    backup.services.restic = lib.zipAttrsWith (name: vals: lib.head vals)
      (map (server: { "on-${server}" = setup server; }) servers);

    environment.etc."info/restic-${hostname}.json" = {
      enable = true;
      text = builtins.toJSON (map infoEntry servers);
    };
  };

}