{
  config,
  pkgs,
  lib,
  ...
}:
let
  # Declarative backrest config referencing the existing restic repo.
  # The password is read at runtime from the agenix secret path via
  # BACKREST_VAR_RESTIC_PASSWORD, which backrest expands as ${RESTIC_PASSWORD}
  # inside the repo env block.
  backrestConfig = builtins.toJSON {
    version = 4;
    modno = 1;
    instance = "dnsc-server";
    repos = [
      {
        id = "dnsc-storage";
        uri = "sftp:dnsc-storage:restic/dnsc-server";
        env = [ "RESTIC_PASSWORD_FILE=${config.age.secrets."restic/password".path}" ];
        flags = [
          "-o 'sftp.args=-i /root/.ssh/id_ed25519 -o StrictHostKeyChecking=accept-new'"
        ];
        autoInitialize = false;
        guid = "15448172d015919712f015508d40e28d13db4c9e877bf545454c8289ad621069";
        prunePolicy = {
          schedule = {
            disabled = true;
          };
        };
        checkPolicy = {
          schedule = {
            disabled = true;
          };
        };
      }
    ];
    plans = [
      {
        id = "dnsc-storage-plan";
        repo = "dnsc-storage";
        paths = [
          "/home/dennis/notes"
          "/main/share"
          "/data/actual-server"
        ];
        schedule = {
          disabled = true;
        };
        retention = {
          policyKeepLastN = 3;
        };
      }
    ];
    auth = {
      disabled = true;
    };
  };
in
{
  environment.systemPackages = lib.mkAfter (
    with pkgs;
    [
      backrest
    ]
  );

  # Write the declarative config into the backrest state dir at activation time.
  # The file must be in a writable location because backrest creates a .bak
  # alongside it when migrating. /var/lib/backrest is owned by the backrest user.
  system.activationScripts.backrestConfig = {
    deps = [ "users" ];
    text = ''
      install -d -m 750 /var/lib/backrest
      install -m 640 \
        ${pkgs.writeText "backrest-config.json" backrestConfig} \
        /var/lib/backrest/config.json
    '';
  };

  systemd.services.backrest = {
    enable = true;
    description = "Restic GUI";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];

    environment = {
      BACKREST_PORT = "9004";
      BACKREST_RESTIC_COMMAND = "${pkgs.restic}/bin/restic";
      BACKREST_CONFIG = "/var/lib/backrest/config.json";
      BACKREST_DATA = "/var/lib/backrest/data";
    };

    serviceConfig = {
      Type = "simple";
      User = "root";
      ExecStart = "${pkgs.backrest}/bin/backrest";
      Restart = "on-failure";
      RestartSec = "5s";
    };
  };
}