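{ config, pkgs, lib, ... }:

let
  # Path of the agenix-provisioned restic repository password.
  #
  # NOTE(review): the `password` field below carries a `file:` prefix, but
  # nothing in this module shows that backrest dereferences such a prefix.
  # If backrest passes the field verbatim as RESTIC_PASSWORD, the literal
  # path string becomes the repository password and, because
  # autoInitialize = true, a *new* repository would be created instead of
  # opening the existing one. Verify against the deployed backrest version;
  # the portable alternative is to leave `password` empty and set
  # `env = [ "RESTIC_PASSWORD_FILE=${secretPath}" ]` on the repo, which
  # restic itself understands.
  #
  # The secret file must also be readable by the `backrest` service user
  # (agenix secrets default to root:root 0400); set
  # `age.secrets."restic/password".owner` / `.group` / `.mode` where the
  # secret is declared.
  secretPath = config.age.secrets."restic/password".path;

  # TODO(review): this is root's personal SSH key. The unit runs as
  # `backrest`, and `ReadOnlyPaths` below does not grant read permission, so
  # a root-owned 0600 key is unreadable from inside the service (ssh also
  # refuses keys it cannot open). Provision a dedicated key owned by
  # `backrest` (e.g. via agenix) and point this at it.
  sshKeyPath = "/root/.ssh/id_ed25519";

  # Declarative backrest config referencing the existing restic repo.
  backrestConfig = builtins.toJSON {
    version = 4;
    modno = 1;
    instance = "dnsc-server";
    repos = [
      {
        id = "dnsc-storage";
        uri = "sftp:dnsc-storage:restic/dnsc-server";
        password = "file:${secretPath}";
        # `accept-new` is trust-on-first-use: the first connection pins
        # whatever host key dnsc-storage presents (into
        # /var/lib/backrest/.ssh/known_hosts, since HOME is /var/lib/backrest).
        # Pre-seeding known_hosts (programs.ssh.knownHosts) and using the
        # default `StrictHostKeyChecking=yes` closes that window.
        flags = [
          "-o"
          "sftp.args=-i ${sshKeyPath} -o StrictHostKeyChecking=accept-new"
        ];
        autoInitialize = true;
        prunePolicy = { schedule = { disabled = true; }; };
        checkPolicy = { schedule = { disabled = true; }; };
      }
    ];
    plans = [
      {
        id = "dnsc-storage-plan";
        repo = "dnsc-storage";
        # These paths must be readable by the unprivileged `backrest` user;
        # nothing in this module grants that (e.g. for /home/dennis/notes).
        paths = [
          "/home/dennis/notes"
          "/main/share"
          "/data/actual-server"
        ];
        schedule = { disabled = true; };
        retention = { policyKeepLastN = 3; };
      }
    ];
    # Web UI authentication is off. Anyone who can reach the listener can run
    # restic (and backrest hooks) as the service user, so the listener is
    # pinned to loopback below; front it with an authenticating reverse proxy
    # or enable auth before exposing it beyond the host.
    auth = { disabled = true; };
  };
in
{
  environment.systemPackages = lib.mkAfter (with pkgs; [ backrest ]);

  users.groups.backrest = { };
  users.users.backrest = {
    isSystemUser = true;
    group = "backrest";
    home = "/var/lib/backrest";
    createHome = true;
    description = "Backrest service user";
  };

  # Rendered at activation time: root-owned, group `backrest`, mode 0440, so
  # it is readable only by root and the service user and writable by nobody
  # (the UI's "save config" will fail — the config is declarative on purpose).
  # It holds no secret material: the password entry is a path resolved at
  # runtime.
  environment.etc."backrest/config.json" = {
    text = backrestConfig;
    mode = "0440";
    group = "backrest";
  };

  systemd.services.backrest = {
    enable = true;
    description = "Restic GUI";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];

    environment = {
      # BACKREST_PORT is a bind address (backrest's documented default is
      # 127.0.0.1:9898). A bare port such as "9004" appears to be treated as
      # ":9004", i.e. all interfaces — TODO confirm against the deployed
      # version. With auth disabled, that would be an unauthenticated remote
      # control surface, so keep it on loopback.
      BACKREST_PORT = "127.0.0.1:9004";
      BACKREST_RESTIC_COMMAND = "${pkgs.restic}/bin/restic";
      BACKREST_CONFIG = "/etc/backrest/config.json";
      BACKREST_DATA = "/var/lib/backrest/data";
    };

    serviceConfig = {
      Type = "simple";
      User = "backrest";
      Group = "backrest";
      ExecStart = "${pkgs.backrest}/bin/backrest";
      Restart = "on-failure";
      RestartSec = "5s";

      # ReadOnlyPaths only remounts the path read-only inside the unit's
      # mount namespace; it does NOT bypass file permissions (see sshKeyPath).
      ReadOnlyPaths = [ sshKeyPath ];

      # Basic hardening. The service user is already unprivileged; these make
      # the remaining surface explicit. /var/lib/backrest holds BACKREST_DATA,
      # restic's cache and ssh's known_hosts, so it stays writable.
      NoNewPrivileges = true;
      PrivateTmp = true;
      ProtectSystem = "strict";
      ReadWritePaths = [ "/var/lib/backrest" ];

      # Removed: SupplementaryGroups = [ "shadow" ]. Nothing in this unit
      # reads /etc/shadow, and giving a network-facing service read access to
      # the system's password hashes is a needless privilege. Re-add only
      # with a comment stating the concrete need.
    };
  };
}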