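# Flake-parts style module exporting two restic modules:
#   - flake.modules.nixos.restic-server: runs the restic REST server.
#   - flake.modules.homeManager.restic:  per-user scheduled backups to that
#     server over HTTPS with a client certificate.
{ inputs, ... }:
{
  flake.modules.nixos.restic-server =
    { config, pkgs, lib, ... }:
    {
      services.restic.server = {
        enable = true;
        dataDir = "/mnt/restic";
        # NOTE(review): the server binds to every interface AND runs with
        # "--no-auth", so the REST server itself performs no authentication.
        # The clients below reach it via https://... with a client
        # certificate, which suggests a TLS/mTLS-terminating proxy in front
        # of this port, but that proxy is not visible in this file.
        # Confirm that TCP 8080 is reachable only from that proxy (firewall
        # rule, or a loopback bind if the proxy runs on the same host).
        # Otherwise any host that can reach 8080 skips the mTLS check and
        # can write to or delete repository data. Restic encrypts repository
        # contents client-side, so the main exposure is tampering and
        # deletion rather than plaintext disclosure.
        listenAddress = "0.0.0.0:8080";
        extraFlags = [ "--no-auth" ];
      };
    };

  flake.modules.homeManager.restic =
    { config, pkgs, lib, ... }:
    let
      cfg = config.restic;
    in
    {
      options.restic = {
        repoName = lib.mkOption {
          description = "Name of the restic repo to use";
          type = lib.types.str;
          default = "john-ubuntu";
        };
        # Deliberately a string, not a Nix path: a path literal interpolated
        # into the configuration would be copied into the world-readable
        # Nix store, taking the repository password with it.
        passwordFile = lib.mkOption {
          description = "String path to the restic password file";
          type = lib.types.str;
        };
        paths = lib.mkOption {
          description = "List of string paths to include in the backup";
          type = lib.types.listOf lib.types.str;
          default = [ ];
        };
        exclude = lib.mkOption {
          description = "List of string paths to exclude from the backup. Some common ones are already excluded by default.";
          type = lib.types.listOf lib.types.str;
          default = [ ];
        };
        OnCalendar = lib.mkOption {
          description = "systemd OnCalendar expression that schedules the backup timer";
          type = lib.types.str;
        };
        RandomizedDelaySec = lib.mkOption {
          description = "systemd RandomizedDelaySec value applied to the backup timer";
          type = lib.types.str;
          default = "1m";
        };
      };

      config =
        let
          resticRepository = "rest:https://soteria.john-stream.com/${cfg.repoName}";
          # config.mtls is declared outside this file.
          caCert = "${config.mtls.certDir}/root_ca.crt";
          # restic's RESTIC_TLS_CLIENT_CERT expects one PEM file holding the
          # client certificate and its private key.
          # NOTE(review): presumably the bundle is such a file, so it should
          # be readable only by the owning user. Confirm in the mtls module.
          mtlsClientCert = "${config.mtls.certDir}/${config.mtls.bundleFilename}";
        in
        {
          # Exported so that interactive `restic` invocations target the same
          # repository with the same TLS material as the scheduled job.
          home.sessionVariables = {
            RESTIC_REPOSITORY = resticRepository;
            RESTIC_PASSWORD_FILE = cfg.passwordFile;
            RESTIC_CACERT = caCert;
            RESTIC_TLS_CLIENT_CERT = mtlsClientCert;
          };

          # This is necessary because the restic service in home manager doesn't otherwise expose these options.
          systemd.user.services."restic-backups-${cfg.repoName}".Service.Environment = [
            "RESTIC_CACERT=${caCert}"
            "RESTIC_TLS_CLIENT_CERT=${mtlsClientCert}"
          ];

          services.restic = {
            enable = true;
            backups.${cfg.repoName} = {
              repository = resticRepository;
              passwordFile = cfg.passwordFile;
              paths = cfg.paths;
              timerConfig = {
                OnCalendar = cfg.OnCalendar;
                RandomizedDelaySec = cfg.RandomizedDelaySec;
                Persistent = true;
              };
              runCheck = true;
              # NOTE(review): retention is enforced from the client, so the
              # server has to accept deletions from this client. A
              # compromised client certificate could therefore also remove
              # snapshots. Keep that in mind when deciding where pruning
              # should run.
              pruneOpts = [
                "--keep-last 10"
                "--keep-hourly 8"
                "--keep-daily 14"
                "--keep-weekly 8"
                "--keep-monthly 12"
              ];
              # User-supplied excludes first, followed by the built-in
              # defaults.
              exclude = cfg.exclude ++ [
                ".cache"
                ".devenv"
                ".rustup"
                ".cargo"
                ".venv"
                ".pyenv"
                ".vscode*"
                "data/postgres"
                "build"
                "dist"
                "__pycache__"
                "*.log"
                "*.egg-info"
                "*.csv"
                "*.m4a"
                ".local/share/Steam"
                ".local/share/Trash"
              ];
            };
          };
        };
    };
}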