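# NixOS module: InvoicePlane site "invoicing.b12f.io", backed by a PostgreSQL
# container, with a restic backup of the site directory and a SQL dump.
{
  flake,
  config,
  pkgs,
  lib,
  ...
}:
let
  # Staging directory for the SQL dump that the restic job picks up.
  backupDir = "/var/lib/invoiceplane/backup";
in
{
  # NOTE(review): no owner/group is set on these secrets, so agenix's defaults
  # apply. Confirm that the processes which read them (the InvoicePlane
  # service for the password file, the container runtime for the env file)
  # can actually read the decrypted paths with mode 600.
  age.secrets."invoiceplane-db-password.age" = {
    file = "${flake.self}/secrets/invoiceplane-db-password.age";
    mode = "600";
  };

  age.secrets."invoiceplane-db-secrets.env" = {
    file = "${flake.self}/secrets/invoiceplane-db-secrets.env";
    mode = "600";
  };

  # NOTE(review): InvoicePlane upstream documents MySQL/MariaDB as its
  # database backend. Confirm that this site really works against the
  # PostgreSQL container configured below.
  services.invoiceplane.sites."invoicing.b12f.io" = {
    enable = true;
    database = {
      user = "invoiceplane";
      name = "invoiceplane";
      passwordFile = config.age.secrets."invoiceplane-db-password.age".path;
      host = "localhost";
      port = 5432;
      # The database runs in the container below, not as a host service.
      createLocally = false;
    };
  };

  virtualisation = {
    oci-containers = {
      backend = "docker";

      containers."invoiceplane-db" = {
        # NOTE(review): "postgres:16" is a floating tag. Consider pinning the
        # image by digest ("postgres:16@sha256:<digest>") so that a rebuild
        # cannot silently pull different image contents.
        image = "postgres:16";
        autoStart = true;
        # Publish on loopback only. The only consumer in this module connects
        # through "localhost", and a port that Docker publishes on all
        # interfaces is typically reachable from the network even when the
        # NixOS firewall does not open it.
        ports = [ "127.0.0.1:5432:5432" ];
        volumes = [ "/var/lib/invoiceplane/db:/var/lib/postgresql/data" ];
        # Presumably carries the POSTGRES_* credentials; verify against the
        # encrypted env file.
        environmentFiles = [ config.age.secrets."invoiceplane-db-secrets.env".path ];
      };
    };
  };

  # The dump is plaintext SQL, so the staging directory is root-only.
  systemd.tmpfiles.rules = [ "d '${backupDir}' 0700 root root - -" ];

  services.restic.backups = {
    invoiceplane = {
      paths = [
        backupDir
        "/var/lib/invoiceplane/invoicing.b12f.io"
      ];
      initialize = true;
      # "restic-password.age" and "rclone-pie.conf" are not declared in this
      # module; presumably they are defined elsewhere in the configuration.
      passwordFile = config.age.secrets."restic-password.age".path;
      # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
      repository = "rclone:cloud.pub.solar:/backups/InvoicePlane";
      # Dump all databases into the staging directory before restic runs.
      # No "-t" here: a pseudo-TTY translates LF to CRLF and folds stderr
      # into stdout, which corrupts a dump that is captured by redirection.
      backupPrepareCommand = ''
        ${pkgs.docker-client}/bin/docker exec invoiceplane-db pg_dumpall -c -U invoiceplane > "${backupDir}/postgres.sql"
      '';
      rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
    };
  };
}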