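# Restic REST server running in a declarative NixOS container, published
# through the host's nginx under the "backup.local" virtual host.
{ self, config, pkgs, ... }:
{
  # htpasswd file for the REST server, decrypted by agenix on the host
  # (bind-mounted into the container from /run/agenix below).
  age.secrets.backup_restic_htpasswd = {
    file = "${self}/secrets/cox_backup_restic_htpasswd.age";
    # Numeric uid rather than a user name; presumably because the restic
    # account only exists inside the container -- confirm.
    owner = "${toString config.ids.uids.restic}";
  };

  services.nginx = {
    enable = true;
    clientMaxBodySize = "1G";

    # NOTE(review): no TLS options (forceSSL/addSSL/ACME) are set on this
    # vhost in this file. If it is not terminated elsewhere, the HTTP basic
    # auth credentials and repository traffic cross the network in plaintext.
    virtualHosts."backup.local" = {
      # NOTE(review): "/" also forwards /metrics, which the backend serves
      # without authentication (--prometheus-no-auth below). Consider a
      # dedicated location that limits /metrics to the monitoring host.
      locations."/" = {
        proxyPass = "http://127.0.0.1:18000";
        # Long timeouts for large uploads. X-Forwarded-For is overwritten
        # with $remote_addr, so a client-supplied value is not passed on.
        extraConfig = ''
          proxy_connect_timeout 600;
          proxy_send_timeout 600;
          proxy_read_timeout 600;
          send_timeout 600;
          proxy_set_header Host ''$host;
          proxy_set_header X-Forwarded-For ''$remote_addr;
        '';
      };
    };
  };

  containers."backup" = {
    autoStart = true;
    # Container root is discarded on restart; only the bind mounts persist.
    ephemeral = true;

    bindMounts = {
      # Repository storage on the host's backup disk.
      "/var/lib/restic" = {
        hostPath = "/opt/backup/hdd/restic";
        isReadOnly = false;
      };
      # NOTE(review): the credential file is mounted writable, so anything
      # running as its owner inside the container can change the host's
      # secret. The server only needs to read it; switch to
      # isReadOnly = true after confirming nothing in the container
      # (e.g. a tmpfiles rule on this path) needs to chmod/chown it.
      "/var/lib/restic/.htpasswd" = {
        hostPath = "/run/agenix/backup_restic_htpasswd";
        isReadOnly = false;
      };
    };

    config = { config, pkgs, ... }: {
      # privateNetwork is not set, so the container shares the host's
      # network namespace; packet filtering is left to the host.
      networking.firewall.enable = false;

      services.restic.server = {
        enable = true;
        # Loopback only: nginx on the host reaches the server at
        # 127.0.0.1:18000 through the shared network namespace. Binding
        # 0.0.0.0 would also expose the port on every host interface,
        # bypassing the reverse proxy.
        listenAddress = "127.0.0.1:18000";
        # Each authenticated user is confined to its own repository path.
        privateRepos = true;
        extraFlags = [
          # Clients can add data but not delete or overwrite it.
          "--append-only"
          "--prometheus"
          # Metrics endpoint is served without credentials.
          "--prometheus-no-auth"
        ];
      };

      time.timeZone = "Europe/Berlin";
      system.stateVersion = "22.11";
    };
  };

  #virtualisation.oci-containers = {
  #  backend = "docker";
  #  containers = {
  #    backup-ssh = {
  #      image = "linuxserver/openssh-server:arm64v8-latest";
  #      ports = [ "32222:2222" ];
  #
  #      environment = {
  #        PUBLIC_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTpA7OHfZhl1wsbvydLNMtMx4q64fz+ojIAZpVUJEMI root@cube";
  #        USER_NAME = "backup";
  #        TZ = "Europe/Berlin";
  #        PUID = "911";
  #        PGID = "911";
  #      };
  #
  #      volumes = [
  #        "/opt/backup/hdd/restic:/data/hdd/restic"
  #      ];
  #    };
  #  };
  #};
}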