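# NixOS profile: expose this machine as an append-only restic backup target
# over SSH. Every entry in `keys` becomes a forced-command authorized key
# that can only run `rclone serve restic` against its own repository
# directory below `path`.
{ config, lib, pkgs, ... }:
let
  inherit (lib) types;
  cfg = config.zpha.profiles.resticBackupTarget;
in
{
  options.zpha.profiles.resticBackupTarget = {
    enable = lib.mkEnableOption "this machine to be used as restic backup target";

    path = lib.mkOption {
      type = types.path;
      description = "Directory holding the restic repositories; also used as the home of the `restic` user.";
    };

    keys = lib.mkOption {
      # Attribute name = repository name (subdirectory of `path`), value = the
      # SSH public key allowed to push to it. `singleLineStr` rejects embedded
      # newlines, which would otherwise turn one key into several
      # authorized_keys entries (the extra ones without `restrict,command=`),
      # and strips the trailing newline commonly left by copying a .pub file.
      type = with types; attrsOf singleLineStr;
      default = { };
      description = "Map of repository name to the SSH public key permitted to append to that repository.";
    };
  };

  config = lib.mkIf cfg.enable {
    # The repository name is interpolated into the `command="..."` option,
    # which sshd parses as a double-quoted string; a `"` in the name would
    # terminate the forced command early. Fail evaluation instead.
    assertions = [
      {
        assertion = lib.all (name: builtins.match ''[^"]+'' name != null) (lib.attrNames cfg.keys);
        message = "zpha.profiles.resticBackupTarget.keys: repository names must be non-empty and must not contain a double quote";
      }
    ];

    # Only the host named "cuvier" publishes the service CNAME.
    dns.zones."fc9f.de".subdomains."restic-target".CNAME =
      lib.mkIf (config.networking.hostName == "cuvier") [ "${config.networking.fqdn}." ];

    users = {
      groups.restic = { };
      users.restic = {
        uid = 1002;
        isNormalUser = true;
        group = "restic";
        # NOTE(review): confirm what the `ssh` and `nix` groups grant on this
        # deployment; the backup user only needs to run rclone/restic.
        extraGroups = [ "ssh" "nix" ];
        home = cfg.path;
        maid.packages = with pkgs; [ restic rclone ];
        # `restrict` disables pty allocation and agent/port/X11 forwarding;
        # `command=` pins the key to an append-only rclone restic server for
        # its own repository. The repository path is shell-quoted so that
        # whitespace or `$` in `path` cannot alter the command sshd runs via
        # the login shell.
        openssh.authorizedKeys.keys = lib.mapAttrsToList (
          repo: key:
          ''restrict,command="${lib.getExe pkgs.rclone} serve restic --stdio --append-only --verbose ${lib.escapeShellArg "${cfg.path}/${repo}"}" ${key}''
        ) cfg.keys;
      };
    };
  };
}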