{
  config,
  lib,
  pkgs,
  ...
}:
let
  inherit (lib)
    mkIf
    mkEnableOption
    mkOption
    concatStringsSep
    ;
  inherit (lib.types)
    listOf
    nonEmptyStr
    package
    enum
    str
    port
    ;
  cfg = config.modules.services.rsync-backup;
in
{
  # Used to back up multiple source destinations to a target destination regularly,
  # with possibility to enable incremental backups for versioning.

  # TODO: systemd unit
  # - [x] script taking configurable args
  # - [x] sync from/to paths
  # - [ ] support
  #       - [ ] nfs
  #       - [ ] sftp
  #       - [ ] ssh
  #       - [x] local
  #       - [x] rsyncd
  # - [ ] retention limit for incremental backups

  options.modules.services.rsync-backup = {
    enable = mkEnableOption "rsync backups";

    sources = mkOption {
      type = listOf nonEmptyStr;
      default = [ ]; # TODO: validate if at least 1 element
      description = ''
        A list of absolute paths to the files or folders that should get synchronized.
        It isn't necessary to wrap them in escaped double quotation marks.
      '';
    };

    exclude = mkOption {
      type = str;
      default = "";
    };

    target = {
      location = mkOption {
        type = nonEmptyStr;
        description = ''
          The target to where the data should be backed up.
          If it is a directory, it will be created automatically by rsync.
          Append a : to the string if it is an ssh target and ensure that passwordless access is available.
        '';
      };

      finalLocation = mkOption {
        type = nonEmptyStr;
        default =
          if cfg.target.type == "local" then
            cfg.target.location
          else if cfg.target.type == "rsyncd" then
            "rsync://${cfg.target.host}/${cfg.target.location}"
          else
            throw "Unable to create location.";
      };

      type = mkOption {
        type = enum [
          "local"
          "rsyncd"
        ];
        default = "local";
        description = ''
          Guesses if the given target is local or ssh, very rudimentary therefore it might be necessary to specify manually (or rewrite the logic).
        '';
      };

      host = mkOption {
        type = str;
        default = "";
      };
    };

    package = mkOption {
      type = package;
      default = pkgs.rsync;
      description = ''
        The rsync package to use.
      '';
    };

    flags = mkOption {
      type = listOf str;
      default = [
        "--archive"
        "--verbose"
        "--mkpath"
      ];
    };

    flagsFinal = mkOption {
      type = listOf str;
      default = cfg.flags ++ [
        (mkIf cfg.incremental.enable "--delete")
        (mkIf (cfg.exclude != "") "--exclude=\"${cfg.exclude}\"")
        (mkIf cfg.incremental.enable "--backup-dir=\"${cfg.incremental.finalIncrementPath}\"")
        "--port=${toString cfg.port}"
      ];
      apply = concatStringsSep " ";
    };

    interval = mkOption {
      type = nonEmptyStr;
      default = "daily";
    };

    incremental = {
      enable = mkEnableOption "incremental backups";
      format = mkOption {
        type = nonEmptyStr;
        default = "%Y-%m-%d-%-H-%M-%S-$RANDOM";
        description = ''
          The increment folder name. Refer to `man date` for specifics about the format.
          Omit the leading +.
        '';
      };
      finalIncrementPath = mkOption {
        type = nonEmptyStr;
        default = "../${cfg.target.location}/increment/$(date +${cfg.incremental.format})/";
        description = ''
          The directory in which the changes will be stored, the .. at the start is necessary because it is relative to
          the target and we append `backup` to the target.

          -- cfg.location
              | - backup/
              | - increment/<increment format>
        '';
      };
      # TODO: add retention
    };

    unitName = mkOption {
      type = nonEmptyStr;
      default = "rsync-backup";
    };

    user = mkOption {
      type = str;
      default = "rsync-backup";
      description = "User account under which Rsync runs.";
    };

    group = mkOption {
      type = str;
      default = "rsync-backup";
      description = "Group under which Rsync runs.";
    };

    port = mkOption {
      type = port;
      default = 9523;
    };
  };

  config = mkIf cfg.enable {
    systemd.timers.${cfg.unitName} = {
      enable = true;
      wantedBy = [ "timers.target" ];
      unitConfig = {
        Description = "Triggers rsync-backup regularly.";
      };
      timerConfig = {
        Unit = "${cfg.unitName}.service";
        OnCalendar = cfg.interval;
        Persistent = true;
      };
    };

    systemd.services.${cfg.unitName} = {
      script =
        let
          destination =
            if cfg.incremental.enable then "${cfg.target.finalLocation}/backup" else cfg.target.finalLocation;
          sources = concatStringsSep " " (map (s: "\"${s}\"") cfg.sources);
        in
        ''
          ${cfg.package}/bin/rsync \
              ${cfg.flagsFinal} \
              ${sources} \
              "${destination}"
        '';

      requires = mkIf (cfg.target.type == "rsyncd") [ "network.target" ];
      unitConfig = {
        Description = "Backs up files from a source location to a specified destination.";
      };
      serviceConfig = {
        Type = "simple";
        Restart = "on-failure";
        RestartSec = 300;
        PrivateDevices = true;
        PrivateTmp = true;
        ProtectSystem = "full";
        ReadOnlyPaths = concatStringsSep " " cfg.sources;
        IPAddressAllow = "any";
      };
    };

    users.users = mkIf (cfg.user == "rsync-backup") {
      rsync-backup = {
        useDefaultShell = true;
        group = cfg.group;
        isSystemUser = true;
      };
    };

    users.groups = mkIf (cfg.group == "rsync-backup") {
      rsync-backup = { };
    };
  };
}