{
  config,
  namespace,
  ...
}:
{
  ${namespace}.services.restic = {
    enable = true;

    # -------------------------------------------------------------------------
    # ntfy notifications
    # -------------------------------------------------------------------------
    ntfy = {
      enable = true;
      server = "https://ntfy.mjallen.dev";
      topic = "backups";
      # SOPS secret keys — these must be declared in sops.nix with the correct
      # sopsFile so that sops-nix knows how to decrypt them.
      userSecret = "desktop/ntfy/user";
      passwordSecret = "desktop/ntfy/password";
    };

    # -------------------------------------------------------------------------
    # Excludes shared by every job on this host
    # -------------------------------------------------------------------------
    defaultExcludes = [
      "/home/matt/Steam"
      "/home/matt/Heroic"
      "/home/matt/1TB"
      "/home/matt/Downloads"
      "/home/matt/Nextcloud"
      "/home/matt/.cache"
      "/home/matt/.local/share/Steam"
      "/home/matt/.var/app/com.valvesoftware.Steam"
      "/home/matt/.tmp"
      "/home/matt/.thumbnails"
      "/home/matt/.compose-cache"
    ];

    # -------------------------------------------------------------------------
    # Backup jobs
    # -------------------------------------------------------------------------
    backups = {
      jallen-nas = {
        paths = [ "/home/matt" ];
        environmentFile = config.sops.templates."restic.env".path;
        passwordFile = config.sops.secrets."desktop/restic/password".path;
        repositoryFile = config.sops.secrets."desktop/restic/repo".path;
      };

      proton-drive = {
        paths = [ "/home/matt" ];
        passwordFile = config.sops.secrets."desktop/restic/password".path;
        rcloneConfigFile = "/home/matt/.config/rclone/rclone.conf";
        repository = "rclone:proton-drive:backup-nix";
      };
    };
  };
}