{
  config,
  pkgs,
  lib,
  ...
}:
let
  backupsWithHealthchecks =
    config.custom.services.restic.backups
    |> lib.filterAttrs (_: value: value.enable)
    |> lib.filterAttrs (_: value: value.doHealthchecks);
in
{
  options.custom.services.restic.backups = lib.mkOption {
    type = lib.types.attrsOf (
      lib.types.submodule {
        options.doHealthchecks = lib.mkEnableOption "" // {
          default = true;
        };
      }
    );
  };

  config = lib.mkIf (backupsWithHealthchecks != { }) {
    sops.secrets."healthchecks/ping-key" = { };

    systemd.services = lib.mkMerge [
      {
        "healthcheck-ping@" = {
          description = "Pings healthcheck (%i)";
          serviceConfig.Type = "oneshot";
          scriptArgs = "%i";
          script = ''
            ping_key="$(cat ${config.sops.secrets."healthchecks/ping-key".path})"
            slug="$(echo "$1" | tr _ /)"

            ${lib.getExe pkgs.curl} \
              --fail \
              --silent \
              --show-error \
              --max-time 10 \
              --retry 5 "https://hc-ping.com/$ping_key/$slug"
          '';
        };
      }

      (
        backupsWithHealthchecks
        |> lib.mapAttrs' (
          name: _:
          lib.nameValuePair "restic-backups-${name}" {
            wants = [ "healthcheck-ping@${name}-backup_start.service" ];
            onSuccess = [ "healthcheck-ping@${name}-backup.service" ];
            onFailure = [ "healthcheck-ping@${name}-backup_fail.service" ];
          }
        )
      )
    ];
  };
}