{ config, lib, pkgs, sops, secrets, ... }:

{
  # --- sops secret integration ---
  sops.secrets."rclone.conf" = {
    sopsFile = secrets + "/rclone.yaml";
    format = "yaml";
  };

  # --- user service ---
  systemd.user.services."rclone-backup" = {
    Unit = {
      Description = "Encrypted rclone backup to Google Drive";
      After = [ "network-online.target" ];
    };

    Service = {
      Type = "oneshot";
      ExecStart = ''
        ${pkgs.rclone}/bin/rclone sync \
          /home/thiago/Documents \
          gcrypt:backup \
          --config ${config.sops.secrets."rclone.conf".path} \
          --log-file=${config.home.homeDirectory}/.local/share/rclone-backup.log \
          --log-level INFO
      '';
    };
  };

  # --- timer (every 6 h) ---
  systemd.user.timers."rclone-backup" = {
    Unit.Description = "Periodic encrypted backup to Google Drive";
    Timer = {
      OnBootSec = "10m";
      OnUnitActiveSec = "6h";
      Persistent = true;
    };
    Install.WantedBy = [ "timers.target" ];
  };
}