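{ lib, config, pkgs, ... }:
# NixOS module: serve borg repositories over SSH.
#
# One service user owns every repository; each configured repository gets its
# own authorized_keys entry whose forced command pins the client to
# `borg serve --restrict-to-path=<repositories_path>/<name>`, so a client key
# can only ever reach its own directory.  sshd itself must be enabled
# separately (services.openssh) — this module only installs the keys.
let
  cfg = config.services.borg-server;

  # Directory name used for a repository: the explicit `name` option when set,
  # otherwise the attribute-set key it was declared under.
  repoName = key: repo: if repo.name != null then repo.name else key;

  # Names are spliced unquoted into the forced command, so they must be plain
  # identifiers: no quotes, whitespace or shell metacharacters, and no leading
  # dot (which would otherwise admit "." and ".." and escape repositories_path).
  safeNamePattern = "^[a-zA-Z0-9_][a-zA-Z0-9._-]*$";
  safeNameType = lib.types.strMatching safeNamePattern;

  # Build the authorized_keys line for one repository.
  # NOTE: sshd parses key options as a comma-separated list with NO whitespace;
  # a space after the comma ends option parsing and the whole line is dropped
  # (so `restrict` would silently not apply and the key would never work).
  authorizedKeyFor = key: repo:
    let
      name = repoName key repo;
      serveArgs = [ "serve" "--restrict-to-path=${cfg.repositories_path}/${name}" ]
        ++ lib.optional repo.append_only "--append-only";
      command = "${pkgs.borgbackup}/bin/borg ${lib.concatStringsSep " " serveArgs}";
    in
    "command=\"${command}\",restrict ${repo.ssh_public_key}";
in
{
  options.services.borg-server = {
    enable = lib.mkEnableOption "the borg server";

    borg_user = lib.mkOption {
      type = lib.types.str;
      example = "borg";
      default = "borg";
      description = "The user that owns the borg repositories and accepts the SSH connections.";
    };

    repositories_path = lib.mkOption {
      type = lib.types.path;
      example = "/var/lib/borg-repositories";
      default = "/var/lib/borg-repositories";
      description = "Directory (and home of `borg_user`) under which every repository lives.";
    };

    repositories = lib.mkOption {
      default = { };
      description = "Repositories to serve, keyed by an identifier that doubles as the directory name unless `name` is set.";
      type = lib.types.attrsOf (lib.types.submodule {
        options = {
          name = lib.mkOption {
            type = lib.types.nullOr safeNameType;
            default = null;
            example = "borg-repo";
            description = "Directory name of the repository below `repositories_path`. If null, the attrset key is used (and must satisfy the same character restrictions).";
          };
          ssh_public_key = lib.mkOption {
            type = lib.types.singleLineStr;
            example = "ssh-ed25519 AAAA...";
            description = "The client's SSH public key (the key material itself, not a path). Access with this key is restricted to this repository only.";
          };
          append_only = lib.mkOption {
            type = lib.types.bool;
            default = false;
            description = "Run `borg serve --append-only` for this key, so a compromised client cannot delete or prune existing archives.";
          };
        };
      });
    };
  };

  config = lib.mkIf cfg.enable {
    # The attrset key is not checked by the option type, so validate the name
    # that actually ends up in the forced command, whichever source it came from.
    assertions = lib.mapAttrsToList (key: repo: {
      assertion = builtins.match safeNamePattern (repoName key repo) != null;
      message = "services.borg-server.repositories.${key}: repository name '${repoName key repo}' must match ${safeNamePattern}";
    }) cfg.repositories;

    # Group referenced by extraGroups below; declared so the user creation does
    # not refer to a group that does not exist.
    users.groups.borg = { };

    users.users.${cfg.borg_user} = {
      # A normal user (with a login shell) is required for sshd to run the
      # forced command; the `restrict` key option removes everything else.
      isNormalUser = true;
      description = "Borg user";
      home = cfg.repositories_path;
      createHome = true;
      extraGroups = [ "borg" ];
      openssh.authorizedKeys.keys = lib.mapAttrsToList authorizedKeyFor cfg.repositories;
    };
  };
}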