# NixOS module: runs Syncthing as the user "palo" with a declaratively managed
# folder list, and declares owner/group for two of the synced directories.
{ config, pkgs, lib, ... }:
let
  home = "/home/palo";

  # dataDir and configDir both point here.
  # NOTE(review): with cert/key left unset below, the device keypair is
  # presumably the one Syncthing keeps under configDir. If so, this directory
  # holds the device's private key and should be excluded from anything that is
  # synced or backed up in the clear. Confirm.
  stateDir = "${home}/.syncthing";

  # An enabled Syncthing folder located at <home>/<relPath>.
  homeFolder = relPath: {
    enable = true;
    path = "${home}/${relPath}";
  };

  # Ownership entry for services.permown: always owned by palo, group varies.
  ownedBy = group: {
    owner = "palo";
    inherit group;
  };
in
{

  # Disabled: provisioning the Syncthing device certificate/key from sops.
  #sops.secrets.syncthing_cert = { };
  #sops.secrets.syncthing_key = { };

  services.syncthing = {
    enable = true;

    # The module does not open Syncthing's default ports in the NixOS firewall.
    # Inbound sync/discovery traffic is only accepted if a rule is added
    # elsewhere.
    openDefaultPorts = false;

    user = "palo";
    dataDir = stateDir;
    configDir = stateDir;

    # Disabled together with the sops secrets above.
    #cert = toString config.sops.secrets.syncthing_cert.path;
    #key = toString config.sops.secrets.syncthing_key.path;

    # Folders that are not declared in `folders` are removed from Syncthing's
    # configuration, so a folder added through the GUI does not persist.
    overrideFolders = true;

    # NOTE(review): no per-folder `devices` list appears in this file. Which
    # peers receive each folder is presumably defined in another module. Confirm,
    # especially for password-store and finance.
    folders = {

      # on encrypted drive
      # ------------------
      # The folder id (attribute name) and the on-disk name differ here.
      password-store = homeFolder ".password-store";
      #private = homeFolder "private";
      art = homeFolder "art";
      desktop = homeFolder "desktop";
      finance = homeFolder "finance";

      # no need to be encrypted
      # -----------------------
      books = homeFolder "books";
      music-library = homeFolder "music-library";
      #music-projects = homeFolder "music-projects";
    };
  };

  # services.permown is not defined in this file.
  # NOTE(review): it presumably enforces the given owner/group on each path.
  # finance is assigned group "syncthing" while music-library gets "users".
  # Check that choice against the mode permown applies, since it decides which
  # other accounts can read the finance tree.
  services.permown = {
    "${home}/music-library" = ownedBy "users";
    "${home}/finance" = ownedBy "syncthing";
  };
}