{ config, pkgs, lib, ... }: {

  sops.secrets.syncthing_cert = { };
  sops.secrets.syncthing_key = { };

  networking.firewall.allowedTCPPorts = [ 22000 ];
  networking.firewall.allowedUDPPorts = [ 22000 ];

  services.syncthing = {
    enable = true;
    openDefaultPorts = false;
    dataDir = "/media/syncthing/config";
    configDir = "/media/syncthing/config";
    overrideDevices = true;
    overrideFolders = true;
    cert = toString config.sops.secrets.syncthing_cert.path;
    key = toString config.sops.secrets.syncthing_key.path;

    settings.folders = {
      # on media hard drive (not encrypted)
      # -----------------------------------
      #borg-mirror = {
      #  enable = true;
      #  path = "/media/syncthing/borg";
      #  rescanInterval = 36 * 3600;
      #  type = "sendonly";
      #};
      #video-material = {
      #  enable = true;
      #  path = "/home/syncthing/video-material";
      #};
      books = {
        enable = true;
        path = "/media/syncthing/books";
      };
      lost-fotos = {
        enable = true;
        path = "/media/syncthing/lost-fotos.ct";
        rescanIntervalS = 40 * 24 * 3600;
      };
      #media = {
      #  enable = true;
      #  watch = false;
      #  type = "sendonly";
      #  path = "/media/syncthing/media";
      #  rescanInterval = 27 * 24 * 3600;
      #};
      music-projects = {
        enable = true;
        #watch = true;
        path = "/media/syncthing/music-projects";
      };
      nextcloud_backup = {
        enable = true;
        #watch = true;
        path = "/media/syncthing/nextcloud_backup";
        rescanIntervalS = 23 * 3600;
      };
    };
  };

  services.permown."/media/syncthing" = {
    # not managed by syncthing anymore
    owner = "syncthing";
    group = "syncthing";
    umask = "0002";
  };
  systemd.services."permown._media_syncthing" = {
    bindsTo = [ "media.mount" ];
    after = [ "media.mount" ];
  };
  systemd.services."syncthing" = {
    bindsTo = [ "media.mount" ];
    after = [ "media.mount" ];
  };

}