{ config, pkgs, lib, ... }: {

  networking.firewall.interfaces."tinc.insecure".allowedTCPPorts = [ 8384 ];

  custom.samba-share = {
    enable = true;
    folders = {
      movies = config.services.syncthing.declarative.folders.movies.path;
      series = config.services.syncthing.declarative.folders.series.path;
      music = config.services.syncthing.declarative.folders.music-library.path;
    };
  };

  services.syncthing = {
    guiAddress = lib.mkForce "${config.networking.hostName}.insecure:8384";
    enable = true;
    openDefaultPorts = true;
    declarative = {
      cert = toString <secrets/syncthing/cert.pem>;
      key = toString <secrets/syncthing/key.pem>;
      overrideFolders = true;
      folders = {
        # on media hard drive (not encrypted)
        # -----------------------------------
        movies = {
          enable = true;
          path = "/media/movies";
          rescanInterval = 8 * 3600;
        };
        music-library = {
          enable = true;
          path = "/media/music-library";
          rescanInterval = 8 * 3600;
        };
        series = {
          enable = true;
          path = "/media/series";
          rescanInterval = 8 * 3600;
        };
      };
    };
  };

  system.permown."/media" = {
    owner = "syncthing";
    group = "syncthing";
  };
  systemd.services."permown._media" = {
    bindsTo = [ "media.mount" ];
    after = [ "media.mount" ];
  };
  systemd.services."syncthing" = {
    bindsTo = [ "media.mount" ];
    after = [ "media.mount" ];
  };

  users.groups."syncthing".members = [ "mpd" "syncthing" "kodi" "palo" ];

  backup.dirs = [ "/var/lib/syncthing/finance" ];

}