# NixOS module: enables the Anki sync server and accepts its TCP port in the
# nftables chain dedicated to the Nebula overlay interface of "sourcephile.fr".
{ lib, config, ... }:
let
  nebulaNetwork = "sourcephile.fr";
  # Name of that Nebula network's tun device; it selects the chain extended below.
  nebulaDevice = config.services.nebula.networks.${nebulaNetwork}.tun.device;
  ankiCfg = config.services.anki-sync-server;

  # One sync account per name. The password is referenced through a string
  # path (not a Nix path literal), so the secret is read from disk at runtime
  # rather than copied into the Nix store.
  # NOTE(review): creation, ownership and mode of these files are not handled
  # in this module — confirm they are provisioned readable by the service only.
  mkAccount = name: {
    username = name;
    passwordFile = "/var/lib/anki-sync-server/${name}.pass";
  };
in
{
  services = {
    anki-sync-server = {
      enable = true;
      # "::" is the unspecified address: the listener is not bound to the
      # Nebula address alone, so reachability from other interfaces is
      # decided by the firewall only.
      # NOTE(review): the NixOS documentation for this service presumably
      # still states that it serves plain HTTP without TLS; if so, the overlay
      # is what protects credentials in transit — confirm.
      address = "::";
      port = 27701;
      # This flag gates the nftables rule at the bottom of this module.
      # NOTE(review): the upstream nixpkgs module presumably also adds the
      # port to networking.firewall.allowedTCPPorts when this is true; if the
      # stock NixOS firewall is enabled on this host, that would admit the
      # port on every interface, not just the Nebula one — confirm.
      openFirewall = true;
      users = lib.map mkAccount [
        "julm"
        "maya"
        "merlin"
        "maya+merlin"
      ];
    };
  };

  # Accept (and count) TCP traffic to the sync port in chain
  # input-<nebula device> of table inet filter. The chain carries no hook
  # here, so it is presumably declared and jumped to from a base chain
  # defined elsewhere — verify against the host's main ruleset.
  networking.nftables.ruleset = lib.mkIf ankiCfg.openFirewall '' table inet filter { chain input-${nebulaDevice} { tcp dport ${toString ankiCfg.port} counter accept comment "anki: sync server" } } '';
}