{ pkgs, lib, config, inputs, hostName, ... }:
let
  # Pool on the receiving side that holds the replicated datasets.
  backupTarget = "off4";
  # Host the syncoid service connects to; its key is pinned via known_hosts
  # below so the raw send stream can only land on the genuine machine.
  targetHost = "aubergine.local";
  diskGroup = config.users.groups."disk".name;

  # Datasets that are never replicated (Nix store, caches, logs, downloads).
  # One list feeds both the service command and the interactive helper so the
  # two cannot drift apart.
  excludedDatasets = [
    "${hostName}/root/nix"
    "${hostName}/root/var/cache"
    "${hostName}/root/var/log"
    "${hostName}/root/home/julm/.cache"
    "${hostName}/root/home/julm/Downloads"
  ];
  excludeArgs = lib.concatMap (ds: [ "--exclude" ds ]) excludedDatasets;

  # Send/receive flags shared by the service and the interactive helper.
  sendRecvArgs = [
    "--create-bookmark"
    "--no-sync-snap"
    "--no-privilege-elevation"
    "--preserve-properties"
    "--preserve-recordsize"
    "--recursive"
    "--sendoptions=w"
    "--recvoptions=u"
  ];

  # Host-key pinning: only the public key committed under ../aubergine/ssh is
  # accepted, and StrictHostKeyChecking refuses anything else.
  knownHostsFile = pkgs.writeText "known_hosts" ''
    ${targetHost} ${lib.readFile ../aubergine/ssh/host.key.pub}
  '';
  sshConfigFile = pkgs.writeText "ssh-config" ''
    Host *
      Ciphers aes128-gcm@openssh.com
      Compression no
      StrictHostKeyChecking yes
      UserKnownHostsFile ${knownHostsFile}
  '';

  # Build the services.syncoid.commands attrset, overlaying `conf` onto every
  # command (currently a single one: the host's root dataset).
  backupConf = conf:
    lib.mapAttrs (_name: cmd: lib.recursiveUpdate cmd conf) {
      "${hostName}/root" = {
        target = "backup@${targetHost}:${backupTarget}/julm/backup/${hostName}";
        sendOptions = "raw";
        recursive = true;
        extraArgs = sendRecvArgs ++ excludeArgs ++ [
          "--sshconfig"
          "${sshConfigFile}"
        ];
      };
    };
in
{
  # Allow outbound TCP for the syncoid service UIDs.
  # NOTE(review): the rule matches any TCP destination and port, not only SSH
  # to ${targetHost} as the comment suggests; a `tcp dport` (and daddr) match
  # would narrow it. The ssh config above sets no Port, so confirm the port
  # in use before tightening.
  networking.nftables.ruleset = lib.mkAfter ''
    table inet filter {
      chain output-net {
        skuid @nixos_syncoid_uids \
        meta l4proto tcp \
        counter accept \
        comment "syncoid: SSH"
      }
    }
  '';

  # Make the ZFS control device group-writable for `disk`, the group the
  # syncoid service runs under (see services.syncoid.service below), so it can
  # send without root. Write access to /dev/zfs is a broad grant: keep the
  # membership of `disk` small.
  systemd.tmpfiles.rules = [ "z /dev/zfs 0660 - ${diskGroup} -" ];

  systemd.services."syncoid-${hostName}-root".serviceConfig = {
    # Expose /var/run inside the service's root so it can reach
    # /var/run/avahi-daemon/socket (presumably for resolving the .local
    # target name). Binding /var/run only works once RootDirectoryStartOnly
    # is switched off.
    BindReadOnlyPaths = [ "/var/run" ];
    RootDirectoryStartOnly = lib.mkForce false;
    # After each run, mirror every snapshot under the source dataset as a
    # bookmark of the same name (`@` -> `#`). Best-effort: a failing
    # `zfs bookmark` (e.g. the bookmark already exists) is ignored.
    ExecStartPost = pkgs.writeShellScript "zfs-fix-bookmarks" ''
      set -ux
      for s in $(zfs list -Hrpt snapshot -o name ${hostName}/root); do
        zfs bookmark "$s" "''${s//@/#}" || true
      done
    '';
  };

  services.syncoid = {
    enable = true;
    # Every hour, five minutes past.
    interval = "*-*-* *:05:00";
    #interval = "*:0/1";
    # name:path credential reference; the .cred file is presumably a
    # systemd-creds encrypted blob rather than a plaintext key — confirm.
    sshKey = "ssh.key:${syncoid/ssh.key.cred}";
    commonArgs = [
      "--no-sync-snap"
      "--create-bookmark"
      # Intentionally disabled for now:
      #"--debug"
      #"--no-privilege-elevation"
      #"--no-stream"
      #"--preserve-recordsize"
      #"--preserve-properties"
    ];
    service.serviceConfig.Group = diskGroup;
    commands = backupConf { };
  };

  # Interactive counterpart of the service: same dataset, excludes and flags,
  # but run as root through sudo with julm's own key. When the target pool is
  # not imported locally, the destination is prefixed with the SSH host.
  # `local -` scopes the shell options, so `set -x` is undone on return.
  # NOTE(review): this path passes no --sshconfig, so host-key verification
  # follows whatever ssh configuration the sudo'd process sees, not the pinned
  # known_hosts used by the service.
  # NOTE(review): `zfs-fix-bookmarks` is resolved from PATH here; the
  # ExecStartPost script of the same name above is a store path that ignores
  # its argument, so confirm a PATH-installed command exists — a missing one
  # is hidden by the 2>/dev/null.
  programs.bash.interactiveShellInit = ''
    zfs-backup () {
      local -
      set -x
      dst=
      if ! zpool list ${backupTarget}
      then dst=aubergine.sp:
      fi
      sudo syncoid --sshkey ~julm/.ssh/id_ed25519 \
        ${lib.concatStringsSep " " sendRecvArgs} \
        ${lib.concatStringsSep " " excludeArgs} \
        ${hostName}/root \
        ''${dst}${backupTarget}/julm/backup/${hostName}
      zfs-fix-bookmarks ${hostName}/root 2>/dev/null
    }
  '';
}