# NixOS module: ZFS replication between this host and mermet using syncoid over SSH.
#
# One dataset is pushed from this host to mermet, and a list of mermet datasets
# is pulled into ${hostName}/backup/mermet/. Every transfer logs in as the
# `backup` account on mermet with a single ed25519 key.
{ pkgs, lib, config, hostName, hosts, ... }:
let
  domain = config.networking.domain;
  diskGroup = config.users.groups."disk".name;

  # Secret entry for the SSH private key used by every syncoid transfer.
  # `.path` and `.service` are supplied by the security.gnupg.secrets module,
  # which is defined outside this file.
  backupKey = config.security.gnupg.secrets."ssh/backup.ssh-ed25519";

  # Remote account and host shared by the push and all pulls.
  mermet = "backup@mermet.${domain}";

  # Build the syncoid command entry that pulls rpool/<dataset> from mermet
  # into <hostName>/backup/mermet/<dataset> on this host.
  pullFromMermet = dataset: {
    name = "${mermet}:rpool/${dataset}";
    value = {
      sendOptions = "raw";
      target = "${hostName}/backup/mermet/${dataset}";
    };
  };

  # Datasets replicated from mermet; keep this list explicit so the backup
  # scope stays easy to audit.
  pulledDatasets = [
    "var/mail"
    "var/postgresql"
    "var/prosody"
    "var/public-inbox"
    "var/www"
    "var/git"
    "var/redis-rspamd"
    "home/julm/mail"
    "home/julm/log"
  ];
in
{
  # Egress rule appended after the rest of the ruleset: sockets owned by a UID
  # in the @nixos-syncoid-uids set may open outbound TCP connections.
  # NOTE(review): the rule comment says "allow SSH" but the match is
  # `meta l4proto tcp`, i.e. every TCP destination port. If only SSH is
  # intended, narrow it with `tcp dport <ssh-port-of-mermet>` (and ideally a
  # destination address match) so these UIDs cannot reach other services.
  networking.nftables.ruleset = lib.mkAfter ''
    add rule inet filter fw2net \
      meta skuid @nixos-syncoid-uids \
      meta l4proto tcp \
      counter accept \
      comment "syncoid: allow SSH"
  '';

  # Declare the secret with default settings so that its path and unit exist.
  security.gnupg.secrets."ssh/backup.ssh-ed25519" = { };

  # Re-apply mode 0660 and group `disk` on /dev/zfs (owner left unchanged), so
  # that the syncoid units, which run with Group=disk below, can open it.
  # NOTE(review): every member of `disk` gains read/write access to /dev/zfs,
  # and that group commonly also owns raw block devices; a dedicated group
  # would be a narrower grant. Confirm against this host's udev rules.
  systemd.tmpfiles.rules = [
    "z /dev/zfs 0660 - disk -"
  ];

  services.syncoid = {
    enable = true;

    # Presumably what fills the @nixos-syncoid-uids set referenced by the
    # firewall rule above; the option comes from a module not shown here.
    nftables.enable = true;

    # systemd calendar expression: every hour, at minute 05.
    interval = "*-*-* *:05:00";
    # Alternative kept from the original file (every minute):
    #interval = "*:0/1";

    sshKey = backupKey.path;

    commonArgs = [
      # Replicate existing snapshots instead of creating a syncoid-specific
      # one, and bookmark the latest replicated snapshot on the source.
      "--no-sync-snap"
      "--create-bookmark"
      # Disabled options kept from the original file:
      #"--debug"
      #"--no-privilege-elevation"
      #"--no-stream"
    ];

    service = {
      # Order after, and pull in, the unit that provisions the SSH key.
      # `wants` is a weak dependency: syncoid is still started if that unit
      # fails, and would then run without a usable key.
      after = [ backupKey.service ];
      wants = [ backupKey.service ];
      serviceConfig.Group = diskGroup;
    };

    # NOTE(review): sendOptions = "raw" presumably requests raw `zfs send`
    # streams so that encrypted datasets stay encrypted at the destination.
    # syncoid documents send options as option letters (e.g. "w"); verify on
    # a test dataset that this value really produces a raw send.
    commands = {
      # Push: local dataset -> mermet.
      "${hostName}/home/julm/work" = {
        sendOptions = "raw";
        target = "${mermet}:rpool/backup/${hostName}/home/julm/work";
      };
    }
    # Pull: mermet datasets -> this host.
    // lib.listToAttrs (map pullFromMermet pulledDatasets);
  };
}