{ pkgs, lib, config, hostName, hosts, ... }:
let
  inherit (config) networking;
  inherit (config.services) syncoid;
  inherit (config.security) gnupg;
  inherit (config.users) groups;
in
{
networking.nftables.ruleset = ''
  add rule inet filter fw2net \
    skuid "${syncoid.user}" \
    tcp dport 22 \
    ip daddr ${hosts.mermet.extraArgs.ipv4} \
    counter accept \
    comment "SSH to mermet"
'';
security.gnupg.secrets."ssh/backup.ssh-ed25519" = {
  user = syncoid.user;
};
users.groups.keys.members = [ syncoid.user ];
systemd.tmpfiles.rules = [
  "z /dev/zfs 0660 - disk  -"
];
services.syncoid = {
  enable = true;
  interval = "*-*-* *:05:00";
  group = "disk";
  #interval = "*:0/1";
  sshKey = gnupg.secrets."ssh/backup.ssh-ed25519".path;
  commonArgs = [
    "--no-sync-snap"
    "--create-bookmark"
    #"--no-privilege-elevation"
    #"--no-stream"
  ];
  service = {
    after = [ gnupg.secrets."ssh/backup.ssh-ed25519".service ];
    wants = [ gnupg.secrets."ssh/backup.ssh-ed25519".service ];
  };
  commands = {
    "${hostName}/home/julm/work" = {
      sendOptions = "raw";
      target = "backup@mermet.${networking.domain}:rpool/backup/${hostName}/home/julm/work";
    };
    "backup@mermet.${networking.domain}:rpool/var/mail" = {
      sendOptions = "raw";
      target = "${hostName}/backup/mermet/var/mail";
    };
    "backup@mermet.${networking.domain}:rpool/var/prosody" = {
      sendOptions = "raw";
      target = "${hostName}/backup/mermet/var/prosody";
    };
    "backup@mermet.${networking.domain}:rpool/var/public-inbox" = {
      sendOptions = "raw";
      target = "${hostName}/backup/mermet/var/public-inbox";
    };
    "backup@mermet.${networking.domain}:rpool/var/www" = {
      sendOptions = "raw";
      target = "${hostName}/backup/mermet/var/www";
    };
    "backup@mermet.${networking.domain}:rpool/var/git" = {
      sendOptions = "raw";
      target = "${hostName}/backup/mermet/var/git";
    };
    "backup@mermet.${networking.domain}:rpool/var/redis" = {
      sendOptions = "raw";
      target = "${hostName}/backup/mermet/var/redis";
    };
    "backup@mermet.${networking.domain}:rpool/home/julm/mail" = {
      sendOptions = "raw";
      target = "${hostName}/backup/mermet/home/julm/mail";
    };
    "backup@mermet.${networking.domain}:rpool/home/julm/log" = {
      sendOptions = "raw";
      target = "${hostName}/backup/mermet/home/julm/log";
    };
  };
};
}