# NixOS module: Syncthing with its web GUI bound to loopback and published
# through a Caddy reverse proxy, plus firewall openings for the sync protocol.
#
# `lib.serviceMountWithZpool`, `lib.serviceFilePerms` and
# `lib.mkCaddyReverseProxy` are project helpers defined outside this file;
# the comments below describe only what is passed to them.
{ config, lib, pkgs, service_configs, ... }:
let
  syncthingCfg = config.services.syncthing;
  paths = service_configs.syncthing;
  guiPort = service_configs.ports.private.syncthing_gui.port;
  publicPorts = service_configs.ports.public;

  # Directories that are both mounted with the SSD zpool and given
  # restricted ownership. Order is kept identical for both helpers.
  managedDirs = [
    paths.dataDir
    paths.signalBackupDir
    paths.grayjayBackupDir
  ];

  # One rule per directory: mode 0750 (no access for "other"), owned by the
  # Syncthing service user and group. The strings look like systemd-tmpfiles
  # "Z" rules -- confirm against serviceFilePerms.
  permRule = dir: "Z ${dir} 0750 ${syncthingCfg.user} ${syncthingCfg.group}";
in
{
  imports = [
    (lib.serviceMountWithZpool "syncthing" service_configs.zpool_ssds managedDirs)
    (lib.serviceFilePerms "syncthing" (map permRule managedDirs))
    # NOTE(review): `auth = true` presumably puts proxy-level authentication
    # in front of the GUI; the skipped host check below depends on it, so
    # verify what the helper actually enforces.
    (lib.mkCaddyReverseProxy {
      subdomain = "syncthing";
      port = guiPort;
      auth = true;
    })
  ];

  services.syncthing = {
    enable = true;
    dataDir = paths.dataDir;

    # Loopback only: the GUI/REST API is reachable from the network solely
    # through the reverse proxy declared in `imports`.
    guiAddress = "127.0.0.1:${toString guiPort}";

    # Devices and folders added through the GUI are kept rather than being
    # reset to the declarative config, so the set of trusted peers lives in
    # Syncthing's own state and should be audited there.
    overrideDevices = false;
    overrideFolders = false;

    settings = {
      gui = {
        # Allow access via reverse proxy. This turns off Syncthing's Host
        # header validation, which is its guard against DNS rebinding on a
        # localhost listener; the loopback bind and the proxy's auth are
        # what protect the GUI once it is disabled.
        insecureSkipHostcheck = true;
      };
      options = {
        # Enable usage reporting (opts in to sending anonymous usage
        # statistics upstream).
        urAccepted = 1;
        # Permit connections via relay servers when peers cannot reach each
        # other directly.
        relaysEnabled = true;
      };
    };
  };

  # Open firewall ports for the Syncthing protocol. The sync port is opened
  # on both TCP and UDP; the discovery port on UDP only. The GUI port is
  # deliberately not listed here.
  networking.firewall.allowedTCPPorts = [
    publicPorts.syncthing_protocol.port
  ];
  networking.firewall.allowedUDPPorts = [
    publicPorts.syncthing_discovery.port
    publicPorts.syncthing_protocol.port
  ];
}