# Syncthing service module.
#
# - Mounts the three Syncthing directories through the project helper
#   lib.serviceMountWithZpool (helper semantics are not visible in this file).
# - Binds the web GUI to loopback and publishes it through a Caddy virtual host.
# - Opens only the sync-protocol TCP port and the discovery UDP port.
{
  config,
  lib,
  pkgs,
  service_configs,
  ...
}:
let
  syncCfg = service_configs.syncthing;
  svc = config.services.syncthing;
  guiPort = toString service_configs.ports.syncthing_gui;

  # Directories owned by the Syncthing service. The order is kept because the
  # same list feeds both the zpool mount helper and the tmpfiles rules.
  managedDirs = [
    syncCfg.dataDir
    syncCfg.signalBackupDir
    syncCfg.grayjayBackupDir
  ];
in
{
  imports = [
    (lib.serviceMountWithZpool "syncthing" service_configs.zpool_ssds managedDirs)
  ];

  services.syncthing = {
    enable = true;
    inherit (syncCfg) dataDir;

    # Loopback only: the Caddy virtual host below is the only network path to
    # the GUI, and the GUI port is not in the firewall allow-lists.
    guiAddress = "127.0.0.1:${guiPort}";

    # Devices and folders added through the GUI/API are kept rather than
    # replaced by a Nix-declared set. The peer trust list therefore lives in
    # Syncthing's own state, and anyone who can reach the GUI can change it.
    overrideDevices = false;
    overrideFolders = false;

    # Allow access via reverse proxy.
    # This turns off Syncthing's Host-header validation on the GUI/API
    # listener, which is its defence against DNS rebinding on loopback.
    # NOTE(review): no GUI user/password is set in this module, so unless one
    # is configured in Syncthing itself, authentication rests entirely on the
    # Caddy snippet imported below, and local processes that connect to
    # 127.0.0.1 directly do not pass through Caddy at all.
    # NOTE(review): having Caddy send a Host header that Syncthing accepts
    # (reverse_proxy `header_up Host ...`) may allow leaving the check on;
    # verify before switching.
    settings.gui.insecureSkipHostcheck = true;

    settings.options = {
      # enable usage reporting (anonymous usage data is sent to the Syncthing project)
      urAccepted = 1;
      # Relayed connections stay TLS-encrypted between the devices; the relay
      # operator can still observe connection metadata.
      relaysEnabled = true;
    };
  };

  # Open firewall ports for syncthing protocol
  networking.firewall.allowedTCPPorts = [ service_configs.ports.syncthing_protocol ];
  networking.firewall.allowedUDPPorts = [ service_configs.ports.syncthing_discovery ];

  # Only the path of the agenix-decrypted file is interpolated here; Caddy
  # reads its content when it loads the configuration, so the Caddy process
  # needs read access to that file.
  # NOTE(review): presumably the imported snippet carries the auth directive
  # for this site; confirm, since it is the only authentication layer visible
  # in this module.
  services.caddy.virtualHosts."syncthing.${service_configs.https.domain}".extraConfig = ''
    import ${config.age.secrets.caddy_auth.path}
    reverse_proxy :${guiPort}
  '';

  # "Z" recursively resets owner, group and mode each time tmpfiles rules are
  # applied. Mode 0750 leaves no access for "other".
  systemd.tmpfiles.rules = map (dir: "Z ${dir} 0750 ${svc.user} ${svc.group}") managedDirs;
}