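# NixOS module: declarative Syncthing setup. The device key, certificate and
# GUI password are provisioned from sops-nix secrets; devices and folders are
# pinned here and override anything added through the GUI.
{ config, lib, ... }:
let
  inherit (config.networking) hostName;

  # Only the host named "workstation" owns the folders shared with the phones.
  isMainHost = hostName == "workstation";

  # Folder shared with the two mobile devices. Wrapped in mkIf, so the folder
  # is only defined when this module is evaluated on the main host.
  mkMobile =
    path:
    lib.mkIf isMainHost {
      inherit path;
      ignorePerms = false;
      devices = [
        "galaxy"
        "phone"
      ];
    };
in
{
  options.my.services.syncthing.enable = lib.mkEnableOption "Syncthing file synchronization";

  # Active only when the service is enabled AND the host is flagged as secure
  # (config.my.secureHost is declared elsewhere).
  config = lib.mkIf (config.my.services.syncthing.enable && config.my.secureHost) {
    sops.secrets = {
      # Per-host device identity. Key and cert are decrypted straight to the
      # locations Syncthing reads them from and are owned by the service user.
      "syncthing_keys/${hostName}" = {
        sopsFile = ../../secrets/keys.yaml;
        owner = config.users.users.jawz.name;
        inherit (config.users.users.jawz) group;
        path = "/home/jawz/.config/syncthing/key.pem";
      };
      "syncthing_certs/${hostName}" = {
        sopsFile = ../../secrets/keys.yaml;
        owner = config.users.users.jawz.name;
        inherit (config.users.users.jawz) group;
        path = "/home/jawz/.config/syncthing/cert.pem";
      };
      # GUI password. Owned by the service user so that the unit applying the
      # Syncthing configuration can read it.
      # NOTE(review): assumes that unit runs as services.syncthing.user; confirm
      # against the nixpkgs revision in use.
      "syncthing_password" = {
        sopsFile = ../../secrets/keys.yaml;
        owner = config.users.users.jawz.name;
        inherit (config.users.users.jawz) group;
      };
    };

    services.syncthing = {
      enable = true;
      user = "jawz";
      group = "users";
      # Declared devices/folders are authoritative: anything added by hand in
      # the GUI is dropped, so the peer list cannot drift from this file.
      overrideDevices = true;
      overrideFolders = true;
      openDefaultPorts = true;
      key = config.sops.secrets."syncthing_keys/${hostName}".path;
      cert = config.sops.secrets."syncthing_certs/${hostName}".path;
      # The GUI / REST API binds to this host's address from config.my.ips, not
      # to loopback.
      # NOTE(review): whether port 8384 is reachable from other machines depends
      # on firewall rules that are not visible in this file; confirm it is
      # limited to the intended network.
      guiAddress = "${config.my.ips."${hostName}"}:8384";
      # Hand the module the secret *file*. The previous
      # `settings.gui.password = config.sops.secrets.syncthing_password.path`
      # evaluated to the path string itself, so the effective GUI password was
      # that predictable path (and the string was part of the evaluated
      # configuration) rather than the secret's contents.
      # NOTE(review): guiPasswordFile needs a nixpkgs revision that ships this
      # option; on an older channel evaluation fails loudly instead of silently
      # weakening the password.
      guiPasswordFile = config.sops.secrets.syncthing_password.path;
      settings = {
        options = {
          # No NAT traversal, public relays or global discovery: peers are
          # reached only through addresses this host already knows.
          natEnabled = false;
          relaysEnabled = false;
          globalAnnounceEnabled = false;
        };
        gui = {
          user = "jawz";
        };
        devices = {
          server.id = "BG6PF7S-KATABWO-7WAZFMX-6YO7IS3-WQTMR3M-VSOSV7V-HFFMNNH-BFX2EQ4";
          miniserver.id = "HDYEGIR-GFU7ONK-MOOJUFH-N3L3XHX-SXWN3FI-O23K6LD-BJENQK5-VIPV2AT";
          workstation.id = "4E4KJ6M-MSTNBVF-D7CNHDW-DUTB3VR-SXKZ4NH-ZKAOMF5-V24JECJ-4STSZAA";
          galaxy.id = "UAZ5YDV-YUFBXOY-QMS6S6R-WPIIKZI-4OPPW5L-G4OVUPO-YW5KFYY-YASRAAV";
          phone.id = "OSOX2VZ-AO2SA3C-BFB6NKF-K6CR6WX-64TDBKW-RRKEKJ4-FKZE5CV-J2RGJAJ";
          # External peer: pinned to a single address, and explicitly denied
          # the ability to introduce devices or have its folders auto-accepted.
          wg-friend1 = {
            id = "XBIYCD4-EFKS5SK-WFF73CU-P37GXVH-OMWEIA4-6KC5F3L-U5UQWSF-SYNNRQF";
            addresses = [ "tcp://${config.my.ips.wg-friend1}:22000" ];
            introducer = false;
            autoAcceptFolders = false;
            paused = false;
          };
        };
        folders = {
          cache = mkMobile "~/Downloads/cache/";
          friends = mkMobile "~/Pictures/artist/friends/";
          forme = mkMobile "~/Pictures/art for me/";
          comfy = mkMobile "~/Development/AI/ComfyUI/output/";
          gdl = {
            path = "~/.config/jawz/";
            ignorePerms = false;
            devices = [
              "server"
              "miniserver"
              "workstation"
            ];
          };
          # Browser profile: the main host only sends, every other host only
          # receives, so a non-main host cannot push profile changes back.
          librewolf = {
            path = "~/.librewolf/";
            ignorePerms = false;
            copyOwnershipFromParent = true;
            type = if isMainHost then "sendonly" else "receiveonly";
            devices = [
              "server"
              "miniserver"
              "workstation"
            ];
          };
          notes = {
            path = "~/Documents/Notes";
            ignorePerms = false;
            devices = [
              "galaxy"
              "phone"
              "server"
              "miniserver"
              "workstation"
            ];
          };
          # The only folder shared with the external peer, and it is read/write
          # for that peer.
          # NOTE(review): the path says "encrypted", but nothing in this file
          # shows the contents being encrypted before they land here; confirm.
          friend_share = {
            path = "~/Pictures/encrypted/friends";
            ignorePerms = false;
            type = "sendreceive";
            devices = [
              "server"
              "workstation"
              "wg-friend1"
            ];
          };
        };
      };
    };
  };
}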