# Syncthing for a single user: a NixOS module that opens the firewall, declares
# the sops-managed device key and certificate, and configures the home-manager
# Syncthing service for `user`.
#
# Outer arguments:
#   user - account that owns the secrets and runs the home-manager service.
#   home - required by the signature but not referenced in this file.
{
  user ? throw "user argument is required",
  home ? throw "home argument is required",
}:
{ config, utils, ... }:
let
  # Ownership shared by both Syncthing secrets. sops-nix's default secret mode
  # is owner-read-only, so the group matters only if a mode is set elsewhere.
  userOwned = {
    owner = user;
    group = "users";
  };

  # Runtime path of a decrypted sops secret. Only the path is referenced here,
  # so the key material itself is not copied into the Nix store by this module.
  secretPath = name: config.sops.secrets.${name}.path;
in
{
  # 22000/tcp and 22000/udp carry the sync protocol and 21027/udp is local
  # discovery. These rules apply to every interface; if syncing is only wanted
  # on a trusted network, scope them with networking.firewall.interfaces.<name>.
  networking.firewall.allowedTCPPorts = [ 22000 ];
  networking.firewall.allowedUDPPorts = [ 21027 22000 ];

  # The device identity is pinned through sops, so the device ID stays stable
  # across rebuilds. The openssl commands below write an unencrypted key.pem;
  # keep only the sops-encrypted copy once it has been imported.
  #
  # openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:3072
  sops.secrets."syncthing/key" = userOwned;
  # openssl req -new -x509 -key key.pem -out cert.pem -days 9999 -subj "/CN=syncthing"
  sops.secrets."syncthing/cert" = userOwned;

  home-manager.users.${user} = {
    services.syncthing = {
      enable = true;
      key = secretPath "syncthing/key";
      cert = secretPath "syncthing/cert";

      # NOTE(review): newer Syncthing releases changed command-line option
      # handling; confirm this single-dash flag against the packaged version.
      extraOptions = [ "-no-default-folder" ];

      # -1 declines anonymous usage reporting instead of leaving it undecided.
      settings.options.urAccepted = -1;

      # Peers this device will talk to. A device ID identifies a peer and is
      # not a credential: the peer also has to accept this device.
      settings.devices.amalthea.id = "2W7YT6Q-TO7CYMW-JH6QZXE-7Q6MDQQ-HPHKP4A-VI5HP7G-KLMGMST-MNRYHQG"; # Google Pixel 8 Pro
      settings.devices.ganymede.id = "DXJPEJA-JNGF6I4-VIZYTX7-U345C5V-HIUTSFC-D36N2EM-Y3FAKJM-PRKYQAI"; # Samsung Galaxy Tab S7+
    };

    # Start Syncthing only after the secrets and local filesystems are ready.
    # NOTE(review): the secrets above are declared at the system level; confirm
    # that a user-level sops-nix.service exists, otherwise this ordering has no
    # effect.
    systemd.user.services.syncthing.Unit = {
      After = [
        "sops-nix.service"
        "local-fs.target"
      ];
    };
  };
}