# NixOS module factory: runs Syncthing as a home-manager user service for
# `user`, with a fixed device identity (key + certificate) delivered by sops-nix.
#
# Arguments:
#   user - attribute set with at least a `name` field; evaluation aborts with
#          "user argument is required" when it is omitted.
{
  user ? throw "user argument is required",
}:
{ config, ... }:
let
  # Ownership shared by both secrets: the account that runs Syncthing must be
  # able to read them. No `mode` is set, so sops-nix's default applies
  # (owner-only 0400 at the time of writing - confirm for the pinned version).
  userOwned = {
    owner = user.name;
    group = "users";
  };

  # Runtime path of a decrypted sops secret.
  secretPath = name: config.sops.secrets.${name}.path;
in
{
  # Syncthing's default listeners: 22000/tcp and 22000/udp carry sync traffic,
  # 21027/udp is local-network discovery. These options open the ports on
  # every interface; on hosts with an untrusted interface, consider scoping
  # them with networking.firewall.interfaces.<name> instead.
  networking.firewall.allowedTCPPorts = [ 22000 ];
  networking.firewall.allowedUDPPorts = [
    21027
    22000
  ];

  # The private key is the device's identity: Syncthing derives the device ID
  # from the certificate, and peers authenticate the device by it. Anyone who
  # can read the key can impersonate this device to its peers, so keep it only
  # in the encrypted sops file and remove the plaintext key.pem after import.
  #
  # openssl ecparam -name prime256v1 -genkey -noout -out key.pem
  sops.secrets."syncthing/key" = userOwned;

  # Self-signed certificate for the key above, valid for 3650 days. Replacing
  # it changes the device ID that peers have approved.
  #
  # openssl req -new -x509 -key key.pem -out cert.pem -days 3650
  sops.secrets."syncthing/cert" = userOwned;

  home-manager.users.${user.name}.services.syncthing = {
    enable = true;

    # Use the sops-managed identity instead of one generated on first start.
    key = secretPath "syncthing/key";
    cert = secretPath "syncthing/cert";

    # Do not create the default shared folder on first start.
    # NOTE(review): single-dash long flags may be rejected by newer Syncthing
    # releases - verify against the packaged version.
    extraOptions = [ "-no-default-folder" ];

    # -1 records the usage-reporting prompt as declined (no telemetry).
    settings.options.urAccepted = -1;
  };
}