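# NixOS module: exports a Time Machine backup volume over AFP (netatalk) and
# advertises it on the local network through Avahi/mDNS.
{ config, pkgs, ... }:
let
  # Directory backing the Time Machine volume. This module neither creates it
  # nor sets its ownership, so it has to exist and be writable by `user`.
  timeMachineDir = "/tank/backup/worf2";

  # Dedicated account: the only one listed in "valid users" for the volume.
  user = "worf-backup";

  sizeLimit = "1000000"; # MiB

  # Client addresses accepted by netatalk ("hosts allow").
  allowedIPs = "192.168.10.2 192.168.10.34"; #TODO
in
{
  services.avahi = {
    enable = true;
    publish = {
      enable = true;
      # Lets services register their own mDNS records, so netatalk can
      # announce the volume to clients.
      userServices = true;
    };
  };

  services.netatalk = {
    enable = true;

    settings = {
      Global = {
        "mimic model" = "TimeCapsule6,106";  # show the icon for the first gen TC
        # The firewall rule at the bottom opens the AFP port to every source
        # address; this allowlist is the only per-client filter in the module.
        "hosts allow" = allowedIPs;
      };

      "worf-time-machine" = {
        "time machine" = "yes";
        "path" = timeMachineDir;
        # Only the dedicated backup account may mount the volume.
        "valid users" = user;
        # Caps the space the volume reports to clients, so backups cannot
        # grow without bound on the underlying filesystem.
        "vol size limit" = sizeLimit;
      };
    };
  };

  # Keyed by `user` instead of a second hard-coded "worf-backup", so the
  # account, its group and "valid users" cannot drift apart. `users.users` is
  # the current name of the `users.extraUsers` option.
  # NOTE(review): no credential for this account is declared here; it has to
  # be provisioned outside this module.
  users.users.${user} = {
    isSystemUser = true;
    group = user;
  };
  users.groups.${user} = { };

  # 548/tcp is AFP.
  # NOTE(review): 636/tcp is the LDAPS port and nothing in this module
  # configures an LDAP service; confirm another module needs it, otherwise
  # drop it so only the AFP port is exposed.
  networking.firewall.allowedTCPPorts = [ 548 636 ];
}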