nodes['htz-hel.backup-kunsi'] = {
    'hostname': '2a01:4f9:6b:2d99::1337',
    'bundles': {
        'backup-server',
        'dm-crypt',
        'zfs',
    },
    'groups': {
        'debian-bullseye',
    },
    'metadata': {
        'apt': {
            'unattended-upgrades': {
                # requires manual apply after reboot to unlock dm-crypt
                # devices
                'reboot-enabled': False,
            },
        },
        'interfaces': {
            'ens18': {
                'ips': {
                    '2a01:4f9:6b:2d99::1337/64',
                },
                'gateway6': '2a01:4f9:6b:2d99::2',
            },
        },
        'backups': {
            # This is the backup target.
            'exclude_from_backups': True,
        },
        'backup-server': {
            'encrypted-devices': {
                '/dev/sdb1': bwpass.password('bw/backup-kunsi/encryption-passphrase'),
            },
            'clients': {
                'kunsi-t470': {
                    'user': 'kunsi-t470',
                    'retain': {
                        'daily': 30,
                        'weekly': 6,
                        'monthly': 12,
                    },
                },
            },
        },
        'openssh': {
            'allowed_users': {
                'kunsi-t470', # backup user
            },
        },
    },
}