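# NixOS module: Trilium notes server behind Caddy, with OIDC client
# credentials supplied through sops-nix.
{
  lib,
  config,
  pkgs,
  inputs,
  ...
}: let
  # Encrypted sops files are read from the `nix-secrets` flake input.
  sopsFolder = builtins.toString inputs.nix-secrets + "/sops";

  # Both OIDC credentials are stored in the same encrypted file.
  servicesSecret = {
    sopsFile = "${sopsFolder}/services.yaml";
  };

  # Single source of truth for the backend listener, so the service and the
  # reverse-proxy upstream cannot drift apart.
  triliumHost = "127.0.0.1";
  triliumPort = 8090;
in {
  sops.secrets = {
    "trilium/oidc/id" = servicesSecret;
    "trilium/oidc/secret" = servicesSecret;
  };

  # sops-nix renders this template at activation time and substitutes the
  # placeholders with the decrypted values, so the client secret is never
  # written into the world-readable Nix store.
  # NOTE(review): ownership and mode are left at the sops-nix defaults;
  # confirm they are as restrictive as intended for this file.
  # NOTE(review): the issuer value points at the discovery document rather
  # than the bare issuer URL; confirm Trilium's OIDC client accepts this form.
  sops.templates."trilium-secrets".content = ''
    TRILIUM_OAUTH_ISSUER_BASE_URL=https://auth.wanderingcrow.net/.well-known/openid-configuration
    TRILIUM_OAUTH_BASE_URL=https://notes.wanderingcrow.net
    TRILIUM_OAUTH_CLIENT_ID=${config.sops.placeholder."trilium/oidc/id"}
    TRILIUM_OAUTH_CLIENT_SECRET=${config.sops.placeholder."trilium/oidc/secret"}
    TRILIUM_OAUTH_ISSUER_NAME=Pocket ID
    TRILIUM_OAUTH_ISSUER_ICON=https://auth.wanderingcrow.net/api/application-images/favicon
  '';

  services = {
    trilium-server = {
      enable = true;
      package = pkgs.trilium-next-server;
      instanceName = "WanderingCrow";
      # Bind to loopback explicitly instead of relying on the module default:
      # the proxy hop below is plain HTTP, so the backend must only be
      # reachable through Caddy.
      host = triliumHost;
      port = triliumPort;
      # Path of the rendered sops template holding the OIDC settings.
      environmentFile = config.sops.templates."trilium-secrets".path;
    };

    caddy = {
      enable = true;
      # Public entry point; the upstream is derived from the values the
      # service is configured with above.
      virtualHosts."notes.wanderingcrow.net".extraConfig = ''
        reverse_proxy http://${triliumHost}:${toString triliumPort}
      '';
    };
  };
}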