# NixOS module: Paperless served through Caddy, with sign-in delegated to an
# OpenID Connect provider (the "pocket-id" app at auth.wanderingcrow.net).
{ inputs, config, ... }:
let
  cfg = config.services.paperless;
  host = "paperless.wanderingcrow.net";

  sopsFolder = inputs.nix-secrets + "/sops";
  servicesYaml = "${sopsFolder}/services.yaml";

  # Only sops-nix placeholders are interpolated here, so Nix evaluation never
  # sees the real client id or secret; they are filled in when the template
  # is rendered on the host.
  oidcClientId = config.sops.placeholder."paperless/oidc/client";
  oidcClientSecret = config.sops.placeholder."paperless/oidc/secret";
in
{
  # Caddy fronts the public hostname and forwards to Paperless over plain HTTP.
  # That hop stays on the address/port set below (127.0.0.1:28981), so the
  # application itself is not bound to an external interface.
  services.caddy.virtualHosts.${host}.extraConfig = ''
    reverse_proxy http://${cfg.address}:${toString cfg.port}
  '';

  # Both OIDC credentials are read from the same encrypted sops file.
  sops.secrets = {
    "paperless/oidc/client".sopsFile = servicesYaml;
    "paperless/oidc/secret".sopsFile = servicesYaml;
  };

  # Rendered env file carrying the provider definition, including the client
  # secret. It is passed via environmentFile rather than `settings` so the
  # secret is not written out as a plain Nix value.
  # NOTE(review): no owner/mode is set on this template, so sops-nix defaults
  # apply; confirm the rendered file is readable only by whatever loads
  # environmentFile for the Paperless units.
  sops.templates."paperless-env".content = ''
    PAPERLESS_SOCIALACCOUNT_PROVIDERS={"openid_connect":{"SCOPE":["openid","profile","email"],"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"pocket-id","name":"Pocket-ID","client_id":"${oidcClientId}","secret":"${oidcClientSecret}","settings":{"server_url":"https://auth.wanderingcrow.net"}}]}}
  '';

  services.paperless = {
    enable = true;
    domain = host;
    address = "127.0.0.1";
    port = 28981;
    database.createLocally = true;

    # NOTE(review): presumably this produces on-disk exports of the stored
    # documents; confirm where they are written and that the location is
    # protected like the primary data.
    exporter.enable = true;

    environmentFile = config.sops.templates."paperless-env".path;

    settings = {
      PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";

      # Local username/password login is switched off and the login page
      # redirects to SSO, so the identity provider is the only way in.
      # NOTE(review): account creation through the provider is not restricted
      # anywhere in this file; confirm the signup policy (for example
      # PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS) matches who may use this
      # instance, and that there is a recovery path if the provider is down.
      PAPERLESS_DISABLE_REGULAR_LOGIN = true;
      PAPERLESS_REDIRECT_LOGIN_TO_SSO = true;
    };
  };
}