# NixOS module: Trilium notes server behind Caddy, with OIDC client credentials
# supplied through sops-nix.
{
  lib,
  config,
  pkgs,
  inputs,
  ...
}: let
  # Encrypted secrets come from the `nix-secrets` flake input.
  secretsDir = builtins.toString inputs.nix-secrets + "/sops";
  servicesSopsFile = "${secretsDir}/services.yaml";

  # Both OIDC values are stored in the same sops file.
  oidcSecret = {sopsFile = servicesSopsFile;};

  # Single source for the backend port so the service and the proxy agree.
  backendPort = 8090;

  # Replacement for the stock trilium module, fetched at evaluation time.
  # NOTE(review): the URL follows a moving branch (refs/heads/master) while the
  # hash pins one exact file content, so an upstream edit to the file produces
  # a hash mismatch instead of silently importing different code. That fails
  # closed, but it also means a fresh fetch can stop working at any time.
  # A commit-pinned URL (.../nixpkgs/<commit-sha>/nixos/modules/...) would keep
  # the same integrity guarantee and stay reproducible. Review the upstream
  # change whenever this hash is bumped: the imported file defines a system
  # service.
  upstreamTriliumModule = builtins.fetchurl {
    url = "https://raw.githubusercontent.com/NixOS/nixpkgs/refs/heads/master/nixos/modules/services/web-apps/trilium.nix";
    sha256 = "sha256:1y4xqwf011lkjzpn5ygmdn7chbwshha16h53hwydlx76avzsmd8j";
  };
in {
  # Swap the module shipped with the pinned nixpkgs for the fetched one; both
  # cannot be loaded at once because they declare the same options.
  disabledModules = ["${inputs.nixpkgs}/nixos/modules/services/web-apps/trilium.nix"];
  imports = [upstreamTriliumModule];

  sops.secrets."trilium/oidc/id" = oidcSecret;
  sops.secrets."trilium/oidc/secret" = oidcSecret;

  # Environment file for the Trilium unit. The client id and secret appear here
  # only as sops placeholders, so the text that lands in the Nix store holds no
  # credential; sops-nix writes the real values into the rendered file.
  # NOTE(review): owner and mode of the rendered file are not set here and fall
  # back to sops-nix defaults. Confirm they are restrictive and that the unit
  # can still load the file.
  sops.templates."trilium-secrets".content = ''
    TRILIUM_OAUTH_ISSUER_BASE_URL=https://auth.wanderingcrow.net/.well-known/openid-configuration
    TRILIUM_OAUTH_BASE_URL=https://notes.wanderingcrow.net
    TRILIUM_OAUTH_CLIENT_ID=${config.sops.placeholder."trilium/oidc/id"}
    TRILIUM_OAUTH_CLIENT_SECRET=${config.sops.placeholder."trilium/oidc/secret"}
    TRILIUM_OAUTH_ISSUER_NAME=Pocket ID
    TRILIUM_OAUTH_ISSUER_ICON=https://auth.wanderingcrow.net/api/application-images/favicon
  '';

  # NOTE(review): no bind address is set for trilium-server in this file, so
  # whether the backend port is reachable from other hosts (bypassing Caddy and
  # its TLS) depends on the imported module's default and on the firewall.
  # Verify that it listens on loopback only.
  services.trilium-server = {
    enable = true;
    package = pkgs.trilium-next-server;
    instanceName = "WanderingCrow";
    port = backendPort;
    environmentFile = config.sops.templates."trilium-secrets".path;
  };

  # Caddy serves the public name and forwards to the backend over plain HTTP on
  # the loopback interface.
  services.caddy = {
    enable = true;
    virtualHosts."notes.wanderingcrow.net".extraConfig = ''
      reverse_proxy http://127.0.0.1:${toString backendPort}
    '';
  };
}