{ ... }:
{
  networking.firewall.extraCommands = ''
    iptables -A nixos-fw -p tcp --source 192.168.0.0/24 --dport 28981:28981 -j nixos-fw-accept
  '';

  systemd.services = {
    paperless-scheduler.after = [ "var-lib-paperless.mount" ];
    paperless-consumer.after = [ "var-lib-paperless.mount" ];
    paperless-web.after = [ "var-lib-paperless.mount" ];
  };

  services = {
    paperless = {
      enable = true;
      address = "0.0.0.0";
      port = 28981;
      consumptionDirIsPublic = true;
      passwordFile = "/run/agenix/etebase";
      settings = {
        PAPERLESS_OCR_LANGUAGE = "eng";
        PAPERLESS_URL = "https://paperless.bhankas.org";
        PAPERLESS_ALLOWED_HOSTS = "127.0.0.1,paperless.bhankas.org";
        PAPERLESS_ADMIN_USER = "root";
        PAPERLESS_CSRF_TRUSTED_ORIGINS = "https://paperless.bhankas.org";
        PAPERLESS_USE_X_FORWARD_HOST = true;
        PAPERLESS_PROXY_SSL_HEADER = "[\"HTTP_XFORWARDED_PROTO\", \"https\"]";
        PAPERLESS_CONSUMER_RECURSIVE = true;
        PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS = true;
      };
    };
    nginx = {
      virtualHosts = {
        "paperless.bhankas.org" = {
          addSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:28981";
            proxyWebsockets = false;
            extraConfig = "proxy_set_header Host $host;";
          };
        };
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    certs = {
      "paperless.bhankas.org" = {
        email = "admin@bhankas.org";
        dnsResolver = "1.1.1.1:53";
      };
    };
  };
}