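# Host configuration for a Paperless instance that runs in a Proxmox LXC
# container, stores its documents on a NAS share and offers OpenID Connect
# login through an authentik provider. The two secrets (admin password and
# OIDC client secret) are delivered by agenix and never enter the Nix store.
{
  config,
  pkgs,
  lib,
  ...
}:
let
  # Site-wide parameters; only p.domains.public is used in this file.
  p = import ../parameters.nix;
in
{
  age.secrets = {
    # Both secrets are only ever read. The previous mode "770" also granted
    # write and execute to owner and group, which a credential file never
    # needs. "0440" keeps every read path that existed before; tighten to
    # "0400" once it is confirmed that only the service user reads them.
    # NOTE(review): group is set to the service *user* name, which assumes a
    # group of the same name exists. Confirm against the paperless module.
    paperless-admin = {
      file = ../../secrets/paperless-admin.age;
      mode = "0440";
      owner = config.services.paperless.user;
      group = config.services.paperless.user;
    };
    paperless-oauth2-client-secret = {
      file = ../../secrets/paperless-oauth2-client-secret.age;
      mode = "0440";
      owner = config.services.paperless.user;
      group = config.services.paperless.user;
    };
  };

  my = {
    utils = {
      commons.enable = true;
      lxc-standard.enable = true;
    };

    services.paperless = {
      enable = true;
      passwordFile = config.age.secrets.paperless-admin.path;
      mediaDir = "/mnt/nas01/documents/paperless";

      settings = {
        PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
        # PAPERLESS_SOCIALACCOUNT_PROVIDERS_FILE = config.age.secrets.paperless-oicd.path;

        # This JSON is rendered at evaluation time and is therefore
        # world-readable in the Nix store, so it must not contain the client
        # secret. The secret is merged in at service start by the
        # paperless-web script override further down. The client_id is a
        # public OAuth identifier, not a credential.
        PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON ({
          openid_connect = {
            OAUTH_PKCE_ENABLED = true;
            APPS = [
              {
                provider_id = "authentik";
                name = "authentik";
                client_id = "MxETd4SMhYqRX6rhFvr8I4k6hCc6HDKvojVD2PQh";
                settings = {
                  server_url = "https://auth.pasetto.me/application/o/paperless/.well-known/openid-configuration";
                  oauth_pkce_enabled = true;
                };
              }
            ];
          };
        });

        # Social signup is open and automatic while local signup is closed:
        # any identity the IdP lets through to this application gets a
        # Paperless account on first login, without e-mail verification.
        # Access therefore has to be restricted on the authentik side
        # (application binding / policy), not here.
        PAPERLESS_SOCIAL_AUTO_SIGNUP = true;
        PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS = true;
        PAPERLESS_ACCOUNT_ALLOW_SIGNUPS = false;
        PAPERLESS_ACCOUNT_EMAIL_VERIFICATION = "none";

        # Password login stays available next to SSO, so the admin password
        # from passwordFile remains a live credential and the login form is
        # reachable on the public domain.
        PAPERLESS_DISABLE_REGULAR_LOGIN = false;
        PAPERLESS_REDIRECT_LOGIN_TO_SSO = false;
        PAPERLESS_ACCOUNT_SESSION_REMEMBER = true;

        # Group membership is taken from the IdP on login, so whoever manages
        # groups in authentik presumably also controls Paperless permissions.
        # Verify the group-to-permission mapping.
        PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS = true;

        PAPERLESS_FILENAME_FORMAT = "{{ created_year }}/{{ correspondent }}/{{ title }}";
      };

      proxy = {
        domain = p.domains.public;
      };
    };

    networking.nas-samba-share = {
      enable = true;
      allowUsers = [ config.services.paperless.user ];
    };

    virtualisation.proxmox.enable = true;
  };

  # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS
  #
  # Runs before the module's own start script (lib.mkBefore): reads the
  # decrypted client secret and writes it into the first APPS entry of the
  # provider JSON. The jq result is assigned to a plain variable first and
  # exported afterwards; `export VAR=$(cmd)` discards cmd's exit status, so a
  # failing jq would have exported an empty provider list and let the service
  # start with SSO silently unconfigured. With the split, the failure is seen
  # by the shell's errexit setting (which NixOS unit scripts normally enable).
  # The secret ends up in the service's environment, readable by the service
  # user and root through /proc; that is inherent to passing it this way.
  systemd.services.paperless-web.script = lib.mkBefore ''
    oidcSecret=$(< ${config.age.secrets.paperless-oauth2-client-secret.path})
    providersWithSecret=$(
      ${pkgs.jq}/bin/jq <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS" \
        --compact-output \
        --arg oidcSecret "$oidcSecret" '.openid_connect.APPS.[0].secret = $oidcSecret'
    )
    export PAPERLESS_SOCIALACCOUNT_PROVIDERS="$providersWithSecret"
  '';

  # Extra packages
  environment.systemPackages = with pkgs; [ ];

  system.stateVersion = "24.11";
}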