{
  config,
  pkgs,
  ...
}:
let
  p = import ../parameters.nix;
in
{

  age.secrets.karakeep-env = {
    file = ../../secrets/karakeep-env.age;
    owner = "karakeep";
    group = "karakeep";
    mode = "0400";
  };

  my = {
    utils = {
      commons.enable = true;
      lxc-standard.enable = true;
    };

    services.karakeep = {
      enable = true;
      port = 3000;
      environmentFile = config.age.secrets.karakeep-env.path;
      extraEnvironment = {
        NEXTAUTH_URL = "https://keep.${p.domains.public}";
        CRAWLER_FULL_PAGE_SCREENSHOT = "true";
        OPENAI_BASE_URL = "https://litellm.ts.${p.domains.public}";
        INFERENCE_IMAGE_MODEL = "GPT-4o Mini";
        INFERENCE_TEXT_MODEL = "GPT-4.1 Mini";
        EMBEDDING_TEXT_MODEL = "text-embedding-3-small";
        DISABLE_PASSWORD_AUTH = "true";
        OAUTH_PROVIDER_NAME = "Authentik";
        OAUTH_WELLKNOWN_URL = "https://auth.${p.domains.public}/application/o/karakeep/.well-known/openid-configuration";
      };
    };

    virtualisation.proxmox.enable = true;
  };

  networking.firewall.allowedTCPPorts = [ 3000 ];

  environment.systemPackages = with pkgs; [ ];

  system.stateVersion = "25.11";
}