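# NixOS module wrapping services.paperless (Paperless NGX) together with the
# services it is wired to here: PostgreSQL, Tika, Gotenberg and, optionally, a
# Caddy virtual host that reverse-proxies to it.
#
# The two halves of `config` are gated independently: `enable` configures the
# service itself, `proxy.enable` only adds the Caddy virtual host. The proxy
# can therefore be declared on a different machine than the service, which is
# why `proxy.host` exists.
{
  lib,
  config,
  pkgs,
  ...
}:
let
  cfg = config.my.services.paperless;

  # Baseline settings. `cfg.settings` is merged over these with `//`, which is
  # a shallow merge: overriding PAPERLESS_OCR_USER_ARGS replaces the whole
  # attribute set, including invalidate_digital_signatures.
  defaultSettings = {
    # A filesystem path rather than a host name, so the database is presumably
    # reached over the local PostgreSQL Unix socket.
    PAPERLESS_DBHOST = "/run/postgresql";
    PAPERLESS_TIKA_ENABLED = true;
    PAPERLESS_TIKA_ENDPOINT = "http://localhost:${toString config.services.tika.port}";
    PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:${toString config.services.gotenberg.port}";
    PAPERLESS_OCR_LANGUAGE = "eng+ita";
    PAPERLESS_OCR_USER_ARGS = {
      optimize = 1;
      pdfa_image_compression = "lossless";
      # Allow OCRmyPDF to modify signed PDFs, since original is also stored
      # https://github.com/paperless-ngx/paperless-ngx/issues/7383
      # Consequence: the archived (OCR'd) copy no longer carries a valid
      # signature; only the stored original can be used to verify it.
      invalidate_digital_signatures = true;
    };
  };
in
{
  options.my.services.paperless = {
    # mkEnableOption already prefixes the text with "Whether to enable", so the
    # argument is a noun phrase.
    enable = lib.mkEnableOption "the Paperless NGX module";

    passwordFile = lib.mkOption {
      type = lib.types.path;
      default = "/var/lib/paperless/password";
      description = "File with the Paperless NGX access password";
      # NOTE(review): give this as a string ("/run/secrets/..."), not as a Nix
      # path literal. A path literal can end up copied into the world-readable
      # Nix store, depending on how the consuming module interpolates it.
    };

    mediaDir = lib.mkOption {
      type = lib.types.path;
      default = "/var/lib/paperless/media";
      description = "Directory with the Paperless NGX media files";
    };

    settings = lib.mkOption {
      default = { };
      description = ''
        Paperless settings as described here:
        https://search.nixos.org/options?type=packages&query=services.paperless.settings
      '';
      inherit (pkgs.formats.json { }) type;
    };

    address = lib.mkOption {
      type = lib.types.str;
      default = "0.0.0.0";
      description = ''
        Address the Paperless NGX web server binds to. The default listens on
        every interface; set it to "127.0.0.1" when the reverse proxy runs on
        the same machine.
      '';
    };

    openFirewall = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Whether to open the Paperless NGX port in the firewall. The port
        serves plain HTTP, so disable this when the service is only reached
        through a reverse proxy on the same machine.
      '';
    };

    proxy = {
      enable = lib.mkEnableOption "the Caddy reverse-proxy entry for this service";

      domain = lib.mkOption {
        default = "example.com";
        type = lib.types.str;
        description = ''
          The domain where Caddy is reachable
        '';
      };

      subdomain = lib.mkOption {
        default = "docs";
        type = lib.types.str;
        description = ''
          The subdomain where Paperless NGX is reachable
        '';
      };

      host = lib.mkOption {
        default = "localhost";
        type = lib.types.str;
        description = ''
          host name where the service is running
        '';
      };
    };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.enable {
      my.services.postgresql = {
        enable = true;
        ensures = [
          {
            username = "paperless";
            database = "paperless";
          }
        ];
      };

      services.tika = {
        enable = true;
        enableOcr = true;
      };

      services.gotenberg = {
        enable = true;
        # Gotenberg renders documents with Chromium. JavaScript is disabled and
        # the allow-list limits the URLs Chromium may load to files under /tmp,
        # so a rendered document cannot make it fetch network resources.
        chromium.disableJavascript = true;
        extraArgs = [ "--chromium-allow-list=file:///tmp/.*" ];
      };

      services.paperless = {
        enable = true;
        # Defaults to every interface (see options.address) to keep the
        # previous behaviour of this module.
        address = cfg.address;
        # PAPERLESS_URL comes last, so it always follows the proxy options and
        # cannot be overridden through cfg.settings.
        settings =
          defaultSettings
          // cfg.settings
          // {
            PAPERLESS_URL = "https://${cfg.proxy.subdomain}.${cfg.proxy.domain}";
          };
        passwordFile = cfg.passwordFile;
        mediaDir = cfg.mediaDir;
        openMPThreadingWorkaround = true;
      };

      # The opened port is the unencrypted application port, reachable without
      # going through Caddy; gated so it can be closed for same-host proxying.
      networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [
        config.services.paperless.port
      ];
    })

    (lib.mkIf cfg.proxy.enable {
      # Caddy terminates TLS for the public name; the hop to the backend is
      # plain HTTP, which leaves the host when proxy.host is not local.
      # `cloudflare_<domain>` is a Caddy snippet that is not defined in this
      # file and must exist elsewhere in the Caddy configuration.
      services.caddy = {
        virtualHosts."${cfg.proxy.subdomain}.${cfg.proxy.domain}".extraConfig = ''
          reverse_proxy http://${cfg.proxy.host}:${toString config.services.paperless.port}
          import cloudflare_${cfg.proxy.domain}
        '';
      };
    })
  ];
}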