# NixOS module: Paperless document archive for the pub-solar user, fed by a
# SANE scanner drop directory and published through an nginx TLS reverse proxy.
#
# Access model as written here:
#   * Paperless binds to 127.0.0.1 only; nginx is the sole network entry point.
#   * nginx has no listenAddresses restriction and the firewall opens 80/443,
#     so the vhost is served on every interface the host has.
#   * PAPERLESS_AUTO_LOGIN_USERNAME is set to the admin user, so Paperless does
#     not ask for credentials. Network reachability of the vhost is therefore
#     the only access control in front of the admin account.
{ flake, lib, config, pkgs, ... }:
let
  psCfg = config.pub-solar;
  userName = psCfg.user.name;
  homeDir = "/home/${userName}";
  domain = "paperless.faenix.eu";

  xdg = config.home-manager.users.${userName}.xdg;
  dataDir = "${xdg.dataHome}/Paperless";
  backupDir = "${xdg.dataHome}/PaperlessBackup";
  # Hard-coded rather than derived from xdg.dataHome; the scanner tooling reads
  # the same path through SCANNER_OUTPUT_DIR below.
  consumptionDir = "${homeDir}/.local/share/scandir";

  # Upstream address nginx proxies to (loopback only, plain HTTP).
  paperlessUpstream = "http://127.0.0.1:${toString config.services.paperless.port}";
in
{
  services.paperless = {
    enable = true;
    # Runs as the interactive user instead of a dedicated service account, so
    # document ingestion operates with that user's file permissions.
    # NOTE(review): confirm this is intended; any sandboxing comes from the
    # upstream module's unit, which is not visible in this file.
    user = userName;
    inherit consumptionDir dataDir;
    address = "127.0.0.1";
    settings = {
      PAPERLESS_ADMIN_USER = userName;
      # NOTE(review): auto-login as the admin user disables authentication for
      # every client that can reach the web UI. Keep this only if the vhost is
      # reachable from trusted networks exclusively (see the commented
      # listenAddresses below). Otherwise drop this setting and provision a
      # password, e.g. via services.paperless.passwordFile.
      PAPERLESS_AUTO_LOGIN_USERNAME = userName;
      PAPERLESS_URL = "https://${domain}";
    };
  };

  hardware.sane = {
    enable = true;
    # No aarch64 support for now
    #brscan5.enable = true;
  };

  # Export the scan drop directory to both the login shell and the systemd
  # user session.
  home-manager.users.${userName} = {
    home.sessionVariables.SCANNER_OUTPUT_DIR = consumptionDir;
    systemd.user.sessionVariables.SCANNER_OUTPUT_DIR = consumptionDir;
  };

  # Certificate settings (challenge type, credentials) are not set here.
  # NOTE(review): presumably inherited from ACME defaults defined elsewhere.
  security.acme.certs.${domain} = { };

  services.nginx = {
    enable = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedTlsSettings = true;
    recommendedProxySettings = true;
    # Upload limit for requests passing through the proxy.
    clientMaxBodySize = "256m";
    virtualHosts.${domain} = {
      # Binding to a single LAN address is disabled, so nginx answers on all
      # interfaces. NOTE(review): with auto-login enabled above, re-enabling
      # this (or an equivalent allow-list) is what keeps the admin UI private.
      #listenAddresses = [
      #  "192.168.13.35"
      #];
      forceSSL = true;
      useACMEHost = domain;
      locations."/".proxyPass = paperlessUpstream;
    };
  };

  #services.caddy = {
  #  enable = true;
  #  globalConfig = ''
  #    local_certs
  #  '';
  #  virtualHosts = {
  #    "paperless.fritz.box" = {
  #      extraConfig = ''
  #        reverse_proxy :${builtins.toString config.services.paperless.port}
  #      '';
  #    };
  #  };
  #};

  # Opens HTTP and HTTPS on the host firewall for all interfaces.
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  # Owner-only (0700) directories for the XDG data path and the backup export
  # target.
  systemd.tmpfiles.rules = [
    "d ${homeDir}/.local 0700 ${userName} users - -"
    "d ${homeDir}/.local/share 0700 ${userName} users - -"
    "d '${backupDir}' 0700 ${userName} users - -"
  ];

  # Disabled: encrypted off-site backup (restic over rclone) with agenix-managed
  # secrets. While this stays commented out, nothing in this file populates
  # backupDir.
  #age.secrets."rclone-pie.conf" = {
  #  file = "${flake.self}/secrets/rclone-pie.conf.age";
  #  path = "/root/.config/rclone/rclone.conf";
  #  mode = "400";
  #};

  #age.secrets."restic-password" = {
  #  file = "${flake.self}/secrets/restic-password.age";
  #  mode = "400";
  #};

  #services.restic.backups = {
  #  paperless = {
  #    paths = [ backupDir ];
  #    initialize = true;
  #    passwordFile = config.age.secrets."restic-password".path;
  #    # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
  #    repository = "rclone:cloud.pub.solar:/backups/Paperless";
  #    backupPrepareCommand = "${dataDir}/paperless-manage document_exporter ${backupDir} -c -p";
  #    rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
  #  };
  #};
}