{ base-domain, lib, ... }:
let
  fqdn = "paperless.${base-domain}";
in
{
  services.paperless = {
    enable = true;
    address = "localhost";
    port = 28981;
    passwordFile = "/etc/nixos/secrets/paperless-password";
    consumptionDir = "/var/lib/paperless-upload";
    settings = {
      PAPERLESS_DBHOST = "/run/postgresql";
      PAPERLESS_DBNAME = "paperless";
      PAPERLESS_DBUSER = "paperless";
      PAPERLESS_DBPASS = "paperless";
      PAPERLESS_OCR_LANGUAGE = "fra+eng+deu";
      PAPERLESS_FILENAME_FORMAT = "{created_year}/{correspondent}/{title}";
      PAPERLESS_OCR_USER_ARGS = {
        optimize = 1;
        pdfa_image_compression = "lossless";
        # do not fail to import documents that have a digital signature
        # https://github.com/paperless-ngx/paperless-ngx/discussions/4047#discussioncomment-7019544
        invalidate_digital_signatures = true;
      };
      PAPERLESS_TIME_ZONE = "Europe/Paris";
      PAPERLESS_CONSUMER_ENABLE_BARCODES = "true";
      PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE = "true";
      PAPERLESS_CONSUMER_BARCODE_SCANNER = "ZXING";
      PAPERLESS_TASK_WORKERS = "4";
      PAPERLESS_THREADS_PER_WORKER = "1";
      PAPERLESS_WORKER_TIMEOUT = "18000";
    };
  };
  users.groups.paperless-upload = {};
  users.users.paperless = {
    extraGroups = [ "paperless-upload" ];
  };
  users.users.paperless-upload = {
    isNormalUser = true;
    homeMode = "770";
    extraGroups = [ "paperless" ];
  };
  system.activationScripts.makePaperlessUploadDir = lib.stringAfter [ "var" ] ''
    mkdir -m 775 -p /var/lib/paperless-upload
    chown paperless:paperless /var/lib/paperless-upload/
  '';
}