{
  config,
  pkgs,
  lib,
  zerotierInterface,
  ...
}:
{

  # Paperless-ngx document archive. Besides the nginx virtual host defined in
  # this file, the service port itself is opened on two VPN interfaces by the
  # firewall rules in this file.
  services.paperless = {
    enable = true;
    # IPv6 wildcard address: the server listens on every interface, so who can
    # reach it is decided by the host firewall, not by the bind address.
    address = "[::]";
    port = 28981;
    package = pkgs.paperless-ngx;
    settings = {
      # OCR with both German and English language data.
      PAPERLESS_OCR_LANGUAGE = "deu+eng";
      PAPERLESS_APP_TITLE = "paperless.chungus.private";
      # NOTE(review): upstream paperless-ngx documents this variable as
      # PAPERLESS_CONSUMER_IGNORE_PATTERNS (plural); confirm the singular
      # spelling used here is actually read. ".DS_STORE/*" only matches files
      # inside a directory of that name — verify that is the intent.
      PAPERLESS_CONSUMER_IGNORE_PATTERN = builtins.toJSON [
        ".DS_STORE/*"
        "desktop.ini"
      ];
      PAPERLESS_EMAIL_TASK_CRON = "0 */8 * * *"; # “At minute 0 past every 8th hour.”

      # https://github.com/paperless-ngx/paperless-ngx/discussions/4047#discussioncomment-7019544
      # https://github.com/paperless-ngx/paperless-ngx/issues/7383
      # Extra OCRmyPDF arguments: lets digitally signed PDFs be OCRed instead
      # of rejected. The price is that the signature on the processed (archive)
      # copy no longer validates, so signature checks must be done against the
      # untouched original — presumably still kept by paperless; confirm.
      PAPERLESS_OCR_USER_ARGS = {
        "invalidate_digital_signatures" = true;
      };
    };
  };

  # Pin owner, group and modes of the paperless consume (inbox) directory via
  # the permown module, which is defined outside this file (presumably it
  # re-applies these values to everything under the path — confirm).
  # NOTE(review): directory-mode 755 lets every local account enter and list
  # the inbox, so the names of pending documents are visible even though
  # file-mode 640 limits their contents to owner and group. Consider 750 if
  # nothing outside the paperless group needs to traverse this directory.
  services.permown."/var/lib/paperless/consume" = {
    owner = "paperless";
    group = "paperless";
    directory-mode = "755";
    file-mode = "640";
  };

  # Open the paperless port on the wg0 interface and on the ZeroTier interface
  # handed to this module, and nowhere else.
  # NOTE(review): peers on these interfaces reach the backend directly over
  # plain HTTP, without passing the nginx allow/deny list of the virtual host
  # in this file; that list names the tinc and wg0 subnets but not ZeroTier.
  # Confirm the direct exposure is intended.
  networking.firewall.interfaces =
    let
      paperlessPorts = [ config.services.paperless.port ];
    in
    {
      wg0.allowedTCPPorts = paperlessPorts;
      ${zerotierInterface}.allowedTCPPorts = paperlessPorts;
    };

  # Reverse proxy in front of the paperless web UI.
  # NOTE(review): no TLS options are set on this virtual host here; unless
  # they are applied elsewhere it serves plain HTTP and relies on the VPNs for
  # confidentiality — confirm.
  services.nginx.virtualHosts."paperless.${config.networking.hostName}.private" = {
    serverAliases = [ "paperless.ingolf-wagner.de" ];
    # Source-address ACL at server level: only the tinc and WireGuard subnets
    # are admitted, every other client is refused. This is the only access
    # control at the proxy layer, so it depends on nginx seeing the real client
    # address (no intermediate proxy rewriting it).
    extraConfig = ''
      allow ${config.tinc.private.subnet};
      allow ${config.wireguard.wg0.subnet};
      deny all;
    '';
    locations."/" = {
      # Raise the request body limit to 500M for uploads; this applies to every
      # path under "/", but only clients that pass the ACL above get this far.
      extraConfig = ''
        client_max_body_size 500M;
      '';
      # Forward to the local paperless instance over loopback HTTP.
      proxyPass = "http://localhost:${toString config.services.paperless.port}";
      proxyWebsockets = true;
    };
  };

}