{ config, ... }: { services.paperless = { enable = true; address = "0.0.0.0"; }; networking.firewall.interfaces.wg0.allowedTCPPorts = [ config.services.paperless.port ]; services.nginx.virtualHosts."paperless.${config.networking.hostName}.private" = { extraConfig = '' allow ${config.tinc.private.subnet}; deny all; ''; locations."/" = { proxyPass = "http://localhost:${toString config.services.paperless.port}"; proxyWebsockets = true; }; }; }