{ config, lib, ... }: {
  options.snowflake.services.paperless = {
    enable = lib.mkEnableOption "enable paperless";

    domain = lib.mkOption {
      type = lib.types.str;
      description = "domain name to host paperless on";
    };
  };

  config = lib.mkIf config.snowflake.services.paperless.enable {
    services.paperless = {
      enable = true;
      user = "paperless";
      port = 28981;
      dataDir = "/var/lib/paperless";
      address = "localhost";
      passwordFile = "/root/paperless-password";

      settings = {
        PAPERLESS_CONSUMER_IGNORE_PATTERN = [ ".DS_STORE/*" "desktop.ini" ];
        PAPERLESS_OCR_USER_ARGS = {
          optimize = 1;
          pdfa_image_compression = "lossless";
        };
        PAPERLESS_OCR_LANGUAGE = "eng+fra+nld+ita+spa+cat";

        PAPERLESS_URL = config.snowflake.services.paperless.domain;
        PAPERLESS_ADMIN_USER = "admin";
        # cannot use PAPERLESS_ADMIN_PASSWORD: https://github.com/NixOS/nixpkgs/issues/249767
        # PAPERLESS_ADMIN_PASSWORD = "UWi303OcNd6Au7HlnFpf3D33aROuT1";

        PAPERLESS_FILENAME_FORMAT = "{created_year}/{document_type}/{title}";

        # config to enable tika + gotenberg, but is blocked on getting gotenberg
        # to function
        # PAPERLESS_TIKA_ENABLED = true;
        # PAPERLESS_TIKA_ENDPOINT = "http://localhost:9998";
        # PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:3000";
      };
    };

    services.nginx.virtualHosts."${config.snowflake.services.paperless.domain}" =
      {
        serverName = config.snowflake.services.paperless.domain;
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass =
            "http://127.0.0.1:${toString config.services.paperless.port}/";
          proxyWebsockets = true;
        };
      };
  };
}