{
  config,
  lib,
  pkgs,
  ...
}: let
  dataDir = "/var/lib/paperless";
in {
  options.services.paperless = {
    subdomain = lib.mkOption {
      type = lib.types.str;
      description = "subdomain of base domain that paperless will be hosted at";
      default = "paperless";
    };
    database = {
      user = lib.mkOption {
        type = lib.types.str;
        description = "what is the user and database that we are going to use for paperless";
        default = "paperless";
      };
    };
  };

  config = lib.mkIf config.services.paperless.enable (lib.mkMerge [
    {
      host = {
        reverse_proxy.subdomains.${config.services.paperless.subdomain} = {
          target = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";

          websockets.enable = true;
          forwardHeaders.enable = true;

          extraConfig = ''
            # allow large file uploads
            client_max_body_size 50000M;
          '';
        };
        postgres = {
          enable = true;
          extraUsers = {
            ${config.services.paperless.database.user} = {
              isClient = true;
              createUser = true;
            };
          };
          extraDatabases = {
            ${config.services.paperless.database.user} = {
              name = config.services.paperless.database.user;
            };
          };
        };
      };
      services.paperless = {
        configureTika = true;
        settings = {
          PAPERLESS_URL = "https://${config.services.paperless.subdomain}.${config.host.reverse_proxy.hostname}";

          PAPERLESS_DBENGINE = "postgresql";
          PAPERLESS_DBHOST = "/run/postgresql";
          PAPERLESS_DBNAME = config.services.paperless.database.user;
          PAPERLESS_DBUSER = config.services.paperless.database.user;
        };
      };
    }
    (lib.mkIf config.services.fail2ban.enable {
      environment.etc = {
        "fail2ban/filter.d/paperless.local".text = (
          pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
            [Definition]
            failregex = Login failed for user `.*` from (?:IP|private IP) `<HOST>`\.$
            ignoreregex =

          '')
        );
      };

      services.fail2ban = {
        jails = {
          paperless.settings = {
            enabled = true;
            filter = "paperless";
            action = ''iptables-multiport[name=HTTP, port="http,https"]'';
            logpath = "${config.services.paperless.dataDir}/log/*.log";
            backend = "auto";
            findtime = 600;
            bantime = 600;
            maxretry = 5;
          };
        };
      };
    })
    (lib.mkIf config.host.impermanence.enable {
      assertions = [
        {
          assertion = config.services.paperless.dataDir == dataDir;
          message = "paperless data location does not match persistence";
        }
      ];
      environment.persistence."/persist/system/root" = {
        directories = [
          {
            directory = dataDir;
            user = "paperless";
            group = "paperless";
          }
        ];
      };
    })
  ]);
}