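# NixOS module: runs Open WebUI as an OCI container and publishes it through
# Caddy on a Tailscale hostname. Caddy asks the forward-auth endpoint on
# localhost:9091 to authenticate each request and passes the resulting
# Remote-Name / Remote-Email headers to the app, which is configured to trust
# them as the signed-in identity.
let
  # NOTE(review): clientId is not referenced anywhere in this module. The
  # literal also spans a line break, so its value contains a newline; confirm
  # whether that is intended or a wrapping artifact. If a client secret is ever
  # added next to it, load it from a file outside the Nix store rather than
  # inlining it here.
  clientId = "xqV9QLU4JAP7i47XEa9ABbjP8MKWK3VUt1vHaTAaZYTYFdFqGkrlGmTPTAnvDDsvAb
w518mk";
in
{
  # Host directory that is bind-mounted as the app's data directory below.
  # NOTE(review): 0755 lets every local user list and read it. 0700 is probably
  # sufficient if the container process runs as root; confirm before tightening.
  systemd.tmpfiles.rules = [
    "d /var/lib/open-webui 0755 root root"
  ];

  virtualisation.oci-containers.containers.open-webui = {
    # NOTE(review): ":main" is a mutable tag, so every pull can bring in
    # different code. Prefer a release tag or a digest pin, e.g.
    # "ghcr.io/open-webui/open-webui@sha256:<DIGEST_PLACEHOLDER>".
    image = "ghcr.io/open-webui/open-webui:main";
    # Publish on loopback only. The app accepts Remote-Name / Remote-Email as
    # the authenticated identity, so a client that reaches this port without
    # going through Caddy could supply those headers itself. Caddy connects via
    # localhost:8090, so no other listener address is needed.
    ports = [
      "127.0.0.1:8090:8080"
    ];
    volumes = [ "/var/lib/open-webui:/app/backend/data" ];
    environment = {
      # Header names must match the copy_headers list in the Caddy block below.
      WEBUI_AUTH_TRUSTED_NAME_HEADER = "Remote-Name";
      WEBUI_AUTH_TRUSTED_EMAIL_HEADER = "Remote-Email";
    };
  };

  # Every request is checked by forward_auth before it is proxied.
  # NOTE(review): copy_headers sets the identity headers from the auth
  # response. Verify with the deployed Caddy version that a client-supplied
  # Remote-Email / Remote-Name is overwritten or dropped on every path that
  # reaches reverse_proxy.
  services.caddy.virtualHosts."https://open-webui.tailc50184.ts.net".extraConfig = ''
    bind tailscale/open-webui
    forward_auth localhost:9091 {
      uri /api/authz/forward-auth
      copy_headers Remote-Email Remote-Name
    }
    reverse_proxy http://localhost:8090
  '';

  # NOTE(review): trusting podman0 accepts all traffic from containers on that
  # bridge to every host port, which presumably includes the auth endpoint on
  # 9091. If the container only needs specific host services,
  # networking.firewall.interfaces.podman0.allowedTCPPorts is the narrower
  # option.
  networking.firewall.trustedInterfaces = [ "podman0" ];
}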