{
  services = {
    paperless = {
      enable = true;
      settings = {
        PAPERLESS_ENABLE_HTTP_REMOTE_USER = true;
        PAPERLESS_ENABLE_HTTP_REMOTE_USER_API = true;
        PAPERLESS_LOGOUT_REDIRECT_URL = "https://auth.tailc50184.ts.net/logout";
        PAPERLESS_OCR_USER_ARGS = {
          "invalidate_digital_signatures" = true;
        };
        PAPERLESS_USE_X_FORWARD_HOST = true;
        PAPERLESS_USE_X_FORWARD_PORT = true;
        PAPERLESS_REDIRECT_LOGIN_TO_SSO = true;
      };
    };
    caddy.virtualHosts."paperless.tailc50184.ts.net".extraConfig = ''
      bind tailscale/paperless
      forward_auth localhost:9091 {
        uri /api/authz/forward-auth
        copy_headers Remote-User
      }
      reverse_proxy localhost:28981
    '';
  };
  users.users.syncthing.extraGroups = [ "paperless" ];
}