{
  services = {
    paperless = {
      enable = true;
      settings = {
        PAPERLESS_ENABLE_HTTP_REMOTE_USER = true;
        PAPERLESS_ENABLE_HTTP_REMOTE_USER_API = true;
        PAPERLESS_LOGOUT_REDIRECT_URL = "https://auth.tailc50184.ts.net/logout";
        PAPERLESS_OCR_USER_ARGS = {
          "invalidate_digital_signatures" = true;
        };
      };
    };

    caddy.virtualHosts."paperless.tailc50184.ts.net".extraConfig = ''
      bind tailscale/paperless
      forward_auth localhost:9091 {
        uri /api/authz/forward-auth
        copy_headers Remote-User
      }
      reverse_proxy localhost:28981
    '';
  };
}