# Paperless-ngx in a NixOS container with a private network namespace.
#
# The container owns its own firewall and resolver; the host forwards one
# TCP port to it and bind-mounts the document store from the NAS.
{ config, pkgs, ... }:

let
  # Port paperless listens on inside the container; the host forwards the same
  # port number via networking.nat below.
  webPort = 28981;

  # Reuse the host's `nix-apps` uid and `jallen-nas` gid inside the container so
  # files on the bind-mounted NAS share keep consistent ownership.
  appUid = config.users.users.nix-apps.uid;
  appGid = config.users.groups.jallen-nas.gid;

  # NOTE(review): these are the `.content` of sops templates, i.e. the declared
  # template text, not a rendered file path. Confirm that what reaches the
  # paperless environment inside the container is the real secret and that it
  # is not materialised into the world-readable Nix store.
  secretKeyTemplate = config.sops.templates."paperless-secret".content;
  oidcClientId = config.sops.templates."paperless-client-id".content;
  oidcClientSecret = config.sops.templates."paperless-client-secret".content;

  # Pin to the stable package set rather than whatever `pkgs` resolves to.
  paperlessPackage = pkgs.stable.paperless-ngx;
in
{
  containers.paperless = {
    autoStart = true;

    # Separate network namespace; the container is reachable only via the
    # host-side NAT forward declared below.
    privateNetwork = true;
    hostAddress = "10.0.1.18";
    localAddress = "10.0.1.20";
    hostAddress6 = "fc00::1";
    localAddress6 = "fc00::20";

    config = { lib, ... }: {
      services.paperless = {
        enable = true;
        package = paperlessPackage;
        port = webPort;
        user = "paperless";
        # Listens on every interface of the container's namespace; exposure to
        # the outside is governed by the container firewall and the host NAT.
        address = "0.0.0.0";
        passwordFile = "/var/lib/paperless/paperless-password";

        settings = {
          PAPERLESS_URL = "https://paperless.jallen.dev";
          PAPERLESS_SECRET = secretKeyTemplate;

          # OpenID Connect login through authentik via django-allauth.
          PAPERLESS_ENABLE_ALLAUTH = true;
          PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
          # Kept as a single-line literal so the JSON (and any trailing
          # whitespace) is exactly what paperless receives.
          PAPERLESS_SOCIALACCOUNT_PROVIDERS = ''{"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"${oidcClientId}","secret":"${oidcClientSecret}","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}'';
        };
      };

      # Force the service account's uid/gid to the host-side ids so the
      # bind-mounted data is owned consistently on both sides.
      users.groups.documents.gid = lib.mkForce appGid;
      users.users.paperless = {
        isSystemUser = true;
        uid = lib.mkForce appUid;
        group = lib.mkForce "documents";
      };

      # Runs on every activation against the bind-mounted data directory.
      # NOTE(review): `chmod -R 775` sets the execute bit on every regular file
      # and grants world read/exec across the whole document archive; confirm
      # that is intended and consider a narrower mode (e.g. directories only).
      system.activationScripts.paperless-dirs = ''
        mkdir -p /var/lib/paperless
        chown -R paperless:documents /var/lib/paperless
        chmod -R 775 /var/lib/paperless
      '';

      networking = {
        firewall = {
          enable = true;
          # Only the web UI port is open inside the container namespace.
          allowedTCPPorts = [ webPort ];
        };
        # Run systemd-resolved in the container instead of inheriting the
        # host's resolv.conf; workaround for
        # https://github.com/NixOS/nixpkgs/issues/162686
        useHostResolvConf = lib.mkForce false;
      };
      services.resolved.enable = true;

      system.stateVersion = "23.11";
    };

    # The document store lives on the host NAS and is mounted read-write.
    bindMounts."/var/lib/paperless" = {
      hostPath = "/media/nas/ssd/nix-app-data/paperless";
      isReadOnly = false;
    };
  };

  # Host side: forward the web port into the container (TCP by default).
  # The destination address/port duplicate localAddress/webPort above.
  networking.nat.forwardPorts = [
    {
      destination = "10.0.1.20:28981";
      sourcePort = webPort;
    }
  ];
}