{ config, ... }:
{
  services.paperless = {
    # TODO migrate DB
    enable = true;
    passwordFile = config.age.secrets.paperless.path;
  };
  systemd.tmpfiles.rules =
    let
      cfg = config.services.paperless;
    in
    [
      (
        if cfg.consumptionDirIsPublic then
          "d '${cfg.consumptionDir}' 777 - - - -"
        else
          "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
      )
    ];

  age.secrets = {
    paperless = {
      file = "${config.dadada.secrets.path}/paperless.age";
      mode = "700";
      owner = "paperless";
    };
  };
}