{ config, ... }:
{
  services.nginx = {
    enable = true;
    virtualHosts."paperless.grzb.de" = {
      forceSSL = true;
      enableACME = true;
      listen = [
        {
          addr = "0.0.0.0";
          port = 80;
        }
        {
          addr = "0.0.0.0";
          port = 443;
          ssl = true;
        }
      ];
      locations."/" = {
        proxyPass = "http://${config.services.paperless.address}:${builtins.toString config.services.paperless.port}";
        proxyWebsockets = true;
        extraConfig = ''
          add_header Referrer-Policy "strict-origin-when-cross-origin";
        '';
      };
      extraConfig = ''
        client_max_body_size 100M;
      '';
    };
  };
}