{ config, ... }:
{
  networking.firewall.allowedTCPPorts = [ 3000 ];

  services.hedgedoc = {
    enable = true;
    settings = {
      domain = "op.pai.wtf";
      protocolUseSSL = true;
      email = false;
      allowEmailRegister = false;
      allowOrigin = [ "op.pai.wtf" ];
    };
    dbUrl = "postgres://filled:by@dotenv:5432/file";
    environmentFile = "/run/secrets/services/hedgedoc/.env";
    groups = [ config.users.groups.keys.name ];
  };
}