{ config, ... }:
{
  networking.firewall.allowedTCPPorts = [ 3000 ];

  services.hedgedoc = {
    enable = true;
    settings = {
      dbURL = "postgres://filled:by@dotenv:5432/file";
      domain = "op.pai.wtf";
      host = "0.0.0.0";
      protocolUseSSL = true;
      email = true;
      allowEmailRegister = true;
      allowOrigin = [ "op.pai.wtf" ];
    };
    environmentFile = "/run/secrets/services/hedgedoc/.env";
    groups = [ config.users.groups.keys.name ];
  };
}