# NixOS module: Outline behind an nginx TLS reverse proxy, with sign-in
# delegated to an external OIDC provider and the client secret supplied
# through an age-encrypted file.
{ inputs, config, ... }:
let
  fqdn = "outline.vimium.com";
  idp = "https://auth.vimium.com";
  secretName = "passwords/services/outline/oidc-client-secret";
in
{
  # Permits every unfree package in this nixpkgs instance, not just one.
  # NOTE(review): presumably set for the outline package; if so,
  # nixpkgs.config.allowUnfreePredicate would limit the exception to named
  # packages. Confirm before narrowing.
  nixpkgs.config.allowUnfree = true;

  # Only the encrypted .age file is referenced from inputs.secrets; Outline is
  # handed a path to the decrypted file, readable by the outline user/group.
  # No mode is set here, so the secrets module's default file mode applies.
  age.secrets.${secretName} = {
    file = "${inputs.secrets}/${secretName}.age";
    owner = "outline";
    group = "outline";
  };

  services = {
    # TLS is terminated here: forceSSL redirects plain HTTP to HTTPS and
    # enableACME requests the certificate for the virtual host.
    nginx.virtualHosts.${fqdn} = {
      forceSSL = true;
      enableACME = true;

      locations."/" = {
        # Cleartext hop, loopback only. Port 3000 is hard-coded; it must match
        # the port Outline listens on (services.outline.port is not set in
        # this module, so verify it against the service default).
        proxyPass = "http://127.0.0.1:3000";

        # Header notes for whoever consumes these upstream:
        #  - $proxy_add_x_forwarded_for appends the peer address to whatever
        #    X-Forwarded-For the client already sent, so when nginx is the
        #    edge only the last entry is trustworthy. X-Real-IP comes from
        #    $remote_addr and is not client-supplied.
        #  - Connection "Upgrade" is sent on every request, not only on
        #    WebSocket handshakes.
        # NOTE(review): no proxy_http_version is set in this block; confirm
        # WebSocket upgrades reach Outline, or consider the location option
        # proxyWebsockets = true.
        extraConfig = ''
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "Upgrade";
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Scheme $scheme;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_redirect off;
        '';
      };
    };

    outline = {
      enable = true;

      # Outline does not enforce HTTPS itself; the redirect is done by nginx
      # (forceSSL above). NOTE(review): this holds only while Outline is
      # reachable solely through the proxy. Confirm it is not exposed
      # directly on the network.
      forceHttps = false;

      # Externally visible base URL; uses the same host name as the vhost.
      publicUrl = "https://${fqdn}";

      # Uploaded files are kept on the local filesystem.
      storage.storageType = "local";

      # All three provider endpoints are HTTPS on the same identity host.
      # The client secret is read from the decrypted age file at runtime and
      # is never written into this configuration.
      oidcAuthentication = {
        clientId = "outline";
        clientSecretFile = config.age.secrets.${secretName}.path;
        displayName = "Vimium";
        authUrl = "${idp}/ui/oauth2";
        tokenUrl = "${idp}/oauth2/token";
        userinfoUrl = "${idp}/oauth2/openid/outline/userinfo";
      };
    };
  };
}