# Open WebUI served at chat.ai.vimium.com with OIDC-only sign-in.
#
# Non-secret settings are set inline under `environment`; anything secret is
# loaded from an age-encrypted environment file. The module also migrates an
# older flat state layout into `data/`, and registers the state directory for
# backup and persistence.
{ config, pkgs, ... }:

let
  stateDir = "/var/lib/open-webui";
  # Backup and persistence use the /var/lib/private path rather than stateDir.
  # Presumably the unit runs with DynamicUser, which makes stateDir a symlink
  # into /var/lib/private; verify against the upstream module.
  privateStateDir = "/var/lib/private/open-webui";

  clientId = "open-webui";
  publicUrl = "https://chat.ai.vimium.com";
in
{
  # Encrypted environment file; its decrypted path is passed to the service
  # below. Values under `environment` land in the world-readable Nix store, so
  # secrets must only ever go in this file.
  # NOTE(review): presumably holds the OAuth client secret and the session
  # signing key; confirm both are set there.
  age.secrets.open-webui-env.rekeyFile = ./secrets/open-webui-env.age;

  services.open-webui = {
    enable = true;
    # NOTE(review): taken from the unstable package set, so the version moves
    # with that input; confirm this is intended for an auth-facing service.
    package = pkgs.unstable.open-webui;
    # Only the port is set here; the listen address is left to the module.
    # NOTE(review): confirm the service is reachable only through the reverse
    # proxy that serves publicUrl over TLS.
    port = 8081;
    environmentFile = config.age.secrets.open-webui-env.path;

    environment = {
      WEBUI_URL = publicUrl;

      # The local login form is off and accounts are created on first OAuth
      # login, so who may use the service is decided by the identity provider.
      # NOTE(review): confirm the provider restricts which users may authorize
      # the client, and that hiding the form also disables password sign-in
      # over the API in the deployed version.
      ENABLE_LOGIN_FORM = "False";
      ENABLE_OAUTH_SIGNUP = "True";

      # Roles are taken from the provider's token claims.
      # NOTE(review): OAUTH_ROLES_CLAIM, OAUTH_ALLOWED_ROLES and
      # OAUTH_ADMIN_ROLES are not set here; confirm they come from the
      # environment file or that the defaults match the provider's claims.
      # Whatever maps to the admin role gets full control of the instance.
      ENABLE_OAUTH_ROLE_MANAGEMENT = "True";

      OAUTH_CLIENT_ID = clientId;
      OAUTH_PROVIDER_NAME = "Vimium";
      # Presumably stops outbound fetches (model downloads, update checks);
      # verify against the upstream documentation.
      OFFLINE_MODE = "True";
      OPENID_PROVIDER_URL = "https://auth.vimium.com/oauth2/openid/${clientId}/.well-known/openid-configuration";
      # Must match the redirect URI registered for the client at the provider.
      OPENID_REDIRECT_URI = "${publicUrl}/oauth/oidc/callback";

      # Fix from https://github.com/NixOS/nixpkgs/pull/431395
      STATIC_DIR = "${stateDir}/static";
      DATA_DIR = "${stateDir}/data";
      HF_HOME = "${stateDir}/hf_home";
      SENTENCE_TRANSFORMERS_HOME = "${stateDir}/transformers_home";
    };
  };

  # Fix from https://github.com/NixOS/nixpkgs/pull/432897
  # One-shot migration: when data/ is missing or empty, move the database and
  # the cache/uploads/vector_db directories from the state root into data/.
  # A non-empty data/ is left untouched, so the script is safe to run on every
  # start.
  systemd.services.open-webui.preStart = ''
    if [ -d "${stateDir}/data" ] && [ -n "$(ls -A "${stateDir}/data" 2>/dev/null)" ]; then
      exit 0
    fi

    mkdir -p "${stateDir}/data"

    [ -f "${stateDir}/webui.db" ] && mv "${stateDir}/webui.db" "${stateDir}/data/"

    for dir in cache uploads vector_db; do
      [ -d "${stateDir}/$dir" ] && mv "${stateDir}/$dir" "${stateDir}/data/"
    done

    exit 0
  '';

  # The state directory holds the database and user uploads.
  # NOTE(review): confirm the backup repository is encrypted and
  # access-controlled to the same standard as the live data.
  modules.services.borgmatic.directories = [ privateStateDir ];

  # Persist the state across reboots, readable by the owner only.
  environment.persistence."/persist".directories = [
    {
      directory = privateStateDir;
      mode = "0700";
    }
  ];
}