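{ ... }:
{
  # HedgeDoc ("catpad") fronted by Keycloak via OAuth2/OIDC.
  # Anything written into `settings` ends up in config.json in the
  # world-readable Nix store, so every secret must come from the
  # environment file instead.
  services.hedgedoc = {
    enable = true;

    settings = {
      domain = "pad.katzen.cafe";
      port = 3001;
      protocolUseSSL = true;

      # Free-form note URLs are allowed, but only for logged-in users.
      allowFreeURL = true;
      requireFreeURLAuthentication = true;

      # Accounts come from Keycloak only: no local e-mail sign-up or login.
      allowEmailRegister = false;
      email = false;

      # Anonymous visitors cannot log in / create notes; whether they may
      # edit an existing note is left to that note's own permission level.
      allowAnonymous = false;
      allowAnonymousEdits = true;

      oauth2 = {
        userProfileURL = "https://auth.katzen.cafe/realms/katzen.cafe/protocol/openid-connect/userinfo";
        userProfileUsernameAttr = "preferred_username";
        userProfileDisplayNameAttr = "name";
        userProfileEmailAttr = "email";
        tokenURL = "https://auth.katzen.cafe/realms/katzen.cafe/protocol/openid-connect/token";
        authorizationURL = "https://auth.katzen.cafe/realms/katzen.cafe/protocol/openid-connect/auth";
        clientID = "hedgedoc";
        providerName = "Keycloak";
        # Placeholder on purpose. The real secret is expected to be supplied
        # as CMD_OAUTH2_CLIENT_SECRET in `environmentFile`; HedgeDoc merges
        # environment variables over config.json, so the env value should
        # win. NOTE(review): confirm this after a HedgeDoc upgrade - if the
        # login ever fails with an invalid client secret, this is why.
        clientSecret = "none";
        scope = "openid email profile";
      };

      db = {
        dialect = "postgres";
        # Unix socket directory; no password is configured here, so the
        # database presumably relies on local peer authentication.
        host = "/run/postgresql";
        database = "catpad";
      };
    };

    # Holds the OAuth2 client secret (and any other CMD_* overrides).
    environmentFile = "/var/lib/secrets/hedgedoc.env";
  };

  deployment.keys = {
    "hedgedoc.env" = {
      keyCommand = [ "pass" "hedgedoc/envfile" ];
      destDir = "/var/lib/secrets";
      # Owner-only. The previous mode (0604) made the file world-readable,
      # exposing the client secret to every local account. systemd reads
      # EnvironmentFile= as root before dropping to the service user, so a
      # root-owned 0600 file is enough; if the service ever has to read the
      # file itself, set `user`/`group` on this key rather than widening
      # the mode again.
      permissions = "0600";
    };
  };
}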