{
  lib,
  config,
  pkgs-unstable,
  ...
}:
let
  cfg = config.services.open-webui;
  fqdn = "${cfg.subdomain}.${config.networking.domain}";

  open-webui-pkg = pkgs-unstable.open-webui.overridePythonAttrs (oldAttrs: {
    dependencies =
      oldAttrs.dependencies
      ++ (with pkgs-unstable.python3Packages; [
        pgvector
        psycopg2
      ])
      ++ [
        pkgs-unstable.ffmpeg
      ];
  });
in
{
  options.services.open-webui = {
    subdomain = lib.mkOption {
      type = lib.types.str;
    };
  };

  config = lib.mkIf cfg.enable {
    services = {
      open-webui = {
        package = open-webui-pkg;
        environment = {
          ANONYMIZED_TELEMETRY = "False";
          DO_NOT_TRACK = "True";
          SCARF_NO_ANALYTICS = "True";
          WEBUI_URL = "https://${fqdn}";
          VECTOR_DB = "pgvector";
          PGVECTOR_CREATE_EXTENSION = "False";
          DATABASE_URL = "postgresql:///open-webui?host=/var/run/postgresql";
          CORS_ALLOW_ORIGIN = "https://${fqdn};http://localhost";
        };
      };

      webserver.vHosts.${fqdn}.locations."/".proxyPort = cfg.port;
      postgresql = {
        enable = lib.mkDefault true;
        ensureDatabases = [ "open-webui" ];
        ensureUsers = [
          {
            name = "open-webui";
            ensureDBOwnership = true;
          }
        ];
        extensions = ps: with ps; [ pgvector ];
      };
    };

    systemd.services.open-webui-pgvector-setup = {
      description = "Ensure pgvector extension exists for open-webui";
      wantedBy = [ "open-webui.service" ];
      before = [ "open-webui.service" ];
      after = [
        "postgresql.service"
        "postgresql-setup.service"
      ];
      requires = [ "postgresql.service" ];
      serviceConfig = {
        Type = "oneshot";
        User = "postgres";
        Group = "postgres";
        ExecStart = "${config.services.postgresql.package}/bin/psql -d open-webui -c 'CREATE EXTENSION IF NOT EXISTS vector;'";
        RemainAfterExit = true;
      };
    };
  };
}