diff --git a/modules/services/default.nix b/modules/services/default.nix
index 555a6b1..10b9941 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -3,5 +3,6 @@
 ./forgejo
 ./homepage-dashboard
 ./homer
+ ./mealie
 ];
 }
diff --git a/modules/services/mealie/default.nix b/modules/services/mealie/default.nix
new file mode 100644
index 0000000..b3d45e8
--- /dev/null
+++ b/modules/services/mealie/default.nix
@@ -0,0 +1,40 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.my.services.mealie;
+in {
+ options.my.services.mealie = {
+ enable = mkEnableOption "Mealie";
+ port = mkOption {
+ type = types.port;
+ default = 3123;
+ example = 8080;
+ description = "HTTP port for the Mealie service.";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.mealie = {
+ enable = true;
+ inherit (cfg) port;
+ package = pkgs.unstable.mealie;
+ settings = {
+ BASE_URL = "https://recipes.thomasfmly.org";
+
+ # OIDC
+ OIDC_AUTH_ENABLED = true;
+ OIDC_CONFIGURATION_URL = "https://authentik.thomasfmly.org/application/o/mealie/.well-known/openid-configuration";
+ OIDC_CLIENT_ID = "FLFfJCP0nWsxGfHpAf26XfoqMaIoUuaVdODJLW28";
+ OIDC_ADMIN_GROUP = "Administrators";
+ OIDC_AUTO_REDIRECT = true;
+ OIDC_PROVIDER_NAME = "Authentik";
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [cfg.port];
+ };
+}
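Review bot: In modules/services/mealie/default.nix, the line `networking.firewall.allowedTCPPorts = [cfg.port];` opens Mealie's plain-HTTP port on the host firewall whenever the service is enabled, although `BASE_URL` is an https address and the service therefore presumably sits behind a TLS-terminating reverse proxy. With the port open, clients that can reach the host directly would reach Mealie without TLS and without anything the proxy enforces, while the OIDC flow still hands out sessions for the `Administrators` group. I would make the opening opt-in: add `openFirewall = mkEnableOption "opening the Mealie port in the firewall";` to the options and write `networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [cfg.port];`. If the proxy runs on the same host, setting `listenAddress = "127.0.0.1";` under `services.mealie` would keep the listener off external interfaces as well.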