{
  pkgs,
  config,
  lib,
  ...
}:
with lib; let
  cfg = config.my.services.mealie;
in {
  options.my.services.mealie = {
    enable = mkEnableOption "Mealie";
    port = mkOption {
      type = types.port;
      default = 3123;
      example = 8080;
      description = "HTTP port for the Mealie service.";
    };
  };

  config = mkIf cfg.enable {
    services.mealie = {
      enable = true;
      inherit (cfg) port;
      package = pkgs.unstable.mealie;
      settings = {
        BASE_URL = "https://recipes.thomasfmly.org";

        # OIDC
        OIDC_AUTH_ENABLED = true;
        OIDC_CONFIGURATION_URL = "https://authentik.thomasfmly.org/application/o/mealie/.well-known/openid-configuration";
        OIDC_CLIENT_ID = "FLFfJCP0nWsxGfHpAf26XfoqMaIoUuaVdODJLW28";
        OIDC_ADMIN_GROUP = "Administrators";
        OIDC_AUTO_REDIRECT = true;
        OIDC_PROVIDER_NAME = "Authentik";
      };
    };

    networking.firewall.allowedTCPPorts = [cfg.port];
  };
}