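# NixOS module that enables Mealie from the unstable input and wires it to an
# OIDC provider. Secrets are supplied at runtime through `credentialsFile`;
# nothing sensitive belongs in `settings`, because those values are written
# into the world-readable Nix store (and into this file's history).
{
  pkgs,
  inputs,
  config,
  lib,
  ...
}:
with lib; let
  cfg = config.my.services.mealie;
in {
  # Replace the channel's Mealie module with the one shipped by the unstable
  # input, so module and package (pkgs.unstable.mealie) come from the same tree.
  disabledModules = ["services/web-apps/mealie.nix"];
  imports = ["${inputs.unstable}/nixos/modules/services/web-apps/mealie.nix"];

  options.my.services.mealie = {
    enable = mkEnableOption "Mealie";

    port = mkOption {
      type = types.port;
      default = 3123;
      example = 8080;
      description = "HTTP port for the Mealie service.";
    };

    credentialsFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      # Constructed example path; use whatever your secret manager provides.
      example = "/run/secrets/mealie.env";
      description = ''
        Path to a systemd EnvironmentFile holding Mealie secrets, at minimum
        a line of the form OIDC_CLIENT_SECRET=<value>.

        Give this as a string pointing at a file provisioned outside the Nix
        store (sops-nix, agenix, or a root-owned file with mode 0400). A Nix
        path literal would copy the file into the store and expose it again.
      '';
    };
  };

  config = mkIf cfg.enable {
    # Surface the missing secret at evaluation time rather than as a failed
    # login at runtime.
    warnings =
      optional (cfg.credentialsFile == null)
      "my.services.mealie.credentialsFile is not set: OIDC login will fail until a file providing OIDC_CLIENT_SECRET is supplied.";

    services.mealie = {
      enable = true;
      # Forwarded to the upstream module; credentialsFile is loaded by the
      # service as an environment file, outside the Nix store.
      inherit (cfg) port credentialsFile;
      package = pkgs.unstable.mealie;
      settings = {
        BASE_URL = "https://recipes.thomasfmly.org";

        # OIDC
        OIDC_AUTH_ENABLED = true;
        OIDC_CONFIGURATION_URL = "https://auth.thomasfmly.org/realms/gringotts/.well-known/openid-configuration";
        OIDC_CLIENT_ID = "mealie";
        # OIDC_CLIENT_SECRET is deliberately absent: it is read from
        # credentialsFile. The value that used to be set inline here is
        # readable by anyone with access to this file or the Nix store, so
        # treat it as compromised and rotate it at the identity provider.
        OIDC_GROUPS_CLAIM = "roles";
        OIDC_ADMIN_GROUP = "admin";
        # NOTE(review): no OIDC_USER_GROUP is set, so presumably every account
        # in the realm may sign in; confirm that is the intended audience.
        OIDC_AUTO_REDIRECT = true;
        OIDC_PROVIDER_NAME = "Keycloak";
      };
    };

    # NOTE(review): BASE_URL is HTTPS, so a TLS-terminating proxy presumably
    # sits in front of this port. If that proxy runs on this host, opening the
    # port here also lets clients reach Mealie over plain HTTP and bypass the
    # proxy; confirm the rule is needed.
    networking.firewall.allowedTCPPorts = [cfg.port];
  };
}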