{ config, pkgs, ... }:

{

  services.miniflux = {
    enable = true;
    createDatabaseLocally = true;

    # Really, really janky, but include
    # OAUTH2_CLIENT_ID = "<client ID>";
    # OAUTH2_CLIENT_SECRET = "<client secret>";
    # https://pocket-id.org/docs/client-examples/miniflux/
    adminCredentialsFile = /var/lib/miniflux/oidc;

    config = {
      LISTEN_ADDR = "0.0.0.0:8021";
      BASE_URL = "http://rss.${config.homelab.domain}";
      CLEANUP_FREQUENCY = 48;

      CREATE_ADMIN = 0;

      CLEANUP_ARCHIVE_BATCH_SIZE = 100000;
      CLEANUP_ARCHIVE_READ_DAYS = -1;
      CLEANUP_ARCHIVE_UNREAD_DAYS = 180;
      CLEANUP_FREQUENCY_HOURS = 24;
      CLEANUP_REMOVE_SESSION_DAYS = 7;

      DISABLE_HSTS = 1;
      HTTPS = 0;
      DISABLE_HTTP_SERVICE = 0;

      FETCH_YOUTUBE_WATCH_TIME = 1;
      FILTER_ENTRY_MAX_AGE_DAYS = 1825; # 5 years

      FORCE_REFRESH_INTERVAL = 30;
      POLLING_FREQUENCY = 180;

      OAUTH2_PROVIDER = "oidc";
      OAUTH2_REDIRECT_URL = "https://rss.${config.homelab.domain}/oauth2/oidc/callback";
      OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://${config.homelab.authDomain}/oauth2/openid/miniflux";
      OAUTH2_OIDC_PROVIDER_NAME = "kanidm";
      OAUTH2_USER_CREATION = 1;
      DISABLE_LOCAL_AUTH = 1;
    };
  };

  services.caddy.virtualHosts."rss.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:8021
      import block_non_private_ips
    '';
  };
}