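{ config, pkgs, ... }:
let
  svcDomain = "feeds.${config.networking.domain}";
  svcPort = "8080";

  # Miniflux's OIDC callback path. The redirect URI registered with the IdP must
  # match this exactly (the original registered ".../callback" under an undefined
  # `fqdn`, which both fails to evaluate and would be rejected by Kanidm on login).
  redirectUrl = "https://${svcDomain}/oauth2/oidc/callback";

  # Name of the custom claim that carries role values for this client.
  # NOTE(review): the original referenced an undefined `permissionsMap`; the value
  # below is a placeholder -- confirm the intended claim name, and whether Miniflux
  # consumes any custom claim at all (as far as I can tell it only uses the
  # standard subject/email/profile claims, so this map may be inert).
  permissionsMap = "permissions";
in
{
  # TLS terminates at Caddy; Miniflux itself only listens on loopback (see LISTEN_ADDR).
  services.caddy.virtualHosts."${svcDomain}".extraConfig = ''
    reverse_proxy :${svcPort}
  '';

  # NOTE: Ensure the user exists ahead of trying to give secret permissions to that user.
  users.users.miniflux = {
    isSystemUser = true;
    group = "miniflux";
    createHome = false;
  };
  users.groups.miniflux = {};

  sops.secrets.miniflux_env = {
    sopsFile = ../../secrets/miniflux_admin_credentials.env;
    format = "dotenv";
    # Owner/group read-only; no other account on the host can read the decrypted file.
    mode = "0440";
    owner = "miniflux";
    group = "miniflux";
    restartUnits = [ "miniflux.service" ];
  };

  services.kanidm.provision = {
    # The groups referenced below (pages_users, pages_admin) are not declared here;
    # they must be provisioned elsewhere or the scope/claim maps bind to nothing.
    groups = {};
    systems.oauth2.miniflux = {
      displayName = "Miniflux Feed Reader";
      # Same URI Miniflux sends in OAUTH2_REDIRECT_URL -- the IdP compares byte-for-byte.
      originUrl = redirectUrl;
      # Public client: Kanidm issues no client secret, so there is nothing to put in
      # OAUTH2_CLIENT_SECRET. Kanidm requires PKCE for every client by default and
      # does not allow disabling it for public ones; confirm the deployed Miniflux
      # release supports PKCE before relying on this.
      public = true;
      preferShortUsername = true;
      # This scope map is the effective allow-list for the service: only members of
      # pages_users can obtain the openid scope, and with OAUTH2_USER_CREATION=1 each
      # of them gets a Miniflux account on first login. The pages_* names look copied
      # from another service -- confirm they are the intended groups.
      scopeMaps.pages_users = ["openid" "email" "profile"];
      claimMaps."${permissionsMap}".valuesByGroup.pages_admin = ["admin"];
    };
  };

  # NOTE: Currently requires some web-interface configuration
  services.miniflux = {
    enable = true;
    adminCredentialsFile = config.sops.secrets.miniflux_env.path;
    config = {
      BASE_URL = "https://${svcDomain}";
      # No local admin is created and password login is disabled, so every login --
      # including the first administrator's -- goes through Kanidm. There is no
      # local fallback if the IdP is unavailable; keep a recovery procedure in mind.
      CREATE_ADMIN = 0;
      DISABLE_LOCAL_AUTH = 1;
      OAUTH2_PROVIDER = "oidc";
      OAUTH2_OIDC_PROVIDER_NAME = "Kanidm";
      # Kanidm publishes a per-client issuer; discovery is served under it at
      # /.well-known/openid-configuration. The bare id.<domain> host has no
      # discovery document. NOTE(review): verify the path against the deployed
      # Kanidm version.
      OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://id.${config.networking.domain}/oauth2/openid/miniflux";
      OAUTH2_REDIRECT_URL = redirectUrl;
      # Anyone who can authenticate with the openid scope gets an account auto-created;
      # access control therefore lives entirely in the Kanidm scope map above.
      OAUTH2_USER_CREATION = 1;
      # CLEANUP_FREQUENCY is the legacy name; newer Miniflux releases document it
      # as CLEANUP_FREQUENCY_HOURS -- check the running version still honours it.
      CLEANUP_FREQUENCY = 48;
      # Bind to loopback only; Caddy is the sole public entry point.
      LISTEN_ADDR = "localhost:${svcPort}";
    };
  };
}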