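# NixOS module: Miniflux feed reader with OIDC single sign-on.
#
# The OAuth2 client secret is stored encrypted (agenix) and handed to the
# service through systemd's LoadCredential, so the plaintext is never part of
# the service's environment or of this file.
{ config, ... }:
let
  domain = "reader.fcuny.net";
  port = 8002;
  # Credential name shared by LoadCredential and OAUTH2_CLIENT_SECRET_FILE;
  # defined once so the two cannot drift apart.
  credentialName = "oauth2-client-secret";
in
{
  # NOTE(review): LoadCredential below is read by the service manager, so the
  # `owner` setting may not be required for the unit to start. Confirm before
  # changing it.
  age.secrets.miniflux-oidc = {
    owner = "miniflux";
    file = ../secrets/miniflux-oidc.age;
  };

  services.miniflux = {
    enable = true;
    config = {
      # Listens on every interface. No TLS options are set in this config
      # while BASE_URL is https, so TLS is presumably terminated by a reverse
      # proxy defined elsewhere.
      # NOTE(review): if that proxy runs on this host, bind to 127.0.0.1 and
      # drop the firewall rule below so the plain listener is not reachable
      # directly. Confirm the deployment topology.
      LISTEN_ADDR = "0.0.0.0:${toString port}";
      BASE_URL = "https://${domain}";
      # No local admin account is created at startup; sign-in goes through OIDC.
      CREATE_ADMIN = 0;
      OAUTH2_PROVIDER = "oidc";
      OAUTH2_CLIENT_ID = "miniflux";
      # Path where systemd exposes the credential loaded by LoadCredential below.
      OAUTH2_CLIENT_SECRET_FILE = "/run/credentials/miniflux.service/${credentialName}";
      OAUTH2_REDIRECT_URL = "https://${domain}/oauth2/oidc/callback";
      OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.fcuny.net";
      # Accounts are created on first OIDC login, so who may use this instance
      # is decided by the identity provider. Restrict access there.
      OAUTH2_USER_CREATION = "1";
    };
  };

  # Reuses `port` rather than repeating the literal, keeping the firewall rule
  # and LISTEN_ADDR in sync.
  networking.firewall.allowedTCPPorts = [ port ];

  systemd.services.miniflux.serviceConfig.LoadCredential = [
    "${credentialName}:${config.age.secrets.miniflux-oidc.path}"
  ];
}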