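# NixOS module: Mealie served through Caddy, with OIDC-only login and the
# OIDC client credentials provisioned through sops-nix.
{
  inputs,
  config,
  pkgs,
  ...
}: let
  # Encrypted secret files come from the `nix-secrets` flake input.
  sopsFolder = inputs.nix-secrets + "/sops";

  # Single source of truth for the backend address, so the Caddy upstream
  # cannot drift away from what Mealie actually binds to.
  mealie = config.services.mealie;
in {
  # Caddy fronts the public hostname and forwards to the local Mealie backend.
  services.caddy.virtualHosts."mealie.wanderingcrow.net".extraConfig = ''
    reverse_proxy http://${mealie.listenAddress}:${toString mealie.port}
  '';

  # Both values are decrypted from services.yaml at activation time.
  sops.secrets = {
    "mealie/oidc/client" = {
      sopsFile = "${sopsFolder}/services.yaml";
    };
    "mealie/oidc/secret" = {
      sopsFile = "${sopsFolder}/services.yaml";
    };
  };

  # Environment file rendered by sops-nix. The placeholders are substituted
  # with the decrypted values when the template is rendered, so the client
  # secret is not written into the world-readable Nix store.
  # NOTE(review): no owner/mode is set here, so the sops-nix defaults apply;
  # confirm the rendered file is not readable by unrelated users.
  sops.templates."mealie-env".content = ''
    OIDC_CONFIGURATION_URL=https://auth.wanderingcrow.net/.well-known/openid-configuration
    OIDC_CLIENT_ID=${config.sops.placeholder."mealie/oidc/client"}
    OIDC_CLIENT_SECRET=${config.sops.placeholder."mealie/oidc/secret"}
    OIDC_ADMIN_GROUP=admins
  '';

  services.mealie = {
    enable = true;
    # presumably `pkgs.unstable` is an overlay defined elsewhere in this flake
    package = pkgs.unstable.mealie;

    # Bind the backend to loopback only. Without this the service uses the
    # module's default listen address (0.0.0.0 in nixpkgs at the time of
    # writing; confirm for your revision), which would let clients reach
    # Mealie over plain HTTP without going through Caddy if the port is
    # ever opened in the firewall.
    listenAddress = "127.0.0.1";

    settings = {
      BASE_URL = "https://mealie.wanderingcrow.net";

      # Local accounts are disabled; the OIDC provider is the only way in.
      ALLOW_SIGNUP = "false";
      ALLOW_PASSWORD_LOGIN = "false";

      DB_ENGINE = "sqlite";

      OIDC_AUTH_ENABLED = "true";
      # NOTE(review): with OIDC signup enabled and no user-group restriction
      # configured here, any identity the provider will authenticate for this
      # client gets a Mealie account on first login. Restrict access on the
      # provider side, or set Mealie's OIDC_USER_GROUP, if that is too broad.
      OIDC_SIGNUP_ENABLED = "true";
      OIDC_PROVIDER_NAME = "Pocket ID";
    };

    # Path of the rendered sops template holding the OIDC client credentials.
    credentialsFile = config.sops.templates."mealie-env".path;
  };
}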