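{
  name = "FreshRSS";
  description = ''
    RSS reader and sync server
  '';

  # Traefik route for this host: traefik owns the public domain and forwards
  # to the plain-HTTP nginx vhost on the host's IP (port 80 below).
  traefikRoutes = { host, ... }:
    let
      freshrssCfg = host.config.freshrss;
    in
    [
      {
        name = "${host.hostname}-freshrss";
        rule = "Host(`${freshrssCfg.domain}`)";
        target = "http://${host.ip}:80";
      }
    ];

  nixosModule = { lib, config, ... }:
    {
      options.freshrss = {
        # Public domain; used for the traefik Host() rule and FreshRSS' baseUrl.
        domain = lib.mkOption { type = lib.types.str; };
        # Declared but not consumed anywhere in this module — presumably the
        # intended FreshRSS admin account; TODO confirm and wire it in.
        adminUser = lib.mkOption { type = lib.types.str; };
      };

      config =
        let
          cfg = config.freshrss;
          sopsSecrets = config.sops.secrets;
          svc = config.services.freshrss;
          # The data directory lives on cephfs, so the units that touch it must
          # not run before the mount is up.
          cephMount = "cephfs.mount";
        in
        {
          # Plain-HTTP backend port for traefik. The nginx vhost below is told to
          # trust X-Forwarded-* headers and authType = "http_auth" delegates the
          # user identity to the web server, so this port should only be
          # reachable from the reverse proxy — NOTE(review): confirm it is not
          # exposed beyond the proxy network.
          networking.firewall.allowedTCPPorts = [ 80 ];

          # Secrets are owned by the freshrss user so the application can read
          # them; nothing else on the host needs access.
          sops.secrets = {
            "freshrss/db_pass" = { owner = "freshrss"; };
            "freshrss/client_id" = { owner = "freshrss"; };
            "freshrss/client_secret" = { owner = "freshrss"; };
          };

          # Rendered env file holding the OIDC client credentials; it is handed to
          # nginx via EnvironmentFile so the secret never appears in the unit
          # file or the Nix store.
          sops.templates."freshrss-secret.env" = {
            owner = "freshrss";
            content = ''
              OIDC_CLIENT_ID=${config.sops.placeholder."freshrss/client_id"}
              OIDC_CLIENT_SECRET=${config.sops.placeholder."freshrss/client_secret"}
            '';
          };

          # Writable sub-directories under dataDir, readable only by the service
          # user (0750).
          systemd.tmpfiles.rules = [
            "d '${svc.dataDir}/cache' 0750 ${svc.user} ${svc.user} - -"
            "d '${svc.dataDir}/users' 0750 ${svc.user} ${svc.user} - -"
            "d '${svc.dataDir}/favicons' 0750 ${svc.user} ${svc.user} - -"
          ];

          # Create the database
          postgres.databases = [ "freshrss" ];

          # Only run freshrss after ceph has been mounted. `after` alone only
          # orders the unit; `requires` makes a failed or missing mount fatal so
          # the config step cannot write into an unmounted /cephfs.
          systemd.services.freshrss-config = {
            after = [ cephMount ];
            requires = [ cephMount ];
          };

          # nginx is only ordered after the mount (not `requires`) so that an
          # unavailable cephfs does not prevent nginx itself from starting —
          # TODO confirm this is the intended trade-off for this host.
          systemd.services.nginx = {
            after = [ cephMount ];
            serviceConfig = {
              Environment = [
                "OIDC_ENABLED=1"
                "OIDC_PROVIDER_METADATA_URL=https://auth.kallestruik.nl/application/o/freshrss/.well-known/openid-configuration"
                # Forwarded headers are trusted as-is; only safe while traefik is
                # the sole path to this vhost.
                "OIDC_X_FORWARDED_HEADERS=\"X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host\""
                "OIDC_SCOPES=\"openid email profile\""
              ];
              EnvironmentFile = config.sops.templates."freshrss-secret.env".path;
            };
          };

          # Enable and configure the service
          services.freshrss = {
            enable = true;
            baseUrl = "https://${cfg.domain}";
            virtualHost = cfg.domain;
            dataDir = "/cephfs/appdata/freshrss";
            # Authentication is delegated to the web server (OIDC in nginx).
            authType = "http_auth";
            database = {
              type = "pgsql";
              passFile = sopsSecrets."freshrss/db_pass".path;
            };
          };
        };
    };
}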