{ config, lib, pkgs, ... }:

let
  svc_domain = "miniflux.${config.mine.shared.settings.domain}";
  port = 6466;
in {
  services.miniflux = {
    enable = true;

    config = {
      LISTEN_ADDR = "localhost:${builtins.toString port}";

      # disable admin account, disable local auth
      CREATE_ADMIN = 0;
      DISABLE_LOCAL_AUTH = "true";

      # use auth proxy
      # TODO: This should be configureable
      AUTH_PROXY_HEADER = "Remote-User";
      AUTH_PROXY_USER_CREATION = "true";
    };
  };

  # nginx
  services.nginx.virtualHosts."${svc_domain}" = config.mine.shared.lib.authelia.mkProtectedWebsite {
    forceSSL = true;
    enableACME = true;
    
    locations."/" = config.mine.shared.lib.authelia.mkProtectedLocation {
      proxyPass = "http://localhost:${builtins.toString port}";
    };

    locations."/v1".proxyPass = "http://localhost:${builtins.toString port}";
  };

  # meta
  mine.shared.meta.miniflux = {
    name = "Miniflux";
    description = "We host our own miniflux, use it to read all your feeds!";
    url = "https://${svc_domain}";

    package = let
      pkg = config.services.miniflux.package;
    in {
      name = pkg.pname;
      version = pkg.version;
      meta = pkg.meta;
    };
  };
}