# Module that declares the `mealie.enable` option and, when it is set, emits a
# Deployment, a Service, an ingress entry and a Longhorn-backed volume claim
# for Mealie.
{
  lib,
  config,
  utils,
  ...
}: let
  # Label value that ties the Deployment selector, the pod template and the
  # Service selector together; also reused as the resource/volume name.
  app = "mealie";

  # Named container port, referenced by the Service and the ingress.
  webPort = "web";
in {
  options.mealie.enable = lib.mkEnableOption "mealie";

  config = lib.mkIf config.mealie.enable {
    kubernetes.resources.deployments.mealie.spec = {
      selector.matchLabels = {inherit app;};

      # maxSurge = 0 with maxUnavailable = 1: the running pod is taken down
      # before its replacement is created.
      # presumably because the data volume cannot be attached to two pods at
      # once; confirm against the Longhorn access mode
      strategy = {
        type = "RollingUpdate";
        rollingUpdate = {
          maxSurge = 0;
          maxUnavailable = 1;
        };
      };

      template = {
        metadata.labels = {inherit app;};

        spec = {
          # NOTE(review): no securityContext or resource requests/limits are
          # set in this module; check whether a shared default elsewhere in
          # the repo applies them.
          containers.mealie = {
            # Image reference comes from a project helper; what it resolves
            # to (tag vs. digest, registry) is not visible here.
            image = utils.mkNixNGImage "mealie";
            ports.${webPort}.containerPort = 8000;

            # NOTE(review): these are plain `value` entries, so once the
            # ref+sops references are resolved the SMTP credentials and the
            # OIDC client secret would sit inline in the pod template, where
            # anyone who can read the Deployment or pod objects can see them.
            # A Secret consumed through valueFrom.secretKeyRef would narrow
            # that exposure. Confirm where in the pipeline the references are
            # resolved before changing this.
            env = {
              SMTP_USER.value = "ref+sops://secrets.yml#/smtp2go/username";
              SMTP_PASSWORD.value = "ref+sops://secrets.yml#/smtp2go/password";
              OIDC_CLIENT_SECRET.value = "ref+sops://secrets.yml#/authentik/oauth2/mealie/client_secret";
            };

            volumeMounts = [
              {
                name = app;
                mountPath = "/data";
              }
            ];
          };

          # Backs the /data mount with the claim named "mealie".
          volumes.mealie.persistentVolumeClaim.claimName = app;
        };
      };
    };

    # Service port 80 forwards to the container port named "web" (8000).
    kubernetes.resources.services.mealie.spec = {
      selector = {inherit app;};

      ports.${webPort} = {
        port = 80;
        targetPort = webPort;
      };
    };

    # NOTE(review): TLS, authentication and network reachability for this
    # host are decided by the `lab.ingresses` implementation, which is
    # outside this file.
    lab.ingresses.mealie = {
      host = "mealie.kun.is";

      service = {
        name = app;
        portName = webPort;
      };
    };

    lab.longhorn.persistentVolumeClaim.mealie = {
      volumeName = app;
      storage = "3Gi";
    };
  };
}