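{ config, lib, globals, ... }:
# FreshRSS module: one `server` Deployment exposed through a LoadBalancer
# Service, a Traefik ingress guarded by the Authelia forward-auth middleware,
# and a Tailscale ingress. Login is delegated to the cluster OIDC provider.
#
# Every credential (admin password, OIDC client secret, OIDC crypto key) is
# stored in the `server` Secret and injected with secretKeyRef. The original
# placed OIDC_CLIENT_SECRET and OIDC_CLIENT_CRYPTO_KEY as plain env `.value`
# entries on the Deployment, which means the resolved `ref+sops://` material
# ended up in the Deployment manifest itself (readable by anyone with read
# access to deployments/pods) instead of in a Secret like adminPassword.
{
  options.freshrss.enable = lib.mkEnableOption "freshrss";

  config = lib.mkIf config.freshrss.enable {
    kubernetes.resources = {
      # Single Secret holding all credentials; `ref+sops://` references are
      # resolved when the manifests are rendered, not by the cluster.
      secrets.server.stringData = {
        adminPassword = "ref+sops://secrets.yml#/freshrss/password";
        oidcClientSecret = "ref+sops://secrets.yml#/authelia/oidc/freshrss_client_secret";
        oidcCryptoKey = "ref+sops://secrets.yml#/freshrss/oidc_crypto_key";
      };

      deployments.server.spec = {
        selector.matchLabels.app = "freshrss";

        # Replace-in-place rollout (no extra pod during updates) — presumably
        # because the `data` claim can be mounted by one pod at a time; confirm
        # against the claim's access mode.
        strategy = {
          type = "RollingUpdate";
          rollingUpdate = {
            maxSurge = 0;
            maxUnavailable = 1;
          };
        };

        template = {
          metadata.labels.app = "freshrss";

          spec = {
            containers.freshrss = {
              image = globals.images.freshrss;
              imagePullPolicy = "IfNotPresent";
              ports.web.containerPort = 80;

              env = {
                TZ.value = "Europe/Amsterdam";
                CRON_MIN.value = "2,32";
                ADMIN_EMAIL.value = "pim@kunis.nl";
                # The app sits behind TLS-terminating ingress; tell it the
                # externally visible port so generated URLs are correct.
                PUBLISHED_PORT.value = "443";

                OIDC_ENABLED.value = "1";
                OIDC_PROVIDER_METADATA_URL.value = "https://auth.kun.is/.well-known/openid-configuration";
                # Public identifier, not a secret.
                OIDC_CLIENT_ID.value = "HDp48U5TaX-3gWKNEfHx5ea2C7gfaQm-OsSWREq4WTzln56IBGy.rT61lq9rF-LTZFlWOd44";
                OIDC_REMOTE_USER_CLAIM.value = "preferred_username";
                OIDC_SCOPES.value = "openid groups email profile";
                # Headers the reverse proxy is trusted to set for OIDC redirects.
                OIDC_X_FORWARDED_HEADERS.value = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto";

                # Secrets: all sourced from the `server` Secret above.
                OIDC_CLIENT_SECRET.valueFrom.secretKeyRef = {
                  name = "server";
                  key = "oidcClientSecret";
                };
                OIDC_CLIENT_CRYPTO_KEY.valueFrom.secretKeyRef = {
                  name = "server";
                  key = "oidcCryptoKey";
                };
                ADMIN_PASSWORD.valueFrom.secretKeyRef = {
                  name = "server";
                  key = "adminPassword";
                };
                # The API password deliberately reuses the admin password key.
                ADMIN_API_PASSWORD.valueFrom.secretKeyRef = {
                  name = "server";
                  key = "adminPassword";
                };
              };

              volumeMounts = [
                {
                  name = "data";
                  mountPath = "/var/www/FreshRSS/data";
                }
              ];
            };

            volumes.data.persistentVolumeClaim.claimName = "data";

            # Pod-level ownership of the mounted volume. 33 is presumably the
            # uid/gid the image's web server runs as — confirm against the
            # image. OnRootMismatch avoids a recursive chown on every start.
            securityContext = {
              fsGroup = 33;
              fsGroupChangePolicy = "OnRootMismatch";
            };
          };
        };
      };

      services.server.spec = {
        type = "LoadBalancer";
        loadBalancerIP = globals.freshrssIPv4;
        selector.app = "freshrss";
        ports.web = {
          port = 80;
          targetPort = "web";
        };
      };

      # Route the public ingress through the Authelia forward-auth middleware
      # so unauthenticated requests never reach the application.
      ingresses.freshrss.metadata.annotations."traefik.ingress.kubernetes.io/router.middlewares" =
        "kube-system-forwardauth-authelia@kubernetescrd";
    };

    lab = {
      ingresses.freshrss = {
        host = "rss.kun.is";
        service = {
          name = "server";
          portName = "web";
        };
      };

      tailscaleIngresses.tailscale = {
        host = "freshrss";
        service.name = "server";
      };

      longhorn.persistentVolumeClaim.data = {
        volumeName = "freshrss";
        storage = "1Gi";
      };
    };
  };
}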