From b605d07b52187c664623639647af38904327643f Mon Sep 17 00:00:00 2001
From: nhnn <nhnn@nhnn.dev>
Date: Mon, 14 Apr 2025 14:32:42 +0300
Subject: [PATCH] feat: Vikunja to-do app (#128)

Vikunja is fast self-hostable to-do app.

Reviewed-on: https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config/pulls/128
Reviewed-by: Inex Code <inex.code@selfprivacy.org>
Co-authored-by: nhnn <nhnn@nhnn.dev>
Co-committed-by: nhnn <nhnn@nhnn.dev>
---
 sp-modules/vikunja/config-paths-needed.json   |  10 +
 sp-modules/vikunja/flake.lock                 |  27 +++
 sp-modules/vikunja/flake.nix                  |  41 ++++
 sp-modules/vikunja/icon.svg                   |  16 ++
 .../vikunja/load-client-secret-from-env.patch |  33 ++++
 sp-modules/vikunja/module.nix                 | 186 ++++++++++++++++++
 6 files changed, 313 insertions(+)
 create mode 100644 sp-modules/vikunja/config-paths-needed.json
 create mode 100644 sp-modules/vikunja/flake.lock
 create mode 100644 sp-modules/vikunja/flake.nix
 create mode 100644 sp-modules/vikunja/icon.svg
 create mode 100644 sp-modules/vikunja/load-client-secret-from-env.patch
 create mode 100644 sp-modules/vikunja/module.nix

diff --git a/sp-modules/vikunja/config-paths-needed.json b/sp-modules/vikunja/config-paths-needed.json
new file mode 100644
index 0000000..0426aa4
--- /dev/null
+++ b/sp-modules/vikunja/config-paths-needed.json
@@ -0,0 +1,10 @@
+[
+  [ "selfprivacy", "domain" ],
+  [ "selfprivacy", "modules", "auth", "enable" ],
+  [ "selfprivacy", "modules", "vikunja" ],
+  [ "selfprivacy", "passthru", "auth", "mkOAuth2ClientSecretFP" ],
+  [ "selfprivacy", "passthru", "auth", "oauth2-discovery-url" ],
+  [ "selfprivacy", "passthru", "auth", "oauth2-provider-name" ],
+  [ "selfprivacy", "sso", "enable" ],
+  [ "selfprivacy", "useBinds" ]
+]
diff --git a/sp-modules/vikunja/flake.lock b/sp-modules/vikunja/flake.lock
new file mode 100644
index 0000000..c48dced
--- /dev/null
+++ b/sp-modules/vikunja/flake.lock
@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs-24-11": {
+      "locked": {
+        "lastModified": 1744440957,
+        "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs-24-11": "nixpkgs-24-11"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/sp-modules/vikunja/flake.nix b/sp-modules/vikunja/flake.nix
new file mode 100644
index 0000000..7558a21
--- /dev/null
+++ b/sp-modules/vikunja/flake.nix
@@ -0,0 +1,41 @@
+{
+  description = "PoC SP module for Vikunja service";
+
+  inputs = {
+    nixpkgs-24-11.url = "github:NixOS/nixpkgs/nixos-24.11";
+  };
+
+  outputs = {nixpkgs-24-11, ...}: {
+    nixosModules.default = import ./module.nix nixpkgs-24-11.legacyPackages.x86_64-linux;
+    configPathsNeeded =
+      builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
+    meta = {lib, ...}: {
+      spModuleSchemaVersion = 1;
+      id = "vikunja";
+      name = "Vikunja";
+      description = "Vikunja, the fluffy, open-source, self-hostable to-do app.";
+      svgIcon = builtins.readFile ./icon.svg;
+      isMovable = true;
+      isRequired = false;
+      backupDescription = "Tasks and attachments.";
+      systemdServices = [
+        "vikunja.service"
+      ];
+      folders = [
+        "/var/lib/vikunja"
+      ];
+      postgreDatabases = [
+        "vikunja"
+      ];
+      license = [
+        lib.licenses.agpl3Plus
+      ];
+      homepage = "https://vikunja.io";
+      sourcePage = "https://github.com/go-vikunja/vikunja";
+      supportLevel = "normal";
+      sso = {
+        userGroup = "sp.vikunja.users";
+      };
+    };
+  };
+}
diff --git a/sp-modules/vikunja/icon.svg b/sp-modules/vikunja/icon.svg
new file mode 100644
index 0000000..b763ee8
--- /dev/null
+++ b/sp-modules/vikunja/icon.svg
@@ -0,0 +1,16 @@
+<svg width="257" height="251" viewBox="0 0 257 251" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M128.354 205.905C128.066 206.754 125.961 207.399 125.099 207.663C125.081 207.668 125.064 207.673 125.047 207.678C123.06 208.332 121.301 206.758 120.194 205.439C119.141 204.195 118.823 202.443 118.521 200.779C118.38 200 118.242 199.239 118.034 198.559C117.647 197.265 115.434 197.092 114.767 198.292C112.554 202.265 103.954 194.772 105.954 192.265C107.274 190.626 104.114 189.172 102.808 190.799C98.9411 195.612 109.341 204.585 115.287 202.159C115.554 203.359 115.821 204.559 116.354 205.705C117.341 207.958 119.541 209.412 121.821 210.638C124.9 212.292 130.914 209.372 131.82 206.598C132.474 204.665 128.994 203.972 128.354 205.905ZM155.766 176.773C156.086 178.106 156.14 182.639 153.633 180.159C152.633 179.159 150.62 179.759 150.54 181.092C150.353 184.212 147.22 184.292 144.527 183.346C142.393 182.599 141.247 185.559 143.38 186.292C147.34 187.679 151.646 186.906 153.34 183.919C154.686 184.546 156.206 184.719 157.433 183.572C159.566 181.572 159.886 178.746 159.26 176.146C158.793 174.173 155.3 174.799 155.766 176.773ZM162.086 241.971C161.153 243.878 159.446 243.758 157.606 242.958C156.26 242.371 154.593 243.331 154.993 244.691C155.82 247.437 152.366 248.237 150.02 247.264C147.967 246.397 146.18 249.104 148.26 249.971C152.473 251.731 157.82 250.184 158.593 246.477C161.313 246.917 163.899 246.157 165.179 243.504C166.073 241.691 162.993 240.118 162.086 241.971ZM134.727 94.7613C134.287 97.4545 129.247 94.3213 127.994 93.468C126.887 92.7346 125.46 93.188 125.327 94.4413C125.143 96.1106 122.925 95.6548 121.865 95.4371C121.85 95.434 121.835 95.4309 121.821 95.4279C119.847 95.0279 118.167 93.8013 118.127 91.9613C118.089 90.6751 118.655 89.3552 119.197 88.0923C119.419 87.5748 119.637 87.0669 119.807 86.5748C120.194 85.5082 118.647 84.3082 117.514 85.0415C115.487 86.3348 105.688 87.5081 109.594 83.2282C110.834 81.8683 108.648 79.9216 107.381 81.2949C105.581 83.2682 104.368 87.7881 108.261 88.7614C110.327 89.2547 113.301 89.2281 115.834 88.6547C114.767 92.0547 114.554 95.1613 118.927 97.3345C121.874 98.8145 125.927 98.8012 127.647 96.5346C131.274 98.4678 136.94 100.361 137.727 95.4946C138.007 93.7613 135.007 93.028 134.727 94.7613Z" fill="black" fill-opacity="0.08"/>
+<path d="M142.22 135.24C139.06 135.374 136.127 137.134 133.767 138.84C131.62 137.414 128.367 136.107 125.674 136.867C124.36 137.239 125.105 137.638 125.79 138.005C125.939 138.085 126.085 138.164 126.207 138.24C127.434 139.067 128.447 140.133 129.367 141.227C129.865 141.836 130.346 142.456 130.826 143.076C131.217 143.58 131.609 144.085 132.01 144.584C132.475 145.164 132.954 145.736 133.46 146.293C134.124 145.804 134.777 145.32 135.395 144.801C135.721 144.528 136.037 144.245 136.34 143.947C136.754 143.547 140.14 139.013 140.66 138.254C140.98 137.774 141.327 137.267 141.7 136.814C141.779 136.719 141.886 136.613 141.998 136.502C142.442 136.064 142.975 135.538 142.22 135.24Z" fill="black"/>
+<path d="M148.167 113.867C149.727 109.828 151.393 104.748 155.673 105.548C158.9 106.241 163.233 117.041 160.46 115.974C158.953 115.387 157.766 110.494 154.953 109.841C153.153 109.441 150.686 115.654 148.287 116.294C147.127 116.601 147.7 114.907 148.153 113.867" fill="black"/>
+<path d="M227.845 46.8958C225.724 44.2752 223.5 41.7399 221.178 39.296C197.112 14.03 164.353 0.0969831 128.967 0.0969831C112.151 0.0534819 95.493 3.34599 79.9578 9.78388C64.4227 16.2218 50.3188 25.6772 38.4626 37.6027C26.5335 49.4555 17.0766 63.559 10.6406 79.0952C4.20464 94.6313 0.917607 111.291 0.970226 128.107C0.923951 144.925 4.21382 161.584 10.6494 177.122C17.085 192.659 26.5385 206.766 38.4626 218.625C50.321 230.546 64.4259 239.996 79.9609 246.429C82.5536 247.503 85.1775 248.489 87.8282 249.387C88.234 245.172 88.8491 240.905 89.4682 236.61C90.6397 228.483 91.8254 220.258 91.6346 212.105C91.518 206.388 92.0461 200.395 92.579 194.349C93.6914 181.726 94.8244 168.87 90.1547 157.8C89.2127 155.576 88.1538 153.36 87.0999 151.153C85.5879 147.988 84.0862 144.845 82.9548 141.733C81.3402 137.597 80.1866 133.296 79.5149 128.907C79.2083 126.467 78.9683 116.387 79.1949 113.841C80.1549 102.988 81.4215 90.668 81.4215 90.668C81.4215 90.668 78.538 83.2532 82.7087 74.1981C82.134 73.7062 81.8586 72.6041 81.6773 71.8786C81.6423 71.7389 81.6109 71.6132 81.5815 71.5085C80.8749 69.0819 80.6216 66.522 80.4749 64.0154C79.5283 48.6424 79.2883 19.1365 100.661 12.47C109.005 9.85975 108.539 14.9581 108.023 20.5975C107.923 21.6988 107.82 22.8206 107.781 23.9097C107.696 27.5583 107.559 31.2201 107.422 34.8959C107.196 40.9854 106.968 47.1131 106.968 53.2823C106.968 53.7073 107.029 54.1349 107.089 54.556C107.128 54.8328 107.167 55.1068 107.189 55.3754C115.828 52.9578 124.61 52.669 130.687 52.669C137.936 52.669 149.128 53.0798 159.317 57.0235C161.379 49.4091 162.322 25.7926 162.594 18.9833L162.606 18.6832C163.326 1.6436 178.286 19.5231 180.899 26.3763C187.604 43.9862 184.886 57.3824 177.788 71.9949C183.583 82.0308 180.219 90.6814 180.219 90.6814C180.219 90.6814 182.526 114.614 182.179 122.147C181.536 136.316 177.886 142.982 174.111 149.878C172.17 153.423 170.195 157.029 168.579 161.746C164.252 174.382 165.853 188.08 167.423 201.514C167.851 205.175 168.277 208.817 168.579 212.412C168.882 215.825 170.19 222.63 171.784 230.924L171.784 230.926L171.785 230.928L171.786 230.931L171.786 230.932L171.786 230.934L171.787 230.94L171.789 230.95C172.778 236.096 173.877 241.814 174.914 247.65C175.939 247.256 176.958 246.85 177.973 246.429C193.508 239.996 207.613 230.546 219.471 218.625C231.396 206.766 240.85 192.659 247.286 177.122C253.721 161.584 257.011 144.925 256.964 128.107C256.964 98.8812 246.444 69.8152 227.845 46.9092V46.8958Z" fill="black"/>
+<path d="M99.3641 58.2527C99.5557 57.5813 99.7519 56.7916 99.9544 55.8423C100.214 54.6546 100.037 53.3736 99.8058 51.6889C99.6084 50.2531 99.3707 48.5239 99.3278 46.3092C99.3097 45.4476 99.3375 44.0459 99.3686 42.47C99.4296 39.3877 99.5038 35.639 99.2744 33.9628C99.2533 33.8004 99.2308 33.6168 99.2066 33.4179L99.2064 33.4162C98.9553 31.36 98.5047 27.6688 97.1678 28.8962C86.1767 38.9211 86.8594 54.5974 88.1575 66.2372C91.4146 62.7677 95.265 60.1806 99.3641 58.2527Z" fill="black" fill-opacity="0.51"/>
+<path d="M95.4745 66.8019C95.6406 66.6715 95.8004 66.5373 95.9553 66.3999C96.1178 65.987 96.2736 65.5608 96.4212 65.122C96.8903 63.7247 97.3302 62.9165 97.7663 62.1154C98.2898 61.1534 98.8078 60.2017 99.3641 58.2527C95.265 60.1806 91.4146 62.7677 88.1575 66.2372C88.3033 67.5441 88.4568 68.8002 88.6024 69.9917C88.6712 70.5542 88.7382 71.1024 88.8018 71.6347C89.1831 71.3423 89.5622 71.048 89.9416 70.7535C90.0361 70.6801 90.1309 70.6066 90.2255 70.5332C90.888 70.0193 91.5532 69.506 92.2346 69.0019C92.7498 68.6155 93.2806 68.2758 93.8088 67.9376C94.3743 67.5757 94.9369 67.2155 95.4745 66.8019Z" fill="black" fill-opacity="0.51"/>
+<path d="M95.9553 66.3999C95.8004 66.5373 95.6406 66.6715 95.4745 66.8019C94.9369 67.2155 94.3743 67.5757 93.8088 67.9376C93.2806 68.2758 92.7498 68.6155 92.2346 69.0019C91.5532 69.506 90.888 70.0193 90.2255 70.5332L89.9416 70.7535C89.5622 71.048 89.1831 71.3423 88.8018 71.6347C88.8605 72.1266 88.9164 72.6049 88.968 73.0685V73.0551C89.2937 75.9988 93.4324 72.8111 95.9553 66.3999Z" fill="black" fill-opacity="0.51"/>
+<path d="M109.794 105.548C113.021 106.241 117.354 117.041 114.594 115.974C113.978 115.734 113.413 114.775 112.769 113.679C111.837 112.095 110.737 110.227 109.074 109.841C108.166 109.637 107.078 111.144 105.912 112.759C104.786 114.319 103.587 115.98 102.408 116.294C101.248 116.601 101.834 114.907 102.288 113.867C102.372 113.648 102.457 113.426 102.543 113.201C104.038 109.293 105.759 104.791 109.794 105.548Z" fill="black"/>
+<path d="M178.366 54.3756C179.432 49.0024 180.766 41.8692 178.899 36.5227C177.912 33.6561 171.833 25.2563 171.113 28.1363C171.006 28.5898 170.916 30.1987 170.804 32.2219C170.635 35.2541 170.414 39.2168 170.006 41.616C169.743 43.143 169.413 44.665 169.083 46.1877C168.345 49.5976 167.606 53.0115 167.606 56.4956C167.601 58.4577 167.701 60.0922 167.875 61.4673C170.378 63.1785 172.698 65.2201 174.737 67.6554C176.16 63.8443 177.697 57.7895 178.366 54.3756Z" fill="black" fill-opacity="0.51"/>
+<path d="M174.737 67.6554C172.698 65.2201 170.378 63.1785 167.875 61.4673C168.468 66.153 169.932 67.826 171.117 69.181C171.581 69.7117 172.003 70.1936 172.313 70.7885V70.8019C172.866 71.7802 173.775 70.2296 174.737 67.6554Z" fill="black" fill-opacity="0.51"/>
+<path d="M132.82 160.173C133.914 160.573 135.26 159.813 135.447 158.826C135.468 158.709 135.483 158.589 135.495 158.468C134.867 158.513 134.242 158.549 133.62 158.573C133.011 158.594 132.402 158.598 131.794 158.586C131.923 159.304 132.201 159.94 132.82 160.173Z" fill="black"/>
+<path d="M133.7 162.893C138.54 162.773 151.02 160.893 150.886 154.893C149.261 156.678 146.291 157.119 143.865 157.479L143.86 157.48C141.127 157.882 138.288 158.268 135.495 158.468C135.483 158.589 135.468 158.709 135.447 158.826C135.26 159.813 133.914 160.573 132.82 160.173C132.201 159.94 131.923 159.304 131.794 158.586C128.953 158.532 126.121 158.15 123.294 157.769C121.474 157.524 119.654 157.278 117.835 157.121C121.769 160.6 128.088 163.026 133.7 162.893Z" fill="black"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M128.354 205.905C128.066 206.754 125.961 207.399 125.099 207.663L125.047 207.678C123.06 208.332 121.301 206.758 120.194 205.439C119.141 204.195 118.823 202.443 118.521 200.779C118.38 200 118.242 199.239 118.034 198.559C117.647 197.265 115.434 197.092 114.767 198.292C112.554 202.265 103.954 194.772 105.954 192.265C107.274 190.626 104.114 189.172 102.808 190.799C98.9411 195.612 109.341 204.585 115.287 202.159C115.554 203.359 115.821 204.559 116.354 205.705C117.341 207.958 119.541 209.412 121.821 210.638C124.9 212.292 130.914 209.372 131.82 206.598C132.474 204.665 128.994 203.972 128.354 205.905ZM155.766 176.773C156.086 178.106 156.14 182.639 153.633 180.159C152.633 179.159 150.62 179.759 150.54 181.092C150.353 184.212 147.22 184.292 144.527 183.346C142.393 182.599 141.247 185.559 143.38 186.292C147.34 187.679 151.646 186.906 153.34 183.919C154.686 184.546 156.206 184.719 157.433 183.572C159.566 181.572 159.886 178.746 159.26 176.146C158.793 174.173 155.3 174.799 155.766 176.773ZM162.086 241.971C161.153 243.878 159.446 243.758 157.606 242.958C156.26 242.371 154.593 243.331 154.993 244.691C155.82 247.437 152.366 248.237 150.02 247.264C147.967 246.397 146.18 249.104 148.26 249.971C152.473 251.731 157.82 250.184 158.593 246.477C161.313 246.917 163.899 246.157 165.179 243.504C166.073 241.691 162.993 240.118 162.086 241.971ZM134.727 94.7613C134.287 97.4545 129.247 94.3213 127.994 93.468C126.887 92.7346 125.46 93.188 125.327 94.4413C125.143 96.1106 122.925 95.6548 121.865 95.4371L121.821 95.4279C119.847 95.0279 118.167 93.8013 118.127 91.9613C118.089 90.6751 118.655 89.3552 119.197 88.0923C119.419 87.5748 119.637 87.0669 119.807 86.5748C120.194 85.5082 118.647 84.3082 117.514 85.0415C115.487 86.3348 105.688 87.5081 109.594 83.2282C110.834 81.8683 108.648 79.9216 107.381 81.2949C105.581 83.2682 104.368 87.7881 108.261 88.7614C110.327 89.2547 113.301 89.2281 115.834 88.6547C114.767 92.0547 114.554 95.1613 118.927 97.3345C121.874 98.8145 125.927 98.8012 127.647 96.5346C131.274 98.4678 136.94 100.361 137.727 95.4946C138.007 93.7613 135.007 93.028 134.727 94.7613ZM147.567 124.854C153.046 129.667 154.273 133.64 154.286 143.48H154.273C154.286 149.733 148.647 161.28 146.94 164C144.113 168.786 138.873 170.519 133.727 170.159C128.594 170.519 123.354 168.799 120.514 164C118.821 161.28 113.087 149.52 113.087 144.2C113.101 134.347 114.421 131.28 119.421 126.08C122.741 122.641 127.34 120.694 133.727 120.854C140.113 120.694 144.127 121.841 147.567 124.854ZM143.86 157.48C141.127 157.882 138.288 158.268 135.495 158.468C135.584 157.522 135.41 156.465 135.24 155.431C135.122 154.715 135.006 154.009 134.98 153.36C134.914 151.373 134.98 149.387 135.194 147.4C135.219 147.174 135.264 146.933 135.31 146.686C135.427 146.058 135.552 145.385 135.395 144.801C134.777 145.32 134.124 145.804 133.46 146.293C132.954 145.736 132.475 145.164 132.01 144.584L132.007 144.6C131.406 148.45 131.285 152.36 131.647 156.24C131.665 156.432 131.669 156.675 131.675 156.946C131.684 157.446 131.696 158.04 131.794 158.586C128.953 158.532 126.121 158.15 123.294 157.769C121.474 157.524 119.654 157.278 117.835 157.121C121.769 160.6 128.088 163.026 133.7 162.893C138.54 162.773 151.02 160.893 150.886 154.893C149.261 156.678 146.291 157.119 143.865 157.479L143.86 157.48Z" fill="black" fill-opacity="0.1"/>
+<path d="M132.007 144.6C131.406 148.45 131.285 152.36 131.647 156.24C131.665 156.432 131.669 156.675 131.675 156.946C131.684 157.446 131.696 158.04 131.794 158.586C132.402 158.598 133.011 158.594 133.62 158.573C134.242 158.549 134.867 158.513 135.495 158.468C135.584 157.522 135.41 156.465 135.24 155.431C135.122 154.715 135.006 154.009 134.98 153.36C134.914 151.373 134.98 149.387 135.194 147.4C135.219 147.174 135.264 146.933 135.31 146.686C135.427 146.058 135.552 145.385 135.395 144.801C134.777 145.32 134.124 145.804 133.46 146.293C132.954 145.736 132.475 145.164 132.01 144.584L132.007 144.6Z" fill="black"/>
+</svg>
diff --git a/sp-modules/vikunja/load-client-secret-from-env.patch b/sp-modules/vikunja/load-client-secret-from-env.patch
new file mode 100644
index 0000000..c8f4e17
--- /dev/null
+++ b/sp-modules/vikunja/load-client-secret-from-env.patch
@@ -0,0 +1,33 @@
+diff --git a/pkg/modules/auth/openid/providers.go b/pkg/modules/auth/openid/providers.go
+index 5e14c1b31..769dc96e8 100644
+--- a/pkg/modules/auth/openid/providers.go
++++ b/pkg/modules/auth/openid/providers.go
+@@ -17,6 +17,7 @@
+ package openid
+ 
+ import (
++	"os"
+ 	"regexp"
+ 	"strconv"
+ 	"strings"
+@@ -129,12 +130,19 @@ func getProviderFromMap(pi map[string]interface{}) (provider *Provider, err erro
+ 	if scope == "" {
+ 		scope = "openid profile email"
+ 	}
++
++	clientsecret, err := os.ReadFile(os.Getenv("SP_VIKUNJA_CLIENT_SECRET_PATH"))
++
++	if err != nil {
++		panic(err)
++	}
++
+ 	provider = &Provider{
+ 		Name:            pi["name"].(string),
+ 		Key:             k,
+ 		AuthURL:         pi["authurl"].(string),
+ 		OriginalAuthURL: pi["authurl"].(string),
+-		ClientSecret:    pi["clientsecret"].(string),
++		ClientSecret:    strings.TrimSuffix(string(clientsecret), "\n"),
+ 		LogoutURL:       logoutURL,
+ 		Scope:           scope,
+ 	}
diff --git a/sp-modules/vikunja/module.nix b/sp-modules/vikunja/module.nix
new file mode 100644
index 0000000..ee22a52
--- /dev/null
+++ b/sp-modules/vikunja/module.nix
@@ -0,0 +1,186 @@
+latestPkgs: {
+  config,
+  lib,
+  ...
+}: let
+  sp = config.selfprivacy;
+  cfg = sp.modules.vikunja;
+  oauthClientID = "vikunja";
+  auth-passthru = config.selfprivacy.passthru.auth;
+  oauth2-provider-name = auth-passthru.oauth2-provider-name;
+  oauthDiscoveryURL = auth-passthru.oauth2-discovery-url oauthClientID;
+
+  # SelfPrivacy uses SP Module ID to identify the group!
+  usersGroup = "sp.vikunja.users";
+
+  oauthClientSecretFP =
+    auth-passthru.mkOAuth2ClientSecretFP oauthClientID;
+
+  vikunjaPackage = latestPkgs.vikunja.overrideAttrs (old: {
+    doCheck = false; # Tests are slow.
+    patches =
+      (old.patches or [])
+      ++ [
+        ./load-client-secret-from-env.patch
+      ];
+  });
+in {
+  options.selfprivacy.modules.vikunja = {
+    enable =
+      (lib.mkOption {
+        default = false;
+        type = lib.types.bool;
+        description = "Enable Vikunja";
+      })
+      // {
+        meta = {
+          type = "enable";
+        };
+      };
+    location =
+      (lib.mkOption {
+        type = lib.types.str;
+        description = "Vikunja location";
+      })
+      // {
+        meta = {
+          type = "location";
+        };
+      };
+    subdomain =
+      (lib.mkOption {
+        default = "vikunja";
+        type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
+        description = "Subdomain";
+      })
+      // {
+        meta = {
+          widget = "subdomain";
+          type = "string";
+          regex = "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
+          weight = 0;
+        };
+      };
+  };
+
+  config =
+    lib.mkIf cfg.enable
+    {
+      assertions = [
+        {
+          assertion = sp.sso.enable;
+          message = "Vikunja cannot be enabled when SSO is disabled.";
+        }
+      ];
+
+      fileSystems = lib.mkIf sp.useBinds {
+        "/var/lib/vikunja" = {
+          device = "/volumes/${cfg.location}/vikunja";
+          options = ["bind"];
+        };
+      };
+
+      users = {
+        users.vikunja = {
+          isSystemUser = true;
+          group = "vikunja";
+        };
+        groups.vikunja = {};
+      };
+
+      services.postgresql = {
+        ensureDatabases = ["vikunja"];
+        ensureUsers = [
+          {
+            name = "vikunja";
+            ensureDBOwnership = true;
+          }
+        ];
+      };
+
+      services.vikunja = {
+        enable = true;
+        package = vikunjaPackage;
+        frontendScheme = "https";
+        frontendHostname = "${cfg.subdomain}.${sp.domain}";
+        port = 4835;
+
+        database = {
+          type = "postgres";
+          host = "/run/postgresql";
+        };
+
+        settings = {
+          service = {
+            enableregistration = false;
+            enabletotp = false;
+            enableuserdeletion = true;
+          };
+
+          auth = {
+            local.enabled = false;
+            openid = {
+              enabled = true;
+              providers = [
+                {
+                  name = oauth2-provider-name;
+                  authurl = lib.strings.removeSuffix "/.well-known/openid-configuration" oauthDiscoveryURL;
+                  clientid = oauthClientID;
+                  clientsecret = ""; # There's patch for our Vikunja to make it load client secret from environment variable.
+                  scope = "openid profile email";
+                }
+              ];
+            };
+          };
+        };
+      };
+
+      services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
+        useACMEHost = sp.domain;
+        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+        '';
+        locations = {
+          "/" = {
+            proxyPass = "http://127.0.0.1:4835";
+          };
+        };
+      };
+
+      systemd = {
+        services.vikunja = {
+          unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/vikunja";
+          serviceConfig = {
+            Slice = "vikunja.slice";
+            LoadCredential = "oauth2-secret:${oauthClientSecretFP}";
+            DynamicUser = lib.mkForce false;
+            User = "vikunja";
+            Group = "vikunja";
+          };
+          environment.SP_VIKUNJA_CLIENT_SECRET_PATH = "%d/oauth2-secret";
+        };
+        slices.vikunja = {
+          description = "Vikunja service slice";
+        };
+      };
+
+      selfprivacy.auth.clients.${oauthClientID} = {
+        inherit usersGroup;
+        subdomain = cfg.subdomain;
+        isTokenNeeded = true;
+        originLanding = "https://${cfg.subdomain}.${sp.domain}/";
+        originUrl = "https://${cfg.subdomain}.${sp.domain}/auth/openid/${lib.strings.toLower oauth2-provider-name}";
+        clientSystemdUnits = ["vikunja.service"];
+        enablePkce = false;
+        linuxUserOfClient = "vikunja";
+        linuxGroupOfClient = "vikunja";
+      };
+    };
+}