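# Keycloak (WildFly-era NixOS module: frontendUrl/extraConfig with an undertow
# path) served behind an nginx TLS-terminating reverse proxy on the same host.
{ config, pkgs, ... }:
let
  my = config.my;
  # Plain-HTTP listener port; only ever reached through the loopback proxyPass below.
  port = 8080;
in
{
  services.keycloak = {
    enable = true;
    # NOTE(review): pins JRE 8 — confirm this is still required; an older runtime
    # only stays patched for as long as that package is maintained in nixpkgs.
    package = pkgs.keycloak.override { jre = pkgs.jre8; };
    # Seeds the admin account on first start only, but the literal lives in the
    # world-readable Nix store: treat it as public, rotate the admin password
    # immediately after first login (or replace the account) — the module here has
    # no file-based alternative for this value.
    initialAdminPassword = "changemeasap";
    database.createLocally = true;
    # DB credential is read from a secret file (config.age.secrets), not the store.
    database.passwordFile = config.age.secrets.keycloakDatabasePasswordFile.path;
    frontendUrl = "https://auth.${my.subZone}/auth/";
    # Generate every URL from frontendUrl so the backend address never leaks.
    forceBackendUrlToFrontendUrl = true;
    # Accept connections from the local nginx only: proxy-address-forwarding (below)
    # makes Keycloak trust X-Forwarded-* headers, so a listener reachable from other
    # hosts would let a direct client spoof its source address and scheme.
    bindAddress = "127.0.0.1";
    httpPort = toString port;
    extraConfig = {
      # Honour X-Forwarded-For/-Proto from the proxy so the real client address and
      # https scheme are seen (assumes nginx sets those headers, e.g. via
      # services.nginx.recommendedProxySettings — confirm it is enabled elsewhere).
      "subsystem=undertow"."server=default-server"."http-listener=default".proxy-address-forwarding = true;
    };
  };

  services.nginx.virtualHosts."auth.${my.subZone}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString port}";
    };
  };
}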