{ pkgs, config, ... }:
{
  age.secrets.snipeItAppKey = {
    owner = config.services.snipe-it.user;
    group = config.services.snipe-it.group;
  };

  age.secrets.snipeItOidcClientSecret = {
    owner = config.services.snipe-it.user;
    group = config.services.snipe-it.group;
  };

  services.snipe-it = {
    enable = true;
    hostName = "inventory.rz.ens.wtf";
    database.createLocally = true;
    appKeyFile = config.age.secrets.snipeItAppKey.path;

    nginx = {
      enableACME = true;
      forceSSL = true;
    };

    config = {
      AUTH_METHOD = "oidc";
      OIDC_NAME = "Keycloak";
      OIDC_DISPLAY_NAME_CLAIMS = "name";
      OIDC_CLIENT_ID = "snipe-it";
      OIDC_CLIENT_SECRET = { _secret = config.age.secrets.snipeItOidcClientSecret.path; };
      OIDC_ISSUER = "https://auth.rz.ens.wtf/auth/realms/ClubReseau";
      OIDC_ISSUER_DISCOVER = true;
    };
  };
}