{ config, pkgs, lib, ... }:
let
  inherit (config) my;

  # Plain-HTTP port Keycloak listens on; only nginx on this host talks to it.
  httpPort = 8080;

  # Public name of the IdP, derived from the host's configured sub-zone.
  domain = "auth.${my.subZone}";

  # Directory where the ACME module places the certificate for `domain`.
  acmeDir = config.security.acme.certs."${domain}".directory;

  # Locally packaged Keycloak build and the CAS protocol provider plugin.
  keycloakPkg = pkgs.callPackage ./keycloak/package.nix { };
  casPlugin = pkgs.callPackage ./keycloak/keycloak-protocol-cas.nix { };
in
{
  services.keycloak = {
    enable = true;

    # Earlier approach, kept for reference: override the upstream package.
    /*package = pkgs.keycloak.overrideAttrs (old: rec {
      version = "18.0.0";
      jre = pkgs.openjdk;
      src = pkgs.fetchzip {
        url = "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.zip";
        sha256 = "sha256-Tql5/yNtdctSCYgtSnz5Pa6IwZVf/HOApFdeCEpNrjs=";
      };
    });*/
    package = keycloakPkg;

    # Bootstrap credential for the first admin login.
    # NOTE(review): option values like this are rendered into the Nix store,
    # which is readable by every local user — rotate it at first login, as the
    # value itself suggests.
    initialAdminPassword = "changemeasap";

    # TLS material shared with nginx; both point at the ACME-managed files.
    # NOTE(review): the keycloak service user needs read access to these
    # files — confirm the ACME group/permission setup grants it.
    sslCertificate = "${acmeDir}/cert.pem";
    sslCertificateKey = "${acmeDir}/key.pem";

    plugins = [
      pkgs.keycloak.plugins.keycloak-metrics-spi
      casPlugin
    ];

    database = {
      type = "postgresql";
      createLocally = true;
      name = "keycloak";
      username = "keycloak";
      # Secret is supplied out-of-band via agenix, not in the store.
      passwordFile = "${config.age.secrets.keycloakDatabasePasswordFile.path}";
    };

    settings = {
      hostname = domain;
      http-port = httpPort;
      http-relative-path = "/auth";
      hostname-strict-backchannel = true;
      # TLS is terminated by nginx in front; Keycloak then trusts the
      # forwarded headers it receives from that proxy.
      # NOTE(review): verify nginx actually sets X-Forwarded-* for this
      # vhost (e.g. via recommendedProxySettings elsewhere in the config).
      proxy = "edge";
    };
  };

  # Reverse proxy: HTTPS on the public name, forwarded to Keycloak's
  # loopback HTTP port.
  services.nginx.virtualHosts."${domain}" = {
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = "http://127.0.0.1:${toString httpPort}";
  };
}