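# NixOS module: Keycloak on the "beta.auth" subdomain. nginx terminates TLS
# (ACME certificate, HTTP redirected to HTTPS) and proxies to Keycloak over
# plain HTTP on the same machine.
{ config, common, ... }:
let
  port = 8086;
  # Only the local nginx needs to reach Keycloak's cleartext listener, so the
  # listener and the upstream URL are both pinned to IPv4 loopback.
  listenAddress = "127.0.0.1";
  domain = "beta.auth.${common.domain}";
  # Name of the sops-nix secret that holds the PostgreSQL password.
  dbPassKey = "keycloak/database-pass";
in
{
  services = {
    keycloak = {
      enable = true;
      settings = {
        # Public URL; TLS is terminated by the nginx virtual host below.
        hostname = "https://${domain}";
        # Keycloak's default is to listen on all interfaces. With
        # http-enabled the port speaks unencrypted HTTP, so keep it off the
        # network and reachable through the proxy only.
        http-host = listenAddress;
        http-port = port;
        http-enabled = true;
        # NOTE(review): no proxy-headers setting here and no forwarded
        # headers set on the nginx location, so Keycloak presumably records
        # every client as the proxy's loopback address (affects login event
        # logs and any per-IP policy). Confirm against the deployed Keycloak
        # version; if enabled, nginx must overwrite client-supplied
        # X-Forwarded-* values.
      };
      database = {
        type = "postgresql";
        createLocally = true;
        port = config.services.postgresql.settings.port;
        # Read at runtime from the decrypted sops secret; never in the store.
        passwordFile = config.sops.secrets.${dbPassKey}.path;
      };
      # FIXME(security): unlike the database password, this is a literal in
      # the configuration, so it is committed with the repo and copied into
      # the Nix store, which every local user can read. It is also a
      # well-known default on an internet-facing login page. Treat it as a
      # one-time bootstrap value: change it (or replace the bootstrap admin
      # with a personal admin account) right after the first deployment, and
      # do not expose the vhost before that is done.
      initialAdminPassword = "changeme";
    };
    nginx.virtualHosts.${domain} = {
      forceSSL = true;
      enableACME = true;
      # Same loopback address as http-host above; avoids depending on how
      # "localhost" resolves (IPv4 vs IPv6).
      locations."/".proxyPass = "http://${listenAddress}:${toString port}";
    };
  };
  # Declares the secret so sops-nix decrypts it and exposes its .path.
  sops.secrets.${dbPassKey} = { };
}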