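# NixOS module: Keycloak behind nginx (TLS terminated at nginx, certificates via
# ACME), backed by the host's PostgreSQL, with the database password provisioned
# through sops-nix.
{ config, common, ... }:
let
  # Plaintext HTTP port that nginx proxies to; Keycloak itself never serves TLS.
  port = 8086;
  domain = "beta.auth.${common.domain}";
  # sops secret key holding the password of the PostgreSQL "keycloak" role.
  dbPassKey = "keycloak/database-pass";
  cfg = config.services.keycloak;
in
{
  services = {
    keycloak = {
      enable = true;
      settings = {
        hostname = domain;
        http-port = port;
        http-enabled = true;
        # Bind the plaintext listener to loopback only. With http-enabled and no
        # http-host, Keycloak listens on every interface, so port 8086 would be
        # reachable directly, bypassing nginx's forceSSL/ACME front end.
        http-host = "127.0.0.1";
        # Trust X-Forwarded-* from the reverse proxy so Keycloak sees the
        # original https scheme and client address (secure cookies, generated
        # redirect URLs, client-IP logging). This is the Keycloak >= 24 option;
        # older releases use `proxy = "edge"` instead — match the nixpkgs
        # Keycloak version in use.
        proxy-headers = "xforwarded";
      };
      database = {
        type = "postgresql";
        # Database and role are created below via services.postgresql rather
        # than by the keycloak module.
        createLocally = false;
        host = "localhost";
        port = config.services.postgresql.settings.port;
        name = "keycloak";
        username = "keycloak";
        passwordFile = config.sops.secrets.${dbPassKey}.path;
        # TCP to localhost only; TLS to the database is intentionally off.
        useSSL = false;
      };
    };

    nginx.virtualHosts."${domain}" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://localhost:${toString port}";
        # Send the headers that `proxy-headers = "xforwarded"` above relies on.
        # services.nginx.recommendedProxySettings sets the same headers globally
        # if it is enabled elsewhere in the configuration.
        extraConfig = ''
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Forwarded-Host $host;
        '';
      };
    };

    postgresql =
      let
        psql = cfg.database;
      in
      {
        # Mirror the keycloak database settings so the two cannot drift apart.
        ensureDatabases = [ psql.name ];
        ensureUsers = [
          {
            name = psql.username;
            ensureDBOwnership = true;
          }
        ];
      };
  };

  # Declare the secret so sops-nix provisions it; sops-nix's defaults leave it
  # root-owned and mode 0400. NOTE(review): confirm the keycloak service can
  # read passwordFile with those permissions (the nixpkgs module is expected to
  # load it with root privileges at start, but verify for the release in use).
  sops.secrets.${dbPassKey} = { };
}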