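# Keycloak for auth.tfcconnection.org, published through an nginx virtual host.
# nginx terminates TLS (forceSSL + ACME) and forwards requests to Keycloak's
# plain-HTTP listener on the same machine.
#
# Layout note: this expression must keep its line breaks. Collapsed onto a
# single line, the `# proxy = ...` comment below swallows the rest of the file.
{ config, lib, pkgs, unstable, ... }:

let
  # Public DNS name, used both as Keycloak's hostname and as the nginx vhost.
  dn = "auth.tfcconnection.org";
in
with lib;
{
  services = {
    keycloak = {
      enable = true;

      # SECURITY: this literal is committed with the configuration and copied
      # into the world-readable Nix store, so treat it as public. It only
      # bootstraps the admin account; change the admin password in the
      # Keycloak console right after the first login and do not reuse it.
      initialAdminPassword = "clang";

      settings = {
        hostname = dn;

        # Accept connections on loopback only. The sole intended client is the
        # nginx proxy below, which connects to localhost; without this the
        # unencrypted listener is bound to every interface and bypasses TLS.
        http-host = "127.0.0.1";
        http-port = 8787;
        https-port = 8788;

        # Plain HTTP is needed because nginx talks to Keycloak without TLS.
        http-enabled = true;
        hostname-strict-https = false;

        # NOTE(review): "passthrough" describes a proxy that forwards TLS
        # untouched. Here nginx terminates TLS, so if a proxy mode is enabled
        # it should be the edge-termination one for the deployed Keycloak
        # version (`proxy = "edge"` on older releases, `proxy-headers` on newer
        # ones); confirm against the installed version before enabling.
        # proxy = "passthrough";
      };

      # Read at runtime from this path. Keeping it a string (not a Nix path)
      # stops the secret from being copied into the store; the file itself
      # should be readable by root only.
      database.passwordFile = "/keycloakbd";
    };

    nginx.virtualHosts.${dn} = {
      # Redirect HTTP to HTTPS and obtain the certificate through ACME.
      forceSSL = true;
      enableACME = true;
      locations = {
        "/" = {
          # Follows the Keycloak setting so the two ports cannot drift apart.
          # NOTE(review): no forwarded-header settings are visible here;
          # confirm X-Forwarded-* headers are set elsewhere (for example
          # services.nginx.recommendedProxySettings).
          proxyPass = "http://localhost:${toString config.services.keycloak.settings.http-port}";
        };
      };
    };
  };
}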