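# Keycloak behind nginx as a TLS-terminating reverse proxy, published on `dn`.
#
# `pkgs` and `unstable` are not used here but stay in the argument set so the
# module signature remains compatible with whatever imports it.
{ config, lib, pkgs, unstable, ... }:
let
  # Public hostname; used both as Keycloak's advertised hostname and as the
  # name of the nginx virtual host that fronts it.
  dn = "auth.tfcconnection.org";
in
with lib; {
  services = {
    keycloak = {
      enable = true;
      # Only consumed when the admin user is first created. The literal ends
      # up in the world-readable Nix store, so rotate it in the admin console
      # right after first start (or move it to a secrets mechanism).
      initialAdminPassword = "clang";
      settings = {
        hostname = dn;
        http-port = 8787;
        # https-port = 8788;
        # Plain HTTP is acceptable here: nginx terminates TLS and reaches
        # Keycloak over the loopback proxyPass below.
        http-enabled = true;
        # Once X-Forwarded-Proto is honored (see proxy-headers) this can
        # likely be re-enabled so Keycloak only issues https URLs -- verify
        # against the deployed Keycloak version before flipping it.
        hostname-strict-https = false;
        # nginx sets X-Forwarded-For / X-Forwarded-Proto (see extraConfig),
        # not the RFC 7239 `Forwarded` header, so Keycloak must be told to
        # parse the X-Forwarded-* family. With "forwarded" those headers are
        # not honored and Keycloak falls back to the plain-http connection it
        # actually sees, which is why the proxied URLs come out wrong.
        proxy-headers = "xforwarded";
        # proxy = "passthrough";
      };
      # Database password is read from a file at runtime rather than being
      # embedded in the store.
      database.passwordFile = "/keycloakbd";
    };
    nginx.virtualHosts.${dn} = {
      forceSSL = true;
      enableACME = true;
      locations = {
        "/" = {
          # Derive the upstream port from the Keycloak option so the two
          # cannot drift apart.
          proxyPass = "http://localhost:${toString config.services.keycloak.settings.http-port}";
          # Forward the client address and the original scheme; Keycloak
          # relies on these (via proxy-headers) to build correct URLs.
          extraConfig = ''
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
          '';
        };
      };
    };
  };
}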