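{ config, pkgs, ... }:
let
  # Keycloak is served on a dedicated subdomain of the host's configured domain.
  domain = "sso.${config.networking.domain}";
in
{
  # The DB password is provisioned out-of-band by sops; only its path is
  # referenced below, so the secret never enters the Nix store.
  sops.secrets."keycloak/db" = { };
  services.keycloak = {
    enable = true;
    # NOTE(review): the comment below says unstable is used, but the `package`
    # line is commented out, so the module's default (stable) package is what is
    # actually deployed. Either re-enable the override or drop the comment.
    # we use unstable as the release in stable is insecure
    # package = nixpkgs-unstable.legacyPackages.x86_64-linux.keycloak;
    settings = {
      http-port = 8086;
      https-port = 19000;
      # Bind the plain-HTTP listener to loopback only. nginx below proxies to
      # 127.0.0.1, so nothing else needs to reach the unencrypted backend port
      # and it should not be exposed on other interfaces.
      http-host = "127.0.0.1";
      hostname = domain;
      # Keycloak trusts X-Forwarded-* headers from the reverse proxy. nginx must
      # actually set them (not visible in this file — confirm the vhost does).
      proxy-headers = "xforwarded";
      # Plain HTTP is acceptable only because the listener is loopback-only and
      # TLS is expected to terminate at nginx; the vhost's TLS settings are not
      # in this file — confirm forceSSL/ACME is configured elsewhere.
      http-enabled = true;
      hostname-strict-https = false;
    };
    # The module requires a password for the DB and works best with its own DB config
    # Does an automatic Postgresql configuration
    database = {
      passwordFile = config.sops.secrets."keycloak/db".path;
    };
    # SECURITY: this literal is baked into the generated service configuration
    # and therefore lands in the world-readable Nix store. The option name
    # suggests it only seeds the first admin account; rotate it immediately
    # after the first login and do not reuse it anywhere.
    initialAdminPassword = "plschangeme";
    themes = with pkgs; {
      ifsr = keycloak_ifsr_theme;
    };
  };
  services.nginx.virtualHosts."${domain}" = {
    locations."/" = {
      # Port is derived from the keycloak settings above so the two stay in sync.
      proxyPass = "http://127.0.0.1:${toString config.services.keycloak.settings.http-port}";
      # Larger proxy buffers: Keycloak responses carry sizeable headers/cookies.
      extraConfig = ''
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
      '';
    };
  };
}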