# NixOS module for a Keycloak instance behind the shared reverse proxy.
# Declares `my.servers.keycloak` via the mkserver factory and, when the
# service is enabled on a secure host, wires up the sops-managed admin
# secret, the Keycloak service itself and its nginx virtual host.
{ lib, config, inputs, ... }:
let
  factory = import ../factories/mkserver.nix { inherit lib config; };
  keycloak = config.my.servers.keycloak;

  # Name of the sops secret holding the bootstrap admin password.
  secretName = "keycloak/admin_password";

  # The whole config block is gated on both the service switch and the
  # host being marked secure, so nothing below is evaluated otherwise.
  active = keycloak.enable && config.my.secureHost;

  # The nginx vhost additionally requires proxying to be enabled on both
  # the service and the host.
  proxied = keycloak.enableProxy && config.my.enableProxy;
in
{
  options.my.servers.keycloak = factory.mkOptions "keycloak" "auth" 8090;

  config = lib.mkIf active {
    # Admin password is delivered by sops and owned by the keycloak
    # user/group, so it is never written into the world-readable Nix store.
    sops.secrets.${secretName} = {
      sopsFile = ../../secrets/secrets.yaml;
      owner = "keycloak";
      group = "keycloak";
    };

    services.keycloak = {
      enable = keycloak.enable;

      # Bootstrap admin account; the password is read from the sops secret
      # path rather than being embedded in the configuration.
      initialAdmin = {
        user = "admin";
        passwordFile = config.sops.secrets.${secretName}.path;
      };

      # No passwordFile is given here; host is a socket path, so this
      # presumably relies on local (socket) authentication on the
      # PostgreSQL side — confirm against the postgres configuration.
      database = {
        type = "postgresql";
        host = config.my.postgresSocket;
        username = "keycloak";
        database = "keycloak";
      };

      settings = {
        hostname = keycloak.host;
        "hostname-strict" = true;
        "frontend-url" = keycloak.url;

        # TLS is expected to be terminated at the reverse proxy
        # (proxy = "edge"); that is why plain HTTP is enabled and strict
        # HTTPS is switched off here.
        # NOTE(review): no http-host is set, so confirm the plaintext
        # listener is not reachable except through the proxy. Newer
        # Keycloak releases deprecate `proxy` in favour of `proxy-headers`
        # and `frontend-url` in favour of the hostname options — verify
        # against the packaged Keycloak version.
        "proxy" = "edge";
        "http-enabled" = true;
        "http-port" = keycloak.port;
        "hostname-strict-https" = false;
      };
    };

    # Reverse-proxy vhost, only when proxying is enabled on both levels.
    services.nginx.virtualHosts.${keycloak.host} =
      lib.mkIf proxied (inputs.self.lib.proxyReverseFix keycloak);
  };
}