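# NixOS module for the Keycloak identity provider, built on the shared
# mkserver factory (../factories/mkserver.nix) and sops-managed secrets.
{ lib, config, inputs, ... }:
let
  setup = import ../factories/mkserver.nix { inherit lib config; };
  cfg = config.my.servers.keycloak;
in
{
  # Arguments are presumably (service name, host label, default port) —
  # verify against mkserver.nix. The options read below are cfg.enable,
  # cfg.host, cfg.port and cfg.enableProxy.
  options.my.servers.keycloak = setup.mkOptions "keycloak" "auth" 8090;

  # Only materialised on hosts flagged as secure: the secrets below are
  # decrypted on disk for the keycloak user.
  config = lib.mkIf (cfg.enable && config.my.secureHost) {
    # Environment file handed to the keycloak unit via EnvironmentFile below.
    sops.secrets.keycloak = {
      sopsFile = ../../secrets/env.yaml;
      owner = "keycloak";
      group = "keycloak";
    };

    # NOTE(review): this secret is declared here but not referenced in this
    # file, while database.passwordFile reads "keycloak/db_password", which is
    # not declared here — confirm that one of the two is not stale.
    sops.secrets.postgres-password = {
      sopsFile = ../../secrets/secrets.yaml;
      owner = "keycloak";
      group = "keycloak";
    };

    services.keycloak = {
      inherit (cfg) enable;

      database = {
        type = "postgresql";
        host = "localhost";
        # The database is provisioned elsewhere; nothing in this module
        # creates it.
        createLocally = false;
        username = "keycloak";
        name = "keycloak";
        passwordFile = config.sops.secrets."keycloak/db_password".path;
      };

      # Keycloak runtime options. These previously sat directly under
      # services.keycloak, where the NixOS module declares no such options
      # (evaluation fails with "The option ... does not exist"); they belong
      # under `settings`, which is passed through to Keycloak.
      settings = {
        hostname = cfg.host;
        hostname-strict = true;
        # TLS is terminated by the reverse proxy in front of Keycloak, so
        # Keycloak itself serves plain HTTP and trusts the proxy's headers.
        hostname-strict-https = false;
        http-enabled = true;
        http-port = cfg.port;
        # NOTE(review): http-enabled exposes plain HTTP on cfg.port, and the
        # bind address is not restricted here (no http-host is set) — confirm
        # this port is not reachable from outside the host.
        # NOTE(review): `proxy` is deprecated in newer Keycloak releases in
        # favour of `proxy-headers`; confirm against the packaged version.
        proxy = "edge";
      };
    };

    # Loads the sops-managed environment file into the keycloak unit.
    systemd.services.keycloak.serviceConfig.EnvironmentFile =
      config.sops.secrets.keycloak.path;

    # Public-facing vhost, only when both this service and the host opt in
    # to reverse proxying.
    services.nginx.virtualHosts.${cfg.host} =
      lib.mkIf (cfg.enableProxy && config.my.enableProxy)
        (inputs.self.lib.proxyReverseFix cfg);
  };
}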