{ config, lib, ... }:
with lib;
let
  cfg = config.eboskma.keycloak;
in
{
  options.eboskma.keycloak = { enable = mkEnableOption "keycloak"; };

  config = mkIf cfg.enable {
    services.keycloak = {
      enable = true;
      database.passwordFile = config.sops.secrets.keycloak-db-password.path;

      settings = {
        hostname = "id.datarift.nl";
        http-host = "127.0.0.1";
        http-port = 8081;
        proxy = "edge";
      };
    };

    services.caddy = {
      enable = true;

      email = "erwin@datarift.nl";

      virtualHosts = {
        "${config.services.keycloak.settings.hostname}" = {
          extraConfig = ''
            @public_or_allowed_remote {
              expression path('/realms/*', '/resources/*', '/js/*', '/robots.txt') || remote_ip('10.64.0.0/10', '86.85.243.40/32', '2a02:a441:c959:1::/64')
            }

            route {
                  reverse_proxy @public_or_allowed_remote ${config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}

                  error "Nope." 401
            }
          '';
        };
      };
    };

    security.acme.acceptTerms = true;

    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}