{ config, lib, ... }:

let
  cfg = config.eboskma.keycloak;
  kcSettings = config.services.keycloak.settings;
  # Address Caddy forwards to. Keycloak binds to loopback only, so the
  # only path to it from the network is through the TLS-terminating proxy.
  upstream = "${kcSettings.http-host}:${toString kcSettings.http-port}";
in
{
  options.eboskma.keycloak.enable = lib.mkEnableOption "keycloak";

  config = lib.mkIf cfg.enable {
    # Keycloak itself: plain HTTP on 127.0.0.1, TLS handled by the proxy in
    # front of it ("edge" mode, which makes Keycloak honour the proxy's
    # forwarded headers). The DB password comes from the sops-managed file
    # rather than being written into the store.
    # NOTE(review): newer Keycloak releases replaced the `proxy` setting with
    # `proxy-headers`; which one applies depends on the nixpkgs version in use.
    services.keycloak = {
      enable = true;
      database.passwordFile = config.sops.secrets.keycloak-db-password.path;
      settings = {
        hostname = "id.datarift.nl";
        http-host = "127.0.0.1";
        http-port = 8081;
        proxy = "edge";
      };
    };

    # Caddy terminates TLS for the Keycloak hostname and proxies to loopback.
    services.caddy = {
      enable = true;
      email = "erwin@datarift.nl";
      virtualHosts."${kcSettings.hostname}".extraConfig = ''
        reverse_proxy ${upstream}
      '';
    };

    security.acme.acceptTerms = true;

    # Only the proxy's HTTP/HTTPS ports are opened; 8081 stays closed.
    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}