{ config, lib, pkgs, tools, ... }:
with tools.nginx;
let
  login = "login.${tools.meta.domain}";
  cfg = config.services.keycloak;
in
{
  reservePortsFor = [ "keycloak" ];

  imports = [
    ./identity-management.nix
  ];
  age.secrets.keycloak-dbpass = {
    file = ../../../../secrets/keycloak-dbpass.age;
    owner = "root";
    group = "root";
    mode = "0400";
  };
  services.nginx.virtualHosts = { 
    "${login}" = lib.recursiveUpdate (vhosts.proxy "http://${cfg.bindAddress}:${config.portsStr.keycloak}") {
      locations."= /".return = "302 /auth/realms/master/account/";
    };
    "account.${domain}" = vhosts.redirect "https://${login}/auth/realms/master/account/";
  };
  services.keycloak = {
    enable = true;
    frontendUrl = "https://${login}/auth";
    bindAddress = "127.0.0.1";
    httpPort = config.portsStr.keycloak;
    package = pkgs.keycloak.override { jre = pkgs.jdk11_headless; };
    database = {
      createLocally = true;
      type = "postgresql";
      passwordFile = config.age.secrets.keycloak-dbpass.path;
    };
    extraConfig = {
      "subsystem=undertow" = {
        "server=default-server" = {
          "http-listener=default" = {
            proxy-address-forwarding = true;
          };
        };
      };
    };
  };
}