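# NixOS module: Keycloak identity provider for auth.katzen.cafe, backed by a
# locally provisioned PostgreSQL database. The database password is pushed to
# the host at deploy time through `deployment.keys`.
#
# Layout note: each `#` comment sits on its own line. With the whole module on
# one line, the first `#` would comment out the database block,
# `deployment.keys`, and every closing brace after it.
{ pkgs, ... }:
{
  services.keycloak = {
    enable = true;

    settings = {
      # Keycloak itself serves plain HTTP on 8080; TLS is expected to terminate
      # at a reverse proxy in front of it (that proxy is not defined in this file).
      http-port = 8080;
      http-enabled = true;

      # "edge" makes Keycloak accept unencrypted traffic from the proxy and
      # trust its forwarded headers. Port 8080 must therefore be reachable
      # only by the proxy: a client that reaches it directly can supply its own
      # forwarded headers.
      # NOTE(review): no bind address or firewall rule is visible here; confirm
      # that 8080 is bound to loopback or firewalled off from the outside.
      # NOTE(review): `proxy` and the `hostname-*` keys below are the older
      # option set; newer Keycloak releases replace them (e.g. `proxy-headers`).
      # Confirm against the deployed Keycloak version.
      proxy = "edge";

      hostname = "auth.katzen.cafe";
      # -1 leaves the port out of generated URLs, so the proxy's port is used.
      hostname-port = "-1";

      # The admin console is published on the same public hostname as the
      # login endpoints.
      # NOTE(review): if admin access should be limited, restrict the admin
      # paths at the reverse proxy or use a separate admin hostname.
      hostname-admin-url = "https://auth.katzen.cafe";

      # Backchannel (server-to-server) URLs also use the public hostname.
      hostname-strict-backchannel = true;
    };

    # Direct TLS on Keycloak is disabled; kept for reference.
    #sslCertificateKey = "/var/lib/acme/auth.katzen.cafe/key.pem";
    #sslCertificate = "/var/lib/acme/auth.katzen.cafe/cert.pem";

    database = {
      type = "postgresql";
      createLocally = true;
      username = "keycloak";
      # Read from a file at runtime, so the password stays out of the
      # world-readable Nix store.
      passwordFile = "/run/keys/keycloakDbPw";
    };
  };

  # Deploy-time secret: `keyCommand` runs on the deploying machine and its
  # output is uploaded to destDir/<name> on the target, i.e. the path that
  # `passwordFile` above points at.
  # NOTE(review): the source is a plaintext file in a home directory; fetching
  # it from a password manager or encrypted store via `keyCommand` would avoid
  # keeping the secret unencrypted on the operator's disk.
  # NOTE(review): no user/group/permissions are set, so the deployment tool's
  # defaults apply; confirm they are as restrictive as intended.
  # NOTE(review): /run is normally a tmpfs, so the key is presumably gone after
  # a reboot until the next deploy; confirm Keycloak's startup handles that.
  deployment.keys."keycloakDbPw" = {
    keyCommand = [ "cat" "/home/jade/keys-tmp/keycloak-db" ];
    destDir = "/run/keys/";
  };
}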