# Keycloak identity provider for auth.katzen.cafe, backed by a locally created
# PostgreSQL database. The database password is delivered out of band through
# `deployment.keys` and read from /run/keys at runtime.
{ pkgs, ... }:
{
  services.keycloak.enable = true;

  # Plain-HTTP listener intended to sit behind a TLS-terminating reverse proxy.
  services.keycloak.settings = {
    http-port = 8097;
    # "edge" means TLS ends at the proxy and Keycloak takes the client address
    # and scheme from forwarding headers.
    # NOTE(review): no bind address is set here, so whether port 8097 is
    # reachable other than through the proxy depends on the `http-host`
    # default and the host firewall. Confirm that only the proxy can reach it;
    # otherwise forwarding headers can be supplied by anyone.
    # NOTE(review): newer Keycloak releases deprecate `proxy` in favour of
    # `proxy-headers`; check against the packaged version.
    proxy = "edge";
    hostname = "auth.katzen.cafe";
    hostname-strict-backchannel = true;
  };

  services.keycloak.database = {
    type = "postgresql";
    createLocally = true;
    username = "keycloak";
    # A string, not a Nix path literal, so the secret is not copied into the
    # world-readable Nix store. Must match destDir + key name below.
    passwordFile = "/run/keys/keycloakDbPw";
  };

  # Secret upload handled by the deployment tool that provides
  # `deployment.keys` (not visible in this file).
  deployment.keys.keycloakDbPw = {
    # NOTE(review): presumably executed on the deploying machine. The password
    # sits in plaintext under a home directory; restrict that file's
    # permissions, or replace `cat` with a secret-manager command.
    keyCommand = [
      "cat"
      "/home/jade/keys-tmp/keycloak-db"
    ];
    # NOTE(review): no owner, group or mode is set, so the tool's defaults
    # apply; confirm the Keycloak and database-init units can read the file.
    # /run is normally a tmpfs, so the key is likely absent after a reboot
    # until the next deploy.
    destDir = "/run/keys/";
  };
}