# NixOS module: Keycloak for auth.katzen.cafe, listening on loopback behind a
# TLS-terminating reverse proxy, with the database password pushed as a
# deployment key instead of being written into the configuration.
{ pkgs, ... }:
{
  services.keycloak.enable = true;

  services.keycloak.settings = {
    # Public identity of the server. The admin console URL is the same public
    # origin as the user-facing endpoints.
    # NOTE(review): if the admin console does not need to be reachable from
    # the internet, restrict the admin paths at the reverse proxy.
    hostname = "auth.katzen.cafe";
    hostname-port = "-1";
    hostname-admin-url = "https://auth.katzen.cafe";
    # hostname-strict-backchannel = true;

    # Plain HTTP listener bound to a loopback address; TLS is expected to be
    # terminated by the proxy in front of it. Any local process can still
    # reach this port.
    http-enabled = true;
    http-host = "127.0.0.3";
    http-port = 8080;
    https-port = 8443;

    # "edge" makes Keycloak take scheme/host/client address from forwarded
    # headers, so the proxy has to set or overwrite those headers itself
    # rather than pass through whatever the client sent.
    # NOTE(review): newer Keycloak releases deprecate `proxy` in favour of
    # `proxy-headers` - check against the packaged version.
    proxy = "edge";
  };

  # Certificate options stay disabled: no TLS key material is handed to
  # Keycloak by this module.
  #sslCertificateKey = "/var/lib/acme/auth.katzen.cafe/key.pem";
  #sslCertificate = "/var/lib/acme/auth.katzen.cafe/cert.pem";

  services.keycloak.database = {
    type = "postgresql";
    # The database and role are provisioned outside this module. No host is
    # set here, so the module default applies - confirm it is the intended
    # server and whether the connection needs TLS.
    createLocally = false;
    username = "keycloak";
    # Kept as a quoted string so only the path, not the secret, appears in the
    # evaluated configuration. Must match destDir + key name below.
    passwordFile = "/var/lib/secrets/keycloakDbPw";
  };

  # Deployment key: the value is the output of `pass keycloak/db-pass` and is
  # written to /var/lib/secrets/keycloakDbPw on the target.
  # NOTE(review): user, group and permissions are not set here, so the
  # deployment tool's defaults decide who can read the file; destDir is
  # persistent storage, so the secret survives reboots and lands in any
  # backup or snapshot of /var/lib - confirm both are intended.
  deployment.keys.keycloakDbPw = {
    keyCommand = [ "pass" "keycloak/db-pass" ];
    destDir = "/var/lib/secrets";
  };
}