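# Keycloak identity provider fronted by nginx: TLS is terminated at the proxy
# and Keycloak itself only speaks plain HTTP on the loopback interface.
{ pkgs, config, ... }:

let
  network = import ./network.nix;
  domain = "auth.giugl.io";

  # Keycloak's plaintext HTTP listener. Only the local nginx talks to it, so
  # every proxied location below points at the same loopback upstream.
  keycloakPort = toString config.services.keycloak.settings.http-port;
  proxyToKeycloak = { proxyPass = "http://127.0.0.1:${keycloakPort}"; };

  # Paths forwarded to Keycloak as-is; anything else on the vhost is
  # redirected to the account console (see the "/" location).
  # NOTE(review): "/admin" is the admin console and is served on the same
  # vhost as the user-facing realms; if this host is reachable from the
  # internet, consider restricting that location to trusted source
  # addresses (nginx allow/deny) rather than exposing it to everyone.
  proxiedPaths = [ "/admin" "/js" "/realms" "/resources" "/robots.txt" ];
in {
  services = {
    keycloak = {
      enable = true;
      # NOTE(review): this value is copied into the world-readable Nix store
      # and only bootstraps the temporary admin user; rotate it in the admin
      # console immediately after the first login.
      initialAdminPassword = "giulio";
      # Database credentials are read at runtime from a file outside the
      # store rather than being embedded in the configuration.
      database.passwordFile = "/secrets/keycloak/database.key";
      settings = {
        hostname = domain;
        # TLS is terminated by nginx; Keycloak derives scheme/client address
        # from the X-Forwarded-* headers the proxy sends.
        proxy = "edge";
        # Bind the plaintext listener to loopback so it is reachable only by
        # the local reverse proxy, which targets 127.0.0.1 below.
        http-host = "127.0.0.1";
        http-port = 6654;
        https-port = 6655;
        hostname-strict-backchannel = true;
      };
    };

    postgresql = {
      # Database and role names come from the Keycloak module so the two
      # services cannot drift apart.
      ensureDatabases = [ config.services.keycloak.database.name ];
      ensureUsers = [{
        name = config.services.keycloak.database.username;
        ensurePermissions = {
          "DATABASE ${config.services.keycloak.database.name}" =
            "ALL PRIVILEGES";
        };
      }];
    };

    nginx.virtualHosts.${domain} = {
      forceSSL = true;
      enableACME = true;

      # NOTE(review): proxy = "edge" above relies on nginx setting the
      # X-Forwarded-For / X-Forwarded-Proto headers; confirm
      # services.nginx.recommendedProxySettings (or equivalent
      # proxy_set_header directives) is enabled elsewhere in this configuration.
      locations = {
        # The bare domain lands on the account console.
        "/" = { return = "301 https://${domain}/realms/master/account"; };
      } // builtins.listToAttrs (map (path: {
        name = path;
        value = proxyToKeycloak;
      }) proxiedPaths);
    };
  };

  # Resolve the auth domain to this host's LAN and WireGuard addresses so
  # internal clients reach it without going through public DNS.
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
  '';
}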