{ hostRegistry, config, pkgs, ... }:

let
  # Public name of this identity provider. The nginx vhost, the Keycloak
  # frontendUrl and the ACME unit name are all derived from this one value.
  frontendDomain = "keycloak.c3d2.de";
in
{
  networking = {
    hostName = "keycloak";
    useNetworkd = true;
    # The address is looked up in the shared host registry, keyed by the
    # hostname set above (resolved through `config` so the two stay in sync).
    interfaces.eth0.ipv4.addresses = [
      {
        address = hostRegistry.hosts.${config.networking.hostName}.ip4;
        prefixLength = 26;
      }
    ];
    defaultGateway = "172.20.73.1";
    # Only HTTP and HTTPS are exposed; all other inbound TCP stays closed.
    firewall.allowedTCPPorts = [ 80 443 ];
  };

  services.nginx = {
    enable = true;
    # TLS termination and certificate issuance for the frontend domain live
    # here, not in Keycloak.
    virtualHosts.${frontendDomain} = {
      default = true;
      forceSSL = true;
      enableACME = true;
      # NOTE(review): proxyPass is commented out, so this location does not
      # forward anything to Keycloak; the vhost terminates TLS for the domain
      # but serves no backend. If the Keycloak module in use still defaults its
      # own httpPort/httpsPort to 80/443, it would also compete with nginx for
      # those ports — confirm which service is meant to own them.
      locations."/" = {
        # proxyPass = "http://localhost:8073";
        # proxyWebsockets = true;
      };
    };
  };

  # noXlibs breaks cairo:
  environment.noXlibs = false;

  services.keycloak = {
    enable = true;
    # The bootstrap admin password is passed as a plain option value and is
    # therefore part of the evaluated system configuration; treat it as a
    # first-login credential and rotate it afterwards.
    inherit (pkgs.keycloak-secrets) initialAdminPassword;
    frontendUrl = "https://${frontendDomain}/auth";
    forceBackendUrlToFrontendUrl = true;
    # Certificates are handled by the nginx/ACME vhost above, so Keycloak is
    # not handed the ACME files directly.
    # sslCertificate = "/var/lib/acme/${frontendDomain}/fullchain.pem";
    # sslCertificateKey = "/var/lib/acme/${frontendDomain}/key.pem";
    # SECURITY: builtins.toFile places dbPassword in /nix/store, which is
    # world-readable on the host and may be copied to any binary cache the
    # store is pushed to. passwordFile should instead reference a file that is
    # deployed outside the store with restricted permissions.
    database.passwordFile = builtins.toFile "db_password" pkgs.keycloak-secrets.dbPassword;
  };

  # Keycloak is bound to the ACME unit for the frontend domain. With the
  # sslCertificate options commented out it no longer reads those files, and
  # `requires` without a matching `after` does not order start-up, so this
  # dependency looks vestigial — confirm before removing it.
  systemd.services.keycloak.requires = [ "acme-${frontendDomain}.service" ];
}