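# NixOS host module for the Keycloak identity provider. nginx terminates TLS
# (ACME) on the public side and proxies to Keycloak, which is bound to
# loopback only.
{ hostRegistry, config, pkgs, ... }:

let
  # Public name of this service; also the ACME certificate name and the
  # Keycloak frontend URL.
  frontendDomain = "keycloak.c3d2.de";
in
{
  networking = {
    hostName = "keycloak";
    useDHCP = false;
    useNetworkd = true;
    interfaces.eth0 = {
      useDHCP = false;
      # The address is looked up in the shared host registry by this host's
      # name, so renaming the host requires a matching registry entry.
      ipv4.addresses = [{
        address = hostRegistry.hosts."${config.networking.hostName}".ip4;
        prefixLength = 26;
      }];
    };
    defaultGateway = "172.20.73.1";
    nameservers = [ "172.20.73.8" "9.9.9.9" ];
    # Only http/https are reachable from outside; Keycloak itself listens on
    # 127.0.0.1 and is never exposed directly.
    firewall.allowedTCPPorts = [ 80 443 ];
  };

  services.nginx = {
    enable = true;
    # Keyed on frontendDomain so the vhost, the ACME certificate and the
    # Keycloak frontend URL cannot drift apart.
    virtualHosts."${frontendDomain}" = {
      default = true;
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8080";
        # proxyWebsockets = true;
      };
      # Already covered by "/" (same upstream; the matched prefix is replaced
      # by itself); kept as an explicit entry for the Keycloak path.
      locations."/auth" = {
        proxyPass = "http://127.0.0.1:8080/auth";
        # proxyWebsockets = true;
      };
    };
  };

  # noXlibs breaks cairo:
  environment.noXlibs = false;

  services.keycloak =
    let
      inherit (pkgs.keycloak-secrets) dbPassword;
    in
    {
      enable = true;
      # NOTE(review): the admin password is a plain Nix value here, so it
      # presumably ends up in generated service files in the Nix store —
      # confirm against the keycloak module before relying on it staying
      # private.
      inherit (pkgs.keycloak-secrets) initialAdminPassword;
      frontendUrl = "https://${frontendDomain}/auth";
      forceBackendUrlToFrontendUrl = true;
      # "\${" is a Nix escape: JBoss receives the literal property expression
      # ${jboss.http.port:8080}, not a Nix interpolation.
      httpPort = "\${jboss.http.port:8080}";
      # Loopback only: nginx is the sole entry point.
      bindAddress = "\${jboss.bind.address:127.0.0.1}";
      # sslCertificate = "/var/lib/acme/${frontendDomain}/fullchain.pem";
      # sslCertificateKey = "/var/lib/acme/${frontendDomain}/key.pem";
      # SECURITY: builtins.toFile writes dbPassword into the world-readable
      # Nix store, so every local user (and any binary cache or host that
      # receives this closure) can read the database password. Replace this
      # with a file deployed outside the store (e.g. via a secrets-deployment
      # tool) and point passwordFile at that path.
      database.passwordFile = builtins.toFile "db_password" dbPassword;
    };

  # Keycloak's own TLS options above are commented out (nginx terminates TLS),
  # so this dependency only matters if they are re-enabled. `requires` alone
  # gives no start ordering; `after` makes Keycloak wait for the certificate.
  systemd.services.keycloak = {
    requires = [ "acme-${frontendDomain}.service" ];
    after = [ "acme-${frontendDomain}.service" ];
  };
}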