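# Keycloak behind nginx, backed by a local PostgreSQL reached over its unix socket.
#
# Trust-boundary summary of what this module sets up:
#   * TLS is terminated by nginx (forceSSL + ACME). Keycloak itself listens in
#     plaintext, but only on 127.0.0.1, so `http-enabled = true` is not
#     reachable from the network.
#   * Keycloak is told to honour X-Forwarded-* headers (`proxy-headers`). That
#     is only safe because the listener is loopback-only and nginx is the sole
#     client; the proxy location therefore also has to *send* those headers.
#   * The database is reached over the PostgreSQL unix socket with `peer`
#     authentication, so there is no database password anywhere.
#   * The only secret in play is the bootstrap admin password, via sops-nix.
{ config, pkgs, lib, ... }:

let
  # Public name of the instance; also used as the hostname Keycloak advertises.
  fqdn = "keycloak.kjtsanaktsidis.id.au";
in
{
  # Bootstrap admin password, decrypted by sops-nix at activation. It is
  # consumed through `_secret` below, so the plaintext never enters the store.
  sops.secrets.keycloak_bootstrap_password = { };

  # TLS terminator in front of Keycloak; every external request arrives here
  # over HTTPS and is forwarded to the loopback listener in plaintext.
  services.nginx.virtualHosts.${fqdn} = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${builtins.toString config.services.keycloak.settings.http-port}";
      # Keycloak is configured with `proxy-headers = "xforwarded"`, i.e. it
      # trusts X-Forwarded-For/-Proto/-Host from whatever connects to it. A
      # bare `proxyPass` does not emit those headers, so without this Keycloak
      # would see 127.0.0.1 as every client's address (event log, any
      # IP-based decisions). Harmless if the same option is already on globally.
      recommendedProxySettings = true;
    };
  };

  services.keycloak = {
    enable = true;

    database = {
      type = "postgresql";
      # The database is managed by services.postgresql below rather than by
      # this module, so the unix-socket/peer setup is under explicit control.
      createLocally = false;
      # Peer auth means there is no database password at all. The module still
      # wants a path here; /dev/null supplies an empty value.
      # NOTE(review): if a future module version rejects an empty password, an
      # empty sops-managed file is the drop-in replacement.
      passwordFile = "/dev/null";
    };

    # Priority 10 (`mkOverride 10`) beats both the module's defaults and plain
    # definitions, so this attrset is the complete Keycloak option set —
    # presumably to keep the module from injecting its own TCP `db-url`.
    # TODO confirm against the module version in use.
    settings = lib.mkOverride 10 {
      db = "postgres";
      # Connect over the PostgreSQL unix socket using junixsocket (loaded as a
      # plugin below). `$FactoryArg` is a Java inner-class name, not a Nix
      # interpolation — Nix only interpolates `${`.
      db-url = "jdbc:postgresql://localhost/keycloak?socketFactory=org.newsclub.net.unix.AFUNIXSocketFactory$FactoryArg&socketFactoryArg=/var/run/postgresql/.s.PGSQL.5432";
      # Must equal the OS user the service runs as: pg_hba `peer` maps the
      # socket peer's uid onto this role.
      db-username = "keycloak";

      # Loopback-only plaintext listener; TLS is nginx's job.
      http-host = "127.0.0.1";
      http-port = 3256;
      http-enabled = true;
      # Public URL Keycloak advertises (issuer, redirect validation).
      hostname = "https://${fqdn}";
      # Trust X-Forwarded-* from the proxy. Safe only because nothing except
      # the local nginx can reach the listener above.
      proxy-headers = "xforwarded";

      # File-based vault rooted at systemd's credential directory. The `\${`
      # escape keeps this a literal for Keycloak to expand at runtime.
      # NOTE(review): nothing in this file passes LoadCredential= to the unit,
      # so either credentials are wired up elsewhere or the vault is currently
      # empty — verify.
      vault = "file";
      vault-dir = "\${CREDENTIALS_DIRECTORY}";

      bootstrap-admin-username = "admin";
      # `_secret` makes the module read the file at service start instead of
      # embedding the password in the generated config.
      bootstrap-admin-password = {
        _secret = config.sops.secrets.keycloak_bootstrap_password.path;
      };
    };

    # junixsocket jars required by the AF_UNIX socket factory named in `db-url`.
    plugins = [
      "${pkgs.junixsocket-common}/share/java/junixsocket-common-${pkgs.junixsocket-common.version}.jar"
      "${pkgs.junixsocket-native-common}/share/java/junixsocket-native-common-${pkgs.junixsocket-native-common.version}.jar"
    ];
  };

  services.postgresql = {
    enable = true;
    ensureDatabases = [ "keycloak" ];
    ensureUsers = [
      {
        name = "keycloak";
        ensureDBOwnership = true;
      }
    ];
    # Explicit pg_hba rule: the `keycloak` role may reach its own database over
    # the unix socket only, authenticated by the connecting process's uid.
    # `mkAfter` appends it behind whatever the module generates; pg_hba takes
    # the first matching line, so if the module's own `local all all peer`
    # default precedes this one it already matched — the outcome is peer auth
    # and no password either way.
    authentication = lib.mkAfter ''
      #type database DBuser auth-method
      local keycloak keycloak peer
    '';
  };
}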